Phrequency Ezine

[ 12/08/01 ] ------ ISSUE #1 -->

~-~-~-~-~-~-~- Contents ~-~-~-~-~-~-~-

1. The Telstra Dial-IP Switched Data Network ..................... Marlinspike
2. Working Around The X2 FAST Block .............................. Dark Thief & Zaleth
3. Indigo Box .................................................... Dies Irae
4. Caller ID Program ............................................. Diab
5. Payphone Numbers .............................................. Zaleth & Dies Irae
6. RIM & COMNET Overview ......................................... Phreakau Team
7. BnE Into Telstra Exchanges Part II ............................ Marlinspike
8. Telstra News .................................................. Phreakau Team
9. Links ......................................................... Phreakau Team

~-~-~-~-~-~-~- Contacts ~-~-~-~-~-~-~-

To contact us, or send feedback to the author of an article, select from the following email addresses:

Dark Thief (dt) : darkthief@iamwasted.com
Diab            : diab@hackermail.com
Dies Irae       : speedy69@mailcity.com
Marlinspike     : p0lter_g@yahoo.com
Zaleth          : zaleth@hushmail.com

~-~-~-~-~-~-~- Intro ~-~-~-~-~-~-~-

Welcome to the first issue of Phrequency Ezine. This has been in the works for months and has taken a shitload of work to get out to you. This issue was primarily written by Phreakau, a group best described as a "Phreaking Research Group". That is, we are interested in the study and exploration of the inner workings of the Australian telecommunications network.
Most of us are interested in other subjects, such as computer security, and if we end up working on any significant project that captures the right 'flavour' it might end up in a future issue. However, we are primarily a phreaking group. As you can see from the articles here written by more than one person, we have a strong leaning towards working together on projects and research.

Largely, Phreakau is a contributors-only group that has been closed off from the rest of the scene due to concerns over things such as discussion based on raw information being too sensitive for public release. We were going to limit the distribution of this ezine, but a big reason we decided upon a full release is that phreaking has seen a bit of a resurgence in the past months and we wanted to give some new phreaking information to the scene, show everyone that phreaking is not dead in AU and what kind of information is available if they have the initiative to simply go out and get it.

So, start hanging around your local pits, cans, cabinets and exchanges. Start scanning local number exchanges, 1800 numbers and anything else you can think of. Go trashing. There are people out here willing to share information and help you with your research. You could be the one to uncover the lead by which the next big system or phreaking technique is discovered - all it takes is initiative.

Will there be future issues of this ezine? We hope so. We've set this as a precedent in quality, so if we keep going, keep at our research and get the articles for a second issue that rivals this one then there most likely will be. You are welcome to help, or provide your own touch, of course :)

For now sit back, whack on some tunes and see what you can learn.

~-~-~-~-~-~-~- The Telstra Dial IP Switched Data Network ~-~-~-~-~-~-~-

- By Marlinspike

Contents
========

1. What Is Dial IP?
2. Accessing Dial IP
3. Logging In
4. RADIUS
5. The Dial IP RADIUS Proxy
6. Scanning And Hax0ring
7. Free Calls
8. Logging
9. Further Reading

What Is Dial IP?
================

Telstra Dial IP is one of the more recent Switched Data Network offerings from Telstra. It is designed to be a cost-effective and secure solution for dial up users to connect to corporate LANs running IP from anywhere in Australia. Dial IP is classed as a Switched Data Network as the underlying protocol uses packet switching as a transmission method. This is also why it is cost effective, as many transmissions can use the same media at once.

The theory goes that Dial IP is more secure than regular dialups as it consolidates remote access into one chokepoint using RADIUS rather than having a whole load of unmanageable dialup servers for different areas in the country. Yay.

Accessing Dial IP
=================

So what's the Dialup? Well, there ain't one. Note that I said 'one'. In the Dial IP network each customer gets their own dialup to the network which connects to their LAN and their LAN only. How does this work? Well, there is a range of numbers assigned as 'Data Network Access Services' for Dial IP. If you apply for a Dial IP service, your dialup will be in that range and you can use that number to call your network.

The range of numbers that the Dial IP service uses is:

    019830XXXX

So that's 019830 followed by FOUR numbers. Just about every technical document I've seen (including the Telstra ones) has got this written wrong. Don't trust them, trust me :) That is 10,000 assignable numbers. Check the Austel website for 'Data Network Access Service' if you don't believe me. They got it right at least.

An example working Dial IP access number is 0198304107 which belongs to Edith Cowan University for their Remote Rural users (I found this on the net :)

Logging In
==========

Okay, you've dialed your number (right now we're examining the system from the perspective of a legitimate user, we'll get into the nefarious shit after I'm done explaining), so what happens next? Here's the prompt you get if you've dialed with Hyperterminal or another VT100 emulator (Dial IP has support for PPP/PAP/CHAP so most legit users won't do it this way because they'll be using windoze dial up networking). I've included all the prompts as if you've gone through and got the authentication wrong so you can see:

    ** Dial IP **
    Username:
    Password:
    ** Bad Password

These are pretty much the standard prompts you will get. This is the RADIUS server talking to you. It may be that it is authenticating you against a UNIX password file, but note that it does not display the UNIX login. This is to prevent information leakage regarding the operating system (and therefore default accounts and so forth). The system can be configured to present a different prompt if wanted; for example, you can get a challenge between the Username and Password for CHAP or a token based system, and I have also seen custom error messages. The point is the above is the default and has to be deliberately modified if needed to be. You get three incorrect tries before losing the carrier.

Once authenticated, you will be handed over to the LAN and can access all resources normally. Most of the time this will mean a PPP is fired back at you, but this can depend on what resource your account allowed you access to, PPPsh in UNIX for example. Yes, if the LAN you've connected to can reach the internet then you've just got net access, dependent on the LAN or larger internal network's firewall egress filters etc. of course.
RADIUS
======

While we've been logging in in the last section, this is what has been working behind the scenes to authenticate us. It is basically transparent and regular users need not know what it is, but seeing as we're not regular users (not to mention 'interested' in the authentication procedure) it might pay to know a bit about it.

RADIUS stands for (R)emote (A)uthentication (D)ial (I)n (U)ser (S)ervice and is specified in RFC 2138, with additional accounting details specified in RFC 2139. RADIUS is also Open Source and so can therefore be modified as the providers wish. In this way it can be customised to support various different authentication protocols.

At the destination LAN resides the RADIUS server. This can be in sync with whatever table of usernames and passwords the LAN cares to use. When the user dials up, they are attached to the RADIUS client, which will issue a request for authentication (username and password etc.). The user types it in and the client sends the request to the server for verification. As you can see this centralises the authentication procedure to the one RADIUS server on the LAN which is completely under the control of the owner of the LAN.

The RADIUS server and client share a secret key. This is used to encrypt the authentication request in transit. Although the medium used is a Telstra controlled dedicated frame relay service and therefore inaccessible to anyone but Telstra staff (theoretically anyway), the encryption provides an extra layer of security.

The Dial IP RADIUS Proxy
========================

Despite the fact that Dial IP uses separate PSTN numbers for access to separate systems, Dial IP is still one big network. The communications media are not dedicated to each customer; they are interwoven, with packets from each customer being transmitted alongside one another. What this means is that there needs to be another layer to the system directing traffic from the Dial Gateways (PoPs or Dialin Nodes etc.) to the various LAN controlled RADIUS servers. This makes Dial IP differ from a traditional RADIUS network somewhat, although still providing good transparency.

This is where the Telstra Dial IP RADIUS proxy comes in. Once the dial in user has connected, the client actually forwards the authentication request to the RADIUS proxy. Then, the proxy determines which end RADIUS server the request needs to go to based upon the PSTN Dial IP access number dialed. Crap ASCII pr0n diagram follows:

     _______________       ___________       ___________       ________
    |               |     |           |     /           \     |        |
    |   Dial IP     |     |  Dial IP  |    (   Dial IP   )    | RADIUS |
    |  Gateway &    |---->|  RADIUS   |---->   Network   ---->| Server |
    | RADIUS Client |     |   Proxy   |    (             )    | At LAN |
    |_______________|     |___________|     \___________/     |________|

As far as the RADIUS server is concerned, it is talking to a regular client. The proxy is completely transparent. There are actually multiple proxies around Australia to ensure reliability and availability.

Scanning And Hax0ring
=====================

The fact that the prompts are standardised presents an interesting problem in terms of hacking on Dial IP. Also, I have tried a whole load of numbers in all areas of the range and have never received a message stating the number is not connected, neither a voice message, nor a message in my terminal window. So, even if you ring a number that is not connected to a LAN, you will get:

    ** Dial IP **
    Username:
    Password:
    ** Bad Password

3 tries and then NO CARRIER. So in fact, you may not have even been hacking into a system at all. Of course, there is always the possibility that you get a non-standard login prompt or a challenge, which would certainly indicate a system present, or a custom error message, like this one from the ECU number I mentioned earlier:

    ** Dial IP **
    Username:
    Password:
    Login Failed: check your username, password and time limits.

A classic case of user friendliness over security.
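The RADIUS exchange the two sections above describe, worked through as an added example (this is not code from the ezine or from Telstra): an Access-Request is built the way the dial-in client would send it, the User-Password attribute is hidden with the shared secret and Request Authenticator exactly as RFC 2138 section 5.2 specifies, and a proxy-style lookup picks the customer's RADIUS server from the access number dialled, which is what the page says the Telstra proxy does. The shared secret, the fixed authenticator, the calling number and the routing table are constructed sample values; the access-number suffix 4107 is the page's own ECU example.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD = 1, 2
CALLED_STATION_ID, CALLING_STATION_ID = 30, 31
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)

# Constructed sample values (not from the page): a shared secret, a fixed Request
# Authenticator so the run is reproducible (a real client uses 16 random octets),
# and a routing table keyed by the access number the page says Called-Station-Id
# records (its last four digits).
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_ROUTES = {"4107": "radius.customer-lan.example"}


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2138 5.2: NUL-pad to a multiple of 16 octets, then XOR each block with
    MD5(secret + previous output block), the first block using the Request
    Authenticator in place of a previous block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; without the shared secret this yields garbage."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, called, calling,
                         authenticator=None) -> bytes:
    """Encode an Access-Request as the dial-in node sends it towards the proxy."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = [
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, secret, authenticator)),
        (CALLED_STATION_ID, called),    # the Dial IP access number dialled
        (CALLING_STATION_ID, calling),  # the number the call came from
    ]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body))
    return header + authenticator + body


def parse_packet(pkt: bytes):
    """Decode header and attributes, rejecting truncated or inconsistent lengths."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    authenticator = pkt[4:HEADER_LEN]
    attrs, pos = {}, HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, authenticator, attrs


def is_well_formed(pkt: bytes) -> bool:
    try:
        parse_packet(pkt)
        return True
    except ValueError:
        return False


def route_request(pkt: bytes, routing_table: dict) -> str:
    """The proxy's job as the page describes it: choose the customer's RADIUS server
    from the access number dialled (Called-Station-Id), never from the username."""
    _, _, _, attrs = parse_packet(pkt)
    called = attrs.get(CALLED_STATION_ID, b"").decode()
    if called not in routing_table:
        raise KeyError("no RADIUS server configured for access number " + called)
    return routing_table[called]


def sample_request() -> bytes:
    """A constructed request: ECU-style access number 4107, made-up caller number."""
    return build_access_request(7, SAMPLE_SECRET, b"rural-user", b"correct horse battery",
                                b"4107", b"0812345678", SAMPLE_AUTHENTICATOR)
```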
As far as hacking is concerned, the obvious thing to note is that system identification is quite difficult and so what you'll have to do is have a generic set of usernames to try from various systems. As far as I can tell, the systems most in use on Dial IP are Windows NT/2000 and then UNIX. There is one other way to determine if a number connects to a valid system or not, which I will now 'splain you.

Free Calls
==========

Being a phreaking zine this was bound to come up. I am however, speaking of it here in a semi-legitimate capacity. You see, I do most of my scanning from payphones. When scanning these Dial IP numbers after I first learned of the network I noticed that some of the numbers were being connected and modem breath emitted without my having to insert coins/phreak for the call. Many did require payment/phreaking. In documentation it does mention that you can provide the dialin at free call rate if desired. Obviously, if the number is not connected Telstra wouldn't be footing the bill for a free call for you now would they? It is the default that the numbers are not free, and if you scanned looking for free numbers you could probably get a lengthy list of valid numbers. Sure you'd miss a few, but in the meantime you've got a whole bunch of valid systems to play with that are free to ring continuously.

Logging
=======

This is something I get asked about a lot in regards to Austpac Public Access PADs. What kind of logging do they have? Can they log with ANI/CLI? Well, here's what I know about Dial IP. Due to the nature of RADIUS, there is the potential to log a lot of stuff. The logs for Dial IP at the RADIUS server are very verbose. There are two logs generated for a session, a start log and a stop log. They contain entries such as:

    Start Time
    Stop Time
    Username Logged In Under
    Session Time
    Framing Protocol Used
    Allocated IP Address
    Reason For Disconnection
    Called Station ID  - The last four digits of the number dialled
    AND ALSO
    CALLING STATION ID (!!!) - This is the number Dial IP was CALLED FROM.

However, for most users the last 3 digits of the number will not be recorded in the RADIUS logs. Basically, this provides for administrators of the system to know what suburb the call came from. Note that often the 4th to last number is needed to make up the exchange prefix in some phone numbers. Some 'authorised' customers can receive logs of the full numbers, but I am unsure whether this is allowed for some kind of government security agencies, or just whether or not you grease Telstra's palms enough. Probably the latter.

The fact of the matter is, this last item is necessary for us to know, but seeing as it can be defeated by a simple call to a number diverted to the relevant Dial IP access number (in the suburb the owner of the username resides) it is still not a security panacea.

Further Reading
===============

Linkage:

    http://www.telstra.com.au/dialip/

Documents:

    Telstra Remote Access Dial-In User Service (RADIUS) Information Document
    RFC 2138 Remote Authentication Dial In User Service (RADIUS)
    RFC 2139 RADIUS Accounting

- Marlinspike 10/6/01

~-~-~-~-~-~-~- Working Around The X2 FAST Block ~-~-~-~-~-~-~-

- By Dark Thief & Zaleth

Contents
========

Summary Of FAST
The X2 FAST Block
Zaleth's Workaround (Aka "Dick Smith's Revenge")
Dark Thief's Workaround (Aka "#INCLUDE ")

Summary Of FAST
===============

FAST, (F)ield (A)ccess to (S)ULTAN (T)esting, is Telstra's field based access service for Telstra techs (linesmen etc.) to obtain remote (field) access to special functions such as electrical tests from an exchange along a customer's line. FAST is accessed via a 1800 number:

    1800 050 051

This number is in the 1800 prefix 1800 05x xxx which denotes "Enhanced 1800" and in which calls are routed to destinations based on the location of the caller. The FAST number was originally discovered in a 1800 scan by APB (Australian Phone Brotherhood) and first detailed by ALOC in Morpheus Laughing #1.
Subsequent 1800 scans in the 05 prefix haven't turned up anything more of special interest (although that doesn't mean we're not still trying ;) FAST seems to be constantly having features added to it and has had some options added since the 1999 Morpheus article. A Telstra employee number and its corresponding PIN are required to access the service, which makes it mostly inaccessible to people without contacts or the enterprise to get this info themselves.

The X2 FAST Block
=================

When FAST was first discovered it was relatively easy for us all to explore it as we could simply dial it up from a payphone and have fun. For some weird reason Telstra does not want us screwing around with their system (or something like that anyway) and have taken measures to prevent FAST from being called from payphones. Bugger. Well, until now anyway. w00h00!

So, you ring FAST from a payphone and what happens? Well, everything is fine until you get to 1800 050 05. The immediate moment you press the '1' that follows, here is what happens:

(1) The payphone disconnects the line
(2) The screen displays "Service Not Available"
(3) The payphone resets and you get dial-tone again

This is similar to what would happen if you pressed the FOLLOW ON button. If 1800 050 052 or any other permutation on the last number apart from '1' is dialed, the phone will place the call and not reset. The reset occurs only on pressing the last '1' in FAST. It occurs without pause for connection or other signalling. Based on this, it follows that the payphone itself implements the FAST block.

There are other ways for Telstra to administer a block on a service. For example, if some 127 xxx xxx numbers, such as ANI and RINGBACK, are called from a payphone, it will call through and the service itself will announce "Access Denied To Customer Number" for ANI. This is a function of the payphone LINE and not because of any signalling from the payphone itself.

If we think of the payphone as a 'client' then what we've got in terms of protection against us calling FAST is a protection scheme based on the restrictiveness of the client. However, in order for the payphone to work it requires a channel to send its signalling data (in the form of DTMF tones) to the exchange and a channel by which to send the user supplied voice communications. These two channels are one and the same. The 'protection' is implemented by limiting what signals the user can send by function of the payphone. The problem is - what if the user supplies his own signalling data on the common communications/signalling channel or subverts the client (payphone) to unwittingly send the right signals to the channel in an unexpected manner? This type of problem is analogous to users editing the URL in a web browser instead of submitting data through a controlled HTML form, and also the good ole in-band inter-office signalling that has caused Telcos so many problems in the past.

We've included two methods of exploiting this problem in this article and hopefully the discussion will spark some new ideas on how to get around the FAST block and other similar blocks. An obvious method would be to beige box off the pit near the payphone, or from the plugs in the wall, but we wanted to be more cool & doing this in broad daylight may attract the wrong kind of attention (ie ass whooping by irate store owner or police officer).

This block is called the X2 FAST block because that (The Smartphone) was the phone it was originally discovered on, the most prevalent payphone around these days and hence the phone you'll most probably encounter it on. However, Zaleth checked out some other phones for the block as well. Bluephones don't seem to have a FAST block on them. This is probably because this type of blocking feature is unsupported. However, if it was, it could be worked around like the other phones.

P2's or PHONECARD phones, pieces of antiquated crap from the early '90s that you insert a magstripe card into to make calls and have it punch holes in the card to show you how much credit you have left, believe it or not, have FAST blocks on them. Fortunately, both workarounds described below have been tested, and work, on P2's.

Zaleth's Workaround (Aka "Dick Smith's Revenge")
================================================

Recently, Dick Smith bought out Tandy. This may have some kind of greater economic implications that we frankly couldn't care less about, but what we do care about is that as a result of the buyout a lot of Tandy's "low dollar" products (little stuff, electronic components etc.) have been discontinued, presumably to give Dick Smith Electronics stores a monopoly in that area. One of the lines included in the discontinuation was Tandy's Tone Dialers. As a result, they were going out the door cheap cheap ($2.95 - Thanks to Nightscout for this info). Due to not wanting to be the poor bastard that didn't invest the price of a Big Mac to get a tone dialer in the instance a use was found for them, we all went out and bought tone dialers. Ironically, this probably accounts for the fact that a use has now been found for them. Sucks if you didn't jump on the bandwagon (fact is if you hurry there are still some left :)

So, back to FAST. Tone Dialers give us a useful ability: the ability to supply DTMF signalling on the shared communications/signalling channel from the payphone to the exchange. To put it simply, we can signal the exchange with the number we want to call using the tone dialer without the payphone being able to detect what we've dialed and hence not knowing to block us if we call FAST.

Step by step:

(1) Lift handset, dial 1800
(2) Whip out tone dialer, hold to mouthpiece of payphone, dial 050 051
(3) Get put through to FAST - Enter employee number + PIN as usual

Dark Thief's Method (Aka "#INCLUDE ")
=============================================

A nifty feature currently installed on the X2's is AUTO REDIAL. This is used when you've put your coins in the phone and you've rung someone up, the line is engaged or the call rings out, and you want to place another call without reinserting your coins. To call again, you press FOLLOW ON, then '*'. The '*' is the button that denotes AUTO REDIAL, but it must be noted that AUTO REDIAL does not work if you replace the handset rather than pressing FOLLOW ON. You must press FOLLOW ON to use AUTO REDIAL. When you press the '*' the number will "fan" across the screen and the number will be redialed for you. Neato huh? OK, maybe it's not that cool, but throw intended purposes out the window and you've got yourself a subversive little function, so yes, neato!

How this is used to work around FAST is by inputting the first numbers of FAST into memory and using that as part of the number for the phone to dial (note that if you put all numbers of FAST into memory the phone would reset and it wouldn't work). It goes a little like this:

(1) Dial 1800 050 05
(2) Hit FOLLOW ON
(3) Wait for phone to reset whilst cackling insanely
(4) Hit '*'
(5) Dial '1'
(6) Get put through to FAST

What you've just done is put the first part of FAST (1800 050 05) into memory, reset the phone, redialled 1800 050 05 and then whacked in the last number of FAST (1) in order to complete the call without the payphone knowing you've called FAST and therefore bypassing the blocking mechanism.

- Propz Dark Thief & Zaleth 10/8/01

~-~-~-~-~-~-~- Indigo Box ~-~-~-~-~-~-~-

- By Dies Irae

This is a Brown, DLOC, Party, Pink Box; they all do basically the same thing... connect two phone lines together
so that you can take advantage of conference calling, eg. have 5 ppl instead of 3. All of those boxes I mentioned before were for America, so I decided to alter one for Australia. It wasn't too hard, but have fun and don't get caught, because there are many things that they (Tel$tra and Austel) can screw you over for having and placing this on your line. (Just warning you.)

There has to be enough phone wire from each of the male plugs so that the box can be in the middle of the two phone wall outlets. Then you can mount a modular plug in the side of the box so you can plug your phone in if you want. Also I presume that you have a grasp of electronics and know how to wire plugs up. THE SCHEMATIC WON'T MAKE MUCH SENSE UNLESS YOU KNOW WHAT A KNIFE SWITCH LOOKS LIKE... SO BUY THE PARTS AND THEN LOOK AT IT...

You Will Need
-------------

Okay I'll be nice and include Dick $mith catalog numbers...

    2 SPST Switches (I used P 7668)        $2.60
    2 Phone Lines
    2 Male Phone Plugs (F 5117)            $6.95
    1 Knife Switch (P 7862)                $4.95
    2 Alligator Clips (P 6406)             $0.80
    1 Phone
    1 White Plastic Box (you can buy them from Dick Smith, fairly small, 10cm x 10cm max)
    1 can Indigo spray paint (optional, to spray the box of course)

[ASCII schematic not legible in this copy. Recoverable labels: each SPST switch connects by blue or white wire to the phone; each male plug is wired to the knife switch; an alligator clip sits on one wire of each male plug.]

Legend:
    =  white line from line 1
    -  blue line from line 1
    +  blue line from line 2
    ,  white line from line 2

Instructions
------------

1. Assemble it like the crap schematic. Where a wire hits the knife switch, screw it in.
2. Where the connections from line 1 come in, also screw in the wires connecting to the SPST switches.
3. Strip back a bit of covering from one wire from either of the male plugs, and solder an alligator clip on.
4. Now on the other wire coming from each of the male plugs (not the one with the alligator clip), strip back enough covering to clip the alligator clip on.

Using It
--------

Well, you have to build it right for it to work...

IMPORTANT!!! MAKE SURE THAT BOTH OF THE SPST SWITCHES ARE OFF BEFORE YOU START DOING THIS BELOW!

First put the handle of the knife switch to the left (so line 1 is open), so you are dialing on line 1. Dial your two ppl and conference them. Then clip the alligator clip across these two lines; this is to keep the line open. Now throw the knife switch over to the right, so that you are dialling on line 2. Now dial and conference your two ppl on line 2. Then open both of the SPST switches and you should have 5 ppl online. Easy...

~-~-~-~-~-~-~- Caller ID Program ~-~-~-~-~-~-~-

- By Diab

/*
 * Simple caller ID program for POSIX compliant systems
 * Should work for: Linux, windows (providing you have a C compiler,
 * e.g. djgpp), and most *nix variants.
 *
 * Usage: ./callid <modem port> <logfile>
 * e.g. *nix: ./callid /dev/ttyS1 clid.log
 * e.g. win:  ./callid COM2 clid.log
 *
 * NOTE: Your modem should be able to receive callerID information for
 * this program to work, consult your modem manual. Most modems
 * should have this feature.
 *
 * - diab < diab@hackermail.com >
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <termios.h>

#define ENABLE "AT#CID=1\r"   /* This enables Caller ID on my modem */
                               /* Change if you want... */

void set_terminal(void);

int fd, send, n;
struct termios options;
FILE *logfile;

int main(int argc, char *argv[])
{
    char recv[3024];
    char s3nd[100];

    fprintf(stderr, "\n----------------------------------------\n");
    fprintf(stderr, "Callid by diab - < diab@hackermail.com >\n");
    fprintf(stderr, "----------------------------------------\n\n");

    if (argc != 3) {
        fprintf(stderr, "Usage: %s <modem port> <logfile>\n", argv[0]);
        exit(1);
    }

    /* open log file (append, so earlier calls are kept) */
    if ((logfile = fopen(argv[2], "a")) == NULL) {
        fprintf(stderr, "Error opening log file: %s\n", argv[2]);
        exit(1);
    }

    /* open modem port; open() returns -1 on failure */
    fd = open(argv[1], O_RDWR | O_NDELAY);
    if (fd == -1) {
        fprintf(stderr, "Can not open modem port:[ %s ]\n", argv[1]);
        exit(1);
    }
    fcntl(fd, F_SETFL, 0);   /* back to blocking reads now the port is open */
    sleep(1);

    /* set the terminal baud rate etc */
    set_terminal();

    /* send cid init string */
    snprintf(s3nd, sizeof(s3nd), "%s", ENABLE);
    fprintf(stderr, "[!] Enabling caller id on your modem\n");
    fprintf(stderr, "[!] Waiting for call...\n");
    send = write(fd, s3nd, strlen(s3nd));

    /* keep reading modem port until we get a ring and notify the user;
       leave one byte spare so the buffer is always NUL terminated */
    while ((n = read(fd, recv, sizeof(recv) - 1)) > 0) {
        recv[n] = '\0';
        fprintf(stderr, "%s", recv);
        if (strstr(recv, "RING") != NULL) {
            fprintf(stderr, "[!] Phone ringing... saving Caller ID info.\n");
            printf("\a");
        }
        fprintf(logfile, "%s", recv);
        fflush(logfile);
        sleep(1);
        memset(recv, 0, sizeof(recv));
    }

    return 0;
}

/* terminal stuff: 115200 8N1, raw mode, no echo */
void set_terminal(void)
{
    tcgetattr(fd, &options);
    options.c_cflag |= (CLOCAL | CREAD);
    options.c_cflag &= ~PARENB;
    options.c_cflag &= ~CSTOPB;
    options.c_cflag &= ~CSIZE;
    options.c_cflag |= CS8;
    options.c_iflag |= (INPCK | ISTRIP);
    options.c_lflag &= ~(ICANON | ECHO | ISIG);
    options.c_oflag &= ~OPOST;
    cfsetispeed(&options, B115200);
    cfsetospeed(&options, B115200);
    tcsetattr(fd, TCSANOW, &options);
}

~-~-~-~-~-~-~- Payphone Numbers ~-~-~-~-~-~-~-

- By Zaleth & Dies Irae

Shenton Park:
  - Onslow Rd:
    - X2 Outside Playgroup: (08)9381 2876
    - X2 Near Newsagent: (08)9388 3527
    - X2 Outside chemist: (08)9388 3535
  - Smith Rd:
    - X2 near Abedare Rd near graveyard gates: (08)9388 1635
  - Derby Rd:
    - X2 Corner of Nickleson Rd next to chemist: (08)9381 1033

Daglish:
  - Park (Near a lot of units)
    - Phonecard phone opposite park: (08)9381 5903 (weird ringer)

Melbourne ...

Mentone:
  - Blue Phone, Some School: (03) 9583 1179
  - Blue Phone, Some School #2: (03) 9583 1189
  - Blue Phone, Franklins: (03) 9585 3962
  - Blue Phone, Safeways: (03) 9585 1556

~-~-~-~-~-~-~- RIM & COMNET Overview ~-~-~-~-~-~-~-

- By Phreakau Team

1. What Is A RIM?
2. Types Of RIMs
3. RIM Components
4. SULTAN And RIMs
5. COMNET-1
6. COMNET-2
7. Systems Interfaces

If you have read Neurocactus #7, you would have read their article about the RIM Remote System. Well, some of us at Phreakau have come across some information on this subject and so have decided to provide a further overview or sequel on this interesting technology and information about advances since 1996 when it was incepted.

1. What Is A RIM?
=================

R.I.M. stands for (R)emote (I)ntegrated (M)ultiplexer. The RIM System consists of several components. The main component is the RU (Remote Unit) itself.
This is often seen as a green cabinet by the roadside although they can also be found indoors. There is also the EU (Exchange Unit) which is used to communicate between the servicing switch and the RIM Box (RU). These two components are manufactured by Alcatel. The RU has a communications channel for OAM (Operations, Administration & Maintenance) use, which is to say that it can be remotely controlled. In Australia this was implemented with COMNET, which we will get into later. A RIM is a highly modular electronic pair gain system. A pair gain system is defined in Telstra documentation as: "A system that cuts down on the number of wire pairs needed to carry telephone channels. They work by multiplexing analog conversations together into a digital transmission that can be sent more efficiently." So that would be that each customer's line feeds into the RIM, the RIM multiplexes the transmissions into a digital transmission and sends it off to the exchange. The speed of the RIM -> Exchange Bearer Cable is generally 2Mbits/s over copper cable with a higher rate of 8Mbits/s or 34Mbits/s using a fibre optic bearer. RIMs can also use radio if required. This is probably used only in rural deployments. RIMs can also, through their various modules, support various Special Services such as PABXes and Faxstream. Capabilities like providing a ring signal for incoming calls, DTMF and Call Progress Signalling are standard. 2. Types Of RIMs ================ Being extremely modular RIMs can come in many different configurations. However, there are some basic types of configuration that can be noted. Mode Of Integration ~~~~~~~~~~~~~~~~~~~ RIMs are capable of interfacing with their servicing/parent exchange in a few different ways. We already know that when transmissions are received, the RIM multiplexes them into a digital transmission. Where the modes of integration differ is how the RIM is further integrated into the Telephone Network as a whole. 
There are a few modes : (*) Non Integrated Mode:- In this mode the digital transmission is de-multiplexed at the parent exchange back into copper pairs. That means that for each pair going into the RIM there is still a corresponding pair at the exchange, as there would be in normal operation. This requires the EU to be present at the exchange. A RIM EU can be mounted via an Exchange Unit Rack Panel Adapter and can be fitted to a Type 84 or Type 92 exchange rack. (*) Integrated Mode:- In this mode the digital transmission is not de-multiplexed at the parent exchange but instead bypasses the racks and goes direct to the switching stage. This requires that the switch in use has a 'parenting' protocol for which it can communicate with equipment such as a RIM and handle its traffic directly. See below in IRIM Interface Protocol for more information. (*) Mixed Mode:- This is quite simply where the RIM utilises both modes for separate pairs. For whatever reason, probably to provide some type of special services this mode may be required. An EU and a direct link to the switch are both present in this mode. Size ~~~~ Depending upon the amount of pairs the RIM will need to service the size of the Remote Unit can differ. The standard amount of pairs that can fit into one access panel is 60 but RIMs have more than one access panel. There are three sizes currently in use depending on requirements, 240 Lines, 480 Lines & 180 Lines in the New CRIMS (Compact RIMs). IRIM Interface Protocol ~~~~~~~~~~~~~~~~~~~~~~~ Where the RIM is configured as integrated there needs to be a common protocol between the RIM and the switch at the exchange for communication of the various multiplexed transmissions and the switching instructions. 
There are a few different types of exchanges in use in Australia and the parenting protocol for each is different:

Type Of Exchange    Parenting Protocol    Info
Ericsson AXE        ARK-P                 Stands for ARK-Parenting
Ericsson AXE        ESM                   Probably a newer Ericsson protocol
Alcatel Sys12       RSU

CAN Or IEN
~~~~~~~~~~

RIMs were designed to save copper wiring and take the load off existing exchanges. There are two distinct situations in which they can be used. A RIM can be deployed in the CAN (Customer Access Network), that is, a RIM serviced by a local exchange and used as support for an area within an exchange locality. However, a RIM can also be deployed as an exchange in its own right. Old Ericsson ARK exchanges in rural areas (ARK is a crossbar exchange - very chic) are being outmoded and replaced by RIMs. In this type of deployment they are connected to the IEN, the Inter Exchange Network, and are serviced by a transit exchange.

3. RIM Components
=================

I will now attempt to explain the basic structure of components within RIM units. Bear in mind that the information we had was a bit sketchy in this area, but we believe we have put it together correctly. The more specific cards are fitted to panels in the units, so we'll start with the panels:

Exchange Unit Panels
~~~~~~~~~~~~~~~~~~~~

The Exchange Units for interface with the parent switch have a base selection of panels. Note that in Integrated Mode there are no Access Panels, as there is no need to demultiplex to individual pairs:

(*) Access Panels - Provide the end copper pair connections to the switch with the various electrical capabilities of the pairs.
(*) Line Transmission Panel - Responsible for communicating on the optical or electrical bearer between the EU and RU.
(*) Common Panel - Provides control, clock generation/distribution and OAM (ie COMNET) access functions at both EU and RU.
(*) Power And Alarm Distribution Panel

Remote Unit Compartments
~~~~~~~~~~~~~~~~~~~~~~~~

All RIM installations will have the following base compartments and panels. Where they differ will be the cards and the software on the cards used to implement differing jobs:

(*) Cross Connect Facility Compartment
(*) Equipment Compartment, with the following panels (same uses as in EU):
    (*) Access Panels - Connected to customer side pairs
    (*) Line Transmission Panel
    (*) Common Panel
    And additionally:
    (*) Ring/Meter Panel - Provides RING and METER pulses
    (*) Terminal Regenerator Panel - Capable of boosting signals for further transmission
    (*) Trunk Interface Panel - Interfaces between Common and Line Transmission Panels (OAM comms are multiplexed in with regular comms)
    (*) Environmental Control Panel - Cooling fans and climate control
(*) Power And Battery Compartment

Card Components
~~~~~~~~~~~~~~~

More specific components would include things like a module card for Access Panels that allows communication with 4/6 wire customer units such as PABXes and 4 wire modems. I won't go into much more detail about the various cards that can be installed, as that is where the information gets really sketchy and it probably wouldn't make for very interesting reading anyway. However, there are two things I would like to explain. The first is the units used for OAM (which stands for Operations, Administration & Maintenance), which in Australia is handled by COMNET, and the second is RIM support for things like SULTAN. I will explain the first now, but SULTAN has a full section afterwards.

Remote Management/OAM:

The RMU (Remote Management Unit) is responsible for providing an integrated OAM system. It communicates with the counterpart remote or exchange unit and the NMQ (Network Management Units) via a Q2 Bus OAM link.
The RMU is probably mounted on the Common Panel and seems to communicate over the Q2 Bus with the RAC Unit (Rate Adaptor Unit), which enables multiplexing of OAM communications onto the main bearer. The RAC Unit is probably mounted on the Trunk Interface Panel. The NMQ communicates with the RMU and the COP (COre Processor unit). It also receives some alarm messages from other RIM components.

4. SULTAN And RIMs
==================

This section will be short, but I believed it was important enough to warrant its own separate section. First of all, S.U.L.T.A.N. stands for (SU)bscriber (L)ine (T)esting (A)ccess (N)etwork. This system is responsible for performing electrical tests on subscriber lines. Now, a little thing that not all of you may be aware of is that F.A.S.T. stands for (F)ield (A)ccess to (S)ULTAN (T)esting; however, those of you that are familiar with the system may know about running a SULTAN test through FAST.

The fact that to do an electrical test on a customer line you need a complete electrical path (ie. copper wiring path) along the length of the customer line poses a problem for RIMs, as there is no constant path for each individual pair. They are multiplexed at the RIM. Alcatel has solved this with the CTU ((C)ustomer (T)est (U)nit). This unit takes care of electrical testing from the RIM itself, as directed via SULTAN through COMNET-1 or by COMNET-2 itself. The CTU is also capable of establishing a speech path for call setup between an operator and a customer, as in ring testing. It can also perform busy line monitoring and testing of tones and pulses on the line. Altogether a pretty nifty unit.

Typically, SULTAN can test the status of the RIM and, if OK, it can proceed with a line test from the RU to the customer equipment using the CTU. Yes. Using FAST you can test the status of a RIM and also any specific lines through the RIM. Remember, FAST stands for Field Access to SULTAN Testing.
I just had to explicitly state this or else I just know I would be asked the relevant stupid question by someone in the future, heh. An electrical test on a line can also be initiated by a COMNET system terminal or, automatically, by COMNET-2.

5. COMNET-1
===========

Okay, let's start by playing games with acronyms. Telstra, like most large telecommunications corporations and the military, likes acronyms because they sound cool. Here's the explanation of the acronym COMNET. COMNET is actually a few acronyms within one another. First there is:

COMNET : (C)AN (O)A(M) (NET)work

CAN and OAM are acronyms themselves:

CAN : (C)ustomer (A)ccess (N)etwork - This defines the telecommunications network area between an exchange and the customer premises. RIMs are installed in this area.
OAM : (O)perations, (A)dministration & (M)aintenance.

So COMNET actually stands for: Customer Access Network Operations, Administration & Maintenance Network. Shame on all of you who thought it simply stood for "(COM)munications (NET)work".

'COMNET' refers to the network and associated systems that are required for the interface between various core Telstra systems and RIM, to provide the management that RIM requires to be a part of the telecommunications network. COMNET-1 was the initial stage of this product, created to support the roll-out of the RIM system, and COMNET-2 is a further upgrade of the product. This upgrade has been implemented one location at a time, and so depending on your area the available system may be either COMNET-1 or 2.
The support provided by COMNET-1 can be broken down into the following applications:

Service Activation
~~~~~~~~~~~~~~~~~~

(*) Automatic activation of RIM equipment in conjunction with the exchange interface to provide the physical service
(*) Recording of newly commissioned RIMs

Service Assurance
~~~~~~~~~~~~~~~~~

(*) Customer fault report handling
(*) Efficient management of RIM equipment alarms
(*) Pro-active planned outage and hazard advice
(*) Repair workforce dispatch
(*) Remote diagnostic handling

Other Key Features
~~~~~~~~~~~~~~~~~~

(*) Remote software download (down to card level)
(*) Remote network management of RIM systems
(*) Remote customer line testing (standard SULTAN functionality)
(*) Remote configuration management
(*) In service performance monitoring, fault location and alarm monitoring (alarm and equipment fault reports are relayed to the NMG, which will then dispatch a service restorer)

The management application used on COMNET-1 workstations is NECTAS: Network Element Craft Application Software. The network is X.25 based, and as you will see, A LOT of Telstra systems seem to hang off X.25, not just COMNET. An explanatory ASCII pr0n diagram demonstrates:

FIGURE 1 : COMNET-1 ARCHITECTURE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[ASCII diagram, garbled in this copy. It showed the Customer Operations Group Alarm Handler and the National Maintenance Centre COMNET Workstation (the application is NECTAS) on their LANs, a COMNET Terminal Workstation, and SULTAN, all attached to the COMNET Data Comms Network; the network reached the RIMs through the RIM Mediator, and also over modem-to-modem links direct to individual RIMs.]

6. COMNET-2
===========

As previously mentioned, the COMNET-1 architecture was largely an ad-hoc arrangement to support the initial RIM inception. According to Telstra, a number of problems existed with COMNET-1 that they sought to correct.
Some of these were:

(*) The distributed nature of the network made it hard to maintain things like security and integrity of the system. There was a lack of central management that they wished to address.
(*) The Mediator between the RIMs and the COMNET Data Communications Network was not standard, and so whenever the RIM software was upgraded by Alcatel, new support needed to be implemented in the Mediator.
(*) Alarm management was inadequate. (Hehe, this is bad.)
(*) Integration with Telstra core systems was inadequate, and Telstra wished to automate many tasks such as activation without having to manually go to all the involved systems and exchange interfaces.

COMNET-2 was the answer to these problems. Further upgrades are always being proposed. Here is a diagram of the COMNET-2 setup:

FIGURE 2 : COMNET-2 ARCHITECTURE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[ASCII diagram, garbled in this copy. It showed the Customer Operations Group COMNET Workstation (Regional) and the Regional Maintenance Centre COMNET Workstation on their LANs, together with SULTAN and Service Activation, all connecting to a central Manager/Agent; the Manager/Agent in turn connects through the COMNET-2 Data Comm Network to the RIMs.]

As you can see, this setup is much neater (the diagram is neater and was much easier to draw as well). Obvious differences between this and the COMNET-1 setup are:

(*) The introduction of the central Manager/Agent. We are unclear on whether there are Manager/Agents for each region or whether this component is national.
(*) Removal of the Mediator between the RIMs and the network. It is now standardised as much as possible and the rest is handled by the Manager/Agent.
(*) Removal of the modem connections to the RIMs.
(*) Removal of the singular Alarm Handler, which is now integrated and automated.
RIM alarms are now forwarded to NICAD (National Integrated Customer Alarm Display).
(*) Introduction of a Service Activation component, which is an integration with Telstra core systems such as AXIS & RASS.
(*) Communications with Regional centres rather than National.

Additional features of COMNET-2 include:

(*) Improved customer line testing capability. COMNET-2 will automatically test lines, and not just when directed to by SULTAN or a system terminal.
(*) Remote software download, backup and archiving.
(*) Organised security management.
(*) Operating on the HP OpenView software platform.

If I had to speculate on the security architecture of COMNET-2, I'd say that the Telstra core mainframe etc. systems and LANs around the country communicate with the Manager/Agent over X.25, and the requests are moderated and passed on to COMNET-2 as appropriate. In this manner the Manager/Agent acts as a kind of national application proxy firewall, moderating requests for action. COMNET-2 may also communicate over the X.25 network, but the RIM access points would only accept connections from the Manager/Agent. Hence, a less distributed method of managing security/integrity, with the Manager/Agent as a chokepoint. Of course, all this goes out the window if someone were to 0wn the Manager/Agent, make acceptable requests that do the job, or subvert the COMNET-2 communications protection.

7. Systems Interfaces
=====================

COMNET, and particularly COMNET-2, support integration with existing Telstra core systems. COMNET-2 in particular is designed to be configured automatically by entering the details into the core systems. In the context of the information below, 'regular telephone lines' means regular voice grade telephone or P.O.T.S. lines and not lines supporting Special Services. Some systems and the ways in which they interact with RIM & COMNET are:

(*) AXIS : The order system used by Telstra to order work to be done on regular telephone lines.
This can involve ordering a linesman to set a line up, automatically configuring the exchange by interfacing with AUTOCAT, or remotely configuring a RIM via COMNET.
(*) AUTOCAT : (AUTO)matic (C)onfigur(A)tion of (T)elephone Exchanges, or (AUTO)matic (CAT)egory Change System. The automated system that other Telstra systems integrate with to automatically configure a telephone exchange. Does this by changing 'categories' within the exchange.
(*) DCRIS : (D)istributed (C)ustomer (R)ecord (I)nformation (S)ystem. COMNET initially accepted service orders from this system until it was replaced in 1997 by AXIS.
(*) FACS : (F)rame (A)nd (C)able (S)ystem. A database used to record information on and manage regular telephone lines. RIM configuration information is also stored in FACS. Used for some recording of copper RIM bearers. Also for recording of some Special Services lines such as ISDN.
(*) MULTIMAN : Optical links recording system for the CAN. If the RIM uses an optical bearer, it will be recorded in MULTIMAN rather than FACS or NPAMS.
(*) NPAMS : (N)etwork (P)lant (A)ssignment and (M)anagement (S)ystem. Used for some recording of copper bearers from RIMs. Also used for recording RIMs in the IEN as cable pair groups. Used for some management of regular telephone lines.
(*) RASS : (R)ecord (A)utomation for (S)pecial (S)ervices. Order system for Special Services rather than regular telephone lines. AXIS's Special Services counterpart. Two sub-systems: RASS-P (RASS-(P)rovisioning) & RASS-M (RASS-(M)aintenance).
(*) TRAC : (T)ransmission (R)ecording (A)nd (C)ontrol System. Used for recording RIMs in the Inter Exchange Network. Recorded as multiplex links.
Propz - Phreakau Team 5/8/01

~-~-~-~-~-~-~- Bne Into Telstra Exchanges Part II ~-~-~-~-~-~-~-

- By Marlinspike

Intro
Building And Security
What's Inside
Area Sensors
Slip & Pull Tool
Contact Switches
Door Destruction
Schools Of Entry
Appendix 1 : Responsibilities For Credential Users
Appendix 2 : Social Engineering The After Hours Centre

Intro
=====

In your suburb right now, the coolest place by far in the entire area is inside your local telephone exchange. This is part II of my manuals on breaking into them with the intention of learning more about the telephone network and procuring information (such as hands-on experience & manuals) about the telephone network. Every successful phreaker who got anywhere did this. Poulsen did it, Mitnick did it, The Phonemasters did it - and now you can do it too.

The first manual was basically my conclusions on what techniques could be used to enter exchanges from a few basic observations. This manual will cover my conclusions based on my now extensive observations of many telephone exchanges and my own successful entries and explorations. This manual is meant as complementary to part I. If you find yourself wanting more techniques/options, refer to part I, as it was very comprehensive in that regard.

Finally, since the first manual was published, I have been asked what my preferred entry method is. The answer is: I have used many different methods for different exchanges and situations. This is more to do with expedience than concealing my Modus Operandi. It is true that professional burglars often use changing, even the most rank amateur, methods they can get away with in order to throw off the cops, but in regard to exchanges I think you have to make up your own mind about which techniques you want to use based on your situation. This file is meant to provide you with a choice of techniques. You might want to go trashing at your surrounding exchanges before actually breaking in.
This will give you a chance to gain confidence, become used to the exchange and the surrounding area and escape routes and also ... get some pretty good information just from the trashing.

You'll notice that in the appendices I have omitted the numbers that you need to ring. This is because if you've even got off your butt and gone to an exchange a couple of times you'll probably get it, and because if Telstra gets hold of this doc, they'd be able to change it quite simply.

Building And Security
=====================

This section covers basic understanding of exchange perimeter structure and some basic techniques, so keep reading if it seems a bit basic. The basic suburban telephone exchange is usually a relatively old structure in your area. It would seem from my observations that they have concentrated on perimeter security and haven't even really done a good job of that. The primary obvious entry points into the building would be the windows and the doors (unless you feel like breaking through a wall or going through the roof - which is still a viable method if you don't mind being destructive).

I have looked at the air-conditioning on exchanges and have come to the conclusion that they probably aren't safe to try and get in through. Some of the units though are mounted in windows, and if you could pry one out or unscrew it, that would do, but you'd probably be better off using a technique on the window itself.

There are quite a few windows on exchanges, funnily enough, on concealed walls as well as walls open to the road. Because of the focus on perimeter security these windows will usually have bars on them. They are locked and opened by a lever (see diagram in the Slip & Pull Tool section) if required. I have not seen contact switches or vibration detectors on these windows. A possibility for detecting broken windows is a 'shatter guard', which is a unit mounted in a concealed location inside the building that detects the high pitched sound of glass breaking.
I have tested for this device by smashing a bottle near the doors of the exchange and no alarm has gone off. The windows, it seems, could be opened by smashing as long as the bars were gotten past. The bars on the windows are vertical only. I have seen some security grilles which are frail and offer no protection at all, but bars seem to be the predominant window protector. A simple trick to use here is to car jack them apart. Then, you can squeeze through the gap and do your stuff. Afterwards, you can re-close the bars (somewhat messily, but it can often turn out ok) by, instead of applying pressure to two bars side by side with the jack in the middle, applying pressure between one bar at a time and the window frame. That is to say, mount the jack on one bar and some pieces of wood reaching the window frame. It would also seem that the bars themselves have been mounted on a frame that has not been welded to the window frame itself, but instead has been screwed in. This opens up the opportunity for unscrewing the bar frame at one end and pushing your way past the slightly bent frame to get in, and then rescrewing it back on later.

There are doors on exchanges at the main entrance, which is usually pretty standard and well protected (more on this later), and there are also other doors around exchanges for moving equipment in and out. These doors are usually double doors and are made of wood, occasionally reinforced with metal. These doors are designed to be opened from the inside only and so do not have key locks but have bolts on the inside. There will usually be two vertical bolts at the top and bottom of the door, which are just push in/pull out of the floor/ceiling members, and a horizontal bolt between the doors which is like a bolt on a gate - not simply push in/pull out, but has to be manipulated past a stop which could (but never does) have a padlock in it. They will also have contact switches - usually mounted at the top of one of the doors.
Examine the diagram:

[ASCII diagram, garbled in this copy: the secondary double doors seen from the inside, with the contact switch at the top of one door, vertical bolt 1 at the top and vertical bolt 2 at the bottom of the same door, and the horizontal bolt between the two doors.]

Well? Fucking examine it! You will be needing this information later. (Sorry, just needed something to fill this space ;)

There are very limited intruder alarm systems in Telstra exchanges; however, there are extensive fire/smoke, gas and equipment alarm systems which you should be aware of. One night on one of my trashing runs I jumped the fence completely prepared to grab some goods and noticed that an alarm was going off inside the exchange. Peering through the window I noticed it was coming from a panel marked 'VESDA MIMIC'. A quick web search got me the following url:

http://www.vsl.com.au/vesda/index.html

Thanks to Phunki for helping me hack and search my way through this site! It would seem that this is the basic technology Telstra uses for fire and gas monitoring in its exchanges. The equipment itself has several alarm conditions. If you want some examples, have a look at the ICM docs in Infosurge #6. Needless to say, you wouldn't want to set off any of these alarms either. This could happen if, for example, you decided to use an oxyacetylene torch to burn your way through one of the side doors.

Getting back to the story though, I waited for 1 - 2 hours at a nearby property for *someone* to show up and no-one did. During this time two police cars cruised past, blithely unknowing. After that I got sick of waiting and trashed the place and left. I have had similar reports from other people saying that no-one gives a shit about alarms (intruder or otherwise) going off at exchanges.
Because there are no area sensors in exchanges, if you only set off the contact switch on one door (all that is needed to gain entry) the maximum 'event' you could provoke would be a 'one-zone violation'. This is considered by the police to be a low priority event. In other alarm cases, all the police will respond to is a two-zone violation, as a matter of policy. One-zone violations are deemed as being the responsibility of the owner or their security company. Still, it's up to you how paranoid you want to be. I personally err on the side of caution and don't hang around longer than a minute or so if I've set off an alarm.

What's Inside
=============

Airconditioning Plant Room : Gas pressure compressors etc. Large pipes.
Battery Power Room : Room filled with weird alien looking boxen.
Uncrating Areas : Open spaces where the secondary doors described above open onto; will have a monorail - a big metal support - running into it at ceiling level for supporting massive equipment being loaded in and out.
Lunch Room : Token amenity so Telstra isn't accused of slave labor.
Toilets : Guess it was either here or in the equipment room ;)
Store : Filled with tools and other interesting items.
Office/s : Mostly desks, occasionally have bookshelves and filing cabinets which are good for a rummage.
Maintenance Control : Either used as storage space or has actual control equipment in - bookcase with manuals may be here.
Equipment Rooms : These are the main rooms you'll want to concentrate on and that have the most interesting things in. Like a big warehouse floor. A block of pairs at one end with equipment (CMUXes, RIM boxes, Tran$end boxes, PABXes etc) hooked up to it. This room can also have a partitioned off area which has consoles for the equipment and a nice bookcase filled with nice manuals.
The manuals come in four types I've seen: the more 'commercial' ones which come spiral bound, computer printouts hole punched and bound in a file folder, loose paper computer printouts, and manuals still on disk in Microsoft Word format. I think the main resource for manuals (not for ALL manuals though) is the Telstra Intranet, a web based intranet for Telstra staff:

http://www.cdn.telstra.com.au/

I have seen a number of things referring to this url; however, it is not part of the regular internet and I have tried to break in via computer a number of times with varying degrees of success and have never been able to crack it. There is a directory called /cc-docs which seems to hold a lot of manuals. A lot of the manuals they have gotten through third parties by buying equipment are separate from these, probably due to copyright etc. Don't forget to bring a laptop though, or be prepared to swipe disks as well as paper goods.

Area Sensors
============

I have never seen area sensors (Passive Infra Red sensors/Microwave sensors) inside an exchange. I wondered whether this was because of them not working well with the equipment. A quick post to alt.security.alarms and some of my own observations brought up the following points:

1. Microwaves and exchange equipment do not mix
2. Equipment in an exchange can get quite warm, and so temperature varies too much in the equipment room to maintain an environment where PIRs work well
3. Equipment more than three or four feet taller than a human being blocks area sensors, making them effectively pointless, and there is much of this equipment in exchanges
4. A security theory is that perimeter security is more effective in an exchange situation as 'once the intruder is inside the damage is already done'
5. Telstra exchanges have a mess of airconditioning pipes and ducts towards the ceiling, further blocking the range of area sensors

So the moral of the story is there most likely won't be area sensors in your local exchange because they wouldn't work well if there were. I'd also like to re-iterate that I have never seen any in an exchange.

Slip & Pull Tool
================

Ok, so you want a technique that is easy to use, untraceable and requires minimum resources to implement. Right! So I have come up with something that ought to fit the bill. It is an adaptation of a technique that I first read in a book called 'Lock Bypass Techniques'. If you're interested you can get it from Loompanics (www.loompanics.com). I got my copy direct from the author because at the time it came out we were both lurkers pretending to be locksmiths on alt.locksmithing ;)

The tool itself is a long rectangle cut from a 2 litre coke bottle by cutting around the circumference in a spiral. Then, a hole is punched in one end and a string passed through; you can also use fishing line or wire as a stronger substitute, and you can also put a bit of glue on the end of the string to help it catch on things better (read on). This diagram is not to scale:

[ASCII diagram, garbled in this copy: a long plastic strip cut from a coke bottle, with a hole at one end and the string passed through it.]

Pretty simple huh? Due to the crappy nature of exchange security this bastard ought to get you in to most exchanges with relative ease. How is it used? Well, remember I told you to examine that diagram? (Yeah that's right - go back and look at it because you didn't listen to me.) Well, those secondary doors are, for lack of a better word, 'shithouse'. The gaps in between the doors and the door frame (door jamb) are too wide, allowing things to be slipped in easily (and even looked through), as is the gap in between the two doors.
Now, the vertical bolts have a stud on them for engaging/disengaging the bolt:

[ASCII diagram, garbled in this copy: a vertical bolt at the top of the door, with the stud protruding from the side of the bolt.]

Sorry if this is a bit patronizing, but a crappy ascii diagram is better than nothing. Now you have something to visualise. Now, how that slip & pull tool works is you hold the string in your hands at the other end from the plastic strip and slip the plastic strip, string end first, through the gap in the door. Now, you loop the string around the stud on the bolt on the inside of the door. Slide the plastic strip out while keeping the string looped on the stud. You will now be able to pull the string and it in turn will pull the bolt to the open position. Tada! Here is a diagram of where to insert the tool:

[ASCII diagram, garbled in this copy: the same double doors, with '*' marks at the tool insertion points for vertical bolt 1, the horizontal bolt and vertical bolt 2, and 'x' marks closer to each bolt.]

The '*'s indicate the slip & pull tool insertion points for each bolt. So you slip the tool in, grab the bolt and then work the string around the gap in the door until you are at a point where you can provide a force opposing the bolt. You'll notice there are also 'x's on the diagram. These are for inserting the tool closer to the bolt and working the string around more afterwards.

The horizontal bolt is opened basically the same way, only you either have to work the string right around the door frame afterwards, or grab the bolt from the other end of the door. Remember though, the horizontal bolt doesn't have a stud on the end. It is a bolt like the ones on a gate; it has a kind of angled end that you grab onto. You will also need to lift it up so that it can get past the stop before you apply your pulling action. If you don't understand, go to a gate with this type of bolt and examine it.
When opening, the vertical bolt should be done last, and first when closing. This is so that if you need to work the string around the door jamb, it will not get caught on the vertical bolts.

Now you know the technique; what you need to know now is the exact location of the bolts on the inside of a door that you can't see. Simple, the slip & pull tool was designed with this in mind. Take the end of the plastic strip that doesn't have the string through it and slip it through the gap in the door at about where you think the bolt is. Now slide it across until it gets stopped by the bolt ... and that's where the bolt is! You can also work out where the bolt is by pushing on the door and seeing where it won't push inwards, but using the slip & pull tool is more specific (I should patent it I reckon!)

I know you've been thoroughly amazed at the Slip & Pull Tool (TM) 2000 Marlin, but there is another use for it! CLOSING the bolts. I'm not going to draw another diagram, but using the same principle, after you've had a merry night out and closed the doors of the exchange, you can grab hold of the stud on the bolts, work the string around to the opposite (now opposing) position and pull the bolts closed! Untraceability++ !!! If you think you will have trouble with this, you could always leave by the main door after locking the bolts from the inside to increase your untraceability.

It's not over yet. Windows can be opened similarly. I have gone over getting past the bars. But what about if you don't want to smash the window? Use the slip & pull tool. Remember in the first section I said they are locked and opened by a lever? Examine the diagram:

[ASCII diagram, garbled in this copy: the window seen from the inside, with the lever, a '*' insertion point and an 'x' mark, just like the diagram of the door.]

Look! There is a '*' and an 'x' just like the diagram of the door! Same principle. Slide the tool in, grab the end of the lever and pull 90 degrees to the left to open. Can be closed again by doing the opposite.

Contact Switches
================

I went over contact switches quite extensively in the first manual, but there is a new method I'd like to introduce that I have had some success with in test situations. From Jaycar Electronics you can get some highly powerful 'rare earth geo' magnets. You can also purchase thin sheet magnets (the kind of thing that those fridge calendar magnets from real estate agencies are cut from). The way you use them is by sliding the sheet magnet in between the contact switch, with the powerful magnet on the protruding end increasing the power of the sheet magnet. The sheet magnets themselves are not powerful enough to pull the reed in the contact switch, but combined with the rare earth magnets, they are.

If the door opens inwards the best thing to do (although the previous method can be used in combination) is to follow the part of the door where the contact switch is with your powerful magnet to keep up the magnetic field on the reed in the contact switch (if you need more explanation on what the reed is, read the first manual). Remember that it is possible to locate the contact switch by using a compass to determine its location. In my tests at exchanges, the compass has merely pointed to the contact switch magnet rather than spinning, which I guess is actually more convenient ;) Use this to check the internal doors for contact switches as well, or just avoid using them like I do. Lastly, keep rare earth geo magnets away from floppy disks you might be taking with you, as they can fry them real good.

Door Destruction
================

For getting into exchanges via the secondary doors we have identified two obstacles that need to be bypassed to gain entry: bolts and contact switches. For the more destructively minded, there are some additional techniques that can be used. For doors that open inwards, the top of the door jamb can be pried out to gain better access to the contact switches.
Then of course, the jamb will be broken, but it may be possible to glue it back on.

When you go and have a look for yourself at these secondary doors, you will notice how weak and old they are. You may even notice that they are basically planks of wood glued or nailed together to form a door. It is entirely possible to take a crowbar and break a hole in the door by prying apart and snapping the pieces of wood, or, getting a hacksaw or grinder and cutting a hole in the door on a rainy night. This is destructive, but ensures complete bypass.

Schools Of Entry
================

Just to summarise and to let you know what options you now have, let us examine how the techniques described can be used :

1. Non-Damaging, untraceable, but set off alarm : Quick in and out : Manipulate bolts on side door or pick lock on main door and don't worry about contact switches.

2. Non-Damaging, untraceable and try bypass the alarm : Prolonged stay : Manipulate bolts on side door or pick lock on main door and attempt to use one of the contact switch bypass techniques described above.

3. Damaging, but bypass the contact switches easily : Prolonged stay, but once off. You won't be able to go back : cut a hole in the door or pry out door jamb.

4. Non-Damaging and ring after hours centre : Prolonged stay : Pick lock or use stolen credentials to open main door and ring the after hours centre.

5. Damaging and ring after hours centre : Prolonged stay but once off : Drill lock or EACS solenoid (see first manual) and ring after hours centre.

There are, of course, variations on this and other schools of entry based on other techniques; this just puts it together for you and gives you an idea. I have no doubt that you can imagine some more 'schools' for you to use. The advantage to using a non-damaging method is that they will most likely think it a false alarm and you can come back and do the same thing again some other time.
Appendix 1 : Responsibilities For Credential Users
==================================================

This is basically a verbatim copy of a Telstra doco. It is highly relevant as you will see as you read :

001 813-F01 : Credential User Instructions, Obligations & Conduct

Responsibilities For CREDENTIAL USERS

GAINING ACCESS

1. Locate the EACS card reader, check normal operation by the presence of an orange LED. Report any other condition to the AMC or NSC (after hours).

2. Pass the EACS card within 100mm of the reader. A green LED will mean the subsequent unlocking of the door (within one second, and the door will remain unlatched for approximately 10 seconds). A red LED will mean that the credential is not programmed for access; assistance should be sought via AMC, CMCC, or NSC (after hours).

STANDING SECURITY INSTRUCTIONS

1. Ensure that door closes after entry; do not allow other unauthorised persons access.

2. If entry is required outside of normal working hours (Mon-Fri 07:30 - 17:00) Security Company MUST be advised. Phone 1800 xxx xxx (IVR) [<-- same as after hours centre #]

3. Locate the Intruder Alarm Panel (IAP) if required and enter PIN. (Not applicable in WA). This will disarm other door alarm inputs to EACS. Sites will progressively be retrofitted with LMO (Last Man Out) which will replace IAPs and automate disarming of non-EACS inputs.

4. Locate and notate Site Log.

5. Egress may be possible via other perimeter doors but DO NOT LEAVE THE BUILDING VIA ANY OTHER DOOR.

6. When ready to leave ensure site SECURE AND RUBBISH REMOVED.

7. Before exit complete site log, re-arm control panel or activate LMO button as required. Notify AMC/NSC if LMO LED does not light. Advise Security Company 1800 xxx xxx (IVR).

8. Ensure door is locked.

OBLIGATIONS

1. It is the responsibility of ALL PEOPLE on Telstra property to work safely, to protect others from possible hazard, and abide by all Occupational Health and Safety rules.

2. Welding, dust generation or other activity likely to cause equipment failure, or generate alarms must not be carried on without prior approval of Area Field Manager.

3. NO SMOKING in Telstra Buildings.

4. When working in Exchanges all exterior doors must be kept locked.

5. Wearing of ID passes is mandatory in all Telstra Buildings.

6. No mobile phones, 2 way radios or camera flashes are to be used in any equipment room.

7. For security reasons, don't mark or attach EACS cards to any other identifiable item.

CONDUCT

1. Credentials are not transferable.

2. No other person should be given access with your credential.

3. Users must personally return credentials.

4. The recipient of a Credential must take due care to guard against loss or damage.

5. Loss must be reported to a CMCC or NSC (after hours).

CMCC : Tel 08 9491 xxxx
NSC  : Tel 1800 xxx xxx [<-- same as after hours centre #]

Appendix 2 : Social Engineering The After Hours Centre
======================================================

You might have seen a yellow sticker on the outside of exchanges :

  This Building Is Security Alarmed, Contact The After Hours Centre Upon Entry

So, after you've entered the exchange, that's what you've got to ring to verify yourself. Well, the After Hours Number is: 1800 xxx xxx

This is basically a paging service. You give the bitch the info, she types it in to her computer and it appears on the screen of the NSC (Network Surveillance Centre) (aka. NOC, Network Operations Centre). Fire and Gas alarms are also monitored here, and I imagine network faults, trunk depressurisations etc. are monitored here as well. This is located in Melbourne so it should be pretty much Australia wide as I called it from Perth.

When the bitch answers she will say something along the lines of:

  "Hello, welcome to Telstra Corporation, what is your name and designation?"

You won't be prompted for the answer to each question, so you'll have to just give it.
You need to tell her :

  YOUR NAME
  YOUR DESIGNATION (Department)
  THE NAME OF THE EXCHANGE
  CONTACT NUMBER (Number of the exchange or mobile number)
  REASON FOR BEING THERE
  WHAT TIME YOU'LL LEAVE

Name : Don't know if any old name will be accepted, but you can get the names of legitimate exchange staff easily enough by going through the dumpsters for letters etc.

Designation : This basically means the department in Telstra you work for. This one could have been hard, only I found an entire stash of exchange entry logbooks in a dumpster and so have a whole load of legitimate responses ...

  C&C (Commercial And Consumer : They are linesmen, exchange staff etc.)
  TBS (Telstra Business Solutions : Do some exchange work that is used by business, for example servicing the Tran$end units.)
  NDC (Network Design & Construction : in charge of the hardware maintenance and setup)

Exchange : Look on the sign outside (It is the suburb name.)

Contact Number : Ring ANI directly before you ring the after hours centre.

Reason : Back to the logbook ... You are supposed to tell them the exact pair, line etc. you are looking at, but looking through the logbooks, no-one actually does it and in some cases it is not applicable. You should also match your reason with your department, eg :

  C&C : Check Main Pair
  TBS : Tran$end fault
  NDC : Equipment recovery (heh)

I have heaps more, they are just the only ones I can remember off hand.

What time you'll leave : Simple, just estimate how long whatever it is you're really going to do will take you (within reason) and if you want to take a long time .. the reason they need this info is because the NSC will get another alarm when the door is opened and closed by you on the way out, because there are no area sensors in the exchanges. So, you can just open and shut the door and stay in. They'll crap themselves when you actually leave, but you'll be gone then anyway.
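The alarm flow the appendix describes (door contact raises an alarm at the NSC, the visitor rings the after hours centre and gives a leave time, a second door alarm on the way out) is exactly what a monitoring centre has to correlate, and the article points out the two gaps: no area sensors, and a declared leave time that is taken on trust. As an added example, not from the zine or from Telstra, here is a small correlator over constructed event records that flags door alarms with no verification call, door activity after the declared leave time, and use of a secondary door. Site names, times, field names and the grace period are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed records, not real Telstra data. A door-contact event as the
# NSC would see it: site, which door, and when. "main" is the EACS door;
# anything else is a secondary perimeter door.
@dataclass
class DoorEvent:
    site: str
    door: str
    at: datetime

# Constructed after-hours centre log entry: who rang, for which site, when,
# and the leave time they declared.
@dataclass
class Verification:
    site: str
    name: str
    called_at: datetime
    leave_by: datetime

GRACE = timedelta(minutes=15)  # assumed: how long a visitor has to ring in after the door opens

def correlate(events, verifications):
    """Return a list of (site, time, reason) findings.

    Rules, taken from the process the article describes:
      1. A door alarm not covered by a verification call is unverified.
      2. A door alarm after the caller's declared leave time means the site
         was not empty when the log said it was, so it is raised rather than
         written off as the visitor leaving.
      3. Activity on any door other than the main EACS door is flagged, since
         the standing instructions require the main door only.
    """
    findings = []
    for ev in sorted(events, key=lambda e: e.at):
        covered = any(v.site == ev.site and v.called_at - GRACE <= ev.at <= v.leave_by
                      for v in verifications)
        after_leave = any(v.site == ev.site and ev.at > v.leave_by for v in verifications)
        if ev.door != "main":
            findings.append((ev.site, ev.at, "secondary door used"))
        if not covered and after_leave:
            findings.append((ev.site, ev.at, "door alarm after declared leave time"))
        elif not covered:
            findings.append((ev.site, ev.at, "door alarm with no verification call"))
    return findings

def sample_findings():
    """Constructed scenario: a visit verified to end at 23:00, a door cycle at
    22:58 that looks like the exit, a real exit at 01:30, and a side-door
    alarm at another site with nobody ringing in."""
    t = datetime(2001, 8, 10, 21, 55)
    events = [
        DoorEvent("SiteA", "main", t),                                    # entry
        DoorEvent("SiteA", "main", t + timedelta(minutes=63)),            # 22:58 door cycle
        DoorEvent("SiteA", "main", t + timedelta(hours=3, minutes=35)),   # 01:30 real exit
        DoorEvent("SiteB", "side", t + timedelta(hours=1)),               # 22:55, no call
    ]
    verifications = [
        Verification("SiteA", "J. Bloggs (constructed)", t + timedelta(minutes=5),
                     t + timedelta(minutes=65)),                          # called 22:00, leave by 23:00
    ]
    return correlate(events, verifications)

if __name__ == "__main__":
    for site, at, reason in sample_findings():
        print(f"{at:%H:%M} {site}: {reason}")
```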
~-~-~-~-~-~-~- Telstra News ~-~-~-~-~-~-~-

- Phreakau Team

Here is a collection of the more interesting articles we obtained from various Telstra internal news publications over the 2000-2001 period. Be sure to check out the Keylink (Minerva) one just below.

New Solutions For Customers As KEYLINK Shutdown Complete
========================================================

AFTER almost 20 years active service the KEYLINK electronic mail system has been withdrawn from the marketplace, with the operating platform closed last month.

KEYLINK was widely used in Telstra and by over 1500 major customers including banks, insurance companies, retailers and suppliers. Most customers used it as an integral part of more complex communications applications, such as ATM networks, warehousing recording and distribution systems.

As the system could not be made Year 2000 compliant, a project was set up to 'exit' KEYLINK and design and implement strategies to migrate users to new solutions.

Robyn Batty, Project Director, Network and Technology Group (NTG), said it was a challenging task involving managers and work groups throughout the company.

"The project team identified some standard options and solutions to be used by the Telstra Business Solutions (TBS) sales team to guide their customers through migration," Robyn said.

'Huge Undertaking'

"The migration of 16,500 mailbox users was a huge undertaking. In a co-ordinated effort, Telstra's Year 2000 Programme, TBS sales teams and project staff from TBS, Convergent Business and NTG met challenging timeframes with minimal disruption to our customers."

Many customers have migrated to other Telstra products such as Trading Solutions and Big Pond applications.

To celebrate the success of the project, a 'twin' function was held in Sydney and Melbourne, linked by a videoconference. More than 40 staff were awarded Certificates of Achievement for their role in the exit project.
Negba Weiss-Dolev, Director, Year 2000 Programme, said the success of the KEYLINK exit was a tribute to excellent cross business unit co-operation and team work.

"The exit also featured outstanding project management and the keen desire of those involved to maintain services to customers, while meeting the challenging timelines imposed by the new year transition," Negba said. "Congratulations to all involved on a job well done."

[This was an article on the X.25 Keylink system. Some of you may know this system as Minerva. Some replacement systems can be found at : http://www.albury.net.au/~asteris/ and http://partners.bigpond.com/tradelink/index.htm]

Combating The Payphone Vandals
==============================

TELSTRA has scored several important wins in the ongoing battle against payphone theft and vandalism.

An undercover payphone surveillance operation in the Sydney CBD, conducted in partnership with the New South Wales Police, is catching out vandals and significantly reducing payphone vandalism and fraud. An operation in Melbourne also led to a number of arrests.

Telstra continues to modify the standard payphone to deter criminal activity. Latest developments in this constant cycle of innovation to overcome criminal creativity include an electronic shutter, which prevents tampering with the coin entry, modifications to the payphone case, and improved remote monitoring of payphones. A number of fraud prevention activities have also been successfully carried out.

Steven Cherry, national operations manager outn@bout, said staff played a key role in the latest breakthroughs against payphone vandalism.

"Many outn@bout staff in the metropolitan areas and large regional centres, along with Infrastructure Services staff throughout the rest of Australia, are doing a magnificent job in maintaining payphone services," Steven said.

"Overall, payphone serviceability - that is, the number of payphones operating properly at any one time - is now at 94 percent, an 18-month high. The target is to get this up to 97 percent by mid-year."

People in the community have also done their bit to stamp out vandalism and fraud. According to Brendan Cass, national manager security, outn@bout, more than 20 people were given rewards by Telstra for reporting acts of vandalism that have led to convictions. Telstra offers a reward of up to $1000 for information that leads to the conviction of a payphone vandal.

Vandalism of payphones costs Telstra $10 million a year. Telstra has 35,000 payphones and 600,000 customers using them every day.

In the first two weeks of the ongoing campaign which began in the Sydney CBD late last year, dubbed Operation City Safe 7, police arrested 91 people on 152 charges for offences related to payphone vandalism. A further 12 were charged for more serious offences following their arrest for payphone vandalism.

The ongoing operation is targeting a number of vandalism hotspots including the Town Hall, Martin Place, Wynyard and Circular Quay precincts and Central Railway Station.

"Operation City Safe 7 is significantly reducing the level of vandalism to our payphones and through our partnership with police in the coming months we will continue to catch and charge offenders," Steven said.

In the targeted areas there has been a 13 percent reduction in visits by Telstra technicians and an 18 percent reduction in customer reported faults.

Operation City Safe 7 builds on the success of Telstra's community-based initiative PhoneWatch, which encourages people to report acts of vandalism against payphones to Telstra on 132200 or to the police.

The electronic shutter enables the payphone to sense that the coin entry is blocked, and shuts the entry so that thieves cannot access the coins.
The problem is reported automatically back to headquarters, and a technician can then go and clear the blockage, and the payphone is back in service.

About 200 electronic shutters have been installed in the Sydney and Melbourne CBDs. They have been so successful that it is now planned to roll out about 11,000 nationally.

Software And Staff Block Email Virus
====================================

TELSTRA fault system software, and the action of a number of global connect staff, kept the crippling ILOVEYOU virus out of the network last week.

Staff in IT Services and Internet Operations worked throughout the night on Thursday 4 May to stop infected email messages contaminating the network and entering via the internet email gateway.

In addition, the anti-virus technology operated by IT Services as part of the SOE Networks was able to deploy the most up-to-date anti-virus pattern file. These files can detect and clean any instances of the virus, or variations that result from the virus.

There is anti-virus software in our email and messaging system, our internet firewall, the LAN servers, desktop and notebook PCs. All systems have software regularly upgraded with the most recent 'pattern files' so that the scanning programs can identify new viruses. If viruses are detected, alarms are sent via Telstra's intranet network to the FOCUS IT alarm system and the Network Control staff are notified.

In the case of the Love Letter Virus, Telstra was also notified by two of its major SOE suppliers. The anti-virus company Trend Micro and the computer manufacturer Compaq both informed Telstra - and staff were able to swing into action. A filter was applied to all incoming email and the specific pattern file for the ILOVEYOU virus was deployed. Overall, Telstra systems and users were very well protected.
In the few isolated instances where the virus did make it through the firewall before the filter was in place, staff worked tirelessly, scanning and cleaning the millions of mail messages that exist within the company.

Graham Bull, general manager, IT Services said: "A critical situation such as this one highlights the risks which now exist in an online world and really tests the capabilities of both our contingency systems and our staff.

"I am confident that we have the capacity and expertise within our workforce to protect our systems from elements that could be detrimental to the smooth running of our business. I congratulate the individuals that worked around the clock to ensure that the virus had little, if any, impact within Telstra," he said.

~-~-~-~-~-~-~- Links ~-~-~-~-~-~-~-

Just to give you something to read until our next issue comes out :

http://phreakaus.oz-net.org <=> Dark Thief's site
http://phreakau.fuxya.org <=> Our homepage
http://www.opentelco.net <=> Nice page for SS7 and GSM stuff
http://www.scard.org/gsm/a3a8.txt <=> Info on algorithms
http://jya.com/crack-a5.htm <=> Discussion of GSM encryption algorithms
http://www.phreak.co.uk/teknix/phreaking/docs/axe10.html <=> Ericsson AXE10 Digital Switch Info By Keltic Phr0st
http://dtmf.org/hybrid/files/hybrid-files/AXE10.txt <=> Local AXE10 Exchange Subsystems By Hybrid
http://www.acif.org.au/ACIF/display/metapublist.cfm?page_id=5706&source=482 <=> Australian Communications Industry Forum Publications
http://www.mindrape.org/zines <=> Australian Ezine Archive, Zines referred to here can be found there
http://bbs.onecenter.com/ausphreak <=> Zaleth's great public phreaking forum

~-~-~-~-~-~-~- END ~-~-~-~-~-~-~-