| Phones & Tones: Second Edition |
----------------------------------
| by Murder Mouse |

Section 1: The Introduction
----------------------------
Greets and meets. Well, it's definitely been a while since my last tutorial,
and with a new decade upon us now is as great a time as ever for a much
needed update. Phreaking has definitely seen some changes since I wrote
the original release. Joybubbles is gone, VoIP is now the standard for
almost any PBX, and in most cities in the US payphones are just a memory.
In fact, as I'm writing this the FCC is already debating how to convert
the entire PSTN to VoIP. As decades come and go the landscape of telephony
is constantly changing, and with it so does phreaking. Whether the calls
are carried through tandems or routers (technically on landline it's both),
the drive to explore and understand this landscape will always keep
phreakers going. So it's in this spirit that I write this guide.

One thing I'd like to point out before I get started is that I have
decided to write this a little differently than my original release. I've
stripped away much of the technical detail in favor of keeping the guide
as simple and straightforward as possible. However, this means that I'm
writing this guide with the assumption that you, the reader, already have at
least a basic understanding of telecommunications. I've included some
links and suggestions around the end of this guide and I'd suggest you
check through them if you need to. So with all that said, let's begin.
Section 2: Exchange Scanning
-----------------------------
Well, as before, let's start this discussion off with an explanation of
exchange scanning. Exchange scanning, for those of you who don't know, is
simply picking up the phone and dialing down a range of phone numbers to
see what you come up with. This is how you will find all those interesting
numbers you can fuck with and share (voicemail systems, test numbers,
ANACs, strange recordings, etc.). So how do you get started? Well, an
exchange, also known as the NXX, is the middle three digits of any phone
number (i.e. 555-xxx-1337). Most people when they first really get started
scan their own exchange, usually starting with the low end of the exchange
(i.e. NPA-NXX-00xx, NPA meaning the area code). So you would start off
dialing NPA-NXX-0000, write down what you hear, then move on to 0001,
0002, and so on and so forth. If you're the paranoid type you might want
to randomize your call sequence in order to make it slightly less obvious
what you've been up to, as in going from 0000 to 0021 to 0076 to 0014, etc.
until you've scanned the first 100 numbers on the exchange. This of course
is entirely up to you, and at least in the United States exchange scanning
is legal in most areas (I think I remember reading about a law in
Connecticut concerning this but I'm not really sure on that). So anyway,
when scanning you will probably want to make a list for yourself of the
results for later review or to share. It's best to make some legends
(acronyms) for yourself in order to abbreviate some of the most common
finds while you're scanning. Provided below is the list I use for all of
mine, which is partly based on the standard proposed on binrev a couple
of years back.
CC - Cannot be completed
CR - Cannot be reached from your calling area
NS - Not in Service
D - Disconnected
CB - All circuits busy
RO - Reorder
B - Busy
FX - Fax machine
R - Rings
HELO - Hello?
VM - Voicemail
VMS - Voicemail System
Of course you're free to use whatever legends you like, but just be sure
you leave a list of them at the top of your exchange scans if you plan on
sharing them with anyone. If you need some examples to go on you can check
out some of Information Leak's exchange scans below:
www.informationleak.org/viewforum.php?f=43

Anyway, it's best to scan during different times of the day depending on
what kind of exchange scan you are doing. For local exchange scans or any
scans that involve the probability of hitting a lot of residential lines
it's best to scan anywhere from mid-morning to mid-afternoon if you can.
This is because most people will be up and out of the house (work, school,
whatever). Of course any time that doesn't involve interrupting people's
much needed sleep will work just fine. On the other hand, if you're doing a
toll free scan (1-800, 866, etc.) or scanning a range assigned to a
specific PBX (more on this later) then you'll want to scan in the middle
of the night (after business hours).

So with all that said I'll close this section as I did last time by
helping you identify some of the sounds you'll be coming across while
scanning.

Fax Machines - No need to tell you what a fax machine is, but you'll come
across many of them while scanning and being able to pick out their tones
can be important. Most fax machines you'll come across will have a modem
sound (like the sound a modem makes when using dialup), but with a
slightly flatter sounding series of tones. It's kind of hard to describe,
but once you hear it it's easy to notice. Of course some other fax
machines have completely different tones. Some have a low pulsing tone,
and some others have a much more drawn out series of tones than most.
You'll hear all of them as you're scanning so it's a good idea to get
familiarized with these tones early on.

Milliwatt Test Numbers - These are one of the most common test numbers,
and you'll be painfully aware of what they are when you stumble across
one, literally. The tone is a very loud, constant tone.

ANACs - These are very common numbers to come across, but if you're not
paying attention to the recordings you are stumbling across you can easily
miss them. These are especially common during toll free scans due to how
many business recordings will read off the ANI (and in some extremely rare
cases even include the ANI II identifier; feel privileged if you manage to
snag a number like this). On the other hand, the ANACs that line
technicians use are pretty easy to discern since the recording will just
immediately read off the ANI. All I can tell you is pay attention.

DISAs - These are the administrative lines for analog PBXs and, needless to
say, are a lot less common to come across than they were just a few years
ago. This, like I said in the introduction, is because most businesses,
departments, etc. have upgraded their PBXs to VoIP systems. If you do come
across these though you will recognize them in a wide variety of ways.
Some of the older analog systems have a lower, constant tone upon
connecting, but I haven't really heard these any time I scan. Most of the
analog PBXs still up and kicking will pick up with either complete silence
(meaning it's waiting for DTMF input) or a dial tone. Of course there are
some other types of systems besides DISAs that may sit and wait for DTMF,
but commonly the login process is still the same regardless.

DATUs - These are one of the best finds you can come across, but I'm not
really sure how common of a find they are these days since DATUs have
never really been a part of the telco here. Before AT&T bought the area
out, BellSouth was using VoiceSystems, which functioned just like
DATUs but required a specific modem in order to access the prompt
(otherwise it would just hang up as soon as you called it up). Either way,
these are administrative lines used by line technicians for basic repair
and tests on subscriber lines within a given exchange, and you'll
recognize one as a half ring followed by a low tone. I'll link some
information on it later in the guide.

VMBs - Of course by VMBs I don't mean the individual mailboxes you'll come
across when scanning PBXs and such, but specifically the voicemail system
lines for logging in and checking messages and such on the mailboxes. Just
like ANACs, to fish these out you have to really just pay attention to any
recordings you come across. Some voicemail systems will announce what kind
of system it is as soon as you connect, while others will just go straight
to asking for your user ID. What to do from here will be discussed in a
later section.

Also, once you get a handle on exchange scanning you should look into
unpublished exchanges. Most of these are the exchange numbers you normally
dial to reach common services (411, 911, 211, etc.), but depending on the
LEC there may also be a telco exchange used just for test numbers (like
959 in the AT&T areas). To get unpublished exchanges just go to nanpa.com
and look for Central Office Code Assignments that are close to your area
(remember, Utilized means used). Compare this list to the list in your
phone book, and any exchanges that aren't listed in the phone book besides
the obvious services mentioned before can be considered special interest
exchanges. Finally, before I finish here I should mention that if
handscanning seems too daunting for you and you really want to go the
wardialer route (to each their own) and you're a Linux user then I'd
suggest looking into iWar. It has plenty of nifty options, including support
for protocols like IAX2. Check the link below for details:
www.softwink.com/iwar/
Section 3: Hacking PBXs
------------------------
Well, now that we're done with exchange scanning we can move on to PBXs.
How you will go about exploring, exploiting, fondling, or whatever you
feel like doing with a PBX varies greatly depending on the kind of PBX it
is, but a great place to start either way is to do a little poking around
on the phone. First crack open the phone book or go over to superpages.com
and look up any business/department/etc. you have in mind to see all the
listed numbers for that organization. Some of the larger businesses in
your area may have a range of numbers reserved. If so, you will see that
all of the listed numbers are basically the same. Say the main office line
is NPA-NXX-5500, their fax line is NPA-NXX-5504, and their accounting
department is NPA-NXX-5542. Then it's safe to assume that a great place to
start is to scan the NPA-NXX-55xx range. Take note of all the numbers
listed and start exchange scanning down the rest to see what you come
across. Otherwise, if there isn't a range to scan, try calling the main line
(after business hours of course) and listen through the recording.
Sometimes the recording will go through a list of extensions for different
departments that the caller might be inquiring about. Listening through
this gives you the opportunity to figure out the extension range, which
you can then scan through like you would an exchange scan. Say the main
office is 10, the accounting department is 15, the senior manager is 22, and
so on and so forth; then it's safe to assume that the range goes anywhere
in between 10-99. So just like an exchange scan you would take note of all
the extensions listed, and then just keep calling back and trying all the
extensions that weren't mentioned. Most of the interesting extensions that
you'll come across will be at the end of the range (50, 99, 9999, wherever
the extension range ends) since all the office/department lines are going
to be assigned from the start on up. If all you're after is the voicemail
system (more on these later) then you can cut short how many times you
have to call back by scanning up in 10s. Say the main office line is 10;
then you can start at 20 and just keep going up until you find what you
were looking for. Otherwise, trying them all will at the very least, as
would an exchange scan, give you a decent idea of what kind of PBX you are
dealing with. Say you hear a lot of Audix mailbox recordings; then you are
dealing with an Avaya PBX (which is a very popular VoIP PBX). At the
very least listen out for anything that could help you identify what
exactly you're up against, and use Google to do a little bit of homework
on it. User guides, installation manuals, and any of the vendor sites can give
you a plethora of information that you can use later on (default
passwords, etc.).

So let's say for starters that you're scanning an analog PBX and happen to
come across a DISA line. Well, from here you would try guessing the
passcode and seeing if you get lucky. Try combinations like 9999#, 1234#,
etc. and if you catch a dial tone then consider yourself lucky and use it
however you like (dial out, fuck around with it a little, whatever). Of
course a more likely scenario when scanning is that you don't find a DISA
line, but instead cop enough recordings to figure out what kind of VoIP
PBX you're dealing with and get all the information you need on it (Avaya,
Shoretel, etc.). Well, then you'd pack up your laptop with a softphone like
X-Lite downloaded (in case you want to dial out), get over around the
business you're targeting (during business hours), and see if there are
any wireless access points you can use. How to crack the key if it's
protected is beyond the scope of this tutorial so let's just say for shits
and giggles that there is an AP and it's unprotected. Well, a good start
from here would be to start scanning the network for SIP servers. The port
for these is 5060 on either UDP or TCP, so in nmap you would scan for
these with the following:
nmap -sU -p 5060 192.168.1.1-254
Another more thorough option for Windows users is to download SiVuS and
scan the network that way. SiVuS has an entire suite of tools that you can
use in order to enumerate any information you can, and attempt some common
hacks against the server (REGISTER attempts, all that good stuff). Link
provided below:
www.vopsecurity.org
Also, while I'm giving program suggestions, I would recommend checking
out sipvicious, which is a series of Python scripts that can be used for
scanning, enumerating, and cracking SIP proxies and servers on the
network.
http://sipvicious.org/blog/
So let's say of the three you decide to use SiVuS to scan for any weak
points in the network. You will first want to see if you can find any SIP
servers. First go to SIP Component Discovery and in the "Target network"
field enter something like 192.168.1.1-254 (whatever the network range is)
and then click Scan. Let this play through and see if you find any SIP
servers. If you do, now you can scan the SIP server for any common attacks.
Just go to the SIP Scanner tab, and click on Scanner Configuration. Enter
the SIP server you found before and check "Probe Targets". From here you
can also configure other aspects like what sort of authentication to use
(most SIP servers use MD5, but cleartext still isn't completely out of the
question), what sort of method checks to use, security checks, log file to
save, and other aspects of the scan. Then just click over to the Scanner
Control Panel tab and initiate the scan. Now what you can do from here
depends on what you come across while scanning the network, and what your
SIP server scan pulled. A great place to start if the scan didn't pull
anything useful in your case is to try and grab some usernames on the
server. To try this you have two options. You can either manually test
usernames with SiVuS, or use Cain & Abel to try and sniff usernames
over the network. To manually test possible usernames in SiVuS go to
Utilities/Message Generator and fill out the appropriate information. For
example, set Method to REGISTER, Called User to the user you are attempting
to get a response from, Domain Host to the IP or hostname of the SIP
server you discovered, change the To to usertotesthere
<sip:usertotesthere@sipserverhere.com> and From to whatever, and change
Subject and User Agent to make it less obvious on the network what exactly
you are doing. Then click Start and see what sort of response you get from
the server. A 401 response means you have a valid username, and 403 means
that it's an invalid username. A good scheme to use if you are somewhat
familiar with the business/department you are dealing with is to try the
names of employees who work there: for example the first name, first
initial and last name, first name and last initial, etc. This is a popular
scheme for a lot of places so it's definitely worth a try. Even if you
aren't familiar with the place you can try to take a casual visit into the
business/department and keep a mental note of any of the employee names
for future reference. Of course, depending on the network it can many times
be a pretty hefty task trying to test every possible username that way so
let's get into sniffing over the network for possible usernames. For this,
like I said earlier, we will be using Cain & Abel, which can be downloaded
here:
www.oxid.it/cain.html
Now what we first have to do is establish an ARP poison route on the
network. To do so open up Cain & Abel and go to Configure. From here
select your network card and click OK. From here click the + sign, and
this will bring up the MAC Address Scanner. "All hosts in my subnet"
should be active so just press OK. Now click the + sign again and you
should see a list of hosts on the network on the left side. Click on the
IP of the SIP server and select all the IPs on the right side, then just
click OK. Now you can sniff all the usernames that pass over the server by
looking through the To, From, and Contact fields on everything that passes
through. Now from here one way or another you should have a decent list of
usernames to use, so now it's time to crack any of these users to get the
password. From here you have two routes to go with, passive and active
cracking. We'll first start off with active cracking. Open up SiVuS again
and go to Utilities/Authentication Analysis. Here you will see Realtime
Analysis on the left side of the window. Enter one of the users you found
in the Called User field, and the IP of the SIP server in Domain/Host.
Then enter the usernames and passwords files and press Start. A good
thing to go ahead and note is that a common password scheme is for the
pass to be the same as the username, or the telephone/extension number of
the user. So incorporating these into your password list would be a good
idea. Of course the problem with active cracking is that most SIP servers
will lock you out after 3 or so failed attempts, thus bringing us to our
second option: passive cracking. For this let's assume that you still have
Cain & Abel open from enumerating the usernames. From the Sniffer tab
click on the Passwords tab, and scroll down till you see SIP. From here
you should see some captured hashes, which you can then right click on and
select either dictionary or brute force. If you choose dictionary crack
just load the dictionary file the same way you would with an active crack,
and then on the right side you will see some options you can choose to use
with your dictionary file (reverse, double, numbered, etc.). Brute force is
pretty straightforward, but not recommended.

You can also, if you like, while messing around with Cain & Abel use it to
capture and listen in on conversations going over the LAN. To do this just
establish an ARP poison route as you did before when sniffing out
usernames, but instead of clicking on the SIP server just highlight all
the hosts on the network, and any host connected to them. Then when you
have the sniffer going after this just go to the VoIP tab from the Sniffer
tab, and let that run for a while. That is basically it; from here Cain &
Abel will start capturing, encoding, and recording any conversations going
across the LAN. There are endless other vulnerabilities you can use
related to the hard phones used, the software used (IAX vulns abound),
etc. However, for the sake of sanity I'm going to cut this section here and
leave it to you to look into anything else you may want to try against the
PBX.
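The username enumeration (401 versus 403 answers to REGISTER) and the active password guessing described in this section both leave a distinctive trail on the SIP server itself. The following is an added example, not the guide's code and not part of SiVuS, sipvicious or Asterisk, that parses constructed Asterisk-style registration-failure log lines and flags both patterns per source address; the log shape, the five-minute window and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in the shape of Asterisk chan_sip registration-failure
# NOTICEs (not taken from any real system). A guessed, non-existent user yields
# "No matching peer found"; a real user with a bad password yields "Wrong password".
SAMPLE_LOG = """\
[2010-03-01 02:00:01] NOTICE[1234] chan_sip.c: Registration from '"jsmith" <sip:jsmith@192.168.1.10>' failed for '192.168.1.50:5060' - No matching peer found
[2010-03-01 02:00:02] NOTICE[1234] chan_sip.c: Registration from '"john.smith" <sip:john.smith@192.168.1.10>' failed for '192.168.1.50:5060' - No matching peer found
[2010-03-01 02:00:03] NOTICE[1234] chan_sip.c: Registration from '"johns" <sip:johns@192.168.1.10>' failed for '192.168.1.50:5060' - No matching peer found
[2010-03-01 02:00:04] NOTICE[1234] chan_sip.c: Registration from '"smithj" <sip:smithj@192.168.1.10>' failed for '192.168.1.50:5060' - No matching peer found
[2010-03-01 02:00:05] NOTICE[1234] chan_sip.c: Registration from '"1042" <sip:1042@192.168.1.10>' failed for '192.168.1.50:5060' - Wrong password
[2010-03-01 02:00:06] NOTICE[1234] chan_sip.c: Registration from '"1042" <sip:1042@192.168.1.10>' failed for '192.168.1.50:5060' - Wrong password
[2010-03-01 02:00:07] NOTICE[1234] chan_sip.c: Registration from '"1042" <sip:1042@192.168.1.10>' failed for '192.168.1.50:5060' - Wrong password
[2010-03-01 02:00:08] NOTICE[1234] chan_sip.c: Registration from '"1042" <sip:1042@192.168.1.10>' failed for '192.168.1.50:5060' - Wrong password
[2010-03-01 09:15:00] NOTICE[1234] chan_sip.c: Registration from '"1007" <sip:1007@192.168.1.10>' failed for '192.168.1.77:5060' - Wrong password
"""

# Regex tuned to the constructed line shape above: timestamp, quoted display
# name (the username tried), source address:port, and the failure reason.
LINE_RE = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'\"(?P<user>[^\"]*)\" <sip:[^>]*>' failed for '(?P<src>[\d.]+):\d+' - (?P<reason>.+)$"
)


def parse_failures(text):
    """Return a list of (timestamp, source_ip, username, reason) per failed REGISTER."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("src"), m.group("user"), m.group("reason")))
    return events


def detect_sip_abuse(events, window=timedelta(minutes=5),
                     enum_threshold=3, guess_threshold=3):
    """Flag two patterns per source address inside a sliding time window:
    - username enumeration: many distinct unknown users, i.e. the server told the
      caller "no such user" (the 401/403 difference the guide describes);
    - password guessing: repeated wrong passwords against one existing user, which
      is what a lockout after a few failed attempts is meant to stop.
    Returns a sorted list of (kind, source_ip, username_or_None, count)."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    worst = {}  # (kind, src, user) -> highest count seen in any window
    for src, evs in by_src.items():
        for i, (start, _, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            unknown = {e[2] for e in in_win if e[3] == "No matching peer found"}
            if len(unknown) >= enum_threshold:
                key = ("username-enumeration", src, None)
                worst[key] = max(worst.get(key, 0), len(unknown))
            per_user = defaultdict(int)
            for e in in_win:
                if e[3] == "Wrong password":
                    per_user[e[2]] += 1
            for user, n in per_user.items():
                if n >= guess_threshold:
                    key = ("password-guessing", src, user)
                    worst[key] = max(worst.get(key, 0), n)
    findings = [(k[0], k[1], k[2], n) for k, n in worst.items()]
    return sorted(findings, key=lambda f: (f[0], f[1], f[2] or ""))


if __name__ == "__main__":
    for kind, src, user, count in detect_sip_abuse(parse_failures(SAMPLE_LOG)):
        print(kind, src, user or "-", count)
```

On Asterisk, `alwaysauthreject=yes` in sip.conf makes unknown and known users fail identically, which removes the 401/403 distinction the text relies on; the "No matching peer found" reason still lands in the log, so the detection above keeps working.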
Section 4: Hacking Voicemail Systems
-------------------------------------
Well, now that we're finished discussing PBXs let's move on to VMBs. In the
original release of Phones & Tones I basically slacked through it by
linking up some tutorials from oldskoolphreak. Unfortunately most of the
VMB hack tutorials floating around nowadays are pretty dated so I couldn't
really slack through this section even if I wanted to. The methods are
pretty much the same as ever, except that some voicemail systems popular
these days (Audix for example) have no system account accessible through a
TUI. This means for these you have to be on the LAN itself to access any
administrative functions.

Let's start with Audix. This is by far one of the most popular voicemail
systems, and is used on Avaya PBXs. As mentioned before, the
administrative functions themselves are handled on a server within the
LAN, which is unavailable outside the LAN. However, you can remotely try to
break into individual mailboxes. Just dial in, and as the announcement is
playing hit # to access the login. While default passwords are determined
by the administrator there are some common schemes you can try. Passes can
be any length between 1-15, but most will be between 4-15. Some common
passes to try are 111111, 123456, the phone number of the
mailbox (or the last 5 digits), etc. Just hit # again after entering the
pass attempt, and if you are successful you can hit 4 to review stored
messages or hit 3 to record a new greeting.

Now let's move on to Merlin Mail. Unlike Audix, Merlin does have a system
administrative box for you to use. In order to access this from the main
line hit 9997#. From here you will be prompted to enter a pass. The
default pass from here depends on the version being used. For versions 1
and 2 the default pass is 1234#, and for version 3 it's 123456#. The good
thing about these is even if the default passes don't work you can reset
the system to default (if you're feeling that malicious). Just hit 2537
(CLER), and you should hear a "goodbye", which will then disconnect you.
Just call back to the system and then punch in the default pass to access
the system admin box. Now from here you can hit 9 to access the
administrative functions. In versions 1 and 2 it goes straight to these
options upon selecting, while with version 3 it will prompt you for a
second login (the default pass is 654321#). From there just sift through
the options and take your pick.

Another popular voicemail system is PartnerMail VS. This one is actually
very insecure in my opinion and I have no clue why it's so popular on
business PBXs. The problem for one is that the pass limit is 4 digits.
That's it, 4 digits and under is all anyone has to work with. The system
admin box is 99, and the default pass for these is 1234. Unlike other
systems (Audix and CallPilot for example) the system doesn't force anyone
to change the default pass so there is definitely a stronger chance that
even the system admin account might still be set at default. Though even
if not you can still try other combinations (4321, 1111, 2580, etc.). From
here you can create a mailbox for yourself on the system by hitting 4. The
system will read back what mailbox numbers are available, and prompt you
to enter one in. Just enter one that isn't used (preferably on the
higher end of the range) and hit # to confirm your choice. Of course even
if you can't access the admin box to create your own mailbox you can try
to break into any of the other mailboxes on the system. They all have the
same default pass, and if that doesn't work you can try the combinations
mentioned before or the extension/mailbox number of the user.

Now that we're done with that let's move on to Cisco Unity VMBs. These are
popular on a lot of college campuses (as are Cisco SIP hardphones, and
basically anything Cisco). For these, as soon as you reach the main line
you would hit *, and enter the ID of the mailbox. This would be the phone
number of the user, and the pass that follows by default would be the same
as the ID. If this doesn't work you can try the same combinations as
always (1234567, 7654321, 1111111, 1235789, etc.). If you manage to guess
the right pass, from here you can hit 1 to listen to any messages, 3 1 to
listen to any saved messages, and 4 1 to change the VMB greeting.

So now that we've gone over campus VMBs let's move on to hotels. A popular
system that many hotels use is DuVoice. Now the beautiful thing about
playing around with a system like this is how integrated it is with the
hotel operations, as you'll find out. First let's go over the voicemail
system itself. Now from here there are two accounts that are going to be
of interest to you. 0 is the operator mailbox, and 991 is the greeting
box. This greeting box is used for recording greetings on the system for
the following day. The default pass for these is * 1234. Even if the
default has been changed the pass should still be in the 4 digit range so
treat it as you would a PartnerMail VS system. However, this isn't even the
half of this story. DuVoice also has DuVoice Hospitality. This is the
system used to give out temporary mailboxes for their guests to use, which
is integrated into an administrative TUI. To access this from the main
line hit **97. Now there are a few levels of access you can use, rated
from basic to expert. For our interests it's best to go with expert. The
default pass for this is 7890#. From here you have 3 options: automatic
wakeup call, re-record hospitality prompts, and guest room administration.
In case you want to be a dick and set someone up for an impromptu wakeup
call, select 1, enter the mailbox number, enter the hour (00-23, military
time), enter the minute (00-59), then it'll ask you if the hour is between
1-12. So then after that prompt you'll select 1 for AM, or 2 for PM. Then
press 1 to accept, and then set the day for the wakeup call: 1 for today,
2 for tomorrow, and press 3 to set the date. If you decide to spare the
guests you can also go in and re-record the prompts by selecting 2 from
the main TUI menu. From here you can press 1 to re-record the wakeup
message, 2 for the wakeup announcement, 3 for the manager's welcome
message, 4 for the text message notification, and 5 for the default
greeting. From any of these it should play the current message. You can
from here hit 1 to accept, 2 to re-record (press # when done), 3 to
delete, and 4 to restore the original. Finally, for guest room administration
press 3 from the main TUI. From here you have three options: 1 to check
in, 2 to check out, and 3 to move. From any of these it will prompt you to
enter the mailbox number followed by the # sign.

There are definitely other voicemail systems that I could cover, but I'm
going to cut it short here. There is Mitel, whose mailboxes have a
default password of 1234 (and a LAN HTTP server for configuration,
http://192.168.215.1:8180 by default). CallPilot mailboxes you would treat
like Audix; both are fairly secure compared to some other voicemail
systems. By far the most secure I think is IP Office. By default it
doesn't have any means of remote administration, and the configurations
can only be accessed via the user's extension (not exactly impossible, but
a lot of effort for just one VMB). With everything else you stumble across
just do your homework, google what you can, and see what you can find on
it.
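Every guessing scheme this section lists (vendor defaults, repeated or sequential digits, the mailbox's own extension or phone number, a four-digit ceiling) is something a voicemail administrator can check for from a mailbox export before anyone dials in. The following is an added example, not the guide's code and not any vendor's tooling, that audits constructed sample mailboxes against those schemes; the minimum length and the sample data are assumptions.

```python
# Assumed policy minimum; PartnerMail VS, as the text notes, caps PINs at 4 digits,
# so on that system this check can only ever report the cap, not fix it.
MIN_LEN = 6

# Defaults and commonly tried PINs named in this section of the guide.
COMMON_PINS = {
    "1234", "4321", "1111", "2580", "7890",
    "111111", "123456", "654321",
    "1234567", "7654321", "1111111", "1235789",
}


def is_sequential(pin):
    """True when every digit steps by exactly +1 or -1 from the last (123456, 7654321)."""
    if len(pin) < 2:
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def weak_pin_reasons(pin, extension, phone_number=""):
    """Return the list of policy failures for one mailbox PIN (empty = acceptable)."""
    reasons = []
    if not pin.isdigit():
        reasons.append("contains non-digit characters")
    if len(pin) < MIN_LEN:
        reasons.append("shorter than %d digits" % MIN_LEN)
    if pin in COMMON_PINS:
        reasons.append("vendor default or commonly tried PIN")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    if is_sequential(pin):
        reasons.append("sequential digits")
    if pin == extension:
        reasons.append("equals the mailbox/extension number")
    # Covers both the full phone number and its trailing digits (e.g. last 5).
    if phone_number and phone_number.endswith(pin):
        reasons.append("is the mailbox phone number or its trailing digits")
    return reasons


def audit_mailboxes(mailboxes):
    """mailboxes: {extension: {"pin": ..., "phone": ...}} -> {extension: reasons}, weak ones only."""
    report = {}
    for ext, info in mailboxes.items():
        reasons = weak_pin_reasons(info["pin"], ext, info.get("phone", ""))
        if reasons:
            report[ext] = reasons
    return report


# Constructed sample mailbox export (no real system data).
SAMPLE_MAILBOXES = {
    "1042": {"pin": "1042", "phone": "5551231042"},     # PIN is the extension and the number's tail
    "1007": {"pin": "739482", "phone": "5551231007"},   # acceptable under this policy
    "2200": {"pin": "123456", "phone": "5551232200"},   # vendor default and sequential
    "3015": {"pin": "1111111", "phone": "5551233015"},  # repeated digit
}

if __name__ == "__main__":
    for ext, reasons in sorted(audit_mailboxes(SAMPLE_MAILBOXES).items()):
        print(ext, "->", "; ".join(reasons))
```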
Section 5: ANI Spoofing
------------------------
Well, as before, let's move on to ANI spoofing. ANI, as you should know, is the
way in which you as the calling party are identified over the PSTN. This is
of course completely separate from the CPN (caller ID), which is on an
entirely separate channel. When ANI spoofing was first being popularized
by Lucky225 it was as simple as picking the right operator (one that
didn't forward ANI), and having them forward the call to its destination.
Nowadays of course any op is going to be able to forward ANI; however,
there are still plenty of toll free termination providers you can use.
Before getting into that, though, I'll first, as before, go over the list of
ANI II assignments. These are the two digits preceding the ANI that help
identify the type of call that is being placed. Linked below is a list of
the assignments used:
http://www.nanpa.com/number_resource_info/ani_ii_assignments.html

I'm going to first start off with Google Voice. Google Voice of course has
a lot of options, and if you can cop an invite I would suggest getting an
account yourself. One of these features is an outgoing call feature. Now
while this normally will pass your CPN you can use *67 before you call up
your GV number in order to pull an ANI spoof. You can use this to dial any
toll free number, or call 800-CALL-ATT or something in order to op divert
to another number. Of course I'm not sure how long this will last (credits
to JmanA9 for bringing this up on binrev) so try not to do anything too
stupid with this. If however you don't have a GV account or this trick no
longer works by the time you read this you can try some toll free
termination numbers to try the same thing. Check the list below for
details:
http://www.voip-info.org/wiki/view/Toll+Free+Termination+Providers
- Section 6: CPN Spoofing
- ------------------------
- So lets move on from ANI to CPN spoofing. This is of course a bit more
- useless than ANI spoofing, and is really just something to play around
- with for shits and giggles. It won't really keep your call anonymous
- (since your ANI is still carried over). The first tip I really have is
- using SOB Caller ID Generator, which can be downloaded below..
- http://www.artofhacking.com/orange.htm
- Now it does have instructions on the download page and in the help file,
- but the use of this program is pretty straight forward. You can click
- Format to select the standard you will use. Unless you are hooking this up
- to the phone line in order to directly spoof the CPN on your own CPE (in
- which case you would use Standard) then the Call Waiting format is fine.
- So just punch in the name and number you wish to display, plug a pair of
- headphones into the speaker port on your computer, call the landline you
- want, and anytime after the person has picked up (yup, nothing to listen
- to your CAS tones before the other party picks up) put the headphones
- against the mouthpiece and go ahead and press the Play button to send over
- the spoofed CPN info. Of course all of this and anything that relies on
- tones will be completely outdated whenever the FCC successfully converts
- the entire PSTN over to voip, but for now this works just fine in the US
- (the tones can vary greatly in other countries). There are however plenty
- of other ways to spoof your caller ID which are far more effective. The
- best way to spoof caller ID is to use asterisk, which can be downloaded
- below..
- www.asterisk.org/downloads
- Asterisk is an open source voip PBX that you should really get familiar
- with. I'll include some links around the end of this guide so you can
- install and configure your asterisk setup. For now though let's talk about
- how to use asterisk to spoof your CPN. Let's say you have asterisk
- installed and have set up an account with a provider. From here you will
- need to create the call file. This is what you will use to specify who you
- are calling and the spoof number you are providing. Let's say for this
- example that your number is NPA-NXX-1337, you want to call
- NPA-NXX-5148, and you want to spoof the number as NPA-NXX-6798. Just
- create /tmp/spoof.call and insert the following:
- Channel: IAX2/username:password@provideraddress.com/1NPANXX1337
- Callerid: NPANXX6798
- MaxRetries: 5
- RetryTime: 60
- WaitTime: 30
- Context: spoofing
- Extension: NPANXX5148
- Priority: 1
- Then log in as root, start up asterisk, and run the following command:
- cp /tmp/spoof.call /var/spool/asterisk/outgoing
- Asterisk will automatically detect the call file and call your number;
- then, when you answer, it dials the number you want to call using the
- spoofed caller ID you provided. I have to warn you of course that caller
- ID spoofing is against the TOS for most voip providers, so don't try this
- trick with providers that you want to keep around. If Linux just
- isn't your bag and you have the cash to burn then I have to at least
- mention all the caller ID spoofing providers out there. The two main ones
- these days are phonegangster.com and of course spoofcard.com. Personally,
- if you have to go this route I would suggest using spoofcard.com. It has
- an option to change your voice, though I haven't really used it before so
- I can't tell you how well it works. There's also SpoofApp
- (www.spoofapp.com), which if you have an iPhone handy allows you to
- forward any outgoing calls through the spoofcard service. The choice is
- yours, but I would really suggest just using the asterisk technique,
- assuming you don't need much mobility in your spoofing.
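- The PBX operator's counterpart to the call file above, as an added example
- that is not from this guide or from the Asterisk project: it parses a call
- file in that Key: Value layout and flags a Callerid that is not one of the
- numbers the PBX actually owns, which is the check a provider or PBX admin
- would run on the outgoing spool. All numbers and the owned-DID set are
- constructed for illustration.

```python
"""Audit an Asterisk call file for a caller ID the PBX is not entitled to present.

Added example, not from the guide or the Asterisk project. The Key: Value layout
is the real call file format; the numbers below are constructed.
"""
import re
from typing import Dict, List

# Constructed: the DIDs this PBX owns and may legitimately present as CPN.
ALLOWED_CPN = {"5550101337", "5550101338"}

# Constructed sample call file in the layout shown in the guide.
SAMPLE_CALL_FILE = """\
Channel: IAX2/user:secret@provider.example/15550101337
Callerid: "Front Desk" <5550101337>
MaxRetries: 5
Context: outbound
Extension: 5550105148
Priority: 1
"""


def parse_call_file(text: str) -> Dict[str, str]:
    """Parse Key: Value lines into a dict with lower-cased keys; skip blanks/comments."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def cpn_digits(callerid: str) -> str:
    """Return only the digits of a Callerid such as '"Name" <5551234567>' or '5551234567'."""
    match = re.search(r"<([^>]*)>", callerid)
    number = match.group(1) if match else callerid
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]  # drop the North American trunk prefix
    return digits


def audit_call_file(text: str, allowed=ALLOWED_CPN) -> List[str]:
    """Return findings; an empty list means the file presents an owned number."""
    fields = parse_call_file(text)
    callerid = fields.get("callerid")
    if callerid is None:
        return ["no Callerid set; provider default will be used"]
    digits = cpn_digits(callerid)
    return [] if digits in allowed else [f"Callerid {digits!r} is not an owned DID"]
```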
- Section 7: Suggested Links
- ---------------------------
- Well I was planning on continuing this guide with a section on asterisk,
- but in retrospect there was just too much information out there to really
- add anything useful. So instead I will just include links on how to
- install and configure asterisk. You should consider trying it out. Setting
- up your own voicemail system, conference bridge, diverter, etc. are just
- a few of the things you can do with asterisk, so it's definitely a strong
- suggestion. I provided a link to download asterisk, but if you need help
- installing and setting up asterisk try the link below:
- www.asteriskguru.com
- This site includes installation guides and everything else you could need
- to help set up asterisk on your own LAN. Now that I'm done with that I
- should suggest some links for basic information on telephony. As you might
- have noticed I didn't spare the acronyms in this guide, and didn't even
- bother explaining half the terminology I used. So if you found yourself
- confused reading this guide then I'd suggest the two following links:
- www.tech-faq.com/telephone-wiring.shtml
- http://pt.com/page/tutorials/ss7-tutorial
- The first link will guide you through the inner workings of most of the
- protocols and terminology I went over briefly over the course of this
- guide, and the second link is a basic tutorial on CCSS7, which is the
- current signaling protocol the PSTN uses (until the FCC decides to convert
- it all). Read through both to get a handle on how the phone system
- operates, and if you're interested in truly exploring this system I'd
- suggest studying both in depth. Also, as promised, here is a brief text on
- DATU lines in case they're present in your LEC:
- http://www.nettwerked.net/datu.txt
- Now finally, here are my brief suggestions on sites to follow:
- www.informationleak.net - As always this is my first suggestion. I'm not
- nearly as active on IL as I used to be, but Halla has been doing a great
- job of keeping the site alive and there is always an active community here
- that keeps all the information (including the phreaking bit) up-to-date.
- So keep track.
- www.oldskoolphreak.com - This site isn't nearly as active as it used to
- be, but there are still some decent guides on this site and it's updated
- every now and then. Still a somewhat decent reference for some
- information.
- www.binrev.com - Besides IL I'd absolutely suggest this forum for
- up-to-date phreaking information. The community has a lot of sections, but
- the phreaking section is very active and is definitely worth a check.
- Section 8: The Conclusion
- --------------------------
- Well this is by far the longest I've slacked on any tutorial I had in
- mind. I had been thinking about writing this update since at least 2008,
- but for one reason or another always delayed it. Some decent reasons, but
- mostly just laziness. As before I hope that I've grabbed your interest in
- phreaking, but I'd like you to keep in mind that there is much (and MUCH
- and MUCH) more to phreaking than breaking the law. All the sections I
- wrote on breaking into random systems were more or less just teasers, but
- I hope that out of this, and out of playing around with all of it, you've
- gained some sort of appreciation for telephony and will continue from
- here. If this guide grabbed your interest, by all means learn what you
- can. If this is really your first introduction to telephony there is a lot
- to be learned and I hope you find it as fascinating as I do. I'm willing
- to help where I can, but I can't help everyone. I've included some contact
- information below if you need more help. I can't promise you any immediate
- help, but I'll help who I have time for.
- Murder Mouse
- fuck copyright, 2010
- pla229 [skat] gmail [rot] com
- Yahoo! ID: murder_mouse
- (Update: Op diverting through Google Voice no longer works. It was fun
- while it lasted, but you can still ANI spoof through voip termination
- numbers.)