A while ago I was working on an assessment where I was exposed to General Packet Radio Service (GPRS) servers. Not having been familiar with this particular technology, I started to read about the details of the protocol and its implementation. One of the best resources I found was the presentation "Practical security research on 3G and 4G mobile telecommunications networks", presented in 2011 at Hackinthebox by Daniel Mende and Enno Rey. This presentation provides an excellent overview of the architecture, the protocols in use and other details of interest to an attacker.
In summary, GTP (the GPRS Tunnelling Protocol) is, as the name implies, an IP-based tunneling protocol for GPRS. It facilitates the traversal of GPRS frames over IP network backends such as internal corporate LANs as well as the internet. The protocol itself is sub-divided into three variants, the most interesting of which is GTP-C, the control traffic. The other two variants are used for user data (GTP-U) and charging data transmission, although these two are not covered to the same degree as the control traffic.
When dealing with a newer service, one of the first things I often find myself doing is trying to identify all the instances of it within the scope of my assessment. This discovery process requires the ability to communicate with the servers, sometimes pulling version information. To that end, I took the direction of using the GTP-U ping command to identify servers which would respond to it. Daniel Mende released a gtp-scan.py script in 2011, around the time the presentation was released. The script is a little dated, targeting Python 2 and requiring a third-party module, so I took the opportunity to port it to Metasploit (a hat tip to Mende for releasing his original implementation under the MSF-compatible BSD license) so it would be available for myself and others as part of our standard toolkit. One notable feature that is missing in the Metasploit implementation is the ability to perform GTP echo enumeration via the SCTP protocol. The Metasploit module only supports UDP, since that is what the underlying Metasploit networking stack supports, which in turn enables things like routing through Meterpreter sessions.
The GTP protocol comes in two versions, 1 and 2. Version 1 appears to be more popular, as more servers respond to probes in that version. The GTP echo request itself is a relatively simple 16-byte frame without any state-sensitive information. The GTP protocol does become stateful to an extent (specifically with regard to the sequence number), but for the purposes of transmitting echo requests this is irrelevant, as the applicable fields are null. Since GTP echo requests are not stateful, they are an ideal candidate for prototyping with Protocon, which I did prior to implementing the Metasploit module while experimenting with the request's various fields. This allowed me to easily manipulate specific fields and see if and how the remote server would respond.
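To make the frame layout concrete, here is an added example of my own (not code from gtp-scan.py, Protocon or the Metasploit module) that builds the zeroed v1 and v2 echo requests described above and decodes an echo response, pulling out the version, the sequence number and the restart counter carried in the Recovery IE. The two sample responses are constructed for the example, not captured from a network; the same decoder is just as useful on the defensive side for recognising echo probes arriving at a GTP listener from a segment that should never carry GTP.

```python
import struct

GTP_ECHO_REQUEST, GTP_ECHO_RESPONSE = 1, 2
GTPV1_RECOVERY_IE, GTPV2_RECOVERY_IE = 14, 3  # both carry the peer's restart counter

def build_echo_request(version, seq=0):
    """Build a GTP echo request; TEID and sequence number stay zero (no state needed)."""
    if version == 1:
        flags = (1 << 5) | (1 << 4) | (1 << 1)          # version=1, PT=GTP, S=1
        opt = struct.pack('!HBB', seq, 0, 0)             # seq, N-PDU number, next ext. hdr
        return struct.pack('!BBHI', flags, GTP_ECHO_REQUEST, len(opt), 0) + opt
    if version == 2:
        opt = struct.pack('!I', (seq & 0xFFFFFF) << 8)   # 24-bit seq + one spare octet
        return struct.pack('!BBH', 2 << 5, GTP_ECHO_REQUEST, len(opt)) + opt  # P=0, T=0
    raise ValueError('unsupported GTP version')

def parse_echo_response(data):
    """Decode a v1 or v2 echo response: version, sequence number, restart counter."""
    if len(data) < 8:
        raise ValueError('too short for a GTP header')
    version, msg_type, length = data[0] >> 5, data[1], struct.unpack('!H', data[2:4])[0]
    if msg_type != GTP_ECHO_RESPONSE:
        raise ValueError('not an echo response (message type %d)' % msg_type)
    info = {'version': version, 'seq': None, 'restart_counter': None}
    if version == 1:
        end, pos = 8 + length, 8                         # length excludes the 8 fixed octets
        if len(data) < end:
            raise ValueError('truncated GTPv1 message')
        if data[0] & 0x07:                               # S/E/PN set: 4 optional octets present
            info['seq'] = struct.unpack('!H', data[8:10])[0] if data[0] & 0x02 else None
            pos = 12
        if pos + 1 < end and data[pos] == GTPV1_RECOVERY_IE:   # TV IE: type octet + value octet
            info['restart_counter'] = data[pos + 1]
    elif version == 2:
        end, pos = 4 + length, 8                         # length excludes the 4 fixed octets
        if len(data) < end:
            raise ValueError('truncated GTPv2 message')
        info['seq'] = int.from_bytes(data[4:7], 'big')
        while pos + 4 <= end:                            # TLV IEs: type, len16, spare/instance
            ie_type, ie_len = data[pos], struct.unpack('!H', data[pos + 1:pos + 3])[0]
            if ie_type == GTPV2_RECOVERY_IE and ie_len >= 1 and pos + 4 < end:
                info['restart_counter'] = data[pos + 4]
            pos += 4 + ie_len
    else:
        raise ValueError('unsupported GTP version %d' % version)
    return info

# Constructed sample responses (not real captures), each carrying restart counter 7
SAMPLE_V1_RESPONSE = bytes.fromhex('3202000600000000000000000e07')
SAMPLE_V2_RESPONSE = bytes.fromhex('40020009000000000300010007')
```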
After discovery, GTP being an unauthenticated protocol provides some interesting opportunities from an attacker's perspective. The next phase, gaining access to tunnel traffic, would however require a valid Access Point Name (APN). Luckily Mende also implemented a tool for this, aptly named apnbf, which will actively enumerate valid APN names on a GTP endpoint.