iPhone/ Android will not dismiss wifi landing page implemented with DNS - ios

I am trying to implement a splash page/wifi landing page on my existing public wifi network, using the DNS method mentioned in Wiki, in which I host a custom DNS server that will redirect ALL DNS lookups to a local address where a web server is hosted, for all users before they click agree.
After the user clicks agree, my custom DNS server starts returning the correct IP for the lookup; thus, the user will be able to get online.
Note: We totally understand that this in no way secures our network, and even puts our network at risk. But the goal here is just to pop the landing page up in front of our users.
This approach actually works on Windows Phone (Windows 8 I tested) as a splash page, and even on a computer: when I try to open a random website, it redirects me to my page, and after I hit agree, I can get to the internet.
When I try it on iPhone/Android, once I connect to the hotspot, the splash page/wifi landing page appears as expected (because the device is trying to verify internet access by going to the set of pages). However, after I click agree and allow internet access, both the iPhone and Android splash screens will not go away. I have to force the iPhone to "use this wifi without network" to exit.
I wonder if there is a special (JavaScript?) method I can call in the page, or some package I need to send to the device? I noticed on iOS, if I click a link to the App Store, the splash page goes away without disconnecting from the network. So I guess I am missing something here.
For example, clicking the link to the iOS StackOverflow App on an iOS device can be a workaround.
I have been googling around for a week now; nothing seems to come up.
By the way, I am building my custom DNS server on Node.js, with the module dnsd.
Edit:
I also uploaded a demo of my code on GitHub:
https://github.com/kylelam/dnsd_wifi
To test it, run it in your local network (sudo node demo.js). Then, change your phone's dns to your machine's IP. Disconnect your phone from wifi and connect to it again. (on iOS, you might need to go into detail, and enable auto-login, and auto-join, or if you can't, just reboot.)
*note1: the server will need to run on ports 53 and 80, so it needs sudo.
*note2: please don't laugh at my code, I'm very new to this. But please do point things out.
*note3: you will need to npm install these packages: os, express, dns, dnsd

ttl set to 0 might be the cause of the issue, try a different value like 5.

Related

Burpsuite proxy troubleshoot issue

I am working on mobile pentests currently. At first, using my home network, I was able to intercept traffic in Burp Suite for both the iOS and Android versions of “Test App”. Then the next day, I was still able to intercept traffic, but the behaviour of this “Test App” on both iOS and Android seemed like it had certificate pinning, as I was just stuck on the pre-auth page and getting errors when trying to log in. Without the proxy, though, I am still able to log in OK and proceed with the app normally, so I don’t think my home network got blacklisted? (For context, the binaries do not have any certificate pinning.)
But when I tried to change my network to my mobile hotspot, I could intercept the traffic and app behaves normally again.
Anyone encountered the same previously? Any ideas on what could be causing this? Thanks
This does seem odd. I would wager one of three things is happening here:
1. You accidentally left "Intercept" on in Burp Suite Proxy. This holds the response in Burp Suite until you click Forward, which would cause behavior very similar to what you are describing here. I have done this more times than I am willing to admit.
2. There was a temporary outage in the application's API. Not unheard of, especially if this is an unreleased app.
3. There is some sort of issue on your home network, but this is unlikely. Maybe two devices have the same static IP address?
It's hard to say exactly what the issue might be based on the information you provided, but hopefully this was helpful, or at least gives you a place to start!

How to remote desktop to an iOS device, a.k.a. how do Mobile Device Farms work?

I have been trying to understand how Mobile Device Farms like DeviceConnect, AWS Device Farm, SauceLabs, etc. get to remote control iOS devices, but I can't find anything on the subject. They get to do it without jailbreaking, which baffles me even more.
I love these kind of projects, because at the moment it seems undoable, but I know that it is possible ('they' are doing it).
With remote control I mean: seeing the screen of the iOS device on your computer screen and able to touch and swipe with your mouse.
Can someone please point me in the right direction as to how these technically work?
If you're using an iPad (in particular) or an iPhone (if you think you'll be able to make out any detail on the smaller screen) then using remote access to view and control what's on your friend's Mac is a good option. And the best way to remote-access a Mac from an iPad is to use Google's free Chrome Remote Access service, which lets you remotely use Mac programs from an iOS device.
It's quite an involved process to set it up the first time, but easy if you want to do it again in future. You'll need the Google Chrome web browser for Mac, and a Google account.
Here is the link for Chrome Remote Access:
https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp?hl=en
Open Chrome and go to Chrome Remote Desktop on the Chrome Webstore. Click Add to Chrome, then Add App. Click Allow, then Continue.
I will give you one approach and a small explanation.
You will need to create an application with all possible permissions at first, and also implement handler functions.
For example:
- Works with files
- Real native socket connections (not the HTTP protocol) + need to have some main signalling server (domain or static IP).
- Handle remote touch trigger (main problem for real remote/iOS)
- Background part experience
Your app needs to be a non-Market app (more likely).
You can make an application with all possible options that Apple gives us.
What you can do remotely with your app: control the camera/mic, read geo data, work with galleries, delete or create files. The socket will be the communication line.
Also, the app must be initially started and (on user request) always allow all permissions.
Use camera:
Send some command with the socket, for example (openCamera). After receiving this string, perform the action for opening the camera.
If you can solve programmatically triggering touch events, you can make remoteIOS.
More data links:
Q/A send remote events
Q about touch events
Q/A about Permissions
Sorry for the first quick answer,
All of these (DeviceConnect, AWS Device Farm, SauceLabs) use Appium in order to control devices.
The component that executes the commands is the WebDriver.
Appium has different WebDriver implementations in order to execute operations on different devices.
The iOS WebDriver can be found here: https://github.com/appium/appium-ios-driver.
The protocol in use is the JsonWireProtocol.
more details can be found here:
http://appium.io/,
http://www.seleniumhq.org/
Regards

Facebook.com and the iOS7 Captive Portal Detection

I created a router that connects to facebook to get some info before a user may access the internet.
First they connect, get the Captive Portal Page and then continue to a facebook login. Since the upgrade to iOS7 it fails to load the facebook login page. On my mac with the Captive Portal Assistant it has no problems and even on the phone itself while using the iOS version of safari there are no problems.
What is going wrong here? Is facebook filtering request from the iOS7 Captive Portal Assistant or is Apple doing some sneaky stuff here?
It seems the problem is widespread and only related to facebook.
Update: I worked with the betas and they worked fine a few weeks ago. Now with the same beta version it doesn't anymore. So another point for the Facebook explanation.
Regards, Cas
This problem has been fixed by Apple since iOS 8. But as iPhone 4 users can't upgrade to iOS 8, this problem still exists.
iOS 7 devices check for the following domains:
- www.appleiphonecell.com
- captive.apple.com
- www.apple.com
- www.itools.info
- www.ibook.info
- www.airport.us
- www.thinkdifferent.us
Whitelisting these domains stops the login mask from appearing, as the iOS device thinks that the internet is working as expected. This way you have control over what happens, as the iOS device does not interrupt anything if you use a normal browser for login.
If you don't whitelist the domains, the following happens. I debugged it on routers with several iOS devices and they all did mostly the same:
If you connect to a wifi, the iOS device tries to connect to one of the domains listed above. If it can contact one of the domains, it tries another one. If it can't, it starts the redirect, which is controlled by the router. Sometimes it queries one or more domains before it thinks that the internet is working.
After the check, the login screen redirects to your router and then to the login screen of your captive portal. This behavior stayed the same as it was on iOS 6 or before.
Now you start an OAuth login to a 3rd-party provider like Facebook, Google or Twitter. And now the difference appears. You can check it on a router if you run it in debug mode. As the iOS device goes to another domain for the OAuth login (like www.facebook.com), the iPhone thinks that something changed and starts to query one of the Apple domains listed above. The user sees only a white screen, and in the background the iOS device tries to contact one of the domains repeatedly. For the user this seems to be an error, as the screen stays white or takes very long to show the login of the 3rd-party provider. Sometimes it stops loading and nothing happens forever.
To avoid this behavior, you must whitelist the domains listed above. This is not common behavior for iOS users, but this way your browser has control of the login session and the iOS device doesn't interrupt it as it does with the login screen.
Some shallow information is reported on the following sites:
https://supportforums.cisco.com/docs/DOC-36523
http://www.cadincweb.com/why-your-apple-ios-7-device-wont-connect-to-the-wifi-network
https://discussions.apple.com/thread/5355766
I couldn't find a detailed description of the problem and found the one above myself by debugging all parts with some routers and iOS devices like iPhones and iPads.
I've just tested various router settings and noticed that iOS 7 is NOT trying to contact above mentioned sites/URLs when router's DOMAIN field is blank.
My guess is that blank domain points to a consumer-type network set up and Apple is not expecting a Captive Portal at such network. If you have access to administer your router see if you can clear out the DOMAIN field (and restart/retest).
I found my solution to my problem. (a while ago, but I found this post again)
First I found out that iOS makes 3 calls: the first to check, the second to get the page that needs to be displayed, the third to check again after the page load. Then I discovered that for every POST or GET action made by the page, regardless of whether the source page was refreshed, iOS checks for an active internet connection. Since the Facebook API makes a lot of calls, the browser starts stalling (possibly in combination with QoS on my router) and freezes the page.
My Solution:
Since I am in control of the DNS records of the router I use, I redirected all domains towards my own server.
First I saved the check request, to later identify the user when he comes back for the 3rd request.
When the second request comes, I just display an info window saying that everything is right and the user has to click the "Done" button.
The page is loaded, so iOS checks again, but I recognize the user, so I display the OK-code Apple also displays. The "Done" button is shown, and the user has "internet", according to iOS.
On the page that I display, I instruct the user to open the web browser. When he does, he opens a page and my portal with the right page is shown (I can detect this based on the browser agent). Then my Facebook API starts doing its job, and off we go :-)
Let me know if someone needs some more info on how to detect or maybe even a code sample if necessary.
Extra Information
To capture a user on your own server, redirect every request to your processing page using for example .htaccess. The request is made to a domain with a subfile e.g:
http://captive.apple.com/getrT09Nx7G/YNrnUOulnDj/3cfrq3M40iR.html
To keep multiple users apart, use the unique url the device tries to contact when checking for internet, in this case: /getYT09Nx7G/YN1nUOulnDj/3cfMq3M40iR.html

How did a Captive Portal force to open a browser

I've setup a Captive Portal with dd-wrt, wifidog, authpuppy and some plugins from authpuppy as well as my own web app.
I am wondering what's the exact thing that will trigger a browser on the client device to pop up?
Is the popup browser from iPhone/iPad a regular browser mode?
It seems some JavaScript will fail in that browser mode, like shake.js (https://github.com/alexgibson/shake.js/), even though the iOS Safari version is > 4.2.1.
P.S.:
I've done the research like
http://en.wikipedia.org/wiki/Captive_portal
https://personaltelco.net/wiki/CaptivePortal
they don't talk much about the popup browser.
Could anyone help?
If you look at the network statistics [request/response], you will find that devices like iOS and Android both continuously hit some particular URLs [in the case of Android it is www.google.com/generate_204; I don't remember the exact URL for iOS]. These URLs are generated by the system internally. These pings let their server know about various details. So as soon as iOS gets connected to a captive portal it tries to hit the system-generated URL, failing which it understands that this is a packet-level protected network and opens the browser.
Hope this helps.
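
An added example, not code from any of the posts above: one way a portal's HTTP side can answer the OS connectivity probes these answers describe, redirecting before the user agrees and returning the expected success response afterwards. `portal.example`, the session map keyed by client address and all function names are assumptions; the Apple host list is the iOS 7 list quoted earlier on this page.

```javascript
// Added example (not from the original posts). Names below are assumptions.
const PORTAL_HOST = 'portal.example';            // hypothetical portal host
const PORTAL_URL = 'http://' + PORTAL_HOST + '/agree';
// iOS 7 probe hosts as listed in the answer on this page.
const APPLE_PROBE_HOSTS = new Set([
  'www.appleiphonecell.com', 'captive.apple.com', 'www.apple.com',
  'www.itools.info', 'www.ibook.info', 'www.airport.us', 'www.thinkdifferent.us',
]);
// Body Apple's probe endpoint returns when the network is open.
const APPLE_SUCCESS =
  '<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>';

function normalizeHost(host) {
  return String(host || '').trim().toLowerCase().replace(/:\d+$/, '').replace(/\.$/, '');
}

// Returns 'apple', 'android', or null for ordinary traffic.
function classifyProbe(host, path) {
  // Android's probe host varies; the page names www.google.com/generate_204.
  if (String(path).split('?')[0] === '/generate_204') return 'android';
  return APPLE_PROBE_HOSTS.has(normalizeHost(host)) ? 'apple' : null;
}

// sessions: Map(clientAddress -> true), set when the user clicks "agree".
// Returns a response object, or null when the request is not the probe
// handler's to answer (portal pages, or forwarded traffic after agreement).
function respond(sessions, req) {
  const noStore = { 'Cache-Control': 'no-store' }; // keep clients from storing portal answers
  if (normalizeHost(req.host) === PORTAL_HOST) return null;
  if (sessions.get(req.client) !== true) {
    // Anything other than the expected probe answer marks the network as captive.
    return { status: 302, headers: { ...noStore, Location: PORTAL_URL }, body: '' };
  }
  const kind = classifyProbe(req.host, req.path);
  if (kind === 'apple') {
    return { status: 200, headers: { ...noStore, 'Content-Type': 'text/html' }, body: APPLE_SUCCESS };
  }
  if (kind === 'android') return { status: 204, headers: noStore, body: '' };
  return null;
}

// Constructed walk-through: the same probe before and after the user agrees.
function demo() {
  const sessions = new Map();
  const probe = { client: '192.0.2.10', host: 'captive.apple.com', path: '/constructed-probe.html' };
  const before = respond(sessions, probe);
  sessions.set('192.0.2.10', true); // user clicked "agree"
  const after = respond(sessions, probe);
  const android = respond(sessions, { client: '192.0.2.10', host: 'www.google.com', path: '/generate_204' });
  return { before: before.status, after: after.body, android: android.status };
}
```
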

iOS 6.1.2 forever caching redirect content

I've got (actually my employer has) a mobile website that enables Safari integration (for iPhones and iPads) - meaning that customers can bookmark it to their home screen and then it would behave as a standalone web app (no address bar, custom icon, start-up image etc).
It works all right except that one week ago (coincidentally soon after apple has released iOS 6.1.2) some of our customers (6 of them initially) complained that they no longer get the normal content but a '404 page' of a public wifi provider (The Cloud owned by Sky here in the UK). After a bit of investigation we've figured that at some point those customers connected to the Cloud wifi without actually logging in (it's one of those providers that would redirect you to a login page to enter your credentials, after which you can carry on browsing). The thing is that even after switching back to their private wifi or mobile data connection the application would display the Cloud's page.
This only happens (as far as I can tell) when the application is launched via the bookmark (I couldn't see this behavior when using it from safari).
What happens is that the customers would connect to the cloud wifi (without logging in), they would open the application at which point the router will issue a redirect response to their login page; the application would cache the login page and it will always display it whenever using the bookmark again. (I've performed a capture when this happens and there are no requests being made at start-up whatsoever).
Even weirder, in this situation, if removing the existing bookmark and adding a new one will show you the same cached page (with the whole operation being performed away from the Cloud). We've fixed this by adding a unique identifier to the URL each time we hit the bookmark screen (this indicates that the web apps' sandboxes are linked to the url, which is to be expected).
What we're trying to achieve is to have the application properly recovering after the customer has moved away from the Cloud. But there doesn't seem to be a straight forward way to do this.
Furthermore there's a level of inconsistency in all of this - most of the times when the flow is performed I will see a 404 page (a custom 404 page https://service.thecloud.net/service-platform), but sometimes I would be properly redirected to the login page, in which case the application would not break.
My assumption is that there is a weird race condition in the standalone web app application model causing the browser not to properly handle redirects (and actually caching 404 pages). I've raised a support incident with Apple (which eventually turned into a bug report) but it might take a while and I'm trying my best to figure out a workaround.
Any ideas, maybe someone has seen this before?
The issue is aggravated by the fact that I need to take a 5-minute walk every time I'm testing any fixes; I've tried creating simple test forms, but I wasn't able to reproduce the issue, whereas with the full app I can do it pretty much every time.
Here's a summary of the steps to reproduce:
1. Via private wifi (or mobile data connection) add a bookmark to a website (I've managed to reproduce it with quite a couple of apps that support Safari integration as described above)
2. Open the application to review the normal content
3. Connect to a Cloud hotspot and open the application from the bookmark (open-close it a couple of times if you don't get the 404 right away)
4. Connect to the private wifi (or mobile data connection) and open the application via the bookmark -> you'll see the same 404 page again
In the end the fix was to add a unique query string parameter with the initial page request (pretty easy with the setup we already had, via the launcher page). I've filed a bug report with Apple which they've acknowledged by linking it to a previous item. Here's a post on the topic:
http://blog.onos.ro/ios-6.1.2-caching-issue
