romankh / gsm-assessment-toolkit Goto Github PK

Allow aliases for commands, i.e. exit could be an alias for quit

• support start ciphering messages
• analyze channel type (BCCH, BCCH/SDCCH, SDCCH8,....)
• analyze system info (MCC, MNC, LAC, LAI, etc)

To allow reuse of flowgraphs:

• create a separate package for flowgraphs
• put all flowgraphs there

Hi, im always encountering this exception everytime im trying to use the kraken module. is it because of my setup or a bug?

Here's my GAT output:

gat > analyze immediate --bursts /tmp/sample.bursts -m BCCH_SDCCH4
FNR  TYPE  TIMESLOT  TIMING ADVANCE  SUBCHANNEL HOPPING

==============================================================================
| FNR      | TYPE     | TIMESLOT  | TIMING ADVANCE  | SUBCHANNEL  | HOPPING  |
==============================================================================
| 1178789  | SDCCH/8  | 1         | 1               | 0           | N        |
------------------------------------------------------------------------------

gat > analyze cipher --bursts /tmp/sample.bursts -m SDCCH8 -t 1
CMCs:
Framenumber: 1178967   A5/1

gat > a51_kraken --bursts /tmp/sample.bursts --frame-cmc 1178967 -m SDCCH8 -t 1 -v
Cipher Mode Command at 1178967
Using SDCCH message bursts 1179018 - 1179022
Using SDCCH message bursts 1179069 - 1179073
Using SDCCH message bursts 1179120 - 1179124
Using SDCCH message bursts 1179171 - 1179175
ERROR: unhandled exception in Plugin command a51_kraken.
Message was:

gat >

Here's the output from my kraken server:

Allocated 41281052 bytes: ../indexes//250.idx
Allocated 41274520 bytes: ../indexes//124.idx
Tables: 132,324,364,388,268,148,260,156,164,356,348,436,172,500,180,372,428,188,492,196,140,420,204,212,292,412,220,396,100,230,340,380,404,108,238,116,332,276,250,124
Commands are: crack test quit
Cracking 110001011001011010011001101000001101100001101001001100001101011101101100011100010011011100001100011100111110001110
crack #0 took 163580 msec
Cracking 110010001000001000001111001011101101000110000100011111011111111011011111001011111111100010001000010001001111101011
crack #1 took 163804 msec
Cracking 111000110011111001001110101011001100001101011001000111101001000101000001000001110110001110101110001010010110011010
crack #2 took 163345 msec
Cracking 001111111010011010010111011100100110000110001000101010010101000100111011010101000001000000010111111110010010011100
crack #3 took 163770 msec
Cracking 100101110000000011110011111011111001111011100110100111110011110011101010111110101100011101101001111000011111011101
crack #4 took 162527 msec
Cracking 111110011100001100111110001101110011011000100001101110000011111100111010011001111000011011110111010010110101110010
crack #5 took 162704 msec
Cracking 110000001011111001111000110100000110001010000111011011110101100101101101001111111110111101111100111111101111110001
crack #6 took 163333 msec
Cracking 111111101000001001011101001011110001010001011000110011110111000001010010000011011100011010100011110010100001101001
crack #7 took 163828 msec
Cracking 011110001110101001011111101111001010011100011001001000101000110110010001110010010100011000100110000010111110001101
crack #8 took 164285 msec
Cracking 100100100001011010111001110000111100000110101110111010111101010111001100111001001011111000101001000011010011111010
crack #9 took 162402 msec
Cracking 000011000111100111111001111001110001100011001110000111011100111110100010101011100000110001100011111010010000000000
crack #10 took 163272 msec
Cracking 110010110110100110000011000101011001000000110111001110101011000000100111001000000001111011010010000101110010101000
crack #11 took 163199 msec
Cracking 101011011000100110100001001001111101111111001111001101000000001110010010001100011100111100001101000100001111110110
crack #12 took 162164 msec

Im thinking if its just throwing an unhandled exception if a potential key is not found after testing all possible frame numbers. I really have no idea. Thanks a lot.

HNC

Hello, I appreciate your work but when i run ./gat.py on Ubuntu or Kali Linux, i have this problem that i can't solve for now :

Traceback (most recent call last):
File "./gat.py", line 19, in
conf = ConfigProvider()
File "/home/utilisateur/Téléchargements/gsm-assessment-toolkit-master/core/common/config.py", line 36, in init
self.sessions_dir = expanduser(self.get('gat', 'usersessions'))
File "/home/utilisateur/Téléchargements/gsm-assessment-toolkit-master/core/common/config.py", line 55, in get
return self.__config.get(section, option)
File "/usr/lib/python2.7/ConfigParser.py", line 607, in get
raise NoSectionError(section)
ConfigParser.NoSectionError: No section: 'gat'

(I already use gr-gsm, python, pip correctly)

Thank you in advance

We need a plugin that can convert cfile captures into a burst file

gat > decode --bursts test -t 7 -m SDCCH8
 ERROR: unhandled exception in Plugin command decode.
 Message was:_

This is the first one, with all the python dependencies installed, tried on both Debian an Arch, same error. And besides that if I decode a bursts file outside of gat.py I can see a lot if IAs in it, but the analyze subcommand doesn't show any of them, even with -t 0 and -m BCCH_SDCCH4 specified.
I remember this toolkit worked like a few months ago. Now it is the only way to capture bursts files with gr-gsm instead of large cfiles, so please keep at least that part working. But I think it should be a lot more than that. Some people only realize a vulnerability if a public working automated exploit exists and this was a good way to show people gsm isn't really secure. Please fix it if you have time.

what am i doing wrong
gat > scan_rtlsdr -b GSM900 -g 40
ERROR: unhandled exception in Plugin command scan_rtlsdr.
Message was: arfcn2downlink() takes exactly 1 argument (2 given)

Move TMSI extraction to analysis into a separate subcommand

CMC analysis outputs a lot of false framenumbers as CMCs

Hi,
I use grgsm_capture and grgsm_decode
with my RTL2838U and everything is Ok and work correctly.
but in your program, none of the commands run !!

gat > scan_rtlsdr -b P-GSM -v
show nothing ...

I make a cfile with grgsm_capture and
I tried to decode it with your program

gat > decode -f 936e6 --cfile /root/test.cfile -m BCCH -t 0
ERROR: unhandled exception in Plugin command decode.
Message was: 'NoneType' object has no attribute 'get_bands'

gat > decode -b P-GSM -a 5 --cfile /root/test.cfile -m BCCH -t 0
ERROR: unhandled exception in Plugin command decode.
Message was: 'int' object has no attribute 'is_valid_arfcn'

gat > decode -b P-GSM --cfile /root/test.cfile -m BCCH -t 0
and last command shows nothing in wireshark ...

Also Capture dosen't work

gat > capture_rtlsdr -b P-GSM -a 5 --cfile /root/test.cfile --length 20
gr-osmosdr 0.1.4 (0.1.4) gnuradio 3.7.11
built-in source types: file osmosdr fcd rtl rtl_tcp uhd miri hackrf bladerf rfspace airspy airspyhf soapy redpitaya freesrp
Cannot connect to server socket err = No such file or directory
Cannot connect to server request channel
jack server is not running or cannot be started
JackShmReadWritePtr::~JackShmReadWritePtr - Init not done for 4294967295, skipping unlock
JackShmReadWritePtr::~JackShmReadWritePtr - Init not done for 4294967295, skipping unlock
Using device #0 Realtek RTL2838UHIDIR SN: 00000001
Detached kernel driver
Found Rafael Micro R820T tuner
[R82XX] PLL not locked!
Exact sample rate is: 2000000.052982 Hz
[R82XX] PLL not locked!

and It make a test.cfile that neither open with
grgsm_decoder nor decode in gat !!

Thanks.

Replace the external dependency by porting the functionality into the framework

error with capture_rtlsdr -b P-GSM -a 23 --bursts /tmp/23.bursts --length 120 --print-bursts

ERROR: unhandled exception in Plugin command capture_rtlsdr.
Message was:

nothing else

any idea

Currently the capture plugin only supports rtl-sdr.
Support for more devices would be great

• Integrate https://github.com/romankh/mcc-mnc-parser
• Implement plugin for dispaying country / operator info for MCC / MNC