Reposted here as a backup. Original article: http://92ez.com/?action=show&id=23342
While reading through the osmocom-bb source I noticed that cell_log has a great many features we had never paid attention to. Not all of them seem to fit our current usage: for example, cell_log has GPS scanning, and nothing we have touched so far involves a GPS device. osmocom-bb is of course very powerful, and using it only for some simple GSM sniffing is rather a waste, so if you have a GPS device on hand it is worth a try: store the sniffed information in a database together with the GPS data, and the collected information instantly becomes far more useful; for a follow-up targeted attack I cannot think of anything better.
Enough chatter; let us see what cell_log can actually do. As mentioned at the start, the -h parameter brings up the help text, so let us try it:
root@kbdancer:~/projects/GSM/gsmweb1.1# ./cell_log -h
Copyright (C) 2010 Andreas Eversberg
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Usage: ./cell_log
Some help...
  -h --help              this text
  -s --socket            /tmp/osmocom_l2. Path to the unix domain socket (l2)
  -i --gsmtap-ip         The destination IP used for GSMTAP.
  -d --debug             Change debug flags.
Application specific
  -l --logfile LOGFILE   Logfile for the cell log.
  -r --rach RACH         Nr. of RACH bursts to send.
  -n --no-rach           Send no rach bursts.
  -g --gpsd-host HOST    127.0.0.1. gpsd host.
  -p --port PORT         2947. gpsd port
  -f --gps DEVICE        /dev/ttyACM0. GPS serial device.
  -b --baud BAUDRAT      The baud rate of the GPS device
  -B --band BAND         Select scan band, one of: all (default), 900, 1800, 850, 1900.
  -G --log-gprs          Log some GPRS if available
  -O --only-scan         Do a scan and show available ARFCNs, no data logging
  -w --wait-time TIME    Time to wait in each cell
The help is indeed rich and detailed, so let us go through it item by item. -s and -h need no further explanation: they work the same as in osmocon, which the previous article covered. First, -i: it specifies the IP address of the machine that should receive the GSMTAP data. For example, if we have a virtual machine with Wireshark installed and want to use Wireshark to dissect the GSMTAP traffic, we can pass the VM's IP address directly with -i:
root@kbdancer:~/projects/GSM/gsmweb1.1# ./cell_log -i 192.168.2.206 -O
Copyright (C) 2010 Andreas Eversberg
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Failed to connect to '/tmp/osmocom_sap'.
Failed during sap_open(), no SIM reader
<000e> cell_log.c:864 Scanner initialized
Mobile initialized, please start phone now!
<000e> cell_log.c:443 Measure from 0 to 124
<000e> cell_log.c:443 Measure from 512 to 885
<000e> cell_log.c:443 Measure from 955 to 1023
<000e> cell_log.c:434 Measurement done
Here is the test screenshot, with the output directed at the Windows VM.
Next, -d: it is used exactly like osmocon's -d parameter, to show debug information, so nothing more needs to be said.
Now for the functional parameters. The first is -l, which writes the log that cell_log produces to a file. This is very useful: when we use a Python script to fetch the ARFCN scan results we can pass -l, so the results are stored in a file and we only need to read that file to obtain them quickly. Testing also shows that cell_log writes the file in real time, so ARFCNs already discovered can be picked up on the fly without waiting for the scan to finish. Let us test it:
root@kbdancer:~/projects/GSM/gsmweb1.1# ./cell_log -l arfcn.log -O
Copyright (C) 2010 Andreas Eversberg
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Failed to connect to '/tmp/osmocom_sap'.
Failed during sap_open(), no SIM reader
<000e> cell_log.c:864 Scanner initialized
Mobile initialized, please start phone now!
<000e> cell_log.c:443 Measure from 0 to 124
<000e> cell_log.c:443 Measure from 512 to 885
<000e> cell_log.c:443 Measure from 955 to 1023
<000e> cell_log.c:434 Measurement done
This creates an arfcn.log file directly in the directory given by the file path.
Let us look at its contents:
[power]
time 1438377722
arfcn 0 -88 -70 -87 -80 -62 -79 -88 -86 -80 -87 -68 -85
arfcn 12 -94 -90 -87 -99 -97 -99 -94 -98 -79 -79 -102 -100
arfcn 24 -100 -87 -95 -100 -99 -92 -102 -100 -89 -100 -83 -98
arfcn 36 -86 -101 -96 -100 -94 -102 -98 -97 -77 -87 -100 -102
arfcn 48 -102 -88 -69 -86 -88 -100 -102 -83 -97 -93 -84 -97
arfcn 60 -101 -91 -74 -98 -103 -92 -77 -85 -69 -77 -83 -76
arfcn 72 -79 -84 -68 -72 -66 -77 -73 -78 -69 -83 -74 -74
arfcn 84 -66 -78 -74 -78 -80 -77 -92 -96 -92 -91 -78 -86
arfcn 96 -73 -70 -76 -70 -68 -78 -62 -65 -83 -81 -72 -80
arfcn 108 -87 -88 -71 -86 -82 -83 -88 -74 -73 -72 -72 -81
arfcn 120 -73 -74 -68 -79 -70
arfcn 512 -110 -90 -84 -83 -76 -81 -83 -88 -93 -83 -87 -90
arfcn 524 -89 -71 -89 -72 -83 -91 -84 -95 -86 -80 -95 -75
arfcn 536 -97 -97 -97 -96 -98 -97 -98 -86 -96 -97 -98 -97
arfcn 548 -98 -98 -96 -98 -99 -97 -98 -99 -98 -98 -96 -90
arfcn 560 -98 -98 -99 -97 -97 -98 -98 -97 -99 -99 -99 -99
arfcn 572 -98 -98 -99 -98 -97 -98 -98 -98 -99 -96 -98 -98
arfcn 584 -98 -97 -99 -97 -95 -97 -94 -95 -90 -97 -96 -97
arfcn 596 -97 -99 -97 -97 -86 -94 -96 -98 -97 -95 -97 -98
arfcn 608 -94 -98 -98 -97 -99 -97 -96 -96 -97 -97 -99 -97
arfcn 620 -100 -99 -98 -99 -99 -98 -97 -97 -99 -97 -97 -97
arfcn 632 -96 -98 -98 -98 -97 -85 -66 -81 -89 -91 -87 -94
arfcn 644 -90 -89 -93 -91 -79 -88 -95 -90 -86 -92 -76 -78
arfcn 656 -88 -91 -86 -90 -85 -95 -99 -97 -83 -95 -97 -97
arfcn 668 -99 -99 -98 -98 -98 -98 -99 -97 -97 -97 -95 -79
arfcn 680 -86 -88 -72 -85 -80 -90 -74 -92 -98 -99 -97 -99
arfcn 692 -94 -89 -88 -89 -88 -88 -90 -89 -87 -88 -85 -89
arfcn 704 -88 -89 -90 -89 -89 -91 -89 -88 -88 -89 -90 -89
arfcn 716 -89 -89 -89 -91 -89 -88 -90 -88 -88 -89 -88 -88
arfcn 728 -87 -89 -87 -88 -89 -88 -86 -88 -86 -88 -88 -87
arfcn 740 -86 -89 -88 -85 -87 -88 -87 -86 -88 -88 -86 -88
arfcn 752 -87 -87 -87 -87 -87 -87 -88 -86 -87 -90 -87 -87
arfcn 764 -88 -87 -85 -86 -87 -86 -86 -86 -87 -86 -89 -89
arfcn 776 -89 -89 -88 -89 -88 -89 -90 -101 -99 -101 -101 -101
arfcn 788 -101 -101 -100 -91 -84 -86 -87 -91 -89 -92 -89 -89
arfcn 800 -90 -90 -80 -88 -90 -89 -91 -88 -88 -88 -92 -85
arfcn 812 -92 -91 -89 -89 -89 -88 -88 -89 -89 -88 -89 -91
arfcn 824 -86 -90 -92 -82 -90 -89 -88 -89 -91 -89 -89 -89
arfcn 836 -89 -88 -89 -91 -88 -89 -90 -88 -88 -89 -88 -89
arfcn 848 -87 -89 -88 -90 -91 -88 -88 -88 -88 -88 -87 -100
arfcn 860 -101 -99 -100 -100 -100 -101 -100 -100 -101 -99 -101 -100
arfcn 872 -100 -100 -101 -101 -100 -100 -101 -101 -101 -100 -99 -101
arfcn 884 -101 -99
arfcn 955 -100 -101 -105 -102 -100 -103 -104 -103 -102 -102 -103 -94
arfcn 967 -100 -102 -99 -97 -102 -102 -98 -102 -103 -103 -97 -103
arfcn 979 -103 -105 -107 -104 -104 -105 -102 -105 -104 -105 -105 -102
arfcn 991 -104 -105 -103 -102 -103 -103 -102 -103 -101 -102 -100 -101
arfcn 1003 -101 -103 -104 -99 -100 -101 -101 -92 -100 -102 -103 -101
arfcn 1015 -100 -102 -90 -71 -89 -86 -92 -92 -104
[sysinfo]
arfcn 4
time 1438377722
bsic 2,2
rxlev -61
mcc 460
mnc 00
si2ter 01 06 03 bf 04 20 00 00 00 00 00 00 00 00 00 00 00 00 00 2b 2b 2b 2b
si3 49 06 1b da 71 64 f0 00 59 dd d0 03 14 57 65 4e a5 00 00 1c 13 2b 2b
[sysinfo]
arfcn 103
time 1438377723
bsic 1,1
rxlev -65
mcc 460
mnc 01
si3 49 06 1b 84 97 64 f0 10 59 04 d0 00 0a 5c 65 08 79 00 00 80 00 b0 43
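As an added example (not code from the original post or from osmocom-bb), here is a Python reader for the arfcn.log layout shown above: it collects the [power] rows into an ARFCN-to-rxlev map, keeps each [sysinfo] record, and decodes the raw si3 bytes into cell identity and LAI so that the mcc/mnc values cell_log wrote can be cross-checked against the message itself. The sample log is constructed from the scan above; the SI3 field offsets follow 3GPP TS 44.018 / TS 24.008, and the decoder also handles three-digit MNCs, which the scan above does not contain.

```python
# Constructed sample in the layout cell_log writes with -l; values come from the scan above, [power] cut to one row.
SAMPLE_LOG = """\
[power]
arfcn 0 -88 -70 -87 -80 -62 -79 -88 -86 -80 -87 -68 -85
[sysinfo]
arfcn 4
bsic 2,2
rxlev -61
mcc 460
mnc 00
si3 49 06 1b da 71 64 f0 00 59 dd d0 03 14 57 65 4e a5 00 00 1c 13 2b 2b
[sysinfo]
arfcn 103
bsic 1,1
rxlev -65
mcc 460
mnc 01
si3 49 06 1b 84 97 64 f0 10 59 04 d0 00 0a 5c 65 08 79 00 00 80 00 b0 43
"""

def parse_cell_log(text):
    """Return ({arfcn: rxlev_dBm}, [sysinfo dicts]) from the text of a cell_log logfile."""
    power, cells, cur = {}, [], None
    for line in text.splitlines():
        if line == "[power]":
            cur = None                          # rows that follow are power rows
        elif line == "[sysinfo]":
            cells.append(cur := {})             # start a new cell record
        elif cur is None and line.startswith("arfcn "):
            base, *levels = line.split()[1:]    # "arfcn N" then up to 12 rxlev values
            power.update({int(base) + i: int(v) for i, v in enumerate(levels)})
        elif cur is not None and " " in line:   # "key value" lines such as "bsic 2,2"
            cur.update([line.split(" ", 1)])
    return power, cells

def decode_si3(hexstr):
    """Decode Cell Identity and LAI (MCC, MNC, LAC) from a System Information 3 message."""
    b = bytes.fromhex(hexstr)      # b[0..2]: L2 pseudo length, PD 0x06 (RR), type 0x1b (SI3)
    ci = (b[3] << 8) | b[4]
    mcc = "%d%d%d" % (b[5] & 0xF, b[5] >> 4, b[6] & 0xF)   # BCD digits, low nibble first
    mnc = "%d%d" % (b[7] & 0xF, b[7] >> 4)
    if b[6] >> 4 != 0xF:           # high nibble 0xF marks a two-digit MNC
        mnc += "%d" % (b[6] >> 4)
    lac = (b[8] << 8) | b[9]
    return {"ci": ci, "mcc": mcc, "mnc": mnc, "lac": lac}

def plmn_matches(cell):
    """True when the PLMN decoded from the raw SI3 equals the mcc/mnc cell_log wrote."""
    d = decode_si3(cell["si3"])
    return (d["mcc"], d["mnc"]) == (cell["mcc"], cell["mnc"])
```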
The file records detailed ARFCN information and is very easy to read. Next we look at the -r parameter, whose description is:
-r --rach RACH Nr. of RACH bursts to send.
What on earth is RACH? Looking it up, RACH stands for Random Access Channel; here is an encyclopedia entry:
RACH (Random Access Channel) is an uplink transport channel. It is received across the whole cell and is commonly used for paging responses and for access when the MS originates a call or registers.
I will not go into its specific uses here for lack of space; those interested can look up the relevant material. What exactly it can be used for, the author has not yet worked out; I will add the details once I have read up on it and understood it.
Next is -n, which means no RACH bursts are sent; its exact effect remains to be studied.
Continuing with -g: this is the IP address of the gpsd service. If we have a GPS device, accessing it and reading its data requires specifying the GPS service host, i.e. its IP address, with -g. The author has no GPS device, so this cannot be tested for now.
Next is -p, which is used together with -g and specifies the port of the GPS device. GPS devices generally deliver their data on a default port (2947); if that port has been changed, -p is needed to specify it.
Then -f, which specifies the GPS device node; the default is /dev/ttyACM0.
-b specifies the baud rate of the GPS device.
-B selects the band to scan; the default is all bands, and the choices are 900, 1800, 850 and 1900.
-G logs some GPRS information if available.
-O only scans and shows the available ARFCNs, without logging data.
-w is the time to wait at each base station during the scan.
That covers all of cell_log's parameters, with their basic meanings explained; I hope this is of some reference to those who need it.