Accelerate3g5 -- blobb » History » Version 129

blobb, 05/07/2017 10:18 PM

h1. Accelerate3g5 -- blobb

h2. Summary

Trying to come up with a fuzzing interface.

h3. Participants

* André (email: dr.blobb@gmail.com)

h2. Details

First, setting up the femtocell and understanding the necessary basics of UMTS communication to do so. (done)
Collecting information, e.g. slides, talks and documentation, about fuzzing of wireless protocols. (done)
Writing some code to craft requests and run fuzz tests against the subscriber. (to be done)

Note: first time fuzzing.

h2. Test devices

TD1: Samsung Galaxy S5 Mini (G800F)
* OS: Lineage OS (14.1/7.1.1)
* BB: G800FXXU1BPC3
* SIM: MicroSIM

TD2: LG Nexus 5 (hammerhead)
* OS: Android Marshmallow (6.0)
* BB: M48974A-2.0.50.2.27
* SIM: MicroSIM

TD3: HTC One M9
* OS: Android Lollipop (5.1)
* BB: 01.04_U11440601_71.02.50709G_F
* SIM: NanoSIM (cut MicroSIM)

TD4: Samsung S3 (GT-I9300)
* OS: Android Jelly Bean (4.3)
* BB: I9300XXUGNA8
* SIM: MicroSIM

h2. Journal

+_2017-03-07_+
Pick up package at Sysmocom office.
Having an informative conversation with Neels about Jenkins, Docker and build artifacts.

+_2017-03-12_+
Set up wiki page.
Seeing femtocell on network interface.
Compiled source as described, but couldn't configure/launch CN successfully (yet).
Next time will try Neels' launch script and same IP range.

+_2017-03-15_+
Reading "data sheet [overview]":http://www.ipaccess.com/uploads/wysiwyg_editor/files/2017/S8_S16-Datasheet-v1.0.pdf "data sheet [details]":https://fccid.io/pdf.php?id=1462491 about ip.access nano3G S8.
Configuring femtocell via telnet (dry run).
Running into the HLR issue mentioned in the wiki when invoking run.sh.

+_2017-04-02_+
Collecting input about fuzzing:

papers/theses:
>"SMS Fuzzing - SIM Toolkit Attack - B. Alecu, defcon21 2013":https://www.defcon.org/images/defcon-21/dc-21-presentations/Alecu/DEFCON-21-Bogdan-Alecu-Attacking-SIM-Toolkit-with-SMS-WP.pdf
>"SMS Vulnerability Analysis on Feature Phones - N. Golde, 2011":http://www.isti.tu-berlin.de/fileadmin/fg214/finished_theses/NicoGolde/diplom_golde.pdf
>"Fuzzing the GSM Protocol - B. Hond, master thesis 2011":http://www.ru.nl/publish/pages/769526/scriptie-brinio-final-brinio_hond.pdf

talks:
>"SMS Fuzzing - Sim Toolkit Attack - B. Alecu, Deepsec 2011":http://www.securitytube.net/video/2518
>"Using OpenBSC for fuzzing of GSM handsets - H. Welte, 26c3 2009":http://mirror.fem-net.de/CCC/26C3/mp4/26c3-3535-en-using_openbsc_for_fuzzing_of_gsm_handsets.mp4

slides:
>"MobiDeke: Fuzzing the GSM Protocol Stack - S. Dudek & G. Delugré, hack.lu 2012":http://archive.hack.lu/2012/Fuzzing_The_GSM_Protocol_Stack_-_Sebastien_Dudek_Guillaume_Delugre.pdf
>"Base Jumping - Attacking the GSM BB and BTS - grugq, 2010":http://conference.hackinthebox.org/hitbsecconf2010kul/materials/D2T1%20-%20The%20Grugq%20-%20Attacking%20GSM%20Basestations.pdf
>"Fuzzing your GSM phone - Harald Welte, 26c3 2009":https://events.ccc.de/congress/2009/Fahrplan/attachments/1503_openbsc_gsm_fuzzing.pdf
>"Fuzzing the Phone in your Phone - C. Miller & C. Mulliner, Blackhat 2009":https://engineering.purdue.edu/dcsl/reading/2011/jevin-fuzzing.pdf
>"Injecting SMS Messages into Smart Phones for Security Analysis - C. Mulliner, 2009":https://www.mulliner.org/security/sms/feed/injecting_sms_mulliner_miller.pdf
>"Security Testing esp. Fuzzing - E. Poll, ????":https://www.cs.ru.nl/E.Poll/ss/slides/12_Fuzzing.pdf

+_2017-04-19_+
Resolving the HLR issue and setting correct IPs in "*.cfg files":https://osmocom.org/attachments/download/2559/3G-config-example-v3.tar.
hNodeB connects to hnbgw, but no UE is connecting to it.
> [issue from wiki: ...unable to resolve DNS record look up of 0.ipaccess.pool.ntp.org... no trx].
Connected the femtocell to a LAN with internet access to resolve the DNS record lookup issue; still no phones are connecting (yet).
Adding SIM cards to hlr.db after creating the db successfully [thanks to "andreas":https://osmocom.org/projects/cellular-infrastructure/wiki/Accelerate3g5_--_andreas].

+_2017-04-20_+
Create and attach "build_3G.sh":https://osmocom.org/attachments/download/2602/build_3G.sh (adapted from "build_2G.sh":https://osmocom.org/attachments/download/2438/build_2G.sh).
Rebuild with correct branch/tag (openbsc:vlr_3G, libosmo-sccp:old_sua).
TD1 and TD2 *successfully connected* to femtocell!!! *\o/*
*Voice calls work* (TD1<->TD2).

+_2017-04-22_+
Create and attach "configure_nano3G.exp":https://projects.osmocom.org/attachments/download/2604/configure_nano3G.exp.
> Invoke expect script within "run.sh":https://projects.osmocom.org/attachments/download/2559/3G-config-example-v3.tar to automate the initial nano3G configuration via telnet.
*SMS work* (TD1<->TD2); probably worked before, but has only been tested "today".

+_2017-04-24_+
Compile OpenBSC with the --enable-mgcp-transcoding flag and create 127.0.0.2 on lo. :)
Attach refactored version of "build_3G.sh":https://projects.osmocom.org/attachments/download/2605/build_3G.sh.
*Data "works"* (TD1<->TD2, TDx<->tun0/192.168.42.1).
>Note: data "worked" before (UEs got IPs on 2017-04-20). But I didn't manage to forward packets from tun0->eth0->inet yet, although the following rules have been applied:
>>sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
>>sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

+_2017-04-25_+
Create and attach "find_nano3G.sh":https://osmocom.org/attachments/download/2609/find_nano3G.sh.
Picked up TD4 at a friend's place. Now I don't need to change the SIM/USIM card in TD1, which is my "normal" cell phone, to test functionality. *Thanks* a lot buddy :)

+_2017-04-26_+
As it actually belongs to the accelerate3g5 project, I add the "hands-on repo":https://github.com/blobbsen/repo-handson to this journal.
> It provides functionality to clone the necessary git repos and build the accelerate3g5 CN stack.

+_2017-04-29_+
Test MMS, *doesn't* work.
I changed MCC and MNC from the "wiki-default":http://osmocom.org/projects/cellular-infrastructure/wiki/Configuring_the_ipaccess_nano3G values (MCC=901, MNC=98) to MCC=809 and MNC=90 on the hNodeB (telnet) to align with the SIM cards' IMSIs and avoid roaming, but it didn't work out (yet).

+_2017-04-30_+
Set csgAccessMode to CSG_ACCESS_MODE_CLOSED_ACCESS to avoid interfering with UEs not owned by me.
Set an additional iptables rule. UEs finally have an internet connection. *\o/*

>sudo iptables -t nat -A POSTROUTING -o lo -j MASQUERADE

+_2017-05-01_+
UEs are not roaming anymore *\o/*. Actually, a friend's explanation of how the MCC and MNC have to be set according to the IMSI (0-2 MCC, 3-4 MNC digits) was correct, but I didn't read the IMSI correctly from the "sysmocom full-size SIM card". Such IMSIs on the full-size SIM card consist of 18 digits.
After using the IMSIs from the delivery e-mail (which are 15 digits long, not 18 like the full-size-SIM-card IMSI) it works.
Moreover, I now know that the IMSI can ONLY hold 15 digits and consists of MCC (3), MNC (2-3) and MSIN (9-10).

A poor/manual stability test for the entire UMTS network has been successful for 12 hours (DL: 7.8-5.9 Mbit/s, UL: 1.2-0.8 Mbit/s, ping: 170-150 ms).

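The two lessons above (2017-04-29: the hNodeB's MCC/MNC must match the subscribers' IMSIs or the UEs roam; 2017-05-01: an 18-digit number read off the card is not an IMSI, an IMSI is MCC (3) + MNC (2-3) + MSIN and at most 15 digits) can be turned into a check that runs before any IMSI is written to hlr.db. The script below is an added example written for this page; it is not the wiki author's code and not an Osmocom tool. It takes the PLMN configured on the hNodeB as the reference (901/98 here, the wiki defaults named above), derives the MNC length from that configuration because the IMSI alone does not encode it, and reports each candidate as home, roaming or invalid. The IMSI list in the example is constructed, and the function names are mine.

```python
"""IMSI / PLMN sanity check before adding subscribers to the HLR.

Added example, not the wiki author's code and not an Osmocom tool.
An IMSI is at most 15 digits: MCC (3) + MNC (2 or 3) + MSIN (9 or 10).
The IMSI alone does not say whether the MNC is 2 or 3 digits long, so the
check takes the PLMN (MCC, MNC) the hNodeB is configured with and derives
the MNC length from it.
"""
import re
from dataclasses import dataclass

_DIGITS = re.compile(r"[0-9]+")  # ASCII digits only; str.isdigit() also accepts e.g. superscripts


@dataclass(frozen=True)
class Imsi:
    mcc: str
    mnc: str
    msin: str


def split_imsi(imsi: str, mnc_len: int) -> Imsi:
    """Split a 15-digit IMSI into MCC (3), MNC (mnc_len) and MSIN (the rest)."""
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3 digits")
    if not _DIGITS.fullmatch(imsi):
        raise ValueError(f"IMSI must be all digits, got {imsi!r}")
    if len(imsi) != 15:
        # The 18-digit number read off the card body can never be an IMSI:
        # IMSIs are at most 15 digits (3GPP TS 23.003), and the values that
        # worked on the page are exactly 15.
        raise ValueError(f"IMSI must be 15 digits, got {len(imsi)}")
    return Imsi(mcc=imsi[:3], mnc=imsi[3:3 + mnc_len], msin=imsi[3 + mnc_len:])


def is_home_plmn(imsi: str, mcc: str, mnc: str) -> bool:
    """True if the IMSI's MCC/MNC equal the PLMN the network advertises.

    On a mismatch the UE treats the cell as a visited network, i.e. it "roams",
    which is the symptom the journal describes until MCC/MNC and IMSIs agreed.
    """
    parsed = split_imsi(imsi, mnc_len=len(mnc))
    return parsed.mcc == mcc and parsed.mnc == mnc


def check_subscribers(imsis, mcc, mnc):
    """Classify candidate IMSIs as home, roaming or invalid for a given PLMN.

    Returns (home, roaming, invalid); invalid maps each rejected string to
    the reason, so a mis-read card number or a typo is caught before hlr.db
    is touched and before any UE tries to attach.
    """
    if not (re.fullmatch(r"[0-9]{3}", mcc) and re.fullmatch(r"[0-9]{2,3}", mnc)):
        raise ValueError("network PLMN must be MCC (3 digits) + MNC (2-3 digits)")
    home, roaming, invalid = [], [], {}
    for imsi in imsis:
        try:
            (home if is_home_plmn(imsi, mcc, mnc) else roaming).append(imsi)
        except ValueError as exc:
            invalid[imsi] = str(exc)
    return home, roaming, invalid


if __name__ == "__main__":
    NETWORK_MCC, NETWORK_MNC = "901", "98"  # the wiki-default PLMN named on the page
    # Constructed sample input for this example; the MSIN parts are made up.
    CANDIDATES = [
        "901980000000001",     # matches the network PLMN -> home subscriber
        "262010000000002",     # MCC 262 / MNC 01 -> this UE would consider itself roaming
        "901980000000001234",  # 18 digits, like a number printed on the card body
        "90198000000000A",     # not all digits
    ]
    home, roaming, invalid = check_subscribers(CANDIDATES, NETWORK_MCC, NETWORK_MNC)
    print("home   :", home)
    print("roaming:", roaming)
    for bad, why in invalid.items():
        print(f"invalid: {bad} ({why})")
```

Running it prints one home subscriber, one roaming subscriber and two rejected strings with their reasons. The MNC length is taken from the configured network value rather than guessed from the IMSI on purpose: a 3-digit MNC network and a 2-digit MNC network can both be "valid" splits of the same 15 digits, and only the operator's configuration decides which applies.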
+_2017-05-08_+
Reading "SIM lock":https://en.wikipedia.org/wiki/SIM_lock to verify whether I could use "cheap prepaid phones":https://www.walmart.com/ip/Walmart-Family-Mobile-Alcatel-PIXI-4-Prepaid-Smartphone/54457505#about-item as TDs.

h2. Conclusions

- UEs are connecting. Voice calls + SMS + data are working and UEs are *not* roaming. =)