Monday, June 9, 2014

Making sure that data from two modems gets routed via the same channel it came through, even when it's split over two simultaneously connected modems

OK, so since I have shown a method to get access to the internet with multiple modems, someone asked: what if I need the same data to pass through the same modem (why? In case of a download that shouldn't be interrupted or doesn't support resume)... so here's a method.

First we come up with names. Let $IF1 be the name of the first interface and $IF2 the name of the second interface. Then let $IP1 be the IP address associated with $IF1 and $IP2 the IP address associated with $IF2. Next, let $P1 be the IP address of the gateway at provider 1, and $P2 the IP address of the gateway at provider 2. Finally, let $P1_NET be the IP network $P1 is in, and $P2_NET the IP network $P2 is in.
One creates two additional routing tables, say T1 and T2. These are added in /etc/iproute2/rt_tables. Then you set up routing in these tables as follows:
   ip route add $P1_NET dev $IF1 src $IP1 table T1
   ip route add default via $P1 table T1
   ip route add $P2_NET dev $IF2 src $IP2 table T2
   ip route add default via $P2 table T2
Nothing spectacular, just build a route to the gateway and build a default route via that gateway, as you would do in the case of a single upstream provider, but put the routes in a separate table per provider. Note that the network route suffices, as it tells you how to find any host in that network, which includes the gateway, as specified above.
Next you set up the main routing table. It is a good idea to route things to the direct neighbour through the interface connected to that neighbour. Note the `src' arguments, they make sure the right outgoing IP address is chosen.
     ip route add $P1_NET dev $IF1 src $IP1
     ip route add $P2_NET dev $IF2 src $IP2
Then, your preference for default route:
     ip route add default via $P1
Next, you set up the routing rules. These actually choose what routing table to route with. You want to make sure that you route out a given interface if you already have the corresponding source address:
     ip rule add from $IP1 table T1
     ip rule add from $IP2 table T2
This set of commands makes sure all answers to traffic coming in on a particular interface get answered from that interface.

NB: If $P0_NET is the local network and $IF0 is its interface, the following additional entries are desirable (the loopback route needs an explicit destination prefix, 127.0.0.0/8, or `ip' rejects it):
   ip route add $P0_NET     dev $IF0 table T1
   ip route add $P2_NET     dev $IF2 table T1
   ip route add 127.0.0.0/8 dev lo   table T1
   ip route add $P0_NET     dev $IF0 table T2
   ip route add $P1_NET     dev $IF1 table T2
   ip route add 127.0.0.0/8 dev lo   table T2
Now, this is just the very basic setup. It will work for all processes running on the router itself, and for the local network if it is masqueraded. If it is not, then you either have IP space from both modems or you are going to want to masquerade to one of the two modems. In both cases you will want to add rules selecting which modem to route out from, based on the IP address of the machine in the local network.
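The whole recipe above as one script, added here as an example and not part of the original post. The interface names, addresses, gateways and the table ids 1 and 2 are constructed placeholders; run it with `show` to preview the commands without root, and `apply` as root once the values are yours.

```shell
#!/bin/sh
# Added example, not from the original post: the two-uplink policy routing
# recipe as one script. Interface names, addresses and gateways below are
# constructed placeholders; replace them with your own before applying.
IF1=ppp0; IP1=10.64.64.64; P1=10.64.64.1; P1_NET=10.64.64.0/24
IF2=ppp1; IP2=10.65.65.65; P2=10.65.65.1; P2_NET=10.65.65.0/24
IF0=eth0; P0_NET=192.168.1.0/24   # the local LAN behind this router

# With DRY_RUN=1 the ip commands are printed instead of executed (no root needed).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Register the table names once in /etc/iproute2/rt_tables (ids 1 and 2 are unused).
ensure_tables() {
  for entry in "1 T1" "2 T2"; do
    grep -q "[[:space:]]${entry#* }\$" /etc/iproute2/rt_tables \
      || echo "$entry" >> /etc/iproute2/rt_tables
  done
}

setup_routes() {
  # Per-provider tables: the gateway's network, then a default via that gateway.
  run ip route add "$P1_NET" dev "$IF1" src "$IP1" table T1
  run ip route add default via "$P1" table T1
  run ip route add "$P2_NET" dev "$IF2" src "$IP2" table T2
  run ip route add default via "$P2" table T2
  # Main table: direct neighbours via their own interface, preferred default via P1.
  run ip route add "$P1_NET" dev "$IF1" src "$IP1"
  run ip route add "$P2_NET" dev "$IF2" src "$IP2"
  run ip route add default via "$P1"
  # Rules: packets sourced from an uplink's address use that uplink's table,
  # so replies leave through the modem the request arrived on.
  run ip rule add from "$IP1" table T1
  run ip rule add from "$IP2" table T2
  # Each table must also reach the LAN, loopback and the other provider's network.
  for T in T1 T2; do
    run ip route add "$P0_NET" dev "$IF0" table "$T"
    run ip route add 127.0.0.0/8 dev lo table "$T"
  done
  run ip route add "$P2_NET" dev "$IF2" table T1
  run ip route add "$P1_NET" dev "$IF1" table T2
}

case "${1:-}" in
  show)   DRY_RUN=1 setup_routes ;;                                   # preview only
  apply)  ensure_tables && setup_routes ;;                            # run as root
  status) ip rule show; ip route show table T1; ip route show table T2 ;;
esac
```

Once applied, `ip route get <dst> from $IP2` should resolve through $IF2, which is the quickest check that the rules took effect.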

Now, before you SUE me.... I am helping, for real I AM. #ATTACKING MOBILE PAYMENT SYSTEM MiTM+SE

So a while ago I actually stated that attacking mobile payment systems is inevitable.... Now, I have not suggested I will be doing that, though stick around and you might learn a thing or two about this.... Here goes nothing.

So the basic structure of a mobile payment system is pretty simple.

For example, I use Safaricom's MPESA... this is their earlier structure (yet to find any major change, though).

OK, first of all let it be known... I am not doing this on Safaricom's MPESA, except for the fact that:

1. I use MPESA (actually never used any other service)
2. I own an MPESA SIM (duuh), hence my test was restricted to only this
3. I am pretty sure this works on other networks (though not tested)

OK, variables....
MPESA on a standard keypad is spelled by the numbers 67372..... Now I found this out playing with my iPhone (it was a 3G) quite a while ago.... :) See, I once tried saving it as a contact and the above numbers popped up.... Anyway, trying to call the number (oh, what could go wrong?) it reverted to activating my SIM toolkit, lol... surprise.... and there was my first breakthrough.... Now how do we exploit this?

Well, Man In The Middle is a nice way, but how do you MITM someone when you can't clearly send a message without spoofing the sender ID.... THAT'S IT :) Uh huh, so step one.... create a GSM network... OK, that's not so easy? Well it is, actually... I did it in 3 hours. OK, to be fair, I had hard-coded something close to that a few months earlier, lol... just had to watch enough YouTube videos... join the OpenBTS forum, revisit my DCE classes (digital computer engineering), a little of my ADCE also, a lot of soldering. OK, long story short, I reused a lot of code and oh, I've already posted that here (well, that's just like the Um (air) layer only, where you have a BTS that controls several phones at once....

With a few configurations, like setting

Control.LUR.OpenRegistration = .*

to allow any phone to connect to the BTS... MITM is more than inevitable....

Now here's the trick that makes all this work.... Once you send an SMS to any phone with the numbers 67372.... the result automatically displays.... MPESA.. pretty nifty, huh :)

Now Safaricom has done a good thing not to allow any SMSs to be sent to the AGENTs' phones, but hmmmm, that's not enough.... they are still normal phones/SIM cards and basically have the IMSI that I am sending the message/SMS to.... Here is my proof of sending a message to myself (YES, MYSELF), that ain't ILLEGAL :) and deceiving my SIM that it's an MPESA message... here is the screenshot; you can see some other transactions below (legit, I might add).

And with a little S.E. we can craft an SMS and send it to an AGENT and pretend to withdraw the cash.... This is a serious felony right here. I will be contacting Safaricom in the meantime... if you don't hear from me... well... take a wild guess :)

VX #iOut

(Oh, not only Safaricom) other telcos will also be notified. As my niece says, BAI (bye)


:) No longer posting, all articles should be treated as archived and outdated