# Passive Sniffing

### Detect BTSs Around

`grgsm_scanner` sweeps the chosen band and lists every BTS it finds with its ARFCN, downlink frequency, CID, LAC, MCC, MNC and received power. `--args=rtl=0` selects the first RTL-SDR; the ARFCN of the cell you want to study is the input to the capture step.

```
grgsm_scanner --band=GSM900 --gain=34 --speed=5 --args=rtl=0
```

### Capture Broadcast packets from BTS

Record the downlink of the chosen ARFCN for `--rec-length` seconds. `--args` selects the SDR (a HackRF here, whereas the scan above used an RTL-SDR). The resulting `.cfile` is the input to every decode step that follows, so keep the ARFCN and file name consistent.

```
grgsm_capture --arfcn=11 --rec-length=70 --args="hackrf,num_recv_frames=1024" --gain=34 arfcn_11.cfile
```

### Decode BCCH Channels

The Broadcast Control Channel (BCCH) is the downlink-only logical channel on timeslot 0 of a cell's BCCH carrier (C0) on which the BTS repeats its System Information messages. They carry the network identity (MCC/MNC, Location Area Code and Cell Identity), the configuration of the common control channels, the neighbour-cell ARFCNs a mobile needs for cell selection and reselection, and the access parameters for the RACH.

The BCCH is never ciphered, so it decodes from a passive capture without any key. Decoding it first also tells you how the cell's control channels are laid out, which decides the `--mode` and `--timeslot` to use in the following steps.

```
grgsm_decode --arfcn=11 --mode=BCCH --timeslot=0 --cfile=arfcn_11.cfile
```

### Decode SDCCH/8 Channels

The Standalone Dedicated Control Channel (SDCCH) carries the signalling exchanged with one mobile outside a call: location updates, call set-up, SMS, authentication and the Ciphering Mode Command. SDCCH/8 is the configuration in which eight SDCCH subchannels (each with its own SACCH) share a single timeslot; in the combined configuration four subchannels (SDCCH/4) share timeslot 0 with the BCCH and CCCH instead.

Which timeslot to decode depends on the cell: the CCCH_CONF field of System Information Type 3 says whether the CCCH is combined with SDCCH/4. For a non-combined cell the SDCCH/8 is usually on timeslot 1 of the BCCH carrier, which is what the command below assumes; for a combined cell use `--mode=BCCH_SDCCH4 --timeslot=0` instead. Everything up to the Ciphering Mode Command is sent in clear, so identities (IMSI/TMSI), the RAND of the Authentication Request and the A5 algorithm chosen are readable here; the ciphered part that follows decodes only with Kc (next section).

```
grgsm_decode --cfile=arfcn_11.cfile --arfcn=11 --mode=SDCCH8 --timeslot=1 --print-bursts
```
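The BCCH and SDCCH sections above both depend on what System Information Type 3 says about the cell. The following parser is an added example, not code from the original page or from gr-gsm: it decodes the SI3 L2 frame (octet layout per 3GPP TS 44.018 9.1.35 and 10.5.2.11, LAI per TS 24.008 10.5.1.3) into the PLMN, LAC, Cell Identity and CCCH configuration, and derives the `grgsm_decode` invocation for the cell's SDCCH. The two sample frames are constructed for this example, and the timeslot it picks for SDCCH/8 is an assumption (timeslot 1 of the BCCH carrier is the common layout; SI3 does not signal it).

```python
"""Decode the network and control-channel parameters a BTS broadcasts in SI3 on the BCCH.

Added example (not from the original page or from gr-gsm). Layout per 3GPP TS 44.018
9.1.35 / 10.5.2.11 and TS 24.008 10.5.1.3. Sample frames are constructed; the SDCCH/8
timeslot suggested below is an assumption (TS1 of the BCCH carrier is the usual layout).
"""

# Constructed SI3 L2 frame (23 octets): test PLMN 001-01, LAC 1, CI 1, ATT set,
# BS_AG_BLKS_RES 2, one CCCH combined with SDCCH/4 (CCCH_CONF = 001),
# BS_PA_MFRMS 2, T3212 = 10 decihours, rest octets padded with 0x2B.
SI3_COMBINED = bytes.fromhex(
    "49 06 1b 00 01 00 f1 10 00 01 51 00 0a 00 00 00 00 00 00 2b 2b 2b 2b"
)
# Same cell with CCCH_CONF = 000: one CCCH timeslot, SDCCH not combined on TS0.
SI3_NON_COMBINED = SI3_COMBINED[:10] + b"\x50" + SI3_COMBINED[11:]

# CCCH_CONF (TS 44.018 10.5.2.11) -> (number of CCCH timeslots, combined with SDCCH/4)
CCCH_CONF = {0: (1, False), 1: (1, True), 2: (2, False), 4: (3, False), 6: (4, False)}


def _bcd(nibble):
    """One BCD digit; 0xF is the filler that marks a two-digit MNC."""
    return "" if nibble == 0xF else str(nibble)


def parse_lai(lai):
    """5-octet Location Area Identification -> (MCC, MNC, LAC)."""
    if len(lai) != 5:
        raise ValueError("LAI is 5 octets")
    mcc = _bcd(lai[0] & 0xF) + _bcd(lai[0] >> 4) + _bcd(lai[1] & 0xF)
    mnc = _bcd(lai[2] & 0xF) + _bcd(lai[2] >> 4) + _bcd(lai[1] >> 4)
    return mcc, mnc, int.from_bytes(lai[3:5], "big")


def parse_si3(frame):
    """Parse an SI3 L2 frame as carried on the BCCH; ValueError on anything else."""
    if len(frame) != 23:
        raise ValueError("SI3 is a 23-octet L2 frame")
    # Octet 1 is the L2 pseudo-length: length in bits 8..3, bits 2..1 fixed to 01.
    if frame[0] & 0x03 != 0x01 or frame[0] >> 2 != 18:
        raise ValueError("bad L2 pseudo-length octet 0x%02x" % frame[0])
    # Octet 2: skip indicator / protocol discriminator (RR = 0x06); octet 3: message type.
    if frame[1] & 0x0F != 0x06 or frame[2] != 0x1B:
        raise ValueError("not an RR System Information Type 3 message")
    ccd = frame[10:13]  # Control Channel Description IE
    ccch_conf = ccd[0] & 0x07
    if ccch_conf not in CCCH_CONF:
        raise ValueError("reserved CCCH_CONF value %d" % ccch_conf)
    n_ccch, combined = CCCH_CONF[ccch_conf]
    mcc, mnc, lac = parse_lai(frame[5:10])
    return {
        "cell_id": int.from_bytes(frame[3:5], "big"),
        "mcc": mcc,
        "mnc": mnc,
        "lac": lac,
        "att": bool(ccd[0] & 0x40),              # IMSI attach/detach allowed
        "bs_ag_blks_res": (ccd[0] >> 3) & 0x07,  # CCCH blocks reserved for AGCH
        "ccch_conf": ccch_conf,
        "ccch_timeslots": n_ccch,
        "combined_ccch": combined,
        "bs_pa_mfrms": (ccd[1] & 0x07) + 2,      # multiframes between pagings
        "t3212_decihours": ccd[2],               # periodic location update timer
    }


def sdcch_decode_command(info, cfile, arfcn):
    """grgsm_decode invocation for the cell's SDCCH, chosen from CCCH_CONF."""
    if info["combined_ccch"]:
        mode, timeslot = "BCCH_SDCCH4", 0  # SDCCH/4 shares TS0 with BCCH/CCCH
    else:
        mode, timeslot = "SDCCH8", 1       # assumption: SDCCH/8 on TS1 of C0
    return "grgsm_decode --cfile=%s --arfcn=%d --mode=%s --timeslot=%d" % (
        cfile, arfcn, mode, timeslot)


if __name__ == "__main__":
    for frame in (SI3_COMBINED, SI3_NON_COMBINED):
        info = parse_si3(frame)
        print("PLMN %s-%s LAC %d CI %d CCCH_CONF=%d" % (
            info["mcc"], info["mnc"], info["lac"], info["cell_id"], info["ccch_conf"]))
        print("  " + sdcch_decode_command(info, "arfcn_11.cfile", 11))
```

Feed it the 23 hex octets of an SI3 frame from the BCCH decode (the message with type 0x1B) and it tells you whether to decode the dedicated channel as `BCCH_SDCCH4` on timeslot 0 or as `SDCCH8`.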

### A5/1 Cracking with Kc Key

A5/1 is the stream cipher that protects voice and signalling on the GSM air interface once the network has sent the Ciphering Mode Command. It is keyed with the 64-bit session key Kc, which the SIM derives from its secret Ki and the RAND of the Authentication Request with the A8 algorithm; the network computes the same Kc on its side, so Kc itself is never transmitted. Every burst is ciphered with a fresh 114-bit keystream block computed from Kc and the 22-bit COUNT value formed from the TDMA frame number.

#### Key Features of A5/1 Encryption:

* **Stream cipher**: three LFSRs of 19, 22 and 23 bits with majority-rule clocking produce a keystream that is XORed onto the 114 payload bits of each burst, so encryption adds no latency to speech.
* **64-bit Kc, often 54 effective**: in many deployments the COMP128-derived Kc has its last 10 bits forced to zero, so the real key space is 2^54.
* **Hardware-friendly**: designed for the cheap handset hardware of the late 1980s, which is also why it is weak against today's cryptanalysis.
* **One Kc per connection**: only the frame number changes from burst to burst; the same Kc is reused for the whole connection and the COUNT value wraps with the hyperframe (about 3.5 hours).

A5/1 is broken in practice: known-plaintext and time-memory trade-off attacks with precomputed tables recover Kc from a handful of ciphered bursts, which is why networks moved to A5/3 and later generations use different ciphers. Note that `grgsm_decode` does not crack anything itself: the command below decrypts the ciphered part of the SDCCH capture with a Kc you already hold (for example from a test SIM or a phone under your control), on the timeslot that carries the SDCCH/8 (timeslot 1 in the usual non-combined layout).

```
grgsm_decode --cfile=arfcn_11.cfile --arfcn=11 --mode=SDCCH8 --timeslot=1 --a5=1 --kc=KEY-HERE
```
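To make the description above concrete, here is a pure-Python A5/1 keystream generator. It is an added example, not code from the original page or from gr-gsm: the register sizes, taps and clocking follow the public description of A5/1, and the block reproduces the published test vector of the Briceno/Goldberg/Wagner reference implementation, including that implementation's convention of consuming Kc byte 0 first, least-significant bit first. The frame-number to COUNT mapping and the 54-bit Kc check are included as the caveats a practitioner runs into when decrypting captured bursts.

```python
"""A5/1 keystream generation, the cipher grgsm_decode applies with --a5=1 and a Kc.

Added example, not from the original page or from gr-gsm. Three LFSRs (19, 22, 23 bits)
with majority-rule clocking; reproduces the reference implementation's test vector.
"""

R1_MASK, R2_MASK, R3_MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF  # 19-, 22-, 23-bit registers
R1_MID, R2_MID, R3_MID = 1 << 8, 1 << 10, 1 << 10          # clocking-control bits
R1_TAPS, R2_TAPS, R3_TAPS = 0x072000, 0x300000, 0x700080  # feedback taps
R1_OUT, R2_OUT, R3_OUT = 1 << 18, 1 << 21, 1 << 22         # output bits (register MSBs)

TEST_KC = bytes.fromhex("1223456789abcdef")  # reference implementation's test key
TEST_COUNT = 0x134                           # reference implementation's test frame value


def _parity(x):
    return bin(x).count("1") & 1


def _step(reg, mask, taps):
    """Clock one LFSR: shift left, feed back the XOR of the tapped bits."""
    return ((reg << 1) & mask) | _parity(reg & taps)


class A51:
    """A5/1 keyed with an 8-byte Kc and the 22-bit COUNT of one TDMA frame."""

    def __init__(self, kc, count):
        if len(kc) != 8:
            raise ValueError("Kc must be 8 bytes")
        if count < 0 or count >> 22:
            raise ValueError("COUNT is a 22-bit value")
        self.r1 = self.r2 = self.r3 = 0
        for i in range(64):                # key loading: majority rule suspended
            self._clock_all()
            self._xor_in((kc[i >> 3] >> (i & 7)) & 1)
        for i in range(22):                # frame-number loading, LSB first
            self._clock_all()
            self._xor_in((count >> i) & 1)
        for _ in range(100):               # mixing clocks, output discarded
            self._clock()

    def _xor_in(self, bit):
        self.r1 ^= bit
        self.r2 ^= bit
        self.r3 ^= bit

    def _clock_all(self):
        self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def _clock(self):
        """Majority rule: a register steps only if its control bit agrees with the majority."""
        b1, b2, b3 = bool(self.r1 & R1_MID), bool(self.r2 & R2_MID), bool(self.r3 & R3_MID)
        maj = (b1 + b2 + b3) >= 2
        if b1 == maj:
            self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        if b2 == maj:
            self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        if b3 == maj:
            self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def _output_bit(self):
        return _parity(self.r1 & R1_OUT) ^ _parity(self.r2 & R2_OUT) ^ _parity(self.r3 & R3_OUT)

    def keystream(self, nbits=114):
        """Next nbits of keystream packed MSB-first (114 bits -> 15 bytes, last 6 bits zero)."""
        out = bytearray((nbits + 7) // 8)
        for i in range(nbits):
            self._clock()
            out[i >> 3] |= self._output_bit() << (7 - (i & 7))
        return bytes(out)


def fn_to_count(fn):
    """TDMA frame number -> the 22-bit COUNT A5 is keyed with (T1, T3, T2 fields)."""
    t1, t2, t3 = fn // (26 * 51), fn % 26, fn % 51
    return (t1 << 11) | (t3 << 5) | t2


def burst_keystreams(kc, fn):
    """(downlink, uplink) 114-bit blocks for frame fn; decryption is XOR with the payload bits."""
    cipher = A51(kc, fn_to_count(fn))
    return cipher.keystream(), cipher.keystream()


def looks_like_54bit_kc(kc):
    """Heuristic: a COMP128-derived Kc has its last 10 bits (standard byte order) forced to zero."""
    return kc[7] == 0 and (kc[6] & 0x03) == 0


if __name__ == "__main__":
    c = A51(TEST_KC, TEST_COUNT)
    print("BTS->MS:", c.keystream().hex())  # 534eaa582fe8151ab6e1855a728c00
    print("MS->BTS:", c.keystream().hex())  # 24fd35a35d5fb6526d32f906df1ac0
    dl, ul = burst_keystreams(TEST_KC, 1326)
    print("FN 1326 -> COUNT %#x, downlink block %s" % (fn_to_count(1326), dl.hex()))
```

The first block is the BTS-to-MS keystream, the second the MS-to-BTS one, which is what `grgsm_decode` needs per burst once the Ciphering Mode Command has taken effect. If `looks_like_54bit_kc` is true for a Kc you recovered, the network is still issuing the weak COMP128-style keys the list above warns about.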

