Intercepting Signalling System No. 7 (SS7) - Practical Lab

Introduction 


This is my first blog post on blogger.com. I want it to be interesting for people who are interested in the information security field and also want to learn new things. I will try to share good reads and interesting articles on my blog. Let's begin with my favourite one here. Please note that English is not my native language, so I apologise in advance for my bad English 😀.

It was an awesome experience playing around with Immersive Labs machines during the past month; there is much to learn from hands-on practical labs. But the lab I liked most was the Signalling System No. 7 (SS7) interception practical lab. SS7 is the signalling protocol suite used to exchange control information between the elements of telecommunication networks. We will use it to gain access to a fictional user's bank account and successfully transfer funds.
There are many good tutorials and online resources available for SS7, so I will keep the background short here.

 

Introduction to SS7 Interception


There have been a number of attacks on the insecure form of two-factor authentication (2FA) that delivers one-time codes by SMS, carried out by intercepting those codes through the Signalling System No. 7 (SS7) network. Such attacks have hit large online forum platforms as well as multiple banks.

 

SS7 protocol


SS7 is the protocol suite that defines how switching systems in Public Switched Telephone Networks (PSTNs) exchange signalling information out of band, on a channel separate from the voice traffic itself. The SS7 protocol suite manages a number of services, as shown below:
  • Basic call setup, management and teardown
  • Routing of calls between operators and countries (efficient worldwide telecommunications)
  • SMS
  • Information transfer between network elements (subscriber location, routing and authentication queries)
  • Billing of telephone communications
The SS7 protocol stack involves a number of different layers, which define how each message is encapsulated as it travels through the network. In this lab we will be looking at communication over SMS.
When SS7 is carried over IP networks (SIGTRAN), it runs on top of the Stream Control Transmission Protocol (SCTP), a transport-layer protocol in the Open Systems Interconnection (OSI) model; on classic TDM signalling links it runs directly over the Message Transfer Part.

 

Protocols


TCAP: Transaction Capabilities Application Part
SCTP: Stream Control Transmission Protocol (IP transport for SS7 in SIGTRAN)
ASP: Application Service Part
SCCP: Signaling Connection Control Part (routes messages by Global Title, e.g. to the right HLR)
TUP: Telephone User Part
ISUP: ISDN User Part
BISUP: Broadband ISDN User Part
MTP: Message Transfer Part
MAP: Mobile Application Part (runs on TCAP; the SendIMSI and UpdateLocation queries used in this lab are MAP operations)

SMS network


There are a number of network elements involved in tracking a subscriber's phone so that communication succeeds. Different data about each phone is stored in different parts of this network. The elements, and the standard that defines them, are as follows:
  • GSM – Global System for Mobile communications (the standard that defines the elements below)
  • GMSC – Gateway Mobile Switching Centre
  • HLR – Home Location Register
  • MSC – Mobile Switching Centre
  • V-MSC – Visited Mobile Switching Centre
  • VLR – Visitor Location Register
  • BSS – Base Station Subsystem


GMSC


The Gateway Mobile Switching Centre (GMSC) is the entry point into a subscriber's home network for calls and SMS addressed to that subscriber. The GMSC is tasked with querying the Home Location Register (HLR) for routing information. Each network provider has a GMSC in its 'home' network.
For example, if Bob sent Alice a text message from India and she was subscribed to T-Mobile in the UK, the text message would first make its way to T-Mobile's GMSC in the UK to find routing information for that number. The home network is identified from the first few digits of the number: the country code followed by the operator's number prefix (the mobile network code proper is part of the IMSI, not of the phone number).
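To make the "first few digits" routing concrete, here is a small longest-prefix-match lookup that maps an E.164 number to the Global Title of its home HLR, the way an STP's Global Title Translation table does. This is an added example and not part of the lab or the original post; the prefixes, operator names and Global Titles in the table are constructed for illustration and are not real allocations.

```python
"""Longest-prefix routing of an E.164 MSISDN to the home network's HLR.

Added example, not from the lab or the original post.  The prefix table
and Global Titles are constructed for illustration, not real allocations.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    operator: str
    hlr_gt: str   # Global Title (E.164-style address) of the home HLR


# Constructed routing table: E.164 prefix -> home network.  The longest
# matching prefix wins, exactly as Global Title Translation behaves.
ROUTING_TABLE = {
    "44":     Route("uk-default", "447000000000"),
    "447700": Route("uk-opA",     "447700900001"),
    "4479":   Route("uk-opB",     "447900000001"),
    "91":     Route("in-default", "910000000000"),
    "9198":   Route("in-opC",     "919800000001"),
}


def normalise_msisdn(number: str) -> str:
    """Strip formatting and the international prefix; return digits only.

    Accepts '+44 7700 900123', '0044 7700 ...' and '447700...'.  A
    national-format number (leading 0, like the lab's 03031237300) cannot
    be routed without knowing the caller's country, so it is rejected
    rather than guessed.
    """
    digits = "".join(ch for ch in number if ch.isdigit())
    if number.strip().startswith("+"):
        return digits
    if digits.startswith("00"):
        return digits[2:]
    if digits.startswith("0"):
        raise ValueError(f"national-format number, country unknown: {number!r}")
    return digits


def route_to_hlr(msisdn: str) -> Route:
    """Longest-prefix match of the MSISDN against the routing table."""
    digits = normalise_msisdn(msisdn)
    best = None
    for prefix, route in ROUTING_TABLE.items():
        if digits.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, route)
    if best is None:
        raise LookupError(f"no route for {digits}")
    return best[1]
```

Note that the same prefix walk is what lets an attacker with SS7 access reach any operator's HLR: the number alone tells the network where the subscriber's home database lives.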

 

HLR


The Home Location Register (HLR) is the central database that stores data on each mobile subscriber of a given network provider. It is queried by the GMSC once a communication request has been made. The HLR stores details of every SIM card, which are then used to locate the subscriber via the other databases.
The HLR stores various pieces of important data:
  • Subscriber identity (IMSI and MSISDN)
  • Current subscriber VLR (current location) – the field the attack below overwrites
  • Supplementary services subscribed to (caller tone, missed call alert, etc.)
  • Subscriber status (registered or deregistered)
  • Authentication key and AuC functionality (the Authentication Centre holds the SIM's secret key)
  • Mobile Subscriber Roaming Number (MSRN)

 

MSC


The Mobile Switching Centre (MSC) is the switching node responsible for routing voice calls and SMS. It routes traffic received from the GMSC or from other MSCs; it can also host an HLR and a VLR.

 

V-MSC


The Visited Mobile Switching Centre (V-MSC) is the MSC currently serving the recipient of the text message; it holds the Visitor Location Register for the subscribers in its area.

 

VLR


The Visitor Location Register (VLR) is a database that stores data passed to it by the HLR or the mobile switches, as well as information about the subscribers currently attached to its MSC. The information held in a VLR is detailed below:
  • IMSI (the subscriber's identity number)
  • Authentication data
  • MSISDN (the subscriber's phone number)
  • GSM services that the subscriber is allowed to access
  • The access point (GPRS) subscribed to
  • The HLR address of the subscriber
  • SCP address (for prepaid subscribers)

 

BSS


The Base Station Subsystem (BSS) is responsible for handling traffic and signalling between a mobile phone and the network switching subsystem (MSC, GMSC etc.).

 

Queries


There are numerous queries exchanged between these network elements that carry various pieces of important data. Sometimes these messages need to be sent in a certain order. For example, to update the location of a certain phone number, you first need to know the IMSI linked to that MSISDN.
These are the two queries you will be using inside this lab; both are operations of the Mobile Application Part (MAP), the SS7 application layer used between GSM core network elements.

 

SendIMSI


SendIMSI is a MAP request sent to the HLR to obtain the International Mobile Subscriber Identity (IMSI), which uniquely identifies a mobile subscriber on the GSM network.
To use this query, one parameter needs to be known:
  • MSISDN – Mobile Station International Subscriber Directory Number (the phone number)
The request is sent from the attacker's point of SS7 access (the attacker's local MSC in this lab), which routes it by the MSISDN's prefix to the HLR of the victim's home network. The HLR answers with the IMSI associated with the MSISDN, and in the process the attacker also learns the address of that HLR.
About 23% of attacks that use the SendIMSI query have been reported to succeed.

 

UpdateLocation


This is the final query an attacker needs before the network treats the attacker's equipment as the victim's phone.
The UpdateLocation request requires a few parameters to overwrite the 'Current subscriber VLR (current location)' field in the HLR so that it points to the attacker's VLR rather than to the victim's real location.
These parameters are as follows:
  • Attacker's MSC number (Global Title)
  • Attacker's VLR number (Global Title)
  • Victim's IMSI
Once this has been done, the HLR believes the victim is roaming on the attacker's network: when the SMS centre asks the HLR where to deliver a text message for the victim's number, it is told the attacker's MSC, and the message goes to the attacker-controlled system instead of the victim.

 

SS7 security


SS7 is an old protocol designed for a closed network of trusted operators, so, like early protocols such as HTTP, security was not built into it. Each query discussed in this lab can be sent from any node with SS7 access: there is no authentication of the sending party and no access control on who may read or update a subscriber's record. This is why an attacker with network access can intercept messages or calls. It has been demonstrated against a US Congressman's phone calls, used to intercept two-factor authentication text messages, and used to intercept criminals' phone calls.
The only real security involved is the difficulty of getting access to the SS7 network. This is normally achieved by knowing someone who can give you access, exploiting your way in, or finding an open SS7 relay.
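The following model ties the two query sections above to the security point made here: it replays the SendIMSI, UpdateLocation and SMS-delivery exchange against a toy HLR, first with no checks (the lab's situation) and then with the kind of interconnect filtering an SS7 firewall applies. This is an added example and not code from the lab, the original post or any real SS7 stack; nothing here speaks actual SS7. The HLR record, IMSI, Global Titles, roaming-partner list and one-time code are all constructed, and the `deliver_sms` function is a stand-in for the SMS centre. The MAP operation codes are the real values from 3GPP TS 29.002.

```python
"""Model of the SendIMSI -> UpdateLocation -> SMS-interception chain and the
interconnect checks that break it.

Added example, not from the lab or the original post.  All identifiers
(GTs, IMSI, MSISDN, partner prefixes, the OTP text) are constructed.
"""
from dataclasses import dataclass, field

# MAP operation codes (3GPP TS 29.002); only the three used here.
MAP_UPDATE_LOCATION = 2
MAP_SEND_ROUTING_INFO_SM = 45
MAP_SEND_IMSI = 58


@dataclass
class Subscriber:
    msisdn: str
    imsi: str
    vlr_gt: str   # the HLR's "current subscriber VLR" field
    msc_gt: str   # MSC that terminating SMS for this subscriber are forwarded to


@dataclass
class HLR:
    home_cc: str               # country code prefix of the home network's GTs
    roaming_partners: set      # GT prefixes of networks with a roaming agreement
    filtering: bool = False    # interconnect (SS7-firewall style) checks on/off
    subscribers: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def add(self, sub):
        self.subscribers[sub.msisdn] = sub

    def _by_imsi(self, imsi):
        return next(s for s in self.subscribers.values() if s.imsi == imsi)

    def handle(self, opcode, from_gt, **args):
        """One MAP operation arriving at the HLR from the node addressed by from_gt."""
        if opcode == MAP_SEND_IMSI:
            # SendIMSI is an intra-network operation; a roaming partner never needs
            # it, so a filtering network drops any copy arriving from a foreign GT.
            if self.filtering and not from_gt.startswith(self.home_cc):
                self.log.append(("blocked", "SendIMSI", from_gt))
                return {"error": "unauthorised"}
            return {"imsi": self.subscribers[args["msisdn"]].imsi}

        if opcode == MAP_UPDATE_LOCATION:
            sub = self._by_imsi(args["imsi"])
            # Only VLRs of networks we have a roaming agreement with may claim to
            # be serving our subscriber (a GT allow-list; the first layer only).
            if self.filtering and not any(from_gt.startswith(p) for p in self.roaming_partners):
                self.log.append(("blocked", "UpdateLocation", from_gt))
                return {"error": "unauthorised"}
            sub.vlr_gt, sub.msc_gt = args["vlr_gt"], args["msc_gt"]
            return {"ok": True}

        if opcode == MAP_SEND_ROUTING_INFO_SM:
            # The SMS centre asks where to forward a terminating SMS; the answer is
            # whatever the last accepted UpdateLocation wrote into the record.
            sub = self.subscribers[args["msisdn"]]
            return {"imsi": sub.imsi, "msc_gt": sub.msc_gt}
        raise ValueError(f"unsupported opcode {opcode}")


def deliver_sms(hlr, msisdn, text):
    """SMS-centre side: route one MT SMS; returns (MSC GT it was forwarded to, text)."""
    smsc_gt = hlr.home_cc + "5550000001"   # constructed GT of the home SMS centre
    info = hlr.handle(MAP_SEND_ROUTING_INFO_SM, from_gt=smsc_gt, msisdn=msisdn)
    return info["msc_gt"], text


def run_attack(filtering):
    """Replay the lab's chain against a constructed HLR; returns (intercepted?, log)."""
    hlr = HLR(home_cc="44", roaming_partners={"33", "49"}, filtering=filtering)
    hlr.add(Subscriber(msisdn="447700900123", imsi="234150000000001",
                       vlr_gt="447700100001", msc_gt="447700100002"))
    attacker_gt = "37000000001"            # constructed GT outside the home network
    r = hlr.handle(MAP_SEND_IMSI, from_gt=attacker_gt, msisdn="447700900123")
    if "imsi" in r:                        # step 5 of the lab: IMSI obtained
        hlr.handle(MAP_UPDATE_LOCATION, from_gt=attacker_gt, imsi=r["imsi"],
                   vlr_gt=attacker_gt, msc_gt=attacker_gt)
    landed_at, _ = deliver_sms(hlr, "447700900123", "Your code is 482913")  # constructed OTP
    return landed_at == attacker_gt, hlr.log
```

With `filtering=False` the one-time code lands at the attacker's GT, which is the lab's result. With filtering on, the foreign SendIMSI is dropped, and even an attacker who already has the IMSI (for example from an IMSI catcher) is stopped at UpdateLocation unless the claimed VLR belongs to a roaming partner. A GT allow-list alone is weak, since an attacker who rents access in a partner country passes it; real deployments add plausibility checks such as whether the subscriber could physically have moved to the new location since the last registration.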

 

Exploitation


Now the fun begins. Here are the steps we will follow to exploit SS7.
Tasks:
  1. Log on to the banking application using the credentials dump from the bank site.
  2. Send money to the attacker's account number.
  3. Using the phone number found in the banking application, intercept the SS7 2FA text message:
  4. Run the SS7 Python tool to find the IMSI for the victim's phone number.
  5. Use the IMSI function to retrieve the user's IMSI.
  6. Use the SMS function to listen for SMS messages.
  7. Authenticate to successfully send the money to the attacker's account.
Step 1: Log in to the banking application using the provided credentials dump.




Step 2: Now that we have access to the victim's account, our first objective is to find the victim's phone number and our second is to send money from the victim's account to the attacker's account, which is 92748391.


Yeah! Now we have the victim's phone number; let's go to the more fun part.
Step 3: We will use the phone number we found to intercept the SS7 2FA text message.


Step 4: We will use the SS7 Python tool to find the victim's IMSI. Let's look at the tool's help first.

python ss7tool.py -h
 

Step 5: We will use the --getimsi function to retrieve the user's IMSI; --num takes the victim's phone number and --ss7 the address of the SS7 lab machine.

python ss7tool.py --getimsi --num 03031237300 --ss7 10.102.10.145
 
 
Great! We have retrieved the target IMSI 602027891234567.
Step 6: Now that we have the user's IMSI, let's use the --sms function to retrieve the 2FA text message from the SS7 machine.

python ss7tool.py --imsi 602027891234567 --sms --ss7 10.102.7.40
 
 
Okay! Our SMS intercept command is ready; let's go back to the banking system to trigger the verification SMS. Click the 'send text' button, then run the above command to intercept the 2FA security token.



Enter the command to intercept SMS for the IMSI.



Hurray!!! We have the security token.
Step 7: Now, using the security token, let's authenticate to successfully send the money to the attacker's account. Click the send button.




Congratulations! We have retrieved the lab completion token by successfully intercepting the SS7 SMS.

Ref: Immersive Labs SS7 interception practical lab.

Blog posts


There are several well-written reports and presentations on the issues around SS7. You can read more at the following links:

ptsecurity - PDF
Giulio Maggiore - PDF
Tobias Engel - Video
