
A SS7 pen testing toolkit

ss7MAPer – A SS7 pen testing toolkit

While running some SS7 pentests last year, I developed a small tool automating some of the well-known SS7 attack cases. Today I’m releasing the first version of ss7MAPer, an SS7 MAP (pen-)testing toolkit.

The toolkit is built upon the Osmocom SS7 stack and implements some basic MAP messages. In its current state, tests against the HLR are ready for use; in future versions, tests against VLR, MSC and SMSC will follow.
The source code of the tool is published on GitHub; feel free to use and extend it.
The tool is written in Erlang; to get it running you will need the Erlang runtime environment. It is developed for version 17.5.
As an example, the screenshot below shows the output of the tool against an HLR, testing which MAP messages are accepted and the results given back.
[Screenshot: ss7MAPer output against an HLR (v01_working)]
As you can see in the picture, the HLR in the demonstrated test cases responds to most of the MAP messages, regardless of the fact that we are not registered as a valid provider. The tool is not configured as a serving MSC nor a roaming contractor. Some of the information gathered can be seen as critical, such as the MSISDN -> IMSI resolution, the over-the-air crypto keys or the ability to create supplementary services, e.g. call forwarding.
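A defender-side view of this finding, as an added example that is not part of the original post or of ss7MAPer: it screens HLR-facing MAP requests by calling global title and operation code, and reports the sensitive operations that a non-partner sender got answered. The log format, global titles and partner list are constructed assumptions; the operation codes are those defined in 3GPP TS 29.002.

```python
import re

# MAP operation codes (3GPP TS 29.002) behind the exposures named in the post.
SENSITIVE_OPS = {
    58: ("sendIMSI", "MSISDN -> IMSI resolution"),
    45: ("sendRoutingInfoForSM", "MSISDN -> IMSI resolution"),
    56: ("sendAuthenticationInfo", "over-the-air crypto keys"),
    10: ("registerSS", "supplementary service creation"),
}

# Constructed allow-list: GT prefixes of the serving network and roaming partners.
PARTNER_GT_PREFIXES = ("99901",)

# Constructed sample of an HLR signaling log (hypothetical format).
SAMPLE_LOG = """\
t=001 cgpa_gt=99901000001 opcode=56 result=returnResult
t=002 cgpa_gt=99999000123 opcode=58 result=returnResult
t=003 cgpa_gt=99999000123 opcode=56 result=returnError
t=004 cgpa_gt=99999000123 opcode=10 result=returnResult
t=005 this line is malformed
"""

LINE_RE = re.compile(
    r"^t=(\d+) cgpa_gt=(\d+) opcode=(\d+) result=(returnResult|returnError|reject)$"
)

def is_partner(gt, prefixes=PARTNER_GT_PREFIXES):
    """True if the calling GT belongs to an allow-listed prefix."""
    return gt.startswith(tuple(prefixes))

def screen(log_text, prefixes=PARTNER_GT_PREFIXES):
    """Return (findings, skipped): sensitive MAP requests from non-partners."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            skipped += 1          # count unparsable lines instead of hiding them
            continue
        _, gt, opcode, result = m.groups()
        if is_partner(gt, prefixes) or int(opcode) not in SENSITIVE_OPS:
            continue
        name, exposure = SENSITIVE_OPS[int(opcode)]
        status = "ANSWERED" if result == "returnResult" else "rejected"
        findings.append((gt, name, exposure, status))
    return findings, skipped

if __name__ == "__main__":
    for finding in screen(SAMPLE_LOG)[0]:
        print(" | ".join(finding))
```

Entries marked ANSWERED are the ones that correspond to the behaviour shown in the screenshot: the HLR returned a result to a sender outside the allow-list.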
The code (and its dependencies) is not that easy to compile, but I tried to give complete step-by-step instructions in the README file.
The messages and test cases are gathered from public SS7 research of recent years (see 12) and check for known weaknesses in the SS7 domain.
The tool itself was developed in cooperation with the Belgian provider Proximus and aims to test the secure configuration of the internal and external SS7 network access. Thanks a lot for giving us the opportunity here; we are convinced that the tool gives the research community, but also telecommunication providers, a new, important and (especially) open-source-based possibility for SS7 testing.
More about the tool and SS7 testing at the Troopers TelcoSecDay and the Telco Network Security & Network Protocol Fuzzing Workshop.
That’s it, get the code, try the tool.
Best wishes from Heidelberg.
/daniel
