The Bunny Man
Posted May 12, 2012 (edited)

I noticed Darren complaining about not being able to Nyan iPhones in this post. I searched around and it doesn't seem like anyone found a solution. The below feature isn't officially documented anywhere I could find, but some snooping gave it away.

When an iOS 3.0 or higher device connects to an open Wi-Fi network and receives its address through DHCP, it sends a basic HTTP request to http://www.apple.com/library/test/success.html with the UA string of "CaptiveNetworkSupport/1.0 wispr". If the device receives the appropriate reply, the iPhone assumes the wireless connection is open and moves on with the connection phase. If it does not receive the correct reply, iOS assumes the network has a captive portal and launches a thin browser for the end user. Every time the user clicks something in the thin browser, it pauses before it checks for the Apple success page again. Until the check passes, the device will route all network connections (besides the thin browser) through the 3G connection.

Note this only applies to open networks. Networks with any form of authentication bypass this completely.

Here is a copy of the Apple success as of the writing of this post:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
    <HTML>
    <HEAD>
    <TITLE>Success</TITLE>
    </HEAD>
    <BODY>
    Success
    </BODY>
    </HTML>

What you do with this information is up to you. Have fun and stay safe. ^_^

Edited May 12, 2012 by The Bunny Man
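
Added example, not part of the original post or of any Apple code: a Python model of the probe decision described above, useful for checking what a given network returns to the captive-portal probe. The function name is hypothetical, the sample replies are constructed, and it assumes the "appropriate reply" is an HTTP 200 whose title is "Success", since the post does not say exactly what iOS compares.

```python
# Added example: models the probe decision described in the post above.
# Assumption: "appropriate reply" means HTTP 200 whose <TITLE> is "Success";
# the post does not say exactly what iOS compares.
from html.parser import HTMLParser


class _TitleParser(HTMLParser):
    """Collects the text inside the <title> element."""

    def __init__(self):
        super().__init__()
        self._in_title = False
        self.title = ""

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def classify_probe_response(raw: bytes) -> str:
    """Return 'open' or 'captive' for a raw HTTP response to the probe."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("iso-8859-1").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "captive"  # malformed or empty reply: not the expected page
    if int(parts[1]) != 200:
        return "captive"  # redirects (e.g. 302 to a login page) and errors
    parser = _TitleParser()
    parser.feed(body.decode("utf-8", errors="replace"))
    return "open" if parser.title.strip() == "Success" else "captive"


# Constructed sample replies (not captured traffic).
SUCCESS_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                b'<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">\n<HTML>\n<HEAD>\n'
                b"<TITLE>Success</TITLE>\n</HEAD>\n<BODY>\nSuccess\n</BODY>\n</HTML>\n")
PORTAL_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                   b"Location: http://portal.example/login\r\n\r\n")
PORTAL_REWRITE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                  b"<html><head><title>Guest Wi-Fi Login</title></head></html>")
```

The probe travels over plain HTTP, so an "open" result only says the expected page came back; it does not show that the reply came from Apple's server rather than from the local network.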

Sebkinne
Posted May 12, 2012

Brilliant post! This is very good to know.

Best,
Sebkinne

Darren Kitchen
Posted May 13, 2012

Frak, I accidentally touched the delete button on the last post. The Bunny Man said:

"Thanks! Update: I didn't realize this until right now but the newest version of Safari/Mac OS X now does the exact same thing. It seems to be slightly less reliable (it didn't come up for several minutes) but it can be assumed 10.8 and further will have it as an OS level feature."

Me: This is a fantastic find and shouldn't be lost. Let's either roll it into the firmware, add a module or pin it. I can see many useful scenarios for a little dns spoof.

RebelCork
Posted May 14, 2012

Bunny Man, I've also noticed that when I use Chrome on Mac 10.7, then the captive portal page also pops up, a la iPhone. Like Darren said above, it takes a second or two to pop up, but I think this is a quirk of captive logins, as my uni uses them, and they are slow to appear on a regular basis.

BTW, slightly off topic, I've noticed that my Kindle doesn't seem to handle probe requests the same as other devices. Not a major thing, but could be cool to sniff the traffic off the Kindle to see its whole handshaking procedure.

The Bunny Man (Author)
Posted May 16, 2012

I haven't broken out the traffic sniffers quite yet but it seems that Mac OS X 10.7.4+ does it a little differently. I need to do more testing when I find time.