In this article I will talk about how to perform a MiTM against any Apple device on a Wi-Fi network. Before reading this article, I strongly recommend that you read the first and second parts.
The restrictions are the same:
As it turned out, macOS and iOS stand apart from everyone else in how they obtain network settings via DHCP. When these operating systems send a DHCPREQUEST, the DHCP server responds with a DHCPACK, and they apply the network settings from the server's response. So far this is the same as everyone else:
The problem is that DHCPREQUEST is a broadcast, so an attacker on the same network can, as a rule, intercept it without any difficulty and extract the xid and chaddr fields from it to form a well-formed DHCPACK. Naturally, the attacker's DHCPACK will be sent later than the legitimate DHCP server's, that is, it will arrive second. DHCP clients on all other OSes simply ignore the second DHCPACK, but macOS and iOS do not.
Which network settings do you think these operating systems end up applying? Answer: those contained in the second DHCPACK (the attacker's DHCPACK).
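As an added example (not from the original post), here is a small Python check a defender could run over captured UDP/67-68 traffic to catch exactly the situation described above: it parses DHCP messages and raises an alert when a second DHCPACK for the same transaction (xid plus chaddr) arrives from a different server identifier (option 54). The sample packets are constructed inline, the MAC and IP addresses are made up, and the `build_dhcp` helper exists only to produce those samples.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 options marker
DHCPACK = 5
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID = 3, 6, 53, 54


def build_dhcp(op, xid, chaddr, yiaddr, options):
    """Encode a minimal BOOTP/DHCP payload. Used here only to construct
    sample packets; a real detector reads UDP/68 payloads off the wire."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, len(chaddr), 0, xid, 0, 0x8000,          # flags: broadcast bit
        b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC_COOKIE + opts + b"\xff"


def parse_dhcp(payload):
    """Parse the fixed header and the TLV option area of a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # end option
            break
        if code == 0:              # pad option, no length byte
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op,
        "xid": xid,
        "chaddr": payload[28:28 + hlen],
        "yiaddr": socket.inet_ntoa(payload[16:20]),
        "options": options,
    }


class RogueAckDetector:
    """Remember the first DHCPACK seen per (xid, chaddr) and alert when a
    later ACK for the same transaction names a different server identifier.
    Most clients drop the second ACK; a client that applies it (the macOS/iOS
    behaviour described above) now has the second ACK's router and DNS."""

    def __init__(self):
        self.first_ack = {}    # (xid, chaddr) -> (server_id, router, dns)

    def observe(self, payload):
        msg = parse_dhcp(payload)
        opts = msg["options"]
        if opts.get(OPT_MSG_TYPE) != bytes([DHCPACK]):
            return None        # offers/requests are not part of this check
        def ip(code):
            return socket.inet_ntoa(opts[code][:4]) if code in opts else None
        view = (ip(OPT_SERVER_ID), ip(OPT_ROUTER), ip(OPT_DNS))
        key = (msg["xid"], msg["chaddr"])
        first = self.first_ack.setdefault(key, view)
        if first[0] != view[0]:
            return {
                "xid": msg["xid"],
                "client_mac": msg["chaddr"].hex(":"),
                "legit_server": first[0], "legit_router": first[1],
                "second_server": view[0], "second_router": view[1],
                "second_dns": view[2],
            }
        return None


def scan(payloads):
    """Run the detector over a list of DHCP payloads; return the alerts."""
    det = RogueAckDetector()
    return [a for a in (det.observe(p) for p in payloads) if a]


# Constructed sample: one client transaction, two DHCPACKs arriving in order.
# Addresses and MAC are made up for the demonstration.
CLIENT_MAC = bytes.fromhex("001122334455")
XID = 0x3903F326
SAMPLE_ACKS = [
    build_dhcp(2, XID, CLIENT_MAC, "192.168.1.20", [
        (OPT_MSG_TYPE, bytes([DHCPACK])),
        (OPT_SERVER_ID, socket.inet_aton("192.168.1.1")),
        (OPT_ROUTER, socket.inet_aton("192.168.1.1")),
        (OPT_DNS, socket.inet_aton("192.168.1.1")),
    ]),
    build_dhcp(2, XID, CLIENT_MAC, "192.168.1.20", [
        (OPT_MSG_TYPE, bytes([DHCPACK])),
        (OPT_SERVER_ID, socket.inet_aton("192.168.1.66")),
        (OPT_ROUTER, socket.inet_aton("192.168.1.66")),
        (OPT_DNS, socket.inet_aton("192.168.1.66")),
    ]),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_ACKS):
        print("second DHCPACK for same transaction:", alert)
```

Keying on both xid and chaddr keeps a legitimate retransmission from the same server silent, while any ACK for that transaction from another server identifier is reported together with the router and DNS it carries, which is what an analyst needs to judge whether a client on this network just adopted a foreign gateway.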
Video demonstration of the bug in the DHCP client on macOS:
Is this a bug or a feature? I considered it a bug and, just in case, filed a report in Apple Bug Reporter; for more than a month I have not received a single comment from Apple specialists on it.
I did not stop at the Apple Bug Reporter submission and also wrote a letter to product-security@apple.com.
Apple specialists are not at all fast, but they nevertheless replied, saying that their DHCP client works in accordance with RFC 2131. That is, this is not a bug at all; it is a feature. That's all I wanted to say.
For the laziest, I prepared the apple_wifi_mitmer.py script, which automatically finds all Apple devices on the Wi-Fi network, deauthenticates them and performs the MiTM.
All you need to specify in the script arguments is the name of the wireless interface that is already connected to the Wi-Fi network under investigation, and another wireless interface for sending deauth packets.
Video demonstration of the apple_wifi_mitmer.py script:
Does it work on new iOS 11? Answer: Yes, it works.
Source: https://habr.com/ru/post/338864/