My First SS7 attack

I got a pm today asking me if I had “fully figured out and gained access to SS7 ?” Sadly the answer to parts A and B of that question is no, but I could have, I think. After much searching & scanning, I stumbled across a SGFW running default creds.
Winner johnny… Full card…

I followed the guide here:

Unfortunately, to log in would have been crossing a line I’m not interested in crossing right now, so its treasures will remain a mystery. Fortunately, I have a less illegal way to get my SS7 fix.

My whole interest in SS7 is location data. I don’t want to intercept password resets or OTPs, I just want to be able to know the location of my POI. Turns out there is an easier way than an AnyTimeInterrogation attack to get that data. My friends, let me introduce:

SMS Type 0

A Type 0 short message is one whose TP-Protocol-Identifier (TP-PID) is 0x40 (3GPP TS 23.040). Originally it was intended for specific tasks such as debugging or updating software on a mobile device without disturbing the user: the handset must acknowledge receipt but discard the contents. Turns out it’s pretty handy for getting location data too. Silent SMS for the win. Here’s how it works.

A silent SMS is delivered to the target phone. This SMS, like all others, passes through the signaling system of the mobile network. When the SMS reaches its intended recipient, the phone acknowledges it to the network (and, if the sender requested a status report, a delivery report comes back), even though it does not sound an alert, appear in the recipient’s message list, or get stored on the SIM. Lucky us, this is standard message delivery behaviour in GSM.

The part that matters is what the acknowledgement does on the network side. To deliver the message the MSC has to page the handset, and the handset has to answer from whichever cell it is currently camped on, so the serving network now holds a fresh cell ID and location area code (LAC) for it. Note that those values are not carried back to the sender in the delivery report; the report only tells you the message arrived. The cell ID and LAC live in the VLR and in the operator’s records, which is why silent SMS is used together with a network-side lookup (the AnyTimeInterrogation-style MAP query mentioned above, or the operator’s own logs).

The device’s approximate location can then be ascertained from the cell that handled the message: with a cell-tower database that gets you somewhere between a few hundred metres in a city and several kilometres in the countryside, and each further silent SMS refreshes the fix.

How are we going to send our silent SMS? With our very own SMS gateway sitting in front of an SMSC.

Part 1. Setting up the server

Kannel is a powerful and widely used open source SMS gateway: its bearerbox talks to real SMSCs over SMPP, CIMD2, EMI/UCP or HTTP (or to a GSM modem over AT commands), and its smsbox exposes an HTTP interface you submit messages through. It is not an SMSC itself, so you still need an SMSC bind or a modem behind it. I chose this option as it is actively maintained by a community of great developers and I just dig the vibe of the site. A momentary flash of an internet gone by. Ok, let’s rumble.

  1. Getting Kannel: the daily snapshots on the Kannel website are what you are looking for. Grab yourself the user guide while you’re at it; it will come in handy.
  2. Install the build dependencies:
    • Kannel itself needs a C toolchain, bison, flex and libxml2. OpenSSL and PCRE are optional extras, and the database client libraries are only needed for the backends you enable. On a Debian-based system: sudo apt-get install build-essential bison flex libxml2-dev libssl-dev libpcre3-dev (add default-libmysqlclient-dev and/or libpq-dev if you want MySQL or PostgreSQL DLR storage).
  3. Unpack the snapshot and cd in (the tarball is plain data, it does not need chmod +x):
    mkdir kannel
    cd kannel
    wget <snapshot URL from the Kannel download page>
    tar -xzvf kannel-snapshot.tar.gz
  4. Run the configure script:
    • ./configure does not prompt; you pass the options on the command line. Run ./configure --help first, because the snapshots change. Some useful ones:
    • MySQL support: --with-mysql (plus --with-mysql-dir=/usr/local/mysql if it is not in the default location)
    • PostgreSQL support: --with-pgsql (plus --with-pgsql-dir=/usr/local/pgsql)
    • SSL support: --enable-ssl
    • Shared libraries: --enable-shared
    • Debug build: --enable-debug
    • Install location: --prefix=/usr/local/kannel (without it the binaries bearerbox, smsbox and wapbox land in /usr/local/sbin)
  5. Let configure run: it checks for the dependencies above and tells you what it could not find.
  6. Compile Kannel: make
  7. Install Kannel: sudo make install
  8. Configure the daemons: write a kannel.conf (conventionally /etc/kannel/kannel.conf) with at least a core group, one smsc group for the SMSC or modem you connect to, an smsbox group, and a sendsms-user group for the HTTP interface.
  9. Start Kannel: there is no single kannel command; bearerbox has to be up before smsbox:
    sudo bearerbox -v 1 /etc/kannel/kannel.conf &
    sudo smsbox -v 1 /etc/kannel/kannel.conf &
    (The Debian package gives you sudo service kannel start instead, driven by /etc/default/kannel.)
  10. Test it: check bearerbox’s status page on the admin port (13000 by default, status-password from the core group), then push a message through smsbox’s sendsms HTTP interface (port 13013 by default) with curl. If the status page shows the SMSC link online and sendsms answers “0: Accepted for delivery”, the gateway side works; whether the message goes anywhere depends on the SMSC bind.

Please note that the actual options and configurations may vary depending on your system and the features you need. Refer to the Kannel documentation for the most up-to-date information.
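To put steps 8 to 10 together, here is an added example (mine, not from the post or the Kannel project): a minimal kannel.conf for bearerbox and smsbox, and a small Python client for smsbox’s /cgi-bin/sendsms interface that requests a Type 0 message with delivery reports. Every host, port, user name and password is a placeholder you replace with your own; the destination number is fictitious, and the dlr-url callback is an assumed listener of yours.

```python
# Added example (not from the original post or the Kannel project): a minimal kannel.conf
# for bearerbox + smsbox and a small client for smsbox's /cgi-bin/sendsms HTTP interface.
# Hosts, ports, user names and passwords are placeholders; the destination number is fictitious.
from typing import Dict, Optional
from urllib.parse import urlencode
import urllib.request

KANNEL_CONF = """\
group = core
admin-port = 13000
admin-password = CHANGE-ME-admin
status-password = CHANGE-ME-status
smsbox-port = 13001
log-file = "/var/log/kannel/bearerbox.log"
log-level = 0
dlr-storage = internal

# The SMSC side: an SMPP bind to whoever gives you signalling access (placeholder values).
group = smsc
smsc = smpp
smsc-id = lab
host = smpp.example.invalid
port = 2775
smsc-username = CHANGE-ME
smsc-password = CHANGE-ME
system-type = ""
transceiver-mode = true

group = smsbox
bearerbox-host = 127.0.0.1
sendsms-port = 13013
log-file = "/var/log/kannel/smsbox.log"

# Who may use the HTTP sendsms interface. The password travels in the query string,
# so keep this loopback-only and firewall 13000/13013 from everything else.
group = sendsms-user
username = tester
password = CHANGE-ME-sendsms
user-allow-ip = "127.0.0.1"
max-messages = 1
"""

TP_PID_TYPE0 = 0x40          # "Short Message Type 0" (3GPP TS 23.040)

# Kannel dlr-mask bits: which delivery-report events bearerbox should push to dlr-url.
DLR_DELIVERED, DLR_FAILED, DLR_QUEUED, DLR_INTERMEDIATE, DLR_SMSC_SUBMIT = 1, 2, 4, 8, 16
DLR_NAMES = {DLR_DELIVERED: "delivered", DLR_FAILED: "non-delivered", DLR_QUEUED: "queued",
             DLR_INTERMEDIATE: "intermediate", DLR_SMSC_SUBMIT: "smsc-submit"}


def write_conf(path: str) -> None:
    """Write the config above; point bearerbox and smsbox at the same file."""
    with open(path, "w") as f:
        f.write(KANNEL_CONF)


def sendsms_params(username: str, password: str, to: str, silent: bool = True,
                   dlr_url: Optional[str] = None) -> Dict[str, str]:
    """Query parameters for smsbox's sendsms interface. silent=True sets TP-PID 0x40 and no text."""
    params = {"username": username, "password": password, "to": to, "text": ""}
    if silent:
        params["pid"] = str(TP_PID_TYPE0)   # Kannel's pid parameter takes the TP-PID as a number (64 = 0x40)
    # Ask for every report type: the "delivered" one is what tells us the handset acked.
    params["dlr-mask"] = str(DLR_DELIVERED | DLR_FAILED | DLR_QUEUED | DLR_INTERMEDIATE | DLR_SMSC_SUBMIT)
    if dlr_url:
        params["dlr-url"] = dlr_url   # bearerbox GETs this; %d expands to the dlr-mask bit that fired
    return params


def sendsms_url(base: str, username: str, password: str, to: str, silent: bool = True,
                dlr_url: Optional[str] = None) -> str:
    """Full sendsms URL; urlencode keeps the %d/%p escapes intact for Kannel to expand later."""
    return base.rstrip("/") + "/cgi-bin/sendsms?" + urlencode(
        sendsms_params(username, password, to, silent, dlr_url))


def dlr_status(code: int) -> str:
    """Translate the %d value Kannel put in our dlr-url callback into a name."""
    return DLR_NAMES.get(code, "unknown(%d)" % code)


def send(url: str, timeout: float = 5.0) -> str:
    """Fire the request at smsbox; returns its one-line reply, e.g. '0: Accepted for delivery'."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    url = sendsms_url("http://127.0.0.1:13013", "tester", "CHANGE-ME-sendsms", "+447700900123",
                      dlr_url="http://127.0.0.1:8080/dlr?type=%d&to=%p")
    print(url)
    # print(send(url))   # needs a running bearerbox + smsbox with a live SMSC bind
```

Two practical notes: the sendsms credentials go over plain HTTP in the query string, so the user-allow-ip line and a firewall on 13000/13013 are not optional, and dlr_status is what your callback listener runs on the type= value to decide whether the handset actually acknowledged (1) or the message died somewhere in the network (2).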

In our next installment… setting up our SMS gateway & the moneyshot… See you then.


You can also apt-get install kannel on Debian devices, but I prefer to DL the snapshots.

Found a killer resource if you want to get your head around routing messages in SS7.
Pretty handy little sandbox & a SS7 SMS demo app to spin up…
good times… good times…
