
_____ _ _
| __ \| | | |
| |__) | |__ ___ _ __ ___ ___ __ _ _ __ __| |
| ___/| '_ \ / _ \| '_ \ / _ \/ __| / _` | '_ \ / _` |
| | | | | | (_) | | | | __/\__ \ | (_| | | | | (_| |
|_| |_| |_|\___/|_| |_|\___||___/ \__,_|_| |_|\__,_|

_______
|__ __|
| | ___ _ __ ___ ___
| |/ _ \| '_ \ / _ \/ __|
| | (_) | | | | __/\__ \
|_|\___/|_| |_|\___||___/

-= the definitive guide to phreaking in today's world =-

written by Murder Mouse

=====================
| Table of Contents |
=====================

I. Introduction

Acknowledgements
Legal Notice
Preface

II. Landline Telephony

Basic Telecommunications
SS7 Explained
Exchange Scanning
Hacking PBXs
Hacking VMBs
Hacking DATUs
ANI Spoofing
Caller ID Spoofing
Beige Boxing
Red Boxing
Phone Tapping
Other Articles

III. Cellular Telephony

Articles & Resources

IV. Conclusion

Suggested Links
The Conclusion

====================
| Acknowledgements |
====================

Well first off I'd like to thank Julie for her love, understanding,
support, and for occasionally knocking some sense back into me. I'd
also like to thank Halla, BlueInferno, P(?)NYB(?)Y, StEvE, wobin,
fallen, MalevolenT, Pr0motion, and everybody else at informationleak.com for
being the best friends that a shut-in like me could have. Also to my hometown
friends David, Issac, and Kendall for occasionally dragging me out of my house.
Oh, and to sirfreshstunner, s_p_e_c_i_e_s_x, b_r_o_k_e_n_s_t_r_i_n_g_s,
eddybear172, onepebbleinthepond1, blueicefox_21, mr_nemster, hack_this_box,
hi_ioader2002, x1design, corndog_5000, skiddieleet, phreak0matic, bank_tech,
silenced_bearar, el_loco_moco2, cold_hearted_bitch, blinky_monkey88, dfg,
Zonkies, slayer6966669, and everyone else in Hackers' Lounge:3 (you know who you
are) for the endless hours of shits and giggles. Also to hurt4ever1, steven25t,
mt_dew_feen, cloud_on_line, and everyone I know from Hackers' Lounge:1. As well
as Mel, i11, synfire, megatron, and everyone else I know from Hackers' Lounge:2.

(R.I.P Michelle...if there is an afterlife, I'll be sure to bring the
orange thong)

================
| Legal Notice |
================

Disclaimer
-----------
First and foremost, the information provided within this guide is for
information purposes only. Any attempt to participate in any of the
activities within this guide is solely the responsibility of the
reader, and neither I, Information Leak, any site that hosts this
material, anyone who prints this material, nor anyone closely associated
with this guide is responsible for what you do with the following
information.

User Agreement
----------------
This guide may be freely distributed and printed as long as the content
of the guide is not altered in any way. This material may not however
be sold in any way, shape, or manner. The information provided within
this guide is free, and shall stay that way.

© Murder Mouse, 2005

www.informationleak.com

===========
| Preface |
===========

If you have read my previous tutorials then you may remember that I wrote
something similar to this a while back called Phreak 2k. I suppose it was
a pretty nice tutorial for its time. I got a lot of positive responses
after writing it, and even got a few comments from people stating that
it was what got them into phreaking. It was great to hear these kinds of
responses, since it actually was what got me into phreaking. Before
writing it I was mostly into computers, and knew little of telecommunications.
I had always believed like many did and still do that phreaking is dead.
Then one day while hanging out in a room someone came in and said that
they were into phreaking. I being rather ignorant at the time laughed at
the guy, and told him that phreaking was dead. Boy was I wrong! After
some choice words that he had for me, he showed me a site that he ran
with some other people. I forgot what this site was called, but at the
time it was simply amazing for me. Pretty soon I was reading into every
site I could trying to find up-to-date information on phreaking. It was
very hard to find at the time through google, since most sites that had
anything on it had for the most part outdated texts from back in the 80s.
I eventually did find some sites with up-to-date information, but the pure
frustration of it made me decide to write a tutorial for people like me.
Beginners with seemingly nowhere to go. As well as to teach those who
didn't know the lesson that I had to learn that fateful day. That phreaking
is not dead. Not even close. Phreaking is as alive as ever, and its
principles for the most part have remained the same (unlike "hacking").
Anyways, so getting back on topic, the tutorial was great, but I've always
felt that there were many points that I wished I had covered. Things I left
out, things I missed, and many things I just didn't even really know at the
time. So that's what brings me to writing this guide. During this guide I
will butcher some of my texts from other tutorials. I think I have every right
to do so since they are my works. At the same time though I will expand on
points that I have made in previous tutorials in order to offer you a
better glimpse into these concepts. As well as to of course offer you a
lot of information that I have never covered before. So I hope you enjoy
this guide, and that it offers you insight into the field of telecommunications.

============================
| Basic Telecommunications |
============================

What? Did you expect me to start you off immediately with phreaking? Perhaps
other tutorials do this in order to achieve better reader satisfaction, but
that's not the way I do things. If you skip over this part then you will
probably (unless you already have prior knowledge of telecommunications) have
a hard time understanding a lot of what I talk about in this guide. So don't
be lazy, just read it through and try to absorb as much as you can of this
information.

So anyways, to better help you understand the wonderful world of telephony,
let's help you understand your local telco. Well, what you must first understand
is that the telco network as a whole is referred to as the PSTN, meaning
the Public Switched Telephone Network. The architecture (being basically the
layout) for a PSTN is known as a star architecture. It's pretty easy to
understand...

     \ | /
      \|/
    __(CO)__
      /|\
     / | \

Sorry for the crappy ass ascii, but you get the basic point. As you can see
there are multiple lines going out from one centralized point. These lines are
the connections for all subscribers in the general area, and the CO in the
middle is the central office, which is the centralized point of operations
for a local telco network. Now of course if this is all there was to the
network then it wouldn't really be much of a network at all, but we're
approaching this understanding in phases. So from here let's talk about the
equipment at the central office, and then we'll extend out from there. Let's
start with switches. These are large computers located within the central
office that are used to route calls over the PSTN. To give you a basic idea
of how they look, here is a page with some pictures of different switches...

www.montagar.com/~patj/phone-switches.htm
As you can see there are many different types of switches. Around here
(I'm in the BellSouth region) most of our switches are either 1AESS or
DMS100. This may be different in your area, and there is a link I will
provide you at the end of this section that will give you a chance to
really get to know your local PSTN. Anyways, the next device you should
know about is a trunk. A trunk is a communications path that is used for
connecting two switching systems in a network in order to establish an
end-to-end connection. Meaning they are in charge of establishing connectivity
on a telecommunications network. However, trunks aren't the only devices
that are used for this purpose. In PSTNs there are also waypoints, devices
that are used in between trunks in order to help establish a connection
between the originating call and its final destination. These devices are
known as tandems. When you refer to their position in the PSTN, you refer to
it as a tandem point. Now that I've reviewed some basic devices with you (I
will cover more later) I should probably go ahead and introduce you to some
basic terminology that you will hear (especially in this guide). The first
thing you must understand is what a LEC is. A LEC is a local exchange carrier,
and is the technical name for your local telco (telephone company). These
LECs, being again your local company, provide service for the local area
within a LATA. A LATA is a local access and transport area, and is what the
LEC is responsible for. Calls that are made from within this LEC's LATA (local
calls) are referred to as intraLATA calls. Calls that are made outside this
LATA (long distance calls) are referred to as interLATA calls, and are handled
by an IXC (IntereXchange Carrier). An IXC is of course a long distance
telephone company, and is used to connect LATAs, thus allowing interLATA
calls. It's also good to note that there are also CLECs, which are competitive
local exchange carriers. This is simply a LEC besides your main LEC. Most
CLECs will use the same local loop that the main LEC owns. You may also see
in some texts LECs referred to as RBOCs, which stands for regional bell
operating company. This is because when Ma Bell was split up, as one of the
first measures to keep the telephony industry from being one big
monopoly, it was originally split into 7 RBOCs, which later became companies
like SBC, Verizon, Qwest, and of course BellSouth. It's also good to note
from here that the acronym for the typical analog-based telephone system
that you will see in your area is called POTS, which simply means plain old
telephone system. Now while we're cramming you with lingo I should go ahead
and explain exchanges. Exchanges are simply groups of numbers. You may
recognize it as the middle three numbers in your phone number. Like for
example if your number was 555-555-5555 then those middle three numbers
(i.e. 555-XXX-5555) would be the exchange you belong to. This is simply a way
COs organize assigned subscriber lines (you, the customer). If you want to
be technical the exchange identifier in a number is known as the NXX, while
the area code (the first three numbers of course) is the NPA. So if we wanted
to be cool and down with the lingo then we can see our number as NPA-NXX-5555.
I would love to tell you what NPA and NXX stand for, but honestly I don't
know, and don't really think it's all that important (but by all means, feel
free to look it up if you like). I should also go ahead and explain CLLI codes
to you, since you're going to have to know at some point. A CLLI (common
language location identification) is an 11 character identifier used to
identify switches and other networking elements and such over a PSTN. You
should also be familiarized with ANI and ANACs. ANI stands for automatic
number identification, and is how the LECs identify the number of a
calling subscriber. The function is similar to caller ID, but the system
itself is completely different. Nowadays everyone uses ANI II, which adds a
whole bunch of features to the system. The most predominant of these changes
adds a 2 digit identifier on top of the ANI result, in order to identify the
service that the calling party is using. An ANAC serves somewhat of a similar
function, but is used by a field technician in order to identify the number
of the line that he/she is hooked up to. These are numbers that you call, and
read back the number of the line you are on. There is a list of toll-free
ANACs you can use on Information Leak...

www.informationleak.net/anacs.txt
While we're babbling on about the lingo it's cool from here to know what LASS
(local area signaling services) codes are. You probably know these as star
services, most notably being *69 (caller id), *67 (call block), *58 (anonymous
call rejection), etc. It's also nice to note that DTMF (dual tone multi
frequency) tones are those pretty little tones you hear when you dial a
number. They are called this of course because it is actually two separate
tones that construct the tone that you hear when you hit a number on your
numpad. So that I don't have to list all the other different tones out there,
here is another link to check out for a list of tones used...
www.tech-faq.com/telephone-tone-frequencies.shtml

Well I know that there is a lot I skipped out on, so when you get the chance
it would be wise to google up some telephony terminology to get acquainted
with. Verizon's website has a pretty nice list. Anyways, as promised earlier,
here is the site that if you don't know about, you really should. This site
will allow you to get all the information you could ever want to get to know
your LEC. Here is the site...
www.telcodata.us
The information it offers includes listed exchanges, CLLI codes, etc. etc.
Anywho, in the next section we will be talking about signaling protocols
over the PSTN. If you have read my Phreak 2k tutorial then you will remember
it being a section from that tutorial. It predominantly talks about ccss7,
since it's becoming the well adopted and adapted signaling protocol for
LECs across the world, though there are still some areas out there that have
not yet implemented ss7 so it's wise to look in your spare time into systems
like ESS as well. So let's move on, shall we?
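
As an added illustration of the numbering formats this section introduces (my own example, not code from the guide or from Information Leak), here is a small Python parser that splits a NANP number into its NPA, NXX and line parts and splits an 11-character CLLI into its fields. The N-is-2-to-9 rule and the 4/2/2/3 CLLI field layout are standard definitions assumed here rather than taken from the text, and all sample values are constructed.

```python
import re
from dataclasses import dataclass

# A NANP number is NPA-NXX-line: area code, exchange, subscriber line.
# Standard NANP notation (assumed here, not spelled out in the guide):
# N is any digit 2-9, X is any digit 0-9.
_NANP_RE = re.compile(r"^\D*(\d{3})\D*(\d{3})\D*(\d{4})\D*$")


@dataclass(frozen=True)
class NanpNumber:
    npa: str   # area code
    nxx: str   # exchange the number belongs to
    line: str  # four-digit line within that exchange

    @property
    def low_end(self) -> bool:
        # NPA-NXX-00xx, the "low end" of the exchange
        return self.line.startswith("00")

    @property
    def high_end(self) -> bool:
        # NPA-NXX-99xx, the "high end" of the exchange
        return self.line.startswith("99")

    def __str__(self) -> str:
        return f"{self.npa}-{self.nxx}-{self.line}"


def parse_nanp(number: str) -> NanpNumber:
    """Split a formatted 10-digit number; raise ValueError if it is not valid NANP."""
    match = _NANP_RE.match(number)
    if not match:
        raise ValueError(f"not a 10-digit NANP number: {number!r}")
    npa, nxx, line = match.groups()
    for label, code in (("NPA", npa), ("NXX", nxx)):
        if code[0] in "01":
            raise ValueError(f"{label} {code} cannot start with 0 or 1")
    return NanpNumber(npa, nxx, line)


def is_valid_nanp(number: str) -> bool:
    try:
        parse_nanp(number)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class Clli:
    # Field layout of a CLLI code (standard definition, assumed here):
    place: str   # characters 1-4: geographic place, usually the city or town
    region: str  # characters 5-6: state, province or country
    site: str    # characters 7-8: the network site (building) within that place
    entity: str  # characters 9-11: the network entity, e.g. a particular switch


def parse_clli(code: str) -> Clli:
    """Split an 11-character CLLI into its four fields."""
    code = code.strip().upper()
    if len(code) != 11 or not code.isalnum():
        raise ValueError(f"CLLI must be 11 alphanumeric characters: {code!r}")
    return Clli(code[:4], code[4:6], code[6:8], code[8:])


if __name__ == "__main__":
    # Constructed sample values, not real subscriber numbers or switches
    for raw in ("555-555-0012", "(555) 555-9950", "555-555-4821"):
        n = parse_nanp(raw)
        print(n, "low end" if n.low_end else "high end" if n.high_end else "middle")
    print(parse_clli("EXAMUSAADS0"))
```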

=================
| SS7 Explained |
=================

Again, as I explained in the previous section, this is a piece from my Phreak
2k tutorial. I knew signaling protocols needed to be covered, and I didn't
feel like writing a whole new piece on the subject so I just ripped it off
of one of my previous works. So here you go...

One of my favorite lines I love to use when explaining such topics
is that one cannot expect to break into something, or take advantage
of something without first understanding how it operates. So therefore
to start off this tutorial, I think it will be nice to first review
how telco operates. I welcome you, the reader, to the world of SS7
(Signaling System 7). SS7 (which is a short acronym for common channel
signaling system 7, also known as ccss7) is an architecture for performing
out-of-band signaling in support of functions established on the PSTN
(public switched telephone network). This includes call-establishment,
billing, routing, and information exchange. It identifies functions to
be performed by a signaling-system network and provides a protocol to
enable their performance. When I speak of out-of-band signaling, I
am referring to signaling that takes place on a separate path than
the path that the conversation is using. In this case, SS7 establishes
a separate digital channel for the exchange of signaling information,
which is called a signaling link. Therefore, when a call is placed,
all the necessary signaling messages (dialed digits, selected trunk,
etc.) are sent between switches using their signaling links, rather
than the trunks (which carry the conversation). This concept of
signaling is extended to the caller with the use of an ISDN D channel
(since SS7 deals with signaling between networking elements).
Therefore, the information that makes up the call is carried over B
channels, while the signaling information is carried over a D channel.
This makes the whole process more robust by allowing signaling
information to be transmitted during the entire duration of the call,
instead of just in the beginning. Now let's get into the structure
of SS7. The simplest design for the signaling network architecture is
called associated signaling. This works by allocating one of the paths
between each interconnected pair of switches as the signaling link.
This architecture works quite efficiently as long as a switch's only
signaling requirements are between itself and other switches to which
it has trunks, and this is the architecture that you can find
implemented in Europe. However, the USA wanted to design a signaling
network that would enable any node to exchange signaling with
any other SS7-capable node. This of course makes signaling much more
complicated when the exchange of signaling is done between nodes that
have no direct connection. This concept of signaling spawned the
North American SS7 architecture. Under this architecture, a
completely new and separate signaling network is defined. There are
three essential components that the network is built on, and these
components are connected by signaling links. The first component we
will discuss is signal switching points (SSPs). These are telephone
switches (end offices or tandems) that are equipped with SS7-capable
software and terminating signaling links. They generally originate,
terminate, or switch calls. The next component is signal transfer
points (STPs), which are the packet switches of the SS7 network.
They receive and route incoming signaling messages towards the proper
destination, and perform specialized routing functions. And finally
there are signal control points (SCPs), that are databases that
provide the information necessary for advanced call-processing
capabilities. Now let's take a look at the link types that are used on
SS7. A links interconnect an STP with either an SSP or an SCP (the
A stands for access). This means that A links handle delivering
signaling to and from signaling end points. Now while an SSP is
connected to its home STP pair through a set of A links, the
reliability of such a link can be provided by deploying an additional
set of links to a second STP pair. These are called E links (the E
means extended), which provide backup connectivity in the event
that the home STPs can not be reached via A links. C links are links
interconnecting mated STPs (the C in this instance, stands for cross).
These links are also used as well to provide reliability in the
instance that other links are unavailable. However, the actual
carrying of signaling messages beyond the initial entry point to the
signaling network, and on to their intended destination is handled by
B/D links. The B (which stands for bridge) describes the
interconnecting peer pairs of STPs, while the D means diagonal and
describes the quad of links interconnecting mated pairs of STPs. Then
there are F (fully associated) links which directly connect two
signaling end points. However, due to the fact that F links bypass
the security features that are provided by an STP, they are not
generally deployed between networks. So now that we understand the
types of links implemented in the switching system, we can discuss
exactly what goes over a signaling link. Well, basically signaling
information is transferred in messages that are called SUs (signaling
units). Now there are three types of SUs that are defined according
to the SS7 protocol. MSUs (message signaling units), LSSUs (link
status signal units), and FISUs (fill in signal units). These SUs are
transmitted continuously in both directions on any given link that is
in service. Signaling points that don't have MSUs or LSSUs to send
will send FISUs over the link (in other words, to make it easy for
those of you who may be scratching your heads now, whenever a
signaling point is not sending information during a call, it is
sending FISUs, which simply fill up the signaling link until it is
needed to send other types of signaling). Now let's take all this
SS7 networking that I have been discussing, and discuss the layers
that compose this protocol. The most obvious layer of the SS7
protocol of course is the physical layer, which defines the physical
and electrical characteristics of the signaling links. The second
layer I will discuss is the MTP (message transfer part), which is
separated into two levels. MTP Level 2 provides the link-layer
functionality that ensures that messages can properly be sent between
signaling links, while MTP Level 3 extends MTP Level 2 to provide
network layer functionality. Another layer used is SCCP (signaling
connection control part), which allows for addressing applications
within a signaling point. These applications are referred to as
subsystems, and include 800 call processing, calling-card processing,
CLASS (custom local area signaling services) services like call
return, etc. Another function featured with SCCP is GTT (global title
translation), which provides the ability to perform incremental
routing. This allows originating signaling points to not have to know
every potential routing destination that will have to be used. The
next layer of discussion is ISUP (ISDN user part), which defines
the messages and protocol used in the establishment and tear down
of calls sent over the PSN (public switched network). In the North
American SS7 architecture, ISUP messages rely exclusively on MTP
to transport messages between nodes. Next is TCAP (transaction
capabilities application part), which defines the messages and
protocol used to communicate between subsystems. Of course, this means
that TCAP uses SCCP for transport. And finally, OMAP (operations,
management, and administration part), which defines messages and
protocol designed to assist administrators of the SS7 network. OMAP
uses both MTP and SCCP for routing. So now that we understand the
layers that compose SS7, let's discuss the addressing scheme used.
Individual signaling points on a SS7 network are assigned to a cluster,
or group of signaling points. Now within this cluster, each signaling
point is assigned a member number. In the North American SS7
architecture, each node is addressed by a three-level address number.
This address number is assigned based on its network, cluster, and
member numbers. Each of these numbers is an 8-bit number and can range
in value from 0 to 255 (sound familiar?). The network number is assigned
nationwide by a neutral party. RBOCs (regional bell operating
companies), major independent telephone companies, and IXCs
(interexchange carriers) already have network numbers assigned. The
cluster that the nodes are assigned to is based on the state which
the node resides in. And of course, as with other network addressing
schemes, 0 is not available for assignment, and 255 is reserved for
future use. Well this pretty much wraps up my explanation of SS7.
If you have reached the end of this section utterly confused, feel
free to read over it again until you can better understand it. It's
important to understand how the PSTN works. It's also nice to note
that not every area on the globe has SS7 implemented in the switching
system, but unless you live in a third world country (or the south), then
most likely the switching system used is SS7.
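
To make the addressing and signal-unit material concrete, here is an added Python example (my own, not from the guide) that converts an ANSI point code between its network-cluster-member form and a 24-bit value, applies the rule the section gives that 0 is not assignable and 255 is reserved, and classifies an MTP Level 2 signal unit as FISU, LSSU or MSU from its length indicator. The header octet layout and LSSU status values come from the MTP2 specification, the "network in the top octet" packing is a convenience chosen here, and the sample byte strings are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Per the guide: each of network, cluster and member is an 8-bit number,
# 0 is not available for assignment and 255 is reserved for future use.
RESERVED_VALUES = {0, 255}


@dataclass(frozen=True)
class PointCode:
    network: int
    cluster: int
    member: int

    def __str__(self) -> str:
        return f"{self.network}-{self.cluster}-{self.member}"


def encode_point_code(pc: PointCode) -> int:
    """Pack the three 8-bit fields into one 24-bit integer, network in the top octet.

    This is a logical representation for display and comparison; the order in
    which the octets travel on the wire is not modelled here.
    """
    for label, value in (("network", pc.network), ("cluster", pc.cluster), ("member", pc.member)):
        if not 0 <= value <= 255:
            raise ValueError(f"{label} {value} is not an 8-bit value")
    return (pc.network << 16) | (pc.cluster << 8) | pc.member


def decode_point_code(raw: int) -> PointCode:
    if not 0 <= raw < (1 << 24):
        raise ValueError(f"{raw} is not a 24-bit point code")
    return PointCode(raw >> 16 & 0xFF, raw >> 8 & 0xFF, raw & 0xFF)


def parse_point_code(text: str) -> PointCode:
    """Parse the dashed 'network-cluster-member' form, e.g. '200-10-5'."""
    parts = text.strip().split("-")
    if len(parts) != 3:
        raise ValueError(f"expected network-cluster-member, got {text!r}")
    return PointCode(*(int(p) for p in parts))


def is_assignable(pc: PointCode) -> bool:
    """Apply the guide's rule: no field may be 0 (unassignable) or 255 (reserved)."""
    return not RESERVED_VALUES & {pc.network, pc.cluster, pc.member}


# MTP Level 2 signal unit header, flags and check bits excluded:
#   octet 0: backward sequence number (7 bits) + backward indicator bit
#   octet 1: forward sequence number (7 bits) + forward indicator bit
#   octet 2: length indicator LI (6 bits) + 2 spare bits
# LI counts the octets that follow it before the check bits:
# 0 means FISU, 1 or 2 means LSSU, anything larger means MSU (63 = 63 or more).
LSSU_STATUS = {0: "SIO", 1: "SIN", 2: "SIE", 3: "SIOS", 4: "SIPO", 5: "SIB"}


@dataclass(frozen=True)
class SignalUnit:
    kind: str  # "FISU", "LSSU" or "MSU"
    bsn: int
    bib: int
    fsn: int
    fib: int
    li: int
    status: Optional[str]  # link status indication for an LSSU, otherwise None


def classify_signal_unit(raw: bytes) -> SignalUnit:
    if len(raw) < 3:
        raise ValueError("a signal unit carries at least BSN/BIB, FSN/FIB and LI")
    bsn, bib = raw[0] & 0x7F, raw[0] >> 7
    fsn, fib = raw[1] & 0x7F, raw[1] >> 7
    li = raw[2] & 0x3F
    status = None
    if li == 0:
        kind = "FISU"
    elif li <= 2:
        kind = "LSSU"
        # The status field follows LI; its low three bits carry the indication.
        status = LSSU_STATUS.get(raw[3] & 0x07, "unknown") if len(raw) > 3 else "missing"
    else:
        kind = "MSU"
    return SignalUnit(kind, bsn, bib, fsn, fib, li, status)


if __name__ == "__main__":
    pc = parse_point_code("200-10-5")  # constructed value
    print(pc, hex(encode_point_code(pc)), is_assignable(pc))
    # Constructed signal units: an idle FISU, an LSSU reporting "out of service",
    # and an MSU whose LI says 12 octets of SIO and SIF follow.
    for raw in (b"\x80\x81\x00", b"\x01\x02\x01\x03", b"\x05\x06\x0c" + bytes(12)):
        print(classify_signal_unit(raw))
```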

=====================
| Exchange Scanning |
=====================

Well now that you hopefully have a decent understanding of telephony, then I
can finally start you off into phreaking. A lot of people immediately want to
get into learning about all the boxes that you can build, since they are
deluded into believing that building and using boxes is all there is to
phreaking. This is simply not true. So in my personal opinion, probably
the best way you can get into phreaking is by starting out with exchange
scanning. It's the method that you will use to discover all those interesting
numbers (VMBs, ANACs, test numbers, etc.), and the sooner you pick it up the
better. Some of you may be wondering what the hell exchange scanning even
is. Well, do you remember earlier when I was talking about exchanges? You
should. If you don't you need to quit reading now and go back and read Basic
Telecommunications again. Anyways, if you do remember, then you will remember
that exchanges are used in order to help group subscriber lines within an
NPA (being again the area code). Each LEC is of course given specific
exchanges that they can use for assigning numbers to. Well, exchange scanning
is dialing down that exchange for any interesting numbers. You may be familiar
with it as wardialing (as shown in the movie Wargames), but it's really only
wardialing if you use a wardialer, and not everybody uses one. In fact, in
many ways it's recommended not to, since a wardialer can't pick up on many
numbers that you might want to know (like VMBs). Personally I use PhoneTag,
because I'm too lazy to dial a whole bunch of numbers by hand, but that's
because I set it to ring 10 times, and listen closely to the modem speaker so
I can hear anything interesting. For your first exchange scan, you will
probably want to go with your own exchange. Not for any specific reason
really, it just happens to be where most people start. If you decide to go
with a wardialer make sure it's one that is capable of randomizing the call
list (like PhoneTag). Nothing says "monitor me" like sequentially dialing
down an exchange. Plus, many LECs have devices that disallow any subscriber
from dialing more than 10 or so numbers in sequence. It also helps if it's
capable of randomizing the time sequence between each call, but I haven't
done this myself and I haven't found it to really affect that much (then
again, BellSouth isn't all that bright at times, so you might want to look
into this in case your LEC is a little smarter than mine). Keep in mind
though that if you have the patience to do so, it really is much better to
handscan, which is simply exchange scanning by hand. That way you can listen
out closely for any interesting numbers that you might miss with a wardialer,
and you can give a nice response to any residential numbers that you might
call, you know like "Oh sorry, I believe I have the wrong number". Most
people will accept this and be less prone to call you back, contrary to
how a wardialer will treat them and just hang up on them (rude little
buggers those wardialers are). If you want to be a little less rude to
your fellow neighbors, it's best to remove them off your planned call list.
The best way to do this is to go to superpages.com, punch in your NPA and NXX,
and then use that site to look up all the listed numbers on your target
exchange. Then just remove these numbers off your list. That way you can kill
off some time on your scanning, and keep from bugging anyone. I should also
mention that it's well accepted that day time is the best time to do
exchange scanning. That way, again, you don't piss anyone off. Personally I
find the best time to do exchange scans is during the mid-morning, or
mid-afternoon hours. Really any daytime hours are ok, but if you are available
during any of these hours then I find it to be best for exchange scanning
since most people are off at work at the time. Now that I've gone over this,
it's good from here to establish exactly which part of the exchange you're
going to scan. If you have the time, then it's of course best to scan from
NPA-NXX-0000 to NPA-NXX-9999, but maybe you don't have this patience. So if
you are looking for the service numbers like the test numbers and such, then
to help cut down on your scanning you might want to scan the low end
or high end of your target exchange. Different LECs have their service numbers
on different portions. Around here, most of the interesting numbers are on
the low ends, but I know a lot of other regions have more luck scanning the
high ends. So it's best to just scan both yourself, and get a feel for which
one you have better luck with. In case you don't understand what I'm talking
about with ends, NPA-NXX-00xx (where the last xx is 00-99) is a low end
scan, and of course NPA-NXX-99xx (where again, the last xx is 00-99) is a
high end scan. This is usually where those fun numbers you love are
located, but I also know of some areas that have these numbers thrown right
down in the middle. So if you have the time, you should try just scanning the
entire exchange, since there are still many other interesting numbers to
be found outside the low and high ends. So now that you're ready to scan, I'll
close this section out by helping you understand identifying the numbers you
come across...

Carriers - these are also known as dial-in modems, and are of course dial-in
devices that allow you to interface with the system behind it. You may
remember this if you watched Wargames as being how that kid in the movie
was breaking into all those networks. Well, you won't believe just how
many there still are. Carriers can easily be recognized as being the exact
same tone you hear when you connect to the internet with a dialup connection.
Fax Machines - I really doubt I need to explain to any of you what a fax
machine is, but I will help you identify when you've came across a fax
machine. When you dial into a fax machine, it will sound a little like a
carrier except that it will sound a bit off. It's kind of hard to explain,
but when you hear one and then the other then you will know what I'm talking
about.
Milliwatt Test Numbers - you may and probably will find a lot of these numbers
when exchange scanning, since I've found them to be probably the most
prominent of the types of test numbers there are. These are used by field
technicians for testing a whole range of problems with a line. You can recognize
these as having a low consistent tone.
Sweep Test Numbers - these numbers are a little harder to find, but can be
very useful for you if you come across them. They are hard to miss
if you dial into one, since you will hear somewhat of
a wave of different tones blasting through your line that is approximately
30 seconds long. If you come across them then you can use them to test for
any bugs on your line, specifically the infinity-transmitter style taps.
Just call the number and let it play. If you hear any audible clicks while
the tone is blaring down your line, then there is a good chance that you're
being tapped.
Loop Numbers - you will see these numbers mentioned in earlier phreaking
texts, but not quite as often mentioned anymore. This is because most loop
numbers have a voice filter now that makes them completely useless. How they
work is that you dial into the high end loop, and then have your buddy or
whoever dial into the low end. These numbers are usually assigned in
succession. Like say if you were to dial into the high end and the number was
NPA-NXX-9999, then you'd have your buddy call like NPA-NXX-9998. You can
recognize if you have dialed into a high end loop number, because you will
hear this constant annoying tone until your buddy or whoever calls the
low end. Then there will be dead silence. If it for some reason has not had
a filter placed, then this is where you would talk, but again, usually these
things are filtered so most are useless now.
Quiet Termination Numbers - these numbers are used in order to connect
the caller to a fixed resistance. If you dial a number, and you hear nothing
but dead silence then this is a quiet termination number (or perhaps the
low end of a loop, if you want to be sure call the number right after it
and see if you hear that familiar high end loop tone I was telling you about).
ANACs - these are a little bit harder to fish out immediately because they
are just a common recording. Some ANACs will read off the number immediately
after it picks up, while others may want you to go through a menu in order to
use the feature. The best thing for you to do in order to find ANACs is when
you dial into a recording just give it a chance for a second so you can hear
what it's telling you. If you hear the number, or hear a menu option that
says to read off your number or whatever then of course you have an ANAC.

PBXs - I will dedicate an entire section to this later concerning what they
are and how to exploit them, but it stands for private branch exchange, and
is like an internal phone network. I will explain more about this later, but
basically when you're scanning for these you'll be looking for the DISA
port, which is an administrative port for the PBX. There are wardialers
out there that can scan for these ports (i.e. PBX Scanner). You can recognize
these with a low sounding tone, here is a recording...
http://artofhacking.com/cgi-bin/wwfs/wwfs.cgi?AREA=109&FILE=PBX1.WAV

DATUs - these are fantastic finds if you come across them. They aren't
always called DATUs (like here they're called VoiceSystems), and some operate
differently than others. You can recognize these because they will start off
sounding like a DISA port, but will go through half of the ring and then
be cut off by the low tone. More will be explained on how to exploit
these later.

VMBs - fishing these out is kind of like fishing out ANACs. You have
to listen carefully to any recording you hear during your scanning, because
you never know what it is. These are of course voice mail boxes, and are used
by corporations and the like as, well, basically answering machines. That
way they can keep up with the business of being business people, or whatever.
Anyways, the recording will identify itself as someone's voicemail system, or
just ask you for your box number.

Also I should add that there are special, unpublished exchanges that you can
try to scan once you get the hang of it. To find unpublished exchanges that
might be in your area you can go back to telcodata.us or nanpa.com. If you go
to NANPA look for Central Office Code Assignments that are close to your area
(keep in mind, Utilized means used). After you have a list of assigned
exchanges, compare the results to the exchanges that are listed in your phone
book. If you see one on your list that isn't in the phone book then you have a
special exchange. These can be a treasure trove of interesting numbers if you
give them a scan. Well that's it for this section; by now you should be armed
with enough information to take your LEC by storm.

==================
| Hacking PBXs |
==================

Now let's get into hacking PBXs. To expand on what I was saying in the exchange
scanning section, PBX stands for Private Branch eXchange, which is an internal
phone network used by medium and large organizations for sharing a number of
external lines among a larger number of phones within. You remember when you
were in school (or are in school) and had to hit 9 before dialing a number?
That's because your school used a PBX. PBXs are used because they are much
more cost effective than having to give every phone its own line. The structure
of a PBX is basically a bunch of lines hooked to an outbound trunk. There's a
little more to it than that, but that's enough to give you a good idea of how
one is structured. Just to drive the point home, here is another example of
my ascii artistry...

      (1)
        \
   (2)___\___[trunk]---> LEC
         /
        /
      (3)

Of course, this diagram is extremely dumbed down, but you get the point. The
()s in this diagram are the phones in the organization, and they are hooked
together to an outbound trunk that interfaces them with the outside, being the
LEC. So what is the benefit for you in exploiting one of these systems? Well
if you take control of a PBX, then you can dial out from there and call
wherever you want, leaving the organization that owns the PBX with the tab.
So how do you exploit them? Well there are two ways that you can accomplish
this feat. One is hacking the DISA ports (don't worry, more will be
explained about this later), the other is social engineering someone within
the PBX into dialing out for you. We will discuss the latter of the two first
since it is the easiest, and then talk about exploiting the DISA ports. The
social engineering scheme is pretty easy. What you do is either beige box
a line, or call up from a payphone to any midsized to large organization, and
give them the following ploy put together by my good friend Halla...

"Hello, my name is William Higgens with AT&T. We are doing
some work on the poles and need to get a line check so nothing gets
crossed. I've been asked by the field line engineers to call you
and have you dial 90 so that I can relay the line information to
them. Thank you, and sorry for any inconvenience."

How does this help? Well of course as I said, you remember hitting 9 when you
had to dial out from within a PBX, right? Well, 0 of course is the extension for
the operator. So when the poor employee that you contacted does you that nice
favor of dialing extension 90 for you, then you have dialed out on that
outbound trunk, and any charge you run up will be thrown to the organization.
When you reach the operator simply tell him/her that you are having trouble
dialing a number or something like that and need him/her to reach the number
for you. The operator will ask you what number you are attempting to reach, and
you should of course know what to do from here. You can improvise on the social
engineering skit above to change the AT&T part to your local LEC, and the name
if you wish to whatever you like. It's just an example to give you an idea of
how it works. Also if you want to dial a number outside of your country, just
ask for extension 900. Keep in mind that it will obviously be much harder to
convince anyone that a field technician needs to reach an international
operator, but hey, there are stupid people out there. So now that you understand
how to social engineer a free long distance call out of a PBX, let's talk about
hacking the DISA ports. DISA stands for Direct Inward System Access, and these
ports are used for administration of a PBX by its administrator. These
really aren't that hard to exploit at all. You just need to find the number for
a DISA port. So how do you do this? Well you are going to have to do a little
scanning. There are a lot of wardialers out there that you can configure to
scan for PBXs, but here is one you can use solely for this purpose...
www.informationleak.net/pr0g/pbx_scan.zip
Once you have this scanner downloaded, extracted to a folder, and configured
then just start scanning away. It shouldn't be that risky to scan from your
house, since you haven't done anything illegal just yet. If you are really
feeling that insecure about leaving your number with the target PBX then you
can take a laptop out in the field, and beige box your modem wire into
somebody else's line. It's also best to scan for toll-free PBXs, so you can
call them from anywhere, but locals are fine too I guess. Anyways, if you are
scanning from home don't EVER call back any PBX you find. I can't stress this
enough. One call in and hang up doesn't look all that suspicious to a PBX
administrator, but two definitely will, and if you are trying to hack into it
from your house then you might as well go to the police station right now and
turn yourself in. Anyways, once you have a PBX you go out at a different time
to a payphone or a different line and call up the PBX.
After you have pushed through the tone, your task from here is to guess the
password used on the DISA port. This isn't really as hard as it may sound.
There are many common passwords that are used on these ports that you can use
to your advantage. You basically have two options here. First try 9#, then 8#,
and on down the keypad in this fashion. This doesn't usually work anymore, but
is worth a shot. After this you can try the usual four digit pass codes. 1111,
1234, 1000, 4321, etc. Just try down the keypad with the kind of pass code
schemes mentioned above. If you hear a dial tone when pushing through a pass
code, then that means that you just hacked the DISA port, and can use it as you
like to dial out wherever you like. If you use the above schemes down the keypad
and come up with nothing, then just say fuck it and move on to another PBX.
There are too many out there to worry about one. Also, needless to say, when
you're hacking the DISA port you should be doing this after office hours, like
the middle of the night (though that depends on the business running the PBX).
Anyways, on to other things...

==================
| Hacking VMBs |
==================

You know, there have been so many tutorials on hacking VMBs written that anything
I wrote here would just be repeating the same crap. So instead of regurgitating
the same information that has already been so well documented I thought it best
to just link you to some tutorials on this subject. If for some reason any of
these links die then go to a search engine (like google.com) and search for the
title that is listed by the link (including the quotation marks)...

http://www.oldskoolphreak.com/tfiles/phreak/meridian.txt - "Hacking Meridian Mail Boxes"
http://www.oldskoolphreak.com/tfiles/phreak/octel.txt - "Hacking Octel Voicemail Boxes"
http://www.oldskoolphreak.com/tfiles/phreak/vmb.txt - "Hacking Voicemail Boxes"
http://9x.tc/9x/rawtext/9X_1CON.TXT - "Inpho on 1Connect VMBs"
http://9x.tc/9x/rawtext/9X_CINDI.TXT - "HACKING THE CINDI VOICEMAIL SYSTEM"

===================
| Hacking DATUs |
===================

What can I say? I'm in a lazy mood today. So I will do the same thing for this
section that I did for the last one. The topic has been very well-documented
in the past, and I have nothing new to really add to it. So as before here are
links to different tutorials that you can read to become familiar with DATUs
and how to gain access to them...

http://9x.tc/9x/rawtext/9X_DATU.TXT - "DATU FOR DUMMIES"
http://www.hackcanada.com/blackcrawl/telecom/datu.txt - "OFFICIAL DATU DOCUMENTATION"
http://www.totse.com/en/phreak/phone_phun/165500.html - "Using Your Local DATU"
http://www.hackcanada.com/canadian/phreaking/datu_guide.txt - "An Introductory Guide to DATU Systems"

I'll try not to resort to this measure anymore or this won't be much of a guide
at all, but I just really didn't have anything new to add to this section or
the last one. Still, the point of this guide is to introduce you to phreaking,
and these tutorials will definitely help introduce you to accessing these
systems.

==================
| ANI Spoofing |
==================

ANI, as I explained in the Basic Telecommunications section, stands for
Automatic Number Identification. It is how a subscriber is identified over
the PSTN, and is a part of the Inward WATS service (wide area telephone
service). Unlike caller ID, it is split into two separate identifications: a
two digit identifier for the type of service that the caller is calling from,
and the number itself. The service currently used is ANI II. For your
convenience I'm going to list the ANI II service information digits as defined
in the ANI II standard, and presented by the all-knowing Wikipedia...

00 - Plain Old Telephone Service (POTS), a standard non-coin telephone.
01 - Multi-party line, typically 4-party or 8-party service. The operator will
     come on to ask for the caller's telephone number.
02 - ANI failure. The operator will come on to ask for the caller's telephone
     number.
03-05 - Not used.
06 - Used for multiple customers from the same telephone number, such as in
     hotels where they do not also automatically identify the room number.
07 - This caller requires special handling by an operator. Where this cannot be
     accomplished, the caller is given a recording telling them their call could
     not be completed.
08-19 - Not used or reserved for specialized functions.
20 - Used by PBX systems where the caller is dialing out using the main number
     rather than, say, a specific number assigned to that station on that PBX.
21-22 - Not used.
23 - Status as to whether caller is using a coin telephone or non-coin telephone
     cannot be determined.
24 - A call from a non-coin telephone to a toll-free number has been converted
     to its regular telephone number.
25 - A call from a coin or prison telephone to a toll-free number has been
     converted to its regular telephone number.
26 - Not used.
27 - Network signalling controlled coin telephone.
28 - Not used.
29 - Call from a prison telephone (which usually only allows 0+ collect service).
30 - Call to an unassigned number that is to be routed to a recording.
31 - Call to an assigned number that has been manually placed out of service.
32 - Call to a recently disconnected number.
33 - Not used.
34 - Operator assisted call for which billing has been completed.
35-39 - Not used.
40-49 - Reserved for local use by carrier.
50-51 - Not used.
52 - Outward WATS call.
53-59 - Not used.
60 - Non-coin caller using a TRS (transport provider).
61 - Call from PCS/Cellular system user over Type 1 trunk.
62 - Call from PCS/Cellular system user over Type 2 trunk.
63 - Call from PCS/Cellular system user who is roaming on another provider's
     network. Number is generally a temporary number assigned to that user while
     roaming on that network.
64-65 - Not used.
66 - Caller from a hotel using a TRS (Transport provider).
67 - Caller from a restricted line using a TRS (Transport provider).
68-69 - Not used.
70 - Coin telephone which is not network signalling controlled.
71-92 - Not used or reserved for other uses.
93 - Call coming from a Private Virtual Network.
94-99 - Not used.
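
As an added example (not code from this guide), here is how a system on the
receiving end might split an ANI II delivery into its information digits and
number, and flag the codes from the table above for which the delivered number
is not a verified identity of the calling station, plus the NPA-000-0000
readback that the ANI spoofing text below describes. The sample deliveries are
constructed.

```python
# Added example: parse an ANI II delivery (two information digits followed by
# the 10-digit NANP number) and flag codes that do not identify the station.
import re
from dataclasses import dataclass, field
from typing import List

# Information digits from the table above; codes absent here fall in the
# "not used" / "reserved" ranges handled by describe_ii().
ANI_II_CODES = {
    "00": "Plain Old Telephone Service (POTS)",
    "01": "Multi-party line (operator asks for the number)",
    "02": "ANI failure (operator asks for the number)",
    "06": "Multiple customers on one number, e.g. hotel",
    "07": "Requires special handling by an operator",
    "20": "PBX dialing out on its main number",
    "23": "Coin/non-coin status cannot be determined",
    "24": "Non-coin call to toll-free number, converted",
    "25": "Coin or prison call to toll-free number, converted",
    "27": "Network signalling controlled coin telephone",
    "29": "Prison telephone",
    "30": "Unassigned number routed to a recording",
    "31": "Assigned number placed out of service",
    "32": "Recently disconnected number",
    "34": "Operator assisted call, billing completed",
    "52": "Outward WATS call",
    "60": "Non-coin caller using a TRS",
    "61": "PCS/Cellular user over Type 1 trunk",
    "62": "PCS/Cellular user over Type 2 trunk",
    "63": "PCS/Cellular user roaming (temporary number)",
    "66": "Hotel caller using a TRS",
    "67": "Restricted line using a TRS",
    "70": "Coin telephone, not network signalling controlled",
    "93": "Private Virtual Network",
}
# For these codes the network did not establish the number itself: an operator
# asks the caller (01/02/07), a PBX shows its main number (20), or the number
# is a temporary roaming assignment (63). Billing or screening logic should
# not treat such a number as a verified identity of the calling station.
CALLER_ASSERTED = {"01", "02", "07"}
INDIRECT_NUMBER = {"20", "63"}
COIN_OR_PRISON = {"25", "27", "29", "70"}
NANP_PART = re.compile(r"[2-9]\d\d")  # NPA and NXX cannot start with 0 or 1


@dataclass
class AniRecord:
    ii: str
    description: str
    npa: str
    nxx: str
    line: str
    flags: List[str] = field(default_factory=list)


def describe_ii(ii: str) -> str:
    """Description for a pair of information digits, reserved ranges included."""
    if ii in ANI_II_CODES:
        return ANI_II_CODES[ii]
    n = int(ii)
    if 8 <= n <= 19 or 71 <= n <= 92:
        return "Not used or reserved"
    if 40 <= n <= 49:
        return "Reserved for local use by carrier"
    return "Not used"


def parse_ani(raw: str) -> AniRecord:
    """Split 'II NPA-NXX-XXXX' (separators optional) into its parts and flag
    deliveries that should not be trusted as the calling station's identity."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) != 12:
        raise ValueError(f"expected 12 digits (II + 10-digit number): {raw!r}")
    ii, npa, nxx, line = digits[:2], digits[2:5], digits[5:8], digits[8:]
    rec = AniRecord(ii, describe_ii(ii), npa, nxx, line)
    if ii in CALLER_ASSERTED:
        rec.flags.append("caller-asserted-number")
    if ii in INDIRECT_NUMBER:
        rec.flags.append("number-is-not-the-station")
    if ii in COIN_OR_PRISON:
        rec.flags.append("coin-or-prison")
    if nxx == "000" and line == "0000":
        # The area code followed by 000-0000 is what an ANAC reads back when
        # the switch upstream did not forward ANI (see the text below).
        rec.flags.append("ani-not-delivered")
    elif not (NANP_PART.fullmatch(npa) and NANP_PART.fullmatch(nxx)):
        rec.flags.append("malformed-nanp-number")
    return rec


if __name__ == "__main__":
    # Constructed sample deliveries; 555-01XX numbers are fictional.
    for sample in ("00 212-555-0100", "02 212-000-0000", "20 212-555-0100"):
        r = parse_ani(sample)
        print(f"{r.ii} {r.npa}-{r.nxx}-{r.line}: {r.description} {r.flags}")
```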

So now that we've gone over ANI let's get into the point of this section, how to
spoof ANI. Why would you even want to spoof ANI? Well there are two main reasons
for doing so. One is if you want to reach a system without revealing your
original point of calling (if this is your purpose then this should be used in
conjunction with beige boxing, which will be explained later). Two, you can of
course use it for making free calls, which is what it's usually used for. This
technique was discovered and released by Lucky225, so show respect to the smart
little bugger that made this possible. Well what you will want to do first is
get some ANACs to use. For a list of toll-free ANACs that you can use go here...
http://www.informationleak.net/anacs.txt

Now call up your local operator and tell him/her that you are having trouble
dialing a number and ask if he/she will dial a number for you. The operator will
ask you for the number, and you give him/her the number of an ANAC (be sure to
test the ANAC first before you try to use it for ANI spoofing). Then when it
reaches the ANAC listen for the number that is read back. If the number is
the area code and number of the line you're on then you know that the operator
has the ability to forward ANI. If the ANAC reads back your area code followed by
000-0000 then you know that it doesn't forward ANI. If this is the case, then
you can use this by getting the operator to forward you to the number of another
operator (use a search engine to find the numbers of different service
operators). Then when you're ready to spoof ANI for the call, call up the
operator and ask him/her to call up the number of the other operator that you
got. When you reach the next operator and he/she asks for your number, give
him/her any number. This should be a real number, but not of anybody you know.
Just pick one out of the phone book or something. If they allow the line itself
to be billed, then you will be able to make your call on somebody else's tab.
If your operator does forward ANI, another solution you have is to use a call
forwarding service to help spoof the ANI of your session. Here is one example
of a service that offers this...
www.yac.com
Simply use the call forwarding service to forward the session to an operator, and
then have the operator forward you to an ANAC. Then test to see if your ANI was
spoofed. If it was then do the same as above to spoof your point of origin, or
to just make free calls. Enjoy...

========================
| Caller ID Spoofing |
========================

Well I figured since I just finished teaching you how to spoof ANI, I might as
well teach you how to spoof caller ID. Never confuse caller ID spoofing with
ANI spoofing. They are two completely different services. Spoofing caller ID
will not spoof your ANI. So what good is caller ID spoofing then? Well it's
basically good for shits and giggles. It can be good for prank phone calls, but
shouldn't be depended on for keeping the source of the call anonymous since the
phone company can still trace the call back to its origin. It can also be
something slightly amusing to do when you're bored on the phone with one of
your friends.

First, before I get into spoofing caller ID, I will explain how caller ID
works. It's basically like this. Your CO first sends two tones to you when a
call comes in. The first is a SAS (Subscriber Alert Signal) tone, which is just
a normal call waiting beep. The second is a CAS (Customer Premise Equipment
[CPE] Alert Signal) tone. The CAS tone informs your CPE (caller ID device) that
there is a call waiting call coming in. The CPE then mutes your handset and
sends through an acknowledgement DTMF tone to signal to the CO that it's ok to
send through the caller ID information. The CO then responds to this by sending
through an FSK transmission. Your CPE receives this information and promptly
displays it on the screen for you to see.

So now that you understand how caller ID works, let's get into how to spoof
caller ID. Well for this you are going to need an orange box. What the hell is
an orange box? Well an orange box is a device or software that spoofs the tone
sent to the CPE in order to display whatever information you want it to
display. If you want to build one yourself then what you will first want to do
is get caller ID on your service if you don't already have it. Then take off the
CPE and call your line from another line. You will hear the CAS, the
acknowledgement DTMF tone (A or D) sent to the CO, and the FSK transmission the
CO sends back. Take a microrecorder and record the FSK transmission that is sent
back. Then you can push this tone through after the phone is picked up to
whoever you want, and their CPE will display the information you sent through.
You can generate the CAS tones (an orange box) by buying a tone dialer from
Radio sHACK and replacing the 3.58 MHz crystal with an 8.192 MHz crystal. You
can then hit the * button to generate the CAS tone. You can generate the DTMF A
and D acknowledgement tones with a silver box, which you can get the plans for
below...

www.totse.com/en/phreak/boxes_old_and_new/silver02.html

Of course, all this is kind of pointless if you have a computer (which you
probably do if you are reading this) since you can just download a program to
generate the tone for you, without paying for all the equipment. The program
is S.O.B and you can download it from the link below...
www.artofhacking.com/orange.html

The use of this program is pretty simple to understand. You put whatever number
you want to be displayed in the Number field, and whatever name you want to be
displayed in the Name field. You can use the Privacy button to simply display
"Out of Area" or "Private" on the CPE (which isn't really fun, since it's just
like hitting *67). You can use the Format button to change the format that the
tone is to be sent as: Call Waiting if they have call waiting, Standard if
otherwise, and I'm not even sure about SDMF. You can use the Timestamp button in
order to change the timestamp that is recorded on the CPE. I guess just in case
you want to make it seem like the call was made at a different time. That's
pretty much the layout for how to use S.O.B.

Before I close this section out I need to remind you of a couple of things.
First off, when using this device your actual caller ID will be listed on the
caller ID device first. You can resolve this problem by using *67 in
conjunction with the orange box, but unless the person you are calling is an
idiot it will not fool them a bit if they checked the CPE before picking up the
phone. Secondly, to use the orange box you have to wait till the party picks
up. Nothing is listening for your tone until the party picks up. At the
earliest you can push through the tone the very second the party picks up, but
that's about it. Also I figured I'd repeat that this will not keep the call
from being traced. There is still a lot that is left behind during these calls,
including your ANI. So if you are using the orange box for something criminal
or extremely annoying then it's best to use it in conjunction with ANI
spoofing, beige boxing, or something of the sort. Also this will not spoof your
caller ID on a cell phone subscriber (as in if you try to spoof your caller ID
when calling your buddy's cell phone). Cell phones use a completely separate
digital signal for identification of a caller, and this tone will not do
anything but give your buddy a loud, annoying tone to listen to. Anyways,
moving on...
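
As an added example from the CPE's side (not code from this guide, and not the
S.O.B program), here is a decoder for what the FSK transmission described above
carries once demodulated: a Bellcore SDMF or MDMF message whose only integrity
check is an arithmetic checksum. It shows why a CPE can reject a corrupted
message but has no way to tell an orange-boxed message from one the CO sent.
The sample messages are constructed.

```python
"""Decode the demodulated caller ID message a CPE receives after the CAS/DTMF
handshake described above. Added example; sample bytes are constructed."""
from dataclasses import dataclass, field
from typing import Dict

SDMF = 0x04  # single data message: date/time and number only
MDMF = 0x80  # multiple data message: tagged parameters (number, name, ...)

MDMF_PARAMS = {
    0x01: "datetime",       # MMDDHHMM, no year
    0x02: "number",
    0x04: "number_absent",  # "O" out of area / "P" private
    0x07: "name",
    0x08: "name_absent",
}


@dataclass
class CallerId:
    fmt: str
    datetime: str = ""
    number: str = ""
    name: str = ""
    params: Dict[str, str] = field(default_factory=dict)


def checksum_byte(data: bytes) -> int:
    """Two's complement of the modulo-256 sum, sent as the last byte."""
    return (-sum(data)) % 256


def checksum_ok(msg: bytes) -> bool:
    # Arithmetic only: any sender that can put FSK on the line can produce a
    # valid checksum, so the CPE has nothing that authenticates the source.
    return sum(msg) % 256 == 0


def decode(msg: bytes) -> CallerId:
    """Parse type, length, body and checksum; raise ValueError on damage."""
    if len(msg) < 3:
        raise ValueError("message too short")
    if not checksum_ok(msg):
        raise ValueError("checksum mismatch")
    mtype, length, body = msg[0], msg[1], msg[2:-1]
    if len(body) != length:
        raise ValueError(f"length byte {length} != {len(body)} body bytes")
    if mtype == SDMF:
        text = body.decode("ascii")
        return CallerId("SDMF", datetime=text[:8], number=text[8:])
    if mtype != MDMF:
        raise ValueError(f"unknown message type 0x{mtype:02x}")
    cid = CallerId("MDMF")
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated parameter header")
        ptype, plen = body[i], body[i + 1]
        value = body[i + 2:i + 2 + plen]
        if len(value) != plen:
            raise ValueError("truncated parameter value")
        key = MDMF_PARAMS.get(ptype, f"param_{ptype:02x}")
        cid.params[key] = value.decode("ascii")
        i += 2 + plen
    cid.datetime = cid.params.get("datetime", "")
    cid.number = cid.params.get("number") or cid.params.get("number_absent", "")
    cid.name = cid.params.get("name") or cid.params.get("name_absent", "")
    return cid


def frame(mtype: int, body: bytes) -> bytes:
    """Type + length + body + checksum; used only to build the samples."""
    head = bytes([mtype, len(body)]) + body
    return head + bytes([checksum_byte(head)])


# Constructed samples: a fictional 555-01XX number and a made-up name.
SAMPLE_SDMF = frame(SDMF, b"12251030" + b"2125550100")
SAMPLE_MDMF = frame(MDMF, bytes([0x01, 8]) + b"12251030"
                          + bytes([0x02, 10]) + b"2125550100"
                          + bytes([0x07, 7]) + b"ACME CO")
SAMPLE_PRIVATE = frame(MDMF, bytes([0x01, 8]) + b"12251030"
                             + bytes([0x04, 1]) + b"P"
                             + bytes([0x08, 1]) + b"P")

if __name__ == "__main__":
    for sample in (SAMPLE_SDMF, SAMPLE_MDMF, SAMPLE_PRIVATE):
        print(decode(sample))
    # A flipped byte is caught by the checksum; a well-formed spoof is not.
    corrupt = SAMPLE_MDMF[:-1] + bytes([SAMPLE_MDMF[-1] ^ 0x01])
    print("corrupt accepted:", checksum_ok(corrupt))
```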

==================
| Beige Boxing |
==================

I don't even know why I'm making this topic its own section, but here it is.
I'm not going to try to make this sound like a science, because it isn't. It's
just beige boxing. However, you will need to have one on hand for those anonymous
calls you need to make. There are many ways that you can beige box. The most
basic beige box is just a handheld phone with the end of the wire clipped and
alligator clips attached. We have a pretty extensive tutorial on the site on
how to put together a beige box that would be good for you to read. You
can find this at the link below...

www.informationleak.net/beige.txt
So if you read through that then you should have a good idea of how to beige
box. The best part about that text, which gives it an advantage over other beige
boxing texts, is that it also goes into more detail on how to PROPERLY use it.
As an added tip on my part, so that this isn't just a link, I'd definitely
suggest using a phone cord extension for your modifications. It's very
cheap to get one, will allow you to get farther back from the TNI, and won't
destroy a perfectly decent phone for your beige box construction. Also if you
are using this neat little tool to do something like break into PBXs, then it's
best to use this method in conjunction with ANI spoofing to make the trail just
that much harder to track down. Also what I think they didn't put enough emphasis
on is to use phone cards if you're doing this just to make calls. That way you
can hold access on the same TNI without a huge toll charge showing up and
getting reported. If you are too cheap to even buy a phone card, then you can
walk to Walmart or anywhere that sells phone cards and discreetly (as in make
DAMN sure you aren't noticed) scratch off the bar on the back. Make sure the bar
is completely removed so it looks like the card just came that way. Then copy
down the phone card number, and the phone number to call to use the phone card.
Then just put the phone card back on the shelf. Then just call up the number you
got every couple of days or so until the card is activated (someone buys it).
Then there you go, you got minutes to use. This is pretty lame though, since
there are less risky ways to make free calls, and you're just stealing small
change right out of someone's pockets. I just figured I'd throw it out there.
Anyways, that's it for this section, on to red boxing...

================
| Red Boxing |
================

Well since I just got done reviewing beige boxing for you I figured I'd go ahead
and jump to red boxing. Red boxing, for the very few of you in the world who
for some reason don't know, is using a device that allows you to make free
calls on a payphone. There has been a lot of buzz going around over the last
couple of years that red boxing is dead. Well no, it's not dead yet, but it's
pretty damn close to it. The tones generated with a red box are called ACTS
(Automated Coin Toll System) tones, and are used on older systems for coin
verification. With the advent of digital signaling being implemented on many
networks the use of this is dying out. For example you can't use any equal
access code belonging to AT&T to red box your calls. As so many articles
whining about how dead red boxing is have explained, AT&T doesn't accept red
box tones anymore. So how do you red box? Well first I'll tell you how to make
one. There are many ways to make a red box. The method I will be talking about
is probably the cheapest way to make a red box. Just download red box tones off
any site out there (the tone generator I mentioned earlier in the Hacking PBXs
section has this feature included). Hell, you can grab other tones as well
if you please and make what I'm about to get into a multi-purpose tool. Now
for this you will need a cd burner. If you don't have one, I'm sure you have a
friend who does. Now take the tones and burn them onto an Audio CD using some
software like Nero. Then test them out on your cd player. This is to make sure
that it burned correctly (I've noticed that sometimes Nero screws up when burning
small sound files like tones). For this idea you should have a portable cd
player. Now just take off the cotton bit on your headphones, and you have a
red box. To make it more efficient, you can get one of those rubber cups, cut it
a bit so that it fits over your headphones, and melt it back on. That way you
can use the rubber cup to block outside noise. The key when using tones is
clarity. Phone networks are very precise when it comes to the tones used, and
if the tone is the least bit off then it'll give you away. Keep in mind you could
also just use an mp3 player. Anyways, so now that you have your red box, how do
you use it? Well go up to a payphone and hit 411. Give them some information in
order to "find" the phone number for you, and when they ask if you want them
to put you through to this number say yes. Then push through your tones. Be
sure before you do that you didn't do something stupid like leave Bass Boost
on your cd player. Remember, CLARITY IS THE KEY. I remember hearing one time
about this phreaker a couple of counties over that got busted for red boxing.
The operator apparently knew that he was trying to red box, but forwarded him
through anyways and then called them to go out there and arrest him. So yeah,
be careful. Try to keep your call as short as possible, and just in case don't
mention anything about red boxing the call when you're connected. Sometimes
operators have been known to stay on the line for a few seconds after the call
has been connected if they suspect that the call was red boxed. Maybe this isn't
true, but it's better to be safe than sorry. Anyways, I'm not sure exactly how
long this technique will be valid. Red boxing is little by little becoming more
of a piece of history than a currently valid technique, but until then you can
still have fun. Keep in mind that red boxing currently only works for local
calls so that might not make it very useful for many, but at least it saves you
some pocket change when you need to make a call. Also if you need any more ideas
my homie G dogg P(?)NYB(?)Y wrote a pretty decent tutorial on red boxing modern
payphones which you can read here...
http://www.informationleak.net/redboxing.txt

Have fun...

===================
| Phone Tapping |
===================

Well there are many ways to listen in on phone conversations, and I figured that
instead of splitting them all off into different sections that I'd just throw
them all into one. So without further crap, here is how you spy in on phone
conversations...

Method 1: Simple Line Tap
-------------------------
First I will discuss the most basic method of line tapping, which is simply
bugging the line. To do this you can go to your local Radio sHACK and pick up
a phone recorder. Every single one I've been to sells them, since there are a
lot of jealous spouses and paranoid parents that want to know what their
spouses/kids are up to. The price for these varies depending on what they
include, and the cheapest ones price in around 10 bucks. If you get the cheap
kind, you still need a tape recorder to plug into the recorder, but in the end
it's still cheaper than most of their other recording products. If you have
access to the inside of the house, as in if you are a perfect example of the
kind of person I just listed, then no modification is necessary. Just hook it
up exactly as they say, and you're set to go. If it is someone else outside your
house that you want to tap then you can do the same as mentioned, but hook it up
to a TNI box. To do this just get a phone jack extender, cut the majority of
the wire, and strip the last bit. Then hook your alligator clips to the line.
Then strip the wiring on the other side and do the same. Then hook this up to
the line inside the TNI box, hook up your tape recorder, and you're set to go.
I know that explanation wasn't exactly detailed, but you should see what I mean
when you have all your parts. It's basically the same concept as when you were
reading up on hooking up a beige box.

Method 2: Frequency Scanning
----------------------------
If you can afford it, then frequency scanning can be a better way to accomplish
this task. It works for cordless phones, both 900 MHz and even the ones that
go into the GHz range, depending on the type of scanner you bought. The
cheapest ones will only reach up to around 500 MHz, but the better ones will
reach higher. You can buy these from, again, Radio sHACK, or basically any
distributor (I'd suggest online shopping, like on eBay; you might get a cheaper
price on a good scanner that way). The use of frequency scanners actually
branches out into a whole new field of fun on its own, since there is a lot
of fun to be had with these (like the Phone Losers prank against Wendy's). This
can also be used on cell phone conversations if the cell phone user is using one
of those headsets. You just have to play around with your scanner.

Method 3: VoIP Sniffing
-----------------------
Well VoIP has been the latest craze, and everyone is jumping on the bandwagon.
It's pretty interesting really, and has the potential to completely revolutionize
the telecommunications industry. However, in its current phase VoIP has a huge
flaw that makes using VoIP telephony quite insecure. Why? Simple. There is no
encryption scheme. Nada. Zip. Nothing. It's just sent openly for all to
hear from point A to point B. You can take advantage of this with just a
laptop and a wireless network card. You need two tools for this:
tcpdump, and VOMIT (Voice Over Misconfigured Internet Telephony). To use these
tools, simply use tcpdump to capture on the wireless network that is
carrying the VoIP traffic. This will dump the traffic going over to
your point, setting you up as a man-in-the-middle. Here is a diagram for the hell
of it, and to further illustrate this layout...

                        (VoIP Traffic)
  (Point A) ---------------------------------------> (Point B)
            <---------------------------------------
                               |
                               |
                               |
                             (you)

Point A would be the wireless network that you are dumping the traffic of
using tcpdump, and Point B would be the remote WAP that Point A is interfacing
with. So then you can use VOMIT in conjunction with tcpdump in order to assemble
the VoIP traffic being captured into a wav format. This will allow you to listen
in on the conversation that is being carried between these two points with
absolute ease. So yeah, for all you VoIP users out there, I hope you aren't
discussing anything too secretive over your subscribed network.

====================
| Other Articles |
====================

Well I could have gone further into the topic of payphones and answering
machines, but oh wait, that's right, I already wrote on all that in the past.
So instead here are some useful links to other articles that you will want to
read...

www.informationleak.net/pp_me.txt - "Payphone Phreaking: Millennium Edition" -
this is a short tutorial I wrote on the inherent flaws in modern payphones
(like the Millennium payphones, and the newer AmeriTechs).

www.informationleak.net/amhack.txt - "The Hackers' Guide to Answering Machines" -
this is another tutorial I wrote on how to hack into answering machines. Good
for pranks, or just to feel important.

==========================
| Articles & Resources |
==========================

Well originally when I was doing the layout for what would be this guide I had
planned to split it into two separate sections, landline & cellular, each with
equal amounts of information for you to absorb. However, there are a couple of
reasons why I didn't. For one I'm eager to see this guide get released. Also
there isn't much information I can provide that there aren't web sites dedicated
to. So instead of writing out the same codes and crap that entire web sites have
been built off of, I'll just give you those articles and resources to read for
yourself.

www.informationleak.net/gsm_guide.txt - "The Hackers' Guide to GSM Phones" - this
is a guide I wrote sometime last year or so on exploiting GSM phones. It has
a pretty good, if extremely long, explanation of the GSM protocol and its
inherent weaknesses, and of pranks like bluebugging, bluejacking, etc. Many
of these weaknesses are being resolved with the implementation of 3G and other
such protocols, but it should still be usable to many.

www.informationleak.net/cellvmb.txt - "Hacking Cell Phone VMBs" - this is a
simple tutorial I wrote on how to break into voice mail boxes for cell phones.

http://mobile.box.sk - this is probably the number one resource for codes,
tools, unlockers, and all those other nice things for cell phones. Have a look
around, you won't be disappointed.

http://9x.tc/9x/rawtext/9X_GSM00.TXT - "Undocumented Codes For GSM Phones" - this
is an article put together by m0nty, and if you can't find the codes you're looking
for at mobile, you'll probably find them in this guide. Definitely something to
check out.

=====================
| Suggested Links |
=====================

It's impossible to simply read one guide and call yourself proficient. The
purpose of this guide is to introduce you to phreaking. From here it will be
your responsibility, and hopefully your pleasure, to expand on your current
knowledge and read more into phreaking. However, nowadays it can seem hard
to find up-to-date information on phreaking. I remember, when I was starting
out, having a lot of trouble finding anything useful and current in the mass
of outdated information that was being shoved around. Now don't get me wrong,
it's important to keep archives so that we can remember the past, but that's
what we have textfiles.com for. There is no reason why so many sites need to
carry such outdated information. Of course, this is usually done because
the web masters who put this information up know nothing about phreaking, and
therefore assume that it's still valid. So to help you with this step I'm going
to list suggested links for you to read in order to further expand your
knowledge in the field of phreaking...

www.informationleak.com - now you know I had to throw that one in. We try our
damnedest to make sure that the only information we provide is usable information,
so it's always a good idea to keep in touch with what we're up to.

www.oldskoolphreak.com - this is probably one of the best sites out there to
learn about phreaking from. Definitely a good visit.

http://9x.tc - what can I say? They write good stuff. Definitely check them out.

www.hackcanada.com - the main purpose of this site is to aid the H/P scene
in Canada, but a lot of the documentation they have has information that can be
useful outside Canada as well.

www.phonelosers.com - kind of a weird mix of useful information and random
ranting, but overall definitely a good visit.

www.phreak.org - most of the information here is out-of-date, and some of the
information was never up-to-date to begin with. Kind of an unreliable source, but
there is a little useful information hidden in the mass of outdated crap. If
you've been doing well on your reading, then you should be able to tell the
difference between the two.

www.verizonfears.com - this is the site that Lucky225 runs. There isn't exactly
a huge mass of information here, but the information that is there is for
the most part up-to-date (except for a few details) and useful.

http://artofhacking.com/boxrvw1.htm - if you plan on building a box, this is
the article to check. This is an updated review by The Fixer that rates
different phreak boxes on the skill required, the risks involved, plausibility,
and obsolescence.


====================
| The Conclusion |
====================

Well, after a little work and a LOT of slacking off, this guide is finally
finished. Hopefully I've successfully introduced you to the field of
phreaking, and I hope that you continue reading from here. Telephony really
is a fascinating aspect of technology, and nothing makes you appreciate it
more than phreaking. I always appreciate feedback, so if you want to get in
touch with me then you can do so by emailing me at murdermouse@informationleak.net.
You can also chat with me live by going to Yahoo! Chat and going to either
Hackers' Lounge:1, :2, or :3. I'm usually loitering around there in one of the
rooms (usually in Hackers' Lounge:3) under the name Murder_Mouse. You can also
go to irc.2600.net and hit me up at #infoleak. Anyways, as I always say, until
next time...

This guide made possible by...

www.informationleak.com
"laughing at your faith in technology since 2004"

#### ####
###### ######
####### #######
####### #######
/\ /\ ###############
/ \ / \ _______ ##| |###| |## _______ _________
/ /\ \/ /\ \ \ __ / ##|@ |###| @|## | ___ | | __ /
/ / \ / \ \ / ___ / ##| |###| |## | | | | | ___ /
\ \ / / / / / ___/ \ ##|__|###|__|## / | | | | | /
\ \/ / / / / /\ \ \###############/ | | | |_________| ____ \
\/ /___/ /_/ / \ \ ----#####[. .]#####----| | | __ ____| | \ \
/_____/ /___/ \ \______/###############\___| |__| | | |_ | | \ \
\ \/ / \______/_###| | | | |###_\_________| | __\ | | \ \
\ / /\ _______ ###| | | | |### | | | |____| | | |
/ \ / \ | ___ | ###|_|_|_|_|### | | |________| | |
/ /\ \/ /\ \ | | | | ###| | | | |### | | | |
/ / \ / \ \| | | | ###| | | | |### | | ________ _________| |
\ \ \/ / /| | | | ###|_|_|_|_|### | | | _____ |\ _________|
\ \ / /_| |___| | ############### | | | | | | | |
\ \ /____________| | | | | ___| | | |__
\ \ | |____________________________| |____| | | ___| | ___\
\ \ |_______________________________________| | | | |
\/ | |____| |____
|_____________\
