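Chinese: A GSM SMS base station experiment based on OpenBTS
The setup tutorial is omitted (a quick search turns up plenty). This is a long-running post that I will fill in gradually; I am not a telecom major, so please forgive the parts that are poorly written.
In 2020 I left a big post unfinished, see: https://iloli.moe/studying/202011043154.html. I happen to have time lately, so I can finally fill it in.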
Pre
- Ubuntu 20.04.03 (LTS)
- a53
- osmocom-bb
- an ARM cross-compilation environment must be configured
- libosmocore
- libosmo-dsp
- libtalloc-dev (lib talloc)
- OpenBTS 2.8p
For details of the osmocom-bb branches, see Branches – OsmocomBB – Open Source Mobile Communications
The branch used here is
sylvain/testing
It is possible to turn Calypso based phone into a small BTS. The transceiver application and corresponding firmware should be used in OpenBTS or OsmoBTS setup. See CalypsoBTS for details.
Dependencies required by osmocom-bb
libtalloc-dev libtirpc-dev libfftw3-3 libfftw3-dev libfftw3-doc autoconf libtool libosip2-dev libortp-dev libusb-1.0-0-dev g++ sqlite3 libsqlite3-dev erlang libreadline6-dev libncurses5-dev libtool shtool autoconf git-core pkg-config make gcc libpcsclite-dev gnutls-dev libmnl-dev libsctp-dev
If the following error appears
/root/gsm_openbts/osmocom-bb/src/target/firmware/include/stdint.h:32:23: error: conflicting types for ‘int64_t’
   32 | typedef long long int int64_t;
      |                       ^~~~~~~
In file included from /usr/include/stdint.h:34,
                 from /usr/lib/gcc/x86_64-linux-gnu/9/include/stdint.h:9,
                 from /root/gsm_openbts/osmocom-bb/src/target/firmware/include/stdint.h:19,
                 from ../../include/osmocom/core/signal.h:4,
                 from ../../src/signal.c:21:
/usr/include/x86_64-linux-gnu/bits/stdint-intn.h:27:19: note: previous declaration of ‘int64_t’ was here
   27 | typedef __int64_t int64_t;
      |                   ^~~~~~~
In file included from ../../include/osmocom/core/signal.h:4,
                 from ../../src/signal.c:21:
/root/gsm_openbts/osmocom-bb/src/target/firmware/include/stdint.h:33:32: error: conflicting types for ‘uint64_t’
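Open osmocom-bb/src/target/firmware/include/stdint.h
and modify it as shown in the figure below
After the change, run ./configure and then make.
In short: set up the ARM cross-compilation environment, build libosmocore and libosmo-dsp, and then set up OpenBTS.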
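Put simply, a fake base station works like this: criminals use black-market equipment to imitate the signal of nearby base stations, and by hijacking information such as the IMEI (International Mobile Subscriber Identity) they can launch a series of attacks through the phone's IMEI.
Making the BTS support sending Chinese messages
See the paper “OpenBTS for dummies” by Axelle Apvrille
By default OpenBTS does not support sending Chinese; if you force it, the text comes out garbled.
To make OpenBTS send Chinese you have to modify the source code yourself: open the file /OpenBTS/CLI/CLI.cpp and add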
https://github.com/fairwaves/openbts-2.8/commit/faf14b0e9ad4673b64d28e2038bdab90d69fcefb
/** Submit an SMS for delivery to an IMSI. */
int sendsmspdu(int argc, char** argv, ostream& os)
{
	if (argc<4) return BAD_NUM_ARGS;

	char *IMSI = argv[1];
	char *srcAddr = argv[2];
	// Join the remaining arguments into one PDU string, without separators.
	string rest = "";
	for (int i=3; i<argc; i++) rest = rest + argv[i]; //+ " ";
	const char *txtBuf = rest.c_str();

	if (!isIMSI(IMSI)) {
		os << "Invalid IMSI. Enter 15 digits only.";
		return BAD_VALUE;
	}

	Control::TransactionEntry *transaction = new Control::TransactionEntry(
		gConfig.getStr("SIP.Proxy.SMS").c_str(),
		GSM::L3MobileIdentity(IMSI),
		NULL,
		GSM::L3CMServiceType::MobileTerminatedShortMessage,
		GSM::L3CallingPartyBCDNumber(srcAddr),
		GSM::Paging, txtBuf);
	// Mark the body as a 3GPP SMS PDU rather than plain text.
	transaction->messageType("application/vnd.3gpp.sms");
	Control::initiateMTTransaction(transaction,GSM::SDCCHType,30000);
	os << "message submitted for delivery" << endl;
	return SUCCESS;
}
and
addCommand("sendsmspdu", sendsmspdu, "IMSI src# PDU message... -- send PDU SMS to IMSI, addressed from source number src#.");
After that, just write a simple PDU script; you can adapt python-smspdu for this.
This sends an SMS to IMSI 208304424439206, from 24567, with text “Test”.
Finally, it is also possible to have phone send SMS to each other:
- Register the phone. This step must be done if you get this error in smqueue logs (and the corresponding SMS on your phone):
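How to defend
- If you notice your phone has been downgraded, turn off mobile data immediately. If the network shows OpenBTS or GSM (the "G" network), change location promptly and reconnect to a nearby base station
- Enable 2FA
Forensic analysis of leftover logs
Sample name: 2016.log
MD5: 61aa4478bb128f8ea6736e09f26c4f24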
Size: 538 MB (564,635,221 Bytes)
Sample data
Jun 4 06:25:23 ubuntu openbts: INFO 3075847888 OpenBTS.cpp:483:main: received command "addsms 1401834316 10651086117 0101111001111000011110011000111101010001011101100101101110011110010111111000100001111011100000000101001101010101111111110001101001010011111000110110111000110100010011101000011001010101100111010110011101101111011011000011010001101101101001100110110110100110010101011000100111111111000011000111000011100110011000000111110001100101111101100101010000101100010101000010110010010111111100110100111001010000100011110111101110001111011110110110011101111110111111110000110001110101101100100101000000100110011001011111011001010111001010000110100100000101010011100000101001100010010100110100111000101010011101101111100111111111000011000101101110001001100101110101100110010001110011000110001011111111100011010111011101100010010010110110011100111010010100111101000101100111011000010111011111101101010011111110000101100011110100001001000110010010010011110110000011111111000110100101100100101001010011101010111001001110100001101111111100001100010110010111110110001101011101110101111010001010010011101000011011111111000000010111100101011101010011110110000001101011110011110101100100101001010110010111110101011111110000110110000011000101" from
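Based on the encryption code of a system published online, I reverse-engineered a decryption script.
<?php
// Decode a string of '0'/'1' characters into UTF-8 text.
function decode($s)
{
    $l = strlen($s);
    // The payload is UCS-2, so it must be a whole number of 16-bit units.
    if ($l == 0 || $l % 16 != 0) return '';
    // str_base_convert() is not a PHP built-in; turn each 8-bit group into one byte instead.
    $bytes = '';
    foreach (str_split($s, 8) as $octet) {
        $bytes .= chr(bindec($octet));
    }
    return mb_convert_encoding($bytes, 'UTF-8', 'UCS-2');
}
Data 1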
0101111001111000011110011000111101010001011101100101101110011110010111111000100001111011100000000101001101010101111111110001101001010011111000110110111000110100010011101000011001010101100111010110011101101111011011000011010001101101101001100110110110100110010101011000100111111111000011000111000011100110011000000111110001100101111101100101010000101100010101000010110010010111111100110100111001010000100011110111101110001111011110110110011101111110111111110000110001110101101100100101000000100110011001011111011001010111001010000110100100000101010011100000101001100010010100110100111000101010011101101111100111111111000011000101101110001001100101110101100110010001110011000110001011111111100011010111011101100010010010110110011100111010010100111101000101100111011000010111011111101101010011111110000101100011110100001001000110010010010011110110000011111111000110100101100100101001010011101010111001001110100001101111111100001100010110010111110110001101011101110101111010001010010011101000011011111111000000010111100101011101010011110110000001101011110011110101100100101001010110010111110101011111110000110110000011000101
Decoded
幸福其实很简单:口渴了喝杯水润润喉,烦恼时听听音乐轻轻松,疲倦时在椅上打个盹,安静里拿起手机发条短信提醒你:天亮了,好起床了!祝你每天好心情
Data 2
Decoded
超市收银系统,触屏餐饮点菜系统,甜品奶茶收银设备,有关收银的问题欢迎咨询收银专家156*****521(已码)全套设备凭短信特价2600含进销存管理
Data 3
1000110110000101010111100000001001100101001101101001010011110110011111001111101101111110110111111111111100001100100010011110011001011100010011111001100100010000100110010110111001110000101110011000001111011100011111001111101101111110110111111111111100001100011101010001110001010100110000010101100101110110100000110011011001100101001101101001010011110110100010111011111001011001000001111111111100001100011001110000100101010001011100110110010100110110100101001111011001110110100001001001010111101110100110001001100001101011001000101000111111001110010101001010100010001011111000100110010100110110100101001111011001001110000100110101101110110110000000000011000100000000001101010000000000110110000000000011000000000000001101010000000000111000000000000011100000000000001110000000000000110101000000000011001000000000001100010101000101101000010110010101011110001011101111100101100100000111010100011110110101110111111011010100111111100001011100100111100101001110111101110000000000110010000000000011011000000000001100000000000000110000010101000010101110001111110110111001010100000000010110110101100001111011101000010111010000000110
Decoded
超市收银系统,触屏餐饮点菜系统,甜品奶茶收银设备,有关收银的问题欢迎咨询收银专家156*****21全套设备凭短信特价2600含进销存管理
Data 3
Decoded
生命如河,用快乐摆渡;人生如歌,用梦想吟唱;日子如山,用努力攀登;岁月如戏,用真心演绎;成功如光,用付出采摘;友情如树,用真诚呵护。常恨月满则亏花满则凋,何必太过计较。用坦荡的心,走幸福的路,愿你快乐握在手,好运身边留,幸福相伴走!
Data 4
Decoded
珍惜了,能拥有;付出了,有回报;走过了,不后悔。朋友,愿你走好生命的每一步,幸福快乐每一天!不是每轮艳阳都暖人,不是每片乌云都下雨,既然决定不了命运的去向,那就踏踏实实地走好每一天,请相信:我的祝福是最真的!
Data 5
Decoded
诚交单身女士,20-35岁,QQ3*********
Data 6
Decoded
今天阵雨 21~28℃,风力:西南风2级,湿度:90%,降水概率:70%。明天中雨,22-25℃风力:东南风微风
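The log triage above, generalized into an added Python example (not part of the original post or of OpenBTS): it extracts `addsms` commands from syslog lines shaped like the sample, decodes the bit string as UCS-2 big-endian in the same way as the PHP decoder, and counts decodable messages per sender. The embedded log lines are constructed, and reading the two numeric arguments as a Unix timestamp and a sender number is an assumption.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Shape copied from the sample line: received command "addsms <n1> <n2> <bits>"
ADDSMS = re.compile(r'received command "addsms (\d+) (\d+) ([01]+)"')

def decode_bits(bits):
    """Decode a '0'/'1' string as UCS-2 big-endian; None if malformed."""
    if not bits or len(bits) % 16 or set(bits) - {"0", "1"}:
        return None
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    try:
        # utf-16-be matches UCS-2 for BMP text and rejects lone surrogates
        return raw.decode("utf-16-be")
    except UnicodeDecodeError:
        return None

def parse_line(line):
    """Return a record for one addsms line, or None if the line does not match."""
    m = ADDSMS.search(line)
    if not m:
        return None
    n1, n2, bits = m.groups()
    return {
        # Assumption: the first argument is a Unix timestamp
        "queued_utc": datetime.fromtimestamp(int(n1), tz=timezone.utc).isoformat(),
        "sender": n2,  # Assumption: the second argument is the sender number
        "text": decode_bits(bits),  # None marks a truncated or corrupt payload
    }

def summarize(lines):
    """Return (records, per-sender count of decodable messages)."""
    records = [r for r in map(parse_line, lines) if r]
    return records, Counter(r["sender"] for r in records if r["text"] is not None)

PREFIX = 'Jun  4 06:25:23 ubuntu openbts: INFO 1 OpenBTS.cpp:483:main: received command '
# Constructed lines; the 32-bit payload is the first two characters of data 1.
SAMPLE = [
    PREFIX + '"addsms 1401834316 10000000001 01011110011110000111100110001111" from',
    PREFIX + '"addsms 1401834316 10000000001 010111100111100001111001" from',  # cut short
    PREFIX + '"addsms 1401834400 10000000002 01011110011110000111100110001111" from',
    PREFIX + '"sendsms 1 2 hello"',  # unrelated command, ignored
]

if __name__ == "__main__":
    records, per_sender = summarize(SAMPLE)
    print(*records, per_sender.most_common(), sep="\n")
```

Records whose `text` is None are worth keeping in the output: they show where a log line was cut off or a payload was damaged.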
Reference
- https://sites.google.com/site/yimpleteam/Home/developement/pdu-ge-shi
- http://vitruvianhub.co.za/Content/fordummies.pdf
- http://gnuradio.microembedded.com/openbtssms
- https://github.com/0x7678/OpenBTS
- https://github.com/ttsou/openbts-p2.8
- https://www.cnblogs.com/k1two2/p/8315208.html
- https://blog.csdn.net/weixin_34032827/article/details/89758718
- https://github.com/cheviwinner/openbts-uhd/commit/216ade372ce9b1c4695ad5ae311a4e27346391a5