Strom Carlson

SS7 ISUP number delivery fields

24 posts in this topic

I finally got my hands on the official Telcordia specification for SS7 ISUP, so this should clear up a lot of general confusion with regards to number delivery.

In the ISUP IAM (Initial Address Message), there are the following fields for number delivery (this is not a complete list, but nonessential parameters of the number fields are being left out for the sake of simplicity):

• Called Party Number

• Charge Number

• Originating Line Information Parameter

• Calling Party Number

• Original Called Number

• Redirecting Number

Called Party Number is the only mandatory field; the rest are optional.

Charge Number is the field from which ANI is derived (ANI is a generic term, whilst Charge Number is the specific implementation in SS7 ISUP; the relationship between Charge Number and ANI appears to be similar to the relationship between Calling Party Number and Caller ID. Note that ANI is never transmitted across the network; only Charge Number is sent, and ANI is derived from that within the switch or AMA equipment).

OLIP is the field which contains, among other things, binary representation of the II digits (class of service) of the originating line.

Calling Party Number is the number of the calling party, and can be set as either "Network Provided" on calls originating from POTS lines, or as "Customer Provided" on calls originating from a PRI where the customer's station equipment specifies the Calling Party Number to the switch. If Calling Party Number and Charge Number are identical, Charge Number is omitted from the IAM.

Original Called Number and Redirecting Number are only used in cases of call forwarding.

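The fields listed in the post above, decoded from the optional part of an IAM, as an added example that is not part of the original post. The parameter codes, the octet layout, and the helper names are assumptions drawn from the public ANSI/ITU ISUP parameter tables rather than from this thread, and the sample bytes are constructed.

```python
# Added example: decode number-delivery parameters from the optional part of an
# ANSI ISUP IAM. Code points are assumptions from the public ANSI/ITU parameter
# tables (not from this thread); the sample bytes are constructed, not captured.
PARAMS = {0x0A: "calling_party_number", 0xEB: "charge_number",
          0xEA: "olip", 0x28: "original_called_number",
          0x0B: "redirecting_number"}
SCREENING = {0: "customer provided, not screened", 1: "customer provided, screening passed",
             2: "customer provided, screening failed", 3: "network provided"}

def digits(content):
    """Octet 1 bit 8 is the odd/even flag; digits start at octet 3, low nibble first."""
    out = "".join("%X%X" % (b & 0x0F, b >> 4) for b in content[2:])
    return out[:-1] if content[0] & 0x80 else out

def parse_optional_part(buf):
    """Walk code/length/content triples up to the end-of-optional marker (0x00)."""
    fields, i = {}, 0
    while i < len(buf) and buf[i] != 0x00:
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated optional parameter")
        code, length = buf[i], buf[i + 1]
        if code in PARAMS:
            if length < (1 if code == 0xEA else 2):
                raise ValueError("parameter too short")
            fields[PARAMS[code]] = buf[i + 2:i + 2 + length]
        i += 2 + length
    return fields

def summarize(fields):
    cpn = fields.get("calling_party_number")
    cn = fields.get("charge_number")
    olip = fields.get("olip")
    return {
        "cpn": digits(cpn) if cpn else None,
        # Screening indicator: low two bits of the CPN's second octet.
        "cpn_source": SCREENING[cpn[1] & 0x03] if cpn else None,
        # Charge Number is omitted when identical to CPN, so fall back to CPN.
        "billing_number": digits(cn) if cn else (digits(cpn) if cpn else None),
        "ii_digits": "%02d" % olip[0] if olip else None,
        "forwarded": "redirecting_number" in fields,
    }

# Constructed samples: a PRI call with customer-provided CPN plus a distinct
# Charge Number, and a POTS call with a network-provided CPN and no Charge Number.
PRI_CALL = bytes.fromhex("0a0703101252551032" "eb0703101252551000" "ea0100" "00")
POTS_CALL = bytes.fromhex("0a0703131252551032" "ea0100" "00")

if __name__ == "__main__":
    for sample in (PRI_CALL, POTS_CALL):
        print(summarize(parse_optional_part(sample)))
```
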

Thank you... I was just searching for that same info...


Finally, finally, finally! I personally have been looking for the information forever, and it will definitely clear up some confusion. Thanks, this is the most useful thing I've seen in a really long time. :heart:


Strom, I don't know what it took for you to get that, but THANK YOU

> Strom, I don't know what it took for you to get that, but THANK YOU

Well, I can't tell you specifically, but it involved five cats, a chocolate bar, a chain-link fence, and two litres of extra-virgin olive oil.

> > Strom, I don't know what it took for you to get that, but THANK YOU
>
> Well, I can't tell you specifically, but it involved five cats, a chocolate bar, a chain-link fence, and two litres of extra-virgin olive oil.

Allow me to advance a theory.

First, Strom identifies a business with the appropriate Telcordia Licensing Agreement, in addition to a security guard who is a 'cat person.' We will call this business DocSource, Inc. He then calls the security guard on the phone, posing as a momma cat. The momma cat (who, remember, is really Strom) explains that she has an obligation to teach her kittens how to hunt, and that the area inside of the DocSource industrial campus is ideal for this activity. Furthermore, the momma cat elaborates, by setting up a chain-link fence around this hunting ground, DocSource is disturbing the local ecosystem and could incur major liability costs. The security guard gets really worried, and offers to let the cat and her babies in to hunt, despite the official corporate policy on cat hunting, because he is a 'cat person.' A fine social engineer, this Mr. Carlson is.

Next, Strom covers his naked body in the first litre of olive oil and puts fluffy chocolate bar shavings all over himself. He then releases the five cats in the direction of the front gate, staying low and blending in among them. The security personnel in the guard shack have no chance to identify Strom in his clever animal disguise, especially in the herd of cats.

Of course, once he's in, Strom has access to the internal DocSource network, and can view Telcordia documents that the company will have made available to employees as pursuant to the standard Telcordia Licensing Agreement. He finds the SS7 ISUP document, emails it to himself, then soaks the DocSource building in the second litre of olive oil and lights it on fire to cover his tracks and make the break-in look like everyday arson. No one would be the wiser. Well played, Mr. Carlson.

Or at least that's what I think happened. Any other ideas?


Thanks for sharing all the info with us though. First you set us straight with CPN and now CN.


I think a lot of people are going to have to rethink their ideas on how this all works. Thanks for dropping that one Strom.


Well this definitely clears up a ton of confusion in the past several years of understanding these packets of information sent along in SS7, that being ANI, Calling Party Number, Charge Number, and the so called "forward tag" (what seems to really be based on Original Called Number and Redirecting Number). Now if we could just spoof CLASS of service.....

> Well this definitely clears up a ton of confusion in the past several years of understanding these packets of information sent along in SS7, that being ANI, Calling Party Number, Charge Number, and the so called "forward tag" (what seems to really be based on Original Called Number and Redirecting Number). Now if we could just spoof CLASS of service.....

well, Class of Service and CLASS (Custom Local Area Signaling Services) are two entirely different things...which are you talking about?

> > Well this definitely clears up a ton of confusion in the past several years of understanding these packets of information sent along in SS7, that being ANI, Calling Party Number, Charge Number, and the so called "forward tag" (what seems to really be based on Original Called Number and Redirecting Number). Now if we could just spoof CLASS of service.....
>
> well, Class of Service and CLASS (Custom Local Area Signaling Services) are two entirely different things...which are you talking about?

I meant CLASS of service. Basically the ANI-II digits that represent the type of phone/phone line being used. I've heard test numbers such as 1-800-555-1170 which will ask you for test II digits, among other pieces of information such as test ANI, test DNIS, etc. A lot of us in the scene have always wondered if that would spoof the ANI-II digits if it directed your call to another destination other than that bank that it calls.


> > well, Class of Service and CLASS (Custom Local Area Signaling Services) are two entirely different things...which are you talking about?
>
> I meant CLASS of service. Basically the ANI-II digits that represent the type of phone/phone line being used. I've heard test numbers such as 1-800-555-1170 which will ask you for test II digits, among other pieces of information such as test ANI, test DNIS, etc. A lot of us in the scene have always wondered if that would spoof the ANI-II digits if it directed your call to another destination other than that bank that it calls.

OK - if you're talking about Class of Service, you don't put Class in all-caps, because CLASS indicates a group of custom calling features (caller ID, caller ID with name, call waiting, voicemail, and so on). I don't know if there's an equivalent to the OLIP field in the ISDN SETUP message; if there is, then II digits might be easy to spoof. Time to drag out my ISDN book I guess :)


On ss7parser, I cannot find certain fields in the ISUP IAM message which relate to II digits. I've scoured the entire packet with a friend to no avail.

Most likely the packets from ss7parser have been recreated from the recommendations and are not actual packets, but now I am insanely curious about where the II digits are located, and in which message.

Are the II digits tacked onto the header in a separate process, message, or location? Are there unlimited 'redirect' fields? I noticed the IAM message counts how many times your call has been "redirected" (forwarded?), and lists the numbers from which you have been redirected.


from what i understand the ii digits aren't in the IAM. look through the data available for "ChargePartyStationType". i believe that's the ii digits field.

> from what i understand the ii digits aren't in the IAM. look through the data available for "ChargePartyStationType". i believe that's the ii digits field.

The II digits are transmitted in the Originating Line Information Parameter (OLIP) of the IAM.


Until we find a way of spoofing any Class of service, that meaning ANI-II digits, we can still manipulate it a little for now with call forwarding. The key thing to keep in mind is that most of the time, in the process of call forwarding, the CPN passes and the ANI/Charge Number (CN) remains the call forwarding number (the number that is forwarding your call). Well, one other thing that seems to pass from the call forwarding number are the ANI-II digits.

As an example, a few of us forwarded someone's cell phone to Strom's CPN and ANI-II digit reading ANAC. Then we spoofed a specific CPN to the cell phone; in this example we'll say it was 617-723-1234. Keeping in mind that cell phones' II digits are usually 61/62/63, the ANAC read ANI-II digits 61/62/63 (I forget which exact II digits it was) along with the spoofed CPN of 617-723-1234. So basically the CPN became known as a cell phone even though it was not.


Doesn't Asterlink allow you to set CoS?


SS7 passes information that the call WAS CALL FORWARDED, and where it was call forwarded from, so not much reason to use call forwarding. For example when you call my Broadvoice # and it's forwarded to my cell my cell's caller ID display says 'NPA-XXX-XXXX From Call Forwarding'

> Until we find a way of spoofing any Class of service, that meaning ANI-II digits, we can still manipulate it a little for now with call forwarding. The key thing to keep in mind is that most of the time, in the process of call forwarding, the CPN passes and the ANI/Charge Number (CN) remains the call forwarding number (the number that is forwarding your call). Well, one other thing that seems to pass from the call forwarding number are the ANI-II digits.
>
> As an example, a few of us forwarded someone's cell phone to Strom's CPN and ANI-II digit reading ANAC. Then we spoofed a specific CPN to the cell phone; in this example we'll say it was 617-723-1234. Keeping in mind that cell phones' II digits are usually 61/62/63, the ANAC read ANI-II digits 61/62/63 (I forget which exact II digits it was) along with the spoofed CPN of 617-723-1234. So basically the CPN became known as a cell phone even though it was not.

> SS7 passes information that the call WAS CALL FORWARDED, and where it was call forwarded from, so not much reason to use call forwarding. For example when you call my Broadvoice # and it's forwarded to my cell my cell's caller ID display says 'NPA-XXX-XXXX From Call Forwarding'

Yes, hence "Original Called Number" and "Redirecting Number"


People may not be aware of it, but the full international (ITU) SS7 specification has been available online free of charge for quite some time now. The ITU ISUP specification differs from the ANSI specification in many ways (for example there is no OLI in ITU ISUP), but it might still be interesting to some of you.

See Q.761 to Q.764 here:

http://www.itu.int/rec/T-REC/e

For example the format of messages and their parameters sent across an ITU ISUP link are documented in Q.763.


Hmm this is interesting. If ANI is derived from the Charge Number, then how come when you forward calls, the ANI comes up as the person who called you? Also, do businesses typically have access to originating line and other call forwarding information when you forward your number to them, or do they just receive the information of the person who called you?

Thanks,

Kaya
