This article (GSM Penetration Testing Fundamentals) gives an overview of the technology, the terminology, and the security mechanisms built into GSM. I hope it will let you get started with GSM hacking without getting bogged down in too much technical detail.
Before starting any hacking tutorial, you need to understand the technology.
As we know, GSM is an ancient technology and is nowadays totally insecure; many countries are removing their GSM infrastructure and reusing the frequencies for 5G and other transmission technologies.
Here I will explain the different network devices on a GSM network and public attacks against each device.
First I will describe the hardware with a few technical details; then it is necessary to understand how the spectrum works and which frequencies our country uses for GSM.
A GSM network has many connected devices. Some of them are on the client side, others are outdoors or inside data centers, but they all have one thing in common: they all have IDs that identify them.
On the client side we have Mobile Stations (cellphones), SIM cards, and USB modems. Each one of them has its own security vulnerabilities and entry points to be explored; here I will try to cover all of them.
SIM Card Attacks
SIM cards were developed around three decades ago. Each version brought many functional improvements, but some vulnerabilities were kept because they aren't technology related.
In this tutorial we only use an RTL-SDR device, which is enough to do passive recon around you and to understand the basic concepts of the technology and how the PLMN (Public Land Mobile Network) works.
Passively sniffing GSM is not legal in most countries; check your local law and your authorization.
NEVER actively sniff.
- RPi 3 (1 GB RAM)
- SD card (64 GB)
- USB RTL-SDR
Here I will explain the most common public attacks against GSM networks using cheap hardware such as an RTL-SDR. Keep in mind that this kind of hardware can only receive (RX) data:
- We only receive downstream traffic (RX)
- To capture both upstream and downstream we need two dongles
Note that these limitations come from the hardware used in this tutorial; with more expensive hardware and other techniques, further attacks become possible. I will write about them in other articles.
If you want to learn how to install a Rogue BTS read my other article from the GSM Hacking Series.
Passive Sniff GSM
Once we know which ARFCN we want to monitor, we capture live data on that channel and save it to a cfile for further analysis.
To calculate the downlink frequency from your ARFCN you can use this calculator:
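As an added example (not code from the original article), the following Python script does the same ARFCN-to-frequency calculation offline for the GSM bands, using the public channel numbering from 3GPP TS 45.005. It also answers the two questions raised above about which frequencies your country uses: which band(s) a given ARFCN can belong to (ARFCNs 512 to 810 are shared by DCS 1800 and PCS 1900, so the band must be known), and the reverse lookup from a downlink frequency seen on the SDR back to an ARFCN. The band names used as dictionary keys are my own labels, not identifiers from the article.

```python
"""ARFCN <-> carrier frequency helper for the GSM bands (3GPP TS 45.005).

Added example for this article, not code from the original post.
Each band entry is (first_arfcn, last_arfcn, base_arfcn, base_uplink_khz, duplex_khz):
    uplink   = base_uplink + 200 kHz * (arfcn - base_arfcn)
    downlink = uplink + duplex spacing
Frequencies are computed in integer kHz and only converted to MHz on output,
so 0.2 MHz channel steps never accumulate floating-point error.
"""

BANDS = {
    "GSM850":  [(128, 251, 128, 824_200, 45_000)],
    "PGSM900": [(1, 124, 0, 890_000, 45_000)],
    "EGSM900": [(0, 124, 0, 890_000, 45_000),
                # The extended part numbers 975..1023 sit *below* ARFCN 0,
                # hence the base ARFCN of 1024 (975 -> 890.0 - 9.8 = 880.2 MHz).
                (975, 1023, 1024, 890_000, 45_000)],
    "DCS1800": [(512, 885, 512, 1_710_200, 95_000)],
    "PCS1900": [(512, 810, 512, 1_850_200, 80_000)],
}


def arfcn_to_freq(arfcn: int, band: str) -> tuple[float, float]:
    """Return (uplink_mhz, downlink_mhz) for an ARFCN in the named band."""
    for lo, hi, base_arfcn, base_up, duplex in BANDS[band]:
        if lo <= arfcn <= hi:
            up_khz = base_up + 200 * (arfcn - base_arfcn)
            return up_khz / 1000, (up_khz + duplex) / 1000
    raise ValueError(f"ARFCN {arfcn} is not valid in {band}")


def bands_for_arfcn(arfcn: int) -> list[str]:
    """All bands in which this ARFCN number is defined (may be more than one)."""
    return [name for name, ranges in BANDS.items()
            if any(lo <= arfcn <= hi for lo, hi, *_ in ranges)]


def freq_to_arfcn(downlink_mhz: float, band: str) -> int:
    """Reverse lookup: the ARFCN whose downlink carrier is at downlink_mhz."""
    down_khz = round(downlink_mhz * 1000)
    for lo, hi, base_arfcn, base_up, duplex in BANDS[band]:
        offset = (down_khz - duplex) - base_up
        if offset % 200 == 0:
            n = base_arfcn + offset // 200
            if lo <= n <= hi:
                return n
    raise ValueError(f"{downlink_mhz} MHz is not a {band} downlink carrier")


if __name__ == "__main__":
    for arfcn in (0, 1, 124, 512, 975, 1023):
        for band in bands_for_arfcn(arfcn):
            up, down = arfcn_to_freq(arfcn, band)
            print(f"ARFCN {arfcn:4d} {band:8s} uplink {up:8.1f} MHz  downlink {down:8.1f} MHz")
```

When you tune the RTL-SDR to a downlink carrier, pass the frequency and the band your country uses to `freq_to_arfcn`; passing the wrong band for an ARFCN in the shared 512 to 810 range silently gives a frequency roughly 125 MHz off, which is why the band is a required argument rather than guessed.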
This cfile will let us decode the other layers of traffic data belonging to other protocols, and at the end I will explain how to crack A5/1 encryption using rainbow tables (… and how to download them! 😀)
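The "cfile" named above is the raw capture format written by a GNU Radio file sink: a headerless stream of complex samples, each stored as two little-endian IEEE-754 float32 values (I, then Q), with no record of the sample rate or centre frequency. The following reader and writer are an added example (not code from the article or from GNU Radio) that shows the layout and handles the one failure mode you meet in practice, a capture truncated mid-sample when the recorder was killed. The test signal is a constructed complex tone; the helper names are my own.

```python
"""Minimal reader/writer for the GNU Radio 'cfile' I/Q capture format.

Added example for this article, not code from the original post.
Layout assumed: consecutive complex samples, each as float32 I followed by
float32 Q, little-endian, no header. Sample rate and centre frequency must
be tracked separately (e.g. in the file name), the file does not carry them.
"""
import math
import struct

BYTES_PER_SAMPLE = 8  # two float32 values


def samples_to_cfile(samples) -> bytes:
    """Serialise complex samples to cfile bytes."""
    return b"".join(struct.pack("<ff", s.real, s.imag) for s in samples)


def cfile_to_samples(data: bytes, strict: bool = False) -> list[complex]:
    """Parse cfile bytes into complex samples.

    A capture stopped mid-sample leaves a tail of 1..7 bytes; by default the
    partial sample is dropped, with strict=True it is reported as an error.
    """
    tail = len(data) % BYTES_PER_SAMPLE
    if tail and strict:
        raise ValueError(f"{tail} trailing bytes do not form a whole sample")
    whole = len(data) - tail
    return [complex(i, q) for i, q in struct.iter_unpack("<ff", data[:whole])]


def mean_power_dbfs(samples) -> float:
    """Average power relative to full scale (|s| = 1.0), a quick sanity check
    that a capture actually contains signal and is not clipped or silent."""
    if not samples:
        raise ValueError("no samples")
    power = sum(abs(s) ** 2 for s in samples) / len(samples)
    return 10 * math.log10(power) if power > 0 else -math.inf


def make_tone(n: int, freq_hz: float, sample_rate: float, amplitude: float = 0.5):
    """Constructed test input: a complex tone, the shape of a narrow carrier
    after tuning. Not captured data."""
    step = 2 * math.pi * freq_hz / sample_rate
    return [amplitude * complex(math.cos(step * k), math.sin(step * k)) for k in range(n)]


if __name__ == "__main__":
    tone = make_tone(1000, 1000.0, 1_000_000.0)
    blob = samples_to_cfile(tone)
    back = cfile_to_samples(blob)
    print(len(blob), "bytes,", len(back), "samples,", f"{mean_power_dbfs(back):.2f} dBFS")
```

To read a real capture, open the file in binary mode and pass its contents to `cfile_to_samples`; a 2 MS/s capture grows by 16 MB per second, so for long recordings read and parse it in chunks that are multiples of 8 bytes rather than all at once.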
GSM IMSI Catchers
Decrypt SMS Data
Decrypt Voice Channel
GSM A5/1 Decryption
git clone git://git.srlabs.de/kraken