Sniffer Technology Documentation
CHAPTER 1
INTRODUCTION
One of the most interesting things about a cell phone is that it is really a radio, an extremely
sophisticated radio that uses a band of frequencies and works, at the basic level, much like an
ordinary cordless phone. Mobile cellular communication has been appreciated since its birth in
the early 70s, and advances in the field of VLSI have helped in designing lower-power, smaller,
yet efficient transceivers for the purpose of communication.
However, the technology has not yet answered the problem of lost or misplaced mobile phones,
which is increasing significantly. In this paper we discuss the problem and a probable solution.
The IMEI number is a unique number embedded in the mobile phone; its main purpose is to block
calls made by an unauthorized person once the mobile is reported stolen, but here we use it
effectively for the purpose of detection.
A sniffer, which can also be referred to as a network analyzer, is a piece of software that
captures network traffic, decodes it and presents the packet information so that a network
administrator can use it to help diagnose problems on the network. But because these tools can
be so powerful, they can also give leverage to those of the black hat world by allowing them to
pull plain-text information off the network as well (usernames, passwords, unencrypted emails,
instant message chats, etc.).
Some of the more "legitimate" uses for a sniffer fall to network administrators. They can be
used to probe the network for bandwidth usage, helping pinpoint which individual machines may
be running malware or simply have wrong network settings. Sniffers are often used as a practical
defense for finding intrusion attempts by detecting inappropriate traffic. If you are ever going
to be in a role where you need to ensure your network is protected, you would do well to learn
how to use a sniffer. I recommend Wireshark (formerly known as Ethereal); it is free (as in
beer) and well supported with great documentation. Other alternatives are NAI Sniffer
(commercial), tcpdump (*nix), WinDump (Win32), Cain & Abel, dsniff and Ettercap (the last three
are most specialized for password extraction but can still be used to test your applications or
network protocols).
Sniffers can also be used to bypass security. Many application protocols pass credentials in
plain text or use weak encryption that is easy for a sniffer to decode. Common examples of
insecure protocols are FTP, Telnet, POP3, SMTP and HTTP Basic Authentication.
One of the most common attacks, other than password sniffing, that sniffers can be used for is
ARP spoofing (ARP poisoning). ARP (Address Resolution Protocol) allows the network to translate
IP addresses into MAC addresses. Essentially, when one host using IP on the LAN is trying to
contact another, it needs the MAC address of the host it is trying to contact. It first looks in
its ARP cache to see if it already knows the MAC address. Otherwise, it sends out an ARP request
(asking who has the IP).
In shared-medium networks like a wired hub or 802.11b, all traffic can be seen by all hosts whose
NICs are in promiscuous mode, but not on a switched network. A switch looks at the data sent to
it and only forwards frames to the intended recipient based on the MAC address. This helps secure
the network by only sending packets to where they need to go. Programs like arpspoof (part of the
dsniff package), Ettercap or Cain & Abel allow an attacker to fool the network into thinking
their machine has the IP it is looking for, and then funnel the victim's traffic through the
attacker's machine.
So, even with a switched network, it is not too difficult for an attacker to simply boot up a
BackTrack CD, do some ARP spoofing with dsniff or Ettercap, and redirect traffic through their
machine for the purpose of sniffing.
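The defensive counterpart of the ARP poisoning just described is to watch the ARP replies on the segment for conflicting bindings. The following is an added example (not code from the original report) that parses constructed lines in the style of `tcpdump -n arp` output and flags the two symptoms an administrator would look for: one IP answered for by more than one MAC, and one MAC answering for several IPs. The sample log, the addresses and the optional trusted gateway mapping are all made up for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -n arp` output (not a real capture).
# Lines 3 and 4 show one MAC (...:99) suddenly answering for both the gateway (.1)
# and a host (.20), the poisoning pattern described in the text above.
SAMPLE_ARP_LOG = """\
12:00:01.000101 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
12:00:01.000250 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
12:00:05.120000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:99, length 28
12:00:05.120500 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:99, length 28
12:00:06.000000 ARP, Reply 192.168.1.30 is-at 00:11:22:33:44:30, length 28
"""

# Only replies carry an IP -> MAC binding; requests are ignored.
REPLY_RE = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9A-Fa-f:]{17})")


def arp_bindings(log_text):
    """Return (ip -> set of MACs that claimed it, mac -> set of IPs it claimed)."""
    ip_to_macs, mac_to_ips = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            ip, mac = m.group(1), m.group(2).lower()
            ip_to_macs[ip].add(mac)
            mac_to_ips[mac].add(ip)
    return ip_to_macs, mac_to_ips


def find_arp_conflicts(log_text, trusted=None):
    """Flag IPs whose ARP replies look like poisoning: more than one MAC claims
    the IP, a claiming MAC also answers for other IPs, or the MAC differs from a
    trusted static mapping (e.g. the gateway's known MAC). `trusted` is an
    optional {ip: mac} dict supplied by the administrator."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ip_to_macs, mac_to_ips = arp_bindings(log_text)
    alerts = {}
    for ip, macs in ip_to_macs.items():
        reasons = []
        if len(macs) > 1:
            reasons.append("multiple MACs claim this IP")
        if any(len(mac_to_ips[mac]) > 1 for mac in macs):
            reasons.append("a claiming MAC also answers for other IPs")
        if ip in trusted and macs != {trusted[ip]}:
            reasons.append("reply MAC differs from trusted mapping")
        if reasons:
            alerts[ip] = {"macs": sorted(macs), "reasons": reasons}
    return alerts


if __name__ == "__main__":
    gateway = {"192.168.1.1": "00:11:22:33:44:01"}  # constructed trusted mapping
    for ip, info in find_arp_conflicts(SAMPLE_ARP_LOG, trusted=gateway).items():
        print(ip, info["macs"], "; ".join(info["reasons"]))
```

The "one MAC answers for several IPs" rule will also fire for legitimate multi-homed hosts or a router that proxies ARP, so in practice it is weighted lower than a change of the gateway's MAC; the trusted mapping is what turns the heuristic into a firm alert.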
CHAPTER 2
INTERNATIONAL MOBILE EQUIPMENT IDENTITY
BRIEF EXPLANATION ABOUT IMEI:
The IMEI number is used by a GSM network to identify valid devices and
therefore can be used for stopping a stolen phone from accessing that network. For
example, if a mobile phone is stolen, the owner can call their network provider and
instruct them to blacklist the phone using its IMEI number. This renders the phone
useless on that network and sometimes other networks too, whether or not the
phone's subscriber identity module (SIM) is changed.
The IMEI is only used for identifying the device and has no permanent or semi-permanent
relation to the subscriber. Instead, the subscriber is identified by transmission of an
International Mobile Subscriber Identity (IMSI) number, which is stored on a SIM card that can
in theory be transferred to any handset.
Many countries have acknowledged the use of the IMEI in reducing the effect of
mobile phone thefts. For example, in the United Kingdom, under the Mobile Telephones
(Re-programming) Act, changing the IMEI of a phone, or possessing equipment that can
change it, is considered an offence under some circumstances.
IMEI blocking is not the only approach available for combating phone theft. For
example, mobile operators in Singapore are not required by the regulator to implement
phone blocking or tracing systems, IMEI-based or other. The regulator has expressed its
doubts on the real effectiveness of this kind of system in the context of the mobile market
in Singapore. Instead, mobile operators are encouraged to take measures such as the
immediate suspension of service and the replacement of SIM cards in case of loss or theft.
The existence of a formally allocated IMEI number range for a GSM terminal
does not mean that the terminal is approved or complies with regulatory requirements.
The linkage between regulatory approval and IMEI allocation was removed in April
2000, with the introduction of the European R&TTE Directive. Since that date, IMEIs
have been allocated by BABT (or one of several other regional administrators acting on
behalf of the GSM Association) to legitimate GSM terminal manufacturers without the
need to provide evidence of approval.
When mobile equipment is stolen or lost, the owner can contact their local
operator with a request that it should be blocked from the operator's network, and the
operator can be expected to do so if required by law in the operator's jurisdiction. If the
local operator possesses an Equipment Identity Register (EIR), it then may put the device
IMEI into it, and can optionally communicate this to shared registries, such as the Central
Equipment Identity Register (CEIR) which blacklists the device in switches of other
operators that use the CEIR. With this blacklisting in place the device becomes unusable
on any operator that uses the CEIR, making theft of mobile equipment a useless business
proposition, unless for parts.
The IMEI number is not supposed to be easy to change, which is what makes CEIR blacklisting
effective. However, this is not always the case: a phone's IMEI may be easy to change with
special tools. In addition, the IMEI is an unauthenticated mobile identifier (as opposed to the
IMSI, which is routinely authenticated by home and serving mobile networks). A spoofed IMEI can
thwart all efforts to track handsets, or to target handsets for lawful intercept.
Australia was first to implement IMEI blocking across all GSM networks, in
2003. In Australia the Electronic Information Exchange (EIE) Administration Node
provides a blocked IMEI lookup service for Australian customers.
In the UK, a voluntary charter operated by the mobile networks ensures that any
operator's blacklisting of a handset is communicated to the CEIR and subsequently to all
other networks. This ensures the handset will be unusable for calls quite quickly, at most
within 48 hours.
All UK Police forces, including the Metropolitan Police Service actively check
IMEI numbers of phones found involved in crime, against the National Mobile Property
Register (NMPR). The NMPR draws its information from many property databases. One
of the databases consulted is Immobilize, which allows optional (and free) registration of
devices by the public. Such registration ensures that a device coming into police
possession may be easily reunited with its registered owner.
It is unclear whether local barring of IMEI has any positive effect, as it may result
in international smuggling of stolen phones.
LIMITATIONS:
The IMEI (15 decimal digits: 14 digits plus a check digit) or IMEISV (16 digits) includes
information on the origin, model, and serial number of the device. The structure of the
IMEI/SV is specified in 3GPP TS 23.003. The model and origin comprise the initial 8-digit
portion of the IMEI/SV, known as the Type Allocation Code (TAC). The remainder of the IMEI is
manufacturer-defined, with a Luhn check digit at the end. For the IMEI format prior to 2003,
the GSMA guideline was to have this Check Digit always transmitted to the network as zero.
This guideline seems to have disappeared for the format valid from 2003 onwards.

Format:      AA-BBBBBB-CCCCCC-D (IMEI)   or   AA-BBBBBB-CCCCCC-EE (IMEISV)

Old IMEI:    TAC = AA-BBBB | FAC = BB | Serial number = CCCCCC | Luhn check digit = D (optional)
New IMEI:    TAC = AA-BBBBBB         | Serial number = CCCCCC | Luhn check digit = D (optional)
Old IMEISV:  TAC = AA-BBBB | FAC = BB | Serial number = CCCCCC | Software Version Number (SVN) = EE
New IMEISV:  TAC = AA-BBBBBB         | Serial number = CCCCCC | Software Version Number (SVN) = EE

phones was 00. After April 1, 2004, the Final Assembly Code ceased to exist and the
Type Allocation Code increased to eight digits in length.
In any of the above cases, the first two digits of the TAC are the Reporting Body
Identifier, which identifies the GSMA-approved group that allocated the TAC. The RBI
numbers are allocated by the Global Decimal Administrator. IMEI numbers being
decimal allows them to be distinguished from an MEID, which is hexadecimal and
always has 0xA0 or larger as its first two hexadecimal digits.
For example, the old style IMEI code 35-209900-176148-1 or IMEISV code 35-209900-176148-23
tells us the following:
TAC: 35-2099 - issued by the BABT (code 35) with the allocation number 2099
FAC: 00 - indicating the phone was made during the transition period when FACs were
being removed
SNR: 176148 - uniquely identifying a unit of this model
CD: 1 - the check digit, so it is a GSM Phase 2 or higher phone
SVN: 23 - the "software version number" identifying the revision of the software installed
on the phone; 99 is reserved
By contrast, the new style IMEI code 49-015420-323751 has an 8-digit TAC of
49-015420.
The new CDMA Mobile Equipment Identifier (MEID) uses the same basic format
as the IMEI.
The Check Digit shall be calculated according to Luhn formula (ISO/IEC 7812). (See
GSM 02.16 / 3GPP 22.016). The Check Digit is a function of all other digits in the IMEI.
The Software Version Number (SVN) of a mobile is not included in the calculation.
The purpose of the Check Digit is to help guard against the possibility of incorrect entries
to the CEIR and EIR equipment.
The presentation of the Check Digit both electronically and in printed form on the label
and packaging is very important. Logistics (using bar-code reader) and EIR/CEIR
administration cannot use the Check Digit unless it is printed outside of the packaging,
and on the ME IMEI/Type Accreditation label.
The check digit is not transmitted over the radio interface, nor is it stored in the EIR
database at any point. Therefore, all references to the last three or six digits of an IMEI
refer to the actual IMEI number, to which the check digit does not belong.
1. Starting from the right, double every other digit (e.g., 7 → 14).
2. Sum the digits (e.g., 14 → 1 + 4).
3. Check if the sum is divisible by 10.
Conversely, one can complete an IMEI by choosing the check digit that gives a sum divisible
by 10 (the example IMEI 354530085441085 satisfies this check). For the body 49015420323751
with unknown check digit x:

IMEI                 4   9   0   1   5   4   2   0   3   2   3   7   5   1   x
Double every other   4  18   0   2   5   8   2   0   3   4   3  14   5   2   x
Sum digits           4 + (1 + 8) + 0 + 2 + 5 + 8 + 2 + 0 + 3 + 4 + 3 + (1 + 4) + 5 + 2 + x = 52 + x

To make the sum divisible by 10, we set x = 8, so the complete IMEI becomes
490154203237518.
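The check-digit procedure and the field layout above can be written out as code. The following is an added example and not part of the original report: it computes the Luhn check digit over the 14-digit body exactly as in the worked table (rightmost body digit doubled first), validates a printed IMEI with its separators, splits it into RBI/TAC/FAC/SNR/CD for either the old 6+2 layout or the new 8-digit TAC, and applies the decimal-versus-hexadecimal rule that separates an IMEI from an MEID. The sample IMEIs are the ones quoted in the text; the MEID value is a constructed placeholder.

```python
import re


def luhn_check_digit(body):
    """Return the Luhn check digit for the 14-digit IMEI body (ISO/IEC 7812).
    Starting from the digit nearest the check digit, every other digit is
    doubled; the digits of each product are summed (14 -> 1 + 4, which is the
    same as subtracting 9); the check digit makes the total divisible by 10."""
    if not body.isdigit():
        raise ValueError("IMEI body must consist of decimal digits")
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # rightmost body digit is the first one doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def _digits(s):
    # Drop the '-' separators and spaces used on printed labels.
    return re.sub(r"[^0-9]", "", s)


def is_valid_imei(imei):
    """True for a 15-digit IMEI whose last digit is the correct Luhn check digit.
    A 16-digit IMEISV ends in the SVN rather than a check digit (the SVN is not
    part of the calculation), so it is rejected here."""
    d = _digits(imei)
    return len(d) == 15 and luhn_check_digit(d[:14]) == int(d[14])


def parse_imei(imei, old_style=False):
    """Split a 14- or 15-digit IMEI into its fields. old_style=True uses the
    pre-April-2004 layout (6-digit TAC + 2-digit FAC); otherwise the 8-digit TAC.
    The first two TAC digits are the Reporting Body Identifier (RBI)."""
    d = _digits(imei)
    if len(d) not in (14, 15):
        raise ValueError("expected 14 or 15 IMEI digits")
    fields = {"rbi": d[:2]}
    if old_style:
        fields["tac"], fields["fac"] = d[:6], d[6:8]
    else:
        fields["tac"] = d[:8]
    fields["snr"] = d[8:14]
    fields["cd"] = d[14] if len(d) == 15 else None
    return fields


def looks_like_meid(ident):
    """An MEID is 14 hexadecimal digits whose first two hex digits are 0xA0 or
    larger; an all-decimal 14/15-digit string is therefore an IMEI."""
    h = re.sub(r"[^0-9A-Fa-f]", "", ident)
    return len(h) == 14 and int(h[:2], 16) >= 0xA0


if __name__ == "__main__":
    for sample in ("35-209900-176148-1", "49-015420-323751-8", "354530085441085"):
        print(sample, "valid" if is_valid_imei(sample) else "INVALID")
    print(parse_imei("35-209900-176148-1", old_style=True))
    print("check digit for 49015420323751 ->", luhn_check_digit("49015420323751"))
    print("A0000000000001 (constructed) is MEID-like:", looks_like_meid("A0000000000001"))
```

Note that a valid check digit only guards against mistyped entries in an EIR or CEIR, which is exactly the purpose the text gives it; it says nothing about whether the IMEI is genuine, since any 14-digit body can be completed to a valid 15-digit IMEI.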
The Broadband Global Area Network (BGAN), Iridium and Thuraya satellite
phone networks all use IMEI numbers on their transceiver units as well as SIM cards in
much the same way as GSM phones do. The Iridium 9601 modem relies solely on its
IMEI number for identification and uses no SIM card; however, Iridium is a proprietary
network and the device is incompatible with terrestrial GSM networks.
IMEI EXAMPLE:
01,02 AEG
07,40 MOTOROLA
10,20 NOKIA
30 ERICSSON
40,41,44 SIEMENS
47 OPTION INTERNATIONAL
50 BOSCH
51 SONY
51 SIEMENS
51 ERICSSON
60 ALCATEL
70 SAGEM
CHAPTER 3
The sniffer is a small base station; it includes a transceiver section. It should operate at a
frequency that is much different from the frequency of the current cell in which the detection
operation is being carried out. Some of the main points are that the frequency generated by the
transceiver section is in the 900 MHz range, which is a VHF range, and it is necessary to design
the oscillator circuit for that frequency range. Another important point is the cooling that has
to be provided to the circuit when designing a circuit that is to operate in the 900 MHz range.
Hence proper design of the base station is an important part of the design of the sniffer.
Mobile phones as well as base stations have low-power transmitters, and the transmitter of the
sniffer also has to be a low-power transmitter. This helps in reducing the interference of the
device with the devices in the other cells.
Though the transceiver in a sniffer plays an important role in the detection of the mobile
phone, it is the directional antenna that has the major role in the design of the transmitter.
The directional antenna acts as the eyes of the sniffer for the purpose of detecting lost mobile
phones; hence proper design of the directional antenna is required. An antenna is a device that
works at a specified frequency range for transmitting or receiving the data signal. In general,
antennas radiate power according to a lobe pattern, which varies from one antenna to another.
The lobe pattern is a two-dimensional diagram used to show the radiation pattern. The radiation
pattern of a directional antenna is shown in the figure below.
The average radiation intensity, for a total radiated power W, is given as
    Φ(avg) = W / (4π)   (watts per steradian)
The directivity of the antenna is the direction in which there is maximum gain for the
radiation being radiated; the gain of the antenna is given as a function of the angles. The
directivity value is constant for a particular direction. In addition to the directivity and
the gain of the antenna, the other important thing that has to be taken into account is the
power that is being radiated by the antenna. The total power is given as W_t and is the sum of
the radiated power W_r and the ohmic loss W_l of the antenna:
    W_t = W_r + W_l
The power gain of the antenna in a given direction is
    g_p = 4π Φ / W_t
where Φ is the radiation intensity (watts per steradian) in that direction.
The ratio of the power gain to the directive gain is referred to as a measure of the efficiency
of the antenna:
    g_p / g_d = W_r / (W_r + W_l)
The power radiated by the antenna should be properly designed, as more power causes more
penetration of the electromagnetic radiation and thus it might have some effect in the nearby
cells. The effective area of the antenna is another important factor, mainly required for the
receiving antenna; it may be referred to as the effective aperture or capture area and is
related to the directive gain g_d of the antenna and the wavelength λ through the relation
    A = g_d λ² / (4π)
Since the sniffer device that is constructed has both a transmitting and a receiving antenna,
the effective gain has to be taken into account; this shows the ability of the antenna to
capture the signal that the lost mobile is transmitting.
number of the lost mobile phone from the RAM, and this is done using an SQL query that fetches
the IMEI number. After getting the lost mobile phone's IMEI number as input, it checks the COM
port for any signaling information from the lost device responding to the signal sent by the
sniffer. The programming is done in C or Java; however, C is preferred as it is easily embedded
with the chips. The front end is designed in VB. Oracle SQL is the back end, as it helps in
retrieving the input data from the RAM using the query. However, the sample program that we
have designed does not use Oracle; it takes the input directly from the keyboard. It is an
example, a dummy program, created to help in understanding how the device would work.
CHAPTER 4
The sniffer is basically a transceiver that works at a frequency in a special unused range
operated by the service provider, or it can be designed to operate at a frequency much different
from the one used by the nearby cells, as there is the possibility of interference by the device
with the devices in the nearby cells. The working of the device is as follows. The figures show
the working of the sniffer; fig 4.2 gives the normal operation of the mobile with the base
station. The BTS acts as a middle man in the communication between the mobile and the MTSO,
which is popularly known as the MSC or Mobile Switching Centre. There is always two-way
communication between the devices, and before the communication is established the SIM card,
which holds the IMSI or International Mobile Subscriber Identity, is authenticated. This IMSI
number helps in the authorization of the user. The second authentication is the authentication
of the handset, which is done in the EIR or Equipment Identity Register. This register is
located at the MSC and contains the IMEI numbers of lost handsets; if the signal is obtained
from a normal handset, two-way communication is established. Once the IMEI of the lost mobile
phone has been reported to the service provider, the provider keeps track of the record of lost
mobile phones. The MTSO or MSC, which keeps track of all mobile phones by IMEI number and IMSI
number, has the information on the lost mobile phone's location, meaning the cell where the
lost device is: because of the two-way communication with the device, the BTS serving the lost
device is known to the MSC. Using this information about the cell in which the device is
located, the sniffer device is introduced.
The figure below shows the sniffer at work for the purpose of detecting the lost device. After
the information regarding the IMEI number of the lost device is provided by the MTSO or MSC, it
is fed into the sniffer's main memory, and the sniffer located in that particular cell starts
detecting the lost device. The sniffer uses a frequency that is different from the one used by
the base station and the nearby cells. The base station disconnects the connection with the
lost mobile phone, as there is a request for this action from the EIR part of the MSC. This
causes the lost device to search for a BTS to lock on to; since the base stations do not have
the authorization capability, the lost device sends the appropriate connection request signals.
Now, when the sniffer device is deployed, which has built-in authorization capability, the lost
device finds the sniffer and locks itself to the frequency of the sniffer. While the connection
between the sniffer and the mobile phone is being established, the IMEI of the lost mobile is
validated against the stored IMEI, and after successful authorization the communication between
the sniffer and the lost device is established. If other devices in the same cell try to
communicate with the sniffer, access is denied; this is done at the validation step based on
the IMEI. Once the communication starts, the location can be tracked mainly using the antenna
and the signal strength of the lost device. However, the search process can also be aided with
the GPS system for more accurate and faster detection. The main requirement is that the sniffer
operates at a frequency different from the frequency adopted by the cell and the nearby ones;
hence interference from the nearby cells can be avoided. The directional antenna is used in
finding the location of the mobile phone.
Here the signal strength of the received signal is obtained, and the antenna pattern is plotted
once the signal of the mobile is obtained. The antenna patterns for a number of different
positions relative to the same mobile phone are used to find the exact location. However, in
this method the directional antenna used must have a very small beam width; this helps in a
more accurate process of detection.
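The two steps of the procedure in this chapter, the IMEI validation that admits only the reported handset and the use of antenna patterns from more than one position to fix the location, can be simulated together. The following is an added example written for this page and not the authors' VB/C demo: the reported-lost register, the sweep readings (bearing in compass degrees against received strength in dBm) and the sniffer positions are all constructed, with the handset placed at a known point so that the result can be checked. Bearings are taken at the strongest reading of each sweep and the two lines of bearing are intersected.

```python
import math

# Constructed register of IMEIs reported lost (stands in for the entry the MSC's
# EIR hands to the sniffer); the value is the example IMEI from Chapter 2.
REPORTED_LOST = {"490154203237518"}


def screen_request(imei, register=REPORTED_LOST):
    """The sniffer's validation step: a connection request is accepted only if
    the handset's IMEI matches a stored reported-lost IMEI; every other handset
    in the cell is denied."""
    return "".join(ch for ch in imei if ch.isdigit()) in register


def bearing_of_max_strength(readings):
    """readings: (bearing_deg, signal_strength_dBm) pairs from one sweep of the
    directional antenna at a single sniffer position. The bearing with the
    strongest signal is where the main lobe points at the handset."""
    return max(readings, key=lambda r: r[1])[0]


def intersect_bearings(p1, b1, p2, b2):
    """Intersect the lines of bearing from two sniffer positions.
    Positions are (x east, y north); bearings are compass degrees (0 = north,
    clockwise). Returns the (x, y) fix, or None if the bearings are parallel."""
    d1 = (math.sin(math.radians(b1)), math.cos(math.radians(b1)))
    d2 = (math.sin(math.radians(b2)), math.cos(math.radians(b2)))
    # Solve p1 + t*d1 = p2 + s*d2 for t (Cramer's rule on the matrix [d1, -d2]).
    det = -d1[0] * d2[1] + d1[1] * d2[0]
    if abs(det) < 1e-9:
        return None
    rx, ry = p2[0] - p1[0], p2[1] - p1[1]
    t = (-rx * d2[1] + ry * d2[0]) / det
    return (p1[0] + t * d1[0], p1[1] + t * d1[1])


def locate(sweeps):
    """sweeps: list of (position, readings) taken from different sniffer
    positions. Returns the first usable fix from any pair of sweeps, or None
    when every pair of bearings is parallel (the handset lies on the baseline)."""
    fixes = [(pos, bearing_of_max_strength(rd)) for pos, rd in sweeps]
    for i in range(len(fixes)):
        for j in range(i + 1, len(fixes)):
            fix = intersect_bearings(fixes[i][0], fixes[i][1], fixes[j][0], fixes[j][1])
            if fix is not None:
                return fix
    return None


# Constructed sweeps: the handset is actually 100 m east and 100 m north of
# sniffer position A at the origin; position B is 200 m east of A.
SWEEPS = [
    ((0.0, 0.0),   [(0, -90), (30, -75), (45, -62), (60, -74), (90, -88)]),
    ((200.0, 0.0), [(270, -89), (300, -76), (315, -60), (330, -73), (0, -91)]),
]

if __name__ == "__main__":
    for imei in ("49-015420-323751-8", "35-209900-176148-1"):
        print(imei, "accepted" if screen_request(imei) else "denied")
    print("fix:", locate(SWEEPS))
```

The narrow beam width the text asks for is what makes the argmax bearing usable: with a wide lobe the strongest reading spans many degrees and the intersection error grows with the distance between sniffer and handset.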
ADVANTAGES:
This method is used for finding the lost mobile effectively
Cost effective
Low power consumption
Easy to design
DISADVANTAGES:
Frequency should be maintained correctly because there may be a slight effect of
the reflection of the signal from the ground.
Even though the directivity of antenna is less the direction of propagation should
be restricted.
CHAPTER 5
CONCLUSION
Since the boom of the mobile phone for the purpose of communication there have been a large
number of complaints regarding mobile phones being lost, and there has been no effective method
developed for detecting the lost device. The sniffer technology idea developed here, "Sniffer
for the detection of lost Mobile Phones", paves a way by which lost mobile phones can be
recovered. The detection process is yet to be developed through software; a demo has been
developed and is with the authors. The demo has been written in VB and gives an overview of how
the lost mobile is detected, and the software has been written in C. SQL has to be used for
querying, and the internal architecture is of lesser complexity compared to a base station, as
this mainly involves the control signal and there is no need for voice processing. The design
involved the following: design of the sniffer base station, design of the unidirectional
antenna, and development of the tracking software. Though this method appears a little complex,
involving the design of the sniffer, for large-scale detection the overall effective cost of the
design and the detection scales down. There are certain boundary conditions or criteria that
have to be satisfied for the identification of the lost mobile, such as the power of the mobile
being good enough and the mobile phone not being in a shadow region; however, this method can be
improved by using modern technologies and devices.
CHAPTER 6
REFERENCES
I. International Journal for Engineering Trends and Technology (IJETT), Volume 4, Issue 4