From 866110fae57880620c27fb6def5c72cf21207b9e Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 3 Oct 2024 17:22:34 +0200 Subject: [PATCH] Flipper MAC + SS7 Protocol --- docs/gadgets/esp32.md | 14 ++++++++++- docs/gadgets/flipper-zero.md | 14 +++++++++++ docs/protocols/signaling-system-7.md | 37 ++++++++++++++++++++++++++++ 3 files changed, 64 insertions(+), 1 deletion(-) create mode 100644 docs/protocols/signaling-system-7.md diff --git a/docs/gadgets/esp32.md b/docs/gadgets/esp32.md index d3da9a3c..28b08951 100644 --- a/docs/gadgets/esp32.md +++ b/docs/gadgets/esp32.md @@ -3,6 +3,12 @@ ![ESP32](../assets/esp32-pinout.png) +* [ESP32 datasheet: esp32_datasheet_en.pdf](https://www.espressif.com/sites/default/files/documentation/esp32_datasheet_en.pdf) +* [Xtensa®Instruction Set Architecture (ISA)](https://0x04.net/~mwk/doc/xtensa.pdf) + +ESP32 and ESP8266 share almost the same architecture. + + ## Tools * [espressif/esptool](https://github.com/espressif/esptool) - Espressif SoC serial bootloader utility 
@@ -56,4 +62,10 @@ The ESP32 microprocessor uses the Xtensa instruction set, use `Tensilica Xtensa * [ESP32-reversing - BlackVS](https://github.com/BlackVS/ESP32-reversing) * [ESP32 Wi-Fi Penetration Tool - GitHub - Exploring possibilities of ESP32 platform to attack on nearby Wi-Fi networks](https://github.com/risinek/esp32-wifi-penetration-tool) * [ESP32 Wi-Fi Penetration Tool - Documentation - Exploring possibilities of ESP32 platform to attack on nearby Wi-Fi networks](https://risinek.github.io/esp32-wifi-penetration-tool/) -* [Hacking a Smart Home Device - @jmswrnr - 03 Feb 2024](https://jmswrnr.com/blog/hacking-a-smart-home-device) \ No newline at end of file +* [Hacking a Smart Home Device - @jmswrnr - 03 Feb 2024](https://jmswrnr.com/blog/hacking-a-smart-home-device) +* [Reversing ESP8266 Firmware (Part 1) - Bored Pentester - 26th October 2018](https://boredpentester.com/reversing-esp8266-firmware-part-1/) +* [Reversing ESP8266 Firmware (Part 2) - Bored Pentester - 25th October 2018](https://boredpentester.com/reversing-esp8266-firmware-part-2/) +* [Reversing ESP8266 Firmware (Part 3) - Bored Pentester - 25th October 2018](https://boredpentester.com/reversing-esp8266-firmware-part-3/) +* [Reversing ESP8266 Firmware (Part 4) - Bored Pentester - 25th October 2018](https://boredpentester.com/reversing-esp8266-firmware-part-4/) +* [Reversing ESP8266 Firmware (Part 5) - Bored Pentester - 25th October 2018](https://boredpentester.com/reversing-esp8266-firmware-part-5/) +* [Reversing ESP8266 Firmware (Part 6) - Bored Pentester - 25th October 2018](https://boredpentester.com/reversing-esp8266-firmware-part-6/) \ No newline at end of file diff --git a/docs/gadgets/flipper-zero.md b/docs/gadgets/flipper-zero.md index 3080458e..4a431950 100644 --- a/docs/gadgets/flipper-zero.md +++ b/docs/gadgets/flipper-zero.md 
@@ -49,6 +49,20 @@ * [Unleashed Firmware - Update firmware](https://github.com/DarkFlippers/unleashed-firmware/blob/dev/documentation/HowToInstall.md) +## IOC + +[MAC addresses](https://standards-oui.ieee.org/oui/oui.txt) from IEEE for Flipper Zero: `0C:FA:22:XX:XX:XX`. +This applies to Bluetooth, Ethernet, WiFi interfaces. + +```ps1 +0C-FA-22 (hex) FLIPPER DEVICES INC +0CFA22 (base 16) FLIPPER DEVICES INC + 2803 Philadelphia Pike Suite B #551 + Claymont 19703 + US +``` + + ## References * [The Ultimate Guide / CheatSheet to Flipper Zero - Ilias Mavropoulos - 17/01/2024](https://infosecwriteups.com/the-ultimate-guide-cheatsheet-to-flipper-zero-d4c42d79d32c) diff --git a/docs/protocols/signaling-system-7.md b/docs/protocols/signaling-system-7.md new file mode 100644 index 00000000..1d7193bd --- /dev/null +++ b/docs/protocols/signaling-system-7.md 
@@ -0,0 +1,37 @@ +# SS7 - Signaling System No. 7 + +## Tools + +* [P1sec/SigFW](https://github.com/P1sec/SigFW) - Open Source Signaling Firewall for SS7, Diameter filtering, antispoof and antisniff +* [0xc0decafe/ss7MAPer](https://github.com/0xc0decafe/ss7MAPer) - SS7 MAP (pen-)testing toolkit +* [SigPloiter/SigPloit](https://github.com/SigPloiter/SigPloit) - SigPloit: Telecom Signaling Exploitation Framework - SS7, GTP, Diameter & SIP + + +## SMS 2FA Interception + +SS7 plays a part in the transportation of SMS messages. An attacker may be able to register a victims `MSISDN` (mobile number) on a fake `MSC` (Mobile Switching Centre), the victims operator's `HLR` (Home Location Register) that works as a kind of telephone directory for `MSISDNs`, operators and SMS service centres (`SMSC`) will set the new location for the Victim’s `MSISDN`. + +When, for this example the victims Bank sends them a 2FA authentication token the MSC transfers the SMS to the `SMSC` the real `MSMSC` asks the victims operator's `HLR` for the victims location, the `HLR` replies with the attacker operated `MSC`. The real operator's `SMSC` transfers the SMS to the fake `MSC` operated by the attack. + + +## SMS Spoofing + +One of the simplest and most accessible attacks is SMS spoofing, which doesn't require direct access to the SS7 network. Many people are unaware that the "from" field in an SMS message lacks authentication, allowing it to be easily forged. The sender can insert any alphanumeric word into the "from" section of a message. + +SMS spoofing attacks can be carried out with minimal cost by using an SMS gateway service, many of which are accessible on the clear web. According to SOS Intelligence, most of these services lack abuse monitoring or prevention mechanisms. As a result, it’s possible to send spoofed messages to a victim—much like phishing emails—prompting them to take action, often at little to no cost. 
+ + +## Location Tracking + +Within the SS7 network of a network operator it may be possible to request the `LAC` (Location Area Code) and `Cell ID` and with that information get a reasonably good location for a victim. However, this may require the prior knowledge of the subscribers `IMEI` (International Equipment Identity) or/and `IMSI` (International Mobile Subscriber Identity) – A `MSISDN` alone may not be sufficient to be able to query this information. + + +## References + +* [Exposing The Flaw In Our Phone System - Veritasium - 22 sept. 2024](https://youtu.be/wVyu7NB7W6Y) +* [SS7 VULNERABILITIES AND ATTACK EXPOSURE REPORT - 2018](https://www.gsma.com/get-involved/gsma-membership/wp-content/uploads/2018/07/SS7_Vulnerability_2017_A4.ENG_.0003.03.pdf) +* [A Step by Step Guide to SS7 Attacks - Adam Weinberg - April 30, 2023](https://www.firstpoint-mg.com/blog/ss7-attack-guide/) +* [An investigation into SS7 Exploitation Services on the Dark Web - Amir Hadzipasic - November 17, 2021](https://sosintel.co.uk/an-investigation-into-ss7-exploitation-services-on-the-dark-web/) +* [SS7 ATTACK - Ahmet Göker - Apr 28, 2022](https://shadowintel.medium.com/ss7-attack-a068f45ef83f) +* [SCTPscan - Finding entry points to SS7 Networks & Telecommunication Backbones - Philippe Langlois - 19 Apr 2007](https://www.blackhat.com/presentations/bh-europe-07/Langlois/Presentation/bh-eu-07-langlois-ppt-apr19.pdf) +* [ss7MAPer – A SS7 pen testing toolkit - Daniel Mende - February 16, 2016](https://insinuator.net/2016/02/ss7maper-a-ss7-pen-testing-toolkit/) \ No newline at end of file
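Review bot: In the first `esp32.md` hunk (`@@ -3,6 +3,12 @@`), the added sentence "ESP32 and ESP8266 share almost the same architecture." is stated without any qualification; since the file's existing text says only that "The ESP32 microprocessor uses the Xtensa instruction set", say concretely what is shared (the Xtensa instruction set, which is why the ESP8266 reversing write-ups added further down apply), e.g. "ESP32 and ESP8266 both use the Xtensa instruction set, so most reversing notes apply to both." Two smaller points in the same hunk: the link text `Xtensa®Instruction Set Architecture (ISA)` is missing a space after the ® sign, and the hunk leaves two consecutive blank lines before `## Tools` where the rest of the file uses one.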
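Review bot: In the second `esp32.md` hunk (`@@ -56,4 +62,10 @@`), the dates on the Bored Pentester series look wrong: Part 1 is dated `26th October 2018` while Parts 2 to 6 are all dated `25th October 2018`, so Part 1 would have been published after the five parts that follow it; please check the dates on the source posts, as this has the look of a copy-paste slip. The hunk also keeps the file without a trailing newline (`\ No newline at end of file` on both sides of the diff); since the file is being touched anyway, add the final newline. Minor: the existing entries use `03 Feb 2024` style dates, the new ones `26th October 2018`; pick one format.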
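Review bot: In the `flipper-zero.md` hunk (`@@ -49,6 +49,20 @@`), the new fenced block is tagged ```` ```ps1 ```` but its content is a verbatim excerpt of the IEEE OUI registry (`0C-FA-22 (hex) FLIPPER DEVICES INC`), not PowerShell; use a plain `text` fence (or no tag) so it is not rendered and read as a script. The sentence "This applies to Bluetooth, Ethernet, WiFi interfaces." should also make the scope of the indicator clear for readers using it in detection: the OUI is the vendor prefix assigned to the device's own interfaces, so a `0C:FA:22` prefix in a log is a vendor hint for triage rather than proof of a Flipper, and a Flipper-based device using a different radio will not carry it. Same blank-line nit as in `esp32.md`: two empty lines before `## References`.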
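Review bot: The new `signaling-system-7.md` file (`@@ -0,0 +1,37 @@`) has several wording errors that change the technical meaning and should be fixed before merge: in the "SMS 2FA Interception" section `the real MSMSC asks` should read `SMSC`, `the fake MSC operated by the attack` should be `operated by the attacker`, and `victims` / `Victim's` should be `victim's` throughout; in "Location Tracking", `IMEI (International Equipment Identity)` should be `International Mobile Equipment Identity`. The second paragraph of the interception section is one run-on sentence that is hard to follow; suggest splitting it into the message flow it describes, e.g. "When the victim's bank sends a 2FA token by SMS, the MSC hands the message to the operator's SMSC. The SMSC queries the victim's HLR for the current location and receives the attacker-controlled MSC, so the SMS is delivered there." `SS7 plays a part in the transportation of SMS messages` reads better as `SS7 is used to route SMS messages`. Minor: the reference dated `22 sept. 2024` does not match the other entries' date style, and the file is created without a trailing newline (`\ No newline at end of file`).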