5G Radio and Next-Generation Core Networks Hacking

Why choose this course?

Get ready to assess 5G devices, RAN and core networks

With the emergence of 5G-NR NSA (Non-StandAlone) and the future deployment of SA (Standalone) mode, not only cellphones but also cars, infrastructure, and many other objects will be actively connected to the internet. Moreover, using NR-U (New Radio Unlicensed) bands with 5G allows private companies, campuses, and other places to own their own 5G network. All of these changes introduce new risks that we will see during this training.

This course focuses on 5G NSA (Non-Standalone) and SA (Standalone) security, giving the techniques to perform security assessments on devices as well as on the current and Next-Generation Core Network.

Also get ready for upcoming OpenRAN networks, which represent new commercial opportunities but also introduce new vectors for potential attackers.


About the training

With this class, students will learn how to hunt for vulnerabilities in 5G mobile radio communications and in current and Next-Generation Core Networks:

  • Learn the difference between 2G, 3G, 4G, and 5G technologies
  • Differences between 5G NSA and SA
  • Understand the new security mechanisms
  • Downgrading security mechanisms
  • How to set up an entire 5G lab/testbed
  • Acquire the basic reflexes for attacking embedded and IoT systems
  • Attacking the different Core Networks from the outside and the inside

Part 1: 5G radio

Day 1 will introduce the 5G NSA mode and the SA mode, which should appear in many countries in the fall of 2022. During this day, we will also introduce the radio aspect, the tools, and the setup to organize our RF assessments with Software-Defined Radio.


  • Introduction to mobile networks and protocols (2G/3G/4G/5G)
  • Differences between 5G NSA and SA
  • Security mechanism on the radio
  • SIM/USIM/ISIM cards
  • Equipment and tools for our tests
  • Incoming tools
  • Possible attacks on 5G-NR
  • How to safely assess 5G devices
  • Hunting for vulnerabilities

Assignment 1: Manipulating secrets

  • Looking in depth at the secrets generated during a registration
  • Manipulating them

Assignment 2: Observations and fingerprinting

  • Running a 5G virtual network
  • Inspecting captures
  • Fingerprinting devices

Assignment 3: Set up a 5G NSA network

  • Set up a 5G NSA network with Software-Defined Radio
  • Configuring an ISIM card

Assignment 4: Set up a 5G SA network

  • Set up a 5G SA network with Software-Defined Radio
  • Alternatives

Assignment 5: Capture The Flag

  • Analyzing communications between a client and a network
  • Capturing the secrets

Part 2: 5G Core Networks

The last day will be an opportunity to see the core network side, which can be very interesting when the operator exposes some nodes externally, as has been the case many times. Moreover, it will focus more on the Standalone mode, which differs drastically from 2G-4G infrastructures and applications.

During this day, attendees will also realize why it is crucial to not only rely on the 5G-NR security mechanisms but also provide additional countermeasures in devices.


  • Introduction of the 5G SA infrastructure and REST APIs
  • Security Mechanisms
  • Possible attacks
  • Hunting for exposed nodes/gateways
  • Our latest feedback

Assignment 1: Hunting for and intruding into exposed nodes

  • Mapping a cloud
  • Look for exposed services
  • Finding and exploiting vulnerabilities to intrude into the service

Assignment 2: REST API attacks

  • Attacking the API to gain persistence
  • Hijacking communications
  • Looking at 2 different open-source stacks

Assignment 3: Attack devices

  • Map devices remotely from the exposed network
  • Find and exploit vulnerabilities on devices

Part 3: OpenRAN

OpenRAN represents a good opportunity for manufacturers that are not part of the telecom ecosystem. This technology revisits the whole architecture of a RAN with open-source blocks and new AI concepts to handle and scale a network. But this new technology, which is sold as secure because it uses open-source blocks, can also introduce new vulnerabilities and attack vectors.

In this section, we will learn about OpenRAN, and how to attack and secure such a network.


  • Introduction to RANs
  • OpenRAN’s architectures
  • Introduction to containers and Kubernetes
  • Current tools and attacks

Assignment 1: Fingerprinting OpenRAN network

  • Mapping OpenRAN assets
  • Enumerating vulnerabilities
  • Looking for interesting vectors

Assignment 2: Attacking the network

  • Intruding into a network
  • Pivoting
  • Backdooring applications

Assignment 3: Securing

  • Avoid misconfigurations
  • Testing and auditing a setup in the cloud

Content of private trainings can be arranged depending on your needs. We also provide additional content as follows:

  • More practical attacks on vRAN and OpenRAN
  • Fuzzing the core network protocol stacks
  • etc.

Prerequisites

  • Knowledge of Linux administration
  • Understanding of pentesting (network and applications) or Red teaming
  • All attendees must have a laptop running Linux, with 8GB of RAM min.
  • Basic knowledge of radio is not mandatory but is a plus

Pricing (prices exclude 20% VAT in France)

Remote Single person
3 650€ for one person

3-day remote live training, including an RF kit (bladeRF 2.0 mini), slides, a Virtual Machine, scripts/tools and captures. The content can be customized depending on the means and required days for the training.

Remote Private group
3 170€ /attendee
+ possible discount

3-day remote live training, including an RF kit (bladeRF 2.0 mini), slides, a Virtual Machine, scripts/tools and captures. The content can be customized depending on the means and required days for the training.

An extra discount can be negotiated depending on the number of attendees.

Tailored content

The content can be fully tailored depending on your needs.

Contact us for more information!
