Everyone has a phone and at least one phone number. Phone numbers are a very common resource for Social Engineering. They are something we use almost every day to communicate, and sometimes we have to deal with unsolicited phone calls or messages. We may also need to gather information about a phone number we found for a company or an individual. Basic information such as line type and carrier can be very useful to a Social Engineer.

Suppose I know your name and your phone number. I could send you a phishing email using your carrier’s mail template, or I could call your carrier’s support service to gather as much information as I can about you. Another example: if the number is a landline, some of its digits tell me the area it comes from. This information is very simple to get without using a tool, but what about going further?

The goal is to gather as much information as possible on the given phone number, including the ITSP or the owner.

An Internet telephony service provider (ITSP) offers digital telecommunications services based on Voice over Internet Protocol (VoIP) that are provisioned via the Internet. (Wikipedia)

Getting technical

First I have to understand the composition of a phone number and how to handle it. A phone number can be written in several formats:

E.164: +3396360XXXX

International: +33 9 63 60 XX XX

National: 09 63 60 XX XX

RFC3966: tel:+33-9-63-60-XX-XX

Out-of-country format from US: 011 33 9 63 60 XX XX

E.164 formatting for phone numbers entails the following:

A + (plus) sign

International Country Calling code

Local Area code

Local Phone number

For example, here’s a US-based number in standard local formatting: (415) 555-2671

© Twilio

Here’s the same phone number in E.164 formatting: +14155552671


In the UK, and many other countries internationally, local dialing may require the addition of a ‘0’ in front of the subscriber number. With E.164 formatting, this ‘0’ must usually be removed.

Another example, here’s a UK-based number in standard local formatting: 020 7183 8750


Here’s the same phone number in E.164 formatting: +442071838750

The country code is essential. Without it, I can’t scan the phone number and determine its country. So the tool will only support the E.164 and International formats.

But wait... what if there were a library to automatically parse information from the number? While searching for resources about phone numbers, I found this magical Google repository: a Java, C++ and JavaScript library for parsing, formatting, and validating international phone numbers. The library also exists in Go, PHP, Ruby, Rust and Python. Hooray! I don’t have to do all the work myself.

To identify basic information, I selected some lookup sites I can use for free, even if I have to use a “hack” to do so. Some websites allow a reverse search for free through their web page but require an API key as soon as you want to use their API. For example, I can replicate the page’s Ajax call to make the same request from my tool. I want my tool to be usable without any API registration.

Identifying the carrier is quite simple because each carrier owns number ranges. For example, if we know the number +33679368314 belongs to Orange (a French carrier), it’s easy to understand that the +3367936XXXX number range is owned by Orange as well. Google, like a lot of other services, has a huge database of these number ranges associated with their carriers. However, in some cases people change carriers but keep their phone number, so the information about the number range becomes invalid.
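To make the formats above, the trunk-prefix rule and the number-range idea concrete, here is an added example (not code from the original post or from Google’s library): it normalises the five listed formats to E.164 and then looks up the country and carrier by prefix. The lookup tables are constructed sample data containing only the numbers discussed on this page, and `default_region` is an assumed parameter the National format needs since it carries no country code.

```python
import re

# Constructed, deliberately tiny lookup tables (hypothetical sample data);
# a real tool uses Google's libphonenumber metadata instead.
COUNTRY_CODES = {"1": "US", "33": "FR", "44": "GB"}
TRUNK_PREFIX = {"US": "", "FR": "0", "GB": "0"}   # local '0' dropped in E.164
CARRIER_RANGES = {"+3367936": "Orange"}            # range from the post
E164_RE = re.compile(r"^\+[1-9]\d{1,14}$")         # ITU-T E.164: max 15 digits


def to_e164(raw, default_region=None):
    """Normalise E.164, International, National, RFC3966 and
    out-of-country-from-US formats to E.164 ('+' followed by digits)."""
    s = raw.strip()
    if s.lower().startswith("tel:"):               # RFC 3966 URI
        s = s[4:]
    digits = re.sub(r"[^\d+]", "", s)              # keep '+' and digits only
    if digits.startswith("+"):                     # E.164 / International
        e164 = digits
    elif digits.startswith("011"):                 # international prefix from US
        e164 = "+" + digits[3:]
    else:                                          # National: needs a region
        if default_region not in TRUNK_PREFIX:
            raise ValueError("national format needs a known default region")
        cc = next(c for c, r in COUNTRY_CODES.items() if r == default_region)
        trunk = TRUNK_PREFIX[default_region]
        if trunk and digits.startswith(trunk):
            digits = digits[len(trunk):]           # strip the local '0'
        e164 = "+" + cc + digits
    if not E164_RE.match(e164):
        raise ValueError("not a valid E.164 number: " + e164)
    return e164


def country_of(e164):
    """Country codes are prefix-free, so try 1, then 2, then 3 digits."""
    for n in (1, 2, 3):
        region = COUNTRY_CODES.get(e164[1:1 + n])
        if region:
            return region
    return None


def carrier_of(e164):
    """Longest matching number-range prefix wins; None when unknown."""
    matches = [p for p in CARRIER_RANGES if e164.startswith(p)]
    return CARRIER_RANGES[max(matches, key=len)] if matches else None


if __name__ == "__main__":
    for raw, region in (("tel:+33-9-63-60-12-34", None), ("020 7183 8750", "GB"),
                        ("(415) 555-2671", "US"), ("+33679368314", None)):
        num = to_e164(raw, region)
        print(raw, "->", num, country_of(num), carrier_of(num))
```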

Using Open Source Intelligence & open data

While learning about security, I discovered Open Source Intelligence (OSINT) a few months ago. OSINT is the collection of information from publicly available and open data sources to be used in an intelligence context.

In the intelligence community, the term “open” refers to overt, publicly available sources (as opposed to covert or clandestine sources). It is not related to open-source software or public intelligence. (Wikipedia)

Open Source Intelligence (OSINT) takes three forms: Passive, Semi-passive, and Active. There are several ways to deal with information in an intelligence context, especially when it comes to footprinting. I’m going to practice Passive Information Gathering (or Passive Reconnaissance), meaning I will not store the gathered data and will mostly rely on third-party sources. But I’ll gather information from many sources and filter the results to find the owner or the ITSP.

Learn more about OSINT reconnaissance techniques and footprinting here.