Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


GSM hacking explained: SMS

Posted by zura at 2020-04-14

Recently the topic of GSM has become hot again. Incidentally, I had a popular article about it last year, and all of this is several years old, so it is not very interesting to bring up again. Because I have always considered this topic very sensitive, I preferred not to say much about it, but someone recently posted on WooYun, and some parts of that post are vague. Since it has been made public anyway, I will go into the details. What is more annoying is that for a long time some organizations have only released screenshots and no details.

This article uses the latest version of Kali, 1.05, running in a virtual machine as the system for sniffing GSM. I will not go into the hardware in detail; the popular article mentioned above already covers it. What I use is the following:

My connecting cable I made myself from a phone earphone cable, so it looks a little DIY. It seems there is a ready-made one now for 10 yuan. It's expensive, but it saves a lot of trouble. I made mine myself.

First of all, you need to set up a cross-compilation environment for ARM code. Without it you cannot compile osmocombb and its dependencies. You can refer to this document:

However, some steps are missing from the document above, which may cause later compilation to fail. The complete steps are pasted below; the default working directory is root's home:

Updated on December 11, 2015: the third version of the script is used here and has passed testing under Kali 2.

Follow the prompts.

Press Enter, then wait a long time. It asks you to add the path to the system variables, which is simple:

If the last line is not executed, the system variable will not take effect immediately, and later compilation will fail. Then clone the osmocombb source code locally with git and select the required branch to compile.

Now that the preparation is done, we can plug in. Carefully insert your USB-to-TTL module into the USB port and connect it to the virtual machine. The light on the module should be blinking, and you can see the CP2102 module with lsmod. Open four new command-line windows in Kali; we will need these four windows to run different commands. First, enter in the first window:

Then press the phone's little power key, and you will see the following characters scrolling continuously in the command-line window, while the phone also shows a display.

The second step is to scan for nearby base stations. Enter in the second window:

You will see a continuous stream of information about nearby base stations, including the operator name.

The third step is to sniff a specified channel number. Ideally we would want to do this properly, but we have only one machine, and a cheap one at that. For the theoretical explanation, see the figure below. Therefore one machine can only listen to one channel, so we need to choose a specific channel number. Which one? Of course, the channel number our own mobile phone is using. Readers, do not mess around with anything else.

We need to know the ARFCN of the base station our mobile phone is currently connected to. Mobile phones generally have an engineering mode. Taking the iPhone as an example, enter this on the dialer keypad:

For the ARFCN question, refer to the table above:

After entering the engineering mode, select GSM Cell Environment -> GSM Cell Info -> GSM Serving Cell, and you can see the ARFCN of the base station the phone is connected to. In the second step you should also have seen that this ID exists. Commands for other phones:

Then go ahead boldly, changing the ARFCN ID to the ID you found your own phone is using:

Step 4: use Wireshark to capture packets locally. At this point the GSM protocol has been encapsulated in TCP/IP, so it can be captured locally with Wireshark.

Filter on gsm_sms and find a way to trigger a message; you will see it in Wireshark. Well, it is said that many people buy more than half a dozen at a time and connect to all the surrounding base stations, one machine per base station.

Please indicate the source when reprinting. If you like this site, you can subscribe to it.