About ThoughtPhreaker

  1. *dusts thread off* Here's a couple nice things I found. 416-640-0000 - Ringout bridge on Allstream exchange 800-242-2121, extension 44009 - Modem on Avaya's Highland Ranch PBX I could've sworn I gave these out a few years ago, but a cursory search seems to suggest otherwise. Given it's election season, it only seems right to give them out. These're all a bunch of audio couplers on a Definity at CNN's Atlanta studios: 404-878 6040-6048 - Beep + program audio? 8041-8052 - Beep + talkback audio; mostly the director giving commands to the production staff, like when to switch cameras and whatnot. You don't get to hear anything back from the people operating the equipment. Most of these guys assume nobody but the crew is listening, so they'll occasionally comment on whatever is going on or make an off-color remark. Of all these, this is probably the least frequently used group of couplers. 9901-9912 - Beep + Program audio. This seems to be a fairly complete mix, but prior to the master control room, where they switch to commercials. Much like the director channel, they pretty much assume all eyes are off them when they're at a commercial. 9982-9996 - Beep + Program audio. This seems to be where after-hours or remote stuff occasionally comes from. 2037,38,39, and 40 are all music on hold sources that have the final mixes that go on air.
  2. Heh! Wow, you're way better at this than I am. I like the idea of the plot involving a relationship with the government in one way or another. If we're telling this from a telco perspective, it'd be fun to portray the government as cartoonishly overreaching. Though that sorta limits the incompetent mistakes you can present to users on the system. I mean, a company's idealistic vision of itself doesn't include a bunch of security holes, right? You could probably get away with things they don't feel are wrong, like extensions that prompt for ACTS tones or making it really easy to "service observe" employees, but you can only go so far without being prompted for a passcode. That, and over/under-regulation sorta gets into partisan politics. Anyway, I might put this on hold for a little while; granted it's half done, but the amount of interest it's kicked up has been lukewarm at best. I'll probably keep the toll-free up until my trial account expires, though. In the meantime, I added a test application that came with the Audix system on 1192. Since it does blind transfers to any extension you give it, I figure it'll be nice to let it dial things the voicemail system won't let you, like the DISA on 1190. Also, the bulletin board on 1117 has a bunch of crap left over from other projects stuck on it right now. For context, the idea is to make it more of a water cooler talk-ish forum for the characters; not just a bunch of random stuff. There's just nothing to put on there quite yet.
  3. So I had this idea of creating a wargame on a Definity, Audix system, and some custom software I wrote. If you'd like to play with it, the number for the next few days or so is 800-224-0116. When it answers, press *8, and you pretty much have the run of the place. 1116 and 1117 are some custom doohickeys I made with the intention of being plot devices in one way or another. The rest of the extensions (you'll find them in the name directory with *2. If you're not sure what else to press, use *4 and it'll help you out) are fake employees for the company - the idea being you're supposed to investigate something shady or another going on. A lot of these voicemail boxes are on default, and have random stuff lying around for anybody who manages to find the passcode, if there even is one. And so I think it has potential - and it's something I'm trying to get the attention of the hacking community at large with, but I have absolutely no idea where to go with the plot. The main idea I have now is Shadytel could be doing something really, really shady and it's your job to figure out what, but the whole schtick behind that group is to make it as outlandishly shady as possible, so nothing I can think of seems particularly shocking or out of character. Something in the other direction, like an employee going out of their way to donate to charity seems sort of weak too. Anyway, thoughts? EDIT: There were a few missing words in the post; some of the sentences made no sense. Sorry guys, it's been a long week.
  4. Maybe, yeah. I made sure it did this for a couple T-Mobile users before posting. On the topic of traffic pumping though, I think my favorite has to be the Doorbell partyline, or the Mexican partyline as it's often referred to in private. Basically, there's this CLEC in California, North County Communications (the same one that hosts the socal bridge), that redirects all their non-working numbers to a fairly large partyline. It's sort of become a shining example of the lowest common denominator in action. The parts of it that aren't a giant, festering pool of sexual frustration are typically dominated by a junior high level of shit talking. If you think this opens it up to being a wonderful trolling opportunity (and you'd most certainly be right. It's always the first place I go to test reactions to sound boards or improv characters), you're definitely not alone. The sheer amount of trolling has made the usual participants pretty thick skinned. To help with that, the bridge automatically mutes anybody playing anything loud for several seconds. On a technical note, I've been told the system runs a very old build of Asterisk - like, 1.0ish, with custom meetme drivers and a couple T1s. If you'd like to try calling it, there appears to be a couple instances. I think the official number is 213-227/619-364/909-661/714-629/818-685/etc-1234, but occasionally, you'll find some disused incarnation of it if you happen to call around these exchanges looking for non-partyline things. From the documents I can find, it looks like North County opts not to buy SS7 trunking from the ILECs, and instead does everything, including ANI, over MF. Also, if you happen to look the exchanges up in LERG, you'll see they supposedly have DMSes and 5Es. This is a filthy, filthy lie; they've always had some unrelated, goofy switch.
  5. So all credit goes to Ramsaso; he pointed this out on the bridge last night. If you have a T-Mobile phone, try calling 712-451-0011. You should get a recording saying they now charge 1 cent a minute to call it, even if you're on their unlimited plan.
  6. 'kay, so I wrote a ridiculously big reply for this and binrev logged me out for inactivity. Also, for some reason, the clipboard seems to insist I have a link on it, even when I just pasted my whole post (this one. I didn't think to try this on the old one :/) into notepad. So, er, I'm going to rewrite this fast. Let me know if you thought I left anything out. Anyway, if you're looking to do a small exchange with not a lot of subscribers, you could just record the whole thing and manually look at the waveform with some editing software; . The caveat is it really isn't practical for things with a lot of variety, like toll-frees or big exchanges and such, since the idea is to just look for patterns in the waveform. I understand Chronomex did something similar with a spectrogram a while ago. Under the right circumstances, this is sort of ideal since it's a good compromise between the efficiency of something automatic and the precision of manual signal detection. And that's sort of the catch 22 here. There's so much detail to look at (imho, anyway. If you have no idea what I'm talking about, have a look at this; ) that you're always going to miss something - like IDing the switch you're calling, the PBX/auto-attendant at the other end, what brand of answering machine, CO test recordings, telco voice response systems, etcetera. As I see it, wardialers as they are sorta were designed in an era when people mostly just gave a shit about finding other modems. One thing I'll say as well is if you want to learn how to listen for small details in the network, hand scanning is really the best way for that. Before I come off as too preachy though, I get it; nobody has time to do all this crap by hand. If someone is up for helping build/adding to a wardialer though, and we can find some sort of signal detection library (the two big things are something that can detect repetition in waveforms, and the shape of one), we can at least get stuff like switch detection down. 
A lot of auto-attendants and whatnot are identified by the voice prompts on the system. I'm not really sure where to start with that, but I know it's possible. My voice is my passport or something. Anyway, JCSwishman, as for a modem, this would probably be a good bet; It's got a built-in USB to RS-232 converter, though the drivers can be sorta hard to find. The basic signal detection (voice, tone, etc), or so I've heard, is actually fairly good; it isn't cringeworthy (SIT tones? Voice! Milliwatt? Ring! Fax tone? Voice!) like on the Couriers. Finally, being a voice modem, you can more than likely make it directly send/receive PCM. EDIT: This page explains Fast Fourier Transform techniques. Wow. This does not look fun to implement in software. Maybe some of the audio fingerprinting programs designed for music can do it.
  7. I think Verizon sold its payphones off to Pacific Telemanagement Services sometime earlier in the decade. I've heard some rumors saying they still have ACTS phones around somewhere in Verizon territory, but they're primarily a COCOT operator. A redboxable, CO controlled payphone sounds something like this; That particular type was an in-LATA toll call (basically, a nearby place that's still long distance) via a TOPS tandem. For local calls, the phones typically just do a ground test where the tones aren't used. As for COCOTs, pretty much all of them prompt for any non-free call using voice samples. Unlike the fortress phone, where the 5ESS serving it does a coin return and who knows what else before connecting the call (DMS-100/GTD-5/DCO coin phones are a lot quieter. DMS-10s a little less so), a COCOT just blocks audio from the phone line and plays samples directly into the earpiece, so it's a lot quicker and basically noiseless. Also, that voice in the recording only happens on TOPS; you won't hear it from any COCOTs. Ever. COCOTs can be fooled as well, but it depends more on what sort of switch you're calling from, and how it feels like behaving. Though there's no boxing involved.
  8. *pokes his head up out of the ground* Did someone say free calls?! It's been a busy week, but I've had some time to mess around in Bermuda. 441-295 is a DMS-100. No luck finding anything too interesting so far, but 1001 is the business office number for the telco running it.
  9. Did you try running the start_vs script used to start Audix? The Dialogic executable is driver related, and is started by the start_vs script normally (though starting it manually won't hurt it; the shell scripts aren't particularly bad). If there's any problems starting the system, it should let you know. I think /vs/bin/start_vs_now is responsible for doing a lot of the legwork, so if you think there's something it's not telling you, that's probably the first place to look.
  10. That depends on what you're referring to; if you're referring to the ISDN signaling flavors, I assume it'll work with both. The 4ESS and 5ESS are both phone switches though, and probably support pretty much the same interoffice trunk interfaces (analog 2-wire, 4-wire, DS1, DS3, ethernet) as the DMS-10. Though the 5ESS was made to work mostly in larger markets and the 4ESS was exclusively made to work as a tandem, so they might not support the same interoffice signaling types. For example, the 5ESS (and probably the 4E) can support an obscure signaling method called revertive pulsing. The only place this ever was used was in Crossbar 1 and Panel; electromechanical switches used almost exclusively in big cities. The DMS-10 being mostly a rural switch, it probably never got support for this.
  11. Did either of those ever work for you? If you're still having trouble, I can dig in a little deeper. Especially now since it's cooling down; the Definity/Audix box/other crap sits in my closet. When the temperature starts reaching forty degrees or so it's great, but when it's almost a hundred, it's a little less pleasant to have running for hours.
  12. Yup. There's some DMS-250s in there as well, but that particular one is a 5ESS. 800-877-0230 should give you one of the 4Es that 5E sends traffic to. If you do it during business hours on the weekday, your chances of getting more than one tandem are much higher. What you get is different from one switch to the next, but loops do tend to answer with milliwatts. On a DMS-10, getting a distant reorder next to a milliwatt is the only good indication that I know of. On Redcom switches, you don't tend to have that sort of luck; 907-293-1108/1109. It takes a little trial and error to figure out which switches do what. All good, man! Glad to help - a lot of people don't even anticipate the possibility of a loop being in a range.
  13. I tried giving 518-234-9624 a 300 baud modem handshake on one call and DTMF on another, but it didn't seem to really care for either. As for 9960, keep in mind DMS-10s have an implementation of loops in software (one of the few I've seen, actually. The vast majority of loops I've found are on them) that gives you reorder on the high end by default when nobody is on. In this case, the reorder distinguishes itself by actually being played by the DMS-10; usually when you hear a reorder, the switch you're calling from is generating it based on an SS7 cause code the one you're calling pushes back. The reorder thing is pretty common, but I've also seen one send back a busy cause code in that case. There's a loop on the scan I put below if you want to get a hands on experience with one. Finally, 9811 is sending a cause code back. AT&T's 4ESS tandems have a habit of playing back their own recording instead of passing the message on, so that was probably the one you were getting. If you're homing directly on a 4E for toll calls on their network, you'll probably get the same recording every time you call it. If not though, you'll get a bunch of different tandems during the day. To figure out how your calls are routing, give 800-466-3728 a call. If you get a message from a 4E (usually xxxT, or occasionally just a reorder when the recording stops working), well, that's what you're homing on. Anyway, nice! One thing you've got to keep in mind though, is the Bell Atlantic DMS-10s are sort of a mixed bunch. On some, most things sit around in 99xx. Though for some reason, there's others (like this one) where they stick things elsewhere. For all I know, they've lumped everything together with all the other super secret CO stuff elsewhere. Here's one of the more successful 99xx DMS-10 ranges:

      716-257
      9999 - Ringout
      9997 - Ringout
      9992 - Ringout
      9991 - Switchroom phone? # not accepting calls w/privacy bits
      9990 - Ringout
      9984 - Ringout
      9983 - Ringout
      9982 - Ringout
      9981 - Ringout
      9980 - No supe, faint noise
      9972 - Reorder via distant end
      9970 - Busy signal via distant end
      9967 - Coin deposit rec
      9966 - Ringout
      9965 - Busy via SS7
      9960 - Pat Fleet CBCAD rec
      9959 - Weird noises. Broken trunk?
      9958 - Cornbreath CBCAD rec
      9957 - Cornbreath dial 1 first rec
      9956 - 100-type test
      9955 - Ringout. Picks up when 9954 is offhook?
      9954 - Thingie, picks up silently
      9953 - Permanent signal rec
      9952 - Weird noises. Broken trunk?
      9951 - Switch tech CBCAD rec
      9949 - Ringout
      9948 - Ringout
      9947 - Ringout
      9946 - Ringout
      9945 - Ringout
      9944 - Ringout
      9943 - Ringout
      9942 - Ringout
      9941 - Ringout
      9939 - Forward to 5ESS? 5E ring + 15A CAC required rec
      9936 - Line with nasty hum, 300 baud modem?
      9935 - Ringout
      9934 - Ringout
      9933 - Ringout
      9932 - Ringout
      9931 - Ringout
      9930 - Ringout
      9921 - Ringout
      9920 - Ringout
      9917 - Broken trunk?
      9916 - Reorder via distant end
      9915 - CBCAD via SS7
      9914 - Broken trunk?
      9912 - Reorder via distant end\
      9911 - 102-type test / Loop! Mutes conversation after ~1 minute, though
      9910 - 102-type test
      9902 - Reorder via distant end
      9901 - Reorder via distant end
  14. I don't think it'll make much of a difference, but here's my options file if you want it; . Interestingly, there's a program used by sell_chans; /vs/bin/.cras that claims to attach channels so they're recognized by the system. I assume the Dialogic card has to be running for this to work, but what does '.cras card 0' give you back?