Phrequency Issue #1

All you've ever wanted to know about Phreaking. Many of the actions described in these tuts are illegal. They are presented for informational purposes only.
Post Reply
User avatar
Net Battle Bot
Owns you
Posts: 1816
Joined: Fri Jun 04, 2004 6:44 am
Location: Groom Lake

Phrequency Issue #1

Post by Net Battle Bot » Wed Mar 16, 2005 11:04 pm

____ __
/ __ \/ /_ ________ ____ ___ _____ ____ _______ __
/ /_/ / __ \/ ___/ _ \/ __ `/ / / / _ \/ __ \/ ___/ / / /
/ ____/ / / / / / __/ /_/ / /_/ / __/ / / / /__/ /_/ /
/_/ /_/ /_/_/ \___/\__, /\__,_/\___/_/ /_/\___/\__, /
/_/ /____/

[ 12/08/01 ] ------ ISSUE #1 -->



~-~-~-~-~-~-~- Contents ~-~-~-~-~-~-~-

1. The Telstra Dial-IP Switched Data Network ..................... Marlinspike
2. Working Around The X2 FAST Block .............................. Dark Thief & Zaleth
3. Indigo Box .................................................... Dies Irae
4. Caller ID Program ............................................. Diab
5. Payphone Numbers .............................................. Zaleth & Dies Irae
6. RIM & COMNET Overview ......................................... Phreakau Team
7. BnE Into Telstra Exchanges Part II ............................ Marlinspike
8. Telstra News .................................................. Phreakau Team
9. Links ......................................................... Phreakau Team


~-~-~-~-~-~-~- Contacts ~-~-~-~-~-~-~-

To contact us, or send feedback to the author of an article, select from the following
email addresses :

Dark Thief (dt) : darkthief@iamwasted.com
Diab : diab@hackermail.com
Dies Irae : speedy69@mailcity.com
Marlinspike : p0lter_g@yahoo.com
Zaleth : zaleth@hushmail.com


~-~-~-~-~-~-~- Intro ~-~-~-~-~-~-~-

Welcome to the first issue of Phrequency Ezine. This has been in the works for
months and has taken a shitload of work to get out to you. This issue was primarily
written by Phreakau, a group best described as a "Phreaking Research Group". That
is we are interested in the study and exploration of the inner workings of the
Australian telecommunications network. Most of us are interested in other subjects,
such as computer security, and if we end up working on any significant project that
captures that right 'flavour' it might end up in a future issue. However, we are
primarily a phreaking group.

As you can see from the articles here written by more than one person, we have a
strong leaning towards working together on projects and research. Largely, Phreakau
is a contributors only group that has been closed off from the the rest of the
scene due to concerns over things such as discussion based on raw information being
too sensitive for public release. We were going to limit the distribution of this
ezine, but a big reason we decided upon a full release is because phreaking has
seen abit of a resurgence in the past months and we wanted to give some new
phreaking information to the scene, show everyone that phreaking is not dead in AU
and what kind of information is available if they have the initiative to simply go
out and get it.

So, start hanging around your local pits, cans, cabinets and exchanges. Start
scanning local number exchanges, 1800 numbers and anything else you can think of.
Go trashing. There are people out here willing to share information and help you
with your research. You could be the one to uncover the lead by which the next big
system or phreaking technique is discovered - all it takes is initiative.

Will there be future issues of this ezine? We hope so. We've set this as a
precedent in quality, so if we keep going, keep at our research and get the articles
for a second issue that rivals this one then there mostly likely will. You are
welcome to help, or provide your own touch, of course :) For now sit back, whack
on some tunes and see what you can learn.



~-~-~-~-~-~-~- The Telstra Dial IP Switched Data Network ~-~-~-~-~-~-~-
- By Marlinspike

Contents
========

1. What Is Dial IP?
2. Accessing Dial IP
3. Logging In
4. RADIUS
5. The Dial IP RADIUS Proxy
6. Scanning And Hax0ring
7. Free Calls
8. Logging
9. Further Reading


What Is Dial IP?
================

Telstra Dial IP is one of the more recent Switched Data Network offerings from
Telstra. It is designed to be a cost-effective and secure solution for dial up users to
connect to corporate LANs running IP from anywhere in Australia.

Dial IP is classed as a Switched Data Network as the underlying protocol uses packet
switching as a transmission method. This is also why it is cost effective as many
transmissions can use the same media at once.

The theory goes that Dial IP is more secure than regular dialups as it consolidates
remote access into one chokepoint using RADIUS rather than having a whole load of
unmanageable dialup servers for different areas in the country. Yay.


Accessing Dial IP
=================

So what's the Dialup? Well, there ain't one. Note that I said 'one'. In the Dial IP
network each customer gets their own dialup to the network which connects to their
LAN and their LAN only. How does this work? Well, there is a range of numbers assigned
as 'Data Network Access Services' for Dial IP. If you apply for a Dial IP service,
your dialup will be in that range and you can use that number to call your network.
The range of numbers that the Dial IP service uses are :

019830XXXX

So that's 019830 followed by FOUR numbers. Just about every technical document I've
seen (including the Telstra ones) have got this written wrong. Don't trust them, trust
me :) That is 10,000 assignable numbers. Check the Austel website for 'Data Network
Access Service' if you don't believe me. They got it right atleast. An example working
Dial IP access number is 0198304107 which belongs to Edith Cowan University for their
Remote Rural users (I found this on the net :)


Logging In
==========

Okay, you've dialed your number (right now we're examining the system from the
perspective of a legitimate user, we'll get into the nefarious shit after I'm done
explaining) so what happens next, here's the prompt you get if you've dialed with
Hyperterminal or other VT100 emulator (Dial IP has support for PPP/PAP/CHAP so most
legit users won't do it this way cause they'll be using windoze dial up networking),
I've included all the prompts like you've gone through and got the authentication
wrong so you can see :


** Dial IP **


Username:
Password:

** Bad Password


These are pretty much the standard prompts you will get. This is the RADIUS server
talking to you. It may be that it is authenticating you against a UNIX password file,
but note that it does not display the UNIX login. This is to prevent information
leakage regarding the operating system (and therefore default accounts and so forth).
The system can be configured to present a different prompt if wanted, for example,
you can get a challenge between the Username and Password for CHAP or token based
system and I have also seen custom error messages. The point is the above is the
default and has to be deliberately modified if needed to be. You get three incorrect
tries before losing the carrier.

Once authenticated, you will be handed over to the LAN and can access all resources
normally. Most of the time this will mean a PPP is fired back at you, but this can
depend on what resource your account allowed you access to, PPPsh in UNIX for example.

Yes, if the LAN you've connected to can reach the internet then you've just got net
access dependant on the LAN or larger internal network's firewall egress filters etc.
of course.


RADIUS
======

While we've been logging in in the last section, this is what has been working behind
the scenes to authenticate us. It is basically transparent and regular users need not
know what it is, but seeing as we're not regular users (not to mention 'interested' in
the authentication procedure) it might pay to know abit about it.

RADIUS stands for (R)emote (A)uthentication (D)ial (I)n (U)ser (S)ervice and is
specified in RFC 2138, with additional accounting details specified in RFC 2139.

RADIUS is also Open Source and so can therefore be modified as the providers wish. In
this way it can be customised to support various different authentication protocols.

At the destination LAN resides the RADIUS server. This can be in synch with whatever
table of usernames and passwords the LAN cares to use. When the user dials up, they are
attached to the RADIUS client, which will issue a request for authentication (username
and password etc.) The user types it in and the client sends the request to the
server for verification. As you can see this centralises the authentication procedure
to the one RADIUS server on the LAN which is completely under the control of the
owner of the LAN.

The RADIUS server and client share a secret key. This is used to encrypt the
authentication request in transit. Although the medium used is a Telstra controlled
dedicated frame relay service and therefore inaccessible to anyone but Telstra staff
(theoretically anyway) the encryption provides an extra layer of security.


The Dial IP RADIUS Proxy
========================

Despite the fact that Dial IP uses separate PSTN numbers for access to separate
systems, Dial IP is still one big network. The communications media are not dedicated
to each customer, they are interwoven with packets from each customer being transmitted
alongside one another. What this means is that there needs to be another layer to the
system directing traffic from the Dial Gateways (PoPs or Dialin Nodes etc.) to the
various LAN controlled RADIUS servers. This makes Dial IP differ from a traditional
RADIUS network somewhat, although still providing good transparency.

This is where the Telstra Dial IP RADIUS proxy comes in. Once the dial in user has
connected, the client actually forwards the authentication request to the RADIUS proxy.
Then, the proxy determines which end RADIUS server the request needs to go to based
upon the PSTN Dial IP access number dialed. Crap ASCII pr0n diagram follows :

_______________ ___________ ____ ____ ________
| | | | / \ / \ | |
| Dial IP | | Dial IP | | |_/ \ | RADIUS |
| Gateway & |------>| RADIUS |------> Dial IP ---|---->| Server |
| RADIUS Client | | Proxy | | ____ / | At LAN |
|_______________| |___________| \__/ \___/ |________|


As far as the RADIUS server is concerned, it is talking to a regular client. The
proxy is completely transparent. There are actually multiple proxies around Australia
to ensure reliability and availability.


Scanning And Hax0ring
=====================

The fact that the prompts are standardised present an interesting problem in terms
of hacking on Dial IP. Also, I have tried a whole load of numbers in all areas of the
range and have never received a message stating the number is not connected, neither
a voice message, nor a message in my terminal window. So, even if you ring a number
that is not connected to a LAN, you will get :


** Dial IP **


Username:
Password:

** Bad Password


3 tries and then NO CARRIER. So infact, you may not have even been hacking into a
system at all. Of course, there is always the possibility that you get a non-standard
login prompt or a challenge, which would certainly indicate a system present or a
custom error message, like this one from the ECU number I mentioned earlier :

** Dial IP **


Username:
Password:
Login Failed: check your username,
password and time limits.

A classic case of user friendliness over security.

As far as hacking is concerned, the obvious thing to note is that system
identification is quite difficult and so what you'll have to do is have a generic
set of usernames to try from various systems. As far as I can tell, the systems most
in use on Dial IP are Windows NT/2000 and then UNIX.

There is one other way to determine if a number connects to a valid system or not,
which I will now 'splain you.


Free Calls
==========

Being a phreaking zine this was bound to come up. I am however, speaking of it here
in a semi-legitimate capacity. You see, I do most of my scanning from payphones. When
scanning these Dial IP numbers after I first learned of the network I noticed that
some of the numbers were being connected and modem breath emitting without my having
to insert coins/phreaking for the call. Many did require payment/phreaking. In
documentation it does mention that you can provide the dialin at free call rate if
desired. Obviously, if the number is not connected Telstra wouldn't be footing for a
free call for you now would they? It is the default that the numbers are not free and
if you scanned looking for free numbers you could probably get a lengthy list of valid
numbers. Sure you'd miss afew, but in the meantime you've got a whole bunch of valid
systems to play with that are free to ring continuosly.


Logging
=======

This is something I get asked about alot in regards to Austpac Public Access PADs.
What kind of logging do they have? can they log with ANI/CLI? Well, here's what I know
about Dial IP. Due to the nature of RADIUS, there is the potential to log alot of
stuff. The logs for Dial IP at the RADIUS server are very verbose. There are two logs
generated for a session, a start log and a stop log. They contain entries such as :

Start Time
Stop Time
Username Logged in under
Session Time
Framing Protocol Used
Allocated IP Address
Reason For Disconnection
Called Station ID - The last four digits of the number dialled

AND ALSO

CALLING STATION ID (!!!) - This is the number Dial IP was CALLED FROM. However, for
most users the last 3 digits of the number will not be recorded in the RADIUS logs.
Basically, this provides for administrators of the system to know what suburb the call
came from. Note that often the 4th to last number is needed to make up the exchange
prefix in some phone numbers. Some 'authorised' customers can receive logs of the
full numbers, but I am unsure whether this is allowed for some kind of government
security agencies, or just whether or not you grease Telstra's palms enough. Probably
the latter.

The fact of the matter is, this last item is necessary for us to know, but seeing as
it can be defeated by a simple call to a number diverted to the relevant Dial IP access
number (in the suburb the owner of the username resides) it is still not a security
panacea.


Further Reading
===============

Linkage :
http://www.telstra.com.au/dialip/

Documents:
Telstra Remote Access Dial-In User Service (RADIUS) Information Document
RFC 2138 Remote Authentication Dial In User Service (RADIUS)
RFC 2139 RADIUS Accounting

- Marlinspike 10/6/01



~-~-~-~-~-~-~- Working Around The X2 FAST Block ~-~-~-~-~-~-~-
- By Dark Thief & Zaleth

Contents
========

Summary Of FAST
The X2 FAST Block
Zaleth's Workaround (Aka "Dick Smith's Revenge")
Dark Thief's Workaround (Aka "#INCLUDE <Dark.*>")


Summary Of FAST
===============

FAST (F)ield (A)ccess to (S)ULTAN (T)esting is Telstra's field based access service for
Telstra techs (linesmen etc.) to obtain remote (field) access to special functions such
as electrical tests from an exchange along a customer's line. FAST is accessed via a
1800 number :

1800 050 051

This number is in the 1800 prefix 1800 05x xxx which denotes "Enhanced 1800" and in
which calls are routed to destinations based on the location of the caller. The FAST
number was originally discovered in a 1800 scan by APB (Australian Phone Brotherhood)
and first detailed by ALOC in Morpheus Laughing #1. Subsequent 1800 scans in the 05
prefix haven't turned up anything more of special interest (although that doesn't mean
we're not still trying ;) FAST seems to be constantly having features added to it and
has had some options added since the 1999 Morpheus article. A Telstra employee number
and its corresponding PIN are required to access the service, which makes it mostly
inaccessible to people without contacts or the enterprise to get this info themselves.


The X2 FAST Block
=================

When FAST was first discovered it was relatively easy for us all to explore it as we
could simply dial it up from a payphone and have fun. For some wierd reason Telstra does
not want us screwing around with their system (or something like that anyway) and have
taken measures to prevent FAST from being called from payphones. Bugger. Well, until
now anyway. w00h00!

So, you ring FAST from a payphone and what happens? Well, everything is fine until you
get to 1800 050 05. The immediate moment you press the '1' that follows here is what
happens :

(1) The payphone disconnects the line

(2) The screen displays "Service Not Available"

(3) The payphone resets and you get dial-tone again

This is similar to what would happen if you pressed the FOLLOW ON button. If
1800 050 052 or any other permutation on the last number apart from '1' is dialed, the
phone will place the call and not reset. The reset occurs only on pressing the last '1'
in FAST. It occurs without pause for connection or other signalling.

Based on this, it follows that the payphone itself implements the FAST block. There
are other ways for Telstra to administer a block on a service. For example, if some
127 xxx xxx numbers, such as ANI and RINGBACK are called from a payphone, it will call
through and the service itself will announce "Access Denied To Customer Number" for
ANI. This is a function of the payphone LINE and not because of any signalling from the
payphone itself.

If we think of the payphone as a 'client' then what we've got in terms of protection
against us calling FAST is a protection scheme based on the restrictiveness of the
client. However, in order for the payphone to work it requires a channel to send its
signalling data (in the form of DTMF tones) to the exchange and a channel by which to
send the user supplied voice communications. These two channels are one and the same.
The 'protection' is implemented by limiting what signals the user can send by function
of the payphone. The problem is - What if the user supplies his own signalling data on
the common communications/signalling channel or subverts the client (payphone) to
unwittingly send the right signals to the channel in an unexpected manner?

This type of problem is analogous to users editing the URL in a web browser instead
of submitting data through a controlled HTML form and also the good ole in-band
inter-office signalling that has caused Telcos so many problems in the past. We've
included two methods of exploiting this problem in this article and hopefully the
discussion will spark some new ideas on how to get around the FAST block and other
similar blocks. An obvious method would be to beige box off the pit near the payphone,
or from the plugs in the wall, but we wanted to be more cool & doing this in broad
daylight may attract the wrong kind of attention (ie ass whooping by irate store owner
or police officer).

This block is called the X2 FAST block because that (The Smartphone) was the phone it
was originally discovered on, the most prevalent payphone around these days and hence
the phone you'll most probably encounter it on. However, Zaleth checked out some other
phones for the block as well.

Bluephones don't seem to have a FAST block on them. This is probably because this type
of blocking feature is unsupported. However, if it was, it could be worked around like
the other phones.

P2's or PHONECARD phones, pieces of antiquated crap from the early '90s that you insert
a magstripe card into to make calls and have it punch holes in the card to show you how
much credit you have left, believe it or not, have FAST blocks on them. Fortunately,
both workarounds described below have been tested, and work, on P2's.


Zaleth's Workaround (Aka "Dick Smith's Revenge")
================================================

Recently, Dick Smith bought out Tandy. This may have some kind of greater economic
implications that we frankly couldn't care less about, but what we do care about is
that as a result of the buyout a lot of Tandy's "low dollar" products (little stuff,
electronic components etc.) have been discontinued presumably to give Dick Smith
Electronics stores a monopoly in that area. One of the lines included in the
discontinuation were Tandy's Tone Dialers. As a result, they were going out the door
cheap cheap ($2.95 - Thanks to Nightscout for this info). Due to not wanting to be the
poor bastard that didn't invest the price of a Big Mac to get a tone dialer in the
instance a use was found for them we all went out and bought tone dialers. Ironically,
this probably accounts for the fact that a use has now been found for them. Sucks if
you didn't jump on the bandwagon (fact is if you hurry there are still some left :)

So, back to FAST. Tone Dialers give us a useful ability. The ability to supply DTMF
signalling on the shared communications/signalling channel from the payphone to the
exchange. To put it simply, we can signal the exchange with the number we want to call
using the tone dialer without the payphone being able to detect what we've dialed and
hence not knowing to block us if we call FAST. Step by step :

(1) Lift handset, dial 1800

(2) Whip out tone dialer, hold to mouthpiece of payphone, dial 050 051

(3) Get put through to FAST - Enter employee number + PIN as usual


Dark Thief's Method (Aka "#INCLUDE <Dark.*>")
=============================================

A nifty feature currently installed on the X2's is AUTO REDIAL. This is used when,
you've put your coins in the phone and you've rung someone up, the line is engaged
or the call rings out and you want to place another call without reinserting your
coins. To call again, you press FOLLOW ON, then '*'. The '*' is the button that
denotes AUTO REDIAL but it must be noted that AUTO REDIAL does not work if you
replace the handset rather than pressing FOLLOW ON. You must press FOLLOW ON to use
AUTO REDIAL. When you press the '*' the number will "fan" across the screen and the
number will be redialed for you. Neato huh? OK, maybe its not that cool, but throw
intended purposes out the window and you've got yourself a subversive little function
so yes neato!

How this is used to work around FAST is by inputting the first numbers of FAST into
memory and using that as part of the number for the phone to dial (note that if you
put all numbers of FAST into memory the phone would reset and it wouldn't work). It
goes a little like this :

(1) Dial 1800 050 05

(2) Hit FOLLOW ON

(3) Wait for phone to reset whilst cackling insanely

(4) Hit '*'

(5) Dial '1'

(6) Get put through to FAST

What you've just done is put the first part of FAST (1800 050 05) into memory, reset
the phone, redialled 1800 050 05 and then whacked in the last number of FAST (1) in
order to complete the call without the payphone knowing you've called FAST and therefore
bypassing the blocking mechanism.

- Propz Dark Thief & Zaleth 10/8/01



~-~-~-~-~-~-~- Indigo Box ~-~-~-~-~-~-~-
- By Dies Irae


This is a Brown, DLOC, Party, Pink Box, they all do basically the same thing...connect
two phone lines together. so that you can take advantage of conference call, eg have 5 ppl
instead of 3. All of those boxes i meantioned before were for america, so i decided to
alter one for Australia. It wasn't to hard, but have fun and don't get caught. Because
there are many things that they (Tel$tra and Austel) can screw you over for having and
placing this on your line. (Just warning you).

There has to be enough to phone wire from each of the male plugs so that the box can be in
the middle of the two phone wall outlets.then you can mount a modular plug in the side of the
box so you plug your phone in if you want. Also i presume that you have a grasp of
electronics and know how to wire plugs up.

THE SCHEMATIC WONT MAKE MUCH SENSE UNLESS YOU KNOW WHAT A KNIFE SWITCH LOOKS LIKE...SO BUY
THE PARTS AND THEN LOOK AT IT...

You Will Need
-------------
Okay I'll be nice and include Dick $mith catalog numbers...
2 SPST Switches (i used P 7668) $2.60
2 Phone Lines
2 Male Phone Plugs (F 5117) $6.95
1 Knife Switch (P 7862) $4.95
2 alligator clips (P 6406) $0.80
1 Phone
1 White Plastic Box (you can buy them from Dick Smith, fairly small 10cm x 10cm max)
1 can Indigo spray paint (optional, to spray the box of course)


SPST===============|blue or white wire to phone
alligator clip | __________|_|__________ alligator clip
| | | |=| | |
male plug===|====to knife switch= | |++to knife switch+++|+++++male plug
| knife switch |
male plug--------to knife switch- | |,,to knife switch,,,,,male plug
| | |
| ---------|-------------
|SPST++++++++++++|blue or white wire to phone

= white line from line 1
- blue line from line 1
+ blue line from line 2
, white line from line 2

instructions
------------
1. assemble it like the crap schematic. where a wire hits the knife switch, screw it in.
2. where the connections from line 1 come in, also screw the wires connecting to the SPST
switches.
3. strip back a bit of covering from one wire from either of the male plugs. and solder an
alligator clip on.
4. no on the other wire coming from each of the male plugs, (not the one with the alligator
clip) strip back enough covering to clip the alligator clip on.

using it
--------
well you have to built it right for it to work...

IMPORTANT!!! MAKE SURE THAT BOTH OF THE SPST SWITCHES ARE OFF BEFORE YOU START DOING THIS
BELOW! first put the handle of the knife switch to the left, (so line 1 is open) so you are
dialing on line 1. dial your two ppl and conference them. then clip the alligator clip
across these to lines. this is to keep the line open. now throw the knife switch over to
the right, so that you are dialling on line 2. now dial and conference your two ppl on
line 2. then open both of the SPST switches and you should have 5 ppl online. easy...



~-~-~-~-~-~-~- Caller ID Program ~-~-~-~-~-~-~-
- By Diab

/*
*
* Simple caller ID program for POSIX Compliant systems
* Should work for: Linux, windows (providing you have a C compiler,
* e.g. djgpp), and most *nix variants.
*
* Usage: ./callid <modem-port> <outfile>
* e.g. *nix: ./callid /dev/ttyS1 clid.log
* e.g. win: ./callid COM2 clid.log
*
* * NOTE * : Your modem should be able to receive callerID information for
* this program to work, consult your modem manual. Most modems
* should have this feature.
*
* - diab < diab@hackermail.com >
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <termios.h>

#define ENABLE "AT#CID=1\r" /* This enables Caller ID on my modem */
/* Change if you want... */

void set_terminal(void);
int fd, send, n;
struct termios options;
FILE *logfile;

int main(int argc, char *argv[])
{
char recv[3024];
char s3nd[100];

fprintf(stderr,"\n----------------------------------------\n");
fprintf(stderr,"Callid by diab - < diab@hackermail.com >\n");
fprintf(stderr,"----------------------------------------\n\n");

if(argc!=3){
fprintf(stderr,"Usage: %s <Modem-Port> <OutFile>\n", argv[0]);
exit(1);
}

/* open log file */
if((logfile = fopen(argv[2], "a")) == NULL){
fprintf(stderr,"Error opening log file: %s\n", argv[2]);
exit(0);
}

/* open modem port */
fd = open(argv[1], O_RDWR | O_NDELAY);
if(fd==1){
fprintf(stderr, "Can not open modem port:[ %s ]\n", argv[1]);
exit(1);
}
fcntl(fd, F_SETFL, 0);
sleep(1);

/* set the terminal baud rate etc */
set_terminal();

/* send cid init string */
snprintf(s3nd, sizeof(s3nd),"%s", ENABLE);
fprintf(stderr,"[!] Enabling caller id on your modem\n");
fprintf(stderr,"[!] Waiting for call...\n");
send = write(fd, s3nd, strlen(s3nd));

/* keep reading modem port until we get a ring and notify the user */
while ((n = read(fd, recv, sizeof(recv))) > 0) {
fprintf(stderr,"%s", recv);
if (strstr(recv, "RING") != NULL) {
fprintf(stderr,"[!] Phone ringing... saving Caller ID info.\n");
printf("\a");
}
fprintf(logfile, "%s", recv);
fflush(logfile);
sleep(1);
bzero(recv,sizeof(recv));
}

return 0;
}
/* terminal stuff */
void set_terminal(void)
{
tcgetattr(fd, &options);

options.c_cflag |= (CLOCAL | CREAD);
options.c_cflag &= ~PARENB;
options.c_cflag &= ~CSTOPB;
options.c_cflag &= ~CSIZE;
options.c_cflag |= CS8;
options.c_iflag |= (INPCK | ISTRIP);
options.c_lflag &= ~(ICANON | ECHO | ISIG);
options.c_oflag &= ~OPOST;

cfsetispeed(&options, B115200);
cfsetospeed(&options, B115200);

tcsetattr(fd, TCSANOW, &options);
}



~-~-~-~-~-~-~- Payphone Numbers ~-~-~-~-~-~-~-
- By Zaleth & Dies Irae


Shenton Park:
- Onslow Rd:
- X2 Outside Playgroup: (08)9381 2876
- X2 Near Newsagent: (08)9388 3527
- X2 Outside chemist: (08)9388 3535
- Smith Rd:
- X2 near Abedare Rd near graveyard gates: (08)9388 1635
- Derby Rd:
- X2 Corner of Nickleson Rd next to chemist: (08)9381 1033

Daglish:
- Park (Near a lot of units)
- Phonecard phone opposite park: (08)9381 5903 (weird ringer)

Melbourne ...

Mentone:

- Blue Phone, Some School: (03) 9583 1179
- Blue Phone, Some School #2: (03) 9583 1189
- Blue Phone, Franklins: (03) 9585 3962
- Blue Phone, Safeways: (03) 9585 1556



~-~-~-~-~-~-~- RIM & COMNET Overview ~-~-~-~-~-~-~-
- By Phreakau Team


1. What Is A RIM?
2. Types Of RIMs
3. RIM Components
4. SULTAN And RIMs
5. COMNET-1
6. COMNET-2
7. Systems Interfaces


If you have read Neurocactus #7, you would have read their article about RIM Remote System.
Well, some of us at Phreakau have come across some information on this subject and so have
decided to provide a further overview or sequel on this interesting technology and
information about advances since 1996 when it was incepted.


1. What Is A RIM?
=================

R.I.M. Stands for (R)emote (I)ntegrated (M)ultiplexer. The RIM System consists of several
components. The main component is the RU (Remote Unit) itself. This is often seen as a
green cabinet by the roadside although they can also be found indoors. There is also the EU
(Exchange Unit) which is used to communicate between the servicing switch and the RIM Box
(RU). These two components are manufactured by Alcatel. The RU has a communications channel
for OAM (Operations, Administration & Maintenance) use, which is to say that it can be
remotely controlled. In Australia this was implemented with COMNET, which we will get into
later.

A RIM is a highly modular electronic pair gain system. A pair gain system is defined in
Telstra documentation as:

"A system that cuts down on the number of wire pairs needed to carry telephone channels.
They work by multiplexing analog conversations together into a digital transmission that
can be sent more efficiently."

So that would be that each customer's line feeds into the RIM, the RIM multiplexes the
transmissions into a digital transmission and sends it off to the exchange. The speed of
the RIM -> Exchange Bearer Cable is generally 2Mbits/s over copper cable with a higher
rate of 8Mbits/s or 34Mbits/s using a fibre optic bearer. RIMs can also use radio if
required. This is probably used only in rural deployments.

RIMs can also, through their various modules, support various Special Services such as
PABXes and Faxstream. Capabilities like providing a ring signal for incoming calls, DTMF
and Call Progress Signalling are standard.


2. Types Of RIMs
================

Being extremely modular RIMs can come in many different configurations. However, there
are some basic types of configuration that can be noted.

Mode Of Integration
~~~~~~~~~~~~~~~~~~~

RIMs are capable of interfacing with their servicing/parent exchange in a few
different ways. We already know that when transmissions are received, the RIM
multiplexes them into a digital transmission. Where the modes of integration differ is
how the RIM is further integrated into the Telephone Network as a whole. There are a
few modes :

(*) Non Integrated Mode:-
In this mode the digital transmission is de-multiplexed at the parent exchange back
into copper pairs. That means that for each pair going into the RIM there is still
a corresponding pair at the exchange, as there would be in normal operation. This
requires the EU to be present at the exchange. A RIM EU can be mounted via an
Exchange Unit Rack Panel Adapter and can be fitted to a Type 84 or Type 92 exchange
rack.

(*) Integrated Mode:-
In this mode the digital transmission is not de-multiplexed at the parent exchange
but instead bypasses the racks and goes direct to the switching stage. This requires
that the switch in use has a 'parenting' protocol for which it can communicate with
equipment such as a RIM and handle its traffic directly. See below in IRIM Interface
Protocol for more information.

(*) Mixed Mode:-
This is quite simply where the RIM utilises both modes for separate pairs. For
whatever reason, probably to provide some type of special services this mode may
be required. An EU and a direct link to the switch are both present in this mode.


Size
~~~~

Depending upon the amount of pairs the RIM will need to service the size of the Remote
Unit can differ. The standard amount of pairs that can fit into one access panel is 60
but RIMs have more than one access panel. There are three sizes currently in use depending
on requirements, 240 Lines, 480 Lines & 180 Lines in the New CRIMS (Compact RIMs).


IRIM Interface Protocol
~~~~~~~~~~~~~~~~~~~~~~~

Where the RIM is configured as integrated there needs to be a common protocol between the
RIM and the switch at the exchange for communication of the various multiplexed
transmissions and the switching instructions. There are a few different types of exchanges
in use in Australia and the Parenting Protocol for each is different :

Type Of Exchange Parenting Protocol Info

Ericsson AXE ARK-P Stands for ARK-Parenting
Ericsson AXE ESM Probably Newer Ericsson Protocol
Alcatel Sys12 RSU


CAN Or IEN
~~~~~~~~~~

RIMs were designed to save copper wiring and take the load off existing exchanges. There
are two distinct situations in which they can be used. A RIM can be deployed in the CAN
(Customer Access Network), that is a RIM serviced by a local exchange and used as support
for an area within an exchange locality. However, A RIM can also be deployed as an exchange
in its own right. Old Ericsson ARK exchanges in rural areas (ARK is a Crossbar exchange -
very schick) are being outmoded and replaced by RIMs. In this type of deployment they are
connected to the IEN, the Inter Exchange Network and are serviced by a transit exchange.


3. RIM Components
=================

I will now attempt to explain the basic structure of components within RIM units. Bear in
mind that the information we had was abit sketchy in this area, but we believe we have put
it together correctly. The more specific cards are fitted to panels in the units, so we'll
start with the panels :

Exchange Unit Panels
~~~~~~~~~~~~~~~~~~~~

The Exchange Units for interface with the parent switch have a base selection of panels.
Note that in Integrated Mode, there are no Access Panels as there is no need to
demultiplex to individual pairs :

(*) Access Panels - Provides the end copper pair connections to the switch with the
various electrical capabilities of the pairs.

(*) Line Transmission Panel - Reponsible for communicating on the optical or electrical
bearer between the EU and RU.

(*) Common Panel - Provides control, clock generation/distribution and OAM (ie COMNET)
access functions at both EU and RU.

(*) Power And Alarm Distribution Panel


Remote Unit Compartments
~~~~~~~~~~~~~~~~~~~~~~~~

All RIM installations will have the following base compartments and panels. Where they
differ will be the cards and the software on the cards used to implement differing jobs :


(*) Cross Connect Facility Compartment

(*) Equipment Compartment With The Following
Panels (Same uses as in EU) :

(*) Access Panels - Connected to customer side pairs
(*) Line Transmission Panel
(*) Common Panel

And additionally :

(*) Ring/Meter Panel - Provides RING and METER pulses
(*) Terminal Regenerator Panel - Capable of boosting signals for
further transmission
(*) Trunk Interface Panel - Interfaces Between Common and Line
Transmission Panels (OAM comms are
multiplexed in with regular comms)
(*) Environmental Control Panel - Cooling fans and climate control

(*) Power And Battery Compartment


Card Components
~~~~~~~~~~~~~~~

More specific components would include things like a module card for Access Panels
that allows communication with 4/6 wire customer units such as PABXes and 4 Wire Modems. I
won't go into much more detail about various cards that can be installed, as that is where
the information gets really sketchy and it probably wouldn't make for much interesting
reading anyway. However, there are two things I would like to explain. The first is the
units used for OAM (Which stands for Operations, Administration & Maintenance), which in
Australia is handled by COMNET and the second is RIM support for things like SULTAN. I will
explain the first now, but SULTAN has a full section afterwards.

Remote Management/OAM :

The RMU (Remote Management Unit) is responsible for providing an integrated OAM system.
It communicates with the counterpart remote or exchange unit and the NMQ (Network
Management Units) via a Q2 Bus OAM link. The RMU is probably mounted on the Common Panel
and seems to communicate over the Q2 Bus with the RAC Unit (Rate Adaptor Unit) which
enables multiplexing of OAM communications onto the main bearer. The RAC Unit is probably
mounted on the Trunk Interface Panel. The NMQ communicates with the RMU and the COP
(COre Processor unit). It also receives some alarm messages from other RIM components.


4. SULTAN And RIMs
==================

This section will be short but I believed it was important enough to warrant its own
separate section. First of all S.U.L.T.A.N. stands for (SU)bscriber (L)ine (T)esting
(A)ccess (N)etwork. This system is responsible for performing electrical tests on
subscriber lines. Now, a little thing that not all of you may be aware of is that F.A.S.T.
stands for (F)ield (A)ccess to (S)ULTAN (T)esting, however those of you that are familiar
with the system may know about running a SULTAN test through FAST.

The fact that to do an electrical test on a customer line you need a complete electric
path (ie. coppper wiring path) along the length of the customer line poses a problem for
RIMs as there is no constant path for each individual pair. They are multiplexed at the
RIM.

Alcatel has solved this with the CTU (C)ustomer (T)est (U)nit. This unit takes care of
electrical testing from the RIM itself as directed via SULTAN through COMNET-1 or by
COMNET-2 itself. The CTU is also capable of establishing a speech path for call setup
between an operator and a customer as in ring testing. It can also perform busy line
monitoring and testing of tones and pulses on the line. Altogether a pretty nifty unit.

Typically, SULTAN can test the status of the RIM and if OK it can proceed with a line
test from the RU to the customer equipment using the CTU.

Yes. Using FAST you can test the status of a RIM and also any specific lines through the
RIM. Remember FAST stands for Field Access to SULTAN Testing. I just had to explicitly
state this or else I just know I would be asked the relevant stupid question by someone
in the future heh.

An electrical test on a line can also be initiated by a COMNET system terminal or,
automatically by COMNET-2.


5. COMNET-1
===========

Okay, lets start by playing games with acronyms. Telstra, like most large telecommunications
corporations and the military like acronyms cause they sound cool. Here's the explanation of
the acronym COMNET. COMNET is actually a few acronyms within one another. First there is :

COMNET : (C)AN (O)A(M) (NET)work

CAN and OAM are acronyms themselves :

CAN : (C)ustomer (A)ccess (N)etwork - This defines the telecommunications network area
between an exchange and the customer premises. RIMs are installed in this area.

OAM : (O)perations, (A)dministration & (M)aintenance.

So COMNET actually stands for :

Customer Access Network Operations, Adminstrations & Maintenance Network. Shame to all of
you who thought it simply stood for "(COM)munications (NET)work".

'COMNET' refers to the network and associated systems that are required for interface
between various core Telstra systems and RIM to provide the management that RIM requires to
be a part of the telecommunications network. COMNET-1 was the initial stage of this product
created to support the roll-out of the RIM system, and COMNET-2 is a further upgrade of the
product. This upgrade has been implemented one location at a time and so depending on your
area the available system may be either COMNET-1 or 2.

The support provided by COMNET-1 can be broken down into the following applications :

Service Activation
~~~~~~~~~~~~~~~~~~

(*) Automatic activation of RIM equipment in conjunction with the exchange interface
to provide the physical service
(*) Recording of newly commissioned RIMs

Service Assurance
~~~~~~~~~~~~~~~~~

(*) Customer fault report handling
(*) Efficient management of RIM equipment alarms
(*) Pro-active planned outage and hazard advice
(*) Repair workforce dispatch
(*) Remote diagnostic handling

Other Key Features
~~~~~~~~~~~~~~~~~~

(*) Remote software download (down to card level)
(*) Remote network management of RIM systems
(*) Remote customer line testing (Standard SULTAN functionality)
(*) Remote configuration management
(*) In service performance monitoring, fault location and alarm monitoring
(Alarm and equipment fault reports are relayed to the NMG, which will
then dispatch a service restorer)

The management application used on COMNET-1 workstations is NECTAS : Network Element
Craft Application Software. The network is X.25 based, and as you will see ALOT of Telstra
systems seem to hang of X.25 and not just COMNET.

Explanatory ASCII Pr0n diagram demonstrates :


FIGURE 1 : COMNET-1 ARCHITECTURE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Customer Operations National Maintenance
Centre Group
Alarm COMNET <---- Terminal
COMNET Handler Workstation Application
Workstation | ___<>________|_____ is NECTAS
___|_____<>______ | / Lan
Lan \ / /
\ __________/ ___/ RIM
\/ \ / /
/ COMNET \/ /
SULTAN --------| Data Comms |----------Mediator-------RIM
\ Network / \
\__________/ `--modem >-< modem -- RIM



6. COMNET-2
===========

As previously mentioned, the COMNET-1 architecture was largely an ad-hoc arrangement
to support the initial RIM inception. According to Telstra, a number of problems existed
with COMNET-1 that they sought to correct. Some of these were :

(*) The distributed nature of the network made it hard to maintain things like security
and integrity of the system. There was a lack of central management that they wished
to address.

(*) The Mediator between the RIMs and the COMNET Data Communications Network was not
standard and so whenever the RIM software was upgraded by Alcatel, new support
needed to be implemented in the Mediator.

(*) Alarm management was inadequate. (Hehe, this is bad).

(*) Integration with Telstra core systems was inadequate and Telstra wished to automate
many tasks such as Activation without having to manually go to all the involved
systems and Exchange Interfaces.

COMNET-2 was the answer to these problems. Further upgrades are always being proposed.
Here is a diagram of the COMNET-2 setup :


FIGURE 2 : COMNET-2 ARCHITECTURE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Customer Operations Regional Maintenance
Centre (Regional) Group

COMNET COMNET
Workstation Workstation
____|__________<>_____ ______<>__________|____
Lan \ / Lan
\_____ _____/
\ /
_\______/_
| |
SULTAN _________________| Manager/ |__________________ Service
| Agent | Activation
|__________|
|
_____|____
/ \
/ COMNET-2 \
| Data Comm |
\ Network /
\__________/
/ | \
/ | \
/ | \
RIM RIM RIM


As you can see this setup is much neater (The diagram is neater and was much easier to
draw as well). Obvious differences between this and the COMNET-1 setup are :

(*) The introduction of the central Manager/Agent. We are unclear on whether there are
Manager/Agents for each region or whether this component is national.

(*) Removal of the Mediator between the RIMs and the network. It is now standardised as
much as possible and the rest handled by the Manager/Agent.

(*) Removal of the modem connections to the RIMs.

(*) Removal of the singular Alarm Handler which is now integrated and automated. RIM
alarms are now forwarded to NICAD (National Integrated Customer Alarm Display).

(*) Introduction of a Service Activation component which is an integration with Telstra
core systems such as AXIS & RASS.

(*) Communications with Regional centres rather than National.


Additional features of COMNET-2 include :

(*) Improved customer line testing capability. COMNET-2 will automatically test lines and
not just when directed to by SULTAN or a system terminal.

(*) Remote software download, backup and archiving.

(*) Organised security management.

(*) Operating on the HP OpenView software platform.


If I had to speculate on the security architecture of COMNET-2 I'd say that the Telstra
core mainframe etc systems and LANs around the country communicate with the Manager/Agent
over X.25 and the requests are moderated and passed on to COMNET-2 as appropriate. In this
manner the Manager/Agent acts as a kind of national application proxy firewall moderating
requests for action. COMNET-2 may also communicate over the X.25 network, but the RIM
access points would only accept connections from the Manager/Agent. Hence, a less
distributed method of managing security/integrity with the Manager/Agent as a chokepoint.
Of course, all this goes out the window if someone were to 0wn the Manager/Agent, make
acceptable requests that do the job, or subvert the COMNET-2 communications protection.


7. Systems Interfaces
=====================

COMNET, and particularly COMNET-2 support integration with existing Telstra core systems.
COMNET-2 in particular is designed to be configured automatically by entering the details
into the core systems. In the context of the information below, 'regular telephone lines'
means regular voice grade telephone or P.O.T.S. lines and not lines supporting Special
Services. Some systems and the ways in which they interact with RIM & COMNET are :

(*) AXIS : The order system used by Telstra to order work to be done on regular telephone
lines. This can involve ordering a linesman to set a line up, automatically
configuring the exchange by interfacing with AUTOCAT or, remotely configuring
a RIM via COMNET.

(*) AUTOCAT : (AUTO)matic (C)onfigur(A)tion of (T)elephone Exchanges, or (AUTO)matic
(CAT)egory Change System. The automated system that other Telstra systems
integrate with to automatically configure a telephone exchange. Does this
by changing 'categories' within the exchange.

(*) DCRIS : (D)istributed (C)ustomer (R)ecord (I)nformation (S)ystem. COMNET initially
accepted service orders from this system until it was replaced in 1997 by
AXIS.

(*) FACS : (F)rame (A)nd (C)able (S)ystem. A database used to record information and
manage regular telephone lines. RIM configuration information is also stored in
FACS. Used for some recording of copper RIM bearers. Also for recording of some
Special Services lines such as ISDN.

(*) MULTIMAN : Optical links recording system for CAN. If the RIM uses an optical bearer,
it will be recorded in MULTIMAN rather than FACS or NPAMS.

(*) NPAMS : (N)etwork (P)lant (A)ssignment and (M)anagement (S)ystem. Used for some
recording of copper bearers from RIMs. Also used for recording RIMs in the
IEN as cable pair groups. Used for some management of regular telephone lines.

(*) RASS : (R)ecord (A)utomation for (S)pecial (S)ervices. Order system for Special
Services rather than regular telephone lines. AXIS's Special Services
counterpart. Two sub-systems : RASS-P (RASS-(P)rovisioning) & RASS-M
(RASS-(M)aintenance).

(*) TRAC : (T)ransmission (R)ecording (A)nd (C)ontrol System. Used for recording RIMs in
the Inter Exchange Network. Recorded as multiplex links.

Propz - Phreakau Team 5/8/01




~-~-~-~-~-~-~- Bne Into Telstra Exchanges Part II ~-~-~-~-~-~-~-
- By Marlinspike

Intro
Building And Security
Whats Inside
Area Sensors
Slip & Pull Tool
Contact Switches
Door Destruction
Schools Of Entry

Appendix 1 : Responsibilities For Credential Users
Appendix 2 : Social Engineering The After Hours Centre


Intro
=====

In your suburb right now, the coolest place by far in the entire area is inside
your local telephone exchange. This is part II of my manuals on breaking into
them with the intention of learning more about the telephone network and
procuring information (such as hands-on experience & manuals) about the telephone
network. Every successful Phreaker who got anywhere did this. Poulsen did it,
Mitnick did it, The Phonemasters did it - and now you can do it too.

The first manual was basically my conclusions on what techniques could be used to
enter exchanges from afew basic observations. This manual will cover my
conclusions based on my now extensive observations of many telephone exchanges
and my own successful entries and explorations. This manual is meant as
complementary to part I. If you find yourself wanting more techniques/options,
refer to part I as it was very comprehensive in that regard.

Finally, since the first manual was published, I have been asked what is my
preferred entry method. The answer is : I have used many different methods for
different exchanges and situations. This is more to do with expedience than
concealing my Modus Operandi. It is true that professional burglars often use
changing and the most rank amateur methods they can use to get away with the
burglary to throw off the cops, but in regard to exchanges I think you have to
make up your own mind about which techniques you want to use based on your
situation. This file is meant to provide you with a choice of techniques.

You might want to go trashing at your surrounding exchanges before actually
breaking in. This will give you a chance to gain confidence, become used to the
exchange and the surrounding area and escape routes and also ... get some pretty
good information just from the trashing. You'll notice that in the appendices I
have ommitted the numbers that you need to ring. This is because if you've even
got of your butt and gone to an exchange a couple of times you'll probably get it
and because if Telstra gets hold of this doc, they'd be able to change it quite
simply.


Building And Security
=====================

This section covers basic understanding of exchange perimeter structure and some
basic techniques so keep reading if it seems abit basic.

The basic suburban telephone exchange is usually a relatively old structure
in your area. It would seem from my observations that they have concentrated on
perimeter security and haven't even really done a good job of that. The primary
obvious entry points into the building would be the windows and the doors (unless
you feel like breaking through a wall or going through the roof - which is still
a viable method if you don't mind being destructive.)

I have looked at the air-conditioning on exchanges and have come to the
conclusion that they probably aren't safe to try and get in through. Some of the
units though are mounted in windows and if you could pry one out or unscrew it,
that would do but you'd probably be better off using a technique on the window
itself.

There are quite afew windows on exchanges funnily enough, on concealed walls
as well as walls open to the road. Because of the focus on perimeter security
these windows will usually have bars on them. They are locked and opened by a
lever (see diagram in slip & pull tool section) if required. I have not seen
contact switches or vibration detectors on these windows. A possibility for
detecting broken windows is a 'shatter guard' which is a unit mounted in
a concealed location inside the building that detects the high pitched sound of
glass breaking. I have tested for this device by smashing a bottle near the
doors of the exchange and no alarm has gone off. The windows it seems could be
opened by smashing as long as the bars were gotten past.

The bars on the windows are vertical only. I have seen some security grilles
which are frail and offer no protection at all, but bars seem to be the
predominant window protector. A simple trick to use here is to car jack them
apart. Then, you can squeeze through the gap and do your stuff. Afterwards, you
can re-close the bars (somewhat messily, but can often turn out ok) by instead of
applying pressure to two bars side by side with the jack in the middle; applying
pressure between one bar at a time and the window frame. That is to say, mount
the jack on one bar and some pieces of wood reaching the window frame.

It would also seem that the bars themselves have been mounted on a frame that
has not been welded to the window frame itself, but instead have been screwed in.
This opens up the opportuntiy for unscrewing the bar frame at one end and pushing
your way past the slightly bent frame to get in and then rescrewing it back on
later.

There are doors on exchanges at the main entrance which is usually pretty
standard and well protected (more on this later) and there are also other doors
around exchanges, for moving in and out equipment. These doors are usually
double doors and are made of wood, occasionally reinforced with metal. These
doors are designed to be opened from the inside only and so do not have key locks
but have bolts on the inside. There will usually be two vertical bolts at the
top and bottom of the door which are just push in/pull out of the floor/ceiling
numbers and a horizontal bolt between the doors which is like a bolt on a gate -
not simply push in/pull out, but has to be manipulated past a stop which could
(but never does) have a padlock in it. They will also have contact switches -
usually mounted at the top of one of the doors. Examine the diagram :

__________________________|____[__]______
| | | [ ] <----|------- Contact
| | -> | | Switch
| | | |
| | | |
| | --Vertical |
| | Bolt 1 |
| | | Well? f***ing
| Horizontal --> --|-- | Examine it! You
| Bolt | | will be needing this
| | | information later.
| | | (Sorry, just needed
| | Vertical | something to fill this
| | Bolt 2 | space ;)
| | | |
| | | <---- |
|___________________|_______|_____________|
|

There are very limited intruder alarm systems in Telstra exchanges, however there
are extensive fire/smoke, gas and equipment alarm systems which you should be aware
of. One night on one of my trashing runs I jumped the fence completely prepared to
grab some goods and noticed that an alarm was going off inside the exchange. Peering
through the window I noticed it was coming from a panel marked 'VESDA MIMIC' a
quick web search got me the following url :

http://www.vsl.com.au/vesda/index.html

Thanks to Phunki for helping me hack and search my way through this site! It would
seem that this is the basic technology Telstra uses for fire and gas monitoring in
its exchanges. The equipment itself has several alarm conditions. If you want some
examples, have a look at the ICM docs in Infosurge #6. Needless to say, you wouldn't
want to set off any of these alarms either. This could happen, if for example you
decided to use an oxyacetylene torch to burn your way through one of the side doors.
Getting back to the story though, I waited for 1 - 2 hours at a nearby property for
*someone* to show up and no-one did. During this time two police cars cruised past
blithely unknowing. After that I got sick of waiting and trashed the place and left.


I have had similar reports from other people saying that no-one gives a shit about
alarms (intruder or otherwise) going off at exchanges. Because there are no area
sensors in Exchanges, if you only set off the contact switch on one door (all that
is needed to gain entry) the maximum 'event' you could provoke would be a 'one-zone
violation'. This is considered by the police to be a low priority event. In other
alarm cases, all the police will respond to is a two-zone violation as a matter of
policy. One-zone violations are deemed as being the responsibility of the owner or
their security company. Still, its up to you how paranoid you want to be. I
personally err to the side of caution and don't hang around longer than a minute or
so if I've set off an alarm.


Whats Inside
============

Airconditioning Plant Room : Gas pressure compressors etc. Large pipes.
Battery Power Room : Room filled with wierd alien looking boxen.
Uncrating Areas : Open spaces where secondary doors described above open onto,
will have a monorail - a big metal support - running into it at ceiling
level for supporting massive equipment being loaded in and out.
Lunch Room : Token Amenity So Telstra Isn't Accused Of Slave Labor.
Toilets : Guess it was either here or in the equipment room ;)
Store : Filled with tools and other interesting items.
Office/s : Mostly desks, occasionally have bookshelves and filing cabinets
which are good for a rummage.
Maintenance Control : Either used as storage space or has actual control
equipment in - bookcase with manuals may be here.
Equipment Rooms : These are the main rooms you'll want to concentrate on and
that have the most interesting things in. Like a big warehouse floor. A block
of pairs at one end with equipment (CMUXes, RIM boxes, Tran$end boxes, PABXes
etc) hooked up to it. This room can also have a partitioned off area which has
consoles for the equipment and a nice bookcase filled with nice manuals.

The manuals come in four types I've seen, the more 'commercial' ones which
come spiral bound, computer printouts hole punched and bound in a file folder,
loose paper computer printouts and manuals still on disk in Microsoft Word
Format. I think the main resource for manuals (Not for ALL manuals though) is
the Telstra Intranet. A web based intranet for Telstra staff :

http://www.cdn.telstra.com.au/

I have seen a number of things referring to this url, however it is not
part of the regular internet and I have tried to break in via computer a number
of times with varying degrees of success and have never been able to crack it.
There is a directory called /cc-docs which seems to hold alot of manuals.
Alot of the manuals they have gotten through third party by buying equipment
are separate from these, probably due to
Without practice one cannot prove; without proof one cannot be trusted; without trust one cannot be respected.

User avatar
Net Battle Bot
Owns you
Posts: 1816
Joined: Fri Jun 04, 2004 6:44 am
Location: Groom Lake

Post by Net Battle Bot » Wed Mar 16, 2005 11:06 pm

copyright etc. Don't forget to bring a
laptop though or be prepared to swipe disks as well as paper goods.


Area Sensors
============

I have never seen area sensors (Passive Infa Red Sensors/Microwave Sensors)
inside an exchange. I wondered whether this was because of them not working well
with the equipment. A quick post to alt.security.alarms and some of my own
observations brought up the following points :

1. Microwaves and exchange equipment do not mix
2. Equipment in an exchange can get quite warm and so temperature varies too
much in the equipment room to maintain an environment where PIRs work well
3. Equipment more than three or four feet taller than a human being blocks
area sensors making them effectively pointless and there is much of this
equipment in exchanges
4. A security theory is that perimeter security is more effective in an
exchange situation as 'once the intruder is inside the damage is already
done'
5. Telstra exchanges have a mess of airconditioning pipes and ducts towards the
ceiling, further blocking the range of area sensors

So the moral of the story is there most likely won't be area sensors in your
local exchange because they wouldn't work well if there were. I'd also like to
re-iterate that I have never seen any in an exchange.


Slip & Pull Tool
================

Ok, so you want a technique that is easy to use, untraceable and requires
minimum resources to implement. Right! So I have come up with something that
ought to fit the bill. It is an adaptation of a technique that I first read in a
book called 'Lock Bypass Techniques'. If you're interested you can get it from
Loompanics (http://www.loompanics.com) I got my copy direct from the author because at
the time it came out we were both lurkers pretending to be locksmiths on
alt.locksmithing ;) The tool itself is a long rectangle cut from a 2 litre coke
bottle by cutting around the circumference in a spiral. Then, a hole is punched
in one end and and a string passed through, you can also use fishing line or wire
as a stronger substitute and you can also put abit of glue on the end of the string
to help it catch on things better (read on). This diagram is not to scale :

__________________________________________________
| |___________________________
| /|
| Plastic Strip from Coke Bottle O-|---------------------------
| | ^^^^
|__________________________________________________| string


Pretty simple huh? Due to the crappy nature of exchange security this bastard
ought to get you in to most exchanges with relative ease. How is it used? Well,
remember I told you to examine that diagram? (Yeah that's right - go back and
look at it because you didn't listen to me) Well, those secondary doors are, for
lack of a better word 'shithouse'. The gaps in between the doors and the door
frame (door jamb) are too wide allowing things to be slipped in easily (and even
looked through) as is the gap in between the two doors. Now, the vertical bolts
have a stud on them for engaging/disengaging the bolt :
_
Top of | | Sorry if this is abit patronizing, but a crappy ascii
door _____| |_____ diagram is better than nothing. Now you have something to
--> | | visualise. Now, how that slip & pull tool works is you
| |O| <- stud hold the string in your hands at the other end from the
Bolt |_| plastic strip and slip the plastic strip string end first
through the gap in the door. Now, you loop the string
around the stud on the bolt on the inside of the door. Slide the plastic strip
out while keeping the string looped on the stud. You will now be able to pull the
string and it in turn will pull the bolt to the open position. Tada! Here is a
diagram of where to insert the tool :

________________________x_|____[__]______
| | | [ ] | The '*'s indicate the slip &
| insertion --> * | | pull tool insertion points for
| point for | | each bolt. So you slip the tool
| vertical bolt 1 | | in, grab the bolt and then work
| | | the string around the gap in the
| | | door until you are at a point
| x <-- horizontal | where you can provide a force
| --|-- bolt --> * opposing the bolt. You'll notice
| | insert points | there are also 'x's on the
| | | diagram. These are for inserting
| | | the tool closer to the bolt and
| | | working the string around more
| insertion | | afterwards.
| point for vertical| |
| bolt 2 --> * | | The horizontal bolt is opened
|___________________|____x__|_____________| basically the same way, only you
| either have to work the string
right around the door frame
afterwards, or grab the bolt from the other end of the door. Remember though,
the horizontal bolt doesn't have a stud on the end. It is a bolt like the ones
on a gate, it has a kind of angled end that you grab onto. You will also need to
lift it up so that it can get past the stop before you apply your pulling action.
If you don't understand, go to a gate with this type of bolt and examine it. When
opening, the vertical bolt should be done last and first when closing. This is so
that if you need to work the string around the door jamb, it will not get caught
on the vertical bolts.

Now, you know the technique, what you need to know now is the exact location of
the bolts on the inside of a door that you can't see. Simple, the slip & pull
tool was designed with this in mind. Take the end of the plastic strip that
doesn't have the string through it and slip it through the gap in the door at
about where you think the bolt is. Now slide it across until it gets stopped by
the bolt ... and that's where the bolt is! You can also work out where the bolt
is by pushing on the door and seeing where it won't push inwards but using the
slip & pull tool is more specific (I should patent it I reckon!)

I know you've been thoroughly amazed at the Slip & Pull Tool (TM) 2000 Marlin
but there is another use for it! CLOSING the bolts. I'm not going to draw another
diagram, but using the same principle, after you've had a merry night out and
closed the doors of the exchange, you can grab hold of the stud on the bolts,
work the string around to the opposite (now opposing) position and pull the bolts
closed! Untraceablity++ !!! If you think you will have trouble with this, you could
always leave by the main door after locking the bolts from the inside to increase
your untraceability.

Its not over yet. Windows can be opened similarly. I have gone over getting past
the bars. But what about if you don't want to smash the window? Use the slip &
pull tool. Remember in the first section I said they are locked and opened by a
lever? Examine the diagram :

__________________________
|--------------------------| Look! There is a '*' and an 'x'
| | just like the diagram of the door!
| | Same principle. Slide the tool in,
| Pull this way to open | grab the end of the lever and pull
| <------- | 90 degrees to the left to open. Can
* / | be closed again by doing the
| / | opposite.
|_________x__|_____________|


Contact Switches
================

I went over contact switches quite extensively in the first manual, but there is a
new method I'd like to introduce that I have had some success with in test
situations. From Jaycar electronics you can get some highly powerful 'rare earth
geo' magnets. You can also purchase thin sheet magnets (the kind of thing that those
fridge calendars from real estate agencies' magnets are cut from). The way you use
them is by sliding the sheet magnet in between the contact switch with the powerful
magnet on the protruding end increasing the power of the sheet magnet. The sheet
magnets themselves are not powerful enough to pull the reed in the contact switch,
but combined with the rare earth magnets, they are.

If the door opens inwards the best thing to do (although the previous method can be
used in combination) is to follow the part of the door where the contact switch is
with your powerful magnet to keep up the magnetic field on the reed in the contact
switch (if you need more explanation on what the reed is, read the first manual.)

Remember that it is possible to locate the contact switch by using a compass to
determine its location. In my tests at exchanges, the compass has merely pointed
to the contact switch magnet rather than spinning which I guess is actually more
convenient ;) Use this to check the internal doors for contact switches as well,
or just avoid using them like I do.

Lastly, keep rare earth geo magnets away from floppy disks you might be taking with
you as they can fry them real good.


Door Destruction
================

For getting into exchanges via the secondary doors we have identified two obstacles
that need to be bypassed to gain entry : bolts and contact switches. For the more
destructively minded, There are some additional techniques that can be used :

For doors that open inwards, the top of the door jamb can be pried out to gain
better access to the contact switches. Then of course, the jamb will be broken but
it may be possible to glue it back on.

When you go and have a look for yourself at these secondary doors, you will notice
how weak and old they are. You may even notice that they are basically planks of
wood glued or nailed together to form a door. It is entirely possible to take a
crowbar and break a hole in the door by prying apart and snapping the pieces of
wood, or, getting a hacksaw or grinder and cutting a hole in the door on a rainy
night. This is destructive, but ensures complete bypass.


Schools Of Entry
================

Just to summarise and to let you know what options you now have, let us examine
how the techniques described can be used :

1. Non-Damaging, untraceable, but set off alarm : Quick in and out : Manipulate
bolts on side door or pick lock on main door and don't worry about contact
switches.

2. Non-Damaging, untraceable and try bypass the alarm : Prolonged stay : Manipulate
bolts on side door or pick lock on main door and attempt to use one of the
contact switch bypass techniques described above.

3. Damaging, but bypass the contact switches easily : Prolonged stay, but once off.
You won't be able to go back : cut a hole in the door or pry out door jamb.

4. Non-Damaging and ring after hours centre : Prolonged Stay : Pick lock or use
stolen credentials to open main door and ring the after hours centre.

5. Damaging and ring after hours centre : Prolonged stay but once off : Drill lock
or EACS solenoid (see first manual) and ring after hours centre.

There are, of course, variations on this and other schools of entry based on other
techniques, this just puts it together for you and gives you an idea. I have no
doubt that you can imagine some more 'schools' for you to use. The advantage to using
a non-damaging method is that they will most likely think it a false alarm and you
can come back and do the same thing again some other time.


Appendix 1 : Responsibilities For Credential Users
==================================================

This is basically a verbatim copy of a Telstra doco. It is highly relevant as you
will see as you read :

001 813-F01 : Credential User Instructions, Obligations & Conduct

Responsiblities For CREDENTIAL USERS

GAINING ACCESS

1. Locate the EACS card reader, check normal operation by the
presence of an orange LED. Report any other condition to the AMC
or NSC (after hours).

2. Pass the EACS card within 100mm of the reader.

A green LED will mean the subsequent unlocking of the door
(within one second and the door will remain unlatched for
approximately 10 seconds)

A red LED will mean that the credential is not programmed
for access; assistance should be sought via AMC, CMCC, or
NSC (after hours).

STANDING SECURITY INSTRUCTIONS

1. Ensure that door closes after entry; do not allow other
unauthorised persons access.

2. If entry is required outside of normal working hours (Mon-Fri
07:30 - 17:00) Security Company MUST be advised.
Phone 1800 xxx xxx (IVR) [<-- same as after hours centre #]

3. Locate the Intruder Alarm Panel (IAP) if required and enter PIN.
(Not applicable in WA).
This will disarm other door alarm inputs to EACS. Sites will
progressively be retrofitted with LMO (LastMan Out) which will
replace IAPs and automate disarming of non-EACS inputs.

4. Locate and notate Site Log.

5. Egress may be possible via other perimeter doors but DO NOT
LEAVE THE BUILDING VIA ANY OTHER DOOR

6. When ready to leave ensure site SECURE AND RUBBISH REMOVED.

7. Before exit complete site log, re-arm control panel or activate
LMO button as required. Notify AMC/NSC if LMO LED does not light.
Advise Security Company 1800 xxx xxx (IVR)

8. Ensure door is locked

OBLIGATIONS

1. It is the responsibility of ALL PEOPLE on Telstra property to
work safely, to protect others from possible hazard, and abide by
all Occupational, Health and Safety rules.

2. Welding, dust generation or other activity likely to cause
equipment failure, or generate alarms must not be carried on
without prior approval of Area Field Manager.

3. NO SMOKING in Telstra Buildings

4. When working in Exchanges all exterior doors must be kept
locked

5. Wearing of ID passes is mandatory in all Telstra Buildings

6. No mobile phones, 2 way radios or camera flashes are to be used
in any equipment room.

7. For security reasons, don't mark or attach EACS cards to any other
identifiable item.

CONDUCT

1. Credentials are not transferrable

2. No other person should be given access with your credential

3. Users must personally return credentials

4. The recipient of a Credential must take due care to guard against
loss or damage

5. Loss must be reported to an CMCC or NSC (after hours).

CMCC : Tel 08 9491 xxxx
NSC : Tel 1800 xxx xxx [<-- same as after hours centre #]



Appendix 2 : Social Engineering The After Hours Centre
======================================================

You might have seen a yellow sticker on the outside of exchanges :

This Building Is Security Alarmed,
Contact The After Hours Centre Upon Entry

So, after you've entered the exchange, that's what you've got to ring to verify
yourself. Well, the After Hours Number is:

1800 xxx xxx

This is basically a paging service. You give the bitch the info, she types it in
to her computer and it appears on the screen of the NSC (Network Surveillance
Center) - (aka. NOC Network Operations Centre). Fire and Gas alarms are also
monitored here, and I imagine network faults, trunk depressurisations etc. are
monitored here as well. This is located in Melbourne so it should be pretty much
Australia wide as I called it from Perth. When the bitch answers she will say
something along the lines of:

"Hello, welcome to Telstra Corporation, what is your name and designation?"

You won't be prompted for the answer to each question, so you'll have to just
give it. You need to tell her :

YOUR NAME
YOUR DESIGNATION (Department)
THE NAME OF THE EXCHANGE
CONTACT NUMBER (Number of the exchange or mobile number)
REASON FOR BEING THERE
WHAT TIME YOU'LL LEAVE

Name : Don't know if any old name will be accepted, but you can get the names of
legitimate exchange staff easily enough by going through the dumpsters for
letters etc.

Designation : This basically means the department in Telstra you work for. This
one could have been hard, only I found an entire stash of exchange entry logbooks
in a dumpster and so have a whole load of legitimate responses ...

C&C (Commercial And Consumer : They are linesmen, exchange staff etc.)
TBS (Telstra Business Solutions : Do some exchange work that is used by
business for example servicing the Tran$end units.)
NDC (Network Design & Construction : in charge of the hardware maintenance and
setup)

Exchange : Look on the sign outside (It is the suburb name.)

Contact Number : Ring ANI directly before you ring the after hours centre.

Reason : Back to the logbook ... You are supposed to tell them the exact pair,
line etc. you are looking at, but looking through the logbooks, no-one actually
does it and in some cases it is not applicable. You should also match your reason
with your department eg :

C&C : Check Main Pair
TBS : Tran$end fault
NDC : Equipment recovery (heh)

I have heaps more, they are just the only ones I can remember off hand.

What time you'll leave : Simple, just estimate how long whatever it is you're
really going to do will take you (within reason) and if you want to take a long
time .. the reason they need this info is because the NSC will get another alarm
when the door is opened and closed by you on the way out because there are no area
sensors in the exchanges. So, you can just open and shut the door and stay
in. They'll crap themselves when you actually leave, but you'll be gone then
anyway.



~-~-~-~-~-~-~- Telstra News ~-~-~-~-~-~-~-
- Phreakau Team

Here is a collection of the more interesting articles we obtained from various Telstra
internal news publications over the 2000-2001 period. Be sure to check out the Keylink
(Minerva) one just below.


New Solutions For Customers As KEYLINK Shutdown Complete
========================================================

AFTER almost 20 years active service the KEYLINK electronic mail system has
been withdrawn from the marketplace, with the operating platform closed
last month.

KEYLINK was widely used in Telstra and by over 1500 major customers
including banks, insurance companies, retailers and suppliers.
Most customers used it as an integral part of more complex communications
applications, such as ATM networks, warehousing recording and distribution
systems. As the system could not be made Year 2000 compliant, a project was
set up to 'exit' KEYLINK and design and implement strategies to migrate
users to new solutions.

Robyn Batty, Project Director, Network and Technology Group (NTG), said it
was a challenging task involving managers and work groups throughout the
company. "The project team identified some standard options and solutions
to be used by the Telstra Business Solutions (TBS) sales team to guide
their customers through migration," Robyn said.

'Huge Undertaking'

"The migration of 16,500 mailbox users was a huge undertaking. In a
co-ordinated effort, Telstra's Year 2000 Programme, TBS sales teams and
project staff from TBS, Convergent Business and NTG met challenging
timeframes with minimal disruption to our customers."
Many customers have migrated to other Telstra products such as Trading
Solutions and Big Pond applications.

To celebrate the success of the project, a 'twin' function was held in
Sydney and Melbourne, linked by a videoconference. More than 40 staff were
awarded Certificates of Achievement for their role in the exit project.
Negba Weiss-Dolev, DIrector, Year 2000 Programme, said the success of the
KEYLINK exit was a tribute to excellent cross business unit co-operation
and team work.

"The exit also featured outstanding project management and the keen desire
of those involved to maintain services to customers, while meeting the
challenging timelines imposed by the new year transition," Negba said.
"Congratulations to all involved on a job well done."

[This was an article on the X.25 Keylink system. Some of you may know this
system as Minerva. Some replacement systems can be found at :

http://www.albury.net.au/~asteris/

and

http://partners.bigpond.com/tradelink/index.htm]


Combating The Payphone Vandals
==============================

TELSTRA has scored several important wins in the ongoing battle against payphone
theft and vandalism. An undercover payphone surveillance operation in the Sydney
CBD, conducted in partnership with the New South Wales Police, is catching out
vandals and significantly reducing payphone vandalism and fraud. An operation in
Melbourne also led to a number of arrests.

Telstra continues to modify the standard payphone to deter criminal activity.

Latest developments in this constant cycle of innovation to overcome criminal
creativity includes and electronic shutter, which prevents tampering with the coin
entry, modifyications to the payphone case, and improved remote monitoring of
payphones.

A number of fraud prevention activities have also been successfully carried out.

Steven Cherry, national operations manager outn@bout, said staff played a key
role in the latest breakthroughs against payphone vandalism.

"Many outn@bout staff in the metropolitan areas and large regional centres,
along with Infrastructure Services staff throughout the rest of Australia, are
doing a magnificent job in maintaining payphone services," Steven said.

"Overall, payphone serviceability - that is, the number of payphones
operating properly at any one time - is now at 94 percent, an 18-month high. The
target is to get this up to 97 percent by mid-year."

People in the community have also done their bit to stamp out vandalism and fraud.
According to Brendan Cass, national manager security, outn@bout, more than 20
people were given rewards by Telstra for reporting acts of vandalism that have led
to convictions. Telstra offers a reward of up to $1000 for information that leads
to the conviction of a payphone vandal.

Vandalism of payphones costs Telstra $10 million a year. Telstra has
35,000 payphones and 600,000 customers using them every day.

In the first two weeks of the ongoing campaign which began in the Sydney CBD late
last year, dubbed Operation City Safe 7, police arrested 91 people on 152 charges
for offences related to payphone vandalism.

A further 12 were charged for more serious offences following their arrest for
payphone vandalism.

The ongoing operation is targeting a number of vandalism hotspots including the
Town Hall, Martin Place, Wynard and Circular Quay precincts and Central Railway
Station.

"Operation City Safe 7 is significantly reducing the level of vandalism to our
payphones and through our partnership with police in the coming months we will
continue to catch and charge offenders," Steven said.

In the targeted areas there has been a 13 percent reduction in visits by Telstra
technicians and an 18 percent reduction in customer reported faults.

Operation City Safe 7 builds on the success of Telstra's community-based
initiative PhoneWatch, which encourges people to report acts of vandalism
against payphones to Telstra on 132200 or to the police.

The electronic shutter enables the payphone to sense that the coin entry is
blocked, and shuts the entry so that thievescannot access the coins.

The problem is reported automatically back to headquarters, and a technician can
then go and clear the blockage, and the payphone is back in service.

About 200 electronic shutters have been installed in the Sydney and
Melbourne CBDs. They have been so successful that it is now planned to roll out
about 11,000 nationally.


Software And Staff Block Email Virus
====================================

TELSTRA fault system software, and the action of a number of global connect
staff kept the crippling ILOVEYOU virus out of the network last week.

Staff in IT Services and Internet Operations worked throughout the night on
Thursday 4 May, to stop infected email messages contaminating the network
and entering via the internet email gateway.

In addition, the anti-virus technology operated by IT Services as part of
the SOE Networks was able to deploy the most up-to-date anti-virus pattern
file. These files can detect and clean any instances of the virus, or
variations that result from the virus.

There is anti-virus software in our email and messaging system, our internet
firewall, the LAN servers, desktop and notebook PCs.

All systems have software regularly upgraded with the most recent 'pattern
files' so that the scanning programs can identify new viruses. If viruses are
detected, alarms are sent via Telstra's intranet network to the FOCUS IT alarm
system and the Network Control staff are notified. In the case of the Love Letter
Virus, Telstra was also notified by two of its major SOE suppliers. The
anti-virus company Trend Micro and the computer manufacturer Compaq both informed
Telstra - and staff were able to swing into action.

A filter was applied to all incoming email and the specific pattern file for the
ILOVEYOU virus was deployed. Overall, Telstra systems and users were very well
protected. In the few isolated instances where the virus did make it through the
firewall before the filter was in place, staff worked tirelessly, scanning and
cleaning the millions of mail messages that exist within the company.

Graham Bull, general manager, IT Services said: "A critical situation such as
this one highlights the risks which now exist in an online world and really tests
the capabilities of both our contingency systems and our staff.

"I am confident that we have the capacity and expertise within our workforce to
protect our systems from elements that could be detrimental to the smooth running
of our business. I congratulate the individuals that worked around the clock to
ensure that the virus had little, if any, impact within Telstra," he said.



~-~-~-~-~-~-~- Links ~-~-~-~-~-~-~-


Just to give you something to read until our next issue comes out :

http://phreakaus.oz-net.org
<=> Dark Thief's site

http://phreakau.fuxya.org
<=> Our homepage

http://www.opentelco.net
<=> Nice page for SS7 and GSM stuff

http://www.scard.org/gsm/a3a8.txt
<=> Info on algorithms

http://jya.com/crack-a5.htm
<=> Discussion of GSM encryption algorithms

http://www.phreak.co.uk/teknix/phreakin ... axe10.html
<=> Erriccson AXE10 Digital Switch Info By Keltic Phr0st

http://dtmf.org/hybrid/files/hybrid-files/AXE10.txt
<=> Local AXE10 Exchange Subsystems By Hybrid

http://www.acif.org.au/ACIF/display/met ... source=482
<=> Australian Communications Industry Forum Publications

http://www.mindrape.org/zines
<=> Australian Ezine Archive, Zines referred to here can be found there

http://bbs.onecenter.com/ausphreak
<=> Zaleth's great public phreaking forum


~-~-~-~-~-~-~- END ~-~-~-~-~-~-~-
Without practice one cannot prove; without proof one cannot be trusted; without trust one cannot be respected.

User avatar
infinite_
Bat Country
Posts: 1353
Joined: Fri Jun 04, 2004 7:19 pm
Location: Australia

Post by infinite_ » Wed Mar 16, 2005 11:14 pm

quote tags work wonders :)
My effort to help you will never exceed your effort to explain the problem.

User avatar
Net Battle Bot
Owns you
Posts: 1816
Joined: Fri Jun 04, 2004 6:44 am
Location: Groom Lake

Post by Net Battle Bot » Thu Mar 17, 2005 5:11 pm

You think I haven't tried? You try fscking using quote tags on text this big.
Without practice one cannot prove; without proof one cannot be trusted; without trust one cannot be respected.

User avatar
infinite_
Bat Country
Posts: 1353
Joined: Fri Jun 04, 2004 7:19 pm
Location: Australia

Post by infinite_ » Thu Mar 17, 2005 7:45 pm

Code: Select all

                 ____  __                                                              
                 / __ \\\\\\\\/ /_  ________  ____ ___  _____  ____  _______  __              
                / /_/ / __ \\\\\\\\/ ___/ _ \\\\\\\\/ __ `/ / / / _ \\\\\\\\/ __ \\\\\\\\/ ___/ / / /              
               / ____/ / / / /  /  __/ /_/ / /_/ /  __/ / / / /__/ /_/ /               
              /_/   /_/ /_/_/   \\\\\\\\___/\\\\\\\\__, /\\\\\\\\__,_/\\\\\\\\___/_/ /_/\\\\\\\\___/\\\\\\\\__, /                
                                       /_/                      /____/  

                                 [ 12/08/01 ]  ------ ISSUE #1 -->



                         ~-~-~-~-~-~-~- Contents ~-~-~-~-~-~-~-

  1. The Telstra Dial-IP Switched Data Network ..................... Marlinspike
  2. Working Around The X2 FAST Block .............................. Dark Thief & Zaleth
  3. Indigo Box .................................................... Dies Irae
  4. Caller ID Program ............................................. Diab
  5. Payphone Numbers .............................................. Zaleth & Dies Irae
  6. RIM & COMNET Overview ......................................... Phreakau Team
  7. BnE Into Telstra Exchanges Part II ............................ Marlinspike
  8. Telstra News .................................................. Phreakau Team
  9. Links ......................................................... Phreakau Team


                          ~-~-~-~-~-~-~- Contacts ~-~-~-~-~-~-~-

 To contact us, or send feedback to the author of an article, select from the following
email addresses :

                    Dark Thief (dt) : darkthief@iamwasted.com
                               Diab : diab@hackermail.com
                          Dies Irae : speedy69@mailcity.com
                        Marlinspike : p0lter_g@yahoo.com
                             Zaleth : zaleth@hushmail.com


                           ~-~-~-~-~-~-~- Intro ~-~-~-~-~-~-~-

      Welcome to the first issue of Phrequency Ezine. This has been in the works for
     months and has taken a shitload of work to get out to you. This issue was primarily 
     written by Phreakau, a group best described as a "Phreaking Research Group". That
     is we are interested in the study and exploration of the inner workings of the
     Australian telecommunications network. Most of us are interested in other subjects,
     such as computer security, and if we end up working on any significant project that
     captures that right 'flavour' it might end up in a future issue. However, we are
     primarily a phreaking group.

      As you can see from the articles here written by more than one person, we have a
     strong leaning towards working together on projects and research. Largely, Phreakau
     is a contributors only group that has been closed off from the the rest of the
     scene due to concerns over things such as discussion based on raw information being
     too sensitive for public release.  We were going to limit the distribution of this
     ezine, but a big reason we decided upon a full release is because phreaking has 
     seen abit of a resurgence in the past months and we wanted to give some new
     phreaking information to the scene, show everyone that phreaking is not dead in AU
     and what kind of information is available if they have the initiative to simply go 
     out and get it.

      So, start hanging around your local pits, cans, cabinets and exchanges. Start
     scanning local number exchanges, 1800 numbers and anything else you can think of.
     Go trashing. There are people out here willing to share information and help you
     with your research. You could be the one to uncover the lead by which the next big
     system or phreaking technique is discovered - all it takes is initiative.

      Will there be future issues of this ezine? We hope so. We've set this as a
     precedent in quality, so if we keep going, keep at our research and get the articles 
     for a second issue that rivals this one then there mostly likely will. You are 
     welcome to help, or provide your own touch, of course :) For now sit back, whack
     on some tunes and see what you can learn.



          ~-~-~-~-~-~-~- The Telstra Dial IP Switched Data Network ~-~-~-~-~-~-~-
                                    - By Marlinspike

 Contents
 ========

 1. What Is Dial IP?
 2. Accessing Dial IP
 3. Logging In
 4. RADIUS
 5. The Dial IP RADIUS Proxy
 6. Scanning And Hax0ring
 7. Free Calls
 8. Logging
 9. Further Reading


 What Is Dial IP?
 ================

  Telstra Dial IP is one of the more recent Switched Data Network offerings from
 Telstra. It is designed to be a cost-effective and secure solution for dial up users to
 connect to corporate LANs running IP from anywhere in Australia.

  Dial IP is classed as a Switched Data Network as the underlying protocol uses packet
 switching as a transmission method. This is also why it is cost effective as many
 transmissions can use the same media at once.

  The theory goes that Dial IP is more secure than regular dialups as it consolidates
 remote access into one chokepoint using RADIUS rather than having a whole load of
 unmanageable dialup servers for different areas in the country. Yay.


 Accessing Dial IP
 =================


  So what's the Dialup? Well, there ain't one. Note that I said 'one'. In the Dial IP
 network each customer gets their own dialup to the network which connects to their
 LAN and their LAN only. How does this work? Well, there is a range of numbers assigned
 as 'Data Network Access Services' for Dial IP. If you apply for a Dial IP service,
 your dialup will be in that range and you can use that number to call your network.
 The range of numbers that the Dial IP service uses are :

                                   019830XXXX

  So that's 019830 followed by FOUR numbers. Just about every technical document I've 
 seen (including the Telstra ones) have got this written wrong. Don't trust them, trust 
 me :) That is 10,000 assignable numbers. Check the Austel website for 'Data Network 
 Access Service' if you don't believe me. They got it right atleast. An example working
 Dial IP access number is 0198304107 which belongs to Edith Cowan University for their
 Remote Rural users (I found this on the net :)


 Logging In
 ==========

  Okay, you've dialed your number (right now we're examining the system from the
 perspective of a legitimate user, we'll get into the nefarious shit after I'm done
 explaining) so what happens next, here's the prompt you get if you've dialed with
 Hyperterminal or other VT100 emulator (Dial IP has support for PPP/PAP/CHAP so most 
 legit users won't do it this way cause they'll be using windoze dial up networking), 
 I've included all the prompts like you've gone through and got the authentication 
 wrong so you can see :

 
 ** Dial IP **


 Username:
 Password:

 ** Bad Password


  These are pretty much the standard prompts you will get. This is the RADIUS server
 talking to you. It may be that it is authenticating you against a UNIX password file,
 but note that it does not display the UNIX login. This is to prevent information
 leakage regarding the operating system (and therefore default accounts and so forth).
 The system can be configured to present a different prompt if wanted, for example,
 you can get a challenge between the Username and Password for CHAP or token based
 system and I have also seen custom error messages. The point is the above is the
 default and has to be deliberately modified if needed to be. You get three incorrect
 tries before losing the carrier.

  Once authenticated, you will be handed over to the LAN and can access all resources
 normally. Most of the time this will mean a PPP is fired back at you, but this can
 depend on what resource your account allowed you access to, PPPsh in UNIX for example.

  Yes, if the LAN you've connected to can reach the internet then you've just got net
 access dependant on the LAN or larger internal network's firewall egress filters etc. 
 of course.


 RADIUS
 ======

  While we've been logging in in the last section, this is what has been working behind
 the scenes to authenticate us. It is basically transparent and regular users need not
 know what it is, but seeing as we're not regular users (not to mention 'interested' in
 the authentication procedure) it might pay to know abit about it.

  RADIUS stands for (R)emote (A)uthentication (D)ial (I)n (U)ser (S)ervice and is
 specified in RFC 2138, with additional accounting details specified in RFC 2139.

  RADIUS is also Open Source and so can therefore be modified as the providers wish. In
 this way it can be customised to support various different authentication protocols.

  At the destination LAN resides the RADIUS server. This can be in synch with whatever 
 table of usernames and passwords the LAN cares to use. When the user dials up, they are
 attached to the RADIUS client, which will issue a request for authentication (username
 and password etc.) The user types it in and the client sends the request to the
 server for verification. As you can see this centralises the authentication procedure
 to the one RADIUS server on the LAN which is completely under the control of the
 owner of the LAN.

  The RADIUS server and client share a secret key. This is used to encrypt the
 authentication request in transit. Although the medium used is a Telstra controlled
 dedicated frame relay service and therefore inaccessible to anyone but Telstra staff
 (theoretically anyway) the encryption provides an extra layer of security.


 The Dial IP RADIUS Proxy
 ========================

  Despite the fact that Dial IP uses separate PSTN numbers for access to separate
 systems, Dial IP is still one big network. The communications media are not dedicated
 to each customer, they are interwoven with packets from each customer being transmitted
 alongside one another. What this means is that there needs to be another layer to the 
 system directing traffic from the Dial Gateways (PoPs or Dialin Nodes etc.) to the 
 various LAN controlled RADIUS servers. This makes Dial IP differ from a traditional
 RADIUS network somewhat, although still providing good transparency.

  This is where the Telstra Dial IP RADIUS proxy comes in. Once the dial in user has
 connected, the client actually forwards the authentication request to the RADIUS proxy.
 Then, the proxy determines which end RADIUS server the request needs to go to based
 upon the PSTN Dial IP access number dialed. Crap ASCII pr0n diagram follows :

      _______________         ___________       ____    ____        ________
     |               |       |           |     /    \\\\\\\\  /    \\\\\\\\      |        |
     |   Dial IP     |       |  Dial IP  |    |     |_/      \\\\\\\\     | RADIUS |
     |  Gateway &    |------>|  RADIUS   |------> Dial IP ---|---->| Server |
     | RADIUS Client |       |   Proxy   |    |    ____     /      | At LAN |
     |_______________|       |___________|     \\\\\\\\__/    \\\\\\\\___/       |________|


  As far as the RADIUS server is concerned, it is talking to a regular client. The
 proxy is completely transparent. There are actually multiple proxies around Australia
 to ensure reliability and availability.


 Scanning And Hax0ring
 =====================

  The fact that the prompts are standardised present an interesting problem in terms
 of hacking on Dial IP. Also, I have tried a whole load of numbers in all areas of the
 range and have never received a message stating the number is not connected, neither
 a voice message, nor a message in my terminal window. So, even if you ring a number
 that is not connected to a LAN, you will get :

 
 ** Dial IP **


 Username:
 Password:

 ** Bad Password

  3 tries and then NO CARRIER. So infact, you may not have even been hacking into a 
 system at all. Of course, there is always the possibility that you get a non-standard 
 login prompt or a challenge, which would certainly indicate a system present or a 
 custom error message, like this one from the ECU number I mentioned earlier :
 
 ** Dial IP **


 Username: 
 Password:
 Login Failed: check your username,
 password and time limits.

  A classic case of user friendliness over security.

  As far as hacking is concerned, the obvious thing to note is that system
 identification is quite difficult and so what you'll have to do is have a generic
 set of usernames to try from various systems. As far as I can tell, the systems most
 in use on Dial IP are Windows NT/2000 and then UNIX.

  There is one other way to determine if a number connects to a valid system or not,
 which I will now 'splain you.


 Free Calls
 ==========

  Being a phreaking zine this was bound to come up. I am however, speaking of it here
 in a semi-legitimate capacity. You see, I do most of my scanning from payphones. When
 scanning these Dial IP numbers after I first learned of the network I noticed that
 some of the numbers were being connected and modem breath emitting without my having
 to insert coins/phreaking for the call. Many did require payment/phreaking. In 
 documentation it does mention that you can provide the dialin at free call rate if 
 desired. Obviously, if the number is not connected Telstra wouldn't be footing for a 
 free call for you now would they? It is the default that the numbers are not free and
 if you scanned looking for free numbers you could probably get a lengthy list of valid
 numbers. Sure you'd miss afew, but in the meantime you've got a whole bunch of valid
 systems to play with that are free to ring continuosly.


 Logging
 =======

  This is something I get asked about alot in regards to Austpac Public Access PADs. 
 What kind of logging do they have? can they log with ANI/CLI? Well, here's what I know
 about Dial IP. Due to the nature of RADIUS, there is the potential to log alot of 
 stuff. The logs for Dial IP at the RADIUS server are very verbose. There are two logs 
 generated for a session, a start log and a stop log. They contain entries such as :

 Start Time
 Stop Time
 Username Logged in under
 Session Time
 Framing Protocol Used
 Allocated IP Address
 Reason For Disconnection
 Called Station ID - The last four digits of the number dialled

 AND ALSO

 CALLING STATION ID (!!!) - This is the number Dial IP was CALLED FROM. However, for
 most users the last 3 digits of the number will not be recorded in the RADIUS logs.
 Basically, this provides for administrators of the system to know what suburb the call
 came from. Note that often the 4th to last number is needed to make up the exchange
 prefix in some phone numbers. Some 'authorised' customers can receive logs of the
 full numbers, but I am unsure whether this is allowed for some kind of government
 security agencies, or just whether or not you grease Telstra's palms enough. Probably
 the latter.

  The fact of the matter is, this last item is necessary for us to know, but seeing as
 it can be defeated by a simple call to a number diverted to the relevant Dial IP access 
 number (in the suburb the owner of the username resides) it is still not a security
 panacea.


 Further Reading
 ===============

  Linkage :
  http://www.telstra.com.au/dialip/

  Documents:
  Telstra Remote Access Dial-In User Service (RADIUS) Information Document
  RFC 2138 Remote Authentication Dial In User Service (RADIUS)
  RFC 2139 RADIUS Accounting

 - Marlinspike 10/6/01



             ~-~-~-~-~-~-~- Working Around The X2 FAST Block ~-~-~-~-~-~-~-
                               - By Dark Thief & Zaleth
             
 Contents
 ========

 Summary Of FAST
 The X2 FAST Block
 Zaleth's Workaround (Aka "Dick Smith's Revenge")
 Dark Thief's Workaround (Aka "#INCLUDE <Dark.*>")


 Summary Of FAST
 ===============

 FAST (F)ield (A)ccess to (S)ULTAN (T)esting is Telstra's field based access service for
Telstra techs (linesmen etc.) to obtain remote (field) access to special functions such
as electrical tests from an exchange along a customer's line. FAST is accessed via a
1800 number :

    1800 050 051

 This number is in the 1800 prefix 1800 05x xxx which denotes "Enhanced 1800" and in
which calls are routed to destinations based on the location of the caller. The FAST
number was originally discovered in a 1800 scan by APB (Australian Phone Brotherhood)
and first detailed by ALOC in Morpheus Laughing #1. Subsequent 1800 scans in the 05
prefix haven't turned up anything more of special interest (although that doesn't mean
we're not still trying ;) FAST seems to be constantly having features added to it and
has had some options added since the 1999 Morpheus article. A Telstra employee number
and its corresponding PIN are required to access the service, which makes it mostly
inaccessible to people without contacts or the enterprise to get this info themselves.


 The X2 FAST Block
 =================

 When FAST was first discovered it was relatively easy for us all to explore it as we
could simply dial it up from a payphone and have fun. For some wierd reason Telstra does
not want us screwing around with their system (or something like that anyway) and have
taken measures to prevent FAST from being called from payphones. Bugger. Well, until
now anyway. w00h00!

 So, you ring FAST from a payphone and what happens? Well, everything is fine until you
get to 1800 050 05. The immediate moment you press the '1' that follows here is what
happens :

(1) The payphone disconnects the line

(2) The screen displays "Service Not Available"

(3) The payphone resets and you get dial-tone again

 This is similar to what would happen if you pressed the FOLLOW ON button. If
1800 050 052 or any other permutation on the last number apart from '1' is dialed, the
phone will place the call and not reset. The reset occurs only on pressing the last '1'
in FAST. It occurs without pause for connection or other signalling.

 Based on this, it follows that the payphone itself implements the FAST block. There 
are other ways for Telstra to administer a block on a service. For example, if some
127 xxx xxx numbers, such as ANI and RINGBACK are called from a payphone, it will call
through and the service itself will announce "Access Denied To Customer Number" for
ANI. This is a function of the payphone LINE and not because of any signalling from the
payphone itself.

 If we think of the payphone as a 'client' then what we've got in terms of protection
against us calling FAST is a protection scheme based on the restrictiveness of the
client. However, in order for the payphone to work it requires a channel to send its
signalling data (in the form of DTMF tones) to the exchange and a channel by which to
send the user supplied voice communications. These two channels are one and the same.
The 'protection' is implemented by limiting what signals the user can send by function
of the payphone. The problem is - What if the user supplies his own signalling data on 
the common communications/signalling channel or subverts the client (payphone) to
unwittingly send the right signals to the channel in an unexpected manner?

 This type of problem is analogous to users editing the URL in a web browser instead
of submitting data through a controlled HTML form and also the good ole in-band
inter-office signalling that has caused Telcos so many problems in the past. We've
included two methods of exploiting this problem in this article and hopefully the
discussion will spark some new ideas on how to get around the FAST block and other
similar blocks. An obvious method would be to beige box off the pit near the payphone,
or from the plugs in the wall, but we wanted to be more cool & doing this in broad
daylight may attract the wrong kind of attention (ie ass whooping by irate store owner
or police officer).

 This block is called the X2 FAST block because that (The Smartphone) was the phone it
was originally discovered on, the most prevalent payphone around these days and hence
the phone you'll most probably encounter it on. However, Zaleth checked out some other
phones for the block as well.

 Bluephones don't seem to have a FAST block on them. This is probably because this type
of blocking feature is unsupported. However, if it was, it could be worked around like
the other phones.

 P2's or PHONECARD phones, pieces of antiquated crap from the early '90s that you insert
a magstripe card into to make calls and have it punch holes in the card to show you how
much credit you have left, believe it or not, have FAST blocks on them. Fortunately,
both workarounds described below have been tested, and work, on P2's.


 Zaleth's Workaround (Aka "Dick Smith's Revenge")
 ================================================

 Recently, Dick Smith bought out Tandy. This may have some kind of greater economic
implications that we frankly couldn't care less about, but what we do care about is 
that as a result of the buyout a lot of Tandy's "low dollar" products (little stuff,
electronic components etc.) have been discontinued presumably to give Dick Smith
Electronics stores a monopoly in that area. One of the lines included in the
discontinuation were Tandy's Tone Dialers. As a result, they were going out the door
cheap cheap ($2.95 - Thanks to Nightscout for this info). Due to not wanting to be the
poor bastard that didn't invest the price of a Big Mac to get a tone dialer in the
instance a use was found for them we all went out and bought tone dialers. Ironically,
this probably accounts for the fact that a use has now been found for them. Sucks if
you didn't jump on the bandwagon (fact is if you hurry there are still some left :)

 So, back to FAST. Tone Dialers give us a useful ability. The ability to supply DTMF
signalling on the shared communications/signalling channel from the payphone to the
exchange. To put it simply, we can signal the exchange with the number we want to call
using the tone dialer without the payphone being able to detect what we've dialed and 
hence not knowing to block us if we call FAST. Step by step :

(1) Lift handset, dial 1800

(2) Whip out tone dialer, hold to mouthpiece of payphone, dial 050 051

(3) Get put through to FAST - Enter employee number + PIN as usual


 Dark Thief's Method (Aka "#INCLUDE <Dark.*>")
 =============================================

 A nifty feature currently installed on the X2's is AUTO REDIAL. This is used when,
you've put your coins in the phone and you've rung someone up, the line is engaged
or the call rings out and you want to place another call without reinserting your
coins. To call again, you press FOLLOW ON, then '*'. The '*' is the button that
denotes AUTO REDIAL but it must be noted that AUTO REDIAL does not work if you
replace the handset rather than pressing FOLLOW ON. You must press FOLLOW ON to use
AUTO REDIAL. When you press the '*' the number will "fan" across the screen and the
number will be redialed for you. Neato huh? OK, maybe its not that cool, but throw
intended purposes out the window and you've got yourself a subversive little function
so yes neato!

 How this is used to work around FAST is by inputting the first numbers of FAST into
memory and using that as part of the number for the phone to dial (note that if you 
put all numbers of FAST into memory the phone would reset and it wouldn't work). It
goes a little like this :

(1) Dial 1800 050 05

(2) Hit FOLLOW ON

(3) Wait for phone to reset whilst cackling insanely

(4) Hit '*'

(5) Dial '1'

(6) Get put through to FAST

 What you've just done is put the first part of FAST (1800 050 05) into memory, reset
the phone, redialled 1800 050 05 and then whacked in the last number of FAST (1) in
order to complete the call without the payphone knowing you've called FAST and therefore
bypassing the blocking mechanism.

 - Propz Dark Thief & Zaleth 10/8/01



                         ~-~-~-~-~-~-~- Indigo Box ~-~-~-~-~-~-~-
                                       - By Dies Irae


 This is a Brown, DLOC, Party, Pink Box, they all do basically the same thing...connect 
two phone lines together. so that you can take advantage of conference call, eg have 5 ppl 
instead of 3. All of those boxes i meantioned before were for america, so i decided to 
alter one for Australia. It wasn't to hard, but have fun and don't get caught. Because 
there are many things that they (Tel$tra and Austel) can screw you over for having and 
placing this on your line. (Just warning you).

There has to be enough to phone wire from each of the male plugs so that the box can be in 
the middle of the two phone wall outlets.then you can mount a modular plug in the side of the 
box so you plug your phone in if you want. Also i presume that you have a grasp of 
electronics and know how to wire plugs up.

THE SCHEMATIC WONT MAKE MUCH SENSE UNLESS YOU KNOW WHAT A KNIFE SWITCH LOOKS LIKE...SO BUY 
THE PARTS AND THEN LOOK AT IT...

You Will Need
-------------
Okay I'll be nice and include Dick $mith catalog numbers...
2 SPST Switches (i used P 7668) $2.60
2 Phone Lines 
2 Male Phone Plugs (F 5117) $6.95
1 Knife Switch (P 7862) $4.95
2 alligator clips (P 6406) $0.80
1 Phone 
1 White Plastic Box (you can buy them from Dick Smith, fairly small 10cm x 10cm max)
1 can Indigo spray paint (optional, to spray the box of course)


                        SPST===============|blue or white wire to phone
      alligator clip      |       __________|_|__________              alligator clip
            |             |       |         |=|         |                    |
male plug===|====to knife switch= |                     |++to knife switch+++|+++++male plug
                                  |      knife switch   |
male plug--------to knife switch- |                     |,,to knife switch,,,,,male plug
                          |       |                     |
                          |       ---------|-------------                                
                          |SPST++++++++++++|blue or white wire to phone

= white line from line 1
- blue line from line 1
+ blue line from line 2
, white line from line 2 

instructions
------------
1. assemble it like the crap schematic. where a wire hits the knife switch, screw it in. 
2. where the connections from line 1 come in, also screw the wires connecting to the SPST 
   switches.
3. strip back a bit of covering from one wire from either of the male plugs. and solder an 
   alligator clip on.
4. no on the other wire coming from each of the male plugs, (not the one with the alligator 
clip) strip back enough covering to clip the alligator clip on.

using it
--------
well you have to built it right for it to work...

IMPORTANT!!! MAKE SURE THAT BOTH OF THE SPST SWITCHES ARE OFF BEFORE YOU START DOING THIS 
BELOW! first put the handle of the knife switch to the left, (so line 1 is open) so you are 
dialing on line 1. dial your two ppl and conference them. then clip the alligator clip 
across these to lines. this is to keep the line open.  now throw the knife switch over to 
the right, so that you are dialling on line 2. now dial and conference your two ppl on 
line 2. then open both of the SPST switches and you should have 5 ppl online. easy...



                     ~-~-~-~-~-~-~- Caller ID Program ~-~-~-~-~-~-~-
                                       - By Diab

/*
 *
 * Simple caller ID program for POSIX Compliant systems
 * Should work for: Linux, windows (providing you have a C compiler,
 *                  e.g. djgpp), and most *nix variants.
 *
 *      Usage: ./callid <modem-port> <outfile>
 *  e.g. *nix: ./callid /dev/ttyS1 clid.log
 *  e.g.  win: ./callid COM2 clid.log
 * 
 * * NOTE * : Your modem should be able to receive callerID information for
 *            this program to work, consult your modem manual. Most modems
 *            should have this feature.
 *
 * - diab  < diab@hackermail.com >
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <termios.h>

#define  ENABLE  "AT#CID=1\\\\\\\\r" /* This enables Caller ID on my modem */
                              /* Change if you want...              */

void set_terminal(void);
int fd, send, n;
struct termios options; 
FILE *logfile;

int main(int argc, char *argv[])
{
  char recv[3024];
  char s3nd[100];

  fprintf(stderr,"\\\\\\\\n----------------------------------------\\\\\\\\n");
  fprintf(stderr,"Callid by diab - < diab@hackermail.com >\\\\\\\\n");
  fprintf(stderr,"----------------------------------------\\\\\\\\n\\\\\\\\n");

  if(argc!=3){
    fprintf(stderr,"Usage: %s <Modem-Port> <OutFile>\\\\\\\\n", argv[0]);
    exit(1);
  }
  
  /* open log file */
  if((logfile = fopen(argv[2], "a")) == NULL){
      fprintf(stderr,"Error opening log file: %s\\\\\\\\n", argv[2]);
      exit(0);
   }
  
  /* open modem port */
  fd = open(argv[1], O_RDWR | O_NDELAY);
  if(fd==1){
      fprintf(stderr, "Can not open modem port:[ %s ]\\\\\\\\n", argv[1]);
      exit(1);
  }
  fcntl(fd, F_SETFL, 0);
  sleep(1);
  
  /* set the terminal baud rate etc */
  set_terminal();

  /* send cid init string */
  snprintf(s3nd, sizeof(s3nd),"%s", ENABLE);
  fprintf(stderr,"[!] Enabling caller id on your modem\\\\\\\\n");
  fprintf(stderr,"[!] Waiting for call...\\\\\\\\n");
  send = write(fd, s3nd, strlen(s3nd));

  /* keep reading modem port until we get a ring and notify the user */
  while ((n = read(fd, recv, sizeof(recv))) > 0) {
    fprintf(stderr,"%s", recv);
    if (strstr(recv, "RING") != NULL) {
    fprintf(stderr,"[!] Phone ringing... saving Caller ID info.\\\\\\\\n");
    printf("\\\\\\\\a");
    }
    fprintf(logfile, "%s", recv);
    fflush(logfile);
    sleep(1);
    bzero(recv,sizeof(recv));
  }

  return 0;
}
/* terminal stuff */
void set_terminal(void)
{
  tcgetattr(fd, &options);

  options.c_cflag |= (CLOCAL | CREAD);
  options.c_cflag &= ~PARENB;
  options.c_cflag &= ~CSTOPB;
  options.c_cflag &= ~CSIZE;
  options.c_cflag |= CS8;
  options.c_iflag |= (INPCK | ISTRIP);
  options.c_lflag &= ~(ICANON | ECHO | ISIG);
  options.c_oflag &= ~OPOST;

  cfsetispeed(&options, B115200);
  cfsetospeed(&options, B115200);

  tcsetattr(fd, TCSANOW, &options);
}
 


                      ~-~-~-~-~-~-~- Payphone Numbers ~-~-~-~-~-~-~-
                                   - By Zaleth & Dies Irae


Shenton Park:
- Onslow Rd:
- X2 Outside Playgroup: (08)9381 2876
- X2 Near Newsagent: (08)9388 3527
- X2 Outside chemist: (08)9388 3535
- Smith Rd:
- X2 near Abedare Rd near graveyard gates: (08)9388 1635
- Derby Rd:
- X2 Corner of Nickleson Rd next to chemist: (08)9381 1033

Daglish:
- Park (Near a lot of units)
- Phonecard phone opposite park: (08)9381 5903 (weird ringer)

Melbourne ...

Mentone:

- Blue Phone, Some School: (03) 9583 1179
- Blue Phone, Some School #2: (03) 9583 1189
- Blue Phone, Franklins: (03) 9585 3962
- Blue Phone, Safeways: (03) 9585 1556



                    ~-~-~-~-~-~-~- RIM & COMNET Overview ~-~-~-~-~-~-~-
                                    - By Phreakau Team


 1. What Is A RIM?
 2. Types Of RIMs
 3. RIM Components
 4. SULTAN And RIMs
 5. COMNET-1
 6. COMNET-2
 7. Systems Interfaces


 If you have read Neurocactus #7, you would have read their article about RIM Remote System.
Well, some of us at Phreakau have come across some information on this subject and so have
decided to provide a further overview or sequel on this interesting technology and 
information about advances since 1996 when it was incepted.


 1. What Is A RIM?
 =================

 R.I.M. Stands for (R)emote (I)ntegrated (M)ultiplexer. The RIM System consists of several
components. The main component is the RU (Remote Unit) itself. This is often seen as a 
green cabinet by the roadside although they can also be found indoors. There is also the EU 
(Exchange Unit) which is used to communicate between the servicing switch and the RIM Box 
(RU). These two components are manufactured by Alcatel. The RU has a communications channel 
for OAM (Operations, Administration & Maintenance) use, which is to say that it can be 
remotely controlled. In Australia this was implemented with COMNET, which we will get into 
later.

 A RIM is a highly modular electronic pair gain system. A pair gain system is defined in
Telstra documentation as: 

 "A system that cuts down on the number of wire pairs needed to carry telephone channels. 
They work by multiplexing analog conversations together into a digital transmission that 
can be sent more efficiently."

 So that would be that each customer's line feeds into the RIM, the RIM multiplexes the
transmissions into a digital transmission and sends it off to the exchange. The speed of
the RIM -> Exchange Bearer Cable is generally 2Mbits/s over copper cable with a higher 
rate of 8Mbits/s or 34Mbits/s using a fibre optic bearer. RIMs can also use radio if 
required. This is probably used only in rural deployments.

 RIMs can also, through their various modules, support various Special Services such as
PABXes and Faxstream. Capabilities like providing a ring signal for incoming calls, DTMF
and Call Progress Signalling are standard.


 2. Types Of RIMs
 ================

 Being extremely modular RIMs can come in many different configurations. However, there
are some basic types of configuration that can be noted.

 Mode Of Integration
 ~~~~~~~~~~~~~~~~~~~

 RIMs are capable of interfacing with their servicing/parent exchange in a few 
different ways. We already know that when transmissions are received, the RIM 
multiplexes them into a digital transmission. Where the modes of integration differ is 
how the RIM is further integrated into the Telephone Network as a whole. There are a 
few modes :

 (*)  Non Integrated Mode:- 
       In this mode the digital transmission is de-multiplexed at the parent exchange back
      into copper pairs. That means that for each pair going into the RIM there is still
      a corresponding pair at the exchange, as there would be in normal operation. This 
      requires the EU to be present at the exchange. A RIM EU can be mounted via an
      Exchange Unit Rack Panel Adapter and can be fitted to a Type 84 or Type 92 exchange
      rack.

 (*)  Integrated Mode:-
       In this mode the digital transmission is not de-multiplexed at the parent exchange
      but instead bypasses the racks and goes direct to the switching stage. This requires
      that the switch in use has a 'parenting' protocol for which it can communicate with
      equipment such as a RIM and handle its traffic directly. See below in IRIM Interface
      Protocol for more information.

 (*)  Mixed Mode:-
       This is quite simply where the RIM utilises both modes for separate pairs. For
      whatever reason, probably to provide some type of special services this mode may
      be required. An EU and a direct link to the switch are both present in this mode.


 Size
 ~~~~

 Depending upon the amount of pairs the RIM will need to service the size of the Remote
Unit can differ. The standard amount of pairs that can fit into one access panel is 60
but RIMs have more than one access panel. There are three sizes currently in use depending
on requirements, 240 Lines, 480 Lines & 180 Lines in the New CRIMS (Compact RIMs).


 IRIM Interface Protocol
 ~~~~~~~~~~~~~~~~~~~~~~~

 Where the RIM is configured as integrated there needs to be a common protocol between the
RIM and the switch at the exchange for communication of the various multiplexed 
transmissions and the switching instructions. There are a few different types of exchanges 
in use in Australia and the Parenting Protocol for each is different :

 Type Of Exchange               Parenting Protocol            Info

  Ericsson AXE                       ARK-P                 Stands for ARK-Parenting
  Ericsson AXE                       ESM                   Probably Newer Ericsson Protocol
  Alcatel Sys12                      RSU

                  
 CAN Or IEN
 ~~~~~~~~~~

 RIMs were designed to save copper wiring and take the load off existing exchanges. There
are two distinct situations in which they can be used. A RIM can be deployed in the CAN 
(Customer Access Network), that is a RIM serviced by a local exchange and used as support
for an area within an exchange locality. However, A RIM can also be deployed as an exchange
in its own right. Old Ericsson ARK exchanges in rural areas (ARK is a Crossbar exchange -
very schick) are being outmoded and replaced by RIMs. In this type of deployment they are
connected to the IEN, the Inter Exchange Network and are serviced by a transit exchange.
 

 3. RIM Components
 =================

 I will now attempt to explain the basic structure of components within RIM units. Bear in
mind that the information we had was abit sketchy in this area, but we believe we have put 
it together correctly. The more specific cards are fitted to panels in the units, so we'll 
start with the panels :

 Exchange Unit Panels
 ~~~~~~~~~~~~~~~~~~~~

 The Exchange Units for interface with the parent switch have a base selection of panels. 
Note that in Integrated Mode, there are no Access Panels as there is no need to 
demultiplex to individual pairs :

 (*) Access Panels - Provides the end copper pair connections to the switch with the 
                     various electrical capabilities of the pairs.

 (*) Line Transmission Panel - Reponsible for communicating on the optical or electrical 
                               bearer between the EU and RU.

 (*) Common Panel - Provides control, clock generation/distribution and OAM (ie COMNET) 
                    access functions at both EU and RU.

 (*) Power And Alarm Distribution Panel


 Remote Unit Compartments
 ~~~~~~~~~~~~~~~~~~~~~~~~

 All RIM installations will have the following base compartments and panels. Where they
differ will be the cards and the software on the cards used to implement differing jobs :

 
 (*) Cross Connect Facility Compartment

 (*) Equipment Compartment With The Following 
     Panels (Same uses as in EU) :

                        (*) Access Panels - Connected to customer side pairs
                        (*) Line Transmission Panel
                        (*) Common Panel

     And additionally :

                        (*) Ring/Meter Panel - Provides RING and METER pulses
                        (*) Terminal Regenerator Panel - Capable of boosting signals for 
                                                         further transmission
                        (*) Trunk Interface Panel - Interfaces Between Common and Line
                                                    Transmission Panels (OAM comms are
                                                    multiplexed in with regular comms)
                        (*) Environmental Control Panel - Cooling fans and climate control

 (*) Power And Battery Compartment


 Card Components
 ~~~~~~~~~~~~~~~

 More specific components would include things like a module card for Access Panels
that allows communication with 4/6 wire customer units such as PABXes and 4 Wire Modems. I
won't go into much more detail about various cards that can be installed, as that is where
the information gets really sketchy and it probably wouldn't make for much interesting
reading anyway. However, there are two things I would like to explain. The first is the
units used for OAM (Which stands for Operations, Administration & Maintenance), which in
Australia is handled by COMNET and the second is RIM support for things like SULTAN. I will
explain the first now, but SULTAN has a full section afterwards.

 Remote Management/OAM :

 The RMU (Remote Management Unit) is responsible for providing an integrated OAM system. 
It communicates with the counterpart remote or exchange unit and the NMQ (Network 
Management Units) via a Q2 Bus OAM link. The RMU is probably mounted on the Common Panel 
and seems to communicate over the Q2 Bus with the RAC Unit (Rate Adaptor Unit) which 
enables multiplexing of OAM communications onto the main bearer. The RAC Unit is probably 
mounted on the Trunk Interface Panel. The NMQ communicates with the RMU and the COP 
(COre Processor unit). It also receives some alarm messages from other RIM components.


 4. SULTAN And RIMs
 ==================

 This section will be short but I believed it was important enough to warrant its own
separate section. First of all S.U.L.T.A.N. stands for (SU)bscriber (L)ine (T)esting
(A)ccess (N)etwork. This system is responsible for performing electrical tests on
subscriber lines. Now, a little thing that not all of you may be aware of is that F.A.S.T.
stands for (F)ield (A)ccess to (S)ULTAN (T)esting, however those of you that are familiar
with the system may know about running a SULTAN test through FAST.

 The fact that to do an electrical test on a customer line you need a complete electric
path (ie. coppper wiring path) along the length of the customer line poses a problem for
RIMs as there is no constant path for each individual pair. They are multiplexed at the
RIM.

 Alcatel has solved this with the CTU (C)ustomer (T)est (U)nit. This unit takes care of
electrical testing from the RIM itself as directed via SULTAN through COMNET-1 or by
COMNET-2 itself. The CTU is also capable of establishing a speech path for call setup
between an operator and a customer as in ring testing. It can also perform busy line
monitoring and testing of tones and pulses on the line. Altogether a pretty nifty unit.

 Typically, SULTAN can test the status of the RIM and if OK it can proceed with a line
test from the RU to the customer equipment using the CTU.

 Yes. Using FAST you can test the status of a RIM and also any specific lines through the
RIM. Remember FAST stands for Field Access to SULTAN Testing. I just had to explicitly 
state this or else I just know I would be asked the relevant stupid question by someone 
in the future heh.

 An electrical test on a line can also be initiated by a COMNET system terminal or, 
automatically by COMNET-2.


 5. COMNET-1
 ===========
 
 Okay, lets start by playing games with acronyms. Telstra, like most large telecommunications
corporations and the military like acronyms cause they sound cool. Here's the explanation of 
the acronym COMNET. COMNET is actually a few acronyms within one another. First there is :

 COMNET : (C)AN (O)A(M) (NET)work

 CAN and OAM are acronyms themselves :

 CAN : (C)ustomer (A)ccess (N)etwork - This defines the telecommunications network area
        between an exchange and the customer premises. RIMs are installed in this area.

 OAM : (O)perations, (A)dministration & (M)aintenance.

 So COMNET actually stands for :

 Customer Access Network Operations, Adminstrations & Maintenance Network. Shame to all of 
you who thought it simply stood for "(COM)munications (NET)work".

 'COMNET' refers to the network and associated systems that are required for interface 
between various core Telstra systems and RIM to provide the management that RIM requires to 
be a part of the telecommunications network. COMNET-1 was the initial stage of this product 
created to support the roll-out of the RIM system, and COMNET-2 is a further upgrade of the 
product. This upgrade has been implemented one location at a time and so depending on your 
area the available system may be either COMNET-1 or 2.

 The support provided by COMNET-1 can be broken down into the following applications :

 Service Activation
 ~~~~~~~~~~~~~~~~~~

 (*) Automatic activation of RIM equipment in conjunction with the exchange interface
     to provide the physical service
 (*) Recording of newly commissioned RIMs

 Service Assurance
 ~~~~~~~~~~~~~~~~~

 (*) Customer fault report handling
 (*) Efficient management of RIM equipment alarms
 (*) Pro-active planned outage and hazard advice
 (*) Repair workforce dispatch
 (*) Remote diagnostic handling

 Other Key Features
 ~~~~~~~~~~~~~~~~~~

 (*) Remote software download (down to card level)
 (*) Remote network management of RIM systems
 (*) Remote customer line testing (Standard SULTAN functionality)
 (*) Remote configuration management
 (*) In service performance monitoring, fault location and alarm monitoring
     (Alarm and equipment fault reports are relayed to the NMG, which will
     then dispatch a service restorer)

 The management application used on COMNET-1 workstations is NECTAS : Network Element 
Craft Application Software. The network is X.25 based, and as you will see ALOT of Telstra 
systems seem to hang of X.25 and not just COMNET.

 Explanatory ASCII Pr0n diagram demonstrates :


   FIGURE 1 : COMNET-1 ARCHITECTURE
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


          Customer Operations          National Maintenance
                Centre                        Group         
                                      Alarm             COMNET <---- Terminal
                COMNET               Handler          Workstation   Application
              Workstation               |    ___<>________|_____     is NECTAS
               ___|_____<>______        |       /    Lan
                    Lan  \\\\\\\\              /      /
                          \\\\\\\\  __________/   ___/                RIM
                           \\\\\\\\/          \\\\\\\\  /                    /
                           /   COMNET   \\\\\\\\/                    /
            SULTAN --------| Data Comms |----------Mediator-------RIM
                           \\\\\\\\  Network   /              \\\\\\\\      
                            \\\\\\\\__________/                `--modem >-< modem -- RIM



 6. COMNET-2
 ===========

 As previously mentioned, the COMNET-1 architecture was largely an ad-hoc arrangement 
to support the initial RIM inception. According to Telstra, a number of problems existed 
with COMNET-1 that they sought to correct. Some of these were :

 (*) The distributed nature of the network made it hard to maintain things like security 
     and integrity of the system. There was a lack of central management that they wished 
     to address.

 (*) The Mediator between the RIMs and the COMNET Data Communications Network was not 
     standard and so whenever the RIM software was upgraded by Alcatel, new support 
     needed to be implemented in the Mediator.

 (*) Alarm management was inadequate. (Hehe, this is bad).

 (*) Integration with Telstra core systems was inadequate and Telstra wished to automate 
     many tasks such as Activation without having to manually go to all the involved 
     systems and Exchange Interfaces.

 COMNET-2 was the answer to these problems. Further upgrades are always being proposed. 
Here is a diagram of the COMNET-2 setup :

 
   FIGURE 2 : COMNET-2 ARCHITECTURE
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

              Customer Operations                      Regional Maintenance
               Centre (Regional)                             Group
 
                    COMNET                                        COMNET 
                  Workstation                                   Workstation
                  ____|__________<>_____           ______<>__________|____
                        Lan       \\\\\\\\                      /      Lan
                                   \\\\\\\\_____          _____/
                                         \\\\\\\\        /
                                         _\\\\\\\\______/_
                                        |          |
                SULTAN _________________| Manager/ |__________________ Service
                                        |   Agent  |                  Activation 
                                        |__________|                  
                                             |
                                        _____|____
                                       /          \\\\\\\\
                                      /  COMNET-2  \\\\\\\\
                                      | Data Comm  |
                                      \\\\\\\\  Network   /
                                       \\\\\\\\__________/
                                         /   |   \\\\\\\\
                                        /    |    \\\\\\\\
                                       /     |     \\\\\\\\
                                     RIM    RIM    RIM

 
 As you can see this setup is much neater (The diagram is neater and was much easier to 
draw as well). Obvious differences between this and the COMNET-1 setup are :

 (*) The introduction of the central Manager/Agent. We are unclear on whether there are 
     Manager/Agents for each region or whether this component is national.

 (*) Removal of the Mediator between the RIMs and the network. It is now standardised as 
     much as possible and the rest handled by the Manager/Agent.

 (*) Removal of the modem connections to the RIMs.

 (*) Removal of the singular Alarm Handler which is now integrated and automated. RIM 
     alarms are now forwarded to NICAD (National Integrated Customer Alarm Display).

 (*) Introduction of a Service Activation component which is an integration with Telstra 
     core systems such as AXIS & RASS.

 (*) Communications with Regional centres rather than National.


 Additional features of COMNET-2 include :

 (*) Improved customer line testing capability. COMNET-2 will automatically test lines and 
     not just when directed to by SULTAN or a system terminal.

 (*) Remote software download, backup and archiving.

 (*) Organised security management.

 (*) Operating on the HP OpenView software platform.


 If I had to speculate on the security architecture of COMNET-2 I'd say that the Telstra 
core mainframe etc systems and LANs around the country communicate with the Manager/Agent 
over X.25 and the requests are moderated and passed on to COMNET-2 as appropriate. In this 
manner the Manager/Agent acts as a kind of national application proxy firewall moderating 
requests for action. COMNET-2 may also communicate over the X.25 network, but the RIM 
access points would only accept connections from the Manager/Agent. Hence, a less 
distributed method of managing security/integrity with the Manager/Agent as a chokepoint. 
Of course, all this goes out the window if someone were to 0wn the Manager/Agent, make 
acceptable requests that do the job, or subvert the COMNET-2 communications protection.


 7. Systems Interfaces
 =====================

 COMNET, and particularly COMNET-2 support integration with existing Telstra core systems.
COMNET-2 in particular is designed to be configured automatically by entering the details
into the core systems. In the context of the information below, 'regular telephone lines'
means regular voice grade telephone or P.O.T.S. lines and not lines supporting Special 
Services. Some systems and the ways in which they interact with RIM & COMNET are :

 (*) AXIS : The order system used by Telstra to order work to be done on regular telephone 
            lines. This can involve ordering a linesman to set a line up, automatically 
            configuring the exchange by interfacing with AUTOCAT or, remotely configuring
            a RIM via COMNET.

 (*) AUTOCAT : (AUTO)matic (C)onfigur(A)tion of (T)elephone Exchanges, or (AUTO)matic 
               (CAT)egory Change System. The automated system that other Telstra systems 
               integrate with to automatically configure a telephone exchange. Does this 
               by changing 'categories' within the exchange.

 (*) DCRIS : (D)istributed (C)ustomer (R)ecord (I)nformation (S)ystem. COMNET initially 
             accepted service orders from this system until it was replaced in 1997 by 
             AXIS.

 (*) FACS : (F)rame (A)nd (C)able (S)ystem. A database used to record information and 
            manage regular telephone lines. RIM configuration information is also stored in 
            FACS. Used for some recording of copper RIM bearers. Also for recording of some 
            Special Services lines such as ISDN.

 (*) MULTIMAN : Optical links recording system for CAN. If the RIM uses an optical bearer, 
                it will be recorded in MULTIMAN rather than FACS or NPAMS.

 (*) NPAMS : (N)etwork (P)lant (A)ssignment and (M)anagement (S)ystem. Used for some 
             recording of copper bearers from RIMs. Also used for recording RIMs in the 
             IEN as cable pair groups. Used for some management of regular telephone lines.

 (*) RASS : (R)ecord (A)utomation for (S)pecial (S)ervices. Order system for Special 
            Services rather than regular telephone lines. AXIS's Special Services 
            counterpart. Two sub-systems : RASS-P (RASS-(P)rovisioning) & RASS-M 
            (RASS-(M)aintenance).

 (*) TRAC : (T)ransmission (R)ecording (A)nd (C)ontrol System. Used for recording RIMs in 
            the Inter Exchange Network. Recorded as multiplex links.

  Propz - Phreakau Team 5/8/01




               ~-~-~-~-~-~-~- Bne Into Telstra Exchanges Part II ~-~-~-~-~-~-~-
                                    - By Marlinspike

Intro
Building And Security
Whats Inside
Area Sensors
Slip & Pull Tool
Contact Switches
Door Destruction
Schools Of Entry

Appendix 1 : Responsibilities For Credential Users
Appendix 2 : Social Engineering The After Hours Centre


 Intro
 =====

 In your suburb right now, the coolest place by far in the entire area is inside
your local telephone exchange. This is part II of my manuals on breaking into 
them with the intention of learning more about the telephone network and
procuring information (such as hands-on experience & manuals) about the telephone
network. Every successful Phreaker who got anywhere did this. Poulsen did it, 
Mitnick did it, The Phonemasters did it - and now you can do it too. 

 The first manual was basically my conclusions on what techniques could be used to 
enter exchanges from afew basic observations. This manual will cover my 
conclusions based on my now extensive observations of many telephone exchanges 
and my own successful entries and explorations. This manual is meant as
complementary to part I. If you find yourself wanting more techniques/options,
refer to part I as it was very comprehensive in that regard.

 Finally, since the first manual was published, I have been asked what is my 
preferred entry method. The answer is : I have used many different methods for 
different exchanges and situations. This is more to do with expedience than 
concealing my Modus Operandi. It is true that professional burglars often use 
changing and the most rank amateur methods they can use to get away with the 
burglary to throw off the cops, but in regard to exchanges I think you have to 
make up your own mind about which techniques you want to use based on your
situation. This file is meant to provide you with a choice of techniques.

 You might want to go trashing at your surrounding exchanges before actually
breaking in. This will give you a chance to gain confidence, become used to the
exchange and the surrounding area and escape routes and also ... get some pretty
good information just from the trashing. You'll notice that in the appendices I
have ommitted the numbers that you need to ring. This is because if you've even
got of your butt and gone to an exchange a couple of times you'll probably get it
and because if Telstra gets hold of this doc, they'd be able to change it quite
simply.

 
 Building And Security
 =====================

 This section covers basic understanding of exchange perimeter structure and some
basic techniques so keep reading if it seems abit basic.

 The basic suburban telephone exchange is usually a relatively old structure
in your area. It would seem from my observations that they have concentrated on 
perimeter security and haven't even really done a good job of that. The primary
obvious entry points into the building would be the windows and the doors (unless
you feel like breaking through a wall or going through the roof - which is still
a viable method if you don't mind being destructive.) 

 I have looked at the air-conditioning on exchanges and have come to the 
conclusion that they probably aren't safe to try and get in through. Some of the
units though are mounted in windows and if you could pry one out or unscrew it,
that would do but you'd probably be better off using a technique on the window
itself.

 There are quite afew windows on exchanges funnily enough, on concealed walls
as well as walls open to the road. Because of the focus on perimeter security
these windows will usually have bars on them. They are locked and opened by a 
lever (see diagram in slip & pull tool section) if required. I have not seen
contact switches or vibration detectors on these windows. A possibility for
detecting broken windows is a 'shatter guard' which is a unit mounted in
a concealed location inside the building that detects the high pitched sound of
glass breaking. I have tested for this device by smashing a bottle near the 
doors of the exchange and no alarm has gone off. The windows it seems could be
opened by smashing as long as the bars were gotten past. 

 The bars on the windows are vertical only. I have seen some security grilles
which are frail and offer no protection at all, but bars seem to be the
predominant window protector. A simple trick to use here is to car jack them
apart. Then, you can squeeze through the gap and do your stuff. Afterwards, you
can re-close the bars (somewhat messily, but can often turn out ok) by instead of
applying pressure to two bars side by side with the jack in the middle; applying 
pressure between one bar at a time and the window frame. That is to say, mount
the jack on one bar and some pieces of wood reaching the window frame.

 It would also seem that the bars themselves have been mounted on a frame that
has not been welded to the window frame itself, but instead have been screwed in.
This opens up the opportuntiy for unscrewing the bar frame at one end and pushing
your way past the slightly bent frame to get in and then rescrewing it back on
later.
 
 There are doors on exchanges at the main entrance which is usually pretty
standard and well protected (more on this later) and there are also other doors
around exchanges, for moving in and out equipment. These doors are usually 
double doors and are made of wood, occasionally reinforced with metal. These
doors are designed to be opened from the inside only and so do not have key locks
but have bolts on the inside. There will usually be two vertical bolts at the
top and bottom of the door which are just push in/pull out of the floor/ceiling
numbers and a horizontal bolt between the doors which is like a bolt on a gate -
not simply push in/pull out, but has to be manipulated past a stop which could
(but never does) have a padlock in it. They will also have contact switches - 
usually mounted at the top of one of the doors. Examine the diagram :

    __________________________|____[__]______    
   |                   |      |    [  ] <----|------- Contact
   |                   |   -> |              |        Switch
   |                   |  |                  |
   |                   |  |                  |
   |                   |   --Vertical        |
   |                   |     Bolt 1          |
   |                   |                     |       Well? f***ing
   | Horizontal -->  --|--                   |       Examine it! You 
   | Bolt              |                     |       will be needing this
   |                   |                     |       information later.
   |                   |                     |       (Sorry, just needed
   |                   |          Vertical   |       something to fill this
   |                   |          Bolt 2     |       space ;)
   |                   |              |      |
   |                   |       | <----       |
   |___________________|_______|_____________|
                               | 

 There are very limited intruder alarm systems in Telstra exchanges, however there
are extensive fire/smoke, gas and equipment alarm systems which you should be aware 
of. One night on one of my trashing runs I jumped the fence completely prepared to
grab some goods and noticed that an alarm was going off inside the exchange. Peering
through the window I noticed it was coming from a panel marked 'VESDA MIMIC' a
quick web search got me the following url :

                 http://www.vsl.com.au/vesda/index.html
Last edited by infinite_ on Fri Mar 18, 2005 1:14 am, edited 2 times in total.
My effort to help you will never exceed your effort to explain the problem.

User avatar
Net Battle Bot
Owns you
Posts: 1816
Joined: Fri Jun 04, 2004 6:44 am
Location: Groom Lake

Post by Net Battle Bot » Thu Mar 17, 2005 9:49 pm

v0idE wrote:[code:1:42fbe3fb69]
Well I'll be damned... isn't as easy as it looks huh?
Without practice one cannot prove; without proof one cannot be trusted; without trust one cannot be respected.

User avatar
infinite_
Bat Country
Posts: 1353
Joined: Fri Jun 04, 2004 7:19 pm
Location: Australia

Post by infinite_ » Fri Mar 18, 2005 1:22 am

Not really, I just pasted four sentences more than I should have :)
My effort to help you will never exceed your effort to explain the problem.

User avatar
Net Battle Bot
Owns you
Posts: 1816
Joined: Fri Jun 04, 2004 6:44 am
Location: Groom Lake

Post by Net Battle Bot » Sat Mar 19, 2005 2:50 am

That's what I'm talking about. The whole thing is so damn big that to keep placing quote tags in just the right place is a pain in the ass and doesn't help the concentration. I tried to make it just right but in the end gave up and posted the whole thing as one (two) chunks without tags. By the way, could a mod delete replies and move this to the phreaking tutorials section?
Without practice one cannot prove; without proof one cannot be trusted; without trust one cannot be respected.

User avatar
infinite_
Bat Country
Posts: 1353
Joined: Fri Jun 04, 2004 7:19 pm
Location: Australia

Post by infinite_ » Sat Mar 19, 2005 7:02 am

This thread is a pain to load on dialup, so I have nothing else to post :P
My effort to help you will never exceed your effort to explain the problem.

jolimensn
n00b
Posts: 1
Joined: Mon Sep 08, 2014 9:09 am

Re: Phrequency Issue #1

Post by jolimensn » Mon Sep 08, 2014 9:17 am

Phreaking Is good and i want to learn more, kuddos m big guys

Post Reply