Category Archives: mac

Kextstat_ASLR: Hiding Your Rootkits on Mac OS X

I found a small utility for hiding your kernel rootkits in OS X Mountain Lion. Mountain Lion introduced kernel ASLR, and the kextstat util output doesn’t support (yet?) this feature: the addresses it prints are not the real ones, which is quite annoying (kgmacros from kernel debugging also seem to fail at this!).

What this util does is read the kernel extension information via the /dev/kmem device (hence it is probably not useful for a large audience) and display it like kextstat does, with the correct address for each kext (just the most important information; the “linked against” info might be added in the future).

Besides being useful to anyone wanting to read the kext information, it’s also useful for rootkits because it implements the trick that Crisis uses to retrieve this information on 64-bit kernels. The only piece left is how to find the sLoadedKexts symbol; here it’s hardcoded for version 10.8.2.

The code is located at

One feature the developer plans to add is the ability to “bruteforce” the whole sLoadedKexts array, the reason being that rootkits usually decrease the count but the information remains there. One minor detail is that it may be susceptible to changes to the OSArray and OSKext classes, since it uses offsets into their instance variables.


Setting a Mac into Monitor Mode

Due to overwhelming request I’m going to write a quick guide to setting your Mac into monitor mode for use with Cookie Cadger or Aircrack. In order to do this you will need an AirPort Extreme 802.11 card, the card that ships with any modern Mac. Depending on which version of OS X you have installed, the way to set monitor mode varies. I will be using Wireshark to set monitor mode. You can download it from

Panther (or earlier)

In Mac OS X releases prior to 10.4.0 (Panther and earlier), neither monitor mode, nor seeing 802.11 headers when capturing data, nor capturing non-data frames are supported – although promiscuous mode is supported.

Tiger

In Mac OS X 10.4.x (Tiger) (at least in later updates), monitor mode is supported; 802.11 headers are provided, and non-data frames are captured, only in monitor mode. To capture in monitor mode on an AirPort Extreme device named en<n>, capture on a device named wlt<n> instead – for example, if your AirPort Extreme device is named en1, capture on wlt1. On PowerPC Macs, you will have to enable that device by changing the APMonitormode property in the /System/Library/Extensions/AppleAirport2.kext/Contents/Info.plist property list file to have the value “true” (<true/>) and rebooting; on Intel Macs, that device is enabled by default.

Leopard & Snow Leopard

In Mac OS X 10.5.x (Leopard) and 10.6.x (Snow Leopard), monitor mode is supported; 802.11 headers are provided, and non-data frames are captured, only in monitor mode. To capture in monitor mode on an AirPort Extreme device, select a “Link-layer header type” other than “Ethernet” from the Capture -> Options dialog box in Wireshark or by selecting a link-layer header type other than “EN10MB” with the “-y” flag in TShark or from the command line in Wireshark (the available link-layer types are printed if you use the “-L” flag).

Disassociating and Capturing

If you don’t already have Wireshark, go ahead and download and install it from Once installed and started, select the capture option and fill out the dialog as follows:

  • Capture using interface “en1”, which will be the wireless interface on the Mac.
  • Select “Capture packets in monitor mode”, which is needed to allow Wireshark to capture all wireless frames on the network.
  • The channel being sniffed will be the channel the Mac was associated to when Wireshark was started. While it is possible to change the channel being sniffed, you must do this via the “airport” command in the Terminal application. I’ve included a guide on how to use this below.

If you plan on using the captured packets in Cookie Cadger you have the option to open the captured file for exploitation.

$ airport

It’s possible to capture in monitor mode on an AirPort Extreme while it’s associated, but this necessarily limits the capture to the channel in use. You can use the undocumented “airport” command to disassociate from a network, if necessary, and set the channel. As the command is not in the standard path, you might find it convenient to set up a link, as shown below:

sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/sbin/airport

You will be prompted for your root password; enter it and hit return. Now you can use the simple command ‘airport’. You’ll probably find the -I and -S flags to be the most useful and informative, so type airport -I at the Terminal prompt, which will return something like this:

$ airport -I
commQuality: 75
rawQuality: 59
avgSignalLevel: -40
avgNoiseLevel: -97
linkStatus: ESS
portType: Client
lastTxRate: 11
maxRate: 11
lastAssocStatus: 1
BSSID: 00:06:5b:2a:37:10
SSID: OSXNetwork
Security: none

The output is detailed information on signal quality, noise, security, and other WiFi network attributes. The airport command is more powerful than just listing information on the current wireless network, though; you can also manually adjust many settings and troubleshoot. While there is no manual page for the airport command, attaching the -h flag to it will print a brief list of flags and explanations of their function.
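To make the airport -I report useful beyond eyeballing it, here is an added example (not part of the original post) that parses the key/value output quoted above into a dict, computes the signal-to-noise ratio, and flags the conditions a defender cares about, such as an open network. The sample report embedded below is the one from the post; the function names are my own.

```python
import re

# Constructed sample: the `airport -I` report quoted in the post above.
SAMPLE_REPORT = """\
commQuality: 75
rawQuality: 59
avgSignalLevel: -40
avgNoiseLevel: -97
linkStatus: ESS
portType: Client
lastTxRate: 11
maxRate: 11
lastAssocStatus: 1
BSSID: 00:06:5b:2a:37:10
SSID: OSXNetwork
Security: none
"""

# One "key: value" pair per line; the value may itself contain colons (BSSID).
_LINE = re.compile(r"^\s*(\w+):\s*(.*?)\s*$")

def parse_airport_info(text):
    """Turn the 'key: value' lines into a dict; numeric values become ints."""
    info = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # skip blank or unexpected lines rather than failing
        key, value = m.group(1), m.group(2)
        try:
            info[key] = int(value)
        except ValueError:
            info[key] = value
    return info

def snr_db(info):
    """Signal-to-noise ratio in dB from the averaged signal and noise levels."""
    return info["avgSignalLevel"] - info["avgNoiseLevel"]

def assess(info):
    """Return a short list of findings worth knowing about the current link."""
    findings = []
    if str(info.get("Security", "")).lower() == "none":
        findings.append("open network: traffic is unencrypted on the air")
    if snr_db(info) < 20:
        findings.append("weak link: SNR below 20 dB")
    if info.get("linkStatus") != "ESS":
        findings.append("not associated to an infrastructure network")
    return findings
```

On a Mac you can feed live output in with `airport -I | python3 -c 'import sys, airport_info as a; print(a.assess(a.parse_airport_info(sys.stdin.read())))'`, assuming the block is saved as airport_info.py.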

So, just as a quick example of the usage of the airport command:

sudo airport -z # disassociates your card from the current network
sudo airport -c["channel you want to switch to"] # sets the channel the card monitors on

If you have any questions or think I missed something feel free to tell me in the comments.