
SS7 For INFOSEC Paul Coggin

SS7 is a telecommunications protocol that establishes connections between telephone network elements to enable calling features. It routes calls between local exchanges and verifies subscriber information for services like roaming. SS7 has several node types including signal transfer points, service switching points, and service control points. The SS7 network architecture uses these nodes and links between them to set up calls and exchange signaling information. Packet capture tools can monitor SS7 traffic for analysis and troubleshooting.

Uploaded by

MikiOstojic

DeepSec

2018

SS7 for INFOSEC

Paul Coggin
@PaulCoggin
What is SS7

SS7/C7 is to the PSTN what the BGP routing protocol is to the Internet.

•  Created by AT&T in 1975
•  Adopted as standard in 1980
•  SS7 – North America
•  C7 – Utilized outside of North America
•  The SS7 protocol is utilized whenever a call leaves the local exchange carrier switch.
•  Sets up the call and reserves the required resources end to end.
•  Cell phones use SS7/C7 to verify subscribers (roaming, international, register and authenticate, not stolen)
•  E911
•  Caller-id
•  SMS
•  Call block
•  Many other services

Reference: Signaling System No.7 (SS7/C7) Protocol, Architecture, and Services, Lee Dryburgh, Jeff Hewett, Cisco Press
SS7 Node Types

SS7 is composed of signal point (SP) nodes, each with a point code (PC) identifier.

Signal Transfer Point (STP) – Routes SS7 messages between the SS7 nodes. An STP has access control list filtering capabilities.

Service Switching Point (SSP) – Carrier telephone switch that processes various end point PSTN services such as voice, fax and modem.

Service Control Point (SCP) – Integrates the SS7 network with the databases that contain information regarding services such as 800 numbers, mobile subscribers, calling cards and other services.

Reference: Signaling System No.7 (SS7/C7) Protocol, Architecture, and Services, Lee Dryburgh, Jeff Hewett, Cisco Press
SS7 Network Architecture

[Diagram: SS7 network architecture with STP, SCP and SSP nodes interconnected by A-links, B-links, C-links, E-links (AA-links) and F-links.]

Reference: Voice Over IP Fundamentals, Cisco Press


Cellular Network Architecture
[Diagram: cellular network architecture. Base Station Subsystem (BSS): Base Transceiver Station (BTS) and Base Station Controllers (BSC). Network and Switching Subsystem (NSS): Mobile Switching Center (MSC), Home Location Register (HLR), Visitor Location Register (VLR), Authentication Center (AuC) and Equipment Identity Register (EIR). Also shown: Operations Support Subsystem (OSS), other MSCs and VLRs, and the PSTN / SS7 network.]
Reference: Signaling System No.7 (SS7/C7) Protocol, Architecture, and Services, Lee Dryburgh, Jeff Hewett, Cisco Press
SS7 Packet Capture

Reference: https://www.corelatus.com/gth/api/save_to_pcap/index.html
SIGTRAN Packet Capture

Reference: http://labs.p1sec.com/2013/04/04/ss7-traffic-analysis-with-wireshark/
Telecommunications Network Architecture

[Diagram: service provider network for triple play and smart grid services. Carrier class telco networks: 10 Gig, highly redundant, thousands of devices. Demand for bandwidth driving optical network growth; Telcos, …

Layers shown:
- Control/applications/situational awareness servers: DHCP, AAA, ICS / SCADA, VoIP GW, SIP proxy, lawful intercept (CALEA, Patriot Act; TCP/IP wire tap), policy, provisioning, assurance, billing and web servers, video headend (IPTV/VOD), NMS (network management), voice soft switch
- Policy & control plane: SCE, BRAS/ISG, application services
- MPLS/IP core: P, L3VPN-PE
- Metro access/aggregation edge: DWDM, GE ring, SONET/SDH ring, hub & spoke, U-PE/PE-AGG, cellular mobile IP backhaul, DSL or fiber
- Customer edge (CE) for data, voice and video services: enterprise, branch office, residential, SOHO, telecommuter, cell tower, smart grid, energy distribution, water / sewer treatment plant

Other labels on the diagram: Internet; insertion point; vendor/mfg. remote support; internal tech staff VPN; customer online bill payment; misconfigured backdoor.]
Strategy to Gain Access to SS7 Network

Network and System Architecture
-  Centralized, Distributed, Redundant
-  Physical and Logical Network Infrastructure
-  Transport Network (RF, Fiber, Copper, Satellite)
-  In-band
-  Out-of-band

Network Protocols
-  Routing, Switching, Redundancy

Network Mgt Application
-  Apps, Client/Server

HW, SW, Apps, RDBMS
-  Open Source
-  Commercial
-  Soft Switch
-  Middleware

Trust Relationships – Internet, BSS, OSS, NMS, Net
-  Network Management and Network Devices
-  Billing, Middleware, Provisioning
-  Vendor remote access
-  Tech staff remote access
-  Self Provisioning
-  Physical access
-  Trusted Insider
-  Cross connect
-  CE in-band management
-  Physical access to CE configuration settings

[Diagram: Transport Network Infrastructure Attack Tree. Attack vectors shown: SNMP community string dictionary attack with spoofing to download router\switch configuration; Telnet\SSH dictionary attack; MITM ARP poisoning and sniffing; UNIX NetMgt server running NIS v1; HP OpenView server; enumeration of the Oracle TNS listener to identify default SIDs. The branches continue through captured or cracked passwords, modified router and switch configuration files, and further privilege escalation, and each ends in "Own Network Infrastructure".]
Voice Soft Switch Network

The service provider transport and soft switch vendors commonly provide an EMS for their solution.

The EMS server is commonly multi-homed, with one interface connected directly to the Internet and a second connected to the management network.

The transport and voice technical staff may have the system installed without the protection of a firewall or VPN.

A number of soft switch EMS systems have been hacked using SSH brute force attacks. In some cases the EMS is installed behind a firewall with ACLs trusting any inbound IP connection destined to the SSH service.

[Diagram: EMS and backup EMS connected to the Internet, the management network and the voice transport network, alongside the soft switch / SS7 SSP and the backup soft switch / SS7 SSP.]
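
A defensive check for the ACL weakness described on this slide, as an added example that is not part of the original deck: it scans firewall rules for entries that permit SSH from any source. The Cisco IOS-style extended ACL syntax, the ACL name and the addresses are assumptions, and entries are assumed to be well formed with numeric ports and no source-port matches.

```python
# Constructed sample in Cisco IOS-style extended ACL syntax (assumed platform).
# Addresses are documentation ranges; 192.0.2.10 stands in for the EMS.
SAMPLE_ACL = """\
ip access-list extended EMS-INBOUND
 permit tcp any host 192.0.2.10 eq 22
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq 22
 permit tcp any host 192.0.2.10 range 20 1024
 permit tcp any host 192.0.2.10 eq 443
 permit ip any host 192.0.2.10
 deny ip any any
"""

SSH_PORT = 22


def _take_address(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return tokens[0] + " " + tokens[1], tokens[2:]


def _ports_include_ssh(tokens):
    """True when the destination port match (if any) admits TCP/22."""
    if not tokens or tokens[0] not in ("eq", "range", "gt", "lt", "neq"):
        return True                      # no port match: every port is allowed
    op, args = tokens[0], tokens[1:]
    if op == "eq":
        return str(SSH_PORT) in args     # 'eq' may list several ports
    if op == "range":
        return int(args[0]) <= SSH_PORT <= int(args[1])
    if op == "gt":
        return SSH_PORT > int(args[0])
    if op == "lt":
        return SSH_PORT < int(args[0])
    return int(args[0]) != SSH_PORT      # neq


def any_source_ssh_permits(acl_text):
    """Return the permit entries that let any source address reach TCP/22."""
    findings = []
    for raw in acl_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "permit" or tokens[1] not in ("tcp", "ip"):
            continue
        src, rest = _take_address(tokens[2:])
        if src != "any" or not rest:
            continue
        _dst, rest = _take_address(rest)
        # 'permit ip' covers every protocol and port, SSH included.
        if tokens[1] == "ip" or _ports_include_ssh(rest):
            findings.append(raw.strip())
    return findings


if __name__ == "__main__":
    for entry in any_source_ssh_permits(SAMPLE_ACL):
        print("any-source SSH permitted by:", entry)
```

The check reads each entry on its own and ignores first-match ordering, so an earlier deny may already shadow a reported entry; treat the findings as a review list.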
Network Management Architecture for a Service Provider
Use to Pivot to SS7 Infrastructure

Network Operations - Target
-  Leverage Intel from exploited CE
-  Exploit trust relationship to NOC
-  Pivot NOC to P, PE, CE, VPN's
-  Pivot to Internal, IPTV, VoIP, Internet\BGP, Vendors, Transport

Physical Access - In-band Mgt
-  Password recovery
-  Trust Relationships
-  SNMP, ACL's, Accts
-  Protocols
-  AAA, NetMgt IP's

[Diagram: service provider network management architecture. NOC with OSS provisioning, NetMgt database (SQL), AAA, reports and NMS, EMS, MOM servers, reachable from the Internet by remote VPN users and vendors. A TL1 gateway (TL1 to/from SNMP) and SNMP agents carry alarms, traps, reports and backups upward, and configuration provisioning, control and software download downward. Managed elements: STP, SCP \ service database, SSP \ soft switch, cellular networks, DWDM transport, and an MPLS core (P, PE) with Cust-1 CE.]
Obtain International Mobile Subscriber Identity (IMSI) of a subscriber
•  Attacker has the mobile # for the target and STP point code information.
•  Attacker crafts SS7 messages acting as a Short Message Service Center (SMSC).
•  Message is sent to the subscriber's home network, where the HLR looks up the subscriber phone # to ID the current MSC/VLR for the subscriber.
•  HLR sends the response to the requestor, in this case the attacker.
•  Attacker now has the subscriber phone number, IMSI (unique #), current MSC/VLR and HLR address for the subscriber.

[Diagram labels: STP; SS7 network access; "Attacker impersonating a Short Message Service Center – Sends SMS message".]

References: Signaling System No.7 (SS7/C7) Protocol, Architecture, and Services, Lee Dryburgh, Jeff Hewett, Cisco Press
Reference: https://www.cellusys.com/2016/03/19/subscriber-identity-disclosure-how-an-attacker-can-obtain-imsi-of-a-subscriber/
Identify Subscriber Location
Any Time Interrogation
•  Attacker now has subscriber phone number, IMSI (unique #), current MSC/VLR, HLR address for subscriber from previous attack.
•  Attacker crafts SS7 messages querying HLR for subscriber location.
•  Message sent to subscriber home network where HLR sends message to VLR for current location.
•  VLR sends a message to BSS to identify location of the mobile subscriber.
•  BSS pages the subscriber phone.
•  HLR sends response to requestor, in this case the attacker.
•  Any Time Interrogation is not enabled on many networks today to protect HLR performance and security.

[Diagram labels: STP; SS7 network access; "Attacker crafts and sends message to HLR to ID location."]

Reference: Signaling System No.7 (SS7/C7) Protocol, Architecture, and Services, Lee Dryburgh, Jeff Hewett, Cisco Press
https://www.itu.int/en/ITU-T/Workshops-and-Seminars/201606/Documents/Abstracts_and_Presentations/S2P1_Luca_Melette.pdf
Identify Subscriber Location
Impersonate a Home Location Register (HLR)
•  Attacker now has subscriber phone number, IMSI (unique #), current MSC/VLR, HLR address for subscriber from previous attack.
•  Attacker crafts SS7 Provide Subscriber Information (PSI) messages querying MSC for subscriber location.
•  Message sent to subscriber home network where HLR sends message to VLR for current location.
•  VLR sends a message to BSS to identify location of the mobile subscriber.
•  BSS pages the subscriber phone.
•  MSC sends response to requestor, in this case the attacker, with subscriber details including location.

[Diagram labels: STP; SS7 network access; HLR; "Attacker crafts HLR messages querying for subscriber location".]

Reference: Signaling System No.7 (SS7/C7) Protocol, Architecture, and Services, Lee Dryburgh, Jeff Hewett, Cisco Press
https://www.itu.int/en/ITU-T/Workshops-and-Seminars/201606/Documents/Abstracts_and_Presentations/S2P1_Luca_Melette.pdf
Intercept Calls\SMS
•  Attacker now has subscriber phone number, IMSI (unique #), current MSC/VLR, HLR address for subscriber from the information gathering attack.
•  This attack is similar to the previous location attack.
•  Attacker crafts SS7 Provide Subscriber Information (PSI) messages to HLR with a spoofed update of current location.
•  Any incoming calls or SMS to the spoofed subscriber will now be rerouted to the attacker's location (ANYWHERE IN WORLD).
•  Attacker can proxy calls on to the true subscriber to capture the voice communications or just capture targeted SMS communications.

[Diagram labels: STP; SS7 network access; MSC; "Attacker crafts messages updating subscriber location to set up MITM".]

Reference: Signaling System No.7 (SS7/C7) Protocol, Architecture, and Services, Lee Dryburgh, Jeff Hewett, Cisco Press
https://www.itu.int/en/ITU-T/Workshops-and-Seminars/201606/Documents/Abstracts_and_Presentations/S2P1_Luca_Melette.pdf
Things to Consider
SS7 Exploit Tools
•  SS7 Exploit tool – SigPloit on Github
•  ss7MAPer – Daniel Mende, ERNW
https://insinuator.net/2016/02/ss7maper-a-ss7-pen-testing-toolkit/
•  Scapy
•  Colasoft Packetbuilder
•  Netdude

SS7 Firewalls
•  Cellusys
•  Fortis Communications
•  Configure STP to filter SS7 messages

Other Recommendations
•  Audit the SS7, SIP, mobile wireless infrastructure in the telco voice networks
- Treat these networks similar to legacy ICS\SCADA networks when testing
- Penetration test
- Look for vendor backdoor remote access with static passwords (reused
EVERYWHERE)
•  Utilize Signal or other for personal secure communications
•  Replace SMS 2FA with alternative solutions
•  Secure Visualization and Instrumentation
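
How the recommendation above to filter SS7 messages at the STP or an SS7 firewall could look as screening logic for the four message flows in the preceding slides; this is an added example, not code from the deck or from any vendor product. The rule set, prefixes, threshold and sample messages are constructed assumptions, and real global titles are E.164 numbers rather than the simplified prefixes used here.

```python
from dataclasses import dataclass

# MAP operation codes (3GPP TS 29.002) for the operations named in the slides.
UPDATE_LOCATION, SRI_SM, PSI, ATI = 2, 45, 70, 71

# Constructed, hypothetical deployment data (simplified prefixes).
OWN_PREFIX = "99901"                  # prefix of our node GTs and subscriber IMSIs
HOME_GT_BY_IMSI = {"99802": "99802"}  # inbound roamers: IMSI prefix -> home GT prefix
ROAMING_PARTNER_GTS = ("99802",)      # networks allowed to register our subscribers
MIN_TRAVEL_SECONDS = 3600             # crude plausibility window for leaving home


@dataclass
class MapMessage:
    ts: int           # arrival time, epoch seconds
    opcode: int       # MAP operation code
    calling_gt: str   # SCCP calling party global title
    imsi: str = ""    # IMSI carried in the request, if any


def screen(msg, last_home_activity):
    """Return (action, reason) for a MAP request received on an interconnect link.

    last_home_activity maps IMSI -> epoch seconds the subscriber was last seen
    attached in our own network.
    """
    own_subscriber = msg.imsi.startswith(OWN_PREFIX)
    if msg.calling_gt.startswith(OWN_PREFIX):
        return "block", "own global title presented on an external link"
    if msg.opcode == ATI:
        return "block", "anyTimeInterrogation not expected from another network"
    if msg.opcode == PSI:
        home_gt = None if own_subscriber else HOME_GT_BY_IMSI.get(msg.imsi[:5])
        if home_gt and msg.calling_gt.startswith(home_gt):
            return "allow", "provideSubscriberInfo from the subscriber's home network"
        return "block", "provideSubscriberInfo not from the subscriber's home network"
    if msg.opcode == UPDATE_LOCATION:
        if not own_subscriber:
            return "block", "updateLocation for an IMSI this HLR does not own"
        if not msg.calling_gt.startswith(ROAMING_PARTNER_GTS):
            return "block", "updateLocation from a network without a roaming agreement"
        seen = last_home_activity.get(msg.imsi)
        if seen is not None and msg.ts - seen < MIN_TRAVEL_SECONDS:
            return "alert", "subscriber was active at home too recently to have moved"
        return "allow", "plausible roaming registration"
    if msg.opcode == SRI_SM:
        return "alert", "normal for SMS delivery, but the reply discloses IMSI and MSC"
    return "allow", "operation not covered by these rules"


def run_sample():
    """Screen a constructed batch of messages and return the action for each."""
    last_home_activity = {"999010000000001": 1_000_000}
    batch = [
        MapMessage(1_000_100, ATI, "998021111"),                      # external ATI
        MapMessage(1_000_200, PSI, "997031111", "999010000000001"),   # PSI from a stranger
        MapMessage(1_000_300, PSI, "998021111", "998020000000007"),   # roamer's own HLR
        MapMessage(1_000_400, UPDATE_LOCATION, "998021111", "999010000000001"),  # too soon
        MapMessage(1_090_000, UPDATE_LOCATION, "998021111", "999010000000001"),  # plausible
        MapMessage(1_000_500, UPDATE_LOCATION, "997031111", "999010000000001"),  # no agreement
        MapMessage(1_000_600, SRI_SM, "998021111"),                   # foreign SMSC lookup
        MapMessage(1_000_700, PSI, "999011234", "999010000000001"),   # spoofed own GT
    ]
    return [screen(m, last_home_activity)[0] for m in batch]


if __name__ == "__main__":
    print(run_sample())
```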
References
Signaling System No.7 (SS7/C7) Protocol, Architecture, and Services, Lee Dryburgh, Jeff Hewett, Cisco Press
Security of Public and IP Telephone Networks, A Security Assessment of SS7, SIGTRAN and VoIP Protocols, Sengar
Voice Over IP Fundamentals, Cisco Press
https://www.cisco.com/c/dam/global/en_ae/assets/ciscoexposaudi2008/assets/transport-and-applications-forss7--signaling-franktuhus.pdf
https://docstore.mik.ua/univercd/cc/td/doc/product/tel_pswt/vco_prod/ss7_fund/ss7fun03.pdf
https://www.slideshare.net/janardhanreddy30/ss7-tutorial
http://secuinside.com/archive/2015/2015-2-7.pdf
www.blackhat.com/presentations/bh-usa-06/BH-US-06-Waldron.pdf
http://blogs.blackberry.com/2016/04/how-to-protect-yourself-from-ss7-and-other-cellular-network-vulnerabilities/
http://www.fiercetelecom.com/telecom/verizon-seeks-fcc-permission-to-shutter-more-legacy-ss7-voice-switches-cites-ongoing-ip
https://www.wired.com/2017/05/fix-ss7-two-factor-authentication-bank-accounts/
https://www.theguardian.com/technology/2016/apr/19/ss7-hack-explained-mobile-phone-vulnerability-snooping-texts-calls
https://koolspan.com/ss7-mobile-network-vulnerabilities/
http://resources.infosecinstitute.com/ss7-protocol-how-hackers-might-find-you/
http://www.computerworld.com/article/3058020/security/hackers-only-need-your-phone-number-to-eavesdrop-on-calls-read-texts-track-you.html
https://www.adaptivemobile.com/press-centre/press-releases/adaptivemobile-launches-ss7-protection
http://blogs.blackberry.com/2014/12/how-to-defeat-ss7-surveillance-of-calls-texts/
http://www.itproportal.com/2016/06/13/ss7-protocol-critical-mobile-network-security/
https://blog.kaspersky.com/hacking-cellular-networks/10633/
https://www.v3.co.uk/v3-uk/news/3009585/cybercriminals-use-ss7-telco-flaw-to-steal-from-bank-accounts
https://www.engagespark.com/blog/telcos-aggregators-ss7-grey-routes/
https://www.scmagazineuk.com/ss7-vulnerability-defeats-whatsapp-encryption-researchers-claim/article/530945/
http://www.centurylink.com/wholesale/pcat/ccsacss7.html
https://www.corelatus.com/gth/api/save_to_pcap/index.html
https://github.com/SigPloiter/SigPloit/wiki/3--How-to-use-the-SS7-module
https://www.cellusys.com/2016/03/19/subscriber-identity-disclosure-how-an-attacker-can-obtain-imsi-of-a-subscriber/
https://www.itu.int/en/ITU-T/Workshops-and-Seminars/201606/Documents/Abstracts_and_Presentations/S2P1_Luca_Melette.pdf
http://labs.p1sec.com/2013/04/04/ss7-traffic-analysis-with-wireshark/
https://www.blackhat.com/presentations/bh-europe-07/Langlois/Presentation/bh-eu-07-langlois-ppt-apr19.pdf
http://k4linux.com/2016/06/how-to-hack-facebook-account-with-phone-number-ss7.html
https://insinuator.net/2016/02/ss7maper-a-ss7-pen-testing-toolkit/
https://www.cyberscoop.com/finally-happened-criminals-exploit-ss7-vulnerabilities-prompting-concerns-2fa/
https://www.schneier.com/blog/archives/2014/12/ss7_vulnerabili.html
https://fedotov.co/ss7-hack-tutorial-software/
https://fedotov.co/ss7-mobile-phone-hacking-2/
http://securityaffairs.co/wordpress/28397/hacking/surveillance-solutions.html
http://labs.p1sec.com/2012/12/02/sim-man-in-the-middle/
http://www.openss7.org
http://www.cellusys.com/2015/10/20/8-ss7-vulnerabilities-you-need-to-know-about/
https://thehackernews.com/2016/07/two-factor-authentication.html
http://blogs.blackberry.com/2016/01/how-ss7-flaw-gives-hackers-easy-access-to-your-private-phone-calls-what-you-can-do-about-it-white-paper/
https://www.kaspersky.com/blog/hacking-cellular-networks/10633/
http://www.communicationsapplications.com/topics/communicationsapplications/articles/431871-hackers-bank-ss7-insecurity.htm?utm_content=53980928&utm_medium=social&utm_source=twitter
https://en.wikipedia.org/wiki/Signalling_System_No._7
https://www.sans.org/reading-room/whitepapers/critical/fall-ss7--critical-security-controls-help-36225
https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/
https://securityintelligence.com/ss7-vulnerability-isnt-a-flaw-it-was-designed-that-way/
http://www.cellusys.com/tcap-handshaking-ss7-security/introduction-to-ss7-and-security/
https://www.washingtonpost.com/news/the-switch/wp/2014/12/18/german-researchers-discover-a-flaw-that-could-let-anyone-listen-to-your-cell-calls-and-read-your-texts/?noredirect=on&utm_term=.01131f2bc2b8
http://www.telecomspace.com/forum/telecom/ss7
http://www.telecomspace.com/ss7.html
https://wiki.wireshark.org/CaptureSetup/SS7
https://hitcon.org/2015/CMT/download/day1-d-r0.pdf
http://labs.p1sec.com/2014/12/28/ss7map-country-risk-ratings/
https://resources.infosecinstitute.com/ss7-protocol-how-hackers-might-find-you/#gref
https://www.ptsecurity.com/upload/ptcom/SS7_WP_A4.ENG.0036.01.DEC.28.2014.pdf
https://play.google.com/store/apps/details?id=de.srlabs.snoopsnitch
https://arxiv.org/pdf/1510.07563.pdf
https://blog.securegroup.com/vulnerabilities-in-ss7-expose-all-networks-to-attacks-why-you-should-be-concerned
http://blog.ptsecurity.com/2014/08/cell-phone-tapping-how-it-is-done-and.html
http://energy.sandia.gov/wp-content/gallery/uploads/sand_2005_2846p.pdf
https://blog.drhack.net/whatsapp-telegram-hacking-demo-live-ss7-vulnerability/2/
http://www.riverpublishers.com/journal_read_html_article.php?j=JICTS/5/1/2
http://netdude.sourceforge.net/
https://www.colasoft.com/packet_builder/
https://scapy.net/
https://n0where.net/build-gsm-base-station/
http://hackaday.com/2015/11/11/getting-started-with-gnu-radio/?utm_content=bufferb488a&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
https://www.blackhat.com/docs/eu-15/materials/eu-15-Borgaonkar-LTE-And-IMSI-Catcher-Myths-wp.pdf
http://resources.infosecinstitute.com/mobile-phone-tracking/
http://www.rs-online.com/designspark/electronics/eng/blog/running-a-gsm-network-on-the-raspberry-pi-2
https://github.com/yosriayed/GSM-scanner
http://resources.infosecinstitute.com/introduction-to-gsm-security/
http://discourse.criticalengineering.org/t/howto-gsm-base-station-with-the-beaglebone-black-debian-gnu-linux-and-a-usrp/56
http://www.insinuator.net/tag/gtp/
http://hackaday.com/2014/07/05/a-gsm-base-station-with-software-defined-radio/
http://imall.iteadstudio.com/im140318007.html
http://www.ptsecurity.com/download/Vulnerabilities_of_Mobile_Internet.pdf
http://blog.ptsecurity.com/2015/02/the-research-mobile-internet-traffic.html
https://www.schneier.com/blog/archives/2015/08/ss7_phone-switc.html
https://www.schneier.com/academic/archives/1999/12/attack_trees.html
MPLS VPN Security, Michael H. Behringer, Monique J. Morrow, Cisco Press
ISP Essentials, Barry Raveendran Greene, Philip Smith, Cisco Press
Router Security Strategies – Securing IP Network Traffic Planes, Gregg Schudel, David J. Smith, Cisco Press
LAN Switch Security – What Hackers Know About Your Switches, Eric Vyncke, Christopher Paggen, Cisco Press
Hijacking Label Switch Networks in the Cloud, Paul Coggin
Bending and Twisting Networks, Paul Coggin
Digital Energy – BPT, Paul Coggin
Questions?

@PaulCoggin
SS7 Link Types

•  Access links (A links) – Carriers use A links to connect SSPs (carrier voice switches) and SCPs (services databases) to STPs (SS7 message routers).

•  Crossover links (C links) – Used to mate\cluster STPs for redundancy. These links carry management traffic, and user traffic only if necessary.

•  Bridge links (B links) – Connect STPs from different areas to create the SS7 network backbone.

•  Diagonal links (D links) – Connect STPs from different carrier networks or architecture levels.

•  Extended links (E links) – Sometimes referred to as alternate A links (AA links). Connect to additional STPs for greater capacity and redundancy.

•  Fully associated links (F links) – In a large city, SSPs and SCPs may connect directly together using F links.

Reference: Signaling System No.7 (SS7/C7) Protocol, Architecture, and Services, Lee Dryburgh, Jeff Hewett, Cisco Press
OSI Model vs. SS7 Protocol Stack
OSI Model                                 | SS7 Signaling Point Functions | SS7 Level
7 Application, 6 Presentation, 5 Session  | TCAP, ISUP, TUP               | 4
4 Transport                               | SCCP                          | 4
3 Network                                 | MTP Level 3                   | 3
2 Data Link                               | MTP Level 2                   | 2
1 Physical                                | MTP Level 1                   | 1

Reference: Voice Over IP Fundamentals, Cisco Press
