Signaling System 7 – SS7
Signaling System No. 7 (SS7) is a standard international network signaling protocol that enables common (independent) channel signaling for call origination, billing, routing and information exchange between the public switched telephone network (PSTN) nodes. SS7 system protocols are optimized for connections to control telephone systems and are only directly accessible to telephone network operators.
Common Channel Signaling (CCS) is a separate signaling system that separates the content of telephone calls from the information used to establish the call (signaling information). When the call processing information is disconnected from the communication channel, it is referred to as out of band signaling. This signaling method uses one of the channels in a multi-channel network to control, billing, and manage traffic on all channels of the network.
An SS7 network consists of service switching points (SSPs), signaling transfer points (STPs) and service control points (SCPs). The SSP collects the analog signaling information from the local line on the network (endpoint) and converts the information into an SS7 message. These messages are sent to the SS7 network of STPs that bring the packet closer to its destination. If special message processing is required (eg redirecting a call to a call forwarding number), the STP forwards the message to an SCP. The SCP is a database that can use the incoming message to identify other numbers and features associated with that particular call.
In the SS7 protocol, an address, e.g. Customer dialed digits, no explicit information to allow routing in a signaling network. Then the translation function of the signaling connection control part (SCCP) is needed. This is a process in the SS7 system that uses routing tables to convert an address (usually a telephone number) to the actual destination address (forwarding of the telephone number) or to the address of a service control point (database) containing the required customer data Edit call.
Intelligence in the network can be distributed to databases and information processing points throughout the network because the network uses common channel signaling A set of service development tools has been developed to allow companies to offer advanced intelligent network (AIN) services
This diagram shows the basic structure of the control signal system SS7. This diagram shows that a customer’s phone is connected to a local exchange (EO). The service switching point (SSP) is part of the EO and converts dialed digits and other signaling indicators (eg answer after answering) into SS7 signaling messages. The SS7 network forwards the control packet to its destination using separate STP (Signal Transfer Point) data packet switches. In some cases, when additional services are deployed, SCP (Service Control Point) databases are used to process requests for advanced telephone services. This diagram also shows that the connections used for signaling differ from voice connections. This diagram shows that there are multiple redundant connections between switches, switches, and network databases to ensure the reliability of the telephone network. The links between points in the SS7 system have different functions and message structures. Access links (A-links) are used to control access between EOs and SCPs. Bridge connections (B connections), cross-connections (C connections) and diagonal connections (D connections) connect STPs. Extended links (e-links) are optionally used to provide backup connections from an EO to the SS7 network. Fully mapped links (F links) share the link between EOs.
In This Tutorial is going to just go to show you a little using ss7 tools without building the full program. I’m using tell scale opensource ss7 stack in here, you don’t have to do anything like building it or downloading lots of tools. this tool is in Java .jar format.
* Linux OS with SCTP support
* JRE 1.7(Java SE Runtime Environment) or above
Here is a Link to Download SS7 Assessment Tool: SafeSeven.Zip
And Here is Link To Download JRE 8 (Java SE Runtime Environment): JRE 8 For Linux.tar.gz
JDK 7u6 and later releases include JavaFX SDK (version 2.2 or later). The JavaFX SDK and Runtime are installed and integrated into the standard JDK directory structure.
For information about how to work with JavaFX, see http://docs.oracle.com/javase/8/javase-clienttechnologies.html
Installation of the 64-bit JRE on Linux Platforms
This procedure installs the Java Runtime Environment (JRE) for 64-bit Linux, using an archive binary file (.tar.gz). These instructions use the following file:
Download the file. Before the file can be downloaded, you must accept the license agreement. The archive binary can be installed by anyone (not only root users), in any location that you can write to. However, only the root user can install the JDK into the system location.
Change directory to the location where you would
like the JDK to be installed, then move the .tar.gz
archive binary to the current directory.
Unpack the tarball and install the JRE:
% tar zxvf jre-8uversion-linux-x64.tar.gz
The Java Development Kit files are installed in a directory called jdk1.8.0_version in the current directory.
Delete the .tar.gz file if you want to save disk space.
Now, Extract the safeseven files to your home directory. Now Open WireShark.(well, Wireshark is preinstalled in Kali Linux)
Choose “SCTP” Protocol & Start capturing data packets.
Then Open Terminal. I’m Writing Here Few Commands For Using the Java.Jar Files;
<Before Running Client On Actual SS7 Network>
Edit client_config file(Edit Details of Orange Marked Area)
SERVER_IP=”IP of STP you are connecting to”
CLIENT_IP=”IP address provisioned for you in STP”
CLIENT_PORT=”client provisioned port”
IS_SERVER=FALSE “should be always false”
Local_SPC=”point code assigned to you”
Remote_SPC=”point code of STP”
Routing_Context=”routing context assigned to you by STP”
Local_GT=”Local global title assigned to you”
Remote_GT=”remote Global title you are testing”
<#Commands For Simulating SS7 Network/#>
java -jar server.jar hlr_config
java -jar server.jar vlr_config
java -jar STP.jar stp_config
<#Commands For Running SafeSeven/#>
SMS Related Operations:
java -jar SMS.jar client_config
USSD Related Operations:
java -jar ussd.jar client_config
Call Related Operations:
java -jar Call_Handling.jar client_config
Mobility Related Operations:
java -jar Mobility.jar client_config
Here Are Some Steps To Intercepting SMS By Using MapSMS.jar:
1. The attacker sends request SendRoutingInfoForSM addressing MAP(Mobile Application Part) message by MSISDN(Target Phone Number)
2.HLR(Home Resource Locator) replies with own address, serving MSC address, IMSI(The International Mobile Subscriber Identity (IMSI) is an internationally standardized unique number to identify a mobile subscriber. The IMSI is defined in ITU-T Recommendation E.212. The IMSI consists of a Mobile Country Code (MCC), a Mobile Network Code (MNC) and a Mobile Station Identification Number (MSIN).)
1. Attacker registers Target Phone Number On the fake MSC
2. HLR sets up a new location for our target number
3.HLR asks real MSC to release a memory
1. Someone sends SMS to Target Number
2. MSC translates the SMS to SMS-C
3. SMS-C requests HLR for Target number’s location
4. HLR replies with a fake MSC address
5. SMS-C translates SMS to the fake MSC & Your Wireshark captures SMS
There It is…
If you want to more develop on this by your self so you can download following program:
JDK(Java Development Kit) 8 Download