GSM IMSI-Catcher
Summary
This article explains how to build a GSM IMSI-catcher with the HackRF One software-defined radio (SDR).
Requirements
- Operating system: Ubuntu 20.04 LTS (Focal Fossa) only
- Packages: git, Wireshark
- SDR HackRF One
Description
Installation of the necessary tools
(Do not use any other OS than Ubuntu 20.04 LTS (Focal Fossa)!!!)
Enter these commands in the shell:
git clone https://github.com/Oros42/IMSI-catcher.git
cd IMSI-catcher
sudo apt install python3-numpy python3-scipy python3-scapy
sudo apt-get install -y cmake autoconf libtool pkg-config build-essential python-docutils libcppunit-dev swig doxygen liblog4cpp5-dev gnuradio-dev gr-osmosdr libosmocore-dev liborc-0.4-dev
git clone -b maint-3.8 https://github.com/velichkov/gr-gsm.git
cd gr-gsm
mkdir build
cd build
cmake ..
make -j 4
sudo make install
sudo ldconfig
echo 'export PYTHONPATH=/usr/local/lib/python3/dist-packages/:$PYTHONPATH' >> ~/.bashrc
IMSI catching in action
Now that all the necessary tools are installed, the first thing to do is connect the HackRF One to the computer. If you are using a VM, make sure the USB device is passed through to the VM.
It is recommended to start each tool in a separate terminal!
First, start
grgsm_scanner
grgsm_scanner is used to perform a GSM frequency channel scan to identify active frequencies in a given area.
This should now list the active frequencies that can be received at the current location.
Then start grgsm_livemon with one of the frequencies that has just been discovered in the previous step.
grgsm_livemon -f <Frequency scanned with grgsm_scanner>
grgsm_livemon is used for capturing and analyzing GSM signals on a specific frequency using a software-defined radio (SDR), in this case the HackRF One.
This should now open a GUI displaying the received signal, and the terminal should show the incoming hex values decoded by the SDR.
Next up is simple_IMSI-catcher.py. This is a handy script which takes the incoming radio stream from grgsm_livemon, decodes it and extracts the most important information. It lists all the information in a nicely formatted table. It can take a minute until something is displayed. If the script does not display anything, simply restart a) the script, b) livemon, c) both, or pick another frequency.
There is one extra step that can be done to display extra information; for that, enter:
sudo wireshark -k -Y '!icmp && gsmtap' -i lo
This command starts Wireshark capturing immediately (-k) on the loopback interface (-i lo), which is where grgsm_livemon delivers the decoded frames, with a display filter (-Y) that shows only GSMTAP packets and hides ICMP. GSMTAP is a format used for carrying GSM protocol messages captured on the air interface. It is a simple protocol that encapsulates each GSM message, together with a small header (channel type, timeslot, ARFCN, signal level, frame number), inside a UDP packet.
Wireshark should now list all GSMTAP packets in real time, giving more information about the transmissions received by the connected SDR.
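To see what the GSMTAP packets shown by Wireshark actually carry, the following added example (not part of this page or of either repository) parses the fixed GSMTAP v2 header that grgsm_livemon puts in front of every decoded frame, using the field layout from libosmocore's gsmtap.h. The sample packet is constructed inline; its 23-byte payload is a placeholder, not a real captured frame.

```python
import struct

# GSMTAP v2 header layout (libosmocore gsmtap.h), network byte order:
# version, hdr_len (in 32-bit words), type, timeslot, arfcn (+flags),
# signal_dbm, snr_db, frame_number, sub_type, antenna_nr, sub_slot, res
GSMTAP_HDR = struct.Struct("!BBBBHbbIBBBB")   # 16 bytes
GSMTAP_UDP_PORT = 4729                        # default port used on lo
GSMTAP_ARFCN_F_PCS = 0x8000
GSMTAP_ARFCN_F_UPLINK = 0x4000
GSMTAP_ARFCN_MASK = 0x3FFF

TYPES = {0x01: "UM", 0x02: "ABIS", 0x03: "UM_BURST"}
# Logical channel names used in the sub_type field for type UM
UM_CHANNELS = {0x00: "UNKNOWN", 0x01: "BCCH", 0x02: "CCCH", 0x03: "RACH",
               0x04: "AGCH", 0x05: "PCH", 0x06: "SDCCH", 0x07: "SDCCH4",
               0x08: "SDCCH8", 0x09: "TCH_F", 0x0A: "TCH_H", 0x0B: "PACCH",
               0x0C: "CBCH52", 0x0D: "PDCH", 0x0E: "PTCCH", 0x0F: "CBCH51"}


def parse_gsmtap(packet: bytes) -> dict:
    """Split one GSMTAP UDP payload into its header fields and GSM payload."""
    if len(packet) < GSMTAP_HDR.size:
        raise ValueError("packet shorter than a GSMTAP header")
    (ver, hdr_words, typ, ts, arfcn_raw, signal, snr, fn,
     sub_type, _ant, sub_slot, _res) = GSMTAP_HDR.unpack_from(packet)
    if ver != 2:
        raise ValueError(f"unsupported GSMTAP version {ver}")
    hdr_len = hdr_words * 4           # header length is given in 32-bit words
    if hdr_len < GSMTAP_HDR.size or hdr_len > len(packet):
        raise ValueError("bad GSMTAP header length")
    channel = UM_CHANNELS.get(sub_type, f"0x{sub_type:02x}") if typ == 0x01 else sub_type
    return {
        "type": TYPES.get(typ, f"0x{typ:02x}"),
        "timeslot": ts,
        "arfcn": arfcn_raw & GSMTAP_ARFCN_MASK,
        "uplink": bool(arfcn_raw & GSMTAP_ARFCN_F_UPLINK),
        "pcs": bool(arfcn_raw & GSMTAP_ARFCN_F_PCS),
        "signal_dbm": signal,
        "snr_db": snr,
        "frame_number": fn,
        "channel": channel,
        "sub_slot": sub_slot,
        "payload": packet[hdr_len:],  # the L2/L3 GSM message itself
    }


# Constructed sample: downlink BCCH frame on ARFCN 20, timeslot 0, -60 dBm.
SAMPLE = GSMTAP_HDR.pack(2, 4, 0x01, 0, 20, -60, 10, 123456, 0x01, 0, 0, 0) + bytes(23)

if __name__ == "__main__":
    print(parse_gsmtap(SAMPLE))
```

Feeding it the UDP payloads read from port 4729 on lo gives the same header fields Wireshark decodes, which is useful for checking which channel and ARFCN each displayed frame belongs to.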
Used Hardware
HackRF One Software Defined Radio (SDR)
References
https://github.com/velichkov/gr-gsm.git
https://github.com/Oros42/IMSI-catcher