Oops, I fell for that one :-)
Re Pavol: I don't think it would be that hard; most of the important pieces are public. Sending an SMS, waiting for the confirmation and correlating the TMSI with the layer23 output is simple, and the principle is nicely explained in that talk. The sniffing itself: if channel hopping is not in use, it should be relatively simple; the DSP patch that captures 4 timeslots at once and ignores encryption is public, and so is the L1 infrastructure for invoking it. So ideally two phones on the downlink, two phones on the uplink, I watch the BCCH for Paging Request / Immediate Assignment and follow it to another frequency if needed. With channel hopping it will be a bit more complicated, but it is already implemented there for calls, so that should work too. Converting the dump to audio: Sylvain promised to release it once he cleans it up.

SysOp.

On 01/05/11 15:27, Pavol Luptak wrote:
> First of all, read Sylvain Munaut's mail quoted below.
>
> Those phones will be completely useless to you if you are buying them for GSM sniffing games,
> because the tools for that are not public (and won't be!)
> Unless, of course, you write the tools yourself (which requires reading
> hundreds of PDF GSM specifications :)
>
> I wrote some info about this here too:
> https://www.nethemba.com/sk/blog/-/blogs/nove-trendy-v-gsm-odpocuvani
>
> Pavol
>
>
>>> On Fri, Dec 31, 2010 at 05:29:36PM +0100, Sylvain Munaut wrote:
>>>
>>>> Hi,
>>>>
>>>>
>>>> Since a lot of people are asking the same questions and there seems to
>>>> be a rush on the C123 on ebay I thought some clarification is needed.
>>>>
>>>>
>>>> Short version:
>>>> - The exact tools I used on stage are _not_ and will _not_ be
>>>> released (or sold ... several people asked ...)
>>>> - Anyone willing to re-code them without any a priori knowledge of
>>>> GSM would most likely need months to read/understand both the
>>>> specifications and the way the code works. (That's thousands of pages
>>>> of GSM spec and thousands of lines of code)
>>>> - Osmocom-BB project is not designed to be a sniffer, it's a baseband
>>>> implementation, I just used part of it as a base.
>>>>
>>>> So basically, unless you are really interested in GSM and are willing
>>>> to dedicate time to understand it deeply and to contribute to the various
>>>> projects, there is not much point in you buying phones, or hanging out
>>>> in the ml/irc or whatever ...
>>>>
>>>>
>>>> For those who are still reading and interested here's a little more
>>>> detail:
>>>>
>>>> * The HLR query step:
>>>> -> Go watch the awesome 25C3 talk about it
>>>>
>>>> * The TMSI recovering step
>>>> - Won't be published
>>>> - If you know how paging works, you know what to do anyway and it's
>>>> trivial. Method is in the talk, there is nothing to it.
>>>>
>>>> * The targeted sniffing application
>>>> - Won't be published either
>>>> - Some improvements to the layer23 app framework will be done but
>>>> these are generic framework stuff, not app-specific
>>>> - Again, if you know how L2 works and have looked at several traces,
>>>> it's obvious what to do.
>>>> - The 'DSP' part of the sniffer has been public for a while with a small
>>>> demo app (single phone and doesn't exploit the full potential of the
>>>> DSP patch) and it's perfectly sufficient to debug things on your own
>>>> controlled network. (This is basically what I showed at Deepsec 2010).
>>>>
>>>> * The tool to generate the input to Kraken
>>>> - Won't be published either
>>>> - Making the guesses is easy for anyone that knows what he's doing.
>>>>
>>>> * The improved Kraken
>>>> - No idea about it, see with Karsten / Sacha / Frank, I only got
>>>> access to it 1 hour or so before the talk :)
>>>>
>>>> * Conversion from burst to audio
>>>> - This was hacked software mostly built on airprobe code.
>>>> - The exact app will not be released but I'd like to see the
>>>> capability put in some clean library we can re-use from airprobe and
>>>> other applications without having to multiply the code each time.
>>>> - ... But since I'd like it to support AMR and Viterbi soft output
>>>> before that happens, it could take some time.
>>>> - Anyone familiar with GSM, airprobe and C could re-hack the same
>>>> thing in an hour ...
>>>>
>>>> As you can see, everything you need to analyze your own network / your
>>>> own traffic, even at the burst level, is already published and has been
>>>> for more than a month.
>>>> The other tools have been written only so that we could demonstrate
>>>> that what we have _said_ is possible for about a year, we can now do
>>>> _practically_. It's apparently needed to get people's attention;
>>>> "theoretical" attacks are not enough to get the operators / GSMA to
>>>> react. We'll see if that did it ...
>>>>
>>>>
>>>> A few pieces of advice that are always good:
>>>>
>>>> - Make sure to check out the a5/1 project ML and airprobe project ML and
>>>> try to ask your questions in the proper mailing list as much as possible.
>>>> - Check the wiki and mailing list archives thoroughly before asking
>>>> questions.
>>>>
>>>> Cheers,
>>>>
>>>> Sylvain Munaut
>>>>
>>>>
>>>> PS: I only posted on this list because it seems a lot of people were
>>>> pointed here while in fact airprobe would probably be more appropriate
>>>> to discuss attack scenarios and such, so make sure to answer / start
>>>> new discussions on the right list.
>>>>
>>>>
>>
>
> On Wed, Jan 05, 2011 at 01:48:21PM +0100, Tomas Holenda wrote:
>
>> Hi,
>> I found the Motorola C139 on ebay, they have a lot of them there at a
>> reasonable price. Does anyone have PayPal and an ebay account so you
>> could buy it?
>>
>>
>> http://viewitem.eim.ebay.cz/Crystal_Case_Kristall_Handyhlle_Motorola_C139_C_139/350214590351/item
>>
>>
>> SysOp.
>>
_______________________________________________
Brmlab mailing list
[email protected]
http://rover.ms.mff.cuni.cz/mailman/listinfo/brmlab
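The TMSI-correlation step SysOp describes above (send an SMS, watch the BCCH/CCCH for the Paging Request it triggers, repeat until one identity stands out), as an added example that is not code from anyone in this thread, from Osmocom-BB or from airprobe. The message layouts follow 3GPP TS 44.018 (Paging Request Type 1) and TS 24.008 (Mobile Identity IE); the (timestamp, frame) log shape, the 5-second window, the frame builder and every TMSI and timestamp below are assumptions constructed for the example, not real captures.

```python
"""
Added example: decode Paging Request Type 1 frames from the CCCH and find
the identity that is paged right after every SMS sent to the target.
Layouts follow 3GPP TS 44.018 9.1.22 and TS 24.008 10.5.1.4; the log
format, window size and all sample frames are constructed assumptions.
"""
from collections import Counter
from typing import List, Optional, Tuple

RR_PD = 0x06                  # RR protocol discriminator
PAGING_REQUEST_TYPE1 = 0x21   # RR message type
MOBILE_IDENTITY_2_IEI = 0x17  # optional second identity in the same page
PADDING = 0x2B                # CCCH frames are padded to 23 octets


def decode_mobile_identity(ie: bytes) -> str:
    """Decode a Mobile Identity IE value to 'TMSI:xxxx' or 'IMSI:digits'."""
    if not ie:
        return "none"
    id_type = ie[0] & 0x07
    if id_type == 0x4:                      # TMSI/P-TMSI: 0xF4 then 4 octets
        if len(ie) != 5:
            raise ValueError("TMSI identity must be 5 octets")
        return "TMSI:" + ie[1:].hex()
    if id_type in (0x1, 0x2, 0x3):          # IMSI / IMEI / IMEISV, packed BCD
        odd = (ie[0] >> 3) & 1              # bit 4: odd number of digits
        digits = [str(ie[0] >> 4)]          # digit 1 is the high nibble of octet 1
        for b in ie[1:]:
            digits.append(str(b & 0x0F))    # next digit in the low nibble ...
            digits.append(str(b >> 4))      # ... the one after in the high nibble
        if not odd:
            digits.pop()                    # even count: last high nibble is 0xF filler
        name = {1: "IMSI", 2: "IMEI", 3: "IMEISV"}[id_type]
        return name + ":" + "".join(digits)
    return "none"                           # 'no identity' or reserved type


def decode_paging_request_type1(frame: bytes) -> List[str]:
    """Return the identities paged by one Paging Request Type 1 frame."""
    if len(frame) < 5 or (frame[0] & 0x03) != 0x01:
        raise ValueError("missing L2 pseudo-length octet")
    body = frame[1:1 + (frame[0] >> 2)]     # pseudo length excludes rest octets
    if len(body) < 4 or body[0] != RR_PD or body[1] != PAGING_REQUEST_TYPE1:
        raise ValueError("not a Paging Request Type 1")
    # body[2] holds page mode / channels needed; irrelevant for correlation
    ids = []
    pos = 3
    n = body[pos]                           # Mobile Identity 1 is LV-coded
    ids.append(decode_mobile_identity(body[pos + 1:pos + 1 + n]))
    pos += 1 + n
    if pos < len(body) and body[pos] == MOBILE_IDENTITY_2_IEI:
        n = body[pos + 1]                   # Mobile Identity 2 is TLV-coded
        ids.append(decode_mobile_identity(body[pos + 2:pos + 2 + n]))
    return ids


def build_paging_request_type1(tmsi1: bytes, tmsi2: Optional[bytes] = None) -> bytes:
    """Constructed-frame builder, used only to fabricate the sample capture."""
    body = bytes([RR_PD, PAGING_REQUEST_TYPE1, 0x00]) + bytes([5, 0xF4]) + tmsi1
    if tmsi2 is not None:
        body += bytes([MOBILE_IDENTITY_2_IEI, 5, 0xF4]) + tmsi2
    frame = bytes([(len(body) << 2) | 0x01]) + body
    return frame + bytes([PADDING]) * (23 - len(frame))


def correlate_paging_with_sms(paging_log: List[Tuple[float, bytes]],
                              sms_sent_at: List[float],
                              window: float = 5.0) -> List[Tuple[str, int]]:
    """Rank paged identities by how many SMS sends they followed within
    `window` seconds.  The target's TMSI follows every send; bystanders
    that happen to be paged in one window score once."""
    hits = Counter()
    for t_sms in sms_sent_at:
        seen = set()
        for t_page, frame in paging_log:
            if t_sms <= t_page <= t_sms + window:
                seen.update(decode_paging_request_type1(frame))
        hits.update(seen)
    return hits.most_common()


# --- constructed sample capture (assumed timings and TMSIs) -----------------
TARGET = bytes.fromhex("c0ffee42")
SMS_SENT_AT = [10.0, 40.0, 70.0]            # three SMS sent to the target number
PAGING_LOG = [                               # (capture time, CCCH frame)
    (11.5, build_paging_request_type1(TARGET, bytes.fromhex("11223344"))),
    (23.0, build_paging_request_type1(bytes.fromhex("11223344"))),
    (41.2, build_paging_request_type1(bytes.fromhex("55667788"), TARGET)),
    (58.0, build_paging_request_type1(bytes.fromhex("55667788"))),
    (71.9, build_paging_request_type1(TARGET)),
    (72.4, build_paging_request_type1(bytes.fromhex("99aabbcc"))),
]

if __name__ == "__main__":
    for ident, count in correlate_paging_with_sms(PAGING_LOG, SMS_SENT_AT):
        print(f"{ident}  paged after {count}/{len(SMS_SENT_AT)} sends")
```

On a busy cell a single send is never enough, since several unrelated subscribers are paged in any 5-second window; that is why the scorer counts across sends and why the lone TMSI that reaches the full count is the candidate. The decoder deliberately checks the L2 pseudo-length octet and the RR message type first, so frames for other CCCH messages (Immediate Assignment, Paging Request Type 2/3) raise instead of yielding garbage identities.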
