![Page 1: FemtoCell Hacking - Hack In The Boxconference.hackinthebox.org/hitbsecconf2017ams/materials...FemtoCell Hacking From Zero to Zero Day! singi (jeonghoon shin) fb : @sjh21a Who Am I?](https://reader031.vdocuments.us/reader031/viewer/2022021818/5aa72bf57f8b9a50528bfb1a/html5/thumbnails/1.jpg)
FemtoCell Hacking From Zero to Zero Day!
singi (jeonghoon shin) fb : @sjh21a
Who Am I?
• Researcher at ***
• Software bug researcher
• Mentor of B.o.B
(an education program in search of Korea's next-generation security leaders)
• a.k.a singi
• fb : @sjh21a
Today's Talk Points
0x00. Basic LTE Network
0x01. Femtocell Vendors in South Korea
0x02. How I pwned a femtocell device
0x03. Reaching HeMS / pwned!
0x04. Once you control the femto, what can you do?
Basic LTE Network
Basic LTE Network
• UE (User Equipment)
  • Mobile device
• FAP (Femto Access Point)
  • Connects to the service provider's network via broadband.
• SeGW (Security Gateway)
  • Border gateway of the operator's core network
  • Installed in the operator's network
• Femto-GW (Femtocell Gateway)
  • Provision itself
  • Interacts with core network entities
  • Installed in the operator's network
What is a femtocell?
• Small base station
• Gap filler
• Covers out-of-service areas
• Cell area: 10~12 m
• In the LTE standard, defined as Home evolved Node B (HeNB)
• 3G? Home Node B (HNB)
• Recently called a "Small Cell"; which name is better? :]
Why femtocell?
• A vital part of the LTE network.
• Already widespread.
• Packets of mobile devices can easily be sniffed.
• Mobile devices connected to the femtocell can be controlled.
A few years later?
Femtocell Vendors/devices
Femtocell Service Providers in South Korea
Femtocell Vendors in South Korea
InnoWireless Contela
… …
InnoWireless JuniKorea
… …
CNSLink …
Femtocell Vendors in South Korea
• In South Korea, femtocell devices are not sold to individuals.
• One reason is that the service is still under development.
• They are being tested on the public LTE network.
• As you know, LTE is all over IP! :D
LTE Network Overview
(diagram labels, translated from Korean)
• Femto AP session control, paging, MME interworking
• Security (IPsec) between the femto AP and the femto G/W
• eNode B management, eNode B / S-G/W signalling control, handover management
• Anchoring/roaming of the UE between 3G and LTE, packet forwarding to the P-GW
• Packet routing, UE IP allocation, charging, QoS control
• Femto AP authentication system, shared with the WiBro AAA system
• Subscriber location and authentication information system
• Subscriber policy and tariff information system
• Customer phone number / IP synchronization system; charging equipment
Attack Vector
How I pwned the femtocell device
• Case #1:
• Started from zero, because I had never touched or owned a femtocell device.
• I searched the web for any femtocell information.
• I focused on internet news/articles.
• "Google Search" is the best hacking tool of all! :D
How I pwned the femtocell device
• A femto is installed at the Gangnam Station Starbucks.
How I pwned the femtocell device
• Got the IP address and Device ID information.
• From the IP address, got some interesting information:
  • Vendor name
  • Service port
I knew the vendor name; what next?
• Read all the product manual PDF files on the vendor website.
• Actually, I didn't expect much :(
I knew the vendor name; what next?
• However, there was critical information.
• But where is the IP address? Read more :(
Huh, got root easily :( Anyway, read more…
Last page: got the IP address!
So easy… next?
Root can do anything! :)
• Get the firmware / check the firmware update routine.
• Because I wanted to download the femtocell firmware.
• Dig for interesting files in the femtocell.
• At that time, I found HeNB info/XML files.
• Femto LTE configuration values.
• And look for an RCE attack vector!
Details of the femto RCE
• When I analysed the femto firmware, I found an RCE attack vector.
• This femtocell device opens/uses a "debug" port on the public network :)
Same debugging feature, several daemons
Details of the femto RCE
a1 is the received string pointer. If the first byte of a1 is 0x01 or 0x02,
the "unknown MsgType" check is bypassed.
Make simple payloads!
• Payload length is greater than 8 bytes.
• The first byte must be 0x01 or 0x02 (message format).
• "0x01"*8 + "system\x20" + "shell command"
• Got a root shell! :(
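A defender-side check for the message shape just described, as an added example that is not the speaker's exploit code: it applies the daemon's acceptance rules from the slides (length over 8, first byte 0x01 or 0x02, then "system " and a command) to captured payloads and flags the ones that would reach system(). The 8-byte header layout and the sample addresses are assumptions.

```python
"""Added example (not the speaker's code): detector for the debug-daemon
message shape the slides describe.  Assumed from the slide payload
"0x01"*8 + "system\x20" + command: an 8-byte header whose first byte is
the MsgType, followed by a body that the daemon hands to system()."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEADER_LEN = 8                     # slides: payload must be longer than 8 bytes
ACCEPTED_MSG_TYPES = {0x01, 0x02}  # slides: these bypass the "unknown MsgType" check
COMMAND_PREFIX = b"system "        # slides: "system\x20" followed by a shell command


@dataclass
class DebugMsg:
    msg_type: int
    header: bytes
    body: bytes


def parse_debug_msg(payload: bytes) -> Optional[DebugMsg]:
    """Apply the daemon's own acceptance rules; None means it would be rejected."""
    if len(payload) <= HEADER_LEN:            # too short: the daemon ignores it
        return None
    if payload[0] not in ACCEPTED_MSG_TYPES:  # unknown MsgType: rejected
        return None
    return DebugMsg(payload[0], payload[:HEADER_LEN], payload[HEADER_LEN:])


def classify(payload: bytes) -> str:
    """'ignore': not accepted; 'debug': accepted message; 'command': system() reached."""
    msg = parse_debug_msg(payload)
    if msg is None:
        return "ignore"
    if msg.body.startswith(COMMAND_PREFIX):
        return "command"
    return "debug"


def scan_flows(flows: List[Tuple[str, bytes]]) -> List[str]:
    """Return one alert line per captured payload that would reach system()."""
    alerts = []
    for src, payload in flows:
        if classify(payload) == "command":
            arg = payload[HEADER_LEN + len(COMMAND_PREFIX):].decode("latin-1", "replace")
            alerts.append(f"{src}: system() call via debug port, argument {arg!r}")
    return alerts


# Constructed sample traffic toward the debug port (addresses are made up).
SAMPLE_FLOWS = [
    ("198.51.100.7", b"\x01" * 8 + b"system id"),   # command reaches system()
    ("198.51.100.7", b"\x01" * 8),                  # exactly 8 bytes: ignored
    ("203.0.113.9", b"\x03" * 8 + b"system id"),    # unknown MsgType: rejected
    ("203.0.113.9", b"\x02" * 8 + b"status"),       # accepted, no shell command
]

if __name__ == "__main__":
    for line in scan_flows(SAMPLE_FLOWS):
        print(line)
```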
Femto RCE exploit code
Got root easily
Okay, what's next?
• Access HeMS.
• HeMS is the HeNB Management System.
• HeNB is each femtocell device.
• Will use a KT femtocell, because LG U+ is closing its service soon.
• Have to reverse engineer binaries / look for system files.
Access to HeMS
• When I got a shell on the femtocell device, I looked for interesting files / the firmware update routine.
• At that time, I had some information about HeMS.
• HeMS provides FTP, HTTP and CWMP services (three ways in).
• HeMS is the management server for femtocell devices via the TR-069 (CWMP) protocol (it also exposes the CWMP agent ID/password).
  • Manages femto device firmware updates.
  • Checks/saves the daily device log of each femto device.
  • Sends control messages to each femtocell device.
Exposed HeMS account
XML Command List
How to use the XML commands?
Where to find HeMS account information?
F.Y.I., the HeMS FTP service only allows access via a femto device.
Digging through the /tmp directory
It is just an FTP service, not SFTP :(
*PLTE*.tar.bz2 is our femtocell firmware
Here is the XML log file!
The CM_*.xml files hold information about the femto devices.
Daily device log file: 6550 nodes in the CM_170306.xml file.
I did interesting work via the GPS value…
Femto stop :D
Gotta catch 'em all
Pwn HeMS via the Web Service
• This time, finding a 0-day in the HeMS HTTP service.
• Connecting to the HTTP service through a browser, we can see a "flash" index file.
• We can decompile this SWF file!
HeMS web page: just one Flash file
Decompiled the SWF file using an open-source tool.
Many ActionScript files.
HeMS Web Vulnerability
Where RemoteObject is defined
• Class names implemented through the RemoteObject class.
• 24 classes in total.
Using this RemoteObject function.
HeMS Web exploit code
Get a HeMS shell?
Got HeMS, dirty shot!
Conclusion
• We found 2+ vulnerabilities in the femtocell device.
  • Access to the debug daemon, a stack overflow, …
• We can access the femtocell management server.
  • Through info files and by exploiting a web vulnerability.
• We can choose a certain femto device via its GPS value, and we can sniff that femto device.
Any Questions? :D
Thanks to
• @reum
  • She is a mentee of B.o.B 4th.
  • She helped in preparing the presentation script.
• @jack2
  • He is my co-working partner.