SS7 Tool: Full Guide For Linux Users

July 23, 2017

Hello Guys,
Before I Start my small tutorial on using SS7 Stack, here is some basic information about SS7...
  Signaling System 7 - SS7

The signaling system #7 (SS7) is an international standard network signaling protocol that allows common channel (independent) signaling for call-establishment, billing, routing, and information-exchange between nodes in the public switched telephone network (PSTN). SS7 system protocols are optimized for telephone system control connections and they are only directly accessible to telephone network operators.

Common channel signaling (CCS) is a separate signaling system that separates content of telephone calls from the information used to set up the call (signaling information). When call-processing information is separated from the communication channel, it is called "out-of-band" signaling. This signaling method uses one of the channels on a multi-channel network for the control, accounting, and management of traffic on all of the channels of the network.

An SS7 network is composed of service switching points (SSPs), signaling transfer points (STPs), and service control points (SCPs). The SSP gathers the analog signaling information from the local line in the network (end point) and converts the information into an SS7 message. These messages are transferred into the SS7 network to STPs that transfer the packet closer to its destination. When special processing of the message is required (such as rerouting a call to a call forwarding number), the STP routes the message to a SCP. The SCP is a database that can use the incoming message to determine other numbers and features that are associated with this particular call.

In the SS7 protocol, an address, such as customer-dialed digits, does not contain explicit information to enable routing in a signaling network. It then will require the signaling connection control part (SCCP) translation function. This is a process in the SS7 system that uses a routing tables to convert an address (usually a telephone number) into the actual destination address (forwarding telephone number) or into the address of a service control point (database) that contains the customer data needed to process a call.

Intelligence in the network can be distributed to databases and information processing points throughout the network because the network uses common channel signaling A set of service development tools has been developed to allow companies to offer advanced intelligent network (AIN) services

This diagram shows the basic structure of the SS7 control signaling system. This diagram shows that a customer's telephone is connected to a local switch end office (EO). The service switching point (SSP) is part of the EO and it converts dialed digits and other signaling indicators (e.g. off-hook answer) to SS7 signaling messages. The SS7 network routes the control packet to its destination using its own signal transfer point (STP) data packet switches using separate interconnection lines. In some cases, when additional services are provided, service control point (SCP) databases are used to process requests for advanced telephone services. This diagram also shows that the connections used for signaling are different than the voice connections. This diagram shows that there are multiple redundant links between switches, switching points, and network databases to help ensure the reliability of the telephone network. The links between points in the SS7 system have different functions and message structures. Access links (A-links) are used for access control between EOs and SCPs. Bridge links (B-links), cross links (C-links), and diagonal links (D-links) interconnect STPs. Extended links (E-links) are optionally used to provide backup connections from an EO to the SS7 network. Fully associated links (F-links) share (associate with) the connection between EOs.

          

                  Today I'm Just going to show you a little tutorial on using ss7 tools without building full program. i'm using telscale opensource ss7 stack in here, which is compiled by akib sayyed. you don't have to do anything like building it or downloading lots of tools. this tool is in Java .jar format.

##$$ Requirements:

* Linux OS with SCTP support
* JRE 1.7(Java SE Runtime Environment) or above

Here is a Link to Download SS7 Assessment Tool:  SafeSeven.Zip

And Here is Link To Download JRE 8 (Java SE Runtime Environment): JRE 8 For Linux.tar.gz

JDK 7u6 and later releases include JavaFX SDK (version 2.2 or later). The JavaFX SDK and Runtime are installed and integrated into the standard JDK directory structure.



For information about how to work with JavaFX, see http://docs.oracle.com/javase/8/javase-clienttechnologies.html





Installation of the 64-bit JRE on Linux Platforms 





This procedure installs the Java Runtime Environment (JRE) for 64-bit Linux, using an archive binary file (.tar.gz). These instructions use the following file:


jre-8uversion-linux-x64.tar.gz

Download the file.                                Before the file can be downloaded, you must accept the license agreement. The archive binary can be installed by anyone (not only root users), in any location that you can write to. However, only the root user can install the JDK into the system location.
Change directory to the location where you would 
like the JDK to be installed, then move the .tar.gz 
archive binary to the current directory.

Unpack the tarball and install the JRE:

        % tar zxvf jre-8uversion-linux-x64.tar.gz


The Java Development Kit files are installed in a directory called jdk1.8.0_version in the current directory.


Delete the .tar.gz file if you want to save disk space.


Now, Extract the safeseven files to your home directory. Now Open WireShark.(well, wireshark is preinstalled in Kali Linux)


Choose "SCTP" Protocol & Start capturing data packets. 


Then Open Terminal. I'm Writing Here Few Commands For Using the Java .Jar Files;

                                                    
 

<Before Running Client On Actual SS7 Network>
Edit client_config file(Edit Details of Orange Marked Area)
```

//Client 

SERVER_IP="IP of STP you are connecting to"

CLIENT_IP="IP address provisioned for you in STP"

SERVER_PORT="STP port"

CLIENT_PORT="client provisioned port"

IS_SERVER=FALSE "should be always false"

Local_SPC="point code assigned to you"

Remote_SPC="point code of STP"

Local_SSN="local ssn"

Remote_SSN="remote ssn"

Routing_Context="routing context assigned to you by STP"

NETWORK_INDICATOR="Network indicator"

Local_GT="Local global title assigned to you"

Remote_GT="remote Global title you are testing"

``` 









<#Commands For Simulating SS7 Network/#>
 
Simulating HLR: 
       java -jar server.jar hlr_config 

Simulating MSC/VLR: 
       java -jar server.jar vlr_config

Running STP: 
       java -jar STP.jar stp_config

 
 
<#Commands For Running SafeSeven/#>



SMS Related Operations:
 
       java -jar SMS.jar client_config
 
USSD Related Operations:
 
       java -jar ussd.jar client_config
 
Call Related Operations:
 
       java -jar Call_Handling.jar client_config
 
Mobility Related Operations:
 
       java -jar Mobility.jar client_config




Here Are Some Steps To Intercepting SMS By Using MapSMS.jar:
Step 1. 
1. Attacker sends request SendRoutingInfoForSM addressing MAP(Mobile Application Part) message by MSISDN(Target Phone Number)
2.HLR(Home Resource Locater) replies with: own address, serving MSC address, IMSI(The International Mobile Subscriber Identity (IMSI) is an internationally standardized unique number to identify a mobile subscriber. The IMSI is defined in ITU-T Recommendation E.212. The IMSI consists of a Mobile Country Code (MCC), a Mobile Network Code (MNC) and a Mobile Station Identification Number (MSIN).)


Step 2.
1. Attacker registers Target Phone Number On the fake MSC
2. HLR sets up new location for our target number
3.HLR asks real MSC to release a memory




Step 3.
1. Someone sends SMS to Target Number 
2. MSC translates the SMS to SMS-C
3. SMS-C requests HLR for Target number's location
4. HLR replies with a fake MSC address
5. SMS-C translates SMS to the fake MSC & Your Wireshark captures SMS

There It is...






If you want to more develop on this by your self so you can download following program:

Eclipse Javascript IDE Download

Xampp Download For Linux 

JDK(Java Development Kit) 8 Download









How to find Info For Accessing SS7 Network(Sending SRISM)












Share to your Friends,

Thank You
https://nienderkp.blogspot.com.br/2017/07/ss7-tool-small-guide-for-linux-users.html