SlideShare une entreprise Scribd logo

Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommunication Backbones

P
P1Security

Finding entry points to SS7 Networks & Telecommunication Backbones Black Hat Europe 2007

TechnologieBusiness
1  sur  63
Télécharger pour lire hors ligne
SCTPscan - Finding entry points to SS7 Networks & Telecommunication Backbones Philippe Langlois Telecom Security Task Force Philippe.Langlois@tstf.net 1
Agenda  History of telecommunications security  Review of digital telephony concepts  Discovering the backbone  SIGTRAN: From SS7 to TCP/IP  Attacking SIGTRAN  Q&A 2
The origins  Phreaking is a slang term for the action of making a telephone system do something that it normally should not allow.  Telecommunications security problems started in the 1960’s when the hackers of the time started to discover ways to abuse the telephone company. 3
But… what is it?  Discovery and exploration of features of telecommunications systems  Controlling Network Elements (NE) in a way that was not planned by its designers  Abusing weaknesses of protocols, systems and applications in telephone networks 4
The Blue Box Steve Jobs and Steve Wozniak in 1975 with a bluebox  CCITT#5 in-band signalling sends control messages over the speech channel, allowing trunks to be controlled  Seize trunk (2600) / KP1 or KP2 / destination / ST  Started in mid-60’s, became popular after Esquire 1971  Sounds produced by whistles, electronics dialers, computer programs, recorded tones 5
The end of the blueboxing era  Telcos installed filters, changed frequencies, analyzed patterns, sued fraudsters  The new SS7 digital signalling protocol is out-of-band and defeats blueboxing  In Europe, boxing was common until the early nineties and kept on until 1997-1998  In Asia, boxing can still be done on some 6 countries.
Past & current threats on the telecom backbone  Fraud  Blue Box  Internal Fraud  Reliability  US: 911, Europe: 112  How much lost revenue is one minute of downtime? 7
21st century telecom attacks  SIP account hacking  Remember ”Calling Cards” fraud?  VoIP GW hacking  Remember ”PBX hacking”?  Signalling hacking directly on SS7 – SIGTRAN level  Back at the good old BlueBox?  Not nearly but, the closest so far… 8
Example of SS7 Attacks  Theft of service, interception of calling cards numbers, privacy concerns  Introduce harmful packets into the national and global SS7 networks  Get control of call processing, get control of accounting reports  Obtain credit card numbers, non-listed numbers, etc.  Messages can be read, altered, injected or deleted  Denial of service, security triplet replay to compromise authentication  Annoyance calls, free calls, disruption of emergency services  Capture of gateways, rerouting of call traffic  Disruption of service to large parts of the network  Call processing exposed through Signaling Control Protocol  Announcement service exposed to IP through RTP  Disclosure of bearer channel traffic 9
Agenda  History of telecommunications security  Review of digital telephony concepts  Discovering the backbone  SIGTRAN: From SS7 to TCP/IP  Attacking SIGTRAN  Q&A  Lab - BYOL 10
Telephony 101 (recap)  Fixed line (PSTN): analog, digital (ISDN)  Mobile: analog (AMPS, NMT), digital (GSM, CDMA, 3G), private (PMR, Military)  Telephony switches speak out-of-band SS7 signalling  Speech and data convergence is increasing  Services are growing (SMS, MMS, packet data, WLAN integration, etc.)  VoIP and related technologies (SIP, IMS, PacketCable) 11
Telecom Backbones Organization 12
SS7: The walled garden  From a customer perspective  Wikipedia: “Walled Garden – Mobile Network Operators (MNOs). At the start of 2007, probably the best example. MNOs manage closed networks - very hard to enter the garden, or leave the garden, especially as it pertains to Internet, web services, web applications. Fearful of losing customer and brand control, the MNOs opt to guard the garden as much as possible.”  But also from a technology perspective  OSI : Open Protocol - Proprietary Stacks  Closed OSI network, IP management network 13
Agenda  History of telecommunications security  Review of digital telephony concepts  Discovering the backbone  SIGTRAN: From SS7 to TCP/IP  Attacking SIGTRAN  Q&A  Lab - BYOL 14
SS7 Network: Regional & Local 15
Opening up  Deregulation  Europe / US: CLEC vs ILEC  New services and new busines partners  Premium numbers, SMS providers, …  Push toward an “All IP” infrastructure  Management network first…  Cost  SIGTRAN (SS7 over IP) 16
Telco Backbone Global Picture IMS = SS7 SIGTRAN + IP-based Advanced Services 17
VoIP and SIGTRAN  SS7 & SIGTRAN  Core  Formerly, the walled garden  VoIP  Edge 18  Hard to make it reliable (QoS, SBCs)
SS7 and IP  There is also exponential growth in the use of interconnection between the telecommunication networks and the Internet, for example with VoIP protocols (e.g. SIP, SCTP, M3UA, etc.)  The IT community now has many protocol converters for conversion of SS7 data to IP, primarily for the transportation of voice and data over the IP networks. In addition new services such as those based on IN will lead to a growing use of the SS7 network for general data transfers.  There have been a number of incidents from accidental action on SS7, which have damaged a network. To date, there have 19 been very few deliberate actions. Far from VoIP here.
A shock of culture: SS7 vs. IP  Different set of people  IT vs Telecom Operations  New Open Technology  Open stack  Open software  Interconnected Networks  Habits and induced security problems  Eiffel, QA, Acceptance tests, … 20
Agenda  History of telecommunications security  Review of digital telephony concepts  Discovering the backbone  SIGTRAN: From SS7 to TCP/IP  Attacking SIGTRAN  Q&A  Lab - BYOL 21
SIGTRAN in the VoIP big picture 22
SCTP as SIGTRAN Foundation SS7 SIGTRAN 23
SCTP over IP +------------------------------------+ | Telephony Signalling Protocol | +------------------------------------+ | +------------------------------------+ | User Adaptation Layers | +------------------------------------+ | +------------------------------------+ |Stream Control Transmission Protocol| | (SCTP) | +------------------------------------+ | +------------------------------------+ | Internet Protocol (IPv4/IPv6) | +------------------------------------+ From RFC 4166 24
SCTP Specs & Advantages  RFC2960  SCTP: Stream Control Transmission Protocol  Advantages  Multi-homing  DoS resilient (4-way handshake, cookie)  Multi-stream  Reliable datagram mode  Some of TCP & UDP, improved 25
SCTP Packets 3. SCTP packet Format 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Common Header | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Chunk #1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Chunk #n | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  From RFC 2960 26
SCTP Common Header SCTP Common Header Format 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port Number | Destination Port Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Verification Tag | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Straight from RFC2960 27
SCTP Chunk types ID Value Chunk Type ----- ---------- 0 - Payload Data (DATA) 1 - Initiation (INIT) 2 - Initiation Acknowledgement (INIT ACK) 3 - Selective Acknowledgement (SACK) 4 - Heartbeat Request (HEARTBEAT) 5 - Heartbeat Acknowledgement (HEARTBEAT ACK) 6 - Abort (ABORT) 7 - Shutdown (SHUTDOWN) 8 - Shutdown Acknowledgement (SHUTDOWN ACK) 9 - Operation Error (ERROR) 10 - State Cookie (COOKIE ECHO) 11 - Cookie Acknowledgement (COOKIE ACK) 12 - Reserved for Explicit Congestion Notification Echo (ECNE) 13 - Reserved for Congestion Window Reduced (CWR) 14 - Shutdown Complete (SHUTDOWN COMPLETE) 28
SCTP in the wild  Software  Tons of proprietary implementations  Open source implementations (Linux, BSD…)  Network presence  Stack widespread with Linux 2.6 support  Scarcity on the open Internet  Rising in telco backbones / intranet  Adoption by other worlds: MPI clusters, high speed transfers, … 29
SCTP Ports & Applications  http://sctp.tstf.net/index.php/SCTPscan/SCTPports  Common ports from IANA and RFCs  Augmented with open source package ports  Updated based on SCTPscan results  Open to contribution  Watch out for the application fingerprinting  Cf. collaborative scanning 30
Agenda  History of telecommunications security  Review of digital telephony concepts  Discovering the backbone  SIGTRAN: From SS7 to TCP/IP  Attacking SIGTRAN  Q&A  Lab - BYOL 31
SCTP Association: 4-way handshake Client Server socket(), connect() socket(), bind(), listen(), accept() INIT INIT-ACK COOKIE-ECHO COOKIE-ACK 32
Scanning vs. Stealth Scanning Attacker Servers INIT INIT INIT INIT-ACK 33
RFC & Implementation  Where implementation diverge from RFCs  RFC says « hosts should never answer to INIT packets on non-existings ports. »  RFC: 0, hacker: 1.  Syn scanning is slow when no RST  Same here, but thanks to over-helping implementation  on scanning, hacker wins 34
Scan against current implementation Attacker Servers INIT (port=a) ABORT INIT (port=b) INIT-ACK 35
Below the IDS radar  How many firewall logs dropped SCTP packets?  How many IDSes watch for SCTP socket evil content?  Example  Dshield.org – Real life distributed IDS  Hundreds of thousands of IP scanned  Not detected / Not reported as scanner 36
INIT vs SHUTDOWN_ACK Packet Scanning  From RFC 2960  “8.4 Handle "Out of the blue" Packets  An SCTP packet is called an "out of the blue" (OOTB) packet if it is correctly formed, i.e., passed the receiver's Adler-32 / CRC-32 check (see Section 6.8), but the receiver is not able to identify the association to which this packet belongs.  The receiver of an OOTB packet MUST do the following: […]  5) If the packet contains a SHUTDOWN ACK chunk, the receiver should respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.”  New way to elicit answers even if not answering ABORTs to INITs targeted at not-opened port. 37
Tool Demo: SCTPscan  Like nmap for SCTP ports (-sS) root@gate:~/sctp# ./sctpscan-v11 --scan --autoportscan -r 203.151.1 Netscanning with Crc32 checksumed packet 203.151.1.4 SCTP present on port 2905 203.151.1.4 SCTP present on port 7102 203.151.1.4 SCTP present on port 7103 203.151.1.4 SCTP present on port 7105 203.151.1.4 SCTP present on port 7551 203.151.1.4 SCTP present on port 7701 203.151.1.4 SCTP present on port 7800 203.151.1.4 SCTP present on port 8001 203.151.1.4 SCTP present on port 2905 root@gate:~/sctp# 38
SCTP Stack Fingerprinting  SCTP stack reliability  Robustness testing (stress testing)  QA of a few stacks  Fuzzing built-in SCTPscan  SCTP stack fingerprinting  Discrepancies in SCTP answer packets  Different stack behaviours  Much more states than TCP=opportunities  Cookie randomness 39
Scarce Presence - Distributed Collaborative Scaning  SCTP application is rare on the internet  But common on modern telco backbones  Research needs collaborative effort  Built-in collaborative reporting with SCTPscan.  Going to be expanded for  Fuzzing results  Application Fingerprinting 40
Going up: SIGTRAN & SS7 41
Going up: upper layer protocols  Key to the upper level  M2PA and M3UA  Vulnerabilities  Telecom potential  Technical vulnerability  The expert way & the automated way  Ethereal is our friend  In need of new packet captures: open call! 42
Demo: Ethereal Dissection of Upper Layer Protocols  Fire up your Ethereal or Wireshark!  Collect your own examples  And contribute to the SCTPscan wiki!  Lots of SS7 specifics in higher level protocols  DPC/OPC  BICC, ISUP, TCAP, GSM-MAP protocols  Less and less IP-related  IP is only a bearer technology  Transport only 43
Fuzzing upper layer protocols  Quick way to find vulnerabilities  Automated inspection  State fuzzing vs. input fuzzing  Already some stack vulnerabilities in the wild  Only found DoS for now  Input fuzzing for UA layers  SIGTRAN higher protocols  User Adaptation layers  Largest “opportunity” / work area 44 © Roger Ballen
Vulnerability evolution  Same as with TCP  First, stack and “daemons” vulnerabilities  More and more application-level vulnerabilities  Custom & Application-related  Requires more knowledge of Telecom  Same as with web app testing  “niche”: requires understanding of SS7 world  Specifics  Defined Peers make attack difficult 45
References & Conclusion  New realm  New “tunneling / VPN”  Same Rules  New fun!  Lots of references, complex  RFC 2960, 4166, 4666  ITU (Now free) 46
Thanks  Questions?  Thank you very much!  Special thanks to all TSTF OOB Research Team; Emmanuel Gadaix, Fyodor Yarochkin, Raoul Chiesa, Grugq, Inode, Stealth, Raptor, Job De Haas, Halvar, Michael M. Kemp, and all the community http://sctp.tstf.net Some illustrations on slides are © Sycamore, Cisco, Continous Comp, 47
Q&A  Thanks a lot! 48
Agenda  History of telecommunications security  Review of digital telephony concepts  Discovering the backbone  SIGTRAN: From SS7 to TCP/IP  Attacking SIGTRAN  Q&A  Lab - BYOL 49
Lab: Hands-on Agenda  Setup  Network Inventory  Scanner vs. Targets  Scanning types  Scanning conflicts & Kernel impact  Analyze a SCTP exchange  Ethereal  Discover a SIGTRAN architecture  Exploring & Finding vulnerabilities 50
Required Skills  Know how to compile a C program  Know how TCP protocol works  Know how to use tcpdump and ethereal 51
Hands on requirement  Laptop with VMware or bootable distribution with  Ubuntu with Linux 2.6 kernel (scanner and dummy server tested ok) - Download  nUbuntu Live CD with Linux 2.6 kernel (scanner and dummy server tested ok) - Download  Linux 2.4 distribution (only scanner will work, not the dummy server)  Solaris 10  Nexenta OS (GNU/Linux Solaris 10) (dummy server only) - Download instructions or distrib or VMware image at Distrowatch  MacOsX (scanner and dummy server tested ok)  Software  C Compiler (apt-get install gcc)  Glib 2.0 development library  Libpcap development librar  tcpdump (apt-get install tcpdump)  ethereal (apt-get install ethereal) 52  netstat
Important workshop notes!  Your computers / VMware images must be installed before the workshop.  OS installation or vmware image setup is not covered during the workshop.  We have some ISOs of these Oses available for download in any case, but beware of the short time.  http://sctp.tstf.net/index.php/SCTPscan/Workshop 53
Notes on VMware images  Make sure to select "Bridged mode" for your ethernet connector. 54
Hands-on Tests  Who scans who?  Scanners vs. Targets  Scanning types  Scanning conflicts & Kernel impact  Analyze a SCTP exchange  Ethereal 55
Common problems Q: I try to run the Dummy SCTP server for testing, and I get: "socket: Socket type not supported" A: Your kernel does not support SCTP sockets. SCTP sockets are supported by Linux Kernel 2.6 or Solaris 10. For Linux, you may want to try as root something like: modprobe sctp Then rerun: sctpscan --dummyserver Note: you only need a SCTP-aware kernel to run dummyserver. Scanning is ok with 2.4 linux kernels! For Mac Os X, you may add support for SCTP in Tiger 10.4.8 by downloading: http://sctp.fh-muenster.de/sctp-nke.html Install the software package and run as root: kextload /System/Library/Extensions/SCTP.kext Then you can run "sctpscan -d" to run the dummy server. Note that "netstat" won't report the use of the SCTP socket, use instead: lsof -n | grep -i '132?' 56
Kernel conflicts: Linux 2.6 [root@nubuntu] ./sctpscan -s -r 192.168.0 -p 10000 Netscanning with Crc32 checksumed packet 192.168.0.3 SCTP present on port 10000 SCTP packet received from 192.168.0.4 port 10000 type 1 (Initiation (INIT)) End of scan: duration=5 seconds packet_sent=254 packet_rcvd=205 (SCTP=2, ICMP=203) [root@nubuntu] uname -a Linux nubuntu 2.6.17-10-386 #2 Fri Oct 13 18:41:40 UTC 2006 i686 GNU/Linux [root@nubuntu]  If after this scan, we test the dummy server SCTP daemon built in SCTPscan, we'll notice that further scans from this host will have different behavior: [root@nubuntu] ./sctpscan -d Trying to bind SCTP port Listening on SCTP port 10000 ^C [root@nubuntu] [root@nubuntu] [root@nubuntu] ./sctpscan -s -r 192.168.0 -p 10000 Netscanning with Crc32 checksumed packet 192.168.0.3 SCTP present on port 10000 SCTP packet received from 192.168.0.4 port 10000 type 1 (Initiation (INIT)) SCTP packet received from 192.168.0.4 port 10000 type 6 (Abort (ABORT)) End of scan: duration=5 seconds packet_sent=254 packet_rcvd=206 (SCTP=3, ICMP=203) 57 [root@nubuntu]
Kernel conflicts: MacOS X localhost:~/Documents/sctpscan/ root# kextload /System/Library/Extensions/SCTP.kext kextload: /System/Library/Extensions/SCTP.kext loaded successfully localhost:~/Documents/sctpscan/ root# ./sctpscan -s -r 192.168.0 -p 10000 Netscanning with Crc32 checksumed packet End of scan: duration=9 seconds packet_sent=254 packet_rcvd=3 (SCTP=0, ICMP=3) localhost:~/Documents/sctpscan/ root# kextunload /System/Library/Extensions/SCTP.kext kextunload: unload kext /System/Library/Extensions/SCTP.kext succeeded localhost:~/Documents/sctpscan/ root# ./sctpscan -s -r 192.168.0 -p 10000 Netscanning with Crc32 checksumed packet SCTP packet received from 127.0.0.1 port 10000 type 1 (Initiation (INIT)) 192.168.0.4 SCTP present on port 10000 End of scan: duration=9 seconds packet_sent=254 packet_rcvd=5 (SCTP=2, ICMP=3) localhost:~/Documents/sctpscan/ root#  You saw in this example that loading the SCTP kernel module prevents SCTPscan to receive the response packets, and thus is not capable to detect presence of a remote open port. 58
Thanks  Thank you very much!  Special thanks to Emmanuel Gadaix, Fyodor Yarochkin, Raoul Chiesa, Inode, Stealth, Raptor, Job De Haas, Michael M. Kemp, all TSTF OOB Research Team and all the community  Contact / Questions:  Philippe Langlois - pl@tstf.net Some illustrations on slides are © Sycamore, Cisco, Continous Comp, 59
Backup slides 60
Comparison SCTP, TCP, UDP 61
Details of an SSP / STP 62
63

Recommandé

Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisAttacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisP1Security
 
Telecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsTelecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsP1Security
 
Philippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsPhilippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsP1Security
 
Philippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityPhilippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityP1Security
 
Worldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkP1Security
 
SS7 & SIGTRAN
SS7 & SIGTRANSS7 & SIGTRAN
SS7 & SIGTRANStephanie Galloway-Williams
 
Using SS7 & SIGTRAN to Solve Today's Network Challenges
Using SS7 & SIGTRAN to Solve Today's Network ChallengesUsing SS7 & SIGTRAN to Solve Today's Network Challenges
Using SS7 & SIGTRAN to Solve Today's Network ChallengesContinuous Computing
 
Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeP1Security
 

Recommandé

Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisAttacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisP1Security
 
Telecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsTelecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsP1Security
 
Philippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsPhilippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsP1Security
 
Philippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityPhilippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityP1Security
 
Worldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkP1Security
 
SS7 & SIGTRAN
SS7 & SIGTRANSS7 & SIGTRAN
SS7 & SIGTRANStephanie Galloway-Williams
 
Using SS7 & SIGTRAN to Solve Today's Network Challenges
Using SS7 & SIGTRAN to Solve Today's Network ChallengesUsing SS7 & SIGTRAN to Solve Today's Network Challenges
Using SS7 & SIGTRAN to Solve Today's Network ChallengesContinuous Computing
 
Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeP1Security
 
sigtran
sigtransigtran
sigtrankrsgowri
 
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksHITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksJim Geovedi
 
Diameter Penetration Test Lab
Diameter Penetration Test LabDiameter Penetration Test Lab
Diameter Penetration Test Labfrcarlson
 
SS7 over IP Brown Bag
SS7 over IP Brown BagSS7 over IP Brown Bag
SS7 over IP Brown BagStephanie Galloway-Williams
 
Extending the Life of your SS7 Network with SIGTRAN
Extending the Life of your SS7 Network with SIGTRANExtending the Life of your SS7 Network with SIGTRAN
Extending the Life of your SS7 Network with SIGTRANAlan Percy
 
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksInfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksOmer Coskun
 
ss7 and M3UA
ss7 and M3UAss7 and M3UA
ss7 and M3UAEng Ahmed Bakaal
 
User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...Siddharth Rao
 
ETE405-lec4.pptx
ETE405-lec4.pptxETE405-lec4.pptx
ETE405-lec4.pptxmashiur
 
Hallowed be thy packets by Paul Coggin
Hallowed be thy packets by Paul CogginHallowed be thy packets by Paul Coggin
Hallowed be thy packets by Paul CogginEC-Council
 
Exploring LTE security and protocol exploits with open source software and lo...
Exploring LTE security and protocol exploits with open source software and lo...Exploring LTE security and protocol exploits with open source software and lo...
Exploring LTE security and protocol exploits with open source software and lo...EC-Council
 
Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Peter R. Egli
 
Sigtran protocol
Sigtran protocolSigtran protocol
Sigtran protocolIsybel Harto
 
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Alejandro Corletti Estrada
 
Sangoma SS7 Gateway Training
Sangoma SS7 Gateway TrainingSangoma SS7 Gateway Training
Sangoma SS7 Gateway TrainingEmpatiq İletişim Teknolojileri AŞ.
 
VoLTE Flows and CS network
VoLTE Flows and CS networkVoLTE Flows and CS network
VoLTE Flows and CS networkKarel Berkovec
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocolsAbdessamad TEMMAR
 
Router and Routing Protocol Attacks
Router and Routing Protocol AttacksRouter and Routing Protocol Attacks
Router and Routing Protocol AttacksConferencias FIST
 
Switch and Router Security Testing
Switch and Router Security TestingSwitch and Router Security Testing
Switch and Router Security TestingConferencias FIST
 
Introduction to Diameter: The Evolution of Signaling
Introduction to Diameter: The Evolution of SignalingIntroduction to Diameter: The Evolution of Signaling
Introduction to Diameter: The Evolution of SignalingPT
 
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisHacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisP1Security
 
Modul 7 gprs operation
Modul 7 gprs operationModul 7 gprs operation
Modul 7 gprs operationWijaya Kusuma
 

Contenu connexe

Tendances

HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksHITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksJim Geovedi
 
Diameter Penetration Test Lab
Diameter Penetration Test LabDiameter Penetration Test Lab
Diameter Penetration Test Labfrcarlson
 
Extending the Life of your SS7 Network with SIGTRAN
Extending the Life of your SS7 Network with SIGTRANExtending the Life of your SS7 Network with SIGTRAN
Extending the Life of your SS7 Network with SIGTRANAlan Percy
 
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksInfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksOmer Coskun
 
User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...Siddharth Rao
 
ETE405-lec4.pptx
ETE405-lec4.pptxETE405-lec4.pptx
ETE405-lec4.pptxmashiur
 
Hallowed be thy packets by Paul Coggin
Hallowed be thy packets by Paul CogginHallowed be thy packets by Paul Coggin
Hallowed be thy packets by Paul CogginEC-Council
 
Exploring LTE security and protocol exploits with open source software and lo...
Exploring LTE security and protocol exploits with open source software and lo...Exploring LTE security and protocol exploits with open source software and lo...
Exploring LTE security and protocol exploits with open source software and lo...EC-Council
 
Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Peter R. Egli
 
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Alejandro Corletti Estrada
 
VoLTE Flows and CS network
VoLTE Flows and CS networkVoLTE Flows and CS network
VoLTE Flows and CS networkKarel Berkovec
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocolsAbdessamad TEMMAR
 
Router and Routing Protocol Attacks
Router and Routing Protocol AttacksRouter and Routing Protocol Attacks
Router and Routing Protocol AttacksConferencias FIST
 
Switch and Router Security Testing
Switch and Router Security TestingSwitch and Router Security Testing
Switch and Router Security TestingConferencias FIST
 
Introduction to Diameter: The Evolution of Signaling
Introduction to Diameter: The Evolution of SignalingIntroduction to Diameter: The Evolution of Signaling
Introduction to Diameter: The Evolution of SignalingPT
 

Tendances (20)

sigtran
sigtransigtran
sigtran
 
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksHITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
 
Diameter Penetration Test Lab
Diameter Penetration Test LabDiameter Penetration Test Lab
Diameter Penetration Test Lab
 
SS7 over IP Brown Bag
SS7 over IP Brown BagSS7 over IP Brown Bag
SS7 over IP Brown Bag
 
Extending the Life of your SS7 Network with SIGTRAN
Extending the Life of your SS7 Network with SIGTRANExtending the Life of your SS7 Network with SIGTRAN
Extending the Life of your SS7 Network with SIGTRAN
 
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksInfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
 
ss7 and M3UA
ss7 and M3UAss7 and M3UA
ss7 and M3UA
 
User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...User location tracking attacks for LTE networks using the Interworking Functi...
User location tracking attacks for LTE networks using the Interworking Functi...
 
ETE405-lec4.pptx
ETE405-lec4.pptxETE405-lec4.pptx
ETE405-lec4.pptx
 
Hallowed be thy packets by Paul Coggin
Hallowed be thy packets by Paul CogginHallowed be thy packets by Paul Coggin
Hallowed be thy packets by Paul Coggin
 
Exploring LTE security and protocol exploits with open source software and lo...
Exploring LTE security and protocol exploits with open source software and lo...Exploring LTE security and protocol exploits with open source software and lo...
Exploring LTE security and protocol exploits with open source software and lo...
 
Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)
 
Sigtran protocol
Sigtran protocolSigtran protocol
Sigtran protocol
 
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
 
Sangoma SS7 Gateway Training
Sangoma SS7 Gateway TrainingSangoma SS7 Gateway Training
Sangoma SS7 Gateway Training
 
VoLTE Flows and CS network
VoLTE Flows and CS networkVoLTE Flows and CS network
VoLTE Flows and CS network
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocols
 
Router and Routing Protocol Attacks
Router and Routing Protocol AttacksRouter and Routing Protocol Attacks
Router and Routing Protocol Attacks
 
Switch and Router Security Testing
Switch and Router Security TestingSwitch and Router Security Testing
Switch and Router Security Testing
 
Introduction to Diameter: The Evolution of Signaling
Introduction to Diameter: The Evolution of SignalingIntroduction to Diameter: The Evolution of Signaling
Introduction to Diameter: The Evolution of Signaling
 

En vedette

Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisHacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisP1Security
 
Modul 7 gprs operation
Modul 7 gprs operationModul 7 gprs operation
Modul 7 gprs operationWijaya Kusuma
 
4G LTE Mobile Broadband Overview
4G LTE Mobile Broadband Overview4G LTE Mobile Broadband Overview
4G LTE Mobile Broadband OverviewSigit Priyanggoro
 
Implementing Internet and MPLS BGP
Implementing Internet and MPLS BGPImplementing Internet and MPLS BGP
Implementing Internet and MPLS BGPPrivate
 
Deploying IP/MPLS VPN - Cisco Networkers 2010
Deploying IP/MPLS VPN - Cisco Networkers 2010Deploying IP/MPLS VPN - Cisco Networkers 2010
Deploying IP/MPLS VPN - Cisco Networkers 2010Febrian ‎
 
VPN - Virtual Private Network
VPN - Virtual Private NetworkVPN - Virtual Private Network
VPN - Virtual Private NetworkPeter R. Egli
 
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talkHES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talkHackito Ergo Sum
 
Modul 1 optim overview
Modul 1 optim overviewModul 1 optim overview
Modul 1 optim overviewWijaya Kusuma
 
Modul 6 antenna & related equipments
Modul 6 antenna & related equipmentsModul 6 antenna & related equipments
Modul 6 antenna & related equipmentsWijaya Kusuma
 
Modul 1 Wireless Introduction
Modul 1 Wireless IntroductionModul 1 Wireless Introduction
Modul 1 Wireless IntroductionWijaya Kusuma
 
Modul 3 gsm procedures
Modul 3 gsm proceduresModul 3 gsm procedures
Modul 3 gsm proceduresWijaya Kusuma
 
Modul 2 gsm air interface
Modul 2 gsm air interfaceModul 2 gsm air interface
Modul 2 gsm air interfaceWijaya Kusuma
 
Modul 5 bss parameter
Modul 5 bss parameterModul 5 bss parameter
Modul 5 bss parameterWijaya Kusuma
 
Modul 4 signalling dimensioning
Modul 4 signalling dimensioningModul 4 signalling dimensioning
Modul 4 signalling dimensioningWijaya Kusuma
 
Diameter and Diameter Roaming
Diameter and Diameter RoamingDiameter and Diameter Roaming
Diameter and Diameter RoamingJohn Loughney
 
Modul 6 antenna & related equipments
Modul 6 antenna & related equipmentsModul 6 antenna & related equipments
Modul 6 antenna & related equipmentsWijaya Kusuma
 
Rk 4 signaling system
Rk 4 signaling systemRk 4 signaling system
Rk 4 signaling systemVishal Pandey
 

En vedette (20)

Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisHacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
 
Modul 7 gprs operation
Modul 7 gprs operationModul 7 gprs operation
Modul 7 gprs operation
 
Mpls vpn toi
Mpls vpn toiMpls vpn toi
Mpls vpn toi
 
Voice over MPLS
Voice over MPLSVoice over MPLS
Voice over MPLS
 
4G LTE Mobile Broadband Overview
4G LTE Mobile Broadband Overview4G LTE Mobile Broadband Overview
4G LTE Mobile Broadband Overview
 
Implementing Internet and MPLS BGP
Implementing Internet and MPLS BGPImplementing Internet and MPLS BGP
Implementing Internet and MPLS BGP
 
Deploying IP/MPLS VPN - Cisco Networkers 2010
Deploying IP/MPLS VPN - Cisco Networkers 2010Deploying IP/MPLS VPN - Cisco Networkers 2010
Deploying IP/MPLS VPN - Cisco Networkers 2010
 
VPN - Virtual Private Network
VPN - Virtual Private NetworkVPN - Virtual Private Network
VPN - Virtual Private Network
 
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talkHES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
 
Modul 1 optim overview
Modul 1 optim overviewModul 1 optim overview
Modul 1 optim overview
 
Modul 6 antenna & related equipments
Modul 6 antenna & related equipmentsModul 6 antenna & related equipments
Modul 6 antenna & related equipments
 
Modul 1 Wireless Introduction
Modul 1 Wireless IntroductionModul 1 Wireless Introduction
Modul 1 Wireless Introduction
 
Optim Overview
Optim OverviewOptim Overview
Optim Overview
 
Modul 3 gsm procedures
Modul 3 gsm proceduresModul 3 gsm procedures
Modul 3 gsm procedures
 
Modul 2 gsm air interface
Modul 2 gsm air interfaceModul 2 gsm air interface
Modul 2 gsm air interface
 
Modul 5 bss parameter
Modul 5 bss parameterModul 5 bss parameter
Modul 5 bss parameter
 
Modul 4 signalling dimensioning
Modul 4 signalling dimensioningModul 4 signalling dimensioning
Modul 4 signalling dimensioning
 
Diameter and Diameter Roaming
Diameter and Diameter RoamingDiameter and Diameter Roaming
Diameter and Diameter Roaming
 
Modul 6 antenna & related equipments
Modul 6 antenna & related equipmentsModul 6 antenna & related equipments
Modul 6 antenna & related equipments
 
Rk 4 signaling system
Rk 4 signaling systemRk 4 signaling system
Rk 4 signaling system
 

Similaire à Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommunication Backbones

Telecom incidents investigation: daily work behind the scenes
Telecom incidents investigation: daily work behind the scenesTelecom incidents investigation: daily work behind the scenes
Telecom incidents investigation: daily work behind the scenesPositiveTechnologies
 
Intelligent Networks
Intelligent NetworksIntelligent Networks
Intelligent NetworksFaraz Shahid
 
How to migrate legacy serial devices to IP broadband
How to migrate legacy serial devices to IP broadbandHow to migrate legacy serial devices to IP broadband
How to migrate legacy serial devices to IP broadbandWestermo Network Technologies
 
On her majesty's secret service - GRX and a Spy Agency
On her majesty's secret service - GRX and a Spy AgencyOn her majesty's secret service - GRX and a Spy Agency
On her majesty's secret service - GRX and a Spy AgencyStephen Kho
 
Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data DATA SECURITY SOLUTIONS
 
L2 over l3 ecnaspsulations (english)
L2 over l3 ecnaspsulations (english)L2 over l3 ecnaspsulations (english)
L2 over l3 ecnaspsulations (english)Motonori Shindo
 
VoIP@RCTS presented at CESNET IP Telephony workshop
VoIP@RCTS presented at CESNET IP Telephony workshopVoIP@RCTS presented at CESNET IP Telephony workshop
VoIP@RCTS presented at CESNET IP Telephony workshopMarco Mouta
 
SS7 Network Technology
SS7 Network TechnologySS7 Network Technology
SS7 Network TechnologyMohmmad Azam
 
Practical Experiences of Multi-Operator Neutral Hosting James Body, TADSummit...
Practical Experiences of Multi-Operator Neutral Hosting James Body, TADSummit...Practical Experiences of Multi-Operator Neutral Hosting James Body, TADSummit...
Practical Experiences of Multi-Operator Neutral Hosting James Body, TADSummit...Alan Quayle
 
POSTECH 1 Business V2.0 UR final.ppt
POSTECH 1 Business V2.0 UR final.pptPOSTECH 1 Business V2.0 UR final.ppt
POSTECH 1 Business V2.0 UR final.pptDwiPratiwi50
 
Session bordercontrollers
Session bordercontrollersSession bordercontrollers
Session bordercontrollersAstri AndTi
 
Cisco XFP10GEROC192IR
Cisco XFP10GEROC192IRCisco XFP10GEROC192IR
Cisco XFP10GEROC192IRsavomir
 
What is SS7? An Introduction to Signaling System 7
What is SS7? An Introduction to Signaling System 7What is SS7? An Introduction to Signaling System 7
What is SS7? An Introduction to Signaling System 7TelcoBridges Inc.
 
ASCC Network Experience in IPv6
ASCC Network Experience in IPv6ASCC Network Experience in IPv6
ASCC Network Experience in IPv6Ethern Lin
 
Cisco SFPOC48SR
Cisco SFPOC48SRCisco SFPOC48SR
Cisco SFPOC48SRsavomir
 
Wireless intelligent networking
Wireless intelligent networkingWireless intelligent networking
Wireless intelligent networkingManish Kumar
 

Similaire à Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommunication Backbones (20)

Telecom incidents investigation: daily work behind the scenes
Telecom incidents investigation: daily work behind the scenesTelecom incidents investigation: daily work behind the scenes
Telecom incidents investigation: daily work behind the scenes
 
Intelligent Networks
Intelligent NetworksIntelligent Networks
Intelligent Networks
 
Networking
NetworkingNetworking
Networking
 
How to migrate legacy serial devices to IP broadband
How to migrate legacy serial devices to IP broadbandHow to migrate legacy serial devices to IP broadband
How to migrate legacy serial devices to IP broadband
 
Project
ProjectProject
Project
 
On her majesty's secret service - GRX and a Spy Agency
On her majesty's secret service - GRX and a Spy AgencyOn her majesty's secret service - GRX and a Spy Agency
On her majesty's secret service - GRX and a Spy Agency
 
Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data
 
L2 over l3 ecnaspsulations (english)
L2 over l3 ecnaspsulations (english)L2 over l3 ecnaspsulations (english)
L2 over l3 ecnaspsulations (english)
 
VoIP@RCTS presented at CESNET IP Telephony workshop
VoIP@RCTS presented at CESNET IP Telephony workshopVoIP@RCTS presented at CESNET IP Telephony workshop
VoIP@RCTS presented at CESNET IP Telephony workshop
 
SS7 Network Technology
SS7 Network TechnologySS7 Network Technology
SS7 Network Technology
 
New top ix challenges
New top ix challengesNew top ix challenges
New top ix challenges
 
Practical Experiences of Multi-Operator Neutral Hosting James Body, TADSummit...
Practical Experiences of Multi-Operator Neutral Hosting James Body, TADSummit...Practical Experiences of Multi-Operator Neutral Hosting James Body, TADSummit...
Practical Experiences of Multi-Operator Neutral Hosting James Body, TADSummit...
 
POSTECH 1 Business V2.0 UR final.ppt
POSTECH 1 Business V2.0 UR final.pptPOSTECH 1 Business V2.0 UR final.ppt
POSTECH 1 Business V2.0 UR final.ppt
 
Session bordercontrollers
Session bordercontrollersSession bordercontrollers
Session bordercontrollers
 
Cisco XFP10GEROC192IR
Cisco XFP10GEROC192IRCisco XFP10GEROC192IR
Cisco XFP10GEROC192IR
 
What is SS7? An Introduction to Signaling System 7
What is SS7? An Introduction to Signaling System 7What is SS7? An Introduction to Signaling System 7
What is SS7? An Introduction to Signaling System 7
 
Ride the Light
Ride the LightRide the Light
Ride the Light
 
ASCC Network Experience in IPv6
ASCC Network Experience in IPv6ASCC Network Experience in IPv6
ASCC Network Experience in IPv6
 
Cisco SFPOC48SR
Cisco SFPOC48SRCisco SFPOC48SR
Cisco SFPOC48SR
 
Wireless intelligent networking
Wireless intelligent networkingWireless intelligent networking
Wireless intelligent networking
 

Dernier

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 

Dernier (20)

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 

Philippe Langlois - SCTPscan Finding entry points to SS7 Networks & Telecommunication Backbones

  • 1. SCTPscan - Finding entry points to SS7 Networks & Telecommunication Backbones Philippe Langlois Telecom Security Task Force Philippe.Langlois@tstf.net 1
  • 2. Agenda  History of telecommunications security  Review of digital telephony concepts  Discovering the backbone  SIGTRAN: From SS7 to TCP/IP  Attacking SIGTRAN  Q&A 2
  • 3. The origins  Phreaking is a slang term for the action of making a telephone system do something that it normally should not allow.  Telecommunications security problems started in the 1960’s when the hackers of the time started to discover ways to abuse the telephone company. 3
  • 4. But… what is it?  Discovery and exploration of features of telecommunications systems  Controlling Network Elements (NE) in a way that was not planned by its designers  Abusing weaknesses of protocols, systems and applications in telephone networks 4
  • 5. The Blue Box Steve Jobs and Steve Wozniak in 1975 with a bluebox  CCITT#5 in-band signalling sends control messages over the speech channel, allowing trunks to be controlled  Seize trunk (2600) / KP1 or KP2 / destination / ST  Started in mid-60’s, became popular after Esquire 1971  Sounds produced by whistles, electronics dialers, computer programs, recorded tones 5
  • 6. The end of the blueboxing era  Telcos installed filters, changed frequencies, analyzed patterns, sued fraudsters  The new SS7 digital signalling protocol is out-of-band and defeats blueboxing  In Europe, boxing was common until the early nineties and kept on until 1997-1998  In Asia, boxing can still be done on some 6 countries.
  • 7. Past & current threats on the telecom backbone  Fraud  Blue Box  Internal Fraud  Reliability  US: 911, Europe: 112  How much lost revenue is one minute of downtime? 7
  • 8. 21st century telecom attacks  SIP account hacking  Remember ”Calling Cards” fraud?  VoIP GW hacking  Remember ”PBX hacking”?  Signalling hacking directly on SS7 – SIGTRAN level  Back at the good old BlueBox?  Not nearly but, the closest so far… 8
  • 9. Example of SS7 Attacks  Theft of service, interception of calling cards numbers, privacy concerns  Introduce harmful packets into the national and global SS7 networks  Get control of call processing, get control of accounting reports  Obtain credit card numbers, non-listed numbers, etc.  Messages can be read, altered, injected or deleted  Denial of service, security triplet replay to compromise authentication  Annoyance calls, free calls, disruption of emergency services  Capture of gateways, rerouting of call traffic  Disruption of service to large parts of the network  Call processing exposed through Signaling Control Protocol  Announcement service exposed to IP through RTP  Disclosure of bearer channel traffic 9
  • 10. Agenda  History of telecommunications security  Review of digital telephony concepts  Discovering the backbone  SIGTRAN: From SS7 to TCP/IP  Attacking SIGTRAN  Q&A  Lab - BYOL 10
  • 11. Telephony 101 (recap)  Fixed line (PSTN): analog, digital (ISDN)  Mobile: analog (AMPS, NMT), digital (GSM, CDMA, 3G), private (PMR, Military)  Telephony switches speak out-of-band SS7 signalling  Speech and data convergence is increasing  Services are growing (SMS, MMS, packet data, WLAN integration, etc.)  VoIP and related technologies (SIP, IMS, PacketCable) 11
  • 13. SS7: The walled garden  From a customer perspective  Wikipedia: “Walled Garden – Mobile Network Operators (MNOs). At the start of 2007, probably the best example. MNOs manage closed networks - very hard to enter the garden, or leave the garden, especially as it pertains to Internet, web services, web applications. Fearful of losing customer and brand control, the MNOs opt to guard the garden as much as possible.”  But also from a technology perspective  OSI : Open Protocol - Proprietary Stacks  Closed OSI network, IP management network 13
  • 14. Agenda  History of telecommunications security  Review of digital telephony concepts  Discovering the backbone  SIGTRAN: From SS7 to TCP/IP  Attacking SIGTRAN  Q&A  Lab - BYOL 14
  • 15. SS7 Network: Regional & Local 15
  • 16. Opening up  Deregulation  Europe / US: CLEC vs ILEC  New services and new busines partners  Premium numbers, SMS providers, …  Push toward an “All IP” infrastructure  Management network first…  Cost  SIGTRAN (SS7 over IP) 16
  • 17. Telco Backbone Global Picture IMS = SS7 SIGTRAN + IP-based Advanced Services 17
  • 18. VoIP and SIGTRAN  SS7 & SIGTRAN  Core  Formerly, the walled garden  VoIP  Edge 18  Hard to make it reliable (QoS, SBCs)
  • 19. SS7 and IP  There is also exponential growth in the use of interconnection between the telecommunication networks and the Internet, for example with VoIP protocols (e.g. SIP, SCTP, M3UA, etc.)  The IT community now has many protocol converters for conversion of SS7 data to IP, primarily for the transportation of voice and data over the IP networks. In addition new services such as those based on IN will lead to a growing use of the SS7 network for general data transfers.  There have been a number of incidents from accidental action on SS7, which have damaged a network. To date, there have 19 been very few deliberate actions. Far from VoIP here.
  • 20. A shock of culture: SS7 vs. IP  Different set of people  IT vs Telecom Operations  New Open Technology  Open stack  Open software  Interconnected Networks  Habits and induced security problems  Eiffel, QA, Acceptance tests, … 20
  • 21. Agenda  History of telecommunications security  Review of digital telephony concepts  Discovering the backbone  SIGTRAN: From SS7 to TCP/IP  Attacking SIGTRAN  Q&A  Lab - BYOL 21
  • 22. SIGTRAN in the VoIP big picture 22
  • 23. SCTP as SIGTRAN Foundation SS7 SIGTRAN 23
  • 24. SCTP over IP +------------------------------------+ | Telephony Signalling Protocol | +------------------------------------+ | +------------------------------------+ | User Adaptation Layers | +------------------------------------+ | +------------------------------------+ |Stream Control Transmission Protocol| | (SCTP) | +------------------------------------+ | +------------------------------------+ | Internet Protocol (IPv4/IPv6) | +------------------------------------+ From RFC 4166 24
  • 25. SCTP Specs & Advantages  RFC2960  SCTP: Stream Control Transmission Protocol  Advantages  Multi-homing  DoS resilient (4-way handshake, cookie)  Multi-stream  Reliable datagram mode  Some of TCP & UDP, improved 25
  • 26. SCTP Packets 3. SCTP packet Format 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Common Header | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Chunk #1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Chunk #n | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  From RFC 2960 26
  • 27. SCTP Common Header SCTP Common Header Format 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port Number | Destination Port Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Verification Tag | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Straight from RFC2960 27
  • 28. SCTP Chunk types ID Value Chunk Type ----- ---------- 0 - Payload Data (DATA) 1 - Initiation (INIT) 2 - Initiation Acknowledgement (INIT ACK) 3 - Selective Acknowledgement (SACK) 4 - Heartbeat Request (HEARTBEAT) 5 - Heartbeat Acknowledgement (HEARTBEAT ACK) 6 - Abort (ABORT) 7 - Shutdown (SHUTDOWN) 8 - Shutdown Acknowledgement (SHUTDOWN ACK) 9 - Operation Error (ERROR) 10 - State Cookie (COOKIE ECHO) 11 - Cookie Acknowledgement (COOKIE ACK) 12 - Reserved for Explicit Congestion Notification Echo (ECNE) 13 - Reserved for Congestion Window Reduced (CWR) 14 - Shutdown Complete (SHUTDOWN COMPLETE) 28
  • 29. SCTP in the wild  Software  Tons of proprietary implementations  Open source implementations (Linux, BSD…)  Network presence  Stack widespread with Linux 2.6 support  Scarcity on the open Internet  Rising in telco backbones / intranet  Adoption by other worlds: MPI clusters, high speed transfers, … 29
  • 30. SCTP Ports & Applications  http://sctp.tstf.net/index.php/SCTPscan/SCTPports  Common ports from IANA and RFCs  Augmented with open source package ports  Updated based on SCTPscan results  Open to contribution  Watch out for the application fingerprinting  Cf. collaborative scanning 30
  • 31. Agenda  History of telecommunications security  Review of digital telephony concepts  Discovering the backbone  SIGTRAN: From SS7 to TCP/IP  Attacking SIGTRAN  Q&A  Lab - BYOL 31
  • 32. SCTP Association: 4-way handshake Client Server socket(), connect() socket(), bind(), listen(), accept() INIT INIT-ACK COOKIE-ECHO COOKIE-ACK 32
  • 33. Scanning vs. Stealth Scanning Attacker Servers INIT INIT INIT INIT-ACK 33
  • 34. RFC & Implementation  Where implementation diverge from RFCs  RFC says « hosts should never answer to INIT packets on non-existings ports. »  RFC: 0, hacker: 1.  Syn scanning is slow when no RST  Same here, but thanks to over-helping implementation  on scanning, hacker wins 34
  • 35. Scan against current implementation Attacker Servers INIT (port=a) ABORT INIT (port=b) INIT-ACK 35
  • 36. Below the IDS radar  How many firewall logs dropped SCTP packets?  How many IDSes watch for SCTP socket evil content?  Example  Dshield.org – Real life distributed IDS  Hundreds of thousands of IP scanned  Not detected / Not reported as scanner 36
  • 37. INIT vs SHUTDOWN_ACK Packet Scanning  From RFC 2960  “8.4 Handle "Out of the blue" Packets  An SCTP packet is called an "out of the blue" (OOTB) packet if it is correctly formed, i.e., passed the receiver's Adler-32 / CRC-32 check (see Section 6.8), but the receiver is not able to identify the association to which this packet belongs.  The receiver of an OOTB packet MUST do the following: […]  5) If the packet contains a SHUTDOWN ACK chunk, the receiver should respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE.”  New way to elicit answers even if not answering ABORTs to INITs targeted at not-opened port. 37
  • 38. Tool Demo: SCTPscan  Like nmap for SCTP ports (-sS) root@gate:~/sctp# ./sctpscan-v11 --scan --autoportscan -r 203.151.1 Netscanning with Crc32 checksumed packet 203.151.1.4 SCTP present on port 2905 203.151.1.4 SCTP present on port 7102 203.151.1.4 SCTP present on port 7103 203.151.1.4 SCTP present on port 7105 203.151.1.4 SCTP present on port 7551 203.151.1.4 SCTP present on port 7701 203.151.1.4 SCTP present on port 7800 203.151.1.4 SCTP present on port 8001 203.151.1.4 SCTP present on port 2905 root@gate:~/sctp# 38
  • 39. SCTP Stack Fingerprinting  SCTP stack reliability  Robustness testing (stress testing)  QA of a few stacks  Fuzzing built-in SCTPscan  SCTP stack fingerprinting  Discrepancies in SCTP answer packets  Different stack behaviours  Much more states than TCP=opportunities  Cookie randomness 39
  • 40. Scarce Presence - Distributed Collaborative Scaning  SCTP application is rare on the internet  But common on modern telco backbones  Research needs collaborative effort  Built-in collaborative reporting with SCTPscan.  Going to be expanded for  Fuzzing results  Application Fingerprinting 40
  • 41. Going up: SIGTRAN & SS7 41
  • 42. Going up: upper layer protocols  Key to the upper level  M2PA and M3UA  Vulnerabilities  Telecom potential  Technical vulnerability  The expert way & the automated way  Ethereal is our friend  In need of new packet captures: open call! 42
  • 43. Demo: Ethereal Dissection of Upper Layer Protocols  Fire up your Ethereal or Wireshark!  Collect your own examples  And contribute to the SCTPscan wiki!  Lots of SS7 specifics in higher level protocols  DPC/OPC  BICC, ISUP, TCAP, GSM-MAP protocols  Less and less IP-related  IP is only a bearer technology  Transport only 43
  • 44. Fuzzing upper layer protocols  Quick way to find vulnerabilities  Automated inspection  State fuzzing vs. input fuzzing  Already some stack vulnerabilities in the wild  Only found DoS for now  Input fuzzing for UA layers  SIGTRAN higher protocols  User Adaptation layers  Largest “opportunity” / work area 44 © Roger Ballen
  • 45. Vulnerability evolution  Same as with TCP  First, stack and “daemons” vulnerabilities  More and more application-level vulnerabilities  Custom & Application-related  Requires more knowledge of Telecom  Same as with web app testing  “niche”: requires understanding of SS7 world  Specifics  Defined Peers make attack difficult 45
  • 46. References & Conclusion  New realm  New “tunneling / VPN”  Same Rules  New fun!  Lots of references, complex  RFC 2960, 4166, 4666  ITU (Now free) 46
  • 47. Thanks  Questions?  Thank you very much!  Special thanks to all TSTF OOB Research Team; Emmanuel Gadaix, Fyodor Yarochkin, Raoul Chiesa, Grugq, Inode, Stealth, Raptor, Job De Haas, Halvar, Michael M. Kemp, and all the community http://sctp.tstf.net Some illustrations on slides are © Sycamore, Cisco, Continous Comp, 47
  • 48. Q&A  Thanks a lot! 48
  • 49. Agenda  History of telecommunications security  Review of digital telephony concepts  Discovering the backbone  SIGTRAN: From SS7 to TCP/IP  Attacking SIGTRAN  Q&A  Lab - BYOL 49
  • 50. Lab: Hands-on Agenda  Setup  Network Inventory  Scanner vs. Targets  Scanning types  Scanning conflicts & Kernel impact  Analyze a SCTP exchange  Ethereal  Discover a SIGTRAN architecture  Exploring & Finding vulnerabilities 50
  • 51. Required Skills  Know how to compile a C program  Know how TCP protocol works  Know how to use tcpdump and ethereal 51
  • 52. Hands on requirement  Laptop with VMware or bootable distribution with  Ubuntu with Linux 2.6 kernel (scanner and dummy server tested ok) - Download  nUbuntu Live CD with Linux 2.6 kernel (scanner and dummy server tested ok) - Download  Linux 2.4 distribution (only scanner will work, not the dummy server)  Solaris 10  Nexenta OS (GNU/Linux Solaris 10) (dummy server only) - Download instructions or distrib or VMware image at Distrowatch  MacOsX (scanner and dummy server tested ok)  Software  C Compiler (apt-get install gcc)  Glib 2.0 development library  Libpcap development librar  tcpdump (apt-get install tcpdump)  ethereal (apt-get install ethereal) 52  netstat
  • 53. Important workshop notes!  Your computers / VMware images must be installed before the workshop.  OS installation or vmware image setup is not covered during the workshop.  We have some ISOs of these Oses available for download in any case, but beware of the short time.  http://sctp.tstf.net/index.php/SCTPscan/Workshop 53
  • 54. Notes on VMware images  Make sure to select "Bridged mode" for your ethernet connector. 54
  • 55. Hands-on Tests  Who scans who?  Scanners vs. Targets  Scanning types  Scanning conflicts & Kernel impact  Analyze a SCTP exchange  Ethereal 55
  • 56. Common problems Q: I try to run the Dummy SCTP server for testing, and I get: "socket: Socket type not supported" A: Your kernel does not support SCTP sockets. SCTP sockets are supported by Linux Kernel 2.6 or Solaris 10. For Linux, you may want to try as root something like: modprobe sctp Then rerun: sctpscan --dummyserver Note: you only need a SCTP-aware kernel to run dummyserver. Scanning is ok with 2.4 linux kernels! For Mac Os X, you may add support for SCTP in Tiger 10.4.8 by downloading: http://sctp.fh-muenster.de/sctp-nke.html Install the software package and run as root: kextload /System/Library/Extensions/SCTP.kext Then you can run "sctpscan -d" to run the dummy server. Note that "netstat" won't report the use of the SCTP socket, use instead: lsof -n | grep -i '132?' 56
  • 57. Kernel conflicts: Linux 2.6 [root@nubuntu] ./sctpscan -s -r 192.168.0 -p 10000 Netscanning with Crc32 checksumed packet 192.168.0.3 SCTP present on port 10000 SCTP packet received from 192.168.0.4 port 10000 type 1 (Initiation (INIT)) End of scan: duration=5 seconds packet_sent=254 packet_rcvd=205 (SCTP=2, ICMP=203) [root@nubuntu] uname -a Linux nubuntu 2.6.17-10-386 #2 Fri Oct 13 18:41:40 UTC 2006 i686 GNU/Linux [root@nubuntu]  If after this scan, we test the dummy server SCTP daemon built in SCTPscan, we'll notice that further scans from this host will have different behavior: [root@nubuntu] ./sctpscan -d Trying to bind SCTP port Listening on SCTP port 10000 ^C [root@nubuntu] [root@nubuntu] [root@nubuntu] ./sctpscan -s -r 192.168.0 -p 10000 Netscanning with Crc32 checksumed packet 192.168.0.3 SCTP present on port 10000 SCTP packet received from 192.168.0.4 port 10000 type 1 (Initiation (INIT)) SCTP packet received from 192.168.0.4 port 10000 type 6 (Abort (ABORT)) End of scan: duration=5 seconds packet_sent=254 packet_rcvd=206 (SCTP=3, ICMP=203) 57 [root@nubuntu]
  • 58. Kernel conflicts: MacOS X localhost:~/Documents/sctpscan/ root# kextload /System/Library/Extensions/SCTP.kext kextload: /System/Library/Extensions/SCTP.kext loaded successfully localhost:~/Documents/sctpscan/ root# ./sctpscan -s -r 192.168.0 -p 10000 Netscanning with Crc32 checksumed packet End of scan: duration=9 seconds packet_sent=254 packet_rcvd=3 (SCTP=0, ICMP=3) localhost:~/Documents/sctpscan/ root# kextunload /System/Library/Extensions/SCTP.kext kextunload: unload kext /System/Library/Extensions/SCTP.kext succeeded localhost:~/Documents/sctpscan/ root# ./sctpscan -s -r 192.168.0 -p 10000 Netscanning with Crc32 checksumed packet SCTP packet received from 127.0.0.1 port 10000 type 1 (Initiation (INIT)) 192.168.0.4 SCTP present on port 10000 End of scan: duration=9 seconds packet_sent=254 packet_rcvd=5 (SCTP=2, ICMP=3) localhost:~/Documents/sctpscan/ root#  You saw in this example that loading the SCTP kernel module prevents SCTPscan to receive the response packets, and thus is not capable to detect presence of a remote open port. 58
  • 59. Thanks  Thank you very much!  Special thanks to Emmanuel Gadaix, Fyodor Yarochkin, Raoul Chiesa, Inode, Stealth, Raptor, Job De Haas, Michael M. Kemp, all TSTF OOB Research Team and all the community  Contact / Questions:  Philippe Langlois - pl@tstf.net Some illustrations on slides are © Sycamore, Cisco, Continous Comp, 59
  • 62. Details of an SSP / STP 62
  • 63. 63