Accelerate3g5 -- blobb » History » Version 51
blobb, 04/20/2017 11:58 PM
h1. Accelerate3g5 -- blobb

h2. Summary

Trying to come up with a fuzzing interface.

h3. Participants

* André Boddenberg (email: dr.blobb@gmail.com)

h2. Details

First setting up the femtocell and understanding the basics of UMTS communication. (almost done, data!)
Collecting information, e.g. slides, talks and docs about fuzzing of wireless protocols. (done)
Writing some code to craft requests and run fuzz tests against the subscriber. (tbd)

Note: first time fuzzing.

h2. Test devices

TD1: Samsung Galaxy S5 Mini (G800F)
OS: LineageOS 14.1 (Android 7.1.1)
BB: G800FXXU1BPC3
SIM: MicroSIM

TD2: LG Nexus 5 (hammerhead)
OS: Android Marshmallow (6.0)
BB: M48974A-2.0.50.2.27
SIM: MicroSIM

TD3: HTC One M9
OS: Android Lollipop (5.1)
BB: 01.04_U11440601_71.02.50709G_F
SIM: NanoSIM (cut-down MicroSIM)

h2. Journal

+_2017-03-07_+
Pick up package at Sysmocom office.
Having an informative conversation with Neels about Jenkins, Docker and build artifacts.

+_2017-03-12_+
Set up wiki page.
Seeing femtocell on network interface.
Compiled source as described, but couldn't configure/launch CN successfully (yet).
Next time will try Neels' launch script and same IP range.

+_2017-03-15_+
Reading "data sheet [overview]":http://www.ipaccess.com/uploads/wysiwyg_editor/files/2017/S8_S16-Datasheet-v1.0.pdf and "data sheet [details]":https://fccid.io/pdf.php?id=1462491 about ip.access nano3G S8.
Configuring femtocell via telnet (dry run).
Running into the HLR issue mentioned in the wiki when invoking run.sh.

+_2017-04-02_+
Collecting input about fuzzing:

papers/theses:
>"SMS Fuzzing - SIM Toolkit Attack - B. Alecu, DEF CON 21 2013":https://www.defcon.org/images/defcon-21/dc-21-presentations/Alecu/DEFCON-21-Bogdan-Alecu-Attacking-SIM-Toolkit-with-SMS-WP.pdf
>"SMS Vulnerability Analysis on Feature Phones - N. Golde, 2011":http://www.isti.tu-berlin.de/fileadmin/fg214/finished_theses/NicoGolde/diplom_golde.pdf
>"Fuzzing the GSM Protocol - B. Hond, master thesis 2011":http://www.ru.nl/publish/pages/769526/scriptie-brinio-final-brinio_hond.pdf

talks:
>"SMS Fuzzing - SIM Toolkit Attack - B. Alecu, DeepSec 2011":http://www.securitytube.net/video/2518
>"Using OpenBSC for fuzzing of GSM handsets - H. Welte, 26C3 2009":http://mirror.fem-net.de/CCC/26C3/mp4/26c3-3535-en-using_openbsc_for_fuzzing_of_gsm_handsets.mp4

slides:
>"MobiDeke: Fuzzing the GSM Protocol Stack - S. Dudek & G. Delugré, hack.lu 2012":http://archive.hack.lu/2012/Fuzzing_The_GSM_Protocol_Stack_-_Sebastien_Dudek_Guillaume_Delugre.pdf
>"Base Jumping - Attacking the GSM BB and BTS - grugq, 2010":http://conference.hackinthebox.org/hitbsecconf2010kul/materials/D2T1%20-%20The%20Grugq%20-%20Attacking%20GSM%20Basestations.pdf
>"Fuzzing your GSM phone - Harald Welte, 26C3 2009":https://events.ccc.de/congress/2009/Fahrplan/attachments/1503_openbsc_gsm_fuzzing.pdf
>"Fuzzing the Phone in your Phone - C. Miller & C. Mulliner, Black Hat 2009":https://engineering.purdue.edu/dcsl/reading/2011/jevin-fuzzing.pdf
>"Injecting SMS Messages into Smart Phones for Security Analysis - C. Mulliner, 2009":https://www.mulliner.org/security/sms/feed/injecting_sms_mulliner_miller.pdf
>"Security Testing esp. Fuzzing - E. Poll, ????":https://www.cs.ru.nl/E.Poll/ss/slides/12_Fuzzing.pdf

+_2017-04-19_+
Resolving HLR issue and setting correct IPs in "*.cfg files":https://osmocom.org/attachments/download/2559/3G-config-example-v3.tar.
hNodeB connects to osmo-hnbgw, but no UE is connecting to it [issue -> unable to resolve DNS record lookup of 0.ipaccess.pool.ntp.org].
Adding SIM cards to hlr.db after creating the db successfully [thanks to "andreas":https://osmocom.org/projects/cellular-infrastructure/wiki/Accelerate3g5_--_andreas].

+_2017-04-20_+
Rebuild with correct branch/tag (openbsc:vlr_3G, libosmo-sccp:old_sua).
Attach "build_3G_ipaccess.sh":https://osmocom.org/attachments/download/2602/build_3G_ipaccess.sh (adapted from "build_2G.sh":https://osmocom.org/attachments/download/2438/build_2G.sh).

TD1 and TD2 *successfully connected* to femtocell!!! *\o/*
TD3 gets an IP address but cannot be called. *TODO*: investigate with wireshark
Voice calls work (TD1->TD2, TD2->TD1). *TODO*: test SMS
Data is not working. *TODO*: make it work =)

h2. Conclusions

- UEs are connecting and voice calls are working.
>- network LED does not indicate whether an IP has been assigned by the DHCP server.
>- umts LED does indicate whether the cell is connected to the hnbgw, etc.