SiGploit a signalling security testing framework dedicated to Telecom Security professionals and researchers to pentest and exploit vulnerabilities in the signalling protocols used in mobile operators regardless of the generation being in use.
SiGploit aims to cover all used protocols used in the operator’s interconnects SS7, GTP (3G), Diameter (4G) or even SIP for IMS and VoLTE infrastructures used in the access layer.
Recommendations for each vulnerability will be provided to guide the tester and the operator the steps that should be done to enhance their security posture
SiGploit is developed on several versions.
Version 1: SS7
SiGploit will initially start with SS7 vulnerabilities providing the messages used to test the below-attacking scenarios A- Location Tracking B- Call and SMS Interception C- Fraud. Version 2: GTP
This version will focus on data roaming attacks that occur in IPX/GRX interconnect.
Version 3: Diameter
This Version will focus on the attacks occurring on the LTE roaming interconnects using Diameter as the signalling protocol.
Version 4: SIP
This Version will be concerned with SIP wd the signalling protocol used in the access layer for voice over LTE(VoLTE) and IMS infrastructure.
Also, SIP will be used to encapsulate SS7 messages (ISUP) to be relayed over VoIP providers to SS7 networks taking advantage of SIP-T protocol, a protocol extension for SIP to provide inter compatibility between VoIP and SS7 networks.
Version 5: Reporting
This last Version will introduce the reporting feature. A comprehensive report with the tests done along with the recommendations provided for each vulnerability that has been exploited.
Now that you have to install Sigploit, You might be wondering: How do I use Sigploit?? Here’s the deal:
How to use Sigploit – The SS7 module
But before we discuss the SS7 module, there are some terminologies you must know; but if you know them, you can skip them.
Global Title (GT): Each node in the core of the operator (msc,vlr,..etc) have their own address (i.e public IP) in a format of an international number, example: +441234567890. This is the address used for routing traffic to and from and the nodes between the operators
Point Code (PC): Communication in the SS7 network is done on a hop by hop basis in order to reach the final destination (GT). PC is 4-5 digits that determine the next peer hop that packets should go through (STP) in order to reach the destination. When you get SS7 access your SS7 provider is your peer, and the peer PC should be set to theirs.
International Mobile Subscriber Identity (IMSI): Is the most important target parameter. It is the subscriber ID that used in all operations within the home operator or for roaming operations between operators. This is the first subscriber info that should be gathered as all critical and important attacks (i.e interception, fraud) is done with IMSI.
Mobile Station International Subscriber Directory Number (MSISDN): The phone number
International Mobile Equipment Identity (IMEI): is a unique number for each mobile hardware. The IMEI number is used by a GSM network to identify valid devices and therefore can be used for stopping a stolen phone from accessing that network. For example, if a mobile phone is stolen, the owner can call their network provider and instruct them to blacklist the phone using its IMEI number.
The importance of this info is that some extension of IMEI (IMEISV) provides the software version as well of the handset, allowing to initiate a more targeted client-side attack.. let’s move to what you have been looking for:
The SS7 Attacking
In order to attack the SS7 on a real-life target, you have to get access to the SS7 network. It is often provided by the VoIP providers, SMS providers, HLR lookup web application providers, you just need to dig deeper to find a suitable provider.
The project provides two modes for these attacks;
Now let me explain this mode one by one:
If you after your deep digging, you couldn’t get any data’s from the providers i.e No Access and you need to have the sense of attacks and critically of such a threat, you can go to the simulation mode.
The project provides the server-side code of each and every attack that simulates the corresponding nodes responsible for the requests. The server side jar files are found under “SigPloit/Testing/Server/Attacks/”.
Each server-side code provides the hardcoded values that you need to use on the client-side to simulate the attack.
In this case, you succeeded in getting access you then jump into Live mode and use the parameters that she provided by your provider. The providers will provide you with the following parameters;
The global title you will use
The point code you will use(Client PC)
The peer point code of the provider(Peer PC)
The IP address of the providers peer SCTP associations and the used port(Peer IP, Peer Port)
All you need to do now is to have a static public IP assigned to the server/machine having the code and the provider will allow it access from its side and route it so you can reach all the operators this provider is connected to.
Here is a bonus tip:
Before you let I would love you to check into this.. it’s important you get familiarize with them to know better how SS7 works.
Here they are:
Mobile Network Architecture
As the above figure, there are several important nodes that need to be familiarized with and what are their functions.
Home Location Register (HLR): Each operator has one or more HLR depending on its capacity. HLR operator’s database each subscriber’s profile/info is stored in only one HLR. The HLR hold the below critical info:
Authentication Keys of Subscribers
Subscriber Latest Location
Service Allowed (Call forwarding, Call barring..etc).. etc
Visitor Location Register (VLR): Each VLR is responsible for a specific region. Every subscriber roaming in a specific region is attached/connected to the VLR responsible for this region. The VLR acts as a temp database for the period of the roaming subscriber. It has the same info as the home network HLR.
Mobile Switching Centre (MSC): Each group of cells/BTS/towers are connected to an MSC. The MSC is responsible for route and switch calls, SMS and data from and to the subscribers attached to it.
Short Message Switching Centre (SMSC): Responsible for sending and delivering short messages (SMS) to subscribers.
Signal Transfer Point (STP): It acts as the gateway (i.e router) of the operators, which is responsible for all the routing, path determination and relaying of the SS7 messages.
Now I think you have learned something today.. if you are having a problem installing Sigploit, don’t be shy, drop your queries below in the comments.. and also don’t hesitate to share this post, also subscribe to my blog for the more awesome post.