ThoughtPhreaker

Members
  • Content count

    1,604
Community Reputation

94 Knowledgable

1 Follower

About ThoughtPhreaker

  • Rank
    Dangerous free thinker
  • Birthday 11/02/1991

Profile Information

  • Gender
    Male


  1. 303-223-9995 - Dialtone via Global Crossing Local Services DMS-500
     213-455-9999 - Same thing, but via a CS-2000 in Anaheim.

     Both are toll restricted, so hopefully they'll be used to hone better switch playing techniques instead of being abused. Also, note the noticeable delay and comfort noise on the calls, even when you're local to them.
  2. Sure, but keep in mind that the one time password algorithm for the Definity is based on DES. I'm not a crypto guy, but based on what I know about DES, having faith in that even if an attacker doesn't have the keys seems like a dangerous game. Much like the passwords as well, the ASG keys for init and inads are probably the same for every processor using a specific build. Though I guess the problem with that is you don't know what build it is until you log in or physically look at the sticker on the processor. This'll definitely have to be explored further at some point - maybe they use the same inads or craft or whatever key on every build.

     Ostensibly, yeah. The header and object files we got from the RPM should allow anybody who uses it in their code to encode and decode license keys, and from the look of the functions, probably make and test valid ASG keys as well. The idea behind disassembling the object files was to try and get an idea of how the functions work - and that's still a valid choice, but it might be less work to just use them as is through trial and error. Of particular note in asg.h is this:

         struct lic_info {
             unsigned char version[4];
             unsigned char filler[6];
             unsigned char hexkey1[8];
             unsigned char hexkey2[8];
         };  /* 4 + 6 + 8 + 8 = 26 bytes, no padding between unsigned char arrays */

     along with the four functions in license.h. Since gewt has a switch with a valid license, I was hoping we could use this to test data we know for sure works against anything we happen to write with these ASG functions.

     Sure! I'll send you a PM.
  3. As much as I wish something like that were true, I don't think it is. Here's how I understand it: The server processing your calls has no involvement in the local calling area. It's, let's say for example, in Texas. Wherever Vonage feels is cheapest and has the best internet connectivity. When your call hits the switch - or really, the call agent (if I understand correctly) in VoIP terms in Texas, it does a ported number dip on what you're calling, and looks at a least cost routing database. From there, it determines the cheapest carrier to terminate traffic to whatever exchange you're calling. Sometimes this is via a switch in the terminating local calling area. Other times, it's terminated back onto a toll trunk and completes like a normal long distance call. It all depends on what's more practical for the carrier. If it's an expensive destination, sometimes a carrier will use under the table methods of terminating traffic. https://en.wikipedia.org/wiki/International_telecommunications_routes

     For incoming, it's a little different. A DID provider will have their own switch in your local calling area - probably something made by Sonus, and they sell those incoming numbers to Vonage. Vonage uses bandwidth.com DIDs if I remember right. Anyway, when it hits the number, it sends the call via the internet to that switch in Texas, which in turn knows to relay it to you.

     Anyway, as JCSwishMan said, the analog telephone adapter in your house counts rotary dial pulses itself. When it thinks you're done dialing, it'll put the digits in the SIP INVITE header along with other information, and send it to the switch in Texas.

     All good, man. Almost everybody starts in this sort of hobby in their teens. If someone implies they're in that age group, I think it's just an unspoken truth here.
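A toy model of the call-agent logic the post above describes, added here as an example; it is not code from the poster or from any carrier. It does a ported-number dip first and then rates the call on the result. The detail that an LNP dip returns a Location Routing Number (LRN) for the switch now serving a ported number is standard LNP practice; the numbers, carriers and per-minute costs are constructed for the example and are not real data.

```python
from dataclasses import dataclass

# Constructed LNP table (not real data): dialed number -> Location Routing
# Number (LRN) of the switch that now serves it. Anything not listed is
# treated as not ported.
PORTED = {
    "7025551234": "7028350000",
}

# Constructed rate deck (not real carriers or prices): terminating NPA-NXX ->
# [(carrier, cost per minute in USD)].
RATES = {
    "702835": [("CarrierA", 0.0040), ("CarrierB", 0.0025)],
    "702555": [("CarrierA", 0.0030), ("CarrierC", 0.0050)],
    "514391": [("CarrierA", 0.0120)],
}


@dataclass(frozen=True)
class Route:
    dialed: str
    routing_number: str
    carrier: str
    cost_per_min: float


def lnp_dip(dialed: str) -> str:
    """Return the number the call is routed on: the LRN if ported, else the dialed number."""
    return PORTED.get(dialed, dialed)


def route_call(dialed: str, do_lnp_dip: bool = True) -> Route:
    """Pick the cheapest carrier for the NPA-NXX of the routing number.

    do_lnp_dip=False models a call agent that skips the dip and rates the
    dialed digits alone, which can select a different carrier for a ported
    number because the serving switch (and so the terminating cost) differs.
    """
    rn = lnp_dip(dialed) if do_lnp_dip else dialed
    candidates = RATES.get(rn[:6])
    if not candidates:
        raise LookupError(f"no termination route for NPA-NXX {rn[:6]}")
    carrier, cost = min(candidates, key=lambda c: c[1])
    return Route(dialed, rn, carrier, cost)


if __name__ == "__main__":
    for number in ("7025551234", "7025559999", "5143911100"):
        print(route_call(number))
```

The point of the `do_lnp_dip` switch is that the rate deck is keyed on where the number actually lives, not on the digits dialed: for the constructed ported number the dip moves the call from the 702-555 rate row to the 702-835 row and changes the winning carrier.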
  4. So I've been trying to make a push to find all the test ranges for Canada. So far, it's been going quite well. Remember if you don't have a plan for calling Canada that the recordings don't supe.

     418-522-1111 - rec, "We are presently unable to route any more calls to this location. Please call back later. This is a recording."

     This particular switch serves a lot of Bell Canada's Montreal headquarters. So this particular range is *all* Bell, including all the Lync stuff. Some of the prompts are in French, so I wasn't entirely sure what VMS it was until later.

     514-391
     1100 - CBCAD rec
     1101 - Dialing 1/0 not necessary rec
     1102 - Dial 1/0 first rec
     1103 - Permanent signal rec? "Please hang up immediately and try your call again. This is a recording."
     1104 - NIS rec
     1105 - PBX ringout
     1106 - rec, "All our lines are now busy. Please hold, your call will be answered shortly. This is a recording."
     1107 - Ringout to Lync VMB
     1108 - rec, "We are presently unable to answer your call. Please call back during regular business hours. Thank you for your cooperation. This is a recording."
     1109 - ACB rec
     1110 - rec, "The party you are trying to reach has chosen not to take calls at this time."
     1111 - 102-type test
     1112 - Loopback test, supes
     1113 - Ringout
     1114 - Low speed modem
     1115 - Low speed modem
     1116 - Low speed modem
     1117 - Low speed modem
     1118 - Ringout to Octel VMS
     1119 - PBX ringout to Bell employee VMB, possibly Lync
     1120 - PBX ringout
     1121 - PBX ringout
     1123 - Ringout
     1125 - AIS report, DISCO
     1126 - PBX ringout, forward to cell
     1127 - Weird platform, "Your call cannot be completed at this time, please try your call again."
     1128 - PBX ringout
     1129 - Same as 1127
     1130 - PBX ringout
     1131 - PBX ringout to VMB. Lync?
     1133 - PBX ringout to VMB. Lync?
     1134 - Ringout
     1135 - PBX ringout to Bell Canada employee VMB. Lync?
     1137 - PBX ringout
     1138 - PBX ringout to Lync VMB
     1141 - Weird platform, "Your call cannot be completed at this time, please try your call again."

     416-368-4042 - rec on Octel VMB, supes, "You have reached the Advanced Intelligent Network. You are not authorized to call this number. Please hang up. Thank you."
     416-353-6100 - rec on Octel VMB, supes, some sales pitch
     416-353-1002 - Bell NOC

     416-353 seems to be the Ontario analogue to the Montreal exchange. Things are looking up there.
  5. That's 437-7950. I wasn't paying attention when I found this, and it became sort of a happy accident.
  6. 800-473-7950. I ask because it sounds suspiciously like one of the Dominion Power tieline recordings; the trailers are always at the beginning of a recording, and typically follow the same format. For example, "Clarksburg Number Two" is a real ID from their network.
  7. I doubt it. You'd probably see the debugger command in there if it was doing that. From there, you can manually invoke the xmodem process, but I have no idea what sort of arguments it wants. Every time I've tried, it just immediately kills itself. In any case, firmware updates for cards or translations and whatnot are typically what it's used for via the upload and download commands.

     You probably could; the only time it's ever bothered me about that sort of thing is when a process crashes, but there are easier ways to fool it. The real problem is under most translation cards, the inads user will prompt for ASG. You're fine if you boot the system with no card, but then you need to be able to feed it a license. That should be in the translations file. Using what we have in the ASG development headers, figuring out exactly what's going on shouldn't be too hard once we identify where the license is. Keep in mind it's designed explicitly for the product ID in the translations card, and probably the serial number on your CPU card though.
  8. Nope :/ . Something like ten years ago, I just happened to be lucky and snagged a copy. There was no announcement or anything like that, and it was quickly deleted.
  9. Yeah, you should be fine with something as far up as eleven. I think the PDF says you have to have 8.3 or above to get the IP media card working. If you're having trouble with IP stuff though, maybe try testing something as a softphone? I dunno why they'd differentiate between actual and softphones, but for whatever it's worth, a lot of Avaya's non-IP phones use the DCP protocol, their proprietary ISDN variant. Their IP phones use the same thing over H.323, but the difference might be because they don't feel comfortable having their secret sauce running on any old desktop PC. They might be using standard H.323 or something. That being said, do you happen to know much about how to upload/download license files? I actually have a release 11 card here that'll need some, er, liberating at some point. Unlike 9/-, even if you can convince the switch you're init, it doesn't like you trying to activate it without one. Which judging by that RPM, is just a matter of doing some legwork, but I'm still scratching my head on what command it wants. A quick hunt through Avaya's goofy license installer ( ftp://ftp2.veracomp.pl/net/avaya/Narzedzia/LIT/ ) shows there's a lot of strings related to reading the license details, but nothing for uploading it. Well, besides an xmodem implementation.
  10. 610-926-0030 - rec, "AT&T is no longer accepting coins for long distance services from this phone. To complete this call, please use a calling card, or dial 00 to make an operator assisted call. Thank you."
      0037 - Time/temp number
      0098 - DMS IVR, "Please enter a code to remotely access a feature"
  11. I think it's all stored in the place you described. There's a PIN if I'm not mistaken, that brings it up to 20 hex bytes right next to the key in question. You'll see that particular set of bytes change every time you change your key.

      It's less big than you might think. Some people with Avaya PBXes are less than responsible, and put development packages on the internet:
      ftp://ftp2.veracomp.pl/net/avaya/Software/SES_5_1_2/Releases/rpms/asgtools-1-0.AV10.i386.rpm
      ftp://ftp2.veracomp.pl/net/avaya/Software/SES_5_1_2/Releases/rpms/asgtools-devel-1-0.AV10.i386.rpm

      While you can't get the source, you can get some header and object files used for ASG functions in their x86 platforms. They're relatively readable with a trip through a decompiler and some deducing which variables are which ( http://pastebin.com/c6znKRUF ), but more importantly, it shows that the earlier ASG stuff is a one time password algorithm based on DES. At some point - probably in the mid 2000s, they got enough sense in their head to switch to AES. This is important not just because the one time passwords are annoying/used to lock down the switch, but because release 10 and up, where all the really fancy features come into play, want you to upload a license key based on ASG.

      Yeah, I think the IP media processor won't work without a relatively recent release; ftp://ftp.avaya.com/incoming/Up1cku9/tsoweb/media/minhardwarevintages.pdf . If your release is 7.1 or something though, allegedly you can put this crazy thing in your switch and get IP trunks. Though it's sorta like adding a car to your pool because you don't like getting rained on while you swim. http://www.ebay.com/itm/Avaya-Lucent-Definity-TN802-V2-MAPD-Board-w-8MB-Card-HDD-/391312141904?hash=item5b1c056e50:g:atcAAOSw5VFWOpHM

      That depends on what you can get to work. You absolutely do need to use that software with a Dialogic card, but they make T1 cards too. I'd be surprised if Avaya didn't put support for that into their software. I think there's something to differentiate between analog and digital interfaces in the software. But then again, I tried it with my Dialogic T1 card and it didn't want to cooperate. Though I think that was probably a good thing in the long run. It wound up being used for...better things. http://thoughtphreaker.omghax.ca/audio/ligatt_megaphone.mp3
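Posts 2 and 11 above both lean on the `lic_info` struct quoted from asg.h and on comparing bytes from a known-good switch against whatever a home-grown tool produces. The following is an added example, not code from the poster or from Avaya's asgtools: it packs and unpacks that 26-byte layout with Python's `struct` module so two records can be diffed field by field. Only the field widths come from the post; the meaning of `hexkey1`/`hexkey2`, the version tag and the sample bytes are constructed assumptions, not real license data.

```python
import struct
from dataclasses import dataclass

# Field widths copied from the struct quoted from asg.h in the post:
#   unsigned char version[4]; filler[6]; hexkey1[8]; hexkey2[8];
# '<' fixes byte order and disables alignment padding, so the record is
# exactly 26 bytes, the same as the C struct of plain unsigned char arrays.
LIC_INFO_FMT = "<4s6s8s8s"
LIC_INFO_SIZE = struct.calcsize(LIC_INFO_FMT)  # 26


@dataclass(frozen=True)
class LicInfo:
    version: bytes
    filler: bytes
    hexkey1: bytes
    hexkey2: bytes


def parse_lic_info(blob: bytes, offset: int = 0) -> LicInfo:
    """Unpack one lic_info record starting at `offset` in `blob`.

    Raises ValueError instead of silently reading a truncated record, which
    matters when the offset of the record inside a dump is itself a guess.
    """
    available = len(blob) - offset
    if available < LIC_INFO_SIZE:
        raise ValueError(
            f"need {LIC_INFO_SIZE} bytes at offset {offset}, only {available} available"
        )
    return LicInfo(*struct.unpack_from(LIC_INFO_FMT, blob, offset))


def pack_lic_info(info: LicInfo) -> bytes:
    """Inverse of parse_lic_info. struct zero-pads short fields and truncates
    long ones, so callers should keep each field at its declared width."""
    return struct.pack(LIC_INFO_FMT, info.version, info.filler, info.hexkey1, info.hexkey2)


def describe(info: LicInfo) -> dict:
    """Hex view of each field, for diffing a known-good record against a generated one."""
    return {
        "version": info.version.hex(),
        "filler": info.filler.hex(),
        "hexkey1": info.hexkey1.hex(),
        "hexkey2": info.hexkey2.hex(),
    }


def diff_fields(a: LicInfo, b: LicInfo) -> list:
    """Names of the fields that differ between two records (empty list if identical)."""
    da, db = describe(a), describe(b)
    return [name for name in da if da[name] != db[name]]


# Constructed sample record (NOT real license data): a made-up version tag,
# zero filler, and two recognisable 8-byte patterns standing in for the keys.
SAMPLE_BLOB = b"R010" + b"\x00" * 6 + bytes(range(8)) + bytes(range(0xF8, 0x100))

if __name__ == "__main__":
    rec = parse_lic_info(SAMPLE_BLOB)
    print(LIC_INFO_SIZE, describe(rec))
```

Unpacking this way pins the offsets the C declaration implies (version at 0, filler at 4, hexkey1 at 10, hexkey2 at 18), which is what you want to hold fixed while working out, by trial and error, what the license functions expect in each field.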
  12. So earlier this month, I started scanning around 702-835, a CLEC 5ESS in Las Vegas. The stuff in the range I was scanning was mostly just recordings - 702-835-9157/9143 were probably the most interesting. But 9142 caught my ear, since it mentioned dialing 811 plus four more digits for customer service. Some asking around turned up that the voicemail system might be on here - and that there could be another internal exchange; 456. For whatever it's worth, this doesn't seem to apply to the ex-Mpower DMS-500s Telepacific owns. Just the 5ESSes they've always had.
  13. Ooooooh, nice! Is there a trailer code at the end? Off the top of my head, I think there's five DMSes with that recording in Portland; McLeodUSA's, MCI's, Integra's, TW/Level 3's (the one the conference is on) and XO's. Of them, McLeodUSA and XO would probably be the most inviting to analog customers.
  14. It should say the software version on the terminal when you log in. Those stickers can be a little misleading if someone upgraded the switch, but release 6 was the last version to not have ASG permanently enabled on the init account. Maybe you have a different build of 6 or something? I think the exact version of the one I dumped was G3V6i.03.4.253.1.
  15. A person that appreciates, understands, and likes to introduce unorthodox input into the phone network maybe? That might not be broad enough.