WAP Hacking

Jose Ramon Palanco
by Jose Ramon Palanco April 2, 2003
old-school
#wap #mobile #hacking
WAP Hacking

It turns out that to start working comfortably in mobile environments on a wireless network, it’s necessary to have clients identified. Moreover, when third-party services need to be billed, there’s a need to create some type of identifier. The first thing we do is think that we can identify a user of an application by their MSISDN (phone number), but it turns out that the operator doesn’t have permission to offer that information to a third party. What it can do is create a WAP gateway from which mobile phones access application servers. From that WAP gateway, some operator-defined variable can be added to the header. The most normal thing is that the operator assigns as the value of that variable a hash of the MSISDN: md5, sha1, sha256, etc. It will be used in the subscription process as an ID.

The operation of these third-party tools is usually the same when they use this method. To subscribe or charge for some service, it’s done through a payment URL. When the WAP proxy detects that access to one of those URLs is attempted, the client is notified that they’re going to be charged an extra. The application server knows the ID as soon as the client accesses the URL and stores it in a database.

This is the reason why many applications need to use a special connection. A first ‘hack’ would be to access the URL by adding the necessary arguments ourselves. To see the arguments that our WAP proxy injects, it’s as simple as putting netcat to listen on port 80 and reading the headers:

# nc -l 80
GET / HTTP/1.1
...
headers
...

The headers have the following format:

Variable-Name: value

The next step would be to register on the application server, but without being charged. For this, we’ll make the request from the internet, with telnet.

Suppose the subscription URL is: http://wap.servidor.es/app/subscribe?session_id=346345347832146

$ telnet wap.servidor.es 80
Trying 10.10.10.10...
Connected to 10.10.10.10.
Escape character is '^]'.
GET /app/subscribe?session_id=346345347832146 HTTP/1.1
Host:  wap.servidor.es:80
User-Agent: telnet command appeared in 4.2BSD
Variable-ID: fa8853aa22023920e9f06d34a8536b8b_proxy23

With this, we would have subscribed the ID fa8853aa22023920e9f06d34a8536b8b_proxy23. As you can see in this example, there’s noise at the end of the hash. Keep in mind that it can be in different forms. In this case, it’s “_proxy23”.

Suppose they use sha1, and the noise is “local_” before the string. What we would do is register an ID like this for the number 346232323232:

$ # generate the hash
$ sha1 -s "346232323232"
SHA1 ("346232323232") = 2f5e05a6a96866e11a0d5920e582bfb4f06e7cc6
$ # so the ID would be: local_2f5e05a6a96866e11a0d5920e582bfb4f06e7cc6

The proper thing would be to use the hash they use, so that the WAP proxy injects the ID for us, and since it’s registered on the application server, we could use it as another registered user.

There can be another point of view. Suppose someone has registered for a service restricted to very few people, and we wanted to use it. We could extract their hash and modify the application to use that ID in the header, but we would also have to use a connection that doesn’t put an ID, but would “overwrite” the one we put (i.e., a direct connection to the internet instead of WAP proxy).

In case we couldn’t figure out what the hashing algorithm is, or the noise gave us many problems, we could register an ID invented by us in the database. To use that ID, we would also have to modify the application.

We would have to decompile a midlet application and add a couple of functions that add an ID like the application’s to the headers. To decompile the application, we must download the jar of the midlet and decompress the classes.

$ unzip AppMvl.jar
   creating: META-INF/
  inflating: META-INF/MANIFEST.MF
   creating: com/
   creating: com/enterprise/
   creating: com/enterprise/AppMvl/
  inflating: com/enterprise/AppMvl/AppMvl.class
  inflating: com/enterprise/AppMvl/CoreComm.class
  inflating: com/enterprise/AppMvl/CoreGraph.class

We can use JAD, a Java decompiler. It’s likely that the developers have obfuscated the code, but for what we’re going to do, it doesn’t matter much.

$ # from the directory where the .class files are located
$ jad *.class

This will generate several .jad files, which are Java sources. We’ll need to look for the communications part. In this example, it seems clear that CoreComm.class handles communications.

For communications, Connectors are used, and they’re used like this:

miConector.open("http://wap.servidor.es");

We should modify it to:

miConector.open("http://wap.servidor.es;variable=miID");

miID is the ID we’ve registered in the request header or the one of the person we want to spoof.

We rename the .jad files to .java:

$ for i in *.jad; do mv $i \
          $(echo $i|sed -e s/\.jad/\.java/g); done

And we compile. If you want a good IDE with compiler and everything, you can download it for free from: http://netbeans.org/

When we have our jar, we install it and access the internet directly, not through WAP proxy. With this, we could use the application perfectly.

If the application server is poorly designed and adequate measures are not taken in the subscription URL, we could try to work with the database through SQL Injection and add, for example, the null ID.

Another point of view…

Cracking MD5

We start from the fact that we know some information. We assume that what they hash is the MSISDN. The MSISDN consists of 9 or 11 numbers (there are never characters). In case it’s 11 characters, they start with 346 in Spain, and if it’s 9, they start with 6. We can figure out what some of the following digits might be, since the operators divided up the ranges that only vary in particular cases (operator portability). You can find a list at:

http://docs.linenoise.info/crackwap/prefijos.txt

Suppose someone has compromised an application server and has a quantity of IDs, and what they want is to extract someone’s MSISDN. They could try to remove the noise from the ID and extract it by cracking md5 or whatever.

We download mdcrack: http://membres.lycos.fr/mdcrack/download/mdcrack-1.2.tar.gz

We should modify the program a bit since we already know some characters. I’m running out of time, and such… see you later.

I don’t remember having read anything about the operation of the WAP proxy, or about the techniques of “tagging” clients in WAP. I think there are currently a large number of vulnerable services and the solution is complicated.

Moreover, some mobile phones like Siemens cannot go out through WAP proxy. As a workaround, the IMEI can be sent as an identifier. If we find some application that uses this system, we could modify our mobile’s IMEI.

(I had a lot of fun writing these lines, I hope you did too reading them)

About the Author

Jose Ramon Palanco
Jose Ramon Palanco

Jose Ramón Palanco is the CEO/CTO of Plexicus, a pioneering company in ASPM (Application Security Posture Management) launched in 2024, offering AI-powered remediation capabilities. Previously, he founded Dinoflux in 2014, a Threat Intelligence startup that was acquired by Telefonica, and has been working with 11paths since 2018. His experience includes roles at Ericsson's R&D department and Optenet (Allot). He holds a Telecommunications Engineering degree from the University of Alcala de Henares and a Master's in IT Governance from the University of Deusto. As a recognized cybersecurity expert, he has been a speaker at various prestigious conferences including OWASP, ROOTEDCON, ROOTCON, MALCON, and FAQin. His contributions to the cybersecurity field include multiple CVE publications and the development of various open source tools such as nmap-scada, ProtocolDetector, escan, pma, EKanalyzer, SCADA IDS, and more.

Share