How to Build and Use a Portable 4G/LTE Fake Base Station for Mobile Security Research



0x00 Preface

With the mobile internet everywhere and the Internet of Things entering large-scale deployment, a network security company has to study mobile security, and mobile security cannot be studied without a 4G/LTE fake base station test environment.

This article explains how to use open-source projects and an SDR to legally build and operate a portable 4G/LTE fake base station, for security research in the lab or for physical penetration tests authorised by the customer.

0x01 Conducting Research Legally

Under the national radio regulations, frequency, equipment and operator licences must be obtained before transmitting or receiving in the bands used for telecommunications services, and bands already allocated to an operator may only be used with that operator's consent. So for communications experiments the usual approach is not to apply for a licence but to build an enclosed electromagnetic space, a Faraday cage, inside which radio signals can be transmitted and received without affecting the outside world.

A Faraday cage is a space enclosed by metal or metal mesh; it can be as large as a room or as small as a box. If the cage is small, only the antennas that transmit and receive are placed inside it, while the rest of the equipment stays outside, connected through feed lines. Before testing, confirm that the cage really isolates: a phone inside it should lose the operator's signal, and a receiver outside it should not see your downlink.

0x02 Hardware

SBC: UP Board, Intel Atom x5-Z8350 quad-core CPU, 4GB RAM, 64GB eMMC

SDR: USRP B200mini + USB cable

Antenna + feed line + duplexer

Power bank: 5V 3A (very important: the B200mini is USB bus-powered and draws its current through the UP Board, so a weaker supply will brown out under load)

0x04 Software

1. Ubuntu 16.04 LTS

Update after installation:

sudo apt-get update

sudo apt-get upgrade

2. Required software: Git

sudo apt-get install git

Mainland China only: Shadowsocks, Privoxy

sudo apt-get install privoxy python-gevent python-pip

sudo pip install shadowsocks

Proxy configuration is omitted.

0x05 Installation

1.eNodeB: OpenAirInterface

git clone https://gitlab.eurecom.fr/oai/openairinterface5g.git

cd openairinterface5g

git checkout develop

source oaienv

cd cmake_targets

./build_oai -I --eNB -x --install-system-files -w USRP

2.EPC: OpenAir-CN

git clone https://gitlab.eurecom.fr/oai/openair-cn.git

cd openair-cn

git checkout develop

cd scripts

./build_hss -i

./build_mme -i

./build_spgw -i

./build_hss

./build_mme

./build_spgw

0x06 Configuration

1.eNodeB: 

Open ~/openairinterface5g/targets/PROJECTS/GENERIC-LTE-EPC/CONF/enb.band3.tm1.usrpb210.conf, make the following changes, and save it as enb.band3.tm1.usrpb200.conf. The PLMN (MCC/MNC) and TAC set here must match TAI_LIST and GUMMEI_LIST in mme.conf, and mme_ip_address must be the address the MME binds for S1-MME:

    tracking_area_code  =  "13";
    mobile_country_code =  "460";
    mobile_network_code =  "01";

    Nid_cell            = 0;

    ////////// MME parameters:
    mme_ip_address      = ( { ipv4       = "127.0.1.10";
                              ipv6       = "192:168:30::17";
                              active     = "yes";
                              preference = "ipv4";
                            }
                          );

    NETWORK_INTERFACES :
    {
        ENB_INTERFACE_NAME_FOR_S1_MME         = "lo";
        ENB_IPV4_ADDRESS_FOR_S1_MME           = "127.0.1.2/8";

        ENB_INTERFACE_NAME_FOR_S1U            = "lo";
        ENB_IPV4_ADDRESS_FOR_S1U              = "127.0.6.2/8";
        ENB_PORT_FOR_S1U                      = 2152; # Spec 2152
    };

2.EPC:

Edit /etc/hosts and /etc/hostname, then reboot. The names used here must match the Diameter identities configured below (hss.openair4G.eur for the HSS, mini.openair4G.eur for the MME host):

sudo gedit /etc/hosts

127.0.0.1   localhost
127.0.1.1   mini.openair4G.eur mini
127.0.33.1  hss.openair4G.eur hss

sudo gedit /etc/hostname

mini

Copy the EPC configuration files:

sudo mkdir -p /usr/local/etc/oai/freeDiameter
sudo cp ~/openair-cn/etc/mme.conf /usr/local/etc/oai
sudo cp ~/openair-cn/etc/hss.conf /usr/local/etc/oai
sudo cp ~/openair-cn/etc/spgw.conf /usr/local/etc/oai
sudo cp ~/openair-cn/etc/acl.conf /usr/local/etc/oai/freeDiameter
sudo cp ~/openair-cn/etc/mme_fd.conf /usr/local/etc/oai/freeDiameter
sudo cp ~/openair-cn/etc/hss_fd.conf /usr/local/etc/oai/freeDiameter

Edit hss.conf (MYSQL_pass is the MySQL root password you chose when ./build_hss -i installed MySQL; a weak password is tolerable only because the box lives in the lab):

## MySQL mandatory options
MYSQL_server = "127.0.0.1";
MYSQL_user   = "root";
MYSQL_pass   = "linux";
MYSQL_db     = "oai_db";

Edit mme.conf:

REALM = "openair4G.eur";

    S6A :
    {
        S6A_CONF                   = "/usr/local/etc/oai/freeDiameter/mme_fd.conf"; # YOUR MME freeDiameter config file path
        HSS_HOSTNAME               = "hss";                                         # THE HSS HOSTNAME
    };

GUMMEI_LIST = ( 
        {MCC="460" ; MNC="01"; MME_GID="4" ; MME_CODE="13"; }                   # YOUR GUMMEI CONFIG HERE
     );

TAI_LIST = (
{MCC="460" ; MNC="01";  TAC = "13"; }                              # YOUR PLMN CONFIG HERE
);

   NETWORK_INTERFACES :
    {
        # MME binded interface for S1-C or S1-MME  communication (S1AP), can be ethernet interface, virtual ethernet interface, we don't advise wireless interfaces
        MME_INTERFACE_NAME_FOR_S1_MME         = "lo";                        # YOUR NETWORK CONFIG HERE
        MME_IPV4_ADDRESS_FOR_S1_MME           = "127.0.1.10/8";            # YOUR NETWORK CONFIG HERE

        # MME binded interface for S11 communication (GTPV2-C)
        MME_INTERFACE_NAME_FOR_S11_MME        = "lo";                          # YOUR NETWORK CONFIG HERE
        MME_IPV4_ADDRESS_FOR_S11_MME          = "127.0.8.11/8";                # YOUR NETWORK CONFIG HERE
        MME_PORT_FOR_S11_MME                  = 2123;                          # YOUR NETWORK CONFIG HERE
    };

S-GW :
{
    # S-GW binded interface for S11 communication (GTPV2-C), if none selected the ITTI message interface is used
    SGW_IPV4_ADDRESS_FOR_S11                = "127.0.8.1/8";            # YOUR NETWORK CONFIG HERE

};

Edit spgw.conf:

S-GW :
{

    NETWORK_INTERFACES : 
    {
        # S-GW binded interface for S11 communication (GTPV2-C), if none selected the ITTI message interface is used
        SGW_INTERFACE_NAME_FOR_S11              = "lo";                    # YOUR NETWORK CONFIG HERE
        SGW_IPV4_ADDRESS_FOR_S11                = "127.0.8.1/8";            # YOUR NETWORK CONFIG HERE

        # S-GW binded interface for S1-U communication (GTPV1-U) can be ethernet interface, virtual ethernet interface, we don't advise wireless interfaces
        SGW_INTERFACE_NAME_FOR_S1U_S12_S4_UP    = "lo";                       # YOUR NETWORK CONFIG HERE, USE "lo" if S-GW run on eNB host
        SGW_IPV4_ADDRESS_FOR_S1U_S12_S4_UP      = "127.0.6.1/8";           # YOUR NETWORK CONFIG HERE
        SGW_IPV4_PORT_FOR_S1U_S12_S4_UP         = 2152;                         # PREFER NOT CHANGE UNLESS YOU KNOW WHAT YOU ARE DOING

        # S-GW binded interface for S5 or S8 communication, not implemented, so leave it to none
        SGW_INTERFACE_NAME_FOR_S5_S8_UP         = "none";                       # DO NOT CHANGE (NOT IMPLEMENTED YET)
        SGW_IPV4_ADDRESS_FOR_S5_S8_UP           = "0.0.0.0/24";                 # DO NOT CHANGE (NOT IMPLEMENTED YET)
    };

...
}


P-GW =
{
    NETWORK_INTERFACES :
    {
        # P-GW binded interface for S5 or S8 communication, not implemented, so leave it to none
        PGW_INTERFACE_NAME_FOR_S5_S8          = "none";                         # DO NOT CHANGE (NOT IMPLEMENTED YET)
        PGW_IPV4_ADDRESS_FOR_S5_S8            = "0.0.0.0/24";                   # DO NOT CHANGE (NOT IMPLEMENTED YET)

        # P-GW binded interface for SGI (egress/ingress internet traffic)
        PGW_INTERFACE_NAME_FOR_SGI            = "eth0";                         # YOUR NETWORK CONFIG HERE
        PGW_IPV4_ADDRESS_FOR_SGI              = "192.168.12.82/24";             # YOUR NETWORK CONFIG HERE
        PGW_MASQUERADE_SGI                    = "yes";                          # YOUR NETWORK CONFIG HERE
    };
...
   # DNS address communicated to UEs
    DEFAULT_DNS_IPV4_ADDRESS     = "192.168.106.12";                            # YOUR NETWORK CONFIG HERE
    DEFAULT_DNS_SEC_IPV4_ADDRESS = "192.168.12.100";                            # YOUR NETWORK CONFIG HERE

...
}

Edit the HSS freeDiameter configuration file (/usr/local/etc/oai/freeDiameter/hss_fd.conf):

Identity = "hss.openair4G.eur";
Realm = "openair4G.eur";

Edit the MME freeDiameter configuration file (/usr/local/etc/oai/freeDiameter/mme_fd.conf):

Identity = "mini.openair4G.eur";
Realm = "openair4G.eur";
ConnectPeer= "hss.openair4G.eur" { ConnectTo = "127.0.33.1"; No_SCTP ; No_IPv6; Prefer_TCP; No_TLS; port = 3868;  realm = "openair4G.eur";};
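Most failed attaches on this kind of setup come from the files above disagreeing with each other: the eNB broadcasting a PLMN or TAC the MME does not serve, the eNB dialling an MME address the MME does not bind, or the Diameter identities not matching /etc/hosts. The following script is an added example, not part of the article or of OAI; it embeds constructed copies of the fragments shown above and cross-checks them. To use it on a real box, read the files from disk instead of the inline strings.

```python
import re

# Constructed copies of the fragments the article shows, embedded so the check
# runs offline; a real run would read the files from disk instead.
ENB_CONF = '''
tracking_area_code  =  "13";
mobile_country_code =  "460";
mobile_network_code =  "01";
mme_ip_address = ( { ipv4 = "127.0.1.10"; ipv6 = "192:168:30::17"; active = "yes"; preference = "ipv4"; } );
ENB_IPV4_ADDRESS_FOR_S1_MME = "127.0.1.2/8";
ENB_IPV4_ADDRESS_FOR_S1U    = "127.0.6.2/8";
'''
MME_CONF = '''
REALM = "openair4G.eur";
HSS_HOSTNAME = "hss";
GUMMEI_LIST = ( {MCC="460" ; MNC="01"; MME_GID="4" ; MME_CODE="13"; } );
TAI_LIST    = ( {MCC="460" ; MNC="01"; TAC = "13"; } );
MME_IPV4_ADDRESS_FOR_S1_MME  = "127.0.1.10/8";
MME_IPV4_ADDRESS_FOR_S11_MME = "127.0.8.11/8";
SGW_IPV4_ADDRESS_FOR_S11     = "127.0.8.1/8";
'''
SPGW_CONF = '''
SGW_IPV4_ADDRESS_FOR_S11           = "127.0.8.1/8";
SGW_IPV4_ADDRESS_FOR_S1U_S12_S4_UP = "127.0.6.1/8";
'''
MME_FD = '''
Identity = "mini.openair4G.eur";
Realm = "openair4G.eur";
ConnectPeer= "hss.openair4G.eur" { ConnectTo = "127.0.33.1"; No_SCTP ; No_IPv6; Prefer_TCP; No_TLS; port = 3868;  realm = "openair4G.eur";};
'''
HSS_FD = '''
Identity = "hss.openair4G.eur";
Realm = "openair4G.eur";
'''
HOSTS = '''
127.0.0.1   localhost
127.0.1.1   mini.openair4G.eur mini
127.0.33.1  hss.openair4G.eur hss
'''
HOSTNAME = "mini"

KV = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def values(text):
    """Map each key = "value" in a libconfig/freeDiameter fragment to the set of
    values it takes; IPv4 prefix lengths are dropped so "/8" cannot hide a mismatch."""
    out = {}
    for key, val in KV.findall(text):
        out.setdefault(key, set()).add(val.split("/")[0])
    return out


def hosts_map(text):
    """/etc/hosts -> {name: ip} for every alias on every non-comment line."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            for name in parts[1:]:
                table[name] = parts[0]
    return table


def check_configs(enb, mme, spgw, mme_fd, hss_fd, hosts, hostname):
    """Return a list of mismatches between the files; an empty list means the
    eNB, MME, SPGW and Diameter settings agree with each other."""
    e, m, s, mf, hf = (values(t) for t in (enb, mme, spgw, mme_fd, hss_fd))
    h = hosts_map(hosts)
    problems = []

    def same(label, left, right):
        if left != right:
            problems.append("%s: %s != %s" % (label, sorted(left), sorted(right)))

    # PLMN and TAC broadcast by the eNB must match TAI_LIST/GUMMEI_LIST in mme.conf.
    same("MCC", e["mobile_country_code"], m["MCC"])
    same("MNC", e["mobile_network_code"], m["MNC"])
    same("TAC", e["tracking_area_code"], m["TAC"])
    # The MME address the eNB dials must be the one the MME binds for S1-MME.
    same("S1-MME", e["ipv4"], m["MME_IPV4_ADDRESS_FOR_S1_MME"])
    # MME and SPGW must agree on the S-GW's S11 endpoint.
    same("S11", m["SGW_IPV4_ADDRESS_FOR_S11"], s["SGW_IPV4_ADDRESS_FOR_S11"])
    # One Diameter realm everywhere.
    same("realm (mme.conf vs mme_fd)", m["REALM"], mf["Realm"])
    same("realm (mme_fd vs hss_fd)", mf["Realm"], hf["Realm"])
    # HSS_HOSTNAME.REALM must be the HSS's Diameter Identity and must resolve via
    # /etc/hosts to the ConnectTo address in mme_fd.conf.
    hss_fqdn = next(iter(m["HSS_HOSTNAME"])) + "." + next(iter(m["REALM"]))
    same("HSS identity", {hss_fqdn}, hf["Identity"])
    same("HSS address", {h.get(hss_fqdn, "<not in /etc/hosts>")}, mf["ConnectTo"])
    # The MME's Identity must be <hostname>.<realm> and appear in /etc/hosts.
    mme_fqdn = hostname + "." + next(iter(mf["Realm"]))
    same("MME identity", {mme_fqdn}, mf["Identity"])
    if mme_fqdn not in h:
        problems.append(mme_fqdn + " missing from /etc/hosts")
    return problems


if __name__ == "__main__":
    for p in check_configs(ENB_CONF, MME_CONF, SPGW_CONF, MME_FD, HSS_FD, HOSTS, HOSTNAME) or ["OK"]:
        print(p)
```

The parser is deliberately naive (every key = "value" pair, regardless of nesting), which is enough for these files because the keys that matter have unique names; where a key legitimately repeats (MCC/MNC in GUMMEI_LIST and TAI_LIST) the check requires all copies to agree.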

0x07 Running

Install the freeDiameter (S6a) certificates:

cd ~/openair-cn/scripts
./check_hss_s6a_certificate /usr/local/etc/oai/freeDiameter/ hss.openair4G.eur
./check_mme_s6a_certificate /usr/local/etc/oai/freeDiameter/ mini.openair4G.eur

First run of the HSS (also creates the oai_db database from the supplied SQL):

cd ~/openair-cn/scripts
./run_hss -i ~/openair-cn/src/oai_hss/db/oai_db.sql

Every subsequent run of the HSS:

cd ~/openair-cn/scripts
./run_hss

Run the MME:

cd ~/openair-cn/scripts
./run_mme

Security testing usually does not require running the SP-GW: the UE has already revealed its identity and set up its RRC connection before the MME asks the S-GW for a bearer, so only tests that need a working data path for the UE require it.

Run the eNB:

cd ~/openairinterface5g
source oaienv
cd cmake_targets/lte_build_oai/build
sudo -E ./lte-softmodem -O $OPENAIR_DIR/targets/PROJECTS/GENERIC-LTE-EPC/CONF/enb.band3.tm1.usrpb200.conf

0x08 Advanced Topics

1. TD-LTE support

  OAI itself supports TD-LTE. But because a TDD system requires network-wide transmit/receive synchronisation, a fake base station only works if it is synchronised to the operator's live network. OAI already contains partial code for TDD synchronisation from over-the-air signals; further modification is needed to synchronise with the live network.

2. Trimming the code

  If we only do network security research and not communications research, we do not need a complete EPC. Most companies only study air-interface DoS and RRC redirection attacks, where each test involves only a few fixed-format messages coming back from the MME, so the code can be modified to return the desired message directly, or to execute the desired logic, which eliminates the EPC and leaves a single lte-softmodem process to run.

3. Connecting to the operator's core network

  If the authentication vector (Kasme, AUTN, RAND, XRES) can be obtained from the operator's core network, mutual authentication can be passed and the LTE phone will believe our base station is genuine. This requires modifying the MME code and the freeDiameter configuration.

4. Integrating an LTE + GSM fake base station on the same hardware

5. Setting up your own test network

If you are interested in one of these advanced topics and have a rough idea of how to implement it, you are welcome to team up with me to do some interesting (open-source) communications security projects. Teacher Seeker's WeChat: 70772177.

0x09 Closing Remarks

In the era of connecting everything, understanding the boundaries of LTE availability and security concerns everyone's personal safety and data security.

Whether you are developing self-driving cars, medical devices, smart meters or ordinary mobile apps, placing too much trust in the availability and security of the operator's network introduces security threats. It is not only network security companies that need to study wireless communications security; product developers need to as well.

