Part 1
Talk about wiretapping continues. Indeed, Big Brother is watching everything. But besides the big brother, there are also attackers who also want to listen to your conversations and read your SMS. What do they have in their arsenal? What is true and what is fiction? Let's take a look at modern methods and capabilities based on facts.
Traffic interception methods
1. Passive method
Wiretapping of a mobile phone by intercepting and decoding GSM traffic.
Devices for these purposes are freely sold on the Internet, although their cost starts from 50k of greenery. Roughly speaking, such a device is a laptop to which an antenna is connected ...
This device scans the cellular communication channels around. And it makes it possible to connect to one of the channels and intercept information. But there is a nuance - all information is intercepted in encrypted form. For decryption it is necessary to use "rainbow tables" and the Kraken tool.
This method of interception is difficult in its application even for an experienced specialist, since one cellular operator has at least 4-5 ARFCNs, respectively, you need to connect to each of these channels and search for information. They are stored in the database of the cellular operator. For addressing calls and SMS, IMSI is used - the internal identifier of the SIM card.
How to find a subscriber's IMSI?
To find this number, you need to perform an HLR request for the subscriber's number: HLR test sms
2. Active method
This method involves actively interfering with the operation of the existing GSM network. The main tool is a fake base station, which acts as a bridge between subscribers and the operator's legitimate base station.
To implement the method, you can use professional (start from $ 120,000), semi-professional (start from $ 5,000) or amateur (start from $ 420) equipment.
The difference between these solutions is in 3 things:
1. Brand (all the same, the orientation goes to the special services)
2. Auxiliary functionality (thermal protection, battery, “wake-on-t” mode, etc.)
3. The number of radio modules - probably the most important parameter that is not available in bladerf / hackrf and other amateur equipment is working simultaneously with several operators and at different frequencies.
Encryption, rainbow tables, Kraken, unicorns and intelligence agencies of the planet Nibiru
Many users confuse active and passive methods of interception of traffic and have created their own sect "Witnesses of the use of rainbow tables in the active method of interception"
Let's take a look at encryption issues and start with the types of encryption:
А5 / 0 - plain text, no encryption or disabled
А5 / 1 - streaming encryption is enabled;
А5 / 2 - modification А5 / 1 with deliberately lowered complexity
А5 / 3 - (Kasumi) from the creator of RSA appeared with the advent of the 3G network
A5 / 4 - Kasumi modification for LTE networks
How does hacking happen?
In contrast to the passive interception method, in the active method, the attacker controls the encryption himself. All A5 cipher models use a key that is stored both by the operator and the subscriber on his sim card, this key is unique for each subscriber and for its protection there is a special cryptochip for each SIM card and this cryptochip will do everything that the base station tells him. A fake BS appears to be a subscriber for a real BS, and a real BS appears as a subscriber, while for the subscriber device, encryption is lowered to the A5 / 2 level - which is decrypted online on the fly, and at this moment the trap RETRIEVES THE SECRET KEY OF THE SUBSCRIBER and then restores the connection on the encryption of the previous level. Thus, having received the subscriber's encryption key, the attacker does not need any Krakens or rainbow tables and he can decrypt everything online.
3. Interactive method
Full access to SMS, calls, and geolocation of any subscriber anywhere in the world
It can be called in different ways, but its essence boils down to gaining access to the mobile network and exploiting the vulnerability of the SS7 protocol (SS7). The access itself is ip + port + login + pass, but in this form it can only be used by those who have already had experience with it.
Where can I buy?
Many are trying to search in the TOP, looking for some kind of "hacker" sites, like TYTS, but except for the thrown, you can hardly stumble upon anyone. Instead, access can be obtained officially or semi-officially from telecom operators and individual structures engaged in GSM interception on completely legal grounds.
List of offices providing access to ss7
Often, access is offered only to government organizations, but when making a transaction (payment with bitcoin or bank escrow), the moments of verification come down to “we trust you”.
But there is one pitfall, in the process of buying access it is necessary to clearly agree on the territory of access, the fact is that access to a subscriber can be limited only by the territory of the country of which you are a representative, and when you try to access other countries, you are simply disconnected and then reported a link to the rules that you violated and no one will return the money back, but such prohibitions are also often implemented in the user web interface to which you get access after the purchase.
How much does it cost?
Forget moronic articles like "For $ 500 you can wiretap any phone in the world!" or “A schoolboy saved on lunches and listened to his teacher without registration and SMS” - all this nonsense was written by journalists whose goal is a sensation.
If you take the HYIP associated with the TOP project “interconnect0r” - then this HYIP has spread all over the world, although it will take 5 minutes to make a site like that in the Top.
I contacted many offices and I will say that the range of prices from $ 10,000 to $ 30,000 per month, nothing could be found cheaper, and the difference in price is due to the lack of territorial binding and additional features of the web interface.
4. IMSI trap
On many IMSI resources, fake base stations are called traps, but I would single out a separate term for this very useful device. An IMSI trap is a "device" for example based on RTL-SDR that sees all subscribers around it. It uses a passive interception method, making it nearly impossible to detect.
Independent use of this device is doubtful because Well, what can be removed from the list of 30-40 surrounding subscribers? Moreover, not just numbers are visible, but only IMSI / TMSI / Network name.
This device is extremely useful when using a fake base station and is useful as a means of protecting an intruder from interception!
Example # 1:
The attacker is waiting for the victim (for example, near the house) and wants to intercept the victim's calls using bladerf. He needs to turn on the fake BS and sit and wait, but at this moment he becomes vulnerable because it can be found. Therefore, the attacker first turns on the IMSI trap, which, when a target appears, will automatically turn on the BS fake, and since the IMSI trap uses a passive interception method, it is almost impossible to detect it. Thus, the attacker will only work when the target is near.
Example # 2
I got a lot of questions like "Can I make bladerf hit 1km?" and every time I had a scene from the movie “Sportloto 82” in my head:
- San Sanych, can you eat these berries?
- You can, only poison yourself
Likewise, the answer to this question is - you can, just slept. The fact is that when you turn on the fake, the BS sends out a beacon request (like - I'm here! Come to me! Connect!) And when this illegitimate request gets to a legitimate BS of a real cellular operator, the "alarm" is turned on and the cellular operator is immediately aware of that an unidentified BS appeared, respectively, the countdown went and the question of a couple of tens of minutes until the intruder is detected. In order to avoid this, before turning on the fake BS, check the distance to the nearest BS (by signal level) and correlate the power of the fake BS so as not to catch the eye of a legitimate BS, and for this it is most convenient to use the RTL-SDR functions as IMSI traps.
Equipment
1. Motorolla cXXX
Description: This equipment is based on an old Motorolla phone based on the Calypso chipset (MotorolaC115 / C117 / C123 / C121 / C118 / C140 / C139 / C155 / V171), etc. which, due to the leakage of the specification into the network, was finalized by the Osmocom project participants and the USB-TTL cable. Extremely unstable work, constant lags and freezes, a small radius of action is compensated by a very cheap price - everything will take about 20 bucks.
An excellent option for independent study, but it is worth considering that with a passive interception method, in order to receive traffic entering the phone, you will need to rewire two very small filters, so it is better to buy a ready-made kit and not fool yourself.
Features: IMSI Trap, Active interception method, Passive interception method, Creation of your own cellular network
Where to buy: Regular version on the radio market (Motorola C115 / C117 / C123 / C121 / C118 / C140 / C139 / C155 / V171)
You can solder the USB-TTL cable yourself or buy a ready-made one:
USB-TTL
The finished version soldered for work can be found on ebay or taobao.
eBay Osmocom
Software:
Osmocom, TyphonOS
Photo:
2. HackRF
Description: Legendary SDR from Great Scott Gadgdgets. Morally a little outdated, but nevertheless - it does its job. Suitable for those who just want to try, but have not yet decided on the seriousness of their intentions. Main disadvantage: weak signal.
Features: IMSI Trap, Active interception method, Passive interception method, Creation of your own cellular network
Where to buy: AliExpress (numerous replicas for every taste and color)
Software: OpenBTS 2g / 3g
Photo:
3. BladeRF
Description: A new generation of SDR devices. It has much more flexible settings, high power and full duplex communication. For a full-fledged BS imitation, it is recommended to use this device.
Features: IMSI Trap, Active interception method, Passive interception method, Creation of your own cellular network
Where to buy: on the Internet
Software: OpenBTS 2g / 3g
Photo:
4. Rtl-SDR
Description: A TV tuner that is also an SDR is very cheap and everyone who builds his own BS MUST have it. Its main purpose is to measure the distance to a real legitimate BS, and based on this distance, the user must choose the signal strength of his fake BS. It also makes excellent IMSI traps.
Features: IMSI Trap, Passive interception method
Where to buy: On Aliexpress
Software: IMSI-Catcher
Photo:
Ready-made assemblies of operating systems:
It will be difficult for many to make the assembly and support of all software components for working with the above equipment, so below you can download ready-made assemblies
GNU-Radio
Assembled with set weight of components to work with SDR. Supports RTL-SDR / BladeRf / HackRf
GNU-Radio LiveCD 14
GNU-Radio LiveCD 16
RTL-SDR / HackRF
Preinstalled software for building IMSI traps and working with HackRF
RTL-SDR / HackRF
BladeRF Pentoo
Build to work with BladeRf
BladeRF
Osmocom
TyphonOS
Terminology
2G Second generation of GSM standard
3G Third generation GSM standard
3GMS Third generation mobile communication system
3GPP Third Generation Partnership Project
AGCH Access Grant Notification Channel
AID Application ID
AMR Adaptive Multi-Speed
ANSI U.S. National Standards Institute
AoC Charge Notice
AoCC Billing Notice (Expenses)
AoCI Billing Notice (Info)
API Application Programming Interface
ARFCN Absolute radio channel frequency number
ARIB Association of Radio Industry and Business
ASE Application Service Element
ASN.1 Abstract Syntax Notation Version 1
AT-command Command "Attention"
AuC Authentication Center
BAIC Barring all incoming calls
BAOC Barring all outgoing calls
BCCH Broadcast Control Channel
BCH Broadcast channels
BIC-Roam Barring incoming calls when roaming outside the home country of your PLMN
BOIC Barring outgoing international calls
BOIC-exHC Barring outgoing international calls, except for calls to the home country of PLMN
BTS Base Station
BSC Base Station Controller
BSS Base Station System
BSSMAP Base Station Subsystem Control Application Protocol
CAI Charging Information
CAMEL Advanced Mobile Communication Logic for Custom Applications
CAP CAMEL Application Subsystem
CB Call barring
CBC Cell Broadcast Center
CBCH Cell Broadcast Channel
CBS Cell Broadcast Service
CC Call Control
CCBS Establishing a connection when the subscriber is busy
СССH Common control channel
CD reject calls
CDR Call Report
CF Call Forwarding
CFB Call Forward Busy
CFNRc Call forwarding when terminal is unavailable
CFNR Call Forward No Answer
CFU Call Forwarding Unconditional
CLI Caller Line ID
CLIP Caller Line Identification Presentation
CLIR Caller Line Identification Restriction
CM Configuration Management
CMIP Common Control Information Protocol
CMISE General Control Information Service Element
CN Core network
CNAP Caller Name Representation
COLP Connected Line Identification Representation
COLR Connected Line Identification Restriction
CORBA A technology for building distributed object applications proposed by the company
CS Channel Switching
CS-1 Smart Grid Capability Set
CSE CAMEL Service Environment
CUG Closed User Group
CW Call Waiting Alert
CWTS China Wireless Standardization Group
DCE Data Link Termination Equipment
DCCH Dedicated Control Channel
DTE Data Terminal Equipment
DTMF Multi-frequency signaling
DTX Intermittent transmission
ECT Explicit Call Transfer
EGPRS Enhanced GPRS
EIR Equipment Identification Register
EM Subsystem for controlling elements
eMLPP Enhanced Multi-Level Priority and Preemption Service
EN Conformity mark of the European Committee for Standardization
E-OTD Improved Observed Time Difference
EP Elementary Procedure
ETSI European Telecommunication Standardization Institute
FACCH Fast Access Control Channel
FCCH Frequency Correction Channel
FM Failure Management
GAD Geographical Area Description
GBS Shared Transfer Services
GDMO Guidelines for Defining Managed Objects
GERAN GSM EDGE radio access network
GGSN Gateway GPRS Support Node
GLR Gateway Location Register
GMLC Gateway Mobile Location Center
GMSC Gateway MSC
GPRS General Packet Data Service
gprsSSF GPRS service switching function
GPS Global Positioning System
GSM Global System for Mobile Communications
GSM-EFR Enhanced GSM Full Rate Voice Codec
gsmSCF GSM Service Control Function
gsmSRF GSM Specialized Resource Support Function
gsmSSF GSM Service Switching Function
GSN GPRS Support Node
GT Global Title
GTP GPRS Tunneling Protocol
HDLC Upper Layer Data Link Control
HE Own environment
HLR Home Location Register
HPLMN Proprietary public land mobile network
HSCSD High Speed Circuit Switched Data
IC Integrated Circuit
ID Identifier
IMEI International Mobile Equipment Identity
IM-GSN Intermediate GPRS Serving Node
IM-MSC Intermediate Mobile Switching Center
IMSI International Mobile Station Identifier
IN Intelligent network
INAP Intelligent Network Application Layer Protocol
IP Internet Protocol
IPLMN Inquiring PLMN
IrDA Infrared Data Association
IrMC Infrared mobile communication
IRP Integration Reference Point
IS Information Service
ISDN Integrated Services Digital Network
ISO International Organization for Standardization
ISUP ISDN User Subsystem
Itf-N Interface N
IWF Interoperability Function
LAN Local area network
LCS Location Service
LMSI Local Mobile Station Identifier
LMU Positioning unit
LR Location Request
MAP Mobile Application Subsystem
MC Multiple call
MCC Mobile Station Country Code
ME Mobile communication equipment
MExE Mobile Station Runtime
MIM Management Information Model
MIME Multipurpose Internet Email Extensions
MLC Mobile Station Location Center
MM Mobility Management
MMI Human Machine Interface
MMS Multimedia Messaging Service
MNC Mobile network code
MNP Mobile Station Number Interchangeability
MO From mobile station
MO-LR Request from a mobile station to determine a position
MPTY Versatile
MS Mobile Station
MSC Mobile Switching Center
MSISDN International ISDN mobile station number
MSP Multiple Subscriber Profile
MSRN Mobile station roaming number
MT Mobile Terminal
MT Movable terminal
NE Network element
NITZ Network ID and Time Zone
NM Network Management
NRM Network Resource Model
OACSU Establishing a connection without first seizing a radio resource
ODB Operator-set call barring
OMG Managed Object Group
OS Operating System
OSA Open Systems Architecture
OSI Open Systems Interconnection
PBX Corporate PBX
PCH Paging channel MS Paging channel MS
PCM Pulse Code Modulation
PDC-EFR ARIB PDC-EFR speech codec at 6.7 kbps
PDN Public data network
PDP Packet Data Protocol
PDU Protocol data unit
PI Performance Indicator
PIX Native Application Identifier Extension
PLMN Public Land Mobile Network
PP Point-to-Point
PS Packet Switching
PSE Personal Service Environment
PSTN Public Switched Telephone Network
RACH Network Access Request Channel
RANAP Radio Access Network Application Subsystem
RID Registered Application Provider ID
RLC / MAC Radio Link Control / Media Access Control
RLP Radio Link Protocol
RNC Radio Network Controller
RNS Radio Network System
RR Radio resource
SACCH Slow Access Control Channel
SAT SIM Application Toolkit
SC Service Center
SCCP Signaling Connection Control Subsystem
SCH Sync channel
SCR Initial Controlled Speed
SCS Service Capability Server
SDO Standards Development Organization
SDR Software Controlled Radio
SGSN Serving GPRS Support Node
SI Screening indicator
SID Silence Descriptor
SIM GSM Subscriber Identity Module
SIWF Collaborative Function
SIWFS Collaborative Function Server
SM Session Management
SMIL Synchronized Multimedia Integration Language
SM-RL Short message broadcast function
SMS Short Message Service
SMSC Short Message Service Center
SMSCB Short Message Service - Cellular
SMTP Simple Email Protocol
SOR Optimal Routing Support
SRNC Serving Radio Network Controller
SRNS Serving RNS
SS Additional service
SS Solution Set
SS7 Alarm System No. 7
SSF Service Switching Function
T1 Committee for T1 Standards (part of ANSI)
T1P1 Technical Subcommittee on Wireless / Mobile Services and Systems
TA Terminal adaptation
TAF Terminal Adaptation Function
T-BCSM Served Basic Call State Model
TCAP Transaction Tools
TCH / F Full / Half Rate Voice Channel
TDMA Time Division Multiple Access
TDMA_EFR TIA IS-641 Enhanced Speech Codec
TDMA_USI TIA TDMA-US1 (Codec 12.2 Kbps, similar to GSM-EFR)
TE Terminal equipment
TIA Communications Industry Association
TMSI Temporary Mobile Station Identifier
TOA Arrival time
TrFO Operation without transcoder
TS Technical Specification
TSG Technical Specification Development Group
TTA Telecommunications Technology Association (Korea)
TTC Telecommunications Technology Committee (Japan)
TUP Telephone User Subsystem (Alarm System No. 7)
UDP Custom Datagram Protocol
UE User Equipment
UICC Universal IC Card
UIM User ID Module
UMTS Universal Mobile Telecommunications System
USAT USIM Application Toolkit
USIM Universal Subscriber Identity Module
USSD Unstructured Supplementary Service Data
UTRA Universal Terrestrial Radio Access
UTRA-FDD Universal Terrestrial Radio Access - Frequency Division Duplex
UTRAN Universal Terrestrial Radio Access Network
UTRA-TDD Universal Terrestrial Radio Access - Time Division Duplex
UUS User-to-user signaling
VAD Speech Detector
VBS Voice Broadcast Service
VGCS Voice Group Call Service
VHE Virtual Own Environment
VLR Temporary Location Register
VMSC Visiting Mobile Switching Center
VPLMN Public Land Mobile Visitor Network
WAP Wireless Application Protocol
To be continued….
Talk about wiretapping continues. Indeed, Big Brother is watching everything. But besides the big brother, there are also attackers who also want to listen to your conversations and read your SMS. What do they have in their arsenal? What is true and what is fiction? Let's take a look at modern methods and capabilities based on facts.
Traffic interception methods
1. Passive method
Wiretapping of a mobile phone by intercepting and decoding GSM traffic.
Devices for these purposes are freely sold on the Internet, although their cost starts from 50k of greenery. Roughly speaking, such a device is a laptop to which an antenna is connected ...
This device scans the cellular communication channels around. And it makes it possible to connect to one of the channels and intercept information. But there is a nuance - all information is intercepted in encrypted form. For decryption it is necessary to use "rainbow tables" and the Kraken tool.
This method of interception is difficult in its application even for an experienced specialist, since one cellular operator has at least 4-5 ARFCNs, respectively, you need to connect to each of these channels and search for information. They are stored in the database of the cellular operator. For addressing calls and SMS, IMSI is used - the internal identifier of the SIM card.
How to find a subscriber's IMSI?
To find this number, you need to perform an HLR request for the subscriber's number: HLR test sms
2. Active method
This method involves actively interfering with the operation of the existing GSM network. The main tool is a fake base station, which acts as a bridge between subscribers and the operator's legitimate base station.
To implement the method, you can use professional (start from $ 120,000), semi-professional (start from $ 5,000) or amateur (start from $ 420) equipment.
The difference between these solutions is in 3 things:
1. Brand (all the same, the orientation goes to the special services)
2. Auxiliary functionality (thermal protection, battery, “wake-on-t” mode, etc.)
3. The number of radio modules - probably the most important parameter that is not available in bladerf / hackrf and other amateur equipment is working simultaneously with several operators and at different frequencies.
Encryption, rainbow tables, Kraken, unicorns and intelligence agencies of the planet Nibiru
Many users confuse active and passive methods of interception of traffic and have created their own sect "Witnesses of the use of rainbow tables in the active method of interception"
Let's take a look at encryption issues and start with the types of encryption:
А5 / 0 - plain text, no encryption or disabled
А5 / 1 - streaming encryption is enabled;
А5 / 2 - modification А5 / 1 with deliberately lowered complexity
А5 / 3 - (Kasumi) from the creator of RSA appeared with the advent of the 3G network
A5 / 4 - Kasumi modification for LTE networks
How does hacking happen?
In contrast to the passive interception method, in the active method, the attacker controls the encryption himself. All A5 cipher models use a key that is stored both by the operator and the subscriber on his sim card, this key is unique for each subscriber and for its protection there is a special cryptochip for each SIM card and this cryptochip will do everything that the base station tells him. A fake BS appears to be a subscriber for a real BS, and a real BS appears as a subscriber, while for the subscriber device, encryption is lowered to the A5 / 2 level - which is decrypted online on the fly, and at this moment the trap RETRIEVES THE SECRET KEY OF THE SUBSCRIBER and then restores the connection on the encryption of the previous level. Thus, having received the subscriber's encryption key, the attacker does not need any Krakens or rainbow tables and he can decrypt everything online.
3. Interactive method
Full access to SMS, calls, and geolocation of any subscriber anywhere in the world
It can be called in different ways, but its essence boils down to gaining access to the mobile network and exploiting the vulnerability of the SS7 protocol (SS7). The access itself is ip + port + login + pass, but in this form it can only be used by those who have already had experience with it.
Where can I buy?
Many are trying to search in the TOP, looking for some kind of "hacker" sites, like TYTS, but except for the thrown, you can hardly stumble upon anyone. Instead, access can be obtained officially or semi-officially from telecom operators and individual structures engaged in GSM interception on completely legal grounds.
List of offices providing access to ss7
Often, access is offered only to government organizations, but when making a transaction (payment with bitcoin or bank escrow), the moments of verification come down to “we trust you”.
But there is one pitfall, in the process of buying access it is necessary to clearly agree on the territory of access, the fact is that access to a subscriber can be limited only by the territory of the country of which you are a representative, and when you try to access other countries, you are simply disconnected and then reported a link to the rules that you violated and no one will return the money back, but such prohibitions are also often implemented in the user web interface to which you get access after the purchase.
How much does it cost?
Forget moronic articles like "For $ 500 you can wiretap any phone in the world!" or “A schoolboy saved on lunches and listened to his teacher without registration and SMS” - all this nonsense was written by journalists whose goal is a sensation.
If you take the HYIP associated with the TOP project “interconnect0r” - then this HYIP has spread all over the world, although it will take 5 minutes to make a site like that in the Top.
I contacted many offices and I will say that the range of prices from $ 10,000 to $ 30,000 per month, nothing could be found cheaper, and the difference in price is due to the lack of territorial binding and additional features of the web interface.
4. IMSI trap
On many IMSI resources, fake base stations are called traps, but I would single out a separate term for this very useful device. An IMSI trap is a "device" for example based on RTL-SDR that sees all subscribers around it. It uses a passive interception method, making it nearly impossible to detect.
Independent use of this device is doubtful because Well, what can be removed from the list of 30-40 surrounding subscribers? Moreover, not just numbers are visible, but only IMSI / TMSI / Network name.
This device is extremely useful when using a fake base station and is useful as a means of protecting an intruder from interception!
Example # 1:
The attacker is waiting for the victim (for example, near the house) and wants to intercept the victim's calls using bladerf. He needs to turn on the fake BS and sit and wait, but at this moment he becomes vulnerable because it can be found. Therefore, the attacker first turns on the IMSI trap, which, when a target appears, will automatically turn on the BS fake, and since the IMSI trap uses a passive interception method, it is almost impossible to detect it. Thus, the attacker will only work when the target is near.
Example # 2
I got a lot of questions like "Can I make bladerf hit 1km?" and every time I had a scene from the movie “Sportloto 82” in my head:
- San Sanych, can you eat these berries?
- You can, only poison yourself
Likewise, the answer to this question is - you can, just slept. The fact is that when you turn on the fake, the BS sends out a beacon request (like - I'm here! Come to me! Connect!) And when this illegitimate request gets to a legitimate BS of a real cellular operator, the "alarm" is turned on and the cellular operator is immediately aware of that an unidentified BS appeared, respectively, the countdown went and the question of a couple of tens of minutes until the intruder is detected. In order to avoid this, before turning on the fake BS, check the distance to the nearest BS (by signal level) and correlate the power of the fake BS so as not to catch the eye of a legitimate BS, and for this it is most convenient to use the RTL-SDR functions as IMSI traps.
Equipment
1. Motorolla cXXX
Description: This equipment is based on an old Motorolla phone based on the Calypso chipset (MotorolaC115 / C117 / C123 / C121 / C118 / C140 / C139 / C155 / V171), etc. which, due to the leakage of the specification into the network, was finalized by the Osmocom project participants and the USB-TTL cable. Extremely unstable work, constant lags and freezes, a small radius of action is compensated by a very cheap price - everything will take about 20 bucks.
An excellent option for independent study, but it is worth considering that with a passive interception method, in order to receive traffic entering the phone, you will need to rewire two very small filters, so it is better to buy a ready-made kit and not fool yourself.
Features: IMSI Trap, Active interception method, Passive interception method, Creation of your own cellular network
Where to buy: Regular version on the radio market (Motorola C115 / C117 / C123 / C121 / C118 / C140 / C139 / C155 / V171)
You can solder the USB-TTL cable yourself or buy a ready-made one:
USB-TTL
The finished version soldered for work can be found on ebay or taobao.
eBay Osmocom
Software:
Osmocom, TyphonOS
Photo:
2. HackRF
Description: Legendary SDR from Great Scott Gadgdgets. Morally a little outdated, but nevertheless - it does its job. Suitable for those who just want to try, but have not yet decided on the seriousness of their intentions. Main disadvantage: weak signal.
Features: IMSI Trap, Active interception method, Passive interception method, Creation of your own cellular network
Where to buy: AliExpress (numerous replicas for every taste and color)
Software: OpenBTS 2g / 3g
Photo:
3. BladeRF
Description: A new generation of SDR devices. It has much more flexible settings, high power and full duplex communication. For a full-fledged BS imitation, it is recommended to use this device.
Features: IMSI Trap, Active interception method, Passive interception method, Creation of your own cellular network
Where to buy: on the Internet
Software: OpenBTS 2g / 3g
Photo:
4. Rtl-SDR
Description: A TV tuner that is also an SDR is very cheap and everyone who builds his own BS MUST have it. Its main purpose is to measure the distance to a real legitimate BS, and based on this distance, the user must choose the signal strength of his fake BS. It also makes excellent IMSI traps.
Features: IMSI Trap, Passive interception method
Where to buy: On Aliexpress
Software: IMSI-Catcher
Photo:
Ready-made assemblies of operating systems:
It will be difficult for many to make the assembly and support of all software components for working with the above equipment, so below you can download ready-made assemblies
GNU-Radio
Assembled with set weight of components to work with SDR. Supports RTL-SDR / BladeRf / HackRf
GNU-Radio LiveCD 14
GNU-Radio LiveCD 16
RTL-SDR / HackRF
Preinstalled software for building IMSI traps and working with HackRF
RTL-SDR / HackRF
BladeRF Pentoo
Build to work with BladeRf
BladeRF
Osmocom
TyphonOS
Terminology
2G Second generation of GSM standard
3G Third generation GSM standard
3GMS Third generation mobile communication system
3GPP Third Generation Partnership Project
AGCH Access Grant Notification Channel
AID Application ID
AMR Adaptive Multi-Speed
ANSI U.S. National Standards Institute
AoC Charge Notice
AoCC Billing Notice (Expenses)
AoCI Billing Notice (Info)
API Application Programming Interface
ARFCN Absolute radio channel frequency number
ARIB Association of Radio Industry and Business
ASE Application Service Element
ASN.1 Abstract Syntax Notation Version 1
AT-command Command "Attention"
AuC Authentication Center
BAIC Barring all incoming calls
BAOC Barring all outgoing calls
BCCH Broadcast Control Channel
BCH Broadcast channels
BIC-Roam Barring incoming calls when roaming outside the home country of your PLMN
BOIC Barring outgoing international calls
BOIC-exHC Barring outgoing international calls, except for calls to the home country of PLMN
BTS Base Station
BSC Base Station Controller
BSS Base Station System
BSSMAP Base Station Subsystem Control Application Protocol
CAI Charging Information
CAMEL Advanced Mobile Communication Logic for Custom Applications
CAP CAMEL Application Subsystem
CB Call barring
CBC Cell Broadcast Center
CBCH Cell Broadcast Channel
CBS Cell Broadcast Service
CC Call Control
CCBS Establishing a connection when the subscriber is busy
СССH Common control channel
CD reject calls
CDR Call Report
CF Call Forwarding
CFB Call Forward Busy
CFNRc Call forwarding when terminal is unavailable
CFNR Call Forward No Answer
CFU Call Forwarding Unconditional
CLI Caller Line ID
CLIP Caller Line Identification Presentation
CLIR Caller Line Identification Restriction
CM Configuration Management
CMIP Common Control Information Protocol
CMISE General Control Information Service Element
CN Core network
CNAP Caller Name Representation
COLP Connected Line Identification Representation
COLR Connected Line Identification Restriction
CORBA A technology for building distributed object applications proposed by the company
CS Channel Switching
CS-1 Smart Grid Capability Set
CSE CAMEL Service Environment
CUG Closed User Group
CW Call Waiting Alert
CWTS China Wireless Standardization Group
DCE Data Link Termination Equipment
DCCH Dedicated Control Channel
DTE Data Terminal Equipment
DTMF Multi-frequency signaling
DTX Intermittent transmission
ECT Explicit Call Transfer
EGPRS Enhanced GPRS
EIR Equipment Identification Register
EM Subsystem for controlling elements
eMLPP Enhanced Multi-Level Priority and Preemption Service
EN Conformity mark of the European Committee for Standardization
E-OTD Improved Observed Time Difference
EP Elementary Procedure
ETSI European Telecommunication Standardization Institute
FACCH Fast Access Control Channel
FCCH Frequency Correction Channel
FM Failure Management
GAD Geographical Area Description
GBS Shared Transfer Services
GDMO Guidelines for Defining Managed Objects
GERAN GSM EDGE radio access network
GGSN Gateway GPRS Support Node
GLR Gateway Location Register
GMLC Gateway Mobile Location Center
GMSC Gateway MSC
GPRS General Packet Data Service
gprsSSF GPRS service switching function
GPS Global Positioning System
GSM Global System for Mobile Communications
GSM-EFR Enhanced GSM Full Rate Voice Codec
gsmSCF GSM Service Control Function
gsmSRF GSM Specialized Resource Support Function
gsmSSF GSM Service Switching Function
GSN GPRS Support Node
GT Global Title
GTP GPRS Tunneling Protocol
HDLC Upper Layer Data Link Control
HE Own environment
HLR Home Location Register
HPLMN Proprietary public land mobile network
HSCSD High Speed Circuit Switched Data
IC Integrated Circuit
ID Identifier
IMEI International Mobile Equipment Identity
IM-GSN Intermediate GPRS Serving Node
IM-MSC Intermediate Mobile Switching Center
IMSI International Mobile Station Identifier
IN Intelligent network
INAP Intelligent Network Application Layer Protocol
IP Internet Protocol
IPLMN Inquiring PLMN
IrDA Infrared Data Association
IrMC Infrared mobile communication
IRP Integration Reference Point
IS Information Service
ISDN Integrated Services Digital Network
ISO International Organization for Standardization
ISUP ISDN User Subsystem
Itf-N Interface N
IWF Interoperability Function
LAN Local area network
LCS Location Service
LMSI Local Mobile Station Identifier
LMU Positioning unit
LR Location Request
MAP Mobile Application Subsystem
MC Multiple call
MCC Mobile Station Country Code
ME Mobile communication equipment
MExE Mobile Station Runtime
MIM Management Information Model
MIME Multipurpose Internet Email Extensions
MLC Mobile Station Location Center
MM Mobility Management
MMI Human Machine Interface
MMS Multimedia Messaging Service
MNC Mobile network code
MNP Mobile Station Number Interchangeability
MO From mobile station
MO-LR Request from a mobile station to determine a position
MPTY Versatile
MS Mobile Station
MSC Mobile Switching Center
MSISDN International ISDN mobile station number
MSP Multiple Subscriber Profile
MSRN Mobile station roaming number
MT Mobile Terminal
MT Movable terminal
NE Network element
NITZ Network ID and Time Zone
NM Network Management
NRM Network Resource Model
OACSU Establishing a connection without first seizing a radio resource
ODB Operator-set call barring
OMG Managed Object Group
OS Operating System
OSA Open Systems Architecture
OSI Open Systems Interconnection
PBX Corporate PBX
PCH Paging channel MS Paging channel MS
PCM Pulse Code Modulation
PDC-EFR ARIB PDC-EFR speech codec at 6.7 kbps
PDN Public data network
PDP Packet Data Protocol
PDU Protocol data unit
PI Performance Indicator
PIX Native Application Identifier Extension
PLMN Public Land Mobile Network
PP Point-to-Point
PS Packet Switching
PSE Personal Service Environment
PSTN Public Switched Telephone Network
RACH Network Access Request Channel
RANAP Radio Access Network Application Subsystem
RID Registered Application Provider ID
RLC / MAC Radio Link Control / Media Access Control
RLP Radio Link Protocol
RNC Radio Network Controller
RNS Radio Network System
RR Radio resource
SACCH Slow Access Control Channel
SAT SIM Application Toolkit
SC Service Center
SCCP Signaling Connection Control Subsystem
SCH Sync channel
SCR Initial Controlled Speed
SCS Service Capability Server
SDO Standards Development Organization
SDR Software Controlled Radio
SGSN Serving GPRS Support Node
SI Screening indicator
SID Silence Descriptor
SIM GSM Subscriber Identity Module
SIWF Collaborative Function
SIWFS Collaborative Function Server
SM Session Management
SMIL Synchronized Multimedia Integration Language
SM-RL Short message broadcast function
SMS Short Message Service
SMSC Short Message Service Center
SMSCB Short Message Service - Cellular
SMTP Simple Email Protocol
SOR Optimal Routing Support
SRNC Serving Radio Network Controller
SRNS Serving RNS
SS Additional service
SS Solution Set
SS7 Alarm System No. 7
SSF Service Switching Function
T1 Committee for T1 Standards (part of ANSI)
T1P1 Technical Subcommittee on Wireless / Mobile Services and Systems
TA Terminal adaptation
TAF Terminal Adaptation Function
T-BCSM Served Basic Call State Model
TCAP Transaction Tools
TCH / F Full / Half Rate Voice Channel
TDMA Time Division Multiple Access
TDMA_EFR TIA IS-641 Enhanced Speech Codec
TDMA_USI TIA TDMA-US1 (Codec 12.2 Kbps, similar to GSM-EFR)
TE Terminal equipment
TIA Communications Industry Association
TMSI Temporary Mobile Station Identifier
TOA Arrival time
TrFO Operation without transcoder
TS Technical Specification
TSG Technical Specification Development Group
TTA Telecommunications Technology Association (Korea)
TTC Telecommunications Technology Committee (Japan)
TUP Telephone User Subsystem (Alarm System No. 7)
UDP Custom Datagram Protocol
UE User Equipment
UICC Universal IC Card
UIM User ID Module
UMTS Universal Mobile Telecommunications System
USAT USIM Application Toolkit
USIM Universal Subscriber Identity Module
USSD Unstructured Supplementary Service Data
UTRA Universal Terrestrial Radio Access
UTRA-FDD Universal Terrestrial Radio Access - Frequency Division Duplex
UTRAN Universal Terrestrial Radio Access Network
UTRA-TDD Universal Terrestrial Radio Access - Time Division Duplex
UUS User-to-user signaling
VAD Speech Detector
VBS Voice Broadcast Service
VGCS Voice Group Call Service
VHE Virtual Own Environment
VLR Temporary Location Register
VMSC Visiting Mobile Switching Center
VPLMN Public Land Mobile Visitor Network
WAP Wireless Application Protocol
To be continued….
