Wubi Posted July 24, 2012

This article was contributed by 5M7X.
URL: Back-Track.de - German Community
Twitter: Twitter
Email: 5M7X@mail.ru

BIG FAT HAIRY WARNING: IT IS ILLEGAL TO RECORD PHONE CONVERSATIONS IN MANY COUNTRIES.
For a list of state privacy laws in the US, check State Privacy Laws and http://fjallfoss.fcc.gov/edocs_public/attachmatch/DOC-266204A1.pdf.

Contents
1 What is DECT?
1.1 The problem?
1.2 Tested on
2 Installing dedected
2.1 Install from repository
2.2 Install from source
3 Install some additional tools
4 Load the drivers
5 Scan for fixed parts a.k.a. fp (DECT base stations)
6 Ignore phones you don't want to sniff (e.g. your neighbours!)
7 Record the phone call
8 Decode the call out of the datastream
9 Import the streams into audacity and listen to the calls
10 Clean up / Reload
11 DECT protocol
12 Video: Sniffing DECT phones with BackTrack 5

What is DECT?
Digital Enhanced Cordless Telecommunications - Wikipedia, the free encyclopedia

The problem?
Most vendors don't implement encryption in their devices, so one can sniff it with certain hardware and software.
For a previous post on the topic, check: http://www.offensive-security.com/backtrack/sniffing-dect-phones-the-details/

Tested on
- BackTrack 5 final x86 KDE with kernel 2.6.38
- Original Dosch&Amand Type II PCMCIA Card
- SIEMENS C1 DECT Phones set up in repeater mode

NOTE: This is experimental software which is not very actively supported anymore!

Installing dedected
In order to get dedected installed on BackTrack, you have the choice between:
- Use dedected from the BackTrack 5 repositories.
- Compile it on your own if you want to experiment.

Install from repository
root@bt:~# apt-get update
root@bt:~# apt-get install dedected

Install from source
This stage is optional for those wanting to build the tools from source code.
root@bt:~# prepare-kernel-sources
root@bt:~# cd /usr/src/linux
root@bt:~# cp -rf include/generated/* include/linux/
root@bt:~# cd /pentest/telephony
root@bt:~# svn co https://dedected.org/svn/trunk dedected_svn
root@bt:~# cd dedected_svn/com-on-air_cs-linux/
root@bt:~# make && make -C tools

Install some additional tools
root@bt:~# apt-get -y install audacity

Load the drivers
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make node

If you did not insert your Dosch&Amand Type 2 or Type 3 or Voo:doo PCMCIA card, do so now! Next, we load the driver:
root@bt:~# make load

Scan for fixed parts a.k.a. fp (DECT base stations)
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux/tools
root@bt:~# ./dect_cli

If you need info on the usage, type "help". If you live in the U.S., switch to the US/DECT 6 band via the "band" command. Let's enable some verbosity:
verb

And start scanning for base stations:
fpscan

After scanning 2-3 times through all channels, disable verbosity and stop scanning:
verb
stop

Ignore phones you don't want to sniff (e.g. your neighbours!)
Start a callscan:
callscan

Now grab your DECT handset, make a test phone call and wait until you see the phone call. It is also sufficient if you just get a dialing tone. You should see something like:
### found new call on 00 82 31 33 73 on channel 7 RSSI 34
stop

Name your base station if you want:
name 00 82 31 33 73 stallowned

Dump all found phones:
dump

Ignore every other phone except yours via the following command!
IMPORTANT!!!
ignore 01 30 95 13 37

Record the phone call
Start automatically recording every phone call it detects:
autorec

Now grab your DECT telephony handset and do a test call. I recommend calling a "time telling service" that can be reached over a normal phone number. You should get something like this:
### starting autorec
### stopping DIP
### starting callscan
### trying to sync on 00 82 ab b0 29
### got sync
### dumping to dump_2011-06-11_21_37_37_RFPI_00_82_ab_b0_29.pcap
### stopping DIP

After you hung up your phone call, the dumping should stop.

Decode the call out of the datastream
Stop the autorec:
stop

Decode the audio stream out of the raw dump:
root@bt:~# ./decode.sh

Import the streams into audacity and listen to the calls
Start audacity via "alt + f2", then type "audacity" and press enter. Import the fixed-part and the portable-part .wav files from /pentest/telephony/dedected/com-on-air_cs-linux/tools via File -> Import -> Audio or simply "ctrl + shift + I". Import the files which end in .pcap_fp.ima.g721.wav and .pcap_pp.ima.g721.wav. Play your phone call with the play button.

Hint: if you can only hear noise, your phone seems to use some encoding/encryption. You can enable the repeater mode in your telephone so it disables encryption and you can test if your setup is working properly.
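The "only noise" hint above is the one useful check this procedure gives a defender: running the tool against your own handset and base station tells you whether the link is encrypted or in the clear. The script below is an added example, not part of the wiki article or of the dedected project, that automates that listening test. It reads a decoded .wav, computes the lag-1 autocorrelation of the samples (speech sampled at 8 kHz is strongly correlated sample to sample; a decoded ciphertext stream is close to white noise) and reports "encrypted" or "cleartext". It assumes the decode.sh output is plain 8- or 16-bit PCM WAV, and the 0.5 cut-off is an assumed threshold; both should be checked against your own files. The tone and noise inputs at the bottom are constructed so the script runs offline.

```python
# Added example (not part of the BackTrack wiki article or the dedected project):
# heuristic check of whether a decoded DECT call dump sounds like speech
# (link in the clear) or like noise (link encrypted). Assumptions: the decoded
# .wav is 8-bit or 16-bit PCM, and 0.5 is a reasonable lag-1 autocorrelation
# cut-off; neither comes from the article.
import io
import math
import random
import struct
import wave


def read_first_channel(fileobj):
    """Return the first channel of a PCM WAV as floats in [-1, 1]."""
    with wave.open(fileobj, "rb") as wf:
        nch = wf.getnchannels()
        width = wf.getsampwidth()
        frames = wf.readframes(wf.getnframes())
    count = len(frames) // width
    if width == 1:
        raw = [b - 128 for b in frames]      # 8-bit WAV samples are unsigned
        scale = 128.0
    elif width == 2:
        raw = struct.unpack("<%dh" % count, frames)
        scale = 32768.0
    else:
        raise ValueError("unsupported sample width: %d" % width)
    return [s / scale for s in raw[::nch]]


def lag1_autocorrelation(samples):
    """Normalised autocorrelation at lag 1.

    Voice-band speech at 8 kHz changes slowly from one sample to the next
    (value close to 1); a decoded ciphertext stream is essentially white
    noise (value close to 0).
    """
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    mean = sum(samples) / n
    x = [s - mean for s in samples]
    num = sum(x[i] * x[i + 1] for i in range(n - 1))
    den = sum(v * v for v in x)
    return 0.0 if den == 0.0 else num / den


def classify_wav(fileobj, threshold=0.5):
    """Return ("encrypted", r) or ("cleartext", r) for a decoded call dump.

    The threshold is an assumed cut-off between the two regimes.
    """
    r = lag1_autocorrelation(read_first_channel(fileobj))
    return ("encrypted" if r < threshold else "cleartext", r)


# --- constructed sample inputs so the script runs without real dumps -------
def make_wav(samples, rate=8000):
    """Pack float samples into an in-memory 16-bit mono WAV."""
    buf = io.BytesIO()
    pcm = [int(max(-1.0, min(1.0, s)) * 32767) for s in samples]
    with wave.open(buf, "wb") as wf:
        wf.setnchannels(1)
        wf.setsampwidth(2)
        wf.setframerate(rate)
        wf.writeframes(struct.pack("<%dh" % len(pcm), *pcm))
    buf.seek(0)
    return buf


def constructed_tone(seconds=1.0, rate=8000, freq=440.0):
    """Stand-in for speech: a 440 Hz tone (constructed, not real call audio)."""
    return [0.5 * math.sin(2 * math.pi * freq * i / rate)
            for i in range(int(seconds * rate))]


def constructed_noise(seconds=1.0, rate=8000, seed=1):
    """Stand-in for an encrypted link: uniform white noise (constructed)."""
    rng = random.Random(seed)
    return [rng.uniform(-0.5, 0.5) for _ in range(int(seconds * rate))]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real use: pass the decoded *_pp.ima.g721.wav / *_fp.ima.g721.wav files.
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                verdict, r = classify_wav(f)
            print("%s: %s (lag-1 autocorrelation %.3f)" % (path, verdict, r))
    else:
        for label, samples in (("tone", constructed_tone()),
                               ("noise", constructed_noise())):
            print(label, classify_wav(make_wav(samples)))
```

If a call to your own handset is classified "cleartext", the base station and handset are negotiating no encryption (or the handset is in the repeater mode the hint mentions); turning repeater mode off and re-running the check on a new dump is the quickest way to confirm that encryption comes back.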
Clean up / Reload
If you need to reload the drivers:
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make reload

If you're finished and want to clean up:
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make unload
root@bt:~# rm /dev/coa

DECT protocol
If you are interested in more details of the protocol, you can open the .pcap file in Wireshark.

Video: Sniffing DECT phones with BackTrack 5
http://player.vimeo.com/video/25027253

Source: http://www.backtrack-linux.org/wiki/index.php/DECT_Sniffing_Dedected