Introduction: Telephony, DECT Sniffing With Dedected.

Picture of Telephony, DECT Sniffing With Dedected.

DISCLAMER:  Recording phone conversation without consent from the users is illegal in the US and most country's However, this tutorial is meant to be tested on your OWN equipment.  Be smart and only record your DECT's not your neighbors. 

Step 1: 1: What Is DECT?

Picture of 1: What Is DECT?
usually known by the acronymDECT, is a digital communication standard, which is primarily used for creating cordless phone systems. It originated in Europe, where it is the universal standard, replacing earlier cordless phone standards, such as 900 MHz CT1 and CT2.[1]

Step 2: 1.1: Insecurity...

Picture of 1.1: Insecurity...

most telecomunication companys don't implement or offer encryption for their devices so they can be easily sniffed.

The following has been tested under these circumstances:
-  Backtrack 5 final x86 KDE with Kernel 2.6.38
- Original Dosh&Amand Type II PCMCIA Card
- SIEMENS C1 DECT phones set up in repeater mode

Step 3: 2: Installing Dedected

Picture of 2: Installing Dedected
When installing Dedected on Backtrack 5 you have the following options:
-Use Dedected from the Backtrack repositorys
-Compile it on your own if you want to experiment

Install from source
root@bt:~# prepare-kernel-sources
root@bt:~# cd /usr/src/linux
root@bt:~# cp -rf include/generated/* include/linux/
root@bt:~# cd /pentest/telephony
root@bt:~# svn co dedected_svn
root@bt:~# cd dedected_svn/com-on-air_cs-linux/
root@bt:~# make && make -C tools

Install from repository 

root@bt:~# apt-get update
root@bt:~# apt-get install dedected

It is recommended that you have the tool Audacity if you are serious about recording phone conversations

Load the Drivers
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make node
root@bt:~# make load

Step 4: Scan for Fixed Parts or Fp(DECT Base Stations)

Picture of Scan for Fixed Parts or Fp(DECT Base Stations)
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux/tools
root@bt:~# ./dect_cli

If you need info on the usage type "help". If you live in the U.S. switch to the US/DECT 6 band via the "band" command. Let's enable some verbosity:
Now start scanning fpscan After scanning multiple times disable verbosity and stop scanning
verb stop

Step 5: Ignore Other Phones

Picture of Ignore Other Phones
Start a callscan with

Now grab your DECT handset and make a test phonecall and wait until you see the phonecall .It is also sufficient if you just get a dialing tone. You should see something like

### found new call on 00 82 31 33 73 on channel 7 RSSI 34

Now dump all found calls

Ignore every other phone except yours via the following command! IMPORTANT!!!

ignore 01 30 95 13 37

Step 6: Record the Call

Picture of Record the Call
This command will automatically record every phone call that Dedected can dedtect

Here's what it should look like:

### starting autorec
### stopping DIP
### starting callscan
### trying to sync on 00 82 ab b0 29
### got sync
### dumping to dump_2011-06-11_21_37_37_RFPI_00_82_ab_b0_29.pcap
### stopping DIP

After you hang up the dumping should stop

Step 7: Decode the Callstream

Picture of Decode the Callstream
stop the autorec
Decode the audiostream into a raw packet dump
root@bt:~# ./

Step 8: Import the Streams Into Audacity to Listen to the Calls

Picture of Import the Streams Into Audacity to Listen to the Calls

Start audacity via "alt + f2" then type “audacity” and press enter. Import the fixed-part and hte portable-part .wav files from /pentest/telephony/dedected/com-on-air_cs-linux/tools via File -> Import -> Audio or simply "ctrl + shift + I" . Import the files which end in .pcap_fp.ima.g721.wav and .pcap_pp.ima.g721.wav.

Play your phone call with the play button:

Step 9: CLEAN UP!

Picture of CLEAN UP!
to reload the drivers
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make reload

If you’re finished and want to clean up:

root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make unload
root@bt:~# rm /dev/coa

Step 10: Dect Protocol

Picture of Dect Protocol

If you are interested in more details of the protocol you can open the .pcap file in Wireshark:

Step 11: Furthur Reading...

Picture of Furthur Reading...


zebuilin (author)2011-12-04

wow... the picture repeated i've got to fix this.

About This Instructable




More by zebuilin:Telephony, DECT Sniffing with Dedected.
Add instructable to: