While running some SS7 pentests last year, I developed a small tool automating some of the well-known SS7 attack cases. Today I’m releasing the first version of ss7MAPer, a SS7 MAP (pen-)testing toolkit.
The toolkit is build upon the Osmocom SS7 stack and implements some basic MAP messages. At its current state tests against the HLR are ready for use, in future versions tests against VLR, MSC and SMSC will follow.
The source code of the tool is published on github, feel free to use and extend.
The tool is written in Erlang; to get it running you will need the Erlang runtime environment. It is developed for version 17.5.
As example, the screen shot below shows the output of the tool against a HLR, testing which MAP messages are accepted and the results given back.
As you can see in the picture, the demonstrated test cases for the HLR respond to most of the MAP messages regardless the fact that we are not registered as valid provider. The tool is not configured as a serving MSC nor a roaming contractor. Some of the information gathered can be seen as critical, as the MSISD -> IMSI resolution, the over-the-air crypto keys or the ability to create supplementary services e.g. call forwarding.
The code (and its dependencies) are not that easy to compile but I tried to give a complete step by step instructions in the README file.
The messages and test cases are gathered from public SS7 research of the last years (see 1, 2) and check for known weaknesses in the SS7 domain.
The tool itself was developed under a cooperation with the Belgium provider Proximus and aims to test the secure configuration of the internal and external SS7 network access. Thanks a lot for giving us the opportunity here, we are convinced that the tool gives the research community but also telecommunication providers a new, important and (especially) open-source-based possibility for SS7 testing.
That’s it, get the code, try the tool.
Best wishes from Heidelberg.