Sign in to follow this  
Followers 0
3d

Web-based Backspoofer

26 posts in this topic

So I've played with this idea for a while in my head and I discussed it with Lucky a bit at Defcon. What I want to do is create a website where a user can enter a 10 digit telephone number and the system will return the CNAM database entry for that number. What I need from the community at BinRev is constructive criticism on the best way to set this system up.

This is how I invision the system:

The frontend will be a form which submits the number to an SQL database. Asterisk will then place a call to itself with the caller ID NUMBER set to the user-specified telephone number. On the inbound call, Asterisk will update the SQL database entry for that number with the CNAM value. Once this process is complete, it will present the CNAM string to the user.

Does this setup sound good? What modifications to this system would you recommend? How will Asterisk know when a new number has been submited to the queue in the SQL database? On the call to itself, no supervision will occur but what DID VoIP provider passes full CNAM information on the call setup? Is this legal?

Edited by BlakeOPS
0

Share this post


Link to post
Share on other sites

Maybe it could automaticly submit every backspoofed number to Bellsmind?

0

Share this post


Link to post
Share on other sites

You would be my hero if you got this project up! I would be happy to contribute any help or some funds if necessary, although I don't think I can help with programming.

One suggestion I have for you to consider:

When new numbers are submitted have them be added to a database or queue. Have the backspoofer check numbers in its database say two or three times in a twentyfour hour period rather than as soon as a number is submitted.

You could have it email the list of numbers a person submitted once the system runs a backspoof on them, or have the backspoofs be searchable by the number submitted for a certain period of time like 48 hours.

This would make it more stable and also less prone to abuse... although I'm not sure exactly how it would be 'abused'. Just it would be important to make it 'abuse-proof'.

0

Share this post


Link to post
Share on other sites

The only problem is that there is different libby databases that have different CNAM info. Like on cox they have some mexican name as mine and then qwest has qhat it is. I know that if I spoof my number to MN to different numbers it comes up unavailable as with in NJ, but if I call the same numbers direct my CNAM pops up "YOU, FEAR" Its aas though they are depending on the information being sent to save money I would say for the lookups. So when this is going to be done make sure the database your pulling from is correct. peace.

0

Share this post


Link to post
Share on other sites

i dont like the idea just because i dont want to blow up backspoofing. i keep quiet about my backspoofing shit.

0

Share this post


Link to post
Share on other sites

(Sorry to post again, but I was going to edit my post until I saw what Natas wrote)

I was also thinking that this should be kept a little "under the radar" so to speak. I just can't help thnking that this is something that scammers or spammers or some other low-lifers are going to discover and abuse, then the telcos will be like :nono:

Ok, I'll shut up now

0

Share this post


Link to post
Share on other sites

I don't plan on going public with the project and BellsMind is way too public. Any other technical observations?

0

Share this post


Link to post
Share on other sites

Are you concerned your provider(s) will catch on to you making a billiion calls to yourself that never get answered?

0

Share this post


Link to post
Share on other sites

Such a system would be very suspetable to a DOS attack on it. As jberryman said previously, put the calls in a que then wait. Along with that, only allow certian people to make one backspoof in 20 seconds or whatever. The best way to do this would be to have a login system then keep track of calls via that.

But after you do that, you should be able to store all the CNAM entires into a database and only check for a new one once a week when its requested. (How long does it take for them to update the CNAM usually?)

0

Share this post


Link to post
Share on other sites
I don't plan on going public with the project and BellsMind is way too public. Any other technical observations?

Um... this is pretty public too. :P

0

Share this post


Link to post
Share on other sites

I think it's an interesting idea, for sure.

0

Share this post


Link to post
Share on other sites

they already got a webbased backspoofer at findusa.com, getting an account is the problem ;)

0

Share this post


Link to post
Share on other sites
I don't plan on going public with the project and BellsMind is way too public. Any other technical observations?

Um... this is pretty public too. :P

What I meant was not everyone in the public will be able to use it.

0

Share this post


Link to post
Share on other sites
Are you concerned your provider(s) will catch on to you making a billiion calls to yourself that never get answered?

If anyone gets nosey he can just say he is an asterisk developer and working on some code for doing blah, blah, blah

0

Share this post


Link to post
Share on other sites

greyarea had a good point. If you want a fair idea of what the number really is, it might be a good idea to pull data from a number of different CNAM's in different areas. What about making it a distributed project? Like, set up a number of asterisk systems in different areas, and when someone makes a call using the web-interface, your computer gets a bunch of other asterisk systems in different areas to also backspoof the call, and send the info to your computer. I'd be all for setting up my asterisk to do that. What do you think of that?

0

Share this post


Link to post
Share on other sites
Are you concerned your provider(s) will catch on to you making a billiion calls to yourself that never get answered?

If anyone gets nosey he can just say he is an asterisk developer and working on some code for doing blah, blah, blah

That's a pretty good idea, good stuff!

0

Share this post


Link to post
Share on other sites

The problems I've seen with the distributed approach:

1) People don't want to give out their numbers for fear of being owned.

2) Other people don't want to let their Asterisk box to take orders and place calls at any time because they still need their landline during "normal" hours.

3) Trust.

If anyone is not afraid of 1 or 2 I think it can work with enough boxes. I haven't found any yet.

0

Share this post


Link to post
Share on other sites

Fear of being owned is lame. I'm all up for letting people use my landline for backspoofing, too. I mean, backspoofing takes what...two or three seconds for a call. Maybe 10, tops. And I can always turn off the backspoofing thinger on my end if I need to make a call. I'm still all for the idea.

0

Share this post


Link to post
Share on other sites

Maybe there should be a signup page or something. :P

I'd be willing to put programming effort into it if there was enough interest. I'd also be willing to do the hosting for free. Let me know via e-mail if anyone is really serious about this.

0

Share this post


Link to post
Share on other sites
Maybe there should be a signup page or something.  :P

I'd be willing to put programming effort into it if there was enough interest.  I'd also be willing to do the hosting for free.  Let me know via e-mail if anyone is really serious about this.

I see this project as an advancement for people into the scene, but the kids that have no idea and just want to mess with shit will really make this hazarous .. I agree with natas .. it needs to be contained! :grr:

0

Share this post


Link to post
Share on other sites

I think this is an a-okay idea as long as access to it is limited to registered members, that you personally accept or decline.

0

Share this post


Link to post
Share on other sites

Findusa seems to be no more. I have several numbers I need to backspoof. What is the best modern way to get this done?

0

Share this post


Link to post
Share on other sites

I think the best way is an Asterisk box running a CID spoofing Perl script. I may be wrong though, heh.

0

Share this post


Link to post
Share on other sites
Findusa seems to be no more. I have several numbers I need to backspoof. What is the best modern way to get this done?

http://presnap.com/ works

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0