project:gsm:guesser

project:gsm:guesser [2015/12/17 10:17] – length side channel, jenda
project:gsm:guesser [2016/03/07 22:40] jenda
====== Efficient plaintext guessing HOWTO ======

This page describes a more efficient approach to guessing known plaintext for known-plaintext attacks on GSM networks.

Parts of it are implemented in tkgenstat.pl/tkconvert/tknapalmex of [[:user:jenda:gsm|gsmtk]].

===== Naive approach =====

  * Notice that the sequence "03 03 01 2B 2B 2B..." is repeated frequently.
  * Guess "03 03 01 2B 2B 2B...".

This does not work at all in networks with randomized padding.

===== A more efficient one =====

Stage 1: we have just started sniffing on a new network and have no data so far.

  * Sniff ~100 communications.
  * Split them into SDCCH and SACCH (the two behave very differently).
  * Decode all plaintext frames and sort them by relative occurrence.
  * Guess the most frequently used frames. You can have several guesses per burst; it would look like
<code>Plaintext: 0xABCDEF Confidence: 0.172
Plaintext: 0x123456 Confidence: 0.139
etc.</code>
  * Try to crack some communications with this. It should have a reasonably high success rate.

Stage 2: we have some cracked communications from a given BTS.

  * Decode all frames and sort them by relative occurrence.
  * Decode all communications and create tuples (Communication length; Position; Plaintext). Sort them by relative occurrence.
  * On insecure networks, you will get something like "if the communication was 4 frames long, the third frame is ALWAYS XYZ". With this you can guess plaintext very efficiently, with the success rate peaking at 100 %.

Stage 3: we have some cracked communications from this network, but we have moved to a different BTS.

  * Notice that only the SACCH channel changed; the SDCCH is still the same.

Optimization: System Information messages

  * It may be that certain messages occur only when the frame number satisfies FN % X == Y, where X could be 52 or 104. Guess Y and then guess SI messages only for the frames that match.

Optimization: timing advance and signal strength

  * Notice that the SI5 message contains two bytes that depend on the physical location of the target phone. Usually this information is leaked in the plaintext preamble or in other communications with the same TMSI. Use this leaked information to improve guessing. If that does not work, try incrementing and decrementing each of the two values by one (yielding 4 more candidate frames).

Optimization: targeted listening

  * If you are only interested in SMS/calls/data/..., notice that they usually come in communications of a certain length. Crack only communications of the interesting length.
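The Stage 1 and Stage 2 statistics above, as an added example that is not code from this page or from gsmtk, written from the network operator's side: it measures how dominant the most common frame is per channel and per (channel, communication length, position), so an operator can check whether padding randomization actually removes the predictable positions that make guessing easy. The decoded frames below are constructed sample data (hex strings), not a real capture.

```python
from collections import Counter, defaultdict

# Constructed sample: (channel, list of decoded frames as hex strings).
# The SDCCH communications carry a fixed fill pattern at positions 1 and 2;
# the SACCH ones are meant to look like randomized padding.
SAMPLE = [
    ("SDCCH", ["050301", "0303012b2b2b", "0303012b2b2b", "010601"]),
    ("SDCCH", ["050302", "0303012b2b2b", "0303012b2b2b", "010602"]),
    ("SDCCH", ["050303", "0303012b2b2b", "0303012b2b2b", "010603"]),
    ("SDCCH", ["050304", "0303012b2b2b", "0303012b2b2b", "010604"]),
    ("SACCH", ["0615", "0606", "061d"]),
    ("SACCH", ["0616", "0606", "064a"]),
    ("SACCH", ["0617", "0607", "0609"]),
    ("SACCH", ["0618", "0608", "06b2"]),
]


def channel_stats(comms):
    """Stage 1 view: frame counts per channel, ignoring length and position."""
    stats = defaultdict(Counter)
    for channel, frames in comms:
        stats[channel].update(frames)
    return stats


def frame_stats(comms):
    """Stage 2 view: frame counts per (channel, communication length, position)."""
    stats = defaultdict(Counter)
    for channel, frames in comms:
        for pos, frame in enumerate(frames):
            stats[(channel, len(frames), pos)][frame] += 1
    return stats


def dominant(counter):
    """Most common frame and its share of all frames seen for that key."""
    frame, n = counter.most_common(1)[0]
    return frame, n / sum(counter.values())


def audit(stats, threshold=0.9):
    """Keys where one frame value reaches the threshold share: these are the
    positions whose plaintext is effectively known and should be randomized."""
    flagged = []
    for key, counter in stats.items():
        frame, share = dominant(counter)
        if share >= threshold:
            flagged.append((key, frame, share))
    return sorted(flagged)
```

A share close to 1.0 for a (channel, length, position) key means that position is guessable without any per-network learning; a share near 1/N over N communications means the padding is behaving as random.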
project/gsm/guesser.txt · Last modified: 2021/03/31 20:41 by jenda