There we go. So my name is Josh Brashears. I'm part of one of, I think, the baddest hacker collectives in the whole fucking world, DC949. Okay. So this talk is called Exploit Archaeology: Raiders of the Lost Pay Phone. And god damn, I hope it can get technical. Still need the pay phone. If not, I need some black bag operatives who make somebody disappear. All right. So moving on. You're probably thinking, pay phones? How the fuck is this relevant? It will get technical. Okay. But there's first a couple things you need to know. I professionally am a penetration tester. That's how I get my paycheck. I'm a geek dad of a one year old and a five year old. It's the greatest thing in my life. I like to consider myself a phone phreak. I'm probably one of the worst phone phreaks to ever walk the earth. I'm certain that there are a lot of people in here that are way better at it than me. And if so, I will buy you a drink. Let's talk about shit. Because really, I'm not the best in the world, but I still think it's a super cool technology that people assume is dead, that it's not coming back and that it's no longer relevant anymore. And I disagree with you. So let's fight over it over drinks. Do you want to follow me on Twitter? I'm sure I'm going to feel my phone ringing right now as people are really disappointed. Anyway. But you know who I am. Who I'm not: I'm not that gangster. I'm not HD Moore or any of the other people that I seriously look up to. And I am a shit programmer. So you'll see why this becomes relevant. Because the fact that I was able to do anything at all, I'm pretty happy actually. I'm not a reverse engineer, first of all. And I can't spell for a damn. So the reason that I'm giving this talk now, in 2012, about pay phones, which have ostensibly been dead for 20 years, is... somebody tell 303 to cancel the body bag. Okay. Thank you. So the reason we're doing this talk is that a couple buddies of mine, one of them is here, was going to be a former buddy of mine. I'm just kidding.
I got a pay phone as a gift. And I've always wanted one, right? Except I didn't have anything else for it. It's fucking 25 years old. So basically it was ostensibly an anvil. It was a 50 pound paperweight. And my whole goal in life was to get this piece of shit working again. But not only that, I wanted to see how I can make this relevant to what I do professionally as a penetration tester. And I know you're thinking, nothing. But that's not true. And we'll get there. In this case, I truly believe that this is about the methodology. Basically what I'm saying is, if you take a complex enough problem that seems to be insurmountable, you know, just break it down into small pieces. If I can do it, I have no doubt that every one of you can do it. So hopefully you take at least that much away. The other thing you're gonna have to take away is that voice over IP over the DEF CON network is probably one of the stupidest decisions you can make if you want your demos to work. Moving on. And like I said, this is more about the journey and not the destination. And basically to see if I could do it. You might notice a theme in exploit archaeology. No Shia LaBeouf. We don't talk about that. So as I'm sure you are aware right fucking now, traveling with a pay phone to Vegas or anywhere else in the world, especially without receipts, is a huge fucking pain in the ass. I've done this before. I went with FedEx. And basically this ended up happening. And so I was like this guy. That's pretty much how I was in the speaker room right now. Ask any of the proctors. These guys are amazing. Wait, give it up for the fucking goons and the proctors. Seriously. Okay. So now that's done. So a little bit of back history. Has anybody never used a pay phone? Yeah, a couple people, right? Has anybody ever seen a pay phone? Because they are there. They're everywhere, right? But they're kind of like homeless people. You don't know them.
They're so quiet that you kind of just step over them and look right past them, except when they beg for your change. So pay phones used to be useful, like this picture, Grand Central Station, et cetera, et cetera. This was before cell phones and pagers started to become a thing. And if you wanted to call somebody on the road, you used a pay phone, right? Nowadays, they're a little more like this. And I don't know if the chain link fence shows up in this picture, but it is immediately in front of the pay phone. They didn't bother tearing it down. They're like, fuck it, chain link fence. And they're like this. And that guy. And this is really useful. So nowadays, if you see a pay phone in your life, you're like, hey, you remember pay phones? Wasn't that shit cute? Hello. And now if you see somebody using a pay phone in a neighborhood you're driving through, you lock your fucking doors, you roll up the windows, and you drive as fast as possible. Even Indiana Jones is fucking done with it. So basically ever since I was a kid, and I kind of alluded to this before, I've always wanted my very own pay phone. It didn't happen until later in life. And some of you people born after the early 80s might not recognize this is from the Young Indiana Jones Chronicles. So anyway, again, going with that theme. So basically, having wanted this all my life and having been a huge nerd, I've been looking for this rare and precious artifact. One day, I got one. Thanks, in large part, to this guy. This is Generic. Say hello. Thank you. And a very good friend of mine, Tiffany. Rick was actually holding on to this pay phone for a while, while I needed some help doing things. So a little background about where you see them anymore. I'm sure you've noticed that there's a few, a few in the casino, and they're not really relevant to this talk or I would have ripped one straight out of the fucking wall and brought it up on stage, because those are typically Protels and Nortels.
They're a completely different beast, but we'll get into that. But where pay phones are still really relevant and popular right now is in correctional facilities. As in prisons, it's still kind of a big deal to them. And yeah, this one, or at least that one, is actually from a prison. And yeah, I cleaned the ever-loving shit out of that. I really don't want herpagonasyphilis or any of that business. So hopefully being in Vegas for a week didn't set me back any. But let's talk a brief bit, whoops, about the different types of pay phones, right? So if you think about phone phreaking lore, traditionally, you're probably thinking of what is known as a BOCOT, colloquially, that is a Bell-owned coin-operated telephone. Those are the ones that more often than not you see people phone phreaking, or trying to. The difference being these guys right here are COCOTs, customer-owned coin-operated telephones. This is an example, Pacific Bell, representing California. So basically, the BOCOTs could be red boxed, because all of the shit, all of the coin management, was basically done by tones back to the central office, which had a special line classification that said, this is a pay phone. If I'm not hearing this tone, and I believe it's 1700 megahertz plus 2200 megahertz in a 15 millisecond burst, feel free to correct me or throw shit at me if I'm wrong, it's from memory. So probably still possible. I know it was possible at least in 2006 at ToorCon San Diego, ToorCon. This is probably still possible somewhere in the U.S., but I haven't seen them in a while. If you know of any recently, I'd love to hear about it, I'll buy you a drink. But most of the regional Bell operating companies have basically outsourced all of that to private companies. So there's not really a lot of things you can do right now. COCOT pay phones like this one cannot be red boxed, and the reason is they don't rely on the central office to handle all the call management shit.
They basically have computers inside, albeit computers from the early 80s, but computers nonetheless, because they do not use ACTS. And I'm too tired to remember what ACTS stands for, but that's red box tones. So with smart pay phones, such as these, all the shit that happens actually happens right on the pay phone. So all the good stuff, right, whereas with telco pay phones it happens at the central office. So there's a couple ways to tell the difference. The most obvious one is the style of housing. Most, although not all, Bell-operated coin-owned telephones use a Western Electric style housing, whereas, oh, okay. So in this case, and again, this is not a rule, this is just kind of a guideline, you'll notice that the armored cable goes into the front and the coin return is on the left. That's not to say that COCOTs aren't like this. In fact, many, many, many of them are, even the Alcatel ones. But off the top of your head, if you see these, you're starting to build a profile in your mind. Conversely, the COCOTs use the GTE style housing, which I believe these both are. They are. The difference being, right away, that the armored cable's on the side and the coin slot's on the left. You're going to notice that all the pay phones, like both of them at the Rio, are using the GTE style housing. And if you do try to hack them, I will disavow telling you about any of this, but I don't even think it'll work. So anyway, Generic brought his own, which I believe is relatively the same. This pay phone is an Alcatel series five line powered pay phone. And what's cool about this is Alcatel had a patented giant six-volt lead acid battery that basically trickle charged off the line electricity in most analog phone systems. And because it's a smart phone, all of the rate management shit, the long distance handling and all the special features, that all happens inside the pay phone. Kind of cool stuff. So Alcatel is the company that made this. They are long since gone.
They are gone like the fucking dinosaurs, okay? So trying to accomplish my mission ended up being far more of a pain in the ass than I thought. But I got the pay phone, so now I too could dial the 1-900, $2.95-a-minute Indiana Jones touch-tone adventure. This used to be in the back of comic books, anyway. So we have a couple problems. Number one, at the time, I didn't have keys. I didn't have a working battery. I had fuck all for documentation. Not only that, but the phone was from a different area code, which meant if I wanted to call my wife like, hey, how you doing? It was like eight dollars in quarters. So then you have to go to the laundromat. Okay. That's not a good solution. So there's a couple things we need to do, the methodology, right? First, get the phone open. Second, replace the battery. And third, reprogram for free calls. And then afterwards, then we can start to do some interesting shit with it. So the first goal that I had was I wanted to open the pay phone, but I didn't want to drill it. I didn't want to use a crowbar. And I, I mean, I wanted to blow something up, but not my pay phone. So that was out. So the goal here was non-destructive entry and keep the phone as intact as possible. So we had to come up with some cool solutions. I had to pick these locks. Now at the time, I was really lousy at it, but I've since gotten better. Then there's three types of keys that you need. So there's the upper housing lock. All right, this is a bit lower security, which is weird, but we'll get into that later, because really the important shit's in here. What you're going to find in here, in the coin vault, which uses a completely separate, higher security pin, is the money. And on average, they hold about $120 in quarters. If you're a penetration tester, you're probably going to make that money back before you'll get the pay phone open. So it's not necessarily worth your time, but we'll get into that in a second.
Finally, there's a T-wrench. And I believe I have it in my pocket. Dear God, I hope so. If not, not terribly relevant. But basically, this is a torque wrench. I don't know, I don't know if you can see this right away, but underneath, on top of the coin vault, there is this little weird looking ratchet thing. And there's usually another one on the side right here. And find me later and we can actually take a look at the difference. You need all three. If you want to open the phone and get it to do what you want, you need all of them. And I had shit. I had nothing. So interestingly enough, the upper housing lock only had three pins. They weren't security pins. They weren't mushroom or spool or anything ninja like that, because they really didn't think when they designed pay phones that this would be where people would want to go. They figured everybody would want to go here. Okay. One interesting fact about these is that they did have anti-impressioning divots, which I didn't understand until Scorch from 949 helped explain that to me. Scorch, are you here? Fucking lazy. I'm just kidding. So that was neat. And I was able to pick that pretty quickly. And if you find yourself with a pay phone, especially one of these in the GTE style housings, then the first thing you want to do is pick this lock. The lesson I learned is it's only going to rotate about 45 degrees. If you got it to do that, you've probably already opened it. So, cool tip. It took me about 20 minutes to figure that out after I actually already picked the lock. So, pro tip. Coin vault lock, not so much. For some reason they decided that this should actually be a slightly higher security lock. Go figure. So there were four pins in this. There were a couple security pins. These are created by Medeco. You could still buy them today, although it's not the ultra high security Medeco by Assa Abloy. But at that time, I hadn't practiced enough and I was personally not able to pick it.
So I brought it to a hacker con because, fuck yeah, someone there is going to have the skill set. I took it to a really awesome hacker con in Mountain View called BayThreat, and I highly recommend it, but I digress. So I brought it. Everybody is like, whoa, I haven't seen one of those in like decades. Where did you get it? And I'm like, I don't want to talk about it. So it was cool. There was a long line of people that were trying to pick this, because everyone was like, nah, I got this shit. Four pins. Let's do this. Thirty people tried and failed. And then a guy came up to me and he's like, did you try raking it? And I'm like, fuck it, I tried raking, and I've been trying to pick this thing for several days. He's like, you mind if I give it a try? And I'm like, please, why not? Fucking open in 10 seconds. So I'm going to be honest with you here. I didn't even field-strip that lock, because I didn't want to know what was inside. I handed it to him right then and there and I said, this is for you. I took it out of the pay phone and he kept it, and I never want to see the damn thing again. So we've got the vault lock open. We've got the upper housing lock open. We still need a torque wrench, which at the time (I've since received one) I did not have. So we had to do a little harder hacking. Virus, are you here? Are you still sleeping? Fucking Virus. 949. You'd think that we're alcoholics. Oh. So we took one of the old DEF CON badges and were actually able to kind of hack something together with a badge clip, a nice wrench and some faith. And what we came up with was a little bit something like this. You get the general idea. It looks a bit like a legitimate pay phone torque wrench, but it worked. Now we got the damn thing open. Yes. Okay. Step two. Dead battery.
So because these are line powered, and all the computer shit on the inside needs enough juice to sort of make the calls once you take the phone off the hook, you need to have a battery that actually retains a charge. And these are a lot harder to get, or at least I thought at the time. So I went to payphone.com, which did have the battery for a great price. Five dollars. Oh, and it's only thirty five dollars to ship it, or more if you want it expedited. So I paid it. What are you going to do? And yeah, I was a mad bro. Okay, so now that the phone is sort of alive, we can get a dial tone, theoretically. We can move on from that to the next step. Okay. So the problem we're still dealing with is the pay phone is from, I don't know, some Nigerian or some such PSTN extension. So actually using it was kind of out of the question at this point. So basically we needed a means to reprogram it. So we've got to zero out the rate tables, which basically determine how much money they're going to charge per call. Then I wanted to find some vulnerabilities in the software, which would have been awesome, except we'll get into that later, and somehow maybe turn a profit. Step four. So the first hack I was able to do, before I was able to actually get any sort of software, was: by law, all telephones that actually have a dial tone are required to make 911 a free call. So with an analog telephone adapter and a little Asterisk Linux PBX magic, you dial 911 on my phone and it gives you a secondary dial tone. Sweet, right? Cool. It's funny, people come over to my house like, oh no way, a pay phone, it's got dial tone, how do I call out? I'm like, dial 911, and they're like, fuck you buddy, and I'm like, no seriously, dial 911, it's from my house, if the cops show up I'll fucking deal with it. So they did and they're like, oh, okay. So that was cool and it worked, but it was super sloppy and it was not really what I wanted. I wanted a working pay phone that worked for free.
So the documentation was basically non-existent, and for several months I put in the phrase Alcatel in eBay with hope and prayer, and eventually I started to get some hits, and it was cool to some extent. It didn't talk about how to actually install the pay phone; it was part two of a three part manual. So kind of helpful; in the long run, not so much. Okay, so maybe I could contact Alcatel, right? Maybe some of the engineers are around. Nope. Long gone. So I went to eBay and paid way too much money for a photocopy from a guy, and I'm probably the only one who's ever bought one, but you know, the very next week he had another one listed, because they're fucking photocopies. So if anybody wants a copy, contact me after the talk, for free. So basically I had part two of the three part manual, and it's ostensibly like looking at the Rosetta Stone, because only having one piece of it didn't mean a whole hell of a lot to me, but it was something, right? Okay, we're getting there. And this is Hackajar. I'm sure he's not here, because we're hackers and we sleep in; 11 is early for us. Okay, so it was useful, but only to some extent, because I didn't actually have the software to reprogram it. So I found out from the manual that there are actually three ways to reprogram Alcatel pay phones. One, software, which I don't have because it's fucking old and they're gone. Two, local telemetry. We'll get into that in a second. And three, remote telemetry. So software is gangster. If you manage to find a copy, though, this is not freeware software. You have to then have a serial number from a company that has been dead in the ground for 20 years. So local telemetry is another option, and if you've got the keys or some lock pick skills, and you own the phone, I have to emphasize that or EFF will probably not take my cause, then you can open this up and you can do it from the field. And I'm sorry, I'm losing this guy. I'm trying to make this a little more interesting for you.
So basically you push the button, you flash the hook, there's voice prompts, whatever, you can reprogram it. And remote telemetry is where you get bad ass, and that's where I teach all of you guys how to own all the pay phones. So software based programming is cool, and the cool thing about most phone phreaks is that they keep everything. I believe that there's a closet somewhere that they all share space in that just has every type of hard disk from the beginning of time. So we got it, right? So it's time to crack the software, because that was pretty much our only option at this point. But cracking 10 year old software, especially if you're not an RE, is actually pretty damn hard. I had a lot of help, especially from the 949 guys, but as it turns out, 16-bit NE binaries, new executables, not PE files, which you may be familiar with now if you do any sort of RE. Even IDA Pro is like, WTF mate, no idea. At least not within the time frame that we needed. So I had a lot of help, and by help I mean people way smarter than me did this for me. Thank you guys. You know who you are: Virus, 001, 80 and Frank 2. Eventually, we were able to run the installer program, hook into it, jump the actual serial number check, then uncompress the installer archives, and now we're talking, okay? Now I don't expect you guys to be able to have this software. Talk to me later. But now it's starting to make some sense, right? Okay, so now we're getting somewhere. Even with only part two of the manual, we're able to do some shit. So built into these pay phones, a really interesting fact, is they have a modem. So if you call the pay phone, it will eventually answer with a modem on the Alcatel series. Sometimes they're configured to pick up after one ring. Sometimes they're configured to pick up after eight rings. So that way, if local ordinance requires that phones are able to have inbound calls, then they're legit, right? So basically it is a requirement on Alcatel pay phones.
I got a confession. I didn't even, I didn't even have a landline at the time. Worst phone phreak ever. So I had a solution. This guy right here. It's an unlocked Linksys analog telephone adapter and a little USB modem which, yeah, you can still buy at Fry's for too much money. But basically voice over IP for doing anything other than making cheap calls to grandma is a giant fucking pain in the ass. If you're trying to do any sort of actual data connection type stuff, there's a lot of things you're going to have to know. And the Telephreak boys, I hope some of you are here, because you saved my ass. There are some things. First of all, disallow all codecs except for u-law and A-law. Disable noise cancellation or you're going to have a bad time. Echo suppression, you want to get rid of that. And 9600 baud is about the fastest you can reasonably expect. And I'm sure there's at least a handful of you who don't even know what 9600 baud means. Realistically though, I was getting 1200. But that's all that I needed. Okay. So a huge thanks to the Telephreak guys. Hi B. I know you're not here, but maybe you'll see this someday. oldschoolphreak.com guys. A lot of people along the way over the years have really helped me understand this. So real quick, let's briefly discuss defaulting the phone. When you open it up, in the upper right hand corner, there's going to be a button. If you can push the button, you can default to all the known values. If this is your pay phone that you own, it's a reasonably acceptable option. Okay. If you just want to work from known values, which I had to, because I knew nothing else about it, because it came from prison. So that's called local telemetry. Push the button, flash the hook, enter the code, and it'll actually speak to you in text to speech. Kind of cool. All right, boss. Is that a little better? Is that a little better? No. Is that worse? Okay. Give me what? Oh. I just wanted to show some skin. Okay. No, no, no.
If you got it, if you got it, we're good, right? So basically local telemetry is the way to go if you know what the options are once you're in there. And if you have physical access to it, not that I would ever condone hooking into a payphone that you don't actually own, but it's kind of shady to be opening up payphones in a casino or an airport or someplace. They might get a little dodgy about that. So this is kind of dubious and you don't really want to do that. But okay, for the purpose of this example, in order to reverse engineer the protocol, I did at that point actually need the software. So we were able to get it. And what's cool is, oftentimes telephone sys admins, like many other sys admins, no disrespect to the sys admins here, tend to be lazy, and everything in this entire world is on default for the most part. So Alcatel's default phone ID, think of that as the username, is four nines. Cool, okay. The actual password is typically eight nines. And then there's a secondary password if you want to do remote telemetry, which again we'll talk about later. It's eight eights. So this is all in the CD. Once you're able to connect, the rest is actually pretty damn easy. But I don't think you guys are here this morning to hear me talk about how to use 15 year old software. It's kind of irrelevant. So what I needed to do at this point was some hacks, right? So the Alcatel engineers, as it turns out, were actually not complete idiots. There were a lot of really cool anti-fraud mechanisms. Secondary dial tone detection, where if you call an 800 number and you wait for them to hang up, the polarity of the line doesn't reverse. So what happens is you get dropped into an actual secondary dial tone without ever having to put any coins in there. That was a really popular trick for a while. So they figured that out and they stopped that. And then they decided, what the fuck? Red box detection.
Even though you can't red box these phones, if you try, it's going to send an alarm to the central office. And if they were feeling not lazy, then maybe they'd send a guy over there, probably not. But what is relevant is that there actually are chassis alarms. There's little contact closures inside the phone. So if you open it, it's going to send an alarm. So if there's some like grizzled old guy somewhere in a cave that's actually still running these things, and I assume that they're probably somewhere, he's going to get an alarm, and if he feels like it, he's probably going to check it out. And there is a modicum of brute force protection for the credentials, right? So how do we do this? We need a harness to fuzz the phone. And in order to do that, in order to analyze the protocol, right? So I'm like, all right, well, I've got a SIP adapter. Every tool, Ettercap, Cain & Abel, even Wireshark, has the ability to capture SIP packets, merge them together, and you have call audio. Cool. I'm sure I could turn the call audio into ones and zeros, right? So it turns out frequency shift keying demodulation is actually pretty fucking hard. At least for mere mortals like me. If you can do that, I'd love to hear about it. Obviously the law enforcement guys were able to do it back in the 90s, because a lot of people went down over this stuff. But I digress. Anyway, I couldn't pull that off. So I decided I needed another way, and I was still gonna have to black box reverse engineer the protocol. So somehow, if I was able to analyze the actual protocol itself, then I could do it myself. But how the fuck do you hook a USB modem? I mean, like, you might have been able to do it monitoring the PCI drivers, but this is a little bit different. So my employer at the time, AppSec Consulting, were awesome. They bought me a tool that I needed called Advanced Serial Port Monitor Pro. And basically it treats USB modems as like actual serial devices.
And you can hook into them with spy mode; think of it like Burp Intruder for RS-232, whether they're serial port based devices or not. It's very cool. So in pass through proxy mode, it's called spy mode, you can see some cool shit. So now we know a couple values, right? We know the default password. We know the telemetry password based on the manuals. So using the actual software that I got, I was able to perform a known set of functions and then compare the hexadecimal output of that to what it was correlating to with PNM, which for me was actually kind of sweet. But anyway, I was able to figure out how some of it worked. A lot of it's still black magic even to me to this day. But the fact of the matter is I know the important shit, at least for now, which is authentication. Don't expect to be doing any sort of crazy cool buffer overflows and injecting your own shell code, because these things, I think they have like 64K, which might be big enough for an interpreter, but what are you going to run it on? It's not an operating system. So typically speaking, if you're hacking these in the field, the, I'm going to change this. This little guy right here under the hook flash, that's usually where the phone number is. And usually, though, that doesn't work; that's for the guy that services these to understand what the phone code is. And it's often the last four digits of the phone number. And the passwords, again, are almost never changed from the default, if they even bother to change the username. So basically, here's PNM Plus running in the background. And you can see behind that is Advanced Serial Port Monitor Pro. All of the yellow is shit that we're sending. All of the red is the hardware. And all of the white stuff is actually what the phone is sending back. And you can see that I got awesome speeds at 1200 bits per second. 1200 baud. Okay. You can probably yell characters faster than that now. So, I was going to do a demo.
But given our shortage on time, basically the demo was me dialing into the shit and you seeing what the protocol looked like. So I'm just going to spare you some time. And basically this is kind of what it looks like. So the ATDT is the setting. In this case I had it set up for seven ones. And then beyond that it sends a start and then a quick user ID. In this case it's 09090909, which also for some reason correlates to hexadecimal tab, and then an end of transmission. And the phone comes back with an acknowledgment: you're there. What do you want to do now? And then you say, well, actually I'd kind of like to send you my password, since that's what usually comes after user names. Kind of crazy. I know. So it sends this other code, 02903. We don't really care. What we care about is this next block of code, and I'm sorry, I'm sure it's too hard to read. The important line is that the very end of that is what it looks like when you actually send a valid password. There's a header. It's cancel, null, start, eight times. It doesn't really matter, necessarily; if they're using it for some proprietary means, we don't care. Then after that there's a time stamp. There's the minute. I wish I had a laser pointer. There's minute, hour, an acknowledgment and a checksum. And then after that there comes the actual PIN that we care about. And finally a last checksum. So it turns out, other than the header, the PIN is the only thing that matters. As long as you send those two and something for those values, you can actually start to interact with the phone. So it's not a direct hexadecimal to ASCII translation, which kind of threw me for a loop. This phone uses the extended hex table and it's using some sort of XOR. Basically, I changed one character, I flipped one bit at the end, and what I found out was that the hexadecimal representation stayed the same. So it's a simple XOR; it's not any sort of like rotation or crazy crypto bullshit that I don't understand. Thank God.
So when you do it correctly it sends an acknowledgment, or hex 06, but once you fail it sends a hex 15. Okay, true or false, starting to sound cool? The problem is, after three invalid login attempts it kicks your ass off. So brute forcing is kind of difficult if you have to keep dealing with this over and over again. Problem. Alcatel decided that the three attempts would be handled all in software, and they never thought that anybody would ever be able to look at the actual authentication handshake and protocol, so if we were able to write our own code we were going to keep trying until we got it. Yes. Okay, finally some hacks. We're getting a little more technical. You guys still with me? Not too tired? So basically, pseudo code. What the fuck? Nullify the PIN, send it. If it doesn't work, if it's not an 06, increment, send it again. Repeat until you're awesome. Python's got a bad ass serial library for this, but I mentioned before that I'm not a programmer, kind of an idiot. So I had some help, and my friends are awesome, and God willing the code will be up here at my GitHub site after the DEF CON hangover clears over. So if you guys can hang tight, this slide is on the CD. You should be able to get it later. Generic, you want to jump in and talk about the code real fast, or at least how it would work if it wasn't Vegas and we weren't trying way too hard to get this done on time? No, you want to skip it? All right. Just check out the GitHub site. Shit will work. It's a very basic Python library that allows you to log into these things. Assuming you can find one, and because this library is pretty simple, it doesn't care about Windows, it doesn't care about Linux. What it cares about is COM ports. Okay. So cool stuff. We have the user ID. Check. We have the PIN. Okay. Let's talk about profits. So here's where remote telemetry is. The manuals, et cetera. It's cool. So you'll know that this is a PNM specific type of payphone.
If you get the number, you call it and a modem picks up. The first thing that's going to happen is it's going to scream at you in modem sound for about 30 seconds. The key here is after that, after exactly 30 seconds, the handshake stops and then you have 10 seconds to enter in the password: pound 8888 8888, and then it says thank you, to the voice menu. But it's kind of cryptic, because all it's going to do is wait for you to enter in a 3 digit code and then it's either yes or no, or it'll read back whatever the string value is that you're trying to input into this. So you can use DTMF, and in this instance registers are strings, basically, in programming, and options are binary bits that you flip. So the first ones you might actually care about are 421 through 434. These are the anti-fraud. Set those to no. So 333 through 326 and 414, 412. Remember those chassis alarms I talked about earlier? Yeah. Not that I would ever encourage that, but if you did want to disable those chassis alarms, this is how you would do it. You change these to zero. So some more cool shit. Phone number: you can change what the phone thinks the phone number is, although that doesn't really make a whole lot of difference to the phone. So earlier, that's the 4 digit code, in this case it's 9999 by default. That's important. The actual password once you've logged in: you don't need the actual PNM+ password at this point, you need the bypass code, which is slightly different. Real quick, I forgot to put the slide in. We talked about how to brute force the actual user ID and password. Getting the telemetry password is a little bit different, but if you think about it that's two attempts in a minute, because you have to wait for the modem to stop screaming, you have to use the voice modem, tell it not to respond to the modem, and then with Asterisk you have to then start brute forcing. If you do it fast enough you could probably do it in a couple weeks. That's the telemetry password. Today you can change that.
You can disable the battery remotely. Why? I don't know the use case for that, but it's interesting, right? And then there's the service desk number. So service desk is badass. It's kind of like sudo or operator mode for the payphone, right? Any time you swore and kicked and screamed because some asshole put gum in the coin return and you can't get your money back, usually you call them, it's like 611 or whatever. You can divert this money. So here you can do some cool shit: you can give yourself free calls by applying credit without actually having to manipulate the rate tables, you can issue refunds, you can force numbers, force it to dial numbers for free. What's also interesting is when you put coins in a payphone it won't drop straight into the vault. What's going to happen is it sits in the hopper until it's like $5. So if you want to get super rich $5 at a time, this is the way, right? Okay, so whatever, $5, that's less than a fucking McDonald's meal. But anyway, so that's the idea. You know, you put the coins in the hopper, you call your cell phone, press a DTMF button on your phone and you get $5. You would make more money collecting, and that demo is not going to work because it's DEF CON, it's void, and that shit crashed and burned. But I will try to do some other cool shit using a softphone. I promise you it does work on the phone, so bear with me. Okay, so cool. We've owned the phone, right? We've sorted out the rate tables, we got the software, we wrote some sweet tools to harness it. But anyway, Phiber Optik is here; if you track him down, shake his hand. The dude is legendary in the 90s and still to this day very cool.
He, at HOPE 5 I believe it was, released a mod for Asterisk, the open source voice PBX, to actually fucking shovel blue box capabilities back into an Asterisk voice PBX. So if you want to be old school, you can blue box your own. And then there's red boxing, and this is more code that we couldn't fucking figure out, because we were at the SpiderLabs party a little too late last night to get it to work. But basically Asterisk has a concept of a scriptable language: you can use any sort of programming language to programmatically interact with Asterisk in various dial plan functions, bash, web, whatever. But basically the idea is it records the audio using AGI. My 949 buddies know a couple things about SoX. I don't know if you heard about that whole shattering Google reCAPTCHA thing over and over and over and over and over again; there's some SoX magic involved in that. So basically the idea is you record the audio, you send it to the script, the script says: band pass filter, is there or is there not the presence of this frequency, and if it's above a certain threshold, bangarang, you put in some money, and if it's beneath that, no, fuck you, try again. So the coin value is greater than or equal to 25 cents, pre-programmed. Awesome. You can now write whatever. But, you know, we're hackers, we're pentesters. At this point it's still just a novelty. How can we use this in super evil ways? And I came up with a couple things, with some help. So basically you take an unlocked PAP2T ATA like this guy, and a Pogoplug or something similar, and an Alfa wireless USB, and you get that because you're in this room right now. Check out Asterisk, it's got a lot of cool functionality, especially the system options, because everything needs a way to pass shit to the operating system. But anyway, we're kind of going to use that. So the idea is to make macros, simple wrappers for the most common penetration testing tools, and use text-to-speech engines. Innismir helped me write code. Innismir, you in
here? God damn, you would think 11 a.m. would have been late enough, but I guess everybody had a good time. So again, the payphones themselves are having some issues right now, so what I want to do is send this shit over... Don't read my email. Dear god, please work. Alright, please. I did not drink enough for the demo gods, apparently. I swear to god, just this... Oh, I don't have internet. Awesome. That's not going to work. You're... my laptop... packing my stuff... ten minutes. Alright, I'm going to haul ass. You guys find me after this and I will show you nmap by phone. It is actually quite badass, but the idea is you actually enter in an IP address using touch tone, one two seven star zero one pound, and it says please stand by, owning shit, and then it will actually use nmap, parse the XML output and then read it back to you. Okay, cool. I can run fucking nmap from the phone. That's baller by itself. So that's Innismir's code and it's really sweet, but the idea is you can really apply this logic to anything right now. You just... it's limited by your own imagination and skill, and it's not made specifically for the Pogoplug, but it uses the same ARM pre-packaged shit that exists under things like OpenWrt, DD-WRT, etc. So using an Alfa to hook into a wireless network, initiate DTMF scans, you could hypothetically roll a payphone up on a dolly to someplace like, I don't know, a casino, something like that, not that, and then roll that fucker in there. If you walk around after this talk I hope you start looking for them, because basically now they're just empty wooden shells, which is cool. And basically, yeah, there are a lot easier ways to do this, you know, I get it, but what the hell, this is fun, right? And be honest with me, if you saw a payphone would you really expect it to be... It would... I swear to God it worked in the demo in the other room, right? I think that's always the way. Alright, you guys, this is what's going to happen right now, and if any of you fuckers DDoS my demo right now, because I'm going
to... I'm going to go... I'm going to go off the fucking radar here, the reservoir, and I'm going to try and do this over wireless. Okay, so first, before the NOC kills me, I'm going to disconnect from the private speaker network, the access point they can turn on for me. Yeah, like you could. Yeah, you can steal my shit, just make sure it goes to the internet, that's all I'm asking for. There's SIP credentials, and if you've never looked at SIP, it's basically HTTP. Seriously, look, check it out sometime. What's up? I'm tempting the demo gods as it is right now. I really do appreciate the option to tether, but that isn't going to happen. Come on. I asked for Corey. Hey Corey, Addison, come... your iPad? Why don't you come... it's your iPad. Oh, I don't remember that password, dude, it's been a while. I appreciate that. That's Corey and Monica, by the way. They're awesome. Game over, you lose. That sounds legit. Alright, I know that feeling right now. My idea is this: now that you own the payphone, and if you're clever enough to be able to get an analog telephone adapter into the payphone, now you can start to do some really cool shit: call interception, so basically phone tapping. It's a cool idea if you can get it to work. I swear to God it works in the speaker room. Let's try this one more time. Okay, one more... it's working. I'm going to call my cell phone. You can call me on this, but come on, ring already. Fuck you, I'm not answering an unknown number, I don't care which one of you it is. The irony, of course, is that when I call myself it's going to be an unknown number. Let's try it one more time. Pro tip: if you're going to do stuff messing around with Asterisk and various voice over IP protocols, I highly recommend IAX2 over SIP. It's much lighter, it plays better. If not, find me afterwards and I'll make it work for you. Okay, so the idea is roll the payphone into the casino, wait for people, magic. I wish. In summary, so using this information we can actually use remote telemetry to own a local payphone. Did I miss that slide? That's
kind of important. Okay, real fast. So the idea is you can call any... you have a dial-up phone, you have a cell phone, you have a way to do this, you have the registry and the manual I paid too much goddamn money for (I'll send it to you later), then you can actually theoretically own any of these payphones. So what's the use case for this, right? Okay, so number one, we learn methodology about how to reverse black box shit. If I can do it, so can you, and that should be a takeaway from that. Number two, we learn that these things are still really possible. Being able to make free phone calls, is it worth at least a couple cartons of cigarettes? As long as you don't think about how they actually got into the prison one at a time. Okay, the other thing is, if you're running a gang inside prison, you know, you got the race wars or whatever else, the ability to intercept the calls and divert the calls of your enemies in prison... It's actually a pretty old technology. There's a lot of old shit out there. As a pentester I still see IBM AS/400s, z/OS; SCADA is the new hotness right now. So if you want to do that shit, there you go. And with the payphone and the Asterisk system command dial-through possibility, you can basically do whatever you want with these things. Okay, and not to get a little sentimental and cheesy, and I wanted to be that guy, so here's some more information. Hack Canada did a really long time ago, but talked about these in brief. The Elcotel docs: payphones.50mags.com actually has a pretty cool documentation. You can get the nmap script from Innismir, Ben Jackson, off of his site. This is again on the CD. The GitHub site will have the code, and if you really want to build that acid battery... Okay, questions? I think we're running pretty low on time. Alright, well, if you think of something later and you want to buy me a drink, that works. So a bunch of people I want to thank. DEF CON, thank you. Tiffany. Generic here, who gave me the damn payphone. Doc, who did the fucking awesome title image. My boys at DC949. Innismir. Thank
you, thank you so much for your time. Find me later and we'll make the demos work, I promise.
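The tone-presence check the red box passage earlier in the talk describes (record audio, band-pass for one frequency, compare against a threshold), as an added example that is not the talk's or Innismir's code: a Goertzel filter over synthesised 8 kHz audio. The frequencies, amplitude and threshold below are placeholders chosen for the example, not values from the talk.

```python
# Added example, not the talk's code. The AGI script the speaker describes asks
# one question of a recorded clip: is a given frequency present above a
# threshold? Goertzel is a one-bin DFT, i.e. a very narrow band-pass filter,
# and is the usual way to answer that cheaply on telephony audio.
import math

SAMPLE_RATE = 8000  # telephony audio: 8 kHz PCM

def synth(freqs, seconds=0.05, amp=0.4, rate=SAMPLE_RATE):
    """Constructed test clip: a sum of sine tones as float samples in [-1, 1]."""
    n = int(rate * seconds)
    return [sum(amp * math.sin(2 * math.pi * f * i / rate) for f in freqs)
            for i in range(n)]

def goertzel_power(samples, target_hz, rate=SAMPLE_RATE):
    """Normalised power of target_hz in the clip.

    For a pure on-bin tone of amplitude A the result is (A / 2) ** 2, so the
    threshold can be set in terms of signal amplitude rather than clip length.
    """
    n = len(samples)
    k = round(n * target_hz / rate)        # nearest DFT bin to the target
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:                       # second-order recurrence
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2
    return power / (n * n)

def tone_present(samples, target_hz, threshold=0.01, rate=SAMPLE_RATE):
    """The script's decision: above threshold -> tone heard, else 'try again'."""
    return goertzel_power(samples, target_hz, rate) >= threshold

if __name__ == "__main__":
    clip = synth([1000, 1400])              # placeholder tone pair
    for f in (1000, 1400, 1500):
        print(f, "Hz present:", tone_present(clip, f))
```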