Immersed Network Discovery and Attacks. Philippe Langlois Telecom Security Task Force Philippe.Langlois@tstf.net http://www.tstf.

Similar documents
Philippe Langlois, P1 Security Inc.

SCTPscan - Finding entry points to SS7 Networks & Telecommunication Backbones

SS7 & LTE Stack Attack

Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

Building the Next Generation of Computer Security Professionals. Chris Simpson

Ranch Networks for Hosted Data Centers

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

Network Security. Network Packet Analysis

IP Link Best Practices for Network Integration and Security. Introduction...2. Passwords...4 ACL...5 VLAN...6. Protocols...6. Conclusion...

Worldwide attacks on SS7 network

Configuration Notes Aastra MX-ONE in Ascom VoWiFi System

Certified Ethical Hacker (CEH)

Network Access Security. Lesson 10

Steelcape Product Overview and Functional Description

Remotely crashing HLR MSC STP

1 Scope of Assessment

Author: Sumedt Jitpukdebodin. Organization: ACIS i-secure. ID: My Blog:

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Network performance in virtual infrastructures

Multi-Homing Dual WAN Firewall Router

Attack Lab: Attacks on TCP/IP Protocols

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

How to make free phone calls and influence people by the grugq

The Nexpose Expert System

Intrusion Detection & SNORT. Fakrul Alam fakrul@bdhbu.com

Virtually Pwned Pentesting VMware. Claudio

GPRS and 3G Services: Connectivity Options

Vulnerability Assessment and Penetration Testing

Interoperability Test Report XENER SYSTEMS LTD

point to point and point to multi point calls over IP

Exam Questions SY0-401

Network Penetration Testing and Ethical Hacking Scanning/Penetration Testing. SANS Security Sans Mentor: Daryl Fallin

Telecom Signaling attacks on 3G and LTE networks

iscsi Security (Insecure SCSI) Presenter: Himanshu Dwivedi

How To Set Up Mybpx Security Configuration Guide V1.2.2 (V1.3.2) On A Pc Or Mac)

June 2014 WMLUG Meeting Kali Linux

Automated Penetration Testing with the Metasploit Framework. NEO Information Security Forum March 19, 2008

How To Protect Your Network From A Hacker Attack On Zcoo Ip Phx From A Pbx From An Ip Phone From A Cell Phone From An Uniden Ip Pho From A Sim Sims (For A Sims) From A

Linux Network Security

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Penetration Testing SIP Services

AUTHOR CONTACT DETAILS

Passive Vulnerability Detection

Learn Ethical Hacking, Become a Pentester

Metasploit Unleashed. Class 2: Information Gathering and Vulnerability Scanning. Georgia Weidman Director of Cyberwarface, Reverse Space

1 SIP Carriers Warnings Vendor Contact Vendor Web Site : Versions Verified SIP Carrier status as of 9/11/2011

Note: As of Feb 25, 2010 Priority Telecom has not completed FXS verification of fax capabilities. This will be updated as soon as verified.

Bit Chat: A Peer-to-Peer Instant Messenger

Computer Forensics Training - Digital Forensics and Electronic Discovery (Mile2)

EXTRA. Vulnerability scanners are indispensable both VULNERABILITY SCANNER

Version 0.1 June Xerox WorkCentre 7120 Fax over Internet Protocol (FoIP)

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

TMOS Secure Development and Implementation

SIP Trunking with Microsoft Office Communication Server 2007 R2

Lab Objectives & Turn In

ZMap. Fast Internet-Wide Scanning and its Security Applications. Zakir Durumeric Eric Wustrow J. Alex Halderman. University of Michigan

Cisco PIX vs. Checkpoint Firewall

Payment Card Industry (PCI) Executive Report. Pukka Software

Introduction. Channel Associated Signaling (CAS) Common Channel Signaling (CCS) Still widely deployed today Considered as old technology

An Introduction to Nmap with a Focus on Information Gathering. Ionuț Ambrosie

information security and its Describe what drives the need for information security.

Firewall Testing. Cameron Kerr Telecommunications Programme University of Otago. May 16, 2005

How to protect your home/office network?

Conducting an IP Telephony Security Assessment

How to hack a website with Metasploit

Vulnerability Assessment and Penetration Testing. CC Faculty ALTTC, Ghaziabad

SIP Trunking Quick Reference Document

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

The Trivial Cisco IP Phones Compromise

Divide and Conquer Real World Distributed Port Scanning

Joe Andrews, MsIA, CISSP-ISSEP, ISSAP, ISSMP, CISA, PSP Sr. Compliance Auditor Cyber Security

CHAPTER 1 INTRODUCTION

Network Security. Network Scanning

Network Security. Computer Security & Forensics. Security in Compu5ng, Chapter 7. l Network Defences. l Firewalls. l Demilitarised Zones

Penetration Testing with Kali Linux

VULNERABILITY ASSESSMENT WHITEPAPER INTRODUCTION, IMPLEMENTATION AND TECHNOLOGY DISCUSSION

Certified Cyber Security Expert V Web Application Development

1.1.3 Versions Verified SIP Carrier status as of 18 Sep 2014 : validated on CIC 4.0 SU6.

Enumerating and Breaking VoIP

Internet Technology Voice over IP

Host Fingerprinting and Firewalking With hping

Open Source Security Tool Overview

OS/390 Firewall Technology Overview

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

From traditional to alternative approach to storage and analysis of flow data. Petr Velan, Martin Zadnik

Technical Note. ForeScout CounterACT: Virtual Firewall

Proxies. Chapter 4. Network & Security Gildas Avoine

Firewall Defaults and Some Basic Rules

CIT 380: Securing Computer Systems

File Transfer And Access (FTP, TFTP, NFS) Chapter 25 By: Sang Oh Spencer Kam Atsuya Takagi

My FreeScan Vulnerabilities Report

Hands-on Hacking Unlimited

VERITAS Cluster Server Traffic Director Option. Product Overview

INFORMATION SECURITY TRAINING CATALOG (2015)

Transcription:

Immersed Network Discovery and Attacks Specifics of Telecom Core Network (CN) insider attacks Philippe Langlois Telecom Security Task Force Philippe.Langlois@tstf.net http://www.tstf.net 1

Speaker Introduction 15 years in security Background as entrepreneur (Security consulting group, ISP, professional software, ASP) Founded Qualys, worldwide leader in vulnerability assessment ASP Founded Telecom Security Task Force 7 years ago, research forum. 2

Agenda Necessity is mother of invention, what about BIG PROBLEM? New tool Actions Information access Demo CN Specifics 3

Story of an SS7/SIGTRAN Pentest Asia, multi-perimeter (Internet, GPRS, WLAN, Internal) Root on the Internet segment Root on some MMS/SMS gw Shared usage of same passwords Guess it was going to be easy 4

WRONG! Incredibly well segmented Excellent default firewall rules Not possible to get on CN Not the necessary tools Needed much more time to complete!

Guess we needed something stronger Multi-perimeter attacks Permanent on-watch firewall monitoring Pervasive & resilient way to communicate Distributed attack stations 6

Agenda Necessity is mother of invention, what about BIG PROBLEM? New tool Actions Information access Demo CN Specifics 7

Introducing Barung Doesn t replace any tool Works on standard BackTrack ;-) Uses Metasploit Can use nmap / scanrand /... Fast parallelization Easy to add attacks / behaviour

New way to see / modelize Perspective-based scanning Inference-based expert system, module based Immersed behaviour Presence-based collaboration (Telepathy) Collaborative information database

Technology Ruby command line tool (1500 lines of code) Interfaced to many external (C?) tools YAML datastore 1 file per module / information type dynamic loading i.e. class_for_name()

Agenda Necessity is mother of invention, what about BIG PROBLEM? New tool Actions Information access Demo CN Specifics 11

Perspective based Perimeters heterogeneity Internet, VPN, WLAN, GPRS-HSCSD APNs, X25, SS7-SIGTRAN, VLANs,... Firewall perspective Per participant GUID Anonimity of participant, changeability of GUID (TOR?)

Inference scans Informations (IP, Ports,...) IP TCP scan UDP scan Actions as Modules (enum, portscan,...) Inference process (Kernel) Port Enable / Disbable lists for specific behaviors Barong online service, dyn loading off the net Protocol Discovery Service

Informations & Modules INFOs Modules INFO_defaultroute.rb INFO_host.rb INFO_immersed.rb INFO_interface.rb INFO_iprange.rb INFO_iproute.rb INFO_potentialiproute.rb INFO_quietimmersion.rb INFO_selector.rb... MOD_defaultroute.rb MOD_internalrouting.rb MOD_tcpscan.rb MOD_dnsenum.rb MOD_protocol_discovery.rb...

Parallelization Thread based on modules runs Scan efficiency Duration Harshness? Number of thread organically set Dynamic adjustments on qualitative response measurements

Pivoting Plenty of existing techniques Syscall proxying? ala CORE IMPACT Custom API? ala Random win32 backdoor Simpler Approach Shell-based (telnet api / expect /...) SSH based

Agenda Necessity is mother of invention, what about BIG PROBLEM? New tool Actions Information access Demo CN Specifics 17

Information Storage Filesystem YAML Database > PersisterConverter

Information sharing Email (s/mime) SVN Tor support / hidden services Telepathy / DRB

Information access File-system Flat files Web-based Rails app?

Reporting Raw results Remaining work Statistical data Graphical representation Executive Presentation

Analysis, Prioritization and Decision making Ignore list Comments Ranking / Ticket management interface

Blah blah blah Didn t we start getting into fluffy markety things? Isn t it a tech conference? Ok, DEMO!

Agenda Necessity is mother of invention, what about BIG PROBLEM? New tool Actions Information access Demo CN Specifics 24

How does that mix with CN attacks? Immersed, exploded walled garden Multi-perimeter, Multi-protocol Internet, VPN, WLAN, GPRS-HSCSD APNs, X25, SS7-SIGTRAN, VLANs,... Total unknown, very often proprietary systems Lots of specific network setups

Specific answers to telco pentest First: Easy to develop new modules, needed onsite Fast grasp of net / situation Interface with SCTPscan and other TSTF tools for SS7 & SIGTRAN SSH based pivoting Pivot-based tools

Easy development Weird VoIP extension to SIP sniffed? Need for SIP-embedded SS7 data scanning / fuzzing? SIGTRAN stack on HPUX or Solaris? MMS software suite on dedicated hardware? IMS equipment on open unix platform?

Fast Grasp Huge networks Redundant RFC1918 address spaces Heavily segmented into N planes equal N times the same mapping / scanning Make some pentest undoable by hand Use of automated scanner?

Interface with SCTPscan First Protocol layer for SS7 adaptation over IP Tool released earlier Command line based Act as nmap for ASPs on SIGTRAN

SCTP Association: 4-way handshake, not stealth Client socket(), connect() Server socket(), bind(), listen(), accept() INIT INIT-ACK COOKIE-ECHO COOKIE-ACK 30

Scanning vs. Stealth Scanning Attacker Servers INIT INIT INIT INIT-ACK Port 100 Port 101 Port 102 Closed? Packet loss? Delay? Re-xmit? 31

Scan against current implementation Attacker Servers INIT ABORT Port 101 INIT INIT-ACK Port 102 32

Other SIGTRAN Layers, other tools SS7 33 SIGTRAN

Barung CN modules coding Proprietary command-line tools Proprietary binaries Proprietary protocols Downtime unacceptable

Entry point specificities SIGTRAN ASPs Defined Peers Abusing Authorized peers SIP & H323 Signalling information injection Not direct SIGTRAN attacks Other weirdness MML injection Internet Messaging to SMSC / MMSC OTA signalling attacks 35

CN == unknown environment all the time Need for a way to generically find SS7 / SIGTRAN entry points Echelon lesson Module Let the dictionnary be the key (M2PA, M3UA, DPC, OPC, MML, TCAP, ISUP, LINKSET,...) Host based key-word search for SS7 / SIGTRAN related terms SSH pivoting, dev time, adjustment time

Status & Conclusion alpha alpha alpha Very useful in CN pentests now! In other environments? Capitalize on every mission Need to test in multitude of environment If you want to participate, come after the conference.

Q & As Go ahead...

Thanks Philippe.Langlois@tstf.net See you at Hacker Space Fest in Paris, 16 to 22 June 2008, http://www.hackerspace.net

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information