Awesome-Cellular-Hacking (- In the process of Updating - lots of work to do...) / Rogue BTS & CDMA/GSM Traffic Impersonation and Interception |
How To Build Your Own Rogue GSM BTS For Fun and Profit | | | "In this blog post I’m going to explain how to create a portable GSM BTS which can be used either to create a private (and vendor free!) GSM network or for GSM active tapping/interception/hijacking … yes, with some (relatively) cheap electronic equipment you can basically build something very similar to what the governments are using for years to perform GSM interception." |
How to create an Evil LTE Twin/LTE Rogue BTS | | | How to set up a 4G/LTE Evil Twin Base Station using srsLTE and a USRP SDR device |
Practical attacks against GSM networks: Impersonation | | | "Impersonating a cellular base station with SDR: With the flexibility, relative low cost of Software Defined Radio (SDR) and abundance of open source projects that emulate a cell tower, successfully impersonating a GSM Base Station (BTS) is not a difficult task these days." |
Tutorial-Analyzing GSM with-Airprobe and Wireshark | | | "The RTL-SDR software defined radio can be used to analyze cellular phone GSM signals, using Linux based tools GR-GSM (or Airprobe) and Wireshark. This tutorial shows how to set up these tools for use with the RTL-SDR." |
Traffic Interception for Penetration Testing Engagements | | | "Within the penetration testing domain quite often we have to deal with different technologies and devices. It’s important to cover all aspects of connectivity of a device being tested which is why we have built a GSM/GPRS interception capability. There are a number of different devices and systems that make use of GSM/GPRS, non-exhaustively we commonly see:" |
Blackhat 2022 Talks |
Attacks from a New Front Door in 4G & 5G mobile networks | | | |
Blackhat 2021 Talks |
Ettus USRP B210 | | | |
srsENB | 3,484 | 5 months ago | |
Open5GS | | | |
sysmo-usim-tool | | | |
pysim | 338 | 11 days ago | |
CoIMS | | | |
CoIMS_Wiki | 84 | almost 4 years ago | |
Docker_open5gs | | | |
Blackhat 2021 Talks / Recent SeaGlass IMSI-Catcher News - Organizing - |
SeaGlass: Enabling City-Wide IMSI-Catcher Detection | | | |
Voice over LTE implementations contain multiple vulnerabilities - CERT ALERT | | | |
Blackhat 2021 Talks / 5G Cellular Attacks (Soon to be updated) |
Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information | | | |
European 5G Security in the Wild: Reality versus Expectations | | | |
Threat modeling framework for mobile communication system | | | |
ENISA THREAT LANDSCAPE FOR 5G NETWORKS | 2,905 | 13 days ago | |
Protecting the 4G and 5G Cellular Paging Protocols against Security and Privacy Attacks | 2,905 | 13 days ago | |
Insecure Connection Bootstrapping in Cellular Networks: The Root of All Evil | 2,905 | 13 days ago | |
5GReasoner: A Property-Directed Security and Privacy Analysis Framework for 5G Cellular Network Protocol | 2,905 | 13 days ago | |
QCSniper - A tool for capturing 2G-4G air traffic using Qualcomm phones | | | |
New Privacy Threat on 3G, 4G, and Upcoming 5G AKA Protocols | | | |
New Vulnerabilities in 5G Networks | | | |
Side Channel Analysis in 4G and 5G Cellular Networks | | | |
5G NR Jamming, Spoofing, and Sniffing | 2,905 | 13 days ago | |
Blackhat 2021 Talks / 4G/LTE Cellular Attacks |
LTRACK: Stealthy Tracking of Mobile Phones in LTE | | | |
Detecting Fake 4G Base Stations In Real Time | | | |
BaseSAFE: Baseband SAnitized Fuzzing through Emulation | | | |
Paging Storm Attacks against 4G/LTE Networks from Regional Android Botnets: Rationale, Practicality, and Implications | | | |
This is Your President Speaking: Spoofing Alerts in 4G LTE Networks | | | |
Hacking Public Warning System in LTE Mobile Networks | | | |
RF Exploitation: IoT/OT Hacking with SDR | | | |
Forcing a targeted LTE Cellphone Into an Eavesdropping Network | | | |
Hacking Cellular Networks | | | |
Bye-Bye-IMSI-Catchers | | | |
White-Stingray: Evaluating IMSI Catchers Detection Applications | | | |
Breaking_LTE_on_Layer_Two | 2,905 | 13 days ago | |
LTE/LTE-A Jamming, Spoofing, and Sniffing - Assessment and Mitigation | | | |
Exploring LTE security and protocol exploits with open source software and low-cost software radio by Roger Jover | 2,905 | 13 days ago | |
LTE PROTOCOL EXPLOITS: IMSI CATCHERS, BLOCKING DEVICES AND LOCATION LEAKS | 2,905 | 13 days ago | |
Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems | 2,905 | 13 days ago | |
Using OpenBTS - "Experimental_Security_Assessment_of_BMW_Cars by KeenLab" | | | |
LTE Security – How Good Is It? | | | |
Guide to LTE Security | | | |
Small Tweaks do Not Help: Differential Power Analysis of MILENAGE Implementations in 3G/4G USIM Cards | | | |
4G Access Level Security Assessment | | | |
LTE security and protocol exploits | | | |
LTE Recon - (Defcon 23) | | | |
LTE Pwnage: Hacking HLR/HSS and MME CoreNetwork Elements | | | |
Modmobjam - Jam tomorrow, jam yesterday, but also jam today | | | |
WiFi IMSI Catcher | | | |
Analysis of the LTE Control Plane | | | |
Demystifying the Mobile Network by Chuck McAuley | | | |
NSA PLAYSET GSM | | | |
VoLTE Phreaking - Ralph Moonen | 2,905 | 13 days ago | |
Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stack | | | |
Hiding in Plain Signal: Physical Signal Overshadowing Attack on LTE | | | |
LTE Security Disabled—Misconfiguration in Commercial Network | | | |
Shupeng-All-The-4G-Modules-Could-Be-Hacked | | | |
Blackhat 2021 Talks / SIM Specific Attacks |
Rooting SIM-cards | | | |
The Most Expensive Lesson Of My Life: Details of SIM port hack | | | |
Blackhat 2021 Talks / Stingray's |
https://www.wired.com/story/dcs-stingray-dhs-surveillance/ | | | |
https://www.vice.com/en_us/article/gv5k3x/heres-how-much-a-stingray-cell-phone-surveillance-tool-costs | | | |
https://www.nyclu.org/en/stingrays | | | |
D1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov | 2,905 | 13 days ago | |
http://www.hackitoergosum.org/2010/HES2010-planglois-Attacking-SS7.pdf | | | |
Getting in the SS7 kingdom: hard technology and disturbingly easy hacks to get entry points in the walled garden | | | |
Blackhat 2021 Talks / Github/Code Repo's |
https://github.com/Synacktiv-contrib/Modmobjam | 84 | over 4 years ago | |
https://github.com/Synacktiv-contrib/Modmobmap | 97 | over 1 year ago | |
https://github.com/Evrytania/LTE-Cell-Scanner | 584 | over 5 years ago | |
https://harrisonsand.com/imsi-catcher/ | | | |
https://github.com/Oros42/IMSI-catcher | 3,212 | 5 months ago | |
https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector | 4,740 | about 1 month ago | |
https://github.com/ptrkrysik/gr-gsm/wiki/Passive-IMSI-Catcher | 1,346 | 11 months ago | |
RTL-SDR | | | |
MCC-MNC Codes for Base Stations | | | |
RFSec-ToolKit | 1,565 | 6 months ago | |
FakeBTS | | | |
https://rmusser.net/docs/Wireless.html#cn | | | |
Touching the Untouchables: Dynamic Security | | | |
https://www.eff.org/pages/cell-site-simulatorsimsi-catchers | | | |
http://leetupload.com/blagosphere/2014/03/28/analyze-and-crack-gsm-downlink-with-a-usrp/ | | | |
AT&T Microcell FAIL - fail0verflow (Older blog article, but still a good read) | | | |