Jump to content

Recommended Posts

Posted

Hi all,

I want to make it clear that I am completely uneducated in this matter. I was wondering if it is possible to triangulate a cell phone without being the government, and if so how. I have gathered that you would need some way of measuring the signal strength of a cell phone. How to do this, I do not know. I thought the hak5 would be the right place to ask about this.

Thanks for any help!

P.S. I also want to make it clear that there is genuinely no nefarious purpose for this project. It seems like a fun weekend project.

  • Replies 94
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Posted Images

Posted

What you can do is set up 2 directional wifi receivers equipped with a digital compass. They would each rotate and record the strength of the wifi broadcasts sent out by any phone in range.

A computer that has access to the recorded data of both those receivers would look for the record where the signal strength is greatest. It then has the exact coordinates of the recorders and a direction where the signal came from thanks to the compass. After that all you need to do is draw 2 lines on a map and see where they intersect. This is how I would locate stationary targets (see the "would this work" topic I'm too lazy to find and link to).

An alternative is to take a limited space, a square or triangle within which you want to guesstimate the location with some accuracy, continuously. You put a sector antenna (one of those panel shaped ones) on each corner and start by measuring signal strength with a single source within the space to calibrate. See how strong a signal is based on the distance. The actual value isn't what counts, but the relative strength seen by the various receivers if one sees a maasive signal and the others don't you can safely assume it's closer to that antenna. Using the input from the other two you can plot that a little further to the left or right.

Companies use this technique to track you as you walk through the store to assess the effectiveness of their in-store advertisements and to see how often you walked past a display before buying anything.

I wish I was making this shit up....

Posted (edited)

Isn't it always 3? I too am un-educated on this, but it seems that everything i see is always 3 antennas.. Maybe thats why its called triangulation?

Is there any benefit over having two or three antennas? or 7? etc

Edited by Foxtrot
Posted (edited)

Isn't it always 3? I too am un-educated on this, but it seems that everything i see is always 3 antennas.. Maybe thats why its called triangulation?

Is there any benefit over having two or three antennas? or 7? etc

Triangulation is about triangle, not about three of something, you only need to know 2 angle to figure the 3rd angle of a triangle... A 3 antenna setup will have you focus on the distance to each 3 while a 2 antenna setup will require you to calculate the distance AND angle of both, both setup is doable, it depend whether you can place a 3rd antenna BEHIND the object you want to triangulate while 2 sweeping directional antenna doesn't require one behind target...

GPS work with 3 (and more) antenna (satelite) because it cant have a directional panel focused on each and every GPS users

Our eyes work with 2 and can figure the 3D spacial position of an object with only 2 reference

Yeah visible light is radio wave, so most of what apply to RF also apply to Light because they are essentially the same thing

our eyes are highly specialized antenna array (retina) with special focus-able diffracting material (Pupil) and a shutter, how beautiful is that!

so we are all triangulating every second of our life with 2 receiver...

Edited by madhak
Posted (edited)

But as for cell phone its more difficult because its encrypted so all you will see is a cloud of noise coming from many sources, you can't filter those source without decryption which require a 2TB rainbow table and Kraken, see this thread and don't ask this stuff here, nobody want to have their IP address listed at the pentagon ;)

Decryption of RF signal is ILLEGAL!

http://www.insinuator.net/2012/10/pytacle-alpha1-released/

Edited by madhak
Posted

What a magnificently, breathtakingly fucking *AWESOME* post is that! If you were nearby I'd make people think we're a gay couple (probably having an argument as I think you'd try to push me away).

That's BRILLIANT! Take a 2TB rainbowtable (i.e. so tiny it's almost insignificant. 70 euro worth of hd. Yawn!), your 10 dollar SDR and you could tie some tools together and listen in on a GSM conversation. I thought GSM was protected better than that. I *LOVE* IT!

And I quickly looked into your warning and if it pertains to Dutch law aswell. Sadly, it does. You're legally allowed to grab whatever you want out of the airwaves as long as it contains information (that last bit is why the radar detector in your car to warn you about an approaching speed trap was deemed illegal - there was no information in the signal) but once you have to do something ... excessive to be able to interpret that acquired information (like, say, grab a 2TB rainbowtable and a fair chunk of CPU power to grind through a decryption algorithm) you are in total violation of the law.

Problem for the lawmakers: That means they have to prove you actually did the decrypting.

Problem for you: If you did it and posted it on Youtube/Facebook/Twitter which YOU KNOW YOU WILL, you're completely and utterly screwed.

Thanks ever so much for pointing this out. :D

Posted

Hi again,

Do you have any suggestions as to the specific hardware and/or software to be used to pick up these broadcast gsm or wifi signals (and measuring their exact strength)? I am not interested in listening in on a conversation, or mitm, but merely measuring signal strenght. I was also wondering if there was a program already written to analyze the signal strength and direction data and draw the lines on a map for me.

Thanks again!

Posted

Hi again,

Do you have any suggestions as to the specific hardware and/or software to be used to pick up these broadcast gsm or wifi signals (and measuring their exact strength)? I am not interested in listening in on a conversation, or mitm, but merely measuring signal strenght. I was also wondering if there was a program already written to analyze the signal strength and direction data and draw the lines on a map for me.

Thanks again!

And just one more thing I forgot to ask: for the wifi triangulation, I would have to be on the same wifi network, otherwise I would just be triangulating the router, right?

Thanks so much for all of the responses!

Posted

That's actually a very good question. There's *TONS* of software that can tell you the signal strength of an AP as seen by a client, but the other way around... I really don't know.

With regards to the triangulation the "network" is the frequency band and since in monitor mode a large chunk of this appears to be scanned continuously (please tell me when the radio is in fact dialling through the range instead of scanning everything continuously - I'd really like to know) I think it's safe to assumed that you're effectively monitoring the full spectrum range of the WiFi channels so as long as you're looking for a WiFi signal, you're sharing the band with your target.

So most software I know about tracks the broadcasts of an AP and tells you the signal strength based off that. If you can take any given packet/frame/whatever they call it in WiFi land and get the radio to report the strength of that signal, you can focus on that. Assuming encryption is in play as it typically is, I wonder how difficult it would be for an outsider to isolate the traffic between you and an AP with someone nearby enough to be in range for me to also receive his traffic and accessing that same AP and producing a significant amount of traffic.

I came in a bit late on the WiFi front so this might be the boring basic stuff to most but I honestly don't know...

Posted

Thanks!

I think it would be considerably less (or more, I actually don't know) complicated to do this with gsm instead of wifi, because there is no router involved. How would I get the gsm signal strength of a broadcasting telephone? Is there even a way without having access to the towers? I don't think I would need to decrypt anything, because I am just going for signal strength and not actual information (or would I? I don't know). What specific program (if there is one) would I use for this? And would I need any hardware apart from the two antennae? And about this frequency scanning, how would I do it? Do you have any specific recommendations as to this hardware?

As you can tell, I am completely unknowledgeable in this matter, so I'm sorry if I've made myself out otherwise or if this annoys you.

Thanks so much for all of your kind help!!

Posted

Oh and one more question (I'm really sorry I forgot to ask this in the last post): Wouldn't this be completely useless, as I could not control which phone I am triangulating, or have to be able to see the phone I am trying to triangulate? And won't there be strong gsm signals coming from all over the place, making any triangulating impossible? I think I would need some way of identifying the phone I am trying to triangulate.

Thanks!

Posted (edited)

Cooper you forgot to take in consideration the HDD price per GB when GSM was drafted in the early 90's ;)

Swaggie for your last question you are right and I meant to say that in my original response, you have to make up a meaning from those reading, for that you need to get a device identifier that relate to the signal strength you are reading.

For Wifi its easy, they broadcast a SSID openly and most of the time their MAC address too so you can identify those device you are reading and map them. For GSM you will get their IMEI, which is the equivalent of a MAC address for cellular devices, but only after decrypting the frame...

GSM is used as fallback or in remote locations, most people are on 3G or better, a false belief is that GSM carry phone call and 3G data, they can both carry both...

But you could jam the 3G frequency to force a phone to go to GSM but again you can't do that legally in most country and i'm damn sure they can triangulate the source of a jammer ;)

Your phone is always in one mode, 3G+ or GSM but not both, your phone will drain a lot more battery in GSM and will show a GSM icon instead of a 3G or LTE...

Back to main topic: Triangulating RADIO signal to be generic, there's 2 layout possible:

- 2 RX antenna with steerable beam, you could use 2 directional antenna or 2 phased array (the beam forming one), but the math i'm talking about after will not be pleasant in the later case.

300px-Radiotriangulation.jpg

- 3 RX antenna at different location around the target

10149430-hinton-locator-uses-network-dat

You need in both case to take consideration of the radiation pattern of each antenna, because they all receive signal from different direction, but at different amplitude (or signal strength but thats overly simplifying here)

http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-antennas-accessories/prod_white_paper0900aecd806a1a3e.html

To find a SDR you need to know the the frequency's range you need to listen to, wifi is 2.4GHz, I dont know of a cheap (but many expensive) SDR that can do that but you could use a down-converter like those used on old digital TV grid antenna, look on your roof, you might have one if you had the 1st gen digital TV, before HD and stuff but not via satellite, its a grid pointed to a mountain or a tall building, you can safely remove that if you see that on your house, its golden for SDR'er, it take 2.4GHz and downconvert it to 900MHz which a cheap SDR like the one in the shop here can pickup :D

Aww snap we haven't even got to the triangulating part and its getting late... but look, its all maths from here... and i'll be back for you if you don't run away from this :)

Edited by madhak
Posted

Hi again,

So from the information I've gathered so far, here is what I would do to do this with wifi (please correct any mistakes, and I will ask questions in parentheses): I would get two of these antennas: http://www.meritline.com/m/showproduct.aspx?productid=74953 and put them each on a motor so they rotate. I would then get a digital tv down converter (where would I find this? I don't have one on my roof) and wire the two antennae to it (how?) and then wire the downconverter to the Hakshop sdr kit (again, how?). Here comes the part I really don't know how to do at all: I hook the SDR kit up to my laptop and look for the proper frequency (how?) and see what's coming from the antennae (tcpdump? Wireshark? As far as I know these only work if you are on the same wifi network as your target) Anyway, using a software tool, I find the mac address of my intended target, and filter my results to that. I gathered from your diagrams that I would need to have both antennae pointing towards the target cell phone, which means that I would need to see in what direction the broadcast signal from the victim is strongest (do you know how to do this?) After that, it's all maths .

Thank you do much!

Posted

For the down converter, as a primer read the wikipedia article about a Heterodyne and then start investigating here about what you need where and why.

Once you have the equiptment the question of connecting the device to the antennae is a simple matter of finding converters between plugs - and you can't do that until you know what both sides are.

Since this project involves an SDR, get one of those super-cheap ones (see SDR part of the forum) and play around with it and the associated programs for a while. It's a cheap place to start and you'll have to get a feel for this before you can start working on the rest.

Posted

Hi, thanks for your help. I did some research and made a list of parts and tools that I will need. Please let me know if you have any suggestions to make it cheaper, better, or if there is anything missing or wrong with it. Here it is:

Directional antenna: ($12.99) x2

http://www.meritline.com/m/showproduct.aspx?productid=74953

LIST BEGINS HERE

Downconverter: ($12.35) + shipping: $9.2

http://m.aliexpress.com/item/670265064.html?tracelog=wwwdetail2mobilesitedetail

From article:

http://www.rtl-sdr.com/tag/downconverter/

Sdr: ($19.99)

https://hakshop.myshopify.com/products/software-defined-radio-kit-rtl-sdr

Total: 57.52

LIST ENDS HERE

Thanks so much!

Posted (edited)

You should've taken a much closer look at the parts you're trying to use.

First is your directional antenna. It combines the antenna with a wireless adapter, so what comes out of the device is a USB connection. How did you intend to down-convert an already interpreted wireless signal?

Next comes your downconverter. Did you notice it only has 1 plug? Why do you think that is? I mean, wouldn't you expect 2 plugs, one for receiving the high frequency signal and the other for delivering the low(er) frequency signal.

Take a look at this aliexpress offer for the exact same item, also showing how to mount it. Or even in the description of the item you linked where it says "Input type: BT280/: Integrated Dipole Antenna". That double-sided square cup at the top is the receiving antenna of the device it seems and it probably won't be as directional as you probably want it to (you could mount it like in that linked item which would make it very directional, but then you'd have to buy such a dish). You might be able to unscrew it in some way and hook up something else, but I'm unable to uncover what you will find here. So if you're serious about going this route your best bet I feel is to get this device, see what it does and how well it does it and them check out what else you may need.

Also, since you want to have 2 receivers to triangulate, you're going to have to have 2 downconverters, one for each receiver.

Here's effectively the same SDR dongle for just over 12 dollars. It uses an MCX connector for its receiving antenna. The plug coming out of the downconverter looks like a BNC connector so you need something that attaches those 2. Start searching here but keep a close look at that BNC (ish?) connector on the downconverter. Notice the threads on the outside and the apparent need to insert a pin in the center so it won't fit as-is against the item I linked. Maybe there's a converter plug for that or maybe you need a different cable for this.

Since it's best to keep cables short you'll probably hook things up as close to the downconverter as possible so you might want to consider getting a simple USB extension cable so you can move the antenna around a bit without having to move your computer.

So as it currently stands you need:

2x downconverter with integrated antenna ($25 + $17.50 shipping) $42.40.

2x SDR dongle ($12.50) $25

2x MCX to BNC pigtail ($3) $6

2x USB extension cord ($4?) $8

So your project, despite efforts to make it cheaper, totals around the $80-85 mark.

If you can find a way to measure signal strength of 'regular' wifi traffic or even bluetooth, I'm fairly certain we could cut down the price tag of this little project significantly.

Edited by Cooper
Posted (edited)

Cooper is right, but if you focus on WiFi only then you only need 2 of those antenna you listed, I tried them before, they are good for the price, quite directionnal, they are not real dish tho, just a patch that look like a dish but it will work.

If your focus is on RF in general in the 2.4 band then cooper setup sugestion will work, those grid dish with the downconverter are kick ass, I could get wifi signal several miles away with that! But you are missing a Power injector for the downconverter, these dont work just like that...

In both case you are still missing the rotary part, you will need a couple of cheap hobby grade servo of your choice ~10$, if you only want to triangulate in 2D you nee one per antenna otherwise 2 per antenna. and a servo controler like a pololu: http://www.pololu.com/product/207

Then we'll get to the software part, I'm actualy working on something similar if you couldnt tell ;)

I highly sugest Python as the software framework, there's triangulation library as well as IQ sampling lib for SDR and servo operation so its almost all there, just need some code stitching and a GUI :)

Edited by madhak
Posted

Hi, I decided to use the antenna + downconverter compound and was wondering if this: http://www.cafepress.com/mf/68911621/parabolic-solar-cooker-_sticker?utm_medium=cpc&utm_term=794924771&utm_source=google&utm_campaign=sem-cpc-product-ads&utm_content=search-pla&productId=794924771 would work as a makeshift dish to make it more directional, because it's a lot cheaper than buying a real dish. Also, you mentioned a power injector. What is this, and how would I set it up? I'm also assuming that I only need one servo controller for both antennae. Is this right?

Thanks!

P.S. I'm sorry I didn't review the first materials list before posting it.

Posted

Oh my oh my oh my, please review the solar cooker link you provided, if that price was for an actual solar cooker I would order 100 of them and make a solar death ray or something, but please reread the description carefully and if you decide to order it then please post a picture of your face when you receive it. No mean to be disrespectful here ;)

Also, if it was a solar cooker, it would work only if its made of metal, and from the look of it it look like mirror which work for visible light only...

Here's a link for the power injector, note that they also have downconverter on this site, this may be a better alternative to the MMDS one as this one will allow you to connect your own antenna.

http://www.winradio.com/home/bt-3500.htm

I don't think there's a cheap route for this project unless you find the dish with the down-converter in the garbage and extract the power injector circuit from a receiver unit that was used with those antenna... sorry ham stuff is expensive, only the SDR is not ;)

Posted

Yeah. What they're selling is stickers. Full stop.

A great directional wifi antenna can be made using a metal mesh colander and a bog standard usb wifi card. Put one inside the other and you have your directional dish wifi receiver. Total price would be a tenner perhaps?

Those wifi cards tend to transmit almost constantly to see if a preferable network is there and also to see how good the signal is. There must be a way to tune into this.

Posted

Look at running as AP and run the command

iwinfo <dev> assoclist

Posted

Hi all, first I want to thank you for the near-immediate and helpful responses. Thank you.

Secondly, I have some questions. Do you have any particular suggestions as to what I should search for regarding the servos in order to get a tutorial on what I have to do? Because I literally have no experience with servos whatsoever. Also, I found this tutorial ( http://www.zero13wireless.net/foro/showthread.php?248-Fabricacion-de-una-Parrilla-para-una-Antena-de-Wireless ) on making a grid reflector. Does this seem suitable? Also, the tutorial is unfortunately in Spanish, and google translate is acting up on this. Do you know of a similar tutorial in English (please don't spend hours searching for this, I'm sure I could manage with google translate but English would make it easier). Cooper, thanks for the colander idea, but I think it would actually be less expensive to do it with the downconverter + antenna thing and a DIY reflector, as that is the cheapest downconverter I have found. Also this would have longer range and be more directional (I think? Correct me if I'm wrong). Madhak, are you sure that I need a power injector for the downconverter? Because not only are they 100 bucks, but in the installation guide in the description of the product on the website this is not mentioned.

Again thank you so much for the great help!

Posted (edited)

I think you're really over-complicating things. Sure you could create that metal thing using an electric furnace and some soldering wire (don't burn down your house. Spend $15 on a cheap soldering iron) but even the parts used there can't compare favorably to getting a cheap, large metal colander and stuffing your WIFI receiver in there.

using a colander, a generic USB Wifi adapter and some hot glue. If he can do it, I'm sure ANYBODY can. The bigger the colander, the better.

But let's contemplate the downconverter scenario. How hard is it to get signal strength from an SDR? Let's assume there are 4 people in the room. How difficult would it be to determine that the first bit if data you saw fly by came from user 1 and the second bit of data came from user 2? You can't interpret it anymore I suspect due to the down-converter probably mangling the data stream (do correct me if I'm wrong - I don't quite understand the process). Before you go and purchase all sorts of parts for exceedingly large amounts of money I would suggest you investigate this part of the process first.

Edit: Actually, not really the bigger the colander the better. Rather you want a colander that is as round as possible and that would envelop your wifi adapter exactly. View the colander as half a ball. You want the center of that ball to be where the antenna of your USB Wifi adapter is located. Most Wifi USB adapters have their antenna on the far side of the stick, relative to the plug. Take that length, times 2, that's roughly the diameter of the colander you're looking for.

Edited by Cooper

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.

×
×
  • Create New...