Pre-loader

5G devices and Next-Generation Core Networks Hacking

Why choose this course?

Get ready to assess 5G devices and networks

With the emergence of 5G-NR NSA (Non-StandAlone) and the future deployment of SA (Standalone) mode, not only cellphones but also cars and infrastructures as many other objects will be actively connected to the internet. Moreover, using NR-U (New Radio Unlicensed) bands with 5G allows private companies, campuses, and other places to own their own 5G network. All of these changes introduce new risks that will see during this training.

Indeed, this course aims to focus on 5G NSA (Non-Standalone), and SA (Standalone) security, giving the techniques to perform security assessments on devices as well as on the current and Next Generation Core Network.

Contact us to request a quote! Look at the pricing

About the training

What the class will teach?

With this class, students will learn how to hunt for vulnerability in 5G mobile radio communications and current + Next-Generation Core Networks:

  • Learn the difference between 2G, 3G, 4G, and 5G technologies
  • Differences between 5G NSA and SA
  • Understand the new security mechanisms
  • Downgrading security mechanisms
  • How to setup an entire 5G lab/testbed
  • Get primary reflexes to attack embedded and IoT systems
  • Attacking the different Core Networks from the outside and the inside

Part 1: 5G radio

Day 1 will introduce the 5G NSA mode and the SA mode, which should appear in many countries in the fall of 2022. During this day, we will also introduce the radio aspect, the tools, and the setup to organize our RF assessments with Software-Defined Radio

Theory

  • Introduction to mobile networks and protocols (2G/3G/4G/5G)
  • Differences between 5G NSA and SA
  • Security mechanism on the radio
  • SIM/USIM/ISIM cards
  • Equipment and tools for our tests
  • Incoming tools
  • Possible attacks on 5G-NR
  • How to safely assess 5G devices
  • Hunting for vulnerabilities

Assignment 1: Manipulating secrets

  • Looking in-depth secrets generated during a registration
  • Manipulating them

Assignment 2: Observations and fingerprinting

  • Running a 5G virtual network
  • Inspecting captures
  • Fingerprinting devices

Assignment 3: Setup a 5G NSA network

  • Setup a 5G NSA network with Software-Defined Radio
  • Configuring an ISIM card

Assignment 4: Setup a 5G SA network

  • Setup a 5G SA network with Software-Defined Radio
  • Alternatives

Assignment 5: Capture The Flag

  • Analyzing communications between a client and a network
  • Capturing the secrets


Part 2: 5G Core Networks

The last day will be an opportunity to see the core network side, which could be very interesting when the operator exposes some nodes outside, as was the case many times. Moreover, it will focus more on the Standalone mode, which will drastically change from 2G-4G infrastructures and applications.

During this day, attendees will also realize why it is crucial to not only rely on the 5G-NR security mechanisms but also provide additional countermeasures in devices.

Theory

  • Introduction of the 5G SA infrastructure and REST APIs
  • Security Mechanisms
  • Possible attacks
  • Hunting for exposed nodes/gateways
  • Our latest feedbacks

Assignment 1: Hunting and intruding exposed nodes

  • Mapping a cloud
  • Look for exposed services
  • Finding and exploiting vulnerabilities to intrude the service

Assignment 2: REST API attacks

  • Attacking the API to get persistent
  • Hijack communications
  • Looking at 2 different Open-sourced stacks

Assignment 3: Attack devices

  • Map devices in remote from the exposed network
  • Find and exploit vulnerabilities on devices

Going further with future core network

  • Opportunities of attacks on OpenRAN


Content of private trainings can be arranged depending on your needs. We also provide additional content as follows:

  • Practical attacks on OpenRAN
  • Fuzzing the core network protocol stacks
  • etc.
  • Knowledge of Linux administration
  • Understanding of pentesting (network and applications) or Red teaming
  • All attendees must have a laptop running Linux, with 8GB of RAM min.
  • Basic knowledge of radio is not mandatory but is a plus

Trainer

Sébastien Dudek
Founder

Security researcher at Trend Micro, Sébastien is also the founder of the PentHertz consulting company, which specializes in wireless and hardware security.

Have any question?

If you need to send us a mail regarding the course, please write to us at [email protected] for more information.

Events hosting our courses

Pricing (prices exclude 20% VAT in France)

Contact us to request a quote
Remote Single person
2 450€ for one person

2-day remote live training, including a RF kits (bladeRF 2.0 mini), slides, a Virtual Machine, scripts/tools and captures. The content can be customized depending on the means and required days for the training.

Contact us!
POPULAR
Remote Private group
2 150€ /attendee
+ possible discount

2-day remote live training, including a RF kits (bladeRF 2.0 mini), slides, a Virtual Machine, scripts/tools and captures. The content can be customized depending on the means and required days for the training.

An extra discount can be negotiated depending on the number of attendees.

Contact us!
Tailored content

The content can be fully tailored depending on your needs.

Contact us for more information!

Subscribe to our mailing list

New content, events, products, services, and more!

* indicates required