---
title: "Methodology: Telecom Penetration Testing Lifecycle"
description: "TelcoSec telecom penetration testing lifecycle: SS7/Diameter exploitation, RAN attacks, 5G core vectors, and MITRE FiGHT framework mapping."
date: "2024-03-03"
lastModified: "2026-05-15"
author: "Ruben F. Silva"
authorName: "TelcoSec Research"
category: "SIGNALING_ATTACKS"
severity: "CRITICAL"
image: "/images/articles/telecom-pentest-hero.webp"
imageAlt: "Telecom Penetration Testing Methodology - Signaling Protocol Attack Vectors"
readingTime: 22
---
Traditional penetration testing focuses on enterprise perimeters, web applications, and cloud endpoints. However, attacking a telecommunications network requires an entirely different methodology, specialized toolsets, and a deep understanding of legacy telecom protocols alongside modern cloud-native infrastructures. The target surface spans from SS7 vulnerabilities on legacy interconnects to 5G SBA vulnerabilities — a range that no single standard methodology covers.
This guide outlines the comprehensive, multi-layer methodology used by TelcoSec's offensive teams to evaluate the security posture of Mobile Network Operators (MNOs), MVNOs, and critical telecom infrastructure providers. Every phase maps to the MITRE FiGHT framework for standardized threat contextualization and SOC integration.
RESOURCES: Telecom Red Teaming Framework
Download the complete TTP mapping for 4G/5G networks, including signaling, radio, and edge assault vectors (PDF).
This methodology covers six distinct assault phases: Intelligence Gathering, Radio Access Network exploitation, Signaling/Interconnect attacks, 5G Core cloud-native assault, Edge and MEC penetration, and Post-Exploitation persistence. Each phase requires specialized tools, legal authorizations, and domain-specific expertise.
- SS7/Diameter signaling remains a critical intercept vector even for 5G subscribers.
- MITRE FiGHT framework as the standard for 5G threat modeling.
- Rogue base stations (IMSI catchers) evolve with downgrade attacks targeting 5G.
- Cloud-native 5G core introduces Kubernetes, API, and container escape attack surfaces.
- Telecom pentesting requires dedicated lab infrastructure for safe execution.
I. The Telecom Pentesting Lifecycle
Reconnaissance Priority
```bash
# Searching for potentially exposed 5G Core AMF endpoints (N2/NGAP over SCTP)
shodan search 'port:38412 SCTP'
# Searching for exposed Diameter nodes
shodan search 'port:3868 Diameter'
# Searching for exposed GTP-C endpoints (very dangerous if found)
shodan search 'port:2123 GTPv2'
```
The telecom pentesting lifecycle follows six distinct phases, each targeting a different layer of the network architecture:
Phase 1: Intelligence Gathering and OSINT
Before transmitting a single packet, attackers map the target's footprint. In telecom, this goes beyond finding IP subnets — it requires understanding the operator's entire technology stack, vendor relationships, and interconnect topology.
Passive OSINT Sources
| Source | Intelligence Gathered | Risk Level |
|---|---|---|
| Spectrum Analysis (SDR) | Active frequencies, bands, EARFCNs, cell IDs, TACs | Low — passive reception |
| BGP/ASN Mapping | Core network borders, peering points, IPX transit providers | Low — public data |
| Vendor Fingerprinting | Core vendor (Ericsson/Nokia/Huawei/Samsung), management structure | Low — public procurement records |
| Job Postings | Technology stack, security tool gaps, platform versions | None — public data |
| DNS Enumeration | APN gateways, management portals, NF endpoints | Low — public DNS |
| Leaked Configs | APN settings, internal IP ranges, PLMN identifiers | None — public paste sites |
| GSMA RAEX/IR.21 | Roaming interconnect details, SCCP GT addresses | Medium — requires roaming access |
```bash
# Enumerate the MNO's public-facing infrastructure
# 1. Find the prefixes announced by the operator's ASN (AS12345 is a placeholder)
whois -h whois.radb.net -- '-i origin AS12345'
# 2. Resolve hostnames found during DNS enumeration (one per line in operator-hosts.txt)
#    and service-scan the management ports
for host in $(cat operator-hosts.txt); do
  for ip in $(host -t A "$host" | awk '/has address/ {print $NF}'); do
    nmap -sV -p 80,443,3000,8080,8443,9090 "$ip"
  done
done
# 3. Certificate transparency log analysis
curl -s 'https://crt.sh/?q=%.operator.com&output=json' | jq -r '.[].name_value' | sort -u
```
Phase 2: Radio Access Network (RAN) Exploitation
The most accessible part of any mobile network is the air interface. Any attacker with a $300 SDR can receive and analyze broadcast signaling — and with a properly configured lab, they can transmit.
RAN Attack Vectors
| Attack | Target | Equipment | MITRE FiGHT ID |
|---|---|---|---|
| Rogue eNB/gNB (IMSI Catcher) | UE identity capture | USRP B210 + srsRAN | FGT1589 |
| Bidding-down Attack | Force UE to weaker encryption | Modified gNB firmware | FGT5012 |
| Paging Channel Flood | Localized DoS | SDR + custom broadcast | FGT1498 |
| SIB/MIB Manipulation | UE redirection, denial of service | Modified srsRAN | FGT1496 |
| O-RAN E2/O1 Exploitation | RAN resource manipulation | Network access to O-RAN controllers | FGT5001 |
| NR Sidelink Interception | V2X/ProSe communication capture | Passive SDR on n47/n53 | FGT5015 |
Rogue Base Station Deployment Methodology
- Perform spectrum analysis to identify the target operator's active frequencies and strongest serving cells
- Configure the rogue eNB/gNB to broadcast on the same PLMN with a stronger signal
- UEs perform cell reselection to the rogue cell
- Capture IMSI/IMEI during initial attach (pre-authentication in 4G; SUCI in 5G — requires key compromise for SUPI extraction)
- Execute downgrade attacks by refusing to support strong security algorithms in the SecurityModeCommand
Phase 3: Signaling and Interconnect Attacks (SS7/Diameter)
The "soft underbelly" of global telecommunications is the interconnect network used for roaming. Despite decades of documented vulnerabilities, SS7 and Diameter signaling networks remain exploitable through roaming interconnects and compromised IPX providers.
SS7 Attack Categories
| Attack | MAP Operation | Impact | Defense |
|---|---|---|---|
| Location Tracking | SendRoutingInfo + ProvideSubscriberInfo | Real-time subscriber location | Category 1 SMS firewall |
| SMS Interception | UpdateLocation (re-register to rogue MSC) | MFA bypass, message theft | Category 2/3 firewall rules |
| Call Interception | InsertSubscriberData (forwarding modification) | Voice wiretapping | Signaling monitoring |
| DoS | CancelLocation / PurgeMS | Service disruption | GSMA FS.11 filtering |
| Subscriber Profiling | AnyTimeInterrogation | Metadata harvesting | Category 1 blocking |
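The Defense column above refers to GSMA FS.11 category filtering. As an added illustration (not TelcoSec's code), the following Python sketch screens constructed MAP messages the way a Category 1/2/3 signaling firewall would: Category 1 operations are accepted only from the home network's own global titles, Category 2 only from the PLMN that owns the IMSI, and Category 3 only for home subscribers whose location change is plausible. The GT ownership table, PLMN codes, operation subsets and travel threshold are constructed assumptions, not values from the page.

```python
from dataclasses import dataclass

# Simplified GSMA FS.11 categories (a subset of MAP operations, for illustration)
CATEGORY_1 = {"anyTimeInterrogation", "provideSubscriberInfo", "sendIMSI",
              "provideSubscriberLocation"}                # home-network internal only
CATEGORY_2 = {"insertSubscriberData", "cancelLocation",
              "deleteSubscriberData"}                     # from an inbound roamer's home HLR
CATEGORY_3 = {"updateLocation", "sendAuthenticationInfo",
              "registerSS"}                               # from a VLR serving our outbound roamer

HOME_PLMN = "26201"        # constructed: our own MCC+MNC
HOME_GT_PREFIX = "4917"    # constructed: global titles of our own HLR/MSC nodes
# constructed lookup: GT prefix -> (country, PLMN that owns that GT range)
GT_OWNERS = {"4917": ("DE", "26201"), "3361": ("FR", "20801"), "4477": ("GB", "23415")}
MIN_TRAVEL_S = 3600        # constructed: a country change faster than this is implausible

@dataclass
class MapMessage:
    opcode: str
    calling_gt: str   # SCCP calling-party global title (E.164 digits)
    imsi: str

def gt_owner(gt):
    """Resolve (country, plmn) for a calling GT; unknown ranges map to (None, None)."""
    for prefix, owner in GT_OWNERS.items():
        if gt.startswith(prefix):
            return owner
    return (None, None)

def screen(msg, last_seen, now):
    """Return ('allow' | 'block', reason). last_seen maps IMSI -> (country, epoch seconds)
    and is updated only for accepted Category 3 traffic."""
    country, plmn = gt_owner(msg.calling_gt)
    if msg.opcode in CATEGORY_1:
        if msg.calling_gt.startswith(HOME_GT_PREFIX):
            return "allow", "cat1 from a home-network node"
        return "block", "cat1 received over the interconnect"
    if msg.opcode in CATEGORY_2:
        if plmn and msg.imsi.startswith(plmn):
            return "allow", "cat2 from the subscriber's home PLMN"
        return "block", "cat2 sender does not own the IMSI"
    if msg.opcode in CATEGORY_3:
        if not msg.imsi.startswith(HOME_PLMN):
            return "block", "cat3 for an IMSI that is not ours"
        prev = last_seen.get(msg.imsi)
        if prev and prev[0] != country and now - prev[1] < MIN_TRAVEL_S:
            return "block", "cat3 failed the velocity check"
        last_seen[msg.imsi] = (country, now)
        return "allow", "cat3 plausible roaming update"
    return "allow", "operation not in a screened category"
```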
Diameter Attack Categories
| Attack | Application | Impact | Defense |
|---|---|---|---|
| Subscriber DoS | S6a Cancel-Location-Request | Drop subscriber from network | Diameter DEA/DRA filtering |
| Fraud | S6a Insert-Subscriber-Data (QoS manipulation) | Free data, billing bypass | AVP validation |
| Location Tracking | S6a Provide-Location | Real-time positioning | Strict peer validation |
| HSS Data Theft | S6a Authentication-Information-Request | Auth vector exfiltration | IPSec between peers |
Phase 4: The 5G Core (5GC) Cloud-Native Assault
As networks transition to 5G Standalone (SA), the core becomes a Kubernetes cluster running HTTP/2 microservices. This imports the entire cloud-native threat landscape into telecom infrastructure.
5GC Attack Methodology
- API Discovery: Enumerate NF service endpoints via NRF queries or SCP traffic interception
- BOLA Exploitation: Test subscriber data enumeration through SUPI iteration against UDM APIs
- NRF Poisoning: Attempt rogue NF registration to intercept authentication traffic
- Container Escape: Exploit kernel vulnerabilities from compromised border-facing NFs (AMF)
- Lateral Movement: Pivot through the Kubernetes cluster to reach high-value NFs (AUSF, UDM)
- Slice Pivot: Test 5G network slicing security by attempting to access resources in adjacent network slices
```bash
# Example: Scanning for exposed 5G NF APIs within a compromised cluster
# After initial access to any pod in the 5gc namespace:
# 1. Discover NRF endpoint
curl -s 'http://nrf.5gc.svc:80/nnrf-disc/v1/nf-instances?target-nf-type=UDM'
# 2. Query UDM for subscriber data (BOLA test)
#    $NF_TOKEN is a placeholder for an OAuth 2.0 access token issued by the NRF
curl -s -H "Authorization: Bearer $NF_TOKEN" \
  http://udm.5gc.svc:80/nudm-sdm/v1/imsi-001010123456789/am-data
# 3. Attempt NRF registration with rogue NF profile
curl -s -X PUT http://nrf.5gc.svc:80/nnrf-nfm/v1/nf-instances/rogue-ausf \
  -H 'Content-Type: application/json' \
  -d '{"nfType":"AUSF","nfStatus":"REGISTERED","priority":1}'
```
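The BOLA and rogue-registration tests above are exactly what a producer-side authorization check is meant to defeat. As an added illustration (not TelcoSec's code and not from any 5GC project), the Python below shows a UDM-side guard for Nudm_SDM requests: it verifies the NRF-issued OAuth 2.0 access token, checks expiry, audience and scope, and then enforces per-SUPI authorization by requiring that the consumer NF is the AMF registered for that subscriber. The HS256 shared key is a simplification assumed here (production NRFs typically sign tokens with an asymmetric key), and the serving map, key and claims are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption (constructed for this example): a symmetric key shared with the NRF.
NRF_TOKEN_KEY = b"example-nrf-shared-secret"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims, key=NRF_TOKEN_KEY):
    """Build an HS256 JWT the way a test NRF would (helper for this example only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def authorize_sdm_request(token, supi, serving_map, now=None, key=NRF_TOKEN_KEY):
    """Decide whether a Nudm_SDM request for `supi` may be served.
    serving_map: SUPI -> NF instance ID of the AMF currently registered for it
    (what the UDM learned through Nudm_UECM). Returns (allowed, reason)."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if "UDM" not in claims.get("aud", []):
        return False, "audience is not UDM"
    if "nudm-sdm" not in claims.get("scope", "").split():
        return False, "scope does not cover nudm-sdm"
    # Per-SUPI check: a valid token alone is not enough; the consumer must be
    # the AMF that is serving this subscriber, which blocks SUPI iteration (BOLA).
    if serving_map.get(supi) != claims.get("sub"):
        return False, "consumer NF is not serving this SUPI"
    return True, "ok"
```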
II. Specialized Telco Frameworks and Tools
Telecom red teaming requires specialized, often proprietary, toolsets. Standard enterprise pentesting tools (Nessus, Metasploit) are largely ineffective against telecom-specific protocols and interfaces.
Tool Categories
> SDR Hardware
USRPs, HackRF, or BladeRF combined with software like srsRAN or OpenAirInterface to simulate network nodes, deploy IMSI catchers, or perform over-the-air baseband exploitation in smartphones. See our private LTE/5G lab for detailed hardware recommendations.
> Signaling Scanners
Tools like SigPloit, SS7MAPer, and proprietary SS7/Diameter scanners that automate malformed TCAP, MAP, or Diameter AVP message injection. These tools require legal authorization and typically operate through authorized interconnect test facilities.
> Core Emulators
Customized deployments of Open5GS, free5GC, and OpenAirInterface used by researchers for zero-day exploit development and 5G SBA vulnerability research. TelcoSec maintains hardened lab instances accessible through our Academy platform.
Comprehensive Tooling Matrix
| Category | Tool | Target | License |
|---|---|---|---|
| Signaling | SigPloit | SS7/Diameter/GTP | Open-source |
| Signaling | SS7MAPer | SS7 MAP operations | Open-source |
| Signaling | TelcoSec Scanner Suite | SS7/Diameter/5G SBA | Commercial |
| RAN | srsRAN + USRP | LTE/5G air interface | Open-source |
| RAN | FalseBase | IMSI catcher research | Open-source |
| Core | Open5GS / free5GC | EPC/5GC testing | Open-source |
| Core | Burp Suite + HTTP/2 | 5G SBA API testing | Commercial |
| Firmware | Ghidra / IDA Pro | Baseband analysis | Mixed |
| K8s | kube-hunter / Trivy | Container security | Open-source |
| Protocol | Wireshark + TelcoSec dissectors | Protocol analysis | Open-source |
III. The MITRE FiGHT Framework Integration
Finding vulnerabilities is only half the battle; remediating them without causing a nationwide outage is the true challenge. Every finding from a telecom pentest must be contextualized within a standard threat model that SOC teams can operationalize.
TelcoSec aligns all offensive findings with the MITRE FiGHT (5G Hierarchy of Threats) framework — the telecom-specific equivalent of MITRE ATT&CK. This ensures that every finding is mapped to standardized TTPs, enabling operators to build detection rules for SIEM platforms and prioritize remediation based on adversarial impact.
FiGHT Tactic Mapping for Telecom Pentests
| FiGHT Tactic | Corresponding Pentest Phase | Key Techniques |
|---|---|---|
| Reconnaissance | Phase 1: OSINT | FGT1595 (Active Scanning), FGT1592 (Gather Victim Network Info) |
| Initial Access | Phase 2/3: RAN + Signaling | FGT1589 (Rogue Base Station), FGT5012 (Exploit Public-Facing App) |
| Execution | Phase 4: 5GC Assault | FGT1059 (Command & Scripting), FGT5019 (NF API Exploitation) |
| Persistence | Post-Exploitation | FGT5003 (Valid NF Credentials), FGT1078 (Compromised Accounts) |
| Collection | Data Exfiltration | FGT1040 (Network Sniffing), FGT5010 (Subscriber Data Collection) |
| Impact | Impact Assessment | FGT1498 (Network DoS), FGT1496 (Service Disruption) |
IV. Reporting and Remediation Framework
Telecom pentest reports must be structured differently from standard IT assessments because the audience spans security engineers, network architects, regulatory compliance teams, and executive leadership.
Report Structure
- Executive Summary: Business impact in terms of subscriber count at risk, regulatory exposure (GDPR, national security frameworks), and financial liability
- Technical Findings: Each finding includes:
- Attack vector and kill chain
- MITRE FiGHT TTP mapping
- Evidence (PCAP captures, API responses, screenshots)
- CVSS score (adapted for telecom context)
- Remediation priority (P0–P4)
- Remediation Roadmap: Phased remediation with timelines:
- P0 (Immediate): Exposed management interfaces, default credentials, unfiltered SS7 signaling
- P1 (7 days): Missing mTLS in the 5G SBA, overly permissive NetworkPolicies
- P2 (30 days): Incomplete Diameter DEA/DRA filtering, weak OAuth scoping
- P3 (90 days): Missing eBPF monitoring, incomplete 5G network slice isolation controls
- P4 (Strategic): Architecture redesign, per-SUPI authorization, zero-trust mesh
- Regulatory Mapping: Findings mapped to GSMA NESAS, ENISA 5G security controls, and national certification schemes
V. Authoritative References
- 01 GSMA FS.04: Signalling Security Vulnerability Process
- 02 OWASP MASTG: Mobile Application Security Testing Guide
- 03 MITRE FiGHT: 5G Hierarchy of Threats threat framework
- 04 GSMA FS.11: SS7 Interconnect Security Monitoring Guidelines
- 05 3GPP TS 33.501: Security architecture and procedures for the 5G system
- 06 ENISA Threat Landscape for 5G Networks: comprehensive 5G risk assessment
VI. Frequently Asked Questions
How does telecom pentesting differ from standard IT pentesting?
Telecom pentesting involves specialized equipment (SDRs, programmable SIMs, lab infrastructure) and protocols (SS7, Diameter, GTP, NAS/RRC) that are not found in enterprise IT. It requires understanding RF physics, cellular signaling state machines, and 3GPP specifications in addition to traditional network and web application security skills.
What is the MITRE FiGHT framework?
The 5G Hierarchy of Threats (FiGHT) is a knowledge base of adversary tactics and techniques specifically tailored to 5G systems. It provides a common language for describing threats to the 5G ecosystem, similar to the standard MITRE ATT&CK framework but with telecom-specific techniques (rogue base stations, NRF poisoning, signaling interception) that ATT&CK doesn't cover.
Are signaling attacks like SS7 interception still possible in 5G?
Yes, because most 5G networks still interoperate with legacy 4G and 3G infrastructure for roaming and voice (VoLTE/VoNR). Interworking Functions (IWF) translate between the 5G SBA (HTTP/2) and Diameter. If the gateways between generations aren't properly secured, legacy signaling vulnerabilities can still be exploited to track or intercept 5G subscribers.
What legal authorizations are required for telecom pentesting?
Telecom pentesting requires explicit written authorization from the MNO, often including specific scope limitations (e.g., "test environment only," "no production subscriber data"). For RAN testing, RF transmission must occur within a Faraday cage or under a spectrum research license. Signaling tests on live interconnects may require additional regulatory approvals.
How long does a typical telecom security assessment take?
A comprehensive assessment covering all six phases typically requires 4-8 weeks for a Tier-1 MNO. Phase 1 (OSINT) takes 1 week, Phases 2-3 (RAN + Signaling) 2-3 weeks, Phase 4 (5GC) 1-2 weeks, and reporting 1 week. Scope, network size, and access limitations significantly affect the timeline.
Can automated scanning tools replace manual telecom pentesting?
Automated tools can cover basic checks (exposed ports, default credentials, known CVEs), but the most critical telecom vulnerabilities — NRF poisoning, SS7 signaling interception, cross-slice pivoting, and baseband exploitation in smartphones — require manual expertise and specialized equipment. Automation is a force multiplier for skilled teams, not a replacement.
Conclusion & Next Steps
Telecom penetration testing requires a hybrid skill set: RF engineering, legacy protocol manipulation (SS7, Diameter), advanced cloud-native Kubernetes exploitation (5G SBA), and deep knowledge of 3GPP specifications. Minimum viable compliance scanning is no longer sufficient to protect national critical infrastructure against advanced threat actors.
The evolution of the attack surface demands continuous reassessment:
- Quarterly: Signaling firewall rule validation and Diameter protocol interconnect testing
- Semi-annually: RAN security assessment including IMSI catcher resilience
- Annually: Full 5GC cloud-native assessment with container escape and 5G network slicing security testing
- On-change: Assessment after any major infrastructure upgrade, vendor swap, or roaming agreement modification
When to Engage a Professional Telecom Pentesting Firm
In-house teams can execute many phases of this methodology — particularly OSINT, protocol analysis, and signaling firewall validation. However, certain scenarios warrant engaging a specialist telecom penetration testing provider:
- Regulatory compliance mandates (GSMA NESAS, ETSI TS 33.117, national telecom regulator requirements) require independent third-party assessments
- New technology deployment — launching 5G SA, opening new roaming corridors, or deploying O-RAN introduces unfamiliar attack surfaces that benefit from external expertise
- Post-incident validation — following a suspected SS7 exploit, SIM swap campaign, or interconnect compromise, independent verification of remediation is essential
- No internal signaling competency — SS7, Diameter, and GTP require protocol-specific expertise that few enterprise security teams possess
- Board or investor assurance — external assessment reports carry greater weight with regulators and investors than internal audits
When evaluating a telecom security assessment provider, verify that their team has documented experience across signaling protocols, RAN testing, and cloud-native 5G core environments — not generic network penetration testing rebranded as telecom.
Is your core hardened against an advanced threat actor? Leverage TelcoSec's offensive capabilities to preemptively discover critical vulnerabilities in your deployment. Build your own research capabilities with our private LTE/5G lab, or explore the TelcoSec research library for deep-dive technical intelligence.