SigPloit – Telecom Signaling Exploitation Framework SS7, GTP, Diameter & SIP

SiGploit is a signaling security testing framework dedicated to telecom security professionals and researchers, for pentesting and exploiting vulnerabilities in the signaling protocols used by mobile operators, regardless of the generation in use.

SiGploit aims to cover all the protocols used in an operator's interconnects: SS7 (2G/3G), GTP (the packet core, in 3G and 4G alike), Diameter (4G), and even SIP for the IMS and VoLTE infrastructure used in the access layer.

Recommendations for each vulnerability will be provided to guide the tester and the operator on the steps that should be taken to improve their security posture.

SiGploit is being developed in several versions.

Version 1: SS7
SiGploit will initially start with SS7 vulnerabilities, providing the messages used to test the following attack scenarios:
A- Location Tracking 
B- Call and SMS Interception 
C- Fraud.

Version 2: GTP
This version will focus on data roaming attacks that occur on the IPX/GRX interconnect.

Version 3: Diameter
This version will focus on the attacks occurring on LTE roaming interconnects that use Diameter as the signaling protocol.

Version 4: SIP
This version will be concerned with SIP as the signaling protocol used in the access layer for voice over LTE (VoLTE) and IMS infrastructure. SIP will also be used to encapsulate SS7 messages (ISUP) so that they can be relayed over VoIP providers into SS7 networks, taking advantage of SIP-T, a protocol extension of SIP that provides interoperability between VoIP and SS7 networks.

Version 5: Reporting
This last version will introduce the reporting feature: a comprehensive report of the tests performed, along with the recommendations provided for each vulnerability that was exploited.

How To Install SigPloit

Requirements are:
  1. Python 2.7
  2. Java version 1.7+
  3. lksctp-tools (sudo apt-get install lksctp-tools); SS7 over IP (SIGTRAN) runs over SCTP, so the kernel SCTP support that lksctp-tools exposes is required
  4. A Linux machine
To run SigPloit:
  • cd SigPloit
  • sudo pip2 install -r requirements.txt
  • python

How to use Sigploit – The SS7 module

Before we discuss the SS7 module, there are some terms you must know; if you already know them, you can skip this part.
Global Title (GT): Each node in the operator's core (MSC, VLR, etc.) has its own address, analogous to a public IP address, in the format of an international (E.164) number, for example +441234567890. This is the address used for routing traffic to and from the nodes, both within an operator and between operators.
Point Code (PC): Communication in an SS7 network is done hop by hop in order to reach the final destination (GT). The PC identifies the next peer hop (STP) that packets should go through to reach the destination. In the ITU variant a PC is a 14-bit number (0 to 16383, so up to five decimal digits, often written in 3-8-3 form); the ANSI variant uses 24 bits. When you get SS7 access, your SS7 provider is your peer, and the peer PC should be set to theirs.
International Mobile Subscriber Identity (IMSI): The most important target parameter. It is the subscriber ID used in all operations within the home operator and in roaming operations between operators. It is the first piece of subscriber information that should be gathered, as all critical attacks (interception, fraud) are carried out using the IMSI.
Mobile Station International Subscriber Directory Number (MSISDN): The subscriber's phone number, in international (E.164) format.
International Mobile Equipment Identity (IMEI): A unique number for each mobile handset. The IMEI is used by a GSM network to identify valid devices and can therefore be used to stop a stolen phone from accessing the network: if a phone is stolen, the owner can call their network provider and ask them to blacklist it by IMEI. The importance of this parameter for a tester is that the extended form, the IMEISV, also carries the software version of the handset, which allows a more targeted client-side attack. Now let's move on to what you have been looking for:

Attacking SS7

In order to attack SS7 on a real-life target you have to get access to the SS7 network. Such access is often provided by VoIP providers, SMS providers and HLR lookup web application providers; you just need to dig deeper to find a suitable provider.
The project provides two modes for these attacks:
 1) Simulation Mode
 2) Live Mode
Let me explain the modes one by one:

Simulation Mode

If, after all your digging, you could not get anything from the providers (i.e. no access), but you still need to get a feel for the attacks and the criticality of such a threat, you can use simulation mode. The project provides the server-side code for each attack, which simulates the nodes responsible for answering the requests. The server-side jar files can be found under "SigPloit/Testing/Server/Attacks/". Each server-side program provides the hard-coded values you need to use on the client side to simulate the attack.

Live Mode

In this case you have succeeded in getting access; you then jump into live mode and use the parameters provided by your provider. The provider will give you the following parameters:

  1. The global title you will use
  2. The point code you will use (Client PC)
  3. The peer point code of the provider (Peer PC)
  4. The IP address of the provider's peer SCTP association and the port used (Peer IP, Peer Port)
All you need to do now is to have a static public IP assigned to the server/machine running the code; the provider will then allow access from its side and route your traffic so that you can reach all the operators this provider is connected to.
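A wrong point code or a malformed GT is awkward to debug once an SCTP association is up, so it pays to validate the live-mode parameter set above, together with the identifiers from the terminology section (GT, PC, IMSI, MSISDN, IMEI/IMEISV), before the first run. The following Python 3 helpers are an added example written for this article; they are not SigPloit code (SigPloit itself is Python 2.7). The sample values are constructed: the GT from the terminology section, a documentation-range peer IP (198.51.100.10), and port 2905, the IANA-registered M3UA port. The MNC-length rule in parse_imsi is a simplification; in practice the MNC length comes from a numbering plan.

```python
import ipaddress
import re

# E.164: optional '+', then 1-15 digits, first digit never 0.
E164_RE = re.compile(r"^\+?[1-9][0-9]{0,14}$")

# Point code field widths: ITU-T Q.708 is 14 bits written 3-8-3, ANSI is 24 bits written 8-8-8.
PC_FIELDS = {"ITU": (3, 8, 3), "ANSI": (8, 8, 8)}


def normalize_e164(number):
    """Return a GT or MSISDN as bare E.164 digits; raise ValueError otherwise."""
    digits = re.sub(r"[\s().-]", "", number)
    if not E164_RE.match(digits):
        raise ValueError("not an E.164 international number: %r" % number)
    return digits.lstrip("+")


def pc_from_str(text, variant="ITU"):
    """Parse a point code given as a plain integer ('4901') or in dotted form ('2-100-5')."""
    widths = PC_FIELDS[variant]
    parts = text.replace(".", "-").split("-")
    if len(parts) == 1:
        value = int(parts[0])
    elif len(parts) == len(widths):
        value = 0
        for part, width in zip(parts, widths):
            field = int(part)
            if not 0 <= field < (1 << width):
                raise ValueError("field %d out of range for %s" % (field, variant))
            value = (value << width) | field
    else:
        raise ValueError("bad point code format: %r" % text)
    if not 0 <= value < (1 << sum(widths)):
        raise ValueError("point code %d out of range for %s" % (value, variant))
    return value


def pc_to_dotted(value, variant="ITU"):
    """Inverse of pc_from_str: render an integer point code in dotted form."""
    fields = []
    for width in reversed(PC_FIELDS[variant]):
        fields.append(value & ((1 << width) - 1))
        value >>= width
    return "-".join(str(f) for f in reversed(fields))


def parse_imsi(imsi, mnc_length=None):
    """Split an IMSI (at most 15 digits) into MCC, MNC and MSIN.
    The MNC length (2 or 3) is not encoded in the IMSI; it is fixed by the numbering plan.
    Simplifying assumption here: MCCs 310-316 (USA) use 3-digit MNCs, all others 2."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("bad IMSI: %r" % imsi)
    mcc = imsi[:3]
    if mnc_length is None:
        mnc_length = 3 if 310 <= int(mcc) <= 316 else 2
    return {"mcc": mcc, "mnc": imsi[3:3 + mnc_length], "msin": imsi[3 + mnc_length:]}


def luhn_check_digit(payload):
    """Luhn check digit for the 14-digit IMEI body; the rightmost body digit is doubled."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def parse_imei(imei):
    """Validate a 15-digit IMEI (TAC 8 + SNR 6 + Luhn check digit) or a
    16-digit IMEISV (TAC 8 + SNR 6 + 2-digit software version, no check digit)."""
    if not imei.isdigit() or len(imei) not in (15, 16):
        raise ValueError("bad IMEI/IMEISV: %r" % imei)
    if len(imei) == 15 and luhn_check_digit(imei[:14]) != int(imei[14]):
        raise ValueError("IMEI check digit mismatch: %r" % imei)
    svn = imei[14:16] if len(imei) == 16 else None
    return {"tac": imei[:8], "snr": imei[8:14], "svn": svn}


def validate_live_params(gt, client_pc, peer_pc, peer_ip, peer_port, variant="ITU"):
    """Check the live-mode parameter set: GT, client PC, peer PC, peer IP and peer port."""
    cfg = {
        "gt": normalize_e164(gt),
        "client_pc": pc_from_str(client_pc, variant),
        "peer_pc": pc_from_str(peer_pc, variant),
        "peer_ip": str(ipaddress.ip_address(peer_ip)),
        "peer_port": int(peer_port),
        "variant": variant,
    }
    if cfg["client_pc"] == cfg["peer_pc"]:
        raise ValueError("client and peer point codes must differ")
    if not 1 <= cfg["peer_port"] <= 65535:
        raise ValueError("bad port: %r" % peer_port)
    return cfg


if __name__ == "__main__":
    # Constructed sample values (not real provider data): GT from the terminology
    # section, documentation-range peer IP, port 2905 (IANA-registered M3UA port).
    print(validate_live_params("+44 1234 567890", "2-100-5", "1234", "198.51.100.10", 2905))
    print(parse_imsi("310150123456789"), parse_imei("490154203237518"))
```

Run it directly to print the parsed parameter set; a malformed value raises ValueError with the offending field named, which is what you want to see before, not after, the provider has routed your GT.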

Mobile Network Architecture

2G/3G Architecture

As shown in the architecture figure above, there are several important nodes you need to be familiar with, along with their functions.
Home Location Register (HLR): Each operator has one or more HLRs depending on its capacity. The HLR is the operator's subscriber database; each subscriber's profile is stored in only one HLR. The HLR holds the following critical information:
  • IMSI
  • IMEI
  • Authentication Keys of Subscribers
  • Subscriber Latest Location
  • Subscription profile
  • Service Allowed (Call forwarding,Call barring..etc).. etc
Visitor Location Register (VLR): Each VLR is responsible for a specific region. Every subscriber roaming in that region is attached to the VLR responsible for it. The VLR acts as a temporary database for the duration of the subscriber's stay; it holds a copy of the subscriber data from the home network's HLR.
Mobile Switching Centre (MSC): Each group of cells/BTSs/towers is connected to an MSC. The MSC is responsible for routing and switching calls, SMS and data to and from the subscribers attached to it.
Short Message Service Centre (SMSC): Responsible for storing and delivering short messages (SMS) to subscribers.
Signal Transfer Point (STP): Acts as the operator's gateway (i.e. router), responsible for the routing, path determination and relaying of SS7 messages.
