Published: 2019-06-25

GSM: Sniffing voice traffic

I wrap up the GSM series with a walkthrough on how to decrypt voice traffic. Voice is the way most people interact on a telecommunications network and therefore a major component of GSM traffic. I’ve explained a lot of the background on GSM communication in the previous posts, so I’ll get right to it.

We will capture the traffic using the HackRF one and the call will take place between two Safaricom lines. The capture will take place on the downlink - that is the receiving end of the call. I’ll use a Blackberry as the receiving device so that I can easily get the TMSI and Kc.

Capturing the traffic

I’ll speed through a lot of these steps as they are similar to the SMS sniffing scenario. I’ll use the Absolute Radio Frequency Channel Number (ARFCN) to specify the radio channel. GSM uses ARFCNs to represent the various frequencies the BTS and the mobile device communicate on. For variety, I’ll use the ARFCN instead of the frequency in the commands I run, as I used the frequency in the previous posts. We begin by getting the ARFCN, TMSI and Kc from the Blackberry. On a Blackberry these are readily available from the engineering screen menu: the ARFCN from the Cell Identity submenu, the TMSI from the Mobile Identity submenu and the Kc from the SIM Browser submenu.

The values I get are:

ARFCN: 17
TMSI: 8D4812F8
Kc: 239E4C213612C000
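To see which carrier an ARFCN such as the 17 above actually selects, here is an added helper (not part of the original post) that maps an ARFCN to its uplink and downlink frequencies for the common GSM bands, following the band definitions of 3GPP TS 45.005. ARFCNs 512 to 810 are valid in both DCS 1800 and PCS 1900, so a band hint is required there.

```python
# Added example (not from the original post): ARFCN -> carrier frequency.
# Band edges and offsets follow 3GPP TS 45.005; values are rounded to 0.1 MHz.

def arfcn_to_mhz(arfcn, band=None):
    """Return (band, uplink_mhz, downlink_mhz) for a GSM ARFCN.

    band: optional hint, 'DCS1800' or 'PCS1900', needed only for the
    overlapping range 512..810 where the two bands share ARFCN numbers.
    """
    if 0 <= arfcn <= 124:                        # P-GSM 900, 200 kHz spacing
        ul = 890.0 + 0.2 * arfcn
        return "GSM900", round(ul, 1), round(ul + 45.0, 1)
    if 975 <= arfcn <= 1023:                     # E-GSM 900 extension band
        ul = 890.0 + 0.2 * (arfcn - 1024)
        return "GSM900", round(ul, 1), round(ul + 45.0, 1)
    if 128 <= arfcn <= 251:                      # GSM 850
        ul = 824.2 + 0.2 * (arfcn - 128)
        return "GSM850", round(ul, 1), round(ul + 45.0, 1)
    if 512 <= arfcn <= 885:                      # DCS 1800 / PCS 1900
        if band == "PCS1900":
            if arfcn > 810:
                raise ValueError("ARFCN %d is outside PCS 1900" % arfcn)
            ul = 1850.2 + 0.2 * (arfcn - 512)
            return "PCS1900", round(ul, 1), round(ul + 80.0, 1)
        if band is None and arfcn <= 810:
            raise ValueError("ARFCN %d is ambiguous: pass band='DCS1800' "
                             "or band='PCS1900'" % arfcn)
        ul = 1710.2 + 0.2 * (arfcn - 512)
        return "DCS1800", round(ul, 1), round(ul + 95.0, 1)
    raise ValueError("ARFCN %d is not in a supported band" % arfcn)

if __name__ == "__main__":
    # The post captures the downlink of ARFCN 17 (a GSM 900 channel).
    print(arfcn_to_mhz(17))
```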

I use the airprobe_rtlsdr_capture module of gr-gsm to capture the voice traffic. I begin the capture by running the following command:

airprobe_rtlsdr_capture.py -a 17 -s 1000000 -g 40 -c voice_capture.cfile -T 150

-a is the ARFCN, -s the sample rate in Hz, -g the gain, -c the output file and -T the duration of our capture in seconds.

I then make a call while the capture is in progress.

Decoding BCCH

As explained in the previous post, in idle mode the phone has to listen on the BCCH to detect traffic to be sent to it. Our aim here is to identify what SDCCH (Standalone Dedicated Control Channel) is used for our call setup.

We first start wireshark, monitor the loopback interface and then run the following command:

airprobe_decode.py -c voice_capture.cfile -s 1000000 -a 17 -m BCCH -t 0

voice_capture.cfile is the file with the voice traffic we captured. We then search for traffic specific to our TMSI in the Wireshark packet details. We look for the paging request and inspect the Immediate Assignment that follows:

Note that it’s SDCCH/8, Timeslot 1.

Decoding SDCCH

We now need to identify the ciphering mode the BTS tells the phone to use. We restart wireshark on the loopback interface and then run the following command specifying SDCCH8 and Timeslot 1:

airprobe_decode.py -c voice_capture.cfile -s 1000000 -a 17 -m SDCCH8 -t 1

We look for a Paging Response followed by a Ciphering Mode Command.

We see that the algorithm in use is A5/1.
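As an added example (not from the original post), here is a small decoder for the Cipher Mode Setting octet of the RR CIPHERING MODE COMMAND that Wireshark shows here, following the layout in GSM 04.08 / 3GPP TS 44.018 (section 9.1.9 with IEs 10.5.2.9 and 10.5.2.10). The sample messages are constructed; the function reports which A5 algorithm the BTS ordered and flags A5/0, A5/1 and A5/2 as weak, which is what an operator-side monitor would want to alert on.

```python
# Added example (not from the original post): decode a CIPHERING MODE COMMAND.
# Layout (TS 44.018): octet 1 = skip indicator (high nibble) + protocol
# discriminator (low nibble); octet 2 = message type; octet 3 = cipher mode
# setting (bits 1-4) + cipher response (bits 5-8).

RR_PD = 0x06                    # Radio Resource management protocol discriminator
CIPHERING_MODE_COMMAND = 0x35   # RR message type

# Algorithm identifier (bits 4-2 of the cipher mode setting, valid when SC=1)
ALGO_NAMES = {0: "A5/1", 1: "A5/2", 2: "A5/3", 3: "A5/4",
              4: "A5/5", 5: "A5/6", 6: "A5/7"}
# Defender's view: A5/0 is no encryption, A5/1 and A5/2 are practically broken.
WEAK_ALGORITHMS = {"A5/0", "A5/1", "A5/2"}

def parse_ciphering_mode_command(msg):
    """Decode the layer-3 bytes of a CIPHERING MODE COMMAND.

    Returns a dict with start_ciphering, algorithm, imeisv_requested and weak.
    """
    if len(msg) < 3:
        raise ValueError("message too short")
    if msg[0] & 0x0F != RR_PD:
        raise ValueError("not an RR message (PD=0x%X)" % (msg[0] & 0x0F))
    if msg[1] != CIPHERING_MODE_COMMAND:
        raise ValueError("not a CIPHERING MODE COMMAND (type=0x%02X)" % msg[1])
    setting = msg[2] & 0x0F
    sc = setting & 0x01                 # bit 1: 1 = start ciphering
    algo_id = (setting >> 1) & 0x07     # bits 4-2: algorithm identifier
    cr = (msg[2] >> 4) & 0x01           # cipher response bit 1: IMEISV wanted
    algorithm = ALGO_NAMES.get(algo_id, "reserved") if sc else "A5/0"
    return {"start_ciphering": bool(sc), "algorithm": algorithm,
            "imeisv_requested": bool(cr),
            "weak": algorithm in WEAK_ALGORITHMS}

# Constructed samples (not captured traffic):
SAMPLE_A51 = bytes([0x06, 0x35, 0x11])   # SC=1, A5/1, IMEISV requested
SAMPLE_A50 = bytes([0x06, 0x35, 0x00])   # SC=0, no ciphering (A5/0)
SAMPLE_A53 = bytes([0x06, 0x35, 0x05])   # SC=1, algorithm id 010 = A5/3

if __name__ == "__main__":
    for sample in (SAMPLE_A51, SAMPLE_A50, SAMPLE_A53):
        print(sample.hex(), parse_ciphering_mode_command(sample))
```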

Decoding TCH

TCH is the Traffic Channel in GSM and is used to carry voice traffic and data. It can be either full rate (TCH/F) or half rate (TCH/H). You can read up more on it elsewhere.

We now restart wireshark on the loopback interface and run the following command:

airprobe_decode.py -c voice_capture.cfile -s 1000000 -a 17 -m SDCCH8 -t 1 -e 1 -k 0x23,0x9E,0x4C,0x21,0x36,0x12,0xC0,0x00

-e 1 specifies the algorithm A5/1, -k 0x23,0x9E,0x4C,0x21,0x36,0x12,0xC0,0x00 specifies the Kc.

On wireshark we first look for the Call Control Setup traffic and we can actually see the calling party number as below.

A bit down the capture we should see an Assignment command. We see that the voice call is assigned to Timeslot 7 and the Traffic Channel is full rate (TCH/F).

Decoding the voice traffic

We can now finally decode the voice traffic by running the following command:

airprobe_decode.py -c voice_capture.cfile -s 1000000 -a 17 -m TCHF -t 7 -e 1 -k 0x23,0x9E,0x4C,0x21,0x36,0x12,0xC0,0x00 -d FR -o speech.au.gsm

-m TCHF specifies the traffic channel, -t 7 the TCH/F timeslot, -d FR specifies the voice codec of the channel as full rate, and -o speech.au.gsm specifies the output file.

speech.au.gsm contains the voice traffic. We convert it to an audio file using toast as follows:

toast -d speech.au.gsm

We will get a file called speech.au which we can play back and listen to the captured voice call :).

Alternative method

Alternatively, one could use the original airprobe modules instead of gr-gsm with the same results. The original modules had issues with the HackRF and later GNU Radio versions. I however did some patching, and you can clone the patched version from my GitHub.

The equivalent commands for the whole process starting from decoding BCCH to decoding voice are:

./go.sh voice_capture.cfile 64 0B
./go.sh voice_capture.cfile 64 1S 239E4C213612C00001
./go.sh voice_capture.cfile 64 7T 239E4C213612C00001
toast -d speech.au.gsm

That concludes the GSM radio series for now. Till next time, happy hacking!

Original link: https://www.ckn.io/blog/2016/01/25/gsm-sniffing-voice-traffic/

This article is reposted from K1two2's cnblogs blog; original link: http://www.cnblogs.com/k1two2/p/8484716.html. Contact the original author for reprint permission.