k-21-(10)-01

¡ K-1ine Zine !
issue 21, volume 10
Destruction Or World Domination?
November 2001

'Come With Us'

"As part of the conversion, computer specialists rewrote 1,500 programs; a process that traditionally requires some debugging."
-- USA Today, referring to the IRS switchover
_____________________________________________________________________________

» .- Words from the Editor -. «

*: [-] Introduction .......................................... The Clone     :*
*: (-) Contact Information ................................... The Clone     :*
*: (-) Advertisement ......................................... HackerSalvage :*
*: (-) Link of the Month ..................................... The Clone     :*
*: (-) K-1ine Mirrors ........................................ The Clone     :*
*: (+) News: Chemical Brothers | 'Come With Us' .............. The Clone     :*
_____________________________________________________________________________

» .- Documents -. «

*: (x) 'The TRS(Telus Relay Service) Loophole' ............... Phlux         :*
*: (x) 'The Invisible Box' ................................... Lucky225      :*
*: (x) 'Nortel Screen Phones Explored/ADSI Carrier Scan' ..... p1asm1c       :*
*: (x) 'An Introduction to Telus' Terminating Test Lines' .... The Clone     :*
*: (x) 'A Mobile Phone ANI-Diversion Technique' .............. The Clone     :*
_____________________________________________________________________________

» .- Conclusion -. «

*: [-] Credits ............................................... The Clone     :*
*: [-] Shouts ................................................ The Clone     :*
_____________________________________________________________________________

Introduction -

Welcome to the newest issue of K-1ine... issue #21. We have a bunch of great article compilations for your liking. Take the time to read through them, and don't forget to submit something - you might just be in the next issue. I hope you enjoy this issue... see you next month!

-->

Contact Information;
=-=-=-=-=-=-==-=-=-=
Comments/Questions/Submissions: theclone@hackcanada.com
On IRC: irc.2600.net - #hackcanada, #cpu (key)
Check out my site: (Nettwerked) http://www.nettwerked.net

-->

--

-- Advertisement --

+++ WWW.HACKERSALVAGE.COM +++

HackerSalvage.com is a non-profit website dedicated to keeping old hardware in circulation. Many of us have piles of it sitting around but can't just toss it out. Here you can post computer items for sale or post a want ad for items you are looking for. A perfect place to get rid of perfectly good junk.... and get some new stuff to rebuild the pile.

+++ +++

--

--=[ LINK OF THE MONTH ]=--

Every month I post one really great "link of the month" on every issue of K-1ine magazine. The link can be anything in the technology industry, music scene, rave scene, punk scene, or even a good article you read on a news site. I'll be taking submissions via e-mail or IRC right away; so get your links in and maybe you'll see it in the next issue of K-1ine!

For the month of November, the link of the month is:

http://www.peopleiworkwith.com

Pure Craziness...

[submitted by: The Clone]

--

K-1ine Mirrors:

http://the.wiretapped.net/security/info/textfiles/k1ine/

"Wiretapped.net is an Australian site offering an archive of open source software, informational and advisory textfiles and radio/conference broadcasts covering the areas of network security, network operations, host integrity, cryptography and privacy. We aim to become the largest archive of this nature in the Asia/Pacific region through steady growth of our archives and regular updates to them (most updated nightly). We are proudly telehoused on a 10Mbit/sec connection by Connect.com.au using OneGuard hardware donated by eSec Limited. The archive, along with its sister site on the same machine, The AusMac Archive, generates between 10 and 60 gigabytes of outbound traffic daily. Wiretapped.net is hosted in Sydney, Australia."

--

News: Chemical Brothers | 'Come With Us'

To celebrate the Chemical Brothers' new album, I thought I'd title this issue of K-1ine with the same name as their newest album. Can't wait to check this album out since I've been a huge Chems fan since they were (temporarily) Dust Brothers in late 1994. Support these great artists by buying their newest album.

The Chemical Brothers have announced details of their fourth studio album, the follow up to the hugely successful SURRENDER. Come With Us will be released on January 29, 2002. The tracklisting is as follows:

* Come With Us
* It Began In Afrika
* Galaxy Bounce
* Star Guitar
* Hoops
* My Elastic Eye
* The State We’re In
* Denmark
* Pioneer Skies
* The Test

The album features two guest vocalists; Beth Orton on 'The State We’re In' and Richard Ashcroft on 'The Test'. Check out www.astralwerks.com/chemical for more details on the forthcoming single, "Star Guitar," released on January 15.

-- Carnivore = TCPDUMP --

 _______________________________________
:                                       :
: The TRS(Telus Relay Service) Loophole :
:_______________________________________:

 _____________________
: 8/15/2001           :
: by phlux            :
: phlux@fucktelus.com :
 ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

=================================================================================================
$!@#$!@#$!@#$
$@ WARNING #@
&@#$*%@#&#@$&

NONE OF THIS TEXT FILE MAY BE REPRODUCED IN PART OR ENTIRETY OR ELSE AND STUFF UNLESS YOU DON'T TELL ME THAT YOU DID IN WHICH CASE I MIGHT NOT FIND OUT BUT IF I DO THE STREETS WILL RUN RED WITH YOUR BLOOD AND ANYONE WHO COOPERATED AND HELPED AND THEIR DOGS MAYBE EVEN YODA SO BE FUCKING CAREFUL WHO YOU GIVE THIS TO SO THAT THIS KIND OF TECHNOLOGY DOESN'T GET INTO THE WRONG HANDS
=================================================================================================
NOTE: This is not a really major finding, however I think it's kind of funny, and it is usable so I felt it was txt worthy. I don't recommend you actually use this loophole, but rather just retain the knowledge, as knowledge is power. (ROUND 1 FIGHT!)
=================================================================================================

Introduction:

I needed to call a good friend of mine.. having no calling cards and not being able to call direct, I thought of the possibilities. I have PBXs, out dials, social engineering, but I didn't feel a need to make an illegal call as it was a serious matter. Rooting around some old backup CDs I found this one text, TTY.TXT, a text documenting the Telus relay service (by me!). I think it was just information I ripped from Telus' site or something some time ago, as it was all very basic. However I re-taught myself the terms used in TTY, then I read on, and got to the part about HCOs and VCOs.

This loophole will allow you to make a phone call from Alberta to anywhere in Canada with 50% off the long distance charges. Also my phone book says gimps using TTY get free local calling (bring yer computer to the payphone). I am not sure if this is still true as the phone book is not the newest available... No biggie, but keep in mind it's legit! (but you tie up gimpers relay service, kind of like parking in a handicapped spot. Or maybe even that time you took a shit in the fat ass stall that has more square feet than your bedroom. This txt should be labeled as a DoS really)

=================================================================================================

The Loophole:

VCO stands for Voice Carry Over, while HCO means Hearing Carry Over. If you do not have basic knowledge on TTY, go read my TTY text. I will rip the important stuff;

In a TTY call, VCO enables you to speak directly to the person you are calling, for hearing impaired people who can speak clearly. When you connect to a CA, just say 'requesting VCO, GA' or equivalent to use this feature. VCO can only be turned on when the call is answered, to which she will announce 'VCO on GA' or something.

HCO, Hearing Carry Over (you can hear but can't talk, same as above but reverse.)

If you don't already know where this is going.....

TTY your ass to 711: - Here's an example transcript;

TRS CA: "Telus Relay Service this is Anne, may I help you q, GA"
You: "Yes please, im trying to call my friend Steven Thrasher at 403-265-2307 GA"
TRS CA: "One moment please GA"
You: "No problem, GA"

...CA rings Steven, confirms he knows how to use TTY, the call is connected...

TRS CA: "Hey Jon, whats up q GA"
You: "Sup stevie... oh yo yo yo I found my hearing aids CA can i request an HCO q GA"
TRS CA: "Heh you always lose them things... HCO on GA"
You: "GA on HCO"

HCO is now enabled. You still type your messages to the TRS CA to Stevie, but you save the op having to type what Steve says, so you request a VCO;

You: "CA: That dirty dog steve wants me to tell him this joke myself! requesting VCO"

When the CA does a VCO press your thumb onto your neck, putting pressure on your voice box, and emulate an electronic voice box (practise finding the right spot before requesting the VCO), and tell the operator that you can take things from here. That's all there is to it.

To do this you will need a TTY that supports HCO and VCO (can be expensive). However, I have fathomed the idea of building & coding a baudot emulator to be used with an acoustic coupler from the handset to the soundcard speaker/mic and a parallel port for toggling HCO and VCO to your headset. Firstly I would need a job, or an accomplice to help me rob Radio Shack.

props: pooly, Lucky225, theclone, Mark Hubber, PSYKO, and the Zig-Zag man.
plops: TRON(fag teeth)

--

The Invisible Box
By Lucky225
Email: Lucky225@verizonfears.com

Introduction:

The invisible box will make it so that when you pick up a phone on your phone line any of those in-use lights that tell if an extension phone is picked up won't light.

Theory:

The theory is based off the same principles as the infamous blackbox that used a 1.8k resistor to keep the phone line at 50v when you pick up, which actually still works, but because of SS7 the voice path is cut off from the party calling you, and the phone company doesn't allow a voice connection any more until your phone goes off hook and there's supervision. The invisible box works by using high resistance to keep the voltage at about 20 volts. This is accomplished by placing a resistor of about 470ohms in series with your phone. The phone is approximately 215ohms and draws 28mA of current, which means when your phone is off-hook there is approximately 6 volts on the phone line. When you place the resistor in series with the phone line there is a total resistance of 685ohms. Using Ohm's law, 685 ohms times 28mA gets you 19.2 Volts! So the resistor keeps the phone line at about 20 volts, and most in use lights only go off when there is about 15 volts or less on the phone line.

Construction:

You will need a phone cord and a 470ohm resistor (Yellow, Purple, Brown). You can get the resistor in a 5 pack at Radio Shack for $0.49. It wouldn't hurt to have some wire strippers, and possibly electrical tape or solder. Strip the phone cord in the middle, don't cut the modular jacks off. You'll see 4 or 2 wires, usually black, red, green, and yellow. Don't worry about the black and yellow wires, in fact cut them off, they'll get in the way. Leave the green wire alone, that's the positive wire, and since current flows from negative to positive and we're trying to oppose current so the voltage won't drop, we leave it alone! Finally, cut the red wire (that's the negative!) in half and strip both ends, you're going to insert the resistor here.

Diagram:

    (-) Red wire      470ohm
    -------------/\/\/\----------

    -----------------------------
    (+) Green wire

Conclusion:

That's it, pretty simple huh? You might be thinking that maybe there is no real use for this because all it does is make it so that an in-use light doesn't light when you pick up the phone. But think of the possibilities, you could go beigeboxing with this box and it might save you if the person you're beigeing off of has an in-use light and they always look at it to see if their kid is on the phone, but because of your trusty invisible box hooked up to the phone line that light never comes on and they never pick up to yell at what they would think is their kid. Personally, I use it when I'm talking on my phone line but want to use my main line to go on the internet, my mom is always checking that damn in-use light and yelling at me, "You're on the internet with my phone line! GET OFF NOW!" HA-HA! Now she'll never know! The sad thing is I bet this even bypasses those lame $200 phone tap detectors you always see on TV.

Okay time for greets: Yari my beloved!, Spoonm!, Pooly, BigB9000, Xhype, Gizmo, Morbid Angel, Lancomandr, phlux, cry0, syncron, Omega2, phreak2000.com! and anyone else I left out!

-------
UPDATE
-------

After recently purchasing the 43-443 in-use light from Radio Shack, I noticed that they detected current, not voltage, unlike the in-use light on my mom's phone that only detects voltage drop. However you can defeat these by placing a 220ohm resistor in parallel with the phone line and when you're using your phone there won't be enough current to light the light. I have made an improved "invisible box" that defeats both the voltage and current detector in-use lights. Below is the diagram:

    Red Ring(-)   470ohm
    ---------/\/\/\-------
                      >
                      <  220ohm
                      >
    -----------------------
    Tip(+) Green

If your in-use light still lights, try changing the resistor values as the resistance of your phone may vary.

--

----------------------------------------------------------------------------------
Nortel Screen Phones Explored/ADSI Carrier Scan
06/07/01 :: by p1asm1c
----------------------------------------------------------------------------------

Note: most of this information applies to the new Vista screenphones (Vista 390, Cybiolink 8000; see below for more info on these phones)

A few years ago, due to my impeccable bill paying and courteous mannerisms with Bell operators I was given the opportunity to receive a free Vista 350 phone, that's right, FREE! Ecstatic, I sent back the necessary paperwork to our friends at Bell, and in a few weeks my coveted Vista 350 had arrived. The couriers kept on coming at the wrong times, so I decided to go pick it up myself. My companion and I grabbed our bikes and ventured to Purolator headquarters, located in the urban-industrial lakeshore wasteland east of downtown Toronto. But sulfur fumes wouldn't stop us from obtaining the grail, I mean phone...

While we were on our way back home, we decided to check out the fabulous collection of dumpsters nearby the warehouses. I spotted an old rackmount server under a garbage bag. Unfortunately, it wasn't meant to be, as we had a load to carry already.
The mysterious box would have to wait for another day. We stopped by a local Pizza place and ordered some food, while I hastily ripped open the box. Inside the parts were many:

1. Manual for Vista 350 Phone
2. LCD Screen Module
3. Vista 350 Phone
4. Setup Guide
5. Feature 'HotSheet'
6. Standard RJ-14 Headset w/ Cord
7. 9 foot RJ-11 cord
8. Nortel AC Adapter
9. 2 Position desk stand

As I paged through the manual, it explained that the Vista phone is structured in 2 basic parts. Firstly, the main part of the phone, containing the dialer, speakerphone, and 4 buttons: Hold, Link, Goodbye (terminates an open line when using data services), and Options. Lastly a blood red indication light which has become standard on most Nortel phones. On the underside there were 3 jacks, 2 RJ-11, and 1 RJ-14 for the receiver. The second RJ11 jack can be used for your fax/data device. Alongside was a standard 16Vac 50-60Hz power adapter. Also a pass through for an optional printer for the data module.

    Receiver (+)
         ||
         ||
         \/
     ______{_______
    /@|LED| _____  \
    |+|...| |LCD | |   {
    |+|123| |SCR | |   {  = Removable Module
    |+|456| |____| |   {
    |@|789|  ...   |   ... = Interface Buttons
    \_______{__..._/
    Module 1 - Module 2

The data module has 17 buttons on its face. 4 are used as directional buttons, 6 for Interface, and 6 for service selection. On the underside there is a single RJ11 connector which can be used for an optional printer. And on the side is the male connector for the aforementioned 20pin AMP connector.

As I read through more of the documentation I was advised to call a phone number to initialize my Vista phone; this isn't required for normal operation but is necessary to use the online services. So when we arrived at the house I plugged in the phone and dialed up the number. A small load indicator flashes while the speaker gives off a discrete bleep while the phone is downloading information, and you're prompted to download the services the phone has to offer. Dialing this number again later on is also a good idea as new services are often added (read: the new automated directory services, email, etc...)

After removing the 6 star shaped screws on the main module, I lifted off the back side of the phone. Inside there were a few things that caught my eye. One, that Nortel have a very innovative form of directing LED light. A large arc of plastic directs the light from one small standard 2.5v LED and projects it into a 2 inch light as mentioned above. Similar engineering was used for the speakerphone LED indicator.

Looking onto the main circuit board, most of everything was on par compared to a standard Nortel phone, with the exception of the new data module chipsets and connectors. The connector seems to connect to a 20 pin AMP (SN: QMV6368T5) connector labeled P1 on the board, accompanied by what looks like a new chipset developed by Nortel. And finally a vanilla 5 volt speaker used for the speakerphone.

Pictures and Hi-Res shots of the boards will be available soon at: http://www.cpj.f2s.com

The way the phone works software-wise is the phone connects using the ADSI protocol to an NT box running the appropriate software. This connection is established at 1200bps, and the phone then downloads prefabricated scripts which reside on the server. The modification of these scripts could be done for many purposes, since the ADSI is being used more and more for interactive services over telephones (most notably a recent project involving a diabetic database entry client developed in Ontario). Generic sample scripts in C are available for download at http://www.cpj.f2s.com.

These scripts could have endless uses. Possibilities include a script that, when dialed, could tie up the phone line unless it is physically disconnected. This could come in handy if one came into contact with the box that almost every Vista phone calls ever so often (3-4 times a week) and downloads automatic updates.
Or you could create a script that would send all information from electronic banking carriers to your machine. This would not stand for long, but as the volume of users is large, a few minutes would prove useful, and would embarrass and scandalize a financial institution of your choice.

Recently, as I was activating one of these phones, it asked me to input my vitals...... lo and behold, when I pressed next, the name, address, and postal code of the person I was setting it up for was displayed on the screen for editing. It would not be surprising if the Vista phone went about keeping your name, address and postal code on the phone before it's shipped to you. Perhaps Bell were even ahead of the rest, because like Digital Convergence's recent manufacturing of the CueCat, it looks like the Vista uses the same tactics of consumer intrusion. This would explain the sudden generosity and enthusiastic ad campaign for 'free' Vista phones.

416 ADSI/ACMS Carrier Scan:

- Note: Numbers in this exchange which were not ADSI carriers are not listed. Most of these numbers were out of service with the exception of a fax machine at 416.421.1096. -

-----

416.406.4140 -Electronic Phonebook
416.421.1097 -Email
416.421.1696 -Stocks
416.462.5244 -Bell Direct
888.419.1717 -Financial Services Download

* Vista 390, an identical clone of the Vista 350 with the only difference being less ROM and a few cosmetic changes.

* Cybiolink 8000, a new screen phone introduced last Christmas which has a larger screen and more Flash memory.

In any case both of these modifications use the same method and hardware to communicate to ADSI/ACMS boxes, so most of the information in this document can be applied to these models.

--

'An Introduction to Telus' Terminating Test Lines'

< Written by: The Clone
< Date: Tuesday, November 6, 2001 (Updated: Thursday, November 8, 2001)

--

InDEX;

* Disclaimer
* Definition
* Introduction
* Default Prefixes
* Additional Terminating Test Lines
* Other Test Numbers
* Conclusion
* Credit
* Contact Information
* Shout-Outs

--

Disclaimer:

The content within this file is for informational and entertainment purposes only. Unauthorized access of the test systems spoken about in this file may get you in trouble with local and/or national law enforcement. By reading this, you agree not to try any of this.

Definition:

"Test numbers are dialups to testing equipment or test features set up by the phone company or private entities."

Introduction:

Back in early 1999 when the 403/780 area code split went on, Telus decided to set up a series of test numbers called "Alberta Terminating Test Lines" in the 403 and 780 area codes. Since the split affected millions of landline/cellular customers, Telus thought that permissive phone numbers would be the best way to keep the information flowing between employees.

Alberta Terminating Test Lines gave Telus techs the ability to call up a private number and leave detailed messages regarding any technical issues (problems) that may have arisen with 780 to 403 (and 403 to 780) long distance call routing.

To this day, Telus still uses Terminating Test Lines as a way for local and long-distance carriers to communicate. By dialing up the specific number, you will be greeted by an automated female voice; "You have reached an Alberta 780 Terminating Test Line", followed by an Octel system voice telling you that you either have messages waiting (which it then plays for you), or it'll tell you: "No messages are waiting. Please try again later. Thank you. Good-bye."

Default Prefixes:

These prefixes are in the 780 area code only. If you have a list of Alberta Terminating Test Line prefixes in the 403 area code, please pass them on and I'll add them to this particular listing. More prefixes are being added as more Terminating Test Line numbers are discovered.

Prefixes;

` 423-XXXX
` 425-XXXX
` 428-XXXX
` 429-XXXX
` 455-XXXX
` 459-XXXX

--

Additional Terminating Test Lines:

British Columbia; (604/778), Overlay: NPA 778 introduced for service on 11/03/01.

` 778-510-XXXX (Call-Net Communications, Southwestern B.C.)
` 778-610-XXXX (Telus, Southwestern B.C.)
` 778-810-XXXX (AT&T Canada, Southwestern B.C.)
`
Ontario: (905/289), Overlay: NPA 289 introduced for service on 06/09/01.

` 289-210-8378 (Bell Canada, Southern Ont.)
` 289-510-8378 (Call-Net, Southern Ont.)
` 289-810-8378 (AT&T Canada, Southern Ont.)

Other Test Numbers:

[Taken from "ALT.PHREAKING FAQ 1.41", http://members.tripod.com/~SeusslyOne]

1004 hz test tone - This is a vanilla 1004 hz tone. Nothing too useful here, without a loop analyser anyway.

ANAC - This test dial up will read off the number of the line you’re calling from. On rare occasions you will find ANACs with a DTMF response for use with remote test terminals.

DATUs - DATUs (Digital Audio Test Units) are a godsend to technicians and phone phreaks everywhere. DATUs allow a caller to monitor lines (don't get too excited), open and short pairs, and put trace tones on the pair. While it might not sound too exciting, it has more applications than most people think.

Loops - These numbers exist in linked pairs. Call one number and you’ll get a tone. Call the other number and you get dead silence. If both are called at the same time they make a connection. It used to be that you could then talk over this connection, but now there are filters that block speech placed on most loops.

Ringback - Calls back the originating number in an annoying fashion.
Dialing all the touch-tone digits in order (starting with 1 and ending in # going across the keypad rows) will generate 2 tones saying the keypad is ok.

Milliwatt test - These are 1004 hz tones sent out at 0 db. Milliwatt tests are used to check for line loss and other complex tests.

Sweep Tones - Tone sweeps are a test tone ranging from 304hz to 3204hz. A common use for sweep tones is to check for infinity-transmitter style taps. Dial up a sweep tone. If an audible clicking is heard during the sweep then a transmitter could be installed on your line. Telco maintenance uses sweep tones to check for the presence of loading coils, and other such nasties that eat high frequency tones in order to qualify a line for high speed services.

Quiet termination - This feature connects the caller to a port with fixed resistance, 600 ohms or 900 ohms being the most common. There should be nothing but dead silence on connection. Clicks, static or crosstalk will be clearly evident if a noisy line is used to dial this test.

-

Conclusion;

I hope this paper was of interest and of benefit to you. Test numbers are quite interesting little toys to play around with, while travelling through the land of the telephone system. One never knows what they can find until they start actually taking the time to hand-scan... (see: http://www.nettwerked.net/files.html | "Scanning (Manual)"). Peace out!

-

Credit:

Thanks to Phlux for the additional input. Support Phlux's HASH project (http://www.hackcanada.com/hash.txt).

-

Contact Information:

E-MAIL: theclone@hackcanada.com
IRC: irc.2600.net (#hackcanada, #cpu)
URL: www.nettwerked.net

-

Shout-Outs:

Hack Canada (#hackcanada / www.hackcanada.com), Canadian Phreakers Union (#cpu / www.nettwerked.net/cpu), CYB0RG/ASM, H410g3n, Phlux, Alan, Seuss, Lucky225.

.END.

--

. A Mobile Phone ANI-Diversion Technique .

Date: Monday, October 29, 2001
Author: The Clone

[ inDEX ]

. - Disclaimer
. - Introduction
. - Explanation
. - Conclusion
. - Credit
. - Contact Information

-_-

Disclaimer:

The content within this file is for informational and entertainment purposes only. Unauthorized access of the systems spoken about in this file using this ANI-spoofing technique may get you in trouble with local and/or national law enforcement. Don't do naughty things... thanks.

-

Introduction:

Several months ago while sitting at home having nothing better to do but mess around with various phone numbers on my cell phone, I discovered something rather interesting. By calling up specific toll-free ANAC systems in the United States belonging to AT&T and other carriers, the Automatic Number Identification (ANI) information that I was read was completely different than the information that actually belongs to me. This got me a bit curious as to why this might be occurring. The rest of this file will delve a little bit into the steps I took in order to conclude the theory of my misread ANI account data.

Explanation:

With my Pre-Paid FIDO GSM phone calling from the 780 area code in Edmonton, I called up several ANAC systems and on every one of these systems the ANI information read back was: 780-707-0000, which didn't appear to be my phone number. After calling that phone number back, I was surprised that FIDO's "this number is not in service" recording came on.

When calling from a Rogers AT&T Pay-As-You-Go TDMA cellphone, the ANI information read back was: 780-965-0000, which didn't appear to be my phone number either. After calling that phone number back, I got a similar message from ROGERS AT&T telling me the number I called was not in service.

When calling from a Telus / Clearnet CDMA cellphone, the ANI information read back was: 780-427-5700, which didn't appear to be my phone number either. After calling that number back, I got a message from Telus telling me the number I called wasn't in service.

The Potential?

By simply using a cell phone without any physical/mode modification whatsoever, one may spoof their ANI information from American Toll-free Carriers such as; AT&T, MCI WORLDCOM, TRACFONE, VERIZON, etc. With your actual phone number information not being registered with the end-carrier, you have the ability to bruteforce a large number of the blocked carriers without fear of being tracked - perfect diversion techniques. If one wanted to call in a bomb threat, they could get away with it. If someone wanted to prank call, harass, or otherwise piss someone off over the phone without fear of being tracked (through basic means), they could.

Want an ANAC # to test your cell phone on? http://groups.google.com/groups?q=ANAC+%23%27s

Conclusion:

Instead of your phone's MIN (MSISDN in GSM terms) passing through to the end-carrier, the information passing through is that of the mobile switches' aliased phone number - often called "pseudo ANI".

Please keep in mind that the MSSC (Mobile Services Switching Center, Home Location Register in GSM terms) do keep records of what customer's ESN/MIN called what phone number at any given time. Please be aware of the consequences, and DO USE other diversion techniques in addition to this if you wish to be 100% anonymous in all of your future phreaking escapades!

Credit:

Thanks to 'TRON' for the additional information.

Contact Information:

E-MAIL: theclone@hackcanada.com
URL: www.nettwerked.net

--

-- Credits

Without the following contributions this zine issue would be fairly delayed or not released, so thank you to the following people:

Lucky225, Phlux, p1asm1c, and The Clone (dats me!)

-- Shouts:

Hack Canada (#HackCanada), Canadian Phreakers Union (#cpu), The Grasshopper Unit, Flippersmack, Pyrofreak, soap, Kybo_ren, Flopik, Pinguino, and lastly to everyone and anyone who contributes to the Canadian H/P scene.

A N E T T W E R K E D P R O D U C T

STOP THAT! I SAID STOP-IT!
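
The Conclusion of 'A Mobile Phone ANI-Diversion Technique' above says the end-carrier sees only the mobile switch's pseudo ANI while the switch keeps records of which ESN/MIN called which number. As an added example (not part of the original zine), this Python code shows how an investigator could join a toll-free service's call log with the switch's records to get back to the subscriber. The record layouts, carrier labels, subscriber numbers, ESNs and the toll-free number are constructed assumptions; only the three pseudo-ANI values come from the article.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Pseudo-ANI values read back in the article, mapped to the carrier whose
# switch presented them. The short carrier labels are this example's own.
PSEUDO_ANI = {
    "7807070000": "FIDO",    # Pre-Paid FIDO GSM
    "7809650000": "ROGERS",  # Rogers AT&T Pay-As-You-Go TDMA
    "7804275700": "TELUS",   # Telus / Clearnet CDMA
}


def normalize(number: str) -> str:
    """Reduce a dialable number to its 10 digits (drops punctuation and a leading 1)."""
    digits = re.sub(r"\D", "", number)
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits


@dataclass(frozen=True)
class InboundCall:
    """What the toll-free side logs: time, ANI as delivered, number dialed."""
    when: datetime
    ani: str
    dialed: str


@dataclass(frozen=True)
class SwitchRecord:
    """What the mobile switch logs (hypothetical layout for this example)."""
    when: datetime
    carrier: str
    subscriber: str  # MIN / MSISDN of the handset
    esn: str
    dialed: str


def resolve(call, records, skew=timedelta(seconds=30)):
    """Return (status, subscribers) for one inbound call.

    direct     - ANI is not a known pseudo ANI, so it is taken at face value
    resolved   - exactly one subscriber on that carrier dialed this number
                 within the clock-skew window
    ambiguous  - several did; candidates are ordered closest-in-time first
    unresolved - no matching switch record was supplied
    """
    ani = normalize(call.ani)
    carrier = PSEUDO_ANI.get(ani)
    if carrier is None:
        return ("direct", [ani])
    dialed = normalize(call.dialed)
    hits = [
        r for r in records
        if r.carrier == carrier
        and normalize(r.dialed) == dialed
        and abs(r.when - call.when) <= skew
    ]
    hits.sort(key=lambda r: abs(r.when - call.when))
    # dict.fromkeys de-duplicates while keeping the closest-first order.
    subscribers = list(dict.fromkeys(normalize(r.subscriber) for r in hits))
    if not subscribers:
        return ("unresolved", [])
    return ("resolved" if len(subscribers) == 1 else "ambiguous", subscribers)


# Constructed sample data. 555-01xx numbers are fictional; ESNs are made up.
T0 = datetime(2001, 10, 29, 12, 0, 0)
SAMPLE_CALLS = [
    InboundCall(T0 + timedelta(seconds=5), "780-707-0000", "1-800-555-0100"),
    InboundCall(T0 + timedelta(minutes=10), "7809650000", "8005550100"),
    InboundCall(T0 + timedelta(hours=1), "7804275700", "8005550100"),
    InboundCall(T0 + timedelta(hours=2), "780-555-0144", "8005550100"),
]
SAMPLE_RECORDS = [
    SwitchRecord(T0, "FIDO", "7805550111", "ESN-A", "8005550100"),
    SwitchRecord(T0 + timedelta(minutes=30), "FIDO", "7805550199", "ESN-B", "8005550100"),
    SwitchRecord(T0 + timedelta(minutes=10, seconds=20), "ROGERS", "7805550133", "ESN-C", "8005550100"),
    SwitchRecord(T0 + timedelta(minutes=9, seconds=50), "ROGERS", "7805550122", "ESN-D", "8005550100"),
]

if __name__ == "__main__":
    for call in SAMPLE_CALLS:
        print(call.ani, "->", resolve(call, SAMPLE_RECORDS))
```

The "unresolved" case is the one a receiving service cannot close on its own: it has to ask the carrier that owns the pseudo ANI for the matching switch record.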