guide to the switched route of an 8oo number via the means of SS7 network protocols. also information on DSAC(dial service admin center).
220b86d49b3fc6c96f1c7ea9d4b3dd63bec785bbccf620093c36e68705940e40STATION ID - 7047/3.12
9x Datakit Network
FOR OFFICIAL USE ONLY
This is a 9x system, restricted to authorized persons and for
official 9x business only. Anyone using this system, network or data
is subject to being monitored at any time for system administration and
for identifying unauthorized users or system misuse. Anyone using this
system expressly consents to such monitoring and is advised that any
evidence of criminal activity revealed through such monitoring may be
provided to law enforcement for prosecution.
The Switched Route of 1 8oo 746 2936
& 8oo Number setup Networks.
By Hybrid (th0rn@coldmail.com)
In this short file I am going to explain the journey of an 8oo number as it
routes it's way through the SS7 Phone Protocols. I will use the number 8oo
746 2936 as a working example. I phoned the 8oo number and asked the
switchboard operator at the company (a bank in West Palm Beach Florida) for
the land line number (561 682 8577) I will explain why I did this later.
Most people are oblivious to the fact that 8oo number allocation and routing
is very complex, and sophisticated. In this file I am going to illustrate the
step-by-step route of this standard 8oo number.
Lets say for example you dialed 1 8oo 746 2936 from your home phone. All 8oo
service calls are routed via TCAP (Transaction Capabilitys Applications Part)
which is one of the many protocols in the Switching System 7 (SS7) network.
TCAP is used for database queries. With the 8oo number, it is first starts at
the TCAP level, and then goes to the SCCP and then finally to the MTP. Don't
be put off by these abbreviations, I have made a list of these mysterious
words at the end of this file with full explanations. From the MTP, the
message continues to the next node in the layer of protocols, and then
travels back through the SS7 protocol. To make this easier to understand, I
have spent ages doing some diagrams, I know they look crude, but they show
how this 8oo service routing works:
Example 1 (8oo 746 2936 Service Examples)
I cannot be botherd to make a geographicaly correct map of the US in this
format, so in this example we will asume that the United States is a
rectangle, ignore what you learn at school, 9x is skooling you now, and we
say the US is a rectangle:
_________________________________________________________________________
| You dialing |
| 1 8oo 746 2936 |
| / |
| ___ ____ (Inter Exchange Carriers) |
| | | ____| |===========\ |
| |___| / |____|ICN _||_ |
| | / | |_______________ |
| | / |____| _____\___ |
| \ | [1,2,3,4] ____ | | |
| \ | __________| |============\ | LATA Boundrys |
| __||/ |____|ICN _||_ / | |____ |
| | | | |___/ |_________| \ |
| |___| Central Office |____| \ |
| || [5] | |
| STP || | |
| _|_\_ 8oo Applications | |
| | | | Software | |
| |__|__| (global translation) The terminating _|_ |
| | | line: 561 682 8577 | | |
| | || || | |___| |
| |__| |__| |
|_________________________________________________________________________|
So whats happening here? If you cannot understand my diagram (like me) This
is what happens:
[1]
You dial 1 8oo 746 2936 and the digits are sent to your central office, which
recognises the 8oo number stored in it's 8oo applications software package.
The central office, along with the SS7 protocol makes a querie message, which
is then forworded to the STP. The coded querie message contains instructions
to perform a global title translation on 8oo 746 2936.
[2]
The STP then looks up 8oo 746 2936 in it's translation table, and will
produce a destination point code and a subsystem number. The destination point
code is the location of the SCP and the subsystem number is the ID of the
database within the SCP which is then accessed. The STP then encodes this
information into a message and then makes the appropriate link selection and
sends the message to the identified SCP.
[3]
The SCP then recieves your 8oo routing instruction, then a database will then
translate 8oo 746 2936 into an ordinary ten digit POTS number (561 682 8577).
The number along with the pre selected IC carrier and any information
nessasery for handeling the call is then encoded into a responce message, and
sent back to the STP. The STP then looks up the destination point code in the
message.
[4]
The destination point code ID's the originating SSP, and then based upon this
information the STP will select a link and forward the responce message.
Using the information in the message the SSP will enter it's signalling mode
and select a trunk where it will pass the message off to the appropriate
interexchange carrier.
[5]
The IC will then send the message accross LATA boundaries to the final
destination point. Finally SS7 signalling is used as the message is
transmitted to the switchboard in Palm Beach Florida. All of this routing is
determined by the customers arrangments with the telco. The customers 8oo
routing configuration is stored in a database called the Call Managment
Services Database (CMSDB)
All of this proccess takes place in a split second and you don't even notice
it. Using this method of routing the telcos are able to offer a wide range of
8oo routing options, such as:
Universal numbers (In the UK we call these 'Country Directs', whereas a toll
free number terminates in a foreign country. (Very interesting if the
terminating country employs CCITT no.5 Switching ;) For all you people in the
US that have no clue where to find 8oo country direct numbers, they are very
random in placement. Here are a few:
British Telecom Chargecard service:
From Canada: 1 8oo 408 642o
US: (MCI) 1 8oo 854 4826 (AT&T) 1 8oo 445 5688 (SPRINT) 1 8oo 825 49o4
Australia Direct: 1 8oo 682 2878
Austria Direct: 1 8oo 624 oo43
Belgium Direct: 1 8oo 472 oo32
Belize Direct: 1 8oo 235 1154
Bermuda Direct: 1 8oo 232 2o67
Brazil Direct: 1 8oo 344 1o55
British VI Direct: 1 8oo 248 6585
Cayman Direct: 1 8oo 852 3653
Chile Direct: 1 8oo 552 oo56
China Direct: 1 8oo 532 4462
Costa Rica Direct: 1 8oo 252 5114
Denmark Direct: 1 8oo 762 oo45
El Salvador Direct: 1 8oo 422 2425
Finland Direct: 1 8oo 232 o358
France Direct: 1 8oo 537 2623
Germany Direct: 1 8oo 292 oo49
Greece Direct: 1 8oo 443 5527
Guam Direct: 1 8oo 367 4826
Hong Kong Direct: 1 8oo 992 2323
Hungary Direct: 1 8oo 352 9469
Indonesia Direct: 1 8oo 242 4757
Ireland Direct: 1 8oo 562 6262
Italy Direct: 1 8oo 543 7662
Japan Direct (KDD): 1 8oo 543 oo51
Korea Direct: 1 8oo 822 8256
Macau Direct: 1 8oo 622 2821
Malaysia Direct: 1 8oo 772 7369
Netherlands Direct: 1 8oo 432 oo31
New Zealand Direct: 1 8oo 248 oo64
Norway Direct: 1 8oo 292 oo47
Panama Direct: 1 8oo 872 61o6
Phillippines Direct: 1 8oo 336 7445
Portugal Direct: 1 8oo 822 2776
Singapore Direct: 1 8oo 822 6588
Spain Direct: 1 8oo 247 7246
Sweden Direct: 1 8oo 345 oo46
Taiwan Direct: 1 8oo 626 o979
Thailand Direct: 1 8oo 342 oo66
Turkey Direct: 1 8oo 828 2646
UK Direct: 1 8oo 445 5667
Uruguay Direct: 1 8oo 245 8411 (Uruguay are on CCITT no.5, hint hint)
Yugoslavia Direct: 1 8oo 367 9841
Aswell as universal numbering, SS7 8oo services can offer things like time of
day/week/year routing, whereas the customer could have calls routed to
different locations depending on the date etc. Also calls can also be routed
depending on load distrobution or system capacity.
Have you ever heard storys of people seting up there own 8oo services? (Illi-
git of course) Most people that have done this social engineer telco
operators into giving them the service, like setting up an 8oo number to a
BBS for example. For anyone that is interested, here is a basic layout of
8oo number Service Managment System (SMS)
SMS/8oo Network Layout:
The telcos have terminals that have direct access links to the SMS so that
8oo services can be sold to customers via the telco companys. The SMS
(Service Managment System) is the *primary* support system for managing the
applications from the telcos to the Service Control Points (SCPs)
___________________________
| |
| DSAC |
| Dial Service Admin Center |
|___________________________|
| |
(SNA) Modem Link | | (SNA) Modem Link
________________| |________________
/ _____________ \
/ | | \
| ________________| SCP |__________________ |
| / |_____________| \ |
| / Modem Link Modem Link \ |
| / \ |
| | | |
___|_|_ T1 Link _|_|___
| |=========================================================| |
| |=========================================================| |
|_______| T1 Link |_______|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | \ SMS *primary* System Network Layout / | |
| \ \ (what the operator you social engineer / / |
_|___|___|____ an 8oo number out of is directly ____|___|___|_
| | connected to) | |
| Kansas City | | St. Louis |
| Data Center | | Data Center |
| *PRIMARY* | | *BACKUP* |
|______________| |______________|
This is what happens when someone wants to set up an 8oo number. The telco
company/carrier have direct access to the SMS to determine the 8oo number
availabilty and other stuff. The *PRIMARY* site for the SMS is a data center
in Kansas city, which is directly conencted to the *BACKUP* facility in St.
Louis (Via T1). The 2 locations are maintained by a body called The North
American Numbering Plan Commitee Personnel.
The SMS modem links are conencted nationwide, and provide the links to the
Dial Service Administration Center (DSAC), which is the local access into the
SMS 8oo service admin control gate.
SS7 Acronyms:
A-Links Access Links
AC Automatic Callback
ACM Address Complete Message
AIN Advanced Intellegent Network
ANM ANswer Message
AR Automatic Recall
B-Links Bridge Links
C-Links Cross Links
CCIS Common Channel Interoffice Signalling
CCIS6 Common Channel Interoffice Signalling number 6
CCS/SS7 Common Channel Signalling Switching System 7
CCSSO Common channel Signalling Switching Office
CIC Circuit Managment Service Database
CMSDB Call Managment Service Database
CND Calling Name Delivery
CND Calling Number Delivery
CNDB Calling Name/Number Blocking
COT Customer Origionated Trace
D-Links Diagonal Links
DP Dial Pulse
DPC Destination Point Code
DR/CW Distinctive Ringing/Call Waiting
DSAC Dialing Service Admin Center
DSOA Digital Signal Zero
DUS Data Summery
EAEO Equal Access End Office
EO End Office
IAM Initial Address Message
IC Interexchange Carrier
ISDN-UP Intergrated Services Digital Network -User Part
Kbps Kilobytes per second (duh)
LSTP Local Signal Transfer Point
MTD Message Transfer Point
NPA Numbering Plan Area
OCU Office Channel Unit
OPC Origionation Point Code
REL Relayed Message
RES Resume Message
RSTP Regional Signal Transfer Point
SCA Selective Call Acceptance
SCCP Signalling Connection Control Point
SCF Selective Call Forwarding
SCP Service Control Point
SCR Selective Call Rejection
SMS Service Managment System
SP Siganlling Point
SSP Service Switching Point
STP Signal Transfer Point
SUS Suspend Message
TCAP Transaction Capabilitys Application Part
Well thats it for this file, I'll be writting another file soon on CCS,
Common Channel Signalling, and possible SS7 Network Security flaws.
Shouts go to Substance and the whole 9x krew. (http://endless.insomnia.org/9x
Also shouts to DownTime, D4RKCYDE (www.darkcyde.8m.com), W0D (www.wod.8m.com)
#darkcyde #9x #b4b0 #legions.
___ ___ _____.___.____________________ ____________
hybrid@b4b0.org / | \\__ | |\______ \______ \/_ \______ \
hybrid@ninex.com / ~ \/ | | | | _/| _/ | || | \
hybrid.dtmf.org \ Y /\____ | | | \| | \ | || ` \
---------------- \___|_ / / ______| |______ /|____|_ / |___/_______ /
\/ \/ \/ \/ \/
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed