It’s challenge time, this time we’re going to be looking at an IMS PCAP, and answering some questions to test your IMS analysis chops!
Here’s the packet capture:
Easy Questions
- What QCI value is used for the IMS bearer?
- What is the registration expiry?
- What is the E-UTRAN Cell ID the Subscriber is served by?
- What is the AMBR of the IMS APN?
Intermediate Questions
- Is this the first or subsequent registration?
- What is the Integrity-Key for the registration?
- What is the FQDN of the S-CSCF?
- What Nonce value is used and what does it do?
- What P-CSCF Addresses are returned?
- What time would the UE need to re-register by in order to stay active?
- What is the AA-Request in #476 doing?
- Who is the OEM of the handset?
- What is the MSISDN associated with this user?
Hard Questions
- What port is used for the ESP data?
- Which encryption algorithm and integrity algorithm are used?
- How many packets are sent over the ESP tunnel to the UE?
- Where should SIP SUBSCRIBE requests get routed?
- What’s the model of phone?
The answers for each question are on the next page, let me know in the comments how you went, and if there’s any tricky ones!
Hi!
Nice challenge!
Are you using an IMS based on Kamailio in production/enterprise systems?
BR Kim
Nick, this was a fascinating journey, I got most of the things right, some things however were new to me.
One thing to note is that I’m fairly certain it is not OK to send over to the UE in the 401 the actual keys to be used, that packet and your interpretation of it is something I do not understand.
As far as I know the flow should be: REGISTER -> 401 (UE calculates keys using USIM) -> REGISTER -> OK -> ESP on separate ports (UDP ports I mean). Raw key material should not travel across at any point, that would render the whole protocol useless in case of a passive, listening adversary.
Thanks in advance.
Hi Nick,
thank you for putting together this awesome quiz. I wished I had scored higher but it was definitely a fun challenge. Looking forward to more such quizzes in future.
I do have a question though. Did you use a particular version/dissector of Wireshark to decode the NAS-EPS packets in the S1AP messages? I am on the latest version (Version 4.0.8 (v4.0.8-0-g81696bb74857)) on Windows 7 but was unable to decode any of them in full.
E.g. #269, which contained the Activate default bearer context message, was decoded only until nAS-PDU: 278863adc012, and nothing after, i.e. 6202c101050403696d730501c0a865055e02b38e58322729808021100200
I tried to google the answer but found results from 9-10 years ago which aren't helpful.
Any advice on how to decode the NAS-EPS messages? Any Wireshark settings you can share?