Due to overwhelming request I’m going to write a quick guide to setting you Mac into monitor mode for use with Cookie Cadger or Aircrack. In order to do this you will need a AirPort Extreme 802.11. The card that ships with any modern Mac. Depending on what version of OSX you hav installed the way set to monitor mode varies. I will be using Wireshark to set into monitor mode. You can download it from http://wireshark.org.
Panther (or earlier)
In Mac OS X releases prior to 10.4.0 (Panther and earlier), neither monitor mode, nor seeing 802.11 headers when capturing data, nor capturing non-data frames are supported – although promiscuous mode is supported.
In Mac OS X 10.4.x (Tiger) (at least in later updates), monitor mode is supported; 802.11 headers are provided, and non-data frames are captured, only in monitor mode. To capture in monitor mode on an AirPort Extreme device named enn, capture on a device named wltn instead – for example, if your AirPort Extreme device is named en1, capture on wlt1. On PowerPC Macs, you will have to enable that device by changing the !APMonitormode property in the /System/Library/Extensions/AppleAirport2.kext/Contents/Info.plist property list file to have the value “true” (<true/>) and rebooting; on Intel Macs, that device is enabled by default.
Leopard & Snow Leopard
In Mac OS X 10.5.x (Leopard) and 10.6.x (Snow Leopard), monitor mode is supported; 802.11 headers are provided, and non-data frames are captured, only in monitor mode. To capture in monitor mode on an AirPort Extreme device, select a “Link-layer header type” other than “Ethernet” from the Capture -> Options dialog box in Wireshark or by selecting a link-layer header type other than “EN10MB” with the “-y” flag in TShark or from the command line in Wireshark (the available link-layer types are printed if you use the “-L” flag).
Disassociating and Capturing
If you don’t already have Wireshark go ahead an download an install it from http://wireshark.org. Once installed and started, select the capture option and fill out the dialog as follows:
- Capture using interface “en1” which will be the wireless interface on the MAC
- Select “Capture packets in monitor mode” which is needed to allow Wireshark to capture all wireless frames on the network.
- The channel being sniffed will be the channel the MAC was associated to when Wireshark is started. While it is possible to change the channel being sniffed, you must do this via the “Airport” command on the terminal application. I’ve included a guide on how to use this below.
If you plan on using the captured packets in Cookie Cadger you have the option to open the captured file for exploitation.
It’s possible to capture in monitor mode on an AirPort Extreme while it’s associated, but this necessarily limits the captures to the channel in use. You can use the undocumented “airport” command to disassociate from a network, if necessary, and set the channel. As the command is not in the standard path, you might find it convenient to set up a link, as shown in http://osxdaily.com/2007/01/18/airport-the-little-known-command-line-wireless-utility/:
sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/sbin/airport
You will be prompted for your root password enter it and hit return. Now you can use the simple command ‘airport’. You’ll probably find the -I flag and -S flags to be most useful and informative, so type airport -I at the Terminal prompt, which will return something like the this:
$ airport -I commQuality: 75 rawQuality: 59 avgSignalLevel: -40 avgNoiseLevel: -97 linkStatus: ESS portType: Client lastTxRate: 11 maxRate: 11 lastAssocStatus: 1 BSSID: 00:06:5b:2a:37:10 SSID: OSXNetwork Security: none $
The output is detailed information on signal quality, noise, security, and other WiFi network attributes. The airport command is more powerful than just being able to list information on the current wireless network though, you can actually manually adjust many settings and troubleshoot too. While there is no manual page for the airport command, attaching the -h command to it will issue a brief list of flags and explanations of their function.
So just as a quick example of the usage of the airport command
sudo airport -z #disassociates you card from the current network sudo airport -c["channel you want to switch to"] #sets the channel the card monitors on
If you have any questions or think I missed something feel free to tell me in the comments.