As we continue our research in the 3GPP protocol world, there is a new tool for you to play with. It is called s1ap_enum and that's also what it does 😉
The tool itself is written in Erlang, as I found no other free ASN.1 parser that is able to parse those fancy 3GPP protocol specs. It connects to an MME on sctp/36412 and tries to initiate an S1AP session by sending an S1SetupRequest PDU. To establish an S1AP session with an MME the right MCC and MNC are needed in the PLMNIdentity. The tool tries to guess the right MCC/MNC combinations. It comes with a preset of known MCC/MNC pairs from mcc-mnc.com, but can try all other combinations as well.
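As an added example (not code from s1ap_enum or this post), here is how the 3-octet PLMNIdentity that carries the MCC/MNC is laid out on the wire, and how an operator can decode the PLMNs seen in incoming S1SetupRequests and flag any that are not its own. The digit layout follows 3GPP TS 36.413; the MCC/MNC values and the captured octets are constructed samples.

```python
# PLMNIdentity (3GPP TS 36.413 §9.2.3.8): three TBCD octets, two digits each,
# low nibble first. Digit order: MCC1 MCC2 MCC3 (MNC3 | filler) MNC1 MNC2.
# Sample values below are constructed, not taken from any real capture.

FILLER = 0xF  # nibble used in place of MNC digit 3 when the MNC has two digits


def encode_plmn(mcc: str, mnc: str) -> bytes:
    """Pack a 3-digit MCC and a 2- or 3-digit MNC into PLMNIdentity octets."""
    if len(mcc) != 3 or not mcc.isdigit():
        raise ValueError("MCC must be exactly three digits")
    if len(mnc) not in (2, 3) or not mnc.isdigit():
        raise ValueError("MNC must be two or three digits")
    mcc_d = [int(c) for c in mcc]
    mnc_d = [int(c) for c in mnc]
    mnc3 = FILLER if len(mnc_d) == 2 else mnc_d[2]
    return bytes([
        (mcc_d[1] << 4) | mcc_d[0],  # octet 1: MCC2 | MCC1
        (mnc3 << 4) | mcc_d[2],      # octet 2: MNC3 (or F) | MCC3
        (mnc_d[1] << 4) | mnc_d[0],  # octet 3: MNC2 | MNC1
    ])


def decode_plmn(octets: bytes) -> tuple[str, str]:
    """Inverse of encode_plmn; keeps the 2- vs 3-digit MNC distinction."""
    if len(octets) != 3:
        raise ValueError("PLMNIdentity is exactly three octets")
    lo = [b & 0xF for b in octets]
    hi = [b >> 4 for b in octets]
    digits = [lo[0], hi[0], lo[1], lo[2], hi[2]]  # MCC1 MCC2 MCC3 MNC1 MNC2
    if any(d > 9 for d in digits) or (hi[1] > 9 and hi[1] != FILLER):
        raise ValueError(f"invalid TBCD digit in {octets.hex()}")
    mcc = "".join(str(d) for d in digits[:3])
    mnc = "".join(str(d) for d in digits[3:])
    if hi[1] != FILLER:
        mnc += str(hi[1])  # three-digit MNC: digit 3 rides in octet 2
    return mcc, mnc


def foreign_plmns(observed: list[bytes], own: set[tuple[str, str]]) -> list[str]:
    """Hex of every observed PLMNIdentity that is not one of the operator's own."""
    return [o.hex() for o in observed if decode_plmn(o) not in own]


if __name__ == "__main__":
    # Constructed PLMNIdentity octets as they might appear in S1SetupRequests
    seen = [bytes.fromhex("62f210"), bytes.fromhex("130014"), bytes.fromhex("00f110")]
    print(foreign_plmns(seen, {("262", "01")}))  # ['130014', '00f110']
```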
So how’s S1 on the internetz?
A friendly neighbor did a masscan recently and we found some of those hosts still alive. And chatty as well 😉
So we were able to establish a S1 session with this one, someone wants to (de-)reg some UE? xD
Others are not so nice, like this one here:
But the big question is, what are those MMEs doing in the internetzz? This isn’t your walled ISP garden! Or do you want to test how much S1AP garbage your equipment can take?
The same thing with X2AP. Seems to be out there as well, waiting for some chitchat. I haven't tried to build the ASN.1 spec yet, but if erlc is nice that's just a matter of seconds. xD
So have fun banging your head through tail recursion, play with the tool and have a nice day!