Using an OpenBTS base station to test the security of IoT modules


0×00 Introduction

In recent years cloud computing and the Internet of Things have developed rapidly, and IoT products have spread into every corner of the economy: more and more wearables and household appliances connect to the Internet over Bluetooth, Wi-Fi, Li-Fi, Z-Wave, LoRa and similar technologies and become networked endpoints.

These are all short-range radio technologies, designed for indoor use over short distances, and they perform very poorly outdoors and especially without line of sight. GSM (Global System for Mobile Communications), on the other hand, is mature, covers the whole country with roaming, and has advantages in network resources, transmission characteristics and data reliability, giving a mobile, flexible and dependable long-range link. Connecting devices through a GSM module is therefore also very widely used.

0×01 The testing gap

There are many well-known and widely used methods for testing short-range radio technologies, so they are not repeated here. For devices that communicate through 2G/GSM, 3G/UMTS or 4G/LTE base stations, however (smart meters, POS terminals, claw machines, vending machines and the like), published testing methods and techniques are almost non-existent.

This article shows how to build a rogue base station from an SDR plus open-source software, use its GPRS function as the gateway for GSM/GPRS network testing, and intercept, analyse and replay the traffic of the GSM module inside the device under test. Note that transmitting on GSM frequencies is regulated: do this under a test licence or inside an RF-shielded enclosure, otherwise phones nearby will also attach to your cell.

0×02 Environment setup

Download ubuntu-16.04-desktop-i386.iso and install it on a fresh machine, to avoid build errors caused by dependency conflicts (the build later produces i386 packages for this 32-bit install).

2.1 Update

sudo apt-get install software-properties-common python-software-properties
sudo add-apt-repository ppa:git-core/ppa
sudo apt-get update
sudo apt-get install git

2.2 Set up the OpenBTS build environment

mkdir sdr  # create the sdr directory
cd sdr  # enter it
git clone https://github.com/RangeNetworks/dev.git
cd dev
./clone.sh  # clone the component repositories from GitHub
./switchto.sh master  # switch all of them to the master branch
./build.sh B200

build.sh compiles the downloaded sources; the argument names the SDR hardware, here a USRP B200. For a USRP N200 run ./build.sh N200 instead. (The build fetches sources from Google-hosted repositories, so keep a proxy up for the whole build, otherwise it fails.)

How long the build takes depends on the network and the machine, usually 30 to 45 minutes. When it finishes, GNU Radio, the USRP UHD driver and the rest of the SDR environment have been installed, but the USRP firmware and FPGA images must still be downloaded by hand:

$ sudo python /usr/lib/uhd/utils/uhd_images_downloader.py
Images destination:      /usr/share/uhd/images
Downloading images from: http://files.ettus.com/binaries/images/uhd-images_003.009.002-release.zip
Downloading images to:   /tmp/tmpEplLOD/uhd-images_003.009.002-release.zip
26296 kB / 26296 kB (100%)

Images successfully installed to: /usr/share/uhd/images
$ uhd_usrp_probe
linux; GNU C++ version 5.3.1 20151219; Boost_105800; UHD_003.009.002-0-unknown

-- Loading firmware image: /usr/share/uhd/images/usrp_b200_fw.hex...
-- Detected Device: B200
-- Loading FPGA image: /usr/share/uhd/images/usrp_b200_fpga.bin... done
-- Operating over USB 2.
-- Detecting internal GPSDO.... No GPSDO found
-- Initialize CODEC control...
-- Initialize Radio control...
-- Performing register loopback test... pass
-- Performing CODEC loopback test... pass
-- Asking for clock rate 16.000000 MHz...
-- Actually got clock rate 16.000000 MHz.
-- Performing timer loopback test... pass
-- Setting master clock rate selection to 'automatic'.
  _____________________________________________________
 /
|       Device: B-Series Device
|     _____________________________________________________
|    /
|   |       Mboard: B200
|   |   revision: 5
|   |   product: 1
|   |   serial: 30EA064
|   |   name: MyB200
|   |   FW Version: 8.0
|   |   FPGA Version: 13.0
|   |
|   |   Time sources: none, internal, external, gpsdo
|   |   Clock sources: internal, external, gpsdo
|   |   Sensors: ref_locked
|   |     _____________________________________________________
|   |    /
|   |   |       RX DSP: 0
|   |   |   Freq range: -8.000 to 8.000 MHz
|   |     _____________________________________________________
|   |    /
|   |   |       RX Dboard: A
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       RX Frontend: A
|   |   |   |   Name: FE-RX1
|   |   |   |   Antennas: TX/RX, RX2
|   |   |   |   Sensors: temp, rssi, lo_locked
|   |   |   |   Freq range: 50.000 to 6000.000 MHz
|   |   |   |   Gain range PGA: 0.0 to 76.0 step 1.0 dB
|   |   |   |   Bandwidth range: 200000.0 to 56000000.0 step 0.0 Hz
|   |   |   |   Connection Type: IQ
|   |   |   |   Uses LO offset: No
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       RX Codec: A
|   |   |   |   Name: B200 RX dual ADC
|   |   |   |   Gain Elements: None
|   |     _____________________________________________________
|   |    /
|   |   |       TX DSP: 0
|   |   |   Freq range: -8.000 to 8.000 MHz
|   |     _____________________________________________________
|   |    /
|   |   |       TX Dboard: A
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       TX Frontend: A
|   |   |   |   Name: FE-TX1
|   |   |   |   Antennas: TX/RX
|   |   |   |   Sensors: temp, lo_locked
|   |   |   |   Freq range: 50.000 to 6000.000 MHz
|   |   |   |   Gain range PGA: 0.0 to 89.8 step 0.2 dB
|   |   |   |   Bandwidth range: 200000.0 to 56000000.0 step 0.0 Hz
|   |   |   |   Connection Type: IQ
|   |   |   |   Uses LO offset: No
|   |   |     _____________________________________________________
|   |   |    /
|   |   |   |       TX Codec: A
|   |   |   |   Name: B200 TX dual DAC
|   |   |   |   Gain Elements: None

The build also creates a directory under BUILD named after the build timestamp. On a 32-bit system it contains the *_i386.deb packages, on a 64-bit system *_amd64.deb.

2.3 Update and install dependencies

sudo apt-get install software-properties-common python-software-properties
sudo add-apt-repository ppa:chris-lea/zeromq
sudo apt-get update

2.4 Install the built DEB packages

Install them in this order and watch for errors; each apt-get install -f pulls in the dependencies the preceding dpkg -i left unresolved:

cd dev/BUILD/2016-11-29--23-23-16
sudo dpkg -i libcoredumper1_1.2.1-1_i386.deb libcoredumper-dev_1.2.1-1_i386.deb
sudo dpkg -i  liba53_0.1_i386.deb
sudo dpkg -i range-configs_5.0_all.deb
sudo dpkg -i range-asterisk*.deb
sudo apt-get install -f
sudo dpkg -i sipauthserve_5.0_i386.deb
sudo apt-get install -f
sudo dpkg -i smqueue_5.0_i386.deb
sudo apt-get install -f
sudo dpkg -i openbts_5.0_i386.deb
sudo apt-get install -f

0×03 Enable packet forwarding and configure iptables

The GPRS traffic of the OpenBTS cell is routed through the PC, so before enabling GPRS on the base station, packet forwarding must be enabled and iptables rules configured.

3.1 Enable packet forwarding:

This has to be done from a root shell. Prefixing the echo with sudo does not work, because the redirection to /proc/sys/net/ipv4/ip_forward is performed by your unprivileged shell before sudo runs; either switch to root first, as below, or run sudo sysctl -w net.ipv4.ip_forward=1 (and add net.ipv4.ip_forward=1 to /etc/sysctl.conf to keep the setting across reboots):

sudo su
echo 1 > /proc/sys/net/ipv4/ip_forward

3.2 Configure iptables rules:

The rules file /etc/OpenBTS/iptables.rules has the following content:

# Generated by iptables-save v1.4.4
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Generated by iptables-save v1.4.4
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

On some machines the uplink interface is not eth0 (on Ubuntu 16.04 it is typically a name like enp0s3); check with ip route show default and change the -o interface in the file accordingly. Note also that with FORWARD set to ACCEPT and an unrestricted MASQUERADE, every device that attaches to the cell gets full access to whatever networks the PC can reach; unless the PC sits on an isolated lab network, restrict the rules to the GPRS subnet.

sudo iptables-restore < /etc/OpenBTS/iptables.rules
sudo iptables -t nat -L -n -v

3.3 Initialise the databases (paths are relative to the home directory in which sdr was created)

cd sdr/dev/openbts/apps
sudo sqlite3 -init OpenBTS.example.sql /etc/OpenBTS/OpenBTS.db ".quit"

cd sdr/dev/subscriberRegistry/apps
sudo sqlite3 -init sipauthserve.example.sql /etc/OpenBTS/sipauthserve.db ".quit"

cd sdr/dev/smqueue/smqueue
sudo sqlite3 -init smqueue.example.sql /etc/OpenBTS/smqueue.db ".quit"

3.4 Configure Asterisk

Asterisk is an open-source IP-PBX for Linux that switches calls between users and supports the common VoIP protocols. It provides many features that used to be available only in expensive, specialised PBX systems, such as conference calls, voicemail, interactive voice response and automatic call transfer.

In /etc/asterisk/ the files sip.conf and extensions.conf need to be edited: the IMSI (International Mobile Subscriber Identity) of each phone and the number assigned to it are registered with Asterisk by writing them into those two files. The sip.conf part looks like this:

[IMSI46001658*****19]
callerid=2000003
canreinvite=no
type=friend
allow=gsm
context=sip-external
host=dynamic
dtmfmode=info

[IMSI41004030*****62]
callerid=2000004
canreinvite=no
type=friend
allow=gsm
context=sip-external
host=dynamic
dtmfmode=info

callerid=2000003 assigns the number 2000003 to the phone with IMSI 46001658*****19;

canreinvite=no keeps the media path through Asterisk once a call is set up, instead of re-INVITEing the two endpoints to exchange audio directly;

type=friend lets the peer both place and receive calls, allow=gsm selects the GSM codec, and context=sip-external names the dialplan context in extensions.conf into which calls from this peer are placed. It does not by itself admit anonymous external calls; what that context permits is defined in extensions.conf.

0×04 Start the base station:

4.1 Run the transceiver to connect to the SDR hardware

cd sdr/dev/openbts/Transceiver52M
sudo ./transceiver

4.2 Start OpenBTS itself from sdr/dev/openbts/apps (sudo ./OpenBTS). This step is unnumbered in the original, but the console in 4.6 connects to a running OpenBTS on 127.0.0.1:49300.

4.3 Run smqueue to enable the SMS service

cd sdr/dev/smqueue/smqueue
sudo ./smqueue

4.4 Run sipauthserve to enable the authentication service (the subscriber registry)

cd sdr/dev/subscriberRegistry/apps
sudo ./sipauthserve

4.5 Start Asterisk with asterisk -vvvc (foreground with console), or attach to an already running instance with asterisk -r

4.6 Start the OpenBTS command-line console:

cd sdr/dev/openbts/apps
sudo ./OpenBTSCLI

root@0xroot:/home/init3/sdr/dev/openbts/apps# ./OpenBTSCLI
OpenBTS Command Line Interface (CLI) utility
Copyright 2012, 2013, 2014 Range Networks, Inc.
Licensed under GPLv2.
Includes libreadline, GPLv2.
Connecting to 127.0.0.1:49300...
Remote Interface Ready.
Type:
 "help" to see commands,
 "version" for version information,
 "notices" for licensing information,
 "quit" to exit console interface.
OpenBTS> version
release 5.0-master+c438a5a689 CommonLibs:76b71d509b+GPRS P built 2016-11-29T23:31:19

OpenBTS> help

Type "help" followed by the command name for help on that command.

alarms        audit        calls
cbs        cellid        chans
config        crashme        devconfig
endcall        freqcorr    gprs
handover    help        load
memstat        neighbors    noise
notices        page        power
rawconfig    regperiod    restart
rmconfig    rxgain        sendsimple
sendsms        sgsn        shutdown
stats        sysinfo        tmsis
trxfactory    txatten        unconfig
uptime        version

OpenBTS>

0×05 Configure the base station

(Figure in the original: waterfall plot of the GSM 900 band.)

(Figure in the original: scanning for GSM base stations with gr-gsm and kalibrate.)

With a freshly built cell the phone may fail to attach, typically because the receive gain is too high or the phone is too close to the antenna. Set the conditions for attaching and adjust the gain:

Allow any device to attach. The value is a regular expression matched against the IMSI; ".*" accepts every phone in range, which outside a shielded enclosure means bystanders' phones as well, so prefer a pattern that covers only your test devices (for example 00101.* for SIMs of the 001/01 test PLMN):

OpenBTS> config Control.LUR.OpenRegistration .*
Control.LUR.OpenRegistration changed from "" to ".*"

Lower the receive gain. GSM.Radio.RxGain is the receiver gain, not the transmit power; transmit power is set with the txatten command and the GSM.Radio.PowerManager.* settings, and should be kept as low as the test bench allows:

OpenBTS> devconfig GSM.Radio.RxGain 18
GSM.Radio.RxGain changed from "50" to "18"
GSM.Radio.RxGain is static; change takes effect on restart

Set the band:

OpenBTS> config GSM.Radio.Band 900
GSM.Radio.Band changed from "850" to "900"
GSM.Radio.Band is static; change takes effect on restart 

Set the welcome SMS sent after registration:

config Control.LUR.NormalRegistration.Message Welcome to BTS 1

Set the network short name shown on the phone:

config GSM.Identity.ShortName GroundControl

Configure the cell as a test network (MCC 001 is the test country code; together with MNC 01 it forms the 001/01 test PLMN that lab SIMs are provisioned for):

config GSM.Identity.MCC 001

Configure the cell as a Chinese network (MCC 460 is China):

config GSM.Identity.MCC 460

Set the operator to China Unicom:

config GSM.Identity.MNC 01

Set the operator to China Mobile:

config GSM.Identity.MNC 00

Broadcasting a real operator's MCC/MNC makes every phone in range that carries that operator's SIM a candidate to camp on your cell, because GSM does not authenticate the network to the phone. That is acceptable only inside a shielded enclosure or under a test licence; for everything else use the 001/01 test PLMN.

Set the ARFCN, LAC and BCC

The Network Colour Code (NCC) generally identifies the operator; the Base station Colour Code (BCC) distinguishes cells of the same operator that share a BCCH frequency.

A cell is normally identified by the combination of its BCCH ARFCN and its BSIC, where BSIC = NCC + BCC. The PLMN identity, PLMN = MCC + MNC (mobile country code plus mobile network code, the latter identifying the operator), is used in GSM as well as in TD-SCDMA and WCDMA.

During handover the target cell is found through its CI, BCCH and BSIC; when the neighbour list contains two cells with the same BCCH and the same BSIC (in 3G, the same scrambling code group), handovers are prone to fail.

OpenBTS> config GSM.Radio.C0 168
GSM.Radio.C0 changed from "151" to "168"
GSM.Radio.C0 is static; change takes effect on restart
OpenBTS> config GSM.Identity.BSIC.BCC 3
GSM.Identity.BSIC.BCC changed from "2" to "3"
OpenBTS> config GSM.Identity.LAC 1001
GSM.Identity.LAC changed from "1000" to "1001"
OpenBTS> config GSM.Identity.CI 11
GSM.Identity.CI changed from "10" to "11"

GSM.Radio.C0 is the ARFCN of the BCCH carrier, and it must lie in the band set above. ARFCN 168 (like the previous value 151) is in the GSM 850 range, 128 to 251; for the 900 band chosen earlier pick a P-GSM ARFCN between 1 and 124 (or E-GSM 0 and 975 to 1023), preferably one that the gr-gsm/kalibrate scan showed to be free of real cells.

User management

In 3.4 we assigned callerid numbers to some users in Asterisk. Once OpenBTS is running, subscribers are managed with the nmcli.py script in the NodeManager directory:

cd sdr/dev/openbts/NodeManager/

Adding a subscriber, general form:

./nmcli.py sipauthserve subscribers create name imsi msisdn

Assign MSISDN 123456 to the LG G3 whose IMSI is 46001658*****19:

./nmcli.py sipauthserve subscribers create "LG G3" IMSI46001658*****19 123456

Read back the registered entries:

讀取已錄入信息:

root@0xroot:/home/init3/sdr/dev/openbts/NodeManager# ./nmcli.py sipauthserve subscribers read
raw request: {"command":"subscribers","action":"read","key":"","value":""}
raw response: {
    "code" : 200,
    "data" : [
        {
            "imsi" : "IMSI46001658*****19",
            "msisdn" : " 123456",
            "name" : "LG G3"
        },
        {
            "imsi" : "IMSI46000645*****91",
            "msisdn" : " 223456",
            "name" : "MoTo"
        }
    ]
}

Enable GPRS:

OpenBTS> config GPRS.Enable 1

Set the DNS server that the built-in GGSN hands to attached devices. Pointing this at a resolver you control on the PC instead of 8.8.8.8 is a convenient way to see which hostnames the module resolves and to redirect its backend hostname to your own endpoint:

OpenBTS> config GGSN.DNS 8.8.8.8

Edit /etc/resolv.conf:

nameserver 8.8.8.8

To stop /etc/resolv.conf from being rewritten after a reboot or a network restart, put the entry in /etc/resolvconf/resolv.conf.d/head instead:

nameserver 8.8.8.8

Set the GGSN log file path:

OpenBTS> devconfig GGSN.Logfile.Name /tmp/GGSN.log

List the devices attached to the cell (IMSI, assigned TMSI, IMEI, whether the device was authenticated, when it was first seen and when it was last active):

OpenBTS> tmsis
IMSI            TMSI IMEI            AUTH CREATED ACCESSED TMSI_ASSIGNED
46001658*****19 -    354834060*****0 1    30m     30m      0

View the log: cat /var/log/OpenBTS.log

Logging configuration: /etc/rsyslog.d/OpenBTS.conf

Send an SMS: sendsms $IMSI $number "$text"

sendsms 46001658*****19 888888 "Hello World"
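With Control.LUR.OpenRegistration set to ".*", the tmsis table is the place to verify that only your own test devices are camped on the cell. The following script is an added example, not part of the original article or of OpenBTS: it parses the tmsis table format shown above and the JSON that nmcli.py sipauthserve subscribers read returns, and reports every attached IMSI that is not in the subscriber registry. The sample table and JSON are constructed with obviously fake IMSI and IMEI values; the two-digit MNC assumption holds for Chinese networks and for the 001/01 test PLMN.

```python
"""Cross-check devices camped on the OpenBTS cell against provisioned subscribers.

Added example (not from the article or OpenBTS). Inputs: the text printed by
`OpenBTS> tmsis` and the JSON from `nmcli.py sipauthserve subscribers read`.
"""
import json

# Constructed sample of `OpenBTS> tmsis` output, same column layout as the article.
TMSIS_SAMPLE = """\
IMSI            TMSI IMEI            AUTH CREATED ACCESSED TMSI_ASSIGNED
460016580000019 -    354834060000000 1    30m     30m      0
001010000000001 -    356938030000001 1    2m      1m       0
460006450000091 -    352094080000002 0    1m      1m       0
"""

# Constructed sample of the NodeManager response, same shape as the article's raw response.
SUBSCRIBERS_SAMPLE = json.dumps({
    "code": 200,
    "data": [
        {"imsi": "IMSI460016580000019", "msisdn": " 123456", "name": "LG G3"},
        {"imsi": "IMSI001010000000001", "msisdn": " 200001", "name": "G510 module under test"},
    ],
})


def parse_tmsis(text):
    """Turn the `tmsis` table into a list of dicts keyed by the header names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            continue  # skip wrapped or partial lines rather than misalign columns
        rows.append(dict(zip(header, fields)))
    return rows


def provisioned_imsis(subscribers_json):
    """Set of bare IMSI digit strings from a sipauthserve `subscribers read` reply."""
    reply = json.loads(subscribers_json)
    if reply.get("code") != 200:
        raise ValueError("NodeManager returned code %r" % reply.get("code"))
    imsis = set()
    for entry in reply.get("data", []):
        imsi = entry["imsi"]
        # sipauthserve stores the identity with an "IMSI" prefix; tmsis prints bare digits.
        imsis.add(imsi[4:] if imsi.startswith("IMSI") else imsi)
    return imsis


def split_plmn(imsi, mnc_digits=2):
    """MCC and MNC prefix of an IMSI (assumes 2-digit MNCs, as in China and the 001/01 test PLMN)."""
    return imsi[:3], imsi[3:3 + mnc_digits]


def unexpected_attachments(tmsis_text, subscribers_json):
    """Devices camped on the cell that are not in the subscriber registry.

    Anything returned is either a test device you forgot to provision or a
    bystander's phone; in the second case lower transmit power or move into a
    shielded enclosure before continuing.
    """
    known = provisioned_imsis(subscribers_json)
    flagged = []
    for row in parse_tmsis(tmsis_text):
        imsi = row["IMSI"]
        if imsi in known:
            continue
        mcc, mnc = split_plmn(imsi)
        flagged.append({
            "imsi": imsi,
            "imei": row["IMEI"],
            "mcc": mcc,
            "mnc": mnc,
            "authenticated": row["AUTH"] == "1",
            "last_seen": row["ACCESSED"],
        })
    return flagged


if __name__ == "__main__":
    for hit in unexpected_attachments(TMSIS_SAMPLE, SUBSCRIBERS_SAMPLE):
        print("unprovisioned device: IMSI %(imsi)s (MCC %(mcc)s MNC %(mnc)s) "
              "IMEI %(imei)s, last seen %(last_seen)s" % hit)
```

Run it after every test session with the real tmsis output pasted in. IMSIs and IMEIs of devices that are not yours are personal data, so do not keep them in your notes.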

OpenBTS + Burp Suite

For intercepting the module's requests with Burp, see the NCC Group blog post GSM/GPRS Traffic Interception for Penetration Testing Engagements (linked in the references). The general approach is to let the PC running OpenBTS act as the GPRS gateway and steer the module's HTTP/HTTPS connections into a Burp listener configured for invisible proxying. Protocols that are not HTTP can still be captured on the GPRS interface with tcpdump and replayed from there, and a module that refuses Burp's certificate on HTTPS is itself a useful result: it validates the server certificate.
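The rules file in 0×03 and the Burp interception above are two views of the same NAT setup on the PC. The script below is an added example, not part of the original article, OpenBTS or the NCC Group post: it generates an iptables-restore file for the GPRS gateway that detects the real uplink interface instead of assuming eth0, limits forwarding to the GPRS subnet, and optionally REDIRECTs the module's TCP 80/443 into a Burp listener. The GPRS interface name sgsntun and subnet 192.168.99.0/24 are assumed from the OpenBTS defaults GGSN.TunName and GGSN.MS.IP.Base (check them with config GGSN in OpenBTSCLI), and the Burp listener is assumed to be on port 8080 with "support invisible proxying" enabled.

```python
"""Generate iptables-restore rules for the OpenBTS GPRS gateway, optionally
redirecting the module's HTTP/HTTPS into a transparent Burp listener.

Added example (not from the article, OpenBTS or NCC Group). Assumed defaults:
GGSN.TunName=sgsntun, GGSN.MS.IP.Base=192.168.99.1, Burp on port 8080.
"""
import re
import subprocess
from typing import Optional


def parse_default_iface(ip_route_output: str) -> Optional[str]:
    """Interface carrying the default route, from `ip route show default` text."""
    for line in ip_route_output.splitlines():
        m = re.match(r"default\s+via\s+\S+\s+dev\s+(\S+)", line.strip())
        if m:
            return m.group(1)
    return None


def detect_uplink() -> Optional[str]:
    """Run `ip route show default` on this host; None if it cannot be determined."""
    try:
        out = subprocess.run(["ip", "route", "show", "default"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_default_iface(out)


def ip_forward_enabled(path: str = "/proc/sys/net/ipv4/ip_forward") -> Optional[bool]:
    """True/False from the sysctl node, None if it is not readable (non-Linux, no permission)."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return None


def render_rules(uplink: str, gprs_iface: str = "sgsntun", gprs_net: str = "192.168.99.0/24",
                 burp_port: Optional[int] = None, intercept_ports=(80, 443)) -> str:
    """iptables-restore text for the gateway.

    Compared with the article's rules file: MASQUERADE is limited to the GPRS
    subnet, FORWARD defaults to DROP and admits only GPRS->uplink traffic plus
    replies, and with burp_port set the module's TCP 80/443 is REDIRECTed to
    Burp (REDIRECT sends it to the PC's own address on the GPRS interface).
    """
    nat = [
        "*nat",
        ":PREROUTING ACCEPT [0:0]",
        ":POSTROUTING ACCEPT [0:0]",
        ":OUTPUT ACCEPT [0:0]",
    ]
    if burp_port is not None:
        for port in intercept_ports:
            nat.append(f"-A PREROUTING -i {gprs_iface} -s {gprs_net} -p tcp --dport {port} "
                       f"-j REDIRECT --to-ports {burp_port}")
    nat.append(f"-A POSTROUTING -s {gprs_net} -o {uplink} -j MASQUERADE")
    nat.append("COMMIT")

    filt = [
        "*filter",
        ":INPUT ACCEPT [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        f"-A FORWARD -i {gprs_iface} -s {gprs_net} -o {uplink} -j ACCEPT",
        f"-A FORWARD -i {uplink} -o {gprs_iface} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "COMMIT",
    ]
    return "\n".join(nat + filt) + "\n"


if __name__ == "__main__":
    uplink = detect_uplink() or "eth0"  # fall back to the interface name used in the article
    if ip_forward_enabled() is not True:
        print("# warning: net.ipv4.ip_forward is not 1; run: sudo sysctl -w net.ipv4.ip_forward=1")
    # Save the output to a file and load it with: sudo iptables-restore < gprs-gateway.rules
    print(render_rules(uplink, burp_port=8080))
```

Only ports 80 and 443 are redirected; if the module speaks a custom TCP protocol to its backend, leave burp_port unset and capture on sgsntun with tcpdump instead. Burp's listener must be bound to an address the PC holds on sgsntun or to all interfaces, otherwise the redirected connections are refused.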

0×06 Hardware debugging

The GSM chip module, a Fibocom G510 (figure in the original)

G510-Q50-00 pin definitions (figure in the original)

Soldering a TTL serial header onto the board for debugging (figure in the original)

Serial console debugging (figure in the original)
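Once a TTL serial header is attached, the first thing to confirm over the console is that the module has registered to the test cell and attached to GPRS, and not to a live operator. The script below is an added example, not from the original article or from Fibocom's documentation; it uses the standard 3GPP TS 27.007 commands AT+COPS, AT+CREG and AT+CGATT, which GSM/GPRS modems such as the G510 implement, and its parsers are exercised on constructed modem replies. Talking to real hardware assumes pyserial and the device path and baud rate of your adapter (/dev/ttyUSB0 at 115200 below are placeholders), and the test PLMN 001/01 assumes the cell was configured as in 0×05.

```python
"""Check over the serial console that a GSM module sits on the test cell.

Added example (not from the article or Fibocom). Uses 3GPP TS 27.007 AT
commands; pyserial is assumed only for query_module().
"""
import re

TEST_PLMN = ("001", "01")  # MCC/MNC of the OpenBTS test network configured earlier

CREG_STATUS = {
    0: "not registered, not searching",
    1: "registered, home network",
    2: "not registered, searching",
    3: "registration denied",
    4: "unknown",
    5: "registered, roaming",
}


def parse_creg(reply: str):
    """<stat> from '+CREG: <n>,<stat>[,<lac>,<ci>]'; None if absent."""
    m = re.search(r"\+CREG:\s*\d+,(\d+)", reply)
    return int(m.group(1)) if m else None


def parse_cops(reply: str):
    """(format, operator) from '+COPS: <mode>[,<format>,"<oper>"[,<AcT>]]'.

    Returns None when no operator is reported (reply is just '+COPS: 0').
    Send AT+COPS=3,2 first so <oper> comes back as numeric MCC+MNC.
    """
    m = re.search(r'\+COPS:\s*\d+(?:,(\d+),"([^"]*)")?', reply)
    if not m or m.group(2) is None:
        return None
    return int(m.group(1)), m.group(2)


def parse_cgatt(reply: str):
    """True for '+CGATT: 1' (GPRS attached), False for 0, None if absent."""
    m = re.search(r"\+CGATT:\s*(\d)", reply)
    return None if not m else m.group(1) == "1"


def split_plmn(numeric_oper: str):
    """'00101' -> ('001', '01'); the MNC is whatever follows the 3-digit MCC."""
    return numeric_oper[:3], numeric_oper[3:]


def assess(creg_reply: str, cops_reply: str, cgatt_reply: str, test_plmn=TEST_PLMN):
    """Summarise registration state and whether the module is on our cell."""
    stat = parse_creg(creg_reply)
    cops = parse_cops(cops_reply)
    plmn = None
    if cops is not None and cops[0] == 2:  # only the numeric format identifies the PLMN
        plmn = split_plmn(cops[1])
    return {
        "registered": stat in (1, 5),
        "status": CREG_STATUS.get(stat, "no +CREG in reply"),
        "plmn": plmn,
        "on_test_plmn": plmn == tuple(test_plmn),
        "gprs_attached": parse_cgatt(cgatt_reply),
    }


def query_module(port="/dev/ttyUSB0", baud=115200, timeout=2.0):
    """Ask a real module (placeholder device path and baud rate) and assess its replies."""
    import serial  # pyserial, assumed to be installed only when talking to hardware

    def at(ser, cmd):
        ser.write((cmd + "\r").encode())
        return ser.read_until(b"OK\r\n").decode(errors="replace")

    with serial.Serial(port, baud, timeout=timeout) as ser:
        at(ser, "AT+COPS=3,2")  # request the numeric operator format
        return assess(at(ser, "AT+CREG?"), at(ser, "AT+COPS?"), at(ser, "AT+CGATT?"))


if __name__ == "__main__":
    # Constructed replies as a modem returns them, CRLF-framed.
    print(assess("\r\n+CREG: 0,1\r\n\r\nOK\r\n",
                 '\r\n+COPS: 0,2,"00101",0\r\n\r\nOK\r\n',
                 "\r\n+CGATT: 1\r\n\r\nOK\r\n"))
```

If the module reports a real PLMN such as 46000 while your cell is transmitting, it has preferred the live network; lower the cell's transmit attenuation only if you are in a shielded enclosure, otherwise move the device closer or use a SIM for the 001/01 test PLMN.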

0×07 References

GSM/GPRS Traffic Interception for Penetration Testing Engagements

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/may/gsmgprs-traffic-interception-for-penetration-testing-engagements/

Getting Started with OpenBTS

PDF: http://openbts.org/site/wp-content/uploads/ebook/Getting_Started_with_OpenBTS_Range_Networks.pdf

HTML: https://www.safaribooksonline.com/library/view/getting-started-with/9781491924280/ch04.html

OpenBTS Application Suite Release 4.0 User Manual

http://openbts.org/site/wp-content/uploads/2014/07/OpenBTS-4.0-Manual.pdf

OpenBTS BuildInstallRun

http://openbts.org/w/index.php?title=BuildInstallRun

http://openbts.org/w/index.php?title=OpenBTS-UMTS

https://wush.net/trac/rangepublic/wiki/GPRS

How to get 3G working on the UmTRX

https://fairwaves.co/blog/openbts-umts-3g-umtrx/

FIBOCOM G510

http://www.fibocom.com/product/2-1-2-1.html

FIBOCOM G510 Q50-00

http://www.tme.eu/gb/details/g510-q50-00/gsmgpsgprshspaedgelte-modules/fibocom/g510-q50-00/

http://www.fibocom.com/upfile/down/document_2_1_2_1.pdf

http://www.tme.eu/gb/Document/fabb43e22a46fba821931db19e577988/FIBOCOM_G510_U_M.pdf

http://www.mouser.cn/ProductDetail/STMicroelectronics/STM32F103C8T6/?qs=bhCVus9SdFtq6kqxsU5%2FDA%3D%3D

Original article: http://www.freebuf.com/articles/wireless/124147.html

