
3 How to use the SS7 module

Loay Abdelrazek edited this page Jun 24, 2017 · 6 revisions

Before discussing the SS7 module, some terminology needs to be introduced.

Terminology

Global Title (GT): Each node in the operator's core network (MSC, VLR, HLR, etc.) has its own address, comparable to a public IP address, in the format of an international number, for example +441234567890. The GT is the address used for routing traffic to and from these nodes, and between the nodes of different operators.

Point Code (PC): Communication in the SS7 network is done hop by hop until the final destination (GT) is reached. In ITU-T networks a PC is a 14-bit value (0 to 16383, usually written as a 4- or 5-digit decimal number) that identifies the signalling point at the next hop (the STP) that packets must go through to reach the destination. When you get SS7 access, your SS7 provider is your peer, and the peer PC must be set to theirs.

International Mobile Subscriber Identity (IMSI): the most important target parameter. It is the subscriber identity used in all operations within the home operator and in roaming operations between operators. This is the first piece of subscriber information that should be gathered, as all critical attacks (e.g. interception, fraud) are performed using the IMSI.

Mobile Station International Subscriber Directory Number (MSISDN): the subscriber's phone number.

International Mobile Equipment Identity (IMEI): a unique number for each mobile handset. The IMEI is used by a GSM network to identify valid devices and can therefore be used to stop a stolen phone from accessing that network: if a phone is stolen, the owner can call their network provider and instruct them to blacklist the phone using its IMEI. The importance of this value for an attacker is that an extension of the IMEI, the IMEISV, also carries the software version of the handset, allowing a more targeted client-side attack to be prepared.
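The identifiers above are easy to mistype, and the module has no way of telling a malformed IMSI from a real one. The following is an added example (not SigPloit's own code) that splits an IMSI into MCC/MNC/MSIN, splits an IMEI or IMEISV into TAC, serial and check digit or software version, and checks that a GT looks like an international number. The MNC is 2 or 3 digits depending on the country, so the parser takes the length as a parameter (assumption: 2 by default); the sample values in the usage block are constructed, not real subscribers.

```python
# Added example, not part of SigPloit: decode and sanity-check the SS7
# identifiers (IMSI, IMEI/IMEISV, GT) before feeding them to the module.
import re

# E.164-style international number: optional '+', no leading zero, 8-15 digits.
E164_RE = re.compile(r"^\+?[1-9]\d{7,14}$")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum as used by the 15-digit IMEI (the last digit is the check digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def parse_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """Split an IMSI into MCC / MNC / MSIN.

    The MNC length (2 or 3 digits) depends on the country; the caller must
    supply it. Assumption: 2 digits by default.
    """
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 6-15 digits")
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def parse_imei(imei: str) -> dict:
    """Split a 15-digit IMEI (TAC, serial, Luhn check digit) or a 16-digit
    IMEISV (TAC, serial, 2-digit software version; no check digit)."""
    if not imei.isdigit() or len(imei) not in (15, 16):
        raise ValueError("IMEI is 15 digits, IMEISV is 16 digits")
    out = {"tac": imei[:8], "serial": imei[8:14]}
    if len(imei) == 15:
        out["check_digit_ok"] = luhn_valid(imei)
    else:
        out["sv"] = imei[14:16]          # software version, the field that matters for client-side targeting
    return out


def is_global_title(gt: str) -> bool:
    """A GT is an international number such as +441234567890."""
    return bool(E164_RE.match(gt))


if __name__ == "__main__":
    # Constructed sample values, not real subscribers or handsets.
    print(parse_imsi("234150123456789"))
    print(parse_imei("490154203237518"))       # 15-digit IMEI with a valid check digit
    print(parse_imei("4901542032375101"))      # 16-digit IMEISV, software version "01"
    print(is_global_title("+441234567890"))
```

A failed Luhn check on an IMEI collected from the network usually means a transcription error rather than a tampered handset, so treat it as a prompt to re-collect the value.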

Attacking the SS7

In order to attack SS7 on a real-life target you need access to the SS7 network. It is often provided by VoIP providers, SMS providers and HLR lookup web application providers; you just need to dig deeper to find a suitable provider. The project provides two modes of attack: 1) Simulation mode and 2) Live mode.

Live Mode

If you succeeded in getting access, you can jump into Live mode and use the parameters given by your provider. The provider will give you the following parameters:

  1. The global title you will use (GT)
  2. The point code you will use (client PC)
  3. The point code of the provider's peer (peer PC)
  4. The IP address and port of the provider's peer for the SCTP association (peer IP, peer port)

All you need to do is have a static public IP address assigned to the server/machine running the code; the provider will allow access from that address on its side and route your traffic so you can reach all the operators the provider is connected to. The SCTP association will only come up from the exact source IP the provider has allowed, so check that address before suspecting the other parameters.
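Before spending time debugging a SIGTRAN association that never comes up, it is worth checking the four provider-supplied values for the obvious mistakes (GT not in international format, point code outside the ITU range, client and peer point codes identical, port out of range). The following is an added example, not SigPloit code or its configuration format. It assumes ITU-T 14-bit point codes and also converts between the decimal form providers usually hand out and the 3-8-3 (zone-region-signalling point) notation some of them use instead. The sample set at the bottom is constructed: 203.0.113.10 is a documentation address and 2905 is the registered M3UA port, not a real provider's endpoint.

```python
# Added example, not part of SigPloit: sanity-check the live-mode parameters
# (GT, client PC, peer PC, peer IP, peer port) before attempting the association.
import ipaddress
import re

E164_RE = re.compile(r"^\+?[1-9]\d{7,14}$")   # international number, no leading zero
ITU_PC_MAX = (1 << 14) - 1                     # ITU-T point codes are 14-bit: 0..16383


def pc_to_itu(pc: int) -> str:
    """Decimal point code -> ITU 3-8-3 notation (zone-region-signalling point)."""
    if not 0 <= pc <= ITU_PC_MAX:
        raise ValueError("point code outside the 14-bit ITU range")
    return f"{pc >> 11}-{(pc >> 3) & 0xFF}-{pc & 0x7}"


def itu_to_pc(text: str) -> int:
    """ITU 3-8-3 notation -> decimal point code."""
    zone, region, sp = (int(x) for x in text.split("-"))
    if not (0 <= zone < 8 and 0 <= region < 256 and 0 <= sp < 8):
        raise ValueError("field out of range for 3-8-3 notation")
    return (zone << 11) | (region << 3) | sp


def check_live_params(params: dict) -> list:
    """Return the problems found in a live-mode parameter set (empty list = looks usable)."""
    problems = []
    if not E164_RE.match(params.get("gt", "")):
        problems.append("gt: not an international number")
    for key in ("client_pc", "peer_pc"):
        pc = params.get(key)
        if not isinstance(pc, int) or not 0 <= pc <= ITU_PC_MAX:
            problems.append(f"{key}: not a 14-bit ITU point code")
    if isinstance(params.get("client_pc"), int) and params.get("client_pc") == params.get("peer_pc"):
        problems.append("client_pc and peer_pc must differ (the peer PC is the provider's, not yours)")
    try:
        ipaddress.ip_address(params.get("peer_ip", ""))
    except ValueError:
        problems.append("peer_ip: not an IP address")
    port = params.get("peer_port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("peer_port: not a valid TCP/SCTP port")
    return problems


# Constructed sample values, not a real provider's: documentation IP range and
# the registered M3UA port (2905) are used as placeholders.
SAMPLE = {"gt": "+441234567890", "client_pc": 4900, "peer_pc": 2052,
          "peer_ip": "203.0.113.10", "peer_port": 2905}

if __name__ == "__main__":
    print("problems:", check_live_params(SAMPLE))
    print("client PC in 3-8-3 notation:", pc_to_itu(SAMPLE["client_pc"]))
    print("peer PC in 3-8-3 notation:", pc_to_itu(SAMPLE["peer_pc"]))
```

A clean result only means the values are well-formed; whether the provider has actually whitelisted your source IP and provisioned the route can only be confirmed by bringing the association up.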

Simulation Mode

If you have no access but want to get a feel for the attacks and the criticality of such a threat, you can use Simulation mode. The project provides server-side code for each attack, simulating the core node responsible for handling the corresponding requests. The server-side jar files can be found under "SigPloit/Testing/Server/Attacks/". Each server-side program contains the hard-coded values that you need to use on the client side to simulate the attack.
