MiTM for GPRS
Everyone has their own secrets ... someone has a secret correspondence with a loved one, someone has multi-million banking operations, someone has private pictures on their mobile :)
Yes, and it doesn’t matter what secrets the most important thing is, that practically everyone has them. With today's frantic pace of life, it is increasingly necessary to use data transfer on the road, often via mobile devices. It’s good if the relatively “secure” BlackBerry is used as a mobile terminal, and what if it is a “regular” phone with GPRS / EDGE output.
Have you ever wondered, and how secure is data transmission via GPRS / EDGE technology through the operator's mobile network?
')
We will not say that the operator can disable interface encryption for the duration of the tests, or the operator can use the weaker encryption protocol [GEA - GPRS Encryption Algorithm], which will allow the use of radio interface encryption defects and intercept and analyze data transmission. In this article we will talk about one seemingly unlikely, but fully realistic, threat — an insider incursion.
So what do we have ...
A simplified wiring diagram for the GPRS / EDGE packet architecture is presented in the diagram below:
Suppose, purely hypothetically, that an operator has “wound up” an operator who is very interested in collecting confidential information from mobile data transfer users.
Suppose also. that our insider has access to the Gn interface. The Gn interface is a direct link from SGSN 'and on the GGSN , the bandwidth is selected based on the existing load, usually two (to ensure duplication) 1000-fullduplex Ethernet link.
For more specificity, let's set additional initial conditions:
Let us now consider a non-trivial situation in order to understand what an insider can do on an operator’s network, having access to one or several network elements and taking into account the initial conditions we have set.
An insider connection scheme in the operator’s network is shown in the diagram below (the diagram shows several connection diagrams for the insider’s laptop, but only one connection will be sufficient to collect confidential information):
Suppose that our insider uses the console utility from Wireshak'a - tshark.
An example filter, “concocted” in haste to intercept subscriber packets destined for one of the popular social networks, will look like this:
I think it makes no sense to describe the parameters of the tshark.exe utility, who are interested can be found here . A little “clean” file:
If an insider has access to one of the SGSN or GGSN network elements, then having completed all the above steps, he can carry out a kind of MITM attack by duplicating part of the stream to another port, connecting a laptop to this port. Thus, having carried out such an attack, our insider will collect logins / passwords from a popular social network, thereby obtaining confidential information of subscribers of a mobile operator.
Naturally, many may say that I have not told anything new in this article, because any system administrator in a large company can also easily compromise any user by putting it “in pencil”, but I just wanted to say that you should not forget about the precautions when transferring important information to you, even if you use packet data transmission with the help of technologies GPRS / EDGE ...
PS: the whole article is based only on my fantasies and has nothing to do with reality, but is intended only to familiarize with possible methods of removing traces from the Gn interface. I do not call to commit unlawful actions aimed at the collection and disclosure of confidential information relating both to the cellular operator, and information relating to personal data of subscribers.
A small assistant:
BSC - Base Station Controller
BTS - Base Transceiver Station
EDGE - Enhanced Data rates for GSM Evolution
GGSN - Gateway GPRS Support Node
GPRS - General Packet Radio Service
IMEI - International Mobile Equipment Identity
IMSI - International Mobile Subscriber Identity
ISDN - Integrated Services Digital Network
L2TP - Layer 2 Tunneling Protocol
MS - Mobile Station
MSISDN - Mobile Station ISDN Number
PPTP - Point-to-Point Tunneling Protocol
PS - Packet Switched
P-TMSI - Packet TMSI
SGSN - Serving GPRS Support Node
TMSI - Temporary Mobile Subscriber Identity
VPN - Virtual private network
Yes, and it doesn’t matter what secrets the most important thing is, that practically everyone has them. With today's frantic pace of life, it is increasingly necessary to use data transfer on the road, often via mobile devices. It’s good if the relatively “secure” BlackBerry is used as a mobile terminal, and what if it is a “regular” phone with GPRS / EDGE output.
Intro
Have you ever wondered, and how secure is data transmission via GPRS / EDGE technology through the operator's mobile network?
')
We will not say that the operator can disable interface encryption for the duration of the tests, or the operator can use the weaker encryption protocol [GEA - GPRS Encryption Algorithm], which will allow the use of radio interface encryption defects and intercept and analyze data transmission. In this article we will talk about one seemingly unlikely, but fully realistic, threat — an insider incursion.
So what do we have ...
Scheme
A simplified wiring diagram for the GPRS / EDGE packet architecture is presented in the diagram below:
Suppose, purely hypothetically, that an operator has “wound up” an operator who is very interested in collecting confidential information from mobile data transfer users.
Suppose also. that our insider has access to the Gn interface. The Gn interface is a direct link from SGSN 'and on the GGSN , the bandwidth is selected based on the existing load, usually two (to ensure duplication) 1000-fullduplex Ethernet link.
For more specificity, let's set additional initial conditions:
- The operator uses encryption of the radio interface from the subscriber to the SGSN'a - GEA-1,2,3 algorithms.
In principle, in this situation, it doesn’t matter whether the encryption algorithm is applied before SGSN, since Our insider will try to “catch” information on the Gn interface, which in most cases is not encrypted.
- The subscriber transmits data without stream encryption, i.e. connects NOT via VPN [L2TP, PPTP, IPSec].
This moment is quite important to our insider, because if the subscriber encrypts the data stream with software, then on the Gn interface the insider will “see” the encrypted stream. This measure, of course, does not give a 100% guarantee of the security of data transmission, but the methods that our insider will take will be much more complicated and ultimately will be based on the value of the possible information. Consideration of these methods is beyond the scope of this article.
- An insider has direct access to SGSN or GGSN.
One of the conditions necessary for our insider is access to one of the network elements within the PS Core Network (packet network) - SGSN or GGSN. What does this provide an insider? The simplest thing that comes to mind is to establish a duplication of data flow over the Gn interface [port SPANing] on the Ethernet interface, to which you can connect using a laptop, since Behind the “border” of SGSN is the already “clean” IP Backbone operator. A more sophisticated method is setting up filters on the network element itself for a specific subscriber. Subscriber identification can be carried out by IMSI , TMSI , P-TMSI, IMEI , MSISDN , or by IP / X.25 addresses assigned to the subscriber in the mobile network of the operator.
Let us now consider a non-trivial situation in order to understand what an insider can do on an operator’s network, having access to one or several network elements and taking into account the initial conditions we have set.
Collection of confidential information from an online stream
An insider connection scheme in the operator’s network is shown in the diagram below (the diagram shows several connection diagrams for the insider’s laptop, but only one connection will be sufficient to collect confidential information):
Suppose that our insider uses the console utility from Wireshak'a - tshark.
An example filter, “concocted” in haste to intercept subscriber packets destined for one of the popular social networks, will look like this:
tshark.exe -i 6 -B 16 -n -R "(http.host == "login.vk.com") && (http.request.method == "POST")" -V -l -T text -wd:\dump -a filesize:16000 -b filesize:16000 -b files:2 -S >> d:\vpass_db.txtI think it makes no sense to describe the parameters of the tshark.exe utility, who are interested can be found here . A little “clean” file:
type vps.txt | findstr /I /L "email %40 pass" | findstr /V "Referer" | sort >> passdb.txtIf an insider has access to one of the SGSN or GGSN network elements, then having completed all the above steps, he can carry out a kind of MITM attack by duplicating part of the stream to another port, connecting a laptop to this port. Thus, having carried out such an attack, our insider will collect logins / passwords from a popular social network, thereby obtaining confidential information of subscribers of a mobile operator.
Outro
Naturally, many may say that I have not told anything new in this article, because any system administrator in a large company can also easily compromise any user by putting it “in pencil”, but I just wanted to say that you should not forget about the precautions when transferring important information to you, even if you use packet data transmission with the help of technologies GPRS / EDGE ...
PS: the whole article is based only on my fantasies and has nothing to do with reality, but is intended only to familiarize with possible methods of removing traces from the Gn interface. I do not call to commit unlawful actions aimed at the collection and disclosure of confidential information relating both to the cellular operator, and information relating to personal data of subscribers.
A small assistant:
BSC - Base Station Controller
BTS - Base Transceiver Station
EDGE - Enhanced Data rates for GSM Evolution
GGSN - Gateway GPRS Support Node
GPRS - General Packet Radio Service
IMEI - International Mobile Equipment Identity
IMSI - International Mobile Subscriber Identity
ISDN - Integrated Services Digital Network
L2TP - Layer 2 Tunneling Protocol
MS - Mobile Station
MSISDN - Mobile Station ISDN Number
PPTP - Point-to-Point Tunneling Protocol
PS - Packet Switched
P-TMSI - Packet TMSI
SGSN - Serving GPRS Support Node
TMSI - Temporary Mobile Subscriber Identity
VPN - Virtual private network
Source: https://habr.com/ru/post/95530/
All Articles