kernel panic on macOS (any) when running wifi.deauth and wifi.assoc #448

Open
mandreko opened this issue Feb 14, 2019 · 86 comments
@mandreko

mandreko commented Feb 14, 2019

Environment

Steps to Reproduce

  1. Ensure MacOS is not connected to any wifi AP
  2. Open terminal
  3. sudo bettercap -iface en0
  4. wifi.recon on
  5. set wifi.show.sort clients desc
  6. set ticker.commands 'clear; wifi.show'
  7. ticker on
  8. wifi.recon.channel 11 #my AP's channel is 11
  9. wifi.deauth 10:da:43:bf:73:e4 # My AP BSSID

Expected behavior:
This should start performing a deauth attack and capturing handshakes

Actual behavior:
The fan on the macbook spins at 100% for a second, screen flickers, then blacks out, and finally reboots.

@evilsocket evilsocket added can't reproduce help wanted Extra attention is needed labels Feb 14, 2019
@evilsocket evilsocket self-assigned this Feb 14, 2019
@evilsocket
Member

evilsocket commented Feb 14, 2019

it seems caused by a bug in com.apple.iokit.IONetworkingFamily rather than bettercap itself ... relevant info:

CR0: 0x0000000080010033, CR2: 0x00000000000094ea, CR3: 0x000000075f44213c, CR4: 0x00000000003626e0
RAX: 0x00000000000094da, RBX: 0xffffff8050736800, RCX: 0xffffff7f84781508, RDX: 0x0000000000000000
RSP: 0xffffffa3c467ba70, RBP: 0xffffffa3c467ba80, RSI: 0xffffff83b46c3900, RDI: 0xffffff834a275000
R8:  0xffffff7f84687106, R9:  0x0000000000000000, R10: 0xffffff8002e9c4e8, R11: 0x000000cedeecf5f8
R12: 0xffffff83b46c3900, R13: 0xffffff805289ea40, R14: 0xffffff83b46c3900, R15: 0xffffff805289ea40
RFL: 0x0000000000010246, RIP: 0xffffff7f8395db7a, CS:  0x0000000000000008, SS:  0x0000000000000010
Fault CR2: 0x00000000000094ea, Error code: 0x0000000000000000, Fault CPU: 0x0, PL: 0, VF: 1

Backtrace (CPU 0), Frame : Return Address
0xffffffa3c467b540 : 0xffffff80025aeafd
0xffffffa3c467b590 : 0xffffff80026e85a3
0xffffffa3c467b5d0 : 0xffffff80026d9fca
0xffffffa3c467b640 : 0xffffff800255bca0
0xffffffa3c467b660 : 0xffffff80025ae517
0xffffffa3c467b780 : 0xffffff80025ae363
0xffffffa3c467b7f0 : 0xffffff80026da1ed
0xffffffa3c467b960 : 0xffffff800255bca0
0xffffffa3c467b980 : 0xffffff7f8395db7a
0xffffffa3c467ba80 : 0xffffff7f8368cdc4
0xffffffa3c467bac0 : 0xffffff8002c59435
0xffffffa3c467bb20 : 0xffffff7f8368ceac
0xffffffa3c467bb40 : 0xffffff7f8368c286
0xffffffa3c467bbb0 : 0xffffff7f8368c4a7
0xffffffa3c467bbf0 : 0xffffff7f8395df6a
0xffffffa3c467bc20 : 0xffffff7f8395de8f
0xffffffa3c467bc40 : 0xffffff8002848d6a
0xffffffa3c467bcd0 : 0xffffff8002838a87
0xffffffa3c467bd40 : 0xffffff800282d210
0xffffffa3c467bdc0 : 0xffffff800281ec4e
0xffffffa3c467be30 : 0xffffff8002aedeee
0xffffffa3c467bee0 : 0xffffff8002aedd1a
0xffffffa3c467bf40 : 0xffffff8002bb5efb
0xffffffa3c467bfa0 : 0xffffff800255c466
      Kernel Extensions in backtrace:
         com.apple.iokit.IONetworkingFamily(3.4)[3F8CF549-42D5-33F3-A686-5FDFCB7F45AC]@0xffffff7f83679000->0xffffff7f836a8fff
         com.apple.iokit.IO80211FamilyV2(1200.12.2)[C3772E9A-9AB4-31DE-82B2-DF7226B38D2C]@0xffffff7f838ff000->0xffffff7f839fefff
            dependency: com.apple.driver.corecapture(1.0.4)[1559120E-E24B-3BEF-B864-5E6D6FB0DDE6]@0xffffff7f83409000
            dependency: com.apple.driver.AppleMobileFileIntegrity(1.0.5)[A69BF990-ABB3-3731-A7A2-9C1FB76BCF6F]@0xffffff7f833ab000
            dependency: com.apple.kec.corecrypto(1.0)[0F77793D-78A0-3EA4-B2AC-A287F438DE3A]@0xffffff7f832ec000
            dependency: com.apple.iokit.IONetworkingFamily(3.4)[3F8CF549-42D5-33F3-A686-5FDFCB7F45AC]@0xffffff7f83679000

BSD process name corresponding to current thread: bettercap

Mac OS version:
18C54


Kernel version:
Darwin Kernel Version 18.2.0: Mon Nov 12 20:24:46 PST 2018; root:xnu-4903.231.4~2/RELEASE_X86_64
Kernel UUID: 56B30885-F9BA-30E8-AD1C-5D59EC243BA9
Kernel slide:     0x0000000002200000
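
The panic above lists the load ranges of the two kexts in the backtrace, which is enough to attribute each return address to a module without symbols. The following triage script is an added example, not part of the thread or of bettercap; it runs over an excerpt of that log (line wrapping repaired), and its function names are this example's own.

```python
import re

# Excerpt of the first panic log in this thread (macOS build 18C54),
# copied from the page with the broken line wrapping repaired.
PANIC = """\
RAX: 0x00000000000094da, RBX: 0xffffff8050736800, RCX: 0xffffff7f84781508, RDX: 0x0000000000000000
RFL: 0x0000000000010246, RIP: 0xffffff7f8395db7a, CS:  0x0000000000000008, SS:  0x0000000000000010
Fault CR2: 0x00000000000094ea, Error code: 0x0000000000000000, Fault CPU: 0x0, PL: 0, VF: 1

Backtrace (CPU 0), Frame : Return Address
0xffffffa3c467b960 : 0xffffff800255bca0
0xffffffa3c467b980 : 0xffffff7f8395db7a
0xffffffa3c467ba80 : 0xffffff7f8368cdc4
0xffffffa3c467bac0 : 0xffffff8002c59435
0xffffffa3c467bb20 : 0xffffff7f8368ceac
0xffffffa3c467bb40 : 0xffffff7f8368c286
0xffffffa3c467bbb0 : 0xffffff7f8368c4a7
0xffffffa3c467bbf0 : 0xffffff7f8395df6a
0xffffffa3c467bc20 : 0xffffff7f8395de8f
0xffffffa3c467bc40 : 0xffffff8002848d6a
      Kernel Extensions in backtrace:
         com.apple.iokit.IONetworkingFamily(3.4)[3F8CF549-42D5-33F3-A686-5FDFCB7F45AC]@0xffffff7f83679000->0xffffff7f836a8fff
         com.apple.iokit.IO80211FamilyV2(1200.12.2)[C3772E9A-9AB4-31DE-82B2-DF7226B38D2C]@0xffffff7f838ff000->0xffffff7f839fefff
            dependency: com.apple.driver.corecapture(1.0.4)[1559120E-E24B-3BEF-B864-5E6D6FB0DDE6]@0xffffff7f83409000
"""

# x86_64 general-purpose registers that can serve as the base of a memory access.
GPRS = ("RAX", "RBX", "RCX", "RDX", "RSI", "RDI") + tuple(f"R{i}" for i in range(8, 16))


def parse_registers(text):
    """Return {name: value} for every 'NAME: 0x...' pair in the register dump."""
    pairs = re.findall(r"\b([A-Z][A-Z0-9]{1,2}):\s*(0x[0-9a-f]+)", text)
    return {name: int(value, 16) for name, value in pairs}


def parse_kexts(text):
    """Return (bundle_id, start, end) for kexts listed with a full load range.

    'dependency:' lines are skipped: in this log they carry no end address.
    """
    pat = re.compile(
        r"^\s*(com\.[\w.]+)\([^)]*\)\[[0-9A-Fa-f-]+\]@(0x[0-9a-f]+)->(0x[0-9a-f]+)",
        re.MULTILINE,
    )
    return [(n, int(s, 16), int(e, 16)) for n, s, e in pat.findall(text)]


def parse_frames(text):
    """Return the return addresses of the backtrace, innermost first."""
    pat = r"^0x[0-9a-f]{16}\s*:\s*(0x[0-9a-f]{16})"
    return [int(ret, 16) for ret in re.findall(pat, text, re.MULTILINE)]


def owner(addr, kexts):
    """Map an address to (short kext name, offset into kext) or ('kernel', None)."""
    for name, start, end in kexts:
        if start <= addr <= end:
            return name.rsplit(".", 1)[-1], addr - start
    return "kernel", None


def triage(text):
    regs, kexts = parse_registers(text), parse_kexts(text)
    fault, rip = regs["CR2"], regs["RIP"]
    rip_owner, rip_offset = owner(rip, kexts)
    # A register whose value sits just below CR2 is the likely base pointer
    # of the faulting access; the difference is the field displacement.
    base = next(
        ((r, fault - regs[r]) for r in GPRS if r in regs and 0 <= fault - regs[r] <= 0xFF),
        None,
    )
    return {
        "fault_addr": fault,
        "low_address": fault < 0x10000,  # small integer used as a kernel pointer
        "rip_owner": rip_owner,
        "rip_offset": rip_offset,
        "base": base,
        "frames": [owner(a, kexts)[0] for a in parse_frames(text)],
    }


if __name__ == "__main__":
    result = triage(PANIC)
    for key, value in result.items():
        print(f"{key}: {value}")
```

For this log the faulting RIP lands in IO80211FamilyV2 at offset 0x5eb7a, the frame above it is in IONetworkingFamily, and the fault address is RAX + 0x10.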

@Electronickss

Electronickss commented Feb 14, 2019

Environment

Steps to Reproduce

  1. Ensure MacOS is not connected to any wifi AP
  2. Open terminal
  3. >sudo bettercap -iface en0
  4. >wifi.recon on
  5. >set wifi.show.sort clients desc
  6. >set ticker.commands 'clear; wifi.show'
  7. >ticker on
  8. >wifi.recon.channel 1
  9. >wifi.assoc all

Expected behavior:
This should start collecting PMKID pcaps

Actual behavior:
The fan on the macbook spins at 100% for a second, screen flickers, then blacks out, and finally reboots.

@evilsocket
Member

can you produce a panic with the keepsyms=1 kernel boot arg? that'll make it much more readable

@ohpe
Member

ohpe commented Feb 15, 2019

I can't replicate this issue, but I have Mojave 10.14.3. Try to upgrade the system .. maybe it has been fixed automagically by Apple.

@1337jay

1337jay commented Feb 15, 2019

I can't replicate this issue, but I have Mojave 10.14.3. Try to upgrade the system .. maybe it has been fixed automagically by Apple.

Same, cannot reproduce on 10.14.3.

@evilsocket evilsocket changed the title Kernel panic on OSX when running deauth kernel panic on macOS Mojave 10.14.2 when running wifi.deauth and wifi.assoc Feb 15, 2019
@evilsocket
Member

it seems clear to me this is a 10.14.2 bug rather than bettercap's, closing this since upgrading to 10.14.3 seems to fix the issue

@mandreko
Author

I'm not sure that it's a 10.14.2 bug. On my other MacBook (an older model), I ran the same stuff, and it's working great.

MacBook Pro (Retina, Mid 2012)
Bettercap v2.16 (from go-install)
MacOS Mojave 10.14.2
Go version 1.11.5 (from homebrew)

Maybe it could be an issue with 10.14.2 specifically with the newer MacBooks only?

@buffermet
Member

I believe that #429 is related.

@evilsocket
Member

well, it looks like a 10.14.2 bug with newer hardware ...

@joeddoe

joeddoe commented Feb 16, 2019

I can reproduce the kernel panic on MacBook Pro 2018 with macOS Mojave 10.14.3 when running wifi.assoc all or when trying to wifi.deauth BSSID, seems like an issue with newer hardware and it's not only in 10.14.2.

@evilsocket
Member

lol fun

@Electronickss

I also can reproduce on 10.14.3. I am also on a 2018 retina. Has anyone attempted this with an external WiFi interface? All of my crashes were with the native WiFi interface

@mandreko
Author

I haven't been able to test it on my 2018 retina with an external Wifi yet, as OSX doesn't seem to recognize my normal adapter. I have an alfa arriving soon, so I'll try it to see. I can report that using a Kali VM on a 2018 Macbook worked fine, with a TP-Link TL-WN722N v1.

@logichard

logichard commented Mar 6, 2019

Same here :c I can reproduce the kernel panic on MacBook Pro 15 2018 with macOS Mojave 10.14.3 when running wifi.assoc all or when trying to wifi.deauth @evilsocket Maybe reopen?

@buffermet
Member

@logichard evilsocket has already pinpointed the error here

this issue should be raised with Apple instead, so a patch can be made

@elbowdonkey

Unfortunately, I can reproduce this in 10.14.5.

I'm almost 100% certain that this only happens on Macs equipped with T2 chips. To determine if your machine has a T2 chip click the Apple menu, About This Mac, System Report, and under Hardware click on Controller. If you see "Apple T2 Security Chip" you're probably experiencing kernel panics when deauthing.

Apple's recommendation for a fix: wipe and reload MacOS from scratch, disable FileVault, and disable Power Nap.

I'm going to see if disabling Power Nap alone helps. If it doesn't, I'll use a $30 Odroid instead of this $3500 brick.

@elbowdonkey

Disabling Power Nap did not help.

@neben

neben commented Jul 30, 2019

Still happening on MacOS 10.14.6 (2018 MBP with T2).

@joshgubler

Also happening on 2019 MBP with T2 running Mojave 10.14.6.

(Yes, I see that this is an Apple issue, not a Bettercap issue, but just in case others stumble across this thread...)

@joshgubler

@elbowdonkey Do you have a link to the issue with Apple so that we can +1?

@myhalici

MacBook Pro (15-inch, 2019)
Model Name: MacBook Pro
Model Identifier: MacBookPro15,1
Processor Name: Intel Core i9
Processor Speed: 2,3 GHz
Number of Processors: 1
Total Number of Cores: 8
L2 Cache (per Core): 256 KB
L3 Cache: 16 MB
Hyper-Threading Technology: Enabled
Memory: 16 GB
Boot ROM Version: 220.270.99.0.0 (iBridge: 16.16.6568.0.0,0)

Mac OS Version 10.14.6 (18G87)

same issue here. I can reproduce and report that apple multiple times.

@JimWas

JimWas commented Sep 27, 2019

Also still happening on 2019 T2 Macbook Pro on 10.14.6. Anyone find a fix yet?

@ricardoparro

this might be associated with the same problem I saw running sudo airport sniff <channel>. It returns Segmentation fault: 11.

@Saturate

Saturate commented Dec 2, 2019

This also happens for me on 10.15.1, with the new MacBook Pro 16".

I'll see if Apple can help out and update here.

panic(cpu 4 caller 0xffffff800f062e0a): Kernel trap at 0xffffff7f90533c98, type 14=page fault, registers:
CR0: 0x0000000080010033, CR2: 0x0000000000003a0e, CR3: 0x000000047c67b084, CR4: 0x00000000003626e0
RAX: 0x00000000000039fe, RBX: 0xffffff805d8a3000, RCX: 0xffffff7f90533c7c, RDX: 0x0000000000000000
RSP: 0xffffff83b9e43a80, RBP: 0xffffff83b9e43a90, RSI: 0xffffff83c2e72b00, RDI: 0xffffff805c748000
R8:  0x0000000000000000, R9:  0x0000000000000000, R10: 0xffffff8067b6fd50, R11: 0xffffff800f641560
R12: 0xffffff83b9e43b84, R13: 0xffffff8061222280, R14: 0xffffff83c2e72b00, R15: 0xffffff8061222280
RFL: 0x0000000000010246, RIP: 0xffffff7f90533c98, CS:  0x0000000000000008, SS:  0x0000000000000010
Fault CR2: 0x0000000000003a0e, Error code: 0x0000000000000000, Fault CPU: 0x4, PL: 0, VF: 1

Backtrace (CPU 4), Frame : Return Address
0xffffff83b9e434e0 : 0xffffff800ef39a3b 
0xffffff83b9e43530 : 0xffffff800f070fe5 
0xffffff83b9e43570 : 0xffffff800f062a5e 
0xffffff83b9e435c0 : 0xffffff800eee0a40 
0xffffff83b9e435e0 : 0xffffff800ef39127 
0xffffff83b9e436e0 : 0xffffff800ef3950b 
0xffffff83b9e43730 : 0xffffff800f6d17f9 
0xffffff83b9e437a0 : 0xffffff800f062e0a 
0xffffff83b9e43920 : 0xffffff800f062b08 
0xffffff83b9e43970 : 0xffffff800eee0a40 
0xffffff83b9e43990 : 0xffffff7f90533c98 
0xffffff83b9e43a90 : 0xffffff7f8fbbadc4 
0xffffff83b9e43ad0 : 0xffffff800f6418e5 
0xffffff83b9e43b30 : 0xffffff7f8fbbaea8 
0xffffff83b9e43b50 : 0xffffff7f8fbba2a0 
0xffffff83b9e43bb0 : 0xffffff7f8fbba4ad 
0xffffff83b9e43bf0 : 0xffffff7f90533d78 
0xffffff83b9e43c20 : 0xffffff7f90533c67 
0xffffff83b9e43c40 : 0xffffff800f1e52cf 
0xffffff83b9e43cd0 : 0xffffff800f1d4404 
0xffffff83b9e43d50 : 0xffffff800f1c8802 
0xffffff83b9e43dc0 : 0xffffff800f1b98a9 
0xffffff83b9e43e20 : 0xffffff800f4b6f10 
0xffffff83b9e43ee0 : 0xffffff800f4b6cd0 
0xffffff83b9e43f40 : 0xffffff800f59a1aa 
0xffffff83b9e43fa0 : 0xffffff800eee1206 
      Kernel Extensions in backtrace:
         com.apple.iokit.IONetworkingFamily(3.4)[F46C548B-88E3-3BDF-9A45-7A888C2A453C]@0xffffff7f8fba7000->0xffffff7f8fbd6fff
         com.apple.iokit.IO80211FamilyV2(1200.12.2b1)[B51562AE-CD15-392B-A65D-025E2A523244]@0xffffff7f904aa000->0xffffff7f9060bfff
            dependency: com.apple.driver.corecapture(1.0.4)[FB0FAE17-9062-3578-9D56-98488DB40E80]@0xffffff7f90221000
            dependency: com.apple.driver.AppleMobileFileIntegrity(1.0.5)[05E2056B-97F9-3920-A087-0D9CF4581EED]@0xffffff7f8ff18000
            dependency: com.apple.kec.corecrypto(1.0)[10F67ECA-3286-3AD2-A50D-E9E38C93B5B0]@0xffffff7f8fe34000
            dependency: com.apple.iokit.IOSkywalkFamily(1)[8C29E5F8-6CA9-3BBA-84C9-B433713B1F61]@0xffffff7f9029f000
            dependency: com.apple.iokit.IONetworkingFamily(3.4)[F46C548B-88E3-3BDF-9A45-7A888C2A453C]@0xffffff7f8fba7000

BSD process name corresponding to current thread: bettercap
Boot args: chunklist-security-epoch=0 -chunklist-no-rev2-dev

Mac OS version:
19B2106

Kernel version:
Darwin Kernel Version 19.0.0: Wed Oct 23 18:29:05 PDT 2019; root:xnu-6153.41.3~44/RELEASE_X86_64
Kernel UUID: A2105C6A-7856-3F61-8E00-36E694C78609
Kernel slide:     0x000000000ec00000
Kernel text base: 0xffffff800ee00000
__HIB  text base: 0xffffff800ed00000
System model name: MacBookPro16,1 (Mac-E1008331FDC96864)
System shutdown begun: NO

System uptime in nanoseconds: 678592290200
last loaded kext at 243442578689: @filesystems.msdosfs	1.10 (addr 0xffffff7f96348000, size 69632)
last unloaded kext at 409120067285: >usb.!UHostPacketFilter	1.0 (addr 0xffffff7f916ee000, size 24576)

@dennis777

dennis777 commented Apr 4, 2021 via email

@dryyellow

Using M1 Macbook running 11.2.3, Bettercap can still put WIFI card in monitor mode, still crashes on injection. Also M1's don't have the T2 chip because it was moved inside the M1.

@evilsocket
Member

yeah i highly doubt this is T2

@evilsocket evilsocket changed the title kernel panic on macOS Mojave 10.14.2 when running wifi.deauth and wifi.assoc kernel panic on macOS (any) when running wifi.deauth and wifi.assoc Apr 17, 2021
@evilsocket
Member

can anyone paste the panic stack trace on M1?

@dennis777

dennis777 commented Apr 17, 2021

panic(cpu 4 caller 0xfffffe0018a7904c): Kernel data abort. at pc 0xfffffe0019f85260, lr 0xfffffe0019f8525c (saved state: 0xfffffe3f5613b570)
	  x0: 0x0000000000000d04  x1:  0xfffffe301a528300  x2:  0x0000000000000000  x3:  0xfffffe3f5613b9bc
	  x4: 0x0000000000000000  x5:  0x0000000000000000  x6:  0x0000000000000000  x7:  0xfaf6fe00189ab528
	  x8: 0xfffffe3000a64000  x9:  0x0000000000008018  x10: 0x0000000000000000  x11: 0x0000000000000002
	  x12: 0x0000000000000001 x13: 0x0000000000000003  x14: 0x00000000e00002e8  x15: 0x4953434c57447572
	  x16: 0xfffffe00187f532c x17: 0xfffffe001b723520  x18: 0x0000000000000000  x19: 0xfffffe301a528300
	  x20: 0xfffffe23360e2800 x21: 0xfffffe2335f128a0  x22: 0xfffffe301a528300  x23: 0xaffdfe001a647044
	  x24: 0xfffffe23354f5fc0 x25: 0x0000000000000002  x26: 0xfffffe166e668aa0  x27: 0xcda1fe233684db80
	  x28: 0x000000000000007f fp:  0xfffffe3f5613b8d0  lr:  0xfffffe0019f8525c  sp:  0xfffffe3f5613b8c0
	  pc:  0xfffffe0019f85260 cpsr: 0x80401208         esr: 0x96000006          far: 0x0000000000000d14

Debugger message: panic
Memory ID: 0x6
OS release type: User
OS version: 20D64
Kernel version: Darwin Kernel Version 20.3.0: Thu Jan 21 00:06:51 PST 2021; root:xnu-7195.81.3~1/RELEASE_ARM64_T8101
Fileset Kernelcache UUID: F08F12DFF70C39DBC0CC09CC01116325
Kernel UUID: 9FE8C0DA-8ED0-381C-9CEC-2A779F3E1503
iBoot version: iBoot-6723.81.1
secure boot?: YES
Paniclog version: 13
KernelCache slide: 0x0000000010690000
KernelCache base:  0xfffffe0017694000
Kernel slide:      0x00000000111c4000
Kernel text base:  0xfffffe00181c8000
Kernel text exec base:  0xfffffe0018290000
mach_absolute_time: 0xb16b1cb1e02
Epoch Time:        sec       usec
  Boot    : 0x6064a751 0x000ac646
  Sleep   : 0x607b18a8 0x0009c11d
  Wake    : 0x607b18c1 0x000a6bd0
  Calendar: 0x607b190c 0x0003eac6

CORE 0 recently retired instr at 0xfffffe00183fac0c
CORE 1 recently retired instr at 0xfffffe00183fac0c
CORE 2 recently retired instr at 0xfffffe00183fac0c
CORE 3 recently retired instr at 0xfffffe00183fac0c
CORE 4 recently retired instr at 0xfffffe00183f9748
CORE 5 recently retired instr at 0xfffffe00183fac10
CORE 6 recently retired instr at 0xfffffe00183fac10
CORE 7 recently retired instr at 0xfffffe00183fac10
Panicked task 0xfffffe1675ed5f18: 8001 pages, 15 threads: pid 94350: bettercap
Panicked thread: 0xfffffe1674e44000, backtrace: 0xfffffe3f5613ace0, tid: 9586654
		  lr: 0xfffffe00182ddfd0  fp: 0xfffffe3f5613ad50
		  lr: 0xfffffe00182ddd9c  fp: 0xfffffe3f5613adc0
		  lr: 0xfffffe00183fff0c  fp: 0xfffffe3f5613ade0
		  lr: 0xfffffe00183f18b8  fp: 0xfffffe3f5613ae90
		  lr: 0xfffffe00182977e8  fp: 0xfffffe3f5613aea0
		  lr: 0xfffffe00182dda2c  fp: 0xfffffe3f5613b230
		  lr: 0xfffffe00182dda2c  fp: 0xfffffe3f5613b2a0
		  lr: 0xfffffe0018a7865c  fp: 0xfffffe3f5613b2c0
		  lr: 0xfffffe0018a7904c  fp: 0xfffffe3f5613b430
		  lr: 0xfffffe00183f3768  fp: 0xfffffe3f5613b4a0
		  lr: 0xfffffe00183f17e4  fp: 0xfffffe3f5613b550
		  lr: 0xfffffe00182977e8  fp: 0xfffffe3f5613b560
		  lr: 0xfffffe0019f8525c  fp: 0xfffffe3f5613b8d0
		  lr: 0xfffffe001a6470f4  fp: 0xfffffe3f5613b920
		  lr: 0xfffffe00189ab440  fp: 0xfffffe3f5613b980
		  lr: 0xfffffe001a647260  fp: 0xfffffe3f5613b9a0
		  lr: 0xfffffe001a645fcc  fp: 0xfffffe3f5613ba10
		  lr: 0xfffffe001a646260  fp: 0xfffffe3f5613ba50
		  lr: 0xfffffe0019f85400  fp: 0xfffffe3f5613ba80
		  lr: 0xfffffe0019f8521c  fp: 0xfffffe3f5613baa0
		  lr: 0xfffffe001856fdc4  fp: 0xfffffe3f5613bb40
		  lr: 0xfffffe0018561bf0  fp: 0xfffffe3f5613bbb0
		  lr: 0xfffffe0018556678  fp: 0xfffffe3f5613bc30
		  lr: 0xfffffe0018549ff8  fp: 0xfffffe3f5613bca0
		  lr: 0xfffffe00187ff160  fp: 0xfffffe3f5613bd50
		  lr: 0xfffffe00187fefa4  fp: 0xfffffe3f5613bdb0
		  lr: 0xfffffe00188da7ac  fp: 0xfffffe3f5613be40
		  lr: 0xfffffe00183f159c  fp: 0xfffffe3f5613bef0
		  lr: 0xfffffe00182977e8  fp: 0xfffffe3f5613bf00
      Kernel Extensions in backtrace:
         com.apple.iokit.IONetworkingFamily(3.4)[C2AB95D8-8942-37CE-BEF5-7FB52C830516]@0xfffffe001a628000->0xfffffe001a64bfff
         com.apple.iokit.IO80211FamilyV2(1200.12.2b1)[3ADBA607-EC0C-3D52-88AF-5340832B3DA5]@0xfffffe0019ed8000->0xfffffe0019fe7fff
            dependency: com.apple.driver.AppleMobileFileIntegrity(1.0.5)[049EE20E-B1F5-3A79-A2A5-AC55F015074B]@0xfffffe001954c000->0xfffffe001955ffff
            dependency: com.apple.driver.corecapture(1.0.4)[943D5A8D-E9D2-30CB-A2FE-BB9234BB8D26]@0xfffffe001af44000->0xfffffe001af63fff
            dependency: com.apple.iokit.IONetworkingFamily(3.4)[C2AB95D8-8942-37CE-BEF5-7FB52C830516]@0xfffffe001a628000->0xfffffe001a64bfff
            dependency: com.apple.iokit.IOSkywalkFamily(1)[65FCAF99-B187-36EC-A275-25DEEB4DD2C4]@0xfffffe001a758000->0xfffffe001a7a7fff
            dependency: com.apple.kec.corecrypto(11.1)[E7263606-770E-3C0F-B5A1-F10042B34365]@0xfffffe001af64000->0xfffffe001afaffff

last started kext at 11102106042541: com.apple.driver.AppleXsanScheme	3 (addr 0xfffffe0017cc8000, size 16384)
last stopped kext at 11110186475753: com.apple.driver.AppleXsanScheme	3 (addr 0xfffffe0017cc8000, size 16384)



** Stackshot Succeeded ** Bytes Traced 283482 (Uncompressed 706368) **

Also I should note the crashing happens when you do wifi.ap as well.

@Sakuya

Sakuya commented May 8, 2021

Same problem on startup: "wifi.assoc all" kernel panic.
MacBook Pro (16-inch, 2019)
Version: 11.3 (20E232)
Bettercap: v2.31.0
en0:

Card Type: AirPort Extreme (0x14E4, 0x7BF)
Firmware Version: wl0: Feb 16 2021 03:05:58 version 9.30.444.10.32.5.67 FWID 01-3d719d60

@dennis777

dennis777 commented May 8, 2021 via email

@dennis777

dennis777 commented Jun 8, 2021

@evilsocket I have some potentially good news! I am on the newest macOS Monterey (21A5248p) and deauth, assoc, and ap no longer cause the machine to crash. However, the requests don't actually deauth or do anything.

To test it, I scanned the area and selected my wifi with wifi.recon BSSID after I saw a few clients on my network I simply set the ticker to deauth 1 specific client every 2 seconds set ticker.commands "wifi.deauth ClientBSSID"; ticker on. I also did set wifi.deauth.aquired true so that I could keep deauthing client even if handshake was captured. Now, it would say in the output sending deauth request to BSSID but the client never actually disconnected. Furthermore I turned wifi off and on on my client and sure enough it was able to disconnect and connect like there's no tomorrow. However, bettercap did manage to capture handshakes when reconnecting. Let me know if there's anything else I can provide to help.

@evilsocket
Member

thanks @dennis777, it looks like the way they fixed the issue is just by removing the capability to inject frames :/

@dennis777

dennis777 commented Jun 8, 2021

Wow that is truly a shame...hate to hear that these machines are so capable. Thank you

@evilsocket
Member

it is, macOS would be great for WiFi pentesting if it wasn't for this single issue

@dennis777

Also for some reason it looks like wifi.deauth.aquired is not working for me (tested on Kali Linux). It deauths just fine until it captures the handshake and then it stops deauthing.

@evilsocket
Member

weird, will check, thanks

@faggianof

Same error on BigSur 11.2.3

@cioccarellia

Still present on Big Sur 11.5.2 (kernel panic after running mass deauth caplet) using bettercap 2.32.0

@Szpillmann

Same here😭😭😭

@mnlsrv

mnlsrv commented Sep 18, 2021

+1
MacBook Air 2020 (Apple Silicon/M1) Big Sur 11.6

@evilsocket evilsocket pinned this issue Sep 26, 2021
@Yevhenii-Mykhailov

+1 Mac Air BigSur 11.6 (M1)

@xanera

xanera commented Oct 26, 2021

MacBook Air 2020 (Apple Silicon/M1) Monterey
No kernel panic, deauthentication works only visually (devices are not disconnected)

@dennis777

thanks @dennis777, it looks like the way they fixed the issue is just by removing the capability to inject frames :/

Can confirm same thing is happening to the new 14" and 16" MacBook Pro's. It doesn't crash but it also doesn't inject any frames either. Is there nobody who we can reach out to at Apple? This has been an issue ever since MacBooks with the T2 chip were made.

@mhzbg

mhzbg commented Feb 1, 2022

MacBook Pro 16" 2019
BigSur 11.6 (20G165).
Goes into monitor mode, but deauth crashes and reboots the machine,

@nicoschtein

MacBook Pro 16" 2019

BigSur 11.6 (20G165).

Goes into monitor mode, but deauth crashes and reboots the machine,

+1

MacBook Pro (13-inch, M1, 2020)
Big Sur 11.6 (20G165)

@fluffybird2323

M1 Pro Mac deauthentication works only visually (devices are not disconnected)

@SlickSlime

Could this issue be because M1 Macbooks do not support package injection?

@evilsocket
Member

@SlickSlime what is package injection? BTW this issue happens also on Mac Intel

@dennis777

dennis777 commented Oct 27, 2023

I think it's macOS as a whole ever since macOS Monterey (12.0) disabled frame injection which is truly tragic 😩

see this comment by the man @evilsocket himself 2 years ago when I reported on my finding to him

thanks @dennis777, it looks like the way they fixed the issue is just by removing the capability to inject frames :/

marcmp added a commit to marcmp/WiFiCrackPy that referenced this issue Feb 29, 2024
Frame injection causing Kernel Panic's before MacOS 12 Monterey and Apple decided to disable it altogether from then onwards. More info here: bettercap/bettercap#448 (comment)