TOP SECRET//COMINT//REL TO USA, AUS, CAN, GER, NZL//20291123
October 2009

Where are Phone Numbers seen in ...
Phone Numbers are located in MANY parts of DNI traffic
- "Contact Us" parts of web pages
- Signature Lines
- Address Books
- "Leaked" as METADATA in Mobile HTTP traffic
- Collected as converged data from LL traffic
- Collected in signaling of VOIP traffic

Phone Numbers in ...
Looking inside the body of content, the Phone Number Extractor looks for:
- Telephony-related terms in the body of traffic and parses out any digits after that
  Ex: "Tel:" or "Mobile" or "Fax" or ...
- Note that all punctuation is removed, i.e. (92) 928555-555 becomes 92928555555

Phone Numbers ...
Many times phone numbers are in the body of a website
- "Contact-Us"
- Craigslist-like websites listing items for sale
- Forums
Traffic can be TO or FROM Port 80
[Diagram: (client) sends a POST to the Web server containing "Reply: Contact Me 00-91-123456"; (server) returns an HTTP Response, To Port 3434 From Port 80, containing "For more information, contact. . ."]

When a phone number is in the "body" of traffic, like a signature block or a "contact us" line on a webpage, it doesn't have to be normalized. XKS will extract the number exactly how it appears (minus punctuation and leading 0's), which can create problems.
Look what happens to the ... here:
[Screenshot: text not recoverable]

Phone Numbers on Websites
[Screenshot: search form. Search: Phone Number Extractor; Justification: Iranian Phone numbers for ...; Datetime: 3 Days; Start: 2009-10-03; From Port: 80. Other fields shown: Query Name, Additional Justification, Miranda Number, Phone Number, Country]

Phone Numbers on Websites
[Screenshot: results table with columns Phone Number, Highlights, Number Type, From Country, From Port, To Country, To Port; one row of Number Type "telephone"; session content not recoverable]

Phone Numbers in SIG Block
Signature lines are SELECTOR-RICH environments (Emails, phones, names, titles, etc.)
- Many SIG blocks have extraneous characters/numbers
- XKS ignores dashes, parentheses, etc.
- XKS only parses out the numbers after ...

Phone Numbers in SIG Block
[Screenshot: search form. Search: Phone Number Extractor; field text: "... Procurement front company"; Datetime: 3 Days. Other fields shown: Query Name, Justification, Additional Justification, Miranda Number, Phone Number, Start, Stop]

Phone Numbers in SIG Block
[Screenshot: results table (columns Phone Number, Highlights, Number Type, From Country, Port, ...) above a session view between the United States and Lebanon over TCP. The e-mail body is not recoverable; the legible text ends with "Thanks and Best regards", a "Development Manager" title and "You can view our new projects on ..."]

Phone Numbers in HTTP
- HTTP GET Requests contain many "leaked" phone numbers from the providers
- GPRS activity commonly seen with DNR selectors

Phone Numbers in HTTP
[Screenshot: search form. Search: Phone Number Extractor; field text: "Iranian web browsing from ..."; From Port: 80; To Country: IR. Other fields shown: Query Name, Justification, Additional Justification, Miranda Number, Datetime, Start, Phone Number]

Phone Numbers in HTTP
[Screenshot: results table with columns Phone Number, Highlights, Number Type, From Country, From Port, To Country; one row of Number Type "telephone"; below it an ASCII-format session view in which header names such as Content-length and Connection are legible; values not recoverable]

Phone Numbers in HTTP POSTs
- Many times a phone number is submitted in an HTTP session
- If a person fills in a form or replies to an email, the information in the body will be collected

[Screenshot: search form. Search: Phone Number Extractor; field text: "... web browsing from ..."; Datetime: 2 Weeks; Start: 2009-09-24 00:00; To: IR. Other fields shown: Justification, Additional Justification, Miranda Number, Phone Number, Port, Stop]
Phone Numbers in HTTP POSTs
[Screenshot: results table with columns Phone Number, Highlights, Number Type, From Country, From Port, To Country, To Port; one row of Number Type "mobile"; below it a session view of a POST request. Legible request headers: Host: mail.google.com; Accept-Language: fa; Accept-Encoding: gzip,deflate; Connection: keep-alive; Pragma: no-cache; Cache-Control: no-cache. Other header values not recoverable]

Phone Numbers in HTTP POSTs
[Screenshot: results row of Number Type "mobile" with a session viewer (Session Header, Meta, Attachments, Quick Clicks, "Find opposite side of session") and an HTML Formatter view of an e-mail body that includes a "Mobile:" line; remaining text not recoverable]

Mobile DNI
Mobile DNI Collect comes in two main types:
- Convergence of DNR & DNI selectors!
- Mostly from F6 collection
- Most needs to be "near" the infrastructure
- Looks like regular DNI but with "hints" that the source is a cell phone
- Collection could be F6, FORNSAT, SSO, FISA

Mobile DNI: HTTP Activity
HTTP activity comes in two types:
- "Hints" at DNR origins
- Public (proxy) IP addresses
- Convergence of DNR & DNI selectors!
- Usually private IP addresses

Phone Numbers From Converged ...
[Screenshot: results table with columns Datetime, Datetime End, Phone Number, Number Type, Country Code; Number Type "imei" and Country Code "pk" are legible in several rows; remaining values not recoverable]