A GSM SMS base station experiment with OpenBTS

admin, 2024-10-22 15:43:34

Re-upload

For radio and network security study and exchange only! Using this technique for illegal purposes is strictly forbidden; violators bear the consequences themselves!
A follow-up to the hole I dug in 2020; for various reasons it is coming out four years late.
[screenshot]
This technique is probably already dated; more interesting things will be explored on the HackRF later.
Follow if you like it. As for when that will come out, I don't know either: one year if fast,
five years if slow; n^n years in special cases.

The setup tutorial is omitted (a web search turns up plenty). This is a long post that will be filled in slowly; since I am not from a telecom background some parts may be poorly written, so please bear with me. This is done purely out of hobby interest.

Prerequisites

  • Ubuntu 20.04.03 (LTS)

  • a53

  • osmocom-bb

    • requires an ARM cross-compilation environment

  • libosmocore

  • libosmo-dsp

  • libtalloc-dev (lib talloc)

  • OpenBTS

For details of the osmocom-bb branches see https://osmocom.org/projects/baseband/wiki/Branches. The official wiki is very thorough; if your English is good you can reproduce the whole thing directly from it.

The branch used here is sylvain/testing:

It is possible to turn Calypso based phone into a small BTS. The transceiver application and corresponding firmware should be used in OpenBTS or OsmoBTS setup. See CalypsoBTS for details.

Packages that osmocom-bb depends on:

```
libtalloc-dev libtirpc-dev libfftw3-3 libfftw3-dev libfftw3-doc autoconf libtool libosip2-dev libortp-dev libusb-1.0-0-dev g++ sqlite3 libsqlite3-dev erlang libreadline6-dev libncurses5-dev libtool shtool autoconf git-core pkg-config make gcc libpcsclite-dev gnutls-dev libmnl-dev libsctp-dev
```

If the build fails with the following error:

```
/root/gsm_openbts/osmocom-bb/src/target/firmware/include/stdint.h:32:23: error: conflicting types for ‘int64_t’
   32 | typedef long long int int64_t;
      |                       ^~~~~~~
In file included from /usr/include/stdint.h:34,
                 from /usr/lib/gcc/x86_64-linux-gnu/9/include/stdint.h:9,
                 from /root/gsm_openbts/osmocom-bb/src/target/firmware/include/stdint.h:19,
                 from ../../include/osmocom/core/signal.h:4,
                 from ../../src/signal.c:21:
/usr/include/x86_64-linux-gnu/bits/stdint-intn.h:27:19: note: previous declaration of ‘int64_t’ was here
   27 | typedef __int64_t int64_t;
      |                   ^~~~~~~
In file included from ../../include/osmocom/core/signal.h:4,
                 from ../../src/signal.c:21:
/root/gsm_openbts/osmocom-bb/src/target/firmware/include/stdint.h:33:32: error: conflicting types for ‘uint64_t’
```

open osmocom-bb/src/target/firmware/include/stdint.h and change it as shown in the screenshot below (the firmware's own stdint.h is colliding with the host's glibc stdint.h).

[screenshot]

After the change, run ./configure and then make.

[screenshot]

In short: set up the ARM cross-compilation environment, build libosmocore and libosmo-dsp, and then set up OpenBTS.

Put simply, a fake base station works like this: criminals use black-market equipment to imitate the signal of a nearby cell tower; once a phone attaches, they capture identifiers such as the IMEI and IMSI (the international mobile equipment and subscriber identities) and can then use the phone's identity to mount a series of further attacks.

The most effective defences against fake base stations include the following. First, enable the phone's network lock so that it only connects to known carrier networks; second, update the phone's operating system and apps regularly to patch security vulnerabilities; third, use strongly encrypted communication tools (such as end-to-end encrypted chat apps) for important information; in addition, use a VPN on public networks to improve privacy; finally, keep an eye on mobile security apps, which can monitor for and warn of possible fake base station threats in real time. Together these measures effectively reduce the risk. (ChatGLM; an awesome, extremely useful, very good large model, awesome, recommended, awesome, good.)

Making the BTS send Chinese messages

Reference: the paper "OpenBTS for dummies" by Axelle Apvrille.

By default OpenBTS cannot send Chinese text; if you force it, the phone shows garbage. I emailed Axelle about sending Chinese but was not satisfied with the reply, so I later modified the original script myself until Chinese could be sent, although with a limit on the number of characters.

[screenshots]

Getting OpenBTS to send Chinese is actually simple, but you must modify the source code yourself: open OpenBTS/CLI/CLI.cpp and add the following (from this commit):

https://github.com/fairwaves/openbts-2.8/commit/faf14b0e9ad4673b64d28e2038bdab90d69fcefb

```cpp
/** Submit an SMS for delivery to an IMSI. */
int sendsmspdu(int argc, char** argv, ostream& os)
{
	if (argc<4) return BAD_NUM_ARGS;

	char *IMSI = argv[1];
	char *srcAddr = argv[2];
	string rest = "";
	// Concatenate the remaining arguments into the raw PDU string (no separators).
	for (int i=3; i<argc; i++) rest = rest + argv[i]; //+ " ";
	const char *txtBuf = rest.c_str();

	if (!isIMSI(IMSI)) {
		os << "Invalid IMSI. Enter 15 digits only.";
		return BAD_VALUE;
	}
	Control::TransactionEntry *transaction = new Control::TransactionEntry(
		gConfig.getStr("SIP.Proxy.SMS").c_str(),
		GSM::L3MobileIdentity(IMSI),
		NULL,
		GSM::L3CMServiceType::MobileTerminatedShortMessage,
		GSM::L3CallingPartyBCDNumber(srcAddr),
		GSM::Paging,
		txtBuf);
	// Mark the body as a raw 3GPP SMS PDU instead of plain text.
	transaction->messageType("application/vnd.3gpp.sms");
	Control::initiateMTTransaction(transaction,GSM::SDCCHType,30000);
	os << "message submitted for delivery" << endl;
	return SUCCESS;
}
```

and register the command:

```cpp
addCommand("sendsmspdu", sendsmspdu, "IMSI src# PDU message... -- send PDU SMS to IMSI, addressed from source number src#.");
```

After that, a simple PDU-building script is all that is needed; python-smspdu can be used as a starting point and modified.

This sends an SMS to IMSI 208304424439206, from 24567, with text "Test".
Finally, it is also possible to have phones send SMS to each other:

  • Register the phone. This step must be done if you get this error in smqueue logs (and the corresponding
    SMS on your phone):

[screenshot]

Given that this technique is, broadly speaking, possibly, perhaps, most likely already obsolete, and that it involves some sensitive elements,

none of the scripts mentioned above will be released.

How to defend

  • If you notice that your phone has been downgraded to a slower network (for example the network name shows "OpenBTS", or the phone drops to 2G), switch off the mobile network immediately, move to a different location, and reconnect to a nearby legitimate base station.

  • Some media outlets advise switching the phone off at night or enabling flight mode. In practice this achieves little, because some phones, once hijacked, can no longer receive SMS anyway. Besides receiving suspicious SMS, a fairly clear sign of attack is the signal switching back and forth between 4G and 2G. Switching off at night or enabling flight mode can also raise other fraud risks or leave family and friends unable to reach you in an emergency. A safer approach is to turn off the mobile signal and use only your home or office Wi-Fi: you stay reachable online, and it makes sniffing somewhat harder.

Forensic analysis of the leftover log

Sample name: 2016.log

MD5: 61aa4478bb128f8ea6736e09f26c4f24

Size: 538 MB (564,635,221 bytes)

Sample data

```
Jun  4 06:25:23 ubuntu openbts: INFO 3075847888 OpenBTS.cpp:483:main: received command "addsms 1401834316 10651086117 0101111001111000011110011000111101010001011101100101101110011110010111111000100001111011100000000101001101010101111111110001101001010011111000110110111000110100010011101000011001010101100111010110011101101111011011000011010001101101101001100110110110100110010101011000100111111111000011000111000011100110011000000111110001100101111101100101010000101100010101000010110010010111111100110100111001010000100011110111101110001111011110110110011101111110111111110000110001110101101100100101000000100110011001011111011001010111001010000110100100000101010011100000101001100010010100110100111000101010011101101111100111111111000011000101101110001001100101110101100110010001110011000110001011111111100011010111011101100010010010110110011100111010010100111101000101100111011000010111011111101101010011111110000101100011110100001001000110010010010011110110000011111111000110100101100100101001010011101010111001001110100001101111111100001100010110010111110110001101011101110101111010001010010011101000011011111111000000010111100101011101010011110110000001101011110011110101100100101001010110010111110101011111110000110110000011000101" from
```

A decoding script was written by reversing the publicly available encoding code of the system (the payload turns out to be the message text in big-endian UCS-2, written out as ASCII '0'/'1' bits).

[screenshot]

```php
<?php
// The original called an undefined str_base_convert(); this helper converts the
// bit string to hex one nibble at a time. PHP's base_convert() cannot be used
// here because it goes through a float and loses precision on long inputs.
function str_base_convert($s, $from, $to)
{
    if ($from != 2 || $to != 16)
        return '';
    $hex = '';
    foreach (str_split($s, 4) as $nibble)
        $hex .= dechex(bindec($nibble));
    return $hex;
}

function decode($s)
{
    $l = strlen($s);
    if ($l % 16 != 0)          // every UCS-2 code unit is exactly 16 bits
        return '';
    $s = str_base_convert($s, 2, 16);
    $s = hex2bin($s);          // hex text -> raw big-endian UCS-2 bytes
    $s = mb_convert_encoding($s, 'UTF-8', 'UCS-2');
    return $s;
}
```
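The same decoding as a small log-analysis tool, written here as an added example (it is not the post's own script, nor part of OpenBTS). It pulls every `addsms` command out of openbts log lines in the shape shown above, rejects payloads whose bit length is not a whole number of 16-bit UCS-2 units, decodes the rest, and reports how many UCS-2 code units each message uses against the 70-unit single-SMS limit that the earlier "character limit" remark refers to. The log lines, the destination number, the source address and the bit payloads are all constructed for this example; the `redact_numbers` helper masks long digit runs the way the post masks phone numbers.

```python
import re

# Constructed log lines in the shape of the page's openbts entry. The destination
# number, source address and payload bits are made up for this example.
SAMPLE_LOG = """\
Jun  4 06:25:23 ubuntu openbts: INFO 3075847888 OpenBTS.cpp:483:main: received command "addsms 123456789012345 10000 0100111101100000010110010111110100000000010011110000000001001011" from
Jun  4 06:25:24 ubuntu openbts: INFO 3075847888 OpenBTS.cpp:483:main: received command "addsms 123456789012345 10000 0100111101100000010110" from
Jun  4 06:25:25 ubuntu openbts: INFO 3075847888 OpenBTS.cpp:483:main: received command "tmsis" from
"""

# addsms <destination> <source address> <payload as ASCII '0'/'1' bits>
ADDSMS_RE = re.compile(r'received command "addsms (\d+) (\d+) ([01]+)"')

# A single SMS carries 140 user-data octets; with the UCS-2 alphabet that is 70 code units.
UCS2_SINGLE_SMS_UNITS = 70


def bits_to_ucs2_text(bits: str) -> str:
    """Decode a '0'/'1' string as big-endian UCS-2 (the same transform as the PHP decode())."""
    if len(bits) % 16 != 0:
        raise ValueError(f"payload of {len(bits)} bits is not a whole number of 16-bit UCS-2 units")
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return raw.decode("utf-16-be")


def redact_numbers(text: str) -> str:
    """Mask long digit runs the way the post does (156***521): keep the first and last three digits."""
    return re.sub(r"(\d{3})\d{4,}(\d{3})", r"\1***\2", text)


def parse_addsms(log_text: str) -> list:
    """Extract every addsms command from the log text and decode its payload."""
    records = []
    for line in log_text.splitlines():
        m = ADDSMS_RE.search(line)
        if not m:
            continue
        dest, src, bits = m.groups()
        units = len(bits) // 16
        rec = {
            "dest": dest,
            "src": src,
            "units": units,
            "fits_single_sms": units <= UCS2_SINGLE_SMS_UNITS,
            "text": None,
            "error": None,
        }
        try:
            rec["text"] = bits_to_ucs2_text(bits)
        except ValueError as exc:
            rec["error"] = str(exc)   # keep the record so the malformed entry is still visible
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in parse_addsms(SAMPLE_LOG):
        if rec["error"]:
            print(f"{rec['src']} -> {rec['dest']}: undecodable ({rec['error']})")
        else:
            print(f"{rec['src']} -> {rec['dest']} [{rec['units']} units]: {redact_numbers(rec['text'])}")
```

Run it as a script against a real openbts log by replacing `SAMPLE_LOG` with the file contents; messages longer than 70 units are flagged because they could not have been delivered as one UCS-2 SMS.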

Data 1

0101111001111000011110011000111101010001011101100101101110011110010111111000100001111011100000000101001101010101111111110001101001010011111000110110111000110100010011101000011001010101100111010110011101101111011011000011010001101101101001100110110110100110010101011000100111111111000011000111000011100110011000000111110001100101111101100101010000101100010101000010110010010111111100110100111001010000100011110111101110001111011110110110011101111110111111110000110001110101101100100101000000100110011001011111011001010111001010000110100100000101010011100000101001100010010100110100111000101010011101101111100111111111000011000101101110001001100101110101100110010001110011000110001011111111100011010111011101100010010010110110011100111010010100111101000101100111011000010111011111101101010011111110000101100011110100001001000110010010010011110110000011111111000110100101100100101001010011101010111001001110100001101111111100001100010110010111110110001101011101110101111010001010010011101000011011111111000000010111100101011101010011110110000001101011110011110101100100101001010110010111110101011111110000110110000011000101

Decoded:

幸福其实很简单:口渴了喝杯水润润喉,烦恼时听听音乐轻轻松,疲倦时在椅上打个盹,安静里拿起手机发条短信提醒你:天亮了,好起床了!祝你每天好心情

Data 2

1000110110000101010111100000001001100101001101101001010011110110011111001111101101111110110111111111111100001100100010011110011001011100010011111001100100010000100110010110111001110000101110011000001111011100011111001111101101111110110111111111111100001100011101010001110001010100110000010101100101110110100000110011011001100101001101101001010011110110100010111011111001011001000001111111111100001100011001110000100101010001011100110110010100110110100101001111011001110110100001001001010111101110100110001001100001101011001000101000111111001110010101001010100010001011111000100110010100110110100101001111011001001110000100110101101110110110000000000011000100000000001101010000000000110110000000000011000000000000001101010000000000111000000000000011100000000000001110000000000000110101000000000011001000000000001100010101000101101000010110010101011110001011101111100101100100000111010100011110110101110111111011010100111111100001011100100111100101001110111101110000000000110010000000000011011000000000001100000000000000110000010101000010101110001111110110111001010100000000010110110101100001111011101000010111010000000110

Decoded:

超市收银系统,触屏餐饮点菜系统,甜品奶茶收银设备,有关收银的问题欢迎咨询收银专家156***521(已码)全套设备凭短信特价2600含进销存管理


Data 3

01110101000111110101010001111101010110011000001001101100101100111111111100001100011101010010100001011111111010110100111001010000011001000100011001101110001000011111111100011011010011101011101001110101000111110101100110000010011010110100110011111111000011000111010100101000011010001010011001100000111100110101010000011111010101010011000111111111000110110110010111100101010110110101000001011001100000100101110001110001111111110000110001110101001010000101001010101010010100101001101101100101000000000111011001111011111111110001101101011100100000010110011100001000010110011000001001100010000011111111111100001100011101010010100001110111000111110101111111000011011011110001010001111110110011101111111100011011011000100001000001010010100111110101100110000010010100010100100111111111000011000111010100101000010011101101100001010001111110101001000111000111011001000101100011111111000110110101001111001011011000001100010101011001100000100110100000010001111111110000110001110101001010000111011100011111100010111101101001010100011101010110001010100100001100000000001001011110001110000110000001101000011001110000100001101110111000010101001000011001010011101000111110000010101100010110111011100001010100100001100101010001110010111111111100001100010011110101010101011111110001010101100100101010100011111100011110001011101000011000111110000011001100000000001001110101001010000101011101100110100000110110000101110110100001000101111111000011111111110000110010001101011100000101111001111000011110011000111101110110100001001000110111101111111111110000110001100001001111110100111101100000010111111110101101001110010100000110001111100001010101110010100001100010010010111111111100001100010110010111110110001111110100001000111010101011100011111011100101110101010110011111111100001100010111100111100001111001100011110111011011111000010011110011010010001101011100001111111100000001

Decoded:

生命如河,用快乐摆渡;人生如歌,用梦想吟唱;日子如山,用努力攀登;岁月如戏,用真心演绎;成功如光,用付出采摘;友情如树,用真诚呵护。常恨月满则亏花满则凋,何必太过计较。用坦荡的心,走幸福的路,愿你快乐握在手,好运身边留,幸福相伴走!

Data 4

01110011110011010110000011011100010011101000011011111111000011001000000011111101011000101110010101100111000010011111111100011011010011101101100001010001111110100100111010000110111111110000110001100111000010010101011011011110011000101010010111111111000110111000110101110000100011111100011101001110100001101111111100001100010011100000110101010100000011100110000010010100001100000000001001100111000010110101001111001011111111110000110001100001001111110100111101100000100011010111000001011001011111010111010100011111010101000111110101110110100001000110101111001111010011100000000001101011011001011111111100001100010111100111100001111001100011110101111111101011010011100101000001101011110011110100111000000000010110010010100111111111000000010100111000001101011001100010111101101011110011111000111101101110100000100111001110010110001100111001000011111101011001101001011001001110101110101111111100001100010011100000110101100110001011110110101111001111011100100100011101001110010011000100111010010001100100001111110101001110000010111001011011101000111111110000110001100101111000100111000100110110010100011011001101011011100110100100111000001101010011101000011001010100011111011000111111010000011101101000010001010011101110110101010000010001111111110000110010010000101000110101110000110001100011100000111110001110000011110101101110011110010110111001111001010111001100001000110101110000010110010111110101101011110011110100111000000000010110010010100111111111000011001000101111110111011101101111100001001111111000011111111100011010011000100001000101110110100001000111100101011101011110011000111101100110001011110110011100000000011101110001111101110110100001001111111100000001

Decoded:

珍惜了,能拥有;付出了,有回报;走过了,不后悔。朋友,愿你走好生命的每一步,幸福快乐每一天!不是每轮艳阳都暖人,不是每片乌云都下雨,既然决定不了命运的去向,那就踏踏实实地走好每一天,请相信:我的祝福是最真的!

Data 5

10001011110110100100111010100100010100110101010110001110101010110101100101110011010110001110101111111111000011000000000000110010000000000011000000000000001011010000000000110011000000000011010101011100100000011111111100001100000000000101000100000000010100010000000000110011000000000011001000000000001101100000000000110101000000000011100100000000001110000000000000111000000000000011100100000000001101100000000000100000

Decoded:

诚交单身女士,20-35岁,QQ3*****

Data 6

010011101100101001011001001010011001011000110101100101101110100000000000001000000000000000110010000000000011000111111111010111100000000000110010000000000011100000100001000000111111111100001100100110001100111001010010100110111111111100011010100010010111111101010011010101111001100011001110000000000011001001111110101001111111111100001100011011100111111101011110101001101111111100011010000000000011100100000000001100000000000000100101111111110000110010010110010011010110110000110100011010011000001001110011100001111111111100011010000000000011011100000000001100000000000000100101001100000000001001100110000011100101100100101001010011100010110110010110111010001111111100001100000000000011001000000000001100100000000000101101000000000011001000000000001101010010000100000011100110001100111001010010100110111111111100011010010011100001110001010011010101111001100011001110010111111010111010011000110011100000000000100000

Decoded:

今天阵雨 21~28℃,风力:西南风2级,湿度:90%,降水概率:70%。明天中雨,22-25℃风力:东南风微风

References

  • https://sites.google.com/site/yimpleteam/Home/developement/pdu-ge-shi

  • http://vitruvianhub.co.za/Content/fordummies.pdf

  • http://gnuradio.microembedded.com/openbtssms

  • https://github.com/0x7678/OpenBTS

  • https://github.com/ttsou/openbts-p2.8

  • https://www.cnblogs.com/k1two2/p/8315208.html

  • https://blog.csdn.net/weixin_34032827/article/details/89758718

  • https://github.com/cheviwinner/openbts-uhd/commit/216ade372ce9b1c4695ad5ae311a4e27346391a5

Originally published on the WeChat public account Gh0xE9: 基于OpenBTS的GSM短信基站实验

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site assumes no legal or joint liability. For any issues, contact us by email (preferably from a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).
Reprints should keep the link to this article (CN-SEC中文网; thanks to the original author): https://cn-sec.com/archives/3301112.html