OS X As A Pentesting OS

Apple’s OS X has been receiving a lot of flak lately, both in regard to security issues and its worth as an OS. I used to be a long time Linux/BSD user, until one day I found a 12-inch Apple PowerBook lying around. After playing around on it for a week or so, I really began to see the possibilities, which led me to go and buy my own 15-inch PowerBook and see if it could replace my aging Dell laptop, which was dual booting Debian and OpenBSD. As OS X is built on a FreeBSD microkernel, it has all the BSD bits under the hood, so I wanted to see how far I could push this baby: could I end up using a Mac for my daily pen-testing work, and have a rock solid secure operating system to work on at the same time? The answer is a huge yes!

OS X may have its faults, but it is a damn sight more secure than Windows, but then again, that doesn’t really take too much now does it? It ships with a built in firewall, which is the standard FreeBSD IPFW (IP Firewall). This really is a great firewall, and in my opinion blows the likes of IPchains/IPtables on Linux out of the water: it’s a lot easier to configure, and has a hell of a lot more options. I won’t argue that the interface Apple gives you is really basic, and consists of options like enable/disable SSH, SMB, VNC, etc., and whether or not you want logging turned on or off. As a security professional and a UNIX geek, this really isn’t good enough at all, so we need to drop under the hood and modify these rules to suit our everyday needs, only allowing in and out the things we really want to. To have some fun we’ll set it so certain rules only kick in at certain times of the day (using cron) or when our laptop is getting scanned/probed (portsentry). For info on how to lock down IPFW on OS X either read the IPFW man page (best way), or have a look at these links, as they will give you the basics:
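As an added example, not from the original article, here is a sketch of the kind of IPFW lockdown described above, with a cron-driven rule that only applies during working hours; the LAN range, rule numbers, the VNC window and the script name are assumptions, so review the rules before loading them:

```shell
#!/bin/sh
# Added example, not from the original article: a small IPFW lockdown script for OS X
# in the spirit of the firewall section above. The LAN range, rule numbers, the VNC
# working-hours window and the script name are assumptions; run as root and adjust first.
IPFW=/sbin/ipfw
LAN=192.168.1.0/24   # constructed: the trusted local subnet

# Print the baseline ruleset, one rule per line, so it can be reviewed before loading:
# loopback only on lo0, stateful outbound, limited ICMP, SSH from the LAN, deny+log the rest.
emit_rules() {
  cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny log ip from 127.0.0.0/8 to any
add 1000 check-state
add 1100 allow tcp from me to any out setup keep-state
add 1200 allow udp from me to any out keep-state
add 1300 allow icmp from any to any icmptypes 0,3,8,11
add 2000 allow tcp from $LAN to me 22 in setup keep-state
add 65000 deny log ip from any to any
EOF
}

# The "only at certain times of the day" idea: root's crontab opens VNC (5900) from the
# LAN at 09:00 on weekdays and removes the rule again at 18:00. Rule 3000 sits between
# the SSH rule and the final deny, so outside that window VNC is simply blocked.
emit_crontab() {
  printf '0 9 * * 1-5 %s -q add 3000 allow tcp from %s to me 5900 in setup keep-state\n' "$IPFW" "$LAN"
  printf '0 18 * * 1-5 %s -q delete 3000\n' "$IPFW"
}

# Flush the live ruleset and load the baseline. Denied packets are logged once
# net.inet.ip.fw.verbose is set to 1 with sysctl.
apply_rules() {
  "$IPFW" -q flush
  emit_rules | while read -r rule; do
    # word splitting of $rule is intentional: ipfw wants each token as a separate argument
    "$IPFW" -q $rule
  done
}

# Usage (as root): . ./ipfw-lockdown.sh; apply_rules; then add the emit_crontab lines
# with crontab -e. Check emit_rules output first: the final deny blocks anything unlisted.
```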




Great! So now we’ve got the firewall on our shiny new Mac configured, and we can move on to other things before we start adding a load of tools and the like. OS X comes with a great utility called FileVault; what this little baby does is encrypt your entire home folder and everything in it with 128-bit AES encryption. The encryption and decryption happen in real time, and when you turn it on there really isn’t any performance hit at all. So now we have an OS that, after the few minutes we just spent tweaking it, is already a hell of a lot more secure than most other OSes.

Now OS X has a load of cool applications already developed for it, especially for anything media related, but we’re not going to go down that route. We want a pen-testing box to play with. First things first, if you’ve ever used Free/Open/NetBSD or Debian/Gentoo Linux then you’re going to know how useful the ports and package collections are. OS X doesn’t ship with any form of ports collection, but you can just install one, and away you go. Currently there are two different ports trees for OS X: Fink (http://fink.sourceforge.net/) and DarwinPorts (http://darwinports.opendarwin.org/). My personal favourite is DarwinPorts, as it has a lot more security related ports. So get that installed; all the installation instructions are on the DarwinPorts site, and it’s a pretty painless install.

Now on to adding some tools on our little beast. The tools that I most frequently used on Linux/BSD are listed below; all the ones with * next to them can be installed on OS X, most of them through the DarwinPorts tree.

Cryptcat* (OS X has Netcat installed by default)
Metasploit Framework*
Perl (Installed by default)
WebScarab*

So as you can see, I managed to get everything that I was using on Linux and BSD installed. I also have a load of other tools installed, but the ones listed above are the more popular tools. If you can install anything on BSD then it should be taken as a given that you’ll be able to install it on OS X (it may require a bit of extra work, but usually nothing major). This includes window managers as well, as I’ve had Fluxbox and KDE running.

When it comes to wireless tools, you really can’t go wrong with KisMac. It’s a clone of Kismet, but it does a hell of a lot more than Kismet; for instance it has built in WEP cracking, which really is a nice added plus. I know that this sort of thing is planned for the next big release of Kismet, but still, on OS X it’s here now. One thing to note though: you need to have a PowerBook to be able to use KisMac, as the standard Apple AirPort card currently can’t do passive sniffing, and the PowerBooks are the only Macs with a PCMCIA slot. If your wireless PCMCIA card isn’t supported, head over to http://wirelessdriver.sourceforge.net/ and see if there’s a driver listed for your card there. Wirelessdriver works like a charm for my Orinoco and Prism cards.

There are also MacStumbler and iStumbler, which are pretty much like NetStumbler; I’ve never been a great fan of NetStumbler, but they’re useful for a quick look around.

Well that’s about it, but I’d seriously recommend a Mac with OS X for pen-testing, mine hasn’t let me down yet.

  • ghostii

    How come it took so long for you to realise that it was, in fact, the perfect weapon???

    Took me about thirty seconds!! :o )

  • chris

    are you sure you mean Kismet and not KisMac?

  • http://www.xyberpix.com xyberpix

    yep, Kismet installs fine, I’ve got Kismet and KisMac running.

  • http://www.xyberpix.com xyberpix

    As a follow on in regard to Kismet on OS X.

    From http://kismetwireless.net/blog/
    “Sat Jun 14 2003 - Thanks to Sushila’s hard work, Kismet runs natively on
    OSX now using the Viha drivers. Read the README, but the basic method
    is: “./configure --disable-pcap --enable-viha” and set the
    capturesource to viha,en1,foo.”

  • http://djtechnocrat.blogspot.com/ Technocrat

    Couple of tips on anti-spyware and anti-virus software for OS X

  • http://www.xyberpix.com xyberpix

    Nice, thanks for the heads up on that one mate. The anti-spyware is interesting, but I’m sorry, I’m just one of those people that still thinks that until there’s a need to install AV software on UNIX boxes, I’m not going to do it ;-) Anyone else feel the same, or is it just me?

  • http://bitfever.de/weblog Toto

    MisMAC indeed now supports passive scanning using Apple Airport Extreme cards. The version is not released yet, but you can build it from SVN. No packet injection yet, though.

  • http://www.xyberpix.com xyberpix


  • http://bitfever.de/weblog Toto

    KisMAC. Sorry for the typo, but the SVN version of KisMAC does indeed support passive WLAN detection.

  • http://www.xyberpix.com xyberpix

    Cool!! Wasn’t aware of that, thanks for the heads up. Any ideas when the official next release date is?

  • duke

    Toto, how and where can I download the SVN version?

  • krzee

    KisMAC can do packet reinjection on b networks with the Prism chipset, but this is only good if the victim wifi AP has a b client connected. The Ralink chipset should support reinjection on g networks soon; in fact rumors say it is working but not submitted to SVN yet. Google will happily tell you how to install the latest SVN version.