The IMSI (International Mobile Subscriber Identity) is stored on the SIM card and is made up of a mobile country code (MCC), a mobile network code (MNC) that identifies the carrier, and a subscriber number (MSIN) that identifies the user. Anyone who can sniff it off the air can, at a minimum, identify and locate the phone's user, and with more equipment potentially intercept or spoof the user's traffic.
Let's see how to harvest that information from 2G (GSM) networks with an RTL-SDR dongle and a few pieces of software. Note that gr-gsm decodes only GSM signalling, not 3G (UMTS), so what you capture is whatever 2G traffic is still on the air around you.
For this tutorial, we will be using Kali and several new pieces of software. Let's begin with gr-gsm, a set of tools for receiving GSM transmissions that works with any software-defined radio (SDR) hardware capable of receiving a GSM signal.
Although gr-gsm is available in the Kali repository, I found that building it from source works better. To install gr-gsm, first install the dependencies (package names change between Kali releases; if apt reports one missing, for example python-docutils, substitute the python3- variant):
```bash
kali > sudo apt-get install -y cmake autoconf libtool pkg-config build-essential python-docutils libcppunit-dev swig doxygen liblog4cpp5-dev gnuradio-dev gr-osmosdr libosmocore-dev liborc-0.4-dev
```
Then clone gr-gsm from the osmocom git server. Clone as your normal user, not with sudo, so the source tree is owned by you and the build steps below do not need root:
```bash
kali > git clone https://git.osmocom.org/gr-gsm
```
Then follow the next few steps to build and install the application:
```bash
kali > cd gr-gsm
kali > mkdir build
kali > cd build
kali > cmake ..
kali > make -j 4
kali > sudo make install
kali > sudo ldconfig
```
Lastly, we need to add the install location to the PYTHONPATH environment variable so Python can find the gr-gsm modules. No sudo is needed here: the redirection writes to your own ~/.bashrc. The exact directory depends on your Python version, so check what make install created under /usr/local/lib/ and adjust the path if necessary, then open a new shell so the change takes effect:
```bash
kali > echo 'export PYTHONPATH=/usr/local/lib/python3/dist-packages/:$PYTHONPATH' >> ~/.bashrc
```
Now you are ready to install kalibrate-rtl from the Kali repository:
```bash
kali > sudo apt install kalibrate-rtl
```
Next, clone the IMSI-catcher repository from GitHub.
The next step is to find the base stations in your area and the frequency they are operating on. For this we use kalibrate (kal), which scans a GSM band for base station beacons and reports each one's channel number (ARFCN), its frequency, and how far off that frequency your dongle actually received it.
Let’s begin by examining the kalibrate help screen.
```bash
kali > kal -h
```
As you can see above, kal simply needs -s to scan, followed by the band to scan: GSM850, GSM-R, GSM900, EGSM, DCS or PCS. In addition, we can specify the receiver gain with the -g option. Since GSM850 is common in North and South America, I'll scan for it with a gain of 45 dB:
```bash
kali > sudo kal -s GSM850 -g 45
```
As you can see above, there were 2 base stations within range, at 889.0 MHz and 890.0 MHz. These fall within the receiving range of my RTL-SDR dongle (24 to 1766 MHz). Note the small kHz offset kal prints next to each frequency: it is mostly the error of the dongle's crystal, and you can measure it precisely with kal -c followed by the channel number.
Now we need to tune gr-gsm to the frequency of the nearby base station. After make install, grgsm_livemon is on your PATH, so you can run it from any directory:
```bash
kali > grgsm_livemon -f 889.0M -g 45
```
Here 889.0M is the frequency we want to "listen" on (make certain to substitute the frequency kalibrate found at your location) and -g 45 is the gain. This should open the gr-gsm GUI; if you need to, you can adjust the frequency with the slider.
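As an added example (mine, not code from this tutorial, kalibrate-rtl or gr-gsm), the Python script below parses kal's scan report, picks the strongest channel, cross-checks the reported frequency against the band's ARFCN-to-frequency formula from 3GPP TS 45.005, and builds the grgsm_livemon command line for it. The scan text embedded in it is constructed to match kal's report format rather than a real capture; pipe real output in with `sudo kal -s GSM850 -g 45 | python3 pick_channel.py` (the file name is my choice).

```python
"""Pick a GSM downlink channel from `kal -s <band>` output and build the
grgsm_livemon command for it.

Added example for this tutorial; not part of kalibrate-rtl or gr-gsm.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, not a real capture. The two strong channels correspond
# to the 889.0 and 890.0 MHz stations seen in the tutorial; the third is weak.
SAMPLE_KAL_OUTPUT = """\
kal: Scanning for GSM-850 base stations.
GSM-850:
\tchan: 128 (869.2MHz - 1.012kHz)\tpower: 2410.82
\tchan: 227 (889.0MHz + 3.456kHz)\tpower: 61234.10
\tchan: 232 (890.0MHz + 0.512kHz)\tpower: 40021.77
"""

# One line per detected beacon: "chan: N (F MHz +/- X kHz) power: P".
_CHAN_RE = re.compile(
    r"chan:\s*(?P<arfcn>\d+)\s*\((?P<mhz>[\d.]+)MHz\s*(?P<sign>[+-])\s*"
    r"(?P<khz>[\d.]+)kHz\)\s*power:\s*(?P<power>[\d.]+)"
)

# Downlink ARFCN ranges per band (TS 45.005): (first, last, base_hz, origin).
# f(n) = base_hz + 200 kHz * (n - origin). EGSM and GSM-R channels above 954
# sit below 935 MHz, which the formula expresses with origin 1024.
_BANDS = {
    "GSM850": [(128, 251, 869_200_000, 128)],
    "GSM900": [(0, 124, 935_000_000, 0)],
    "EGSM": [(0, 124, 935_000_000, 0), (975, 1023, 935_000_000, 1024)],
    "GSM-R": [(955, 1023, 935_000_000, 1024)],
    "DCS": [(512, 885, 1_805_200_000, 512)],
    "PCS": [(512, 810, 1_930_200_000, 512)],
}


def arfcn_to_downlink_hz(arfcn: int, band: str) -> int:
    """Nominal downlink centre frequency of an ARFCN in the given kal band."""
    try:
        ranges = _BANDS[band]
    except KeyError:
        raise ValueError(f"unknown band {band!r}; use one of {sorted(_BANDS)}")
    for first, last, base_hz, origin in ranges:
        if first <= arfcn <= last:
            return base_hz + 200_000 * (arfcn - origin)
    raise ValueError(f"ARFCN {arfcn} is not in band {band}")


@dataclass
class Channel:
    arfcn: int
    freq_hz: int  # frequency as kal measured it: nominal plus reported offset
    power: float

    def nominal_hz(self, band: str) -> int:
        return arfcn_to_downlink_hz(self.arfcn, band)

    def ppm_error(self, band: str) -> float:
        """Offset between measured and nominal frequency in parts per million,
        following kal's sign (positive: beacon appeared above nominal)."""
        nominal = self.nominal_hz(band)
        return (self.freq_hz - nominal) / nominal * 1e6


def parse_kal_output(text: str) -> List[Channel]:
    chans = []
    for m in _CHAN_RE.finditer(text):
        sign = 1 if m["sign"] == "+" else -1
        hz = round(float(m["mhz"]) * 1e6 + sign * float(m["khz"]) * 1e3)
        chans.append(Channel(int(m["arfcn"]), hz, float(m["power"])))
    return chans


def pick_strongest(text: str) -> Optional[Channel]:
    chans = parse_kal_output(text)
    return max(chans, key=lambda c: c.power) if chans else None


def livemon_cmd(chan: Channel, gain: int = 45, ppm: Optional[float] = None) -> List[str]:
    """argv for grgsm_livemon tuned to the measured centre frequency; -p passes
    a ppm correction if you have one."""
    cmd = ["grgsm_livemon", "-f", str(chan.freq_hz), "-g", str(gain)]
    if ppm is not None:
        cmd += ["-p", f"{ppm:.1f}"]
    return cmd


if __name__ == "__main__":
    import shlex
    import sys

    text = SAMPLE_KAL_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    best = pick_strongest(text)
    if best is None:
        sys.exit("no base stations in kal output")
    print(f"ARFCN {best.arfcn}: nominal {best.nominal_hz('GSM850')} Hz, "
          f"measured {best.freq_hz} Hz, {best.ppm_error('GSM850'):+.1f} ppm")
    print(shlex.join(livemon_cmd(best)))
```

The band table is only needed for the cross-check and the ppm figure; the command itself uses the frequency kal measured, which is why it still works if you mistype the band. A single scan gives a rough ppm; for the number you would actually pass to -p, calibrate on the strongest channel with kal -c.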
Finally, let’s start the IMSI catcher.
Navigate to the IMSI-catcher directory and then execute the catcher with the -s option (scan). The catcher does not touch the radio itself: it reads the decoded GSM frames that grgsm_livemon forwards as GSMTAP packets to UDP port 4729 on the loopback interface, so grgsm_livemon must still be running when you start it.
```bash
kali > cd IMSI-catcher
```
```bash
kali > sudo python simple_IMSI-catcher.py -s
```
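To make the MCC/MNC/MSIN structure from the opening paragraph concrete, here is an added Python example (mine, not code from the IMSI-catcher script or from gr-gsm) that decodes the Mobile Identity information element carried in an RR Paging Request Type 1, which is the kind of frame the catcher pulls identities out of once grgsm_livemon delivers it over GSMTAP. Encoding follows 3GPP TS 24.008 §10.5.1.4. The block assumes the GSMTAP header and the L2 pseudo-length octet have already been stripped; the frame bytes and the IMSI in them are constructed and do not belong to a real subscriber.

```python
"""Decode GSM Mobile Identity IEs (IMSI, TMSI, IMEI) as an IMSI catcher must.

Added example for this tutorial; not code from IMSI-catcher or gr-gsm.
Digit identities are BCD, low nibble first; the first octet carries the
first digit (high nibble), the odd/even flag (bit 4) and the type of
identity (bits 1-3). TMSIs are four raw octets after a 0xF filler nibble.
"""
from typing import List, Tuple

ID_TYPES = {1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}
NO_IDENTITY = 0

# Constructed RR Paging Request Type 1: PD 0x06, type 0x21, page mode /
# channels needed, Mobile Identity 1 as LV (an IMSI), Mobile Identity 2 as
# TLV with IEI 0x17 (a TMSI), then 0x2B padding. Not a real capture.
SAMPLE_PAGING_REQUEST = bytes.fromhex(
    "062100" "08" "3901621032547698" "1705f4deadbeef" "2b2b2b"
)


def encode_mobile_identity(digits: str, id_type: int = 1) -> bytes:
    """Pack a digit string into a Mobile Identity IE value (no length byte)."""
    if not digits.isdigit():
        raise ValueError("identity must be decimal digits")
    nibbles = [int(d) for d in digits]
    odd = len(nibbles) % 2
    first = (nibbles[0] << 4) | (odd << 3) | id_type
    rest = nibbles[1:] + ([] if odd else [0xF])  # even count ends in filler F
    body = bytes((rest[i + 1] << 4) | rest[i] for i in range(0, len(rest), 2))
    return bytes([first]) + body


def decode_mobile_identity(ie: bytes) -> Tuple[str, str]:
    """Return (identity type name, identity string) for an IE value."""
    if not ie:
        raise ValueError("empty Mobile Identity")
    id_type = ie[0] & 0x07
    odd = bool(ie[0] & 0x08)
    if id_type == NO_IDENTITY:
        return ("NONE", "")
    if id_type == 4:  # TMSI: high nibble of octet 1 is filler, then 4 octets
        if len(ie) != 5:
            raise ValueError("TMSI identity must be 5 octets")
        return ("TMSI", ie[1:].hex().upper())
    if id_type not in ID_TYPES:
        raise ValueError(f"unsupported type of identity {id_type}")
    nibbles = [ie[0] >> 4]
    for b in ie[1:]:
        nibbles += [b & 0x0F, b >> 4]
    if not odd:
        if nibbles[-1] != 0xF:
            raise ValueError("even-length identity missing 0xF filler")
        nibbles.pop()
    if any(n > 9 for n in nibbles):
        raise ValueError("non-BCD digit in identity")
    return (ID_TYPES[id_type], "".join(str(n) for n in nibbles))


def split_imsi(imsi: str, mnc_len: int = 2) -> Tuple[str, str, str]:
    """Split an IMSI into MCC, MNC and MSIN. The MCC is always 3 digits; the
    MNC is 2 or 3 (North American networks use 3). A real catcher looks the
    split up in an operator table; here the caller supplies it."""
    if len(imsi) not in (14, 15) or mnc_len not in (2, 3):
        raise ValueError("IMSI must be 14-15 digits with a 2- or 3-digit MNC")
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


def identities_from_paging_request_type1(l3: bytes) -> List[Tuple[str, str]]:
    """Extract Mobile Identity 1 (LV) and the optional Mobile Identity 2
    (TLV, IEI 0x17) from an RR Paging Request Type 1 L3 message."""
    if len(l3) < 4 or (l3[0] & 0x0F) != 0x06 or l3[1] != 0x21:
        raise ValueError("not an RR Paging Request Type 1")
    # l3[2] holds page mode and channels needed; no identity there.
    found = []
    pos = 3
    n = l3[pos]
    found.append(decode_mobile_identity(l3[pos + 1:pos + 1 + n]))
    pos += 1 + n
    if pos + 1 < len(l3) and l3[pos] == 0x17:
        n = l3[pos + 1]
        found.append(decode_mobile_identity(l3[pos + 2:pos + 2 + n]))
    return found


if __name__ == "__main__":
    for kind, value in identities_from_paging_request_type1(SAMPLE_PAGING_REQUEST):
        if kind == "IMSI":
            mcc, mnc, msin = split_imsi(value, mnc_len=3)
            print(f"IMSI {value}: MCC {mcc} MNC {mnc} MSIN {msin}")
        else:
            print(f"{kind} {value}")
```

Most paging on a live cell uses TMSIs, which are temporary and reveal nothing on their own; the IMSIs you see in the catcher's output come from the minority of frames (identity responses, some location updates and pagings) where the network or phone sends the permanent identity in the clear.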
On the other hand, another user in Europe, where GSM is the standard and many 2G and 3G phones are still in use, captured numerous IMSIs along with the operator and cell ID.