[A51] Kraken Cracking

Alex a.interrantegrant at gmail.com
Thu Mar 7 23:48:04 CET 2013


Karsten Nohl <nohl at ...> writes:

> 
> Dear Alex,
> 
> From the sound of it, you may be trying to crack an unencrypted frame. If that's the case: There is nothing to crack.
> 
> Instead of finding an SI5 message in Wireshark, you'd have to _guess_ which encrypted frame could be an SI5, then XOR the SI5 burst with the suspected encrypted SI5 burst, and then run the result of that (=pure A5/1 key stream if you guessed right) through Kraken.
> 
> One more complication: Even if you did all of this correctly, Kraken only finds the key in some cases, so you may have to try several times with different correct guesses/locations until you find a key.
> 
> Cheers,
> 
>      -Karsten
> 
> On Mar 7, 2013, at 24:22 , Alex <a.interrantegrant at ...> wrote:
> 
> > Hello,
> > 
> > I'm having some trouble knowing which bursts to run through Kraken to try to discover the key. I have the rainbow tables written to HD and everything seems to be working. I tried this tutorial: http://lists.srlabs.de/pipermail/a51/2010-July/000688.html and everything worked nicely but when I try to run kraken on my own bursts I can't seem to get them to crack no matter which burst I pick.
> > Here's what I'm doing:
> > 
> > 1) Use airprobe to decode unencrypted SACCH packets to a text file and view them in wireshark
> > 
> > Exported packets look like this (System Information Type 5):
> > C1 862242 1332356: 001000000001110000100000001100100011000001100000110000000110101001000000101010010001001000110100000000101000000110
> > P1 862242 1332356: 001000000001110000100000001100100011000001100000110000000110101001000000101010010001001000110100000000101000000110
> > S1 862242 1332356: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
> > C0 862243 1332389: 000000000101001000100000000000101000000001101011010000101010000101000010001101000010000000000101000010101100010100
> > P0 862243 1332389: 000000000101001000100000000000101000000001101011010000101010000101000010001101000010000000000101000010101100010100
> > S0 862243 1332389: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
> > C0 862244 1332422: 100000010100101000000001111000000000010100000100010000000001010000110000000001001000000001000010101000010100110010
> > P0 862244 1332422: 100000010100101000000001111000000000010100000100010000000001010000110000000001001000000001000010101000010100110010
> > S0 862244 1332422: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
> > C0 862245 1332455: 110000000100100100000101000011010101001000000100000100000000010110001010010000101010100001010100000001000000001000
> > P0 862245 1332455: 110000000100100100000101000011010101001000000100000100000000010110001010010000101010100001010100000001000000001000
> > S0 862245 1332455: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
> > 862245 1: 00 01 03 03 49 06 1d 9f 6d 18 10 80 00 00 00 00 00 00 00 00 00 00 00
> > 
> > 2) Find a System Information Type 5 packet in wireshark and look at the frame number in the GSM Tap Header (in this case 862245)
> > 
> > 3) Find the corresponding burst in the text file:
> > 
> > 110000000100100100000101000011010101001000000100000100000000010110001010010000101010100001010100000001000000001000
> > 
> > 4) Try and run the following in Kraken:
> > crack 110000000100100100000101000011010101001000000100000100000000010110001010010000101010100001010100000001000000001000
> > 
> > Which returns:
> > Cracking 110000000100100100000101000011010101001000000100000100000000010110001010010000101010100001010100000001000000001000
> > crack #13 took 125975 msec
> > 
> > With no potential keys found. Can anyone let me know what I am doing wrong and point me in the right direction?
> > 
> > Thanks,
> > Alex
> > 
> > _______________________________________________
> > A51 mailing list
> > A51 at ...
> > http://lists.srlabs.de/cgi-bin/mailman/listinfo/a51
> 

Karsten,

Thanks for your help, I think I have a better idea of how Kraken works now. Any 
tips on how to find a known plain-text candidate? Or do I just have to xor every 
encrypted burst with a SI5 one and try those as keystreams?

Thanks again,
Alex
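The guess-and-XOR step Karsten describes, as an added worked example (this code is not from the list, from airprobe or from the Kraken project). It parses a dump shaped like the one quoted above, treats each "C" line as the received 114-bit burst, XORs a burst of a known unencrypted SI5 block against the same-position burst of a suspected ciphered SI5 block, and prints the result in the `crack <bits>` form shown in the thread. In the quoted dump every C line is identical to its P line and every S line is all zeros, consistent with Karsten's reading that those frames are unencrypted; to let the round trip be checked offline, the example therefore also carries an A5/1 keystream generator written from the public description of the cipher and ciphers the page's frame-862245 burst itself, under the public A5/1 test key rather than any captured Kc. The dump format, the later frame number and the test key are assumptions. Two caveats the code makes concrete: the XOR only yields keystream if both blocks carried identical coded content, so the two SACCH L1 header octets (the "00 01" at the start of the decoded line) have to match as well as the SI5 body; and the COUNT derived from the burst's frame number is what ties an A5/1 state back to Kc, so keep the frame number next to each crack line.

```python
# A5/1 register layout, as in the public reference description of the cipher.
R1MASK, R2MASK, R3MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF  # 19-, 22-, 23-bit LFSRs
R1TAPS, R2TAPS, R3TAPS = 0x072000, 0x300000, 0x700080  # feedback taps
R1MID, R2MID, R3MID = 1 << 8, 1 << 10, 1 << 10         # majority-clocking bits
R1OUT, R2OUT, R3OUT = 1 << 18, 1 << 21, 1 << 22        # output bit of each register

def _parity(x: int) -> int:
    return bin(x).count("1") & 1

def _step(reg: int, mask: int, taps: int) -> int:
    """Clock one LFSR: shift left, feed back the parity of the tapped bits."""
    return ((reg << 1) & mask) | _parity(reg & taps)

def _clock(r1: int, r2: int, r3: int):
    """Majority clocking: a register moves only if its mid bit matches the majority."""
    m1, m2, m3 = bool(r1 & R1MID), bool(r2 & R2MID), bool(r3 & R3MID)
    maj = (m1 + m2 + m3) >= 2
    if m1 == maj:
        r1 = _step(r1, R1MASK, R1TAPS)
    if m2 == maj:
        r2 = _step(r2, R2MASK, R2TAPS)
    if m3 == maj:
        r3 = _step(r3, R3MASK, R3TAPS)
    return r1, r2, r3

def gsm_count(fn: int) -> int:
    """22-bit COUNT derived from the TDMA frame number: T1 << 11 | T3 << 5 | T2."""
    return ((fn // 1326) << 11) | ((fn % 51) << 5) | (fn % 26)

def a5_1(kc: bytes, count: int):
    """Return the (BTS->MS, MS->BTS) keystreams for one frame, 114 bits each, as bit lists."""
    r1 = r2 = r3 = 0
    for i in range(64 + 22):  # Kc then COUNT, LSB first, all three registers clocked regularly
        r1, r2, r3 = _step(r1, R1MASK, R1TAPS), _step(r2, R2MASK, R2TAPS), _step(r3, R3MASK, R3TAPS)
        bit = (kc[i >> 3] >> (i & 7)) & 1 if i < 64 else (count >> (i - 64)) & 1
        r1, r2, r3 = r1 ^ bit, r2 ^ bit, r3 ^ bit
    for _ in range(100):  # 100 mixing clocks, output discarded
        r1, r2, r3 = _clock(r1, r2, r3)
    out = []
    for _ in range(228):
        r1, r2, r3 = _clock(r1, r2, r3)
        out.append(_parity(r1 & R1OUT) ^ _parity(r2 & R2OUT) ^ _parity(r3 & R3OUT))
    return out[:114], out[114:]

def xor_bits(a: str, b: str) -> str:
    """XOR two equal-length bit strings: ciphered burst XOR its plaintext is the keystream."""
    if len(a) != len(b):
        raise ValueError(f"burst length mismatch: {len(a)} vs {len(b)}")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def parse_airprobe_bursts(dump: str) -> dict:
    """Frame number -> 114-bit burst from the 'C' lines of a dump shaped like the one quoted
    on the page ('C1 <fn> <ts>: <bits>', an assumed format); P/S and decoded hex lines are skipped."""
    bursts = {}
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].startswith("C") and len(parts[3]) == 114:
            bursts[int(parts[1])] = parts[3]
    return bursts

def kraken_crack_lines(plain_block: dict, cipher_block: dict) -> list:
    """Pair the i-th burst of a known SI5 block with the i-th burst of a suspected ciphered
    SI5 block; each XOR is a keystream candidate, returned as (frame number, 'crack <bits>')."""
    pairs = zip(sorted(plain_block), sorted(cipher_block))
    return [(cf, "crack " + xor_bits(cipher_block[cf], plain_block[pf])) for pf, cf in pairs]

# Constructed input: the frame-862245 burst quoted on the page, rejoined to 114 bits.
PLAIN_SI5_BURST = (
    "11000000010010010000010100001101010100100000010000010000000001011000101001000010"
    "1010100001010100000001000000001000"
)
SAMPLE_DUMP = f"""C0 862245 1332455: {PLAIN_SI5_BURST}
P0 862245 1332455: {PLAIN_SI5_BURST}
S0 862245 1332455: {'0' * 114}
862245 1: 00 01 03 03 49 06 1d 9f 6d 18 10 80 00 00 00 00 00 00 00 00 00 00 00
"""
FN = 862245
TEST_KC = bytes.fromhex("1223456789abcdef")  # the public A5/1 test key, not a captured Kc

def simulate_ciphered_burst(plain: str, kc: bytes, fn: int) -> str:
    """What the BTS sends once ciphering is on: plaintext XOR the BTS->MS stream for that frame."""
    dl, _ul = a5_1(kc, gsm_count(fn))
    return xor_bits(plain, "".join(map(str, dl)))

def demo():
    """Round trip: the same SI5 sent ciphered one superframe (1326 frames, assumed) later,
    then its keystream recovered from the unencrypted copy."""
    plain = parse_airprobe_bursts(SAMPLE_DUMP)
    later_fn = FN + 1326
    captured = {later_fn: simulate_ciphered_burst(plain[FN], TEST_KC, later_fn)}
    return kraken_crack_lines(plain, captured)

if __name__ == "__main__":
    for fn, cmd in demo():
        print(f"# frame {fn}, COUNT 0x{gsm_count(fn):06x}")
        print(cmd)
```

Run as a script it prints one `crack` line per paired burst, ready to paste into Kraken; a wrong guess (a ciphered block that was not this SI5) gives a line that looks the same but is not A5/1 output, which is why several guesses may be needed, as Karsten notes. With a real capture, replace SAMPLE_DUMP by the unencrypted block and pass the suspected ciphered block's bursts as the second argument instead of simulating them.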



