rayhunter-check not give the warning even if SIB7 appear

[arifkyi]

i Collect my PCAP with SIB7 shown in frame 839, im using SCAT

Kindly see the snapshot below

I run the rayhunter-check:
./rayhunter-check -d -p ~/Desktop/raycheckpath/scat3_fixed.pcap

but the output just like below:
INFO [rayhunter_check] Analyzers:
INFO [rayhunter_check] - Identity (IMSI or IMEI) requested in suspicious manner (v3): Tests whether the ME sends an Identity Request NAS message without either an associated attach request or auth accept message
INFO [rayhunter_check] - Connection Release/Redirected Carrier 2G Downgrade (v1): Tests if a cell releases our connection and redirects us to a 2G cell.
INFO [rayhunter_check] - LTE SIB 6/7 Downgrade (v1): Tests for LTE cells broadcasting a SIB type 6 and 7 which include 2G/3G frequencies with higher priorities.
INFO [rayhunter_check] - Null Cipher (v1): Tests whether the cell suggests using a null cipher (EEA0)
INFO [rayhunter_check] - NAS Null Cipher Requested (v1): Tests whether the MME requests to use a null cipher in the NAS security mode command
INFO [rayhunter_check] - Incomplete SIB (v2): Tests whether a SIB1 message contains a full chain of followup sibs
INFO [rayhunter_check] **** Beginning analysis of scat3_fixed.pcap
INFO [rayhunter_check] /Users/ahmadrifky/Desktop/raycheckpath/scat3_fixed.pcap: 1230 messages analyzed, 0 warnings, 1230 messages skipped

show-skipped
curious with 1230 messages that skipped, i run again with --show-skipped
./rayhunter-check -d -p ~/Desktop/raycheckpath/scat3_fixed.pcap --show-skipped
INFO [rayhunter_check] Analyzers:
INFO [rayhunter_check] - Identity (IMSI or IMEI) requested in suspicious manner (v3): Tests whether the ME sends an Identity Request NAS message without either an associated attach request or auth accept message
INFO [rayhunter_check] - Connection Release/Redirected Carrier 2G Downgrade (v1): Tests if a cell releases our connection and redirects us to a 2G cell.
INFO [rayhunter_check] - LTE SIB 6/7 Downgrade (v1): Tests for LTE cells broadcasting a SIB type 6 and 7 which include 2G/3G frequencies with higher priorities.
INFO [rayhunter_check] - Null Cipher (v1): Tests whether the cell suggests using a null cipher (EEA0)
INFO [rayhunter_check] - NAS Null Cipher Requested (v1): Tests whether the MME requests to use a null cipher in the NAS security mode command
INFO [rayhunter_check] - Incomplete SIB (v2): Tests whether a SIB1 message contains a full chain of followup sibs
INFO [rayhunter_check] **** Beginning analysis of scat3_fixed.pcap
INFO [rayhunter_check] /Users/ahmadrifky/Desktop/raycheckpath/scat3_fixed.pcap: messages skipped:
INFO [rayhunter_check] - 1230: "failed to read GsmtapHeader: InvalidTypeSubtypeCombo(127, 255)"
INFO [rayhunter_check] /Users/ahmadrifky/Desktop/raycheckpath/scat3_fixed.pcap: 1230 messages analyzed, 0 warnings, 1230 messages skipped
(base) ahmadrifky@ahmads-mbp-2 rayhunter-check-macos-intel %

instead got new error - 1230: "failed to read GsmtapHeader: InvalidTypeSubtypeCombo(127, 255)"

looking forward for your resolution

[cooperq]

hmm looks like rayhunter-check is incompatible with the pcaps that SCAT generates. IDK what it would take to make this work, it would help if you can attach the pcap here.

[arifkyi]

Hello Cooper,
Thanks for response my issue, that pcap already deleted, but i generated the new one

ScatTestFiltered2.pcapng.zip

frame number 49

i run again the rayhunter-check and not give expected output mainly about SIB7

./rayhunter-check -p ~/Desktop/ScatTestFiltered2.pcapng
INFO [rayhunter_check] Analyzers:
INFO [rayhunter_check] - Identity (IMSI or IMEI) requested in suspicious manner (v3): Tests whether the ME sends an Identity Request NAS message without either an associated attach request or auth accept message
INFO [rayhunter_check] - Connection Release/Redirected Carrier 2G Downgrade (v1): Tests if a cell releases our connection and redirects us to a 2G cell.
INFO [rayhunter_check] - LTE SIB 6/7 Downgrade (v1): Tests for LTE cells broadcasting a SIB type 6 and 7 which include 2G/3G frequencies with higher priorities.
INFO [rayhunter_check] - Null Cipher (v1): Tests whether the cell suggests using a null cipher (EEA0)
INFO [rayhunter_check] - NAS Null Cipher Requested (v1): Tests whether the MME requests to use a null cipher in the NAS security mode command
INFO [rayhunter_check] - Incomplete SIB (v2): Tests whether a SIB1 message contains a full chain of followup sibs
INFO [rayhunter_check] **** Beginning analysis of ScatTestFiltered2.pcapng
INFO [rayhunter_check] /Users/ahmadrifky/Desktop/ScatTestFiltered2.pcapng: 220 messages analyzed, 0 warnings, 220 messages skipped

[arifkyi]

i forgot to show with --show-skipped

we can see

failed to read GsmtapHeader: InvalidTypeSubtypeCombo

218: "failed to read GsmtapHeader: InvalidTypeSubtypeCombo(254, 0)"
1: "failed to convert gsmtap message to IE: UnsupportedGsmtapType(GbLlc)"
1: "failed to read GsmtapHeader: InvalidTypeSubtypeCombo(255, 0)"

./rayhunter-check -p ~/Desktop/ScatTestFiltered2.pcapng --show-skipped
INFO [rayhunter_check] Analyzers:
INFO [rayhunter_check] - Identity (IMSI or IMEI) requested in suspicious manner (v3): Tests whether the ME sends an Identity Request NAS message without either an associated attach request or auth accept message
INFO [rayhunter_check] - Connection Release/Redirected Carrier 2G Downgrade (v1): Tests if a cell releases our connection and redirects us to a 2G cell.
INFO [rayhunter_check] - LTE SIB 6/7 Downgrade (v1): Tests for LTE cells broadcasting a SIB type 6 and 7 which include 2G/3G frequencies with higher priorities.
INFO [rayhunter_check] - Null Cipher (v1): Tests whether the cell suggests using a null cipher (EEA0)
INFO [rayhunter_check] - NAS Null Cipher Requested (v1): Tests whether the MME requests to use a null cipher in the NAS security mode command
INFO [rayhunter_check] - Incomplete SIB (v2): Tests whether a SIB1 message contains a full chain of followup sibs
INFO [rayhunter_check] **** Beginning analysis of ScatTestFiltered2.pcapng
INFO [rayhunter_check] /Users/ahmadrifky/Desktop/ScatTestFiltered2.pcapng: messages skipped:
INFO [rayhunter_check] - 218: "failed to read GsmtapHeader: InvalidTypeSubtypeCombo(254, 0)"
INFO [rayhunter_check] - 1: "failed to convert gsmtap message to IE: UnsupportedGsmtapType(GbLlc)"
INFO [rayhunter_check] - 1: "failed to read GsmtapHeader: InvalidTypeSubtypeCombo(255, 0)"
INFO [rayhunter_check] /Users/ahmadrifky/Desktop/ScatTestFiltered2.pcapng: 220 messages analyzed, 0 warnings, 220 messages skipped
(base) ahmadrifky@ahmadriyslaptop rayhunter-check-macos-arm %

[mo-krauti]

I just experienced the exact same issues with a pcap dumped from scat.

[mo-krauti]

Can somebody please provide a pcap dump created by rayhunter so that I can compare it to a dump generated by scat? I do not have access to any device capable of running rayhunter.

[untitaker]

you can get some captures from https://github.com/ZeroChaos-/rayhunter-traces

[mo-krauti]

Thank you very much. Signalcat uses Ethernet as the encapsulation type, while rayhunter uses raw ip. This leads to rayhunter looking at the wrong offsets resulting in the error above.

Quick fix:
Remove the Ethernet encapsulation from the signalcat dump in Wireshark: File -> Strip Headers -> Choose IP. Then save to another pcap file.

I think we should detect the encapsulation type and either support both types or at least throw a meaningful error.

[arifkyi]

Hello @mo-krauti @cooperq ,

thank you so much,

i will try it that "Strip Headers"

i have a question:

questions:

1. is the PCAP file that we got from QCSuper (Not from SCAT) will work with rayhunter without "Strip Header", if yes i will try also with Qcsuper

2. Is QMDL will work regardless SCAT or QCSUPER ?

Thank you so much in advance

[arifkyi]

Ok great

thank you so much @mo-krauti for your hints and also @cooperq for your great support

In the meantime im waiting your kindly answers from my question above 👆

after strip headers, we got progress:

before strip all messages were skipped:
"220 messages analyzed, 0 warnings, 220 messages skipped"

after strip 220 messages included to be analyzed:
"" 220 messages analyzed, 0 warnings, 1 messages skipped"

1. I tried with some scenario:

PCAP file that's i gave it to you not recognized the SIB 7 (i attached)

**** Beginning analysis of testHunter.pcapng
INFO [rayhunter_check] /Users/ahmadrifky/Desktop/testHunter.pcapng: 220 messages analyzed, 0 warnings, 1 messages skipped
(base) ahmadrifky@ahmadriyslaptop rayhunter-check-macos-arm %

2. but i have good news positive Good scenario that i think i dont need to share PCAP here:
   INFO [rayhunter_check] **** Beginning analysis of enbstripheadertestHUnter.pcapng
   INFO [rayhunter_check] /Users/ahmadrifky/Desktop/enbstripheadertestHUnter.pcapng: INFO - 2035-12-09 08:03:22.104866 +00:00 SIB1 scheduling info list was malformed (packet 9961)
   INFO [rayhunter_check] /Users/ahmadrifky/Desktop/enbstripheadertestHUnter.pcapng: INFO - 2035-12-09 08:03:32.601422 +00:00 SIB1 scheduling info list was malformed (packet 9997)
   INFO [rayhunter_check] /Users/ahmadrifky/Desktop/enbstripheadertestHUnter.pcapng: INFO - 2035-12-09 08:03:32.903280 +00:00 Identity Request happened but its not suspicious yet. (packet 10013)
   INFO [rayhunter_check] /Users/ahmadrifky/Desktop/enbstripheadertestHUnter.pcapng: INFO - 2035-12-09 08:03:57.801003 +00:00 Identity Request happened but its not suspicious yet. (packet 10033)

now the question remain, same with the subject title of this issue:
why not give the warning even if SIB7 appear?