Scanning and sniffing GSM networks with an SDR

0x00 Environment setup

Platform: Ubuntu 18.04 x64

Hardware: 820T2 & SDR

Install the dependencies

apt install git cmake libboost-all-dev libcppunit-dev swig doxygen liblog4cpp5-dev python-scipy gnuradio gnuradio-dev rtl-sdr librtlsdr-dev osmo-sdr libosmosdr-dev libosmocore libosmocore-dev gr-osmosdr m4 automake

Build gr-gsm

git clone https://github.com/ptrkrysik/gr-gsm.git
cd gr-gsm
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig

Build kalibrate

Pick the version that matches your hardware

kalibrate-hackrf (kalibrate for HackRF)

git clone https://github.com/scateu/kalibrate-hackrf.git
cd kalibrate-hackrf
./bootstrap
./configure
make
sudo make install

kalibrate-rtl (kalibrate for rtl-sdr)

git clone https://github.com/steve-m/kalibrate-rtl.git
cd kalibrate-rtl
./bootstrap
./configure
make
sudo make install

0x01 Scanning for base stations

kal

Scan the GSM900 band

kal -s GSM900 -g 40

gr-gsm (HackRF, BladeRF)

In the built gr-gsm project, the apps directory contains the scripts used to scan for and decode GSM traffic

grgsm_scanner -v

Sniffing

From the scan we obtain the base station's centre frequency, channel, ARFCN, LAC, MCC, MNC and other parameters, as shown below

ARFCN:   34, Freq:  941.8M, CID: 29001, LAC: 16889, MCC: 460, MNC:   0, Pwr: -29
  |---- Configuration: 2 CCCH, not combined
  |---- Cell ARFCNs: 11, 15, 34, 50
  |---- Neighbour Cells: 5, 7, 9, 34, 36, 39, 40, 41, 43, 45, 47, 48, 52, 608, 610, 619, 630, 632, 635

ARFCN:   40, Freq:  943.0M, CID: 29002, LAC: 16889, MCC: 460, MNC:   0, Pwr: -31
  |---- Configuration: 2 CCCH, not combined
  |---- Cell ARFCNs: 7, 18, 22, 40
  |---- Neighbour Cells: 5, 7, 9, 34, 36, 39, 40, 41, 43, 45, 47, 48, 52, 608, 610, 619, 630, 632, 635

The output above shows GSM base station signals found in the 941.8 - 943.0 MHz range
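To make sense of that scanner output as a defender (for example, to inventory which ARFCNs and cell identities are visible at a site and to check that the reported frequencies match the standard ARFCN plan), here is an added Python example that parses the two cells listed above. It is not part of the original post or of gr-gsm; the sample text is copied from the scan above, and the ARFCN-to-downlink mapping is the standard GSM900/E-GSM/DCS1800 one (3GPP TS 45.005), which also covers the DCS1800 neighbour ARFCNs (608 and up) that the scan lists.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the two cells reported by grgsm_scanner above.
SCAN_OUTPUT = """\
ARFCN:   34, Freq:  941.8M, CID: 29001, LAC: 16889, MCC: 460, MNC:   0, Pwr: -29
  |---- Configuration: 2 CCCH, not combined
  |---- Cell ARFCNs: 11, 15, 34, 50
  |---- Neighbour Cells: 5, 7, 9, 34, 36, 39, 40, 41, 43, 45, 47, 48, 52, 608, 610, 619, 630, 632, 635

ARFCN:   40, Freq:  943.0M, CID: 29002, LAC: 16889, MCC: 460, MNC:   0, Pwr: -31
  |---- Configuration: 2 CCCH, not combined
  |---- Cell ARFCNs: 7, 18, 22, 40
  |---- Neighbour Cells: 5, 7, 9, 34, 36, 39, 40, 41, 43, 45, 47, 48, 52, 608, 610, 619, 630, 632, 635
"""


@dataclass
class Cell:
    """One base station as reported by grgsm_scanner (hypothetical record type)."""
    arfcn: int
    freq_mhz: float
    cid: int
    lac: int
    mcc: int
    mnc: int
    power_db: int
    configuration: str = ""
    cell_arfcns: list = field(default_factory=list)
    neighbours: list = field(default_factory=list)


# Header line: "ARFCN:   34, Freq:  941.8M, CID: 29001, LAC: 16889, MCC: 460, MNC:   0, Pwr: -29"
HEADER_RE = re.compile(
    r"ARFCN:\s*(\d+),\s*Freq:\s*([\d.]+)M,\s*CID:\s*(\d+),\s*LAC:\s*(\d+),"
    r"\s*MCC:\s*(\d+),\s*MNC:\s*(\d+),\s*Pwr:\s*(-?\d+)"
)
# Detail lines: "  |---- <key>: <value>"
DETAIL_RE = re.compile(r"\|----\s*([^:]+):\s*(.*)")


def arfcn_to_downlink_mhz(arfcn):
    """Downlink centre frequency for a GSM ARFCN (3GPP TS 45.005 band plan)."""
    if 0 <= arfcn <= 124:            # P-GSM 900
        return 935.0 + 0.2 * arfcn
    if 975 <= arfcn <= 1023:         # E-GSM 900 extension
        return 935.0 + 0.2 * (arfcn - 1024)
    if 512 <= arfcn <= 885:          # DCS 1800
        return 1805.2 + 0.2 * (arfcn - 512)
    raise ValueError(f"ARFCN {arfcn} is outside GSM900/DCS1800")


def parse_scan(text):
    """Turn grgsm_scanner text output into a list of Cell records."""
    cells = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            a, f, cid, lac, mcc, mnc, pwr = m.groups()
            cells.append(Cell(int(a), float(f), int(cid), int(lac),
                              int(mcc), int(mnc), int(pwr)))
            continue
        m = DETAIL_RE.search(line)
        if m and cells:
            key, value = m.group(1).strip(), m.group(2).strip()
            if key == "Configuration":
                cells[-1].configuration = value
            elif key == "Cell ARFCNs":
                cells[-1].cell_arfcns = [int(x) for x in value.split(",")]
            elif key == "Neighbour Cells":
                cells[-1].neighbours = [int(x) for x in value.split(",")]
    return cells


def check_frequencies(cells, tolerance_mhz=0.05):
    """ARFCNs whose reported frequency disagrees with the standard mapping."""
    return [c.arfcn for c in cells
            if abs(arfcn_to_downlink_mhz(c.arfcn) - c.freq_mhz) > tolerance_mhz]


def neighbour_frequencies(cells):
    """Sorted, de-duplicated downlink frequencies of all advertised neighbour cells."""
    return sorted({round(arfcn_to_downlink_mhz(n), 1) for c in cells for n in c.neighbours})


if __name__ == "__main__":
    found = parse_scan(SCAN_OUTPUT)
    for c in found:
        print(f"ARFCN {c.arfcn:4d} -> {c.freq_mhz} MHz  CID {c.cid}  LAC {c.lac}  "
              f"MCC/MNC {c.mcc}/{c.mnc:02d}  Pwr {c.power_db} dB")
    print("frequency mismatches:", check_frequencies(found))
    print("neighbour downlink MHz:", neighbour_frequencies(found))
```

Both cells share LAC 16889 and MCC 460, and their reported frequencies agree with the ARFCN formula (935 + 0.2 x 34 = 941.8, 935 + 0.2 x 40 = 943.0), so check_frequencies returns an empty list; a scanner hit that fails that check, or a cell whose MCC/MNC or LAC does not match the surrounding network, is the kind of anomaly worth flagging when you run this over a site survey.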

Viewing the waterfall with gqrx

gqrx

Under Device, select your own device

In Device String, append

,direct_samp=2

Click OK to enter the gqrx GUI, then click the start button in the top-left corner to begin listening

LICENSED UNDER CC BY-NC-SA 4.0