HOW TO BYPASS OTP WITH SS7 ATTACK?

Carder

Credits to pentester

BYPASSING OTP?

OTP IS MOSTLY A 4/6 DIGIT NUMERICAL/ALPHANUMERIC CODE USED AS ANOTHER WAY OF AUTHENTICATING A USER ALONG WITH THE CREDENTIALS.

STONE AGE

People used to just enter their email and password to log in.
It is still like that for the majority of sites, but some have 2FA [OTP] as optional and some have it mandatory.

WHY OTP?

BECAUSE PEOPLE CAN HACK/CRACK YOUR EMAIL/PASS EASILY
WITH OTP, EVEN IF THEY CAN, THEY WON'T BE ABLE TO LOG IN

WHAT'S THE OTHER WAY ROUND THIS?

There are tons of other ways to bypass OTP, but the most popular and a bit HQ is the SS7 attack.
Comment down below the thread if you want me to write those up too.

So where were we:
SS7 Tunneling/Attack = same as MITM, but it operates on telephonic communication rather than data/wifi communication. Those who have no idea what MITM is can go through my previous thread about it.

Now why is SS7 HQ?

Because the global telephonic communication runs on it.
Old protocol, but it hasn't been changed much.

What tools are needed for this attack?
A Linux OS and an SS7 SDK [they're on the Internet]

The inside workaround?
Take an example: our friend Roobbin has some cash piled up in his bank account. Forget it. FBI gonna bust my ass for this example.

Our friend Roobbin has an app on his phone which lets him log in to his account after entering the credentials and an OTP generated in real time.
We, as usual, get the credentials by hacking/cracking.

But when we tried to log in to the app using just the email/pass, it generated the OTP [take the example of Hotstar or Blockchain or anything that requires OTP].

When there is some kind of communication from our phone to any other service over the network, our unique phone address is stored in the HLR [Home Location Register] and it acts as a medium to transmit data. See, what I learned in "Wireless Communication" is coming in handy right now. The engineering guys would know if they had taken the subject.

OK, to be straight: the phone sends data to the HLR, which checks the unique address of our mobile device.

Then from there the HLR sends the request to the VLR [Virtual Location Register - it temporarily stores our mobile info until the connection times out].
SS7 fakes the VLR address and puts the hacker's machine address in it. So, basically, we are tricking the system into believing our address to be the address of the user we need to get the OTP from.
Now you know what: the HLR will transmit the details to the fake VLR, and the hacker's gonna get all the details flowing in and out of the victim's mobile phone.

Enjoy!
 

Carding 4 Carders


Attack on the SS7 Protocol: how to intercept other people's calls and SMS

How do we protect ourselves today from various attacks aimed at obtaining your password? Someone makes the most complex passwords, someone installs brute-force protection systems, etc. But the most confident in their security are those who use a popular service today: two-factor authorization via SMS. Such services are provided by banks, well-known instant messengers (Viber, Telegram, etc.), social networks (VKontakte, Odnoklassniki, etc.), mail systems (Gmail, Yandex, etc.) and a large number of other Internet resources that require registration. This method is considered the safest for a reason. After all, a priori, your mobile phone is always with you, like a wallet and other personal items that you keep a close eye on. In addition, it is the second authentication factor (used only after entering the main password). But, as you know, if you forgot your password, you can always restore it by SMS to your phone.

And now, unexpectedly, the days of turmoil have come for SMS verification users as well. Even now it is possible for a small amount of money with an average skill level to get all your SMS messages so that you will never know about it!

The list of resources that can be accessed by an attacker is even difficult to imagine (social networks, instant messengers, confirmation of Bank transactions, etc.). After all, we have "all life" tied to our phone number. It is not without reason that an amendment was introduced that allows you to transfer the phone number when changing the operator. Now changing your phone number is like starting a new life from scratch.

There was such a gap in the template due to the vulnerability of the SS7 Protocol in the networks of mobile operators.

What is SS7?
The SS7 Protocol, also known as Signaling System No. 7, refers to a data network and to a set of technical protocols or rules that govern data exchange over them. It was developed in the 1970s to track and connect calls across carriers' networks, but it is now commonly used to calculate cellular billing and send text messages in addition to routing mobile and landline calls between carriers and regional switching centers.

Vulnerability history
It is not surprising, but the presence of this vulnerability became known in ancient times. Even the well-known Steve Jobs in his garage carried out the first attacks, making the so-called free cellular communication, using vulnerabilities. Since then, some of the bugs have been fixed, but SS7 is still susceptible to successful attacks.

In February 2014, the US Ambassador to Ukraine suffered a nasty leak. A secret conversation between him and Assistant Secretary of State Victoria Nuland was posted on YouTube in which Nuland spoke disparagingly about the European Union.

The conversation took place over unencrypted phones, and U.S. officials told reporters that they suspected the call was intercepted in Ukraine, but did not say how it was done. Some experts believe that this happened by exploiting vulnerabilities in the mobile data network, known as SS7, which is part of the underlying infrastructure.

It wasn't until December 2014 that telecommunications companies began considering tools to stop SS7 attacks. It was then that Carsten Nohl of the Berlin security research laboratories and an independent researcher named Tobias Engel came forward with reports about SS7 at the Chaos Communication Congress in Germany, a few months after the discovery of the Ukrainian incident. Engel demonstrated SS7, a method for tracking phones, in 2008, but it wasn't as flashy as the ones he and Nohl described in 2014. The latter prompted regulators in Northern Europe to demand that operators start implementing measures to prevent SS7 attacks by the end of 2015.

How to perform an attack on SS7?
The attacker connects to the SS7 signaling network and sends the Send Routing Info for SM (SRI4SM) service command to the network channel, specifying the phone number of the attacked subscriber as a parameter. The home subscriber network responds with the following technical information: IMSI (International Mobile Subscriber Identity) and the MSC address at which it is currently providing services to the subscriber.

[image: ataka-na-protokol-ss7-04.jpg]

After that, the attacker changes the billing system address in the subscriber's profile to the address of their own pseudo-billing system (for example, notifies that the subscriber has flown in for a vacation and has registered for a new billing system while roaming). As you know, this procedure does not pass any verification. The attacker then enters the updated profile into the VLR database via the "Insert Subscriber Data" (ISD) message.

[image: ataka-na-protokol-ss7-05.jpg]

When an attacked subscriber makes an outgoing call, their switchboard accesses the attacker's system instead of the actual billing system. The attacker's system sends a command to the switch to redirect the call to a third party controlled by the attacker.

[image: ataka-na-protokol-ss7-06.jpg]

At the third-party location, a conference call is established with three subscribers: two of them are real (caller A and called B), and the third is entered illegally by an attacker and is able to listen in and record the conversation.

We also receive the attacker's SMS accordingly. Having access to the pseudo-billing system that our subscriber has already registered for, you can get any information that comes or goes from their phone.

How do I get illegal access to the SS7 network?
As we have seen, having access to the SS7 network, it is not difficult to make an attack. How do I get illegal access to the network?

Access is sold on the darknet, and if desired, you can find it for free. This availability is due to the fact that in poorly developed countries it is very easy to get the status of an operator, respectively, and get access to SS7 hubs. There are also unscrupulous employees of operators.

What are providers and Internet resources doing with SMS verification?
At the moment, operators are slowly closing numerous holes in SS7, despite the fact that some do not even recognize their presence. Someone accuses of inciting panic around this problem, someone refrains from commenting, someone says streamlined phrases like: "The safety of our customers is our top priority." However, to date, this issue is not given due attention by operators, and the availability of exploiting this vulnerability is as high as ever.

How can I protect myself from TEXT message interception and wiretapping?
There is also some good news. Representatives of Internet services that really care about their customers already either have or are hastily preparing alternatives to SMS verification. For example, vk.com, you can enable two-factor authentication using Google Authenticator.

Apple is preparing a new two-factor authorization mechanism to protect your Apple ID. We remind you that once you have your Apple ID credentials, you can block and completely erase all your Apple devices remotely. Unfortunately, at the moment the password can be restored via SMS, which in turn, as you found out, can be intercepted.

I would like to highlight an important piece of advice that is rarely found on the Internet. It is very simple, but effective.

Given that the attackers' pseudo-billing systems in most cases are presented by foreign operators (they report that you are in international roaming), it is enough to simply disable the possibility of international roaming on your phone. You can do this with your mobile operator for free. If you do not have an urgent need to communicate with roaming from this particular phone, then this solution will greatly protect you from the troubles that were described in this article.

Conclusion
How do such situations develop? The SS7 Protocol was created many years ago. Its security simply wasn't given enough attention during all this time. At the same time, at the moment, the leaders of many developed countries are focusing on "cyber weapons". The development of cyber espionage is proceeding rapidly. Crumbs from this table of "cyber tools" fall into the hands of intruders and then ordinary people suffer.

We must not forget about this and maintain mass-use tools at the current level of security.

You will be shocked, but even in such critical places as aviation, unsafe ways of communication between aircraft and ground stations are still used. Any mid-level hacker can falsify signals from the dispatcher or the plane board.
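Both posts above describe the same three signaling steps seen from the attacker's side: an SRI-for-SM lookup that returns the subscriber's IMSI and serving MSC, a fake roaming registration that moves the subscriber to a node the attacker controls, and an Insert Subscriber Data write that plants a modified profile in the VLR. The second post's practical advice is to have the operator disable international roaming for the subscriber. The following is an added example, not code from either poster or from any operator or vendor product, showing what a home-network SS7 border screen can do with those facts: it flags SRI-for-SM lookups from networks that are not SMS interconnect partners, ISD messages that arrive from outside the home network (only the home HLR should write profiles into the VLR), roaming registrations for subscribers who have roaming switched off or from non-partner networks, and registrations whose country hops are too fast to be real travel. The MAP operation names are the standard ones; the country-code table, partner lists, IMSIs, global titles and log records are all constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Country-code prefixes of E.164 global titles used in this demo (constructed subset).
KNOWN_COUNTRY_CODES = {"1", "7", "33", "44", "49", "91"}
HOME_COUNTRY = "7"
# Interconnect partners expected to send SRI-for-SM lookups for our subscribers (constructed).
SMS_PARTNERS = {"1", "44"}
# Networks that may register our subscribers as roamers (constructed).
ROAMING_PARTNERS = {"33", "44"}
# Shortest plausible interval between registrations in two different countries.
MIN_TRAVEL_TIME = timedelta(hours=2)


@dataclass
class Subscriber:
    imsi: str
    roaming_allowed: bool              # False = subscriber opted out of international roaming
    last_country: str = HOME_COUNTRY   # country of the last accepted registration
    last_seen: Optional[datetime] = None


@dataclass
class MapRecord:
    ts: datetime
    operation: str   # MAP operation name: sendRoutingInfoForSM, updateLocation, insertSubscriberData
    origin_gt: str   # E.164 global title of the node that sent the message
    imsi: str        # subscriber the message concerns


def country_of(gt: str) -> str:
    """Longest-prefix match of a global title against the country-code set."""
    for n in (3, 2, 1):
        if gt[:n] in KNOWN_COUNTRY_CODES:
            return gt[:n]
    return "?"


def screen(records: List[MapRecord], subscribers: Dict[str, Subscriber]) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, imsi, reason) for every record the border filter should flag.
    Subscriber state is updated in place so the travel-velocity rule can compare
    each registration with the one before it."""
    alerts = []
    for r in sorted(records, key=lambda x: x.ts):
        sub = subscribers[r.imsi]
        src = country_of(r.origin_gt)
        foreign = src != HOME_COUNTRY
        if r.operation == "sendRoutingInfoForSM" and foreign and src not in SMS_PARTNERS:
            alerts.append((r.ts, r.imsi, f"SRI-for-SM from unexpected network {src}"))
        elif r.operation == "insertSubscriberData" and foreign:
            # Only our own HLR legitimately writes subscriber profiles into our VLR.
            alerts.append((r.ts, r.imsi, f"ISD from outside home network ({src})"))
        elif r.operation == "updateLocation":
            if foreign:
                if not sub.roaming_allowed:
                    alerts.append((r.ts, r.imsi, "roaming registration for roaming-disabled subscriber"))
                if src not in ROAMING_PARTNERS:
                    alerts.append((r.ts, r.imsi, f"registration from non-partner network {src}"))
                if (sub.last_seen is not None and sub.last_country != src
                        and r.ts - sub.last_seen < MIN_TRAVEL_TIME):
                    alerts.append((r.ts, r.imsi, f"implausible travel {sub.last_country}->{src}"))
            sub.last_country, sub.last_seen = src, r.ts
    return alerts


def sample_alerts() -> List[Tuple[datetime, str, str]]:
    """Run the screen over a constructed batch of signaling records."""
    t0 = datetime(2024, 1, 1, 12, 0)
    a, b = "001010000000001", "001010000000002"   # constructed IMSIs (test MCC 001)
    subs = {
        a: Subscriber(a, roaming_allowed=False),
        b: Subscriber(b, roaming_allowed=True, last_seen=t0 - timedelta(hours=6)),
    }
    records = [
        MapRecord(t0, "sendRoutingInfoForSM", "447700900001", a),                        # SMS partner: fine
        MapRecord(t0 + timedelta(minutes=1), "sendRoutingInfoForSM", "919900000001", a),  # not a partner
        MapRecord(t0 + timedelta(minutes=2), "updateLocation", "491700000001", a),        # roaming off, non-partner
        MapRecord(t0 + timedelta(minutes=3), "insertSubscriberData", "33600000001", b),   # external ISD write
        MapRecord(t0 + timedelta(minutes=4), "updateLocation", "33600000002", b),         # partner, 6 h after last seen
        MapRecord(t0 + timedelta(minutes=20), "updateLocation", "447700900002", b),       # partner, but 16 min after France
    ]
    return screen(records, subs)


if __name__ == "__main__":
    for ts, imsi, reason in sample_alerts():
        print(ts.isoformat(), imsi, reason)
```

Each rule maps to one step of the attack described above, and the roaming-disabled rule is the operator-side counterpart of the advice in the second post: once a subscriber has roaming turned off, any foreign registration for that IMSI is rejected outright rather than accepted without verification. Real deployments key the partner lists on global-title ranges and on the IMSI's MCC/MNC rather than on bare country codes, but the decision logic is the same.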
 