
   (--------------------------------------------------------)

                          Art of Phreaking I
                         by Electronic Vampyre

   (--------------------------------------------------------)

Preface: In my dealings with PiRaTeS nationally i have found that many know
little about phreaking. Furthermore, phreaking seems to be an arcane art that
only the revered elite know. Every PiRaTe knows the basic k-rad
phreak stuff (c/na loops, ANI, COCOTs, etc.) and basic circumvention methods
(boxes, c0dez, etc.) but most lack the hard core info of phreaking. PiRaTiNG
incorporates all aspects of P.H.A.C.C.V. but the "P." seems to be replaced by
a "C." for c0dez. This is intended to inform the uneducated; if you are
already knowledgeable in the aspects of phreaking then skip this.

Initially i will examine the procedures of dialing (both domestic and
international) and the numbering plans for each.

DOMESTIC DIALING
----------------
In the United States and Canada telephone numbers are based on a ten digit
dialing code (better known as the network address or destination code). The
breakdown of this code is as follows:

        - a 3 digit Number Plan Area (NPA) code (aka Area Code). This tells
the switching equipment where to send the signal.
        - a 7 digit telephone number. This number consists of a 3 digit
Central Office (CO) code, to further direct the signal, and a 4 digit station
number.
        - all numbers consist of the following format:

            NPA    Telephone Number
            ---    ----------------
            N*X      NXX  .  XXXX

            N = a numerical digit with a value of 2-9
            * = a numerical digit with a value of 0 or 1
            X = a numerical digit with a single value (0-9)
            
The NPA breaks into two types of numbers, Area Codes and Special Access Codes
(SAC's). The area code represents an area within one state's boundaries and
all the numbers within it. A list of area codes can be obtained from your 
trusty white pages. SAC's are found nationally and can be used from any
telephone within the North American Numbering Plan. SAC's include the
following:

            510 - USA TWX services
            610 - Canadian TWX services
            700 - Specialized Telephone Company uses
            710 - USA TWX
            800 - Wide Area Telephone Services (WATS)
            900 - Dial-it services
            910 - USA TWX
            
    - TWX SAC's
The SAC's of TWX (Telex ][) consist of the TWX numbers above; these are owned
and utilized primarily by Western Union. Each number is routed to a normal
telephone number and will always respond with an answerback. The baud rate
for these SAC's is 110.

    - 700 SAC
The 700 SAC is used for specialty services. The 700 SAC is similar to that
of the WATS and 900's, for it encompasses normal dial-in calls. When the number
is generated, the customer decides whether it is to be a toll (pay) call or
charged to the generating customer. Examples of 700 SAC's:

            1.700.555.4141 (toll free) - this allows the customer to check
                                         their long distance carrier. 
            1.700.456.1000 (toll) - AT&T Alliance number to initiate an 
                                         immediate non-meet me conference.
            Others: AT&T Alliance toll meet me conferences.
                    AT&T Easy Reach - This is a new service that allows a
                                      customer to have all calls to a
                                      predetermined 700 number sent to their
                                      present location phone number. These
                                      calls to the 700 number can be either
                                      free or toll depending on the type of
                                      service the customer requests. For more
                                      info call 1.800.222.0300.

     - 800 SAC
This SAC is the favorite of most PiRaTeS for it allows for toll-free calls.
Many c0dez, dialups, VMB cities, etc. are found within this domain. There are
two types of WATS (800) services.

         Inward WATS (INWATS) - The inward dial wide area telecommunications
service is the most common and best known. These are established in 6 service
areas or BANDS. A level 6 band is available nationally with the exception of
the originating state (usually there is another INWATS number for this area,
better known as INTRASTATE WATS).
Band 5 INWATS incorporates the 48 continental states. This continues until
band 1 is reached, where service is only included to the state and neighboring
states. When dialed, the INWATS number causes the CO to search for the
company's first available line. It searches sequentially until an available
port is found; if none is found it returns a busy signal. Usually a minimum of
2 lines is required for an INWATS number (personal 800 numbers differ). Billing
of an INWATS number is based on time spent on the number.
    * NOTE - The ANI when calling an INWATS can be circumvented by having your
local TSPS operator dial the number for you.

         Outward WATS (OUTWATS) - These are 800's used by large companies for
large-volume, discounted outward dialing. These are used primarily because
these services are given with bulk-rate discounts. They DO NOT allow inward
calls. Their format consists of:

       (800) *XX.XXXX
       * - numerical digit of 0 or 1
       X - numerical digit of 0-9.
The specific *XX identifies the type of services and calling zones.                                                     

    - 900 SAC
This SAC allows for dial-it services. It has flat rate standardized costs. 
These are primarily used for voting, quiz calls, etc.

Along with the above listed SAC's there are also others known as CO Codes. 

        555 - Directory Services
        844 - Time    \_ these are more commonly found in the 976 exchange
        936 - Weather /  TIME - 1.800.844.3434  WEATHER - 1.800.936.XXXX
        950 - Extender Services
        958 - Plant Test
        959 - Plant Test
        976 - Dial-it Services
        
ANI and Ringback are considered special CO codes and vary from area to area.

  950
  ---
This is a code given to large companies to allow their employees to call
toll-free from any location, with all charges billed to the company.

  Plant Test Numbers
  ------------------
ANI (Automatic Number Identification) - This tells you the number that you are
calling from. This number is free and can be used from any phone within the 
network. This is intended for linemen to have access to the number they are 
dealing with when they clip into a line, etc.

Ringback - This allows for you to make the phone you are at ring. This number 
is free when dialed within the network. This is intended for linemen to be
able to test a phone's ringing capabilities and other related things. (This
is the number every elementary child uses to make the pay phones ring.)

  X11 Codes 
  ---------
          011 - International Dialing Prefix
          211 - Coin Refund Operator (in 6i9 this number also incorporates ANI)
          411 - Local Directory Assistance
          611 - Repair Services
          811 - Business Offices
          911 - Emergency
          
  976
  ---
These are the dial-it services that allow the destination number to set the
billing rate (via ccd's). This is primarily used by party lines, porno lines,
and live interaction telephoning.
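
The format rules and code tables above, applied to dialed strings the way a PBX administrator might sort call records. This is an added example, not part of the original file; the function names, the handling of a leading 1 and the sample log are constructed assumptions.

```python
import re

# Tables copied from the lists in this file (its early-1990s assignments).
SAC = {"510": "USA TWX", "610": "Canadian TWX", "700": "Specialized Telephone Company uses",
       "710": "USA TWX", "800": "WATS", "900": "Dial-it services", "910": "USA TWX"}
CO_CODES = {"555": "Directory Services", "844": "Time", "936": "Weather",
            "950": "Extender Services", "958": "Plant Test", "959": "Plant Test",
            "976": "Dial-it Services"}
X11 = {"011": "International Dialing Prefix", "211": "Coin Refund Operator",
       "411": "Local Directory Assistance", "611": "Repair Services",
       "811": "Business Offices", "911": "Emergency"}
NPA_RE = re.compile(r"[2-9][01][0-9]")  # N*X
CO_RE = re.compile(r"[2-9][0-9]{2}")    # NXX
# Constructed sample of dialed strings, as they might appear in a PBX call log.
SAMPLE_LOG = ["1.700.555.4141", "1-900-555-0100", "976-0100", "619-555-1212",
              "800 123 4567", "234-567-8901", "911"]


def classify(dialed):
    """Return (kind, detail) for a dialed string, using the file's format rules."""
    digits = re.sub(r"\D", "", dialed)
    if digits in X11:
        return ("x11", X11[digits])
    if digits.startswith("011"):
        return ("international", digits[3:])
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]                       # assumed: drop the leading 1
    if len(digits) == 7:
        npa, co = None, digits[:3]
    elif len(digits) == 10:
        npa, co = digits[:3], digits[3:6]
        if not NPA_RE.fullmatch(npa):
            return ("invalid", "NPA is not N*X")
        if npa == "800" and co[0] in "01":
            return ("outwats", "800 *XX format")  # *XX exchange, so not NXX
    else:
        return ("invalid", "unexpected length")
    if not CO_RE.fullmatch(co):
        return ("invalid", "CO code is not NXX")
    if npa in SAC:
        return ("sac", SAC[npa])
    if co in CO_CODES:
        return ("co_code", CO_CODES[co])
    return ("ordinary", (npa or "local") + "-" + co)


def dial_it_calls(call_log):
    """Return the entries that fall in the dial-it (900 SAC / 976 CO code) ranges."""
    return [n for n in call_log if classify(n)[1].lower() == "dial-it services"]
```
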

    * The following is a list of unpublished and unclaimed 3 digit prefixes 
and NPA numbers. The telephone company utilizes these for their own purposes
and testing. Scan away and see what you can find.

       Area             Numbers
       ----             -------
       200              201-10, 212-19, 227, 240-57
       300              320-36, 360-89
       400              391-419
       500              
       600              635-55
       700              769-81
       800              820-44, 846-99
       900              946-64
       

NON U.S. & CANADIAN DIALING
---------------------------
With international dialing the world has been separated into 9 zones. To dial
an international number the format must include:

        International Prefix + Country Code + National Number
   eg.    011                +  XXX         + XXX.XXXX
   
In making a call the prefix of 011 can be switched with the prefix of 01. The
011 prefix is used in International Direct Distance Dialing (IDDD), while the
remaining prefix (01) will contact an operator for assistance.
The country code is a number varying in size from 1-3 digits with the world
numbering code as the initial digit.

For example:

        1 - North America (USA & Canada)
        2 - Africa
        3 - Europe
        4 - Europe
        5 - Non US North America
        6 - Australia
        7 - U.S.S.R.
        8 - Asia
        9 - Asia

   * Note the country code of 87X is reserved for Maritime Mobile
     communications. 

        871 - Atlantic Ship Communications
        872 - Pacific Ship Communications
        873 - Indian Ocean Ship Communications

All calls originating from the US & Canada are routed through "gateway" cities.
These 4ess's are the International Switching Centers (ISC's) for country
code 1. Each ISC must convert the US signaling system of MU-255 to the
international system of CCITT.

                'Nuff Said 'bout the network.
                
Let's continue into the world of phone system operators and simple office 
structure.
In the NPA system of North America, every switching office is assigned an
official name and class of operation. Depending on the duties performed, each
is assigned a numerical value from 1-5. Your local CO is usually a non-toll
facility that performs simple routing tasks and is thus a class 5 end office.
All long distance calls leave your CO and get routed to another non-class 5
toll office. In addition to the other class offices (1-4) there are also
class 4x (called intermediate points) offices and Remote Switching Unit (RSU)
offices (a 4x office with an unattended exchange incorporated with it).

  Class       NAME           ABBREVIATION
  -----       ----           -----------
   1     Regional Center          RC
   2     Sectional Center         SC
   3     Primary Center           PC
   4     Toll Center              TC
   4P    Toll Point               TP
   4X    Intermediate Point       IP
   5     End Office               EO 
   R     Remote Switching Unit    RSU
 
When a call is initiated from your house it is sent to your local CO (EO),
where it is sent along to its destination. The CO tries to find the shortest
path between itself and the destination end office. It initially tries
inter-office trunk lines, but if none exist it searches for the next highest
office (usually a class 4 toll center of some sort). If that trunk line is
busy or cannot be handled, the call is sent to another office or descends the
office hierarchy (next highest office) until it reaches its destination.
While end offices are in abundance, the class 1 regional center (RC) is rare.
These offices provide the foundation of the entire network.

   * NOTE - When directing the INWATS number through the TSPS operator the
ANI for your call will produce a number with the prefix of your closest RC 
and the remainder of 0's. The network assumes that your call is from within 
the system and is circumvented. From 6i9 the ANI when dialed this way would 
read 7i4.000.0000.

              More information of the network is another phyle.     
       This is just an overview to get you acquainted with the system.
       
In everyone's phone experience (especially any phreak or hack's), it is 
inevitable that you will speak to an operator at one time or another.
The following is a list of the more common operators and their abilities.

  TSPS Operator
  -------------
This is the standard "0" operator. Their job is basically to be the host and
general information giver of the network. They have the ability to connect
you to most of the other facilities within the network and execute simple
tasks (if need be) for the customers. The TSPS (Traffic Service Position
System) operator has immediate ANI and call tracing abilities. They know when
a call originates from a non-COCOT (Customer Owned Coin Operated Telephone) pay
phone and can pull info up on the origin telephone owner. Be cautious when
dealing with these people. [i've found the TSPS op. to be quite nice and easy
to acquire info from; every op. i've spoken to using the social engineer
technique of a student doing a report has been VERY helpful.]

  INWARD Operator
  ---------------
This operator assists your local TSPS operator in making calls. They will 
never question a call within their service area. Usually a TSPS operator can 
direct dial and does not use an inward operator. [On occasion i've
encountered an inward op., they are not too well informed and tend to be 
robot-like ("Number please... Thank you").]

  Directory Assistance
  --------------------
When you dial "information" or any of the name search identification numbers
you speak with a directory assistance operator. They do not have automatic
ANI, nor would they have access to immediate ANI from another location. At
local levels an operator can obtain a number of a person or place but cannot
give unlisted numbers. They are basically an automated white pages. They cannot
cross reference a number by address but can cross reference after an inquiry
is made. [These op.'s know nothing and are not easily susceptible to social
engineering.]

  CN/A Operators
  --------------
The CN/A (Customer Name and Address, now changed to location only in some
areas) operator is an operator accustomed to dealing with other telephone
company employees. The CN/A bureau is designed for linemen (or other 
telephone employees) to easily obtain simple information on a customer solely
from their telephone number. These operators assume that you are an employee 
of the network and are quite liberal with information. Social engineering is 
quite easy and much useful information can be obtained on a person through
the CN/A operator. [In some areas this number is listed in the telephone
book, otherwise it can be obtained from most PiRaTeS.]

  Billing Operators
  -----------------
These are quite powerful operators. They have immediate access to the
information and ANI of the telephone you are calling from. They usually begin
with asking your name and calling number to verify if you are the billing 
person. Social engineering is possible if you are beige boxing, or if you
know all the information on the person paying the bill on the telephone you
are using. They have the ability to perform any task on line maintenance etc.
They are quite knowledgeable and are willing to assist.

  Conference Operators
  --------------------
This operator knows little and can do less. They perform one task and only 
one task. Other than getting information on the different types of
conferences or establishing a conference they are a waste of time to talk to.

  Rogue Operators
  ---------------
These operators are quite knowledgeable and powerful. Their duty is to roam
the network and assist when needed (They are usually powerful supervisors,
etc.). Because of their knowledge and experiences dealing with phreaks, etc.
they are reluctant to give out information (also they are not on the line to
talk, they are there because the operator they are filling in for is busy,
etc.). Like most people they are susceptible to social engineering.

Usually an operator is nice and helpful; if a problem arises with one, be sure
to get their operator number (or name) and ask to speak to their supervisor.
The supervisor is quite helpful and will immediately rectify the situation.

For further information on the network, or if you have more questions on the
system, contact your TSPS operator and request the number to the closest
Research Department.

Next time - Switching equipment, COCOTS, maybe more, maybe less.

                                                    ELeCTRoNiC VaMPYRe '93
