[ASCII-art banner, not reproducible in plain text: the "NPANXX" / "Team Phreak" logo and a can of Spam, captioned "Volume 003 - Issue 002", "09/10/2003", "Nobody expects the ... Hormel"]

staff
-----
bor (bor@teamphreak.net) - Webmaster/Admin - Tampa, Florida
parenomen (parenomen@teamphrak.net) - Editor - Macon, Georgia
phractal (phractal@teamphreak.net) - Writer - New Jersey

*************************************************************************
*********    NPANXX - Volume 3 - Issue 2    September 10, 2003    ********
*************************************************************************
*************************************************************************
** 1. The basics of CDMA......................................paranoia **
** 2. Verizon's Expanded Announcement System.................Captain B **
** 3. The basics of E911...........................................bor **
** 4. An interview with John Draper..........................parenomen **
** 5. Verizon Codes (August 2001 Release) Part I...................bor **
** 6. c5 Trunks Today.........................................phractal **
** 7. Sprintnet England Access Numbers........................phractal **
*************************************************************************
*************************************************************************
********                      Shout Outs                       **********
*************************************************************************
**                                                                     **
**  j0o          div'            axion                                 **
**  vap0r        fragnificent    netmad                                **
**  ozlo         LPH             telhack                               **
**  zylone       paranoia        Everyone else that we haven't         **
**  aphrax       darkfairytale   mentioned that hangs out in           **
**  almightyA    janus           #teamphreak on EFNet                  **
**                                                                     **
*************************************************************************

-------------------
Note about npanxx |
-------------------

Team Phreak contributes to the scene. We write our own articles and do not rely heavily on outside sources for our issues (unless otherwise noted). We may use other materials for news articles or for research purposes to verify that what we type is fact, but we guarantee that all articles are written by us and by anyone who wishes to contribute original texts.

Please come and visit us on IRC on EFNet. You may use the following servers to connect to EFNet: irc.flamed.net, irc.rt.ru, irc.prison.net, and irc.vrfx.com. Also join us on the world wide web at www.teamphreak.net

introduction
------------

I never thought the time would come when I would have to sit here and type something out like this. This zine has been going strong for nearly two years now, without much going wrong at all. Sure, we've had a revolving door of members, who leave, come back, and leave again, but despite that we've always had enough articles to publish a well put together zine. Apparently times change.
While all the members of Team Phreak knew that things would eventually slow down, with some of us entering college and just getting on with our lives, we never thought that the influx of articles from the outside would just totally stop, and that's exactly what has happened. npanxx cannot be published without outside sources of information. It's simply impossible for the 3 current members of Team Phreak to publish enough info for the zine to be current and important. This is the entire reason that we rely on the outside. It took forever to get npanxx010 together. Barely anyone submitted anything, and even our own members are running out of ideas, and time.

This is why we must now beg you to write articles for the zine. Whatever you know, just submit it. Of course we're not going to lower our standards, but you don't know, our standards might be pretty low already, so just submit that really bad article that you always wanted to write. I don't want npanxx010 to be our last issue, but without any outside help we might have to go on a hiatus for more months than we usually do between issues, and this doesn't help us at all. Thanks for visiting the site, and for those of you who submit articles, thank you.

bor (bor@teamphreak.net)

------------------------------------------------------------------------------

 ______________________________________________________________________
|
| 1. The basics of CDMA
| Written By: prism (no e-mail)...
| Written For: NPANXX010 (www.teamphreak.net)
| Written On: 07.xx.03
|
|______________________________________________________________________|

CDMA (Code Division Multiple Access) is the newest of the cellular air interfaces in use in the US, and it carries more conversations in a given slice of spectrum than the analog and TDMA networks it competes with. In my opinion it is also the most secure. Sprint and Verizon use CDMA. Verizon used to be analog, so when they upgraded to CDMA they overlaid it on their existing analog spectrum, 824-849 MHz (the handset's transmit side of the 800 MHz cellular band).
This is the reason their CDMA phones have an A/B carrier selection. Back in the analog days the FCC required two cellular carriers per market, so it split the spectrum into two blocks: the A block went to one carrier and the B block to the other. Sprint uses the 1900 MHz (PCS) band, which simplifies things: there is no analog-era A/B selection because the entire band is digital, and the carriers on it are kept apart by digital coding.

A base station (tower) links all of its cellular traffic to an MSC (Mobile Switching Center), the central office of a cellular network. Inside the MSC are several systems. One is the Home Location Register (HLR), which keeps track of which base station each subscriber's phone number is currently using so that incoming calls can be routed. Next to it is the Visitor Location Register (VLR), which does the same job for roamers using this network; when someone roams, their home carrier's HLR transfers the customer's billing and authentication data to the visited network's VLR for billing and authentication purposes. Then there is the Authentication Center (AuC). The AuC stores each subscriber's ESN (Electronic Serial Number) and A-key (the long-term secret from which the authentication and encryption keys are derived), and it performs the authentication calculations described later in this file. The MSCs are linked together in a network so calls can be routed between them. Within that network a few Gateway Mobile Switching Centers (GMSCs) route calls between the cellular network and the outside PSTN (Public Switched Telephone Network).

Frequency, in hertz, is the number of times per second the carrier wave goes up and down. Since all radio signals travel at the speed of light, the higher the frequency, the closer together the peaks of the wave are. A 1900 MHz signal has a wavelength (peak to peak) of about six inches; an 800 MHz signal has a wavelength of about fifteen inches. A phone's antenna is ideally a half or a quarter of a wavelength long. Higher frequencies are absorbed more easily by buildings and terrain, so 1900 MHz has a shorter range than 800 MHz.
The advantage of shorter range is that cell sites can be smaller, so a frequency can be reused at a nearby cell site without interference. This allows more phones to use the network at a time. Analog has such a large coverage area because of its low frequency, and Verizon's 800 MHz CDMA network has similar reach. This is also part of why GSM coverage in the US isn't very good: Cingular's GSM towers run in the same 1900 MHz band as Sprint's.

Scanners that receive the 800 MHz cellular or 1900 MHz PCS bands are illegal to manufacture or import in the US, so an eavesdropper would have to heavily modify a scanner to do this.

The information being transmitted has to be represented somehow. Since we are using digital technology, there are only two symbols that need to be sent, 1 and 0. Early digital networks used frequency modulation (FM; when it carries bits it is called FSK). The amplitude (the height of the wave) remains constant while the frequency changes slightly. For example, the tower listens on 824.5 MHz. To represent a 0 the phone transmits at 824.5001 MHz, and for a 1 at 824.5002 MHz. The phone changes frequency, but the tower still receives everything transmitted within its 824.5 MHz channel. Since the frequency can take any value, not just two, the same technique also carries analog signals, as in analog cell phones or FM radio stations. AM (amplitude modulation) uses the height of the wave to carry the information in the same way while the frequency stays constant. The amplitude of a wave is easily disturbed by things such as weather, so FM is clearer.

Modern digital cellular technology uses phase modulation. With phase modulation the frequency and the amplitude of the signal stay constant; what changes is the phase, the point in its cycle the wave is at relative to a reference. By forcing abrupt shifts in the sine wave you convey information. You don't stop or shorten the wave, you shift where in its cycle it is.
As an example, phases of 0, 90, 180 and 270 degrees might represent the bit pairs 00, 01, 10 and 11 respectively (this four-phase scheme is called QPSK). Phase modulation fits more channels into a given spectrum, since no frequency change is needed to represent information, and it carries more data, because you can transmit several bits per symbol instead of just one bit. It is also slightly harder to intercept, because an eavesdropper has to build or write a demodulator that recovers the bits from the phase shifts.

Code Division Multiple Access is a spread spectrum technique. It is often described as frequency hopping, but that is not how it works: IS-95 CDMA is direct sequence spread spectrum. The phone and the tower stay on one wide (1.25 MHz) channel and multiply the data by a much faster pseudo-random chip sequence, so the signal is smeared across the whole channel and a receiver that does not apply the same sequence sees only noise. When a call is set up, the phone and the tower agree on the 42-bit mask that selects the "long code" PN sequence for the call. The private mask is derived, via the CAVE algorithm, from shared secret data that both sides computed from the A-key. Since that secret data is never sent over the air, the sequence cannot be worked out by listening. All of this is explained in the paragraphs below. The spreading provides extra security and also lets more phones share a cell site. It would be extremely difficult for an eavesdropper to build a receiver for the 800 MHz or 1900 MHz band that could despread the signal, much less know which sequence to despread with.

CDMA uses a process called Authentication. Each CDMA phone has a 64-bit (8 byte, about 20 decimal digit) number set inside it called the A-key. The A-key is randomly generated by the dealer's computers. After the key is programmed into the phone, the dealer uses an encrypted dialup to load the ESN and A-key into the network's Authentication Center. There is no further record of the A-key, and it is not visible to any human during this process. The A-key can also be changed by the network over the air in some cases.
When this is done it uses a 512-bit Diffie-Hellman key agreement, which was considered strong and well suited to the job when the standard was written (512-bit Diffie-Hellman is no longer regarded as adequate).

The AuC (Authentication Center) knows the phone's ESN (Electronic Serial Number) and its A-key. The AuC is a computer inside the MSC. Authentication happens in two stages. The first, the SSD update, happens occasionally rather than on every call: the network sends the phone a random seed, and both the phone and the AuC run it together with the ESN and the A-key through the CAVE (Cellular Authentication and Voice Encryption) algorithm to produce 128 bits of Shared Secret Data. Half of it, SSD_A (what this article calls SSD_1), is used for authentication; the other half, SSD_B (the article's SSD_2), is used to derive the voice privacy and message encryption keys. The A-key itself is never transmitted.

On each call, the tower sends the phone a random number, the RAND challenge, which the AuC also knows. The phone runs RAND, its ESN and SSD_A through CAVE and gets an 18-bit result, the authentication signature (AUTHR). Only this signature goes over the air. The AuC does the same calculation, and if its result matches the one the phone sent, the phone is authenticated and allowed to make the call. The AuC and the phone also both derive from SSD_B the private long code mask that selects the spreading sequence for the call, and the keys used for voice encryption.

CAVE has been published and open to public scrutiny, and no practical flaw that lets the A-key or ESN be recovered from intercepted traffic has been published, no matter how many RAND/AUTHR pairs are collected. The 64-bit A-key is short by today's standards; that, rather than any published flaw, is its long-term limit.

The A-key is kept very secure. The only places it is stored are the AuC and the handset itself. Unlike the ESN, the A-key isn't printed on the phone, nor viewable through the handset in any way. To determine the A-key you would have to remove the memory chips from the victim's phone and use an EPROM reader to dump their contents to a computer. It would be more logical for a cloner to get it from the AuC, but very few people have access to the AuC, so social engineering would also be extremely hard.
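The following is an added example, not code from the original article or from any CDMA vendor. It runs the exchange described above end to end: an SSD update, a RAND challenge answered with an 18-bit signature, derivation of a 42-bit mask from SSD_B, and direct-sequence spreading of a payload with the sequence that mask selects. It then shows that an eavesdropper who captured everything that crossed the air still cannot despread the traffic, and that a clone holding the right ESN but the wrong A-key fails the challenge. CAVE itself is not implemented; HMAC-SHA256 stands in for it, the LFSR taps are illustrative rather than the IS-95 long code polynomial, and the A-key, ESN, RAND, seed and payload are constructed values.

```python
"""Added example: not from the original article or any CDMA vendor.

A runnable model of the IS-95 style challenge/response described above.
CAVE is NOT implemented; HMAC-SHA256 stands in for it so the shape of the
protocol can be exercised. Field widths follow IS-95 (ESN 32 bits, A-key
64 bits, SSD 128 bits split into SSD_A for authentication and SSD_B for
privacy keys, RANDSSD 56 bits, RAND 32 bits, AUTHR 18 bits, long code
mask 42 bits); the derivation order and labels are the stand-in's. The
spreading sequence is a 42-bit LFSR whose taps are illustrative, not the
IS-95 long code polynomial.
"""
import hashlib
import hmac

CHIPS_PER_BIT = 64                                  # toy processing gain
LFSR_TAPS = (1 << 41) | (1 << 40) | (1 << 19) | 1   # illustrative taps

# Constructed sample values (not real subscriber data).
A_KEY = bytes.fromhex("0123456789abcdef")
CLONE_A_KEY = bytes.fromhex("fedcba9876543210")     # cloner guessed wrong
ESN = 0x8A1B2C3D
RAND = 0x5EEDF00D
PAYLOAD = [1, 0, 1, 1, 0, 0, 1, 0] * 8              # 64 bits of "voice"


def cave_stand_in(key: bytes, label: bytes, data: bytes, nbits: int) -> int:
    """Keyed one-way function truncated to nbits. Stands in for CAVE."""
    mac = hmac.new(key, label + data, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") >> (256 - nbits)


def ssd_update(a_key: bytes, esn: int, randssd: int) -> tuple:
    """Both ends derive SSD_A and SSD_B from the A-key; the A-key stays put."""
    ssd = cave_stand_in(a_key, b"SSD", esn.to_bytes(4, "big") + randssd.to_bytes(7, "big"), 128)
    return ssd >> 64, ssd & ((1 << 64) - 1)


def authr(ssd_a: int, esn: int, rand: int) -> int:
    """18-bit signature the handset returns for the tower's RAND challenge."""
    return cave_stand_in(ssd_a.to_bytes(8, "big"), b"AUTH", esn.to_bytes(4, "big") + rand.to_bytes(4, "big"), 18)


def private_long_code_mask(ssd_b: int) -> int:
    """42-bit mask that selects this call's spreading sequence."""
    return cave_stand_in(ssd_b.to_bytes(8, "big"), b"PLCM", b"", 42)


def pn_chips(mask: int, n: int) -> list:
    """42-bit Fibonacci LFSR seeded with the mask (an all-zero seed is avoided)."""
    state = mask or 1
    chips = []
    for _ in range(n):
        chips.append(state & 1)
        feedback = bin(state & LFSR_TAPS).count("1") & 1
        state = (state >> 1) | (feedback << 41)
    return chips


def spread(bits: list, mask: int) -> list:
    """Direct-sequence spreading: repeat each bit CHIPS_PER_BIT times, XOR with chips."""
    chips = pn_chips(mask, len(bits) * CHIPS_PER_BIT)
    repeated = [b for b in bits for _ in range(CHIPS_PER_BIT)]
    return [b ^ c for b, c in zip(repeated, chips)]


def despread(rx: list, mask: int) -> list:
    """XOR with the local sequence, then majority-vote each group of chips."""
    raw = [r ^ c for r, c in zip(rx, pn_chips(mask, len(rx)))]
    return [int(2 * sum(raw[i:i + CHIPS_PER_BIT]) > CHIPS_PER_BIT)
            for i in range(0, len(raw), CHIPS_PER_BIT)]


def run_call(handset_a_key: bytes, auc_a_key: bytes, esn: int, rand: int, payload: list) -> dict:
    """One SSD update, one RAND challenge, then one spread traffic burst."""
    randssd = 0x01020304050607                                      # constructed seed
    ssd_a_ms, ssd_b_ms = ssd_update(handset_a_key, esn, randssd)    # handset side
    ssd_a_auc, ssd_b_auc = ssd_update(auc_a_key, esn, randssd)      # AuC side
    signature = authr(ssd_a_ms, esn, rand)          # the only secret-derived value sent
    result = {
        "authenticated": signature == authr(ssd_a_auc, esn, rand),
        "over_the_air": {"ESN": esn, "RAND": rand, "AUTHR": signature},
    }
    if result["authenticated"]:
        tx = spread(payload, private_long_code_mask(ssd_b_ms))
        result["tower_recovers"] = despread(tx, private_long_code_mask(ssd_b_auc))
        # Eavesdropper has ESN, RAND and AUTHR but not SSD_B: any guessed mask gives noise.
        result["eavesdropper_recovers"] = despread(tx, 0x2BAD2BAD2B)
    return result


if __name__ == "__main__":
    print(run_call(A_KEY, A_KEY, ESN, RAND, PAYLOAD))
    print("clone authenticated:", run_call(CLONE_A_KEY, A_KEY, ESN, RAND, PAYLOAD)["authenticated"])
```

Run it and compare `tower_recovers` with `eavesdropper_recovers`: the tower gets the payload back bit for bit, the eavesdropper gets roughly half the bits wrong, and the `over_the_air` dict never contains the A-key or either half of the SSD. The clone's run stops at `authenticated: False` and never gets a traffic channel.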
On top of CAVE, several other algorithms encrypt information over the air; they are keyed from SSD_B (the article's SSD_2). One is ECMEA (Enhanced Cellular Message Encryption Algorithm), which encrypts signalling messages, including the digits you dial. Dialed digits need protecting because many people key in credit card numbers and PINs over the phone. The original CMEA was broken in 1997 by Wagner, Schneier and Kelsey, which is why the enhanced version exists. ORYX is a stream cipher that was specified for cellular data services; it too was shown to be weak, in 1998, by Wagner, Simpson, Dean and Bellovin. Voice itself is protected by the private long code mask described above, which scrambles the traffic channel. Control traffic such as handoffs rides in the signalling messages. (A handoff occurs when you leave the range of one tower and enter another's; the network has to move your phone between towers without losing the call.)

On top of encryption and A-key authentication, CDMA uses two other checks. The network and the phone each keep a call history count that is incremented as the phone is used; if a clone makes calls, the legitimate phone's count falls out of step, and a phone whose count doesn't match the network's is not authenticated. Also, the network notices if two phones with the same identity are active at the same time, drops both calls and refuses to authenticate either of them until the problem is resolved.

RF (radio frequency) fingerprinting is a technology that was used to combat fraud back in the analog days. The tower and AuC would use the RF signature and radio properties of the cell phone's transmitter to decide whether it matched the legitimate subscriber's phone. There were a few ways around this. One is to use a transmitter identical to the one in the victim's phone. Another is to "warp" the crystal to change the RF signature. Another is to keep the signal strength so low that the tower can't get a good fingerprint and, hopefully, lets the call go through anyway. It is uncertain whether CDMA networks use this technology; most likely they do not. If they do, it would just be one more step making CDMA cloning less worth the time.
In the next article I will discuss potential strategies for eavesdropping on and cloning a CDMA network, along with any other potential security weaknesses I can think of by then.

---------------------------------------------------------------------------

 ______________________________________________________________________
|
| 2. Verizon's Expanded Announcement System
| Written By: ic0n@oldschoolphreak.com
| Written For: NPANXX010 (www.teamphreak.net)
| Written On: 09.06.03
|
|______________________________________________________________________|

To skip directly to the supplemental audio file, which will let you hear the menu prompts from inside the Expanded Announcement System, go to: http://goblin.crappyhosting.com/Expanded_Announcement.mp3

Telco error messages... We've all heard one at some point. A typical error message starts off with those 3 tones, known as SIT (Special Information Tones), followed by "We're sorry. The number you have reached..." etc. But have you ever wondered about the recording process for phone company error messages, or how they're stored, accessed, modified, or deleted when need be? Well, if you happen to live in my part of Verizon's service area, Verizon maintains a phone system they call their Expanded Announcement System. Now, due to the fairly potent nature of this system, I won't be disclosing certain important specifics here, such as the phone number to dial or the passcode to enter. But I will tell you that once inside the system, you can listen to, record, modify, or delete error messages.

The thing I was kind of surprised to learn is that a single telco error message is usually 2 or more individual recordings pieced together to form a single error message. The system refers to those individual recordings as a "message", and an entire error message put together from those individual message recordings is called an "announcement".
Each individual message in an announcement is stored in a slot, which the system refers to as a "position". And every other position in an announcement seems to be blank (it doesn't contain a message). I think this is because it contains a "message function" instead, which I believe tells the system whether to play another message for the next position in the announcement, and if so, which one to play. Otherwise the announcement is deemed finished, and ends, if no message function is contained in the next position. In other words, a message function serves as the parameters within an announcement. And, as you probably guessed, there is a feature in the menus to "define a message function". Although I didn't mess with that feature, to play it safe, I imagine it could be a fairly involved process.

By the way, if you were to record over an existing message with one of your own, all announcements that used that particular message would now feature your re-recording of it. However, the system seems not to allow messages assigned for use in many announcements to be recorded over. Apparently this is some sort of failsafe measure. But you can always re-record a message that's hardly assigned for use within announcements, or isn't assigned to any announcement at all. Also, you can record a brand new message into any blank "message number" that doesn't already contain a recorded message, or just use option 5 from within the message administration menu (accessible from the main menu) to create a new message/message number from scratch. The system information feature in the main menu lets you listen to a list of open announcement numbers, message functions, and open or unused message numbers. Unused message numbers are recorded but unassigned messages.
Different announcements and message functions are stored separately in individual announcement numbers and message function numbers on the system, just like the different messages are stored separately in individual message numbers.

All in all, Verizon's Expanded Announcement System is pretty complex and vast, with storage for thousands of messages and lots of announcements and message functions, and an almost limitless number of ways to combine them all. As a result, I would guess it could take a pretty good amount of time to put together an entire announcement, especially if it's all done from scratch rather than by modifying or using existing messages, message functions, or announcements. But I don't think I recommend spending long sessions logged into the Expanded Announcement System in the first place, especially not during regular Verizon business hours. (It's just good common sense.) Also, I don't know whether this system is logging ANI. Besides, it's pretty obvious that they intended this system for telco tech personnel use only. By the way, you don't have to live in my local or regional area to access the Expanded Announcement System, since it's dialable through a standard 10 digit phone number.

Shout outs: ic0n (as always), Hopping Goblin, OldSkoolPhreak.com and all the Agents of Freedom, Dual Parallel, Stankdawg.com and all the forum krew over there, all the people behind the screens at hackerhost.com, Cue Biz and the Telco Insiders, Decoder, Unity, Phreakblaze, White Raven, Bagel, Reaver, and all the old LPH krew. And the countless people who've helped me and ic0n make our site www.hackerhost.com/lph into what it's grown into.

----------------------------------------------------------------------------

 ______________________________________________________________________
|
| 3. The basics of E911
| Written By: bor (bor@teamphreak.org)
| Written For: NPANXX010 (www.teamphreak.net)
| Written On: 07.15.03
|
|______________________________________________________________________|

Table Of Contents
-----------------
Introduction
Part I: Definition of E911
Part II: E911 for PBX/ALI users
Part III: Master Street Address Guide (MSAG)
Part IV: Glossary of Terms

Introduction
------------
Recently, 911 centers all across the United States have been changing from their classic, simple call-in 911 centers to more complicated and versatile E911 centers. These centers offer advantages to police, medical and fire departments far beyond what used to be possible. This article reproduces portions of BellSouth documents that describe their E911 system. It covers various areas of the E911 system, from its use by PBX/ALI customers to the numerical codes used in the File Transfer System (FTS).

Part I: Definition of E911
--------------------------
"911" has been designated in the United States as the number to be used by the public to summon emergency aid or to report a crime, fire, or accident. Its main purpose is to make it easier for people in times of emotional stress to contact the proper emergency agency. An important advantage of 911 emergency service is improved (reduced) response time.

The original 911 service, known as Basic 911 (B911), routes a call to one centralized answering location. The attendant at the answering location obtains the pertinent information that identifies the call and the caller's need. The attendant then determines the appropriate agency and dials a seven digit number to transfer the caller to that agency. The calling party's emergency information is verbally relayed to the responding agency and a unit is dispatched to the caller's location.
Enhanced 911 service, or E911, is a full featured electronic system that provides three (3) major enhancements to basic 911 service:

SELECTIVE ROUTING - Electronically routes 911 emergency calls to the proper Public Safety Answering Point (PSAP) based on the Emergency Services Number (ESN) code that has been assigned to the caller's address.

AUTOMATIC NUMBER IDENTIFICATION (ANI) - Provides the calling party's seven digit telephone number on a display at the PSAP.

AUTOMATIC LOCATION IDENTIFICATION (ALI) - Provides the name and address associated with the calling party's telephone number on the display at the PSAP.

NOTE: To receive the maximum benefit of E911, the area served must be assigned valid house numbers. Without a house number, dispatching is delayed and the responding agency has difficulty finding the correct address.

Part II: E911 for PBX/ALI users
-------------------------------
The E911 Private Branch Exchange/Automatic Location Identification (PBX/ALI) Service provides a PBX customer located in an E911 serving area with the ability to offer full E911 service to its station users. Ordinarily, the location information displayed on a Public Safety Answering Point (PSAP) attendant's screen for a caller from a PBX not equipped with this service is the billing or service number and address of the PBX itself. This may not be the actual physical location from which the call is placed. With the PBX/ALI service the "off premise" location information is available to the PSAP when a caller using a connected station of the PBX dials 911.

The PBX/ALI service provides the PBX customer with private E911 trunks from their PBX (i.e., private switch) to the E911 Tandem. To use this service, the PBX must be capable of sending the calling station's telephone number to the BellSouth E911 network in a specified Multifrequency (MF) address signaling "protocol".
This "addressing protocol" information is known as Automatic Number Identification (ANI), and when received it is routed by the BellSouth E911 Tandem to the appropriate PSAP. At the PSAP the data specific to the calling station is retrieved from ALI databases maintained by BellSouth. This data associated with the calling location, including the telephone number, name, address, and the nearest responding emergency agencies, greatly enhances the speed and efficiency of the PSAP dispatch operation. Updates to this station data are supplied to BellSouth by the customer, as required by moves and changes, over dial-up access. The manner and frequency of these updates is negotiated between the customer and BellSouth.

Part III: Master Street Address Guide (MSAG)
--------------------------------------------
The Master Street Address Guide (MSAG) is the portion of the 911 database which contains address and Emergency Service Number (ESN) information. The MSAG associates customer accounts with the appropriate ESN based on the customer's address. ESNs designate the routing of each E911 call to the proper PSAP.

Once the mapping and ESN assignment are complete, the ICO (an independent telephone company participating in the system) uses the map to associate an ESN with each street in its territory. The ESN assignment, along with other specific street address data, is used to create the MSAG. The ICO should provide the MSAG data by the date agreed upon with BST (BellSouth Telecommunications). It is the responsibility of each Telephone Company participating in the E911 system implementation to provide specific street address data to INTRADO (the 911 database vendor) based on their customer account records. This data must include all streets in a wire center. The MSAG is loaded directly into the E911 database via magnetic tape, or sent via electronic transfer as agreed upon with INTRADO. A printed copy of the MSAG is provided to the ICO once the data is loaded into the E911 database.
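An added example (not BellSouth's, Intrado's or any PSAP vendor's code) of the data path the three parts above describe: ANI to ALI record to MSAG range to ESN to PSAP. It includes the two failure modes the text calls out, a PBX without PBX/ALI service, whose calls show the switch's billing address rather than the station's, and an address with no valid house number. The record layouts, the odd/even parity convention, the PSAP names and all numbers and streets are constructed for the illustration; real MSAG and ALI formats are vendor specific.

```python
"""Added example. Not BellSouth's, Intrado's or any PSAP vendor's code: a toy
model of selective routing (ANI -> ALI record -> MSAG/ESN -> PSAP). Record
layouts, the odd/even parity convention and every number and street below are
constructed for the illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class MsagRange:
    street: str
    low: int          # lowest house number in the range
    high: int         # highest house number in the range
    parity: str       # "O" odd side, "E" even side, "B" both sides (assumed convention)
    community: str
    esn: str          # Emergency Service Number assigned to this range


# Constructed MSAG: one block of MAIN ST routes to different PSAPs by side of street.
MSAG = [
    MsagRange("MAIN ST", 100, 199, "O", "MACON", "101"),
    MsagRange("MAIN ST", 100, 199, "E", "MACON", "102"),
    MsagRange("PEACH AVE", 1, 999, "B", "MACON", "103"),
]
PSAP_BY_ESN = {"101": "Macon PD Central", "102": "Macon PD North", "103": "Bibb Co. Sheriff"}
DEFAULT_PSAP = "County default PSAP"      # where a call with no ESN lands (assumed)

# Constructed ALI records: telephone number -> (name, house number, street, community)
ALI = {
    "4785550100": ("J DOE", 123, "MAIN ST", "MACON"),
    "4785550101": ("ACME CORP PBX", 500, "PEACH AVE", "MACON"),      # PBX main/billing number
    "4785550152": ("ACME CORP STA 152", 150, "MAIN ST", "MACON"),    # PBX/ALI station record
    "4785550177": ("R SMITH", None, "PEACH AVE", "MACON"),           # no house number assigned
}


def msag_lookup(house: Optional[int], street: str, community: str) -> Optional[str]:
    """Return the ESN for an address, or None if the MSAG cannot place it."""
    if house is None:
        return None
    for r in MSAG:
        if r.street != street or r.community != community or not (r.low <= house <= r.high):
            continue
        if r.parity == "B" or (r.parity == "O") == (house % 2 == 1):
            return r.esn
    return None


def route_911(ani: str, pbx_main: Optional[str] = None) -> dict:
    """Selective routing for one call. `ani` is the number the E911 tandem received;
    `pbx_main` is the PBX's own number, supplied when the call came from a PBX that
    does not send station ANI (no PBX/ALI service)."""
    caveats = []
    record = ALI.get(ani)
    if record is None and pbx_main is not None:
        record = ALI.get(pbx_main)
        caveats.append("ALI shows the PBX billing address, not the caller's station")
    if record is None:
        return {"ani": ani, "esn": None, "psap": DEFAULT_PSAP, "caveats": ["no ALI record for ANI"]}
    name, house, street, community = record
    esn = msag_lookup(house, street, community)
    if esn is None:
        caveats.append("address not in MSAG or no house number; dispatch will be delayed")
    return {
        "ani": ani,
        "name": name,
        "address": f"{house if house is not None else ''} {street}, {community}".strip(),
        "esn": esn,
        "psap": PSAP_BY_ESN.get(esn, DEFAULT_PSAP),
        "caveats": caveats,
    }


if __name__ == "__main__":
    for call in (route_911("4785550100"), route_911("4785550152"),
                 route_911("4785550199", pbx_main="4785550101"), route_911("4785550177")):
        print(call)
```

The third call is the case Part II warns about: station 0199 of the PBX was never loaded into ALI, so the tandem only has the PBX's main number and the PSAP is routed on the switch's PEACH AVE address even though the caller sits on MAIN ST. The fourth shows the NOTE in Part I: with no house number the MSAG cannot assign an ESN and the call falls to the default PSAP.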
The ICO should obtain approval of the MSAG data from the city, county or parish. An MSAG ledger should be used to make updates to the MSAG once it is loaded into the E911 database.

That's the gist of it. It's a nice upgrade from what a lot of places used to use, and some still do, but normal E911 isn't what a lot of people think it is. Hope this shed some light on the subject.

Part IV: Glossary of Terms (In order of appearance)
---------------------------------------------------
SELECTIVE ROUTING - Electronically routes 911 emergency calls to the proper Public Safety Answering Point (PSAP) based on the Emergency Services Number (ESN) code that has been assigned to the caller's address.

AUTOMATIC NUMBER IDENTIFICATION (ANI) - Provides the calling party's seven digit telephone number on a display at the PSAP.

AUTOMATIC LOCATION IDENTIFICATION (ALI) - Provides the name and address associated with the calling party's telephone number on the display at the PSAP.

PBX/ALI SERVICE - Provides the PBX customer with private E911 trunks from their PBX (i.e., private switch) to the E911 Tandem.

MASTER STREET ADDRESS GUIDE (MSAG) - The portion of the 911 database which contains address and Emergency Service Number (ESN) information. The MSAG associates customer accounts with the appropriate ESN based on the customer's address. ESNs designate the routing of each E911 call to the proper PSAP.

Well, that's all of the important stuff that I can think of. I'm sure there's a ton of things that I forgot, but that's it for now.

---------------------------------------------------------------------------------------------------------

 ______________________________________________________________________
|
| 4. An interview with John Draper
| Written By: parenomen (parenomen@teamphreak.org)
| Written For: NPANXX010 (www.teamphreak.net)
| Written On: 07.xx.03
|
|______________________________________________________________________|

NOTE from bor: When pare conducted this interview, it was meant to be a serious interview about John Draper and his views on different subjects such as spam. However, through the interview it became more about his business than anything else and became a pretty bad interview. But because of who the interview is with, we will publish it anyway, because there is most likely some interest.

-------------------------------------------------------------------------------

pare: What exactly is spamcrunchers, and how will it work?

John: Spamcrunchers works on both the client level and the server level. It consists of a server acting as a POP3 proxy, or a person can get their mail through our very secure web based server. On the client side are filters customized to the user. Each person's ham and spam are different. Spamcrunchers will first be introduced as an "online" system.

pare: Will there be any beta testers for spamcrunchers?

John: I will be soliciting for beta testers first. I would want about 2-3 beta testers.

John: So the user will log into the online service and set up their POP proxy stuff, by making one or more proxy connections to their normal proxy servers. They would read their mail normally, using Eudora or Outlook. As they read their mail, ham is separated from spam by adding a special header to the mail. Then the local Outlook or Eudora does the final filtering, but there is also pre-filtering at the server level. So when you get a spam email, you click just ONE button, and the IP of the mail gateway is then blocked, and you won't get any more spam. Spam email is also encoded differently than regular email. This is also picked up. Once you collect your spam, then you can do a lot of cool things. You can analyze it.
The program goes through the body of the spam message and interprets the code.

John: If the user interprets this encoding as "unauthorized", all further spam with this encoding is blocked before it even sees the Bayesian filtering. It also extracts the embedded URLs and email addresses. Then it validates the opt-out link or mailbox and determines if the opt-out is real. If it is not real, then you move that message to the "Report FTC" mailbox for later reporting. Same for SpamCop, SPEWS, and other anti-spam groups, as well as the DCC list.

John: It then digs even deeper. It analyzes the headers and determines which ones are bogus. It then does a whois lookup on the website promoted in the spammer's message.

pare: What kind of information would be shown about the spammer?

John: Determines if the info is valid. If not valid, it sends a pre-composed message to the registrant complaining that they have breached their contract.

John (in response to question): The entire mail path it took to get to me. Open relay's IP address, SMTP proxy IP addresses, traceroutes to get the IP block the spammer used. Does a "dig" to extract the DNS info. It also un-obfuscates the URLs the spammers put in their mail. Most URLs advertised in spam mail go to a totally tweaked URL, making it all but impossible to do the whois to find out who they are. This program unravels the URL to get the REAL domain it's using. It then probes the spammer's gateway, doing fingerprints to determine if it's a spammer's gateway or an open one.

pare: Ah, what is the planned release date for spamcrunchers?

John: No official date yet, but we are working on it as hard as we can. Like there is no tomorrow.

pare: Will this service be free, or will there be a charge? And if so, how much are you planning to charge?

John: It then keeps a record of all the opt-in addresses. Invalid ones are marked, and sent to the FTC or SpamCop.
It will be free for the 2-3 beta testers, but after initial testing and shakedown, then we go commercial. We intend to charge for it.

pare: Are you worried about the new laws being passed that will outlaw spamming?

John: No - not at all. Spammers are just going to ignore the laws, regardless of what they are. Spamming is an international problem to be worked out at economic summits. U.S. laws are not going to stop spammers. Spammers just move offshore, like they have been doing for the past four years. Most just go to China, set up their own spam relays, and spam from there. Then they hire Americans to spam for them, by giving them spam kits and programs they run that access the Chinese servers.

pare: You mentioned that in the state of California, you can sue spammers. Are you starting any spam lawsuits yourself?

John: Working on it. Getting confirmation is the problem. You better be darned sure you are suing the right group. Not getting any cooperation from the government. Actually, it is a federal law now that says you can sue spammers. Once I find the system they use, I still have to find out who owns the system. Getting the provider to tell me that is very problematic. So I go to the provider's provider and work on them.

pare: How accurate do you think SMS will be at tracking down the right spammers?

John: As accurate as the user using it, I suppose. It can and does nail down the IP address of the spammer's machine. And can tell with certainty that this is the spammer's machine. But determining the owner of the machine is the problem. There are two main ways of tracking them down.
1.) Follow the mail path it took to get to me.
2.) Dig into the domain name info of the site the spammer promotes.
3.) And one more - follow the money trail, but for me, being poor and morally not up to the task of ordering that penis enlargement system.

We are also working on a spam alert system. It's more on a system admin level. Involves the Snort IDS.
Spam signatures can be written such that if spam enters a protected network, the IDS sends a message to spamcrunchers causing an alert, so the instant the spammer launches their spammer system, spamcrunchers sends an instant messenger alert to participating ISPs to shut down the spam operation. Of course this would only happen if mail happened to enter my network, and I know in advance the exact signature the spam message would have. This would be useful in situations where spammers' messages are well known, and gives us a way to fight the more prolific spammer, and perhaps allow us to catch them in "real time", but cooperation of their ISP or internet provider is paramount.

pare: Do you expect any harassment from spammers that you are tracking down?

John: I'm already getting death threats. Yes...and this is yet another reason why I'm still a little reluctant to go too public on this just yet.

pare: What kind of death threats?

John: I've been responsible for shutting down the HGH2000 site "As seen on NBC..." spam. Up until about 2 years ago, I stopped allowing visitors to visit me in my home. Now I only allow relatives and old friends to visit me where I live. Before that, I would invite anyone to visit me, but when I learned of the Defcon threats, I changed my policy.

--------------------------------------------------------------------------------------------

 ______________________________________________________________________
|
| 5. Verizon Codes (August 2001 Release) Part I
| Written By: bor (bor@teamphreak.org)
| Written For: NPANXX010 (www.teamphreak.net)
| Written On: 09.10.03
|
|______________________________________________________________________|

INTRODUCTION
------------

The following file is the first of a two part article of the Verizon codes from the August 2001 release. Because of how many codes there are, we are separating it into two articles.
The Error and Trouble Type codes are in this article, and the rest of the codes, including Override Handle, Disposition, Cause, and test result codes, will follow in Part II. I'm not sure how many of these codes are published, but I'm sure that they're useful for something, so they will all be published.

Part I: Error Codes
-------------------

Error Code - Error Attribute - Explanation

0000 - Success - Transaction completed successfully.

0101 - Trouble Report Already Exists - A trouble report already exists on this line circuit.

0103 - Mandatory Attribute Missing - There is a required attribute missing from the message set or there is an attribute tag with no value. For Groups: this error is reported only at the group level. That is, only the group DD tag will be listed and not the individual DD tags within the group. Will occur on formatting errors.

0104 - Invalid Attribute Value - There has been an attribute edit failure. For Groups: this error is reported only at the group level. That is, only the group DD tag will be listed and not the individual DD tags within the group. Will occur on formatting errors.

0201 - No Such Object Instance - Ticket does not exist. In case of end customer originated queries, will contain "Last Trouble Cleared Date =" with the last trouble cleared date appended to it. Will occur when using Status Inquiry, Modify, or Close transactions.

0301 - Cannot Verify Or Deny At This Time - Ticket is in a state of cleared; no additional changes can be performed. Will occur when ticket is being worked on by a Bell Atlantic employee.

0302 - Can Not Close - "Ticket cannot be closed." Trouble to be closing pending work in progress message.

0303 - Trouble Report Change Denied - Ticket is in a state of cleared; no changes allowed. Similar to Code 0301. Use same logic.

0304 - Line Condition Is Not Working Transaction Denied - The working condition of the line is equal to "NWKG", "UNAS", "WKG LID", "DISC", or spaces. The field will contain "Working Condition Of Line=" with the working condition of the line appended to the message.

1001 - Processing Failure No Value - Will occur on system timeouts. Resubmit transaction.

1002 - Fall-Back Reporting - A security error has been detected: circuit/owner mismatch or circuit not found. Will occur when CKT ID cannot be found in Bell Atlantic records.

1003 - Resource Limitation - Host OS not available; some link is broken. Similar to Code 1001. Use same logic.

1004 - Access Denied or Access Failure - A security error has been detected; access to the system is disallowed. Will occur whenever your company's RSID/AECN is not marked as "owner" on Bell Atlantic records.

1005 - Routing Failure - Unable to detect Request to the correct testing center.

1006 - Invalid Service Recovery Request - Service Recovery Request was denied. For example: Predictor was down, Commitment has expired, the circuit was a PBX.

1007 - Commitment Request Failure - Commitment Modify Request was denied.

1008 - Invalid DSL Test Request - DSL Test Request was denied.
Part II: Trouble Type Codes
---------------------------

RETAS 4-Digit T1M1 TroubleTypeCode - T1M1 Trouble Type Code Text

0100 - noDialToneGroup
0101 - noDialTone
0102 - slowDialTone
0103 - circuitDead
0200 - canNotCallOutGroup
0201 - canNotCallOut
0203 - canNotBreakDialTone
0204 - dialToneAfterDialing
0205 - highAndDry
0206 - canNotRaise
0207 - allAccessBusy
0208 - canNotCallOut2
0209 - canNotCallLongDistance
0210 - canNotCallOverseas
0211 - speedCall
0212 - cannotCall911
0213 - cannotCall700
0214 - cannotCall800/888
0215 - cannotCall900
0216 - cannotCallDA
0217 - cannotCallIntraLATAToll
0300 - canNotBeCalledGroup
0301 - canNotBeCalled
0302 - canNotBeCalledBusy
0303 - doNotGetCalled
0304 - canNotTripRing
0305 - falseRings
0306 - doNotAnswer
0307 - reachRecording
0308 - canNotRaiseAStation
0309 - canNotRaiseADrop
0310 - canNotRaiseACircuitLocation
0311 - ringNoAnswer
0312 - reorder
0313 - alwaysBusy
0314 - bellDoesNotRing
0315 - bellDoesNotRing2
0316 - bellRingsCanNotAnswer
0317 - bellRingsAfterAnswer
0318 - noRingNoAnswer
0319 - otherRingTrouble
0320 - receivesCallForWrongNumber
0321 - RecordingOnLine
0322 - ringsThenGoesBusy
0400 - canNotBeHeardGroup
0401 - canNotBeHeard
0402 - canNotHear
0403 - fading
0404 - distant
0500 - reachedWrongNumberGroup
0501 - wrongNumber
0600 - circuitOperationGroup
0601 - open
0602 - falseDisconnect
0603 - grounded
0604 - canNotBeSignalled
0605 - canNotSignal
0607 - improperSupervision
0608 - supervision
0609 - canNotMeet
0610 - canNotReleaseCircuit
0611 - hungUp
0612 - noWinkStart
0613 - NoSF
0614 - lowSF
0615 - noContinuity
0616 - CutCable
0617 - openToDemarc
0618 - noRingGenerator
0619 - badERL
0620 - echo
0621 - hollow
0622 - circuitDead
0623 - circuitDown
0624 - failingCircuit
0625 - noSignal
0626 - seizureOnCircuit
0627 - lossEPSCSorSwitchedServices
0628 - monitorCircuit
0629 - newServiceNotWorking
0630 - openEPSCSorSwitchedServices
0631 - otherVoiceDescribeAdditlInfo
0632 - trunkBlockedFarEnd
0633 - badBalance
0634 - highRateIncompleteIncoming
0635 - outgoingFailureAfterWink
0700 - cutOffGroups
0701 - cutOff
0800 - noiseProblemGroup
0801 - intermittenNoise
0802 - noisy
0803 - foreignTone
0804 - clipping
0805 - crossTalk
0806 - staticOnLine
0807 - groundHum
0808 - hearsOtherOnLine
0809 - humOnLine
0810 - clicking
0811 - noiseEPSCorSwitchedServices
0812 - borIsGod
0900 - levelTroublesGroup
0901 - lowLevels
0902 - highLevels
0903 - longLevels
0904 - hotLevels
0905 - highEndRollOff
0906 - lowEndRollOff
0907 - needEqualized
0908 - lineLoss
0909 - doesNotPassReqResponse
0910 - levelsOutOfLimit
0911 - propertyOfTeamP
1000 - miscellaneousTroubleGroup
1001 - hiCapDown
1002 - carrierDown
1003 - biPolarViolations
1004 - frameErrorsHiCap
1005 - outOfFrame
1006 - lossOfSync
1007 - FrameSlips
1008 - noLoopback
1009 - canNotLoopbackDemarc
1010 - recordingOnCircuit
1011 - LinesNeedTagging
1012 - outwatsRingingh
1013 - remoteAccess
1014 - other
1015 - alarm
1016 - multipleShortDurationHit
1017 - frameErrors
1018 - facilityAlarm
1019 - softwareGroupAlarm
1020 - dChannelDown
1021 - degradationOfT1.5
1022 - networkFailure
1100 - memoryServiceProblemGroup
1101 - speedCall
1102 - callTransferProblem
1103 - callWaitingProblem
1104 - customCallFeature
1105 - threeWayCalling
1106 - callTraceNotWorking
1107 - callTraceBlockNotWorking
1108 - repeatDialNotWorking
1109 - repeatDialBlockNotWorking
1110 - callReturnNotWorking
1111 - callReturnBlockNotWorking
1112 - callerIdentificationNotWorking
1113 - callBlockingNotWorking
1114 - voiceMessagingServicesProblem
1115 - callForwardingNotWorking
1116 - callForwardingBusyLineNotWorking
1117 - callForwardingNoAnswerNotWorking
1118 - HuntingNotWorking
1119 - selectiveCallForwardingNotWorking
1120 - cannotSetupUniqueRingID
1121 - callerIDBlockNotWorkingPerLine
1122 - callerIDBlockNotWorkingPerCall
1123 - cannotRemoveBlockingOnASingleCall
1200 - dataTroubleGroup
1201 - canNotReceiveData
1202 - canNotSendData
1203 - canNotTransmitCanNotReceive
1204 - noReceive
1205 - noResponse
1206 - delay
1207 - impulseNoise
1208 - phaseJitter
1209 - harmonicDistortion
1210 - highDistortion
1211 - noDataLoopback
1212 - noCarrier
1213 - notPolling
1214 - dataFramingError
1215 - dropOuts
1216 - hits
1217 - noAnswerBack
1218 - streamer
1219 - outOfSpecification
1220 - canNotRunToCSU
1221 - canNotRunToOCU
1222 - deadDataCircle
1223 - circuitInLoopBack
1224 - errors
1225 - garbledData
1226 - invalidData
1227 - crossModulation
1228 - slowResponse
1229 - otherDataDescribeAdditlInfo
1230 - gettingAllOnes
1231 - slip
1300 - stationTroubleGroup
1301 - voiceEquipment
1302 - dataEquipment
1303 - videoEquipment
1304 - otherEquipment
1305 - stationWiring
1400 - physicalTroubleGroup
1401 - lightBurnedOut
1402 - dataset
1403 - ttySet
1404 - highSpeedPrinter
1405 - aNI
1406 - aLI
1407 - canNotActivatePC
1408 - modem
1409 - cathodeRayTube
1410 - looseJack
1411 - offHook
1412 - physicalProblem
1413 - processorDead
1414 - wiringProblem
1415 - wireBrokenSetBrokenPoleDown
1416 - noRegister
1417 - stuckSender
1418 - otherStationTrouble
1500 - otherCaseGroup
1501 - callTransferProblem
1502 - callWaitingProblem
1503 - customCallFeatureDoNotWork
1504 - information
1505 - threeWayCallingProblem
1506 - orderWork
1507 - releaseCktRequestedBylC
1508 - releaseCktRequestedByEC
1511 - requestForRoutine
1512 - release
1513 - requestDispatch
1514 - requestMonitorOfCircuit
1515 - routineTestFailed
1516 - lostTimerReports
1517 - historicalReports
1518 - switchOrTrunkRelated
1519 - requestTestAssist
1520 - analogTestLine
1521 - digitalTestLine
1522 - manualInterventionRequested
1600 - recovery
1601 - recoveryReport
1700 - switchedNetworkProblemsGroup
1701 - aNITimeout
1702 - extraDigit
1703 - extraPulse
1704 - falseKeyPulse
1705 - misplacedStartPulse
1706 - mutilatedDigitalGroup
1707 - noKeyPulse
1708 - partialDialTimeout
1709 - signalingNetworkFailureIncoming
1710 - stationGroupDesignationDigitFailure
1711 - aniproblem
1712 - ospsequalaccesssignaling
1713 - missingani
1714 - vacantcodeannoucenemtn
1715 - invaliddigit
1716 - highandwet
1800 - payphoneproblemgroup
1801 - nocoinreturn
1802 - coinstuck
1803 - cannotdepositcoin
1804 - coinfallthrough
1805 - coinsdonotregister
1806 - payphonedamage

---------------------------------------------------------------------------

 ______________________________________________________________________
|
| 6. c5 Trunks Today
| Written By: phractal (phractal@teamphreak.net)
| Written For: NPANXX010 (www.teamphreak.net)
| Written On: 09.10.03
|
|______________________________________________________________________|

Contents:
 -Intro
 -C5?
 -How can we bluebox from an SS7 served area?
 -Packet/MF signalling translation
 -C5 Links Today (from US)
 -Dialing Direct To Seize
 -Bouncing your Call To Seize
 -List Of Terms

   ___   ___   ___
  |1  | |2  | |3  |
  |4  | |5  | |6  |
  |7  | |8  | |9  |
  |KP | |0  | |ST |
  |KP2| |C11| |C12|

Ok, if you haven't heard about CCITT5 Trunks, I would hardly consider you an "international phreak". Basically, CCITT5 or System 5 is a software protocol used to route telephone traffic. What is interesting to phreaks is that it is an INTERNATIONAL PROTOCOL, and also it is analog. CCITT5 is the system loved by phreaks when they can get on it, because it is vulnerable and powerful.

C5?

It is a blueboxable system. If you want to learn how to bluebox it, I'm going to refer you to Echelon Magazine, which is a UK zine focused on CCITT5 blueboxing, but since it deals with international phreaking, it can be applied over here as well. You should be able to find issues in the downloads section of TeamPhreak.

How can we bluebox from an SS7 served area?

The global PSTN, which the internet actually heavily relies on, connects various continents and countries together with important gateways which then route to smaller offices.
Each country's trunking throughout its land can be organized differently for different areas. A common generic example is the T-1 trunks used in North America and Japan and the E-1 trunks used over in Europe. Switch software also varies from place to place around the globe. Because of this, gateways need to be able to 'talk' to each other and be able to translate information from digital to analog when necessary. An SS7 gateway has the capability of talking to a C5 system. When you call any of the numbers below, your digital signalling from the SS7 packets is actually converted to an analog format, into audible tones.

US Country Directs:

1-800-532-4462 China Direct (nice ringing!)
   -Live Operator
   -they hang up on me now! I call and hear "pleep!... plip!"
1-800-235-1154 Belize Direct:
   -Automated Menu
   -Press 1 for Calling Card Call
   -Press 2 for Collect or Operator (ask to speak to a technician)
1-800-680-7622 Palau Direct: (quite possibly routed via satellite)
   -NCC Palau Direct Service
   -Automated Prompt for Card #, 3 tries sucka :(
1-800-680-8363 Venezuela Direct
   -Recording, but I believe asks to dial a number in Spanish

Packet/MF Translation:

The tones they are translated to are commonly called MF tones, which are NOT the same as on the normal DTMF dialset.

   analog             digital             digital                     incoming analog
   dial DTMF tones    SS7 packets         translated to MF digits     outbound MF tones
1-800-532-4462---->C.O.----------->International Gateway------------------>Inbound C5 system

It is commonly known that there are toll free numbers called "Home Country Directs" which terminate in other countries. The previous numbers I gave you are all well-secured C5 country directs. Toll free calls to another country? Pretty nice, eh? Country Directs are heavily monitored because, keep in mind, they are still US numbers; the 1-800 number is still located in the US. Thus blueboxing off these is hard. What we are interested in are Directs that go through a C5 link.
These are clearly recognizable by their "pleep" upon pickup and hangup. But if you find a C5 link, that's only half the battle.

C5 links today:

Country Directs seem to be a waning, but ever so slowly dying, door to C5 boxing. They are nice because you need to pass through a C5 link and it's totally free :) Abuse of Country Directs has driven up monitoring and the hanging up of any call that passes "blocked tones", which would be any bluebox tones. I'm not sure if the US international gateways are doing the monitoring, or if it is a little more specific to the number itself. I know DMS-100's have BlueBox detection software to look for MF digits, but it isn't enabled by default. It is covered in an article by di9ital in Ch4x Magazine Issue 5. Most Country Directs are actually digital all the way through, to avoid any funny business to begin with. Unfortunately for phreaks, this means that calling directly to the country rather than using a 1-800 is probably going to work out better. There are countries that are C5 but have no 1-800 that takes us there, such as Libya and parts of Russia. There are even still trunks that accept incoming MF signalling INTO the United States, but there are no outgoing stations that use analog signalling anymore. The real battle seems to be getting into an analog area when it seems like most of the gateways have been made to ensure digital only signalling.

Dialing Direct To Seize:

What needs to be done is different routing. Certain routes pass through C5 while others don't. Venezuela actually has two directs, which both go to the same automated operator, but only one goes through a C5 link, as obvious by the pleep.

+1-800-488-0058 "..Bienvenidos a servicio Venezuela Direto.."
+1-800-680-8363 "PLEEP!.. Bienvenidos...."
From some beige box experience and helping myself to dial various countries, I've discovered that routes are a little more variable; sometimes I go through C5, sometimes I don't, whereas the Country Directs pretty much have set routes.

Bouncing Your Call To Seize:

You might try bouncing your call via a PBX, calling card or op that is located in another country. Other countries have country directs as well, that are toll free as well. The US and UK directs are pretty much brick walls when trying to bluebox today, but directs from other countries still offer possibilities. From Australia (CC +61) the following directs are C5:

1800881860 China Direct
1800881973 Bahrain Direct (SS7 from here) (nice ringing!)
1800881701 Russia Direct (SS7 from here)
1800881682 Cook Islands Direct
1800881688 Tuvalu Direct

All SE'd by yours truly from the lovely Australia Telstra Direct operator.

So if you wanted to attempt to seize Russia? First, lose your ANI for good measure, as once you reach inband trunks from overseas, without an ANI, it really isn't about to be found without serious tracing methods like tracing through electricity. Your call would look like:

 ______                    ___________________
| US   |--------ss7------>|Australian Outdial | (ANIF packet sent)
                                   |
                                   | ss7 (ANI of Outdial unless you diverted)
                                  \|/
                          ___________________                  ___________________
                         |Australian Gateway|------c5-------->| Russian Gateway   | (no packets sent!)

LIST OF TERMS:

ANI - Automatic Number Identification
ANIF - Automatic Number Identification Failure, 02 is sent as ANI II digits
CCITT5/C5 - Consultative Committee for International Telegraphy and Telephony #5 (outdated term, as C5 is an outdated system :))
CC - Country Code
MF Digits - MultiFrequency, audible tones used in analogue routing, can be spoofed!
SS7 - Signaling System 7, routing sent in packet form, not audibly spoofable

------------------------------------------------------------------------------------------------------

 ______________________________________________________________________
|
| 7. Sprintnet England Access Numbers
| Written By: phractal (phractal@teamphreak.net)
| Written For: NPANXX010 (www.teamphreak.net)
| Written On: 09.10.03
|
|______________________________________________________________________|

-a gift to british phreaks across the pond

+44 01256600061 basingstoke
+44 01232778605 belfast
+44 01213862713 birmingham
+44 01214541110
+44 08409000002 bristol
+44 08450900002 cambridge
+44 01227877240 canterbury
+44 01302325755 doncaster
+44 08450900002 dundee
+44 08450900001 edinburgh
+44 01392490288 exeter
+44 01415582302 glasgow
+44 01412214033
+44 08450900002 leeds/london
+44 01617949620 manchester
+44 01617941405
+44 01908200361 milton keynes
+44 01912245914 newcastle
+44 01914711889
+44 08450900002 nottingham
+44 01733394894 peterborough
+44 08450900002 portsmouth

---------------------------------------------------------------------------------------------------------------

*****************
*****The*********
**********END****
*****************

Advertisement
___________________________________________________________

Sonicwall SOHO/10 Internet Security Appliance for sale. $100 or your best offer. This internet security appliance has a 4-port 10Base-T switch built in and is a firewall with packet inspection and content filtering. This system is like new and works great. Comes with power converter. Shipping is $8. Email me if you have any questions or want to buy it.

- lnxe@charter.net
___________________________________________________________

Links of interest
=========================

www.ppchq.org
www.f41th.org
www.chaph.org
www.phonelosers.org/.net
www.hackerhost.com/lph/
www.calculatinginfinity.com

and......
UNDERGROUND NEWS NETWORK - http://UnderGroundNewsNetwork.com