Welcome back, my aspiring cyberwarriors!
In our modern digital world, there are cell towers all around us! As we travel, our cell phones automatically switch between these towers to give us uninterrupted cellular service (we hope). In addition, law enforcement and intelligence agencies set up their own cell towers in order to intercept our calls and eavesdrop on our conversations and data. One of the first steps to determining whether you are a target of such agencies is to find out which cell towers are in your vicinity. That way, if a new cell tower suddenly appears, you will know it. This is also the first step to understanding your local cell service infrastructure, a necessity if you hope to test it.
Think of this as the nmap scan of the cellular world: it provides the basic information before you begin testing.
In addition, this data, combined with cell tower locations, can be used for more mundane tasks such as:
- Boost Your Signal Strength
- Troubleshoot Coverage
- Optimize 5G Home Internet
- Choose the Best Carrier
- Infrastructure Understanding
- Investigate the suspect’s location
In subsequent tutorials, we will use this information to intercept and decode signals from these cell towers.
For this tutorial, I will be using DragonOS, a Debian variant developed specifically for signals intelligence and SDR work. Instead of spending hours downloading and setting up your tools, they come pre-installed. In this case, I will be using LTE-Cell-Scanner with a HackRF.

LTE-Cell-Scanner scans specified frequencies to identify active LTE cells, their cell IDs and signal information. It supports both FDD and TDD modes.
Step #1: Fire Up DragonOS
Let’s begin by firing up DragonOS and locating LTE-Cell-Scanner. Unfortunately, it is not in the menu, so you will need to navigate to /usr/src/LTE-Cell_Scanner.

Now, let’s take a look at the help screen for this excellent tool.
dragonos> CellSearch -h

This tool has innumerable options, but let’s keep it simple at first.
Step #2: Scan a Frequency Range
4G LTE operates at different frequencies in different countries and with different carriers, ranging from 600 MHz to 3.8 GHz. This is obviously a very wide band, but the most common bands are 700 MHz, 850 MHz, 1700/2100 MHz, 1900 MHz, 2300 MHz and 2600 MHz. So, we could search the entire spectrum from 600 MHz to 3.8 GHz, but we would be better served by focusing on these frequently used bands.
The basic command to begin searching for cell towers looks like this:
dragonos> CellSearch --freq-start <start_hz> --freq-end <end_hz>
Let’s begin by searching the low frequency band at 700 MHz. I will begin my search at 699 MHz and progress to 801 MHz to capture the entire range.
dragonos> CellSearch --freq-start 699000000 --freq-end 801000000 -g 50
When we hit Enter, the scanner begins sweeping the area for LTE towers transmitting in the specified frequency range. Be patient; this process is very time consuming.

Eventually, the scan completes and reports that it has found 4 cell towers operating in that range of frequencies, specifically one at 719.5 MHz, two at 731.5 MHz, and one at 739 MHz. Note that our scan identifies that these towers use FDD, or Frequency Division Duplexing (separate frequencies for uplink and downlink), and reports each cell ID (CID).

Next, let’s try scanning a wider spectrum of LTE frequencies in the higher ranges, specifically 1.7 GHz to 2.3 GHz. These frequencies are more often found in urban areas.
dragonos> CellSearch --freq-start 1700e6 --freq-end 2300e6 -g 50
Since this is an even wider frequency range, be prepared to wait. This might be a good time to get another cup of coffee and address another task; in some cases, these scans can take hours.

Eventually our scan completes and reports that it found 7 cell towers in our area operating in the frequencies between 1.7 GHz and 2.3 GHz.

Now that we know which cell towers are in our area and their frequencies, if a new cell suddenly appears, we should probably investigate. It may simply be a new tower from a carrier, or it may be law enforcement placing a StingRay in your area to eavesdrop on your cellular communications. Be vigilant!
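The baseline-and-diff check that paragraph describes, as an added example that is not part of the original post or of the LTE-Cell-Scanner project: it parses the cell table a CellSearch-style scan prints, keeps it as a JSON baseline, and on a later scan flags cells that appeared or vanished. The column names (DPX, CID, fc, RXPWR) and the SI-suffixed frequency format (719.5M) are assumptions modelled on the tool's table, so adjust them to your build; both scan texts are constructed sample data echoing the four 700 MHz cells found above, with one cell removed and one unfamiliar, strong cell added to show what the report looks like.

```python
"""Baseline-and-diff check for LTE cell scans (added example; not code from the
post or from LTE-Cell-Scanner). ASSUMPTIONS: the column names DPX/CID/fc/RXPWR
and the SI-suffixed frequency format (719.5M) are modelled on the tool's table;
adjust them to your build. Both scan texts below are constructed sample data."""
import json
import re
from dataclasses import asdict, dataclass

_SI = {"": 1.0, "k": 1e3, "M": 1e6, "G": 1e9}  # suffix multipliers (assumed format)

def parse_freq_hz(token: str) -> int:
    """Convert '719.5M', '4.12k' or a plain Hz value into an integer in Hz."""
    m = re.fullmatch(r"([-+]?\d+(?:\.\d+)?)([kMG]?)", token)
    if not m:
        raise ValueError(f"unrecognised frequency token: {token!r}")
    return int(round(float(m.group(1)) * _SI[m.group(2)]))

@dataclass(frozen=True)
class Cell:
    duplex: str      # FDD or TDD
    cid: int         # physical cell ID reported by the scan
    fc_hz: int       # carrier (centre) frequency in Hz
    rxpwr_db: float  # received power as printed by the scan

    def key(self) -> tuple:
        # Identity across scans; power is excluded because it drifts with position/weather.
        return (self.duplex, self.cid, self.fc_hz)

def parse_cellsearch(text: str) -> list[Cell]:
    """Extract Cell records from the table that follows the 'DPX' header row."""
    cells, col = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            col = None  # a blank line ends the table
            continue
        if parts[0] == "DPX":  # header row: remember each column's position
            col = {name: i for i, name in enumerate(parts)}
            continue
        if col and parts[0] in ("FDD", "TDD"):
            cells.append(Cell(parts[col["DPX"]], int(parts[col["CID"]]),
                              parse_freq_hz(parts[col["fc"]]), float(parts[col["RXPWR"]])))
    return cells

def cells_to_json(cells: list[Cell]) -> str:
    """Serialise a scan so it can be kept on disk as the baseline."""
    return json.dumps([asdict(c) for c in cells], indent=2)

def cells_from_json(text: str) -> list[Cell]:
    return [Cell(**d) for d in json.loads(text)]

def diff_scans(baseline: list[Cell], current: list[Cell]) -> dict:
    """Cells present now but not in the baseline ('new'), and the reverse ('missing')."""
    base = {c.key(): c for c in baseline}
    now = {c.key(): c for c in current}
    def order(c: Cell): return (c.fc_hz, c.cid)
    return {"new": sorted((now[k] for k in now.keys() - base.keys()), key=order),
            "missing": sorted((base[k] for k in base.keys() - now.keys()), key=order),
            "unchanged": len(now.keys() & base.keys())}

def format_report(report: dict) -> list[str]:
    lines = [f"{report['unchanged']} cell(s) match the baseline"]
    for c in report["new"]:
        lines.append(f"NEW     {c.duplex} CID {c.cid:>4} at {c.fc_hz / 1e6:.1f} MHz ({c.rxpwr_db} dB) -> investigate")
    for c in report["missing"]:
        lines.append(f"MISSING {c.duplex} CID {c.cid:>4} at {c.fc_hz / 1e6:.1f} MHz (was {c.rxpwr_db} dB)")
    return lines

# Constructed baseline echoing the four 700 MHz cells found in the post.
BASELINE_SCAN = """\
Detected the following cells:
DPX CID A   fc    foff RXPWR C nRB P  PR CrystalCorrectionFactor
FDD 124 2 719.5M -1.2k -18.3 N  50 N one 0.99999810
FDD 301 2 731.5M  0.8k -21.7 N  50 N one 0.99999810
FDD 302 2 731.5M  0.9k -24.1 N  50 N one 0.99999810
FDD  57 2   739M -2.5k -19.9 N  50 N one 0.99999810
"""

# Constructed later scan: CID 302 is gone and an unfamiliar, strong CID 498 shares 739 MHz.
CURRENT_SCAN = """\
DPX CID A   fc    foff RXPWR C nRB P  PR CrystalCorrectionFactor
FDD 124 2 719.5M -1.1k -17.9 N  50 N one 0.99999812
FDD 301 2 731.5M  0.7k -22.0 N  50 N one 0.99999812
FDD  57 2   739M -2.4k -20.3 N  50 N one 0.99999812
FDD 498 1   739M  0.3k  -6.5 N  25 N one 0.99999812
"""

if __name__ == "__main__":
    saved = cells_to_json(parse_cellsearch(BASELINE_SCAN))  # what you would write to disk
    report = diff_scans(cells_from_json(saved), parse_cellsearch(CURRENT_SCAN))
    print("\n".join(format_report(report)))
```

In practice you would redirect each CellSearch run to a file, keep the first run's JSON as the baseline, and run the diff after every later scan. A cell is keyed on duplex mode, cell ID and carrier frequency rather than on received power, because power legitimately drifts between scans; a "NEW" line with a much stronger signal than its neighbours is the case worth a closer look.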
Step #3: Gathering Data on a Specific Cell Tower
Now that we know which cell towers are in our vicinity, we can focus our reconnaissance on the towers at a specific frequency. For instance, we learned above that there is a cell tower using 719.5 MHz. We can use the tool CellTracker to gain information about this tower or any others operating at the same frequency.
We simply use the command CellTracker_hackRF with the -f switch followed by the frequency, and the -g switch followed by the gain, such as:
dragonos> CellTracker_hackRF -f 719500000 -g 50

As you can see above, CellTracker monitors the multiple towers operating at that frequency and provides us with the Cell ID and Signal-to-Noise Ratio (SNR) of each. Here we can see the SNR is negative for each of these towers, indicating a very weak and noisy signal (a negative SNR means the noise is “stronger” than the signal; healthy signals should be in the +20 to +50 range).
Let’s try another frequency. This time we will track the cell towers operating at 1.9675 GHz.
dragonos> CellTracker_hackRF -f 1967500000 -g 50

Here you see that the SNRs are a little better but still relatively weak. No wonder I have such poor cell service at this location.
Summary
Mobile telecom systems are among the most important infrastructure in our digital lives. We depend upon them for our cellphone service and, in many cases, Internet access. Furthermore, many companies use cell service to communicate across sprawling industrial control systems (ICS).
The most advanced hackers in the world are always attacking these systems because the rewards are so great. Once inside the network, the attacker has access to all data and voice transmissions. Chinese APT hackers have infiltrated the US and other nations’ cellular systems for just this reason.
The better you understand these systems, the better you can protect them. That is why we are offering training in Building Your Own Low Cost 5G Network.
Source: HackersArise
Source Link: https://hackers-arise.com/signals-intelligence-scanning-for-cell-towers-in-your-vicinity/