IMSI-catcher
Open issue for any questions
Post here your questions about my IMSI-catcher.
Hi there, regarding the Key issue https://github.com/Oros42/IMSI-catcher/issues/8: is it all about a lost MCC/MNC, or any other issue? Best regards
... What about LTE? Any suggestions? KR.
You should find an LTE receiver because gr-gsm can only receive GSM. I haven't searched yet.
Hi, thanks for the goods... ehm, why am I unable to track my own IMSI? It never shows up in the logs. I have 4 cells around me for my provider. I switched my phone to 2G only and disabled data. The phone sometimes jumps from one cell to another but still my IMSI won't show up...
Tool from Play Store to get my IMSI: Network Info II
I can see many IMSIs there, but filtering out my own with the "-m" switch leaves me empty. I'm switching the cell IDs manually with airprobe_rtlsdr.py when I see the phone has somehow changed frequency and jumped to another cell, so why is there nothing in the logs? Do you know a better way to track your own?
I have no idea yet :-/
Nb IMSI ; TMSI-1 ; TMSI-2 ; IMSI ; country ; brand ; operator ; MCC ; MNC ; LAC ; CellId
WARNING: Unless called manually, this could indicate deprecated use. Should be changed to bytes(self)
WARNING: Unless called manually, this could indicate deprecated use. Should be changed to bytes(self)
Which version of Python did you use?
On Python 3.5.2 I get this error:
Nb IMSI ; TMSI-1 ; TMSI-2 ; IMSI ; country ; brand ; operator ; MCC ; MNC ; LAC ; CellId
WARNING: Unless called manually, this could indicate deprecated use. Should be changed to bytes(self)
WARNING: Unless called manually, this could indicate deprecated use. Should be changed to bytes(self)
We plan to rewrite the code. In the meantime, you can run it with Python 2.7.
Hello, this software looks promising. However I can't get it to work with grgsm_livemon. If I start simple_IMSI-catcher.py, grgsm_livemon throws this error:
Traceback (most recent call last):
File "/usr/local/bin/grgsm_livemon", line 270, in
If I start grgsm_livemon it runs fine but then simple_IMSI-catcher.py results in this error:
Traceback (most recent call last):
File "simple_IMSI-catcher.py", line 535, in
It looks like I can't get to start both things at the same time. Any tips?
Thank you!
Try this :
sudo python simple_IMSI-catcher.py -s
It worked, thank you!
Hi, thank you for a great script!
I'm running Ubuntu 16.04 LTS on a VirtualBox. Nothing else except update and upgrade has been done. I have installed gr-gsm and IMSI-catcher according to the following instructions:
sudo apt-get install git python-pip
sudo pip install PyBOMBS
sudo pybombs prefix init /usr/local -a default_prx
sudo pybombs config default_prefix default_prx
sudo pybombs recipes add gr-recipes git+https://github.com/gnuradio/gr-recipes.git
sudo pybombs recipes add gr-etcetera git+https://github.com/gnuradio/gr-etcetera.git
sudo pybombs install gr-gsm
sudo ldconfig
sudo apt install python-numpy python-scipy python-scapy
git clone https://github.com/Oros42/IMSI-catcher.git
python IMSI-catcher/mcc-mnc/update_codes.py
I can start the IMSI-catcher script with sudo python simple_IMSI-catcher.py (also tried with simple_IMSI-catcher.py -s).
However, when trying to run grgsm_livemon from terminal 2 I get the following error:
Using device #0 Realtek RTL2838UHIDIR SN: 00000001
Found Rafael Micro R820T tuner
[R82XX] PLL not locked!
Exact sample rate is: 2000000,052982 Hz
[R82XX] PLL not locked!
Traceback (most recent call last):
File "/usr/local/bin/grgsm_livemon", line 370, in
python simple_IMSI-catcher.py works only with the latest gr-gsm (https://tracker.debian.org/pkg/gr-gsm).
But sudo python simple_IMSI-catcher.py -s should work 0_o
Could you try this :
- update IMSI-catcher
- in term 1 run
sudo python simple_IMSI-catcher.py -s
- in term 2 run
grgsm_livemon
Hi, I have a problem using "python simple_IMSI-catcher.py -m". It returns an error:
Traceback (most recent call last):
File "simple_IMSI-catcher.py", line 559, in
How can I fix it?
It should be fixed.
Yep, fine now, thanks!
@Oros42
Cheers and sorry for not replying sooner!
I reinstalled everything and got it to work with the command python simple_IMSI-catcher.py -s. However, I am experiencing some issues.
- I'm a little suspicious that not all the captures are correct. I capture more foreign IMSIs (Austria, Germany and Guam (!?)) than should be present in my area. A few of them might be right, but looking at other users' captures, this seems to be an issue for others as well.
- Also, I'm not able to capture my own IMSI (the phones are set to 2G and I switch between flight mode and active). I try this to confirm whether I am actually capturing correct and existing IMSIs. As mentioned, no luck.
Any suggestions regarding this?
The third issue is most likely due to limited knowledge when it comes to Linux and is most likely not related to IMSI-catcher. After a run with grgsm_livemon I'm not able to restart grgsm. I receive the error RuntimeError: bind: Address already in use. I have to reboot the system to run grgsm again.
For others that experience the same problems with 0 (overflows?): lowering the sample rate to 1M fixed my issue and I was able to capture IMSIs. Initially (grgsm_livemon -s 1M)
Once again, thank you for this!
/Wallace
1- It's possible that there are errors. To check that, you can run wireshark and look for Message Type: Paging Request Type 1 packets.
2- I'm quite sure that flight mode doesn't completely turn off the baseband. So you should remove the battery.
3- I think you haven't correctly exited grgsm_livemon. If the command pgrep grgsm_livemon returns a number, then you have grgsm_livemon running in the background. So you should use kill -15 <Number_returned_by_pgrep>.
Hi, I am very interested in your work. Can this program demodulate the GSM1800 band or get information from GSM1800? Thank you very much!
It's not my program that does the demodulation. It's grgsm that does it. And yes, it can demodulate GSM1800.
@Oros42 thank you very much, your program IMSI-catcher gave me a lot of help for my study, sincerely thank you!
Hi, I installed everything without errors but when I try to run it I get the error:
marcelo@imsi:~/Downloads$ sudo python simple_IMSI-catcher.py --sniff
File "simple_IMSI-catcher.py", line 7
^
SyntaxError: invalid syntax
marcelo@imsi:~/Downloads$
I got the same error on version of gr-gsm >= 0.41.2-1
Could you help me please?
@Micolocobr2 post the output of
sudo python -V
FFY00 Thanks for your response, but I realized that when I downloaded the files from GitHub, they came with some HTML code inside. I edited it and solved the problem.
tks
@Micolocobr2 you probably were using the wrong Python version. The reason it worked is not because you edited the HTML files but because for some reason the program was called with a different Python version.
idconfig
0_o ???
Where did you see this?
Perhaps it's ifconfig you are searching for?
@Micolocobr2 what are you trying to do?
Hi,
I don't know why, but all the files I downloaded had pieces of HTML code inside. Once I removed it from the files, problem solved!
Thanks guys for your help.
@Micolocobr2 how are you downloading the files??
From GitHub, on the oros42 page, using Firefox on Linux 16.04 desktop. If you click on each file to download, it comes with something wrong in the code. Some piece of HTML code.
At the time I had not noticed the "clone or download" button, so I tried to download the files one by one.
@Micolocobr2 please download the files from this link https://github.com/Oros42/IMSI-catcher/archive/master.zip
Hello @Oros42, I appreciate your work :). I wanted to know: do you sniff and decode paging requests? Because there are times that TMSI and IMSI appear together, so I assumed that they are paging requests. I just wanted to make sure which type of traffic you extract the IMSIs from.
thanks
In simple_IMSI-catcher.py, from line 426 to 522, there are comments that explain which types of packet I use. Packets were extracted with wireshark. ;-)
Hi @Oros42
Thanks for sharing this, I have learned a ton about GSM from your code.
My question is where you found the data on the structure of the packets. I want to understand the whole flow of data in more depth.
I read about frames and all that, but how did you find that, for example: ord(p[0x12]) == 0x1b: # Message Type: System Information Type 3, or any of the other parsing of the packet?
If you could send me a link to the resource or whatever, it would be very much appreciated.
Thanks
Oooh fuck. The documentation didn't follow the upgrade of the code :-( There is an offset of 0x2a. 0x12 (from the code) + 0x2a (offset) == 0x3c (in the documentation's dump)
Just pulled and saw the changes.
Ahhh ok, the offset makes a lot more sense...
I'm still wondering where you found the structure. How did you know which address holds which data?
Thanks
I only use wireshark to understand how packets are made.
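The 0x12 / 0x2a / 0x3c arithmetic from the exchange above, as an added example (not code from this thread or from simple_IMSI-catcher.py). It assumes the documentation's dump is a full frame with a 14-byte Ethernet header, a 20-byte IPv4 header and an 8-byte UDP header (together 0x2a) in front of a 16-byte GSMTAP v2 header; the helper names and both sample blocks are constructed for illustration.

```python
import struct

# Assumed capture layout (not stated in the thread): Ethernet II + IPv4
# without options + UDP in front of the GSMTAP payload.
ETH_LEN, IPV4_LEN, UDP_LEN = 14, 20, 8
FRAME_TO_PAYLOAD = ETH_LEN + IPV4_LEN + UDP_LEN   # 42 == 0x2a
GSMTAP_PORT = 4729                                # IANA-registered GSMTAP port

# The two RR message types named in the thread.
RR_MESSAGE_TYPES = {
    0x1B: "System Information Type 3",
    0x21: "Paging Request Type 1",
}

# Constructed 23-byte CCCH blocks: L2 pseudo length, 0x06 (RR protocol
# discriminator), message type, then zero filler instead of real contents.
SI3_BLOCK = bytes([0x49, 0x06, 0x1B]) + bytes(20)
PAGING_BLOCK = bytes([0x15, 0x06, 0x21]) + bytes(20)


def build_frame(l3: bytes, channel: int = 1) -> bytes:
    """Wrap a block in GSMTAP/UDP/IPv4/Ethernet (constructed, checksums 0)."""
    # version=2, hdr_len=4 words, type=1 (Um), timeslot, ARFCN, signal dBm,
    # SNR, frame number, channel sub-type, antenna, sub-slot, reserved
    gsmtap = struct.pack("!BBBBHbBIBBBB", 2, 4, 1, 0, 0, -60, 0, 0,
                         channel, 0, 0, 0)
    payload = gsmtap + l3
    udp = struct.pack("!HHHH", 40000, GSMTAP_PORT, UDP_LEN + len(payload), 0)
    lo = bytes([127, 0, 0, 1])
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0,
                     IPV4_LEN + len(udp) + len(payload), 0, 0, 64, 17, 0, lo, lo)
    eth = bytes(12) + b"\x08\x00"
    return eth + ip + udp + payload


def udp_payload(frame: bytes) -> bytes:
    """Return the UDP payload, using the real IPv4 header length (IHL)."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 Ethernet frame")
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    if frame[ETH_LEN + 9] != 17:
        raise ValueError("not UDP")
    return frame[ETH_LEN + ihl + UDP_LEN:]


def rr_message_type(payload: bytes) -> int:
    """Message type byte of an RR message inside a GSMTAP v2 payload."""
    if len(payload) < 2 or payload[0] != 2:
        raise ValueError("not GSMTAP version 2")
    l3 = payload[payload[1] * 4:]          # skip the header by its own length
    if len(l3) < 3:
        raise ValueError("truncated block")
    if l3[1] & 0x0F != 0x06:
        raise ValueError("not an RR message")
    return l3[2]


if __name__ == "__main__":
    frame = build_frame(SI3_BLOCK)
    payload = udp_payload(frame)
    # Same byte, two coordinate systems: payload offset vs. frame offset.
    print(hex(payload[0x12]), hex(frame[0x12 + FRAME_TO_PAYLOAD]))
    print(RR_MESSAGE_TYPES[rr_message_type(payload)])
```

In Python 3 indexing a bytes object already yields an int, so the `ord(...)` around `p[0x12]` in the quoted Python 2 line is not needed here.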
Hi Oros42, first of all many thanks for sharing this development, I will try to run it. I have just one doubt: is this solution compatible with macOS?
Cheers
I don't know. I only use GNU/Linux. You have to check if you can set up gr-gsm on macOS. https://osmocom.org/projects/gr-gsm/wiki/Installation
Many thanks for your quick feedback mate, I will check then
Hi Oros42, I already installed everything (I think) but when I tried to check my antenna with rtl_test it gives me the following information:
Found 1 device(s):
0: Realtek, RTL2838UHIDIR, SN: 00000001
Using device 0: Generic RTL2832U OEM
Detached kernel driver
No supported tuner found
Enabled direct sampling mode, input 1
Supported gain values (1): 0.0
Sampling at 2048000 S/s.
No E4000 tuner found, aborting.
Reattached kernel driver
When I try to run grgsm_scanner -b GSM900 -g 40 -d I get the following error:
Args=
gr-osmosdr v0.1.4-127-g4d83c606 (0.1.5git) gnuradio 3.7.13.4
built-in source types: file osmosdr fcd rtl rtl_tcp uhd hackrf bladerf rfspace airspy soapy redpitaya
[INFO] [UHD] linux; GNU C++ version 7.3.0; Boost_106501; UHD_3.14.0.0-220-g97935b15
Using device #0 Realtek RTL2838UHIDIR SN: 00000001
Detached kernel driver
No supported tuner found
Enabled direct sampling mode, input 1
Exact sample rate is: 2000000.052982 Hz
Traceback (most recent call last):
File "/usr/local/bin/grgsm_scanner", line 426, in
Am I doing something wrong? Is the frequency wrong? Can you support?
PS: I tested my antenna in windows 10 with blazehd and it is working.
EDIT: With sudo command I got segmentation fault. In apport.log I got the following:
ERROR: apport (pid 21207) Wed Jan 9 18:56:29 2019: called for pid 21150, signal 6, core limit 0, dump mode 1
ERROR: apport (pid 21207) Wed Jan 9 18:56:29 2019: script: /usr/local/bin/grgsm_scanner, interpreted by /usr/bin/python2.7 (command line "/usr/bin/python2 /usr/local/bin/grgsm_scanner -b GSM900 -g 40 -d")
ERROR: apport (pid 21207) Wed Jan 9 18:56:29 2019: executable does not belong to a package, ignoring
ERROR: apport (pid 24509) Wed Jan 9 19:08:15 2019: called for pid 24364, signal 11, core limit 0, dump mode 1
ERROR: apport (pid 24509) Wed Jan 9 19:08:15 2019: script: /usr/local/bin/grgsm_scanner, interpreted by /usr/bin/python2.7 (command line "/usr/bin/python2 /usr/local/bin/grgsm_scanner -b GSM900 -g 40 -d")
ERROR: apport (pid 24509) Wed Jan 9 19:08:15 2019: executable does not belong to a package, ignoring
EDIT2: When I am running with scan-and-livemon active I get a similar error
sudo grgsm_scanner -b DCS1800 -g 40 -d
Args=
gr-osmosdr v0.1.4-127-g4d83c606 (0.1.5git) gnuradio 3.7.13.4
built-in source types: file osmosdr fcd rtl rtl_tcp uhd hackrf bladerf rfspace airspy soapy redpitaya
[INFO] [UHD] linux; GNU C++ version 7.3.0; Boost_106501; UHD_3.14.0.0-220-g97935b15
Using device #0 Realtek RTL2838UHIDIR SN: 00000001
usb_claim_interface error -6
Traceback (most recent call last):
File "/usr/local/bin/grgsm_scanner", line 426, in
Many thanks
Is it possible to know how many phones are connecting to a base station?
@ezevu I don't know. Ask @ptrkrysik (https://github.com/ptrkrysik/gr-gsm)
@phamduythai92mta you could get an idea of how many by counting IMSIs from the output of my program. But you can't get the exact number.
Thanks for the answer, but I am still confused: the IMSI is rarely transmitted to the BS, so how can I get my phone's IMSI?
Kinda new to SDRs here. Picked up a NooElec R820T SDR & DVB-T NESDR mini. I followed the guide and got stuff installed (running on Raspbian (Pi)). When I run python simple_IMSI-catcher.py there are no errors, it just looks like it's waiting to display data. When I start python scan-and-livemon I get
*** Error in `python': corrupted double-linked list: 0x0193e250 *** Aborted
So not sure if the antenna is not being detected or if I borked up the install? Any ideas?
Hi all,
There is no such thing as passive IMSI catcher. You can get some of the IMSIs transmitted by the network, but only on some relatively rare occasions, for some small percentage of current users.
The whole purpose of IMSI catcher is to get all IMSIs, so one can do nefarious stuff like i.e. pinpointing IMSI to a given person handset based on capturing all IMSIs in places where a given person is expected to be, or getting IMSIs of all people attending a protest.
Assuring that you get most of IMSIs in the area (and not some small fraction of them) can be assured only by performing active attack.
Re-installed on Ubuntu, no errors, I just get nothing back... I can query the antenna no problem (followed manufacturer guidelines to load correct drivers etc.), so I guess progress? Going to try a different antenna to see if I get anything new.... Question: will the scan Python script run up and down the frequency list or will it simply pick a default MHz?
How can resolve this problem with imsi catcher
“Python can not open file ‘simple imsi -catcher .py’
Why this error appear ?
please can i intercept a specific phone number with this imsi tool [email protected]
Hi there,
I've been trying to get the IMSI catcher working several times now and it failed every time. So I decided to install it again and do it step by step according to this site: https://osmocom.org/projects/gr-gsm/wiki/Installation
Now I've come to the point where I have to download and install gr-gsm and do the cmake .. command, and that is where the shit started to hit the fan.....
And i'm getting this information from CMakeError.log
Can someone explain me what i have to do to fix this?
Thanx!
Determining if the pthread_create exist failed with the following output:
Change Dir: /home/sdr/Desktop/sdr/gr-gsm/build/CMakeFiles/CMakeTmp
Run Build Command:"/usr/bin/make" "cmTC_f066e/fast"
/usr/bin/make -f CMakeFiles/cmTC_f066e.dir/build.make CMakeFiles/cmTC_f066e.dir/build
make[1]: Entering directory '/home/sdr/Desktop/sdr/gr-gsm/build/CMakeFiles/CMakeTmp'
Building C object CMakeFiles/cmTC_f066e.dir/CheckSymbolExists.c.o
/usr/bin/cc -o CMakeFiles/cmTC_f066e.dir/CheckSymbolExists.c.o -c /home/sdr/Desktop/sdr/gr-gsm/build/CMakeFiles/CMakeTmp/CheckSymbolExists.c
Linking C executable cmTC_f066e
/usr/bin/cmake -E cmake_link_script CMakeFiles/cmTC_f066e.dir/link.txt --verbose=1
/usr/bin/cc -rdynamic CMakeFiles/cmTC_f066e.dir/CheckSymbolExists.c.o -o cmTC_f066e
CMakeFiles/cmTC_f066e.dir/CheckSymbolExists.c.o: In function `main':
CheckSymbolExists.c:(.text+0x1b): undefined reference to `pthread_create'
collect2: error: ld returned 1 exit status
CMakeFiles/cmTC_f066e.dir/build.make:97: recipe for target 'cmTC_f066e' failed
make[1]: *** [cmTC_f066e] Error 1
make[1]: Leaving directory '/home/sdr/Desktop/sdr/gr-gsm/build/CMakeFiles/CMakeTmp'
Makefile:126: recipe for target 'cmTC_f066e/fast' failed
make: *** [cmTC_f066e/fast] Error 2
File /home/sdr/Desktop/sdr/gr-gsm/build/CMakeFiles/CMakeTmp/CheckSymbolExists.c:
/* */
#include <pthread.h>

int main(int argc, char** argv)
{
  (void)argv;
#ifndef pthread_create
  return ((int*)(&pthread_create))[argc];
#else
  (void)argc;
  return 0;
#endif
}

Determining if the function pthread_create exists in the pthreads failed with the following output:
Change Dir: /home/sdr/Desktop/sdr/gr-gsm/build/CMakeFiles/CMakeTmp
Run Build Command:"/usr/bin/make" "cmTC_e014d/fast"
/usr/bin/make -f CMakeFiles/cmTC_e014d.dir/build.make CMakeFiles/cmTC_e014d.dir/build
make[1]: Entering directory '/home/sdr/Desktop/sdr/gr-gsm/build/CMakeFiles/CMakeTmp'
Building C object CMakeFiles/cmTC_e014d.dir/CheckFunctionExists.c.o
/usr/bin/cc -DCHECK_FUNCTION_EXISTS=pthread_create -o CMakeFiles/cmTC_e014d.dir/CheckFunctionExists.c.o -c /usr/share/cmake-3.10/Modules/CheckFunctionExists.c
Linking C executable cmTC_e014d
/usr/bin/cmake -E cmake_link_script CMakeFiles/cmTC_e014d.dir/link.txt --verbose=1
/usr/bin/cc -DCHECK_FUNCTION_EXISTS=pthread_create -rdynamic CMakeFiles/cmTC_e014d.dir/CheckFunctionExists.c.o -o cmTC_e014d -lpthreads
/usr/bin/ld: cannot find -lpthreads
collect2: error: ld returned 1 exit status
CMakeFiles/cmTC_e014d.dir/build.make:97: recipe for target 'cmTC_e014d' failed
make[1]: *** [cmTC_e014d] Error 1
make[1]: Leaving directory '/home/sdr/Desktop/sdr/gr-gsm/build/CMakeFiles/CMakeTmp'
Makefile:126: recipe for target 'cmTC_e014d/fast' failed
make: *** [cmTC_e014d/fast] Error 2
I'm not the author of gr-gsm! Have you tried this: https://osmocom.org/projects/gr-gsm/wiki/Installation#Installation-from-packages-on-Debian-Testing-and-Ubuntu-1804 ?
So you mean i have to start from that point instead of the beginning of the page?
I recommend you READ ALL the page. You will notice there are different ways to install depending on your setup.
Hey Oros, could you give me a hand? I'm trying to execute both simple_IMSI-catcher.py and grgsm_livemon, but I can't execute one if the other is running because they're using the same address, or port, I don't know. The error message is the same in both terminals:
RuntimeError: bind: Address already in use
I don't know what I am supposed to do with that, shouldn't I be supposed to be able to run both without a problem? Is there any way to solve this?
I would really appreciate your help with this.
Did you do :
sudo python3 simple_IMSI-catcher.py --sniff
? See https://github.com/Oros42/IMSI-catcher#with-an-old-version-of-gr-gsm
I did, and it gives me this:
ModuleNotFoundError: No module named 'scapy'
I've tried installing scapy before but it won't let me. Also I'm using Kali 2019's version, don't quite remember the version itself.
What I did get to work was:
python simple_IMSI-catcher.py -a -s
Although I don't really understand the data it displays. The columns are these:
And (part of) the data is this:
What it is actually picking up? I know that the ones that state the country are IMSI's, which I guess would be the phones, but it's the same phone over an over again, right? Could there be any particular reason to why I'm not receiving IMSI's from different phones? I don't know if it's suppossed to work that way or I'm doing something wrong, which I don't think so. Could it be because of where I'm located?
I'm sorry for all the questions and thank you in advance for taking the time to reply.
In Kali 2020, scapy for python3 is already installed.
7024 (LAC) is the location of the cell tower
5455 (CellId) is the id of the cell tower
In your screenshot you only have TMSIs of cell phones.
Right. And TMSI's are logs of what exactly? I'm still kinda new at this.
Hey Oros, quick question. So I picked up the next info:
Despite the fact that they are from the same operator and brand, their IMSI's are slightly different, which means they're different phones right?
Yes, in your screenshot you have 7 phones. For TMSI : https://en.wikipedia.org/wiki/Temporary_Mobile_Subscriber_Identity
Awesome. I was asked to see if there's a way of modifying the .py script in order to get data about the distance from the phones and my antenna. Is it possible to do that with this? And if it is, wouldn't you happen to know about a repository or site where I can learn how to do that? Or maybe you have something already done and can give me some hints? Any help is greatly appreciated.
No, you can't have a distance. But if you want to learn more, run wireshark.
sudo wireshark -k -Y '!icmp && gsmtap' -i lo
Is there a way to get only a select MMC and or MNC?
This is one solution :
sudo python3 simple_IMSI-catcher.py --sniff | grep <THE_MMC>
You can also use -m
sudo python3 simple_IMSI-catcher.py --sniff -m XXX
or
sudo python3 simple_IMSI-catcher.py --sniff -m XXXYYY
with XXX=MCC code and YYY=MNC code
hello Oros42, is it possible for this tool to catch IMEI as well? Or do you happen to know any of the tools that can do that? your reply will be much appreciated. Thanks!
@Maxisldp Sorry but it's not possible because IMEI is not sent.
I am running the docker on OSX Mojave but I can't get my RTL-SDR to passthrough to the docker machine. I tried /dev/bus/usb:/dev/bus/usb and /dev/ttys000:/dev/bus/usb and some other variations in my docker run command. Can somebody help me.
@dd121 Sorry, I don't have a Mac. Try another way to set up grgsm.
Excuse me. If I have the triangulation on a target phone and I run the IMSI catcher near that cell tower, how can I get the exact location of that phone?
@JesusAlvare with my program? It's not possible.
Thank you for your attention.
Hi dear Oros, and many thanks for providing this program. I have a problem: I installed your IMSI catcher project step by step on Kali 2021 and it works properly, but I can't catch my own IMSI. Do you have any idea?
Hi Dear Oros42, At First I should thank u for ur kind endeavors and good code. I listed my concerns and issues as follows which I hope u kindly help to resolve them :
issue no. 1: when running the simple_imsi-catcher.py code, I cant find my own IMSI's as mentioned by some other users above several times? why ? Do u have any idea? Why we can not recognize our own IMSI's?
I try to make a outgoing and incoming call to my phone and sending and receiving sms via it to activate the scenario of sending IMSI to/from network but I am not successful yet.
issue no. 2: I dont know exactly which ARFCN now my phone is working on!!! this make me to probe the whole band by "gqrx" on linux or other spectral seeker program and check all possible GSM channels have power separately one by one to check whether or not my IMSI is sent to it or not but no result yet.
issue no. 3 : do u have any code that can sniff on multi-channel simultaneously ? e.g. 2 channels, or 3 or 4 or even more. This make it for me and everyone easier to probe different channels for own or other IMSI's.
I can work on grgsm_livemon to make it work in multichannel simultaneously but it takes time if u have any similar code which make us able to monitor multichannel , it'll be good . (of course I know that u r not the author of grgsm but that was just a suggestion but of course we need a new_simple-ims-catcher.py to sniff multichannel simultaneously )
looking forward to hearing from you to hint for 3 mentioned issues...
Regards,
hello!
help please..
root@RootBTSLive:/home/alpine/IMSI-catcher# ./simple_IMSI-catcher.py -s
File "./simple_IMSI-catcher.py", line 111
new_imsi = f"{mcc} {mnc} {new_imsi[6:]}"
^
SyntaxError: invalid syntax
root@RootBTSLive:/home/alpine/IMSI-catcher#