
Pedro Cabrera Camara

Telco networks for pentesters: 2G, 3G, 4G and 5G


Trainer: Pedro Cabrera Camara & Miguel Gallego

Date: 2st OCT - 23rd OCT 2024

Time: 9:00am to 5:00pm CEST

Venue: Amsterdam Marriott Hotel

Training Level: Intermediate to Advanced


Please note: the training ticket does not include access to the conference. Similarly, the conference ticket does not grant access to the trainings. If you have any questions, reach out to us.

Training Objectives:

The objective of the training is to give students, through practical (hands-on) sessions, the knowledge they need to easily implement mobile networks of any technology in their own laboratory in order to study the security of mobile devices and core network protocols, perform attacks such as traffic interception, analyze how to perform a downgrade attack, and experiment with encryption or authentication algorithms, among others.

Each student will have their own SDR b200 mini as well as their own programmable SIM card, mobile device and a Quectel modem. After the course, they will take home their laptop with all mobile network technology implementations installed and configured, ready for further research on mobile network security.

Detailed Description:

Day 1:

  • Introduction to 2G and 3G mobile networks: architecture and elements.
  • SDRs, drivers, Gr-OsmoSDR and GnuRadio
  • Why Ubuntu?
  • Baseband Modems
  • 2G and 3G SIM cards
  • 2G practical implementation: Osmocom GSM
  • 2G GSM Exercises (non-exhaustive list):
    • Analyze authentication and encryption in GSM.
    • Binary SMS
  • 2G practical implementation: Osmocom GPRS
  • 2G GPRS Exercises (non-exhaustive list):
    • APN as a Linux interface
  • Extra time for hands-on if needed

Day 2:

  • 3G practical implementation: OpenBTS-UMTS
  • 3G Exercises (non-exhaustive list):
    • Detecting subscriber activity
  • Introduction to 4G networks: architecture and elements
  • IMS: VoLTE ReVoLution
  • 4G SIM cards
  • 4G practical implementation: OAI & srsRAN
  • 4G exercises (non-exhaustive list):
    • Analysis of integrity algorithms
    • Fake/rogue DNS attack.
    • Using software UE
    • Extra time for hands-on if needed

Day 3:

  • Introduction to 5G mobile networks: architecture and elements
  • NFV/CaaS: Containers as a Living
  • New identities and new protocols: SUCI and HTTP2
  • 5G SIM cards and terminals
  • Current status of 5G NSA implementation (srsRAN, OAI)
  • 5G NSA practical implementation: OAI
  • Current status of 5G SA implementation (srsRAN, OAI, Open5GS)
  • 5G SA practical implementation: OAI/Open5GS & OAI/srsRAN
  • 5G exercises (non-exhaustive list):
    • Registration with the SUCI
    • Attacking the HTTP2 protocol in 5G networks
    • NGAP rogue gNB and SCTP-Hijacker
  • Advanced exercises (non-exhaustive list):
    • Downgrade attacks
    • NTP time travel
  • Training closure

What to Expect? | Key Learning Objectives:

  • Understanding telco mobile networks architecture and protocols.
  • Hands-on compilation of Linux source code in Ubuntu 20.04, resurrecting old code!
  • A fully functional platform to start researching or developing new attacks on mobile networks of any technology.

Who Should Attend? | Target Audience:

  • Pentesters and security auditors
  • Telecommunications professionals and telecom operators
  • Telecommunications and IoT device researchers

What to Bring? | Software and Hardware Requirements:

For the correct operation of the training, it will be necessary for the students to have computers with administrator access (root). The laptops must have the following characteristics:

  • A laptop with Linux OS (no VM, physical machine).
  • i7 processor
  • Ubuntu 20.04
  • Free USB3 port.
  • Each trainee is recommended to bring several mobile devices to the training to test the functionality of the different mobile networks implemented


What to Bring? | Prerequisite Knowledge and Skills:

  • Intermediate/advanced knowledge of Linux Ubuntu operating system.
  • Basic knowledge of communication networks.

Resources Provided at the Training | Deliverables:

  • Master slides (kept by student at the end of the training)
  • Hands-on guide and exercises (kept by student at the end of the training)
  • Software Defined Radio Ettus USRP b200 mini (returned at the end of the training)
  • Mobile device per student (returned at the end of the training)
  • Programmable SIM card (kept by student at the end of the training)
  • Card reader (returned at the end of the training)
  • 2G/3G/4G Modem (kept by student at the end of the training)
  • 3G/4G/5G Modem (returned at the end of the training)

ABOUT THE TRAINERS

Pedro Cabrera Camara: Industrial engineer and software defined radio (SDR) and drone enthusiast. He has worked at the main Spanish telecommunications operators, performing security audits and pentesting in mobile and fixed networks. In recent years he has led the Ethon Shield project, a startup focused on communications security and the development of new monitoring and defense products. He has participated in security events in the United States (RSA, CyberSpectrum, Defcon), Asia (BlackHat Trainings) and Europe (Rootedcon, Troopers TSD).


Miguel Gallego: Industrial engineer, currently working on vulnerabilities in non-commercial open-source networks and attacks on the mobile identities of subscribers to such mobile networks, with a main focus on 5G networks, and on the implementation and automation of attacks on SDR platforms. He has presented this research as a speaker at security conferences in the United States (DEFCon), Europe (RootedCON, Troopers TSD) and Argentina (EKOParty).