UK Phreaking, an intermediate guide

__________                       ____________________               ________
  <<      \________       __ !  /     __        ___  \____________/
____           |   \ /\  |  \| /     /    \   /|   \  ___     >
    \          |   |/__\ |__/|=     |      \ / |   | /___\         _________
__   \_________|___/    \|  \| \    |       !  |___/ \____________/   >>
  \      <               \   !  \    \___  /            ____           _____
   \______________________________________/                 \_________/
    _________DarkCyde_____________________   Communications  __UK/USA_ 
   /                                  ___ \             ____/         \_____
__/   ___<_________      /   ¡  /    /     \    ___   ____________
     /         |   \ __ /|__/| /    |       ¡  |   \ /___         \___>>____
____/          |   |\  / |  \|=     |      / \ |   | \___/   
	   ____|___/ \/  |__/| \     \__  /   \|___/  ________>___
__<<______/                  ¡  \____________________/            \_________
	    !                                 !              !
	    !        !            !           !        !     !
	    ! !      !   !      ! !   !   !   !    !   !   ! !
	  ! ! !  !   ! ! !  ! ! ! ! ! ! ! ! ! !  ! !   ! ! ! ! !
	  !           _d_C_RawDATA P-r-e-s-e-n-t-s             !

		    UK Phreaking, an Intermediate Guide

			       Sept'98 v1.0
				by Hybrid





			     Remote Phreaking

		      Basic US Phreaking from the UK

			       Voice Mail


		     Information Gathering Techniques



			  How not/to get busted

			Final Misc Phreaking Tips



UK Phreaking has always been a hazard, if you phreak, you always run the risk 
of being busted. Unlike hacking, it can be very difficult to cover your 
tracks in the world of phreaking. Of course, there are precautions you can 
take, which I will explain later in this phile. In this phile I intend to 
inform the masses of things that have never been discussed before. I have 
never seen a UK specific phile on TeleConferencing or call routing, here I 
intend to tell everyone all that I know, if you are reading this phile to 
learn how to execute free phone calls and bypass the charging system, then 
fuck off now... A person who just wants to know how to make free phone calls 
is not a phreak, they are just plain stupid. A phreak is someone who enjoys 
exploring areas of the phone network that are not generally available to the 
public... You have probably read this kind of shit before, but having the 
ability to make free calls is just an added bonus of phreaking. The most 
stupid thing you can do is find some lame company's PBX and just keep making 
free calls through it from your house, this is bad. The company will notice 
an increase in outgoing calls, and log them all. If you just do this, expect 
a nice call from our friends BT, complaining you owe some company you have 
never heard of loads of money. Later in this phile I will discuss how to 
avoid this. I got started in phreaking after reading various txt philes by 
people like coldfire, and the group PHILA. It was originally a phile by a 
phreak called Neondreamer that inspired me into phreaking. If you are not 
already a phreak, but want to learn more I would suggest that you read 
*everything* you can download. Start scanning for interesting things, and 
take notes on your findings. I have noticed that the UK phreak scene is 
extremely secretive, or even more or less dead. This is because no-one 
discusses or shares decent information anymore, and when they do, they face 
ridicule for letting the 'lamers' know about interesting things. What's wrong 
with this? I have also noticed that most UK phreaks advertise as being 
'31337' but don't know shit.. People that say they are eleet are the 
'lamers'. Most of the *real* eleet phreaks don't need to advertise as being 
eleet, because they know it anyway. The problem is most real phreaks like to 
work alone, and don't like to discuss their acquired information.. Therefore 
it is becoming increasingly difficult for 'newbies' to learn, they turn to 
reading newsgroups such as, and read postings like 'how do i make 
free calls?' and 'does blueboxing work?' These people give phreaking a bad 
name, if you want to know if blueboxing still works, then go away and try it. 
If you post something like that you are likely to get responses like, 'Go 
away lamer'.. The people that flame these postings have nothing better to do, 
they are probably lame as fuck themselves and have probably posted similar 
things themselves in the past, been flamed for it, and then think they are 
31337 for flaming an inquisitive 'newbie'. To these people I say fuck off, 
and go learn something. You see, I don't give a flying fuck if I get flamed 
for writing this kind of stuff, because I know that the people that are 
likely to flame it don't know shit themselves. (excuse my German). Now that's 
enough of that, all I'm trying to say is.. If you find something good, tell 
others, fuck-it, tell the whole world.. What's the point in keeping stuff to 
yourself, when you can tell others and get feedback from it, and learn more. 
OK, now you have finished reading my crap, on with the rest of the phile.


			  The Basics, DTMF tones:

DTMF stands for Dual Tone Multiplexed Frequency, it basically means 2 tones 
are played together at the same time. When you are pressing the buttons on 
your phone, you will notice a series of different tones assigned to different 
buttons. It is these tones that are sent to the other side of the line, the 
exchange. DTMF tones are your best friend in the world of phreaking. They 
allow you to remotely control any system, whether it be a PBX, VMB or other 
DTMF controlled system.

Here is a map of your keypad, and the tones emitted from each touch tone:


		   1209 Hz 1336 Hz 1477 Hz 1633 Hz

			    ABC     DEF
	 697 Hz      1       2       3       A

		    GHI     JKL     MNO
	 770 Hz      4       5       6       B

		    PRS     TUV     WXY
	 852 Hz      7       8       9       C

	 941 Hz      *       0       #       D

Decoding: If you are an electronics genius you could decode DTMF tones with 
the following procedure: ;) I will be honest here and say that this bit is 
extracted from a DTMF FAQ:

   One idea
   could be an eight sharp-tuned filter combination with detection
   circuits. Needless to say, this is very impractical, considering the
   various ICs (Integrated Circuits or 'chips') made by different
   manufacturers all over the world.
   Most of these ICs do not require more than one (inexpensive) 3.58 MHz
   x-tal or resonator and the power circuitry. Usually the output is
   4-bit binary + 1 strobe.

	   l              l- d3
	   l     DTMF     l- d2
signal in -l    Decoder   l- d1     4-bit binary out
	   l     chip     l- d0
	   l              l- strobe

If like me, you cannot be bothered to get the soldering iron out, you can 
decode signals by feeding them into a password prompt on a VMB or something, 
the system will then read back the numbers for you. There is also an 0500 
number that is designed for this, I think it is something like 0500-212-213, 
I can't remember at the moment. 
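
The eight tuned filters the FAQ excerpt describes can be built in software as one Goertzel filter per keypad frequency. The following Python is an added example, not part of the original phile; the 8000 Hz sample rate, 25 ms block size and the thresholds are assumptions, and the test signal is constructed.

```python
import math

RATE = 8000                      # samples per second (assumed)
ROWS = (697, 770, 852, 941)      # low group, Hz, from the keypad map above
COLS = (1209, 1336, 1477, 1633)  # high group, Hz, from the keypad map above
KEYS = ("123A", "456B", "789C", "*0#D")


def synth(freqs, ms, rate=RATE):
    """Constructed test signal: equal-amplitude sum of sine waves."""
    n = rate * ms // 1000
    amp = 0.9 / len(freqs)
    return [sum(amp * math.sin(2 * math.pi * f * i / rate) for f in freqs)
            for i in range(n)]


def key_tone(key, ms=50, rate=RATE):
    """One keypress: its row tone and column tone played together."""
    for r, row in enumerate(KEYS):
        if len(key) == 1 and key in row:
            return synth((ROWS[r], COLS[row.index(key)]), ms, rate)
    raise ValueError("not a DTMF key: %r" % (key,))


def goertzel_power(block, freq, rate=RATE):
    """Squared magnitude of `freq` in `block` (one narrow filter)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in block:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_key(block, rate=RATE, dominance=4.0, twist=10.0, min_fraction=0.6):
    """Return the key present in `block`, or None if it is not valid DTMF."""
    energy = sum(x * x for x in block)
    if energy < 1e-6:                       # silence
        return None
    rows = [goertzel_power(block, f, rate) for f in ROWS]
    cols = [goertzel_power(block, f, rate) for f in COLS]
    r, c = rows.index(max(rows)), cols.index(max(cols))
    # Exactly one row tone and one column tone must stand out in its group.
    for group, best in ((rows, r), (cols, c)):
        if any(p * dominance > group[best]
               for i, p in enumerate(group) if i != best):
            return None
    # Both tones must be present at comparable level (rejects a single tone).
    if min(rows[r], cols[c]) * twist < max(rows[r], cols[c]):
        return None
    # The pair must carry most of the block's energy (rejects speech, noise).
    if 2.0 * (rows[r] + cols[c]) / (len(block) * energy) < min_fraction:
        return None
    return KEYS[r][c]


def decode(samples, rate=RATE, block_ms=25):
    """Decode a sample stream; each tone burst yields one key (the 'strobe')."""
    n = rate * block_ms // 1000
    keys, prev = [], None
    for i in range(0, len(samples) - n + 1, n):
        key = detect_key(samples[i:i + n], rate)
        if key is not None and key != prev:
            keys.append(key)
        prev = key
    return "".join(keys)


def constructed_signal(keys, tone_ms=50, gap_ms=50, rate=RATE):
    """Constructed input: each key as a tone burst followed by silence."""
    signal = []
    for k in keys:
        signal += key_tone(k, tone_ms, rate) + [0.0] * (rate * gap_ms // 1000)
    return signal


if __name__ == "__main__":
    print(decode(constructed_signal("0800*#A1D9")))
```

The three rejection checks are what separate a usable decoder from a bare filter bank: without them a single 1000 Hz tone or ordinary speech would leak into the nearest bins and be reported as a key.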

0800-969-388 Reads out 200327110, then speed dials, hmm..
0800-892-558 and 0800-892-282 both emit DTMF tones, very strange.


			     Remote Phreaking:

In this file I will explain the techniques used for long distance phreaking 
through the country direct numbers. In the UK many, if not most phreaks will 
concentrate most of their projects on the country direct numbers. For those 
of you who don't know what these numbers are for, they are numbers set up by 
various corporations / telcos etc so people can reach their contact in the 
terminating country for free. These numbers can be set up for various 
reasons - the 0800/0500-890-xxx area for example is packed full of country 
direct numbers that terminate on various foreign telco switchboards. For 
example- President Clinton decides to come to the UK for a while to bum Tony 
Blair... He needs to call the white house ASAP, but being the cheapskate he 
is, he has no money. So he rings AT&T direct on 0800-890-011... Plugs in the 
US number and is then asked for his calling card number... His call is then 
placed to his requested destination. That is 1 example, another would be: 
Dick Dobbins of ABCD corporation is flying to the UK for a few days to attend 
some kind of conference. While he is in the UK he needs to check his voice 
mail, and report back to his company etc... So he uses the company's UK 
toll-free number which would be something like 0800-89x-xxx... He can now 
check his voicemail, whatever for free. Now you can see why UK phreaks give 
these numbers a lot of attention. Here is a list of the UK country direct 
numbers:

0800-89x-xxx 0800-96x-xxx 0500-89x-xxx 0500-96x-xxx

I have also found various numbers which terminate in foreign countries via 
the 0800-733-xxx area, although this prefix is not designated to country 
direct services. 

In order to find interesting things on these prefixes you will need to start 
scanning. I recommend that you do all your country direct scans by hand, 
because a program like toneloc will be looking for carriers, while you are 
looking for PBXs, VMBs and various other things. I would not recommend that 
you scan 1000's of these numbers in any one night, because your telco will 
notice and put a nasty thing called a monologue on your phone line, which 
will record EVERY single DTMF tone you emit. If you are going to scan these 
numbers remember not to go over the top, and limit yourself to about 100 or 
so a night. On the end of these numbers you will find a massive range of 
interesting things, here are some of the things I have found:

PBXs, VMBs, Strange tones, Conference loops, Conference systems, Info lines, 
Emergency services, Government lines, Carriers, Chargecard services, extender 
lines, test lines, and various other EXTREMELY strange things. 

Here are some examples of the delights you will come across: ;)

0800-896-050            card no and pin
0800-896-373            STRANGE
0800-896-400            dialtone
0800-896-910            vangard voice network...
0800-897-010            Asks for Password
0800-897-235            4-did PIN 2222 then 6-did Protocol number
0800-897-357            Passcode
0800-897-414            4-did extender passcode, p=1234 PBX VMS
0800-897-815            GTS Global Access Calling Card
0800-897-850            Conference Centre
0800-961-230            God damn STRANGE¿¿!
0800-961-237            Call divert [no code]
0800-961-238            FBI!~
0800-961-341            MCI-service setup, number query
0800-961-351            Mad Fax LINK...
0800-961-365            something police¿
0800-961-371            Roles Royce Corp head office. Octel
0800-965-061            strange C5 line
0800-965-063            strange
0800-965-064            'please enter company code'
0800-965-075            strange C5 line
0800-965-077            C5.
There are tons more things in the country direct numbers, these are just a 

These numbers can be abused by the phreak for many reasons:

Outdials: If you are scanning and you come across a dialtone, or Meridian 
Mail system or similar you can access the system's outdialing features and 
dial various numbers in the terminating country, ie- US toll-free 1-800 
numbers. The system you are most likely to phreak will be US Meridian Mail 
systems. A more in-depth file on MM's can be found on the DarkCYDE website 
at Here is a basic guide to hacking the MM systems:

Find a Meridian Mail system on the terminating end of an 89x/96x number.
You will know when you have found a MM system if: The terminating number 
directly ID's itself as, 'Meridian Mail, mailbox?' Or if you get an OGM 
recording such as, 'you have reached blah blah company after hours', try 
hitting 81, if it is MM it will drop you into the MM login prompt. Or you 
may get, 'You have reached blah blah corp, please dial the extension of the 
person you are calling'.. If you get this try dialing an eXt, if your call 
is put through you should get the person's recorded voicemail greeting. Hit 
81, and try to login to the person's box, the default passcode is the same as 
the box number. To find where the boxes are located you need to get yourself 
to the dial extension prompt, or dial by name prompt. On most systems you 
will be given the option to do this, but on some you are only given the 
option to leave a message, these type of systems are very unlikely to be 
24hr... to get the dial eXt prompt on these systems, just hit 011# 
quickly... the system will then say 'name cancelled' and ask you to dial an 
eXt. On some systems I have noticed that you can still exploit the machine's 
out dialing feature without even logging into a box, try hitting 0 for the 
operator, and then instantly hit 9-1-800-xxx-xxxx whatever. I have found this 
works on 1 out of 10 systems. Once you have managed to get into a box, try 
the following: 09, 1-800-xxx-xxxx-# The system may let your call through if 
no call blocking is in place, on some systems only some boxes are configured 
for out-dialing so don't give up. Some systems will be programmed to only 
allow local calls, or not to allow any calls beginning with 1, or no calls at 
all. If your call is put through, you now have access to the entire US 
toll-free network, you may even get lucky and be able to dial ANY number in 
the world. Now you have a MM outdial you are ready to start remotely 
phreaking the US! 
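
What the out-dialing described above looks like in the PBX owner's call detail records: an outbound call placed from a voicemail port while an inbound toll-free call is still up on that port. The following Python is an added example, not part of the original phile; the CSV columns, the port and trunk labels, and the assumption that the out-dial leaves on the same port that answered are hypothetical, and the sample records are constructed.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed CDR export. Column names and port/trunk labels are hypothetical;
# the dialed numbers use an invalid 000 exchange so none is a real line.
SAMPLE_CDR = """\
start,duration_s,direction,port,trunk,number
1998-09-14T02:10:05,1500,IN,VM-03,TOLLFREE-INTL,
1998-09-14T02:12:40,35,OUT,VM-03,PSTN,18000000001
1998-09-14T02:14:02,20,OUT,VM-03,PSTN,18000000002
1998-09-14T02:15:11,610,OUT,VM-03,PSTN,18000000003
1998-09-14T09:30:00,95,IN,VM-01,TOLLFREE-INTL,
1998-09-14T09:45:00,120,OUT,EXT-2210,PSTN,2120000147
1998-09-14T10:05:00,40,OUT,VM-02,PSTN,2120000199
"""


def parse_cdr(text):
    """Parse the CSV and add an 'end' timestamp to every record."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        start = datetime.fromisoformat(r["start"])
        end = start + timedelta(seconds=int(r["duration_s"]))
        rows.append({**r, "start": start, "end": end})
    return rows


def find_through_dials(rows, inbound_trunks=("TOLLFREE-INTL",),
                       vm_prefix="VM-"):
    """Outbound calls from a voicemail port made during an inbound
    toll-free call answered by that same port."""
    inbound = [r for r in rows
               if r["direction"] == "IN" and r["trunk"] in inbound_trunks
               and r["port"].startswith(vm_prefix)]
    hits = []
    for out in rows:
        if out["direction"] != "OUT" or not out["port"].startswith(vm_prefix):
            continue
        for call in inbound:
            if (call["port"] == out["port"]
                    and call["start"] <= out["start"] <= call["end"]):
                hits.append({"inbound_start": call["start"],
                             "port": out["port"],
                             "dialed": out["number"],
                             "duration_s": int(out["duration_s"])})
                break
    return hits


def summarize(hits, short_max_s=60):
    """Per inbound call: out-dial count, distinct numbers, short calls.
    Many short calls to distinct numbers is the scanning pattern."""
    summary = {}
    for h in hits:
        key = (h["inbound_start"].isoformat(), h["port"])
        s = summary.setdefault(key, {"outdials": 0, "numbers": set(),
                                     "short": 0})
        s["outdials"] += 1
        s["numbers"].add(h["dialed"])
        if h["duration_s"] <= short_max_s:
            s["short"] += 1
    return {k: {"outdials": v["outdials"],
                "distinct_numbers": len(v["numbers"]),
                "short_calls": v["short"]}
            for k, v in summary.items()}


if __name__ == "__main__":
    print(summarize(find_through_dials(parse_cdr(SAMPLE_CDR))))
```

The out-dial from VM-02 at 10:05 is deliberately not reported: with no inbound call up on that port it is consistent with an ordinary notification call rather than a caller dialing through.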


			 Basic US Remote Phreaking:

I am not going to go into too much detail here because there are plenty of US 
specific philes all over the .net, if you want more information on US 
phreaking go and find some info.. The DarkCYDE website will soon have a US 
section headed by Elf and Downtime. So keep an eye on it. ;) 
The US toll free network is a lot different to ours. They have 1-800-xxx-xxxx
1-888-xxx-xxxx 900-xxxx numbers etc. On the end of these numbers you will
find LOADS of cool stuff. If you want to find a specific US number just dial
1-800-555-1212 for toll-free directories. The possibilities are endless, 
remember, it is loads of hassle for them to even begin to try and find you, 
they think you are calling from the US! Just remember that if you call 
something dodgy in the US such as the CIA and give them loads of grief they 
will know the ANI of your PBX, in the UK you block this by dialing 141, in 
the US you would dial a * service to block your ANI. When dialing through a 
PBX it is not possible to use * services, so remember, if you don't want to 
lose your PBX don't use it for prank calls or anything like that. 1-800 
numbers are fun to scan because you will find a lot more things on the end of 
them, than you would in the UK.  
It is not advisable to scan 1-800 numbers by constantly dialing up your PBX, 
remember the company whose PBX you are using have to pay about 15c every time 
you dial it up, they will notice an increase in toll-free number access and 
the next thing you know, BT will be busting down your door. The best thing 
to do if you are planning on scanning US 1-800 numbers is to find a 
chargecard service or similar, that lets you dial a 1-800 number, hang it 
up, and then re-dial. This way you will only have to dial 1 UK country direct 
number, stay on the line and then scan from that. Here is a small list of 
some of the 1-800 toll-free numbers that I have found myself:

1-800-466-2518          4-did pin, p=9999 Frontier Communications
1-800-466-3003          4-did pin, p=9999 Frontier Communications
1-800-476-3911          4-did pin p=9999 Frontier Communications
1-800-452-6993          4-did PIN p=9999 Frontier Communications
1-800-584-5692          4-did PIN p=9999 Frontier Communications
1-800-523-9142          4-did pin p=9999 Frontier Communications
1-800-482-3520          4-did code p=9999 Frontier Communications
1-800-455-2670          Strange (it's worth messing around with these)
1-800-455-6398          Personal vmb
1-800-455-3902          4-did access code
1-800-455-8223          Modem
1-800-455-6932          Skytell Pager
1-800-455-6980          Call forwarding (3-did)
1-800-455-1150          VMS OCTEL
1-800-227-5937          Sky Message
1-800-376-2903          Skyline Pager 80=help
1-800-632-8921          Pager (NationWide Messaging)
1-800-685-3910          VMS OCTEL 81000 Free
1-800-760-9256          Porn Line
1-800-673-6840          Somthing Testing services
1-800-256-3581          Modem (another thing, they think you are in the US)
1-800-638-8267          VMS 300 p=0000 Admin Box
1-800-780-9650          Syword Messaging System
1-800-507-8960          VMS
1-800-480-5802          Chargecard Service
1-800-322-5889          AUDIX Voice Power
1-800-381-5504          South Western Bell Call Notes
1-800-304-5887          Access code
1-800-362-8896          4-did PIN p=9999 (most of these eXtenders have this)
1-800-320-9651          VMS
1-800-395-5569          Porn Line
1-800-207-4482          Free porn line
1-800-605-3472          Central Command
1-800-633-8284          conference replay
1-800-280-1445          CIA
1-800-562-7242          CIA employment line
1-800-285-3222          bank, vmb MM. 3000-3000 (you would be surprised at
                        the amount of banks that leave their default
                        passcode active)-Barklays :p

If you find a modem try dialing into it with terminal or something, most of 
the modems on these 1-800 numbers are *very* interesting. Remember, according 
to their CLID software, you are in the US ;) You can also get *totally* free 
internet access through your country-direct PBX... Just card a few earthlink 
accounts, they will give you a 1-800 dial-up number! Or if you have a PBX 
that lets you dial local numbers (local numbers in the US are free), get a 
trial account with an ISP in the US, they will give you a local number 
dial-up.. When you access the net, it will appear that you are in the US, 
cool? If you need to find out the local number of your PBX, you can use an 
ANI number, which will read out the number of the PBX you are calling from: 
here is the one I use: (1-800-487-9240) This number will read out everything 
about the line you are calling from. Just remember that all MM systems with 
dialout features will record every single number put through it, so be 


If you are a newbie phreak, I would suggest that you begin your telephony 
adventures with voicemail. Voicemail systems can be very easy or very hard 
to penetrate, but most will be left in their default state with default 
passcodes still active. If you are scanning through the country direct 
numbers you are likely to come across thousands of different voicemail 
systems, here is a list, along with example numbers of the systems you will 
come across:

Meridian Mail Direct Dial: 0800-897-110
Meridian Mail Front End:   0800-969-580         
OCTEL Direct Dial:         0800-961-373
OCTEL Front End:           0800-961-384
AUDIX Direct:              0800-896-891
AUDIX Front End:           0800-967-012
AUDIX Voice Power:         0800-897-077
PhoneMail Direct:          0800-969-913
PhoneMail Front End:       0800-969-394
InfoStar VX:               0800-969-171
Partner Mail:              0800-897-467
Communications Gateway:    0800-896-500
?Standard vmb:             0800-960-305
Bell Atlantic:             0800-962-279

Those are just some of the main systems you will come across, hint- The 
Infostar VX system admin boxes allow you to set up new boxes, the passcode 
for these boxes is always the same as the box. Voicemail is a very useful 
tool for the phreak. They can be used for many purposes, you could set a 
system to communicate with other phreaks or get your own system, so you can 
give others your VMB number so they can contact you.. There are loads of 
			   Notes on Meridian Mail:

OK, I'm not going to go into detail here because there are some fairly 
decent philes on MM floating around on the .net. Here is a simple guide to 
managing your Meridian Mail box: (cut 'n' pasted from Coldfire's phile)

     0 - Zero on its own will transfer you to the operator assistance
     number. 011 will let you look up names in the directory. 0XXXX will
     dial that number, assuming it passes the call blocking mask.
     1 - Rewinds the current message about 10 seconds
     2 - Play message
     3 - Fast Forwards the current message by 10 seconds
     4 - Previous Message
     5 - Record, used when composing or forwarding a message.
     6 - Next Message
     7 - Message Commands(Sub Menu)

	  0 - Message Options (Sub Menu, can only be used on outgoing

	       1 - Urgent, tag a message for urgent delivery.
	       2 - Standard, tag a message for standard delivery.
	       3 - Economy, tag a message for economy deliver.
	       4 - Private, tag a message private (private messages cannot
	       be forwarded to other users)
	       5 - Acknowledgement, tag a message for acknowledgement,
	       you'll be sent an acknowledgement message when the message is
	       6 - Timed Delivers, specify a time and date for delivery.

	  1 - Reply, sends a message to the sender of the message. Can only
	  be used on incoming messages from mailboxes on the same system.
	  2 - Play envelope - Gives all the details of the messages, such as
	  who its from, time, if it was urgent, attached messages etc., etc.
	  3 - Forward, forward the message to another user.
	  4 - Reply All, record a message to all the senders of the messages
	  in your
	  5 - Compose, compose a message to other users, either just one, a
	  distribution list, or several boxes.
	  6 - Delete, deletes message, or if used on an deleted message
	  restores it.
	  9 - Sends a message you've just recorded.

     8 - Mail Box Commands (Sub Menu)

	  0 - Mailbox Options (Sub Menu) (Not always available on earlier
	  versions of the software)

	       1 - Change Operator Assistance Number

	  1 - Login, enters the login process.
	  2 - Greeting (Sub Menu)

	       1 - External, record a greeting to be played to external
	       2 - Internal, record a greeting to be played to internal

	  3 - Log-off
	  4 - Password Change, change your password, enter your new password
	  twice and your old password.
	  5 - Distribution Lists, create distribution lists.
	  6 - Goto, goto a message number in your mailbox.
	  9 - Personal Verification, record a personal verification which
	  will be played instead of your mail box number to message

     9 - Call Sender, when used on an incoming message will dial the
     extension of the sender, if the number is known.
Hint- If you find a nice MM system, start scanning internal eXtensions, you 
will find some *very* interesting things. ;7) For the *ultimate* guide to 
Meridian Mail Systems keep an eye on the, PUBLiC_NUiSANCE 
stole a MM Admin Technical Manual!

OCTELs are generally very easy to hack. The typical OCTEL will behave like 
this: You dial up the number, hear some kind of company greeting.. Try 
hitting the # key, this should put you into the login prompt, if this doesn't 
work try hitting * then #.. You should then get a generic female voice asking 
you for your mailbox number. It is very easy to find a free box on an OCTEL 
system, just find a valid box, like 9999 (sysadmin) and keep going back 
to it after 2 invalid login attempts, this way you will not get logged out of 
the system. When you find a valid box, scan around this until you get a box 
that says 'this mailbox can increase your communications productivity' it 
will then say a load of crap and then ask you for your passcode, which is 
usually the same as the box. If this is not the case try things like 1111 
2222 1234 etc. Once you have the default passcode you can own any box on the 
system, and give them to your phreaking friends. Once inside your new VMB, 
all the options are very self explanatory.. you can even adjust the generic 
help voice to be abbreviated, it gets annoying after a while. It is worth 
scanning the extensions on these systems because you will find loads of 
interesting things, such as dialtones and conference bridges. The system 
admin box will usually be on 9999, if you manage to get into one of these 
boxes you can do anything you want to the system, ie set up free boxes :). 
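
From the administrator's side, the two weaknesses this section relies on (passcodes equal to the box number, and a failed-attempt counter that resets whenever a valid box is entered) can both be checked for. The following Python is an added example, not part of the original phile; the mailbox export and the login log format are hypothetical, and all sample data is constructed.

```python
import re
from collections import defaultdict

# Passcodes the text above names as system defaults or first guesses.
GUESSABLE = {"0000", "1111", "2222", "1234", "9999"}

# Constructed mailbox export: (box number, passcode). Assumes the administrator
# can export or test passcodes; not every voicemail platform allows that.
SAMPLE_BOXES = [
    ("9999", "9999"), ("3000", "3000"), ("4104", "1234"),
    ("5000", "2222"), ("6120", "7777"), ("2315", "807416"),
]

# Constructed login log; the line format and result names are hypothetical.
SAMPLE_LOG = """\
1998-09-14T02:11:07 session=41 box=4100 result=INVALID_BOX
1998-09-14T02:11:15 session=41 box=4101 result=INVALID_BOX
1998-09-14T02:11:22 session=41 box=9999 result=VALID_BOX
1998-09-14T02:11:30 session=41 box=4102 result=INVALID_BOX
1998-09-14T02:11:37 session=41 box=4103 result=INVALID_BOX
1998-09-14T02:11:44 session=41 box=9999 result=VALID_BOX
1998-09-14T02:11:52 session=41 box=4104 result=VALID_BOX
1998-09-14T09:02:10 session=42 box=2315 result=BAD_PASSCODE
1998-09-14T09:02:19 session=42 box=2315 result=LOGIN_OK
""".splitlines()

LINE = re.compile(r"session=(\d+) box=(\d+) result=(\w+)")
FAILURES = {"INVALID_BOX", "BAD_PASSCODE"}


def weak_reason(box, passcode):
    """Why a passcode is guessable, or None if no rule matches."""
    if passcode == box:
        return "same as box number"
    if passcode in GUESSABLE:
        return "listed default or common guess"
    if len(set(passcode)) == 1:
        return "single repeated digit"
    return None


def audit_mailboxes(boxes):
    """Map each weak mailbox to the rule it violates."""
    findings = {}
    for box, passcode in boxes:
        reason = weak_reason(box, passcode)
        if reason:
            findings[box] = reason
    return findings


def flag_counter_resets(lines, limit=3):
    """Find sessions whose total failures reach `limit` although no run of
    consecutive failures does: the signature of returning to a known-valid
    box to reset a consecutive-failure lockout counter."""
    stats = defaultdict(lambda: {"failures": 0, "run": 0, "max_run": 0,
                                 "boxes": set()})
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        session, box, result = m.groups()
        s = stats[session]
        s["boxes"].add(box)
        if result in FAILURES:
            s["failures"] += 1
            s["run"] += 1
            s["max_run"] = max(s["max_run"], s["run"])
        else:
            s["run"] = 0
    return {
        session: {"failures": s["failures"],
                  "max_consecutive": s["max_run"],
                  "boxes_tried": len(s["boxes"])}
        for session, s in stats.items()
        if s["failures"] >= limit and s["max_run"] < limit
    }


if __name__ == "__main__":
    print(audit_mailboxes(SAMPLE_BOXES))
    print(flag_counter_resets(SAMPLE_LOG))
```

Session 41 never trips a three-strikes rule that counts consecutive failures, which is why the check counts failures per call instead.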

AUDIX AUDio Information eXchange:

AUDIX Main Menu [Activity Menu]

1. Record and send Voice Mail messages to other users.  

	*D. Delete
	*L. Add a mailing list you have created or public list
	*1. Review or modify the list you are creating
	*#. Approve list
	*A. Name addressing
	*R. Restart at activity menu
	*T. Transfer to an ext
	*W. Have system wait
	**N. Access names and numbers dir

2. Get Messages.

	0. Listen
	1. Respond/forward
	#. Skip to next header
	2. Rewind
	3. Play
	*#. Skip to next category
	**H. Hold in current category
	5. Replay last few seconds
	6. Fast forward a few seconds
	4. Louder
	7. Softer
	9. Faster
	8. Slower
	*D. Delete
	*R. Restart
	*W. Wait
	**N. Names and numbers dir
	*T. Transfer

3. Record or change the greeting heard by outside callers.

	0. Listen to a greeting
	1. Create, change or delete a greeting
	2. Scan all greetings
	3. Activate a greeting
	4. Administer call types

		1. Identify calls as internal and external
		2. Identify calls as busy and no answer

	#. Finish
	*R. Restart

4. Check outgoing messages.

5. Administer mailing list, personal dir, password, or account name.

	1. Administer mailing lists
		1. Create a list
		2. Scan lists
		3. Review or modify lists

	2. Administer personal dir

		1. Add entries
		2. Review all entries
		3. Review a specific entry

	4. Change passcode

	5. Record name

6. Out-dialling [sometimes disabled by admin]

7. Scan incoming messages automatically

	1. Scan headers in messages
	2. Scan headers only
	3. Scan messages only

AUDIX systems can sometimes be quite hard to hack, especially if the system is 
a direct dial. If the system is front end here are some of the techniques I 
use to find valid boxes... Dial the number, hit *8 you will be prompted to 
enter an eXtension number, if you cannot find any valid extensions try 
dialing by name- the owners of boxes usually say their extension number. On 
some AUDIX systems the passcode is the same as the box number. To login to 
AUDIX dial the number and hit *7 to login. If you are lucky the admin would 
have enabled outcalling on your box. To see if this works hit 6 at the main 
menu, you should get a dialtone.

Phonemail systems are very easy to hack, the passcode is always the same as 
the box. Try boxes such as 1000-1000 or 5000-5000 etc... You should get a 
female generic voice say, 'you have access to the system administrator 
functions'. Again once inside your phonemail VMB, an annoying voice will 
guide you through its functions. 

Infostar VX voice processing systems are very nice. If you manage to get 
into the admin box (usually 5000) you will be able to set up your own boxes. 
You will also be given the option to set up various different levels of 
service boxes, ie- more admin boxes etc. Here is a dictation of a VX admin 

1. System Greetings
	1. listen
	2. record
	3. erase

2. Broadcast message

	1. listen
	2. record
	3. erase

3. Mailbox administration

	1. Reset a mailbox access code
	2. Add a box

		...dial the box, ie-3666#
		...dial extension number
		...dial a class of service
		...dial a mailbox type
		...dial 0 destination number
		...dial dial depo number
		...dial subscriber's name (p-h-r-e-a-k)
		...reviewing data
		...# processing * Correct a field
	3. Delete a mailbox
	8. Record mailbox greetings
	9. Reset message waiting indicators
	0. Link a mailbox

4. System group lists

	1. list members
	2. establish
	3. erase entire list
	4. modify

5. Set date of system mm/dd/yy

Partner Mail systems are basically rip-offs of AUDIX systems, the functions 
are surprisingly similar. These systems are usually 2-3 digit mailbox 
numbers. Again the passcode is usually the same as the boxes. 

Communications Gateway systems are again very nice systems to use, although 
they are quite rare. The problem is you cannot stay on the line and guess 
boxes because it will log you out after 1 invalid attempt. There will be a 
more detailed phile on this on our website soon. Anyway that's it for this 
part of the file. If you need more specific philes on this subject just look 
around, there are loads about.


		  UK Boxing: Red/Blue and other ideas

Red boxing:

Despite what some people say, red boxing does work from BT payphones. The 
only ones I have tried are the older models such as the ones with the crap 
buttons. You will need some sort of recording equipment (good quality). Here 
are the tones:

10p     (1000Hz for 200ms)
20p     (1K for 200ms, 50ms gap, 1K for 200ms)
50p     (1000Hz for 350ms)
£1      (1K for 350ms, 66ms gap, 1K for 350ms).

You can get away with recording the tones from your computer onto a tape 
recorder, but if the operator gets the slightest hint that you are using 
recorded tones, they will either disallow the call and give you loads of 
abuse. Or they may connect the call for you and then send the gestapo to 
your payphone. Anyway, here is what you do:

1. Ring the operator (100)
2. Say you are having trouble placing a call, make up some excuse like 
   someone has vomited all over the keypad.
3. Ask the operator to place the call for you
4. She will then ask you to deposit the amount of money it takes to 
   connect the call.
5. Play the tones and your call will be put through
6. The operator will come on the line when your time is up, or you may hear
   some plucks, just play the tones again.

Blue boxing:

Blue boxing can be a real hazard from your own telephone so be careful. I 
have never tried this from my own phone because I am too paranoid, although 
I have found a few numbers that seem pretty boxable. Blueboxing is the art 
of seizing C5 trunks and effectively becoming an operator. C5 is an old 
signalling system, and can be heavily exploited because it is controlled by 
various tones. The only countries likely to still employ these systems are
3rd world countries, or lesser developed countries. To cut a long story short,
this is how you bluebox from the UK: You need to find a C5 line, a good 
place to start is by scanning the 0800-890-xxx area, although I have found 
them all over the prefixes. You will know when you have found a C5 line 
because when the other end picks up you will hear a distinctive 'pleep' 
'pleep' or something like that. As far as I can tell there are 2 ways to 
seize a trunk, 1 is to blast the line with your tones while the line is 
ringing, the other is to blast the tones when the other end picks up. If you 
are considering trying blueboxing I would suggest that you get yourself a 
copy of bluebeep, or similar proggy. These programs will allow you to 
configure the different tone seizure patterns. Here are the tones you will 
need to successfully bluebox (cut'n'pasted from another file)

	   | Key  |  CCITT 5   | For | Gap |    DTMF    | For | Gap |
	   |  1   | 700 +  900 |  50 |  50 | 1209 + 697 |  50 |  50 |
	   |  2   | 700 + 1100 |  50 |  50 | 1336 + 697 |  50 |  50 |
	   |  3   | 900 + 1100 |  50 |  50 | 1477 + 697 |  50 |  50 |
	   |  4   | 700 + 1300 |  50 |  50 | 1209 + 770 |  50 |  50 |
	   |  5   | 900 + 1300 |  50 |  50 | 1336 + 770 |  50 |  50 |
	   |  6   |1100 + 1300 |  50 |  50 | 1477 + 770 |  50 |  50 |
	   |  7   | 700 + 1500 |  50 |  50 | 1209 + 852 |  50 |  50 |
	   |  8   | 900 + 1500 |  50 |  50 | 1336 + 852 |  50 |  50 |
	   |  9   |1100 + 1500 |  50 |  50 | 1477 + 852 |  50 |  50 |
	   |  0   |1300 + 1500 |  50 |  50 | 1336 + 941 |  50 |  50 |
	   |  11  | 700 + 1700 |  50 |  50 |    0 +   0 |   0 |   0 |
	   | C12  | 900 + 1700 |  50 |  50 |    0 +   0 |   0 |   0 |
	   |  *   |   0 +    0 |   0 |   0 | 1209 + 941 |  50 |  50 |
	   |  #   |   0 +    0 |   0 |   0 | 1477 + 941 |  50 |  50 |
	   | KP1  |1100 + 1700 | 100 |  50 | 1633 + 697 |  50 |  50 |
	   | KP2  |1300 + 1700 | 100 |  50 | 1633 + 770 |  50 |  50 |
	   | ST   |1500 + 1700 | 100 | 100 | 1633 + 852 |  50 |  50 |
	   | KP2E |   0 +    0 |   0 |   0 | 1633 + 941 |  50 |  50 |
	   | EO   |2100 +    0 |1000 | 100 |    0 +   0 |   0 |   0 |
			KP = Key Pulse, ST = Start
2400 Hz/2600 Hz   Clear Ahead Tone
2400 Hz/2400 Hz   Seize Tone

Most exchanges will hang up on you if you directly blast them with 
2600/2400 tones, so you will need an additional tone like 2100. This will
'disguise' the other tones. As I said before the majority of blueboxing is
executed on the 0800-890-xxx numbers, but I have found many other C5 lines
in other prefixes. Anyway, here is an example of how you would bluebox:

1. You dial the number of the country direct C5 line.

2. You either seize the line before the other end picks up, or 
   you can seize it when they pick up.

   This seize used to work while the line was ringing on the China country
   direct service:

   tone 1: 2600hz/2400hz for 340ms then delay for 50ms
   tone 2: 2400hz/2400hz for 180ms then delay for 300ms

   Or if the operator picked up:

   tone 1: 2600hz/2397hz for 180ms delay for 30ms
   tone 2: 2100hz/2100hz for 180ms delay for 30ms
   tone 3: 2400hz/2400hz for 180ms delay for 30ms

   After 1 of the above seizures, you would get a response from the C5
   equipment (the wink) 2 bleeps. You would then dial your number using the

   KP2-country code-area-number-ST

   This kind of seize would probably not work anymore, so you would use the
   following method:

   2600hz/2400hz/and an additional tone such as 2100hz to disguise the other
   tones. You will have to experiment with different tone lengths and
   variations for different numbers. Here I will be honest and say I have
   never attempted to bluebox from my own house, I'm paranoid like that. But
   here is a list of C5 lines to experiment with. (I have found ALL of these
   numbers myself, they have NEVER been released before) Some of them appear
   to terminate in the US!

   0800-965-060         strange (c5 after VERY strange tones)
   0800-965-061         strange C5 line
   0800-965-063         strange (c5 after VERY strange tones)
   0800-965-075         strange C5 line
   0800-965-077         C5
   0800-965-078         strange (VERY strange c5 line!)
   0800-965-079         strange (fault tones, then c5!)
   0800-967-796         VERY strange (Saudi Arabian Bank)
   0500-892-200         VERY strange

These numbers should be very boxable, so have a go. That's it for blueboxing,
now for the next part of the file.


			 Information Gathering:

Information is the root of all phreaking. Without it you are lost, here I 
will discuss how to gain information, and how to use it. My favourite 
information source is other people's VoiceMail. By listening to other people's
voice mail messages you will learn a lot about certain things. ie- Say you
wanted some CC details: Go through some magazine and note all of the numbers
that advertise as accepting Visa/Mastercard etc.. Ring the numbers after 
business hours to see if they have an answerphone or VMB. If they have a VMB
you will need to find the main outgoing greeting box and break-in. This is
simple because some companies are stupid and will leave their VMB systems in
default state, ie-with the passcode same as the box number. When you are
inside the box, all you have to do is get a pen and write all of the lovely
numbers down... I'm not into carding myself, but this can be a VERY rich
source of info. If they have an answerphone, try guessing the remote log-in
passcode after you are prompted to record your message. Answerphone passcodes
tend to be 2-dids long, so you won't have any trouble there. Once inside the
answerphone you will be able to do various things, such as listen to all of
the messages. Here is an example of what functions you will get inside one:

1. Menu
2. Play new messages
3. Turn machine ON/OFF
4. Play previous messages
5. Play all
6. Skip message
7. Repeat message
8. Play out-going greeting (OGM)
9. Record NEW OGM, 9-stop recording.
0- Erase message

If you get into a large company's voicemail system, you will hear LOADS of 
interesting stuff. Here is a small list of some of the things I have heard:

-Conference numbers/codes
-Employee calling cards
-Workstation logins/passcodes
-Generally how well the Corp is doing (shares ;)
-People's bank details/PINs etc (I'm not going to name any banks)
-Various other confidential stuff.

Also you should hear some of the stuff on the CIA's AUDIX system! haha
US toll-free number 1-800-280-1445. *8 dial eXt 22222, then login to the 
Admin box, *7, 22222 passcode 22222- not too intelligent are they? MI5 also
have a Meridian Mail system, but I'm not going no-where near that! 

It can also be interesting to listen to various Telcos' VMB systems, example:

Vear Communications: 0800-962-832. 000-1234 Admin box

You should hear some of the stuff I have heard on certain (un-named) phone
companies' VMBs.. All I can say here is, If you're reading this [¿], thanx for
the lovely test line codes. ;)



My favourite side of phreaking! A Teleconference system will allow you to
talk to LOADS of people simultaneously. Basically you and other people dial
into a number, enter an access code.. and you're in. There are loads of 
different systems out there, most of them are in the country direct 
prefixes, so if you get one of these get the system operator and ask for the
US -1-800 number, you will then be able to give the number to people in the
US. The system you are most likely to come across are Centrex conference
bridges. When you ring 1 of these numbers you will either get a live 
operator who will ask you for a passcode and the host of the conf, or if
you are lucky you will get an automated attendant which will ask you for a
conf ID code (usually 4-did) If you come across this there are 3 ways you
can get a conf. 

Example: 0800-898-734

1. You could guess the ID code and join the conf. Wait until ALL of the
   legit attendees have left, then tell all of the people you want to 
   attend your conf. The conf will auto-extend as long as there are people
   in it all of the time.

2. You could dial the number and hit 0 for the operator. Tell her that you
   have just been paged to attend a conf on this number, that starts at a
   certain time, ie- 12pm. (Remember time zones) She will then look up
   what confs are scheduled for that time, and if she is stupid will give
   you the conf info!

3. Ring the number and say you need to setup a conf. (WARNING! use a string
   of PBXs, or a phone-box, they may try and trace the person who set up 
   the call) The operator will give you the conf reservation number, which
   will be a US 1-800 number, so you will need a PBX anyways to dial it.

Checklist before ringing the conf reservation line:

-False name, Company name and US phone number (go through a US zine)

-They may ask for a Credit Card for validation, although the call is charged
 to the phone number you tell them.

-Time/Date you want to set up the conf

-How many people are going to be dialing in, and the duration of the call

Call up the 1-800 reservation line and say something like the following:

Her. [Welcome to ABCD teleconferencing, how may I help you?]
You. [Hi, this is John Smith from playboy corporation, I'd like to set up
      a conference call]
Her. [OK, Sir.. I'm going to need your billing information, Can I have the
      billing phone number for your company?]
You. [Sure, it's 510-555-1212.. I'm going to be out of the office today, but
      you can tell the operator to leave me a message...]
Her. [Your billing address?]- Make sure the address matches the number
You. [12 inatree avenue, blah blah blah, ZIP code 31337]
Her. [Reads out your billing information, and informs you that the bill will
      appear on your phone bill]
You. [Sure, that's ok... Erm, how much will it cost for each participant?]
Her. [48c a minute per person]
You. [That's good value!]
Her. [What time do you want your conf to start?]
You. [ASAP, erm.. How about in 15 mins?]
Her. [OK, how many people will be dialing in?] -Don't be dumb!
You. [I am expecting 10 people to attend] -The conf will allow more
Her. [How long will the duration of the call be?]
You. [About 1-2 hours] -it will auto-extend
Her. [OK Sir, Your call has been scheduled, the dial in number for your 
      participants will be 1-800-xxx-xxxx and will be activated in 10 Mins.
      The PIN code for your call is xxxx]
You. [OK thanxs a lot]
Her. [OK thanxs for using blah blah blah teleconferencing service, and have
      a nice day!]
You. [OK, cya l8er Baby]

Your conf will then be set up, make sure you don't call directly into your 
conf, if they see you are the first to join, they will know you set it up! 
So go through PBX's and stuff. Calls set up this way don't usually last 
long, only about 1-2 hours.. But are phun while they last. Once inside your 
conf there will be various DTMF tone controlled options, here is a list of the 
most common on these types of system:

71# lock meeting
70# un-lock meeting
81# Mute everyone's phone so they can only hear you talking
80# Un-mute everyone's phone
61# mute your own phone
60# un-mute your own phone

That's just 1 of the conf systems I have come across, there are tons more 
out there. The conf system I like to use the most is called 'MeetingPlace' 
produced by a company called Latitude Communications. Meeting Place is a 
powerful teleconferencing system designed to accommodate up to 120 ports in
any combination of simultaneous conference calls. 
Meeting Place is not generally available to the public, it is designed to 
be attached to eXtensions of corporations and companies that require a 
private teleconferencing system to communicate with other employees and 
associates. Meeting Place can also be found on some direct-dial 800 numbers.
Unlike other teleconferencing systems such as AT&T's Conference service, 
Latitude Meeting Place is much more advanced, allowing multi-user 
configuration and automated user interfaces. Basically with these systems 
you dial up the number, enter your profile number and schedule confs, via
automated user menus, the advantages being you don't need to do any
social engineering. I have written a VERY detailed phile on MeetingPlace, 
you should be able to find a copy at or in various other
places, it will go into detail on how to 'hack' a MeetingPlace system.



Ionica are a fairly new Telco in the UK. Basically they are rivals with BT.
Instead of using wires to carry voice data, Ionica is based on radio 
transmissions to base towers. Here is a simple diagram of how Ionica works:
(excuse my crude ASCII drawing)
Base transmitting           
Equipment at house
Ie- Decryption/encryption          Transceiver tower. Decoder/Encoder
radio equipment.                _/ Base station.
   |                           /
  /                           /
			    |\         _____       ____         _______
 /|                         | \       |     |____-|    |_______/
| |>.>.>.>.>.>.>.>.>.>.>.>.>|  |======|     |____-|    |        ______
| |>.>.>.>.>.>.>.>.>.>.>.>.>|  |======|     |____-|____|_______/
 \|                         | /       |_____|        \______________
					  Digital Switching Network

I should be writing a VERY detailed phile on the Ionica Network soon. Here
are ALL of Ionica's * services, I scanned these because I need to find the
Ionica test line, the equivalent to 17070 etc. 

		       ...Full [*] service scan...

*00#            not available from this line
*02*37#         not available from this line
*03*37*         not available from this line }na
*21*            not available from this line
*227#           not available from this line
*231**          dial a number
*25*            na
*261#           na
*27#            same as [1471] 
*28#            you have no new calls to return
*331#           bars out going calls
*352#           na
*351*           na
*37#            sorry, ring back service cannot be used on this call
*40#            na
*411#           na
*43#            call waiting is in operation
*44*            [security code] * phone number # -you have dialed incorrectly
*471*           na
*51*            na
*52#            na
*53*            na
*54#            na
*55*            na
*56*            na
*61*            na
*62*            na
*64*            [security code] * phone number # -you have dialed incorrectly
*65*            [security code] * phone number # -you have dialed incorrectly
*66*            na
*67*            na
*68*            na
*72*            na
**1             na
**2             na
**3             na
**4             na
**5             na
**6             na
**7             na
**8             na
**9             na
**0             na
#21#            na
#02*37#         na
#03*37*         na
#227#           na
#234#           na
#25#            na
#261#           na
#331*           na
#341*           [security code] #
#342*           same
#343*           same
#344*           same  } call barring cancellers 
#345*           same
#346*           same
#351*           na
#37*            *anything# ringback request cancelled
#411#           na
#43#            call waiting cancelled
#44*            [security code] same as before
#471*           na
#51*            na
#51#            na
#52#            na
#53#            na
#55#            na
#56*            na
#56#            na
#61#            na
#62#            na
#64*            [security code] same as before
#65*            same as above
#66#            na
#67#            na
#68#            na
#72#            na
*#02*37#        na
*#03*37#        na
*#21#           na
*#227#          na
*#234#          na
*#25#           na
*#261#          na
*#331#          na
*#34#           tells you what call barring is in operation
*#35#           na
*#37*           dial the number of the ringback request you wish to control
*#441#          na
*#43#           call waiting is in operation
*#44*           [security code] same as before
*#51*           na
*#51#           na
*#52#           na
*#53#           na
*#55#           na
*#56#           na
*#61#           na
*#62#           na
*#64*           [security code] same as before
*#65*           same as above
*#67#           na
*#68#           na

	    ...Funny things I have noticed about ionica...

* On rare occasions I have dropped into other people's conversations, I can hear
  them but they can't hear me.

* On 1 occasion the phone rang, I picked up and I heard 2 people talking 
  to each other. Again they could not hear me.

* In the early hours of the morning, usually about 3am, sometimes the phone
  seizes, and I can hear an alternating tone. This tone is usually present
  for exactly 1 hour (3am-4am) No dialtone can be retrieved. This has
  happened when I have been talking to someone, and even when I was in the
  middle of dialing a number. I have a suspicion that this may be some kind 
  of test tone, considering the hours at which it happens... 

* If I hit * 4 times a tone is emitted... it will stop after a while. When
  someone tries to phone me, while the tone is present or after it has stopped
  they will hear no ring, but drop directly onto my line. Again I can hear
  them, but they can't hear me. 

* If you listen to the earpiece very carefully and gently push the hang-up 
  button, you can hear people talking for about a second or so. 

* Also I have noticed a lack of test numbers for ionica, so I decided to try
  out all of their [*] services to see if there was anything interesting


			 How to Get/Not get busted:

It can be very easy to get busted phreaking in the UK if you are not 
careful. If you follow the 1 golden 'rule' of phreaking (common sense) you
should be OK. Here are some simple guidelines to help you:

-Never BlueBox or 'manipulate' the switching system from home, if you can be
 bothered, use a phone box. :)

-Never heavily (ab)use a PBX from home. If you do use PBXs from home, you 
 should route your call through a string of PBXs before placing a call. 
 Even if you do this, it can be easy for the gestapo to find you, due to
 PBX internal logs.. They can trace you through a process called 'hopping'.
 It is a good idea to 'sit' on a PBX system for a few minutes before dialing
 out.. While you are sitting on a system, other legit users will be making 
 calls, it will be harder for them to guess which calls you made, since your 
 call will be mixed in with others.

-Don't let anyone know you are a phreak, some people can be real bastards..
 all they have to do is ring BT, or whatever and tell them what you are doing.
 They will then place a Monolouge on your line which will record all DTMF
 tones you emit. This will be used as evidence against you.

-Don't EVER tell ANYONE your real name, or any other self descriptive info.

-Don't trust ANYONE.

-Never dial direct into ANYTHING, even a VMB. Always route your call as 
 described before.

-Don't go on IRC with your own nick.

-Never dial your own number with a PBX.

-Don't scan too much in a short amount of time, spread your scans out over a
 long time period.

-Encrypt your WHOLE hard drive, have a 'logic bomb' ready to overwrite and 
 completely shred any information that could be used against you.

-When communicating through email always use strong encryption techniques
 such as PGP.

-Keep all mobile communications equipment anonymous, ie- Cell phones, pagers.

-Never post to Newsgroups from your own box, if you do post, do it 

-Never sell PBXs or any other code, if that person gets busted they WILL
 blame it on you.

-If someone manages to get your doc's, STOP phreaking. Detach yourself from
 the phreaking community for a long period of time.. Come back with a 
 different nick and tougher security.

-Phone your Telco and get them to automatically block your CLID.

-Use your brain! phreaking isn't just about exploring the phone network, it's
 also about out-smarting people, think 9 steps ahead!

If you follow these simple 'rules' you should be fine, it's just common sense
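
Seen from the PBX owner's side, the log tracing mentioned in the PBX item above comes down to matching an inbound leg to the outbound leg that sits inside it and ends with it. This is an added example, not from the original file; the record layout and every row in it are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed call records: (leg id, direction, start, end, remote party).
# The field layout is an assumption for this example, not a real PBX format.
CDRS = [
    ("in-1",  "in",  "02:10:00", "02:41:30", "withheld"),
    ("out-1", "out", "02:11:05", "02:14:40", "local-A"),   # ordinary user call
    ("out-2", "out", "02:16:20", "02:41:29", "intl-B"),    # drops with in-1
    ("out-3", "out", "02:20:00", "02:50:00", "local-C"),   # outlives in-1
    ("in-2",  "in",  "09:00:00", "09:05:00", "customer"),
]

def parse(clock):
    """Parse an HH:MM:SS time of day (all sample rows fall on one day)."""
    return datetime.strptime(clock, "%H:%M:%S")

def pair_legs(cdrs, tolerance_s=3):
    """Map each inbound leg to the outbound legs that could be riding on it.

    An outbound leg is a candidate when it starts after the inbound leg and
    ends no later than it (plus a small clock tolerance). A candidate whose
    end time matches the inbound end is marked "strong": a pass-through call
    drops both legs together, however long the caller waited before dialing.
    """
    tol = timedelta(seconds=tolerance_s)
    inbound = [c for c in cdrs if c[1] == "in"]
    outbound = [c for c in cdrs if c[1] == "out"]
    result = {}
    for in_id, _, in_start, in_end, _ in inbound:
        start, end = parse(in_start), parse(in_end)
        matches = []
        for out_id, _, out_start, out_end, _ in outbound:
            o_start, o_end = parse(out_start), parse(out_end)
            if o_start >= start and o_end <= end + tol:
                gap = abs((end - o_end).total_seconds())
                strength = "strong" if gap <= tolerance_s else "contained"
                matches.append((gap, out_id, strength))
        if matches:
            # Smallest end-time gap first, so the best match leads the list.
            result[in_id] = [(oid, s) for _, oid, s in sorted(matches)]
    return result

if __name__ == "__main__":
    for in_id, legs in pair_legs(CDRS).items():
        print(in_id, legs)
```

Repeating the same join on the next system's records, starting from the inbound leg's source, is what walks a chain back one PBX at a time.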


		      Final Misc Phreaking Tips: ;)

-ALL VodaPhone voicemail services have a default passcode of 3333. If you
 know someone with a VodaPhone, ring it when you know the voicemail will
 come on. Hit 9, then 3333. You will then be able to change the person's OGM
 and listen to their messages etc.

-ALL BT pagers have a default passcode of 0893. To enter someones pager, 
 phone it and enter * at the OGM, you will be prompted for a passcode, enter
 0893. You will then be able to do a variety of things, discussed in another
 phile of mine.

-Most extender tones will have a passcode of 9999.

-Most OCTEL VMB system Admin boxes will be 9999, the passcode is another 
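
For anyone administering a voicemail system, the box-number passcodes from the Information Gathering section and the defaults listed above are exactly what a PIN audit looks for. The following is an added example, not part of the original file: the export layout, the MIN_LENGTH policy value and all sample rows are assumptions constructed for illustration.

```python
import csv
import io

KNOWN_DEFAULTS = {"3333", "0893", "9999"}   # defaults named in this file
MIN_LENGTH = 6                               # assumed policy, not from the file

# Constructed sample export: mailbox number and its current PIN.
SAMPLE_EXPORT = """box,pin
2001,2001
2002,48
2003,9999
2004,1234
2005,593817
2006,0893
"""

def is_run(pin):
    """True for straight digit runs such as 1234 or 8765."""
    if not pin.isdigit() or len(pin) < 3:
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})

def pin_findings(box, pin):
    """Return the list of policy violations for one mailbox PIN."""
    findings = []
    if pin == box:
        findings.append("equals-box-number")
    if pin in KNOWN_DEFAULTS:
        findings.append("known-default")
    if len(pin) < MIN_LENGTH:
        findings.append("too-short")
    if len(set(pin)) == 1:
        findings.append("repeated-digit")
    if is_run(pin):
        findings.append("sequential")
    return findings

def guess_probability(pin_length, attempts_before_lockout):
    """Chance that blind guessing hits a uniformly random PIN before lockout."""
    return min(1.0, attempts_before_lockout / 10 ** pin_length)

def audit(export_text):
    """Map box number -> findings for every box with at least one finding."""
    report = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        found = pin_findings(row["box"], row["pin"])
        if found:
            report[row["box"]] = found
    return report

if __name__ == "__main__":
    for box, found in audit(SAMPLE_EXPORT).items():
        print(box, ", ".join(found))
    print("2-digit PIN, 3 tries:", guess_probability(2, 3))
    print("6-digit PIN, 3 tries:", guess_probability(6, 3))
```

The same pin_findings check can be applied when a user sets a new PIN, so a weak value is rejected before it is ever stored.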

A few cool numbers: (I just had to put these in!) ;7)

2600 =VOICE= BBS! (US number) [001]- 516-473-2626... Why can't we have 
something cool like this in the UK!?

DEFC0N =VOICE= BBS! (US number) [001]- 801-855-3326, you can sometimes find
me on the voice bridge. 

A few Carriers I have found:

0800-897-903 'Call Intercepted by DEFENDER 5000.. Unauthorised use of this
	      System is PROHIBITED'

0800-897-982 'Max 200 Server 2.01'

0800-897-967 'AT&T Info Access System' -guest/guest.. Telnet prompt.

0800-963-101 'WebTV

0800-897-359 'Starting RADIUS Authentication @UserID

0800-897-307 'PIPELINE Terminal Server'

Anyway that's it for this phile, I hope you have found it useful. If you
need more detailed information, keep an eye on the DarkCYDE_Communications
website, it will be updated constantly.

-Peace.          ,
		/(       )`
		\ \__   / |
		/- _ `-/  '
	       (/\/ \ \   /\ 
	       / /   | `    \  
	       O O   )      |    
	       `-^--'`<     '  
	      (_.)  _ )    /   
	       `.___/`    /   
		 `-----' /
    <----.     __ / __   \   
    <----|====O)))==) \) /==== Hybrid
    <----'    `--' `.__,' \
		 |         |
		  \       /  
	      ____( (_   / \______
	    ,'  ,----'   |        \ 
	    `--{__________)       \/

                    ___ ___ _____.___.____________________  ____________
                   /   |   \\__  |   |\______   \______   \/_   \______ \
                  /    ~    \/   |   | |    |  _/|       _/ |   ||    |  \
                  \    Y    /\____   | |    |   \|    |   \ |   ||    `   \
----------------   \___|_  / / ______| |______  /|____|_  / |___/_______  /
                         \/  \/               \/        \/              \/


