Joyrider Issue One

All you've ever wanted to know about Phreaking. Many of the actions described in these tuts are illegal. They are presented for informational purposes only.


Post by Net Battle Bot » Tue Feb 22, 2005 7:23 pm

"JOYRIDER" The Ezine for the Aussie Phreaking Elite Issue One Contents Editoral - Boris Grishenko Basic Electronics - Thrashbarg Modems - Bluefire Argus Telecommunications - Boris Grishenko DTMF - Hector Ethics - Hector (edited by Boris Grishenko) Networking - Shyft SS7 Speech - Boris Grishenko +-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Editorial - Boris Grishenko Well folks, its that time of the year again, when I have to crank out an editorial. In this editorial I hope to make sense of the political infighting in the Ausphreak forum. As we all know, Ausphreak was being administered by Xen0crates. I have known Xen0 ever since the original Zaleth board. He came across as a bit of a newbie, but eager to learn. There were many incarnations of the Ausphreak forum, some good, some bad. There have also been talks about a secret group, which doesn't surprise me. Then finally, Xen0 got wise, and made his own Ausphreak, the present The Ausphreak forum is a phpBB board, which isn't really administered properly. There might be over 700 people using it, but how many of them post? How many of them WANT to post? I try to be active as I can, but even I have been told I am flogging a dead horse. Just recently, NyCoN, the other admin of the board, took control away from Xen0. Under normal circumstances, I would say "yay." But this time, I have to disagree. NyCoN is proving he's just as bad an admin as Xen0. Plus he's in it for the power games. Politics have been described to me as the second oldest profession, and its remarkably similar to the oldest profession (for those of you who don't know what I'm talking about, I mean prostitution). Now power is ok, in the hands of the right people. But you give the wrong person the power, and you have a disaster on your hands. Look at Hitler... Stalin... Sadaam... These people and more are prime examples of power going to peoples heads. 
And in our own phreaking community, N3t and $GX have let the power that the ESA afforded them go to their heads, and thus expelling me when they learnt the "truth" about my knowledge of the Avatar incident.

The ESA was a move in the right direction, but once again, politics intervened and people went mad. They had very active plans to bring Ausphreak down. I no longer talk to N3t or $GX, so I don't have to worry about their shit any longer. Plus the ESA, which was mostly my idea, was a good idea, but its implementation, especially with the php Nuke interface, was fucked up.

So, now, what do we have? A meeting place for over 700 people, that is not being run the way it should be. In older times, I'd say come over to the ESA, but being expelled from my own idea really pissed me off.

Well, I can't really suggest a future of Ausphreak. That's not my place. But there are a few interested people gathering, and seeing what they can mould out of the eventual ashes of Ausphreak.

This ezine is the combined effort of the Aussie Phreaking Elite guys, and I'm proud of all them. We hope to be able to bring you more quality articles soon. For the time being, have a read, and enjoy our efforts. We intend to start off basic, and work our way up. Cause that's how you learn, right?

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Basic Electronics - Thrashbarg

When you begin to look at electronics on this level, then compare its relative simplicity to what it is capable of in satellites, fibre optics, radio and computers, it really shows how much technology has advanced over the past one hundred years. No, it is not essential to understand what is going on in electronics at this level, but to have a little extra understanding about what electronics precisely is, you will have an edge on your knowledge that others don't. Enough with the yabbering, on with the article.

To have a good understanding of what electricity is it is necessary to have an understanding of matter.
All matter in the Universe is created from atoms. Atoms are composed of three founding particles -- the electron, the proton and the neutron. The electron is the lightest of all the particles and can move around freely. It has a negative charge. The proton and the neutron are much heavier and sit in the middle of atoms to form the nucleus. The proton has a positive charge and is about eighteen hundred times heavier than electrons.

There are two rules that apply to charges:

- Opposites attract
- Likes repel

This simply means that two positively charged protons will repel each other, or two negatively charged electrons will repel, but a proton and an electron will attract each other.

These three particles are arranged much like our Solar System. The heavy, immovable nucleus sits in the middle and the light, mobile electrons orbit the nucleus very quickly. Different amounts of protons in the nucleus are responsible for the different types of elements that exist in the Universe. Hydrogen has only one proton in its nucleus, helium has two, lithium has three and so on. The neutrons are there to space out the protons so they don't repel and destroy the atom. They can also create isotopes, which I won't go into here.

The electrons are responsible for what charge the atom has. An atom with no charge is just that - an atom. An atom with a charge is called an ion. Atoms become ions when electrons are removed or added to the orbiting rings. If there are fewer electrons than protons, there is a positive charge and if there are more electrons, there is a negative charge. What this creates is static electricity.

Static electricity is different to the flowing electricity that is used every day. As its name suggests, it simply sits there. A charge exists with static electricity but there is no movement of electrons. This force can have effects on other materials that surround the charged material. For example, a statically charged balloon will stick to the wall for a short time.
It doesn't stick for long because the charge is soon lost through the wall itself.

In the case of a battery, there is a constant pull which causes electrons to flow from the negative terminal to the positive. There is a lack of electrons at the positive terminal or an excess of electrons at the negative terminal. This is created by a chemical reaction that involves the movement of electrons. This movement of electrons is directed to the battery's terminals where it can be used for whatever purpose you want. The pull on the battery's terminals is called an electromotive force, or EMF. It is measured in volts or V.

There are three commonly used terms in simple electronics:

- Current
- Voltage
- Resistance

Current is a flow of electrons in a circuit, which is measured in Amperes (Amps or A).

Voltage is the force that pushes or pulls electrons between two terminals, which is measured in Volts (V).

Resistance is the opposition to the movement of the electrons in a circuit, which is measured in Ohms. Its symbol is the Greek letter Omega.

Anyway, I hope you have learnt something from this, perhaps some new terms or just for some catching up on the founding theory. I'll get into something slightly more interesting next issue. Until then, have fun.

Oh, and I don't guarantee that this information is 100% accurate either. Don't go using this as a reference for physics tests or anything. :P

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Modems - BlueFire

Modems got their name from putting two words together (Modulator and Demodulator). The sending modem modulates the digital data into a signal so it can be passed over the telephone network, then the receiving modem demodulates the signal back into digital data.
Modems are called "Data Communication Equipment" (DCE) and computers are called "Data Terminal Equipment" (DTE).

Computer          Modem       Telephone lines        Modem           Computer
          ______        --------------------------         _______
 (DTE)            (DCE)                              (DCE)            (DTE)

---- = Telephone line and the telco network
____ = Cable between your modem and computer

Between the computer (DTE) and the modem (DCE) a signaling standard is needed. The three main ones are:

RS-232 (EIA/TIA-232)
V.35
HSSI (High-Speed Serial Interface)

RS-232 (EIA/TIA-232)

8 pins are used to connect the DTE to the DCE for data transfer, flow control and modem control. For DB-25 the pins are:

Pin  Definition            Description
2    Transmits data        DTE-to-DCE data transfer
3    Receives data         DCE-to-DTE data transfer
4    Request to send       DTE signal buffer available
5    Clear to send         DCE signal buffer available
6    Data set ready        DCE is ready
7    Signal ground
8    Carrier detect        DCE senses carrier
20   Data terminal ready   DTE is ready

When the DTE raises the voltage on Pin 4, the DTE is telling the DCE that it has buffer space and to start sending data.

When the DCE raises voltage on Pin 5, the DCE is telling the DTE that it can start sending data.

When the modem is turned on, voltage is raised on Pin 6 to tell the DTE that the DCE is available to send and receive data.

When the computer is turned on and the drivers are loaded, voltage is raised on Pin 20 to tell the DCE the DTE is available to send and receive data.

Pin 8 is controlled by the DCE and voltage is raised when it has established an acceptable carrier signal with a remote DCE.

Modem Modulation Standards

Modulation techniques determine how modems convert digital data into signals. An analog waveform can be modulated in terms of its amplitude (which is the height of the signal), its frequency, its phase (position of the sine waves), or a combination of these qualities.

The V.?? series modulation standards are used nowadays, but before the V.?? series there were the AT&T Bell 103 and Bell 212A. But these supported the low speed of 300 bps(b.
By altering the height (amplitude), frequency, and the phase (position) of analog waveforms, the V.?? series has higher speeds.

ITU-T Modulation Standards

Standard   Maximum Transfer Rate
V.22       1200 bps
V.22bis    2400 bps
V.32       9600 bps
V.32bis    14,400 bps
V.34       28,800 bps
V.34bis    33,600 bps
V.90       56,000 bps

When modems initially connect, sometimes called the handshake, they agree on the highest standard transfer rate that both can achieve. Modems can have a range of 300 bps to 56 Kbps. Most modems can adapt their transmission rate to meet the remote modem and the speed the local loop (the telephone line between you and the exchange) can support. They do this by the modem first trying its highest rate and seeing if the remote modem talks back; if it doesn't, it lowers the rate and tries again.

Error Control and Data Compression

Data compression algorithms typically require an error-correction algorithm. Some of the many used compression algorithms are V.42bis, MNP 5 and V.44. These three compression algorithms operate with the error correction algorithms LAPM and MNP 4.

Data compression depends on the type of file being transferred. A standard text file can be compressed by 50%, but compression algorithms can't compress a file well if it has already been compressed by software, which may lead to larger files needing to be transferred. Hardware compression is a lot faster than software compression, so the modem should do the compression, not software.

Most people muck up the speed of the modem with the speed at which the computer talks to the modem.

DTE to DCE is how fast the computer communicates with the attached modem.
DCE to DCE is how fast the two modems communicate with each other over the telephone network.

To get full benefit out of your compression.
The computer should be set to clock the modem at its fastest rate, to take advantage of compression.

  DTE               DCE                    DCE               DTE
          ______          ------------            ______
Computer           Modem                  Modem            Computer

                          <------------>
                            28.8 kbps
        <---------->
         115.2 Kbps
                                               <------------------>
                                                    115.2 Kbps

Part 2 to come later

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Argus Telecommunications - Boris Grishenko

Argus Telecommunications is the telecommunications arm for the NSW State Railways. The government are trying to merge it back with the Rail Infrastructure Corporation (RIC), but at the moment, they exist as a separate entity. They supply and maintain the telecommunications network for the railway, which is becoming ever more complex.

Most of the information I have in this document is from a railway telephone directory from 1992, someone who works for Argus (who doesn't like saying anything, but will confirm what I already know), and someone who was contracted to Argus. While this is "slim pickings" it's better than knowing nothing at all.

The exchanges used by Argus (at least in 1992) were Ericsson M110s, and Philips 1200s. The Philips systems are actually over glorified PABXes. I found one scrap of information about the Philips systems, a Year 2000 compliance statement. It pretty much said that they weren't Year 2000 compliant.

As for the Ericsson switches, they are now called the Ericsson MD110. No wonder I couldn't find out any information about them. They did support call waiting and other advanced features, which was real news for 1992. Not even Telstra had this kind of capabilities at this time, even with the roll out of Ericsson AXE and Alcatel System 12. The MD110 is also an over glorified PABX.

Now, the systems exist over an ATM backbone up each of the main lines. This document will mainly focus on my observations on the Blue Mountains line. This ATM backbone is probably capable of about 155Mbit/sec.
Most of the traffic is digital camera data, from each station, which is piped into a head end in Sydney, and then into a monitoring room. There are a few head ends up the lines, Katoomba has been mentioned to me, but there are enough Argus installations to sink a battleship.

What to look for? The distinctive "Welcome to Argus Telecommunications" sign. At major places, like Lithgow, Blackheath, and Lawson, there are actual "exchange" buildings. Other places, there are the "older" style huts, green, with concrete walls, and metal doors. These usually have a vent on the top, with a cage around it. There is also a demountable, also green, with two doors (one is a metal bar type). These are usually in their own compound. Then finally there are the green concrete huts with a "car port" over them, and an extraordinarily large air vent on the top.

These usually exist within 500 metres of a station, so if you are looking, don't look too far. Usually the green hut types are near sectioning huts, which aren't always near the station. The demountable type has a guard around the bottom, so pesky people like phreaks can't get under there, and cut the cables. Trying to find the cables in a cable loom (in the ducts) would be nigh on impossible, and would be in the raw fibre/ATM format, requiring fibre tools and an ATM switch. This is beyond the means of most phreaks, although, if you have the money, and time, I'm willing to try.

Onto the computers, I wasn't able to get the actual types out of my contacts, although I am trying. I do know, however, that Argus runs their own OS and software, and these are developed by the RIC at Lidcombe. To tell the truth, I wouldn't mind getting into this facility, and having a look through their computers and manuals. Perhaps I will release errata to this document, as more information comes to hand.
There are a few other exchanges and facilities in Sydney, namely, Petersham (an office if I recall correctly), Central Station (on the south side there is a large exchange, on the north side there is the monitoring room), and a few others, which my contacts did not explain to me.

My interest in Argus? When I was a kid, I was interested in trains. Now I've grown up, I'm interested in computers and phones (which have more a future than trains, which I am told are losing money everyday). However, this allows me to combine two of my loves, even though I'm not that interested in trains anymore. Plus, their network interests me, how they've set it up, and maintained it. The software development place would be an absolute gem to visit, even if part of a TAFE course or something. I am told there are monitors there larger than I can imagine (I've seen a 21inch CRT in real life, that was pretty cool).

In conclusion, Argus are a company that have braved the tough Australian conditions, and come back with one hell of a network. They are doing quite well, even though they charge twice as much as most other government departments. And, even though they are probably working with primitive gear, they still maintain this network, and keep it running.

Argus would be one hell of a phreak/hack opportunity. Their system is unique, and spread out over a physically large area. I haven't touched on the radio communications used by the railways, because I'm not sure if that falls under Argus. I would expect it would, but I don't have anyone in my family or friends who still work for the railways.

Boris Grishenko.

ERRATA: I have gained another contact in Argus, and had a good talk to him. Hopefully, I will find out more from him, as he seems quite talkative and knowledgeable. He gave me the impression that Argus workers are akin to line techies from Telstra. He also went on to say the ATM link that was installed had equipment from Siemens. "Their only big contract."
He used to work at the Central Exchange in Sydney for a period of time, back in the days when it was an actual crossbar system. (That same system is now used in computers, like SGI's Octane). He said that it took three semitrailer loads to take the old crossbar out.

The software development centre at Lidcombe isn't actually part of Argus. Apparently, it's a part of RIC, and they develop signalling system software there (and I don't mean SS7).

Argus also take care of the station Public Address systems, and the Digital Voice Announcement systems. There is a centralised control for the DVA, but most of the time, it plays automatic messages (waiting for the next train to Blue Mountains, and having the DVA say it's at the platform, when it's actually 5 minutes away, really pisses me off).

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

DTMF - Hector

╔════════════════════════════════════════════════════════════╗
║                                                            ║
║                Dual Tone Multiple Frequency                ║
║                                                            ║
║    A Guide to Understanding and Exploiting Australia's     ║
║      Most Common Telecommunications Signaling Method       ║
║                                                            ║
║       Written by Hector of SCP    December 10th 2003       ║
║                                                            ║
║     Edited for 80 columns and DOS ASCII by Thrashbarg      ║
║                                                            ║
╚════════════════════════════════════════════════════════════╝

CONTENTS
~~~~~~~~

SECTION 1: INTRODUCTION
SECTION 2: UNDERSTANDING DTMF
SECTION 3: DTMF EXPLOITS
SECTION 4: PROGRAMMING WITH DTMF
SECTION 5: HISTORY OF DTMF
SECTION 6: ACRONYMS AND TECHNICAL LANGUAGE DEFINITIONS

FOREWORD
~~~~~~~~

This text was written for the purpose of others who wish to further their knowledge on Australia's most common telecommunications signaling method - DTMF. Most Australian phreak enthusiasts who have little experience in the field of phreaking will find this text very useful. However a more experienced phreaker will most probably find that they know most of the information within this text.
If this is the case, please do not complain to the author of this text, as it was intended for inexperienced phreakers who are only in the beginning stages of learning the art of phreaking. In this guide you will learn the basics of DTMF as well as more advanced and complex uses for DTMF.

The information included in this text is in no way intended to be used to defy any laws of any sort. All topics covered in this text are for informational purposes only and informational purposes only.

INTRODUCTION
~~~~~~~~~~~~

In this article you will learn the basic and advanced uses of Australia's most common voice communications signaling method, DTMF. From basics of DTMF through to its advanced uses, you will learn some important information, exploits and flaws in the telephone system regarding DTMF.

DTMF is the most common telecommunications signaling method used in Australia. DTMF stands for Dual Tone Multiple Frequency; it is used to send information through phone lines to and from your local exchange. Dual Tone Multiple Frequency (DTMF) is also known as Touch-tone, Tone Dialling, VF Signaling and MF Dialling.

Each DTMF tone consists of two simultaneous tones (one from the high group and one from the low group), which are used to indicate which number or symbol you press on your telephone's keypad. For example if you press number 5 on your telephone's keypad, the tone you will hear is 1336hz and 770hz played simultaneously.

DTMF is an extremely reliable signaling method used by all Australian telecommunications companies to receive information from their customers. Whenever a number is dialled on a home phone, office phone, public or private payphone, DTMF is decoded and used by certain equipment inside that particular area's local exchange to call the number you have dialled.

DTMF tones travel through the Red and Green wires (or Blue and White) wires on your standard home and office telephone line, as do voice signals.
Dual Tone Multiple Frequency is the basis of voice communications control. Modern telephone circuits use DTMF to dial numbers, configure telephone exchanges (switchboards) from remote locations, program certain equipment and so on.

Almost any mobile phone is capable of generating DTMF, providing a connection has already been established. This is for the use of phone banking, voicemail services and other DTMF controlled applications. If your mobile phone can not generate DTMF (or your home or office telephone uses Decadic Dialling (Pulse Dialling)) you can use a standalone Tone Dialler or White Box, which you may or may not be able to find on the market.

DTMF was designed so that it is possible to use acoustic transfer. The DTMF tones can be sent from a standard speaker and be received using a standard microphone (providing it is connected to a decoding circuit of some type).

UNDERSTANDING DTMF
~~~~~~~~~~~~~~~~~~

DTMF tones are simply two frequencies played simultaneously by a standard home phone/fax or mobile phone. Each key on your telephone's keypad has a unique frequency assigned to it. When any key is pressed on your telephone's keypad the circuit plays the corresponding DTMF tone and sends it to your local exchange for processing.

DTMF tones can be imitated by using a White Box or Tone Dialler. It is also possible to record DTMF tones using a tape recorder or computer microphone, then played into the mouthpiece of your telephone to dial numbers. However if there is a significant amount of background sound behind the recorded DTMF tones, the tones may not work properly and cause problems when trying to dial numbers. You can also download DTMF tones via the S.C.P website in WAV or MP3 format.

Below is a Dual Tone Multi Frequency (DTMF) map for a 4X4-matrix keypad, the map shows each unique frequency which is assigned to each key on a standard 4X4 telephone keypad. The frequencies are exactly the same for a 3X4 Matrix keypad, without the keys A, B, C and D.
┌───────────┬───────────┬───────────┬───────────┬───────────┐
│ FREQUENCY │  1209hz   │  1336hz   │  1477hz   │  1633hz   │
├───────────┼───────────┼───────────┼───────────┼───────────┤
│   697hz   │     1     │     2     │     3     │     A     │
├───────────┼───────────┼───────────┼───────────┼───────────┤
│   770hz   │     4     │     5     │     6     │     B     │
├───────────┼───────────┼───────────┼───────────┼───────────┤
│   852hz   │     7     │     8     │     9     │     C     │
├───────────┼───────────┼───────────┼───────────┼───────────┤
│   941hz   │     *     │     0     │     #     │     D     │
└───────────┴───────────┴───────────┴───────────┴───────────┘

As you will notice this is not a standard keypad, this keypad has 4 more keys than a standard keypad (3X4-matrix). The keys A, B, C and D are not commonly used on standard home phone/fax, office phone or payphone. Each of the keys A, B, C and D are system tones/codes and are mainly used to configure telephone exchanges or to perform other special functions at an exchange. For example, the corresponding tone/code assigned to the A key is used on some networks to move through various carriers (this function is prohibited by most carriers).

When DTMF was created individual and unique frequencies were chosen so that it would be quite easy to design frequency filters, and so that the tones could easily pass through telephone lines (the maximum guaranteed bandwidth for a standard telephone line extends from around 300 Hz to 3.5 kHz). DTMF was not intended for data transfer; it was designed for control signals only. With a standard DTMF encoder/decoder, it is possible to signal at a rate of around 10 tones/signals per second. A standard DTMF tone should always be played for at least 50ms with a further 50ms space duration for maximum reliability.

DTMF EXPLOITS
~~~~~~~~~~~~~

Exploiting DTMF is a relatively easy task to accomplish. First of all some general knowledge about DTMF is required, as well as a device which will produce at least the 12 standard DTMF tones.
Although a DTMF decoder is not always essential when performing simple DTMF exploits, it will save you a lot of time if DTMF decoding is required. If you are unable to obtain a Tone Dialler and you are also unable to build a White Box, it is possible to use a CD with each of the 12 or 16 DTMF tones assigned to each track, then played through a portable CD player. Another possible substitute for a DTMF producing device is a portable MP3 player used in the same manner as the CD method.

Numbers which have been blocked from being dialled on a payphone (by the specific telecommunications company who owns the payphone) can easily be bypassed with a simple DTMF exploit (so long as it is a software block and not blocked at the exchange level). When a number is blocked on a payphone the only thing that is preventing the payphone user from dialling that specific number is the payphone's software. This software can be easily bypassed by using a DTMF emitting device.

For example, if the payphone which the user is using has the number 1234567890 blocked from being dialled, you can bypass the payphone's software block by dialling 123, then with your DTMF emitting device dial the rest of the number (4567890). This should connect the payphone user to the blocked number, regardless of any software the payphone might have to prevent that specific number from being dialled.

The theory behind this DTMF exploit procedure is that the lowest number prefix that is possible to be dialled from a payphone is three digits long. The most common payphone you will come across is the Telstra Smartphone. These specific payphones only enable the microphone (mouthpiece) to be used after 3 DTMF tones have been registered and decoded at the payphone's local exchange.
After the third DTMF tone/signal has been played, the mouthpiece must be able to receive voice signals (and other signals such as DTMF) because if someone dialled 000, they would not be able to speak to the operator, because the microphone would be disabled.

You are unable to use your DTMF emitting device to play the first three DTMF tones/signals because the Smartphone's microphone (mouthpiece) is disabled. To enable the Smartphone's mouthpiece you will need to dial the 3 DTMF tones via the payphone's keypad itself. Once the mouthpiece is enabled you are now able to send your DTMF tones/signals into the mouthpiece via your DTMF emitting device.

Decoding DTMF is a relatively easy task to accomplish, providing you have access to DTMF decoding hardware and/or software. DTMF tones are always used for entering PIN numbers, ID numbers and other similar personal information via a telephone keypad. All that is involved to gain a PIN number via DTMF is some general telephone social engineering skills and a DTMF decoder of some sort (hardware or software), as well as a tape recorder or other audio recording device.

First of all, to gain a PIN number using DTMF you will need to know what company or business the account holder (victim) is using and find out if the account can be accessed via a telephone. If you already know what business your victim has an account with, try to find a members access number with a login facility. For example, if you are attempting to gain a corresponding PIN number for a FAST (Field Access to Sultan Testing) ID number, the access number would be the number for FAST (not disclosed here for certain reasons).

Dial the access number for the certain company in which your victim owns an account, then record the welcome message. If you do not think the welcome message is appropriate for your social engineer (which you will be performing to your victim), you should either edit the welcome message or use a good text to speech program.
If you do use a Text to Speech program, try to make sure you use a program with an Australian accent (female voices sound more convincing and professional).

Once you have successfully accomplished the above tasks you are now ready to begin your social engineer. Use a fake name in full (last name and first name), and make sure you tell your victim exactly what you want them to do, without stuttering or pausing in your speech. Try to make your voice sound as if you have already done this a million times and you are looking forward to it all being done with.

Never ask straight out for your victim's PIN number. Make sure you always ask a couple of simple questions then play the recorded welcome message asking the customer to enter their PIN and/or ID number, you will need to record the DTMF sequence your victim enters, this is for later decoding. Once your victim is done entering their personal information (in this case their FAST ID number and their corresponding PIN), either hang up if appropriate or begin to talk with them once again.

The following script is an example of gaining a corresponding PIN for a FAST account.

Ring Luke Gresham - Telstra Employee

Victim: Hello, Luke speaking.

Phreak: Good afternoon Luke, my name is George Bualic, I am one of Telstra's administrators for the FAST system. I have been scanning through some FAST access statistics and have found your ID number, 34750086 has been experiencing some problems when attempting to login. Have you had any trouble accessing FAST?

Victim: No

Phreak: Ok, I will just need to perform some tests on our system to clear up some of these errors, would you be so kind as to enter the required information once I forward you through to our test section?

Victim: Yeah, I guess that is ok.

Phreak: Ok, thank you Luke.

Play your edited FAST message. Example: Welcome to Telstra's FAST test facility, please enter your employee number followed by your PIN.

Once your victim has entered the required information hang up.
Now that you have recorded the previous tones your victim pressed, use your DTMF decoding hardware or software to decode the frequencies. Your DTMF decoding equipment or software should now display the digits your victim previously entered via his or her keypad in DTMF format, thus showing the PIN they had previously entered.

PROGRAMMING WITH DTMF
~~~~~~~~~~~~~~~~~~~~~

There are multiple different DTMF sequences to program the same character, it depends on the equipment, system or application you are using and/or programming. For example, on a standard 3X4-matrix keypad the (1) key has no alphabetic value, only numeric. So no alphabetic characters can be programmed using the (1) key. The (2) key will usually have 4 different values, A, B, C and 2 whereas a differently designed keypad may have alphabetic value assigned to the (1) key, thus changing the alphabetic value of the (2) key.

When programming alphanumeric characters with DTMF, the tones are most commonly repeated until the specific character is displayed on the LCD screen or other type of monitor. Then either * or # (depending on the DTMF receiving equipment) is used to enter the current character and begin to program the next. The * and # keys are used for entering characters and deleting characters, most commonly * is used for deleting and exiting and # is used for entering.

Not all equipment, applications or systems use DTMF to program words, they also use DTMF strings for different commands to perform certain functions on a system, application or piece of equipment.

The table below shows the alphabetic values and functions assigned to each of the 12 standard numeric keys on a standard alphanumeric keypad.

 Key | Character     | Key | Character  | Key | Character
-----+---------------+-----+------------+-----+---------------
 1   | 1             | 2   | A, B, C, 2 | 3   | D, E, F, 3
 4   | G, H, I, 4    | 5   | J, K, L, 5 | 6   | M, N, O, 6
 7   | P, Q, R, S, 7 | 8   | T, U, V, 8 | 9   | W, X, Y, Z, 9
 *   | (Clear)       | 0   | (Zero)     | #   | (Enter)

Note: This is the most common layout of an alphanumeric keypad. There are many different variations of keypads but generally all DTMF programming software and hardware run under the same principles.

On this specific design of alphanumeric keypad the DTMF sequence to type the letters DTMF is 3#8#6#333#. To type the word PHREAK, the DTMF sequence is 7#44#777#33#2#55#.

The table below shows each standard DTMF sequence and the assigned alphanumeric values and functions of each tone and tone sequence.

 DTMF Sequence | Alphanumeric Character or Function
---------------+---------------------------------------------
 0             | 0
 1             | 1
 2222          | 2
 3333          | 3
 4444          | 4
 5555          | 5
 6666          | 6
 77777         | 7
 8888          | 8
 99999         | 9
 2             | A
 22            | B
 222           | C
 3             | D
 33            | E
 333           | F
 4             | G
 44            | H
 444           | I
 5             | J
 55            | K
 555           | L
 6             | M
 66            | N
 666           | O
 7             | P
 77            | Q
 777           | R
 7777          | S
 8             | T
 88            | U
 888           | V
 9             | W
 99            | X
 999           | Y
 9999          | Z
 *             | Clear, Reset, Back, Exit (equipment varies)
 #             | Enter, Ok, Next (equipment varies)

HISTORY OF DTMF
~~~~~~~~~~~~~~~

Before DTMF was created, telephone networks used a dialling system called Decadic (also known as Pulse Dial). The Decadic system was used extensively in modern telephone networks to dial numbers, which were entered by the telephone companies' users. The Decadic (Pulse Dialling) system used a series of clicks (which could be heard through the speaker of the phone) to dial the numbers which were dialled via a keypad or rotary dial. The clicking sounds were actually the connection of the phone line being connected, disconnected, and reconnected again in a certain pattern. The Decadic (Pulse Dialling) system was very useful, but was limited to the local exchange connections, requiring an operator to connect long distance calls.

In the late years of 1950, DTMF was being developed at Bell Labs for the purpose of allowing tone signals to dial long distance numbers, which could potentially be dialled not only via standard wire networks, but also via radio links and/or satellites. DTMF was being developed for the future of electronic telecommunications switching systems, as opposed to the mechanical crossbar systems, which were currently in use at the time. After DTMF was created, Decadic dialling was made pointless to continue; it made no sense to continue using that particular dialling system in the equipment circuits which the telephone exchanges were using at the time.
Plans were then made to begin the manufacture of DTMF controlled switching systems in the communications exchanges and later standard customer owned telephones were upgraded to using DTMF circuits rather than Decadic (Pulse Dial). After various tests were performed on the DTMF system throughout the 1960s (when DTMF became known as Touch-Tone), DTMF was made official, and was then used as the main telecommunications dialling and switching system, and remains that way to this day.

ACRONYMS AND TECHNICAL LANGUAGE DEFINITIONS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Throughout this text, technical language and acronyms were used to specify certain equipment and types of systems. The acronyms and technical language definitions below are for the use of better understanding the technical language and acronyms used in this text.

 Acronym | Meaning
---------+--------------------------------
 DTMF    | Dual Tone Multiple Frequency
 FAST    | Field Access to Sultan Testing
 ID      | Identification
 MF      | Multiple Frequency
 PIN     | Personal Identification Number
 VF      | Voice Frequency

 Technical Term     | Definition
--------------------+--------------------------------------------------------
 Acoustic Transfer  | The sending of DTMF tones/signals from a standard
                    | speaker to a standard telephone or decoder microphone.
 Carrier            | A company that offers telecommunications services
                    | either interstate or internationally via a telephone
                    | network.
 Decadic            | The dialling and switching system used by
                    | telecommunications companies prior to Dual Tone
                    | Multiple Frequency.
 Decode             | To visually see the corresponding digits assigned to
                    | each unique frequency via a decoder circuit of some
                    | sort.
 Encoder            | A specific piece of hardware or software, which is
                    | used to play the unique frequencies assigned to each
                    | of the keys on a telephone's keypad.
 Exploit            | A way of bypassing and/or breaching some kind of
                    | security, which has been intentionally put in place by
                    | someone else.
 Flaw               | A security hole in a specific system or application,
                    | which is a fault in the equipment, application or
                    | system.
 Frequency          | The number of cycles, oscillations or vibrations of a
                    | wave motion or oscillation which is measured in unit
                    | time.
 Keypad             | A device consisting of the 12 or 16 standard
                    | alphanumeric keys, which is part of a telephone's
                    | dialling mechanism.
 Phreak             | One who studies and exploits telephone systems and
                    | networks to further their knowledge of its workings.
 Pulse Dial         | The non-technical term for Decadic, a system where
                    | numbers are dialled by connecting, disconnecting, then
                    | reconnecting the phone line.
 Rotary Dial        | The dialling mechanism used prior to keypads. A Rotary
                    | Dial is a circular piece of plastic, which is turned
                    | by your fingers to dial numbers.
 Social Engineering | The art of tricking certain people (in this case,
                    | Telstra employees) into doing something they would not
                    | usually do.
 Tone Dialler       | A standard handheld DTMF producing device, which is
                    | used to control applications and equipment remotely
                    | using acoustic transfer.
 Touch-Tone         | The name given to the DTMF system in the 1960s,
                    | Touch-Tone is the non-technical name for Dual Tone
                    | Multiple Frequency.
 White Box          | The name given to a homemade Tone Dialler, a White Box
                    | is used in exactly the same way as a standard Tone
                    | Dialler.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Ethics - Hector (edited by Boris Grishenko)

S.C.P has very strong beliefs that knowledge can be found and acquired without any malicious behavior whatsoever. Respect for Telco employees should always be shown. You may lie to and social engineer a telco employee without doing any damage to his / her job or reputation in the process. Trashing is stealing, but it is stealing rubbish - papers and devices which others do not wish to keep any longer.
When you trash you are trespassing on private property, but if you think about it, what harm are you doing? Care should always be taken when beige boxing so as to not cut any lines. Beige boxing is an important part of phreaking, however, you do not have to use your Beige Box to charge a random person for your calls, if you are using a line which belongs to a random person only dial toll free numbers (1800s). Remember these people are just people - with jobs and a family to look after. Try to use your Beige Box on a payphone line if you are wanting a free call and not a random person's line. Never endanger a telco employee in any way. You must never physically or verbally abuse a telco employee because of something you do not like about the company they are a part of. Remember they are just doing their job.

The S.C.P Code.

1) Telephone lines must never be cut under any circumstances while beige boxing.
2) You must never vandalise any telecommunications equipment, payphones or anything else which belongs to a telco company.
3) You must never do anything to discredit the reputation of Australian phreakers by doing anything which is inappropriate - e.g. Vandalism.
4) Phreaking is not anarchy, phreaking is an art learned by those with a particular interest in the workings of telephone systems and finding exploits and holes.
5) An S.C.P member must never use their skills to make profit of any kind. Whether it be at their own expense or another's.
6) Try your best to leave everything to look as if it has been untouched - e.g. Exchange bin, Cables after beige boxing.

These are all very good ethics. As Hector mentioned, phreaking is an art, learned and perfected after many years of study and experimentation. I *ALWAYS* show respect for the gear that I phreak from, or break into. And you should too. Without the telephone network, how would you talk to your mate down the road? Or across the world?
You take it for granted that the telephone system is there for you, a modern miracle. Now, why should you deny someone's right to use the network, by cutting their line, or running up their phone bill? I've been asked by a number of people "why haven't you smashed up the GSM base station at TAFE?" I was disgusted. Sure, it isn't mine, but I treat it like it is. You do not learn by smashing the shit out of something. And how am I supposed to learn about hacking SMSCs like I want to, if someone else takes to it with a sledgehammer? Phreak to learn, because this is the essence of phreaking. Sure, the free calls are nice. So is the free SMS. But wishing and hoping for another straw trick and smashing up random bits of telco equipment in the meantime? This isn't phreaking, and if you're one of these people, go away. We don't want you.

Respect is the key word. The authorities and telco companies believe we don't have respect. But like any group, there is always a small few who try to bring down the whole house. Practice moderation. If you start running up calls to 1900/1902 numbers on someone's line how are they expected to pay it? You know you wouldn't like it, so why do it to someone else, someone you probably don't even know. I'm not trying to sound all preachy and shit. I'm just helping lay down the ground rules for our exciting hobby. Or, for some of us, our life. So yes, phreak, but please, consider...

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Networking - Shyft

What is networking?

Networking is basically connecting two or more computers so they can communicate, share internet connections, applications, printers, etc. In this tutorial I will be explaining what equipment you need and how to put it all together. This is designed to be a beginner's guide so if you've ever set up a network there will be nothing new for you.

Equipment

NIC (network interface card)

A network card allows you to plug a network cable (see below) into your computer.
Every computer you want to have on the network needs a NIC. Some motherboards have onboard NICs so if you have this then you don't need a NIC. They are pretty damn cheap and they plug straight into a PCI slot on your motherboard. NICs are rated at how fast they can transmit/receive data. 10 means 10 Mbits/sec, 10/100 means it's compatible with 10 and 100 Mbits/sec networks.

Cables

You need one cable per computer. There are many different types of cables available but I suggest using Cat5e. This cable will support 10 and 100 Mbit LANs. There are two different types of Cat5e. They are straight through and crossover. A crossover cable is used to connect only two computers. A straight through cable is used to connect a computer to a hub or switch (see below).

Hubs/Switches

Hubs and switches are devices that allow a lot of computers to communicate at once. The only difference between a hub and a switch is that a hub shares bandwidth and a switch dedicates bandwidth. This means that if you have a 100 Mbit hub with 5 computers connected to it, then each computer will get 20 Mbit/sec bandwidth. On the other hand with a 100 Mbit switch with 5 computers connected, each computer will have 100 Mbit/sec bandwidth. Hubs are pretty much obsolete nowadays and you can pick up an 8 port switch really cheap.

Installation

Now that you have all your equipment it's time to put it all together. This is extremely easy. First you put your NIC into your computer. If you don't know how to put a card onto the motherboard find someone who does. Next, if you are using a crossover cable for only 2 computers you just simply plug one end of the cable into one NIC and the other end into the other NIC. If you are using 2 or more computers and a hub or switch just plug a cable from the NIC to one of the hub/switch ports. Do this for every computer. Well that's pretty much it. A LAN at home is pretty cheap and simple. Although I will make a note here.
At this point your network will NOT be working because configuration of the software side still needs to be done. Stay posted for my next tutorial which will be configuring a network using Windows 2000.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

SS7 Speech - Boris Grishenko

Introduction

My name is Boris Grishenko. I am the leader of a group known as EMHi Research and Development. We operate in the Sydney and Blue Mountains areas. Our main focus is programming and development of software. We have a few members, and hope to get some more. We are all phreaks, and hackers of sorts. Our common interests are what links us together. Why am I so qualified to talk about SS7? Because I have been studying the subject for about a year now, and wish to get right into it, if my mother gives me the money she owes me. I have an interest in OpenSS7, and HP's OpenCall. These are switching platforms.

What is SS7?

SS7, or Signalling System 7, is a relatively new development in the world of telephony. It has been around for almost 15 years in one form or another. It is a switching system, which uses "out of band" signalling. This is opposed to the older CCITT signalling that used "in band" signalling. Since the signalling was in band, it could be easily phreaked, and was easily phreaked. This is where the Blue Box came in. Although more expensive to implement, SS7 has the benefits of using the out of band signalling. This means you can't blow a 2600Hz tone, and drop onto the carrier. As the world converges into the digital age, the line between hacking and phreaking is becoming more and more blurred. Practically everything on a telephone network that you can think of hangs off SS7, including SMSCs, exchanges, and other network elements. They communicate to each other using X25 links. For reference, X25 is a packet switching system, akin to the internet, but much harder to use. You don't have URLs on X25! X25 was introduced in the 70s, and a lot of the Telstra core systems hang off it.
The core systems are mostly HP9000s and IBM RS6000s.

Network Elements

There are many network elements in SS7. I've described some, and will go into detail in this section. I've heard this described as an Acronym Intensive Network, which is what it is.

The SSP, or Service Switching Point, is your basic, butt ugly exchange. These are usually Ericsson AXE, although I have heard of Alcatel System 12 exchanges too. I'm not really familiar with the Alcatel ones, but I know a little bit about AXE. I was lucky to find a file that kind of describes the interior layout of an AXE exchange.

The STP, or Signaling Transfer Point, is the next step up. These control the exchanges. They make sure that the links are made between exchanges, in the correct order, and make sure calls go through. They are akin to a router. The data links, as described earlier, take place on a different circuit to the voice links, so trying to phreak from your phone line is impossible.

The SCP, or Service Control Point, is the database servers for the IN, or Intelligent Network. I expect this is where billing is recorded, and sent out from. Other nice things, like whom you called, how long you were on the phone, and what colour your toilet is would be recorded in this. If you were looking to modify data on a person's link status, such as upgrading your phone line service from incoming calls only, to full link, then this is where you would attack.

The SMS, not to be confused with Short Message Service, is the Service Management System. I expect this to be a mainframe, with a bunch of terminals hooked up to it. It controls, updates and otherwise maintains the Intelligent Network. It would be from here that the commands to update status of phone lines would be issued.

The references I have don't go into mobile phone switching. It is a whole new ballgame, having such network elements as the SMSC, the Short Message Service Centre, the HLR, the Home Location Register, and other database type elements.

So how would I phreak the SS7 Network?

Well, Telstra have an X25 network that I have heard referred to as the CDN, or the Corporate Data Network. This was in a document I have about security in exchanges, and how the security system interacts with some Digital Equipment Corporation VAX servers. Apart from that, there is no information. Then again, there isn't much information about Transcend, the banks X25 network, but I do know it exists. To phreak the SS7 network, you would need to hack into the CDN, get the right core server that you want, and I bet there's quite a few, and make the changes from there. In theory, you could make it that whole exchanges get free phone calls until Telstra get wise, and stop it.

The phreaking, or hacking, if you will, of the SS7 network will give you more power than the blue boxers of the olden days. They were restricted to the limitations of the networks of the time. Now we have an increasingly complex telephone system, with more and more options and features being added everyday. For example, the "101" service, it is an intelligent service, run on a few database servers in the core systems. This pretty much made the answering machine redundant, and it's being offered free to Telstra subscribers. I'm with AAPT, and haven't used it, so I don't know how it works. I just know it's a recent example of an intelligent service. Other intelligent services are things such as *10#. This is a nifty little program that I use a lot. As long as it isn't my mother calling, I pretty much know who's calling. It's almost essential now, and you wonder how you got along without it. All these services and features are programs being run on exchanges and the core servers.

Conclusion

Now you know a little about the SS7 network. I hope you found this interesting and informative. If you have any more questions, I'll be happy to answer them later on, or on the board after this meeting.
And I hope it inspires you to go out and do something about this new generation in phreaking. Even if you try something like OpenSS7 on a Linux box, and muck around with that, which is exactly what I'm going to do until I get my hands on a copy of OpenCall. Until the next time gentlemen...
Without practice one cannot prove; without proof one cannot be trusted; without trust one cannot be respected.
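
Added example, not part of the original ezine: the multi-tap scheme from the PROGRAMMING WITH DTMF section (repeat a key until the wanted character is reached, then # to enter it), written as an encoder plus a strict decoder of the kind a receiving system would use to reject malformed key input. The key map is the ezine's keypad table; the function names and the exact behaviour of * (clear the pending key presses, otherwise delete the last entered character) are assumptions, since the text says this varies by equipment.

```python
"""Multi-tap DTMF text entry, following the ezine's keypad table.

Added example; all names are hypothetical. Letters come first on each key and
the digit itself comes last (2 -> A, B, C, 2), as in the DTMF sequence table.
"""

KEYPAD = {
    "0": "0", "1": "1",
    "2": "ABC2", "3": "DEF3", "4": "GHI4", "5": "JKL5",
    "6": "MNO6", "7": "PQRS7", "8": "TUV8", "9": "WXYZ9",
}
ENTER, CLEAR = "#", "*"

# Reverse map: character -> repeated key presses, e.g. "F" -> "333", "7" -> "77777".
SEQUENCE = {
    ch: key * (i + 1)
    for key, chars in KEYPAD.items()
    for i, ch in enumerate(chars)
}


class MultiTapError(ValueError):
    """Raised when input does not follow the multi-tap rules."""


def encode(text):
    """Return the key sequence that types `text`, with '#' after each character."""
    out = []
    for ch in text.upper():
        if ch not in SEQUENCE:
            raise MultiTapError(f"{ch!r} is not on this keypad")
        out.append(SEQUENCE[ch] + ENTER)
    return "".join(out)


def decode(keys, wrap=False):
    """Turn a string of key presses back into text.

    wrap=False rejects more presses than a key has characters; wrap=True
    cycles back to the first character instead (assumed equipment variation).
    """
    text = []
    key, presses = None, 0          # key currently being repeated, and how often
    for pos, k in enumerate(keys):
        if k in KEYPAD:
            if key is not None and k != key:
                raise MultiTapError(
                    f"position {pos}: {k!r} pressed before {key!r} was entered with '#'")
            key, presses = k, presses + 1
            if presses > len(KEYPAD[k]) and not wrap:
                raise MultiTapError(f"position {pos}: too many presses of {k!r}")
        elif k == ENTER:
            if key is None:
                raise MultiTapError(f"position {pos}: '#' with no character selected")
            chars = KEYPAD[key]
            text.append(chars[(presses - 1) % len(chars)])
            key, presses = None, 0
        elif k == CLEAR:
            if key is not None:     # discard the pending presses
                key, presses = None, 0
            elif text:              # nothing pending: delete the last character
                text.pop()
        else:
            raise MultiTapError(f"position {pos}: {k!r} is not a keypad key")
    if key is not None:
        raise MultiTapError("input ended before the last character was entered with '#'")
    return "".join(text)


if __name__ == "__main__":
    for word in ("DTMF", "PHREAK"):
        seq = encode(word)
        print(word, "->", seq, "->", decode(seq))
```
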