Saturday, December 17, 2005
Saturday, October 01, 2005
Tuesday, August 23, 2005
The Hackers Guide to GSM Phones
The Hackers' Guide to GSM Phones
by proton igger -------------------------------------------------------------------------------- NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site. -------------------------------------------------------------------------------- Section 1: The Introduction Originally developed as a European standard for mobile telephony, GSM has quickly gained grounds all over the world. However, for much of the world this is still new technology, and therefore there are many people with many questions to ask. One of the ones I most commonly hear from time to time when I idle in Hackers' Lounge is "how do you hack gsm phones?". This is understandable. For much of the world this is still new technology, and there are a lot of people who want to know about all the fun things they can do with these new phones. Well, this tutorial is for all of you. A complete guide for all your gsm hacking needs. Enjoy... Section 2: How GSM Operates As I've said in past tutorials, in order to hack anything in any sense of the word you have to first understand how it operates. Therefore in this section you will learn the details on GSM to have a better understanding of how it operates. Therefore, you will have a better understanding of how it can be exploited. GSM (Global System for Mobile communication) is fundamentally different from some of it's older counterparts like AMP in the sense that it operates using digital technology, instead of using the traditional analog technology. GSM being a cellular system is of course divided into cells. These cells correspond to their covering area of one trasmitter, or a small collection of transmitters. The size of these cells depend on the power of their transmitter. GSM, as with other cellular systems, uses low power transmitters so that frequencies can be reused efficiently. The frequency band used by a cellular mobile radio system is distributed over a group of cells, which is repeated in all the covering area of an operator. All the radio channels that are available can then be used in each group of cells that form the covering area of an operator. The frequencies that are used then will be reused several cells away. There are four different types of cells that are used. Macrocells, microcells, selective cells, and umbrella cells. Macrocells are large cells that are used for remote and sparsely populated areas. Microcells on the other hand are used for densely populated areas. With using these types of cells in densely populated areas, the number of channels available is increased as well as the capacity of the cells. Transmitters under these types of cells use less power in order to reduce the possibility of interference between neighboring calls. In areas where a full 360 degrees of coverage is not needed, selective cells are used to specify a certain area of coverage. Umbrella cells are used in correlation with microcells in order to solve the issue with handovers when traversing through microcell areas. The power levels within an umbrella cell is increased compared to the power levels within the microcells that the umbrella cell covers. The cells themselves are grouped into clusters. The number of cells used within a cluster is determined so that the cluster can be repeated continuously within the covering area of an operator. Your typical cluster usually contains either 4, 7, 12, or 21 cells. The number of cells used within a cluster is very important. The smaller the number of cells per cluster is, the bigger the number of channels per cell will be, which will therefore increase the capacity of each cell. The total number of channels used in each cell depends on the number of available channels and the type of cluster used. A balance must be established when setting up these clusters in order to avoid interference with neighboring clusters. Now lets discuss the architecture of the GSM network. A GSM network can be divided into four main parts. The MS (Mobile Station), the BSS (Base Station Subsystem), the NSS (Network and Switching Subsystem), and the OSS (Operation and Support Subsystem). The two main elements of an MS is the terminal, and the SIM (Subscriber Identity Module). There are different types of terminals within the MS architecture that are distinguished based on their power and application. The fixed terminals are the ones installed in cars, and have a maximum output of 20 watts. The GSM portable terminals can also be installed in cars, and have a maximum output of 8 watts. Then finally handheld terminals, which has a maximum output of 2 watts, but nowadays these terminals can and do transmit at 0.8 watts. The SIM is a smart card that is used for identifying the terminal. This SIM card is protected by a PIN (Personal Idenfitication Number), and in order to identify the user to the system also includes other parameters of the user such as it's IMSI (International Mobile Subscriber Identity). This is what allows the terminal to operate within the GSM network. Without the SIM card, the terminal itself is a useless device. The BSS is in charge of transmission and reception, and is what connects the MS and the NSS. There are two parts that make up the BSS; the BTS (Base Transceiver Station, also known as a Base Station), and the BSC (Base Station Controller). The BTS corresponds with the tranceivers and antennas used in each cell within the network, and are usually located in the center of the cell. The transmission power of the BTS is what defines the size of it's cell. Each BTS has between 1 and 16 transceivers, depending on the density of users within the cell. TheBSC is what manages the BTSs, and is primarily in charge of handovers, frequency hopping, exchange functions, and is in charge of the radio frequency powers levels of the BTSs. The NSS is in charge of managing the communications between the mobile users, and other users. This part of the GSM architecture is separated into 7 parts. The MSC (Mobile services Switching Center), the GMSC (Gateway Mobile services Switching Center), the HLR (Home Location Register), the VLR (Visitor Location Register), the AuC (Authentication Center), the EIR (Equipment Identity Register), and the GIWU (GSM Interworking Unit). The center component of the NSS is the MSC, which performs the switching functions of the network, as well as provides connectivity to other networks. Next is the GMSC, which is provided as the interface between the cellular network and the PSTN (Public Switched Telephone Network). This is in charge of routing calls from the fixed network to a GSM user, and this is usually implemented in the same machine as the MSC. The HLR is in charge of storing information of the subscribers belonging to the covering area of the MSC, as well as stores the current location of these subscribers and the services that they have access to. The location of the subscriber corresponds to the ss7 (short for Common Channel Signaling System 7, the protocol used by modern PSTNs) address of the VLR. The VLR is in charge of storing information from a subscriber's HLR that is necessary in order to provide the subscribed services to visiting users. This information is recorded into the VLR upon request from the HLR after a subscriber enters the covering area of an MSC. That way the VLR can assure subscribed services to the user without having to call upon the HLR every time a connection is established. The AuC is a security feature within the NSS. It provides the parameters needed for authentication and encryption functions within the GSM network, which helps to verify the user's identity. The EIR as well is also used for security purposes. The EIR contains information about the mobile equipments; more particularly, a list of all valid terminals within the covering area of an MSC. A terminal is identified with it's IMEI, and the EIR is used to forbid calls from stolen or unauthorized terminals. The GIWU is made up of both hardware and software that provides an interface to various networks for data communication. Using the GIWU, speech and data can be alternated during the same call. Finally the OSS is interconnected to different components of the NSS and to the BSC in order to monitor and control the GSM system, as well as controlling the traffic load of the BSS. Now that we understand the structure of a GSM network, lets dive further into the functions within the GSM system. There are five different defined functions within the GSM system. Transmission, RR (Radio Resources management), MM (Mobility Management), CM (Communication Management), and OAM (Operation, Administration and Maintenance). The first function we shall discuss is of course the transmission function, which actually in itself contains two subfunctions. The first subfunction deals with the means needed for the transmission of user information, while the second subfunction deals witht he means needed for the transmission of signaling information. Contrary to what one may believe on first glance, not all functions within the GSM network are strongly related to the transmission function. The MS, BTS, and BSC are of course very strongly related to transmission. However, other aspects of the GSM network such as the HLR, VLR, and EIR only deal with transmission for signaling purposes with other components of the GSM network. Now lets take a minute to talk about the more important aspects of the transmission function. One of the main objectives of GSM is roaming. So in order to obtain a complete compatibility between mobile stations and networks of different manufacturers and operators, the radio interface must be completely defined. This specification of the radio interface is a very important influence on the spectrum efficiency. First there is frequency allocation, which allocates two frequency bands for the GSM system. The frequency band 890-915 Mhz has been allocated for the uplink direction (transmitting from the mobile station to the base station), and the frequency band 935-960 Mhz has been allocated for the downlink direction (transmitting from the base station to the mobile station). However, what you must understand about frequency allocation is that not all frequencies within the frequency bands specified can be used by all countries, due to military reasons and that existing analog systems use part of the two 25 MHz frequency bands. Then there is the multiple access scheme, which defines how different simultaneous communications, between different mobile stations situated in different cells, share the GSM radio spectrum. The multiple access scheme adopted by GSM is actually a mixture of FDMA (Frequency Division Multiple Access) and TDMA (Time Division Multiple Access) with the addition of frequency hopping. FDMA operates by assigning a frequency to a specific user, while TDMA allows several users to share the same channel. It does this by assigning each user their own burst within a frame (a group of bursts). Under GSM, TDMA operates within a FDMA structure. It accomplishes this by dividing a 25 MHz frequency band into 124 carrier frequencies spaced from each other by a 200 khz frequency band. The first carrier frequency is used as a guard band between GSM and other functions, which operate on lower frequencies. Each of these carrier frequencies are then divided in time using a TDMA scheme, which splits the radio channel, with a width of 200 khz, into 8 bursts. Each of these eight bursts are then assigned to a single user. Now a channel corresponds to the recurrence of one burst every frame. This is defined by its frequency and the position of its corresponding burst within a TDMA frame. Within GSM, there are two types of channels, traffic channels and control channels. Traffic channels are used to transport speech and data information. TCH/Fs (full rate traffic channels) are defined using a group of 26 TDMA frames referred to as a 26-multiframe. Using the 26-multiframe structure, uplink and downlink traffic channels are separated by 3 bursts. The structure for the 26-multiframe is as follows; 24 frames are reserved for traffic, 1 frame is used for the SACCH (Slow Associated Control Channel), and the last frame is unused to allow the mobile station to perform other functions like measuring signal strength of neighboring cells. There are also TCH/Hs (half rate traffic channels) which also are grouped in a 26-multiframe, but the internal structure is a bit different. Control channels are used for network management and some channel maintenance tasks. There are four different types of control channels defined by the task they perform. BCH channels (Broadcast Channels), CCCH channels (Common Control Channels), DCCH channels (Dedicated Control Channels), and associated control channels. BCH channels are used by the base station to provide the mobile station with sufficient information needed to synchronize with the network. There are 3 different types of BCH channels; BCCH (Broadcast Control Channel) channels, SCH (Synchronization Channel) channels, and FCCH (Frequency-Correction Channel) channels. The BCCH channel gives the mobile station the parameters necessary in order to identify and access the network. The SCH channel gives the mobile station the training sequence needed in order to demodulate the information sent by the base station. Finally the FCCH gives the mobile station the frequency reference of the system in order to synchronize with the network. The CCCH channels are used to establish the calls from the mobile station or the network. Once again, there are three different types of CCCH channels. The PCH (Paging Channel) channel, the RACH (Random Access Channel) channel, and the AGCH (Access Grant Channel) channel. The PCH channel is used to alert the mobile station of an incoming call. The RACH channel is used by the mobile station to request access to the network. Then the AGCH channel is used by the base station to inform the mobile station about which channel it should use, which is the answer of a base station to a RACH from the mobile station. The DCCH channels are used for message exchange between several mobiles and the network. There are two different types of DCCH that can be defined; the SDCCH (Standalone Dedicated Control Channel), and the SACCH (Slow Associated Control Channel). The SDCCH is used in order to exchange signaling information in the downlink and uplink directions, and the SACCH is used for channel maintenance and control. Then finally there is the associated control channel, which composes of the FACCH (Fast Associated Control Channels). The FACCH replaces all or part of a traffic channel when urgent signaling information must be sent. These types of channels carry the same information as the SDCCH channels. So now that we (hopefully) understand how FDMA and TDMA operate under GSM, we can now explore into the third part of the multiple access scheme, frequency hopping. There are two types of frequency hopping. The slow frequency hopping changes the frequency with every TDMA frame, which is used to avoid important differences in the quality of the channels. On the other hand, fast frequency hopping changes the frequency many times per frame. Fast frequency hopping however is not used within GSM, so it is not really important to us. However, in order for frequency hopping to even be used across the network, it has to be approved by the mobile station. Now lets get into speech coding. Speech coding is the most important aspect of a cellular mobile service, so a lot of attention is given into detail. The codec used by this service first and foremost is a codec called RPE-LTP (Regular Pulse Excitation Long-Term Prediction), which uses the information from previous samples in order to predict the current sample. The speech signal itself is divided into blocks of 20 ms. The size of these blocks are of 260 bits. These blocks once divided are then passed to the speech codec, which has a rate of 13 kbps. Next is channel coding, which adds redundancy bits to the original information in order to detect and correct (if possible) the errors occured during transmission. Channel coding uses two codes; a block code and a convolutional code. The block code receives an input block of 240 bits and appends four 0 tail bits at the end of the input block, thus making the block 244 bits. The convolutional code adds redundancy bits in order to protect the information. What makes convolutional code and block code different is the convolutional encoder contains memory. A convolutional code can be defined by 3 variables; n, k, and K. For the sake of your sanity and mine, I will skip over explaining this. If you feel curious enough to read into this, then you can do a google search and find more information on this in your spare time. Interleaving is another function that rearranges a group of bits in a particular way. Within GSM it is used in combination with FEC codes in order to improve the performance of the error correction mechanisms. Again, I'm going to let you look into the details on this function in your own time. There is also burst assembling, which is in charge of grouping the bits into bursts. Then there is ciphering, which might be a topic that may wake a few of you readers up. Ciphering is of course used to protect signaling and user data. This cipher works by computing a ciphering key using the A8 algorithm stored in the SIM card, the subscriber key, and the random number delivered by the network (the same one used in the authentication procedure). Then a 114 bit sequence is produced using the ciphering key, the A5 algorithm and the burst numbers. This bit sequence is then XORed with the two 57 bit blocks of data included in a normal burst. In order to decipher all this correctly, the receiver of the transmission has to use to the same A5 algorithm for the deciphering procedure. Finally for those of you who may want to know, the modulation used with GSM is the GMSK (Gaussian Minimum Shift Keying), which has a rate of 270 5/6 kbauds and a BT product equal to 0.3. There are a few other functions, but I didn't feel that they were necessary for this tutorial so I didn't include them. Now that we're done talking about the transmission function, feel free to take a break real quick to rest your eyes and let your brain process all this in. Smoke a cigarette, eat some junk food, just do whatever you need to do to relax and let all this information I've given you sink in. Finished? All right, let's continue. Now that we are done talking about transmission, the next function we shall discuss is radio resources management. RR is used to establish, maintain, and release communication links between mobile stations and the MSC. The main elements of the RR deal with the base station and the mobile station, but since the MSC needs to deal with handovers, then it also concerned with RR functions. The main procedures involved with RR is channel assignment, change, and release; handovers; frequency hopping; power-level control; discontinuous transmission and reception; and timing advance. However, since we've already gone over most of these functions when talking about transmission, then the only one we really need to concentrate at this point is handovers. Handovers are of course the process of changing the channel or cell that a user is on when they are moving. There are four different types of handovers that are used in these instances. The handover of channels within the same cell, the handover of cells controlled by the same BSC, the handover of cells belonging to the same MSC but controlled by different BSCs, and finally the handover of cells controlled by different MSCs. The first two types of handovers are managed by the BSC, while the MSC is only notified of these handovers. Meanwhile the MSC is in charge of managing the last two mentioned handovers. In order for this handover to work, the mobile station controls its own signal strength and the signal strength of the neighboring cells. These power measurements allow the MSC or BSC to decide which cell is best to use in order to maintain the quality of the communication link. There are two different types of handover algorithms that are used, the 'minimum acceptable performance' algorithm, and the 'power budget' algorithm. The 'minimum acceptable performance' algorithm works by increasing the power level of the mobile when the quality of the transmission is decreased until this increase has no effect on the quality of the signal, which is then when a handover is performed. On the other hand, the 'power budget' algorithm just goes ahead and makes the handover instead of increasing the power level in order to obtain a good communication quality. Well as I said the rest of the RR functions were already discussed when we were talking about transmission, so now lets get into mobility management. MM is in charge of all aspects related with the mobility of a user, specifically the location management and the authentication and security. Location management is performed by performing an update location procedure by indicating it's IMSI to the network when the mobile station is powered on. When a mobile station moves to a different location area or a different PLMN, the location update message is sent to the new MSC/VLR, which then gives this location information to the subscriber's HLR. If this step is authenticated, the HLR cancels the registration of the mobile station with the old MSC/VLR. This location updating is performed periodically, and if after the updating time period the mobile station hasn't registered, then it's deregistered. When a mobile station is powered off, it sends an IMSI detach procedure in order to let the network know that it's no longer connected. Now the authentication procedure is involved with the SIM card and the Authentication Center. A secret key that is stored within the SIM card and the AuC, and the A3 ciphering algorithm mentioned earlier is used to verify the authenticity of the user. The mobile station and the AuC creates an SRES using the secret key, the A3 algorithm, and a random number generated by the AuC. If these two SRESs are the same, then the user is authenticated. Also the AuC checks the equipment identity to see if the IMEI number of the mobile is authorized to the EIR, which if so, the mobile station is allowed access to the network. During the authentication procedure the subscribed services for the user is also checked. Also in order to assure user confidentiality, the user is registered with a TMSI (Temporary Mobile Subscriber Identity) after it's first location update procedure. Now lets talk about communication management. CM is responsible for three different functions within the GSM system. Call control, supplementary services management, and short message services management. Call control is in charge of call establishing, maintaining, and releasing as well as selecting the type of service. One of the most important roles of CC is call routing. In order for a user to reach a mobile subscriber, a user dials the MSISDN (Mobile Subscriber Integrated Services Digital Network) which includes a country code, a national destination code identifying the subscriber's operator, and a code corresponding to the subscriber's HLR. This call is then passed to the GMSC (if the call indeed is originated from a fixed network), which knows the HLR corresponding to a certain MSISDN number. The GMSC then asks the HLR for information needed in call routing, the HLR requests this information from the subscriber's VLR, and this VLR allocates an MSRN (Mobile Station Roaming NUmber) temporarily for the call. This MSRN number is then sent through the HLR to the GMSC, which allows for the call to be routed to the subscriber's current MSC/VLR, and thus the mobile is paged. Now lets talk about the supplementary services management function. This function deals with only the mobile station and the HLR, and is what provides selected services to the subscriber. One function within supplementary services management is call forwarding, which allows a user to forward incoming calls to another number if the mobile is busy. This function call also be applied unconditionally. Another service is call barring. There are many different types of call barring services. BAOC (Barring All Outgoing Calls), BOIC (Barring Outgoing International Calls), BOIC-exHC (Barring Outgoing International Calls except those directed towards the Home PLMN Country), BAIC (Barring All Incoming Calls), and barring all incoming calls when roaming. Then of course there are other services like call hold, call waiting, multiparty service, CLIP (Calling Line Identification Presentation), CLIR (Calling Line Identification Restriction), and other services. I would go into them all, but I want to go ahead and finish up this section so I can continue with the rest of the tutorial. Now short message services management of course in charge of managing the sms service. This service is supported via a Short Message Service Center through two interfaces. One is SMS-MT/PP (the SMS-GMSC for Mobile Terminating Short Messages), and SMS-MO/PP (the SMS-IWMSC for Mobile Originating Short Messages). It's good to note that SMS-MT/PP plays the same role as GMSC. Now onto OAM (Operation, Administration, and Maintenance). OAM is used to allow the operator to monitor and control the gsm system as well as modify the configuration of the properties and elements of the gsm system. OSS, BSS, and NSS all play a part in OAM's operation. Certain components of BSS and NSS provide the information needed by the operator, which is then passed to the OSS, which is in charge of analyzing it and controlling the network. The self test tasks usually carried out by the BSS and NSS are also used by the OAM for certain functions. The BSC, which is in charge of controlling several BTSs is also a part of OAM. Well that concludes it for the functions within the GSM system and for this section. If you have ended this section utterly confused then feel free to read it over. It's not that you need to remember every single component and fact listed in this section, but it helps to have a pretty good understanding of the gsm system, and it's better that the information is here for you to recall on. Just be sure that you have a basic understanding of the information I have provided you before you continue to the next section. Section 3: Exploiting GSM Phones So now that you hopefully have at least a basic understanding of how gsm operates, let's talk about the fun stuff. The first trick I will discuss is an activity that is becoming quite prevalant, SIM cloning. If you have paid attention to any cell phone related tutorials in the past, then you may remember cloning being made popular by certain public figures like Kevin Mitnick in order to place calls on the bill of another subscriber. Well, even with GSM this trick still holds relevant. How could such a flaw exist in a system that is obviously concentrated on preventing such fraudulant use? The flaw is within the COMP128 authentication algorithm used as an instantiation of A3/A8 widely used by gsm providers. Unfortunately for these providers, the COMP128 algorithm is just not strong enough to prevent fraud. We attack the algorithm by using a chosen-challenge attack, which works by forming a number of specially-chosen challenges and querying the SIM card for each one. Then by analyzing the responses from these queries, we are able to determine the value of the secret key that is used for authentication. So how do we perform this attack? Well there are a few things you need before you start. First you will need to buy a SIM card reader, a card programmer, empty silver pic 2 card, and an unregulated adapter, and if you don't have one a 9 pin male to female extension cable. You can probably put a bid on ebay for most of this hardware, or just google up some sites that sell them. You will also need some software for this trick. First you will need a SIM card editor. An excellent piece of software to use in this instance is Cardinal Sim Editor, which you can find (including the crack for it) at the below link... http://www.cracksweb.com/news.php?go=824 Another tool you will is CardMaster, which once again you can find at the below link... http://cardmaster.dk/download2.php Finally what you will need is a SIM card emulator. An excellent example of an emulator to use is SIMEMU, which you can find at the below link... http://simemu.cjb.net/ Note for those of you who feel the need to read the instructions on the site, just go to www.freetranslation.com to translate the web page from Spanish to English. Now let's go ahead and get started shall we. You will first want to plug your SIM Reader into your com port. Then run Cardinal and then click where it says "Click Here" and then click Settings. You will then select your com/serial port and the baud rate. Then you will close this out, and then left click where it says "Click Here", go to smartcard, and click SIM editor. The program will from there start up, and you will go to SIM, then SIM Info, and click the load button. After doing this you will see the IMSI code, take note of this code as you will need it. Now close the SIM Info and go to Security/Find key KI. When this window opens just click Start and wait. It will take approximately 4 hours to find the key. Once it is found take note of this KI and exit. Now you should have the IMSI and KI noted, if so lets continue with the next step. Now take your silver card. Within the unzipped file within you will find two files. SEE50s.hex (EEPROM) and SEF50sEN.hex (PIC). Now connect your programmer to a com port and go to the setup menu on your CardMaster program and choose the appropriate com port. You should then see a yellow rectangle at the bottom of the program that says that there is no card. Now insert your smartcard into the programmer, and the rectangle should change to green and you will see "Card ready". Now go to where it says "Card type:" and select "Silvercard". NOw go to the "File to Pic:" field and upload SEF50sEN.hex, then go to the "File to Eeprom:" field and upload SEE50s.hex. Now go to Edit and click "Auto Program". Now once this is finished you will need to cut the card so that it will fit into the phone. Instructions for how the card needs to be cut is provided on the GSM solutions web site that will be listed in the Sites to Visit section at the bottom of this page. Now insert the newly cut silvercard into the phone. If it asks for a pin just punch in 111. Then from the main menu open up "Sim-Emu". Now from this menu go to Set Phone #, then -GSM #1 (or any slot), then Configure, then Edit #. Now edit GSM #X to any name, and then press ok. Now go to Config.Pos. and it will ask for PIN2, which will be 1234. It will then ask you what position you want the card to be, choose Position 1. It will then ask you for the IMSI, which you will punch in the IMSI you got from Cardinal. It will then ask you for the KI, which again you punch in the KI you got from Cardinal. It will then ask you to enter your PUK which can be anything up to 8 digits. Then it will ask you to enter your PIN which can be anything up to 4 digits. There you go, now you have cloned another SIM card, and are now free to call away all you want to on someone elses bill. There have also been rumors that on certain services there are ways to clone a SIM remotely, but none have been tested so this can't be proven. So now that we're finished talking about SIM cloning, let's get into another trick involving exploiting gsm phones, bluejacking. What is bluejacking you ask? Bluejacking is exploiting the BlueTooth wireless communication system common among PDAs, cell phones, and of course laptops. In essense this is nothing more than a harmless little prank, similar to defacing web sites. For bluejacking gsm phones what we are trying to do is first create a phonebook contact that says something like "haha I haxor3d j00r ph0n3!", and then send it to any bluetooth enabled device in the facinity. This in essense amounts up to at most a harmless little prank, but it's fun to watch their faces when they get the message. However, I won't bother explaining the details of how to bluejack, since the methods are models and manufacturer dependant, and are explained on a site that will be listed at the bottom of this tutorial. Don't believe that the possibilities for exploiting bluetooth enabled gsm phones ends there though. Another activity that we can jump onto is called bluebugging. Bluebugging is the process of sniffing out communication from a bluetooth-enabled cell phone. Like, for example, sms messages. Yup, now you can sit in a coffee shop, open up your laptop, and spy on everyone else who is using their phone. This concept was first introduced to the world in a presentation at DefCon 11, and is now available to the public in the form of a tool called BlueSniff that works as a bluetooth wardriving utility to play big brother. Go to the below address to get a copy of this tool... http://bluesniff.shmoo.com/bluesniff-0.1.tar.gz Another nice tool to use for such means is btscanner, which can be used to gather as much information as possible on a bluetooth-enabled device. Yet again, this wonderful tool can be found at the below address... http://www.pentest.co.uk/src/btscanner-1.0.tar.gz There is also a method known as bluesnarfing, which can be used to gain access into a cell phone to steal files. However, contrary to the media hype surrounding this issue, bluesnarfing tools are NOT freely available for all to take (at least none that I know of). The only known tool to exploit this weakness is Bluesnarf, which is not freely available for download. However, don't let that get you down, since as you can see there are many more bluetooth flaws that we are able to take advantage of. Well that concludes it for this section. As always, hope you all have enjoyed reading this tutorial as much as I enjoyed writing it. So until next time... Section 4: Sites to Visit www.gsmsolutionsltd.com - GSM Solutions ltd. - full information on SIM cloning including how to properly cut the silvercards www.bluejackq.com - a site dedicated to bluejacking www.geocities.com/henrik.kaare.poulsen/gsm.html - a complete guide to how gsm operates Note: For those of you who have any questions or comments and feel the need to reach me then you can do so at protonigg3r@yahoo.com and I will try to get back to you as soon as possible.
by proton igger -------------------------------------------------------------------------------- NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site. -------------------------------------------------------------------------------- Section 1: The Introduction Originally developed as a European standard for mobile telephony, GSM has quickly gained grounds all over the world. However, for much of the world this is still new technology, and therefore there are many people with many questions to ask. One of the ones I most commonly hear from time to time when I idle in Hackers' Lounge is "how do you hack gsm phones?". This is understandable. For much of the world this is still new technology, and there are a lot of people who want to know about all the fun things they can do with these new phones. Well, this tutorial is for all of you. A complete guide for all your gsm hacking needs. Enjoy... Section 2: How GSM Operates As I've said in past tutorials, in order to hack anything in any sense of the word you have to first understand how it operates. Therefore in this section you will learn the details on GSM to have a better understanding of how it operates. Therefore, you will have a better understanding of how it can be exploited. GSM (Global System for Mobile communication) is fundamentally different from some of it's older counterparts like AMP in the sense that it operates using digital technology, instead of using the traditional analog technology. GSM being a cellular system is of course divided into cells. These cells correspond to their covering area of one trasmitter, or a small collection of transmitters. The size of these cells depend on the power of their transmitter. GSM, as with other cellular systems, uses low power transmitters so that frequencies can be reused efficiently. The frequency band used by a cellular mobile radio system is distributed over a group of cells, which is repeated in all the covering area of an operator. All the radio channels that are available can then be used in each group of cells that form the covering area of an operator. The frequencies that are used then will be reused several cells away. There are four different types of cells that are used. Macrocells, microcells, selective cells, and umbrella cells. Macrocells are large cells that are used for remote and sparsely populated areas. Microcells on the other hand are used for densely populated areas. With using these types of cells in densely populated areas, the number of channels available is increased as well as the capacity of the cells. Transmitters under these types of cells use less power in order to reduce the possibility of interference between neighboring calls. In areas where a full 360 degrees of coverage is not needed, selective cells are used to specify a certain area of coverage. Umbrella cells are used in correlation with microcells in order to solve the issue with handovers when traversing through microcell areas. The power levels within an umbrella cell is increased compared to the power levels within the microcells that the umbrella cell covers. The cells themselves are grouped into clusters. The number of cells used within a cluster is determined so that the cluster can be repeated continuously within the covering area of an operator. Your typical cluster usually contains either 4, 7, 12, or 21 cells. The number of cells used within a cluster is very important. The smaller the number of cells per cluster is, the bigger the number of channels per cell will be, which will therefore increase the capacity of each cell. The total number of channels used in each cell depends on the number of available channels and the type of cluster used. A balance must be established when setting up these clusters in order to avoid interference with neighboring clusters. Now lets discuss the architecture of the GSM network. A GSM network can be divided into four main parts. The MS (Mobile Station), the BSS (Base Station Subsystem), the NSS (Network and Switching Subsystem), and the OSS (Operation and Support Subsystem). The two main elements of an MS is the terminal, and the SIM (Subscriber Identity Module). There are different types of terminals within the MS architecture that are distinguished based on their power and application. The fixed terminals are the ones installed in cars, and have a maximum output of 20 watts. The GSM portable terminals can also be installed in cars, and have a maximum output of 8 watts. Then finally handheld terminals, which has a maximum output of 2 watts, but nowadays these terminals can and do transmit at 0.8 watts. The SIM is a smart card that is used for identifying the terminal. This SIM card is protected by a PIN (Personal Idenfitication Number), and in order to identify the user to the system also includes other parameters of the user such as it's IMSI (International Mobile Subscriber Identity). This is what allows the terminal to operate within the GSM network. Without the SIM card, the terminal itself is a useless device. The BSS is in charge of transmission and reception, and is what connects the MS and the NSS. There are two parts that make up the BSS; the BTS (Base Transceiver Station, also known as a Base Station), and the BSC (Base Station Controller). The BTS corresponds with the tranceivers and antennas used in each cell within the network, and are usually located in the center of the cell. The transmission power of the BTS is what defines the size of it's cell. Each BTS has between 1 and 16 transceivers, depending on the density of users within the cell. TheBSC is what manages the BTSs, and is primarily in charge of handovers, frequency hopping, exchange functions, and is in charge of the radio frequency powers levels of the BTSs. The NSS is in charge of managing the communications between the mobile users, and other users. This part of the GSM architecture is separated into 7 parts. The MSC (Mobile services Switching Center), the GMSC (Gateway Mobile services Switching Center), the HLR (Home Location Register), the VLR (Visitor Location Register), the AuC (Authentication Center), the EIR (Equipment Identity Register), and the GIWU (GSM Interworking Unit). The center component of the NSS is the MSC, which performs the switching functions of the network, as well as provides connectivity to other networks. Next is the GMSC, which is provided as the interface between the cellular network and the PSTN (Public Switched Telephone Network). This is in charge of routing calls from the fixed network to a GSM user, and this is usually implemented in the same machine as the MSC. The HLR is in charge of storing information of the subscribers belonging to the covering area of the MSC, as well as stores the current location of these subscribers and the services that they have access to. The location of the subscriber corresponds to the ss7 (short for Common Channel Signaling System 7, the protocol used by modern PSTNs) address of the VLR. The VLR is in charge of storing information from a subscriber's HLR that is necessary in order to provide the subscribed services to visiting users. This information is recorded into the VLR upon request from the HLR after a subscriber enters the covering area of an MSC. That way the VLR can assure subscribed services to the user without having to call upon the HLR every time a connection is established. The AuC is a security feature within the NSS. It provides the parameters needed for authentication and encryption functions within the GSM network, which helps to verify the user's identity. The EIR as well is also used for security purposes. The EIR contains information about the mobile equipments; more particularly, a list of all valid terminals within the covering area of an MSC. A terminal is identified with it's IMEI, and the EIR is used to forbid calls from stolen or unauthorized terminals. The GIWU is made up of both hardware and software that provides an interface to various networks for data communication. Using the GIWU, speech and data can be alternated during the same call. Finally the OSS is interconnected to different components of the NSS and to the BSC in order to monitor and control the GSM system, as well as controlling the traffic load of the BSS. Now that we understand the structure of a GSM network, lets dive further into the functions within the GSM system. There are five different defined functions within the GSM system. Transmission, RR (Radio Resources management), MM (Mobility Management), CM (Communication Management), and OAM (Operation, Administration and Maintenance). The first function we shall discuss is of course the transmission function, which actually in itself contains two subfunctions. The first subfunction deals with the means needed for the transmission of user information, while the second subfunction deals witht he means needed for the transmission of signaling information. Contrary to what one may believe on first glance, not all functions within the GSM network are strongly related to the transmission function. The MS, BTS, and BSC are of course very strongly related to transmission. However, other aspects of the GSM network such as the HLR, VLR, and EIR only deal with transmission for signaling purposes with other components of the GSM network. Now lets take a minute to talk about the more important aspects of the transmission function. One of the main objectives of GSM is roaming. So in order to obtain a complete compatibility between mobile stations and networks of different manufacturers and operators, the radio interface must be completely defined. This specification of the radio interface is a very important influence on the spectrum efficiency. First there is frequency allocation, which allocates two frequency bands for the GSM system. The frequency band 890-915 Mhz has been allocated for the uplink direction (transmitting from the mobile station to the base station), and the frequency band 935-960 Mhz has been allocated for the downlink direction (transmitting from the base station to the mobile station). However, what you must understand about frequency allocation is that not all frequencies within the frequency bands specified can be used by all countries, due to military reasons and that existing analog systems use part of the two 25 MHz frequency bands. Then there is the multiple access scheme, which defines how different simultaneous communications, between different mobile stations situated in different cells, share the GSM radio spectrum. The multiple access scheme adopted by GSM is actually a mixture of FDMA (Frequency Division Multiple Access) and TDMA (Time Division Multiple Access) with the addition of frequency hopping. FDMA operates by assigning a frequency to a specific user, while TDMA allows several users to share the same channel. It does this by assigning each user their own burst within a frame (a group of bursts). Under GSM, TDMA operates within a FDMA structure. It accomplishes this by dividing a 25 MHz frequency band into 124 carrier frequencies spaced from each other by a 200 khz frequency band. The first carrier frequency is used as a guard band between GSM and other functions, which operate on lower frequencies. Each of these carrier frequencies are then divided in time using a TDMA scheme, which splits the radio channel, with a width of 200 khz, into 8 bursts. Each of these eight bursts are then assigned to a single user. Now a channel corresponds to the recurrence of one burst every frame. This is defined by its frequency and the position of its corresponding burst within a TDMA frame. Within GSM, there are two types of channels, traffic channels and control channels. Traffic channels are used to transport speech and data information. TCH/Fs (full rate traffic channels) are defined using a group of 26 TDMA frames referred to as a 26-multiframe. Using the 26-multiframe structure, uplink and downlink traffic channels are separated by 3 bursts. The structure for the 26-multiframe is as follows; 24 frames are reserved for traffic, 1 frame is used for the SACCH (Slow Associated Control Channel), and the last frame is unused to allow the mobile station to perform other functions like measuring signal strength of neighboring cells. There are also TCH/Hs (half rate traffic channels) which also are grouped in a 26-multiframe, but the internal structure is a bit different. Control channels are used for network management and some channel maintenance tasks. There are four different types of control channels defined by the task they perform. BCH channels (Broadcast Channels), CCCH channels (Common Control Channels), DCCH channels (Dedicated Control Channels), and associated control channels. BCH channels are used by the base station to provide the mobile station with sufficient information needed to synchronize with the network. There are 3 different types of BCH channels; BCCH (Broadcast Control Channel) channels, SCH (Synchronization Channel) channels, and FCCH (Frequency-Correction Channel) channels. The BCCH channel gives the mobile station the parameters necessary in order to identify and access the network. The SCH channel gives the mobile station the training sequence needed in order to demodulate the information sent by the base station. Finally the FCCH gives the mobile station the frequency reference of the system in order to synchronize with the network. The CCCH channels are used to establish the calls from the mobile station or the network. Once again, there are three different types of CCCH channels. The PCH (Paging Channel) channel, the RACH (Random Access Channel) channel, and the AGCH (Access Grant Channel) channel. The PCH channel is used to alert the mobile station of an incoming call. The RACH channel is used by the mobile station to request access to the network. Then the AGCH channel is used by the base station to inform the mobile station about which channel it should use, which is the answer of a base station to a RACH from the mobile station. The DCCH channels are used for message exchange between several mobiles and the network. There are two different types of DCCH that can be defined; the SDCCH (Standalone Dedicated Control Channel), and the SACCH (Slow Associated Control Channel). The SDCCH is used in order to exchange signaling information in the downlink and uplink directions, and the SACCH is used for channel maintenance and control. Then finally there is the associated control channel, which composes of the FACCH (Fast Associated Control Channels). The FACCH replaces all or part of a traffic channel when urgent signaling information must be sent. These types of channels carry the same information as the SDCCH channels. So now that we (hopefully) understand how FDMA and TDMA operate under GSM, we can now explore into the third part of the multiple access scheme, frequency hopping. There are two types of frequency hopping. The slow frequency hopping changes the frequency with every TDMA frame, which is used to avoid important differences in the quality of the channels. On the other hand, fast frequency hopping changes the frequency many times per frame. Fast frequency hopping however is not used within GSM, so it is not really important to us. However, in order for frequency hopping to even be used across the network, it has to be approved by the mobile station. Now lets get into speech coding. Speech coding is the most important aspect of a cellular mobile service, so a lot of attention is given into detail. The codec used by this service first and foremost is a codec called RPE-LTP (Regular Pulse Excitation Long-Term Prediction), which uses the information from previous samples in order to predict the current sample. The speech signal itself is divided into blocks of 20 ms. The size of these blocks are of 260 bits. These blocks once divided are then passed to the speech codec, which has a rate of 13 kbps. Next is channel coding, which adds redundancy bits to the original information in order to detect and correct (if possible) the errors occured during transmission. Channel coding uses two codes; a block code and a convolutional code. The block code receives an input block of 240 bits and appends four 0 tail bits at the end of the input block, thus making the block 244 bits. The convolutional code adds redundancy bits in order to protect the information. What makes convolutional code and block code different is the convolutional encoder contains memory. A convolutional code can be defined by 3 variables; n, k, and K. For the sake of your sanity and mine, I will skip over explaining this. If you feel curious enough to read into this, then you can do a google search and find more information on this in your spare time. Interleaving is another function that rearranges a group of bits in a particular way. Within GSM it is used in combination with FEC codes in order to improve the performance of the error correction mechanisms. Again, I'm going to let you look into the details on this function in your own time. There is also burst assembling, which is in charge of grouping the bits into bursts. Then there is ciphering, which might be a topic that may wake a few of you readers up. Ciphering is of course used to protect signaling and user data. This cipher works by computing a ciphering key using the A8 algorithm stored in the SIM card, the subscriber key, and the random number delivered by the network (the same one used in the authentication procedure). Then a 114 bit sequence is produced using the ciphering key, the A5 algorithm and the burst numbers. This bit sequence is then XORed with the two 57 bit blocks of data included in a normal burst. In order to decipher all this correctly, the receiver of the transmission has to use to the same A5 algorithm for the deciphering procedure. Finally for those of you who may want to know, the modulation used with GSM is the GMSK (Gaussian Minimum Shift Keying), which has a rate of 270 5/6 kbauds and a BT product equal to 0.3. There are a few other functions, but I didn't feel that they were necessary for this tutorial so I didn't include them. Now that we're done talking about the transmission function, feel free to take a break real quick to rest your eyes and let your brain process all this in. Smoke a cigarette, eat some junk food, just do whatever you need to do to relax and let all this information I've given you sink in. Finished? All right, let's continue. Now that we are done talking about transmission, the next function we shall discuss is radio resources management. RR is used to establish, maintain, and release communication links between mobile stations and the MSC. The main elements of the RR deal with the base station and the mobile station, but since the MSC needs to deal with handovers, then it also concerned with RR functions. The main procedures involved with RR is channel assignment, change, and release; handovers; frequency hopping; power-level control; discontinuous transmission and reception; and timing advance. However, since we've already gone over most of these functions when talking about transmission, then the only one we really need to concentrate at this point is handovers. Handovers are of course the process of changing the channel or cell that a user is on when they are moving. There are four different types of handovers that are used in these instances. The handover of channels within the same cell, the handover of cells controlled by the same BSC, the handover of cells belonging to the same MSC but controlled by different BSCs, and finally the handover of cells controlled by different MSCs. The first two types of handovers are managed by the BSC, while the MSC is only notified of these handovers. Meanwhile the MSC is in charge of managing the last two mentioned handovers. In order for this handover to work, the mobile station controls its own signal strength and the signal strength of the neighboring cells. These power measurements allow the MSC or BSC to decide which cell is best to use in order to maintain the quality of the communication link. There are two different types of handover algorithms that are used, the 'minimum acceptable performance' algorithm, and the 'power budget' algorithm. The 'minimum acceptable performance' algorithm works by increasing the power level of the mobile when the quality of the transmission is decreased until this increase has no effect on the quality of the signal, which is then when a handover is performed. On the other hand, the 'power budget' algorithm just goes ahead and makes the handover instead of increasing the power level in order to obtain a good communication quality. Well as I said the rest of the RR functions were already discussed when we were talking about transmission, so now lets get into mobility management. MM is in charge of all aspects related with the mobility of a user, specifically the location management and the authentication and security. Location management is performed by performing an update location procedure by indicating it's IMSI to the network when the mobile station is powered on. When a mobile station moves to a different location area or a different PLMN, the location update message is sent to the new MSC/VLR, which then gives this location information to the subscriber's HLR. If this step is authenticated, the HLR cancels the registration of the mobile station with the old MSC/VLR. This location updating is performed periodically, and if after the updating time period the mobile station hasn't registered, then it's deregistered. When a mobile station is powered off, it sends an IMSI detach procedure in order to let the network know that it's no longer connected. Now the authentication procedure is involved with the SIM card and the Authentication Center. A secret key that is stored within the SIM card and the AuC, and the A3 ciphering algorithm mentioned earlier is used to verify the authenticity of the user. The mobile station and the AuC creates an SRES using the secret key, the A3 algorithm, and a random number generated by the AuC. If these two SRESs are the same, then the user is authenticated. Also the AuC checks the equipment identity to see if the IMEI number of the mobile is authorized to the EIR, which if so, the mobile station is allowed access to the network. During the authentication procedure the subscribed services for the user is also checked. Also in order to assure user confidentiality, the user is registered with a TMSI (Temporary Mobile Subscriber Identity) after it's first location update procedure. Now lets talk about communication management. CM is responsible for three different functions within the GSM system. Call control, supplementary services management, and short message services management. Call control is in charge of call establishing, maintaining, and releasing as well as selecting the type of service. One of the most important roles of CC is call routing. In order for a user to reach a mobile subscriber, a user dials the MSISDN (Mobile Subscriber Integrated Services Digital Network) which includes a country code, a national destination code identifying the subscriber's operator, and a code corresponding to the subscriber's HLR. This call is then passed to the GMSC (if the call indeed is originated from a fixed network), which knows the HLR corresponding to a certain MSISDN number. The GMSC then asks the HLR for information needed in call routing, the HLR requests this information from the subscriber's VLR, and this VLR allocates an MSRN (Mobile Station Roaming NUmber) temporarily for the call. This MSRN number is then sent through the HLR to the GMSC, which allows for the call to be routed to the subscriber's current MSC/VLR, and thus the mobile is paged. Now lets talk about the supplementary services management function. This function deals with only the mobile station and the HLR, and is what provides selected services to the subscriber. One function within supplementary services management is call forwarding, which allows a user to forward incoming calls to another number if the mobile is busy. This function call also be applied unconditionally. Another service is call barring. There are many different types of call barring services. BAOC (Barring All Outgoing Calls), BOIC (Barring Outgoing International Calls), BOIC-exHC (Barring Outgoing International Calls except those directed towards the Home PLMN Country), BAIC (Barring All Incoming Calls), and barring all incoming calls when roaming. Then of course there are other services like call hold, call waiting, multiparty service, CLIP (Calling Line Identification Presentation), CLIR (Calling Line Identification Restriction), and other services. I would go into them all, but I want to go ahead and finish up this section so I can continue with the rest of the tutorial. Now short message services management of course in charge of managing the sms service. This service is supported via a Short Message Service Center through two interfaces. One is SMS-MT/PP (the SMS-GMSC for Mobile Terminating Short Messages), and SMS-MO/PP (the SMS-IWMSC for Mobile Originating Short Messages). It's good to note that SMS-MT/PP plays the same role as GMSC. Now onto OAM (Operation, Administration, and Maintenance). OAM is used to allow the operator to monitor and control the gsm system as well as modify the configuration of the properties and elements of the gsm system. OSS, BSS, and NSS all play a part in OAM's operation. Certain components of BSS and NSS provide the information needed by the operator, which is then passed to the OSS, which is in charge of analyzing it and controlling the network. The self test tasks usually carried out by the BSS and NSS are also used by the OAM for certain functions. The BSC, which is in charge of controlling several BTSs is also a part of OAM. Well that concludes it for the functions within the GSM system and for this section. If you have ended this section utterly confused then feel free to read it over. It's not that you need to remember every single component and fact listed in this section, but it helps to have a pretty good understanding of the gsm system, and it's better that the information is here for you to recall on. Just be sure that you have a basic understanding of the information I have provided you before you continue to the next section. Section 3: Exploiting GSM Phones So now that you hopefully have at least a basic understanding of how gsm operates, let's talk about the fun stuff. The first trick I will discuss is an activity that is becoming quite prevalant, SIM cloning. If you have paid attention to any cell phone related tutorials in the past, then you may remember cloning being made popular by certain public figures like Kevin Mitnick in order to place calls on the bill of another subscriber. Well, even with GSM this trick still holds relevant. How could such a flaw exist in a system that is obviously concentrated on preventing such fraudulant use? The flaw is within the COMP128 authentication algorithm used as an instantiation of A3/A8 widely used by gsm providers. Unfortunately for these providers, the COMP128 algorithm is just not strong enough to prevent fraud. We attack the algorithm by using a chosen-challenge attack, which works by forming a number of specially-chosen challenges and querying the SIM card for each one. Then by analyzing the responses from these queries, we are able to determine the value of the secret key that is used for authentication. So how do we perform this attack? Well there are a few things you need before you start. First you will need to buy a SIM card reader, a card programmer, empty silver pic 2 card, and an unregulated adapter, and if you don't have one a 9 pin male to female extension cable. You can probably put a bid on ebay for most of this hardware, or just google up some sites that sell them. You will also need some software for this trick. First you will need a SIM card editor. An excellent piece of software to use in this instance is Cardinal Sim Editor, which you can find (including the crack for it) at the below link... http://www.cracksweb.com/news.php?go=824 Another tool you will is CardMaster, which once again you can find at the below link... http://cardmaster.dk/download2.php Finally what you will need is a SIM card emulator. An excellent example of an emulator to use is SIMEMU, which you can find at the below link... http://simemu.cjb.net/ Note for those of you who feel the need to read the instructions on the site, just go to www.freetranslation.com to translate the web page from Spanish to English. Now let's go ahead and get started shall we. You will first want to plug your SIM Reader into your com port. Then run Cardinal and then click where it says "Click Here" and then click Settings. You will then select your com/serial port and the baud rate. Then you will close this out, and then left click where it says "Click Here", go to smartcard, and click SIM editor. The program will from there start up, and you will go to SIM, then SIM Info, and click the load button. After doing this you will see the IMSI code, take note of this code as you will need it. Now close the SIM Info and go to Security/Find key KI. When this window opens just click Start and wait. It will take approximately 4 hours to find the key. Once it is found take note of this KI and exit. Now you should have the IMSI and KI noted, if so lets continue with the next step. Now take your silver card. Within the unzipped file within you will find two files. SEE50s.hex (EEPROM) and SEF50sEN.hex (PIC). Now connect your programmer to a com port and go to the setup menu on your CardMaster program and choose the appropriate com port. You should then see a yellow rectangle at the bottom of the program that says that there is no card. Now insert your smartcard into the programmer, and the rectangle should change to green and you will see "Card ready". Now go to where it says "Card type:" and select "Silvercard". NOw go to the "File to Pic:" field and upload SEF50sEN.hex, then go to the "File to Eeprom:" field and upload SEE50s.hex. Now go to Edit and click "Auto Program". Now once this is finished you will need to cut the card so that it will fit into the phone. Instructions for how the card needs to be cut is provided on the GSM solutions web site that will be listed in the Sites to Visit section at the bottom of this page. Now insert the newly cut silvercard into the phone. If it asks for a pin just punch in 111. Then from the main menu open up "Sim-Emu". Now from this menu go to Set Phone #, then -GSM #1 (or any slot), then Configure, then Edit #. Now edit GSM #X to any name, and then press ok. Now go to Config.Pos. and it will ask for PIN2, which will be 1234. It will then ask you what position you want the card to be, choose Position 1. It will then ask you for the IMSI, which you will punch in the IMSI you got from Cardinal. It will then ask you for the KI, which again you punch in the KI you got from Cardinal. It will then ask you to enter your PUK which can be anything up to 8 digits. Then it will ask you to enter your PIN which can be anything up to 4 digits. There you go, now you have cloned another SIM card, and are now free to call away all you want to on someone elses bill. There have also been rumors that on certain services there are ways to clone a SIM remotely, but none have been tested so this can't be proven. So now that we're finished talking about SIM cloning, let's get into another trick involving exploiting gsm phones, bluejacking. What is bluejacking you ask? Bluejacking is exploiting the BlueTooth wireless communication system common among PDAs, cell phones, and of course laptops. In essense this is nothing more than a harmless little prank, similar to defacing web sites. For bluejacking gsm phones what we are trying to do is first create a phonebook contact that says something like "haha I haxor3d j00r ph0n3!", and then send it to any bluetooth enabled device in the facinity. This in essense amounts up to at most a harmless little prank, but it's fun to watch their faces when they get the message. However, I won't bother explaining the details of how to bluejack, since the methods are models and manufacturer dependant, and are explained on a site that will be listed at the bottom of this tutorial. Don't believe that the possibilities for exploiting bluetooth enabled gsm phones ends there though. Another activity that we can jump onto is called bluebugging. Bluebugging is the process of sniffing out communication from a bluetooth-enabled cell phone. Like, for example, sms messages. Yup, now you can sit in a coffee shop, open up your laptop, and spy on everyone else who is using their phone. This concept was first introduced to the world in a presentation at DefCon 11, and is now available to the public in the form of a tool called BlueSniff that works as a bluetooth wardriving utility to play big brother. Go to the below address to get a copy of this tool... http://bluesniff.shmoo.com/bluesniff-0.1.tar.gz Another nice tool to use for such means is btscanner, which can be used to gather as much information as possible on a bluetooth-enabled device. Yet again, this wonderful tool can be found at the below address... http://www.pentest.co.uk/src/btscanner-1.0.tar.gz There is also a method known as bluesnarfing, which can be used to gain access into a cell phone to steal files. However, contrary to the media hype surrounding this issue, bluesnarfing tools are NOT freely available for all to take (at least none that I know of). The only known tool to exploit this weakness is Bluesnarf, which is not freely available for download. However, don't let that get you down, since as you can see there are many more bluetooth flaws that we are able to take advantage of. Well that concludes it for this section. As always, hope you all have enjoyed reading this tutorial as much as I enjoyed writing it. So until next time... Section 4: Sites to Visit www.gsmsolutionsltd.com - GSM Solutions ltd. - full information on SIM cloning including how to properly cut the silvercards www.bluejackq.com - a site dedicated to bluejacking www.geocities.com/henrik.kaare.poulsen/gsm.html - a complete guide to how gsm operates Note: For those of you who have any questions or comments and feel the need to reach me then you can do so at protonigg3r@yahoo.com and I will try to get back to you as soon as possible.
Monday, August 22, 2005
Sunday, June 19, 2005
File Crap...
win98se CMGRR-XCBMG-4P8TB-DR9FW-62PFB
win2k xf7dk 7x2wm 2qrct y9r23 4bhdg
winxp_sp1 7QVT6-T2738-WRKJB-YKRFQ-XVK98
winxp_sp2 MMTQX-DHGW3-PVX2H-Y4JMF-KPCCW
office2k3 GWH28 DGCMP P6RC4 6J4MT 3HFDY
irc search: http://packetnews.com/
free_ddlhttp://www.r3mteam.org/
http://www.fixdown.com/
http://soft.ttdown.com/Default.html
http://blueportal.org/
opera8 key:
w-L364W-KNQAE-yNweX-Cxktb-BMWWB
w-vYpCV-jKWbD-Mh7DK-pT3np-NtLUe
w-Xmf8m-6tymh-fHPjm-DemDM-dCPva
w-swtBf-6fVFn-78fSu-jivME-biQkF
w-5nBzw-QXjLb-FKDvj-8QCwP-zYmTS
w-7viSJ-rRUTQ-UnFik-vRNiP-rx5ik
w-TYt5W-BAWzE-eyMAU-7pjRd-kNs7u
http://www.iphone-forum.org/viewtopic.php?t=20818&highlight=pathway+glory+download
http://www.hot.ee/salusoft6/aawsepro.rar
http://dl1.rapidshare.de/files/817492/244/LimeWire_Pro_v4.8.1.exe
FinePrint Enterprise Edition v5.35Name:crskyCode:ZEZX-WCNQ-6PYB
banyak mp3:
http://sanjayd.kicks-ass.net/music/
http://jawhite.rh.ncsu.edu/iTunesMusic/Weezer/Albany,%202_17_02/
http://battou.trix.net/Downloads/
http://www.gamingunderground.com/files/
http://www.rcpix.net/filenuts/fedsfiles/music/
http://67.116.162.14/hslab/mp3/
http://www.alakayonk.com/Music/Full%20Albums/
videos
http://granfaro.blogspot.com/2005/04/622-music-videos-various-from-perfect.html
useful blog
http://wirez.wxcs.com/
http://vincentwashier.blogspot.com/
http://readyouth.blogspot.com/
Camtasia Studio 2.1.2
Name: Noserials.com
Serial: 84F429989A9C616F4E
ebooks
http://greylib.align.ru/libdetectiv.htm
http://preterhuman.net/texts/
open username/pass
http://bugmenot.com/
http://briefcase.pathfinder.gr/view/DidimosGR
triplesixes:
http://www.aloha.net/~mikesch/666.htm
http://www.dayofgod.net/Malachy/malachy.htm
ta links:
http://www.ieinspector.com/httpanalyzer/download/httpanalyzer.exe
http://www.abspdf.com/download/absTools-HTTP.zip
http://ietrace.jumpersoftware.com/index_files/ietracesetup.zip
Ulead VideoStudio v9.01
66A2-89001-11884941173A2-89001-17214513960A2-89000-07969457558A2-89001-38033300
http://www.codeproject.com/dll/inside_a_maze_of_dlls.asp
Login email : biyachat@yahoo.com
Password : 186871052
adobe acrobat pro
http://gradict.kahosl.be/omar.reygaert/download/Adobe%20Acrobat%207.0%20Professional.exe
DVDIdle Pro v5.84
0msbRRtGlEOmHpIgpRU39BOMMgICZAaNzoM5qqfl9Gj1lVOwtxBtxMXmwqN9p9YjNiuLf
6H44dgqGOuSIyELbcq3WPhU9En2uu5dqDY5zfEQ1dNsQho95ehjlhGVupCUUqzEzS7phq
VOvgmdpvQBi67fL0Gu2otS4chZ7Mv3Jjx8=0/7J7ow3ry7xQZxJ9Q+J6xyCLt89v4Ic1pLe2gCbtlRZU9UEkfQHCltsuR47NTyVo+GsG
Z5+fIq656xob3EcNanRgVGazFJsYPt+I8oZXwhhHZ3y4DNxuSc1u7me76dBNiotKhEPwl
EJA86e75TrLrHCcUkQ66ueQ3j+xYtyCQSo=
native_instruments
http://www18.fixdown.com/keydown2003/h-nigrgc-2004-11-25.rar
http://www18.fixdown.com/keydown2003/h-pro53d-2004-12-03.rar
http://www19.fixdown.com/h-nib21e-2004-12-20.rar
http://www19.fixdown.com/h-nx101a-2004-11-11.rar
http://www19.fixdown.com/h-nia311-2005-02-21.rar
http://www19.fixdown.com/h-k20108-2005-04-22.rar
ulead videostudio9From:
http://www19.fixdown.com/ssguvs9b-2005-04-26.rar
cyberlink powerdirectorhttp://www19.fixdown.com/zwtcpd08-2005-03-15.rar
ym6http://cn.download.yahoo.com/dl/ymsgrcn.exe
jar emulatorhttp://kwyshell.myweb.hinet.net/
hi-downloadhttp://www.mp3towav.org/download/HiDownload-Pro.exehttp://cardigans.com/microsites/long.gone.before.daylight/video.html
MASS_DOWNLOADER
Name: softcrew
S/N: dqmafWMUqguBZrEemgNG2I0oJ0cNgsIgXTcVQpjS2j4h9BToXJ+nEKxo7kBTmdjEF+0he
Ju6wAQxiEwsIifsX2saqGpAY3Pr+wAamq
Name: www.softcrew.net
S/N:
dqmadSFBm99XTY++Zo5iZWsMxzeoriSxoZF5WAvaRitO1l0WdbGLwqHPe9mTcspfGvgAe
HXE+79DpvVdknyjG8K2Qs3uNQbFFgA
http://rapidshare.de/files/1838457/CoffeeCup_HTML_Editor_2005-G.rar.html
http://www.rokey.net/v2/dlstuff/TigerDesks.rar
my temporary site: http://www.terserah.bobos.ca/blog
win2k xf7dk 7x2wm 2qrct y9r23 4bhdg
winxp_sp1 7QVT6-T2738-WRKJB-YKRFQ-XVK98
winxp_sp2 MMTQX-DHGW3-PVX2H-Y4JMF-KPCCW
office2k3 GWH28 DGCMP P6RC4 6J4MT 3HFDY
irc search: http://packetnews.com/
free_ddlhttp://www.r3mteam.org/
http://www.fixdown.com/
http://soft.ttdown.com/Default.html
http://blueportal.org/
opera8 key:
w-L364W-KNQAE-yNweX-Cxktb-BMWWB
w-vYpCV-jKWbD-Mh7DK-pT3np-NtLUe
w-Xmf8m-6tymh-fHPjm-DemDM-dCPva
w-swtBf-6fVFn-78fSu-jivME-biQkF
w-5nBzw-QXjLb-FKDvj-8QCwP-zYmTS
w-7viSJ-rRUTQ-UnFik-vRNiP-rx5ik
w-TYt5W-BAWzE-eyMAU-7pjRd-kNs7u
http://www.iphone-forum.org/viewtopic.php?t=20818&highlight=pathway+glory+download
http://www.hot.ee/salusoft6/aawsepro.rar
http://dl1.rapidshare.de/files/817492/244/LimeWire_Pro_v4.8.1.exe
FinePrint Enterprise Edition v5.35Name:crskyCode:ZEZX-WCNQ-6PYB
banyak mp3:
http://sanjayd.kicks-ass.net/music/
http://jawhite.rh.ncsu.edu/iTunesMusic/Weezer/Albany,%202_17_02/
http://battou.trix.net/Downloads/
http://www.gamingunderground.com/files/
http://www.rcpix.net/filenuts/fedsfiles/music/
http://67.116.162.14/hslab/mp3/
http://www.alakayonk.com/Music/Full%20Albums/
videos
http://granfaro.blogspot.com/2005/04/622-music-videos-various-from-perfect.html
useful blog
http://wirez.wxcs.com/
http://vincentwashier.blogspot.com/
http://readyouth.blogspot.com/
Camtasia Studio 2.1.2
Name: Noserials.com
Serial: 84F429989A9C616F4E
ebooks
http://greylib.align.ru/libdetectiv.htm
http://preterhuman.net/texts/
open username/pass
http://bugmenot.com/
http://briefcase.pathfinder.gr/view/DidimosGR
triplesixes:
http://www.aloha.net/~mikesch/666.htm
http://www.dayofgod.net/Malachy/malachy.htm
ta links:
http://www.ieinspector.com/httpanalyzer/download/httpanalyzer.exe
http://www.abspdf.com/download/absTools-HTTP.zip
http://ietrace.jumpersoftware.com/index_files/ietracesetup.zip
Ulead VideoStudio v9.01
66A2-89001-11884941173A2-89001-17214513960A2-89000-07969457558A2-89001-38033300
http://www.codeproject.com/dll/inside_a_maze_of_dlls.asp
Login email : biyachat@yahoo.com
Password : 186871052
adobe acrobat pro
http://gradict.kahosl.be/omar.reygaert/download/Adobe%20Acrobat%207.0%20Professional.exe
DVDIdle Pro v5.84
0msbRRtGlEOmHpIgpRU39BOMMgICZAaNzoM5qqfl9Gj1lVOwtxBtxMXmwqN9p9YjNiuLf
6H44dgqGOuSIyELbcq3WPhU9En2uu5dqDY5zfEQ1dNsQho95ehjlhGVupCUUqzEzS7phq
VOvgmdpvQBi67fL0Gu2otS4chZ7Mv3Jjx8=0/7J7ow3ry7xQZxJ9Q+J6xyCLt89v4Ic1pLe2gCbtlRZU9UEkfQHCltsuR47NTyVo+GsG
Z5+fIq656xob3EcNanRgVGazFJsYPt+I8oZXwhhHZ3y4DNxuSc1u7me76dBNiotKhEPwl
EJA86e75TrLrHCcUkQ66ueQ3j+xYtyCQSo=
native_instruments
http://www18.fixdown.com/keydown2003/h-nigrgc-2004-11-25.rar
http://www18.fixdown.com/keydown2003/h-pro53d-2004-12-03.rar
http://www19.fixdown.com/h-nib21e-2004-12-20.rar
http://www19.fixdown.com/h-nx101a-2004-11-11.rar
http://www19.fixdown.com/h-nia311-2005-02-21.rar
http://www19.fixdown.com/h-k20108-2005-04-22.rar
ulead videostudio9From:
http://www19.fixdown.com/ssguvs9b-2005-04-26.rar
cyberlink powerdirectorhttp://www19.fixdown.com/zwtcpd08-2005-03-15.rar
ym6http://cn.download.yahoo.com/dl/ymsgrcn.exe
jar emulatorhttp://kwyshell.myweb.hinet.net/
hi-downloadhttp://www.mp3towav.org/download/HiDownload-Pro.exehttp://cardigans.com/microsites/long.gone.before.daylight/video.html
MASS_DOWNLOADER
Name: softcrew
S/N: dqmafWMUqguBZrEemgNG2I0oJ0cNgsIgXTcVQpjS2j4h9BToXJ+nEKxo7kBTmdjEF+0he
Ju6wAQxiEwsIifsX2saqGpAY3Pr+wAamq
Name: www.softcrew.net
S/N:
dqmadSFBm99XTY++Zo5iZWsMxzeoriSxoZF5WAvaRitO1l0WdbGLwqHPe9mTcspfGvgAe
HXE+79DpvVdknyjG8K2Qs3uNQbFFgA
http://rapidshare.de/files/1838457/CoffeeCup_HTML_Editor_2005-G.rar.html
http://www.rokey.net/v2/dlstuff/TigerDesks.rar
my temporary site: http://www.terserah.bobos.ca/blog
Sunday, May 22, 2005
Thursday, March 31, 2005
Subscribe to:
Posts (Atom)
