Tracking Phone

# DISCLAIMER #

The following information could be illegal and very sensitive. If you are by any means a sensitive person, please do not read. If you want to proceed anyway don't say I didn't warn you.

Origin

For a part of my life, I moved for the first time and was afraid of losing my friends. After 2 years I did in fact lose them and when I made new friends I made it where if I needed I could find you. At first, I had in mind evil but eventually, it turned into good as I knew it was illegal to do [well kind of] and only used if 100% necessary.

Only Time Use

I have only used the program once EVER [besides the test]. It was a "normal" day as I was working on the computer and just about to pack up for school when I get a knock on the door. I open it a little thrown off when it is the police. Which went like this

Police: Hello, we have reason that [Person 1] is in danger. Do you know where they are? Me: No not really, who referred to contact me Police: I can't say more than someone in [Town], but [Person 2] said you could help us. Me: Well sure thing, come in and we can boot back up the software.

I load up the computer and launch the software and get a call from my mom who was just notified of the situation. I have the police catch them up on my alternate phone. I get a call from Dad to have other police take that call while I am tracing the phone. I narrow it down and send police in that area to know I am accurate because those dispatched find [Person 1] car. I then pinpoint closer based on longer time tracing to find [Person 1]. After they found [Person 1] everyone left the house and later on during my time out at lunch with my friends I get a call. I get the full story and couldn't believe what actually was happening. A lot of What If.. go through my head but it is ok due to the final result.

Impact

The software saved someone's life as they were going to commit suicide, and I didn't even know it at the time. I won't forget that day and it took me a day to process once I was told the full story.

Overview

It would find the IP of close servers to a phone and triangulate the location based on response time.

Process

The program would send an MX packet to a target phone number as each phone number could have a corresponding email address. A packet with information in the header gives information about the server which is what I am signifying below

Delivered-To: ezekielsmith14007@gmail.com
Received: by 2002:aa7:c993:0:0:0:0:0 with SMTP id c19csp1516712edt;
        Sun, 8 Aug 2021 15:46:17 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyoAOVPp9jtnyi0W916dzDsTCffQvlzF5d45Fs5ezqjM8tzJ87DMvPfuz43kR7RfyIguzzp
X-Received: by 2002:a92:d483:: with SMTP id p3mr167064ilg.50.1628462776857;
        Sun, 08 Aug 2021 15:46:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1628462776; cv=none;
        d=google.com; s=arc-20160816;
        b=fUNmX3T65km3+kXwftmZGU1v+jdNlrxWHgH9ConFlQYP8jPng8URq0eOQT4XigCj5b
         b7F24jee6QL0jHwWbMSHs3CyjetL0FncvSmXRr2UiwXmTo+G7/I/VIMV7EOtrlv/32YW
         4TsLFz4RjdYrWQaSjpcmEFnUVzRiCevOOY9c22Zgp+PsD1jfjk3KYchDduP+M6bli7ru
         r4eQ17mDADf7wE+ufce9EH3o75ZOKNG0NEf/NYuoX15i1WGzaUBzg9Z1vuHbD6AXXfkB
         uwry4KJo2BzWZkC+vRtAGpWndgDea+8aau92uh7t+BIX0Qw4VyDHEjH96cY5Xy/tY8jd
         UucA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=dkim-signature:mime-version:date:from:to:in-reply-to:message-id;
        bh=sydMyzUCE8MwZdWe16SmWbGQLXGqwGuAe0F4J5eXAfI=;
        b=zqq97C9iB5Ek1l5vCvlOtdjW6as1y9IMeU6UOdD4/TouyOJHMz2zzEWml7TnuHfI75
         kf68z54ObijZple81mOZiKnM2LtFM5KLZNFvyBBGraBvgSqvE/COSChd5n/qpaJPnaY5
         I4kkYhhhFjnK8lgdgZXgWGpgi+vKwmlkuYpbOSv0Pic7rS7p5suk9M5/ZeZJpW8YrWNQ
         PdwpjGLLqKabZw/z7/rspwjwVQhZqh3mvJq8yxDNSOQxnPB/20iHUyyas6K1Xyixfi7p
         KkVHhw0SJC4BVHvv8SibJC6NYM+ItEiqmWw24VDBK6hS0kmLGerfU8cGkU3/quGtykhX
         kw3Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@mms.att.net header.s=EMG20171113 header.b=FswNGpoq;
       spf=neutral (google.com: 108.166.43.128 is neither permitted nor denied by domain of 5555555555@mms.att.net) smtp.mailfrom=5555555555@mms.att.net
Return-Path: <5555555555@mms.att.net>
Received: from gate.forward.smtp.ord1c.emailsrvr.com (gate.forward.smtp.ord1c.emailsrvr.com. [108.166.43.128])
        by mx.google.com with ESMTPS id q12si16586335jas.12.2021.08.08.15.46.16
        for <ezekielsmith14007@gmail.com>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 08 Aug 2021 15:46:16 -0700 (PDT)
Received-SPF: neutral (google.com: 108.166.43.128 is neither permitted nor denied by domain of 5555555555@mms.att.net) client-ip=108.166.43.128;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mms.att.net header.s=EMG20171113 header.b=FswNGpoq;
       spf=neutral (google.com: 108.166.43.128 is neither permitted nor denied by domain of 5555555555@mms.att.net) smtp.mailfrom=5555555555@mms.att.net
Return-Path: <5555555555@mms.att.net>
X-Spam-Threshold: 95
X-Spam-Score: 0
X-Spam-Flag: NO
X-Virus-Scanned: OK
X-Orig-To: jake@thewardserver.com
X-Originating-Ip: [166.216.152.40]
Authentication-Results: smtp19.gate.ord1c.rsapps.net; iprev=pass policy.iprev="166.216.152.40"; spf=pass smtp.mailfrom="55555555555@mms.att.net" smtp.helo="stcceg-mtmta04.wnsnet.attws.com"; dkim=pass header.d=mms.att.net; dmarc=none (p=nil; dis=none) header.from=mms.att.net
X-Suspicious-Flag: NO
X-Classification-ID: 70385464-f89a-11eb-b6f9-bc305bf036e4-1-1
Received: from [166.216.152.40] ([166.216.152.40:43175] helo=stcceg-mtmta04.wnsnet.attws.com) by smtp19.gate.ord1c.rsapps.net (envelope-from <5555555555@mms.att.net>) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES128-SHA) id 8E/33-30853-7BE50116; Sun, 08 Aug 2021 18:46:15 -0400
Received: from ZAKR1BMMSC01NFE002.wnsnet.attws.com ([107.79.70.27]) by stcceg-mtmta04.wnsnet.attws.com with bizsmtp id f7sG2500m0bJV4j01AmFAm; Sun, 08 Aug 2021 17:46:15 -0500
Message-ID: <f7sG2500m0bJV4j01AmFAm@txt.att.net>
In-Reply-To: 730187161.42157016.1628462775442.JavaMail.nems@ZAKR1BMMSC01NFE002
X-Mms-Message-Type: m-send-req
X-Mms-Transaction-Id: 1628462773-2
X-Mms-MMS-Version: 1.2
To: jake@thewardserver.com
From: 5555555555@mms.att.net
Date: Sun, 8 Aug 2021 22:46:15 +0000 (UTC)
X-Mms-Sender-Visibility: Show
Content-Type: multipart/mixed; boundary="----=_Part_42157015_1530013835.1628462775441"
MIME-Version: 1.0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mms.att.net; s=EMG20171113; t=1628462775; bh=sydMyzUCE8MwZdWe16SmWbGQLXGqwGuAe0F4J5eXAfI=; h=In-Reply-To:To:From:Date; b=FswNGpoq+rxOG3+IluSwroD8x2EDZsYHSCT0OzM+Nrj4Q3Bk+J3CDW5+Drake4xyi
	 BPBIyeoRl9hw6a1ST401rBEuefzKEvN6UdcYrtLmXw9dVvJ9O4yG6PROkRrSAJ2dRk
	 N3dbtt5tmqHr8rgzq4ubGSkToWM1thPSr+Eh+z12JL5Srk5SOKnck+AKKqY5YYoyiX
	 ZSPcastJI0aapdclWgeEin3hFU1+HFZy/JY1srXJgTdda4JYQQMk5OeICl9ziMW6Fh
	 TM6BXHJ2Gq5jVLGU3UyFSSy5XLNh1wlK8W+bFzaEstXW42V1OJcQqa+ecXKCzdK5h0
	 H7xZYD/6CkVPw==

Sending 10 packets would get a good set of times and various close DNS servers that the packet made through before making it to the phone.

With the location and time [strength] of each response, we can calculate the phone location by triangulation

Breakdown

So if you don't know all these technologies right now it is an oh fuck moment. So back from the beginning.

Using python I sent a packet with the From and To. From was my email and To was the target phone. I used the translation by searching emailing a phone. More specifically it is the phone number in my example I use 555-555-5555 and the knowledge of the target phone is using AT&T.

When sending this it would look like this from a protocol standpoint

In my program, we are focusing on the target server right before it switches protocols.

The response would look like above which removing some information as from the time I wrote the program improvements have been made to this process. (I wrote it 5 years or so ago)

Delivered-To: ezekielsmith14007@gmail.com
Received: by 2002:aa7:c993:0:0:0:0:0 with SMTP id c19csp1516712edt;
        Sun, 8 Aug 2021 15:46:17 -0700 (PDT)
X-Received: by 2002:a92:d483:: with SMTP id p3mr167064ilg.50.1628462776857;
        Sun, 08 Aug 2021 15:46:16 -0700 (PDT)
Return-Path: <5555555555@mms.att.net>
Received-SPF: neutral (google.com: 108.166.43.128 is neither permitted nor denied by domain of 5555555555@mms.att.net) client-ip=108.166.43.128;
Return-Path: <5555555555@mms.att.net>
X-Orig-To: jake@thewardserver.com
X-Originating-Ip: [166.216.152.40]
Authentication-Results: smtp19.gate.ord1c.rsapps.net; iprev=pass policy.iprev="166.216.152.40"; 
        spf=pass smtp.mailfrom="5555555555@mms.att.net" smtp.helo="stcceg-mtmta04.wnsnet.attws.com"; 
        dkim=pass header.d=mms.att.net; dmarc=none (p=nil; dis=none) header.from=mms.att.net
Received: from [166.216.152.40] ([166.216.152.40:43175] helo=stcceg-mtmta04.wnsnet.attws.com) by smtp19.gate.ord1c.rsapps.net 
        (envelope-from <5555555555@mms.att.net>) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES128-SHA) 
        id 8E/33-30853-7BE50116; Sun, 08 Aug 2021 18:46:15 -0400
Received: from ZAKR1BMMSC01NFE002.wnsnet.attws.com ([107.79.70.27]) by stcceg-mtmta04.wnsnet.attws.com with bizsmtp 
        id f7sG2500m0bJV4j01AmFAm; Sun, 08 Aug 2021 17:46:15 -0500
To: jake@thewardserver.com
From: 5555555555@mms.att.net
Date: Sun, 8 Aug 2021 22:46:15 +0000 (UTC)
X-Mms-Sender-Visibility: hidden

From this data, we can grab the different IP of servers nearby which using some IP tracking software get Longitude and Latitude location which repeating this process gives more accuracy

Current Status

Due to Anycast in DNS, this method does not work anymore. I can still get the IP address, but it is not going to be accurate. The IP address for the google servers are all the same so I could be getting the same IP address but different servers.

Example

So run through the program we send 10 packets. And receive [x packets] from [address] [average response time] 5 from 2.2.2.2 4.2 ms 1 from 2.2.2.3 5 ms 2 from 3.3.2.1 4.5 ms 2 from 3.3.4.4 7.5 ms

From this, we could draw a rough draft of what the program things it would be doing

This could be the case if there are less servers, but nowadays, 6 years later it would most likely look more like this

Which is significantly different. We still get a rough area but we are considering in this grid that the time is also average so it could also be a little skewed. For the most part, it was a good algorithm until a lot more of it changed.