IMSI-catcher: Discover Cellphone IMSI Numbers with SDR

Summary
IMSI-catcher is a Python program designed for educational purposes, allowing users to understand how GSM networks function. It utilizes Software Defined Radio (SDR) receivers like RTL-SDR or HackRF to detect and display IMSI numbers, country, brand, and operator of nearby cellphones. This tool provides a practical way to explore mobile communication protocols and security aspects.
Introduction
IMSI-catcher is an open-source Python program that enables users to detect and display IMSI (International Mobile Subscriber Identity) numbers, along with country, brand, and operator information, from cellphones in the vicinity. Developed by Oros42, this project is primarily intended for educational purposes, helping individuals understand the workings of GSM networks and the underlying mobile communication protocols. It emphasizes responsible use, explicitly stating it's not for malicious hacking.
Installation
To set up IMSI-catcher, you'll need a PC running GNU/Linux (tested with Debian 10, Ubuntu 20.04+, Kali 2020+) and an SDR receiver such as a USB DVB-T key (RTL2832U), OsmocomBB phone, HackRF, or BladeRF.
First, clone the repository or download the source:
git clone https://github.com/Oros42/IMSI-catcher.git
cd IMSI-catcher
Alternatively:
wget https://github.com/Oros42/IMSI-catcher/archive/master.zip && unzip -q master.zip
cd IMSI-catcher-master
Install the necessary Python dependencies:
sudo apt install python3-numpy python3-scipy python3-scapy
Important: Avoid using Python 3.9 due to a ctypes bug.
You have two options for installing gr-gsm: directly in your OS or via Docker.
Install gr-gsm in your OS (recommended)
Install build dependencies:
sudo apt-get install -y \
cmake \
autoconf \
libtool \
pkg-config \
build-essential \
python3-docutils \
libcppunit-dev \
swig \
doxygen \
liblog4cpp5-dev \
gnuradio-dev \
gr-osmosdr \
libosmocore-dev \
liborc-0.4-dev
Check your GnuRadio version:
gnuradio-config-info -v
Based on your GnuRadio version, clone the appropriate gr-gsm branch:
- If >= 3.10: git clone -b maint-3.10_with_multiarfcn https://github.com/bkerler/gr-gsm
- If >= 3.8: git clone -b maint-3.8 https://github.com/velichkov/gr-gsm.git
- If 3.7: git clone https://git.osmocom.org/gr-gsm
Then, build and install gr-gsm:
cd gr-gsm
mkdir build
cd build
cmake ..
make -j 4
sudo make install
sudo ldconfig
echo 'export PYTHONPATH=/usr/local/lib/python3/dist-packages/:$PYTHONPATH' >> ~/.bashrc
Importlib vs Imp
In Python 3.1 and newer, the imp module is replaced by importlib. If you encounter issues, install importlib:
apt install python3-pip
pip install importlib
Install gr-gsm with Docker
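For a containerized setup (the run command below uses --privileged and --net=host, which give the container access to all host devices and the host network stack):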
sudo xhost +local:docker
docker pull atomicpowerman/imsi-catcher
docker run -ti --net=host -e DISPLAY=$DISPLAY --privileged -v /dev/bus/usb:/dev/bus/usb atomicpowerman/imsi-catcher bash
Run all grgsm_* commands inside this Docker container.
Examples
IMSI-catcher typically uses grgsm_livemon to decode GSM signals and simple_IMSI-catcher.py to process and display IMSIs.
Open two terminals.
In terminal 1, start the IMSI catcher in sniff mode:
sudo python3 simple_IMSI-catcher.py -s
In terminal 2, start grgsm_livemon:
grgsm_livemon
Adjust the frequency in grgsm_livemon until you see decoded GSM frames.
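What the decoded frames yield once the two terminals above are running, as an added example (not code from the IMSI-catcher repository): it unpacks the BCD-encoded Mobile Identity value defined in 3GPP TS 24.008, section 10.5.1.4, and splits the IMSI into MCC, MNC and MSIN. The function names, the sample bytes and the two-entry operator table are constructed for illustration.

```python
# Mobile Identity "type of identity" values (3GPP TS 24.008, section 10.5.1.4)
ID_TYPES = {1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}

# Constructed sample table keyed by (MCC, MNC) -> (country, brand, operator).
# MCC 001 / MNC 01 is the usual test network; 999/123 is made up for the demo.
OPERATORS = {
    ("001", "01"): ("Test networks", "TEST", "Test PLMN 1-1"),
    ("999", "123"): ("Private network", "LAB", "Constructed lab PLMN"),
}

def decode_mobile_identity(value: bytes):
    """Decode the value part of a Mobile Identity IE into (type, digits)."""
    if not value:
        raise ValueError("empty Mobile Identity")
    id_type = ID_TYPES.get(value[0] & 0x07, "unknown")
    if id_type in ("TMSI", "unknown"):
        return id_type, value[1:].hex()        # binary value, not BCD digits
    nibbles = [value[0] >> 4]                  # digit 1 sits in the first octet
    for octet in value[1:]:
        nibbles += [octet & 0x0F, octet >> 4]  # low nibble is the earlier digit
    if not value[0] & 0x08:                    # even digit count: drop 0xF filler
        if nibbles.pop() != 0xF:
            raise ValueError("missing filler nibble")
    if any(n > 9 for n in nibbles):
        raise ValueError("non-decimal digit in identity")
    return id_type, "".join(str(n) for n in nibbles)

def split_imsi(imsi: str, operators=OPERATORS):
    """Split an IMSI into MCC, MNC and MSIN using the operator table."""
    if not (imsi.isascii() and imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    mcc = imsi[:3]
    # The IMSI does not say whether the MNC has 2 or 3 digits; the table decides.
    for mnc_len in (3, 2):
        mnc = imsi[3:3 + mnc_len]
        if (mcc, mnc) in operators:
            country, brand, operator = operators[(mcc, mnc)]
            return {"mcc": mcc, "mnc": mnc, "msin": imsi[3 + mnc_len:],
                    "country": country, "brand": brand, "operator": operator}
    return {"mcc": mcc, "mnc": None, "msin": None,
            "country": "unknown", "brand": "unknown", "operator": "unknown"}

if __name__ == "__main__":
    # Constructed IE value for the test IMSI 001010123456789 (odd digit count)
    sample = bytes.fromhex("0910101032547698")
    kind, digits = decode_mobile_identity(sample)
    print(kind, split_imsi(digits))
```
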
Wireshark Integration
You can also monitor GSM packets using Wireshark:
sudo apt install wireshark
sudo wireshark -k -Y '!icmp && gsmtap' -i lo
Finding Frequencies
To find active GSM frequencies, use grgsm_scanner:
grgsm_scanner
This will output ARFCNs and frequencies. You can then specify a frequency for grgsm_livemon:
grgsm_livemon -f 925.4M
For HackRF users, kalibrate-hackrf can help find GSM frequencies:
sudo apt-get install automake autoconf libhackrf-dev
git clone https://github.com/scateu/kalibrate-hackrf
cd kalibrate-hackrf/
./bootstrap
./configure
make
sudo make install
Then run:
kal -s GSM900
Logging Data to MySQL
To save observed IMSI values to a MySQL database:
cp .env.dist .env
nano .env
# set your config
sudo apt install python-decouple python3-mysqldb
Then run the IMSI catcher with the --mysql option:
sudo python3 simple_IMSI-catcher.py -s --mysql
Use db-example.sql from the repository to create your database schema.
Why Use IMSI-catcher?
IMSI-catcher offers a unique hands-on approach to understanding the intricacies of GSM networks. For students, researchers, and security enthusiasts, it provides a practical platform to:
- Learn GSM Protocols: Observe real-time GSM traffic and understand how mobile devices communicate with base stations.
- Explore SDR Capabilities: Gain experience with Software Defined Radio hardware and software for signal processing.
- Security Research: Investigate potential vulnerabilities in GSM networks and the methods used for tracking mobile devices.
- Educational Tool: Serve as an excellent educational resource for courses in telecommunications, cybersecurity, and radio frequency engineering.
Links
- Setup of Gr-Gsm: Osmocom Gr-Gsm Installation and velichkov/gr-gsm GitHub
- Frequency Information: World Time Zone GSM and Wikipedia Global System for Mobile Communications
- Mobile Network Code: Wikipedia Mobile Network Code
- Scapy: Scapy Usage Documentation
- IMSI: Wikipedia IMSI
- Realtek RTL2832U: Osmocom RTL-SDR, Ubuntu-fr RTL2832U and Ubuntu-fr RTL-SDR
- AskUbuntu gr-gsm 3.10 fix: AskUbuntu Answer