BINARY SMSs [PART 2] that cool thing you dint know SMSs could do

Find the XML structure of the message to be sent

Here’s a sample one, I will add the references on how to find the basic XML structure and where to find them,

<?xml version="1.0"?>

<!DOCTYPE si PUBLIC "-//WAPFORUM//DTD SI 1.0//EN" "http://www.wapforum.org/DTD/si.dtd">

<si>

<indication href=http://blog.0x7678.com/ si-id="bin">

hack random

</indication>

</si>

Now to convert to WBXML

HexCode                                                                                                  Meaning

02                                                                                                             WBXML Version 1.2          

05                                                                                                              SI 1.0 Public Identifier  

6A                                                                                                             Charset UTF-8        

00                                                                                                              String table length =   0   

45                                                                                                              <SI>                     

C6                                                                                                             <indication>   

0C                                                                                                              href=”http://     

03                                                                                                              String starts

* 7777772E6465762E6D6F62692F69735F66756E2E68746D6C          www.0x7678.com

00                                                                                                               String ends

07                                                                                                       Action attribute (signal – medium)

01                                                                                                       Ends of attributes, now the content

03                                                                                                       String starts

* 446576446F744D6F62692069732046756E2021                          hack random

00                                                                                                       String ends

01                                                                                                               </indication>

01                                                                                                               </SI>                      

* These are strings used to pass contents to the SI, each character in the string is converted to its hexadecimal representation.

** “6532” is to be considered a string of characters and not a number, so don’t use the calculator to convert this number

Our body is, putting all the numbers together:

02056A0045C60C037777772E6465762E6D6F62692F69735F66756E2E68746D6C0<br/>011033635333200070103446576446F744D6F62692069732046756E2021000101

(which is 130 chars)

PREPARE THE UDH

Preparing the UDH is pretty easy. Just start with “06 05 04” and then add the port numbers. Eg WAP push messages uses “destination port” 2948 while source port is 9200. Convert decimal port numbers to hexadecimal formats, so 2948 becomes 0B84 and 9200 becomes 23F0. Magically, the UDH is : 06 05 04 0B 84 23 F0

SENDS THE SMS AND THE UDH

Now, what you need to do with this? Pretty simple, just put everything together and the SMS is ready to be sent.

                                    <UDH> + <BODY>

UDH: 06 05 04 0B 84 23 F0<br/>BODY: 02056A0045C60C037777772E6465762E6D6F62692F69735F66756E2E68746D6C0

The complete message is then:

<span><strong>0605040B8423F0</strong><br/>02056A0045C60C037777772E6465762E6D6F62692F69735F66756E2E68746D6C0<br/>011033635333200070103446576446F744D6F62692069732046756E2021000101

Which is 137 chars long (hey, it’s a binary SMS, and my favorite language Java uses UTF-8 encoding for binary messages, so the limit for 1 SMS is 140 chars, aren’t we cool?)

For now that’s what I will teach, this however is a beginning to something bigger such as the OpenBTS am optimizing by adding binary SMS support.

NB: the above WBXML is only an example the converted WBXML is not as on my blog (for security purposes, link to original document can be found from the decoded wbxml :) cheers)

BINARY SMSs >> so far this is the coolest thing since me ok or rather this security Lab [Part 1]

BINARY SMSs

Basically SMSs are small number of packed bytes sent over the operator networks. Many people will speculate the Text Messages are the only types of SMSs that exist, well they are one of the many types that ideally exist, hence the term ‘texting’

So how do SMSs work and what are the basic constructs of an SMS

SMSs use the concept of ‘ports’ just as a standard internet sockets does;

SMS messages have limits of 140-160 characters (depending on encoding type);

The body is not the only thing you can edit in SMSs, there’s also UDH (User Header Data)

So J Those Ports

Say you go to the my website http://0x7678.com/  you basically called to port 80 of the webserver by convention. The connection will be initialized on port 80 and then switched to a higher port to let other users access the same port of the web server. Port 80, as stated by IANA refers to the HTTP protocol, this means that a server, which is able to understand HTTP protocol request, will be awakened and will be ready to answer and process HTTP requests. The same happens with SMS messages. You can send an SMS to a specific port of a phone and you will wake up a specific service on that device. Now, just as , not all computers have a standard service (e.g web server) also not all mobile devices have services listening to ports. (this is manufacturer specific, so you will need to check your phone what is enabled to accept.

NOW >> BORING STUFF OUT … WE GO ON TO BINARY SMSs

Ok long story short going through the whole bit about how SMSs work is too tedious

But here we go ….

Ok so SMSs on default use 7 bits to handle a character. This means that you can write in an SMS only characters on the basic ASCII char table … i.e 127 characters. If you want to go onto more complex stuff and send more ‘interesting’ characters , then a group of 8 bits is needed and the table of available chars get bigger. The available space is 1120 bits per SMS, no more, no less. You can have 160 chars using 7 bits or 140 chars using 8 bits.

NB: note this carefully … you will find this letters looking alike but are very different, " É "  and this " È " are very very different the first is contained in the 7 bit basic ASCII and the second contained in the 8 bit larger ‘interesting’ table, so if you  use it without checking it, you wont have enough space so be very precise.

UDH (User Data Header)

The UDH is what a ‘high level developer’ can set while to do something more than a simple “text message”. A UDH is very useful because you can send “invisible text messages” to mobile application (where to “mobile applications” I mean those running on mobile devices for example) or you can tell a device that the message will contain special information. It’s very similar to an XML file: you have to tell the parser what you are sending, and the content following the prolog which will be handled by the parser itself.

The UDH is mainly used to specify what ports our client (phone) will send SMS to. Its made by a set of hex number which describe:

<how long the UDH is><the format used to specify ports numbers><the port number length><destination port number><source port number>

As a practical example, say I want to create a UDH to send a WAP PUSH. Where the standard destination port for WAP pushes is 2948, the UDH will be:

06 05 04 0B 84 23 F0

Where:

06 means “hey the read the following 6 bytes”

05 is the format for numbers, in this case hexadecimal numbers

04 will tell the UDH that each port is represented using 4 characters

0B84 is the destination port, 2948 (decimal representation) or 0B84 (hexadecimal representation)

23F0 is the source port, 9200 (decimal representation) or 23F0 (hexadecimal representation).

NOTE: Use a simple calculator to convert decimal numbers to hex: select “Dec”, put 2948 in the calculator, then press the button “Hex”.

NOW REALLY >> BINARY SMSs

A binary SMS is an XML-formatted textual SMS, which has been transformed with WBXML (a tag transformer), this means that for each XML tag, a binary byte is associated. E.g , the tag <SI> is converted as the binary character &#x0005;

When you think WHY WBXML?

WBXML transformation is smaller in the number of generated bytes than the verbose textual XML file itself.

Note: many tags are converted to bytes, but sometimes also contents (such as URL addresses

) e.g the URL http://www.0x7678.com can be written in WBXML as 0D0x7678.com, where “0D” stands for http://www.

“OC” is more generic and stands for http:// so you can write the URL in two ways.

<span>0D0x7678.com </span>

or

<span>0Cwww.0x7678.com</span>

The first uses 9 chars (0D is one byte), the second 13 chars

So far so good ….. ?

·       Decide what we want to send

·       Find the docs about that topic

·       Find the XML structure of the message to be sent

·       Customize the XML

·       Convert the XML to WBXML

·       Prepare the UDH

·       Send the UDH and the BODY

NB

Binary SMSs have two indicators whilst been sent, either a “Service Indication <SI>” or “Service Load <SL>” the two have a difference only in <SI> prompts the owner to the phone that content is coming through and you need to authorize it...

[Cont. in Part 2....]

POC bypassing 2FA (2 Factor Authentication)

one thing i love about trying to secure systems is that people forget "you are as strong as your weakest link"


Today, we hack a system that has 2FA this where as an example to googles gmail, you would sign in using your password, then to put enough secure activity you would have another token required such as a code sent t your phone via SMS.


Pretty secure huh? not really.... it still can be broken, of course many people would start by assuming we will be stealing a phone by the end of this write up but the truth of the matter is, I wont need to touch your phone, so here we go.

The setup:

first we would have the users password (am not willing to engage in this as many a tutorials already exist to try and achieve this , from phishing to down right plain brute force)

second we would obviously require the SMS token sent to the user (hint: this tutorial is about that)
I will break this down to 2 parts, the explanation only then the POC .

EXPLANATION

we will be intercepting the SMS by attacking the um (air) interface between the victims mobile phone and the BTS (Base transmission station)

why does this work and what might be a solution/remediation to it.
1. I have covered this topic before but am going to explain. GSM is a broken technology (so far if you use a CDMA phone you are safe read so far)
2.GSM in most countries use a weak/broken encryption these are either
A5/0 ---- no encryption
A5/1 ---- most commonly used very low encryption and breakable with 2 TB rainbow tables in less than 5-30 minutes on a decent computer
A5/2 ---- much weaker version not commonly used... already  broken
A5/3 --- new version (KASUMI) theoretically broken
3. Phones dont do authentication checking to which BTS they are connected to or if any sniffing* activity is ongoing
4. Non hopping on BTSs allow passive sniffing (explained on part 2)

POC? as usual find it on part two meanwhile google up what those terms that may have eluded you on this piece , as we will indulge even deeper later on.