What is SIGTRAN? SS7? SCTP?
SIGTRAN is the name, derived from signaling transport, of the former Internet Engineering Task Force (IETF) working group that produced specifications for a family of protocols that provide reliable Datagram service and user layer adaptations for Signaling System 7 (SS7) and ISDN communications. The SIGTRAN protocols are an extension of the SS7 protocol family. It supports the same application and call management paradigms as SS7 but uses an Internet Protocol (IP) transport called Stream Control Transmission Protocol (SCTP). Indeed, the most significant protocol defined by the SIGTRAN group is SCTP, which is used to carry PSTN signaling over IP. (source wikipedia).
In this post we will cover a third Protocol SCTP that is often missed by Penetration Testers in Telephony based environments…
The SIGTRAN protocols specify the means by which SS7 messages can be reliably transported over IP networks (with SCTP). The architecture identifies two components: a common transport protocol for the SS7 protocol layer being carried and an adaptation module to emulate lower layers of the protocol. For example:
- If the native protocol is MTP (Message Transport Layer) Level 3, the SIGTRAN protocols provide the equivalent functionality of MTP Level 2.
- If the native protocol is ISUP or SCCP, the SIGTRAN protocols provide the same functionality as MTP Levels 2 and 3.
- If the native protocol is TCAP, the SIGTRAN protocols provide the functionality of SCCP (connectionless classes) and MTP Levels 2 and 3.
SCTP Handshake Protocol
The SCTP Handshake is a 4 step process (or known as 4-way handshake). The client initially sends a INIT, and the server should respond with INIT-ACK, and which point the client responds to the INIT-ACK with COOKIE-ECHO, and the server finally responds with COOKIE-ACK to confirm the connection. At any point the server can send ABORT to indicate a closed port.
A valid connection is depicted below:
The packet of course changes its shape and size based on CHUNK type, there is a lot to cover here…
Small list of CHUNK types:
I recommend reading http://en.wikipedia.org/wiki/SCTP_packet_structure for a full breakdown on all the available CHUNK types.
SCTP Scanning (Network Mapping SIGTRAN)
Nmap has integrated SCTP scanning since mmap v5.00 (2009 by Daniel Roethlisberger); The hardly known options are:
-PY SCTP INIT based ping scan -sY SCTP INIT scan -sZ SCTP COOKIE-ECHO scan
Host is up (0.069s latency). Scanned at 2013-11-06 17:49:38 GMT for 1s PORT STATE SERVICE 7/sctp open echo 9/sctp open discard 20/sctp closed ftp-data 21/sctp closed ftp 22/sctp closed ssh 80/sctp open http 179/sctp closed bhp
More information on Nmap and SCTP can be found here: http://www.roe.ch/Nmap_SCTP
What Flows over SCTP?
- M2PA (MTP2 Peer-2-Peer Adaption Layer)- functionally replaces MTP2 and below.
- M3UA (MTP3 User Adaptation Layer) – enables the SS7 protocol’s User Parts (e.g. ISUP, SCCP and TUP) to run over IP instead of telephony equipment like ISDN and PSTN
- RANAP (Radio Access Network Application Part) – used in UMTS signaling between the Core Network, which can be a MSC or SGSN, and the UTRAN. RANAP is carried over Iu-interface.
- SUA (SCCP User Adaption) – alternative to M3UA to transmit SCCP across the network.
How To Audit SS7
- SCTP Scans
- DPC (Destination Point Code) Scan (1x M3UA)
- SSN (Sub-System Number) Scan (1x NI (Network Indicator)
- Application Tests (CAP, MAP, INAP)
Similar to IP addresses Point Code (PC) is a unique address for a node or Signalling Point (SP) used in MTP Layer 3 to identify the destination of a Message Signal Unit (MSU). Depending on the network, a point code can be 24 bits (North America, China), 16 bits (Japan), or 14 bits (ITU standard, International SS7 network and most countries) in length.
- OPC Originating Point Code
- DPC Destination Point Code
- ISPC International Signaling Point Code
Sub-System Numbers (SSNs)
(SCCP) subsystem numbers are used to identify applications within network entities which use SCCP signalling.
The following globally standardised subsystem numbers have been allocated for use by GSM/UMTS:
- 0 Not used/Unknown
- 1 SCCP MG
- 6 HLR (MAP)
- 7 VLR (MAP)
- 8 MSC (MAP)
- 9 EIR (MAP)
- 10 is allocated for evolution (possible Authentication Centre).
The following are national subsystem numbers used within GSM/UMTS:
- 248 CSS (MAP)
- 249 PCAP
- 250 BSC (BSSAP-LE)
- 251 MSC (BSSAP-LE)
- 252 SMLC (BSSAP-LE)
- 253 BSS O&M (A interface)
- 254 BSSAP (A interface)
The following are national subsystem numbers used within and between GSM/UMTS:
- 142 RANAP
- 143 RNSAP
- 145 GMLC (MAP)
- 146 CAP
- 147 gsmSCF (MAP) or IM-SSF (MAP) or Presence Network Agent
- 148 SIWF (MAP)
- 149 SGSN (MAP)
- 150 GGSN (MAP)
Network Indicator (NI)
The NI indicates whether the message is for a national or international network. A national network can also discriminate between different Point Code structures used by different countries and invoke the appropriate version of the message handling functions accordingly.
|1||= International Spare|
|3||= National Spare|
Messages are usually routed using the national or international values. The spare values are often used for testing and for temporary use during Point Code conversions. The national spare value can also be used for creating an additional national network. For example, in some European countries, network operators have used the national spare network indicator for creating a national interconnect network. Using this method, the switches between operator networks have two Point Codes assigned: one for the interconnect network using the national network indicator, and the other for the operator network using the national spare network indicator. This allows the network operator to administer Point Codes as he chooses within his national network, while using the interconnect network to interface with other network operators.