Wiki » History » Version 17

Anonymous, 01/04/2014 05:18 PM

h2. SIMtester

The provided tools assess SIM card security in two dimensions:

* *Cryptanalytic attack surface.* Collect cryptographic signatures and encryptions of known plaintexts, i.e. the material needed for offline cryptanalysis of the card's OTA keys
* *Application attack surface.* Generate a list of all application identifiers (TAR) and find "unprotected" applications, i.e. those with MSL (Minimum Security Level) = 0 that accept OTA commands carrying no cryptographic protection

h3. Requirements

* Java 1.7 (the code can easily be tweaked to compile under Java 1.6 or even lower if needed)
* PC/SC reader (via the pcsc daemon) –or–
* Osmocom phone (via libosmosim)

h3. Download

# "Pre-compiled .jar":https://opensource.srlabs.de/attachments/download/85/SIMTester_v1.5.zip
# "Live-System":https://opensource.srlabs.de/projects/mobile-network-assessment-tools/wiki/GSMmap-live
# "Source code":https://opensource.srlabs.de:/git/SIMtester.git

h3. Instructions

# Download the "Tarball":https://opensource.srlabs.de/attachments/download/85/SIMTester_v1.5.zip –or– "Live-System":https://opensource.srlabs.de/projects/mobile-network-assessment-tools/wiki/GSMmap-live –or– "Source code":https://opensource.srlabs.de:/git/SIMtester.git

h4. Running SIMTester on LiveISO

Choose "Run Test" -> "SIM" from the main menu and follow the on-screen instructions.

h4. Running SIMTester by hand

SIMTester is a Java application (a JAR archive); both sources and binaries are available in the SIMTester git repository (https://opensource.srlabs.de:/git/SIMtester.git).

Unpack the tarball:

<pre>
unzip SIMTester_v1.5.zip
</pre>

You can either compile your own JAR from the sources or run the pre-compiled JAR from the "binaries/" directory like this:

<pre>
java -jar SIMTester.jar <arguments>
</pre>

h5. General options

| command line option | description |
|*@-vp, --verify-pin <pin>@*|verifies the PIN (CHV1) before testing|
|*@-sp, --skip-pin@*|skips PIN verification and ignores permission errors (may produce incomplete results!)|
|*@-dp, --disable-pin <pin>@*|disables the PIN (CHV1), so no PIN database is needed for test cards; the PIN stays disabled on the card until it is re-enabled|
|*@-tf, --terminal-factory <PCSC/OsmocomBB>@*|which reader backend is used to talk to the SIM card|
|*@-ri, --reader-index <index of a reader>@*|selects one of several connected PC/SC readers; the first is 0|
|*@-gsmmap, --gsmmap@*|automatically contribute the results to gsmmap.org|

h5. SIMTester contains 3 main functionalities:

h5. Fuzzer

Uses its own selection logic to fuzz roughly 120 chosen TARs and runs in one of 3 modes:

* Full fuzzing (default) - all 15 keysets with all 16 fuzzing mechanisms
* Quick fuzzing (-qf option) - keysets 1 to 6 with only the 4 most successful fuzzing mechanisms
* Poke the card (-poke option) - same as quick fuzzing but only fuzzes the 3 most common TARs (000000, B00001, B00010)

Custom TARs and keysets can be specified with the *-t* and *-k* parameters respectively (separate multiple values with spaces).

h5. TAR Scanner

Scans for valid TAR (Toolkit Application Reference) values by sending messages to them; it has 2 modes:

* Full scan (-st option) - scans all possible TAR values (0x000000 - 0xFFFFFF); this may take a few hours or several days depending on the speed of your SIM card
* Ranged scan (-str option) - scans for valid TAR values only in pre-specified ranges to shorten the scan

A starting value for the Full scan can be specified with the *-t* option.
The keyset used for the probe messages can be specified with the *-k* option (for both Full and Ranged scans).

Tip: run the Fuzzer first, note which keysets are responsive (i.e. give answers other than none) and use one of those for TAR scanning. If you use an inactive keyset, the card will very probably not answer even on a valid TAR, which makes the scan useless.
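The messages the Fuzzer and the TAR Scanner send are SMS-PP OTA command packets: a header that names the target TAR and, through the key index in the KIc/KID bytes, the keyset (that index is a 4-bit field, which is why there are keysets 1 to 15). The following Python is an added illustration, not SIMTester's or SIMLibrary's code: it serialises and parses such a header as laid out in GSM 03.48 / ETSI TS 102 225 so the fields behind the *-t* and *-k* options are visible. The TARs and keysets used are constructed sample values; when a cryptographic checksum is wanted the caller passes the bytes in, the DES-CBC MAC itself is not computed here.

```python
# Added example (not SIMTester's or SIMLibrary's code): build and decode the
# command packet header of an SMS-PP OTA message as laid out in GSM 03.48 /
# ETSI TS 102 225. Sample values are constructed for illustration.
from dataclasses import dataclass
from typing import Tuple

# SPI octet 1, bits b1-b2: protection the card must find on the command packet
SEC_NONE, SEC_RC, SEC_CC, SEC_DS = 0b00, 0b01, 0b10, 0b11
SPI1_CIPHERED = 0b100                       # b3: command packet is ciphered
# SPI octet 2, bits b1-b2: Proof of Receipt (PoR) policy
POR_NONE, POR_ALWAYS, POR_ON_ERROR = 0b00, 0b01, 0b10
ALG_DES = 0b01                              # KIc/KID bits b1-b2: DES family
DES_CBC = 0b00 << 2                         # KIc/KID bits b3-b4: DES in CBC mode


@dataclass
class CommandHeader:
    spi1: int
    spi2: int
    kic: int
    kid: int
    tar: int                # 3-byte Toolkit Application Reference
    counter: int            # 5-byte CNTR
    padding: int = 0        # PCNTR: padding bytes inside the secured data
    checksum: bytes = b""   # RC/CC/DS; empty when SPI asks for none

    @property
    def keyset(self) -> int:
        """Key index (keyset 1..15) in the high nibble of KID; KIc carries the same."""
        return self.kid >> 4

    def is_unprotected(self) -> bool:
        """No RC/CC/DS and no ciphering: only a TAR with MSL=0 should accept this."""
        return (self.spi1 & 0b111) == 0


def build_packet(tar: int, keyset: int, data: bytes = b"", *,
                 security: int = SEC_NONE, por: int = POR_ALWAYS,
                 por_security: int = SEC_NONE, checksum: bytes = b"") -> bytes:
    """Serialise CPL | CHL | SPI | KIc | KID | TAR | CNTR | PCNTR | RC/CC/DS | data.

    A real CC is a DES-CBC MAC over header and data under the KID key; here the
    caller supplies the checksum bytes (or none for an unprotected probe).
    """
    if not 0 <= tar <= 0xFFFFFF:
        raise ValueError("TAR must fit in 3 bytes")
    if not 1 <= keyset <= 15:
        raise ValueError("key index is a 4-bit field, keysets 1..15")
    if (security == SEC_NONE) != (len(checksum) == 0):
        raise ValueError("SPI security level and presence of RC/CC/DS disagree")
    spi1 = security                          # no ciphering, no counter checking
    spi2 = por | (por_security << 2)         # b3-b4: protection on the PoR
    kic = ALG_DES | DES_CBC | (keyset << 4)  # algorithm, mode, key index
    kid = ALG_DES | DES_CBC | (keyset << 4)
    header = (bytes([spi1, spi2, kic, kid]) + tar.to_bytes(3, "big")
              + (0).to_bytes(5, "big") + bytes([0]) + checksum)
    chl = len(header)                        # 13 + len(checksum)
    cpl = 1 + chl + len(data)                # everything after the CPL field
    return cpl.to_bytes(2, "big") + bytes([chl]) + header + data


def parse_packet(packet: bytes) -> Tuple[CommandHeader, bytes]:
    """Decode a command packet; rejects length fields that do not add up."""
    if len(packet) < 3:
        raise ValueError("truncated packet")
    cpl = int.from_bytes(packet[:2], "big")
    chl = packet[2]
    if cpl != len(packet) - 2:
        raise ValueError(f"CPL {cpl} does not match {len(packet) - 2} bytes after it")
    if chl < 13 or 3 + chl > len(packet):
        raise ValueError(f"CHL {chl} inconsistent with packet length")
    h = packet[3:3 + chl]
    hdr = CommandHeader(spi1=h[0], spi2=h[1], kic=h[2], kid=h[3],
                        tar=int.from_bytes(h[4:7], "big"),
                        counter=int.from_bytes(h[7:12], "big"),
                        padding=h[12], checksum=bytes(h[13:]))
    return hdr, packet[3 + chl:]


def is_wellformed(packet: bytes) -> bool:
    try:
        parse_packet(packet)
        return True
    except ValueError:
        return False


def probe_packets(tars, keysets):
    """Unprotected probes with PoR requested, one per (TAR, keyset) pair: the
    shape of message a TAR scan or a "poke" sends to see which TARs answer."""
    return {(t, k): build_packet(t, k) for t in tars for k in keysets}


if __name__ == "__main__":
    # the three TARs the Fuzzer's -poke mode targets, with keyset 1 (constructed run)
    for (tar, ks), pkt in probe_packets([0x000000, 0xB00001, 0xB00010], [1]).items():
        hdr, _ = parse_packet(pkt)
        print(f"TAR {tar:06X} keyset {ks}: {pkt.hex()} unprotected={hdr.is_unprotected()}")
```

The probe packets ask for a Proof of Receipt while carrying no RC/CC/DS, which is exactly what makes a TAR scan informative: a responsive keyset and a live TAR yield a PoR, an inactive keyset yields silence regardless of the TAR, as the tip above warns.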

h5. APDU Scanner

Scans for valid APDU (Application Protocol Data Unit) values (think of an APDU as a command to the card) on TARs without any public APDU reference; it has 2 modes:

* LEVEL 1 scan (performed automatically after the *Fuzzer* finishes and has found unprotected TARs that respond) - only scans for valid CLA (class) bytes 0x00 - 0xFF; it is performed via OTA (Over The Air) messages.
* LEVEL 2 scan (-sa option) - scans for both CLA (class) 0x00 - 0xFF and INS (instruction) 0x00 - 0xFF; it is performed locally over card I/O on the initially selected application.
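To make the CLA/INS enumeration concrete, here is an added example in Python (not SIMTester's code) that runs LEVEL 1 and LEVEL 2 style scans over a direct card interface against a constructed mock card; SIMTester's LEVEL 1 scan carries the same probes inside OTA messages, which is not modelled here. The decision rule is the ISO/IEC 7816-4 status word: 6E00 (class not supported) and 6D00 (instruction not supported) mean nothing is there, while any other answer (9000, 6700 wrong length, 6A86 wrong P1/P2, 6982 security status not satisfied, ...) shows the card recognised the command even if it refused it. The mock card's commands and status words are made up for the illustration.

```python
# Added example (not SIMTester's code): CLA/INS enumeration behind an APDU
# scan, run over a direct card interface against a constructed mock card.
from typing import Callable, Dict, List

SW_CLA_NOT_SUPPORTED = 0x6E00   # ISO 7816-4: class not supported
SW_INS_NOT_SUPPORTED = 0x6D00   # ISO 7816-4: instruction not supported
SW_OK = 0x9000

Transmit = Callable[[bytes], bytes]   # APDU in, response data + SW1 SW2 out


def status_word(resp: bytes) -> int:
    if len(resp) < 2:
        raise ValueError("response shorter than SW1 SW2")
    return int.from_bytes(resp[-2:], "big")


def scan_cla(tx: Transmit, ins: int = 0x00) -> List[int]:
    """LEVEL 1 style scan: every CLA byte the card does not reject outright."""
    return [cla for cla in range(0x100)
            if status_word(tx(bytes([cla, ins, 0x00, 0x00]))) != SW_CLA_NOT_SUPPORTED]


def scan_cla_ins(tx: Transmit, skip_t0_reserved: bool = True) -> Dict[int, Dict[int, int]]:
    """LEVEL 2 style scan: for each accepted CLA, every INS the card knows, with
    the status word it gave.  INS values 6X and 9X are invalid under ISO 7816
    (they clash with T=0 procedure bytes) and are skipped unless the caller insists."""
    table: Dict[int, Dict[int, int]] = {}
    for cla in scan_cla(tx):
        hits: Dict[int, int] = {}
        for ins in range(0x100):
            if skip_t0_reserved and (ins & 0xF0) in (0x60, 0x90):
                continue
            sw = status_word(tx(bytes([cla, ins, 0x00, 0x00])))
            if sw not in (SW_CLA_NOT_SUPPORTED, SW_INS_NOT_SUPPORTED):
                hits[ins] = sw
        table[cla] = hits
    return table


def make_mock_card(known: Dict[int, Dict[int, int]]) -> Transmit:
    """Constructed card: `known` maps CLA -> {INS -> status word it answers}."""
    def tx(apdu: bytes) -> bytes:
        if len(apdu) < 4:
            return b"\x67\x00"               # wrong length
        cla, ins = apdu[0], apdu[1]
        if cla not in known:
            return SW_CLA_NOT_SUPPORTED.to_bytes(2, "big")
        if ins not in known[cla]:
            return SW_INS_NOT_SUPPORTED.to_bytes(2, "big")
        return known[cla][ins].to_bytes(2, "big")
    return tx


# Sample card (constructed, not a real profile): GSM-style class A0 with
# SELECT / GET RESPONSE / STATUS, plus ISO class 00 where READ BINARY is PIN-protected.
SAMPLE_CARD = {
    0xA0: {0xA4: 0x6700, 0xC0: 0x6F00, 0xF2: SW_OK},
    0x00: {0xA4: SW_OK, 0xB0: 0x6982},
}


def scan_sample() -> Dict[int, Dict[int, int]]:
    return scan_cla_ins(make_mock_card(SAMPLE_CARD))


if __name__ == "__main__":
    for cla, hits in scan_sample().items():
        found = ", ".join(f"INS {i:02X} -> {sw:04X}" for i, sw in sorted(hits.items()))
        print(f"CLA {cla:02X}: {found}")
```

Against a real card the same loop costs 256 exchanges for the CLA pass and up to 256 per accepted class for the INS pass, and some commands change card state or count towards PIN and key retry limits, so run it on test cards you can afford to brick.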

h5. Using OsmocomBB phone as a SIM reader

This requires patched firmware and the libosmosim.so library. The patched sources can be found in the luca/libosmosim branch of the OsmocomBB git tree:

<pre>
git clone git://git.osmocom.org/osmocom-bb.git
cd osmocom-bb/
git checkout luca/libosmosim
</pre>

Once compiled, use the *@layer1.compalram.bin@* firmware and copy *@libosmosim.so@* (from @layer23/src/libosmosim/.libs/@) into a directory on your java.library.path (usually @/usr/lib/jni/@ on Linux); alternatively point the JVM at it with @-Djava.library.path=<directory>@ given before @-jar@.

Then just use *@-tf OsmocomBB@* to turn your Osmocom phone into a SIM card reader for SIMTester.

h5. Contribution to gsmmap.org

A new option *@-gsmmap@* was introduced in version 1.5 to provide upload functionality to gsmmap.org also for users not running the "Live-System":https://opensource.srlabs.de/projects/mobile-network-assessment-tools/wiki/GSMmap-live

Tor can also be used by specifying:

<pre>
java -jar SIMTester.jar -gsmmap -socksProxyHost=127.0.0.1 -socksProxyPort=<tor_port> ... other options ...
</pre>

Note that @socksProxyHost@ and @socksProxyPort@ are also the names of the JVM's own SOCKS system properties; unless SIMTester parses these options itself, the JVM form is @-DsocksProxyHost=127.0.0.1 -DsocksProxyPort=<tor_port>@ placed before @-jar@. Either way, confirm with a packet capture that the upload really leaves through Tor before relying on it.

If you have already scanned your cards *without* the @-gsmmap@ option, you can upload the CSV results SIMTester produced through the web form at http://gsmmap.org/upload.html.

h3. Dependencies

The software uses several libraries; if compiled from source, the following are needed:

* "Apache Commons CLI 1.3":http://commons.apache.org/proper/commons-cli/
* "Apache HttpClient 4.3.x":http://hc.apache.org/
* "CombinatoricsLib 2.0":https://code.google.com/p/combinatoricslib/
* SIMLibrary - available in the git repository along with SIMTester

h3. Mailing list

A public mailing list for announcements and discussion can be found "here":https://lists.srlabs.de/cgi-bin/mailman/listinfo/simsec
Feel free to post your questions, observations or results.