GSM Capturing, Decoding with USRP and SDR in Kali Linux Rolling Edition

[scoyok]

Hello All,

Tutorial is in this thread now, Slick added rtl-sdr support, you may still view/download from the link.

Thanks



https://docs.google.com/document/d/1...4ue_WXezI0/pub

http://https://docs.google.com/docum...4ue_WXezI0/pub

Okay gonna start getting this transfered a piece at a time! (Please forgive the formatting, I am copying and pasting then adding the screen shots etc... it looks pretty in the PDF format you can download from the link or we can email it to you, I know there is people waiting for this be put up with the rtl-sdr steps included from slick's notes)



GSM Capturing, Decoding with USRP and SDR in Kali Linux Rolling Edition

This is a full, step by step, tutorial installing GR-GSM, libosmocore, gnuradio companion and everything needed to capture GSM packets and decode in Wireshark. Using the USRP device Hackrf One.

By Community member Scoyok (Scott)

I could not put this together without community member Slick97477 (Bryon)

(He has also modified this tutorial for compatibility with Kali Sana 2.0 KDE(rtl-sdr) coming soon)

I got all the information contained herein from too many places to name them all, here is a few:

https://github.com/mossmann/hackrf
http://www.rtl-sdr.com/tag/airprobe/
https://gnuradio.org/redmine/project...RadioCompanion
http://sdr.osmocom.org/trac/wiki/GrO...ckRFSourceSink
https://z4ziggy.wordpress.com/2015/0...c-with-hackrf/
https://github.com/ptrkrysik/gr-gsm/wiki
http://bb.osmocom.org/trac/wiki/libosmocore
http://hackaday.com/2015/10/10/sdr-t...chael-ossmann/

DISCLAIMER:

IF YOU BREAK ANY OF YOUR DEVICES IN ANY WAY, CAUSE THE END OF THE WORLD, GET ARRESTED, OR NERD RAGE ON YOUR FAMILY, I AM NOT RESPONSIBLE.
I AM NOT RESPONSIBLE FOR HOW YOU USE ANY INFORMATION CONTAINED HEREIN, IT IS INTENDED FOR EDUCATIONAL AND RESEARCH PURPOSES ONLY. IT IS SOLELY YOUR RESPONSIBILITY TO UNDERSTAND AND FOLLOW LOCAL, AND INTERNATIONAL LAWS. DO NOT INTERACT WITH ANY SIGNAL BUT YOUR OWN!


Equipment: Software Defined Radio device, I used the Hackrf One to make this tutorial, it was modified to work in Kali Sana 2.0 with the Rtl-Sdr by Slick97477 aka Bryon (he will post that separately)I installed this dual booting with windows 10 on an amd quad core laptop and on my primary custom machine. Keep in mind that if you have a different SDR you may have to change a few of the drivers specific to yours.
Recommended: I tested this tutorial with fresh install, I only ran these commands before starting this tutorial.

apt update
apt upgrade -y
apt-get install kali-linux-all
apt-get install flashplugin-nonfree
update-flashplugin-nonfree --install

I suggest your install be as fresh as possible, brand new if you can.

WARNING: You have probably noticed that there isn’t a working tutorial up anywhere else yet for Sana or Rolling release. I tried all the different methods from all the sites I could find before coming to this exact order and combInation. DO NOT USE PYBOMBS! DO NOT TRY USING ORIGINAL AIRPROBE! (or the patch airprobe method) these methods will pretty much nuke your install. We are gonna be installing a whole bunch of dependencies that are not native to Kali, the exact order and directory you are in while compiling (using a lot make cmds) has everything to do with success. If you mess up you may have to re-install Kali so have an .iso handy. I run as root all the time, add sudo to the majority of commands if you do not.
Feel free to email me with any questions and I will provide as much support as possible. The second email is Bryon and I’s linked development account solely for support, one of us will get back to you.

Just for me (Scott) [email protected] or for both of us [email protected]
Just for Bryon [email protected]

Finally, this isn’t perfect, I spent a couple of hours late night for a week working on this so there may be a few extra packages that get installed. Posting my progress to Bryon via comments in google docs then playing catch up after working 14 hour days and coming home to a wife and kids. Bryon and I have made the decision to become more publicly active, so look for more coming from us in the future. This is our passion and our work, but family always come first. Be respectful and patient, one of us will get back to you. We want to learn from others and help others learn. If you happen to catch something feel free to let us know.

Keep in mind that some are installed twice on purpose. For whatever reason the package talloc, for example, can be installed now and then later during make it will say “...make failed package libtalloc…” not found. So then you go back into package manager and search again and all of the sudden more talloc dev packages pop up. So, I ask that you just follow the tutorial all the way through step by step and if you have the Hackrf One I know it will work.

EDIT: It is 100% confirmed working on the rtl-sdr now too, tested on three different pc's. Thanks to slick, I will be adding his notes as optional steps where they correspond in this tutorial.

Follow the step by step instructions to make sure your Hackrf One is updated and the drivers are installed. You can check by running hackrf_info:

Selection_031.jpg

STEP 1: Package Downloader

Applications (drop down menu), then to Usual Applications (drop down) then System and Select Package Downloader (has picture of a blue down arrow)

Selection_001.jpg

Once opened search in the search bar for “osmo” and download everything that you even think has anything to do with SDR, GSM, or gr-gsm. Since the programs run on std=gnu++11 and std=c++11 do the same, now we are going to search Talloc (for the first time) as well and select ALL packages for install to meet requirements for libosmocore.

This is necessary to integrate C++ and Python, gr-gsm/gnuradio relies primarily on C++
DOWNLOAD IT ALL, TRUST ME YOU WOULD RATHER HAVE MORE THAN LESS!

STEP: 2 Commands for Dependencies

More dependencies through apt-get and git commands, these are pretty self explanatory

apt-get install hackrf libhackrf-dev libhackrf0

apt-get -y install git-core autoconf automake libtool g++ python-dev swig libpcap0.8-dev

apt-get install gnuradio gnuradio-dev gr-osmosdr gr-osmosdr

apt-get install git cmake libboost-all-dev libcppunit-dev swig doxygen liblog4cpp5-dev python-scipy

STEP3: Libosmocore

Have to have libosmocore and you will need the following tools:

apt-get install build-essential libtool shtool autoconf automake git-core pkg-config make gcc

and the following (optional) libraries:

apt-get install libpcsclite-dev

git clone https://github.com/ptrkrysik/gr-gsm.git

cd gr-gsm

************PAUSE***********

Go back to Package Downloader and search for Talloc again, there should be somewhere around 7 more 2.1.x packages now the other dependencies have opened up, download them or you will return a “make” failure. Trust me do it.

So, things should be going good, make sure you are in the right directory and that you do this in the right order or any one of these could become very frustrating.

From the gr-gsm directory clone into Libosmocore

git clone git://git.osmocom.org/libosmocore.git
cd libosmocore
autoreconf -i
./configure
make
make install
ldconfig -i
cd ..

STEP 4: Back to setting up gr-gsm now that the dependencies are resolved

****START****

mkdir build
cd build
cmake ..
make
make install
ldconfig

now using a text editor, create a text file named:

config.conf

then paste the following into it:

[grc]
local_blocks_path=/usr/local/share/gnuradio/grc/blocks

****NOTE****

(the places “Home” function in rolling release does not search actual root, go to computer)
You may have to manually locate the file using Places, click Home, click Other Locations (at the bottom), click Computer, (this is the REAL root) open ETC, then Gnuradio, then you save as in text editor ( I used GEDIT) to this location. (If you have a different desktop environment this could be different, email Bryon at [email protected] with any issues)

So when you're done, wherever your gnuradio folder is located in the root of your drive /gnuradio (you will see a conf.d folder in there, that is where the global gnu config file is) place your text file next to it. Your ~/etc/gnuradio folder should look like this:

Selection_002.jpg

STEP: 5 Time for Kalibrate-hackrf

EDIT: If you are using the rtl-sdr please skip to next step 5b

If you are NOT using the Hackrf One you may have to do a little googling to see how to get the correct version for your device. Bryon used the rtl-sdr version located here https://github.com/steve-m/kalibrate-rtl

Now we need Kalibrate-hackrf(dependent on which device you have)

git clone https://github.com/scateu/kalibrate-hackrf.git
cd kalibrate-hackrf
./bootstrap
./configure
make
make install
ldconfig

STEP:5b Kalibrate for the rtl-sdr

git clone https://github.com/steve-m/kalibrate-rtl
cd kalibrate-rtl
./bootstrap
./configure
make
make install
ldconfig

You should have had no errors thus far, if you did more than likely you didn’t fill a dependency or installed something in the wrong directory.

Now let’s test everything out and run a scan for GSM base stations using Kalibrate. You will have to use the proper GSM parameter (‘-s’) to correspond to your local operator, check your countries band range here:


END POST 1

[Quest]

Thanks scoyok and welcome,

This is very interesting to me and to others also. If you made it work, I would appreciate if you can post a step-by-step howto here. The information provided on RTL-SDR.com and other sites is incomplete and all over the place. Take as many posts as you need.

[scoyok]

Thanks scoyok and welcome,

This is very interesting to me and to others also. If you made it work, I would appreciate if you can post a step-by-step howto here. The information provided on RTL-SDR.com and other sites is incomplete and all over the place. Take as many posts as you need.

It works! Put a lot of work with my brother into this guide. We tested it 10 times from scratch, we are almost done testing his modified version that works in Sana. We had the same problem, the information is scattered and incomplete. I would be more than willing to get it up here, give me a few days to take it apart piece by piece and upload the screenshots one at a time and I can make it happen. I work full time and have a wofe and kids, so for those eager to try it, check out the link.

[slick97477]

It works! Put a lot of work with my brother into this guide. We tested it 10 times from scratch, we are almost done testing his modified version that works in Sana. We had the same problem, the information is scattered and incomplete. I would be more than willing to get it up here, give me a few days to take it apart piece by piece and upload the screenshots one at a time and I can make it happen. I work full time and have a wofe and kids, so for those eager to try it, check out the link.

I can assure you we have got it working. I have followed this tutorial on a fresh install of kali 2.0 64 bit sana (not rolling release) with kde. Also i have the rtl-sdr. I had to make a couple changes to make it work on sana kde but it is functioning. Gonna try to upload a couple screenshots from just now showing it is 100 percent functioning. As you can see from my screenshots it working 100 percent. Will be adding the couple simple fixes to the tutorial later when we had the how-to directly to kali.org forums instead of the link we provided earlier

gsm.jpg

[soxrok2212]

Excellent post! I'll be following this.

[Quest]

oh I'll be waiting also

Thanks again you two



OT: didn't know that you were also into SDR, soxrok. Been following airplanes and some other amazing cool stuff...

[soxrok2212]

oh I'll be waiting also

Thanks again you two



OT: didn't know that you were also into SDR, soxrok. Been following airplanes and some other amazing cool stuff...

Right! Really interesting stuff! I was also thinking about building some antennas to listen in to the ISS when it passes by and capture some NOAA satellite images.

Also, I'll have to wait for RTL-SDR info, don't have a HackRF One, very expensive :P

[Quest]

Yeah satellites!! I have a howto for windows7 to do that. There's been more development under W7 than Linux.

*sorry scoyok & slick, we are known to chat. We just don't get many SDR topics*

[slick97477]

Right! Really interesting stuff! I was also thinking about building some antennas to listen in to the ISS when it passes by and capture some NOAA satellite images.

Also, I'll have to wait for RTL-SDR info, don't have a HackRF One, very expensive :P

So i currently have a rtl-sdr as well and have done testing and it works flawlessly. The screenshots from earlier are form my rtl-sdr. I too cannot afford a hackrf so went the route of rtl-sdr. The biggest thing i saw, I followed the tutorial to the end. Instead of the "kalibrate-hack-rf" you use "kalibrate-rtl" when building kalibrate at the end of the tutorial. Also if you have installed the "kali-linux-all" the "kalibrate-rtl" might be there by default. You can check within the package manager
to see if kalibrate is installed or from terminal type "kal" and see if it runs. if the command "kal" runs you should see something similar to this screenshot below.kal.jpg

[scoyok]

Don't apologize! It is great to see so much conversation on the subject! We are very excited to be apart of this community! Please, anyone reading this, do not be afraid to ask for support at any part of the tutorial, provide constructive feedback! We hope to continue with tutorials and active participation within the Kali community, I do love to write... and its the one place my over explaining of everything is helpful! Lol

[slick97477]

Don't apologize! It is great to see so much conversation on the subject! We are very excited to be apart of this community! Please, anyone reading this, do not be afraid to ask for support at any part of the tutorial, provide constructive feedback! We hope to continue with tutorials and active participation within the Kali community, I do love to write... and its the one place my over explaining of everything is helpful! Lol

For sure guys don't apologize, it is great to see some great enthusiasm around sdr. I am learning very fast at this sdr stuff and loving it so far, seeing some of the airplane tracking stuff is simply amazing. I have cb radios,scanners and many other things and have loved the scanner hobby I have to huge antenna's One on top off my house and another attached to my shop so this is a new hobby for me and looking forward to learning all i can and pushing this rtl-sdr to its limits. For the record here is a link to the one i have in case anyone wants to know:http://www.amazon.com/gp/product/B01...ilpage_o01_s00

[scoyok]

http://www.worldtimezone.com/gsm.html

Here is the United States copied from the website for quick reference:

United States (USA) 1900 850

3G 850/1900 Verizon; 3G 1700/2100 T-Mobile USA; 3G 850/1900 AT&T; 3G 800/1900 Sprint; 3G 800/1900 boost; 3G 1700/2100 MetroPCS; 3G 1700/2100 VTel Wireless; 3G 1900 Alaska Wireless; 3G 1700/2100 New Mexico RSA; 3G 1700/2100 Iowa Wireless; 3G 850 Cordova Wireless; 3G 1700/2100 Cincinnati Bell; 3G 1700/2100 CTC Telcom; 3G 1700/2100 Big River;

4G LTE Verizon 700/850/1700/2100Mhz; 4G LTE T-Mobile USA 700/1700/2100Mhz; 4G LTE AT& T 700/850/1700/1900Mhz; 4G LTE Sprint 800/1900/2500Mhz; 4G LTE boost 800/1900Mhz; 4G LTE MetroPCS 700/1700/2100Mhz; 4G LTE NewCore Wireless 1900Mhz; 4G LTE SRT Wireless 1900Mhz; 4G LTE U.S. Cellular 700/850/1900/2100Mhz; 4G LTE Adams Networks 700Mhz; 4G LTE AlaskaComm / GCI 1700Mhz; 4G LTE Big River Broadband 1700Mhz; 4G LTE Bluegrass Cellular 700Mhz; 4G LTE C Spire 1700/1900Mhz; 4G LTE Colorado Valley 700Mhz; 4G LTE ETC 700Mhz; 4G LTE Evolve Broadband 700Mhz; 4G LTE Fuego Wireless 700Mhz; 4G LTE miSpot 700Mhz; 4G LTE Mosaic Telecom 700/1700Mhz; 4G LTE Nex-Tech Wireless 700Mhz; 4G LTE Nortex 700Mhz; 4G LTE nTelos 1900Mhz; 4G LTE PTCI 700Mhz; 4G LTE Peoples Telephone Cooperative 700Mhz; 4G LTE Space Data Corporation 1700Mhz; 4G LTE Syringa 700Mhz4G LTE United Wireless 700Mhz; 4G LTE VTel 700Mhz

Here was my terminal output:

Selection_004.jpg

Note: it may take a bit to scan, just let it run the more options you have the better for later.

Sometimes you will only get a few results, and others you will have about 7 channels. It all depends on GSM traffic at that time.

Now you have narrowed down a frequency or two and we need to open up GQRX get an exact frequency for the next step. From terminal type:

root@OFF:~# gqrx

Selection_005.jpg

(see above)

Now gqrx should open up and just be sitting there. You want to take the frequencies that you scanned with kalibrate and enter them in the top left digital Mhz display, then set your filter to “Wide” and your mode to “AM”, then the “Power” button is almost directly underneath the file tab (again top left). I only mention this because apparently some people had the power button default to the same color as the background.

After adjusting your settings and adding your frequency click power to activate gqrx and it should look something like the first screenshot. Now you can see that the heavier traffic (GSM) is indicated by the thicker yellow bar and wider range on the graph, which means we have to dial it in just a little. The easiest way (so you do not lose your center) is to click into the digital dialer and use the arrow keys on your keyboard to go up or down until the little spectrum graph shows a sharper (bottom right of gqrx) drop and you can hear a high pitched squeal with little or no static, you can see this in the second screenshot below.

Selection_006.jpg

(After entering the initial scan results from Kalibrate)

Selection_007.jpg

(Dialed in on the GSM signal)
Now it is time to record the dialed in frequency somewhere so we can close gqrx and start capturing and decoding through gnu radio companion and gr-gsm (formerly airprobe, you will notice the commands still say airprobe).

Close gqrx, from root terminal change directories cd /gr-gsm/apps -see below:

Selection_008.jpg

Now enter the following command:

gnuradio-companion airprobe_rtlsdr.grc (note the hyphen and underscore)

EDIT: As of the recent update to gr-gsm this command no longer works, it is now:

gnuradio-companion grgsm_livemon.grc

(Thank you Kali.org community member jsa91)

END POST 2

[scoyok]

The goal is to point gnuradio companion at the corresponding location within the /gr-gsm/apps directory. -see below

Selection_009.jpg

after entering the proper command (gnuradio-companion grgsm_livemon.grc)

your terminal output should be this right before opening gnuradio.

Selection_010.jpg

With gnuradio companion open you should now be looking at this screen:

Selection_011.jpg

The first thing I recommend you do is adjust your QT GUI Range block, by default it starts at 900Mhz and some areas you are going need at least 800Mhz to start. So, from top left, double click on the second QT GUI Range block and it will open to look like the screenshot below. Now you can see the area I highlighted says: Start 800e6 I changed mine previously, yours should look like this: Start 900e6 You guessed it, change the “9” in yours to an “8” then click on apply to save your changes. From this point forward your beginning frequency will always be 800Mhz.

Selection_011.jpg

Now we are ready to generate our GSM block tree by clicking this little button on the top command bar

(to save a screen shot usage the button looks like a blue pyramid jumping a red ball and it is next to the universal "play" on the left)

Click one time and in the bottom terminal window it will read:

Selection_014.png


Out of screen shots END POST 3

[scoyok]

Now we will execute the block tree with the play button next to the generate button

(saving a screen shot- its the universal "Play" button next to the generate button in the last step)

Now watch your terminal window output the following, and almost instantly afterwards the Volk radio will open there will be NO SOUND.

(sadly this screen shot is failing to load, its not terribly important, just a quick read out of Volk loading)

The Volk radio should look like this:

Selection_017.jpg

This part is a little confusing, highlight the frequency indicator, then type in your EXACT frequency you recorded from gqrx earlier and hit enter. It should dial into your frequency, IF your calculations from earlier were perfect, then you will see another terminal open instantly decoding the signal with gr-gsm IT WILL SAY airprobe much like the top of Volk radio in the above screen shot.

Selection_018.jpg

Notice the wider range frequency appeared indicating GSM traffic, now after a week of practice I have got pretty good about narrowing down the frequency through gqrx radio by the visual and audio indicators. Do not get discouraged, it took me 3 hours to get it decoding the first time.
I hit the frequency dead on the terminal output within the gnuradio companion GUI is now decoding AND another root terminal has opened doing the same the output will look the same in both:

(the terminal output from gnuradio companion GUI)

Selection_019.jpg

(terminal output from the root terminal)

Selection_020.jpg

Okay so we are now successfully capturing and decoding (not decrypting OR saving) my personal GSM signal. You know that this when you see the “2b” in the code stream, this is the most common code filler used in GSM traffic. If you want to learn more then I highly recommend watching this lecture via youtube, it has a ton of educational information delivered by the leading industry expert Karsten Nohl. Just search his name and you will find it.
Now we need to send the streaming signal into wireshark for analysis. Open another terminal window and enter the following command:

wireshark -k -Y 'gsmtap && !icmp' -i lo (do not forget to enter “sudo” if your non root)

Now you should have the live stream feeding into wireshark partially decoded readed to be interpreted, it will look like the screenshot below Notice that there are paging requests with different categories assigned to them, these are where you get important information for later decryption of your own signal. For now open them up and get to know the GSM signal I will show the important information in numerous smaller screenshots below.
I will not be going over decryption in this tutorial

Selection_021.jpg

(sorry for the crappy screenshot, was trying select window shot- will not be doing that again)

Out of screen shots- END POST 4

[scoyok]

Where we left off......

The next screenshot I want you to look at (below) is a “Location Updating Request” coming in from the provider, it is also listed below Cingular Wireless (AT&T). You will also see that the cipher is not listed as it is encrypted.

Selection_023.jpg

This next one is the rest of the location update request, notice it has the IMSI number listed.

Selection_024.jpg

Let’s look at one more, we will look at a paging request. System level 1 paging request are essentially just filler containing status information, i.e. channel, power level etc… We are going to look at some more important information from a system information type 1, again this basic system information but we are working our way up the ladder.

Selection_025.jpg

I just got a text message so it has worked out for you to see the output when there is a lot of encrypted data contained in a message. This is a system information type 13

Selection_027.jpg

(these continue into each other)

Selection_028.jpg

Out of screen shots- END POST 5

[scoyok]

(these continue into each other)

Selection_029.jpg

This is from the bottom of the page in Wireshark, this where you would see text messages appear if you had the key.

Selection_030.png

There is quite a bit of information in all of these requests, including the encryption type A51, but again, I won’t be getting into rainbow tables or decrypting. I will say that there will a lot more to come from TwoBrothersDevs in the future!

This concludes this tutorial, I noticed I have gone up to 20 pages, I apologize. GSM information is hard to find in one place, and near impossible for GSM and Kali Linux. I hope this has helped you learn about this subject. The Internet is one thing, but GSM is the big picture, mastering GSM signals opens infinite possibilities!

Thanks for reading this far,

Scott (Scoyok) and Bryon (Slick97477)

For support or questions email [email protected]

For individual questions for Scott [email protected]

For individual questions for Bryon [email protected]

Look for Slick97477’s modified version of this tutorial for Kali Linux Sana 2.0 coming soon!

Slick, double check the added rtl-sdr support again for me-

[Quest]

") 5/5

Many thanks for this write up guys! Only a few have the knowhow, time and are willing to share pertinent information, so your contribution is very much appreciated, and this will give me sufficient motivation to DL KL 2016.1 and install it (I prefer KL1).

Cheers!

[slick97477]

") 5/5

Many thanks for this write up guys! Only a few have the knowhow, time and are willing to share pertinent information, so your contribution is very much appreciated, and this will give me sufficient motivation to DL KL 2016.1 and install it (I prefer KL1).

Cheers!

you are very welcome Scott and I put our hearts and souls into this stuff. When the 2 of get focused on a project there has not been something we can't figure out yet and this is our latest project. Anybody who runs would love to hear feedback of people who complete the tutorial and let us know any issue or if it worked perfectly. There were a issue or 2 i had but to be honest i am gonna hold back on posting it for now, it would make things more confusing if i put up the fixes for something thats not broke.I personally think the couple work arounds i had to do were do to KDE and not the default gnome being installed. Anyway enjoy

[soxrok2212]

Do you ever plan on doing stuff with Kraken/A5/1 rainbow tables/decrypting? Still working on getting everything set up, very busy week.

[scoyok]

Do you mean as a tutorial? Or in general?

[soxrok2212]

Both I guess!

[scoyok]

Both I guess!

In general yes, I have been. It actually plays directly into a live capture (via SDR) concept I have been tossing around that, to my knowledge, has not been done yet but obvious legalities will keep any public posts to conceptual only.

As far as a tutorial goes around utilizing the rainbow tables and Kraken goes, I think we should tread litely and base any decision on the response and responsibiltiy of the community in which it would be posted (mainly here). There is a fine line between eduaction and research and neglegance when it comes to the exact letter of the laws.

Slick and I have talked about it, at this point, lets see how this goes!

[Quest]

might be way off, but my comprehension about potential illegality is that it's not about publishing programs or knowledge, rather personal usage of programs and knowledge.

It's alot like banning machetes because it might be used as weapons, when it is in fact a tool, an inert object, that needs a human operator. If something is wrong with one individual, there are a million others who use it as a tool to cut vegetation.

In other words, who's to determine if a program or information was meant to improve a product/service or to hack a product/service?.. The answer is > individual usage. At least that's my understanding. Same with WiFi.

.02

[scoyok]

No, you are right. Posting the information is not illegal. If you watch the lecture I reference in the tutorial he discusses some of the legalities around releasing information that could compromise an active communications system that contains personal information and/or is being used by law enforcement and safety personal. In fact that is why no information was released in 2007 (might be off on the year) from the group that was researching GSM decryption at the time. Eventually, as we all know, it came out. So it isn't an issue to post tutorials on the use of kraken or the rainbow tables.

The gray area comes in when it is new information that could put people at risk. Therefore the project I am in process of conceptualizing, using USRP/SDR to capture and decrypt GSM signals live, would have to be something that a private and select group of individuals worked on with me. That project has a long way to go before it even leaves the theoretical stage, but I assure you, at some point it will.

By the way excellent analogy! I would like to focus on providing support for this tutorial right now, as I am sure as people run through it in different environments with different variables different complications may arise. I really want to see everyone functioning at 100% with Kali and GSM, it has been too long since this has functioned, and it appears even then, airprobe never really worked quite right within Kali.

On a side note, I am very excited, the creator of GR-GSM has contacted Slick and I and wants to go over the tutorial. He said he gets a lot of questions about Kali and GR-GSM, and wants to see if this works. Hopefully this tutorial can help Kali and its users get back in the running in the SDR community as a competitive distro, and the best!

Short answer, yes, we will cover decryption in the near future. It appears there is a demand, and I do love to write the tutorials!

[soxrok2212]

Awesome! I'll be setting up everything in a VM. Unfortunately, I won't be able to work with GSM decrypting as I just have a laptop and it only has a 500GB SSD. The processor would work great (i7 4980HQ) but it will be through a VM and I don't like having it running super strenuous tasks for extended periods of time... not the best cooling. Guess I need to start saving to build a desktop! Really looking forward to more of this! Thank you very much!\

Also, to anyone using and RTL-SDR, if you get this error

Code:

No package 'librtlsdr' found

While running ./configure for kalibrate-rtl, open the package manager, search librtlsdr and install the development package.

[slick97477]

Awesome! I'll be setting up everything in a VM. Unfortunately, I won't be able to work with GSM decrypting as I just have a laptop and it only has a 500GB SSD. The processor would work great (i7 4980HQ) but it will be through a VM and I don't like having it running super strenuous tasks for extended periods of time... not the best cooling. Guess I need to start saving to build a desktop! Really looking forward to more of this! Thank you very much!

Also, to anyone using and RTL-SDR, if you get this error
Code:

No package 'librtlsdr' found

While running ./configure for kalibrate-rtl, open the package manager, search librtlsdr and install the development package.

Thank you very much for pointing that out it, will get it added into the tutorial tomorrow .There are alot of great ways to circumvent the heat issue with laptops. for instance to get around alot of the over heating issues of a typical laptop, i use panasonic toughbooks when out in the field because they are made to handle extreme cold and extreme heat without failing. i currently have a cf-t8 toughbook which is dual-core but i have pushed it way beyond its limits via overclocking and it doesnt faze it. I have had running building a pyrit database for several hours at a time utilizing cpu and gpu at max usage where the most heat would normally shut down a normal laptop but toughbooks wont shut down unless the hardware itself fails. Or at least that has been my experience so far with them. Sorry for the long explanation but just a thought to get around the heat issue of a conventional laptop.

[soxrok2212]

Do you have any more tips for locking down on an exact frequency? There are 2 in my area (though I think I may have fried my GSM antenna somehow... it vibrates when I flick it... but that's another story) but I'm having trouble locking down. I'll occasionally get a string of data XX XX XX 2b 2b 2b.... but i just can't seem to hone in perfectly on a signal.

[scoyok]

Do you have any more tips for locking down on an exact frequency? There are 2 in my area (though I think I may have fried my GSM antenna somehow... it vibrates when I flick it... but that's another story) but I'm having trouble locking down. I'll occasionally get a string of data XX XX XX 2b 2b 2b.... but i just can't seem to hone in perfectly on a signal.

Yes, I was already working on another addition to this thread that will go over that more extensively, give me a couple hours to finish up my work day and I will get one up!

For now, when you are in Volk radio, I recommend double clicking into the frequency selection box, keep that box selected, then just hover your mouse over the signal wave (not all the way at the top) and it will show the exact frequency under your pointer, then enter that into the frequency box and push enter-you should still be selected.

The single biggest recommendation I have is to manually enter the numbers, use the arrow keys to move to where you to change, then backspace and enter a single or multiple digits. Do not use the auto-step (unless you want to change its step levels, Slick has modified his). I usually narrow it down to the center of the wave frequency, then I am usually just working with the last 3 digits in the 9 digit selector. Hope this helps, again I will get a more detailed explanation with screen shots later tonight for everyone that likes the visuals.

I am stoked that your that far! It gets really exciting when you start seeing the decoded signal in Wireshark!

*****two year old not feeling so good, be a day or two before I can get the addition up.*****

[slick97477]

There are a few different ways to handle the issue at hand. I am including a screenshot of gnuradio with the gr-gsm diagram opened. There are 3 boxes that say QT GUI Range. The middle one is the frequency settings. At the bottom of the middle one it says Step:100k. Cant remember off hand what the default is. However you can change those values. You can turn the stepping down so that when you scroll your mouse or hit the arrow within volk radio it wont jump so far when scrolling with the arrow or mouse.gnu1.jpg

[soxrok2212]

I was actually about to post that.. That's exactly what I did!

[thetest]

Hello,
First THANK YOU guys for your contribution!
But (i repeated the procedure two times to be sure)..

[ 70%] Generating python docstrings for grgsm_swig_doc
[ 70%] Built target grgsm_swig_swig_doc
Scanning dependencies of target _grgsm_swig_swig_tag
[ 72%] Building CXX object swig/CMakeFiles/_grgsm_swig_swig_tag.dir/_grgsm_swig_swig_tag.cpp.o
Linking CXX executable _grgsm_swig_swig_tag
[ 72%] Built target _grgsm_swig_swig_tag
[ 73%] Generating grgsm_swig.tag
Scanning dependencies of target grgsm_swig_swig_2d0df
[ 75%] Building CXX object swig/CMakeFiles/grgsm_swig_swig_2d0df.dir/grgsm_swig_swig_2d0df.cpp.o
Linking CXX executable grgsm_swig_swig_2d0df
Swig source
[ 75%] Built target grgsm_swig_swig_2d0df
Scanning dependencies of target _grgsm_swig
[ 77%] Building CXX object swig/CMakeFiles/_grgsm_swig.dir/grgsm_swigPYTHON_wrap.cxx.o
Linking CXX shared module _grgsm_swig.so
/usr/bin/ld: cannot find -lgrgsm
collect2: error: ld returned 1 exit status
swig/CMakeFiles/_grgsm_swig.dir/build.make:90: recipe for target 'swig/_grgsm_swig.so' failed
make[2]: *** [swig/_grgsm_swig.so] Error 1
CMakeFiles/Makefile2:303: recipe for target 'swig/CMakeFiles/_grgsm_swig.dir/all' failed
make[1]: *** [swig/CMakeFiles/_grgsm_swig.dir/all] Error 2
Makefile:127: recipe for target 'all' failed
make: *** [all] Error 2


I tried to sick to your instructions as hard it is possible:

"Go back to Package Downloader and search for Talloc again, there should be somewhere around 7 more 2.1.x packages now the other dependencies have opened up, download them or you will return a “make” failure. Trust me do it.
So, things should be going good, make sure you are in the right directory and that you do this in the right order or any one of these could become very frustrating."

There was no new Talloc.

Do you have any idea what can be wrong?

Cheers, TT

[scoyok]

Hello,
First THANK YOU guys for your contribution!
But (i repeated the procedure two times to be sure)..

[ 70%] Generating python docstrings for grgsm_swig_doc
[ 70%] Built target grgsm_swig_swig_doc
Scanning dependencies of target _grgsm_swig_swig_tag
[ 72%] Building CXX object swig/CMakeFiles/_grgsm_swig_swig_tag.dir/_grgsm_swig_swig_tag.cpp.o
Linking CXX executable _grgsm_swig_swig_tag
[ 72%] Built target _grgsm_swig_swig_tag
[ 73%] Generating grgsm_swig.tag
Scanning dependencies of target grgsm_swig_swig_2d0df
[ 75%] Building CXX object swig/CMakeFiles/grgsm_swig_swig_2d0df.dir/grgsm_swig_swig_2d0df.cpp.o
Linking CXX executable grgsm_swig_swig_2d0df
Swig source
[ 75%] Built target grgsm_swig_swig_2d0df
Scanning dependencies of target _grgsm_swig
[ 77%] Building CXX object swig/CMakeFiles/_grgsm_swig.dir/grgsm_swigPYTHON_wrap.cxx.o
Linking CXX shared module _grgsm_swig.so
/usr/bin/ld: cannot find -lgrgsm
collect2: error: ld returned 1 exit status
swig/CMakeFiles/_grgsm_swig.dir/build.make:90: recipe for target 'swig/_grgsm_swig.so' failed
make[2]: *** [swig/_grgsm_swig.so] Error 1
CMakeFiles/Makefile2:303: recipe for target 'swig/CMakeFiles/_grgsm_swig.dir/all' failed
make[1]: *** [swig/CMakeFiles/_grgsm_swig.dir/all] Error 2
Makefile:127: recipe for target 'all' failed
make: *** [all] Error 2


I tried to sick to your instructions as hard it is possible:

"Go back to Package Downloader and search for Talloc again, there should be somewhere around 7 more 2.1.x packages now the other dependencies have opened up, download them or you will return a “make” failure. Trust me do it.
So, things should be going good, make sure you are in the right directory and that you do this in the right order or any one of these could become very frustrating."

There was no new Talloc.

Do you have any idea what can be wrong?

Cheers, TT

Okay, sorry for the delay in response, a few questions so I can better help you:

Are you running rolling release or Sana?

Did you start from a fresh install or existing?
(I have two different error logs to go through depending on your answer)

When you say "I tried to stick to your instructions best I could..." what instructions were you not able to follow and what errors did you get?

I will look into what you have now, the more info you have the better. I will even take an entire log if you have it. During this install you are doing some delicate things when creating the directory based python, c++ overlay and hierarchy. If you have an entire log you can email it to me at [email protected] and slick can assist as well. There a lot of possibilities based on whay you have posted, narrowing it down will help a lot!

Bests,

Scoyok

[thetest]

Thank you for your answer. It appears that something is wrong with the sources:
https://github.com/ptrkrysik/gr-gsm/issues/143

In the meantime: would your install procedure be fine with 'kali-rolling'?

Cheers, TT

[scoyok]

Thank you for your answer. It appears that something is wrong with the sources:
https://github.com/ptrkrysik/gr-gsm/issues/143

In the meantime: would your install procedure be fine with 'kali-rolling'?

Cheers, TT

I suspected that was the case. Yes! This guide is actually specifically for rolling release! Its in the title Running this tutorial in Sana is quite complex, there are many source issues, actually one of the first steps is to swap your sources to the rolling release and apt-get a few packages then switch back. The versions and compatability of the Sana sources are VERY different, on just enough of the packages, that Slick and I found no other way to install this on Sana. As was the case for many before us, we simply had the advantage of gr-gsm being released, 2016.1 releasing and pure determination. We haven't released the Sana tutorial yet because there are soooo many variables between environments i.e. drivers, version etc.... that we simply do not have the time to offer support (yet) and are working on a few additions to this tutorial, a rainbow tables tutorial and we are both dads with overtime based careers.

Best advice, start at the top of the tutorial and read every word with a fresh install of Kali 2016.1 rolling release and it will work. Capture all your logs and if you hit a snag let us know!

Between the both us and those emailing us, this tutorial has been successfull more times than I have time to count! If you find anything you think we should add post it!

Bests,

Scott

[slick97477]

I suspected that was the case. Yes! This guide is actually specifically for rolling release! Its in the title Running this tutorial in Sana is quite complex, there are many source issues, actually one of the first steps is to swap your sources to the rolling release and apt-get a few packages then switch back. The versions and compatability of the Sana sources are VERY different, on just enough of the packages, that Slick and I found no other way to install this on Sana. As was the case for many before us, we simply had the advantage of gr-gsm being released, 2016.1 releasing and pure determination. We haven't released the Sana tutorial yet because there are soooo many variables between environments i.e. drivers, version etc.... that we simply do not have the time to offer support (yet) and are working on a few additions to this tutorial, a rainbow tables tutorial and we are both dads with overtime based careers.

Best advice, start at the top of the tutorial and read every word with a fresh install of Kali 2016.1 rolling release and it will work. Capture all your logs and if you hit a snag let us know!

Between the both us and those emailing us, this tutorial has been successfull more times than I have time to count! If you find anything you think we should add post it!

Bests,

Scott

As Scott stated this tutorial is mainly for kali 2016.1 rolling release. I am putting together all the steps needed for the different packages needed to compile the gsm decoding. There are several packages that have dependencies that are from the rolling release but are backwards compatible with kali 2.0 sana. Sorry i have not got them up yet, have a pregnant wife, and a sick daughter on top of work so free time has been very scarce lately, should have some this weekend and get the package differences up so you run it on Kali 2.0 too. I am not in front of my main machine but if i am not mistaken the error you are getting is from one of the packages that is required from the rolling release repository. Easiest way to find out is to add the rolling release repository to your /etc/apy/sources.lst file then use synaptic(kde) or package manager for (gnome) and refresh the list and check for the newer version. Just install the one package needed and re-edit the sources.lst and refresh your packages again or it will show alot of packages from rolling release. Some of the new packages dont play nice together, However i just did a complete fresh install of kali rolling release on a test machine and was able to complete the tutorial without any issue
Will try and get exact details of the packages up this weekend.


Bryon

[Quest]

speaking of "backwards compatible", I still haven't found the motivation to DL/install 2016.1 I just don't like the new interface and other things about it. Maybe I will come around (probly not), but if you guys are bored one day and have free time, I (and I suspect other dropouts) would like an annex for KL 1.1.0a (un-updated). OR the soon to be KiLiX http://www.division0.net/aboutus.html

OT: do you have an eta soxrok?

[soxrok2212]

As of right now, KiliX is being designed as an embedded OS to run on small embedded systems (pretty much devices that can run OpenWrt or similar). Don't really have an ETA. AAnarchYY is the leader of that project. I'm working on a site overhaul now, still have a lot of work to do, decided to use an open source theme as it's much easier to maintain and it also has a mobile css stylesheet so it formats correctly for mobile devices.

Kinda back on topic, I think I managed to melt my GSM antenna It vibrates when I flick it and my signal quality is pretty crappy now... I still haven't been able to tune in precisely either. Pain in the **** finding the exact frequency towers are using in my area. I'll have to see about building a new (or a few new types of antennas) for some fun projects.

[scoyok]

As of right now, KiliX is being designed as an embedded OS to run on small embedded systems (pretty much devices that can run OpenWrt or similar). Don't really have an ETA. AAnarchYY is the leader of that project. I'm working on a site overhaul now, still have a lot of work to do, decided to use an open source theme as it's much easier to maintain and it also has a mobile css stylesheet so it formats correctly for mobile devices.

Kinda back on topic, I think I managed to melt my GSM antenna It vibrates when I flick it and my signal quality is pretty crappy now... I still haven't been able to tune in precisely either. Pain in the **** finding the exact frequency towers are using in my area. I'll have to see about building a new (or a few new types of antennas) for some fun projects.

Okay, so I know I have been saying I am adding more for a couple weeks, I am sorry. My son got sick, I got sick, my wife is now sick and I put in 155.4 hours in the last pay period. No more excuses, I have dedicated time set aside for this weekend. Family is out of town and I have a half days at work.

So, soxrok2212, can you give me a little more information about whats happening when you are trying to fine tune? Screen shots if you can, and maybe the region or the frequencies you are trying to dial in, are you using the antenna that came with the rtl-sdr? As many of the little details that you can give me the better, I want to rule out some noise issues and see what you are seeing so I can help you dial in a bit.

Everyone else; Any other issues you have that you want Slick or I to tackle this weekend? Now is the time.

Bests,

scoyok -Scott

[krysiek]

I have followed the whole tutorial, Kali 2016.1 rolling, RTL-SDR device. I have no any airprobe files in gr-gsm/apps folder. Are they not installed if no why?.

During installation in chapter 5b, I saw that when the files have been chceking there was something like" checking floor ....no sqrt....no. the rest of all were ok.
I have tried to find and install it(srt,floor) trough package center but there was nothing through apt-get as well, not found.

[scoyok]

I have followed the whole tutorial, Kali 2016.1 rolling, RTL-SDR device. I have no any airprobe files in gr-gsm/apps folder. Are they not installed if no why?.

During installation in chapter 5b, I saw that when the files have been chceking there was something like" checking floor ....no sqrt....no. the rest of all were ok.
I have tried to find and install it(srt,floor) trough package center but there was nothing through apt-get as well, not found.

sounds like gr-gsm did not completely "make", can you copy and paste your output into this thread for me?

Sorry about delays, moving and my pc is down while I build a rainbow tables/hash server and I have barely have cell service. Bare with me and we will get you up running!

[krysiek]

I have found something like grgsm_livemon.py and and grgsm_capture.py in gr-gsm\apps\helpers directory. When I run it,t works. Is this ok or should it be not the *.py files? I gues its python script.

Might it be that the autor of grgsm is not distributing those missing airprobe files?

regards

[scoyok]

I have found something like grgsm_livemon.py and and grgsm_capture.py in gr-gsm\apps\helpers directory. When I run it,t works. Is this ok or should it be not the *.py files? I gues its python script.

Might it be that the autor of grgsm is not distributing those missing airprobe files?

regards

Its possible, unlikely though, as the creator of gr-gsm (piotr) is one of the original airprobe creators and has been in contact with me since the publishing of this tutorial. If you could stand waiting about 15 hours, Bryon (slick) the co writer of this tutorial is coming to stay with me sat to sun and we will run through a fresh run of the tutorial and see if we can re create your issue and solve it. My gut is still telling me something failed in your make of the gr-gsm directories. This is a touchy process as we are directory basing c++ over python, controlled by a python heirarchy....ugh. One error may have flashed before your screen during the make but not stopped it or was ignored and without the log file it will be hard to find, but not impossible! Give us a day! We will get back to you here!

[scoyok]

Its possible, unlikely though, as the creator of gr-gsm (piotr) is one of the original airprobe creators and has been in contact with me since the publishing of this tutorial. If you could stand waiting about 15 hours, Bryon (slick) the co writer of this tutorial is coming to stay with me sat to sun and we will run through a fresh run of the tutorial and see if we can re create your issue and solve it. My gut is still telling me something failed in your make of the gr-gsm directories. This is a touchy process as we are directory basing c++ over python, controlled by a python heirarchy....ugh. One error may have flashed before your screen during the make but not stopped it or was ignored and without the log file it will be hard to find, but not impossible! Give us a day! We will get back to you here!

Okay through nunerous attempts, I cannot re create your error. So my only suggestion at this point is to run it again and capture your log so I may be able to assist you further. Sorry wish I could help more with what you have. I will be without internet access for the the next few weeks but I will to my best to stay in touch via my phone.

Bests

[jsa91]

Thank you so very much for this tutorial guys! Haven't been able to use gr-gsm since the 2016.1 release, until now.

During my installation I found something you might want to consider changing.

POST 3 describes the following command to open gnuradio-companion: gnuradio-companion airprobe_rtlsdr.grc
This produced the following error:

root@kali:~# gnuradio-companion airprobe_rtlsdr.grc
<<< Welcome to GNU Radio Companion 3.7.9 >>>

Preferences file: /root/.gnuradio/grc.conf
Block paths:
/usr/local/share/gnuradio/grc/blocks
/usr/share/gnuradio/grc/blocks
/root/.grc_gnuradio

Loading: "airprobe_rtlsdr.grc"
Error: [Errno 2] No such file or directory: 'airprobe_rtlsdr.grc'
>>> Failure
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/gnuradio/grc/gui/MainWindow.py", line 193, in new_page
file_path=file_path,
File "/usr/lib/python2.7/dist-packages/gnuradio/grc/gui/NotebookPage.py", line 49, in __init__
initial_state = flow_graph.get_parent().parse_flow_graph(file_path )
File "/usr/lib/python2.7/dist-packages/gnuradio/grc/base/Platform.py", line 191, in parse_flow_graph
open(flow_graph_file, 'r') # test open
IOError: [Errno 2] No such file or directory: 'airprobe_rtlsdr.grc'

Showing: ""

As I can understand it, developer Ptrkrysik changed the commands within gr-gsm with his latest update. In this case airprobe_rtlsdr is now replaced with grgsm_livemon
(source: https://github.com/ptrkrysik/gr-gsm/wiki/Usage)

Using the command gnuradio-companion grgsm_livemon.grc in /gr-gsm/apps could, in this case be a problem solver.

/J

[scoyok]

Thank you so very much for this tutorial guys! Haven't been able to use gr-gsm since the 2016.1 release, until now.

During my installation I found something you might want to consider changing.

POST 3 describes the following command to open gnuradio-companion: gnuradio-companion airprobe_rtlsdr.grc
This produced the following error:

root@kali:~# gnuradio-companion airprobe_rtlsdr.grc
<<< Welcome to GNU Radio Companion 3.7.9 >>>

Preferences file: /root/.gnuradio/grc.conf
Block paths:
/usr/local/share/gnuradio/grc/blocks
/usr/share/gnuradio/grc/blocks
/root/.grc_gnuradio

Loading: "airprobe_rtlsdr.grc"
Error: [Errno 2] No such file or directory: 'airprobe_rtlsdr.grc'
>>> Failure
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/gnuradio/grc/gui/MainWindow.py", line 193, in new_page
file_path=file_path,
File "/usr/lib/python2.7/dist-packages/gnuradio/grc/gui/NotebookPage.py", line 49, in __init__
initial_state = flow_graph.get_parent().parse_flow_graph(file_path )
File "/usr/lib/python2.7/dist-packages/gnuradio/grc/base/Platform.py", line 191, in parse_flow_graph
open(flow_graph_file, 'r') # test open
IOError: [Errno 2] No such file or directory: 'airprobe_rtlsdr.grc'

Showing: ""

As I can understand it, developer Ptrkrysik changed the commands within gr-gsm with his latest update. In this case airprobe_rtlsdr is now replaced with grgsm_livemon
(source: https://github.com/ptrkrysik/gr-gsm/wiki/Usage)

Using the command gnuradio-companion grgsm_livemon.grc in /gr-gsm/apps could, in this case be a problem solver.

/J

Hello, and Thank you!

I suspected something to that effect had occurred, I just got internet again, after moving, yesterday. Slick and I have been exchanging emails with a few people that have been heading in that direction, but with both us on madatory overtime, families and only one with internet 100 miles away from each other not much progress had been made on tje issue! I will login on my pc and update the tutorial to include the changes that you have pointed out. Again many thanks, we are very limited in the time we have to be active at this time and appreciate people helping support this tjread and tutorial!

Bests,

Scott

[dsound]

I've been wanting this for a long, long time.

PS I have an HD of Tables lying around that's bored and needs something to do.

[pamamolf]

Does it works on 3G or 4G ?

Also do i have to be close to the mobile that i want to test so we both be connected on the same antenna (Tower) ?

[scoyok]

Does it works on 3G or 4G ?

Also do i have to be close to the mobile that i want to test so we both be connected on the same antenna (Tower) ?

Yes and yes, you can capture both, and decode, you would just see the base band info like the screen shots but, 3g and 4g are EXTREMELY difficult to crack from scratch (rainbow tables will not work). That would involve creating a mini cell tower, then writing your own base band code, targeting the processors "secret" operating system and initiating a text (which is actually a paging request within the base band OS that the operator of the phone would be completely unaware of) that auto-executes and allows the initiator access to EVERYTHING on the device. That is not cracking though...that is just straight taking over, once there you could get the phones GSM key, but that would be a little redundant consider you could just read or listen to whatever you want at that point.

Bottom line, too much work. Said "Attacker" is better off engineering a deceptive attachment that the user initiates and allows the "Attacker" control.

[sylentrage]

not trying to hijack the thread, but this being about the only one with people talking about sdr and all that. i have the nooelec rtl2832u /r820t dongle. and lately been using these softwares just by following the installers on their site/github pages, and they work on both windows/and my kali linux rolling install. http://www.pothosware.com/ directs to. https://github.com/pothosware . and another sdrtrunk https://github.com/DSheirer/sdrtrunk .

[scoyok]

not trying to hijack the thread, but this being about the only one with people talking about sdr and all that. i have the nooelec rtl2832u /r820t dongle. and lately been using these softwares just by following the installers on their site/github pages, and they work on both windows/and my kali linux rolling install. http://www.pothosware.com/ directs to. https://github.com/pothosware . and another sdrtrunk https://github.com/DSheirer/sdrtrunk .

Curious...so following the above links will allow gsm capturing and decoding via wireshark? Or are you saying these links to software just allow the use of general sdr capture? I do not have a lot of time lately to look around for others achieving this objective...

Update:

Checked through quickly and saw a lot of cool bands and noticed a few suggestions referencing gsm but no actual gsm decoding, something that appeared to be gsm capturing but not exactly sure if there was any success. If anyone finds an actual success please link it to me here and I would love to investigate and add references to this thread for the greater wealth of knowledge, I am still working through a functional rainbow tables walk through and, well that takes up my only free time.

Scoyok