Into the wild: Gaining access to SS7 – Part 1: Finding an access point

„Writing a ‘How to’ [sic] for the first time is a lot like having sex for the first time. You’re excited but you don’t really know what the hell you’re doing. And some way, one way or another, it’s over too fast.“ – Yuri Orlov

Hello 0x00sec,

Today I'm going to try to write my very first „How To“, so… never done that, never been there, show mercy!

I decided to do that because I couldn’t find anything comparable on the internet so far and I thought maybe someone out there might be interested as well and might find some help in it to reduce his/her efforts by many hours.

This will likely become a series of two or three „How To“-articles, which I hope to write in the coming weeks and which will cover basically my own discoveries and insights.

Preamble:

There are only two ways to practice working in and with SS7:

  1. You work for a telco company (thanks, I already have a job)
  2. You go out and try out yourself in the wild (not recommended of course)

So, since most of us are left with only Option 2, one has to read a lot and go down a path littered with trial and error, which is what we're going to do now. (Isn't hacking always like that?)

Since hacking/pentesting without consent is illegal, this whole article and the upcoming ones are written from a purely educational perspective and for that use only. Whatever you do with the knowledge is your own problem and I'm neither responsible nor legally liable for anything you might do and/or destroy.

That said, let's start right away:

0. Tools & Services used today

1. Browser of choice
2. nmap
3. Burp Community Edition
4. Website - http://ipv4info.com

Part 1 might seem a bit trivial, however, we need to get that done first to do the more interesting stuff later on.

1. What is SS7

I will keep that paragraph rather short as in terms of definitions there are a lot of resources online.

So, what is SS7?
SS7 is a rather complex topic with comparatively few resources available that offer in-depth insights or knowledge. On top of that, there is practically no information about it from a security/pentesting perspective – which makes you wonder if that is on purpose.

Anyway, what is it now?

Maybe it helps you to imagine it the following way (anyone who loved Super Mario back then will inevitably think of it now :grinning: ):

  • Unlike the regular internet, SS7 is a closed shop with limited access. It is like a network of interconnected tubes underground. Above ground there are entry points, those vertical tubes you jump into.
  • Each entry point has a distinct identifier, called an ISPC (International Signaling Point Code).
  • These entry points are managed by telco companies, and we are now going to search for them in order to jump in and dive deep.

The following image gives an idea about the basic structure of SS7, its different protocols and the connection between IP protocols (light blue) and the PSTN protocols (Public Switched Telephone Network – dark blue).

image
I didn’t get any money from Cisco for advertising them here.

    Side note:
    When I first started researching SS7 I found some scanners, like *sctpscan* and the like, which are designed to discover open SCTP ports (which would be like finding the root password on an open FTP server). However, I never came across any open port, and I scanned a lot of hosts. This is why we're now going the hard way.

2. Setting a goal

Making use of SS7 outside a telco usually comes with a catch. If you wanted to set up a telco company you'd probably not be reading this. That said, in most cases your reasons might be a bit shady, such as intercepting calls or SMS, or location tracking.

Which protocol (and later on which software) you use is very dependent on what you want to achieve, which makes answering this question the first step:

    Define the goal: What do you want to do/achieve?

In our case, let’s take the following fictional story:

We got betrayed by a person who we thought was a good friend and who owes us a lot of money. Since he disappeared there is no way for us to get hold of him. Maybe we just want to scare him a bit by letting him know that wherever he is, we know where he is. Make him feel a bit paranoid, maybe.

    Story : ✔︎

„So, how could SS7 help us with that?“, you might wonder. After doing some research we find out that mobile phone tracking is possible through SS7, using MAP – the Mobile Application Part, one of the essential protocols of SS7 (as seen in the image above). It's basically the protocol that enables mobile telephony.

Reading further, we learn that with Wireshark and MAP one can read a lot of information at the moment we fire off the command: which country the subscriber is in, which area, and which cell tower he is connected to. And all that from just a phone number. In most countries, especially in metropolitan areas where there are a lot of cell towers, this gives a very good indication of the phone's location. Every cell tower has a unique ID, called a CellID.

Wireshark is even able to provide a link to OpenStreetMap marking the CellID's location.

image
Credits for this screenshot to Tobias Engel, Chaos Computer Club, Germany.

To learn a bit more about Wireshark’s SS7 capabilities, see this pdf from a Wireshark employee here.

Check out this website https://www.opencellid.org to get an idea of how many cell towers are around you!

    Goal set: ✔︎

    (Somehow) getting access to SS7 to (somehow) use MAP.

Right now we don’t really have a clue what all that is about. All we know is that we somehow need to figure out how to get that done. Fair enough.

After researching a bit further, we come to the conclusion that SS7 is a globally interconnected network. Makes sense. Wherever on earth you are, you can most likely call someone in any place in the world (except maybe the poles).

And that’s the beauty of SS7! 
Why?
Because we can choose the access point ourselves.

Now let’s imagine SS7 is a treasure that is totally locked down and chained and we obviously do not have the key for the lock.

"Every chain is only as strong as its weakest link".

So, obviously we’re going to look for a weak link. Speaking the language of communication networks, what would a weak link be?

A poorly configured server/router that allows us to get access to SS7.

So, going by salami tactics, we choose „Finding a weak link“ to be our first step towards reaching our goal.

How do we find such a weak link?

The following chain of questions and answers will lead us to potential assessment targets:

Q: What is a badly configured server/router?
A: One that offers a lot of attack surface.

Q: Why would anyone configure it that way?
A: By error or because of lacking knowledge - or both.

Q: From a global perspective, where would the probability be the highest to find such a thing?
A: In places where there is poor education and little money (to pay for better-educated staff).

Q: Where do we find them?
A: In poor countries.

Q: What's the bonus?
A: No one cares about a small telco company from a poor country, so if we'd really be that sick and try to hack… eh, pentest it - chances are slim that anything would happen even if we messed it up. (From a purely professional perspective! That's not necessarily my „emotional“ point of view!)

By answering these questions, we now have a more specific goal:

Finding a poorly configured server in a poor country with access to SS7.

First, we check out a list of the poorest countries in the world. Second, we choose a few and check if they have access to SS7. (Btw: you’d be surprised how many international telco companies are active e.g. in Africa, such as Vodafone or huge Indian ones)

The following .pdf might help us figure out whether there are entry points in the respective country and which company is managing each of them:

Although the document is 7 years old, most of the telco companies listed there still exist.

After we’ve checked if these companies still exist we choose our assessment targets.

Now we need to find the servers run by the respective company. One website that has proven valuable for this task is:

ipv4info.com

IPv4Info – All data for ipv4 network blocks and autonomous systems

All-in-one tool to view ipv4 netblock registration data, ipv4 allocation table, all domains on same ip address or in same netblock, ASN information.

In the upper right corner you can simply search for IPs or, in our case, keywords (e.g. company names), and the site prints a table with all entries matching your keywords.

This page not only allows for various kinds of lookups but gives a lot of additional information about the blocks in a very structured way. The page looks a bit old-fashioned but provides a lot of valuable information, as you can see in this example:

image

Although the „description“ is not mandatory, you often find information that might help you.

3. Let’s go!

Now, since we did a bit of research let’s go and begin the real (hard) work.

From here, we start like we always do and go for nmap to see how „open“ the network is.

Depending on the size of the telcos there will be many, many hosts to scan. And that is where a quote comes to my mind that roughly goes like:

„In SS7 it is less about security. It is more about finding the access.“
- unknown

This is where the above-mentioned additional information from http://ipv4info.com/ comes in handy and might shorten that scanning period, as you might find some blocks whose descriptions give hints about the telco infrastructure, etc.

Results:
After doing some trivial scanning we found two blocks (512 hosts) that are quite interesting as they offer a very solid (or not so solid?) attack surface:

  • 512 hosts overall
  • 60 hosts with at least one open port
  • 274 open ports overall

And that’s TCP only!
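The three figures above are exactly what a telco's own network team should be producing over its public ranges, before anyone else does. As an added example (my own code, not from the original post), here is a small parser for nmap's grepable output (`-oG`) that yields the same summary and, from a defender's stance, flags plaintext management services and open ports that nmap could not name. The scan output embedded below is constructed for illustration, using the 192.0.2.0/24 documentation range; the list of "risky" services is an assumption for this example.

```python
"""Turn an nmap grepable (-oG) scan into an exposure summary.

Added example, not from the original post. The scan output below is constructed
for illustration; 192.0.2.0/24 is a documentation range, not a real target.
"""
import re

# One port entry in -oG output has the fields port/state/proto/owner/service/rpcinfo/version/
ENTRY_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

# Plaintext or management services that should not be reachable from the internet
# on telco infrastructure (constructed list for this example).
RISKY_SERVICES = {"telnet", "http", "ftp", "snmp", "tftp"}

# Constructed sample scan output (not a real scan).
SAMPLE_OG = (
    "# Nmap 7.80 scan initiated as: nmap -Pn -oG - 192.0.2.0/24\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (998)\n"
    "Host: 192.0.2.11 ()\tStatus: Up\n"
    "Host: 192.0.2.11 ()\tPorts: 443/open/tcp//https///, 22/filtered/tcp//ssh///\tIgnored State: closed (998)\n"
    "Host: 192.0.2.12 ()\tStatus: Up\n"
    "Host: 192.0.2.12 ()\tPorts: 80/open/tcp//http///, 2001/open/tcp/////, "
    "4001/open/tcp/////, 6001/open/tcp/////, 9001/open/tcp/////\tIgnored State: closed (995)\n"
    "Host: 192.0.2.13 ()\tStatus: Up\n"
    "# Nmap done at Mon Jan  1 00:00:00 2018 -- 256 IP addresses (4 hosts up) scanned\n"
)


def parse_grepable(text):
    """Return {host: [(port, state, service), ...]} for every host line that has a Ports: field."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports: field ends at the next tab ("Ignored State: ..." follows it).
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        entries = [(int(m.group(1)), m.group(2), m.group(5)) for m in ENTRY_RE.finditer(ports_field)]
        hosts.setdefault(host, []).extend(entries)
    return hosts


def summarise(hosts, hosts_scanned):
    """Exposure figures in the same shape as the results list in the post."""
    open_only = {h: [e for e in es if e[1] == "open"] for h, es in hosts.items()}
    return {
        "hosts_scanned": hosts_scanned,
        "hosts_with_open_ports": sum(1 for es in open_only.values() if es),
        "open_ports": sum(len(es) for es in open_only.values()),
    }


def findings(hosts):
    """Hosts exposing risky services, and hosts with open ports nmap could not name."""
    risky, unidentified = {}, {}
    for host, entries in hosts.items():
        for port, state, service in entries:
            if state != "open":
                continue
            if service in RISKY_SERVICES:
                risky.setdefault(host, []).append((port, service))
            elif service in ("", "unknown"):
                unidentified.setdefault(host, []).append(port)
    return risky, unidentified


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_OG)
    print(summarise(parsed, hosts_scanned=256))
    risky_hosts, unnamed = findings(parsed)
    for host, ports in risky_hosts.items():
        print(f"{host}: plaintext/management service exposed: {ports}")
    for host, ports in unnamed.items():
        print(f"{host}: open ports with no identified service, verify what they are: {ports}")
```

Run it against a real file with `nmap -Pn -oG scan.gnmap <your own range>` and `parse_grepable(open("scan.gnmap").read())`. The "unidentified" bucket is the interesting one for a reviewer: a device answering on several non-standard ports with no banner is exactly what should be traced back to its owner and documented, rather than left for someone else to telnet into.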

On our first try to catch a glimpse of the hosts we do a very rough nmap scan:

nmap XXX.XXX.XXX.0/24 -Pn

We're not using -T4 or -T5, as we have seen before that shortening the interval can falsify the results (probably due to a firewall):

image

Besides many http ports we find several open telnet ports. Testing those, we reach telnet logins for Huawei and ZTE routers and the like, but when we google them they seem to be more or less small-scale office routers. Nothing of interest for now.

So, having open ports and hosts is good. However, we’re not looking for any server but the one.

When scrolling through the nmap results, we see a lot of open „port 80“ so obviously we want to know what’s on there.

Besides the website of the respective telco company we again find some login pages for different routers and some for web apps. Checking the page source of each doesn't reveal anything promising.

Before burning our fingers on those logins, let’s do some more nmap scanning to find out the versions and OS of the (at a first glance) interesting hosts.

After doing a lot of scanning, we take a look at the results.

What immediately catches our eye is a host running Cisco IOS with 5 open ports, whereas we don't see Cisco IOS on any other host. Most run on VMs with RHEL, or show QEMU user-mode emulation.

Since Cisco is the world leader in the router market, let's take a closer look:

image

Port 80 is open, and four other ports as well – 2001, 4001, 6001, 9001 – with unknown services and versions. So let's check that one out.

When trying with a browser, a simple user/password prompt pops up. No greetings, information, no nothing.

To get a human-readable and fully featured response to our GET request, let's Burp it up.

image

WWW-Authenticate: Basic realm="level_15_access"

Doesn't sound too bad, does it? Without knowing anything specific, let's google “basic realm level 15 access”, and shortly after we find out that „Level 15“ is the highest access level on any Cisco product.

Alright buddy, now we’re talking.
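What the header above gives away is worth checking on your own devices: a management interface that challenges with Basic authentication over plain HTTP sends the credentials base64-encoded rather than encrypted, and a realm name that announces the privilege level tells a reviewer exactly what is behind it. As an added example (my own code, not from the original post), here is a parser for `WWW-Authenticate` challenges following the auth-param grammar of RFC 7235, with a small assessment that flags both conditions. The header values and the realm keyword list are constructed assumptions for this example; only `level_15_access` comes from the post.

```python
"""Parse an HTTP WWW-Authenticate challenge and flag Basic authentication over plain HTTP.

Added example, not from the original post. Sample header values are constructed.
"""
import re

# auth-param = token "=" ( token / quoted-string ), RFC 7235 section 2.1.
# Group 2 captures a quoted-string body (escapes allowed), group 3 a bare token.
PARAM_RE = re.compile(r'''([A-Za-z0-9!#$%&'*+.^_`|~-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))''')

# Realm keywords that suggest a privileged device management interface. "level_15"
# is the highest Cisco IOS privilege level, as noted in the post; the rest of the
# list is an assumption for this example.
PRIVILEGED_REALM_HINTS = ("level_15", "admin", "enable", "root")


def parse_challenge(header_value):
    """Return (scheme, params) for one challenge, e.g. ('basic', {'realm': 'level_15_access'})."""
    scheme, _, rest = header_value.strip().partition(" ")
    params = {}
    for m in PARAM_RE.finditer(rest):
        if m.group(2) is not None:
            # quoted-string: drop the backslash from quoted-pairs such as \"
            value = re.sub(r"\\(.)", r"\1", m.group(2))
        else:
            value = m.group(3)
        params[m.group(1).lower()] = value
    return scheme.lower(), params


def assess_challenge(url, header_value):
    """Review one challenge from a defender's stance and list the issues found."""
    scheme, params = parse_challenge(header_value)
    realm = params.get("realm", "")
    issues = []
    if scheme == "basic" and url.lower().startswith("http://"):
        # Credentials would cross the network base64-encoded, not encrypted.
        issues.append("basic-over-plaintext")
    if any(hint in realm.lower() for hint in PRIVILEGED_REALM_HINTS):
        # The realm itself advertises a privileged management interface.
        issues.append("privileged-realm")
    return {"scheme": scheme, "realm": realm, "issues": issues}


if __name__ == "__main__":
    # Constructed sample, modelled on the challenge quoted in the post.
    print(assess_challenge("http://192.0.2.12/", 'Basic realm="level_15_access"'))
    print(assess_challenge("https://example.test/", 'Digest realm="router", qop="auth", nonce=abc123'))
```

The two flags map directly onto mitigations: serve the management interface over HTTPS only (or not on a public address at all, with an ACL in front of it), and keep realm strings generic so they do not document the device for whoever finds it.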

Next, we need to find out what these four other ports are for, since nmap gives us no information about them.

Using any other scanner doesn't shed light on these ports either. They show up as open but without any indication of what they're used for. Also, the four X001 ports look manually configured, so they are there for a purpose.

Based on the open telnet ports on several other servers, we decide to give it a try and telnet those ports.

And…. What’s that?

That doesn't give much information at first sight, plus it sounds a bit scary. On all four ports we're greeted with the same welcome screen.

Under the red redaction block there was the name of the telco and the city where the device is located. All that was known already. But what is ITP1? No clue. Let's ask Google.

"Cisco" "ITP1"

And of course, Google knows what it is:

image

Congrats, we just found our SS7 access point.

I hope some of you might find it useful. I've already done a bit more than what's written here, but so far I have no real results to present. I'm hoping to make progress in the coming days and weeks so it will be worth writing down Part 2 and maybe 3.

If you have any questions, let me know.

Of course, ideas and (constructive) criticism are very welcome.