Introduction of 《Inside Radio: An Attack and Defense Guide》

http://unicorn.360.com/blog/2018/01/29/Inside_Radio_An_Attack_and_Defense_Guide/

Inside Radio: An Attack and Defense Guide

This book discusses the security issues in a wide range of wireless devices and systems, such as RFID, Bluetooth, ZigBee, GSM, LTE, and GPS. It collects the findings of recent research by the UnicornTeam at 360 Technology, and reviews the state-of-the-art literature on wireless security. The book also offers detailed case studies and theoretical treatments – specifically it lists numerous laboratory procedures, results, plots, commands and screenshots from real-world experiments. It is a valuable reference guide for practitioners and researchers who want to learn more about the advanced research findings and use the off-the-shelf tools to explore the wireless world.

About the Authors


Qing YANG is the founder of UnicornTeam and the head of the Radio Security Research Department at 360 Technology. He has vast experience in the information security field and has presented at Black Hat, DEFCON, CanSecWest, HITB, Ruxcon, POC, XCon, China ISC and others.
Twitter: @Ir0nSmith

 

Lin HUANG is a senior wireless security researcher and SDR technology expert at 360 Technology. Her interests include security issues in wireless communication, especially cellular network security. She has spoken at the Black Hat, DEFCON and HITB security conferences, and is 360 Technology's 3GPP SA3 delegate.

Twitter: @huanglin_bupt

 

This book is a joint effort by the entire UnicornTeam, including Qiren GU, Jun LI, Haoqi SHAN, Yingtao ZENG, Wanqiao ZHANG and others.

Qiren GU is a senior security researcher in the Radio Security Department of 360 Technology and a member of UnicornTeam. He focuses on wireless communication security, cellular network security and SDR-related technologies, as well as problems in ADS-B, GPS, Bluetooth, Wi-Fi, NFC and RFID. He is a trainer for ISC, a lecturer at 360 Network Security University and a DEFCON Group 010 speaker, and the guy behind cn0xroot.com.
Twitter: @cn0xroot

 

Jun LI is a senior security researcher in the Radio Security Department of 360 Technology and a core member of UnicornTeam. He holds a master's degree from Chengdu University of Information Technology and focuses on the security of connected cars, wireless communication, hardware and related areas. He has presented his research at premier security conferences such as Black Hat, DEFCON, ISC, CanSecWest, HITB and Syscan360, and is a trainer for ISC. He is the author of Smart Car Attack & Defence Demystified, won sixth place in the MITRE IoT Challenge, and was featured in the CCTV documentary A Century With Cars. He started the first DEFCON Group in China, DC010, and is a member of the DEFCON Groups Global Advisory Board.
Twitter: @bravo_fighter

 

Haoqi SHAN is a senior security researcher in the Radio Security Department of 360 Technology and a PhD student in information security at the University of Florida. He focuses on Wi-Fi penetration, 2G/4G systems, embedded device hacking and related topics. He has given a series of presentations on RFID hacking and LTE device hacking at Black Hat, DEFCON, CanSecWest, CodeBlue, Syscan360, HITB and others.

 

Yingtao ZENG is a security researcher at UnicornTeam in the Radio Security Research Department of 360 Technology. He focuses mainly on the security of the Internet of Things, car remote control systems and automotive radar safety research. He has found vulnerabilities in vehicles from a variety of manufacturers including Buick, Volvo, Chevrolet, Toyota, Nissan, BYD and more. He has spoken at Hack In The Box (HITB), the DEFCON Car Hacking Village and Black Hat.

 

Wanqiao ZHANG is a senior security researcher in the Radio Security Department of 360 Technology and a member of UnicornTeam. She holds a master's degree from Nanjing University of Aeronautics and Astronautics and focuses on the security of communication systems, civil aviation radio, satellite communication and related areas. She has presented her research at premier security conferences such as DEFCON, POC, RUXCON and MOSEC, is a trainer for IChunqiu, and is a delegate of Qihoo 360 in 3GPP.

Pages: 400+

ISBN:
Hardcover 978-981-10-8446-1
eBook 978-981-10-8447-8

Publisher: Springer Singapore

Publisher: Springer; 1st ed. 2018 edition (May 9, 2018), or April 9, 2018

We will sell the book at HITB SECCONF 2018 Amsterdam.

Springer http://www.springer.com/us/book/9789811084461

Amazon https://www.amazon.com/Inside-Radio-Attack-Defense-Guide/dp/9811084467

Outline of 《Inside Radio: An Attack and Defense Guide》

Chapter 1 Overview of Wireless Security, Attack and Defense

1.1 Overview of wireless security
1.1.1 Origin of wireless security
1.1.2 Difference between wireless security and mobile security
1.1.3 Status quo of wireless security
1.2 Wireless attack and defense methods
1.2.1 Common attack targets
1.2.2 Wireless attack methods
1.2.3 Wireless defense methods
1.2.4 Trend of wireless security

Chapter 2 Tools for Wireless Security Research

2.1 Software-defined radio technology
2.1.1 SDR capabilities
2.1.2 SDR usage
2.2 SDR hardware tools
2.2.1 USRP
2.2.2 RTL-SDR
2.2.3 HackRF
2.2.4 bladeRF
2.2.5 LimeSDR
2.3 SDR software tool — GNU Radio
2.3.1 GNU Radio installation
2.3.2 The first thing to do after installation
2.3.3 Example: OFDM Tunnel
2.4 Sniff mouse and keyboard data
2.4.1 Use SDR to sniff data packets of wireless keyboards and mouses running on nordic chips
2.4.2 MouseJack

Chapter 3 RFID/NFC Security

3.1 Introduction to Mifare Classic
3.2 Security analysis of Mifare Classic
3.2.2 Review of the process of cracking Mifare Classic
3.3 A real case of cracking Mifare Classic
3.3.1 Introduction to Proxmark III
3.3.2 Burn and use Proxmark III firmware
3.3.3 Proxmark III client
3.3.4 Test the security of Mifare Classic with Proxmark III
3.3.5 Introduction to Chameleon-Mini
3.3.6 Burn and use Chameleon-Mini firmware
3.3.7 Simulate Mifare Classic by combining Proxmark III and Chameleon-Mini
3.3.8 Conclusion of HF attack and defense
3.4 Security analysis of LFID cards
3.4.1 Introduction to LFID cards
3.4.2 Coding principle of ID cards
3.4.3 Decoding principle of ID cards
3.4.4 Read data from ID cards
3.4.5 Format of the ID card number
3.5 Clone an LFID card
3.5.1 Simulation attacks with Proxmark III
3.5.2 Clone attacks with a blank card
3.5.3 Simulation attacks with HackID
3.6 EMV privacy leakage
3.6.1 EMV introduction
3.6.2 Mechanism of privacy leakage in contactless chip cards
3.6.3 Phenomenon of privacy leakage in contactless chip cards
3.6.4 Contactless chip card fraud
3.6.5 Privacy protection in the use of contactless chip cards

Chapter 4 433/315MHz Communication

4.1 Sniff and analyze the security of remote control signals
4.2 Attacks by replaying remote control signals
4.2.1 Parking bar signal replay
4.2.2 Wireless door bell signal replay
4.2.3 Vibrator signal replay
4.3 Crack fixed-code garage doors with brute force
4.3.1 Complexity of brute-force attack
4.3.2 Hardware for fixed-code brute-force attack
4.4 Security analysis of remote car key signals
4.4.1 Generation of remote control signals
4.4.2 Security analysis of Keeloq key generation algorithm
4.4.3 An example of remote controller bugs
4.4.4 Rolljam replay attacks on car keys
4.4 Security analysis of the PKE system
4.5 Security analysis of the tire pressure monitoring system

Chapter 5 Aeronautical Radio Navigation

5.1 Introduction to ADS-B system
5.1.1 Definition of ADS-B
5.1.2 Definition of 1090ES
5.2 ADS-B signal encoding
5.2.1 Modulation method
5.2.2 Format of message
5.2.3 Altitude code
5.2.4 CPR longitude and latitude code
5.2.5 CRC validation
5.3 ADS-B signal sniffing
5.3.1 Receive ADS-B signal with “dump1090”
5.3.2 Receive ADS-B signal with “gr-air-modes”
5.4 ADS-B signal deception
5.5 Analysis of attack and defense
References

Chapter 6 Bluetooth Security

6.1 Introduction to Bluetooth technology
6.3 Bluetooth sniffing tool Ubertooth
6.3.1 Ubertooth software installation
6.3.2 Ubertooth usage
6.4 Low-power Bluetooth
6.4.1 TI’s BLE Sniffer
6.4.2 Sniff BTLE data packets with “ubertooth-btle”
6.4.3 Read and write BLE devices’ properties with a mobile app
6.4.4 Transmit data packets by simulating the BLE device

Chapter 7 ZigBee Technology

7.1 Introduction to ZigBee
7.1.1 The relationship between ZigBee and IEEE 802.15.4
7.1.2 Structure of 802.15.4 frames
7.1.3 Different types of MAC frame in ZigBee
7.1.4 Device types and network topology of ZigBee
7.1.5 ZigBee networking
7.1.6 Application layer of ZigBee
7.1.7 The application support sub-layer of ZigBee
7.1.8 Application profile of ZigBee
7.2 ZigBee security
7.2.1 Security layers
7.2.2 Key types
7.2.3 Security levels
7.2.4 Key distribution
7.2.5 Access authentication for ZigBee nodes
7.3 ZigBee attacks
7.3.1 Attacking tools
7.3.2 Protocol analysis software
7.3.3 Network discovery
7.3.4 Attack an unencrypted network
7.3.5 Attack an encrypted network
7.4 An example of attacking
7.4.1 Obtain the key from the device
7.4.2 Attacks by using the key
7.5 Summary of attacks and defenses

Chapter 8 Mobile Network Security

8.1 Security status of the GSM system
8.1.1 Terminology and basic concepts of the GSM/UMTS system
8.1.2 Security of GSM encryption algorithms
8.1.3 Active attack and passive attack in GSM
8.1.4 GSM sniffing with “gr-gsm”
8.2 IMSI Catcher
8.2.1 What is an IMSI Catcher?
8.2.2 IMSI Catcher in GSM environment
8.2.3 IMSI Catcher in UMTS environment
8.2.4 IMSI Catcher in LTE environment
8.2.5 Defect of the IMSI Catcher
8.2.6 Stingray cellphone tracker
8.2.7 IMSI Catcher Detector
8.3 Femtocell security
8.3.1 Introduction to femtocell
8.3.2 Attack surface of femtocell
8.3.4 GSM femtocell based on VxWorks
8.4 LTE redirection and downgrade attack
8.4.1 Redirection attack principles
8.4.1.1 IMSI catcher
8.4.1.2 DoS Attack
8.4.1.3 Redirection Attack
8.4.2 The cause of redirection bugs
8.5 ‘Ghost Telephonist’ Attack
8.5.1 Vulnerability principle
8.5.2 Experiment setting
8.5.3 Attack methods
8.5.4 Countermeasures
8.6 Analysis of attack and defense

Chapter 9 Satellite Communication

9.1 Overview of artificial satellites
9.2 GPS security research
9.2.1 GPS sniffing and security analysis
9.2.2 GPS spoofing
9.2.3 Methods of defense and suggestions
9.3 Security analysis of Globalstar system
9.3.1 Globalstar’s CDMA technology
9.3.2 Globalstar data cracking
9.3.3 Possible attack methods
References

 

PlutoSDR Getting Started (Chinese edition) | PlutoSDR Getting Started Guide

Posted on http://unicorn.360.com/blog/2017/09/22/PlutoSDR-getting-started/

0x00 About PlutoSDR

PlutoSDR is an SDR board designed and produced by Analog Devices Inc (ADI), an active learning module aimed at university teachers and students. With it, electrical engineering students can quickly pick up the fundamentals of software-defined radio (SDR), radio frequency (RF) and wireless communications. The ADALM-PLUTO SDR is designed for students of different levels and backgrounds; this self-contained, portable RF lab can be used both for instructor-led teaching and for self-study.

The module uses the AD9363 agile RF transceiver, whose characteristics are:
Frequency range: 325 MHz – 3.8 GHz
Bandwidth: 20 MHz
Supports time-division duplex (TDD) and frequency-division duplex (FDD) operation.

When I first learned that PlutoSDR's tuning range was 325-3800 MHz, I thought I would not buy this hardware. After all, for an SDR, support for the 315/433 MHz frequencies used by wireless remote controls is a reasonable expectation.

Later, an attentive user abroad discovered that the AD9363 used in PlutoSDR can actually be upgraded to an AD9364. Many people may not know what that means, so let's look at the table below:

RF Transceiver                         LO tuning range   Bandwidth
AD9363 (currently used by PlutoSDR)    325 – 3800 MHz    20 MHz
AD9364 (PlutoSDR can be upgraded to)   70 – 6000 MHz     56 MHz

From the table we can see that by "upgrading" the chip, PlutoSDR can be overclocked: the supported frequency range goes from the original 325-3800 MHz to 70-6000 MHz, and the bandwidth increases considerably as well!

0x01 Drivers & Tools

On Windows 7, the first thing to install is the PlutoSDR-M2k USB driver, download link: https://github.com/analogdevicesinc/plutosdr-m2k-drivers-win/releases

The USB driver mainly provides the USB COM port and the USB network interface. In addition, when plugged in over USB, PlutoSDR also shows up as a USB mass-storage drive whose config.txt holds parameters such as PlutoSDR's IP address and gateway.

After installing the driver, try pinging that address from CMD.

0x02 "Upgrade" PlutoSDR to 70 – 6000 MHz

The PlutoSDR interactive shell can be reached over either the COM port or the network interface; the credentials are:
Username: root
Password: analog
The chip is "upgraded" to an AD9364 by setting system environment variables:

# fw_printenv attr_name
## Error: "attr_name" not defined
# fw_printenv attr_val
## Error: "attr_val" not defined
# fw_setenv attr_name compatible
# fw_setenv attr_val ad9364
# reboot

After the device reboots, enter the shell again to verify that the settings took effect:

# fw_printenv attr_name
attr_name=compatible
# fw_printenv attr_val
attr_val=ad9364

0x03 Install the SDRSharp plugin

The x86 / 32-bit version of SDR# is required here; the 64-bit version is not supported at present.
Download the ADALM-PLUTO frontend for SDRSharp from GitHub, extract the files in the archive into the SDR# main directory, and add a line for it in FrontEnds.xml.

Start SDR#, choose PlutoSDR under Source, configure PlutoSDR's IP address, and connect.

Now PlutoSDR can be used across 70-6000 MHz! Try listening to FM broadcast radio.

For Ubuntu and OSX, see https://www.rtl-sdr.com/adalm-pluto-sdr-hack-tune-70-mhz-to-6-ghz-and-gqrx-install/
Build the plutosdr branch of gr-osmosdr-gqrx:

git clone https://github.com/csete/gr-osmosdr-gqrx
cd gr-osmosdr-gqrx/
git checkout plutosdr
mkdir build
cd build/
cmake ../
make
sudo make install
sudo ldconfig

Finally, gqrx and GNU Radio drive PlutoSDR through the osmosdr sink.

0x04 References

https://wiki.analog.com/university/tools/pluto/users/customizing

https://www.rtl-sdr.com/adalm-pluto-sdr-hack-tune-70-mhz-to-6-ghz-and-gqrx-install/

 

IoT Module Fuzzing with OpenBTS, Part 1: Testing IoT modules with an OpenBTS base station

0x00 Introduction

In recent years, with the rapid development of cloud computing and IoT technology, IoT concepts and products have spread into every area of the economy and daily life. More and more wearables and home appliances connect to the Internet over Bluetooth, Wi-Fi, Li-Fi, Z-Wave, LoRa and similar technologies, becoming networked end devices.

Most of these, however, are short-range wireless technologies designed for indoor, short-distance use, and they perform very poorly outdoors, especially without line of sight. GSM (Global System for Mobile Communications), by contrast, is a mature technology with nationwide coverage and roaming; its advantages in network resources, transmission characteristics and data reliability make it a mobile, flexible and reliable long-range transport, so connecting devices through a GSM module is also widely used.

0x01 The testing gap

There are many test methods for short-range wireless technologies, and they are widely known and used, so they are not repeated here. For devices that communicate through 2G/GSM, 3G/UMTS and 4G/LTE base stations, such as smart meters, POS terminals, claw machines and vending machines, test methods and techniques are scarce, almost a blank.

This article shares how to build a fake base station from an SDR plus open-source projects and use its GPRS function as a gateway for GSM/GPRS network testing, so that the hardware traffic of a GSM module can be intercepted, analysed and replayed.

0x02 Environment setup

Download Ubuntu-16.04-desktop-i386.iso and install it on a fresh machine, to avoid errors caused by dependency problems.

2.1 Update

sudo apt-get install software-properties-common python-software-properties
sudo add-apt-repository ppa:git-core/ppa
sudo apt-get update
sudo apt-get install git

2.2 Set up the OpenBTS development environment

mkdir sdr  # create the sdr directory
cd sdr  # enter it
git clone https://github.com/RangeNetworks/dev.git
cd dev
./clone.sh  # clone the source from GitHub
./switchto.sh master  # switch to the master branch
./build.sh B200

Build the downloaded source. Because a USRP B200 is used, the SDR hardware name follows the build script; with a USRP N200, run ./build.sh N200 instead. (The build downloads source from Google, so a proxy is recommended throughout, otherwise it will fail.)

The build takes about 30-45 minutes depending on network and machine performance. When it finishes, Ubuntu has GNU Radio, the USRP UHD driver and the rest of the SDR environment installed, but the USRP firmware images still have to be downloaded manually:

$ sudo python /usr/lib/uhd/utils/uhd_images_downloader.py
Images destination:      /usr/share/uhd/images
Downloading images from: http://files.ettus.com/binaries/images/uhd-images_003.009.002-release.zip
Downloading images to:   /tmp/tmpEplLOD/uhd-images_003.009.002-release.zip
26296 kB / 26296 kB (100%)

Images successfully installed to: /usr/share/uhd/images
$ uhd_usrp_probe
linux; GNU C++ version 5.3.1 20151219; Boost_105800; UHD_003.009.002-0-unknown

-- Loading firmware image: /usr/share/uhd/images/usrp_b200_fw.hex...
-- Detected Device: B200
-- Loading FPGA image: /usr/share/uhd/images/usrp_b200_fpga.bin... done
-- Operating over USB 2.
-- Detecting internal GPSDO.... No GPSDO found
-- Initialize CODEC control...
-- Initialize Radio control...
-- Performing register loopback test... pass
-- Performing CODEC loopback test... pass
-- Asking for clock rate 16.000000 MHz...
-- Actually got clock rate 16.000000 MHz.
-- Performing timer loopback test... pass
-- Setting master clock rate selection to 'automatic'.
  _____________________________________________________
 /
|       Device: B-Series Device
|     _____________________________________________________
|    /
|   |       Mboard: B200
|   |   revision: 5
|   |   product: 1
|   |   serial: 30EA064
|   |   name: MyB200
|   |   FW Version: 8.0
|   |   FPGA Version: 13.0
|   |
|   |   Time sources: none, internal, external, gpsdo
|   |   Clock sources: internal, external, gpsdo
|   |   Sensors: ref_locked
|   |     _____________________________________________________
|   |    /
|   |   |       RX DSP: 0
|   |   |   Freq range: -8.000 to 8.000 MHz
|   |     _____________________________________________________
|   |    /
|   |   |       RX Dboard: A
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       RX Frontend: A
|   |   |   |   Name: FE-RX1
|   |   |   |   Antennas: TX/RX, RX2
|   |   |   |   Sensors: temp, rssi, lo_locked
|   |   |   |   Freq range: 50.000 to 6000.000 MHz
|   |   |   |   Gain range PGA: 0.0 to 76.0 step 1.0 dB
|   |   |   |   Bandwidth range: 200000.0 to 56000000.0 step 0.0 Hz
|   |   |   |   Connection Type: IQ
|   |   |   |   Uses LO offset: No
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       RX Codec: A
|   |   |   |   Name: B200 RX dual ADC
|   |   |   |   Gain Elements: None
|   |     _____________________________________________________
|   |    /
|   |   |       TX DSP: 0
|   |   |   Freq range: -8.000 to 8.000 MHz
|   |     _____________________________________________________
|   |    /
|   |   |       TX Dboard: A
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       TX Frontend: A
|   |   |   |   Name: FE-TX1
|   |   |   |   Antennas: TX/RX
|   |   |   |   Sensors: temp, lo_locked
|   |   |   |   Freq range: 50.000 to 6000.000 MHz
|   |   |   |   Gain range PGA: 0.0 to 89.8 step 0.2 dB
|   |   |   |   Bandwidth range: 200000.0 to 56000000.0 step 0.0 Hz
|   |   |   |   Connection Type: IQ
|   |   |   |   Uses LO offset: No
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       TX Codec: A
|   |   |   |   Name: B200 TX dual DAC
|   |   |   |   Gain Elements: None

After the build there is also a directory under BUILD named after the build time; on a 32-bit system it holds i386.deb packages, on a 64-bit system amd64.deb packages:

2.3 Update & install dependencies

sudo apt-get install software-properties-common python-software-properties
sudo add-apt-repository ppa:chris-lea/zeromq
sudo apt-get update

2.4 Install the built DEB packages

Watch for errors:

cd dev/BUILD/2016-11-29--23-23-16
sudo dpkg -i libcoredumper1_1.2.1-1_i386.deb libcoredumper-dev_1.2.1-1_i386.deb
sudo dpkg -i  liba53_0.1_i386.deb
sudo dpkg -i range-configs_5.0_all.deb
sudo dpkg -i range-asterisk*.deb
sudo apt-get install -f
sudo dpkg -i sipauthserve_5.0_i386.deb
sudo apt-get install -f
sudo dpkg -i smqueue_5.0_i386.deb
sudo apt-get install -f
sudo dpkg -i openbts_5.0_i386.deb
sudo apt-get install -f

0x03 Enable packet forwarding and configure iptables

Because the OpenBTS base station's GPRS traffic goes through the PC, packet forwarding must be enabled and iptables firewall rules configured before the base station's GPRS function is turned on.

3.1 Enable packet forwarding:

On Ubuntu, forwarding must be enabled as root; as a non-root user it cannot be enabled even with sudo:

sudo su 
echo 1 >> /proc/sys/net/ipv4/ip_forward

3.2 Configure the iptables rules:

The rules file /etc/OpenBTS/iptables.rules contains:

# Generated by iptables-save v1.4.4
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Generated by iptables-save v1.4.4
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

In some cases the machine's network interface is not eth0, so adjust the rules file to match your actual setup.

sudo iptables-restore < /etc/OpenBTS/iptables.rules
iptables -t nat -L -n -v

3.3 Load the databases

cd sdr/dev/openbts/apps
sudo sqlite3 -init OpenBTS.example.sql /etc/OpenBTS/OpenBTS.db ".quit"

cd sdr/dev/subscriberRegistry/apps
sudo sqlite3 -init sipauthserve.example.sql /etc/OpenBTS/sipauthserve.db ".quit"

cd sdr/dev/smqueue/smqueue
sudo sqlite3 -init smqueue.example.sql /etc/OpenBTS/smqueue.db ".quit"

3.4 Configure Asterisk

Asterisk is open-source IP-PBX software running on Linux that implements a telephone exchange for its users and supports all kinds of VoIP protocols. It provides many features that used to be available only on expensive professional PBX systems, such as conference calling, voicemail, interactive voice response and automatic call transfer.

In /etc/asterisk/, sip.conf and extensions.conf need to be modified. Specifically, each phone's IMSI (International Mobile Subscriber Identity) and its assigned number are registered in Asterisk by writing them into the sip.conf and extensions.conf configuration files.

sip.conf:

[IMSI46001658*****19]
callerid=2000003
canreinvite=no
type=friend
allow=gsm
context=sip-external
host=dynamic
dtmfmode=info

[IMSI41004030*****62]
callerid=2000004
canreinvite=no
type=friend
allow=gsm
context=sip-external
host=dynamic
dtmfmode=info

callerid=2000003 assigns number 2000003 to the phone with IMSI 46001658*****19;

canreinvite=no means that once a call to the phone is established, OpenBTS will not send re-INVITEs;

context=sip-external allows anonymous external calls from numbers that have not been assigned.

0x04 Start the base station:

4.1 Run transceiver to connect to the SDR hardware

cd sdr/dev/openbts/Transceiver52M
sudo ./transceiver

4.2 Run OpenBTS to start the base station

cd sdr/dev/openbts/apps/
sudo ./OpenBTS

4.3 Run smqueue to enable the SMS service

cd sdr/dev/smqueue/smqueue
sudo ./smqueue

4.4 Run sipauthserve to enable the authentication service

cd sdr/dev/subscriberRegistry/apps
sudo ./sipauthserve

4.5 asterisk -vvvc or asterisk -r

4.6 Start the OpenBTS console:

cd sdr/dev/openbts/apps
sudo ./OpenBTSCLI

root@0xroot:/home/init3/sdr/dev/openbts/apps# ./OpenBTSCLI
OpenBTS Command Line Interface (CLI) utility
Copyright 2012, 2013, 2014 Range Networks, Inc.
Licensed under GPLv2.
Includes libreadline, GPLv2.
Connecting to 127.0.0.1:49300...
Remote Interface Ready.
Type:
 "help" to see commands,
 "version" for version information,
 "notices" for licensing information,
 "quit" to exit console interface.
OpenBTS> version
release 5.0-master+c438a5a689 CommonLibs:76b71d509b+GPRS P built 2016-11-29T23:31:19

OpenBTS> help

Type "help" followed by the command name for help on that command.

alarms      audit       calls
cbs     cellid      chans
config      crashme     devconfig
endcall     freqcorr    gprs
handover    help        load
memstat     neighbors   noise
notices     page        power
rawconfig   regperiod   restart
rmconfig    rxgain      sendsimple
sendsms     sgsn        shutdown
stats       sysinfo     tmsis
trxfactory  txatten     unconfig
uptime      version

OpenBTS>

0x05 Configure the base station

GSM 900 band waterfall:

Scanning GSM base stations with gr-gsm and Kal:

A freshly built base station may fail to let phones camp on it, because the antenna power is too high, the phone is too close to the base station, and so on. In that case, configure the conditions for joining the base station and set the antenna power:

Allow any device to register:

OpenBTS> config Control.LUR.OpenRegistration .*
Control.LUR.OpenRegistration changed from "" to ".*"

Set the antenna power:

OpenBTS> devconfig GSM.Radio.RxGain 18
GSM.Radio.RxGain changed from "50" to "18"
GSM.Radio.RxGain is static; change takes effect on restart

Set the base station band:

OpenBTS> config GSM.Radio.Band 900
GSM.Radio.Band changed from "850" to "900"
GSM.Radio.Band is static; change takes effect on restart 

Set the welcome SMS:

config Control.LUR.NormalRegistration.Message Welcome to BTS 1

Set the base station name:

config GSM.Identity.ShortName GroundControl

Set the base station as a test network:

config GSM.Identity.MCC 001

Set the base station to China (MCC 460 is China):

config GSM.Identity.MCC 460

Set the operator to China Unicom:

config GSM.Identity.MNC 01

Set the operator to China Mobile:

config GSM.Identity.MNC 00

Set ARFCN, LAC and BCC

The Network Colour Code (NCC) is generally used to identify the operator; the Base station Colour Code (BCC) distinguishes base stations of the same operator that share the same BCCH.

A cell is usually identified jointly by the BCCH frequency and the BSIC, where BSIC = NCC + BCC. In TD-SCDMA and WCDMA there is the PLMN, PLMN = MCC + MNC, where MCC is the Mobile Country Code and MNC is the Mobile Network Code that identifies the operator.

During handover, the target cell is located mainly through the CI, BCCH and BSIC; when a neighbour cell with the same BCCH and the same scrambling-code group appears in the neighbour list, handover failures are likely.

OpenBTS> config GSM.Radio.C0 168
GSM.Radio.C0 changed from "151" to "168"
GSM.Radio.C0 is static; change takes effect on restart
OpenBTS> config GSM.Identity.BSIC.BCC 3
GSM.Identity.BSIC.BCC changed from "2" to "3"
OpenBTS> config GSM.Identity.LAC 1001
GSM.Identity.LAC changed from "1000" to "1001"
OpenBTS> config GSM.Identity.CI 11
GSM.Identity.CI changed from "10" to "11"
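The ARFCN, BSIC and PLMN values set through the CLI above can be sanity-checked before restarting OpenBTS; the following script is an added example, not OpenBTS code. It uses the 3GPP TS 45.005 ARFCN ranges, assumes GSM.Identity.BSIC.NCC is the NCC key matching GSM.Identity.BSIC.BCC (left at 0 here), and uses constructed IMSIs; note that ARFCN 168 lies in the GSM 850 numbering, so with GSM.Radio.Band set to 900 the checker reports it.

```python
"""Added example (not OpenBTS code): sanity-check the identity and radio
values set through the OpenBTS CLI.  ARFCN ranges and frequency formulas
follow 3GPP TS 45.005, reserved LAC values TS 23.003.  The config dict and
the IMSIs used here are constructed for illustration."""

# Per band: (first_arfcn, last_arfcn, uplink_base_mhz, arfcn_offset, duplex_mhz)
# uplink = base + 0.2 * (arfcn - offset); downlink = uplink + duplex spacing.
BANDS = {
    850:  [(128, 251, 824.2, 128, 45.0)],
    900:  [(0, 124, 890.0, 0, 45.0), (975, 1023, 890.0, 1024, 45.0)],  # P-GSM + E-GSM
    1800: [(512, 885, 1710.2, 512, 95.0)],
    1900: [(512, 810, 1850.2, 512, 80.0)],
}


def arfcn_to_mhz(band, arfcn):
    """Return (uplink_mhz, downlink_mhz) for an ARFCN in the given band;
    raise ValueError when the ARFCN is not part of that band's numbering."""
    if band not in BANDS:
        raise ValueError("unknown GSM band %r" % (band,))
    for first, last, base, offset, duplex in BANDS[band]:
        if first <= arfcn <= last:
            uplink = round(base + 0.2 * (arfcn - offset), 1)
            return uplink, round(uplink + duplex, 1)
    raise ValueError("ARFCN %d is not in the GSM %d band" % (arfcn, band))


def bsic(ncc, bcc):
    """Base Station Identity Code: 3-bit NCC in the high bits, 3-bit BCC low."""
    if not (0 <= ncc <= 7 and 0 <= bcc <= 7):
        raise ValueError("NCC and BCC must be in 0..7")
    return (ncc << 3) | bcc


def plmn(mcc, mnc):
    """PLMN identity = MCC (3 digits) followed by MNC (2 or 3 digits)."""
    if not (mcc.isdigit() and len(mcc) == 3):
        raise ValueError("MCC must be three digits")
    if not (mnc.isdigit() and len(mnc) in (2, 3)):
        raise ValueError("MNC must be two or three digits")
    return mcc + mnc


def imsi_in_plmn(imsi, mcc, mnc):
    """True when the IMSI (up to 15 digits) starts with the given PLMN."""
    return imsi.isdigit() and len(imsi) <= 15 and imsi.startswith(plmn(mcc, mnc))


def check_identity(cfg):
    """Return a list of problems found in a dict of OpenBTS config keys."""
    problems = []
    for fn, args in (
        (arfcn_to_mhz, (cfg["GSM.Radio.Band"], cfg["GSM.Radio.C0"])),
        (bsic, (cfg["GSM.Identity.BSIC.NCC"], cfg["GSM.Identity.BSIC.BCC"])),
        (plmn, (cfg["GSM.Identity.MCC"], cfg["GSM.Identity.MNC"])),
    ):
        try:
            fn(*args)
        except ValueError as err:
            problems.append(str(err))
    # LAC 0x0000 and 0xFFFE are reserved; CI is a 16-bit value.
    if not 1 <= cfg["GSM.Identity.LAC"] <= 0xFFFD:
        problems.append("LAC %d is reserved or out of range" % cfg["GSM.Identity.LAC"])
    if not 0 <= cfg["GSM.Identity.CI"] <= 0xFFFF:
        problems.append("CI %d is out of range" % cfg["GSM.Identity.CI"])
    return problems


# Constructed config mirroring the CLI commands in the text; NCC is assumed 0
# (GSM.Identity.BSIC.NCC is assumed to be the key matching BSIC.BCC).
PAGE_CFG = {
    "GSM.Radio.Band": 900, "GSM.Radio.C0": 168,
    "GSM.Identity.BSIC.NCC": 0, "GSM.Identity.BSIC.BCC": 3,
    "GSM.Identity.MCC": "460", "GSM.Identity.MNC": "01",
    "GSM.Identity.LAC": 1001, "GSM.Identity.CI": 11,
}

if __name__ == "__main__":
    for line in check_identity(PAGE_CFG) or ["config looks consistent"]:
        print(line)
    print("ARFCN 168 belongs to GSM 850: up/down = %s MHz" % (arfcn_to_mhz(850, 168),))
    print("BSIC =", bsic(0, 3), "PLMN =", plmn("460", "01"))
```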

User management

In 3.4 (Configure Asterisk) we gave some users callerid numbers; after starting OpenBTS, users can be managed with the nmcli.py script in the NodeManager directory:

cd sdr/dev/openbts/NodeManager/

Example of adding a user:

./nmcli.py sipauthserve subscribers create name imsi msisdn

Assign 123456 (the MSISDN) to the LG G3 device with IMSI 46001658*****19:

./nmcli.py sipauthserve subscribers create "LG G3" IMSI46001658*****19 123456

Read the registered entries:

root@0xroot:/home/init3/sdr/dev/openbts/NodeManager#./nmcli.py sipauthserve subscribers read
raw request: {"command":"subscribers","action":"read","key":"","value":""}
raw response: {
    "code" : 200,
    "data" : [
        {
            "imsi" : "IMSI46001658*****19",
            "msisdn" : " 123456",
            "name" : "LG G3"
        },
        {
            "imsi" : "IMSI46000645*****91",
            "msisdn" : " 223456",
            "name" : "MoTo"
        }
    ]
}

Enable GPRS:

OpenBTS> config GPRS.Enable 1

Set the base station's DNS server:

OpenBTS> config GGSN.DNS 8.8.8.8

Edit /etc/resolv.conf:

nameserver 8.8.8.8

To keep /etc/resolv.conf from being rewritten after the machine or the network restarts, edit /etc/resolvconf/resolv.conf.d/head as well:

nameserver 8.8.8.8

Set the GGSN log file path:

OpenBTS> devconfig GGSN.Logfile.Name /tmp/GGSN.log

Show the devices that have joined the base station:

OpenBTS> tmsis
IMSI            TMSI IMEI            AUTH CREATED ACCESSED TMSI_ASSIGNED
46001658*****19 -    354834060*****0 1    30m     30m      0

View the log: cat /var/log/OpenBTS.log

Logging configuration: /etc/rsyslog.d/OpenBTS.conf

Send an SMS: sendsms $IMSI $number "$text"

sendsms 46001658*****19 888888 "Hello World"

OpenBTS's Chinese support is not great; sending Chinese text produces garbled characters.

OpenBTS + Burp Suite

For intercepting the hardware's traffic requests with Burp, see the NCC Group blog post GSM/GPRS Traffic Interception for Penetration Testing Engagements.

0x06 Hardware debugging

Hardware chip module

G510-Q50-00 Pin Definitions

Solder a TTL serial adapter for debugging:

Serial debugging:

0x07 References

GSM/GPRS Traffic Interception for Penetration Testing Engagements

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/may/gsmgprs-traffic-interception-for-penetration-testing-engagements/

Getting Started with OpenBTS

PDF:    http://openbts.org/site/wp-content/uploads/ebook/Getting_Started_with_OpenBTS_Range_Networks.pdf

HTML:https://www.safaribooksonline.com/library/view/getting-started-with/9781491924280/ch04.html

OpenBTS Application Suite Release 4.0 User Manual

http://openbts.org/site/wp-content/uploads/2014/07/OpenBTS-4.0-Manual.pdf

OpenBTS BuildInstallRun

http://openbts.org/w/index.php?title=BuildInstallRun

http://openbts.org/w/index.php?title=OpenBTS-UMTS
https://wush.net/trac/rangepublic/wiki/GPRS
How to get 3G working on the UmTRX

https://fairwaves.co/blog/openbts-umts-3g-umtrx/

FIBOCOM G510

http://www.fibocom.com/product/2-1-2-1.html

FIBOCOM G510 Q50-00

http://www.tme.eu/gb/details/g510-q50-00/gsmgpsgprshspaedgelte-modules/fibocom/g510-q50-00/

http://www.fibocom.com/upfile/down/document_2_1_2_1.pdf

http://www.tme.eu/gb/Document/fabb43e22a46fba821931db19e577988/FIBOCOM_G510_U_M.pdf

http://www.mouser.cn/ProductDetail/STMicroelectronics/STM32F103C8T6/?qs=bhCVus9SdFtq6kqxsU5%2FDA%3D%3D

Exploring the Wireless World with USRP, Part 1: From USRP basics to tracking aircraft flight paths

Friendly reminder: please comply with radio regulations and set up and use radio equipment in accordance with the law.

Author: 雪碧0xroot @ Vulbox Security Team, cn0xroot.github.io

0x00 Preface

USRP is one of the more mature of the popular SDR boards in both functionality and applications: it supports everything from the Wi-Fi, ZigBee and RFID protocols and the GSM and LTE 4G systems to aircraft and satellite communication. Software developers use it to build applications, while security engineers use it to test and research wireless protocols.

A good many people who have played with TV dongles have tracked aircraft with the dongle + dump1090 setup. Tracking aircraft is so easy because aeronautical CNS (communication, navigation and surveillance) systems make heavy use of very old wireless standards.

(TV dongle + dump1090, 2D view)

(Image source: http://slideplayer.com/slide/2547225)

In the Secondary Surveillance Radar (SSR) system, the ground station transmits an interrogation on 1030 MHz; an aircraft that receives it replies on 1090 MHz with a message carrying some of its information, which is displayed on the air traffic controller's radar screen. There is also the Traffic Collision Avoidance System (TCAS), in which an aircraft itself transmits the 1030 MHz interrogation and other aircraft reply on 1090 MHz, so that an aircraft can "see" the aircraft around it. Since this interrogate-reply model is not very efficient when there are many aircraft, a new scheme, ADS-B, appeared: in ADS-B every aircraft broadcasts its own information without waiting to be interrogated, so surveillance and collision avoidance only need to receive.

In general aviation, ADS-B is often transmitted on 978 MHz; in commercial aviation it is usually transmitted on 1090 MHz.

0x01 Hardware

PC: Ubuntu or Mac

SDR: USRP, antenna, USB cable

0x02 Software

2.1 Install pip and pybombs

apt-get update
apt-get install git
apt-get install python-pip

pip install --upgrade pip
pip install git+https://github.com/gnuradio/pybombs.git

pybombs recipes add gr-recipes git+https://github.com/gnuradio/gr-recipes.git
pybombs recipes add gr-etcetera git+https://github.com/gnuradio/gr-etcetera.git
pybombs prefix init /usr/local -a myprefix -R gnuradio-default
pybombs install gqrx gr-osmosdr uhd

The above is how to install the SDR software on Ubuntu; on Mac OS X, MacPorts can be used instead.

2.2 Download the USRP images

After installing UHD (USRP Hardware Driver) with pybombs, the firmware and FPGA images still have to be downloaded; run:

python /usr/local/lib/uhd/utils/uhd_images_downloader.py

After plugging in the USRP, run:

uhd_find_devices

or

uhd_usrp_probe

to view the device information.

2.3 Build and install gr-air-modes:

git clone https://github.com/bistromath/gr-air-modes
cd gr-air-modes
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig

2.4 Install Google Earth

Ubuntu 32 bit:

wget http://dl.google.com/dl/earth/client/current/google-earth-stable_current_i386.deb

Ubuntu 64 bit:

wget http://dl.google.com/dl/earth/client/current/google-earth-stable_current_amd64.deb
sudo dpkg -i google-earth-stable_current_amd64.deb

Mac OS X:

wget https://dl.google.com/earth/client/advanced/current/GoogleEarthMac-Intel.dmg

0x03 Decode aircraft signals & import into Google Earth

cd gr-air-modes/apps/
./modes_rx -K test.kml

Run modes_rx from the apps directory to start receiving and decoding the 1090 MHz signals from aircraft; the -K option saves the decoded flight numbers, coordinates, speeds and so on to a .kml file.

Open Google Earth: Add -> Network Link ->

Give the link a name and the absolute path of the kml file:

Set the refresh interval and whether to fly to the view on refresh:

With fly-to-view on refresh enabled, Google Earth automatically positions to your area and shows the aircraft it has received overhead.

(Aircraft flight paths, 3D view)

The map shows the flight numbers; double-click an aircraft icon to see its altitude, speed and other information.

0x04 Demo video

http://v.qq.com/iframe/player.html?vid=e0346ll12xf&tiny=0&auto=0

0x05 References

https://kb.ettus.com/Implementation_of_an_ADS-B/Mode-S_Receiver_in_GNU_Radio

http://www.freebuf.com/articles/wireless/77819.html

USRP B200: Exploring the Wireless World

Aircraft Tracking with Mode S: Modez & Aviation Mapper
https://media.blackhat.com/bh-us-12/Briefings/Costin/BH_US_12_Costin_Ghosts_In_Air_WP.pdf

https://www.rs-online.com/designspark/10-things-you-can-do-with-software-defined-radio

Sniffing Nordic-chip wireless keyboard and mouse packets with SDR

0x01 System installation

Download Ubuntu 16.04

0x02 Set up the SDR development environment

Install pip and pybombs

apt-get update
apt-get install git
apt-get install python-pip
pip install --upgrade pip
pip install git+https://github.com/gnuradio/pybombs.git

Add the GNU Radio recipe repositories

pybombs recipes add gr-recipes git+https://github.com/gnuradio/gr-recipes.git
pybombs recipes add gr-etcetera git+https://github.com/gnuradio/gr-etcetera.git

Install common SDR software

pybombs install osmo-sdr rtl-sdr gnuradio hackrf airspy gr-iqbal libosmo-dsp gr-osmosdr gqrx

Installing bladeRF with pybombs fails, so build it from source instead:

git clone https://github.com/Nuand/bladeRF
cd bladeRF/host
mkdir build
cd build
cmake ../
make
sudo make install
sudo ldconfig

0x03 Build gr-nordic

gr-nordic:GNU Radio module and Wireshark dissector for the Nordic Semiconductor nRF24L Enhanced Shockburst protocol.

git clone https://github.com/BastilleResearch/gr-nordic/
cd gr-nordic/
mkdir build
cd build/
cmake ../
make
sudo make install
sudo ldconfig

0x04 Install Wireshark

apt-get install wireshark

On Ubuntu, accessing network interfaces requires root. Wireshark is only a UI on top of /usr/bin/dumpcap, and dumpcap needs root, so a non-root user cannot read the interface list. One workaround is to start the capture with sudo wireshark, but Wireshark started as root cannot use Lua scripts. The solution:

sudo -s
groupadd wireshark
usermod -a -G wireshark your_username  # replace with your login name
chgrp wireshark /usr/bin/dumpcap
chmod 750 /usr/bin/dumpcap

setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
getcap /usr/bin/dumpcap

When the output is:

/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip

the setting has taken effect. Log out and back in, or reboot, to activate the configuration.

0x05 Packet capture

In the gr-nordic project, include holds the Nordic TX, RX and API headers, lib holds the libraries the project depends on, example holds the Microsoft mouse script and the scripts for scanning and sniffing keyboards and mice based on Nordic chips, and the wireshark folder holds the Lua script used to analyse the captured packets.

gr-nordic$ wireshark -X lua_script:wireshark/nordic_dissector.lua -i lo -k -f udp

gr-nordic$ cd example

gr-nordic/example$ ./nordic_sniffer_scanner.py

0x06 Demo video

http://v.qq.com/iframe/player.html?vid=s033112i9oj&tiny=0&auto=0

0x07 Thanks & references

gr-nordic: GNU Radio module and Wireshark dissector for the Nordic Semiconductor nRF24L Enhanced Shockburst protocol.

孤独小白: GNU Radio Tutorial (1)

Sniffing with Wireshark as a Non-Root User

Bastille security researchers: Marc Newlin, Balint Seeber

*Original article by 雪碧0xroot@vulbox; when reposting, please credit FreeBuf (FreeBuf.COM)

Wireless Hacking With SDR And GnuRadio

0x01 Signal capture

Common wireless remote controls on the market usually operate at 315 MHz or 433 MHz; a few use 868 MHz or 915 MHz. A TV dongle, HackRF, bladeRF or other SDR hardware can be used to determine the remote's operating frequency: open the software and press the remote, and a clear response shows up on the waterfall:

osmocom_fft -F -f 433e6 -s 4e6

gqrx

Remote control centre frequency: 433870000

0x02 Record the signal

SDR software usually supports recording; the remote's signal can be saved as a wav audio file or in .cfile or .raw format.

Here a gnuradio-companion flowgraph is used for both recording and replaying the signal.

The osmocom Source block on the left drives the SDR hardware; its centre frequency is set to 433.874 MHz and the sample rate to 2M.

The QT GUI Sink block at top right shows the captured signal on a waterfall, and the File Sink at bottom right saves the recording to /tmp/key.raw.

Run the flowgraph; before pressing the remote:

After pressing the remote:

Go to the /tmp directory:

0x03 Signal replay

Next, build a replay flowgraph in gnuradio-companion:

The File Source on the left reads the captured key.raw file and the osmocom Sink drives the HackRF or bladeRF to transmit it, while the QT GUI Time Sink and QT GUI Frequency Sink show the time domain and the frequency domain on screen. Run the flowgraph:

Bingo!

0x04 Demo video

https://v.qq.com/x/page/m0332e0zdo7.html

0x05 Signal analysis

inspectrum key.raw

For the details of signal analysis and decoding, see the article "How to reverse-engineer wireless remote control signals with SDR + inspectrum".

# test.py: turn the per-chip amplitudes read off inspectrum into a bit string
s = ''
a = [0.333033, 0.326189, 0.0332124, 0.388094, 0.326704, 0.0154539, 0.322883, 0.0270275, 0.0150091, 0.443235, 0.362946, 0.027745, 0.430879, 0.443824, 0.0277048, 0.330736, 0.0290668, 0.0133217, 0.376686, 0.0123277, 0.00931546, 0.446231, 0.397617, 0.0162406, 0.447861, 0.0050071, 0.0109479, 0.389289, 0.0271959, 0.0138626, 0.32109, 0.0268736, 0.0129828, 0.401142, 0.326009, 0.0303488, 0.379368, 0.0229494, 0.0134011, 0.318115, 0.346288, 0.017666, 0.333818, 0.326769, 0.0141554, 0.341832, 0.0291055, 0.0153984, 0.446665, 0.399975, 0.024566, 0.316297, 0.0159851, 0.010876, 0.428384, 0.444201, 0.0214323, 0.376211, 0.00628675, 0.0105036, 0.44565, 0.0195615, 0.012549, 0.445242, 0.366523, 0.0225733, 0.324775, 0.0192127, 0.0134437, 0.318991, 0.381386, 0.0149852, 0.00882163, 0.447015]
for i in a:
    if i > 0.1:      # carrier present in this chip
        s += '1'
    else:            # carrier absent
        s += '0'
print(s)

python test.py
11011010011011010010011010010010011010011011010011010011010010011010011001

pip install bitstring
python
>>> import bitstring
>>> bitstring.BitArray(bin='11011010011011010010011010010010011010011011010011010011010010011010011001').tobytes()


Automated RF/SDR Signal Analysis [Reverse Engineering]

Payload: \x36\x9b\x49\xa4\x9a\x6d\x34\xd2\x69\x9

This payload and the tobytes() call above are the same 74 bits packed two different ways: the tool right-aligns them to a nibble boundary (two leading zero bits, hence the trailing half byte \x9), while bitstring's tobytes() left-aligns and zero-pads on the right, giving da 6d 26 92 69 b4 d3 49 a6 40. Neither packing says anything about the remote's own framing; that comes from the pulse timing seen in inspectrum, not from how the bits are grouped afterwards.

thanks for tresacton's help (GitHub)
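
The following Python is an added example, not the article's code and not part of inspectrum, bitstring or tresacton's tool. It runs the whole 0x05 pipeline in one script and also covers the reverse direction that 0x03 needs for anything beyond a raw replay: it synthesises an OOK burst as a GNU Radio .cfile (the format File Sink writes and File Source reads), recovers the chips with an envelope detector plus run-length timing, packs them both ways, and groups them into pulse-width symbols. Everything about timing and encoding is an assumption the page does not state: a 2 MS/s capture, a 400 µs chip, and 3-chip PWM symbols with 110 = 1 and 100 = 0. The IQ burst is constructed rather than read from a real key.raw; on a real capture, replace make_cfile() with the file's bytes.

```python
"""Added example (not the article's code): the key.raw -> bits -> bytes
pipeline that the article walks through by hand, in pure Python.
Assumptions, none of them stated on the page: 2 MS/s capture, 400 us chips,
and 3-chip PWM symbols (110 = 1, 100 = 0).  The IQ burst is synthesised
here so the script runs offline; on a real capture replace make_cfile()
with open("/tmp/key.raw", "rb").read()."""
import math
import random
import struct

SAMPLE_RATE = 2_000_000                              # the flowgraph's rate
CHIP_SECONDS = 400e-6                                # assumed shortest pulse
SAMPLES_PER_CHIP = int(SAMPLE_RATE * CHIP_SECONDS)   # 800

# The 74 chips the article read off inspectrum (page data).
PAGE_CHIPS = "11011010011011010010011010010010011010011011010011010011010010011010011001"


def make_cfile(chips, amplitude=0.4, offset_hz=5_000.0, noise=0.02, seed=1):
    """Constructed .cfile (interleaved float32 I/Q, what File Sink writes and
    File Source reads): carrier on for '1' chips, off for '0', with a small
    frequency offset and Gaussian noise.  Feeding a modified chip string
    here is how a forged frame for the replay flowgraph would be built."""
    rng = random.Random(seed)
    out = bytearray()
    n = 0
    for chip in chips:
        amp = amplitude if chip == "1" else 0.0
        for _ in range(SAMPLES_PER_CHIP):
            phase = 2 * math.pi * offset_hz * n / SAMPLE_RATE
            out += struct.pack("<ff", amp * math.cos(phase) + rng.gauss(0, noise),
                               amp * math.sin(phase) + rng.gauss(0, noise))
            n += 1
    return bytes(out)


def envelope(cfile_bytes):
    """|I + jQ| per sample; OOK data lives in the envelope, so the carrier
    offset is irrelevant."""
    return [math.hypot(i, q) for i, q in struct.iter_unpack("<ff", cfile_bytes)]


def run_lengths(values):
    """Collapse a sequence into [value, count] runs."""
    runs = []
    for v in values:
        if runs and runs[-1][0] == v:
            runs[-1][1] += 1
        else:
            runs.append([v, 1])
    return runs


def demodulate_ook(cfile_bytes, samples_per_chip=SAMPLES_PER_CHIP):
    """Envelope -> threshold -> run lengths -> chips.  Runs shorter than half
    a chip round to nothing (noise glitches); leading/trailing silence is
    stripped, as an inspectrum selection would be."""
    env = envelope(cfile_bytes)
    threshold = 0.5 * max(env)
    hard = ["1" if e > threshold else "0" for e in env]
    chips = "".join(v * round(n / samples_per_chip) for v, n in run_lengths(hard))
    return chips.strip("0")


def pack_bits(bits):
    """Left-aligned, zero-padded on the right: bitstring's tobytes()."""
    padded = bits + "0" * (-len(bits) % 8)
    return bytes(int(padded[i:i + 8], 2) for i in range(0, len(padded), 8))


def nibble_hex(bits):
    """Right-aligned to a nibble boundary (zeros prepended): the form the
    article's 'Payload:' line uses."""
    padded = "0" * (-len(bits) % 4) + bits
    return f"{int(padded, 2):0{len(padded) // 4}x}"


def pwm_decode(chips, one="110", zero="100"):
    """Assumed 3-chip PWM: long pulse = '1', short pulse = '0'.  Returns the
    decoded bits and whatever chips are left over after the last whole
    symbol; any other 3-chip pattern means the assumption is wrong."""
    width = len(one)
    usable = len(chips) - len(chips) % width
    bits = []
    for i in range(0, usable, width):
        sym = chips[i:i + width]
        if sym not in (one, zero):
            raise ValueError(f"chips {i}..{i + width}: {sym!r} is not a PWM symbol")
        bits.append("1" if sym == one else "0")
    return "".join(bits), chips[usable:]


if __name__ == "__main__":
    chips = demodulate_ook(make_cfile(PAGE_CHIPS))
    print("chips   :", chips, "matches page:", chips == PAGE_CHIPS)
    print("tobytes :", pack_bits(chips).hex())    # left-aligned, like bitstring
    print("payload :", nibble_hex(chips))         # right-aligned, like the tool
    bits, rest = pwm_decode(chips)
    print("pwm bits:", bits, "->", pack_bits(bits).hex(), "leftover:", rest)
```

On the page's 74 chips this recovers the same bit string, the left-aligned tobytes() form da6d269269b4d349a640, the right-aligned payload 369b49a49a6d34d2699 (the page's \x36\x9b ... \x9), and, under the PWM assumption, 24 symbols d916a5 with the chips "01" left over. The grouping is suggested by the data itself: every one of the first 24 groups of three chips is 110 or 100, which is what pulse-width remotes look like in inspectrum; what the two trailing chips are, the page does not say. The threshold at half the peak envelope and the rounding of run lengths to whole chips are the two places a real, noisier capture will need tuning.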

0x06 Hacking the world with a watch

The TI eZ430-Chronos watch is built around a CC430, an MSP430 microcontroller with an integrated sub-1 GHz radio, so it can transmit on the frequencies the common remotes use (315 MHz, 433 MHz, 868 MHz, 915 MHz):

6.1 Setting up the development environment

Download from TI's website (an account is required) CCS (Code Composer Studio): http://processors.wiki.ti.com/index.php/Download_CCS

The FET-Pro430-Lite programmer: http://www.elprotronic.com/download.html

SmartRF Studio: http://www.ti.com.cn/tool/cn/smartrftm-studio

and the miChronos project code from GitHub: http://github.com/jackokring/miChronos

Baidu Netdisk mirror: https://pan.baidu.com/s/1hsse2Ni

If your Windows 7 is not Service Pack 1, first install the Windows 7 and Windows Server 2008 R2 Service Pack 1 (KB976932) update, otherwise Code Composer Studio will not install. Download: https://www.microsoft.com/zh-cn/download/confirmation.aspx?id=5842

0x07 References

Michael Ossmann: Software Defined Radio with HackRF, Lesson 11: Replay (YouTube) https://www.youtube.com/watch?v=CyYteFiIozM

TI eZ430-Chronos Hacking quickstart http://timgray.blogspot.jp/2012/12/ti-ez430-chronos-hacking-quickstart.html

The hackable watch: a wearable MSP430 MCU http://www.itopen.it/the-hackable-watch-a-wearable-msp430-mcu/

You can ring my bell! Adventures in sub-GHz RF land… http://adamsblog.aperturelabs.com/2013/03/you-can-ring-my-bell-adventures-in-sub.html?m=1

TI EZ430 Chronos watch, quick guide / tutorial to hacking the firmware https://www.youtube.com/watch?v=20dVNyJ8fYw&feature=youtu.be

Author: 雪碧0xroot (Blog)

GnuRadio + BladeRF + OpenLTE: Building a 4G LTE Base Station, Part 1

Author: 雪碧0xroot@漏洞盒子安全实验室 (Vulbox Security Lab)

0x00 Preface

With the mobile Internet growing at scale, the spread of smartphones and the popularity of Internet applications have made demand for wireless networks grow geometrically, and competition between mobile operators has become ever fiercer. Yet because of tariff cuts and other factors, the revenue operators earn per user is slowly shrinking, while the investment needed to operate and upgrade wireless networks keeps rising and revenue grows only slowly. To keep profits growing over the long term, operators have to cut costs.

SDR (Software Defined Radio) moves as much of a base station's signal processing as possible into software: on a general-purpose hardware platform, modulation, demodulation and coding can be implemented quickly. SDR offers a completely new approach to building communication systems, lowering the cost of research and development and shortening the path to a working implementation. (Quoted from 基于开源SDR实现LTE系统对比.)

Can SDR break the traditional operators' monopoly on the telecom industry?

Also worth noting: from the 2G GSM attack talks of a few years ago to the recent 4G LTE security talks at overseas security conferences, base-station security has always drawn the attention of security enthusiasts.

Against this background the OpenLTE open-source project has become a hot topic:

OpenLTE is an open-source implementation of the 3GPP LTE protocols for Linux, built on the GNU Radio SDK; its main deliverable is a simple 4G base station (eNodeB). The rest of this article shows how to build and use OpenLTE.

For building a GSM base station with a BladeRF, see:

GSM BTS Hacking: 利用BladeRF和开源BTS 5搭建基站 (building a base station with BladeRF and OpenBTS 5)
GSM Hacking:使用BladeRF、树莓派、YatesBTS搭建便携式GSM基站 (a portable GSM base station with BladeRF, Raspberry Pi and YateBTS)
Demo:

FreeBuf encyclopedia

2G refers to the second-generation cellular telephone protocols, marked by the move to digital radio and capable of narrowband data. Common 2G protocols are GSM (with its GPRS and EDGE data services) and CDMA; data rates are very slow.

3G, the third generation, builds on 2G with high-bandwidth data communication and better voice-call security. 3G data bandwidth is generally above 500 kb/s. The three common 3G standards are WCDMA, CDMA2000 and TD-SCDMA; they are fast enough for mobile web browsing and similar needs.

4G, the fourth generation, comes in two modes, TD-LTE and FDD-LTE. It combines 3G and WLAN-class service and can carry high-quality video at a quality comparable to HDTV. A 4G system can download at 100 Mbps, roughly 2000 times faster than dial-up, and upload at up to 20 Mbps, meeting almost every user's requirements for wireless service.

Security aside, how do 2G, 3G and 4G differ? For the user, the biggest difference is speed.

An example you will get instantly: on 2G you open 苍老师.txt in a second, on 3G 苍老师.jpg, on 4G 苍老师.avi:

0x01 Environment setup

OS: Ubuntu

GnuRadio 3.7

BladeRF

HackRF

1.1 BladeRF

1.1.1 Driver

mkdir bladeRF
cd bladeRF
wget -c https://github.com/Nuand/bladeRF/archive/master.zip
unzip master.zip
cd bladeRF-master/host
mkdir build
cd build
cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/usr/local -DINSTALL_UDEV_RULES=ON ../
make -j4
sudo make install > install.log
sudo ldconfig

1.1.2 BladeRF firmware

wget -c http://www.nuand.com/fx3/bladeRF_fw_v1.8.0.img
bladeRF-cli -f bladeRF_fw_v1.8.0.img -v verbose

1.2 GNURadio

mkdir gnuradio
cd gnuradio
wget http://www.sbrac.org/files/build-gnuradio
chmod a+x build-gnuradio
./build-gnuradio -v
sudo apt-get install libpolarssl-dev   # PolarSSL headers, needed later to build OpenLTE

0x02 A shortcut

The steps above pull in a lot of dependencies. If you would rather not, use the Ubuntu Live CD published by GNU Radio, which ships with gnuradio, HackRF, BladeRF, USRP, gqrx, rtl-sdr and the rest of the SDR dependencies already set up; this sidesteps most of the pitfalls of building the environment yourself.
Download: http://gnuradio.org/redmine/projects/gnuradio/wiki/GNURadioLiveDVD

2.1 Building OpenLTE

wget http://ufpr.dl.sourceforge.net/project/openlte/openlte_v00-19-04.tgz   # latest release at the time of writing
tar zxvf openlte_v00-19-04.tgz
cd openlte_v00-19-04/
mkdir build
cd build
cmake ../
make
sudo make install

0x03 Scanning for nearby base stations

Plug in the SDR device. I used a BladeRF here (I tested a HackRF too and it works, but since HackRF moves data over USB 2.0 its throughput is much lower than BladeRF's; use a USRP if you have one):

osmocom_fft --samp-rate 80000000

Note that 80 MS/s is more than a bladeRF x40 (40 MS/s) or a HackRF (20 MS/s) can deliver; when reproducing this, request a rate your device supports and check the rate osmocom_fft actually reports.

Once OpenLTE has been built, the executables are in the build directory:

cd LTE_fdd_dl_scan
./LTE_fdd_dl_scan

Open a new terminal and telnet into OpenLTE's interactive control interface:

telnet 127.0.0.1 20000

In the telnet session, run start to begin scanning:

LTE_fdd_dl_scan sweeps the EARFCN values in dl_earfcn_list, which runs from 25 to 575.

ARFCN (Absolute Radio Frequency Channel Number) is the channel-numbering scheme GSM uses to identify a particular RF carrier; anyone who has sniffed GSM SMS will be familiar with it. In 4G LTE the equivalent is the EARFCN (E-UTRA ARFCN), which identifies a carrier on a 100 kHz raster within a given band.
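
To turn the EARFCN numbers the scanner prints into frequencies you can check against the osmocom_fft waterfall, here is an added Python example (not OpenLTE's code). The formula and band rows are taken from 3GPP TS 36.101 Table 5.7.3-1; only a handful of bands are reproduced, and which operator runs which band is the article's statement, not something the table encodes. The article's default 25-575 list and its band 1 / band 3 commands are used as inputs.

```python
"""Added example (not OpenLTE code): EARFCN <-> downlink frequency for the
bands the article scans.  Formula and band rows are from 3GPP TS 36.101
Table 5.7.3-1 (only a few rows are reproduced); which operator runs which
band is the article's claim and is not encoded here."""

# band -> (label, F_DL_low in kHz, N_Offs-DL, first EARFCN, last EARFCN)
BANDS = {
    1:  ("FDD 2100", 2_110_000,     0,     0,   599),
    3:  ("FDD 1800", 1_805_000,  1200,  1200,  1949),
    7:  ("FDD 2600", 2_620_000,  2750,  2750,  3449),
    20: ("FDD 800",    791_000,  6150,  6150,  6449),
    38: ("TDD 2600", 2_570_000, 37750, 37750, 38249),
    39: ("TDD 1900", 1_880_000, 38250, 38250, 38649),
    40: ("TDD 2300", 2_300_000, 38650, 38650, 39649),
    41: ("TDD 2500", 2_496_000, 39650, 39650, 41589),
}
RASTER_KHZ = 100   # E-UTRA channel raster: one EARFCN step = 100 kHz


def band_of(earfcn):
    """EARFCN ranges do not overlap between bands, so the number alone
    identifies the band (among the rows in BANDS)."""
    for band, (_, _, _, first, last) in BANDS.items():
        if first <= earfcn <= last:
            return band
    raise ValueError(f"EARFCN {earfcn} is not in any band in the table")


def earfcn_to_dl_khz(earfcn):
    """F_DL = F_DL_low + 0.1 MHz * (N_DL - N_Offs-DL), kept in integer kHz
    so no float rounding creeps into the channel frequency."""
    _, f_low, n_offs, _, _ = BANDS[band_of(earfcn)]
    return f_low + RASTER_KHZ * (earfcn - n_offs)


def dl_khz_to_earfcn(band, f_khz):
    """Inverse mapping; rejects frequencies off the raster or outside the band."""
    _, f_low, n_offs, first, last = BANDS[band]
    if (f_khz - f_low) % RASTER_KHZ:
        raise ValueError(f"{f_khz} kHz is not on the {RASTER_KHZ} kHz raster")
    earfcn = n_offs + (f_khz - f_low) // RASTER_KHZ
    if not first <= earfcn <= last:
        raise ValueError(f"{f_khz} kHz lies outside band {band}")
    return earfcn


def describe(earfcn):
    """One-line summary of a scanner hit, e.g. for log output."""
    band = band_of(earfcn)
    label = BANDS[band][0]
    return f"EARFCN {earfcn}: band {band} ({label}), DL {earfcn_to_dl_khz(earfcn) / 1000:.1f} MHz"


def scan_coverage(first, last):
    """The span of downlink spectrum, in MHz, that a dl_earfcn_list from
    first to last actually sweeps."""
    return (earfcn_to_dl_khz(first) / 1000, earfcn_to_dl_khz(last) / 1000)


if __name__ == "__main__":
    # OpenLTE's default list of 25..575 lies entirely in band 1:
    print(describe(25), "|", describe(575))
    print("default scan sweeps %.1f-%.1f MHz" % scan_coverage(25, 575))
    print(describe(1300))                      # a band 3 channel
    print(dl_khz_to_earfcn(3, 1_815_000))      # and back to its EARFCN: 1300
```

The default 25-575 list maps to 2112.5-2167.5 MHz, i.e. the whole of band 1 except its edges, which is why the article's first scan works without changing the band. After write band 3 the same loop runs over 1200-1949 (1805-1880 MHz); a hit printed there can be dropped into describe() and compared with what the waterfall showed. TDD bands (38-41) use the same formula with uplink and downlink on one frequency, so nothing changes for the scanner.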

3.1 Scanning China Telecom's FDD-LTE network (telnet side):

write band 1
help
start

3.2 Scanning China Unicom's FDD-LTE network (telnet side):

stop
write band 3
start

3.3 Stopping the scan (telnet side):

shutdown

3.4 TD-LTE bands of China Mobile, China Unicom and China Telecom, plus some FDD-LTE bands: (band table, figure not reproduced)

0x04 Conclusion

The first part of this article showed how to build OpenLTE and scan for nearby base stations; later parts will follow the official OpenLTE wiki through the remaining features, such as LTE_fdd_enodeb's SIM provisioning and user-adding functions:

0x05 References & thanks

Mobile Security: Practical attacks using cheap equipment

Black Hat: LTE and IMSI catcher

①: https://www.blackhat.com/docs/eu-15/materials/eu-15-Borgaonkar-LTE-And-IMSI-Catcher-Myths-wp.pdf

②: https://www.blackhat.com/docs/eu-15/materials/eu-15-Borgaonkar-LTE-And-IMSI-Catcher-Myths.pdf

IMSI Catchers and Mobile Security

Lin Huang (黄琳), HITB paper: LTE REDIRECTION: Forcing Targeted LTE Cellphone into Unsafe Network
OpenLTE: sourceforge.net

OpenLTE WIKI

OpenLTE开源代码结构解析(一) (OpenLTE source code structure, part 1)

OpenLTE开源代码结构解析(二) (OpenLTE source code structure, part 2)

基于开源SDR实现LTE系统对比 (Comparison of open-source SDR LTE implementations)

* Author: 雪碧0xroot@漏洞盒子安全实验室 (Vulbox Security Lab); when reposting, please credit FreeBuf (FreeBuf.COM)

http://www.freebuf.com/articles/wireless/108417.html