Hey, how are you doing? All right, that's what I like to hear. Hey, so today me and my friend Jay Falcon here are giving a short presentation on automated analog telephone logging or whatever. Anyways, really quick, a bit about myself. One of the founding members of Telephreak, which is kind of a little VoIP phone-phreaking kind of community, really low-key laid back. I've also done a couple of books for Syngress and I'll throw various different utilities. And I'll get on to Jay Falcon here. That's me. Note the first one.

Okay, so we understand our target audience here, so we're not going to tell you things that you already know, but we do want to go through just a little bit of a history of basically it's war-dialing, but things have changed a little bit. But back in the beginning, you know, a lot of people are doing hand-scanning. Hand-scanning is okay, it's very slow, and typically the success rate of what you find depends on what the person knows about the telephone network, about what kind of equipment that they're hearing or listening to, and stuff like that. But it's still a very popular pastime for a lot of phreaks.

Then the 80s rolled around and people started buying modems and dialing into bulletin boards and stuff like that. So what the hell happened? Well, anyways, there was supposed to be a picture right there. Anyways, so a lot of people had just regular modems, you know, analog modems, and they'd war-dial over a POTS line for the PSTN. The problem with that is that, well, you could only do one call per thing. You're typically looking for either modems or faxes, usually one thing at a time. If the ISP finds out, or ISP, excuse me, your telco provider finds out about this, they'll do things like flag your line and then turn it off. And then, through personal experience, trying to explain to them what you are doing isn't nearly that much fun. And the other part about it is modems are kind of lame about identifying things.
They're set for either finding modems or carrier, and sometimes you can do little tricks that will help you identify other things, but overall they kind of suck.

So then there was CTI hardware. Yeah, you could do tone detection, voice detection, stuff like that. Yeah, yeah, I don't hear you as much. But that stuff was kind of expensive, and a lot of times you needed a PRI connection, which is, you know, not a lot of us have sitting around in our home, and you could do certain things like, you know, set random times between scans and really limit the amount of dialing that you're doing and kind of get away with it for a little while, hopefully.

But in the 80s there was this little device for the Apple called the Apple Cat, and it was kind of neat in that you could actually tell it to identify different types of tones and things like that. So your Apple Cat would plug into, you know, your phone line and you can do war dial, and then this thing would go through and go, oh there was a clicking sound, and then log it for you. But it was really expensive, and not a lot of people could afford it, and it had a proprietary kind of interface, proprietary API, didn't use like the Hayes command set. I'll give on this a little bit later.

In 2002, we saw, you know, people kind of figured out, well, I got a modem and an ATA, if I put them together, maybe I can make this work over the internets. So they were using voice over IP and then calling lots of numbers and whatnot and logging it that way. But again, you're still stuck with a crappy modem, which can only detect certain things. So, and that was like 2002-ish, 2001-ish people started doing that. But it is kind of nice, because you're not bound to a physical POTS line. A lot of carriers won't notice if you're dialing, say, a thousand numbers in a night, whereas a telco that would have gotten flagged and then, you know, you would be explaining yourself. And then also you can call everywhere in the world, it's super cheap.
So you no longer have to worry about, oh, well, I guess I'm going to war-dial my own local area. Why don't I war-dial Moscow? That sounds like fun, and it's cheap. And there's still a lot of interesting stuff out there. X.25 networks, which me and Jay Falcon have been known to play with. And SCADA systems, old BBSs, all that kind of fun stuff.

But there's still problems with this. You're still with a crappy modem, as I said. And I don't care how good your Uber modem is, it's still a piece of crap. So, and not everything that's interesting is a carrier. It doesn't always depend that, you know, it's a modem that picked up. It doesn't go to equipment or test gear or something like that. And so, you know, there are things like THC scan, ToneLoc, and sure, they're great, and you'd hook up your ATA and your modem and go at it, but you're still kind of limited.

So on a side note, so when I was doing a pen test in 2004-ish, I wanted to war-dial a certain exchange because believe it or not, people still have crap out there in their networks. A lot of times they don't even know about it. It'll be like some jackass with PC pursuit in his room and he used it to bypass and go right past their firewall and all that fun stuff. So I wanted to do an audit of their phone network. Well, I had a couple of choices. I could load a DOS emulator under Linux and run ToneLoc, but then I got to thinking about, you know, or I could buy a piece of software. Yeah, that's going to happen. So I thought, well, you know, I've written war-dialers in the past. This will only take me like a couple of days to do, like two weeks tops. That was 2004.

So I started writing this little utility called iWar. And it's Unix-based, has a curses front-end. I ripped off some things like ToneLoc's ToneLocation. There's no limitations on the device, so if you have 32 modems, you can use all 32 of them. It logs databases, has all your standard bells and whistles of the 80s for the win, not quite.
So this was where another picture was supposed to be. That's supposed to be the PDF? I don't know if it's supposed to be the PDF or not, but we're just going to go ahead and go forward.

Anyways, so a lot of ISPs around this time are starting to go out of business, and there's equipment out there. Like, these really big boxes, like the Cisco AS5200, it's basically a box that has 48 modems in it. And, you know, that's just like, well, crap, I can pick them off, right, I can pick them off of eBay for 50 bucks. And then you could get a PRI card and run Asterisk, so the Asterisk server becomes your telco, and then you feed that to your AS5200, and then you have 48 modems to slam onto the world and annoy people all over the place. So that's the way we were wrong. We thought that was kind of fun, and this all works through networks. It's a network-connected modem, if you kind of think of it that way. Yeah, absolutely. Okay. So we thought we were the shit. That's kind of fun. But we also kind of, you know, understood there's some limitations with that.

So that's the setup here. Asterisk, as your telco. The one PRI card we're using is the T100P, which gives you 24 channels. So if you've got two of them, 48 channels, oops, and I forget you had a touchscreen. And so you fold it and, you know, away you went, it would just use the modems over the network. So I wrote that code in there. Yay, fun. So 48 modems, kind of fun. No cabling. Have you ever tried to wire 48 modems, like standalone modems? Yeah, it's kind of like a big screw that kind of thing. So these little boxes are nice. And don't let the AS5200, it could be any kind of network-based device, like an Ascend Pipeline, Livingston PortMaster, could be any of those. These things are dirt cheap. As he says here, 20 bucks, you know, off of eBay kind of thing.

And also the other cool part is, since the functionality is in here, let's just say that you found a modem in Russia that you could connect to and type an AT.
And then dial out onto the Russian network, not that I would say that this is the most... Advocate it. Right, advocate it so much. But if you were to find stuff like that, and if it was, and say Russia, and if you did find it, you could use iWar. iWar doesn't care if it's a local modem or if it's crossed in Russia. So you can tell those modems over in Russia, go out and go do my dirty work. So, but you're also, you're limited to the bandwidth you have for voice over IP. But that's always the case. So that's not a big deal. And you're still using damn modems. Modems are, as I said, not terribly reliable on this kind of stuff. Or they'll miss a lot of things that you might want to do or find.

So this goes back onto the Apple Cat kind of thing. Remember how we were saying back in the 80s, there was a piece of hardware, Apple Cat. It would go through it, find, it would look for specific frequencies, tones, clicking and stuff like that. Well, it had, you know, voice detection, things like that. So the idea was that you could bring that kind of idea back into it for things like VoIP. So, VoIP and the DSP, the DSP's the digital signal processor that actually does the identification of stuff, is not a new idea. People have written war dialers with rudimentary DSP kind of stuff. And either it works or it semi-works or it doesn't work at all. It's just crap. And then... What's that? Oh, yeah, actually, we've seen several people do that.

HD Moore, of course, just recently came out with WarVox, which is basically that kind of system that takes the audio and it records the phone call. Then it uses a DSP to find out what was there. So, anyways, that's kind of stuff that we were looking at adding in our stuff. So WarVox uses IAX2 protocol. It has a Ruby back end. It's based off the Metasploit framework.
And HD, me and him, actually started exchanging emails back and forth and kind of talking about how he was doing it and he had some ways that he wanted to do it and we had some ways that we wanted to do it so we just kind of, you know, kind of split off from there. But it was basically the same thing. And his has a much prettier front end, I might add.

But anyway, so here's WarVox for you, for example. So here, we're actually getting a... We've submitted a job, a new job, and you can tell it, you know, I want to go through certain ranges. So what we're all said and done with, you get really nice little graphics like this. As you can see, you can tell what was a modem, what was, you know, and it gives you, like, nice representation. You know, it's pretty and you can play back all the sounds and stuff like that.

So we decided to do it on a similar system, but we went with more of like a signature-based system so that you could actually add into a configuration file saying, I want to look for these type of devices. And we, like WarVox, we use the KISS FFT back end for the DSP work to do the signal processing. Both of them do basically make the call, record the call, and then analyze the call, which is kind of good, but, you know, there's some other problems with that. And as you can see, my interface isn't nearly as pretty, but it does let you run it through a terminal, and as you can see, maybe down at the very bottom, analyzing the audio file, and it'll tell it what it is and whatnot, and everything gets color-coded. So you can look at it, like the greens there, keep forgetting it's a touch screen, the greens there are carriers, the red something skipped, the white is just nothing there that we were interested in.

Okay, so the great thing about this, you no longer need hardware, so we don't need the VoIP adapter to hook up to the modem, we can throw that crap in the trash, not that I am.
And it's all done in software, so basically you can load this up and all you need is a VoIP provider and in one pass, like back in the old days, if you were doing, you wanted to scan for faxes and modems, you had to do two scans over the same numbers, well that's crap. I don't want to, you know, if I have 100 numbers that I want to dial, I don't want to have to dial it twice just to find out if it's a friggin' fax machine. So anyways, right now, both pieces of software are limited to IAX2. Working on adding in SIP; should be pretty trivial.

Other things that we've come up with is things like back spoofing, people here are fairly familiar with. Yes? No? Anyways, back spoofing is where you set your caller ID to your target, then you basically make a call to yourself to get who owns that full number. The CNAM comes up as the owner of the full number. And it'll also do things like, we already have in there stuff like where it'll do CNAM lookups on databases across the internet, on the internet.

One thing that HD was doing as well is there's a piece of software called Lumenbox, which is a speech-to-text recognition system. I was hoping to have that code based in iWar, but I didn't have that at the time to do it, but then you can do things you don't even have to really listen anymore. I can tell you what the person said when they, hello, this is such-and-such law firm or whatever. Another nice thing would be also to add in a software-based modem, basically a modem written in software, so when it does tone detection, it'll actually flip a little switch in the code right up to the carrier so it can identify banners and stuff like that. But we aren't quite there yet.

Improving your hit ratio, that's where, you know, you want to go for, well, you want to know what your targets are basically. If you're going after, for instance, if I'm dialing state numbers, I typically go at off-peak times where I know they're not going to be able to, or they won't be there.
CNAM lookups, NANPA? So you can actually get a little bit of information before you dial. You know, being able to identify like telco lines, because telcos, tons and tons of lines, don't even give them out. They're just there. So you just skip over those sections of prefix and continue on your way with your part. Right.

So with better tools, you have better results. A lot of VoIP carriers allow multiple trunks. So if you can, you can tell iWar, go and use this VoIP provider, they allow me to dial out 10 times, use all 10 lines out. So now I'm no longer bound to that. The text of speech is way better. The back-end ability to data-mine, that's a, you know, look up information about the number you're calling before you call it. So you already know who owns that line. And there's no reason, oh wait.

This is the stuff that you were working on real quick. Let's see. Just set up carriers. You can set up, let's see, you have chan_mobile where you can use your cell phone. You know, you got all these, you know, unlimited nights and weekends, stuff like that. Want to use Bluetooth. And, you know, if you have a whole bunch of handsets, prepaid, whatnot, hook them up to your Asterisk and they're all treated as Zap lines. At that point, then you can have, you know, a whole bunch of dongles, which is, I think, 20, and then have a whole bunch of dongles. And, you know, if there's any FPGA hackers out there, you know, this is all DSP, it's, you know, it sort of works like that.

And then we go into legislation. Do you want to talk about legislation? Yeah, well, now we're getting into kind of strange things, because as you probably know, CID, caller ID spoofing and whatnot, a lot of people want to outlaw it. So you'll notice that WarVox and iWar record the phone calls. Well, if you're here in Nevada, for example, they just became a two-party recording system.
Well, this works great for a single-party system, but legally you're not supposed to do, you know, recording of phone calls and stuff like that. So what we need to do is work on ways that it's actually analyzed in real time.

There's a bunch of features that are in iWar, which I can let you go read through later. And you can't read these links, but you can probably Google from them. Right now the CVS code is the best thing to use for iWar because of the DSP work. And if we have just, like, a couple of minutes, we'll show a quick video of just what's out there. And if you see them, if you see them, are we two minutes? Okay, we can probably... Which one is it? This one? Okay, just real quick, this is really short.

All right, so nobody uses iWar anymore. The Department of Energy, of course, would never, ever use dial-up anymore. As you can see, because that would... Yeah, because nobody uses it. Everybody's cut off their carrier. Florida State, this is my home state. This is a NAS system that they have hooked up. As you can see, I'm connecting it fairly low speed, but it's all text, so who cares? And then, let's see, we should be just about... All right. Possible Air Force, you go by the Air Force, do you see at the very top there, telling it to 131, 27, 91, 40, which is an HP-UX box. So basically, what we did was looked up the IP block, assuming that they really do have this. It might not be Air Force, as far as we know. So we look it up and we see that's the 754th Electronic Systems Group.

And FAA, this one's not that big of a deal. This is mostly, I think, for pilots to look up flight plan data and weather and stuff like that. As you can see, you have to enter your pilot number. You find a lot of random things, those 3Coms. Actually, since we have such limited time, I might skip through here just to get us down to the very end. Ascend Pipelines, Cisco gear. But we all know what that looks like. What are we connecting to here?
Oh, random crap that you have no freaking idea. There's lots of that stuff out there, which is kind of my goal. There's another random gear kind of thing. Oh, X.25 networks. This one's in Germany. This is Datapax, yeah. Japan. And this is crap that you'll find while flying. But I wanted to get SITA, which is an airline communication network, X.25. And let's see, almost done here. Digipack. And I think we're done. Oh, and open routers, say, in Russia.

So anyways, that's the kind of stuff that you'll find. As you can see, Russia was very nice enough to just let us go to the command prompt and start using it. Thanks, guys. But now the Russian mafia will probably shoot me at some point. But the idea is that a lot of this stuff isn't very well protected. But I think we're out of time here. So I'd like to thank you guys for coming out for our talk. We sped right through it. Thanks.