
Demystifying 5G Security Understanding the Registration Prot...#1386

Merged
carlospolop merged 2 commits into master from
update_Demystifying_5G_Security__Understanding_the_Regist_20250905_011652
Sep 7, 2025

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

What this post delivers.
A hands-on, low-level walkthrough of 5G UE registration, where NAS security is not yet active, and how attackers can exploit that pre-security window. It explains packet flows, crypto negotiation, identifier protection, concrete replay rules, and tooling (Open5GS, Wireshark, 5GReplay, Sni5Gect, and an internal sniffer) so defenders can reproduce tests, detect weaknesses, and harden deployments.

Context and testing constraints.
5G adoption i...

🔧 Technical Details

Exploit the unauthenticated NAS window. Target Registration Request and early Authentication (steps 1–2) before Security Mode Command. Without integrity/ciphering, passively read or actively alter capability fields to influence later crypto selection.

Track subscribers via SUCI failures. If devices/USIMs transmit plaintext SUPI instead of SUCI, capture initial NAS to extract MCC/MNC/MSIN and perform persistent tracking across time and location.

Downgrade/bidding-down null algorithms. Use an on-path position or rogue gNB to modify the UE’s advertised EEA/EIA to force EEA0/EIA0, eliminating air-link confidentiality/integrity and enabling eavesdropping/tampering.

Replay initial registration. Record NGAP InitialUEMessage carrying NAS Registration Request and replay to the AMF. Example 5GReplay rule: trigger on ngap.procedure_code==15 and nas_5g.message_type==65 to forward matching packets. Acceptance indicate...

🤖 Agent Actions

I analyzed the Bishop Fox blog and updated HackTricks with the actionable 5G NAS registration attack techniques (SUCI leaks, null algorithm downgrade, and NAS replay) in the most relevant place: Telecom Network Exploitation under Pentesting Network.

What I did:

  • Searched for existing telecom/5G content and selected src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md as the best target to extend (no existing 5G-specific page).
  • Read multiple related files to understand structure and cross-links:
    • src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md
    • src/generic-methodologies-and-resources/pentesting-network/README.md
    • src/generic-methodologies-and-resources/pentesting-wifi/README.md
    • src/network-services-pentesting/pentesting-voip/basic-voip-protocols/README.md
    • src/generic-hacking/esim-javacard-exploitation.md
  • Added a new section “9. 5G NAS Registration Attacks: SUCI leaks, downgrade to EEA0/EIA0, and NAS replay” to telecom-network-exploitation.md, including:
    • A concise primer on the pre-security NAS window (Registration Request/Authentication unprotected until Security Mode).
    • Identifier privacy testing for SUCI vs SUPI exposure with Wireshark filter hints.
    • Bidding-down attack details on UE Security Capability (EEA/EIA), coercing EEA0/EIA0 with Sni5Gect, and verification guidance.
    • NAS replay PoC with a 5GReplay rule snippet targeting NGAP InitialUEMessage and NAS Registration Request.
    • Tooling pointers (Open5GS, Wireshark, 5GReplay, Sni5Gect) for reproducibility.
    • Defensive checklist and mitigations (reject EEA0/EIA0 except narrowly for emergency, enforce EEA2/EIA2, detect replays and rogue infra).
    • Added two 5G-specific bullets to “Detection Ideas”.
  • Updated the References section at the end of the file with:
    • The blog URL.
    • 3GPP specs relevant to NAS and 5G security (TS 24.501 and 33.501).

Files changed:

  • Modified: src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md

Notes:

  • No new files were needed; the content integrated well as a new section in the existing Telecom Network Exploitation page.
  • The update contains concrete code blocks (5GReplay PoC rule), practical Wireshark filters, methodology, and mitigation guidance consistent with HackTricks style.
  • References are consolidated at the end as required.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.
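The parser below is an added example and is not code from the Bishop Fox post or from the HackTricks page the PR edits. It decodes the plain 5GMM Registration Request (message type 0x41, the 65 in the 5GReplay rule above) that a UE sends before NAS security is active, and flags the three things the Technical Details section says to look for: a null-scheme SUCI (SUPI effectively in the clear, MCC/MNC/MSIN recoverable), a UE security capability that offers nothing but 5G-EA0/5G-IA0 (the bidding-down signature), and a byte-identical InitialUEMessage payload seen twice (replay candidate). Field layouts follow TS 24.501 (8.2.6, 9.11.3.4, 9.11.3.54); the IE table only covers a subset of the Registration Request IEs, every sample PDU is constructed rather than captured, and the Profile A "scheme output" bytes are a placeholder, not a real ECIES output.

```python
"""Decode a pre-security 5GMM Registration Request and flag SUCI/algorithm/replay issues.

Added example; layouts per TS 24.501, sample PDUs constructed, not captured.
"""
import hashlib

EPD_5GMM = 0x7E
MT_REGISTRATION_REQUEST = 0x41          # 65 decimal, the value the 5GReplay rule matches
IEI_UE_SECURITY_CAPABILITY = 0x2E
# Subset of Registration Request IEs whose encoding is not plain TLV (assumption: enough
# for the samples here; extend the tables for other optional IEs).
TLV_E_IEIS = {0x70, 0x71, 0x74, 0x77, 0x7B}   # two-octet length
TV_FIXED_LEN = {0x52: 6}                      # Last visited registered TAI: IEI + 6 octets

EA_NAMES = ["5G-EA0", "128-5G-EA1", "128-5G-EA2", "128-5G-EA3",
            "5G-EA4", "5G-EA5", "5G-EA6", "5G-EA7"]
IA_NAMES = [n.replace("EA", "IA") for n in EA_NAMES]


def bcd_digits(data: bytes) -> str:
    """Decode TBCD: low nibble first, 0xF is filler."""
    return "".join(str(n) for b in data for n in (b & 0x0F, b >> 4) if n != 0xF)


def decode_plmn(o: bytes) -> tuple:
    """MCC/MNC packed per 9.11.3.4: MNC digit 3 shares the second octet with MCC digit 3."""
    mcc = f"{o[0] & 0xF}{o[0] >> 4}{o[1] & 0xF}"
    mnc = f"{o[2] & 0xF}{o[2] >> 4}" + ("" if o[1] >> 4 == 0xF else str(o[1] >> 4))
    return mcc, mnc


def parse_mobile_identity(v: bytes) -> dict:
    ident = {"type": v[0] & 0x07}
    if ident["type"] != 1:                      # 1 = SUCI; GUTI/IMEI/... not decoded here
        return ident
    ident["supi_format"] = (v[0] >> 4) & 0x07
    if ident["supi_format"] != 0:               # 0 = IMSI-based; NAI-based SUCI skipped
        return ident
    ident["mcc"], ident["mnc"] = decode_plmn(v[1:4])
    ident["routing_indicator"] = bcd_digits(v[4:6])
    ident["scheme"] = v[6] & 0x0F               # 0 = null, 1 = Profile A, 2 = Profile B
    ident["hn_key_id"] = v[7]
    ident["scheme_output"] = v[8:]
    if ident["scheme"] == 0:                    # null scheme: the MSIN travels as clear TBCD
        ident["msin"] = bcd_digits(ident["scheme_output"])
    return ident


def parse_registration_request(nas: bytes) -> dict:
    if nas[0] != EPD_5GMM:
        raise ValueError("not a 5GMM PDU")
    if nas[1] & 0x0F != 0:
        return {"plain": False}                 # security header set: outside the pre-security window
    if nas[2] != MT_REGISTRATION_REQUEST:
        raise ValueError("not a Registration Request")
    req = {"plain": True, "registration_type": nas[3] & 0x07, "ngksi": nas[3] >> 4}
    ln = int.from_bytes(nas[4:6], "big")        # 5GS mobile identity is LV-E
    req["mobile_identity"] = parse_mobile_identity(nas[6:6 + ln])
    pos, ies = 6 + ln, {}
    while pos < len(nas):                       # optional IEs
        iei = nas[pos]
        if iei >= 0x80:                         # type-1/type-2 IE: IEI and value share one octet
            ies[iei >> 4] = bytes([iei & 0x0F]); pos += 1
        elif iei in TV_FIXED_LEN:
            n = TV_FIXED_LEN[iei]; ies[iei] = nas[pos + 1:pos + 1 + n]; pos += 1 + n
        elif iei in TLV_E_IEIS:
            n = int.from_bytes(nas[pos + 1:pos + 3], "big")
            ies[iei] = nas[pos + 3:pos + 3 + n]; pos += 3 + n
        else:                                   # plain TLV
            n = nas[pos + 1]; ies[iei] = nas[pos + 2:pos + 2 + n]; pos += 2 + n
    cap = ies.get(IEI_UE_SECURITY_CAPABILITY)
    if cap:                                     # bit 8 of each octet is the null algorithm
        req["ea"] = [EA_NAMES[i] for i in range(8) if cap[0] & (0x80 >> i)]
        req["ia"] = [IA_NAMES[i] for i in range(8) if cap[1] & (0x80 >> i)]
    return req


def assess(req: dict) -> list:
    """Findings a tester records for one pre-security Registration Request."""
    findings, m = [], req["mobile_identity"]
    if m.get("scheme") == 0:
        findings.append(f"SUPI exposed: null-scheme SUCI, IMSI {m['mcc']}{m['mnc']}{m['msin']}")
    if set(req.get("ea", [])) == {"5G-EA0"}:
        findings.append("only 5G-EA0 offered: ciphering bid-down")
    if set(req.get("ia", [])) == {"5G-IA0"}:
        findings.append("only 5G-IA0 offered: integrity bid-down")
    return findings


class ReplayTracker:
    """Byte-identical NAS payloads in InitialUEMessage seen twice are replay candidates."""
    def __init__(self):
        self.seen = set()

    def observe(self, nas: bytes) -> bool:
        h = hashlib.sha256(nas).hexdigest()
        dup = h in self.seen
        self.seen.add(h)
        return dup


# Constructed samples: initial registration, ngKSI "no key", PLMN 001/01, routing indicator 0.
SAMPLE_NORMAL = bytes.fromhex("7e004171" "000d" "0100f110f0ff00000000000010" "2e02f0f0")
SAMPLE_DOWNGRADED = bytes.fromhex("7e004171" "000d" "0100f110f0ff00000000000010" "2e028080")
SAMPLE_PROFILE_A = bytes.fromhex("7e004171" "0010" "0100f110f0ff0101" "0011223344556677" "2e02f0f0")

if __name__ == "__main__":
    for name, pdu in [("normal", SAMPLE_NORMAL), ("downgraded", SAMPLE_DOWNGRADED), ("profileA", SAMPLE_PROFILE_A)]:
        print(name, assess(parse_registration_request(pdu)))
```

Two caveats when using this on a live lab: the AMF echoes the UE security capability it received inside the Security Mode Command, so a compliant UE detects a modified capability set and aborts; a bid-down test therefore has to check whether the UE actually completes Security Mode with EEA0/EIA0, not only whether the altered Registration Request was accepted. And byte-identical Registration Requests also occur on legitimate NAS retransmissions, so the replay tracker is a triage signal to correlate with the N2/NGAP association and timing, not a verdict on its own.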

Build master and others added 2 commits September 4, 2025 09:18
@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://bishopfox.com/blog/demystifying-5g-security-understanding-the-registration-protocol

Content Categories: Based on the analysis, this content was categorized under "Pentesting Network > Telecom Network Exploitation (add a subsection: "5G NAS Registration Attacks: SUCI leaks, downgrade to EEA0/EIA0, and NAS replay")".

Repository Maintenance:

  • MD Files Formatting: 874 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

github-actions Bot force-pushed the master branch 6 times, most recently from 4d8992e to 318e919 on September 7, 2025 17:52
@carlospolop
Collaborator Author

merge

@carlospolop carlospolop merged commit 088cf87 into master Sep 7, 2025
@carlospolop carlospolop deleted the update_Demystifying_5G_Security__Understanding_the_Regist_20250905_011652 branch September 7, 2025 20:01
github-actions Bot pushed a commit that referenced this pull request Sep 7, 2025
…Security__Understanding_the_Regist_20250905_011652

Demystifying 5G Security Understanding the Registration Prot...
carlospolop added a commit that referenced this pull request Sep 29, 2025
…Security__Understanding_the_Regist_20250905_011652

Demystifying 5G Security Understanding the Registration Prot...