phrequency
Austech.Info - Phrequency- A Very Good Australian Phreaking Ezine
 |
|
09-03-2002, 07:34 AM
|
#1 |
|
Registered User
|
Phrequency- A Very Good Australian Phreaking Ezine
____ __
/ __ \/ /_ ________ ____ ___ _____ ____ _______ __ / /_/ / __ \/ ___/ _ \/ __ `/ / / / _ \/ __ \/ ___/ / / / / ____/ / / / / / __/ /_/ / /_/ / __/ / / / /__/ /_/ / /_/ /_/ /_/_/ \___/\__, /\__,_/\___/_/ /_/\___/\__, / /_/ /____/ [ 12/08/01 ] ------ ISSUE #1 --> ~-~-~-~-~-~-~- Contents ~-~-~-~-~-~-~- 1. The Telstra Dial-IP Switched Data Network ..................... Marlinspike 2. Working Around The X2 FAST Block .............................. Dark Thief & Zaleth 3. Indigo Box .................................................. .. Dies Irae 4. Caller ID Program ............................................. Diab 5. Payphone Numbers .............................................. Zaleth & Dies Irae 6. RIM & COMNET Overview ......................................... Phreakau Team 7. BnE Into Telstra Exchanges Part II ............................ Marlinspike 8. Telstra News .................................................. Phreakau Team 9. Links .................................................. ....... Phreakau Team ~-~-~-~-~-~-~- Contacts ~-~-~-~-~-~-~- To contact us, or send feedback to the author of an article, select from the following email addresses : Dark Thief (dt) : darkthief@iamwasted.com Diab : diab@hackermail.com Dies Irae : speedy69@mailcity.com Marlinspike : p0lter_g@yahoo.com Zaleth : zaleth@hushmail.com ~-~-~-~-~-~-~- Intro ~-~-~-~-~-~-~- Welcome to the first issue of Phrequency Ezine. This has been in the works for months and has taken a shitload of work to get out to you. This issue was primarily written by Phreakau, a group best described as a "Phreaking Research Group". That is we are interested in the study and exploration of the inner workings of the Australian telecommunications network. Most of us are interested in other subjects, such as computer security, and if we end up working on any significant project that captures that right 'flavour' it might end up in a future issue. However, we are primarily a phreaking group. As you can see from the articles here written by more than one person, we have a strong leaning towards working together on projects and research. Largely, Phreakau is a contributors only group that has been closed off from the the rest of the scene due to concerns over things such as discussion based on raw information being too sensitive for public release. We were going to limit the distribution of this ezine, but a big reason we decided upon a full release is because phreaking has seen abit of a resurgence in the past months and we wanted to give some new phreaking information to the scene, show everyone that phreaking is not dead in AU and what kind of information is available if they have the initiative to simply go out and get it. So, start hanging around your local pits, cans, cabinets and exchanges. Start scanning local number exchanges, 1800 numbers and anything else you can think of. Go trashing. There are people out here willing to share information and help you with your research. You could be the one to uncover the lead by which the next big system or phreaking technique is discovered - all it takes is initiative. Will there be future issues of this ezine? We hope so. We've set this as a precedent in quality, so if we keep going, keep at our research and get the articles for a second issue that rivals this one then there mostly likely will. You are welcome to help, or provide your own touch, of course  For now sit back, whackon some tunes and see what you can learn. ~-~-~-~-~-~-~- The Telstra Dial IP Switched Data Network ~-~-~-~-~-~-~- - By Marlinspike Contents ======== 1. What Is Dial IP? 2. Accessing Dial IP 3. Logging In 4. RADIUS 5. The Dial IP RADIUS Proxy 6. Scanning And Hax0ring 7. Free Calls 8. Logging 9. Further Reading What Is Dial IP? ================ Telstra Dial IP is one of the more recent Switched Data Network offerings from Telstra. It is designed to be a cost-effective and secure solution for dial up users to connect to corporate LANs running IP from anywhere in Australia. Dial IP is classed as a Switched Data Network as the underlying protocol uses packet switching as a transmission method. This is also why it is cost effective as many transmissions can use the same media at once. The theory goes that Dial IP is more secure than regular dialups as it consolidates remote access into one chokepoint using RADIUS rather than having a whole load of unmanageable dialup servers for different areas in the country. Yay. Accessing Dial IP ================= So what's the Dialup? Well, there ain't one. Note that I said 'one'. In the Dial IP network each customer gets their own dialup to the network which connects to their LAN and their LAN only. How does this work? Well, there is a range of numbers assigned as 'Data Network Access Services' for Dial IP. If you apply for a Dial IP service, your dialup will be in that range and you can use that number to call your network. The range of numbers that the Dial IP service uses are : 019830XXXX So that's 019830 followed by FOUR numbers. Just about every technical document I've seen (including the Telstra ones) have got this written wrong. Don't trust them, trust me That is 10,000 assignable numbers. Check the Austel website for 'Data Network Access Service' if you don't believe me. They got it right atleast. An example working Dial IP access number is 0198304107 which belongs to Edith Cowan University for their Remote Rural users (I found this on the net Logging In ========== Okay, you've dialed your number (right now we're examining the system from the perspective of a legitimate user, we'll get into the nefarious shit after I'm done explaining) so what happens next, here's the prompt you get if you've dialed with Hyperterminal or other VT100 emulator (Dial IP has support for PPP/PAP/CHAP so most legit users won't do it this way cause they'll be using windoze dial up networking), I've included all the prompts like you've gone through and got the authentication wrong so you can see : ** Dial IP ** Username: Password: ** Bad Password These are pretty much the standard prompts you will get. This is the RADIUS server talking to you. It may be that it is authenticating you against a UNIX password file, but note that it does not display the UNIX login. This is to prevent information leakage regarding the operating system (and therefore default accounts and so forth). The system can be configured to present a different prompt if wanted, for example, you can get a challenge between the Username and Password for CHAP or token based system and I have also seen custom error messages. The point is the above is the default and has to be deliberately modified if needed to be. You get three incorrect tries before losing the carrier. Once authenticated, you will be handed over to the LAN and can access all resources normally. Most of the time this will mean a PPP is fired back at you, but this can depend on what resource your account allowed you access to, PPPsh in UNIX for example. Yes, if the LAN you've connected to can reach the internet then you've just got net access dependant on the LAN or larger internal network's firewall egress filters etc. of course. RADIUS ====== While we've been logging in in the last section, this is what has been working behind the scenes to authenticate us. It is basically transparent and regular users need not know what it is, but seeing as we're not regular users (not to mention 'interested' in the authentication procedure) it might pay to know abit about it. RADIUS stands for (R)emote (A)uthentication (D)ial (I)n (U)ser (S)ervice and is specified in RFC 2138, with additional accounting details specified in RFC 2139. RADIUS is also Open Source and so can therefore be modified as the providers wish. In this way it can be customised to support various different authentication protocols. At the destination LAN resides the RADIUS server. This can be in synch with whatever table of usernames and passwords the LAN cares to use. When the user dials up, they are attached to the RADIUS client, which will issue a request for authentication (username and password etc.) The user types it in and the client sends the request to the server for verification. As you can see this centralises the authentication procedure to the one RADIUS server on the LAN which is completely under the control of the owner of the LAN. The RADIUS server and client share a secret key. This is used to encrypt the authentication request in transit. Although the medium used is a Telstra controlled dedicated frame relay service and therefore inaccessible to anyone but Telstra staff (theoretically anyway) the encryption provides an extra layer of security. The Dial IP RADIUS Proxy ======================== Despite the fact that Dial IP uses separate PSTN numbers for access to separate systems, Dial IP is still one big network. The communications media are not dedicated to each customer, they are interwoven with packets from each customer being transmitted alongside one another. What this means is that there needs to be another layer to the system directing traffic from the Dial Gateways (PoPs or Dialin Nodes etc.) to the various LAN controlled RADIUS servers. This makes Dial IP differ from a traditional RADIUS network somewhat, although still providing good transparency. This is where the Telstra Dial IP RADIUS proxy comes in. Once the dial in user has connected, the client actually forwards the authentication request to the RADIUS proxy. Then, the proxy determines which end RADIUS server the request needs to go to based upon the PSTN Dial IP access number dialed. Crap ASCII pr0n diagram follows : _______________ ___________ ____ ____ ________ | | | | / \ / \ | | | Dial IP | | Dial IP | | |_/ \ | RADIUS | | Gateway & |------>| RADIUS |------> Dial IP ---|---->| Server | | RADIUS Client | | Proxy | | ____ / | At LAN | |_______________| |___________| \__/ \___/ |________| As far as the RADIUS server is concerned, it is talking to a regular client. The proxy is completely transparent. There are actually multiple proxies around Australia to ensure reliability and availability. Scanning And Hax0ring ===================== The fact that the prompts are standardised present an interesting problem in terms of hacking on Dial IP. Also, I have tried a whole load of numbers in all areas of the range and have never received a message stating the number is not connected, neither a voice message, nor a message in my terminal window. So, even if you ring a number that is not connected to a LAN, you will get : ** Dial IP ** Username: Password: ** Bad Password 3 tries and then NO CARRIER. So infact, you may not have even been hacking into a system at all. Of course, there is always the possibility that you get a non-standard login prompt or a challenge, which would certainly indicate a system present or a custom error message, like this one from the ECU number I mentioned earlier : ** Dial IP ** Username: Password: Login Failed: check your username, password and time limits. A classic case of user friendliness over security. As far as hacking is concerned, the obvious thing to note is that system identification is quite difficult and so what you'll have to do is have a generic set of usernames to try from various systems. As far as I can tell, the systems most in use on Dial IP are Windows NT/2000 and then UNIX. There is one other way to determine if a number connects to a valid system or not, which I will now 'splain you. Free Calls ========== Being a phreaking zine this was bound to come up. I am however, speaking of it here in a semi-legitimate capacity. You see, I do most of my scanning from payphones. When scanning these Dial IP numbers after I first learned of the network I noticed that some of the numbers were being connected and modem breath emitting without my having to insert coins/phreaking for the call. Many did require payment/phreaking. In documentation it does mention that you can provide the dialin at free call rate if desired. Obviously, if the number is not connected Telstra wouldn't be footing for a free call for you now would they? It is the default that the numbers are not free and if you scanned looking for free numbers you could probably get a lengthy list of valid numbers. Sure you'd miss afew, but in the meantime you've got a whole bunch of valid systems to play with that are free to ring continuosly. Logging ======= This is something I get asked about alot in regards to Austpac Public Access PADs. What kind of logging do they have? can they log with ANI/CLI? Well, here's what I know about Dial IP. Due to the nature of RADIUS, there is the potential to log alot of stuff. The logs for Dial IP at the RADIUS server are very verbose. There are two logs generated for a session, a start log and a stop log. They contain entries such as : Start Time Stop Time Username Logged in under Session Time Framing Protocol Used Allocated IP Address Reason For Disconnection Called Station ID - The last four digits of the number dialled AND ALSO CALLING STATION ID (!!!) - This is the number Dial IP was CALLED FROM. However, for most users the last 3 digits of the number will not be recorded in the RADIUS logs. Basically, this provides for administrators of the system to know what suburb the call came from. Note that often the 4th to last number is needed to make up the exchange prefix in some phone numbers. Some 'authorised' customers can receive logs of the full numbers, but I am unsure whether this is allowed for some kind of government security agencies, or just whether or not you grease Telstra's palms enough. Probably the latter. The fact of the matter is, this last item is necessary for us to know, but seeing as it can be defeated by a simple call to a number diverted to the relevant Dial IP access number (in the suburb the owner of the username resides) it is still not a security panacea. Further Reading =============== Linkage : http://www.telstra.com.au/dialip/ Documents: Telstra Remote Access Dial-In User Service (RADIUS) Information Document RFC 2138 Remote Authentication Dial In User Service (RADIUS) RFC 2139 RADIUS Accounting - Marlinspike 10/6/01 ~-~-~-~-~-~-~- Working Around The X2 FAST Block ~-~-~-~-~-~-~- - By Dark Thief & Zaleth Contents ======== Summary Of FAST The X2 FAST Block Zaleth's Workaround (Aka "Dick Smith's Revenge") Dark Thief's Workaround (Aka "#INCLUDE <Dark.*>") Summary Of FAST =============== FAST (F)ield (A)ccess to (S)ULTAN (T)esting is Telstra's field based access service for Telstra techs (linesmen etc.) to obtain remote (field) access to special functions such as electrical tests from an exchange along a customer's line. FAST is accessed via a 1800 number : 1800 050 051 This number is in the 1800 prefix 1800 05x xxx which denotes "Enhanced 1800" and in which calls are routed to destinations based on the location of the caller. The FAST number was originally discovered in a 1800 scan by APB (Australian Phone Brotherhood) and first detailed by ALOC in Morpheus Laughing #1. Subsequent 1800 scans in the 05 prefix haven't turned up anything more of special interest (although that doesn't mean we're not still trying  FAST seems to be constantly having features added to it andhas had some options added since the 1999 Morpheus article. A Telstra employee number and its corresponding PIN are required to access the service, which makes it mostly inaccessible to people without contacts or the enterprise to get this info themselves. The X2 FAST Block ================= When FAST was first discovered it was relatively easy for us all to explore it as we could simply dial it up from a payphone and have fun. For some wierd reason Telstra does not want us screwing around with their system (or something like that anyway) and have taken measures to prevent FAST from being called from payphones. Bugger. Well, until now anyway. w00h00! So, you ring FAST from a payphone and what happens? Well, everything is fine until you get to 1800 050 05. The immediate moment you press the '1' that follows here is what happens : (1) The payphone disconnects the line (2) The screen displays "Service Not Available" (3) The payphone resets and you get dial-tone again This is similar to what would happen if you pressed the FOLLOW ON button. If 1800 050 052 or any other permutation on the last number apart from '1' is dialed, the phone will place the call and not reset. The reset occurs only on pressing the last '1' in FAST. It occurs without pause for connection or other signalling. Based on this, it follows that the payphone itself implements the FAST block. There are other ways for Telstra to administer a block on a service. For example, if some 127 xxx xxx numbers, such as ANI and RINGBACK are called from a payphone, it will call through and the service itself will announce "Access Denied To Customer Number" for ANI. This is a function of the payphone LINE and not because of any signalling from the payphone itself. If we think of the payphone as a 'client' then what we've got in terms of protection against us calling FAST is a protection scheme based on the restrictiveness of the client. However, in order for the payphone to work it requires a channel to send its signalling data (in the form of DTMF tones) to the exchange and a channel by which to send the user supplied voice communications. These two channels are one and the same. The 'protection' is implemented by limiting what signals the user can send by function of the payphone. The problem is - What if the user supplies his own signalling data on the common communications/signalling channel or subverts the client (payphone) to unwittingly send the right signals to the channel in an unexpected manner? This type of problem is analogous to users editing the URL in a web browser instead of submitting data through a controlled HTML form and also the good ole in-band inter-office signalling that has caused Telcos so many problems in the past. We've included two methods of exploiting this problem in this article and hopefully the discussion will spark some new ideas on how to get around the FAST block and other similar blocks. An obvious method would be to beige box off the pit near the payphone, or from the plugs in the wall, but we wanted to be more cool & doing this in broad daylight may attract the wrong kind of attention (ie ass whooping by irate store owner or police officer). This block is called the X2 FAST block because that (The Smartphone) was the phone it was originally discovered on, the most prevalent payphone around these days and hence the phone you'll most probably encounter it on. However, Zaleth checked out some other phones for the block as well. Bluephones don't seem to have a FAST block on them. This is probably because this type of blocking feature is unsupported. However, if it was, it could be worked around like the other phones. P2's or PHONECARD phones, pieces of antiquated crap from the early '90s that you insert a magstripe card into to make calls and have it punch holes in the card to show you how much credit you have left, believe it or not, have FAST blocks on them. Fortunately, both workarounds described below have been tested, and work, on P2's. Zaleth's Workaround (Aka "Dick Smith's Revenge") ================================================ Recently, Dick Smith bought out Tandy. This may have some kind of greater economic implications that we frankly couldn't care less about, but what we do care about is that as a result of the buyout a lot of Tandy's "low dollar" products (little stuff, electronic components etc.) have been discontinued presumably to give Dick Smith Electronics stores a monopoly in that area. One of the lines included in the discontinuation were Tandy's Tone Dialers. As a result, they were going out the door cheap cheap ($2.95 - Thanks to Nightscout for this info). Due to not wanting to be the poor bastard that didn't invest the price of a Big Mac to get a tone dialer in the instance a use was found for them we all went out and bought tone dialers. Ironically, this probably accounts for the fact that a use has now been found for them. Sucks if you didn't jump on the bandwagon (fact is if you hurry there are still some left So, back to FAST. Tone Dialers give us a useful ability. The ability to supply DTMF signalling on the shared communications/signalling channel from the payphone to the exchange. To put it simply, we can signal the exchange with the number we want to call using the tone dialer without the payphone being able to detect what we've dialed and hence not knowing to block us if we call FAST. Step by step : (1) Lift handset, dial 1800 (2) Whip out tone dialer, hold to mouthpiece of payphone, dial 050 051 (3) Get put through to FAST - Enter employee number + PIN as usual Dark Thief's Method (Aka "#INCLUDE <Dark.*>") ============================================= A nifty feature currently installed on the X2's is AUTO REDIAL. This is used when, you've put your coins in the phone and you've rung someone up, the line is engaged or the call rings out and you want to place another call without reinserting your coins. To call again, you press FOLLOW ON, then '*'. The '*' is the button that denotes AUTO REDIAL but it must be noted that AUTO REDIAL does not work if you replace the handset rather than pressing FOLLOW ON. You must press FOLLOW ON to use AUTO REDIAL. When you press the '*' the number will "fan" across the screen and the number will be redialed for you. Neato huh? OK, maybe its not that cool, but throw intended purposes out the window and you've got yourself a subversive little function so yes neato! How this is used to work around FAST is by inputting the first numbers of FAST into memory and using that as part of the number for the phone to dial (note that if you put all numbers of FAST into memory the phone would reset and it wouldn't work). It goes a little like this : (1) Dial 1800 050 05 (2) Hit FOLLOW ON (3) Wait for phone to reset whilst cackling insanely (4) Hit '*' (5) Dial '1' (6) Get put through to FAST What you've just done is put the first part of FAST (1800 050 05) into memory, reset the phone, redialled 1800 050 05 and then whacked in the last number of FAST (1) in order to complete the call without the payphone knowing you've called FAST and therefore bypassing the blocking mechanism. - Propz Dark Thief & Zaleth 10/8/01 ~-~-~-~-~-~-~- Indigo Box ~-~-~-~-~-~-~- - By Dies Irae This is a Brown, DLOC, Party, Pink Box, they all do basically the same thing...connect two phone lines together. so that you can take advantage of conference call, eg have 5 ppl instead of 3. All of those boxes i meantioned before were for america, so i decided to alter one for Australia. It wasn't to hard, but have fun and don't get caught. Because there are many things that they (Tel$tra and Austel) can screw you over for having and placing this on your line. (Just warning you). There has to be enough to phone wire from each of the male plugs so that the box can be in the middle of the two phone wall outlets.then you can mount a modular plug in the side of the box so you plug your phone in if you want. Also i presume that you have a grasp of electronics and know how to wire plugs up. THE SCHEMATIC WONT MAKE MUCH SENSE UNLESS YOU KNOW WHAT A KNIFE SWITCH LOOKS LIKE...SO BUY THE PARTS AND THEN LOOK AT IT... You Will Need ------------- Okay I'll be nice and include Dick $mith catalog numbers... 2 SPST Switches (i used P 7668) $2.60 2 Phone Lines 2 Male Phone Plugs (F 5117) $6.95 1 Knife Switch (P 7862) $4.95 2 alligator clips (P 6406) $0.80 1 Phone 1 White Plastic Box (you can buy them from Dick Smith, fairly small 10cm x 10cm max) 1 can Indigo spray paint (optional, to spray the box of course) SPST===============|blue or white wire to phone alligator clip | __________|_|__________ alligator clip | | | |=| | | male plug===|====to knife switch= | |++to knife switch+++|+++++male plug | knife switch | male plug--------to knife switch- | |,,to knife switch,,,,,male plug | | | | ---------|------------- |SPST++++++++++++|blue or white wire to phone = white line from line 1 - blue line from line 1 + blue line from line 2 , white line from line 2 instructions ------------ 1. assemble it like the crap schematic. where a wire hits the knife switch, screw it in. 2. where the connections from line 1 come in, also screw the wires connecting to the SPST switches. 3. strip back a bit of covering from one wire from either of the male plugs. and solder an alligator clip on. 4. no on the other wire coming from each of the male plugs, (not the one with the alligator clip) strip back enough covering to clip the alligator clip on. using it -------- well you have to built it right for it to work... IMPORTANT!!! MAKE SURE THAT BOTH OF THE SPST SWITCHES ARE OFF BEFORE YOU START DOING THIS BELOW! first put the handle of the knife switch to the left, (so line 1 is open) so you are dialing on line 1. dial your two ppl and conference them. then clip the alligator clip across these to lines. this is to keep the line open. now throw the knife switch over to the right, so that you are dialling on line 2. now dial and conference your two ppl on line 2. then open both of the SPST switches and you should have 5 ppl online. easy... ~-~-~-~-~-~-~- Caller ID Program ~-~-~-~-~-~-~- - By Diab /* * * Simple caller ID program for POSIX Compliant systems * Should work for: Linux, windows (providing you have a C compiler, * e.g. djgpp), and most *nix variants. * * Usage: ./callid <modem-port> <outfile> * e.g. *nix: ./callid /dev/ttyS1 clid.log * e.g. win: ./callid COM2 clid.log * * * NOTE * : Your modem should be able to receive callerID information for * this program to work, consult your modem manual. Most modems * should have this feature. * * - diab < diab@hackermail.com > * */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <fcntl.h> #include <termios.h> #define ENABLE "AT#CID=1\r" /* This enables Caller ID on my modem */ /* Change if you want... */ void set_terminal(void); int fd, send, n; struct termios options; FILE *logfile; int main(int argc, char *argv[]) { char recv[3024]; char s3nd[100]; fprintf(stderr,"\n----------------------------------------\n"); fprintf(stderr,"Callid by diab - < diab@hackermail.com >\n"); fprintf(stderr,"----------------------------------------\n\n"); if(argc!=3){ fprintf(stderr,"Usage: %s <Modem-Port> <OutFile>\n", argv[0]); exit(1); } /* open log file */ if((logfile = fopen(argv[2], "a")) == NULL){ fprintf(stderr,"Error opening log file: %s\n", argv[2]); exit(0); } /* open modem port */ fd = open(argv[1], O_RDWR | O_NDELAY); if(fd==1){ fprintf(stderr, "Can not open modem port:[ %s ]\n", argv[1]); exit(1); } fcntl(fd, F_SETFL, 0); sleep(1); /* set the terminal baud rate etc */ set_terminal(); /* send cid init string */ snprintf(s3nd, sizeof(s3nd),"%s", ENABLE); fprintf(stderr,"[!] Enabling caller id on your modem\n"); fprintf(stderr,"[!] Waiting for call...\n"); send = write(fd, s3nd, strlen(s3nd)); /* keep reading modem port until we get a ring and notify the user */ while ((n = read(fd, recv, sizeof(recv))) > 0) { fprintf(stderr,"%s", recv); if (strstr(recv, "RING") != NULL) { fprintf(stderr,"[!] Phone ringing... saving Caller ID info.\n"); printf("\a"); } fprintf(logfile, "%s", recv); fflush(logfile); sleep(1); bzero(recv,sizeof(recv)); } return 0; } /* terminal stuff */ void set_terminal(void) { tcgetattr(fd, &options); options.c_cflag |= (CLOCAL | CREAD); options.c_cflag &= ~PARENB; options.c_cflag &= ~CSTOPB; options.c_cflag &= ~CSIZE; options.c_cflag |= CS8; options.c_iflag |= (INPCK | ISTRIP); options.c_lflag &= ~(ICANON | ECHO | ISIG); options.c_oflag &= ~OPOST; cfsetispeed(&options, B115200); cfsetospeed(&options, B115200); tcsetattr(fd, TCSANOW, &options); } ~-~-~-~-~-~-~- Payphone Numbers ~-~-~-~-~-~-~- - By Zaleth & Dies Irae Shenton Park: - Onslow Rd: - X2 Outside Playgroup: (08)9381 2876 - X2 Near Newsagent: (08)9388 3527 - X2 Outside chemist: (08)9388 3535 - Smith Rd: - X2 near Abedare Rd near graveyard gates: (08)9388 1635 - Derby Rd: - X2 Corner of Nickleson Rd next to chemist: (08)9381 1033 Daglish: - Park (Near a lot of units) - Phonecard phone opposite park: (08)9381 5903 (weird ringer) Melbourne ... Mentone: - Blue Phone, Some School: (03) 9583 1179 - Blue Phone, Some School #2: (03) 9583 1189 - Blue Phone, Franklins: (03) 9585 3962 - Blue Phone, Safeways: (03) 9585 1556 ~-~-~-~-~-~-~- RIM & COMNET Overview ~-~-~-~-~-~-~- - By Phreakau Team 1. What Is A RIM? 2. Types Of RIMs 3. RIM Components 4. SULTAN And RIMs 5. COMNET-1 6. COMNET-2 7. Systems Interfaces If you have read Neurocactus #7, you would have read their article about RIM Remote System. Well, some of us at Phreakau have come across some information on this subject and so have decided to provide a further overview or sequel on this interesting technology and information about advances since 1996 when it was incepted. 1. What Is A RIM? ================= R.I.M. Stands for (R)emote (I)ntegrated (M)ultiplexer. The RIM System consists of several components. The main component is the RU (Remote Unit) itself. This is often seen as a green cabinet by the roadside although they can also be found indoors. There is also the EU (Exchange Unit) which is used to communicate between the servicing switch and the RIM Box (RU). These two components are manufactured by Alcatel. The RU has a communications channel for OAM (Operations, Administration & Maintenance) use, which is to say that it can be remotely controlled. In Australia this was implemented with COMNET, which we will get into later. A RIM is a highly modular electronic pair gain system. A pair gain system is defined in Telstra documentation as: "A system that cuts down on the number of wire pairs needed to carry telephone channels. They work by multiplexing analog conversations together into a digital transmission that can be sent more efficiently." So that would be that each customer's line feeds into the RIM, the RIM multiplexes the transmissions into a digital transmission and sends it off to the exchange. The speed of the RIM -> Exchange Bearer Cable is generally 2Mbits/s over copper cable with a higher rate of 8Mbits/s or 34Mbits/s using a fibre optic bearer. RIMs can also use radio if required. This is probably used only in rural deployments. RIMs can also, through their various modules, support various Special Services such as PABXes and Faxstream. Capabilities like providing a ring signal for incoming calls, DTMF and Call Progress Signalling are standard. 2. Types Of RIMs ================ Being extremely modular RIMs can come in many different configurations. However, there are some basic types of configuration that can be noted. Mode Of Integration ~~~~~~~~~~~~~~~~~~~ RIMs are capable of interfacing with their servicing/parent exchange in a few different ways. We already know that when transmissions are received, the RIM multiplexes them into a digital transmission. Where the modes of integration differ is how the RIM is further integrated into the Telephone Network as a whole. There are a few modes : (*) Non Integrated Mode:- In this mode the digital transmission is de-multiplexed at the parent exchange back into copper pairs. That means that for each pair going into the RIM there is still a corresponding pair at the exchange, as there would be in normal operation. This requires the EU to be present at the exchange. A RIM EU can be mounted via an Exchange Unit Rack Panel Adapter and can be fitted to a Type 84 or Type 92 exchange rack. (*) Integrated Mode:- In this mode the digital transmission is not de-multiplexed at the parent exchange but instead bypasses the racks and goes direct to the switching stage. This requires that the switch in use has a 'parenting' protocol for which it can communicate with equipment such as a RIM and handle its traffic directly. See below in IRIM Interface Protocol for more information. (*) Mixed Mode:- This is quite simply where the RIM utilises both modes for separate pairs. For whatever reason, probably to provide some type of special services this mode may be required. An EU and a direct link to the switch are both present in this mode. Size ~~~~ Depending upon the amount of pairs the RIM will need to service the size of the Remote Unit can differ. The standard amount of pairs that can fit into one access panel is 60 but RIMs have more than one access panel. There are three sizes currently in use depending on requirements, 240 Lines, 480 Lines & 180 Lines in the New CRIMS (Compact RIMs). IRIM Interface Protocol ~~~~~~~~~~~~~~~~~~~~~~~ Where the RIM is configured as integrated there needs to be a common protocol between the RIM and the switch at the exchange for communication of the various multiplexed transmissions and the switching instructions. There are a few different types of exchanges in use in Australia and the Parenting Protocol for each is different : Type Of Exchange Parenting Protocol Info Ericsson AXE ARK-P Stands for ARK-Parenting Ericsson AXE ESM Probably Newer Ericsson Protocol Alcatel Sys12 RSU CAN Or IEN ~~~~~~~~~~ RIMs were designed to save copper wiring and take the load off existing exchanges. There are two distinct situations in which they can be used. A RIM can be deployed in the CAN (Customer Access Network), that is a RIM serviced by a local exchange and used as support for an area within an exchange locality. However, A RIM can also be deployed as an exchange in its own right. Old Ericsson ARK exchanges in rural areas (ARK is a Crossbar exchange - very schick) are being outmoded and replaced by RIMs. In this type of deployment they are connected to the IEN, the Inter Exchange Network and are serviced by a transit exchange. 3. RIM Components ================= I will now attempt to explain the basic structure of components within RIM units. Bear in mind that the information we had was abit sketchy in this area, but we believe we have put it together correctly. The more specific cards are fitted to panels in the units, so we'll start with the panels : Exchange Unit Panels ~~~~~~~~~~~~~~~~~~~~ The Exchange Units for interface with the parent switch have a base selection of panels. Note that in Integrated Mode, there are no Access Panels as there is no need to demultiplex to individual pairs : (*) Access Panels - Provides the end copper pair connections to the switch with the various electrical capabilities of the pairs. (*) Line Transmission Panel - Reponsible for communicating on the optical or electrical bearer between the EU and RU. (*) Common Panel - Provides control, clock generation/distribution and OAM (ie COMNET) access functions at both EU and RU. (*) Power And Alarm Distribution Panel Remote Unit Compartments ~~~~~~~~~~~~~~~~~~~~~~~~ All RIM installations will have the following base compartments and panels. Where they differ will be the cards and the software on the cards used to implement differing jobs : (*) Cross Connect Facility Compartment (*) Equipment Compartment With The Following Panels (Same uses as in EU) : (*) Access Panels - Connected to customer side pairs (*) Line Transmission Panel (*) Common Panel And additionally : (*) Ring/Meter Panel - Provides RING and METER pulses (*) Terminal Regenerator Panel - Capable of boosting signals for further transmission (*) Trunk Interface Panel - Interfaces Between Common and Line Transmission Panels (OAM comms are multiplexed in with regular comms) (*) Environmental Control Panel - Cooling fans and climate control (*) Power And Battery Compartment Card Components ~~~~~~~~~~~~~~~ More specific components would include things like a module card for Access Panels that allows communication with 4/6 wire customer units such as PABXes and 4 Wire Modems. I won't go into much more detail about various cards that can be installed, as that is where the information gets really sketchy and it probably wouldn't make for much interesting reading anyway. However, there are two things I would like to explain. The first is the units used for OAM (Which stands for Operations, Administration & Maintenance), which in Australia is handled by COMNET and the second is RIM support for things like SULTAN. I will explain the first now, but SULTAN has a full section afterwards. Remote Management/OAM : The RMU (Remote Management Unit) is responsible for providing an integrated OAM system. It communicates with the counterpart remote or exchange unit and the NMQ (Network Management Units) via a Q2 Bus OAM link. The RMU is probably mounted on the Common Panel and seems to communicate over the Q2 Bus with the RAC Unit (Rate Adaptor Unit) which enables multiplexing of OAM communications onto the main bearer. The RAC Unit is probably mounted on the Trunk Interface Panel. The NMQ communicates with the RMU and the COP (COre Processor unit). It also receives some alarm messages from other RIM components. 4. SULTAN And RIMs ================== This section will be short but I believed it was important enough to warrant its own separate section. First of all S.U.L.T.A.N. stands for (SU)bscriber (L)ine (T)esting (A)ccess (N)etwork. This system is responsible for performing electrical tests on subscriber lines. Now, a little thing that not all of you may be aware of is that F.A.S.T. stands for (F)ield (A)ccess to (S)ULTAN (T)esting, however those of you that are familiar with the system may know about running a SULTAN test through FAST. The fact that to do an electrical test on a customer line you need a complete electric path (ie. coppper wiring path) along the length of the customer line poses a problem for RIMs as there is no constant path for each individual pair. They are multiplexed at the RIM. Alcatel has solved this with the CTU (C)ustomer (T)est (U)nit. This unit takes care of electrical testing from the RIM itself as directed via SULTAN through COMNET-1 or by COMNET-2 itself. The CTU is also capable of establishing a speech path for call setup between an operator and a customer as in ring testing. It can also perform busy line monitoring and testing of tones and pulses on the line. Altogether a pretty nifty unit. Typically, SULTAN can test the status of the RIM and if OK it can proceed with a line test from the RU to the customer equipment using the CTU. Yes. Using FAST you can test the status of a RIM and also any specific lines through the RIM. Remember FAST stands for Field Access to SULTAN Testing. I just had to explicitly state this or else I just know I would be asked the relevant stupid question by someone in the future heh. An electrical test on a line can also be initiated by a COMNET system terminal or, automatically by COMNET-2. 5. COMNET-1 =========== Okay, lets start by playing games with acronyms. Telstra, like most large telecommunications corporations and the military like acronyms cause they sound cool. Here's the explanation of the acronym COMNET. COMNET is actually a few acronyms within one another. First there is : COMNET : (C)AN (O)A(M) (NET)work CAN and OAM are acronyms themselves : CAN : (C)ustomer (A)ccess (N)etwork - This defines the telecommunications network area between an exchange and the customer premises. RIMs are installed in this area. OAM : (O)perations, (A)dministration & (M)aintenance. So COMNET actually stands for : Customer Access Network Operations, Adminstrations & Maintenance Network. Shame to all of you who thought it simply stood for "(COM)munications (NET)work". 'COMNET' refers to the network and associated systems that are required for interface between various core Telstra systems and RIM to provide the management that RIM requires to be a part of the telecommunications network. COMNET-1 was the initial stage of this product created to support the roll-out of the RIM system, and COMNET-2 is a further upgrade of the product. This upgrade has been implemented one location at a time and so depending on your area the available system may be either COMNET-1 or 2. The support provided by COMNET-1 can be broken down into the following applications : Service Activation ~~~~~~~~~~~~~~~~~~ (*) Automatic activation of RIM equipment in conjunction with the exchange interface to provide the physical service (*) Recording of newly commissioned RIMs Service Assurance ~~~~~~~~~~~~~~~~~ (*) Customer fault report handling (*) Efficient management of RIM equipment alarms (*) Pro-active planned outage and hazard advice (*) Repair workforce dispatch (*) Remote diagnostic handling Other Key Features ~~~~~~~~~~~~~~~~~~ (*) Remote software download (down to card level) (*) Remote network management of RIM systems (*) Remote customer line testing (Standard SULTAN functionality) (*) Remote configuration management (*) In service performance monitoring, fault location and alarm monitoring (Alarm and equipment fault reports are relayed to the NMG, which will then dispatch a service restorer) The management application used on COMNET-1 workstations is NECTAS : Network Element Craft Application Software. The network is X.25 based, and as you will see ALOT of Telstra systems seem to hang of X.25 and not just COMNET. Explanatory ASCII Pr0n diagram demonstrates : FIGURE 1 : COMNET-1 ARCHITECTURE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Customer Operations National Maintenance Centre Group Alarm COMNET <---- Terminal COMNET Handler Workstation Application Workstation | ___<>________|_____ is NECTAS ___|_____<>______ | / Lan Lan \ / / \ __________/ ___/ RIM \/ \ / / / COMNET \/ / SULTAN --------| Data Comms |----------Mediator-------RIM \ Network / \ \__________/ `--modem >-< modem -- RIM 6. COMNET-2 =========== As previously mentioned, the COMNET-1 architecture was largely an ad-hoc arrangement to support the initial RIM inception. According to Telstra, a number of problems existed with COMNET-1 that they sought to correct. Some of these were : (*) The distributed nature of the network made it hard to maintain things like security and integrity of the system. There was a lack of central management that they wished to address. (*) The Mediator between the RIMs and the COMNET Data Communications Network was not standard and so whenever the RIM software was upgraded by Alcatel, new support needed to be implemented in the Mediator. (*) Alarm management was inadequate. (Hehe, this is bad). (*) Integration with Telstra core systems was inadequate and Telstra wished to automate many tasks such as Activation without having to manually go to all the involved systems and Exchange Interfaces. COMNET-2 was the answer to these problems. Further upgrades are always being proposed. Here is a diagram of the COMNET-2 setup : FIGURE 2 : COMNET-2 ARCHITECTURE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Customer Operations Regional Maintenance Centre (Regional) Group COMNET COMNET Workstation Workstation ____|__________<>_____ ______<>__________|____ Lan \ / Lan \_____ _____/ \ / _\______/_ | | SULTAN _________________| Manager/ |__________________ Service | Agent | Activation |__________| | _____|____ / \ / COMNET-2 \ | Data Comm | \ Network / \__________/ / | \ / | \ / | \ RIM RIM RIM As you can see this setup is much neater (The diagram is neater and was much easier to draw as well). Obvious differences between this and the COMNET-1 setup are : (*) The introduction of the central Manager/Agent. We are unclear on whether there are Manager/Agents for each region or whether this component is national. (*) Removal of the Mediator between the RIMs and the network. It is now standardised as much as possible and the rest handled by the Manager/Agent. (*) Removal of the modem connections to the RIMs. (*) Removal of the singular Alarm Handler which is now integrated and automated. RIM alarms are now forwarded to NICAD (National Integrated Customer Alarm Display). (*) Introduction of a Service Activation component which is an integration with Telstra core systems such as AXIS & RASS. (*) Communications with Regional centres rather than National. Additional features of COMNET-2 include : (*) Improved customer line testing capability. COMNET-2 will automatically test lines and not just when directed to by SULTAN or a system terminal. (*) Remote software download, backup and archiving. (*) Organised security management. (*) Operating on the HP OpenView software platform. If I had to speculate on the security architecture of COMNET-2 I'd say that the Telstra core mainframe etc systems and LANs around the country communicate with the Manager/Agent over X.25 and the requests are moderated and passed on to COMNET-2 as appropriate. In this manner the Manager/Agent acts as a kind of national application proxy firewall moderating requests for action. COMNET-2 may also communicate over the X.25 network, but the RIM access points would only accept connections from the Manager/Agent. Hence, a less distributed method of managing security/integrity with the Manager/Agent as a chokepoint. Of course, all this goes out the window if someone were to 0wn the Manager/Agent, make acceptable requests that do the job, or subvert the COMNET-2 communications protection. 7. Systems Interfaces ===================== COMNET, and particularly COMNET-2 support integration with existing Telstra core systems. COMNET-2 in particular is designed to be configured automatically by entering the details into the core systems. In the context of the information below, 'regular telephone lines' means regular voice grade telephone or P.O.T.S. lines and not lines supporting Special Services. Some systems and the ways in which they interact with RIM & COMNET are : (*) AXIS : The order system used by Telstra to order work to be done on regular telephone lines. This can involve ordering a linesman to set a line up, automatically configuring the exchange by interfacing with AUTOCAT or, remotely configuring a RIM via COMNET. (*) AUTOCAT : (AUTO)matic (C)onfigur(A)tion of (T)elephone Exchanges, or (AUTO)matic (CAT)egory Change System. The automated system that other Telstra systems integrate with to automatically configure a telephone exchange. Does this by changing 'categories' within the exchange. (*) DCRIS : (D)istributed (C)ustomer (R)ecord (I)nformation (S)ystem. COMNET initially accepted service orders from this system until it was replaced in 1997 by AXIS. (*) FACS : (F)rame (A)nd (C)able (S)ystem. A database used to record information and manage regular telephone lines. RIM configuration information is also stored in FACS. Used for some recording of copper RIM bearers. Also for recording of some Special Services lines such as ISDN. (*) MULTIMAN : Optical links recording system for CAN. If the RIM uses an optical bearer, it will be recorded in MULTIMAN rather than FACS or NPAMS. (*) NPAMS : (N)etwork (P)lant (A)ssignment and (M)anagement (S)ystem. Used for some recording of copper bearers from RIMs. Also used for recording RIMs in the IEN as cable pair groups. Used for some management of regular telephone lines. (*) RASS : (R)ecord (A)utomation for (S)pecial (S)ervices. Order system for Special Services rather than regular telephone lines. AXIS's Special Services counterpart. Two sub-systems : RASS-P (RASS-(P)rovisioning) & RASS-M (RASS-(M)aintenance). (*) TRAC : (T)ransmission (R)ecording (A)nd (C)ontrol System. Used for recording RIMs in the Inter Exchange Network. Recorded as multiplex links. Propz - Phreakau Team 5/8/01 ~-~-~-~-~-~-~- Bne Into Telstra Exchanges Part II ~-~-~-~-~-~-~- - By Marlinspike Intro Building And Security Whats Inside Area Sensors Slip & Pull Tool Contact Switches Door Destruction Schools Of Entry Appendix 1 : Responsibilities For Credential Users Appendix 2 : Social Engineering The After Hours Centre Intro ===== In your suburb right now, the coolest place by far in the entire area is inside your local telephone exchange. This is part II of my manuals on breaking into them with the intention of learning more about the telephone network and procuring information (such as hands-on experience & manuals) about the telephone network. Every successful Phreaker who got anywhere did this. Poulsen did it, Mitnick did it, The Phonemasters did it - and now you can do it too. The first manual was basically my conclusions on what techniques could be used to enter exchanges from afew basic observations. This manual will cover my conclusions based on my now extensive observations of many telephone exchanges and my own successful entries and explorations. This manual is meant as complementary to part I. If you find yourself wanting more techniques/options, refer to part I as it was very comprehensive in that regard. Finally, since the first manual was published, I have been asked what is my preferred entry method. The answer is : I have used many different methods for different exchanges and situations. This is more to do with expedience than concealing my Modus Operandi. It is true that professional burglars often use changing and the most rank amateur methods they can use to get away with the burglary to throw off the cops, but in regard to exchanges I think you have to make up your own mind about which techniques you want to use based on your situation. This file is meant to provide you with a choice of techniques. You might want to go trashing at your surrounding exchanges before actually breaking in. This will give you a chance to gain confidence, become used to the exchange and the surrounding area and escape routes and also ... get some pretty good information just from the trashing. You'll notice that in the appendices I have ommitted the numbers that you need to ring. This is because if you've even got of your butt and gone to an exchange a couple of times you'll probably get it and because if Telstra gets hold of this doc, they'd be able to change it quite simply. Building And Security ===================== This section covers basic understanding of exchange perimeter structure and some basic techniques so keep reading if it seems abit basic. The basic suburban telephone exchange is usually a relatively old structure in your area. It would seem from my observations that they have concentrated on perimeter security and haven't even really done a good job of that. The primary obvious entry points into the building would be the windows and the doors (unless you feel like breaking through a wall or going through the roof - which is still a viable method if you don't mind being destructive.) I have looked at the air-conditioning on exchanges and have come to the conclusion that they probably aren't safe to try and get in through. Some of the units though are mounted in windows and if you could pry one out or unscrew it, that would do but you'd probably be better off using a technique on the window itself. There are quite afew windows on exchanges funnily enough, on concealed walls as well as walls open to the road. Because of the focus on perimeter security these windows will usually have bars on them. They are locked and opened by a lever (see diagram in slip & pull tool section) if required. I have not seen contact switches or vibration detectors on these windows. A possibility for detecting broken windows is a 'shatter guard' which is a unit mounted in a concealed location inside the building that detects the high pitched sound of glass breaking. I have tested for this device by smashing a bottle near the doors of the exchange and no alarm has gone off. The windows it seems could be opened by smashing as long as the bars were gotten past. The bars on the windows are vertical only. I have seen some security grilles which are frail and offer no protection at all, but bars seem to be the predominant window protector. A simple trick to use here is to car jack them apart. Then, you can squeeze through the gap and do your stuff. Afterwards, you can re-close the bars (somewhat messily, but can often turn out ok) by instead of applying pressure to two bars side by side with the jack in the middle; applying pressure between one bar at a time and the window frame. That is to say, mount the jack on one bar and some pieces of wood reaching the window frame. It would also seem that the bars themselves have been mounted on a frame that has not been welded to the window frame itself, but instead have been screwed in. This opens up the opportuntiy for unscrewing the bar frame at one end and pushing your way past the slightly bent frame to get in and then rescrewing it back on later. There are doors on exchanges at the main entrance which is usually pretty standard and well protected (more on this later) and there are also other doors around exchanges, for moving in and out equipment. These doors are usually double doors and are made of wood, occasionally reinforced with metal. These doors are designed to be opened from the inside only and so do not have key locks but have bolts on the inside. There will usually be two vertical bolts at the top and bottom of the door which are just push in/pull out of the floor/ceiling numbers and a horizontal bolt between the doors which is like a bolt on a gate - not simply push in/pull out, but has to be manipulated past a stop which could (but never does) have a padlock in it. They will also have contact switches - usually mounted at the top of one of the doors. Examine the diagram : __________________________|____[__]______ | | | [ ] <----|------- Contact | | -> | | Switch | | | | | | | | | | --Vertical | | | Bolt 1 | | | | Well? ****ing | Horizontal --> --|-- | Examine it! You | Bolt | | will be needing this | | | information later. | | | (Sorry, just needed | | Vertical | something to fill this | | Bolt 2 | space | | | | | | | <---- | |___________________|_______|_____________| | There are very limited intruder alarm systems in Telstra exchanges, however there are extensive fire/smoke, gas and equipment alarm systems which you should be aware of. One night on one of my trashing runs I jumped the fence completely prepared to grab some goods and noticed that an alarm was going off inside the exchange. Peering through the window I noticed it was coming from a panel marked 'VESDA MIMIC' a quick web search got me the following url : http://www.vsl.com.au/vesda/index.html Thanks to Phunki for helping me hack and search my way through this site! It would seem that this is the basic technology Telstra uses for fire and gas monitoring in its exchanges. The equipment itself has several alarm conditions. If you want some examples, have a look at the ICM docs in Infosurge #6. Needless to say, you wouldn't want to set off any of these alarms either. This could happen, if for example you decided to use an oxyacetylene torch to burn your way through one of the side doors. Getting back to the story though, I waited for 1 - 2 hours at a nearby property for *someone* to show up and no-one did. During this time two police cars cruised past blithely unknowing. After that I got sick of waiting and trashed the place and left. I have had similar reports from other people saying that no-one gives a shit about alarms (intruder or otherwise) going off at exchanges. Because there are no area sensors in Exchanges, if you only set off the contact switch on one door (all that is needed to gain entry) the maximum 'event' you could provoke would be a 'one-zone violation'. This is considered by the police to be a low priority event. In other alarm cases, all the police will respond to is a two-zone violation as a matter of policy. One-zone violations are deemed as being the responsibility of the owner or their security company. Still, its up to you how paranoid you want to be. I personally err to the side of caution and don't hang around longer than a minute or so if I've set off an alarm. Whats Inside ============ Airconditioning Plant Room : Gas pressure compressors etc. Large pipes. Battery Power Room : Room filled with wierd alien looking boxen. Uncrating Areas : Open spaces where secondary doors described above open onto, will have a monorail - a big metal support - running into it at ceiling level for supporting massive equipment being loaded in and out. Lunch Room : Token Amenity So Telstra Isn't Accused Of Slave Labor. Toilets : Guess it was either here or in the equipment room Store : Filled with tools and other interesting items. Office/s : Mostly desks, occasionally have bookshelves and filing cabinets which are good for a rummage. Maintenance Control : Either used as storage space or has actual control equipment in - bookcase with manuals may be here. Equipment Rooms : These are the main rooms you'll want to concentrate on and that have the most interesting things in. Like a big warehouse floor. A block of pairs at one end with equipment (CMUXes, RIM boxes, Tran$end boxes, PABXes etc) hooked up to it. This room can also have a partitioned off area which has consoles for the equipment and a nice bookcase filled with nice manuals. The manuals come in four types I've seen, the more 'commercial' ones which come spiral bound, computer printouts hole punched and bound in a file folder, loose paper computer printouts and manuals still on disk in Microsoft Word Format. I think the main resource for manuals (Not for ALL manuals though) is the Telstra Intranet. A web based intranet for Telstra staff : http://www.cdn.telstra.com.au/ I have seen a number of things referring to this url, however it is not part of the regular internet and I have tried to break in via computer a number of times with varying degrees of success and have never been able to crack it. There is a directory called /cc-docs which seems to hold alot of manuals. Alot of the manuals they have gotten through third party by buying equipment are separate from these, probably due to copyright etc. Don't forget to bring a laptop though or be prepared to swipe disks as well as paper goods. Area Sensors ============ I have never seen area sensors (Passive Infa Red Sensors/Microwave Sensors) inside an exchange. I wondered whether this was because of them not working well with the equipment. A quick post to alt.security.alarms and some of my own observations brought up the following points : 1. Microwaves and exchange equipment do not mix 2. Equipment in an exchange can get quite warm and so temperature varies too much in the equipment room to maintain an environment where PIRs work well 3. Equipment more than three or four feet taller than a human being blocks area sensors making them effectively pointless and there is much of this equipment in exchanges 4. A security theory is that perimeter security is more effective in an exchange situation as 'once the intruder is inside the damage is already done' 5. Telstra exchanges have a mess of airconditioning pipes and ducts towards the ceiling, further blocking the range of area sensors So the moral of the story is there most likely won't be area sensors in your local exchange because they wouldn't work well if there were. I'd also like to re-iterate that I have never seen any in an exchange. Slip & Pull Tool ================ Ok, so you want a technique that is easy to use, untraceable and requires minimum resources to implement. Right! So I have come up with something that ought to fit the bill. It is an adaptation of a technique that I first read in a book called 'Lock Bypass Techniques'. If you're interested you can get it from Loompanics (www.loompanics.com) I got my copy direct from the author because at the time it came out we were both lurkers pretending to be locksmiths on alt.locksmithing The tool itself is a long rectangle cut from a 2 litre cokebottle by cutting around the circumference in a spiral. Then, a hole is punched in one end and and a string passed through, you can also use fishing line or wire as a stronger substitute and you can also put abit of glue on the end of the string to help it catch on things better (read on). This diagram is not to scale : __________________________________________________ | |___________________________ | /| | Plastic Strip from Coke Bottle O-|--------------------------- | | ^^^^ |_________________________________________________ _| string Pretty simple huh? Due to the crappy nature of exchange security this bastard ought to get you in to most exchanges with relative ease. How is it used? Well, remember I told you to examine that diagram? (Yeah that's right - go back and look at it because you didn't listen to me) Well, those secondary doors are, for lack of a better word 'shithouse'. The gaps in between the doors and the door frame (door jamb) are too wide allowing things to be slipped in easily (and even looked through) as is the gap in between the two doors. Now, the vertical bolts have a stud on them for engaging/disengaging the bolt : _ Top of | | Sorry if this is abit patronizing, but a crappy ascii door _____| |_____ diagram is better than nothing. Now you have something to --> | | visualise. Now, how that slip & pull tool works is you | |O| <- stud hold the string in your hands at the other end from the Bolt |_| plastic strip and slip the plastic strip string end first through the gap in the door. Now, you loop the string around the stud on the bolt on the inside of the door. Slide the plastic strip out while keeping the string looped on the stud. You will now be able to pull the string and it in turn will pull the bolt to the open position. Tada! Here is a diagram of where to insert the tool : ________________________x_|____[__]______ | | | [ ] | The '*'s indicate the slip & | insertion --> * | | pull tool insertion points for | point for | | each bolt. So you slip the tool | vertical bolt 1 | | in, grab the bolt and then work | | | the string around the gap in the | | | door until you are at a point | x <-- horizontal | where you can provide a force | --|-- bolt --> * opposing the bolt. You'll notice | | insert points | there are also 'x's on the | | | diagram. These are for inserting | | | the tool closer to the bolt and | | | working the string around more | insertion | | afterwards. | point for vertical| | | bolt 2 --> * | | The horizontal bolt is opened |___________________|____x__|_____________| basically the same way, only you | either have to work the string right around the door frame afterwards, or grab the bolt from the other end of the door. Remember though, the horizontal bolt doesn't have a stud on the end. It is a bolt like the ones on a gate, it has a kind of angled end that you grab onto. You will also need to lift it up so that it can get past the stop before you apply your pulling action. If you don't understand, go to a gate with this type of bolt and examine it. When opening, the vertical bolt should be done last and first when closing. This is so that if you need to work the string around the door jamb, it will not get caught on the vertical bolts. Now, you know the technique, what you need to know now is the exact location of the bolts on the inside of a door that you can't see. Simple, the slip & pull tool was designed with this in mind. Take the end of the plastic strip that doesn't have the string through it and slip it through the gap in the door at about where you think the bolt is. Now slide it across until it gets stopped by the bolt ... and that's where the bolt is! You can also work out where the bolt is by pushing on the door and seeing where it won't push inwards but using the slip & pull tool is more specific (I should patent it I reckon!) I know you've been thoroughly amazed at the Slip & Pull Tool (TM) 2000 Marlin but there is another use for it! CLOSING the bolts. I'm not going to draw another diagram, but using the same principle, after you've had a merry night out and closed the doors of the exchange, you can grab hold of the stud on the bolts, work the string around to the opposite (now opposing) position and pull the bolts closed! Untraceablity++ !!! If you think you will have trouble with this, you could always leave by the main door after locking the bolts from the inside to increase your untraceability. Its not over yet. Windows can be opened similarly. I have gone over getting past the bars. But what about if you don't want to smash the window? Use the slip & pull tool. Remember in the first section I said they are locked and opened by a lever? Examine the diagram : __________________________ |--------------------------| Look! There is a '*' and an 'x' | | just like the diagram of the door! | | Same principle. Slide the tool in, | Pull this way to open | grab the end of the lever and pull | <------- | 90 degrees to the left to open. Can * / | be closed again by doing the | / | opposite. |_________x__|_____________| Contact Switches ================ I went over contact switches quite extensively in the first manual, but there is a new method I'd like to introduce that I have had some success with in test situations. From Jaycar electronics you can get some highly powerful 'rare earth geo' magnets. You can also purchase thin sheet magnets (the kind of thing that those fridge calendars from real estate agencies' magnets are cut from). The way you use them is by sliding the sheet magnet in between the contact switch with the powerful magnet on the protruding end increasing the power of the sheet magnet. The sheet magnets themselves are not powerful enough to pull the reed in the contact switch, but combined with the rare earth magnets, they are. If the door opens inwards the best thing to do (although the previous method can be used in combination) is to follow the part of the door where the contact switch is with your powerful magnet to keep up the magnetic field on the reed in the contact switch (if you need more explanation on what the reed is, read the first manual.) Remember that it is possible to locate the contact switch by using a compass to determine its location. In my tests at exchanges, the compass has merely pointed to the contact switch magnet rather than spinning which I guess is actually more convenient Use this to check the internal doors for contact switches as well,or just avoid using them like I do. Lastly, keep rare earth geo magnets away from floppy disks you might be taking with you as they can fry them real good. Door Destruction ================ For getting into exchanges via the secondary doors we have identified two obstacles that need to be bypassed to gain entry : bolts and contact switches. For the more destructively minded, There are some additional techniques that can be used : For doors that open inwards, the top of the door jamb can be pried out to gain better access to the contact switches. Then of course, the jamb will be broken but it may be possible to glue it back on. When you go and have a look for yourself at these secondary doors, you will notice how weak and old they are. You may even notice that they are basically planks of wood glued or nailed together to form a door. It is entirely possible to take a crowbar and break a hole in the door by prying apart and snapping the pieces of wood, or, getting a hacksaw or grinder and cutting a hole in the door on a rainy night. This is destructive, but ensures complete bypass. Schools Of Entry ================ Just to summarise and to let you know what options you now have, let us examine how the techniques described can be used : 1. Non-Damaging, untraceable, but set off alarm : Quick in and out : Manipulate bolts on side door or pick lock on main door and don't worry about contact switches. 2. Non-Damaging, untraceable and try bypass the alarm : Prolonged stay : Manipulate bolts on side door or pick lock on main door and attempt to use one of the contact switch bypass techniques described above. 3. Damaging, but bypass the contact switches easily : Prolonged stay, but once off. You won't be able to go back : cut a hole in the door or pry out door jamb. 4. Non-Damaging and ring after hours centre : Prolonged Stay : Pick lock or use stolen credentials to open main door and ring the after hours centre. 5. Damaging and ring after hours centre : Prolonged stay but once off : Drill lock or EACS solenoid (see first manual) and ring after hours centre. There are, of course, variations on this and other schools of entry based on other techniques, this just puts it together for you and gives you an idea. I have no doubt that you can imagine some more 'schools' for you to use. The advantage to using a non-damaging method is that they will most likely think it a false alarm and you can come back and do the same thing again some other time. Appendix 1 : Responsibilities For Credential Users ================================================== This is basically a verbatim copy of a Telstra doco. It is highly relevant as you will see as you read : 001 813-F01 : Credential User Instructions, Obligations & Conduct Responsiblities For CREDENTIAL USERS GAINING ACCESS 1. Locate the EACS card reader, check normal operation by the presence of an orange LED. Report any other condition to the AMC or NSC (after hours). 2. Pass the EACS card within 100mm of the reader. A green LED will mean the subsequent unlocking of the door (within one second and the door will remain unlatched for approximately 10 seconds) A red LED will mean that the credential is not programmed for access; assistance should be sought via AMC, CMCC, or NSC (after hours). STANDING SECURITY INSTRUCTIONS 1. Ensure that door closes after entry; do not allow other unauthorised persons access. 2. If entry is required outside of normal working hours (Mon-Fri 07:30 - 17:00) Security Company MUST be advised. Phone 1800 xxx xxx (IVR) [<-- same as after hours centre #] 3. Locate the Intruder Alarm Panel (IAP) if required and enter PIN. (Not applicable in WA). This will disarm other door alarm inputs to EACS. Sites will progressively be retrofitted with LMO (LastMan Out) which will replace IAPs and automate disarming of non-EACS inputs. 4. Locate and notate Site Log. 5. Egress may be possible via other perimeter doors but DO NOT LEAVE THE BUILDING VIA ANY OTHER DOOR 6. When ready to leave ensure site SECURE AND RUBBISH REMOVED. 7. Before exit complete site log, re-arm control panel or activate LMO button as required. Notify AMC/NSC if LMO LED does not light. Advise Security Company 1800 xxx xxx (IVR) 8. Ensure door is locked OBLIGATIONS 1. It is the responsibility of ALL PEOPLE on Telstra property to work safely, to protect others from possible hazard, and abide by all Occupational, Health and Safety rules. 2. Welding, dust generation or other activity likely to cause equipment failure, or generate alarms must not be carried on without prior approval of Area Field Manager. 3. NO SMOKING in Telstra Buildings 4. When working in Exchanges all exterior doors must be kept locked 5. Wearing of ID passes is mandatory in all Telstra Buildings 6. No mobile phones, 2 way radios or camera flashes are to be used in any equipment room. 7. For security reasons, don't mark or attach EACS cards to any other identifiable item. CONDUCT 1. Credentials are not transferrable 2. No other person should be given access with your credential 3. Users must personally return credentials 4. The recipient of a Credential must take due care to guard against loss or damage 5. Loss must be reported to an CMCC or NSC (after hours). CMCC : Tel 08 9491 xxxx NSC : Tel 1800 xxx xxx [<-- same as after hours centre #] Appendix 2 : Social Engineering The After Hours Centre ================================================== ==== You might have seen a yellow sticker on the outside of exchanges : This Building Is Security Alarmed, Contact The After Hours Centre Upon Entry So, after you've entered the exchange, that's what you've got to ring to verify yourself. Well, the After Hours Number is: 1800 xxx xxx This is basically a paging service. You give the bitch the info, she types it in to her computer and it appears on the screen of the NSC (Network Surveillance Center) - (aka. NOC Network Operations Centre). Fire and Gas alarms are also monitored here, and I imagine network faults, trunk depressurisations etc. are monitored here as well. This is located in Melbourne so it should be pretty much Australia wide as I called it from Perth. When the bitch answers she will say something along the lines of: "Hello, welcome to Telstra Corporation, what is your name and designation?" You won't be prompted for the answer to each question, so you'll have to just give it. You need to tell her : YOUR NAME YOUR DESIGNATION (Department) THE NAME OF THE EXCHANGE CONTACT NUMBER (Number of the exchange or mobile number) REASON FOR BEING THERE WHAT TIME YOU'LL LEAVE Name : Don't know if any old name will be accepted, but you can get the names of legitimate exchange staff easily enough by going through the dumpsters for letters etc. Designation : This basically means the department in Telstra you work for. This one could have been hard, only I found an entire stash of exchange entry logbooks in a dumpster and so have a whole load of legitimate responses ... C&C (Commercial And Consumer : They are linesmen, exchange staff etc.) TBS (Telstra Business Solutions : Do some exchange work that is used by business for example servicing the Tran$end units.) NDC (Network Design & Construction : in charge of the hardware maintenance and setup) Exchange : Look on the sign outside (It is the suburb name.) Contact Number : Ring ANI directly before you ring the after hours centre. Reason : Back to the logbook ... You are supposed to tell them the exact pair, line etc. you are looking at, but looking through the logbooks, no-one actually does it and in some cases it is not applicable. You should also match your reason with your department eg : C&C : Check Main Pair TBS : Tran$end fault NDC : Equipment recovery (heh) I have heaps more, they are just the only ones I can remember off hand. What time you'll leave : Simple, just estimate how long whatever it is you're really going to do will take you (within reason) and if you want to take a long time .. the reason they need this info is because the NSC will get another alarm when the door is opened and closed by you on the way out because there are no area sensors in the exchanges. So, you can just open and shut the door and stay in. They'll crap themselves when you actually leave, but you'll be gone then anyway. ~-~-~-~-~-~-~- Telstra News ~-~-~-~-~-~-~- - Phreakau Team Here is a collection of the more interesting articles we obtained from various Telstra internal news publications over the 2000-2001 period. Be sure to check out the Keylink (Minerva) one just below. New Solutions For Customers As KEYLINK Shutdown Complete ================================================== ====== AFTER almost 20 years active service the KEYLINK electronic mail system has been withdrawn from the marketplace, with the operating platform closed last month. KEYLINK was widely used in Telstra and by over 1500 major customers including banks, insurance companies, retailers and suppliers. Most customers used it as an integral part of more complex communications applications, such as ATM networks, warehousing recording and distribution systems. As the system could not be made Year 2000 compliant, a project was set up to 'exit' KEYLINK and design and implement strategies to migrate users to new solutions. Robyn Batty, Project Director, Network and Technology Group (NTG), said it was a challenging task involving managers and work groups throughout the company. "The project team identified some standard options and solutions to be used by the Telstra Business Solutions (TBS) sales team to guide their customers through migration," Robyn said. 'Huge Undertaking' "The migration of 16,500 mailbox users was a huge undertaking. In a co-ordinated effort, Telstra's Year 2000 Programme, TBS sales teams and project staff from TBS, Convergent Business and NTG met challenging timeframes with minimal disruption to our customers." Many customers have migrated to other Telstra products such as Trading Solutions and Big Pond applications. To celebrate the success of the project, a 'twin' function was held in Sydney and Melbourne, linked by a videoconference. More than 40 staff were awarded Certificates of Achievement for their role in the exit project. Negba Weiss-Dolev, DIrector, Year 2000 Programme, said the success of the KEYLINK exit was a tribute to excellent cross business unit co-operation and team work. "The exit also featured outstanding project management and the keen desire of those involved to maintain services to customers, while meeting the challenging timelines imposed by the new year transition," Negba said. "Congratulations to all involved on a job well done." [This was an article on the X.25 Keylink system. Some of you may know this system as Minerva. Some replacement systems can be found at : http://www.albury.net.au/~asteris/ and http://partners.bigpond.com/tradelink/index.htm] Combating The Payphone Vandals ============================== TELSTRA has scored several important wins in the ongoing battle against payphone theft and vandalism. An undercover payphone surveillance operation in the Sydney CBD, conducted in partnership with the New South Wales Police, is catching out vandals and significantly reducing payphone vandalism and fraud. An operation in Melbourne also led to a number of arrests. Telstra continues to modify the standard payphone to deter criminal activity. Latest developments in this constant cycle of innovation to overcome criminal creativity includes and electronic shutter, which prevents tampering with the coin entry, modifyications to the payphone case, and improved remote monitoring of payphones. A number of fraud prevention activities have also been successfully carried out. Steven Cherry, national operations manager outn@bout, said staff played a key role in the latest breakthroughs against payphone vandalism. "Many outn@bout staff in the metropolitan areas and large regional centres, along with Infrastructure Services staff throughout the rest of Australia, are doing a magnificent job in maintaining payphone services," Steven said. "Overall, payphone serviceability - that is, the number of payphones operating properly at any one time - is now at 94 percent, an 18-month high. The target is to get this up to 97 percent by mid-year." People in the community have also done their bit to stamp out vandalism and fraud. According to Brendan Cass, national manager security, outn@bout, more than 20 people were given rewards by Telstra for reporting acts of vandalism that have led to convictions. Telstra offers a reward of up to $1000 for information that leads to the conviction of a payphone vandal. Vandalism of payphones costs Telstra $10 million a year. Telstra has 35,000 payphones and 600,000 customers using them every day. In the first two weeks of the ongoing campaign which began in the Sydney CBD late last year, dubbed Operation City Safe 7, police arrested 91 people on 152 charges for offences related to payphone vandalism. A further 12 were charged for more serious offences following their arrest for payphone vandalism. The ongoing operation is targeting a number of vandalism hotspots including the Town Hall, Martin Place, Wynard and Circular Quay precincts and Central Railway Station. "Operation City Safe 7 is significantly reducing the level of vandalism to our payphones and through our partnership with police in the coming months we will continue to catch and charge offenders," Steven said. In the targeted areas there has been a 13 percent reduction in visits by Telstra technicians and an 18 percent reduction in customer reported faults. Operation City Safe 7 builds on the success of Telstra's community-based initiative PhoneWatch, which encourges people to report acts of vandalism against payphones to Telstra on 132200 or to the police. The electronic shutter enables the payphone to sense that the coin entry is blocked, and shuts the entry so that thievescannot access the coins. The problem is reported automatically back to headquarters, and a technician can then go and clear the blockage, and the payphone is back in service. About 200 electronic shutters have been installed in the Sydney and Melbourne CBDs. They have been so successful that it is now planned to roll out about 11,000 nationally. Software And Staff Block Email Virus ==================================== TELSTRA fault system software, and the action of a number of global connect staff kept the crippling ILOVEYOU virus out of the network last week. Staff in IT Services and Internet Operations worked throughout the night on Thursday 4 May, to stop infected email messages contaminating the network and entering via the internet email gateway. In addition, the anti-virus technology operated by IT Services as part of the SOE Networks was able to deploy the most up-to-date anti-virus pattern file. These files can detect and clean any instances of the virus, or variations that result from the virus. There is anti-virus software in our email and messaging system, our internet firewall, the LAN servers, desktop and notebook PCs. All systems have software regularly upgraded with the most recent 'pattern files' so that the scanning programs can identify new viruses. If viruses are detected, alarms are sent via Telstra's intranet network to the FOCUS IT alarm system and the Network Control staff are notified. In the case of the Love Letter Virus, Telstra was also notified by two of its major SOE suppliers. The anti-virus company Trend Micro and the computer manufacturer Compaq both informed Telstra - and staff were able to swing into action. A filter was applied to all incoming email and the specific pattern file for the ILOVEYOU virus was deployed. Overall, Telstra systems and users were very well protected. In the few isolated instances where the virus did make it through the firewall before the filter was in place, staff worked tirelessly, scanning and cleaning the millions of mail messages that exist within the company. Graham Bull, general manager, IT Services said: "A critical situation such as this one highlights the risks which now exist in an online world and really tests the capabilities of both our contingency systems and our staff. "I am confident that we have the capacity and expertise within our workforce to protect our systems from elements that could be detrimental to the smooth running of our business. I congratulate the individuals that worked around the clock to ensure that the virus had little, if any, impact within Telstra," he said. ~-~-~-~-~-~-~- Links ~-~-~-~-~-~-~- Just to give you something to read until our next issue comes out : http://phreakaus.oz-net.org <=> Dark Thief's site http://phreakau.fuxya.org <=> Our homepage http://www.opentelco.net <=> Nice page for SS7 and GSM stuff http://www.scard.org/gsm/a3a8.txt <=> Info on algorithms http://jya.com/crack-a5.htm <=> Discussion of GSM encryption algorithms http://www.phreak.co.uk/teknix/phre...docs/axe10.html <=> Erriccson AXE10 Digital Switch Info By Keltic Phr0st http://dtmf.org/hybrid/files/hybrid-files/AXE10.txt <=> Local AXE10 Exchange Subsystems By Hybrid http://www.acif.org.au/ACIF/display...5706&source=482 <=> Australian Communications Industry Forum Publications http://www.mindrape.org/zines <=> Australian Ezine Archive, Zines referred to here can be found there http://bbs.onecenter.com/ausphreak <=> Zaleth's great public phreaking forum ~-~-~-~-~-~-~- END ~-~-~-~-~-~-~-
__________________
.::viper::. |
|
|
| Sponsored Links |
|
09-03-2002, 07:38 AM
|
#2 |
|
Registered User
|
PHREQUENCY- A VERY GOOD AUSTRALIAN PHREAKING EZINE
_______
ÞÛÛÛÛÛÛÛÛÜ ÞÛÛßßßßßÛÛÛ ÞÛÛ ÞÛÛ ÞÛÛ____ÜÛÛÛ "Telefono Modularr Spectacularrrr" ,ÜÜÜ ÞÛÛÛÛÛÛÛÛÛ ÞÛÛÛÛÛÝÔßßßßßß'_ ÞÛÛÛÛÛÛ ÛÛÛÛÜ ÞÛÛÛ ÜÛÛÜ ÜÛÛÛÝ ÛÝ ÞÛ ÜÛÛÜ ÞÛÜÛÛÝ ÜÛÛÛ_ÞÛ ÛÝ ÞÛÛÛÛÛÛ ÞÜ ÛÝ ÞÛ ÞÛ"'ÞÛ ^ÛÝÞÛ ÛÝ ÛÝ ÞÛ ÞÛ ^ÛÝÞÛÝ ÛÝ ÛÝ ßß ÛÝJÛ ÞÛÛÛÛÛ ÞÛÛ_ ÛÝ ÞÛ ÞÛ ÛÛßßßÝÞÛ ÛÝ ÛÝ ÞÛ ÛÛßßßÝÞÛ ÛÝJÛÝ ÞÛÞÛ 'ÛÛÛÛÛ ÞÛÛÛ ÛÝ ÞÛ ÞÛ ÞÛÜÜÛ ÔÛÜÜÛÝ ÞÛÜÛÛ ÞÛÜÜÛ ÞÛ ÛÝ ÛÛÜÛÛ ÛÛ ßÛÛÛÜÜÜÛÛÛÛ ß' Ôß Ôß "ßß "ß"ÛÝ ßß"ß "ßß ß "' ßßß ÛÛ ßÛÛÛÛÛÛÛÛÛ, ÛÝ ÛÛ "ÛÛÛÛÛÛÛÛ' ÔßÛÛÛÛß Phrequency Issue #2 -------> 18/02/02 CONTENTS #+#+#+#+ Introduction .................................... Phreakau Team Hacking Optus Voicemail ......................... Zaleth RIM Identifiers ................................. Zaleth Updated FAST Map ................................ Zaleth Credit Phone (B1/B2) FAST Block Workaround ...... Zaleth Le Fone : Epic Journey of a Phreak .............. No Protocol Features and Telecommunications Security ........ Marlinspike Cable Pressurisation and Alarm Systems .......... Dataclysm Locating Telstra Exchanges ...................... Dataclysm Automatic Line Testers in Australia ............. Dataclysm Australian Phreaking News ....................... Phreakau Team CONTACTS #+#+#+#+ To send feedback regarding one of the articles in this ezine please select from one of the following email addresses : Dataclysm - dataclysm@tokyo.com Marlinspike - p0lter_g@yahoo.com Zaleth - zaleth@hushmail.com IMPORTANT SITES #+#+#+#+#+#+#+# Here is a listing of links to sites that contributors maintain and where further information can be found : http://phreakau.linuxphreaks.org/ = Phreakau Homepage http://forum.onecenter.com/ausphreak/ = Public Australian Phreaking Forum http://www.zaleth.f2s.com = Zaleth's Phreaking Homepage http://dataclysm.wiggerz.net = Digital Infraction Homepage INTRODUCTION #+#+#+#+#+#+ If you only knew how much effort went into getting this issue out. The good thing is we're not a one night wonder anymore. This issue has more instructional articles than the last. I have a feeling this issue will become required reading for this and future generations of phreaks. Its all relevant to phreaking in .au, its all original and each article took vast amounts of blood and sweat to research. We are also pleased to announce that every writer for this issue is a certified sociopath with deep seated and complex problems stemming from far beyond a mere desire "to be bad". Don't believe me? Read on. I feel so grateful to have the opportunity to work with such talented and fine fellows. Just remember, we put this ezine out to increase the skill and knowledge of Australian phreaks. Don't just leech this information. Use it to build on with your own research, learn from what you can see of our techniques of gathering information. You won't know what it is all about until you do your own research. It may seem hard, but little will you know that you'll look back on those times as some of the best in your life. Enjoy. Propz to Forbze for the logo. Now we are l33t. Just one last thing before we continue. If you are one of these crack toking rebels that take us for nothing more than over-glorified beige boxers and/or you are reading this ezine with nothing more than the intention of finding a beige boxing like technique to exploit and be k-rad with, you need go no further than the following instructions : Beige Box ----------------------<======================= Phone Line | Extension ----> \ \ Ring 12722199 \_}====< Attach to ur testicles kthx. #+#+#+#+#+#+#+#+#+#+# HACKING OPTUS VOICEMAIL #+#+#+#+#+#+#+#+#+#+#+#+# - Zaleth - Recently a friend of mine purchased a mobile from Optus and was also given this booklet called "Optus Mobile Digital" which gave me the information Optus gives its mobile phone customers information about getting their own voice mail box (VMB). I will keep this tutorial short, here are a few steps on hacking into the target's VMB, mainly covering the authentication process. From a Touchtone phone (DTMF Tones, Not Pulse) do the following: Dial: 0411 000 321 When Prompted type in your targets mobile number (04xx xxxxxx) and press Hash (#). You will now get prompted for a pin, this may be difficult, so here are the defaults: 0000 12345 If the person has setup up their mailbox correctly they have chosen a pin from 4 to 9 digits, now people have a habit of using the code, 123456789 to fill up the max digits thinking no one will guess it or 987654321 & 098765432. It is relatively easy to find the phone pin by going through these steps, Say the last six digits of the mobile are 123456 then the pin maybe 123456. Say the person lives in the Postcode 9898 then their pin maybe 9898. Another goodie I found was people tended to use years which held memories such as 1999, 2000 and 2001. So check for pins which use year dates. If you know the target well and they often use the net and have a good idea of what 'leet talk' is then check 31337 & 313370 I have found one person using this. Aren't they shockers. Here are a few more tips MN (Mobile Number(Will refer to the last 6 digits)). MN - 1 MN + 1 MN (1st Digit) + 1 MN (1st Digit) - 1 (All the way to 6) Hopefully that was some help, as you can tell you're on your own for finding the pin. The Menu: Voice Prompt Guide- [4] Record your Greeting [6] Record your Name [7] Set your pin [8] User Options [9] Exit the System [0] Help If Voice Mail starts playing messages wait till the message finishes and you will get prompted with the following: Voice Prompt Guide- [6] Return the call [5] Save the message [3] Delete the Message [7] Replay the message If you want to keep eavesdropping on this account avoid changing pins, otherwise the person could ring the support line and get it changed. Covering your tracks, if your hacking someone else vmb make sure you're not calling from your phone or anyone else's you know otherwise you will be found out. #+#+#+#+#+#+#+#+#+#+#+#+# RIM IDENTIFIERS #+#+#+#+#+#+#+#+#+#+#+#+#+#+# - Zaleth - You may be walking the dog, driving in a car, riding your push bike (and a hard earned thirst needs a cold beer and the best known beer is VIC, Vic Bitter.) and you may see a RIM. Not only are RIM's on the ground they can be found up in the air on power poles (Feeling lucky?). Over last year I collected a few RIM identification codes. I haven't got every single code nor do I have every identification type. _____________________________________ | Pair Gain System | Category | |==========================|==========| | ALCATEL RCM | R1 | | SCADS | P4 | | SCADS RADIO | P6 | | TELSPEC 2 DPGS | N4 | | TELSPEC 4 DPGS | P2 | | RAM8 PHASE 1 | B5 | | RAM8/2 | B7 | | EXTEL6/16MLC | B2 | | INTEGRATED RIM | AA | | NON INTEGRATED RIM | ZZ | | RIM | C1 | | TELSPEC6/15 MLC | B1 | '=====================================' A few more RIMs I would like to grab are: AE, X1 & A1 X1's are seen everywhere (not the smartphone). #+#+#+#+#+#+#+#+#+#+#+#+# UPDATED FAST MAP #+#+#+#+#+#+#+#+#+#+#+#+#+# - Zaleth (Field Access to SULTAN Testing) During June last year Nelix and myself saw a very old map of FAST. We looked around to see if there were any more up-to-date maps with little success, so Nelix and I bring to you the current map of FAST. ANT1 - Analogue Network Terminator 1 ____FAST_____ / \ |¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯| [1] Test this line [2] Other (Test another line) | "Reads out number" | "Enter full national number (1) Sultan Test (9 or 10 digits) then # if (2) Ringback Test you make a mistake press ** " | (1) Right number (2) Wrong number (4) Line and ANT1 (1) Sultan Test (5) Technical support (3) To activate an ANT1 and pair gain system (4) Line and ANT1 (5) Technical support and pair gain system #+#+#+#+#+#+# CREDIT PHONE (B1/B2) FAST BLOCK WORKAROUND #+#+#+#+#+#+#+# - Zaleth - I was at the airport one afternoon examining a B2. I picked up the receiver and it was asking my to swipe a plastic card, I looked around the keypad and noticed a SERVICE CALL button so I pressed that and I got a dial tone. What we have done is enabled a direct dial out of the phone to service only calls excluding 127x prefixed numbers. So I dial FAST and try an ID & PIN but when I press one number I get cut off. So what I did next was hang up, picked up the receiver pressed service call and dialled FAST when I got through I held down service call and input the ID & PIN and I was in. You can also use a tone dialler for the authentication process but since this was an airport with hundreds of camera's I thought it was probably best not too. You can use the iPrimus DCX on credit phones as well. So here are the steps: 1] Pick up the receiver. 2] Hold down SERVICE CALL button. 3] Dial in the service number (e.g. DCX &/or FAST). 4] When asked for Authorisation hold down the SERVICE CALL button and input what ever is necessary. Enjoy this for whatever reasons #+#+#+#+#+#+#+# LE FONE : AN EPIC JOURNEY OF A PHREAK #+#+#+#+#+#+#+#+# - No Protocol - Thanks to my mate Baldy (for access to tools I didn't have) & Others (no names mentioned), for their zany brand of inspiration. -------- Prologue -------- Early 1990 the obsession to computing was under way, there were 3 different types of PCs on our school grounds 8086, 80286 and a single Mac, which sadly exist as of today. From basic computer exploration spawned many other interesting underground activities, from DIY bomb making, basic forgery... to the more mundane activities of vandalism & practical jokes, naturally phreaking came along as well. The journey was born from thoughts of stupidity to inspiration. The idea, to steal a payphone. Talk to many hackers provided useless yet entertaining theories on how this could be achieved, from : Chaining the fone to my van & driving off, Smashing the fone up, to Cutting the fone out using an angle grinder. Each had huge implications counter to a guarantee of success. -------------------------- PRIMARY TARGET ACQUISITION -------------------------- In order to successfully complete such a task there were a few fone selection criteria that had to be met : 1. the fone must be a fair distance away 2. it must be new (personal choice) 3. it must not be too close to any houses or main roads I talked to my friend about my upcoming 'stunt', he told me of a payphone in his area that fit the above criteria, all I had to was go get it. ----------------------- DAY 1 - SATURDAY 3.30AM ----------------------- The air was crisp & rigid, the eagerness of the mind, a bottle of Jolt & 2 layers of clothing made it almost non existant, it was 3.30am on a Saturday morning. With a specific fone located & no plan in mind, today's objectives were simple, remove as many screws & bolts as possible & look the fone over for possible entry points. Later on in the night I started drawing plans in order to aid me to some conclusive methods. (Available with this document If I decide to release it.) With basic drawings & some possible ideas the plan was now set; "There are not too many ways to steal the fone by itself, so I'd have to steal either the whole payphone booth or just the back section, you can guess which I chose." My only concern was cutting the power for the light & fone lines. I know that the gestapo put alarms on the fones which sound when if there is any damage done to them, so the wires would have to be the last thing to go. --------------------------- NEXT WEEK - SATURDAY 1.00AM --------------------------- There where a few too many cars on the road that night for my liking, a car pulls up, its my mum's ex boyfriend thinking I've broken down. SHIT!. In order to kill some time I decided to go trashing for a few hours & then return back when the din had subsided. "MEANWHILE BACK AT THE FONE" Like trying to climb Everest in a suit of armour and a pair of tight jeans, I managed to climb on top of the box using a milk crate & a bin close by, removed the 2 back bolts, loosened the front 2 & looked for any additional screws on top, these came out suprisingly easy. --------------- SATURDAY 1.00PM --------------- During the day I did some measurments to my van to see if the fone booth would fit in & how close I could back up to the booth to stick it in; 1.3m close & 2.2m in, hmmmm excellent. ------------- SUNDAY 2.00AM ------------- Darkness, rain, air colder than dry ice, its 1.40am, warm & tired, "to go or not to go?, that is the question". I, unlike this generation of giveruppers, fought the temptation of staying in bed & decided I should press on. To pass the time till 2am, I read yet another inspiring chapter of cyberpunk. I've come this far, Hey! Why the **** not. That night I came across a snag, 2 screws that hold the back on were slightly worn & damaged making it harder to remove them, torn between whether or not to give up, I pressed on with the others. In order to avoid suspicion that the fone was being removed, I prepared a few screws on Saturday by cutting the heads off some from last week's escapade & superglued them back into place as to give the illusion that the box was solid, yet was hanging by a thread. 2 1/2 hours later, after finishing tonight's objectives, I decided to go home, a kid walked passed just after I finished for the night (phew, close). ----------------- WEDNESDAY 10.00AM ----------------- One day prior to WED my friend noticed a kid leaning on the inside of the fone booth as he was driving by. "This would be good, for he would certainly loosen the fone for the big day." Surely enough I was right, I was contacted during the day about the fone, my mate noticed the whole side had completely detached from the back (NOT GOOD), as surely the gestapo would march back into Poland & 'fix it'. In order for it not be fixed, I managed to talk my friend into going to the scene of the crime during the day & cleaning the mess up. Thursday, pre Friday jitters are trying to beat me from D-Day. Its not that I'm afraid of getting caught, its more a case of "What happens the day after when & if I pull this off?" "What project will come next?" In some ways I feel as though I'm retiring, yet it is only the beginning. A hilarious scenario enters my head, what if I attached an old rotary fone to what remained of the booth, would people be so stupid as to use it? Unfortunately I couldn't find a spare fone for this little joke. ----------------------- BIG DAY - FRIDAY 1.00PM ----------------------- Collected caution tape from down the road, so people will get the impression that the fone is being fixed & won't report anything. "Chances are that the fone will stay this way for a few weeks before anything gets done to it." The alarm was set to go off at 2am but woke up at 1 so I decided to do a pre- trash to pass the time till around 2.20am, didn't find much. Some trashers had already done the area & left one of my favorite bins upside down, garbage strewn everywhere. ASSHOLES, "The point of trashing is to get as much stuff as possible over a long time". In order to keep this place available I cleaned the mess up which wasn't very pleasant. ------ 2.20AM ------ I parked the van in a park several blocks from the fone so as to avoid too much exposure near it. The trek to the site was long, many thoughts paced through my head. Should I? Shouldn't I? The problem screws where the only things left holding the fone booth together which I managed to remove with some force. A bit of prying & the booth started to wobble as though an earthquake were a happening. A small black spider scuttled away. Just as well. The moment of truth had arrived, feeling really sweaty I trekked back to the van & pondered whether or not to remove my number plates. I'll only be 5 min at the most, why trouble my escape? Backed my van behind the fone, to roughly 1.3m as previously measured, & left the handbrake off so I could push it to suit. I tried to lean the fone panel on an angle so it would support itself on what remained of the box, but the sheer weight was too much. The booth wobbled, the back cracked out from under the plastic domed roof on top & onto my foot, OOOWWW! not wanting an accident involving my back windscreen I pushed the van to another meter & tried to drop the beast to the ground, but the power cable just wouldn't let it. Van back at 1.3m, using all my strength I lowered the beast into the back with me underneath & onto a couple of PVC tubes I'd prepared earlier. SHIT I thought, its too late to back out now as the fone line had severed when I lowered it. An image of Police car pulling up with lights flashing & bright light from a flashlight enters my mind. I grabbed my mum's tree secateurs from out the front seat & cut the power cable, sparks burst everywhere like fireworks on a new year. Not wanting to hang around & tape the box up liked I'd planned to do, I quickly pushed the booth into the back & drove off. "SHIT, I did it YYYYYYYYYYYEEEEEEEEEEHHHHHHH!!!! I'm screwed Now, WOOOHOO!!!" ------------ 1 WEEK LATER ------------ Feeling EXTREMELY Paranoid! Peering out my window every time a car passes. ------------- 2 Weeks Later ------------- I've realized that if anyone knew I did it, I would have had a visit by the gestapo by now. Its now sitting on my desk fully operational. I regret not filming the event. XX/XX/0X Diagrams of the X2 and screws can be found at the phreakau site : http://phreakau.linuxphreaks.org/ Thanks to Zaleth for the computerized version. #+#+#+#+#+#+#+# FEATURES AND TELECOMMUNICATIONS SECURITY #+#+#+#+#+#+#+# - Marlinspike - 0.01 : Contents =-=-=-=-=-=-=-= 0.01 Contents 0.02 Introduction 1.01 Common Channel Signalling 1.02 Switch(SSP)-Based Features 1.03 Intelligent Networking 1.04 So What Is Intelligent Networking, Really? 1.05 STP's - Signal Transfer Points 1.06 SSP's - Service Switching Points 1.07 IP's - Intelligent Peripherals 1.08 SCP's - Service Control Points 1.09 SCE - Service Creation Environment 1.10 SMS - Service Management System 1.11 IN Services 2.01 Interfaces 2.02 Concerns Over Interfaces 2.03 Customer Interfaces 2.04 Basic CPE Signalling 2.05 Undocumented Telstra Home/BusinessLine 2.06 Telstra Remote Access 2.07 Intelligent Peripheral-Based Interfaces 2.08 Security of PIN-Based Authentication 2.09 Customer Interfaces To The SMS 3.01 Telco Interfaces 3.02 OAM&P Interfaces 3.03 CCS7 Interfaces 3.04 Basic CCS7 Security 3.05 Basic CCS7 Vulnerability Taxonomy 3.06 Service Control Point Attacks 3.07 Signal Transfer Point Attacks 3.08 Service Switching Point Attacks 3.09 Intelligent Peripheral Attacks 4.01 What Are Feature Interactions? 4.02 Theoretical Examples of Feature Interaction 4.03 The Feature Interaction Landscape 4.04 Feature Interaction Causal Classification Approaches 4.05 Feature Interactions In The Australian Phone Network 5.03 Conclusion And Further Research 0.02 : Introduction =-=-=-=-=-=-=-=-=-= Like it or not, a part of your security, whether you are a large corporation, small business or home user, is outsourced. Think about this, in the OSI network model you have a protocol stack and at the bottom is the Data Link Layer. You think that layer is secure? Nothing can influence and indeed completely control that layer, route it to wherever, insert data, interrupt, monitor that layer at will? You are wrong. The data network that is the telecommunication system controls the media you use for data transfer and communication. Its security is your security. When you look at technological advances in telecommunications systems over the last 20 years you think digital switching and common channel signalling. The introduction of common channel signalling and its outmoding of in-band signalling greatly increased security of the telecommunication network. Blue boxes and the like became obsolete. However, with the introduction of new technology comes new capability. Telecommunication companies are always quick to exploit new capability of the phone network to offer value added (hence revenue generating) services to the community. Extra features in the telephone network are those value added services. A feature is a service that supplements or modifies the basic POTS service that we know and love. Typical examples of features include Call Waiting, Call Forwarding Unconditional & Calling Card Calling. In the last decade a significant advance in offering new features is Intelligent Networking. As a result of this advance many features have been streamlined and many more features are on the way. This article discusses the security ramifications of offering features in a phone network with some emphasis on the use of Intelligent Networking to do so. This article has four appreciable sections. The first describes the technology involved, pay attention here as the material is necessary for understanding the rest of the article. The second section describes the customer interfaces to features, how they work and their security vulnerabilities, the third discusses telco interfaces and goes into security of the CCS7 protocol. The fourth and final chapter details a fascinating field of telecommunication security that stems from the use of features, feature interactions. We will follow the concept of "give a man a fish, feed him for a day. Teach a man to fish, feed him for life". That is, I will present some working examples of exploits, but the article is based around getting you to understand how the exploits work and how to locate, identify and exploit new vulnerabilities yourself. This article is the result of around 3 months worth of research and writing and formed from information gathered from around 50 - 100 obscure academic and research papers and hands on experimentation. I've learned a lot from my research on this subject and I've tried to include all the juicy stuff here so I hope you enjoy it. 1.01 : Common Channel Signalling =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Before Intelligent Networking, the introduction of Common Channel signalling was one of the most significant upgrades to the PSTN. That is, the upgrade from analogue signalling between exchanges to digital signalling. The basic concept of Common Channel signaling can be depicted as such : _____ _____ ---- : Are CCS7 Links | | | | | STP |-------| STP | ==== : Are Voice Links |_____| |_____| / \ STP : Signalling Transfer Point ___/_ _\___ - Data switching point. / \ / \ | SSP |=============| SSP | SSP : Service Switching Point \_____/ \_____/ - Telephone Exchange. Single lines are CCS7 links and Double lines are voice links. In models previous to this one, voice and signalling information were transmitted on the same single trunk. This had a number of security and efficiency ramifications. We know why it had security ramifications, regular users ended up sending signalling information along with voice. It was the same channel, so they were able to. It was less efficient because an entire voice link needed to be established whether the call could eventually be connected or not. If the end line was busy the entire process would generate no customer payment, but would incur costs. Using data to set the call up cuts these costs. The way this model works is, when someone wishes to place a call, their SSP, the originating SSP, generates a request for call setup, addresses it to the SSP that services the called party, the terminating SSP and then sends the request to its nearest STP, which forwards the request to the terminating SSP. If the call is able to be completed, there is a bit of an exchange of data and the voice trunk is then activated in both directions, connecting the call. Its alot more complicated, but that's an overview. The communications protocol used for the transfer of call setup data is CCSS7 Common Channel Signaling System 7 or CCS7 / SS7 for short. CCS7 is the abbreviation Telstra and other Australian telco professionals use so that's what I use. CCS7 was approved by the CCITT in November of 1980 and most telecommunications providers around the world began migrating their networks to it shortly afterwards. Within Australia, CCS7 was approved by Telecom/OTC management somewhere in 1982 and after an intial testing and planning period, cutover began around 1986. The CCS7 protocol was designed with future intelligent networking application in mind although when first implemented it did not include this capability to any great extent. Intelligent Networking builds upon the CCS7 network to create the feature rich telephone network we know today. 1.02 : Switch(SSP)-Based Features =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Before we go on to describe IN and the concept of Intelligence in the network, let us first examine the method by which many features were (and still are) provided within the SSP (switch) itself. The step directly before digital signalling between exchanges was the introduction of exchanges with Stored Program Control. Before this, analogue exchanges could be made to perform certain tasks only by hardwired logic. To provide a new feature to customers, the switches would require hardware such as relays and springs added to perform a new logical task. Obviously, this was a slow process and changing or adding new services would take a long time. Stored Program Control exchanges perform logical operations just like a modern computer. They have a central processor that runs commands. Service Logic Programs (SLPs) and subroutines that build them, the programs that the exchange uses to perform its logical tasks, are stored in memory and run by the processor when required. Also, there is volatile storage, like RAM in a personal computer for storage and manipulation of call 'state' information and 'variables' regarding the call. There will also be volatile storage for the processor to interrogate regarding things such as state information of the switch, for example which lines and switches are busy and which are available. Finally, the processor will have some kind of interface to the electro-mechanical parts of the switch such as the voice circuits. Typical exchange processing tasks would include the examination of digits for routing analysis, or the selection of a path through the switching matrix as two examples. To build upon the basic capabilities of Stored Program Control exchanges, more advanced Service Logic Programs can be implemented. These would include such features as Call Waiting. As an example, a Call Waiting SLP would work by detecting an incoming call to a number serviced by the switch, detecting that the line to which that call is trying to reach is busy, detecting that the Call Waiting feature is active on the line, returning a Call Waiting 'stutter' tone to the caller and sending an audible pip down the line to alert the called party. If the called party signals the switch that they wish to accept the call, the switch detects this signal (switch-hook flash, followed by '2' etc.) and puts the current voice circuit on hold and puts the caller through. Other features that work in a similar way include Call Forward, Conference Calling, Abbreviated Dialing and so forth. An important fact to note here is that the times that a switch determines a feature or SLP is to be run can map to the PICs (Points In Call) and TDPs (Trigger Detection Points) described in [Section 1.06] relatively accurately. For example, in the Call Waiting system described above, at the Terminating Switch - Line Busy Check trigger detection point, the switch knew to check for active Call Waiting and if so, run the Call Waiting SLP. Being cognizant of this commonality will be especially helpful to us when we go on to describe feature interactions between IN Based and SSP based features. Another type of Switch-Based feature are the CLASS (Custom Local/Load Area Signalling System) features. These features are the same in terms of Service Logic types, but are capable of receiving information from the incoming CCS7 packets. Namely the ANI (Automatic Number Identification - or caller's number) from the ISUP (ISDN User Part) portion of an incoming CCS7 call. So, the ANI of the caller becomes a variable used within the Service Logic Program. An example, of this type of service would be CND (Calling Number Display), Selective Call Screening (Based on an inputted table of calls to deny/allow, stored at the switch) or *10# Call Return (The switch keeps an accessible record of the last number to call each subscriber.) These Switch Based features are marketed by Telstra as packages under the title HomeLine or BusinessLine depending on the feature. They used to be called EasyCall, but they are now called HomeLine and BusinessLine. A large difference between these features and IN features is that switch-based features are coded on the switch as the platform. This requires specialised knowledge, standard hardware and cutover to many locations at once, rather than one centralised location. It is obviously alot slower to implement new Switch-Based services rather than new IN based services as we will see. 1.03 : Intelligent Networking =-=-=-=-=-=-=-=-=-=-=-=-=-=-= While the CCS7 concept cut costs relating to call setup, there were still many other benefits that could be realised from full exploitation of a common channel signalling technology. For example, many corporations in Australia have offices in diverse geographical locations around the nation and may change or add locations quickly. They face the problem of consolidating their communication systems. The profits of offering value added services to customers that can be tailored specifically to individual needs can be enormous. This is where Intelligent Networking came in. In short, Intelligent Networking or IN, enables the telephone network to make decisions on the routing and processing of calls autonomously. Not just that though. It also allows the rapid addition of new methods it uses for processing calls, new features, as required. Intelligent Networking was phased into the Australian phone network by OTC in the early '90s. We'll start with a topological diagram of an IN network and explain each system, known as Network Elements or NEs, individually : _____ IN Network Topology | | =-=-=-=-=-=-=-=-=-= | SCE | |_____| o __o__ ooooooooooooooooooooooo| |ooooooooooooooooooooo o | SMS |ooooooooooooooooo o --- : CCS7 Links o oooooooooooo|_____|ooooooooooo o o o __o__ o o __o__ o o === : Voice Links o (_____) o o (_____) o o o | | o o | | o o ooo : OAM Links o | SCP |----------------------| SCP | o o - Usually X.25 o \_____/ o o \_____/ o o o \___ oooooo oooo ____/ o o o _\_o_ _o_/_ o o o | | | | o o o <------| STP |-----------| STP |---------------> o |_____| |_____|-----\ o o oooooooo ______/ | \ o o _o_/_ ___/_ _\o_ o / \ / \ | | o <=======| SSP |================| SSP |========| IP | o \_____/ \_____/ |____| o o o oooooooooooooooooooo AIN : Acronym Intensive Network AIN : Advanced Intelligent Network; Aka IN (The heading is really a crap joke) CCS7 : Common Channel Signalling No. 7 - Inter Exchange Data Signalling Protocol IP : Intelligent Peripheral - Usually a collection of IVR's IVR : Interactive Voice Response - Automated voice system controlled by DTMF tones OAM : Operations Administration & Maintenance - Service system and links aka OAM&P SCP : Service Control Point - Database server for IN SLP : Service Logic Program - Feature application, code run on nodes SMS : Service Management System - Controls, updates and Maintains the IN SSP : Service Switching Point - Telephone Exchange upgraded for IN STP : Signalling Transfer Point - CCS7 Router The acronyms are there as a reference. In the diagram, there are arrows leading off on trunk lines and CCS7 links from an SSP and the STPs. This is because this is all part of a network. The STPs are connected to other STPs and the SSPs can be connected to other SSPs. Even though this ASCII diagram sucks I have tried to adhere to the standards for representing each type of Network Element. Circles for SSPs, Squares for STPs & Cylinders for SCPs 1.04 : So What Is Intelligent Networking, Really? =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= I know you haven't noticed this, but the question of what Intelligent Networking actually IS can be hard to describe . This is because thesystem is deliberately designed to have a multi-function capability. It may be helpful at this stage to briefly describe a basic IN service. We'll use placing a call to a 1800 number as an example. OK, so a user connected to an SSP wishes to make a call to a 1800 number which is terminated at another SSP. First thing is, the user dials the number. As soon as this is done, logic in the SSP is triggered. It requires the intelligence of the network to route the call. A CCS7 packet is formulated, addressed to an SCP and sent to the nearest STP. The STP then forwards the packet to the SCP. This is where the magic happens. The SCP will examine the query and notice that a certain originating user (presumably there is a field analogous to ANI in proprietary & application specific TCAP component portion parameters) has called a certain 1800 number. The SCP then consults it's database, coming up with the number for which this call should be routed to, the number that corresponds to the called 1800 number. The SCP then constructs a reply packet with the number to route the call to and sends it to the originating user's SSP. When the SSP receives this information it can begin the process of routing the call as a regular CCS7 call as shown above until the call is completed. A more advanced function would be the SCP routing the call to a certain number based on time of day, day of the week, originating ANI or any number of other factors regarding the call. The key concept to note here is that in use of the Intelligent Network, the intelligence, or knowledge of how to route calls, is taken out of the SSP and placed in the SCP or SCP's. In the network itself. Let's now go a little deeper into each node or Network Element in the Intelligent Network and use them to explain the more advanced concepts behind Intelligent Networking. 1.05 : STP's - Signal Transfer Points =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= These are the simplest Network Element to understand, so I will start with them. They are basically CCS7 routers. They route data over the CCS7 network. In the IN, their function is essentially the same as in regular CCS7 networks. A node such as an SSP will address a CCS7 packet to another node on the network and send it to an STP for routing. The STP will then send it on it's way. IN uses the CCS7 protocol and existing CCS7 networks as they are, it simply adds new elements and stretches CCS7's capabilities. STP's are usually deployed in pairs. That is, two STP's basically do the job of one of the STP's in the above diagram. Infact, where one STP is in the above diagram, imagine there are two, doing the same job. This is basically a redundancy measure. If one STP becomes congested or goes down, the other STP can take up its workload. STP's can also provide a function known as Global Title Translation. Addresses on a CCS7 network are 3 byte values known as 'Point Codes'. Every node or even STP knowing exactly how to route to every Point Code on the CCS7 network is infeasible, especially when we are talking about sending a packet to a node on another Telco's interconnected CCS7 network. This is where GTT comes in. When a CCS7 packet is addressed, it's Point Code address can be the nearest STP and the Global Title field can be filled in to indicate the final destination. Upon receipt of this packet, the STP can translate the GT to a Point Code and route the packet. In addition to this, based on the Global Title, the STP can forward the packet to an intermediate STP, or an STP that it knows will be better able to forward the packet to its fully translated destination. A Global Title is typically something like an untranslated 800 number, calling card number etc. GTT translates a GT to point code and subsystem number, which identifies a specific application at the destination signalling point (ie. SCP). The CCITT has assigned Australia initially with 16,000 point codes to use for its network, with an additional 16,000 in anticipation of a second CCS7 network. These point codes have been distributed among the states for use in the hierarchial by state CCS7 network in Australia. 1.06 : SSP's - Service Switching Points =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= These are the Telephone Exchanges in the network, your Ericsson AXE'es, System 12 and DMS-100 exchanges all fall into this category. They are the points of the network where calls terminate to customer telephone lines and where voice lines to other SSP's / Exchanges are served. To serve in an Intelligent Network, SSP's must be able to determine when they require the intelligence of the network to complete the call. For this purpose they are outfitted with systems that detect 'triggers' during processing of calls. Under IN two Basic Call Models (BCMs) were created complementary to the existing call models in telecommunication systems. These BCMs model a series of Points In Call (PICs) that an SSP goes through when processing a call. Each PIC can have one or more Trigger Detection Points (TDPs) checked upon reaching it, that is circumstances where special handling of the call may be required. If a PIC has TDPs that indicate a need for special handling if triggered, that TDP can be said to be active and the PIC to which it belongs can be said to have an active trigger. The Basic Call Models, modelling the PICs in a call come in the Originating Basic Call Model and the Terminating Basic Call Model which look something along the lines of : Originating Basic Call Model Terminating Basic Call Model =-=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=-=-=-=-=-=-=-=-=-=-=- O_NULL T_NULL | | AUTHORISE_ORIG_ATTEMPT AUTHORISE_TERMINATION | | COLLECT_INFORMATION SELECT_FACILITY | | ANALYZE_INFORMATION PRESENT_CALL | | SELECT_ROUTE T_ALERTING | | AUTHORISE_CALL_SETUP ACTIVE | | SEND_CALL RELEASE_PENDING | O_ALERTING | ACTIVE | RELEASE_PENDING These PICs will correspond to Trigger Detection Points like : INFO_COLLECTED & COLLECT_TIMEOUT for COLLECT_INFORMATION. Essentially you will have some times in the call that information can be tested like : * Immediately after phone is taken off-hook * After some of the digits are collected (ie. if a long distance prefix is entered on a phone line that has STD barring). * After all the digits have been collected and can be analysed. * When the route to the destination has to be determined (ie. may require assistance if the route is congested.) * Check whether terminating resources are available. * Present call (for example to determine if the called party will accept a call from the calling ANI). * Line busy check (eg. maybe calls can be routed to an alternate number in this instance, such as call diversion or message bank). * Line answer check (ie. did the call timeout?). If an active trigger is detected by the SSP, a request for information on how to process the call is sent by TCAP to the appropriate SCP. As you can see from the number of PICs above, there is considerable opportunity for intelligent routing of calls. In the big picture of the Intelligent Network, the PICs that have active triggers depend upon the type of service and the Service Logic Program (SLP) that the SSP is playing a part of. 1.07 : IP's - Intelligent Peripherals =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Often, an Intelligent Network feature will require additional information from the customer besides the number they have called in order to route the call. Usually an IVR (Interactive Voice Response) system can be used for this purpose. A common application of IP's is to play a message and wait for input from the caller via their DTMF keypad on their phone. For example, a subcriber to a prepaid calling card service can call his service's access number, an active trigger will be hit at his SSP and the call will be routed to the SCP, the SCP then routes the call to an IP that plays a message requesting that the customer enter his calling card number and PIN on his phone keypad, it can then collect the entered digits and request verification from the SCP. Once the card number and PIN are verified by the SCP and the corresponding message sent to the IP, the IP can prompt the caller for the number they wish to call. Another example would be messagebank services. IP's can also play a part during the immediate off-hook point in call if voice activated dialling is supported. This is one instance where an SSP might encounter an active trigger at this first PIC. The call is initially routed to the IP for collection of the number, the caller says for example "Dial Miss September" and the digits are eventually sent to the SSP so it can continue processing the call. The voice line from an IP is usually an ISDN line hanging off one SSP or another in the network. It should be noted here, to avoid confusion, that an Intelligent Network IP is not the only system capable of IVR around. Customer terminating equipment such as a PABX is perfectly capable of generating complex IVR queries from a connected customer and processing it on its own. A PABX can't interface with the IN however. 1.08 : SCP's - Service Control Points =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Often referred to as the brains of the Intelligent Network, these are the database servers that hold the information on routing of special calls. These are not switches or routers, usually they are commercially available computing machines such as SUN, running operating systems such as UNIX (Sun hardware and UNIX seem popular with Telstra anyway :p) Queries and Replies between an SSP and an SCP (and IP and SCP) after a trigger hit are performed using CCS7 TCAP, Transaction Capabilities Application Part. TCAP messages use SCCP (Signalling Connection Control Part) for transport. SCCP is where the Global Title or Point Code + Subsystem Number are sent. A TCAP message is comprised of a Transaction Portion and a Component Portion. The Transaction Portion contains information regarding what type of information is being transferred. This information is known as the package type, there are seven different package types. I may as well include them here : (*) Unidirectional: Transfers component(s) in one direction only (no reply expected). (*) Query with Permission: Initiates a TCAP transaction (e.g., a 1800 query). The destination node may end the transaction. (*) Query without Permission: Initiates a TCAP transaction. The destination node may not end the transaction. (*) Response: Ends the TCAP transaction. A response to an 1800 query with permission may contain the routing number(s) associated with the 800 number. (*) Conversation with Permission: Continues a TCAP transaction. The destination node may end the transaction. (*) Conversation without Permission: Continues a TCAP transaction. The destination node may not end the transaction. (*) Abort: Terminates a transaction due to an abnormal situation. As you can see, a query to the SCP may result in a response or may result in a finite set of conversation messages exchanged between the SSP and SCP. The Component Portion contains components. There are six kinds of components (again literally ^C^V'ed from the specs) : (*) Invoke (Last): Invokes an operation. For example, a Query with Permission transaction may include an Invoke (Last) component to request SCP translation of a dialed 800 number. The component is the "last" component in the query. (*) Invoke (Not Last): Similar to the Invoke (Last) component except that the component is followed by one or more components. (*) Return Result (Last): Returns the result of an invoked operation. The component is the "last" component in the response. (*) Return Result (Not Last): Similar to the Return Result (Last) component except that the component is followed by one or more components. (*) Return Error: Reports the unsuccessful completion of an invoked operation. (*) Reject: Indicates that an incorrect package type or component was received. The interesting part of the Component Portion is that components include parameters. These are call variables that the SCP might need to read and use for call processing. It can also include variables that the SCP wants to write to the SSP for call processing. Variables typically come in such forms as CallingPartyID, CalledPartyID, AlternateBillingNumber etc. In this manner, an SSP can query the SCP for applications such as where to route a call, send the neccessary information regarding the call and receive a reply with the information on where to route it. The application depends upon the Service Logic Program. (Note: That the ANI as it is sent between SSPs during call setup is sent in ISUP messages and therefore is not sent along with TCAP messages, TCAP must send it as a parameter just like any other call variable.) SCP's are often deployed in mated pairs, just like STP's. This is less common than with STP's though. If there are a redundant pair of STP's, there will be a CCS7 link between them so that they can ensure their data is uniform. Just a small note here on billing systems. How billing is performed in an Intelligent Network is not a part of any IN standard, probably due to the fact that many of these systems are run by telcos on proprietary (and therefore varying) platforms. Sometimes, the SCP includes back-end databases that perform billing functionality (ie. changing who a call is billed to in the case of a 1800 call), sometimes it merely stores the information and is queried for it at a later date or periodically by another system, sometimes there is a separate SCP on the network that the IN SCP sends call information to, sometimes it is run as a part of the SMS. It is also possible for an SCP to write to a variable such as AlternateBillingNumber at the SSP. SSP's are perfectly capable of handling the sending of information to billing systems for straightforward calls. It really depends on the telco that runs the network. I believe that in the Australian phone network the last option, the SCP writing variables to the SSP, is what is used. This seems like the most robust option anyway. 1.09 : SCE - Service Creation Environment =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= When a service, or in terms of what the IN can use - a Service Logic Program, is created it must specify the different jobs that each Network Element must perform to provide the service. In regards to the SSP it must specify upon which Trigger Detection Point/s an active trigger must be placed to halt the call and query the SCP for further information at the correct time. In regards to the SCP it must formulate the variable processing databases the SCP must use in order for the call to be routed to the correct line or IVR at an IP at the correct time and under the correct circumstances. The SCE is the environment where these services are created and tested. The hardware used, like the SCP's are commercially available operating platforms like SUN hardware and UNIX. IN service logic programs are created in the SCE by using a building block type approach. Each component of the IN is modular and can have many different applications based on how it is used and how it is used in relation to other components. A graphical programming approach is preferred. At Telstra, they based their SCE systems around the CASE (Computer Aided Software Engineering) tools. Later in this article, I will explain some examples of IN services and you can see how use of triggering at different TDP's and performing number translation in different ways can result in almost limitless IN services. A big part of the SCE and the modular nature of IN is to reduce the lead-time for new services and introduce them very rapidly. 1.10 : SMS - Service Management System =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- As you can see from the diagram above, the SMS is not connected to the CCS7 network. The OAM (Operations Administration & Maintenance) links are usually run over an X.25 network. Papers describe the SMS as the heart of the IN. The same papers describe the SCP as the brains of the IN. Maybe the human body analogy doesn't sit too well hehe, but it illustrates that while the SCP's make decisions in the IN, the SMS is responsible for the upkeep and control of the IN. To begin with, when a new feature has been created in the SCE and is ready for deployment, it is sent to the SMS for activation in each of the IN nodes. The SMS distributes the database schema to the SCP's and distributes information on which trigger detection points should have active triggers to the SSP's. Generally, master records of the SCP databases are kept in the SMS. These are checked against the SCP databases during times of low activity (SCP's a real-time systems and must be able to process calls quickly) to ensure that all data is up to date. Furthermore, the SMS contains the management functions for provisioning the IN services to customers and also for modifying the service details for various services (for example, in the case that a customer wishes to modify where a number is routed.) If the customer has an interface by which to modify their IN service, it is likely that this either directly or indirectly interfaces with the SMS. The full scope of functionalities provided by an SMS are largely network and system dependant. The SMS may be capable of performing a large number of tasks however, such as monitoring the network for faults and collecting stored billing data from the SCP's. As you can imagine it is a very powerful system with control over all other parts of the IN. 1.11 : IN Services =-=-=-=-=-=-=-=-=- Now that we know how the IN works, I will explain some IN services offered in Australia. This will help to illustrate the multi-function capability of IN and give us a wide variety of solid examples to work with later in this article. e1800 - Enhanced 1800 This is basically, the example used above. When an SSP receives a call to a 1800 number it contacts the SCP for further information. The enhanced 1800 service is customisable enough to be able to route calls based on the caller location, caller ANI, time of day, day of the week and so forth. A simple example. Priority 13 This is the service provided by the numbers in the 13 nn nn prefix. A major factor in this case is that calls to 13 numbers are all billed at local call rates. Most of the time, they will be diverted to a number based on the caller location and the call will be a local call due to the service. At other times, it is likely that the call will have been placed outside the 13 number's service area and the call refused. The call can also be diverted based on a number of other criteria, such as whether the first preference number is busy, the time of day and so forth. In Telstra literature, they are always hawking the value of this type of service in an advertising campaign, the theory being that one number Australia-wide is easy for customers to remember, now go out and make a gay song with your 13 number in it. ---> Just FYI, the above two services are known as enhanced InWATS services, that is - Enhanced Inward Wide Area Telephone Services. It's terminology Customnet Spectrum ACD (Automatic Call Distribution) This is a service often used in call centres, or call centres with multiple working sites. The service will handle large volumes of incoming calls, routing to a group of numbers based upon which number has been idle the longest. If no numbers can be found to route the call to, the call can be routed to an IVR until a number becomes available. This enables the customer to handle their ACD in the phone network rather than purchasing and maintaining termination equipment for the purpose. There are also interfaces, ACD MIS (Management Information System) interfaces, that allow supervisors to change the length of queues coming into the system, the numbers that calls are routed to and also receive data based on where calls have been routed etc. for management purposes. Customnet Spectrum Network Wide Centrex Centrex is PABX service offered by telcos. Instead of having a PABX system at the local site, the PABX functionality is managed by the telco. Users can call extensions and at cheaper rates and so forth just like a regular PABX. Before IN, Centrex was only available if the users were all in the same exchange area. Using Intelligent Networking, calling an extension type number can cause a trigger hit and the Intelligent Network routes the call to its destination, a Centrex user at a remote exchange. Telecard - Automatic Calling Card Service This is a prepaid or account calling card service offered by Telstra. The user dials an access number, a trigger hit is envoked at the exchange and the user is routed to an IVR. Here, the user enters their calling card number and PIN. If this is verified, the call is put through and is billed to the user or credit is reduced on their account. 2.01 : Interfaces =-=-=-=-=-=-=-=-= Features are added to a service to give the customer more personalised, more customisable options and provide a degree of control over how they use the service. In order to do this, they must have an interface to the service in order to provide input in order to issue the service the necessary instructions so it can perform the desired actions. Likewise, in a feature rich environment there is alot more management and requirement for instructions, programming etc. to be issued via telco staff in order to maintain the system and ensure it is working in the manner by which they offer the features as products. In a feature rich environment, these interfaces are a necessity. There are also likely to be alot of them. In addition, a feature rich environment creates a need for a more complex underlying infrastructure with a large amount of Network Elements performing the many tasks required to create the environment. Any accessibility of this kind creates a vulnerability. Vulnerability can be mitigated, but it can never be completely removed. The facts that authentication technology over current phone lines is limited and that many required Network Elements in an infrastructure such as IN are running on operating platforms with known vulnerabilities do not help either. We will begin by describing the types of interfaces that can cause problems within the telecommunication network, will then go on to describe some examples of attacks on Customer Interfaces and will complete this section with examples of attacks on Telco Interfaces. This is by no means a concise compendium of attacks of this kind. There are definitely other attacks not mentioned here. This section is designed to give you a feel for and knowledge of attacks possible. 2.02 : Concerns Over Interfaces =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= So, in regards to the many interfaces in a feature rich environment like the modern telecommunication network, what are the risks. How can an insecure interface be used to leverage a security breach or act in a manner it was not intended? Defeats of Authentication on Privileged Interfaces An interface that provides an advanced interface to the network, that allows control over some kind of functionality in the network poses a threat if that control is allowed into unauthorised hands. Likewise an interface by which privileged resources or confidential material are accessed is by nature designed to be kept out of unauthorised hands. To mitigate this, these kinds of advanced and private systems require authentication. The level of authentication required depending on the privilege of the functionality or the value of the commodity protected. This class of interface comes in two particular types; customer interfaces (eg. control over where a number is routed) and telco interfaces (eg. OAM&P systems). The concern here is the authentication mechanism being defeated or bypassed, thereby allowing an unauthorised person privileges over the network. Interfaces Where There Was Not Supposed To Be An Interface Obviously, a certain kind of less privileged interface to the phone network is required to begin with in this case. The concern here is interfaces that do not control everything as well as the designers intended and if leveraged correctly can provide a more privileged level of interface to the network than was intended. An example of this, is the old in-band signalling problems described in [Section 1.01]. This type of attack could be described as bypassing access controls in an interface. Naturally if there was no interface, there would be no potential for this attack. Interfaces To Functions That Can Interact And Behave Incorrectly This problem can actually be inherent in how the interface is designed, as we will see later when we go into feature interactions. Features are by nature advanced and depend on many properties and variables within the controlling environment. Often a badly designed pair (or larger number) of features can interact with one another creating an unintended result. This problem can be compounded when combined with the first type of problem and a function or feature requiring authentication and therefore a greater degree of functionality is one of the interacting routines. 2.03 : Customer Interfaces =-=-=-=-=-=-=-=-=-=-=-=-=- These are the interfaces that are allowed by the telecommunications carrier to customers. The interfaces mostly enable control over the functionality of the specific customer's service only unless access controls can be attacked which is described in a later section. 2.04 : Basic CPE Signalling =-=-=-=-=-=-=-=-=-=-=-=-=-= Lets start with the basics. CPE Customer Premises Equipment must be able to signal the exchange with the information it wishes to send. This is typically done by DTMF (Dual Tone Multi Frequency) tones down the phone line. This is used to indicate to the exchange numbers to be dialled and also, special DTMF sequences can be sent to the exchange to indicate instructions as to operating features such as activate call-waiting (*43#). The path between the customer and the exchange is an analog sound path via copper wiring, that is why DTMF is used. DTMF can also be used, once a sound path is created between the caller and a remote system in order to instruct the system. An example of this would be entering a PIN or entering a choice of options from an IVR's menu. In the past, decadic signalling was used to signal digits to the exchange. Older rotary telephones (the phones with a dial instead of a keypad) use this type of signalling & many exchanges still accept it for dialling numbers. It works by quickly 'pulsing' or disconnecting the line for the size of each number (ie. 1 pulse for 1, 2 pulses for 2 etc.). This system is not used today as it will not work on circuits multiplexed together at pair gain systems before the exchange, will not work on remote systems and does not provide the kind of interface required to activate and manipulate features of the telephone service (HomeLine features cannot be used with a decadic/rotary phone). Another type of signalling possible with standard Customer Premises Equipment on a standard analogue telephone line is the switch-hook flash. This can be implemented in a button on the phone (ie. Recall/Flash) or by the user depressing and rapidly releasing the switch-hook. This is often used in-call to interact with features on the line, such as call-waiting where if a call-waiting pip is received, flashing the switch-hook and pressing '2' on the DTMF keypad to switch to the incoming caller. An interesting thing to note here is that the switch-hook flash and the decadic dialling signals are the same types of signalling. Unwitting owners of telephones have occasionally placed a protective gate over a keypad or dial or a lock on the dial of a phone expecting that people will not be able to dial numbers. However, with a switch-hook, decadic dial pulses can be simulated by flashing the switch-hook the size of the number wished to dial, pausing for a small interval and flashing the switch-hook for the size of the next number and so on. This would fall into the second type of problems with interfaces listed above [Section 2.02]. 2.05 : Undocumented Telstra Home/BusinessLine =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Telstra Home/BusinessLine features are typically activated and controlled on the line which you wish to manipulate the features of. So, to divert a call to a number from your home phone, you pick up your Touchfone 400 and go : [Call Divert] <phone number to divert to> [Call Divert] And any calls to that number will be diverted. First thing to note here is that the 'authentication' is physical access to the phone line you wish to manipulate. So, a phreaker can connect a beige box to a line outside your house and forward all your calls to a line under their control effectively 'becoming' you. So, many of you will have seen a phone like a Telstra Touchfone 400 and seen that there are separate buttons for a number of features. You're thinking that these must indicate additional types of signalling than I've described above. Well, sit back and learn chuck because this is a function of the user-friendly way the phone is designed and infact, the above signalling types are incorporated into the new buttons. I'll explain two of the Touchfone 400 functions below and how they work in order to demonstrate how this works : Call Divert OK, just scroll up a little to see how this is activated using the Touchfone 400. In addition to this, prior to diverting a phone number, you can set the 'type' of diversion. Press : [STORE] then, depending upon which type of call diversion you wish to activate and set : [1] For Forward Immediate {*21} {#} [2] For Forward On Busy {*24} {#} [3] For Forward On No Answer (upon timeout) {*61} {#} And then [Call Forward]. On the surface, it appears that you are merely pressing afew buttons here, but what is actually going on is you are instructing the Touchfone to store one of the actual Home/BusinessLine DTMF tone sequences in [Call Forward]. When the Touchfone detects your pressing [Call Forward] a second time, it will send [#] rather than the tone sequence, so for the default, Forward Immediate : [Call Forward] <number to divert to> [Call Forward] Sends: {*21} {#} As you can see, this works out exactly the same as just entering the regular DTMF tone sequence. Call Waiting Call Waiting depends on the [Call Waiting] button. During a call : {pip tone on line} [Call Waiting] [2] - To switch to the other call. The [Call Waiting] button, or [Recall/Flash] on different phones, equates to a switch-hook flash, or even a decadic dialed '1' (not that you will be able to dial '2' afterwards though). Activating Call-Waiting is similar to activating Call-Forward : [Store] [Call-Waiting] Sends : {*43#} If you listen when you use these features on a Touchfone, you will hear these tones being sent. The point of this is, there is no new signalling that a Touchfone 400 uses and in addition, lines that have a feature activated using a Touchfone or, using the regular DTMF tones sequences have essentially both been activated the same way and can therefore be further manipulated either way. 2.06 : Telstra Remote Access =-=-=-=-=-=-=-=-=-=-=-=-=-=- This has grown to become one of my favourite features offered by Telstra. It is designed to be a way of remotely controlling features of a telephone line. That is for example, from your home telephone line (or indeed any telephone line) controlling the call forwarding parameters enabled on your office telephone line (at a different location). Costs an extra 5 bucks a month I believe. Authentication is required because otherwise any random individual can change where anyone else's Call Forwarding forwards to, thereby rendering the system pretty darned unreliable. A PIN is required for authentication. To begin with, you dial the access number for the exchange in which the number you wish to control is in. That is, the access number is different for each exchange the manipulable numbers are in. This is due to the fact that the state tables and service logic for features controlled by Remote Access are in the local exchanges rather than the intelligent network. They are not different depending upon the user, they are different depending upon the exchange the service is in. To begin with, a user dials their Remote Access (access) number, they will then be prompted with the announcement : BEEP. Welcome to the Telstra Remote Access service. Please enter the telephone service you wish to control, followed by a star, and then your PIN followed by a star. Once this is done, you can control the telephone service (ie. call diversion etc.) as you would if you were physically connected to the line. It is possible to use this service to determine whether or not the Remote Access feature is available on the line you are trying to control, the IVR will notify you if you have tried to control an invalid number after you have entered the number and PIN combination. The feature you have tried to use is not provided as part of your service. To add this feature, please call Telstra on 13 22 00 during business hours. Calls to this number are free. So this means that you can enumerate valid Telephone numbers, by determining when you receive the different error message than you would if you entered an incorrect PIN. This highlights two implications : (1) After performing a wardial to determine which telephone numbers service a specific company, you can then test each number to see if it is possible to remotely forward this number to a number under your control. (2) If your goal is to determine ANY number which you can remotely control because you do not wish to physically access the line it is on (ie. reducing your area of vulnerability, timing, because you are lazy), then it is possible to do so. This would be used in for example, exploitation of a feature interaction (see section below), or having a number you can route to you whilst having people whom you don't want knowing your direct phone number, among other things. Changing regular services' call diversion is not the only thing that can be done with Remote Access. Features of a Centel centrex service can be controlled via Remote Access as well. In the latter case, if you are forwarding to a number external to the specific Centel system it must be prefixed with a '0' as when requiring an outside line from a Centel system. 2.07 : Intelligent Peripheral-Based Interfaces =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- The Intelligent Network is designed to offer a wide and customiseable variety of interfaces to people using Intelligent Network based Service Logic Programs. These are provided through the Intelligent Peripherals in the form of various Interactive Voice Recordings. Some typical examples of these interfaces would be : PIN Access To Freecall Number If a company does not wish unauthorised people, or unauthorised people not in a table of certain numbers, unauthorised people in certain distant areas etc. access to their freecall service they can protect the service with a PIN. PIN For Accessing Stored Information An example of this would be MessageBank Advanced Virtual, where during congested periods at a call center calls are routed to a MessageBank where they can be taken and later retrieved, by calling an access number and using a PIN as authentication. PIN To Determine Routing Often, instead of offering a caller a long list of IVR options for where their call may be routed and especially if some access control is required to prevent specific users going to areas other than those assigned to them, an IVR can be set up to prompt the caller for a PIN and route depending on which PIN was entered. An example of this is the Telstra HomeLink service, although it can be found in many other applications, such as used by specific companies or for access to conference calling resources (where the PIN may be longer than just four digits). Telstra Telecard Calling Card Service To use this service the caller calls the access number, which sends the caller to an IP IVR where they are prompted to enter their account number, then their PIN and once authenticated they can have their call billed to an account that has been setup for the purpose rather than having the call billed to the line they are physically using. 2.08 : Security of PIN-Based Authentication =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= As you can see above, many of the interfaces that require authentication use a four digit PIN for the authentication. The purpose of this section is to familiarise you with the security properties of the humble PIN as it is used in telecommunication systems. As you will see, it is a suitable authentication system when used to keep out curious unauthorised users, but is unlikely to keep out a determined attacker. Two important things that affect security in the context of PINs used in telecommunication systems rather than say banking or computer network security applications are : (1) There is no audit trail. That is, the user of the system has no way of determining how many incorrect attempts have been made to access and when the last access to was for their privileged interface, and they have no way of determining what "address" (ie. ip address equates to telephone number) that has been used to access their interface. Sure, the telephone company has access to this information (if they try hard enough to extract it from their massive databases) but the user of the system does not. This means a user cannot modify his behaviour in the event of an attempted attack (often meaning a more successful one may follow) and the eyes of many (the users) are replaced by the eyes of a few (telco staff). Adding an audit trail that users can view would be costly, driving up the price of the feature and would add too many complicated options for the average "assumed stupid" (and for good reason) user to fathom. (2) There is no retry counter. In banking security applications, if a certain number of incorrect PINs are entered, an ATM machine will keep the card, thereby preventing further brute force attacks. In telecommunication applications, the risk of attack vs the cost of service loss of availability to the user and service by the telco in order to restore it when every "actually stupid" user keeps entering the incorrect PIN means it is not viable to offer a retry counter. Henceforth, an attacker can sit there and try every possible PIN without being thwarted. (3) Users can usually pick their own PIN. A bank chooses your PIN for you, ensuring randomness, while in telecommunication systems you are usually able to choose it yourself. This is desirable as otherwise a secure method would need to be established for getting the PINs to customers and in the event of a possible compromise, a user being removed from a group of people authorised to know the PIN or maybe just a change of mind the PIN would need to be changed. This creates a situation where it is possible for a user to choose an easily guessed PIN, or atleast a PIN that is easier to guess than a randomly generated one. As you can see, the security issues relating to PINs in telecommunication systems come down to ease of use, or the "assumed stupid user" problem (as I like to call it) and costs of providing a more secure service. As in many other areas, security is forsaken for marketability. Of course, in order to attack a PIN, you need to know the access number to dial in order to even make the attempt. For many systems, especially those with many independant users, the access numbers will be public knowledge and obtainable with a little digging. If all else fails, the service can simply be subscribed to in order to obtain the access number. It does help to notice that lists of such numbers are an important thing for a phreaking community to compile. OK, so hacking a PIN by going from 0000 - 9999 is possible, but takes a hell of a long time. What can we do to minimise the amount of tries we have to make before we get the correct PIN? One thing is that humans, being naturally the finders and users of shortcuts and fond of reliability, will pick a PIN that is easy for them to remember. Ultimately, I recommend thinking about it and making your own list of likely PINs. Here is a list you might like to include : (*) All the same number : 1111, 2222, 3333 ... (*) Incrementing Numbers : 1234, 2345, 3456 ... (*) Decrementing Numbers : 9876, 8765, 7654 ... (*) Last four digits of access/service number backwards : 1234 - 4321 Access number would be the number rung to access the interface; Service number would be, in the case of HomeLine, the line whose feature is being controlled, or a MessageBank number etc. (*) Last four digits of access/service number +1 : 1234 - 1235 (*) Corners or edges of keypad : 1379, 2468 (*) Keypad down/up : 1472, 4725 ; 5274, 2741 ... Another approach that can be taken once the most likely PINs are exhausted are trying large, but more likely combinations of PINs. To brute force a 4 digit PIN you would ordinarily require roughly 10,000 attempts (5000 on average), however searches aimed at likely combinations can reduce the amount of tries required : (*) Birthdate (dd/mm) PINs : ie. [00 - 31] [00 - 12] equates to 372 attempts, 366 if you eliminate the non-dates in that space. (*) Double digits : ie. 1100, 1122, 1133 ... requires an attack space of 90 (remembering to eliminate all same pairs as they have been tried.) (*) Repeated Pair : ie. 0101, 0202, 1919 ... requires an attack space of 90 if remove all same numbers. Extra 10 if include 0 at the start and end of pairs. If that doesn't work and you do not wish to move to another user on the system, then you can eliminate those numbers and do a brute force search on the rest. In the case of Home/BusinessLine etc services, when a service is first activated, the PIN is set to the last four digits of the service number (telephone number for those of you who have bad retention). Many people would not change their PIN from this number and would continue to use it. Telstra has recently changed this, probably due to security problems. In order to activate a new feature on your line you must change the PIN from the default. One PIN is stored in the exchange for each user, so when you change your PIN for one feature it is changed for all other features as well. [Pickup] *30 [Old PIN] * [New PIN] * [New PIN]# [Hangup] For those of you that wanted to know. Note the reliability of the double New PIN entering requirement to prevent idiots forgetting their PIN. Secondly, you can automate the task of PIN brute forcing by using tools designed for the purpose. PABX/VMB hackers will work depending on how customisable they are. If they can issue the PIN after any number of prompts, then its ok. They basically come in two types, the ones with which you have to press a key on to indicate the next prompt from the system (such as the Telix VMB Hacker in Phrack 35 Loopback) and the ones that use voice response to determine where the prompts are (like THC-PABX hacker). You might be wondering now, why is a PIN used for authentication if it sucks so badly? The answer is, it is really the only type of authentication that can be used. Remember, POTS is limited in the type of signalling it can handle. It only has the hook-switch and the DTMF keypad for signalling. In the future, when we are all using data connections such as ISDN to connect to the telephone network, we might be able to use something more advanced like digital certificates or biometrics (ugghhhh - both of these are another article anyway) but for now we're stuck with a PIN. Actually an advanced challenge/response type of authentication is possible. Users have a token into which they enter a challenge issued by an IVR from the system they wish to authenticate themselves to and the token returns a series of digits which are entered via the DTMF keypad. I've actually heard they use a system like this on some PABX Direct Inward Systems Access Services. However, Telstra issuing every ****wit HomeLine user with a token at this time is non-cost-feasible and non-user-friendly in the extreme. So for now, PINs it is. 2.09 : Customer Interfaces To The SMS =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= For customers with an advanced Intelligent Network service, a great deal of control is required over the service. A simple DTMF-IVR interface would be lacking in regards to the amount of configuration that would be required for say, an advanced CustomNet system. Telstra offers a few data based interfaces to the SMS for this purpose. Security is a significant issue in relation to these interfaces, particularly in relation to customers jumping across multi-lateral security boundaries and affecting other customer's services and also, gaining higher privileges on the system, the implications of which are described in [Sections 3.1 - 3.9]. Attacks on these interfaces are essentially a computer security issue, these issues are already well-known and are beyond the scope of this article. It does however, do good to note that vulnerabilities in such interfaces are already well-known and so the provision of these interfaces create security issues. It is also a good example of the modern convergence of telecommunication and data systems. SCAI (Switch to Computer Applications Interface) This interface is usually provided on a Basic Rate ISDN interface (ie. OnRamp MicroLink) and is a way by which applications running on a customer server can interface with the SMS or intelligent switch to control the Intelligent Network service in real time. I believe, from diagrams I have seen in Telstra documentation, that the data is transferred on the ISDN D-Channel, through Austpac and to the SMS / Intelligent Switch as a host on the Austpac network. Naturally, this would mean as long as the NUA is known, it could be called into by other types of devices and authentication would likely by something such as a user / password pair or challenge / response etc. Using the SCAI interface, an application can receive and send data to the Intelligent Network. It can receive information like ACD Data such as status reports in real-time and Caller information (ie. ANI, locality etc). Caller information can be provided to ACD agents as calls come through. The SCAI can also send instructions to the network, such as where to route calls. A primary use for the SCAI is to allow the customer computer application to make automated decisions based on information, for example upon receipt of caller information from the SCAI an application can request to the switch to route the call to a location based upon its own processing of the data. Web - CustomNet Control CustomNet Control is a Telstra.com online service that is used by CustomNet users to configure their CustomNet service. Staff movements and changes in departments can mean that a CustomNet service may need to be reconfigured and CustomNet Control is an available tool by which to accomplish this. Online reports on the status of the service are also available. CustomNet Control is a web-based application, accessed by using the digital certificate Telstra.com issues its users. Functions offered include : (*) The ability to view and then change or modify the features on CustomNet services such as updating the name display or changing call barring access. (*) Move services between call pick up groups. (*) Swap the telephone numbers on analogue extensions. (*) View and change members of Call Pick Up, Hunt Group, Intercom and Speed Call Groups. (*) Provide reports on telephone features. (*) Update service address details. (*) Apply pre determined feature sets to CustomNet services. (*) Copy feature sets between CustomNet services. Other Other interfaces to the SMS exist, such as dialup and of course voice - ringing up your Account Manager (for corporate clients) and having them change your service parameters manually. I believe an Identification Number is required. 3.01 : Telco Interfaces =-=-=-=-=-=-=-=-=-=-=-= As with customer interfaces, an advanced network such as an AIN requires many more management interfaces for OAM&P (Operations, Administration, Maintenance & Provisioning) purposes. The increased number of nodes in an AIN means increased interfaces to those nodes, and by the compromise of one node, other functionality within the network can also become compromised as we will see. Many interfaces to the nodes of an AIN are computer based, interfaces from other nodes that can be usurped by a human. Interfaces designed to be used by human operators are naturally authenticated and are not allowed to customers. They must either have the authentication compromised or be somehow interfaced from a higher level. 3.02 : OAM&P Interfaces =-=-=-=-=-=-=-=-=-=-=-= In the AIN model itself there is a standard OAM&P interface to all nodes on the network, the SMS. Typically these interfaces will be over X.25 and will be a part of a Closed User Group (they only accept connections from a trusted group of X.25 hosts) and/or will require authentication for access. At the very least an SMS will be able to control AIN Service Logic variables in the nodes (ie. Trigger Detection Points in the SSP's, databased entries in the SCP's) and so compromise of an SMS or the SMS'es OAM&P interface to a node will result in access to this kind of functionality at the least. The SCE environment is also a point of vulnerability. Third party software developers can introduce Service Logic Programs that contain backdoors. There are dangers in regular application development as well. Broad capabilities of features can introduce feature interactions which we will get into in a later section. There are certainly other OAM&P interfaces to nodes other than the SMS interface. This is especially true for the SSP which may have many separate interfaces to different equipment within, for monitoring and changing of parameters. Mediator, AUTOCAT & AXE AOM are interfaces that provide an especially high degree of control over SSP's. STP's may require an interface for modification of routing tables and so forth. A full description of all interfaces to these nodes is far beyond the scope of this article, but let us just note that there are many different OAM&P interfaces to the broad variety of nodes on an AIN/CCS7 network. These interfaces would typically be over X.25 or PSTN dialup. Another important fact to note is that many of the nodes, the SCP's, SCE's and SMS'es are running on operating systems such as UNIX in which security issues and vulnerabilities are already well known. 3.03 : CCS7 Interfaces =-=-=-=-=-=-=-=-=-=-=- The CCS7 protocol was never designed to be secure. It was designed as a call setup communication system within a closed network of trusted nodes. Compromise of a CCS7 interface is akin to the in-band signalling problem of the analog telephone networks, only worse. Much more functionality is offered and a hacker on a rogue CCS7 interface can do alot more than the Blue Boxers of the old days. In a modern day, enhanced and feature rich environment there are a few circumstances that can make certain interfaces a security issue in this sense : Compromise of a Node on the Network This is an obvious point, but often missed. If a node on a CCS7 network is compromised, so is its interface to the CCS7 network. It is now untrustworthy and a large security issue. ISDN ISDN D-Channel (Data Channel) provides a powerful signalling interface to the CCS7 network. There is much functionality and with more powerful functionality comes the risk that some unexpected interface can result. The D-Channel is a Common Channel signalling link just as CCS7. Infact, ISDN was originally meant to extend the concept of Common Channel signalling all the way to the customer. Certain CCS7 data can be fabricated from a malicious ISDN connection. For example, in the Telecommunications Digest in Jan, 4, 1997 it states : "It is to this day possible to spoof ANI/CNID with certain PRI connected PBXs on certain models of switch." Provisioning of CCS7 Connections to Outsiders In these days of deregulation, one thing that introduces untrusted parties to a trusted network is the provisioning of CCS7 connections to various telecommunication service providers. They can't provide the service without the CCS7 connection so they have to have it. 3.04 : Basic CCS7 Security =-=-=-=-=-=-=-=-=-=-=-=-=- Okay, so the protocol was never designed with security in mind. However, a few basic add-ons and precautions can be taken to mitigate the vulnerability of a CCS7 network. I will explain them here before I go on with the vulnerabilities. Gateway Call Screening Typically, the way to deal with untrusted parties on the network is to screen packets, for things like unauthorised requests and packets that appear to be coming from a Point Code outside those allotted to the network a packet is coming from (hence indicating a spoofing attempt). You would have seen above, that many interfaces are capable of causing a vulnerability under certain circumstances only. This is because of screening in place. This screening would typically be implemented on an STP with Access Control Lists or the like, in a manner analogous to a firewall. A company named Sevis Systems formerly had a CCS7 firewall offering, however they went out of business. As with TCP/IP firewalls though, the network remains vulnerable if the attack is from a trusted node, a node on the internal network where it is not subject to screening or the attack involves exploitation that the firewall does not recognise and will pass as regular traffic. Point Codes Secrecy As mentioned in [Section 1.05] Global Title Translation is often used to obscure the final destination Point Code from untrusted nodes as it traverses the network. There is very little information that I could find on this, but Point Codes are considered sensitive information by Telecommunication companies and are mostly considered proprietary. With the destination Point Codes it would be possible to accurately map a CCS7 network and understand which nodes offered which services. Gateway Call Screening and that secret Point Codes only provide security through obscurity are often given as reasons why provision of Point Codes to third party providers etc is not considered a security risk, but it sounds to me that in such a flimsy security environment any security is better than none at all. Presumably, knowledge of exact Point Codes can lead to things like sending of queries to specific SCP's that are known to provide certain (ie. cheaper, confusing etc.) results. 3.05 : Basic CCS7 Vulnerability Taxonomy =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This section is designed to familiarise you with some of the vulnerabilities in the CCS7 _Protocol_. That is, as mentioned before, attacking the OAM&P interfaces to the nodes is not covered here. The reason for this section is to add a discussion on security of a CCS7 network in the AIN context, enhanced, complex and as such vulnerable. We will primarily be dealing with how a compromised node or rogue interface can influence security of the entire network, rather than specifically going into what can occur within the node itself (ie. altering of number routing tables, activation of lines and monitoring of circuits with an SSP as an individual node and the like are not covered here.) This information was compiled from a number of sources. I had also toyed with the idea of adding a "quick and dirty" CCS7 overview here, so that you would not need to refer to anywhere else for a full understanding of the material. However, some excellent references already exist and replication of CCS7 protocol information has already been attempted in .txts & zines and I am not willing to join them. Instead, when I mention a particular instruction sent within a CCS7 message I will briefly describe the surrounding part of the protocol. For a full understanding of CCS7 I recommend one (or all) of the following professional tutorials : Telecommunications Journal of Australia (Vol 31, No.3) : The CCITT No. 7 Common Channel Signalling System for Digital Networks - Subocz, M. Performance Technologies : SS7 Tutorial : http://www.pt.com/ Illuminet : Signaling System 7 (SS7) : http://www.iec.org/ As you can see the last two are available on the internet while the first, although specifically Australian is not. The information is the same as CCS7 is an international standard. The attacks end up falling into four categories : (*) Fabrication : This refers to complete creation of CCS7 messages, possibly spoofed and containing information designed to achieve some purpose. (*) Disruption : This refers to the ability of a node to prevent a message from getting through to somewhere, or garbling checksums to prevent them from being accepted at its destination, for example. (*) Modification : This refers to the action of taking a message going through or from a compromised node and altering it to convey a different meaning at some level. (*) Monitoring : All CCS7 nodes are vulnerable to this attack. In common computer security parlance it is known as 'sniffing'. It involves examining messages enroute for sensitive information. 3.06 : Service Control Point Attacks =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Attacks on an SCP involve fabrication or modification of TCAP messages sent to the SCP in order to generate a request or instruction of the attackers choosing. Queries / Requests For Sensitive Information Typically, a node will send a TCAP message to the SCP asking for information and the SCP will reply with the information. So, sensitive information can be requested by a rogue node. This could be PIN or Calling Card information designed to allow the attacker authenticated access to an application of the Intelligent Network, or it could be private customer information, depending upon which SCP or application on an SCP was being attacked and what information it held. Instructions And Writes To The SCP If the application running on the SCP allows for modification of its databases via TCAP, sensitive and control information can be changed to arbitrary values. This could mean an attacker could change the PIN of another application so he could authenticate himself or modify billing information, forward 1800 numbers to arbitrary locations and so forth. Naturally, being able to write to an SCP via TCAP will depend on the application, it would be possible for customer interfaces to send changes to the SCP by their node's (IP, SSP) OAM&P links to the SMS and make the changes that way. On the other hand, if the IN application Service Logic an attacker is hoping to subvert requires a 'conversation' of TCAP messages with the SCP, then values will be written to the SCP, if perhaps only temporarily. 3.07 : Signal Transfer Point Attacks =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Denial of Service The fact that CCS7 makes use of ways to route around faulty links and such opens up the possible for such information to be deliberately introduced in order to _completely_ isolate a node. An STP is the optimal location to introduce this information as other nodes rely on them for relay of their communications. LSSU DoS One way reliability is enhanced is by sending of LSSU Link Status Signalling Units between signalling points on the network. These convey information of the status of the signalling point that the LSSU is coming from. The are sent on direct links between nodes only, that is they do not traverse the network and one particular node will only see LSSU's from its neighbouring nodes. One field within the LSSU, the checksum, is included to ensure correctness of the signalling unit transferred. A simple attack is to deliberately corrupt this field. Requests for resending will be sought and the checksum field corrupted once again. The neighbouring node will shortly assume the checksum corruption indicates an unreliable link and use another one (that is, if another one is available and hasn't been Dos'ed as well.) MTP3 DoS The Message Transfer Part - 3 or Network Layer of the CCS7 protocol stack, in addition to provision of network addressing and distribution of CCS7 packets includes provision for such network reliability functions as controlling traffic during congestion, routing traffic away from failed links and alternate routing. Such services are naturally a hotbed for fabricated denial of service attacks. Attacks On Global Title Translation Databases The STP stores the translation tables for Global Title Translation. An attacker could modify these tables to redirect traffic to malicious or confusing databases, thus gaining control of every call requiring a query to such a database. In addition to this, being able to read the translation tables will provide the attacker with exact point codes for nodes on the network and how they correlate with the various Global Titles. As was mentioned above, Point Codes are considered sensitive and proprietary information. Modifying Gateway Screening Logic STPs are often deployed as CCS7 firewalls by use of ACLs (Access Control Lists) that screen packets. Access to an STP would facilitate the modification of these ACLs, to allow packets that breach the network's security policy through, or to deny service to legitimate packets. Access to these tables would also provide an attacker with information regarding what packets he can or can't get onto the internal network or past the firewalls on the network. Sniffing Traffic All nodes on a CCS7 network are vulnerable to monitoring attacks, an STP however is worth special note as all traffic must flow through STPs making them an optimal host for sniffing attacks on the network. 3.08 : Service Switching Point Attacks =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ISUP IAM Flooding DoS During standard CCS7 call setup, the first type of message sent from the originating exchange to the destination exchange is the so-called IAM or Initial Address Message. This includes information such as the called number and the CIC (Circuit Identification Code - Identifies inter-SSP voice trunks), the _calling_ number is optional as technically only the originating exchange need know this information to complete the call (not that it doesn't end up getting sent anyway - flags are usually used to indicate Caller ID Blocking. Whether those flags are honoured or not is another story ..) Both attacks involve sending a large number of IAM messages to a single SSP on the network, but with different goals that both deny service. The first DoS goal is to reserve all the outgoing/incoming Circuits by reserving all the outgoing/incoming Circuit Identification Codes. The target SSP will send ISUP ANM (Answer Messages) messages in reply, but these are discarded or disrupted enroute to the SSP the messages are spoofed to be from. This is easy if the rogue node claims to be an intermediate SSP in a chain from the originating SSP for example. The second type of DoS goal is to simply send so many spoofed IAMs that the target SSP cannot handle the load and becomes congested. The target SSP will send ANM messages to the SSPs the IAMs are spoofed to be from and receive error messages. That means its links will be receiving or sending 3 different types of messages concurrently, whilst the DoS'ing node need only send one, thus conquering it in terms of bandwidth. 3.09 : Intelligent Peripheral Attacks =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Like other nodes used in Intelligent Network applications, the IPs must make use of TCAP to communicate with SCPs. Attacks on IPs can involve modification and fabrication of TCAP messages to gain access to the authenticated interfaces they provide. Fabrication of Replies From SCP When an IP requires a PIN, Calling Card number and so forth to compare to user entered input it queries the SCP. This information could be intercepted, disrupted and replaced, or wholly fabricated (eg. from an 0wned SCP) to include a known value that can then be input to the IP. Modification of Queries To SCP On the way out, queries regarding authentication information and such can be modified to query the SCP for information from an account for which the authentication information is known to the attacker. 4.01 : What Are Feature Interactions? =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= To put it simply, a Feature Interaction is a circumstance when two or more features, when used in combination, produce some result other than that which they would when used separately. This result can often be unwanted, making one of the features misbehave. For its seeming simplicity it is in actual fact a highly complex problem. The features may be activated at application level, a customer pressing numbers on a keypad, but the interactions stem from causes deep within the phone network, often right down to the binary code running at exchanges and telecommunication control systems. So far in this article we've seen that the exchange stores call data variables and variables containing status information of calls. We've seen that feature Service Logic Programs can run at the exchange and through the Intelligent Network via TCAP messages to and from an SCP. We know that an executing feature may need to read and write to the call and status variables. Finally, we have seen how calls can be modelled around Originating and Terminating Basic Call Models, Points In Call at which features can be triggered. A feature would be activated and run at a PIC, read and write the call variables it requires to perform its function and continue the call. What would happen however, if one feature ran, read and used a call variable and continued the call only to be followed at a later PIC in the same call by another feature that wrote to that same call variable already used in the course of its execution? The first feature would now have utilised information that is incorrect for the eventuating call. The first feature may have become completely undermined. This is a general type of feature interaction. The feature interaction problem is exascerbated by the introduction of the Intelligent Network and the Rapid Service Creation concept it is built to envisage. At the same time it undermines that concept as with every new feature introduced the potential interactions between them grow exponentially. The fact that I want to teach you to find new exploits is truer here than in any other section of this article. As such, I will detail working exploits in the Australian phone system (mainly in the final part), however, there will be many theoretical, obsolete and overseas examples designed to teach you concepts regarding how feature interactions work and what kinds of things you are looking for. 4.02 : Theoretical Examples of Feature Interaction =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- The problem may be easier explained by example, so here I will present three _theoretical_ examples. These potential interactions are not necessarily active in the Australian phone network and have been chosen due to their coverage of concepts necessary for understanding. In this section I will also explain these interactions in the context of the common feature interaction causes, which are further explained in [Section 4.04]. Call Waiting & Three-Way Chat Call Waiting is a feature designed so that a user can be on a call with someone and a third party can call them, the exchange alerts the user to an incoming call and to switch to the incoming call, the user does : [Hook-Switch Flash (Or Equivalent ie. RECALL button)] and presses [2] The user has put the first party on hold and is now talking to the third party. Three-Way Chat is a feature designed so that a user can be talking to one party, decide to add a third party to the call and so ring them up and add them in to the conversation. This is done by going : [Hook-Switch Flash (Or Equivalent ie. RECALL button)] : To Get a dialtone Entering : [Phone Number of Third Party] And once connected to the third party : [Hook-Switch Flash] [3] To conference the calls together. Note that the feature control signalling procedure as shown above is equivalent to other methods of doing it with different CPE equipment (as explained in [Section 2.04 & 2.05]). The problem arises if a user is subscribed to both features. Usually, the features will work correctly depending on the context of the call at hand. But consider the situation in which a user is on a call to someone and wishes to establish a three way call. At this exact same time, someone has placed a call to the user activating his call waiting feature. In this situation, the context is ambiguous and so should the exchange : 1. Issue the user with a blank noise and wait for them to press [2] to switch conversations? or 2. Issue the user with a Three-Way Chat dialtone so he can call someone else? As you can see, if one feature is activated over another, the other feature will not be working properly. This interaction brings up four issues : (*) The feature that is activated over the other actually depends upon which feature's execution thread is run through the exchange processor first. This can generally be considered random and is known as a 'Race Condition'. (*) This interaction could be avoided if the feature activation control signals issued by the user for each feature were different. However, this is why I explained how there are only limited signals available from CPE equipment [Section 2.04 & 2.05]. The exchange must interpret which signal means what depending upon the CONTEXT. The true meaning of the signals depends upon the customer's intentions which may become different from the context in certain situations. (*) Storing information about the context of a call involves storing STATE information regarding the call at the exchange. Both features share this information and can both write to it. If one feature takes over because it was the first to respond to the signal it will have control of the state information at that time. (*) Both these features often require the use of only one three-way bridge available to a user at the exchange. If one feature is active, it will be using the user's bridge and the other feature will not be able to activate as it requires that same resource. Call Forwarding & Originating Call Screening Call Forwarding enables a user to 'forward', or redirect, calls to their number to another number. This would be useful, for example, if a user redirects their office number to their home number outside of office hours. Originating Call Screening enables a user to block certain numbers, or certain types of numbers such as STD, Premium Rate numbers etc. from being called on his line. In this case, a telecommunications carrier would be able to foresee an interaction such as when a user blocks Premium Rate numbers from being called from their line with OCS, and a young ne'er-do-well in the house forwards the line to a Premium Rate service and calls their own number thus bypassing the Call Screening feature. But what about something involving two lines? User A has screened the number of one of his hated enemies from being called on his line. User B has forwarded his line to that of User A's hated enemy. User A calls User B's number. What happens? Does the call get forwarded thus violating User A's Originating Call Screening feature? Or Does the call not go through, thus leaving User A wondering why he can't ring User B and violating User B's Call Forwarding feature? This interaction can also come into play when the forwarding is invoked by an AIN feature. For example, a local number is on the OCS list and the user rings a 1800 number which the IN translates to the screened local number. (*) This interaction overwrites one call variable (the called number) used by one feature, by another. (*) Note the crossing of Originating Basic Call Model and Terminating Basic Call Model. The fact that a relied upon variable is passed over these models makes this a hard interaction to deal with. In most phone networks, this interaction would go undealt with and the call would thus go through. (*) We see here, one feature assuming that the 'name' (number) addressed refers to one specific end party. This is a violation of naming assumptions made by the OCS feature (sorry if this sounds abit cryptic right now). (*) This interaction might lay dormant for a large period of time as it takes two people configuring their features in just the right way for them to interact before it becomes apparent. Automatic ReCall & Caller ID Blocking This one is a cool one! In addition, with abit of modification, this interaction has been known to affect PABX systems as well. Caller-ID Blocking is the opt-out feature that can be used to prevent your number from being sent to and displayed on CND boxes of people that you call. Enhances privacy and so forth. Automatic ReCall allows a user to Automatically Return a call that was made to them when they were busy. More than one call can come through to the line and they are placed in an Automatic ReCall queue at the exchange. When the user becomes free, their line is rung and so is the caller's. The queue of incoming caller's is then gone through one by one. Alternate services may only offer the LAST incoming caller without offering a queue. The interaction works simply thus : User A who has activated caller-id blocking ringing user B who is engaged. User B then uses his Automatic ReCall feature to ring back User A. User B has itemised billing and so receives User A's number with his next bill. There are many variations on this interaction. For example, in the context of PABXes rather than general telecommunications switching systems, a NIST PABX Vulnerability Analysis paper discusses an interaction between Caller-ID Blocking, Automatic ReCall & Call Waiting : User A calls User B with Caller-ID Blocking activated. User B Does not answer the call or is engaged. User B later uses Automatic ReCall to call back User A. User A answers and User B immediately hangs up. User B quickly calls back User A hoping to invoke User A's Call Waiting. User A hangs up and if Call Waiting had been invoked, the PABX rings back both User A and User B. In this case, User B gets User A's number on his CND box as he is rung. Note: That in some PABXes and Phone Systems, Call Waiting is controlled by a hook-switch flash only to switch between callers. There is no pressing '2' after the flash to indicate what you wish to do, you are immediately switched. This differs from the Australian / Telstra system. (*) Automatic ReCall changes the status of a Callee to that of a Caller. Assumptions made regarding the types of calls that can result from calls in which a feature is involved can result in the feature not operating correctly if the type of call is changed. The ability of parties in a call to control this status of the call can result in interactions of this kind. 4.03 : The Feature Interaction Landscape =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Feature Interactions are a rather pervasive problem, and as such vary in degrees of damage they may be perceived to cause. The use of the term Feature Interaction in the context of damage is slightly misleading. Features will interact and some are designed to. Some can be allowed to interact as long as they do so in a certain way or within certain constraints. In the literature, Feature Interaction refers to an INTERACTION between features that may or may not be desirable. An undesirable feature interaction is formally termed 'Service Interference' so as to avoid confusion. In addition to some feature interactions being benign, some Service Interferences are not perceived as predictably exploitable by a party bent on subversion. On the other hand however, whether a feature interaction is perceived as damaging, exploitable, or predictably exploitable depends upon the situations in which they have been encountered. With a bit of imagination in its use, a perceived benign, or perceived constrained feature interaction may possibly become a fully exploitable feature interaction. As with other fields of data security, a feature interaction could be termed as a feature or a bug depending upon the viewpoint of the user and the situation. Resolvable Feature Interactions When a Feature Interaction is discovered in a set of features, it is not immediately the end of the feature. Typically, one feature reads and uses a call variable that another feature writes to. This may be handled by giving one of the features PRECEDENCE (or priority) over the other feature. Generally, this is done by making sure that the features are in order in the Basic Call Model. One feature is triggered at an earlier Trigger Detection Point and the other is triggered at a later Trigger Detection Point. Presumably priority can also be set by setting a flag during the execution of one feature that another feature is not allowed to overwrite a variable of if it encounters that flag. CCS7 employs a technique like this for a large amount of call forwards, it can set a flag to prevent calls from being forwarded again. It is also important to let the customer know which feature will have priority over another feature so that their intentions cannot be removed from the intention of the features involved. The features will still interact, just in a set manner. If the customer does not know how they interact then their intentions can easily be removed from the intentions of the features and this is considered a Service Interference. Priority of features will be aimed at serving the predicted preferred priority of the customer if possible. Telstra has set priority of some of its features in this manner. To aid illustration of this concept by example, I will include them here as they are in the Telstra HomeLine User Guide which documents feature priority during incoming calls : 1. Call Forward overrides all other HomeLine features. 2. Call Forward Set the Time overrides Call Forward Busy and Call Forward No Answer. 3. Call Forward Immediate overrides Call Waiting. Call Forward No Answer takes over if Call Waiting is not answered. Call Forward Busy takes over if you are in a three-party conference. For example, if Call Forward Busy and 3-Way Chat were both turned on and you were in the middle of a conference call, any incoming calls would be automatically forwarded to your programmed number. 4. 3-Way Chat overrides Call-Waiting. For example, during a 3-Way Chat call, you will not receive the Call-Waiting tone. 5. Variable Number Forward overrides Fixed Number Forward. If you program a Variable Number Forward, calls will be forwarded to that number rather than a Fixed Number Forward (stored at the exchange). This applies to all three Call Forward Features. 6. Abbreviated Dialling and Call Forward override Call Control. For example, when Call Control is turned on, any Abbreviated Dialling numbers may be called, and any calls forwarded by Call Forward will still occur. If you wish to program numbers for Abbreviated Dialling or Call Forward which are already restricted by Call Control, you must turn Call Control off prior to programming. 7. If you have both Call Waiting and Call Forward No Answer, the forward time selected for Call Forward No Answer will determine how long Call Waiting tones will be delivered (unless the forward time is longer than 45 seconds). You may alter the length of time your phone will ring before it forwards. The time may be set from 5 to 60 seconds. This new time, once set, remains as the default time. Lastly, something to note is that some feature interactions can be considered DESIRABLE. That is, they are supposed to interact. An example of this would be Call Forwarding & an AIN Call Logging Feature. Call logging would read and use variables like CallingPartyID and CalledPartyID which Call Forward then writes to. Unresolvable Feature Interactions An unresolvable feature interaction is one that cannot be mitigated by setting priority. This may be because of for example, that they both overwrite essential variables or because offering one in priority over another would not match most customer's wishes in the least, or simply due to other technical reasons. An unresolvable feature interaction may still be desirable, or it may still be possible to offer the service as the potential misuse is outweighed by the value of the feature. The interaction described above involving Call Forward & Originating Call Screening would be an example of this. Various arguments could be used to show that the potential misuse is limited. In the example above one would probably be that seeing as the forwarding party pays for extra charges incurred by the call, it is fine for someone with say, STD barring to have their call forwarded through them. After we are done with this, we are left with true Service Interference type feature interactions. These interactions, if discovered, are highly likely to result in one of the features being removed from service, fixed or never deployed in the first place. As you can see, it is rather sketchy classifying feature interactions in this way. In the end, this is probably up to management of a telco which offers the services. I'd say though that whether a feature with a known interaction is deployed or not depends on four factors : (1) Frequency of occurrence : If the interaction constantly plagues the set of features and not just under certain conditions. (2) Damage caused by the occurrence : If the damage is only a possible momentary confusion or a feature not working some of the time then this wouldn't be too bad, however if it completely undermines another highly relied upon feature such as Caller ID, or disconnects the call, causes major inconvenience etc. then it would be bad. (3) Predictability of occurrence : This is whether it is easy to make the feature interact to perform some nefarious purpose. It would be safe to assume that an interaction capable of say, creating free calls but under normal use would rarely occur, but could be predictably induced would have a much higher frequency of occurrence than it would under normal use. (4) The value of the feature : It may make the phone service easier to use or it may generate obscene amounts of revenue. This is a factor that the others would be judged against. The point of all this is, assuming that a telco knows about an interaction, they may try to mitigate it and they may allow it dependent on a number of factors. Therefore, with abit of imagination, an 'allowed' feature can easily become something that can be exploited. The Stupid User Problem Above, we saw that a feature interaction can become a service interference based upon the situation or whether it corresponds to the user's intentions or not. Many 'interferences' I have seen documented seem to be feature interactions with nothing more than a user's stupidity, gullibility, or lack of knowledge of feature capabilities in their phone network. The flip side of this coin is the cleverness of an attacker who attempts to exploit the flaw deliberately, adding a social engineering element to the equation. Lets us take for example, the case of Betty, An elderly pensioner living in an area that is quiet during her usual out and about hours of between 4.00 and 10.00am but plagued with thugs and delinquents later in the day. Now Betty is getting a tad lonely at 6.00am and decides to ring up her friend across the road. Little does she know that at the exact moment she picks up the phone to ring her friend, she receives a telemarketing call from Save The Dolphins International. Infact, the incoming call is so well timed that she picks up to dial out before her phone has rung to announce the incoming call. While expecting to get a dial-tone she gets "Greetings fellow dolphin lover". Betty is baffled! While any normal person would realise that a freak occurrence has occured, Betty can't handle it. She is so baffled, that infact, in her highly medicated state, she drops dead from brain implosion. The telephone company is sued by the proprietors of her estate for millions of dollars. This is an example of a mild feature interaction gone extremely wrong due to the stupidity of the user. Naturally, while the telephone company would want to guard against such an interaction, they will accept the risk of running it in the telephone network. Now, let us see how this interaction could possibly be manipulated by an attacker to deliberately fool someone else : John is a gentleman living on his own after his wife passed away. He is feeling lonely (yes, at 6.00am) and so decides to call his friend "Miss September" to arrange an appointment for later in the day. Little does he know that across the road is Marvin who is watching his every move through a pair of binoculars. As John picks up the phone to dial out, Marvin whips out his cellphone and rings John's number, hoping to time it exactly right so that his call is put through before the first ring and just before John picks up the handset. Lets say he succeeds. Marvin has control of the line. Marvin plays dial-tone down the line and John dials numbers on his phone not realising that they are doing nothing. Marvin plays a ring tone and then a high-pitched "Hello?". "Hoho!", John says, "Miss September. How about an appointment later in the day?". But it is not Miss September, it is Marvin. "Hoho!", Marvin says, "This is a private investigator hired by the proprietors of your dead wife Betty's estate. You've just cost yourself millions of dollars by violating the infidelity clause in your dead wife's will." The feature has been exploited. Another example of this kind of stupid user interaction is a jail trick from the US. The phone company introduced an automated reverse charges service where you gave it the number to call, record who you are and the service would ring the callee and say "Would you like to accept a reverse charges call from" and then the recording of you saying who you are, followed by "Please press 1". A feature of this service was that, in America's multi-lingual environment, you could have the "Would you like to accept a reverse charge call from" in Spanish. People would make the service send the recording in Spanish, but then, instead of their name, they would say ... "If you would like to hear this message in English Please press 1". Seeing as most people wouldn't understand the Spanish, they would press 1, but doing that would really accept the charges thus leaving them talking to a crim who promptly attempts to social engineer them into forwarding the calls through their PABX entirely on their own money instead. These are examples of seemingly innocuous feature interactions that while not a problem that can be easily foreseen, if widely exploited become a major problem. I have to admit the first example is abit far-fetched and is really a conceptual understanding example. The second, became a major real-world problem. 4.04 : Feature Interaction Causal Classification Approaches =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Studying the causes of feature interaction can be very helpful for someone interested in discovering new interactions as it can educate them regarding what capabilities and situations to look for. A causal classification method we have already become familiar with is the Data Sharing classification. That is, features in a call share the call and state variables of the call. If a feature reads and uses a variable which is later written to by another feature we have an interaction. This is a low level approach to examining the causes of feature interaction. A method that I have seen used examines problem features and how they might interact with other features (and stupid users) is also used. I will use a classification scheme like this to go into real world feature interactions in a the last part of this section. This method helps to understand what the capabilities of a feature are and what other interactions it may be capable of introducing. Another, and I think, complementary approach to identifying and classifying the causes of feature interaction lies in examination of the causes of interaction at a higher level pointing towards the functions and capabilities of features rather than purely variable competition. A highly regarded scheme from academic literature identifies three classes of feature interaction causes; Violation of feature assumptions, limitations on network support and problems intrinsic in distributed systems. There are many different sub-classes within these, some of the more widespread of which we will discuss as examples. I will overview these classes here, hopefully in an easier to understand manner or atleast provide you with a commentary on existing material. Be aware, that a feature interaction can be caused by one or more of these causes. Violation of Feature Assumptions Not realising that a variable may be later written to in a call is an assumption made by a feature. Due to features often being developed over a long time and/or separately from other features in a network, they can make many assumptions regarding the environment they are operating in. Some of these assumptions are : (*) Assumptions about Naming : A 'name' refers to a means by which a node or a party in a network is known. A common assumption made by features is that addressing a call to one 'name' will address that call to one party. Certain other features violate this assumption, Call Forwarding and similar services (AIN 1800, line hunt etc.) can make one name refer to any other party or even multiple parties depending upon call variables (ie. CallingPartyID). Remember the interaction between Call Forwarding and Originating Call Screening? That was an interaction of this type. Call Forwarding violated assumptions made by OCS. (*) Assumptions about Call Control : My personal favourite. A feature may assume that they are going to be used only in a certain type of call. For example an originating call. However, features such as Automatic Recall can alter the call type from Callee to Caller. This has ramifications in regards to PICs that are passed and which party's exchange they are passed at. Limitations on Network Support Bandwidth, signalling sophistication. These are examples of network support. If this is lacking there may not be enough resources to give the feature all the information it requires and a feature has to intepret much based on context which can frequently be ambiguous. (*) Limited CPE Signalling Capabilities : As we mentioned before, an end user has only a small number of signals they can send to the exchange in order to control their features. DTMF, Flash and disconnect. If the context in which they are used in not clear a mistake can easily be made. (*) Limited Network Communication Capability : It is common in AIN setups to only allow a certain amount of TCAP queries for each call. This is enforced due to the possibility of feature interactions causing a continuous loop. However, a consequence of this action may be that features triggered legitimately, if triggered after many others, may not be allowed to go through. Intrinsic Problems in Distributed Systems The problem of managing systems with millions of users and in which the users have access to more than a small amount of functionality is a major problem, not just regarding security in the computer science industry. (*) Resource Contention : We saw an example of this in the Call Waiting vs 3-Way Chat interaction. They both compete for a 3-way bridge at the exchange. If one feature is activated, other features may not be able to due to resources having been used. (*) Timing & Race Conditions : Combined with ambiguous signalling, race conditions (which control thread 'wins the race') in terms of which control thread is currently active in the processor can cause interactions. Also, things like how long the switch-hook is depressed can indicate a flash or a disconnection depending upon the timing of the depression. (*) Distributed Support of Features : A simple example of this is AIN vs Switch Based Features. It might be easier to track and coordinate the features and their capabilities on one of those network elements, but tracking them across network elements becomes much harder. (*) Non Atomic Operations : If a feature cannot execute in a call while another feature is executing it can be said to be atomic (smallest possible type of execution sequence building block; analogous to atom). If a second feature executes before another is done, you may not just have a problem of data sharing between PICs, you have the problem of data sharing between execution cycles, within the time the features are executing and reading, writing and using variables. Spaghetti. 4.05 : Feature Interactions In The Australian Phone Network =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= OK, this is the part you've probably all skipped to. This is where I apply the techniques we've learned to the Australian phone network and detail feature interactions that are alive and working in the Australian phone network. I will classify by Call Forwarding problems, then Call Control Assumption problems and will go on to give you abit of additional info on how to find new feature interactions. :: Call Forwarding Interactions :: Toll Free STD We've seen a couple of ways HomeLine feature settings can be altered by an unauthorised individual (Remote Control, Biege Box). An obvious example would be to forward the number to a number interstate. Calling the number would incur the cost of a local call, however the forwarding number would pay for the STD charges. Telstra has attempted to mitigate this problem, or atleast make it more obvious to a customer, by allowing forwarding to STD numbers only on Call Forwarding Unconditional. Call Forward Busy & Call Forward Timed do not allow forwarding to STD numbers. The forwarding party always pays for any extra costs incurred for calls to an STD number. If the caller paid, there would be greater problems. Imagine an unscrupulous 1800 number owner forwarding calls to his other number, a 1900 number. It is far more easily exploitable. The fact of the matter is, Telstra are fully aware this feature interaction is operational in their network, but know that businesses wish to forward their numbers to interstate locations when off on the road and homeowners when they are on holiday. The result? Telstra accept the risk. Impersonation Your target in this case could be a dialup or a person. Simply put, you forward their number to a number under your control and pretend to be them. This could mean offering them a login screen or trying to social engineer them. Harrasment Its been done plenty of times before. Forward their number to a porn line or see how many porn shops and brothels you can social engineer or beige box into forwarding their lines to your target's number. Man-In-The-Middle Attack Lets see now what happens if we add a conference calling capability to the equation. We will use a "third party" service (ie. either a bridge with a tap or a computer with two modems sending data between). Imagine a list of dialup numbers in a call centre or for remote access to a computer system. They are set up in Line Hunt, that is if the dialed number is busy the call goes through to another number and if that number is busy, another one and so on. The next available line is "hunted" for. Take one of those lines (not the main one) and unconditionally forward it to a line under your control. Your line connects to your "tap" device and then calls out to the main line number again. This causes serious problems for dialup security. If the authentication system on a dialup uses challenge/response, this can be bypassed by getting a legitimate challenge and feeding it to the caller in real time. Receive his legitimate response and use it to gain access, then disconnecting the real caller from the conference. The same thing can be done with Selective Call Forward. You configure the feature so that whenever anyone but you calls a number they are forwarded to your "incoming conference" line. When you call back the number (now monitoring everything and in complete control of the call) your number is put through. It would also be possible to do this if you kept the caller idling on the line when the call was forwarded to you and turned call forwarding off before making the call to the same number, it might be a bit difficult to implement though. Malicious Malicious Call Trace No its not a typo, I've typed malicious twice. So someone is ringing you up with Caller ID Blocking enabled and you want to know who it is. Maybe they're hassling you, maybe its your ex-girlfriend trying to gain your acceptance for breaking up with you (whatever). You want their number. Malicious Call Trace could get it, but in that case the number would be printed out at the exchange and a polite letter sent out to the caller. That scenario is unacceptable. You want to go round their house and beat the shit out of them or ring them up and hassle them! Here's what you do. Forward their number to a 1800 number owned by a local business with Itemised Billing. People with 1800 numbers pay for the calls made to them and so can get the number of the caller regardless of Caller ID blocking (You know which business has itemised billing because you frequently go through people's mail looking for documents you can use to create false identities.) Now, when they call you up, they will be forwarded to the 1800 number, be momentarily confused but get recorded on their bill. Now, when their next bill is due you nick their mail. Viola, stalker surprise. Hidden Called Number This is the reverse of silent line. They don't know the number that they call. Sounds impossible huh? Well, you want someone to be able to contact you, but you don't want to give them your real number. What do you do? You forward someone else's number to your number. It will be changed after a while but its good for those on the fly social engineering attempts where they demand to call you back or they have to call you back the next day or in an hour. :: Call Control Assumption Interactions :: This section details interactions that are a result of feature assumptions regarding call control and not the Telstra call barring feature Call Control (although the feature Call Control is discussed as an interacting feature). Call Return (*10#) Call Return is the Australian version of Automatic Recall. If someone calls you and you miss the call, you can DTMF dial *10# to get a recorded message of who it was that called you. This is actually an old vulnerability that has been fixed. I found it in a post to the newsgroup aus.comms : On Wed, 25 Nov 1998 08:50:20 GMT, mobile@poboxes.com (Robert Bozinovski) It detailed an interaction between EasyCall Call Control (Allows barring of numbers such as STD numbers) and EasyCall Call Return (*10#). A feature of this service was that, you are prompted to dial '1' if you wish to call the number that it gives you. If the number that it gave you was an STD number, or a number that was blocked under your Call Control configuration, the call would be put through. Call Control is a CLASS feature and was implemented in Australian phone network 30 October 1998. The vulnerability was reported to Telstra on 27 October 1998, the vulnerability was fixed 1 December 1998 nationally. My best guess on what the cause of the interaction was is that when the Call Control feature allowed you to immediately call the number it skipped over a number of PICs, the result of which the Call Control feature was not activated. Call Return will not allow you to find out or call back without knowledge the number of a caller with a silent line, although I wish they would as it could possibly introduce some nice vulnerabilities. That is probably why they don't. 12456, 12455 & Call Control This was a test I did after reading about the Call Return interaction. I remembered that on calling directory assistance (12455) one weekend, after I received the number, I was given the option to dial '1' and immediately be put through to the number I had requested. My test was to determine whether this feature, or 12456 (always automatically put through) would put me through to an STD number while my phone had STD barring enabled. Calling from a line with STD barring enabled I found that I was unable to call 12456, but what surprised me was that when I called directory assistance I didn't receive the prompt to press '1' and be immediately put through. Not exactly groundbreaking news, but it is interesting. Technically, it could still be classed as a feature interaction as it denies the use of features that aren't directly related to the type of things that are wished to be denied. The optimal response to this kind of thing would be that I could not be automatically put through to an STD number, however, it would give the option to be put through via 12456 or pressing '1' in 12455 for non-std numbers. Could this be a quick fix for a feature interaction previously noticed? It certainly points to some interesting ground for potential interactions in Telstra's network anyway. Payphones This is a test I did around 2 hours before writing this. In the UK, they had a similar problem when they introduced a feature called Ringback. If they dialed an engaged number, they could enter a special DTMF sequence and when the number was free both phones would be rung back. The call would be billed to the subscriber. However, when used from payphones, due to the phone being rung back there was no time that they had to put coins in the phone. For starters, I tried out Call Return (*10#) on payphones. Had problems with entering the activation code on X2s because '*' means redial. Had to be done with a tone dialler. Also tried it on a Blue Phone. I got a "The feature you have tried to use is not provided as part of your service" message. This is interesting because Call Return is enabled on all Telstra landline phones by default. They would have to be taken off payphone lines specifically. So what would happen if someone used a payphone on a regular line? My guess is they'd be vulnerable. We have a feature synonymous with the UK's Ringback over here, its called Call Back Busy, when you get an engaged tone you go : [Switch-hook flash] *37# I haven't specifically tried this on payphones, but I tried *#37* which tells you whether you have a Call Back Busy arranged and I got a "The feature you have tried to use is not provided as part of your service" so don't expect it to work. BTW did you know if you type in *nn# with n as any old number like 89 you still get the "this feature is not provided as part of your service" message even if the numbers don't correspond to any feature available? :: Finding New Feature Interactions :: If you want to find a new interaction there are two approaches that you can take : 1. Exploit a feature or interaction deemed acceptable by discovering an imaginitive use. 2. Find an actual 'bug' type feature interaction. Finding a new feature interaction is pretty much brainstorming, lateral thinking. If there were a technically accurate method of discovering interactions they would most likely be fixed. However, if you understand how features & interactions work, what cases & situations to look for you are better equipped to make educated guesses or do tests along a particular line as you saw me doing in the last section. For discovering some types of feature interactions you do have a technical option when attempting to discover actual bug type interactions. There are regular International Workshops on Feature Interaction detection and some of the analysis methods that are used in the development process can be used to detect interactions based upon things like analysis of call variables and their use. Naturally a major barrier is that we do not have the source code for features and therefore do not know what variables to use. However, you can create abstract variable sets based upon what you know about how the feature needs to work. Example variables I have used throughout this article, CalledPartyID and CallingPartyID may not be what the variables are called, but I know that for some features, this information is needed and so a variable that stores this information exists. 5.03 : Conclusion And Further Research =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- So there you have it. While not as conducive from a user point of view as something like the internet, a modern day telecommunications network is still a viable breeding ground for security flaws. This paper described security flaws regarding mostly to applications for users (features), but do not think that this is the only type of security bug that is present. This article may have covered a lot of ground, but there is far more that it did not cover. In addition, you should treat this article as an overview or introduction to the topics discussed, there is still much more research that can be done into various topics only touched upon here. Some further research topics are discussed below for those who are just interested or those who wish to learn some more : (*) To start with, there are in all likelihood plently of working feature interactions in the Australian phone network. I studied a few features for interactions while writing this, but I didn't examine all of them. Someone interested in discovering new interactions would do good to regularly check the telstra.com.au newsroom for new features being introduced into the network and what possible interactions they might cause. (*) A full taxonomy of features was not presented here. It is considered a user exercise to find out features currently in use in the Australian phone network. It is quite easy and the only reason they weren't included was because of space constraints. Check out http://www.telstra.com.au/products/ for starters. In addition, exact specifications or source code of features would certainly make interesting reading, especially as pertaining to the exact variables used by the features. (*) Not all user interfaces were detailed here. Plently will spring up all the time and, even for systems that aren't to do with phone network feature control. (*) OAM&P Systems were talked about, but none were detailed in this article. This is a particularly interesting area of research as hacks on these systems can provide an intruder with amazing amounts of functionality. I'd certainly be interested in any information regarding these systems, not just including how to bypass authentication, but where they reside, what capabilities they have, instruction sets and so forth. (*) Feature interactions between user features and telecommunication test systems were not gone into in detail here. This has lead to some of the most interesting bugs of recent years, such as the 199 bug. (*) Check out http://www.openss7.org/ They have created a free CCS7 stack for Linux boxes. Why not put some proof of concept code together for some of the CCS7 protocol hacks outlined in section 3. For that chapter I mostly only chose the vulnerabilities that made sense to me, others exist, but a lot of them are mainly concerns from the telecommunication research and academic community. Actual CCS7 stacks will probably have different APIs for interface and so the code would have to be ported to a system used by actual telcos, but it would teach a lot. (*) Something that I didn't end up having time to research was exactly how much signalling on ISDN-D Channel could interface with CCS7 signalling, particularly in the ISDN User Part. Apparently it is quite significant. (*) The next generation in Intelligent Networking is TINA, I haven't looked too much into it so I don't know too much about it (time constraints), but check out http://www.tinac.com/ for the TINA Consortium. Telstra is a part of it. Particularly check out papers to do with CRYSTINA, CRYptographically Secure TINA. - Marlinspike : p0lter_g@yahoo.com 08/02/02 05:18AM #+#+#+#+#+#+#+# CABLE PRESSURISATION AND ALARM SYSTEMS #+#+#+#+#+#+#+#+# - Dataclysm - 'DISCLAIMER' I'd be surprised if any information in this article could *directly* be used for illegal purposed by your average phreaker. This article is intended for educational purposes, it doesn't really list any 'k-rad payphone exploits', so unless you need to intercept high security transmissions from the actual cable itself, this file won't give you any illegal information. Although I have *attempted* to make this article interesting for phreakers of all levels of skill, the sheer nature of the topic will probably write this article off as 'one of those technical documents that people always skip over in zines'. Life's a bitch. ___________________________________________ CONTENTS Introduction Pressurisation Principles Alarms & Bypass - Contactor Alarm Principles External Type Contactor Gauge In-joint Bellows Type - Electromechanical Pressure Transducer - Identifying Alarm-related Components - Contactor Bypass - EMPT Bypass - Universal Bypass System Design & Components Interaction with Networks Faults Outro, References & Shouts ___________________________________________ INTRODUCTION If you lived in rural Australia back in the 1950s, you can probably relate to having the un-insulated 200km telephone 'pair' made from fencing wire drop out every time it rained. Well, too bad Telstra hadn't yet thought up cable pressurisation, because it would have increased the efficiency and clarity of your pair ten fold. This file will *hopefully* give you a basic understanding of Cable Pressurisation Alarm Systems - it will help you distinguish between lines you can beige off of, and trunks that will spew molten metal at your face if you cut them (I'm not making that up). This topic has absoluteley no documentation on the internet (official or hpa) that I can find, so I thought I should at least summarise the system. Anyway, enough rambling, into the technical discussion. ___________________________________________ PRESSURISATION PRINCIPLES Some time during the 1950s, some bright young field SME, full of potential, came up with the idea of using air pressure to stop moisture entering cables and thus shorting the connection. Prior to this, only defense and emergency services had used cable pressurisation on their private trunks. Telstra (then Australian Post Office {wow, pre-Telecom stuff... must be interesting...}), realised the logic in 'prevention', and declared that from this day forth, 'all large size junction and trunk cables', 'all large size customer main and branch cables down to the cabinet and/or pillar', and 'all special circuit cables in need of individual consideration' would be protected by the awesome power of 'pressurized air'. Cable pressurisation is not too complex a principle; simply put, the air inside the cable insulation/piping is of a higher pressure than the outside air. Therefore, if the cable is punctured, moisture will not be able to get it due to the air being *rapidly* expelled from the trunk. Cable pressurisation also makes it easier for a field SME to locate the fault in the cable, by testing at given points they can narrow the puncture down to a distance of roughly 200 metres. There are two main types of Cable pressurisation systems: the static pressure system, and the continuous supply system. The static pressurisation system is only effective if all openings and leaks in the cable are sealed. All pillars and branch cables need to be properly sealed, as does the exchange end. A technician at the exchange pumps air into the cable from cylinders, until the pressure reaches a set density - 70kPa to be exact. More air is only pumped in when the pressure falls. The continuous supply system is pretty self-explanatory. It is the main system used by Telstra, and dry air generators for the system are installed at most exchanges. These generators continuously pump air into the cables, keeping it at a steady pressure of 70kPa. This makes it ok for there to be small air leaks, as they are countered by more air being pumped into the trunk. "So how does this affect me?", I hear you ask. Well, if probably won't unless you're either very smart, or very stupid. Unless you want to intercept inter-exchange datel communication lines, which is above the skill level of your average phreaker, or attempt to beige from say, a trunk in a manhole, which is below the skill level of your average phreaker, chances are you won't have to deal with pressurised cables. But it always pays to be prepared, and documenting obscure parts of the Telstra network can lead to discovering new exploits. ___________________________________________ ALARMS & BYPASS The two main types of alarms you need to be concerned with are contactor alarms and electro mechanical pressure transducer alarms. Cable Pressurisation Alarm Systems (CPA Systems), all use these types of alarms to alert an exchange when cable pressure has dropped below 50kPa. Other less relevant alarms are also listed in the next section, 'System Design & Components'. I will deal with contactor alarms first. ~Contactor Alarms Principles~ These little gadgets are kind of like micro switches, except they are triggered by air pressure, rather than physical pressure. When the air pressure is high, the two contacts (metal bellows) are forced apart. However, when the pressure drops below 50kPa, they spring back together, looping the circuit and triggering the alarm. These alarms are spaced at such a distance that in the event of a sheath fault occurring, a contractor will be able to rectify the fault before the pressure drops below 20kPa, usually every two kilometres. The two main types of contactor alarms are 'external type' and 'in-joint', but both operate and work in the same way. However, obviously there _are_ some differences, as I've attempted to outline below: External type, in-joint and contactor gauge type contactor alarms all detect air pressure using similar pressure-influenced internal bellows. Infact, the only real difference is where the alarm is located and therefore how air is routed through it. Basically, external type contactor alarms are 'external', as the name would suggest , thus they are situated in a rectangular box whichbranches off from the cable. Essentially, they 'sample' the air, rather than act as part of the conduit itself. In-joint type contactor sensors intersect the cable. They come factory-calibrated and then cannot by bypassed using the 'contactor alarm bypass' method. They are mainly used on coaxial cables, sealed at atmospheric pressure. Contactor gauge pressure sensors have a gauge, and are slightly larger, but work on the same principles as in-joint type contactor alarms. However, the 'bellows' are slightly different. They are attached to a tube, which the air flows through. When the pressure is !high, the tube is full of air, and the bellows are spaced apart. When pressure drops to a certain level, the contacts touch each other and short the circuit. All contactor alarms on a cable are connected in parallel to a single pair. When a contactor is switched it shorts the the alarm pair, and a scanner monitoring the line at the exchange raises an alarm, which is then forwarded to a WMC (Work Management Centre). The scanners can also be used to detect the resistance, which can be used to locate the fault more precicely by detecting which contactor triggered. Where the cable is used for the operation of carrier systems, the pair with the worst crosstalk characteristics can also be used for the alarm pair. ~Electromechanical Pressure Transducer Alarm Principles~ In essence, this sensor is a sort of potentiometer (variable resistor), in that the air pressure influences a contact which can pivot along a row of several resistors, connected to the other contact. The air pressure forces the pivot contact to connect in series a set resistance. For this reason, EMPT alarm pairs must be individual, rather than in series like contactor alarm circuits. The resistance ranges from 100 kOhms to 3.82 MOhms and corresponds to a pressure range of 0 kPa - 65 kPa. Both in-joint and external (manhole wall mounted) EMPT sensors are in use, in much the same was as contactor alarms. At the time at which the information used to write this article was written, a new EMPT alarm was being developed, which worked in series rather than requiring dedicated alarm pair circuits for each sensor. It could possibly be in use, but it is likely, even if it is, that it is only used on rather new cables and links. It would not be very common, but if encountered, it should be treated like a cross between a contactor and an EMPT alarm, and the bypass modified as such. ~Identifying the Contactor Alarm and Pair~ Ever noticed a rectangular box (a.k.a. pressure test point) in a manhole roughly 15cm by 8cm? No? Thats because contactor alarms aren't installed in most manholes . You're best bet, when looking for a CPA sensor, is to aim forlarge manholes, or even a cable well near an exchange. Don't bother with the wussy 2x1 manholes, etc. Alarm pairs are a different matter altogether. If you do, for some reason, want to manipulate an alarm pair, I suggest you do it on a relatively isolated and unimportant trunk, since to access the pair itself you're going to need to first sever the cable. Remember, contactor alarms are connected in parallel, not in series, so short circuiting one alarm will decrease the resistance, enabling a Field SME to easily locate the fault by comparing results to a table (talked about further in Network Interactions). Alarm pairs will usually be kind of separate from the rest of the trunk. While the other pairs will mostly likely be coated in shitty plastic insulation, the alarm pair will *usually* have thicker polyethylene insulation. I guess the motivation behind this is 'how can an alarm pair alert the exchange that there is moisture in the circuit if there is moisture in the circuit?'. I'm not complaining though, as this is the only way I can think of to actually distinguish between a normal pair and an alarm pair. Sometimes, an alarm pair will also be protected by paper insulation; usually on much older cable circuits. ~Contactor Bypass~ Contactor alarms can be bypassed quite easily with a little knowledge of cable pressurisation. Now, I'm going to presume that seeing as you have read to this point, you are an 'above-average' phreaker and/or have a use for this information. Say you wanted to intercept some Datel communications travelling from one exchange to another along a main trunk. These trunks do not connect to any Cross Connection Units (CCUs) such as a pillar or cabinet, so you will need to find a service point such as a manhole and cut the actual cable. This will trigger alarms - not immediately, but to intercept any inter-exchange sensitive communications you'll need to be there for a while, and you don't want to be interrupted by a friendly technician enquiring why you've severed a major trunk. The first point I would like to bring up is that these cables will probably be pressurised at the high-security level of 95kPa because they contain SECURITEL DDL lines. A little tip for j00... DON'T ****ING CUT THE TRUNK IN HALF!!@#%! If you sever inter-exchange transmissions you'll get half of Telstra arriving in their little vans. In order to bypass this alarm, one method involves re-calibrating the alarm to a new pressure, in effect reducing its sensitivity. While hard to do correctly, it is still probably the easiest bypass available for these types of alarms. (btw, remember that while it would be good, you do NOT have to bypass all alarms in a series, just the one you are working on at that time. It probably won't effect you if a technician turns up at the next testing point along the cable.) Now... contactor type pressure alarms, be they external type or gauge type, have an external 'testing point'. Using this point they can be calibrated. The testing point should be rather easy to spot. It looks like a small rectangular box attached to the conduit for an in-joint type alarm, or is simply an extension of the external type contactor alarm. Using these test points, the sensors can be calibrated to the required level by a Field SME, or by a phreaker > .Firstly, a tip - don't open it up unless you have social engineered the WMC or disconnected the alarm pair. While this makes it harder to calibrate to your required level (as you have to guesstimate what pressure setting you have it at), it stops the alarm from triggering before you have a chance to calibrate it. Ok... now find the test point. It is simply a schrader valve poking out of the conduit, and looks a lot like the valve on a bicycle tyre. With one hand, slowly unscrew the test point, releasing air and de-pressurising the cable. With the other hand, adjust the screw on the top side of the contactor alarm test point quickly anti-clockwise. Without a pressure guage attached you are just going to have to guess at which point you are at, but thankfully, and inconsitencies will probably go unnoticed as long as by the time the test point is completely opened, the contactor calibration screw has been turned as far as it will go to the left. Remember, 'high pressure' alarms are usually only installed at the exchange, and so as long as you open the test valve afterwards, you could probably completely adjust the calibrator screw before opening up the cable for safety. (I hope this made sense. I _have_ done this before, so I know from personal experience that it works, but it is rather difficult to explain. If you are intending to do this and are not completely comfortable with how to complete this procedure, feel free to contact me at dataclysm@tokyo.com with questions or for further details). Bourdon Tube Gauge type contactor alarms have external contacts. These can just be removed. Simply open the box and either hold the tube in its extended position, or remove a contact itself (carefully). These alarms are much easier to bypass than the more common external type, but unfortunately I didn't add "more common external type" for laughs. In-joint contactor alarms are used mostly to guard coaxial cables, and CANNOT by bypassed by using the above method, since they have no external calibration point. If, for some reason, you want to tap a coaxial cable, you will need to sever the alarm pair itself, or use a universal bypass. ~EMPT Bypass~ External Electromechanical Pressure Transducer sensor alarms have a Schrader calibration test valve fitted, and therefore can be bypassed in much the same way as external and guage type contactor alarms can be. However, since the resistance values are different (and MUCH more sensitive), care must be taken to either precicely synchronise the bypass calibration movements. If I encountered an EMPT alarm, I would prefer to take my chances with cutting the alarm pair itself. However, its your choice. Once again, I can be contacted for enquiries and/or further details on EMPT bypass methods. ~Universal Bypass (both contactor and EMPT)~ Since cable take a while to fall below 50kPa, you may be able to take advantage of the continuous flow pressure system. It tolerates small leaks... If you locate your pair quickly you can patch up the cable (leaving a small area for your tap to connect of course). Depending on how much air is being lost, you may be able to leave the tap unnoticed (at least by the CPA scanners) for up to a week. You could always attach your own air pressure source through a bypass valve or testing point valve, although you would need a regulator to prevent trigerring any high-pressure alarms. Perhaps this equipment could be taken from an exchange? Social engineering an exchange, or better a WMC may also provide you with limited time, and is probably the best method if you want to simply intercept some data. Just ring up the WMC of your area (numbers can commonly be found trashing at an exchange in the area), and notify them that you will be servicing a cable in the selected area. Remember to pretend that you are new, as an excuse for not following the correct procedure. Don't be afraid to ask procedure-related questions to the operators! They will take for granted that you are a legitimate technician since (1) you have the controlled WMC number, (2) you are actually notifying them, & (3) no phreakers are stupid enough to beige of a major trunk for the purpose of obtaining free calls, and they know this. My personal choice of method? - Social engineering the WMC followed by re-calibrating the contactor alarm. If intending to tap a trunk I'd ring my local WMC informing them of my intention to 're-calibrate' the alarm at a certain point, something along the lines of "...have been asked specifically to fix a fault not yet listed in the DIRECTOR database, proceeding to so-and-so point, please ignore any cable pressurisation alarms coming from this area under maintenance...". Secondly, I'd try to be as discreet as possible when tapping the actual line, by using the afforementioned bypass methods. The more 'ninja' like you are, the less likely they are to send another technican to 'help' you rectify the fault, and the less likely they are to become suspicious. ___________________________________________ SYSTEM DESIGN & COMPONENTS CPA systems are designed following several guidelines: - All large size underground trunk, junction and main customer cables from MDF's to pillars are to be protected by continuous pressure. - Long distance coaxial cables and other cables requiring higher security have a pressure of 95kPa, and alarms are triggered when the pressure falls below 70kPa. - Some cables may have higher pneumatic resistance than others, and thus any pressurisation alarm systems installed on these cables are only good for a longer-term alarm rather than immediate. Such cables include the 'special' cables mentioned before, requiring high security. Because they are usually under 100 pairs, there is much less space for the air to get through, therefore there is a higher pneumatic resistance. I suppose it could be compared to blowing air through a pipe and a straw. In the exchanges I have seen during my travels, I have noticed a room 'connected' to the back with large air vents. I presume that this is the pressurisation room, because I can hear fans and motors coming from inside. The machines inside this room are called 'compressor/dehydrators', gathering air from outside, removing all moisture from it before pumping it into a cable. Some smaller exchanges may replace this equipment with cylinders containing the air. These cylinders are pressurised at approximately 14MPa, and are fitted with double reduction regulators to control the release of the air into the cables and keep it at 70kPa. RAX and unmanned exchanges usually use cylinders. Because these cylinders only contain either 1.3, 3.2 or 6.4 cubic metres of air, when there is a major sheath fault a portable compressor/dehydrator is moved to the exchange. Portable compressor/dehydrators come in two types, the P129 Electric Motor Driven, and the P130 Engine Driven. If pressure is urgently needed in the field, cylinders can be used to supply it. D" size cylinders (1.3m^3, 10kg) are used mainly for 'flash testing' of cable joints and CPA fittings. E" size (3.2m^3, 32kg) are used to charge new cables initially, and after service. G" size (6.4m^3, 56kg) are stored at exchanges not using compressors/dehydrators. Cylinders are only drained to a minimum pressuer of 1000kPa, otherwise moisture in the cylinders may enter the cables. If a cylinder neck is damaged, it can 'become a deadly missile' (quote from over-excited Telstra manual). In a typical CPA system, air is pumped into the cable using a compressor/dehydrator, which cools the air and dries it using a heatless air dryer. However, before it enters the actual cable, the air is stored in an Air Reciever to regulate the flow. Along the cable are located several different alarms sensors, including the contactor switch which I have already talked about. Other alarms include sensors which trigger if it no longer senses a supply of air from the compressor, humidity alarms and high pressure contactor alarms. I can guarantee these alarms wont affect you during any 'legitimate' phreaking activities, ie. not stupidly vandalising trunks. Many phreakers wonder what the point of manholes are. Manholes are mainly used for CPA monitoring and service rather than cross-connecting pairs. For this reason, manholes can often contain dangerous gas, such as nitrogen, due to leaks in cable sheaths or joints. Its not a good idea to screw around with bypass valves, test points and the such inside manholes, as it (1) could be dangerous, and (2) would be pretty damn pointless. ___________________________________________ INTERACTION WITH NETWORKS Most of the info I used to write this article is slightly outdated, so I added this section to cover the more up-to-date interaction with Telstra networks. Such interactions include Exchange Systems and Work Distribution Systems [WDSs] such as DIRECTOR - with regards to fault reporting and restoration, etc., but I have focused more on the alarm interaction side of things. All the info I have refers to internal exchange alarms being triggered by contactors and humidity sensors, etc., but I also caught a referral to 'a new WDS being introduced to handle these alarms'. Well, we all know most exchanges aren't usually occupied at night, so it would seem unlikely that Telstra have chosen to stick with *any* exchange based alarms whatsoever, and the introduction DIRECTOR and WMCs [Work Management Centres], as well as the increased responisibilities of the GOC [Global Operation Centre] with regards to faults and CAN activities, it would be not only more efficient, but much more convenient to have the alarms automatically notify such networks and systems. Basically, upon being triggered, an alarm will send data directly to a WMC via DDLs [Dedicated Data Lines]. They will be automatically filtered by a CAN Fault System (thats another article in itself... hmmm...), and classified to a degree between 'urgent' and 'non-urgent', much like other CAN system faults, like RIM/RCM equipment (PGSs). This alarm (fault) is then forwarded to DIRECTOR, all still at the WMC. All the alarm detection processes, such as matching the resistance of the alarm pair up to a table to determine the rough location of the fault, etc, is also done by the CAN Fault System. What this means for us is that once an alarm is triggered, depending on how important you judge it would be classified as, it would be best to finish up and get out of there quickly. This only stresses the importance of a ninja like approach to alarm bypass, rather than a 'hit and run'. ___________________________________________ FAULTS Contactor alarms are relatively quick in signalling faults a distance from the exchange, but closer faults may be recognised by air flow readings at the exchange. Either way, it is quite easy to locate the exact where-abouts of a sheathing or jointing fault. The process of rectifying the fault begins with exchange staff calling in a CPA technician, done through a Work Dispatch System such as DIRECTOR. The CPA technician visually inspects the line, keeping an eye out for leakage from valves and test points, leaking seals or pillar/cabinet tails, leaking contactor alarm cases and low insulation resistance across contactor terminals. If the visual inspections do not succeed in locating the fault, halide gas is pumped through the cable from a test point and detected with an electronic gas detector (Krowkon gas detector is used by Telstra). Once the fault has been located and sealed, a report is filed to the Supervising Engineer, Lines Practices and Protection Section again using DIRECTOR. Fixing the fault can range from simply tightening/sealing a loose connection, to up-rooting a 200m section of cable between manholes. Usually, the leak will be located in a manhole, since it is as these points that the conduit is exposed to the 'outside' world. Faults can be localised further by using a technique known as 'soaping' the joints, which basically consists of applying a liquid over the entire exposed length which reacts when the dry air is pumped out. Other fault location methods include filling the trunk with a gas which reacts with phenophalene and using a solution called 'Sherlock B' which, unlike the soap solution, does not shrink and crack the polyethylene cable coating sometimes used. ___________________________________________ OUTRO, REFERENCES & SHOUTS Well, with any luck that may have proved to be of some use to some people. It was certainly a learning experience for me documenting this more obscure part of the CAN, but then again, I have a use for it . Other 'Mega Super Happy'articles are available at the digital infraction homepage. Check it out at http://www.digital-infraction.org As always, comments and constructive criticism are welcome. For example 'dataclysm, I hate your writing style' is NOT constructive. A better alternative would be 'dataclysm, I hate your writing style because you include too irrelevant lame jokes and seem to be partially illiterate, and this is what you can do about it...' Shouts go to Psyincerise for helping with the info for this article, and Marlinspike for checking the speling, etc. <--- note witty joke. Which brings me to my next point: any errors in this document, be they grammatical or spelling, are his fault. Muaahaahaha. .eof. #+#+#+#+#+#+#+#+#+#+# LOCATING TELSTRA EXCHANGES #+#+#+#+#+#+#+#+#+#+#+# - Dataclysm - Disclaimer: Disclaimers shouldn't really have to be written on such material. Freedom of speech, and equally important, of information, are basic rights which are somewhat deprived, such as our right to a private home life, and our right as humans to private communications. The information presented in this tutorial may be used to discover further information, which can directly be used to somewhat secure our right to private communications. In my 'anti-disclaimer' idealogy, I'm not going to say "use these methods at your own risk". Rather, get the **** out there and find some of these Exchange locations, share them with the rest of the hacking and phreaking community, and trash the hell out of them. If you get caught, tell them that "dataclysm brain-washed me". Most of all, don't be pressured into accepting this reality as the only possible version. Contribute to the growing change in the world by understanding the technology which makes civilisation tick. Introduction: So, you're an aspiring phreaker, desperately looking for a cleverly hidden Telstra exchange so you can trash it and become elite... or maybe you're slightly more advanced and are compiling a list of local manned exchanges so as to find the right one to break into? Either way, this text can help you. Firstly, I'd just like to give a bit of background as to why I wrote this text. When I first started phreaking, months ago now, I only knew the location of one Telstra Exchange. I quickly became bored with scavenging through the dumpster, and set out in search of more 'profitable' exchanges. Up until this day I'd never done a search quite as big as this one was, for exchange locations in my area. But I found nothing. I realised that while exchange locations in NSW and WA had been mapped out in Morpheus Laughing, many phreakers in other states faced the grim challenge of locating their exchanges on their own. Further more, there were absolutely NO ****ING TEXTS on doing this. Eventually I found a method which, although innefficient and difficult, bore the results I was looking for. I located a lot of exchanges in my local area, but my dream of compiling a national listing was still far from complete. I set out in search of another, easier, more efficient method. When I read about Pulse Echo Testing I finally found what I was looking for... Oh yeah, and even if you are really elite and know all the locations in your area, this text still may be of interest to you since it also outlines ESA and therefore LRD location as well. In this text I have outlined two different methods of locating Telstra Exchanges. Chances are, one of the methods listed will help you locate you're closest exchange, no matter where you are. If, like me, you are interested in compiling whole area databases, a combination of the methods will probably be your key to success. Some methods have been discovered by others in the past, but they never wrote anything in detail on it. THE FIRST METHOD - COMPILED RESOURCES This was the first method I discovered, and was also the one I used to locate ALL my local exchanges. The idea first came to me when I was searching on the internet for "exchange locations", and found reference to an exchange zone and location map available to ISPs. Firstly, to clear up any discrepancies, these maps DO exist. Don't even bother trying to obtain one, though, unless you actually ARE an ISP, or you are ****ing brilliant at social engineering. Most lower level Telstra customer operators have no idea that these maps actually exist, so you'll need to speak to some one quite high up in the ranks, and even then your chances of actually successfully obtaining such a map are slim at best. If you want to try to get an Exchange Location and Zone map, remember, that you *don't* want it for the locations of the exchanges, rather the zones, so you can calculate call costs for your customers and thus service areas. If you actually manage to obtain this map, you'll find it is rather big, and has small dots on it. These are the exchange locations, and you'll probably have to layer the map itself over a street directory to find the actual addresses.. In itself, I don't consider the exchange map to actually be a 'method' as such, since the chances of actually obtaining one are not very good. The actual method listed here is slightly more complicated. To start off, search on the internet for your local council home page. Now, I've yet to find a council that doesn't keep summaries of their meetings on the internet. You are looking for a section entitled 'minutes'. It shouldn't be to hard to find if you have an IQ over 70. Once in this section, there should be a search field (again, I've yet to see a homepage without one...), in which you should type several combinations of the words 'exchange', 'Telstra', 'telephone', and 'telecommunications'. With any luck, you should find reference to a 'Telstra Exchange' in one of the minutes. It will probably be mentioned either as the topic (eg. for renovations, or putting up signage fronting a main road), or as part of the neighbourhood (ie. "nearby the construction site are several facilities, including a Telephone Exchange"). If you decide to go with this method, I suggest you try not only your actual area, but a few neighboring ones as well, if you are serious about finding an exchange in your area. This method is rather shaky, and you may experience limited success with it, but I thought it was worth a mention in here since I found it quite useful. To date, I've found about 40 exchanges nation-wide this way. They're all mentioned in my listing. THE SECOND METHOD - AUTOMATIC LINE PULSE ECHO TESTING My personal favourite method. Works well in metro areas, but don't even bother if you live in the sticks. Now, the theory behind this method is slightly complicated, but I'll go into that later on. You will need: - A payphone nearby - An AGS (FAST) ID and PIN - A relatively recent edition of the White Pages - (optional) A reverse directory - Paper and a pencil - A street directory - A ruler - An IQ over 70 (or a calculator, its your choice) - Access to the Internet Once your little 'arsenal' has been assembled, its time to choose the exchange you want to find. Lets say, for example, that I lived in Kensington, SA, and I want to find my closest exchange. 1. Right, its time to give the Telstra homepage a few hits. Go to www.telstra.com.au and navigate your way to the ADSL section of the site. Now, lets find if my area is ADSL enabled? I enter in my phone number, and up comes a results page listing my ESA [Exchange Service Area] as 'NRWD' in the top right corner of the screen. Alternatively, if your area isn't ADSL enabled, it will give you an error screen. You will need to go throuh the prefix section in the back of the white pages by hand to match up your prefix with your Exchange. In step one we established that the closest exchange to my area, Kensington, was the Norwood Exchange. 2. Ok, lets hit the books. In the back of the White Pages Telstra has kindly provided us with a list of prefixes, matching their exchanges. I'm looking for the Norwood Exchange prefixes. Best to write down a few - 83346xxx, 83664xxx, 840143xx. If I'm fortunate enough to have a reverse directory, I can just enter in these prefixes and find numbers in that range, complete with addresses. However, lets say I don't, so I have to go through the White Pages by hand and locate addresses with corresponding phone numbers in those prefixes. I want roughly 6 addresses, and when I find them I write the addresses and their phone number down. 3. Now for the fun part, lets trundle down to the nearest payphone and work around the FAST block. (courtesy of Zaleth and Dies Irae, where would we be without these two...? Probably doing the tests from a beige box hooked up to some one else's line, but thats a hassle). 180005005, follow on, * (redial), hold down '1'. I enter my AGS ID and PIN and am presented with a menu. I press '2', to perform a test on a remote line. I enter in the FNN [Full National Number] and then press hash. 0883664178#. The number is read back to me, and to confirm I press '1'. I perform a SULTAN test on the line, and listed to the results playback. If the SULTAN test is unable to be performed, if could be one of three things: 1. The line is part of a PBX, try a different line. 2. The line goes through a PGS, try a different line. 3. Repeated failure may suggest that SULTAN equipment is not installed for that prefix. Try a different prefix for the same ESA. Patiently ignore all the crap which is read back to you. After the SULTAN test has been completed, I want to perform "further testing". I dial '7' for the "A-B Open Circuit" test, and listen for the final result. A recorded voice will give a figure in metres, saying 'virtual distance'. Write this figure down next to the address of the number. 4. Repeat step 3 for the remaining numbers, 6 numbers should provide you with at least 4 successful distances. Usually 4 will be enough, narrowing the exchange location down to within about 50-100m, but for the perfectionists out there you may want to try 5 successful numbers. 5. Return home, and get the ruler, calculator, and street directory. Mark out all the addresses in the street directory (using pencil). Then, divide all the distances you got by two, to get the virtual length of one leg to the exchange. Using basic trigonometry, pinpoint the intersection of the 4 distances for a pretty accurate stab at the exchange location. It will probably be on a main road, usually at an intersection of a side street or lane. All you need to do now is confirm the location. If you can't be ****ed getting down there, ask a friend who lives nearby to look around for a base station, since exchanges usually have mobile phone towers on their grounds. Congratulations, you've dealt Telstra a blow by finding a 'classified' location. Arghh... I guess its time to go into the theory now... Well, most ALTs [Automatic Line Testers] are equipped with an A-B O/C [Open Circuit] test function. The way an automatic tester would perform this test is by using a Pulse Echo Tester. Basically, how this works is by sending a ping (or 'pulse') down the line, and timing the 'echo', or 'return'. The ping can only travel through an open circuit, so this test is used in most ALTs do determine whether the line is open or not. SULTAN, however, uses flashy little RVAs [Recorded Voice Announcements] to give a virtual line distance. I presume it would factor in stuff like line resistance, inductance, insulation to earth resistance, and other variables, but knowing Telstra... (heh) It all seems nice and convenient until you realise that theres not feasable way that Telstra could (or would, for that matter) actually calculate the distance from the exchange. The reading we receive is a total line distance. Lines don't go straight from the exchange to the CPE [Customer Premise Equipment], they take a windy road, passing through CCUs [Cross Connecting Units], such as pillars and cabinets (btw, a single pillar or cabinet is referred to as a CCP [Cross Connection Point]), and cable looping in junction pits and manholes. A single triangulation using these results would probably be quite innaccurate, but using 4 or 5 can yield usable results. A basic layout might be something like this: (please excuse crappy ascii diagram...) ______CPE J (pit) | | X (pillar) \ \ \ O (cabinet) | | | # (exchange) As you can see, the line does NOT go directly from the Exchange to the CPE, rather it passes first through a cabinet, then through a pillar, and finally branches off from a junction pit. The cable distance might be up to a hundred metres longer than the actual distance. There is a way, however, to combat this innaccuracy. If you have a reverse directory, you can afford to be picky and select houses that are *closer* to the exchange (ie directly in the ESA suburb), leaving less room for error. At first, I tested the Pulse Echo Tester triangulation method in an ESA in which I knew all the CCU locations, and I was able to locate the exchange to within a metre, but this is a LOT more effort, and I only have CCU location listings for metro SA suburbs. MAKING AN EXCHANGE LOCATION AND ZONE MAP Its always been a sad and twisted fantasy of mine, to walk back into the Telstra shops and give them a map of so-called 'classified' exchange locations and zones. Anyway, if you want to be /<-r4d 31337, and have an exchange map of your own, you'll need to go to the Telstra site (www.telstra.com.au), and download an ADSL map of your general area (eg. SA rural, Sydney metro, etc). Simply use a graphics editor which supports layering, such as Photoshop, and apply the map over a digital state suburb map. Alternatively, you could always guesstimate as to which zones match up with which ESAs. Next, take your compiled list of Exchange locations and possibly ESAs, and either pinpoint the locations on the ADSL map, or just include an attached location table. If you're feeling really 0-d4y, add your stolen CCU and cable location listing to have a virtual network map! I haven't personally bothered to do this. Cool; yes. Time consuming, relatively pointless, difficult; also 'yes'. LOCATION LISTING "Theres no use in re-inventing the weel". To get you started, I've included my current exchange listing, which has been contributed to by several other people. A fair few of the locations were also taken from Morpheus Laughing ezine, and the proper sources have been credited. ESAs have been added to the Morpheus listing, as well as more locations. [Notes: Distribute this freely, but don't take credit for it Submit any locations or LRDs/ESAs you have, and they will be added List by dataclysm, WA & NSW locations from Morpheus Laughing SA locations found using techniques listed in Phrequency #2, dataclysm Most NSW locations by Lord Hades, Morpheus Laughing #3 Most WA locations by iMoRtAl, Morpheus Laughing #2 Multiple contributors include: Psyincerise, LoC, Czar, Zaleth, Cheeba, gOdFraY, SubCom, RiOtEr Single contributors include: boris_G, crisis^, OrIgIn, Vertisch, Alian, xtc_teckno Last updated: 12 February 2002] ***************************** * South Australia: 34 * * Northern Territory: 4 * * Queensland: 8 * * Victoria: 13 * * Tasmania: 3 * * New South Wales: 140 * * Western Australia: 95 * * ACT: 4 * * Other: 5 * ***************************** __________________________________________________ ____________________________ ================================SOUTH AUSTRALIA=============================== ------------------------------------------------------------------------------ Exchange LRD/ESA Location ------------------------------------------------------------------------------ Adelaide ADEL Flinders and Waymouth Exchanges American River AMRV Andamooka ANDM Balhannah BLNH Bangham BHAM Bangham Tce, Bangham Bangor BGOR Birdwood BDWD Blackwood BKWD Bordertown Decourcey St, Bordertown Borrika BRKA Boston Island BNIS Braemar BEMR Brighton BRIH Bundaleer North BNLN Carpentaria CRIA Carrieton CRRN Chain Of Ponds COPS Clarendon CRDN Colona COLA Coober Pedy CRPY Coonalpyn COPN Coorabie CRAE Coorang CRNG Coromandel Vly CLVY Croydon CRYD Crystal Brook CLBR Cundalabie CUND Cygnet River CGRV Edwardstown EDWN 688-692 South Rd, Glandore Elizabeth EZBH Cnr Elizabeth & Phillip Hwy, Elizabeth Elliston A ELNA Everard A EVRA Flinders FLNF Cnr Flinders & Pulteney St, Adelaide Flinders Island FLIS Frome A FROA Frome FROM Gairdner A GARB Gairdner C GARC Gairdner D GARD Garra Lands GRAL Gawler GWLR High St, Gawler Gepps Cross GPCS 558 Main North Rd, Blair Athol Geranium GNNM Glendambo GLBO Glenelg GLLG Glenunga GUGA 111 Sydney St, Glenunga Golden Grove GNGE Cnr The Grove Way & Golden Grove Rd, Surrey Downs Goss GOSS Great Bight GTBT Greenwith GWTH Gumeracha GUMA Gurrai GRRI Hammond HAND Hampstead HPSD Handorf HNDF Harriet HRET Hawker HAER Henley Beach HNLY Herbert A HBTA Herbert B HBTB Hiview HIVW Hope Forrest HEFT Indian Pacific INPC Iron Baron INBN Iron Knob INKB Jabuck JBUK Kadina 4 Hay St, Kadina Kangarilla KANG Karoonda KRND Karratta KRTA Kersbrook KSBK Kingscote KNGE Koonalda KLDA Kringin KRGN Kyancutta Section 101, Head of Wannamana Lameroo LMRO Laura LURA Leigh Creek LECK Lenswood LSWD Lobethal LOBL Lonsdale LSDE Nth Side Flaxmill Rd, Christies Downs Louth Island LHIS Loxton North Balfour Ogalvy Rd, Loxton MacGillivray MRAY Maralinga MALA Marla MRAA Mclaren Vale MNVE Melrose MLSE Meningie East MGEE Millicent Sixth St, Millicent Mintabie MIIE Modbury MDBY 134 Reservoir Rd, Modbury Montacute MTCT Montacute Rd, Rostrevor Morchard MCHD Morgan MRGN Morphett Vale MTVX Mt Barker MTBK Mt Gambier MTGA James St, Mt Gambier Mt Hope MTHR Mt Pleasant MTPT Mt Torrens MTTS Murtho MTHO Nairne NRNE Naracoorte Moore St, Naracoorte Neptune Island NEIS Normanville Ronald St, Normanville North Adelaide NALE O'Connell St, North Adelaide Norwood NRWD Cnr The Parade & Maesbury St, Kensington Nullabor NULA Nundroo NDRO Nuriootpa 12 Murray St, Nuriootpa Oak Valley OKVY Orroroo OROO Osborne OSBN Paradise PRDS Parndana PRDA Parrakie PRKE Peebinga PBGA Peneshaw PNSW Pinnaroo PNRO Prospect PROT Policemans Pt. PCPT Port Adelaide PTAD Port Augusta 5 Mackay St, Port Augusta Port Elliot Cnr Port Elliot Rd & Sturt St, Port Elliot Port Lincoln 22 Park Tce, Port Lincoln Quorn QURN Reynella RELA Roper ROPR Rosedale Roseworthy Rd, Rosedale Salisbury SALA Seaford SEFD Semaphore SEMC Sheringa SHGA Smithfield SMFD Spilsbury Isl. SYIS St Marys STMF Cnr Daws Rd & Perry Ave, St Marys St Peters STPE 96 Payneham Rd, St Peters Stirling STIC Stokes Bay SKBY Tanunda 3 Sobels St, Tanunda Tarcoola TCLA Tarcowie TCOW Terowie TROW The Ranges TRNG The Ranges (H) THRG The Ranges (K) TKRG Thistle Island THIS Tooperang TPNG Unley UNLY Victor Harbour VRHR Ocean St, Victor Harbour Victoria River VIER Waymouth WAYM Cnr Waymouth & Bentham St, Adelaide Wedge Island WGIS West Adelaide WESA West Coast DRCS WTCT Wilkawatt WKWT Williamstown WLTN Willowie WLOW Wilmington WLMG Wilpena WIPA Wisanger WSGR Whyalla 55 Playford Ave, Whyalla Woodville WDVL Wynarka WYKA Yalata YATA Yankallila Main Sth Rd, Yankallila Yumali YMLI Yundi YNDI Yunta YUNT ------------------------------------------------------------------------------ __________________________________________________ ____________________________ ==============================NORTHERN TERRITORY============================== ------------------------------------------------------------------------------ Exchange LRD/ESA Location ------------------------------------------------------------------------------ Alyangula AYLB Arnhem ARNN Berrimah Stuart Highway, Winnellie Causarina Vanderlin Dve, Wanguri Daly DLLY Darwin Smith St, Darwin Davenport DAVE Galiwinku GWKU Gove GOVE Maningrida MNGA Milimgimbi MGRP Nhulunbuy NLNF Petermann PETN Plenty PLNY Ramingining RAMI Ranken River RANK Rodinga RODG Simpson SIMN Tablelands TABS Tanami TNMI Tiwi TIWI Wagait WGAT Winnellie RAAF Gates, Winnellie Yuendumu YUEM ------------------------------------------------------------------------------ __________________________________________________ ____________________________ ==================================QUEENSLAND====== ============================ ------------------------------------------------------------------------------ Exchange LRD/ESA Location ------------------------------------------------------------------------------ Boundary Road, Narangba Bay Terrace, Wynnum Charlotte Street, Brisbane River Road, Caboolture Bli Bli Bli Bli Rd, Bli Bli Chapel Hill Moggil Rd Sandgate Rainbow St, Brisbane Wangaratta Fosang Lane, King Valley ------------------------------------------------------------------------------ __________________________________________________ ____________________________ ===================================VICTORIA======= ============================ ------------------------------------------------------------------------------ Exchange LRD/ESA Location ------------------------------------------------------------------------------ Belmont 173 High St, Belmont Corio Princes Hwy, Corio Exhibition GOC 5/300 Exhibition St, Melbourne (Echelon is here) Glen Eira 19-21 Selwyn St, Elsternwick Geelong 19 Lt Ryrie St, Geelong Lara Station Lake Rd, Lara Leopold Ballarine Hwy, Leopold Lonsdale Lonsdale St, Melbourne Moolap Bellarine Hwy, Moolap Newport 88 Hall St, Newport North Geelong 189 Melbourne Rd, North Geelong Ocean Grove The Terrace, Ocean Grove Queenscliff Bowen St, Pt Lonsdale Tooradin Tooradin/Station Rd, Tooradin ------------------------------------------------------------------------------ __________________________________________________ ____________________________ ===================================TASMANIA======= ============================ ------------------------------------------------------------------------------ Exchange LRD/ESA Location ------------------------------------------------------------------------------ Davey St, Hobart Sandy Bay Rd Runnymede Tasman Hwy ------------------------------------------------------------------------------ __________________________________________________ ___________________________ ===============================NEW SOUTH WALES=============================== ------------------------------------------------------------------------------ Exchange LRD/ESA Location ------------------------------------------------------------------------------ Arndell Park ARDK Lot 6 Kenoma PL Ashfield ASHF 11 Hercules ST Austral AUST 4th and 12 AVE Avalon AVAL 15th Old Barrenjoey RD Balgowlah BALG Sydney Rd and Woodlands St Balmain BALM Montague and Dowling ST Bankstown BANK 18 Kitchener PDE Bankstown Airport BAKA Lot 4 Marion ST Baulkahm Hills BAUL Russel and Windsor RD Berambering Pk BMBG Berkshire Pk BKPK Berowra BERO CNR Berwora Waters Bilpin BLPN Bells line of Road Birralee BIRR CNR Mccallums and Chilcott Blackheath BLKH Wentworth ST Blacktown BLAC 69 Fluscombe DR Blakehurst BLAK 507 Princess Highway Blaxland's Rdg BLAX Bondi BOND 16 Roscoe ST Botany BOTA 38 Tenderson RD Bringelly BRGY Lot 1 Badgery's Creek RD Brooklyn BROO Burwoood BURD 32 Railway PDE Campsie CAMP 395 Canterbury RD Canoelands CALD Carlingford CARL 413 North Rocks RD Carramar CARR 6 The Horsley DRV Castle Hill CAST Old Northern RD Castlereagh CRGH Catai CATI Chatswood CHAT Victoria AVE Chipping Norton CHIP 23 Earnest RD City East EAST 330 Liverpool ST Darlinghurst City South CYSH Coffs Harbour Moonee St Colo COLO Colo Heights CHTS 219 Putty RD Como COMO 11 Ortona PDE Concord CONC 35 Yarralla ST Coogee COOG 56 Dolphin ST Cranebrook CNBK Lot 111 Borrowdale Way Cremorne CREM 219 Military RD Cronulla CRON 4 Wilbar AVE Dalley DALL Dee Why DEEW 1/7 Cumberland ST Drummoyne DRUM 60 Lyons RD Dural DURA 969 Old Northern RD Eaglevale EGVL Lot 54 Cornelian AVE Eastwood EWOO 101-105 Chatham RD Ebenezer EBEN Wilberforce and Wisemans Edensor Park ERPK 8 Bonnyrigg AVE Edgecliff EDGE 369 Edgecliff RD Emu Plains EUPS Lot 1 Russle ST Engadine ENGA 1091 Princess HWY Epping EPPI 3 Oxford ST Erskine Park ESPK Altham PL Fiddletown FIDD Hollands RD Five Dock FIVE 192 Great North RD Freeman's Reach FRCH Lot 19 Creek Ridge RD Frenchs Forest FREN 510 Warringah RD Galston GALS 47 Schools RD Glebe GLEB ST Johns RD Glenbrook GLBK Glenbrook and Haynet ST Glenorie GLEN Old Northern RD and Harrison Granville GRAN Maud and Hutchinson ST Grosse Vale GVLE Grossewold RD Guildford GUIL 2 Guildford RD Gunderman GDMN Wisemans Ferry RD Harboard HARB 375 Oliver ST Haymarket HMKT Hazelbrook HZBK 16 Great Western HWY Helensburgh Walker St Holsworthy HOLS Labuan RD Homebush HOME 68 Beresford RD Hornsby HORN 290 Pacific HWY Horsley Park HORS Hunters Hill HUHL 3 John ST Hurstville HURS 39 Bridge ST Ingleburn INGL 29 Albert ST Katoomba KTBA 144 Katoomba ST Kelly Ville KELL Old Windsor RD and Windsor RD Kemps Creek KEMP Elizabeth DRV Kensington KENS 113 Todman AVE Kent Street KNST Kenthurst KENT Kenthurst and Volunteer RD Kenthurst North KNTH Blue Gum RD Killara KILL 637 Pacific HWY Kingsgrove KING |
|
|
|
Linear Mode
