
This second article is devoted to working with GSM traffic in Wireshark. I recommend getting acquainted with the first one if you want more opportunities for practice.
We will use an OsmocomBB-compatible phone capable of receiving a signal on the GSM frequencies (for Russia these are 900 MHz and 1800 MHz) and a computer with the Wireshark sniffer installed.
Articles in the cycle:
- We start GSM network at home
- Analysis of GSM network traffic in Wireshark
- Add GPRS to your home GSM network
- Practical examples of attacks inside the GSM network

GSMTAP
Recent versions of Wireshark display the GSM protocols correctly without any additional dissectors.
The only thing that has to be changed is one preference of the LAPD protocol: enable "Use GSM SAPI values", so that the SAPI of each LAPDm frame (SAPI 0 for signalling, SAPI 3 for SMS) is decoded with its GSM meaning.

When tracing the Um interface, the GSM protocol messages are encapsulated in UDP packets with a GSMTAP header (UDP port 4729 by default); when tracing the A-bis interface, they are carried in TCP packets with OML and RSL headers.

Launch Wireshark listening on the loopback interface, with a capture filter for UDP and a display filter that shows only GSM Um traffic:
wireshark -k -f udp -Y gsmtap -i lo
Applications capable of generating GSMTAP traffic for Wireshark typically work as follows:
- receive a Um frame over the radio interface;
- prepend a GSMTAP header to it;
- send the result in UDP packets to the specified IP address (in our case, loopback).
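The three steps above, written out as an added example (this is not code from the article or from the OsmocomBB project): a GSMTAP v2 header is built around a Um frame exactly as mobile or cell_log would do, the datagram is sent to 127.0.0.1:4729 where the Wireshark command above will pick it up, and a parser decodes the header back so you can see which fields the gsmtap dissector reads. The header layout and constants follow the GSMTAP v2 definition from libosmocore's gsmtap.h; the sample frame is constructed and only its first three octets (L2 pseudo-length, RR protocol discriminator, SI3 message type) are meaningful.

```python
"""
Added example: build, send and parse GSMTAP v2 datagrams for Wireshark.
Not part of the original article or of the OsmocomBB code base.
Header layout follows GSMTAP v2 (gsmtap.h in libosmocore): 16 big-endian bytes
followed by the raw Um payload.
"""
import socket
import struct

GSMTAP_VERSION = 2
GSMTAP_HDR_LEN_WORDS = 4          # header length is given in 32-bit words: 16 bytes / 4
GSMTAP_UDP_PORT = 4729            # default port; Wireshark's gsmtap dissector is bound to it

# "type" field
GSMTAP_TYPE_UM = 0x01
GSMTAP_TYPE_ABIS = 0x02

# "sub_type" field for Um frames: the logical channel the frame was received on
GSMTAP_CHANNEL = {
    "UNKNOWN": 0x00, "BCCH": 0x01, "CCCH": 0x02, "RACH": 0x03, "AGCH": 0x04,
    "PCH": 0x05, "SDCCH": 0x06, "SDCCH4": 0x07, "SDCCH8": 0x08,
    "TCH_F": 0x09, "TCH_H": 0x0a,
}
GSMTAP_CHANNEL_ACCH = 0x80        # OR-ed into sub_type for the associated control channel
GSMTAP_ARFCN_F_PCS = 0x8000
GSMTAP_ARFCN_F_UPLINK = 0x4000
GSMTAP_ARFCN_MASK = 0x3fff

# version, hdr_len, type, timeslot, arfcn, signal_dbm, snr_db, frame_number,
# sub_type, antenna_nr, sub_slot, res
_HDR = struct.Struct("!BBBBHbbIBBBB")


def build_gsmtap(payload, arfcn, timeslot, frame_number, channel,
                 uplink=False, signal_dbm=0, snr_db=0, sub_slot=0, acch=False):
    """Prefix a Um L2/L3 frame with a GSMTAP v2 header and return the datagram."""
    arfcn_field = arfcn & GSMTAP_ARFCN_MASK
    if uplink:
        arfcn_field |= GSMTAP_ARFCN_F_UPLINK
    sub_type = GSMTAP_CHANNEL[channel] | (GSMTAP_CHANNEL_ACCH if acch else 0)
    hdr = _HDR.pack(GSMTAP_VERSION, GSMTAP_HDR_LEN_WORDS, GSMTAP_TYPE_UM, timeslot,
                    arfcn_field, signal_dbm, snr_db, frame_number,
                    sub_type, 0, sub_slot, 0)
    return hdr + bytes(payload)


def parse_gsmtap(datagram):
    """Split a GSMTAP datagram into (header dict, raw Um payload).

    Raises ValueError for anything that is not a GSMTAP v2 datagram, so a
    listener on port 4729 does not mis-decode unrelated traffic.
    """
    if len(datagram) < _HDR.size:
        raise ValueError("datagram shorter than GSMTAP header")
    (version, hdr_len, gtype, timeslot, arfcn_field, signal_dbm, snr_db,
     frame_number, sub_type, _antenna_nr, sub_slot, _res) = _HDR.unpack_from(datagram)
    if version != GSMTAP_VERSION:
        raise ValueError("unsupported GSMTAP version %d" % version)
    hdr_bytes = hdr_len * 4
    if hdr_bytes < _HDR.size or hdr_bytes > len(datagram):
        raise ValueError("bad GSMTAP hdr_len %d" % hdr_len)
    channel_names = {v: k for k, v in GSMTAP_CHANNEL.items()}
    header = {
        "type": gtype,
        "timeslot": timeslot,
        "arfcn": arfcn_field & GSMTAP_ARFCN_MASK,
        "uplink": bool(arfcn_field & GSMTAP_ARFCN_F_UPLINK),
        "pcs": bool(arfcn_field & GSMTAP_ARFCN_F_PCS),
        "signal_dbm": signal_dbm,
        "snr_db": snr_db,
        "frame_number": frame_number,
        "channel": channel_names.get(sub_type & ~GSMTAP_CHANNEL_ACCH, "UNKNOWN"),
        "acch": bool(sub_type & GSMTAP_CHANNEL_ACCH),
        "sub_slot": sub_slot,
    }
    return header, datagram[hdr_bytes:]


def send_to_wireshark(datagram, host="127.0.0.1", port=GSMTAP_UDP_PORT):
    """Send one GSMTAP datagram to the host where Wireshark listens (loopback here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(datagram, (host, port))


# Constructed sample frame: 23 octets shaped like a BCCH System Information Type 3
# (L2 pseudo-length 0x49, RR protocol discriminator 0x06, message type 0x1b),
# padded with the GSM fill octet 0x2b. It is not a real SI3; it only has the right size.
SAMPLE_SI3 = bytes([0x49, 0x06, 0x1b]) + bytes([0x2b] * 20)

if __name__ == "__main__":
    dgram = build_gsmtap(SAMPLE_SI3, arfcn=1000, timeslot=0, frame_number=123456,
                         channel="BCCH", signal_dbm=-70, snr_db=12)
    header, payload = parse_gsmtap(dgram)
    print(header, payload.hex())
    send_to_wireshark(dgram)   # appears in Wireshark under the display filter "gsmtap"
```

Run it while the Wireshark command above is capturing on lo and the datagram shows up as a GSMTAP frame with the BCCH sub-type and ARFCN 1000; Wireshark then hands the payload to its RR dissector, which is why every filter beginning with gsm matches inside a gsmtap packet.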
Besides gsmtap, you can use the other display filters beginning with gsm, for example gsm_sms to find SMS messages in the capture. Filtering on gsmtap alone, however, shows all of the GSM Um traffic, since every other protocol layer is carried inside the GSMTAP encapsulation.

Traffic capture
To study GSM traffic you first have to capture it somehow. With an SDR device as a receiver you can only study the data transmitted on the unencrypted common control channels (CCCH), unless you know the session encryption key Kc.
With OsmocomBB, however (a phone with a SIM card and the mobile application), you know your own Kc and can view all of your traffic on the Um interface (the radio interface) in the clear in Wireshark, and learn how a real cellular network works.
If you have launched your own GSM network on the basis of two OsmocomBB-compatible phones, as described in the previous article, you can send GSMTAP packets from OsmoBTS to Wireshark and study the operation of the network that way.
If you want to practice capturing your own traffic with SDR hardware, I recommend looking at the gr-gsm utility package.
The most affordable option is to buy an RTL-SDR receiver.

I do not recommend buying cheap Chinese receivers like this one for 700 rubles.
Mine worked unstably and stopped completely after a week. On the RTL-SDR forums people reported similar problems, so this is not an isolated case.
The fact is that both the rtl2832u and the r820t2 chips commonly used in RTL-SDR-compatible devices get very hot during operation, and cheap receivers provide no cooling at all. Secondly, there is no protection against static electricity, so careless handling can easily burn the receiver out. There are other problems as well.
Therefore I recommend buying the official RTL-SDR receiver of the latest revision in an aluminium case. It costs only 1500 rubles, and for that you get two antennas, passive cooling, static protection, stable operation, improved filtering and much more. As the saying goes, "the miser pays twice."
Traffic analysis
I will not cover working with gr-gsm and RTL-SDR here, so let us go straight to Osmocom.
You can work with any commercial GSM network using the open-source implementation of the GSM protocol stack from Osmocom. In other words, you can connect a phone based on the Calypso chipset to a computer, start an application from the OsmocomBB package and make calls, send SMS and do everything an ordinary 2G phone can do, plus get access to all technical information about the current communication session.
The application we need for this is called mobile and is located in src/host/layer23/src/mobile
I hope everyone has already compiled OsmocomBB on their computers. The process is described in my previous article and in this cycle.
Mobile is an application that runs on the computer side, but you must also load the layer1 firmware into the phone. In the basic setup you need to:
- connect the phone to the computer via a USB-TTL converter;
- check that the device /dev/ttyUSBx has appeared, then load the layer1 firmware into the phone with osmocon;
- launch mobile and specify the interface for sending GSMTAP, so that we can listen on this interface in Wireshark.
I already wrote about how to load the firmware into the phone in the previous article. To start mobile, go to the application directory and run the following command:
./mobile -i 127.0.0.1
On the first start you may see a message about a missing configuration file. Create an empty one in the directory named in the error message (for me it is /root/.osmocom/bb).
If everything was done correctly, you will see the log output of mobile in the console.

Now you can connect to the VTY of mobile and control the phone:
telnet localhost 4247
You will be taken to an intuitive Cisco-like VTY interface. Use the help command, TAB for auto-completion, or ? to list the commands available at the current position.

The commands show ms, show subscriber, show ba and show cell give information about the current connection. Use enable to enter privileged mode and write to save the configuration to file.
Wireshark is already running, and you can see GSMTAP packets in the packet list. While the phone is idle and nobody is sending us an SMS or calling, the output consists of the unencrypted traffic of the control channels.

You can send an SMS from your own number to the mobile phone, or send an SMS to yourself via the VTY interface. Then, filtering the Wireshark capture with gsm_sms, you will see the message.

There are other utilities that capture various kinds of GSM traffic; you can find them in src/host/layer23/src/misc
In particular, cell_log determines which base stations are around you and can also send GSMTAP packets to Wireshark.
ccch_scan lets you listen to messages on the CCCH channels, including SMS if you use the modified OsmocomBB branch sylvain/burst_ind, which allows you to set the encryption key Kc.
In that case, however, you will also have to reflash your USB-TTL converter so that it works at non-standard baud rates.
As for capturing voice calls, things get more complicated: a real operator may use frequency hopping, which "smears" the bursts across different frequencies, so you either have to follow the phone's frequency changes or record all traffic on all possible TCH frequencies of the cell, which your receiver may be physically unable to do.
If you are researching your own network you do not need frequency hopping; however, Osmocom does not provide tools for sniffing voice calls with OsmocomBB-compatible phones.
The grgsm_decode utility from the gr-gsm package, on the other hand, is capable of decoding speech when the traffic has been captured with an SDR receiver using grgsm_capture.
A-bis traffic analysis
A-bis is the signalling interface between the BTS and the BSC. We have no access to such traffic on commercial networks, but you can study it on the example of your own GSM network.
To view the RSL messages, start listening on the loopback interface (note that TCP is used here, not UDP) and you will see messages like these; for RSL, you can use the gsm_abis_rsl filter.

For OML, you can use the gsm_abis_oml filter, or filter by TCP port: 3002 carries OML and 3003 carries RSL.

Note that on A-bis the SMS messages are embedded in RSL packets (in the L3 Information of the RLL DATA REQ/IND messages), and not in GSMTAP as is the case for transmission over the Um interface.
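To show where exactly an SMS sits in such a trace, here is an added example (not code from the article or from the Osmocom projects) that does by hand what the gsm_abis_rsl dissector does: it splits the TCP byte stream of an A-bis/IP connection into IPA frames, tells OML from RSL by the IPA stream identifier, and for RSL RLL DATA REQ/IND messages extracts the Link Identifier (whose SAPI 3 marks SMS, the same value the "Use GSM SAPI values" LAPD setting decodes on Um) and the L3 message carried in the L3 Information IE. Constants follow the IPA multiplex used by Osmocom and GSM 08.58; the byte stream is constructed, and the L3 body inside it is a truncated, made-up CP-DATA whose only realistic part is the SMS protocol discriminator 0x09.

```python
"""
Added example: demultiplex A-bis/IP (IPA) frames and find SMS inside RSL RLL DATA.
Not part of the original article or of the Osmocom code base.
"""
import struct

# IPA multiplex header: 2-byte big-endian payload length, 1-byte stream id
IPA_PROTO_RSL = 0x00
IPA_PROTO_CCM = 0xfe      # ipaccess CCM (PING/PONG, ID_GET ...), keep-alives on the same TCP link
IPA_PROTO_OML = 0xff

# RSL message discriminator (GSM 08.58 9.1); bit 0 is the "transparent" flag
RSL_MDISC_RLL = 0x02
RSL_MDISC_TRANSP = 0x01
# RLL message types that transport L3 between BTS and BSC
RSL_MT_DATA_REQ = 0x01    # BSC -> BTS (downlink to the MS)
RSL_MT_DATA_IND = 0x02    # BTS -> BSC (uplink from the MS)
# RSL information element tags used here
RSL_IE_CHAN_NR = 0x01
RSL_IE_LINK_IDENT = 0x02
RSL_IE_L3_INFO = 0x0b

# GSM 04.07 protocol discriminator (low nibble of the first L3 octet)
L3_PD_NAMES = {0x03: "CC", 0x05: "MM", 0x06: "RR", 0x09: "SMS"}


def split_ipa(stream):
    """Return ([(proto, payload), ...], leftover) for the complete IPA frames in a byte stream."""
    frames = []
    off = 0
    while len(stream) - off >= 3:
        length, proto = struct.unpack_from("!HB", stream, off)
        if len(stream) - off - 3 < length:
            break                         # partial frame: wait for more TCP data
        frames.append((proto, stream[off + 3: off + 3 + length]))
        off += 3 + length
    return frames, stream[off:]


def parse_rsl_rll_data(payload):
    """Decode an RSL RLL DATA REQ/IND; return None for every other RSL message."""
    if len(payload) < 2:
        return None
    mdisc, mtype = payload[0], payload[1]
    if (mdisc & ~RSL_MDISC_TRANSP) != RSL_MDISC_RLL or mtype not in (RSL_MT_DATA_REQ, RSL_MT_DATA_IND):
        return None
    # RLL header: Channel Number (TV) and Link Identifier (TV) are mandatory and fixed-position
    if len(payload) < 6 or payload[2] != RSL_IE_CHAN_NR or payload[4] != RSL_IE_LINK_IDENT:
        raise ValueError("malformed RLL header")
    chan_nr, link_id = payload[3], payload[5]
    result = {
        "direction": "BSC->BTS" if mtype == RSL_MT_DATA_REQ else "BTS->BSC",
        "timeslot": chan_nr & 0x07,
        "sapi": link_id & 0x07,           # SAPI 0 = signalling, SAPI 3 = SMS
        "l3": None,
        "l3_pd": None,
    }
    # Optional IEs follow; L3 Information is a TLV with a 16-bit length field
    off = 6
    while off < len(payload):
        tag = payload[off]
        if tag != RSL_IE_L3_INFO:
            break                         # an IE this parser does not know: stop rather than guess its length
        if off + 3 > len(payload):
            raise ValueError("truncated L3 Information IE")
        l3len = struct.unpack_from("!H", payload, off + 1)[0]
        l3 = payload[off + 3: off + 3 + l3len]
        if len(l3) != l3len:
            raise ValueError("L3 Information shorter than its length field")
        result["l3"] = l3
        result["l3_pd"] = L3_PD_NAMES.get(l3[0] & 0x0f, "other") if l3 else None
        off += 3 + l3len
    return result


def find_sms_on_abis(stream):
    """Return the decoded RLL DATA messages in a byte stream whose L3 payload is SMS (PD 0x09)."""
    frames, _leftover = split_ipa(stream)
    return [info for proto, payload in frames if proto == IPA_PROTO_RSL
            for info in [parse_rsl_rll_data(payload)] if info and info["l3_pd"] == "SMS"]


# Constructed sample of what the BTS->BSC TCP stream on port 3003 (RSL) can look like.
SAMPLE_STREAM = (
    bytes([0x00, 0x01, IPA_PROTO_CCM, 0x00])                      # IPA CCM PING
    + bytes([0x00, 0x04, IPA_PROTO_OML, 0x80, 0x80, 0x00, 0x00])  # OML frame, constructed header only
    + bytes([0x00, 0x0f, IPA_PROTO_RSL])                          # RSL frame, 15 bytes
    + bytes([0x03, 0x02,            # RLL | transparent, DATA INDICATION
             0x01, 0x20,            # Channel Number: SDCCH/4 subslot 0 on timeslot 0
             0x02, 0x03,            # Link Identifier: SAPI 3 (SMS)
             0x0b, 0x00, 0x06])     # L3 Information, length 6
    + bytes([0x09, 0x01, 0x03, 0x00, 0x01, 0x00])                 # constructed, truncated CP-DATA (PD = SMS)
    + bytes([0x00, 0x20, 0x00, 0x03])                             # start of a further frame, cut off
)

if __name__ == "__main__":
    for hit in find_sms_on_abis(SAMPLE_STREAM):
        print(hit["direction"], "TS", hit["timeslot"], "SAPI", hit["sapi"], "L3", hit["l3"].hex())
```

The same frames are what the gsm_abis_rsl filter shows as "DATA INDication" rows; expanding the L3 Information IE in Wireshark gives the CP-DATA/RP-DATA decoding that the gsm_sms filter matches, while the OML and IPA CCM frames on the same link never carry any L3.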

That's all.
Next time I will talk about adding GPRS support to your home network.
UPD: I remind you that I will talk about and demonstrate on a live stand practical examples of creating a base station and analysing mobile traffic at the Pentestit Security Conference, in my talk "Implementation of the GSM protocol stack".