On 25/07/10 19.40, Harald Welte wrote:
> Sure. But this hasn't really changed much in a number of years for now.
> The various projects that form airprobe are around for 2-3 years (at least),
> and none of the people who have managed to reproduce the setup have
> decided to write documentation or improve the projects much.
>
Ok, I just ordered USRP1 + DBRX + Antenna with express shipping and I'm seeing to retrieve a copy of the 2TB rainbow tables. So I should be equipped to be able to run with both OpenBTS and Airprobe.

When the hardware arrives I will start playing with it to get enough basic knowledge of the software setup and see which difficulties I will encounter, documenting the setup process, what would require better explanation and basic tool usage in a "howto" approach.

I hope that most of the information would be provided also by Karsten in the BH talk, in order to make even easier the job of writing down a howto for non-gsm-protocol-stack-coders and non-hardcore-cryptoanalysts. :-)

> sure, but you can just work with existing capture/sample files of GSM and
> work on them. Of course you shouldn't do this on real-world data from
> real-world operators - but there are more than 70 people who have bought
> an inexpensive Siemens BS-11 BTS plus more people with ip.access nanoBTS
> who can run OpenBSC (which has encryption + authentication support) and
> establish encrypted calls on such a cell. Samples from that traffic
> can legally be distributed without any legal issues. And everyone can
> test, play with and improve the software tools before he decides on buying
> any hardware.
>
Let's discuss the legal framework in more detail.

I think that basically it's just illegal to receive and transmit on exclusively licensed frequencies such as 900mhz and 1800mhz, independently from the fact that you are listening and cracking your own SIM card connected to your mobile operator.

So in theory also making TX/RX with a Siemens BS-11 BTS or ip.access nanoBTS would just be illegal.

I am going to write to the mailing list of the Italian Lawyer Association for IT Laws (www.csig.it) to check and get a picture about it regarding Italian laws (or whether there's some Europe-wide regulation).

I know for sure that there are 2 different authorizations, one for being a ham radio operator (TX/RX on certain freq.) and one for being a radio listener (for which I don't know if there are freq. limits).

Are there in Germany specific rules related to:
- Acquiring permission for research
- Acquiring permission for limited radio emission
- Acquiring permission for radio listening
?

If there's a legal framework that allows transmitting and receiving on those frequencies, which kind of law interpretation affects the differences between listening to your own BTS and listening to the mobile operator's BTS by cracking the SIM card of your own subscription? You are on the same frequency in both cases.

I think that regarding the privacy and monitoring laws, if I am aware of the tapping or I am authorized by the owner of the subscription, the subject's privacy would not be broken.

So, given the permission to make radio listening on certain frequencies, there would be different accusations related to listening to mobile operator specific channels (given that you are listening only to yourself).

Additionally, does airprobe allow to filter precisely which on-air data to dump (a specific IMSI) or does it read and work on other radio streams that do not strictly relate to the specific IMSI connection?

For example with WiFi hacking and cracking you are listening on the 2.4ghz frequency spectrum where a lot of APs exist, but you record and crack only the data related to the AP or user you want to hack (and for which you may be authorized).

>> @ Airprobe is a GSM network sniffer whose online documentation refers to USRP1
>>
> ACK. You can use any frontend, and you can also use it with USRP2. In fact,
> you can use it with any
>
Ok, I got the point.

But just now, does the code that can be downloaded from the SVN already work with USRP1 and with USRP2, or does it require code hacking to basically work with one of them?

And will both USRP1 and USRP2 be usable with the upcoming airprobe improvements, or is there some code logic that's specific to USRP1 or USRP2?

If both are compatible, which are the practical advantages/disadvantages of using USRP1 compared to USRP2 for playing with airprobe?

>> @ OpenBSC is a Base Station Controller (BSC) to be used with BTS Siemens
>> BS11 microBTS and ip.access nanoBTS and requires an E1 telephony card for
>> interconnection
>>
> E1 only in case of the BS11
>
On the BTS procurement, which are the most accessible sources (shops, distributors, etc) to acquire it in Europe (or even in South America, USA and Asia)? That way we can provide hints on how to get the hardware for the BTS.

>> @ A community / system for Rainbowtable distribution that can scale-up
>> to hundreds of users
>>
> ACK.
>
Something on this must be written; I'll try to sketch up in the upcoming weeks a doc with a possible process to handle a hard-disk-based transfer protocol (in practical terms).

>> Did I understand properly or is there something else?
>>
> It might be worth publishing a summary paper that covers all the available
> tools, just like your outline above.
>
>> @ About missing code of airprobe / other tools?
>> Regarding what's still missing, would it be reasonable also to provide
>> some bounties like "Google summer of code" for specific features /
>> modules?
>>
> I don't think bounties will help. There should be plenty of people with
> motivation, but apparently not enough people with the combination of
> available time, skill set and "self-esteem" (i.e. they can do it even
> if there is no 1:1 detailed instructions they can follow)
>
ACK

>> @ About documentation
>> I am available to come for a weekend with the proper hardware (within
>> Europe), together with whoever has the deep project knowledge, to prepare a
>> setup from scratch, by writing in the meantime the documentation for the
>> hw/sw setup for those who don't know anything about the internals/details of
>> the projects but want to start playing with it.
>> It's summer and a weekend of hacking is always a pleasure :-)
>> That's still a critical point today imho, to let people (like me that
>> know about protocols and security but are not hardcore low-level code
>> hackers) start playing with it at a higher level.
>>
> I'm quite sure that people like Karsten, Dieter and/or myself would be
> available for running such a workshop (i.e. speaking at it).
>
Now I'll get the hardware and later will try some attempts to make everything work and will bother the list again with issues, writing down any information collected in a howto.

Besos,
Fabio Pietrosanti (naif)

_______________________________________________
A51 mailing list
[email protected]
http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
