Differences

This shows you the differences between two versions of the page.

Link to this comparison view

gan-gun [2011/08/30 15:03]
gan-gun [2011/08/30 15:34] (current)
Line 1: Line 1:
 +====== GAN client ======
 +
 +The GAN client communicates to the [[gan-proxy]] over a slightly extended version of the GAN protocol.
 +The protocol uses a newly introduced (unreserved) message type of 6.
 +Additionally, the following enum defines the IE types used for the actual communication:
 +
 +  enum ga_proxy_type {
 +    GA_PROXY_GET_TMSI=0,
 +    GA_PROXY_RET_TMSI=1,
 +    GA_PROXY_GET_IMSI=2,
 +    GA_PROXY_RET_IMSI=3,
 +    GA_PROXY_AUTH_COMPLETE=4,
 +    GA_PROXY_GET_SMS=5,
 +    GA_PROXY_ERROR=6,
 +    GA_PROXY_GET_ID=7,
 +    GA_PROXY_RET_ID=8,
 +  };
 +  
 +This may be useful when debugging these messages in wireshark...
 +
 +The source consists of two tools, one to send/modify SMS messages (featuring an SMS_SUBMIT encoder/decoder) and a second tool that allows you to send location update requests or imsi detach requests for a specific IMSI. Please only do this with IMSI numbers of your own SIM card.
 +
 +The tool usage is pretty much self-explanatory:
 +  $ ./rogue_client -h
 +  ./rogue_client [options]
 +  
 +  -h display this help...
 +  -p <proxy ip>
 +  -a <attack>
 +  -t <sms text>
 +  -d <destination number>
 +  
 +  attack can be either 'm' (modify), 'i' (inject new)
 +  $ ./imsi_loc
 +  ./imsi_loc <target ip> <imsi> <attack (l - location update / d - imsi detach)
 +
 +This tool is not specific to anything related to SFR/Ubiquisys, it should be an example of interacting with GAN infrastructure.
 +
 +The complete source: {{:gan-gun.tar.bz2|}}
  
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 3.0 Unported
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki