Tuesday, November 8, 2016

Penetration Testing of a Telco Company [CORE]

Over the past few years/months... Theres been a lot of chatter about penetration testing and security of telecommunication companies, however the biggest hinderance to this has however been, well you guessed it, access:

from, tools, resources, money and well knowledge.

As a step to help out on the community, I will be releasing some of the materials to familiarize the intended audience (student, lectures, humans and fellow security enthusiasts) from this basically knowledge and tools.

We will be looking at security in telcos now not only in the Air & Abis layer but also the protocols, and the infrastructure, the core networks so :

SS7
Diameter
GGSN
GRX
HLR&VLR

we are coming for you: :) , I will also start this in a point of explaining how telcos work and the heavy accronyms behind them, then after we will dive into setting up some test/lab facilities, then move on to the security side of them, the 4-6 part series will be broken down so everyone can chime in :) feel free to engage.

Friday, September 16, 2016

Reverse 3NG1N33R1NG [Playing with Radare2 .. OK Bokken)

IDA is a expensive, but its superb... superb is an understatement , however I am not coughing up 2700Euros for that , after all many of my students cant afford this, and am really loving the learning curve that radare2 comes with.

So what is radare2 > OpenSource IDA replacement (well for me that is)

its a huge library of reverse engineering tools, however Radare2 lacked a major component , GUI hence the steep learning curve, I am willing to look at multiple GUI methods, however I have been in love with Bokken , an option for GUI in the radare2 framework.

I will explore more options as I go on, including the visual mode and WebUI:

BOKKEN:









Installation

Bokken has some issues, its still under development (personally i maintain my own bit as much as i can, I have yet to push all my changes (forbid as i am still going through most of this code)

Installation on MacOSX (El-Captian soon moving to Siera (this will be an issue but i will see through ti :) ... )

simple:

brew install bokken
(installs bokken 1.8 last release)

Error: os.getenv("DISPLAY").strip()

When i try to start bokken, i fix this by installing  XQuartz to handle $DISPLAY

another Error:  from PIL import Image - ImportError: No module named PIL
When try to start bokken again, I fix this by installing pillow via pip (check if installed with pip freeze | grep pillow) install by:sudo pip install pillow

I manage to start get bokken running (see first image, however, when trying to load a file, i meet this error)

Error: ValueError: invalid literal for int() with base 10:

This seems that theres an issue, I look at the code (I will be fixing this and pushing it to my github, for now i just commented the code to work from a standpoint that entry points aren't calculated, this will be fixed soon from my end and pushed out , for now, am just looking around and having too much fun :)


If you have questions, kindly reach out :)


Tuesday, April 12, 2016

HCK the BRCK (i)

Hailed as the revolution of Africa's connection to the internet the BRCK has been one of the most talked about modem/router , with rugged features to allow secure usage through any kind of physical elements, I moved the advert up a ladder to test its security.

Details about the BRCK
  • Modem
  • Router 
  • Power back up
This are the main/surface details about the BRCK, beyond this it contains an operating system (BusyBox) closed source however.

I managed to get my hands on one of the 1st generation BRCKs from the founder a very jovial, smart lady Juliana Rotich, she gave me a task of 'checking it for bugs' I went a little further, and as off by the end of this four part series on how we dive into working the BRCKs security and development wise.

Wednesday, April 6, 2016

Testing the CryptoPhone 500 against OUR... DIY IMSI catcher

I got a chance to use and test the GSMK Cryptophone 500 , with this phone , rumors have it to cost in between 2000USD to 5000USD depending on make and model/vendor , I am not into prices so much as features and specifications, however the phone is noted to have the following:

The GSMK CryptoPhone 500 is an Android-based secure mobile phone with 360° mobile device security for secure messaging and voice over IP communication on any network.
Cp500 72dpi
By combining GSMK’s renowned end-to-end voice and message encryption with a highly sophisticated approach towards mobile device protection, the CryptoPhone 500 offers a defence-grade mobile phone security solution with true 360° mobile device security:
  • Secure messaging and voice over IP calls on any network, including 2G GSM, 3G UMTS/W-CDMA, and Wireless LAN
  • Hardened Android operating system with granular security management and streamlined, security-optimized components
  • Permission enforcement module controls access to network, data and sensors, keeping you in control of your security policies
  • Baseband firewall protects against over-the-air attacks with constant monitoring of baseband processor activity, baseband attack detection, and automated initiation of countermeasures
  • Two-layer storage encryption system protects data at rest against unauthorized access





(pulled from the products website)

I really wanted to check the performance of security offered by the cryptophone 500 that claims to be able to protect one from IMSI catchers which can listen into your GSM conversations/do OTA attacks / perform DOS on your phone to kick you off the mobile network / spoof address e.t.c

So we created a very cheap IMSI catcher (50 USD or less i.e without a computer)

The firewall on the phone was up:





I ran the IMSI catcher with some interesting results, here are the screenshots:




the above shows the IMSI caught by our catcher





the cryptophone registering to the IMSI catcher (we only allowed it to see the messages for POC purposes+verify IMSI)


With the phone 'ON' (we also had rebooted the baseband to check we shake of any unwanted connection and try again)

We managed to capture the CryptoPhone and get a connection to/from it and received the following (on the baseband firewall prompt):








Where it alerted us of a medium 'suspicion data' entry saying the BTS (IMSI catcher) had no neighbouring cell available (this is pretty easy to fix... we dint move to fix it as we were trying it on a base level budget [single osmocombb BTS])

We then moved to attacking the CryptoPhone by simple attacks such as spoofing the SMS address and sending an SMS to it



spoofing a text message


and more down here (means we can spam/fuzz :)   )





We then tried to make calls to verify our call integrity , but however we were greeted by a stern warning:





We turned on back encryption (we could still however record the call) and this is what we received:



encrypted huh :)

We managed to record the conversation irrespective of been allowed to make the call under 'secure' infrastructure, we will not disclose how our IMSI catcher is setup, however we will reach out to CryptoPhone for this findings, :)


Using Typhon OS and an OsmocomBB phone to create a RogueBTS (Rogue GSM Base Station) IMSI catcher

Requirements:

OsmocomBB compatible phone (Motorola c113/115/118/123)
CP2102 cable (can be found here)
TyphonOS (read this is you havent, or directly head to downloading)

Setup:

Boot up the OS(live or install)


All the softwares referenced here are already installed.

To run an OsmocomBB application on the phone, you must first find out what interface your CP2102 cable is connected to. Run this command:
dmesg | grep tty

If you want to run it on ttyUSB0 (and I propose that you do) remove all USB devices and plug the CP2102 cable in first. The CP2102 cable will automatically move to /dev/ttyUSB0. To run it on other interfaces, modify the firmware upload string appropriately.

You can now upload firmware on the phone and observe output.
 From the /rf/osmocom-bb/src/host/osmocon/ directory, run:

sudo ./osmocon -d tr -p /dev/ttyUSB0 -m c123xor –c ../../target/firmware/board/compal_e88/rssi.highram.bin

Then, with the phone powered off, press the power button once briefly and wait for the firmware to load onto the phone.
As it loads, the screen output should look like this:















RSSI stands for Received Strength Signal Indicator and is can be used to identify the strongest ARFCN in the area. This is important as the BTS needs to sync with the strongest legitimate BTS in order to receive configuration information.


Once done exploring the RSSI app, there are plenty more applications that you can run which are beyond the scope of this document. However, feel free to explore them to further your understanding on the OsmocomBB platform.

Running

After installing everything, we can now run the full system.
Plug in the calypso phone with the CP2102 cable, and ensure that it is on ttyUSB0 before proceeding. Note: Charge the phone to its fullest as the power cable interferes with transmission.
From the /rf/osmocom-bb/src/host/osmocon/ directory run the trx application with the following code (on one line):

sudo ./osmocon -p /dev/ttyUSB0 -m c123xor -c ../../target/firmware/board/compal_e88/trx.highram.bin ../../target/firmware/board/compal_e88/chainload.compalram.bin


Then press the power button on the phone briefly to load the application.

From the /rf/public/smqueue/trunk/smqueue directory run the smqueue application with the following code:

sudo ./smqueue

From the /rf/public/subscriberRegistry/trunk directory, run the sipauthserve application with the following code:

sudo ./sipauthserve

Finally, from the /rf/public/openbts/trunk/apps directory, run the OpenBTS application with the following code:

sudo ./OpenBTS

After a few seconds, the OpenBTS terminal (top right) will look like this indicating that syncing has taken place and it is transmitting:



Figure 15 - Running TRX, smqueue, sipauthserve and OpenBTS


If you had set your MCC and MNC to that of a legitimate network operator, the 2G phones in the area will begin connecting to your fake base station. If you left it as the default then you will see a name either “Test” or “Range” or "Safaricom [this is not legal by the way assuming you spoofed the name too]" when perform a manual search on your phone.



The above setup creates a fakeBTS (IMSI catcher) and works as a spoofed Mobile Network.
On the next setup we will work on how to send SMSs and even spoof some messages alphanumeric address and all.


ARCHIVED

:) No longer posting, all articles should be treated as archived and outdated