0x00 Preface
Recently I came across a very good tutorial video series on YouTube by "Crazy Danish Hacker": sniffing GSM network traffic with an SDR (GSM sniffing Teaser–Software Defined Radio Series). The series walks through everything step by step, from installing a TV-tuner stick, through scanning for base stations and using the sniffing tools, to capturing and decrypting GSM traffic:
As a porter of that material, I will summarize the main content of the tutorial in two or three parts and turn it into a Chinese-language course; I hope it helps readers who are interested in this area.
0x01 Environment Setup
OS: GNU Radio LiveCD
Hardware: a TV-tuner stick (RTL-SDR), a HackRF or a BladeRF will all work
1. Install the build dependencies
sudo apt-get install git cmake libboost-all-dev libcppunit-dev swig doxygen liblog4cpp5-dev python-scipy
Kali 2.0:
apt-get install gnuradio gnuradio-dev rtl-sdr librtlsdr-dev osmo-sdr libosmosdr-dev libosmocore libosmocore-dev cmake libboost-all-dev libcppunit-dev swig doxygen liblog4cpp5-dev python-scipy
2. Compiling gr-gsm
3. Compiling kalibrate
kalibrate-hackrf (kalibrate for HackRF):
git clone https://github.com/scateu/kalibrate-hackrf.git
cd kalibrate-hackrf
./bootstrap
./configure
make
sudo make install
kalibrate-rtl (kalibrate for RTL-SDR):
git clone https://github.com/steve-m/kalibrate-rtl.git
cd kalibrate-rtl
./bootstrap
./configure
make
sudo make install
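The three steps above as one repeatable script. This is an added example, not code from the original post or from the gr-gsm/kalibrate projects: the repository URLs and the Kali package list are the ones the post gives; the cmake/make sequence for gr-gsm and the `ldconfig` afterwards are the standard build from the gr-gsm wiki linked in the references; the `GSM_SDR_BUILD` variable, the function names and the final tool check are this script's own additions. Nothing is downloaded or installed unless `GSM_SDR_BUILD` is set to `hackrf` or `rtl`.

```shell
#!/bin/sh
# Added example: build gr-gsm and the right kalibrate fork on Kali 2.0 / a
# Debian-based GNU Radio LiveCD.  Re-runnable: existing clones are updated,
# not re-cloned.  Real work only happens when GSM_SDR_BUILD is set.
set -eu

# Build dependencies for Kali 2.0, as listed in the post.
deps_kali() {
    echo "gnuradio gnuradio-dev rtl-sdr librtlsdr-dev osmo-sdr libosmosdr-dev" \
         "libosmocore libosmocore-dev cmake libboost-all-dev libcppunit-dev" \
         "swig doxygen liblog4cpp5-dev python-scipy"
}

# kalibrate fork for the SDR in hand: the HackRF fork or the original RTL-SDR one.
kal_repo() {
    case "$1" in
        hackrf) echo "https://github.com/scateu/kalibrate-hackrf.git" ;;
        rtl)    echo "https://github.com/steve-m/kalibrate-rtl.git" ;;
        *)      echo "unknown hardware '$1' (use hackrf or rtl)" >&2; return 1 ;;
    esac
}

# fetch <url> <dir>: clone on first run, fast-forward on later runs.
fetch() {
    if [ -d "$2/.git" ]; then git -C "$2" pull --ff-only; else git clone "$1" "$2"; fi
}

# gr-gsm is an out-of-tree GNU Radio module: cmake build, then ldconfig so the
# Python apps can find the freshly installed shared library.
build_gr_gsm() {
    fetch https://github.com/ptrkrysik/gr-gsm.git gr-gsm
    mkdir -p gr-gsm/build
    ( cd gr-gsm/build && cmake .. && make && sudo make install )
    sudo ldconfig
}

# build_kalibrate <hackrf|rtl>: autotools build exactly as in the post.
build_kalibrate() {
    dir="kalibrate-$1"
    fetch "$(kal_repo "$1")" "$dir"
    ( cd "$dir" && ./bootstrap && ./configure && make && sudo make install )
}

# Post-install check: every tool used later in the post must be on PATH.
check_tools() {
    missing=""
    for t in kal grgsm_scanner grgsm_livemon wireshark; do
        command -v "$t" >/dev/null 2>&1 || missing="$missing $t"
    done
    [ -z "$missing" ] || { echo "missing tools:$missing" >&2; return 1; }
}

# Usage:  GSM_SDR_BUILD=hackrf sh build-gsm-sdr.sh
if [ -n "${GSM_SDR_BUILD:-}" ]; then
    sudo apt-get install -y $(deps_kali)
    build_gr_gsm
    build_kalibrate "$GSM_SDR_BUILD"
    check_tools
fi
```

If `check_tools` reports `grgsm_scanner` or `grgsm_livemon` missing after a successful `make install`, the usual cause is an install prefix (for example `/usr/local`) that is not on `PATH`/`PYTHONPATH` for the current shell.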
0x01 Scanning for Base Stations
1.1 kal
$ kal
error: must enter channel or frequency
kalibrate v0.4.1-hackrf, Copyright (c) Joshua Lackey
modified for use with hackrf devices, Copyright (c)
usage:
    GSM Base Station Scan:
        kal <-s band indicator> [options]

    Clock Offset Calculation:
        kal <-f frequency | -c channel> [options]

Where options are:
    -s    band to scan (GSM850, GSM-R, GSM900, EGSM, DCS, PCS)   // network type / band to scan
    -f    frequency of nearby GSM base station
    -c    channel of nearby GSM base station
    -b    band indicator (GSM850, GSM-R, GSM900, EGSM, DCS, PCS)
    -a    rf amplifier enable
    -g    vga (bb) gain in dB, 0-40dB, 8dB step
    -l    lna (if) gain in dB, 0-62dB, 2dB step
    -d    rtl-sdr device index
    -e    initial frequency error in ppm
    -E    manual frequency offset in hz
    -v    verbose
    -D    enable debug messages
    -h    help

kal -s GSM900 -g 40 -l 40    // scan the GSM900 band
1.2 gr-gsm (HackRF, BladeRF)
In the compiled gr-gsm project, the apps directory contains the scripts for scanning and decoding GSM traffic:
$ grgsm_scanner -h
linux; GNU C++ version 4.8.4; Boost_105400; UHD_003.010.git-197-g053111dc

Usage: grgsm_scanner: [options]

Options:
  -h, --help            show this help message and exit
  -b BAND, --band=BAND  Specify the GSM band for the frequency.
                        Available bands are: P-GSM, DCS1800, PCS1900, E-GSM, R-GSM, GSM450, GSM480, GSM850
  -s SAMP_RATE, --samp-rate=SAMP_RATE
                        Set sample rate [default=2000000.0] - allowed values even_number*0.2e6
  -p PPM, --ppm=PPM     Set frequency correction in ppm [default=0]
  -g GAIN, --gain=GAIN  Set gain [default=24.0]
  --args=ARGS           Set device arguments [default=]
  --speed=SPEED         Scan speed [default=4]. Value range 0-5.
  -v, --verbose         If set, verbose information output is printed: CCCH configuration, cell ARFCN's, neighbour ARFCN's
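What to do with the scan output once you have it. The following is an added example, not code from the original post or from kalibrate/gr-gsm: it parses the `chan: N (F MHz +/- X kHz) power: P` lines that `kal -s` prints, maps each ARFCN to its nominal downlink frequency with the 3GPP TS 45.005 formulas (the same mapping `grgsm_scanner` uses when it prints `ARFCN` and `Freq`), turns the measured carrier offsets into a crystal-error estimate in ppm for the `-p` option of the gr-gsm tools, and picks the strongest cell to sniff first. The scan text inside the script is constructed for the example; the sign convention of the ppm value for `-p` is an assumption and should be confirmed with `kal -c <arfcn>`, which reports the error directly.

```python
"""Added example: from a `kal -s` scan to ARFCN, frequency and ppm correction.

kal prints one line per detected BCCH carrier, e.g.
    chan: 12 (937.4MHz + 15.912kHz)   power: 1573.23
`chan` is the ARFCN; the kHz term is how far the carrier was found from its
nominal frequency, which on a cheap SDR is almost entirely the crystal error.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Per band: (first ARFCN, last ARFCN, uplink MHz at first ARFCN, duplex spacing MHz).
# Source: 3GPP TS 45.005 section 2.  Downlink = uplink + duplex spacing.
_BANDS = {
    "GSM900": [(1, 124, 890.2, 45.0)],                             # P-GSM
    "EGSM":   [(0, 124, 890.0, 45.0), (975, 1023, 880.2, 45.0)],   # E-GSM
    "GSM-R":  [(0, 124, 890.0, 45.0), (955, 1023, 876.2, 45.0)],   # R-GSM
    "GSM850": [(128, 251, 824.2, 45.0)],
    "DCS":    [(512, 885, 1710.2, 95.0)],                          # DCS 1800
    "PCS":    [(512, 810, 1850.2, 80.0)],                          # PCS 1900
}


def arfcn_to_downlink_mhz(arfcn: int, band: str) -> float:
    """Nominal downlink (base station -> phone) centre frequency in MHz; this is
    the frequency kal, grgsm_scanner and grgsm_livemon all work with."""
    for lo, hi, first_uplink, duplex in _BANDS[band.upper()]:
        if lo <= arfcn <= hi:
            return round(first_uplink + 0.2 * (arfcn - lo) + duplex, 1)
    raise ValueError(f"ARFCN {arfcn} is not in band {band}")


_KAL_LINE = re.compile(
    r"chan:\s*(?P<arfcn>\d+)\s*\((?P<mhz>[\d.]+)MHz\s*(?P<sign>[+-])\s*"
    r"(?P<khz>[\d.]+)kHz\)\s*power:\s*(?P<power>[\d.]+)"
)


@dataclass
class Carrier:
    arfcn: int
    nominal_mhz: float   # frequency as printed by kal
    offset_hz: float     # measured offset of the carrier from nominal
    power: float

    @property
    def ppm(self) -> float:
        # offset_hz / (nominal_mhz * 1e6) * 1e6 simplifies to offset_hz / nominal_mhz
        return self.offset_hz / self.nominal_mhz


def parse_kal_scan(text: str, band: str = "GSM900") -> List[Carrier]:
    carriers = []
    for line in text.splitlines():
        m = _KAL_LINE.search(line)
        if not m:
            continue
        arfcn, mhz = int(m["arfcn"]), float(m["mhz"])
        # Sanity check: the frequency kal printed must match the ARFCN formula for
        # the band we assume; otherwise the -s band and this band disagree.
        if abs(arfcn_to_downlink_mhz(arfcn, band) - mhz) > 0.05:
            raise ValueError(f"ARFCN {arfcn} printed at {mhz} MHz is not in {band}")
        offset_hz = float(m["khz"]) * 1000.0 * (1 if m["sign"] == "+" else -1)
        carriers.append(Carrier(arfcn, mhz, offset_hz, float(m["power"])))
    return carriers


def estimate_ppm(carriers: List[Carrier]) -> float:
    """Median of the per-carrier ppm values.  Median rather than mean so one
    mis-detected carrier cannot drag the estimate: the crystal error is common
    to every carrier, so the values should cluster tightly."""
    if not carriers:
        raise ValueError("no carriers found")
    ppms = sorted(c.ppm for c in carriers)
    n = len(ppms)
    return ppms[n // 2] if n % 2 else (ppms[n // 2 - 1] + ppms[n // 2]) / 2.0


def strongest(carriers: List[Carrier]) -> Optional[Carrier]:
    return max(carriers, key=lambda c: c.power, default=None)


# Constructed sample scan: kal's output format, invented numbers.
SAMPLE_KAL_SCAN = """\
kal: Scanning for GSM-900 base stations.
GSM-900:
\tchan: 12 (937.4MHz + 15.912kHz)\tpower: 1573.23
\tchan: 27 (940.4MHz + 16.104kHz)\tpower: 812.40
\tchan: 62 (947.4MHz + 16.012kHz)\tpower: 455.19
"""

if __name__ == "__main__":
    cells = parse_kal_scan(SAMPLE_KAL_SCAN)
    best = strongest(cells)
    ppm = estimate_ppm(cells)
    print(f"strongest cell: ARFCN {best.arfcn} at {best.nominal_mhz} MHz (power {best.power})")
    print(f"estimated crystal error: {ppm:.2f} ppm")
    print(f"next step (verify sign with kal -c {best.arfcn}): grgsm_livemon -f {best.nominal_mhz}M -p {ppm:.1f}")
```

On a real scan the three per-carrier ppm values should agree to within a fraction of a ppm; if they do not, the gain was too high or the scan picked up a neighbouring channel, and the offsets are not usable as a calibration.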
1.3 BladeRF with SDR#
With the methods above we obtain the base station's parameters: centre frequency, channel, ARFCN, LAC, MCC, MNC and so on, which is what the next steps need. But is there another way for Windows users to determine the centre frequency of a base station?
Windows users can confirm the base station's operating frequency from the SDR# (SDRSharp) waterfall. Because of the HackRF's limited performance the waterfall is not very clear at GSM frequencies, so I used a BladeRF for this. SDR# does not support BladeRF hardware by default, so the driver plugin has to be installed first; see https://github.com/jmichelp/sdrsharp-bladerf for details:
Copy SDRSharp.BladeRF.dll from the plugin's release directory into the SDR# installation directory;
Copy all DLL files from the libbladeRF directory of the GitHub project into the SDR# installation directory;
Add the following entry to FrontEnds.xml:
<add key="BladeRF" value="SDRSharp.BladeRF.BladeRFIO,SDRSharp.BladeRF" />
Load the BladeRF FPGA image in SDR#:
The final result:
0x02 Sniffing
The scan gave us the base station's centre frequency, channel, ARFCN, LAC, MCC, MNC and other parameters:
It shows GSM base station signals in the 935-950 MHz range. Let's look at them in the Gqrx waterfall:
~/gr-gsm/apps$ ls
CMakeLists.txt  grgsm_livemon      grgsm_livemon.py  helpers
grgsm_decode    grgsm_livemon.grc  grgsm_scanner     README
~/gr-gsm/apps$ grgsm_livemon -h
linux; GNU C++ version 4.8.4; Boost_105400; UHD_003.010.git-197-g053111dc

Usage: grgsm_livemon: [options]

Options:
  -h, --help            show this help message and exit
  --args=ARGS           Set Device Arguments [default=]
  -f FC, --fc=FC        Set fc [default=939.4M]
  -g GAIN, --gain=GAIN  Set gain [default=30]
  -p PPM, --ppm=PPM     Set ppm [default=0]
  -s SAMP_RATE, --samp-rate=SAMP_RATE
                        Set samp_rate [default=2M]
  -o SHIFTOFF, --shiftoff=SHIFTOFF
                        Set shiftoff [default=400k]
  --osr=OSR             Set osr [default=4]
Let's sniff the base station at 937.4 MHz (the -f option takes engineering notation, as the 939.4M default in the help shows):
grgsm_livemon -f 937.4M
The terminal on the right shows that the base station's traffic is being captured successfully.
0x03 Decoding and Decryption
3.1 Installing Wireshark
apt-get install wireshark
3.2 Sniffing & Decryption
~/gr-gsm/apps$ ls
CMakeLists.txt  grgsm_livemon      grgsm_livemon.py  helpers
grgsm_decode    grgsm_livemon.grc  grgsm_scanner     README
~/gr-gsm/apps$ gnuradio-companion grgsm_livemon.grc
Run the GRC flowgraph. It sends every decoded burst to the host as GSMTAP over UDP (127.0.0.1, port 4729), so Wireshark captures on the loopback interface with a gsmtap display filter; the "!icmp" part hides the ICMP port-unreachable replies that appear when nothing is listening on that UDP port:
sudo wireshark -k -Y 'gsmtap && !icmp' -i lo
The captured packets look like this:
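What Wireshark is dissecting here, as an added example that is not code from the original post, gr-gsm or Wireshark: a minimal decoder for the GSMTAP stream that `grgsm_livemon` emits, covering the 16-byte GSMTAP v2 header (layout from Osmocom's gsmtap.h) and, for BCCH blocks, the System Information Type 3 message (3GPP TS 44.018 9.1.35) whose cell identity and Location Area Identification (MCC/MNC/LAC, BCD encoding from TS 24.008 10.5.1.3) are exactly the values the scanner reported earlier. The packet bytes are constructed for this example with the test PLMN 001-01; `listen()` is the script's own helper that reads the same UDP stream Wireshark sees on `lo`.

```python
"""Added example: decode GSMTAP from grgsm_livemon and pull MCC/MNC/LAC/CI out of SI3."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

GSMTAP_TYPE_UM = 0x01            # GSM Um interface burst/frame
GSMTAP_CHANNEL_BCCH = 0x01       # sub_type: Broadcast Control Channel
GSMTAP_ARFCN_F_UPLINK = 0x4000   # flag bits carried in the 16-bit ARFCN field
GSMTAP_ARFCN_F_PCS = 0x8000
RR_PROTOCOL_DISCRIMINATOR = 0x06 # Radio Resource management
SI3_MESSAGE_TYPE = 0x1B


@dataclass
class GsmtapHeader:
    type: int
    timeslot: int
    arfcn: int
    uplink: bool
    pcs: bool
    signal_dbm: int
    snr_db: int
    frame_number: int
    sub_type: int
    payload: bytes


def parse_gsmtap(pkt: bytes) -> GsmtapHeader:
    """GSMTAP v2: version, hdr_len (in 32-bit words), type, timeslot, then
    arfcn(16) signal(8, signed) snr(8, signed) frame_number(32) sub_type(8)
    antenna(8) sub_slot(8) reserved(8); all big-endian."""
    if len(pkt) < 16 or pkt[0] != 2:
        raise ValueError("not a GSMTAP v2 packet")
    hdr_len = pkt[1] * 4
    if hdr_len < 16 or len(pkt) < hdr_len:
        raise ValueError("truncated GSMTAP header")
    arfcn_raw, sig, snr, fn, sub, _ant, _subslot, _res = struct.unpack("!HbbIBBBB", pkt[4:16])
    return GsmtapHeader(pkt[2], pkt[3], arfcn_raw & 0x3FFF,
                        bool(arfcn_raw & GSMTAP_ARFCN_F_UPLINK),
                        bool(arfcn_raw & GSMTAP_ARFCN_F_PCS),
                        sig, snr, fn, sub, pkt[hdr_len:])


@dataclass
class SystemInfo3:
    cell_id: int
    mcc: str
    mnc: str
    lac: int


def _decode_plmn(b: bytes) -> Tuple[str, str]:
    """TS 24.008 10.5.1.3: octet1 = MCC2|MCC1, octet2 = MNC3|MCC3, octet3 = MNC2|MNC1
    (high nibble listed first); a 2-digit MNC has MNC3 == 0xF."""
    mcc = f"{b[0] & 0xF}{b[0] >> 4}{b[1] & 0xF}"
    mnc3 = b[1] >> 4
    mnc = f"{b[2] & 0xF}{b[2] >> 4}" + ("" if mnc3 == 0xF else str(mnc3))
    return mcc, mnc


def parse_si3(block: bytes) -> Optional[SystemInfo3]:
    """block = 23-byte BCCH MAC block: L2 pseudo-length octet, then the L3 message.
    Returns None for anything that is not SI3 (SI1, SI2, SI4, ... share the channel)."""
    if len(block) < 10:
        return None
    l2_len = block[0] >> 2                 # pseudo-length octet: (length << 2) | 0b01
    l3 = block[1:1 + l2_len]
    if len(l3) < 9 or (l3[0] & 0x0F) != RR_PROTOCOL_DISCRIMINATOR or l3[1] != SI3_MESSAGE_TYPE:
        return None
    cell_id = struct.unpack("!H", l3[2:4])[0]
    mcc, mnc = _decode_plmn(l3[4:7])
    lac = struct.unpack("!H", l3[7:9])[0]
    return SystemInfo3(cell_id, mcc, mnc, lac)


def describe(pkt: bytes) -> dict:
    h = parse_gsmtap(pkt)
    out = {"arfcn": h.arfcn, "uplink": h.uplink, "fn": h.frame_number,
           "dbm": h.signal_dbm, "si3": None}
    if h.type == GSMTAP_TYPE_UM and h.sub_type == GSMTAP_CHANNEL_BCCH:
        out["si3"] = parse_si3(h.payload)
    return out


# Constructed sample: one downlink BCCH block on ARFCN 12 (937.4 MHz) carrying SI3.
SAMPLE_SI3_BLOCK = bytes.fromhex(
    "49"        # L2 pseudo length 18 (0x49 = 18 << 2 | 0b01); rest octets not counted
    "06" "1b"   # RR protocol discriminator, message type SI3
    "0bc5"      # cell identity 3013
    "00f110"    # LAI: MCC 001, MNC 01 (BCD as in _decode_plmn)
    "1234"      # LAC 0x1234
    "010000"    # control channel description (not decoded here)
    "00"        # cell options
    "0000"      # cell selection parameters
    "000000"    # RACH control parameters
    "2b2b2b2b"  # SI3 rest octets (0x2b padding)
)
SAMPLE_GSMTAP = (bytes([0x02, 0x04, GSMTAP_TYPE_UM, 0x00])
                 + struct.pack("!HbbIBBBB", 12, -60, 0, 0x00123456, GSMTAP_CHANNEL_BCCH, 0, 0, 0)
                 + SAMPLE_SI3_BLOCK)


def listen(port: int = 4729) -> None:
    """Read grgsm_livemon's GSMTAP stream directly instead of through Wireshark."""
    import socket
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", port))
    while True:
        pkt, _ = s.recvfrom(4096)
        d = describe(pkt)
        if d["si3"]:
            si = d["si3"]
            print(f"ARFCN {d['arfcn']} {d['dbm']} dBm: MCC {si.mcc} MNC {si.mnc} LAC {si.lac:#06x} CI {si.cell_id}")


if __name__ == "__main__":
    print(describe(SAMPLE_GSMTAP))
```

Binding port 4729 yourself also removes the ICMP port-unreachable chatter that the Wireshark filter above has to exclude. SI3 repeats every few seconds on the BCCH, so the values appear almost immediately after the livemon locks onto the carrier.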
For the decryption method, refer first to the gr-gsm wiki on GitHub:
Usage: decoding how-to (ptrkrysik/gr-gsm wiki)
Decoding hopping channels
In the follow-up parts we will use the SDR to capture a phone's GSM packets during a call, use a Samsung lock-screen bypass vulnerability to read the TMSI and Kc directly from the handset, decrypt the captured packets with them, and extract the voice content of the call.
We may also discuss the security of 4G LTE base stations based on the open-source gr-lte project. (The gr-lte project is an open-source software package which aims to provide a GNU Radio LTE receiver to receive, synchronize and decode LTE signals.)
0x04 References
Https://github.com/ptrkrysik/gr-gsm/wiki/Usage
https://z4ziggy.wordpress.com/2015/05/17/sniffing-gsm-traffic-with-hackrf/
GSM sniffing: kalibrate-rtl usage–Software Defined Radio Series #5
GSM sniffing: installing gr-gsm–Software Defined Radio Series #7
GSM sniffing: using gr-gsm–Software Defined Radio Series #8
Original address: http://www.freebuf.com/articles/wireless/110773.html
GSM Hacking Part ①: Sniffing GSM networks with SDR scanning