AOH :: OBSPHRK.TXT
3500 Lines of Obsolete Phreaking Stuff
|
Subject: 3500 lines of obsolete phreaking stuff
Date: Thu May 12 13:13:03 1994
This is something I put together a few years ago. None of it was
written by me. I spellchecked it, made a table of contents, and
converted from 20 column all-caps and removed K0oL spellings.
I don't want comments, good or bad. I figured somebody might
want this, so I'm posting it, but that the extend of my involvement.
I'm sorry about the control-L's. I don't know how to remove them.
xxxxxxxxxxxxxxxxxxxxxxxxxxx
� Table of Contents
Introduction to hacking. . . . . . . . . . . . . . . . . . . . 1
Phone Hacking. . . . . . . . . . . . . . . . . . . . . . . . . 2
Basic Boxes Technically Explained . . . . . . . . . . . . 3
(BLUE,3); (BLACK,4); (CHEESE,5)
Voice mail box hacking. . . . . . . . . . . . . . . . . . 6
Blue Box Tones. . . . . . . . . . . . . . . . . . . . . . 9
Customer name and address . . . . . . . . . . . . . . . . 9
Lock In Trace . . . . . . . . . . . . . . . . . . . . . . 14
Pinkish Box . . . . . . . . . . . . . . . . . . . . . . . 16
Pearl Box . . . . . . . . . . . . . . . . . . . . . . . . 17
Brown Box . . . . . . . . . . . . . . . . . . . . . . . . 19
Scarlet box . . . . . . . . . . . . . . . . . . . . . . . 20
Day-Glow. . . . . . . . . . . . . . . . . . . . . . . . . 20
Gold Box Plans. . . . . . . . . . . . . . . . . . . . . . 22
Green Box . . . . . . . . . . . . . . . . . . . . . . . . 23
Blotto Box. . . . . . . . . . . . . . . . . . . . . . . . 23
Computer Hacking . . . . . . . . . . . . . . . . . . . . . . . 26
Tymnet. . . . . . . . . . . . . . . . . . . . . . . . . . 27
Telenet . . . . . . . . . . . . . . . . . . . . . . . . . 32
Hacking Unix. . . . . . . . . . . . . . . . . . . . . . . 34
Primenet. . . . . . . . . . . . . . . . . . . . . . . . . 36
Hacking DECs. . . . . . . . . . . . . . . . . . . . . . . 44
Crashing BBSs . . . . . . . . . . . . . . . . . . . . . . 45
Credit bureaus. . . . . . . . . . . . . . . . . . . . . . 54
File grabbing on large systems. . . . . . . . . . . . . . 64
Potpourri. . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Bugs. . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Wiretapping . . . . . . . . . . . . . . . . . . . . . . . 67
Lunch Box . . . . . . . . . . . . . . . . . . . . . . . . 72
Beep Time . . . . . . . . . . . . . . . . . . . . . . . . 76
Reference. . . . . . . . . . . . . . . . . . . . . . . . . . . 77
8OO VMB Systems . . . . . . . . . . . . . . . . . . . . . 78
Extenders . . . . . . . . . . . . . . . . . . . . . . . . 78
Loops . . . . . . . . . . . . . . . . . . . . . . . . . . 79
PBXs. . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Sweeps. . . . . . . . . . . . . . . . . . . . . . . . . . 79
1-800 modem numbers . . . . . . . . . . . . . . . . . . . 79
Area Codes by State . . . . . . . . . . . . . . . . . . . 82
� INTRODUCTION TO HACKING
Most people who have never hacked or are beginners think that
hackers are a small community of very knowledgeable computer
"geniuses" that randomly break into systems for fun and then
create havoc or steal information. I will speak of my own views
on hacking which shouldn't reflect the feelings of the entire
hacking community but I would guess a large amount. First of all
hacking is getting more and more risky everyday. Because of this,
hacking for fun isn't as safe as it used to be (although most of
my hacking is for fun). The reason people (people I know) hack is
because we believe in free information exchange. This means that
I should be able to freely access any information that is
available over the modem that I want. There are obvious reasons
why this can't be achieved, but if people have information that
is that sensitive then it should not be put out over the modem.
Now the second and biggest misconception about hacking is how the
hacker actually "hacks". Most people think that hacking is just
basically getting lucky and guessing a password that lets you
into a system. This is *very* untrue. Let us take an example that
you have just broken into the CIA's computer system. So suddenly
you get a -> prompt. Now what do you do?!? This is the difference
between the hacker and some kid that is good at guessing. The kid
may be able to guess a password, but if he doesn't know what to
do once he's in then he might as well have not even hacked the
password at all. So, the main objective of the hacker is to
concentrate on learning how to use a system. After he has done
that then he can figure out ways to get around certain kinds of
security and get to the stuff he wants. So what you should do is
read all the manual's and text files that you can get your hands
on. Because before you can defeat a system, you must know how it
works (this works for life in general). Ok, now you understand
what hacking is and how you should go about learning it. �
Phone Hacking
� Basic Boxes Technically Explained
BLUE
The "Blue Box" was so named because of the color of the first
one found. The design and hardware used in the Blue Box is fairly
sophisticated, and its size varies from a large piece of
equipment to the size of a pack of cigarettes. The Blue Box
contains 12 or 13 buttons or switches that emit multi-frequency
tones characteristic of the tones used in the normal operation of
the telephone toll (long distance) switching network. The Blue
Box enables the user to place free long distance calls by
circumventing toll billing equipment. The Blue Box may be
directly connected to a phone line, or it may be acoustically
coupled to a telephone handset by placing the Blue Box's speaker
next to the transmitter or the telephone handset. To understand
the nature of a fraudulent Blue Box call, t is necessary to
understand the basic operation of the Direct Distance Dialing
(DDD) telephone network. When a DDD call is properly originated,
the calling number is identified as an integral part of
establishing the connection. This may be done either
automatically or, in some cases, by an operator asking the
calling party for his telephone number. This information is
entered on a tape in the Automatic Message Accounting (AMA)
office. This tape also contains the number assigned to the trunk
line over which the call is to be sent. The information relating
to the call contained on the tape includes: called number
identification, time of origination of call, and info that the
called number answered the call and time of disconnect at the end
of the call. Although the tape contains info with respect to many
different calls, the various data entries with respect to a
single call are eventually correlated to provide billing info for
use by your Bell's accounting department. The typical Blue Box
user usually dials a number that will route the call into the
telephone network without charge. For example, the user will very
often call a well-known INWATS (toll-free) customer's number. The
Blue Box user, after gaining this access to the network and, in
effect, "seizing" control and complete dominion over the line,
operates a key on the Blue Box which emits a 2600 Hertz (cycles
per second) tone. This tone causes the switching equipment to
release the connection to the INWATS customer's line. The 2600Hz
tone is a signal that the calling party has hung up. The Blue Box
simulates this condition. However, in fact the local trunk on the
calling party's end is still connected to the toll network. The
Blue Box user now operates the "KP" (Key Pulse) key on the Blue
Box to notify the toll switching equipment that switching signals
are about to be emitted. The user then pushes the "number"
buttons on the Blue Box corresponding to the telephone # being
called. After doing so he/she uses the "ST" (Start) key to tell
the switching equipment that signalling is complete. If the call
is completed, only the portion of the original call prior to the
'blast' of 2600Hz tone is recorded on the AMA tape. The tones
emitted by the Blue Box are not recorded on the AMA tape.
Therefore, because the original call to the INWATS # is toll-
free, no billing is rendered in connection with the call.
Although the above is a description of a typical Blue Box call
using a common way of getting into the network, the operation of
a Blue Box may vary in any one or all of the following respects:
The Blue Box may include a rotary dial to apply the 2600Hz tone
and the switching signals. This type of Blue Box is called a
"dial pulser" or "rotary SF" Blue box. Getting into the DDD toll
network may be done by calling any other toll-free # such as
Universal Directory ASSistance (555-1212) or any number in the
INWATS network, either inter-state or intra-state, working or
non-wrking. Entrance into the DDD toll network may also be in
the form of "short haul" calling. A "short haul" call is a call
to any # which will result in a lesser amount of toll charges
than the charges for the call to be completed by the Blue Box.
For example, a call to Birmingham from Atlanta may cost $.80 for
the first 3 minutes while a call from Atlanta to Los Angeles is
$1.85 for 3 minutes. Thus, a short haul, 3-minute call to
Birmingham from Atlanta, switched by use of a Blue Box to Los
Angeles, would result in a net fraud of $1.05 for a 3 minute
call. A Blue Box may be wired into the telephone line or
acoustically coupled by placing the speaker of the Blue Box near
the transmitter of the phone handset. The Blue Box may even be
built inside a regular Touch-Tone phone, using the phone's push-
buttons for the Blue Box's signalling tones. A magnetic tape
recording may be used to record the Blue Box tones for certain
phone numbers. This way, it's less conspicuous to use since you
just make it look like a walkman or whatever, instead of a box.
All Blue Boxes, except "dial pulse" or "Rotary SF" Blue Boxes,
must have the following 4 common operating capabilities:
It must have signalling capability in the form of a 2600Hz tone.
This tone is used by the toll network to indicate, either by its
presence or its absence, an "on hook" (idle) or "off hook" (busy)
condition of the trunk. The Blue Box must have a "KP" tones that
unlocks or readies the multi-frequency receiver at the called end
to receive the tones corresponding to the called phone #. The
typical Blue Box must be able to emit M tones which are used to
transmit phone #'s over the toll network. Each digit of a phone #
is represented by a combination of 2 tones. For example, the
digit 2 is transmitted by a combination of 700Hz and 1100Hz. The
Blue Box must have an "ST" key which consists of a combination of
2 tones that tell the equipment at the called end that all digits
have been sent and that the equipment should start switching the
call to the called number.
BLACK
This Box was named because of the color of the first one
found. It varies in size and usually has one or two switches or
buttons. Attached to the telephone line of a called party, the
Black Box provides toll-free calling *to* that party's line. A
Black Box user tells other people beforehand that they will not
be charged for any call placed to him. The user then operates the
device causing a "non-charge" condition ("no answer" or
"disconnect") to be recorded on the telephone company's billing
equipment. A Black Box is relatively simple to construct and is
much less sophisticated than a Blue Box. NOTE: This will not work
on any type of Electronic Switching Systems, (ESS, DMS100 etc.)
CHEESE
This Box was named after the container in which the first one was
found. Its design may be crude or very sophisticated. Its size
varies; one was found the size of a half-dollar. A Cheese Box was
used most often by bookmakers or betters to place wagers without
detection from a remote location. The device inter-connects 2
phone lines, each having different #'s but each terminating at
the same location. In effect, there are 2 phones at the same
location which are linked together through a Cheese Box. It is
usually found in an unoccupied apartment connected to a phone
jack or connecting block. The bookmaker, at some remote location,
dials one of the numbers and stays on the line. Various bettors
dial the other number but are automatically connected with the
book maker by means of the Cheese Box interconnection. If, in
addition to a cheese box, a Black Box is included in the
arrangement, the combined equipment would permit toll-free
calling on either line to the other line. If a police raid were
conducted at the terminating point of the conversations -the
location of the Cheese Box- there would be no evidence of
gambling activity. This device is sometimes difficult to
identify. Law enforcement officials have been advised that when
unusul devices are found associated with telephone connections
the phone company security representatives should be contacted to
assist in identification.
(This probably would be good for a BBS, especially with the Black
Box set up. and if you ever decided to take the board down, you
wouldn't have to change your phone #. It also makes it so you
yourself cannot be traced. I am not sure about calling out from
one though.)� VOICE MAIL BOX HACKING
Hello again, and welcome to another œegions f œucifer text file!
This text file has to do with hacking and scanning VMBs. The
reason I am writing this file is because I am very good at it,
and have had years of experience. In fact I have been called by
MCI for screwing them over by attacking and taking over a whole
damn system with a few friends of mine. Anyway, hacking VMBs is
very simple and basically safe, and not only that but they are
cool to have around. You can give them to friends, you can trade
them for access on bulletin boards, or you can use it for
yourself. As for this 'Tutorial on Hacking VMBs', we will be
talking about what systems to hack, how you go about hacking
them, default passwords, hints on better scanning, and having
your very own box.
VMB, in case you don't know, stands for 'Voice Mail Box'. Now a
VMB is like an answering machine. You can use it for all sorts of
things. Most VMB systems are dialed though 800 numbers. People
call up the VMB system that you have a box on, and dial in your
box number and then leave you a message. Whenever you want to
check your box, you just call up, enter your password and read
your messages. Inside a VMB you can do whatever, you can leave
messages to others on the system, you can change your 'Out Going'
message, you can have guest boxes (Explained later), you can have
the box call your house when you get an Urgent message, you can
do a lot of things. In fact, on some systems you can even CALL
OUT through them, so they can be used as a code of sorts! They
are cool to have.
You should scan/hack out Virgin Systems, this is another way of
calling a system that hasn't been hack out yet. Also, CINDI
Systems and ASPEN Systems have the best boxes and the most
options that VMB Systems can offer. I will be talking about ASPEN
System today since I know most about those.
Okay once you've found your Virgin VMB System, you start to scan.
Just incase you don't know what scanning is, that means you
search for boxes that are hackable (Explained later on). Now you
dial up the system and when it picks up and the bitch starts to
talk, press the "#" key. It will then ask you for your box
number... now there are two different way the ASPEN System can be
configured: 1) a "3 Digit Box Number System" or 2) a "4 Digital
Box Number System". Now lets just say this system is a 3 Digit
System. Okay, when it asks for your Box Number, enter in 999, now
it will say one of three things: [These are known as 'Greeting
Names']
1. John Doe [Box owners name]
2. "Box Number 999 Is Not a Valid Box Number"
3. "Box Number 999"
Now, if it either says 1 or 2, go to box number
998...997...996...995..etc, but if it says 3, then you are lucky,
now it will ask you for your password, now you are probably
saying 'Oh no this is where it gets difficult'... well you are
WRONG! This part is easy. Here is a list of ASPEN Default
Passwords:
* We will use box number 666 as an example box #
[ BN = Box Number ]
List of Default Password: Combination Result
1-BN 1666
BN+1 667
0-BN 0666
BN-0 6660
Most Common Äį BN 666
Now enter in a those defaults, try JUST the Box Number first,
ASPENs usually use that most. Now, if you try all those Defaults
and still can not get into that Voice Mail Box, then that means
that the box has been already taken, but the owner hasn't changed
his 'Generic Message', if you don't get in, you will just have to
search until you get in.
Okay, once you get your first box, *DO NOT* change anything!!
That will come later. Your first box is, as what is known as a
'Scanning Box'! What you do with your Scanning Box is this: You
enter "3" from the main commands menu, and it will ask you for
the box number. Now that command is the "Check for Receipt"
command, what it does it check Box #xxx for mail rom you. This
command is very convenient for us VMB Hackers. To use that
command to your advantage, you enter in box a box number and it
will say 1 of the three 'Greeting Names', like before, if it say
#3, then you write down that Box Number and hack it later. But if
it says 1 or 2, then just keep scanning! All boxes with the
number 3 Greeting Name is known as a 'Hackable Box'. Now you keep
scanning until you have gone all the way down to Box number 000
or whatever is the lowest box it supports. Now, once you have
your list this is when all the fun starts! Now you are ready to
hack!
Hacking Out Your New Found 'Hackable' Boxes:
Okay this is the easy part. After you spent most of your time by
scanning the system you should be used to the system and how it
works, that should make hacking the ASPEN all the easier. Now, if
you had a 'Scanning Box', you should know what the default
password was for your Scanning Box. Well if the password for your
Scanning Box was just the Box Number, then *EVERY* other hackable
box should have the SAME default password. VMB Systems have only
one default password, If one box has the BN for a Default PW, the
all the others will too.
Okay, you call up the VMB System will the list of 'Hackable'
boxes by your side, and when the bitch is talking, press the "#"
key. When it asks you for your box number, enter in the first box
number on your list. When it asks for your password, enter in the
Default Password Sequence. Now if you don't get into that box,
it's not a problem, just keep going down your list. You should
get into a few. But remember, just because a box is marked
'Hackable', it doesn't mean you will definitely get into it.
Okay, now you hav a few dozen boxes. You can now use you
Scanning Box to do whatever you please.
ASPEN Guest Boxes:
Once you have a box of your own, you can give out 'Guest Boxes'.
Guest Boxes are like Sub Boxes in your box. In ASPEN you have 4
of them. If you give out Guest Box #1 to John Doe, Mr. Doe can
call in, enter in the password YOU set for him, and leave you
messages, but not only that, you can leave messages to HIM! Which
means, if his is in New York, and you are in California, and
neither of you have codes to call each other, then you can leave
messages thru your 800 VMB. Here is a list and explanation of all
4 of the Guest Boxes:
0. Main Box - Your Voice Mail Box!
1. Guest Box #1 - Can Leave & Receive Messages
2. Guest Box #2 - Can Leave & Receive Messages
3. Home Box -Can Leave & Receive Messages
4. Secretary Box - Can Check How Many Messages You Have & Receive
Messages
Hints On Better Scanning:
A lot of people say hacking and scanning for VMBs is too damn
hard... well that's because they are going at it all wrong, they
probably read some lame piece of text file on Hacking VMBs that
was about 500 bytes long. Well, here is a small list of hints on
better scanning and hacking:
1. Do not use a Voice Mail Box hacking/scanning program (i.e.:
VMB v1.0, ASPEN v1.0, VMBHACK v2.3, etc..) 2. Do not hack in
random order (i.e.: B#999, 345, 810, etc) Always hack in order:
999, 998, 997, 996, 995...000. 3. Try to find out if it's virgin.
The newer the System, the better.
4. If you have a phone with memory dial, change one entry to the
number of the VMB System. 5. Don't hack the System Managers box
unless you really want to.
Ideas of Things To Do With Your Extra Boxes:
Well since you can have up to 500 extra Voice Mail Boxes, you
might not know what to do with them, here are a few ideas that
can help you out:
1. Give them to friends
2. Sell them to friends
3. Offer them to sysops for better access
4. Trade them for HSTs or whatever
5. Use them as a Voice Verifying line (So you don't have to give
out your real voice number to BBSs when you apply!)
Blue Box Tones
In this short section I will attempt to list some tones that Ma
Bell uses and what they are. Well here goes: Blue box
frequencies: 2600 hz - used to get on/off trunk tone matrix to
use after 2600 hz.
700: 1 : 2 : 4 : 7 : 11 :
900: + : 3 : 5 : 8 : 12 :
1100: + : + : 6 : 9 : KP :
1300: + : + : + : 10 : KP2 :
1500: + : + : + : + : ST :
900 :1100 :1300 :1500 : 1700 :
Use KP to start a call and ST (1500+1700) to stop. Use 2600 HZ to
disconnect. Red box freqs: 1700 hz and 2200 hz mixed together. A
nickel is 66 ms on (1 beep). A dime is 66ms on, 66ms off, 66ms on
(2 beeps) a quarter is 33ms on, 33ms off repeated 5 times. (Ms =
millisecond). For those of you who don't know, a red box
simulates money being put into a pay phone. You must put in some
money first though (the operator can tell if money was put in but
as to how much she lets the computer answer that. (Yeah for he
computer) TASI locking freq: TASI (time assignment speech
interpolation) is used on satellite trunks, and basically allows
more than one person to use a trunk by putting them on while the
other person isn't talking. Of course, you'd never hear the other
person talking on your trunk. When you start to talk, however,
the TASI controller has to find an open trunk for you. Because of
this, some of your speech is lost (because of the delay in
finding a trunk) this is called clipping. Well, if you were
transmitting data over a trunk, clipping would really mess up the
data. So there is something called a TASI locking frequency which
keeps the TASI from putting anyone else on your trunk or you on
anyone else's trunk. In any case the freq. is 1850 hz. (Sent
before the transmission). Have fun!!!
CUSTOMER NAME AND ADDRESS
The word CN/A stands for Customer's Name and Address ... Your
telephone company has set up little bureaus that will answer the
telephone all day and give numbers out to any authorized Bell
employees of the same city or any other city nationwide. The
bureau keeps everyone on file with their name and address,
INCLUDING those that are unlisted. So if you have a phone number
and you want to find out who owns it and where they live, you can
use this little handy system. In short, it is basically used to
get a persons real name and real address through just having a
phone number!
Lets sayyou are constantly being bugged by some little dick and
you don't know his name or address, BUT you have his phone
number.. well you can get his Name & Address just by having his
telephone number! For example, lets say you have this dicks phone
number, and it's (212) 555-1873, then just do the following:
Look up the CN/A Number for that NPA (NPA = AREA CODE) in the
list below. For this example, the NPA is 212 and the CN/A number
is 518-471-8111. So then call up the CN/A # (During regular
hours) and throw a line like, "Hello, This is Operator #321 from
the residential service center in California. And I need to get a
CN/A on a customer at 212-555-1873. Thank You."... Make sure not
too sound like a twelve year old dork or try and sound lame with
a really deep voice, just try to sound as real as possible. Okay,
if you got that far, and you sound pretty convincing, then the
CN/A operator should not in any means, ask questions and you
should get all the info you need!
Here is a list of just about EVERY CN/A Number in the Continental
United States, this list was supplied to Legions of Lucifer by
LawBreaker.
�ÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄ¿
Area ³ Account ³ Telephone ³ Call ³ Time ³ Requests ³
Code ³ Code ³ Number ³ Hours ³ Zone ³ per call ³
ÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄ´
201 ³ ³ (304)344-7935 ³ 8:00-4:10 ³ E ³ 3 ³
202 ³ ³ (304)343-7016 ³ 8:30-4:10 ³ E ³ 3 ³
203 ³ ³ (203)789-6815 ³ 8:10-4:45 ³ E ³ 7 ³
204 ³ ³ (204)949-0900 ³ 8:30-4:45 ³ C ³ N/A ³
205 ³ ³ (205)555-1212 ³ 24 hours ³ C ³ 2 ³
206 ³ I47128 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³
207 ³ 411 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³
208 ³ I47127 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³
209 ³ 1659 or ³ (415)781-5271 ³ 7:00-5:00 ³ P ³ 5 ³
209 ³ 2826 ³ ³ ³ ³ N/A ³
212 ³ 111 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³
213 ³1659/2826³ (415)781-5271 ³ 7:00-5:00 ³ P ³ 5 ³
214 ³ SW5167 ³ (817)461-4769 ³ 8:00-4:50 ³ C ³ 3 ³
215 ³ ³ (412)633-5600 ³ 8:30-5:00 ³ E ³ 3 ³
216 ³ 161 ³ (614)464-0511 ³ 8:00-5:00 ³ E ³ 3 ³
217 ³ 700 ³ (217)789-8290 ³ 8:00-5:00 ³ C ³ 2 ³
218 ³ I47126 ³ (402)572-5858 ³ 24 hours ³ All ³ 2 ³
219 ³ 161 ³ (317)265-4834 ³ 7:30-4:45 ³ E ³ 3 ³
301 ³ ³ (304)343-7016 ³ 8:00-4:10 ³ E ³ 3 ³
302 ³ ³ (412)633-5600 ³ 8:30-5:00 ³ E ³ 3 ³
303 ³ I47126 ³ (402)572-5858 ³ 8:00-5:00 ³ M ³ 5 ³
304 ³ I47127 ³ (304)343-1401 ³ 8:00-4:10 ³ E ³ 3 ³
305 ³ 13402 ³ (803)251-0046 ³ 8:30-5:00 ³ E ³ 3-15 ³
306 ³ ³ (306)777-2878 ³ 8:00-12:00³ M ³ N/A ³
307 ³ I47127 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³
308 ³ I47126 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³
309 ³ 700 ³ (217)789-8290 ³ 8:00-5:00 ³ C ³ 2 ³
312 ³ 500 ³ (312)796-9600 ³ 24hours ³ C ³ 2 ³
313 ³ 53423 or³ (313)424-0900 ³ 24 hours ³ E ³ 20 ³
313 ³ 61728 ³ ³ ³ ³ N/A ³
314 ³ SW1012 ³ (816)275-8460 ³ 8:30-4:30 ³ C ³ 3 ³
315 ³ 111 ³ (518)471-8111 ³ 8:00-4:55 ³ E ³ 16 ³
316 ³ SW2019 ³ (913)276-6708 ³ 8:00-4:45 ³ C ³ 3 ³
317 ³ 161 ³ (317)265-4834 ³ 7:30-4:45 ³ E ³ 3 ³
318 ³ ³ (318)555-1212 ³ 24 hours ³ C ³ 2 ³
319 ³ I47126 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³
401 ³ 411 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³
402 ³ I47126 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³
403 ³ ³ (403)493-6383 ³ 8:00-4:30 ³ M ³ N/A ³
404 ³ 13402 ³ (803)251-0046 ³ 8:30-5:00 ³ E ³ 3-15 ³
405 ³ SW4070 ³ (405)236-6121 ³ 7:30-4:15 ³ C ³ 3 ³
406 ³ I47127 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³
407 ³ 13402 ³ (803)251-0046 ³ 8:30-5:00 ³ E ³ 3-15 ³
408 ³1659/2826³ (415)781-5271 ³ 7:00-5:00 ³ P ³ 5 ³
409 ³ SW5167 ³ (713)961-2397 ³ 8:00-5:00 ³ C ³ 3 ³
412 ³ ³ (412)633-5600 ³ 8:30-5:00 ³ E ³ 3 ³
413 ³ 411 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³
414 ³ 767 ³ (608)252-6932 ³ 8:00-4:30 ³ C ³ 1-5 ³
415 ³1659/2826³ (415)781-5271 ³ 7:00-5:00 ³ P ³ 5 ³
416 ³ ³ (416)443-0542 ³ 8:30-5:00 ³ E ³ N/A ³
417 ³ SW1012 ³ (816)275-8460 ³ 8:30-4:30 ³ C ³ 3 ³
418 ³ ³ (514)391-7440 ³ 8:30-4:45 ³ ³ N/A ³
419 ³ 161 ³ (614)464-0511 ³ 8:00-5:00 ³ E ³ 3 ³
501 ³ SW3006 ³ (405)236-6121 ³ 7:30-4:30 ³ C ³ 3 ³
502 ³ ³ (502)555-1212 ³ 24 hours ³ E ³ 2 ³
503 ³ I47128 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³
504 ³ ³ (504)555-1212 ³ 24 hours ³ C ³ 2 ³
505 ³ I47127 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³
506 ³ ³ (506)694-6541 ³8:15-4:30 ³ A ³ N/A ³
507 ³ I47126 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³
508 ³ 411 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³
509 ³ I47128 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³
512 ³ SW5167 ³ (512)828-2501 ³ 9:00-5:00 ³ C ³ 3 ³
513 ³ 161 ³ (614)464-0511 ³ 8:00-5:00 ³ E ³ 3 ³
514 ³ ³ (514)391-7440 ³ 8:00-4:30 ³ E ³ N/A ³
515 ³ I47126 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³
516 ³ 111 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³
517 ³53423 or ³ (313)424-0900 ³ 24 hours ³ E ³ 20 ³
517 ³ 61728 ³ ³ ³ ³ N/A ³
518 ³ 111 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³
519 ³ ³ (416)443-0542 ³ 8:30-5:00 ³ E ³ N/A ³
601 ³ ³ (601)555-1212 ³ 24 hours ³ C ³ 2 ³
602 ³ I47127 ³ (402)572-5858 ³ 24 hours ³ M ³ 2 ³
603 ³ 411 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³
604 ³ ³ Contact Local ³ ³ ³ N/A ³
604 ³ ³Business Office³ ³ ³ N/A ³
605 ³ I47126 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³
606 ³ ³ (606)555-1212 ³ 24 hours ³ E ³ 2 ³
607 ³ 111 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³
608 ³ 767 ³ (608)252-6932 ³ 8:30-4:30 ³ C ³ 5 ³
609 ³ ³ (304)344-7935 ³ 8:00-4:10 ³ E ³ 3 ³
612 ³ I47126 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³
613 ³ ³ (416)443-0542 ³ 8:30-5:00 ³ E ³ N/A ³
614 ³ 161 ³ (614)464-0511 ³ 8:00-5:00 ³ E ³ 3 ³
615 ³ 13402 ³ (615)373-7663 ³ 8:00-4:10 ³ E ³ 3 ³
616 ³53423 or ³ (313)424-0900 ³ 24 hours ³ E ³ 20 ³
616 ³ 61728 ³ ³ ³ ³ N/A ³
617 ³ 411 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³
618 ³ 700 ³ (217)789-8290 ³ 8:00-5:00 ³ C ³ 2 ³
619 ³1659/2826³ (415)781-5271 ³ 7:00-5:00 ³ P ³ 5 ³
701 ³ I47126 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³
702 ³1659/2826³ (415)781-5271 ³ 7:00-5:00 ³ P ³ 5 ³
703 ³ ³ (304)343-1401 ³ 8:00-4:10 ³ E ³ 3 ³
704 ³ 13402 ³ (803)251-0046 ³ 8:30-5:00 ³ E ³ 3-15 ³
705 ³ ³ (416)443-0542 ³ 8:30-5:00 ³ E ³ N/A ³
707 ³1659/2826³ (415)781-5271 ³ 7:00-5:00 ³ P ³ 5 ³
708 ³ 500 ³ (312)796-9600 ³ 24 hours ³ C ³ 2 ³
709 ³ ³ *NONE* ³ ³ ³ N/A ³
712 ³ I47126 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³
713 ³ SW5167 ³ (713)961-2397 ³ 8:00-5:00 ³ C ³ 2 ³
714 ³1659/2826³ (415)781-5271 ³ 7:00-5:00 ³ P ³ 5 ³
715 ³ 767 ³ (608)252-6932 ³ 8:00-4:30 ³ C ³ 5 ³
716 ³ 111 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³
717# ³ ³ (412)633-5600 ³ 8:30-5:00 ³ E ³ 3 ³
717@ ³6630109ATZ (717)245-6829 ³ ³ ³ N/A ³
718 ³ 111 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³
719 ³ I47127 ³ (402)572-5858 ³ 8:00-5:00 ³ M ³ 5 ³
801 ³ I47127 ³ (402)572-5858 ³ 24 hours ³ C ³ 2 ³
802 ³ 411 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³
803 ³ 3402 ³ (803)251-0046 ³ 8:30-5:00 ³ E ³ 3-15 ³
804 ³ ³ (304)343-1401 ³ 8:00-4:10 ³ E ³ 3 ³
805 ³1659/2826³ (415)781-5271 ³ 8:30-5:00 ³ P ³ 5 ³
806 ³ SW5167 ³ (512)828-2501 ³ 8:00-5:00 ³ C ³ 3 ³
807 ³ ³ (416)443-0542 ³ 8:30-5:00 ³ E ³ N/A ³
808 ³ ³ (800)852-8840 ³ 8:00-6:00 ³ E ³ N/A ³
809 ³ ³ (800)852-8840 ³ 8:30-5:00 ³ E ³ N/A ³
812 ³ 161 ³ (317)265-4834 ³ 8:30-4:45 ³ E ³ 3 ³
813 ³ 13402 ³ (803)251-0046 ³ 8:30-4:30 ³ E ³ N/A ³
813 ³GTE only ³ (813)442-7229 ³ 8:00-5:00 ³ E ³ N/A ³
814 ³ ³ (412)633-5600 ³ 8:30-5:00 ³ E ³ 3 ³
815 ³ 700 ³ (217)789-8290 ³ 8:00-5:00 ³ C ³ 2 ³
816 ³ SW1012 ³ (816)275-8460 ³ 8:00-4:45 ³ C ³ 3 ³
817 ³ SW5167 ³ (817)461-4769 ³ 8:00-5:00 ³ C ³ 3 ³
818 ³1659/2826³ (415)781-5271 ³ 6:45-5:00 ³ P ³ 5 ³
819 ³ ³ (514)391-7440 ³ 8:00-4:30 ³ E ³ N/A ³
901 ³ 13402 ³ (615)373-7663 ³ 8:00-4:10 ³ E ³ 3 ³
902 ³ ³ (902)421-4110 ³ 8:15-4:45 ³ A ³ N/A ³³
904 ³ 13402 ³ (803)251-0046 ³ 8:30-5:00 ³ E ³ 3-15 ³
906 ³ 61728 ³ (313)424-0900 ³ 24 hours ³ E ³ 20 ³
907 ³ ³ *NONE* ³ ³ ³ N/A ³
912 ³ 13402 ³ (803)251-0046 ³ 8:30-5:00 ³ E ³ 3-15 ³
913 ³ SW2019 ³ (913)276-6708 ³ 8:00-4:45 ³ C ³ 3 ³
914 ³ 111 ³ (518)471-8111 ³ 8:00-5:00 ³ E ³ 16 ³
915 ³ SW5167 ³ (512)828-2501 ³ 8:00-5:00 ³ P ³ 5 ³
916 ³1659/2826³ (415)781-5271 ³ 8:30-5:00 ³ P ³ 5 ³
918 ³ SW4070 ³ (405)236-6121 ³ 7:30-4:10 ³ C ³ 3 ³
919 ³ 13402 ³ (803)251-0046 ³ 8:30-5:00 ³ E ³ 3-5 ³
ÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÙ
# - Bell of PA
@ - United
Time Zones: P - Pacific 12:00 pm
M - Mountain 1:00 pm
C - Central 2:00 pm
E - Eastern 3:00 pm
A - Atlantic 4:00 pm
Note: The account code for Centel and CONTEL is CNAT, United
Tel. is 6630109ATZ
Well, that's about it. I tried to find any mistakes that
might have occurred during typing, but there's bound to be one or
two around... Two things to note here:
1> California has 2 codes listed (1659 and 2826). The first is
for people in California, the second is for everyone else outside
of California obtaining a CNA in those area codes.
2> Michigan ALSO has two codes. The first was the one currently
working when I last tried; the second is what the new code will
be if it hasn't been changed already... It's a totally automated
system, so try both codes.
Lock In Trace
A lock in trace is a device used by the F.B.I. to lock into the
phone users location so that he can not hang up while a trace is
in progress. For those of you who are not familiar with the
concept of 'locking in', then here's a brief description. The
F.B.I. can tap into a conversation, sort of like a three-way call
connection. Then, when they get there, they can plug electricity
into the phone line. All phone connections are held open by a
certain voltage of electricity. That is why you sometimes get
static and faint connections when you are calling far away,
because the electricity has trouble keeping the ine up. What the
lock in trace does is cut into the line and generate that same
voltage straight into the lines. That way, when you try and hang
up, voltage is retained. Your phone will ring just like someone
was calling you even after you hang up. (If you have call
waiting, you should understand better about that, for call
waiting intercepts the electricity and makes a tone that means
someone is going through your line. Then, it is a matter of which
voltage is higher. When you push down the receiver, then it see-
saws the electricity to the other side. When you have a person on
each line it is impossible to hang up unless one or both of them
will hang up. If you try to hang up, voltage is retained, and
your phone will ring. That should give you an understanding of
how calling works. Also, when electricity passes through a
certain point on your hone, the electricity causes a bell to
ring, or on some newer phones an electronic ring to sound.) So,
in order to eliminate the trace, you somehow must lower the
voltage level on your phone line. You should know that every time
someone else picks up the phone line, then the voltage does
decrease a little. In the first steps of planning this out, Xerox
suggested getting about a hundred phones all hooked into the same
line that could all be taken off the hook at the same time. That
would greatly decrease the voltage level. That is also why most
three-way connections that are using the bell service three way
calling (which is only $3 a month) become quite faint after a
while. By now, you should understand the basic idea. You have to
drain all of the power out of the line so the voltage can not be
kept up. Rather sudden draining of power could quickly short out
the F.B.I. voltage machine, because it was only built to sustain
the exact voltage necessary to keep the voltage out. For now,
imagine this. One of the normal Radio Shack generators that you
can go pick up that one end of the cord that hooks into the
central box has a phone jack on it and the other has an
electrical plug. This way, you can "flash" voltage through the
line, but cannot drain it. So, some modifications have to be
done.
Materials
----------
A BEOC (Basic Electrical Output Socket), like a small lamp-type
connection, where you just have a simple plug and wire that would
plug into a light bulb. One of cords metioned above, if you
can't find one then construct your own... Same voltage
connection, but the restrainer must be built in (I.E. The central
box)
Two phone jacks (one for the modem, one for if you are being
traced to plug the aqua box into)
Procedure
----------
All right, this is a very simple procedure. If you have the
BEOC, it could drain into anything: a radio, or whatever. The
purpose of having that is you are going to suck the voltage out
from the phone line into the electrical appliance so there would
be no voltage left to lock you in with.
Take the connection cord. Examine the plug at the end. It should
have only two prongs. If it has three, still, do not fear. Make
sure the electrical appliance is turned off unless you want to
become a crispy critter while making this thing. Most plugs will
have a hard plastic design on the top of them to prevent you from
getting in at the electrical wires inside. Well, remove it. If
you want to keep the plug (I don't see why...) then just cut the
top off. When you look inside, Lo and Behold, you will see that
at the base of the prongs there are a few wires connecting in.
Those wires conduct the power into the appliance. So, you
carefully unwrap those from the sides and pull them out until
they are about an inch ahead of the prongs. If you don't want to
keep the jack, then just rip the prongs out. If you are, cover
the prongs with insulation tape so they will not connect with the
wires when the power is being drained from the line. Do the same
thing with the prongs on the other plug, so you have the wires
evenly connectd. Now, wrap the end of the wires around each
other. If you happen to have the other end of the voltage cord
hooked into the phone, stop reading now, you're too stupid to
continue. After you've wrapped the wires around each other, then
cover the whole thing with the plugs with insulating tape. Then,
if you built your own control box or if you bought one, then cram
all the wires into it and close it. That box is your ticket out
of this. Re-check everything to make sure it's all in place. This
is a pretty flimsy connection, but on later models when you get
more experienced at it then you can solder away at it and form
the whole device into one big box, with some kind of cheap Mattel
hand-held game inside to be the power connector. In order to use
it, just keep this box handy. Plug it into the jack if you want,
but it will slightly lower the voltage so it isn't connected.
When you plug it in, if you see sparks, unplug it and restart the
whole thing. But if it just seems fine then leave it.
Now, so you have the whole thing plugged in and all... Do not use
this unless the situation is desperate! When the trace has gone
on, don't panic, unplug your phone, and turn on the appliance
that it was hooked to. It will need energy to turn itself on, and
here's a great source... The voltage to keep a phone line open is
pretty small and a simple light bulb should drain it all in and
probably short the F.B.I. computer at the same time. Happy boxing
and stay free!
Pinkish Box
The function of a "Pink Box" is a hold button that allows music
or anything else to be played into the telephone while person is
on hold. This modification either be done right in the telephone
as a separate box.
Materials Needed
1. Some Bell wire or Phone wire
2. A SPST momentary switch RS # 275-1547
3. 470 ohm resistor RS # 271-019
4. 1 LED (Approx 5V) RS # 276-041
5. An SCR, 2N5061 (Transistor)
6. Audio Transformer (Ratio 10K:600)
7. RCA phono Jack RS # 274-346
8. Screw drivers, soldering irons, solder, Etc.
1. Open the wall box and locate the RED and GREEN wires.
2. Take a piece or RED wire and strip tend and attach it to the
red lead on the wall box. Do the same for the GREEN.
3. Connect the GREEN wire to the ANODE of the LED.
4. Connect the CATHODE side of the LED the UPPER pin of the
primary side of the transformer.
5. Connect the pin directly across to one pole of the phono jack.
6. Connect the RED wire to one side of resistor and to the "C
pole" of the transistor.
7. Connect the open pin of the switch the other side of the
resistor and to the "G pole" of the transistor.�Wiring Diagram
RCA Jack X-former LED
_____ C A
Pole or Jack --/---! Top !---/--(*)--\------GREEN wire
-!View !- Primary --I---RED wire
Pole of Jack --/---!_____!---/-I (O)
I I
I [--I-----Pole of Switch
I
I--------/--m--Pole of Switch
Key to Symbols
-- Wire
I Connection or wire
/ Connection or wire
_/ C pole of transistor --(*)--
[_)-- G pole of transistor I
I A pole of transistor (O) Resister
I
_____
---! Top !---
-! View!- Primary Transformer
---!_____!---
Hook the RED and GREEN wires up to the appropriate terminals
and hook the RCA jack to the output on your stereo. Turn on your
stereo at a good volume. Now call a friend. To test the Box,
hold down the switch and hang up the phone. The LED should go
and your friend should hear music, If not then start over. The
hold is shut off if you pick up a phone on that line or your end
hangs up.
Pearl Box
The Pearl Box:Definition - This is a box that may substitute for
many boxes which produce tones in hertz. The Pearl Box when
operated correctly can produce tones from 1-999hz. As you can
see, 2600, 1633, 1336 and other crucial tones are obviously in
its sound spectrum.
Materials you will need in order to
build The Pearl Box:
=====================================
C1, C2:.5mf or .5uf ceramic disk
capacitors
Q1.....NPN transistor (2N2222 works
best)
S1.....Normally open momentary SPST
switch
S2.....SPST toggle switch
B1.....Standard 9-Volt battery
R1.....Single turn, 50k potentiometer
R2..... " " 100k potentiometer
R3..... " " 500k potentiometer
R4..... " " 1meg potentiometer
SPKR...Standard 8-ohm speaker
T1.....Mini transformer (8-ohm works
best)
Misc...Wire, solder, soldering iron, PC
board or perfboard, box to
contain the completed unit,
battery clip
Instructions for building Pearl Box:
======================================
Since the instruction are EXTREMELY difficult to explain in
words, you will be given a schematic instead. It will be quite
difficult to follow but try it any way. There is also a Hi-Res
picture you can get that shows the schematic in great detail.
Schematic for The Pearl Box
+---+------------+---------+
! ! \
C1 C2 \
! ! +
+ + -----+T1
!\ +------------+-+
! b c-------! +
! Q1 ! +-S1-
! e-----S2---+ ! SPKR
! ! ! +----
! B1 !
! ! !
! +-------+
!R1 R2 R3 R4!
/\/\ /\/\ /\/\ /\/\
+--+ +--+ +--+
Now that you are probably thoroughly confused, let me explain a
few minor details. The potentiometer area is rigged so that the
left pole is connected to the center pole of the potentiometer
next to it. The middle terminal of T1 is connected to the piece
of wire that runs down to the end of the battery.
Correct operation of The Pearl Box:
You may want to get some dry-transfer decals at Radio Shack to
make this job a lot easier. Also, some knobs for the tops of the
potentiometers may be useful too. Use the decals to calibrate the
knobs. R1 is the knob for the ones place, R2 is for the tens
place, R3 if for the hundreds place and R4 is for the thousands
place. S1 is for producing the all the tones and S2 is for power.
Step 1: Turn on the power and adjust the knobs for the desired
tone. (Example: For 2600 hz-
R1=0:R2=0:R3=6:R4=2)
Step 2: Hit the pushbutton switch and VIOLA! You have the tone.
If you don't have a tone recheck all connections and schematic.
If you still don't have a tone call Brainstorm BBS: 612-345-2815,
The Bay:415-775-2384 or Pirate's Harbor:617-720-3600 and leave me
e-mail stating what the scene is.
Brown Box
This is a fairly simple modification that can be made to any
phone. All it does is allow you to take any 2 lines in your house
and create a party line. So far I have not heard of any problems
with it from my friends that have set one up and I have not had
any either. There is one thing that you will notice when you are
one of the two people who is called by a person with this box.
The other person will sound a little bit faint. I could overcome
this with some amplifiers but then there wouldn't be very many of
these boxes made. I think that the convenience of having two
people on line at any one time will make up for the minor volume
loss.
Here is the diagram:
___________________________
PART SYMBOL
---------------------------
BLACK WIRE *
YELLOW WIRE =
RED WIRE +
GREEN WIRE -
SPDT SWITCH _/_
VERTICAL WIRE |
HORIZONTAL WIRE _
* = - +
* = - +
* = - +
* = - +
* = - +
* ==_/_- +
*******_/_++++++
| |
| |
| |
|_____PHONE____|
In some houses the black and yellow are already wired in others
you will have to go out to your box and rewire it. A goo way to
figure out which line is which is to take the phone you are
looking for off the hook. Then you only need to take the red and
green wires entering your phone and hook them to the different
pairs of red and green going into the house. You can't hurt
anything in the phone or telephone by probing. When you find the
pair that you want take the black from your line and attach it to
the red of the other line then take the yellow and attach it to
the green line. Now you are all set to go. For people with rotary
phones you can have one person call you then place the second
call out to the other person. Though not a phreaker's tool, the
brown box can be fun.
Scarlet box
The purpose of a Scarlet box is to create a very bad
connection, it can be used to crash a BBS or just make life
miserable for those you seek to avenge.
Materials: 2 alligator clips, 3 inch wire, or a resister
(plain wire will create greatest amount of static)
(Resister will decrease the amount of static in proportion to the
resister you are using)
Step (1): Find the phone box at your victims house, and pop the
cover off. Step (2): Find the two prongs that the phone line you
wish to box are connected to.
Step (3): Hook your alligator clips to your (wire/resister). Step
(4): Find the lower middle prong and take off all wires connected
to it, I think this disables the ground and call waiting and
stuff like that. Step (5): Now take one of the alligator clips
and attach it to the upper most prong, and take the other and
attach it to the lower middle prong. Step (6): Now put the cover
back on the box and take off!!
Day-Glow
A day-glow box is very easy to make, and very inexpensive to
build. It works like this: On the outside of every home that has
a phone, there is something called "the outside connection box,"
which is where the house is connected to Ma Bell's network. This
ingenious device connects to a) your phone, b) the victim's
outside box. You should be starting to get the idea.
Materials necessary:
1. Radio Shack modular conversion jack
2. A small experimenter's box (optional)
3. 1 foot of red wire. (better to overkill)
4. 1 foot of green wire. (same as above)
5. 2 medium alligator clips
In order to construct this box, you will need all of the above
materials. Note that your wire does not necessarily have to be
red or green, but it is necessary that you be able to tell them
apart. Also, you might want to use thick, easily bent wire (audio
hookup wire works best) instead of bell wire. Now, on to the
construction.
Remove the actual modular jack from the conversion box. This can
be done by pushing inward and then up, or you can just cut the
plastic. Remove the black and yellow wires from the jack. You can
either clip these or rip them out. To your newly isolated jack,
add the 1 foot wire extensions to the respective wires. Soldering
and then wrapping the connections with electrical tape works
best. Next, solder the alligator clips to the extended wires. If
you do not wish to solder them, then just wrap the clips with the
wire. Now, place this newly made contraption into a box
(optional). You may need to drill a few holes, and possibly
remove the alligator clips, but you should have read this file
first, anyway.
The day-glow box will work with any phone. First, you need to
locate a house that has a phone. Next, (it's preferable to do
this at night) go up to the and locate the outside connection
box. Pop the cover off. Locate prong 3 and prong 4. You will
attach the green wire clip to prong 3. The red wire clip will go
to prong 4. Now, plug your phone (preferably a trimline or
ranger) into your modular plug. You may now either listen in on
the call (wire tap) OR you may call out to anywhere in the world.
If you are really daring, you can bring your computer with you.
Note: This box may also be used in conjunction with the lunch box
in order to make a perfect phone bug.
Neat things you can do with your new box:
Call 976 numbers. This should be done very frequently. Also, I
find that after finding the victim's outside box, several calls
to the gay hotline will have interesting after-effects. Namely,
his parents wondering about him. Alliance teleconferencing can be
accomplished quite easily. Try it! Call 0-700-456-1000. Or, tell
the operator you'd like to initiate a conference. Of course, you
should place several calls to other countries. This can be
accomplished by looking in the front of your white pages for the
various country and city codes. You should be able to follow the
directions provided in there.
Have you ever wondered what those 6ft tall cabinets with the
bell logo on them were for? Well, if you've never seen them,
here's a quick description: They are 6ft tall by 3ft wide, and
painted the dull phone company green. They can be opened quite
easily with a 7/16ths inch socket wrench. After turning the bold
over the handle, turn the handle to the right and pull. It should
open, displaying over 100 different lines. Occasionally, you can
find tech. manuals and test kits inside. They are usually located
near phone lines. Okay, now, once you have opened one of these
calling cabinets, locate the line of your choice. You will have
to take out both the orange and the white insulated screws. The
purple and white wires should come off along with the screws. The
lines go out to the house, and the screw posts are the actual
line. Now, you should clip the alligators to the posts, with one
part of the clip on the insulation, and on.]Now, you should clip
the alligators to the nep parteli. Oh, if you want the home to
remain connected, clip the wires inside the hole using the
alligator clips. By the way, the red terminal on your box goes to
the orange post, and the green one to the white post... if that
doesn't work, reverse the connection. Now, to find out the number
you have taken over, dial 380-55555555. Yes, that's eight fives.
A computer voice should tell you what number you are on. I hope
you can take it from here. Oh, in apartments, you can find the
calling cabinet in the basement... remember, this is not your
line, so do anything you want. Call the President or something.
Gold Box Plans
Materials:
2 10k OHM resistors
3 1.4k OHM resistors
2 2N3904 transistors
2 Photocells
2 LED's (Make sure they're real bright)
1 Box to contain it in that will not allow sunlight in it.
(some) wire. Red and green for easiness sake
Light from the LED's must shine directly on the photocells. You
may have to have the LED touching the photocell for it to work.
[The 1.4k resistor is variable and if the second part of the box
is skipped the box will still work but if someone picks up the
phone they may report it to the Phone Co. The 1.4k will give you
good reception with little risk of the Gestapo knocking at your
door. Take two green wires and strip the ends. Twist one end of
each together so they make one wire. Connect it to Green #1.
Label this 'Line #1'. Do the same but with red wire and attach it
to Red #1. Repeat the process for Red #2 and Green #2 and label
it 'Line #2'. Find two phone lines that are close together. Label
one of them 'Line #1'. Cut [the phone lines and take off the
outer covering. You'l see 4 colored wires inside. Cut the yellow
and black wire off and strip the red and green wires on both
lines. Line #1 should be in two pieces. Take the green wire of
one end and connect to one of the green wires on the box. Take
the other half of the phone line green wire and connect it to the
other green wires on the gold box. Do the same for the red wires
on the other line and the red wires on the box. Now, find out
what number you hooked up the gold box to. Go home and call it.
You should get a dial tone and you can dial out. If not, re-check
everything. If it still doesn't work, pack up and go home.� Green Box
Paying the initial rate in order to use a red box (on certain
fortresses) left a sour taste in many red boxers mouths, thus the
green box was invented. The green box generates useful tones such
as COIN COLLECT, COIN RETURN, AND RINGBACK. These are the tones
that ACTS or the TSPS operator would send to the CO when
appropriate. Unfortunately, the green box cannot be used at the
fortress station but must be used by the CALLED party. Here are
the tones:
COIN COLLECT 700+1100hz
COIN RETURN 1100+1700hz
RINGBACK 700+1700hz
Before the called party sends any of these tones, an operator
release signal should be sent to alert the M detectors at the CO.
This can be done by sending 900hz + 1500hz or a single 2600 wink
(90 ms.)
Also, do not forget that the initial rate is collected shortly
before the 3 minute period is up.
Incidentally, once the above M tones for collecting and returning
coins reach the CO, they are convertedinto an appropriate DC
pulse (-130 volts for return and +130 for collect). This pulse is
then sent down the tip to the fortress. This causes the coin
relay to either return or collect the coins. The alleged "T-
network" takes advantage of this information. When a pulse for
coin collect (+130 VDC) is sent down the line, it must be
grounded somewhere. This is usually the yellow or black wire.
Thus, if the wires are exposed, these wires can be cut to prevent
the pulse from being grounded. When the three minute initial
period is almost up, make sure that the black and yellow wires
are severed, then hang up, wait about 15 seconds in case of a
second pulse, reconnect the wires, pick up the phone, an if all
goes well, it should be "JACKPOT" time.
Blotto Box
For years now every pirate has dreamed of the Blotto Box. It
was at first made as a joke to mock more ignorant people into
thinking that the function of it actually was possible. Well, if
you are The Voltage Master, it is possible. Originally conceived
by King Blotto of much fame, the Blotto Box is finally available
to the public.
The Blotto Box is every phreak's dream... you could hold AT&T
down on its knee's with this device. Be
cause, quite simply, it can turn off the phone lines everywhere.
Nothing. Blotto. No calls will be allowed out of an area code,
and no calls will be allowed in. No calls can be made inside it
for that matter. As long as the switching system stays the same,
this box will not stop at a mere area code. It will stop at
nothing. The electrical impulses that emit from this box will
open every line. Every line will ring and ring and ring... the
voltage will never be cut off until the box/generator is stopped.
This is no 200 volt job, here. We are talking GENERATOR. Every
phone line will continue to ring, and people close to the box may
be electrocuted if they pick up the phone.
But, the Blotto Box can be stopped by merely cutting of the
line or generator. If they are cut off then nothing will emit any
longer. It will take a while for the box to calm back down again,
but that is merely a superficial aftereffect. Once again:
Construction and use of this box is not advised! The Blotto Box
will continue as long as there is electricity to continue with.
OK, that is what it does, now, here are some interesting things
for you to do with it...
Once you have installed your Blotto, there is no turning back.
The following are the instructions for construction and use of
this box. Please read and heed all warnings in the above section
before you attempt to construct this box.
Materials:
- A Honda portable generator or a main power outlet like in a
stadium or some such place.
- A radm r=L L5I Z] ] for 400 volts that splices a female plug
into a phone line jack.
- A meter of voltage to attach to the box itself.
- A green base (i.e. one of the nice boxes about 3' by 4' that
you see around in your neighborhood. They are the main switch
boards and would be a more effective line to start with.
or: regular phone jack (not your own, and not in your area
code! - A soldering iron and much solder.
- A remote control or long wooden pole.
Now. You must have guessed the construction from that. If not,
here goes, I will explain in detail. Take the Honda Portable
Generator and all of the other listed equipment and go out and
hunt for a green base. Make sure it is one on the ground or
hanging at head level from a pole, not the huge ones at the top
of telephone poles. Open it up with anything convenient, if you
are two feeble then don't try this. Take a look inside... you are
hunting for color-coordinating lines of green and red. Now, take
out your radio shack cord and rip the meter thing off. Replace it
with the voltage meter about. A good level to set the voltage to
is about 1000 volts. Now, attach the voltage meter to the cord
and set the limit for one thousand. Plug the other end of the
cord into the generator. Take the phone jack and splice the jack
part off. Open it up and match the red and green wires with the
other red and green wires. NOTE: If you just had the generator on
and have done this in the correct order, you will be a crispy
critter. Keep the generator off until you plan to start it up.
Now, solder those lines together carefully. Wrap duck tape or
insulation tape around all of the wires. Now, place the remote
control right on to the startup of the generator. If you have the
long pole, make sure it is very long and stand back as far away
as you can get and reach the pole over. NOTICE: If you are going
right along with this without reading the file first, you should
realize now that your area code is about to become null! Then,
getting back, twitch the pole/remote control and run for your
damn life. Anywhere, just get away from it. It will be generating
so much electricity that if you stand to close you will kill
yourself. The generator will smoke, etc. but will not stop. You
are now killing your area code, because all of that energy is
spreading through all of the phone lines around you in every
direction.�
Computer Hacking
� TYMNET
Introduction:
Many people may or may not have heard of Tymnet. Tymnet is one of
the best information gathering networks that is around. It seems
as though it were set up with the hacker in mind, but we all know
this isn't true. After becoming experienced with the network, I
found there to be little information available to the newcomer,
with the exception of what is already available on the network,
but as we all know, this leaves the newcomer craving for more. As
this file was under construction, a great blow hit the hacker
community on the network; four of the most popular NUIs died
(NUIs to be discussed later). They were VIDEO, and the T.LLOYxx
Family. In hopes of having the community reborn, an additional
new NUI has been included.
For more information regarding Tymnet, Telenet, and other PSNs,
consult the Leigon's of Lucifer Text File #10-11. Although other
information on PSNs is available from Leigon's of Lucifer, this
file was written in mind that the reader is unfamiliar with
Tymnet. Terminology that would appear to be new to the reader is
explained, in hopes that you will gain a greater knowledge of the
networks.
Tymnet is an international network designed for two basic
reasons. One, to link computers worldwide in order to exchange
information. Two, so hackers can take advantage of the network
and connect to the as many computers available =).
Tymnet is linked to computers throughout the world including most
major continents (North/South America, Asia, Europe, Africa,
Australia, etc.). Tymnet is referred to as a PSN, which is an
acronym for Packet Switching Network. A PSN is any network that
sends information via packets, in Tymnet's case, 128 byte
packets.
The following is an example of a simple PSN, which
includes three major components:
1) The PAD (Your Local Dialup)
2) The PSN (The network that you are currently on)
3) The Host (The computer you connect to via the PSN)
Use of a PSN is quite simple. First you must connect to your
local PAD, and sign in with a NUI. If the NUI is valid, a colon
prompt will follow (;), at which you may enter any NUA (NUAs to
be discussed later), depending on what level of access the NUI
has. The PSN then connects you to the Host, posing as a relay
between you and the host. If this appears confusing, read through
the rest of this file, and browse back through it, and possibly
you will understand the concept a bit better.
Since Tymnet is not connected to nearly as many businesses as
Telenet, it turns to be more of a communication and information
gathering tool then a scanning one. Hackers on Tymnet, which can
be contacted on the many various chat systems are almost always
bound to have information to trade, or give away. Almost
everything is available, from telco, fraud, to hacking.
Connecting to Tymnet:
The first thing you must do is find your local Tymnet dialup. If
you already know your dialup, you can skip by this paragraph, and
move on. There are two ways to acquire your dialup. Voice, or
data. If you choose to find out your dialup voice, call 1-
(800)-222-0555. Use your touch-tone keypad and follow the voice
prompts. Data is quite simple if you are already familiar with
the logon process on Tymnet. Type 'Information', or 'Info' at the
NUI (Logon) prompt. It's self explanatory from there. You can
also dial 1-(800) 336-0149 to find out your local dial, this
includes HST Modems.
You must now prepare your terminal to communicate with Tymnet.
Switch your parity to either 7E1 or 8N1. 7E1 is preferred, as I
have encountered problems using 8N1. Toggle your Local Echo until
it appears satisfactory. Once connected, Hit return a few times
until the following message appears:
please type your terminal identifier
When this occurs, hit 'a' if you have 7E1, or 'o' if you have 8N1
set up. The 'a' / 'o' combination tells the PAD your parity
setting. Something to this effect will follow:
-4353:01-007-
please log in:
You have now successfully connected to Tymnet.
Usage of NUIs:
NUI is an acronym for Network User Identification. This is much
like the standard 'user name' on your favorite BBS. NUIs are
legitimate accounts given to paying members of Tymnet. Hackers
always seem to have a knack for setting up illegal NUIs though.
Unlike Telenet, Tymnet NUIs are easy to find. The NUI 'VIDEO',
which was by far one of the most popular hacker NUIs on Tymnet
was cancelled during the construction of this file. Along with
it, the T.LLOYxx Family died (T.LLOY01, T.LLOY02, T.LLOY03).
These NUIs are probably the most free accounts that have been
available; meaning they had extremely little restrictions. After
entering a legitimate NUI, a colon prompt will appear. This
notifies you that Tymnet is ready to receive a NUA. NUA is an
acronym for Network User Address. This could be associated with a
BBS telephone number, as they are much alike in certain aspects.
Types of NUAs:
Chat Systems-
Chat systems are probably the most popular of the NUAs to hackers
on the networks. You can find many other hackers that are willing
to trade new information. As well, in-depth conversations on
hacking do take place on chat systems, so they are an excellent
place to learn for the newcomer.
One of the most popular chat systems is QSD France. You can reach
QSD via 208057040540 NUA. It is not a 'Live' chat system, as
messages take some time to exchange. This chat system is also an
excellent place to find other hackers to exchange information
with. But be noted, QSD is like a local chat system in France, so
you will, certain times, run into people who know nothing about
hacking. It's best to avoid these people, because they are
usually gay/lesbian, or looking for a fight. Besides, what use do
you have for the general public? When reaching QSD, remember to
change your parity to 8N1. If you logged in with 8N1, don't worry
about it. Another note, QSD treats a destructive backspace as
return. Do NOT hit backspace. The only way to get around the
backspace problem, from my knowledge, is to use a Canadian PAD.
Most other chat systems are run off either custom software, like
QSD, or off a Unix Shell. The Unix Shell chat systems are a bit
harder to understand, but are much more powerful. When logging in
to a Unix chat system, you will see a Logon: prompt, as most
Unix's have. Try using default accounts to logon (x25, Guest,
etc.). When logging onto a Unix Chat System which automatically
places your NUA (Your PAD Address), use the FROM= command from
the logon. RMI Chat System is a perfect example of this. Use Gast
FROM=Hell/Gast as a Username/Password. If you want other hackers
to know the exact geographical location from which you are
calling, don't bother with this, otherwise, be safe, and use the
FROM= command.
Unix Chat Systems resemble closely to the conferences found on
most pay networks (Compuserve, Genie, BIX, etc), as they are
'Live', and you see messages as soon as the author writes them.
Outdials Explained:
Outdials that are available on Tymnet are PC-Pursuit (Telenet)
Outdials. PC-Pursuit is a pay service from Telenet where you sign
up and pay a monthly fee, and you are allowed a certain amount of
long distance data calls. Of course, when using PC-Pursuit
Outdials through Tymnet, you don't have to pay for anything.
Outdials are restricted only to dial numbers from within that
area code. If you logon to the 213 Outdial, you can only reach
data numbers in 213. These Outdials are referred to as Local
Outdials. There is another type of Outdials, and there are called
Global Outdials, or, abbreviated, GODs. GODs can call anywhere
within the United States with no restrictions, unlike LODs. The
dial format for GODs usually differs. Ask whomever you received
the GOD from for dialing procedures. Usage of Outdials is quite
simple, after logging into Tymnet, and entering the NUA of the
desired Outdial, you must hit one of three commands. If you are
new to Outdials, they have a help level available where a program
controls the modem for you via certain commands you send to it.
To reach this help level, hit either CTRL-E or '%' when you
connect to the Outdial. If you wish to use simplified AT
commands, type 'AT', and you are ready. Use the AT level just as
you would with your own modem. Entering a 1+AC+Number is not
necessary, and if done, will not work correctly. Remember, you
are logged into a certain area code, and you can only call
numbers within that area code, so just type the local 7 digit
phone number. File transferring through Tymnet/Telenet OutDial
through tymnet is tricky when you are on a BBS, you must ALWAYS
switch to 8n1,1 after you connect to a BBS through a OD, and when
you are about to transfer, the only protocol you can use is PCP
Z-Modem, aka MobyTurbo Zmodem, aka Z-Modem '90. This protocol was
made for tymnet OD's and if you don't use it, you will get a slew
of errors in your file and it will just corrupt the file and/or
abort your transfer.
DNIC Restrictions:
DNIC is an acronym for Data Network Identification Code. A DNIC
is made up of the first 4 digits of any NUA. There are plenty of
DNIC lists around, so I will not include one. A DNIC shows which
network, or country you are connecting to. Most of the NUIs that
have been around have had very little restrictions when it comes
to connecting to different DNICs, but as they are slowly dying,
you might run into trouble with new NUIs that have restrictions.
If you are trying to connect to a system in Germany, and your NUI
bars access to German DNICs, try connecting to another PAD, such
as an England PAD, and attempt connecting to the NUA again. You
should not run into many problems. It's harder to scan this way..
but it's a method around NUI restrictions. (Editor's Notes: In
this text file, the author refers to your local Tymnet dialup as
a PAD. Technically, it is. Technically, everything on Tymnet is a
PAD. When I use the acronym PAD, I mean an x28/x29 PAD, and not a
local dialup, and most of the rest of the hacker community on the
networks would agree. I find very rare instances where I see it
used in this way.)
Here is a list of Telenet PC-Pursuit Local Out Dials:
New Jersey:
3110 201 00 022 2400 Baud
District of Columbia:
3110 202 00 117 2400 Baud
Connecticut:
3110 203 00 105 2400 Baud
Washington:
3110 206000 208 2400 Baud
New York:
3110 212 00 028 2400 Baud
California:
3110 213 00 023 2400 Baud
3110 213 00 413 2400 Baud
3110 714 00 004 2400 Baud
3110 714 00 102 2400 Baud
3110 916 00 007 2400 Baud
3110 408 00 021 2400 Baud
Texas:
3110 214 00 022 2400 Baud
3110 713 00 024 2400 Baud
Pennsylvania:
3110 215 00 022 2400 Baud
Ohio:
3110 216 00 120 2400 Baud
Colorado:
3110 303 00 021 2400 Baud
3110 303 00 115 2400 Baud
Florida:
3110 305 00 122 2400 Baud
3110 813 00 124 2400 Baud
Illinois:
3110 312 00 024 2400 Baud
Michigan:
3110 313 00 024 2400 Baud
Missouri:
3110 314 00 005 2400 Baud
Alabama:
3110 404 00 022 2400 Baud
Wisconsin:
3110 414 00 120 2400 Baud
Arizona:
3110 602 00 026 2400 Baud
Minnesota:
3110 612 00 022 2400 Baud
Massachusetts:
3110 617 00 026 2400 Baud
Utah:
3110 801 00 012 2400 Baud
North Carolina:
3110 919 00 124 2400 Baud
TELENET
I am writing this assuming that the reader has no knowledge of
the Telenet network. In part 1 I will discuss the basic theory of
Telenet and how it can be used as a basically safe and fun
hacking tool. Telenet is a Packet Switching Network (PSN). Since
I want to make this as short as possible I will try to give you a
*basic* understanding of what a PSN is and how it works.
Basically there are 3 levels to the PSN. The 3rd and lowest is
the PAD that you dial-up. This is where you enter all of the
information. 2nd is the actual PSN which takes the data you enter
in 128k chunks (usually) and then transmits them to the host (1st
and highest level) at baud rates ranging from 9600 to 19,200.
This means that 2 computers with different baud rates are able to
communicate (See my really bad ASCII PSN map). Ok, now you have a
*basic* understanding of how Telenet works. Now to the fun stuff!
Remember, Telenet has access to computers all over the world.
When you consider all the networks that these other computers are
connected to then you can see that you can basically access the
entire world. It is also pretty safe because there is no way that
someone can monitor all the PADs at one time.
Ok, now first you must find a list of Telenet access numbers.
There are many lists out there (look in Phrack issue 21). If you
can't find one then to find the Telenet dialup nearest your
location, call 800-424-9494 at 300/1200 baud. At the '@' prompt,
type 'MAIL'. Enter user name 'PHONES' with password 'PHONES'. So
now you have a local access number. Remember it's (7E1), so if
your screen looks messed-up then you're not set right. After you
call this is what you do.....
*Inside the '<>' (of course <CR> is return) is what you have to
type....
CONNECT 2400 (or whatever baud rate it is)
<CR> <CR>
TERMINAL=<D1><CR>
@
Ok, now you're to the @ prompt. This is the telenet PAD
prompt. This prompt means that telenet is in "command" mode. Now
we will get to the *real* fun.
Telenet's computer systems are identified by NUA's. This stands
for Network User Address. The way you connect to the NUA's are
by either typing in 'c' <nua> or just typing in the nua by
itself. We will work w/ the 1st and most basic form on the NUA
since this is a file for people who don't know what the hell
they're doing (I'll make another G-phile for the more advanced
telenet hacker ). The easiest form is AAA XXX, this is where AAA
stands for an area code and XXX stands for random numbers. So if
I wanted to scan the Los Angeles area for example I would type
213 123. Here 213 is the area code and 123 are random numbers.
You must have a at least 4 numbers. So 213 1 would work as would
213 12.
Telenet doesn't recognize zeros or spaces so you could also
type 213 123 like this 213000000000000123 or like 213123. Ok, now
that you know how to use simple NUA's you can start messing
around. So, now you can access all the networks and
Unix/Vax/Primes/etc... that you want right? So, you enter 213
123 and suddenly it says.. COLLECT CONNECTION REFUSED
F4 E6 Well, you just learned life's first lesson. Nothing in
life is free! Yes, that's right, the "good" systems on telenet
you have to pay for. This is where a NUI comes in. This stands
for Network User ID. This is for users with "accounts" on
telenet. NUI's are very hard to find these days ( I've only had
1 in my hacking adventures ). They are in the form of a user
name ( anything ) and then a password (6 numbers). These are very
hard to hack since there are no "default" names or passwords. You
type in ID <name> and then the password to user one. if you can
hack out a NUI then you should be writing G-Philes instead of
reading them.
But don't worry though! There are *MANY* systems on telenet
that are free. The only ones that cost money are the big ones
like some BIG corporation. By just typing in an area code and
then a random number ( up to 3 digits ) you can find some really
cool systems (hey, yo can hack into McDonalds for free!!).
Anyway I have the most fun by turning on my Led Zeppelin CD and
just randomly typing in numbers. You will find at least 1 NUA
that connects for every 5 you type in . Its not like phreaking
where you find a code per 10 hours.... Of course there are the
lazy hackers who just want the NUA's with no work, there are many
good NUA lists ( check you local p/h/a board ). You can find a
NUA lists in a few Phrack issues or on DII (Data Infinty,
Incorporated (yes once again, I must plug my organization you
know). If you want to feel like you did something then get the
NUA Attacker. This is an IBM program that calls telenet and then
types in different NUA's ( you set the range ). It is basically a
code hacker for Telenet. This can be found on DII (Data Infinity,
Inc.) <once again> or most good p/h/a boards.� HACKING UNIX
Welcome to the basics of hacking Vax's and Unix. In this article,
we discuss the unix system that runs on the various vax systems.
If you are on another unix-type system, some commands may differ,
but since it is licensed to bell, they can't make many changes.
Hacking onto a unix system is very difficult, and in this case,
we advise having an inside source, if possible. The reason it is
difficult to hack a vax is this: Many vax, after you get a
carrier from them, respond=> Login: They give you no chance to
see what the login name format is. Most commonly used are single
words, under 8digits, usually the person's name. There is a way
around this: Most vax have an acct. called 'suggest' for people
to use to make a suggestion to the system root terminal. This is
usually watched by the system operator, but at late he is
probably at home sleeping. So we can write a program to send at
the vax this type of a message: A screen freeze (Ctrl-s), screen
clear (system dependant), about 255 garbage characters, and then
a command to create a login acct., after which you clear the
screen again, then un- freeze the terminal. What this does: When
the terminal is frozen, it keeps a buffer of what is sent. well,
the buffer is about 127 characters long. so you overflow it with
trash, and then you send a command line to create an acct.
(System dependant). after this you clear the buffer and screen
again, then unfreeze the terminal. This is a bad way to do it,
and it is much nicer if you just send a command to the terminal
to shut the system down, or whatever you are after... There is
always, *Always* an acct. called root, the most powerful acct. to
be on, since it has all of the system files on it. If you hack
your way onto this one, then everything is easy from here on...
On the unix system, the abort key is the Ctrl-d key. watch how
many times you hit this, since it is also a way to log off the
system! A little about unix architecture: The root directory,
called root, is where the system resides. After this come a few
'sub' root directories, usually to group things (stats here, priv
stuff here, the user log here...). Under this comes the superuser
(the operator of the system), and then finally the normal users.
In the unix 'Shell' everything is treated the same. By this we
mean: You can access a program the same way you access a user
directory, and so on. The way the unix system was written,
everything, users included, are just programs belonging to the
root directory. Those of you who hacked onto the root, smile,
since you can screw everything... the main level (exec level)
prompt on the unix system is the $, and if you are on the root,
you have a # (super- user prompt). Ok, a few basics for the
system... To see where you are, and what paths are active in
regards to your user account, then type > pwd This shows your
acct. separated by a slash with another pathname (acct.),
possibly many times. To connect through to another path, or many
paths, you would type: You=> path1/path2/path3 and then you are
connected all the way from path1 to path3. You can run the
programs on all the paths you are connected to. If it does not
allow you to connect to a path, then you have insufficient privs,
or the path is closed and archived onto tape. You can run
programs this way also:
you=> path1/path2/path3/program-name
unix treats everything as a program, and thus there a few
commands to learn... To see what you have access to in the end
path, type=> ls -- for list. this show the programs you can run.
You can connect to the root directory and run it's programs
with=> /root By the way, most unix systems have their log file on
the root, so you can set up a watch on the file, waiting for
people to log in and snatch their password as it passes thru the
file. To connect to a directory, use the command: => cd pathname
this allows you to do what you want with that directory. You may
be asked for a password, but this is a good way of finding other
user names to hack onto. The wildcard character in unix, if you
want to search down a path for a game or such, is the *. => ls /*
Should show you what you can access. The file types are the same
as they are on a dec, so refer to that section when examining
file. To see what is in a file, use the => pr filename command,
for print file. We advise playing with pathnames to get the hang
of the concept. There is on-line help available on most systems
with a 'help' or a '?'. We advise you look thru the help files
and pay attention to anything they give you on pathnames, or the
commands for the system. You can, as a user, create or destroy
directories on the tree beneath you. This means that root can
kill every- thing but root, and you can kill any that are below
you. These are the => mkdir pathname => rmdir pathname commands.
Once again, you are not alone on the system... type=> who to see
what other users are logged in to the system at the time. If you
want to talk to them=> write username Will allow you to chat at
the same time, without having to worry about the parser. To send
mail to a user, say => mail And enter the mail sub-system. To
send a message to all the users on the system, say => wall which
stands for 'write all' By the way, on a few systems, all you have
to do is hit the <return> key to end the message, but on others
you must hit the ctrl-d key. To send a single message to a user,
say => write username this is very handy again! If you send the
sequence of characters discussed at the very beginning of this
article, you can have the super-user terminal do tricks for you
again. Privs: If you want super-user privs, you can either log in
as root, or edit your acct. so it can say => su this now gives
you the # prompt, and allows you to completely by-pass the
protection. The wonderful security conscious developers at bell
made it very difficult to do much without privs, but once you
have them, there is absolutely nothing stopping you from doing
anything you want to. To bring down a unix system: => chdir /bin
=> rm * this wipes out the pathname bin, where all the system
maintenance files are.
Or try: => r -r This recursively removes everything from the
system except the remove command itself. Or try: => kill -1,1 =>
sync This wipes out the system devices from operation. When you
are finally sick and tired from hacking on the vax systems, just
hit your ctrl-d and repeat key, and you will eventually be logged
out. The reason this file seems to be very sketchy is the fact
that bell has 7 licensed versions of unix out in the public
domain, and these commands are those common to all of them. We
recommend you hack onto the root or bin directory, since they
have the highest levels of privs, and there is really not much
you can do (except develop software) without them.
Primenet
Well, we've all heard of Unix and Vax systems. We hear a little
bit now and then about Cyber or Tops systems, but what is Prime?
Well, prime is a system made by Primos which has a set-up
something like DOS. Prime is arguably not as powerful as a Vax or
Unix system, but it is more user friendly (I feel) than either of
them.
Now, you may say to yourself "Great, why should I even learn
about prime if nobody uses it". Well there are many people who
use it (just not as many as Unix of Vax), but the real reason I
wrote this is because a good percentage of the systems found on
Telenet are prime. Since I have already wrote a telenet G-Phile
(which is very good <grin>), I thought I'd follow it up with a
primos text phile since there are so many. Also, there are no
really good primenet hacking philes (except for a good one in a
LOD/H journal and in a Phrack issue which I forget) that cover
everything.
First of all find a prime system. This can be done by going on
Telenet and just scanning or picking-up the LOD/H journal #4
which has a great NUA list (or any NUA list for that matter). You
can also check at your local university for one. Ok, first I tell
you the way to identify a prime system. It should be easy because
almost all prime systems have a system header that looks
something like...
PRIMENET 22.1.1.R27 SWWCR
This means that this is a primenet version 22.1.1. If for some
reason you get VERY lucky and find a version 18.xx or lower then
you're in. See, most version 18's and lower have either no
password (So you enter System for the ID which is the sysop), or
if they do have a password then all you have to do is hit a few
^C (Control C for the beginner) for the password. Some prime
systems just sit still when you connect. On these try typing like
'hi'. If its a prime you will get a message like...
Now, in order to logon to a prime system you must type "Login
<UserName>" or just "Login". If you type in "Login" then it will
just ask you for your username anyway. Now, here is the hardest
part of hacking. You must get a working password. Primes are hard
to hack since they don't have any default passwords. Here is a
list that I have compiled ..... (passwords same as Username!)�ÉÍÍÍÍÍÍÍÍÍÍÍÍËÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
º Username º Password º
ÌÍÍÍÍÍÍÍÍÍÍÍÍÎÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹
º Prime º Prime º
º System º System º
º Primos º Primos º
º Admin º Admin º
º rje º rje º
º Demo º Demo º
º Guest º Guest º
º Games º Games º
º Netman º Netman º
º Telenet º Telenet º
º Tools º Tools º
º Dos º Dos º
º Prirun º Prirun º
º Help º Help º
º Test º Test º
º Netlink º Netlink º
ÈÍÍÍÍÍÍÍÍÍÍÍÍÊÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
Not all these passwords and names are guaranteed to work. If none
of them work then try to mix-up the usernames and the passwords.
Hopefully you have now gotten into the system and get the "OK,"
prompt.
OK, so now you're in. If you have gotten in then that is a big
step in itself and I congratulate you. So, now you have the
prompt "OK," or something like that. This is the command prompt,
if you enter a bad command it may look different such as "ERR,"
or soething like that. This is nothing to worry about just an
error message. Ok, first I'm going to run down some basic
commands. First of all we must understand how primos is set-up.
The primos set-up is very much like MS-DOS There are separate
directories each with files and more directories in them . It is
pretty easy to navigate, so i will just give you the commands and
then explain what to do with them.... �
LD shows the contents of the current directory
you're in.
Attach attaches (move) to another directory.
Delete deletes a file or directory.
ED text editor to edit/create text.
Logout logs-off
Netlink enters the netlink section.
Slist lists the contents (text) of a file
CPL <filename> runs a .CPL program
Users lists the amount of users on the system.
Status Users gets the names, numbers and locations of the
users on line.
Help gets a list of the commands.
Help <command> gets help with a command
Ok, those should be enough for the time being. Now, lets start by
doing a 'LD' (anything in single quotes means to type it). The
name of the directory you're in right now should be the same as
your user name. There may be a few files in here so to see the
contents of the files type 'SLIST <filename>'. Now, lets do an
'Attach MFD'. This is the "Main File Directory" where most of the
major files and directories are found. So now we will do another
"LD" and look at all the directories and files. Ok, now to start
the hacking. This method works with most primes, but not all so
don't be to discouraged if it doesn't work. Ok, first of all you
probably noticed that when you first started-out the directory
you were in had the same name as your username (id). This is a
very important lesson. The reason this is important is because
now you can probably figure-out that *The name of every directory
is also the name of a
user* (NOTE: This is true for all directories, EXCEPT ones with
an asterix '*' by their name). This means 2 things, first of all
it means that you can basically find a fair amount of usernames
from the mfd directory and the odds are that a few of them will
have the same password as the name (This is an important lesson
in hacking, whenever you're on any kind of system et a user list
and then just go through the list, using the username as the
password and you should get a few accounts at least) Secondly it
means that you can access a certain users "private" directory.
What this means is that a lot of the usernames of actually people
may not be in the MFD directory. This means that once you find
out a username you can then simply say "attach <username>" and
your in their directory. So, now knowing that we will do a
'Status Users'. This will give you a list somewhat like this:
User Number Device
Guest 14 <MDF0>
System 1 <MDF0> <MFD1>
Hacker 81 <MDF0>
Sysmaint 19 <MDD0> (phantom)
From this list we can get all the usernames/directories of the
users on-line and start snooping. It is usually not ood to be on
when there are a lot of people on since a Sysop might notice that
you shouldn't be on at that time or something. You may notice
that the last one (Sysmaint) has the word Phantom by it. This
means that it is just a program that is doing house keeping
stuff. Its nothing to worry about. The devices are merely like a
tree in other software (UNIX/VAX), if there are 2 devices then it
means that the user is either interacting with another system or
has logged-off incorrectly. So, now we have some usernames /
directories to look at (and to try as passwords for the same
username). Now first of all we want to go back to the MFD
directory and look for a directory that is something like UTIL,
Utilities, CCUTIL or whatever. This part is very site dependant
so just try any thing that looks like a util. Now attach to that
directory which is 'Attach Util' (assuming the name is Util). Now
we get to another important part of Primenet. The different file
formats.....
FileSuffix How to execute/Description
ÉÍÍÍÍÍÍÍÍÍÍÍÍËÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
º .CPL º CPL<Pathaname>/Language º
º .SAVE º SAVE<Pathname> º
º .SEG º SEG<pathname> º
º .TXT º SLIST<pathname> º
ÈÍÍÍÍÍÍÍÍÍÍÍÍÊÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
This list shows you the different file suffixes you'll see. Every
file will be followed by a suffix. If it is not then you can
assume its text. The only suffix we want to worry about now is
the CPL suffix. CPL (Command Procedure Language) is the primos
"programming language". So you can assume that anything with a
.CPL suffix is some type of program. Most often you will find
simple programs which tell the date, some "menus" that people
programmed in CPL to navigate the system easier, and then their
own misc CPL files. To run a CPL file you type 'CPL <pathname>'
(the pathname is simply the file name). Now, since CPL is a
language it's programs must some how be written. This means that
by doing a SLIST on a .CPL file will display the contents &
source code of the .CPL file.
Ok, so back to the hacking. So we're in the Util's library (or
whatever the name of the directory is). Ok, now do an 'LD' to see
the contents and look for any .CPL files. Lets say there's a CPL
file named "CleanUp.CPL". Now you'd type 'SLIST CleanUp.CPL',
this will display the source code of the CleanUp program. Now,
you will get a lot of trash but in it somewhere look for a line
that is something like...
A UTIL KEWL
³ ^Password
ÀÄ´ Directory name
So, what does this mean you ask?? Well first off we will remember
that every Directory (except for ones with stars by them) is a
username which you can log-on with. So this means that the
password for the username Util is KEWL !!! If you have found a
line like this then congratulate yourself..you have SYS1 access.
Just in case you don't really understand, lets say that there was
a directory's name was COUNT, and the password was ZER0. Now, if
you got lucky and were on a system where this works then you'd
see a line like...
A COUNT ZER0
Another way to find out directory/usernames is by using the
'List_Access' command. This shows the different directories that
the current directory has access to. This will look something
like...
ACL "<current directory":
JOHN : ALL
SALLY : LUR
ADMIN : NONE
GAMES : LUR
From this you can see the names of directories that you would
normally could not access, because if you don't know the name of
a directory then you can't access it. You can do this at
different directories and sometimes you will find a different set
of directory/username names. Ok, so you should pretty much
understand what we are looking for. If this doesn't work in one
directory then keep checking in other log-on able directories.
Remember this technique only works like 70% of the time so if it
doesn't work then don't worry. Since the above technique of
primos hacking is well known, by both hackers and Sysops I expect
to have a large percentage of readers still stuck in their
"Guest" account. I will now tell you how you can both defet
security and how you can secure yourself. First of all, lets
boost your account as much as you can (with your current access
of course). To do this we will use the CHAP command. This will
edit or priority levels. To do this we will use the 'CHAP UP'
command (remember anything in single quotes you type). You can
also use 'CHAP DOWN' or 'CHAP X' where X equals the amount of
levels you want to jump up to. Each system will have different
levels, so do it about 10 times and then stop (unless you get a
message that you have reached the limit already). The main reason
we want high security is so we can get into other directories and
run high-access programs (and access high-access commands). So
first I will discuss Directory security. Here is a diagram of the
different levels of security that can be put on directories....
ÚÄÄÄÄÄÄÄÄÄÄÄ¿
³Directories³
ÀÄÄÄÄÄÄÄÄÄÄÄÙ
Letter Description of Access
ÉÍÍÍÍÍÍÍÍËÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
º P º To protect the directory º
º D º Delete entries to directory º
º A º To add entries to a directory º
º L º Read contents within a directoryº
º U º Lets you attach to the directoryº
º R º Read contents of file º
º All º All of the above º
º None º No access to others º
ÈÍÍÍÍÍÍÍÍÊÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
So, from this you can see the different options that one can put
to protect a library. These letters can also be combined to form
a "word" (so to speak), so that you can incorporate different
types of access. The most commonly found example of this would be
"LUR" access. So, using the chart this means that someone can
Read the contents of the directory, Attach to it, and Read the
contents of the files in the directory. Basically this means that
you can read all you want but you can't edit, which in some cases
can be good. Since this file is also geared towards the well
educated user I will discuss how to change the access on
directories, and how to create/delete directories. I would
strongly suggest that anyone who has hacked an account not try to
create delete files (unless you want to get back at someone on
the system, which will be discussed later), since it will lead to
detection and erasure of the account (This is a general rule of
hacking, read all the info you want, but keep a low profile). By
default most directories will be set to ALL access when created.
Prime is one of those big network, open systems, and many people
never bother or don't know how to make their account's more
secure. (this will be painfully obvious (to the users) when you
get one <grin>). Because of this you will find *MANY* directories
with ALL access. I have found many directories of people who have
SYS1 access, with ALL access. Most of the other people will have
LUR access. This is still very sufficient for your needs, since U
can still read files. Since I want to be slightly kind I will
discuss how to change access on directories, for the people who
have legit prime accounts. If you have a hacked account then
there should be no reason for you to change access on a
directory, first of all you will be detected in a second, and
second of all its not permanent at all and can't be used to crash
the board. First of all the command to create a directory is
'Create <directory name> [-password] [-access]'. So in other
words if I wanted to create a mail directory with the password of
HACK and LUR access hen I'd type.
Create Mail [-HACK] [-LUR]
The command for changing access on a directory is...
Set_Access ALL [-LUR]
In this example we are changing a directories access to LUR (you
can read but you can't edit) from ALL (everything). Since there
is no real reason you would want anyone else changing your files
I would suggest at least LUR access. If you are really worried
then I would not even think twice about going to NONE access, its
up to you. Although changing access is the most effective way to
secure your directory, there are some people who would like
others to read, or maybe even edit files in their directory. This
is why I usually tell people to just make a password, this
command has already been discussed.. That about wraps it up for
their directory part of this file. This is the major an most
important part. Now we get to the fun little features.
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³Creating Files and Writing Programs³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
Creating files are a very important part of hacking prime net.
The main reason we want to create files is so we can take
advantage of the CPL language. I have not learned the CPL
language well enough so I really can't explain much about it. I'm
still looking for technical manuals. The easiest way to learn it
is by just looking at all the .CPL files. Once we learn the CPL
language we can simply add commands to create us new accounts to
house keeping programs. The reason we would want to do this is
because when it is run by the admin, or any user with high enough
access it will run these embedded commands and we will have a new
account with unlimited access!! The way to create a file is by
typing 'ED'. This will get you into the text editor. It should
look something like..
INPUT
This means you can type in what ever you want. So lets say you
are making a file that, when run will type out 'Count_ZER0 is the
ruler of heaven and earth', you would type...
Type Count_ZER0 is the ruler of heaven and earth
Now, you'd type just a <CR> alone and you'll get a line like...
COMMAND
This line varies a lot from system to system, but you'll get
something to that affect. Here you would now type 'Save
Count.CPL'. This would then save a program call Count.CPL in the
directory and when you ran it (Discussed earlier) it would type
'Count_ZER0 is the ruler of heaven and earth' on the screen.
The editor can also be used to write Basic, Fortran, C, and
pascal files (use the 'Languages' command to see what languages
it supports). All you do is write the program in the editor and
then save it with the correct suffix. Then you run/compile the
program. Since this file is much longer then I thought it would
be I won't discuss it, but it can easily be found out about by
using the 'HELP' command.
Communicating With Other Users And Systems
To send a message to another user On-Line you use the Message
command. Lets say using the status command (discussed earlier)
you found there was a user named JOE that you wanted to talk to.
So you'd type ..
Message JOE <CR>
Hello, how are you !
This will send a message to him unless you get some message that
says something like..
User Joe not accepting messages at this time.
This means that he is not accepting messages (duhhhhhh), so you
can try again later. You can also use the TALK command, which is
self-explanatory. Just type 'TALK', and then follow the
directions.
Accessing Remote Systems
The most exciting feature of primos (and this G-Phile), is
primenet's ability to access remote systems. See, they call it
primenet, because all primes are hooked-up to one big network.
This network is much like a "mini-telenet". This can be used with
the 'NETLINK' command. At a prompt, you must type 'NETLINK'. Then
you will be thrown into the netlink system. There is a good On-
Line help file which can be accessed with the 'HELP NETLINK'
command. Basically you type NC xxxxxxx <x's being the NUA>. Now,
you can scan this like telenet and see what you come up with. The
most exciting part of all this is that some primos systems on
telenet let you enter telenet NUA's in the netlink system. This
means that all those "Collect Connection" NUA's you can't call,
can be accessed through primos *FOR FREE*. This means that you
don't need to mess with NUI's anymore (see my hacking telenet
part 1 file). Now comes the part that will bring me fame in the
hacking community, fame to œegions f œucifer, and anyone who
knows me.............
The 'ANET' command
Yes, this is the first time this command has every been
"published" is a G-phile. The way I came about this command was
one day I was hacking around and I saw this lady's directory with
LUR access. So I looked at the files, and surprisingly there was
a file that was a *BUFFER* of her logging on to remote systems
(yes the password was there!!). I was very surprised to see that
she used a command like 'anet -8887613' to access the remote
system, instead of netlink. This is a beautiful example of how
you can do a lot even if the directory isn't ALL access, anyway
heres the good part...... What the anet command does is dial a
phone number out from the primos and connects to it!! Yes, this
is like a code (but used for data communications of course). I'm
still hacking the command, but basically you just type 'anet -
<phone number>' and you have it. I have only tried it on this one
system which is Primos version 22.1. This is a very exciting
command, so if you find any more things about it please contact
me.
HACKING DECs
Welcome to basics of hacking: DECs. In this article you will
learn how to log in to dec's, logging out, and all the fun stuff
to do in-between. All of this information is based on a standard
dec system. Since there are dec system s 10 and 20, and we favor,
the dec 20, there will be more info on them in this article. It
just so happens that the dec 20 is also the more common of the
two, and is used by much more interesting people (if you know
what we mean...) Ok , the first thing you want to do when you are
receiving carrier from a dec system is to find out the format of
login names. You can do this by looking at who is on the system.
Dec=> @ (the 'exec' level prompt) you=> sy sy is short for
sy(stat) and shows you the system status. You should see the
format of login names... A systat usually comes up in this form:
job line program user job: the job number (not important unless
you want to log them off later) line: what line they are on (used
to talk to them...) These are both two or three digit numbers.
Program: what program are they running under? If it says 'exec'
they aren't doing anything at all... User: ahhhahhhh! This is the
user name they are logged in under... Copy the format, and hack
yourself out a working code... Login format is as such: dec=> @
you=> login username pass word username is the username in the
format you saw above in the systat. After you hit the space after
your username, it will stop echoing characters back to your
screen. This is the password you are typing in... Remember ,
people usually use their name, their dog's name, the name of a
favorite character in a book, or something like this. A few
clever people have it setto a key cluster (qwerty or asdfg).
Pw's can be from 1 to 8 characters long, anything after that is
ignored. You are finally in... It would be nice to have a little
help, wouldn't it?
CRASHING BBSs
Fundamentals:
1) Never use YOUR account.. always go under JOHN DOE or some
lamer's password you figured out.
2) Never brag. It gets you in trouble. Tell some dudes in your
group or whatever but don't go posting on BBSs that you did it
unless the sysop doesn't really care (usually elite sysops
don't)
3) Always format. If you get in to dos, don't take the risk,
format the thing with out a boot sector. If you are going to JUST
use the format command be sure to corrupt and rename ALL the
files that might have records in them of you in his dos (in case
of a unformat command). Try low level formatting. De command:
g=c800:5 that calls up the low level format program. 4) Never
mess with a narc/fed. There ARE police boards and the like and it
just isn't worth it to mess with them. Don't be stupid.
5) Have class. The biggest thing to bear in mind is to do a good
job, or no job. If you really don't hate him, once you get into
his dos just add a line to his autoexec.bat file to show you got
in. Otherwise format it. 6) Don't call back. You never know if he
was keeping double logs in a hidden directory or some thing like
that. Just be damn sure never to call back and NEVER leave a
number.
7) Never delete. Never delete log files, always corrupt them by
ripping a few lines out with edlin and then rename them and
delete them. This, hopefully, will solve the undelete problem.
Another good thing to do is to start madly undoing zip files
after you delete something. This will also help the undelete
dilemma.
SLBBS:
The first thing you should do when in dos is to run config and
find out what his activity log file name is and where his data
files REALLY are. Use edlin or something and totally screw them
over so they are screwed and them rename them and delete them.
The most important ones are ACTIVITY.LOG, SYSTEM.BBS, INDEX.BBS,
LOG.BBS
Most of these files can be used to figure out who you are.
Another wise thing to do is to look in his EVENT.DEF file and see
if he copies the files to a backup directory. Check all batch
files that the sysop may run out of EVENT.DEF. They also might
have backup in them. I, being the clever thing I am, back up my
logs to a tape backup after every call. Many sysops use Return
to dos after logoff and a program called GODOS to run a batch
after every call. Check his config to see if go to dos after
logoff is set to yes. If so look for batch files or com files
that look like they may be run to start the bbs. If he has a tape
backup you have to find his tape software and run it (the
directory name will be in his EVENT.DEF file if he backs up
regularly). Once you are in the tape software you have to format
the tape, however this will take a LOOOOOONG time (1 to 2 hours)
so you may want to do that last. You want to do pretty much the
same thing but the *.BBS files will be *.SL2. Pretty easy.
After Shock 1.23:
After Shock is kind of annoying. The best thing to do is to run
his config program t find out what his directories REALLY are
and then delete everything in his board and after shock main
directory. Remember to look at his RUN.BAT or what ever he uses
to run the bbs with, he may be keeping backups. There is also a
config option of what batch file to run every night. That also
may have back up info in it.
Telegard:
All the data files will probably be in the main bbs directory
or the GOFILES directory (check config for sure). Get rid of
these and that will be about it.
Forum Hacks:
A lot of BBS programs have been written by altering the source
code of TG or another BBS program. The best thing to do with
these is to run the config programs and find the REAL directory
names then mess them up and delete everything in them.�CRASHING BBS's PART TWO
Table of Contents:
Section I : Crashing Emulex/2 & Forum Hacks
a: Emulex/2
b: Forum Hacks
Section II: Crashing WWIV & Telegard
a: WWIV
b: Telegard
Section Ia: Emulex/2
We'll start with one of the most known BBS softwares. Emulex/2.
As you all know, I, Tripin Face, stole the source code of
Emulex/2 last year from one of the programmers. Broke into his
house and grabbed a few diskettes and it just so happens that one
of the disks contained the source code to Emulex/2!!
Here are a few ways to access into Emulex/2 (or any Forum Clone
for that matter.. a list of Forum Clones will be shown later.)
When you get connected at the Matrix Menu, hack User ID #1. Of
course, its the Sysop Account. Always try the Password "Sysop",
some Sysops are SOO lame, you wouldn't believe it. If that
doesn't work, try anything that goes with the Sysop's handle...
But for the really stupid Sysops, the best way, is to get one of
his Passwords from another board and try that. Some lusers might
use the same Password. Also, if you don't hack the correct
password, don't hang up, wait for it to hang you up. Sometimes
the board hangup strings gets screwed and it doesn't get rid of
you, but lets you on the board with the account of the user you
attempted to hack! Ok, lets say you have a Sysop account. now,
the best thing to do is get a file on the board called "USERS."
Now, with Emulex/2, thanks to me, you can't add users, so what
you have to do is user edit each user by hand, and the view their
passwords and make sure you capture all of it. Now, lets get to
the crashing part. Hehehehe. Open a door,("P" from the Main Menu
and then "%" for Sysop Commands) and put any file for it, the
board will create any file you ask it to make. Now in the door
batch file, you must have the following commands:
Ctty comX
command
Now, comX, is the com port the bbs is set at. Now, if you know
the sysop is using com2, then put com2. DUH!!!. (Replace the "X"
with the Com Port #) Now this door should let you go to their
DOS, and the rest is easy. FORMAT ME PLEASE!. Or, run a virus or
a trojan.. Even a baby can do that.. If you can get an account,
but has no Sysop access. you can do many things. An easy way is
upload a file called "USERS. " with the following DSZ commands:
DSZ sz -fs \<dir>\<filename>
make sure you are in the DIR you want to upload to. What this
does is upload a file anywhere on the HD you want. Now, before
you do this you must edit the users file and change the sysops
password to anything you want and then you can enter it and get
on as him! This way, you can crash the board but you don't need
to get all the users passwords. Also, a way to do this and get
all the users passwords is get the BBS software's config, and the
change the co-sysop level to like Level 1 or something and then
you can call with your account and have sysop access. I found
that the best way to crash a board... Now, with old Emulex/2
there was a command for Net-Mail which was .. Shift 1 thru shift
0 ..like this -> !@#$%^&*() ..and with this command, the board
will receive any file. So you can use the DSZ on it. Works good,
but with the new Emulex/2 you set the Net-Mail command from the
config. Right now, in the new Emulex/2 there are only a few
backdoors. Sam Brown didn't want to add any more. Why, I don't
know. I think Emulex/2 has a upload a message command, you can
also use the DSZ command with that too. I am not sure though.. A
good way to hang a Emulex/2 board is go to the Database Area, if
there isn't one, keep on hitting "D", after a few times the board
will get screwed, you wont be able to tell unless you go the file
area, and it will say something like I/O errors, etc... then
upload and upload, and in the middle of the third or fourth
upload hang up, turn off the modem or pull the phone line out of
the wall, so it will hang on in the middle of the transfer.
Another way to hang Emulex/2 is by doing this: post a message,
and then edit a line, and insert a new line, but keep on hitting
anything until it gets to the last line. Then hang up, or try to
save. It should of hung, to make sure the hanging was cool, call
the board back and see. �Section Ib: Forum Clones
Now lets get to other software...
Well, all FORUM CLONES are the same.. so all commands for Em/2
should and will work for all the of the following BBS Softwares:
Emulex/2
LSD
Celerity
FCP all version
AfterShock
Monarch
Monarch/2
TCS 1 and 2
Havok
Forum Plus
ACS
UCI/Forum
Ghost Ship/2
USSR
Magnum
TCS/Cobra
Silicosis
Section IIa: WWIV BBS's
1) Hacking into WWIV - The Utilities Needed.
PkZip/PkUnZip
Zmodem (Or Any Other Protocol)
An Account at the WWIV BBS you wish to Crash.
A Terminal Program
2) Hacking into WWIV - First Steps
First of all, you might want to make a separate directory
for all of these files you're about to make. Although there
won't be that many total, it might still be a good idea. But if
you're like normal people (Messy), like me, just put it wherever.
Ok, Here's what you do. Make a text file called
PKUNZIP.BAT from your DOS, and put the line: command in it. This
is done like this: C:\HACKBBS> copy con pkunzip.bat
command
^Z (Press Ctrl-Z, Then Enter, and the file will save)
Second, go ahead and zip the file. Make it any filename
you want as long as it's not something too obvious (like
TEMP.ZIP). You can zip up the file with PKZIP.EXE. This is done
like this:
PKZIP [zipfile] [athname\filename.ext]
- or in other words:
PKZIP temp.zip pkunzip.bat
This will make a file called TEMP.ZIP with the file
pkunzip.bat in it. Go ahead and delete pkunzip.bat now, you
won't need it anymore. Now you've got the file temp.zip (or
whatever you called it). Go ahead and logon to your favorite WWIV
BBS.
Hacking into WWIV - The Way To Do It.
Go ahead and logon with your name and password, etc.
Go to the File section, and upload your file to any directory.
Now there is a temp file there. hit 'E' from the Transfer Menu
in the current directory that temp.zip is it, and when it asks
what file to extract, enter temp.zip as the filename. You'll
get something to the effect of:
Extract which file? (?=list, *=All files):
Hit '*'. What this just did is make a pkunzip in the current
working DOS directory. You'll be at the:
Extract which file? (?=list, *=All Files):
Hot the asterix (*) again.
Congratulations! You made it into the Sysops DOS! (If
not, the sysop is smarter than you think, and he's protected
himself against some little hackers like yourself!) Not much you
can do if you didn't make it here. �Hacking into WWIV - What to do while in DOS.
You'll be in the path of \WWIV\TEMP>, Immediately type this
in: C:\WWIV\TEMP> cd ..\files
C:\WWIV\FILES> del *.log - This deletes the log of what
you did. C:\WWIV\FILES> del laston.txt - this deletes the
list of users who were on today.
Now, you're into his/her DOS. Since dos interrupts are
currently ON, You can type anything anywhere. You can type del
*.* and get the Are you sure? (Y/N) sign, and from there, you
CAN hit 'Y'. Or you can do it the other way, and just type echo
y|del *.*. From here you got his userlist and some other fun
stuff, which is located in C:\WWIV\DATA. You can go there by
typing cd..\data. once there, do this:
C:\WWIV\DATA> type user.lst
and you'll find the Sysops Phone Number and password right next
to each other. Write those down. Next, type cd.. and you'll be
in C:\WWIV>. From there, type the file status.dat, and the first
legible text you can find will be the System Password, so if you
just want to scare the living hell out of him, just type exit
from there and you'll come back to the BBS, with the Sysops Name,
Pass, Phone Number and System Password. You can now logon under
the Sysop and do all the cool stuff like go into UEDIT and give
yourself like 254sl and DSL, etc.
Hacking into WWIV - Alternatives
Instead of the PKUNZIP.BAT file in the TEMP.ZIP file, go ahead
and put your favorite Virus/Trojan in there, and follow the same
exact steps, except this time skip the DOS part. The Virus should
spread from there, and a trojan will work immediately.
Hanging WWIV - The easiest thing to do in the world.
Just make a plain and simple text file, and in it include an
ANSI code. Not just any ANSI Code, it's gotta be an ANSI Code
that is not a real part of ANSI. For example, (ESCAPE
CODE)[349857m or something like that, anyway. Then just //UPLOAD
it to a message base, and read it. When WWIV Doesn't intercept
the correct ANSI Codes, it doesn't know what to do, so it'll just
hang itself there 'till the System Operator comes and resets the
flippin' computer. Hang up from there, and well, it'll be down. �Section IIb: Telegard BBSs
All right, Swabbies. Here's a way to hack into Telegard (One
of the easiest to hack into - Next to WWIV). There's a catch to
this system, tho. There's got to be an Archive Menu from the File
Area. Most new Telegard systems will have one, it comes stock
into it. But the Sysop (Probably not if the Sysop is a new Sysop)
may take it out. So, if he's got it, you're in luck. It's
basically the same idea, Just follow these rules and other
guidelines, etc., and you'll soon become a better crasher than
you know ...
Hacking into Telegard's DOS - Things Needed
Latest PkZip Utilities (c) PKWare
Terminal, Modem, Computer, etc.
A little knowledge of the use of DOS,
And a text file like this.
Hacking into Telegard's DOS - Steps
1) Logging on.
2) Finding your way.
3) Uploading/Extracting the File
4) What to do while in DOS.
First of all, You've got to establish an account with the so-
called 'friendly BBS' that you want to crash. It's probably a
good idea to logon with a fake account, fake information, etc.,
to protect yourself. Once you've logged on, try and talk to th
Sysop there. Try to social engineer your way into him validating
you with the highest possible access you can get. Be nice, offer
him stuff, basically, KISS HIS ASS. If he insists on Voice
Validating you, ask him just to pick up a phone at his end, and
you do the same (Pick up your phone), and you'll already be
connected so there should be no numbers dialing, and this will
obviously protect you.
Make the PKUNZIP.BAT file from DOS, by typing in this:
copy con pkunzip.bat
command
^Z
Go and zip the file up, call it something that sounds catchy, so
it doesn't look too inconspicuous, use the line:
pkzip myfile.zip pkunzip.bat
Now you have a myfile.zip with pkunzip.bat inside of it.
There's a way to get into the Telegard's File System, although
you may not haveaccess to it, you'll eventually get it if you
kiss the Sysop's ass for awhile. It's usually 'F' or 'T' from the
main menu. Once you're in there, upload a file to wherever it
tells you to, and if there's no certain directory, don't worry
about it. Just upload it. After you finish uploading the file, it
will kick you out to the transfer menu again. The Archive menu
from there is usually either '/A' or just 'A'. From there, you
will most likely get a prompt that is similar to the Transfer
prompt, (most likely containing the Area and Area Number that you
are currently in). Hit 'X' from there (Remember: Telegard has the
ability to change Command Letters, so if 'X' doesn't work, punch
in a '?' and look for Extract File). Extract the myfile.zip,
obviously extract *.*. If it kicks you back out, or whatever,
just go back into the menu and do the same thing over again.
Extract *.*, And this time it will run Pkunzip.bat, which
contains COMMAND.COM inside of it, and you'll have full access to
this guys DOS.
Now that you're in DOS, you'll be in the area C:\BBS\TEMP>. From
there, type in 'cd ..\files'. Then 'del *.log', 'del *.txt', then
do the same thing in the Afiles Directory. Here's a type of basic
structure that Telegard uses. (Assuming the main dir is BBS):
BBS
FILES
AFILES
TFILES
TEMP
1
2
3
DLS
TRAP
This is the basic format, del ALL *.log files from all of these
areas (The Sysop logs are kept in C:\BBS\TRAP>) You've now gotten
rid of all proof that you were ever on. Once in there, just do
whatever you'd like to do. Delete everything, run a few Virii,
execute a few trojans, give his computer herpes, or whatever. You
can simply exit by typing 'exit'. Another way is to upload a Game
or some file (Sysops never check the zip file to see what is in
it..) Make one of the files 'PKZIP.COM' or 'PKZIP.EXE' *.COM is
better because DOS runs COM files before EXE files. Anyway,
upload a PKZIP.COM that is a trojan or a virus, or even
COMMAND.COM (That will get you into DOS) and after you upload it
check and see if the file is 'Auto-Validated' if it isn't then
you have to wait until the Sysop Validates it.. otherwise if it
is Validated then type "/A" from the File Menu and then type "X"
or "E" for Extract ZIP File.. then it prompts you for the Zip
File, enter in the Fle you uploaded. Then it will ask you what
files to extract, just say all or just the PKZIP file.. When it
extracts it, type "Q" then type "W" for Work on Archive.. Then
you are at the 'Work on Archive Menu'. Type "A" for Add to
Archive, it will then proceed to ask you for a Archive Name,...
type in something like 'HACK.ZIP' or anything for that matter. It
will ask you for the files you want in the ZIP file, just do
'*.*'. Then it will ask you if you want to do it or add more
files, type "D" for 'Do It'. It will then run your "PKZIP.EXE" or
"PKZIP.COM"!!! Easy enough?? There are a bunch of great files you
can find in someone else's HD, try going to the Sysop Dir.
(C:\BBS\DLS\SYSOP) or just go to all the Directories right off
the root directory. After you are done having fun, take his/her
USER.LST & STATUS.DAT and you will have FOREVER Access.. or just
wipe out his drive! There are many more ways to access Telegard
DOS and have the System run what you upload, but I will not get
into that, I will leave some ways open for me, Captain
Swashbuckler, to crash those Telegard Boards!
CREDIT BUREAUS
Part One: What Is Credit Bureau, Incorporated?
As many of you know, CBI is a credit reporting agency, or
credit bureau. It keeps the credit history of millions of
Americans on file. Our friends at CBI have been kind enough to
make this information available to the public for a moderate
annual fee. If you are cheap, or if you just want to learn how to
hack CBI, "you have come to the right place."
Part Two: The CBI Account.
A CBI account follows this general format:
3 Numbers, 2 Letters, 2-5 Numbers, a dash{-}, followed by a
letter and a number.
A sample might look like this: 123ab4567-a1.
or: 123ab4567-a1,bc,d.
Either way is acceptable. The `bc,d' is not necessary.
Part Three: Connecting To CBI.
When calling CBI, I suggest you use at least one outdial if
you know for sure the account you have is valid. If you are going
to be hacking accounts, use at least three outdials. I don't
suggest calling direct, even if the dialup is local to you. If
you don't know why, you don't deserve to be reading this text.
CBI runs at either 300 baud, or that oh-so-technologically
advanced 1200 baud. This means you will need a 300 or 1200 baud
outdial for the NPA containing the CBI dialup. Make sure your
terminal program is set at E-7-1. I also find it easier to work
at half-duplex, because CBI does not echo a thing you type. So,
if you connect with full-duplex, and don't see your account
appearing on the screen, don't call your local P/H BBS and post
twenty messages saying, "N0thInG i tYpE aPPeArS 0n tHe sCrEEn aT
CbI!!!!!!!!!!!1!!1!1!!!!!!!!!!!!111!!!!!!!!!!!" (Note: the
exorbitant amount of exclamation points is a sign of the loser's
complete and utter idiocy.) Another thing I find useful is just
to have my capture log running as I work. This saves you the
trouble of having to write everything down, and it also serves as
a good reference.
Currently functioning CBI dialups are:
*[201/984-6297] Newark, New Jersey
*[503/226-1070] Portland, Oregon
[612/341-0023] Minneapolis/St. Paul, Minnesota
[713/591-8100] Houston, Texas
*[804/466-1619] Norfolk, Virginia
[916/635-3935] Sacramento, California
The starred numbers I have not verified.
Keep in mind some CBI accounts are only valid on certain
dialups. They still serve any part of the country, you just can't
use them on every dialup. I have found CBI accounts that work on
more than one dialup, so it can't hurt for you to try. The worst
thing you will get is a message saying it's NOT VALID ON THIS
PHONE NUMBER or something. If you are hacking accounts and get
this message, try the account that yields the message on
different dialups. Maybe you'll "get lucky".
CBI also has voice dialups. These numers are provided for
those "Social Engineers" out there. I have not verified these.
[201/842-7500] Newark, New Jersey (Equifax Credit
Information Services) [617/932-8163] Boston,
Massachusetts (CBI)
Part Four: Applied Password Use: Pulling Info.
Use is fairly straightforward. When you connect to CBI, hit
Control-S (^S) twice, then <RETURN> (<CR>) twice. You should get
a message that reads: (ND)PLEASE SIGN-ON
At this point you should enter the password. Make sure when
you enter the password that you include a period at the end.
This is very important; if you neglect to type the period, you
won't get in. Type the password: "123ab456-a1." then hit
CONTROL-S, and a <CARRIAGE RETURN>. The ^S is the CBI "wakeup"
command. CBI doesn't respond to regular <CR>s. If you ever
think CBI should be doing something, and it has just frozen, hit
^S. Chances are this will solve the problem. Anyway, you will
then get a message telling you to
WC5E - PROCEED
This is when the fun begins. You decide you want to know
your next door neighbor's credit history. Here is what you do:
NM-SMITH,ALAN,S. <CR>
CA-157,MAPLE,ST,YUTZVILLE,NY,10011. <CR>
ID-SSS-012-34-5678. ^S <CR>
This is, of course, based on the assumption that your
subject's name is "Alan S. Smith" and that he lives at 157 Maple
Street in Yutzville, New York, 10011, and that his Social
Security Number is 012-34-5678. Keep in mind, the ID-SSS line is
not ecessary, but it is necessary if you are to distinguish
between Alan S. Smith, Jr. and Alan S. Smith, Sr. Wait a moment.
The report will pop up. You may want to hunt someone down from
a Post Office Box. If this is the case, replace the above CA-
line with this:
CA-418#,POB,,YUTZVILLE,NY,10011.