Breaking

Hacking 101 to mobile data

Here is a short blog post that explains how you can make your own Man-in-the-Middle (MitM) setup for sniffing the traffic between a SIM card and the backend server. This is NOT a new research but I hope this will help anyone who doesn’t have a telco background to get started to play with mobile data sniffing and fake base stations. This is applicable to many scenarios today as we have so many IoT devices with SIM cards in it that connects to the backend.
In this particular case, I am explaining the simplest scenario where the SIM card is working with 2G and GPRS. You can probably expect me with more articles with 3G, 4G MitM in future. But lets stick to 2G and GPRS for now.

Continue reading “Hacking 101 to mobile data”

Continue reading
Breaking

All Your Calls Are Still Belong to Us – continued

Hi again and a happy new year 2013!

Lets continue were I left you the last time.

The CTL

The CTL is basically a binary TLV file with 1 byte type, followed by 2 bytes length and finally the data. But as this is far to easy, some special fields omit the length field and just place the data after the type (I guess those are fields with a fixed length). Here is an example CTL file:

Red fields are the types (counting up), green fields are the length (note the missing length on some fileds) and the purple field contains the data (in this case data with a length of 8 bytes and a type 0x05, which is the signing cert serial number btw. [and yes, this is a real example; Cisco signs phone loads with this ‘random’ cert]).

The CTL contains a header with types from 0x01 to 0x0f which is padded with 0x0d. The same header is used for the signed files .sgn from the TFTP server later on. The header describes the file version, the header length, the certificate the file is signed by (further called Signing Cert), the corresponding Certificate Authority, the file name, the files time stamp and finally the signature. The header is followed by multiple cert entries, which again use types 0x01 to 0x0f.  The cert entry contains a role field 0x04 which describes the use of the cert. We are interested in the CAPF cert (0x04) and the Call Manager cert (0x02).
Continue reading “All Your Calls Are Still Belong to Us – continued”

Continue reading
Breaking

All Your Calls Are Still Belong to Us – aka. Hacking Cisco high secure Enterprise VoIP Solution

Some of you may have heard the topic before, as we have spoken about on this years BlackHat EuropeTROOPERS12  and HES12, so this is nothing completely new, but as we’re done with responsible disclosure (finally (-; )  and all the stuff should be fixed, we’re going to publish the code that brought us there. I will split the topic into two blog posts, this one will wrap up the setup, used components and protocols, the next one [tbd. till EOY, hopefully] will get into detail on the tools and techniques we used to break the enterprise grade security.

 The Components

First lets take a look on all the components involved in the setup:

As you can see in the picture, there are a lot of components and even more certificates involved. From left to right: Continue reading “All Your Calls Are Still Belong to Us – aka. Hacking Cisco high secure Enterprise VoIP Solution”

Continue reading
Breaking

Loki for Windows released

Today is a great day, its the day, Loki finally runs on all big operating systems. Im proud to announce the first Loki release for Windows!

There are a few things not working (yet / at all) under Windows. Those are:

  • The WLCCP Module – ive not yet managed to build and link against asleap on windows [but time may help (-; ]
  • TCP-MD5 Auth for BGP – This will never work, as Windows has no TCP-MD5 impl. in the kernel
  • The MPLS Module – Had some hassle here with WinPcap, may be working in the future

The most testing so far was done on Windows 7 were all the other functions work as they do on Linux and Mac.

Download the installer here [1ebf2edbb0cdb631dc2704e82d9c2d778fac703d].

cheers

/daniel

Continue reading