Description
In this video I show how to crack and decrypt SMS from start to finish with an RTL-SDR and a Kraken server. All of the required steps are shown, using a manual approach to better understand how the input for Kraken is generated. Everything you need to know is in this video.
Note: Even with a working Kraken server, you are not guaranteed to crack every A5/1 encrypted burst. You may have to call your mobile phone (you will receive a new Kc), and then capture traffic from your mobile phone again while you send yourself SMS messages.
Topics covered:
– Installing airprobe
– Installing gsmframecoder
– Using Make With Multiple Jobs
– Forcing 2G Mode on iPhone 4S
– Field Test Mode on iPhone 4S
– Finding the SDCCH8 Timeslot
– Finding the iPhone 4S TMSI Without Knowing It
– Verifying Our Device Uses A5/1 Encryption
– System Information Packets (SI5, SI5Ter, SI6)
– GSM Frame Numbers
– Finding Potentially Encrypted SI5 Candidates (i.e. packets/frames)
– Sorting Decoded GSM Packets by Subslot
– GSM Frame Bursts In Practice (i.e. How To Find Them and How They Work)
– Using gsmframecoder to Decode an Unencrypted Burst (SI5 Packet/Frame)
– Timing Advance with System Information 5 Packets
– Modified Frame Numbers (Used for A5/1 Decryption)
– XOR’ing the Unencrypted SI5 Bursts with the Encrypted SI5 Burst
– Using Kraken to Crack the XOR’d SI5 Bursts
– Using find_kc to Find the (Symmetric) Encryption/Decryption Key
– Using grgsm_decode to Decode the Encrypted SMS’
Tools covered:
– grgsm_decode (https://github.com/ptrkrysik/gr-gsm)
– go.sh (https://github.com/iamckn/airprobe)
– gsmframecoder (https://www.ks.uni-freiburg.de/download/misc/gsmframecoder.tar.gz)
– Kraken (https://github.com/joswr1ght/kraken)
– find_kc (See above)
– xor.py (https://github.com/joswr1ght/kraken/blob/master/Utilities/xor.py)
Disclaimer: The contents of this video are meant for educational purposes only. Only decrypt your own traffic. Anything else may be illegal.
Stay tuned and subscribe for more upcoming videos showing actual hacks!
Is it possible to spoof the SMS by using RTL-SDR?
RTL-SDR’s can’t transmit by default.
If Time advance is 1, which unencrypted burst should be used?
You are meant to use almost “identical” packets for this type of hack. (Where one packet is encrypted, and the other is unencrypted.) You don’t have to use System Information 5 (SI5) packets, it is possible to use other packets based on what I’ve heard from other people. I haven’t tested this myself, but it should work. The most important thing is that the type of packet is regularly transmitted so you can guess where it is, just like I did in the video with SI5 packets, as they are generally transmitted every 102 frames.
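The reply above relies on two pieces of GSM timing: the frame number every burst carries and the fact that SI5 repeats every 102 frames. The following is an added example, not code from the video or from any of the tools listed above; it only implements the frame-number arithmetic defined in 3GPP TS 45.002 (T1/T2/T3 decomposition, hyperframe wrap-around) and a helper that checks whether two frame numbers are an exact multiple of a period apart. The constant 102 and the name `same_periodic_slot` are assumptions taken from the reply, not from the standard.

```python
# Added example (not from the video or any listed tool): GSM TDMA frame-number
# arithmetic from 3GPP TS 45.002, illustrating the "GSM Frame Numbers" topic and
# the 102-frame SI5 spacing described in the reply above.

FRAMES_PER_26_MULTIFRAME = 26           # traffic multiframe (TCH/SACCH)
FRAMES_PER_51_MULTIFRAME = 51           # control multiframe (BCCH/CCCH/SDCCH)
SUPERFRAME = 26 * 51                    # 1326 frames
HYPERFRAME = SUPERFRAME * 2048          # 2 715 648 frames, after which FN wraps to 0


def decompose_fn(fn: int) -> tuple[int, int, int]:
    """Split a frame number into the (T1, T2, T3) triple broadcast by the network.

    T1 counts superframes (0..2047), T2 is the position inside the 26-multiframe,
    T3 the position inside the 51-multiframe.
    """
    if not 0 <= fn < HYPERFRAME:
        raise ValueError("frame number outside the hyperframe range")
    t1 = fn // SUPERFRAME
    t2 = fn % FRAMES_PER_26_MULTIFRAME
    t3 = fn % FRAMES_PER_51_MULTIFRAME
    return t1, t2, t3


def compose_fn(t1: int, t2: int, t3: int) -> int:
    """Rebuild the frame number from T1/T2/T3 (TS 45.002, clause 4.3.3).

    FN = 51 * 26 * T1 + 51 * ((T3 - T2) mod 26) + T3
    """
    if not (0 <= t1 < 2048 and 0 <= t2 < 26 and 0 <= t3 < 51):
        raise ValueError("T1/T2/T3 out of range")
    return (SUPERFRAME * t1
            + FRAMES_PER_51_MULTIFRAME * ((t3 - t2) % FRAMES_PER_26_MULTIFRAME)
            + t3)


def frames_between(fn_a: int, fn_b: int) -> int:
    """Number of frames from fn_a forward to fn_b, honouring hyperframe wrap-around."""
    return (fn_b - fn_a) % HYPERFRAME


def same_periodic_slot(fn_a: int, fn_b: int, period: int = 102) -> bool:
    """True when fn_b lies an exact multiple of `period` frames after fn_a.

    The default of 102 frames (two 51-multiframes) is the SI5 spacing the reply
    above describes; it is an assumption of this example, not a value from TS 45.002.
    """
    return frames_between(fn_a, fn_b) % period == 0


if __name__ == "__main__":
    # Constructed sample: decode a frame number and check the round trip.
    fn = 100
    t1, t2, t3 = decompose_fn(fn)
    print(f"FN {fn} -> T1={t1} T2={t2} T3={t3} -> FN {compose_fn(t1, t2, t3)}")
    print("FN 1204 is 102 frames after FN 1000:", same_periodic_slot(1000, 1204))
```

The round trip `compose_fn(*decompose_fn(fn)) == fn` holds for every frame number in the hyperframe, which is why a receiver can rebuild the absolute frame count from the T1/T2/T3 fields alone; `frames_between` is the safe way to compare two frame numbers because the counter wraps at 2 715 648.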
Hello, I'm having trouble. When I proceed to ./configure && make -j4, it shows me an error:
checking for GNURADIO_CORE… configure: error: Package requirements (gnuradio-core >= 3) were not met:
No package ‘gnuradio-core’ found
Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.
Could you help me fix it?
Thanks
It means you don't have gnuradio-core installed; try apt-get install gnuradio-core.
Check out this article as well: https://nuand.com/forums/viewtopic.php?t=3137
Hello,
What is needed for me to see SMS? I see many use a HackRF, but what is everything else that's needed for it to work?
I would like to have a range of about 100 m, so I guess I would need an antenna? Any recommendations?
Would really appreciate your help.
The SMS needs to be sent over 2G and the encryption will need to be A5/1. It's a very conditional and not very practical attack. I recommend you watch the entire video series to get a better understanding of this topic. When you passively sniff GSM you're almost always up to 1 km away, and that means that you could potentially sniff someone 2 km away on the other side of that antenna. (Think of your location as being the outer radius of a circle on one side.)
I want to know about the key (A5/1) used to encrypt.
E.g.: suppose Bob (victim) is sitting at the same place for 2 hours and is connected to the same base station with a 2G connection. Bob receives 2 SMS (the 2nd SMS after 15 minutes). Alex (attacker) is sniffing the SMS. I saw your video; to view the SMS I need the key. Luckily Alex decrypted the first SMS and now he wants to decrypt the 2nd SMS.
All I want to know is: does Alex have to find the new key to decrypt it, or does he have to use the key he found earlier, as the victim is connected to the same cell tower?
Good question; this depends on several factors. Some telcos only change the encryption key periodically, or when you switch tower (or frequency/channel). Other telcos only switch the encryption key when you receive a phone call, and it seems that some telcos will switch the encryption key for every SMS sent or received. However, in my case the encryption key is only changed when I receive a phone call or change tower or frequency/channel.
So in your scenario where the victim (Bob) receives two SMS, one immediately and one after 15 minutes, it would be possible to decrypt the subsequent SMS received.
If the timing advance = 1, with a non-hopping channel, which unencrypted bursts should be used for the XOR?
Thanks in advance
If the timing advance is 1, which unencrypted bursts should be used for the XOR?
Thanks in advance
Hello, the whole thing is going perfectly here and of course everyone is sharing information; that's really good, keep up writing.