Project

General

Profile

Mobile Network Assessment Tools » History » Version 8

Karsten, 12/23/2013 01:48 PM

1 1 Linus
h2. Overview
2 1 Linus
3 1 Linus
This is a collection of tools for the assessment of mobile network security.
4 1 Linus
It includes:
5 3 Linus
6 3 Linus
* *[[SIMtester]]*
7 8 Karsten
Finds configuration bugs in SIM cards
8 1 Linus
9 8 Karsten
* *[[GSMmap-apk]]*
10 8 Karsten
Android application that collects 2G and 3G network traces from Samsung Galaxy phones
11 8 Karsten
12 3 Linus
* *[[xgoldscanner]]*
13 8 Karsten
Linux application that collects 2G and 3G network traces from Samsung Galaxy phones
14 2 Linus
15 3 Linus
* *[[catcher catcher]]*
16 8 Karsten
Collect evidence of 2G fake base station activity (requires Osmocom phone)
17 1 Linus
18 1 Linus
19 8 Karsten
The tools are included in the *GSMmap-live* system, which auto-submits data for analysis at "GSMmap.org":https://GSMmap.org
20 1 Linus
21 1 Linus
*****
22 2 Linus
23 2 Linus
h2. SIMtester
24 2 Linus
25 8 Karsten
Assess SIM card security in two dimensions:
26 2 Linus
27 8 Karsten
* *Cryptanalytic attack surface.* Collect cryptographic signatures and encryptions of known plaintexts
28 1 Linus
29 8 Karsten
* *Application  attack surface.* Generate a list of all TARs and find "unprotected" (NSL=0) applications
30 2 Linus
* *Spec. compliance*
31 2 Linus
32 2 Linus
h3. Requirements:
33 2 Linus
34 8 Karsten
* Java (TODO: Which Java edition/version?)
35 2 Linus
* PC/SC reader –or–
36 2 Linus
* Osmocom phone
37 2 Linus
38 1 Linus
h3. Download
39 1 Linus
40 3 Linus
Pre-compiled .jar TODO
41 3 Linus
Source Code TODO
42 2 Linus
Live System TODO
43 2 Linus
44 2 Linus
h3. Instructions
45 2 Linus
46 2 Linus
# Download
47 1 Linus
# unpack
48 3 Linus
# run: TODO call
49 3 Linus
* TODO command line parameters
50 3 Linus
51 5 Ben
h3. Mailing list
52 3 Linus
53 8 Karsten
A public mailing list for announcements and discussion can be found "here":https://lists.srlabs.de/cgi-bin/mailman/listinfo/simsec .
54 2 Linus
55 2 Linus
*****
56 2 Linus
57 1 Linus
h2. xgoldscanner
58 2 Linus
59 3 Linus
Actively collect 2G and 3G traces using Samsung Android phones.
60 2 Linus
Log files can be analyzed with Tobias Engel's "xgoldmon":https://github.com/2b-as/xgoldmon tool, which heavily inspired the development of xgoldscanner.
61 2 Linus
62 2 Linus
h3. Requirements:
63 2 Linus
64 2 Linus
* Samsung Galaxy S2 / S3  phone
65 2 Linus
* Micro-USB cable
66 2 Linus
* Linux Computer
67 1 Linus
68 2 Linus
h3. Download:
69 1 Linus
70 1 Linus
* Source Code (bash)
71 1 Linus
* Live System
72 6 Linus
73 6 Linus
h3. Disclaimer
74 7 Karsten
75 6 Linus
The active tests include an active part. First, your phone will place outgoing calls
76 6 Linus
to a dedicated number. This number will always be busy and never answer in order
77 6 Linus
to rule out voice charges as best as we can.
78 6 Linus
79 6 Linus
Secondly, your phone will send SMS short messages via an invalid SMS-C to
80 6 Linus
an invalid number.
81 6 Linus
82 6 Linus
During our tests we have not found a European network that charges for these
83 6 Linus
transactions. However, we can not rule out that you may be charged in specific
84 6 Linus
settings.
85 6 Linus
86 6 Linus
To control for involuntary charges, we strongly advise the use of a dedicated
87 6 Linus
pre-paid SIM card for these tests.
88 1 Linus
89 1 Linus
h3. Instructions
90 2 Linus
91 4 Linus
# Download
92 4 Linus
# unpack
93 4 Linus
# run:  <pre>sudo ./xgoldscanner.sh -n [telephone number, e.g. +491234567]</pre>
94 4 Linus
Optional parameters:
95 4 Linus
*  -g  conduct GPRS test
96 4 Linus
*  -d  display debug messages
97 4 Linus
*  -o  offline mode [skip log upload for manual submission]
98 4 Linus
*  -3  conduct 3G tests only [skip 2G tests]
99 2 Linus
*  -y  assume "yes" to questions and confirmation dialogues [for automated testing]
100 2 Linus
*  -i  <n> repeat each test <n> times (default is 5)
101 2 Linus
102 3 Linus
h3. Advanced usage
103 2 Linus
104 3 Linus
Use Tobias Engel's "xgoldmon":https://github.com/2b-as/xgoldmon tool to analyze log files.
105 3 Linus
106 3 Linus
h3. Mailing list
107 3 Linus
108 5 Ben
A public mailing list for announcements and discussion can be found TODO  "here":http://lists.srlabs.de/cgi-bin/mailman/listinfo/a51 .
109 3 Linus
Please file bugs and support requests through the "issue tracker TODO ":http://opensource.srlabs.de/projects/a51-decrypt/issues/new as they may be of little relevance to the majority of the mailing list subscribers.
110 2 Linus
111 2 Linus
*****
112 1 Linus
113 1 Linus
h2. catcher catcher
114 2 Linus
115 2 Linus
Display mobile network irregularities hinting at fake base station activity.
116 2 Linus
117 2 Linus
h3. Requirements:
118 2 Linus
119 2 Linus
* Osmocom phone
120 1 Linus
* Osmocom serial cable
121 1 Linus
* Linux Computer
122 1 Linus
123 1 Linus
h3. Download:
124 1 Linus
125 2 Linus
* Source Code
126 2 Linus
* Live System
127 2 Linus
128 2 Linus
h3. Instructions
129 2 Linus
130 2 Linus
# Download
131 2 Linus
# unpack
132 2 Linus
# run: TODO call
133 2 Linus
* TODO command line parameters
134 3 Linus
135 3 Linus
h3. Mailing list
136 3 Linus
137 5 Ben
A public mailing list for announcements and discussion can be found TODO  "here":http://lists.srlabs.de/cgi-bin/mailman/listinfo/a51 .
138 3 Linus
Please file bugs and support requests through the "issue tracker TODO ":http://opensource.srlabs.de/projects/a51-decrypt/issues/new as they may be of little relevance to the majority of the mailing list subscribers.
139 1 Linus
140 1 Linus
*****
141 2 Linus
142 2 Linus
h2. GSMmap-apk
143 2 Linus
144 2 Linus
Actively collect 2G and 3G traces using Samsung Android phones.
145 1 Linus
146 1 Linus
h3. Requirements:
147 1 Linus
148 1 Linus
* Samsung Galaxy S2 / S3 phone
149 1 Linus
150 2 Linus
h3. Download:
151 2 Linus
152 1 Linus
* Pre-compiled .apk
153 1 Linus
* Source Code
154 6 Linus
155 6 Linus
h3. Disclaimer
156 6 Linus
157 6 Linus
Our 3G tests include an active part. First, your phone will place outgoing calls
158 6 Linus
to a dedicated number. This number will always be busy and never answer in order
159 6 Linus
to rule out voice charges as best as we can.
160 6 Linus
161 6 Linus
Secondly, your phone will send SMS short messages via an invalid SMS-C to
162 6 Linus
an invalid number.
163 6 Linus
164 6 Linus
During our tests we have not found a European network that charges for these
165 6 Linus
transactions. However, we can not rule out that you may be charged in specific
166 6 Linus
settings.
167 6 Linus
168 6 Linus
To control for involuntary charges, we strongly advise the use of a dedicated
169 6 Linus
pre-paid SIM card for these tests.
170 2 Linus
171 2 Linus
h3. Instructions
172 2 Linus
173 2 Linus
# Install application from App Store
174 2 Linus
# Run
175 3 Linus
176 3 Linus
h3. Mailing list
177 3 Linus
178 5 Ben
A public mailing list for announcements and discussion can be found TODO  "here":http://lists.srlabs.de/cgi-bin/mailman/listinfo/a51 .
179 3 Linus
Please file bugs and support requests through the "issue tracker TODO ":http://opensource.srlabs.de/projects/a51-decrypt/issues/new as they may be of little relevance to the majority of the mailing list subscribers.
180 2 Linus
181 2 Linus
*****
182 1 Linus
183 2 Linus
h2. GSMmap-live
184 3 Linus
185 3 Linus
This live linux system is equipped with all the assessment tools listed above. It furthermore includes
186 2 Linus
It facilitates their use and automatically uploads logs to GSMmap.org.
187 1 Linus
188 1 Linus
h3. Requirements:
189 1 Linus
190 1 Linus
* 64bit-compatible Computer
191 1 Linus
* For each test: Requirements listed above
192 2 Linus
193 2 Linus
h3. Download:
194 2 Linus
195 1 Linus
* Live system image
196 6 Linus
* Source Code
197 6 Linus
198 6 Linus
h3. Disclaimer
199 6 Linus
200 6 Linus
Our 3G tests include an active part. First, your phone will place outgoing calls
201 6 Linus
to a dedicated number. This number will always be busy and never answer in order
202 6 Linus
to rule out voice charges as best as we can.
203 6 Linus
204 6 Linus
Secondly, your phone will send SMS short messages via an invalid SMS-C to
205 6 Linus
an invalid number.
206 6 Linus
207 6 Linus
During our tests we have not found a European network that charges for these
208 6 Linus
transactions. However, we can not rule out that you may be charged in specific
209 6 Linus
settings.
210 6 Linus
211 6 Linus
To control for involuntary charges, we strongly advise the use of a dedicated
212 2 Linus
pre-paid SIM card for these tests.
213 2 Linus
214 2 Linus
h3. Instructions
215 2 Linus
216 2 Linus
# Download
217 2 Linus
# Unpack: <pre>tar xvzf gsmmap-live.img.tar.gz</pre>
218 2 Linus
# Write to stick <pre>dd if=gsmmap-live.img of=/dev/[USB-stick] [bs=1M]</pre>
219 3 Linus
# Boot from stick
220 3 Linus
221 3 Linus
h3. Mailing list
222 3 Linus
223 5 Ben
A public mailing list for announcements and discussion can be found TODO  "here":http://lists.srlabs.de/cgi-bin/mailman/listinfo/a51 .
224 1 Linus
Please file bugs and support requests through the "issue tracker TODO ":http://opensource.srlabs.de/projects/a51-decrypt/issues/new as they may be of little relevance to the majority of the mailing list subscribers.