layer2/3 ported to target? paging attack code?


hcother
Hey, I finally watched Nico's talk "let me answer that for you" and heard him say he ported layer2/3 to target.

Also found a mailing list message about him cleaning it up and putting it up on git and sending it to a few folks.

Did that code ever get shared? Would be cool to play around with and is certainly something I would eventually want to accomplish for my project of making a phone that works by itself.

-Craig


Re: layer2/3 ported to target? paging attack code?

Sylvain Munaut
Hi,

On Tue, Sep 3, 2013 at 7:01 PM, Craig Comstock <[hidden email]> wrote:
> Hey, I finally watched Nico's talk "let me answer that for you" and heard
> him say he ported layer2/3 to target.

No.

He implemented a very basic l2/l3 that just did exactly what the
attack needed (which in comparison to the whole 'mobile' application
is very little) and nothing more.

Cheers,

    Sylvain


Re: layer2/3 ported to target? paging attack code?

hcother
Sure,

I suspected as much but had to ask. :)

For the time being I'll probably keep my focus on nuttx-bb and/or making a UI prototype in osmocom to see how it feels.

Thanks,
Craig




Re: layer2/3 ported to target? paging attack code?

Tim Ehlers
On Tue, 3 Sep 2013, Craig Comstock wrote:

Hi,

> I suspected as much but had to ask. :)

but anyhow, the code would be interesting. :)

Cheers

Tim


Re: layer2/3 ported to target? paging attack code?

tsaitgaist
Excerpts from Tim Ehlers's message of 2013-09-04 14:07:55 +0200:
> On Tue, 3 Sep 2013, Craig Comstock wrote:
>
> Hi,
>
> > I suspected as much but had to ask. :)
>
> but anyhow, the code would be interesting. :)

The code is available here
http://tinyurl.com/fun-with-paging
(apply on osmocom changeset 4f0acac4c1fa538082f54cb14bef0841aa9c8abb)

but as Sylvain said, it's not a complete layer2/3 port to the phone.
It only handles the paging requests (and a bit of SMS)

Kevin

>
> Cheers
>
> Tim


Re: layer2/3 ported to target? paging attack code?

Dario Lombardo-2
Anyone tried it? I've downloaded the patch and applied it to the changeset you said. Compilation is ok. Should it generate new images to dump to phone? I can see only standard targets.
Dario



Re: layer2/3 ported to target? paging attack code?

Tim Ehlers
On Wed, 4 Sep 2013, Dario Lombardo wrote:

Hi,

> Anyone tried it? I've downloaded the patch and applied it to the
> changeset you said. Compilation is ok. Should it generate new images to
> dump to phone? I can see only standard targets.
> Dario

yes, as I can see, the rssi Target has been modified. So you need to load that
target with the modified osmocon, which opens another UNIX-Socket
/tmp/osmocom_mi to read the victim's TMSI. With "*" you can toggle the
attack modes, which are DETACH, PAGING, RANGE_PAGING, ALL_PAGING,
STEAL_SMS.

My only problem is, that I can't find out how to send the TMSI over the
Socket. If I only send the TMSI with e.g. socat, I get

Err from socket: Bad address

from osmocon...

What am I missing?

Cheers

Tim


Re: layer2/3 ported to target? paging attack code?

tsaitgaist
Sorry, here are the scripts to push the values


Attachments: push-tmsi.sh (351 bytes), push-kc.sh (447 bytes), push-range.sh (416 bytes)

Re: layer2/3 ported to target? paging attack code?

Tim Ehlers
On Wed, 4 Sep 2013, Kevin Redon wrote:

Hi Kevin,

> Sorry, here are the scripts to push the values

wow, ok. So I need to send "\x00\x04" and then the 4 hex values!

Thanks for everything! I'll try to understand the code a bit now. :)

Cheers

Tim


Re: layer2/3 ported to target? paging attack code?

Dario Lombardo-2
In reply to this post by tsaitgaist
On Wed, Sep 4, 2013 at 10:08 PM, Kevin Redon <[hidden email]> wrote:
> Sorry, here are the scripts to push the values

Is the software expected to say something when the tmsi is correctly pushed?

Re: layer2/3 ported to target? paging attack code?

Tim Ehlers
On Thu, 5 Sep 2013, Dario Lombardo wrote:

Hi,

> On Wed, Sep 4, 2013 at 10:08 PM, Kevin Redon <[hidden email]> wrote:
> > Sorry, here are the scripts to push the values
>
> Is the software expected to say something when the tmsi is correctly
> pushed?

         printf("changing victim TMSI to: ");
         for (i = 0; i < msg->len && i < 4; i++) {
                 victim_tmsi[i] = msg->data[i];
                 printf("%02x ", victim_tmsi[i]);
         }
         puts("\n");

Best

Tim

Re: layer2/3 ported to target? paging attack code?

Dario Lombardo-2
Thanks.

Do the POWER indications work for you? Regardless of the arfcn I enter, I always get -110.
Using RSSI from master, I can get -76 from the strongest cell (arfcn = 1).



Re: layer2/3 ported to target? paging attack code?

Tim Ehlers
On Thu, 5 Sep 2013, Dario Lombardo wrote:

Hi Dario,

> Do the POWER indications work for you? Regardless of the arfcn I enter, I always get
> -110.
> Using RSSI from master, I can get -76 from the strongest cell (arfcn = 1).

I only tried one Cell (which is one of the strongest here) from O2 Germany
in my Location and Power says -68, which is (nearly) the same as
osmocombb-mobile says for that cell. So yes, I think it is working...

Best

Tim

Re: layer2/3 ported to target? paging attack code?

Dast
This post has NOT been accepted by the mailing list yet.
In reply to this post by tsaitgaist
Is it possible to have the source code of all these attacks on osmocom?
> attack modes, which are DETACH, PAGING, RANGE_PAGING, ALL_PAGING,
> STEAL_SMS.

Re: layer2/3 ported to target? paging attack code?

alex
This post has NOT been accepted by the mailing list yet.
Has anyone tried this code? It looks like it works, but in reality it does not.

Re: layer2/3 ported to target? paging attack code?

sillymonkey
This post has NOT been accepted by the mailing list yet.
I'm facing a problem. I applied the patch and compiled successfully. However, whenever I tried to load the firmware into the phone I got an ftmtool error. I thought it was because of the cable, so I tried to load the original firmware with the original osmocon app, same cable of course, and it worked perfectly. So I reversed what I did, compiled again and ran osmocon, and still got the ftmtool error. So the problem is not the cable, not the patch. The problem is the osmocon app itself. Am I right? Does anyone know what the problem is? Is it some kind of code-change prevention?