Security flaws in VoLTE protocol allow an attacker to spoof numbers and track users

The research paper by P1 Security was presented last week at a security conference in France


A team of researchers from security firm P1 Security has detailed a list of flaws in the VoLTE protocol that allow an attacker to spoof anyone’s phone number and place phone calls under a new identity, and to extract IMSI and geo-location data from the message exchanges that precede a call.

These issues can be exploited either actively, by altering VoLTE packets and interacting with targets, or passively, by simply listening to VoLTE traffic on an Android device.

Voice over LTE (VoLTE)


VoLTE is a standard for high-speed wireless communication for mobile phones and data terminals, based on the IP Multimedia Subsystem network.

With VoLTE the voice service is delivered as data flows within the LTE data bearer, with no dependency on maintaining the legacy circuit-switched voice network.


The vulnerabilities

Researchers divide the vulnerabilities into “active” ones, which require crafting modified SIP packets, and “passive” ones, which expose data through passive network monitoring and do not require any SIP packet modification.

Below is a brief list of the flaws discovered (for more detail please refer to the links in the ‘References’ section at the end of the post):

User enumeration

SIP INVITE messages are exchanged when VoLTE phone calls are initiated and pass through all the mobile networking equipment that supports the call: an attacker on the same network can send modified SIP INVITE messages to brute-force the mobile provider and obtain a list of all users on its network.

Free data channel over SDP

This flaw allows a VoLTE customer to exchange data (phone calls, SMS, mobile data) via VoLTE networks without triggering the CDR (Call Detail Record) module responsible for billing.

The P1 team discovered a method that uses SIP and SDP messages to create unmonitored data tunnels in VoLTE networks, giving would-be criminals a way to set up covert data communication channels.

User identity spoofing

Mobile networking equipment does not verify whether the SIP INVITE header information is correct and takes the caller’s identity at face value, so an attacker can modify certain headers in SIP INVITE messages and place calls using another user’s MSISDN (phone number).

VoLTE equipment fingerprinting and topology discovery

This vulnerability allows an attacker to fingerprint network equipment of a target operator just by listening to VoLTE telephony traffic reaching an Android smartphone.

Leak of the victim’s IMEI

Watching VoLTE traffic on an Android device that is initiating a call, researchers discovered that the intermediary messages exchanged before the connection is established reveal the caller’s IMEI number.

Leak of the victim’s personal information

As with the attack above, researchers also discovered that the same SIP messages can leak more detailed information about victims: an attacker could initiate shadow calls, detect the victim’s approximate location, and hang up before the phone call is established.


References

The paper

https://www.sstic.org/media/SSTIC2017/SSTIC-actes/remote_geolocation_and_tracing_of_subscribers_usin/SSTIC2017-Article-remote_geolocation_and_tracing_of_subscribers_using_4g_volte_android_phone-le-moal_ventuzelo_coudray.pdf

How to use the ip command instead of ifconfig

Did you know that in 2009 it was announced that the ifconfig Linux command would be deprecated?


On most Linux distributions the ifconfig command has been deprecated and will eventually be replaced by the ip command.
What are the differences between ifconfig and ip?

Let’s try to summarize them:

Show network devices

ifconfig
ip addr show
ip link show

Enable a network interface

ifconfig eth0 up
ip link set eth0 up

A network interface can be disabled with:

ifconfig eth0 down
ip link set eth0 down

Setting IP address

The simple version:

ifconfig eth0 192.168.0.77
ip address add 192.168.0.77 dev eth0

The complete version with network mask or the broadcast address:

ifconfig eth0 192.168.0.77 netmask 255.255.255.0 broadcast 192.168.0.255
ip addr add 192.168.0.77/24 broadcast 192.168.0.255 dev eth0

Delete an IP address

This feature is available only with ip:

ip addr del 192.168.0.77/24 dev eth0

Add alias interface

ifconfig eth0:1 10.0.0.1/8
ip addr add 10.0.0.1/8 dev eth0 label eth0:1

Add an entry to the ARP table

arp -i eth0 -s 192.168.0.1 00:11:22:33:44:55
ip neigh add 192.168.0.1 lladdr 00:11:22:33:44:55 nud permanent dev eth0

Set ARP resolution off on one device

ifconfig -arp eth0
ip link set dev eth0 arp off

Show the routing table

route
ip route show

With ip you can query which interface a packet to a given IP address would be routed through:

ip route get 192.168.88.77

Changing the routing table

Add a route:

route add -net 192.168.3.0/24 dev eth3
ip route add 192.168.3.0/24 dev eth3

Removing entries from a routing table:

route del -net 192.168.3.0/24 dev eth3
ip route del 192.168.3.0/24 dev eth3

Add a gateway:

route add -net 192.168.4.0/24 gw 192.168.4.1
ip route add 192.168.4.0/24 via 192.168.4.1
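Because the netmask-to-prefix conversion is the one step in this mapping that is not a plain renaming, here is a small Python translator, added as an example and not part of the original post, that turns the ifconfig lines above into their ip equivalents. It handles only the command forms shown in this post and refuses anything else rather than guessing.

```python
import ipaddress
import shlex


def netmask_to_prefix(netmask):
    """Dotted-quad netmask (255.255.255.0) -> prefix length (24)."""
    return ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen


def ifconfig_to_ip(cmdline):
    """Translate one ifconfig command line into the ip command(s) that replace it.

    Covers the forms used in the post: listing devices, up/down, address
    assignment with optional netmask/broadcast, alias interfaces and -arp.
    Anything else raises ValueError instead of emitting a guessed command.
    """
    argv = shlex.split(cmdline)
    if not argv or argv[0] != "ifconfig":
        raise ValueError(f"not an ifconfig command line: {cmdline!r}")
    args = argv[1:]
    if not args:                                    # ifconfig -> show devices
        return ["ip addr show", "ip link show"]
    if args[0] == "-arp":                            # ifconfig -arp eth0
        return [f"ip link set dev {args[1]} arp off"]
    dev, rest = args[0], args[1:]
    if not rest:                                     # ifconfig eth0 -> show one device
        return [f"ip addr show dev {dev}"]
    if rest in (["up"], ["down"]):                   # ifconfig eth0 up|down
        return [f"ip link set {dev} {rest[0]}"]

    # Address assignment: first token is the address, optionally written addr/prefix
    addr, _, prefix = rest[0].partition("/")
    opts = dict(zip(rest[1::2], rest[2::2]))        # "netmask X broadcast Y" -> {netmask: X, ...}
    if "netmask" in opts:
        prefix = str(netmask_to_prefix(opts["netmask"]))
    # A bare address gets no prefix here, reproducing the post's literal translation;
    # see the note below on why that is not a perfect equivalent.
    out = f"ip addr add {addr}" + (f"/{prefix}" if prefix else "")
    if "broadcast" in opts:
        out += f" broadcast {opts['broadcast']}"
    base, _, alias = dev.partition(":")              # eth0:1 -> dev eth0 label eth0:1
    out += f" dev {base}" + (f" label {dev}" if alias else "")
    return [out]


if __name__ == "__main__":
    for line in ("ifconfig", "ifconfig eth0 up",
                 "ifconfig eth0 192.168.0.77 netmask 255.255.255.0 broadcast 192.168.0.255",
                 "ifconfig eth0:1 10.0.0.1/8", "ifconfig -arp eth0"):
        print(f"{line:75} -> {' ; '.join(ifconfig_to_ip(line))}")
```

One caveat the literal translation hides: `ifconfig eth0 192.168.0.77` without a netmask picks a classful default mask (/24 for a 192.x address), whereas `ip addr add 192.168.0.77 dev eth0` adds a /32, so the "simple version" pair above is not strictly equivalent; always give ip an explicit prefix length.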

A more complete list of deprecated commands and their replacements is available in this post by Doug Vitale:

Deprecated Linux networking commands and their replacements


References

Deprecated Linux networking commands and their replacements

The Internet is still broken

BGP Hijacking is an actual problem that we need to solve


Yesterday I read a brief but interesting article about BGP Hijacking written by Johannes B. Ullrich, published on the SANS ISC InfoSec Forum.

I have already written about BGP Hijacking; you can read it at https://www.andreafortuna.org/bgp-hijacking-current-state-and-future-developments-d4077c215d12.

Essentially, BGP Hijacking is the illegitimate takeover of groups of IP addresses by corrupting Internet routing tables:

The Internet is a network of networks.

Each “Autonomous system” (AS) connects to the internet using a router that “speaks” the Border Gateway Protocol (BGP) to disseminate and receive routing information.

The problem is that there is no authoritative way to figure out who is supposed to receive which IP address space.

If I got a new IP address range assigned, or if I agree to route it as part of an agreement with another network, then I will use BGP to advertise this to the Internet.

Sadly, nobody has figured out yet how to validate these advertisements. As a result, it is somewhat common for BGP to be abused to advertise IP addresses that an organization doesn’t actually own. This can lead to a denial of service, or miscreants can start using it for a man-in-the-middle attack.

The article also refers to a recent case of BGP abuse in which large chunks of network traffic belonging to MasterCard, Visa, and more than two dozen other financial services companies were briefly routed through a Russian government-controlled telecom:

https://arstechnica.com/security/2017/04/russian-controlled-telecom-hijacks-financial-services-internet-traffic/

“Quite suspicious”

“I would classify this as quite suspicious,” Doug Madory, director of Internet analysis at network management firm Dyn, told Ars. “Typically accidental leaks appear more voluminous and indiscriminate. This would appear to be targeted to financial institutions. A typical cause of these errors [is] in some sort of internal traffic engineering, but it would seem strange that someone would limit their traffic engineering to mostly financial networks.”

Ullrich also suggests some mitigations for this kind of attack:

So in short, what can you do about it?

1 — The internet is an untrusted network. Deal with it. Assume people are rerouting, eavesdropping and manipulating your traffic. Technologies like TLS will help you detect these issues if properly implemented. VPNs can help to secure trusted connections within an organization or between trusted partners. But this is exactly why you have to audit these configurations and make sure they are configured based on current best practices.

2 — Monitor if someone is trying to hijack IP address space you are using.

3 — If you do own IP address space, and if you do manage BGP yourself, then make sure you implement the few security features that are available.
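Ullrich's second and third points (monitor your own address space; use the security features that exist) can be backed by a small monitor. The following Python is an added example, not code from the ISC article or from this post: the prefixes, ASNs, ROAs and observed announcements are constructed sample data from the documentation ranges, and the route-origin-validation logic follows RFC 6811.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: ASNs from the private range, prefixes from RFC 5737.
# None of this corresponds to a real allocation or a real announcement.
OWNED_PREFIXES = {"203.0.113.0/24": 64500, "198.51.100.0/23": 64500}

# Route Origin Authorizations for our space: (prefix, maxLength, authorised origin AS).
ROAS = [("203.0.113.0/24", 24, 64500), ("198.51.100.0/23", 24, 64500)]

# Announcements as a route collector or looking glass would show them: (prefix, AS path).
OBSERVED = [
    ("203.0.113.0/24", [64496, 64500]),      # ours, expected origin
    ("203.0.113.128/25", [64511, 64499]),    # more-specific inside our /24, foreign origin
    ("198.51.100.0/23", [64496, 64500]),     # ours, expected origin
    ("198.51.100.0/23", [64511, 64498]),     # same prefix, wrong origin
    ("198.51.100.0/24", [64496, 64500]),     # our own more-specific (traffic engineering)
    ("192.0.2.0/24", [64496, 64497]),        # not our space: ignored
]


@dataclass(frozen=True)
class Alert:
    kind: str        # "origin-mismatch" or "more-specific"
    prefix: str
    origin_as: int
    covering: str    # the owned prefix the announcement collides with
    rpki: str        # "valid", "invalid" or "not-found"


def rpki_state(prefix, origin_as, roas):
    """Route origin validation as in RFC 6811: valid if some ROA covers the prefix
    with the same origin AS and prefix length <= maxLength; invalid if ROAs cover
    the prefix but none matches; not-found if no ROA covers it at all."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        if net.subnet_of(ipaddress.ip_network(roa_prefix)):
            covered = True
            if asn == origin_as and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "not-found"


def check_announcements(owned, observed, roas):
    """Flag announcements that conflict with the expected origin of owned space.

    Reported: an owned prefix announced with an unexpected origin, and a
    more-specific inside owned space from an unexpected origin (which wins in
    every router's FIB regardless of what the legitimate covering route says).
    A more-specific carrying our own origin AS is treated as deliberate and is
    not flagged, so an attacker who forges our ASN as origin is not caught here.
    """
    owned_nets = {ipaddress.ip_network(p): asn for p, asn in owned.items()}
    alerts = []
    for prefix, path in observed:
        net, origin = ipaddress.ip_network(prefix), path[-1]
        for ours, expected in owned_nets.items():
            if origin == expected or not net.subnet_of(ours):
                continue
            kind = "origin-mismatch" if net == ours else "more-specific"
            alerts.append(Alert(kind, prefix, origin, str(ours),
                                rpki_state(prefix, origin, roas)))
    return alerts


if __name__ == "__main__":
    for a in check_announcements(OWNED_PREFIXES, OBSERVED, ROAS):
        print(f"{a.kind:16} {a.prefix:20} origin AS{a.origin_as} "
              f"overlaps {a.covering} rpki={a.rpki}")
```

In practice the OBSERVED list would be fed from a route collector or a BGP monitoring service rather than hard-coded, and the RPKI state is only useful as a defence if the networks carrying the traffic actually drop "invalid" routes; the check tells you that you have been hijacked, not that anyone else will notice.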


For more information, please refer to the original article on the SANS Forum:

https://arstechnica.com/security/2017/04/russian-controlled-telecom-hijacks-financial-services-internet-traffic/


More references about BGP Hijacking

https://arstechnica.com/security/2017/04/russian-controlled-telecom-hijacks-financial-services-internet-traffic/

VBA IP Functions: IP manipulation with Visual Basic for Applications

“Seriously? Are you still using VBA?”


Do you think that Visual Basic for Applications is ugly, slow, cumbersome, old and confusing?

Well … I agree with you!

But if you need to create a macro in Excel for IP lookup in a list of subnets, it can be useful to exhume some code written several years ago.

And since now we have GitHub, why not publish it?

Maybe it can be useful to some other despairing programmer.


from the README on GitHub:

Functions List

IpIsValid

Returns true if an IP address is formatted exactly as it should be: no space, no extra zero, no incorrect value

IpStrToBin

Converts a text IP address to binary

ex:

IpStrToBin(“1.2.3.4”) returns 16909060

IpBinToStr

Converts a binary IP address to text

ex:

IpBinToStr(16909060) returns “1.2.3.4”

IpAdd

ex:

IpAdd(“192.168.1.1”; 4) returns “192.168.1.5”

IpAdd(“192.168.1.1”; 256) returns “192.168.2.1”

IpAnd

IP logical AND

ex:

IpAnd(“192.168.1.1”; “255.255.255.0”) returns “192.168.1.0”

IpAdd2

another implementation of IpAdd which does not use the binary representation

IpGetByte

get one byte from an ip address given its position

ex:

IpGetByte(“192.168.1.1”; 1) returns 192

IpSetByte

set one byte in an ip address given its position and value

ex:

IpSetByte(“192.168.1.1”; 4; 20) returns “192.168.1.20”

IpMask

returns an IP netmask from a subnet; both notations are accepted

ex:

IpMask(“192.168.1.1/24”) returns “255.255.255.0”

IpMask(“192.168.1.1 255.255.255.0”) returns “255.255.255.0”

IpWildMask

returns an IP Wildcard (inverse) mask from a subnet; both notations are accepted

ex:

IpWildMask(“192.168.1.1/24”) returns “0.0.0.255”

IpWildMask(“192.168.1.1 255.255.255.0”) returns “0.0.0.255”

IpInvertMask

returns an IP Wildcard (inverse) mask from a subnet mask or a subnet mask from a wildcard mask

ex:

IpWildMask(“255.255.255.0”) returns “0.0.0.255”

IpWildMask(“0.0.0.255”) returns “255.255.255.0”

IpMaskLen

returns prefix length from a mask given by a string notation (xx.xx.xx.xx)

ex:

IpMaskLen(“255.255.255.0”) returns 24 which is the number of bits of the subnetwork prefix

IpWithoutMask

removes the netmask notation at the end of the IP

ex:

IpWithoutMask(“192.168.1.1/24”) returns “192.168.1.1”

IpWithoutMask(“192.168.1.1 255.255.255.0”) returns “192.168.1.1”

IpSubnetLen

get the mask len from a subnet

ex: IpSubnetLen(“192.168.1.1/24”) returns 24

IpSubnetLen(“192.168.1.1 255.255.255.0”) returns 24

IpSubnetSize

returns the number of addresses in a subnet

ex:

IpSubnetSize(“192.168.1.32/29”) returns 8

IpSubnetSize(“192.168.1.0 255.255.255.0”) returns 256

IpClearHostBits

set to zero the bits in the host part of an address

ex:

IpClearHostBits(“192.168.1.1/24”) returns “192.168.1.0/24”

IpClearHostBits(“192.168.1.193 255.255.255.128”) returns “192.168.1.128 255.255.255.128”

IpIsInSubnet

returns TRUE if “ip” is in “subnet”; subnet must have the / mask notation (xx.xx.xx.xx/yy)

ex:

IpIsInSubnet(“192.168.1.35”; “192.168.1.32/29”) returns TRUE

IpIsInSubnet(“192.168.1.35”; “192.168.1.32 255.255.255.248”) returns TRUE

IpIsInSubnet(“192.168.1.41”; “192.168.1.32/29”) returns FALSE

IpSubnetVLookup

tries to match an IP address against a list of subnets in the left-most column of table_array and returns the value in the same row based on the index_number

this function selects the smallest matching subnet

“ip” is the value to search for in the subnets in the first column of the table_array

“table_array” is one or more columns of data

“index_number” is the column number in table_array from which the matching value must be returned. The first column which contains subnets is 1.

note: add the subnet 0.0.0.0/0 at the end of the array if you want the function to return a default value

IpSubnetMatch

tries to match an IP address against a list of subnets in the left-most column of table_array and returns the row number; this function selects the smallest matching subnet

“ip” is the value to search for in the subnets in the first column of the table_array

“table_array” is one or more columns of data

returns 0 if the IP address is not matched.

IpSubnetIsInSubnet

returns TRUE if “subnet1” is in “subnet2”; subnets must have the / mask notation (xx.xx.xx.xx/yy)

ex:

IpSubnetIsInSubnet(“192.168.1.35/30”; “192.168.1.32/29”) returns TRUE

IpSubnetIsInSubnet(“192.168.1.41/30”; “192.168.1.32/29”) returns FALSE

IpSubnetIsInSubnet(“192.168.1.35/28”; “192.168.1.32/29”) returns FALSE

IpSubnetInSubnetVLookup

tries to match a subnet against a list of subnets in the left-most column of table_array and returns the value in the same row based on the index_number; the value matches if ‘subnet’ is equal to or included in one of the subnets in the array

“subnet” is the value to search for in the subnets in the first column of the table_array

“table_array” is one or more columns of data

“index_number” is the column number in table_array from which the matching value must be returned. The first column which contains subnets is 1.

note: add the subnet 0.0.0.0/0 at the end of the array if you want the function to return a default value

IpSubnetInSubnetMatch

tries to match a subnet against a list of subnets in the left-most column of table_array and returns the row number; the value matches if ‘subnet’ is equal to or included in one of the subnets in the array

“subnet” is the value to search for in the subnets in the first column of the table_array

“table_array” is one or more columns of data

returns 0 if the subnet is not included in any of the subnets from the list

IpFindOverlappingSubnets

this function must be used in an array formula; it finds which subnets in the list overlap

“SubnetsArray” is a single-column array containing a list of subnets; the list may be sorted or not. The return value is also an array of the same size. If the subnet on line x is included in a larger subnet from another line, this function returns an array in which line x contains the value of the larger subnet. If the subnet on line x is distinct from any other subnet in the array, then this function returns an empty cell on line x. If there are no overlapping subnets in the input array, the returned array is empty.

IpSortArray

this function must be used in an array formula

“ip_array” is a single-column array containing IP addresses; the return value is also an array of the same size containing the same addresses sorted in ascending or descending order

“descending” is an optional parameter, if set to True the addresses are sorted in descending order

IpSubnetSortArray

this function must be used in an array formula

“ip_array” is a single-column array containing IP subnets in “prefix/len” or “prefix mask” notation; the return value is also an array of the same size containing the same subnets sorted in ascending or descending order

“descending” is an optional parameter, if set to True the subnets are sorted in descending order

IpParseRoute

this function is used by IpSubnetSortJoinArray to extract the subnet and next hop from a route; the supported formats are:

10.0.0.0 255.255.255.0 1.2.3.4

10.0.0.0/24 1.2.3.4

the next hop can be any character sequence, and not only an IP

IpSubnetSortJoinArray

this function can sort and summarize subnets or IP routes; it must be used in an array formula

“ip_array” is a single column array containing ip subnets in “prefix/len” or “prefix mask” notation

the return value is also an array of the same size containing the same subnets sorted in ascending order; any consecutive subnets of the same size will be summarized when possible. Each line may contain any character sequence after the subnet, such as a next hop or any parameter of an IP route; in this case, only subnets with the same parameters will be summarized

IpDivideSubnet

divide a network in smaller subnets

“n” is the value that will be added to the subnet length

“SubnetSeqNbr” is the index of the smaller subnet to return

ex:

IpDivideSubnet(“1.2.3.0/24”; 2; 0) returns “1.2.3.0/26”

IpDivideSubnet(“1.2.3.0/24”; 2; 1) returns “1.2.3.64/26”

IpIsPrivate

returns TRUE if “ip” is in one of the private IP address ranges

ex:

IpIsPrivate(“192.168.1.35”) returns TRUE

IpIsPrivate(“209.85.148.104”) returns FALSE

IpDiff

difference between 2 IP addresses

ex:

IpDiff(“192.168.1.7”; “192.168.1.1”) returns 6

IpParse

Parses an IP address by iteration from right to left. Removes one byte from the right of “ip” and returns it as an integer.

ex:

if ip = “192.168.1.32”

IpParse(ip) returns 32, and ip = “192.168.1” when the function returns

IpBuild

Builds an IP address by iteration from right to left. Adds “ip_byte” to the left of “ip”.

If “ip_byte” is greater than 255, only the lower 8 bits are added to “ip” and the remaining bits are returned to be used on the next IpBuild call

ex 1:

if ip = “168.1.1”

IpBuild(192, ip) returns 0 and ip = “192.168.1.1”

ex 2:

if ip = “1”

IpBuild(258, ip) returns 1 and ip = “2.1”

IpMaskBin

returns binary IP mask from an address with / notation (xx.xx.xx.xx/yy)

ex:

IpMask(“192.168.1.1/24”) returns 4294967040 which is the binary representation of “255.255.255.0”
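To show what the lookup, overlap and summarisation functions actually compute, here is a Python reimplementation of a handful of them on top of the standard ipaddress module. It is an added example, not the VBA code from the repository: the function names are lowercase Python equivalents of the README names, the lookup table in the demo is constructed, and ip_subnet_sort_join generalises the README's same-size-only rule because ipaddress.collapse_addresses also merges adjacent subnets of different sizes.

```python
import ipaddress


def parse_subnet(text):
    """Accept both README notations, 'a.b.c.d/len' and 'a.b.c.d m.m.m.m'.
    Host bits are cleared, so 192.168.1.35/30 is read as 192.168.1.32/30."""
    text = text.strip()
    if "/" not in text:
        addr, mask = text.split()
        text = f"{addr}/{mask}"
    return ipaddress.ip_network(text, strict=False)


def ip_is_in_subnet(ip, subnet):                       # IpIsInSubnet
    return ipaddress.ip_address(ip) in parse_subnet(subnet)


def ip_subnet_size(subnet):                            # IpSubnetSize
    return parse_subnet(subnet).num_addresses


def ip_divide_subnet(subnet, n, seq):                  # IpDivideSubnet
    """Lengthen the prefix by n bits and return the seq-th (0-based) resulting subnet."""
    return str(list(parse_subnet(subnet).subnets(prefixlen_diff=n))[seq])


def ip_subnet_vlookup(ip, table_array, index_number):  # IpSubnetVLookup
    """Longest-prefix match: among rows whose first-column subnet contains ip, take
    the smallest subnet and return its index_number-th (1-based) column, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for row in table_array:
        net = parse_subnet(row[0])
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, row)
    return None if best is None else best[1][index_number - 1]


def ip_find_overlapping_subnets(subnets):              # IpFindOverlappingSubnets
    """For each line, a subnet from another line that contains it, or '' if none."""
    nets = [parse_subnet(s) for s in subnets]
    result = []
    for i, net in enumerate(nets):
        parents = [subnets[j] for j, other in enumerate(nets)
                   if j != i and net.subnet_of(other)]
        result.append(parents[0] if parents else "")
    return result


def ip_subnet_sort_join(lines):                        # IpSubnetSortJoinArray
    """Sort routes and summarise adjacent subnets, but only among lines that carry
    the same trailing parameters (next hop etc.)."""
    groups = {}
    for line in lines:
        subnet, _, rest = line.strip().partition(" ")
        if "/" not in subnet:                          # "prefix mask rest" notation
            mask, _, rest = rest.partition(" ")
            subnet = f"{subnet}/{mask}"
        groups.setdefault(rest.strip(), []).append(ipaddress.ip_network(subnet, strict=False))
    merged = [(net, rest) for rest, nets in groups.items()
              for net in ipaddress.collapse_addresses(nets)]
    merged.sort(key=lambda item: (int(item[0].network_address), item[0].prefixlen, item[1]))
    return [f"{net} {rest}".rstrip() for net, rest in merged]


if __name__ == "__main__":
    # Constructed lookup table: subnet in column 1, a site label in column 2.
    table = [("10.0.0.0/8", "corp"), ("10.1.0.0/16", "branch"), ("0.0.0.0/0", "default")]
    print(ip_subnet_vlookup("10.1.2.3", table, 2))
    print(ip_find_overlapping_subnets(["192.168.1.35/30", "192.168.1.32/29"]))
    print(ip_subnet_sort_join(["10.0.0.128/25 1.2.3.4", "10.0.0.0 255.255.255.128 1.2.3.4",
                               "10.0.1.0/24 5.6.7.8"]))
```

The longest-prefix rule in ip_subnet_vlookup is what makes the README's "add 0.0.0.0/0 at the end for a default value" trick work: the /0 matches everything but loses to any more specific row, so it only wins when nothing else does.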


More info and downloads on the GitHub repository:

https://github.com/andreafortuna/VBAIPFunctions

Online PCAP analysis with PacketTotal

Why use Wireshark?


PacketTotal is an online engine for analyzing .pcap files and visualizing the network traffic within, useful for malware analysis and incident response.

PacketTotal leverages features of BRO IDS and Suricata to flag malicious/suspicious traffic, display detailed protocol information, and extract artifacts found inside the packet capture.

What does PacketTotal offer that a traditional packet-capture tool does not?

PacketTotal presents information at a higher level than tools such as Wireshark. When I built this tool I was less concerned about duplicating the functionality of these tools and more about automating the extraction of information that would be useful to security analysts and researchers.

On top of extracting information useful for quickly understanding the scope of a security incident or how a particular piece of malware communicates, PacketTotal:

  • Extracts artifacts found inside the packet-capture and makes them available for download
  • Reconstructs a timeline of TCP, UDP, and ICMP connections within the capture
  • Provides drill-down analytics that can aid in understanding the behavior of traffic found within the capture

Can I use PacketTotal to analyze a traffic capture containing sensitive information?

I don’t recommend it.

Everything stored within the packet-capture including the file itself is stored on the backend. Your public IP address is also captured at the time of the upload for the purpose of analytics and security.

Concerning the possibility of a private report, the FAQ says this:

This is a very legitimate use-case, however one of the primary goals of this project was to allow open intel sharing of malicious packet-captures across the InfoSec community. I am working on a private API which I plan on making available in mid-2017. For the time being, simply use one of the numerous .pcap editing tools to redact any information you do not want shared prior to upload.
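The FAQ's advice to redact a capture before uploading it is easy to get subtly wrong: rewriting addresses without fixing the IPv4 and TCP/UDP checksums leaves a capture that analysis tools flag on every packet, which itself tells the recipient something was edited. The Python below is an added example, not a PacketTotal tool or anything from this post: it rewrites IPv4 addresses in a classic Ethernet pcap with stable placeholders from 203.0.113.0/24 while keeping checksums valid, and the one-packet capture it builds is constructed sample data.

```python
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4              # classic little-endian pcap (pcapng is not handled)
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
TRANSPORT_CKSUM_OFFSET = {6: 16, 17: 6}   # checksum field offset in a TCP / UDP segment

def ones_complement_sum(data):
    """16-bit one's-complement checksum shared by IPv4, TCP and UDP; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def incremental_checksum(old_cksum, old_words, new_words):
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'): repair a checksum after covered words changed."""
    acc = (~old_cksum) & 0xFFFF
    for m, m_new in zip(old_words, new_words):
        acc += ((~m) & 0xFFFF) + m_new
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return (~acc) & 0xFFFF

class Redactor:
    """Replaces every address inside `sensitive` with a stable placeholder taken from `pool`."""

    def __init__(self, sensitive, pool="203.0.113.0/24"):
        self.sensitive = [ipaddress.ip_network(n) for n in sensitive]
        self.pool = ipaddress.ip_network(pool).hosts()   # generator handing out .1, .2, ...
        self.mapping = {}

    def map_ip(self, packed):
        addr = ipaddress.ip_address(packed)
        if not any(addr in net for net in self.sensitive):
            return packed
        if addr not in self.mapping:
            self.mapping[addr] = next(self.pool)         # StopIteration once the pool is used up
        return self.mapping[addr].packed

    def redact_frame(self, frame):
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            return frame                                 # not IPv4 over Ethernet: left as is
        ip = 14                                          # IPv4 header follows the Ethernet header
        ihl, proto = (frame[ip] & 0x0F) * 4, frame[ip + 9]
        old_src, old_dst = frame[ip + 12:ip + 16], frame[ip + 16:ip + 20]
        new_src, new_dst = self.map_ip(old_src), self.map_ip(old_dst)
        if (new_src, new_dst) == (old_src, old_dst):
            return frame
        out = bytearray(frame)
        out[ip + 12:ip + 20] = new_src + new_dst
        out[ip + 10:ip + 12] = b"\x00\x00"               # IPv4 header checksum: recompute from scratch
        out[ip + 10:ip + 12] = struct.pack("!H", ones_complement_sum(bytes(out[ip:ip + ihl])))
        off = TRANSPORT_CKSUM_OFFSET.get(proto)          # TCP/UDP checksums cover the addresses too
        if off is not None:
            pos = ip + ihl + off
            old = struct.unpack("!H", frame[pos:pos + 2])[0]
            if not (proto == 17 and old == 0):           # UDP checksum 0 means "none": keep it
                fixed = incremental_checksum(old, struct.unpack("!4H", old_src + old_dst),
                                             struct.unpack("!4H", new_src + new_dst))
                out[pos:pos + 2] = struct.pack("!H", fixed)
        return bytes(out)

def redact_pcap(data, sensitive):
    """Rewrite IPv4 addresses throughout a capture; returns (new pcap bytes, address map)."""
    magic, link = struct.unpack("<I", data[:4])[0], struct.unpack("<I", data[20:24])[0]
    if magic != PCAP_MAGIC or link != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian classic pcap with Ethernet frames is handled")
    red, out, pos = Redactor(sensitive), bytearray(data[:24]), 24
    while pos < len(data):                               # 16-byte record header, then the frame
        incl_len = struct.unpack("<I", data[pos + 8:pos + 12])[0]
        out += data[pos:pos + 16] + red.redact_frame(data[pos + 16:pos + 16 + incl_len])
        pos += 16 + incl_len
    return bytes(out), red.mapping

def checksums_ok(frame):
    """True if the IPv4 header checksum and (for TCP/UDP) the transport checksum verify."""
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if ones_complement_sum(ip) != 0:
        return False
    proto, total_len = ip[9], struct.unpack("!H", ip[2:4])[0]
    if proto not in TRANSPORT_CKSUM_OFFSET:
        return True
    segment = frame[14 + ihl:14 + total_len]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(segment))
    return ones_complement_sum(pseudo + segment) == 0

def build_sample_pcap():
    """Constructed one-packet capture: UDP 10.1.2.3:5353 -> 192.168.7.8:53, valid checksums."""
    src, dst = ipaddress.ip_address("10.1.2.3").packed, ipaddress.ip_address("192.168.7.8").packed
    udp = struct.pack("!HHHH", 5353, 53, 17, 0) + b"redact-me"        # length 17, checksum 0
    pseudo = src + dst + struct.pack("!BBH", 0, 17, len(udp))          # zero, proto UDP, length
    udp = udp[:6] + struct.pack("!H", ones_complement_sum(pseudo + udp)) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    frame = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
```

Addresses are only one part of what a capture leaks: hostnames in DNS and HTTP, MAC addresses, and application payloads survive this pass untouched, and the returned mapping is itself sensitive since it reverses the redaction, so keep it out of the upload.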


References

http://www.packettotal.com/about.html

BlackNurse: DoS attacks for everyone

Overload firewalls from a laptop (but also from a mobile phone!)


When it comes to launching successful DDoS attacks, the equation is simple:

more traffic and more devices generating that traffic = more chance of knocking down a server.

But recently researchers at TDC Security Operations Center (a Danish security firm) have discovered a new attack technique that lone attackers with limited resources can use to take large servers offline.

The technique, named “BlackNurse”, can be used to launch low-volume DoS attacks by sending specially crafted ICMP packets that overwhelm the processors of servers protected by firewalls from multiple vendors.


Products Affected

  • Cisco ASA 5506, 5515, 5525
  • Cisco ASA 5550 and 5515-X
  • Cisco Router 897
  • SonicWall
  • Some unverified Palo Alto
  • Zyxel NWA3560-N
  • Zyxel Zywall USG50

… and probably many more!


The attack

The attack is more traditionally known as a “ping flood attack” and is based on ICMP Type 3 (Destination Unreachable) Code 3 (Port Unreachable) messages.

By sending this type of ICMP, an attacker can cause a Denial of Service state by overloading the CPUs of certain types of server firewalls, regardless of the quality of internet connection:

Low bandwidth is in this case around 15–18 Mbit/s. This is to achieve the volume of packets needed which is around 40 to 50K packets per second. It does not matter if you have a 1 Gbit/s Internet connection.

The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops.


Test your devices

From blacknurse.dk:

The best way to test if your systems are vulnerable is to allow ICMP on the WAN side of your firewall and do some testing with Hping3.

Use Hping3 with one of the following commands:

hping3 -1 -C 3 -K 3 -i u20 <target ip>
hping3 -1 -C 3 -K 3 --flood <target ip>

Based on our test, we know that a reasonable sized laptop can produce approx. a 180 Mbit/s DoS attack with these commands. We have also made tests using a Nexus 6 mobile phone with Nethunter/Kali which only can produce 9.5 Mbit/s and therefore cannot single-handedly perform the BlackNurse attack.


A fast mitigation?

The researchers have published the following Snort/IPS rules for detecting Type 3 Code 3 flooding:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"TDC-SOC - Possible BlackNurse attack from external source"; itype:3; icode:3; detection_filter:track by_dst, count 250, seconds 1; reference:url,soc.tdc.dk/blacknurse/blacknurse.pdf; metadata:TDC-SOC-CERT,18032016; priority:3; sid:88000012; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"TDC-SOC - Possible BlackNurse attack from internal source"; itype:3; icode:3; detection_filter:track by_dst, count 250, seconds 1; reference:url,soc.tdc.dk/blacknurse/blacknurse.pdf; metadata:TDC-SOC-CERT,18032016; priority:3; sid:88000013; rev:1;)
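To see what the rules' detection_filter threshold means operationally, here is a Python replay of the same logic over constructed ICMP events. It is an added example, not TDC's code: its sliding-window model of detection_filter (fire for every matching packet once more than `count` of them hit one destination within `seconds`, tracked per destination as `track by_dst` does) is an assumption about Snort's semantics rather than a copy of them, and the traffic it replays is made up.

```python
from collections import defaultdict, deque


def blacknurse_alerts(events, count=250, seconds=1.0):
    """Replay ICMP events through a simplified model of the rule's detection_filter.

    events: iterable of (timestamp, src_ip, dst_ip, icmp_type, icmp_code), in time order.
    Assumption (not Snort's code): per-destination sliding window; every type 3 /
    code 3 packet that takes the destination above `count` packets in the trailing
    `seconds` window produces an alert. Returns a list of (timestamp, dst_ip).
    """
    windows = defaultdict(deque)     # dst_ip -> timestamps of recent 3/3 packets
    alerts = []
    for ts, _src, dst, itype, icode in events:
        if (itype, icode) != (3, 3):
            continue                 # the rule only matches Port Unreachable
        window = windows[dst]
        window.append(ts)
        while window and ts - window[0] > seconds:
            window.popleft()         # drop packets that fell out of the window
        if len(window) > count:
            alerts.append((ts, dst))
    return alerts


def make_sample_events():
    """Constructed traffic: a 300-packet burst (500 pps) of Port Unreachable at the
    firewall's WAN address, a slow trickle to another host, and some echo replies."""
    flood = [(i / 500, "198.51.100.7", "192.0.2.10", 3, 3) for i in range(300)]
    trickle = [(i * 0.2, "198.51.100.8", "192.0.2.11", 3, 3) for i in range(10)]
    echo = [(i / 500, "198.51.100.9", "192.0.2.10", 0, 0) for i in range(400)]
    return sorted(flood + trickle + echo)


if __name__ == "__main__":
    hits = blacknurse_alerts(make_sample_events())
    print(f"{len(hits)} alerts; first at t={hits[0][0]}s for {hits[0][1]}")
```

Two things the replay makes visible: the 250 packets/second threshold is two orders of magnitude below the 40 to 50K packets/second the TDC write-up says the attack needs, so the rule also catches a probe that is nowhere near effective; and because it counts per destination, a host that legitimately emits many Port Unreachable replies (anything being port-scanned, for example) will trip the internal-source rule as well, which is worth knowing before tuning the count.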

References and papers

http://blacknurse.dk/
https://soc.tdc.dk/blacknurse/blacknurse.pdf

30 Nmap Command Examples from nixCraft

Useful for Sys/Network Admins


Great post from nixCraft about the famous security tool Nmap:

The purpose of this post is to introduce a user to the nmap command line tool to scan a host and/or network, so as to find out the possible vulnerable points in the hosts. You will also learn how to use Nmap for offensive and defensive purposes.

The post proposes a course of 30 commands that expose the main features of nmap:

  1. Scan a single host or an IP address (IPv4)
  2. Scan multiple IP address or subnet (IPv4)
  3. Read list of hosts/networks from a file (IPv4)
  4. Excluding hosts/networks (IPv4)
  5. Turn on OS and version detection scanning script (IPv4)
  6. Find out if a host/network is protected by a firewall
  7. Scan a host when protected by the firewall
  8. Scan an IPv6 host/address
  9. Scan a network and find out which servers and devices are up and running
  10. How do I perform a fast scan?
  11. Display the reason a port is in a particular state
  12. Only show open (or possibly open) ports
  13. Show all packets sent and received
  14. Show host interfaces and routes
  15. How do I scan specific ports?
  16. The fastest way to scan all your devices/computers for open ports ever
  17. How do I detect remote operating system?
  18. How do I detect remote services (server / daemon) version numbers?
  19. Scan a host using TCP ACK (PA) and TCP Syn (PS) ping
  20. Scan a host using IP protocol ping
  21. Scan a host using UDP ping
  22. Find out the most commonly used TCP ports using TCP SYN Scan
  23. Scan a host for UDP services (UDP scan)
  24. Scan for IP protocol
  25. Scan a firewall for security weakness
  26. Scan a firewall for packets fragments
  27. Cloak a scan with decoys
  28. Scan a firewall for MAC address spoofing
  29. How do I save output to a text file?
  30. Not a fan of command line tools?

Yes, the last point isn’t a real command, but a tip to install a graphical frontend for Nmap, Zenmap:

$ sudo apt-get install zenmap