14 Feb
2014
14 Feb
'14
5:58 p.m.
Hi Michael,
It is my intention to share an image and speed the process
up for other researchers interested in GSM attacks and building simulations
in their labs. At this time there are code changes I want to expand upon
before I do (predominantly cosmetic changes and making it more feature
useful from the python script). I am also hoping that enhanced detection of
fakeBTS attacks will be expanded upon by the osmocom-bb toolkit (the launch
of the detection capability occurred in December 2013 at CCC.) which would
sufficiently detect anyone attempting to use tools of this nature in an
illegal way. Most of the work I did can be recreated from the slides
previously provided. If you are interested in the E100 platform, I spent
alot of time exploring its capabilities and re-compiling packages. I first
started trying to build the firmware from scratch with some discussion
occurring between myself and the firmware developer at Ettus, eventually it
became easier to customize the firmware provided by Ettus - the most
difficult change being a cross-compiled kernel to enable netfilter so that
IP routing became practical thus allowing for GPRS capabilities. I also had
issues with the OpenBTS 52MTransceiver application in the more recent
commits as significant overhaul has begun on changing its capabilities. I
eventually settled on r6718 version as this provided GPRS capabilities and
also was the last version functioning with the 52MTransceiver application.
Most of the firmware I had to rebuild from source including things not
available in package repos such as libpcap, asterisk (w/ODBC), odbc,
libsqlite and python to get the capabilities I needed to demonstrate the
practical elements of a GSM attack from an embedded device. I will be
releasing the firmware image as soon as I tidy up some of my python code
and detection tools become more effective. If you do really need the image
for some research purpose then please e-mail me directly and I will gladly
share a copy with you providing I can understand better your requirement
for needing an off-the-shelf attack tool for GSM.
Kind Regards,
Matthew
On Fri, Feb 14, 2014 at 3:53 PM, Michael Mooradian <
mooradianm(a)nkiengineering.com> wrote:
Mathew,
Is there any chance you will post the GreedyBTS E100 image online, or
maybe even a screen capture demonstration of it working? I am very
interested in how you were able to handle making the E100 run more
efficiently. Also impressive is how you were able to script some very
useful commands into your shell script. I would be very interested in how
you were able to group all of it together.
Thank you for any feedback you can give,
Michael
On Fri, Feb 7, 2014 at 5:12 AM, Hacker Fantastic <
hackerfantastic(a)googlemail.com> wrote:
--
Matthew Hickey
Tel: +44 7543 661237
Web: http://blog.hackerfantastic.com
Please visit my website for blog postings, status updates and project
information.
Hi all,
My first attempt to send this email didn't appear to succeed so I
am re-sending without attachment. Here is a copy of some slides
https://github.com/HackerFantastic/Public/blob/master/presentations/mwri_la…
wrote for a presentation on security weaknesses within GSM. I used an
Ettus E100 to develop a malicious BTS and GSM related attacks in a Faraday
cage and presented on how these attacks work to better understand them for
defensive purposes. I was able to use the E100 as a generic IP-router after
I cross-compiled a new kernel with netfilter enabled and also I had to
recompile a number of the packages such as Asterisk to enable ODBC and
improved SQLite support, I also had to make some changes to Python and its
modules. I used GNURadio 3.6.4 and I had to compile a specific version of
the OpenBTS code as the recent transceiver application did not function
with the E100. I was able to get the E100 to work as a GSM/GPRS router and
do real-time call placement etc. I got it to function with real-time
support and wrote a small script to provision new devices by watching the
syslog and adding to the SQLite database.
I also used osmocom-bb to do things like use gnuplot and graph the
channel usage although the code is extremely ugly! I took RSSI measurements
over a period of time into images and then tied them together for a movie,
it isn't quite realtime but it makes pretty graphs. I mentioned how you
could implement the MS side of the GSM stack using the osmocom project and
as such am sharing the slides with the osmocom list.
Just goes to show how mighty things come in small packages! Hope this
material is useful to others on the list who may also be trying similar
experiments. I ended up creating a firmware image that could be used to dd
and boot an E100 but at this time I do not plan on hosting it for download
unless there is sufficient interest. If you need it for some reason drop me
an e-mail.
Here is an example of the output of the greedyBTS script. As an example
my code plays "Rick Astley - never going to give you up" when a user places
a phone call and they have been provisioned with service. All of this work
was done in a faraday cage which I obtained from Ramsey electronics which
had very good frequency attenuation graph from 0mhz all the way to 1ghz.
root@usrp-e1xx:~# ./launch.sh
Launching asterisk
Launching HLR SMS
Launching OpenBTS
Launching Greedy BTS..
888 888 d8
e88 888 888,8, ,e e, ,e e, e88 888 Y8b Y888P 888 88e d88 dP"Y
d888 888 888 " d88 88b d88 88b d888 888 Y8b Y8P 888 888b d88888 C88b
Y888 888 888 888 , 888 , Y888 888 Y8b Y 888 888P 888 Y88D
"88 888 888 "YeeP" "YeeP" "88 888 888 888
88" 888 d,dP
, 88P 888 pDK++
"8",P" 888
[+] Current CELL configuration
[-] ==========================
[-] Shortname: 'Noone'
[-] MCC: 901 MNC: 70 C0 ARFCN: 51
[-] LAC: 3336 ARFCN's: 1 BAND: 900
[-]
[-] Radio Power
[-] ===========
[-] RxGain: 47 MaxPower: 10 MinPower: 0
--> help
[+] HELP SCREEN
[-] dump imei - lists all identified IMEI
[-] dump assoc - lists all IMEI+IMSI associations
[-] dump imsi - lists all identified IMSI
[-] dump save - store a record of all identities
[-] start service - provide service to IMSI & log traffic
[-] show service - show all provisioned phones
[-] stop service - deletes an identified IMSI from HLR
[-] calls - provide call collection statistics
[-] sms - provide sms collection statistics
[!] gprs - provide gprs collection statistics
[-] cellconfig - configure cell parameters for spoofing
[-] cellinfo - dump information on current cell
[-] cellshow - list short codes for common cells
[!] sounddial - play a sound recording to an IMSI
[!] spoofsms - send a spoof SMS message to an IMSI
[!] trunksetup - display current SIP trunk details
[-] verbose - turn on real time tracing
[-] exit - leave without shutdown
[-] shutdown - bye!
--> dump imei
[+] Dumping seen handset IMEI
[-] 1: IMEI359209002648230
[-] 2: IMEI358622002760070
[-] 3: IMEI350694801239040
[-] Total IMEI identified 3
--> dump imsi
[+] Dumping IMSI capture results
[-] 1: IMSI901700000002484
[-] 2: IMSI901700000002486
[-] 3: IMSI901700000002488
[-] Total IMSI identified 3
--> dump assoc
[+] Dumping IMSI/IMEI association
[-] 1 IMEI:358622002760070 used IMSI901700000002486
[-] 2 IMEI:350694801239040 used IMSI901700000002488
[-] Total associations 2
--> show service
[+] Displaying all provisioned IMSI
[-] 1: exten: 2100 user: IMSI001010000000000
[-] 2: exten: 2339 user: IMSI901700000002484
[-] Total subscriber count 2
--> stop service
[+] Deleting IMSI from HLR
[-] Enter IMSI: IMSI901700000002484
[-] Deleted IMSI901700000002484
--> help
[+] HELP SCREEN
[-] dump imei - lists all identified IMEI
[-] dump assoc - lists all IMEI+IMSI associations
[-] dump imsi - lists all identified IMSI
[-] dump save - store a record of all identities
[-] start service - provide service to IMSI & log traffic
[-] show service - show all provisioned phones
[-] stop service - deletes an identified IMSI from HLR
[-] calls - provide call collection statistics
[-] sms - provide sms collection statistics
[!] gprs - provide gprs collection statistics
[-] cellconfig - configure cell parameters for spoofing
[-] cellinfo - dump information on current cell
[-] cellshow - list short codes for common cells
[!] sounddial - play a sound recording to an IMSI
[!] spoofsms - send a spoof SMS message to an IMSI
[!] trunksetup - display current SIP trunk details
[-] verbose - turn on real time tracing
[-] exit - leave without shutdown
[-] shutdown - bye!
--> dump imei
[+] Dumping seen handset IMEI
[-] 1: IMEI359209002648230
[-] 2: IMEI358622002760070
[-] 3: IMEI350694801239040
[-] Total IMEI identified 3
--> dump imsi
[+] Dumping IMSI capture results
[-] 1: IMSI901700000002484
[-] 2: IMSI901700000002486
[-] 3: IMSI901700000002488
[-] Total IMSI identified 3
--> dump assoc
[+] Dumping IMSI/IMEI association
[-] 1 IMEI:358622002760070 used IMSI901700000002486
[-] 2 IMEI:350694801239040 used IMSI901700000002488
[-] Total associations 2
--> dump save
[+] Saving IMSI capture results
[+] Saving seen handset IMEI
[+] Saving IMSI/IMEI association
[-] logfile stored as 'greedybts.log'
--> shutdown
root@usrp-e1xx:~# cat greedybts.log
[-] 1: IMSI901700000002484
[-] 2: IMSI901700000002486
[-] 3: IMSI901700000002488
[-] Total IMSI identified 3
[-] 1: IMEI359209002648230
[-] 2: IMEI358622002760070
[-] 3: IMEI350694801239040
[-] Total IMEI identified 3
[-] 1 IMEI:358622002760070 used IMSI901700000002486
[-] 2 IMEI:350694801239040 used IMSI901700000002488
[-] Total associations 2
Kind Regards,
Matthew
------------------------------------------------------------------------------
Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
Read the Whitepaper.
http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.c…
_______________________________________________
Openbts-discuss mailing list
Openbts-discuss(a)lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openbts-discuss
--
Michael Mooradian
Nathan Kunes Inc.
5055 North Harbor Drive, Suite 230
San Diego, CA 92106619-822-1045 MAIN619-553-3076 DIRECT619-997-7055 CELL619-221-1235
FAXmooradianm(a)nkiengineering.com
14 Feb
14 Feb
6:27 p.m.
New subject: [Openbts-discuss] OpenBTS / E100 & GSM attacks.
Hi Matthew, all,
IMHO releasing such kind of image will just increase the number of script kiddies around
that could mess with 2G networks (and that is a bloody seriously problem).
From my experience (e.g. after releasing some slides
http://www.slideshare.net/iazza/dcm-final-23052013fullycensored ) I have always been asked
to release sources/scripts/etc. which I have promptly denied.
The reason is pretty simple as you can imagine... If someone own an USRP or an
OsmocomBB-MS... and also know just a bit of ETSI specs, SDR and C++... It is unlikely they
will need a ready-to-deploy image.
Obviously that is just my two cents.
Just be wise about sharing it.
Cheers,
Luca
Hi Michael,
It is my intention to share an image and speed the process up for other
researchers interested in GSM attacks and building simulations in their labs. At this time
there are code changes I want to expand upon before I do (predominantly cosmetic changes
and making it more feature useful from the python script). I am also hoping that enhanced
detection of fakeBTS attacks will be expanded upon by the osmocom-bb toolkit (the launch
of the detection capability occurred in December 2013 at CCC.) which would sufficiently
detect anyone attempting to use tools of this nature in an illegal way. Most of the work I
did can be recreated from the slides previously provided. If you are interested in the
E100 platform, I spent alot of time exploring its capabilities and re-compiling packages.
I first started trying to build the firmware from scratch with some discussion occurring
between myself and the firmware developer at Ettus, eventually it became easier to
customize the firmware provided by Ettus - the most difficult change being a
cross-compiled kernel to enable netfilter so that IP routing became practical thus
allowing for GPRS capabilities. I also had issues with the OpenBTS 52MTransceiver
application in the more recent commits as significant overhaul has begun on changing its
capabilities. I eventually settled on r6718 version as this provided GPRS capabilities and
also was the last version functioning with the 52MTransceiver application. Most of the
firmware I had to rebuild from source including things not available in package repos such
as libpcap, asterisk (w/ODBC), odbc, libsqlite and python to get the capabilities I needed
to demonstrate the practical elements of a GSM attack from an embedded device. I will be
releasing the firmware image as soon as I tidy up some of my python code and detection
tools become more effective. If you do really need the image for some research purpose
then please e-mail me directly and I will gladly share a copy with you providing I can
understand better your requirement for needing an off-the-shelf attack tool for GSM.
Kind Regards,
Matthew
The information contained in this message may be CONFIDENTIAL and is intended for the
addressee only. If you are not the addressee, please notify the sender immediately by
return e-mail and delete this message. Thank you.
6:41 p.m.
New subject: [Openbts-discuss] OpenBTS / E100 & GSM attacks.
Luca -
I generally agree, for whatever it’s worth. To release a “turn-key” attack tool is
irresponsible. Anyone qualified to actually do this kind of research can hack together
their own attack experiments from available software without much trouble.
— David
On Feb 14, 2014, at 19:27, Luca Bongiorni <luca.bongiorni1(a)studenti.unimi.it>
wrote:
Hi Matthew, all,
IMHO releasing such kind of image will just increase the number of script kiddies around
that could mess with 2G networks (and that is a bloody seriously problem).
From my experience (e.g. after releasing some slides
http://www.slideshare.net/iazza/dcm-final-23052013fullycensored ) I have always been asked
to release sources/scripts/etc. which I have promptly denied.
The reason is pretty simple as you can imagine... If someone own an USRP or an
OsmocomBB-MS... and also know just a bit of ETSI specs, SDR and C++... It is unlikely they
will need a ready-to-deploy image.
Obviously that is just my two cents.
Just be wise about sharing it.
Cheers,
Luca
Hi Michael,
It is my intention to share an image and speed the process up for other
researchers interested in GSM attacks and building simulations in their labs. At this time
there are code changes I want to expand upon before I do (predominantly cosmetic changes
and making it more feature useful from the python script). I am also hoping that enhanced
detection of fakeBTS attacks will be expanded upon by the osmocom-bb toolkit (the launch
of the detection capability occurred in December 2013 at CCC.) which would sufficiently
detect anyone attempting to use tools of this nature in an illegal way. Most of the work I
did can be recreated from the slides previously provided. If you are interested in the
E100 platform, I spent alot of time exploring its capabilities and re-compiling packages.
I first started trying to build the firmware from scratch with some discussion occurring
between myself and the firmware developer at Ettus, eventually it became easier to
customize the firmware provided by Ettus - the most difficult change being a
cross-compiled kernel to enable netfilter so that IP routing became practical thus
allowing for GPRS capabilities. I also had issues with the OpenBTS 52MTransceiver
application in the more recent commits as significant overhaul has begun on changing its
capabilities. I eventually settled on r6718 version as this provided GPRS capabilities and
also was the last version functioning with the 52MTransceiver application. Most of the
firmware I had to rebuild from source including things not available in package repos such
as libpcap, asterisk (w/ODBC), odbc, libsqlite and python to get the capabilities I needed
to demonstrate the practical elements of a GSM attack from an embedded device. I will be
releasing the firmware image as soon as I tidy up some of my python code and detection
tools become more effective. If you do really need the image for some research purpose
then please e-mail me directly and I will gladly share a copy with you providing I can
understand better your requirement for needing an off-the-shelf attack tool for GSM.
Kind Regards,
Matthew
The information contained in this message may be CONFIDENTIAL and is intended for the
addressee only. If you are not the addressee, please notify the sender immediately by
return e-mail and delete this message. Thank you.
6:45 p.m.
New subject: [Openbts-discuss] OpenBTS / E100 & GSM attacks.
Hi Luca,
Whilst I agree that arming a bunch of script kiddies is
completely detrimental to the security of everyone I must point out that
there are many practical applications for the use of such technology to
assist people working in security. For instance on multiple occasions I
have been told "It is GPRS, not WIFI" which is a complete misunderstanding
of the vulnerabilities in current mobility solutions used by many. I have
no intention to weaken the state of security any further than it is but I
am always happy to assist those who are interested in building stronger
defences. When the detection tools become better it will be less of an
issue but as it stands we are still in the infancy of detecting and
preventing such threats because there is misunderstanding about the
triviality of exploitation. I have no intention to provide material that
could enable anyone to exploit others, I merely aimed to highlight what is
possible and open the question as to how it can be accounted for in
traditional security defences.
Kind Regards,
Matthew
On Fri, Feb 14, 2014 at 5:27 PM, Luca Bongiorni <
luca.bongiorni1(a)studenti.unimi.it> wrote:
Hi Matthew, all,
IMHO releasing such kind of image will just increase the number of script
kiddies around that could mess with 2G networks (and that is a bloody
seriously problem).
From my experience (e.g. after releasing some slides
http://www.slideshare.net/iazza/dcm-final-23052013fullycensored ) I have
always been asked to release sources/scripts/etc. which I have promptly
denied.
The reason is pretty simple as you can imagine... If someone own an USRP
or an OsmocomBB-MS... and also know just a bit of ETSI specs, SDR and
C++... It is unlikely they will need a ready-to-deploy image.
Obviously that is just my two cents.
Just be wise about sharing it.
Cheers,
Luca
Hi Michael,
It is my intention to share an image and speed the
process up for other researchers interested in GSM attacks and building
simulations in their labs. At this time there are code changes I want to
expand upon before I do (predominantly cosmetic changes and making it more
feature useful from the python script). I am also hoping that enhanced
detection of fakeBTS attacks will be expanded upon by the osmocom-bb
toolkit (the launch of the detection capability occurred in December 2013
at CCC.) which would sufficiently detect anyone attempting to use tools of
this nature in an illegal way. Most of the work I did can be recreated from
the slides previously provided. If you are interested in the E100 platform,
I spent alot of time exploring its capabilities and re-compiling packages.
I first started trying to build the firmware from scratch with some
discussion occurring between myself and the firmware developer at Ettus,
eventually it became easier to customize the firmware provided by Ettus -
the most difficult change being a cross-compiled kernel to enable netfilter
so that IP routing became practical thus allowing for GPRS capabilities. I
also had issues with the OpenBTS 52MTransceiver application in the more
recent commits as significant overhaul has begun on changing its
capabilities. I eventually settled on r6718 version as this provided GPRS
capabilities and also was the last version functioning with the
52MTransceiver application. Most of the firmware I had to rebuild from
source including things not available in package repos such as libpcap,
asterisk (w/ODBC), odbc, libsqlite and python to get the capabilities I
needed to demonstrate the practical elements of a GSM attack from an
embedded device. I will be releasing the firmware image as soon as I tidy
up some of my python code and detection tools become more effective. If you
do really need the image for some research purpose then please e-mail me
directly and I will gladly share a copy with you providing I can understand
better your requirement for needing an off-the-shelf attack tool for GSM.
Kind Regards,
Matthew
The information contained in this message may be CONFIDENTIAL and is
intended for the addressee only. If you are not the addressee, please
notify the sender immediately by return e-mail and delete this
message. Thank you.
--
Matthew Hickey
Tel: +44 7543 661237
Web: http://blog.hackerfantastic.com
Please visit my website for blog postings, status updates and project
information.
6:54 p.m.
New subject: [Openbts-discuss] OpenBTS / E100 & GSM attacks.
Hi all.
Although general caution is advised in this case I have to disagree. I don't think
that availability of such an image will result in influx of gsm script-kiddies:
unlike some random internet attack tool, you can't hide behind some proxy in remote
country - you've got to be sufficiently close physically to your target.
That alone put enough restrictions to make people think twice before attempting to
use it.
On the other hand availability of ready-made image with the instructions on proper
and safe usage might lower the bar for actual researchers.
Also don't underestimate "forbidden fruit" effect - getting your hands on
something
that those "conspiracy of gsm developers" is trying to hide from
mega-cool-hacker is
one thing. Downloading freely available image is way more boring.
And no, I personally do not need this image - I'm quite happy with what we have in
our university lab already :)
cheers,
Max.
14.02.2014 18:27, Luca Bongiorni пишет:
Hi Matthew, all,
IMHO releasing such kind of image will just increase the number of script kiddies
around that could mess with 2G networks (and that is a bloody seriously problem).
From my experience (e.g. after releasing some
slides http://www.slideshare.net/iazza/dcm-final-23052013fullycensored ) I have
always been asked to release sources/scripts/etc. which I have promptly denied.
The reason is pretty simple as you can imagine... If someone own an USRP or an
OsmocomBB-MS... and also know just a bit of ETSI specs, SDR and C++... It is unlikely
they will need a ready-to-deploy image.
Obviously that is just my two cents.
Just be wise about sharing it.
Cheers,
Luca
--
best regards,
Max, http://fairwaves.ru
Hi Michael,
It is my intention to share an image and speed the process up for
other researchers interested in GSM attacks and building simulations in their labs.
At this time there are code changes I want to expand upon before I do
(predominantly cosmetic changes and making it more feature useful from the python
script). I am also hoping that enhanced detection of fakeBTS attacks will be
expanded upon by the osmocom-bb toolkit (the launch of the detection capability
occurred in December 2013 at CCC.) which would sufficiently detect anyone
attempting to use tools of this nature in an illegal way. Most of the work I did
can be recreated from the slides previously provided. If you are interested in the
E100 platform, I spent alot of time exploring its capabilities and re-compiling
packages. I first started trying to build the firmware from scratch with some
discussion occurring between myself and the firmware developer at Ettus, eventually
it became easier to customize the firmware provided by Ettus - the most difficult
change being a cross-compiled kernel to enable netfilter so that IP routing became
practical thus allowing for GPRS capabilities. I also had issues with the OpenBTS
52MTransceiver application in the more recent commits as significant overhaul has
begun on changing its capabilities. I eventually settled on r6718 version as this
provided GPRS capabilities and also was the last version functioning with the
52MTransceiver application. Most of the firmware I had to rebuild from source
including things not available in package repos such as libpcap, asterisk (w/ODBC),
odbc, libsqlite and python to get the capabilities I needed to demonstrate the
practical elements of a GSM attack from an embedded device. I will be releasing the
firmware image as soon as I tidy up some of my python code and detection tools
become more effective. If you do really need the image for some research purpose
then please e-mail me directly and I will gladly share a copy with you providing I
can understand better your requirement for needing an off-the-shelf attack tool for
GSM.
Kind Regards,
Matthew
The information contained in this message may be CONFIDENTIAL and is intended for the
addressee only. If you are not the addressee, please notify the sender immediately by
return e-mail and delete this message. Thank you.
3725
days inactive
3725
days old
baseband-devel@lists.osmocom.org
4 comments
4 participants
participants (4)
-
David A. Burgess -
Hacker Fantastic -
Luca Bongiorni -
☎