We attack DHCP part 4. DHCP + ARP + Apple = MiTM

In this article, I will talk about how to implement MiTM of any Apple device in a wired or wireless network. Before reading this article, I strongly recommend that you read the first , second and third parts.

There is only one limitation: we must have the ability to listen to broadcast traffic on the network in order to intercept broadcast DHCP requests.

If this is a wireless network, then we must be connected to it.

I have already talked about identifying a conflict of IPv4 addresses on a local network . For this, the ARP protocol is used and it happens immediately after the host has received an IP address.

To detect an IP address conflict, the host sends several ARP request requests immediately after receiving the IP address:

1. Host with MAC address 98: 01: a7: e2: 9a: a9 obtains IP address 192.168.0.4 via DHCP :

2. The host sends broadcast ARP requests to detect a conflict of IP addresses, while in the Sender MAC address it sets its MAC address: 98: 01: a7: e2: 9a: a9 , in the Target IP address field - the received IP address is 192.168 .0.4 :

If there are no hosts on the network with the IP address 192.168.0.4, the answer will not come, but if there is, the answer will come:

As you can see after this response, the host sends a DHCP rejection broadcast message - DHCPDECLINE , after which the procedure for obtaining the IP address is repeated from the beginning.

Most operating systems do not respond to such ARP responses after having already received an IP address, but not MacOS and iOS !

Therefore, in order to initiate obtaining an IP address on MacOS and iOS operating systems, it is enough to send a couple of such ARP responses. And while receiving an IP address, we can interfere in this process and replace the IP addresses of the gateway and DNS server with our own IP!

Video of the attack on the example of MacOS: