Description
First of all, thank you for the work you've done creating this software.
I have set up 5Ghoul on an Ubuntu Server 24.04 LTS with a USRP B210 as directed.
I have NOT connected any UEs via ADB or any USB modems to my setup as I'd like to launch the rogue base station on my machine and the "victim controls" on another.
I have modified the configuration files (5gnr_gnb_config.json and global_config.json) accordingly.
After running the command described in the documentation:
sudo bin/5g_fuzzer --MCC=001 --MNC=01 --GlobalTimeout=false --EnableMutation=false
my setup fails to start with the following output:
# sudo bin/5g_fuzzer --MCC=001 --MNC=01 --GlobalTimeout=false --EnableMutation=false
Logical Cores: 4
No SMT support, running on all cores
Assigned CPUSET:
0, 1, 23
Disabling Core dump for this process: ulimit -c 0
[ParseArgs] "MCC" unchanged ("001")
[ParseArgs] "MNC" unchanged ("01")
[ParseArgs] "GlobalTimeout" unchanged (false)
[ParseArgs] "EnableMutation" unchanged (false)
[Modules] Loading C++ Modules at "modules/exploits/5gnr_gnb"
[Modules] --> mac_sch_mtk_rrc_setup_crash_6.so loaded
[Modules] --> mac_sch_nas_unknown_pdu_crash.so loaded
[Modules] --> mac_sch_rrc_setup_crash.so loaded
[Modules] --> mac_sch_rrc_reconfiguration_crash.so loaded
[Modules] --> mac_sch_mtk_rrc_setup_crash_1.so loaded
[Modules] --> mac_sch_mtk_rrc_setup_crash_7.so loaded
[Modules] --> mac_sch_mtk_rrc_setup_crash_3.so loaded
[Modules] --> mac_sch_mac_rlc_crash.so loaded
[Modules] --> mac_sch_mtk_rrc_setup_crash_4.so loaded
[Modules] --> mac_sch_mtk_rrc_setup_crash_2.so loaded
[Modules] --> mac_sch_rrc_setup_crash_var.so loaded
[Modules] --> mac_sch_mtk_rlc_crash.so loaded
[Modules] 12/12 Modules Compiled / Loaded
[Modules] All modules using prefix
----------LTE Fuzzer----------
Loading Model...
Model Loaded!
[Machine] Layer:"NAS"
[Machine] --> States:0, Transitions:0
[Machine] Layer:"RRC"
[Machine] --> States:0, Transitions:0
[Machine] Layer:"RLC"
[Machine] --> States:0, Transitions:0
[Machine] Layer:"MAC-NR"
[Machine] --> States:0, Transitions:0
[Machine] Total States: 38
[Machine] Total Transitions: 308
[Monitor] ERROR: ADB Could not connect to device UWEUW4XG8XCA8PWS
[SHMDriver] SHM:/tmp/wshm, Channel:0, Mode:1, MQUEUE:/wshm
sh: 1: ulimit: Illegal option -q
[SHMDriver] SHM:/tmp/wshm, Channel:1, Mode:1
[SHMDriver] SHM:/tmp/wshm, Channel:2, Mode:1
[SHMDriver] SHM:/tmp/wshm, Channel:3, Mode:1
[SHMDriver] SHM:/tmp/wshm, Channel:4, Mode:1
[SHMDriver] SHM:/tmp/wshm, Channel:5, Mode:1
[SHMDriver] SHM:/tmp/wshm, Channel:6, Mode:1
[Open5GS] Adding IMSI 001010000000001 with K=00112233445566778899AABBCCDDEEFF, OPC=00112233445566778899AABBCCDDEEFF, APN=default
[Open5GS] Adding IMSI 001010100011321 with K=12345678901234567890123456789012, OP=12345678901234561234567890123456, APN=default
[Open5GS] Adding IMSI 001010000064950 with K=3ac9ec861c3d5209ddb00d88b8b2c933, OPC=ad3d5e6e6df84bf3fd799b39c70e7c74, APN=default
[Open5GS] Adding IMSI 001010000064951 with K=3ac9ec861c3d5209ddb00d88b8b2c933, OPC=ad3d5e6e6df84bf3fd799b39c70e7c74, APN=default
[Open5GS] Adding IMSI 001020000064951 with K=3ac9ec861c3d5209ddb00d88b8b2c933, OPC=ad3d5e6e6df84bf3fd799b39c70e7c74, APN=default
[Open5GS] Adding IMSI 001010000064952 with K=3ac9ec861c3d5209ddb00d88b8b2c933, OPC=ad3d5e6e6df84bf3fd799b39c70e7c74, APN=default
[Open5GS] Adding IMSI 001010000064953 with K=3ac9ec861c3d5209ddb00d88b8b2c933, OPC=ad3d5e6e6df84bf3fd799b39c70e7c74, APN=default
[Open5GS] Adding IMSI 999700000064959 with K=5FBC6D9274D7D3F03E32B12DBF582424, OPC=32B95812161923774B71D508A1D4D3B6, APN=internet
[Open5GS] Adding IMSI 901700000039907 with K=33CD0E15C56301487706C843E5BC53C1, OPC=3E91AD887FB569F4A68EEB8282872B0F, APN=internet
[Open5GS] Adding IMSI 222010000039900 with K=3ac9ec861c3d5209ddb00d88b8b2c933, OPC=ad3d5e6e6df84bf3fd799b39c70e7c74, APN=internet
[Open5GS] Adding IMSI 208950000039900 with K=3ac9ec861c3d5209ddb00d88b8b2c933, OPC=ad3d5e6e6df84bf3fd799b39c70e7c74, APN=internet
[Open5GS] Adding IMSI 525070000039900 with K=3ac9ec861c3d5209ddb00d88b8b2c933, OPC=ad3d5e6e6df84bf3fd799b39c70e7c74, APN=internet
[Open5GS] Adding IMSI 222010100000002 with K=0c2d427dc188ed0284c4dd0fde705060, OPC=64f4f96c49dfac6a89b45dfa15574a75, APN=internet
[Open5GS] Adding IMSI XXXXXXXXXXXXXXXXXXX with K=XXXXXXXXXXXXXXXXXXX , OPC=XXXXXXXXXXXXXXXXXXX , APN=internet
[Open5GS] Error while registering subscribers
./3rd-party/hostapd/idemptables -A INPUT -i ogstun -j ACCEPT
./3rd-party/hostapd/idemptables -A FORWARD ! -i ogstun -o ogstun -j ACCEPT
./3rd-party/hostapd/idemptables -A FORWARD -i ogstun ! -o ogstun -j ACCEPT
./3rd-party/hostapd/idemptables -t nat -A POSTROUTING -s 45.45.0.0/16 ! -o ogstun -j MASQUERADE
[GlobalTimeout] Not enabled in config. file
[AnomalyReport] Added Logging Sink: PacketLogger
[ReportSender] Disabled in config file
[AnomalyReport] Added Logging Sink: SvcReportSender
[USBHubControl] Disabled in config. file
[ModemManager] ModemManager not started!
[Optimizer] Optimization disabled. Using default population:
--------------------------------------------------------
[Optimizer] Iter=1 Params=[0.2,0.2,0.2,0.2,0.2,0.2,...,0.2]
[Optimizer] Fitness=1e+06 Adj. Fitness=-1e+06
--------------------------------------------------------
[Optimizer] Initialized with X Size=293, Population Size=5
[Main] Fuzzing not enabled! Running only target reconnection
[PacketHandler] Added "proto:nas-5gs", Dir:0, Realtime:0, TID:638
[PacketHandler] Added "proto:nas-5gs", Dir:1, Realtime:0, TID:639
[PacketHandler] Added "proto:pdcp-nr-framed", Dir:0, Realtime:1, TID:640
[PacketHandler] Added "proto:pdcp-nr-framed", Dir:1, Realtime:1, TID:641
[PacketHandler] Added "proto:mac-nr-framed", Dir:0, Realtime:1, TID:642
[PacketHandler] Added "proto:mac-nr-framed", Dir:0, Realtime:1, TID:643
[PacketHandler] Added "proto:mac-nr-framed", Dir:1, Realtime:0, TID:644
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
[!] Base-Station process stopped
^C
[!] Open5GS stopped
[PacketHandler] Stopping Threads
[SignalHandler] Exiting 5g_fuzzer
Note: the XXXXXXXXXXXXXXXXXXX represents my victim's IMSI.
I have not changed the K and OPC values from the default in 5gnr_gnb_config.json.
This results in failing to start the application and experiment with it in any way.
My Questions:
- I do not seem to be able to get it started. Is there something wrong with my configuration and/or setup?
- Is connecting a modem as the "controlled victim" absolutely necessary? Could this impact the deployment of a setup?
- I noticed that configuring 5Ghoul is not documented whatsoever other than in the issues, whose answers could give an insight, like Issue "open5gs stopped & adb: device 'UWEUW4XG8XCA8PWS' not found" #19 and Issue "adb: device 'UWEUW4XG8XCA8PWS' not found" #14. Is documentation of the configuration something we could expect? It would be really helpful for the ones trying to experiment with 5Ghoul.
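The log above shows "[Open5GS] Error while registering subscribers" immediately after the masked subscriber line, which differs in shape from the entries that were accepted (15-digit IMSI, 32-hex-digit K and OPC, no whitespace before the commas). The following script is an added diagnostic example, not code from the issue or from the 5Ghoul project: it parses the "[Open5GS] Adding IMSI ..." lines of a 5g_fuzzer log, flags entries whose format deviates from the accepted ones, and reports whether the registration error appeared. The sample log is constructed from the lines quoted above, and the format checks are a heuristic for narrowing down a bad config entry, not a confirmed root cause.

```python
"""Sanity-check the subscriber lines in a 5g_fuzzer / Open5GS start-up log.

Added diagnostic example (not part of 5Ghoul). The format rules below are
inferred from the entries that registered without error in the issue log:
a 15-decimal-digit IMSI and 32-hex-digit K / OPC (or OP) values.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: three well-formed lines plus one masked line shaped like
# the one in the issue (placeholder values and stray spaces before the commas).
SAMPLE_LOG = """\
[Open5GS] Adding IMSI 001010000000001 with K=00112233445566778899AABBCCDDEEFF, OPC=00112233445566778899AABBCCDDEEFF, APN=default
[Open5GS] Adding IMSI 001010100011321 with K=12345678901234567890123456789012, OP=12345678901234561234567890123456, APN=default
[Open5GS] Adding IMSI 222010100000002 with K=0c2d427dc188ed0284c4dd0fde705060, OPC=64f4f96c49dfac6a89b45dfa15574a75, APN=internet
[Open5GS] Adding IMSI XXXXXXXXXXXXXXXXXXX with K=XXXXXXXXXXXXXXXXXXX , OPC=XXXXXXXXXXXXXXXXXXX , APN=internet
[Open5GS] Error while registering subscribers
"""

# Tolerant parser: accepts whitespace around the commas so that malformed
# entries are still captured and can be reported field by field.
LINE_RE = re.compile(
    r"^\[Open5GS\] Adding IMSI (?P<imsi>\S+) with K=(?P<k>\S+?)\s*,\s*"
    r"(?P<optype>OPC|OP)=(?P<op>\S+?)\s*,\s*APN=(?P<apn>\S+)\s*$"
)
IMSI_RE = re.compile(r"^[0-9]{15}$")
HEX32_RE = re.compile(r"^[0-9a-fA-F]{32}$")


@dataclass
class Finding:
    line_no: int
    imsi: str
    problems: list[str] = field(default_factory=list)


def check_subscriber_lines(log_text: str) -> tuple[list[Finding], bool]:
    """Return (findings for suspicious subscriber lines, error_seen)."""
    findings: list[Finding] = []
    error_seen = False
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if "Error while registering subscribers" in line:
            error_seen = True
            continue
        if "Adding IMSI" not in line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            findings.append(Finding(line_no, "?", ["line does not match the expected format"]))
            continue
        problems: list[str] = []
        if not IMSI_RE.match(m["imsi"]):
            problems.append(f"IMSI {m['imsi']!r} is not 15 decimal digits")
        if not HEX32_RE.match(m["k"]):
            problems.append("K is not 32 hex digits")
        if not HEX32_RE.match(m["op"]):
            problems.append(f"{m['optype']} is not 32 hex digits")
        if " ," in line:
            problems.append("stray whitespace before a comma")
        if problems:
            findings.append(Finding(line_no, m["imsi"], problems))
    return findings, error_seen


if __name__ == "__main__":
    results, failed = check_subscriber_lines(SAMPLE_LOG)
    print(f"registration error seen: {failed}")
    for f in results:
        print(f"line {f.line_no} (IMSI {f.imsi}):")
        for p in f.problems:
            print(f"  - {p}")
```

Run it against a captured log instead of SAMPLE_LOG to see which subscriber entry deviates; the IMSI, K and OPC lengths it checks are the lengths of the entries the log shows being accepted, so an entry that trips the checks is the first thing to compare with the working defaults in 5gnr_gnb_config.json.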