Getting in The SS7 Kingdom: Hard Technology and Disturbingly Easy Hacks To Get Entry Points in The Walled Garden
P1 Security Inc, http://www.p1security.com
Why do we have SS7?
• Thanks to hackers!
(Photo: Steve Jobs and Steve Wozniak in 1975 with a bluebox)
• CCITT#5 in-band signalling sends control messages over the speech channel, allowing trunks to be controlled: whoever can put the right tones on the line controls the switch
• Seize trunk (2600) / KP1 or KP2 / destination / ST
• Started in the mid-60s, became popular after the 1971 Esquire article
• Sounds produced by whistles, electronic dialers, computer programs, recorded tones
• The answer was out-of-band signalling: SS7 carries the control messages on a separate network, which is what made it a walled garden in the first place
How to get in?
Entry points into the walled garden:
• ME vuln. research (the mobile equipment itself)
• External APIs to the HLR: location, IMSI
• OpenBTS + crypto cracking
• OpenBSC hacking
• FemtoCell hacking
• SS7 CN: scanning and hacking
• SMS injection
Core network elements:
HLR/VLR : Home Location Register, Visitor Location Register
AuC : Authentication Center (within HLR)
EIR : Equipment Identity Register
MSC : Mobile Switching Center
STP : Signaling Transfer Point (i.e. Router)
LIG : Legal Interception Gateway?
Three approaches:
Illegal : SQL Injection? Uhh?
Consulting : Nahh... not possible! (?)
Product : Yes please!
• Scanning
• Vulnerability, injection
• Reach of MSUs (Message Signal Units)!
RFC 4960
SCTP: Stream Control Transmission Protocol
Advantages
• Multi-homing: one association over several IP paths
• DoS resilient: 4-way handshake with a state cookie, so the server keeps no state before COOKIE-ECHO (no SYN-flood equivalent)
• Multi-stream: several independent streams inside one association, no head-of-line blocking between them
• Reliable datagram mode: message boundaries preserved, delivery reliable
• Takes some of TCP and some of UDP, and improves on both
SCTP stealth scan
Attacker -> Server (port 102): INIT
Attacker <- Server: INIT-ACK
The scanner never sends the COOKIE-ECHO, so no association is ever established and the application behind the port is never notified of the probe. An INIT-ACK means something listens there, an ABORT means the port is closed, silence means filtered (or no SCTP stack at all).
SCTPscan
• Linux, BSD, MacOS X, Solaris, ...
• IP scan, portscan, fuzzing, dummy server, bridge
• Included in BackTrack
• SCTP tricks: port mirroring, instreams connections
• NMAP has new SCTP support (-sY INIT scan), but lacks these tricks
• SIGTRAN usually requires peer config (the SG has to know the ASP), so an open port does not mean the application will talk to you
• This is not the average TCP/IP app
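The INIT probe and reply classification described above, as an added example: this is not code from the slides or from SCTPscan. It builds the SCTP common header and INIT chunk from the RFC 4960 layouts, computes the CRC32c checksum from Appendix B, and classifies a reply by its first chunk type. The source port 54321, the initiate tag 0x12345678 and the two sample replies are constructed; 2905 is the registered M3UA port.

```python
"""SCTP INIT probe: build the packet an INIT scanner sends and classify the reply.

Added example, not code from the slides or from SCTPscan. Layouts follow RFC 4960
(common header, INIT chunk, CRC32c in Appendix B); the sample replies are constructed.
"""
import socket
import struct

INIT, INIT_ACK, ABORT = 1, 2, 6          # chunk types we care about
IPPROTO_SCTP = 132

# CRC32c (Castagnoli), reflected polynomial, table-driven, as in RFC 4960 Appendix B.
_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0x82F63B78 if c & 1 else c >> 1
    _TABLE.append(c)

def crc32c(data):
    crc = 0xFFFFFFFF
    for b in data:
        crc = (crc >> 8) ^ _TABLE[(crc ^ b) & 0xFF]
    return (~crc) & 0xFFFFFFFF

def sctp_checksum(pkt):
    """Checksum over the whole packet with the checksum field zeroed.
    The RFC's byte shuffle stores the reflected CRC little-endian on the wire."""
    zeroed = pkt[:8] + b"\x00" * 4 + pkt[12:]
    return struct.pack("<I", crc32c(zeroed))

def chunk(ctype, body=b"", flags=0):
    """Chunk header is type, flags, length (header included); padded to 4 bytes."""
    raw = struct.pack("!BBH", ctype, flags, 4 + len(body)) + body
    return raw + b"\x00" * ((-len(raw)) % 4)

def packet(src_port, dst_port, vtag, chunks):
    """Common header (ports, verification tag, checksum) followed by chunks."""
    raw = struct.pack("!HHII", src_port, dst_port, vtag, 0) + chunks
    return raw[:8] + sctp_checksum(raw) + raw[12:]

def build_init(src_port, dst_port, init_tag=0x12345678):
    """INIT: initiate tag, a_rwnd, outbound/inbound streams, initial TSN.
    The verification tag in the header of an INIT must be 0 (RFC 4960 3.3.2)."""
    body = struct.pack("!IIHHI", init_tag, 65535, 10, 65535, 1)
    return packet(src_port, dst_port, 0, chunk(INIT, body))

def parse(pkt):
    """Return (src, dst, vtag, [(chunk type, body), ...]); reject bad checksums."""
    if len(pkt) < 16:
        raise ValueError("short SCTP packet")
    src, dst, vtag, _ = struct.unpack("!HHII", pkt[:12])
    if pkt[8:12] != sctp_checksum(pkt):
        raise ValueError("bad SCTP checksum")
    chunks, off = [], 12
    while off + 4 <= len(pkt):
        ctype, _, clen = struct.unpack("!BBH", pkt[off:off + 4])
        if clen < 4:
            raise ValueError("bad chunk length")
        chunks.append((ctype, pkt[off + 4:off + clen]))
        off += (clen + 3) & ~3
    return src, dst, vtag, chunks

def classify(reply):
    """INIT-ACK: a listener answered (open). ABORT: no listener on that port
    (closed). Nothing: filtered, or no SCTP stack. We never send COOKIE-ECHO,
    so no association forms and the application is never notified."""
    if reply is None:
        return "filtered"
    types = {ctype for ctype, _ in parse(reply)[3]}
    if INIT_ACK in types:
        return "open"
    if ABORT in types:
        return "closed"
    return "unknown"

def probe(dst_ip, dst_port, src_port=54321, timeout=2.0):
    """Send one INIT over a raw socket (needs root) and classify what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, IPPROTO_SCTP) as s:
        s.settimeout(timeout)
        s.sendto(build_init(src_port, dst_port), (dst_ip, 0))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return classify(None)
    ihl = (data[0] & 0x0F) * 4    # raw sockets hand us the IPv4 header too
    return classify(data[ihl:])

# Constructed replies, as a server would answer the probe. A real INIT-ACK echoes
# our initiate tag as its verification tag and also carries a State Cookie parameter.
PROBE = build_init(54321, 2905)
FAKE_INIT_ACK = packet(2905, 54321, 0x12345678,
                       chunk(INIT_ACK, struct.pack("!IIHHI", 0xCAFEBABE, 65535, 10, 10, 1)))
FAKE_ABORT = packet(2905, 54321, 0x12345678, chunk(ABORT))
```

`probe()` is the only function that touches the network; the builder and classifier run offline, which is also the right place to unit-test a scanner. When the host kernel has its own SCTP stack loaded it will answer the INIT-ACK with an ABORT of its own, which is fine for this purpose: the association is torn down without ever reaching the application.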
SCTPscan Usage
ss7calc
Like ipcalc, Open Source: http://www.p1sec.com/corp/research/tools/ss7calc/

Scanning layers, TCP/IP side by side with SS7:

TCP/IP                                     SS7
IPsec endpoint scan, MPLS label scan,      SCTP endpoint scan
VLAN tag scan
ARP or ping scan                           MTP3 or M3UA scanning
                                           SSN scanning
                                           GTT scanning
                                           DPC scanning
Topology discovery (needed for IP-based topologies)
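The point-code arithmetic that ss7calc does and that the DPC scanning step in the table needs, as an added example in the spirit of ss7calc (not its own code): conversion between the integer on the wire and the dotted notation operators use, enumeration of a DPC range, and the two places the DPC ends up in a probe, the ITU-T Q.704 routing label (MTP3 scanning) and the fixed part of the M3UA Protocol Data parameter (M3UA scanning). Assumptions: ITU-T 3-8-3 and ANSI 8-8-8 layouts, and the sample OPC, range and SI/NI values in `scan_plan`.

```python
"""Point-code arithmetic for DPC enumeration, in the spirit of ss7calc (added example,
not ss7calc's own code). ITU-T Q.704 point codes are 14 bits written zone-region-sp
(3-8-3); ANSI T1.111 codes are 24 bits written network-cluster-member (8-8-8)."""
import struct

ITU = (3, 8, 3)
ANSI = (8, 8, 8)

def pc_to_int(text, layout=ITU):
    """'2-123-4' -> 5084 for ITU; raises on wrong field count or out-of-range field."""
    parts = [int(p) for p in text.split("-")]
    if len(parts) != len(layout):
        raise ValueError("expected %d fields" % len(layout))
    value = 0
    for part, bits in zip(parts, layout):
        if not 0 <= part < (1 << bits):
            raise ValueError("field %d does not fit in %d bits" % (part, bits))
        value = (value << bits) | part
    return value

def int_to_pc(value, layout=ITU):
    """5084 -> '2-123-4' for ITU."""
    if not 0 <= value < (1 << sum(layout)):
        raise ValueError("point code does not fit in %d bits" % sum(layout))
    parts = []
    for bits in reversed(layout):
        parts.append(value & ((1 << bits) - 1))
        value >>= bits
    return "-".join(str(p) for p in reversed(parts))

def dpc_range(first, last, layout=ITU):
    """Every point code from first to last inclusive, as (int, text) pairs: the
    candidate list for a DPC scan."""
    lo, hi = pc_to_int(first, layout), pc_to_int(last, layout)
    return [(v, int_to_pc(v, layout)) for v in range(lo, hi + 1)]

def itu_routing_label(dpc, opc, sls):
    """MTP3 routing label (Q.704): DPC in bits 0-13, OPC in bits 14-27, SLS in
    bits 28-31, transmitted least-significant byte first."""
    if not (0 <= dpc < 1 << 14 and 0 <= opc < 1 << 14 and 0 <= sls < 16):
        raise ValueError("field out of range")
    return struct.pack("<I", dpc | (opc << 14) | (sls << 28))

def m3ua_protocol_data_fixed(opc, dpc, si, ni, mp, sls):
    """Fixed 12-byte part of the M3UA Protocol Data parameter (RFC 4666 3.3.1):
    OPC and DPC as 32-bit values, then SI, NI, MP, SLS; the MTP3 user part follows."""
    return struct.pack("!IIBBBB", opc, dpc, si, ni, mp, sls)

def scan_plan(first, last, opc, layout=ITU):
    """Constructed helper: one (dpc text, M3UA fixed part) per DPC in the range,
    with SI=3 (SCCP), NI=2 (national), MP=0, SLS=0 as assumed sample values."""
    return [(text, m3ua_protocol_data_fixed(opc, v, 3, 2, 0, 0))
            for v, text in dpc_range(first, last, layout)]
```

The range check in `pc_to_int` matters more than it looks: "2-123-8" is a common typo for an ITU code, and a scanner that silently wraps the signalling-point field ends up probing a different zone than the one it was told to.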
Test ladder (each depends on configuration):
M3UA tests -> SCCP tests -> MAP tests -> INAP tests

M3UA ASP state transition diagram, per AS (the RFC 4666 figure), annotated with what the SGP sends in each state:

                               +--------------+
                               |              |
         +---------------------|  ASP-ACTIVE  |
         |    Other     +------|              |
         |  ASP in AS   |      +--------------+
         |  Overrides   |        ^       |
         |              |  ASP   |       | ASP
         |              |  Active|       | Inactive
         |              |        |       v
         |              |      +--------------+
         |              |      |              | :ASP Inactive Ack
         |              +----->| ASP-INACTIVE | :ASP Up Ack
         |                     +--------------+ :Notify.param=status=2
         |                       ^       |
         | ASP Down/             |       |
         | SCTP CDI/     ASP     |       | ASP Down/
         | SCTP RI       Up      |       | SCTP CDI/
         |                       |       v SCTP RI
         |                     +--------------+
         |                     |              |
         +-------------------->|   ASP-DOWN   | :Association loss/closed
                               |              |
                               +--------------+
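The state machine in the diagram, driven by real M3UA messages, as an added example (not from the slides or from P1 Security tooling). The SGP side is modelled: it encodes and decodes the common header and TLV parameters from RFC 4666, answers ASP Up / ASP Active / ASP Inactive / ASP Down with the acks and Notify messages the diagram annotates (Notify status type 1 = AS-State_Change, status information 2 = AS-INACTIVE), and returns an Error "Unexpected Message" for anything out of sequence, which is exactly what an M3UA test sees when it talks to a gateway whose configuration does not match. Assumptions: routing context 101, a single ASP in a single AS, and no AS-PENDING recovery timer.

```python
"""M3UA ASP state machine on the SGP side, driven by encoded ASPSM/ASPTM messages.

Added example, not from the slides or P1 Security's tooling. Message layouts,
classes, types, tags and state names follow RFC 4666; the routing context
value is an assumption and the AS-PENDING recovery timer is not modelled.
"""
import struct

MGMT, ASPSM, ASPTM = 0, 3, 4                     # message classes (RFC 4666 3.1.2)
ERR, NTFY = 0, 1                                 # MGMT types
ASPUP, ASPDN, ASPUP_ACK, ASPDN_ACK = 1, 2, 4, 5  # ASPSM types
ASPAC, ASPIA, ASPAC_ACK, ASPIA_ACK = 1, 2, 3, 4  # ASPTM types
TAG_ROUTING_CONTEXT, TAG_ERROR_CODE, TAG_STATUS = 0x0006, 0x000C, 0x000D
ERR_UNEXPECTED_MESSAGE = 0x06
AS_STATE_CHANGE = 1                              # Notify status type
AS_INACTIVE, AS_ACTIVE, AS_PENDING = 2, 3, 4     # Notify status information

def param(tag, value):
    """TLV parameter: length includes the 4-byte header, value padded to 4 bytes."""
    length = 4 + len(value)
    return struct.pack("!HH", tag, length) + value + b"\x00" * ((-length) % 4)

def message(mclass, mtype, params=b""):
    """Common header: version 1, reserved, class, type, total length."""
    return struct.pack("!BBBBI", 1, 0, mclass, mtype, 8 + len(params)) + params

def parse(msg):
    """Return (class, type, {tag: value}); reject a bad version or length."""
    version, _, mclass, mtype, length = struct.unpack("!BBBBI", msg[:8])
    if version != 1 or length != len(msg):
        raise ValueError("bad M3UA header")
    params, off = {}, 8
    while off < length:
        tag, plen = struct.unpack("!HH", msg[off:off + 4])
        if plen < 4:
            raise ValueError("bad parameter length")
        params[tag] = msg[off + 4:off + plen]
        off += (plen + 3) & ~3
    return mclass, mtype, params

def notify(status_info, rc):
    """Notify carrying Status (type AS-State_Change) and Routing Context."""
    status = struct.pack("!HH", AS_STATE_CHANGE, status_info)
    return message(MGMT, NTFY, param(TAG_STATUS, status) + param(TAG_ROUTING_CONTEXT, rc))

def error(code):
    return message(MGMT, ERR, param(TAG_ERROR_CODE, struct.pack("!I", code)))

class SGP:
    """Signalling Gateway Process with a single ASP in a single AS."""

    def __init__(self, routing_context=101):        # assumed RC value
        self.rc = struct.pack("!I", routing_context)
        self.state = "ASP-DOWN"

    def association_lost(self):
        """SCTP communication-down or restart indication: straight to ASP-DOWN."""
        self.state = "ASP-DOWN"

    def receive(self, msg):
        """Apply one ASP message; return the messages the SGP sends back."""
        mclass, mtype, _ = parse(msg)
        key, rc = (mclass, mtype), param(TAG_ROUTING_CONTEXT, self.rc)
        if key == (ASPSM, ASPUP):
            if self.state == "ASP-DOWN":
                self.state = "ASP-INACTIVE"
                return [message(ASPSM, ASPUP_ACK), notify(AS_INACTIVE, self.rc)]
            if self.state == "ASP-INACTIVE":       # repeated ASP Up: ack, no change
                return [message(ASPSM, ASPUP_ACK)]
            self.state = "ASP-INACTIVE"            # ASP Up while active: ack + error
            return [message(ASPSM, ASPUP_ACK), error(ERR_UNEXPECTED_MESSAGE)]
        if key == (ASPSM, ASPDN):                  # acked in any state
            self.state = "ASP-DOWN"
            return [message(ASPSM, ASPDN_ACK)]
        if key == (ASPTM, ASPAC) and self.state == "ASP-INACTIVE":
            self.state = "ASP-ACTIVE"
            return [message(ASPTM, ASPAC_ACK, rc), notify(AS_ACTIVE, self.rc)]
        if key == (ASPTM, ASPIA) and self.state == "ASP-ACTIVE":
            self.state = "ASP-INACTIVE"
            return [message(ASPTM, ASPIA_ACK, rc), notify(AS_PENDING, self.rc)]
        return [error(ERR_UNEXPECTED_MESSAGE)]     # out of sequence for this state

def walk(sgp, msgs):
    """Feed ASP-side messages in order; record (state, reply class/type) per step."""
    trace = []
    for m in msgs:
        replies = sgp.receive(m)
        trace.append((sgp.state, [parse(r)[:2] for r in replies]))
    return trace

# Constructed exchange: an ASP that tries to go active before it is up, then
# follows the proper ASP Up -> ASP Active -> ASP Inactive -> ASP Down sequence.
RC = param(TAG_ROUTING_CONTEXT, struct.pack("!I", 101))
SEQUENCE = [message(ASPTM, ASPAC, RC), message(ASPSM, ASPUP), message(ASPTM, ASPAC, RC),
            message(ASPTM, ASPIA, RC), message(ASPSM, ASPDN)]
TRACE = walk(SGP(), SEQUENCE)
```

Read the trace the way a scanner would: an Error in reply to the first ASP Active tells you the peer runs M3UA and enforces the state machine, and the ASP Up Ack plus Notify that follow tell you the gateway accepted this peer, which is the "peer config" hurdle from the SCTP slide.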
DPC scan: for each DPC
SSN scan: for each SS7 "application" or SSN (HLR, ...)
Application tests: MAP tests, INAP tests, CAP tests, ...
Example of SS7 protocol: ISUP & related attacks
• ISUP message types
• ISUP call flows
Attack Quiz!
Insecure
• Untested hw
• Unprotected IPsec
• No regular pentest
(Image credit: Intomobile)
P1sec SIGTRANalyzer
SS7 and SIGTRAN vulnerability scanning, commercial product
Questions welcome