How To Get Arrested In 30 Minutes: Cracking A GSM Capture File In Real-time With AIRPROBE And KRAKEN

Captions
G'day YouTube, welcome to my channel. It is Wednesday the 9th of March 2023, I'm in my radio shack, and today we will be showing you how to decrypt a GSM data capture file.

I need to preface this with the following: this video is being made for educational and experimentation purposes only. IMSI catching, SMS sniffing and voice call interception on cellular networks is illegal and punishable by hefty fines and imprisonment. Here is the legislation of Australia prohibiting interception of private telecommunications, and here are the penalties for the offence. Australia has no active GSM networks due to our 2G sunset back in 2016, so I couldn't intercept these communications even if I wanted to.

This is probably going to be quite a long video. I've done little to no preparation for this, and I intend to show from start to finish a potential workflow on how to obtain the Kc value and decrypt some GSM traffic in real time. There's going to be quite a lot of copying and pasting of data between terminal windows and text documents, so be warned that it might not be very entertaining to watch. The encrypted data capture file isn't that interesting either, but I won't spoil the surprise, and we'll analyze the data after we've decrypted it towards the end of the video. A lot of my commands are pre-typed just for copying and pasting into the terminal, because I'm a notoriously slow typer, so just pause the video if you need to transcribe them. Normally I try and put the commands I run in the description for easy copying and pasting for you guys, if they fit. So here we go.

The required tools you're going to need: DragonOS LTS Public Beta 2, a pre-made image built on Ubuntu 18.04 with GNU Radio 3.7 pre-installed and working. A virtual machine or bare metal on a bootable USB are both acceptable ways to run this operating system. You only need to use this, I guess, if you are going to replicate my setup, but you could be using Kali or any of those other pen testing Linux distributions. And while we're on the topic of DragonOS, go and check out Aaron over at the cemaxecuter YouTube channel. He's the author of DragonOS and he doesn't get anywhere near enough recognition for his amazing channel and incredible operating system.

The next thing you're going to need is AIRPROBE patched for GNU Radio 3.7. This is used for decoding the GSM capture file and printing the frame bursts required for cracking (we're going to talk about frames and bursts later). Later versions of grgsm_decode can print frame bursts with the -p argument, but I couldn't get grgsm_decode to read this particular capture file.

Next thing you're going to need is Wireshark. It's included in DragonOS already, and it is required for decoding and analyzing GSM packet data.

The fourth thing you're going to need is Kraken, with a hard drive with the rainbow tables written to it. This is used for cracking the A5/1 keystream and ultimately finding the Kc value for use in decryption. Setting this up is a mammoth task by itself and it probably requires a dedicated tutorial, but that's beyond the scope of this video. Just remember, if you're using the Crazy Danish Hacker's YouTube tutorial for installing Kraken, you need two separate hard drives: the source drive contains the downloaded DLT files and the target drive will have the DLTs written to it in a raw format. He doesn't explain that clearly enough in his video. Many followers of his YouTube tutorial reported losing their 1.5 terabytes of downloaded DLT files because they tried to write them in raw format to the same drive where the DLT files were kept. This happened to me two times, and if you scroll through the comments of that video there's heaps and heaps of people complaining about that issue. So you need two hard drives to set up Kraken.

Okay, the next thing we need is a capture file. A capture file is in cfile format; it is basically a computer-transcribed version of GSM waves travelling through the air, captured by a software defined radio. This capture file was uploaded with permission by the owner of the data for use as a decoding example for AIRPROBE. Do not ever, ever attempt to crack private GSM communications from any other mobile subscriber except yourself. Only crack your own GSM communications. You can find voice call, SMS and GPRS data traffic coming from your own telephone by obtaining the TMSI value from your SIM card, which is the temporary mobile subscriber identity, and cross-referencing that with decoded packets in Wireshark. As far as I'm aware this file has never been publicly cracked, and that is evident by this person asking for the key in the gr-gsm Google Group. So we're doing a public first here, potentially.

So let's get to it. What we're going to need to do first is open Wireshark, and then we go into another terminal window and we need to utilize AIRPROBE to decode the BCCH, which stands for broadcast control channel, on time slot zero. Now we can see the top window pane of Wireshark populating with decoded packets. So what we need to do is sort the packets by alphabetical order, locate the immediate assignment packet, drop this menu down, GSM CCCH immediate assignment, click channel description, and we can see that there's been an allocation to an SDCCH channel on time slot one. So we'll restart the Wireshark capture and we'll utilize AIRPROBE again to decode the SDCCH on time slot 1, and also print the bursts to a text document (I'll talk more about bursts very shortly). So we just run that command. Then we locate the ciphering mode command, drop this drop-down menu down, click on cipher mode setting, and just confirm that A5/1 encryption is in use. Kraken can only crack A5/1 as far as I'm aware, so if it's A5/3 don't even bother, and A5/0 means that there's no encryption being used, so be very, very careful when you're decoding that traffic. So all the data beyond this ciphering mode command packet is encrypted and it's not decodable by Wireshark anymore, so we can't go further than this to see what
traffic exists beyond this ciphering mode command packet. We need to find the Kc value that the base station provided this telephone to secure the communication.

So in this top pane of Wireshark, these are the data link layer protocol packets. Each packet corresponds to a frame number, which can be found in the bottom window of Wireshark under the GSMTAP header. Each GSM frame is made up of eight bursts, which are the raw ones and zeros of a transmission. We can extract these bursts with AIRPROBE, as they are required for cracking A5/1.

So our target packet is going to be a LAPDm function UI packet. These are an idle packet that is repeated every 102 frames on this particular GSM base station. A lot of carriers utilize different equipment and implement the GSM standard differently, but this particular GSM base station repeats LAPDm function UI frames every 102 frames, and we can confirm that by locating frame number 1670814, copying that value, opening up your calculator, pasting that value and then adding 102. We can see that 1670916 should be the next LAPDm function UI packet, so we'll click the next target packet and we see that 1670917 is the matching frame. So that is just a confirmation that this base station is transmitting these frames every 102 frames. So what we're going to do is copy that value and then paste it into our working text document under "target unencrypted frame number".

Now that we have our target packet, we need to guess where the next LAPDm function UI packet is in the encrypted form. That packet exists after this ciphering mode command, in encrypted form, somewhere. For a more in-depth explanation of the guessing phase of cracking, please refer to my previous GSM cracking video from last week. Because we know that LAPDm function UI packets are repeated every 102 frames on this GSM base station, we can use a calculator to add 102 to the frame number of the target packet. So we'll copy this value, paste it into the calculator, and then we add 102. This frame could potentially be the encrypted form of a LAPDm function UI packet, so what we'll do is copy that value and paste it into our working text document under "guessed encrypted LAPDm function UI frame number".

The next thing we need to do: we don't need Wireshark for a while now, so we'll just put that into the background and go to our AIRPROBE working directory where our capture file exists and locate bursts.txt. In order to use Kraken to find the Kc value, we need to generate a pure A5/1 keystream to feed into the cracker utility. This keystream can be generated by XORing the frame bursts together from the unencrypted target frame and the guessed encrypted frame. So, as we can see, AIRPROBE outputted this file when we ran the command decoding the SDCCH. Then what we'll do is use the find utility and find the 12 lines of GSM bursts that define this packet. So we hit find there, and we need to copy all the frames from 913 (last three digits) to 916 (last three digits); it'll be a total of 12 lines. So we copy all those and paste them into the "target unencrypted frame bursts" section of our working text document. Next we need to find the guessed encrypted frame and copy the 12 lines of bursts relating to that packet: use the Ctrl-F find utility, paste that, ignore this (do not copy anything here), scroll down a little bit, and we need to copy all these bursts, 12 lines, from 015 (last three digits), 016, 017 and 018. Again it'll be 12 lines, so we just copy that and paste it into the "guessed encrypted frame bursts" section of our working text document.

There's a lot of data in our text document now, so we can close bursts.txt, we don't need that anymore. Now we can remove the irrelevant bursts that serve no purpose for cracking, on both the unencrypted target frame and the guessed encrypted frame. Because I cracked this capture file in the past, I know which bursts deliver results, so to save some time we will only XOR the bursts required for the cracking. So remove all the bursts that don't start with the letter P; if they start with S or C, delete them. We're reaching the boring phase of the tutorial now. Let's go ahead and delete the lines that are irrelevant to the cracking, and do the same for the guessed encrypted bursts: only keep the lines that start with P. If this were a regular workflow you would XOR all the bursts with each other, but because I already cracked this file yesterday I know which bursts deliver results, so to speed up this video we will just keep the relevant frames that we need for obtaining the Kc.

Okay, so now we need to open another terminal. What we need to do now is utilize Kraken's xor.py utility. You don't need to compile this; it's just a Python script that you can download from git. So you just cd into the directory and then run your xor.py script and
we need to feed that script the first burst of the target unencrypted frame and also, with a space, the first guessed encrypted frame burst, like so. Hit enter, and this is the output: this is the XOR result from this burst and that burst. We'll just paste this down here, and then you do the same for the rest. So again, very boring. People generally write automation tools for this phase, the guessing, the XORing... well, I think I did that incorrectly, sorry. Oh yeah, people write automated tools. Some of the tools that automate this step are Pytacle, Topguw autocracking, and I think there's one called GSM TK, that's another one, but writing such a tool to automate the guessing, the XORing and the feeding of Kraken is far beyond my coding ability, unfortunately. But people do write their own Kraken, oh sorry, guessing automation tools and neglect to share them with the community because it's pretty illegal to do so.

So there we have it, that's our XOR output from XORing each unencrypted burst with an encrypted burst. I'm just going to take a moment to double check that I have the correct bursts, because I was running into a problem earlier where I was having to re-record the video when I got to this step, about four times so far. So yeah, I'm just quickly double checking that everything is okay. I'm assuming it was something to do with VNC not copying and pasting correctly, but it seems to have worked this time, so we'll move on. Out of these four XOR bursts, one of these is a crackable A5/1 keystream. So far so good, let's keep moving on.

So now what we need to do is log into my private Kraken server, which is sitting over there on a table relative to me. It's powered on, I'm already logged in via SSH, I've cd'd into the Kraken directory, and then I need to run this command. What Kraken is doing now is loading the rainbow tables using an index file. The index file contains all the addresses required for Kraken to access the rainbow tables, because the rainbow tables are written to a raw partition; you can't actually browse it with a file manager, so it's a really efficient way of keeping large amounts of data. While that's doing that I'll have a sip of beer.

So yeah, Kraken's got a really, really easy user interface. It's only got three commands: crack, test and quit. So we will type crack into it. We can only crack one burst at a time, so yeah, it can sometimes be quite time consuming. This cracker machine is very old and slow, so because I know which XOR burst delivers results, we will go ahead and crack the third XOR burst. I'll just quickly label these so we can differentiate and I can refer to them by this name from now on. As I said before, I know which burst delivers results, so I'm going to copy the third XORed burst, type "crack", a space, and then paste that potential A5/1 crackable keystream and then hit enter. This computer is a dual core Core i3 with an H61 motherboard in it, which is from the era of about 2011, so it's not really a number crunching beast, unfortunately, but it gets the job done. So fingers crossed, we should get some results very shortly. Bingo! Kraken has found a candidate key, which is this string of numbers and letters, at position 11, which I believe means maybe 11 bits into this burst. It has found a candidate key at bit position 11, on attempt number zero, and the rainbow table was number 212 that has found this result. We'll just Ctrl-C out of that because I know it won't spit out any more results. Sometimes it spits out multiple results, but this particular one is just the one result. So we'll copy that and paste it into the "Kraken output" section of our working text document.

The next stage is we need to find the previous burst, because the candidate key Kraken found in its rainbow tables is not the Kc value. We need to utilize another Kraken binary called find_kc to finally generate the actual Kc value. To do this we need to generate some input to feed to the find_kc utility, so we need to locate the previous burst before the one that we cracked, right, so 914, 1670914. So we just scroll back up, and we need to copy this line here, because we need some of these numbers later on to generate the input to feed find_kc. That's the previous burst: because we know the third burst gave results, the previous one is this one here of the unencrypted target frame. We'll just paste this down here into "previous unencrypted burst". Then do the same for the guessed encrypted burst: we know the third burst gave results, so we copy the burst before that and we'll paste it down here. We need some of these numbers to feed find_kc, so that's why we're just jotting them down in a more accessible area of our text document. Then we need to copy the second XOR burst, which is the burst before the burst that gave us results, so we'll just copy that from there. We don't need to use the utility again because we've already got the output there in the text document. We'll just save that, because we're getting quite a lot of juicy data in our text document now, which is going to help us find the Kc.

Okay, so this
is it, lo and behold, the final step of the tutorial. We need to utilize the find_kc binary to find the Kc value now. This one's a little bit tricky, so you'll have to follow along with me. I'll try and explain it the best I can; again, not a computer scientist or a cryptology expert here.

So we need to go to our text document and copy the candidate key, which is that string of numbers and then one letter after it. And then, sorry, first we need to cd into the utilities directory of Kraken, my apologies. So we'll go back to this window and we will just double check that the binary is in there. Yep, find_kc, that's the utility that we will be utilizing. First we have to write ./find_kc, then a space, and then we copy the candidate key, put another space, and type the bit position, which was position 11. Thirdly, we need to copy the guessed encrypted burst's frame count into the terminal. So 567 is the last three digits of that, 2580567, and we paste that there. Fourthly, we need to copy the previous guessed encrypted burst's frame count into the terminal, so that is 2580534. These are called frame counts, these numbers here: this is the frame number and this is the frame count, and it's used for mixing into A5/1 while it does the back clocking, I believe. So we paste that there, and then finally, to finish the command we send to find_kc, we copy the previous burst XOR output, so from the "previous burst XOR output" field down here, copy that, space, and paste that right there. So here's the moment we've all been waiting for: will I have to record my video again or not? Stick around and find out. We'll press enter on that, and success! There we have it, that is what we've spent almost 30 minutes trying to achieve. The find_kc utility has found eight candidate Kc values, and the eighth one is the decryption key that we can feed into AIRPROBE and reveal the encrypted GSM traffic. So we'll copy that result to our text document. We'll just have to do some reformatting so we can feed this value to AIRPROBE and then see what decrypted traffic was hiding behind the cipher mode command. Spoiler alert, it's not very exciting, but it's still pretty fun to do this kind of stuff anyway.

So this is the final stage of the tutorial now. We're going to go back to our AIRPROBE terminal window, and we're going to paste the command for decoding the SDCCH on time slot one again, except we're going to do it differently this time: we're going to put a space after it and we're going to copy the Kc value that we just cracked into it. Then we're going to go to Wireshark and restart the capture. And yeah, just like I alluded to previously, the encrypted packets are not that interesting, it appears. Well, I'll just run my command first. Oh, here we go. I'm not sure if this has been publicly released before, but this could potentially be the first time that these packets are being displayed on the internet, so that's pretty cool. Just like I alluded to previously, I think the encrypted packets aren't that interesting. It appears to be traffic related to LAI, which stands for local area identification, and the LAC, where is it, the LAC stands for location area code. So this information was probably encrypted for the purpose of protecting a mobile subscriber's location as they move between base stations, cell towers and coverage areas: typical tracking prevention type stuff on a cellular network. So yeah, that kind of makes sense, that information that could potentially be used for tracking a mobile user is being encrypted. So that's very, very cool. I'm quite happy that I achieved cracking real GSM communications. It has taken me a long time, like months and months and months of reading and gathering tools and things of that nature to achieve such a thing.

So as far as I'm aware, the decryption key of this capture file has never been publicly disclosed, so here we are, it's all yours, community. I should reiterate to any law enforcement watching that this GSM capture file was recorded and uploaded by the owner of the data themselves, for the purpose of educating 2G GSM users that their communications are potentially insecure and open to eavesdropping if they use these systems. So like usual I'll upload a zip archive of the capture file, my cracking notes document and anything else related to this video, then I'll upload it to Google Drive and put the link down there.

So what's next for my GSM hacking adventures? Nothing, nothing at all. I achieved what I set out to do by cracking actual GSM communications in real time, and in the process I educated some viewers that may be interested in cellular security, and potentially inspired them. I intend to dismantle this great GSM cracking setup and delete all the virtual machines and all the bootable USBs relating to it. I may potentially sell my Kraken hard drive along with the idx and config files to someone if they're interested, but that's a big maybe, because I might repurpose the hard drive for something else. It's a 1.5 terabyte, oh sorry, it's a 3.5 terabyte NAS drive, so only 5400 RPM, not very good for cryptography stuff. But everything else is fairly well documented on my YouTube channel now if someone wanted to replicate these steps.

So it's time for disclaimers now, like usual. This video was made for the purposes of education and experimentation only. IMSI catching, SMS sniffing and voice call interception on cellular networks is illegal and punishable by hefty fines and imprisonment. If you value your freedom and don't want to go to prison, do not ever, ever replicate the steps in this video to eavesdrop on private encrypted telecommunications. Okay, you have been warned. Thanks very much for watching everybody, bye.
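The two cryptographic facts the video leans on, as an added illustration that is not the presenter's code and not part of Kraken or AIRPROBE: A5/1 is a stream cipher, so XORing a predictable idle burst (the LAPDm UI fill frame) with its encrypted counterpart leaves nothing but keystream, which is exactly why a cipher whose keystream can be tabulated is broken by known plaintext; and the "frame count" the video pastes into find_kc is the 22-bit A5/1 COUNT derived from the TDMA frame number per the GSM A5 specification (T1 = FN div 1326, T2 = FN mod 26, T3 = FN mod 51). The burst strings below are constructed; the frame numbers 1671017 and 1671016 are inferred from the last-three-digit labels 017/016 the video reads out, and the function reproduces the two frame counts it quotes, 2580567 and 2580534.

```python
"""Added illustration of keystream leakage under a stream cipher and of the
A5/1 frame-count derivation. Not code from the video, Kraken or AIRPROBE."""
import random

BURST_BITS = 114  # data bits per GSM normal burst, as printed by AIRPROBE

HYPERFRAME = 26 * 51 * 2048  # TDMA frame numbers wrap at this value


def xor_bursts(plain: str, cipher: str) -> str:
    """XOR two equal-length '0'/'1' strings (what Kraken's xor.py does).
    If `plain` really is the plaintext behind `cipher`, the result is the
    keystream the cipher produced for that burst."""
    if len(plain) != len(cipher):
        raise ValueError("bursts must have the same length")
    if set(plain + cipher) - {"0", "1"}:
        raise ValueError("bursts must be binary strings")
    return "".join("1" if a != b else "0" for a, b in zip(plain, cipher))


def a51_frame_count(fn: int) -> int:
    """Map a TDMA frame number to the 22-bit COUNT that A5/1 mixes with Kc.
    T1 = FN div 1326 (11 bits), T3 = FN mod 51 (6 bits), T2 = FN mod 26 (5 bits);
    COUNT = T1 << 11 | T3 << 5 | T2.  This is the 'frame count' that sits next
    to the frame number in the video's find_kc command."""
    if not 0 <= fn < HYPERFRAME:
        raise ValueError("frame number outside the hyperframe range")
    t1, t2, t3 = fn // 1326, fn % 26, fn % 51
    return (t1 << 11) | (t3 << 5) | t2


def demo_keystream_leak(seed: int = 1) -> dict:
    """Constructed demo: encrypt a fake idle burst with a random keystream,
    then show that plaintext XOR ciphertext gives the keystream back, while a
    wrong plaintext guess gives garbage (hence the video's guessing phase)."""
    rng = random.Random(seed)
    keystream = "".join(rng.choice("01") for _ in range(BURST_BITS))
    idle_burst = ("0010101100" * 12)[:BURST_BITS]  # constructed fill pattern
    other_burst = ("1101" * 30)[:BURST_BITS]       # constructed wrong guess
    cipher = xor_bursts(idle_burst, keystream)     # what is seen over the air
    return {
        "recovered": xor_bursts(idle_burst, cipher) == keystream,
        "wrong_guess": xor_bursts(other_burst, cipher) == keystream,
    }


if __name__ == "__main__":
    print(demo_keystream_leak())                 # {'recovered': True, 'wrong_guess': False}
    for fn in (1671017, 1671016):
        print(fn, "->", a51_frame_count(fn))     # 2580567 and 2580534
```

The frame count matters because the same Kc produces a different keystream for every frame; that is why find_kc needs both the cracked burst's count and the previous burst's count to walk the cipher state back to Kc. The defensive reading is the one the video itself gives: predictable idle traffic plus a tabulated 64-bit stream cipher is a known-plaintext problem, which is why the cipher mode setting is worth checking and why A5/3 and the 2G sunset remove the exposure.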
Info
Channel: Rob VK8FOES
Views: 1,420,923
Keywords: gsm, hack, hacking, cracking, kraken, gr-gsm, airprobe, wireshark, 2g, crack, decryption, decrypt, decrypting, A5, stream cipher, encryption key, Global System for Mobile Communications, mobile phone, cellular security, cell phone, A5/1, encrypt
Id: EFLvHMJ5PHk
Length: 35min 16sec (2116 seconds)
Published: Fri Mar 10 2023