telephony dect sniffing with dedected
It is a document that presents a DECT wireless telephony hack to detect phone chats.
http://www.instructables.com/id/Telephony-DECT-Sniffing-with-Dedected/
Telephony, DECT Sniffing with Dedected
by zebuilin on December 3, 2011
Table of Contents
Intro: Telephony, DECT Sniffing with Dedected
Step 1: 1: What is DECT?
Step 2: 1.1: Insecurity...
Step 3: 2: Installing Dedected
Step 4: Scan for fixed parts or fp (DECT base stations)
Step 5: Ignore other phones
Step 6: Record the call
Step 7: Decode the callstream
Step 8: Import the streams into Audacity to listen to the calls
Step 9: CLEAN UP!
Step 10: Dect Protocol
Intro: Telephony, DECT Sniffing with Dedected
DISCLAIMER: Recording phone conversations is illegal in the US and most countries.
Step 1: 1: What is DECT?
http://en.wikipedia.org/wiki/Digital_Enhanced_Cordless_Telecommunications
Step 2: 1.1: Insecurity...
Most telecommunication companies don't implement or offer encryption for their devices, so they can be easily sniffed.
The following has been tested under these circumstances:
- Backtrack 5 final x86 KDE with Kernel 2.6.38
- Original Dosch & Amand Type II PCMCIA Card
- SIEMENS C1 DECT phones set up in repeater mode
Step 3: 2: Installing Dedected
When installing Dedected on Backtrack 5 you have the following options:
- Use Dedected from the Backtrack repositories
- Compile it on your own if you want to experiment
Install from source
root@bt:~# prepare-kernel-sources
root@bt:~# cd /usr/src/linux
root@bt:~# cp -rf include/generated/* include/linux/
root@bt:~# cd /pentest/telephony
root@bt:~# svn co https://dedected.org/svn/trunk dedected_svn
root@bt:~# cd dedected_svn/com-on-air_cs-linux/
root@bt:~# make && make -C tools
Install from repository
root@bt:~# apt-get update
root@bt:~# apt-get install dedected
It is recommended that you have the tool Audacity if you are serious about recording phone conversations.
Load the Drivers
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make node
root@bt:~# make load
Step 4: Scan for fixed parts or fp (DECT base stations)
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux/tools
root@bt:~# ./dect_cli
If you need info on the usage, type "help". If you live in the U.S., switch to the US/DECT 6 band via the "band" command.
Let's enable some verbosity:
verb
Now start scanning:
fpscan
After scanning multiple times, disable verbosity and stop scanning:
verb
stop
Step 5: Ignore other phones
Start a callscan with
callscan
Now grab your DECT handset, make a test phone call and wait until you see the phone call. It is also sufficient if you just get a dialing tone. You should see something like
### found new call on 00 82 31 33 73 on channel 7 RSSI 34
stop
Now dump all found calls
dump
Ignore every other phone except yours via the following command! IMPORTANT!!!
ignore 01 30 95 13 37
Step 6: Record the call
This command will automatically record every phone call that Dedected can detect:
autorec
Now grab your DECT telephony handset and do a test call. I recommend calling a "time-telling service" that can be reached over a normal phone number. You should get something like this:
### starting autorec
### stopping DIP
### starting callscan
### trying to sync on 00 82 ab b0 29
### got sync
### dumping to dump_2011-06-11_21_37_37_RFPI_00_82_ab_b0_29.pcap
### stopping DIP
After you hang up, the dumping should stop.
Step 7: Decode the callstream
Stop the autorec:
stop
Decode the audiostream into a raw packet dump:
root@bt:~# ./decode.sh
Step 8: Import the streams into Audacity to listen to the calls
Start Audacity via "alt + f2", then type "audacity" and press enter. Import the fixed-part and the portable-part .wav files from /pentest/telephony/dedected/com-on-air_cs-linux/tools via File -> Import -> Audio or simply "ctrl + shift + I". Import the files which end in .pcap_fp.ima.g721.wav and .pcap_pp.ima.g721.wav.
Play your phone call with the play button.
Step 9: CLEAN UP!
To reload the drivers:
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make reload
If you're finished and want to clean up:
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make unload
root@bt:~# rm /dev/coa
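The clean-up above unloads the driver but leaves the capture files in the tools directory. The following is an added example, not part of the original instructable or of Dedected: it uses the dump file naming shown in Step 6 to list every capture (and decoded .wav) whose RFPI is not your own base station, so those files can be deleted. The function names, the script name and the sample file names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the instructable or the Dedected project).
# Lists capture files whose RFPI is not your own base station, using the
# dump_<date>_<time>_RFPI_<xx_xx_xx_xx_xx>.pcap naming shown in Step 6.

# "00 82 AB b0 29" or "00:82:ab:b0:29" -> "00_82_ab_b0_29"
normalize_rfpi() {
    printf '%s' "$1" | tr 'A-F :' 'a-f__'
}

# Print the RFPI embedded in a dump file name (also matches the decoded
# .pcap_fp/.pcap_pp .wav files); prints nothing if the name does not match.
rfpi_of_file() {
    basename "$1" |
        sed -n 's/^dump_.*_RFPI_\(\([0-9A-Fa-f]\{2\}_\)\{4\}[0-9A-Fa-f]\{2\}\)\.pcap.*$/\1/p' |
        tr 'A-F' 'a-f'
}

# out_of_scope_captures DIR OWN_RFPI: one path per line. Files with an
# unparseable name are listed as well, so nothing is kept by accident.
out_of_scope_captures() {
    own=$(normalize_rfpi "$2")
    for f in "$1"/dump_*.pcap*; do
        [ -e "$f" ] || continue
        [ "$(rfpi_of_file "$f")" = "$own" ] || printf '%s\n' "$f"
    done
}

# Usage: sh check_scope.sh DIR "00 82 ab b0 29"   (script name is hypothetical)
# Without arguments, run on constructed sample file names in a temp directory.
if [ "$#" -eq 2 ]; then
    out_of_scope_captures "$1" "$2"
else
    tmp=$(mktemp -d)
    for n in 37_37_RFPI_00_82_ab_b0_29 40_02_RFPI_01_30_95_13_37; do
        : > "$tmp/dump_2011-06-11_21_${n}.pcap"
        : > "$tmp/dump_2011-06-11_21_${n}.pcap_fp.ima.g721.wav"
    done
    out_of_scope_captures "$tmp" "00 82 AB B0 29"
    rm -rf "$tmp"
fi
```

Review the listed paths before removing them; an empty result means every capture in the directory carries your own RFPI.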
Step 10: Dect Protocol
If you are interested in more details of the protocol, you can open the .pcap file in Wireshark.