Hello, in the video where you see the sms_request function and the virtual machine ctf_mobile.7z with the clone function: I think it works only for the same base station between the target and the malicious UE. From this link http://blog.ptsecurity.com/2015/07/the-mitm-mobile-contest-gsm-network.html, could you tell which branch provides these functions? Thank you

Lte inspector

2018_modmobjam

breaking_lte_on_layer_two

us-17-Yuwei-Ghost-Telephonist-Link-Hijack-Exploitations-In-4G-LTE-CS-Fallback

lin_huan_-_ue_security

https://arxiv.org/pdf/1510.07563.pdf

Modmobmap
Patched version: https://github.com/bbaranoff/Modmobmap

Modmobmap is a tool aimed at retrieving information about cellular networks.
https://www.rump.beer/2018/slides/modmobmap.pdf
This tool is able to retrieve information about 2G, 3G, 4G and other cellular network types with a minimum requirement: only a phone with ServiceMode.

For the moment, the tool has only been tested and developed for the following devices:
– Samsung Galaxy S3 via [xgoldmon (Modmobmap’s edition)](https://github.com/FlUxIuS/xgoldmon);
– Samsung Galaxy S4;
– Samsung Galaxy S5;
– Samsung Galaxy Note 2 with LTE;

Moreover, as it is compatible with XGold modems via Modmobmap’s fork of *xgoldmon*, this tool should also work with the devices supported by *xgoldmon*:
– Samsung Galaxy S4 GT-I9500 (this is the version without LTE!)
– Samsung Galaxy Nexus GT-I9250 (has to be rooted!)
– Samsung Galaxy S2 GT-I9100
– Samsung Galaxy Note 2 GT-N7100

Note that all devices should be rooted. Otherwise, you will have to use the DFR technique by hand!

Also: patches, or engines, for other devices are very much welcome! 😉

Requirements
————-

Here are the requirements:
– Python 2 or 3;
– The latest Android SDK, to run ADB: https://developer.android.com/studio/#downloads;
– A compatible mobile phone;
– A SIM card, valid or not (only needed to provide an IMSI number).

How to use
———-

The tool is provided with a quick help that shows you the required arguments as follows:

```
python modmobmap.py -h
usage: modmobmap.py [-h] [-m MODULE] [-n NETWORKS] [-o] [-s ANDROIDSDK]
                    [-a ATMODE] [-f FILE]

Mobile network mapping tool with cheap equipments

optional arguments:
  -h, --help            show this help message and exit
  -m MODULE, --module MODULE
                        Module to use (e.g: "servicemode" by default)
  -n NETWORKS, --networks NETWORKS
                        Networks in MCCMNC format splitted with commas
  -o, --cached_operator
                        Use operator in cache to speed up the passive scan
  -s ANDROIDSDK, --sdk ANDROIDSDK
                        Android SDK path
  -a ATMODE, --at ATMODE
                        AT access mode. If host put something like
                        "/dev/ttyUSBxx. By default it uses ADB."
  -f FILE, --file FILE  File to parse. For the moment it could be used in
                        combination with AT mode host.
```

Assuming the Android SDK is installed in */opt/Android*, the tool can be quickly started as follows:

```
$ sudo python modmobmap.py
=> Requesting a list of MCC/MNC. Please wait, it may take a while...
Found 2 operator(s)
{u'20810': u'F SFR', u'20820': u'F-Bouygues Telecom'}
[+] Unregistered from current PLMN
[+] New cell detected [CellID/PCI-DL_freq (4XXX-81)]
Network type=2G
PLMN=208-10
ARFCN=81
[+] New cell detected [CellID/PCI-DL_freq (6XXXXXX-2950)]
Network type=3G
PLMN=208-20
Band=8
Downlink UARFCN=2950
Uplink UARFCN=2725
[+] New cell detected [CellID/PCI-DL_freq (3XX-6300)]
Network type=4G
PLMN=208-10
Band=20
Downlink EARFCN=6300
[+] New cell detected [CellID/PCI-DL_freq (3XX-2825)]
Network type=4G
PLMN=208-10
Band=7
Downlink EARFCN=2825
[+] New cell detected [CellID/PCI-DL_freq (3XX-1675)]
Network type=4G
PLMN=208-10
Band=3
Downlink EARFCN=1675
[...]
```
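As an added example (not Modmobmap's own code), the following Python turns a passive-scan transcript like the one above into one record per cell, keyed the same way Modmobmap keys its cells (CellID/PCI-DL_freq), skipping the status lines and merging a cell the modem reports twice. The transcript embedded in it is constructed from the values shown on this page, with the masked identifiers replaced by made-up ones.

```python
import re

# Constructed transcript in Modmobmap's passive-scan output format. The cell
# identifiers are made up (the page masks them); the channel numbers are the
# ones shown on this page. The last cell is deliberately repeated.
SAMPLE_SCAN = """\
=> Requesting a list of MCC/MNC. Please wait, it may take a while...
Found 2 operator(s)
{u'20810': u'F SFR', u'20820': u'F-Bouygues Telecom'}
[+] Unregistered from current PLMN
[+] New cell detected [CellID/PCI-DL_freq (4321-81)]
Network type=2G
PLMN=208-10
ARFCN=81
[+] New cell detected [CellID/PCI-DL_freq (6123456-2950)]
Network type=3G
PLMN=208-20
Band=8
Downlink UARFCN=2950
Uplink UARFCN=2725
[+] Unregistered from current PLMN
=> Changing MCC/MNC for: 20810
[+] New cell detected [CellID/PCI-DL_freq (321-6300)]
Network type=4G
PLMN=208-10
Band=20
Downlink EARFCN=6300
[+] New cell detected [CellID/PCI-DL_freq (321-6300)]
Network type=4G
PLMN=208-10
Band=20
Downlink EARFCN=6300
"""

CELL_RE = re.compile(r"^\[\+\] New cell detected \[CellID/PCI-DL_freq \((?P<key>[^)]+)\)\]$")
INT_FIELDS = {"Band", "ARFCN", "Downlink UARFCN", "Uplink UARFCN", "Downlink EARFCN"}


def parse_scan(text):
    """Return {cell_key: {field: value}} for every '[+] New cell detected' block.

    Status lines ('=> ...', '[+] Unregistered ...', the operator dict) are
    skipped. A cell reported twice (the modem re-camps on it) is merged into
    the existing record instead of producing a duplicate.
    """
    cells = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CELL_RE.match(line)
        if m:
            current = cells.setdefault(m.group("key"), {})
            continue
        if current is None or line.startswith(("=>", "[+]", "{")) or "=" not in line:
            continue
        field, _, value = line.partition("=")
        field, value = field.strip(), value.strip()
        current[field] = int(value) if field in INT_FIELDS and value.isdigit() else value
    return cells


def cells_by_plmn(cells):
    """Group cell keys by PLMN, then by network type: {'208-10': {'2G': [...], '4G': [...]}}."""
    out = {}
    for key, rec in cells.items():
        plmn = rec.get("PLMN", "?")
        net = rec.get("Network type", "?")
        out.setdefault(plmn, {}).setdefault(net, []).append(key)
    return out


if __name__ == "__main__":
    parsed = parse_scan(SAMPLE_SCAN)
    for key, rec in parsed.items():
        print(key, rec)
    print(cells_by_plmn(parsed))
```

Feed it the saved console output of a run (`sudo python modmobmap.py | tee scan.log`) and you get the same per-cell records Modmobmap writes to its JSON at exit, plus a per-PLMN view of which technologies each operator is serving at that spot.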

Note: If the Android SDK is installed anywhere else, you can use the *-s* parameter to specify its directory.

Speed-up the passive scan
—————————

When looking for operators, an AT command is sent to the modem. If you want to speed up the scan, you can hard-code the operators in the file `cache/operators.json`:

```
{
"20801": "Orange",
"20810": "F SFR",
"20815": "Free",
"20820": "F-Bouygues Telecom"
}
```

Only the MCC/MNC codes are important. Then you can re-launch the tool as follows:

```
$ sudo python modmobmap.py -o
=> Requesting a list of MCC/MNC. Please wait, it may take a while...
Found 4 operators in cache, you choose to reuse them.
Found 4 operator(s)
{u'20810': u'F SFR', u'20820': u'F-Bouygues Telecom', u'20815': u'Free', u'20801': u'Orange'}
[+] Unregistered from current PLMN
[+] New cell detected [CellID/PCI-DL_freq (XXXX-10614)]
Network type=3G
PLMN=208-10
Band=1
Downlink UARFCN=10614
Uplink UARFCN=9664
[...]
[+] New cell detected [CellID/PCI-DL_freq (XXX-3501)]
Network type=4G
PLMN=208-20
Band=8
Downlink EARFCN=3501
[...]
[+] Unregistered from current PLMN
=> Changing MCC/MNC for: 20815
[+] New cell detected [CellID/PCI-DL_freq (XXX-2825)]
Network type=4G
PLMN=208-15
Band=7
Downlink EARFCN=2825
[...]
=> Changing MCC/MNC for: 20801
[+] New cell detected [CellID/PCI-DL_freq (XXXXX-3011)]
Network type=3G
PLMN=208-1
Band=8
Downlink UARFCN=3011
Uplink UARFCN=2786
[...]
```

Note that we have been able to detect other cells that the AT command *AT+COPS* did not return.

A complete list of MCC and MNC codes can be found on the internet, for example on Wikipedia: https://en.wikipedia.org/wiki/Mobile_country_code

Focusing on some operators
————————

It is possible to tell *Modmobmap* to focus only on specific operators with the *-n* argument (MCC/MNC codes, comma-separated):

```
$ sudo python modmobmap.py -n 20801
=> Manual MCC/MNC processing...
Found 1 operator(s)
{'20801': '20801'}
[...]
=> Changing MCC/MNC for: 20801
[+] New cell detected [CellID/PCI-DL_freq (XXX-1675)]
Network type=4G
PLMN=208-01
Band=3
Downlink EARFCN=1675
[+] New cell detected [CellID/PCI-DL_freq (XXXXX-3011)]
Network type=3G
PLMN=208-1
Band=8
Downlink UARFCN=3011
Uplink UARFCN=2786
=> Changing network type for 3G only
[+] New cell detected [CellID/PCI-DL_freq (XXXXX-2950)]
Network type=3G
PLMN=208-1
Band=8
Downlink UARFCN=2950
Uplink UARFCN=2725
```

Using Modmobmap with xgoldmon
——————————

With XGold modems, xgoldmon is required. For now, only the fork made for *Modmobmap* retrieves the exact cell information via the DIAG interface; it can be downloaded at: https://github.com/FlUxIuS/xgoldmon

Then, after compiling, *xgoldmon* can be started with the *-m* parameter like this:

```
sudo ./xgoldmon -t s3 -m /dev/ttyACM1
```

This will create a FIFO file that Modmobmap will read later:

```
$ ls
celllog.fifo Makefile screenshot-mtsms-while-in-a-call.png xgoldmon
```

Then we can start *Modmobmap* as follows, specifying the AT serial interface (*/dev/ttyACM0*, via *-a*) and the FIFO file created by *xgoldmon* (*celllog.fifo*, via *-f*):

```
$ sudo python modmobmap.py -o -a /dev/ttyACM0 -f celllog.fifo
=> Requesting a list of MCC/MNC. Please wait, it may take a while...
Found 4 operators in cache, you choose to reuse them.
Found 4 operator(s)
{'20801': 'Orange', '20810': 'F SFR', '20815': 'Free', '20820': 'F-Bouygues Telecom'}
[+] New cell detected [CellID/PCI-DL_freq (0x7XXXX-65535)]
Network type=3G
PLMN=208-1
Downlink UARFCN=65535
Uplink UARFCN=2850
[+] Unregistered from current PLMN
[+] New cell detected [CellID/PCI-DL_freq (0x7XXXX-3011)]
Network type=3G
PLMN=208-1
Downlink UARFCN=3011
Uplink UARFCN=2786
[...]
[+] Unregistered from current PLMN
=> Changing MCC/MNC for: 20810
[+] New cell detected [CellID/PCI-DL_freq (0x3XXXXX-3075)]
Network type=3G
PLMN=208-10
Downlink UARFCN=3075
Uplink UARFCN=2850
[...]
```

Note that the first cell above carries a downlink UARFCN of 65535, which is not a valid channel number: treat such values reported through xgoldmon as "unknown" rather than as a real carrier (the uplink UARFCN 2850 next to it is valid).

Note that retrieving results from the AT+COPS command can take a lot of time and sometimes requires restarting the tool. If the tool is stuck at the operator-retrieval step, use the cached (*-o*) or targeted (*-n*) operators features instead.

Saving results
—————

The process can be stopped at any time by killing it with a keyboard interrupt (Ctrl-C). The results are then automatically saved in a JSON file as follows:

```
[...]
^C[+] Cells save as cells_1528738901.json
```

Modmobjam

A smart jamming proof of concept for mobile equipment that can be driven by Modmobmap.

For more information, this little tool was presented during the SSTIC rump session 2018:

Warning

Be warned that jamming is illegal and that you are responsible for any damage caused when using it on your own.

Prerequisites

  • a radio device that is able to transmit (HackRF, USRP, bladeRF, and so on)
  • GNU Radio installed
  • Modmobmap, to perform automatic smart jamming: https://github.com/Synacktiv/Modmobmap

Usage

Manual jamming

If you have a HackRF or any device supported by the osmocom drivers, you can directly run the flowgraph code provided in GRC/jammer_gen.py as follows:

$ python GRC/jammer_gen.py

For those who want to use another device, such as a USRP, edit the GNU Radio flowgraph GRC/jammer_gen.grc:

$ gnuradio-companion GRC/jammer_gen.grc

Then you can set the centre frequency in the WX GUI to target a given frequency. The tool also has a feature to do this automatically.

Automatic smartjamming

To automate jamming, first get a list of cells with Modmobmap, which saves a JSON file after monitoring the surrounding cells at a given location. This JSON file looks as follows:

$ cat cells_<generated timestamp>.json
{
    "****-***50": {
        "PCI": "****",
        "PLMN": "208-01",
        "TAC": "50****",
        "band": 3,
        "bandwidth": "20MHz",
        "eARFCN": 1850,
        "type": "4G"
    },
    "7-***": {
        "PLMN": "208-20",
        "arfcn": 1018,
        "cid": "***",
        "type": "2G"
    },
    "****:-****12": {
        "PLMN": "208-1",
        "RX": 10712,
        "TX": 9762,
        "band": 1,
        "type": "3G"
    },
    [...]
}
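What a consumer of this file actually needs, and what the file does not store, are the carrier frequencies behind the channel numbers (the RPC client has to derive them before tuning the SDR). As an added example that is not part of Modmobjam or Modmobmap, the Python below converts the eARFCN/UARFCN/ARFCN values to centre frequencies with the 3GPP numbering rules (TS 36.101 for LTE, TS 25.101 for UMTS, TS 45.005 for GSM), tabulating only the bands that appear on this page and treating everything else as unknown. The JSON embedded in it is constructed in the layout above with made-up identifiers; it also includes the invalid downlink UARFCN 65535 that xgoldmon reported earlier on this page, which is rejected while its valid uplink twin still resolves. Assumption: ARFCNs 512–885 are read as DCS 1800 rather than PCS 1900, since the PLMNs on this page are French.

```python
import json

# Constructed sample in the layout of a Modmobmap cells_<timestamp>.json file.
# Identifiers (keys, PCI, TAC, CID) are made up; the channel numbers are those
# shown on this page, plus the bogus 'Downlink UARFCN=65535' xgoldmon reported.
SAMPLE_CELLS_JSON = """{
    "1234-567050":   {"PCI": "123", "PLMN": "208-01", "TAC": "501234", "band": 3,
                      "bandwidth": "20MHz", "eARFCN": 1850, "type": "4G"},
    "7-321":         {"PLMN": "208-20", "arfcn": 1018, "cid": "321", "type": "2G"},
    "7-81":          {"PLMN": "208-10", "arfcn": 81, "cid": "81", "type": "2G"},
    "4321:-987612":  {"PLMN": "208-1", "RX": 10712, "TX": 9762, "band": 1, "type": "3G"},
    "4322:-987650":  {"PLMN": "208-20", "RX": 2950, "TX": 2725, "band": 8, "type": "3G"},
    "0x7abcd-65535": {"PLMN": "208-1", "RX": 65535, "TX": 2850, "type": "3G"},
    "333-6300":      {"PCI": "333", "PLMN": "208-10", "TAC": "1", "band": 20,
                      "eARFCN": 6300, "type": "4G"}
}"""

# LTE FDD downlink (TS 36.101 Table 5.7.3-1): band -> (F_DL_low kHz, N_Offs-DL, highest DL EARFCN)
LTE_DL = {1: (2110000, 0, 599), 3: (1805000, 1200, 1949), 7: (2620000, 2750, 3449),
          8: (925000, 3450, 3799), 20: (791000, 6150, 6449)}
# UMTS FDD general UARFCNs (TS 25.101 Table 5.1): band -> (F_offset kHz, DL range, UL range)
UMTS = {1: (0, (10562, 10838), (9612, 9888)), 8: (340000, (2937, 3088), (2712, 2863))}
# GSM (TS 45.005 section 2): (ARFCN range, F_UL kHz of the first ARFCN in the range, duplex kHz)
# P-GSM 900, E-GSM 900 (ARFCN 975 is 880.2 MHz uplink), and DCS 1800 (assumed, not PCS 1900).
GSM = [((0, 124), 890000, 45000), ((975, 1023), 890000 - 200 * 49, 45000),
       ((512, 885), 1710200, 95000)]


def earfcn_to_mhz(band, earfcn):
    """Downlink centre frequency of an LTE EARFCN, or None if the band/channel is not tabulated."""
    if band not in LTE_DL:
        return None
    f_low, n_offs, n_high = LTE_DL[band]
    if not n_offs <= earfcn <= n_high:
        return None
    return (f_low + 100 * (earfcn - n_offs)) / 1000  # F_DL = F_DL_low + 0.1 * (N_DL - N_Offs-DL)


def uarfcn_to_mhz(uarfcn, band=None, uplink=False):
    """Centre frequency of a UMTS UARFCN. With band=None the band is inferred from the
    channel range, which is how a bogus value such as 65535 ends up as None."""
    bands = [band] if band is not None else list(UMTS)
    for b in bands:
        if b not in UMTS:
            continue
        offset, dl_rng, ul_rng = UMTS[b]
        lo, hi = ul_rng if uplink else dl_rng
        if lo <= uarfcn <= hi:
            return (offset + 200 * uarfcn) / 1000  # F = F_offset + 0.2 * N
    return None


def arfcn_to_mhz(arfcn):
    """(downlink, uplink) centre frequencies of a GSM ARFCN, or (None, None) if out of range."""
    for (lo, hi), f_ul_base, duplex in GSM:
        if lo <= arfcn <= hi:
            f_ul = f_ul_base + 200 * (arfcn - lo)
            return (f_ul + duplex) / 1000, f_ul / 1000
    return None, None


def cell_frequencies(cells):
    """Map each cell key of a Modmobmap JSON dict to its PLMN and DL/UL frequencies in MHz."""
    out = {}
    for key, c in cells.items():
        dl = ul = None
        if c["type"] == "4G":
            dl = earfcn_to_mhz(c.get("band"), c["eARFCN"])
        elif c["type"] == "3G":
            dl = uarfcn_to_mhz(c["RX"], c.get("band"))
            ul = uarfcn_to_mhz(c["TX"], c.get("band"), uplink=True)
        elif c["type"] == "2G":
            dl, ul = arfcn_to_mhz(c["arfcn"])
        out[key] = {"type": c["type"], "plmn": c["PLMN"], "dl_mhz": dl, "ul_mhz": ul}
    return out


def frequencies_from_json_text(text):
    """Convenience wrapper: parse the JSON text of a cells_<timestamp>.json file."""
    return cell_frequencies(json.loads(text))


if __name__ == "__main__":
    for key, f in frequencies_from_json_text(SAMPLE_CELLS_JSON).items():
        print(f"{key:15s} {f['type']} PLMN {f['plmn']:7s} DL {f['dl_mhz']} MHz  UL {f['ul_mhz']} MHz")
```

The integer kHz arithmetic keeps the results exact (806.0 MHz for EARFCN 6300 in band 20, 930.1 MHz for EARFCN 3501 in band 8), and the same table is what an SDR-based cell monitor needs to know where to listen for each entry the scan produced.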

After generating this file containing the cells to jam, you can launch the RPC client that communicates with GRC/jammer_gen.py as follows:

$ python smartjam_rpcclient.py -f cells_<generated timestamp>.json

Then raise the transmit gain, and you should observe a lot of Gaussian noise flooding the targeted cells.

Jamming session

Please note that the delay between each targeted cell can be set with the provided ‘-d’ argument (see the argument help).