EvilZone
Hacking and Security: DioGt, October 09, 2013, 08:40:10 PM
-
So let's start with some general theory.
Almost every SIM has directories like:
RD (Root Directory)
MF (Master File)
DF-tel (Directory-Telecom)
DF-gsm (Directory-GSM)
DF-3g (Directory-3G)
EF (Elementary File)
More specifically, the locations of DF (tel/gsm/3g) are subsets of MF, and MF is a subset of RD.
EF is the directory where the info of the SIM is kept, like: phone contacts, sent SMS, etc.
Every SIM has a unique: IMSI-TMSI / LAI / BCCH
IMSI-TMSI: permanent-temporary customer identity on the network
LAI: Location of customer
BCCH: control channel
and you can access these only if you know Ki and Kc
[PIN is also needed to access some directories]
Ki: key [password for encryption]
Kc: session key (key for the encryption - not stable / can change)
Encryption that GSM - 3G networks use: A5/2 > A5/1 > A5/3 > A5/0 [A3, A8]
*The Ki is saved on the AuC (Authentication Center)*
A5/2 is more powerful than: A5/1 > A5/3 > A5/0
A5/1 is more powerful than: A5/3, A5/0 - which actually means no encryption :D
a) to authenticate to the network provider, the phone compares the Ki that the phone has with the one on their system to see if it is the same [to do that they use the A3 algorithm]
b) with the Ki data & the A8 algorithm, the Kc is created.
c) with the Kc now ready, the A5/x encryption (= algorithm) encrypts the signal for a call or SMS or internet (3G).
NOW about the "free" 3G internet. There are 2 (maybe 3) possible ways I've thought of.
*That doesn't mean that they will work :p BUT they have great possibilities to work!*
1. Hijack the IMSI-TMSI / LAI / BCCH and Ki from another user to get "free" access to the net with him/her paying the bill :p (Too risky, but it can work)
2. By bypassing the network security and getting free access (working on that)
3. By exploiting the free 0.facebook access and gaining access to other sites without paying (Needs advanced knowledge of mobile networks)
Because it takes lots of time to write all this and also I have not completed my thoughts, I will continue in P2 (part 2) :)
A photo I found that explains how the directories of a SIM are: (doesn't have 3G network)
P.S.: Sorry for my English :D
-
Found interest in your post.... waiting for your part 2... keep up... thx btw..
-
3. By exploiting the free 0.facebook access and gaining access to other sites without paying (Needs advanced knowledge of mobile networks)
This one has been used in my country, thanks to an anonymous phreaker who found the way and shared the trick.
Free internet access since 6 months ago using my 3G USB modem :P
This "0.facebook" is called a bughost, used to camouflage data that will be sent to the ISP's proxy.
What is needed: ISP proxy:port, ISP header data, bughost, a simple proxy server app that can manipulate header data (called inject).
Inject will send injectdata (header data containing the bughost) to open a connection with the ISP proxy before the realdata is sent.
-
Do you have any of the tools you mentioned? Like bughost and the others?
-
Do you have any of the tools you mentioned? Like bughost and the others?
inject:
a configurable one
http://sourceforge.net/projects/injectheaderquery/
uploaded by the maker
works for all mobile operators (opsel) in my country, though each one has its own configuration.
bughost:
it can be different for each operator, so it's more like trial and error. Even adf.ly can be used as a bughost lol
-
How would I find out the ISP header data? And the bughost always has to be Facebook, right?
-
How would I find out the ISP header data? And the bughost always has to be Facebook, right?
Google can answer your first Q ;)
http://web-sniffer.net/
bughost:
This is my header request; you can see what the bughost is used for:
HTTP Request Header
Connect to 202.80.220.95 on port 80 ... ok
GET / HTTP/1.1[CRLF]
Host: news.okezone.com[CRLF] <<<<<< bughost
-
Thanks for all your responses... gonna try this...
-
Thanks for all your responses... gonna try this...
BTW, it's better to combine inject with SSH, not direct access from the browser & other apps ;D
since direct needs extra configuration :P
This is my full setup:
1. uncheck the default gateway in your dial-up connection
2. connect
3. add a route to your ISP proxy
4. start inject
5. log in to your SSH account, use inject as your proxy (Bitvise or PuTTY, enable proxy forwarding)
6. open Proxifier (make sure all requests are sent through Bitvise)
7. pray, hope your ISP has a bughole 8)
Lastly, I need part 2 of this topic; 3 of 7 ISPs in my country already know how to fix this method :'(
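The two posts above describe the ISP proxy granting zero-rated access purely on the Host header a client sends. As an added example (not from this thread or the linked inject tool), here is the check an ISP would run over its proxy logs to catch that: a zero-rated Host header whose actual connect target is outside the zero-rated address ranges, or on a non-HTTP port such as an SSH tunnel, gets flagged. The log format, the address ranges and the client IPs are constructed; only the hostname news.okezone.com is taken from the thread.

```python
from ipaddress import ip_address, ip_network
import re

# Constructed, hypothetical log format: one request per line as the ISP proxy
# would see it, with the real connect target and the client-supplied Host.
SAMPLE_LOG = """\
10.1.2.3 CONNECT=203.0.113.10:80 HOST=news.okezone.com PATH=/
10.1.2.4 CONNECT=198.51.100.7:22 HOST=news.okezone.com PATH=/
10.1.2.5 CONNECT=198.51.100.9:80 HOST=example.net PATH=/index.html
10.1.2.6 CONNECT=198.51.100.9:80 HOST=news.okezone.com PATH=/
"""

# Made-up mapping of zero-rated hostnames to the address ranges they really
# resolve to; a real ISP would build this from its own DNS and routing data.
ZERO_RATED = {
    "news.okezone.com": [ip_network("203.0.113.0/24")],
}

LINE_RE = re.compile(
    r"(?P<client>\S+) CONNECT=(?P<ip>[\d.]+):(?P<port>\d+) HOST=(?P<host>\S+) PATH=(?P<path>\S+)"
)

def classify(line: str) -> str:
    """Return 'billable', 'zero_rated' or 'suspicious' for one log line.

    A request is zero-rated only when BOTH the Host header is on the list AND
    the connect target sits inside that host's ranges on an HTTP port. A
    zero-rated Host header pointing elsewhere (or at port 22) is suspicious.
    """
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    host, ip, port = m["host"], ip_address(m["ip"]), int(m["port"])
    ranges = ZERO_RATED.get(host)
    if ranges is None:
        return "billable"          # normal traffic, charged as usual
    if port not in (80, 443) or not any(ip in net for net in ranges):
        return "suspicious"        # Host header does not match the real target
    return "zero_rated"

def scan(log: str) -> dict:
    """Classify every non-empty line; returns {client: verdict}."""
    return {ln.split()[0]: classify(ln) for ln in log.splitlines() if ln.strip()}

if __name__ == "__main__":
    for client, verdict in scan(SAMPLE_LOG).items():
        print(f"{client}: {verdict}")
```

The same comparison is why billing on the resolved destination rather than on the Host header closes the hole the thread relies on.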
-
Nice tut... thx...
-
Nice one balanyc +1. I was wondering, would this also work on the Homespot routers instead of 3G? I mean those APs some ISPs automatically broadcast when they give you a wireless router, so everybody who has an account on their network can sign in via your router.
-
Hi, this is cool. I will look into this.