GSM hacking guide for professional pentesters and hobbyists. As we know, GSM is an ancient technology and nowadays it is totally insecure; many countries are removing GSM infrastructure and reusing the frequencies for 5G and other transmission technologies.
Here I will explain the different network devices and the public attacks against each device.

First I will describe the hardware with a few technical details; then it is necessary to understand how the spectrum works and which frequencies our country uses for GSM.
Once we know which ARFCN we want to monitor, we will capture live data on that specific channel and save it into a cfile.
To calculate the downlink (downstream) frequency for your ARFCN you can use this calculator: https://www.cellmapper.net/arfcn
This cfile will allow us to decode the other layers of traffic data dedicated to other protocols, and at the end I will explain how to crack A5/1 encryption using rainbow tables.
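The two calculations behind the steps above, as an added example that is not part of the original article: mapping an ARFCN to its uplink and downlink carrier with the public GSM channel-number formulas from 3GPP TS 45.005 (the same arithmetic the cellmapper calculator performs), and reading back the cfile that a capture produces (GNU Radio's raw format: interleaved little-endian float32 I/Q pairs) to check that the recording is intact and tuned where you expect. The band labels, the function names and the synthetic 50 kHz test tone are this example's own assumptions.

```python
"""Added example (not from the original article): ARFCN <-> frequency mapping
and a small cfile reader for checking a capture.  Frequencies are kept as
integer kHz so no floating-point rounding creeps into the channel arithmetic."""
import cmath
import math
import struct

CHANNEL_SPACING_KHZ = 200  # GSM carriers are 200 kHz apart

# band -> ARFCN ranges as (low, high, uplink kHz when arfcn == offset, offset)
# plus the uplink/downlink duplex spacing in kHz (3GPP TS 45.005, section 2).
BANDS = {
    "GSM900":  {"ranges": [(1, 124, 890_000, 0)], "duplex": 45_000},           # Fu = 890 + 0.2*n
    "EGSM900": {"ranges": [(0, 124, 890_000, 0),                               # Fu = 890 + 0.2*n
                           (975, 1023, 890_000, 1024)], "duplex": 45_000},     # Fu = 890 + 0.2*(n-1024)
    "GSMR":    {"ranges": [(955, 1023, 890_000, 1024)], "duplex": 45_000},
    "GSM850":  {"ranges": [(128, 251, 824_200, 128)], "duplex": 45_000},       # Fu = 824.2 + 0.2*(n-128)
    "DCS1800": {"ranges": [(512, 885, 1_710_200, 512)], "duplex": 95_000},     # Fu = 1710.2 + 0.2*(n-512)
    "PCS1900": {"ranges": [(512, 810, 1_850_200, 512)], "duplex": 80_000},     # Fu = 1850.2 + 0.2*(n-512)
}


def arfcn_to_khz(arfcn, band):
    """Return (uplink_khz, downlink_khz) for an ARFCN in the given band."""
    spec = BANDS[band]
    for low, high, base, offset in spec["ranges"]:
        if low <= arfcn <= high:
            uplink = base + CHANNEL_SPACING_KHZ * (arfcn - offset)
            return uplink, uplink + spec["duplex"]
    raise ValueError(f"ARFCN {arfcn} is not defined in band {band}")


def candidate_bands(arfcn):
    """Bands that define this ARFCN.  More than one hit (e.g. 512-810 is both
    DCS1800 and PCS1900) means the number alone does not fix the frequency."""
    return [name for name, spec in BANDS.items()
            if any(low <= arfcn <= high for low, high, _, _ in spec["ranges"])]


def downlink_khz_to_arfcn(downlink_khz, band):
    """Inverse mapping: which ARFCN carries this downlink frequency in the band."""
    spec = BANDS[band]
    uplink = downlink_khz - spec["duplex"]
    for low, high, base, offset in spec["ranges"]:
        delta = uplink - base
        if delta % CHANNEL_SPACING_KHZ == 0:
            n = delta // CHANNEL_SPACING_KHZ + offset
            if low <= n <= high:
                return n
    raise ValueError(f"{downlink_khz} kHz is not a {band} downlink carrier")


def read_cfile_bytes(data):
    """Parse cfile content (interleaved little-endian float32 I,Q) into complex samples.
    A length that is not a multiple of 8 means the capture was cut mid-sample."""
    if len(data) % 8:
        raise ValueError("cfile length is not a multiple of 8 bytes (truncated capture?)")
    count = len(data) // 8
    floats = struct.unpack(f"<{2 * count}f", data)
    return [complex(floats[2 * i], floats[2 * i + 1]) for i in range(count)]


def write_cfile_bytes(samples):
    """Serialise complex samples in the same cfile layout (used here to build test input)."""
    return struct.pack(f"<{2 * len(samples)}f",
                       *[v for s in samples for v in (s.real, s.imag)])


def estimate_tone_offset_hz(samples, sample_rate_hz):
    """Mean instantaneous frequency of a capture: the average phase advance between
    consecutive samples, scaled to Hz.  Only valid for offsets below sample_rate/2;
    beyond that the per-sample phase step wraps and the estimate aliases."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    total = sum(cmath.phase(b * a.conjugate()) for a, b in zip(samples, samples[1:]))
    return total / (len(samples) - 1) * sample_rate_hz / (2 * math.pi)


def synth_tone(offset_hz, sample_rate_hz, count):
    """Constructed stand-in for a capture: a clean complex tone at offset_hz."""
    return [cmath.exp(2j * math.pi * offset_hz * i / sample_rate_hz) for i in range(count)]


if __name__ == "__main__":
    for n in (50, 975, 700):
        for band in candidate_bands(n):
            up, down = arfcn_to_khz(n, band)
            print(f"ARFCN {n:4d} {band:8s} uplink {up / 1000:.1f} MHz  downlink {down / 1000:.1f} MHz")
    # Round-trip a constructed 50 kHz tone through the cfile format (1 MS/s, 1000 samples).
    capture = write_cfile_bytes(synth_tone(50_000, 1_000_000, 1000))
    print(f"tone offset ~ {estimate_tone_offset_hz(read_cfile_bytes(capture), 1_000_000):.0f} Hz")
```

Note the ambiguity handling: an ARFCN between 512 and 810 is valid in both DCS 1800 and PCS 1900, and 975 to 1023 belongs to both E-GSM and GSM-R, so `candidate_bands` is there to make you pick the band your country actually uses before tuning. The tone estimator is deliberately simple (no FFT); on a real capture it tells you roughly how far off centre the strongest signal sits, which is enough to catch a wrong ARFCN or a mis-set sample rate.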
Hardware
In this tutorial we only use an RTL-SDR device, which is enough to do passive recon around you and understand the basic concepts of the technology and how the PLMN (Public Land Mobile Network)
| Device | Price | Store |
|---|---|---|
| RPI3 1 GB RAM | | |
| SD-CARD 64 GB | | |
| USB RTL SDR | | |
| Power Bank | | |
RTL-SDR Limitations
Here I will explain the most common public attacks against GSM networks using cheap hardware like an RTL-SDR. Keep in mind that this type of hardware can only receive (RX) data.
- We only receive downlink (downstream) traffic (RX)
- To capture both uplink and downlink we need two dongles
Note that these limitations are tied to the hardware used in this tutorial; with more expensive hardware and other techniques, other attacks become possible. I will write about them in other articles.
SIM Card Attacks
Mobile Station
Rogue BTS
If you want to learn how to set up a rogue BTS, read my other article in the GSM Hacking Series.
GSM IMSI Catchers
Capture BTS Broadcast Unencrypted Data
Decrypt SMS Data
Decrypt Voice Channel
GSM A5/1 Decryption
git clone git://git.srlabs.de/kraken