23 replies to this topic

[Strom Carlson]

I finally got my hands on the official Telcordia specification for SS7 ISUP, so this should clear up a lot of general confusion with regards to number delivery.

In the ISUP IAM (Initial Address Message), there are the following fields for number delivery (this is not a complete list, but nonessential parameters of the number fields are being left out for the sake of simplicity):

• Called Party Number
• Charge Number
• Originating Line Information Parameter
• Calling Party Number
• Original Called Number
• Redirecting Number

Called Party Number is the only mandatory field; the rest are optional.

Charge Number is the field from which ANI is derived (ANI is a generic term, whilst Charge Number is the specific implementation in SS7 ISUP; the relationship between Charge Number and ANI appears to be similar to the relationship between Calling Party Number and Caller ID. Note that ANI is never transmitted across the network; only Charge Number is sent, and ANI is derived from that within the switch or AMA equipment).

OLIP is the field which contains, among other things, binary representation of the II digits (class of service) of the originating line.

Calling Party Number is the number of the calling party, and can be set as either "Network Provided" on calls originating from POTS lines, or as "Customer Provided" on calls originating from a PRI where the customer's station equipment specifies the Calling Party Number to the switch. If Calling Party Number and Charge Number are identical, Charge Number is omitted from the IAM.

Original Called Number and Redirecting Number are only used in cases of call forwarding.

[LexDysic]

Thank you... I was just searching for that same info...

[darkslider]

Finally, finally, finally! I personally have been looking for the informaiton forever,
and it will definitely clear up some confusion. Thanks, this is the most usefull thing I've seen in a really long time.

[GIJoe]

Strom, I don't know what it took for you to get that, but THANK YOU

[Strom Carlson]

Strom, I don't know what it took for you to get that, but THANK YOU

Well, I can't tell you specifically, but it involved five cats, a chocolate bar, a chain-link fence, and two litres of extra-virgin olive oil.

[downtime]

[Alkali Jack]

Strom, I don't know what it took for you to get that, but THANK YOU

Well, I can't tell you specifically, but it involved five cats, a chocolate bar, a chain-link fence, and two litres of extra-virgin olive oil.

Allow me to advance a theory.

First, Strom identifies a business with the appropriate Telcorida Licensing Agreement, in addition to a security guard who is a 'cat person.' We will call this business DocSource, Inc. He then calls the security guard on the phone, posing as a momma cat. The momma cat (who, remember, is really Strom) explains that she has an obligation to teach her kittens how to hunt, and that the area inside of the DocSource industrial campus is ideal for this activity. Furthermore, the momma cat elaborates, by setting up a chain-link fence around this hunting ground, DocSource is disturbing the local ecosystem and could incur major liability costs. The security guard gets really worried, and offers to let the cat and her babies in to hunt, despite the official corporate policy on cat hunting, because he is a 'cat person.' A fine social engineer, this Mr. Carlson is.

Next, Strom covers his naked body in the first litre of olive oil and puts fluffy chocolate bar shavings all over himself. He then releases the five cats in the direction the front gate, staying low and blending in among them. The security personnel in the guard shack have no chance to identify Strom in his clever animal disguise, especially in the heard of cats.

Of course, once he's in, Strom has access to the internal DocSource network, and can view Telcordia documents that the company will have made available to employees as pursuant to the standard Telcordia Licensing Agreement. He finds the SS7 ISUP document, emails it to himself, then soaks the DocSource building in the second litre of olive oil and lights it on fire to cover his tracks and make the break-in look like everyday arson. No one would be the wiser. Well played, Mr. Carlson.

Or at least that's what I think happened. Any other ideas?

[natas]

Thanks for sharing all the info with us though. First you set us straight with CPN and now CN.

[spoekalb]

I think a lot of people are going to have to rethink their ideas on how this all works. Thanks for dropping that one Strom.

[Royal]

Well this definitely clears up a ton of confusion in the past several years of understanding these packets of information sent along in SS7, that being ANI, Calling Party Number, Charge Number, and the so called "forward tag" (what seems to really be based on Original Called Number and Redirecting Number). Now if we could just spoof CLASS of service.....

[Strom Carlson]

Well this definitely clears up a ton of confusion in the past several years of understanding these packets of information sent along in SS7, that being ANI, Calling Party Number, Charge Number, and the so called "forward tag" (what seems to really be based on Original Called Number and Redirecting Number).  Now if we could just spoof CLASS of service.....

well, Class of Service and CLASS (Custom Local Area Signaling Services) are two entirely different things...which are you talking about?

[spoekalb]

http://ss7parser.com/

[Royal]

Well this definitely clears up a ton of confusion in the past several years of understanding these packets of information sent along in SS7, that being ANI, Calling Party Number, Charge Number, and the so called "forward tag" (what seems to really be based on Original Called Number and Redirecting Number).  Now if we could just spoof CLASS of service.....

well, Class of Service and CLASS (Custom Local Area Signaling Services) are two entirely different things...which are you talking about?

I meant CLASS of service. Basically the ANI-II digits that represent the type of phone/phone line being used. I've heard test numbers such as 1-800-555-1170 which will ask you for test II digits, among other pieces of information such as test ANI, test DNIS, etc. A lot of us in the scene have always wondered if that would spoof the ANI-II digits if it directed your call to another destination other than that bank that it calls.

[Strom Carlson]

well, Class of Service and CLASS (Custom Local Area Signaling Services) are two entirely different things...which are you talking about?

I meant CLASS of service. Basically the ANI-II digits that represent the type of phone/phone line being used. I've heard test numbers such as 1-800-555-1170 which will ask you for test II digits, among other pieces of information such as test ANI, test DNIS, etc. A lot of us in the scene have always wondered if that would spoof the ANI-II digits if it directed your call to another destination other than that bank that it calls.

OK - if you're talking about Class of Service, you don't put Class in all-caps, because CLASS indicates a group of custom calling features (caller ID, caller ID with name, call waiting. voicemail, and so on). I don't know if there's an equivalent to the OLIP field in the ISDN SETUP message; if there is, then II digits might be easy to spoof. Time to drag out my ISDN book I guess

[darkslider]

On ss7parser, I cannot find certain fields in the ISUP IAM message which
relate to II digits. I've scoured the entire packet with a friend to no avail.
Most likely the packets from ss7parser have been recreated from
the recommendations and are not actual packets, but now I am insanely curious about where the II digits are located, and in which message.
Are the II digits tacked onto the header in a seperate process,
message, or location? Are there unlimited 'redirect' fields? I noticed the IAM message counts how many times your call has been "rediected" (forwarded?), and lists the numbers from which you have been redirected.

[natas]

from what i understand the ii digits arent in the IAM. look through the data available for "ChargePartyStationType". i believe thats the ii digits field.

[Strom Carlson]

from what i understand the ii digits arent in the IAM. look through the data available for "ChargePartyStationType". i believe thats the ii digits field.

The II digits are transmitted in the Originating Line Information Paramter (OLIP) of the IAM.

[Royal]

Until we find a way of spoofing any Class of service, that meaning ANI-II digits, we can still manipulate it a little for now with call forwarding. The key thing to keep in mind is that most of the time, in the process of call forwarding, the CPN passes and the ANI/Charge Number (CN) remains the call forwarding number (the number that is forwarding your call). Well, one other thing that seems to pass from the call forwarding number are the ANI-II digits.
As an example, a few of us forwarded someone's cell phone to Strom's CPN and ANI-II digit reading ANAC. Then we spoofed a specific CPN to the cell phone; in this example we'll say it was 617-723-1234. Keeping in mind that cell phones' II digits are usually 61/62/63, the ANAC read ANI-II digits 61/62/63 (I forget which exact II digits it was) along with the spoofed CPN of 617-723-1234. So basically the CPN became known as a cell phone even though it was not.

[BlackRatchet]

Doesn't Asterlink allow you to set CoS?

[lucky225]

SS7 Passes information that the call WAS CALL FORWARDED, and where it was call forwarded from so not much reason to use call forwarding. For example when you call my Broadvoice # and it's forwarded to my cell my cell's caller ID display says 'NPA-XXX-XXXX From Call Forwarding'

Until we find a way of spoofing any Class of service, that meaning ANI-II digits, we can still manipulate it a little for now with call forwarding.  The key thing to keep in mind is that most of the time, in the process of call forwarding, the CPN passes and the ANI/Charge Number (CN) remains the call forwarding number (the number that is forwarding your call).  Well, one other thing that seems to pass from the call forwarding number are the ANI-II digits.
  As an example, a few of us forwarded someone's cell phone to Strom's CPN and ANI-II digit reading ANAC.  Then we spoofed a specific CPN to the cell phone; in this example we'll say it was 617-723-1234.  Keeping in mind that cell phones' II digits are usually 61/62/63, the ANAC read ANI-II digits 61/62/63 (I forget which exact II digits it was) along with the spoofed CPN of 617-723-1234.  So basically the CPN became known as a cell phone even though it was not.