
War Room

Shells from above


GTP Scanning

May 7, 2019 By Spencer

A while ago I was working on an assessment where I was exposed to General Packet Radio Service (GPRS) servers. Not having been familiar with this particular technology, I started to read about the details of the protocol and its implementation. One of the best resources I found was the presentation “Practical security research on 3G and 4G mobile telecommunications networks”, presented in 2011 at Hack In The Box by Daniel Mende and Enno Rey. This presentation provides an excellent overview of the architecture, the protocols in use and other details of interest to an attacker.

In summary, GTP (the GPRS Tunnelling Protocol) is, as the name implies, an IP-based tunneling protocol for GPRS. It facilitates the traversal of GPRS frames over IP network backends such as internal corporate LANs as well as the internet. The protocol itself is sub-divided into three variants, the most interesting of which is GTP-C, the control traffic. The other two variants are used for user data and charging data transmission, although these two are not covered to the same degree as the control traffic.

When dealing with a newer service, one of the first things I often find myself doing is trying to identify all the instances of it within the scope of my assessment. This discovery process requires the ability to communicate with the servers, sometimes pulling version information. To that end, I took the direction of using the GTP-U echo request (effectively a GTP ping) to identify servers which would respond to it. Daniel Mende released a gtp-scan.py script in 2011, around the time the presentation was released. The script is a little dated, targeting Python 2 and requiring a third-party module, so I took the opportunity to port it to Metasploit (a hat tip to Mende for releasing his original implementation under the MSF-compatible BSD license) so that it would be available to myself and others as part of our standard toolkit. One notable feature missing from the Metasploit implementation is the ability to perform GTP echo enumeration over SCTP. The Metasploit module only supports UDP, because that is what the underlying Metasploit networking stack supports; that same stack is what enables things like routing through Meterpreter sessions.

The GTP protocol comes in two versions, 1 and 2. Version 1 appears to be more popular, as more servers respond to probes in that version. The GTP echo request itself is a relatively simple 16-byte frame without any state-sensitive information. The protocol does become stateful to an extent (specifically with regard to the sequence number), but for the purposes of transmitting echo requests that is irrelevant, as the applicable fields are zero. Since GTP echo requests are not stateful, they are an ideal candidate for prototyping with Protocon, which I did prior to implementing the Metasploit module while experimenting with the request’s various fields. This let me easily manipulate specific fields and observe whether and how the remote server responded.

After discovery, GTP being an unauthenticated protocol provides some interesting opportunities from an attacker’s perspective. The next phase, gaining access to tunnel traffic, would however require a valid Access Point Name (APN). Luckily, Mende also implemented a tool for this, aptly named apnbf, which actively enumerates valid APN names on a GTP endpoint.

