GSM Hacking: learning the SMS Sniffer

◆0 Preface

Lately I have seen a lot of discussion on Weibo and various forums about GSM hacking, using the open-source osmocombb program and the Motorola C118 phone. I decided to join in and gathered the related material to study it. There really is very little material on this topic in China; most of it covers compiling osmocombb, with nothing deeper such as how to sniff GSM SMS, probably because the subject is too sensitive here in our Great Song Dynasty. Recently, though, http://www.hacklook.com/ has had quite a bit of relevant material worth studying; my thanks to the authors.

◆1 Preparing the tools

The tools needed for this are not expensive. The required materials are:

- a laptop or a virtual machine
- one C118 phone
- one USB2TTL module (FT232RL, CP2102 or PL2303)
- one cable with a 2.5mm headphone plug

A C118 phone costs about 25 yuan on Taobao; no link here, to avoid advertising. The USB2TTL module I use is a PL2303; some articles say it does not work, but it works fine for me. The 2.5mm headphone cable I bought has a plug on both ends; cut it in the middle and attach DuPont connectors, and it can be connected to the USB2TTL module. Total cost is around 30 yuan. Here is the family photo:

Image: 2014091812121754365.jpg

◆2 Build environment

On the PC side I use a virtual machine running Kali Linux. Kali already ships the PL2303 driver, so it is very convenient. I skip the Kali installation. Now build osmocombb.

Install the required packages:

```shell
sudo apt-get install libtool shtool autoconf git-core pkg-config make gcc build-essential libgmp3-dev libmpfr-dev libx11-6 libx11-dev texinfo flex bison libncurses5 libncurses5-dbg libncurses5-dev libncursesw5 libncursesw5-dbg libncursesw5-dev zlibc zlib1g-dev libmpfr4 libmpc-dev
```

Then set up the cross-compilation environment, mainly following this article:

http://bb.osmocom.org/trac/wiki/GnuArmToolchain

Download the osmocombb and libosmocore source:

```shell
cd ~
git clone git://git.osmocom.org/osmocom-bb.git
git clone git://git.osmocom.org/libosmocore.git
```

Build libosmocore:

```shell
cd ~/libosmocore
autoreconf -i
./configure
make
sudo make install
```

Then switch osmocombb to the following branch and build it:

```shell
cd ~/osmocom-bb
git checkout --track origin/luca/gsmmap
cd src
make
```

◆3 Testing

After the build above the environment is more or less ready. Now test it; first make sure of the following steps:

- Plug the USB2TTL module into the computer, then pass it through to the virtual machine.
- Connect one end of the cable with the 2.5mm headphone plug to the phone and the other end to the USB2TTL module.

You can check that the module is recognised with the following command:

```shell
lsmod | grep usb
```

On my side it shows:

```shell
usbserial 23960 1 pl2303
```

With the phone powered off, run:

```shell
cd ~/osmocom-bb/src/host/osmocon/
./osmocon -m c123xor -p /dev/ttyUSB0 ../../target/firmware/board/compal_e88/layer1.compalram.bin
```

Now press the phone's power button briefly, and you will see the following output in the virtual machine:

```shell
got 1 bytes from modem, data looks like: 2f /
got 1 bytes from modem, data looks like: 00 .
got 1 bytes from modem, data looks like: 1b .
got 4 bytes from modem, data looks like: f6 02 00 41 ...A
got 1 bytes from modem, data looks like: 01 .
got 1 bytes from modem, data looks like: 40 @
Received PROMPT1 from phone, responding with CMD
read_file(../../target/firmware/board/compal_e88/layer1.compalram.bin): file_size=56016, hdr_len=4, dnload_len=56023
got 1 bytes from modem, data looks like: 1b .
got 1 bytes from modem, data looks like: f6 .
got 1 bytes from modem, data looks like: 02 .
got 1 bytes from modem, data looks like: 00 .
got 1 bytes from modem, data looks like: 41 A
got 1 bytes from modem, data looks like: 02 .
got 1 bytes from modem, data looks like: 43 C
Received PROMPT2 from phone, starting download
handle_write(): 4096 bytes (4096/56023)
handle_write(): 4096 bytes (8192/56023)
handle_write(): 4096 bytes (12288/56023)
handle_write(): 4096 bytes (16384/56023)
handle_write(): 4096 bytes (20480/56023)
handle_write(): 4096 bytes (24576/56023)
handle_write(): 4096 bytes (28672/56023)
handle_write(): 4096 bytes (32768/56023)
handle_write(): 4096 bytes (36864/56023)
handle_write(): 4096 bytes (40960/56023)
handle_write(): 4096 bytes (45056/56023)
handle_write(): 4096 bytes (49152/56023)
handle_write(): 4096 bytes (53248/56023)
handle_write(): 2775 bytes (56023/56023)
handle_write(): finished
got 1 bytes from modem, data looks like: 1b .
got 1 bytes from modem, data looks like: f6 .
got 1 bytes from modem, data looks like: 02 .
got 1 bytes from modem, data looks like: 00 .
got 1 bytes from modem, data looks like: 41 A
got 1 bytes from modem, data looks like: 03 .
got 1 bytes from modem, data looks like: 42 B
Received DOWNLOAD ACK from phone, your code is running now!
battery_compal_e88_init: starting up
```

Then open another terminal in the virtual machine and run the following command to scan for base stations:

```shell
cd ~/osmocom-bb/src/host/layer23/src/misc/
./cell_log
```

If you see output like the following, a usable base station has been found:

```shell
ARFCN 117: tuning
ARFCN 117: got sync
Cell ID: 460_1_03EE_B130
cell_log.c:248 Cell: ARFCN=117 PWR=-62dB MCC=460 MNC=01 (China, China Unicom)
```

The base station's absolute radio-frequency channel number (ARFCN) is 117. Capture packets with the following command:

```shell
cd ~/osmocom-bb/src/host/layer23/src/misc/
./ccch_scan -i 127.0.0.1 -a 117
```

At the same time, start wireshark to capture:

```shell
sudo wireshark -k -i lo -f 'port 4729'
```

Then filter on gsm_sms packets in the wireshark filter. The picture below shows a captured SMS packet:

Image: 2014091812121754365.jpg

◆4 Finally

This article referred to the following material:

- http://bb.osmocom.org/
- https://srlabs.de/gsm-map-tutorial/
- https://srlabs.de/gprs/
- http://www.hacklook.com/forum.php?mod=viewthread&tid=12
- http://www.hacklook.com/forum.php?mod=viewthread&tid=22

Some points to watch out for:

- Mind the wiring order of the USB2TTL GND/TX/RX pins.
- Confirm that the cross-compilation environment is working properly.

OVER!
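As an added example (my own code, not from the original post or from osmocom-bb), here is a small parser for the `Cell:` summary line that cell_log prints, which also converts the ARFCN to its uplink/downlink carrier frequencies using the standard GSM channel numbering for P-GSM 900, E-GSM 900 and DCS 1800. The regular expression is an assumption based on the single cell_log line shown above, and the sample log text is constructed (the second cell is invented).

```python
import re

# Matches the per-cell summary line cell_log prints once a cell is decoded, e.g.
#   cell_log.c:248 Cell: ARFCN=117 PWR=-62dB MCC=460 MNC=01 (China, China Unicom)
# (pattern assumed from that one line; the operator name in parentheses is optional)
CELL_RE = re.compile(
    r"Cell: ARFCN=(?P<arfcn>\d+) PWR=(?P<pwr>-?\d+)dB "
    r"MCC=(?P<mcc>\d{3}) MNC=(?P<mnc>\d{2,3})(?: \((?P<op>[^)]*)\))?"
)

def arfcn_to_freq(arfcn: int):
    """Return (band, uplink MHz, downlink MHz) for a GSM ARFCN (3GPP TS 45.005)."""
    if 1 <= arfcn <= 124:                    # P-GSM 900, 45 MHz duplex spacing
        ul = 890.0 + 0.2 * arfcn
        return "P-GSM900", round(ul, 1), round(ul + 45.0, 1)
    if arfcn == 0 or 975 <= arfcn <= 1023:   # E-GSM 900 extension below 890 MHz
        ul = 890.0 + 0.2 * (arfcn - 1024) if arfcn else 890.0
        return "E-GSM900", round(ul, 1), round(ul + 45.0, 1)
    if 512 <= arfcn <= 885:                  # DCS 1800, 95 MHz duplex spacing
        ul = 1710.2 + 0.2 * (arfcn - 512)
        return "DCS1800", round(ul, 1), round(ul + 95.0, 1)
    raise ValueError(f"ARFCN {arfcn} is outside the bands handled here")

def parse_cell_log(text: str) -> list:
    """Return one dict per 'Cell:' line; tuning/sync/Cell ID lines are skipped."""
    cells = []
    for line in text.splitlines():
        m = CELL_RE.search(line)
        if not m:
            continue
        arfcn = int(m["arfcn"])
        band, ul, dl = arfcn_to_freq(arfcn)
        cells.append({"arfcn": arfcn, "power_db": int(m["pwr"]),
                      "mcc": m["mcc"], "mnc": m["mnc"], "operator": m["op"] or "",
                      "band": band, "uplink_mhz": ul, "downlink_mhz": dl})
    return cells

# Constructed sample: the lines from the post plus one invented DCS1800 cell.
SAMPLE = """ARFCN 117: tuning
ARFCN 117: got sync
Cell ID: 460_1_03EE_B130
cell_log.c:248 Cell: ARFCN=117 PWR=-62dB MCC=460 MNC=01 (China, China Unicom)
cell_log.c:248 Cell: ARFCN=700 PWR=-85dB MCC=460 MNC=00 (China, China Mobile)
"""

if __name__ == "__main__":
    for c in parse_cell_log(SAMPLE):
        print(c)
```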