Efficient plaintext guessing HOWTO

This page describes a more efficient approach to guessing known plaintext for known-plaintext attacks in GSM networks.

Parts of it are implemented in tkgenstat.pl, tkconvert and tknapalmex of gsmtk.

Naive approach

  • Notice that the “03 03 01 2B 2B 2B…” sequence is repeated frequently.
  • Guess “03 03 01 2B 2B 2B…”

This does not work at all in networks with randomized padding.

A more efficient one

Stage 1: we have just started sniffing on a new network and have no data so far.

  • Sniff ~100 communications.
  • Split them into SDCCH and SACCH (they behave very differently).
  • Decode all plaintext frames and sort them by relative occurrence.
  • Guess the most frequently used frames. You can have several guesses per burst; it would look like:
      Plaintext: 0xABCDEF Confidence: 0.172
      Plaintext: 0x123456 Confidence: 0.139
      etc.
  • Try to crack some communication with this. It should have a reasonably high success rate.

Stage 2: we have some cracked communication from a given BTS.

  • Decode all frames and sort them by relative occurrence.
  • Decode all communications and create tuples (communication length; position; plaintext). Sort them by relative occurrence.
  • On insecure networks you will get something like “if the communication was 4 frames long, the third frame is ALWAYS XYZ”. With this you can guess plaintext very efficiently, with a success rate peaking at 100 %.
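The Stage 1 and Stage 2 statistics above, as an added example (not part of the original page or of gsmtk). It ranks frames by relative occurrence, builds the (length; position; plaintext) table, and reports which slots are fully predictable from length and position alone, which is the figure an operator would want when checking whether padding is actually randomized. All frame bytes below are constructed sample data; only the “03 03 01 2B 2B 2B” pattern comes from the page.

```python
from collections import Counter, defaultdict

# Constructed sample: five SDCCH "communications", each a list of plaintext
# frames as hex strings. Byte values are made up for illustration; only the
# "03 03 01 2B 2B 2B" padding pattern is taken from the page.
SAMPLE_COMMS = [
    # three 4-frame communications: frame index 2 is identical in all of them
    ["06 1F 01", "03 03 01 2B 2B 2B", "2B 2B 2B 2B 2B 2B", "05 1A 2B 2B 2B 2B"],
    ["06 1F 01", "03 03 01 2B 2B 2B", "2B 2B 2B 2B 2B 2B", "9C 41 D7 08 E3 5A"],
    ["06 1F 01", "8F 20 C4 2B 2B 2B", "2B 2B 2B 2B 2B 2B", "05 1A 2B 2B 2B 2B"],
    # two 3-frame communications whose last frame is randomized and never repeats
    ["06 1F 01", "03 03 01 2B 2B 2B", "A7 3C 19 E0 55 B2"],
    ["06 1F 01", "03 03 01 2B 2B 2B", "4D 9E 02 C8 F1 67"],
]


def frame_frequencies(comms):
    """Stage 1: every frame ranked by relative occurrence, position ignored."""
    counts = Counter(frame for comm in comms for frame in comm)
    total = sum(counts.values())
    return [(frame, n / total) for frame, n in counts.most_common()]


def positional_frequencies(comms):
    """Stage 2: (communication length, position) -> ranked (frame, confidence)."""
    slots = defaultdict(Counter)
    for comm in comms:
        for pos, frame in enumerate(comm):
            slots[(len(comm), pos)][frame] += 1
    return {
        slot: [(frame, n / sum(c.values())) for frame, n in c.most_common()]
        for slot, c in slots.items()
    }


def deterministic_slots(comms):
    """Audit view: slots whose top guess has confidence 1.0, i.e. frames that are
    fully predictable from length and position alone. A network with randomized
    padding should report none of these beyond genuinely fixed headers."""
    table = positional_frequencies(comms)
    return sorted(slot for slot, ranked in table.items() if ranked[0][1] == 1.0)


if __name__ == "__main__":
    for frame, conf in frame_frequencies(SAMPLE_COMMS)[:3]:
        print(f"Plaintext: {frame}  Confidence: {conf:.3f}")
    print("Fully predictable (length, position) slots:", deterministic_slots(SAMPLE_COMMS))
```

With real captures, the per-channel split from Stage 1 applies: run the functions separately on the SDCCH and SACCH frame sets, since their statistics differ.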

Stage 3: we have some cracked communication from this network, but we have moved to a different BTS.

  • Notice that only the SACCH channel changed; the SDCCH is still the same.

Optimization: System information messages

  • It may be that certain messages occur only when the frame number satisfies the condition FN%X == Y, where X could be 52 or 104. Guess Y and then guess SI messages only for the matching frames.

Optimization: Timing advance and signal strength

  • Notice that the SI5 message contains two bytes that depend on the physical location of the target phone. Usually this information is leaked in the plaintext preamble or in other communications with the same TMSI. Use this leaked information to improve guessing. If that does not work, try incrementing and decrementing these two values by one (yielding 4 more candidate frames).

Optimization: targeted listening

  • If you are only interested in SMS/calls/data/…, notice that they usually come in communications of a certain length. Crack only communications of the interesting length.
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International