Penetration Testing mailing list archives

Re: GPRS_UMTS


From: "Johan Mellberg" <johan.mellberg () gmail com>
Date: Fri, 17 Oct 2008 21:16:54 +0200

Hi,

I suggest that for ideas on what to do you take a look at the reference
architecture in the GPRS second stage service description, found in
the specification numbered 23.060
(http://www.3gpp.org/ftp/Specs/2008-09/R1999/23_series/23060-3h0.zip).
Release 1999 is probably the lowest common denominator for the world's
GPRS implementations but feel free to check out newer releases. The
basic reference architecture doesn't really change much.

It's been a while, but regarding PPP: few if any actual networks
support PDP type PPP, only IPv4, so PPP is usually only used, for
instance, between a laptop and a GPRS/UMTS phone being used as a modem.
But of course it doesn't hurt to investigate...

Google is nice, you could for example take a look at
http://student.grm.hia.no/master/ikt01/ikt6400/ekaasin/Master%20Thesis%20Web.htm.
The thesis is getting old but not much has changed, apart from network
equipment slowly being made more secure.

Network architecture design mistakes are probably common, so try Gleb's
suggestions, and try to figure out the actual network topology - is it
possible to even access charging servers or network management servers
by mistake? Try to figure out the vendor of the GGSN, the DNS, the MMS
system etc. and see whether you can figure out what versions of OS and
software are running - perhaps by looking at vendor documentation. That
might open up interesting pen test ideas.

/Johan

2008/10/14 Gleb Paharenko <gpaharenko () gmail com>:
Hi!

You can penetrate the WAP proxy, which is often a component of such networks.
Also, some providers can have intermediate devices which analyze HTTP
requests and charge traffic for commercial sites, for example with
content.
This can be the subject of analysis as well.  Attack the GGSN - for the IP
stack it is an ordinary router. Attack DNS.   Try to send spoofed
packets to your first hop. With wrong firewall settings they can reach
the internal operator network.
Try to get a technical or open-source mobile and attack the PPP stack which
is a part of the GPRS protocol.
A very interesting attack - you can try to reach other handsets
connected, for example, to the WAP APN. In that case you will see the IP of
the devices, not of the computer which connects as in the case of ordinary GPRS. In case
you reach mobile devices over IP - there are a lot of cases to try. Say,
you can try to utilize WAP PUSH or even OMA DM over a UDP bearer! Or turn
it off by consuming all battery power.
Attack the MMS infrastructure in case you have access to it.


Unfortunately, I have had no time to pen test GPRS networks, but
Google should show some attacks on GPRS and UMTS security.

See:
 http://gpaharenko.livejournal.com/3563.html#cutid1


I'm really interested in pen-testing mobile networks. Please let me
know if you reach some interesting results, and do spend the time to share
them with the community.

2008/10/14 Rafa <rafa.sgomez () gmail com>:
Hi all!

I am about to begin an audit of a client's access to a GPRS / UMTS network.
Could someone tell me where to find information about the analysis of this
type of network? Types of attacks? Possible approaches? etc.

Thank you very much in advance!!

--
Rafa Sánchez
http://rafasec.blogspot.com (cc)
--




--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
http://www.linkedin.com/in/gpaharenko

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
