Back-Track-Wiki:
backtrack-linux.org/wiki/index.php/DECT_Sniffing_Dedected
Contents
1 What is DECT?
1.1 The problem?
1.2 Tested on
2 Installing dedected
2.1 Install from repository
2.2 Install from source
3 Install some additional tools
4 Load the drivers
5 Scan for fixed parts a.k.a. fp (DECT base stations)
6 Ignore phones you don’t want to sniff (e.g. your neighbours!)
7 Record the phone call
8 Decode the call out of the datastream
9 Import the streams into audacity and listen to the calls
10 Clean up / Reload
11 DECT protocol
12 Video: Sniffing DECT phones with BackTrack 5
What is DECT?
http://en.wikipedia.org/wiki/Digital_Enhanced_Cordless_Telecommunications
The problem?
Most vendors do not implement encryption in their devices, so calls can be sniffed with certain hardware and software.
Tested on
BackTrack 5 final x86 KDE with kernel 2.6.38
Original Dosch&Amand Type II PCMCIA Card
SIEMENS C1 DECT Phones set up in repeater mode
NOTE: This is experimental software which is not very actively supported anymore!
Installing dedected
In order to get dedected installed on BackTrack, you have the choice between:
Use dedected from the BackTrack 5 repositories.
Compile it on your own if you want to experiment.
Install from repository
root@bt:~# apt-get update
root@bt:~# apt-get install dedected
Install from source
This stage is optional for those wanting to build the tools from source code.
root@bt:~# prepare-kernel-sources
root@bt:~# cd /usr/src/linux
root@bt:~# cp -rf include/generated/* include/linux/
root@bt:~# cd /pentest/telephony
root@bt:~# svn co https://dedected.org/svn/trunk dedected_svn
root@bt:~# cd dedected_svn/com-on-air_cs-linux/
root@bt:~# make && make -C tools
Install some additional tools
root@bt:~# apt-get -y install audacity
Load the drivers
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make node
If you have not yet inserted your Dosch&Amand Type 2, Type 3 or Voo:doo PCMCIA card, do so now. Next, load the driver:
root@bt:~# make load
Scan for fixed parts a.k.a. fp (DECT base stations)
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux/tools
root@bt:~# ./dect_cli
If you need information on the usage, type "help". If you live in the U.S., switch to the US/DECT 6 band via the "band" command. Let's enable some verbosity:
verb
And start scanning for base stations:
fpscan
After scanning 2-3 times through all channels, disable verbosity and stop scanning:
verb
stop
Ignore phones you don't want to sniff (e.g. your neighbours!)
Image: http://www.backtrack-linux.org/wiki/images/8/80/DECT-BT5-Image02.png
Start a callscan
callscan
Now grab your DECT handset, make a test phone call and wait until the call shows up. It is also sufficient if you just get a dialling tone. You should see something like:
### found new call on 00 82 31 33 73 on channel 7 RSSI 34
stop
Name your basestation if you want:
name 00 82 31 33 73 stallowned
Dump all found phones:
dump
IMPORTANT: ignore every phone except yours with the following command!
ignore 01 30 95 13 37
Record the phone call
Start automatic recording of every phone call it detects:
autorec
Now grab your DECT handset and make a test call. I recommend calling a "time telling service" that can be reached via a normal phone number. You should get something like this:
### starting autorec
### stopping DIP
### starting callscan
### trying to sync on 00 82 ab b0 29
### got sync
### dumping to dump_2011-06-11_21_37_37_RFPI_00_82_ab_b0_29.pcap
### stopping DIP
After you hang up, the dumping should stop:
Image: http://www.backtrack-linux.org/wiki/images/0/0c/DECT-BT5-Image04.png
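The page stresses that every RFPI except your own must be ignored before autorec runs. The following Python script is an added example, not part of the original wiki or of the dedected tools: it parses the callscan "found new call" and autorec "dumping to" lines in the format shown above (a constructed sample log is embedded) and emits the dect_cli "ignore" commands for every RFPI that is not in your own list. The regular expressions and the Sighting record are assumptions about the output format, derived only from the lines shown on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample of dect_cli output in the format shown on this page:
# callscan "found new call" lines and autorec "dumping to" lines.
SAMPLE_LOG = """\
### found new call on 00 82 31 33 73 on channel 7 RSSI 34
### found new call on 01 30 95 13 37 on channel 3 RSSI 12
### got sync
### dumping to dump_2011-06-11_21_37_37_RFPI_00_82_ab_b0_29.pcap
### stopping DIP
"""

# Assumed line formats, derived only from the lines shown on this page.
FOUND_RE = re.compile(
    r"### found new call on ((?:[0-9a-f]{2} ){4}[0-9a-f]{2}) on channel (\d+) RSSI (\d+)", re.I)
DUMP_RE = re.compile(r"### dumping to (dump_\S+_RFPI_([0-9a-f_]{14})\.pcap)", re.I)

@dataclass
class Sighting:
    rfpi: str                 # normalised "xx xx xx xx xx", lower case
    source: str               # "callscan" or "autorec"
    channel: Optional[int]
    rssi: Optional[int]
    dump_file: Optional[str]

def normalise_rfpi(raw: str) -> str:
    """Accept 'AA BB CC DD EE' or 'aa_bb_cc_dd_ee' and return 'aa bb cc dd ee'."""
    return " ".join(raw.lower().replace("_", " ").split())

def parse_log(text: str) -> List[Sighting]:
    """Extract one Sighting per callscan hit or autorec dump line; other lines are skipped."""
    sightings = []
    for line in text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            sightings.append(Sighting(normalise_rfpi(m.group(1)), "callscan",
                                      int(m.group(2)), int(m.group(3)), None))
            continue
        m = DUMP_RE.match(line)
        if m:
            sightings.append(Sighting(normalise_rfpi(m.group(2)), "autorec",
                                      None, None, m.group(1)))
    return sightings

def ignore_commands(sightings: List[Sighting], own_rfpis: List[str]) -> List[str]:
    """dect_cli 'ignore' lines for every RFPI seen that is not one of your own base stations."""
    own = {normalise_rfpi(r) for r in own_rfpis}
    return [f"ignore {r}" for r in sorted({s.rfpi for s in sightings} - own)]
```

Paste the saved dect_cli output into SAMPLE_LOG (or read it from a file) and pass the RFPIs of your own base stations to ignore_commands; the returned lines can be typed into dect_cli as they are.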
Decode the call out of the datastream
Stop the autorec:
stop
Decode the audio stream out of the raw dump:
root@bt:~# ./decode.sh
Image: http://www.backtrack-linux.org/wiki/images/5/57/DECT-BT5-Image01.png
Import the streams into audacity and listen to the calls
Start audacity via "alt + f2", then type "audacity" and press enter. Import the fixed-part and the portable-part .wav files from /pentest/telephony/dedected/com-on-air_cs-linux/tools via File -> Import -> Audio or simply "ctrl + shift + I". Import the files which end in .pcap_fp.ima.g721.wav and .pcap_pp.ima.g721.wav.
Play your phone call with the play button:
Image: http://www.backtrack-linux.org/wiki/images/6/64/DECT-BT5-Image00.png
Hint: if you can only hear noise, your phone seems to use some encoding/encryption. You can enable repeater mode on your phone, which disables encryption, so you can test whether your setup is working properly.
Clean up / Reload
If you need to reload the drivers:
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make reload
If you’re finished and want to clean up:
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make unload
root@bt:~# rm /dev/coa
DECT protocol
If you are interested in more details of the protocol you can open the .pcap file in Wireshark:
Image: http://www.backtrack-linux.org/wiki/images/e/e3/DECT-BT5-Image03.png
Video: Sniffing DECT phones with BackTrack 5: http://vimeo.com/25027253
A sniff log and a PDF with much more information can be found here:
offensive-security.com/backtrack/sniffing-dect-phones/
Thanks to 5m7x, dedected (https://dedected.org/trac) is soon to be added to the BackTrack repositories. In our internal tests, the standard AT&T cordless phone was found not to use encryption. The recording quality was phenomenal; you can find a copy of this recording here:
http://www.offensive-security.com/downloads/sniff-dect.mp3
offensive-security.com/backtrack/sniffing-dect-phones-the-details/
5M7X has completed his DECT write-up, and it rocks. As DECT phone manufacturers rarely give any indication about their phone encryption capabilities, the only reliable way to check the security of your phone is to test it yourself. The paper goes into detail about the underlying technology, hardware and software needed to test your own phone and assess its security.
---------------------------------------------------
Download Sniffing DECT Phones for phun and prophit:
http://www.offensive-security.com/downloads/sniffing-dect-phones-for-fun-and-profit.pdf
Check out the accompanying video. Dedected will be pushed into the BT repo in a couple of days.
Video: http://www.youtube.com/v/vAZLZ8dMIL0&hl=en_US&feature=player_embedded&version=3
# This article was contributed by 5M7X and Collected by K0242.