基于OpenBTS+USRP B210搭建GSM漏洞验证环境<\/h1>

1. 环境概述<\/h2>
本教学文档详细介绍了如何使用OpenBTS和USRP B210搭建GSM漏洞验证环境。该环境可用于蜂窝协议实现的安全研究，包括GSM协议漏洞验证、短信测试、通话测试以及GSM报文捕获与分析。<\/p>

1.1 硬件选择<\/h3>

USRP B210<\/strong>: 支持频率范围70MHz-6GHz，带宽56MHz，价格适中<\/li>

其他可选硬件: HackRF、BladeRF、LimeSDR、PlutoSDR等<\/li> <\/ul>
1.2 软件选择<\/h3>

OpenBTS<\/strong>: 开源GSM基站实现<\/li>
UHD<\/strong>: USRP硬件驱动<\/li>
Asterisk<\/strong>: VoIP电话系统<\/li> <\/ul>
2. 系统准备<\/h2>
2.1 操作系统<\/h3>

Ubuntu 16.04 LTS<\/strong>: 推荐使用纯净系统<\/li>
注意: 使用国内源可能导致依赖包找不到问题<\/li> <\/ul>
3. 安装步骤<\/h2>
3.1 安装UHD驱动<\/h3>

从GitHub克隆UHD项目:<\/p>
git clone https:\/\/github.com\/EttusResearch\/uhd.git <\/span><\/span><\/code><\/pre><\/li> 切换到3.14.0.0分支:<\/p> git checkout UHD-3.14.0.0 <\/span><\/span><\/code><\/pre><\/li> 编译安装:<\/p> cd uhd\/host <\/span><\/span>mkdir build <\/span><\/span>cd build <\/span><\/span>cmake ..\/ <\/span><\/span>make <\/span><\/span>make install <\/span><\/span><\/code><\/pre><\/li> 设置环境变量:<\/p> export LD_LIBRARY_PATH=<\/span>\/usr\/local\/lib <\/span><\/span><\/code><\/pre><\/li> 测试安装:<\/p> uhd_usrp_probe <\/span><\/span><\/code><\/pre><\/li> <\/ol> 3.2 安装OpenBTS<\/h3> 安装依赖:<\/p> sudo apt-get install autoconf libtool libortp-dev libusb-1.0-0-dev libsqlite3-dev libreadline-dev libssl-dev libzmq3-dev libdbd-sqlite3 libosip2-dev libtool pkg-config libortp-dev libusb-1.0-0-dev libsqlite3-dev libreadline-dev libssl-dev libzmq3-dev libdbd-sqlite3 libosip2-dev <\/span><\/span><\/code><\/pre><\/li> 编译安装:<\/p> .\/autogen.sh <\/span><\/span>.\/configure <\/span><\/span>make <\/span><\/span>sudo make install <\/span><\/span><\/code><\/pre><\/li> 编译问题解决:<\/p> 删除代码中的(BctbxLogFunc)<\/code><\/li> 删除强制类型转换中的(void *)<\/code><\/li> <\/ul> <\/li> <\/ol> 3.3 配置流量转发<\/h3> 编辑\/etc\/OpenBTS\/iptables.rules<\/code>:<\/p> *nat <\/span><\/span>:PREROUTING ACCEPT [<\/span>0:0]<\/span> <\/span><\/span>:POSTROUTING ACCEPT [<\/span>0:0]<\/span> <\/span><\/span>:OUTPUT ACCEPT [<\/span>0:0]<\/span> <\/span><\/span>-A POSTROUTING -o eth0 -j MASQUERADE <\/span><\/span>COMMIT <\/span><\/span><\/code><\/pre>根据实际情况修改网卡名称。<\/p> 4. 启动和配置OpenBTS<\/h2> 4.1 启动组件<\/h3> 配置数据库:<\/p> sudo sqlite3 \/var\/lib\/asterisk\/sqlite3dir\/sqlite3.db ".read .\/apps\/OpenBTS\/OpenBTS.example.sql"<\/span> <\/span><\/span><\/code><\/pre><\/li> 启动transceiver连接SDR硬件:<\/p> sudo transceiver & <\/span><\/span><\/code><\/pre><\/li> 启动基站:<\/p> sudo OpenBTS & <\/span><\/span><\/code><\/pre><\/li> 启用短信服务:<\/p> sudo smqueue & <\/span><\/span><\/code><\/pre><\/li> 启动鉴权服务:<\/p> sudo OpenBTSCLI <\/span><\/span><\/code><\/pre><\/li> <\/ol> 4.2 基站配置<\/h3> 开启任意终端准入:<\/p> config Control.LUR.OpenRegistration * <\/span><\/span><\/code><\/pre><\/li> 设置天线功率:<\/p> config GSM.Radio.PowerManager.MaxAttenDB 10<\/span> <\/span><\/span><\/code><\/pre><\/li> 检查噪声强度:<\/p> noise <\/span><\/span><\/code><\/pre> RSSI信号强度为-71dB表示背景噪声<\/li> 配置的RSSI信号强度为-50dB<\/li> 差值小于10dB表示上行链路质量有限<\/li> 差值小于0dB表示无法建立上行链路<\/li> <\/ul> <\/li> 设置频段:<\/p> config GSM.Radio.Band 900<\/span> <\/span><\/span><\/code><\/pre><\/li> 设置欢迎短信:<\/p> config OpenBTS.WelcomeSM "Welcome to OpenBTS"<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 5. 终端管理<\/h2> 5.1 查看注册设备<\/h3> OpenBTSCLI> tmsis <\/span><\/span><\/code><\/pre>5.2 短信测试<\/h3> 发送短信到411(回显测试):<\/p> 手机发送任意内容到411<\/li> 几秒后会收到相同内容的回复<\/li> <\/ul> <\/li> 命令行发送短信:<\/p> sendsms XXXXXXX AAAAAA "Test message"<\/span> <\/span><\/span><\/code><\/pre> XXXXXXX: 设备的IMSI号码<\/li> AAAAAA: 虚拟的手机号(显示为发送方)<\/li> 注意: 不支持中文内容<\/li> <\/ul> <\/li> 设备间互发短信:<\/p> 两台在该网络中注册的手机可通过手机号互相发送消息<\/li> <\/ul> <\/li> <\/ol> 6. 电话测试<\/h2> 6.1 Asterisk配置<\/h3> 编辑\/etc\/asterisk\/sip.conf<\/code>:<\/p> [general]<\/span> <\/span><\/span>context<\/span>=<\/span>default<\/span> <\/span><\/span>allowguest<\/span>=<\/span>yes<\/span> <\/span><\/span>srvlookup<\/span>=<\/span>yes<\/span> <\/span><\/span>udpbindaddr<\/span>=<\/span>0.0.0.0<\/span> <\/span><\/span>transport<\/span>=<\/span>udp<\/span> <\/span><\/span> <\/span><\/span>[600]<\/span> <\/span><\/span>type<\/span>=<\/span>friend<\/span> <\/span><\/span>host<\/span>=<\/span>dynamic<\/span> <\/span><\/span>secret<\/span>=<\/span>600<\/span> <\/span><\/span>context<\/span>=<\/span>phones<\/span> <\/span><\/span><\/code><\/pre><\/li> 编辑\/etc\/asterisk\/extensions.conf<\/code>:<\/p> [phones]<\/span> <\/span><\/span>exten<\/span> =<\/span>> 600,1,Answer()<\/span> <\/span><\/span>exten<\/span> =<\/span>> 600,n,Echo()<\/span> <\/span><\/span>exten<\/span> =<\/span>> 600,n,Hangup()<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 6.2 测试通话<\/h3> 拨打600:<\/p> 经过一段语音后，会回传发送的语音信息<\/li> <\/ul> <\/li> 手机间通话:<\/p> 配置完成后，注册的手机可以互相拨打电话<\/li> <\/ul> <\/li> <\/ol> 7. GSM抓包和重放<\/h2> 7.1 捕获GSM报文<\/h3> 开启GSM流量转发:<\/p> sudo iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT <\/span><\/span>sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT <\/span><\/span><\/code><\/pre><\/li> 使用Wireshark捕获:<\/p> 可捕获RR协议和SMS协议的报文<\/li> MM、CC等L3层的报文可能无法直接捕获(因payload在SIP协议中传输)<\/li> <\/ul> <\/li> <\/ol> 7.2 报文篡改<\/h3> 根据OpenBTS架构:<\/p> 手机1->BTS使用GSM消息通信<\/li> BTS将SETUP请求解析并包装成SIP报文<\/li> 根据Asterisk配置找到手机2<\/li> 基于解析的SIP报文，包装成GSM报文发送给手机2<\/li> <\/ol> 可行方案<\/strong>: 直接修改BTS代码，发送包含特定payload的报文<\/p> 8. 日志监控<\/h2> 8.1 设备日志<\/h3> 三星设备:<\/p> 拨打*#9900#<\/code>进入sysdump日志系统<\/li> 可dump设备日志<\/li> <\/ul> <\/li> 使用adb logcat:<\/p> adb logcat <\/span><\/span><\/code><\/pre><\/li> <\/ol> 8.2 真机调试<\/h3> 参考Synacktiv文章:<\/p> 通过TEE漏洞重写modem固件<\/li> 将调试器写入不用的代码段实现调试功能<\/li> <\/ul> 9. 注意事项<\/h2> 本环境仅限实验室环境使用<\/li> 仅用于蜂窝协议实现的安全研究<\/li> 切勿用于非法目的<\/li> 天线功率和距离会影响手机接入<\/li> 噪声干扰会影响通信质量<\/li> <\/ol> 10. 参考资源<\/h2> OpenBTS使用指南<\/a><\/li> OpenBTS Application Suite手册<\/a><\/li> OpenBTS Project手册<\/a><\/li> <\/ol>

基于OpenBTS+USRP B210搭建GSM漏洞验证环境<\/h1>

1. 环境概述<\/h2> 本教学文档详细介绍了如何使用OpenBTS和USRP B210搭建GSM漏洞验证环境。该环境可用于蜂窝协议实现的安全研究，包括GSM协议漏洞验证、短信测试、通话测试以及GSM报文捕获与分析。<\/p>

2. 系统准备<\/h2>

3. 安装步骤<\/h2>

4. 启动和配置OpenBTS<\/h2>

5. 终端管理<\/h2>

6. 电话测试<\/h2>

7. GSM抓包和重放<\/h2>

10. 参考资源<\/h2> OpenBTS使用指南<\/a><\/li> OpenBTS Application Suite手册<\/a><\/li> OpenBTS Project手册<\/a><\/li> <\/ol>

1. 环境概述<\/h2>
本教学文档详细介绍了如何使用OpenBTS和USRP B210搭建GSM漏洞验证环境。该环境可用于蜂窝协议实现的安全研究，包括GSM协议漏洞验证、短信测试、通话测试以及GSM报文捕获与分析。<\/p>

10. 参考资源<\/h2>

OpenBTS使用指南<\/a><\/li>
OpenBTS Application Suite手册<\/a><\/li>
OpenBTS Project手册<\/a><\/li> <\/ol>