IMSI-catcher: a tool to discover sensitive information on nearby mobile phones

IMSI-catcher is a tool that can help you find the IMSI number, country, brand and operator of nearby mobile phones.

The equipment you need

A PC

1 USB DVB-T dongle (RTL2832U) with antenna (about $15 or less), or an OsmocomBB mobile phone and a HackRF device.

Setup

git clone https://github.com/Oros42/IMSI-catcher.git
# or wget https://github.com/Oros42/IMSI-catcher/archive/master.zip && unzip -q master.zip

sudo apt install python-numpy python-scipy python-scapy

To install gr-gsm on Debian Testing (10) and Ubuntu 18.04+, refer to: https://osmocom.org/projects/gr-gsm/wiki/Installation

The installation commands for older versions of Debian and Ubuntu are as follows:

sudo add-apt-repository -y ppa:ptrkrysik/gr-gsm
sudo apt update
sudo apt install gr-gsm

If the gr-gsm installation fails, refer to the installation guide: https://github.com/ptrkrysik/gr-gsm/wiki/Installation

Debian: https://tracker.debian.org/pkg/gr-gsm

Run
With an older version of gr-gsm (before 0.41.2-1)
Open 2 terminals.

Enter in terminal 1:

sudo python simple_IMSI-catcher.py --sniff

You can add the -h parameter to display the available options.

In terminal 2, search frequency:

grgsm_scanner

Use the grgsm_livemon command to monitor the frequency you found:

grgsm_livemon -f <your_frequency>M

E.g:

grgsm_livemon -f 938.2M

After running, it should produce output similar to the following:

15 06 21 00 01 f0 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
25 06 21 00 05 f4 f8 68 03 26 23 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
49 06 1b 95 cc 02 f8 02 01 9c c8 03 1e 57 a5 01 79 00 00 1c 13 2b 2b
...

Switch to a different frequency as needed.

gr-gsm >= 0.41.2-1
Similarly, open 2 terminals.

Enter in terminal 1:

python simple_IMSI-catcher.py

You can add the -h parameter to display the available options.

Enter in terminal 2:

python scan-and-livemon

This may take several minutes, because it runs grgsm_scanner to find nearby base stations and then starts grgsm_livemon_headless to receive on them.

Alternatively, find the frequencies of nearby base stations yourself first:

grgsm_scanner

Then use the grgsm_livemon command to monitor a frequency you found:

grgsm_livemon -f <your_frequency>M

E.g:

grgsm_livemon -f 938.2M

After running, it should produce output similar to the following:

15 06 21 00 01 f0 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
25 06 21 00 05 f4 f8 68 03 26 23 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
49 06 1b 95 cc 02 f8 02 01 9c c8 03 1e 57 a5 01 79 00 00 1c 13 2b 2b
...

Switch to a different frequency as needed.

After completing the steps above, wait for results: within about a minute, IMSI numbers should appear in terminal 1. If nothing appears after one minute, change the frequency.
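The hex lines that grgsm_livemon prints above (in both the old and the new gr-gsm procedures) are raw GSM Layer 3 frames from the broadcast and paging channels, and it helps to see exactly what they contain before trusting what the catcher script reports. The following decoder is an added example, not code from the IMSI-catcher project or from gr-gsm. It takes the three sample lines from the page as constructed input and decodes them using the standard field layouts of 3GPP TS 44.018 (RR message types, L2 pseudo length) and TS 24.008 (Mobile Identity, Location Area Identification); all function and constant names are our own. The trailing 0x2b bytes are the L2 fill pattern.

```python
"""Decode the three GSM L3 frames shown in the grgsm_livemon output above.

Added worked example (not project code). Input: the three hex lines from the
page, embedded below as a constructed capture. Field layouts follow 3GPP
TS 44.018 (RR messages) and TS 24.008 (Mobile Identity, LAI).
"""

# Constructed input: the three lines reproduced from the page's sample output.
CAPTURE = """\
15 06 21 00 01 f0 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
25 06 21 00 05 f4 f8 68 03 26 23 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
49 06 1b 95 cc 02 f8 02 01 9c c8 03 1e 57 a5 01 79 00 00 1c 13 2b 2b
"""

PD_RR = 0x06                 # Radio Resource management protocol discriminator
RR_SYSTEM_INFO_3 = 0x1B      # System Information Type 3 (sent on the BCCH)
RR_PAGING_REQUEST_1 = 0x21   # Paging Request Type 1 (sent on the PCH)

ID_TYPES = {0: "none", 1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}


def decode_mobile_identity(ie: bytes) -> dict:
    """Value part of a Mobile Identity IE (TS 24.008 section 10.5.1.4)."""
    first = ie[0]
    id_type = first & 0x07          # bits 3..1: type of identity
    odd = bool(first & 0x08)        # bit 4: odd number of BCD digits
    if id_type == 0:
        return {"type": "none"}
    if id_type == 4:                # TMSI is a 4-byte opaque value, not BCD
        return {"type": "TMSI", "value": "0x" + ie[1:5].hex()}
    digits = [f"{first >> 4:x}"]    # bits 8..5: first BCD digit
    for b in ie[1:]:
        digits.append(f"{b & 0x0F:x}")
        digits.append(f"{b >> 4:x}")
    if not odd:
        digits.pop()                # even count: last high nibble is 0xF filler
    return {"type": ID_TYPES.get(id_type, str(id_type)), "value": "".join(digits)}


def decode_lai(lai: bytes) -> dict:
    """Location Area Identification (TS 24.008 section 10.5.1.3)."""
    mcc = f"{lai[0] & 0xF:x}{lai[0] >> 4:x}{lai[1] & 0xF:x}"
    mnc3 = lai[1] >> 4              # 0xF marks a two-digit MNC
    mnc = f"{lai[2] & 0xF:x}{lai[2] >> 4:x}" + ("" if mnc3 == 0xF else f"{mnc3:x}")
    return {"mcc": mcc, "mnc": mnc, "lac": int.from_bytes(lai[3:5], "big")}


def decode_frame(line: str) -> dict:
    """Decode one 23-byte L3 frame given as a hex string."""
    raw = bytes.fromhex(line)
    body = raw[1:1 + (raw[0] >> 2)]  # octet 0 carries the L2 pseudo length in bits 8..3
    if body[0] & 0x0F != PD_RR:
        return {"msg": f"non-RR protocol discriminator 0x{body[0] & 0x0F:x}"}
    msg_type = body[1]
    if msg_type == RR_PAGING_REQUEST_1:
        id_len = body[3]             # Mobile Identity 1 is a length-prefixed (LV) element
        return {"msg": "Paging Request Type 1",
                "page_mode": body[2] & 0x03,
                "identity": decode_mobile_identity(body[4:4 + id_len])}
    if msg_type == RR_SYSTEM_INFO_3:
        return {"msg": "System Information Type 3",
                "cell_id": int.from_bytes(body[2:4], "big"),
                **decode_lai(body[4:9])}
    return {"msg": f"RR message type 0x{msg_type:02x}"}


def decode_capture(text: str) -> list:
    return [decode_frame(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for frame in decode_capture(CAPTURE):
        print(frame)
```

Run on the page's three lines, the decoder shows that the first frame is a Paging Request Type 1 carrying no identity, the second pages a subscriber by TMSI 0xf8680326 (a temporary identity, which is what a correctly behaving network should use), and the third is System Information Type 3 announcing cell 0x95cc in location area 412 of MCC 208 / MNC 20, i.e. Bouygues Telecom in France, which matches the Bouygues frequency mentioned below. The same Mobile Identity decoder handles the IMSI case (type 1) whenever a network pages by permanent identity instead of TMSI.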

Related documentation: https://fr.wikipedia.org/wiki/Global_System_for_Mobile_Communications

For example, in France the frequency 9.288e+08 Hz (928.8 MHz) belongs to Bouygues.

View the captured packets:

sudo wireshark -k -Y '!icmp && gsmtap' -i lo


Optional
Get information about the cell tower:

sudo python find_cell_id.py

Capture Immediate Assignment messages:

sudo python immediate_assignment_catcher.py


Finding the frequency
Besides the grgsm_scanner mentioned above, a tool such as kalibrate-hackrf can also find the frequencies of nearby base stations:

sudo apt-get install automake autoconf libhackrf-dev
git clone https://github.com/scateu/kalibrate-hackrf
cd kalibrate-hackrf/
./bootstrap
./configure
make
sudo make install

Run:

kal -s GSM900
kal: Scanning for GSM-900 base stations.
GSM-900:
  chan:   14 (937.8MHz + 10.449kHz)	power: 3327428.82
  chan:   15 (938.0MHz + 4.662kHz)	power: 3190712.41
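The kal output above reports each channel as an ARFCN (the "chan" number), the nominal carrier, a small kHz offset, and a power estimate. The offset is the difference between the carrier kal actually measured and the channel's nominal centre, so with a real base station it mostly reflects the SDR's crystal error; the strongest channel is the sensible one to pass to grgsm_livemon. The parser and ARFCN arithmetic below are an added example, not part of kalibrate-hackrf or IMSI-catcher. They take the two-channel scan from the page as constructed input and use the ARFCN-to-frequency formulas of 3GPP TS 45.005 for GSM 900 (P-GSM and the E-GSM extension) and DCS 1800; function names are our own. The E-GSM case is what makes the 928.8 MHz Bouygues carrier mentioned earlier resolvable: it lies below 935 MHz and maps to ARFCN 993.

```python
"""Parse kalibrate (kal) scan output and relate channels to GSM ARFCNs.

Added example, not part of kalibrate-hackrf or IMSI-catcher. Input is the
two-channel scan reproduced from the page (constructed). ARFCN formulas are
those of 3GPP TS 45.005 for GSM 900 (P-GSM, E-GSM) and DCS 1800.
"""
import re

# Constructed input: the kal scan shown on the page (fields are tab-separated).
KAL_OUTPUT = """\
kal: Scanning for GSM-900 base stations.
GSM-900:
  chan:   14 (937.8MHz + 10.449kHz)\tpower: 3327428.82
  chan:   15 (938.0MHz + 4.662kHz)\tpower: 3190712.41
"""

KAL_LINE = re.compile(
    r"chan:\s+(?P<chan>\d+)\s+\((?P<mhz>[\d.]+)MHz\s+(?P<sign>[+-])\s+"
    r"(?P<khz>[\d.]+)kHz\)\s+power:\s+(?P<power>[\d.]+)")


def downlink_khz(arfcn: int, band: str = "GSM900") -> int:
    """Nominal downlink carrier in kHz for an ARFCN (TS 45.005 section 2)."""
    if band == "GSM900":
        if 0 <= arfcn <= 124:        # P-GSM: uplink 890 + 0.2n MHz, downlink = uplink + 45 MHz
            return 935_000 + 200 * arfcn
        if 975 <= arfcn <= 1023:     # E-GSM extension: 925.2 .. 934.8 MHz downlink
            return 935_000 + 200 * (arfcn - 1024)
    if band == "DCS1800" and 512 <= arfcn <= 885:
        return 1_805_200 + 200 * (arfcn - 512)   # downlink = uplink + 95 MHz
    raise ValueError(f"ARFCN {arfcn} is not in band {band}")


def arfcn_for_downlink_khz(khz: int) -> tuple:
    """Inverse mapping: (band, ARFCN) for a nominal downlink frequency in kHz."""
    if 935_000 <= khz <= 959_800 and (khz - 935_000) % 200 == 0:
        return "GSM900", (khz - 935_000) // 200
    if 925_200 <= khz < 935_000 and (khz - 935_000) % 200 == 0:
        return "GSM900", 1024 + (khz - 935_000) // 200
    if 1_805_200 <= khz <= 1_879_800 and (khz - 1_805_200) % 200 == 0:
        return "DCS1800", 512 + (khz - 1_805_200) // 200
    raise ValueError(f"{khz} kHz is not a GSM 900 / DCS 1800 downlink carrier")


def parse_kal(text: str) -> list:
    """One dict per scanned channel: ARFCN, measured carrier, offset, power."""
    channels = []
    for m in KAL_LINE.finditer(text):
        arfcn = int(m["chan"])
        offset_hz = round(float(m["khz"]) * 1000) * (1 if m["sign"] == "+" else -1)
        measured_hz = round(float(m["mhz"]) * 1_000_000) + offset_hz
        channels.append({
            "arfcn": arfcn,
            "measured_hz": measured_hz,
            # distance of the measured carrier from the nominal ARFCN centre;
            # with a real base station this is mostly the SDR's crystal error
            "offset_hz": measured_hz - downlink_khz(arfcn) * 1000,
            "power": float(m["power"]),
        })
    return channels


def strongest(channels: list) -> dict:
    return max(channels, key=lambda c: c["power"])


def livemon_arg(channel: dict) -> str:
    """The -f value for grgsm_livemon, at the nominal centre of the channel."""
    return f"{downlink_khz(channel['arfcn']) / 1000:.1f}M"


if __name__ == "__main__":
    scan = parse_kal(KAL_OUTPUT)
    for c in scan:
        print(c)
    print("grgsm_livemon -f", livemon_arg(strongest(scan)))
```

For the page's scan this selects ARFCN 14 (937.8 MHz) with a measured offset of 10449 Hz, and the same arithmetic confirms that the 938.2M value used in the grgsm_livemon examples is ARFCN 16. Nominal centres are used for the -f argument because gr-gsm corrects the residual offset itself; if the offsets kal reports are consistently large, that is a sign the dongle's ppm correction needs adjusting.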

Reference materials:

gr-gsm setup: https://github.com/ptrkrysik/gr-gsm/wiki/Installation

Frequencies: http://www.worldtimezone.com/gsm.html, https://fr.wikipedia.org/wiki/Global_System_for_Mobile_Communications

MNC: https://en.wikipedia.org/wiki/Mobile_Network_Code

Scapy: http://secdev.org/projects/scapy/doc/usage.html

IMSI: https://fr.wikipedia.org/wiki/IMSI

Realtek RTL2832U: https://osmocom.org/projects/sdr/wiki/rtl-sdr, http://doc.ubuntu-fr.org/rtl2832u, http://doc.ubuntu-fr.org/rtl-sdr
