
Building a Cellphone IMSI Catcher (Stingray)

The IMSI number is held within the SIM card in the mobile phone and identifies the country, the carrier, and the user. With this information, the person sniffing this traffic can identify and locate the phone user at a minimum and potentially intercept and spoof the user’s traffic.
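As an added illustration (not part of the original post), the script below splits an IMSI into the three fields just described. It assumes a 3-digit MNC for the North American MCCs (302 and 310 to 316) and a 2-digit MNC elsewhere, which simplifies the real allocation table, and uses a small constructed set of MCC-to-country entries.

```python
import re

# Constructed sample of the E.212 MCC table; assumption: a handful of
# entries is enough to illustrate the country field. Not a complete table.
MCC_COUNTRY = {
    "208": "France",
    "234": "United Kingdom",
    "262": "Germany",
    "302": "Canada",
    "310": "United States",
    "311": "United States",
}

# MCCs whose MNCs are three digits long. Assumption: only the North
# American MCCs; real-world allocations have further exceptions.
THREE_DIGIT_MNC_MCCS = {"302"} | {str(m) for m in range(310, 317)}


def parse_imsi(imsi):
    """Split an IMSI into MCC, MNC and MSIN and look up the country.

    Returns None when the value cannot be an IMSI (non-digits, fewer
    than 6 or more than 15 digits); a garbled capture should be
    dropped rather than guessed at.
    """
    if not re.fullmatch(r"\d{6,15}", imsi):
        return None
    mcc = imsi[:3]
    mnc_len = 3 if mcc in THREE_DIGIT_MNC_MCCS else 2
    mnc = imsi[3:3 + mnc_len]
    msin = imsi[3 + mnc_len:]
    return {
        "mcc": mcc,
        "mnc": mnc,
        "msin": msin,
        "country": MCC_COUNTRY.get(mcc, "unknown"),
    }


if __name__ == "__main__":
    # Constructed sample IMSIs, not real subscribers.
    for sample in ("310260123456789", "262011234567890", "12AB"):
        print(sample, "->", parse_imsi(sample))
```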

Let’s see how we can harvest that information from 2G and 3G mobile networks with our RTL-SDR dongle and a few pieces of software.

Step #1: Install New Software in Kali

For this tutorial, we will be using Kali and several new pieces of software. Let’s begin with gr-gsm. Gr-gsm is a set of tools for receiving GSM transmissions, which works with any software radio (SDR) hardware capable of receiving a GSM signal.

Although gr-gsm is available in the Kali repository, I found that building it from the source code works better. To install gr-gsm, first install the dependencies:

kali > sudo apt-get install -y cmake autoconf libtool pkg-config build-essential python-docutils libcppunit-dev swig doxygen liblog4cpp5-dev gnuradio-dev gr-osmosdr libosmocore-dev liborc-0.4-dev

Then, clone gr-gsm from the osmocom git repository (no sudo is needed here; cloning as root would leave the source tree owned by root and break the build steps that follow).

kali > git clone https://git.osmocom.org/gr-gsm

Then follow the next few steps to build the application.

cd gr-gsm
mkdir build
cd build
cmake ..
make -j 4
sudo make install
sudo ldconfig

Lastly, we need to change the PYTHONPATH environment variable.

kali > sudo echo 'export PYTHONPATH=/usr/local/lib/python3/dist-packages/:$PYTHONPATH' >> ~/.bashrc

Now you are ready to install kalibrate-rtl from the Kali repository.

kali > sudo apt install kalibrate-rtl

Next, clone the IMSI-catcher from github.

Step #2: Find the Frequencies the Base Stations are Operating on

The next step is to find the base stations in your area and the frequency they are operating on. For this action, we can use kalibrate.

Let’s begin by examining the kalibrate help screen.

kali > kal -h

As the help screen shows, kal simply needs -s to scan followed by the technology, such as GSM850, GSM-R, GSM900, EGSM, DCS or PCS. In addition, we can specify the gain with the -g option. Since GSM850 is common in North and South America, I'll scan for it with a gain of 45 dB.

kali > sudo kal -s GSM850 -g 45

As you can see above, there were 2 base stations within range, at 889.0 MHz and 890.0 MHz. These fall within the receiving range of my RTL-SDR dongle (24-1766 MHz).

Step #3: Tune grgsm to the Base Station Frequency

Now we need to tune grgsm to the frequency of the nearby base station. Navigate to the gr-gsm directory and enter:

kali > grgsm_livemon -f 889.0M -g 45

Here 889.0M is the frequency we want to "listen" on (make certain to substitute the frequency found at your locale with kalibrate) and -g 45 is the gain.

This should open the gr-gsm GUI. If you need to, you can adjust the frequency with the slide bar.

Step #4: Start IMSI Catcher

Finally, let’s start the IMSI catcher.

Navigate to the IMSI-catcher directory and then execute the catcher with the -s option (scan).

kali > cd IMSI-catcher
kali > sudo python simple_IMSI-catcher.py -s

By contrast, another user in Europe, where GSM is still the standard and many 2G and 3G phones remain in use, captured numerous IMSIs along with operator and cell ID.

This post is licensed under CC BY 4.0 by the author.