
GSM Hacking: Free Pentester Guide

GSM Hacking Pentester Guide

A GSM hacking guide for professional pentesters and hobbyists. As we know, GSM is an ancient technology that is nowadays thoroughly insecure; many countries are decommissioning their GSM infrastructure and reusing the frequencies for 5G and other transmission technologies.

Here I will explain the most common publicly known attacks against GSM networks using cheap hardware such as an RTL-SDR. Keep in mind that this type of hardware can only receive (RX) data.

SS7 Attacks on GSM

SS7 attacks and attacks using rogue GSM base stations are out of scope, and they will stay out of scope apart from some tips on entry points. Remember that I am not responsible for your actions: do this in your lab and study with your own devices.

First I will describe the hardware with a few technical details; then it is necessary to understand how the spectrum works and which frequencies our country uses for GSM.

Once we know which ARFCN we want to monitor, we will capture live data on that specific channel and save it into a cfile.

This cfile will allow us to decode the other layers of the traffic, which belong to other protocols, and at the end I will explain how to crack A5/1 encryption using rainbow tables.

What hardware is necessary to capture GSM downstream packets?

As I said before, here I only use an RTL-SDR device, which is enough to do passive reconnaissance around you, understand the basic concepts of the technology, and decode some SMS messages or voice calls addressed to us.

Limitations on GSM Hacking

Note that these limitations are tied to the hardware used in this tutorial; with more expensive hardware and other techniques, other attacks become possible.

  • We only receive traffic (RX)
  • We only decrypt our own session
  • We extract the Kc key from our own session only

GSM SIM Cards

SIM cards fall into two main categories, CDMA and GSM; here I focus on GSM SIM cards. These cards have two types of charging system: PREPAID and POSTPAID.

PREPAID

Prepaid cards already have a tariff plan assigned to them.

POSTPAID

SIM Card Structure


SIM cards hold a profile laid out by the network operator; these cards have a storage capacity of 8k, 16k, 32k, 128k, etc.

  • MF – Master File
  • DF – Dedicated Files
  • EF – Elementary Files

Standards: GSM 11.11 / 3GPP TS 51.011

SIM Card Profile


Network Requirements

  • MCC / MNC
  • IMSI
  • ICC-ID
  • SMS Parameters

Marketing Requirements

  • Phonebook
  • Number of Short Messages
  • Service Dialing Numbers (customer care numbers)
  • Mailbox Number

Business Requirements

  • Roaming Partner List
  • PIN Handling

ICC-ID


ICC

  • SIM – Single IMSI or Dual IMSI
  • RUIM – Single CDMA or combo CDMA+GSM

The ICC-ID is defined by ITU-T E.118.

The ICC-ID has 19 digits; the last one is a check digit calculated with the Luhn algorithm.

89-91-15-100-000000011-8

  • 89 – Telecom (Major Industry Identifier)
  • 91 – CC (Country Code)
  • 15 – MNC
  • 100 – Vendor
  • 000000011 – Serial Number
  • 8 – Checksum (Luhn check digit)

IMSI


International Mobile Subscriber Identity

The IMSI has 15 digits, is unique worldwide, and identifies the subscriber's home network.

MCC + MNC + MSIN = IMSI

MNC + MSIN = NMSI (National Mobile Subscriber Identity)
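As an added example (my own code, not the guide's), here is a small Python parser that splits an ICC-ID along the field layout shown above, verifies its Luhn check digit, and splits an IMSI into MCC, MNC and MSIN to derive the NMSI. The fixed 2-2-2-3-9-1 field widths and the 2-digit MNC default are assumptions taken from the guide's example rather than from the standards.

```python
def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for a digit string that does not yet carry one."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # the digit left of the check digit is doubled first
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10

def luhn_valid(number: str) -> bool:
    """True when the last digit equals the Luhn check digit of the rest."""
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == int(number[-1]))

# Field widths follow the guide's 19-digit example (2-2-2-3-9-1). Real ICC-IDs
# use a variable-length country code, so this fixed layout is an assumption.
ICCID_FIELDS = (("mii", 2),      # 89 = telecommunications per ITU-T E.118
                ("country", 2), ("mnc", 2), ("vendor", 3),
                ("serial", 9), ("check", 1))

def parse_iccid(iccid: str) -> dict:
    """Split a dash- or space-separated ICC-ID into fields and Luhn-check it."""
    digits = iccid.replace("-", "").replace(" ", "")
    expected = sum(w for _, w in ICCID_FIELDS)
    if not digits.isdigit() or len(digits) != expected:
        raise ValueError(f"expected {expected} digits, got {digits!r}")
    fields, pos = {}, 0
    for name, width in ICCID_FIELDS:
        fields[name] = digits[pos:pos + width]
        pos += width
    fields["luhn_ok"] = luhn_valid(digits)
    return fields

def parse_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """Split a 15-digit IMSI into MCC + MNC + MSIN and derive the NMSI.

    The MNC is 2 or 3 digits depending on the MCC; 2 is assumed by default.
    """
    if not imsi.isdigit() or len(imsi) != 15 or mnc_len not in (2, 3):
        raise ValueError("IMSI must be 15 digits with a 2- or 3-digit MNC")
    mcc, mnc, msin = imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]
    return {"mcc": mcc, "mnc": mnc, "msin": msin, "nmsi": mnc + msin}

if __name__ == "__main__":
    # Constructed samples: the guide's ICC-ID and a test-network IMSI (MCC 001)
    print(parse_iccid("89-91-15-100-000000011-8"))
    print(parse_imsi("001010123456789"))
```

Run on the sample ICC-ID above, the Luhn check fails (the check digit computed for the first 18 digits is 6, not 8), so treat that sample as a layout illustration rather than a real card number.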

SIM Keys

GSM Hacking

GSM Mobile Station

Capture BTS Broadcast Unencrypted Data

Decrypt SMS Data

Decrypt Voice Channel

GSM A5/1 Decryption

git clone git://git.srlabs.de/kraken

https://opensource.srlabs.de/projects/a51-decrypt

GSM IMSI Catchers