
Accelerate3g5 -- blobb » History » Version 77

blobb, 04/25/2017 11:55 AM

h1. Accelerate3g5 -- blobb

h2. Summary

Trying to come up with a fuzzing interface.

h3. Participants

* André Boddenberg (email: dr.blobb@gmail.com)

h2. Details

* First set up the femtocell and understand the necessary basics of UMTS communication to do so. (done)
* Collect information (slides, talks, documentation) about fuzzing of wireless protocols. (done)
* Write some code to craft requests and run fuzz tests against the subscriber. (to be done)

Note: first time fuzzing.

h2. Test devices
20
21
TD1: Samsung Galaxy S5 Mini (G800F) 
22
 OS: Lineage OS (14.1/7.1.1) 
23
 BB: G800FXXU1BPC3
24
SIM: MicroSIM
25
26
TD2: LG Nexus 5 (hammerhead)
27
 OS: Android Marshmallow (6.0) 
28
 BB: M48974A-2.0.50.2.27
29
SIM: MicroSIM
30
31
TD3: HTC One M9
32
 OS: Android Lollipop (5.1)
33
 BB: 01.04_U11440601_71.02.50709G_F
34
SIM: NanoSIM (cutted MicroSIM)
35
36 7 blobb
h2. Journal

+_2017-03-07_+
Pick up package at Sysmocom office.
Having an informative conversation with Neels about Jenkins, Docker and build artifacts.

+_2017-03-12_+
Set up wiki page.
Seeing the femtocell on the network interface.
Compiled source as described, but couldn't configure/launch the CN successfully (yet).
Next time will try Neels' launch script and the same IP range.

+_2017-03-15_+
Reading "data sheet [overview]":http://www.ipaccess.com/uploads/wysiwyg_editor/files/2017/S8_S16-Datasheet-v1.0.pdf and "data sheet [details]":https://fccid.io/pdf.php?id=1462491 about the ip.access nano3G S8.
Configuring femtocell via telnet (dry run).
Running into the HLR issue mentioned in the wiki when invoking run.sh.

+_2017-04-02_+
Collecting input about fuzzing:

papers/theses:
>"SMS Fuzzing - SIM Toolkit Attack - B. Alecu, defcon21 2013":https://www.defcon.org/images/defcon-21/dc-21-presentations/Alecu/DEFCON-21-Bogdan-Alecu-Attacking-SIM-Toolkit-with-SMS-WP.pdf
>"SMS Vulnerability Analysis on Feature Phones - N. Golde, 2011":http://www.isti.tu-berlin.de/fileadmin/fg214/finished_theses/NicoGolde/diplom_golde.pdf
>"Fuzzing the GSM Protocol - B. Hond, master thesis 2011":http://www.ru.nl/publish/pages/769526/scriptie-brinio-final-brinio_hond.pdf

talks:
>"SMS Fuzzing - Sim Toolkit Attack - B. Alecu, Deepsec 2011":http://www.securitytube.net/video/2518
>"Using OpenBSC for fuzzing of GSM handsets - H. Welte, 26c3 2009":http://mirror.fem-net.de/CCC/26C3/mp4/26c3-3535-en-using_openbsc_for_fuzzing_of_gsm_handsets.mp4

slides:
>"MobiDeke: Fuzzing the GSM Protocol Stack - S. Dudek & G. Delugre, hack.lu 2012":http://archive.hack.lu/2012/Fuzzing_The_GSM_Protocol_Stack_-_Sebastien_Dudek_Guillaume_Delugre.pdf
>"Base Jumping - Attacking the GSM BB and BTS - grugq, 2010":http://conference.hackinthebox.org/hitbsecconf2010kul/materials/D2T1%20-%20The%20Grugq%20-%20Attacking%20GSM%20Basestations.pdf
>"Fuzzing your GSM phone - Harald Welte, 26c3 2009":https://events.ccc.de/congress/2009/Fahrplan/attachments/1503_openbsc_gsm_fuzzing.pdf
>"Fuzzing the Phone in your Phone - C. Miller & C. Mulliner, Blackhat 2009":https://engineering.purdue.edu/dcsl/reading/2011/jevin-fuzzing.pdf
>"Injecting SMS Messages into Smart Phones for Security Analysis - C. Mulliner, 2009":https://www.mulliner.org/security/sms/feed/injecting_sms_mulliner_miller.pdf
>"Security Testing esp. Fuzzing - E. Poll, ????":https://www.cs.ru.nl/E.Poll/ss/slides/12_Fuzzing.pdf

+_2017-04-19_+
Resolving the HLR issue and setting correct IPs in "*.cfg files":https://osmocom.org/attachments/download/2559/3G-config-example-v3.tar. 
hNodeB connects to hnbgw, but no UE is connecting to it.
> [issue from wiki: ...unable to resolve DNS record look up of 0.ipaccess.pool.ntp.org... no trx].
Connecting the femtocell to a LAN with internet access to resolve the DNS record lookup issue; still no phones are connecting (yet).
Adding SIM cards to hlr.db after creating the db successfully [thanks to "andreas":https://osmocom.org/projects/cellular-infrastructure/wiki/Accelerate3g5_--_andreas].

+_2017-04-20_+
Create and attach "build_3G.sh":https://osmocom.org/attachments/download/2602/build_3G.sh (adapted from "build_2G.sh":https://osmocom.org/attachments/download/2438/build_2G.sh).
Rebuild with the correct branch/tag (openbsc:vlr_3G, libosmo-sccp:old_sua).
TD1 and TD2 *successfully connected* to the femtocell!!! *\o/*
*Voice calls work* (TD1<->TD2).

+_2017-04-22_+
Create and attach "configure_nano3G.exp":https://projects.osmocom.org/attachments/download/2604/configure_nano3G.exp. 
> Invoke the expect script within "run.sh":https://projects.osmocom.org/attachments/download/2559/3G-config-example-v3.tar to automate the initial nano3G configuration via telnet. 
*SMS works* (TD1<->TD2); probably worked before but has been tested "today".

+_2017-04-24_+
Compile OpenBSC with the --enable-mgcp-transcoding flag and create 127.0.0.2 on lo. :)
Attach refactored version of "build_3G.sh":https://projects.osmocom.org/attachments/download/2605/build_3G.sh.
*Data works* (TD1<->TD2, TDx<->tun0/192.168.42.1).
>Note: data "worked" before (UEs got an IP on 2017-04-20). But I didn't manage to forward packets from tun0->eth0->inet yet, although the following iptables rules have been applied:

@sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"@
@sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE@
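The two commands above only switch on kernel forwarding and source NAT. They are not sufficient on a host whose FORWARD chain has a DROP default policy (Docker, among others, sets that policy), because packets routed between tun0 and eth0 are then dropped before they ever reach the nat table. The following script is an added example, not part of this wiki page or of the Osmocom project: it generates the complete rule set (forwarding sysctl, MASQUERADE, and the two FORWARD rules) for the interfaces named above. The UE subnet 192.168.42.0/24 is inferred from the tun0 address 192.168.42.1 on this page, and the FORWARD-policy explanation is an assumption about a likely cause, not something the page confirms. By default it prints the commands (dry run); APPLY=1 executes them and needs root.

```shell
#!/bin/sh
# Added example (not from the original wiki page): emit or apply the full
# iptables rule set needed to route UE traffic from the 3G tunnel interface
# (tun0) out through the uplink (eth0) and back.
# Assumption: UE subnet 192.168.42.0/24 behind tun0; change via environment.
set -eu

# nat_rules IN_IF OUT_IF SUBNET
# Prints one shell command per line. The POSTROUTING rule is restricted to
# the UE subnet so only tunnel traffic is masqueraded; the two FORWARD rules
# are the part missing from a MASQUERADE-only setup when the FORWARD chain
# defaults to DROP: outbound from the tunnel, and only reply traffic back in.
nat_rules() {
    in_if=$1; out_if=$2; subnet=$3
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $subnet -o $out_if -j MASQUERADE
iptables -A FORWARD -i $in_if -o $out_if -s $subnet -j ACCEPT
iptables -A FORWARD -i $out_if -o $in_if -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# check_ip_forward: returns 0 if the kernel currently forwards IPv4, 1 otherwise.
check_ip_forward() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)" = "1" ]
}

# Dry run by default; APPLY=1 runs each command (requires root).
main() {
    rules=$(nat_rules "${IN_IF:-tun0}" "${OUT_IF:-eth0}" "${SUBNET:-192.168.42.0/24}")
    if check_ip_forward; then
        echo "# ip_forward is currently enabled"
    else
        echo "# ip_forward is currently disabled"
    fi
    if [ "${APPLY:-0}" = "1" ]; then
        printf '%s\n' "$rules" | while IFS= read -r cmd; do
            echo "+ $cmd"
            sh -c "$cmd"
        done
    else
        printf '%s\n' "$rules"
    fi
}

main
```

Run it once without APPLY to review the generated commands, then `sudo APPLY=1 sh nat_rules.sh` to apply them; `iptables -S FORWARD` afterwards should show the two ACCEPT rules in front of the chain's default policy.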

+_2017-04-25_+
Create and attach "find_nano3G.sh":https://osmocom.org/attachments/download/2609/find_nano3G.sh.

h2. Conclusions

- UEs are connecting and voice calls are working.
>- network LED does not indicate whether an IP has been assigned by the DHCP server.
>- umts LED does indicate whether the cell is connected to the hnbgw, etc. pp.