Lab 9: Open5GS + UERANSIM 5G Registration Capture

Module: 8 — 5G Core Network and Protocol Security
Points: 15
Time estimate: 90 min lab + 2 hr independent
Deliverable: lab-9-report.md + lab9/ directory


Objectives

  1. Deploy an Open5GS 5G SA core via Docker Compose.
  2. Register a UERANSIM simulated UE and observe the NAS lifecycle.
  3. Capture N1/NAS traffic and annotate the 5G-AKA sequence in Wireshark.
  4. Write a Suricata rule for abnormal NAS Registration Reject rate.

Prerequisites

  • Docker and Docker Compose installed
  • Wireshark with NGAP and NAS-5GS dissectors (Wireshark 3.6+)
  • Suricata installed (any version)
  • Read handouts/cross-chapter-wireless-aka-progression.md before starting (5G-AKA sequence coverage)

Setup

mkdir lab9 && cd lab9

# Clone Open5GS Docker Compose configuration
git clone https://github.com/herlesupreeth/docker_open5gs.git open5gs
cd open5gs

# For machines with < 8 GB RAM: use the slim configuration (omits PCF/NSSF)
# For full deployment: use the standard docker-compose.yaml

Subscriber Provisioning

Before starting the core, provision a test subscriber. Edit open5gs/open5gs/ue-db.yaml (or use the web UI at http://localhost:3000 after startup):

# Subscriber provisioning for UERANSIM test UE
imsi: "001010000000001"
key: "465B5CE8B199B49FAA5F0A2EE238A6BC"
opc: "E8ED289DEBA952E4283B54E88E6183CA"
apn: "internet"
slice_nssai:
  - sst: 1
    sd: "000001"

Start the 5G Core

cd open5gs
docker-compose -f base.yaml -f 5gc_ngap.yaml up -d

# Verify all core functions are running
docker-compose ps
# Expected: amf, smf, upf, ausf, udm, pcf, nrf all running

Start UERANSIM

In a separate terminal:

cd lab9

# Download UERANSIM
git clone https://github.com/aligungr/UERANSIM.git ueransim
cd ueransim && make

# Configure gNodeB to connect to Open5GS AMF
# Edit config/open5gs-gnb.yaml: set linkIp/ngapIp to host IP, amfConfigs to AMF IP
./build/nr-gnb -c config/open5gs-gnb.yaml &

# Configure UE with the provisioned subscriber credentials
# Edit config/open5gs-ue.yaml: supi, key, op/opc must match provisioned subscriber
./build/nr-ue -c config/open5gs-ue.yaml

Part A: Capture the 5G Registration Sequence (30 min)

Start a Wireshark capture on the interface connecting to the Open5GS AMF (typically docker0 or a custom Docker network bridge) before starting UERANSIM:

# Identify the Docker network bridge
docker network ls
docker inspect open5gs_default | grep Subnet

# Start capture (replace docker0 with actual interface)
sudo tshark -i docker0 -w lab9/5g_registration.pcap &

# Now start the UERANSIM UE registration
./ueransim/build/nr-ue -c ueransim/config/open5gs-ue.yaml

Allow the registration to complete (watch the UERANSIM console for Registration Complete), then stop the capture:

kill %1   # stop tshark

Verify the capture contains registration traffic:

tshark -r lab9/5g_registration.pcap -Y ngap | head -20
tshark -r lab9/5g_registration.pcap -Y nas-5gs | head -20

Expected output: lines showing NGAP Initial UE Message, Authentication Request, Authentication Response, Security Mode Command, Registration Complete.


Part B: Annotate the 5G-AKA Sequence in Wireshark (30 min)

Open lab9/5g_registration.pcap in Wireshark. Apply the filter ngap || nas-5gs to isolate signaling traffic.

Locate and screenshot (or record frame numbers for) each of the following NAS events:

Step  Message                        Direction  What to find in Wireshark
1     NAS Registration Request       UE → AMF   Contains SUCI (look for 5GS Mobile Identity: SUCI)
2     NGAP Authentication Request    AMF → UE   Contains RAND, AUTN fields in NAS-5GS dissector
3     NAS Authentication Response    UE → AMF   Contains RES*
4     NAS Security Mode Command      AMF → UE   Contains chosen NAS security algorithms
5     NAS Security Mode Complete     UE → AMF   Subsequent NAS messages now integrity-protected
6     NAS Registration Accept        AMF → UE   Contains 5G-GUTI (temporary identity)

For Step 1, expand the 5GS Mobile Identity field in Wireshark and record: what Protection Scheme ID is shown? What is the Home Network Public Key ID?
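To see what those two fields mean at the byte level, here is an added example (not part of the lab handout or of Open5GS/UERANSIM) that decodes the 5GS Mobile Identity IE carrying a SUCI; the layout follows 3GPP TS 24.501 clause 9.11.3.4, and the two sample IEs are constructed by hand with the lab's test IMSI.

```python
# Added example, not part of the lab handout: decode the 5GS Mobile Identity IE that
# carries a SUCI (what Wireshark expands in Step 1).  Octet layout follows 3GPP TS
# 24.501 clause 9.11.3.4; the two sample IEs at the bottom are constructed by hand.
from dataclasses import dataclass

PROTECTION_SCHEMES = {0: "null scheme (MSIN sent in clear)",
                      1: "Profile A (ECIES, Curve25519)",
                      2: "Profile B (ECIES, secp256r1)"}


def bcd_digits(data: bytes) -> str:
    """Packed BCD, low nibble first; 0xF is the filler nibble and is skipped."""
    return "".join(str(n) for b in data for n in (b & 0x0F, b >> 4) if n != 0xF)


@dataclass
class Suci:
    mcc: str
    mnc: str
    routing_indicator: str
    protection_scheme_id: int
    home_network_pki: int       # Home Network Public Key Identifier
    scheme_output: bytes

    @property
    def scheme_name(self) -> str:
        return PROTECTION_SCHEMES.get(self.protection_scheme_id, "reserved")

    @property
    def msin(self):
        # Only the null scheme exposes the MSIN; Profiles A/B carry an ECIES ephemeral
        # public key, the encrypted MSIN and a MAC tag in the scheme output instead.
        return bcd_digits(self.scheme_output) if self.protection_scheme_id == 0 else None


def parse_5gs_mobile_identity(ie: bytes) -> Suci:
    """ie = 2-octet length + value, as the IE appears in a Registration Request."""
    length = int.from_bytes(ie[:2], "big")
    body = ie[2:2 + length]
    if len(body) != length or length < 8:
        raise ValueError("truncated 5GS mobile identity IE")
    if body[0] & 0x07 != 1 or (body[0] >> 4) & 0x07 != 0:    # type=SUCI, SUPI format=IMSI
        raise ValueError("not an IMSI-based SUCI")
    plmn = body[1:4]            # MCC d2|d1, MNC d3|MCC d3, MNC d2|d1 (low nibble first)
    mcc = f"{plmn[0] & 0xF}{plmn[0] >> 4}{plmn[1] & 0xF}"
    mnc = f"{plmn[2] & 0xF}{plmn[2] >> 4}" + ("" if plmn[1] >> 4 == 0xF else str(plmn[1] >> 4))
    return Suci(mcc, mnc, bcd_digits(body[4:6]), body[6] & 0x0F, body[7], body[8:])


# Constructed: the lab's test IMSI 001010000000001 sent with the null scheme (scheme id 0).
NULL_SCHEME_IE = bytes.fromhex("000d" "01" "00f110" "f0ff" "00" "00" "0000000010")
# Constructed: same PLMN with Profile A, key id 1; the 45-byte scheme output is filler.
PROFILE_A_IE = bytes.fromhex("0035" "01" "00f110" "f0ff" "01" "01") + b"\x11" * 45
```

With the null scheme the MSIN is readable straight out of the IE, which is exactly what a passive observer on the air interface would see; with Profile A or B only the ephemeral public key and ciphertext are visible.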


Part C: Suricata Rule for Registration Reject Rate (20 min)

A sudden spike in NAS Registration Reject messages from the AMF is a potential indicator of an IMSI-catcher-adjacent attack: a fake base station trying different SUCIs to probe for valid subscribers, or a denial-of-service against the registration pathway.

Write a Suricata rule that detects more than 5 NAS Registration Reject messages from the same source IP within 60 seconds. Because NAS messages are carried inside NGAP/SCTP, match on the NGAP content using the content keyword.

# NAS Registration Reject rate detection; save as lab9/nas_reject_rule.rules
# NAS message type 0x44 = Registration Reject (5GS message type)
# Triggered when the AMF (NGAP on SCTP port 38412) sends > 5 Registration Rejects in 60s.
# The AMF is the source of the reject, so the header matches traffic from port 38412
# and the threshold tracks by_src. Suricata rule options cannot carry inline comments,
# so the rule itself is kept on one line. A bare one-byte content match is approximate:
# it fires on any 0x44 byte in the NGAP payload, not only on the NAS message type octet.

alert sctp any 38412 -> any any (msg:"NET-301 Abnormal NAS Registration Reject Rate - potential IMSI probe"; content:"|44|"; threshold: type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:8000001; rev:1;)

Note: Port 38412 is the standard NGAP port. If your Open5GS deployment uses a different AMF port, adjust accordingly.
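The same threshold logic, written out in Python as an added example (not part of the handout or of Suricata) over constructed NAS PDUs, so the "count 5 in 60 seconds, track by source" semantics can be checked without a live core; the NAS header layout follows 3GPP TS 24.501 clause 9, and the sample timestamps, AMF address and PDUs are all constructed.

```python
# Added example, not part of the lab handout: the Part C detection as Python over
# constructed NAS PDUs, so the threshold semantics can be checked without Suricata.
from collections import defaultdict, deque

NAS_5GS_EPD = 0x7E                                 # 5GMM extended protocol discriminator
REGISTRATION_ACCEPT, REGISTRATION_REJECT = 0x42, 0x44


def nas_message_type(pdu: bytes):
    """5GMM message type (TS 24.501 clause 9): a plain PDU is EPD|sec hdr|type; a
    security-protected PDU is EPD|sec hdr|MAC(4)|SEQ(1)|plain PDU.  None if not 5GMM."""
    if len(pdu) < 3 or pdu[0] != NAS_5GS_EPD:
        return None
    if pdu[1] & 0x0F == 0:                         # plain NAS message
        return pdu[2]
    inner = pdu[7:]                                # strip MAC + sequence number
    if len(inner) < 3 or inner[0] != NAS_5GS_EPD or inner[1] & 0x0F != 0:
        return None
    return inner[2]


class RejectRateDetector:
    """Approximates 'threshold: type both, track by_src, count N, seconds S'."""
    def __init__(self, count: int = 5, seconds: float = 60.0):
        self.count, self.seconds = count, seconds
        self.hits = defaultdict(deque)             # src -> timestamps of recent rejects
        self.last_alert = {}                       # src -> time of last alert

    def observe(self, ts: float, src: str, pdu: bytes) -> bool:
        if nas_message_type(pdu) != REGISTRATION_REJECT:
            return False
        q = self.hits[src]
        q.append(ts)
        while ts - q[0] > self.seconds:            # drop rejects outside the window
            q.popleft()
        # Alert once the count is reached, then at most once per window per source.
        if len(q) >= self.count and ts - self.last_alert.get(src, -self.seconds) >= self.seconds:
            self.last_alert[src] = ts
            return True
        return False


def run_detector(events, count: int = 5, seconds: float = 60.0):
    """events: iterable of (timestamp, amf_src_ip, nas_pdu); returns alert timestamps."""
    det = RejectRateDetector(count, seconds)
    return [ts for ts, src, pdu in events if det.observe(ts, src, pdu)]


# Constructed traffic: one normal Registration Accept, then 7 rejects in 12 s from one AMF,
# alternating integrity-protected and plain PDUs (5GMM cause 0x0B = PLMN not allowed).
PLAIN_REJECT = bytes([NAS_5GS_EPD, 0x00, REGISTRATION_REJECT, 0x0B])
PROTECTED_REJECT = bytes([NAS_5GS_EPD, 0x01]) + b"\xaa" * 4 + b"\x01" + PLAIN_REJECT
SAMPLE_EVENTS = [(1.0, "10.45.0.2", bytes([NAS_5GS_EPD, 0x00, REGISTRATION_ACCEPT]))] + [
    (100.0 + 2 * i, "10.45.0.2", PLAIN_REJECT if i % 2 else PROTECTED_REJECT) for i in range(7)]
```

Unlike the rule's bare `|44|` content match, this decoder reads the message type at its header offset, which is why a successful registration (Accept, not Reject) produces no alert here and why fast.log should also stay empty for the lab capture.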

Test the rule against the capture:

mkdir -p /tmp/lab9-suricata
suricata -r lab9/5g_registration.pcap -S lab9/nas_reject_rule.rules \
    -l /tmp/lab9-suricata/

cat /tmp/lab9-suricata/fast.log

Lab Report

Create lab-9-report.md with:

  1. Deployment confirmation: screenshot or tshark output confirming all Open5GS core functions running and UERANSIM UE reaching Registration Complete state.

  2. 5G-AKA sequence annotation: For each of the 6 steps in Part B, provide: the Wireshark frame number, the NAS message name, and the key field you observed (SUCI Protection Scheme ID, RAND length, RES* presence, Security Mode algorithm choice, 5G-GUTI format).

  3. SUCI field analysis: From the Registration Request in Step 1: what Protection Scheme ID was used? What does this ID indicate about the SUCI concealment algorithm? (Reference: handouts/cross-chapter-wireless-aka-progression.md Axis 2.)

  4. Suricata rule: Paste the rule text and the fast.log output (even if no alerts fired -- explain why no alerts fired if the registration was successful).

  5. AKA architecture question: In Step 2, the AMF sends the Authentication Request containing RAND and AUTN. The AUTN field allows the UE to authenticate the network. Explain in two sentences: what would happen in a fake-base-station scenario if the FBS did not know the subscriber's K and tried to send a crafted AUTN?


Grading

Component                                                      Points
Part A: capture confirmed; NAS Registration Complete present     3
Part B: 6-step annotation correct with frame numbers             5
Part C: rule syntactically valid; test result explained          3
Report: SUCI analysis + AKA architecture question answered       4
Total                                                           15