STATION ID - 7047/3.12

9x Datakit Network

FOR OFFICIAL USE ONLY

This is a 9x system, restricted to authorized persons and for official 9x business only. Anyone using this system, network or data is subject to being monitored at any time for system administration and for identifying unauthorized users or system misuse. Anyone using this system expressly consents to such monitoring and is advised that any evidence of criminal activity revealed through such monitoring may be provided to law enforcement for prosecution.

The Switched Route of 1 8oo 746 2936 & 8oo Number setup Networks.
By Hybrid (th0rn@coldmail.com)

In this short file I am going to explain the journey of an 8oo number as it routes its way through the SS7 Phone Protocols. I will use the number 8oo 746 2936 as a working example. I phoned the 8oo number and asked the switchboard operator at the company (a bank in West Palm Beach Florida) for the land line number (561 682 8577). I will explain why I did this later.

Most people are oblivious to the fact that 8oo number allocation and routing is very complex and sophisticated. In this file I am going to illustrate the step-by-step route of this standard 8oo number. Let's say for example you dialed 1 8oo 746 2936 from your home phone. All 8oo service calls are routed via TCAP (Transaction Capabilities Applications Part), which is one of the many protocols in the Switching System 7 (SS7) network. TCAP is used for database queries. With the 8oo number, it first starts at the TCAP level, then goes to the SCCP and then finally to the MTP. Don't be put off by these abbreviations; I have made a list of these mysterious words at the end of this file with full explanations. From the MTP, the message continues to the next node in the layer of protocols, and then travels back through the SS7 protocol.
To make this easier to understand, I have spent ages doing some diagrams. I know they look crude, but they show how this 8oo service routing works:

Example 1 (8oo 746 2936 Service Examples)

I cannot be bothered to make a geographically correct map of the US in this format, so in this example we will assume that the United States is a rectangle. Ignore what you learn at school, 9x is skooling you now, and we say the US is a rectangle:

[ASCII diagram not recoverable. Labels: You dialing 1 8oo 746 2936; Central Office; STP; 8oo Applications Software (global translation); ICN (Inter Exchange Carriers); LATA Boundaries; The terminating line: 561 682 8577; step markers [1,2,3,4] and [5].]

So what's happening here? If you cannot understand my diagram (like me), this is what happens:

[1] You dial 1 8oo 746 2936 and the digits are sent to your central office, which recognises the 8oo number stored in its 8oo applications software package. The central office, along with the SS7 protocol, makes a query message, which is then forwarded to the STP. The coded query message contains instructions to perform a global title translation on 8oo 746 2936.

[2] The STP then looks up 8oo 746 2936 in its translation table, and will produce a destination point code and a subsystem number. The destination point code is the location of the SCP and the subsystem number is the ID of the database within the SCP which is then accessed.
The STP then encodes this information into a message, makes the appropriate link selection and sends the message to the identified SCP.

[3] The SCP then receives your 8oo routing instruction, and a database translates 8oo 746 2936 into an ordinary ten digit POTS number (561 682 8577). The number, along with the pre-selected IC carrier and any information necessary for handling the call, is then encoded into a response message and sent back to the STP. The STP then looks up the destination point code in the message.

[4] The destination point code IDs the originating SSP, and based upon this information the STP will select a link and forward the response message. Using the information in the message, the SSP will enter its signalling mode and select a trunk where it will pass the message off to the appropriate interexchange carrier.

[5] The IC will then send the message across LATA boundaries to the final destination point. Finally, SS7 signalling is used as the message is transmitted to the switchboard in Palm Beach Florida.

All of this routing is determined by the customer's arrangements with the telco. The customer's 8oo routing configuration is stored in a database called the Call Management Services Database (CMSDB). All of this process takes place in a split second and you don't even notice it. Using this method of routing the telcos are able to offer a wide range of 8oo routing options, such as:

Universal numbers (in the UK we call these 'Country Directs', where a toll free number terminates in a foreign country). (Very interesting if the terminating country employs CCITT no.5 Switching ;) For all you people in the US that have no clue where to find 8oo country direct numbers, they are very random in placement.
Here are a few:

British Telecom Chargecard service:
  From Canada:         1 8oo 408 642o
  US: (MCI)            1 8oo 854 4826
      (AT&T)           1 8oo 445 5688
      (SPRINT)         1 8oo 825 49o4

Australia Direct:      1 8oo 682 2878
Austria Direct:        1 8oo 624 oo43
Belgium Direct:        1 8oo 472 oo32
Belize Direct:         1 8oo 235 1154
Bermuda Direct:        1 8oo 232 2o67
Brazil Direct:         1 8oo 344 1o55
British VI Direct:     1 8oo 248 6585
Cayman Direct:         1 8oo 852 3653
Chile Direct:          1 8oo 552 oo56
China Direct:          1 8oo 532 4462
Costa Rica Direct:     1 8oo 252 5114
Denmark Direct:        1 8oo 762 oo45
El Salvador Direct:    1 8oo 422 2425
Finland Direct:        1 8oo 232 o358
France Direct:         1 8oo 537 2623
Germany Direct:        1 8oo 292 oo49
Greece Direct:         1 8oo 443 5527
Guam Direct:           1 8oo 367 4826
Hong Kong Direct:      1 8oo 992 2323
Hungary Direct:        1 8oo 352 9469
Indonesia Direct:      1 8oo 242 4757
Ireland Direct:        1 8oo 562 6262
Italy Direct:          1 8oo 543 7662
Japan Direct (KDD):    1 8oo 543 oo51
Korea Direct:          1 8oo 822 8256
Macau Direct:          1 8oo 622 2821
Malaysia Direct:       1 8oo 772 7369
Netherlands Direct:    1 8oo 432 oo31
New Zealand Direct:    1 8oo 248 oo64
Norway Direct:         1 8oo 292 oo47
Panama Direct:         1 8oo 872 61o6
Philippines Direct:    1 8oo 336 7445
Portugal Direct:       1 8oo 822 2776
Singapore Direct:      1 8oo 822 6588
Spain Direct:          1 8oo 247 7246
Sweden Direct:         1 8oo 345 oo46
Taiwan Direct:         1 8oo 626 o979
Thailand Direct:       1 8oo 342 oo66
Turkey Direct:         1 8oo 828 2646
UK Direct:             1 8oo 445 5667
Uruguay Direct:        1 8oo 245 8411 (Uruguay are on CCITT no.5, hint hint)
Yugoslavia Direct:     1 8oo 367 9841

As well as universal numbering, SS7 8oo services can offer things like time of day/week/year routing, where the customer could have calls routed to different locations depending on the date etc. Calls can also be routed depending on load distribution or system capacity.

Have you ever heard stories of people setting up their own 8oo services?
(Illegit of course) Most people that have done this social engineer telco operators into giving them the service, like setting up an 8oo number to a BBS for example. For anyone that is interested, here is a basic layout of the 8oo number Service Management System (SMS).

SMS/8oo Network Layout:

The telcos have terminals that have direct access links to the SMS so that 8oo services can be sold to customers via the telco companies. The SMS (Service Management System) is the *primary* support system for managing the applications from the telcos to the Service Control Points (SCPs).

[ASCII diagram not recoverable. Labels: DSAC (Dial Service Admin Center); (SNA) Modem Link (x2); SCP; Modem Link (x2); T1 Link (x2); Kansas City Data Center *PRIMARY*; St. Louis Data Center *BACKUP*; SMS *primary* System Network Layout (what the operator you social engineer an 8oo number out of is directly connected to).]

This is what happens when someone wants to set up an 8oo number. The telco company/carrier has direct access to the SMS to determine the 8oo number availability and other stuff. The *PRIMARY* site for the SMS is a data center in Kansas City, which is directly connected to the *BACKUP* facility in St. Louis (via T1). The 2 locations are maintained by a body called The North American Numbering Plan Committee Personnel.
The SMS modem links are connected nationwide, and provide the links to the Dial Service Administration Center (DSAC), which is the local access into the SMS 8oo service admin control gate.

SS7 Acronyms:

A-Links   Access Links
AC        Automatic Callback
ACM       Address Complete Message
AIN       Advanced Intelligent Network
ANM       ANswer Message
AR        Automatic Recall
B-Links   Bridge Links
C-Links   Cross Links
CCIS      Common Channel Interoffice Signalling
CCIS6     Common Channel Interoffice Signalling number 6
CCS/SS7   Common Channel Signalling Switching System 7
CCSSO     Common Channel Signalling Switching Office
CIC       Circuit Management Service Database
CMSDB     Call Management Service Database
CND       Calling Name Delivery
CND       Calling Number Delivery
CNDB      Calling Name/Number Blocking
COT       Customer Originated Trace
D-Links   Diagonal Links
DP        Dial Pulse
DPC       Destination Point Code
DR/CW     Distinctive Ringing/Call Waiting
DSAC      Dialing Service Admin Center
DSOA      Digital Signal Zero
DUS       Data Summary
EAEO      Equal Access End Office
EO        End Office
IAM       Initial Address Message
IC        Interexchange Carrier
ISDN-UP   Integrated Services Digital Network - User Part
Kbps      Kilobytes per second (duh)
LSTP      Local Signal Transfer Point
MTD       Message Transfer Point
NPA       Numbering Plan Area
OCU       Office Channel Unit
OPC       Origination Point Code
REL       Relayed Message
RES       Resume Message
RSTP      Regional Signal Transfer Point
SCA       Selective Call Acceptance
SCCP      Signalling Connection Control Point
SCF       Selective Call Forwarding
SCP       Service Control Point
SCR       Selective Call Rejection
SMS       Service Management System
SP        Signalling Point
SSP       Service Switching Point
STP       Signal Transfer Point
SUS       Suspend Message
TCAP      Transaction Capabilities Application Part

Well that's it for this file. I'll be writing another file soon on CCS, Common Channel Signalling, and possible SS7 Network Security flaws.

Shouts go to Substance and the whole 9x krew.
(http://endless.insomnia.org/9x) Also shouts to DownTime, D4RKCYDE (www.darkcyde.8m.com), W0D (www.wod.8m.com) #darkcyde #9x #b4b0 #legions.
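
The query path in steps [1] to [5] of this file, modelled as a small Python sketch that also covers the time-of-day routing mentioned after the country direct list. This is an added example, not part of Hybrid's file: the point-code names, subsystem number, carrier labels and the 8005550100 record are constructed for illustration; only 8oo 746 2936 and 561 682 8577 come from the text (written here with zeros).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    pots: str     # ordinary ten-digit terminating number
    carrier: str  # pre-selected interexchange carrier (constructed label)

# STP translation table: global title prefix -> (SCP point code, subsystem number).
GTT_TABLE = {"800": ("SCP-A", 254)}  # constructed values
# One database per (point code, subsystem); rules are (from_hour, to_hour, Route).
SCP_DATABASES = {
    ("SCP-A", 254): {
        "8007462936": [(0, 24, Route("5616828577", "IC-1"))],  # numbers from the file
        "8005550100": [(8, 18, Route("5615550101", "IC-1")),   # constructed day site
                       (0, 24, Route("5615550102", "IC-2"))],  # constructed fallback
    }
}

def ssp_query(dialed, opc):
    """[1] Central office: build the query asking for a global title translation."""
    digits = "".join(c for c in dialed if c.isdigit())
    return {"opc": opc, "global_title": digits[-10:]}

def stp_translate(query):
    """[2] STP: global title -> destination point code + subsystem number."""
    target = GTT_TABLE.get(query["global_title"][:3])
    if target is None:
        raise LookupError("no global title translation for this prefix")
    return {**query, "dpc": target[0], "ssn": target[1]}

def scp_respond(msg, hour):
    """[3] SCP: pick the first rule covering this hour; address the reply to the OPC."""
    rules = SCP_DATABASES[(msg["dpc"], msg["ssn"])].get(msg["global_title"])
    if rules is None:
        raise LookupError("8oo number has no routing record")
    route = next(r for lo, hi, r in rules if lo <= hour < hi)
    return {"dpc": msg["opc"], "pots": route.pots, "carrier": route.carrier}

def route_call(dialed, opc="SSP-1", hour=12):
    """[4]/[5] STP returns the response to the originating SSP, which picks the IC trunk."""
    reply = scp_respond(stp_translate(ssp_query(dialed, opc)), hour)
    assert reply["dpc"] == opc  # the response must come back to the office that asked
    return reply["pots"], reply["carrier"]

if __name__ == "__main__":
    print(route_call("1 800 746 2936"))
```
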