Phreak 2k
by protonigger
Section 1: The Introduction
The lack of recent information on the internet in relation to
phreaking has been a real problem lately. This simple fact has led
many to believe that phreaking itself is dead. Of course this is
untrue. Therefore, in writing this tutorial, I am giving you, the
reader, the chance to try out phreaking as it is today. Enjoy...
Section 2: Understanding How It All Works
One of my favorite lines to use when explaining such topics is that
one cannot expect to break into something, or take advantage of
something, without first understanding how it operates. So, to start
off this tutorial, I think it will be nice to first review how the
telco operates. I welcome you, the reader, to the world of SS7
(Signaling System 7). SS7 is an architecture for performing
out-of-band signaling in support of functions established on the PSTN
(public switched telephone network). This includes call establishment,
billing, routing, and information exchange. It identifies the
functions to be performed by a signaling-system network and provides
a protocol to enable their performance.

When I speak of out-of-band signaling, I am referring to signaling
that takes place on a separate path from the one that the
conversation is using. In this case, SS7 establishes a separate
digital channel for the exchange of signaling information, which is
called a signaling link. Therefore, when a call is placed, all the
necessary signaling messages (dialed digits, selected trunk, etc.) are
sent between switches using their signaling links, rather than the
trunks (which carry the conversation). This concept of signaling is
extended to the caller with the use of an ISDN D channel (since SS7
deals with signaling between network elements). Therefore, the
information that makes up the call is carried over B channels, while
the signaling information is carried over a D channel. This makes the
whole process more robust by allowing signaling information to be
transmitted during the entire duration of the call, instead of just
at the beginning.

Now let's get into the structure of SS7. The simplest design for the
signaling network architecture is called associated signaling. This
works by allocating one of the paths between each interconnected pair
of switches as the signaling link. This architecture works quite
efficiently as long as a switch's only signaling requirements are
between itself and other switches to which it has trunks, and this is
the architecture that you can find implemented in Europe. However,
the USA wanted to design a signaling network that would enable any
node to exchange signaling with any other SS7-capable node. This of
course makes signaling much more complicated when the exchange of
signaling is done between nodes that have no direct connection. This
concept of signaling spawned the North American SS7 architecture.
Under this architecture, a completely new and separate signaling
network is defined.

There are three essential components that the network is built on,
and these components are connected by signaling links. The first
component we will discuss is signal switching points (SSPs). These
are telephone switches (end offices or tandems) that are equipped
with SS7-capable software and terminating signaling links. They
generally originate, terminate, or switch calls. The next component
is signal transfer points (STPs), which are the packet switches of
the SS7 network. They receive and route incoming signaling messages
towards the proper destination, and perform specialized routing
functions. And finally there are signal control points (SCPs), which
are databases that provide the information necessary for advanced
call-processing capabilities.

Now let's take a look at the link types that are used on SS7. A links
interconnect an STP with either an SSP or an SCP (the A stands for
access). This means that A links handle delivering signaling to and
from signaling end points. Now while an SSP is connected to its home
STP pair through a set of A links, the reliability of such a link can
be improved by deploying an additional set of links to a second STP
pair. These are called E links (the E means extended), which provide
backup connectivity in the event that the home STPs cannot be reached
via A links. C links are links interconnecting mated STPs (the C in
this instance stands for cross). These links are also used to provide
reliability in the instance that other links are unavailable.
However, the actual carrying of signaling messages beyond the initial
entry point to the signaling network, and on to their intended
destination, is handled by B/D links. The B (which stands for bridge)
describes the links interconnecting peer pairs of STPs, while the D
means diagonal and describes the quad of links interconnecting mated
pairs of STPs. Then there are F (fully associated) links, which
directly connect two signaling end points. However, due to the fact
that F links bypass the security features that are provided by an
STP, they are not generally deployed between networks.

So now that we understand the types of links implemented in the
switching system, we can discuss exactly what goes over a signaling
link. Well, basically, signaling information is transferred in
messages that are called SUs (signaling units). Now there are three
types of SUs that are defined according to the SS7 protocol: MSUs
(message signaling units), LSSUs (link status signal units), and
FISUs (fill-in signal units). These SUs are transmitted continuously
in both directions on any given link that is in service. Signaling
points that don't have MSUs or LSSUs to send will send FISUs over the
link (in other words, to make it easy for those of you who may be
scratching your heads now, whenever a signaling point is not sending
information during a call, it is sending FISUs, which simply fill up
the signaling link until it is needed to send other types of
signaling).

Now let's take all this SS7 networking that I have been discussing,
and discuss the layers that compose this protocol. The most obvious
layer of the SS7 protocol of course is the physical layer, which
defines the physical and electrical characteristics of the signaling
links. The second layer I will discuss is the MTP (message transfer
part), which is separated into two levels. MTP Level 2 provides the
link-layer functionality that ensures that messages can properly be
sent over signaling links, while MTP Level 3 extends MTP Level 2 to
provide network-layer functionality. Another layer used is SCCP
(signaling connection control part), which allows for addressing
applications within a signaling point. These applications are
referred to as subsystems, and include 800 call processing,
calling-card processing, CLASS (custom local area signaling services)
services like call return, etc. Another function featured with SCCP
is GTT (global title translation), which provides the ability to
perform incremental routing. This allows originating signaling points
to not have to know every potential routing destination that will
have to be used. The next layer of discussion is ISUP (ISDN user
part), which defines the messages and protocol used in the
establishment and tear-down of calls sent over the PSN (public
switched network). In the North American SS7 architecture, ISUP
messages rely exclusively on MTP to transport messages between nodes.
Next is TCAP (transaction capabilities application part), which
defines the messages and protocol used to communicate between
subsystems. Of course, this means that TCAP uses SCCP for transport.
And finally there is OMAP (operations, management, and administration
part), which defines the messages and protocol designed to assist
administrators of the SS7 network. OMAP uses both MTP and SCCP for
routing.

So now that we understand the layers that compose SS7, let's discuss
the addressing scheme used. Individual signaling points on an SS7
network are assigned to a cluster, or group of signaling points. Now
within this cluster, each signaling point is assigned a member number.
In the North American SS7 architecture, each node is addressed by a
three-level address number. This address number is assigned based on
its network, cluster, and member numbers. Each of these numbers is an
8-bit number and can range in value from 0 to 255 (sound familiar?).
The network number is assigned nationwide by a neutral party. RBOCs
(regional Bell operating companies), major independent telephone
companies, and IXCs (interexchange carriers) already have network
numbers assigned. The cluster that the nodes are assigned to is based
on the state in which the node resides. And of course, as with other
network addressing schemes, 0 is not available for assignment, and
255 is reserved for future use.

Well, this pretty much wraps up my explanation of SS7. If you have
reached the end of this section utterly confused, feel free to read
over it again until you can better understand it. It's important to
understand how the PSTN works. It's also nice to note that not every
area on the globe has SS7 implemented in the switching system, but
unless you live in a third world country, then most likely the
switching system used is SS7.
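As an added example (not part of the original tutorial), here is a small Python module that parses a North American point code in the network-cluster-member form described above, checks that each field is an 8-bit value, packs the three fields into the 24-bit value an MTP routing label carries, and flags any field holding the value the text calls unassignable (0) or reserved (255). The field names and the two special values are the tutorial's; packing the network number into the most significant byte is an assumption stated in the code, and applying the 0/255 rule to every field follows the text as written. The sample values are constructed, not real carrier point codes.

```python
"""Parse, validate and pack ANSI SS7 point codes (network-cluster-member).

Added example for the addressing scheme described above; not from the
original tutorial. Assumption: the three 8-bit fields are packed with the
network number in the most significant byte and the member in the least.
"""
from dataclasses import dataclass

FIELD_NAMES = ("network", "cluster", "member")
NOT_ASSIGNABLE = 0    # per the text: 0 is not available for assignment
RESERVED = 255        # per the text: 255 is reserved for future use


@dataclass(frozen=True)
class PointCode:
    network: int
    cluster: int
    member: int

    def __post_init__(self) -> None:
        # Every field is an 8-bit number, so it must lie in 0..255.
        for name in FIELD_NAMES:
            value = getattr(self, name)
            if not isinstance(value, int) or not 0 <= value <= 255:
                raise ValueError(f"{name} must be 0..255, got {value!r}")

    @classmethod
    def parse(cls, text: str) -> "PointCode":
        """Parse the dotted form used in the text, e.g. '1-2-3' or '1.2.3'."""
        parts = text.strip().replace(".", "-").split("-")
        if len(parts) != 3:
            raise ValueError(f"expected network-cluster-member, got {text!r}")
        try:
            numbers = [int(p) for p in parts]
        except ValueError:
            raise ValueError(f"non-numeric field in {text!r}") from None
        return cls(*numbers)

    def to_int(self) -> int:
        """24-bit value: network in the high byte, member in the low byte."""
        return (self.network << 16) | (self.cluster << 8) | self.member

    @classmethod
    def from_int(cls, value: int) -> "PointCode":
        """Inverse of to_int(); rejects anything wider than 24 bits."""
        if not 0 <= value < (1 << 24):
            raise ValueError("point code must fit in 24 bits")
        return cls((value >> 16) & 0xFF, (value >> 8) & 0xFF, value & 0xFF)

    def __str__(self) -> str:
        return f"{self.network}-{self.cluster}-{self.member}"

    def assignment_problems(self) -> list:
        """Fields holding the unassignable (0) or reserved (255) value."""
        problems = []
        for name in FIELD_NAMES:
            value = getattr(self, name)
            if value == NOT_ASSIGNABLE:
                problems.append(f"{name} is 0, which is not available for assignment")
            elif value == RESERVED:
                problems.append(f"{name} is 255, which is reserved for future use")
        return problems


def check_point_code(text: str) -> dict:
    """Validate one dotted point code and summarise it for a config review."""
    pc = PointCode.parse(text)
    problems = pc.assignment_problems()
    return {
        "point_code": str(pc),
        "packed": f"0x{pc.to_int():06x}",
        "assignable": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample values, not real carrier point codes.
    for sample in ("1-2-3", "254-0-17", "10-255-4"):
        print(check_point_code(sample))
```

The round trip through `to_int()` and `from_int()` is what you would use when comparing a point code printed in dotted form against the raw 24-bit field seen in a decoded MTP3 routing label; the `assignment_problems()` check is the kind of sanity test worth running over a signaling configuration before it goes live.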
Section 3: Understanding How To Make It Work For You
So now that we understand how the PSTN works, let's start discussing
the fun part. I clearly cannot cover all areas, aspects, and
techniques used in phreaking. I am merely going to describe a few
activities that you can try, as a beginner, to get your feet wet in
the activity known as phreaking.

One activity worthy of a brief mention is handscanning. This is
preferred over wardialing, due to the fact that it is a tad less
obvious, if properly done, and can pick up on a few treasures that
your average wardialer can't. To handscan you will need to start off
with a prefix (the prefix is those three numbers you see in the
middle of a phone number, for example, 555-xxx-5555, where the x's
indicate the prefix). Now to handscan properly, you will not want to
incrementally search for numbers (i.e. dialing -0001, -0002, -0003,
etc.). You will instead want to choose a more random scheme for
searching, in order to make such activities less obvious. If you have
the patience (which you will need), then there are a lot of treasures
to be found with handscanning. Such finds include backdoors and VMBs
(voice mail boxes), just to name a few. Now, since there have already
been articles written on what to do after finding such things, I will
not get into such concepts within this tutorial. I will instead link
you, the reader, to such articles at the end of this one, so that you
can further educate yourself after reading this tutorial (hint: when
choosing a prefix you aren't sure about, dial 1-800-xxx, the x's
meaning the prefix you choose, and wait. If you get some tones, then
choose another prefix).

Now let's discuss PBXs (Private Branch eXchange). A PBX is, simply
put, a private phone switch used to provide an internal phone system.
Remember in high school when you had to press 9 before dialing out?
That's because the school used a PBX, and you needed to put in the
extension before dialing out. Such internal phone systems consist of
a small phone switch, a group of outbound trunks (which are nothing
more than phone lines to the outside), a set of telephones, and a
bunch of users. So how are such internal phone systems useful to us?
Well, we can use dialouts on the PBX to seize an outbound trunk, and
make all the calls we want at the PBX owner's expense. The best part
of this trick is that it's a relatively simple task to accomplish.
You simply break into the DISA port. A DISA (Direct Inward System
Access) port is a maintenance feature on a PBX. You connect to the
DISA port, input the pass code, and there you go. You have just
seized an outbound trunk of that PBX. This is really not as hard as
it sounds. These codes are usually four digits, and are usually pass
codes like 0000, 1111, 1234, etc.
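As an added example (not part of the original tutorial), here is a Python audit that a PBX administrator could run over their own DISA configuration to catch exactly the codes described above: all-identical digits (0000, 1111), runs (1234), and codes shorter than the 6 digits the text says the PBX can accept. The 4-to-6 digit range is the tutorial's; the port table and its codes are constructed sample data, and the port names are placeholders.

```python
"""Audit DISA pass codes against the weak patterns named above.

Added example, not from the original tutorial. The 4-to-6 digit range
comes from the text; the DISA port table below is constructed sample data.
"""

MIN_LEN, MAX_LEN = 4, 6  # range of DISA code lengths given in the text


def _is_run(digits):
    """True for 1234 / 9876 style sequences (every step +1 or every step -1)."""
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def audit_disa_passcode(code: str) -> list:
    """Return a list of findings for one code; an empty list means it passes."""
    findings = []
    if not code.isdigit():
        return ["pass code is not purely numeric (DISA codes are dialed as digits)"]
    if not MIN_LEN <= len(code) <= MAX_LEN:
        return [f"length {len(code)} is outside the {MIN_LEN}-{MAX_LEN} digit range"]
    digits = [int(c) for c in code]
    if len(set(digits)) == 1:
        findings.append("all digits identical (0000, 1111, ...)")
    elif _is_run(digits):
        findings.append("digits form a run (1234, 4321, ...)")
    if len(code) < MAX_LEN:
        # Short codes are the common default; prefer the longest the PBX takes.
        findings.append(f"only {len(code)} digits; use the full {MAX_LEN} the PBX allows")
    return findings


def audit_pbx(disa_ports: dict) -> dict:
    """Map each DISA port to its findings, keeping only the ports that fail."""
    report = {}
    for port, code in disa_ports.items():
        findings = audit_disa_passcode(code)
        if findings:
            report[port] = findings
    return report


# Constructed sample configuration: placeholder port name -> DISA pass code.
SAMPLE_DISA_PORTS = {
    "disa-main": "0000",
    "disa-night": "1234",
    "disa-branch": "4826",
    "disa-admin": "739415",
}

if __name__ == "__main__":
    for port, findings in audit_pbx(SAMPLE_DISA_PORTS).items():
        print(port, "->", "; ".join(findings))
```

Run against the sample table, only `disa-admin` comes back clean; the other three ports are flagged for exactly the reasons the text gives, which is the point of making the check mechanical rather than relying on someone remembering to pick a good code.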
The range for such codes is 4 to 6 digits, but as I said, it's
usually just a 4-digit code. There is a tool that apparently is
supposed to help someone like yourself with accomplishing such a
task. I haven't tried it out myself, but I will add a link to the
file nonetheless at the end of this tutorial. There is also another
option you can use if breaking DISA ports seems like too much work
for you. Just simply call up the number of the PBX you want to
snatch, and then ask to use extension 90. If they ask why, say you
are working for AT&T and need to test the lines. This usually works,
and will allow you to dial out from the PBX (since 9 is the
extension for dialing an outside number, and 0 is for the operator).

Now while we are on the subject of making free long distance calls,
let's get into the new wave trend of such activities, ANI (Automatic
Number Identification) spoofing. ANI is a service in which the
directory/equipment number of a calling station is obtained. ANI is
also often used interchangeably with ANAC by those who don't know
any better (consult Google for further information on how ANI
operates). An ANAC (Automatic Number Announcement Circuit) is a
number you can call to tell you what number you are calling from. A
lineman and a phreak both use them for this purpose. There is also
ANI II, which is an additional feature of ANI that adds a pair of
digits to the ANI readout telling what type of service the number
is. So how do we spoof ANI? Well, one rather easy way of
accomplishing this is by op diverting (having the operator dial a
number for you; this works because most operator centers are not
equipped to forward ANI). This is pretty much a social engineering
feat. As of the release of this information, this tactic no longer
works on AT&T via 800-call-att, but there are a lot of other ways of
accomplishing this that still work. An example of op diverting that
I believe still works is the 710 trick made popular by Lucky225 (as
with the whole technique of ANI/caller ID spoofing, period). You
perform this trick by op diverting to 800-673-7286 and telling the
operator that you want to make a call from any number in the 710
area code and want to bill the call collect. The party you are
calling will not be billed because the 710 area code does not exist
within the AT&T database. There are also certain call forwarding
services that you can use to op divert. A link to a site that offers
call forwarding services will be provided at the end of this
tutorial.

Now since we have discussed ANI spoofing, we might as well get into
caller ID spoofing. Well, if you have call waiting ID, then you
should notice that you hear two tones. The first tone you hear is a
SAS (Subscriber Alert Signal, also known as a "call waiting beep"),
and the second tone you hear is a CAS (Customer Premise Equipment
[CPE] Alert Signal). The first SAS signal is just a normal call
waiting beep, while the second CAS signal is a tone that alerts the
CPE (your call waiting box) that there is a call waiting call. The
CPE then mutes the handset and sends an acknowledgement DTMF tone to
the central office that tells the CO that it's OK to send the caller
ID information. The CO then sends the information in FSK format. The
name and number are then promptly displayed on the CPE, and the
handset is unmuted. So now that we understand how such a device
works, we will proceed to discuss how such a signal can be spoofed.
Well, to do this manually, which we will discuss purely for
educational sakes (you'll understand why in a minute), we will need
a recording of an FSK transmission. You will do this by first
ordering caller ID on your phone, and calling the phone when it is
in use but without any caller ID devices attached to it. You will
hear the CAS, hear the acknowledgement DTMF ("A" or "D") tone sent
back to the CO, and hear the CO send back the response FSK
transmission. Upon hearing these tones, you will record all this on
a microrecorder. Once you have the FSK recorded, call the number you
want to call with the generated CID, and push in the CAS signal. You
will hear his/her CPE respond with a DTMF signal, and you will then
push in the FSK transmission. The CPE will then display the signal
that you sent through. You can create an orange box (CAS tone
generator) to generate this tone by modifying a tone dialer. You
will simply take out the 3.58 MHz crystal and replace it with an
8.192 MHz crystal. You then press the * button, which will generate
the CAS tone. You can also generate the DTMF tone with a silver box
(information about which I will link you to at the end of this
tutorial). Now, why I said that this is for the sake of education is
because there is already software available that will allow you to
generate these tones on your computer. A link to an orange boxing
application will, as with many things, be provided at the end of
this tutorial.

I was going to carry this section further by explaining payphones,
and what you can do with them nowadays, but I feel that it's best to
just wrap this up and link you to information that you can use to
further your knowledge of such concepts in my links section. So this
wraps up my section on Understanding How to Make it Work For You. I
have hopefully given you some techniques and concepts that you can
use to start off into phreaking. It will be up to you to continue
learning and exploring to further your knowledge of such related
concepts, and I wish you the best of luck on that.
Section 4: VoIP
I decided to include a section for VoIP (Voice over Internet
Protocol), considering VoIP is coming to be viewed as a promising new
technology, is beginning to be implemented on phone networks, and has
shown itself to be quite flawed. I will in this section explain VoIP,
so that you will have a better understanding of it in the instance
that you attempt to exploit it. There are two protocols that are
being utilized by VoIP: H.323 and SIP (Session Initiation Protocol).
H.323 is a complex suite of protocols that provides specifications
for real-time, interactive videoconferencing, data sharing, and audio
applications such as IP telephony. Go to
http://protocols.com/pbook/h323.htm to get more detailed information
on the suite of protocols within H.323. SIP, on the other hand, is a
more streamlined protocol developed specifically for IP telephony.
SIP is smaller, more efficient, and takes advantage of existing
protocols to handle certain parts of the process. MGCP (Media Gateway
Control Protocol), for example, is used by SIP to establish a gateway
connecting to the PSTN. Once again I will leave it up to the smart
individuals over at protocols.com to explain the specifics of SIP to
you. Go to http://www.protocols.com/pbook/VoIPFamily.htm#SIP for
further information on the SIP protocol. So now, if you have read
both the protocol links for information on protocols used within
VoIP, then you have a pretty good understanding about how VoIP
operates.

So now that we understand how VoIP operates, let's discuss weaknesses
within VoIP that we can use to our advantage. Well, thanks to the
wondrous world of wireless technology, we can use a tool like tcpdump
to simply attach to a wireless network and sniff out VoIP traffic. We
would then use a tool like VOMIT (Voice Over Misconfigured Internet
Telephony) to reassemble this traffic into a wave format, thus
listening in on a conversation that is taking place over the network.
We can also perform a DNS hijack to redirect this traffic to a
specified server, and perform the same action as above. As you can
see from this, when VoIP becomes the norm, you will be able to
utilize wardriving to listen in on VoIP client users. This makes
invading others' privacy very fun. Of course, we are not quite at
the point yet where VoIP is widely used, but we can look towards
tomorrow for such activities.
Section 5: Conclusion
I hope you all enjoy reading this as much as I enjoyed writing it.
Hopefully this tutorial will get some of you out there interested in
phreaking, and will help educate those who are already interested, but
don't know how to start. So good luck, and happy phreaking.
Section 6: Links
www.totse.com/en/phreak/vmb_pagers_e_mail/hackvmb.html - a rather old
tutorial on breaking VMBs, but it's pretty much the same concept.
www.artofhacking.com/orange.html - a program you can use to generate
CAS tones
www.totse.com/en/phreak/boxes_old_and_new/silver02.html - Silver Box
plans
www.phreak.org - a decent phreak site
www.phonelosers.org - another good phreak site
www.verizonfears.com - Lucky225's site
http://thc.pimmel.com/files/thc/thc-ph11.zip - the PBX tool previously
mentioned
http://artofhacking.com/boxrvw1.htm - offers ratings on skill, risks,
plausibility, and obsolescence. Good for those of you who want to know
which boxes can and can't be used...
http://cal.phonelosers.org/cgi-bin/index.cgi?action=viewnews&id=46 -
a nice article that gets into how your modern payphone operates, and
weaknesses within such a payphone.
www.packetsurge.com - just because we 0wn! =)
www.cyberphaze.net - couldn't forget about these guys.
(the last two links are purely promotional, but make sure to visit
them, they're very good sites with lots of information that you may
find useful)
Note: I'd like to give recognition to Hallakaust for giving me the
information on the *90 trick, and for notifying me of the tool listed
above, as well as to Stephen K. Gielda.
Note again: For those of you who have any questions or comments and
feel the need to reach me you can do so at [email protected]
(p.s: Love ya Julie!)