----------------------------------------------------------------------
| Http://telco-inside.tk - Lecture #1 - irc.chatnet.org #blotto |
----------------------------------------------------------------------

What?  - Telco Inside Lecture #1
Who?   - Conducted by: Cuebiz
Where? - irc.chatnet.org, Channel #blotto
Why?   - To explain in "plain english" basic 5ESS and SS7 vulnerabilities
When?  - Saturday, April 6th 2002 - 10:00am PST

/* I showed up an hour late */

*** Topic is 'YES !@# The IRC lecture is HERE! Get your agendas @ Http://telco-inside.spunge.org/agenda-lecture1-5ess-ss7.txt'
[15:39] *** Cuebiz sets mode: +m
[15:39] *** bsd-jenny sets mode: -o Cuebiz
[15:40] *** bsd-jenny sets mode: +v Cuebiz
[15:40] Aight, welcome to the 1st Telco Inside lecture. As you already know, I'm Cuebiz - the main speaker that was late for his own lecture.
[15:41] For those of you who haven't gotten the programme for this lecture, I advise that you get one now @ Http://telco-inside.spunge.org/agenda-lecture1-5ess-ss7.txt
[15:42] Now, let's get down to it.
[15:42] We all know what a switch is, right?
[15:42] It's the heart of the public phone system, the network we know as the PSTN.
[15:43] It makes every connection possible. Billing, interoffice signalling, call logging, call tracing, and the like are all on some level controlled by the switch.
[15:43] When you pick up the phone and get a dialtone, it's the switch
[15:43] that made it possible for them to conduct billing and
[15:43] establish your call.
[15:44] ESS is an acronym for "Electronic Switching System", which is a trademark of AT&T. This will be one of the two main subjects of this lecture.
[15:44] The first ESS switch was put into action around 1959 over in Morris, Ill.
[15:45] Two of its main purposes were to make telephone switching more "plug n play", and to increase switch productivity.
[15:45] You see, before electronic switching, an average switch could only hold roughly about 4,300 subscribers - and that's only about 200 somethin' trunks.
[15:46] Oh, yeah; if any of you were wondering - a "trunk" is pretty much a very vast version of a regular telephone line.
[15:46] that allows switches to communicate with each other.
[15:46] It can be in one of three states:
[15:46] open (busy)
[15:47] closed (idle)
[15:47] or of course, Out of Service.
[15:47] When you pick up the phone and start dialing a number, you've just sent a message to the switch - telling it to start finding an idle trunk for you to use to place your call.
[15:48] There are several different "flavors" of trunks connected to a central office, but that's best for another lecture in itself.
[15:48] Okay, a flaw in early "analogue" switching systems was the slow signalling system that it was made for.
[15:49] Though better than the stone-aged switching systems that required manual connections made by telephone operators, their current switching technology couldn't handle the sudden rush of people subscribing for service.
[15:49] so
[15:49] to save a whole lot of $$$$ and to make a whole lot more, they started the Electronic Switching System.
[15:50] Please note that during this time, two other types of Electronic Switches had been in the making.
[15:50] like GTE's 1EAX
[15:50] and later, Northern Telecom's DMS.
[15:50] DMS is an acronym for Digital Multiplex System.
[15:51] I won't be going over them in this lecture, just thought that you guys should know that ESS wasn't the only electronic switching system of its time.
[15:51] Now, going ahead several decades,
[15:51] we'll find our current ESS foe:
[15:51] ESS #5
[15:52] which has gone a long way since it started popping up all around the US.
[15:52] 5ESS was first tested/used in 1982 after finding that the earlier 4ESS had major potential.
[15:52] Today's 5ESSs are jam-packed with modules that make
[15:52] switching easy enough for any printer monkey to run
[15:52] (well, a printer monkey with an associate's degree)
[15:52] and just as easy to maintain (well, not security wise).
[15:52] It can hold up to around 200,000 lines in an end office or
[15:53] roughly around 94,000 trunks.
[15:53] It's fast as hell compared to other switches.
[15:54] Runs off of a 3B21D processor - nothing compared to our personal computers, but switching phones doesn't take much CPU anyways.
[15:54] 5ESS has the ability to modify anything and everything, "on the fly".
[15:55] Today's CDXs or Compact Digital eXchanges (mini 5ESSs) are about 6 feet high, 3 feet wide and about 2 feet thick.
[15:55] hehe, I actually remembered those #s.
[15:55] It's 85% of the time enclosed in a neat looking blue and white locker labelled with a bunch of 5ESS and AT&T stickers.
[15:56] *BUT* regular plain 5ESS machines are generally larger but do the exact same jobs.
[15:57] Okay, it seems to be getting pretty boring.
[15:57] *** bsd-jenny sets mode: +o Cuebiz
[15:57] so I'll be opening the channel for discussion, questions.
[15:57] *** Cuebiz sets mode: -m
[15:57] okay.
[15:57] any questions?
[15:57] Nope.
[15:57] so if they put a new cpu in there say like a
[15:57] cuebiz
[15:57] send me the logs in 20 mins or so, k?
[15:58] i have to get offline
[15:58] um big one it would be a more powerful system
[15:58] aight.
[15:58] thanks
[15:58] actually, yeah.
[15:58] http://www.ppchq.org/pictures.html has some interesting pictures towards the bottom of an AT&T 5ESS switch
[15:58] why don't they just do that?
[15:58] but the operating system itself was made for the processor they use.
[15:58] the 3B2*D
[15:59] the * could either be a 0 or 1
[15:59] how hard would it be to make a new OS?
[15:59] pretty hard, seeing that the ESS OS is about several billion lines of code.
[15:59] herrrrm
[15:59] decades of modified code.
[15:59] yikes :/
[15:59] but they should have thought about it beforehand.
[15:59] that sucks
[16:00] now they're stuck with that type of architecture.
[16:00] Lower level language or higher? Probably lower since it's ancient?
[16:00] hmmm
[16:00] C code.
[16:00] Rather, the other way around.
[16:00] Nice.
[16:00] competition could just do the same thing and make it better
[16:00] there goes their business
[16:00] exactly.
[16:00] but I guess no one's thought of it yet.
[16:01] =/
[16:01] i did
[16:01] hehe. yeah - because we're generally smarter than they are.
[16:01] well what if i started working for them and got their OS's source code
[16:02] and made it better and for a diff processor and made my own business
[16:02] um wait i have no point
[16:02] it'd take forever to look through it all ... but you *could* do that in theory.
[16:02] and take AT&T outta business with a better *cheaper* switch.
[16:03] right that would be fun
[16:03] okay.
[16:03] how long do you think it would take?
[16:03] years
[16:03] decades?
[16:03] probably decades.
[16:03] i can't imagine anything like that taking more than three years
[16:03] shit
[16:04] okay.
[16:04] next!
[16:04] but then again i can't even make my own boot disks
[16:04] hehe.
[16:04] :)
[16:04] *** Cuebiz sets mode: +m
[16:05] If the heart of telephone switching is the switch (in this case our beloved, soon to be outta business 5ESS *joke*),
[16:05] then a main vein would definitely be the SMs,
[16:05] or switching modules,
[16:05] which, in a nutshell, terminate trunks after use and perform time switching.
[16:06] The most recent SM is known as SM-2000.
[16:06] pretty clever, huh?
[16:07] which supports up to 30,000 time slost (the older 5ESSs only handle about 600) and is based on a Motorola 68060 processor (it has its own processor so it doesn't have to rely on the main switch processor).
[16:07] slost = slots.
[16:07] doh!
[16:08] ESS hardware is especially complex, and not very well taught on IRC, so I won't go much further than this.
[16:08] The basic components would be (of course), the SMs, the switch module, the switch terminal (the computers that allow you to send input commands to the switch),
[16:08] AMA (automatic message accounting) units
[16:09] which pretty much log calls for billing purposes or legal matters,
[16:09] the Message Switch, which acts as a relay between the processor and everything else,
[16:09] the IOP or Input/Output Processor,
[16:09] the ROP,
[16:09] better known as the Read Only Printer,
[16:10] just a regular shitty printer
[16:10] made for making print outs,
[16:10] the NCLK or network clock,
[16:10] and of course, its tape drives.
[16:10] High level, low level, and special level.
[16:10] It's obviously more complex than that,
[16:10] but I'll explain more in a text file where I can draw out pretty ASCII art pictures and stuff.
[16:10] So, this is pretty much how it's stacked up:
[16:11] [ OSS link ] ---> [ I/O processor ] ---> [ AMA ] --->
[16:11] [Message Switch] ---> [Switching module ] ---> ROP/TAPE/TTY/ETC
[16:12] The software for 5ESS is distributed in "packages".
[16:12] The last I've checked we're still somewhere around package 5e9(*).
[16:12] Programmer's background info on ESS code:
[16:12] just a bit of infoz.
[16:12] ;)
[16:13] The 5ESS source code is divided into a lot of sub-systems, which is
[16:13] again divided into a set of modules, and each module contains a number
[16:13] of source code files.
[16:13] Everything is maintained by the SCCS or Source Code Control System.
[16:13] The 5ESS programmers (tons of people, I am sure of it) work within VE or
[16:14] Version Editor. This piece of software makes viewing the 5ESS C source
[16:14] WAY easier.
[16:14] Now, every time they modify 5ESS code,
[16:14] to make things more organized,
[16:15] they'll mark it.
[16:15] just FYI.
[16:15] like this bunch of code:
[16:15] routing = GetRoute();
[16:15] #version (4A)
[16:15] dest = GetDest(routing);
[16:15] if (dest.port == 0)
[16:15]     return(ConnectLocal(routing));
[16:15] #endversion (4A)
[16:15] Connect(routing);
[16:16] Which doesn't really do much, but you can see how the format goes
[16:16] when they're modifying code.
[16:16] They start a modify with #version (version #)
[16:16] and end it with #endversion (version #).
[16:16] I just thought that you guys would like to know that.
[16:16] :)
[16:16] Okay, now onto DMERT.
[16:17] Which is another telco acronym for Duplex Multiple Environment Real Time Operating System,
[16:17] also known as Unix Real Time Reliable,
[16:17] or as some of you may know it, "AT&T Unix".
[16:17] DMERT has its own set of commands, very similar to its System V relative.
[16:18] So if you know "Unix" you'll take to DMERT like a fish to water.
[16:18] To get to the DMERT shell, on the Recent Change/Verify channel, you could type "RCV:MENU:SH!" at the CRAFT shell (discussed next).
[16:19] As most of you may know, 5ESS is broken into separate "channels", of which each channel has its own "job".
[16:19] So, say that you find a telco dialup, it *could* end up on a 5ESS channel,
[16:20] formally known as a 5ESS TTY.
[16:20] So, once dialing into a channel (you could also connect via X.25 - ie: SprintNet),
[16:20] that's all you're getting.
[16:20] You can't jump into another channel.
[16:20] The TEST channel is one of my favorites,
[16:21] seeing that it's one of the only channels that have OSSs that don't need to be operated via a computer.
[16:21] like DATU, via the No-Test Trunk.
[16:21] If you don't know what DATU is by now, I propose that you recognize !@#
[16:21] Check out my file I wrote on it, Http://telco-inside.spunge.org/files/oh_datu.txt
[16:22] No-Test Trunk - or Number Test Trunk -
[16:22] is a trunk that allows the switch to drop on a specific line to connect a testing device such as DATU.
[16:22] LMOS: is an acronym for "Loop Maintenance and Operations System".
[16:23] Its job is to help handle problems that occur with subscriber loops.
[16:23] So getting access to LMOS would allow you to view past and present line trouble of a specific subscriber,
[16:23] along with a bit of specifics on the line itself
[16:23] (ie: if it's a POTS line or SS line, etc).
[16:24] It's closely tied in with MLT or Mechanized Loop Testing System.
[16:24] This system (as mentioned before) works closely with LMOS; but MLT is the software itself that coordinates the actual testing,
[16:25] as LMOS just displays results of these (and other) tests.
[16:25] MLT can be run via its Web-GUI front end to test POTS, ISDN, and xDSL lines.
[16:25] If you didn't know, POTS stands for Plain Old Telephone Service.
[16:25] Now, BLV.
[16:26] stands for Busy Line Verify,
[16:26] and it's the trunk that operators use to do busy interrupts
[16:26] and busy line verifies.
[16:26] I'll be discussing how to control BLV trunks next week when I'll be talking about blueboxing (from top to bottom).
[16:26] so don't worry about this until next week.
[16:27] RC/V or Recent Change/Verify is one of the neatest things that I've ever seen.
[16:27] Upon connecting to a RC/V (via X.25 or the PSTN) you'll either be stopped by a prompt that asks for your "Account Name" or you'll be dropped into the CRAFT shell,
[16:27] the RC/V command prompt,
[16:27] which is simply a
[16:27] <
[16:28] From the CRAFT shell, you can pretty much control everything good about the 5ESS,
[16:28] such as its feature tables (CLASS services such as call forwarding and CLID),
[16:28] trunk routing codes, and the like.
[16:29] If you haven't read my post to alt.phreaking, then here's a good scenario of what one could do with access to the 5ESS via the RC/V port.
[16:29] Let's say that you had my phone number.
[16:29] okay?
[16:29] and you also had access to the 5ESS switch that covered my area.
[16:29] Now, by getting access to RC/V on my area's switch,
[16:29] which also happens to have a No-Test Trunk,
[16:29] you could do the following:
[16:30] 1. assign the BLV trunk to the chart column value of an OOS (out of service) number.
[16:30] then
[16:30] 2. call forward the OOS (now active) number to *MY* phone number.
[16:30] Now, by calling the OOS number,
[16:30] you could listen to what's happening on *MY* phone line.
[16:30] A successful tap.
[16:30] This exploit still works as of today.
[16:30] No patch has been made.
[16:30] =/
[16:31] So they pretty much just have to watch their BLV trunks,
[16:31] if they have any.
[16:31] Once again, I am opening up the channel for questions,
[16:31] discussions,
[16:31] etc.
[16:31] *** Cuebiz sets mode: -m
[16:31] damn.
[16:31] everyone like, left
[16:32] is it that boring?
[16:32] Nah, we're listening.
[16:32] no, heh
[16:32] *** USE.ChatNet.Org sets mode: +m
[16:32] cool.
[16:32] any questions?
[16:34] *** Cuebiz sets mode: -m
[16:35] * HoppingGoblin kicks use.chatnet.org
[16:36] no questions?
[16:36] +m time.
[16:36] *** Cuebiz sets mode: +m
[16:37] Now, we're going to move into SS7,
[16:37] which should be a lecture in itself,
[16:37] but I'll give it the best I've got for the remaining time that we have.
[16:37] SS7 stands for Signalling System 7,
[16:37] which is the type of inter-office signalling that all of us in the United States are utilizing.
[16:38] So, if you're in the US, you're using SS7.
[16:38] SS7 is Common Channel Signalling at its prime.
[16:39] Signalling takes place via data lines and voice is carried via well ... voice!
[16:39] You see, the problem back when we ran System R1 was that signalling and voice took place via voice lines,
[16:39] which meant *you* could hear your central office talking to your buddy's central office.
[16:39] Obviously, if *we* can hear it, *we* can imitate it,
[16:39] which brought about blueboxers.
[16:40] but that's next week.
[16:40] so I won't be talking about blueboxing.
[16:40] Nowadays, central offices speak to one another via T1 lines on X.25 data networks.
[16:40] Originally, SS7 was meant to be used by a small, closed community,
[16:41] *but* due to the abuse of System R1, they decided to move in for the kill.
[16:42] Now, they lease out SS7 connections to anyone with the right sized pocket book
[16:42] (ie: D channel ISDN).
[16:42] Signalling via X.25 goes through several "gate-ways"
[16:42] or "nodes"
[16:42] as we call them
[16:42] to get to its destination point.
[16:42] Each node has its own point code
[16:42] to identify itself.
[16:42] Difficulty level of imitating these point codes: trivial.
[16:43] hehe, okay; here's another crappy ASCII diagram of how it's all stacked up.
[16:43] [SCP]=[OSS]--->[SSP]--->{[STP]=[STP]}--->[SCP]=[OSS]
[16:43] SCP stands for Service Control Points.
[16:43] They're essentially OSS links.
[16:44] No signal will go from one OSS to another without first reaching an SCP.
[16:44] oh wait!
[16:44] hehe, I am getting ahead of myself.
[16:44] OSS stands for Operations Support System.
[16:44] It's a device,
[16:44] ie: a computer,
[16:44] that interacts with the switch's processor.
[16:44] Some common OSSs are MLT,
[16:44] LMOS,
[16:44] MARCH,
[16:44] SARTS,
[16:45] etc.
[16:45] most of which I've already discussed.
[16:45] The SS7 protocol is hard to explain.
[16:45] There's the stack,
[16:45] which pretty much defines the procedures
[16:45] that everything must go through.
[16:45] For those of you interested,
[16:45] here's what the stack should look like,
[16:45] in ASCII form:
[16:46] [TUP] [ISUP] [TCAP]
[16:46] [SCCP]
[16:46] [ MTP Level 3 ]
[16:46] [ MTP Level 2 ]
[16:46] [ MTP Level 1 ]
[16:46] hehe
[16:46] MTP, or Message Transfer Protocol 1-3,
[16:46] just defines electrical characteristics
[16:47] of the signalling line and interfaces used in the network.
[16:47] hehe, important - but boring.
[16:47] ISUP.
[16:47] The "ISDN User Part" provides connection related services
[16:47] in SS7 networks.
[16:47] It sets up and breaks down connections between offices/exchanges.
[16:47] It's like ueber-TUP.
[16:47] TUP,
[16:47] or Telephone User Part,
[16:48] handles regular call setup and breakdowns.
[16:48] It's not as k-rad as ISUP, but it suffices with SS7.
[16:48] If you want to read more about it, go to:
[16:48] Http://support.dialogic.com/ss7/SS7tutorial/tutorial.html
[16:48] Attacking vulnerable SS7 nodes is just as cool as phone tapping via RC/V.
[16:49] Let's say that you wanted to modify LIDBs or Line Information Databases, which are held on SCP nodes.
[16:49] You could (in theory) rent an ISDN line
[16:49] and imitate SS7 TCAP requests for users' calling card PINs
[16:49] and get it!
[16:49] The same could be done with requesting other information.
[16:50] okay, I've been blabbing for about 50 minutes already.
[16:50] bleh.
[16:50] oh, yesterday
[16:50] I was talking to Urmel (kick ass programmer)
[16:50] and he let me in on some really cool VoIP vulnerability concepts.
[16:50] and well,
[16:50] I guess I'll share some of it with you two.
[16:50] :-)
[16:51] Now, SS7/5ESSs are already set up for use of VoIP in residentials.
[16:51] If anyone didn't know, VoIP stands for Voice Over IP.
[16:51] Cheaper means of talking.
[16:51] not really better.
[16:51] *but* with VoIP phones, you could d0s someone's phone.
[16:52] really!
[16:52] memset(query_string, 0x1, 256);
[16:52] query_string[256]=0x0;
[16:52] write(sock, query_string, sizeof(query_string));
[16:52] The above code actually defines attacking the HTTP server on someone's phone - causing denial of service.
[16:53] Now, the phone's HTTP server's remote management interface sends its password IN PLAIN TEXT!
[16:53] leaving it open for password sniffing,
[16:53] or even audio sniffing.
[16:53] that's right.
[16:54] a phone tapping vulnerability, again.
[16:54] By using libcap, it's very possible to sniff out unprotected RTP payloads to play back captured audio of a specific person's conversation.
[16:55] oh well, that's about it
[16:55] for this lecture.
[16:55] I am getting edgy without a cigarette.
[16:55] I'd like to thank you guys for showing up,
[16:56] and those of you who are going to be reading the logs who showed up but left.
[16:56] Anywho, I'll once again be opening up the channel
[16:56] for questions, comments, whatever.
[16:56] *** Cuebiz sets mode: -m
[16:56] ::claps:: thanks for taking the time to do this cuebiz :D hope you'll do more!
[16:56] if anyone has any.
[16:56] yea
[16:56] very informative
[16:56] yeah
[16:57] from what i read it looked good
[16:57] i wanna read the log though
[16:57] it's a huge chunk and it's gonna need some digesting
[16:58] yeah, it's kinda a lot.
[16:58] ::ending logging::
Session Close: Sat Apr 06 16:58:28 2002

** IRC logs sent in by: HoppingGoblin (Thanks dude!) **

/* Cuebiz's Comments: "And fuck 5-0 (pow pow) - turn 'em into 49'ers" */