P1 Training Description TS-270 v1.0 jbt · PDF fileo Huawei LTE-SAE-EPC UGW (GGSN, S-GW, PDN...
Transcript of P1 Training Description TS-270 v1.0 jbt · PDF fileo Huawei LTE-SAE-EPC UGW (GGSN, S-GW, PDN...
©2017P1Security.Allrightsreserved.
TS-270LTESecurityandInsecurity
Descriptionoftraining
Learnaboutmoderntelecom,mainlineandmobile,systemsandnetworksfor4GLTEmobilenetworkservice.Understand the securitymechanismof LTE and the Evolved Packet Core network securityandvulnerabilities.LearnindetailthevariousproblemsthatmayhappeninLTEnetworksanddefineaplanofstudytobecomeanLTENetworkauditor.DurationUniqueversion:2days.Attendeeswillreceive
• AccesstoEricsonDiameterstackandVM;• Diameterfuzzingtoolsandscripts;• GTPscanningtoolsandscripts;• Trainingmaterial:copyofthepresenter’sslides.
Prerequisitesfortraining
• Basicknowledgeoftelecom&networkprinciples:o Whatis2G,3G,4G;o OSInetworklayers;o Basicknowledgeoftelecomtechnologies.
• LaptopwithLinuxinstalledeitherinVMornative,BacktrackorUbuntuwithreverseengineeringandhackingtoolsrecommended;
• GoodknowledgeandusageofWireshark;
Coveredinthistraining
• LTEIntroduction;• LTESecurityarchitecture;• LTENetworkelementsoverviewandsecurityroles&functions;• LTECommunicationsecurity,cryptographyandkeymanagement;• StudyofLTEprotocols:
o S1AP;o X2AP;o Diameter;o GTP-C;o GTP-U;o GTPv2;o GTP’;o NAS.
©2017P1Security.Allrightsreserved.
• TypicalattacksonLTEinfrastructure;• RecapofSS7attackscenariosandcomparisonto4G;• RoleoflegacyinLTEsecurity;• Networkelementsandtheirfunctions,HSS,DRA/DEA,MME,PCRF,eNodeB,PGW,SGW;• DRAremoteandRCEcompromiseviaDiameter(Casestudy);• VulnerabilitiesinVoLTE;• AnalysisofNetworkelementandvulnerabilities:
o GenericLTENetworkelementvulnerabilities;o HuaweiLTE-SAE-EPCHSS:structure,vulnerabilities,integration,provisioning,
hardwareattacks;o HuaweiLTE-SAE-EPCUGW(GGSN,S-GW,PDNGW):role&structure.
• DiametersecurityandcomparisontoSIGTRANandRadiusprotocols;• Diameterfuzzingandscanning(hands-on);• Diameterinaroamingcontext;• NASsecurity,protocolreviewandknownattacks(casestudies);• SCTPprotocolbasics,scanningandattackscenarios(hands-on);• SGW–PGWinfrastructureanddesignandGTPv2scanningandfuzzing(hands-on);• S1APinterfaceprotocolstudyandknownvulnerabilities(casestudy);• AttackscenariosovertheS1APinterface(hands-on);• AttackingO&M(OAM&Management)ofnetworkelements(hands-on);• Crackingradiusprotocol(hands-on);• GRX/IPXcompromisecasestudies,architectureanddesignandknownvulnerabilities;• ScenariosofattackofLTEnetwork:
o Radio-based,subscriberrole;o Infrastructure-based,transmissionorRANvector;o Internal-basedattack;o Interconnectbasedattackscenrarios.