# Tracking Phone

## DISCLAIMER

The following information could be illegal and very sensitive. If you are by any means a sensitive person, please do not read. If you want to proceed anyway don't say I didn't warn you.

## Origin

For a part of my life, I moved for the first time and was afraid of losing my friends. After 2 years I did in fact lose them and when I made new friends I made it where if I needed I could find you. At first, I had in mind evil but eventually, it turned into good as I knew it was illegal to do \[well kind of] and only used if 100% necessary.

### Only Time Use

I have only used the program once EVER \[besides the test]. It was a "normal" day as I was working on the computer and just about to pack up for school when I get a knock on the door. I open it, a little thrown off when it is the police. It went like this:

> Police: Hello, we have reason that \[Person 1] is in danger. Do you know where they are?\
> Me: No not really, who referred to contact me\
> Police: I can't say more than someone in \[Town], but \[Person 2] said you could help us.\
> Me: Well sure thing, come in and we can boot back up the software.

I load up the computer and launch the software and get a call from my mom, who was just notified of the situation. I have the police catch them up on my alternate phone. I get a call from Dad to have other police take that call while I am tracing the phone. I narrow it down and send police in that area to know I am accurate because those dispatched find \[Person 1]'s car. I then pinpoint closer based on longer time tracing to find \[Person 1]. After they found \[Person 1] everyone left the house, and later on during my time out at lunch with my friends I get a call. I get the full story and couldn't believe what actually was happening. A lot of "what ifs" go through my head, but it is ok due to the final result.

### Impact

The software saved someone's life as they were going to commit suicide, and I didn't even know it at the time. I won't forget that day and it took me a day to process once I was told the full story.

## Overview

It would find the IP addresses of servers close to a phone and triangulate the location based on response time.

### Process

The program would send an MX packet to a target phone number, as each phone number could have a corresponding email address. \
The header of a packet gives information about the servers, which is what I am showing below:

```
Delivered-To: ezekielsmith14007@gmail.com
Received: by 2002:aa7:c993:0:0:0:0:0 with SMTP id c19csp1516712edt;
        Sun, 8 Aug 2021 15:46:17 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyoAOVPp9jtnyi0W916dzDsTCffQvlzF5d45Fs5ezqjM8tzJ87DMvPfuz43kR7RfyIguzzp
X-Received: by 2002:a92:d483:: with SMTP id p3mr167064ilg.50.1628462776857;
        Sun, 08 Aug 2021 15:46:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1628462776; cv=none;
        d=google.com; s=arc-20160816;
        b=fUNmX3T65km3+kXwftmZGU1v+jdNlrxWHgH9ConFlQYP8jPng8URq0eOQT4XigCj5b
         b7F24jee6QL0jHwWbMSHs3CyjetL0FncvSmXRr2UiwXmTo+G7/I/VIMV7EOtrlv/32YW
         4TsLFz4RjdYrWQaSjpcmEFnUVzRiCevOOY9c22Zgp+PsD1jfjk3KYchDduP+M6bli7ru
         r4eQ17mDADf7wE+ufce9EH3o75ZOKNG0NEf/NYuoX15i1WGzaUBzg9Z1vuHbD6AXXfkB
         uwry4KJo2BzWZkC+vRtAGpWndgDea+8aau92uh7t+BIX0Qw4VyDHEjH96cY5Xy/tY8jd
         UucA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=dkim-signature:mime-version:date:from:to:in-reply-to:message-id;
        bh=sydMyzUCE8MwZdWe16SmWbGQLXGqwGuAe0F4J5eXAfI=;
        b=zqq97C9iB5Ek1l5vCvlOtdjW6as1y9IMeU6UOdD4/TouyOJHMz2zzEWml7TnuHfI75
         kf68z54ObijZple81mOZiKnM2LtFM5KLZNFvyBBGraBvgSqvE/COSChd5n/qpaJPnaY5
         I4kkYhhhFjnK8lgdgZXgWGpgi+vKwmlkuYpbOSv0Pic7rS7p5suk9M5/ZeZJpW8YrWNQ
         PdwpjGLLqKabZw/z7/rspwjwVQhZqh3mvJq8yxDNSOQxnPB/20iHUyyas6K1Xyixfi7p
         KkVHhw0SJC4BVHvv8SibJC6NYM+ItEiqmWw24VDBK6hS0kmLGerfU8cGkU3/quGtykhX
         kw3Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@mms.att.net header.s=EMG20171113 header.b=FswNGpoq;
       spf=neutral (google.com: 108.166.43.128 is neither permitted nor denied by domain of 5555555555@mms.att.net) smtp.mailfrom=5555555555@mms.att.net
Return-Path: <5555555555@mms.att.net>
Received: from gate.forward.smtp.ord1c.emailsrvr.com (gate.forward.smtp.ord1c.emailsrvr.com. [108.166.43.128])
        by mx.google.com with ESMTPS id q12si16586335jas.12.2021.08.08.15.46.16
        for <ezekielsmith14007@gmail.com>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 08 Aug 2021 15:46:16 -0700 (PDT)
Received-SPF: neutral (google.com: 108.166.43.128 is neither permitted nor denied by domain of 5555555555@mms.att.net) client-ip=108.166.43.128;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mms.att.net header.s=EMG20171113 header.b=FswNGpoq;
       spf=neutral (google.com: 108.166.43.128 is neither permitted nor denied by domain of 5555555555@mms.att.net) smtp.mailfrom=5555555555@mms.att.net
Return-Path: <5555555555@mms.att.net>
X-Spam-Threshold: 95
X-Spam-Score: 0
X-Spam-Flag: NO
X-Virus-Scanned: OK
X-Orig-To: jake@thewardserver.com
X-Originating-Ip: [166.216.152.40]
Authentication-Results: smtp19.gate.ord1c.rsapps.net; iprev=pass policy.iprev="166.216.152.40"; spf=pass smtp.mailfrom="55555555555@mms.att.net" smtp.helo="stcceg-mtmta04.wnsnet.attws.com"; dkim=pass header.d=mms.att.net; dmarc=none (p=nil; dis=none) header.from=mms.att.net
X-Suspicious-Flag: NO
X-Classification-ID: 70385464-f89a-11eb-b6f9-bc305bf036e4-1-1
Received: from [166.216.152.40] ([166.216.152.40:43175] helo=stcceg-mtmta04.wnsnet.attws.com) by smtp19.gate.ord1c.rsapps.net (envelope-from <5555555555@mms.att.net>) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES128-SHA) id 8E/33-30853-7BE50116; Sun, 08 Aug 2021 18:46:15 -0400
Received: from ZAKR1BMMSC01NFE002.wnsnet.attws.com ([107.79.70.27]) by stcceg-mtmta04.wnsnet.attws.com with bizsmtp id f7sG2500m0bJV4j01AmFAm; Sun, 08 Aug 2021 17:46:15 -0500
Message-ID: <f7sG2500m0bJV4j01AmFAm@txt.att.net>
In-Reply-To: 730187161.42157016.1628462775442.JavaMail.nems@ZAKR1BMMSC01NFE002
X-Mms-Message-Type: m-send-req
X-Mms-Transaction-Id: 1628462773-2
X-Mms-MMS-Version: 1.2
To: jake@thewardserver.com
From: 5555555555@mms.att.net
Date: Sun, 8 Aug 2021 22:46:15 +0000 (UTC)
X-Mms-Sender-Visibility: Show
Content-Type: multipart/mixed; boundary="----=_Part_42157015_1530013835.1628462775441"
MIME-Version: 1.0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mms.att.net; s=EMG20171113; t=1628462775; bh=sydMyzUCE8MwZdWe16SmWbGQLXGqwGuAe0F4J5eXAfI=; h=In-Reply-To:To:From:Date; b=FswNGpoq+rxOG3+IluSwroD8x2EDZsYHSCT0OzM+Nrj4Q3Bk+J3CDW5+Drake4xyi
	 BPBIyeoRl9hw6a1ST401rBEuefzKEvN6UdcYrtLmXw9dVvJ9O4yG6PROkRrSAJ2dRk
	 N3dbtt5tmqHr8rgzq4ubGSkToWM1thPSr+Eh+z12JL5Srk5SOKnck+AKKqY5YYoyiX
	 ZSPcastJI0aapdclWgeEin3hFU1+HFZy/JY1srXJgTdda4JYQQMk5OeICl9ziMW6Fh
	 TM6BXHJ2Gq5jVLGU3UyFSSy5XLNh1wlK8W+bFzaEstXW42V1OJcQqa+ecXKCzdK5h0
	 H7xZYD/6CkVPw==
```

Sending 10 packets would get a good set of times and various nearby DNS servers that the packet passed through before making it to the phone.

With the location and time \[strength] of each response, we can calculate the phone location by triangulation.

### Breakdown

So if you don't know all these technologies, right now it is an oh fuck moment. So, back to the beginning.

Using Python, I sent a packet with a From and a To. From was my email and To was the target phone. I found the translation by searching for [emailing a phone](https://www.makeuseof.com/tag/email-to-sms/). More specifically, it is the phone number (in my example I use 555-555-5555) and the knowledge that the target phone is using AT\&T.

When sending this, it would look like this from a protocol standpoint:

![](https://980792987-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Md9Bzo_DCKomMglV10a%2F-MgkvAB3TBQ9ziXb5bl7%2F-Mgkx6HXjumMjKy1ooLN%2Fimage.png?alt=media\&token=f8973941-2fda-4ac2-8d7b-d744bb4ebdfb)

In my program, we are focusing on the target server right before it switches protocols.

The response would look like the one above, but with some information removed, as improvements have been made to this process since the time I wrote the program (I wrote it 5 years or so ago):

```
Delivered-To: ezekielsmith14007@gmail.com
Received: by 2002:aa7:c993:0:0:0:0:0 with SMTP id c19csp1516712edt;
        Sun, 8 Aug 2021 15:46:17 -0700 (PDT)
X-Received: by 2002:a92:d483:: with SMTP id p3mr167064ilg.50.1628462776857;
        Sun, 08 Aug 2021 15:46:16 -0700 (PDT)
Return-Path: <5555555555@mms.att.net>
Received-SPF: neutral (google.com: 108.166.43.128 is neither permitted nor denied by domain of 5555555555@mms.att.net) client-ip=108.166.43.128;
Return-Path: <5555555555@mms.att.net>
X-Orig-To: jake@thewardserver.com
X-Originating-Ip: [166.216.152.40]
Authentication-Results: smtp19.gate.ord1c.rsapps.net; iprev=pass policy.iprev="166.216.152.40"; 
        spf=pass smtp.mailfrom="5555555555@mms.att.net" smtp.helo="stcceg-mtmta04.wnsnet.attws.com"; 
        dkim=pass header.d=mms.att.net; dmarc=none (p=nil; dis=none) header.from=mms.att.net
Received: from [166.216.152.40] ([166.216.152.40:43175] helo=stcceg-mtmta04.wnsnet.attws.com) by smtp19.gate.ord1c.rsapps.net 
        (envelope-from <5555555555@mms.att.net>) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES128-SHA) 
        id 8E/33-30853-7BE50116; Sun, 08 Aug 2021 18:46:15 -0400
Received: from ZAKR1BMMSC01NFE002.wnsnet.attws.com ([107.79.70.27]) by stcceg-mtmta04.wnsnet.attws.com with bizsmtp 
        id f7sG2500m0bJV4j01AmFAm; Sun, 08 Aug 2021 17:46:15 -0500
To: jake@thewardserver.com
From: 5555555555@mms.att.net
Date: Sun, 8 Aug 2021 22:46:15 +0000 (UTC)
X-Mms-Sender-Visibility: hidden
```

From this data, we can grab the IP addresses of the different servers nearby and, using some IP tracking software, get a longitude and latitude for each. Repeating this process gives more accuracy.
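Reading a `Received` chain like this is routine mail-header forensics. The following is an added example, not the author's program: it parses the three `Received` lines of the trimmed header above, oldest hop first, and reports what each line records, namely the relay that accepted the message, the address it accepted it from, and a timestamp with one-second resolution. The function names `received_hops` and `hop_delays` are assumptions of this example.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# The three Received lines of the trimmed header above, copied from the page.
SAMPLE = """\
Received: by 2002:aa7:c993:0:0:0:0:0 with SMTP id c19csp1516712edt;
        Sun, 8 Aug 2021 15:46:17 -0700 (PDT)
Received: from [166.216.152.40] ([166.216.152.40:43175] helo=stcceg-mtmta04.wnsnet.attws.com) by smtp19.gate.ord1c.rsapps.net
        (envelope-from <5555555555@mms.att.net>) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES128-SHA)
        id 8E/33-30853-7BE50116; Sun, 08 Aug 2021 18:46:15 -0400
Received: from ZAKR1BMMSC01NFE002.wnsnet.attws.com ([107.79.70.27]) by stcceg-mtmta04.wnsnet.attws.com with bizsmtp
        id f7sG2500m0bJV4j01AmFAm; Sun, 08 Aug 2021 17:46:15 -0500
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})[\]:]")  # bracketed sender address
BY = re.compile(r"\bby\s+(\S+)")                        # relay that wrote the line
COMMENT = re.compile(r"\([^)]*\)")                      # e.g. "(PDT)" after the date


def received_hops(raw):
    """Return hops oldest-first as (sender_ip, recording_relay, utc_time)."""
    hops = []
    # Each relay prepends its own line, so the header order is newest-first.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())           # unfold continuation lines
        info, _, stamp = flat.rpartition(";")    # the date follows the last ';'
        ip, by = IPV4.search(info), BY.search(info)
        when = parsedate_to_datetime(COMMENT.sub("", stamp).strip())
        hops.append((ip.group(1) if ip else None,
                     by.group(1) if by else None,
                     when.astimezone(timezone.utc)))
    return hops


def hop_delays(hops):
    """Whole seconds between consecutive hops; the stamps carry no finer unit."""
    return [int((b[2] - a[2]).total_seconds()) for a, b in zip(hops, hops[1:])]


if __name__ == "__main__":
    chain = received_hops(SAMPLE)
    for ip, relay, when in chain:
        print(f"{when:%H:%M:%S} UTC  recorded by {relay}  from {ip}")
    print("delays (s):", hop_delays(chain))
```

On this sample the delays come out as 0 and 2 seconds once the three time zones are normalized to UTC, and both addresses are the ones the header itself attributes to the named mail relays.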

## Current Status

Due to Anycast in DNS, this method does not work anymore. I can still get the IP address, but it is not going to be accurate. The IP addresses for the Google servers are all the same, so I could be getting the same IP address but different servers.

### Example

So, running through the program, we send 10 packets and receive\
\[x packets] from \[address] \[average response time]\
5 from 2.2.2.2 4.2 ms\
1 from 2.2.2.3 5 ms\
2 from 3.3.2.1 4.5 ms\
2 from 3.3.4.4 7.5 ms

From this, we could draw a rough draft of what the program thinks it would be doing:

![](https://980792987-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Md9Bzo_DCKomMglV10a%2F-Mgut1mXinXcUFFkw2Ag%2F-MguwlovnebqGLaWwXfv%2Fgrid2.jpg?alt=media\&token=60a713dd-58b2-4d62-855b-8c2c303ab93f)

This could be the case if there are fewer servers, but nowadays, 6 years later, it would most likely look more like this:

![](https://980792987-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Md9Bzo_DCKomMglV10a%2F-Mgut1mXinXcUFFkw2Ag%2F-MguwxZkKlDNDo1Oe3Ui%2Fgrid.jpg?alt=media\&token=5aeae305-8226-4867-b3a6-91dc73d14faf)

Which is significantly different. We still get a rough area, but we have to consider that the times in this grid are also averages, so it could also be a little skewed. For the most part, it was a good algorithm until a lot more of it changed.
