
3DS Pro

A guide to 3DS

Uploaded by

x5cff2dj5c
A 2021 GUIDE TO BYPASS 3D-SECURE BY MAKING AN IMSI CATCHER TO INTERCEPT GSM TRAFFIC

Hustlers, the most talked-about 3D-Secure payment protocol will continue to be


rolled out throughout this year 2021 and beyond, those of you who will adapt
will continue to survive and thrive and those who will ignore this will be left
behind to catch the dust, in this guide today we will give you an up to date
information on making your very own IMSI catcher to bypass 3D-Secure
transactions.
This may sound like a plan straight out from a Hollywood blockbuster but we
can assure you that it’s not as complicated as you may think and very practical
to implement once you understand the mechanics of how the IMSI catcher
works.
Recently, there have been many cases of using GSM hijacking + text message
sniffing to steal bank cards, let us explain to you by laying out the information
on how to sniff the traffic of a GSM Network and will follow the structure in this
guide below.

Now, before we delve deeper into the subject, some basic terminology and
background information on GSM is provided below as it’s necessary for you to
understand and digest this article further ahead as you will scroll down and
more importantly how to go about making one for your own team (considering
you are part of an underground cybercrime network and a heavy hitter)

#AN SDR
SDR stands for “Software Defined Radio”. It is a radio broadcast
communication technology in which the wireless communication protocol is
defined in software instead of being implemented in hard-wired circuitry.
SDR allows easy signal processing and experimentation with more complex
radio-frequency builds.
#AN RTL-SDR

An RTL-SDR is a Realtek (RTL2832U) TV stick. These TV sticks can pass
raw I/Q samples to the host, which can be used for DAB / DAB+ / FM demodulation.

#GSM
GSM stands for “Global System for Mobile” communication. FYI, more than 5
billion people use GSM technology to communicate all over the world.
Operators in every country use a different frequency within the possible GSM
spectrum. More information is available at
https://www.worldtimezone.com/gsm.html.

#IMSI
IMSI stands for “International Mobile Subscriber Identity” and is globally
unique for each subscriber. The IMSI consists of 15 digits, which contain the
Mobile Country Code (MCC), Mobile Network Code (MNC), and the Mobile
Subscriber Identification Number (MSIN). The IMSI is stored in the Subscriber
Identity Module also known as your SIM card.
So now you have some idea of where we are heading with this article.
Let’s get the “generations” out of the way as well. We always aim to keep
our articles lean by only touching on the information that is
important and necessary for that particular subject.

#1G
The first generation of mobile phones was implemented in the 1980s. The data
sent from and to the phones were analog and naturally had no security
whatsoever.
Additionally, it was only possible to make voice calls with 1G networks;
text messaging was not yet possible at that point.
#2G
In the 1990s the second generation of mobile phone technology was rolling out.
Features such as SMS, data, MMS, voice mail, and call forwarding were
implemented. Also, the radio signals became digital and were encrypted.
Later 2.5G and 2.75G were introduced and both implemented improved
techniques for data transfer such as GPRS and EDGE.
The Global System for Mobile Communication (GSM) standard is the most
widely used 2G standard and as of 2007, the most widely used mobile phone
protocol in general.

#3G
3G was slowly rolled out in the 00s. The International Telecommunication Union
(ITU) set up specifications that label certain mobile networks as 3G. 3G mobile
networks support Global positioning systems (GPS), mobile television, and
video conferencing.
It also offers way more data transfer bandwidth and speed. Furthermore, the
encryption standard is improved by using two-way authentication between the
mobile phone and the base station and having improved encryption standards.

#4G
4G is also specified by the International Telecommunication Union (ITU). One of
the requirements of 4G is a speed of 100 Mbit/s in a car or train and 1 Gbit/s for
pedestrians.
A 4G internal network is also completely IP-based, so no more circuit-switched
telephone.
It must be noted that the current 4G standards are not actually fully compliant
yet with the ITU specifications. However, they are still considered 4G since they
are the closest to 4G speeds and are substantially better than 3G technologies.

#5G
The next-generation of telecom networks (fifth generation or 5G) started hitting
the market at the start of 2019 and will continue to expand worldwide in 2021
and beyond.
Besides the speed improvement, 5G is expected to unleash a massive IoT
(Internet of Things) ecosystem where networks can serve communication
needs for billions of connected devices, with the right trade-offs between
speed, latency, and cost, this is going to be very interesting, honestly, we can’t
wait!
#GSM ARCHITECTURE
Take a good look at this below as we will explain that for your ease so it will be
easier to understand as we are building your knowledge step by step before we
go for the kill, so to speak!

#MS
MS represents a “mobile station”. The mobile station is a device that can
access the GSM network via radio.
The mobile station can be broken down into two separate parts, the mobile
hardware, and the SIM card.

#BS
No, it’s not bull shit, BS stands for “base station”. It is the antenna and is also
called the “cell tower” or “cell site.”
One BS covers a cellular area in the cellular network. The size of this cell can
vary from a few hundred meters to several kilometers.
The size of the cell area depends on the landscape features and the population
density of the area.
In subway stations and large buildings, relay stations can be placed to act as
repeaters. These relay stations then wire the signal to the nearest base station.

#BSC
BSC means “base station controller”. It controls several base stations and
handles the session handoffs between the different base stations when a user
is moving through different cells.
If the base stations are not connected to the same BSC, then the Mobile
Switching Center (MSC) handles the handover.

#MSC
MSC is a “mobile switching center”. It is responsible for managing
authentication, handover to the other BSCs, and routing calls to the landline.

#VLR
VLR is for “Visitor Location Register” and each MSC has its own Visitor Location
Register (VLR). The VLR holds subscriber information of subscribers that are
under the care of the MSC (which are copied from the Home Location Register
(HLR)).
The VLR, for example, holds the Temporary Mobile Subscriber Identity (TMSI),
which is a temporary alias for the IMSI. This is to reduce the frequent
broadcasting of the IMSI.

#HLR
The “home location register” HLR stores personal subscriber information
like the IMSI and the phone number. There is only one HLR for every GSM
network provider.

#AUC
AUC means “Authentication Center”. It handles the authentication
process of a subscriber to the network.
The AUC holds the shared secret key and generates the random challenge that
is used to authenticate.

#WHAT IS AN IMSI CATCHER?

An IMSI Catcher is a device, with the right software it can be used to locate and
track all mobile phones that are switched on in a certain area.
The IMSI Catcher does this by “pretending” to be a mobile phone tower so it
basically tricks your phone into connecting to it and then revealing your
personal details without your knowledge.
IMSI catchers are indiscriminate surveillance tools that could be used to track
the activities of your target, they can also monitor calls and edit your target
messages and the best part is that they wouldn’t even know it had happened.
#HOW DOES AN IMSI CATCHER WORK?
As explained above, IMSI Catchers are devices that act like fake cell towers,
which trick a target’s device to connect to them and then relay the
communication to an actual cell tower of the network carrier.
The target’s communications in the form of calls, text messages, internet
traffic, etc. go through the IMSI Catcher, which can read messages, listen to the
calls, and so on.
While all this is happening at the same time your victim will have no knowledge
that this is happening as everything will seemingly work as normal, in
underground terms we can refer to it as a “Man-In-Middle” attack.

This is possible because mobile phones are always looking for the mobile tower
with the strongest signal to provide the best communication. This is usually the
nearest one. At the same time, when a device connects to a cell tower, it
authenticates to it via an IMSI number.
However, the tower doesn’t have to authenticate back. This is why every time
someone places a device that acts as a cell tower near your phone, it would
connect to it and give away its IMSI.

HOW IMSI CATCHER ID YOUR TARGET?


IMSI is a number unique to a SIM card. Once your target’s phone is tricked into
connecting to an IMSI catcher, it then reveals its unique number.
You may have heard numerous cases in which cops were able to catch the
guy/gal by identifying them, yes that’s right cops in most countries around the
world have access to this IMSI catcher so once the police have the IMSI, they
can easily determine the identity of that person.

HOW IMSI CATCHER FINDS THE LOCATION?


Once the target’s phone has been tricked into revealing its IMSI, the IMSI
catcher can determine its phone’s general location by measuring the strength
of the signal from the phone.
Measuring the strength of the signal from different locations permits an ever-
more precise determination of the phone’s location.

CAN YOU USE IMSI CATCHER TO INTERCEPT


CALLS & TEXTS?
The short answer is “Yes”. There is a lot more to it than just calls and texts.
IMSI Catcher can ‘intercept’ your target’s text messages, “calls” and
“Internet traffic”.
This means you can read or listen to your target’s personal communications.
IMSI Catchers can even re-route or edit communications and data sent to and
from your target’s phone, isn’t that amazing?
IMSI Catchers can also temporarily block communication service so your target
can no longer use their phone to make or receive calls and text messages this
holds true even for emergency calls.

#INSTALLATION
#Hardware
Feel free to search any of the hardware below on aliexpress or alibaba as you
will find every single piece of hardware needed to make your own IMSI catcher.
You will then use the device for practical purposes to bypass 3D-secure
protocols, of course, you can use it for a whole range of things other than just
for your cybercriminal activities but we recommends that you use the tools that
are needed to do specific jobs and not get into extra-curricular activities that
may end up wasting your time, if you are into gathering intel for blackmailing
and what not then suit yourself, but always weigh the risks involved before
getting into things to see if you have the infrastructure needed to carry out the
jobs that you are after or else you can always talk to us (only if you are serious
and ready to take action).
So, the hardware that you will need is:
• RTL-SDR
• Hackrf
• USRP
• Blade-RF

#SOFTWARE
The following software tools are required for practical purposes.
• GR-GSM – A python module used for receiving information transmitted
by GSM.
• Wireshark – Captures the wireless traffic.
• IMSI-Catcher – This program shows the IMSI number, country, brand,
and operator of cellphones.
• GQRX – Software defined radio receiver.
• RTL-SDR Tools – Gets the information on the RTL SDR dongle.
• Kailbrate – Determines the signal strength.

INSTALLATION GUIDE FOR WIRESHARK, GQRX, GR-GSM, RTL-


SDR
sudo apt-get update

sudo apt-get install gnuradio gnuradio-dev git cmake autoconf libtool


pkg-config g++ gcc make libc6 libc6-dev libcppunit-1.14-0 libcppunit-
dev swig doxygen liblog4cpp5v5 liblog4cpp5-dev python3-scipy gr-
osmosdr libosmocore libosmocore-dev rtl-sdr osmo-sdr libosmosdr-
dev libboost-all-dev libgmp-dev liborc-dev libboost-regex-dev
python3-docutils build-essential automake librtlsdr-dev libfftw3-dev
gqrx wireshark tshark

git clone -b maint-3.8 https://github.com/velichkov/gr-gsm.git

cd gr-gsm

mkdir build
cd build

cmake ..

make

sudo make install

sudo ldconfig

export PYTHONPATH=/usr/local/lib/python3/dist-packages/:
$PYTHONPATH

#KALIBRATE INSTALLATION
sudo apt-get update

git clone https://github.com/steve-m/kalibrate-rtl

cd kalibrate-rtl

./bootstrap && CXXFLAGS=’-W -Wall -O3′

./configure

make

sudo make install

Installation of IMSI Catcher

sudo apt install python-numpy python-scipy python-scapy

git clone https://github.com/Oros42/IMSI-catcher.git

#CAPTURING GSM TRAFFIC


Now you have made it this far, we are sure you are very excited to read what
lays ahead, for this practical, the RTL-SDR dongle was used (you can easily get
that on aliexpress or alibaba as explained above). Once the tools installation
process is complete, plugin the RTL-SDR USB dongle into your system.
Open the terminal and run the below command to check the dongle has been
plugged in successfully.

In the US Mobile, GSM networks work on HSPA/HSPA+ 1900 MHz, 1700/2100


MHz frequency bands (Uplink and Downlink) but you can easily get your
countries frequency or contact our support and we will get you the frequencies
for your country.
The help guide of the “GRGSM Scanner” tool.

See you can easily search for nearby GSM base stations using “Kalibrate” or
“GRGSM_Scanner” tools.

Three base stations were found. The signal mentioned above was relatively
strong with a frequency of 945.4MHz and 945.6MHz.
In the above manner, we obtained some parameter information of the base
station, such as: center frequency, channel, ARFCN value, LAC, MCC, MNC
value, etc.
With the above details, we want to sniff the base station frequency. For that the
program called “grgsm_livemon” will be used.
The help guide of the “grgsm_livemon” tool.

Run the “Wireshark” before running the “grgsm_livemon” tool to capture


the packets.
Select any interface to capture all the data.
Once the sniffing of the frequency starts, a popup window appears, as shown in
the screenshot below.

The frequency button needs to be moved in order to capture the frequency.


Once data capture starts it will look like the screenshot below.
Now we need to capture the IMSI details with the help of an “IMSI Catcher”
tool.
To capture the IMSI and other details like TMSI, Country, Brand, Operator, MCC,
MNC, LAC, Cell-ID etc., run the “IMSI Catcher” tool.

In Wireshark, the captured data of the base station’s MNC, MCC, LAI, and other
information can be seen.

IMSI CATCHER DETECTION


There are different applications available, which help to find the IMSI Catcher in
your location. Once it is installed on mobile, it will automatically detect the IMSI
Catcher.
Are you surprised? Well, don’t be; let us explain how that works!
Once you have the mobile/cell tower database application installed on your
phone, you will see it will show a database of all the cell/mobile towers of
phone carriers in your city location and it regularly updates this list.
Now here’s the fun part, every time it detects a cell tower, it checks the list to
see if it exists. If it exists, then it is a legitimate one, and there is no one trying
to intercept your communications.
However, if the tower is not on the list, there is something suspicious going on
and there is a high probability that this is an IMSI Catcher, trying to intercept
your communications.
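
The list check described above, as an added example that is not part of the original guide: each observed tower is looked up in a database of known towers, and anything missing is flagged. It also goes one step beyond the text by flagging a listed Cell-ID that shows up under a different LAC. The `Cell` type, the function names, the log format and all tower values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cell:
    mcc: str   # Mobile Country Code
    mnc: str   # Mobile Network Code
    lac: int   # Location Area Code
    cid: int   # Cell-ID

# Constructed stand-in for a downloaded tower database (MCC 001 is the test-network code).
KNOWN_TOWERS = {
    Cell("001", "01", 1201, 40011),
    Cell("001", "01", 1201, 40012),
    Cell("001", "02", 3300, 51877),
}

# Constructed observation log, one line per sighting: timestamp,mcc,mnc,lac,cid,rssi_dbm
OBSERVATIONS = """\
2021-03-01T09:00:05,001,01,1201,40011,-87
2021-03-01T09:00:35,001,01,1201,40012,-91
2021-03-01T09:01:05,001,01,9999,40012,-52
2021-03-01T09:01:35,001,01,1201,77777,-49
bad line without enough fields
2021-03-01T09:02:05,001,02,3300,51877,-95
"""

def parse_observation(line):
    """Return (timestamp, Cell, rssi) or None for a malformed line."""
    parts = line.strip().split(",")
    if len(parts) != 6:
        return None
    ts, mcc, mnc, lac, cid, rssi = parts
    try:
        return ts, Cell(mcc, mnc, int(lac), int(cid)), int(rssi)
    except ValueError:
        return None

def check_observations(text, known=KNOWN_TOWERS):
    """Return (timestamp, cell, reason) for every sighting that fails the list check."""
    listed_lac = {(c.mcc, c.mnc, c.cid): c.lac for c in known}
    alerts = []
    for line in text.splitlines():
        parsed = parse_observation(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the scan
        ts, cell, _rssi = parsed
        if cell in known:
            continue  # tower is on the list: treated as legitimate
        lac = listed_lac.get((cell.mcc, cell.mnc, cell.cid))
        reason = (f"known cell id, LAC {cell.lac} differs from listed {lac}"
                  if lac is not None else "tower not in database")
        alerts.append((ts, cell, reason))
    return alerts
```

A list check of this kind is only as good as the database behind it, so a newly commissioned legitimate tower will also be flagged until the list is updated.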
So in such a case, the best course of action that you can take is to turn off your
phone and turn it on again, once you are out of that IMSI’s reach, but hey this
was just to tell you how one can detect the IMSI catcher but you have nothing
to worry about as you will be the one with IMSI catcher and you may find a
unicorn before you will find someone who has the cell/mobile tower database
app installed on their phone.
But just in case if you would like to do an experiment on your very own IMSI
catcher you can do so by installing one of the following Apps to detect your
IMSI catcher.
• Osmocom
• Android IMSI
• SnoopSnitch
• Cell Spy Catcher
• GSM Spy Finder
With that said above, it’s time for us to wrap up this article, today you have
learned A 2021 GUIDE TO BYPASS 3D-SECURE BY MAKING AN IMSI
CATCHER TO INTERCEPT GSM TRAFFIC.

Meanwhile, we will see you on the other side!
