http://www.instructables.com/id/Telephony-DECT-Sniffing-with-Dedected/
Telephony, DECT Sniffing with Dedected.
by zebuilin on December 3, 2011
Table of Contents
Telephony, DECT Sniffing with Dedected.
Intro: Telephony, DECT Sniffing with Dedected.
Step 1: 1: What is DECT?
Step 2: 1.1: Insecurity...
Step 3: 2: Installing Dedected
Step 4: Scan for fixed parts or fp (DECT base stations)
Step 5: Ignore other phones
Step 6: Record the call
Step 7: Decode the callstream
Step 8: Import the streams into Audacity to listen to the calls
Step 9: CLEAN UP!
Step 10: DECT Protocol
Intro: Telephony, DECT Sniffing with Dedected.
DISCLAIMER: Recording phone conversations is illegal in the US and most countries.
Step 1: 1: What is DECT?
http://en.wikipedia.org/wiki/Digital_Enhanced_Cordless_Telecommunications
Step 2: 1.1: Insecurity...
Most telecommunication companies don't implement or offer encryption for their devices, so they can be easily sniffed.
The following has been tested under these circumstances:
- Backtrack 5 final x86 KDE with Kernel 2.6.38
- Original Dosch&Amand Type II PCMCIA Card
- SIEMENS C1 DECT phones set up in repeater mode
Step 3: 2: Installing Dedected
When installing Dedected on Backtrack 5 you have the following options:
- Use Dedected from the Backtrack repositories
- Compile it on your own if you want to experiment
Install from source
root@bt:~# prepare-kernel-sources
root@bt:~# cd /usr/src/linux
root@bt:~# cp -rf include/generated/* include/linux/
root@bt:~# cd /pentest/telephony
root@bt:~# svn co https://dedected.org/svn/trunk dedected_svn
root@bt:~# cd dedected_svn/com-on-air_cs-linux/
root@bt:~# make && make -C tools
Install from repository
root@bt:~# apt-get update
root@bt:~# apt-get install dedected
It is recommended that you have the tool Audacity if you are serious about recording phone conversations.
Load the Drivers
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make node
root@bt:~# make load
Step 4: Scan for fixed parts or fp (DECT base stations)
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux/tools
root@bt:~# ./dect_cli
If you need info on the usage, type "help". If you live in the U.S., switch to the US/DECT 6 band via the "band" command. Let's enable some verbosity:
verb
Now start scanning:
fpscan
After scanning multiple times, disable verbosity and stop scanning:
verb
stop
Step 5: Ignore other phones
Start a callscan with
callscan
Now grab your DECT handset, make a test phone call and wait until you see the phone call. It is also sufficient if you just get a dialing tone. You should see something like
### found new call on 00 82 31 33 73 on channel 7 RSSI 34
stop
Now dump all found calls
dump
Ignore every other phone except yours via the following command! IMPORTANT!!!
ignore 01 30 95 13 37
Step 6: Record the call
This command will automatically record every phone call that Dedected can detect:
autorec
Now grab your DECT telephony handset and do a test call. I recommend calling a time-telling service that can be reached over a normal phone number. You should get something like this:
### starting autorec
### stopping DIP
### starting callscan
### trying to sync on 00 82 ab b0 29
### got sync
### dumping to dump_2011-06-11_21_37_37_RFPI_00_82_ab_b0_29.pcap
### stopping DIP
After you hang up, the dumping should stop.
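Added example (not part of the original instructable or of the Dedected project): a shell check that the capture files written by autorec come only from your own base station, using the dump file name format shown in the output above. The function names and the way your own RFPI is passed in are assumptions of this example.

```shell
#!/bin/sh
# Added example: scope check for the capture files written by autorec.
# Assumption: you pass the RFPI of your own base station as an argument.

# Extract the RFPI from a dump file name in the format shown in the
# autorec output, e.g.
#   dump_2011-06-11_21_37_37_RFPI_00_82_ab_b0_29.pcap -> "00 82 ab b0 29"
# Returns 1 if the name does not have that format.
rfpi_from_dump() {
    name=$(basename "$1")
    printf '%s\n' "$name" |
        grep -Eq '^dump_.*_RFPI_([0-9A-Fa-f]{2}_){4}[0-9A-Fa-f]{2}\.pcap$' ||
        return 1
    rfpi=${name##*_RFPI_}
    rfpi=${rfpi%.pcap}
    printf '%s\n' "$rfpi" | tr '_' ' ' | tr 'A-F' 'a-f'
}

# 0: dump is from our own base station, 1: from another one,
# 2: file name could not be parsed.
dump_in_scope() {
    own_rfpi=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    found_rfpi=$(rfpi_from_dump "$1") || return 2
    [ "$found_rfpi" = "$own_rfpi" ]
}

# Print every dump in directory $1 that is not from base station $2
# (including files whose name cannot be parsed), so they can be deleted.
out_of_scope_dumps() {
    for f in "$1"/dump_*.pcap; do
        [ -e "$f" ] || continue
        dump_in_scope "$f" "$2" || printf '%s\n' "$f"
    done
}

# Usage: ./check_dumps.sh <capture directory> "<own RFPI>"
if [ "$#" -eq 2 ]; then
    out_of_scope_dumps "$1" "$2"
fi
```

Run it against the tools directory before decoding; any file it prints was recorded from a base station other than the one you named.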
Step 7: Decode the callstream
Stop the autorec:
stop
Decode the audio stream into a raw packet dump:
root@bt:~# ./decode.sh
Step 8: Import the streams into Audacity to listen to the calls
Start Audacity via "alt + f2", then type audacity and press enter. Import the fixed-part and the portable-part .wav files from /pentest/telephony/dedected/com-on-air_cs-linux/tools via File -> Import -> Audio or simply "ctrl + shift + I". Import the files which end in .pcap_fp.ima.g721.wav and .pcap_pp.ima.g721.wav.
Play your phone call with the play button:
Step 9: CLEAN UP!
To reload the drivers:
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make reload
If you're finished and want to clean up:
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make unload
root@bt:~# rm /dev/coa
Step 10: DECT Protocol
If you are interested in more details of the protocol you can open the .pcap file in Wireshark: