Phones & Tones

[ASCII-art banner: "Phones and Tones" (pnt)]

-= the definitive guide to phreaking in today's world =-

written by Murder Mouse

=====================
| Table of Contents |
=====================

I. Introduction
   Acknowledgements
   Legal Notice
   Preface

II. Landline Telephony
   Basic Telecommunications
   SS7 Explained
   Exchange Scanning
   Hacking PBXs
   Hacking VMBs
   Hacking DATUs
   ANI Spoofing
   Caller ID Spoofing
   Beige Boxing
   Red Boxing
   Phone Tapping
   Other Articles

III. Cellular Telephony
   Articles & Resources

IV. Conclusion
   Suggested Links
   The Conclusion

====================
| Acknowledgements |
====================

Well first off I'd like to thank Julie for her love, understanding, support, and for occasionally knocking some sense back into me. I'd also like to thank Halla, BlueInferno, P(?)NYB(?)Y, StEvE, wobin, fallen, MalevolenT, Pr0motion, and everybody else at informationleak.com for being the best friends that a shut-in like me could have. Also to my hometown friends David, Issac, and Kendall for occasionally dragging me out of my house. Oh, and to sirfreshstunner, s_p_e_c_i_e_s_x, b_r_o_k_e_n_s_t_r_i_n_g_s, eddybear172, onepebbleinthepond1, blueicefox_21, mr_nemster, hack_this_box, hi_ioader2002, x1design, corndog_5000, skiddieleet, phreak0matic, bank_tech, silenced_bearar, el_loco_moco2, cold_hearted_bitch, blinky_monkey88, dfg, Zonkies, slayer6966669, and everyone else in Hackers' Lounge:3 (you know who you are) for the endless hours of shits and giggles. Also to hurt4ever1, steven25t, mt_dew_feen, cloud_on_line, and everyone I know from Hackers' Lounge:1. As well as Mel, i11, synfire, megatron, and everyone else I know from Hackers' Lounge:2.

(R.I.P Michelle...if there is an afterlife, I'll be sure to bring the orange thong)

================
| Legal Notice |
================

Disclaimer
----------

First and foremost the information provided within this guide is for information purposes only. Any attempt to participate in any of the activities within this guide is solely the responsibility of the reader, and neither I, Information Leak, any site that hosts this material, anyone who prints this material, or anyone closely associated with this guide is responsible for what you do with the following information.

User Agreement
--------------

This guide may be freely distributed and printed as long as the content of the guide is not altered in any way. This material may not, however, be sold in any way, shape, or manner. The information provided within this guide is free, and shall stay that way.

© Murder Mouse, 2005

www.informationleak.com

=============
| Preface |
=============

If you have read my previous tutorials then you may remember that I wrote something similar to this a while back called Phreak 2k. I suppose it was a pretty nice tutorial for its time. I got a lot of positive responses after writing it, and even got a few comments from people stating that it was what got them into phreaking. It was great to hear these kinds of responses, since it actually was what got me into phreaking. Before writing it I was mostly into computers, and knew little of telecommunications. I had always believed, like many did and still do, that phreaking is dead. Then one day while hanging out in a room someone came in and said that they were into phreaking. I, being rather ignorant at the time, laughed at the guy, and told him that phreaking was dead. Boy was I wrong! After some choice words that he had for me, he showed me a site that he ran with some other people. I forgot what this site was called, but at the time it was simply amazing for me. Pretty soon I was reading into every site I could trying to find up-to-date information on phreaking. It was very hard to find at the time through Google, since most sites that had anything on it had for the most part outdated texts from back in the 80s. I eventually did find some sites with up-to-date information, but the pure frustration of it made me decide to write a tutorial for people like me: beginners with seemingly nowhere to go. As well as to teach those who didn't know the lesson that I had to learn that fateful day: that phreaking is not dead. Not even close. Phreaking is as alive as ever, and its principles for the most part have remained the same (unlike "hacking").

Anyways, so getting back on topic, the tutorial was great, but I've always felt that there were many points that I wished I had covered. Things I left out, things I missed, and many things I just didn't even really know at the time. So that's what brings me to writing this guide. During this guide I will butcher some of my texts from other tutorials. I think I have all right to do so since they are my works. At the same time though I will expand on points that I have made in previous tutorials in order to offer you a better glimpse into these concepts. As well as to of course offer you a lot of information that I have never covered before. So I hope you enjoy this guide, and that it offers you insight into the field of telecommunications.

============================
| Basic Telecommunications |
============================

What? Did you expect me to start you off immediately with phreaking? Perhaps other tutorials do this in order to achieve better reader satisfaction, but that's not the way I do things. If you skip over this part then you will probably (unless you already have prior knowledge of telecommunications) have a hard time understanding a lot of what I talk about in this guide. So don't be lazy, just read it through and try to absorb as much as you can of this information.

So anyways, to better help you understand the wonderful world of telephony, let's help you understand your local telco. Well, what you must first understand is that the whole telco network as a whole is referred to as the PSTN, meaning the Public Switched Telephone Network. The architecture (being basically the layout) for a PSTN is known as a star architecture. It's pretty easy to understand...

     \ | /
      \|/
    __(CO)__
      /|\
     / | \

Sorry for the crappy ass ascii, but you get the basic point. As you can see there are multiple lines going out from one centralized point. These lines are the connections for all subscribers in the general area, and the CO in the middle is the central office, which is the centralized point of operations for a local telco network. Now of course if this is all there was to the network then it wouldn't really be much of a network at all, but we're approaching this understanding in phases. So from here let's talk about the equipment at the central office, and then we'll extend out from there. Let's start with switches. These are large computers located within the central office that are used to route calls over the PSTN. To give you a basic idea of how they look, here is a page with some pictures of different switches...

www.montagar.com/~patj/phone-switches.htm

As you can see there are many different types of switches. Around here (I'm in the BellSouth region) most of our switches are either 1AESS or DMS100. This may be different in your area, and there is a link I will provide you at the end of this section that will give you a chance to really get to know your local PSTN. Anyways, the next device you should know about is a trunk. A trunk is a communications path that is used for connecting two switching systems in a network in order to establish an end-to-end connection. Meaning they are in charge of establishing connectivity on a telecommunications network. However, trunks aren't the only devices that are used for this purpose. In PSTNs there are also waypoints, devices that are used in between trunks in order to help establish a connection between the originating call and its final destination. These devices are known as tandems. When you refer to their position in the PSTN, you refer to it as a tandem point.

Now that I've reviewed some basic devices with you (I will cover more later) I should probably go ahead and introduce you to some basic terminology that you will hear (especially in this guide). The first thing you must understand is what a LEC is. A LEC is a local exchange carrier, and is the technical name for your local telco (telephone company). These LECs, being again your local company, provide service for the local area within a LATA. A LATA is a local access and transport area, and is what the LEC is responsible for. Calls that are made from within this LEC's LATA (local calls) are referred to as intraLATA calls. Calls that are made outside this LATA (long distance calls) are referred to as interLATA calls, and are handled by an IXC (IntereXchange Carrier). An IXC is of course a long distance telephone company, and is used to connect LATAs, thus allowing interLATA calls. It's also good to note that there are also CLECs, which are competitive local exchange carriers. This is simply a LEC besides your main LEC. Most CLECs will use the same local loop that the main LEC owns. You may also see in some texts LECs referred to as RBOCs, which stands for regional bell operating company. This is because back whenever Ma Bell was split, as one of the first measures in order to keep the telephony industry from being one big monopoly, it was originally split into 7 RBOCs, which later became companies like SBC, Verizon, Qwest, and of course BellSouth. It's also good to note from here that the acronym for the typical analog-based telephone system that you will see in your area is POTS, which simply means plain old telephone system.

Now while we're cramming you with lingo I should go ahead and explain exchanges. Exchanges are simply groups of numbers. You may recognize it as the middle three numbers in your phone number. Like for example if your number was 555-555-5555 then those middle three numbers (i.e. 555-XXX-5555) would be the exchange you belong to. This is simply a way COs organize assigned subscriber lines (you, the customer). If you want to be technical the exchange identifier in a number is known as the NXX, while the area code (the first three numbers of course) is the NPA. So if we wanted to be cool and down with the lingo then we can see our number as NPA-NXX-5555. I would love to tell you what NPA and NXX stand for, but honestly I don't know, and don't really think it's all that important (but by all means, feel free to look it up if you like). I should also go ahead and explain CLLI codes to you, since you're going to have to know at some point. A CLLI (common language location identification) is an 11 character identifier used to identify switches and other networking elements and such over a PSTN.

You should also be familiarized with ANI and ANACs. ANI stands for automatic number identification, and is how the LECs identify the number of a calling subscriber. The function is similar to caller ID, but the system itself is completely different. Nowadays everyone uses ANI II, which adds a whole bunch of features to the system. The most predominant of these changes adds a 2 digit identifier on top of the ANI result, in order to identify the service that the calling party is using. An ANAC serves somewhat of a similar function, but is used by a field technician in order to identify the number of the line that he/she is hooked up to. These are numbers that you call, and they read back the number of the line you are on. There is a list of toll-free ANACs you can use on Information Leak...

www.informationleak.net/anacs.txt

While we're babbling on about the lingo it's cool from here to know what LASS (local area signaling services) codes are. You probably know these as star services, most notably being *69 (caller id), *67 (call block), *58 (anonymous call rejection), etc. It's also nice to note that DTMF (dual tone multi frequency) tones are those pretty little tones you hear when you dial a number. They are called this of course because it is actually two separate tones that construct the tone that you hear when you hit a number on your numpad. So I don't have to list you all the other different tones out there, here is another link to check out for a list of tones used...

www.tech-faq.com/telephone-tone-frequencies.shtml
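The two-tone idea is easy to see in code. The following Python is an added example and is not from the guide or the site linked above: it builds a DTMF burst for each key from the standard low/high frequency table, strings a constructed dial string into tone bursts with silent gaps, and recovers the digits with the Goertzel algorithm (the usual way a decoder measures energy at a handful of fixed frequencies). The 8 kHz sample rate, the 205-sample block, the 70 ms / 60 ms burst timing and the detection thresholds are assumptions chosen for the demonstration, not anything the guide specifies.

```python
"""DTMF: each keypad key is one low-group tone plus one high-group tone.
Added example, not from the original guide. Sample rate, block size,
burst timing and thresholds are assumptions chosen for the demonstration."""
import math

RATE = 8000    # samples per second (assumed; matches telephony PCM)
FRAME = 205    # Goertzel block size; 205 samples at 8 kHz is a common choice
LOW = (697, 770, 852, 941)          # row tones (standard DTMF table)
HIGH = (1209, 1336, 1477, 1633)     # column tones (standard DTMF table)
KEYPAD = (("1", "2", "3", "A"),
          ("4", "5", "6", "B"),
          ("7", "8", "9", "C"),
          ("*", "0", "#", "D"))


def key_tones(key):
    """Return the (low, high) frequency pair that makes up one key."""
    for row_freq, row_keys in zip(LOW, KEYPAD):
        if key in row_keys:
            return row_freq, HIGH[row_keys.index(key)]
    raise ValueError(f"not a DTMF key: {key!r}")


def synthesize_key(key, n, amplitude=0.5):
    """n samples of the two sine waves that make up `key`, summed."""
    lo, hi = key_tones(key)
    return [amplitude * (math.sin(2 * math.pi * lo * i / RATE)
                         + math.sin(2 * math.pi * hi * i / RATE))
            for i in range(n)]


def synthesize_number(digits, tone_ms=70, gap_ms=60):
    """Tone bursts separated by silence. Dashes in the input are ignored."""
    tone_n = RATE * tone_ms // 1000
    gap_n = RATE * gap_ms // 1000
    samples = []
    for d in digits:
        if d == "-":
            continue
        samples += synthesize_key(d, tone_n)
        samples += [0.0] * gap_n
    return samples


def goertzel_power(samples, freq):
    """Energy of `samples` at the DFT bin nearest `freq` (Goertzel algorithm)."""
    n = len(samples)
    k = int(0.5 + n * freq / RATE)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def _dominant(samples, group, ratio=4.0):
    """The group frequency with the most energy, or None if no clear winner."""
    powers = sorted(((goertzel_power(samples, f), f) for f in group), reverse=True)
    (best_p, best_f), (second_p, _) = powers[0], powers[1]
    return best_f if best_p > ratio * second_p else None


def decode_frame(samples, silence=0.05):
    """Key present in one frame, or None for silence or ambiguous audio."""
    if sum(x * x for x in samples) / len(samples) < silence:
        return None
    lo, hi = _dominant(samples, LOW), _dominant(samples, HIGH)
    if lo is None or hi is None:
        return None
    return KEYPAD[LOW.index(lo)][HIGH.index(hi)]


def decode_number(samples):
    """Walk the audio frame by frame and emit each key once per burst."""
    digits, last = [], None
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        key = decode_frame(samples[start:start + FRAME])
        if key is not None and key != last:
            digits.append(key)
        last = key      # a silent frame resets `last`, so "55" decodes as two keys
    return "".join(digits)


if __name__ == "__main__":
    dialed = "555-1234"                  # constructed dial string, not a real number
    audio = synthesize_number(dialed)
    print(dialed, "->", decode_number(audio))
```

The silence gap between bursts is what lets the decoder tell "55" from one long "5": every gap of 60 ms contains at least one whole 205-sample frame of silence, which resets the collapsing logic. Frames that straddle a burst edge are rejected as ambiguous rather than guessed, which is why `_dominant` demands a clear winner instead of just taking the strongest bin.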

Well I know that there is a lot I skipped out on, so when you get the chance it would be wise to google up some telephony terminology to get acquainted with. Verizon's website has a pretty nice list. Anyways, as promised earlier, here is the site that if you don't know about, you really should. This site will allow you to get all the information you could ever want to get to know your LEC. Here is the site...

www.telcodata.us

The information it offers includes listed exchanges, CLLI codes, etc. etc. Anywho, in the next section we will be talking about signaling protocols over the PSTN. If you have read my Phreak 2k tutorial then you will remember it being a section from that tutorial. It predominantly talks about ccss7, since it's becoming the well adopted and adapted signaling protocol for LECs across the world, though there are still some areas out there that have not yet implemented ss7 so it's wise to look in your spare time into systems like ESS as well. So let's move on, shall we?

=================
| SS7 Explained |
=================

Again, as I explained in the previous section, this is a piece from my Phreak 2k tutorial. I knew signaling protocols needed to be covered, and I didn't feel like writing a whole new piece on the subject so I just ripped it off of one of my previous works. So here you go...

One of my favorite lines I love to use when explaining such topics is that one can not expect to break into something, or take advantage of something, without first understanding how it operates. So therefore to start off this tutorial, I think it will be nice to first review how telco operates. I welcome you, the reader, to the world of SS7 (Signaling System 7). SS7 (which is a short acronym for common channel signaling system 7, also known as ccss7) is an architecture for performing out-of-band signaling in support of functions established on the PSTN (public switched telephone network). This includes call-establishment, billing, routing, and information exchange. It identifies functions to be performed by a signaling-system network and provides a protocol to enable their performance. When I speak of out-of-band signaling, I am referring to signaling that takes place on a separate path than the path that the conversation is using. In this case, SS7 establishes a separate digital channel for the exchange of signaling information, which is called a signaling link. Therefore, when a call is placed, all the necessary signaling messages (dialed digits, selected trunk, etc.) are sent between switches using their signaling links, rather than the trunks (which carry the conversation). This concept of signaling is extended to the caller with the use of an ISDN D channel (since SS7 deals with signaling between networking elements). Therefore, the information that makes up the call is carried over B channels, while the signaling information is carried over a D channel. This makes the whole process more robust by allowing signaling information to be transmitted during the entire duration of the call, instead of just in the beginning.

Now let's get into the structure of SS7. The simplest design for the signaling network architecture is called associated signaling.
This works by allocating one of the paths between each interconnected pair of switches as the signaling link. This architecture works quite efficiently as long as a switch's only signaling requirements are between itself and other switches to which it has trunks, and this is the architecture that you can find implemented in Europe. However, the USA wanted to design a signaling network that would enable any node to exchange signaling with any other SS7-capable node. This of course makes signaling much more complicated when the exchange of signaling is done between nodes that have no direct connection. This concept of signaling spawned the North American SS7 architecture. Under this architecture, a completely new and separate signaling network is defined. There are three essential components that the network is built on, and these components are connected by signaling links. The first component we will discuss is signal switching points (SSPs). These are telephone switches (end offices or tandems) that are equipped with SS7-capable software and terminating signaling links. They generally originate, terminate, or switch calls. The next component is signal transfer points (STPs), which are the packet switches of the SS7 network. They receive and route incoming signaling messages towards the proper destination, and perform specialized routing functions. And finally there are signal control points (SCPs), which are databases that provide the information necessary for advanced call-processing capabilities.

Now let's take a look at the link types that are used on SS7. A links interconnect an STP with either an SSP or an SCP (the A stands for access). This means that A links handle delivering signaling to and from signaling end points. Now while an SSP is connected to its home STP pair through a set of A links, the reliability of such a link can be provided by deploying an additional set of links to a second STP pair. These are called E links (the E means extended), which provide backup connectivity in the event that the home STPs can not be reached via A links. C links are links interconnecting mated STPs (the C in this instance stands for cross). These links are also used to provide reliability in the instance that other links are unavailable. However, the actual carrying of signaling messages beyond the initial entry point to the signaling network, and on to their intended destination, is handled by B/D links. The B (which stands for bridge) describes the interconnecting peer pairs of STPs, while the D means diagonal and describes the quad of links interconnecting mated pairs of STPs. Then there are F (fully associated) links which directly connect two signaling end points. However, due to the fact that F links bypass the security features that are provided by an STP, they are not generally deployed between networks.

So now that we understand the types of links implemented in the switching system, we can discuss exactly what goes over a signaling link. Well, basically signaling information is transferred in messages that are called SUs (signaling units). Now there are three types of SUs that are defined according to the SS7 protocol: MSUs (message signaling units), LSSUs (link status signal units), and FISUs (fill in signal units). These SUs are transmitted continuously in both directions on any given link that is in service.
Signaling points that don't have MSUs or LSSUs to send will send FISUs over the link (in other words, to make it easy for those of you who may be scratching your heads now, whenever a signaling point is not sending information during a call, it is sending FISUs, which simply fill up the signaling link until it is needed to send other types of signaling).

Now let's take all this SS7 networking that I have been discussing, and discuss the layers that compose this protocol. The most obvious layer of the SS7 protocol of course is the physical layer, which defines the physical and electrical characteristics of the signaling links. The second layer I will discuss is the MTP (message transfer part), which is separated into two levels. MTP Level 2 provides the link-layer functionality that ensures that messages can properly be sent between signaling links, while MTP Level 3 extends MTP Level 2 to provide network layer functionality. Another layer used is SCCP (signaling connection control part), which allows for addressing applications within a signaling point. These applications are referred to as subsystems, and include 800 call processing, calling-card processing, CLASS (custom local area signaling services) services like call return, etc. Another function featured with SCCP is GTT (global title translation), which provides the ability to perform incremental routing. This allows originating signaling points to not have to know every potential routing destination that will have to be used. The next layer of discussion is ISUP (ISDN user part), which defines the messages and protocol used in the establishment and tear down of calls sent over the PSN (public switched network). In the North American SS7 architecture, ISUP messages rely exclusively on MTP to transport messages between nodes. Next is TCAP (transaction capabilities application part), which defines the messages and protocol used to communicate between subsystems. Of course, this means that TCAP uses SCCP for transport.
And finally, OMAP (operations, management, and administration part), which defines messages and protocol designed to assist administrators of the SS7 network. OMAP uses both MTP and SCCP for routing.

So now that we understand the layers that compose SS7, let's discuss the addressing scheme used. Individual signaling points on a SS7 network are assigned to a cluster, or group of signaling points. Now within this cluster, each signaling point is assigned a member number. In the North American SS7 architecture, each node is addressed by a three-level address number. This address number is assigned based on its network, cluster, and member numbers. Each of these numbers is an 8-bit number and can range in value from 0 to 255 (sound familiar?). The network number is assigned nationwide by a neutral party. RBOCs (regional bell operating companies), major independent telephone companies, and IXCs (interexchange carriers) already have network numbers assigned. The cluster that the nodes are assigned to is based on the state which the node resides in. And of course, as with other network addressing schemes, 0 is not available for assignment, and 255 is reserved for future use. Well this pretty much wraps up my explanation of SS7. If you have reached the end of this section utterly confused, feel free to read over it again until you can better understand it. It's important to understand how the PSTN works. It's also nice to note that not every area on the globe has SS7 implemented in the switching system, but unless you live in a third world country (or the south), then most likely the switching system used is SS7.
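The three-level address just described can be turned into a small codec so the network/cluster/member split becomes concrete. The following Python is an added example, not from the guide and not from any real SS7 stack: it parses a point code written as network-cluster-member, applies only the rules the text states (three 8-bit fields, 0 not assignable, 255 reserved), packs the result into a 24-bit integer and unpacks it again, and reports how two points relate in the hierarchy. The field order in the packed value (network in the high byte), the accepted dashed or dotted text forms and the sample values are assumptions for the example; a carrier's actual assignment rules go beyond what the text mentions.

```python
"""ANSI SS7 point code helpers: network.cluster.member, three 8-bit fields.
Added example, not from the original guide; the only validation rules
applied are the ones the text states (0 not assignable, 255 reserved)."""

FIELD_NAMES = ("network", "cluster", "member")
NOT_ASSIGNABLE = {0, 255}   # per the text: 0 is not available, 255 is reserved


def parse_point_code(text):
    """'network-cluster-member' (dashes or dots) -> (network, cluster, member)."""
    parts = text.strip().replace(".", "-").split("-")
    if len(parts) != 3:
        raise ValueError(f"expected three fields, got {text!r}")
    fields = []
    for name, part in zip(FIELD_NAMES, parts):
        if not part.isdigit():
            raise ValueError(f"{name} field {part!r} is not a number")
        value = int(part)
        if not 0 <= value <= 255:
            raise ValueError(f"{name} {value} does not fit in 8 bits")
        if value in NOT_ASSIGNABLE:
            raise ValueError(f"{name} {value} is not an assignable value")
        fields.append(value)
    return tuple(fields)


def pack_point_code(network, cluster, member):
    """Pack into one 24-bit integer; network in the high byte is an assumed layout."""
    for name, value in zip(FIELD_NAMES, (network, cluster, member)):
        if not 0 <= value <= 255:
            raise ValueError(f"{name} {value} does not fit in 8 bits")
    return (network << 16) | (cluster << 8) | member


def unpack_point_code(value):
    """Inverse of pack_point_code."""
    if not 0 <= value < (1 << 24):
        raise ValueError("a point code is 24 bits")
    return (value >> 16) & 0xFF, (value >> 8) & 0xFF, value & 0xFF


def format_point_code(network, cluster, member):
    """Render the three fields in the dashed form used throughout."""
    return f"{network}-{cluster}-{member}"


def relation(a, b):
    """How two signaling points sit relative to each other in the address hierarchy."""
    if a[0] != b[0]:
        return "different networks"
    if a[1] != b[1]:
        return "same network, different clusters"
    if a[2] != b[2]:
        return "same cluster"
    return "same signaling point"


if __name__ == "__main__":
    # constructed sample values, not real point codes
    for text in ("250-1-7", "250.1.9", "12-40-3"):
        pc = parse_point_code(text)
        packed = pack_point_code(*pc)
        print(text, "->", pc, hex(packed), format_point_code(*unpack_point_code(packed)))
    print(relation(parse_point_code("250-1-7"), parse_point_code("12-40-3")))
```

The "sound familiar?" in the text is the point: three octets packed big-endian look exactly like part of an IPv4 address, which is why the dotted form is accepted alongside the dashed one.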

=====================
| Exchange Scanning |
=====================

Well now that you hopefully have a decent understanding of telephony, I can finally start you off into phreaking. A lot of people immediately want to get into learning about all the boxes that you can build, since they are deluded into believing that building and using boxes is all there is to phreaking. This is simply not true. So in my personal opinion, probably the best way you can get into phreaking is by starting out with exchange scanning. It's the method that you will use to discover all those interesting numbers (VMBs, ANACs, test numbers, etc.), and the sooner you pick it up the better. Some of you may be wondering what the hell exchange scanning even is. Well, do you remember earlier when I was talking about exchanges? You should. If you don't you need to quit reading now and go back and read Basic Telecommunications again. Anyways, if you do remember, then you will remember that exchanges are used in order to help group subscriber lines within an NPA (being again the area code). Each LEC is of course given specific exchanges that they can use for assigning numbers to. Well, exchange scanning is dialing down that exchange for any interesting numbers. You may be familiar with it as wardialing (as shown in the movie Wargames), but it's really only wardialing if you use a wardialer, and not everybody uses one. In fact, in many ways it's recommended not to, since a wardialer can't pick up on many numbers that you might want to know (like VMBs). Personally I use PhoneTag, because I'm too lazy to dial a whole bunch of numbers by hand, but that's because I set it to ring 10 times, and listen closely to the modem speaker so I can hear anything interesting. For your first exchange scan, you will probably want to go with your own exchange. Not for any specific reason really, it just happens to be where most people start. If you decide to go with a wardialer make sure it's one that is capable of randomizing the call list (like PhoneTag).
Nothing says "monitor me" like sequentially dialing down an exchange. Plus, many LECs have devices that disallow any subscriber from dialing more than 10 or so numbers in sequence. It also helps if it's capable of randomizing the time sequence between each call, but I haven't done this myself and I haven't found it to really affect that much (then again, BellSouth isn't all that bright at times, so you might want to look into this in case your LEC is a little smarter than mine). Keep in mind though that if you have the patience to do so, it really is much better to handscan, which is simply exchange scanning by hand. That way you can listen out closely for any interesting numbers that you might miss with a wardialer, and you can give a nice response to any residential numbers that you might call, you know like "Oh sorry, I believe I have the wrong number". Most people will accept this and be less prone to call you back, contrary to how a wardialer will treat them and just hang up on them (rude little buggers those wardialers are). If you want to be a little less rude to your fellow neighbors, it's best to remove them from your planned call list. The best way to do this is to go to superpages.com, punch in your NPA and NXX, and then use that site to look up all the listed numbers on your target exchange. Then just remove these numbers from your list. That way you can kill off some time on your scanning, and keep from bugging anyone. I should also mention that it's well accepted that day time is the best time to do exchange scanning. That way, again, you don't piss anyone off. Personally I find the best time to do exchange scans is during the mid-morning, or mid-afternoon hours. Really any daytime hours are ok, but if you are available during any of these hours then I find it to be best for exchange scanning since most people are off at work at the time. Now that I've gone over this, it's good from here to establish exactly which part of the exchange you're going to scan. If you have the time, then it's of course best to scan from NPA-NXX-0000 to NPA-NXX-9999, but maybe you don't have this patience. So if you are looking for the service numbers like the test numbers and such, then to help cut down on your scanning you might want to scan the low end or high end of your target exchange. Different LECs have their service numbers on different portions. Around here, most of the interesting numbers are on the low ends, but I know a lot of other regions have more luck scanning the high ends.
So it's best to just scan both yourself, and get a feel for which one you have better luck with. In case you don't understand what I'm talking about with ends, NPA-NXX-00xx (where the last xx is 00-99) is a low end scan, and of course NPA-NXX-99xx (where again, the last xx is 00-99) is a high end scan. This is usually where those fun numbers you love are located, but I also know of some areas that have these numbers thrown right down in the middle. So if you have the time, you should try just scanning the entire exchange, since there are still many other interesting numbers to be found outside the low and high ends. So now that you're ready to scan, I'll close this section out by helping you understand identifying the numbers you come across...

Carriers - these are also known as dial-in modems, and are of course dial-in devices that allow you to interface with the system behind it. You may remember this if you watched Wargames as being how that kid in the movie was breaking into all those networks. Well, you won't believe just how many there still are. Carriers can easily be recognized as being the exact same tone you hear when you connect to the internet with a dialup connection.

Fax Machines - I really doubt I need to explain to any of you what a fax machine is, but I will help you identify when you've come across a fax machine. When you dial into a fax machine, it will sound a little like a carrier except that it will sound a bit off. It's kind of hard to explain, but when you hear one and then the other then you will know what I'm talking about.

Milliwatt Test Numbers - you may and probably will find a lot of these numbers when exchange scanning, since I've found them to be probably the most prominent of the types of test numbers there are. These are used by field technicians for testing a whole range of problems with a line. You can recognize these as having a low consistent tone.

Sweep Test Numbers - these numbers are a little harder to find, but can be very useful for you if you come across them. They aren't easy to miss if you dial into one, since if you dial into one you will hear somewhat of a wave of different tones blasting through your line that is approximately 30 seconds long. If you come across them then you can use them to test for any bugs on your line, specifically the infinity-transmitter style taps. Just call the number and let it play. If you hear any audible clicks while the tone is blaring down your line, then there is a good chance that you're being tapped.

Loop Numbers - you will see these numbers mentioned in earlier phreaking texts, but not quite as often mentioned anymore. This is because most loop numbers have a voice filter now that makes them completely useless. How they work is that you dial into the high end loop, and then have your buddy or whoever dial into the low end. These numbers are usually assigned in succession. Like say if you were to dial into the high end and the number was NPA-NXX-9999, then you'd have your buddy call like NPA-NXX-9998. You can recognize if you have dialed into a high end loop number, because you will hear this constant annoying tone until your buddy or whoever calls the low end. Then there will be dead silence. If it for some reason has not had a filter placed, then this is where you would talk, but again, usually these things are filtered so most are useless now.

Quiet Termination Numbers - these numbers are used in order to connect the caller to a fixed resistance. If you dial a number, and you hear nothing but dead silence then this is a quiet termination number (or perhaps the low end of a loop; if you want to be sure, call the number right after it and see if you hear that familiar high end loop tone I was telling you about).

ANACs - these are a little harder to fish out immediately because they are just a common recording. ANAC stands for Automatic Number Announcement Circuit. Some ANACs will read off the number immediately after they pick up, while others may want you to go through a menu in order to use the feature. The best thing to do in order to find ANACs is, when you dial into a recording, give it a second so you can hear what it's telling you. If you hear your number, or hear a menu option that offers to read off your number, then of course you have an ANAC.

PBXs - I will dedicate an entire section to these later concerning what they are and how to exploit them, but PBX stands for Private Branch eXchange, and is an internal phone network. When you're scanning for these you'll be looking for the DISA port (Direct Inward System Access), which is a dial-in port that hands a remote caller the PBX's internal dial tone once an authorization code is entered. There are wardialers out there that can scan for these ports (i.e. PBX Scanner). You can recognize these by a low sounding tone; here is a recording...

http://artofhacking.com/cgi-bin/wwfs/wwfs.cgi?AREA=109&FILE=PBX1.WAV

DATUs - these are fantastic finds if you come across them. DATU stands for Direct Access Test Unit, a test system in the central office that lets a technician dial in and put test conditions on a subscriber's line from the field. They aren't always called DATUs (here they're called VoiceSystems), and some operate differently than others. You can recognize them because they start off sounding like a DISA port, but go through half of a ring and then get cut off by a low tone. More will be explained on how to exploit these later.

VMBs - fishing for these is kind of like fishing for ANACs. You have to listen carefully to any recording you hear during your scanning, because you never know what it is. These are of course voice mail boxes, used by corporations and the like as, well, basically answering machines. That way they can keep up with the business of being business people, or whatever. Anyway, the recording will identify itself as someone's voicemail system, or just ask you for your box number.

Also I should add that there are special, unpublished exchanges that you can try to scan once you get the hang of it. To find unpublished exchanges that might be in your area, go back to telcodata.us or nanpa.com. If you go to NANPA, look for Central Office Code Assignments that are close to your area (keep in mind, Utilized means used). After you have a list of assigned exchanges, compare the results to the exchanges listed in your phone book. If you see one on your list that isn't in the phone book, then you have a special exchange. These can be a treasure trove of interesting numbers if you give them a scan. Well, that's it for this section; by now you should be armed with enough information to take your LEC by storm.

================== | Hacking PBXs | ==================

Now let's get into hacking PBXs. To extend on what I was saying in the exchange scanning section, PBX stands for Private Branch eXchange, which is an internal phone network used by medium and large organizations for sharing a number of external lines among a larger number of phones within. Remember when you were in school (or are in school) and had to hit 9 before dialing a number? That's because your school used a PBX. PBXs are used because they are much more cost effective than giving every phone its own line. The structure of a PBX is basically a bunch of lines hooked to an outbound trunk. There's a little more to it than that, but that's enough to give you a good idea of how one is structured. Just to drive the point home, here is another example of my ascii artistry...

 (1)
    \
 (2)___\___[trunk]---> LEC
       /
      /
 (3)

Of course, this diagram is extremely dumbed down, but you get the point. The ()s in this diagram are the phones in the organization, and they are hooked together to an outbound trunk that interfaces them with the outside, being the LEC. So what is the benefit to you of exploiting one of these systems? Well, if you take control of a PBX, then you can dial out from there and call wherever you want, leaving the organization that owns the PBX with the tab. So how do you exploit them? There are two ways you can accomplish this feat: hacking the DISA ports (don't worry, more will be explained about this later), or social engineering someone within the PBX into dialing out for you. We will discuss the latter of the two first, since it is the easiest, and then talk about exploiting the DISA ports. The social engineering scheme is pretty easy. What you do is either beige box a line, or call up from a payphone to any midsized to large organization, and give them the following ploy put together by my good friend Halla...

"Hello, my name is William Higgens with AT&T. We are doing some work on the poles and need to get a line check so nothing gets crossed. I've been asked by the field line engineers to call you and have you dial 90 so that I can relay the line information to them. Thank you, and sorry for any inconvenience."

How does this help? Well, as I said, you remember hitting 9 when you had to dial out from within a PBX, right? Well, 0 of course is the extension for the operator. So when the poor employee you contacted does you the nice favor of dialing 90 for you, you have been dialed out on that outbound trunk, and any charge you run up will be thrown to the organization. When you reach the operator, simply tell him/her that you are having trouble dialing a number, or something like that, and need him/her to reach the number for you. The operator will ask you what number you are attempting to reach, and you should of course know what to do from here. You can improvise on the social engineering skit above: change the AT&T part to your local LEC, and the name, if you wish, to whatever you like. It's just an example to give you an idea of how it works. Also, if you want to dial a number outside your country, just ask for 900 (9 for the outside line, then 00 for the international operator). Keep in mind that it will obviously be much harder to convince anyone that a field technician needs to reach an international operator, but hey, there are stupid people out there. So now that you understand how to social engineer a free long distance call out of a PBX, let's talk about hacking the DISA ports. DISA stands for Direct Inward System Access. Note that it is not an administrative port: it is a remote access feature that lets an authorized employee (someone on the road, say) dial into the PBX from outside, enter an authorization code, and get the PBX's internal dial tone so they can place outbound calls on the company's trunks. That is exactly why it is worth finding. These really aren't that hard to exploit at all. You just need to find the number for a DISA port. So how do you do this? Well, you are going to have to do a little scanning. There are a lot of wardialers out there that you can configure to scan for PBXs, but here is one you can use solely for this purpose...

www.informationleak.net/pr0g/pbx_scan.zip

Once you have this scanner downloaded, extracted to a folder, and configured, just start scanning away. It shouldn't be that risky to scan from your house, since you haven't done anything illegal just yet. If you are really feeling that insecure about leaving your number with the target PBX, then you can take a laptop out into the field and beige box your modem wire into somebody else's line. It's also best to scan for toll-free PBXs, so you can call them from anywhere, but locals are fine too, I guess. Anyway, if you are scanning from home don't EVER call back any PBX you find. I can't stress this enough. One call in and hang up doesn't look all that suspicious to a PBX administrator, but two definitely will, and if you are trying to hack into it from your house then you might as well go to the police station right now and turn yourself in. Once you have a PBX, go out at a different time to a payphone or a different line and call it up. When the DISA port answers with its tone, your task from here is to guess the authorization code it wants. This isn't really as hard as it may sound. There are many common codes used on these ports that you can use to your advantage. You basically have two options here. First try 9#, then 8#, and on down the keypad in this fashion. This doesn't usually work anymore, but is worth a shot. After this you can try the usual four digit codes: 1111, 1234, 1000, 4321, etc. Just work down the keypad with the kinds of code schemes mentioned above. If you hear a dial tone after entering a code, that means you just got through the DISA port, and can use it to dial out wherever you like. If you use the above schemes down the keypad and come up with nothing, then just say fuck it and move on to another PBX. There are too many out there to worry about one. Also, needless to say, when you're working on the DISA port you should be doing this after office hours, like the middle of the night (though that depends on the business running the PBX). The same list is the defender's to-do list, for what it's worth: if the PBX doesn't need DISA, turn it off; if it does, use long codes, lock the port after a few bad attempts, and watch the call detail records for short after-hours calls into it. Anyway, on to other things...
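Whether you punch codes in by hand or a wardialer does it, what actually goes down the line is DTMF, and the DISA port's receiver decodes it the same way a caller ID box listens for its own DTMF acknowledgement later in this guide. The following is an added example, not code from this guide or from PBX Scanner: it synthesises the dual tones for a dialled code and then recovers the digits with the Goertzel algorithm, which is what a real DTMF receiver does. The sample rate, tone and gap lengths, and the decision thresholds are assumptions chosen for the example.

```python
"""DTMF as a DISA port (or a caller ID box waiting for its ACK) hears it.

Added example for this guide; not code from the original text or from PBX Scanner.
Synthesises the dual tones for a dialled string and recovers the digits with the
Goertzel algorithm, which is how a real DTMF receiver works. The sample rate,
tone/gap timing and decision thresholds are assumptions chosen for this example.
"""
import math

SAMPLE_RATE = 8000        # telephone-band rate (assumption)
TONE_MS, GAP_MS = 70, 50  # per-digit tone and silence; ITU-T Q.24 wants >= 40 ms

# Low group (rows) by high group (columns). The 1633 Hz column is the A-D keys a
# normal keypad lacks; DTMF A or D is also the ACK a Type II caller ID box sends.
ROWS = (697, 770, 852, 941)
COLS = (1209, 1336, 1477, 1633)
KEYS = ("123A", "456B", "789C", "*0#D")
FREQS = {KEYS[r][c]: (ROWS[r], COLS[c]) for r in range(4) for c in range(4)}


def dual_tone(f1, f2, ms, rate=SAMPLE_RATE, amp=0.45):
    """Two summed sines (amp each) lasting ms milliseconds, as float samples."""
    n = int(rate * ms / 1000)
    return [amp * (math.sin(2 * math.pi * f1 * i / rate) +
                   math.sin(2 * math.pi * f2 * i / rate)) for i in range(n)]


def dtmf_encode(digits, rate=SAMPLE_RATE):
    """Audio for a dialled string such as '1234#': tone, silence, tone, ..."""
    out = []
    for d in digits:
        out += dual_tone(*FREQS[d], TONE_MS, rate)
        out += [0.0] * int(rate * GAP_MS / 1000)
    return out


def goertzel(block, freq, rate=SAMPLE_RATE):
    """Power at one frequency in a block of samples (a single DFT bin, cheaply)."""
    coeff = 2 * math.cos(2 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in block:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def dtmf_decode(samples, rate=SAMPLE_RATE, block_ms=20, min_blocks=2):
    """Recover the dialled string. A key counts once it dominates its row and
    column groups for min_blocks consecutive blocks; silence ends the key, so
    repeated digits ('11') are still told apart."""
    n = int(rate * block_ms / 1000)
    digits, current, run = [], None, 0
    for start in range(0, len(samples) - n + 1, n):
        block = samples[start:start + n]
        key = None
        if sum(x * x for x in block) > 1.0:            # not silence (assumed threshold)
            rp = [goertzel(block, f, rate) for f in ROWS]
            cp = [goertzel(block, f, rate) for f in COLS]
            # a valid digit has exactly one strong tone per group; a real receiver
            # also checks 'twist' (relative level of the two tones) this way
            if max(rp) > 4 * sorted(rp)[-2] and max(cp) > 4 * sorted(cp)[-2]:
                key = KEYS[rp.index(max(rp))][cp.index(max(cp))]
        run = run + 1 if key == current else 1
        current = key
        if key is not None and run == min_blocks:
            digits.append(key)
    return "".join(digits)


if __name__ == "__main__":
    # The usual first guesses from the text, as the port would receive them.
    for code in ("9#", "1234", "AD"):
        audio = dtmf_encode(code)
        print(code, "->", dtmf_decode(audio), "(%d ms of audio)" % (len(audio) * 1000 // SAMPLE_RATE))
```

The same dual_tone helper gives you the other pairs this guide talks about: 1700 Hz + 2200 Hz is the coin signal a red box imitates, and 2130 Hz + 2750 Hz is the CAS tone from the caller ID section. The point of the decoder half is that the PBX is not doing anything clever on its end: a code is accepted the moment its tones are clean and long enough, which is why the text keeps harping on clarity.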

================== | Hacking VMBs | ==================

You know, there have been so many tutorials on hacking VMBs written that anything I wrote here would just be repeating the same crap. So instead of regurgitating information that has already been so well documented, I thought it best to just link you to some tutorials on this subject. If for some reason any of these links die, then go to a search engine (like google.com) and search for the title listed by the link (including the quotation marks)...

http://www.oldskoolphreak.com/tfiles/phreak/meridian.txt - "Hacking Meridian Mail Boxes"

http://www.oldskoolphreak.com/tfiles/phreak/octel.txt - "Hacking Octel Voicemail Boxes"

http://www.oldskoolphreak.com/tfiles/phreak/vmb.txt - "Hacking Voicemail Boxes"

http://9x.tc/9x/rawtext/9X_1CON.TXT - "Inpho on 1Connect VMBs"

http://9x.tc/9x/rawtext/9X_CINDI.TXT - "HACKING THE CINDI VOICEMAIL SYSTEM"

=================== | Hacking DATUs | ===================

What can I say? I'm in a lazy mood today. So the same thing I did for the last section is what I will do for this one. The topic has been very well documented in the past, and I have nothing new to add to it. So, as before, here are links to different tutorials you can read to become familiar with DATUs and how to gain access to them...

http://9x.tc/9x/rawtext/9X_DATU.TXT - "DATU FOR DUMMIES"

http://www.hackcanada.com/blackcrawl/telecom/datu.txt - "OFFICIAL DATU DOCUMENTATION"

http://www.totse.com/en/phreak/phone_phun/165500.html - "Using Your Local DATU"

http://www.hackcanada.com/canadian/phreaking/datu_guide.txt - "An Introductory Guide to DATU Systems"

I'll try not to resort to this measure anymore, or this won't be much of a guide at all, but I just really didn't have anything new to add to this section or the last one. Still, the point of this guide is to introduce you to phreaking, and these tutorials will definitely help introduce you to accessing these systems.

================== | ANI Spoofing | ==================

ANI, as I explained in the Basic Telecommunications section, stands for Automatic Number Identification. It is how the calling subscriber's line is identified inside the PSTN for billing, and it is delivered to the called party as part of Inward WATS service (wide area telephone service, the toll-free 800 type lines). Unlike caller ID it is carried in the network's own signaling rather than in the audio path, which is why none of the caller ID tricks later in this guide touch it. It is split into two separate parts: a two digit identifier for the type of service the caller is calling from, and the number itself. The service currently used is ANI II. For your convenience I'm going to list the ANI II information digits as defined in the ANI II standard, and presented by the all-knowing Wikipedia...

00 - Plain Old Telephone Service (POTS), a standard non-coin telephone.
01 - Multi-party line, typically 4-party or 8-party service. The operator will come on to ask for the caller's telephone number.
02 - ANI failure. The operator will come on to ask for the caller's telephone number.
03-05 - Not used.
06 - Used for multiple customers from the same telephone number, such as in hotels where they do not also automatically identify the room number.
07 - This caller requires special handling by an operator. Where this cannot be accomplished, the caller is given a recording telling them their call could not be completed.
08-19 - Not used or reserved for specialized functions.
20 - Used by PBX systems where the caller is dialing out using the main number rather than, say, a specific number assigned to that station on that PBX.
21-22 - Not used.
23 - Status as to whether the caller is using a coin telephone or non-coin telephone cannot be determined.
24 - A call from a non-coin telephone to a toll-free number has been converted to its regular telephone number.
25 - A call from a coin or prison telephone to a toll-free number has been converted to its regular telephone number.
26 - Not used.
27 - Network signalling controlled coin telephone.
28 - Not used.
29 - Call from a prison telephone (which usually only allows 0+ collect service).
30 - Call to an unassigned number that is to be routed to a recording.
31 - Call to an assigned number that has been manually placed out of service.
32 - Call to a recently disconnected number.
33 - Not used.
34 - Operator assisted call for which billing has been completed.
35-39 - Not used.
40-49 - Reserved for local use by carrier.
50-51 - Not used.
52 - Outward WATS call.
53-59 - Not used.
60 - Non-coin caller using a TRS (Telecommunications Relay Service).
61 - Call from PCS/Cellular system user over Type 1 trunk.
62 - Call from PCS/Cellular system user over Type 2 trunk.
63 - Call from PCS/Cellular system user who is roaming on another provider's network. The number is generally a temporary number assigned to that user while roaming on that network.
64-65 - Not used.
66 - Caller from a hotel using a TRS (Telecommunications Relay Service).
67 - Caller from a restricted line using a TRS (Telecommunications Relay Service).
68-69 - Not used.
70 - Coin telephone which is not network signalling controlled.
71-92 - Not used or reserved for other uses.
93 - Call coming from a Private Virtual Network.
94-99 - Not used.

So now that we've gone over ANI, let's get into the point of this section: how to spoof ANI. Why would you even want to? There are two main reasons. One, you want to reach a system without revealing your original point of calling (if this is your purpose then it should be used in conjunction with beige boxing, which will be explained later). Two, you can of course use it for making free calls, which is what it's usually used for. This technique was discovered and released by Lucky225, so show respect to the smart little bugger that made this possible. What you will want to do first is get some ANACs to use. For a list of toll-free ANACs go here...

http://www.informationleak.net/anacs.txt

Now call up your local operator and tell him/her that you are having trouble dialing a number, and ask if he/she will dial it for you. The operator will ask you for the number, and you give him/her the number of an ANAC (be sure to test the ANAC first before you try to use it for ANI spoofing). Then when it reaches the ANAC, listen for the number that is read back. If it is the area code and number of the line you're on, then you know that the operator has the ability to forward ANI. If the ANAC reads back your area code followed by 000-0000, then you know that it doesn't forward ANI. If this is the case, then you can use this by getting the operator to forward you to the number of another operator (search the web for the operator numbers of different carriers). Then, when you're ready to ANI spoof the call, call up the operator and ask him/her to call the number of the other operator that you got. When you reach the next operator and he/she asks for your number, give him/her any number. This should be a real number, but not that of anybody you know. Just pick one out of the phone book or something. If they allow the line itself to be billed, then you will be able to make your call on somebody else's tab. If your operator does forward ANI, another option is to use a call forwarding service to help spoof the ANI of your session. Here is one example of a service that offers this...

www.yac.com

Simply use the call forwarding service to forward the session to an operator, and then have the operator forward you to an ANAC. Then test to see if your ANI was spoofed. If it was, then do the same as above to spoof your point of origin, or to just make free calls. Enjoy...

======================== | Caller ID Spoofing | ========================

Well, I figured since I just finished teaching you how to spoof ANI, I might as well teach you how to spoof caller ID. Never confuse caller ID spoofing with ANI spoofing. They are two completely different services. Spoofing caller ID will not spoof your ANI. So what good is caller ID spoofing then? Well, it's basically good for shits and giggles. It can be good for prank phone calls, but shouldn't be depended on for keeping the source of the call anonymous, since the phone company can still trace the call back to its origin. It can also be something slightly amusing to do when you're bored on the phone with one of your friends. First, before I get into spoofing caller ID, I will explain how caller ID works. There are two flavors. On-hook (Type I) caller ID is the plain kind: while your phone is still ringing, the CO sends the caller's name and number to your CPE (Customer Premises Equipment, i.e. the caller ID box) as a burst of FSK data between the first and second ring. Off-hook (Type II, or call waiting) caller ID is the one the orange box imitates, and it goes like this. When a call comes in while you are already on a call, your CO first sends you two tones. The first is a SAS (Subscriber Alert Signal) tone, which is just the normal call waiting beep. The second is a CAS (CPE Alert Signal) tone, a short dual tone of 2130 Hz + 2750 Hz. The CAS tone informs your CPE that caller ID data for the waiting call is about to follow. The CPE then mutes your handset and sends back an acknowledgement DTMF tone (A or D) to signal to the CO that it's ok to send the caller ID information. The CO responds by sending an FSK transmission (Bell 202: 1200 Hz for mark, 2200 Hz for space, 1200 baud). Your CPE receives this, checks the message checksum, and displays it on the screen for you to see. So now that you understand how caller ID works, let's get into how to spoof it. For this you are going to need an orange box. What the hell is an orange box? An orange box is a device or software that generates the tones sent to the CPE in order to make it display whatever information you want. If you want to build one yourself, first get caller ID on your service if you don't already have it. Then, with the CPE attached, call your line from another line while you're off-hook on it. You will hear the CAS, the CPE answering with its DTMF acknowledgement (A or D), and the CO sending back the FSK transmission. Take a microrecorder and record the FSK transmission. Then you can play this recording down the line after the party you're calling has picked up, and their CPE will display whatever the recorded burst contained. You can generate the CAS tone (the orange box part) by buying a tone dialer from RadiosHACK and replacing the 3.58 MHz crystal with an 8.192 MHz crystal; the * button will then produce the CAS tone. You can generate the DTMF A and D acknowledgement tones with a silver box, which you can get the plans for below...

www.totse.com/en/phreak/boxes_old_and_new/silver02.html

Of course, all this is kind of pointless if you have a computer (which you probably do if you are reading this), since you can just download a program to generate the tones for you, without paying for all the equipment. The program is S.O.B., and you can download it from the link below...

www.artofhacking.com/orange.html

The use of this program is pretty simple. You put whatever number you want displayed in the Number field, and whatever name you want displayed in the Name field. You can use the Privacy button to simply display "Out of Area" or "Private" on the CPE (which isn't really fun, since it's just like hitting *67). You can use the Format button to change the format the data is sent in: Call Waiting if they have call waiting, Standard otherwise, and I'm not even sure about SDMF. (SDMF, Single Data Message Format, carries only the date/time and the number; MDMF, Multiple Data Message Format, carries tagged fields, which is what lets it include a name.) You can use the Timestamp button to change the timestamp recorded on the CPE, I guess in case you want to make it seem like the call was made at a different time. That's pretty much the layout for how to use S.O.B. Before I close this section out I need to remind you of a couple of things. First, when using this device your actual caller ID will be listed on the caller ID device first. You can work around this with *67 in conjunction with the orange box, but unless the person you are calling is an idiot it will not fool them a bit if they checked the CPE before picking up the phone. Second, to use the orange box you have to wait till the party picks up. Nothing is listening for your tone until then. At the earliest you can push the tone through the very second the party picks up, but that's about it. Also, I'll repeat that this will not keep the call from being traced. There is still a lot left behind during these calls, including your ANI. So if you are using the orange box for something criminal or extremely annoying then it's best to use it in conjunction with ANI spoofing, beige boxing, or something of the sort. Also, this will not spoof your caller ID to a cell phone subscriber (as in, if you try to spoof your caller ID when calling your buddy's cell phone). Cell phones get the calling number through the network's digital signaling, not through in-band tones on the audio path, and this tone will do nothing but give your buddy a loud, annoying tone to listen to. Anyway, moving on...
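What the CPE actually validates is a small framed message with a checksum, and that framing is the difference between S.O.B.'s Standard (SDMF) and name-capable (MDMF) formats. The following is an added example, not code from this guide or from S.O.B.: it builds both message types, parses them the way a caller ID box does (length check, checksum check, field extraction), and turns the bytes into a Bell 202 FSK waveform. The message layouts, checksum and FSK parameters are the published caller ID specs; the 8000 Hz sample rate, the 100 ms mark lead-in and the number and name used are assumptions.

```python
"""Caller ID data the way the CPE sees it: SDMF/MDMF framing and Bell 202 FSK.

Added example for this guide; not code from the original text or from S.O.B.
Message layouts, the checksum and the FSK parameters follow the published Bellcore
caller ID specs (GR-30 on-hook, and the Type II off-hook variant). The 8000 Hz
sample rate, the 100 ms mark lead-in and the numbers/names used are assumptions
made for this example.
"""
import math

MARK_HZ, SPACE_HZ, BAUD = 1200, 2200, 1200   # Bell 202: mark carries 1, space 0
SAMPLE_RATE = 8000                            # assumption
SDMF, MDMF = 0x04, 0x80                       # message type bytes
P_DATETIME, P_NUMBER, P_NO_NUMBER, P_NAME, P_NO_NAME = 0x01, 0x02, 0x04, 0x07, 0x08
PARAM_NAMES = {P_DATETIME: "time", P_NUMBER: "number", P_NO_NUMBER: "number_absent",
               P_NAME: "name", P_NO_NAME: "name_absent"}


def checksum(body):
    """Two's complement of the byte sum, so the complete message sums to 0 mod 256."""
    return (-sum(body)) & 0xFF


def build_sdmf(number, timestamp):
    """SDMF: type 0x04, length, 'MMDDHHMM' + digits, checksum. No room for a name."""
    data = (timestamp + number).encode("ascii")
    body = bytes([SDMF, len(data)]) + data
    return body + bytes([checksum(body)])


def build_mdmf(number, name, timestamp, privacy=False):
    """MDMF: type 0x80, length, (tag, len, value) parameters, checksum.
    privacy=True is what *67 produces: 'P' in the absence fields, no number/name."""
    params = bytes([P_DATETIME, 8]) + timestamp.encode("ascii")
    if privacy:
        params += bytes([P_NO_NUMBER, 1]) + b"P" + bytes([P_NO_NAME, 1]) + b"P"
    else:
        num, nam = number.encode("ascii"), name.encode("ascii")
        params += bytes([P_NUMBER, len(num)]) + num + bytes([P_NAME, len(nam)]) + nam
    body = bytes([MDMF, len(params)]) + params
    return body + bytes([checksum(body)])


def parse_message(msg):
    """What the box does with the bytes: check length and checksum, then pull the
    fields. Returns None for a malformed frame, which a real CPE just ignores."""
    if len(msg) < 3 or len(msg) != msg[1] + 3 or sum(msg) & 0xFF:
        return None
    kind, payload = msg[0], msg[2:-1]
    if kind == SDMF:
        return {"format": "SDMF", "time": payload[:8].decode("ascii"),
                "number": payload[8:].decode("ascii")}
    if kind != MDMF:
        return None
    out, i = {"format": "MDMF"}, 0
    while i + 2 <= len(payload):
        tag, ln = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + ln]
        if len(value) != ln:
            return None
        out[PARAM_NAMES.get(tag, "param_%02x" % tag)] = value.decode("ascii", "replace")
        i += 2 + ln
    return out


def to_bits(msg):
    """Async serial framing per byte: start bit 0, eight data bits LSB first, stop bit 1."""
    bits = []
    for b in msg:
        bits += [0] + [(b >> k) & 1 for k in range(8)] + [1]
    return bits


def fsk_modulate(msg, lead_ms=100, rate=SAMPLE_RATE):
    """Bell 202 samples for a Type II (off-hook) burst: a run of mark, then the
    framed bytes. The Type I on-hook burst sent between rings differs only by a
    250 ms alternating 0/1 'channel seizure' preamble ahead of the mark."""
    bits = [1] * int(BAUD * lead_ms / 1000) + to_bits(msg)
    spb = rate / BAUD                          # samples per bit, 6.67 at 8 kHz
    samples, phase = [], 0.0
    for i in range(int(len(bits) * spb)):
        f = MARK_HZ if bits[int(i / spb)] else SPACE_HZ
        phase += 2 * math.pi * f / rate        # continuous phase across bit edges
        samples.append(0.5 * math.sin(phase))
    return samples


if __name__ == "__main__":
    # Constructed example values (not a real subscriber).
    frame = build_mdmf("2125550199", "ACME WIDGETS", "03151430")
    print(frame.hex(), parse_message(frame))
    print(parse_message(build_mdmf("", "", "03151430", privacy=True)))
    print(len(fsk_modulate(frame)), "samples of FSK")
```

Two things fall out of this that the text only hints at. The Timestamp button exists because the date and time are simply a field in the message, so the CPE trusts whatever arrives. And the checksum is the only integrity check there is: it catches a mangled recording (which is why a tape played down a noisy line often shows nothing), but it authenticates nothing, since anyone who can put audio on the line can compute it.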

================== | Beige Boxing | ==================

I don't even know why I'm making this topic its own section, but here it is. I'm not going to try to make this sound like a science, because it isn't. It's just beige boxing. However, you will need one on hand for those anonymous calls you need to make. There are many ways you can beige box. The most basic beige box is just a handheld phone with the end of the wire clipped and alligator clips attached. We have a pretty extensive tutorial on the site on how to put together a beige box that would be good for you to read. You can find it at the link below...

www.informationleak.net/beige.txt

So if you read through that then you should have a good idea of how to beige box. The best part about that text, and what gives it an advantage over other beige boxing texts, is that it goes into more detail on how to PROPERLY use it. As an added tip on my end, so that this isn't just a link, I'd definitely suggest using a phone cord extension for your modifications. It's very cheap, will let you get farther back from the TNI (telephone network interface, the telco's box on the outside of the building), and won't destroy a perfectly decent phone for your beige box construction. Also, if you are using this neat little tool to do something like break into PBXs, then it's best to use it in conjunction with ANI spoofing to make the trail that much harder to track down. Also, what I think they didn't put enough emphasis on is to use phone cards if you're doing this just to make calls. That way you can keep access to the same TNI without the owner getting hit with, and reporting, a huge toll charge. If you are too cheap to even buy a phone card, then you can walk into Walmart, or anywhere that sells phone cards, and discreetly (as in make DAMN sure you aren't noticed) scratch off the bar on the back. Make sure the bar is completely removed so it looks like the card just came that way. Then copy down the phone card number, and the phone number to call to use the card. Then just put the phone card back on the shelf, and call the number you got every couple of days or so until the card is activated (someone buys it). Then there you go, you've got minutes to use. This is pretty lame though, since there are less risky ways to make free calls, and you're just stealing small change right out of someone's pockets. I just figured I'd throw it out there. Anyway, that's it for this section; on to red boxing...

================ | Red Boxing | ================

Well, since I just got done reviewing beige boxing for you I figured I'd go ahead and jump to red boxing. Red boxing is, for the very few of you in the world who for some reason don't know, a device that allows you to make free calls on a payphone. There has been a lot of buzz going around over the last couple of years that red boxing is dead. Well no, it's not dead yet, but it's pretty damn close. The tones generated with a red box imitate ACTS (Automated Coin Toll Service) coin signals: a payphone reports each coin to the CO with bursts of a 1700 Hz + 2200 Hz dual tone, and older systems verify coins by nothing more than that in-band tone. With the advent of digital signaling being implemented on many networks, the use of this is starting to become dead. For example, you can't use any equal access code belonging to AT&T to red box your calls. As so many articles whining about how dead red boxing is have explained, AT&T doesn't accept red box tones anymore. So how do you red box? Well, first I'll tell you how to make one. There are many ways to make a red box. The method I will be talking about is probably the cheapest. Just download red box tones off any site out there (the tone generator I mentioned earlier in the Hacking PBXs section has this feature included). Hell, you can grab other tones as well if you please, and make what I'm about to get into a multi-purpose tool. Now for this you will need a CD burner. If you don't have one, I'm sure you have a friend who does. Take the tones and burn them onto an Audio CD using software like Nero. Then test them out on your CD player. This is to make sure that it burned correctly (I've noticed that sometimes Nero screws up when burning small sound files like tones). For this idea you should have a portable CD player. Now just take the cotton bit off your headphones, and you have a red box. To make it more efficient, you can get one of those rubber cups, cut it a bit so that it fits over your headphones, and melt it back on. That way you can use the rubber cup to block outside noise. The key when using tones is clarity. Phone networks are very precise when it comes to the tones used, and if the tone is the least bit off then it'll give you away. Keep in mind you could also just use an mp3 player. Anyway, now that you have your red box, how do you use it? Go up to a payphone and hit 411. Give them some information in order to "find" the phone number for you, and when they ask if you want them to put you through to this number, say yes. Then push through your tones. Be sure before you do that you didn't do something stupid like leave Bass Boost on your CD player. Remember, CLARITY IS THE KEY.

I remember hearing one time about this phreaker a couple of counties over that got busted for red boxing. The operator apparently knew that he was trying to red box, but forwarded him through anyway and then called them to go out there and arrest him. So yeah, be careful. Try to keep your call as short as possible, and just in case don't mention anything about red boxing the call once you're connected. Sometimes operators have been known to stay on the line for a few seconds after the call has been connected if they suspect that the call was red boxed. Maybe this isn't true, but it's better to be safe than sorry. Anyway, I'm not sure exactly how long this technique will be valid. Red boxing is little by little becoming more of a piece of history than a currently valid technique, but until then you can still have fun. Keep in mind that red boxing currently only works for local calls, so that might not make it very useful for many, but at least it saves you some pocket change when you need to make a call. Also, if you need any more ideas, my homie G dogg P(?)NYB(?)Y wrote a pretty decent tutorial on red boxing modern payphones, which you can read here...

http://www.informationleak.net/redboxing.txt

Have fun...

=================== | Phone Tapping | ===================

Well, there are many ways to listen in on phone conversations, and I figured that instead of splitting them all off into different sections I'd just throw them all into one. So without further crap, here is how you spy on phone conversations...

Method 1: Simple Line Tap
-------------------------


First I will discuss the most basic method of line tapping, which is simply bugging the line. To do this you can go to your local Radio sHACK and pick up a phone recorder. Every single one I've been to sells them, since there are a lot of jealous spouses and paranoid parents who want to know what their spouses/kids are up to. The price for these varies depending on what they include, and the cheapest ones come in at around 10 bucks. If you get the cheap kind you still need a tape recorder to plug into it, but in the end it's still cheaper than most of their other recording products. If you have access to the inside of the house, as in if you are a perfect example of the kind of person I just listed, then no modification is necessary. Just hook it up exactly as they say, and you're set to go. If it's someone else's house that you want to tap, then you can do the same as mentioned, but hook it up at the TNI box. To do this just get a phone jack extender, cut off most of the wire, and strip the last bit. Then attach alligator clips to the leads. Then strip the wiring on the other side and do the same. Then hook this up to the line inside the TNI box, hook up your tape recorder, and you're set to go. I know that explanation wasn't exactly detailed, but you should see what I mean when you have all your parts. It's basically the same concept as hooking up a beige box.

Method 2: Frequency Scanning
----------------------------

If you can afford it, then frequency scanning can be a better way to accomplish this task. It works for analog cordless phones, both 900 MHz and even the ones that go into the GHz range, depending on the type of scanner you bought. The cheapest ones will only reach up to around 500 MHz, but the better ones reach higher. One caveat: a scanner only gives you audio from phones that transmit plain analog FM. The digital spread-spectrum cordless phones sold now (2.4 and 5.8 GHz DSS/FHSS sets) and Bluetooth headsets hop across channels and carry digitized, usually encrypted audio, so what you hear on a scanner from those is noise, not voice. You can buy scanners from, again, Radio sHACK, or basically any distributor (I'd suggest online shopping, like on eBay; you might get a cheaper price on a good scanner that way). The use of frequency scanners actually branches out into a whole new field of fun on its own, since there is a lot of fun to be had with these (like the Phone Losers prank against Wendy's). This can also pick up a cell phone conversation if the user is on an old analog wireless headset, but not a Bluetooth one, and the cellular link itself is digital, so the headset leg is the only part of a cell call a scanner will give you. You just have to play around with your scanner.

Method 3: VoIP Sniffing
-----------------------

Well, VoIP has been the latest craze, and everyone is jumping on the bandwagon. It's pretty interesting really, and has the potential to completely revolutionize the telecommunications industry. However, the way it is commonly deployed, VoIP has a huge flaw that makes using it quite insecure. Why? Simple. Nothing is encrypted. The signaling (SIP, or Cisco's Skinny) and the audio (RTP, usually carrying G.711) go over the network in the clear from point A to point B, so anyone who can see the packets can hear the call. (SRTP for the audio and TLS for the signaling exist to fix exactly this, but a deployment has to be configured to use them, and many aren't.) You can take advantage of this with simply a laptop and a wireless network card. You need two tools for this: tcpdump and VOMIT (Voice Over Misconfigured Internet Telephones). Be clear about what this is and isn't: tcpdump doesn't "attach" you to anything, it just captures packets that already reach your card. You are a passive sniffer, not a man-in-the-middle, so you have to be somewhere the RTP stream actually passes: on the same open or shared-key wireless network as the phones, on a hub, or on a mirrored switch port. Here is a diagram for the hell of it, and to further illustrate this layout...

                       (VoIP Traffic)
(Point A) ---------------------------------------> (Point B)
          <---------------------------------------
                              |
                              |
                              |
                            (you)

Point A would be the wireless network you are capturing the traffic of using tcpdump, and Point B would be the remote WAP that Point A is interfacing with. You then feed the tcpdump capture to VOMIT, which reassembles the RTP stream (it understands the G.711 µ-law audio Cisco phones send) and writes it out as a WAV file. This will allow you to listen in on the conversation between these two points with absolute ease. So yeah, for all you VoIP users out there, I hope you aren't discussing anything too secretive over your subscribed network.
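The reassembly step VOMIT performs is simple enough to show end to end. The following is an added example, not VOMIT's code or anything from this guide: it takes raw RTP packets of the kind a tcpdump/pcap capture yields, puts them back in sequence order (handling the 16-bit sequence wrap, duplicates and gaps), decodes the G.711 µ-law payload to 16-bit PCM and writes a WAV file. The packets in sample_capture() are constructed here, with a made-up SSRC, to stand in for a sniffed call.

```python
"""Turn a captured G.711 µ-law RTP stream back into audio, which is what VOMIT does.

Added example for this guide; not VOMIT's code or anything from the original text.
Input is the raw RTP packets you'd pull out of a tcpdump/pcap capture. They are
ordered by sequence number (wrap-aware), duplicates dropped, the PCMU payload
decoded to 16-bit linear and written out as a WAV. The packets in sample_capture()
are constructed here, with a made-up SSRC, to stand in for a sniffed call.
"""
import math
import struct
import wave

PT_PCMU = 0                          # static RTP payload type 0: G.711 µ-law, 8 kHz
RTP_HDR = struct.Struct("!BBHII")    # V/P/X/CC, M/PT, sequence, timestamp, SSRC


def ulaw_decode(u):
    """One G.711 µ-law byte -> 16-bit linear sample (range +/-32124)."""
    u = ~u & 0xFF
    sign, exponent, mantissa = u & 0x80, (u >> 4) & 0x07, u & 0x0F
    sample = (((mantissa << 3) + 0x84) << exponent) - 0x84
    return -sample if sign else sample


def ulaw_encode(pcm):
    """16-bit linear -> µ-law byte (only needed here to build the sample capture)."""
    sign = 0x80 if pcm < 0 else 0
    pcm = min(abs(pcm), 32635) + 0x84
    exponent, mask = 7, 0x4000
    while exponent > 0 and not pcm & mask:
        exponent, mask = exponent - 1, mask >> 1
    mantissa = (pcm >> (exponent + 3)) & 0x0F
    return ~(sign | (exponent << 4) | mantissa) & 0xFF


def parse_rtp(packet):
    """(seq, timestamp, ssrc, payload) for an RTP v2 PCMU packet, else None.
    Skips CSRC entries, a header extension and padding if present."""
    if len(packet) < RTP_HDR.size:
        return None
    b0, b1, seq, ts, ssrc = RTP_HDR.unpack_from(packet)
    if b0 >> 6 != 2 or b1 & 0x7F != PT_PCMU:
        return None
    off = RTP_HDR.size + 4 * (b0 & 0x0F)
    if b0 & 0x10:
        if len(packet) < off + 4:
            return None
        off += 4 + 4 * struct.unpack_from("!H", packet, off + 2)[0]
    payload = packet[off:]
    if b0 & 0x20 and payload:                 # padding: last byte holds its length
        payload = payload[:len(payload) - payload[-1]]
    return seq, ts, ssrc, payload


def reassemble(packets, ssrc):
    """Concatenate one SSRC's payloads in sequence order. Returns (ulaw_bytes, lost),
    where lost counts sequence numbers never seen between the first and last."""
    seen = {}
    for pkt in packets:
        parsed = parse_rtp(pkt)
        if parsed and parsed[2] == ssrc:
            seen.setdefault(parsed[0], parsed[3])   # first copy wins, dupes dropped
    seqs = sorted(seen)
    for i in range(len(seqs) - 1):
        if seqs[i + 1] - seqs[i] > 32768:           # stream crossed 65535 -> 0
            seqs = seqs[i + 1:] + seqs[:i + 1]
            break
    lost = sum((b - a) % 65536 - 1 for a, b in zip(seqs, seqs[1:]))
    return b"".join(seen[s] for s in seqs), lost


def ulaw_to_pcm(data):
    """µ-law bytes -> little-endian 16-bit PCM bytes."""
    return b"".join(struct.pack("<h", ulaw_decode(b)) for b in data)


def write_wav(path, ulaw_bytes):
    """Write the decoded stream as mono 8 kHz 16-bit WAV; returns the frame count."""
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(8000)
        w.writeframes(ulaw_to_pcm(ulaw_bytes))
    return len(ulaw_bytes)


def make_packet(seq, ts, ssrc, payload):
    """Minimal RTP v2 PCMU packet; used only to construct the sample input."""
    return RTP_HDR.pack(0x80, PT_PCMU, seq, ts, ssrc) + payload


def sample_capture(ssrc=0x0BADF00D):
    """Constructed stand-in for a sniffed call: six 20 ms packets of a 440 Hz tone,
    sequence numbers crossing the wrap, delivered out of order with one duplicate."""
    pkts = []
    for n in range(6):
        pcm = [int(8000 * math.sin(2 * math.pi * 440 * (160 * n + i) / 8000)) for i in range(160)]
        pkts.append(make_packet((65533 + n) & 0xFFFF, 160 * n, ssrc, bytes(ulaw_encode(s) for s in pcm)))
    return [pkts[3], pkts[0], pkts[5], pkts[1], pkts[1], pkts[4], pkts[2]]


if __name__ == "__main__":
    audio, lost = reassemble(sample_capture(), 0x0BADF00D)
    print(write_wav("call.wav", audio), "samples written,", lost, "packets lost")
```

Feed it the UDP payloads of the RTP packets from your capture (what a pcap reader hands you once the Ethernet, IP and UDP headers are stripped). The SSRC picks out one direction of the call, so run it once per side; the SIP or Skinny signaling in the same capture tells you the ports and which SSRC belongs to whom, but the audio alone is enough to get a listenable file. The lost counter is the honest view of your capture position: on a congested wireless link you will hear the gaps, and no amount of reassembly puts back packets your card never saw.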

====================
|  Other Articles  |
====================

Well, I could have gone further into the topic of payphones and answering machines, but oh wait, that's right, I already wrote on all that in the past. So instead here are some useful links to other articles that you will want to read...

www.informationleak.net/pp_me.txt - "Payphone Phreaking: Millennium Edition" - this is a short tutorial I wrote on the inherent flaws in modern payphones (like the Millennium payphones, and the newer AmeriTechs).

www.informationleak.net/amhack.txt - "The Hackers' Guide to Answering Machines" - this is another tutorial I wrote on how to hack into answering machines. Good for pranks, or just to feel important.

==========================
|  Articles & Resources  |
==========================

Well, originally when I was doing the layout for what would be this guide I had planned to split it into two separate sections, landline & cellular, each with equal amounts of information for you to absorb. However, there are a couple of reasons why I didn't. For one, I'm eager to see this guide get released. Also, there isn't much information I can provide that there aren't web sites dedicated to. So instead of writing out the same codes and crap that entire web sites have been built off of, I'll just give you those articles and resources to read for yourself.

www.informationleak.net/gsm_guide.txt - "The Hackers' Guide to GSM Phones" - this is a guide I wrote sometime last year or so on exploiting GSM phones. This had a pretty good, if not extremely long, explanation of the GSM protocol, and inherent weaknesses and pranks like bluebugging, bluejacking, etc. etc. Many of these weaknesses are being resolved with the implementation of 3G and other such protocols, but it should still be usable to many.

www.informationleak.net/cellvmb.txt - "Hacking Cell Phone VMBs" - this is a simple tutorial I wrote on how to break into voice mail boxes for cell phones.

http://mobile.box.sk - this is probably the number one resource for codes, tools, unlockers, and all those other nice things for cell phones. Have a look around, you won't be disappointed.

http://9x.tc/9x/rawtext/9X_GSM00.TXT - "Undocumented Codes For GSM Phones" - this is an article put together by m0nty, and if you can't find the codes you're looking for at mobile, you'll probably find them in this guide. Definitely something to check out.

=====================
|  Suggested Links  |
=====================

It's impossible to simply read one guide and call yourself proficient. The purpose of this guide is to introduce you to phreaking. From here it will be your responsibility, and hopefully your pleasure, to expand on your current knowledge and read more into phreaking. However, nowadays it can seem hard to find up-to-date information on phreaking. I remember, when I was starting out, having a lot of trouble finding anything useful and up-to-date in the mass of outdated information that was being shoved around. Now don't get me wrong, it's important to keep archives so that we can remember the past, but that's what we have textfiles.com for. There is no reason why so many sites need to carry such outdated information. Of course, this is usually done because the web masters who put this information up know nothing about phreaking, and therefore assume that it's valid. So to help you with this step I'm going to list suggested links for you to read into in order to further expand your knowledge in the field of phreaking...

www.informationleak.com - now you know I had to throw that one in. We try our damnedest to make sure that the only information we provide is usable information, so it's always a good bet to keep in touch with what we're up to.

www.oldskoolphreak.com - this is probably one of the best sites out there to learn about phreaking from. Definitely a good visit.

http://9x.tc - what can I say? They write good stuff. Definitely check them out.

www.hackcanada.com - the main purpose of this site is to aid the H/P scene in Canada, but a lot of the documentation they have has information that can be useful outside Canada as well.

www.phonelosers.com - kind of a weird mix of useful information and random ranting, but overall definitely a good visit.

www.phreak.org - most of the information here is out-of-date, and some of the information was never up-to-date to begin with. Kind of an unreliable source, but there is a little useful information hidden in the mass of outdated crap. If you've been doing well on your reading, then you should be able to tell the difference between the two.

www.verizonfears.com - this is the site that Lucky225 runs. There isn't exactly a huge mass of information here, but the information that is on there is for the most part up-to-date (except for a few details) and useful.

http://artofhacking.com/boxrvw1.htm - if you plan on building a box, this is the article to check. This is an updated review by The Fixer that rates different phreak boxes for the skill required, risks associated, plausibility, and obsolescence.

====================
|  The Conclusion  |
====================

Well, finally, after a little work and a LOT of slacking off, this guide is finally finished. Hopefully I've successfully introduced you to the field of phreaking, and I hope that you continue reading from here. Telephony really is a fascinating aspect of technology, and nothing makes you appreciate it more than phreaking. I always appreciate feedback, so if you want to get in touch with me then you can do so by emailing me at [email protected]. You can also chat with me live by going to Yahoo! Chat and going to either Hackers' Lounge:1, :2, or :3. I'm usually loitering around there in one of the rooms (usually in Hackers' Lounge:3) under the name Murder_Mouse. You can also go to irc.2600.net and hit me up at #infoleak. Anyways, as I always say, until next time...

This guide made possible by...

www.informationleak.com
"laughing at your faith in technology since 2004"
