SS7 Hacking Tutorial

Signaling System 7 – SS7

Signaling System No. 7 (SS7) is a standard international network signaling protocol that enables common (independent) channel signaling for call origination, billing, routing and information exchange between the public switched telephone network (PSTN) nodes. SS7 system protocols are optimized for connections to control telephone systems and are only directly accessible to telephone network operators.

Common Channel Signaling (CCS) is a signaling system that separates the content of telephone calls from the information used to establish the call (signaling information). When the call processing information is carried separately from the communication channel, it is referred to as out-of-band signaling. This signaling method uses one of the channels in a multi-channel network to control, bill, and manage traffic on all channels of the network.

An SS7 network consists of service switching points (SSPs), signaling transfer points (STPs) and service control points (SCPs). The SSP collects the analog signaling information from the local line on the network (endpoint) and converts the information into an SS7 message. These messages are sent into the SS7 network of STPs, which bring the packet closer to its destination. If special message processing is required (e.g. redirecting a call to a call forwarding number), the STP forwards the message to an SCP. The SCP is a database that can use the incoming message to identify other numbers and features associated with that particular call.

In the SS7 protocol, an address such as the digits dialed by a customer contains no explicit information to allow routing in a signaling network, so the translation function of the Signaling Connection Control Part (SCCP) is needed. This is a process in the SS7 system that uses routing tables to convert an address (usually a telephone number) to the actual destination address (the forwarding telephone number) or to the address of a service control point (database) containing the customer data required to process the call.
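The translation step described above can be sketched as a longest-prefix lookup. This is an added example, not code from the original post or from any SS7 stack; the table contents, point codes and the `Translation` type are constructed for illustration (the subsystem numbers 6 for HLR and 8 for MSC are the standard MAP values).

```python
from typing import NamedTuple, Optional


class Translation(NamedTuple):
    point_code: int      # destination signaling point code
    ssn: Optional[int]   # subsystem number, None while still routing on global title
    final: bool          # True: route on point code + SSN; False: next STP translates again


# Constructed routing table: E.164 digit prefix -> translation (all values made up).
GTT_TABLE = {
    "1555":      Translation(point_code=2001, ssn=None, final=False),  # gateway STP
    "1555010":   Translation(point_code=3010, ssn=6, final=True),      # HLR database
    "155501099": Translation(point_code=3020, ssn=8, final=True),      # MSC
}


def normalize(digits: str) -> str:
    """Drop formatting so '+1 (555) 010-1234' and '15550101234' hit the same entry."""
    return "".join(ch for ch in digits if ch.isdigit())


def translate(global_title: str, table=GTT_TABLE) -> Optional[Translation]:
    """Return the entry with the longest prefix matching the called-party address."""
    gt = normalize(global_title)
    for length in range(len(gt), 0, -1):
        hit = table.get(gt[:length])
        if hit is not None:
            return hit
    # No translation exists: a real STP returns the message with an error
    # (UDTS, "no translation for this address") or discards it.
    return None
```

The same table is also where an operator decides which addresses are reachable at all: a prefix with no entry is simply not routable through that STP.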

Intelligence in the network can be distributed to databases and information processing points throughout the network because the network uses common channel signaling. A set of service development tools has been developed to allow companies to offer advanced intelligent network (AIN) services.

This diagram shows the basic structure of the SS7 control signaling system. A customer’s phone is connected to a local exchange (EO). The service switching point (SSP) is part of the EO and converts dialed digits and other signaling indicators (e.g. answer) into SS7 signaling messages. The SS7 network forwards the control packet to its destination using separate STP (Signal Transfer Point) data packet switches. In some cases, when additional services are deployed, SCP (Service Control Point) databases are used to process requests for advanced telephone services. The diagram also shows that the connections used for signaling differ from voice connections, and that there are multiple redundant connections between switches and network databases to ensure the reliability of the telephone network.

The links between points in the SS7 system have different functions and message structures. Access links (A-links) are used to control access between EOs and SCPs. Bridge links (B-links), cross links (C-links) and diagonal links (D-links) connect STPs. Extended links (E-links) are optionally used to provide backup connections from an EO to the SS7 network. Fully mapped links (F-links) share the link between EOs.

This tutorial is just going to show you a little about using SS7 tools without building the full program. I’m using the TelScale open-source SS7 stack here, so you don’t have to do anything like building it or downloading lots of tools. The tool is in Java .jar format.

Requirements:

* Linux OS with SCTP support

* JRE 1.7 (Java SE Runtime Environment) or above

Here is a Link to Download SS7 Assessment Tool:  SafeSeven.Zip

And Here is Link To Download JRE 8 (Java SE Runtime Environment): JRE 8 For Linux.tar.gz

JDK 7u6 and later releases include JavaFX SDK (version 2.2 or later). The JavaFX SDK and Runtime are installed and integrated into the standard JDK directory structure.

For information about how to work with JavaFX, see http://docs.oracle.com/javase/8/javase-clienttechnologies.html

Installation of the 64-bit JRE on Linux Platforms 

This procedure installs the Java Runtime Environment (JRE) for 64-bit Linux, using an archive binary file (.tar.gz). These instructions use the following file:

jre-8uversion-linux-x64.tar.gz

Download the file. Before the file can be downloaded, you must accept the license agreement. The archive binary can be installed by anyone (not only root users), in any location that you can write to. However, only the root user can install the JDK into the system location.

Change directory to the location where you would like the JDK to be installed, then move the .tar.gz archive binary to the current directory.

Unpack the tarball and install the JRE:

        % tar zxvf jre-8uversion-linux-x64.tar.gz

The Java Development Kit files are installed in a directory called jdk1.8.0_version in the current directory.

Delete the .tar.gz file if you want to save disk space.

Now extract the SafeSeven files to your home directory, then open Wireshark (Wireshark is preinstalled in Kali Linux).

Choose the “SCTP” protocol and start capturing data packets.

Then open a terminal. Here are a few commands for using the .jar files:

<Before Running Client On Actual SS7 Network>

Edit the client_config file (edit the details in the orange-marked area):

```
// Client
SERVER_IP="IP of STP you are connecting to"
CLIENT_IP="IP address provisioned for you in STP"
SERVER_PORT="STP port"
CLIENT_PORT="client provisioned port"
// should always be false
IS_SERVER=FALSE
Local_SPC="point code assigned to you"
Remote_SPC="point code of STP"
Local_SSN="local ssn"
Remote_SSN="remote ssn"
Routing_Context="routing context assigned to you by STP"
NETWORK_INDICATOR="Network indicator"
Local_GT="Local global title assigned to you"
Remote_GT="remote Global title you are testing"
```

<#Commands For Simulating SS7 Network/#>

Simulating HLR:

      java -jar server.jar hlr_config

Simulating MSC/VLR:

      java -jar server.jar vlr_config

Running STP:

      java -jar STP.jar stp_config

<#Commands For Running SafeSeven/#>

SMS Related Operations:

       java -jar SMS.jar client_config

USSD Related Operations:

       java -jar ussd.jar client_config

Call Related Operations:

       java -jar Call_Handling.jar client_config

Mobility Related Operations:

       java -jar Mobility.jar client_config

Here Are Some Steps To Intercepting SMS By Using MapSMS.jar:

Step 1.

1. The attacker sends a SendRoutingInfoForSM request, a MAP (Mobile Application Part) message addressed by MSISDN (the target phone number).

2. The HLR (Home Location Register) replies with its own address, the serving MSC address, and the IMSI. The International Mobile Subscriber Identity (IMSI) is an internationally standardized unique number to identify a mobile subscriber. It is defined in ITU-T Recommendation E.212 and consists of a Mobile Country Code (MCC), a Mobile Network Code (MNC) and a Mobile Station Identification Number (MSIN).

Step 2.

1. Attacker registers Target Phone Number On the fake MSC

2. HLR sets up a new location for our target number

3. HLR asks real MSC to release a memory

Step 3.

1. Someone sends SMS to Target Number

2. MSC translates the SMS to SMS-C

3. SMS-C requests HLR for Target number’s location

4. HLR replies with a fake MSC address

5. SMS-C translates SMS to the fake MSC & Your Wireshark captures SMS

There It is…
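From the operator's side, the sequence in Steps 1 to 3 leaves a recognizable trace: a SendRoutingInfoForSM query from outside the home network, followed shortly by an UpdateLocation that moves the same subscriber to an MSC the operator has no roaming agreement with. The following is an added detection sketch, not part of the original post or of SafeSeven; the record layout, the global title prefixes (in the unassigned 999 range), the test-network IMSIs and the 300-second window are all assumptions, and the log rows are constructed.

```python
HOME_PREFIX = "99901"                 # assumed: global titles of the home network
ROAMING_PARTNER_PREFIXES = ("99902",) # assumed: allow-list of roaming partners
WINDOW = 300                          # assumed: seconds between query and relocation

# Constructed signaling log: (time, MAP operation, calling GT, IMSI, claimed MSC GT).
# The IMSI on SRI-SM rows is taken from the HLR's response, joined by the collector.
EVENTS = [
    (100,  "sendRoutingInfoForSM", "99901000001", "001010000000001", None),
    (200,  "updateLocation",       "99902000055", "001010000000001", "99902000055"),
    (1000, "sendRoutingInfoForSM", "99977000007", "001010000000002", None),
    (1060, "updateLocation",       "99977000008", "001010000000002", "99977000008"),
    (5000, "updateLocation",       "99988000001", "001010000000003", "99988000001"),
]


def is_home(gt: str) -> bool:
    return gt.startswith(HOME_PREFIX)


def is_partner(gt: str) -> bool:
    return gt.startswith(ROAMING_PARTNER_PREFIXES)


def detect(events):
    """Return (time, imsi, reasons) for every UpdateLocation that looks suspicious."""
    alerts = []
    last_external_sri = {}  # imsi -> time of the latest SRI-SM from outside the home network
    for ts, op, calling_gt, imsi, msc_gt in sorted(events, key=lambda e: e[0]):
        if op == "sendRoutingInfoForSM":
            if not is_home(calling_gt):
                last_external_sri[imsi] = ts
        elif op == "updateLocation":
            reasons = []
            # Rule 1: the new serving MSC is neither ours nor a roaming partner's.
            if not (is_home(msc_gt) or is_partner(msc_gt)):
                reasons.append("msc_gt_not_roaming_partner")
            # Rule 2: relocation right after an external routing-info query.
            seen = last_external_sri.get(imsi)
            if seen is not None and 0 <= ts - seen <= WINDOW:
                reasons.append("follows_external_sri_sm")
            if reasons:
                alerts.append((ts, imsi, reasons))
    return alerts
```

Rule 2 alone also fires on ordinary roaming, so treat a single reason as a triage signal and both together as the pattern worth blocking or paging on.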

If you want to develop this further by yourself, you can download the following programs:

Eclipse Javascript IDE Download

Xampp Download For Linux

JDK(Java Development Kit) 8 Download
