How to hack a telecommunication company and stay alive. Sergey Gordeychik
![Page 1: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/1.jpg)
How to Hack a Telecommunication Company
And Stay Alive
Sergey Gordeychik
Positive Technologies
CTO
![Page 2: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/2.jpg)
Ic Beo
Sergey Gordeychik, Positive Technologies, CTO
A “script writer” and a “director” of the Positive Hack Days forum
Science editor of the SecurityLab.Ru portal
Author of the Web Application Security course, and of a book titled A Wireless Network Security and a course of the same name
A participant of WASC, RISSPA
http://sgordey.blogspot.com
![Page 3: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/3.jpg)
What Is It All About?
What is so peculiar about telecoms?
Attacks against subscribers/Attacks by subscribers
Perimeter… Just a perimeter
Partners and contractors
Technology networks
![Page 4: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/4.jpg)
What’s So Peculiar?
![Page 5: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/5.jpg)
Specific Features of Telecommunication Companies
Large, large networks
Unification of various services (broadband access, Wi-Fi, hosting, mobile communication)
Great number of applications and systems on the perimeter
Exotics inside and outside
Lots of perimeters
Most networks belong to third parties
Forensics nightmare
![Page 6: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/6.jpg)
How many perimeters do telecoms have?
Subscribers
Partners
Office
Technology network
Internet
![Page 7: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/7.jpg)
…and a bit more…
Mobile communications
Wired broadband access
Wireless broadband access
VOIP
Hosting
...
Broadband access
Technological network
Internet TV Hosting
![Page 8: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/8.jpg)
…and a bit more…
Vladivostok Moscow
Roma Phnom Penh
![Page 9: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/9.jpg)
Attack AGAINST Subscribers
![Page 10: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/10.jpg)
Why Subscribers?
Subscribers’ $ = telecoms’ $
DOS = - $$ - reputation - $$
PWN (100 000 PC) = Botnet
Personal data!
![Page 11: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/11.jpg)
Broadband Access
Huge non-segmented networks
Great number of end devices:
• Various SOHO devices
• Installed and unattended
• Standard bugs and configurations
A manual on insecurity of network appliances
• SNMP/Telnet/HTTP/UPnP control protocols on the Internet
• Insecure/empty passwords
• Web attacks on Client’s side (Pinning, CSRF)
Huge number of users
• 1 out of 1000, for 10 000 000 = 10 000
• Trivial passwords
![Page 12: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/12.jpg)
Broadband Access. Attack
Collecting information
• Network scanning
• Access layer error (BRAS)
• Collecting information from internal forums and other resources
• Self-service platform errors
Invalid login or password
vs
Invalid username
Preparing scenarios
• Capturing devices
• Guessing passwords
$profit$
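The self-service platform error on this slide ("Invalid login or password" vs "Invalid username") tells anyone which logins exist, and trivial passwords then do the rest. As an added example (not from the talk), a portal login that answers uniformly and budgets failures per source rather than per login, next to the leaky behaviour; the account store, source address and policy numbers are constructed assumptions.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Invalid login or password"
MAX_FAILURES = 5          # per source address, per window (assumed policy)
WINDOW_SECONDS = 300


def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


# Constructed sample account store; the login and password are made up.
_salt = os.urandom(16)
USERS = {"subscriber1001": (_salt, _kdf("correct horse battery", _salt))}
# Dummy record: unknown logins cost the same hashing work as known ones.
_DUMMY = (os.urandom(16), os.urandom(32))


def login_leaky(login, password):
    """The behaviour the slide contrasts: unknown logins get their own message."""
    record = USERS.get(login)
    if record is None:
        return False, "Invalid username"
    salt, stored = record
    if hmac.compare_digest(_kdf(password, salt), stored):
        return True, "OK"
    return False, GENERIC_ERROR


class Portal:
    """Uniform answers plus a failure budget per source, not per login."""

    def __init__(self):
        self._failures = {}   # source -> list of failure timestamps

    def _recent(self, source, now):
        recent = [t for t in self._failures.get(source, [])
                  if now - t < WINDOW_SECONDS]
        self._failures[source] = recent
        return recent

    def login(self, source, login, password, now):
        recent = self._recent(source, now)
        if len(recent) >= MAX_FAILURES:
            return False, "Too many attempts, try again later"
        salt, stored = USERS.get(login, _DUMMY)
        match = hmac.compare_digest(_kdf(password, salt), stored)
        if match and login in USERS:
            return True, "OK"
        recent.append(now)            # same list object stored in _failures
        return False, GENERIC_ERROR


def leaks_account_existence(login_fn, known, unknown):
    """True when a wrong password gets different answers for known/unknown logins."""
    return login_fn(known, "wrong") != login_fn(unknown, "wrong")


def answered_before_throttle(portal, source, logins, password, now=0.0):
    """One password tried across many logins from one source: count real answers."""
    answered = 0
    for i, login in enumerate(logins):
        _, message = portal.login(source, login, password, now + i)
        if message == GENERIC_ERROR:
            answered += 1
    return answered
```

Keying the budget on the source instead of the login matters for the "1 out of 1000" case: one trivial password tried once against each of many accounts never trips a per-account lockout.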
![Page 13: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/13.jpg)
Well…yes, it happens
![Page 14: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/14.jpg)
Pick a Task…
![Page 15: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/15.jpg)
Examples of Risks
Gaining access to a self-service portal
• Cashout
  • Guessing password or stealing the router cfg files (vpn/pppoe)
  • Transferring money from a broadband access to a cell phone (integration!)
  • Cashing out via PRS
• It drives me NUTS!!!
  • Guessing password or stealing the router cfg files (vpn/pppoe)
  • Purchasing the available Balance =0
Performing a mass hacking of a router/PC
Performing a mass changing of configurations
![Page 16: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/16.jpg)
Attacks against Clients of Mobile Networks
Faking Caller ID
• self-service portal/USSD
• voice mailbox
• cash-out via PRS
• direct money withdrawal
[Diagram labels: Internet, SIP-GW, SS7, GSM, Target, Tech Systems, FAKE ID, unauthorized access]
![Page 17: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/17.jpg)
Attacks against Clients of Mobile Networks
Malware for mobile devices
Intercepting GSM – Not a ROCKET SCIENCE!
• attacking A5/1
• MITM, switch to A5/0
• downgrading UMTS -> GSM
Traffic, SMS, one-time passwords...
• Self-service portals/USSD
• Cash-out via PRS
• Voice mailbox
![Page 18: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/18.jpg)
Hosting
Local network for collocated/dedicated servers
• Attacks of a network/data link layer, attacks against network infrastructure
• ARP Spoofing, IP Spoofing… old school
• Intrasegment IPv6 attacks
Attack against infrastructure (DNS…)
Shared hosting (once having intruded into one of the sites…)
Secunia Hacked?
![Page 19: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/19.jpg)
Pentester Tips & Tricks
![Page 20: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/20.jpg)
Pentester Tips & Tricks
We are only searching for vulnerabilities
We use only our own resources for demonstration
We avoid information protected by the law
A fickle client…
C: Prove it! Enter the portal!
P: No, thank you. Here is a password – enter it yourself…
![Page 21: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/21.jpg)
Attacks BY Subscribers
![Page 22: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/22.jpg)
Why Subscribers? AGAIN?
Subscribers are WITHIN one of the perimeters
Many attacks are easier if performed on subscriber’s side
The number of subscribers of modern telecoms is quite large
![Page 23: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/23.jpg)
General Problems
Network access control weakness
Intrasegment attacks
Protection of the end equipment
Web applications for subscribers
![Page 24: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/24.jpg)
Network Access Control Errors
C:\>tracert -d www.ru
Tracing route to www.ru [194.87.0.50] over a maximum of 30 hops:
  1     *        *        *     Request timed out.
  3    10 ms    13 ms     5 ms  192.168.5.4
  4     7 ms     6 ms     5 ms  192.168.4.6
A direct way does not always mean the most interesting one :)
![Page 25: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/25.jpg)
Per Aspera Ad…level 15
#sh run
Using 10994 out of 155640 bytes
!
version 12.3
...
!
username test1 password 7 <removed>
username antipov password 7 <removed>
username gordey password 7 <removed>
username anisimov password 7 <removed>
username petkov password 7 <removed>
username mitnik password 7 <removed>
username jeremiah password 7 <removed>
![Page 26: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/26.jpg)
Network Access Control Errors
GPRS/EDGE/3G, which traditionally stick to NAT
Other clients are “invisible”
This is not always true…
GPRS: payment kiosks, ATMs, etc., which can have:
• A missing firewall
• Missing updates
• Misconfigurations
![Page 27: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/27.jpg)
A Joke
SNMP ‘private’ on a GGSN
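Both the "password 7" listing earlier and this SNMP 'private' finding are visible in a device's running configuration: type 7 is a reversible encoding, and 'private' is a vendor default community string. As an added example (not from the talk), a small auditor for IOS-style configs that flags them along with Telnet on vty lines; the sample config, rule names and the function name are constructed for illustration.

```python
# Constructed sample in the style of the "sh run" listing; secrets are placeholders.
SAMPLE_CONFIG = """\
version 12.3
!
enable secret 5 <removed>
username test1 password 7 <removed>
username ops secret 5 <removed>
!
snmp-server community private RW
snmp-server community n0c-r34d RO 10
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def audit_config(text):
    """Return (line_number, rule, detail) findings for an IOS-style config.

    The detail never contains the stored password or hash, only the object
    it belongs to, so the report itself is safe to circulate.
    """
    findings = []
    in_vty = False
    for number, raw in enumerate(text.splitlines(), start=1):
        indented = raw.startswith(" ")
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if not indented:
            # A new top-level command ends any previous "line vty" block.
            in_vty = tokens[:2] == ["line", "vty"]

        # "username X password [0|7] ..." or "enable password [0|7] ..."
        if tokens[0] in ("username", "enable") and "password" in tokens[1:]:
            after = tokens[tokens.index("password", 1) + 1:]
            who = tokens[1] if tokens[0] == "username" else "enable"
            if after and after[0] == "7":
                findings.append((number, "reversible-password", who))
            else:
                findings.append((number, "cleartext-password", who))

        # "snmp-server community NAME [view V] [RO|RW] [acl]"
        elif tokens[:2] == ["snmp-server", "community"] and len(tokens) > 2:
            name = tokens[2]
            rest = [t.upper() for t in tokens[3:]]
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append((number, "default-community", name))
            has_acl = bool(rest) and rest[-1] not in ("RO", "RW")
            if "RW" in rest and not has_acl:
                findings.append((number, "rw-community-no-acl", name))

        # " transport input ..." inside a "line vty" block
        elif in_vty and indented and tokens[:2] == ["transport", "input"]:
            if {"telnet", "all"} & set(tokens[2:]):
                findings.append((number, "telnet-enabled", " ".join(tokens[2:])))
    return findings


if __name__ == "__main__":
    for line_no, rule, detail in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {rule} ({detail})")
```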
![Page 28: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/28.jpg)
A Joke
Captive portal
“Your balance is low”
• Linux
• Apache
• MySQL
• PHP
![Page 29: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/29.jpg)
Intrasegment Attacks
Subscribers of broadcast access and hosting
Secunia Hacked?
![Page 30: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/30.jpg)
Web Portals and Services for Subscribers
A good many resources
• forums, dating sites, video convertors, online games, statistics, online shopping, photo hosting, file hosting, online radio…
A good many loopholes
• Old versions of applications and CMS, SQLi, LFI and so on…
Single-Sign-On or the same passwords…
Are often placed into the DMZ together with “ordinary” servers
![Page 31: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/31.jpg)
Web Portals and Servers for Subscribers
Games server*
Proxima CMS, path traversal + SQLi + configuration error = root
About 20 more sites on the host
• Online broadcasting
• Branded desktop applications
• …
![Page 32: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/32.jpg)
Pentester Tips & Tricks
Resources on the subscriber networks are often SUBSCRIBER’s resources
Getting approvals for every step of your work
Many systems operate on a wing and a prayer
They collapse all the time, but if you are online anyway…
Avoiding (!) information protected by the law
A fickle client…
![Page 33: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/33.jpg)
Perimeter…Just a Perimeter
![Page 34: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/34.jpg)
Perimeter?
Large, large networks!
• Use clouds
Great number of “third-party” resources
Get ready for rarities
Corporate web applications
The Lord of The Net
![Page 35: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/35.jpg)
Great Number of Third-Party Resources
Quite a large number of perimeter hosts belong to partners/subscribers
Quite often these hosts are “mixed” with those of the client
Yet, they should not be disregarded
• Imagine that you are already a level 15/root/admin on the host and you just entered the segment
![Page 36: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/36.jpg)
Great Number of Third-Party Resources
SQLi on the mobile content portal (Oracle, sys)
private at the VoIP gateway
Maintained by partners
No hacking
Are actually located at a flat DMZ together with client’s servers
Enabling the billing Front-End
![Page 37: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/37.jpg)
Rarities
So many different things can be found on the perimeter
• Technology “hardware”
• VoIP
• Old-school firewalls
• Web cameras
• Unusual control systems: ELOM, conditioners (!), UPS (!), etc.
Keep in mind the momentous attacks (X-mas scan, UNIX RPC, Finger, etc.)
Don’t underrate the rarities
![Page 38: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/38.jpg)
Rarities
nc -P 20 xxx.xxx.xxx.xxx 8080
Wireless Access Point
• Insecure password for web
• Enabling Telnet
• Compiling tcpdump/nc and others for the platform
• Using them for traffic/tunnel interception
Web camera
• LFI via a web interface
• Obtaining configuration files
• Gaining an access password for the control system
• Gaining access to the control system
![Page 39: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/39.jpg)
Journey to Gattaca
![Page 40: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/40.jpg)
Watching the Video
![Page 41: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/41.jpg)
Cobweb
Lots of Web. For real.
Enterprise web applications are often accessible
• Terminal services (Citrix)
• Email systems
• Helpdesk systems
• Ill-equipped for operating on the “wild web”
![Page 42: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/42.jpg)
Support system
We found and applied a Path Traversal in ManageEngine ServiceDesk Plus
Gained the “encrypted” password for integration with AD
The password fitted for VPN
The password fitted for AD (Enterprise Admin)
The password fitted for Cisco ACS
So we finally got lucky!
![Page 43: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/43.jpg)
VPN
Lots of VPN, good and not so good
Passwords, IPSec Aggressive Mode…
![Page 44: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/44.jpg)
The Lords of the Net
Administrator, the Lord of the Net
A large network means many administrators
Feudalism
• Rules are for wimps
• Enterprise IT infrastructure VS “my infrastructure”
• Remote access systems
• Amusing web servers and trial apps
![Page 45: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/45.jpg)
“All animals are equal but…”
![Page 46: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/46.jpg)
The Lords of the Rings
TCP:1337 (SSL) – a web server of the system administration department
Radio broadcasting (ShoutCast Server with a default password)
Location: an administrator workstation
With all the consequences…
![Page 47: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/47.jpg)
Pentester Tips & Tricks
Try not to miss a thing on the perimeter
Keep in mind third-party hosts
Get approvals for every step of your work
Don’t disregard network rarities. Sometimes a web camera can pave the way to the network core!
Pay special attention to Web
Remember admins
![Page 48: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/48.jpg)
Partners and Contractors
![Page 49: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/49.jpg)
Contractors?
Requirements for system access (VPN)
Standard accounts (in order to remember)
No update management
Employees
![Page 50: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/50.jpg)
Contractors…
Contractor in the technology network
• Wireless interface on a laptop
• Everyone, a shared folder
• The folder contains an installer of a control system for xDSL modems/end routers
• With a built-in SA password in DBMS
• Who also has the same system?
Applications for agents, sale and activation of communication services package
• Fat-client application
• Built-in access password for DBMS
• … as SYSDBA
![Page 51: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/51.jpg)
There Are Different Contractors...
OMG?! HAVE I PWND THAT?
![Page 52: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/52.jpg)
Pentester Tips & Tricks
Contractors are never to be hacked
Get approvals for every step of your work
Many scenarios can be efficiently demonstrated by a “white box” method
Suppose, I were a contractor
But you are not a contractor
…A fickle client…
![Page 53: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/53.jpg)
Technology Networks
![Page 54: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/54.jpg)
Something special?
Changes are highly dynamic in the network
• New gadgets keep emerging
• Contractors keep working
• Configuration keeps changing
Implemented components and protocols are standard
• Threats typical for IP
• Configuration errors
• Platform vulnerabilities
Some errors can cause failures and facilitate frauds
![Page 55: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/55.jpg)
Technology Networks Are Networks First of All!
Equipment vulnerabilities
Test systems, contractors’ systems
FORGOTTEN(!) systems
Network management systems
![Page 56: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/56.jpg)
Forgotten Systems
Non-configured switch
Uptime: 2 years!
![Page 57: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/57.jpg)
Network Management Systems
Such treasure
• Network topology
• Device configuration
• Passwords and keys for VPN/Wi-Fi/SNMP/RADIUS/VPN…
“They are behind the firewall”
+ Web password
- OS, DBMS, Web updates
+ Standard passwords for DBMS
+ File(!) shares
![Page 58: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/58.jpg)
That’s Tough!
WPA-PSK for AP is found
Where are the points located?!!
![Page 59: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/59.jpg)
Backup Is Quite a Useful Thing!
Especially on the Net!
![Page 60: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/60.jpg)
VoIP Is a Honey Pie
VoIP
Access to the enterprise network
Call management (fraud)
Fraud or fraudulent misrepresentation
Wiretapping
Identity theft
And more…
Attack against…
• infrastructure
• gateways
• protocols
• i[P]Phone
![Page 61: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/61.jpg)
VoIP
[Diagram labels: PSTN; IP PBX; Company “A”; ТОП; outside the office of Company “A”; attacker's computer; WEP; corporate LAN; SQL injection, CVE-2008-0026; step markers 2 and 3]
1. VoIP Wi-Fi access (No WPA, so “slow”)
2. The nearest CISCO Call Manager
a) SQLi, CVE-2008-0026
b) Collecting hash
c) Restoring passwords from the hash
3. Level 15 for the whole network
runsql select user,password from applicationuser
https://www.example.org/ccmuser/personaladdressbookEdit.do?key='+UNION+ALL+SELECT+'','','',user,'',password+from+applicationuser;--
![Page 62: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/62.jpg)
Mobile Networks – It’s So Banal
Only the perimeter is secure
Some weird hardware?
• 3G SoftSwitch – Solaris 10 with CVE-2007-0882 (telnet -f)
• …
![Page 63: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/63.jpg)
Self-Service Platform
WEB/USSD/WAP
Interface with payment systems
A possibility of money withdrawal
No authentication (Caller ID)
Weak authentication (PIN code?)
Vulnerable applications (Web, SQL Injection, XSS)
![Page 64: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/64.jpg)
VAS platforms
Someone’s application on the operator’s network
Malicious content, WAP-provisioning
Rich access via mobile stations (WAP/HTTP):
• Web application vulnerabilities
• Platform vulnerabilities
Platforms for service development
![Page 65: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/65.jpg)
Instead of a Conclusion
![Page 66: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/66.jpg)
Forensic Nightmare
Large networks make it extremely difficult to investigate incidents
Lots of vectors, tons of hardware, a great many administrators
A couple of hops on the internal network, and no one will make head or tail of it
![Page 67: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/67.jpg)
Who is there?
![Page 68: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/68.jpg)
Trying To Make Head or Tail…
![Page 69: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/69.jpg)
Some Are Concerned…
![Page 70: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/70.jpg)
Others Are Happy
![Page 71: How to hack a telecommunication company and stay alive. Sergey Gordeychik](https://reader035.fdocuments.in/reader035/viewer/2022081504/55845b8ad8b42a5b0a8b5304/html5/thumbnails/71.jpg)
Thank you for your attention!
Sergey Gordeychik
http://sgordey.blogspot.com
http://ptresearch.blogspot.com
http://phdays.com