Merge pull request #1386 from HackTricks-wiki/update_Demystifying_5G_Security__Understanding_the_Regist_20250905_011652

Demystifying 5G Security Understanding the Registration Prot...
2025-10-10 18:36:50 +00:00 · 2025-09-07 22:01:41 +02:00 · 2025-09-07 22:01:41 +02:00 · ec6e40cd80
commit ec6e40cd80
parent ae731e5827 ae64d3f74b
1 changed files with 110 additions and 0 deletions
--- a/src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md
+++ b/src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md
@ -141,17 +141,127 @@ rm -f /tmp/sh ; history -c
 * `Microsocks` + `ProxyChains` : lightweight SOCKS5 pivoting
 * `FRP` (≥0.37) : NAT traversal / asset bridging

+## 9. 5G NAS Registration Attacks: SUCI leaks, downgrade to EEA0/EIA0, and NAS replay
+
+The 5G registration procedure runs over NAS (Non-Access Stratum) on top of NGAP. Until NAS security is activated by Security Mode Command/Complete, initial messages are unauthenticated and unencrypted. This pre-security window enables multiple attack paths when you can observe or tamper with N2 traffic (e.g., on-path inside the core, rogue gNB, or testbed).
+
+Registration flow (simplified):
+- Registration Request: UE sends SUCI (encrypted SUPI) and capabilities.
+- Authentication: AMF/AUSF send RAND/AUTN; UE returns RES*.
+- Security Mode Command/Complete: NAS integrity and ciphering are negotiated and activated.
+- PDU Session Establishment: IP/QoS setup.
+
+Lab setup tips (non-RF):
+- Core: Open5GS default deployment is sufficient to reproduce flows.
+- UE: simulator or test UE; decode using Wireshark.
+- Active tooling: 5GReplay (capture/modify/replay NAS within NGAP), Sni5Gect (sniff/patch/inject NAS on the fly without bringing up a full rogue gNB).
+- Useful display filters in Wireshark:
+  - ngap.procedure_code == 15 (InitialUEMessage)
+  - nas_5g.message_type == 65 or nas-5gs.message_type == 65 (Registration Request)
+
+### 9.1 Identifier privacy: SUCI failures exposing SUPI/IMSI
+Expected: UE/USIM must transmit SUCI (SUPI encrypted with the home-network public key). Finding a plaintext SUPI/IMSI in the Registration Request indicates a privacy defect enabling persistent subscriber tracking.
+
+How to test:
+- Capture the first NAS message in InitialUEMessage and inspect the Mobile Identity IE.
+- Wireshark quick checks:
+  - It should decode as SUCI, not IMSI.
+  - Filter examples: `nas-5gs.mobile_identity.suci || nas_5g.mobile_identity.suci` should exist; absence plus presence of `imsi` indicates leakage.
+
+What to collect:
+- MCC/MNC/MSIN if exposed; log per-UE and track across time/locations.
+
+Mitigation:
+- Enforce SUCI-only UEs/USIMs; alert on any IMSI/SUPI in initial NAS.
+
+### 9.2 Capability bidding-down to null algorithms (EEA0/EIA0)
+Background:
+- UE advertises supported EEA (encryption) and EIA (integrity) in the UE Security Capability IE of the Registration Request.
+- Common mappings: EEA1/EIA1 = SNOW3G, EEA2/EIA2 = AES, EEA3/EIA3 = ZUC; EEA0/EIA0 are null algorithms.
+
+Issue:
+- Because the Registration Request is not integrity protected, an on-path attacker can clear capability bits to coerce selection of EEA0/EIA0 later during Security Mode Command. Some stacks wrongly allow null algorithms outside emergency services.
+
+Offensive steps:
+- Intercept InitialUEMessage and modify the NAS UE Security Capability to advertise only EEA0/EIA0.
+- With Sni5Gect, hook the NAS message and patch the capability bits before forwarding.
+- Observe whether AMF accepts null ciphers/integrity and completes Security Mode with EEA0/EIA0.
+
+Verification/visibility:
+- In Wireshark, confirm selected algorithms after Security Mode Command/Complete.
+- Example passive sniffer output:
+```
+Encyrption in use [EEA0]
+Integrity in use [EIA0, EIA1, EIA2]
+SUPI (MCC+MNC+MSIN) 9997000000001
+```
+
+Mitigations (must):
+- Configure AMF/policy to reject EEA0/EIA0 except where strictly mandated (e.g., emergency calls).
+- Prefer enforcing EEA2/EIA2 at minimum; log and alarm on any NAS security context that negotiates null algorithms.
+
+### 9.3 Replay of initial Registration Request (pre-security NAS)
+Because initial NAS lacks integrity and freshness, captured InitialUEMessage+Registration Request can be replayed to AMF.
+
+PoC rule for 5GReplay to forward matching replays:
+
+```xml
+<beginning>
+  <property value="THEN" 
+            property_id="101" 
+            type_property="FORWARD" 
+            description="Forward InitialUEMessage with Registration Request">
+
+    <!-- Trigger on NGAP InitialUEMessage (procedureCode == 15) -->
+    <event value="COMPUTE" 
+           event_id="1" 
+           description="Trigger: InitialUEMessage" 
+           boolean_expression="ngap.procedure_code == 15"/>
+
+    <!-- Context match on NAS Registration Request (message_type == 65) -->
+    <event value="COMPUTE" 
+           event_id="2" 
+           description="Context: Registration Request" 
+           boolean_expression="nas_5g.message_type == 65"/>
+
+  </property>
+</beginning>
+```
+
+What to observe:
+- Whether AMF accepts the replay and proceeds to Authentication; lack of freshness/context validation indicates exposure.
+
+Mitigations:
+- Enforce replay protection/context binding at AMF; rate-limit and correlate per-GNB/UE.
+
+### 9.4 Tooling pointers (reproducible)
+- Open5GS: spin up an AMF/SMF/UPF to emulate core; observe N2 (NGAP) and NAS.
+- Wireshark: verify decodes of NGAP/NAS; apply the filters above to isolate Registration.
+- 5GReplay: capture a registration, then replay specific NGAP + NAS messages as per the rule.
+- Sni5Gect: live sniff/modify/inject NAS control-plane to coerce null algorithms or perturb authentication sequences.
+
+### 9.5 Defensive checklist
+- Continuously inspect Registration Request for plaintext SUPI/IMSI; block offending devices/USIMs.
+- Reject EEA0/EIA0 except for narrowly defined emergency procedures; require at least EEA2/EIA2.
+- Detect rogue or misconfigured infrastructure: unauthorized gNB/AMF, unexpected N2 peers.
+- Alert on NAS security modes that result in null algorithms or frequent replays of InitialUEMessage.
+
 ---
 ## Detection Ideas
 1. **Any device other than an SGSN/GGSN establishing Create PDP Context Requests**.
 2. **Non-standard ports (53, 80, 443) receiving SSH handshakes** from internal IPs.
 3. **Frequent Echo Requests without corresponding Echo Responses** – might indicate GTPDoor beacons.
 4. **High rate of ICMP echo-reply traffic with large, non-zero identifier/sequence fields**.
+5. 5G: **InitialUEMessage carrying NAS Registration Requests repeated from identical endpoints** (replay signal).
+6. 5G: **NAS Security Mode negotiating EEA0/EIA0** outside emergency contexts.

 ## References

 - [Palo Alto Unit42 – Infiltration of Global Telecom Networks](https://unit42.paloaltonetworks.com/infiltration-of-global-telecom-networks/)
 - 3GPP TS 29.060 – GPRS Tunnelling Protocol (v16.4.0)
 - 3GPP TS 29.281 – GTPv2-C (v17.6.0)
+- [Demystifying 5G Security: Understanding the Registration Protocol](https://bishopfox.com/blog/demystifying-5g-security-understanding-the-registration-protocol)
+- 3GPP TS 24.501 – Non-Access-Stratum (NAS) protocol for 5GS
+- 3GPP TS 33.501 – Security architecture and procedures for 5G System

 {{#include ../../banners/hacktricks-training.md}}