Hackers Unlimited 01
The Mickey Mouse Club Presents...
Hackers Unlimited
Magazine
Volume 1
Issue 1
Released 10/02/89
Editors: The Dark Lord, Cardiac Arrest
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Hackers Unlimited
Volume 1, Issue 1
Table Of Contents
 #  Title                                          Author
------==========================================-------------------------------
 1  How Ma Bell Crushed The Blue Box               Cardiac Arrest
 2  Beige Boxing                                   Cardiac Arrest
 3  Basic Information About Credit Cards           Midnight Caller
 4  MMC Guide To Hacking, Phreaking, Carding       The Dark Lord
 5  A Novice's Guide To Hacking - 1989 Ed.         The Mentor
 6  Cable Piracy                                   Psycho Bear
 7  Pyro File 1                                    Fallen Angel
 8  Pyro File 2                                    Fallen Angel
 9  Pyro File 3                                    Fallen Angel
10  Social Engineering                             Fallen Angel
11  Listings                                       Compilations
12  Closing Notes                                  Editors
------==========================================-------------------------------
Downloaded From P-80 International Information Systems 304-744-2253 12yrs+
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"The Blue Box And Ma Bell"
Herb Friedman, Communications Editor
Radio-Electronics Magazine
November 1987
Typed By :
Cardiac Arrest
Before the breakup of AT&T, Ma Bell was everyone's favorite enemy. So it was
not surprising that so many people worked so hard and so successfully at
perfecting various means of making free and untraceable telephone calls.
Whether it was a "Red Box" used by Joe and Jane College to call home, or a
"Blue Box" used by organized crime to lay off untraceable bets, the technology
that provided the finest telephone system in the world contained the seeds of
its own destruction.
The fact of the matter is that the Blue Box was so effective at making
untraceable calls that there is no estimate as to how many calls were made or
who made them. No one knows for certain whether Ma Bell lost revenues of $100,
$100-million, or $1-billion on the Blue Box. Blue Boxes were so effective at
making free, untraceable calls that Ma Bell didn't want anyone to know about
them, and for many years denied their existence. They even went as far as
strong-arming a major consumer science magazine into killing an article that
had already been prepared on the Blue and Red boxes. Further, the police
records of a major city contain a report concerning a break-in at the residence
of the author of that article. The only item missing following the break-in
was the folder containing copies of the earliest Blue-Box designs and a
Bell-System booklet that described how subscriber billing was done by the AMA
machine--a booklet that Ma Bell denied ever existed [article includes picture
proving otherwise - Cardiac]. Since the AMA (Automatic Message Accounting)
machine was the means whereby Ma Bell eventually tracked down both the Blue
and Red Boxes, we'll take time out to explain it. Besides, knowing how the AMA
machine works will help you to better understand "phone phreaking."
WHO MADE THE CALL
Back in the early days of the telephone, a customer's billing was
originated in a mechanical counting device, which was usually called a
"register" or a "meter." Each subscriber's line was connected to a meter that
was part of a wall of meters. The meter clicked off the message units, and
once a month someone simply wrote down the meter's reading, which was later
converted into message-unit billing for those subscribers who were charged
by the message unit. (Flat-rate subscribers could make unlimited calls only
within a designated geographic area. The meter clicked off message units for
calls outside that area.) Because eventually there were too many meters to
read individually, and because more subscribers started questioning their
monthly bills, the local telephone companies turned to photography. A
photograph of a large number of meters served as an incontestable record of
their reading at a given date and time, and was much easier to convert to
customer billing by the accounting department.
As you might imagine, even with photographs billing was cumbersome and
did not reflect the latest technical developments. A meter didn't provide any
indication of what the subscriber was doing with the telephone, nor did it
indicate how the average subscriber made calls or the efficiency of the
information service (how fast the operators could handle requests). So the
meters were replaced by the AMA machine. One machine handled up to 20,000
subscribers. It produced a punched tape for a 24-hour period that showed,
among other things, the time a phone was picked up (went off-hook), the number
dialed, the time the called party answered, and the time the originating phone
was hung up (placed on-hook).
One other point, which will answer some questions that you're certain
to think of as we discuss the Red and Blue boxes: Ma Bell did not want persons
outside their system to know about the AMA machine. The reason? Almost
everyone had complaints--usually unjustified--about their billing. Had the
public been aware of the AMA machine they would have asked for a monthly list
of their telephone calls. It wasn't that Ma Bell feared errors in billing;
rather, they were fearful of being buried under an avalanche of paperwork and
customer complaints. Also, the public believed their telephone calls were
personal and untraceable, and Ma Bell didn't want to admit that they knew about
the who, when, and where of every call. And so Ma Bell always insisted that
billing was based on a meter unit that simply "clicked" for each message unit;
that there was no record, other than for long-distance calls, as to who called
whom. Long distance was handled by an operator, who also wrote up the billing
information, so there was a written record Ma Bell could not deny.
The secrecy surrounding the AMA machine was so pervasive that local,
state, and even federal police were told that local calls made by criminals
were untraceable, and that people who made obscene telephone calls could not be
tracked down unless the person receiving the calls could keep the caller on the
line for some 30 to 50 minutes so the connections could be physically traced by
technicians. Imagine asking a woman or child to put up with almost an hour's
worth of the most horrendous obscenities in the hope someone could trace the
line. Yet in areas where the AMA machine had replaced meters, it would have
been a simple, though perhaps time-consuming, task to track down the numbers
called by any telephone during a 24-hour period. But Ma Bell wanted the AMA
machine kept as secret as possible, and so many a criminal was not caught, and
many a woman was harried by the obscene calls of a potential rapist, because
the existence of the AMA machine was denied.
As a sidelight as to the secrecy surrounding the AMA machine, someone
at Ma Bell or the local operating company decided to put the squeeze on the
author of the article on Blue Boxes, and reported to the Treasury Department
that he was, in fact, manufacturing them for organized crime--the going rate in
the mid-1960's was supposedly $20,000 a box. (Perhaps Ma Bell figured the
author would get the obvious message: Forget about the Blue Box and the AMA
machine or you'll spend lots of time, and much money on lawyer's fees to get
out of the hassles it will cause.) The author was suddenly visited at his
place of employment by a Treasury agent. Fortunately, it took just a few
minutes to convince the agent that the author was really just that, and not
a technical wizard working for the mob. But one conversation led to
another, and the Treasury agent was astounded to learn about the AMA machine.
(Wow! Can an author whose story is squelched spill his guts.) According to
the Treasury agent, his department had been told that it was impossible to get
a record of local calls made by gangsters: The Treasury Department had never
been informed of the existence of automatic message accounting. Needless to
say, the agent left with his own copy of the Bell System publication about the
AMA machine, and the author had an appointment with the local Treasury-Bureau
director to fill him in on the AMA Machine. That information eventually ended
up with Senator Dodd, who was conducting a congressional investigation into,
among other things, telephone company surveillance of subscriber lines--which
was a common practice for which there were detailed instructions in Ma Bell's
own switching equipment ("crossbar") manual.
THE BLUE BOX
The Blue Box permitted free telephone calls because it used Ma Bell's
own internal frequency-sensitive circuits. When direct long-distance dialing
was introduced, the crossbar equipment knew a long-distance call was being
dialed by the three-digit area code. The crossbar then converted the dial
pulses to the CCITT tone groups, shown in Table 1 [I'll put the table in at
the end of the file - Cardiac], that are used for international and trunk-line
signalling. (Note that those do not correspond to Touch-Tone frequencies.) As
you can see in that table, the tone groups represent more than just numbers;
among other things there are tone groups identified as KP (prime) and ST
(start)--keep them in mind. When a subscriber dialed an area code and a
telephone number on a rotary-dial telephone, the crossbar automatically
connected the subscriber's telephone to a long-distance trunk, converted the
dial pulses to CCITT tones sent out on the long-distance trunk that set up or
selected the routing, and caused electro-mechanical equipment in the target city
to dial the called telephone.
Operator-assisted long-distance calls worked the same way. The
operator simply logged into a long-distance trunk and pushed the appropriate
buttons, which generated the same tones as direct-dial equipment. The button
sequence was KP (which activated the long-distance equipment), then the
complete area code and telephone number. At the target city, the connection
was made to the called number but ringing did not occur until the operator
there pressed the ST button. The sequence of events of early Blue Boxes went
like this: The caller dialed information in a distant city, which
caused his AMA machine to record a free call to information. When the
information operator answered, he pressed the KP key on the Blue Box, which
disconnected the operator and gave him access to a long-distance trunk. He
then dialed the desired number and ended with an ST, which caused the target
phone to ring. For as long as the conversation took place, the AMA machine
indicated a free call to an information operator. The technique required a
long-distance information operator because the local operator, not being on a
long-distance trunk, was accessed through local wire switching, not the CCITT
tones.
CALL ANYWHERE
Now imagine the possibilities. Assume the Blue Box user was in
Philadelphia. He would call Chicago information, disconnect from the operator
with a KP tone, and then dial anywhere that was on direct-dialing service: Los
Angeles, Dallas, or anywhere in the world if the Blue Boxer could get the
international codes.
The legend often told of one Blue Boxer who, in the 1960's, lived in
New York and had a girlfriend at a college near Boston. Now back in the
1960's, making a telephone call to a college town on the weekend was even more
difficult than it is today to make a call from New York to Florida on a
reduced-rate holiday using one of the cut-rate long-distance carriers. So our
Blue Boxer got on an international operator's circuit to Rome, Blue Boxed
through to a Hamburg operator, and asked Hamburg to patch through to Boston.
The Hamburg operator thought the call originated in Rome and inquired as to the
"operator's" good English, to which the Blue Boxer replied that he was an
expatriate hired to handle calls by American tourists back to their homeland.
Every weekend, while the Northeast was strangled by reduced-rate long-distance
calls, our Blue Boxer had no trouble sending his voice almost 7,000 miles for
free.
VACUUM TUBES
Assembly plans for Blue Boxes were sold through classified
advertisements in the electronic-hobbyist magazines. One of the earliest
designs was a two-tube portable model that used a 1.5-volt "A" battery for the
filaments and a 125-volt "B" battery for the high-voltage (B+) power supply.
The portable Blue Box's functional circuit is shown in Fig. 2 [It's nothing you
can't find in any good Blue Box g-file, so I won't try to draw it - Cardiac].
It consisted of two phase-shift oscillators sharing a common speaker that mixed
the tones from both oscillators. Switches S1 and S2 each represent 12
switching circuits used to generate the tones. (No, we will not supply a
working circuit, so please don't write in and ask--Editor) [That's the real
editor, not me - Cardiac] The user placed the speaker over the telephone
handset's transmitter and simply pressed the buttons that corresponded to the
desired CCITT tones. It was just that simple.
Actually, it was even easier than it reads because Blue Boxers
discovered they did not need the operator. If they dialed an active telephone
located in certain nearby, but different, area codes, they could Blue Box just
as if they had Blue Boxed through an information operator's circuit. The
subscriber whose line was used found his phone dead; if the Blue Box
conversation was short, the "dead" phone suddenly came to life the next time it
was picked up. Using a list of "distant" numbers, a Blue Boxer would never
hassle any one subscriber enough to make him complain to the telephone
company. The difference between Blue Boxing off a subscriber rather
than an information operator was that the Blue Boxer's AMA tape indicated a real
long-distance telephone call--perhaps costing 15 or 25 cents--instead of a
freebie. Of course, that is the reason why when Ma Bell finally decided to go
public with "assisted" newspaper articles about the Blue Box users they had
apprehended, it was usually about some college kid or "phone phreak." One
never read of a mobster being caught. Greed and stupidity were the reasons why
the kids were caught. It was the transistor that led to Ma Bell going public
with the Blue Box. By using transistors and RC phase-shift networks for the
oscillators, a portable Blue Box could be made inexpensively, and small enough
to be used unobtrusively from a public telephone. The college crowd in the
many technical schools went crazy with the portable Blue Box; they could call
the folks back home, their friends, or get a free network (the Alberta and
Carolina connections--which could be a topic for a whole separate article) and
never pay a dime to Ma Bell. Unlike the mobsters who were willing to pay a
small long-distance charge when Blue Boxing, the kids wanted it all
free, and so they used the information operator routing, and would often talk
"free-of-charge" for hours on end.
Ma Bell finally realized that Blue Boxing was costing them big bucks,
and decided a few articles on the criminal penalties might scare the Blue
Boxers enough to cease and desist. But who did Ma Bell catch? The college
kids and the greedies. When Ma Bell decided to catch the Blue Boxers she
simply examined the AMA tapes for calls to an information operator that were
excessively long. No one talked to an operator for 5, 10, 30 minutes, or
several hours. Once a long call to an operator appeared several times on an
AMA tape, Ma Bell simply monitored the line and the Blue Boxer was caught.
(Now do you understand why we opened with an explanation of the AMA machine?)
If the Blue Boxer worked from a telephone booth, Ma Bell simply monitored the
booth. Ma Bell might not have known who originated the call, but she did know
who got the call, and getting that party to spill their guts was no problem.
The mob and a few Blue Box hobbyists (maybe even thousands) knew of the AMA
machine, and so they used a real telephone number for the KP skip. Their AMA
tapes looked perfectly legitimate. Even if Ma Bell had told the authorities
they could provide a list of direct-dialed calls made by local mobsters, the
AMA tapes would never show who was called through a Blue Box. For example, if
a bookmaker in New York wanted to lay off some action in Chicago, he could make
a legitimate call to a phone in New Jersey and then Blue Box to Chicago. Of
course, automatic tone monitoring, computerized billing, and ESS (Electronic
Switching Systems) now make that all virtually impossible. But that's the way it
was.
You might wonder how Ma Bell discovered the tricks of the Blue Boxers.
Simple, they hired the perpetrators as consultants. While the initial
newspaper articles detailed the potential jail penalties for apprehended Blue
Boxers, except for Ma Bell employees who assisted a Blue Boxer, it is almost
impossible to find an article on the resolution of the cases because most
hobbyist Blue Boxers got suspended sentences and/or probation if they assisted
Ma Bell in developing anti-Blue Box techniques. It is asserted, although it
can't be easily proven, that cooperating ex-Blue Boxers were paid as
consultants. (If you can't beat them, hire them to work for you.)
Should you get any ideas about Blue Boxing, keep in mind that modern
switching equipment has the capacity to recognize unauthorized tones. It's the
reason why a local office can leave their subscriber Touch-Tone circuits
active, almost inviting you to use the Touch-Tone service. A few days after
you use an unauthorized Touch-Tone service, the business office will call and
inquire whether you'd like to pay for the service or have it disconnected. The
very same central-office equipment that knows you're using Touch-Tone
frequencies knows if your line is originating CCITT signals.
THE RED BOX
The Red Box was primarily used by the college crowd to avoid charges
when frequent calls were made between two particular locations, say the college
and a student's home. Unlike the somewhat complex circuitry of the Blue Box, a
Red Box was nothing more than a modified telephone; in some instances nothing
more than a capacitor, a momentary switch, and a battery. As you recall from
our discussion of the Blue Box, a telephone circuit is really
established before the target phone ever rings, and the circuit is capable of
carrying an AC signal in either direction. When the caller hears the ringing
in his or her handset, nothing is happening at the receiving end because the
ringing signal he hears is really a tone generator at his local telephone
office. The target (called) telephone actually gets its 20 pulses-per-second
ringing voltage when the person who dialed hears nothing--in the "dead" spaces
between hearing the ringing tone. When the called phone is answered and taken
off hook, the telephone completes a local-office DC loop that is the signal to
stop the ringing voltage. About three seconds later the DC loop results in a
signal being sent all the way back to the caller's AMA machine that the called
telephone was answered. Keep that three-second AMA delay in mind. (By now you
should have a pretty good idea of what's coming!) [I'm skipping a paragraph
talking about how a telephone circuit works. It is referring to a
simple phone schematic that isn't worth drawing, so I omitted the whole
paragraph - Cardiac] Now as we said earlier, the circuit can actually carry AC
before the DC loop is closed. The Red Box is simply a device that
provides a telephone with a local battery so that the phone can generate an AC
signal without having a DC connection to the telephone line. The earliest of
the Red Boxes was the surplus military field telephone, of which there were
thousands upon thousands in the marketplace during the 1950's and 1960's. The
field telephone was a portable telephone unit having a manual ringer worked by
a crank--just like the telephone Grandpa used on the farm--and two D-cells. A
selector switch set up the unit so that it could be connected to a combat
switchboard, with the DC power supplied by the switchboard. But if a combat
unit wasn't connected to a switchboard, and the Lieutenant yelled "Take a
wire," the signalman threw a switch on his field telephone that switched in the
local batteries. To prevent the possibility of having both ends of the
circuit feeding battery current into the line in opposite polarity--thereby
resulting in silence--the output from the field telephone when running from its
internal batteries was only the AC representing the voice input, not modulated
DC. [I omitted the next two paragraphs, which talk about how to make one. It
too has a complicated schematic, so I won't draw it. It's the same stuff you
get from any Red Box g-file - Cardiac]
PRESS ONCE TO TALK
The Red Box was used at the receiving end; let's assume it's the old
homestead. The call was originated by Junior (or Sis) at their college 1000
miles away from home. Joe gave the family one ring and then hung up, which
told them that he's calling. Pop set up the Red Box. Then Junior redialed the
old homestead. Pop lifted the handset when the phone rang. Then Pop closed a
momentary-switch for about a half-second, which caused the local telephone
office to silence the ringing signal. When Pop released the switch, the folks
could talk to Junior without Junior getting charged because his AMA tape did not
show his call was answered--the DC loop must be closed for at least
three seconds for the AMA tape to show Junior's call was answered. All the AMA
tape showed is that Junior let the phone ring at the old homestead for almost
30 minutes; a length of time that no Bell Operating Company is likely to
believe twice!
A modern Red Box is simply a conventional telephone that's been modified to
emulate the vintage 1940 military field telephone. Aside from the fact that
the operating companies can now nail every Red Box user because all modern
billing equipment shows the AMA information concerning the length of time a
caller let the target phone ring, its use has often put severe psychological
strain on the users.
[I omitted another paragraph here. It was just some closing stuff.
Nothing special - Cardiac]
There are no hard facts concerning how many Red Boxes were in use, or
how much money Ma Bell lost, but one thing is known: she had little difficulty
in closing down Red Boxes in virtually all instances where the old folks were
involved because Mom and Pop usually would not tolerate what to them was
stealing. If you as a reader have any ideas about using a Red Box, bear in
mind that the AMA machine (or its equivalent) will get you every time, even if
you use a phone booth, because the record will show the number being called,
and as with the Blue Box, the people on the receiving end will spill their guts
to the cops.
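The way Ma Bell ran the Blue and Red Boxers down, as the article tells it, comes down to two queries over the AMA tape: repeated, implausibly long calls to an information operator, and calls left ringing for half an hour that were never answered. The following is an added example, not code from the Radio-Electronics article or from this magazine, that runs both checks over a constructed tape. The pipe-delimited record layout, the field names, the thresholds and the sample records are all assumptions made here; the real AMA tape format is not given in the article.

```python
"""Screening AMA-style call records for the two patterns the article describes.

Added example, not code from the Radio-Electronics article or from Hackers
Unlimited. The pipe-delimited record layout, field names, thresholds and the
sample tape below are constructed for illustration; the real AMA tape format
is not described on the page.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

TIME_FMT = "%Y-%m-%d %H:%M:%S"


@dataclass
class AmaRecord:
    line: str                     # originating subscriber line
    dialed: str                   # digits dialed, as written on the tape
    off_hook: datetime            # originating handset lifted
    answered: Optional[datetime]  # called party answered; None if it never did
    on_hook: datetime             # originating handset replaced


def parse_record(text: str) -> AmaRecord:
    """Parse one constructed record: line | dialed | off-hook | answered | on-hook.
    A lone '-' in the answered field means the called phone never answered."""
    line, dialed, off_hook, answered, on_hook = [f.strip() for f in text.split("|")]
    return AmaRecord(
        line=line,
        dialed=dialed,
        off_hook=datetime.strptime(off_hook, TIME_FMT),
        answered=None if answered == "-" else datetime.strptime(answered, TIME_FMT),
        on_hook=datetime.strptime(on_hook, TIME_FMT),
    )


def is_information_call(dialed: str) -> bool:
    """Directory assistance in the North American numbering plan is 555-1212,
    dialed either locally or behind 1 + area code for a distant city."""
    digits = dialed.replace("-", "")
    return digits.endswith("5551212") and len(digits) in (7, 10, 11)


def conversation_seconds(r: AmaRecord) -> float:
    """Seconds between the called party answering and the caller hanging up."""
    if r.answered is None:
        return 0.0
    return (r.on_hook - r.answered).total_seconds()


def unanswered_seconds(r: AmaRecord) -> float:
    """Seconds an unanswered call was left ringing (off-hook to on-hook)."""
    if r.answered is not None:
        return 0.0
    return (r.on_hook - r.off_hook).total_seconds()


def flag_blue_box(records: List[AmaRecord], max_info_secs: float = 300,
                  min_hits: int = 2) -> Dict[str, List[AmaRecord]]:
    """Lines with repeated, implausibly long conversations with an information
    operator: the tape shows a free call to information while the Blue Boxer
    was actually talking to someone else. Both thresholds are assumptions."""
    hits: Dict[str, List[AmaRecord]] = {}
    for r in records:
        if is_information_call(r.dialed) and conversation_seconds(r) > max_info_secs:
            hits.setdefault(r.line, []).append(r)
    return {line: rs for line, rs in hits.items() if len(rs) >= min_hits}


def flag_red_box(records: List[AmaRecord], max_ring_secs: float = 180) -> List[AmaRecord]:
    """Calls never answered yet left ringing far longer than anyone waits: the
    Red Box pattern, where the far end talked without ever holding the DC loop
    closed long enough to register an answer."""
    return [r for r in records if unanswered_seconds(r) > max_ring_secs]


# Constructed sample tape: one day's records for six subscriber lines.
SAMPLE_TAPE = [
    "555-0101 | 1-312-555-1212 | 1989-09-30 19:02:10 | 1989-09-30 19:02:25 | 1989-09-30 19:41:03",
    "555-0101 | 1-213-555-1212 | 1989-09-30 21:15:40 | 1989-09-30 21:15:58 | 1989-09-30 22:07:12",
    "555-0102 | 1-312-555-1212 | 1989-09-30 10:30:00 | 1989-09-30 10:30:12 | 1989-09-30 10:30:58",
    "555-0103 | 1-617-555-0199 | 1989-09-30 20:00:05 | -                   | 1989-09-30 20:28:40",
    "555-0104 | 555-0150       | 1989-09-30 12:05:00 | 1989-09-30 12:05:09 | 1989-09-30 12:10:31",
    "555-0105 | 1-617-555-0188 | 1989-09-30 08:14:00 | -                   | 1989-09-30 08:14:45",
]


def screen_tape(tape: List[str]) -> Dict[str, List[str]]:
    """Run both checks over raw tape lines and return the suspect lines."""
    records = [parse_record(t) for t in tape]
    return {
        "blue_box_suspects": sorted(flag_blue_box(records)),
        "red_box_suspects": sorted({r.line for r in flag_red_box(records)}),
    }


if __name__ == "__main__":
    for kind, lines in screen_tape(SAMPLE_TAPE).items():
        print(f"{kind}: {', '.join(lines) or 'none'}")
```

On the sample tape, 555-0101 is flagged for two long "calls to information" and 555-0103 for a call that rang unanswered for nearly half an hour; 555-0102's 46-second information call and 555-0105's 45-second unanswered call pass as ordinary traffic. Note what the checks cannot see: the bookmaker's trick of Blue Boxing off a real subscriber in a neighboring area code shows up on the tape as an ordinary, answered, short toll call, which is exactly why the article says the AMA tapes never exposed the mob.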
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The Mickey Mouse Club's Guide To
-+ Beige Boxing +-
Written By :
Cardiac Arrest
[09/26/89]
Introduction : Well, I KNOW that nearly everybody and their brother knows how
~~~~~~~~~~~~ to beige box, but what magazine is complete without a file as
basic as that. Anyways, if you know how to beige box, and consider yourself
master beiger, skip this and go on to the next file. Otherwise, I'll try to
help beginners and maybe give some experienced boxers food for thought.
What IS Beige Boxing : If you've ever paid any attention to the phone
~~~~~~~~~~~~~~~~~~~~ company, you've definitely seen a guy in funny Ma Bell
overalls running around with a funny-looking telephone with gator clips coming
out the bottom. That's the Ma Bell version of the "beige box", called a
Lineman's Handset. There are literally TONS of uses for a beige box, and
they are simple to make, so it's usually a good introduction to the phreaking
world.
The Purpose Of This File : If even one person reads this file and learns
~~~~~~~~~~~~~~~~~~~~~~~~ something, I've accomplished what I set out to do
(how cliche, right?). But seriously, I'm going to attempt to provide several
easy methods of beige boxing. Some experienced beigers will definitely see
some familiar designs, but they might also see a new twist or two. I'll also
include (hopefully) easy but complete directions of some of the possibilities
for use.
Back To Reality : Ok, on with the file. There are about as many beige box
~~~~~~~~~~~~~~~ designs as there are uses, and with both, new ideas are
always popping up. The designs in this file are by no means the best designs.
I HOPE that they're some of the easiest, but who am I to say.
Method #1 (Generic, Phone Destroying, Design)
Required Materials
1 Telephone that you won't miss (it'll be a permanent beige box)
2 Gator clips
1 Telephone cord
1 Screwdriver
1 Pair of wire cutters
1 Soldering iron
Solder
Construction
1. Open up the telephone with the screwdriver. I can't give exact
directions, because different models vary, but if you can't find
the screws, try checking under the plastic plate that holds the
phone number of the location.
2. Look at the modular jack (the thingy the phone cord plugs into).
Find the red and green wires. These are the ones you want.
Trace these wires with your finger to the screw that holds them
down. Connect your phone cord to these screws, either by
soldering them, or by wrapping them around the screw and
tightening it down.
3. Run the telephone cord out the modular jack's hole. If you can't
squeeze it through the jack, take the wire cutters and cut the
wires leading to it, and yank it out. That should leave plenty
of room.
4. Re-assemble your phone.
5. At the end of the telephone cord hanging out of the phone,
connect the gator clips to the same wires hooked up to the screws
inside the housing of the phone. You can connect them either by
soldering, or by splicing the wire to them (twisting them around
the hole and praying that it holds).
Method #2 (A spin-off of #1, but less permanent)
Required Materials
1 Telephone (Don't worry, you won't wreck this one)
1 Telephone cord (You can use one of the springy ones that you
always tangle up when you're on the phone)
2 Gator clips
1 Pair of wire cutters
1 Soldering iron
Solder
Construction
1. Cut the modular plug (the thing that plugs into the wall or
telephone set) off ONE end of the telephone cord.
2. Find the red and green wires and connect the gator clips to
these by soldering or splicing them.
3. Connect the other end (the one that still has a plug) to a telephone.
Method #3 (Similar to #2, but using a wall jack instead of a cord)
Required Materials
1 Telephone (This won't get wrecked, either)
1 Modular telephone wall jack (This WILL get wrecked)
2 Gator clips
1 Pair of wire cutters
1 Soldering iron
Solder
Construction
1. Look on the back of the wall jack. You should see the typical
red and green wires going into the back of the jack. Leave the
end going into the jack alone, but trace them to where they go
into the plate holding the jack. Cut them here (being sure, as I
said, to leave the jack end alone).
2. Hook the gator clips up to the red/green wires.
3. Plug the phone into the wall jack.
Testing Your Box : Ok, now that you've got one of the boxes described above
~~~~~~~~~~~~~~~~ (or a different one...I really don't care), you're ready to
go. Go outside, and on the side of your house, you should be able to find a
small, approximately 3" X 3", puke-green box, with a bolt in the middle of it.
Take a wrench (I'm not sure what the size is, but a 10mm wrench works for me,
and that's all I really care about. But be careful, since it's not exact, you
might strip it) and take off the bolt. You'll probably have to clear out some
cobwebs, since it hasn't been used in a while. Inside the box, you should see
four screws (one on each corner) with the typical red/green wires connected to
them. (If you have two phone lines, the bottom screws will have black/yellow
wires; if you have one phone line, the bottom won't have any). You can probably
guess what happens from here--Hook the gator clips up to the screws. You
should get a dial tone. If you didn't, make sure the connection is clean, that
you're hooked up to the right terminals(screws), etc. If you still don't get
one, you're screwed. That means there's something wrong with your box. If you
do get a dial tone, you're probably guessing what you can do from here.
Where Can You Use The Beige Box : You can use the beige box on several pieces
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ of equipment. You can go to your best
friend's house and use it like I described. You can open up one of those ugly
green boxes about 3' high in the back yard of every couple houses. Inside
you'll see pretty much the same thing as at individual houses, only there's
several houses running through the box, not just yours. I have heard that you
can use a beige inside a Ma Bell manhole, but I crawled down one (not fun) and
there was a huge plastic tube. You can see the telephone wires inside, but I
have no idea how to get to them. There are definitely more uses, but these are
the ones I've been exposed to.
The Box Of Many Uses : As I've mentioned, there are TONS of uses for beige
~~~~~~~~~~~~~~~~~~~~ boxes, and the ones I explain are merely the ones I've
had some fun with. It's all basically the same, but there are some interesting
twists.
Conferences : Definitely one of the funnest. It's easier to do than explain,
~~~~~~~~~~~ but I'll give it a shot. First, call up a conference service
(I'll list them in a second). From here, you'll pretty much get instructions
(at least on the ones I've used). Basically, you call up your buddies, tell
them what's going on, and hit a key (usually *) and they get put into the
conference. From there, you and all your friends can all talk to each other,
trade codes, etc. Get the idea? (You can even call foreign numbers. On our
conference, we voiced a user from Italy and called a hotel in Madrid for
someone to practice Spanish....)
Conference Services :
0-700-456-1000
0-700-456-1001
0-700-456-1002
0-700-456-1003
0-700-456-1004
0-700-456-2000
0-700-456-2001
0-700-456-2002
0-700-456-2003
0-700-456-2004
Tapping : If you hook up your beige box, and hear voices, the rightful owner
~~~~~~~ of the line is obviously using it. Well, that's about all there is
to phone tapping. Just shut up and listen.
L/D Calling : Hey, it's not YOUR bill, so go ahead and call your pal in
~~~~~~~~~~~ France. Maybe voice verify some users on your BBS....
Dial-A-Porn : Hey, wait!! How'd that get in here?
~~~~~~~~~~~
Conclusion : That's about it. I won't pretend to be an expert on beige boxes,
~~~~~~~~~~ so I won't say that these are the limits, or that these are the
best methods. I'm just trying to provide a non-technical introduction to
phreaking. Well, if anyone has any comments, questions, or comes up with any
new ideas, let me know.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
===============================================================================
Basic Information About Credit Cards
===============================================================================
There are at least three types of security devices on credit cards that
you aren't supposed to know about. They are the account number, the signature
panel, and the magnetic strip.
The Account Number
------------------
A Social Security card has nine digits. So do two-part Zip codes.
A domestic phone number, including area code, has ten digits. Yet a
complete MasterCard number has twenty digits. Why so many?
It is not mathematically necessary for any credit-card account number
to have more than eight digits. Each cardholder must, of course, have a
unique number. Visa and MasterCard are estimated to have about sixty-five
million cardholders each. Thus their numbering systems must have at least
sixty-five million available numbers.
There are one hundred million possible combinations of eight digits--
00000000, 00000001, 00000002, 00000003, all the way up to 99999999. So
eight digits would be enough. To allow for future growth, an issuer the
size of Visa or MasterCard could opt for nine digits---enough for a billion
different numbers.
In fact, a Visa card has thirteen digits and sometimes more. An
American Express card has fifteen digits. Diners Club cards have fourteen.
Carte Blanche has ten. Obviously, the card issuers are not projecting
that they will have billions and billions of cardholders and need those
digits to ensure a different number for each. The extra digits are actually
a security device.
Say your Visa number is 4211 503 417 268. Each purchase must be
entered into a computer from a sales slip. The account number tags the
purchase to your account. The persons who enter account numbers into
computers get bored and sometimes make mistakes. They might enter
4211 503 471 268 or 4211 703 417 268 instead.
The advantage of the thirteen-digit numbering system is that it is
unlikely any Visa cardholder has 4211 503 471 268 or 4211 703 417 268
for an account number. There are 10 trillion possible thirteen-digit
Visa numbers (0000 000 000 000; 0000 000 000 001; ... 9999 999 999 999).
Only about sixty-five million of those numbers are numbers of actual
active accounts. The odds that an incorrectly entered number would
correspond to a real number are something like sixty-five million in
ten trillion, or about one in one hundred and fifty thousand.
Those are slim odds. You could fill up a book the size of this one
{note, book is 228 pgs long} with random thirteen-digit numbers such as
these:
3901 160 943 791
1090 734 231 410
1783 205 995 561
9542 425 195 969
2358 862 307 845
9940 880 814 778
8421 456 150 662
9910 441 036 483
3167 186 869 267
6081 132 670 781
1228 190 300 350
4563 351 105 207
Still you would not duplicate a Visa account number. Whenever an account
number is entered incorrectly, it will almost certainly fail to match up
with any of the other account numbers in the computer's memory. The
computer can then request that the number be entered again.
Other card-numbering systems are even more secure. Of the quadrillion
possible fifteen-digit American Express card numbers, only about 11 million
are assigned. The chance of a random number happening to correspond to an
existing account number is about one in ninety million. Taking into account
all twenty digits on a MasterCard, there are one hundred quintillion
(100,000,000,000,000,000,000) possible numbers for sixty-five million
cardholders. The chance of a random string of digits matching a real
MasterCard number is about one in one and a half trillion.
Among other things, this makes possible those television ads inviting
holders of credit cards to phone in to order merchandise. The operators
who take the calls never see the callers' cards nor their signatures.
How can they be sure the callers even have credit cards?
They base their confidence on the security of the credit-card numbering
systems. If someone calls in and makes up a credit-card number--even being
careful to get the right number of digits--the number surely will not be
an existing real credit-card number. The deception can be spotted instantly
by plugging into the credit-card company's computers. For all practical
purposes, the only way to come up with a genuine credit-card number is to
read it off a credit card. The number, not the piece of plastic, is
enough.
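As an added illustration (not part of the Big Secrets excerpt or of this zine), the following Python carries the excerpt's own figures through and then simulates the keying errors described above (a transposition such as 4211 503 471 268, a substitution such as 4211 703 417 268) against a constructed master file of account numbers. The account numbers and the size of the master file are made up for the demonstration; they are not any issuer's real data.

```python
"""Sparse account numbering as an error-detection device.

Added example: it carries the excerpt's figures through and simulates
data-entry mistakes against a constructed set of "issued" account
numbers, showing why almost every mistyped number fails to match any
real account when the numbering space is sparse.
"""
import random
from fractions import Fraction

# Figures quoted in the excerpt: issuer -> (digits in the number, active accounts)
ISSUERS = {
    "Visa": (13, 65_000_000),
    "American Express": (15, 11_000_000),
    "MasterCard": (20, 65_000_000),
}


def collision_odds(digits: int, active_accounts: int) -> int:
    """Return N such that a random `digits`-digit string matches a real
    account about one time in N: the size of the numbering space divided
    by the number of assigned accounts."""
    return 10 ** digits // active_accounts


def keying_errors(number: str) -> set[str]:
    """Every single-digit substitution and every adjacent-digit
    transposition of `number`: the plausible data-entry mistakes the
    excerpt describes for bored clerks typing in sales slips."""
    errors = set()
    for i, ch in enumerate(number):
        for d in "0123456789":
            if d != ch:
                errors.add(number[:i] + d + number[i + 1:])
        if i + 1 < len(number) and number[i] != number[i + 1]:
            errors.add(number[:i] + number[i + 1] + number[i] + number[i + 2:])
    return errors


def issue_accounts(count: int, digits: int, seed: int = 1) -> set[str]:
    """Constructed sample: `count` distinct random account numbers of
    `digits` digits, standing in for an issuer's master file."""
    rng = random.Random(seed)
    accounts: set[str] = set()
    while len(accounts) < count:
        accounts.add("".join(rng.choice("0123456789") for _ in range(digits)))
    return accounts


def undetected_error_rate(accounts: set[str], sample: int = 200,
                          seed: int = 2) -> Fraction:
    """Fraction of keying errors on real account numbers that would slip
    through because the mistyped number happens to be another real account.
    The sparser the numbering space, the closer this is to zero."""
    rng = random.Random(seed)
    total = collisions = 0
    for number in rng.sample(sorted(accounts), min(sample, len(accounts))):
        for bad in keying_errors(number):
            total += 1
            if bad in accounts:
                collisions += 1
    return Fraction(collisions, total)


if __name__ == "__main__":
    for name, (digits, active) in ISSUERS.items():
        print(f"{name}: about one in {collision_odds(digits, active):,}")
    # Contrast the "mathematically sufficient" 8-digit scheme with the
    # 13-digit Visa layout, using the same constructed master-file size.
    for digits in (8, 13):
        rate = undetected_error_rate(issue_accounts(200_000, digits))
        print(f"{digits} digits: undetected keying errors = {float(rate):.6f}")
```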
Neiman-Marcus' Garbage Can
--------------------------
The converse of this is the fact that anyone who knows someone else's card
number can charge to that person's account. Police sources say this is a
major problem, but card issuers, by and large, do their best to keep these
crimes a secret. The fear is that publicizing the crimes may tempt more
people to commit them. Worse yet, there is almost nothing the average
person can do to prevent being victimized {muhaha} -- short of giving up
credit cards entirely.
Lots of strangers know your credit-card numbers. Everyone you hand
a card to--waiters, sales clerks, ticket agents, hairdressers, gas station
attendants, hotel cashiers--sees the account number. Every time a card is
put in an imprinter, three copies are made, and two are left with the clerk.
If you charge anything by phone or mail order, someone somewhere sees the
number.
Crooks don't have to be in a job with normal access to credit-card numbers.
Occasional operations have discovered that the garbage cans outside prestige
department or specialty stores are sources of high-credit-limit account
numbers. The crooks look for the discarded carbon paper from sales slips.
The account number is usually legible--as are the expiration date, name,
and signature. (A 1981 operation used carbons from Koontz Hardware, a
West Hollywood, California, store frequented by many celebrities.)
Converting a number into cash is less risky than using a stolen
credit card. The crook need only call an airline, posing as the cardholder,
and make a reservation on a heavily traveled flight. He usually requests
that tickets be issued in someone else's name for pickup at the airport
(airlines don't always ask for ID on ticket pickups, but the crook has it
if needed) and is set. The tickets can be sold at a discount on the hot-
ticket market operating in every major airport.
There are other methods as well. Anyone with a Visa or MasterCard
merchant account can fill out invoices for nonexistent sales and submit
them to the bank. As long as the account numbers and names are genuine,
the bank will pay the merchant immediately.
For an investment of about a thousand dollars, an organized criminal
operation can get the pressing machines needed to make counterfeit credit
cards. Counterfeiting credit cards is relatively simple. There are no
fancy scrolls and filigree work, just blocky logos in primary colors.
From the criminal's standpoint, the main advantage of a counterfeit card
is that it allows him to get cash advances. For maximum plundering of a
line of credit, the crook must know the credit limit as well as the account
number. To learn both, he often calls an intended victim, posing as the
victim's bank:
CROOK: This is Bank of America. We're calling to tell you that the
credit limit on your Visa card has been raised to twelve
hundred dollars.
VICTIM: But my limit has always been ten thousand dollars.
CROOK: There must be some problem with the computers. Do you have
your card handy? Could you read off the embossed number?
On a smaller scale, many struggling rock groups have discovered the
knack of using someone else's telephone company credit card. When a
cardholder wants to make a long-distance call from a hotel or pay phone,
he or she reads the card number to the operator. The call is then billed
to the cardholder's home phone. Musicians on tour sometimes wait by the
special credit-card-and-collect-calls-only booths at airports and jot
down a few credit card numbers. In this way, unsuspecting businesspeople
finance a touring act's calls to friends at home. If the musicians call
from public phones, use a given card number only once, and don't stay
in one city long, the phone company seems helpless to stop them.
What makes all of these scams so hard to combat is the lead
time afforded the criminal. Theft of a credit card--a crime that
card issuers will talk about--is generally reported immediately.
Within twenty-four hours, a stolen card's number is on the issuer's
"hot list" and can no longer be used. But when only a card number is
being used illicitly, the crime is not discovered until the
cardholder receives his first inflated bill. That's at least two
weeks later; it could be as much as six weeks later. As long as the
illicit user isn't too greedy, he has at least two weeks to tap into
a credit line with little risk.
The Signature Panel
-------------------
You're not supposed to erase the signature panel, of course. Card
issuers fear that crooks might erase the signature on a stolen credit
card and replace it with their own. To make alteration more difficult,
many card signature panels have a background design that rubs off if
anyone tries to erase. There's the "fingerprint" design on the American
Express panel, repeated Visa or MasterCard logos on some bank cards, and the
"Safesig" design on others. The principle is the same as with the security
paper used for checks. If you try to erase a check on security paper, the
wavy-line pattern erases, leaving a white area-- and it is obvious that the
check has been altered.
Rumors hint of a more elaborate gimmick in credit-card panels.
It is said that if you erase the panel, a secret word--VOID--appears
to prevent use of the card. To test this rumor, fifteen common credit
cards were sacrificed.
An ordinary pen eraser will erase credit-card signature panels, if
slowly. The panels are more easily removed with a cloth and a dry-cleaning
fluid such as Energine. This method dissolves the panels cleanly. Of the
fifteen cards tested, six had nothing under the panel (other than a
continuation of the card back design, where there was one). Nine cards
tested had the word "VOID" under the panel. In all cases, the VOIDs
were printed small and repeated many times under the panel. The breakdown:
Void Device                Nothing
--------------------------------------------------------
Bloomingdale's             American Express Gold Card
Bonwit Teller              Broadway
Bullock's                  MasterCard (Citibank)
Chase Convenience B.C.     Neiman-Marcus
I. Magnin                  Robinson's
Joseph Magnin              Saks Fifth Avenue
First Interstate B.C.
Montgomery Ward
Visa (Chase Manhattan)
When held to a strong light, the VOIDs were visible through the
Bloomingdale's card even without removing the panel.
The VOID device isn't foolproof. Any criminal who learns the secret
will simply refrain from trying to erase the signature. Most salesclerks
don't bother to check signatures anyway.
Moreover, it is possible to paint the signature panel back in, over
the VOIDs--at least on those cards that do not have a design on the
panel. (Saks' panel is a greenish-tan khaki color that would be difficult
to match with paint.) The panel is first removed with dry-cleaning fluid.
The back of the card is covered with masking tape, leaving a window where
the replacement panel is to go. A thin coat of flat white spray paint
simulates the original panel.
The Magnetic Strip
------------------
The other security device on the back of the card, the brown magnetic
strip, is more difficult to analyze. Some people think there are sundry
personal details about the cardholder stored in the strip. But the
strip has no more information capacity than a similar snippet of recording
tape. For the most part banks are reticent about the strip.
The strip need not contain any information other than the account
number or similar identification. Any further information needed to
complete an automatic-teller transaction-- such as current account
balances--can be called up from bank computers and need not be encoded
in the strip.
Evidently, the card expiration date is in the strip. Expired cards
are "eaten" by automatic-teller machines even when the expired card has
the same account number and name as its valid replacement card. Credit
limit, address, phone number, employer, etc, must not be indicated in
this strip, for banks do not issue new cards just because this info changes.
It is not clear if the personal identification number is in the strip
or called up from the bank computer. Many automatic-teller machines have
a secret limit of three attempts for providing the correct personal
identification number. After three wrong attempts, the "customer" is
assumed to be a crook with a stolen card, going through all possible
permutations--and the card is eaten.
It is possible to scramble the information in the strip by rubbing
a pocket magnet over it. Workers in hospitals or research facilities with
large electromagnets sometimes find that their cards no longer work in
automatic-teller machines. (If you try to use a magnetically doctored
card, you usually get a message to the effect, "Your card may be inserted
incorrectly. Please remove and insert according to the diagram.")
The Bloomingdale's Color Code
-----------------------------
Only in a few cases does the color of a credit card mean anything.
There are, of course, the American Express, Visa, and MasterCard gold
cards for preferred customers. The Air Travel Card comes in red and green, of
which green is better. (With red, you can charge tickets for travel within
North America only.) The most elaborate color scheme, and a source of some
confusion to status-conscious queues, is that of Bloomingdale's credit
department. Here is how it works: Low color in the pecking order is blue,
issued to Bloomingdale employees as a perk in their compensation packages. The
basic Bloomingdale card is yellow. Like most department store cards, it can be
used to spread payments over several months with the payment of a finance
charge. The red card gives holders three months' free interest and is issued
to customers who regularly make large purchases. The silver card is good for
unlimited spending, but as with a travel and entertainment card, all charges
must be paid in thirty days. The gold card offers the same payment options as
the yellow card but is reserved for the store's biggest spenders.
The End
---------------------------------------------------------------------------
Comments and Acknowledgements-
The above has been copied from "Big Secrets" WITHOUT permission.
Big Secrets is written by William Poundstone. This is a great
book that tells you hundreds of things you weren't supposed to
find out about. The above article was only 5 pages out of
a book 288 pages long! He also has a new book out called
"Bigger Secrets", which is also good. You can find both at
almost any book store; they should be able to special order it.
Well it's now midnight, and I'm getting tired... so I hope
you have enjoyed this article. If you wanna talk to me I'm
on many boards all over the country. Well later, I'm gonna go
watch Star Trek the Next Generation...
The above was written by
The
/\/\idnight
Caller
a.k.a.
Pizzia Man
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The Mickey Mouse Club
Presents.......
The M.M.C. Guide to Hacking, Phreaking, Carding
By: The Dark Lord
Introduction:
~~~~~~~~~~~~~~
This text file is made by The Mickey Mouse Club and we ask
that it be distributed to others for their use. This file is going to
go into depth on how to hack, phreak, and card. There will be information
that should help everyone, hopefully!!
Hacking:
~~~~~~~~~~
Hacking is a long hard process, unless you get lucky. There are many
programs and aids out to make the job a lot easier, but the concept is
the same no matter how you use it. First, at least on most things that you
hack, you need to get some type of account or vacancy, etc... This is done
by randomly entering numbers and/or letters until you come up with the
proper combination to find the account. Knowing the size of the account
number makes this job one hundred times easier. That's why I suggest you
find out from someone who already has one, or card one. By carding the
account, it will die quickly but at least it will give you the length
of the account numbers (more on that topic will be explained in the carding
section). The account numbers do not always just contain numbers, or have
numbers in them at all. If it has a mix, it makes it a hell of a lot harder
to get. You will just have to experiment to find out what characters are
contained in the account. Some examples of ones that do have mixes of
numbers and letters would be PC Pursuit accounts. The forms of them are
usually as such:
Account: Pgp014764g
Password: 23632k
It looks from these that you are pretty much screwed because of the way
letters are mixed with numbers; that's what makes having a program so much
easier. In a lot of circumstances, getting the account is the hardest part;
that is why having a good background of the system is a major plus in your
favor.
Once you have got the account, it is time to get the password for this
account. Once again, having the length and such makes this process not only
easier, but faster. Just keep entering random passwords of the length, or
the thought length, until you get a stroke of luck and get it. You MUST
remember that 99.5 out of 100 times, this is a long process, and you have
to have patience. If you don't, you might as well forget ever getting on
to the system, or have someone else do it for you. Once you have gotten
the password, look it over long and hard. Write it down and keep it,
examine it. 99% of the time there is a pattern to all the account
passwords. Things to look at are the password in reference to the account
number. Check to see if things have been added to the end or beginning,
like 00 or 01 or 99 or 0010, things like that. If you see no relations,
the only other way to really find out the pattern is to get another one.
Look at both of them together, see if they're the same, or if account 400's
password is 3456 and 402's password is 3458 (they go in order), then just
use those as a reference to other passwords: take away so much from accounts
with a lower number and add the required amounts to accounts with a higher
number, etc.... But basically, LOOK FOR A PATTERN! Once you have got the
password and the account, you have got yourself a passage way in.
Although this is what you do to succeed, you have to take
many precautions. They do NOT like us messing with the system and they
obviously want you to pay just like the others, so they will take necessary
means to nail you. They trace like you wouldn't believe. They will trace
right as you get on, if you happen to be unlucky, and you will never know when
they are doing it either. You must ALWAYS be aware of the dangers and take
precautions!!! Even on things that you wouldn't think that they would trace
you on, be careful. Whether they trace depends on a couple of things; here
are a few major ones:
1. Their bank balance
2. Their desire to catch you
3. The amount of infestation in their system
There are things that you can do to protect yourself. These are not all
of them and none of them are sure-fire ways, but hey, cutting down your
chances of getting caught makes a world of difference, because remember,
all the fun is taken away if you get caught. Some things to do to protect
yourself are:
1. Use a diverter
2. Use false information about you
3. Never stay on-line too long
4. Call during late or early hours, when there is most likely no one
monitoring the system
5. Don't call frequently or during the same hours; regulate it
Once again these are not all of them but these are some of the "more"
helpful things. If you follow all the steps, you can reduce the chance of
getting caught by about 40%.
If you do get caught there is not a whole lot that you can do, but some
tips are: first, don't reveal any information on what you have done. Deny
all charges. Second, plea bargain with knowledge of things, like hacked
systems etc.. But never admit that you did it. Three, and most important,
get a GOOD LAWYER!!!!!!!
DIFFERENT TYPES OF SYSTEMS:
PC Pursuit
CP/M
TRW
Unix
VMB
VMS
These are just a few systems; if I made a complete list there would
be practically no end to it, there are millions.
Phreaking:
~~~~~~~~~~~~
Phreaking, Ahhhwwww, the wonderful world of phreaking. Well to start
with, Phreaking is "The use of Telecommunications by others besides people
of the Phone Company". Well that's my version of the definition at least.
Using codes is quite easy; there are different parts to it: the dial-up,
the code, and the number. First you will have to dial in the dial-up, and
on most dial-ups you will get a tone or a buzz or click or something to
that effect. Once you hear this (and you will know when you hear it) you
dial in the code. Sometimes you will get another tone or beep etc., and when
you do, that is when you dial in the number. If you do not get another tone
or whatever, you just dial in the number right after you enter the code.
You might have to have a test dial-up to see how the tones go.
In dialing the number, once again the numbers differ. You must enter the
area code and then the number. Some require that you have a one before the
area code, but most that I have used do not. You can tell if the code worked
right after the number has been put in, not just by the error recording that
you get but if, right off the bat, the phone begins to ring, it doesn't work.
A code can also be busy. If it is busy it could mean that the code is
dead or that too many people are using it at once. You might experience
this often.
There are numbers that make phreaking much safer; they are called
diverters. What they do is, when the number that you have dialed is being
traced, it diverts it to that number. Unless this is virgin or nobody else
uses it, you will find that within a couple of days after it is out, it
will be busy. That is the annoyance about diverters, and they are also hard
to get.
Hacking is also put into play in phreaking by using programs to get
dial-ups and the codes. Getting these is done in the same way you hack
anything else. Just get a program like Code Thief or Code Hacker, or make
one yourself; it is quite easy.
There is a danger with using the codes. If you hack a code yourself,
not just the code but the dial-up, and no one else has it, you can pretty well
bet that it is safe. A newly hacked dial-up/code is considered "Virgin".
Thus Ma Bell is not having the problem with people phreaking off of it,
so they don't bother doing anything with it. But after a while, it will
either die (no longer work) or they will start tracing off of it. The
whole pain about it is, you will never positively know when they started
doing traces or things like that. The codes might be being traced but you
are getting the luck of the draw. On most codes they don't trace on every
call; they just file it away and watch for like the 50th or 100th caller,
and then that person gets nailed. You might think if they do trace every
100 calls, that means you have a 1 in 100 chance of getting caught, and those
are really good odds. Well, the odds are 100 to 1, but there are a lot of
people that live in areas that they can call with that code. If you figure
about 10 million people could use it, then about 100,000 of them are. 100,000,
hummmmmmm, how do your odds look now? In a couple minutes' time span
99 people could have used it, and lucky you might be the 100th caller. A
lot of times they take like every hundred calls, and then when they get the
100th caller, they don't just trace one, they trace 100, 101, 102, 103, 104,
200, 201, 202, etc. So your chances of getting caught when the heat is on
the code are pretty good. There are a couple different types of codes, and
the two major ones are 1-800's and 950's. 800's can pretty much be dialed
from anywhere in the States, but 950's stay in certain areas. Some 950
dial-ups are:
9501001
9500266
9500355
9501388
And there are others, but like take me for example, where I live you
cannot use 9500266. It will tell you that you cannot use that number from
your dialing range or it just won't work. You might get to the point where
the dial-up works but not the code. If this is the case it will say:
"Invalid authorization Code"
Some examples of 1-800's are as follows:
1-800-255-2255
1-800-759-2345
1-800-959-8255
There are many others but those are just a few, very few. There are
also 1-800's and others that will send you directly to the operator; you
must tell her the code and the number you are dialing. These are NEVER
safe to use, but in one case they are a lot better. I am out of town a lot,
so I have to use pay phones, right? Well, you are safe with anything with
pay phones, so that is a good way to call people. The real good thing about
them though is, since you must go through the operator, the codes stay valid
for up to 10 times as long as the others. But then again, another drawback
is it is not a line that you want to give real names or numbers over.
Because these are often tapped, since the operator knows that you used the
code, they will listen in quite often, and you will never even notice.
Another problem experienced with them is if you are what MMC calls
"Petite Flowers", our home made word for someone that sounds like a little
kid, then they really give you a hassle about using the code.
I have had a lot of people ask me if the person you are calling with the
codes can get busted. The answer is "No". They cannot do anything to the
person, just ask him who is calling him with the codes, and they rarely do
that. Just tell the person you are talking to, if they don't already know,
not to tell anyone that you are calling with the codes. The phone
companies do have the option of setting up a trace on that person's line and
busting you when you do call him with a code. I have never seen this done, but
do be aware that the phone companies are made up of intelligent adults and
they are very smart and can and will nail you in many ways.
I am a firm believer that you should share the information that you have
with other phreakers and hackers, as they should do the same with you. I also
see an exception: inexperienced people. They can ruin it for everyone by not
having the knowledge and screwing up. I realize that they need some way to
build themselves up to a good phreaker, but be cautious in what you give to
them.
Codes die really often and you really have to keep up with the phone
company. It's kind of a pain to keep up with it on your own as quickly as
they work, but that's why there are phreaking communities and groups such
as FHP and MMC, which give the edge to the phreakers in the way that you
have help in keeping up with the phone companies, and in most cases, if
the groups or communities are working well together, you can even stay
one step ahead of good 'ole Ma Bell and others. You really need to find
ways of getting codes, either from getting access to the phreaking sections
on the pirate boards you call or through friends, VMBs, loops, conferences,
etc.; just try to find a good connection to people that are into phreaking
too.
Carding:
~~~~~~~~~~
Although everything talked about in the text file to this point is
illegal, and you will get busted if you get caught, this is the one
that you can get in some major shit over. About the only thing I have
talked about that this falls short of is hacking a government computer, and
that's one of the Grand daddies of them all. Well, although it is a major
crime, it is really cool!!!! This is the process in which you find the card
number of someone and use it to purchase things. In order to card, there
are a few things that you must have or it will not work. You will need to
have........
1. The Card Number
2. The Expiration date
3. Card type (Master Card, Visa, etc...)
Those are the main things that you will need. Having the name of the owner
is very helpful but it is not a must. You can get by without it.
You have to order everything you want by mail. A couple of "beginner"
carders that I talked to didn't understand how you would do it, but that's
when they had the misconception that you actually go to the store and
purchase things. That is a complete no-no. You do everything from a
phone ordering service.
When you call, make sure that you are at a pay phone. Don't do it from
your house or anywhere where it can come back to you. When you order
the merchandise, once again don't send it to anywhere that it can come back
to you like your home, work, etc. Find a vacant house or building or anywhere
else that you can send it to. Also, don't send it to a P.O. box that you
have; that's just as dangerous. When you do order it and you think it's around
the time that you will be receiving it, check the mailbox frequently. But do it
during odd hours. I mean, how's it going to look, you taking a package from a
vacant house?
Most bills are sent at the end of the month or at the beginning, so
try to time it to where the bill won't come to the person until a couple of
days after you have received the package. Ok, here's how to figure it. I
have found out that the bills are sent out up around the 26th-30th of the
month, so they will actually receive the bill around the 31st-4th. Have it
sent right after you think the bill has been sent. Find what you want, but
try to order it from the place that guarantees the fastest delivery. When
you order the item, make sure they have it in stock and don't have to get
the item in first. Order the highest class of delivery but not COD or
next day service. That's cutting it too close. It should take around 2-4
weeks before you get it, and if you timed it right, then it should get there
right before the person gets the bill. You need to have it in your
possession before the bill gets to the person because if they complain, they
can keep it from being sent, or watch who actually gets it even while it's
going through the mail process. Don't order more than a couple of things
or overcharge the card; if the people at the credit card office see
irregular charging on the card, they will follow up on it.
To actually order the item you will call up the place that you will
be ordering from, and when the operator answers, let her know what you need
to as far as what you are purchasing, etc. When she asks how you will be
paying, just tell her "Charge" and the type of card, like Master Card,
Visa, etc. Then tell them your name; if you don't know the name of the
actual owner of the card, make up a false name that has NO relation to
your name, not the same first, last, middle, whatever, nothing relating to
your real name. Then continue answering all the operator's questions:
address (not your own, remember!), state, area code, etc. They will also ask
for your phone number. Make one up, not your own. If something happens
to go wrong as far as delivery, or if they are checking if you are who you
say, then you're screwed, unless of course, hehehe, the number is ALWAYS
busy. Find the busiest number there is and leave them that. When they
ask for the card number and expiration, just tell them and do whatever
else you need. Wish them a good day, and hope you get it.
Ok, here's how you check if the card is good, and how much money
can be charged on the card.......
1. Dial 1-800-554-2265
2. It will ask for the type of the card. You must put in 10 for Master
Card and 20 for Visa; I am not sure about the others.
3. Next it will ask for the Identification. You will need to enter
1067
4. After all that you will have to enter the Merchant number, which
you will either need to put in 24 or 52. One of them should work.
5. You will then have to enter (when prompted) the card number itself.
6. Next, the expiration date of the card.
7. Last but not least, the amount you want to try to get on the card.
The procedure for this is enter dollars, asterisk, then cents.
(Example:)
100*30 = One hundred dollars and thirty cents.
One thing I do need to mention: after you type in everything you must press
pound (#). Like when it asks you for the type of card, if you had a Master
Card you would put: 10#. When it asks for identification you would enter
1067#. If it says invalid, that either means that the card is no good or
you can't charge that amount on the card. Try it again, but try a lower
amount. If you get down to $1 and it still doesn't work, hehehe, you can
probably guess that the card is no good.
You might not be ordering just merchandise; you might be ordering
accounts and things like that, and if you are, fine, but you have to
remember, the accounts do not stay good for very long: the owner of the
card gets the bill, complains, and it's no longer any good. And when you
card an account, nine out of ten times they won't kill the account, they
will trace in, and that is when your butt's really in a sling. So carding
accounts and things isn't the safest way to go; of course, nothing we
have talked about is, right?
Conclusion:
~~~~~~~~~~~~~~
Well, that's about it for now, there should be a BIG newsletter by
The Mickey Mouse Club coming out soon that you have to be sure NOT to miss.
I sincerely hope that you have gotten a lot out of this file and I would like
to ask for suggestions and ideas to make MMC a better organization. At this
time myself and Cardiac Arrest have a VMB at:
1-800-444-7207 [Ext] 4001.
All ideas and suggestions, please bring there. Also, since you're making
the trip anyway, bring along some phreaking codes and all and any types
of accounts. It would be greatly appreciated by:
The Mickey Mouse Club.
09/89
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+++++++++++++++++++++++++++++++++++++++++++++++++
| The LOD/H Presents |
++++++++++++++++ ++++++++++++++++
\ A Novice's Guide to Hacking- 1989 edition /
\ ========================================= /
\ by /
\ The Mentor /
\ Legion of Doom/Legion of Hackers /
\ /
\ December, 1988 /
\ Merry Christmas Everyone! /
\+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++/
**********************************************************************
| The author hereby grants permission to reproduce, redistribute, |
| or include this file in your g-file section, electronic or print |
| newsletter, or any other form of transmission that you choose, as |
| long as it is kept intact and whole, with no omissions, |
| deletions, or changes. (C) The Mentor- Phoenix Project Productions |
| 1988,1989 512/441-3088 |
**********************************************************************
Introduction: The State of the Hack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
After surveying a rather large g-file collection, my attention was drawn to
the fact that there hasn't been a good introductory file written for absolute
beginners since back when Mark Tabas was cranking them out (and almost
*everyone* was a beginner!) The Arts of Hacking and Phreaking have changed
radically since that time, and as the 90's approach, the hack/phreak community
has recovered from the Summer '87 busts (just like it recovered from the Fall
'85 busts, and like it will always recover from attempts to shut it down), and
the progressive media (from Reality Hackers magazine to William Gibson and
Bruce Sterling's cyberpunk fables of hackerdom) is starting to take notice
of us for the first time in recent years in a positive light.
Unfortunately, it has also gotten more dangerous since the early 80's.
Phone cops have more resources, more awareness, and more intelligence than they
exhibited in the past. It is becoming more and more difficult to survive as
a hacker long enough to become skilled in the art. To this end this file
is dedicated. If it can help someone get started, and help them survive
to discover new systems and new information, it will have served its purpose,
and served as a partial repayment to all the people who helped me out when I
was a beginner.
Contents
~~~~~~~~
This file will be divided into four parts:
Part 1: What is Hacking, A Hacker's Code of Ethics, Basic Hacking Safety
Part 2: Packet Switching Networks: Telenet- How it Works, How to Use it,
Outdials, Network Servers, Private PADs
Part 3: Identifying a Computer, How to Hack In, Operating System
Defaults
Part 4: Conclusion- Final Thoughts, Books to Read, Boards to Call,
Acknowledgements
Part One: The Basics
~~~~~~~~~~~~~~~~~~~~
As long as there have been computers, there have been hackers. In the 50's
at the Massachusetts Institute of Technology (MIT), students devoted much time
and energy to ingenious exploration of the computers. Rules and the law were
disregarded in their pursuit for the 'hack'. Just as they were enthralled with
their pursuit of information, so are we. The thrill of the hack is not in
breaking the law, it's in the pursuit and capture of knowledge.
To this end, let me contribute my suggestions for guidelines to follow to
ensure that not only you stay out of trouble, but you pursue your craft without
damaging the computers you hack into or the companies who own them.
I. Do not intentionally damage *any* system.
II. Do not alter any system files other than ones needed to ensure your
escape from detection and your future access (Trojan Horses, Altering
Logs, and the like are all necessary to your survival for as long as
possible.)
III. Do not leave your (or anyone else's) real name, real handle, or real
phone number on any system that you access illegally. They *can* and
will track you down from your handle!
IV. Be careful who you share information with. Feds are getting trickier.
Generally, if you don't know their voice phone number, name, and
occupation or haven't spoken with them voice on non-info trading
conversations, be wary.
V. Do not leave your real phone number to anyone you don't know. This
includes logging on boards, no matter how k-rad they seem. If you
don't know the sysop, leave a note telling some trustworthy people
that will validate you.
VI. Do not hack government computers. Yes, there are government systems
that are safe to hack, but they are few and far between. And the
government has infinitely more time and resources to track you down than
a company who has to make a profit and justify expenses.
VII. Don't use codes unless there is *NO* way around it (you don't have a
local telenet or tymnet outdial and can't connect to anything 800...)
You use codes long enough, you will get caught. Period.
VIII. Don't be afraid to be paranoid. Remember, you *are* breaking the law.
It doesn't hurt to store everything encrypted on your hard disk, or
keep your notes buried in the backyard or in the trunk of your car.
You may feel a little funny, but you'll feel a lot funnier when you
meet Bruno, your transvestite cellmate who axed his family to
death.
IX. Watch what you post on boards. Most of the really great hackers in the
country post *nothing* about the system they're currently working
except in the broadest sense (I'm working on a UNIX, or a COSMOS, or
something generic. Not "I'm hacking into General Electric's Voice Mail
System" or something inane and revealing like that.)
X. Don't be afraid to ask questions. That's what more experienced hackers
are for. Don't expect *everything* you ask to be answered, though.
There are some things (LMOS, for instance) that a beginning hacker
shouldn't mess with. You'll either get caught, or screw it up for
others, or both.
XI. Finally, you have to actually hack. You can hang out on boards all you
want, and you can read all the text files in the world, but until you
actually start doing it, you'll never know what it's all about. There's
no thrill quite the same as getting into your first system (well, ok,
I can think of a couple of bigger thrills, but you get the picture.)
One of the safest places to start your hacking career is on a computer
system belonging to a college. University computers have notoriously lax
security, and are more used to hackers, as every college computer department
has one or two, so are less likely to press charges if you should
be detected. But the odds of them detecting you and having the personnel to
commit to tracking you down are slim as long as you aren't destructive.
If you are already a college student, this is ideal, as you can legally
explore your computer system to your heart's desire, then go out and look
for similar systems that you can penetrate with confidence, as you're already
familiar with them.
So if you just want to get your feet wet, call your local college. Many of
them will provide accounts for local residents at a nominal (under $20) charge.
Finally, if you get caught, stay quiet until you get a lawyer. Don't
volunteer any information, no matter what kind of 'deals' they offer you.
Nothing is binding unless you make the deal through your lawyer, so you might
as well shut up and wait.
Part Two: Networks
~~~~~~~~~~~~~~~~~~
The best place to begin hacking (other than a college) is on one of the
bigger networks such as Telenet. Why? First, there is a wide variety of
computers to choose from, from small Micro-Vaxen to huge Crays. Second, the
networks are fairly well documented. It's easier to find someone who can help
you with a problem off of Telenet than it is to find assistance concerning your
local college computer or high school machine. Third, the networks are safer.
Because of the enormous number of calls that are fielded every day by the big
networks, it is not financially practical to keep track of where every call and
connection are made from. It is also very easy to disguise your location using
the network, which makes your hobby much more secure.
Telenet has more computers hooked to it than any other system in the world
once you consider that from Telenet you have access to Tymnet, ItaPAC, JANET,
DATAPAC, SBDN, PandaNet, THEnet, and a whole host of other networks, all of
which you can connect to from your terminal.
The first step that you need to take is to identify your local dialup port.
This is done by dialing 1-800-424-9494 (1200 7E1) and connecting. It will
spout some garbage at you and then you'll get a prompt saying 'TERMINAL='.
This is your terminal type. If you have vt100 emulation, type it in now. Or
just hit return and it will default to dumb terminal mode.
You'll now get a prompt that looks like a @. From here, type @c mail <cr>
and then it will ask for a Username. Enter 'phones' for the username. When it
asks for a password, enter 'phones' again. From this point, it is menu
driven. Use this to locate your local dialup, and call it back locally. If
you don't have a local dialup, then use whatever means you wish to connect to
one long distance (more on this later.)
When you call your local dialup, you will once again go through the
TERMINAL= stuff, and once again you'll be presented with a @. This prompt lets
you know you are connected to a Telenet PAD. PAD stands for either Packet
Assembler/Disassembler (if you talk to an engineer), or Public Access Device
(if you talk to Telenet's marketing people.) The first description is more
correct.
Telenet works by taking the data you enter in on the PAD you dialed into,
bundling it into a 128 byte chunk (normally... this can be changed), and then
transmitting it at speeds ranging from 9600 to 19,200 baud to another PAD, which
then takes the data and hands it down to whatever computer or system it's
connected to. Basically, the PAD allows two computers that have different baud
rates or communication protocols to communicate with each other over a long
distance. Sometimes you'll notice a time lag in the remote machine's response.
This is called PAD Delay, and is to be expected when you're sending data
through several different links.
What do you do with this PAD? You use it to connect to remote computer
systems by typing 'C' for connect and then the Network User Address (NUA) of
the system you want to go to.
An NUA takes the form of 031103130002520
\___/\___/\___/
| | |
| | |____ network address
| |_________ area prefix
|______________ DNIC
This is a summary of DNICs (taken from Blade Runner's file on ItaPAC)
according to their country and network name.
DNIC   Network Name   Country        | DNIC   Network Name   Country
_______________________________________________________________________________
                                     |
02041  Datanet 1      Netherlands    | 03110  Telenet        USA
02062  DCS            Belgium        | 03340  Telepac        Mexico
02080  Transpac       France         | 03400  UDTS-Curacau   Curacau
02284  Telepac        Switzerland    | 04251  Isranet        Israel
02322  Datex-P        Austria        | 04401  DDX-P          Japan
02329  Radaus         Austria        | 04408  Venus-P        Japan
02342  PSS            UK             | 04501  Dacom-Net      South Korea
02382  Datapak        Denmark        | 04542  Intelpak       Singapore
02402  Datapak        Sweden         | 05052  Austpac        Australia
02405  Telepak        Sweden         | 05053  Midas          Australia
02442  Finpak         Finland        | 05252  Telepac        Hong Kong
02624  Datex-P        West Germany   | 05301  Pacnet         New Zealand
02704  Luxpac         Luxembourg     | 06550  Saponet        South Africa
02724  Eirpak         Ireland        | 07240  Interdata      Brazil
03020  Datapac        Canada         | 07241  Renpac         Brazil
03028  Infogram       Canada         | 09000  Dialnet        USA
03103  ITT/UDTS       USA            | 07421  Dompac         French Guiana
03106  Tymnet         USA            |
There are two ways to find interesting addresses to connect to. The first
and easiest way is to obtain a copy of the LOD/H Telenet Directory from the
LOD/H Technical Journal #4 or 2600 Magazine. Jester Sluggo also put out a good
list of non-US addresses in Phrack Inc. Newsletter Issue 21. These files will
tell you the NUA, whether it will accept collect calls or not, what type of
computer system it is (if known) and who it belongs to (also if known.)
The second method of locating interesting addresses is to scan for them
manually. On Telenet, you do not have to enter the 03110 DNIC to connect to a
Telenet host. So if you saw that 031104120006140 had a VAX on it you wanted to
look at, you could type @c 412 614 (0's can be ignored most of the time.)
If this node allows collect billed connections, it will say 412 614
CONNECTED and then you'll possibly get an identifying header or just a
Username: prompt. If it doesn't allow collect connections, it will give you a
message such as 412 614 REFUSED COLLECT CONNECTION with some error codes out to
the right, and return you to the @ prompt.
There are two primary ways to get around the REFUSED COLLECT message. The
first is to use a Network User Id (NUI) to connect. An NUI is a username/pw
combination that acts like a charge account on Telenet. To collect to node
412 614 with NUI junk4248, password 525332, I'd type the following:
@c 412 614,junk4248,525332 <---- the 525332 will *not* be echoed to the
screen. The problem with NUIs is that they're hard to come by unless you're
a good social engineer with a thorough knowledge of Telenet (in which case
you probably aren't reading this section), or you have someone who can
provide you with them.
The second way to connect is to use a private PAD, either through an X.25
PAD or through something like Netlink off of a Prime computer (more on these
two below.)
The prefix in a Telenet NUA oftentimes (not always) refers to the phone Area
Code that the computer is located in (i.e. 713 xxx would be a computer in
Houston, Texas.) If there's a particular area you're interested in, (say,
New York City 914), you could begin by typing @c 914 001 <cr>. If it connects,
you make a note of it and go on to 914 002. You do this until you've found
some interesting systems to play with.
Not all systems are on a simple xxx yyy address. Some go out to four or
five digits (914 2354), and some have decimal or numeric extensions
(422 121A = 422 121.01). You have to play with them, and you never know what
you're going to find. To fully scan out a prefix would take ten million
attempts per prefix. For example, if I want to scan 512 completely, I'd have
to start with 512 00000.00 and go through 512 00000.99, then increment the
address by 1 and try 512 00001.00 through 512 00001.99. A lot of scanning.
There are plenty of neat computers to play with in a 3-digit scan, however,
so don't go berserk with the extensions.
Sometimes you'll attempt to connect and it will just be sitting there after
one or two minutes. In this case, you want to abort the connect attempt by
sending a hard break (this varies with different term programs, on Procomm,
it's ALT-B), and then when you get the @ prompt back, type 'D' for disconnect.
If you connect to a computer and wish to disconnect, you can type <cr> @
<cr> and it should say TELENET and then give you the @ prompt. From there,
type D to disconnect or CONT to re-connect and continue your session
uninterrupted.
Outdials, Network Servers, and PADs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In addition to computers, an NUA may connect you to several other things.
One of the most useful is the outdial. An outdial is nothing more than a modem
you can get to over telenet- similar to the PC Pursuit concept, except that
these don't have passwords on them most of the time.
When you connect, you will get a message like 'Hayes 1200 baud outdial,
Detroit, MI', or 'VEN-TEL 212 Modem', or possibly 'Session 1234 established
on Modem 5588'. The best way to figure out the commands on these is to
type ? or H or HELP- this will get you all the information that you need to
use one.
Safety tip here- when you are hacking *any* system through a phone dialup,
always use an outdial or a diverter, especially if it is a local phone number
to you. More people get popped hacking on local computers than you can
imagine; Intra-LATA calls are the easiest things in the world to trace
inexpensively.
Another nice trick you can do with an outdial is use the redial or macro
function that many of them have. First thing you do when you connect is to
invoke the 'Redial Last Number' facility. This will dial the last number used,
which will be the one the person using it before you typed. Write down the
number, as no one would be calling a number without a computer on it. This
is a good way to find new systems to hack. Also, on a VENTEL modem, type 'D'
for Display and it will display the five numbers stored as macros in the
modem's memory.
There are also different types of servers for remote Local Area Networks
(LAN) that have many machines all over the office or the nation connected to
them. I'll discuss identifying these later in the computer ID section.
And finally, you may connect to something that says 'X.25 Communication
PAD' and then some more stuff, followed by a new @ prompt. This is a PAD
just like the one you are on, except that all attempted connections are billed
to the PAD, allowing you to connect to those nodes who earlier refused collect
connections.
This also has the added bonus of confusing where you are connecting from.
When a packet is transmitted from PAD to PAD, it contains a header that has
the location you're calling from. For instance, when you first connected
to Telenet, it might have said 212 44A CONNECTED if you called from the 212
area code. This means you were calling PAD number 44A in the 212 area.
That 21244A will be sent out in the header of all packets leaving the PAD.
Once you connect to a private PAD, however, all the packets going out
from *it* will have its address on them, not yours. This can be a valuable
buffer between yourself and detection.
Phone Scanning
~~~~~~~~~~~~~~
Finally, there's the time-honored method of computer hunting that was made
famous among the non-hacker crowd by that Oh-So-Technically-Accurate movie
Wargames. You pick a three digit phone prefix in your area and dial every
number from 0000 --> 9999 in that prefix, making a note of all the carriers
you find. There is software available to do this for nearly every computer
in the world, so you don't have to do it by hand.
Part Three: I've Found a Computer, Now What?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This next section is applicable universally. It doesn't matter how you
found this computer, it could be through a network, or it could be from
carrier scanning your High School's phone prefix, you've got this prompt;
what the hell is it?
I'm *NOT* going to attempt to tell you what to do once you're inside of
any of these operating systems. Each one is worth several G-files in its
own right. I'm going to tell you how to identify and recognize certain
OpSystems, how to approach hacking into them, and how to deal with something
that you've never seen before and have no idea what it is.
VMS- The VAX computer is made by Digital Equipment Corporation (DEC),
and runs the VMS (Virtual Memory System) operating system.
VMS is characterized by the 'Username:' prompt. It will not tell
you if you've entered a valid username or not, and will disconnect
you after three bad login attempts. It also keeps track of all
failed login attempts and informs the owner of the account next time
s/he logs in how many bad login attempts were made on the account.
It is one of the most secure operating systems around from the
outside, but once you're in there are many things that you can do
to circumvent system security. The VAX also has the best set of
help files in the world. Just type HELP and read to your heart's
content.
Common Accounts/Defaults: [username: password [[,password]] ]
SYSTEM: OPERATOR or MANAGER or SYSTEM or SYSLIB
OPERATOR: OPERATOR
SYSTEST: UETP
SYSMAINT: SYSMAINT or SERVICE or DIGITAL
FIELD: FIELD or SERVICE
GUEST: GUEST or unpassworded
DEMO: DEMO or unpassworded
DECNET: DECNET
DEC-10- An earlier line of DEC computer equipment, running the TOPS-10
operating system. These machines are recognized by their
'.' prompt. The DEC-10/20 series are remarkably hacker-friendly,
allowing you to enter several important commands without ever
logging into the system. Accounts are in the format [xxx,yyy] where
xxx and yyy are integers. You can get a listing of the accounts and
the process names of everyone on the system before logging in with
the command .systat (for SYstem STATus). If you see an account
that reads [234,1001] BOB JONES, it might be wise to try BOB or
JONES or both for a password on this account. To login, you type
.login xxx,yyy and then type the password when prompted for it.
The system will allow you unlimited tries at an account, and does
not keep records of bad login attempts. It will also inform you
if the UIC you're trying (UIC = User Identification Code, 1,2 for
example) is bad.
Common Accounts/Defaults:
1,2: SYSLIB or OPERATOR or MANAGER
2,7: MAINTAIN
5,30: GAMES
UNIX- There are dozens of different machines out there that run UNIX.
While some might argue it isn't the best operating system in the
world, it is certainly the most widely used. A UNIX system will
usually have a prompt like 'login:' in lower case. UNIX also
will give you unlimited shots at logging in (in most cases), and
there is usually no log kept of bad attempts.
Common Accounts/Defaults: (note that some systems are case
sensitive, so use lower case as a general rule. Also, many times
the accounts will be unpassworded, you'll just drop right in!)
root: root
admin: admin
sysadmin: sysadmin or admin
unix: unix
uucp: uucp
rje: rje
guest: guest
demo: demo
daemon: daemon
sysbin: sysbin
Prime- Prime computer company's mainframe running the Primos operating
system. They are easy to spot, as they greet you with
'Primecon 18.23.05' or the like, depending on the version of the
operating system you run into. There will usually be no prompt
offered, it will just look like it's sitting there. At this point,
type 'login <username>'. If it is a pre-18.00.00 version of Primos,
you can hit a bunch of ^C's for the password and you'll drop in.
Unfortunately, most people are running versions 19+. Primos also
comes with a good set of help files. One of the most useful
features of a Prime on Telenet is a facility called NETLINK. Once
you're inside, type NETLINK and follow the help files. This allows
you to connect to NUA's all over the world using the 'nc' command.
For example, to connect to NUA 026245890040004, you would type
@nc :26245890040004 at the netlink prompt.
Common Accounts/Defaults:
PRIME PRIME or PRIMOS
PRIMOS_CS PRIME or PRIMOS
PRIMENET PRIMENET
SYSTEM SYSTEM or PRIME
NETLINK NETLINK
TEST TEST
GUEST GUEST
GUEST1 GUEST
HP-x000- This system is made by Hewlett-Packard. It is characterized by the
':' prompt. The HP has one of the more complicated login sequences
around- you type 'HELLO SESSION NAME,USERNAME,ACCOUNTNAME,GROUP'.
Fortunately, some of these fields can be left blank in many cases.
Since any and all of these fields can be passworded, this is not
the easiest system to get into, except for the fact that there are
usually some unpassworded accounts around. In general, if the
defaults don't work, you'll have to brute force it using the
common password list (see below.) The HP-x000 runs the MPE operating
system, the prompt for it will be a ':', just like the logon
prompt.
Common Accounts/Defaults:
MGR.TELESUP,PUB User: MGR Acct: HPONLY Grp: PUB
MGR.HPOFFICE,PUB unpassworded
MANAGER.ITF3000,PUB unpassworded
FIELD.SUPPORT,PUB user: FLD, others unpassworded
MAIL.TELESUP,PUB user: MAIL, others
unpassworded
MGR.RJE unpassworded
FIELD.HPPl89 ,HPPl87,HPPl89,HPPl96 unpassworded
MGR.TELESUP,PUB,HPONLY,HP3 unpassworded
IRIS- IRIS stands for Interactive Real Time Information System. It
originally ran on PDP-11's, but now runs on many other minis. You can
spot an IRIS by the 'Welcome to "IRIS" R9.1.4 Timesharing' banner,
and the ACCOUNT ID? prompt. IRIS allows unlimited tries at hacking
in, and keeps no logs of bad attempts. I don't know any default
passwords, so just try the common ones from the password database
below.
Common Accounts:
MANAGER
BOSS
SOFTWARE
DEMO
PDP8
PDP11
ACCOUNTING
VM/CMS- The VM/CMS operating system runs on International Business Machines
(IBM) mainframes. When you connect to one of these, you will get a
message similar to 'VM/370 ONLINE', and then be given a '.' prompt,
just like TOPS-10 does. To login, you type 'LOGON <username>'.
Common Accounts/Defaults are:
AUTOLOG1: AUTOLOG or AUTOLOG1
CMS: CMS
CMSBATCH: CMS or CMSBATCH
EREP: EREP
MAINT: MAINT or MAINTAIN
OPERATNS: OPERATNS or OPERATOR
OPERATOR: OPERATOR
RSCS: RSCS
SMART: SMART
SNA: SNA
VMTEST: VMTEST
VMUTIL: VMUTIL
VTAM: VTAM
NOS- NOS stands for Networking Operating System, and runs on the Cyber
computer made by Control Data Corporation. NOS identifies itself
quite readily, with a banner of 'WELCOME TO THE NOS SOFTWARE
SYSTEM. COPYRIGHT CONTROL DATA 1978,1987'. The first prompt you
will get will be FAMILY:. Just hit return here. Then you'll get
a USER NAME: prompt. Usernames are typically 7 alphanumeric
characters long, and are *extremely* site dependent. Operator
accounts begin with a digit, such as 7ETPDOC.
Common Accounts/Defaults:
$SYSTEM unknown
SYSTEMV unknown
Decserver- This is not truly a computer system, but is a network server that
has many different machines available from it. A Decserver will
say 'Enter Username>' when you first connect. This can be anything,
it doesn't matter, it's just an identifier. Type 'c', as this is
the least conspicuous thing to enter. It will then present you
with a 'Local>' prompt. From here, you type 'c <systemname>' to
connect to a system. To get a list of system names, type
'sh services' or 'sh nodes'. If you have any problems, online
help is available with the 'help' command. Be sure and look for
services named 'MODEM' or 'DIAL' or something similar, these are
often outdial modems and can be useful!
GS/1- Another type of network server. Unlike a Decserver, you can't
predict what prompt a GS/1 gateway is going to give you. The
default prompt is 'GS/1>', but this is redefinable by the
system administrator. To test for a GS/1, do a 'sh d'. If that
prints out a large list of defaults (terminal speed, prompt,
parity, etc...), you are on a GS/1. You connect in the same manner
as a Decserver, typing 'c <systemname>'. To find out what systems
are available, do a 'sh n' or a 'sh c'. Another trick is to do a
'sh m', which will sometimes show you a list of macros for logging
onto a system. If there is a macro named VAX, for instance, type
'do VAX'.
The above are the main system types in use today. There are
hundreds of minor variants on the above, but this should be
enough to get you started.
Unresponsive Systems
~~~~~~~~~~~~~~~~~~~~
Occasionally you will connect to a system that will do nothing but sit
there. This is a frustrating feeling, but a methodical approach to the system
will yield a response if you take your time. The following list will usually
make *something* happen.
1) Change your parity, data length, and stop bits. A system that won't
respond at 8N1 may react at 7E1 or 8E2 or 7S2. If you don't have a term
program that will let you set parity to EVEN, ODD, SPACE, MARK, and NONE,
with data length of 7 or 8, and 1 or 2 stop bits, go out and buy one.
While having a good term program isn't absolutely necessary, it sure is
helpful.
2) Change baud rates. Again, if your term program will let you choose odd
baud rates such as 600 or 1100, you will occasionally be able to penetrate
some very interesting systems, as most systems that depend on a strange
baud rate seem to think that this is all the security they need...
3) Send a series of <cr>'s.
4) Send a hard break followed by a <cr>.
5) Type a series of .'s (periods). The Canadian network Datapac responds
to this.
6) If you're getting garbage, hit an 'i'. Tymnet responds to this, as does
a MultiLink II.
7) Begin sending control characters, starting with ^A --> ^Z.
8) Change terminal emulations. What your vt100 emulation thinks is garbage
may all of a sudden become crystal clear using ADM-5 emulation. This also
relates to how good your term program is.
9) Type LOGIN, HELLO, LOG, ATTACH, CONNECT, START, RUN, BEGIN, LOGON, GO,
JOIN, HELP, and anything else you can think of.
10) If it's a dialin, call the numbers around it and see if a company
answers. If they do, try some social engineering.
Brute Force Hacking
~~~~~~~~~~~~~~~~~~~
There will also be many occasions when the default passwords will not work
on an account. At this point, you can either go onto the next system on your
list, or you can try to 'brute-force' your way in by trying a large database
of passwords on that one account. Be careful, though! This works fine on
systems that don't keep track of invalid logins, but on a system like a VMS,
someone is going to have a heart attack if they come back and see '600 Bad
Login Attempts Since Last Session' on their account. There are also some
operating systems that disconnect after 'x' number of invalid login attempts
and refuse to allow any more attempts for one hour, or ten minutes, or
sometimes until the next day.
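The VMS behaviour described in Part Three (drop the connection after three bad logins, count every failure, and report the count to the owner at the next successful login) is exactly what makes the '600 Bad Login Attempts' situation above visible. Here it is modelled from the defender's side as an added Python example; it is not code from the original file or from DEC, and the account store, password, prompt messages and "connection" are all constructed for the example.

```python
"""Added example: a VMS-style login gate with two defensive controls.

  * per-connection limit: after MAX_ATTEMPTS_PER_CONNECTION failures the
    connection is dropped (the guide: VMS "will disconnect you after
    three bad login attempts");
  * per-account break-in counter: every failed attempt against a real
    account is counted, and the count is shown to the owner at the next
    successful login ("N Bad Login Attempts Since Last Session").

Everything here (account names, passwords, messages) is constructed for
the example; there is no real terminal, PAD or VMS behind it.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS_PER_CONNECTION = 3
# Same text for "no such user" and "wrong password", so the prompt does
# not confirm which usernames exist (the guide notes VMS behaves this way).
FAILURE_MESSAGE = "User authorization failure"
DISCONNECT_MESSAGE = "NO CARRIER"


def _hash(password: str, salt: bytes) -> bytes:
    # A slow salted hash so the store never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_since_last_login: int = 0  # the VMS-style break-in counter

    @classmethod
    def create(cls, password: str) -> "Account":
        salt = secrets.token_bytes(16)
        return cls(salt=salt, digest=_hash(password, salt))

    def check(self, password: str) -> bool:
        # Constant-time comparison of the stored and computed digests.
        return hmac.compare_digest(self.digest, _hash(password, self.salt))


@dataclass
class LoginResult:
    success: bool
    disconnected: bool
    message: str


class LoginGate:
    """One instance per dial-up or network connection."""

    def __init__(self, accounts: dict[str, Account]):
        self.accounts = accounts
        self.bad_attempts = 0  # failures on *this* connection only

    def login(self, username: str, password: str) -> LoginResult:
        if self.bad_attempts >= MAX_ATTEMPTS_PER_CONNECTION:
            # Connection already dropped: nothing further is accepted,
            # even the correct password.
            return LoginResult(False, True, DISCONNECT_MESSAGE)

        account = self.accounts.get(username.upper())
        if account is not None and account.check(password):
            n = account.failed_since_last_login
            account.failed_since_last_login = 0  # reset once the owner sees it
            msg = ("Welcome" if n == 0
                   else f"{n} Bad Login Attempts Since Last Session")
            return LoginResult(True, False, msg)

        # Failure: count it on the connection, and on the account if real.
        self.bad_attempts += 1
        if account is not None:
            account.failed_since_last_login += 1
        dropped = self.bad_attempts >= MAX_ATTEMPTS_PER_CONNECTION
        return LoginResult(False, dropped, FAILURE_MESSAGE)


if __name__ == "__main__":
    # Constructed demo: three default-password guesses, then the owner logs in.
    store = {"SYSTEM": Account.create("not-a-default")}
    attacker = LoginGate(store)
    for guess in ("MANAGER", "OPERATOR", "SYSLIB"):
        print(guess, "->", attacker.login("SYSTEM", guess))
    owner = LoginGate(store)
    print("owner ->", owner.login("system", "not-a-default").message)
```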
The following list is taken from my own password database plus the
database of passwords that was used in the Internet UNIX Worm that was running
around in November of 1988. For a shorter group, try first names, computer
terms, and obvious things like 'secret', 'password', 'open', and the name
of the account. Also try the name of the company that owns the computer
system (if known), the company initials, and things relating to the products
the company makes or deals with.
Password List
=============
aaa daniel jester rascal
academia danny johnny really
ada dave joseph rebecca
adrian deb joshua remote
aerobics debbie judith rick
airplane deborah juggle reagan
albany december julia robot
albatross desperate kathleen robotics
albert develop kermit rolex
alex diet kernel ronald
alexander digital knight rosebud
algebra discovery lambda rosemary
alias disney larry roses
alpha dog lazarus ruben
alphabet drought lee rules
ama duncan leroy ruth
amy easy lewis sal
analog eatme light saxon
anchor edges lisa scheme
andy edwin louis scott
andrea egghead lynne scotty
animal eileen mac secret
answer einstein macintosh sensor
anything elephant mack serenity
arrow elizabeth maggot sex
arthur ellen magic shark
asshole emerald malcolm sharon
athena engine mark shit
atmosphere engineer markus shiva
bacchus enterprise marty shuttle
badass enzyme marvin simon
bailey euclid master simple
banana evelyn maurice singer
bandit extension merlin single
banks fairway mets smile
bass felicia michael smiles
batman fender michelle smooch
beauty fermat mike smother
beaver finite minimum snatch
beethoven flower minsky snoopy
beloved foolproof mogul soap
benz football moose socrates
beowulf format mozart spit
berkeley forsythe nancy spring
berlin fourier napoleon subway
beta fred network success
beverly friend newton summer
bob frighten next super
brenda fun olivia support
brian gabriel oracle surfer
bridget garfield orca suzanne
broadway gauss orwell tangerine
bumbling george osiris tape
cardinal gertrude outlaw target
carmen gibson oxford taylor
carolina ginger pacific telephone
caroline gnu painless temptation
castle golf pam tiger
cat golfer paper toggle
celtics gorgeous password tomato
change graham pat toyota
charles gryphon patricia trivial
charming guest penguin unhappy
charon guitar pete unicorn
chester hacker peter unknown
cigar harmony philip urchin
classic harold phoenix utility
coffee harvey pierre vicky
coke heinlein pizza virginia
collins hello plover warren
comrade help polynomial water
computer herbert praise weenie
condo honey prelude whatnot
condom horse prince whitney
cookie imperial protect will
cooper include pumpkin william
create ingres puppet willie
creation innocuous rabbit winston
creator irishman rachmaninoff wizard
cretin isis rainbow wombat
daemon japan raindrop yosemite
dancer jessica random zap
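As an added example, not part of The Mentor's file, here is the guessing strategy of the paragraph above written out as a small offline dictionary attack against a passwd-style file: account name, the owner's names from the GECOS field, company name and initials, product names, then the word list, each with a few cheap mutations (the 1988 worm also tried the login name reversed and doubled). The hash is hex SHA-256 over salt+password, a stand-in for the crypt(3) DES hashes of the period so it runs on current Python; the company name, product names and all five accounts are constructed for the example.

```python
"""Added example (not from the original file): the guessing strategy the
text describes, run offline against a small passwd-format file.

Assumption: password hashes are hex SHA-256 over salt+password, a
stand-in for the crypt(3) DES scheme of 1988 so the example runs on any
current Python.  The company name, product names and all five accounts
below are constructed for the example.
"""
import hashlib
import itertools

# A few entries from the list above; the full list would slot in unchanged.
BASE_WORDS = ["secret", "password", "open", "wizard", "rosebud", "oracle",
              "computer", "guest", "hello", "bacchus"]

COMPANY = "Acme Data Systems"     # assumed: owner of the target system
PRODUCTS = ["widget", "gizmo"]    # assumed: what the company sells


def hash_password(salt: str, password: str) -> str:
    """Stand-in for crypt(3): hex SHA-256 of salt followed by password."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def mutations(word: str):
    """Cheap variants tried before moving on to the next seed word."""
    yield word                    # exactly as written (e.g. initials "ADS")
    w = word.lower()
    yield w
    yield w.capitalize()
    yield w[::-1]                 # reversed: the 1988 worm tried this too
    yield w + w                   # doubled, another worm favourite
    for suffix in ("1", "123"):
        yield w + suffix


def candidates(login: str, gecos: str):
    """Ordered, de-duplicated guesses for one account, in the order the
    text suggests: account name, owner's names, company, products, words."""
    seeds = [login]
    seeds += gecos.replace(",", " ").split()          # GECOS full name etc.
    seeds.append(COMPANY.replace(" ", ""))
    seeds.append("".join(p[0] for p in COMPANY.split()))   # company initials
    seeds += PRODUCTS
    seeds += BASE_WORDS
    seen = set()
    for guess in itertools.chain.from_iterable(mutations(s) for s in seeds):
        if guess not in seen:
            seen.add(guess)
            yield guess


def parse_passwd(text: str):
    """Yield (login, salt, digest, gecos) from login:salt$digest:uid:gid:gecos:..."""
    for line in text.strip().splitlines():
        fields = line.split(":")
        salt, digest = fields[1].split("$", 1)
        yield fields[0], salt, digest, fields[4]


def crack(text: str, limit: int = 2000) -> dict:
    """Return {login: password} for every account found within `limit` guesses."""
    found = {}
    for login, salt, digest, gecos in parse_passwd(text):
        for n, guess in enumerate(candidates(login, gecos)):
            if n >= limit:
                break
            if hash_password(salt, guess) == digest:
                found[login] = guess
                break
    return found


def _entry(login, uid, gecos, password, salt):
    """Build one constructed passwd line with the stand-in hash."""
    return f"{login}:{salt}${hash_password(salt, password)}:{uid}:100:{gecos}:/home/{login}:/bin/sh"


# Constructed sample: four predictable passwords, one that is not.
SAMPLE_PASSWD = "\n".join([
    _entry("jsmith", 1001, "John Smith", "Smith", "ab"),
    _entry("rwalker", 1002, "Rebecca Walker,Room 12", "rebecca1", "cd"),
    _entry("ops", 1003, "Operations Account", "ADS", "ef"),
    _entry("guest", 1004, "Guest Account", "guest", "gh"),
    _entry("admin", 1005, "Site Administrator", "x7#Qm!vL9pZ", "ij"),
])

if __name__ == "__main__":
    for login, pw in crack(SAMPLE_PASSWD).items():
        print(f"{login}: {pw}")
```

Order matters: the four predictable accounts fall within a handful of guesses each, which is the whole point of the text, while the one password that is not derived from anything about the account or the site survives the entire candidate set. Against a real /etc/passwd of the period you would swap hash_password for crypt(3) and drop the full list above into BASE_WORDS.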
Part Four: Wrapping it up!
~~~~~~~~~~~~~~~~~~~~~~~~~~
I hope this file has been of some help in getting started. If you're
asking yourself the question 'Why hack?', then you've probably wasted a lot
of time reading this, as you'll never understand. For those of you who
have read this and found it useful, please send a tax-deductible donation
of $5.00 (or more!) in the name of the Legion of Doom to:
The American Cancer Society
90 Park Avenue
New York, NY 10016
********************************************************************************
References:
1) Introduction to ItaPAC by Blade Runner
Telecom Security Bulletin #1
2) The IBM VM/CMS Operating System by Lex Luthor
The LOD/H Technical Journal #2
3) Hacking the IRIS Operating System by The Leftist
The LOD/H Technical Journal #3
4) Hacking CDC's Cyber by Phrozen Ghost
Phrack Inc. Newsletter #18
5) USENET comp.risks digest (various authors, various issues)
6) USENET unix.wizards forum (various authors)
7) USENET info-vax forum (various authors)
Recommended Reading:
1) Hackers by Steven Levy
2) Out of the Inner Circle by Bill Landreth
3) Turing's Man by J. David Bolter
4) Soul of a New Machine by Tracy Kidder
5) Neuromancer, Count Zero, Mona Lisa Overdrive, and Burning Chrome, all
by William Gibson
6) Reality Hackers Magazine c/o High Frontiers, P.O. Box 40271, Berkeley,
California, 94704, 415-995-2606
7) Any of the Phrack Inc. Newsletters & LOD/H Technical Journals you can find.
Acknowledgements:
Thanks to my wife for putting up with me.
Thanks to Lone Wolf for the RSTS & TOPS assistance.
Thanks to Android Pope for proofreading, suggestions, and beer.
Thanks to The Urvile/Necron 99 for proofreading & Cyber info.
Thanks to Eric Bloodaxe for wading through all the trash.
Thanks to the users of Phoenix Project for their contributions.
Thanks to Altos Computer Systems, Munich, for the chat system.
Thanks to the various security personnel who were willing to talk to
me about how they operate.
Boards:
I can be reached on the following systems with some regularity-
The Phoenix Project: 512/441-3088 300-2400 baud
Hacker's Den-80: 718/358-9209 300-1200 baud
Smash Palace South: 512/478-6747 300-2400 baud
Smash Palace North: 612/633-0509 300-2400 baud
P-80 Systems 304-744-2253 300-2400 baud
************************************* EOF **************************************
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|==========================|
|| Cable Piracy ||
|| by ||
|| Psycho Bear ||
|| Thanks: Mad Poo Bandit ||
|==========================|
After reading another G-file on cable theft that was almost completely
inaccurate and totally wrong, I felt that I was obligated to write a G-file
about cable piracy that really does work.
BACKGROUND:
-----------
There are two ways to scramble pay-channels (HBO, Showtime, Cinemax, The
Movie Channel, Disney, Playboy, Bravo, etc.). I call them the "old" way and
the "new" way. (Yeah I know it's dumb)
The "old" way of scrambling channels works this way: The cable company
sends a clean, unscrambled signal of ALL the pay-channels, and only at the
"junction box", "cable box", "green dome" or "beige dome" are they scrambled
(this is not really true...a few channels like Disney, in my area, are
scrambled...so you'll just have to go without Goofy).
The cable company sends a clean signal out to a neighborhood in large 2
inch diameter underground cable. At every 4 houses (4 houses square, that is
to say you, your next door neighbor, the house behind you, and the house
behind your next door neighbor; or every 2 if your house backs up to a street
or a park etc.) this underground cable comes out of the ground and into a
"green dome" ("beige dome" if it's every 2 houses), where it is split into 4
separate coaxial cables (the same size as the cable in the back of your TV)
and the signal is boosted. Then, depending on what each of the 4 houses
subscribes to, certain channels are scrambled.
The cable company scrambles channels by screwing the cable into a 3"
metal cylinder. These cylinders can range in size from 2" to 4" but it is
usually 3". The cylinder will have a sticker on it with one or more letters
telling what channel(s) it scrambles. For instance if it scrambles channel
20, it will say "NF-G", the letters after the dash being the important part.
If it scrambles channels 20, 21 and 22 it will say "NF-GHI". Cable companies
are weird, so they might put two of these cylinders on, say one "NF-G" and one
"NF-HI", but it will do the same job as the aforementioned.
GETTING CABLE IF YOU DON'T SUBSCRIBE:
-------------------------------------
This is for the "old" way you've just read about. First, you'll have to
find where the "green dome" is. The "green dome" will be either a green dome
(of course) or a beige dome, with a yellow "Cable theft is naughty" sticker on
it. Like I said above, you have a one in 4 (or 1 in 2) chance of having it in
your own backyard. If it's not in your backyard, then find out whose backyard
it is in, and go over there some day when they're at work or something.
Now that you've located it, you must get the master lock off. There are
three proven methods of doing this. You can either kick the living shit out
of it, or take some pliers and grab the loop that the lock goes into, and bend
it off by twisting it back and forth, or take heavy duty wire cutters and cut
the loop off. And don't worry about the damage you've done; cable men do the
exact same thing, and if you're lucky they might have done it already! So it
won't appear to be anything out of the ordinary.
Once you've got the lock off, you can take the big green dome off. You
will see a box with 4 terminals (places to screw in cable):
_______
/ \
| o o |
| | <-- the "box", each "o" is a
| o o | terminal to screw in a
\_______/ cable
| |
| | <-- metal pole/big cable
| |
There may or may not be any cable currently screwed into these, depending on
whether you and your neighbors subscribe to cable. If someone does not
subscribe to cable, there will simply be a terminal where the cable is not
screwed in. The terminal where the cable is not screwed in might have a little
dull grey 1" cylinder to prevent you from getting cable free. See, the
cylinder is hollow and will carry no signal, so if you reconnect the cable to
it, you will get nothing. DO NOT RIP IT OUT!!! I have, and it will rip the
terminal right out with it and then the cable company WILL come out to fix it.
These things use the same idea as child-proof bottles; you have to push
"in"/towards the "box" and then unscrew. It will take awhile to do this, so
don't get perturbed.
So, if you are not currently subscribing to cable at all, there will be
an unused terminal, and one end of a cable lying somewhere in the dome. All
you have to do is reconnect the unused cable to the unused terminal, and there
you go! Instant Cable with all pay-channels included!
If you are paranoid, you can connect it at 6 pm (when the cable company
closes for the day), and then disconnect it before 9 or 10 am. This way, even
if they come out and look at it, it will be disconnected--nothing unusual.
Of course you can leave it hooked up ALL the time. It sounds crazy, but
Mad Poo has had the cable company come to his house four times and work on his
box, and they didn't say a word! I guess the cable linemen don't have records
of what everyone subscribes to.
GETTING PAY-CHANNELS IF YOU ARE ALREADY A BASIC SUBSCRIBER:
-----------------------------------------------------------
If you are currently subscribing to the basic cable service, and you want
all the pay-channels that you aren't already subscribing for, read this.
First you'll want to find out which cable/terminal is yours. Go turn on your
TV and then go out to the green dome and unscrew one of the cables from a
terminal. Go back inside and see if you've disconnected the cable for
yourself. Once you find which cable disconnects yours, you're done. And DON'T
leave your neighbors unconnected or the cable company WILL come out.
Remember how I said that cable companies scramble the pay-channels?
(above, in the BACKGROUND section) Well, those 3" metal cylinders are kept in
black plastic cases about 9" long. There are a few ways of getting the
cylinders off. The first is to get some pliers and grab the cable tight,
close to the black cylinder. Then grabbing the black cylinder as tight as you
can (so that it grips the cylinder inside), unscrew the cable. Once you've
got one side unscrewed, do the other side.
The second way is to get wire cutters and cut up the edge of the black
plastic cylinder. This is a lot easier, and this way you actually get to see
the 3" metal cylinders inside. I recommend this one.
When you're done with that, either attach the cable coming out of the
ground to the terminal (leaving you with one short length of cable; go use it
inside your house or something), or get a male-to-male coaxial cable converter
and attach the two (this will not look suspicious, as the cable company uses
them too).
THE "NEW" WAY OF SCRAMBLING SIGNALS:
------------------------------------
Just like phreaking has its ESS, so cable piracy has its Addressable
Converter Box. The "new" way works like this. You have an Addressable
Converter Box at your house, which means that the cable company can talk to
your converter box and tell it which channels you are currently subscribing
to. ALL pay-channels are pre-scrambled (there is never a "clean" signal to
tap into, so the "old" way of cable piracy won't work). If you are currently
subscribing to HBO/channel 33, then the cable company will send a signal to
your converter box saying "un-scramble channel 33". So your converter box
will unscramble that channel.
The Addressable Converter Box is weird. Every hour or so, the cable
company will send out a signal to EVERY Addressable Converter Box and,
depending on its Address, it will tell it which services it gets.
Say my Converter Box's Address is 12345679 and I get HBO. So I take my
Converter Box to Mad Poo Bandit's house (who doesn't get HBO), and hook it up.
Then we can watch HBO over at his house now. See, the Converter Box can be
ANYWHERE. The only thing the cable company looks for is the Address of the
Box.
There are a couple of reasons you can't pirate cable with the "new" way.
One G-file talked about subscribing to ALL the pay-channels, waiting for the
cable company to send the signal to your Addressable Converter Box telling it
to un-scramble ALL the pay-channels, then disconnecting the cable from the
Addressable Converter Box, calling them up and unsubscribing from all the
channels. Then when the cable company sends the signal to NOT un-scramble any
pay-channels, it will not reach the Addressable Converter Box because you have
disconnected it.
There are two problems with this idea. First, the cable company (in my
area anyway) sends out the signal telling Addressable Converter Boxes what to
un-scramble, and what not to, every hour or so. So once you re-connect cable
after the little scheme, you'd lose the channels in about an hour or two.
The second problem is that if you leave it unconnected for too long (a
few weeks-a few months) the RAM of the Addressable Converter Box will go bad
and forget even how to work at all! This is no bullshit! When it happens,
you have to call up the cable company and ask for them to re-initialize your
Addressable Converter Box.
AFTERWORD:
----------
In some areas, they have not made the transition from the "old" way to
the "new" way completely. This is obvious: not everyone is going to go out of
THEIR way to get a stupid Addressable Converter Box. So the cable company
must use BOTH ways. So you'll have the "old" scrambled HBO on say channel
20, and the "new" scrambled HBO on channel 33. If you are in the transition,
you can still use the "old" way of cable piracy.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
--------------------------------------------------------------------------
- -
- How to get some quick flames going from a remote spot -
- File Created by Fallen Angel -
- -
--------------------------------------------------------------------------
There is a nifty chemical called potassium permanganate. It's used for
getting chickens the dietary potassium they need, and I've heard it is
used in snake bite kits. Today's lesson will cover making this stuff burn.
All you need is some potassium permanganate and common glycerin.
Materials
---------
Something to experiment on.
I played with this on the underside of a large coffee can, then
I store my things in the can too.
A jar of potassium permanganate.
I will refer to it here as potassium pmgt. Get as much as you think
you will need for your purposes. $20.00 worth should last a while.
Glycerin.
I got mine at the Safeway near me. This is very common stuff so you
will not look suspicious in the least when you are buying it.
Empty medicine bottle with a dropper.
This is optional. I used it for activating just a small amount of
potassium pmgt.
Procedure
---------
Put some of the potassium pmgt. on a flat surface to experiment with. Fill
your dropper with glycerin and put a drop or two in the middle of a spoonful
of the potassium pmgt. If it doesn't spark immediately give it a few seconds.
Notice that it burns only where you put the glycerin. That is because the
chemical reaction between glycerin and potassium pmgt. is what causes the
flame; potassium pmgt. is not inherently flammable, but a little glycerin
changes that.
Miscellaneous
------------
You can now figure out numerous ways of incorporating this into letter bombs,
car pranks or touch explosives. Be careful though, the mixture throws beads
of hot lava-like stuff out about a foot. Watch for more files coming soon
from Fallen Angel!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
--------------------------------------------------------------------------
- -
- How to make a great hot flame with two common ingredients. -
- File Created by Fallen Angel -
- -
--------------------------------------------------------------------------
Two common things that you will find at any grocery store are saltpeter and
powdered sugar. Alone, they are harmless. Putting them together makes a
powder that is easy to ignite and will burn like crazy. I first tested this
with one of those old plastic Jaws toys. I mixed up the powder and put some
in his head. It just melted through the top and the plastic jaw dropped
letting the burning powder fall on the ground.
Materials
---------
Saltpeter (potassium nitrate).
Get this at a grocery store. Make sure it is the first thing you buy
since they will get suspicious sometimes but there is nothing they can
do except joke with you about it! It costs around $2.50 a bottle.
Powdered sugar or powdered carbon.
The finer the sugar the better. 10x confectioners sugar should work.
1 lighter with a high flame setting or "strike anywhere" matches.
Procedure
---------
Mix exactly equal amounts of saltpeter and powdered sugar in a container.
This stuff isn't caustic, so you can store it in plastic. Scoop out the
desired amount and place it where ever you want it to burn. Light it and
move so the wind doesn't blow smoke in your face.
Miscellaneous
------------
This mixture is very smoky and burns with a high temperature. Remember: you
don't need to use the whole bottle just to fry a small helpless stuffed toy.
Save some for a rainy day fooling around in the garage. Watch for more files
coming soon from Fallen Angel!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
--------------------------------------------------------------------------
- -
- How to extract the hydrogen from plain water -
- File Created by Fallen Angel -
- -
--------------------------------------------------------------------------
To separate the hydrogen and oxygen contained in water is a simple process. I
made this file so that anyone with minimal equipment could have himself a
glass jar full of flammable hydrogen. When the process fills your jar, the
hydrogen won't be compressed, hot or radioactive. It will be room temperature
and room pressure. The same goes for the oxygen.
Materials
---------
1 large bowl.
Preferably clear glass so you can see through it.
2 carbon rods.
These can be taken from carbon batteries such as Radio Shack's battery
club batteries. The bigger the better.
1 DC power source.
I use a Sears 36-watt car battery charger.
4 feet of insulated copper wire
2 small jars.
Small enough to fit two in the bowl. I used some narrow, tall olive
jars.
1 roll of duct tape.
1 packet of sodium carbonate.
This is NOT baking soda which is sodium bicarbonate. Sodium carbonate
usually comes in a plastic package with tie-dye kits. It is a grainy
white powder.
Procedure
---------
Fill the large bowl with water and dissolve half the packet of sodium
carbonate in it. Attach one carbon rod to a stripped end of each of the
copper wires with duct tape after you have cut it evenly into two pieces. Be
sure that no metal is showing on the end where you connected the carbon rods.
Somehow, make an electrical connection between the remaining ends of the wires
and the power source. If everything is working properly, you can now turn on
the power source and stick the carbon rods in the bowl. Watch them closely to
see which one is emitting bubbles twice as fast as the other one, as that
will be hydrogen and the slower one will be oxygen. If you want to burn this
hydrogen or inhale the oxygen, you can fill one of the small jars with water
from the bowl and turn it over on top of the rod with your favorite gas. Have
fun with this and be sure to keep your hands out of the way when you put a
match under the upside-down jar full of hydrogen when you light it!
Miscellaneous
------------
I have tested this method for getting hydrogen gas and it works. I captured
it into a mayonnaise jar, then put a match underneath it and it blew leaves up
that were four feet away from me. It is powerful stuff. Watch for more files
coming soon from Fallen Angel!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+-------------------------------------+
| S o c i a l   E n g i n e e r i n g |
| How to get Information              |
| By Fallen Angel                     |
+-------------------------------------+
Have you ever wished you had the finesse of calling some high-level
operator up and getting all the information you need just by asking? Great!
I'll outline some simple steps to the art of social engineering, or getting
what you want, in this article. Social engineering really is an art and
should be treated as no less. Make sure you abide by these guidelines and
don't screw up, because screwing up only alerts the security people that there
is an imposter just begging information off of the lame-brained operators.
VOICE
-----
First, you need to be old enough to sound like you could actually be the
person you are trying to impersonate. The operators will be able to figure
out that you are not their boss if they can tell you are only 13 years old and
your voice opens trunk lines (e.g. 2600 Hz). Get someone else to do it for you
or wait until *after* puberty to do this.
OVERKILL
--------
Don't act like you are a legitimate customer trying to get information because
that can clue the operators in as to what is actually going on. You should
consider calling as a fellow employee from another store in the chain, or
maybe as that person's supervisor. They may be stupid and subservient to their
officials, but hired phone operators will know that the owner of the company
is not going to be calling Atlanta to find out technical information or C/NA on
someone that lives in Anchorage, Alaska. That would be overkill. The best
bet in getting information from a TSPS (dial 0 for one of these) operator is
to call as a lineman. A lineman is the guy that comes to your house to
install the phones. They usually hire contractors to run extensions under
your house as they don't want to deal with it themselves--don't call saying
you are having problems with your wire cutters and you need to know what the
local ANAC number is.
PBX's
-----
PBX's are a nice utility to the social engineer because they almost ensure
that you will get a different operator each time you call. With this
knowledge, and no ANI available to them, you can continue to query operators
on PBX's as many times as there are operators. Obviously, if you keep asking
the same person for information they will figure out that you don't know a
damn thing and are trying to leech them.
CONFIDENCE
----------
If you stutter a lot and trip over your words they will eventually notice that
you are not who you say you are. It doesn't hurt one bit to plan out exactly
what you are going to say and run through it out loud a few times before you
call. You could screw up an insecure company by alerting them to the real world.
JARGON
------
It really helps to know the proper jargon and acronyms for the company you are
trying to get something out of. For instance "Hello there, this is Phred
Smith and I would shore like it if you could give me the address and name of
512-555-5555" wouldn't work as well as "This is Smith from line service. I
need caller name and address for 512-555-5555." In this case being polite
doesn't do you much good. Good sources on jargon would be g-files on BBS's
or hacking/phreaking dictionaries.
EXTENDERS
---------
Always do your engineering from an extender because there are plenty of secure
places that will have ANI readouts on an LCD when you call in. They will call
you back and ask you why you were calling if they think you were engineering
them. They will get the dialout number for your extender if you call from an
extender. For all practical purposes, this is impossible to trace.
BACKGROUND NOISE
----------------
For instance, say you are a telephone lineman and are boxing a call to C/NA.
Instead of hearing birds in the background, the C/NA operators hear
keyboard clicks and other phones ringing. They will not give you anything in
situations like this. Call when nobody else is home or when they are asleep.
TIMING
------
This is a small but important matter. The operators will know that you aren't
really installing a phone line if it's 2:30 a.m. and you are whispering so you
don't wake up the parents! You have to remember things like this.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Hackers Unlimited Listings
-=] VMB's [=-
System # Box # Owner Comments
---------------==========-------------------================================
800-227-6662 320 Mr. Perfect CodeLine
800-289-2121 118 ESX CodeLine
126 Street Killer Personal
127 Street Killer CodeLine
128 ESX Personal
131 Vortex Personal/Group(G-Force?)
255 The Gremlin Unknown
800 Public Enemy VMB List
900 Unknown CodeLine
800-323-4243 254 The Encryptor CodeLine
800-444-7073 3590 The Encryptor Personal
3528 TCS TCS Related Stuff
4001 Mickey Mouse Club Hacker's Unlimited Magazine
7078 Fallen Angel Rumors
7765 Unknown Some Apple User
9542 Jester CodeLine
800-446-1233 7881 ESX Personal
7883 ESX VMB List
7879 SlamHound/ESX Unknown
800-525-7243 **8889 Pure Genius Unknown
800-552-2240 5206 Console Cowboy
800-632-6681 2614 Con Artist
800-772-4634 358 The Gypsy Personal/CodeLine
989 The Encryptor CodeLine
800-877-7448 402 Unknown BBS Voice Validation
213-202-4381 N/A JDT
213-494-9700 N/A Public Enemy
213-856-8450 N/A The Annihilator
313-399-2596 N/A The Stranger
619-492-8078 N/A Trixder Ice
714-647-1958 N/A Mr. Music
714-987-5128 N/A Alpha-Bits
716-987-7439 N/A The Pirate
716-987-7502 N/A Death
716-987-7623 N/A Romper
716-987-7648 N/A AK47
716-987-7666 N/A Jack The Ripper
818-594-7049 **7751 Whiplash
**7754 Ace
Key :
* = Pound
N/A = No Extensions Required
Unknown = Couldn't Understand, Spoke Too Softly/Quickly, Etc.
-=] ----------------------------------------------------------------------- [=-
-=] BBS's [=-
Fone Number Name Baud Comment
----------------=============================--------==========================
(201)502-9115 Underground II 2400 Sysop : Rambone
(205)554-0480 FireBase Eagle 9600 Pirate Master Distribution
(205)979-2983 Byte Me 2400 Sysop : Omega Ohm
(206)255-1282 Ethereal Dimension 2400 Washington's Finest
(206)352-4606 Alternate Reality 2400 Sysop : Mr. Classic
(206)462-7718 The Void 2400 Sysop : Zeke
(206)827-2029 The End 2400
(206)839-5865 Neutral Zone 2400 Home Of TWNC
(213)476-6490 Mystic Knight 2400 Sysop : The Sniper
(213)833-8309 Insomnia 2400
(217)332-4019 Golf City BBS 2400 Sysop : Egghead Dude
(217)359-2071 Realm Of Darkness 2400 Sysop : Dark Shadow
(303)363-7960 The Inter World 2400 Sysop : Tushka
(303)499-2928 The Late Night Prowl 2400 Phreak/Hack
(303)649-3510 Shockwave 14.8k Telegard Beta Site
(303)680-8622 The Vulgar Unicorn 2400 Games Only
(303)755-5934 The Forbidden Planet 2400 Utilities Only
(303)779-4451 The Software Exchange 2400 Sysop : The Gigilo
(303)794-2083 Dragon's Bane 1200 3pm-7pm Mountain Time
(303)933-3472 The Discordian Society 9600 Discordia Stuff
(303)979-9418 The Vulcan Way 2400 Star Trekkies
(312)297-5385 Gamer's Galaxy 2400 Sysop : Robocop
(408)446-0316 Lake Of Dreams 2400 Sysop : Grey Ghost
(408)268-6692 Billionaire Boys Club 9600 Home Sentinel BBS Prog.
(408)735-8685 Dragon's Heaven 2400 Wares Galore
(409)763-4032 Smash Palace South 2400 Phreak/Hack
(617)364-3304 Swift's Ridge 2400 Sysop : Sir Swift
(717)566-1129 The Frozen Desert 2400 Phreak/Hack
(801)298-1736 Port o' Tales 2400 Sysop : Merchant Prince
(801)486-5918 Crazy Nights 2400 Phreak/Hack
(817)545-5031 Satan's Hollow 1200 MMC Dist. Site #1
-=] ----------------------------------------------------------------------- [=-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-