
SS7 ISUP number delivery fields


23 replies to this topic

#1 Strom Carlson

Strom Carlson

    Nub

  • Members
  • 2,575 posts
  • Gender:Male
  • Location:Los Angeles

Posted 17 July 2005 - 03:13 PM

I finally got my hands on the official Telcordia specification for SS7 ISUP, so this should clear up a lot of general confusion with regards to number delivery.

In the ISUP IAM (Initial Address Message), there are the following fields for number delivery (this is not a complete list, but nonessential parameters of the number fields are being left out for the sake of simplicity):

• Called Party Number
• Charge Number
• Originating Line Information Parameter
• Calling Party Number
• Original Called Number
• Redirecting Number

Called Party Number is the only mandatory field; the rest are optional.

Charge Number is the field from which ANI is derived (ANI is a generic term, whilst Charge Number is the specific implementation in SS7 ISUP; the relationship between Charge Number and ANI appears to be similar to the relationship between Calling Party Number and Caller ID. Note that ANI is never transmitted across the network; only Charge Number is sent, and ANI is derived from that within the switch or AMA equipment).

OLIP is the field which contains, among other things, a binary representation of the II digits (class of service) of the originating line.

Calling Party Number is the number of the calling party, and can be set as either "Network Provided" on calls originating from POTS lines, or as "Customer Provided" on calls originating from a PRI where the customer's station equipment specifies the Calling Party Number to the switch. If Calling Party Number and Charge Number are identical, Charge Number is omitted from the IAM.

Original Called Number and Redirecting Number are only used in cases of call forwarding.
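
The post above describes the IAM number fields in prose; this added example (not part of the original post and not taken from the Telcordia document) decodes the optional-parameter part of an IAM and applies the stated rule that ANI falls back to Calling Party Number when Charge Number is omitted. Assumptions: the parameter codes and the address-parameter layout are the ANSI ISUP ones as commonly documented, the function names are hypothetical, and the sample bytes are constructed; the mandatory Called Party Number sits outside the optional part and is not parsed here.

```python
# Added example. Parameter codes are ANSI ISUP values; they are not quoted in the thread.
PARAMS = {0x0A: "calling_party_number", 0xEB: "charge_number",
          0xEA: "originating_line_info", 0x28: "original_called_number",
          0x0B: "redirecting_number"}
SCREENING = {0: "customer provided, not screened", 1: "customer provided, screening passed",
             2: "customer provided, screening failed", 3: "network provided"}

def bcd_digits(content):
    """Address parameter: two indicator octets, then BCD digits, low nibble first."""
    if len(content) < 2:
        raise ValueError("address parameter shorter than its indicator octets")
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in content[2:])
    # Odd/even bit set means the final high nibble is filler, not a digit.
    return digits[:-1] if content[0] & 0x80 and digits else digits

def parse_optional(buf):
    """Walk code/length/content triples until the 0x00 end-of-parameters octet."""
    out, i = {}, 0
    while i < len(buf) and buf[i] != 0x00:
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError(f"truncated parameter at offset {i}")
        name, content = PARAMS.get(buf[i]), buf[i + 2:i + 2 + buf[i + 1]]
        if name == "originating_line_info":
            if len(content) != 1:
                raise ValueError("OLIP must be exactly one octet")
            out["ii_digits"] = f"{content[0]:02d}"   # binary value of the II digits
        elif name:
            out[name] = bcd_digits(content)
            if name == "calling_party_number":
                out["cpn_screening"] = SCREENING[content[1] & 0x03]
        i += 2 + buf[i + 1]
    return out

def number_delivery(buf):
    """Apply the rules from the post to the decoded fields."""
    f = parse_optional(buf)
    # Charge Number is omitted when identical to CPN, so ANI falls back to CPN.
    f["ani"] = f.get("charge_number", f.get("calling_party_number"))
    f["ani_differs_from_cpn"] = f["ani"] != f.get("calling_party_number")
    f["forwarded"] = "redirecting_number" in f or "original_called_number" in f
    return f

# Constructed samples (555 numbers), not captured traffic.
SAMPLE_WITH_CN = bytes.fromhex("0a0703101252551000" "eb0703101350551099" "ea013d" "00")
SAMPLE_CPN_ONLY = bytes.fromhex("0a0703131252551000" "ea0100" "00")

if __name__ == "__main__":
    for sample in (SAMPLE_WITH_CN, SAMPLE_CPN_ONLY):
        print(number_delivery(sample))
```

A receiver that logs `ani_differs_from_cpn` and `cpn_screening` together can tell a customer-provided Calling Party Number apart from the number the call is actually billed to.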

#2 LexDysic

LexDysic

    DDP Fan club member

  • Members
  • 57 posts

Posted 17 July 2005 - 03:19 PM

Thank you... I was just searching for that same info...

#3 darkslider

darkslider

    Gibson Hacker

  • Members
  • 93 posts

Posted 17 July 2005 - 03:25 PM

Finally, finally, finally! I personally have been looking for the information forever, and it will definitely clear up some confusion. Thanks, this is the most useful thing I've seen in a really long time. :heart:

#4 GIJoe

GIJoe

    0v3n /\/\1tt

  • Agents of the Revolution
  • 2,020 posts
  • Gender:Male

Posted 17 July 2005 - 09:44 PM

Strom, I don't know what it took for you to get that, but THANK YOU

#5 Strom Carlson

Strom Carlson

    Nub

  • Members
  • 2,575 posts
  • Gender:Male
  • Location:Los Angeles

Posted 17 July 2005 - 10:42 PM

> Strom, I don't know what it took for you to get that, but THANK YOU

Well, I can't tell you specifically, but it involved five cats, a chocolate bar, a chain-link fence, and two litres of extra-virgin olive oil.

#6 downtime

downtime

    SCRiPT KiDDie

  • Members
  • 27 posts

Posted 17 July 2005 - 11:39 PM

:o

#7 Alkali Jack

Alkali Jack

    SUP3R 31337

  • Members
  • 187 posts

Posted 18 July 2005 - 07:19 PM

>> Strom, I don't know what it took for you to get that, but THANK YOU
>
> Well, I can't tell you specifically, but it involved five cats, a chocolate bar, a chain-link fence, and two litres of extra-virgin olive oil.


Allow me to advance a theory.

First, Strom identifies a business with the appropriate Telcordia Licensing Agreement, in addition to a security guard who is a 'cat person.' We will call this business DocSource, Inc. He then calls the security guard on the phone, posing as a momma cat. The momma cat (who, remember, is really Strom) explains that she has an obligation to teach her kittens how to hunt, and that the area inside of the DocSource industrial campus is ideal for this activity. Furthermore, the momma cat elaborates, by setting up a chain-link fence around this hunting ground, DocSource is disturbing the local ecosystem and could incur major liability costs. The security guard gets really worried, and offers to let the cat and her babies in to hunt, despite the official corporate policy on cat hunting, because he is a 'cat person.' A fine social engineer, this Mr. Carlson is.

Next, Strom covers his naked body in the first litre of olive oil and puts fluffy chocolate bar shavings all over himself. He then releases the five cats in the direction of the front gate, staying low and blending in among them. The security personnel in the guard shack have no chance to identify Strom in his clever animal disguise, especially in the herd of cats.

Of course, once he's in, Strom has access to the internal DocSource network, and can view Telcordia documents that the company will have made available to employees as pursuant to the standard Telcordia Licensing Agreement. He finds the SS7 ISUP document, emails it to himself, then soaks the DocSource building in the second litre of olive oil and lights it on fire to cover his tracks and make the break-in look like everyday arson. No one would be the wiser. Well played, Mr. Carlson.

Or at least that's what I think happened. Any other ideas?

#8 natas

natas

    De La Natas

  • Agents of the Revolution
  • 4,273 posts
  • Gender:Male
  • Location:The Old Skool

Posted 18 July 2005 - 07:37 PM

Thanks for sharing all the info with us though. First you set us straight with CPN and now CN.

#9 spoekalb

spoekalb

    DDP r0x0rz my s0x0rz

  • Agents of the Revolution
  • 1,280 posts
  • Gender:Male

Posted 18 July 2005 - 08:57 PM

I think a lot of people are going to have to rethink their ideas on how this all works. Thanks for dropping that one Strom.

#10 Royal

Royal

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 431 posts
  • Gender:Male
  • Location:Massachusetts

Posted 19 July 2005 - 09:50 PM

Well this definitely clears up a ton of confusion in the past several years of understanding these packets of information sent along in SS7, that being ANI, Calling Party Number, Charge Number, and the so called "forward tag" (what seems to really be based on Original Called Number and Redirecting Number). Now if we could just spoof CLASS of service.....

#11 Strom Carlson

Strom Carlson

    Nub

  • Members
  • 2,575 posts
  • Gender:Male
  • Location:Los Angeles

Posted 19 July 2005 - 10:47 PM

> Well this definitely clears up a ton of confusion in the past several years of understanding these packets of information sent along in SS7, that being ANI, Calling Party Number, Charge Number, and the so called "forward tag" (what seems to really be based on Original Called Number and Redirecting Number). Now if we could just spoof CLASS of service.....

well, Class of Service and CLASS (Custom Local Area Signaling Services) are two entirely different things...which are you talking about?

#12 spoekalb

spoekalb

    DDP r0x0rz my s0x0rz

  • Agents of the Revolution
  • 1,280 posts
  • Gender:Male

Posted 20 July 2005 - 02:05 AM

http://ss7parser.com/

#13 Royal

Royal

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 431 posts
  • Gender:Male
  • Location:Massachusetts

Posted 20 July 2005 - 03:11 AM

>> Well this definitely clears up a ton of confusion in the past several years of understanding these packets of information sent along in SS7, that being ANI, Calling Party Number, Charge Number, and the so called "forward tag" (what seems to really be based on Original Called Number and Redirecting Number). Now if we could just spoof CLASS of service.....
>
> well, Class of Service and CLASS (Custom Local Area Signaling Services) are two entirely different things...which are you talking about?

I meant CLASS of service. Basically the ANI-II digits that represent the type of phone/phone line being used. I've heard test numbers such as 1-800-555-1170 which will ask you for test II digits, among other pieces of information such as test ANI, test DNIS, etc. A lot of us in the scene have always wondered if that would spoof the ANI-II digits if it directed your call to another destination other than that bank that it calls.

#14 Strom Carlson

Strom Carlson

    Nub

  • Members
  • 2,575 posts
  • Gender:Male
  • Location:Los Angeles

Posted 20 July 2005 - 07:50 AM


>> well, Class of Service and CLASS (Custom Local Area Signaling Services) are two entirely different things...which are you talking about?
>
> I meant CLASS of service. Basically the ANI-II digits that represent the type of phone/phone line being used. I've heard test numbers such as 1-800-555-1170 which will ask you for test II digits, among other pieces of information such as test ANI, test DNIS, etc. A lot of us in the scene have always wondered if that would spoof the ANI-II digits if it directed your call to another destination other than that bank that it calls.

OK - if you're talking about Class of Service, you don't put Class in all-caps, because CLASS indicates a group of custom calling features (caller ID, caller ID with name, call waiting, voicemail, and so on). I don't know if there's an equivalent to the OLIP field in the ISDN SETUP message; if there is, then II digits might be easy to spoof. Time to drag out my ISDN book I guess :)

#15 darkslider

darkslider

    Gibson Hacker

  • Members
  • 93 posts

Posted 21 July 2005 - 03:10 PM

On ss7parser, I cannot find certain fields in the ISUP IAM message which relate to II digits. I've scoured the entire packet with a friend to no avail. Most likely the packets from ss7parser have been recreated from the recommendations and are not actual packets, but now I am insanely curious about where the II digits are located, and in which message. Are the II digits tacked onto the header in a separate process, message, or location? Are there unlimited 'redirect' fields? I noticed the IAM message counts how many times your call has been "redirected" (forwarded?), and lists the numbers from which you have been redirected.

#16 natas

natas

    De La Natas

  • Agents of the Revolution
  • 4,273 posts
  • Gender:Male
  • Location:The Old Skool

Posted 21 July 2005 - 03:25 PM

from what i understand the ii digits aren't in the IAM. look through the data available for "ChargePartyStationType". i believe that's the ii digits field.

#17 Strom Carlson

Strom Carlson

    Nub

  • Members
  • 2,575 posts
  • Gender:Male
  • Location:Los Angeles

Posted 21 July 2005 - 03:50 PM

> from what i understand the ii digits aren't in the IAM. look through the data available for "ChargePartyStationType". i believe that's the ii digits field.

The II digits are transmitted in the Originating Line Information Parameter (OLIP) of the IAM.

#18 Royal

Royal

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 431 posts
  • Gender:Male
  • Location:Massachusetts

Posted 22 July 2005 - 03:37 AM

Until we find a way of spoofing any Class of service, that meaning ANI-II digits, we can still manipulate it a little for now with call forwarding. The key thing to keep in mind is that most of the time, in the process of call forwarding, the CPN passes and the ANI/Charge Number (CN) remains the call forwarding number (the number that is forwarding your call). Well, one other thing that seems to pass from the call forwarding number are the ANI-II digits.
As an example, a few of us forwarded someone's cell phone to Strom's CPN and ANI-II digit reading ANAC. Then we spoofed a specific CPN to the cell phone; in this example we'll say it was 617-723-1234. Keeping in mind that cell phones' II digits are usually 61/62/63, the ANAC read ANI-II digits 61/62/63 (I forget which exact II digits it was) along with the spoofed CPN of 617-723-1234. So basically the CPN became known as a cell phone even though it was not.

#19 BlackRatchet

BlackRatchet

    Dangerous free thinker

  • Agents of the Revolution
  • 1,837 posts
  • Location:617/508

Posted 22 July 2005 - 12:42 PM

Doesn't Asterlink allow you to set CoS?

#20 lucky225

lucky225

    Mack Daddy 31337

  • Banned
  • 213 posts
  • Location:PO BOX 1111 Guasti, California 91743-1111

Posted 23 July 2005 - 02:29 PM

SS7 Passes information that the call WAS CALL FORWARDED, and where it was call forwarded from so not much reason to use call forwarding. For example when you call my Broadvoice # and it's forwarded to my cell my cell's caller ID display says 'NPA-XXX-XXXX From Call Forwarding'

> Until we find a way of spoofing any Class of service, that meaning ANI-II digits, we can still manipulate it a little for now with call forwarding. The key thing to keep in mind is that most of the time, in the process of call forwarding, the CPN passes and the ANI/Charge Number (CN) remains the call forwarding number (the number that is forwarding your call). Well, one other thing that seems to pass from the call forwarding number are the ANI-II digits.
> As an example, a few of us forwarded someone's cell phone to Strom's CPN and ANI-II digit reading ANAC. Then we spoofed a specific CPN to the cell phone; in this example we'll say it was 617-723-1234. Keeping in mind that cell phones' II digits are usually 61/62/63, the ANAC read ANI-II digits 61/62/63 (I forget which exact II digits it was) along with the spoofed CPN of 617-723-1234. So basically the CPN became known as a cell phone even though it was not.





