Thursday, June 26, 2014

Evil Twin [GSM Style]

Now I have an evil twin... lol, not exactly what you think, me having another like me only evil? Hell no; in a security sense/point of view.... an evil twin, from Wikipedia [full article]:

Evil twin is a term for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up to eavesdrop on wireless communications.[1]
An evil twin is the wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted hotspot by posing as a legitimate provider.
This type of evil twin attack may be used to steal the passwords of unsuspecting users by either snooping the communication link or by phishing, which involves setting up a fraudulent web site and luring people there.[2]

Works as above. Now I actually saw a demo of this at AfricaHackOn (the first information security conference in Africa) on the 28th of February 2014, where hackers named Casper and D3crapt did the demo on stage, faking Wi-Fi connections and pulling off a major MITM attack on unsuspecting people. With this knowledge I found it quite interesting and wanted to take it a notch further, and you know what :) .... I succeeded. What I wanted to do was simply achieve the same attack, but not on a small scale like Wi-Fi, no... a bigger scale, say GSM (SMS/voice/data/mobile-payment platforms) [the whole 9 yards].

Did I make it? Now I know that's the main question, but let's look at MITM (Man In The Middle attack) first:

The man-in-the-middle attack (often abbreviated MITM, MitM, MIM, MiM, MITMA) in cryptography and computer security is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point, can insert himself as a man-in-the-middle).

Now with this info we know what attack we are carrying out, as Evil Twin really relies on MITM, and most of all we do want data, right? And do all the variables check out?

Let's see:

  • GSM: relies heavily on the same concept as Wi-Fi; no, actually Wi-Fi relies heavily on the same structure GSM was/is built on, so if it works for Wi-Fi ... it might work for GSM.
  • GSM (for a successful MITM): a man-in-the-middle attack can succeed only when the attacker can impersonate each endpoint to the satisfaction of the other — it is an attack on mutual authentication (or lack thereof).
  • Evil Twin (create a fake broadcast channel/transmission unit)
  • MITM: capture sessions, data and even encryption methods
Now.... what works ... well, long story short, everything, alas....
Now materials:
Hardware .... in the case of Wi-Fi, routers (the broadcast station); in the case of GSM, SDRs (software defined radios).
Now here's a tricky bit where I will throw in tonnes of comparison. For SDRs we have:

  • USRP ---> Expensive (I kid you not), around 2500 USD for a full good set ... after that it has enough documentation to set up, run, configure, tweak and create applications (so easy after purchasing it), and it has been ported to nearly every single platform out there (Mac, Linux and Windows).
  • RTL-SDR ---> Enter the familiar and easy to configure, cheap, affordable RTL. This is a DVB TV USB tuner that will act as an SDR; owww, trust me, it's powerful and cheap at 20 USD or less, has a lot of documentation and has been ported to nearly every single platform out there (Mac, Linux and Windows).
  • OsmocomBB ---> These are specific devices used to run special firmware that will do wild things on GSM frequencies, and when I say wild, owwww, I mean wild, from acting as phones (Calypso based: Motorola C113, C115, C139, C123; these phones are ultra cheap, costing 20 dollars or less). But the real price to pay is probably the following.... nearly primitive code (oww, it's good code, but oww, you will pay with a whole read-up of how raw GSM works; like, I've been here for 14 or so months and I've not fully mastered the whole thing yet), no documentation (ok there is, but it's new, so expect quite a few faults). In short, not the best thing to start off with as a noob (sadly, as this is what we will use).
  • Now there are other options (sadly I won't recommend them as yet, as I am yet to get my hands on them [talking about BladeRF, HackRF and others]).
Ok so we have hardware, and we have software, which I've also listed alongside its hardware.

What we need to do... I guess now it's basically setup > run, or what else?

Ok we can learn, but I'm already on my second full page scroll and we ain't done nothing yet.... Setup is easy if you ask me (ok it wasn't when I started, but talk to me and I can give you a script to do all that :) alright), moving on....

After the setup, what do we expect :) ...

HAVOC.... ok ok I'm on sugar... let's relax...

Set up a fake BTS (an evil twin) capable of intercepting mobile (GSM modem) traffic, hence:

  • Location disclosure (find the victim's vicinity)
  • SMS (uplink) capture (downlink can be done with RTL-SDR)
  • Voice (uplink) (same as above)
  • Data (uplink and downlink)
  • Mobile-payment platform infiltration (yes, it's possible to hack both agent and client)
  • Umm yes, this is the best I think so far, but I won't disclose further details (update SIM-card details; owww, not simple things like contacts only, even trivial things like the SIM-card apps on it)
  • Lastly, falsify (spoof) information to our captured victims :)
So what did we just do there :) everything....

POC? You want it.... find me, buy me a big KFC lunch and I will sort you out. Yes, knowledge should be paid for with food and maybe an occasional bank account top-up like a donation, but hey, I'm #iOut.

Tuesday, June 17, 2014

I'm explaining, don't arrest me, it's called consultancy.... and heads up.... I'm the good guy

Now I really hate doing this.... honestly I do. Why... no one actually brands me as the good guy... it sucks coz I'm trying to live a good guy life, but good guys don't get the recognition they deserve. Anyway....

Now today's news:

Well, so a friend of mine asked me how someone can block/jam a cell (mobile in this case) network....
So many ways....

1. Broadcast Noise
2. Fake a network signal hence intercept and interrupt network
3. Kill Transmission

1. Now this is simple... broadcast noise on the same frequency as the mobile network, just a little louder than the phones can listen to, and ...baaam, out.

2. Now I did illustrate all this earlier when I put up the post about creating a fake BTS.....
People think this is very trivial; the surprising thing is... it kinda isn't. Now here is my cell jammer budget:
USRP N210/200 plus a laptop and a very good antenna .... cost 6000 or so USD, or in Kenyan shillings about 500,000 KSH....
Or since we don't want all that expense.... here we go, 600 USD or so: a laptop and a 2000 KSH phone; yes, the Motorola C118 comes in handy here....

3. Kill transmission ... this is what was said to have happened, i.e. the BTS (tower/booster) was disconnected from the power source.

Now to expound on no. 2,
here we go:

Since I explained how to make a BTS from cheap materials (a laptop and a 2000 KSH (~20 USD) phone),
we have the requirements to run the fake network... and with that, let phones connect to our network so they can't access the original network... So what distance can we cover? From 50 m to 6 km.
And how many BTSs can we interrupt? Well, one at a time .... a full LAC is 6 BTSs. So is it possible? VERY possible.

Prevention ... as Chris Paget said, "You can absolutely do nothing when someone jams a cellphone using noise... absolutely nothing."


Monday, June 9, 2014

Making sure that data from two modems gets routed via the same channel it came through, even when it's split over two simultaneously connected modems

Ok so since I have shown a method to get access to the internet with multiple modems, someone asked: what about if I need the same data to pass through the same modem (why? in case of a download that shouldn't be stopped/doesn't support resume)? So... here's a method...

So we come up with names. Let $IF1 be the name of the first interface and $IF2 the name of the second interface. Then let $IP1 be the IP address associated with $IF1 and $IP2 the IP address associated with $IF2. Next, let $P1 be the IP address of the gateway at provider 1, and $P2 the IP address of the gateway at provider 2. Finally, let $P1_NET be the IP network $P1 is in, and $P2_NET the IP network $P2 is in.
One creates two additional routing tables, say T1 and T2. These are added in /etc/iproute2/rt_tables. Then you set up routing in these tables as follows:
    ip route add $P1_NET dev $IF1 src $IP1 table T1
    ip route add default via $P1 table T1
    ip route add $P2_NET dev $IF2 src $IP2 table T2
    ip route add default via $P2 table T2
Nothing spectacular, just build a route to the gateway and build a default route via that gateway, as you would do in the case of a single upstream provider, but put the routes in a separate table per provider. Note that the network route suffices, as it tells you how to find any host in that network, which includes the gateway, as specified above.
Next you set up the main routing table. It is a good idea to route things to the direct neighbour through the interface connected to that neighbour. Note the `src' arguments: they make sure the right outgoing IP address is chosen.
    ip route add $P1_NET dev $IF1 src $IP1
    ip route add $P2_NET dev $IF2 src $IP2
Then, your preference for the default route:
    ip route add default via $P1
Next, you set up the routing rules. These actually choose which routing table to route with. You want to make sure that you route out of a given interface if you already have the corresponding source address:
    ip rule add from $IP1 table T1
    ip rule add from $IP2 table T2
This set of commands makes sure all answers to traffic coming in on a particular interface get answered from that interface.

NB: If $P0_NET is the local network and $IF0 is its interface, the following additional entries are desirable (the loopback route needs its 127.0.0.0/8 destination, which the original omitted):
    ip route add $P0_NET dev $IF0 table T1
    ip route add $P2_NET dev $IF2 table T1
    ip route add 127.0.0.0/8 dev lo table T1
    ip route add $P0_NET dev $IF0 table T2
    ip route add $P1_NET dev $IF1 table T2
    ip route add 127.0.0.0/8 dev lo table T2
Now, this is just the very basic setup. It will work for all processes running on the router itself, and for the local network if it is masqueraded. If it is not, then you either have IP space from both modems or you are going to want to masquerade to one of the two modems. In both cases you will want to add rules selecting which modem to route out of, based on the IP address of the machine in the local network.
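The reason the two `ip rule` lines matter is easiest to see by replaying the kernel's routing decision. The following is an added example, not part of the original post: a small Python model of Linux policy routing with the post's tables and rules filled in using constructed stand-ins for $IF1/$IP1/$P1/$P1_NET and $IF2/$IP2/$P2/$P2_NET (ppp0/ppp1 and two private /24s). It shows that with the rules in place a reply sourced from $IP2 leaves via $IF2 even though the main table's default points at $P1, and that without them the same reply would leave via $IF1, which is exactly the asymmetric-return problem the post is fixing.

```python
"""Added example: a small model of the kernel's policy-routing decision,
used to show why the 'ip rule add from $IPn table Tn' entries make replies
leave on the modem they arrived on. Interface names and addresses below are
constructed stand-ins for the post's $IF1/$IP1/$P1/$P1_NET variables."""
import ipaddress

# Constructed values (not from the post): two PPP modems and their gateways.
IF1, IP1, P1, P1_NET = "ppp0", "10.64.1.2", "10.64.1.1", "10.64.1.0/24"
IF2, IP2, P2, P2_NET = "ppp1", "10.128.7.9", "10.128.7.1", "10.128.7.0/24"
ANY = "0.0.0.0/0"  # what 'default' means in an ip route command


def build_tables():
    """Routing tables as the post's 'ip route add ... table Tn' commands create them.
    A route is (destination prefix, outgoing dev, gateway or None)."""
    return {
        "T1": [(P1_NET, IF1, None), (ANY, IF1, P1)],
        "T2": [(P2_NET, IF2, None), (ANY, IF2, P2)],
        # main table: both neighbour networks, preferred default via provider 1
        "main": [(P1_NET, IF1, None), (P2_NET, IF2, None), (ANY, IF1, P1)],
    }


def build_rules():
    """Policy rules in priority order, as 'ip rule show' would list them:
    (source selector, table). The final 'from all lookup main' is the kernel's
    own default rule, not something the post adds."""
    return [(IP1 + "/32", "T1"), (IP2 + "/32", "T2"), (ANY, "main")]


def lookup(table, dst):
    """Longest-prefix match inside one table; None when the table has no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, via in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev, via)
    return None if best is None else (best[1], best[2])


def route(src, dst, rules=None, tables=None):
    """Resolve (outgoing interface, gateway) for a packet: walk the rules by
    priority and use the first selected table that actually has a route.
    A table with no matching route falls through to the next rule, as the
    kernel does."""
    rules = build_rules() if rules is None else rules
    tables = build_tables() if tables is None else tables
    src = ipaddress.ip_address(src)
    for selector, name in rules:
        if src in ipaddress.ip_network(selector):
            hit = lookup(tables[name], dst)
            if hit is not None:
                return hit
    raise LookupError("no route to %s from %s" % (dst, src))


def reply_interface(reply_src, dst="198.51.100.7", with_rules=True):
    """Interface a reply sourced from reply_src leaves on. with_rules=False
    repeats the lookup with only the kernel's default rule, i.e. the state
    before the post's two 'ip rule add' commands."""
    rules = None if with_rules else [(ANY, "main")]
    return route(reply_src, dst, rules=rules)[0]


if __name__ == "__main__":
    for ip, name in ((IP1, IF1), (IP2, IF2)):
        print("reply from %-12s (arrived on %s): with rules -> %s, without -> %s"
              % (ip, name, reply_interface(ip), reply_interface(ip, with_rules=False)))
```

The model deliberately leaves out the kernel's `local` table and the NB entries above, so it only reproduces the core setup; the interesting case is the second line of output, where the reply from $IP2 would otherwise be sent out $IF1 with $IP2 as its source address and be dropped or mis-routed by provider 1.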

Now before you SUE me.... I'm helping for real, I AM. #ATTACKING MOBILE PAYMENT SYSTEM MiTM+SE

So a while ago I actually stated that attacking mobile payment systems is inevitable.... Now I have not suggested I will be doing that, though stick around and you might probably learn a thing or two about this.... now here goes nothing.

So the basic structure of a mobile payment system is pretty simple.

For example, I use Safaricom's MPESA ... this is their earlier structure (yet to find any major change though).

Ok, first of all let it be known ... I am not doing this on Safaricom's MPESA, except for the fact:

1. I use MPESA (actually never used any other service)
2. I own an MPESA SIM (duuh), hence my test was restricted to only this
3. I am pretty sure this works on other networks (though not tested)

Ok, variables....
MPESA on a standard keypad is emulated by the numbers 67372 ..... Now I found this out playing with my iPhone ('twas a 3G) quite a while ago.... :) See, I once tried saving it as a contact and the above numbers popped up.... Anyway, trying to call the number (oww, what could go wrong) it reverted to activating my SIM toolkit, lol ...surprise .... and there was my first breakthrough .... Now how do we exploit this?

Well, Man In The Middle is a nice way, but how do you MITM someone when you can't clearly send a message without spoofing the sender ID .... THAT'S IT :) uh huh. So step one .... create a GSM network ... ok, that's not so easy? Well it is actually... I did it in 3 hours; ok, to be fair I had hard-coded something close to that over a few months, lol ... just had to watch enough YouTube videos ... join the OpenBTS forum, revisit my DCE classes (digital comp eng) and a little of my ADCE also, a lot of soldering; ok, long story short, I reused a lot of code and owww, I've already posted that here (well, that's just like the Um (air) interface only, where you have a BTS that controls several phones at once ....

with a few configurations like setting

    Control.LUR.OpenRegistration = .*

to allow any phone to connect to the BTS... MITM is more than inevitable ....

Now here's the trick that makes all this work.... once you send an SMS to any phone with the numbers 67372 .... the result automatically displays .... MPESA .. pretty nifty, huh :)

Now Safaricom has done a good thing not to allow any SMSs to be sent to the agents' phones, but hmmmm, that's not enough.... they are still normal phones/SIM cards and basically have the IMSI that I'm sending the message/SMS to.... Here is my proof of sending a message to myself (YES, MYSELF; that ain't ILLEGAL :)) and deceiving my SIM that it's an MPESA message ... here is the screenshot; you can see some other transactions below (legit, I might add).

And with a little S.E. we can craft an SMS and send it to an agent and pretend to withdraw the cash .... this is a serious felony right here. I will be contacting Safaricom in the meantime ... if you don't hear from me... well... take a wild guess :)

VX #iOut

(oww, not only Safaricom) also other telcos will be notified. As my niece says, BAI (bye)

Wednesday, June 4, 2014


I always go into hiding when things are in a knot... Currently I have had some good news....

A new GSM hacking tool by VX is out... VX has been on this path for a while, trying to come up with a good remedy to sort out all the newbies and experts in the GSM field (read RF).

What does it do :) .....

So, on a basic standoff in the field of hacking (read pen-test and vulnerability assessments), a lot of the procedure goes like...

Well, you get the picture... so what we will do is debug entire scenarios of GSM in the same format:

  • We do recon of the area, networks, base stations (call them boosters if you like, but I'm not saying it's correct) and also rogue base stations (come on, you wanna know when someone is listening to you, right?)
  • Scan the area (now this and step one basically have the same ideology here, but other methods can be employed on step one that have a different point of operation from step two)
  • Gain access --- rather, gain access to certain channels + frequencies (read ARFCN (a BTS in a very big nutshell))
  • Maintain access ... (this simply means camp (SYNC) on that BTS (ARFCN) and now listen very well to the SMS/voice/data .... see, we good, right?)
  • We add our own step here .... crack the encryption (if any is used)
  • Cover tracks (well, till now I have yet to find any tracks to be covered, so just run when you are done, owkaeeey?)
So this tool --- TYPHON; who should be credited...

A lot of people.... let's start with:

The FIRMWARE guys (Osmocombb)
Most of the scripts (BRMLAB)
The Guy who created it all and maintains it (VX)

Well then, how does it work?

>>  Basic explanation .... connect GSM hardware to your computer to be able to debug the air interface (communication between the BTS and the MS); sort of, the hardware acts as an Ethernet card for our PC and software... Here comes in OsmocomBB (Open source mobile communications BaseBand). This is a stack running on your Calypso based device (support for others may be added later on), e.g. Motorola C115, C118, C123 (get all of them here), and it interfaces to your laptop; this allows fluid communication and allows studying what's happening in the air interface.

And that's the most basic principle....
With this we can do a lot of things, as stated above, the full details of which will be published as soon as the tool is released. Thank you :)

So check the links out and also follow @taeCode0h on Twitter for more info and on when he will release the tool.


:) No longer posting, all articles should be treated as archived and outdated