----------------------------------------------------------------------
| Http://telco-inside.tk - Lecture #1 - irc.chatnet.org #blotto |
----------------------------------------------------------------------

What?  - Telco Inside Lecture #1
Who?   - Conducted by: Cuebiz
Where? - irc.chatnet.org, Channel #blotto
Why?   - To explain in "plain english" basic 5ESS and SS7 vulnerabilities
When?  - Saturday, April 6th 2002 - 10:00am PST

/* I showed up an hour late */

*** Topic is 'YES !@# The IRC lecture is HERE! Get your agendas @ Http://telco-inside.spunge.org/agenda-lecture1-5ess-ss7.txt'
[15:39] *** Cuebiz sets mode: +m
[15:39] *** bsd-jenny sets mode: -o Cuebiz
[15:40] *** bsd-jenny sets mode: +v Cuebiz
[15:40] <Cuebiz> Aight, Welcome to the 1st Telco Inside lecture. As you already know, I am Cuebiz - the main speaker that was late for his own lecture.
[15:41] <Cuebiz> For those of you who haven't gotten the programme for this lecture, I advise that you get one now @ Http://telco-inside.spunge.org/agenda-lecture1-5ess-ss7.txt
[15:42] <Cuebiz> now, let's get down to it.
[15:42] <Cuebiz> we all know what a switch is, right?
[15:42] <Cuebiz> It's the heart of the public phone system, the network we know as the PSTN.
[15:43] <Cuebiz> It makes every connection possible. Billing, interoffice signalling, call logging, call tracing, and the like are all on some level controlled by the switch.
[15:43] <Cuebiz> When you pick up the phone and get a dialtone, it's the switch
[15:43] <Cuebiz> that made it possible for them to conduct billing and
[15:43] <Cuebiz> establish your call.
[15:44] <Cuebiz> ESS is an acronym for "Electronic Switching System" which is a trademark of AT&T. This will be one of the two main subjects of this lecture.
[15:44] <Cuebiz> The first ESS switch was put into action around 1959 over in Morris, Ill.
[15:45] <Cuebiz> Two of its main purposes were to make telephone switching more "plug n play", and to increase switch productivity.
[15:45] <Cuebiz> you see, before electronic switching, an average switch could only hold roughly about 4,300 subscribers - and that's only about 200 somethin' trunks.
[15:46] <Cuebiz> Oh, yeah; if any of you were wondering - a "trunk" is pretty much a very vast version of a regular telephone line.
[15:46] <Cuebiz> that allows switches to communicate with each other.
[15:46] <Cuebiz> it can be in one of three states.
[15:46] <Cuebiz> open (busy)
[15:47] <Cuebiz> closed (idle)
[15:47] <Cuebiz> or of course, Out of Service.
[15:47] <Cuebiz> When you pick up the phone and start dialing a number; you've just sent a message to the switch - telling it to start finding an idle trunk for you to use to place your call.
[15:48] <Cuebiz> There are several different "flavors" of trunks connected to a central office, but that's best for another lecture in itself.
[15:48] <Cuebiz> Okay, a flaw in early "analogue" switching systems was the slow signalling system that it was made for.
[15:49] <Cuebiz> though better than the stone-aged switching systems that required manual connections made by telephone operators, their current switching technology couldn't handle the sudden rush of people subscribing for service.
[15:49] <Cuebiz> so
[15:49] <Cuebiz> to save a whole lot of $$$$ and to make a whole lot more, they started the Electronic Switching System
[15:50] <Cuebiz> Please note that during this time, two other types of Electronic Switches had been in the making.
[15:50] <Cuebiz> like GTE's 1EAX
[15:50] <Cuebiz> and later, Northern Telecom's DMS.
[15:50] <Cuebiz> DMS is an acronym for Digital Multiplex System.
[15:51] <Cuebiz> I won't be going over them in this lecture, just thought that you guys should know that ESS wasn't the only electronic switching system of its time.
[15:51] <Cuebiz> Now, going ahead several decades.
[15:51] <Cuebiz> we'll find our current ESS foe.
[15:51] <Cuebiz> ESS #5
[15:52] <Cuebiz> which has gone a long way since it started popping up all around the US.
[15:52] <Cuebiz> 5ESS was first tested/used in 1982 after finding that the earlier 4ESS had major potential.
[15:52] <Cuebiz> Today's 5-ESS's are jam-packed with modules that make
[15:52] <Cuebiz> switching easy enough for any printer monkey to run
[15:52] <Cuebiz> (well, a printer monkey with an associates degree)
[15:52] <Cuebiz> and just as easy to maintain (well, not security wise).
[15:52] <Cuebiz> It can hold up to around 200,000 lines in an end office or
[15:53] <Cuebiz> roughly around 94,000 trunks.
[15:53] <Cuebiz> It's fast as hell compared to other switches.
[15:54] <Cuebiz> run off of a 3B21D processor - nothing compared to our personal computers, but switching phones doesn't take much CPU anyways.
[15:54] <Cuebiz> 5ess has the ability to modify anything and everything, "on the fly".
[15:55] <Cuebiz> Today's CDX's or Compact Digital eXchange (mini 5ess's) are about 6 feet high, 3 feet wide and about 2 feet thick.
[15:55] <Cuebiz> hehe, i actually remembered those #s.
[15:55] <Cuebiz> It's 85% of the time enclosed in a neat looking blue and white locker labeled with a bunch of 5ess and AT&T stickers.
[15:56] <Cuebiz> *BUT* regular plain 5ess machines are generally larger but do the exact same jobs.
[15:57] <Cuebiz> Okay, it seems to be getting pretty boring.
[15:57] *** bsd-jenny sets mode: +o Cuebiz
[15:57] <Cuebiz> so I'll be opening the channel for discussion, questions.
[15:57] *** Cuebiz sets mode: -m
[15:57] <Cuebiz> okay.
[15:57] <Cuebiz> any questions?
[15:57] <MindLink> Nope.
[15:57] <ilikemyownbum> so if they put a new cpu in there say like a
[15:57] <l4m3n00b> cuebiz
[15:57] <l4m3n00b> send me the logs in 20 mins or so, k?
[15:58] <l4m3n00b> i have to get offline
[15:58] <ilikemyownbum> um big one it would be a more powerful system
[15:58] <Cuebiz> aight.
[15:58] <l4m3n00b> thanks
[15:58] <Cuebiz> actually, yeah.
[15:58] <HoppingGoblin> http://www.ppchq.org/pictures.html has some interesting pictures towards the bottom of an AT&T 5ESS switch
[15:58] <ilikemyownbum> why don't they just do that?
[15:58] <Cuebiz> but the operating system itself was made for the processor they use.
[15:58] <Cuebiz> the 3B2*D
[15:59] <Cuebiz> the * could either be a 0 or 1
[15:59] <ilikemyownbum> how hard would it be to make a new OS?
[15:59] <Cuebiz> pretty hard, seeing that the ESS OS is about several billion lines of code.
[15:59] <ilikemyownbum> herrrrm
[15:59] <Cuebiz> decades of modified code.
[15:59] <HoppingGoblin> yikes :/
[15:59] <Cuebiz> but they should have thought about it beforehand.
[15:59] <ilikemyownbum> that sucks
[16:00] <Cuebiz> now they're stuck with that type of architecture.
[16:00] <MindLink> Lower level language or higher? Probably lower since it's ancient?
[16:00] <ilikemyownbum> hmmm
[16:00] <Cuebiz> C code.
[16:00] <MindLink> Rather, the other way around.
[16:00] <MindLink> Nice.
[16:00] <ilikemyownbum> competition could just do the same thing and make it better
[16:00] <ilikemyownbum> there goes their business
[16:00] <Cuebiz> exactly.
[16:00] <Cuebiz> but i guess no one's thought of it yet.
[16:01] <Cuebiz> =/
[16:01] <ilikemyownbum> i did
[16:01] <Cuebiz> hehe. yeah - because we're generally smarter than they are.
[16:01] <ilikemyownbum> well what if i started working for them and got their OS's source code
[16:02] <ilikemyownbum> and made it better and for a diff processor and made my own business
[16:02] <ilikemyownbum> um wait i have no point
[16:02] <Cuebiz> it'd take forever to look through it all ... but you *could* do that in theory.
[16:02] <Cuebiz> and take AT&T outta business with a better *cheaper* switch.
[16:03] <ilikemyownbum> right that would be fun
[16:03] <Cuebiz> okay.
[16:03] <ilikemyownbum> how long do you think it would take?
[16:03] <ilikemyownbum> years
[16:03] <ilikemyownbum> decades?
[16:03] <Cuebiz> probably decades.
[16:03] <ilikemyownbum> i can't imagine anything like that taking more than three years
[16:03] <ilikemyownbum> shit
[16:04] <Cuebiz> okay.
[16:04] <Cuebiz> next!
[16:04] <ilikemyownbum> but then again i can't even make my own boot disks
[16:04] <Cuebiz> hehe.
[16:04] <HoppingGoblin> :)
[16:04] *** Cuebiz sets mode: +m
[16:05] <Cuebiz> If the heart of telephone switching is the switch (in this case our beloved, soon to be outta business 5ess *joke*).
[16:05] <Cuebiz> then a main vein would definitely be the SMs.
[16:05] <Cuebiz> or switching modules.
[16:05] <Cuebiz> which, in a nutshell, terminate trunks after use and perform time switching.
[16:06] <Cuebiz> The most recent SM is known as SM-2000
[16:06] <Cuebiz> pretty clever, huh?
[16:07] <Cuebiz> which supports up to 30,000 time slost (the older 5ess's only handle about 600) and is based on a Motorola 68060 processor (it has its own processor so it doesn't have to rely on the main switch processor).
[16:07] <Cuebiz> slost = slots.
[16:07] <Cuebiz> doh!
[16:08] <Cuebiz> ESS hardware is especially complex, and not very well taught on IRC, so I won't go much further than this.
[16:08] <Cuebiz> The basic components would be (of course), the SMs, the switch module, the switch terminal (the computers that allow you to send input commands to the switch).
[16:08] <Cuebiz> AMA (automatic message accounting) units
[16:09] <Cuebiz> which pretty much log calls for billing purposes or legal matters.
[16:09] <Cuebiz> the Message switch, which acts as a relay between the processor and everything else.
[16:09] <Cuebiz> the IOP or Input/Output processor.
[16:09] <Cuebiz> the ROP.
[16:09] <Cuebiz> better known as the Read Only Printer.
[16:10] <Cuebiz> just a regular shitty printer
[16:10] <Cuebiz> made for making print outs.
[16:10] <Cuebiz> the NCLK or network clock.
[16:10] <Cuebiz> and of course, its tape drives.
[16:10] <Cuebiz> High level, low level, and special level.
[16:10] <Cuebiz> it's obviously more complex than that.
[16:10] <Cuebiz> but i'll explain more in a text file where I can draw out pretty ASCII art pictures and stuff.
[16:10] <Cuebiz> so, this is pretty much how it's stacked up.
[16:11] <Cuebiz> [ OSS link ] ---> [ I/O processor ] ---> [ AMA ] --->
[16:11] <Cuebiz> [Message Switch] ---> [Switching module ] ---> ROP/TAPE/TTY/ETC
[16:12] <Cuebiz> The software for 5ess is distributed in "packages"
[16:12] <Cuebiz> the last I've checked we're still somewhere around package 5e9(*)
[16:12] <Cuebiz> Programmers background info on ESS code:
[16:12] <Cuebiz> just a bit of infoz.
[16:12] <Cuebiz> ;)
[16:13] <Cuebiz> The 5ESS source code is divided into a lot of sub-systems, which is
[16:13] <Cuebiz> again divided into a set of modules, and each module contains a number
[16:13] <Cuebiz> of source code files.
[16:13] <Cuebiz> Everything is maintained by the SCCS or Source Code Control System
[16:13] <Cuebiz> The 5ess programmers (tons of people, I am sure of it) work within VE or
[16:14] <Cuebiz> Version Editor. This piece of software makes viewing the 5ess C source
[16:14] <Cuebiz> WAY easier.
[16:14] <Cuebiz> Now, every time they modify 5ess code.
[16:14] <Cuebiz> to make things more organized.
[16:15] <Cuebiz> they'll mark it.
[16:15] <Cuebiz> just FYI.
[16:15] <Cuebiz> like this bunch of code.
[16:15] <Cuebiz> routing = GetRoute();
[16:15] <Cuebiz> #version (4A)
[16:15] <Cuebiz> dest = GetDest(routing);
[16:15] <Cuebiz> if (dest.port == 0)
[16:15] <Cuebiz>     return(ConnectLocal(routing));
[16:15] <Cuebiz> #endversion (4A)
[16:15] <Cuebiz> Connect(routing);
[16:16] <Cuebiz> Which doesn't really do much. but you can see how the format goes.
[16:16] <Cuebiz> when they're modifying code.
[16:16] <Cuebiz> they start a modify with #version (version #)
[16:16] <Cuebiz> and end it with #endversion (version #)
[16:16] <Cuebiz> I just thought that you guys would like to know that.
[16:16] <Cuebiz> :)
[16:16] <Cuebiz> Okay, now onto DMERT.
[16:17] <Cuebiz> Which is another telco acronym for Duplex Multiple Environment Real Time Operating System
[16:17] <Cuebiz> also known as Unix Real Time Reliable
[16:17] <Cuebiz> or as some of you may know it, "AT&T Unix"
[16:17] <Cuebiz> DMERT has its own set of commands, very similar to its System V relative.
[16:18] <Cuebiz> So if you know "Unix" you'll take to DMERT like a fish to water.
[16:18] <Cuebiz> To get to the DMERT shell, on the Recent Change/Verify channel; you could type "RCV:MENU:SH!" at the CRAFT shell (discussed next).
[16:19] <Cuebiz> As most of you may know, 5ess is broken into separate "Channels" of which each channel has its own "job".
[16:19] <Cuebiz> So, say that you find a telco dialup, it *could* end up on a 5ess channel.
[16:20] <Cuebiz> formally known as a 5ESS TTY.
[16:20] <Cuebiz> so, once dialing into a channel (you could also connect via x.25 - ie: SprintNet).
[16:20] <Cuebiz> that's all you're getting.
[16:20] <Cuebiz> you can't jump into another channel.
[16:20] <Cuebiz> The TEST channel is one of my favorites.
[16:21] <Cuebiz> seeing that it's one of the only channels that have OSS's that don't need to be operated via a computer.
[16:21] <Cuebiz> like DATU, via the No-Test Trunk.
[16:21] <Cuebiz> If you don't know what DATU is by now, I propose that you recognize !@#
[16:21] <Cuebiz> Check out my file I wrote on it, Http://telco-inside.spunge.org/files/oh_datu.txt
[16:22] <Cuebiz> No-Test Trunk - or Number Test Trunk.
[16:22] <Cuebiz> is a trunk that allows the switch to drop on a specific line to connect a testing device such as DATU.
[16:22] <Cuebiz> LMOS: is an acronym for "Loop Maintenance and Operations System"
[16:23] <Cuebiz> its job is to help handle problems that occur with subscriber loops.
[16:23] <Cuebiz> so getting access to LMOS would allow you to view past and present line trouble of a specific subscriber.
[16:23] <Cuebiz> along with a bit of specifics on the line itself.
[16:23] <Cuebiz> (ie: if it's a POTS line or SS line, etc).
[16:24] <Cuebiz> It's closely tied in with MLT or Mechanized Loop Testing System.
[16:24] <Cuebiz> This system (as mentioned before) works closely with LMOS; but MLT is the software itself that coordinates the actual testing.
[16:25] <Cuebiz> as LMOS just displays results of these (and other) tests.
[16:25] <Cuebiz> MLT can be run via its Web-GUI front end to test POTS, ISDN, and xDSL lines.
[16:25] <Cuebiz> if you didn't know, POTS stands for Plain Old Telephone Service.
[16:25] <Cuebiz> Now, BLV.
[16:26] <Cuebiz> stands for Busy Line Verify.
[16:26] <Cuebiz> and it's the trunk that operators use to do busy interrupts.
[16:26] <Cuebiz> and busy line verifies.
[16:26] <Cuebiz> i'll be discussing how to control BLV trunks next week when I'll be talking about blueboxing (from top to bottom).
[16:26] <Cuebiz> so don't worry about this until next week.
[16:27] <Cuebiz> RC/V or Recent Change/Verify is one of the neatest things that I've ever seen.
[16:27] <Cuebiz> upon connecting to a RC/V (via x25 or the PSTN) you'll either be stopped by a prompt that asks for your "Account Name" or you'll be dropped into the CRAFT shell.
[16:27] <Cuebiz> the RC/V command prompt.
[16:27] <Cuebiz> which is simply a
[16:27] <Cuebiz> <
[16:28] <Cuebiz> From the CRAFT shell, you can pretty much control everything good about the 5ess.
[16:28] <Cuebiz> such as its feature tables (CLASS services such as call forwarding and CLID)
[16:28] <Cuebiz> trunk routing codes, and the like.
[16:29] <Cuebiz> If you haven't read my post to alt.phreaking; then here's a good scenario of what one could do with access to the 5ess via the RC/V port.
[16:29] <Cuebiz> Let's say that you had my phone number.
[16:29] <Cuebiz> okay?
[16:29] <Cuebiz> and you also had access to the 5ess switch that covered my area.
[16:29] <Cuebiz> Now, by getting access to RC/V on my area's switch.
[16:29] <Cuebiz> which also happens to have a No-Test Trunk.
[16:29] <Cuebiz> you could do the following.
[16:30] <Cuebiz> 1. assign the BLV trunk to the chart column value of an OOS (out of service) number.
[16:30] <Cuebiz> then
[16:30] <Cuebiz> 2. call forward the OOS (now active) number to *MY* phone number.
[16:30] <Cuebiz> now, by calling the OOS number.
[16:30] <Cuebiz> you could listen to what's happening on *MY* phone line.
[16:30] <Cuebiz> a successful tap.
[16:30] <Cuebiz> This exploit still works as of today.
[16:30] <Cuebiz> no patch has been made.
[16:30] <Cuebiz> =/
[16:31] <Cuebiz> so they pretty much just have to watch their BLV trunks.
[16:31] <Cuebiz> if they have any.
[16:31] <Cuebiz> once again, I am opening up the channel for questions.
[16:31] <Cuebiz> discussions.
[16:31] <Cuebiz> etc.
[16:31] *** Cuebiz sets mode: -m
[16:31] <Cuebiz> damn.
[16:31] <Cuebiz> everyone like, left
[16:32] <Cuebiz> is it that boring?
[16:32] <MindLink> Nah, we're listening.
[16:32] <HoppingGoblin> no, heh
[16:32] *** USE.ChatNet.Org sets mode: +m
[16:32] <Cuebiz> cool.
[16:32] <Cuebiz> any questions?
[16:34] *** Cuebiz sets mode: -m
[16:35] * HoppingGoblin kicks use.chatnet.org
[16:36] <Cuebiz> no questions?
[16:36] <Cuebiz> +m time.
[16:36] *** Cuebiz sets mode: +m
[16:37] <Cuebiz> Now, we're going to move into SS7
[16:37] <Cuebiz> which should be a lecture in itself.
[16:37] <Cuebiz> but i'll give it the best i've got for the remaining time that we have.
[16:37] <Cuebiz> SS7 stands for Signalling System 7
[16:37] <Cuebiz> which is the type of inter-office signalling that all of us in the United States are utilizing.
[16:38] <Cuebiz> so, if you're in the US. you're using SS7
[16:38] <Cuebiz> SS7 is Common channel signalling at its prime.
[16:39] <Cuebiz> signalling takes place via data lines and voice is carried via well ... voice!
[16:39] <Cuebiz> you see, the problem back when we ran system R1 was that signalling and voice took place via voice lines.
[16:39] <Cuebiz> which meant *you* could hear your central office talking to your buddy's central office.
[16:39] <Cuebiz> obviously, if *we* can hear it, *we* can imitate it.
[16:39] <Cuebiz> which brought about blueboxers.
[16:40] <Cuebiz> but that's next week.
[16:40] <Cuebiz> so I won't be talking about blueboxing.
[16:40] <Cuebiz> Now-a-days, central offices speak to one another via T1 lines on x.25 data networks.
[16:40] <Cuebiz> originally, SS7 was meant to be used by a small, closed community.
[16:41] <Cuebiz> *but* due to the abuse of system R1, they decided to move in for the kill.
[16:42] <Cuebiz> Now, they lease out SS7 connections to anyone with the right sized pocket book.
[16:42] <Cuebiz> (ie: D channel ISDN).
[16:42] <Cuebiz> Signalling via x.25 goes through several "gate-ways"
[16:42] <Cuebiz> or "nodes"
[16:42] <Cuebiz> as we call them
[16:42] <Cuebiz> to get to its destination point.
[16:42] <Cuebiz> each node has its own point code.
[16:42] <Cuebiz> to identify itself.
[16:42] <Cuebiz> Difficulty level of imitating these point codes, trivial.
[16:43] <Cuebiz> hehe, okay; here's another crappy ascii diagram of how it's all stacked up.
[16:43] <Cuebiz> [SCP]=[OSS]--->[SSP]--->{[STP]=[STP]}--->[SCP]=[OSS]
[16:43] <Cuebiz> SCP stands for Service Control Points.
[16:43] <Cuebiz> they're essentially OSS links.
[16:44] <Cuebiz> no signal will go from one OSS to another without first reaching an SCP.
[16:44] <Cuebiz> oh wait!
[16:44] <Cuebiz> hehe, I am getting ahead of myself.
[16:44] <Cuebiz> OSS stands for Operations Support System.
[16:44] <Cuebiz> it's a device.
[16:44] <Cuebiz> ie: a computer
[16:44] <Cuebiz> that interacts with the switch's processor.
[16:44] <Cuebiz> some common OSS's are MLT.
[16:44] <Cuebiz> LMOS
[16:44] <Cuebiz> MARCH
[16:44] <Cuebiz> SARTS
[16:45] <Cuebiz> etc.
[16:45] <Cuebiz> most of which I've already discussed.
[16:45] <Cuebiz> The SS7 protocol is hard to explain.
[16:45] <Cuebiz> there's the stack.
[16:45] <Cuebiz> which pretty much defines the procedures
[16:45] <Cuebiz> that everything must go through.
[16:45] <Cuebiz> for those of you interested.
[16:45] <Cuebiz> here's what the stack should look like.
[16:45] <Cuebiz> in ascii form.
[16:46] <Cuebiz> [TUP] [ISUP] [TCAP]
[16:46] <Cuebiz>       [SCCP]
[16:46] <Cuebiz> [ MTP Level 3 ]
[16:46] <Cuebiz> [ MTP Level 2 ]
[16:46] <Cuebiz> [ MTP Level 1 ]
[16:46] <Cuebiz> hehe
[16:46] <Cuebiz> MTP, or Message Transfer Protocol 1-3
[16:46] <Cuebiz> just defines electrical characteristics.
[16:47] <Cuebiz> of the signalling line and interfaces used in the network.
[16:47] <Cuebiz> hehe, important - but boring.
[16:47] <Cuebiz> ISUP.
[16:47] <Cuebiz> the "ISDN User Part" provides connection related services.
[16:47] <Cuebiz> in SS7 networks.
[16:47] <Cuebiz> it sets up and breaks down connections between offices/exchanges
[16:47] <Cuebiz> it's like ueber-TUP
[16:47] <Cuebiz> TUP.
[16:47] <Cuebiz> or Telephone User Part
[16:48] <Cuebiz> handles regular call setup and breakdowns.
[16:48] <Cuebiz> it's not as k-rad as ISUP, but it suffices with SS7
[16:48] <Cuebiz> If you want to read more about it, go to:
[16:48] <Cuebiz> Http://support.dialogic.com/ss7/SS7tutorial/tutorial.html
[16:48] <Cuebiz> Attacking vulnerable SS7 nodes is just as cool as phone tapping via RC/V
[16:49] <Cuebiz> let's say that you wanted to modify LIDBs or Line Information Databases which are held on SCP nodes.
[16:49] <Cuebiz> you could (in theory) rent an ISDN line.
[16:49] <Cuebiz> and imitate SS7 TCAP requests for users' calling card PINs.
[16:49] <Cuebiz> and get it!
[16:49] <Cuebiz> The same could be done with requesting other information.
[16:50] <Cuebiz> okay, i've been blabbing for about 50 minutes already.
[16:50] <Cuebiz> bleh.
[16:50] <Cuebiz> oh, yesterday.
[16:50] <Cuebiz> I was talking to Urmel (kick ass programmer)
[16:50] <Cuebiz> and he let me in on some really cool VoIP vulnerability concepts.
[16:50] <Cuebiz> and well,
[16:50] <Cuebiz> i guess i'll share some of it with you two.
[16:50] <Cuebiz> :-)
[16:51] <Cuebiz> Now, SS7/5ESS are already setup for use of VoIP in residentials.
[16:51] <Cuebiz> if anyone didn't know, VoIP stands for Voice Over IP.
[16:51] <Cuebiz> cheaper means of talking.
[16:51] <Cuebiz> not really better.
[16:51] <Cuebiz> *but* with VoIP phones, you could d0s someone's phone.
[16:52] <Cuebiz> really!
[16:52] <Cuebiz> memset(query_string, 0x1, 256);
[16:52] <Cuebiz> query_string[256]=0x0;
[16:52] <Cuebiz> write(sock, query_string, sizeof(query_string));
[16:52] <Cuebiz> the above code actually defines attacking the http server on someone's phone - causing denial of service.
[16:53] <Cuebiz> now, the phone's http server's remote management interface sends its password IN PLAIN TEXT!
[16:53] <Cuebiz> leaving it open for password sniffing.
[16:53] <Cuebiz> or even Audio sniffing.
[16:53] <Cuebiz> that's right.
[16:54] <Cuebiz> a phone tapping vulnerability, again.
[16:54] <Cuebiz> by using libcap, it's very possible to sniff out unprotected RTP payloads to play back captured audio of a specific person's conversation.
[16:55] <Cuebiz> oh well, that's about it.
[16:55] <Cuebiz> for this lecture.
[16:55] <Cuebiz> I am getting edgy without a cigarette.
[16:55] <Cuebiz> I'd like to thank you guys for showing up.
[16:56] <Cuebiz> and those of you who are going to be reading the logs who showed up but left
[16:56] <Cuebiz> anywho, i'll once again be opening up the channel.
[16:56] <Cuebiz> for questions, comments, whatever.
[16:56] *** Cuebiz sets mode: -m
[16:56] <HoppingGoblin> ::claps:: thanks for taking the time to do this cuebiz :D hope you'll do more!
[16:56] <Cuebiz> if anyone has any.
[16:56] <ilikemyownbum> yea
[16:56] <ilikemyownbum> very informative
[16:56] <l4m3n00b> yeah
[16:57] <l4m3n00b> from what i read it looked good
[16:57] <ilikemyownbum> i wanna read the log though
[16:57] <ilikemyownbum> it's a huge chunk and it's gonna need some digesting
[16:58] <Cuebiz> yeah, it's kinda a lot.
[16:58] <HoppingGoblin> ::ending logging::
Session Close: Sat Apr 06 16:58:28 2002

** IRC logs sent in by: HoppingGoblin (Thanks dude!) **

/* Cuebiz's Comments: "And fuck 5-0 (pow pow) - turn 'em into 49'ers" */