[A51] Kraken Cracking

Karsten Nohl nohl at virginia.edu
Thu Mar 7 00:36:22 CET 2013


Dear Alex,

From the sound of it, you may be trying to crack an unencrypted frame. If that's the case: There is nothing to crack.

Instead of finding an SI5 message in Wireshark, you'd have to _guess_ which encrypted frame could be an SI5, then XOR the SI5 burst with the suspected encrypted SI5 burst, and then run the result of that (= pure A5/1 key stream if you guessed right) through Kraken.

One more complication: Even if you did all of this correctly, Kraken only finds the key in some cases, so you may have to try several times with different correct guesses/locations until you find a key.

Cheers,

     -Karsten

On Mar 7, 2013, at 24:22, Alex <a.interrantegrant at gmail.com> wrote:

> Hello,
> 
> I'm having some trouble knowing which bursts to run through Kraken to try to
> discover the key. I have the rainbow tables written to HD and everything seems
> to be working. I tried this tutorial:
> http://lists.srlabs.de/pipermail/a51/2010-July/000688.html
> and everything worked nicely but when I try to run kraken on my own bursts I
> can't seem to get them to crack no matter which burst I pick.
> Here's what I'm doing:
> 
> 1) Use airprobe to decode unencrypted SACCH packets to a text file and view them 
> in wireshark
> 
> Exported packets look like this (System Information Type 5):
> C1 862242 1332356: 
> 00100000000111000010000000110010001100000110000011000000011010100100000010101001
> 0001001000110100000000101000000110
> P1 862242 1332356: 
> 00100000000111000010000000110010001100000110000011000000011010100100000010101001
> 0001001000110100000000101000000110
> S1 862242 1332356: 
> 00000000000000000000000000000000000000000000000000000000000000000000000000000000
> 0000000000000000000000000000000000
> C0 862243 1332389: 
> 00000000010100100010000000000010100000000110101101000010101000010100001000110100
> 0010000000000101000010101100010100
> P0 862243 1332389: 
> 00000000010100100010000000000010100000000110101101000010101000010100001000110100
> 0010000000000101000010101100010100
> S0 862243 1332389: 
> 00000000000000000000000000000000000000000000000000000000000000000000000000000000
> 0000000000000000000000000000000000
> C0 862244 1332422: 
> 10000001010010100000000111100000000001010000010001000000000101000011000000000100
> 1000000001000010101000010100110010
> P0 862244 1332422: 
> 10000001010010100000000111100000000001010000010001000000000101000011000000000100
> 1000000001000010101000010100110010
> S0 862244 1332422: 
> 00000000000000000000000000000000000000000000000000000000000000000000000000000000
> 0000000000000000000000000000000000
> C0 862245 1332455: 
> 11000000010010010000010100001101010100100000010000010000000001011000101001000010
> 1010100001010100000001000000001000
> P0 862245 1332455: 
> 11000000010010010000010100001101010100100000010000010000000001011000101001000010
> 1010100001010100000001000000001000
> S0 862245 1332455: 
> 00000000000000000000000000000000000000000000000000000000000000000000000000000000
> 0000000000000000000000000000000000
> 862245 1: 00 01 03 03 49 06 1d 9f 6d 18 10 80 00 00 00 00 00 00 00 00 00 00 00
> 
> 2) Find a System Information Type 5 packet in wireshark and look at the frame 
> number in the GSM Tap Header (in this case 862245)
> 
> 3) Find the corresponding burst in the text file:
> 11000000010010010000010100001101010100100000010000010000000001011000101001000010
> 1010100001010100000001000000001000
> 
> 4) Try and run the following in Kraken:
> crack 
> 11000000010010010000010100001101010100100000010000010000000001011000101001000010
> 1010100001010100000001000000001000
> 
> Which returns:
> Cracking 
> 11000000010010010000010100001101010100100000010000010000000001011000101001000010
> 1010100001010100000001000000001000
> crack #13 took 125975 msec
> 
> With no potential keys found. Can anyone let me know what I am doing wrong and 
> point me in the right direction?
> 
> Thanks,
> Alex
> 
> _______________________________________________
> A51 mailing list
> A51 at lists.srlabs.de
> http://lists.srlabs.de/cgi-bin/mailman/listinfo/a51
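
The following is an added example, not code from this thread and not part of Kraken or airprobe. It mechanises the step Karsten describes above: XOR a burst whose plaintext you know (in practice the channel-coded SI5 burst) against a candidate encrypted burst from the export, and feed the result to Kraken's `crack` command; if the candidate equals the plaintext the frame was sent in the clear and there is nothing to crack. Two things are my assumptions rather than facts stated in the thread: that a burst is 114 binary digits, possibly wrapped over lines by the mail client, and that the "C<n> <frame> <count>: <bits>" lines of the airprobe-style export carry the received burst for that frame. The bit patterns PLAIN and KEYSTREAM are constructed test vectors, not a real SI5 coding and not captured data.

```python
"""
Added example (not from the original thread, Kraken or airprobe): derive the
keystream burst that Kraken's `crack` command expects by XORing a known
plaintext burst against candidate encrypted bursts, skipping frames that
turn out to be unencrypted.

Assumptions (mine, not stated in the thread):
  * one burst is 114 '0'/'1' characters, possibly wrapped across lines;
  * "C<n> <frame> <count>: <bits>" export lines carry the received burst.
PLAIN and KEYSTREAM are constructed test vectors, not real GSM data.
"""
import re
from typing import Dict, List, Optional, Tuple

BURST_BITS = 114  # payload bits of one GSM normal burst (2 x 57)

# Header layout as it appears in the quoted export, e.g. "C1 862242 1332356: <bits>"
_HDR = re.compile(r"^([CPS])(\d)\s+(\d+)\s+(\d+):\s*([01]*)$")


def normalize_burst(text: str) -> str:
    """Drop whitespace and line wrapping; insist on exactly 114 binary digits."""
    bits = "".join(text.split())
    if len(bits) != BURST_BITS:
        raise ValueError(f"expected {BURST_BITS} bits, got {len(bits)}")
    if set(bits) - {"0", "1"}:
        raise ValueError("burst must contain only '0' and '1'")
    return bits


def xor_bursts(plain: str, cipher: str) -> str:
    """A5/1 is a stream cipher: keystream = plaintext XOR ciphertext."""
    p, c = normalize_burst(plain), normalize_burst(cipher)
    return "".join("1" if a != b else "0" for a, b in zip(p, c))


def is_unencrypted(plain: str, cipher: str) -> bool:
    """Candidate identical to the plaintext: XOR is all zeros, no keystream to crack."""
    return normalize_burst(plain) == normalize_burst(cipher)


def parse_c_bursts(export: str) -> Dict[int, str]:
    """Collect the 'C' bursts of an airprobe-style export, keyed by frame number.
    Bits wrapped onto following lines are glued back onto their header line."""
    bursts: Dict[int, str] = {}
    current: Optional[Tuple[int, str]] = None
    for raw in export.splitlines():
        line = raw.strip()
        m = _HDR.match(line)
        if m:
            if current and len(current[1]) == BURST_BITS:
                bursts[current[0]] = current[1]
            kind, _, frame, _, bits = m.groups()
            current = (int(frame), bits) if kind == "C" else None
        elif current and re.fullmatch(r"[01]+", line):
            current = (current[0], current[1] + line)
    if current and len(current[1]) == BURST_BITS:
        bursts[current[0]] = current[1]
    return bursts


def kraken_candidates(plain: str, c_bursts: Dict[int, str]) -> List[Tuple[int, str]]:
    """(frame, keystream guess) per frame, skipping frames sent in the clear."""
    return [(fn, xor_bursts(plain, c_bursts[fn]))
            for fn in sorted(c_bursts) if not is_unencrypted(plain, c_bursts[fn])]


def kraken_commands(candidates: List[Tuple[int, str]]) -> List[str]:
    """One `crack <114 bits>` line per candidate, ready to paste into Kraken."""
    return [f"crack {ks}" for _, ks in candidates]


# Constructed test vectors (not real GSM data).
PLAIN = ("1011001" * 17)[:BURST_BITS]
KEYSTREAM = ("01101" * 23)[:BURST_BITS]
CIPHER = xor_bursts(PLAIN, KEYSTREAM)

# Frame 1000 is in the clear (C == P); frame 1001 is encrypted with KEYSTREAM.
SAMPLE_EXPORT = "\n".join([
    f"C1 1000 1332356: {PLAIN[:80]}", PLAIN[80:],
    f"P1 1000 1332356: {PLAIN[:80]}", PLAIN[80:],
    f"S1 1000 1332356: {'0' * 80}", "0" * 34,
    f"C0 1001 1332389: {CIPHER[:80]}", CIPHER[80:],
    f"P0 1001 1332389: {CIPHER[:80]}", CIPHER[80:],
    f"S0 1001 1332389: {'0' * 80}", "0" * 34,
])

if __name__ == "__main__":
    for cmd in kraken_commands(kraken_candidates(PLAIN, parse_c_bursts(SAMPLE_EXPORT))):
        print(cmd)
```

Run against a real export you would replace PLAIN with the channel-coded burst of the SI5 frame you expect (the thread does not cover that coding step) and loop over every candidate frame; as Karsten notes, Kraken finds the key only for some bursts, so several correctly guessed positions may be needed before one succeeds.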
