Oops, I got caught out on that one :-)
Re Pavol: I don't think it would be that hard; most of the important parts have been published.
Sending an SMS, waiting for the confirmation and correlating the TMSI with the output from layer23 is simple, and the principle is nicely explained in that talk.
The sniffing itself - if channel hopping isn't used, it should be relatively simple; the DSP patch that captures 4 timeslots at once and ignores the encryption is published, and so is the infrastructure for calling it from L1. So ideally two phones for the downlink, two phones for the uplink, I watch the BCCH for Paging request / Immediate assignment and, if needed, follow it to another frequency.
With channel hopping it will be a bit more complicated, but for calls it's already implemented there, so that should work too.
Converting the dump to audio - Sylvain promised that once he cleans it up, he'll publish it.
SysOp.
On 01/05/11 15:27, Pavol Luptak wrote:
First of all, read Sylvain Munaut's mail quoted below.
Those phones will be completely useless to you if you're buying them to play around with GSM sniffing, because the tools for that aren't public (and won't be!). Unless, of course, you write the tools yourself (which requires reading hundreds of PDF GSM specifications :)
I also wrote some info about it here: https://www.nethemba.com/sk/blog/-/blogs/nove-trendy-v-gsm-odpocuvani
Pavol
On Fri, Dec 31, 2010 at 05:29:36PM +0100, Sylvain Munaut wrote:
Hi,
Since a lot of people are asking the same questions and there seems to be a rush on the C123 on ebay, I thought some clarification is needed.
Short version:
- The exact tools I used on stage are _not_ and will _not_ be released (or sold ... several people asked ...)
- Anyone willing to re-code them without any a priori knowledge of GSM would most likely need months to read/understand both the specifications and the way the code works. (That's thousands of pages of GSM spec and thousands of lines of code)
- The Osmocom-BB project is not designed to be a sniffer, it's a baseband implementation; I just used part of it as a base.
So basically, unless you are really interested in GSM and are willing to dedicate time to understand it deeply and to contribute the various projects, there is not much point in you buying phones, or hanging out in the ml/irc or whatever ...
For those who are still reading and interested, here's a little more detail:
- The HLR query step: -> Go watch the awesome 25C3 talk about it
- The TMSI recovering step
  - Won't be published
  - If you know how paging works, you know what to do anyway and it's trivial. The method is in the talk, there is nothing to it.
- The targeted sniffing application
  - Won't be published either
  - Some improvements to the layer23 app framework will be done, but these are generic framework stuff, not app-specific
  - Again, if you know how L2 works and have looked at several traces, it's obvious what to do.
  - The 'DSP' part of the sniffer has been public for a while with a small demo app (single phone and doesn't exploit the full potential of the DSP patch) and it's perfectly sufficient to debug things on your own controlled network. (This is basically what I showed at Deepsec 2010).
- The tool to generate the input to Kraken
  - Won't be published either
  - Making the guesses is easy for anyone that knows what he's doing.
- The improved Kraken
  - No idea about it, see with Karsten / Sacha / Frank, I only got access to it 1 hour or so before the talk :)
- Conversion from burst to audio
  - This was hacked software, mostly with airprobe code.
  - The exact app will not be released, but I'd like to see the capability put in some clean library we can re-use from airprobe and other applications without having to multiply the code each time.
  - ... But since I'd like it to support AMR and viterbi soft output before that happens, it could take some time.
  - Anyone familiar with GSM, airprobe and C could re-hack the same thing in an hour ...
As you can see, everything you need to analyze your own network / your own traffic, even at the burst level, is already published and has been for more than a month. The other tools have been written only so that we could demonstrate that what we have been _saying_ is possible for about a year, we can now do _practically_. It's apparently needed to get people's attention; "theoretical" attacks are not enough to get the operators / GSMA to react. We'll see if that did it ...
A few pieces of advice that are always good:
- Make sure to check out the A5/1 project ML and the airprobe project ML, and try to ask your questions in the proper mailing list as much as possible.
- Check the wiki and mailing list archives thoroughly before asking questions.
Cheers,
Sylvain Munaut
PS: I only posted on this list because it seems a lot of people were pointed here while in fact airprobe would probably be more appropriate to discuss attack scenarios and such, so make sure to answer / start new discussion on the right list.
On Wed, Jan 05, 2011 at 01:48:21PM +0100, Tomas Holenda wrote:
Hi, I found the Motorola C139 on ebay; they have a lot of them there at a reasonable price. Does anyone have PayPal and an ebay account so you could buy it?
http://viewitem.eim.ebay.cz/Crystal_Case_Kristall_Handyhlle_Motorola_C139_C_...
SysOp.