
Ripe old questions


26 replies to this topic

#1 Partyline4

Partyline4

    SCRiPT KiDDie

  • Members
  • 20 posts
  • Gender:Male
  • Location:Bell Labs

Posted 07 March 2013 - 09:06 PM

Hello everyone! I recently got very interested in telephones and have found myself enveloped in some rotary and pre-1980s telephones.

Playing with them constantly, I pondered a curiosity. How did people find the numbers of anonymous payphones, or people for that matter?

I'm sure there was a directory, but there had to be those people who did not have a LISTED telephone number.

The question branched from reading about "Captain Crunch" and his crazy phreaking days. How did the blind kid, and himself know how to infiltrate the telephone systems?

I personally think someone on the inside leaked info, maybe just enough to lead them onto their discoveries. From the little I know, I think back then the carrier signal was not hidden? Correct me please.

I recall from his main website that he gave out the pay phones in the prison's numbers to the guys so the families could call back. How did he do it?

Just a curious knowledge seeker.

And since I am brand new, are there any threads that list the terms and info about everything telephony?

Like the trunks, scanners, and all this stuff everyone else seems to know :p
ThanksknahT

- PartyLine4


Edited by Partyline4, 07 March 2013 - 09:09 PM.


#2 systems_glitch

systems_glitch

    Dangerous free thinker

  • Moderating Team
  • 1,586 posts
  • Gender:Male

Posted 07 March 2013 - 09:44 PM

Yes, there were leaks about the internal workings of the Bell System, both intentional and unintentional. Leaked, found or published Bell System Practices, intended to explain the inner workings of the Bell System for the linemen, switchmen and other employees, also provided some insight into parts of the system.

 

With ANI and ANAC lines, you can dial a known number from a phone and get the number read back to you. Give (800) 444-4444 a call and MCI will read your number back to you. Not sure how long these particular services have been available. Test numbers in general can provide a lot of interesting information. Check around the forums for the "Some Numbers" thread!



#3 Partyline4

Partyline4

    SCRiPT KiDDie

  • Members
  • 20 posts
  • Gender:Male
  • Location:Bell Labs

Posted 07 March 2013 - 10:35 PM

Golly, thanks Glitch. Never even thought about Bell giving that info out. Seems pretty obvious.

I read that in Canada, the payphones cannot receive calls. Pretty interesting.

Ever checked out the phone-project site? Gives you numbers of payphones across the US.

I tried a lot of them in my town, but many of them were probably stolen or have been removed.


I tried the 444-4444 :) Pretty cool!

*67 can't really block your ANI, can it? Seems too cliche.

I've heard about trunk stacking or something like that? Tricks to stay anonymous would be a good thread!


Edited by Partyline4, 07 March 2013 - 10:42 PM.


#4 systems_glitch

systems_glitch

    Dangerous free thinker

  • Moderating Team
  • 1,586 posts
  • Gender:Male

Posted 08 March 2013 - 09:52 AM

Fortunately, a lot of the BSPs are available online for free, so it's easy to get them to read up on old equipment. I've made extensive use of them in figuring out the Bell 1A2 key telephone hardware, of which I have several bits and pieces.

 

I know several pay phone lists have existed in the past, don't know who's the most current anymore. BlackRatchet's YAPL (Yet Another Payphone List) appears to now be domain squatted by some Russian air conditioner company. Unfortunately, many of the pay phones in our area have been removed. There are at least two in town though.

 

I'm not too familiar with how *67 works, but I doubt it really blocks ANI, just CID for the destination number. Search around for "ANI fail" to look at ways people have used to get a true fail.

 

There's a good thread elsewhere in the forums about cheeseboxes. In short, it's a device that you connect to two phone lines that, in its simplest form, picks up on one and waits for the other to pick up, then connects the calls. More advanced versions allow one to dial out on the other line. Apparently these were left in telco boxes and telecom rooms for anonymous meetings.



#5 ThoughtPhreaker

ThoughtPhreaker

    BinRev veteran

  • Members
  • 1,158 posts
  • Gender:Male

Posted 08 March 2013 - 02:11 PM

I'm not too familiar with how *67 works, but I doubt it really blocks ANI, just CID for the destination number. Search around for "ANI fail" to look at ways people have used to get a true fail.

 

 

The way it works is when you dial *67, your switch adds an extra bit into the SS7 initial address message (where both of your ANI fields, among other things, are stored) telling the office you're calling not to deliver it to the end user. Since this isn't actually removing any fields, some equipment will just ignore this, or even strip the bit in some cases. The FCC frowns upon this, though, so it's usually a mistake or something that isn't talked about by providers.

 

I've heard about trunk stacking or something like that? Tricks to stay anonymous would be a good thread!

 

Tandem stacking? There's some good examples of Evan Doorbell doing that here; http://www.wideweb.com/phonetrips/

 

In everything except very rare cases, though, tracing is a matter of just looking at logs. Aside from using a phone that anyone has physical access to, you'd probably want to transmit an ANI fail over multiple providers.


Edited by ThoughtPhreaker, 08 March 2013 - 02:29 PM.


#6 Partyline4

Partyline4

    SCRiPT KiDDie

  • Members
  • 20 posts
  • Gender:Male
  • Location:Bell Labs

Posted 08 March 2013 - 03:10 PM

How does one do an ANI fail?

*67 definitely doesn't do much for anything outside of local calls. 1-800-444-4444 recognizes the number through *67, so I guess anything could, really.

At my community college, there are these red emergency phones scattered all over the campus. Kids use these to make calls and such. They are the old style Bell wall phones, but made of cheap plastic.

I bet I could get the numbers from them, and have some fun :p

Also the teachers' phones in their classrooms would be a good hit.



#7 phreeman

phreeman

    SCRiPT KiDDie

  • Members
  • 21 posts
  • Gender:Male
  • Location:075T

Posted 10 March 2013 - 04:42 PM

Hello,

Well it's not really an ani fail but more so failing your charge number and then setting your calling party number.

There's some voip carriers will send a fail behind your calling party, so.. just set your cpn to letters or something to break it and it'll pass unavailable. However 8004444444 will do weird things when you fail to it. 4443333 will just read cpn.

#8 phreeman

phreeman

    SCRiPT KiDDie

  • Members
  • 21 posts
  • Gender:Male
  • Location:075T

Posted 10 March 2013 - 05:13 PM


 

I know several pay phone lists have existed in the past, don't know who's the most current anymore. BlackRatchet's YAPL (Yet Another Payphone List) appears to now be domain squatted by some Russian air conditioner company. Unfortunately, many of the pay phones in our area have been removed. There are at least two in town though.

 

 

 

Oh man for real! that was a good site.. But yeah.. *67 just changes the presentation to withhold the calling party number from the called party. But it's usually in the p asserted identity or remote party id when using voip, even though the party called, will get private or anon displayed, it's in the headers. (depending on what's being sent from your downstream) 
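The header behaviour described in the post above, as an added example that is not part of the original thread: a parser that reads a SIP INVITE the way a call-trace tool would and reports the network-asserted number even when presentation is withheld. The sample INVITE, host names and 555-01xx numbers are constructed placeholders, and compact header forms and folded lines are not handled.

```python
import re

# Constructed INVITE (not captured traffic); numbers and hosts are placeholders.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:+15555550123@gw.example.net SIP/2.0",
    'From: "Anonymous" <sip:anonymous@anonymous.invalid>;tag=1928301774',
    "To: <sip:+15555550123@gw.example.net>",
    "P-Asserted-Identity: <sip:+15555550199@carrier.example.net>",
    "Remote-Party-ID: <sip:+15555550199@carrier.example.net>;party=calling;privacy=full",
    "Privacy: id",
    "Content-Length: 0",
    "", "",
])


def parse_headers(message):
    """Return {lowercased header name: [values]} for the header section."""
    head = message.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def uri_user(value):
    """User part of the first sip:, sips: or tel: URI in a header value."""
    m = re.search(r"(?:sips?|tel):([^@;>\s]+)", value)
    return m.group(1) if m else None


def caller_identity(message):
    """Separate what the called party is shown from what the network carries."""
    h = parse_headers(message)

    def first(name):
        return (h.get(name) or [""])[0]

    rpid_raw = first("remote-party-id")
    # Privacy values are separated by ';' (for example "id" or "id;critical").
    privacy = {t.strip().lower() for v in h.get("privacy", []) for t in v.split(";")}
    network_id = uri_user(first("p-asserted-identity")) or uri_user(rpid_raw)
    restricted = "id" in privacy or "privacy=full" in rpid_raw.lower()
    return {
        "from_user": uri_user(first("from")),      # what the callee's display is built from
        "network_identity": network_id,            # what trusted hops and logs can see
        "presentation_restricted": restricted,
        "withheld_but_logged": restricted and network_id is not None,
    }


if __name__ == "__main__":
    for key, value in caller_identity(SAMPLE_INVITE).items():
        print(f"{key}: {value}")
```
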

 

 



#9 ThoughtPhreaker

ThoughtPhreaker

    BinRev veteran

  • Members
  • 1,158 posts
  • Gender:Male

Posted 11 March 2013 - 10:28 AM

How does one do an ANI fail?

 

The tried and true way to do this is to just call the operator, say you're special, and ask her to dial something that's local or toll-free. There's also ways of changing one of your ANI fields using a combination of call forwarding and one other custom calling feature.

 

There's some voip carriers will send a fail behind your calling party, so.. just set your cpn to letters or something to break it and it'll pass unavailable. However 8004444444 will do weird things when you fail to it. 4443333 will just read cpn.

 

In practice, not all of them do this but most toll-free carriers require you to send a valid number for the call to route. This is why calling card services and equipment intentionally sending an ANI field will send your number as just an area code, if not a generic number. Some Paetec numbers in particular are actually pretty funny. If you send partial ANI as part of your CPN field but leave everything else intact, the call will fail.



#10 Partyline4

Partyline4

    SCRiPT KiDDie

  • Members
  • 20 posts
  • Gender:Male
  • Location:Bell Labs

Posted 11 March 2013 - 02:23 PM

 Do the phone companies monitor these threads? Probably...


I assume most of the users on binrev use cellular devices...


Edited by Partyline4, 12 March 2013 - 10:26 AM.


#11 ThoughtPhreaker

ThoughtPhreaker

    BinRev veteran

  • Members
  • 1,158 posts
  • Gender:Male

Posted 11 March 2013 - 11:37 PM

How would you do it from a landline?

 

The method I described with an operator works exclusively with landlines.

 

 Do the phone companies monitor these threads?

 

Better yet, does it matter? The ANI fail trick is something that's worked for a good while. Network security people almost assuredly know about it; this is caused by a bug in TOPS, the DMS-200 based platform that runs operator services. Dialing numbers for "special" people is a service the FCC requires the local phone company to offer, though, and the bug doesn't give any risk to the operating company's equipment being compromised or exploited. The motivation to fix it is probably very low.



#12 Partyline4

Partyline4

    SCRiPT KiDDie

  • Members
  • 20 posts
  • Gender:Male
  • Location:Bell Labs

Posted 12 March 2013 - 10:24 AM


So basically, you're getting the O to make the call for you? Say, if you call the operator, wouldn't they know who you were? Possibly leaving a log behind?

Sorry about saying you didn't explain. I was viewing the site over a mobile device and flipped through your other post on this thread.


 


Edited by Partyline4, 12 March 2013 - 10:27 AM.


#13 ThoughtPhreaker

ThoughtPhreaker

    BinRev veteran

  • Members
  • 1,158 posts
  • Gender:Male

Posted 12 March 2013 - 11:45 PM

So basically, you're getting the O to make the call for you? Say, if you call the operator, wouldn't they know who you were? Possibly leaving a log behind?

 

If you do it frequently, they will start to recognize you. If this is a concern, you might want to consider calling in during a different shift. Most aren't going to care unless it's clear you're doing something like harassing someone, though. In that case, you might want to reconsider what you're doing - anonymity isn't a replacement for good judgement.

 

As for logs, sure. Even electromechanical equipment had ways of producing call logs. I'd be very surprised if you found anything that didn't. This all relies on what number the equipment received, though. If something that passes ANI receives an ANI fail, it's likely going to pass that fail on and leave nothing but a fail for incoming and outgoing in the logs.



#14 phreeman

phreeman

    SCRiPT KiDDie

  • Members
  • 21 posts
  • Gender:Male
  • Location:075T

Posted 13 March 2013 - 01:50 AM

You can ask for special flag on your account that indicates you're special. Then you won't have to worry about it.. but just use sip and test.

#15 Bizurke

Bizurke

    Thought Criminal

  • Members
  • 1,018 posts
  • Gender:Male
  • Location:NoDak

Posted 19 March 2013 - 02:02 AM


So basically, you're getting the O to make the call for you? Say, if you call the operator, wouldn't they know who you were? Possibly leaving a log behind?

Sorry about saying you didn't explain. I was viewing the site over a mobile device and flipped through your other post on this thread.


 

 

Getting, or convincing an operator to dial a number for you is known as 'Op-diverting' and was the standard method of anonymizing a call for a very long time. Generally the op could find out who you were, or have "log" info, but in reality most telco employees were/are completely unaware of the idea of fraud or phreaks. "Hi there, I'm blind and having trouble dialing a number" worked for a long time, but then they got wise and some telcos started keeping track of which lines belonged to the blind and Deaf/HoH. It was much easier to fake an equipment malfunction like "I'm trying to call 555-1119 but the 9 button on my phone isn't working... I'm real sorry to bother you, but I'm really worried about my blah blah and need to make this call" worked like a charm for years. For a couple of years in the late 90s and early 2000s we were able to use an automated op-divert through a 10-code (later 10-10 code) system. The most popular was AT&T at 10-10-288 which is AT&T's code. When you added a 0 to the end of the code you could get a prompt to dial even a toll free number, this would not only cause an ANI fail and re-assign a new ANI, sometimes it would assign an AT&T owned (ie; shows up as a phone in an office inside of AT&T) ANI and CID, or fail so hard it would assign a 6 digit ANI that started with a 1. The MCI ANAC 800-444-4444 is not a true ANAC and just reads back CID info, you can easily spoof this ANAC. There are still some good ANAC/Testing numbers out there that will give you true ANI, ANI II, and other test numbers. They're in the 800-555-xxxx exchange. I'll leave you to find them yourself ;)

 

In the mid 2000s manually op diverting started to get pretty hard, and when you could pull it off they would generally forward your ANI. The way me and my friends got around this took a lot of work. We opened every large box we could find, we called them Junction Boxes but I have no idea if we were correct in that, and looked for phone numbers written by line techs. Over time we compiled a list of numbers that they seem to call quite often and devised part of an exchange that belonged to internal departments of our ILEC. We scanned them, social engineered info out of them, and eventually had enough names, numbers, and information to get pretty much anything we wanted. I could call Brenda at XXX-0806 and tell her I was another employee (and used a real name she would know, but someone in a different town than her) and I lost my company directory and get her to transfer me to "John in Atlanta" or something like that. Once I did that I was calling within the ILEC carrying an internal ANI and they would do anything I wanted, give me a line out, transfer me to RCMAC, run tests, or anything really.

 

I know this doesn't really answer your question but it reminded me of how we (my friends and I) did it in the 90s and 2000s. 


Edited by Bizurke, 19 March 2013 - 02:09 AM.


#16 Partyline4

Partyline4

    SCRiPT KiDDie

  • Members
  • 20 posts
  • Gender:Male
  • Location:Bell Labs

Posted 20 March 2013 - 10:55 AM

Excellent info, "Thought Criminal"

I just tried 1800-555-1234 and it was some sweepstakes winner bit. :p

How would I find these ANI, and ANI 2 numbers other than just guessing?

What is RCMAC?

I noticed that on my BELL 2500, if I press 5 AND 6 together, I get a pretty neat tone.



#17 Bizurke

Bizurke

    Thought Criminal

  • Members
  • 1,018 posts
  • Gender:Male
  • Location:NoDak

Posted 22 March 2013 - 09:59 PM

Excellent info, "Thought Criminal"

I just tried 1800-555-1234 and it was some sweepstakes winner bit. :p

How would I find these ANI, and ANI 2 numbers other than just guessing?

What is RCMAC?

I noticed that on my BELL 2500, if I press 5 AND 6 together, I get a pretty neat tone.

 

We used to scan entire exchanges by hand. Say one guy will do 800-555-1XXX another will do 2XXX etc and make lists of what each number is. You can probably find old text files of scans to start with. It looks like the numbers I was thinking of are dead nowadays so that won't help anyway. There is an old post about it where you might find some numbers that work, or an exchange to scan to find more.

 

http://www.binrev.co...-555-1140-dead/

 

Decoder explained RCMAC in a previous post.

http://www.binrev.co...-rcmac/?p=22797

 

It used to be like the Holy Grail of noob phreaks. 

 

It is ANI (annie) and ANI II (Annie Eye Eye) not ANI 2. Also, not everyone calls it "Annie". I've had some debate with other phreaks about this in the past. Strom and I still can't decide who is right on this subject. When I worked for phone companies we called it "Annie" but it seems other phreaks and some telcos just call it A-N-I. This was also part of our debate on "telephony" being "Tel-eff-in-ee" or "Tel-uh-phony". 



#18 ThoughtPhreaker

ThoughtPhreaker

    BinRev veteran

  • Members
  • 1,158 posts
  • Gender:Male

Posted 24 March 2013 - 08:09 PM

It is ANI (annie) and ANI II (Annie Eye Eye) not ANI 2. Also, not everyone calls it "Annie". I've had some debate with other phreaks about this in the past. Strom and I still can't decide who is right on this subject. When I worked for phone companies we called it "Annie" but it seems other phreaks and some telcos just call it A-N-I. This was also part of our debate on "telephony" being "Tel-eff-in-ee" or "Tel-uh-phony".

 

 

Hah, you beat me to it! Yes, Annie Two sounds like a sequel to an overused movie title. I've never heard The Phone Company talk about II digits, but II digits are referred to in documents as "information integers". Officially, I've heard ANI pronounced as Annie. That being said, though, I think there's a bit of a mystery regarding how transmitted digits can end up being displayed to the distant equipment. For example, an ANI fail via the operator will show up at the distant end as 23 very often, but a more formal ANI fail from an exchange not programmed to send ANI for whatever reason will show up as something other than 02 even if the switch specifically sends that out - I think just 00.

 

None of this actually applies to attempts at an ANI fail from most voice over IP providers to the best of my knowledge. The reason being that if you assign no number to your call, a media gateway will often give you a generic number. Alternatively, if someone tries to assign 000-000-0000 to a call, it's literally 000-000-0000 instead of a fail (which sends nothing, or just area code). Though some ANACs will read a fail back as all zeroes, it'll do this simply because it's programmed to read back ten digits, but there's no digits to read. The reality is it still shows up in logs as 000-000-0000 if that's what you assign the number as. In a nutshell, it sounds as authentic as walking into a Mexican restaurant and ordering a crunchy taco supreme; you're distinguishing your call from other ANI fails, and someone - or something is likely to use that to identify you.

 

 

How would I find these ANI, and ANI 2 numbers other than just guessing?

 

I'd check blocks of numbers owned by IVR companies, such as West Interactive or First Data Voice Services. They're probably going to be the biggest users of them, and have enough resources at their disposal to construct it on a whim. Aside from checking local ranges they own, tollfreeda.com or 800-555-1212 have gotten lucky occasionally, and inadvertently listed test lines. That would be the first place I'd look.

 

In any event, we really do need a new II digit ANAC, though, maybe this should be an organized effort.

 

In the mid 2000s manually op diverting started to get pretty hard, and when you could pull it off they would generally forward your ANI. The way me and my friends got around this took a lot of work.

 

Maybe it's just a thing native to your telco, but I've never run into any trouble op diverting.


Edited by ThoughtPhreaker, 24 March 2013 - 08:24 PM.
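The log-side view of the post above, as an added example that is not part of the original thread: a triage routine for calling-number fields in call detail records that separates a true fail (nothing, or just an area code) from literal all-zero or non-numeric values, and groups the distinctive values so repeated use stands out. The record layout, category names and sample rows are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed CDR rows: (call id, calling number as logged). Not real traffic.
SAMPLE_CDRS = [
    ("c1", "555-555-0142"),
    ("c2", ""),
    ("c3", "555"),
    ("c4", "000-000-0000"),
    ("c5", "abcdefghij"),
    ("c6", "0000000000"),
    ("c7", "(555) 555-0117"),
]


def classify_calling_number(raw):
    """Classify one logged calling-number field (categories are this example's own)."""
    s = (raw or "").strip()
    if not s:
        return "fail_empty"                 # a fail that sent nothing
    if re.search(r"[^0-9()+\-. ]", s):
        return "malformed"                  # letters or other junk in the field
    digits = re.sub(r"\D", "", s)
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]                 # drop a leading country code
    if len(digits) == 3:
        return "fail_area_code_only"        # a fail that sent just the area code
    if len(digits) == 10:
        return "literal_zeros" if set(digits) == {"0"} else "normal"
    return "malformed"


def summarize(cdrs):
    """Count how many records fall into each category."""
    return Counter(classify_calling_number(raw) for _, raw in cdrs)


def cluster_distinctive(cdrs):
    """Group call ids by normalised value for fields that are neither normal nor a true fail."""
    clusters = defaultdict(list)
    for call_id, raw in cdrs:
        if classify_calling_number(raw) in ("literal_zeros", "malformed"):
            key = re.sub(r"[\s().\-]", "", raw).lower()
            clusters[key].append(call_id)
    return dict(clusters)


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_CDRS)))
    print(cluster_distinctive(SAMPLE_CDRS))
```
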


#19 Partyline4

Partyline4

    SCRiPT KiDDie

  • Members
  • 20 posts
  • Gender:Male
  • Location:Bell Labs

Posted 30 March 2013 - 01:32 AM

The method that sounds the easiest is the op divert.

I am considering getting a job with my Telco, Verizon's Frontier, and maybe learn some more about the whole network.

I recall only seeing ONE telephone box being opened in my town and seeing the hundreds of red and green terminals.

They are placed in active locations, so no chance of busting in!

I would love to take this old Northern Electric butt and plug into a line!


Edited by Partyline4, 30 March 2013 - 01:34 AM.


#20 skywanter

skywanter

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 18 posts
  • Gender:Male
  • Location:847/412

Posted 01 April 2013 - 03:19 AM

In all my years with an interest in phones I have only successfully op-diverted maybe ten times. As sad as this sounds that's not an exaggeration - but on the bright side two of those happened on a cruise I went on like seven years ago where I got to go through a ship-to-shore system that was pretty cool. I've never had my local operator put me through to a toll free number, even when I say I'm visually impaired (haven't tried any other medical issue), and it's the same thing with PIC operators; they all claim they can't connect toll-free calls. I have ATT as my operator, if that helps.




