DECT Sniffing Dedected
This article was contributed by 5M7X.
- URL: http://www.back-track.de/index.php?page=team#smtx
- Twitter: http://twitter.com/#!/5M7X
- Email: 5M7X@mail.ru
BIG FAT HAIRY WARNING: IT IS ILLEGAL TO RECORD PHONE CONVERSATIONS IN MANY COUNTRIES.
For a list of state privacy laws in the US, check http://epic.org/privacy/consumer/states.html and http://fjallfoss.fcc.gov/edocs_public/attachmatch/DOC-266204A1.pdf.
- 1 What is DECT?
- 2 Installing dedected
- 3 Install some additional tools
- 4 Load the drivers
- 5 Scan for fixed parts a.k.a. fp (DECT base stations)
- 6 Ignore phones you don’t want to sniff (e.g. your neighbours!)
- 7 Record the phone call
- 8 Decode the call out of the datastream
- 9 Import the streams into audacity and listen to the calls
- 10 Clean up / Reload
- 11 DECT protocol
- 12 Video: Sniffing DECT phones with BackTrack 5
What is DECT?
Most vendors don't implement encryption in their devices, so the traffic can be sniffed with the right hardware and software.
For a previous post on the topic, check: http://www.offensive-security.com/backtrack/sniffing-dect-phones-the-details/
- BackTrack 5 final x86 KDE with kernel 2.6.38
- Original Dosch&Amand Type II PCMCIA Card
- SIEMENS C1 DECT Phones set up in repeater mode
NOTE: This is experimental software which is no longer very actively supported!
To get dedected installed on BackTrack, you have two choices:
- Use dedected from the BackTrack 5 repositories.
- Compile it yourself if you want to experiment.
Install from repository
root@bt:~# apt-get update
root@bt:~# apt-get install dedected
Install from source
This stage is optional for those wanting to build the tools from source code.
root@bt:~# prepare-kernel-sources
root@bt:~# cd /usr/src/linux
root@bt:~# cp -rf include/generated/* include/linux/
root@bt:~# cd /pentest/telephony
root@bt:~# svn co https://dedected.org/svn/trunk dedected_svn
root@bt:~# cd dedected_svn/com-on-air_cs-linux/
root@bt:~# make && make -C tools
Install some additional tools
root@bt:~# apt-get -y install audacity
Load the drivers
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make node
If you have not yet inserted your Dosch&Amand Type 2 or Type 3 or Voo:doo PCMCIA card, do so now! Next, load the driver:
root@bt:~# make load
Scan for fixed parts a.k.a. fp (DECT base stations)
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux/tools
root@bt:~# ./dect_cli
If you need information on the usage, type "help". If you live in the U.S., switch to the US/DECT 6 band via the "band" command. Let's enable some verbosity:
And start scanning for base stations:
After scanning through all channels 2-3 times, disable verbosity and stop scanning:
Ignore phones you don’t want to sniff (e.g. your neighbours!)
Start a callscan
Now grab your DECT handset, make a test phone call and wait until you see the call show up. It is also sufficient if you just get a dialling tone. You should see something like:
### found new call on 00 82 31 33 73 on channel 7 RSSI 34
Name your basestation if you want:
name 00 82 31 33 73 stallowned
Dump all found phones:
Ignore every phone except yours via the following command. IMPORTANT!!!
ignore 01 30 95 13 37
Record the phone call
Start automatically recording every phone call it detects:
Now grab your DECT handset and make a test call. I recommend calling a "time telling service" that can be reached over a normal phone number. You should get something like this:
### starting autorec
### stopping DIP
### starting callscan
### trying to sync on 00 82 ab b0 29
### got sync
### dumping to dump_2011-06-11_21_37_37_RFPI_00_82_ab_b0_29.pcap
### stopping DIP
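As an added example (not part of the original article and not dedected's own code), a small Python script that parses the "### found new call" and "### dumping to" lines dect_cli prints, as shown above, and emits the "ignore" commands for every base station that is not on your own allow-list, so the recording step only ever captures your own phone. The RFPIs and log lines in SAMPLE_OUTPUT are constructed sample data modelled on the article's output.

```python
import re

# Constructed sample of dect_cli output, modelled on the "### ..." lines shown
# in the article (the RFPI values are sample data, not real base stations).
SAMPLE_OUTPUT = """\
### found new call on 00 82 31 33 73 on channel 7 RSSI 34
### found new call on 01 30 95 13 37 on channel 3 RSSI 12
### found new call on 00 82 31 33 73 on channel 9 RSSI 30
### starting autorec
### trying to sync on 00 82 ab b0 29
### got sync
### dumping to dump_2011-06-11_21_37_37_RFPI_00_82_ab_b0_29.pcap
"""

HEX2 = r"[0-9a-fA-F]{2}"
RFPI_SPACED = HEX2 + r"(?: " + HEX2 + r"){4}"        # as printed on the console
RFPI_UNDERSCORED = HEX2 + r"(?:_" + HEX2 + r"){4}"   # as used in the dump file name
CALL_RE = re.compile(r"^### found new call on (" + RFPI_SPACED + r") on channel (\d+) RSSI (\d+)$")
DUMP_RE = re.compile(r"^### dumping to (dump_(\d{4}-\d{2}-\d{2})_(\d{2})_(\d{2})_(\d{2})_RFPI_("
                     + RFPI_UNDERSCORED + r")\.pcap)$")

def normalize_rfpi(rfpi):
    """Canonical form: lowercase, space-separated, the way dect_cli prints it."""
    return " ".join(rfpi.replace("_", " ").lower().split())

def parse_calls(output):
    """One dict per '### found new call' line: rfpi, channel, rssi."""
    calls = []
    for line in output.splitlines():
        m = CALL_RE.match(line.strip())
        if m:
            calls.append({"rfpi": normalize_rfpi(m.group(1)),
                          "channel": int(m.group(2)), "rssi": int(m.group(3))})
    return calls

def parse_dumps(output):
    """One dict per '### dumping to' line: file name, timestamp, rfpi."""
    dumps = []
    for line in output.splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            fname, day, hh, mm, ss, rfpi = m.groups()
            dumps.append({"file": fname, "timestamp": "%s %s:%s:%s" % (day, hh, mm, ss),
                          "rfpi": normalize_rfpi(rfpi)})
    return dumps

def ignore_commands(calls, own_rfpis):
    """dect_cli 'ignore' lines for every seen base station that is not yours,
    each RFPI once, in order of first sighting."""
    own = {normalize_rfpi(r) for r in own_rfpis}
    seen, cmds = set(), []
    for c in calls:
        if c["rfpi"] not in own and c["rfpi"] not in seen:
            seen.add(c["rfpi"])
            cmds.append("ignore " + c["rfpi"])
    return cmds

if __name__ == "__main__":
    for cmd in ignore_commands(parse_calls(SAMPLE_OUTPUT), ["00 82 31 33 73"]):
        print(cmd)
```

Run it against a saved copy of the dect_cli output and paste the printed lines back into dect_cli before starting autorec.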
Decode the call out of the datastream
Stop the autorec:
Decode the audio stream out of the raw dump:
Import the streams into audacity and listen to the calls
Start audacity via "alt + f2", then type "audacity" and press enter. Import the fixed-part and the portable-part .wav files from /pentest/telephony/dedected/com-on-air_cs-linux/tools via File -> Import -> Audio or simply "ctrl + shift + I". Import the files which end in .pcap_fp.ima.g721.wav and .pcap_pp.ima.g721.wav.
Hint: if you can only hear noise, your phone seems to use some encoding/encryption. You can enable repeater mode in your telephone so that it disables encryption, and then test whether your setup is working properly.
Clean up / Reload
If you need to reload the drivers:
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make reload
If you’re finished and want to clean up:
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make unload
root@bt:~# rm /dev/coa
Video: Sniffing DECT phones with BackTrack 5