SS7 network part 1

So based on my researches i wanna share with you guys what i’ve got so far about SS7

1.you can find out a lot of documents about the possible ways to attack SS7 network and download it for free (https://www.slideshare.net/search/slideshow?searchfrom=header&q=ss7)

2.there’s variety of documents but none of them pointed out about how exactly we can do it.
3.also there are tons of Ethical hacking courses but again I couldn’t find any course about SS7 over the internet

alright so let’s talk about SS7 network itself
well i was thinking that i know anything about network and its functionality
and i thought there’s only one network and that is computer network!!
but after reading about SS7 network and PSTN and LTE and other networks out there that our daily basis conversation relies on, I realised there is a lot of other so called hidden networks exist that nobody wants we know or talk about them because of the security reasons…

so i’m gonna cut to the point:
SS7 has many acronym stuff which Even if you aren’t an acronym fan, you’ll have to memorize them so then when you saw for example
HLR/HSS you know what the heck they’re talking about.

HERE is some of acronyms with the description of what they’re doing:

STP (Signal Transfer Point)
The “knots” that hold the network together. These nodes serve to provide network access to other
nodes (by connection with Access Links). STPs transfer messages around the network. STPs
maintain routing tables for the purposes of directing messages to their intended destinations.

SSP (Service Switching Point)
The Service Switching Point is a switch associated node which handles call set-up and has the
ability to stop call processing, make queries of even unknown databases, and perform actions
appropriate to the response. In general, the SS7 messages which originate or terminate here are
either circuit or call routing related.

SCP (Service Control Point)
In general, Service Control Points provide access to databases. These nodes are the residences of
processes which can access the database, extract the required data and return it to the node
requesting the data. The database(s) to which the SCP has access may or may not reside at the
same location as the SCP. The same capabilities that allow the SCP to access databases lend themselves to other uses such as providing access to an IP.

IP (Intelligent Peripheral)
The IP is the residence of processes which manage resources such as signalling sensors and voice
response equipment. The resource management capabilities become available to switches on
demand, thereby freeing switch locations from the need to equip with a myriad of such devices,
and providing highly efficient use of both aging and up-to-date technologies.

CRP (Customer Routing Point)
The CRP provides on-premises control of the routing information requested by switches for translation of 800 type dialing (not limited to 800 numbers). The operator of the CRP is a customer
who requires rapid update and control of the translation of their own numbers.

MSC (Mobile Switching Center)
The Mobile Switching Center maintains control over its own Transceiver network. Part of this
control includes tracking subscribers and performing “hand offs.” The MSC also provides the
landline connections into the PSTN to complete the connection of subscriber calls. Finally, the
MSC makes use of the SS7 network to convey circuit related information to the PSTN and to
communicate with the service providers of “roamers.”

HLR/VLR (Home Location Register/Visitor Location Register)
A database that contains customer information about local subscribers is maintained by each provider. This is the Home Location Register. Another company will access this information when a
“roamer” appears, and use the data for an entry into its Visitor Location Register

==BUT gentleman, this desctiptions aren’t helpful that much
we need to see the steps with the explanation about how exactly we can perform ss7 network attack and i promise you guys there are many ways to do that…

lets look at some ss7 network nodes and how they look like:

HLR/HSS
HLR.HSS

Signaling Converter SS7, ISDN PRI, CAS

STP
STP

these are some of ss7 nodes , so obviously they are running some sort of OS (operation system)

so now i hope after reading some documents about ss7 network you won’t get surprised when you see this picture

as you see in the above picture, we’ve some nodes that you should know at least what’s their functionality in the network.

alright
now it’s time to see the steps that we should take in order to perform a successful attack :

===first thing first, we have to get access to SS7 network,
here is some entry points:
but wait, what are ss7 entry points?
how we can recognize entry points?

well here’s some of them

  • STP connectivity
  • SIGTRAN protocols
    
  • VAS systems e.g. SMSC, IN
    
  • Signaling Gateways, MGW
    
  • SS7 Service providers (GRX, IPX)
    
  • GTT translation
    
  • ISDN terminals
    
  • GSM phones
    
  • LIG (Legal Interception Gateway)
    
  • 3G Femtocell
    
  • SIP encapsulation
    

how we get access to entry points ?
you can do many things, you can find your find your telecommunications company ip range and do some nmap port scanning to finding some open ports and do some exploitation.
proxychains nmap -A -p 21-1000 -Pn [ip]

===more to come for part 2

if you know anything about ss7 attack please let us know because this is far more interesting topic than boring computer network

5 Likes