Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Phreaking General Information :: obsphrk.txt

3500 Lines of Obsolete Phreaking Stuff

Subject: 3500 lines of obsolete phreaking stuff
Date: Thu May 12 13:13:03 1994

This is something I put together a few years ago. None of it was               
written by me. I spellchecked it, made a table of contents, and                
converted from 20 column all-caps and removed K0oL spellings.                  

I don't want comments, good or bad. I figured somebody might
want this, so I'm posting it, but that the extend of my involvement.

I'm sorry about the control-L's. I don't know how to remove them.

                        Table of Contents

Introduction to hacking. . . . . . . . . . . . . . . . . . . .  1

Phone Hacking. . . . . . . . . . . . . . . . . . . . . . . . .  2
     Basic Boxes Technically Explained . . . . . . . . . . . .  3
          (BLUE,3); (BLACK,4); (CHEESE,5)
     Voice mail box hacking. . . . . . . . . . . . . . . . . .  6
     Blue Box Tones. . . . . . . . . . . . . . . . . . . . . .  9
     Customer name and address . . . . . . . . . . . . . . . .  9
     Lock In Trace . . . . . . . . . . . . . . . . . . . . . . 14
     Pinkish Box . . . . . . . . . . . . . . . . . . . . . . . 16
     Pearl Box . . . . . . . . . . . . . . . . . . . . . . . . 17
     Brown Box . . . . . . . . . . . . . . . . . . . . . . . . 19
     Scarlet box . . . . . . . . . . . . . . . . . . . . . . . 20
     Day-Glow. . . . . . . . . . . . . . . . . . . . . . . . . 20
     Gold Box Plans. . . . . . . . . . . . . . . . . . . . . . 22
     Green Box . . . . . . . . . . . . . . . . . . . . . . . . 23
     Blotto Box. . . . . . . . . . . . . . . . . . . . . . . . 23

Computer Hacking . . . . . . . . . . . . . . . . . . . . . . . 26
     Tymnet. . . . . . . . . . . . . . . . . . . . . . . . . . 27
     Telenet . . . . . . . . . . . . . . . . . . . . . . . . . 32
     Hacking Unix. . . . . . . . . . . . . . . . . . . . . . . 34
     Primenet. . . . . . . . . . . . . . . . . . . . . . . . . 36
     Hacking DECs. . . . . . . . . . . . . . . . . . . . . . . 44
     Crashing BBSs . . . . . . . . . . . . . . . . . . . . . . 45
     Credit bureaus. . . . . . . . . . . . . . . . . . . . . . 54
     File grabbing on large systems. . . . . . . . . . . . . . 64

Potpourri. . . . . . . . . . . . . . . . . . . . . . . . . . . 65
     Bugs. . . . . . . . . . . . . . . . . . . . . . . . . . . 66
     Wiretapping . . . . . . . . . . . . . . . . . . . . . . . 67
     Lunch Box . . . . . . . . . . . . . . . . . . . . . . . . 72
     Beep Time . . . . . . . . . . . . . . . . . . . . . . . . 76

Reference. . . . . . . . . . . . . . . . . . . . . . . . . . . 77
     8OO VMB Systems . . . . . . . . . . . . . . . . . . . . . 78
     Extenders . . . . . . . . . . . . . . . . . . . . . . . . 78
     Loops . . . . . . . . . . . . . . . . . . . . . . . . . . 79
     PBXs. . . . . . . . . . . . . . . . . . . . . . . . . . . 79
     Sweeps. . . . . . . . . . . . . . . . . . . . . . . . . . 79
     1-800 modem numbers . . . . . . . . . . . . . . . . . . . 79
     Area Codes by State . . . . . . . . . . . . . . . . . . . 82
                     INTRODUCTION TO HACKING

Most people who have never hacked or are beginners think that
hackers are a small community of very knowledgeable computer
"geniuses" that randomly break into systems for fun and then
create havoc or steal information. I will speak of my own views
on hacking which shouldn't reflect the feelings of the entire
hacking community but I would guess a large amount. First of all
hacking is getting more and more risky everyday. Because of this,
hacking for fun isn't as safe as it used to be (although most of
my hacking is for fun). The reason people (people I know) hack is
because we believe in free information exchange. This means that
I should be able to freely access any information that is
available over the modem that I want. There are obvious reasons
why this can't be achieved, but if people have information that
is that sensitive then it should not be put out over the modem.
Now the second and biggest misconception about hacking is how the
hacker actually "hacks". Most people think that hacking is just
basically getting lucky and guessing a password that lets you
into a system. This is *very* untrue. Let us take an example that
you have just broken into the CIA's computer system. So suddenly
you get a -> prompt. Now what do you do?!? This is the difference
between the hacker and some kid that is good at guessing. The kid
may be able to guess a password, but if he doesn't know what to
do once he's in then he might as well have not even hacked the
password at all. So, the main objective of the hacker is to
concentrate on learning how to use a system. After he has done
that then he can figure out ways to get around certain kinds of
security and get to the stuff he wants. So what you should do is
read all the manual's and text files that you can get your hands
on. Because before you can defeat a system, you must know how it
works (this works for life in general). Ok, now you understand
what hacking is and how you should go about learning it. 

                          Phone Hacking
                Basic Boxes Technically Explained

   The "Blue Box" was so named because of the color of the first
one found. The design and hardware used in the Blue Box is fairly
sophisticated, and its size varies from a large piece of
equipment to the size of a pack of cigarettes. The Blue Box
contains 12 or 13 buttons or switches that emit multi-frequency
tones characteristic of the tones used in the normal operation of
the telephone toll (long distance) switching network. The Blue
Box enables the user to place free long distance calls by
circumventing toll billing equipment. The Blue Box may be
directly connected to a phone line, or it may be acoustically
coupled to a telephone handset by placing the Blue Box's speaker
next to the transmitter or the telephone handset. To understand
the nature of a fraudulent Blue Box call, t is necessary to
understand the basic operation of the Direct Distance Dialing
(DDD) telephone network. When a DDD call is properly originated,
the calling number is identified as an integral part of
establishing the connection. This may be done either
automatically or, in some cases, by an operator asking the
calling party for his telephone number. This information is
entered on a tape in the Automatic Message Accounting (AMA)
office. This tape also contains the number assigned to the trunk
line over which the call is to be sent. The information relating
to the call contained on the tape includes: called number
identification, time of origination of call, and info that the
called number answered the call and time of disconnect at the end
of the call. Although the tape contains info with respect to many
different calls, the various data entries with respect to a
single call are eventually correlated to provide billing info for
use by your Bell's accounting department. The typical Blue Box
user usually dials a number that will route the call into the
telephone network without charge. For example, the user will very
often call a well-known INWATS (toll-free) customer's number. The
Blue Box user, after gaining this access to the network and, in
effect, "seizing" control and complete dominion over the line,
operates a key on the Blue Box which emits a 2600 Hertz (cycles
per second) tone. This tone causes the switching equipment to
release the connection to the INWATS customer's line. The 2600Hz
tone is a signal that the calling party has hung up. The Blue Box
simulates this condition. However, in fact the local trunk on the
calling party's end is still connected to the toll network. The
Blue Box user now operates the "KP" (Key Pulse) key on the Blue
Box to notify the toll switching equipment that switching signals
are about to be emitted. The user then pushes the "number"
buttons on the Blue Box corresponding to the telephone # being
called. After doing so he/she uses the "ST" (Start) key to tell
the switching equipment that signalling is complete. If the call
is completed, only the portion of the original call prior to the
'blast' of 2600Hz tone is recorded on the AMA tape. The tones
emitted by the Blue Box are not recorded on the AMA tape.
Therefore, because the original call to the INWATS # is toll-
free, no billing is rendered in connection with the call.
Although the above is a description of a typical Blue Box call
using a common way of getting into the network, the operation of
a Blue Box may vary in any one or all of the following respects:
The Blue Box may include a rotary dial to apply the 2600Hz tone
and the switching signals. This type of Blue Box is called a
"dial pulser" or "rotary SF" Blue box. Getting into the DDD toll
network may be done by calling any other toll-free # such as
Universal Directory ASSistance (555-1212) or any number in the
INWATS network, either inter-state or intra-state, working or
non-wrking. Entrance into the DDD toll network may also be in
the form of "short haul" calling. A "short haul" call is a call
to any # which will result in a lesser amount of toll charges
than the charges for the call to be completed by the Blue Box.
For example, a call to Birmingham from Atlanta may cost $.80 for
the first 3 minutes while a call from Atlanta to Los Angeles is
$1.85 for 3 minutes. Thus, a short haul, 3-minute call to
Birmingham from Atlanta, switched by use of a Blue Box to Los
Angeles, would result in a net fraud of $1.05 for a 3 minute
call. A Blue Box may be wired into the telephone line or
acoustically coupled by placing the speaker of the Blue Box near
the transmitter of the phone handset. The Blue Box may even be
built inside a regular Touch-Tone phone, using the phone's push-
buttons for the Blue Box's signalling tones. A magnetic tape
recording may be used to record the Blue Box tones for certain
phone numbers. This way, it's less conspicuous to use since you
just make it look like a walkman or whatever, instead of a box.  
   All Blue Boxes, except "dial pulse" or "Rotary SF" Blue Boxes,
must have the following 4 common operating capabilities:
It must have signalling capability in the form of a 2600Hz tone.
This tone is used by the toll network to indicate, either by its
presence or its absence, an "on hook" (idle) or "off hook" (busy)
condition of the trunk. The Blue Box must have a "KP" tones that
unlocks or readies the multi-frequency receiver at the called end
to receive the tones corresponding to the called phone #. The
typical Blue Box must be able to emit M tones which are used to
transmit phone #'s over the toll network. Each digit of a phone #
is represented by a combination of 2 tones. For example, the
digit 2 is transmitted by a combination of 700Hz and 1100Hz. The
Blue Box must have an "ST" key which consists of a combination of
2 tones that tell the equipment at the called end that all digits
have been sent and that the equipment should start switching the
call to the called number.

   This Box was named because of the color of the first one
found. It varies in size and usually has one or two switches or
buttons. Attached to the telephone line of a called party, the
Black Box provides toll-free calling *to* that party's line. A
Black Box user tells other people beforehand that they will not
be charged for any call placed to him. The user then operates the
device causing a "non-charge" condition ("no answer" or
"disconnect") to be recorded on the telephone company's billing
equipment. A Black Box is relatively simple to construct and is
much less sophisticated than a Blue Box. NOTE: This will not work
on any type of Electronic Switching Systems, (ESS, DMS100 etc.)

This Box was named after the container in which the first one was
found. Its design may be crude or very sophisticated. Its size
varies; one was found the size of a half-dollar. A Cheese Box was
used most often by bookmakers or betters to place wagers without
detection from a remote location. The device inter-connects 2
phone lines, each having different #'s but each terminating at
the same location. In effect, there are 2 phones at the same
location which are linked together through a Cheese Box. It is
usually found in an unoccupied apartment connected to a phone
jack or connecting block. The bookmaker, at some remote location,
dials one of the numbers and stays on the line. Various bettors
dial the other number but are automatically connected with the
book maker by means of the Cheese Box interconnection. If, in
addition to a cheese box, a Black Box is included in the
arrangement, the combined equipment would permit toll-free
calling on either line to the other line. If a police raid were
conducted at the terminating point of the conversations -the
location of the Cheese Box- there would be no evidence of
gambling activity. This device is sometimes difficult to
identify. Law enforcement officials have been advised that when
unusul devices are found associated with telephone connections
the phone company security representatives should be contacted to
assist in identification.

(This probably would be good for a BBS, especially with the Black
Box set up. and if you ever decided to take the board down, you
wouldn't have to change your phone #. It also makes it so you
yourself cannot be traced. I am not sure about calling out from
one though.)                     VOICE MAIL BOX HACKING

Hello again, and welcome to another ťegions f ťucifer text file!
This text file has to do with hacking and scanning VMBs. The
reason I am writing this file is because I am very good at it,
and have had years of experience. In fact I have been called by
MCI for screwing them over by attacking and taking over a whole
damn system with a few friends of mine. Anyway, hacking VMBs is
very simple and basically safe, and not only that but they are
cool to have around. You can give them to friends, you can trade
them for access on bulletin boards, or you can use it for
yourself. As for this 'Tutorial on Hacking VMBs', we will be
talking about what systems to hack, how you go about hacking
them, default passwords, hints on better scanning, and having
your very own box.

VMB, in case you don't know, stands for 'Voice Mail Box'. Now a
VMB is like an answering machine. You can use it for all sorts of
things. Most VMB systems are dialed though 800 numbers. People
call up the VMB system that you have a box on, and dial in your
box number and then leave you a message. Whenever you want to
check your box, you just call up, enter your password and read
your messages. Inside a VMB you can do whatever, you can leave
messages to others on the system, you can change your 'Out Going'
message, you can have guest boxes (Explained later), you can have
the box call your house when you get an Urgent message, you can
do a lot of things. In fact, on some systems you can even CALL
OUT through them, so they can be used as a code of sorts! They
are cool to have.

You should scan/hack out Virgin Systems, this is another way of
calling a system that hasn't been hack out yet. Also, CINDI
Systems and ASPEN Systems have the best boxes and the most
options that VMB Systems can offer. I will be talking about ASPEN
System today since I know most about those.

Okay once you've found your Virgin VMB System, you start to scan.
Just incase you don't know what scanning is, that means you
search for boxes that are hackable (Explained later on). Now you
dial up the system and when it picks up and the bitch starts to
talk, press the "#" key. It will then ask you for your box
number... now there are two different way the ASPEN System can be
configured: 1) a "3 Digit Box Number System" or 2) a "4 Digital
Box Number System". Now lets just say this system is a 3 Digit
System. Okay, when it asks for your Box Number, enter in 999, now
it will say one of three things: [These are known as 'Greeting

1. John Doe [Box owners name]
2. "Box Number 999 Is Not a Valid Box Number"
3. "Box Number 999"
Now, if it either says 1 or 2, go to box number
998...997...996...995..etc, but if it says 3, then you are lucky,
now it will ask you for your password, now you are probably
saying 'Oh no this is where it gets difficult'... well you are
WRONG! This part is easy. Here is a list of ASPEN Default

* We will use box number 666 as an example box #
 [ BN = Box Number ]

List of Default Password: Combination  Result

                            1-BN           1666
                            BN+1           667
                            0-BN           0666
                            BN-0           6660
         Most Common ──»    BN             666

Now enter in a those defaults, try JUST the Box Number first,
ASPENs usually use that most. Now, if you try all those Defaults
and still can not get into that Voice Mail Box, then that means
that the box has been already taken, but the owner hasn't changed
his 'Generic Message', if you don't get in, you will just have to
search until you get in.

Okay, once you get your first box, *DO NOT* change anything!!
That will come later. Your first box is, as what is known as a
'Scanning Box'! What you do with your Scanning Box is this: You
enter "3" from the main commands menu, and it will ask you for
the box number. Now that command is the "Check for Receipt"
command, what it does it check Box #xxx for mail rom you. This
command is very convenient for us VMB Hackers. To use that
command to your advantage, you enter in box a box number and it
will say 1 of the three 'Greeting Names', like before, if it say
#3, then you write down that Box Number and hack it later. But if
it says 1 or 2, then just keep scanning! All boxes with the
number 3 Greeting Name is known as a 'Hackable Box'. Now you keep
scanning until you have gone all the way down to Box number 000
or whatever is the lowest box it supports. Now, once you have
your list this is when all the fun starts! Now you are ready to

Hacking Out Your New Found 'Hackable' Boxes:

Okay this is the easy part. After you spent most of your time by
scanning the system you should be used to the system and how it
works, that should make hacking the ASPEN all the easier. Now, if
you had a 'Scanning Box', you should know what the default
password was for your Scanning Box. Well if the password for your
Scanning Box was just the Box Number, then *EVERY* other hackable
box should have the SAME default password. VMB Systems have only
one default password, If one box has the BN for a Default PW, the
all the others will too.

Okay, you call up the VMB System will the list of 'Hackable'
boxes by your side, and when the bitch is talking, press the "#"
key. When it asks you for your box number, enter in the first box
number on your list. When it asks for your password, enter in the
Default Password Sequence. Now if you don't get into that box,
it's not a problem, just keep going down your list. You should
get into a few. But remember, just because a box is marked
'Hackable', it doesn't mean you will definitely get into it.

Okay, now you hav a few dozen boxes. You can now use you
Scanning Box to do whatever you please.

ASPEN Guest Boxes:

Once you have a box of your own, you can give out 'Guest Boxes'.
Guest Boxes are like Sub Boxes in your box. In ASPEN you have 4
of them. If you give out Guest Box #1 to John Doe, Mr. Doe can
call in, enter in the password YOU set for him, and leave you
messages, but not only that, you can leave messages to HIM! Which
means, if his is in New York, and you are in California, and
neither of you have codes to call each other, then you can leave
messages thru your 800 VMB. Here is a list and explanation of all
4 of the Guest Boxes:

0. Main Box      - Your Voice Mail Box!
1. Guest Box #1  - Can Leave & Receive Messages
2. Guest Box #2  - Can Leave & Receive Messages
3. Home Box      -Can Leave & Receive Messages
4. Secretary Box - Can Check How Many Messages You Have & Receive

Hints On Better Scanning:
A lot of people say hacking and scanning for VMBs is too damn
hard... well that's because they are going at it all wrong, they
probably read some lame piece of text file on Hacking VMBs that
was about 500 bytes long. Well, here is a small list of hints on
better scanning and hacking:

1. Do not use a Voice Mail Box hacking/scanning program (i.e.:
VMB v1.0, ASPEN v1.0, VMBHACK v2.3, etc..) 2. Do not hack in
random order (i.e.: B#999, 345, 810, etc) Always hack in order:
999, 998, 997, 996, 995...000. 3. Try to find out if it's virgin.
The newer the System, the better.
4. If you have a phone with memory dial, change one entry to the
number of the VMB System. 5. Don't hack the System Managers box
unless you really want to.

Ideas of Things To Do With Your Extra Boxes:

Well since you can have up to 500 extra Voice Mail Boxes, you
might not know what to do with them, here are a few ideas that
can help you out:

1. Give them to friends
2. Sell them to friends
3. Offer them to sysops for better access
4. Trade them for HSTs or whatever
5. Use them as a Voice Verifying line (So you don't have to give
out your real voice number to BBSs when you apply!)

                         Blue Box Tones
In this short section I will attempt to list some tones that Ma
Bell uses and what they are. Well here goes: Blue box
frequencies: 2600 hz - used to  get on/off trunk tone matrix to
use after 2600 hz.
 700:  1  :  2  :  4  :  7  :  11  :  
 900:  +  :  3  :  5  :  8  :  12  : 
1100:  +  :  +  :  6  :  9  :  KP  : 
1300:  +  :  +  :  +  :  10 :  KP2 : 
1500:  +  :  +  :  +  :  +  :  ST  : 
      900 :1100 :1300 :1500 : 1700 :
Use KP to start a call and ST (1500+1700) to stop. Use 2600 HZ to 
disconnect. Red box freqs: 1700 hz and 2200 hz mixed together. A
nickel is 66 ms on (1 beep). A dime is 66ms on, 66ms off, 66ms on
(2 beeps) a quarter is 33ms on, 33ms off repeated 5 times. (Ms =
millisecond). For those of you who don't know, a red box
simulates money being put into a pay phone. You must put in some
money first though (the operator can tell if money was put in but
as to how much she lets the computer answer that. (Yeah for he
computer) TASI locking freq: TASI (time assignment speech
interpolation) is used on satellite trunks, and basically allows
more than one person to use a trunk by putting them on while the
other person isn't talking. Of course, you'd never hear the other
person talking on your trunk. When you start to talk, however,
the TASI controller has to find an open trunk for you. Because of
this, some of your speech is lost (because of the delay in
finding a trunk) this is called clipping. Well, if you were
transmitting data over a trunk, clipping would really mess up the
data. So there is something called a TASI locking frequency which
keeps the TASI from putting anyone else on your trunk or you on
anyone else's trunk. In any case the freq. is 1850 hz. (Sent
before the transmission). Have fun!!!

                    CUSTOMER NAME AND ADDRESS
The word CN/A stands for Customer's Name and Address ... Your
telephone company has set up little bureaus that will answer the
telephone all day and give numbers out to any authorized Bell
employees of the same city or any other city nationwide. The
bureau keeps everyone on file with their name and address,
INCLUDING those that are unlisted. So if you have a phone number
and you want to find out who owns it and where they live, you can
use this little handy system. In short, it is basically used to
get a persons real name and real address through just having a
phone number!

Lets sayyou are constantly being bugged by some little dick and
you don't know his name or address, BUT you have his phone
number.. well you can get his Name & Address just by having his
telephone number! For example, lets say you have this dicks phone
number, and it's (212) 555-1873, then just do the following:

Look up the CN/A Number for that NPA (NPA = AREA CODE) in the
list below. For this example, the NPA is 212 and the CN/A number
is 518-471-8111. So then call up the CN/A # (During regular
hours) and throw a line like, "Hello, This is Operator #321 from
the residential service center in California. And I need to get a
CN/A on a customer at 212-555-1873. Thank You."... Make sure not
too sound like a twelve year old dork or try and sound lame with
a really deep voice, just try to sound as real as possible. Okay,
if you got that far, and you sound pretty convincing, then the
CN/A operator should not in any means, ask questions and you
should get all the info you need!

Here is a list of just about EVERY CN/A Number in the Continental
United States, this list was supplied to Legions of Lucifer by
Area │ Account │ Telephone     │ Call      │ Time │ Requests │ 
Code │   Code  │ Number        │ Hours     │ Zone │ per call │
201  │         │ (304)344-7935 │ 8:00-4:10 │  E   │     3    │ 
202  │         │ (304)343-7016 │ 8:30-4:10 │  E   │     3    │ 
203  │         │ (203)789-6815 │ 8:10-4:45 │  E   │     7    │ 
204  │         │ (204)949-0900 │ 8:30-4:45 │  C   │    N/A   │ 
205  │         │ (205)555-1212 │ 24 hours  │  C   │     2    │ 
206  │ I47128  │ (402)572-5858 │ 24 hours  │  C   │     2    │ 
207  │   411   │ (518)471-8111 │ 8:00-5:00 │  E   │    16    │ 
208  │ I47127  │ (402)572-5858 │ 24 hours  │  C   │     2    │ 
209  │ 1659 or │ (415)781-5271 │ 7:00-5:00 │  P   │     5    │ 
209  │ 2826    │               │           │      │    N/A   │ 
212  │   111   │ (518)471-8111 │ 8:00-5:00 │  E   │    16    │ 
213  │1659/2826│ (415)781-5271 │ 7:00-5:00 │  P   │     5    │ 
214  │ SW5167  │ (817)461-4769 │ 8:00-4:50 │  C   │     3    │ 
215  │         │ (412)633-5600 │ 8:30-5:00 │  E   │     3    │ 
216  │   161   │ (614)464-0511 │ 8:00-5:00 │  E   │     3    │ 
217  │   700   │ (217)789-8290 │ 8:00-5:00 │  C   │     2    │ 
218  │ I47126  │ (402)572-5858 │ 24 hours  │ All  │     2    │ 
219  │   161   │ (317)265-4834 │ 7:30-4:45 │  E   │     3    │ 
301  │         │ (304)343-7016 │ 8:00-4:10 │  E   │     3    │ 
302  │         │ (412)633-5600 │ 8:30-5:00 │  E   │     3    │ 
303  │ I47126  │ (402)572-5858 │ 8:00-5:00 │  M   │     5    │ 
304  │ I47127  │ (304)343-1401 │ 8:00-4:10 │  E   │     3    │ 
305  │ 13402   │ (803)251-0046 │ 8:30-5:00 │  E   │   3-15   │ 
306  │         │ (306)777-2878 │ 8:00-12:00│  M   │    N/A   │ 
307  │ I47127  │ (402)572-5858 │ 24 hours  │  C   │     2    │ 
308  │ I47126  │ (402)572-5858 │ 24 hours  │  C   │     2    │ 
309  │   700   │ (217)789-8290 │ 8:00-5:00 │  C   │     2    │ 
312  │   500   │ (312)796-9600 │ 24hours  │  C   │     2    │ 
313  │ 53423 or│ (313)424-0900 │ 24 hours  │  E   │    20    │ 
313  │ 61728   │               │           │      │    N/A   │ 
314  │ SW1012  │ (816)275-8460 │ 8:30-4:30 │  C   │     3    │ 
315  │   111   │ (518)471-8111 │ 8:00-4:55 │  E   │    16    │ 
316  │ SW2019  │ (913)276-6708 │ 8:00-4:45 │  C   │     3    │ 
317  │   161   │ (317)265-4834 │ 7:30-4:45 │  E   │     3    │ 
318  │         │ (318)555-1212 │ 24 hours  │  C   │     2    │ 
319  │ I47126  │ (402)572-5858 │ 24 hours  │  C   │     2    │ 
401  │   411   │ (518)471-8111 │ 8:00-5:00 │  E   │    16    │ 
402  │ I47126  │ (402)572-5858 │ 24 hours  │  C   │     2    │ 
403  │         │ (403)493-6383 │ 8:00-4:30 │  M   │    N/A   │ 
404  │ 13402   │ (803)251-0046 │ 8:30-5:00 │  E   │   3-15   │ 
405  │ SW4070  │ (405)236-6121 │ 7:30-4:15 │  C   │     3    │ 
406  │ I47127  │ (402)572-5858 │ 24 hours  │  C   │     2    │ 
407 │ 13402   │ (803)251-0046 │ 8:30-5:00 │  E   │   3-15   │ 
408  │1659/2826│ (415)781-5271 │ 7:00-5:00 │  P   │     5    │ 
409  │ SW5167  │ (713)961-2397 │ 8:00-5:00 │  C   │     3    │ 
412  │         │ (412)633-5600 │ 8:30-5:00 │  E   │     3    │ 
413  │   411   │ (518)471-8111 │ 8:00-5:00 │  E   │    16    │ 
414  │   767   │ (608)252-6932 │ 8:00-4:30 │  C   │    1-5   │ 
415  │1659/2826│ (415)781-5271 │ 7:00-5:00 │  P   │     5    │ 
416  │         │ (416)443-0542 │ 8:30-5:00 │  E   │    N/A   │ 
417  │ SW1012  │ (816)275-8460 │ 8:30-4:30 │  C   │     3    │ 
418  │         │ (514)391-7440 │ 8:30-4:45 │      │    N/A   │ 
419  │   161   │ (614)464-0511 │ 8:00-5:00 │  E   │     3    │ 
501  │ SW3006  │ (405)236-6121 │ 7:30-4:30 │  C   │     3    │ 
502  │         │ (502)555-1212 │ 24 hours  │  E   │     2    │ 
503  │ I47128  │ (402)572-5858 │ 24 hours  │  C   │     2    │ 
504  │         │ (504)555-1212 │ 24 hours  │  C   │     2    │ 
505  │ I47127  │ (402)572-5858 │ 24 hours  │  C   │     2    │ 
506  │         │ (506)694-6541 │8:15-4:30 │  A   │    N/A   │ 
507  │ I47126  │ (402)572-5858 │ 24 hours  │  C   │     2    │ 
508  │   411   │ (518)471-8111 │ 8:00-5:00 │  E   │    16    │ 
509  │ I47128  │ (402)572-5858 │ 24 hours  │  C   │     2    │ 
512  │ SW5167  │ (512)828-2501 │ 9:00-5:00 │  C   │     3    │ 
513  │   161   │ (614)464-0511 │ 8:00-5:00 │  E   │     3    │ 
514  │         │ (514)391-7440 │ 8:00-4:30 │  E   │    N/A   │ 
515  │ I47126  │ (402)572-5858 │ 24 hours  │  C   │     2    │ 
516  │   111   │ (518)471-8111 │ 8:00-5:00 │  E   │    16    │ 
517  │53423 or │ (313)424-0900 │ 24 hours  │  E   │    20    │ 
517  │ 61728   │               │           │      │    N/A   │ 
518  │   111   │ (518)471-8111 │ 8:00-5:00 │  E   │    16    │ 
519  │         │ (416)443-0542 │ 8:30-5:00 │  E   │    N/A   │ 
601  │         │ (601)555-1212 │ 24 hours  │  C   │     2    │ 
602  │ I47127  │ (402)572-5858 │ 24 hours  │  M   │     2    │ 
603  │   411   │ (518)471-8111 │ 8:00-5:00 │  E   │    16    │ 
604  │         │ Contact Local │           │      │    N/A   │ 
604  │         │Business Office│           │      │    N/A   │ 
605  │ I47126  │ (402)572-5858 │ 24 hours  │  C   │     2    │ 
606  │         │ (606)555-1212 │ 24 hours  │  E   │     2    │ 
607  │   111   │ (518)471-8111 │ 8:00-5:00 │  E   │    16    │ 
608  │   767   │ (608)252-6932 │ 8:30-4:30 │  C   │     5    │ 
609  │         │ (304)344-7935 │ 8:00-4:10 │  E   │     3    │ 
612  │ I47126  │ (402)572-5858 │ 24 hours  │  C   │     2    │ 
613  │         │ (416)443-0542 │ 8:30-5:00 │  E   │    N/A   │ 
614  │   161   │ (614)464-0511 │ 8:00-5:00 │  E   │     3    │ 
615  │ 13402   │ (615)373-7663 │ 8:00-4:10 │  E   │     3    │ 
616  │53423 or │ (313)424-0900 │ 24 hours  │  E   │    20    │ 
616  │ 61728   │               │           │      │    N/A   │ 
617  │   411   │ (518)471-8111 │ 8:00-5:00 │  E   │    16    │ 
618  │   700   │ (217)789-8290 │ 8:00-5:00 │  C   │     2    │ 
619  │1659/2826│ (415)781-5271 │ 7:00-5:00 │  P   │     5    │ 
701  │ I47126  │ (402)572-5858 │ 24 hours  │  C   │     2    │ 
702  │1659/2826│ (415)781-5271 │ 7:00-5:00 │  P   │     5    │ 
703  │         │ (304)343-1401 │ 8:00-4:10 │  E   │     3    │ 
704  │ 13402   │ (803)251-0046 │ 8:30-5:00 │  E   │   3-15   │ 
705  │         │ (416)443-0542 │ 8:30-5:00 │  E   │    N/A   │ 
707  │1659/2826│ (415)781-5271 │ 7:00-5:00 │  P   │     5    │ 
708  │   500   │ (312)796-9600 │ 24 hours  │  C   │     2    │ 
709  │         │     *NONE*    │           │      │    N/A   │ 
712  │ I47126  │ (402)572-5858 │ 24 hours  │  C   │     2    │ 
713  │ SW5167  │ (713)961-2397 │ 8:00-5:00 │  C   │     2    │ 
714  │1659/2826│ (415)781-5271 │ 7:00-5:00 │  P   │     5    │ 
715  │   767   │ (608)252-6932 │ 8:00-4:30 │  C   │     5    │ 
716  │   111   │ (518)471-8111 │ 8:00-5:00 │  E   │    16    │ 
717# │         │ (412)633-5600 │ 8:30-5:00 │  E   │     3    │ 
717@ │6630109ATZ (717)245-6829 │           │      │    N/A   │ 
718  │   111   │ (518)471-8111 │ 8:00-5:00 │  E   │    16    │ 
719  │ I47127  │ (402)572-5858 │ 8:00-5:00 │  M   │     5    │ 
801  │ I47127  │ (402)572-5858 │ 24 hours  │  C   │     2    │ 
802  │   411   │ (518)471-8111 │ 8:00-5:00 │  E   │    16    │ 
803  │ 3402   │ (803)251-0046 │ 8:30-5:00 │  E   │   3-15   │ 
804  │         │ (304)343-1401 │ 8:00-4:10 │  E   │     3    │ 
805  │1659/2826│ (415)781-5271 │ 8:30-5:00 │  P   │     5    │ 
806  │ SW5167  │ (512)828-2501 │ 8:00-5:00 │  C   │     3    │ 
807  │         │ (416)443-0542 │ 8:30-5:00 │  E   │    N/A   │ 
808  │         │ (800)852-8840 │ 8:00-6:00 │  E   │    N/A   │ 
809  │         │ (800)852-8840 │ 8:30-5:00 │  E   │    N/A   │ 
812  │   161   │ (317)265-4834 │ 8:30-4:45 │  E   │     3    │ 
813  │ 13402   │ (803)251-0046 │ 8:30-4:30 │  E   │    N/A   │ 
813  │GTE only │ (813)442-7229 │ 8:00-5:00 │  E   │    N/A   │ 
814  │         │ (412)633-5600 │ 8:30-5:00 │  E   │     3    │ 
815  │   700   │ (217)789-8290 │ 8:00-5:00 │  C   │     2    │ 
816  │ SW1012  │ (816)275-8460 │ 8:00-4:45 │  C   │     3    │ 
817  │ SW5167  │ (817)461-4769 │ 8:00-5:00 │  C   │     3    │ 
818  │1659/2826│ (415)781-5271 │ 6:45-5:00 │  P   │     5    │ 
819  │         │ (514)391-7440 │ 8:00-4:30 │  E   │    N/A   │ 
901  │ 13402   │ (615)373-7663 │ 8:00-4:10 │  E   │     3    │ 
902  │         │ (902)421-4110 │ 8:15-4:45 │  A   │    N/A  ││ 
904  │ 13402   │ (803)251-0046 │ 8:30-5:00 │  E   │   3-15   │ 
906  │ 61728   │ (313)424-0900 │ 24 hours  │  E   │    20    │ 
907  │         │     *NONE*    │           │      │    N/A   │ 
912  │ 13402   │ (803)251-0046 │ 8:30-5:00 │  E   │   3-15   │ 
913  │ SW2019  │ (913)276-6708 │ 8:00-4:45 │  C   │     3    │ 
914  │   111   │ (518)471-8111 │ 8:00-5:00 │  E   │    16    │ 
915  │ SW5167  │ (512)828-2501 │ 8:00-5:00 │  P   │     5    │ 
916  │1659/2826│ (415)781-5271 │ 8:30-5:00 │  P   │     5    │ 
918  │ SW4070  │ (405)236-6121 │ 7:30-4:10 │  C   │     3    │ 
919  │ 13402   │ (803)251-0046 │ 8:30-5:00 │  E   │    3-5   │

 # - Bell of PA
 @ - United

 Time Zones: P - Pacific   12:00 pm
             M - Mountain   1:00 pm
             C - Central    2:00 pm
             E - Eastern    3:00 pm
             A - Atlantic    4:00 pm

 Note:  The account code for Centel and CONTEL is CNAT, United
Tel. is 6630109ATZ
     Well, that's about it. I tried to find any mistakes that
might have occurred during typing, but there's bound to be one or
two around... Two things to note here: 
1> California has 2 codes listed (1659 and 2826). The first is
for people in California, the second is for everyone else outside
of California obtaining a CNA in those area codes.

2> Michigan ALSO has two codes. The first was the one currently
working when I last tried; the second is what the new code will
be if it hasn't been changed already... It's a totally automated
system, so try both codes.

                          Lock In Trace
A lock in trace is a device used by the F.B.I. to lock into the
phone users location so that he can not hang up while a trace is
in progress. For those of you who are not familiar with the
concept of 'locking in', then here's a brief description. The
F.B.I. can tap into a conversation, sort of like a three-way call
connection. Then, when they get there, they can plug electricity
into the phone line. All phone connections are held open by a
certain voltage of electricity. That is why you sometimes get
static and faint connections when you are calling far away,
because the electricity has trouble keeping the ine up. What the
lock in trace does is cut into the line and generate that same
voltage straight into the lines. That way, when you try and hang
up, voltage is retained. Your phone will ring just like someone
was calling you even after you hang up. (If you have call
waiting, you should understand better about that, for call
waiting intercepts the electricity and makes a tone that means
someone is going through your line. Then, it is a matter of which
voltage is higher. When you push down the receiver, then it see-
saws the electricity to the other side. When you have a person on
each line it is impossible to hang up unless one or both of them
will hang up. If you try to hang up, voltage is retained, and
your phone will ring. That should give you an understanding of
how calling works. Also, when electricity passes through a
certain point on your hone, the electricity causes a bell to
ring, or on some newer phones an electronic ring to sound.) So,
in order to eliminate the trace, you somehow must lower the
voltage level on your phone line. You should know that every time
someone else picks up the phone line, then the voltage does
decrease a little. In the first steps of planning this out, Xerox
suggested getting about a hundred phones all hooked into the same
line that could all be taken off the hook at the same time. That
would greatly decrease the voltage level. That is also why most
three-way connections that are using the bell service three way
calling (which is only $3 a month) become quite faint after a
while. By now, you should understand the basic idea. You have to
drain all of the power out of the line so the voltage can not be
kept up. Rather sudden draining of power could quickly short out
the F.B.I. voltage machine, because it was only built to sustain
the exact voltage necessary to keep the voltage out. For now,
imagine this. One of the normal Radio Shack generators that you
can go pick up that one end of the cord that hooks into the
central box has a phone jack on it and the other has an
electrical plug. This way, you can "flash" voltage through the
line, but cannot drain it. So, some modifications have to be

A BEOC (Basic Electrical Output Socket), like a small lamp-type
connection, where you just have a simple plug and wire that would
plug into a light bulb. One of cords metioned above, if you
can't find one then construct your own... Same voltage
connection, but the restrainer must be built in (I.E. The central
Two phone jacks (one for the modem, one for if you are being
traced to plug the aqua box into)

 All right, this is a very simple procedure. If you have the
BEOC, it could drain into anything: a radio, or whatever. The
purpose of having that is you are going to suck the voltage out
from the phone line into the electrical appliance so there would
be no voltage left to lock you in with.

Take the connection cord. Examine the plug at the end. It should
have only two prongs. If it has three, still, do not fear. Make
sure the electrical appliance is turned off unless you want to
become a crispy critter while making this thing. Most plugs will
have a hard plastic design on the top of them to prevent you from
getting in at the electrical wires inside. Well, remove it. If
you want to keep the plug (I don't see why...) then just cut the
top off. When you look inside, Lo and Behold, you will see that
at the base of the prongs there are a few wires connecting in.
Those wires conduct the power into the appliance. So, you
carefully unwrap those from the sides and pull them out until
they are about an inch ahead of the prongs. If you don't want to
keep the jack, then just rip the prongs out. If you are, cover
the prongs with insulation tape so they will not connect with the
wires when the power is being drained from the line. Do the same
thing with the prongs on the other plug, so you have the wires
evenly connectd. Now, wrap the end of the wires around each
other. If you happen to have the other end of the voltage cord
hooked into the phone, stop reading now, you're too stupid to
continue. After you've wrapped the wires around each other, then
cover the whole thing with the plugs with insulating tape. Then,
if you built your own control box or if you bought one, then cram
all the wires into it and close it. That box is your ticket out
of this. Re-check everything to make sure it's all in place. This
is a pretty flimsy connection, but on later models when you get
more experienced at it then you can solder away at it and form
the whole device into one big box, with some kind of cheap Mattel
hand-held game inside to be the power connector. In order to use
it, just keep this box handy. Plug it into the jack if you want,
but it will slightly lower the voltage so it isn't connected.
When you plug it in, if you see sparks, unplug it and restart the
whole thing. But if it just seems fine then leave it.

Now, so you have the whole thing plugged in and all... Do not use
this unless the situation is desperate! When the trace has gone
on, don't panic, unplug your phone, and turn on the appliance
that it was hooked to. It will need energy to turn itself on, and
here's a great source... The voltage to keep a phone line open is
pretty small and a simple light bulb should drain it all in and
probably short the F.B.I. computer at the same time. Happy boxing
and stay free!

                           Pinkish Box
  The function of a "Pink Box" is a hold button that allows music
or anything else to be played into the telephone while person is
on hold. This modification either be done right in the telephone
as a separate box.

Materials Needed

1. Some Bell wire or Phone wire
2. A SPST momentary switch       RS # 275-1547
3. 470 ohm resistor              RS # 271-019
4. 1 LED (Approx 5V)             RS # 276-041
5. An SCR, 2N5061  (Transistor)
6. Audio Transformer (Ratio 10K:600)
7. RCA phono Jack                RS # 274-346
8. Screw drivers, soldering irons, solder, Etc.

1. Open the wall box and locate the RED and GREEN wires.
2. Take a piece or RED wire and strip tend and attach it to the
red lead on the wall box.  Do the same for the GREEN.
3. Connect the GREEN wire to the ANODE of the LED.
4. Connect the CATHODE side of the LED the UPPER pin of the
primary side of the transformer.
5. Connect the pin directly across to one pole of the phono jack.
6. Connect the RED wire to one side of  resistor and to the "C
pole" of the transistor.
7. Connect the open pin of the switch the other side of the
resistor and to the "G pole"  of the transistor.Wiring Diagram

          RCA Jack    X-former    LED
                      _____      C   A
  Pole or Jack --/---! Top !---/--(*)--\------GREEN wire
                    -!View !- Primary   --I---RED wire
  Pole of Jack --/---!_____!---/-I       (O)
                                 I        I
                                 I     [--I-----Pole of Switch    
I--------/--m--Pole of Switch

Key to Symbols

--  Wire
I   Connection or wire
/   Connection or wire

 _/    C pole of transistor    --(*)--
[_)--  G pole of transistor    I
 I     A pole of transistor   (O)  Resister
 ---! Top !---
   -! View!- Primary    Transformer

    Hook the RED and GREEN wires up to the appropriate terminals
and hook the RCA jack to the output on your stereo.  Turn on your
stereo at a good volume. Now call a friend.  To test the Box,
hold down the switch and hang up the phone.  The LED should go
and your friend should hear music, If not then start over.  The
hold is shut off if you pick up a phone on that line or your end
hangs up.

                            Pearl Box
The Pearl Box:Definition - This is a box that may substitute for
many boxes which produce tones in hertz. The Pearl Box when
operated correctly can produce tones from 1-999hz. As you can
see, 2600, 1633, 1336 and other crucial tones are obviously in
its sound spectrum.

Materials you will need in order to
build The Pearl Box:
C1, C2:.5mf or .5uf ceramic disk
Q1.....NPN transistor (2N2222 works
S1.....Normally open momentary SPST
S2.....SPST toggle switch
B1.....Standard 9-Volt battery
R1.....Single turn, 50k potentiometer
R2.....  "     "    100k potentiometer
R3.....  "     "    500k potentiometer
R4.....  "     "    1meg potentiometer
SPKR...Standard 8-ohm speaker
T1.....Mini transformer (8-ohm works
Misc...Wire, solder, soldering iron, PC
         board or perfboard, box to
         contain the completed unit,
         battery clip

Instructions for building Pearl Box:

Since the instruction are EXTREMELY difficult to explain in
words, you will be given a schematic instead. It will be quite
difficult to follow but try it any way. There is also a Hi-Res
picture you can get that shows the schematic in great detail.

Schematic for The Pearl Box

    !             !          \
    C1            C2          \
    !             !            +
    +             +       -----+T1
    !\            +------------+-+
    !  b  c-------!              +
    !   Q1                   !   +-S1-
    !     e-----S2---+       !    SPKR
    !                !       !   +----
    !               B1       !
    !                !       !
    !                +-------+
    !R1   R2   R3   R4!
    /\/\ /\/\ /\/\ /\/\
      +--+ +--+ +--+

Now that you are probably thoroughly confused, let me explain a
few minor details. The potentiometer area is rigged so that the
left pole is connected to the center pole of the potentiometer
next to it. The middle terminal of T1 is connected to the piece
of wire that runs down to the end of the battery.

Correct operation of The Pearl Box:
You may want to get some dry-transfer decals at Radio Shack to
make this job a lot easier. Also, some knobs for the tops of the
potentiometers may be useful too. Use the decals to calibrate the
knobs. R1 is the knob for the ones place, R2 is for the tens
place, R3 if for the hundreds place and R4 is for the thousands
place. S1 is for producing the all the tones and S2 is for power.

Step 1: Turn on the power and adjust the knobs for the desired
tone.        (Example: For 2600 hz-

Step 2: Hit the pushbutton switch and VIOLA! You have the tone.
If you don't have a tone recheck all connections and schematic.
If you still don't have a tone call Brainstorm BBS: 612-345-2815,
The Bay:415-775-2384 or Pirate's Harbor:617-720-3600 and leave me
e-mail stating what the scene is.

                            Brown Box
 This is a fairly simple modification that can be made to any
phone. All it does is allow you to take any 2 lines in your house
and create a party line. So far I have not heard of any problems
with it from my friends that have set one up and I have not had
any either. There is one thing that you will notice when you are
one of the two people who is called by a person with this box.
The other person will sound a little bit faint. I could overcome
this with some amplifiers but then there wouldn't be very many of
these boxes made. I think that the convenience of having two
people on line at any one time will make up for the minor volume
Here is the diagram:
PART                 SYMBOL 
BLACK WIRE              *
YELLOW WIRE             =
RED WIRE                +
GREEN WIRE              -
SPDT SWITCH            _/_
VERTICAL WIRE           |

       *    =    -    +
       *    =    -    +
       *    =    -    +
       *    =    -    +
       *    =    -    +
       *    ==_/_-    +
       |              |
       |              |
       |              |

In some houses the black and yellow are already wired in others
you will have to go out to your box and rewire it. A goo way to
figure out which line is which is to take the phone you are
looking for off the hook. Then you only need to take the red and
green wires entering your phone and hook them to the different
pairs of red and green going into the house. You can't hurt
anything in the phone or telephone by probing. When you find the
pair that you want take the black from your line and attach it to
the red of the other line then take the yellow and attach it to
the green line. Now you are all set to go. For people with rotary
phones you can have one person call you then place the second
call out to the other person. Though not a phreaker's tool, the
brown box can be fun.

                           Scarlet box
   The purpose of a Scarlet box is to create a very bad
connection, it can be used to crash a BBS or just make life
miserable for those you seek to avenge.

   Materials: 2 alligator clips, 3 inch wire, or a resister
(plain wire will create greatest amount of static)
(Resister will decrease the amount of static in proportion to the
resister you are using)
Step (1): Find the phone box at your victims house, and pop the
cover off. Step (2): Find the two prongs that the phone line you
wish to box are connected to.
Step (3): Hook your alligator clips to your (wire/resister). Step
(4): Find the lower middle prong and take off all wires connected
to it, I think this disables the ground and call waiting and
stuff like that. Step (5): Now take one of the alligator clips
and attach it to the upper most prong, and take the other and
attach it to the lower middle prong. Step (6): Now put the cover
back on the box and take off!!

  A day-glow box is very easy to make, and very inexpensive to
build. It works like this: On the outside of every home that has
a phone, there is something called "the outside connection box,"
which is where the house is connected to Ma Bell's network. This
ingenious device connects to a) your phone, b) the victim's
outside box. You should be starting to get the idea.

Materials necessary:
1. Radio Shack modular conversion jack
2. A small experimenter's box (optional)
3. 1 foot of red wire. (better to overkill)
4. 1 foot of green wire. (same as above)
5. 2 medium alligator clips

In order to construct this box, you will need all of the above
materials. Note that your wire does not necessarily have to be
red or green, but it is necessary that you be able to tell them
apart. Also, you might want to use thick, easily bent wire (audio
hookup wire works best) instead of bell wire. Now, on to the

Remove the actual modular jack from the conversion box. This can
be done by pushing inward and then up, or you can just cut the
plastic. Remove the black and yellow wires from the jack. You can
either clip these or rip them out. To your newly isolated jack,
add the 1 foot wire extensions to the respective wires. Soldering
and then wrapping the connections with electrical tape works
best. Next, solder the alligator clips to the extended wires. If
you do not wish to solder them, then just wrap the clips with the
wire. Now, place this newly made contraption into a box
(optional). You may need to drill a few holes, and possibly
remove the alligator clips, but you should have read this file
first, anyway.

  The day-glow box will work with any phone. First, you need to
locate a house that has a phone. Next, (it's preferable to do
this at night) go up to the and locate the outside connection
box. Pop the cover off. Locate prong 3 and prong 4. You will
attach the green wire clip to prong 3. The red wire clip will go
to prong 4. Now, plug your phone (preferably a trimline or
ranger) into your modular plug. You may now either listen in on
the call (wire tap) OR you may call out to anywhere in the world.
If you are really daring, you can bring your computer with you.
Note: This box may also be used in conjunction with the lunch box
in order to make a perfect phone bug.

Neat things you can do with your new box:
Call 976 numbers. This should be done very frequently. Also, I
find that after finding the victim's outside box, several calls
to the gay hotline will have interesting after-effects. Namely,
his parents wondering about him. Alliance teleconferencing can be
accomplished quite easily. Try it! Call 0-700-456-1000. Or, tell
the operator you'd like to initiate a conference. Of course, you
should place several calls to other countries. This can be
accomplished by looking in the front of your white pages for the
various country and city codes. You should be able to follow the
directions provided in there.

  Have you ever wondered what those 6ft tall cabinets with the
bell logo on them were for? Well, if you've never seen them,
here's a quick description: They are 6ft tall by 3ft wide, and
painted the dull phone company green. They can be opened quite
easily with a 7/16ths inch socket wrench. After turning the bold
over the handle, turn the handle to the right and pull. It should
open, displaying over 100 different lines. Occasionally, you can
find tech. manuals and test kits inside. They are usually located
near phone lines. Okay, now, once you have opened one of these
calling cabinets, locate the line of your choice. You will have
to take out both the orange and the white insulated screws. The
purple and white wires should come off along with the screws. The
lines go out to the house, and the screw posts are the actual
line. Now, you should clip the alligators to the posts, with one
part of the clip on the insulation, and on.]Now, you should clip
the alligators to the nep parteli. Oh, if you want the home to
remain connected, clip the wires inside the hole using the
alligator clips. By the way, the red terminal on your box goes to
the orange post, and the green one to the white post... if that
doesn't work, reverse the connection. Now, to find out the number
you have taken over, dial 380-55555555. Yes, that's eight fives.
A computer voice should tell you what number you are on. I hope
you can take it from here. Oh, in apartments, you can find the
calling cabinet in the basement... remember, this is not your
line, so do anything you want. Call the President or something.

                         Gold Box Plans

2 10k OHM resistors
3 1.4k OHM resistors
2 2N3904 transistors
2 Photocells
2 LED's (Make sure they're real bright)
1 Box to contain it in that will not allow sunlight in it.
(some) wire. Red and green for easiness sake

Light from the LED's must shine directly on the photocells. You
may have to have the LED touching the photocell for it to work.

[The 1.4k resistor is variable and if the second part of the box
is skipped the box will still work but if someone picks up the
phone they may report it to the Phone Co. The 1.4k will give you
good reception with little risk of the Gestapo knocking at your
door. Take two green wires and strip the ends. Twist one end of
each together so they make one wire. Connect it to Green #1.
Label this 'Line #1'. Do the same but with red wire and attach it
to Red #1. Repeat the process for Red #2 and Green #2 and label
it 'Line #2'. Find two phone lines that are close together. Label
one of them 'Line #1'. Cut [the phone lines and take off the
outer covering. You'l see 4 colored wires inside. Cut the yellow
and black wire off and strip the red and green wires on both
lines. Line #1 should be in two pieces. Take the green wire of
one end and connect to one of the green wires on the box. Take
the other half of the phone line green wire and connect it to the
other green wires on the gold box. Do the same for the red wires
on the other line and the red wires on the box. Now, find out
what number you hooked up the gold box to. Go home and call it.
You should get a dial tone and you can dial out. If not, re-check
everything. If it still doesn't work, pack up and go home.                            Green Box
 Paying the initial rate in order to use a red box (on certain
fortresses) left a sour taste in many red boxers mouths, thus the
green box was invented. The green box generates useful tones such
that ACTS or the TSPS operator would send to the CO when
appropriate. Unfortunately, the green box cannot be used at the
fortress station but must be used by the CALLED party. Here are
the tones:

COIN COLLECT     700+1100hz
COIN RETURN      1100+1700hz
RINGBACK         700+1700hz

Before the called party sends any of these tones, an operator
release signal should be sent to alert the M detectors at the CO.
This can be done by sending 900hz + 1500hz or a single 2600 wink
(90 ms.)

Also, do not forget that the initial rate is collected shortly
before the 3 minute period is up.

Incidentally, once the above M tones for collecting and returning
coins reach the CO, they are convertedinto an appropriate DC
pulse (-130 volts for return and +130 for collect). This pulse is
then sent down the tip to the fortress. This causes the coin
relay to either return or collect the coins. The alleged "T-
network" takes advantage of this information. When a pulse for
coin collect (+130 VDC) is sent down the line, it must be
grounded somewhere. This is usually the yellow or black wire.
Thus, if the wires are exposed, these wires can be cut to prevent
the pulse from being grounded. When the three minute initial
period is almost up, make sure that the black and yellow wires
are severed, then hang up, wait about 15 seconds in case of a
second pulse, reconnect the wires, pick up the phone, an if all
goes well, it should be "JACKPOT" time.

                           Blotto Box
  For years now every pirate has dreamed of the Blotto Box. It
was at first made as a joke to mock more ignorant people into
thinking that the function of it actually was possible. Well, if
you are The Voltage Master, it is possible. Originally conceived
by King Blotto of much fame, the Blotto Box is finally available
to the public.
  The Blotto Box is every phreak's dream... you could hold AT&T
down on its knee's with this device. Be
cause, quite simply, it can turn off the phone lines everywhere.
Nothing. Blotto. No calls will be allowed out of an area code,
and no calls will be allowed in. No calls can be made inside it
for that matter. As long as the switching system stays the same,
this box will not stop at a mere area code. It will stop at
nothing. The electrical impulses that emit from this box will
open every line. Every line will ring and ring and ring... the
voltage will never be cut off until the box/generator is stopped.
This is no 200 volt job, here. We are talking GENERATOR. Every
phone line will continue to ring, and people close to the box may
be electrocuted if they pick up the phone.
  But, the Blotto Box can be stopped by merely cutting of the
line or generator. If they are cut off then nothing will emit any
longer. It will take a while for the box to calm back down again,
but that is merely a superficial aftereffect. Once again:
Construction and use of this box is not advised! The Blotto Box
will continue as long as there is electricity to continue with.
  OK, that is what it does, now, here are some interesting things
for you to do with it...

  Once you have installed your Blotto, there is no turning back.
The following are the instructions for construction and use of
this box. Please read and heed all warnings in the above section
before you attempt to construct this box.

- A Honda portable generator or a main power outlet like in a
stadium or some such place.
- A radm r=L L5I Z] ] for 400 volts that splices a female plug
into a phone line jack.
- A meter of voltage to attach to the box itself.
- A green base (i.e. one of the nice boxes about 3' by 4' that
you see around in your neighborhood. They are the main switch
boards and would be a more effective line to start with.
or:  regular phone jack (not your own, and not in your area
code! - A soldering iron and much solder.
- A remote control or long wooden pole.

 Now. You must have guessed the construction from that. If not,
here goes, I will explain in detail. Take the Honda Portable
Generator and all of the other listed equipment and go out and
hunt for a green base. Make sure it is one on the ground or
hanging at head level from a pole, not the huge ones at the top
of telephone poles. Open it up with anything convenient, if you
are two feeble then don't try this. Take a look inside... you are
hunting for color-coordinating lines of green and red. Now, take
out your radio shack cord and rip the meter thing off. Replace it
with the voltage meter about. A good level to set the voltage to
is about 1000 volts. Now, attach the voltage meter to the cord
and set the limit for one thousand. Plug the other end of the
cord into the generator. Take the phone jack and splice the jack
part off. Open it up and match the red and green wires with the
other red and green wires. NOTE: If you just had the generator on
and have done this in the correct order, you will be a crispy
critter. Keep the generator off until you plan to start it up.
Now, solder those lines together carefully. Wrap duck tape or
insulation tape around all of the wires. Now, place the remote
control right on to the startup of the generator. If you have the
long pole, make sure it is very long and stand back as far away
as you can get and reach the pole over. NOTICE: If you are going
right along with this without reading the file first, you should
realize now that your area code is about to become null! Then,
getting back, twitch the pole/remote control and run for your
damn life. Anywhere, just get away from it. It will be generating
so much electricity that if you stand to close you will kill
yourself. The generator will smoke, etc. but will not stop. You
are now killing your area code, because all of that energy is
spreading through all of the phone lines around you in every
                        Computer Hacking


Many people may or may not have heard of Tymnet. Tymnet is one of
the best information gathering networks that is around. It seems
as though it were set up with the hacker in mind, but we all know
this isn't true. After becoming experienced with the network, I
found there to be little information available to the newcomer,
with the exception of what is already available on the network,
but as we all know, this leaves the newcomer craving for more. As
this file was under construction, a great blow hit the hacker
community on the network; four of the most popular NUIs died
(NUIs to be discussed later). They were VIDEO, and the T.LLOYxx
Family. In hopes of having the community reborn, an additional
new NUI has been included.

For more information regarding Tymnet, Telenet, and other PSNs,
consult the Leigon's of Lucifer Text File #10-11. Although other
information on PSNs is available from Leigon's of Lucifer, this
file was written in mind that the reader is unfamiliar with
Tymnet. Terminology that would appear to be new to the reader is
explained, in hopes that you will gain a greater knowledge of the

Tymnet is an international network designed for two basic
reasons. One, to link computers worldwide in order to exchange
information. Two, so hackers can take advantage of the network
and connect to the as many computers available =).

Tymnet is linked to computers throughout the world including most
major continents (North/South America, Asia, Europe, Africa,
Australia, etc.). Tymnet is referred to as a PSN, which is an
acronym for Packet Switching Network. A PSN is any network that
sends information via packets, in Tymnet's case, 128 byte

        The following is an example of a simple PSN, which
includes three major components:

        1) The PAD      (Your Local Dialup)
        2) The PSN      (The network that you are currently on)   
        3) The Host     (The computer you connect to via the PSN)

Use of a PSN is quite simple. First you must connect to your
local PAD, and sign in with a NUI. If the NUI is valid, a colon
prompt will follow (;), at which you may enter any NUA (NUAs to
be discussed later), depending on what level of access the NUI
has. The PSN then connects you to the Host, posing as a relay
between you and the host. If this appears confusing, read through
the rest of this file, and browse back through it, and possibly
you will understand the concept a bit better.

Since Tymnet is not connected to nearly as many businesses as
Telenet, it turns to be more of a communication and information
gathering tool then a scanning one. Hackers on Tymnet, which can
be contacted on the many various chat systems are almost always
bound to have information to trade, or give away. Almost
everything is available, from telco, fraud, to hacking.

Connecting to Tymnet:

The first thing you must do is find your local Tymnet dialup. If
you already know your dialup, you can skip by this paragraph, and
move on. There are two ways to acquire your dialup. Voice, or
data. If you choose to find out your dialup voice, call 1-
(800)-222-0555. Use your touch-tone keypad and follow the voice
prompts. Data is quite simple if you are already familiar with
the logon process on Tymnet. Type 'Information', or 'Info' at the
NUI (Logon) prompt. It's self explanatory from there. You can
also dial 1-(800) 336-0149 to find out your local dial, this
includes HST Modems.

You must now prepare your terminal to communicate with Tymnet.
Switch your parity to either 7E1 or 8N1. 7E1 is preferred, as I
have encountered problems using 8N1. Toggle your Local Echo until
it appears satisfactory. Once connected, Hit return a few times
until the following message appears:

please type your terminal identifier

When this occurs, hit 'a' if you have 7E1, or 'o' if you have 8N1
set up. The 'a' / 'o' combination tells the PAD your parity
setting. Something to this effect will follow:

    please log in:

You have now successfully connected to Tymnet.

Usage of NUIs:

NUI is an acronym for Network User Identification. This is much
like the standard 'user name' on your favorite BBS. NUIs are
legitimate accounts given to paying members of Tymnet. Hackers
always seem to have a knack for setting up illegal NUIs though.
Unlike Telenet, Tymnet NUIs are easy to find. The NUI 'VIDEO',
which was by far one of the most popular hacker NUIs on Tymnet
was cancelled during the construction of this file. Along with
it, the T.LLOYxx Family died (T.LLOY01, T.LLOY02, T.LLOY03).
These NUIs are probably the most free accounts that have been
available; meaning they had extremely little restrictions. After
entering a legitimate NUI, a colon prompt will appear. This
notifies you that Tymnet is ready to receive a NUA. NUA is an
acronym for Network User Address. This could be associated with a
BBS telephone number, as they are much alike in certain aspects.

Types of NUAs:

Chat Systems-

Chat systems are probably the most popular of the NUAs to hackers
on the networks. You can find many other hackers that are willing
to trade new information. As well, in-depth conversations on
hacking do take place on chat systems, so they are an excellent
place to learn for the newcomer.

One of the most popular chat systems is QSD France. You can reach
QSD via 208057040540 NUA. It is not a 'Live' chat system, as
messages take some time to exchange. This chat system is also an
excellent place to find other hackers to exchange information
with. But be noted, QSD is like a local chat system in France, so
you will, certain times, run into people who know nothing about
hacking. It's best to avoid these people, because they are
usually gay/lesbian, or looking for a fight. Besides, what use do
you have for the general public? When reaching QSD, remember to
change your parity to 8N1. If you logged in with 8N1, don't worry
about it. Another note, QSD treats a destructive backspace as
return. Do NOT hit backspace. The only way to get around the
backspace problem, from my knowledge, is to use a Canadian PAD.

Most other chat systems are run off either custom software, like
QSD, or off a Unix Shell. The Unix Shell chat systems are a bit
harder to understand, but are much more powerful. When logging in
to a Unix chat system, you will see a Logon: prompt, as most
Unix's have. Try using default accounts to logon (x25, Guest,
etc.). When logging onto a Unix Chat System which automatically
places your NUA (Your PAD Address), use the FROM= command from
the logon. RMI Chat System is a perfect example of this. Use Gast
FROM=Hell/Gast as a Username/Password. If you want other hackers
to know the exact geographical location from which you are
calling, don't bother with this, otherwise, be safe, and use the
FROM= command.

Unix Chat Systems resemble closely to the conferences found on
most pay networks (Compuserve, Genie, BIX, etc), as they are
'Live', and you see messages as soon as the author writes them.

Outdials Explained:

Outdials that are available on Tymnet are PC-Pursuit (Telenet)
Outdials. PC-Pursuit is a pay service from Telenet where you sign
up and pay a monthly fee, and you are allowed a certain amount of
long distance data calls. Of course, when using PC-Pursuit
Outdials through Tymnet, you don't have to pay for anything.
Outdials are restricted only to dial numbers from within that
area code. If you logon to the 213 Outdial, you can only reach
data numbers in 213. These Outdials are referred to as Local
Outdials. There is another type of Outdials, and there are called
Global Outdials, or, abbreviated, GODs. GODs can call anywhere
within the United States with no restrictions, unlike LODs. The
dial format for GODs usually differs. Ask whomever you received
the GOD from for dialing procedures. Usage of Outdials is quite
simple, after logging into Tymnet, and entering the NUA of the
desired Outdial, you must hit one of three commands. If you are
new to Outdials, they have a help level available where a program
controls the modem for you via certain commands you send to it.
To reach this help level, hit either CTRL-E or '%' when you
connect to the Outdial. If you wish to use simplified AT
commands, type 'AT', and you are ready. Use the AT level just as
you would with your own modem. Entering a 1+AC+Number is not
necessary, and if done, will not work correctly. Remember, you
are logged into a certain area code, and you can only call
numbers within that area code, so just type the local 7 digit
phone number. File transferring through Tymnet/Telenet OutDial
through tymnet is tricky when you are on a BBS, you must ALWAYS
switch to 8n1,1 after you connect to a BBS through a OD, and when
you are about to transfer, the only protocol you can use is PCP
Z-Modem, aka MobyTurbo Zmodem, aka Z-Modem '90. This protocol was
made for tymnet OD's and if you don't use it, you will get a slew
of errors in your file and it will just corrupt the file and/or
abort your transfer.

DNIC Restrictions:

DNIC is an acronym for Data Network Identification Code. A DNIC
is made up of the first 4 digits of any NUA. There are plenty of
DNIC lists around, so I will not include one. A DNIC shows which
network, or country you are connecting to. Most of the NUIs that
have been around have had very little restrictions when it comes
to connecting to different DNICs, but as they are slowly dying,
you might run into trouble with new NUIs that have restrictions.
If you are trying to connect to a system in Germany, and your NUI
bars access to German DNICs, try connecting to another PAD, such
as an England PAD, and attempt connecting to the NUA again. You
should not run into many problems. It's harder to scan this way..
but it's a method around NUI restrictions. (Editor's Notes: In
this text file, the author refers to your local Tymnet dialup as
a PAD. Technically, it is. Technically, everything on Tymnet is a
PAD. When I use the acronym PAD, I mean an x28/x29 PAD, and not a
local dialup, and most of the rest of the hacker community on the
networks would agree. I find very rare instances where I see it
used in this way.) 
Here is a list of Telenet PC-Pursuit Local Out Dials:

     New Jersey:
3110 201 00 022   2400 Baud

     District of Columbia:
3110 202 00 117   2400 Baud

3110 203 00 105   2400 Baud

3110 206000 208   2400 Baud

     New York:
3110 212 00 028   2400 Baud

3110 213 00 023   2400 Baud
3110 213 00 413   2400 Baud
3110 714 00 004   2400 Baud
3110 714 00 102   2400 Baud
3110 916 00 007   2400 Baud
3110 408 00 021   2400 Baud

3110 214 00 022   2400 Baud
3110 713 00 024   2400 Baud

3110 215 00 022   2400 Baud

3110 216 00 120   2400 Baud

3110 303 00 021   2400 Baud
3110 303 00 115   2400 Baud

3110 305 00 122   2400 Baud
3110 813 00 124   2400 Baud

3110 312 00 024   2400 Baud

3110 313 00 024   2400 Baud

3110 314 00 005   2400 Baud

3110 404 00 022   2400 Baud

3110 414 00 120   2400 Baud

3110 602 00 026   2400 Baud

3110 612 00 022   2400 Baud

3110 617 00 026   2400 Baud

3110 801 00 012   2400 Baud

     North Carolina:
3110 919 00 124   2400 Baud

I am writing this assuming that the reader has no knowledge of
the Telenet network. In part 1 I will discuss the basic theory of
Telenet and how it can be used as a basically safe and fun
hacking tool. Telenet is a Packet Switching Network (PSN). Since
I want to make this as short as possible I will try to give you a
*basic* understanding of what a PSN is and how it works.
Basically there are 3 levels to the PSN. The 3rd and lowest is
the PAD that you dial-up. This is where you enter all of the
information. 2nd is the actual PSN which takes the data you enter
in 128k chunks (usually) and then transmits them to the host (1st
and highest level) at baud rates ranging from 9600 to 19,200.
This means that 2 computers with different baud rates are able to
communicate (See my really bad ASCII PSN map). Ok, now you have a
*basic* understanding of how Telenet works. Now to the fun stuff!
Remember, Telenet has access to computers all over the world.
When you consider all the networks that these other computers are
connected to then you can see that you can basically access the
entire world. It is also pretty safe because there is no way that
someone can monitor all the PADs at one time.
Ok, now first you must find a list of Telenet access numbers.
There are many lists out there (look in Phrack issue 21). If you
can't find one then to find the Telenet dialup nearest your
location, call 800-424-9494 at 300/1200 baud. At the '@' prompt,
type 'MAIL'. Enter user name 'PHONES' with password 'PHONES'. So
now you have a local access number. Remember it's (7E1), so if
your screen looks messed-up then you're not set right. After you
call this is what you do.....

*Inside the '<>' (of course <CR> is return) is what you have to

CONNECT 2400 (or whatever baud rate it is)
<CR> <CR>

     Ok, now  you're to the @ prompt.  This is the telenet PAD
prompt.  This prompt means that telenet is in "command" mode. Now
we will get to the *real* fun.
  Telenet's computer systems are identified by NUA's. This stands
for Network User Address.  The way you connect to the NUA's are
by either typing in 'c' <nua> or just typing in the nua by
itself.  We will work w/ the 1st and most basic form on the NUA
since this is a file for people who don't know what the hell
they're doing (I'll make another G-phile for the more advanced
telenet hacker ).  The easiest form is AAA XXX, this is where AAA
stands for an area code and XXX stands for random numbers.  So if
I wanted to scan the Los Angeles area for example I would type
213 123.  Here 213 is the area code and 123 are random numbers. 
You must have a at least 4 numbers.  So 213 1 would work as would
213 12.
      Telenet doesn't recognize zeros or spaces so you could also
type 213 123 like this 213000000000000123 or like 213123. Ok, now
that you know how to use simple NUA's you can start messing
around.    So, now you can access all the networks and
Unix/Vax/Primes/etc... that you want right?  So, you enter 213
123 and suddenly it says..             COLLECT CONNECTION REFUSED
F4 E6  Well, you just learned life's first lesson. Nothing in
life is free! Yes, that's right,  the "good" systems on telenet
you have to pay for. This is where a NUI comes in. This stands
for Network User ID. This is for users with "accounts" on
telenet.  NUI's are very hard to find these days ( I've only had
1 in my hacking adventures ).  They are in the form of a user
name ( anything ) and then a password (6 numbers). These are very
hard to hack since there are no "default" names or passwords. You
type in ID <name> and then the password to user one. if you can
hack out a NUI then you should be writing G-Philes instead of
reading them.
    But don't worry though! There are *MANY* systems on telenet
that are free. The only ones that cost money are the big ones
like some BIG corporation.  By just typing in an area code and
then a random number ( up to 3 digits ) you can find some really
cool systems (hey, yo can hack into McDonalds for free!!). 
Anyway I have the most fun by turning on my Led Zeppelin CD and
just randomly typing in numbers. You will find at least 1 NUA
that connects for every 5 you type in . Its not like phreaking
where you find a code per 10 hours....    Of course there are the
lazy hackers who just want the NUA's with no work, there are many
good NUA lists ( check you local p/h/a board ). You can find a
NUA lists in a few Phrack issues or on DII (Data Infinty,
Incorporated (yes once again, I must plug my organization you
know). If you want to feel like you did something then get the
NUA Attacker. This is an IBM program that calls telenet and then
types in different NUA's ( you set the range ). It is basically a
code hacker for Telenet. This can be found on DII (Data Infinity,
Inc.) <once again> or most good p/h/a boards.                          HACKING UNIX

Welcome to the basics of hacking Vax's and Unix. In this article,
we discuss the unix system that runs on the various vax systems.
If you are on another unix-type system, some commands may differ,
but since it is licensed to bell, they can't make many changes.
Hacking onto a unix system is very difficult, and in this case,
we advise having an inside source, if possible. The reason it is
difficult to hack a vax is this: Many vax, after you get a
carrier from them, respond=> Login: They give you no chance to
see what the login name format is. Most commonly used are single
words, under 8digits, usually the person's name. There is a way
around this: Most vax have an acct. called 'suggest' for people
to use to make a suggestion to the system root terminal. This is
usually watched by the system operator, but at late he is
probably at home sleeping. So we can write a program to send at
the vax this type of a message: A screen freeze (Ctrl-s), screen
clear (system dependant), about 255 garbage characters, and then
a command to create a login acct., after which you clear the
screen again, then un- freeze the terminal. What this does: When
the terminal is frozen, it keeps a buffer of what is sent. well,
the buffer is about 127 characters long. so you overflow it with
trash, and then you send a command line to create an acct.
(System dependant). after this you clear the buffer and screen
again, then unfreeze the terminal. This is a bad way to do it,
and it is much nicer if you just send a command to the terminal
to shut the system down, or whatever you are after... There is
always, *Always* an acct. called root, the most powerful acct. to
be on, since it has all of the system files on it. If you hack
your way onto this one, then everything is easy from here on...
On the unix system, the abort key is the Ctrl-d key. watch how
many times you hit this, since it is also a way to log off the
system! A little about unix architecture: The root directory,
called root, is where the system resides. After this come a few
'sub' root directories, usually to group things (stats here, priv
stuff here, the user log here...). Under this comes the superuser
(the operator of the system), and then finally the normal users.
In the unix 'Shell' everything is treated the same. By this we
mean: You can access a program the same way you access a user
directory, and so on. The way the unix system was written,
everything, users included, are just programs belonging to the
root directory. Those of you who hacked onto the root, smile,
since you can screw everything... the main level (exec level)
prompt on the unix system is the $, and if you are on the root,
you have a # (super- user prompt). Ok, a few basics for the
system... To see where you are, and what paths are active in
regards to your user account, then type > pwd This shows your
acct. separated by a slash with another pathname (acct.),
possibly many times. To connect through to another path, or many
paths, you would type: You=> path1/path2/path3 and then you are
connected all the way from path1 to path3. You can run the
programs on all the paths you are connected to. If it does not
allow you to connect to a path, then you have insufficient privs,
or the path is closed and archived onto tape. You can run
programs this way also:
you=> path1/path2/path3/program-name
unix treats everything as a program, and thus there a few
commands to learn... To see what you have access to in the end
path, type=> ls -- for list. this show the programs you can run.
You can connect to the root directory and run it's programs
with=> /root By the way, most unix systems have their log file on
the root, so you can set up a watch on the file, waiting for
people to log in and snatch their password as it passes thru the
file. To connect to a directory, use the command: => cd pathname
this allows you to do what you want with that directory. You may
be asked for a password, but this is a good way of finding other
user names to hack onto. The wildcard character in unix, if you
want to search down a path for a game or such, is the *. => ls /*
Should show you what you can access. The file types are the same
as they are on a dec, so refer to that section when examining
file. To see what is in a file, use the => pr filename command,
for print file. We advise playing with pathnames to get the hang
of the concept. There is on-line help available on most systems
with a 'help' or a '?'. We advise you look thru the help files
and pay attention to anything they give you on pathnames, or the
commands for the system. You can, as a user, create or destroy
directories on the tree beneath you. This means that root can
kill every- thing but root, and you can kill any that are below
you. These are the => mkdir pathname => rmdir pathname commands.
Once again, you are not alone on the system... type=> who to see
what other users are logged in to the system at the time. If you
want to talk to them=> write username Will allow you to chat at
the same time, without having to worry about the parser. To send
mail to a user, say => mail And enter the mail sub-system. To
send a message to all the users on the system, say => wall which
stands for 'write all' By the way, on a few systems, all you have
to do is hit the <return> key to end the message, but on others
you must hit the ctrl-d key. To send a single message to a user,
say => write username this is very handy again! If you send the
sequence of characters discussed at the very beginning of this
article, you can have the super-user terminal do tricks for you
again. Privs: If you want super-user privs, you can either log in
as root, or edit your acct. so it can say => su this now gives
you the # prompt, and allows you to completely by-pass the
protection. The wonderful security conscious developers at bell
made it very difficult to do much without privs, but once you
have them, there is absolutely nothing stopping you from doing
anything you want to. To bring down a unix system: => chdir /bin
=> rm * this wipes out the pathname bin, where all the system
maintenance files are.
Or try: => r -r This recursively removes everything from the
system except the remove command itself. Or try: => kill -1,1 =>
sync This wipes out the system devices from operation. When you
are finally sick and tired from hacking on the vax systems, just
hit your ctrl-d and repeat key, and you will eventually be logged
out. The reason this file seems to be very sketchy is the fact
that bell has 7 licensed versions of unix out in the public
domain, and these commands are those common to all of them. We
recommend you hack onto the root or bin directory, since they
have the highest levels of privs, and there is really not much
you can do (except develop software) without them.

Well, we've all heard of Unix and Vax systems. We hear a little
bit now and then about Cyber or Tops systems, but what is Prime?
Well, prime is a system made by Primos which has a set-up
something like DOS. Prime is arguably not as powerful as a Vax or
Unix system, but it is more user friendly (I feel) than either of

Now, you may say to yourself "Great, why should I even learn
about prime if nobody uses it". Well there are many people who
use it (just not as many as Unix of Vax), but the real reason I
wrote this is because a good percentage of the systems found on
Telenet are prime. Since I have already wrote a telenet G-Phile
(which is very good <grin>), I thought I'd follow it up with a
primos text phile since there are so many. Also, there are no
really good primenet hacking philes (except for a good one in a
LOD/H journal and in a Phrack issue which I forget) that cover

First of all find a prime system. This can be done by going on
Telenet and just scanning or picking-up the LOD/H journal #4
which has a great NUA list (or any NUA list for that matter). You
can also check at your local university for one. Ok, first I tell
you the way to identify a prime system. It should be easy because
almost all prime systems have a system header that looks
something like...


This means that this is a primenet version 22.1.1. If for some
reason you get VERY lucky and find a version 18.xx or lower then
you're in. See, most version 18's and lower have either no
password (So you enter System for the ID which is the sysop), or
if they do have a password then all you have to do is hit a few
^C (Control C for the beginner) for the password. Some prime
systems just sit still when you connect. On these try typing like
'hi'. If its a prime you will get a message like...
Now, in order to logon to a prime system you must type "Login
<UserName>" or just "Login". If you type in "Login" then it will
just ask you for your username anyway. Now, here is the hardest
part of hacking. You must get a working password. Primes are hard
to hack since they don't have any default passwords.  Here is a
list that I have compiled ..... (passwords same as Username!)╔════════════╦════════════════╗
║ Username   ║ Password       ║
║  Prime     ║  Prime         ║
║  System    ║  System        ║
║  Primos    ║  Primos        ║
║  Admin     ║  Admin         ║
║  rje       ║  rje           ║
║  Demo      ║  Demo          ║
║  Guest     ║  Guest         ║
║  Games     ║  Games         ║
║  Netman    ║  Netman        ║
║  Telenet   ║  Telenet       ║
║  Tools     ║  Tools         ║
║  Dos       ║  Dos           ║
║  Prirun    ║  Prirun        ║
║  Help      ║  Help          ║
║  Test      ║  Test          ║
║  Netlink   ║  Netlink       ║

Not all these passwords and names are guaranteed to work. If none
of them work then try to mix-up the usernames and the passwords.
Hopefully you have now gotten into the system and get the "OK,"

OK, so now you're in. If you have gotten in then that is a big
step in itself and I congratulate you. So, now you have the
prompt "OK," or something like that. This is the command prompt,
if you enter a bad command it may look different such as "ERR,"
or soething like that. This is nothing to worry about just an
error message. Ok, first I'm going to run down some basic
commands. First of all we must understand how primos is set-up.
The primos set-up is very much like MS-DOS There are separate
directories each with files and more directories in them . It is
pretty easy to navigate, so i will just give you the commands and
then explain what to do with them.... 
LD                shows the contents of the current directory
                  you're in.
Attach            attaches (move) to another directory.
Delete            deletes a file or directory.
ED                text editor to edit/create text.
Logout            logs-off
Netlink           enters the netlink section.
Slist             lists the contents (text) of a file
CPL <filename>    runs a .CPL program
Users             lists the amount of users on the system.
Status Users      gets the names, numbers and locations of the
                  users on line.
Help              gets a list of the commands.
Help <command>    gets help with a command

Ok, those should be enough for the time being. Now, lets start by
doing a 'LD' (anything in single quotes means to type it). The
name of the directory you're in right now should be the same as
your user name. There may be a few files in here so to see the
contents of the files type 'SLIST <filename>'. Now, lets do an
'Attach MFD'. This is the "Main File Directory" where most of the
major files and directories are found. So now we will do another
"LD" and look at all the directories and files. Ok, now to start
the hacking. This method works with most primes, but not all so
don't be to discouraged if it doesn't work. Ok, first of all you
probably noticed that when you first started-out the directory
you were in had the same name as your username (id). This is a
very important lesson. The reason this is important is because
now you can probably figure-out that *The name of every directory
is also the name of a
user* (NOTE: This is true for all directories, EXCEPT ones with
an asterix '*' by their name). This means 2 things, first of all
it means that you can basically find a fair amount of usernames
from the mfd directory and the odds are that a few of them will
have the same password as the name (This is an important lesson
in hacking, whenever you're on any kind of system et a user list
and then just go through the list, using the username as the
password and you should get a few accounts at least) Secondly it
means that you can access a certain users "private" directory.
What this means is that a lot of the usernames of actually people
may not be in the MFD directory. This means that once you find
out a username you can then simply say "attach <username>" and
your in their directory.  So, now knowing that we will do a
'Status Users'. This will give you a list somewhat like this:

User               Number          Device
Guest              14              <MDF0>
System             1               <MDF0> <MFD1>
Hacker             81              <MDF0>
Sysmaint           19              <MDD0>  (phantom)

From this list we can get all the usernames/directories of the
users on-line and start snooping. It is usually not ood to be on
when there are a lot of people on since a Sysop might notice that
you shouldn't be on at that time or something. You may notice
that the last one (Sysmaint) has the word Phantom by it. This
means that it is just a program that is doing house keeping
stuff. Its nothing to worry about. The devices are merely like a
tree in other software (UNIX/VAX), if there are 2 devices then it
means that the user is either interacting with another system or
has logged-off incorrectly. So, now we have some usernames /
directories to look at (and to try as passwords for the same
username). Now first of all we want to go back to the MFD
directory and look for a directory that is something like UTIL,
Utilities, CCUTIL or whatever. This part is very site dependant
so just try any thing that looks like a util. Now attach to that
directory which is 'Attach Util' (assuming the name is Util). Now
we get to another important part of Primenet. The different file

FileSuffix      How to execute/Description
║   .CPL     ║  CPL<Pathaname>/Language  ║
║   .SAVE    ║  SAVE<Pathname>           ║
║   .SEG     ║  SEG<pathname>            ║
║   .TXT     ║  SLIST<pathname>          ║

This list shows you the different file suffixes you'll see. Every
file will be followed by a suffix. If it is not then you can
assume its text. The only suffix we want to worry about now is
the CPL suffix. CPL (Command Procedure Language) is the primos
"programming language". So you can assume that anything with a
.CPL suffix is some type of program. Most often you will find
simple programs which tell the date, some "menus" that people
programmed in CPL to navigate the system easier, and then their
own misc CPL files. To run a CPL file you type 'CPL <pathname>'
(the pathname is simply the file name). Now, since CPL is a
language it's programs must some how be written. This means that
by doing a SLIST on a .CPL file will display the contents &
source code of the .CPL file.

Ok, so back to the hacking. So we're in the Util's library (or
whatever the name of the directory is). Ok, now do an 'LD' to see
the contents and look for any .CPL files. Lets say there's a CPL
file named "CleanUp.CPL". Now you'd type 'SLIST CleanUp.CPL',
this will display the source code of the CleanUp program. Now,
you will get a lot of trash but in it somewhere look for a line
that is something like...

       │        ^Password
       └─┤ Directory name

So, what does this mean you ask?? Well first off we will remember
that every Directory (except for ones with stars by them) is a
username which you can log-on with. So this means that the
password for the username Util is KEWL !!! If you have found a
line like this then congratulate have SYS1 access.
Just in case you don't really understand, lets say that there was
a directory's name was COUNT, and the password was ZER0. Now, if
you got lucky and were on a system where this works then you'd
see a line like...


Another way to find out directory/usernames is by using the
'List_Access' command. This shows the different directories that
the current directory has access to. This will look something

ACL "<current directory":


From this you can see the names of directories that you would
normally could not access, because if you don't know the name of
a directory then you can't access it. You can do this at
different directories and sometimes you will find a different set
of directory/username names. Ok, so you should pretty much
understand what we are looking for. If this doesn't work in one
directory then keep checking in other log-on able directories.
Remember this technique only works like 70% of the time so if it
doesn't work then don't worry. Since the above technique of
primos hacking is well known, by both hackers and Sysops I expect
to have a large percentage of readers still stuck in their
"Guest" account. I will now tell you how you can both defet
security and how you can secure yourself. First of all, lets
boost your account as much as you can (with your current access
of course). To do this we will use the CHAP command. This will
edit or priority levels. To do this we will use the 'CHAP UP'
command (remember anything in single quotes you type). You can
also use 'CHAP DOWN' or 'CHAP X' where X equals the amount of
levels you want to jump up to. Each system will have different
levels, so do it about 10 times and then stop (unless you get a
message that you have reached the limit already). The main reason
we want high security is so we can get into other directories and
run high-access programs (and access high-access commands). So
first I will discuss Directory security. Here is a diagram of the
different levels of security that can be put on directories....


  Letter   Description of Access
║   P    ║ To protect the directory        ║
║   D    ║ Delete entries to directory     ║
║   A    ║ To add entries to a directory   ║
║   L    ║ Read contents within a directory║
║   U    ║ Lets you attach to the directory║
║   R    ║ Read contents of file           ║
║  All   ║ All of the above                ║
║ None   ║ No access to others             ║

So, from this you can see the different options that one can put
to protect a library. These letters can also be combined to form
a "word" (so to speak), so that you can incorporate different
types of access. The most commonly found example of this would be
"LUR" access. So, using the chart this means that someone can
Read the contents of the directory, Attach to it, and Read the
contents of the files in the directory. Basically this means that
you can read all you want but you can't edit, which in some cases
can be good. Since this file is also geared towards the well
educated user I will discuss how to change the access on
directories, and how to create/delete directories. I would
strongly suggest that anyone who has hacked an account not try to
create delete files (unless you want to get back at someone on
the system, which will be discussed later), since it will lead to
detection and erasure of the account (This is a general rule of
hacking, read all the info you want, but keep a low profile). By
default most directories will be set to ALL access when created.
Prime is one of those big network, open systems, and many people
never bother or don't know how to make their account's more
secure. (this will be painfully obvious (to the users) when you
get one <grin>). Because of this you will find *MANY* directories
with ALL access. I have found many directories of people who have
SYS1 access, with ALL access. Most of the other people will have
LUR access. This is still very sufficient for your needs, since U
can still read files. Since I want to be slightly kind I will
discuss how to change access on directories, for the people who
have legit prime accounts. If you have a hacked account then
there should be no reason for you to change access on a
directory, first of all you will be detected in a second, and
second of all its not permanent at all and can't be used to crash
the board. First of all the command to create a directory is
'Create <directory name> [-password] [-access]'. So in other
words if I wanted to create a mail directory with the password of
HACK and LUR access hen I'd type. 

Create Mail [-HACK] [-LUR]

 The command for changing access on a directory is...

Set_Access ALL [-LUR]

In this example we are changing a directories access to LUR (you
can read but you can't edit) from ALL (everything). Since there
is no real reason you would want anyone else changing your files
I would suggest at least LUR access. If you are really worried
then I would not even think twice about going to NONE access, its
up to you. Although changing access is the most effective way to
secure your directory, there are some people who would like
others to read, or maybe even edit files in their directory. This
is why I usually tell people to just make a password, this
command has already been discussed.. That about wraps it up for
their directory part of this file. This is the major an most
important part. Now we get to the fun little features.

                     │Creating Files and Writing Programs│

Creating files are a very important part of hacking prime net.
The main reason we want to create files is so we can take
advantage of the CPL language. I have not learned the CPL
language well enough so I really can't explain much about it. I'm
still looking for technical manuals. The easiest way to learn it
is by just looking at all the .CPL files. Once we learn the CPL
language we can simply add commands to create us new accounts to
house keeping programs. The reason we would want to do this is
because when it is run by the admin, or any user with high enough
access it will run these embedded commands and we will have a new
account with unlimited access!! The way to create a file is by
typing 'ED'. This will get you into the text editor. It should
look something like.. 


This means you can type in what ever you want. So lets say you
are making a file that, when run will type out 'Count_ZER0 is the
ruler of heaven and earth', you would type...

Type Count_ZER0 is the ruler of heaven and earth

Now, you'd type just a <CR> alone and you'll get a line like...


This line varies a lot from system to system, but you'll get
something to that affect. Here you would now type 'Save
Count.CPL'. This would then save a program call Count.CPL in the
directory and when you ran it (Discussed earlier) it would type
'Count_ZER0 is the ruler of heaven and earth' on the screen.

The editor can also be used to write Basic, Fortran, C, and
pascal files (use the 'Languages' command to see what languages
it supports). All you do is write the program in the editor and
then save it with the correct suffix. Then you run/compile the
program. Since this file is much longer then I thought it would
be I won't discuss it, but it can easily be found out about by
using the 'HELP' command.

Communicating With Other Users And Systems 

To send a message to another user On-Line you use the Message
command. Lets say using the status command (discussed earlier)
you found there was a user named JOE that you wanted to talk to.
So you'd type .. 

Message JOE <CR>
Hello, how are you !

This will send a message to him unless you get some message that
says something like..

User Joe not accepting messages at this time.

This means that he is not accepting messages (duhhhhhh), so you
can try again later. You can also use the TALK command, which is
self-explanatory. Just type 'TALK', and then follow the

Accessing Remote Systems

The most exciting feature of primos (and this G-Phile), is
primenet's ability to access remote systems. See, they call it
primenet, because all primes are hooked-up to one big network.
This network is much like a "mini-telenet". This can be used with
the 'NETLINK' command. At a prompt, you must type 'NETLINK'. Then
you will be thrown into the netlink system. There is a good On-
Line help file which can be accessed with the 'HELP NETLINK'
command. Basically you type NC xxxxxxx <x's being the NUA>. Now,
you can scan this like telenet and see what you come up with. The
most exciting part of all this is that some primos systems on
telenet let you enter telenet NUA's in the netlink system. This
means that all those "Collect Connection" NUA's you can't call,
can be accessed through primos *FOR FREE*. This means that you
don't need to mess with NUI's anymore (see my hacking telenet
part 1 file). Now comes the part that will bring me fame in the
hacking community, fame to ťegions f ťucifer, and anyone who
knows me............. 

The 'ANET' command
Yes, this is the first time this command has every been
"published" is a G-phile. The way I came about this command was
one day I was hacking around and I saw this lady's directory with
LUR access. So I looked at the files, and surprisingly there was
a file that was a *BUFFER* of her logging on to remote systems
(yes the password was there!!). I was very surprised to see that
she used a command like 'anet -8887613' to access the remote
system, instead of netlink. This is a beautiful example of how
you can do a lot even if the directory isn't ALL access, anyway
heres the good part...... What the anet command does is dial a
phone number out from the primos and connects to it!! Yes, this
is like a code (but used for data communications of course). I'm
still hacking the command, but basically you just type 'anet -
<phone number>' and you have it. I have only tried it on this one
system which is Primos version 22.1. This is a very exciting
command, so if you find any more things about it please contact

                        HACKING DECs     
Welcome to basics of hacking: DECs. In this article you will
learn how to log in to dec's, logging out, and all the fun stuff
to do in-between. All of this information is based on a standard
dec system. Since there are dec system s 10 and 20, and we favor,
the dec 20, there will be more info on them in this article. It
just so happens that the dec 20 is also the more common of the
two, and is used by much more interesting people (if you know
what we mean...) Ok , the first thing you want to do when you are
receiving carrier from a dec system is to find out the format of
login names. You can do this by looking at who is on the system.
Dec=> @ (the 'exec' level prompt) you=> sy sy is short for
sy(stat) and shows you the system status. You should see the
format of login names... A systat usually comes up in this form:
job line program user job: the job number (not important unless
you want to log them off later) line: what line they are on (used
to talk to them...) These are both two or three digit numbers.
Program:   what program are they running under? If it says 'exec'
they aren't doing anything at all... User: ahhhahhhh! This is the
user name they are logged in under... Copy the format, and hack
yourself out a working code... Login format is as such: dec=> @
you=> login username pass word username is the username in the
format you saw above in the systat. After you hit the space after
your username, it will stop echoing characters back to your
screen. This is the password you are typing in... Remember ,
people usually use their name, their dog's name, the name of a
favorite character in a book, or something like this. A few
clever people have it setto a key cluster (qwerty or asdfg).
Pw's can be from 1 to 8 characters long, anything after that is
ignored. You are finally in... It would be nice to have a little
help, wouldn't it?

                          CRASHING BBSs
1) Never use YOUR account.. always go under JOHN DOE or some
lamer's password you figured out.
2) Never brag. It gets you in trouble. Tell some dudes in your
group or whatever but don't go posting on BBSs that you did it
unless the sysop doesn't really care (usually elite sysops  
3) Always format. If you get in to dos, don't take the risk,
format the thing with out a boot sector. If you are going to JUST
use the format command be sure to corrupt and rename ALL the
files that might have records in them of you in his dos (in case
of a unformat command). Try low level formatting. De command:
g=c800:5 that calls up the low level format program. 4) Never
mess with a narc/fed. There ARE police boards and the like and it
just isn't worth it to mess with them. Don't be stupid.
5) Have class. The biggest thing to bear in mind is to do a good
job, or no job. If you really don't hate him, once you get into
his dos just add a line to his autoexec.bat file to show you got
in. Otherwise format it. 6) Don't call back. You never know if he
was keeping double logs in a hidden directory or some thing like
that. Just be damn sure never to call back and NEVER leave a
7) Never delete. Never delete log files, always corrupt them by
ripping a few lines out with edlin and then rename them and
delete them. This, hopefully, will solve the undelete problem.
Another good thing to do is to start madly undoing zip files
after you delete something. This will also help the undelete


 The first thing you should do when in dos is to run config and
find out what his activity log file name is and where his data
files REALLY are. Use edlin or something and totally screw them
over so they are screwed and them rename them and delete them.
The most important ones are ACTIVITY.LOG, SYSTEM.BBS, INDEX.BBS,

 Most of these files can be used to figure out who you are.
Another wise thing to do is to look in his EVENT.DEF file and see
if he copies the files to a backup directory. Check all  batch
files that the sysop may run out of EVENT.DEF. They also might
have backup in them. I, being the clever thing I am, back up my
logs to a tape backup after every call. Many sysops  use Return
to dos after logoff and a program called GODOS to run a batch
after every call. Check his config to see if go to dos after
logoff is set to yes. If so look for batch files or  com files
that look like they may be run to start the bbs. If he has a tape
backup you have to find his tape software and run it (the
directory name will be in his EVENT.DEF file if he  backs up
regularly). Once you are in the tape software you have to format
the tape, however this will take a LOOOOOONG time (1 to 2 hours)
so you may want to do that last. You want to do pretty much the
same thing but the *.BBS files will be *.SL2. Pretty easy.

After Shock 1.23:

  After Shock is kind of annoying. The best thing to do is to run
his config program t find out what his directories REALLY are
and then delete everything in his board and after shock  main
directory. Remember to look at his RUN.BAT or what ever he uses
to run the bbs with, he may be keeping backups. There is also a
config option of what batch file to run every  night. That also
may have back up info in it.


  All the data files will probably be in the main bbs directory
or the GOFILES directory (check config for sure). Get rid of
these and that will be about it.

Forum Hacks:

  A lot of BBS programs have been written by altering the source
code of TG or another BBS program. The best thing to do with
these is to run the config programs and find the REAL directory
names then mess them up and delete everything in them.CRASHING BBS's PART TWO

Table of Contents:

Section I : Crashing Emulex/2 & Forum Hacks
    a: Emulex/2
    b: Forum Hacks
Section II: Crashing WWIV & Telegard
    a: WWIV
    b: Telegard

Section Ia: Emulex/2

We'll start with one of the most known BBS softwares. Emulex/2.
As you all know, I, Tripin Face, stole the source code of
Emulex/2 last year from one of the programmers. Broke into his
house and grabbed a few diskettes and it just so happens that one
of the disks contained the source code to Emulex/2!!

Here are a few ways to access into Emulex/2 (or any Forum Clone
for that matter.. a list of Forum Clones will be shown later.)

When you get connected at the Matrix Menu, hack User ID #1. Of
course, its the Sysop Account. Always try the Password "Sysop",
some Sysops are SOO lame, you wouldn't believe it. If that
doesn't work, try anything that goes with the Sysop's handle...
But for the really stupid Sysops, the best way, is to get one of
his Passwords from another board and try that. Some lusers might
use the same Password. Also, if you don't hack the correct
password, don't hang up, wait for it to hang you up. Sometimes
the board hangup strings gets screwed and it doesn't get rid of
you, but lets you on the board with the account of the user you
attempted to hack!  Ok, lets say you have a Sysop account. now,
the best thing to do is get a file on the board called "USERS." 
Now, with Emulex/2, thanks to me, you can't add users, so what
you have to do is user edit each user by hand, and the view their
passwords and make sure you capture all of it.  Now, lets get to
the crashing part. Hehehehe. Open a door,("P" from the Main Menu
and then "%" for Sysop Commands) and put any file for it, the
board will create any file you ask it to make. Now in the door
batch file, you must have the following commands: 

  Ctty comX

Now, comX, is the com port the bbs is set at. Now, if you know
the sysop is using com2, then put com2. DUH!!!. (Replace the "X"
with the Com Port #)  Now this door should let you go to their
DOS, and the rest is easy. FORMAT ME PLEASE!. Or, run a virus or
a trojan.. Even a baby can do that..   If you can get an account,
but has no Sysop access. you can do many things. An easy way is
upload a file called "USERS.   " with the following DSZ commands: 
         DSZ sz -fs \<dir>\<filename>
make sure you are in the DIR you want to upload to. What this
does is upload a file anywhere on the HD you want. Now, before
you do this you must edit the users file and change the sysops
password to anything you want and then you can enter it and get
on as him! This way, you can crash the board but you don't need
to get all the users passwords. Also, a way to do this and get
all the users passwords is get the BBS software's config, and the
change the co-sysop level to like Level 1 or something and then
you can call with your account and have sysop access. I found
that the best way to crash a board...   Now, with old Emulex/2
there was a command for Net-Mail which was .. Shift 1 thru shift
0 this -> !@#$%^&*() ..and with this command, the board
will receive any file. So you can use the DSZ on it. Works good,
but with the new Emulex/2 you set the Net-Mail command from the
config. Right now, in the new Emulex/2 there are only a few
backdoors. Sam Brown didn't want to add any more. Why, I don't
know. I think Emulex/2 has a upload a message command, you can
also use the DSZ command with that too. I am not sure though.. A
good way to hang a Emulex/2 board is go to the Database Area, if
there isn't one, keep on hitting "D", after a few times the board
will get screwed, you wont be able to tell unless you go the file
area, and it will say something like I/O errors, etc... then
upload and upload, and in the middle of the third or fourth
upload hang up, turn off the modem or pull the phone line out of
the wall, so it will hang on in the middle of the transfer.
Another way to hang Emulex/2 is by doing this: post a message,
and then edit a line, and insert a new line, but keep on hitting
anything until it gets to the last line. Then hang up, or try to
save. It should of hung, to make sure the hanging was cool, call
the board back and see.  Section Ib: Forum Clones

Now lets get to other software...

Well, all FORUM CLONES are the same.. so all commands for Em/2
should and will work for all the of the following BBS Softwares:

FCP all version
TCS 1 and 2
Forum Plus
Ghost Ship/2

Section IIa:  WWIV BBS's

1) Hacking into WWIV - The Utilities Needed.
        Zmodem (Or Any Other Protocol)
        An Account at the WWIV BBS you wish to Crash.
        A Terminal Program
2) Hacking into WWIV - First Steps
        First of all, you might want to make a separate directory
for all of these files you're about to make.  Although there
won't be that many total, it might still be a good idea.  But if
you're like normal people (Messy), like me, just put it wherever.

        Ok, Here's what you do.  Make a text file called
PKUNZIP.BAT from your DOS, and put the line: command in it.  This
is done like this:  C:\HACKBBS> copy con pkunzip.bat
^Z  (Press Ctrl-Z, Then Enter, and the file will save)

        Second, go ahead and zip the file.  Make it any filename
you want as long as it's  not something too obvious (like
TEMP.ZIP). You can zip up the file with PKZIP.EXE.  This is done
like this: 
PKZIP [zipfile] [athname\filename.ext]
- or in other words:
PKZIP pkunzip.bat

       This will make a file called TEMP.ZIP with the file
pkunzip.bat in it.  Go ahead and delete pkunzip.bat now, you
won't need it anymore. Now you've got the file  (or
whatever you called it). Go ahead and logon to your favorite WWIV

Hacking into WWIV - The Way To Do It.

        Go ahead and logon with your  name and password,  etc. 
Go to the File section, and upload your file to any directory. 
Now there is a temp file there.  hit 'E' from the Transfer Menu
in the current directory that is it, and when it asks
what file to extract,  enter as the filename.  You'll
get something to the effect of:
        Extract which file?  (?=list, *=All files):
Hit '*'.  What this just did is make a pkunzip in the current
working DOS directory.  You'll be at the:
        Extract which file?  (?=list, *=All Files):
Hot the asterix (*) again.

        Congratulations!  You made it into the Sysops DOS!   (If
not, the sysop is smarter than you think, and he's protected
himself against some little hackers like yourself!)  Not much you
can do if you didn't make it here. Hacking into WWIV - What to do while in DOS.

   You'll be in the path of \WWIV\TEMP>, Immediately type this
in:    C:\WWIV\TEMP> cd ..\files
   C:\WWIV\FILES> del *.log       - This deletes the log of what
you did.    C:\WWIV\FILES> del laston.txt  - this deletes the
list of users who were on today.
        Now, you're into his/her DOS.  Since dos interrupts are
currently ON, You can  type anything  anywhere.  You can type del
*.*  and get  the Are you sure? (Y/N) sign, and from there, you
CAN hit 'Y'.  Or you can do it the other way,  and just type echo 
y|del *.*.  From here  you got his userlist and some other fun
stuff, which is located in C:\WWIV\DATA.  You can go there by
typing cd..\data.  once there, do this: 
C:\WWIV\DATA> type user.lst 
and you'll find the Sysops Phone Number and password right next
to each other.  Write those down. Next, type cd.. and you'll be
in C:\WWIV>. From there, type the file status.dat, and the first
legible text you can find will be the System Password, so if you
just want to scare the living hell out of him, just type exit
from there and you'll come back to the BBS, with the Sysops Name,
Pass, Phone Number and System Password. You can now logon under
the Sysop and do all the cool stuff like go into UEDIT and give
yourself like 254sl and DSL, etc.

Hacking into WWIV - Alternatives

Instead of the PKUNZIP.BAT file in the TEMP.ZIP file, go ahead
and put your favorite Virus/Trojan in there, and follow the same
exact steps, except this time skip the DOS part. The Virus should
spread from there, and a trojan will work immediately.

Hanging WWIV - The easiest thing to do in the world.

    Just make a plain and simple text file, and in it include an
ANSI code. Not just any ANSI Code, it's gotta be an ANSI Code
that is not a real part of ANSI. For example, (ESCAPE
CODE)[349857m or something like that, anyway. Then just //UPLOAD
it to a message base, and read it. When WWIV Doesn't intercept
the correct ANSI Codes, it doesn't know what to do, so it'll just
hang itself there 'till the System Operator comes and resets the
flippin' computer. Hang up from there, and well, it'll be down. Section IIb: Telegard BBSs

    All right, Swabbies. Here's a way to hack into Telegard (One
of the easiest to hack into - Next to WWIV). There's a catch to
this system, tho. There's got to be an Archive Menu from the File
Area. Most new Telegard systems will have one, it comes stock
into it. But the Sysop (Probably not if the Sysop is a new Sysop)
may take it out. So, if he's got it, you're in luck. It's
basically the same idea, Just follow these rules and other
guidelines, etc., and you'll soon become a better crasher than
you know ... 

Hacking into Telegard's DOS - Things Needed
        Latest PkZip Utilities (c) PKWare
        Terminal, Modem, Computer, etc.
        A little knowledge of the use of DOS,
        And a text file like this.

Hacking into Telegard's DOS - Steps

        1) Logging on.
        2) Finding your way.
        3) Uploading/Extracting the File
        4) What to do while in DOS.

First of all, You've got to  establish an account with the so-
called 'friendly BBS' that you want to crash. It's probably a
good idea to logon with a fake account, fake information, etc.,
to protect yourself. Once you've logged on, try and talk to th
Sysop there. Try to social engineer your way into him validating
you with the highest possible access you can get. Be nice, offer
him stuff, basically, KISS HIS ASS. If he insists on Voice
Validating you, ask him just to pick up a phone at his end, and
you do the same (Pick up your phone), and you'll already be
connected so there should be no numbers dialing, and this will
obviously protect you.

Make the PKUNZIP.BAT file from DOS, by typing in this:
                copy con pkunzip.bat

Go and zip the file up, call it something that sounds catchy, so
it doesn't look too inconspicuous, use the line:
pkzip pkunzip.bat

Now you have a with pkunzip.bat inside of it.
There's a way to get into the Telegard's File System, although
you may not haveaccess to it, you'll eventually get it if you
kiss the Sysop's ass for awhile. It's usually 'F' or 'T' from the
main menu. Once you're in there, upload a file to wherever it
tells you to, and if there's no certain directory, don't worry
about it. Just upload it. After you finish uploading the file, it
will kick you out to the transfer menu again. The Archive menu
from there is usually either '/A' or just 'A'. From there, you
will most likely get a prompt that is similar to the Transfer
prompt, (most likely containing the Area and Area Number that you
are currently in). Hit 'X' from there (Remember: Telegard has the
ability to change Command Letters, so if 'X' doesn't work, punch
in a '?' and look for Extract File). Extract the,
obviously extract *.*. If it kicks you back out, or whatever,
just go back into the menu and do the same thing over again.
Extract *.*, And this time it will run Pkunzip.bat, which
contains COMMAND.COM inside of it, and you'll have full access to
this guys DOS.

Now that you're in DOS, you'll be in the area C:\BBS\TEMP>. From
there, type in 'cd ..\files'. Then 'del *.log', 'del *.txt', then
do the same thing in the Afiles Directory. Here's a type of basic
structure that Telegard uses. (Assuming the main dir is BBS):

This is the basic format, del ALL *.log files from all of these
areas (The Sysop logs are kept in C:\BBS\TRAP>) You've now gotten
rid of all proof that you were ever on. Once in there, just do
whatever you'd like to do. Delete everything, run a few Virii,
execute a few trojans, give his computer herpes, or whatever. You
can simply exit by typing 'exit'. Another way is to upload a Game
or some file (Sysops never check the zip file to see what is in
it..) Make one of the files 'PKZIP.COM' or 'PKZIP.EXE' *.COM is
better because DOS runs COM files before EXE files. Anyway,
upload a PKZIP.COM that is a trojan or a virus, or even
COMMAND.COM (That will get you into DOS) and after you upload it
check and see if the file is 'Auto-Validated' if it isn't then
you have to wait until the Sysop Validates it.. otherwise if it
is Validated then type "/A" from the File Menu and then type "X"
or "E" for Extract ZIP File.. then it prompts you for the Zip
File, enter in the Fle you uploaded. Then it will ask you what
files to extract, just say all or just the PKZIP file.. When it
extracts it, type "Q" then type "W" for Work on Archive.. Then
you are at the 'Work on Archive Menu'. Type "A" for Add to
Archive, it will then proceed to ask you for a Archive Name,...
type in something like 'HACK.ZIP' or anything for that matter. It
will ask you for the files you want in the ZIP file, just do
'*.*'. Then it will ask you if you want to do it or add more
files, type "D" for 'Do It'. It will then run your "PKZIP.EXE" or
"PKZIP.COM"!!! Easy enough?? There are a bunch of great files you
can find in someone else's HD, try going to the Sysop Dir.
(C:\BBS\DLS\SYSOP) or just go to all the Directories right off
the root directory. After you are done having fun, take his/her
USER.LST & STATUS.DAT and you will have FOREVER Access.. or just
wipe out his drive! There are many more ways to access Telegard
DOS and have the System run what you upload, but I will not get
into that, I will leave some ways open for me, Captain
Swashbuckler, to crash those Telegard Boards!

                         CREDIT BUREAUS
Part One: What Is Credit Bureau, Incorporated?

  As many of you know, CBI is a credit reporting agency, or
credit bureau. It keeps the credit history of millions of
Americans on file. Our friends at CBI have been kind enough to
make this information available to the public for a moderate
annual fee. If you are cheap, or if you just want to learn how to
hack CBI, "you have come to the right place."

Part Two: The CBI Account.

A CBI account follows this general format:
3 Numbers, 2 Letters, 2-5 Numbers, a dash{-}, followed by a
letter and a number.

A sample might look like this:  123ab4567-a1.
                           or:  123ab4567-a1,bc,d.

Either way is acceptable.  The `bc,d' is not necessary.

Part Three: Connecting To CBI.

    When calling CBI, I suggest you use at least one outdial if
you know for sure the account you have is valid. If you are going
to be hacking accounts, use at least three outdials. I don't
suggest calling direct, even if the dialup is local to you. If
you don't know why, you don't deserve to be reading this text.
    CBI runs at either 300 baud, or that oh-so-technologically
advanced 1200 baud. This means you will need a 300 or 1200 baud
outdial for the NPA containing the CBI dialup. Make sure your
terminal program is set at E-7-1. I also find it easier to work
at half-duplex, because CBI does not echo a thing you type. So,
if you connect with full-duplex, and don't see your account
appearing on the screen, don't call your local P/H BBS and post
twenty messages saying, "N0thInG i tYpE aPPeArS 0n tHe sCrEEn aT
CbI!!!!!!!!!!!1!!1!1!!!!!!!!!!!!111!!!!!!!!!!!" (Note: the
exorbitant amount of exclamation points is a sign of the loser's
complete and utter idiocy.) Another thing I find useful is just
to have my capture log running as I work. This saves you the
trouble of having to write everything down, and it also serves as
a good reference.

    Currently functioning CBI dialups are:

       *[201/984-6297] Newark, New Jersey
       *[503/226-1070] Portland, Oregon
        [612/341-0023] Minneapolis/St. Paul, Minnesota
        [713/591-8100] Houston, Texas
       *[804/466-1619] Norfolk, Virginia
        [916/635-3935] Sacramento, California

    The starred numbers I have not verified.

    Keep in mind some CBI accounts are only valid on certain
dialups. They still serve any part of the country, you just can't
use them on every dialup. I have found CBI accounts that work on
more than one dialup, so it can't hurt for you to try. The worst
thing you will get is a message saying it's NOT VALID ON THIS
PHONE NUMBER or something. If you are hacking accounts and get
this message, try the account that yields the message on
different dialups. Maybe you'll "get lucky".

    CBI also has voice dialups.  These numers are provided for
those "Social Engineers" out there.  I have not verified these.

        [201/842-7500] Newark, New Jersey (Equifax Credit
Information Services)         [617/932-8163] Boston,
Massachusetts (CBI)

Part Four: Applied Password Use: Pulling Info.

    Use is fairly straightforward.  When you connect to CBI, hit
Control-S (^S) twice, then <RETURN> (<CR>) twice.  You should get
a message that reads:         (ND)PLEASE SIGN-ON

    At this point you should enter the password.  Make sure when
you enter the password that you include a period at the end. 
This is very important; if you neglect to type the period, you
won't get in.  Type the password: "123ab456-a1." then hit
CONTROL-S, and a <CARRIAGE RETURN>.  The ^S is the CBI "wakeup"
command.  CBI doesn't respond to regular <CR>s.  If you ever
think CBI should be doing something, and it has just frozen, hit
^S.  Chances are this will solve the problem.  Anyway, you will
then get a message telling you to

        WC5E - PROCEED

    This is when the fun begins.  You decide you want to know
your next door neighbor's credit history.  Here is what you do:

        NM-SMITH,ALAN,S. <CR>
        CA-157,MAPLE,ST,YUTZVILLE,NY,10011. <CR>
        ID-SSS-012-34-5678. ^S <CR>

    This is, of course, based on the assumption that your
subject's name is "Alan S. Smith" and that he lives at 157 Maple
Street in Yutzville, New York, 10011, and that his Social
Security Number is 012-34-5678. Keep in mind, the ID-SSS line is
not ecessary, but it is necessary if you are to distinguish
between Alan S. Smith, Jr. and Alan S. Smith, Sr. Wait a moment.
The report will pop up.   You may want to hunt someone down from
a Post Office Box. If this is the case, replace the above CA-
line with this:


    If you only have the subject's Social Security Number, type

        DTEC-012-34-5678. ^S <CR>

    This will give you a name and address to enter in the above

Part Five: A Sample CBI Report.

                     S A M P L E    C B I    R E P O R T
  Note: All information in this report is fictional, including
the ACCOUNT                          NOs and the BUS/ID CODEs.

*SMITH,ALAN,S   SINCE 04/00/75  FAD 10/21/89           FN-700 
 SEX-M,MAR-M,DEPS- 2,AGE-38,SSS-012-34-5678

*SUM-01/85-01/91,PR/OI-NO,FB-NO, ACCTS:11,HC$6-1600, 3-ONES.

*INQS-450DC81 02/24/89,178BB20089 02/06/89.

03 S*178BB34860 11/90 05/85  500 171   521  139 R5 01 01 01 66
           PREV HI RATES:  R4 10/90, R3 09/90, R2 08/90
04 I*178CD8712  10/90 03/89  123 123   123      O1           
003/88  048286423 05 I*342IH34    10/90 12/85 1600       500 1600
R9 00 00 03           462642892            PREV HI RATES:  R5
11/88, R5 10/88, R5 09/88
06 I*905PZ82    11/90 12/86  700         0  390 R9 00 00 00 16   
3482684629331            PREV HI RATES:  R9 03/89, R9 02/89, R9
01/89                            CHARGED OFF ACCOUNT              
                                              AMOUNT IN H/C
COLUMN IS CREDIT LIMIT                                         07
U*178BQ282   10/90 01/85            231  231 R9 00 00 03   
4560337134046711            PREV HI RATES:  R5 04/90, R5 03/90,
R4 02/90                            CHARGED OFF ACCOUNT
08 I*956BB115   10/90 05/86 1100         0      R9 00 00 03       
   714827012            PREV HI RATES:  R5 05/90, R5 04/90, R5
07/89                            CLOED ACCOUNT
09 I*178AC10870 07/90 05/87  123 123   123  123 R9                
 38812604654    CHARGED OFF ACCOUNT
10 A*906OC69    01/90 10/87              0      O5 00 00 01 09
01/90 4906124373            PREV HI RATES:  O5 04/89.             
                                 COLLECTION ACCOUNT               
                                              PAID-CREDIT LINE
CLOSED                                                      11
I*906OF259   12/89 11/87    6         6    6 O9 00 00 02      
3724962236703            PREV HI RATES:  O5 11/89, O5 10/89, O9
12 I*416DC1577  11/88 11/87  300                R1 00 00 00 12  
32134882735921    SETTLEMENT ACCEPTED ON THIS ACCOUNT             
                                         13 I*421DC4566  07/89
10/87  401       390  372 R9 00 00 01      18736847728634
           PREV HI RATES:  R9 02/89, R9 01/89, R5 12/88           
                CHARGED OFF ACCOUNT                               

END OF REPORT    CBI AND AFFILIATES  -  01/30/91              

                  E N D   S A M P L E   C B I   R E P O R T 
                      S A M P L E   D T E C   R E P O R T
     SS-012-34-5678  AGE 38&


                   E N D   S A M P L E   D T E C   R E P O R T

Part Six: Making Sense Out of All That.
    SMITH,ALAN,S - is the subject's last name, first name, and
middle initial. SINCE 04/00/75 - I imagine this is how long
they've had a file on the subject.  (Since April, 1975). On the
next line is his address- his current address is listed first,
and his past addresses are listed underneath.
    SEX-M is pretty self explanatory.  (It indicates he is a
MALE.) MAR-M is the subject's marital status (single, married,
widowed, divorced).
    DEPS- 2 is the number of dependents the subject has. A
dependant is most often a son or daughter of the subject who is
still under 21. SS-012-34-5678 is the subject's Social Security
Number. ES- is the subject's current employer.
    EF- are his past employers, listed in order, from most recent
to least recent.
    SUM-01/85-01/91 indicates that the report is a summary from
January 1985 to January 1991. This really just tells you how far
back in time the report covers.
    PR/OI-NO - Public Record/Other Information. This indicates
whether or not the subject has been involved in any court cases
(Public Record), and how those cases turned out (usually that is
what Other Information is.) Obviously, the NO indicates the
subject has not had any legal involvement during the period which
the report covers.
    FB-NO - Firm/Business. I assume this signifies the subject is
not a business.
    ACCTS:11,HC$6-1600 tells you that there are 11 entries listed
below, and that the credit limit (or amount loaned, in the case
of a loan) ranges from $6 to $1600.
    3-ONES - This tells you the credit rating. The "3" indicates
that there are 3 of the following type ("ONES" in this case). The
more "ONES" a subject has, the better his rating. This particular
person has a lousy credit rating. Out of 11 accounts, only 3 are
ONES. There can also be TWOS, THREES, FOURS, et cetera, up
through NINES. NINES are incredibly bad; the more of these the
subject has, the worse his credit rating is. ZEROS indicate that
the account was too new to be rated at the time the creditor last
reported.     INQS - This line tells what creditors have checked
on the subject's credit. While interesting, it is more of a
hassle than anything. You see, when YOU pull the subject's info,
a little line will be added saying that your hacked account
pulled the file. Now, this won't look funny until the subject
reports fraudulent charging on his card. Then, CBI may check on
who has pulled the guy's info. When they see that The First
National Bank of Ethiopia has pulled his info, they will know
something is up. They will probably call the First National Bank
of Ethiopia and say, "Did you pull this guy's info?" And of
course they'll say "No." Actually, I've made more out of this
than it's worth. Anyway, the most recent credit check is listed
first, and then it works backwards. It lists the ID CODE and the
date the file was pulled.
    The next line contains the headings for the columns that fall
under them.     BUS/ID CODE is the CBI account (minus the
password) of the creditor that holds the subject's credit card,
loan, or whatever. In front of the actual ID CODE, there is a
letter and an asterisk (*). The letter signifies what type of
account it is. A - Authorized, C - Co-maker, I - Individual, J -
Joint, S -Shared, T- Terminated, U - Undesignated. Consult your
Local Library to find out what each type of account is. This
isn't really relevant to what you are after.
    RPTD - The last time the creditor reported on the subject.    
OPND - tells when that account was opened.
    H/C - you will notice throughout the report that the "AMOUNT
IN H/C COLUMN IS CREDIT LIMIT".  On a loan, this column reports
the amount loaned.     TRMS - clarifies the terms of a loan.
Usually in the case of a credit card, this column is blank. A
"48M" in this column iiicates that the amount in the H/C column
will be paid back over a period of 48 months, or four years. In
such a case, the number in the MR column subtracted from the 48
will tell you how many more months the subject has to go before
paying off that loan.
    BAL is an abbreviation for BALANCE OWING.  This is how much
of the credit limit (on a credit card) has been used, or how much
of the loan has been paid back.  On a credit card entry, the BAL
subtracted from the H/C is how much the subject is authorized to
    P/D- Past Due.  Every month, a minimum amount of money is due
on your credit card payment.  This may be as little as 10% of the
total amount due.  Now, the credit card company would be damned
happy to see you only pay the minimum amount, because then they
can charge interest on every thing you owe.  But, if you do not
pay this minimum amount (say you pay $75 out of a $100 minimum),
then $25 will be PAST DUE. It isn't good to owe money.     RT -
Rating. This column gives the credit rating for that particular
account. An 'R' means the account is a revolving or option
payment plan, an 'I' means it is an installment payment plan, and
an 'O' means it is an open account. Consult your library for
definitions. The number following it is the credit rating for
that account. Remember, a '1' is good, and a '9' is really bad.
The number of '1's here should match the number "X" in "X-ONES"
on the first line.
    30/60/90 - the number in the 30 column means that the subject
has been between 30 and 59 days delinquent on his payment that
many times. If a "2" is in the 60 column, this indicates that the
subject has been between 60 and 89 days late with the minimum
payment twice during the number of months in the MR column. A
number in the 90 column would indicate that the minimum payment
has been over 90 days past due "X" number of times.     +MR -
Months Reviewed. Indicates how many months have been reviewed.
(Obviously.) Say you have a "1" in the 30 column, and a 49 in the
MR column. This indicates that the subject has been 30-59 days
late with the minimum payment in the past 49 months. It's not
really too hard to understand.

    DLA/ACCOUNT NO - This column contains the credit card
numbers. Visa and Mastercard both have 16 digits. American
Express (Amex) hs 13 digits. DLA is the Date Last Activity. If
there is a date in this column, it is NOT a credit card
expiration date, it is telling you the last time that account was
    PREV HI RATES - This indicates the past ratings of the
account on the date listed.

    Explanation of the DTEC report:

    "1 of 1" means that the first report of one is being listed.
Remember, no two people have the same Social Security Numbers. NM
is the subject's name. CA is the subject's current address. The
date at the end of this line should match the most recent date on
the address line in the subject's full report. The FA line lists
former addresses. The ES line lists the subject's current
employer. Following this is the subject's Social Security Number,
which you must have already had to get the DTEC report. And
lastly, the subject's age.

Part Seven: Practical Use of CBI.

    You may have a question now, "Whose file do I pull?" You want
to pull the file of someone who is rich. Usually Lawyers and
Doctors will fit the bill. Look in the Yellow Pages under
"Lawyers" and "Doctors" and find the names of some upper class
bastards. You can use your local White Pages to cross-reference
and get their home addresses. From here, you call CBI, and pull
their file.
    Once you get the file, look in the DLA/ACCOUNT NO column.
Find all the 13 and 16 digit numbers. 16 digit numbers starting
with "4" are Visas. 16 digit numbers starting with "5" are
Mastercards. 13 digit numbers starting with "37" are American
Express. The first four digits of the card number signify the
bank that issued the card. A list is supplied below, taken from
the Narc Infofile #7, Update A. I have not done any work toward
verifying these myself, either.

4428  Bank of Hoven
4128  Citibank           CV
4271  Citibank           PV
4929  Barclay Card       CV  (from England)
4040  Wells Fargo        CV
4019  Bank of America    CV
4024  Bank of America    PV or CV
4019  Bank of America    Gold (This card looks like a CV but
without a CV after                                 the expiration
4678  Home Federal
4726  Wells Fargo        CV
4424  Security Pacific National Bank
4428  Choice Visa    [Citibank(Maryland)]???
4226  Chase Manhattan Bank
4048                     CV
4121  Signet Bank        CV

5419  Bank of Hoven
5410  Wells Fargo
5412  Wells Fargo
5273  Bank of America             Gold
5273  Bank of America
5254  Bank of America
5286  Home Federal
5031  Maryland Bank of North America
5424  Citibank
5465  Chase Manhattan Bank
5329  Maryland Bank of North 5308
5291  Signet Bank
American Express
3728      GOLD
3713      Regular
3732      Regular
3782      Small Corporate Card
3787      Small Corporate Card

    At this point, your rendezvous with CBI is complete.  Write
the credit card number you obtained, and the subject's basic info
in your notebook.  Destroy the CBI report you have- there's no
need to have evidence sitting around.

Part Eight:  Getting the CBI account.

    Okay kids, here's the hard part. Actually, it's not very hard
at all. Just time consuming. First, you have to find an ID CODE.
You know, the part of the account BEFORE the dash. Remember, the
part following the dash is the password. To get the ID CODE, go
trashing at a car dealership. You should find some printed out
reports. On these reports (they should look like what I supplied
above), you will find the "usernames" in the BUS/ID CODE column,
and in the INQS line. All you have to add to this ID CODE is the
password (obviously). Remember, the password is a letter and a
number. So, say your ID CODE is 123ab4567. When CBI asks you to
PLEASE SIGN ON, you begin hacking. Two common passwords are -c2
and -c3. So, the first two things you try to enter should be
"123ab4567-c2. ^S <CR>" and "123ab4567-c3. ^S <CR>". If neither
of these work, start at "123ab4567-a1." and work to "123ab4567-
z9." If I don't find something by the time I get hrough -d9, I
will usually pick another ID CODE and start over. You can do it
however you like.     The lazy way to do this is hang around on
QSD with the sex freaks and see if you can find someone who will
trade with you. Chances are you'll get screwed, because almost
everyone there is a leech. They'll either give you something
fake, or nothing at all. If you want to trade, there are more
trustworthy and knowledgeable people on Lucifer.

Part Nine: ID CODEs.

   This section is a list of ID CODEs for you to hack on. This
list is taken from The Ghost's file on CBI, because I am too lazy
to make up my own list.

426DC33     465IG14     444BB7072   906ON259    906ON267
906BB5130   458ON2792   906BB206    444FP289    882AN137
444FS1399   843BB342    404BB539    404DC21     496ON747
496BB82     404CG94     426DC1577   401BB4880   872BB213
444FS1381   728B10420  905BB587    496ON598    426BB756
426BB3859   444BB3469   444BB3626   444BB5605   444FP2137
906FA26     906BB115    906BB40     906FM6418   447FS844

906BB289    496ON291    901BB5101   906FM6335   496ON218
458ON3022   402RE30375  426CG544    872BB31     872BB205
444BB143    444BB6173   444FM11838  458ON3014   155ON44
905ON1497   444ZB361    496ON648    444BB5654   496BB587
906CG2913   444BB5704   416FM2092   444BB465    444BB5282
444BB5308   444BB5290   404FF262    906FF278    906FF260
404FF1039   404FF825    906FF252    426DC561    181FS320

444FA483    906FA34     163DC2280   444BB2719   163BB17526
404HZ141    444AN1082   444ZB00577  906DC185    444DC10639
906DC193    444JA591    906DC151    444DC49     405BB280
801ON119    801BB2942   496BB74     496FM271    426BB238
426BB541    426BB1895   426BB2406   444BB804    444BB3253
444BB9466   906OC99     404BB3483   444BB1315   444FM12285
805BB2492   906DC656    444FA848    444BB6173   444BB1869

444YC1311   444BB6363   444BB6496   444BB564    444BB3436
444BB952    891BB186    496ON44     444AN2452   444CS315
906DC29     444DC510    905DC3081   180BB19097  444CG377
496FZ45     404TZ19     444AN4177   906DM10     403DC1426
496DC319    496DC20     444KI54     606OC10587  414BB917
906FA67     444FA814    444BB5035   444BB9466   444BB978
444BB2248   444BB1182   444BB4491   444ON366    444ON200

444ON358    444ON341    404HF375    444AN4491   496FS380
404BB182    155ON85     163BB19418  444ZB668    801ON1182
444BB2958   444BB1331   465ZB134

I haven't collected these myself, so I don't know if they all are
valid.                 File grabbing on large systems

Salami......Program that takes a selected amount of money from a
group of specified accounts and deposits it into another account.

Trojan......Program that does one honest function but meanwhile
caries out a series of secret commands.
Say you are working for a company that uses a large central
computer network that is slightly old. You want to get at the
accounts file to make your self a salami. Most old systems have
two pointers at the head of the file, a write access and a read
access. The write means you can edit and delete the file while
the copy mean you can only run and copy the file. Your goal is to
gain write access to the accounts file. The best form of action
would be to take a program everybody has read access to (data
base, spreadsheet, whatever) and make a trojan out of it.
Probably the spreadsheet would be the best idea since the
accountant must use it a lot. The first problem you are going to
have is that you are only going to have read access to the
spreadsheet program because all you need to do is run it.
(Business policy is to give no more access than is needed.) So
you make a file and give your self read and write access to it.
Then simply copy the spreadsheet file into your file. You can now
edit the spreadsheet and add a feature to it (diagonal adding or
something make it VERY attractive). Then you add a little trojan
to the program that copies the accounts file to a file in your
directory, then copies another file from your directory in place
of the true accounts fie. You then give the spreadsheet program
to the accountant showing him the new feature and hope to God he
likes it. When he uses your spreadsheet program you will get the
accounts file in your directory. You should write a program and
leave it in memory so that as soon as it sees this file it copies
it into the other file name so your trojan can copy the other
file back the first time with out error. Once this has happened
delete the TSR program and edit the accounts file as you please.
You can then rename it to the file in your directory the trojan
copies back and your payroll will be changed!
                            Potpourri                              BUGS
   As far as bugs go, don't worry about not being able to obtain
them. Sure, there are some suppliers around that only sell to
'Law Enforcement Agencies' only, but most will sell to you, so
there is no reason to bother with social engineering yourself
one. Anyway, most suppliers that will only sell to law
enforcement agencies usually have their products so marked up,
its unrealistic. Good bargains, and very high quality equipment
can be found offered by a Japanese company called CONY. Usually
their products are so reasonable that it makes the competitors
cry in shame. I suggest you write to them.

                          CONY MFG CORP
                       Rm 301 Hirooka Bldg
                         No 59, 2 Chome
                          Kangetsu cho
                        Chikusa ku Nagoya
                            464 JAPAN

                   WHERE AND HOW TO STICK THEM

     Assuming you obtain a bug, or any combination of different
types of bugs, you will want to use them, for any number of
particular purposes. The safest and easiest way to plant a is to
send the person that you want to know better a nice gift with you
know what hidden inside it. Something that they could, say, place
on their desk, or display prominently in their place or work or
residence. Wrap it nice, and include a small card, and do
whatever you feel is appropriate. A more dangerous method is to
actually obtain entry into the office or residence of the person
that you want to know better. If you have success in getting in,
planting it, and getting out unnoticed, then you will be safe.
Once a is planted, you will leave it there even after it becomes
inoperative, because, if you have placed considerable risk on
yourself to plant it, you do not want to go through that risk
again just to retrieve it. Just forget about it. It won't miss
you. There are a number of places to hide your electronic friend:
o Carefully [!] unscrew a wall socket. There, you will notice
some extra, unused space inside. Figure out the rest.

o Do like the shows on TV. Hide them under a table, or chair. Let
your imagination run wild [use good judgement]. You are
relatively free, due to today's technology, and the short
antennas. Pick an area that is not subject to 'search or routine
o Dress up like a workman and show up at their house. Make up a
good excuse. Gain access. Plant it.


   You will want to record all that you can get with this for
later review. Also, take into consideration, that you can't be at
the receiver 24 hours a day. The setup to use for maximum
efficiency is a recorder with a VOX. Therefore, tape waste will
be at a bare minimum. That's also good, because you don't want to
be at the receiver just to flip tapes every half hour to 45
minutes. Also, it would be difficult to review these tapes,
becasse you would have to listen to a half hour recording for an
actual half hour, and so on. Well, those half hours will add up
into hours, into hours, into hours. Not smart. As said, invest in
a VOX. This will make it able to have the recorder skip over
those quiet times in your target's house. To save tape you could
slow down the recorder with electronics, if you have the
electronics. You might not be successful, because it becomes
difficult to tell the speech of people from background noise.
Please note that not every technique is discussed here. This is a
scratch of the surface. If you can, use metal tapes [if the
recorder has that capability]. If not, use low noise/extended
range tapes. As with most surveillance equipment, be sure that
you know what you are doing. This is a game in which you can be
charged hundreds of dollars for something that you could do
yourself with 35 bucks. Some companies sell recorders which claim
to be able to record 14 hours on a standard cassette. They have
simply removed the pulley from the drive shaft of a Panasonic or
Sony recorder that costs less than 50 dollars and jacked up the
price 300%. Try it yourself, save money.


   There is a nice device called a shotgun mic that allows you to
point it at a window and listen in on a conversation in the
immediate room, because of the room's sound waves causing the
window glass to vibrate. The window must be closed. Since all you
have to do is point it and go, well, they become obviously
convenient. And fun. Find one. They might cost a litle more, but
worth it. And the target is not likely to know he is being
watched, so he will not be smart enough to enact countermeasures.

Everyone has at sometime wanted to hear what a friend, the
principal, the prom queen, or a neighbor has to say on the phone.
There are several easy ways to tap into a phone line. None of the
methods that I present will involve actually entering the house.
You can do everything from the backyard. I will discuss four
methods of tapping a line. They go in order of increasing
difficulty. 1. The " beige box ": a beige box (or bud box) is
actually better known as a "lineman" phone. They are terribly
simple to construct, and are basically the easiest method to use.
They consist of nothing more than a phone with the modular plug
that goes into the wall cut off, and two alligator clips attached
to the red and green wires. The way to use this box, is to
venture into the yard of the person you want to tap, and put it
onto his line. This is best done at the bell phone box that is
usually next to the gas meter. It should only have one screw
holding it shut, and is very easily opened. Once you are in, you
should see 4 screws with wires attached to them. If the house has
one line, then clip the red lead to the first screw, and the
green to the second. you are then on the "tappee's" phone. You
will hear any conversation going on. I strongly recommend that
you remove the speaker from the phone that your using so the
"tappee" can't hear every sound you make. If the house has two
lines, then the second line is on screws three and four. If you
connect everything right, but you don't get on the line, then you
probably have the wire's backward. Switch the red to the second
screw and the green to the first. If no conversation is going on,
you may realize that you can't tap the phone very well because
you don't want to sit there all night, and if you are on the
phone, then the poor tappee can't dial out, and that could be method two. 2. The recorder: This method is
probably the most widespread, and you still don't have to be a
genius to do it. There are LOTS of ways to tape conversations.
The two easiest are either to put a "telephone induction pickup"
(radio shack $1.99) on the beige box you were using, then
plugging it into the microphone jack of a small tape recorder,
and leaving it on record. Or plugging the recorder right into the
line. This can be done by taking a walkman plug, and cutting off
the earphones, then pick one of the two earphone wires, and strip
it. There should be another wire inside the one you just
stripped. Strip that one too, and attach alligators to them. Then
follow the beige box instructions to tape the conversation. In
order to save tape, you may want to use a voice activated
recorder (Radio shack $59), or if your recorder has a "remote"
jack, you can get a "telephone recorder control" at Radio shack
for $19 that turns the recorder on when the phone is on, and off
when the phone is off. This little box plugs right into the wall
(modularly of course), so it is best NOT to remove the modular
plug for it. Work around it if you can. If not, then just do you
best to get a good connection. When ecording, it is good to keep
your recorder hidden from sight (in the bell box if possible),
but in a place easy enough to change tapes from.  The wireless
microphone: this is the tap. It transmits a signal from the phone
to the radio (Fm band). You may remember Mr microphone (from
kaytel fame), these wireless microphones are available from radio
shack for $19. They are easy to build and easy to hook up. There
are so many different models, that it is almost impossible to
tell you exactly what to do. The most common thing to do, is to
cut off the microphone element, and attach these two wires to
screws one and two. the line MIGHT, depending on the brand, be
"permanently off hook" this is bad, but by mucking around with it
for a while, you should get it working. There are two drawbacks
to using this method. One, is that the poor asshole who is
getting his phone tapped might hear himself on "FM 88, the
principal connection". The second problem is the range. The store
bought transmitters have a VERY short range. I suggest that you
build the customized version I will present in part four (it's
cheaper too). Now on to the best of all the methods.... 4. The
"easy-talks": This method combines all the best aspects of all
the other methods. It only has one drawback... You need a set of
"Easy-talk" walkie talkies. They are voice activated, and cost
about $59. You can find them at toy stores, and "hi-tech"
catalogs. I think that any voice activated walkie talkies will
work, but I have only tried the easy-talks. First, you have to
decide on one for the "transmitter" and one for the "receiver".
It is best to use the one with the strongest transmission to
transmit, even though it may receive better also. Desolder the
speaker of the "transmitter", and the microphone of the
"receiver". now, go to the box. put the walkie talkie on "VOX"
and hook the microphone leads (as in method three) to the first
and second screws in the box. Now go home, and listen on your
walkie talkie. if nothing happens, then the phone signal wasn't
strong enough to "activate" the transmission. If this happens
there are two things you can do. One, add some ground lines to
the microphone plugs. This is the most inconspicuous, but if it
doesn't work then you need an amplifier, like a walkman with two
earphone plugs. Put the first plug on the line, and then into one
of the jacks. Then turn the volume all the way up (w/out pressing
play). Next connect the second earphone plug to the mice wires,
and into the second earphone outlet on the walkman. now put the
whole mess in the box, and lock it up. This should do the trick.
It gives you a private radio station to listen to them on, you
can turn it off when something boring comes on, and you can tape
off the walkie talkie speaker that you have!


Here the plans for a tiny transmitter that consists on a one
colpitts oscillator that derives it's power from the phone line.
Since the it puts on the line is less than 100 ohms, it has no
effect on the telephone performance, and can not be detected by
the phone company, or the tappee. Since it is a low-powered
device using no antenna for radiation, it is legal to the FCC.
(That is it complies with part 15 of the FCC rules and
regulations). It, however is still illegal to do, it's just that
what your using to do it is legal. This is explained later in
part 15... "no person shall use such a device for eavesdropping
unless authorized by all parties of the conversation" (then it's
not eavesdropping is it?). What this thing does,is use four
diodes to form a "bridge rectifier". It produces a varying dc
voltage varying with the auto-signals on the line. That voltage
is used to supply the voltage for the oscillator transistor.
Which is connected to a radio circuit. From there, you can tune
it to any channel you want. The rest will all be explained in a

C1                  | 47-Pf ceramic disk capacitor
C2,C3               | 27-Pf mica capacitor
CR1,CR2,CR3,CR4     | germanium diode 1n90 or equivalent
R1                  | 100 ohm, 1/4 watt 10% composition resistor
R2                  | 10k, 1/4 watt 10% composition resistor 
R3                  | .7k, 1/4 watt 10% composition resistor
L1                  | 2 uH radio frequency choke (see text)
L2                  | 5 turns No.20 wire (see text)
Q1                  | Npn rf transistor 2N5179 or equivalent

One may be constructed by winding approximately 40 turns of No.
36 enamel wire on a megohm, 1/2 watt resistor. The value of L1 is
not critical. L2 can be made by wrapping 5 turns of No. 20 wire
around a 1/4 inch form. After the wire is wrapped, the form can
be removed. Just solder it into place on the circuit board. It
should hold quite nicely. Also be sure to position Q1 so that the
Emitter, Base, and collector are in the proper holes. The
schematic should be pretty easy to follow. Although it has an
unusual number of grounds, it still works. 

                 --                                    |
            CR1 /  \ CR2              |----------------|
A--------------/    \ --|         ----|          |     |
       |       \    /   |         |   |          C2    L2
       |    CR3 \  /CR4 |         C1  R2    |----|     |
      R1         --     |         |   |    gnd   C3    |
       |         |      |         ----|          |-----|
       |        gnd     |             |                |
       |                |             |-----|----Base  collector  
     |                |                   R3     \   /
B-----------------------|                   |       \/\ <- Q1     
                                      gnd       \/

One odd thing about this  that we haven't encountered yet, is
that it is put on only one wire (either red or green) so go to
the box, remove the red wire that was ALREADY on screw #1 and
attack it to wire 'A' of the  then attach wire 'B' to the screw
itself. you can adjust the frequency which it comes out on (the
FM channel by either tightening, or widening the coils of L2. It
takes a few minutes to get to work right, but it is also very
versatile. You can change the frequency at will, and you can
easily record off your radio.HELPFUL HINTS
First of all, With method one, the beige box, you may notice that
you can also dial out on the phone you use. I don't recommend
that you do this. If you decide to anyway, and do something
conspicuous like set up a 30 person conference for three hours,
then I suggest that you make sure the people are either out of
town or dead. In general when you tap a line, you must be
careful. I test everything I make on my line first, then install
it late at night. I would not recommend that you leave a recorder
on all day. Put it on when you want it going, and take it off
when your done. As far as recording goes, I think that if there
is a recorder on the line it sends a sporadic beep back to the
phone co. I know that if you don't record directly off the line
(i.e off your radio) then even the most sophisticated equipment
can't tell that your recording. Also, make sure that when you
install something the people are NOT on the line. Installation
tends to make lots of scratchy sounds, clicks and static. It is
generally a good thing to avoid. It doesn't take too much
intelligence to just make a call to the house before you go to
install the thing. If it's busy then wait a while. (This of
course does not apply if you are making a "midnight run").  All
in all, if you use common sense, and are *VERY* Careful, chances
are you won't get caught. Never think that you're unstoppable,
and don't broadcast what your doing. Keep it to yourself, and you
can have a great time.                            Lunch Box
The Lunch Box is a VERY simple transmitter which can be handy for
all sorts of things. It is quite small and can easily be put in a
number of places. I have successfully used it for tapping phones,
getting inside info, blackmail and other such things. The
possibilities are endless. I will also include the plans for an
equally small receiver for your newly made toy. Use it for just
about anything. You can also make the transmitter and receiver
together in one box and use it as a walkie talkie.

Materials you will need

1 9 volt battery with battery clip
1 25-mfd, 15 volt electrolytic capacitor
2 0.0047 mfd capacitors
1 0.022 mfd capacitor
1 51 pf capacitor
1 365 pf variable capacito
1 Transistor antenna coil
1 2N366 transistor
1 2N464 transistor
1 100k resistor
1 5.6k resistor
1 10k resistor
1 2meg potentiometer with SPST switch
Some good wire, solder, soldering iron,
board to put it on, box (optional)Schematic for The Lunch Box

This may get a tad confusing but just
print it out and pay attention.]

        51 pf
          !                  BASE
       ---+----  ------------COLLECTOR
      !        )(               2N366
    365 pf     ()              emitter           !
      !        )(                 !              !
      +--------  ---+----         !              !
      !             !    !        !              !
     GND            /  .022mfd    !              !
                 10k\    !        !              !
                    /   GND
                    !             !              !
                    /           .0047            !
base   collector
              2meg  \----+        !              !
+--------+       !
                    /    !       GND             !   !
                        GND                      !   !
        +-------------+.0047+--------------------+   !
        -----------------------------------------+   !
 100k     !


                        switch                  Battery
                    from 2meg pot.

Notes about the schematic

1.  GND means ground
2.  The GND near the switch and the GND by the 2meg potentiometer
should be connected
3.  Where you see:  )(
                    )( it is the transistor antenna coil with 15
turns of  regular hook-up wire around it.
4.  The middle of the loop on the left side (the left of "()")
you should run a wire down to the "+" which has nothing attached
to it. There is a .0047  capacitor on the correct piece of wire.
5.  For the microphone use a magnetic earphone (1k to 2k).
6.  Where you see "[!]" is the antenna. Use about 8 feet of wire
to broadcast approx 300ft. Part 15 of the FCC rules and
regulation says you can't broadcast over 300 feet without a
license. (Hahaha). Use more wire for an antenna for longer
distances. (Attach it to the black wire on the phone line for
about a 250 foot antenna!)

Operation of the Lunch Box

This transmitter will send the signals over the AM radio band.
You use the variable capacitor to adjust what freq. you want to
use. Find a good unused freq. down at the lower end of the scale
and you're set. Use the 2 meg pot. to adjust gain. Just screw
with it until you get what sounds good. The switch  on the 2meg
is for turning the Lunch Box on and off. When everything is
adjusted, turn on an AM radio adjust it to where you think the
signal is. Have  a friend say something thru the Box and tune in
to it. That's all there is to  it. The plans for a simple
receiver are shown below: 
9 volt battery with battery clip
365 pf variable capacitor
51 pf capacitor
1N38B diode
Transistor antenna coil
2N366 transistor
SPST toggle switch
1k to 2k magnetic earphone

Schematic for receiver

        51 pf
     !         !
     )       365 pf
     (----+    !
     )    !    !
          +---*>!----base  collector-----
[             diode      2N366           earphone
                        emitter    +-----
                          !        !
                         GND       !
                                   - battery

  Closing statement
This two devices can be built for under total of $10.00. Not too
bad. Using these devices in illegal ways is your option. If you
get caught, I accept NO responsibility for your actions. This can
be a lot of fun if used correctly. Hook it up to the green wire
(I think) on the phone line and it will send the conversation
over the air waves.
Daniel    N2SXX

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH