Hak5 Forums
audibleblink

ICS on macOS: A Future-Resilient HOWTO


ICS on macOS: There and back again

Apple likes to hard code the subnet (192.168.2.1) that is used on its implementation of Internet Connection Sharing (ICS). I don't know why; best I can figure is that it somehow allows them to more reliably prevent the client network from accessing any resources on the host network. This is something that can be prevented on other ICS setups with a firewall rule.

Which brings me to another point. Apple likes to change firewalls. Apple likes to change everything. They recently switched to PF and a lot of the guides online are from before this change.

So we've established something here. Apple changes things. And we can't stop them from changing things. So what do we do?

Accounting for Change

One thing has remained consistent in their various iterations of ICS. They use the subnet 192.168.2.0/24. This gives us 1 constant, and if we've learned our lesson, we also know that it may not stay constant. So let me back up.

*ahem*

We have zero constants.

But we can plan for this one constant changing. Apple needs this base principle (a subnet) on which to build its ICS implementation. Think of a single stream in the woods that recursively branches out into thousands. In order to catalog the various species in the stream, it would not be wise to visit and collect samples from every stream. This would be inefficient. It would better serve you, your time and your study to head to the one stream whence all others came. The source.

This subnet is the one stream and any changes Apple makes will use it. And even if it changes it, it's still only one change we have to account for.

Knowing this, we can start to look at this problem from another perspective.

We can stop visiting individual streams and concede that our network must be in the 192.168.2.1/24 range. What does that mean for Pineapple users? It means you can't access the Pineapple on 172.16.42.1 anymore.

Is this a bad thing?

Meh. It's a thing. For sure. I'd posit it's even a good thing. If we leave our Pineapples on the default network, we eliminate the guesswork needed for anyone hunting Pineapples. Yes, those people exist. And the tools necessary to do so bank on the fact that you haven't changed your default settings. See here.

Is there a simple solution? Just move the pineapple to a different network! How?

Depending on the version of the Pineapple, you can use WiFi or Ethernet or Ethernet-over-USB to make the initial connection to the Pineapple over SSH on 172.16.42.1. Once you're in:

# This one could be anything you want. It's what you'll use to connect after the reboot
uci set network.lan.ipaddr='192.168.2.10'

# This is where the Pineapple will get its Internet from.
uci set network.lan.gateway='192.168.2.1'

uci commit && reboot

That's it. Once you've rebooted, you can access the web interface and SSH like you would at 172.16.42.1, but if you used my configuration settings from above, you can access it from 192.168.2.10.

What if Apple changes the subnet? Then you only have two values to change.

Be sure to actually turn on ICS from the Mac's System Preferences > Sharing Pane.

Edited by audibleblink: replaces OSX references with macOS
telot   

Great stuff audibleblink! Many thanks!


Hmmm... Following audibleblink's advice,

Nano is now at 192.168.2.10 but

MacBook Air... no USB choice (two USB ports)... just Ax88x72A

And that doesn't result in successful sharing

maybe weird thunderbolt bridge stuff?

not clueful enough to know...

:(

TaNk5665   


I am having this same issue... Need help... I have even tried connecting through Kali Linux on a VM on OS X and it still doesn't work... C'mon, give the Mac guys some love Darren!!!!!!

TaNk5665   

Does not work for Thunderbolt Bridge on Macs with no Ethernet...


I was having issues like this as well. Nano connected to a rMBP 2015 via USB ethernet adapter WITH 3 USB ports. The point here is, OS X needs to be told to share the connection with Ax88x72A if available, instead of USB 10/100/1000 {in my case}. Once I made this switch, the two simple commands audibleblink shared worked flawlessly! Thanks audibleblink.

iad   

Hey guys,

I have changed the subnet and address to 192.168.2.0/24 on the Pineapple.

Allowed internet sharing to Ax88x72A

Manually set the address on bridge0 to 192.168.2.1 netmask 255.255.255.0

But the Pineapple doesn't see its gateway (192.168.2.1), what am I doing wrong? :)

Thanks

iad   

Or should I set this 192.168.2.1 on the en9 interface of the Pineapple?

iad   

Okay guys, double check me please, but this seems to work, at least I can ping from the Pineapple: (inspired by https://github.com/inversepath/usbarmory/wiki/Host-communication, actually just copy-pasted)

# enable IP forwarding
$ sudo sysctl -w net.inet.ip.forwarding=1

# enable PF firewall
$ sudo pfctl -e

# Option 1: add NAT rule after en9 is up (Pineapple already plugged and started);
# "en9:network" expands to whatever subnet en9 currently has, so no address is hard coded
$ echo "nat on en0 from en9:network to any -> (en0)" | sudo pfctl -f -

# Option 2: add NAT rule before Pineapple is plugged, requires specifying its network
# (192.168.2.0/24 here, matching the addresses used in this thread)
$ echo "nat on en0 from 192.168.2.0/24 to any -> (en0)" | sudo pfctl -f -

iad   

I have one more post for today, so let's sum up my spamming (again, sorry for it, I just got too excited with getting over OS X's stupid iptables clone).

1). Enabled sharing internet to my device (Ax88x72A)

2). Changed IPs as shown in the first message of this topic, but manually gave OS X's en9 interface the 192.168.2.1 address

3). Changed the Pineapple's gateway to 192.168.2.1

4). Executed this pfctl rules in terminal:

# enable IP forwarding
$ sudo sysctl -w net.inet.ip.forwarding=1

# enable PF firewall
$ sudo pfctl -e

# Add NAT rule after en9 is up (Pineapple already plugged and started)
$ echo "nat on en0 from en9:network to any -> (en0)" | sudo pfctl -f -

I am sure that you don't need to change the subnet, as you just NAT everything from the en9 interface to en0 (the Wi-Fi interface).

Just make sure that your USB interface (en9 in my case) and the Pineapple's gateway are the same.

So a packet from the Pineapple goes to the gateway (e.g. 192.168.2.1), then it is NATed by OS X from the en9 interface to the en0 interface.

Cheers.

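The same NAT as iad's summary, written as an added example rather than code from iad or from the Pineapple project: a POSIX sh script for the Mac that loads the rule into a pf sub-anchor instead of feeding it to `pfctl -f -` on the main ruleset (the -f form replaces whatever /etc/pf.conf loaded at boot, which is what the "could result in flushing of rules present in the main ruleset" warning quoted later in the thread is about). It assumes the stock /etc/pf.conf, whose `nat-anchor "com.apple/*"` line evaluates sub-anchors under com.apple/; the anchor name com.apple/pineapple is my choice, and the WAN interface and client subnet are parameters.

```sh
#!/bin/sh
# Added example, not iad's code and not part of the Pineapple project: load the
# NAT rule into its own pf anchor so the system ruleset from /etc/pf.conf is
# never replaced.  Run on the Mac.  Interface names and subnet are parameters.
set -eu

# Assumption: the stock /etc/pf.conf has 'nat-anchor "com.apple/*"', so a
# sub-anchor under com.apple/ is evaluated without editing that file.
ANCHOR="com.apple/pineapple"

# Print the pf NAT rule: translate the Pineapple subnet to whatever address the
# WAN interface has.  The parentheses make pf re-read the address when Wi-Fi
# moves to another network.
pineapple_nat_rules() {
    printf 'nat on %s from %s to any -> (%s)\n' "$1" "$2" "$1"
}

# Cheap input checks before touching the firewall.
is_ifname() { case $1 in en[0-9]|en[0-9][0-9]|bridge[0-9]) return 0 ;; *) return 1 ;; esac; }
is_cidr()   { case $1 in [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) return 0 ;; *) return 1 ;; esac; }

# apply_pineapple_nat WAN_IF CLIENT_SUBNET
apply_pineapple_nat() {
    wan=$1; subnet=$2
    is_ifname "$wan"  || { echo "bad interface name: $wan" >&2; return 1; }
    is_cidr "$subnet" || { echo "bad subnet: $subnet" >&2; return 1; }

    sudo sysctl -w net.inet.ip.forwarding=1 >/dev/null
    # Load only this rule, only into this anchor (no -f on the main ruleset).
    pineapple_nat_rules "$wan" "$subnet" | sudo pfctl -a "$ANCHOR" -f -
    # Internet Sharing may already have enabled pf; "pf already enabled" is harmless.
    sudo pfctl -e 2>/dev/null || true

    # Verify both halves actually took effect.
    [ "$(sysctl -n net.inet.ip.forwarding)" = 1 ] \
        || { echo "IP forwarding is still off" >&2; return 1; }
    sudo pfctl -a "$ANCHOR" -s nat | grep -q "from $subnet " \
        || { echo "NAT rule not present in anchor $ANCHOR" >&2; return 1; }
    echo "NAT for $subnet via $wan loaded into anchor $ANCHOR"
}

# Undo: flush only this anchor's NAT rules; the system ruleset is untouched.
remove_pineapple_nat() {
    sudo pfctl -a "$ANCHOR" -F nat
}

case ${1:-} in
    apply)  apply_pineapple_nat "${2:-en0}" "${3:-192.168.2.0/24}" ;;
    remove) remove_pineapple_nat ;;
    *)      echo "usage: $0 apply [wan-if] [client-subnet] | remove" ;;
esac
```

Run it as `sh pineapple-nat.sh apply en0 192.168.2.0/24` with Wi-Fi on en0 and the Pineapple on the ICS subnet; `remove` flushes just that anchor when you are done. The "No ALTQ support in kernel" lines pfctl prints on macOS are informational and do not mean the rule was rejected; the `-s nat` check at the end is what tells you whether it loaded.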
ZaraByte   
# This one could be anything you want. It's what you'll use to connect after the reboot
uci set network.lan.ipaddr='192.168.2.10'

# This is where the Pineapple will get its Internet from.
uci set network.lan.gateway='192.168.2.1'

uci commit && reboot

If the above commands are supposed to be typed into the Terminal on OS X then...

El Capitan 10.11.4:

Last login: Mon Apr 25 07:25:22 on console

Matthews-iMac:~ freecst$ uci set network.lan.ipaddr='192.168.1.10'

-bash: uci: command not found

Sebkinne   


They are to be typed on the WiFi Pineapple.


I've tried all the steps here (including the awesome guide @j2abro put together here in July). Still no luck with ICS on a 2015 rMBP.

  1. Enabled sharing internet to my device (Ax88x72A)
  2. SSH into Wifi Pineapple and edited config.
  3. Successfully updated firmware to latest (1.1.1)
  4. Reboot.
  5. Pineapple is connected via USB, powers up, and shows as connected Under System Preferences > Network.
  6. I can login to the Pineapple using the updated IP, but still unable to connect to the internet (update modules) on the device.

[screenshot: Network 2016-09-03 08-56-38.png]

I had previously tried the wp6.sh script, but always got stuck during the guided setup on step 3. The script never seemed to recognize that the device was connected.

I also followed the last steps in this thread and made sure the settings saved:

http://hints.macworld.com/article.php?story=20090510120814850

Still no dice.  I'm working on dual-booting the machine with Kali Linux as a better option, but roadblocked there because rEFInd doesn't recognize my live boot USB.  Any ideas/recommendations would be totally welcome.  Thanks!


Update, I figured it out (in my case).

When reviewing the Network Settings, I saw that there was an option for managing virtual interfaces.  I hadn't seen that before.

[screenshot: Network 2016-09-03 10-43-02.png]

Within the bridge interfaces, you can deselect and select the ones you want included.  In my case, the AX88x72A was not selected.  Checking the box and then refreshing the connection did the trick.  Hope this helps anyone else who made it this far but then got stuck.

[screenshot: Monosnap 2016-09-03 10-45-01.png]

Thanks!

-D-   
On 11/04/2016 at 10:15 PM, iad said: [the pfctl summary post, quoted in full above]

I'm trying to run 

sudo pfctl -e
echo "nat on en0 from en7:network to any -> (en0)" | sudo pfctl -f -

But I keep on getting

No ALTQ support in kernel
ALTQ related functions disabled
pfctl: pf already enabled

- - - AND - - -

pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.

No ALTQ support in kernel
ALTQ related functions disabled

 

Does anybody know what to do? I can access the WiFi Pineapple on 192.168.2.10, but still can't connect to the internet.

Thanks in advance!

skilbjo   

Fantastic guide gents, I'll give it a try.

Two questions:

- my local network already has 192.168.2.0/24 mapped. I have on my local network 192.168.2.0/24 as a DMZ protected by a firewall, and 192.168.1.0/24 as the actual network, and my macOS computer is on this 192.168.1.x network (let's say macOS LAN IP is 192.168.1.2). Given this, will this conflict with the settings above? I suppose not as it's the pineapple getting its DHCP service from the LAN 192.168.2.1 whose WAN is actually 192.168.1.2, and upstream of that is the firewall gateway of 192.168.2.1. (confusing I know)

- how to roll back if this doesn't work?

uci set network.lan.ipaddr='172.16.42.1'

# This is where the Pineapple will get its Internet from.
uci set network.lan.gateway='??'

uci commit && reboot

 

Foxtrot   
13 hours ago, skilbjo said: [the two questions above, quoted in full]

Default gateway for the Pineapple is 172.16.42.42.

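audibleblink's two uci commands from the first post and the rollback that skilbjo asked about (with the stock gateway Foxtrot gives above) are the same operation with different values, so here is one script covering both, as an added example that is not code from the thread or from Hak5. It runs on the Pineapple itself (OpenWrt, BusyBox sh) over the same SSH session, and refuses an address/gateway pair that is not in one /24, which is what the 192.168.1.10 typed earlier in the thread would have produced against a 192.168.2.1 gateway. The network.lan.dns line is my addition and an assumption: the thread never sets a resolver, and whether the Pineapple can resolve names after the move depends on the firmware, so the script sets one explicitly (the Mac's ICS address) and removes it again on rollback.

```sh
#!/bin/sh
# Added example, not code from the thread or from Hak5: run ON THE PINEAPPLE
# (OpenWrt, BusyBox sh) after "ssh root@172.16.42.1".  "ics" moves the LAN
# interface onto the Mac's ICS subnet; "stock" puts back the default
# 172.16.42.1 / 172.16.42.42 pair given in this thread.
set -eu

STOCK_IP=172.16.42.1
STOCK_GW=172.16.42.42
ICS_IP=192.168.2.10   # any free address in the ICS subnet; you SSH to this afterwards
ICS_GW=192.168.2.1    # the Mac's ICS address

# Minimal dotted-quad check: four fields, each a number 0-255.
is_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# True when both addresses share their first three octets.  ICS hands out a
# /24, so a gateway outside the Pineapple's own /24 is unreachable by
# definition (e.g. 192.168.1.10 with gateway 192.168.2.1).
same_subnet24() {
    [ "${1%.*}" = "${2%.*}" ]
}

show_lan() {
    echo "ipaddr:  $(uci -q get network.lan.ipaddr  || echo '(unset)')"
    echo "gateway: $(uci -q get network.lan.gateway || echo '(unset)')"
    echo "dns:     $(uci -q get network.lan.dns     || echo '(unset)')"
}

# set_lan IP GATEWAY [DNS]   (empty DNS removes the option)
set_lan() {
    ip=$1; gw=$2; dns=${3:-}
    is_ipv4 "$ip" && is_ipv4 "$gw" || { echo "not an IPv4 address: $ip / $gw" >&2; return 1; }
    [ -z "$dns" ] || is_ipv4 "$dns" || { echo "not an IPv4 address: $dns" >&2; return 1; }
    same_subnet24 "$ip" "$gw" || { echo "$ip and gateway $gw are not in the same /24" >&2; return 1; }
    [ "$ip" != "$gw" ]        || { echo "Pineapple address must differ from the gateway" >&2; return 1; }

    uci set network.lan.ipaddr="$ip"
    uci set network.lan.gateway="$gw"
    # Assumption, not from the thread: give the static interface a resolver
    # explicitly; the Mac's ICS answers DNS on its own address.
    if [ -n "$dns" ]; then uci set network.lan.dns="$dns"; else uci -q delete network.lan.dns || true; fi
    uci commit network
    echo "committed: after reboot, connect to $ip"
}

case ${1:-} in
    show)  show_lan ;;
    ics)   set_lan "${2:-$ICS_IP}" "${3:-$ICS_GW}" "${4:-${3:-$ICS_GW}}" && reboot ;;
    stock) set_lan "$STOCK_IP" "$STOCK_GW" "" && reboot ;;
    *)     echo "usage: $0 show | ics [ip] [gateway] [dns] | stock" ;;
esac
```

`sh pineapple-lan.sh ics` does what the first post does and reboots; `sh pineapple-lan.sh stock` is the rollback. If Apple ever moves ICS off 192.168.2.0/24, the two ICS_ constants at the top are the only values to change, which is the point of the original post.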
obcr   

Here is what worked for me using Thunderbolt on a MacBook Pro (2017)

  1. Go to Network, click on the gear, select Manage Virtual Interfaces.
  2. Click on Thunderbolt Bridge, click on the pen to edit.
  3. Check the USB adapter as part of the bridge.
  4. Click Done and Apply.

Go to the Internet Sharing settings and select share Wi-Fi and both the bridges.

obcr   
28 minutes ago, obcr said: [the Thunderbolt Bridge steps above, quoted in full]

Important! While the internet sharing is enabled, disconnect the dongle (not just the USB cable) and plug it back in.

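A shell-side check for what obcr and the "Update, I figured it out" post above do in the GUI, as an added example that is not from either post: it finds the enN device behind the adapter's hardware-port name with networksetup, then reads ifconfig to confirm that device is a member of bridge0 and that the bridge carries the ICS address. The exact port name is an assumption (the script matches on the substring "AX88" by default; `networksetup -listallhardwareports` shows what yours is called), and the sample outputs at the bottom are constructed in the format the two tools print so the parsing can be exercised without a Mac.

```sh
#!/bin/sh
# Added example (not from the thread): verify from the shell what the GUI steps
# above set up: that the USB Ethernet adapter is a member of the Thunderbolt
# Bridge (bridge0) and that the bridge holds the ICS gateway address.
set -eu

# Parse `networksetup -listallhardwareports` output (stdin) and print the
# Device (enN) whose "Hardware Port:" line contains PATTERN.
device_for_port() {
    awk -v pat="$1" '
        /^Hardware Port:/ { port = substr($0, 16) }
        /^Device:/        { if (index(port, pat)) { print $2; exit } }'
}

# Print the member interfaces from `ifconfig bridgeN` output (stdin).
bridge_members() {
    awk '$1 == "member:" { print $2 }'
}

# Print the first IPv4 address from an interface's ifconfig output (stdin).
inet_addr() {
    awk '$1 == "inet" { print $2; exit }'
}

# check_bridge PORT_SUBSTRING BRIDGE EXPECTED_ADDRESS
check_bridge() {
    port=$1; bridge=$2; want=$3
    dev=$(networksetup -listallhardwareports | device_for_port "$port")
    [ -n "$dev" ] || { echo "no hardware port matching '$port'" >&2; return 1; }
    ifconfig "$bridge" | bridge_members | grep -qx "$dev" \
        || { echo "$dev is not a member of $bridge; add it under Manage Virtual Interfaces" >&2; return 1; }
    addr=$(ifconfig "$bridge" | inet_addr)
    [ "$addr" = "$want" ] \
        || { echo "$bridge has '$addr', expected $want (is Internet Sharing on?)" >&2; return 1; }
    echo "ok: $dev is a member of $bridge at $addr"
}

# Constructed sample output (not captured from a real machine) in the format
# the two tools print, so the parsers can be exercised offline.
SAMPLE_PORTS='Hardware Port: Wi-Fi
Device: en0
Ethernet Address: 00:11:22:33:44:55

Hardware Port: AX88x72A USB 2.0 Ethernet
Device: en9
Ethernet Address: 00:11:22:33:44:66

Hardware Port: Thunderbolt Bridge
Device: bridge0
Ethernet Address: 00:11:22:33:44:77'

SAMPLE_BRIDGE='bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
    member: en9 flags=3<LEARNING,DISCOVER>'

case ${1:-} in
    check) check_bridge "${2:-AX88}" "${3:-bridge0}" "${4:-192.168.2.1}" ;;
    *)     echo "usage: $0 check [port-name-substring] [bridge] [expected-address]" ;;
esac
```

`sh check-bridge.sh check` after the GUI steps (and after obcr's unplug/replug of the dongle) tells you in one line whether the adapter actually joined the bridge and whether Internet Sharing put 192.168.2.1 on it, which is exactly the state the earlier "no successful sharing" replies were missing.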
