Big update :-)

This commit is contained in:
Oros 2016-09-29 15:53:56 +02:00
parent 049a256016
commit 1ec3bae89e
3 changed files with 94 additions and 68 deletions

View file

@ -9,24 +9,17 @@ This program shows you IMSI numbers of cellphones around you.
What you need
=============
1 PC with more than 3Go of RAM * to compile gr-gsm
1 PC
1 USB DVB-T key (RTL2832U) with antenna (less than 15$)
\* *On EEEPC 1000H with 2Go of RAM and 2Go of swap, compiling take 1 day.*
Setup
=====
```
cd /tmp
sudo apt-get install git python-scapy python-pip
sudo pip install PyBOMBS
sudo pybombs prefix init /usr/local -a default_prx
sudo pybombs config default_prefix default_prx
sudo pybombs recipes add gr-recipes git+https://github.com/gnuradio/gr-recipes.git
sudo pybombs recipes add gr-etcetera git+https://github.com/gnuradio/gr-etcetera.git
sudo pybombs install gr-gsm
sudo ldconfig
sudo add-apt-repository -y ppa:ptrkrysik/gr-gsm
sudo apt update
sudo apt install gr-gsm python-numpy python-scipy python-scapy
```
Run

Binary file not shown.

Before

Width:  |  Height:  |  Size: 115 KiB

After

Width:  |  Height:  |  Size: 141 KiB

147
simple_IMSI-catcher.py Executable file → Normal file
View file

@ -1,7 +1,8 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Author: Oros
# 2015/06/03
# Contributor : puyoulu
# 2016/09/29
# License : CC0 1.0 Universal
"""
@ -12,21 +13,15 @@ This program shows you IMSI numbers of cellphones around you.
What you need :
1 PC with more than 3Go of RAM to compile gr-gsm
1 PC
1 USB DVB-T key (RTL2832U) with antenna (less than 15$)
Setup :
cd /tmp
sudo apt-get install git python-scapy python-pip
sudo pip install PyBOMBS
sudo pybombs prefix init /usr/local -a default_prx
sudo pybombs config default_prefix default_prx
sudo pybombs recipes add gr-recipes git+https://github.com/gnuradio/gr-recipes.git
sudo pybombs recipes add gr-etcetera git+https://github.com/gnuradio/gr-etcetera.git
sudo pybombs install gr-gsm
sudo ldconfig
sudo add-apt-repository -y ppa:ptrkrysik/gr-gsm
sudo apt update
sudo apt install gr-gsm python-numpy python-scipy python-scapy
Run :
@ -61,11 +56,13 @@ Realtek RTL2832U : http://doc.ubuntu-fr.org/rtl2832u and http://doc.ubuntu-fr.or
"""
from scapy.all import sniff
import json
imsis=[]
def show_imsi(imsi):
cpt=1
def show_imsi(imsi, p):
global imsis
global cpt
new_imsi=''
for a in imsi:
c=hex(ord(a))
@ -73,56 +70,92 @@ def show_imsi(imsi):
new_imsi+=str(c[3])+str(c[2])
else:
new_imsi+=str(c[2])+"0"
new_imsi=new_imsi[1:4]+" "+new_imsi[4:6]+" "+new_imsi[6:11]+" "+new_imsi[11:]
if new_imsi not in imsis:
imsis.append(new_imsi)
print(new_imsi)
mcc=new_imsi[1:4]
mnc=new_imsi[4:6]
m=""
if mcc in mcc_codes:
if mnc in mcc_codes[mcc]['MNC']:
# m=" : "+country+", "+brand+" - "+operator
m=" ; "+mcc_codes[mcc]['c'][0]+" ; "+mcc_codes[mcc]['MNC'][mnc][0]+" ; "+mcc_codes[mcc]['MNC'][mnc][1]
new_imsi=mcc+" "+mnc+" "+new_imsi[6:]
elif mnc+"0" in mcc_codes[mcc]['MNC']:
mnc+="0"
# m=" : "+country+", "+brand+" - "+operator
m=" ; "+mcc_codes[mcc]['c'][0]+" ; "+mcc_codes[mcc]['MNC'][mnc][0]+" ; "+mcc_codes[mcc]['MNC'][mnc][1]
new_imsi=mcc+" "+mnc+" "+new_imsi[7:]
else:
print("Error : ",p)
print(str(cpt)+" ; "+new_imsi+m)
cpt+=1
def find_imsi(x):
p=str(x)
"""
if p[58:][:2] != '\x01+':
# if not (CCCH) (SS)
# GSM CCCH
l2_pseudo_len=p[58]
if p[80] != '\x2b' and p[80] != '\x00' and p[80] != '\x4b' and p[80] != '\xc0':
if l2_pseudo_len=='\x55' and p[71:][:2] == '\x08\x29':
# if IMSI
show_imsi(p[72:][:8])
elif l2_pseudo_len=='\x59' and p[62:][:2] == '\x08\x29':
# if IMSI
show_imsi(p[63:][:8])
if p[72:][:2] == '\x08\x29':
# if IMSI 2
show_imsi(p[73:][:8])
"""
# https://github.com/ptrkrysik/gr-gsm/wiki/Installation
# sudo grgsm_scanner -v -b P-GSM
# sudo grgsm_livemon -f 944200000
# works in China
# Channel Type: CCCH (2)
if ord(p[0x36]) == 0x2:
# Message Type: Paging Request Type 1
if ord(p[0x3c]) == 0x21:
# Channel 1: TCH/F (Full rate) (2)
if ord(p[0x3d]) == 0x20:
if ord(p[0x3c]) == 0x21: # Message Type: Paging Request Type 1
if ord(p[0x3e]) == 0x08 and (ord(p[0x3f]) & 0x1) == 0x1: # Channel 1: TCH/F (Full rate) (2)
# Mobile Identity 1 Type: IMSI (1)
if ord(p[0x3e]) == 0x08 and (ord(p[0x3f]) & 0x1) == 0x1:
show_imsi(p[0x3f:][:8])
# Channel 1: TCH/F (Full rate) (2)
# Channel 2: TCH/F (Full rate) (2)
if ord(p[0x3d]) == 0xa0:
# Mobile Identity 1 Type: IMSI (1)
if ord(p[0x3e]) == 0x08 and (ord(p[0x3f]) & 0x1) == 0x1:
show_imsi(p[0x3f:][:8])
# Mobile Identity 2 Type: IMSI (1)
if ord(p[0x45]) == 0x08 and (ord(p[0x46]) & 0x1) == 0x1:
show_imsi(p[0x46:][:8])
# Message Type: Paging Request Type 2
elif ord(p[0x3c]) == 0x22:
# Mobile Identity 3 Type: IMSI (1)
if ord(p[0x47]) == 0x08 and (ord(p[0x48]) & 0x1) == 0x1:
show_imsi(p[0x48:][:8])
"""
0000 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00
0010 00 43 1c d4 40 00 40 11 1f d4 7f 00 00 01 7f 00
0020 00 01 c2 e4 12 79 00 2f fe 42 02 04 01 00 00 00
0030 c9 00 00 16 21 26 02 00 07 00 31 06 21 00 08 XX
0040 XX XX XX XX XX XX XX 2b 2b 2b 2b 2b 2b 2b 2b 2b
0050 2b
XX XX XX XX XX XX XX XX = IMSI
"""
show_imsi(p[0x3f:][:8], p)
# ord(p[0x3a]) == 0x59 = l2 pseudo length value: 22
if ord(p[0x3a]) == 0x59 and ord(p[0x48]) == 0x08 and (ord(p[0x49]) & 0x1) == 0x1: # Channel 2: TCH/F (Full rate) (2)
# Mobile Identity 2 Type: IMSI (1)
"""
0000 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00
0010 00 43 90 95 40 00 40 11 ac 12 7f 00 00 01 7f 00
0020 00 01 b4 1c 12 79 00 2f fe 42 02 04 01 00 00 00
0030 c8 00 00 16 51 c6 02 00 08 00 59 06 21 00 08 YY
0040 YY YY YY YY YY YY YY 17 08 XX XX XX XX XX XX XX
0050 XX
YY YY YY YY YY YY YY YY = IMSI 1
XX XX XX XX XX XX XX XX = IMSI 2
"""
show_imsi(p[0x49:][:8], p)
elif ord(p[0x45]) == 0x08 and (ord(p[0x46]) & 0x1) == 0x1: # Channel 2: TCH/F (Full rate) (2)
# Mobile Identity 2 Type: IMSI (1)
"""
0000 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00
0010 00 43 57 8e 40 00 40 11 e5 19 7f 00 00 01 7f 00
0020 00 01 99 d4 12 79 00 2f fe 42 02 04 01 00 00 00
0030 c7 00 00 11 05 99 02 00 03 00 4d 06 21 00 05 f4
0040 yy yy yy yy 17 08 XX XX XX XX XX XX XX XX 2b 2b
0050 2b
yy yy yy yy = TMSI/P-TMSI - Mobile Identity 1
XX XX XX XX XX XX XX XX = IMSI
"""
show_imsi(p[0x46:][:8], p)
elif ord(p[0x3c]) == 0x22: # Message Type: Paging Request Type 2
if ord(p[0x47]) == 0x08 and (ord(p[0x48]) & 0x1) == 0x1: # Mobile Identity 3 Type: IMSI (1)
"""
0000 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00
0010 00 43 1c a6 40 00 40 11 20 02 7f 00 00 01 7f 00
0020 00 01 c2 e4 12 79 00 2f fe 42 02 04 01 00 00 00
0030 c9 00 00 16 20 e3 02 00 04 00 55 06 22 00 yy yy
0040 yy yy zz zz zz 4e 17 08 XX XX XX XX XX XX XX XX
0050 8b
yy yy yy yy = TMSI/P-TMSI - Mobile Identity 1
zz zz zz zz = TMSI/P-TMSI - Mobile Identity 2
XX XX XX XX XX XX XX XX = IMSI
"""
show_imsi(p[0x48:][:8], p)
# mcc codes form https://en.wikipedia.org/wiki/Mobile_Network_Code
with open('mcc-mnc/mcc_codes.json') as file:
mcc_codes = json.load(file)
print("cpt ; IMSI ; country ; brand ; operator")
sniff(iface="lo", filter="port 4729 and not icmp and udp", prn=find_imsi, store=0)