Mobile Network Hacking
Who am I
Do you really want to know who I am? Well, I really want to know who is reading this open research now. So, to make it simple, visit my LinkedIn page or GitHub and let's talk:
https://www.linkedin.com/in/hassan-profile/
https://github.com/VraiHack
Resume
Why this open, free, theoretical research? Very simple: because I was curious to hack mobile networks, so whenever I learned something new I wrote it down or copied it to save it for later, so that at the end I can also share the happiness with you.
Who is this research for? Absolutely not for beginners: it is for telecommunication network engineers and for pentesters who have knowledge of mobile network protocols and communication and a good understanding of authentication, attachment, call flows, etc.
Table of contents
1 SS7 | Sigtran | GTP | Diameter ... 11
1.1 SS7 in PSTN network ... 11
1.1.1 SS7 protocol stack ... 11
1.2 SIGTRAN in IP Telephony network ... 12
1.2.1 SIGTRAN protocol stack ... 13
1.3 VOIP ... 14
1.3.1 VOIP Protocol Stack ... 14
1.4 SS7/Sigtran in GSM network ... 18
1.4.1 SS7/Sigtran protocol stack in GSM ... 18
1.4.2 GSM attachment ... 19
1.5 GTP in GPRS network ... 20
1.5.1 GPRS attachment and Activation ... 21
1.5.2 GPRS Tunneling Protocol ... 21
1.5.3 GTP protocol stack ... 21
1.5.4 GTP packet header ... 22
1.6 GTP in LTE network ... 22
1.6.1 GTP packet header ... 23
1.7 Diameter in LTE ... 24
1.7.1 Diameter base ... 25
1.7.2 Diameter application ... 25
1.7.3 Diameter message format ... 25
1.7.4 Diameter architecture ... 26
1.7.5 Diameter protocol stack ... 27
1.7.7 Summary ... 28
1.7.8 LTE attachment ... 29
2 GSM | GPRS | VOIP | VOLTE | LTE threats attack ... 30
2.1 GSM threat attacks ... 30
2.1.1 Attacker’s profile ... 30
2.1.2 IMSI disclosure (Requesting MSC) ... 30
2.1.3 Subscriber Profile Manipulation (Send fake subscriber profile to VLR) ... 31
2.1.4 Cell Level Tracking using MAP’s anyTimeInterrogation (ATI) service ... 31
2.1.5 Cell Level Tracking using MAP’s SendRoutingInfoForSM (Fake SMSC) ... 32
2.1.6 Denial of Service (Fake MSC) ... 33
2.1.7 DOS call (using numerous roaming number requests) ... 34
2.1.8 USSD Request Manipulation ... 34
MOBILE NETWORK HACKING
References
SS7
- Things Hackers Can Do with Your Cell Phone Number | Reader's Digest
- Overview - Cellular Network Infrastructure - Open Source Mobile Communications
- SS7 Protocols for GSM | Telecom crash courses
- GSM Network Connection to SS7 Networks - Broadband Telecommunications
- Why SS7 was needed in GSM? - technopediasite-Ultimate Resource For Telecom Technical Support
- SIGTRAN PROTOCOL STACK PDF
- How To Scan Ports With SCTP On Nmap [Complete] - ElderNode Blog
- rfc4666
- Technical-report-on-the-SS7-vulnerabilities-and-their-impact-on-DFS-transactions_f-1-1.pdf
- comst-2971757-pp.pdf - 08984216.pdf
- Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks | Electronic Frontier Foundation
- SCTPscan: SCTP network and port scanner - P1 Security
- Queue | Telecom Signalling Attacks - SS7 to All IP - PDFCOFFEE.COM
- 3G: Practical Attacks Against the SS7 Signaling Protocol - Security Compass Advisory
- Some Notes on Utilizing Telco Networks for Penetration Tests – Insinuator.net
- GSM Security Map
- Overview of GSM, GPRS, and UMTS
- 31c3-ss7-locate-track-manipulate.pdf
- Hacking-related-books/Hacking mobile network via SS7 - interception, shadowing and more by Dmitry Kurbatov.pdf at master · pathakabhi24/Hacking-related-books · GitHub
- SS7_Vulnerability_2017_A4.ENG_.0003.03.pdf
- SIGNALING SYSTEM 7 (SS7) SECURITY REPORT - PDF Free Download
- Attacking SS7-2009-Philipe Langlois-P1security-HES-v10.key - HES2010-planglois-Attacking-SS7.pdf
- bh-eu-07-langlois.ppt - bh-eu-07-langlois-ppt-apr19.pdf
- Hacking-related-books/Telecommunications Infrastructure - Security SS7 Signalling Security by Philippe Langlois.pdf at master · pathakabhi24/Hacking-related-books · GitHub
- Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & T…
- https://www.cellusys.com/download/ss7-vulnerabilities.pdf
- Attacks on SS7.pdf
- Signalling Security in Telecom SS7/Diameter/5G - Interconnect Security SS7-Diameter.pdf
- Telecom security from ss7 to all ip all-open-v3-zeronights
GTP
- GPRS Tunneling Protocol (GTP)
- Vulnerabilities of Mobile Internet (GPRS)
- GTP Deployments
- Monitoring GTP Traffic | Securing GTP and SCTP Traffic User Guide for Security Devices | Juniper Networks TechLibrary
- 3GPP TS 29.274 - 29274-d70.pdf
- Wireless Internet Networking Carriers Perspective ChihLin I Wireless
- GTPing, How To
Diameter
- Diameter
- rfc6733
- Diameter Protocol Explained: Diameter AVP Structure
- 3GPP spec skeleton - ts_129109v060900p.pdf
- Diameter Protocol Explained: Diameter Routing Agent (DRA)
- What Is AAA?
- Radius vs Diameter
- Diameter and 3GPP - Cellusys
- Philippe Langlois - Hacking HLR HSS and MME core network elements
VOIP
- IP Telephony and VoIP Tutorial - Comprehensive Guide
- How to attack an infrastructure using VoIP exploitation [Tutorial] | Packt Hub
GSM
- Hacking GSM: Building a Rogue Base Station to Hack Cellular Devices
- Step by Step guide on how to create 2G network at your own home – Information Technology Blog
- GSM with Osmocom Part 4: The Base Station Controller (BSC) – Nick vs Networking
- How to Build an IMSI Catcher to Intercept GSM traffic
- dpkg - How to remove/install a package that is not fully installed? - Ask Ubuntu
- command-not-found.com – osmo-bts-virtual
- Setting up Yate and YateBTS with the bladeRF · Nuand/bladeRF Wiki · GitHub
SMS
- Quickstart With Kannel. Recently, I got opportunity to work in… | by Sudeep Parajuli | Medium
- Unwanted and/or fraudulent SMS, calls and e-mails | Arcep
- Kannel 1.4.5 User's Guide
LTE
- P1security-LTE_Pwnage v2 PL.pptx - D1T2 - Philippe Langlois - Hacking HLR HSS and MME Core Network Elements.pdf
- Top 10 Cyber Threats to Private 5G/LTE Networks - Security Boulevard
- 7-deadly-threats-4g.pdf
- LTE :Mobile Network Security
- Paper Title (use style: paper title) - 20151031_100157.pdf
- (PDF) Security Threats Against LTE Networks: A Survey: 6th International Symposium, SSCC 2018, Bangalore, India, September 19–22, 2018, Revised Selected Papers
- securecomm_camera-ready.pdf
- 1510.07563.pdf
- Microsoft Word - BH-whitepaper-LTE and IMSI catcher myths.docx - eu-15-Borgaonkar-LTE-And-IMSI-Catcher-Myths-wp.pdf
- How to create an EVIL LTE Twin. Be very careful when playing with any… | by Adam Toscher | Medium
- LTE Phone Number Catcher: A Practical Attack against Mobile Privacy
- [REPO]@Telematika | W00t3k/Awesome-Cellular-Hacking
- How to install GNU Radio, FFTW, RTL SDR, GrOsmoSDR, and more using PyBombs with dependencies, by rpm/deb or build from source | sMyles
- us-20-Quintin-Detecting-Fake-4G-Base-Stations-In-Real-Time.pdf
- Detecting false base stations in mobile networks - Ericsson
- Easy_4GLTE_IMSI_Catchers_for_Non-Programmers.pdf
- Hacking Cellular Networks - Lin_Huan_-_UE_Security.pdf
- Blog – 4G and 5G reference software
- https://www.synacktiv.com/ressources/synacktiv_mobile_communications_attacks.pdf
VoLTE
- VoLTE in IMS | Real Time Communication
- IMS VoLTE Architecture - Voice Over LTE Tutorial
- VoLTE Roaming and Interconnection Standard Technology - vol15_2_037en.pdf
- VoLTE Call Flow and Procedures - Voice Over IP Tutorial
5G
- 5G Security Vulnerabilities detailed by Positive Technologies; ITU-T and 3GPP 5G Security specs - Technology Blog
- PFCP - Wikipedia
- A guide to 5G network security insight report - Ericsson
- 5G-Implementation-Guideline-v2.0-July-2019.pdf
- 5G Protocol Stack - User Plane/Control Plane | NETMANIAS
2G 4G VoLTE Hack
- alex14324/ss7
- SigPloiter/GTScan: The Nmap Scanner for Telco
- mgp25/OpenLTE: An open source 3GPP LTE implementation.
- open5gs/open5gs: Open5GS is a C-language Open Source implementation for 5G Core and EPC, i.e. the core network of LTE/NR network (Release-16)
- Wooniety/srsLTE-Sniffer: Stuff for srsLTE IMSI catcher
- srsran/srsRAN: Open source SDR 4G/5G software suite from Software Radio Systems (SRS)
- SigPloit – Telecom Signaling Exploitation Framework – SS7, GTP, Diameter & SIP – Julio Della Flora
- ss7MAPer – A SS7 pen testing toolkit – Insinuator.net
- P1 Labs » Presenting QCSuper: a tool for capturing your 2G/3G/4G air traffic on Qualcomm-based phones
- 5 best open source bladerf projects.
- ernw/ss7MAPer: SS7 MAP (pen-)testing toolkit. DISCONTINUED REPO, please use: https://github.com/0xc0decafe/ss7MAPer/
- SecuraBV/SIPWatcher
- proceedings-2016/05_LTE_Security_and_Protocol_Exploits.md at master · shmoocon/proceedings-2016 · GitHub
- Building a 4G LTE base station with GnuRadio + OpenLTE + SDR (part 1) - TYINY's blog - CSDN blog
Android
- How to Check if Your Android Phone is Rooted
- Kali NetHunter | Kali Linux Documentation
- GitHub - urbanadventurer/Android-PIN-Bruteforce: Unlock an Android phone (or device) by bruteforcing the lockscreen PIN. Turn your Kali Nethunter phone into a bruteforce PIN cracker for Android devices! (no root, no adb)
- GitHub - Ondrik8/HARD_device_attack
Training
- Telecom Security Hands-on Course | Training | Course | Training Center - TeleScope
- Mobile Device Hacking with SDR | Training Live Streams
- 3-DAY TRAINING 6 – Hacking Mobile Networks with Software Defined Radios « JD-HITBSecConf2018 – Beijing
- Trainings | P1 Security | Telecom Security Network World Leader
- 4G IMSI Catcher | IMSI Catcher | IMEI Catcher | TMSI Catcher | LTE catcher
- Electromagnetic Field GSM Network - Lime Microsystems
- CableLabs Launches 10G Challenge: Powering the Future of Broadband Innovation
- 5G Penetration Testing and Ethical Hacking Training - Tonex Training
- Using a Raspberry Pi to detect IMSI Catchers | Silicon
- Ensuring SS7 Network Security - Newsletter
Credits for:
OSMOCOM : https://osmocom.org/projects/cellular-infrastructure
SS7 is the system that controls how telephone calls are routed and billed, and it enables advanced calling features and Short Message Service (SMS). It may also be called Signalling System No. 7, Signaling System No. 7 or, in the United States, Common Channel Signaling System 7 (CCSS7).
SS7 was first adopted as an international standard in 1988, and the latest revision of the standard was in 1993. It is still the current standard for telephone calls and is in use for both landline and mobile phone service all the way up to and including 5G.
Service Switching Points (SSP) are the telephone “switches” that are interconnected to each other by SS7 links. The SSPs
perform call processing on calls that originate, tandem, or terminate at that site.
Signal Transfer Points (STP) are “routers” that relay messages between network switches and databases. Their main function
is to route SS7 messages to the correct outgoing signaling link, based on information contained in the SS7 message address
fields.
Service Control Points (SCP) contain centralized network databases for providing enhanced services. Examples of such services include toll-free numbers and prepaid subscriptions.
MTP (Message Transfer Part) Layers 1-3: lower level functionality at the Physical, Data Link and Network Level. They serve as
a signaling transfer point, and support multiple congestion priority, message discrimination, distribution and routing.
ISUP (Integrated Services Digital Network User Part): network-side protocol for the signaling functions required to support voice, data, text and video services in ISDN. ISUP supports the call control function for the control of analog or digital circuit-switched network connections carrying voice or data traffic.
SCCP (Signalling Connection Control Part): supports higher protocol layers such as TCAP with an array of data transfer services including connectionless and connection-oriented services. SCCP supports global title translation (routing based on directory number or application title rather than point codes), and ensures reliable data transfer independent of the underlying hardware.
TCAP (Transaction Capabilities Application Part): provides the signaling function for communication with network databases.
TCAP provides non-circuit transaction based information exchange between network entities.
MAP (Mobile Application Part): provides inter-system connectivity between wireless systems, and was specifically developed
as part of the GSM standard.
INAP (Intelligent Network Application Part): runs on top of TCAP and provides high-level services interacting with SSP, SCP
and SDP in an SS7 network.
All components of the IP telephony system use digitized voice which is transferred as IP packets through an IP network (usually
the LAN network).
The call control system is usually a software based (softswitch) server or even a hardware device like the Cisco Call Manager
Express, which handles all call signaling, call routing, IP phone management etc, again using IP protocol for transport. So think
about IP telephony as a bigger concept compared to VoIP.
IP Telephony is the overall concept of the modern form of voice communication which harnesses the power and features of
VoIP technology in order to offer the overall experience of communicating effectively and with lots of extra features.
Media Gateway (MGW) terminates voice calls on inter-switch trunks from the PSTN, compresses and packetizes the voice
data, and delivers voice packets to the IP network. For ISDN calls from the PSTN, Q.931 signaling information is transported
from the MGW to the media gateway controller for call processing.
Media Gateway Controller (MGC) handles the registration and management of resources at the media gateways. An MGC
exchanges ISUP messages with CO switches via a signaling gateway. Sometimes called a softswitch.
Signaling Gateway (SGW) provides transparent interworking of signaling between switched circuit and IP networks. The SGW
may terminate SS7 signaling
The SIGTRAN protocols specify the means by which SS7 messages can be reliably transported over IP networks.
The architecture identifies two components: a common transport protocol for the SS7 protocol layer being carried and an
adaptation module to emulate lower layers of the protocol. For example:
If the native protocol is MTP (Message Transfer Part) Level 3, the SIGTRAN protocols provide the equivalent functionality of MTP Level 2.
If the native protocol is ISUP or SCCP, the SIGTRAN protocols provide the same functionality as MTP Levels 2 and 3.
If the native protocol is TCAP, the SIGTRAN protocols provide the functionality of SCCP (connectionless classes) and MTP
Levels 2 and 3.
1.3 VOIP
The telephone handsets (VoIP phones) translate the analogue voice signal into digital voice (binary voice) which is transferred
as IP packets from one phone to another.
VoIP on the other hand is a subset of IP Telephony. Basically, VoIP is the technology which is used by IP Telephony as the
vehicle to transport phone calls.
VoIP is the technology in which the analogue voice signal is digitized (analog to digital conversion) and becomes binary
numbers in order to be transferred by the IP protocol.
VoIP is the basis for the implementation and functionality of an IP Telephony system. VoIP can also be used by legacy TDM
based PBX systems to transport voice calls over an IP WAN network or even over the Internet.
Special voice gateways are used to connect to the legacy PBX telephone system on one end and to the IP network on the
other end in order to translate the TDM voice stream into IP voice packets.
Real-time Transport Protocol (RTP) is a transport protocol, specifically over UDP, defined in RFC 3550. It is used in real-time multimedia applications and in end-to-end real-time data stream transfer. To achieve that, a video, for example, goes through a number of steps:
- Encoding
- Packetizing
- Transport Control
- Reassembly
- Decoding
Although RTP is specified to carry the media stream, another protocol, the RTP Control Protocol (RTCP), works together with it. RTCP runs side by side with RTP to monitor transmissions and assure Quality of Service (QoS); its aim is to check whether packets are lost during the process.
H.323 is a data-over-IP standard introduced by the International Telecommunication Union Standardization Sector (ITU-T). As you can see, this standardization body uses letters to define the scope based on many criteria, listed here:
- H: For audiovisual and multimedia systems
- G: For transmission systems and media
- Q: For switching and signaling
- T: For terminals for telematic services
H.323 is one of the oldest packet-based communication systems protocols. Thus, this protocol is stable. The current
version is v6. It is well used by many vendors in many products, such as Cisco call manager, NetMeeting, and RadVision.
The following diagram illustrates the different components of the H.323 stack
Media Gateway Control Protocol (MGCP) is a protocol developed by Cisco. The goal of MGCP is to handle signals and
session management. It is a communication mechanism between media gateway controllers and media gateways. Thus,
the control is centralized.
In other words, the controller communicates with many media gateways. The controller also supervises terminals and registers the new ones in its zone. H.248, like H.323, is also an ITU protocol; it is an enhanced version of MGCP. As you can see in the diagram, MGCP is a master-slave protocol:
Session Initiation Protocol (SIP) is a session management protocol defined in RFC 3261. It works over both UDP and TCP, and it also supports TLS. It is more scalable than H.323. SIP handles calls in the following five steps:
- User location
- User availability
- User capability
- Session set up
- Session management
To start a SIP operation, a registration is needed by the user:
The following diagram describes the steps required to establish a connection between two user agent clients:
SIP requests are similar to HTTP requests. They are in the following format:
METHOD URI SIP/X.X
HEADER: XXX
Here, the method is the request type, and we have the following six methods:
- REGISTER
- INVITE
- ACK
- CANCEL
- OPTIONS
- BYE
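To make the request format above concrete, here is an added example (written for this page, not code from the original document or from any project it cites) that parses a SIP request into its request line, headers and body and applies the sanity checks a SIP proxy or an IDS preprocessor would run: the method is one of the six core methods, the headers RFC 3261 requires in every request are present, CSeq agrees with the request line, and Content-Length agrees with the body. The INVITE message is constructed, with example.org/example.net addresses.

```python
"""Added example: parse a SIP request (METHOD URI SIP/X.X plus headers) and
sanity-check it the way a SIP proxy or an IDS preprocessor would."""
from dataclasses import dataclass, field

# The six core methods listed above (the RFC 3261 core set).
CORE_METHODS = {"REGISTER", "INVITE", "ACK", "CANCEL", "OPTIONS", "BYE"}
# Headers RFC 3261 section 8.1.1 requires in every request.
MANDATORY = ("via", "from", "to", "call-id", "cseq", "max-forwards")


@dataclass
class SipRequest:
    method: str
    uri: str
    version: str
    headers: dict = field(default_factory=dict)  # lower-cased name -> [values]
    body: str = ""


def parse_sip_request(raw: str) -> SipRequest:
    """Split a raw SIP request into request line, headers and body."""
    # As in HTTP, the head ends at the first empty line; the body follows.
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("SIP/"):
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, uri, version = parts
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header: {line!r}")
        # Header names are case-insensitive and a header may repeat (Via).
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return SipRequest(method, uri, version[len("SIP/"):], headers, body)


def check_request(req: SipRequest) -> list:
    """Return findings; an empty list means the request passed every check."""
    findings = []
    if req.method not in CORE_METHODS:
        findings.append(f"non-core method {req.method}")
    for name in MANDATORY:
        if name not in req.headers:
            findings.append(f"missing mandatory header {name}")
    # CSeq must carry the same method as the request line.
    cseq = req.headers.get("cseq", [""])[0].split()
    if len(cseq) != 2 or cseq[1] != req.method:
        findings.append("CSeq method does not match request line")
    # Content-Length, when present, must match the body actually received.
    declared = req.headers.get("content-length")
    if declared and int(declared[0]) != len(req.body.encode()):
        findings.append("Content-Length does not match body")
    return findings


# Constructed sample INVITE (not captured from a real network).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "From: Alice <sip:alice@example.org>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 4\r\n"
    "\r\n"
    "v=0\n"
)

if __name__ == "__main__":
    req = parse_sip_request(SAMPLE_INVITE)
    print(req.method, req.uri, req.version, check_request(req))
```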
GTP uses tunnels to allow two GPRS support nodes (GSNs) to communicate over a GTP-based interface and to separate traffic
into different communication flows.
GTP creates, modifies, and deletes tunnels for transporting IP payloads between the user equipment, the GPRS support nodes
(GSNs) in the GPRS backbone network and the internet.
GTP comprises three types of traffic—control plane (GTP-C), user plane (GTP-U), and charging (GTP’ derived from GTP-C)
traffic.
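As an added example (not code from the original page or from any GTP implementation), the following decodes the fixed GTPv1 and GTPv2 headers, classifies a datagram as GTP-C, GTP-U or GTP' by its well-known UDP port (2123, 2152, 3386), and then cross-checks header fields against that port, which is the first thing a GTP-aware firewall on a Gp/S8 border does. The two datagrams are constructed; the field layouts follow TS 29.060 (GTPv1) and TS 29.274 (GTPv2).

```python
"""Added example: decode GTPv1 / GTPv2 headers and classify traffic by port."""
import struct

# Well-known UDP ports: GTP-C (2123), GTP-U (2152) and GTP' charging (3386).
GTP_PORTS = {2123: "GTP-C", 2152: "GTP-U", 3386: "GTP'"}


def parse_gtp_header(data: bytes, udp_dst_port: int) -> dict:
    """Decode the fixed GTP header; raise ValueError on inconsistent framing."""
    if len(data) < 8:
        raise ValueError("too short for a GTP header")
    flags = data[0]
    version = flags >> 5                      # top three bits of the first octet
    hdr = {"version": version, "plane": GTP_PORTS.get(udp_dst_port, "unknown")}
    if version == 1:
        # GTPv1 (all GTP-U, and GTP-C on Gn/Gp): type, length, TEID.
        msg_type, length, teid = struct.unpack("!BHI", data[1:8])
        hdr["protocol_type"] = "GTP" if flags & 0x10 else "GTP'"   # PT bit
        has_opt = flags & 0x07                # E, S or PN set -> 4 more octets
        hdr_len = 12 if has_opt else 8
        # Length counts everything after the mandatory 8-octet header.
        if len(data) < hdr_len or length != len(data) - 8:
            raise ValueError("GTPv1 length field disagrees with datagram")
        hdr["seq"] = struct.unpack("!H", data[8:10])[0] if flags & 0x02 else None
        hdr["next_ext"] = data[11] if flags & 0x04 else 0
    elif version == 2:
        # GTPv2-C (S11/S5/S8 in LTE): P and T flags; TEID only when T is set.
        msg_type, length = struct.unpack("!BH", data[1:4])
        teid, offset = None, 4
        if flags & 0x08:
            teid, offset = struct.unpack("!I", data[4:8])[0], 8
        hdr_len = offset + 4                  # 3-octet sequence number + spare
        # Length counts everything after the first 4 octets.
        if len(data) < hdr_len or length != len(data) - 4:
            raise ValueError("GTPv2 length field disagrees with datagram")
        hdr["seq"] = int.from_bytes(data[offset:offset + 3], "big")
        hdr["piggyback"] = bool(flags & 0x10)
    else:
        raise ValueError(f"unsupported GTP version {version}")
    hdr.update(msg_type=msg_type, length=length, teid=teid, payload=data[hdr_len:])
    return hdr


def header_findings(hdr: dict) -> list:
    """Cross-check header fields against the port the datagram arrived on."""
    findings = []
    if hdr["plane"] == "unknown":
        findings.append("GTP on a non-standard port")
    if hdr["plane"] == "GTP-U" and hdr["version"] != 1:
        findings.append("GTP-U must be version 1")
    if hdr["plane"] == "GTP-U" and hdr["msg_type"] == 255 and hdr["teid"] == 0:
        findings.append("G-PDU with TEID 0")
    if hdr["version"] == 1 and (hdr["protocol_type"] == "GTP'") != (hdr["plane"] == "GTP'"):
        findings.append("PT bit disagrees with charging port")
    return findings


# Constructed datagrams (not captured from a real network).
# GTPv1-U G-PDU: flags 0x32 = version 1, PT=1, S=1; TEID 0x12345678, seq 1,
# then an 8-octet stand-in for the tunnelled IP packet.
SAMPLE_GTPU = bytes.fromhex("32ff000c12345678" "00010000" "4500001c00000000")
# GTPv2-C Create Session Request (type 32): flags 0x48 = version 2, T=1;
# TEID 0 (first message of a session), sequence number 0x000102.
SAMPLE_GTPC = bytes.fromhex("48200008" "00000000" "00010200")

if __name__ == "__main__":
    for dgram, port in ((SAMPLE_GTPU, 2152), (SAMPLE_GTPC, 2123)):
        h = parse_gtp_header(dgram, port)
        print(h["plane"], h["version"], h["msg_type"], hex(h["teid"]), header_findings(h))
```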
The Diameter protocol, standardized by the IETF Authentication, Authorization and Accounting (AAA) working group, is
the successor to the RADIUS protocol and was developed to overcome several limitations of RADIUS.
AAA protocols such as TACACS+ and RADIUS were initially deployed to provide dialup Point-to-Point Protocol (PPP) and
terminal server access.
Over time, with the growth of the Internet and the introduction of new access technologies, including wireless, DSL,
Mobile IP, and Ethernet, routers and network access servers (NAS) have increased in complexity and density, putting
new demands on AAA protocols.
Now starting with this new architecture in LTE EPS, those functions are handled by Diameter on interfaces called
“S6a/S6d/S13/S13.” In addition, LTE networks allow an optional architecture called SMS in MME. And, yes that also uses
Diameter on interfaces “S6c and SGd.” So now our Diameter application tree looks like this:
The S6a interface is between the MME and the HSS in the LTE network, and S6d is between the SGSN and the HSS.
1.7.7 Summary
As a recap, Diameter is an IETF-defined AAA protocol. It uses a Request/Answer format and carries parameters called Attribute Value Pairs (AVPs). Along with the base protocol, the IETF wrote several applications for Diameter. Additionally, it is used in 3GPP networks in the IMS, in LTE for mobility management, and for Policy and Charging Control (PCC). Though we won’t redraw our 3GPP application tree, 3GPP also uses Diameter for other interfaces. These include:
- Generic Authentication Architecture (GAA)
- 3GPP to Wireless LAN (WLAN) Interworking
- Location Services (LCS)
- EPS AAA Interfaces
However, the primary ones are used in IMS, LTE and PCC.
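To show the Request/Answer format and the AVP encoding in practice, here is an added example (not from the page and not from any Diameter stack) that builds an S6a Authentication-Information-Request, parses the header and AVPs back, and runs the checks an HSS front end would apply before answering: application id, R bit, mandatory AVPs, the IMSI shape of User-Name, and unknown AVPs carrying the M bit. Host names and the IMSI are placeholders.

```python
"""Added example: encode and decode a Diameter message (RFC 6733 header and
AVPs) and apply the checks an HSS front end would run on an S6a AIR."""
import struct

S6A_APP_ID = 16777251      # 3GPP S6a/S6d application id (TS 29.272)
CMD_AIR = 318              # Authentication-Information-Request/-Answer
FLAG_REQUEST = 0x80        # header R bit: request (1) vs answer (0)
AVP_VENDOR = 0x80          # AVP V bit: Vendor-Id field present
AVP_MANDATORY = 0x40       # AVP M bit: receiver must understand the AVP
AVP_NAMES = {1: "User-Name", 263: "Session-Id", 264: "Origin-Host",
             283: "Destination-Realm", 296: "Origin-Realm"}


def build_avp(code, data, flags=AVP_MANDATORY, vendor=None):
    """Encode one AVP: header, optional Vendor-Id, data, then pad to 4 octets."""
    body = (struct.pack("!I", vendor) if vendor is not None else b"") + data
    if vendor is not None:
        flags |= AVP_VENDOR
    length = 8 + len(body)               # AVP length excludes the padding
    return (struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
            + body + b"\0" * (-len(body) % 4))


def build_message(cmd, app_id, flags, avps, hbh=1, e2e=1):
    """Encode the 20-octet header followed by the already-encoded AVPs."""
    payload = b"".join(avps)
    return (bytes([1]) + (20 + len(payload)).to_bytes(3, "big") + bytes([flags])
            + cmd.to_bytes(3, "big") + struct.pack("!III", app_id, hbh, e2e) + payload)


def parse_message(data):
    """Decode header and AVPs; raise ValueError on any framing inconsistency."""
    if len(data) < 20 or data[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    length = int.from_bytes(data[1:4], "big")
    if length != len(data):
        raise ValueError("message length field disagrees with buffer")
    flags, cmd = data[4], int.from_bytes(data[5:8], "big")
    app_id, hbh, e2e = struct.unpack("!III", data[8:20])
    avps, pos = [], 20
    while pos < length:
        if length - pos < 8:
            raise ValueError("truncated AVP header")
        code = struct.unpack("!I", data[pos:pos + 4])[0]
        aflags, alen = data[pos + 4], int.from_bytes(data[pos + 5:pos + 8], "big")
        if alen < 8 or pos + alen > length:
            raise ValueError(f"bad AVP length {alen} at offset {pos}")
        off, vendor = pos + 8, None
        if aflags & AVP_VENDOR:
            vendor, off = struct.unpack("!I", data[off:off + 4])[0], off + 4
        avps.append({"code": code, "name": AVP_NAMES.get(code, str(code)),
                     "mandatory": bool(aflags & AVP_MANDATORY),
                     "vendor": vendor, "data": data[off:pos + alen]})
        pos += alen + (-alen % 4)        # next AVP starts on a 4-octet boundary
    return {"request": bool(flags & FLAG_REQUEST), "command": cmd,
            "app_id": app_id, "hbh": hbh, "e2e": e2e, "avps": avps}


def check_s6a_air(msg):
    """Findings an HSS front end would raise before answering an AIR."""
    findings = []
    if msg["app_id"] != S6A_APP_ID:
        findings.append("application id is not S6a")
    if not msg["request"]:
        findings.append("R bit not set")
    present = {a["name"] for a in msg["avps"]}
    for need in ("Session-Id", "Origin-Host", "Origin-Realm",
                 "Destination-Realm", "User-Name"):
        if need not in present:
            findings.append(f"missing {need}")
    for a in msg["avps"]:
        if a["name"] == "User-Name":
            imsi = a["data"].decode("ascii", "replace")
            if not (6 <= len(imsi) <= 15 and imsi.isdigit()):
                findings.append("User-Name is not an IMSI")
        elif a["mandatory"] and a["code"] not in AVP_NAMES:
            # RFC 6733: an unknown AVP with M set must be rejected (5001).
            findings.append(f"unknown AVP {a['code']} with M bit set")
    return findings


# Constructed AIR; host names and the IMSI are placeholders, not real values.
SAMPLE_AIR = build_message(CMD_AIR, S6A_APP_ID, FLAG_REQUEST, [
    build_avp(263, b"mme01.example.org;1;42"),
    build_avp(264, b"mme01.epc.example.org"),
    build_avp(296, b"epc.example.org"),
    build_avp(283, b"hss.example.org"),
    build_avp(1, b"001010123456789"),
])

if __name__ == "__main__":
    msg = parse_message(SAMPLE_AIR)
    print(msg["command"], [a["name"] for a in msg["avps"]], check_s6a_air(msg))
```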
To access an SS7 network, attackers can acquire an existing provider’s connection on the black (underground) market and obtain authorization to operate as a mobile carrier in countries with lax communications laws.
In addition, any hacker who happens to work as a technical specialist at a telecommunications operator would be able to connect their hacking equipment to the company’s SS7 network.
In order to perform certain attacks, legitimate functions of the existing communication network equipment must be used.
There is also an opportunity to penetrate a provider’s network through a cracked edge device (a GGSN or a femtocell).
Besides having different ways of accessing an SS7 network, attackers likely also have different motives for doing so including
performing fraudulent activities, obtaining a subscriber’s confidential data or disrupting service for certain subscribers or the
whole network.
- This attack is based on requesting the Mobile Switching Center (MSC) / Visitor Location Register (VLR) address and the IMSI.
- The request is part of the SMS delivery protocol, which allows the source network to receive information about the subscriber’s location for further routing of the message.
- Initial data: the target subscriber number.
- Result: the subscriber’s IMSI, the servicing MSC/VLR address and the Home Location Register (HLR) address where the subscriber’s account data is located.
The MSC/VLR address will determine the subscriber’s location down to the regional level. Moreover, the intruder can use the
obtained data in more complex attacks (as described below).
Description: When a subscriber registers on a switch, his/her profile is copied from the HLR database to the VLR database.
The profile contains information about active and inactive subscriber services, call forwarding parameters, the on-line billing
platform address, etc. An attacker can send a fake subscriber profile to the VLR.
Result: A fake profile will fool the MSC/VLR into providing services to the subscriber based on altered and fraudulent
parameters. For example, the subscriber will be able to make voice calls that bypass the billing system.
Description: This attack is based on the procedure of assigning a roaming number (MSRN) when receiving a voice call.
When a call is received, the current subscriber’s MSC/VLR is identified, after which a voice channel is established to this switch
using a temporary roaming number.
Normally, a roaming number lives for a split second. However, the default values of the timers responsible for holding a roaming number, as specified on the equipment, are 30—45 seconds.
If an attacker sends numerous roaming number requests to a switch that uses the default parameters, the pool of available numbers is used up quickly.
As a result, the switch will not be able to process incoming mobile calls.
Description: This attack is a good example of using a legitimate message with a USSD request sent from VLR to HLR. The initial
data is the target subscriber number, the HLR address and the USSD string.
The HLR address can be obtained as outlined in 4.1 and USSD requests are described on the service provider’s site.
- Now, when somebody wants to call or text the subscriber, the HLR gets asked for routing information (sendRoutingInfo...)
and hands out the address of the VLR/MSC
- Now, calls and SMS for that subscriber are routed to the attacker
- Example: Subscriber’s bank sends text with mTAN. Attacker intercepts message and transfers money to his own account
Description: This attack is an extension of the Subscriber Profile Manipulation in VLR attack described in section 1.7.
An attacker substitutes the billing platform address in the subscriber’s profile with their equipment address.
When the subscriber makes a call, the billing request along with the number of the destination subscriber are sent to the
attacker’s equipment.
The attacker can then redirect the call and create a three-way (destination subscriber, calling subscriber and an attacker)
conference call.
Description: This attack is for incoming calls and is an extension of the attack described in section 1.10.
When a call is terminated, the gateway MSC (GMSC) sends a request to the HLR to identify the MSC/VLR that currently serves
the subscriber. This data is necessary to route the call to the appropriate switch.
After successfully performing the attack in section 1.10, the HLR will redirect the received request to a fake MSC/VLR, which
in turn will send the Mobile Station Roaming Number (MSRN) to redirect the call. The HLR transfers this number to the GMSC,
which redirects the call to the provided MSRN.
- Subscriber wants to make a phone call, but dials number in German national format (0317654...)
- MSC asks gsmSCF in home network what to do with the call
- gsmSCF rewrites number to international format (+49317654...) and tells MSC to continue with the new number
- Attacker overwrites gsmSCF address in subscriber’s MSC/VLR with its own, “fake gsmSCF” address
- Subscriber wants to call +345678..., but the MSC now contacts the attacker instead of the subscriber’s gsmSCF
- Attacker rewrites number to +210987..., his recording proxy (e.g. an Asterisk PBX)
- MSC sets up call to +210987..., which bridges it to the original +345678...
- Both subscribers can talk to each other, while the attacker records the conversation
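As an added example written from the defender's side (not from the page and not from any product), the following screens MAP signalling log lines for the patterns described in the sections above: anyTimeInterrogation and other home-network-only operations arriving from an interconnect partner, and bursts of provideRoamingNumber requests that would exhaust the roaming-number pool within the 30-45 s timer window. It also covers sendRoutingInfoForSM bursts, which goes slightly beyond the page's own examples. The log format, the home GT prefix and the thresholds are assumptions.

```python
"""Added example: screen MAP signalling log lines for the attack patterns
described above (ATI from interconnect, roaming-number floods, SRI-SM bursts)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed home-network global-title prefix. A real filter holds the explicit
# list of the operator's own HLR/MSC/VLR/SMSC global titles instead.
HOME_GT_PREFIX = "+44700000"

# MAP operations that only ever flow inside the home PLMN; arriving from an
# interconnect partner they are always suspicious (GSMA FS.11 "category 1").
INTERNAL_ONLY = {"anyTimeInterrogation", "provideRoamingNumber", "sendIMSI"}

# Velocity thresholds as (max requests, window). The PRN window matches the
# 30-45 s roaming-number timer quoted on the page; the SRI-SM one is assumed.
VELOCITY = {
    "provideRoamingNumber": (5, timedelta(seconds=45)),
    "sendRoutingInfoForSM": (10, timedelta(seconds=60)),
}


def parse_line(line: str) -> dict:
    """Constructed log format: <iso timestamp> <opcode> <callingGT> <calledGT> <MSISDN>."""
    ts, opcode, calling, called, msisdn = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "opcode": opcode, "calling_gt": calling,
            "called_gt": called, "msisdn": msisdn}


def is_home(gt: str) -> bool:
    return gt.startswith(HOME_GT_PREFIX)


def screen(lines) -> list:
    """Return alerts as (timestamp, rule, calling GT, detail) tuples."""
    alerts = []
    recent = defaultdict(deque)   # (calling GT, opcode) -> timestamps in window
    fired = set()                 # keys already reported, to avoid repeats
    for ev in map(parse_line, lines):
        key = (ev["calling_gt"], ev["opcode"])
        # Rule 1: internal-only operations from outside the home network.
        if ev["opcode"] in INTERNAL_ONLY and not is_home(ev["calling_gt"]):
            alerts.append((ev["ts"], "category1", ev["calling_gt"], ev["opcode"]))
        # Rule 2: too many requests of one kind from one origin in the window.
        # This applies to home GTs too, since an insider keeps a home address.
        if ev["opcode"] in VELOCITY:
            limit, window = VELOCITY[ev["opcode"]]
            q = recent[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) > limit and key not in fired:
                fired.add(key)
                detail = f"{ev['opcode']}: {len(q)} requests in {window.seconds}s"
                alerts.append((ev["ts"], "velocity", ev["calling_gt"], detail))
    return alerts


# Constructed log lines; all GTs and MSISDNs are placeholders.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z provideRoamingNumber +447000001001 +447000002001 +447700900100",
    "2024-05-01T10:00:01Z sendRoutingInfoForSM +4915201234567 +447000001001 +447700900100",
    "2024-05-01T10:00:02Z anyTimeInterrogation +15551230000 +447000001001 +447700900100",
] + [
    f"2024-05-01T10:00:{3 + i:02d}Z provideRoamingNumber +447000009999 +447000002001 +44770090010{i}"
    for i in range(6)
]

if __name__ == "__main__":
    for ts, rule, gt, detail in screen(SAMPLE_LOG):
        print(ts.isoformat(), rule, gt, detail)
```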
Spam SMS:
- sending fraudulent SMS that encourage calling a premium-rate number, generally 0899,
- sending an SMS to a premium-rate number, generally 5 characters,
- or clicking on a link on a web page.
The messages received have a familiar and encouraging tone, such as:
- "Hi, it's me, you didn't call me. I'm waiting for your call back on 0899 (...)."
- "Hello, a package has been waiting for you for 10 days and will leave if you don't pick it up by tomorrow. Please call us on 0899 (...)."
Voice spam:
- calls that play a pre-recorded message in order to encourage the called party to call back a premium-rate number starting with 089.
The messages are familiar and encouraging but can sometimes be very anxiety-provoking, such as:
"Hello, this is the emergency department of XYZ Hospital. Your partner has just had a serious accident. Please call us on 0899 (…)."
Ping call:
Transmission of short calls (one or two rings maximum) without giving the recipient time to pick up, in the hope that the recipient calls back the number presented, without paying attention or out of curiosity.
While "ping calls" historically led to calling back premium-rate "089" numbers directly, this practice has evolved since Arcep banned the use of 089 numbers as a caller ID in 2012 (decision no. -0856).
Spoofing
There were nearly 26 billion scam calls in 2019, according to data collected by YouMail, and scammers are getting smarter.
Now they are using a technique called spoofing to make it easier to scam you.
Spoofing is when someone makes your phone number pop up on a caller ID when it really isn’t you that’s making the call.
For example, a scammer once spoofed my daughter’s phone number to make me think she was calling me. The goal was to
trick me into answering the phone. It worked, because what if it was an emergency and my daughter needed me? When a
scammer gets you to pick up, they have the chance to trick you into whatever scheme they’ve come up with, like tricking you
into giving them your credit card information.
It doesn’t take much to spoof a phone number. There are apps and websites that allow scammers to simply type in a phone
number and make a call. It’s super easy and quick, which makes it appealing to scammers.
The search result displays about 40 devices using this abbreviation in their banners.
The screenshot provides a list of some devices that use this abbreviation, including devices with Telnet open and
password authentication turned off.
- An attacker can intrude into the network of the operator in the Central African Republic by connecting
to this device and applying the required settings.
- Having access to the network of any operator, the attacker automatically gets access to the GRX network and to other
mobile operators. A single mistake by a single operator anywhere in the world creates this attack opportunity against many
other mobile networks.
- There are more ways of using the compromised boundary host, for example a DNS spoofing attack (the attacks are
described in more detail below).
Attack vector: An attacker conducts attacks from the GRX network or the operator’s network.
Description: The IMSI (International Mobile Subscriber Identity) is the subscriber number stored on the SIM card. It consists of 15 digits:
the first three identify the Mobile Country Code (MCC), and the next two digits are the Mobile Network Code (MNC).
- You can choose the required operator on the website www.mcc-mnc.com and enter the MCC and MNC,
- and then brute force the remaining 10 digits by sending a «Send Routing Information for GPRS Request» message via
GRX.
This message can be sent to any GSN device, which converts the request into SS7 format (the CS core network component)
and sends it to the HLR, where it is processed by the SS7 network.
If the subscriber with this IMSI uses the Internet, we get the IP address of the SGSN serving that subscriber.
Otherwise, the response will be «Mobile station Not Reachable for GPRS».
Attack vector: An attacker conducts attacks from the GRX network or the operator’s network.
Description: An attacker can use this vulnerability after the success of the previous attack, or after obtaining a subscriber's IMSI
via a malicious application on the subscriber's smartphone.
The attacker needs to know the SGSN IP address obtained in the previous attack.
After that, the attacker sends an Update PDP Context Request to the SGSN IP address requesting the subscriber's location;
the GSN Control Plane address is spoofed with the attacker's IP address.
The response contains the MSISDN (Mobile Subscriber Integrated Services Digital Number), the IMEI (International Mobile Equipment
Identity, which helps to identify the model of the subscriber's phone) and the subscriber's current radio base station (MCC,
MNC, LAC, CI).
Consequently, the attacker can find the subscriber's location to within several hundred meters using the following websites:
https://xinit.ru/bs/ or http://opencellid.org/.
Attack vector: An attacker conducts attacks from the GRX network or the operator’s network.
Description: The attack is based on sending «PDP context delete request» packets to the target GGSN for every TEID in the
list.
The PDP context information is deleted, which disconnects authorized subscribers.
At the same time, the GGSN unilaterally closes the tunnels and sends the responses to this event to the attacker.
The valid SGSN that the subscriber used to set up the connection has no information about the closed connections, so the tunnels
continue to occupy its hardware resources.
The subscriber's Internet stops working, but the connection is still displayed as active.
Result: All subscribers connected to this GGSN are disconnected. The number of subscribers served by one GGSN
is 100,000–10,000,000.
Attack vector: An attacker conducts attacks from the GRX network or the operator’s network.
Description: The attack is based on sending «Create PDP context request» packets with a list of IMSIs, which exhausts
the available pool of PDP tunnels.
For example, the maximum number of PDP contexts on a Cisco 7200 with 256 MB of memory is 80,000, and with 512 MB it is 135,000:
it is not difficult to brute force all possible combinations.
Moreover, more and more IP addresses from the DHCP pool are issued, and they may be exhausted too.
It does not matter which is exhausted first, the DHCP pool or the PDP pool:
either way, the GGSN will respond with «No resource available» to all valid connection requests.
Moreover, the GGSN cannot close the tunnels, because when it tries to close one it sends the attacker a «Delete PDP context
request» with the number of the tunnel to be closed.
If there is no response (and there is none, because the attacker does not want this to happen), the GGSN sends
such requests over and over again. The resources remain occupied.
If this attack succeeds, authorized subscribers will not be able to connect to the Internet, and
those who were connected will be disconnected as the GGSN hands these tunnels to the attacker's address.
This attack is the GTP-level analogue of the DHCP starvation attack.
Result: The subscribers of the attacked GGSN will not be able to connect to the Internet. The number of subscribers served
by one GGSN is 100,000–10,000,000.
Attack vector: An attacker conducts attacks from the GRX network or the operator’s network.
Description: The attack is based on sending «Create PDP context request» packets with the IMSI of a subscriber known
in advance.
It is even possible to establish a connection with the IMSI of a non-existent subscriber, because subscriber authorization is performed at the
stage of connecting to the SGSN, and the GGSN treats the connections it receives as already verified.
Result: An attacker can connect to the Internet with the credentials of a legitimate user.
2.2.7 Data interception (using spoofed GSN addresses to SGSN and GGSN)
Goal: To listen to the victim's traffic and conduct a phishing attack.
Attack vector: An attacker conducts attacks from the GRX network or the operator's network.
Description: An attacker can intercept data sent between the subscriber's device and the Internet by sending an «Update
PDP Context Request» message with spoofed GSN addresses to the SGSN and GGSN.
This attack is the GTP-level analogue of ARP spoofing.
Result: Listening to or spoofing the victim's traffic, and disclosure of sensitive data.
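A defender-side check for the GTP-C attacks described above (Delete and Update PDP Context requests from addresses that are not roaming partners, and Create PDP Context floods), written as an added example that is not from the original research: a minimal GTPv1-C header parser with a peer allowlist and a per-source rate threshold, run over constructed sample packets. The addresses, the allowlist and the threshold are assumptions.

```python
"""Minimal GTPv1-C header parser plus a GRX-border sanity check.

Added example, not from the original research. The header layout and the
message-type values follow 3GPP TS 29.060; the sample packets, the peer
allowlist and the flood threshold are constructed assumptions.
"""
import struct
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# GTPv1-C message types (TS 29.060) used by the attacks described above
MSG_TYPES = {
    1: "Echo Request",
    2: "Echo Response",
    16: "Create PDP Context Request",
    18: "Update PDP Context Request",
    20: "Delete PDP Context Request",
}
# Messages that should only ever come from a known roaming-partner GSN
PEER_ONLY = {16, 18, 20}


@dataclass
class GtpHeader:
    version: int
    msg_type: int
    length: int
    teid: int
    seq: Optional[int]


def parse_gtpv1_header(payload: bytes) -> GtpHeader:
    """Parse the mandatory 8-byte GTPv1 header and the optional sequence number."""
    if len(payload) < 8:
        raise ValueError("GTP header truncated")
    flags, msg_type, length, teid = struct.unpack("!BBHI", payload[:8])
    version = flags >> 5
    if version != 1:
        raise ValueError(f"not GTPv1 (version {version})")
    if not flags & 0x10:              # PT bit: 1 = GTP, 0 = GTP' (charging)
        raise ValueError("GTP' packet, not GTP-C")
    seq = None
    if flags & 0x07:                  # any of E, S, PN set: 4 optional bytes follow
        if len(payload) < 12:
            raise ValueError("optional header fields truncated")
        seq = struct.unpack("!H", payload[8:10])[0]
    return GtpHeader(version, msg_type, length, teid, seq)


def build_gtpv1(msg_type: int, teid: int, seq: int, body: bytes = b"") -> bytes:
    """Build a GTPv1-C packet with the S flag set (only used for sample traffic)."""
    flags = 0x32                      # version 1, PT = 1, S = 1
    opt = struct.pack("!HBB", seq, 0, 0)
    return struct.pack("!BBHI", flags, msg_type, len(opt) + len(body), teid) + opt + body


def check_gtpc_traffic(packets: List[Tuple[str, bytes]], allowed_peers: set,
                       create_threshold: int = 3) -> List[Tuple[str, str, str]]:
    """Inspect (src_ip, payload) pairs seen at the GRX border and return alerts.

    unknown-peer : a PEER_ONLY message from an address outside allowed_peers
                   (the spoofed Update/Delete PDP Context cases above)
    create-flood : more than create_threshold Create PDP Context Requests from
                   one source in this window (tunnel-pool exhaustion attempt)
    malformed    : a header that does not parse
    """
    alerts = []
    creates = Counter()
    for src, payload in packets:
        try:
            hdr = parse_gtpv1_header(payload)
        except ValueError as exc:
            alerts.append((src, "malformed", str(exc)))
            continue
        name = MSG_TYPES.get(hdr.msg_type, f"type {hdr.msg_type}")
        if hdr.msg_type in PEER_ONLY and src not in allowed_peers:
            alerts.append((src, "unknown-peer", name))
        if hdr.msg_type == 16:
            creates[src] += 1
    for src, n in creates.items():
        if n > create_threshold:
            alerts.append((src, "create-flood", f"{n} Create PDP Context Requests"))
    return alerts


# Constructed sample: one legitimate partner SGSN and one unknown GRX address
ALLOWED_PEERS = {"192.0.2.10"}
SAMPLE_PACKETS = [
    ("192.0.2.10", build_gtpv1(16, 0, 1)),          # Create from the known peer
    ("192.0.2.10", build_gtpv1(20, 0x1234, 2)),     # Delete from the known peer
    ("198.51.100.7", build_gtpv1(20, 0x1234, 3)),   # Delete from an unknown source
    ("198.51.100.7", build_gtpv1(18, 0x1234, 4)),   # Update from an unknown source
] + [("198.51.100.7", build_gtpv1(16, 0, 10 + i)) for i in range(5)]  # Create burst
SAMPLE_PACKETS.append(("198.51.100.7", b"\x32\x14"))  # truncated header

if __name__ == "__main__":
    for alert in check_gtpc_traffic(SAMPLE_PACKETS, ALLOWED_PEERS):
        print(alert)
```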
Attack vector: The attacker is the subscriber of a mobile phone network and acts through a mobile phone.
Description: This is a well-known attack vector, rooted in the dial-up days, which the arrival of cheap and fast
dedicated Internet access made less viable.
However, this attack can still be used in mobile networks, for example in roaming, when prices for mobile Internet are
unreasonably high and data transfer speed is not that important (for example, for checking email).
The point of this attack is that some operators do not charge for DNS traffic, usually in order to be able to redirect the subscriber to the
operator's webpage for topping up the balance.
An attacker can use this by sending specially crafted requests to the DNS server; to get access one needs
a specialized host on the Internet.
Result: Getting unpaid Internet access at the expense of the mobile operator.
Description: If an attacker gets access to the GGSN (which is quite possible, as we have seen), the DNS address can be replaced
with the attacker's address, and all the subscriber's traffic will be redirected through the attacker's host. Thus, listening to all
the subscriber's mobile traffic is possible.
Result: The ability to listen to or spoof traffic from all subscribers, and to gather confidential data for use
in phishing attacks.
Later, an attacker could search for vulnerabilities affecting that particular system and try to exploit them. Searching for phone
numbers can also be a smart move, to get an idea of the target based on its voicemail, because each vendor has a
default greeting. If the administrator has not changed it, listening to the voicemail tells you something about your target. If you
want to have a look at some of the default voicemails, check http://www.hackingvoip.com/voicemail.html. It is a great
resource for learning a great deal about hacking VoIP.
Google hacking is an amazing technique for searching for information and online portals. We discussed Google hacking
using Dorks. The following demonstration is the output of this Google Dork (in URL: Network Configuration Cisco):
You can find connected VoIP devices using the Shodan.io search engine:
VoIP devices are generally connected to the Internet and can therefore be reached by an outsider. They can be exposed via
their web interfaces; that is why leaving installation files exposed can be dangerous, because a search
engine can index the portal. The following screenshot is taken from an online Asterisk management portal:
And this screenshot is taken from the configuration page of an exposed website, found with a simple search engine query:
After collecting juicy information about the target, the next step from an attacker's perspective is scanning.
Banner grabbing is a well-known enumeration technique, and the first step in enumerating a VoIP infrastructure is
grabbing banners.
To do that, the Netcat utility will grab the banner easily, or you can simply use the Nmap script
named banner: nmap -sV --script=banner <target>
For a specific vendor, there are a lot of enumeration tools you can use; EnumIAX is one of them. It is a built-in
enumeration tool in Kali Linux to brute force Inter-Asterisk Exchange protocol usernames:
Automated Corporate Enumerator (ACE) is another built-in enumeration tool in Kali Linux:
svmap is an open source built-in tool in Kali Linux for identifying SIP devices. Type svmap -h and you will get all the
available options for this amazing tool:
To measure the quality of VoIP, there are scoring systems such as the Mean Opinion Score (MOS) or the R-value, based
on several parameters (jitter, latency and packet loss). MOS ranges from 1 to 5 (bad to very clear)
and the R-value ranges from 1 to 100 (bad to very clear). The following screenshot is taken from an analysis of an RTP
packet downloaded from the Wireshark website:
VoIP infrastructure can be attacked by the classic DoS attacks. We saw some of them previously:
- Smurf flooding attack
- TCP SYN flood attack
- UDP flooding attack
One of the DoS attack tools is iaxflood, available in Kali Linux. IAX stands for Inter-Asterisk
Exchange.
Open a Kali terminal and type iaxflood <Source IP> <Destination IP> <Number of packets>:
Beyond these floods, attackers can also attack the infrastructure with packet fragmentation and
malformed packets, using fuzzing tools.
Also, an attacker can harvest phone numbers and build a database of valid phone numbers after recording all the outgoing
and incoming calls. Eavesdropping does not stop there: attackers can record your calls and even know what you are typing
by decoding the Dual-Tone Multi-Frequency (DTMF) tones. You can use the DTMF decoder/encoder from this link:
http://www.polar-electric.com/DTMF/
Voice Over Misconfigured Internet Telephones (VOMIT) is a utility to convert Cisco IP Phone conversations into
WAV files. You can download it from its official website http://vomit.xtdnet.nl/:
Rogue SIP B2BUA: In this attack technique, the attacker mimics a SIP B2BUA:
During a SIP registration hijacking attack, the attacker first takes a normal user offline, for example by a Denial of Service, and then simply
sends a registration request with his own IP address instead of that user's. This works because SIP messages are transferred in clear text,
so SIP does not ensure the integrity of signalling messages:
If you are a Metasploit enthusiast, you can try many other SIP modules. Open a Metasploit console by typing msfconsole and
search for SIP modules using search SIP:
To use a specific SIP module, simply type use <module>. The following interface is an example of SIP module usage:
Softphones are also a highly probable target for attackers. Compromising your softphone can be very dangerous because
if an attacker exploits it, they can compromise your VoIP network. Malware is not the only threat against VoIP endpoints:
VoIP firmware is a potential attack vector too, and firmware hacking can lead to phones being compromised.
The following project contains many modules to test SIP and Skinny protocols:
To use them, copy the lib, modules, and data folders to a Metasploit folder in your system.
Thus, in this article, we demonstrated how to exploit the VoIP infrastructure. We explored the major VoIP attacks and how
to defend against them, in addition to the tools and utilities most commonly used by penetration testers.
If you’ve enjoyed reading this, do check out Advanced Infrastructure Penetration Testing to discover post-exploitation tips,
tools, and methodologies to help your organization build an intelligent security system.
Method 2: A passive attack can also take place during the handover process, knowing that handovers are network
triggered in LTE.
Method 3: Semi-passive attacks (for precise tracking of user location) can trigger signaling messages through
VoLTE calls or social media applications like WhatsApp or Facebook, and confirm a particular cell within the Tracking Area
(TA) by retrieving paging information.
Method 4: In active attacks, an attacker deploys a rogue eNodeB in the network and exploits the vulnerabilities
present in the RRC protocol stack for more fine-grained location tracking.
- The attacker's main interest is the Measurement Report (MR) and Radio Link Failure (RLF) report
messages, which provide the victim UE's signal strengths and, under some circumstances, even its GPS coordinates.
- The distance between the victim UE and the rogue eNodeB can then be calculated using trilateration, or read
directly from the GPS coordinates.
Why smart jamming in LTE? In the LTE standards, text message traffic does not share resources with the control
signaling channels, which makes a text-based flooding attack on the RAN impossible.
- Smart jamming can be performed by saturating one or more of the control channels, in both downlink and uplink, that are
necessary for the UE to access the spectrum.
- Instead of saturating the entire control channel, the attacker targets narrower control channels, which requires less power.
The Physical Control Format Indicator Channel (PCFICH) is a distinctly sparse channel, which makes it more
vulnerable to sophisticated jamming techniques.
The PCFICH essentially carries all the control information required to decode the Physical Downlink Control Channel (PDCCH)
for the UE. According to the LTE specifications, since the radio resource allocation of the broadcast and downlink synchronization
channels (PBCH, PDCH, PSS and SSS) is known beforehand, smart jamming is an easy improvement over basic RF jamming.
An attacker would block downlink reception of one or more of the aforementioned control channels simply by
tuning a commercially available off-the-shelf (OTS) radio jammer to the targeted center frequency of the LTE band
with a transmission bandwidth of at least 1.08 MHz.
A similar attack would be possible on the uplink control channels too, and given that the attacker is competing with
low-power UEs, the power required to accomplish the jamming will be relatively low.
However, in order to regain network services, the UE may search for a GSM or 3G network.
- By downgrading to non-LTE networks like 2G or 3G, an attacker can trigger a DoS which not only
opens the door to attacks like a full man-in-the-middle attack and active eavesdropping on phone calls or text messages, but also
causes a complete loss of LTE services.
- As long as the UE does not lose connectivity to non-LTE networks, the user might not even realize it is connected to a
GSM or 3G network.
2.4.5.3 Denying All Network Services
A similar threat can be accomplished by sending a "TAU Reject" message with EMM cause number 8: "LTE and non-LTE
services not allowed".
- In this scenario, the UE again considers itself invalid for any LTE services until a reboot or USIM re-insertion happens.
- The UE further enters the "EMM-DEREGISTERED" state, which makes it unknown to the MME, consequently causing a
persistent Denial of Service (DoS).
- The UE will never attempt to connect to GSM, 3G or LTE networks even though they are available.
1. The IMS client attempts to register by sending a REGISTER request to the P-CSCF.
2. The P-CSCF forwards the REGISTER request to the I-CSCF.
3. The I-CSCF polls the HSS for data used to decide which S-CSCF should manage the REGISTER request. The I-CSCF
then makes that decision.
4. The I-CSCF forwards the REGISTER request to the appropriate S-CSCF.
5. The S-CSCF typically sends the P-CSCF a 401 (UNAUTHORIZED) response as well as a challenge string in the form of a
“number used once” or “nonce”.
6. The P-CSCF forwards the 401 – UNAUTHORIZED response to the UE.
7. Both the UE and the network have stored some Shared Secret Data (SSD), the UE in its ISIM or USIM and the
network on the HSS. The UE uses an algorithm per RFC 3310 (e.g. AKAv2-MD5) to hash the SSD and the nonce.
8. The UE sends a REGISTER request to the P-CSCF. This time the request includes the result of the hashed nonce and
SSD.
9. The P-CSCF forwards the new REGISTER request to the I-CSCF.
10. The I-CSCF forwards the new REGISTER request to the S-CSCF.
11. The S-CSCF polls the HSS (via the I-CSCF) for the SSD, hashes it against the nonce and determines whether the UE
should be allowed to register. Assuming the hashed values match, the S-CSCF sends a 200 – OK response to the
P-CSCF. At this point an IPsec security association is established by the P-CSCF.
12. The P-CSCF forwards the 200 – OK response to the UE.
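The 12-step registration above as a runnable exchange, written as an added example that is not from the original research: the P-CSCF and I-CSCF hops are collapsed into UE <-> S-CSCF, the USIM's AKA RES computation is stood in for by HMAC-SHA256 over the SSD and nonce (an assumption), and the Digest response follows RFC 2617 as profiled for AKA by RFC 3310. The realm, the private identity and the SSD value are constructed.

```python
"""IMS REGISTER / 401 / REGISTER exchange with HTTP Digest, following steps 1-12.

Added example, not from the original research. Simplifications, all assumptions:
- the P-CSCF and I-CSCF hops are collapsed into a direct UE <-> S-CSCF exchange;
- the RES that the USIM computes from RAND/AUTN (Milenage f2) is stood in for by
  HMAC-SHA256(SSD, nonce), which keeps the 'hash the SSD and the nonce' idea of
  step 7; the Digest itself is RFC 2617 with RES as the password, as RFC 3310 does.
"""
import hashlib
import hmac
import os
import re

REALM = "ims.example.net"                    # constructed
IMPI = "310410000000001@ims.example.net"     # constructed private identity
REQUEST_URI = "sip:ims.example.net"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def aka_res(ssd: bytes, nonce: str) -> str:
    """Stand-in for the USIM's f2 function: RES derived from the SSD and the nonce."""
    return hmac.new(ssd, nonce.encode(), hashlib.sha256).hexdigest()[:16]


def digest_response(user: str, realm: str, password: str, nonce: str, uri: str) -> str:
    """RFC 2617 Digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"REGISTER:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class SCSCF:
    """Serving CSCF: issues the challenge (step 5) and verifies it (step 11)."""

    def __init__(self, hss: dict):
        self.hss = hss          # IMPI -> SSD, the network-side copy held on the HSS
        self.pending = {}       # IMPI -> nonce issued in the last 401

    def handle_register(self, msg: str) -> str:
        m_user = re.search(r'username="([^"]+)"', msg)
        if m_user is None or m_user.group(1) not in self.hss:
            return "SIP/2.0 403 Forbidden\r\n\r\n"
        impi = m_user.group(1)
        m_resp = re.search(r'response="([0-9a-f]{32})"', msg)
        if m_resp is None:
            nonce = os.urandom(16).hex()            # fresh "number used once"
            self.pending[impi] = nonce
            return (f'SIP/2.0 401 Unauthorized\r\nWWW-Authenticate: Digest realm="{REALM}", '
                    f'nonce="{nonce}", algorithm=AKAv1-MD5\r\n\r\n')
        nonce = self.pending.pop(impi, None)        # a response must match a live challenge
        if nonce is None:
            return "SIP/2.0 401 Unauthorized\r\n\r\n"
        expected = digest_response(impi, REALM, aka_res(self.hss[impi], nonce), nonce, REQUEST_URI)
        if hmac.compare_digest(expected, m_resp.group(1)):
            return "SIP/2.0 200 OK\r\n\r\n"
        return "SIP/2.0 403 Forbidden\r\n\r\n"


def ue_register(scscf: SCSCF, impi: str, usim_ssd: bytes) -> str:
    """UE side (steps 1, 7 and 8). Returns the final status line from the network."""
    first = (f'REGISTER {REQUEST_URI} SIP/2.0\r\n'
             f'Authorization: Digest username="{impi}", realm="{REALM}"\r\n\r\n')
    challenge = scscf.handle_register(first)
    m = re.search(r'nonce="([0-9a-f]+)"', challenge)
    if not m:
        return challenge.split("\r\n")[0]
    nonce = m.group(1)
    response = digest_response(impi, REALM, aka_res(usim_ssd, nonce), nonce, REQUEST_URI)
    second = (f'REGISTER {REQUEST_URI} SIP/2.0\r\nAuthorization: Digest username="{impi}", '
              f'realm="{REALM}", nonce="{nonce}", uri="{REQUEST_URI}", response="{response}"\r\n\r\n')
    return scscf.handle_register(second).split("\r\n")[0]


SSD = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed shared secret

if __name__ == "__main__":
    net = SCSCF({IMPI: SSD})
    print(ue_register(net, IMPI, SSD))          # matching SSD on USIM and HSS
    print(ue_register(net, IMPI, bytes(16)))    # USIM with the wrong SSD
```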
With the help of Osmocom we can build this system for our hack, and then apply all the hacking techniques we saw
in chapter 2.
So what is Osmocom? The Osmocom project is an umbrella project for Open Source Mobile Communications. This
includes software and tools implementing a variety of mobile communication standards, including GSM, DECT, TETRA
and others.
Under each umbrella project there are many sub-projects; in this resume we will focus on these:
- Cellular Network Infrastructure, where we will focus on OsmoBTS, OsmoBSC, OsmoMSC, OsmoTRX and OsmoHLR
- SDR (Software Defined Radio)
- OsmocomBB
For each project, for example OsmoMSC, there are 2 things on the "wiki" page that we need to take care of:
- Source code: we will need this for the installation of the fake OsmoMSC
- Manuals: we will use these to understand and configure OsmoMSC
As you can imagine, there is a lot to read in the manuals to set up Osmo… But nickvsnetworking.com
makes it easy for us to configure the specified equipment (OsmoMSC etc.) directly.
I just want to mention that in case you face any problem, or you want more hands-on control over OsmoMSC,
OsmoBTS etc., the manuals will be your best friend.
It is the SCTP equivalent of a TCP SYN scan. It is able to scan thousands of ports per second on a fast network not hampered
by restrictive firewalls.
Like SYN scan, INIT scan is relatively unobtrusive and stealthy, since it never completes SCTP associations. It also allows clear,
reliable differentiation between the open, closed, and filtered states.
Since you don’t open a full SCTP association, this technique is known as half-open scanning. You send an INIT chunk as if you
are going to open a real association and then wait for a response.
For SCTP host discovery, open your terminal and run: nmap -sn -PY <target> (SCTP INIT ping); the INIT port scan described above is run with nmap -sY <target>.
GTScan includes message handling: a Return Message on Error in the SCCP layer is used to determine from the response which node was
scanned. If a TCAP abort message is returned with the error p-abortCause: unrecognizedMessageType (0), then the
destination node is listening on the SSN that was scanned; otherwise the scanner continues scanning the other SSNs.
You can provide GTScan a range of global titles to be scanned, a comma-separated list or a single GT, along with
other parameters.
3.1.4.2 SigPloit-ss7
SiGploit is a signaling security testing framework dedicated to telecom security professionals and researchers, to pentest and
exploit vulnerabilities in the signaling protocols used by mobile operators regardless of the generation in use. SiGploit
aims to cover all protocols used in operator interconnects: SS7, GTP (3G), Diameter (4G) and even SIP for the IMS and
VoLTE infrastructures used in the access layer, plus SS7 message encapsulation in SIP-T. Recommendations for each
vulnerability are provided to guide the tester and the operator on the steps that should be taken to enhance their security
posture.
SiGploit is developed in several versions. Note: In order to test SS7 attacks, you need to have SS7 access, or you can test
in the virtual lab with the provided server sides of the attacks; the values used are provided.
Detecting a node with M3UA is an indication that this is a core node in a telecom infrastructure that provides signaling.
This scanner can help identify signaling nodes exposed on the Internet that could be compromised and used as a
gateway into the SS7 network.
One benefit is testing whether telecom nodes are hardened and only form SCTP associations with the nodes they are supposed
to connect to, i.e. whether some filtering is done on the nodes to prevent anyone from forming SCTP associations with them
and thus connecting to the network.
3.1.4.4 HLR-Lookups
This script automates the HLR lookup process using the API from hlr-lookups and extracts important data from it, like the
IMSI of the subscriber and the country he/she is roaming in (provided in the current MSC GT), along with the HLR GT;
this information can be useful to conduct further attacks using SigPloit.
It must be noted that public services like HLR-Lookups use one variant of SS7 message, most probably
SendRoutingInformationForSM (SRI-SM), which is used to locate the target before sending an SMS; some operators
implement an SMS firewall/proxy that scrambles the IMSI and/or HLR and returns a fake MSC.
To overcome this kind of protection it is always recommended to perform TCAP scanning on the range of GTs, as the
implementation of such scrambling is very weak and predictable. It is thus recommended to run the script twice for each
MSISDN to make sure that the returned information is the same and does not change per request.
3.1.4.5 GTping
Like ping(8), but uses GTP ping requests to ping GGSNs and anything else that will answer them.
Handbook: https://www.slideshare.net/naotomatsumoto/gtp-56187797
https://www.slideshare.net/kentaroebisawa/gtping-how-to
3.1.4.6 ss7MAPer
SS7 MAP (pen-)testing toolkit.
Hardware we need: any of the hardware below can be used for practical purposes.
- RTL-SDR
- HackRF
- USRP
- bladeRF
Software we need: the following software tools are required for practical purposes.
- GR-GSM: a Python module used for receiving information transmitted by GSM.
- Wireshark: capturing the wireless traffic.
- IMSI-Catcher: this program shows the IMSI number, country, brand and operator of cellphones.
- GQRX: software defined radio receiver.
- RTL-SDR tools: get information about the RTL-SDR dongle.
- Kalibrate: determine the signal strength.
Installation of Kalibrate
sudo apt-get update
git clone https://github.com/steve-m/kalibrate-rtl
cd kalibrate-rtl
./bootstrap && CXXFLAGS='-W -Wall -O3' ./configure
make
sudo make install
In France, mobile GSM networks work on the 900 MHz and 1800 MHz frequency bands (uplink and downlink).
The help output of the "grgsm_scanner" tool. Search for nearby GSM base stations using the "Kalibrate" or "grgsm_scanner" tools.
Three base stations were found. The signal mentioned above was relatively strong, at frequencies of 945.4 MHz and 945.6 MHz.
In this manner we obtained some parameters of the base station, such as center frequency, channel, ARFCN value,
LAC, MCC and MNC.
- With the above details, we want to sniff the base station frequency. For that, the program "grgsm_livemon" will be used.
- Run Wireshark before running the "grgsm_livemon" tool to capture the packets. Select any interface to capture all the data.
- Once sniffing of the frequency starts, a popup window appears, as shown in the screenshot below.
- The frequency control needs to be moved in order to tune to the frequency. Once data capture starts it will look like the screenshot
below.
- Now we need to capture the IMSI details with the help of an “IMSI Catcher” tool. To capture the IMSI and other details like TMSI,
Country, Brand, Operator, MCC, MNC, LAC, Cell-ID etc., run the “IMSI Catcher” tool.
- In Wireshark, the captured data of base station’s MNC, MCC, LAI and other information can be seen.
The instructions in this resume are for the installation and setup of the bladeRF 2.0 micro. The setup uses the 2.0 micro (A9)
model. The bladeRF x40, the predecessor of the bladeRF 2.0 micro, supported 300 MHz to 3.8 GHz, while the 2.0 micro
supports 47 MHz to 6 GHz.
Note: both the author and Nick, the maker of the guide, used Ubuntu 18.04 as the system.
3.3.1 Setup
Step 1: Update/upgrade your fresh installation of your Linux system.
$ apt update ; apt upgrade
Step 2: Add the bladeRF PPA and install the bladeRF tools and libbladeRF
$ add-apt-repository ppa:nuand/bladerf
$ apt update
$ apt install libbladerf-dev
Step 11: Connect to NIPC with your web browser and configure MCC, MNC, and Band for your BTS.
NOTE: To determine what values to use here, select a wireless network to act as a decoy (E.g. AT&T Wireless).
If your mobile phone is connected to the wireless network you want to imitate a BTS for, you can place your phone into
field test mode.
Here is the code you need to dial for an iPhone and Android:
1. Push the call button to make a phone call
2. Dial *3001#12345#*
3. Push the Call button
4. Push Serving Cell Info
freq_band_ind (Frequency Band Indicator):
4G:
- 700 MHz Lower B/C, Band 12/17 (LTE)
- 850 MHz Cellular, Band 5 (LTE)
- 1700/2100 MHz AWS, Band 4 (LTE)
- 1900 MHz PCS, Band 2 (LTE)
- 2300 MHz WCS, Band 30 (LTE)
5G:
- 850 MHz, 24 GHz, 39 GHz (Band n260)
In our case, freq_band_ind is 2. Because we are using AT&T Wireless, the frequency for Band 2 is LTE, 1900 MHz
PCS. The sel_plmn_mcc is 310 and the sel_plmn_mnc is 410.
This matches what mcc-mnc.com says for our carrier. Since freq_band_ind is currently 2, based on the above
bands for AT&T Wireless the phone is currently operating at 1900 MHz PCS over 4G/LTE.
Once you have the appropriate values to plug into YateBTS, you’ll want to enter them into the following screens before
starting Yate. Below is the configuration from our side of the world.
Step 12: Plug in the BladeRF to the USB cable and laptop and soft load the FPGA
$ bladeRF-cli -l /usr/src/Nuand/bladeRF/hostedxA9.rbf (or whatever FPGA file matches your board)
Once Yate has been started, you should be able to start Wireshark and point it at your local loopback interface in order
to see the GSM traffic flowing across your BTS.
https://nickvsnetworking.com/connecting-any-3rd-party-hss-to-open5gs-mme/
https://nickvsnetworking.com/compiling-yatebts-nipc-for-software-defined-gsm-gprs/
In short: by using OsmocomBB on a compatible phone, you will be able to make and receive phone calls, send and receive
SMS, etc. based on Free Software only.
Osmocom-BB is not an user oriented project (yet?). It's mainly targeted at developers / hackers / researchers that want to
learn more and play with GSM. As such, there are a few things we expect from you.
Unclear problem
- After purchasing a jack plug, make sure that it can be inserted all the way into the phone's headset socket. Otherwise, you may get
errors due to an unreliable connection to the phone, or no connection at all.
- Jack plugs sold in radio component shops are often not inserted into the socket all the way: they
are obstructed by the phone's own body.
- To make sure that the jack goes all the way in, you can take the phone out of its case and try inserting the jack.
You can check the reliability of the connection using PuTTY. You can find the COM port number in the
Device Manager.
- Connect the phone to the computer via the USB-TTL converter and the assembled cable, briefly press the power button,
and in the PuTTY window the @ftmtoolerror message should appear among other symbols.
Building OsmocomBB
The master branch is involved in launching the GSM network, but it will also be useful if you want to work with other
applications, such as RSSI or cell_log (see further in the text). If you want to be able to send anything to the network,
you need to uncomment this line in src/target/firmware/Makefile:
CFLAGS += -DCONFIG_TX_ENABLE
- Build
git clone git://git.osmocom.org/osmocom-bb.git osmocombb
cd osmocombb/src
make
# Compile:
make HOST_layer23_CONFARGS=--enable-transceiver
# Download: sourceforge.net/projects/libdbi/files/libdbi/libdbi-0.8.3
tar -xvzf libdbi-0.8.3.tar.gz
cd libdbi-0.8.3
./autogen.sh
./configure --disable-docs
make
make install
ldconfig
cd ..
# Download: sourceforge.net/projects/libdbi-drivers/files/libdbi-drivers/libdbi-drivers-0.8.3
tar -xvzf libdbi-drivers-0.8.3.tar.gz
cd libdbi-drivers-0.8.3
# There is a typo in the driver that causes errors when connecting to the HLR. We correct it before compilation.
vi drivers/sqlite3/dbd_sqlite3.c
# Change _dbi_internal_error_handler to _dbd_internal_error_handler.
# Build:
./autogen.sh
./configure --disable-docs --with-sqlite3 --with-sqlite3-dir=/usr/bin --with-dbi-incdir=/usr/local/include
make
make install
ldconfig
Installing ORTP
wget http://download.savannah.gnu.org/releases/linphone/ortp/sources/ortp-0.22.0.tar.gz
tar -xvf ortp-0.22.0.tar.gz
cd ortp-0.22.0/
./autogen.sh
./configure
make
make install
ldconfig
Installing OpenBSC
apt-get install libssl0.9.8 libssl-dev
ldconfig
git clone git://git.osmocom.org/openbsc.git
cd openbsc/openbsc/
autoreconf -i
./configure
make
make install
Installing OsmoBTS
git clone git://git.osmocom.org/osmo-bts.git
cd osmo-bts
autoreconf -i
./configure --enable-trx
make
make install
Configuration
# We are working with Osmocom from under root, so my configuration files are in /root/.osmocom
mkdir /root/.osmocom;cd /root/.osmocom
touch ~/.osmocom/osmo-bts.cfg
touch ~/.osmocom/open-bsc.cfg
ARFCN is the radio channel on which your base station will operate. A suitable ARFCN can be found using the RSSI
program from the OsmocomBB package, or using the cell_log tool.
Remember that the signal from your base station must not interfere with the signals of commercial GSM networks.
Depending on which channel you use, select the band.
In order to reliably contain the signal from your base station, you can build a Faraday cage.
Without adding the ARFCN and band to our configuration files, OsmoNITB will not start.
3.4.3 Launching
We connect both phones to the computer and check their availability.
ls -l /dev/ttyUSB*
You should see ttyUSB0 and ttyUSB1. Next, each command must be executed in a separate terminal.
Your osmocon arguments may differ: for example, the firmware directory may be compal_e86 or compal_e87 instead of
compal_e88, and the -m mode may be something other than c123xor.
Initialize the first transceiver
cd /root/osmocom/trx/src
host/osmocon/osmocon -m c123xor -p /dev/ttyUSB0 -s /tmp/osmocom_l2 -c target/firmware/board/compal_e88/trx.highram.bin -r 99
- Press the power button of the phone that was connected first. After the firmware load is complete, you will see TRX on the
phone screen.
- In place of ARFCN, you must specify the channel number on which a commercial base station operates with a good
signal. Again, it can be found using RSSI or cell_log.
Launch MSC, HLR and SMS Center
cd /root/.osmocom
osmo-nitb -c ~/.osmocom/open-bsc.cfg -l ~/.osmocom/hlr.sqlite3 -P -C --debug=DRLL:DCC:DMM:DRR:DRSL:DNM
3.4.4 Testing
Now you can connect to the network from any cell phone by selecting it in manual network selection mode. The network is
displayed as 00101 or TestNet. The network may not appear on the first try.
If something went wrong during the connection, turn airplane mode on, then off, and try connecting to the network again.
After connecting, you can find out your number using the USSD code *#100#.
You can connect to the OsmoNITB console in this way: telnet localhost 4242
Connect to the OsmoBTS console as follows: telnet localhost 4241
Configuration files:
osmo-bts.cfg:
!
! OsmoBTS (0.4.0.433-8913) configuration saved from vty
!!
!
log stderr
 logging filter all 1
 logging color 1
 logging print category 0
 logging timestamp 0
 logging level all everything
 logging level rsl info
 logging level oml info
 logging level rll notice
 logging level rr notice
 logging level meas notice
 logging level pag info
 logging level l1c info
 logging level l1p info
 logging level dsp debug
 logging level pcu notice
 logging level ho notice
 logging level trx notice
 logging level loop notice
 logging level abis notice
 logging level rtp notice
 logging level sum notice
 logging level lglobal notice
 logging level llapd notice
 logging level linp notice
 logging level lmux notice
 logging level lmi notice
 logging level lmib notice
 logging level lsms notice
 logging level lctrl notice
 logging level lgtp notice
 logging level lstats notice
 logging level lgsup notice
 logging level loap notice
 logging level lss7 notice
 logging level lsccp notice
 logging level lsua notice
 logging level lm3ua notice
log file OsmoBTS.log
 logging filter all 0
 logging color 1
 logging print category 0
 logging timestamp 1
 logging level all everything
 logging level rsl info
 logging level oml info
 logging level rll notice
 logging level rr notice
 logging level meas notice
 logging level pag info
 logging level l1c info
 logging level l1p info
 logging level dsp debug
 logging level pcu notice
 logging level ho notice
 logging level trx notice
 logging level loop notice
 logging level abis notice
 logging level rtp notice
 logging level sum notice
 logging level lglobal notice
 logging level llapd notice
 logging level linp notice
 logging level lmux notice
 logging level lmi notice
 logging level lmib notice
 logging level lsms notice
 logging level lctrl notice
 logging level lgtp notice
 logging level lstats notice
 logging level lgsup notice
 logging level loap notice
 logging level lss7 notice
 logging level lsccp notice
 logging level lsua notice
 logging level lm3ua notice
!
line vty
 no login
!
e1_input
 e1_line 0 driver ipa
 e1_line 0 port 0
 no e1_line 0 keepalive
phy 0
 osmotrx ip 127.0.0.1
 osmotrx fn-advance 30
 osmotrx rts-advance 5
 instance 0
bts 0
 band [SET GSM900 OR DCS1800]
 ipa unit-id 1801 0
 oml remote-ip 127.0.0.1
 rtp jitter-buffer 0
 paging queue-size 200
 paging lifetime 0
 uplink-power-target -75
 min-qual-rach 50
 min-qual-norm -5
 ms-power-loop -65
 timing-advance-loop
 setbsic
 trx 0
  power-ramp max-initial 0 mdBm
  power-ramp step-size 2000 mdB
  power-ramp step-interval 1
  ms-power-control dsp
  phy 0 instance 0

open-bsc.cfg:
 logging level meas notice
 logging level sccp notice
 logging level msc notice
 logging level mgcp notice
 logging level ho notice
 logging level db notice
 logging level ref notice
 logging level gprs debug
 logging level ns info
 logging level bssgp debug
 logging level llc debug
 logging level sndcp debug
 logging level nat notice
 logging level ctrl notice
 logging level smpp debug
 logging level filter debug
 logging level ranap debug
 logging level sua debug
 logging level lglobal notice
 logging level llapd notice
 logging level linp notice
 logging level lmux notice
 logging level lmi notice
 logging level lmib notice
 logging level lsms notice
 logging level lctrl notice
 logging level lgtp notice
 logging level lstats notice
 logging level lgsup notice
 logging level loap notice
 logging level lss7 notice
 logging level lsccp notice
 logging level lsua notice
 logging level lm3ua notice
log file OsmoBSC.log
 logging filter all 0
 logging color 1
 logging print category 0
 logging timestamp 1
 logging level all info
 logging level rll notice
 logging level cc notice
 logging level mm notice
 logging level rr notice
 logging level rsl notice
 logging level nm info
 logging level mncc notice
 logging level pag notice
 logging level meas notice
 logging level sccp notice
 logging level msc notice
 logging level mgcp notice
 logging level ho notice
 logging level db notice
 logging level ref notice
 logging level gprs debug
 logging level ns info
 logging level bssgp debug
 logging level llc debug
 logging level sndcp debug
 logging level nat notice
 logging level ctrl notice
 logging level smpp debug
 logging level filter debug
 logging level ranap debug
 logging level sua debug
 logging level lglobal notice
 logging level llapd notice
 logging level linp notice
 logging level lmux notice
 logging level lmi notice
 logging level lmib notice
 logging level lsms notice
 logging level lctrl notice
 logging level lgtp notice
 logging level lstats notice
 logging level lgsup notice
 logging level loap notice
 logging level lss7 notice
 logging level lsccp notice
 logging level lsua notice
 logging level lm3ua notice
!
stats interval 5
!
line vty
 no login
!
e1_input
 e1_line 0 driver ipa
 e1_line 0 port 0
 no e1_line 0 keepalive
network
 network country code 1
 mobile network code 1
 short name TestNet
 long name TestNet
 auth policy accept-all
 authorized-regexp .*
 location updating reject cause 13
 encryption a5 0
 neci 1
 paging any use tch 0
 rrlp mode none
 mm info 1
 handover 0
 handover window rxlev averaging 10
 handover window rxqual averaging 1
 handover window rxlev neighbor averaging 10
 handover power budget interval 6
 handover power budget hysteresis 3
 handover maximum distance 9999
 timer t3101 10
 timer t3103 0
 timer t3105 40
 timer t3107 0
 timer t3109 0
 timer t3111 0
 timer t3113 60
 timer t3115 0
 timer t3117 0
 timer t3119 0
 timer t3122 10
 timer t3141 0
 dyn_ts_allow_tch_f 0
 subscriber-keep-in-ram 0
 bts 0
  type sysmobts
  description calypso
  band DCS1800
  cell_identity 0
  location_area_code 1
  base_station_id_code 63
  ms max power 30
  cell reselection hysteresis 4
  rxlev access min 0
  periodic location update 30
  radio-link-timeout 32
  channel allocator ascending
  rach tx integer 9
  rach max transmission 7
  channel-descrption attach 1
  channel-descrption bs-pa-mfrms 5
  channel-descrption bs-ag-blks-res 1
  early-classmark-sending forbidden
  ip.access unit_id 1801 0
  oml ip.access stream_id 255 line 0
  neighbor-list mode automatic
  codec-support fr amr
  amr tch-h modes 0
  amr tch-h start-mode 1
  gprs mode none
  no force-combined-si
  trx 0
   rf_locked 0
   arfcn
3.5 OsmoBTS
Note: we’ll be using a Linux system and trying where possible to use packages from Repos instead of compiling from source.
This will get the Osmocom key added to your package manager and the Osmocom sources in apt ready for us to install.
wget https://download.opensuse.org/repositories/network:/osmocom:/latest/Debian_10/Release.key
apt-key add Release.key && rm Release.key
echo "deb https://download.opensuse.org/repositories/network:/osmocom:/latest/xUbuntu_18.04/ ./" > /etc/apt/sources.list.d/osmocom-latest.list
apt-get update
By default Osmocom software runs as a daemon in systemctl, we’ll disable and stop this behavior for now so we can
better understand it running in the foreground:
systemctl stop osmo-bts-virtual
systemctl disable osmo-bts-virtual
We’ll start by setting a Unit ID of the BTS and setting the IP of the BSC.
cd /etc/osmocom/
vi osmo-bts-virtual.cfg
- We’ll edit the oml remote-ip to point to the IP of the server that will run our BSC:
If you’re planning on running the BTS and BSC on the same machine you can leave it as localhost (127.0.0.1).
- Next up we’ll set the Unit-ID of the BTS, this identifies the BTS inside the BSC,
I’ll set it to unit-id 4242 by changing ipa unit-id 4242 0
- Finally we’ll change the logging config to show everything by changing it to:
log stderr
logging filter all 1
!
So that's it in terms of config for our virtual BTS through text files, so we'll save the file and try starting up
osmo-bts-virtual.
osmo-bts-virtual -c osmo-bts-virtual.cfg
root@gsm-bts:/etc/osmocom#
In the next chapter we'll pick up adding our virtual BTS to the virtual BSC, but first we need to create the virtual BSC,
which in our case is OsmoBSC.
3.6 OsmoBSC
So in our last post we finished setting up a Base Transceiver Station (BTS), but it's no use unless it can home itself to a
Base Station Controller (BSC).
By acting as a funnel of sorts, the BSC means the MSC only needs a connection to each BSC instead of to each BTS (which
would be an impractically large number of connections).
In order to serve the BTSs it controls, Osmo-BSC relies on connectivity to a Mobile Switching Center (MSC), which in turn
connects to a HLR (Home Location Register). The BSC and MSC communicate via SS7, and the routing is done by a Signal
Transfer Point (STP).
In order to bring our BSC up in a useful way, we’ll need to install and start these applications.
apt-get install osmo-stp osmo-msc osmo-hlr
systemctl start osmo-stp
systemctl start osmo-msc
systemctl start osmo-hlr
Instead of working with the text file we’ll start the service and work on it through Telnet, like we would for many common
network devices.
Osmo-BSC listens on port 4242, so we’ll start Osmo-BSC and connect to it via Telnet:
systemctl start osmo-bsc
telnet localhost 4242
We’ll start by enabling logging so we can get an idea of what’s going on:
OsmoBSC> enable
OsmoBSC# logging enable
OsmoBSC# logging filter all 1
OsmoBSC# logging color 1
Next up in a new terminal / SSH session, we’ll run the OsmoBTS again;
osmo-bts-virtual -c osmo-bts-virtual.cfg
This time we’ll get a different output from the BTS when we try to start it:
root@gsm-bts:/etc/osmocom# osmo-bts-virtual -c osmo-bts-virtual.cfg
((*))
|
/ \ OsmoBTS
<0010> telnet_interface.c:104 Available via telnet 127.0.0.1 4241
<0012> input/ipaccess.c:901 enabling ipaccess BTS mode, OML connecting to 127.0.0.1:3002
<0012> input/ipa.c:128 127.0.0.1:3002 connection done
<0012> input/ipaccess.c:724 received ID_GET for unit ID 4242/0/0
<0012> input/ipa.c:63 127.0.0.1:3002 lost connection with server
<000d> abis.c:142 Signalling link down
<000d> abis.c:156 OML link was closed early within 0 seconds. If this situation persists, please
check your BTS and BSC configuration files for errors. A common error is a mismatch between unit_id
configuration parameters of BTS and BSC.
root@gsm-bts:/etc/osmocom#
Well our virtual BTS is trying to connect to our BSC, and this time it’s able to, but our BSC doesn’t have any config in place
for that BTS, so the BSC has rejected the connection.
So now we’ve got to configure the BSC to recognize our BTS (Provisioning a new OsmoBTS in the OsmoBSC)
We can get the information about the rejected BTS connection attempt from the BSC terminal:
OsmoBSC# show rejected-bts
Date Site ID BTS ID IP
2020-03-29 01:32:37 4242 0 10.0.1.252
So we know the Site-ID is 4242 (we set it earlier) and the BTS ID for that site is 0, so let’s create a BTS in the BSC;
OsmoBSC> enable
OsmoBSC# configure terminal
OsmoBSC(config)# network
OsmoBSC(config-net)# bts 1
OsmoBSC(config-net-bts)# type sysmobts
OsmoBSC(config-net-bts)# description "Virtual BTS"
OsmoBSC(config-net-bts)# ipa unit-id 4242 0
OsmoBSC(config-net-bts)# band DCS1800
OsmoBSC(config-net-bts)# codec-support fr hr efr amr
OsmoBSC(config-net-bts)# cell_identity 4242
OsmoBSC(config-net-bts)# location_area_code 4242
OsmoBSC(config-net-bts)# base_station_id_code 4242
OsmoBSC(config-net-bts)# base_station_id_code 42
OsmoBSC(config-net-bts)# ms max power 40
OsmoBSC(config-net-bts)# trx 0
OsmoBSC(config-net-bts-trx)# max_power_red 20
OsmoBSC(config-net-bts-trx)# arfcn 875
OsmoBSC(config-net-bts-trx)# timeslot 0
OsmoBSC(config-net-bts-trx-ts)# phys_chan_config CCCH+SDCCH4
OsmoBSC(config-net-bts-trx-ts)# exit
OsmoBSC(config-net-bts-trx)# timeslot 1
OsmoBSC(config-net-bts-trx-ts)# phys_chan_config TCH/F
OsmoBSC(config-net-bts-trx-ts)# exit
OsmoBSC(config-net-bts-trx)# timeslot 2
OsmoBSC(config-net-bts-trx-ts)# phys_chan_config TCH/F
OsmoBSC(config-net-bts-trx-ts)# exit
OsmoBSC(config-net-bts-trx)# timeslot 3
OsmoBSC(config-net-bts-trx-ts)# phys_chan_config TCH/F
OsmoBSC(config-net-bts-trx-ts)# exit
OsmoBSC(config-net-bts-trx)# timeslot 4
OsmoBSC(config-net-bts-trx-ts)# phys_chan_config TCH/F
OsmoBSC(config-net-bts-trx-ts)# exit
OsmoBSC(config-net-bts-trx)# timeslot 5
OsmoBSC(config-net-bts-trx-ts)# phys_chan_config TCH/F
OsmoBSC(config-net-bts-trx-ts)# exit
OsmoBSC(config-net-bts-trx)# timeslot 6
OsmoBSC(config-net-bts-trx-ts)# phys_chan_config TCH/F
OsmoBSC(config-net-bts-trx-ts)# exit
OsmoBSC(config-net-bts-trx)# timeslot 7
OsmoBSC(config-net-bts-trx-ts)# phys_chan_config TCH/F
OsmoBSC(config-net-bts-trx-ts)# exit
OsmoBSC(config-net-bts-trx)# exit
OsmoBSC(config-net-bts)# exit
OsmoBSC(config-net)# exit
OsmoBSC(config)# exit
OsmoBSC# copy running-config startup-config
Well, as we're getting the majority of the smarts for the BTS from the BSC, we've got to tell the BSC all about how we
want the BTS set up.
The type, IPA Unit ID, band and Cell Identity make up some of the parameters we need to identify the BTS (IPA Unit ID)
and give it its basic identity parameters.
- Next up, in the trx 0 section we set the contents of the 8 GSM timeslots:
Our first timeslot we configure as CCCH+SDCCH4, meaning the first timeslot will contain the Common Control
Channel and 4 Standalone Dedicated Control Channels, used for signaling,
while the remaining 7 timeslots will be used as traffic channels for full-rate speech (TCH/F).
- It's important that the capabilities we tell the BSC the BTS has match the actual capabilities of the BTS.
For example, there's no point configuring GPRS or EDGE support on the BSC if the BTS doesn't support it.
- If you've got logging enabled when the BTS connects to the BSC, you'll see errors listing the feature mismatches
between the two.
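The OML log earlier in this chapter names a unit_id mismatch as the most common reason the BTS drops off, and the ARFCN/band note in the OsmocomBB configuration section and the BSC provisioning above add two more ways to get the identity wrong. The following checker is an added example written for this page (not Osmocom code): it pulls the identity lines out of a BTS config and the matching BSC entry and reports unit-id, band, BSIC and ARFCN-in-band problems; the GSM 05.05 band table is real, the config snippets are constructed to mirror the values used in the text.

```python
"""Consistency checks between an OsmoBTS config and its OsmoBSC entry.

Added example for this page, not Osmocom code. The BTS side only knows its IPA
unit-id, band and the BSC address; ARFCN, BSIC, LAC and cell identity live on
the BSC side, and OsmoBTS drops the OML link as soon as the two disagree.
"""
import re

# GSM 05.05 ARFCN ranges for Osmocom band names used on this page (a subset of
# what osmo-bsc accepts): (first, last, uplink_base_khz, arfcn_offset, duplex_khz)
GSM_BANDS = {
    "GSM900": [(0, 124, 890_000, 0, 45_000), (975, 1023, 890_000, 1024, 45_000)],
    "DCS1800": [(512, 885, 1_710_200, 512, 95_000)],
    "PCS1900": [(512, 810, 1_850_200, 512, 80_000)],
}


def gsm_freq(arfcn: int, band: str) -> tuple:
    """Return (uplink_khz, downlink_khz) for an ARFCN, or raise if it is not in the band.
    The band is mandatory: ARFCNs 512..810 exist in both DCS1800 and PCS1900."""
    for lo, hi, ul_base, offset, duplex in GSM_BANDS.get(band, []):
        if lo <= arfcn <= hi:
            uplink = ul_base + 200 * (arfcn - offset)   # 200 kHz channel raster
            return uplink, uplink + duplex
    raise ValueError(f"ARFCN {arfcn} is not in band {band}")


# VTY keywords we care about; both unit-id spellings are accepted (osmo-bsc and
# the older OpenBSC "ip.access unit_id" form seen in open-bsc.cfg above).
_PATTERNS = {
    "unit_id": r"^[ \t]*(?:ipa unit-id|ip\.access unit_id) (\d+) (\d+)",
    "band": r"^[ \t]*band (\S+)",
    "arfcn": r"^[ \t]*arfcn (\d+)",
    "bsic": r"^[ \t]*base_station_id_code (\d+)",
}


def parse_vty_cfg(text: str) -> dict:
    """Pull the identity-related settings out of a VTY-style config file."""
    found = {}
    for key, pattern in _PATTERNS.items():
        m = re.search(pattern, text, re.MULTILINE)
        if m is None:
            continue
        if key == "unit_id":
            found[key] = (int(m.group(1)), int(m.group(2)))  # (site id, bts id)
        elif key == "band":
            found[key] = m.group(1)
        else:
            found[key] = int(m.group(1))
    return found


def check_pair(bts_cfg: str, bsc_cfg: str) -> list:
    """Return the problems found; an empty list means the pair should link up."""
    bts, bsc = parse_vty_cfg(bts_cfg), parse_vty_cfg(bsc_cfg)
    problems = []
    if bts.get("unit_id") != bsc.get("unit_id"):
        problems.append(f"unit-id mismatch: BTS {bts.get('unit_id')} vs BSC {bsc.get('unit_id')}")
    if bts.get("band") != bsc.get("band"):
        problems.append(f"band mismatch: BTS {bts.get('band')} vs BSC {bsc.get('band')}")
    if "band" in bsc and "arfcn" in bsc:
        try:
            gsm_freq(bsc["arfcn"], bsc["band"])
        except ValueError as err:
            problems.append(str(err))
    else:
        problems.append("BSC config must set both band and arfcn")
    bsic = bsc.get("bsic")
    if bsic is not None and not 0 <= bsic <= 63:
        problems.append(f"base_station_id_code {bsic} out of range 0..63 (NCC*8 + BCC)")
    return problems


# Constructed snippets mirroring the values used in the text (unit-id 4242, ARFCN 875).
BTS_CFG = """\
bts 0
 band DCS1800
 ipa unit-id 4242 0
 oml remote-ip 127.0.0.1
"""

BSC_CFG_GOOD = """\
 bts 1
  ipa unit-id 4242 0
  band DCS1800
  cell_identity 4242
  location_area_code 4242
  base_station_id_code 42
  trx 0
   arfcn 875
"""

# The same entry with a unit-id the BTS does not use, the BSIC 4242 that the session
# above retyped as 42, and a band that neither matches the BTS nor contains ARFCN 875.
BSC_CFG_BAD = (BSC_CFG_GOOD.replace("unit-id 4242 0", "unit-id 1801 0")
               .replace("base_station_id_code 42", "base_station_id_code 4242")
               .replace("band DCS1800", "band GSM900"))
```

Running check_pair(BTS_CFG, BSC_CFG_BAD) lists all four problems at once, which is faster than reading them one at a time off the OML link log.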
If you've made it this far, congratulations. Our virtual BTS is now connected to our BSC. If it wasn't virtual we'd be on
the air!
In the next chapter we'll set up SDR hardware as a BTS, then provision it on the BSC, and then our cell will be on the
air!
- If you're using any of these pre-made BTS hardware options, or osmo-bts-virtual, you probably just need to set up the
basics on your BTS and point it to your BSC, end of story.
The chapter below will touch on using common SDR hardware to act as our BTS (e.g. LimeSDR).
3.7.1 OsmoTRX
In order to bring in a large array of SDR hardware, Osmocom have introduced OsmoTRX, which handles the Layer 1 physical
layer of the BTS, and connects to OsmoBTS which serves as the BTS and talks Abis over IP to the MSC.
Certain hardware can talk directly to OsmoBTS, but we’re going to rely on OsmoTRX to act as the middleman between
our SDR hardware and the BTS.
The above diagram from the Osmocom wiki shows how this fits together with generic SDR platforms, here’s how it fits
together for us:
- osmo-trx-lms will take care of the SDR side of the equation, pretty much serving as a modem and sending everything it
gets on the Uu interface to osmo-bts-trx over UDP, and everything it receives from osmo-bts-trx over UDP it sends out
the Uu interface.
- osmo-bts-trx will then setup an Abis over IP connection to our BSC.
Next we’ll connect up the LimeSDR to a USB port, confirm it’s there and upgrade its firmware:
LimeUtil --find
Assuming LimeSDR is hooked up and everything installed we should see an output similar to this:
Now that we've got the Osmocom Debian repos added we can install the packages we need: we're going to install
Osmo-BTS-TRX for talking to the BSC over Abis, and Osmo-TRX-LMS for talking to the SDR.
apt-get install osmo-bts-trx osmo-trx-lms
After we've installed the packages, Osmo-BTS-TRX will run as a daemon; we'll stop it for now and bring it up manually
in the foreground.
systemctl disable osmo-bts-trx
systemctl disable osmo-trx-bts
We’ll begin by running Osmo-TRX-LMS to connect to the LimeSDR and encapsulate the Uu data into UDP packets we
send to Osmo-BTS-TRX.
Config files for Osmocom are installed in /etc/osmocom/ so we’ll run everything from that directory.
osmo-trx-lms -C osmo-trx-lms.cfg
If all was successful we’ll see something similar to what we’ve got below, showing Osmo-TRX-LMS has connected to the
SDR and is ready to go.
But if we go scanning the airwaves now, we won’t see any data coming out of the SDR’s transmitter.
That’s because Osmo-TRX-LMS needs to connect to Osmo-BTS-TRX,
We’ll leave Osmo-TRX-LMS running, so let’s open up another session and start Osmo-BTS-TRX.
osmo-bts-trx -c osmo-bts-trx.cfg
You'll see this reflected in the Osmo-TRX-LMS stdout, but it'll show that the poweroff command has been sent to it, so
what gives?
Well, the answer becomes clear if you leave Osmo-BTS-TRX running for a minute or two.
So what's going on? In the same way we saw our virtual BTS shut itself down, without a connection to the BSC (via
the Abis interface) the BTS will shut itself down, as it's not able to run on its own.
In our next post we’ll introduce our BSC and provision a BTS on it.
We’ll edit the oml remote-ip to the IP of the server running your BSC, if you’re running on the same machine you can
leave it as localhost (127.0.0.1).
Next up we’ll set the Unit-ID of the BTS, this identifies the BTS inside the BSC, I’ll set it to unit-id 1234 by changing ipa
unit-id 1234 0
Finally we’ll change the logging config to show everything by changing it to:
log stderr
logging filter all 1
!
OsmoBSC(config-net-bts-trx)# timeslot 0
OsmoBSC(config-net-bts-trx-ts)# phys_chan_config CCCH+SDCCH4
OsmoBSC(config-net-bts-trx-ts)# exit
OsmoBSC(config-net-bts-trx)# timeslot 1
OsmoBSC(config-net-bts-trx-ts)# phys_chan_config TCH/F
OsmoBSC(config-net-bts-trx-ts)# exit
OsmoBSC(config-net-bts-trx)# timeslot 2
OsmoBSC(config-net-bts-trx-ts)# phys_chan_config TCH/F
OsmoBSC(config-net-bts-trx-ts)# exit
OsmoBSC(config-net-bts-trx)# timeslot 3
OsmoBSC(config-net-bts-trx-ts)# phys_chan_config TCH/F
OsmoBSC(config-net-bts-trx-ts)# exit
OsmoBSC(config-net-bts-trx)# timeslot 4
OsmoBSC(config-net-bts-trx-ts)# phys_chan_config TCH/F
OsmoBSC(config-net-bts-trx-ts)# exit
OsmoBSC(config-net-bts-trx)# timeslot 5
OsmoBSC(config-net-bts-trx-ts)# phys_chan_config TCH/F
OsmoBSC(config-net-bts-trx-ts)# exit
OsmoBSC(config-net-bts-trx)# timeslot 6
OsmoBSC(config-net-bts-trx-ts)# phys_chan_config TCH/F
OsmoBSC(config-net-bts-trx-ts)# exit
OsmoBSC(config-net-bts-trx)# timeslot 7
OsmoBSC(config-net-bts-trx-ts)# phys_chan_config TCH/F
OsmoBSC(config-net-bts-trx-ts)# exit
OsmoBSC(config-net-bts-trx)# exit
OsmoBSC(config-net-bts)# exit
OsmoBSC(config-net)# exit
OsmoBSC(config)# exit
OsmoBSC# copy running-config startup-config
Once logged into Osmo-BSC with logging enabled (check chapter 6.4.2 for info on how to do that),
We’ll start another terminal for running the TRX modem / Layer 1 interface:
osmo-trx-lms -C /etc/osmocom/osmo-trx-lms.cfg
All going well our terminal with Osmo-BSC should report the connection:
OsmoBSC#
<0016> input/ipa.c:287 0.0.0.0:3003 accept()ed new link from 10.0.1.252:39595
<0003> osmo_bsc_main.c:291 bootstrapping RSL for BTS/TRX (2/0) on ARFCN 875 using MCC-MNC 001-01
LAC=1234 CID=1234 BSIC=12
And the osmo-trx-lms and osmo-bts-trx windows should have data flying by at a rate of knots.
Let’s run a scan of the networks on our phone. I found putting mine on GSM only before scanning for networks meant it
popped up a heck of a lot faster.
Our cell is online and broadcasting its info. You won't be able to connect to it at this stage as we've still got a few more
steps to go.
In the next post we’ll introduce the Home Location Register and then the MSC.
3.8 OsmoHLR
We actually installed OsmoHLR in the post on Base Station Controllers (chapter 6.4), so we'll just need to start the daemon
/ service:
systemctl start osmo-hlr
We are going to enable the EIR functionality of the HSS by changing the configuration of the HLR; this is optional, but the
EIR functionality is useful.
Like with our other network elements, we'll use Telnet to interactively configure this one:
root@gsm-bts:/home/nick# telnet localhost 4258
Welcome to the OsmoHLR VTY interface
OsmoHLR> enable
OsmoHLR# configure terminal
OsmoHLR(config)# hlr
OsmoHLR(config-hlr)# store-imei
OsmoHLR(config-hlr)# exit
OsmoHLR(config)# exit
OsmoHLR# copy running-config startup-config
So we’ve created a subscriber with IMSI 001010000000004 in the HSS and assigned an MSISDN (phone number).
Optionally, if we’re using SIM cards we can program by setting the Ki / K key for authentication using the update
aud2g function, if not we can skip that step.
And with that we’ve added our first subscriber, lather rinse repeat with any additional subscribers / SIMs you want
to provision.
By default, subscribers created using this method have access to both Circuit Switched (voice and SMS) and Packet
Switched (data) networks. (We haven't configured Packet Switched services yet.)
So, if you'd like to restrict access to one, both or none of the above options, you can do that by using the subscriber
update command to set the services available to those subscribers.
OsmoHLR# subscriber id 3 update network-access-mode cs+ps
OsmoHLR# subscriber id 3 update network-access-mode cs
OsmoHLR# subscriber id 3 update network-access-mode ps
OsmoHLR# subscriber id 3 update network-access-mode none
This may be useful if you’re setting up a network where you don’t control the SIMs for example.
Let’s say we want to automatically create users with access to voice & data services and assign a 10 digit MSISDN for that
subscriber, we can do that with:
OsmoHLR> enable
OsmoHLR# configure terminal
OsmoHLR(config)# hlr
OsmoHLR(config-hlr)# subscriber-create-on-demand 10 cs+ps
Alternatively, you may wish to simply add the subscriber to the HLR but not provide any services:
OsmoHLR> enable
OsmoHLR# configure terminal
OsmoHLR(config)# hlr
OsmoHLR(config-hlr)# subscriber-create-on-demand no-msisdn none
3.9 OsmoMSC
The MSC handles switching of voice calls and SMS/text messages between local & remote subscribers and networks.
- The OsmoMSC also features a minimalistic SMSC (Short Message Service Center) for routing SMS traffic between
subscribers on the network.
- This basic SMSC acts in a store-and-forward fashion. Production networks would typically use an external SMSC for
handling SMS; OsmoMSC has the SMSC functionality built in by default, but the interfaces are there if you wanted to use
an external SMSC.
- Any calls/texts to subscribers/destinations outside the MSC (for example a call to a mobile subscriber on a different
carrier or on the PSTN) are typically routed to another MSC known as the Gateway MSC.
- The GMSC handles the interconnection with other networks. We’ll touch upon this later with the SIP connector, but for
now we’ll focus just on on-net calls between subscribers.
- It’s worth noting that the MSC does not sit in the media stream, it just sets up and tears down the calls, we’ll cover more
on the nitty-gritty of calling in GSM soon.
We'll go into how point codes route requests in a later post, but so long as you're running Osmo-BSC, Osmo-MGW,
Osmo-MSC and Osmo-HLR on the same machine you won't need to link them to each other like we had to do when adding
our BTS to the BSC.
The GSUP connection between the MSC and the HLR will be established at startup, but BSCs will only establish a
connection to the MSC when they need something from the MSC.
Once we’ve got everything started we can Telnet into the MSC to confirm it’s running and check it’s status:
root@gsm # telnet localhost 4254
From this point we can say that we are ready to carry out all the attacks described in chapter 2.1; you can imagine that an
insider with good network information (an IR21 would do) could make our virtual network (an active IMSI catcher) look like
part of a real network operator.
The same goes for LTE: to simulate the threat described in chapter 2.4 we also need a virtualized network, but this time we
will use OpenLTE, srsRAN (formerly srsLTE) and OpenAirInterface, connecting them to supported USRP devices (B210 or
B200).
1.8.1.1 Hardware
Two computers: one Intel NUC D54250WYK (i5-4250U CPU) and one Lenovo ThinkPad T460s (i7-6600U CPU @ 2.30GHz).
- Both run 64-bit Kubuntu 14.04 with kernel version 3.19.0-61-lowlatency and have USB3 ports, which are prerequisites for
running the OAI software.
- The Intel NUC computer was attached to standard peripherals (display screen, mouse, and keyboard).
Two USRP B200mini from Ettus Research: used to set up the eNodeBs; they can be programmed to operate over a wide
radio-frequency range (70MHz - 6GHz), communicating in full duplex.
One Samsung Galaxy S4 device: used to find the LTE channels and TACs used in the targeted area.
Two LG Nexus 5X phones: running Android 6 with different USIMs from the two biggest Norwegian operators and the
two biggest Romanian operators, used for testing the IMSI catcher.
1.8.1.2 Software
Service and Testing Modes: depending on the operating system and the user's privileges, the service or testing
modes of mobile devices expose important information about the LTE network.
We describe, for comparison, the information displayed by the two types of phones we used during the experiments:
- Samsung phones offer LTE connection details by default. To access Service Mode, dial *#0011#. The most important
pieces of information are the EARFCN DL (downlink EARFCN) and the TAC. Other interesting information includes the
MCC, MNC and Cell ID.
- Android phones (including Samsung phones) access Testing Mode by dialing *#*#4636#*#*. This is a feature available
on all Android phones; it does not necessarily display EARFCN DL by default (this depends on the Android version),
but it displays information about several LTE cells that coexist in the area, to which the phone might fall back in case
the current cell becomes unavailable.
The UE is registered to the first displayed cell (mRegistered=YES), while the others are shown as accessible. However,
recent versions of Android, or applications such as LTE G-Net Track Lite or NetCell Tracker (in root mode), can provide
EARFCN DL and other information in a user-friendly format.
OAI (Open Air Interface): Basically, the LTE network is emulated on a computer, and the USRP is used as the radio
platform for the eNodeB implementation.
It is recommended to run EPC and EUTRAN on different machines, but OAI accepts both on a single computer too.
In this research, they used two machines, one for each of the two rogue eNodeBs that must run concurrently.
To install OAI follow the instructions at this link: https://open-cells.com/index.php/2019/09/22/all-in-one-openairinterface/
One rogue eNodeB (called eNodeB Jammer from now on) causes the UE to detach from the serving cell that it is camped
on, and to reselect to our rogue cell set up by the second eNodeB (called eNodeB Collector), which masquerades as an
authorized eNodeB but with higher signal power.
- The eNodeB Jammer is turned on, using the radio channel of the cell that the UE camps on. This jams the radio interface
and drops the signal of the commercial eNodeB below the specified threshold, causing the UE to trigger a new search
for available eNodeBs. The UE tries to camp on the cell that runs on the next priority frequency and provides the best
signal, namely the rogue eNodeB.
One eNodeB Collector broadcasts the MCC and the MNC of the target network operator to impersonate the real
network.
- The eNodeB Collector signals a TAC value different from the commercial one, which brings the UE to initiate a TAU
REQUEST message.
For simplicity, they configured it to the next available TAC (TAC of the commercial network + 1). They found that the TAC
must not be changed for multiple runs of the experiment (assuming the commercial TAC is unchanged), therefore they
kept this value constant.
- Besides the MCC-MNC of the target network, the eNodeB Collector must run on the LTE EARFCN (the absolute physical
radio channel) which has the highest priority after the jammed channel.
This ensures that the UE prefers the eNodeB Collector over any other commercial eNodeB in the area.
Phase 2. Configure and run the LTE IMSI Catcher:
1 Configure and run the eNodeB Collector, using the MCC and MNC of the target network, a different TAC than the
one in Phase 1 and the EARFCN DL set to the value in Phase 1.3
2 Configure and run the eNodeB Jammer, using the MCC and MNC of the target network and the EARFCN DL set to
the value in Phase 1.1.
The channel displayed in Phase 1.1 is associated with the highest priority (unless the signal power is below the reselection
threshold).
The UE connects to it even if the signal power is not so strong. This can be easily seen by comparing the information displayed
by the mobile device before and after the eNodeB Jammer is turned on.
The channel in Phase 1.3 has either the same priority but lower signal power, or lower priority regardless of the signal power.
Once the eNodeB Jammer is active, this triggers an ATTACH REQUEST message from the UE to the eNodeB Collector. Then
the UE will reveal its IMSI as a response to an IDENTITY REQUEST query from our Collector cell.
1.9 OpenLTE
OpenLTE is an open source implementation of the 3GPP LTE specifications. To keep it easy and simple, as it should be, this is
the link to the project: https://github.com/mgp25/OpenLTE and all we need to do is follow the steps.
While I was reading the instructions, something really caught my attention, which is this part below:
So I think you got the message! This is what the bad guys do, but not us today (we don't like jail).
So to be honest with you, I don't have the budget to create a real attack scenario; as you can see the hardware is not low
cost, and an implementation like this will exceed $1000 (PC, phone, B210).
BladeRF Drivers:
BladeRF firmware:
GNU Radio:
The above steps require a lot of dependency packages. Those who want to save effort can use the Ubuntu LiveCD released
by GNU Radio, which already contains the dependency environment required by SDR tools such as gnuradio, HackRF,
BladeRF, USRP, gqrx, rtl-sdr, etc. Using this method avoids most of the pitfalls encountered when setting up the
environment.
OpenLTE compilation
After the OpenLTE compilation is completed, the executable files are generated in the build directory:
Open a new terminal and enter the OpenLTE interactive interface through Telnet:
LTE_fdd_dl_scan scans the EARFCN values in the dl_earfcn_list list: from 25 to 575.
ARFCN: the Absolute Radio Frequency Channel Number (ARFCN) is a numbering scheme used to identify specific radio
frequency channels in the GSM wireless system; the EARFCN is its LTE (E-UTRA) counterpart.
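As an added example (not code from the page or from the OpenLTE project), the following Python maps the EARFCN values that LTE_fdd_dl_scan iterates over to their LTE band and downlink centre frequency, using the formula from 3GPP TS 36.101. The band table is a small subset I have filled in for common FDD bands, so any EARFCN outside it is rejected rather than guessed; the range 25 to 575 named above falls entirely in band 1.

```python
# Added example, not part of the page or of OpenLTE: EARFCN -> band and DL frequency.
# 3GPP TS 36.101 defines, per band:  F_DL [MHz] = F_DL_low + 0.1 * (N_DL - N_Offs_DL)
# Frequencies are kept as kHz integers so the arithmetic is exact until the final
# conversion to MHz.
from __future__ import annotations

# band -> (F_DL_low in kHz, N_Offs_DL, first DL EARFCN, last DL EARFCN)
# Subset of the 3GPP table, limited to a few widely deployed FDD bands.
FDD_BANDS = {
    1:  (2_110_000, 0,    0,    599),
    2:  (1_930_000, 600,  600,  1199),
    3:  (1_805_000, 1200, 1200, 1949),
    4:  (2_110_000, 1950, 1950, 2399),
    5:  (869_000,   2400, 2400, 2649),
    7:  (2_620_000, 2750, 2750, 3449),
    8:  (925_000,   3450, 3450, 3799),
    20: (791_000,   6150, 6150, 6449),
}


def earfcn_to_band(earfcn: int) -> int:
    """Return the FDD band an EARFCN belongs to; raise if it is outside the table."""
    for band, (_, _, first, last) in FDD_BANDS.items():
        if first <= earfcn <= last:
            return band
    raise ValueError(f"EARFCN {earfcn} is not in the band table")


def earfcn_to_dl_mhz(earfcn: int) -> float:
    """Downlink centre frequency in MHz for a downlink EARFCN."""
    band = earfcn_to_band(earfcn)
    f_low_khz, n_offs, _, _ = FDD_BANDS[band]
    return (f_low_khz + 100 * (earfcn - n_offs)) / 1000


def scan_list(first: int, last: int, step: int = 1) -> list[tuple[int, int, float]]:
    """Expand a dl_earfcn_list-style range into (earfcn, band, DL MHz) rows."""
    return [(n, earfcn_to_band(n), earfcn_to_dl_mhz(n))
            for n in range(first, last + 1, step)]


if __name__ == "__main__":
    # The range mentioned on the page, EARFCN 25 to 575, lies entirely in band 1.
    for n, band, mhz in scan_list(25, 575, 50):
        print(f"EARFCN {n:5d}  band {band:2d}  DL {mhz:8.1f} MHz")
```

Scanning a full list one channel at a time is slow on an SDR, which is why the OpenLTE scanner takes an explicit list: the helper above lets you build that list from a band rather than typing channel numbers by hand.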
In the 7 years since then, srsLTE has grown to almost a million lines of code with full-stack UE, eNodeB and EPC applications
providing a complete end-to-end 4G network.
In late 2018, 3GPP delivered the final Release 15 specifications for 5G NR. Building upon the technical foundation of 4G LTE,
5G NR introduces more flexibility, higher bandwidths and support for new millimeter wave frequency bands.
Since early 2020, the SRS team has been developing support for this new standard and with the 21.04 release, they have
added support for their first complete 5G application, the NSA-mode UE. This will be followed by the gNodeB application.
With the focus of the project moving beyond 4G LTE and into 5G NR, the “srsLTE” naming no longer fits like it used to. So,
coinciding with the 21.04 release, the srsLTE project has become the srsRAN project.
Now I wish you a good deep reading, because there is no sense in repeating the official documentation here: for application
features, build instructions and user guides see the srsRAN documentation.
Also, you can check again the work of NickvsNetworking with srsLTE:
https://nickvsnetworking.com/srs-lte-software-defined-lte-stack-with-bladerf-x40/
https://nickvsnetworking.com/srslte-install-for-bladerf-limesdr-on-debian-ubuntu/
- https://www.blackhat.com/docs/eu-15/materials/eu-15-Borgaonkar-LTE-And-IMSI-Catcher-Myths-wp.pdf
- https://arxiv.org/pdf/1510.07563.pdf (NDSS ’16, 21-24 February 2016, San Diego, CA, USA; Copyright 2016 Internet
Society, ISBN 1-891562-41-X; http://dx.doi.org/10.14722/ndss.2016.23236)
According to these two papers, to build an LTE network they used a USRP B210 device, which acts as a base station. On the
software side, they modified the OpenLTE and srsLTE packages in order to be able to communicate with commercial LTE devices.
According to their research, they take advantage of and exploit weaknesses in the cellular network security design: the device
attach, authentication and paging procedures.
Implementation for the passive and semi-passive attack setup: in order to sniff LTE broadcast channels, they utilized
parts of srsLTE.
- In particular, they used the pdsch-ue application to scan a specified frequency and detect surrounding eNodeBs. It
can listen to and decode SIB messages broadcast by the eNodeB.
- Further, they modified pdsch-ue to decode paging messages, which are identified over the air with a Paging Radio
Network Temporary Identifier (P-RNTI). Upon its detection, GUTI(s) and/or IMSI(s) can be extracted from the paging
messages.
In semi-passive attack mode, they used the Facebook and WhatsApp applications over the Internet, in addition to initiating
communication with targets via silent text messages or phone calls.
Implementation for the active attack (Rogue eNodeB): make sure to visit chapter 2.4.4 to understand how LTE eNodeB
selection works.
The rogue eNodeB broadcasts MCC and MNC numbers identical to those of the network operator of the targeted subscribers to
impersonate the real network operator. Generally, when the UE detects a new TA it initiates a “TAU Request” to the eNodeB.
In order to trigger such request messages, the rogue eNodeB operates on a TAC that is different from the real eNodeB.
Their active attack is launched using the USRP B210 and a host laptop, which together run OpenLTE.
Further, they programmed LTE_Fdd_enodeb to include LTE RRC and NAS protocol messages to demonstrate active
attacks.
In addition, they modified the telephony protocol dissector available in Wireshark to decode all messages exchanged
between the rogue eNodeB and the UE. These modifications were submitted to the Wireshark project and are being merged
into the mainstream application.
Two things were not clear to me, and my question was: how did they do the following?
- Modifying the telephony protocol dissector available in Wireshark
- Programming LTE_Fdd_enodeb to include LTE RRC and NAS protocol messages
And surely it was on purpose that they didn’t describe this in their research, because this is the key to the whole Rogue eNodeB.
But today in our work we don’t want to answer these two questions; also, it doesn’t seem to me something hard, as I have already
done some work in decoding radio messages:
https://www.scribd.com/document/360213237/Decoding-radio-messages-of-the-layer3-protocols-In-GSM-UMTS-and-LTE-Networks
My research will help to understand even what NAS is and its relation with the protocol, how the RRC protocol is programmed, etc…
For the hardware and software setup and the eNodeB configuration, all of this you can find detailed at this link:
https://docs.srsran.com/en/latest/app_notes/source/pi4/source/index.html
5 Virtual 5G network
First, today 5G is built on its LTE predecessor: there is no standalone 5G system, and all we have from 5G is the new
radio part, NR.
So the question is: do LTE attacks work on 5G NSA? Yes, but they take different forms.
Do we have some virtualized 5G networks? Yes, and these are the links:
https://github.com/open5gs/open5gs
https://nickvsnetworking.com/my-first-5g-core-open5gs-and-ueransim/
https://nickvsnetworking.com/open5gs-nrf-setup/
https://nickvsnetworking.com/connecting-any-3rd-party-hss-to-open5gs-mme/
Do IMSI catcher attacks on 5G SA work? Can we still exploit weaknesses in the cellular network security design: the device
attach, authentication and paging procedures?
- First, in 5G we speak of SUPI + SUCI instead of IMSI (the SUCI conceals the SUPI with the public key of the home network),
and the SUCI is vulnerable to decoding. If the SUPI is not based on an IMSI, the SUCI may not be random (the length differs)*
- For paging in 5G we speak of the 5G-S-TMSI or I-RNTI, with a mandatory refresh applied after paging, but sometimes there is
a lack of randomness and refreshing (when the user is not moving), and it is possible to link the 5G-GUTI to a subscriber
- Downgrade to 3G/2G or lower generations with unprotected messages (Registration Reject: LTE not allowed).
Automatic timer-based recovery? Not implemented in many phones
- Tracking with 5G-AKA vulnerabilities
- 5G NR towers carry data traffic
- Optional integrity protection for data traffic
- Not enabled in 4G NSA networks: vulnerable to aLTEr attacks
https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-5G-IMSI-Catchers-Mirage.pdf
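As an added example that is not part of the page or of the cited slides, the following Python audits a constructed 5G NAS event trace for two of the points above: a Registration Request that uses the null SUCI protection scheme (scheme id 0 in 3GPP TS 33.501, so the MSIN travels in clear), and a 5G-GUTI that is paged again without the reallocation TS 33.501 requires after a Service Request answering a paging. The event tuple format, the UE labels and all identifier values are invented for this example; a real audit would be fed from N1/N2 captures.

```python
# Added example, not from the page: audit a constructed 5G NAS trace for exposed
# SUPIs and for 5G-GUTIs that were not refreshed after paging.
from __future__ import annotations
from collections import defaultdict

# Protection scheme identifiers from 3GPP TS 33.501 Annex C.
NULL_SCHEME = 0       # MSIN carried in clear text inside the SUCI
ECIES_PROFILE_A = 1   # SUPI concealed with the home network public key

# Constructed trace (all values invented). Each event is
# (timestamp, ue_label, event_type, detail), where detail is:
#   RegistrationRequest -> SUCI protection scheme id
#   GutiReallocation    -> the newly assigned 5G-GUTI
#   Paging              -> the identifier paged (derived from the 5G-GUTI)
#   ServiceRequest      -> None
TRACE = [
    (0.0,  "ueA", "RegistrationRequest", ECIES_PROFILE_A),
    (0.1,  "ueA", "GutiReallocation", "guti-a1"),
    (0.0,  "ueB", "RegistrationRequest", NULL_SCHEME),   # SUPI exposed
    (0.1,  "ueB", "GutiReallocation", "guti-b1"),
    (10.0, "ueA", "Paging", "guti-a1"),
    (10.2, "ueA", "ServiceRequest", None),
    (10.4, "ueA", "GutiReallocation", "guti-a2"),         # refreshed as required
    (11.0, "ueB", "Paging", "guti-b1"),
    (11.2, "ueB", "ServiceRequest", None),
    (20.0, "ueB", "Paging", "guti-b1"),                   # same identifier paged again
    (20.2, "ueB", "ServiceRequest", None),
]


def null_scheme_registrations(trace) -> list[str]:
    """UEs whose Registration Request carried a null-scheme SUCI (SUPI in clear)."""
    return sorted({ue for _, ue, kind, detail in trace
                   if kind == "RegistrationRequest" and detail == NULL_SCHEME})


def stale_guti_after_paging(trace) -> list[tuple[str, str]]:
    """(ue, guti) pairs where an identifier was paged again without a reallocation.

    TS 33.501 requires the AMF to assign a new 5G-GUTI after a Service Request
    that answers a paging; if the same identifier is paged again before that,
    the subscriber stays linkable over the air between the two pagings.
    """
    per_ue: dict[str, list] = defaultdict(list)
    for event in sorted(trace, key=lambda e: e[0]):   # time order, stable per UE
        per_ue[event[1]].append(event)

    findings = []
    for ue, events in per_ue.items():
        last_paged = None      # identifier of the most recent unanswered paging
        needs_refresh = None   # identifier that must be replaced before reuse
        for _, _, kind, detail in events:
            if kind == "Paging":
                if detail == needs_refresh:
                    findings.append((ue, detail))
                last_paged = detail
            elif kind == "ServiceRequest" and last_paged is not None:
                needs_refresh = last_paged
                last_paged = None
            elif kind == "GutiReallocation" and detail != needs_refresh:
                needs_refresh = None   # a genuinely new value clears the obligation
    return findings


if __name__ == "__main__":
    print("null-scheme SUCI from:", null_scheme_registrations(TRACE))
    print("stale 5G-GUTI after paging:", stale_guti_after_paging(TRACE))
```

Both checks are core-side: the first tells an operator that a subscription (or a test SIM with no home network key provisioned) is registering with the null scheme, the second that the AMF is not honouring the post-paging reallocation that makes 5G paging harder to link than LTE paging by GUTI.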
To be honest with you, 5G deserves a standalone research; I will try to make something about that.
But for the moment, I hope that you enjoyed reading this theoretical research.
If it exists, then it is a legitimate one and there is no danger. However, if the tower is not on the list, there is something
suspicious going on, and there is a high probability that this is an IMSI Catcher. In this case, the best you can do is to turn off
your phone and turn it on again once you reach a safe location.
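To make the "is this tower on the list?" check concrete, and to connect it back to the eNodeB Collector configuration described earlier (the operator's own MCC/MNC, a TAC the operator never allocated, often the real TAC + 1, on a channel the UE prefers), here is an added Python example; it is not code from the page, from any of the cited papers or from a detection product. The operator site list, the TAC set and the observed cells are all constructed values, and the ObservedCell fields are what SIB1 broadcasts plus a measured RSRP, so nothing here requires attaching to a cell.

```python
# Added example, not from the page: allowlist triage of observed LTE cells using
# only broadcast (SIB1) information and a measured RSRP.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedCell:
    plmn: str        # MCC+MNC as broadcast in SIB1; "00101" is the test PLMN
    tac: int         # tracking area code from SIB1
    cell_id: int     # 28-bit E-UTRAN cell identity from SIB1
    earfcn: int      # downlink channel the cell was decoded on
    rsrp_dbm: float  # measured reference signal received power


# Constructed operator site list: (plmn, cell_id) -> EARFCN the cell is licensed on.
KNOWN_CELLS = {
    ("00101", 0x1A2B01): 300,
    ("00101", 0x1A2B02): 300,
    ("00101", 0x1A2B03): 1575,
}
# Constructed set of TACs the operator has allocated in this region.
KNOWN_TACS = {0x0C34, 0x0C35}


def assess_cell(cell: ObservedCell,
                known_cells: dict[tuple[str, int], int] = KNOWN_CELLS,
                known_tacs: set[int] = KNOWN_TACS) -> list[str]:
    """Reasons a cell looks suspicious; an empty list means it matches the site list."""
    reasons = []
    key = (cell.plmn, cell.cell_id)
    if key not in known_cells:
        reasons.append("cell identity not in operator site list")
    elif known_cells[key] != cell.earfcn:
        reasons.append(f"known cell seen on unexpected EARFCN {cell.earfcn}")
    if cell.tac not in known_tacs:
        reasons.append("TAC not allocated by operator")
        # A TAC adjacent to a real one (real TAC + 1) is the pattern the experiment
        # summarised on this page uses to force a TAU REQUEST from passing UEs.
        if cell.tac - 1 in known_tacs or cell.tac + 1 in known_tacs:
            reasons.append("TAC is adjacent to a legitimate TAC")
    return reasons


def triage(observations: list[ObservedCell]) -> dict[int, list[str]]:
    """Map each suspicious cell identity to its reasons, strongest signal first."""
    flagged: dict[int, list[str]] = {}
    for cell in sorted(observations, key=lambda c: c.rsrp_dbm, reverse=True):
        reasons = assess_cell(cell)
        if reasons:
            flagged[cell.cell_id] = reasons
    return flagged


# Constructed observations: two genuine cells and one that copies the operator's
# PLMN on the same channel but with an unknown identity and a TAC of real + 1.
SAMPLE_OBSERVATIONS = [
    ObservedCell("00101", 0x0C34, 0x1A2B01, 300, -85.0),
    ObservedCell("00101", 0x0C35, 0x1A2B03, 1575, -97.0),
    ObservedCell("00101", 0x0C36, 0x7F0001, 300, -72.0),
]

if __name__ == "__main__":
    for cid, reasons in triage(SAMPLE_OBSERVATIONS).items():
        print(f"cell 0x{cid:07X}: " + "; ".join(reasons))
```

The strongest-first ordering matters because a cell that is both unknown and the loudest in the area is the one a phone will actually reselect to; the Ericsson and Black Hat links below describe how operators build the reference list this check depends on.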
https://www.findbestopensource.com/tagged/bladerf
https://www.ericsson.com/en/blog/2018/6/detecting-false-base-stations-in-mobile-networks
https://i.blackhat.com/USA-20/Wednesday/us-20-Quintin-Detecting-Fake-4G-Base-Stations-In-Real-Time.pdf