x33fcon 2019 SS7 for INFOSEC Paul Coggin @Paul Coggin
What is SS7
SS7/C7 is to the PSTN what the BGP routing protocol is to the Internet
• Created by AT&T in 1975
• Adopted as a standard in 1980
• SS7 – North America
• C7 – Utilized outside of North America
• The SS7 protocol is utilized whenever a call leaves the local exchange carrier switch.
• Sets up the call and reserves the required resources end to end.
• Cell phones use SS7/C7 to verify subscribers (roaming, international, register and authenticate, not stolen)
• E911
• Caller-id
• SMS
• Call block
• Many other services
Reference: Signaling System No.7 (SS7/C7) Protocol, Architecture, and Services, Lee Dryburgh, Jeff Hewett, Cisco Press
SS7 Node Types
SS7 is comprised of signal point (SP) nodes with point code (PC) identifiers.
Signal Transfer Point (STP) – Routes SS7 messages between the SS7 nodes. The STP has access control list filtering capabilities.
Service Switching Point (SSP) – Carrier telephone switch that processes various end point PSTN services such as voice, fax and modem.
Service Control Point (SCP) – Integrates the SS7 network with the databases that contain information regarding services such as 800 numbers, mobile subscribers, calling cards and other services.
Reference: Signaling System No.7 (SS7/C7) Protocol, Architecture, and Services, Lee Dryburgh, Jeff Hewett, Cisco Press
SS7 Network Architecture
(Diagram: STP, SSP and SCP nodes interconnected by A-links, B-links, C-links, E-links (AA-links) and F-links.)
Reference: Voice Over IP Fundamentals, Cisco Press
Cellular Network Architecture
(Diagram: Base Station Subsystem (BSS) with Base Transceiver Station (BTS) and Base Station Controller (BSC); Network and Switching Subsystem (NSS) with Mobile Switching Center (MSC), Visitor Location Register (VLR), Home Location Register (HLR), Authentication Center (AuC) and Equipment Identity Register (EIR); Operations Support Subsystem (OSS); connections to the PSTN / SS7 and to other MSCs and their VLRs.)
Reference: Signaling System No.7 (SS7/C7) Protocol, Architecture, and Services, Lee Dryburgh, Jeff Hewett, Cisco Press
SS7 Packet Capture Reference: https://www.corelatus.com/gth/api/save_to_pcap/index.html
SIGTRAN Packet Capture Reference: http://labs.p1sec.com/2013/04/04/ss7-traffic-analysis-with-wireshark/
Telecommunications Network Architecture
(Diagram of a carrier-class telco network: Triple Play and Smart Grid Service; 10 Gig, highly redundant MPLS/IP core with P routers and thousands of devices; L3VPN PE routers, metro access / aggregation, PE-AGG, U-PE, DWDM, SONET/SDH ring, GE ring, cellular mobile IP backhaul, DSL or fiber hub & spoke access; BRAS/ISG and SCE in the policy & control plane.)
Control / applications / situational awareness servers: DHCP, AAA, ICS / SCADA, VoIP GW, SIP proxy, voice soft switch, lawful intercept (CALEA, Patriot Act, TCP/IP wire tap), video headend IPTV/VOD servers, assurance, policy, billing, provisioning and web servers, NMS, network management and application services.
Insertion points: vendor/manufacturer remote support; internal tech staff VPN; customer online bill payment; misconfigured backdoor.
Customer edge: enterprise, branch office, SOHO, residential, telecommuter, cell tower, smart grid, water / sewer treatment plant, energy distribution; data, voice and video services over the CE.
Caption fragment: Demand for Bandwidth driving Network Growth; Telcos, …
Strategy to Gain Access to SS7 Network – Transport Network Infrastructure Attack Tree
Network and System Architecture
- Centralized, Distributed, Redundant
- Physical and Logical Network Infrastructure
- Transport Network (RF, Fiber, Copper, Satellite)
- Routing, Switching, Redundancy
- Apps, Client/Server
- HW, SW, Apps, RDBMS
- Open Source
- Commercial
- Soft Switch
- Middleware
Attack Vectors
- In-band
- Out-of-band
Trust Relationships – Internet, BSS, OSS, NMS, Network Management and Network Devices
- Billing, Middleware, Provisioning
- Vendor remote access
- Tech staff remote access
- Self Provisioning
- Physical access
- Trusted Insider
- Cross connect
- CE in-band management
- Physical access to CE configuration settings
(Attack tree diagram: branches for network protocols (MITM / ARP poisoning and sniffing, spoofing to routers and switches, SNMP community string dictionary attack, Telnet/SSH dictionary attack) and for network management application servers (HP OpenView, UNIX NetMgt server running NIS, Oracle TNS listener and default SIDs); each path proceeds through capture of configuration files, passwords and SNMP strings, privilege escalation and reconfiguration of routers, switches or the access server, and ends at "Own Network Infrastructure".)
Voice Soft Switch Network
The service provider transport and soft switch vendors commonly provide an EMS for their solution. The EMS server is commonly multi-homed, with one interface connected directly to the Internet and a second connected to the management network. The transport and voice technical staff may have the system installed without the protection of a firewall or VPN. A number of soft switch EMS systems have been hacked using SSH brute force attacks. In some cases the EMS is installed behind a firewall with ACLs trusting any inbound IP connection destined to the SSH service.
(Diagram: Internet; Management Network; EMS and Backup EMS; Voice Transport Network; Soft Switch / SS7 SSP and Backup Soft Switch / SS7 SSP.)
Network Management Architecture for a Service Provider – Used to Pivot to SS7 Infrastructure
(Diagram: NOC with NMS, EMS, MOM and OSS servers, OSS provisioning, NetMgt SQL database, AAA and reports; TL1 gateway (TL1 to/from SNMP) and SNMP agents; remote VPN user / vendor access from the Internet; MPLS core with P and PE routers, DWDM transport, customer CEs (Cust-1), cellular networks, SCP / service database, STPs and SSPs / soft switches; flows for alarms, traps, IP configuration, provisioning, control, reports, backup and software download.)
Slide notes:
- Target TL1
- Leverage intel from an exploited CE
- Exploit the trust relationship to the NOC
- Pivot from the NOC to P, PE, CE and VPNs
- Pivot to internal, IPTV, VoIP, Internet/BGP, vendors, transport
- Physical access; in-band management; password recovery
- Trust relationships: SNMP, ACLs, accounts, protocols, AAA, NetMgt IPs
Obtain International Mobile Subscriber Identity (IMSI) of a subscriber
• Attacker has the mobile # for the target and STP point code information.
• Attacker crafts SS7 messages acting as a Short Message Service Center (SMSC).
• Message is sent to the subscriber's home network, where the HLR looks up the subscriber phone # to identify the current MSC/VLR for the subscriber.
• HLR sends the response to the requestor, in this case the attacker.
• Attacker now has the subscriber phone number, IMSI (unique #), current MSC/VLR and HLR address for the subscriber.
(Diagram: attacker with SS7 network access impersonating a Short Message Service Center sends an SMS message through the STP.)
References: Signaling System No.7 (SS7/C7) Protocol, Architecture, and Services, Lee Dryburgh, Jeff Hewett, Cisco Press
https://www.cellusys.com/2016/03/19/subscriber-identity-disclosure-how-an-attacker-can-obtain-imsi-of-a-subscriber/
Identify Subscriber Location – Any Time Interrogation
• Attacker now has the subscriber phone number, IMSI (unique #), current MSC/VLR and HLR address for the subscriber from the previous attack.
• Attacker crafts SS7 messages querying the HLR for the subscriber location.
• Message is sent to the subscriber's home network, where the HLR sends a message to the VLR for the current location.
• VLR sends a message to the BSS to identify the location of the mobile subscriber.
• BSS pages the subscriber phone.
• HLR sends the response to the requestor, in this case the attacker.
• Any Time Interrogation is not enabled on many networks today, to protect HLR performance and security.
(Diagram: attacker with SS7 network access crafts and sends a message through the STP to the HLR to identify location.)
References: Signaling System No.7 (SS7/C7) Protocol, Architecture, and Services, Lee Dryburgh, Jeff Hewett, Cisco Press
https://www.itu.int/en/ITU-T/Workshops-and-Seminars/201606/Documents/Abstracts_and_Presentations/S2P1_Luca_Melette.pdf
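As an added defensive example, not from the slides: a minimal STP / signaling-firewall policy check for the two HLR queries described on the IMSI and Any Time Interrogation slides, with the point codes, global titles, rule set and sample traffic all hypothetical. The operation names are the real MAP operations involved (the SMSC lookup on the IMSI slide is sendRoutingInfoForSM, which the slide does not name), and handing external SMSC lookups to an SMS home router is the usual mitigation for that lookup.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical): point codes of the home network's
# own signaling nodes and the global titles of interconnect SMSCs allowed
# to perform SMS routing lookups against this HLR.
HOME_POINT_CODES = {"2-100-1", "2-100-2"}
TRUSTED_SMSC_GTS = {"447700900123"}
# MAP operations that disclose identity or location and should only ever
# originate inside the home network (the slide notes that Any Time
# Interrogation is disabled on many networks for exactly this reason).
HOME_ONLY_OPS = {"anyTimeInterrogation", "sendIMSI", "provideSubscriberInfo"}
# The SMSC lookup behind the IMSI disclosure slide.
SMS_ROUTING_OP = "sendRoutingInfoForSM"

@dataclass
class MapMessage:
    op: str          # MAP operation name
    origin_pc: str   # originating point code as seen by the STP
    origin_gt: str   # originating SCCP global title (calling party)
    msisdn: str      # subscriber number being queried

def decide(msg: MapMessage) -> tuple:
    """Return (action, reason) for a MAP message arriving at the home HLR."""
    internal = msg.origin_pc in HOME_POINT_CODES
    if msg.op in HOME_ONLY_OPS:
        if internal:
            return ("allow", "internal origin")
        return ("block", f"{msg.op} from interconnect")
    if msg.op == SMS_ROUTING_OP and not internal:
        if msg.origin_gt not in TRUSTED_SMSC_GTS:
            return ("block", "unknown SMSC global title")
        # Known partner SMSC: hand the query to an SMS home router, which
        # answers with a correlation ID instead of the real IMSI and serving
        # MSC/VLR, so the lookup alone no longer discloses them.
        return ("home-route", "mask IMSI for external SMSC")
    return ("allow", "no policy match")

# Constructed sample traffic: the two slide scenarios plus benign cases.
SAMPLE_MESSAGES = [
    MapMessage("sendRoutingInfoForSM", "3-200-7", "12025550100", "14155550123"),
    MapMessage("sendRoutingInfoForSM", "3-200-7", "447700900123", "14155550123"),
    MapMessage("anyTimeInterrogation", "3-200-7", "12025550100", "14155550123"),
    MapMessage("anyTimeInterrogation", "2-100-2", "14155550001", "14155550123"),
    MapMessage("updateLocation", "3-200-7", "12025550100", "14155550123"),
]

def audit(messages) -> list:
    """Run the policy over a batch; returns [(op, origin_gt, action), ...]."""
    return [(m.op, m.origin_gt, decide(m)[0]) for m in messages]
```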
Recommend
More recommend