5ghoul-5g-nr-attacks's People

Contributors

matheus-garbelini, shangzewen, sudiptac

5ghoul-5g-nr-attacks's Issues

container.sh requires a username/password

I'm sure you're already aware, but sharing anyways.

mkdir 5ghoul # Create 5ghoul folder
curl -LJO https://github.com/asset-group/5ghoul-5g-nr-attacks/raw/master/container.sh
chmod +x container.sh # Give exec. permission to the 5Ghoul container script
./container.sh release-5g # This will pull and start the terminal of the 5Ghoul container
sudo bin/5g_fuzzer --MCC=001 --MNC=01 # This will start the rogue base station inside the container

Assuming there needs to be a "pull" in between container.sh and release-5g. Also, looking over the container.sh it assumes we have a username/password?

open5gs stopped & adb: device 'UWEUW4XG8XCA8PWS' not found

I installed open5gs, and successfully started usrp, followed the steps https://github.com/asset-group/5ghoul-5g-nr-attacks#2--quick-start-docker-container to start the rogue base station, but encountered a problem.
These are partial outputs from the command line:

----------LTE Fuzzer----------
Loading Model...
Model Loaded!
[Machine] Layer:"NAS"
[Machine] --> States:0, Transitions:0
[Machine] Layer:"RRC"
[Machine] --> States:0, Transitions:0
[Machine] Layer:"RLC"
[Machine] --> States:0, Transitions:0
[Machine] Layer:"MAC-NR"
[Machine] --> States:0, Transitions:0
[Machine] Total States: 38
[Machine] Total Transitions: 308
[Monitor] Connection string: adb -s UWEUW4XG8XCA8PWS shell "logcat -b radio,crash,system,main"
[Monitor] ADB Connected to device: UWEUW4XG8XCA8PWS
[SHMDriver] SHM:/tmp/wshm, Channel:0, Mode:1, MQUEUE:/wshm
adb: device 'UWEUW4XG8XCA8PWS' not found
sh: 1: ulimit: Illegal option -q
[SHMDriver] SHM:/tmp/wshm, Channel:1, Mode:1
[SHMDriver] SHM:/tmp/wshm, Channel:2, Mode:1
[SHMDriver] SHM:/tmp/wshm, Channel:3, Mode:1
[SHMDriver] SHM:/tmp/wshm, Channel:4, Mode:1
[SHMDriver] SHM:/tmp/wshm, Channel:5, Mode:1
[SHMDriver] SHM:/tmp/wshm, Channel:6, Mode:1
[Open5GS] Adding IMSI 001010000000001 with K=00112233445566778899AABBCCDDEEFF, OPC=00112233445566778899AABBCCDDEEFF, APN=default
......
......
......
OPC=4242F3B4D58A5DA39336E1F8CB643B2A, APN=internet
[Open5GS] Subscribers registered to core network: 14
./3rd-party/hostapd/idemptables -A INPUT -i ogstun -j ACCEPT
./3rd-party/hostapd/idemptables -A FORWARD ! -i ogstun -o ogstun -j ACCEPT
./3rd-party/hostapd/idemptables -A FORWARD -i ogstun ! -o ogstun -j ACCEPT
./3rd-party/hostapd/idemptables -t nat -A POSTROUTING -s 45.45.0.0/16 ! -o ogstun -j MASQUERADE
adb: device 'UWEUW4XG8XCA8PWS' not found
[GlobalTimeout] Not enabled in config. file
[AnomalyReport] Added Logging Sink: PacketLogger
[AnomalyReport] Added Logging Sink: SvcReportSender
[USBHubControl] Disabled in config. file
[ReportSender] Credentials file not found: modules/reportsender/credentials.json
[ReportSender] Ready
[!] Open5GS stopped
[!] Base-Station process stopped
[Optimizer] Optimization disabled. Using default population:
[Optimizer] Iter=1  Params=[0.2,0.2,0.2,0.2,0.2,0.2,...,0.2]
[Optimizer] Fitness=1e+06  Adj. Fitness=-1e+06
--------------------------------------------------------
[Optimizer] Initialized with X Size=293, Population Size=5
[Main] Fuzzing not enabled! Running only target reconnection
[PacketHandler] Added "proto:nas-5gs", Dir:0, Realtime:0, TID:1563
[PacketHandler] Added "proto:nas-5gs", Dir:1, Realtime:0, TID:1564
[PacketHandler] Added "proto:pdcp-nr-framed", Dir:0, Realtime:1, TID:1565
[PacketHandler] Added "proto:pdcp-nr-framed", Dir:1, Realtime:1, TID:1566
[PacketHandler] Added "proto:mac-nr-framed", Dir:0, Realtime:1, TID:1571
[PacketHandler] Added "proto:mac-nr-framed", Dir:0, Realtime:1, TID:1574
[PacketHandler] Added "proto:mac-nr-framed", Dir:1, Realtime:0, TID:1575
[!] Open5GS stopped
[!] Open5GS stopped
adb: device 'UWEUW4XG8XCA8PWS' not found
[!] Open5GS stopped
[!] Open5GS stopped
[!] Open5GS stopped
adb: device 'UWEUW4XG8XCA8PWS' not found
[!] Open5GS stopped
[!] Open5GS stopped
[!] Open5GS stopped
adb: device 'UWEUW4XG8XCA8PWS' not found
[!] Open5GS stopped
[!] Open5GS stopped
[!] Open5GS stopped

Why does this happen? My system version is Ubuntu 22.04, but my colleagues using 18.04 also encountered these problems.

Launching a 5Ghoul attack looks for adb preconfigured device

You all wouldn't happen to have more details on the intent of all the profiles/device info left in the configs? I gave a run a quick try, but it's looking for an adb device with serial number specified in one of the config files. I'm not seeing the base station start and I wasn't sure if that's because of the left behind settings or due to me trying to use a b205 instead of the b210. I can't see anywhere that you may have SDR hardware pre-configured.

Phone Configuration Confusion

Hello, I noticed in Chapter 3, titled 'Launching a 5Ghoul Attack,' a reference stating, 'More details are provided in the Section on Phone Configuration.' Could you please direct me to the specific chapter or section where I can find information about Phone Configuration?

Using Docker Container run error

CPU:AMD Ryzen 7 7840HS
Memory: 32GB
SDR: USRP B210

Run the command ./container.sh run release-5g to start the container, then use the command sudo bin/5g_fuzzer --MCC=001 --MNC=01 --EnableMutation=true to execute the fuzzer, which fails with the following error:

[Optimizer] Optimization disabled. Using default population:
--------------------------------------------------------
[Optimizer] Iter=1  Params=[0.2,0.2,0.2,0.2,0.2,0.2,...,0.2]
[Optimizer] Fitness=1e+06  Adj. Fitness=-1e+06
Mutation Probability: 0.2
--------------------------------------------------------
[Optimizer] Initialized with X Size=293, Population Size=5
[PacketHandler] Added "proto:nas-5gs", Dir:0, Realtime:0, TID:2175
[PacketHandler] Added "proto:nas-5gs", Dir:1, Realtime:0, TID:2176
[PacketHandler] Added "proto:pdcp-nr-framed", Dir:0, Realtime:1, TID:2177
[PacketHandler] Added "proto:pdcp-nr-framed", Dir:1, Realtime:1, TID:2188
[PacketHandler] Added "proto:mac-nr-framed", Dir:0, Realtime:1, TID:2189
[PacketHandler] Added "proto:mac-nr-framed", Dir:0, Realtime:1, TID:2194
[PacketHandler] Added "proto:mac-nr-framed", Dir:1, Realtime:0, TID:2196
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[GlobalTimeout] Timeout triggered. TimeoutCounter=1, TotalTimeoutCounter=1
[GlobalTimeout] Signalling WDAnomalyReport
[AnomalyReport] [Timeout] Target is not responding
[PacketLogger] Packet Number:21, Comment: [Timeout] Target is not responding
--------------------------------------------------------
[Optimizer] Iter=1  Params=[0.2,0.2,0.2,0.2,0.2,0.2,...,0.2]
[Optimizer] Fitness=0  Adj. Fitness=-0
Mutation Probability: 0.2
--------------------------------------------------------
[GlobalTimeout] Restarting ProcessRunner
[!] Base-Station process stopped
[GlobalTimeout] Restarting ProcessRunner
[!] Open5GS stopped
[GlobalTimeout] Signalling SvcUSBHubControl
[GlobalTimeout] Signalling SvcModemManager
[ModemManager] Reconnection Timeout (4000 ms)
[GlobalTimeout] Timeout Finished with 6 callbacks executed
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped

Question: can this tool be used with UERANSIM?

Hello @Matheus-Garbelini and everyone!
I am using your tool in Ubuntu 20.04 and I wanted to know if your tool can only be used with the suggested setup or can it also be used in a simulated environment e.g. using UERANSIM to simulate both gNodeB and UE?

Waiting for a reply, best regards.

adb: device 'UWEUW4XG8XCA8PWS' not found

Hello, I built it from an Ubuntu 18.04 host environment and connected a USRP B210. When running bin/5g_fuzzer I noticed that the following message is always returned multiple times:

"adb: device 'UWEUW4XG8XCA8PWS' not found"

Could you please give me any insights on this message? Will this be an issue when doing the test? Thanks!

Usage of 5Ghoul with USRP N310

Hi,

I have gone through the details and I have a USRP N310 with Ubuntu 18.04. I want to ask if I need to change any configuration files or if I should continue with the given source files. Hope to hear back from you soon. Thank you.

Best,
Purva Joshi

build error

Hello, I'm currently working on Ubuntu 18.04, with cmake version 3.24.1 and clang 15. However, I encounter an error when executing either './build.sh all' or './build.sh'. The error reads:

ninja: Entering directory `build'
ninja: error: '/home/Desktop/5ghoul-5g-nr-attacks/libs/wireshark/ui/qt/-silent', needed by 'libs/wireshark/ui/qt/-silent.qm', missing and no known rule to make it

Interestingly, executing './build.sh dev' results in a successful build, but when I run bin/5g_fuzzer, it appears that 'hostapd/idemptables' is missing from './3rd-party/'. Can you confirm whether the absence of './3rd-party/hostapd/idemptables' will be an issue?

sysmoISIM-SJA2 programmable SIM/USIM/ISIM cards (Question)

A pack of sysmoISIM-SJA2 programmable SIM/USIM/ISIM cards arrived today. I finally got around to inserting one into the Edge 20 and, to my surprise, under preferred network type, 5G is not an option. However, if I insert a T-Mobile SIM the option is available.

I noticed the SJA2 was mentioned in the README, so I'm just curious whether that exact card has enabled you all to access 5G?

Installing from source

Hello,

I keep getting this error when installing from source:

5ghoul-5g-nr-attacks/bindings/python/wdissector_wrap.cxx
cd /home/user/5ghoul-5g-nr-attacks && echo -------------------SWIG----------------------- && swig -lbin -c++ -python bindings/python/wdissector.i || true && sed -i '1i import sys;sys.path.insert ( 0, "bin" ) ' bindings/python/wdissector.py && echo -------------------SWIG-----------------------
-------------------SWIG-----------------------
src/MiscUtils.hpp:738: Error: Nothing known about namespace 'lni'
src/Machine.hpp:42: Error: Nothing known about namespace 'fmt'
src/Machine.hpp:46: Error: Nothing known about namespace 'React'
sed: can't read bindings/python/wdissector.py: No such file or directory
[3/110] Building CXX object CMakeFiles/5g_fuzzer.dir/src/5g_fuzzer.cpp.o
ninja: build stopped: subcommand failed.

Is anyone else having this issue?

Docker Build error

Hi,

When I built the Docker images I noticed the error shown in the image below. The output was generated when I ran the script container.sh.
[Screenshot 2024-01-05 211421]

I created the corresponding directory, but when I reran the shell script I received the same error indicating the container was not running. Also, it seems that no Docker container is running:
[Screenshot 2024-01-05 211714]

I'm using Ubuntu 18.04 and the Docker version is the same as suggested. What should I do to solve this problem?

Thanks,

Dustin12138

(Question) start_container functions

I notice on 22.04 that when running ./container.sh run release-5g it almost immediately kills my remote VNC desktop connection. I have to jump over to a local monitor to pick up where I was working.

When I look at the container.sh script I can see the start_container_dev/release functions, and it got me trying to understand what's going on there with X11. I should note that the command does spit out a failure to connect to the bus when run through a VNC connection.

What is the intent of that portion of the script? Does it need to be altering X11 settings?

State machine question

I've observed that a state machine file named "configs/nr-softmodem.json" is being loaded within 5g_fuzzer.cpp. Could you kindly share where this state machine file comes from or instruct on how it was constructed? Thanks!

Which version of open5gs is the author using?

Hello, may I ask which version of open5gs the author is using? I have installed the latest version 2.7.0 and the latest OAI RAN, but the mobile phone has no signal.

Looking forward to your reply, best wishes.

What software needs to be pre-installed in advance?

Hello, I am very interested in your work and would like to try it. I now have a USRP and have installed a brand new Ubuntu environment. I want to know what software needs to be pre-installed in advance. Looking forward to your reply, best wishes.

Failure to launch 5Ghoul GUI

I swear I had this running without issue before, but this is on a fresh install of 22.04 with an Nvidia CUDA 12 setup. I try to start the GUI within the Docker container and this is now the result; I just wondered whether this has been encountered before. I'm currently researching the errors, but it's not clear to me whether it's a host issue or a Docker container issue.

Waiting GUI Thread Startup...
Chromium Embedded Framework Initialized
libGL error: No matching fbConfigs or visuals found
libGL error: failed to load driver: swrast
[CEF] WebView Document Ready
WebView Module Loaded
GLX: Failed to create context: BadMatch (invalid parameter attributes)

What would be the benign gNB setup?

Hello, after reviewing the demo video, I observed that the COTS UE initially connects to the benign gNB. Subsequently, 5Ghoul infiltrates and initiates the attack.

Could you please provide more details on how the benign gNB is configured in these demos?

Modem not initialized

Docker image: megarbelini/5ghoul:release-5g-x86_64
USRP: B210
UHD Version: UHD 4.4.0.HEAD-0-8e54b58d

command: sudo ./bin/5g_fuzzer --exploit=mac_sch_rrc_setup_crash_var --MCC=466 --MNC=92

[Open5GS] Subscribers registered to core network: 15
./3rd-party/hostapd/idemptables -A INPUT -i ogstun -j ACCEPT
./3rd-party/hostapd/idemptables -A FORWARD ! -i ogstun -o ogstun -j ACCEPT
./3rd-party/hostapd/idemptables -A FORWARD -i ogstun ! -o ogstun -j ACCEPT
./3rd-party/hostapd/idemptables -t nat -A POSTROUTING -s 45.45.0.0/16 ! -o ogstun -j MASQUERADE
[GlobalTimeout] Not enabled in config. file
[AnomalyReport] Added Logging Sink: PacketLogger
[AnomalyReport] Added Logging Sink: SvcReportSender
[USBHubControl] Disabled in config. file
[ReportSender] Credentials file not found: modules/reportsender/credentials.json
[ReportSender] Ready
[Optimizer] Optimization disabled. Using default population:
--------------------------------------------------------
[Optimizer] Iter=1  Params=[0.2,0.2,0.2,0.2,0.2,0.2,...,0.2]
[Optimizer] Fitness=1e+06  Adj. Fitness=-1e+06
--------------------------------------------------------
[Optimizer] Initialized with X Size=293, Population Size=5
[Main] Fuzzing not enabled! Running only target reconnection
[PacketHandler] Added "proto:nas-5gs", Dir:0, Realtime:0, TID:3034
[PacketHandler] Added "proto:nas-5gs", Dir:1, Realtime:0, TID:3035
[PacketHandler] Added "proto:pdcp-nr-framed", Dir:0, Realtime:1, TID:3036
[PacketHandler] Added "proto:pdcp-nr-framed", Dir:1, Realtime:1, TID:3037
[PacketHandler] Added "proto:mac-nr-framed", Dir:0, Realtime:1, TID:3048
[PacketHandler] Added "proto:mac-nr-framed", Dir:0, Realtime:1, TID:3050
[PacketHandler] Added "proto:mac-nr-framed", Dir:1, Realtime:0, TID:3056
[Main] eNB/gNB started!
[!] Waiting UE task to start...
[ModemManager] StartModemConnection: Modem not initialized
[ModemManager] Reconnection Timeout (4000 ms)
[ModemManager] StartModemConnection: Modem not initialized
[ModemManager] Reconnection Timeout (4000 ms)
[ModemManager] StartModemConnection: Modem not initialized
[ModemManager] Reconnection Timeout (4000 ms)
[ModemManager] StartModemConnection: Modem not initialized
[ModemManager] Reconnection Timeout (4000 ms)
[ModemManager] StartModemConnection: Modem not initialized
[ModemManager] Reconnection Timeout (4000 ms)

S22 confusion

Hello, thank you for your exceptional work! I was reviewing the information on your website at https://asset-group.github.io/disclosures/5ghoul/, and I noticed something that I'd like to clarify.

In Table 1, titled "Devices and Monitoring Used for Evaluation of 5Ghoul Vulnerabilities," the UE S22 is listed. However, I observed that the S22 is not included in Table 2, which provides a "Summary of 5G Implementation Vulnerabilities and Affected Software or Products."

Could you please confirm whether the UE S22 is impacted by the V7 vulnerability? I am particularly interested in understanding the scope of this vulnerability and its effects on the S22 device. Your clarification on this matter would be greatly appreciated.

How to program the SIM card

Hello, I wonder, apart from setting 001/01 for MCC and MNC, is there anything else I need to pay attention to when setting up the programmable SIM card?
