Breaking

New Tool: s1ap_enum

As we continue our research in the 3GPP protocol world, there is a new tool for you to play with. It is called s1ap_enum and thats also what it does  😉

The tool itself is written in erlang, as i found no other free ASN.1 parser that is able to parse those fancy 3GPP protocol specs. It connects to an MME on sctp/36412 and tries to initiate a S1AP session by sending an S1SetupRequest PDU. To establish a S1AP session with an MME the right MCC and MNC are needed in the PLMNIdentity. The tool tries to guess the right MCC/MNC combinations. It comes with a preset of known MCC/MNC pairs from mcc-mnc.com, but can try all other combinations as well.

Download

So how’s S1 on the internetz?

A friendly neighbor did a masscan recently and we found some of those hosts still alive. And chatty as well 😉

enum

So we were able to establish a S1 session with this one, someone wants to (de-)reg some UE? xD

Others are not so nice, like this one here:

enum2

But the big question is, what are those MMEs doing in the internetzz? This isn’t your walled ISP garden! Or do you want to test how much S1AP garbage your equipment can take?

The same thing with X2AP. Seems to out there as well, waiting for some chitchat. I haven’t tried to build the ASN.1 spec yet, but if erlc is nice thats just a matter of seconds. xD

So have fun banging your head through tail recursion, play with the tool and have a nice day!

/daniel

Comments

  1. Hello, I am trying to do some testing with your s1ap_enum tool, can you give me some information on how to use the tool? And is it possible I do some coding on your programs? thank you in advance.

  2. Hey There..

    I would very much like to try this piece of sw… however.. I finding myself with very little info to go with.
    Is this s1ap_enum suppose to work in windows? … specifically win 7?
    Also … once unzip … the next stpe is …???

    Help please!

Comments are closed.