_____ _ _
| __ \| | | |
| |__) | |__ ___ _ __ ___ ___ __ _ _ __ __| |
| ___/| '_ \ / _ \| '_ \ / _ \/ __| / _` | '_ \ / _` |
| | | | | | (_) | | | | __/\__ \ | (_| | | | | (_| |
|_| |_| |_|\___/|_| |_|\___||___/ \__,_|_| |_|\__,_|
_______
|__ __|
| | ___ _ __ ___ ___
| |/ _ \| '_ \ / _ \/ __|
| | (_) | | | | __/\__ \
|_|\___/|_| |_|\___||___/
=====================
| Table of Contents |
=====================
I. Introduction
Acknowledgements
Legal Notice
Preface
Page 1
pnt
IV. Conclusion
Suggested Links
The Conclusion
====================
| Acknowledgements |
====================
Well first off I'd like to thank Julie for her love, understanding,
support, and for occasionally knocking some sense back into me. I'd
also like to thank Halla, BlueInferno, P(?)NYB(?)Y, StEvE, wobin,
fallen, MalevolenT, Pr0motion, and everybody else at informationleak.com for
being the best friends that a shut-in like me could have. Also to my hometown
friends David, Issac, and Kendall for occasionally dragging me out of my house.
Oh, and to sirfreshstunner, s_p_e_c_i_e_s_x, b_r_o_k_e_n_s_t_r_i_n_g_s,
eddybear172, onepebbleinthepond1, blueicefox_21, mr_nemster, hack_this_box,
hi_ioader2002, x1design, corndog_5000, skiddieleet, phreak0matic, bank_tech,
silenced_bearar, el_loco_moco2, cold_hearted_bitch, blinky_monkey88, dfg,
Zonkies, slayer6966669, and everyone else in Hackers' Lounge:3 (you know who you
are) for the endless hours of shits and giggles. Also to hurt4ever1, steven25t,
mt_dew_feen, cloud_on_line, and everyone I know from Hackers' Lounge:1. As well
as Mel, i11, synfire, megatron, and everyone else I know from Hackers' Lounge:2.
================
| Legal Notice |
================
Disclaimer
-----------
First and foremost the information provided within this guide is for
information purposes only. Any attempt to participate in any of the
activities within this guide is solely in the responsibility of the
reader, and neither I, Information Leak, any site that hosts this
material, anyone who prints this material, or anyone closely associated
with this guide is responsible for what you do with the following
information.
User Agreement
----------------
This guide may be freely distributed and printed as long as the content
of the guide is not altered in any way. This material may not however
be sold in any way, shape, or manner. The information provided within
this guide is free, and shall stay that way.
=============
| Preface |
=============
If you have read my previous tutorials then you may remember that I wrote
something similar to this a while back called Phreak 2k. I suppose it was
a pretty nice tutorial for its time. I got a lot of positive responses
after writing it, and even got a few comments from people stating that
it was what got them into phreaking. It was great to hear these kind of
responses, since it actually was what got me into phreaking. Before
writing it I was mostly into computers, and knew little of telecommunications.
I had always believed like many did and still do that phreaking is dead.
Then one day while hanging out in a room someone came in and said that
they were into phreaking. I being rather ignorant at the time laughed at
the guy, and told him that phreaking was dead. Boy was I wrong! After
some choice words that he had for me, he showed me a site that he ran
with some other people. I forgot what this site was called, but at the
time it was simply amazing for me. Pretty soon I was reading into every
site I could trying to find up-to-date information on phreaking. It was
very hard to find at the time through google, since most sites that had
anything on it had for the most part outdated texts from back in the 80s.
I eventually did find some sites with up-to-date information, but the pure
frustration of it made me decide to write a tutorial for people like me.
Beginners with seemingly nowhere to go. As well as to teach those who
didn't know the lesson that I had to learn that faithful day. That phreaking
is not dead. Not even close. Phreaking is as alive as ever, and its
principles for the most part have remained the same (unlike "hacking").
Anyways, so getting back on topic, the tutorial was great, but I've always
felt that there were many points that I wished I had covered. Things I left
out, things I missed, and many things I just didn't even really know at the
time. So that's what brings me to writing this guide. During this guide I
will butcher some of my texts from other tutorials. I think I have all right
to do so since they are my works. At the same time though I will expand on
points that I have made in previous tutorials in order to offer you a
better glimpse into these concepts. As well as to of course offer you a
lot of information that I have never covered before. So I hope you enjoy
this guide, and that it offers you insight into the field of telecommunications.
============================
| Basic Telecommunications |
============================
What? Did you expect me to start you off immediately with phreaking? Perhaps
other tutorials do this in order to achieve better reader satisfaction, but
that's not the way I do things. If you skip over this part then you will
probably (unless you already have prior knowledge of telecommunications) have
a hard time understanding a lot of what I talk about in this guide. So don't
be lazy, just read it through and try to absorb as much as you can of this
information.
   \ | /
    \|/
  __(CO)__
    /|\
   / | \
Sorry for the crappy ass ascii, but you get the basic point. As you can see
there are multiple lines going out from one centralized point. These lines are
the connections for all subscribers in the general area, and the CO in the
middle is the central office, which is the centralized point of operations
for a local telco network. Now of course if this is all there was to the
network then it wouldn't really be much of a network at all, but we're
approaching this understanding in phases. So from here let's talk about the
equipment at the central office, and then we'll extend out from there. Let's
start with switches. These are large computers located within the central
office that are used to route calls over the PSTN. To get you a basic idea
of how they look, here is a page with some pictures of different switches...
www.montagar.com/~patj/phone-switches.htm
As you can see there are many different types of switches. Around here
(I'm in the BellSouth region) most of our switches are either 1AESS or
DMS100. This may be different in your area, and there is a link I will
provide you at the end of this section that will give you a chance to
really get to know your local PSTN. Anyways, the next device you should
know about is a trunk. A trunk is a communications path that is used for
connecting two switching systems in a network in order to establish an
end-to-end connection. Meaning they are in charge of establishing connectivity
on a telecommunications network. However, trunks aren't the only devices
that are used for this purpose. In PSTNs there are also waypoints, devices
that are used in between trunks in order to help establish a connection
between the originating call and its final destination. These devices are
known as tandems. When you refer to their position in the PSTN, you refer to
it as a tandem point. Now that I've gone over some basic devices with you (I
will cover more later) I should probably go ahead and introduce you to some
basic terminology that you will hear (especially in this guide). The first
thing you must understand is what a LEC is. A LEC is a local exchange carrier,
and is the technical name for your local telco (telephone company). These
LECs, being again your local company, provide service for the local area
within a LATA. A LATA is a local access and transport area, and is what the
LEC is responsible for. Calls that are made from within this LEC's LATA (local
calls) are referred to as intraLATA calls. Calls that are made outside this
LATA (long distance calls) are referred to as interLATA calls, and are handled
by an IXC (IntereXchange Carrier). An IXC is of course a long distance
telephone company, and connects LATAs, thus allowing interLATA
calls. It's also good to note that there are also CLECs, which are competitive
local exchange carriers. This is simply a LEC besides your main LEC. Most
CLECs will use the same local loop that the main LEC owns. You may also see
in some texts LECs referred to as RBOCs, which stands for regional bell
operating company. This dates back to when Ma Bell was broken up as one of the
first measures taken to keep the telephony industry from being one big
monopoly. It was originally split into 7 RBOCs, which later became companies
like SBC, Verizon, Qwest, and of course BellSouth. It's also good to note
from here that the acronym for the typical analog-based telephone system
that you will see in your area is called POTS, which simply means plain old
telephone system. Now while we're cramming you with lingo I should go ahead
and explain exchanges. Exchanges are simply groups of numbers. You may
recognize it as the middle three numbers in your phone number. Like for
example if your number was 555-555-5555 then those middle three numbers
(i.e. 555-XXX-5555) would be the exchange you belong to. This is simply a way
COs organize assigned subscriber lines (you, the customer). If you want to
be technical the exchange identifier in a number is known as the NXX, while
the area code (the first three numbers of course) is the NPA. So if we wanted
to be cool and down with the lingo then we can see our number as NPA-NXX-5555.
I would love to tell you what NPA and NXX stand for, but honestly I don't
know, and don't really think it's all that important (but by all means, feel
free to look it up if you like). I should also go ahead and explain CLLI codes
to you, since you're going to have to know at some point. A CLLI (common
language location identification) is an 11 character identifier used to
identify switches and other networking elements and such over a PSTN. You
should also be familiarized with ANI and ANACs. ANI stands for automatic
number identification, and is how the LECs identify the number of a
calling subscriber. The function is similar to caller ID, but the system
itself is completely different. Nowadays everyone uses ANI II, which adds a
whole bunch of features to the system. The most predominant of these changes
adds a 2 digit identifier on top of the ANI result, in order to identify the
service that the calling party is using. An ANAC serves somewhat of a similar
function, but is used by a field technician in order to identify the number
of the line that he/she is hooked up to. These are numbers that you call, and
read back the number of the line you are on. There is a list of toll-free
ANACs you can use on Information Leak...
www.informationleak.net/anacs.txt
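As an added illustration (not part of the original guide), here is how a toll-free or operator-services endpoint could decode the two ANI II info digits delivered in front of the ten-digit ANI and flag call sources it cannot tie to a real subscriber line. The code meanings are the ones this guide lists for 07, 08-19, 20, 21-22, 23, 24 and 25; the 00 (POTS) value is a standard assignment the guide's excerpt omits, the record layout II+NPA+NXX+XXXX is assumed, and the sample records are constructed.

```python
import re

# Two-digit ANI II indicators as this guide describes them (assumed verbatim),
# plus 00, the standard "plain POTS line" value that the guide's excerpt omits.
ANI_II_MEANINGS = {
    "00": "plain old telephone service (POTS) line",
    "07": "caller requires special handling by an operator",
    "20": "PBX caller presenting the main number, not the station number",
    "23": "coin / non-coin status cannot be determined",
    "24": "toll-free call from a non-coin phone, converted to its regular number",
    "25": "toll-free call from a coin or prison phone",
}
# Indicators the guide marks as unused or reserved.
ANI_II_RESERVED = {f"{n:02d}" for n in range(8, 20)} | {"21", "22"}

# Assumed record layout: II digits, then NPA-NXX-XXXX (separators optional).
_ANI_RE = re.compile(r"^(\d{2})(\d{3})(\d{3})(\d{4})$")


def parse_ani_ii(raw):
    """Split 'II' + NPA-NXX-XXXX into fields; reject anything else outright."""
    digits = re.sub(r"\D", "", raw)
    m = _ANI_RE.match(digits)
    if not m:
        raise ValueError(f"not an ANI II record: {raw!r}")
    ii, npa, nxx, line = m.groups()
    return {"ii": ii, "npa": npa, "nxx": nxx, "line": line}


def classify(record):
    """Return (meaning, flags).  A flag means the delivered ANI cannot be
    tied to a specific subscriber line without further checks."""
    ii = record["ii"]
    flags = []
    if ii in ANI_II_RESERVED:
        meaning = "reserved or unused indicator"
        flags.append("reserved_ii")
    elif ii in ANI_II_MEANINGS:
        meaning = ANI_II_MEANINGS[ii]
    else:
        meaning = "indicator not covered in this example"
        flags.append("unknown_ii")
    # The guide notes that an operator who does not forward ANI delivers the
    # area code followed by 000-0000: the calling line is then unknown.
    if record["nxx"] == "000" and record["line"] == "0000":
        flags.append("ani_not_forwarded")
    if ii == "20":
        flags.append("pbx_station_unknown")
    if ii == "25":
        flags.append("coin_or_prison")
    if ii == "07":
        flags.append("operator_handling")
    return meaning, flags


def screen_calls(raw_records):
    """Screen a batch; return {raw record: reasons} for the ones needing a
    second look.  Malformed records are reported, never silently dropped."""
    review = {}
    for raw in raw_records:
        try:
            rec = parse_ani_ii(raw)
        except ValueError:
            review[raw] = ["malformed"]
            continue
        _, flags = classify(rec)
        if flags:
            review[raw] = flags
    return review


if __name__ == "__main__":
    # Constructed sample (555 numbers are not real): an ordinary POTS call, an
    # operator-relayed call with no ANI, a PBX main-number call, a short record.
    SAMPLE = ["00-555-123-4567", "23-555-000-0000", "205551234567", "555-1234"]
    for raw, why in screen_calls(SAMPLE).items():
        print(raw, "->", ", ".join(why))
```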
While we're babbling on about the lingo it's cool from here to know what LASS
(local area signaling services) codes are. You probably know these as star
services, most notably being *69 (caller id), *67 (call block), *58 (anonymous
call rejection), etc. It's also nice to note that DTMF (dual tone multi
frequency) tones are those pretty little tones you hear when you dial a
number. They are called this of course because it is actually two separate
tones that construct the tone that you hear when you hit a number on your
numpad. So I don't have to list you all the other different tones out there,
here is another link to check out for a list of tones used...
www.tech-faq.com/telephone-tone-frequencies.shtml
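To make the "two separate tones" point concrete, here is an added example (not from the guide) that builds a keypad tone from its row and column frequencies and recovers the key with the Goertzel detector that switches and IVR systems use for keypress detection. The standard DTMF frequencies are used; the 8 kHz sample rate, 50 ms tone length and the 4:1 dominance threshold are my own assumptions.

```python
import math

SAMPLE_RATE = 8000          # Hz, telephone-band audio (assumed)
TONE_SECONDS = 0.05         # 50 ms of tone, enough for detection (assumed)

# Standard DTMF assignments: one low-group (row) and one high-group (column)
# frequency per key.
ROW_FREQS = [697.0, 770.0, 852.0, 941.0]
COL_FREQS = [1209.0, 1336.0, 1477.0, 1633.0]
KEYPAD = ["123A", "456B", "789C", "*0#D"]


def dtmf_pair(key):
    """Return the (row, column) frequencies that make up a keypad key."""
    for r, row in enumerate(KEYPAD):
        c = row.find(key)
        if c >= 0:
            return ROW_FREQS[r], COL_FREQS[c]
    raise ValueError(f"not a DTMF key: {key!r}")


def synthesize(key, seconds=TONE_SECONDS, rate=SAMPLE_RATE):
    """Two sinusoids summed: this is all a DTMF tone is."""
    f_low, f_high = dtmf_pair(key)
    n = int(seconds * rate)
    return [0.5 * math.sin(2 * math.pi * f_low * i / rate)
            + 0.5 * math.sin(2 * math.pi * f_high * i / rate)
            for i in range(n)]


def goertzel_power(samples, freq, rate=SAMPLE_RATE):
    """Energy of `samples` at one frequency; cheaper than a full FFT when
    only eight frequencies matter."""
    w = 2 * math.pi * freq / rate
    coeff = 2 * math.cos(w)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def _strongest(samples, freqs, min_ratio=4.0):
    """Index of the dominant frequency in a group, or None if no single tone
    clearly dominates (silence, speech, or a tone that is too weak)."""
    powers = [goertzel_power(samples, f) for f in freqs]
    ranked = sorted(range(len(freqs)), key=lambda i: powers[i], reverse=True)
    best, second = ranked[0], ranked[1]
    if powers[best] < 1.0 or powers[best] < min_ratio * powers[second]:
        return None
    return best


def decode(samples):
    """Return the key the tone encodes, or None when it is not valid DTMF."""
    r = _strongest(samples, ROW_FREQS)
    c = _strongest(samples, COL_FREQS)
    if r is None or c is None:
        return None
    return KEYPAD[r][c]


if __name__ == "__main__":
    for key in "".join(KEYPAD):
        print(key, "->", decode(synthesize(key)))
    print("silence ->", decode([0.0] * 400))
```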
Well I know that there is a lot I skipped out on, so when you get the chance
it would be wise to google up some telephony terminology to get acquainted
with. Verizon's website has a pretty nice list. Anyways, as promised earlier,
here is the site that if you don't know about, you really should. This site
will allow you to get all the information you could ever want to get to know
your LEC. Here is the site...
www.telcodata.us
The information it offers includes listed exchanges, CLLI codes, etc. etc.
Anywho, in the next section we will be talking about signaling protocols
over the PSTN. If you have read my Phreak 2k tutorial then you will remember
it being a section from that tutorial. It predominantly talks about CCSS7,
since it's becoming the well adopted and adapted signaling protocol for
LECs across the world, though there are still some areas out there that have
not yet implemented SS7, so it's wise to look in your spare time into systems
like ESS as well. So let's move on, shall we?
=================
| SS7 Explained |
=================
=====================
| Exchange Scanning |
=====================
Well now that you hopefully have a decent understanding of telephony, then I
can finally start you off into phreaking. A lot of people immediately want to
get into learning about all the boxes that you can build, since they are
deluded into believing that building and using boxes is all there is to
phreaking. This is simply not true. So in my personal opinion, probably
the best way you can get into phreaking is by starting out with exchange
scanning. It's the method that you will use to discover all those interesting
numbers (VMBs, ANACs, test numbers, etc.), and the sooner you pick it up the
better. Some of you may be wondering what the hell exchange scanning even
is. Well, do you remember earlier when I was talking about exchanges? You
should. If you don't you need to quit reading now and go back and read Basic
Telecommunications again. Anyways, if you do remember, then you will remember
that exchanges are used in order to help group subscriber lines within an
NPA (being again the area code). Each LEC is of course given specific
exchanges that they can use for assigning numbers to. Well, exchange scanning
is dialing down that exchange for any interesting numbers. You may be familiar
with it as wardialing (as shown in the movie Wargames), but it's really only
wardialing if you use a wardialer, and not everybody uses one. In fact, in
many ways it's recommended not to, since a wardialer can't pick up on many
numbers that you might want to know (like VMBs). Personally I use PhoneTag,
because I'm too lazy to dial a whole bunch of numbers by hand, but that's
because I set it to ring 10 times, and listen closely to the modem speaker so
I can hear anything interesting. For your first exchange scan, you will
probably want to go with your own exchange. Not for any specific reason
really, it just happens to be where most people start. If you decide to go
with a wardialer make sure it's one that is capable of randomizing the call
list (like PhoneTag). Nothing says "monitor me" like sequentially dialing
down an exchange. Plus, many LECs have devices that disallow any subscriber
from dialing more than 10 or so numbers in sequence. It also helps if it's
capable of randomizing the time sequence between each call, but I haven't
done this myself and I haven't found it to really affect that much (then
again, BellSouth isn't all that bright at times, so you might want to look
into this in case your LEC is a little smarter than mine). Keep in mind
though that if you have the patience to do so, it really is much better to
handscan, which is simply exchange scanning by hand. That way you can listen
out closely for any interesting numbers that you might miss with a wardialer,
and you can give a nice response to any residential numbers that you might
call, you know like "Oh sorry, I believe I have the wrong number". Most
people will accept this and be less prone to call you back, contrary to
how a wardialer will treat them and just hang up on them (rude little
buggers those wardialers are). If you want to be a little less rude to
your fellow neighbors, it's best to remove them off your planned call list.
The best way to do this is to go to superpages.com, punch in your NPA and NXX,
and then use that site to look up all the listed numbers on your target
exchange. Then just remove these numbers off your list. That way you can kill
off some time on your scanning, and keep from bugging anyone. I should also
mention that it's well accepted that day time is the best time to do
exchange scanning. That way, again, you don't piss anyone off. Personally I
find the best time to do exchange scans is during the mid-morning, or
mid-afternoon hours. Really any daytime hours are ok, but if you are available
during any of these hours then I find it to be best for exchange scanning
since most people are off at work at the time. Now that I've gone over this,
it's good from here to establish exactly which part of the exchange you're
going to scan. If you have the time, then it's of course best to scan from
NPA-NXX-0000 to NPA-NXX-9999, but maybe you don't have this patience. So if
you are looking for the service numbers like the test numbers and such then
then to help cut down on your scanning you might want to scan the low end
or high end of your target exchange. Different LECs have their service numbers
on different portions. Around here, most of the interesting numbers are on
the low ends, but I know a lot of other regions have more luck scanning the
high ends. So it's best to just scan both yourself, and get a feel for which
one you have better luck with. In case you don't understand what I'm talking
about with ends, NPA-NXX-00xx (where the last xx is 00-99) is a low end
scan, and of course NPA-NXX-99xx (where again, the last xx is 00-99) is a
high end scan. This is usually where those fun numbers you love are
located, but I also know of some areas that have these numbers thrown right
down in the middle. So if you have the time, you should try just scanning the
entire exchange, since there are still many other interesting numbers to
be found outside the low and high ends. So now that you're ready to scan, I'll
close this section out by helping you understand identifying the numbers you
come across...
Carriers - these are also known as dial-in modems, and are of course dial-in
devices that allow you to interface with the system behind it. You may
remember this if you watched Wargames as being how that kid in the movie
was breaking into all those networks. Well, you won't believe just how
many there still are. Carriers can easily be recognized as being the exact
same tone you hear when you connect to the internet with a dialup connection.
Fax Machines - I really doubt I need to explain to any of you what a fax
machine is, but I will help you identify when you've come across a fax
machine. When you dial into a fax machine, it will sound a little like a
carrier except that it will sound a bit off. It's kind of hard to explain,
but when you hear one and then the other then you will know what I'm talking
about.
Milliwatt Test Numbers - you may and probably will find a lot of these numbers
when exchange scanning, since I've found them to be probably the most
prominent of the types of test numbers there are. These are used by field
technicians for testing a whole range of problems with a line. You can recognize
these as having a low consistent tone.
Sweep Test Numbers - these numbers are a little harder to find, but can be
very useful for you if you come across them. They are hard to miss,
since if you dial into one you will hear somewhat of
a wave of different tones blasting through your line that is approximately
30 seconds long. If you come across them then you can use them to test for
any bugs on your line, specifically the infinity-transmitter style taps.
Just call the number and let it play. If you hear any audible clicks while
the tone is blaring down your line, then there is a good chance that you're
being tapped.
Loop Numbers - you will see these numbers mentioned in earlier phreaking
texts, but not quite as often mentioned anymore. This is because most loop
numbers have a voice filter now that makes them completely useless. How they
work is that you dial into the high end loop, and then have your buddy or
whoever dial into the low end. These numbers are usually assigned in
succession. Like say if you were to dial into the high end and the number was
NPA-NXX-9999, then you'd have your buddy call like NPA-NXX-9998. You can
recognize if you have dialed into a high end loop number, because you will
hear this constant annoying tone until your buddy or whoever calls the
low end. Then there will be dead silence. If it for some reason has not had
a filter placed, then this is where you would talk, but again, usually these
things are filtered so most are useless now.
Quiet Termination Numbers - these numbers are used in order to connect
the caller to a fixed resistance. If you dial a number, and you hear nothing
but dead silence then this is a quiet termination number (or perhaps the
low end of a loop, if you want to be sure call the number right after it
and see if you hear that familiar high end loop tone I was telling you about).
ANACs - these are a little bit harder to fish out immediately because they
are just a common recording. Some ANACs will read off the number immediately
after it picks up, while others may want you to go through a menu in order to
use the feature. The best thing for you to do in order to find ANACs is when
you dial into a recording just give it a chance for a second so you can hear
what it's telling you. If you hear the number, or hear a menu option that
says to read off your number or whatever then of course you have an ANAC.
PBXs - I will dedicate an entire section to this later concerning what they
are and how to exploit them, but it stands for private branch exchange, and
is like an internal phone network. I will explain more about this later, but
basically when you're scanning for these you'll be looking for the DISA
port, which is an administrative port for the PBX. There are wardialers
out there that can scan for these ports (i.e. PBX Scanner). You can recognize
these with a low sounding tone, here is a recording...
http://artofhacking.com/cgi-bin/wwfs/wwfs.cgi?AREA=109&FILE=PBX1.WAV
DATUs - these are fantastic finds if you come across them. They aren't
always called DATUs (like here they're called VoiceSystems), and some operate
differently than others. You can recognize these because they will start off
sounding like a DISA port, but will go through half of the ring and then
be cut off by the low tone. More will be explained on how to exploit
these later.
VMBs - fishing out for these is kind of like fishing out for ANACs. You have
to listen carefully to any recording you hear during your scanning, because
you never know what it is. These are of course voice mail boxes, and are used
by corporations and the likes as, well, basically answering machines. That
way they can keep up with the business of being business people, or whatever.
Anyways, the recording will identify itself as someone's voicemail system, or
just ask you for your box number.
Also I should add that there are also special, unpublished exchanges that
you can try to scan once you get the hang of it. To get unpublished exchanges
that might be in your area you can go back to telcodata.us or nanpa.com. If
you go to NANPA look for Central Office Code Assignments that are close to
your area (keep in mind, Utilized means used). After you have a list of
assigned exchanges, compare the results to exchanges that are listed in your
phone book. If you see one on the list that you got that isn't in the list in
the phone book then you have a special exchange. These can be a treasure
trove of interesting numbers if you give them a scan. Well that's it for this
section, by now you should be armed with enough information to take your
LEC by storm.
==================
| Hacking PBXs |
==================
Now let's get into hacking PBXs. To extend on what I was saying in the exchange
scanning section, PBX stands for Private Branch eXchange, which is an internal
phone network used by medium and large organizations for sharing a number of
external lines with a larger number of phones within. You remember when you
were in school (or are in school) and had to hit 9 before dialing a number?
That's because your school used a PBX. PBXs are used because they are much
more cost effective than having to give every phone its own line. The structure
of a PBX is basically a bunch of lines hooked to an outbound trunk. There's a
little more to it than that, but that's just to give you a good idea of basically
how one is structured. Just to drive the point home here is another example of
my ascii artistry...
(1)
      \
(2)___\___[trunk]---> LEC
      /
     /
(3)
Of course, this diagram is extremely dumbed down, but you get the point. The
()s are in this diagram the phones in the organization, and they are hooked
together to an outbound trunk that interfaces them with the outside, being the
LEC. So what is the benefit for you for exploiting one of these systems? Well
if you take control over a PBX, then you can dial out from there and call
wherever you want, leaving the organization that owns the PBX with the tab.
So how do you exploit them? Well there are two ways that you can accomplish
this feat. One being hacking the DISA ports (don't worry, more will be
explained about this later), or social engineering someone within the PBX
into dialing out for you. We will discuss the latter of the two first since it
is the easiest, and then talk about exploiting the DISA ports. The
social engineering scheme is pretty easy. What you do is either beige box
a line, or call up from a payphone to any midsized to large organization, and
give them the following ploy put together by my good friend Halla...
"Hello, My name is William Higgens with AT&T. We are doing
some work on the poles and need to get a line check so nothing gets
crossed. I've been asked from the field line engineers to call you
and have you dial 90 so that I can relay the line information to
them. Thank you, and sorry for any inconvenience."
How does this help? Well of course as I said, you remember hitting 9 when you
had to dial out from within a PBX right? Well, 0 of course is the extension for
the operator. So when the poor employee that you contacted does you that nice
favor of dialing out extension 90 for you, then you have dialed out on that
outbound trunk, and any charge you pull up will be thrown to the organization. When
you reach the operator simply tell him/her that you are having trouble dialing
a number or something like that and need him/her to reach the number for you.
The operator will ask you what number you are attempting to reach, and you
should of course know what to do from here. You can improvise the social
engineering skit above to change the AT&T part to your local LEC, and the name
if you wish to whatever you like. It's just an example to give you an idea of
how it works. Also if you want to dial a number outside of your country, just
ask for extension 900. Keep in mind that it will be much harder obviously to
convince anyone that a field technician needs to reach an international
operator, but hey, there are stupid people out there. So now that you understand
how to social engineer a free long distance call out of a PBX, let's talk about
hacking the DISA ports. DISA stands for Direct Inward System Access, and these
ports are used for administration over a PBX by its administrator. These
really aren't that hard to exploit at all. You just need to find the number for
a DISA port. So how do you do this? Well you are going to have to do a little
scanning. There are a lot of wardialers out there that you can configure to
scan for PBXs, but here is one you can use solely for this purpose...
www.informationleak.net/pr0g/pbx_scan.zip
Once you have this scanner downloaded, extracted to a folder, and configured
then just start scanning away. It shouldn't be that risky to scan from your
house, since you haven't done anything illegal just yet. If you are really
feeling that insecure about leaving your number with the target PBX then you
can take a laptop out on the field, and beige box your modem wire into
somebody else's line. It's also best to scan for toll-free PBXs, so you can
call them from anywhere, but locals are fine too I guess. Anyways, if you are
scanning from home don't EVER call back any PBX you find. I can't stress this
enough. One call in and hang up doesn't look all that suspicious to a PBX
administrator, but two definitely will, and if you are trying to hack into it
from your house then you might as well go to the police station right now and
turn yourself in. Anyways, once you have a PBX you go out at a different time
to a payphone or a different line and call up the PBX.
After you have pushed through the tone, your
task from here is to guess the password used on the DISA port. This
isn't really as hard as it may sound. There are many common passwords that are
used on these ports that you can use to your advantage. You basically have two
options here. First try 9#, then 8#, and on down the keypad in this fashion.
This doesn't usually work anymore, but is worth a shot. After this you can try
the usual four digit pass codes. 1111, 1234, 1000, 4321, etc. Just try down the
keypad with the kind of pass code schemes mentioned above. If you hear a dial
tone when pushing through a pass code, then that means that you just hacked the
DISA port, and can use it as you like to dial out wherever you like. If you use
the above schemes down the keypad and come up with nothing, then just say fuck
it and move on to another PBX. There are too many out there to worry about one.
Also needless to say when you're hacking the DISA port you should be doing this
after office hours, like the middle of the night (though that depends on the
business running the PBX). Anyways, on to other things...
==================
| Hacking VMBs |
==================
You know, there have been so many tutorials on hacking VMBs written that anything
I wrote here would just be repeating the same crap. So instead of regurgitating
the same information that has been already so well documented I thought it best
to just link you to some tutorials on this subject. If for some reason any of
these links die then go to a search engine (like google.com) and search for the
title that is listed by the link (including the quotations)...
===================
| Hacking DATUs |
===================
What can I say? I'm in a lazy mood today. So the same thing I did for the last
section is the same thing I will do for this section. The topic has been
very well-documented in the past, and I have nothing new to really add to it.
So as before here are links to different tutorials that you can read to become
familiar with DATUs and how to gain access to them...
I'll try not to resort to this measure anymore or this won't be much of a guide
at all, but I just really didn't have anything new to add to this section, and
the last one. Still, the point of this guide is to introduce you to phreaking,
and these tutorials will definitely help introduce you to accessing these
systems.
==================
| ANI Spoofing |
==================
hotels where they do not also automatically identify the room number.
07 - This caller requires special handling by an operator. Where this cannot be
accomplished, the caller is given a recording telling them their call could not
be completed.
08-19 - Not used or reserved for specialized functions.
20 - Used by PBX systems where the caller is dialing out using the main number
rather than, say, a specific number assigned to that station on that PBX.
21-22 - Not used.
23 - Status as to whether caller is using a coin telephone or non-coin telephone
cannot be determined.
24 - A call from a non-coin telephone to a toll-free number has been converted to
its regular telephone number.
25 - A call from a coin or prison telephone to a toll-free number has been
So now that we've gone over ANI, let's get into the point of this section: how to
spoof ANI. Why would you even want to spoof ANI? Well there are two main reasons
for doing such. One is if you want to reach a system without revealing your
original point of calling (if this is your purpose then this should be used in
conjunction with beige boxing, which will be explained later). Two you can of
course use it for making free calls, which is what it's usually used for. This
technique was discovered and released by Lucky225, so show respect to the smart
little bugger that made this possible. Well what you will want to first do is
get some ANACs to use. For a list of toll-free ANACs that you can use go here...
http://www.informationleak.net/anacs.txt
Now call up your local operator and tell him/her that you are having trouble
dialing a number and if he/she will dial a number for you. The operator will
ask you for the number, and you give him/her the number of an ANAC (be sure to
test the ANAC first before you try to use it for ANI spoofing). Then when it
reaches the ANAC listen in for the number that is read back. If the number is
the area code and number of the line you're on then you know that the operator
has the ability to forward ANI. If the ANAC reads back your area code followed by
000-0000 then you know that it doesn't forward ANI. If this is the case, then
you can use this by getting the operator to forward you to the number of another
operator (look up on a search engine for numbers of different service operators).
Then when you're ready to ANI spoof the call, call up the operator, and ask
him/her to call up the number of the other operator that you got. When you reach
the next operator and he/she asks for your number, give him/her any number. This
should be a real number, but not of anybody you know. Just pick one out of the
phone book or something. If they allow the line itself to be billed, then you
will be able to make your call on somebody else's tab. If your operator does
forward ANI another solution you have is to use a call forwarding service
to help aid in spoofing the ANI of your session. Here is one example of a service
that offers this...
www.yac.com
Simply use the call forwarding service to forward the session to an operator, and
then have the operator forward you to an ANAC. Then test to see if your ANI was
spoofed. If it was then do the same as above to spoof your point of origin, or
to just make free calls. Enjoy...
========================
| Caller ID Spoofing |
========================
Well I figured since I just finished teaching you how to spoof ANI, I might as
well teach you how to spoof caller ID. Never confuse caller ID spoofing with
ANI spoofing. They are two completely different services. Spoofing caller ID
will not spoof your ANI. So what good is caller ID spoofing then? Well it's
basically good for shits and giggles. It can be good for prank phone calls, but
shouldn't be depended on for keeping the source of the call anonymous since the
phone company can still trace the call back to its origin. It can also be
something slightly amusing to do when you're bored on the phone with one of
your friends. First before I get into spoofing caller ID I will explain how
caller ID works. It's basically like this. Your CO first sends two tones to
you when a call comes in. The first is a SAS (Subscriber Alert Signal) tone,
which is just a normal call waiting beep. The second is a CAS (Customer
Premise Equipment [CPE] Alert Signal) tone. The CAS tone informs your CPE
(caller ID device) that there is a call waiting call coming in. The CPE then
mutes your headset and sends through an acknowledgement DTMF tone to signal
to the CO that it's ok to send through the caller ID information. The CO then
responds to this by sending through a FSK transmission. Your CPE receives this
information and promptly displays it on the screen for you to see. So now that
you understand how caller ID works, let's get into how to spoof caller ID. Well
for this you are going to need an orange box. What the hell is an orange box?
Well an orange box is a device or software that spoofs the tone sent to the CPE
in order to display whatever information you want it to display. If you want
to build one yourself then what you will first want to do is get caller ID
on your service if you don't already have one. Then take off the CPE and call
your line from another line. You will hear the CAS send the acknowledgement
DTMF tone (A or D) to the CO, and the CO send back a FSK transmission. You will
take a microrecorder and record the FSK transmission that is sent back. Then you
can push this tone through after the phone is picked up to whoever you want,
and the CPE will read back to the caller the tone you sent through. You can
generate the CAS tones (an orange box) by buying a tone dialer from Radio
Shack and replacing the 3.58 MHz crystal with an 8.192 MHz crystal. You can then
hit the * button to generate the CAS tone. You can generate the DTMF A and D
acknowledgement tones with a silver box, which you can get the plans for
below...
www.totse.com/en/phreak/boxes_old_and_new/silver02.html
Of course, all this is kind of pointless if you have a computer (which you
probably do if you are reading this) since you can just download a program to
generate the tone for you, without paying for all the equipment. The program
is S.O.B and you can download it from the link below...
www.artofhacking.com/orange.html
The use of this program is pretty simple to understand. You put whatever number
you want to be displayed in the Number field, and whatever name you want to be
displayed in the Name field. You can use the Privacy button to simply display
"Out of Area" or "Private" on the CPE (which isn't really fun, since it's just
like hitting *67). You can use the Format button to change the format that the
tone is to be sent as. Call Waiting if they have call waiting, Standard if
otherwise, and I'm not even sure about SDMF. You can use the Timestamp button in
order to change the timestamp that is recorded on the CPE. I guess just in case
you want to make it seem like the call was made at a different time. That's
pretty much the layout for how to use S.O.B. Before I close this section out
I need to remind you of a couple of things first. First off when using this
device your actual caller ID will be listed on the caller ID device first. You
can resolve this problem by using *67 in conjunction with the orange box, but
unless the person you are calling is an idiot it will not fool them a bit if they
checked the CPE before picking up the phone. Secondly to use the orange box
you have to wait till the party picks up. Nothing is listening for your tone
until the party picks up. At the earliest you can push through the tone the very
second the party picks up, but that's about it. Also I figured I'd repeat that
this will not keep the call from being traced. There is still a lot that is
left behind during these calls, including your ANI. So if you are using the
orange box for something criminal or extremely annoying then it's best to use
it in conjunction with ANI spoofing, beige boxing, or something of the sorts.
Also this will not spoof your caller ID on a cell phone subscriber (as in if you
try to spoof your caller ID when calling your buddy's cell phone). Cell phones
use a completely separate digital signal for identification of a caller, and
this tone will not do anything but give your buddy a loud, annoying tone to
listen to. Anyways, moving on...
==================
| Beige Boxing |
==================
I don't even know why I'm making this topic it's own section, but here it is.
I'm not going to try to make this sound like a science, because it isn't. It's
just beige boxing. However, you will need to have one on hand for those anonymous
calls you need to make. There are many ways that you can beige box. The most
basic beige box is just a handheld phone with the end of the wire clipped and
alligator clips attached. We have a pretty extensive tutorial on the site on
how to put together a beige box that would be good for you to read into. You
can find this at the below link...
www.informationleak.net/beige.txt
So if you read through that then you should have a good idea of how to beige
box. The best part about that text that gives it an advantage over other beige
boxing texts is that it also gets more into detail on how to PROPERLY use it.
As an added tip on my front so that this isn't just a link I'd definitely
suggest using a phone cord extension for your proper modifications. It's very
cheap to get one, will allow you to get farther back from the TNI, and won't
destroy a perfectly decent phone for your beige box construction. Also if you
are using this neat little tool to do something like break into PBXs, then it's
best to use this method in conjunction with ANI spoofing to make the trail just
that much harder to track down. Also what I think they didn't put enough emphasis
on is to use phone cards if you're doing this just to make calls. That way you
can hold access on the same TNI, without them getting reported on a huge toll
charge. If you are too cheap to even buy a phone card, then you can walk to
Walmart or anywhere that sells phone cards and discreetly (as in make DAMN sure
you aren't noticed) scratch off the bar on the back. Make sure the bar is
completely removed so it looks like the card just came that way. Then copy down
the phone card number, and the phone number to call to use the phone card. Then
just put the phone card back on the shelf. Then just call up the number you
got every couple of days or so until the card is activated (someone buys it).
Then there you go, you got minutes to use. This is pretty lame though, since
there are less risky ways to make free calls, and you're just stealing small
change right out of someone's pockets. I just figured I'd throw it out there.
Anyways, that's it for this section, on to red boxing...
================
| Red Boxing |
================
Well since I just got done reviewing beige boxing for you I figured I'd go ahead
and jump to red boxing. Red boxing is of course for the very few of you in the
world that for some reason don't know a device that allows you to make free
calls on a payphone. There is a lot of buzz going around over the last couple of
years that red boxing is dead. Well no, it's not dead yet, but it's pretty damn
close to being. The tones generated with a red box are called ACTS (Automated
Coin Toll System) tones, and are used on older systems for coin verification.
With the advent of digital signaling being implemented on many networks the
use of this is starting to become dead. For example you can't use any equal
access code belonging to AT&T to red box your calls. As so many articles whining
about how dead red boxing is explained, AT&T doesn't accept red box tones
anymore. So how do you red box? Well first I'll tell you how to make one.
There are many ways to make a red box. The method I will be talking about is
probably the cheapest way to make a red box. Just download red box tones off
any site out there (the tone generator I mentioned earlier in the Hacking PBXs
section has this feature included). Hell, you can grab other tones as well
if you please and make what I'm about to get into a multi-purpose tool. Now
for this you will need a cd burner. If you don't have one, I'm sure you have a
friend who does. Now take the tones and burn them onto an Audio CD using some
software like Nero. Then test them out on your cd player. This is to make sure
that it burned correctly (I've noticed that sometimes Nero screws up when burning
small sound files like tones). For this idea you should have a portable cd
player. Now just take off the cotton bit on your headphones, and you have a
red box. To make it more efficient, you can get one of those rubber cups, cut it
a bit so that it fits over your headphones, and melt it back on. That way you
can use the rubber cup to obstruct outside noise. The key when using tones is
clarity. Phone networks are very precise when it comes to the tones used, and
if the tone is the least bit off then it'll give you away. Keep in mind you could
also just use an mp3 player. Anyways, so now that you have your red box, how do
you use it? Well go up to a payphone and hit 411. Give them some information in
order to "find" the phone number for you, and when they ask if you want them
to put you through to this number say yes. Then push through your tones. Be
sure before you do that you didn't do something stupid like leave Bass Boost
on your cd player. Remember, CLARITY IS THE KEY. I remember hearing one time
about this phreaker a couple of counties over that got busted for red boxing.
The operator apparently knew that he was trying to red box, but forwarded him
through anyways and then called them to go out there and arrest him. So yeah,
be careful. Try to keep your call as short as possible, and just in case don't
mention anything about red boxing the call when you're connected. Sometimes
operators have been known to stay on the line for a few seconds after the call
has been connected if they suspect that the call was red boxed. Maybe this isn't
true, but it's better to be safe than sorry. Anyways, I'm not sure exactly how
long this technique will be valid. Red boxing is little by little becoming more
of a piece of history than a currently valid technique, but until then you can
still have fun. Keep in mind that red boxing currently only works for local
calls so that might not make it very useful for many, but at least it saves you
some pocket change when you need to make a call. Also if you need anymore ideas
my homie G dogg P(?)NYB(?)Y wrote a pretty decent tutorial on red boxing modern
payphones which you can read here...
http://www.informationleak.net/redboxing.txt
Have fun...
===================
| Phone Tapping |
===================
Well there are many ways to listen in on phone conversations, and I figured that
instead of splitting them all off into different sections that I'd just throw
them all into one. So without further crap, here is how you spy in on phone
conversations...
                       (VoIP Traffic)
(Point A) ---------------------------------------> (Point B)
          <---------------------------------------
                           |
                           |
                           |
                         (you)
Point A would be the wireless network that you are dumping the traffic of
using tcpdump, and Point B would be the remote WAP that Point A is interfacing
with. So then you can use VOMIT in conjunction with tcpdump in order to assemble
the voip traffic being captured into a wav format. This will allow you to listen
in to the conversation that is being broadcasted between these two points with
absolute ease. So yeah, for all your voip users out there, I hope you aren't
discussing anything too secretive over your subscribed network.
====================
| Other Articles |
====================
Well I could have gone further into the topic of payphones and answering
machines, but oh wait, that's right, I already wrote on all that in the past.
So instead here are some useful links to other articles that you will want to
read...
==========================
| Articles & Resources |
==========================
Well originally when I was doing the layout for what would be this guide I had
planned to split it into two separate sections, landline & cellular, each with
equal amounts of information for you to absorb. However, there are a couple of
reasons why I didn't. For one I'm eager to see this guide get released. Also
there isn't much information I can provide that there aren't web sites dedicated
to. So instead of writing out the same codes and crap that entire web sites have
been built off of, I'll just give you those articles and resources to read for
yourself.
=====================
| Suggested Links |
=====================
It's impossible to simply read one guide and call yourself proficient. The
purpose of this guide is to introduce you to phreaking. From here it will be
your responsibility and hopefully your pleasure to expand on your current
knowledge and read more into phreaking. However, nowadays it can seem hard
to find up-to-date information on phreaking. I remember when I was starting
having a lot of trouble finding anything useful and up-to-date from the mass
of outdated information that was being shoved around. Now don't get me wrong,
it's important to keep archives so that we can remember the past, but that's
what we have textfiles.com for. There is no reason why so many sites need to
carry such outdated information. Of course, this is usually done so because
the web masters who put this information up know nothing about phreaking, and
therefore assume that they're valid. So to help you with this step I'm going
to list suggested links for you to read into in order to further expand your
knowledge in the field of phreaking...
www.informationleak.com - now you know I had to throw that one in. We try our
damnedest to make sure that the only information we provide is usable information,
so it's always a good shot to keep in touch with what we're up to.
www.oldskoolphreak.com - this is probably one of the best sites out there to
learn about phreaking from. Definitely a good visit.
http://9x.tc - what can I say? They write good stuff. Definitely check them out.
www.hackcanada.com - the main purpose of this site is to aid to the H/P scene
in Canada, but a lot of the documentation they have has information that can be
useful outside Canada as well.
www.phonelosers.com - kind of a weird mix of useful information and random
ranting, but overall definitely a good visit.
www.phreak.org - most of the information here is out-of-date, and some of the
information was never to-date to begin with. Kind of an unreliable source, but
there is a little useful information that is hidden in the mass of outdated
crap. If you've been doing good on your reading, then you should be able to
tell the difference between the two.
www.verizonfears.com - this is the site that Lucky225 runs. There isn't exactly
a huge mass of information here, but the information that is on there is for
the most part up-to-date (except for a few details) and useful.
http://artofhacking.com/boxrvw1.htm - if you plan on building a box, this is
the article to check. This is an updated review by The Fixer that rates
different phreak boxes for the skill it requires, risks associated, plausibility,
and obsolescence.
====================
| The Conclusion |
====================
Well finally after a little work, and a LOT of slacking off this guide is
finally finished. Hopefully I've successfully introduced you into the field
of phreaking, and I hope that you continue reading from here. Telephony really
is a fascinating aspect of technology, and nothing makes you appreciate it
more than phreaking. I always appreciate feedback so if you want to get in
touch with me then you can do so by emailing me at
murdermouse@informationleak.net.
You can also chat with me live by going to Yahoo! Chat and going to either
Hackers' Lounge:1, :2, or :3. I'm usually loitering around there in one of the
rooms (usually in Hackers' Lounge:3) under the name Murder_Mouse. You can also
go to irc.2600.net and hit me up at #infoleak. Anyways, as I always say, until
next time...
www.informationleak.com
"laughing at your faith in technology since 2004"
#### ####
###### ######
####### #######
####### #######
/\ /\ ###############
/ \ / \ _______ ##| |###| |## _______ _________
/ /\ \/ /\ \ \ __ / ##|@ |###| @|## | ___ | | __ /
/ / \ / \ \ / ___ / ##| |###| |## | | | | | ___ /
\ \ / / / / / ___/ \ ##|__|###|__|## / | | | | | /
\ \/ / / / / /\ \ \###############/ | | | |_________| ____ \
\/ /___/ /_/ / \ \ ----#####[. .]#####----| | | __ ____| | \ \
/_____/ /___/ \ \______/###############\___| |__| | | |_ | | \ \
\ \/ / \______/_###| | | | |###_\_________| | __\ | | \ \
\ / /\ _______ ###| | | | |### | | | |____| | | |
/ \ / \ | ___ | ###|_|_|_|_|### | | |________| | |
/ /\ \/ /\ \ | | | | ###| | | | |### | | | |
/ / \ / \ \| | | | ###| | | | |### | | ________ _________| |
\ \ \/ / /| | | | ###|_|_|_|_|### | | | _____ |\ _________|
\ \ / /_| |___| | ############### | | | | | | | |
\ \ /____________| | | | | ___| | | |__
\ \ | |____________________________| |____| | | ___| | ___\
\ \ |_______________________________________| | | | |
\/ | |____| |____
|_____________\