ic0n

c5 Trunks Today

2 posts in this topic

*note* ascii art is funked up *note*

6. c5 Trunks Today
Written By: phractal (phractal@teamphreak.net)
Written For: NPANXX010 (www.teamphreak.net)
Written On: 09.10.03

-Intro
-C5?
-How can we bluebox from an SS7 served area?
-Packet/MF signalling translation
-C5 Links Today (from US)
-Dialing Direct To Seize
-Bouncing your Call To Seize
-List Of Terms

[ASCII art: MF keypad with keys 1-9, KP, 0, ST, KP2, C11, C12]

Ok, if you haven't heard about CCITT5 Trunks, I would hardly consider you an "international phreak". Basically, CCITT5 or System 5 is a software protocol used to route telephone traffic. What is interesting to phreaks is that it is an INTERNATIONAL PROTOCOL, and also it is analog. CCITT5 is the system loved by phreaks when they can get on it, because it is vulnerable and powerful.

C5?

It is a blueboxable system. If you want to learn how to bluebox it, I'm going to refer you to Echelon Magazine, which is a UK zine focused on CCITT5 blueboxing, but since it deals with international phreaking, it can be applied over here as well. You should be able to find issues in the downloads section of TeamPhreak.

How can we bluebox from an SS7 served area?

The global PSTN, which the internet actually heavily relies on, connects various continents and countries together with important gateways which then route to smaller offices. Each country's trunking throughout its land can be organized differently for different areas. A common generic example is the T-1 trunks used in North America and Japan and the E-1 Trunks used over in Europe.

US country Directs

Switch software also varies from place to place around the globe. Because of this, gateways need to be able to 'talk' to each other and be able to translate information from digital to analog when necessary. An SS7 gateway has the capability of talking to a C5 system. When you call any of these numbers below your digital signalling from the SS7 packets is actually converted to an analog format, into audible tones.

1-800-532-4462   China Direct (nice ringing!)
                 -Live Operator
                 -they hang up on me now! I call and hear "pleep!... plip!"
1-800-235-1154   Belize Direct:
                 -Automated Menu
                 -Press 1 for Calling Card Call
                 -Press 2 for Collect or Operator (ask to speak to a technician)
1-800-680-7622   Palau Direct: (quite possibly routed via satellite)
                 -NCC Palau Direct Service
                 -Automated Prompt for Card #, 3 tries sucka
1-800-680-8363   Venezuela Direct
                 -Recording, but I believe asks to dial a number in Spanish

Packet/MF Translation:

The tones they are translated to are commonly called MF tones which are NOT the same as on the normal DTMF dialset.

analog             digital         digital incoming                        analog
dial dtmf tones    SS7 packets     translated to MF digits outbound        MF tones
1-800-532-4462---->C.O.----------->International Gateway------------------>Inbound C5 system

It is commonly known that there are toll free numbers called "Home Country Directs" which terminate in other countries. The previous numbers I gave you are all well-secured C5 country directs. Toll free calls to another country? Pretty nice eh? Country Directs are heavily monitored because keep in mind, they are still US numbers, the 1-800 number is still located in the US. Thus Blueboxing off these is hard. What we are interested in are Directs that go through a C5 link. These are clearly recognizable by their "pleep" upon pickup and hangup. But if you find a C5 link that's only half the battle.

C5 links today:

Country Directs seem to be a waning, but ever slowly dying door to C5 boxing. They are nice because you need to pass through a C5 link and it's totally free. Abuse of Country Directs has driven up monitoring and hanging up any call that passes "blocked tones", which would be any bluebox tones. I'm not sure if the US international gateways are doing the monitoring, or if it is a little more specific to the number itself. I know DMS-100's have BlueBox detection software to look for MF digits, but it isn't enabled by default. It is covered in an article by di9ital in Ch4x Magazine Issue 5.

Most Country Directs are actually digital all the way through, to avoid any funny business to begin with. Unfortunately for phreaks, this means that probably calling directly to the country rather than using a 1-800 is probably going to work out better. There are countries that are C5 but have no 1-800 that take us there. Such as Libya and parts of Russia.

There are even still trunks that accept incoming MF signalling INTO the United States, but there are no outgoing stations that use analog signalling anymore. The real battle seems to be getting into an analog area when it seems like most of the gateways have been made to ensure digital only signalling.

Dialing Direct To Seize:

What needs to be done is different routing. Certain routes pass through C5 while others don't. Venezuela actually has two directs, which both go to the same automated operator, but only one goes through a C5 link, as obvious by the pleep.

+1-800-488-0058 "..Bienvenidos a servicio Venezuela Direto.."
+1-800-680-8363 "PLEEP!.. Bienvenidos...."

From some beige box experience and helping myself to dial various countries, I've discovered that routes are a little more variable, sometimes I go through C5, sometimes I don't, whereas the Country Directs pretty much have set routes.

Bouncing Your Call To Seize:

You might try bouncing your call via PBX, calling card or op that is located in another country. Other countries have country directs as well, that are toll free as well. The US and UK directs are pretty much brick walls when trying to bluebox today, but directs from other countries still offer possibilities.

From Australia (CC +61) the following directs are C5:

1800881860            China Direct
1800881973            Bahrain Direct (SS7 from here) (nice ringing!)
1800881701            Russia Direct (SS7 from here)
1800881682            Cook Islands Direct
1800881688            Tuvalu Direct

All SE'd by yours truly from the lovely Australia Telstra Direct operator.

So if you wanted to attempt to seize Russia?

First, lose your ANI for good measure, as once you reach inband trunks from overseas, without an ANI, it really isn't about to be found without serious tracing methods like tracing through electricity.

Your call would look like

______                    ___________________
| US |---------ss7------->|Australian Outdial
        (ANIF packet sent)        |
                                 ss7 (ANI of Outdial unless you diverted)
                                  |
                                 \|/
                          ___________________                  ___________________
                          |Australian Gateway|------c5-------->| Russian Gateway  |
                                              (no packets sent!)

LIST OF TERMS:

ANI-Automatic Number Identification
ANIF-Automatic Number Identification Failure, 02 is sent as ANI II digits
CCITT5/C5-Consultative Committee for International Telegraphy and Telephony # 5 (outdated term, as c5 is an outdated system)
CC-Country Code
MF Digits-MultiFrequency, Audible Tones used in analogue routing, can be spoofed!
SS7-Signaling System 7, Routing sent in packet form, not audibly spoofable

Edited by StankDawg: Use the "CODE" function to maintain formatting/spacing and to ignore some source code from being executed. ;)
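
Added example, not part of phractal's post and not the DMS-100's actual code: the post says some switches can look for MF digits in the voice path and that monitored directs drop calls passing "blocked tones". A generic way such a monitor can work is a Goertzel filter bank that flags frames where two MF frequencies dominate; the frequency list, the 8 kHz rate, the thresholds and all function names below are assumptions of this example.

```python
import math

SAMPLE_RATE = 8000   # Hz, telephony sampling rate (assumed)
FRAME = 320          # 40 ms window; every MF frequency lands on an exact bin
# Standard MF register-signalling frequencies in Hz (not listed in the post).
# A valid MF digit is exactly two of them sounding at once.
MF_FREQS = (700, 900, 1100, 1300, 1500, 1700)

def goertzel_power(samples, freq):
    """Squared DFT magnitude at `freq`, computed with the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def frame_is_mf(frame, dominance=0.8, max_twist=4.0):
    """True when two MF frequencies of similar level carry most of the energy."""
    energy = sum(x * x for x in frame)
    if energy == 0.0:
        return False
    scale = energy * len(frame) / 2.0   # a lone pure tone then has share 1.0
    shares = sorted((goertzel_power(frame, f) / scale for f in MF_FREQS), reverse=True)
    top, second = shares[0], shares[1]
    return top + second >= dominance and top <= max_twist * second

def find_mf_bursts(audio, min_frames=2):
    """Return (start_ms, end_ms) spans of >= min_frames consecutive MF frames."""
    ms = 1000 * FRAME // SAMPLE_RATE
    n_frames = len(audio) // FRAME
    bursts, run_start = [], None
    for i in range(n_frames + 1):       # extra pass flushes a trailing run
        hit = i < n_frames and frame_is_mf(audio[i * FRAME:(i + 1) * FRAME])
        if hit and run_start is None:
            run_start = i
        elif not hit and run_start is not None:
            if i - run_start >= min_frames:
                bursts.append((run_start * ms, i * ms))
            run_start = None
    return bursts

def tone(freqs, n_frames):
    """Constructed test audio: equal-level sum of sines, n_frames long."""
    return [sum(math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(FRAME * n_frames)]

# Constructed call audio: a plain tone, an in-band two-frequency burst, then DTMF.
SAMPLE = tone([440], 5) + tone([900, 1300], 3) + tone([697, 1209], 4)

if __name__ == "__main__":
    print(find_mf_bursts(SAMPLE))   # spans a monitor would log or act on
```

Ordinary subscriber DTMF and single tones do not trip the check, because neither puts most of the frame energy into two MF frequencies of similar level.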


I thought that China Direct disconnected if you tried to seize...
