Crawl — 2G GSM Attachment
Understand the 2G attach flow and that authentication is one-way — the network authenticates the subscriber, but not vice-versa. Watch the IMSI travel in cleartext.
Scene 1.1 · Trigger the attach
Bring the handset onto the network. Start a 2G attach.
attach --net 2g
On first attach the MS has no TMSI yet, so it sends its permanent identity unprotected.
Scene 1.2 · Capture the cleartext IMSI
Something sensitive just crossed the air interface. Sniff it.
sniff air
decode last
310260123456789 (cleartext IMSI). Use submit <value>.
Scene 1.3 · Watch the challenge-response
The network challenges the SIM. Inspect the exchange.
auth show
The crux: the MS never verifies the network. Anyone who sounds like a valid network is trusted. This is the seam Stage 2 exploits.
Walk — The IMSI-Catcher Problem
Demonstrate why a 2G MS willingly attaches to a rogue base station, and how that yields a subscriber's identity and rough location.
Scene 2.1 · Stand up a rogue cell
Place a fake base station advertising the same network. Make it the strongest signal.
cell rogue --mcc 310 --mnc 260 --power high
Scene 2.2 · Force re-attach & harvest identity
Get the handset to identify itself to your cell.
attach --net 2g
decode last
310260987654321 — a different subscriber from Stage 1, proving the catcher harvests any device that comes near.
The rogue never had to prove anything. Missing mutual authentication = the entire vulnerability.
Scene 2.3 · Optional: downgrade nudge
A modern phone tried to use a newer network. Push it down to 2G.
cell rogue --suppress lte
--suppress is a teaching abstraction. Real-world bidding-down is subtler and gradual; we compress it here to make the effect visible in seconds.
Run — 5G Attachment & Authentication
See SUCI concealment and mutual 5G-AKA, then watch the Stage 2 attack fail.
Scene 3.1 · Trigger the 5G registration
Attach the same subscriber over 5G. Watch what identity crosses the air now.
attach --net 5g
Scene 3.2 · Inspect the concealed identifier
Capture the air-interface identity. What does an attacker actually get?
sniff air
decode last
The SUCI ciphertext (concealed, rotates per attach). Hint: paste it from the captured frame.
Scene 3.3 · Mutual authentication (5G-AKA)
Run authentication and confirm who proves what to whom.
auth show
Two-way arrows now glow. AUTN carries the network's proof; the UE side shows "network verified" — the thing 2G never had.
Scene 3.4 · Re-run the catcher → it fails
Stand up your rogue cell again and try to harvest the identity.
cell rogue --mcc 310 --mnc 260 --power high
attach --net 5g
AUTN_VERIFY_FAIL — or submit none to confirm the harvest was empty.
Same attack, defeated by two changes — concealed identity (SUCI) + mutual authentication (AUTN).