Jump to content

Page Injection/nyan The Iphone

Recommended Posts

I noticed Darren complaining about not being able to Nyan iPhones in this post. I searched around and it doesn't seem like anyone found a solution.

The below feature isn't officially documented anywhere I could find but some snooping gave it away.

When an iOS 3.0 or higher device connects to an open Wi-Fi network and receives it's address through DHCP it sends a basic http request to http://www.apple.com/library/test/success.html with the UA string of "CaptiveNetworkSupport/1.0 wispr". If the device receives the appropiate reply the iPhone assumes the wireless connection is open and moves on with the connection phase. If it does not receive the correct reply iOS assumes the network has a captive portal and launches a thin browser for the end user. Every time the user clicks something in the thin browser it pauses before it checks for the apple success page again.

Until the check passes the device will route all network connections (besides the thin browser) though the 3G connection. Note this only applies to open networks. Networks with any form of authentication bypass this completely.

Here is a copy of the apple success as of the writing of this post


What you do with this information is up to you. Have fun and stay safe. ^_^

Edited by The Bunny Man
Link to comment
Share on other sites

Frak, I accident tally touched the delete button on the last post. The Bunny Man sid "

Thanks!Update:I didn't realize this until right now but new newest version of Safari/Mac OS X now does the exact same thing.It seems to be slightly less reliable (it didn't come up for several minutes) but it can be assumed 10.8 and further will have it as an OS level feature."


This is a fantastic find and shouldn't be lost. Let's either roll it into the firmware, add a module or pin it. I can see many useful scenarios for a little dns spoof.

Link to comment
Share on other sites

Bunny Man,

I've also noticed that when I use Chrome on Mac 10.7, then the captive portal page also pops up, a la iphone. Like Darren said above, it takes a second or two to popup, but I think this is a quirk of captive logins, as my uni uses them, and they are slow to appear on a regular basis.

BTW, slightly off topic, I've noticed that my Kindle doesn't seem to handle probe requests the same as other devices. Not a major thing, but could be cool to sniff the traffic off the kindle to see its whole handshaking proceedure.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...