Welcome to the annual DEF CON convention. This meeting was held in exciting Las Vegas, Nevada from July 9th through the 11th, 1999. This is video tape number 5. Greeting and TVX Trails. Talk about doing scans and checking scans and breakings. This is meant to take you from the beginning to moderate levels so you understand what we're talking about. Here's Ghost; he's got a lecture about phone phreaking.

I don't have any fancy PowerPoint presentations or anything like that because I'm a very serious procrastinator. I'm just going to ramble on. To start off, toward the middle to late 80s, AT&T got broken up into RBOCs, the Regional Bell Operating Companies. Basically they're local dial tone; they own all the facilities, copper, things like that. About two years, well actually it's been about five years, that local service could be provided by anybody. Those were CLECs, competitive local exchange carriers. Basically CLECs are a little easier to get to, I think, for phreaking. They borrow all their facilities from an RBOC, or they lease their own, or they run their own. I work for a CLEC; I'm not going to give you a name because I don't want to get in trouble. We as a CLEC use the 5ESS switch; it's a nice piece of gear. Most CLECs use the Nortel DMS 250, which was originally used for long distance carriers but has been upgraded for local. I was going to have manuals to give out, but once again, procrastination.

Starting off with the basics. In telco terms, you have what's known as a DS0, which is your everyday average phone line. That's a DS0. If you go up one step, you have a DS1, also referred to as a T1. It's 24 channels, which is 24 DS0s. If you go up one more step, you have a DS3, which is 28 T1s. I believe it's 684 regular lines. That can be run over fiber or coax. The next step up would be an OC1, which is optical carrier one. It's one DS3 being transported over single mode fiber. Next step up is an OC3, three DS3s, then OC12, OC48, OC192.
Recently, there has been an addition of dense wave division multiplexing, which is basically running the lasers for fiber through a prism, breaking it into different wavelengths, so you can run multiple optical gear over the same piece of single mode fiber. In most central offices, you'll have a switch, which is a 5ESS the majority of the time if it's an RBOC, or a DMS 250 if it's a CLEC. You'll also have some sort of digital cross-connect system to do your cross-connects inside the CO. Between COs, they use what are known as A-links, which use the SS7 protocol. SS7 is essentially the commands to initiate a phone call. Basically, one switch sends the information to the switch of the number that you're calling, says, we're calling this number, is it busy, whatever, is it open, and then it sends the information back. The specifications on SS7, I believe one SS7 link, which is a DS0, can carry the control information for 1,275 actual phone calls. I haven't done much research on that. I'm sure there's probably some way to manipulate it.

Moving on to equipment and techniques for phreaking. Redboxing doesn't really work anymore, unless you're in some rural back country that has an older switch. Basically, the essential tools are a B-box key; a B-box is those green boxes you see on the side of the road. A normal B-box will carry about 1,500 lines. B-box key, apparently one of those pliers works too. And a butt set or a beige box. I use a butt set; beige boxes are easy enough. Basically, the cabling system for the B-boxes runs in pairs of 25, color coded, going through the color codes. And once you get past 25, it just duplicates, but you have binders around it so you know which one you're dealing with. There are certain numbers known as diverters, or, I can't think of any other term for it, but basically what it is, is it's a number that you dial that asks you for an access code. And once you enter the access code, you get dial tone again.
And basically what they're used for is, say a lineman was at a B-box, clipped onto your line and needed to make a long distance call. He'd call this diverter, get dial tone and dial out from there, so it wouldn't show up on your bill. I find that there are usually three to four in every area code. So they're pretty easy to find; getting the code is the hard part. Sometimes you can social engineer it out of a lineman, sometimes not. Test equipment, if you can get your hands on it, is a good thing to have. There's certain T1 test equipment that you can clip onto a T1 line and actually break it out from there, so you can break down each individual channel.

PBXes. There are two types of systems used for PBXes and they get confused quite often. There's what's known as a key system, which, if you look at the phone, you'll have buttons with the actual phone numbers on them and you can select whatever number on the phone. That's known as a key system. It's for smaller businesses, homes, whatever. Then there's a PBX, public branch exchange. Basically, you pick up the line, hit line one and it picks a line out of a pool. Those are a lot bigger, a lot more lines, easier to deal with. Probably the easiest way to hack a PBX would be through the voice mailbox system. On most mailboxes, when they're set up, the access code to get into the PBX that they put in is either the number of the voice mailbox or all zeros. And normally people don't make a habit of changing that. So that would probably be the easiest way to get in, and once you get into the mailbox, you can change it to dial out. Another thing, if you can find them, is what's known as direct trunk access codes. Basically what that is, is you dial into the switch and you enter your code and basically it gives you dial tone. Excuse me. And normally most places have long distance restricted. It just depends on the tech who installed it. Most of the time it's pretty default.
Another way to get calls out of a PBX is social engineering. For instance, calling up and getting a receptionist and asking for a transfer to extension 9024. When she transfers you, it dials nine, which grabs the outside line, then dials zero, which gets you the operator, and it truncates the last two numbers. So basically that's one of the easier ways to get to it. For the most part, most key system and PBX installation techs leave things default. I know this because I was one. As far as your high speed data lines, ISDN, DSL, T1s, for the most part, if you try and clip onto the lines that they're on, you're not going to hear anything. For certain T1s, if you clip onto the line without the test equipment, you'll take them down. Nextel. Nextel actually uses DMS 250s throughout their traffic.

Are there any questions, anything I can elaborate on? For the most part, when certain PBXs are set up, if a certain number of attempts are tried on the voicemail box, it hangs up. A lot of the systems now have caller ID included on their voicemail box and normally they won't let any calls from that number be transferred into the voicemail box after a certain number of attempts. Do you know if the pie is a group or not? Uh-huh. Is the trunk access to the PBX, or the load access, to be considered to be as much of a record in the plan as possible? No. Usually the trunk access numbers are either default or they're set by the tech who installed them; most of the time they're default, which would be all zeroes, one, two, three, four, five, things like that. Actually it depends on the PBX. Some PBXs are four digits, some PBXs are eight, and the most I've ever seen was on a Rolm switch and it was 12. Uh-huh. As far as a program to use for getting the password, there really isn't one that I could think of. Most passwords are default, admin, admin, things like that. Once you're inside, most of the software on PBXs is menu-driven, so it's pretty self-explanatory once you're inside.
You just kind of have to cruise around a little. Yes? Right. That was probably installed by the technician, or administration told everybody to change their passwords that way. That's probably programming in the 5ESS. I know that on certain lines that the pay phones are on, it's actually set in the 5ESS as a pay phone class line, so some... I've never run into that. For the most part, all the newer PBXs are being installed with caller ID, so they can tell what number's being dialed and they do get logged. I wouldn't really suggest doing it from your home. Beige boxing would work. Pay phones would work. Sometimes on certain PBXs, on the NEC 2000, for instance, trunk number 11, if you let it ring for, I believe it's 10 times, the internal modem will automatically pick up. It's a programming feature. Pretty much it lets you dial in and it automatically picks up. Most PBXs are installed with internal modems, usually 2400 or 9600, sometimes 1200 depending on the age, but you won't see many past 9600.

The Millennium pay phones, the new ones with all the fancy LCD displays where you can hang up and make a new call, things like that. If you dial one of those, and I think if it rings 14 times, it has an internal modem that picks up, and once you get inside the phone, you can actually change the amount for a local call, things like that. You can change what the display reads out, you can change everything. That depends on the way the line itself is set up in the switch. Some of the switch techs kind of leave that out and let the pay phones accept phone calls. You would probably have to open up the phone to get to it. I don't think you could do it through the handset because all that's doing is picking up dial tone. For the most part, they are customer-owned, customer-operated.
Sometimes you'll find, where I live, PacBell owns them, GTE owns them, and with those, those are the ones that if you let it ring long enough, the modem picks up. The easiest way of doing it. Oh, I'm sorry. He said if you wanted to go about acquiring a pay phone, how would you do it? Well, my suggestion would be to sit in a park for about a week and wait for the person to come around and actually check the pay phones. He'll put his key in, open up the box, pull out the change. Have one of your buddies come and distract him and nine out of ten times they'll leave the key in the phone. You just come up, pick it up, and then from there, once you open up the pay phone, you just unbolt it from where it is. What was that? Oh, hypothetically, sorry. Now, I'm not condoning that we steal pay phones or anything, but this is all hypothetical. Yeah, but if you want to pay $2,500 for a pay phone that's six years old... Okay. There is also a way to acquire a booth itself. It's a very large pickup truck. You need a prescription of your life, and you can unbolt the pay phones hypothetically.

Okay. No, they actually set up... It used to be that you could; they were set up as ground start lines, which means in order to pull dial tone, ground has to be applied to the tip of the pair. And now they actually have a line class for pay phones. So even if you were clipped on the line, you applied ground, you dialed the number, it's still going to wait for the tone. The Redbox tone, the 25 cent deposit tone. Is that stuff? Oh, I'm sorry. What is that true for? Is that true for Pac-Bell telephones as well as COCOTs? He said, is that true for Pac-Bell as well as COCOTs? For the most part, if it's a COCOT, the owner of the pay phone just gets a ground start line and puts it up. As far as the telephone company goes, they normally put it in as line class of a pay phone. Yes, it's a... I haven't had the chance to hypothetically pull one apart yet. Can you remotely rewrite the EEPROM? I've never tried.
Hypothetically yes? Yes. When you initially connect to the Millennium pay phone, it asks for a password and then you get in and it's menu driven. Hypothetical default passwords. Millennium. Actually, if you look on the phone, I think there are three different manufacturers. It's hypothetically an abbreviation of the manufacturer's name. Admin. Password. All zeros. I haven't found one that says secret, but... Yeah, just your plain default passwords. The password is generally four to six characters. I haven't seen any that are any longer. If you were dialing into it. Okay.

Well, some of the... He asked, if you call into a PBX, do they collect just caller ID or ANI information as well? Some of the older PBXs, a lot of your Rolm switches, the older bulkier PBXs, they don't have caller ID or ANI. They just accept the phone call. Some of the new ones, the NEC 2000s, 2400s, the Nortel Option 11s, they have caller ID. They don't take ANI information. I'm sorry? You can... Star 67. That doesn't always actually work. Star 67 is funny because what it's doing is it's telling your switch that you don't want your caller ID information sent to the next switch over that you're calling, and it sends the information anyway. Basically what the switch on the receiving end is doing is saying, okay, they don't want the information sent, so we won't send it any farther. Basically what it tells is the caller ID box to ignore this information. Yes. Yeah, when the 800 number... On 800 numbers, the... I believe it's the phone number. I'm not sure if it's the ANI information, but that's definitely recorded and sent as part of the bill. Okay. Yes. On the newer phones, I've heard of it. I've heard of techs actually having to go out and plug their laptops into it to upgrade firmware or new releases, things like that. So do I need parts to be... Not that I know of. I don't think they download it from the 5ESS. Yes.
He's asking if the older PBXs actually had, normally, DIDs, direct inward dial numbers, that basically all you could do was dial in on. You couldn't clip on them and dial out. You wouldn't get anything. And then they had separate lines for dialing out. They're not really separated. I mean, they're not really connected anymore. A lot of people go with DIDs and then a group of maybe 10, 12 trunks to dial out, depending on the size of the company. Most PBXs that are being set up now, the DID number, like from outside of the PBX you'll dial a number and it'll hit an extension inside the PBX because that's the way it's supposed to route. And then they can do internal PBX calls. But those are simply DID. You can't dial out from them. And then they have a group of trunks, usually a T1, to dial out on. Yes. They keep it standardized. Standard connection. Basically when it picks up, you handshake and then it comes up with the password. I believe it's software. It's all on one chip. Like I said, hypothetically I haven't taken one apart and looked at it yet. I'm sure it has the capability to be logged, but then again, if that payphone's receiving quite a few calls a day from different numbers, eventually it'd run out of space, because I don't think they're putting hard drives or anything in them to log numbers that are calling.

Future for the video phones. She asked if there was a future in the video phones, video conferencing, things like that. There's a company, Vivex, that's actually doing video conferencing over fiber. And it's very good bandwidth. It's just you've got to have the bandwidth to be able to do it. And once fiber's to every house, then yeah, they'll be feasible. But until then, it's still very choppy and not practical. Thank you. He asked if, once you're into one of the Millennium phones, there was any indication that the telephone company knew that you were in there and were sending men after you. As far as I know, it's a single line.
It can only be accessed by one person at a time. I don't really think that a telephone company would put in the resources to put multiple trunks on a single payphone line so they can monitor things like that. Yes. He's asking, on the Millennium phones, if something's wrong with the phone, if it actually automatically dials out to the phone company and says, hey, something's wrong. Yes, they do. When the coin box is full, they call a computer and say, hey, I need to be emptied. If there's something wrong with the line, if they can call, they do. As far as attempts to log on to it, I don't know about that. I'm sure that's probably a feature. Like a callback system? He's asking if there's like a callback system on the Millennium phones. If you call them up, log in to them and then disconnect, if they actually call back to their central computer and double check. It's a possibility. I don't think they would, just because if that happened, there are so many Millennium phones out there now that that would just be too much resources. The telephone companies try to do as much as they can with as little as possible. Yes.

Is there any way to hook up your laptop to a pay phone? Yes. There's actually an acoustic coupler out there that connects at, I think it's 26, or no, it's 28.8. It'll connect. It's a handset coupler. That's one way to do it. Another way would be taking a regular phone cord, snipping the end off like you're making a beige box, putting alligator clips on it, and either putting it on the line at the B-box or actually cutting through the metal sheath of the handset. Hypothetically. Thank you. Yes. The phone is a mobile phone. It's a monitoring device. It's a mobile phone. Mm-hmm. The phone box is full. There's a big problem with the handsets, things like that. The phone is there. Mm-hmm. The GTE or the other things, some of these use those mobile phones. No. He's asking if there are devices that, when the phone box is full, correct me if I'm wrong. Mm-hmm.
Private payphone companies. Uh-huh. Right. Uh-huh. There's actually a guy that's helping out. No, the phone companies don't do things like that. On the other side of payphones, they actually have a guy go out there once a week. Right. The phone companies won't put anything like that in their phones. Like I said, the phone companies try to do as much as they can with as little as possible. Resources and manpower. What were they screaming? Huh? As far as that's concerned, that might be something internal, like an anti-red box device, something like that. But as far as messing with the handset, messing with the keypad, things like that, hypothetically, I know somebody who's actually demolished a phone and nothing's happened. Yeah, so, that might be like an anti-red box device. Yes.

Okay, he's asking on credit card calls. You mean like on the ones where you slide your credit card in? Yeah. He's asking how the sequence of events goes. It reads the information off the magnetic strip, dials out real quick, sends a burst of information to a computer, and then gets a reply, yes or no, based on whether or not the card is valid, things like that. Yes. Do the PBXs or pay phones actually store credit card information that goes through there, or numbers that are dialed, you mean? I've seen certain external voicemail systems that are connected as a secondary thought to PBXs that will actually record what gets dialed out. And from a PBX point of view, it usually logs all traffic going through it. Yes, you can access the logs. Yes. The format for the transmission is not SS7. SS7 is simply a control protocol that basically says we want to dial this number, and the responding switch says, okay, it's clear, go ahead and send the information through. It's not really meant to send anything. I'm not sure there's any specific protocol for it. As far as I know, it's just plain text: the number, the credit card number, expiration date, name, and it waits for authorization. Yes.
I haven't done that much research on SS7, but I've seen it work and it's got real flexibility, so it's a possibility. Okay, if you're in an office and you see a hardwired line, but they also have a PBX, how would you tell which one's hardwired? Is that what you're asking? You'd probably have to trace it through the 66 blocks. Most of the time, though, unless it's a modem line or something that doesn't need to go through the PBX, it will. And on some of the newer PBXs, you actually plug your computer into the side of the phone and it dials out from there through the PBX. Yes. Okay.

The Blue Box was a device that created the 2600 Hz tone that was used to grab trunks. That doesn't work anymore because it's all digital signaling between switches. Red Boxing duplicates the sound that change makes when it's deposited into a payphone. That doesn't really work much anymore. It depends on the switch that the line's on. If it's an older switch, I've heard of it working. I've never been in an area where it has worked. But I hear some of the 1A switches you can still Red Box off of, but I'm not sure. The Beige Box is simply a phone with alligator clips on it. So it's basically a lineman's handset, the $20 version instead of $250. There used to be a time where tones were sent, like, so you deposited money in a payphone and your call didn't go through and it kept your change. You'd call the operator and say, I just made a call, it kept my change. And she'd send tones back down the line and it'd give you your money back. Those were the Green Box, I believe. Yes. Yes. How did you tell the difference? Are you? Yeah, I was very lost. Some of it is oily, others are dirty. Some are cold and light. Even if you're not sure even if it's cold or if it's such a cold, I'm not happy. Either it's going to give you a chance to tie a little bit of a cover. Either it goes with the operator because, you know, high quality, you put in a pretty sense.
The work goes to a person who plays the pop songs and it opens up the mic. It opens up something that works. One, yeah, fear, questions don't work with switches too. Um, as far as the recording that opens up the mic, that happens where I live too, and we have 5ESSs, and even though it opens up the mic, it doesn't accept the tones. You're saying that you actually had a bad... GTD-5s? GTD-5. I've never run into something like that. Um, most companies usually either use the AT&T 5ESS switch, the Nortel DMS 100 for long distance or the Nortel DMS 250 for local. Um, some of the more rural areas still use the older switches, the 1A, things like that. So, that might be what it is. Theoretically?

Jackpotting a payphone. He's asking, um, hypothetically, if there are any ways to rob a payphone of all its change without actually having to have the key or picking the lock open. Basically what happens is when you deposit the money, it slides between two contacts and creates an electrical charge. That's the first mechanism that actually tells that you've deposited money, and then it goes through weight and mathematics and all this to determine what kind of coin it was. A piece of very thin coax or two pieces of wire, something to differentiate positive and negative. I'm sure if you were to hook it up to, say, a 9-volt battery and slide it into the coin slot and play with it a little, hypothetically, of course, I've never tried this, you could probably get it to register that you're putting in more money than you are and then it'd probably be giving you change for it. Yes? I'm sorry? Oh, he's asking, there's an old trick where you could dial an 800 number, wait for them to hang up and then get dial tone again and dial out. Yes, actually, that still works on quite a few lines.
Basically what's happening is when you first deposit your money and dial the number, well, for an 800 number you don't have to, but when it hits the switch that you're dialing an 800 number, it opens up the line, and when they hang up and the line resets itself, it still keeps the line open. Yes? Uh-huh. Uh-huh. Okay, he's talking about the new Millennium phones where they have a slot for credit cards or smart cards. From what I understand, the way that works, the PCS style phones where they use the smart cards, I know Pacific Bell uses them, I believe it charges the call to your account. I haven't seen any actual credit cards or anything that use smart cards yet, so I'm not sure how that would go about working. Uh-huh. He's saying that in US West turf, is it, that they sell smart cards like prepaid calling cards or something similar to that? Yeah. But they basically have a dollar amount to them or... Oh, wow, okay. What's that? Oh, wow, I didn't know that. Okay, I'm out of time.