OpenBTS Implementation
With OpenBTS, we can start running an active GSM base station - a working cellular carrier.
Open the terminal and run:
$ osmo-trx -f
Open a new terminal window and run:
$ sudo start asterisk
$ sudo start sipauthserve
$ sudo start smqueue
$ sudo start openbts
$ cd /OpenBTS
$ ./OpenBTSCLI
*In order to close all proccess, run in terminal:
$ sudo stop openbts && sudo stop asterisk && sudo stop sipauthserve && sudo stop smqueue
Those commands should get you into the OpenBTS menu:
(if not, return to Worksapce Setup and reinstall OpenBTS)
In order to allow auto-registration to the network, run:
$ config Control.LUR.OpenRegistration .*
In case where cellular networks in the area are up and running, and all the phones in the area are still connected with their carriers, it is a little bit more complicated to get them to register to our BTS .
In that case we will rather use the passive approach, or it is possible to force-handover phones to our network using IMSI-catcher methods.
An IMSI-catcher is a telephone eavesdropping device used for intercepting mobile phone traffic and tracking movement of mobile phone users.
Essentially it is a “fake” mobile tower acting between the target mobile phone and the service provider’s real tower, it is considered man-in-the-middle (MITM) attack.
In order to force handover a registered mobile phone into my base station, the BTS has to have the same network parameters as the real network.
Those parameters are:
-
MCC- Mobile Country Code
-
MNC- Mobile Network Code
-
ARFCN- Absolute Radio-Frequency Channel Number
-
LAC- Location Area Code
-
Name of Network
Those parameters can be modified to the operator’s choice in the “config” section in OpenBTS:
Once the configuration of the fake network is done, the BTS is impersonating to the real network, and due to the proximity of the device to the cellular phones nearby, they will automatically attach to the fake BTS.
"Welcome" message