In this post, we’re going to learn how to install and use Rayhunter—but first, we need to understand the rays we’ll be hunting.

Stingray is the brand name of an IMSI catcher, also known as a Cell Site Simulator (CSS). These are surveillance tools used by law enforcement, intelligence agencies, and criminals to intercept mobile phone traffic and track the location of cellular devices. The IMSI catcher mimics a legitimate cell tower, tricking nearby phones into connecting to it. Once connected, the device can:
- Capture a phone’s IMSI number (International Mobile Subscriber Identity)
- Track its physical location
- Intercept calls, texts, and data
Why IMSI Catchers Are Problematic
IMSI catchers don’t just affect the target—they collect data from all phones in the area. This mass surveillance can:
- Disrupt phone service
- Interfere with emergency calls
- Expose unencrypted metadata and location data
- Violate Fourth Amendment rights
Most troubling, though, is that law enforcement agencies often use this technology illegally, without warrants, and with little or no oversight.
Key Legal Cases
Court cases exposing the unlawful, unconstitutional use of IMSI catchers include:
- United States v. Lambis (2016) – U.S. District Court, Southern District of New York
- State v. Andrews (2016) – Maryland Court of Special Appeals
- Prince Jones v. United States (2017) – D.C. Court of Appeals
Despite growing awareness, details about IMSI catchers remain scarce. Vendors sign law enforcement to NDAs, and prosecutors sometimes drop charges to avoid revealing details about the tech in court. Even worse, agencies may use parallel construction investigations, where they fabricate a legal-looking explanation for information that was actually obtained illegally.
Enter Rayhunter
In the interest of transparency, the Electronic Frontier Foundation (EFF)—a non-profit defending civil liberties in the digital world—has created Rayhunter.
Rayhunter is an open-source tool that runs on an affordable mobile hotspot. The EFF describes it as a tool that can empower anyone, regardless of technical skill, to search for Cell Site Simulators worldwide.
If you’ve ever programmed a pwnagotchi or prepped a pineapple clone, you’ll have no trouble installing Rayhunter. Setup is super simple.
What You’ll Need
- An Orbic Speed RC400L (Verizon) 4G LTE Mobile WiFi Hotspot
- A USB-C data cable (included with device)
- A Linux PC or Linux Virtual Machine
If you don’t have a Linux system, follow my tutorial:
“How Hackers Install Kali for FREE (and you can too)!”
(Did you know?: Kali has always been free!)
Also, in most cases: don’t hack the police.
Installing Rayhunter
Fire up your Kali VM. Head to the Rayhunter GitHub releases page and download the release.tar file.
Open a terminal and run:
cd Downloads
mkdir rayhunter
mv release.tar rayhunter
cd rayhunter
tar -xvf release.tar
Now turn on the Orbic by pressing and holding the power button for 3 seconds. Plug it into the PC. If you’re using VMware, it’ll prompt you to connect the device to the VM.
Run the install script:
sudo ./install.sh
The device will reboot. VMware will prompt you to connect it again. If you see the script declare “success,” that’s good! If not, check the “Development” section on the Rayhunter GitHub for troubleshooting tips.
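Because install.sh runs as root, it pays to vet release.tar before the extract and install steps above. The following is an added example, not part of the original post or the Rayhunter project; the function names `unsafe_members` and `vet_archive` are hypothetical, and it assumes install.sh sits at the archive root, as the steps above imply.

```shell
#!/bin/sh
# Added example: vet a downloaded archive before extracting it and
# running its installer with sudo. Function names are hypothetical.

# Read member names on stdin, one per line. Print every name that would
# land outside the extraction directory (absolute path or a ".."
# component); return 1 if any was found, 0 otherwise.
unsafe_members() {
    bad=0
    while IFS= read -r name; do
        case $name in
            /*|..|../*|*/../*|*/..) printf '%s\n' "$name"; bad=1 ;;
        esac
    done
    return "$bad"
}

# vet_archive FILE: print the member list and succeed only if FILE can
# be listed, no member escapes the directory, and install.sh is present
# at the archive root.
vet_archive() {
    archive=$1
    listing=$(tar -tf "$archive") || {
        echo "cannot read $archive" >&2
        return 2
    }
    if ! printf '%s\n' "$listing" | unsafe_members >&2; then
        echo "refusing: members listed above escape the directory" >&2
        return 1
    fi
    if ! printf '%s\n' "$listing" | grep -Eq '^(\./)?install\.sh$'; then
        echo "refusing: no install.sh at the archive root" >&2
        return 1
    fi
    printf '%s\n' "$listing"
}

# Script mode: sh vet.sh release.tar
if [ "$#" -gt 0 ]; then
    vet_archive "$1"
fi
```

This checks member names only, so after extracting, read install.sh itself (for example with `less install.sh`) before running it with sudo.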
Using Rayhunter
In your browser, go to: localhost:8080
Here, you can start and stop recordings and view .pcap files (packet captures). Recordings should persist across reboots and even firmware updates. Be sure to click “Start Recording” in the upper-left corner of the WebUI.
Check out your Orbic’s display. It may say “no service”, but that’s okay. It can still (likely) detect IMSI catchers, because the SIM card broadcasts its IMSI and attempts to authenticate with any tower it can find—especially on 2G/3G networks.
At the top of the Orbic’s display, you’ll see a green line—this indicates Rayhunter is recording. If it turns red, you may have encountered a rogue base station. However, this line resets upon reboot or when you start a new recording via the WebUI.
You can also check the WebUI or analyze PCAP files directly for evidence of IMSI catchers.
What’s Next?
After unplugging and re-plugging the Orbic, I encountered an issue—turning what I hoped would be a one-shot tutorial into a multi-part series.
In upcoming posts, I’ll cover:
- Fixing udev permissions to keep the WebUI working
- Analyzing PCAPs to detect rogue base stations
To be continued…
