
Defeat iOS9 MAC Randomization


Cripter


Are there any available scripts, tool kits or modules for the Pineapple which would allow me to only passively capture probe frames from iOS9 and other wifi enabled smartphones via the temporary setup of soft APs?

My requirement is to upload a list of wifi networks such as 'Starbucks' or 'Virgin123' to create soft APs for the iOS devices (and any other device) to connect to and respond with their real MAC address. Once the real MAC addresses have been captured, I need to drop the connection and not re-establish with the device for the duration of its time in range. The final output (csv/pcap) should contain both the uncovered real MAC addresses and the bunch of random addresses.


I'm not sure about the configurations on iOS. I know with Linux you can set a certain MAC address for each Wifi connection. I'm assuming iOS is similar.

As far as getting the BSSID, ESSID, cipher, encryption and channel: airodump -w and then grep out the station MAC addresses. So you would have the client MACs but not necessarily the actual MAC addresses, as the MAC spoofing happens client side.

Are you trying to catch someone hacking from Starbucks and other free wifis with a Cell phone? Good luck.


iOS 9 has now fully implemented MAC randomization for probe request frames. The iDevices also no longer show SSIDs in the probe frames, so it is passively scanning for broadcasts from APs within range. This explains why my reports are now displaying dozens of MAC addresses which do not resolve to any known vendor in my OUI database. The aim is to identify the real MAC address of the iDevice utilizing MAC randomization via comparison from multiple captures.

I want to automate the process of creating soft APs based on a list of commonly connected APs such as Starbucks in the hope that the device of interest has previously connected to at least one of these. I know I can load my soft AP ESSID list into a tool such as airbase-ng, but I need something much more automated which will let the device automatically connect to the softAP (if the device is configured to) to reveal its true MAC address, disconnect right after and then not allow re-connection whilst capturing into a pcap/csv.

On occasions where I also have the key to a previously connected WPA2 AP I need the functionality to add that to the setup.

I can then compare data from multiple captures in multiple locations to identify the device of interest.

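Added example, not from any poster in this thread: a small Python check for why the randomized addresses never resolve in an OUI database. Randomized MACs are locally administered (bit 1 of the first octet set), so a report can separate them from OUI-resolvable addresses instead of listing them as dozens of unknown devices; the station list and every address in it are constructed for this example, and the lines are assumed to have already been grepped out of an airodump-ng CSV.

```python
# Added example, not from the thread: classify captured station MACs by the
# IEEE U/L (locally administered) bit. Randomized addresses set that bit, which
# is why they never match a vendor in an OUI database; bucket them separately
# instead of treating each one as a distinct unknown device.
import re
from typing import Dict, List

MAC_RE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$")

# Constructed sample of station MACs as they might be grepped from an
# airodump-ng CSV; every address here is made up for the example.
SAMPLE_STATIONS: List[str] = [
    "00:11:22:33:44:55",  # globally unique (U/L bit clear)
    "DE:AD:BE:EF:00:01",  # locally administered (U/L bit set)
    "02:00:00:AA:BB:CC",  # locally administered
    "de:ad:be:ef:00:01",  # same address again, lowercase; counted once
    "00-1A-2B-3C-4D-5E",  # globally unique, dash-separated
    "01:00:5E:00:00:FB",  # multicast (I/G bit set), not a station
    "not-a-mac",          # garbage line, skipped
]

def _first_octet(mac: str) -> int:
    return int(mac.replace("-", ":").split(":")[0], 16)

def is_locally_administered(mac: str) -> bool:
    """True when bit 1 of the first octet is set (first octet x2/x6/xA/xE)."""
    return bool(_first_octet(mac) & 0x02)

def is_multicast(mac: str) -> bool:
    """True when the I/G bit (bit 0 of the first octet) is set."""
    return bool(_first_octet(mac) & 0x01)

def classify_stations(lines: List[str]) -> Dict[str, List[str]]:
    """Split station MACs into OUI-resolvable ('global') and 'randomized'
    (locally administered) buckets, dropping malformed, duplicate and
    multicast entries. Input separators and case are normalized first."""
    buckets: Dict[str, List[str]] = {"global": [], "randomized": []}
    seen = set()
    for raw in lines:
        mac = raw.strip().upper().replace("-", ":")
        if not MAC_RE.match(mac) or mac in seen or is_multicast(mac):
            continue
        seen.add(mac)
        key = "randomized" if is_locally_administered(mac) else "global"
        buckets[key].append(mac)
    return buckets

if __name__ == "__main__":
    for bucket, macs in classify_stations(SAMPLE_STATIONS).items():
        print(f"{bucket}: {macs}")
```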

It is a very interesting idea and theoretically it seems to be possible.

Since the real MAC is only known when the iDevice is connected to an access point, I think there is no other way.

Apart from SSIDs like Starbucks, what other info is on that list that you want uploaded to the SoftAP?

What about security information?

Have you implemented it yet? Have you got any results that you can share here?
