HIR Issue 4: Mobile Hackers Guide to Phreaking

Sometimes it is necessary for a hacker to rely on techniques that have been developed by close colleagues of ours, known as the phreakers. Hacking usually takes place over, but is not limited to, electronic communications, such as the internet, bulletin boards, voice mail, packet radio, and other services. Almost always, where electronic communication is involved, so is the phone company. Enter the knowledge held by the phreaks. The original phone phreaks built elaborate devices such as the blue box to explore billing procedures, switches, and just "how does that voice on the other end get to where I'm standing?" These days, phreaking is more and more about exploiting holes in the telephone company, either physical or electronic, to gain "something for nothing", or, stealing service. Some of these techniques are extremely borderline legal issues, if not completely illegal. I don't necessarily condone these actions, but if there is a need, a hacking directive that cannot be achieved without using such measures, sometimes certain things have to be done. Maybe you need to make sure no one can pinpoint you as the hacker. Maybe you just feel like going outside to hack, who knows. Everyone has their reasons. I, myself, am not a phreaker, but I learn from them, and can put their knowledge and power to use for my own purposes as a hacker. So, here's my guide to using phreaking to aid in hacking.

There is quite a bit covered here, so I have broken it up into sections:

  1. Your Mobile Platform
  2. General Equipment
  3. Preparing for the event
  4. Keeping On your Guard
  5. Hacking it Up!
  6. UH-OH! We've got company!
  7. Making a BeigeCord
  8. Complete plans on making and using a GoldBox (Schems included!)
  9. Tips for use with the Acoustic Coupler

Your Mobile Platform

Surely you'll want a laptop with a good sum of battery life, or a palmtop, anything with a terminal program, and a modem. Without these, mobile hacking (at least via electronic means) is not very likely. If choosing a laptop or other portable hacking platform, look for something that's light, yet durable. I personally have two platforms for field hacking: An NEC laptop with a 540Meg hard drive, 8 megs of RAM, and a wonderful terminal emulator called Telemate. I also have a Hewlett Packard 300LX palmtop with 2 megs of overall storage, and a built in VT-100 and TTY terminal emulator. Both of them have their good and bad sides. Both of the devices support PCMCIA modems. I have 2 modems, an Eiger Labs 28.8 faxmodem, which is powered by the telephone line to reduce battery drain, and a Megahertz 14.4 faxmodem which is battery powered, so it will work with an acoustic coupler for payphone (or other) use, but will reduce my laptop's run time by 15 minutes or so, and kills my palmtop in a half-hour flat.

Whereas the palmtop is small, weighs under 3/4 of a pound, and is rugged like you wouldn't believe (I dropped it in the mud when I was using it at a payfone once and it didn't so much as complain!), it has no backlight, and the letters are very small and hard to read in low-light conditions. Battery life is limited to about 45 minutes when using a modem, and that's if I use VERY expensive alkaline batteries. Cheap batteries won't even last half an hour with a modem, and NiCd batteries last 5-10 minutes. Not a great choice, but for hit-and-runs, it's a winner, at least if you've got a good flashlight. Oh yah, no logging or file transfer capability with the built-in software, either. I've seen some software for Windows CE that has a few transfer protocols, but that's about it, still no logging. They even expect you to PAY for it. Yuck.

The laptop is a different story though. It is full-featured when it comes to communications. Compared to the palmtop, it's a battle control center. With my current setup, I can emulate anything I would ever want to, 3270, VT-xxx (a lot of the VT's), and I can even program my own emulation rules in, if I get very bored. Logging, no problem. File transfer, no problem. Scripting is beautiful. The only problem is that the device weighs in at almost 6 lbs and on top of that, takes up a lot of space. Having close to 3 hours of battery life while online is a bonus though, even longer if you remove the power-leaching modem from the slot.

I *ALWAYS* carry a spare set of batteries, for both my palmtop and the laptop, even when I'm not hacking. If you're using some electronic device (like the REALLY old laptops) that takes normal sized batteries such as AA, C, D, or 9v, you'd really be wise to get the expensive kind to use while you hack, especially if you don't know how long you'll be running your equipment. The last thing you want is a low battery warning before you have time to cover your tracks.


General Phreaking Equipment and Misc Stuff

(Ones marked with * are optional, maybe overkill, yet still fun)
----------------------------------------------------------------
Backpack to cram the equipment into

Ratchet or Bolt-Driver set (you can get cheap 14 pc sets at computer stores, be sure to get 7/16 and 3/8 inch sockets. They'll be the most useful)

A decent pocket knife (to strip/cut wires, wire ties, etc)

Screwdrivers, various sizes, flat and Phillips head (for taking out screws, and prying)

Pliers, slip notch, and needle-nose (for pulling out stuff, limitless uses)

Small penlight (for reading stuff up-close, etc)

Flashlight (when you need some major light for working)

Notepad and paper (to write stuff down with. Don't always rely on electronic storage when field hacking. Sometimes jotting is more convenient than typing)

BeigeCord (Will tell how to make this later)

Suitable phone to go along with the BeigeCord (Later, as well)

Pair of cheap-ass light cotton or thin leather gloves (Fingerprints. Period.)

No-DoZ (Available in small packages at convenience stores, just in case you're out later than you thought you'd be)

* Battery operated camera flash (See more details later)

* Acoustic coupler (for payphones or anywhere you can find phones but no jack)

* Walkie-Talkies (if you've got more than one person)

* Goldboxes (depending on directives to be achieved, and application)

* Fake Telco ID tags (These are often capable of fooling normal people, especially at 2am if they've just woken up)


Preparing for the event

Before you decide to go out hacking with your mobile platform, you need to decide where you're going to hack from. This may be a telco can out in the middle of Farmer Bob's field, or it might be the Fortress fone hanging off the wall of a 7-Eleven! HEH! Anyhow, once you've found out where you're going to be doing this from, you need to scope it out in both broad daylight, and in darkness as well. Get familiar with this place, as you will need to be comfortable with your surroundings. At night, let some cars drive by if at all possible. (If no cars drive by, have a friend cruise up and down the adjacent roadway or paths.) You need to be able to stay out of their sight, but still be able to see them coming.


Keeping on your guard

You should have a backpack or other carryable bag that will allow you to store all the stuff in it, in a well-organized and easily accessible manner. I usually advise you venture out in small groups. NEVER have more than 5 people and NEVER use more than one vehicle when traveling via car/van/truck etc. At least one person should be watching out for cops, telco people, bystanders or others. Use walkie-talkies when there will be more than 20 feet between the watchmen and the people doing the phreaking/hacking.


Hacking it up!

As far as hacking, standard procedures need to take place. You hack just like you normally would, except maybe you'll get a little chilly. The only thing you really want to do is find a phone line to use, and use it for hacking. The main purpose I've found for this is sheer anonymity. If they can't trace a call back to you, you won't be found guilty. Make sure when ripping telco cans/boxes apart, you don't leave any fingerprints. It's sometimes advisable to wear light leather or thin cloth gloves when partaking in such activities. As far as opening cans/boxes, that's why you need the sockets. Most of them are secured by 3/8 and 7/16 inch bolts. Sometimes you need the screwdrivers too. You can kind of figure out what to do once inside. (More tips in the BeigeCord section.)

UH-OH! We've got company!

When and if you encounter a person who seems to be unfriendly, you need to have a plan. In the case of stupid laymen, I'd say it's wise to try to convince them that you belong there, either you're analyzing their phone lines because service was knocked out randomly and you're trying to find which areas are affected and fix it, or something. This is where the fake telco ID tag comes in handy. Just make sure you're not showing it to an actual telco guy or someone who would know any better. Bullshitting is good. If it's a cop or telco guy, or if you just can't tell if you can fool the person or not, you need to whip out your already charged camera flash, close your eyes tight, flash it (blinding them for about 10-45 seconds), and get the hell out! One alternative that's a lot cheaper is buying those cheap-ass flashbars (or cubes. You know, for those cheesy 10-millimeter point-and-shoot cameras) at the general store or Wal-Mart, and tearing them apart CAREFULLY. Remove all the bulbs and store them in something soft and non-flammable. When broken (such as thrown on the ground), they will go off like they normally would, also blinding anyone who didn't have their eyes closed. Some flash bars' bulbs don't work like this. So slam one of the bulbs onto the pavement as a test, before relying on them to be used for this purpose.


Making a BeigeCord

Around here, phreaks use beigeboxes all the time. Typically they use them to tap into residential phone lines and call 900 numbers to purchase online time on BBS's and sometimes for personal amusement. A beigebox is just a telephone with alligator clips instead of a modular plug. I think you know that. Well, a BeigeCord is just what I call a telephone wire with a modular jack on one end to plug your modem or phone into, and alligators on the other, to tap into lines with. This is simple: Buy a telephone cord (between 3 and 6 feet long) and cut off one of the plugs, and wire up 2 alligator clips to the middle 2 wires. Hook your mobile platform or phone up to the modular jack, and the other end up to the line. Look for red and green pairs of wires, and hook the alligators onto the screws, or strip the insulation off of a wire and spread it far apart enough to leave unprotected wire to hook your alligator onto.

Example:

 ================---------===================
 Insulation^^^       ^^^       ^^^Insulation
                  BARE WIRE

If you still have some problems, (heck, even if you don't), I would advise you to read some other phreaking articles. Once you've done this, your computer will act just as it does at home as far as communications. It's also nice to have a phone for voice communication. A cheap, one-piece phone that accepts a modular plug is all you need (some one-piece fones have a hard-wired cord. Bletch.)


Gold Boxes

Gold box...fun! The gold box is an electronic device that links two phone lines together. When the first line is called, it picks up the line, and gives you the dial tone for the second line, which you dial another number from. When the call is traced, it's traced to the second line your goldbox was on.

You really need to find a telco box that has many lines in it, in order to use this. Try to make sure that the "first" line, is not a main line that is used for any incoming calls. What you're looking for is a telephone line that only carries outgoing phone calls, like the line used for credit card verification. Chances are, you will want to make sure your goldbox fits inside the telco box nicely. With a goldbox, you can call from home, and not have to be worried about a trace. The only drawback is that most gold-boxes I've seen will stay off-hook for a set amount of time, like 45 minutes. So if your call lasts 45 minutes it will hang up on you, but if your call lasts less than that, it will stay off-hook till the 45 minutes are up, and you can't use it till it hangs up again.

Hooking up a goldbox is a lot like hooking up a beigebox, except that you have to wire two lines up, instead of one. This works best for business phone lines, because most small residential boxes only have 1 line, and even if they have 2 lines, calling one of them might wake someone up, because even though the goldbox picks up the line very quickly, the phone still rings for a short amount of time. At businesses, it is less likely that the ringing is heard, and if it is, it will probably be by a janitor, who will dismiss it easily. (I did mention that you only gold-box at NIGHT when people are home and asleep, didn't I???)

This is a better model I found on the internet though. This one's cool because it hangs up shortly after you hang up. (Actually when the line voltage drops on line 1... Have you ever gotten hung up on, then waited for 30 seconds, and heard that static noise drop out, heard some clicks, and then heard the fast busy signal? The dead part is what resets the goldbox.)

Here's the ASCII SCHEM for this beast!

[ASCII schematic lost in extraction. The drawing showed two photocells (Photo1, Photo2), two LEDs (LED1, LED2), two transistors (Transistor1, Trans2), resistors labeled 10k, 10k, 1.4k, 1.4k and 1.4K, and the red/green pairs of Line 1 and Line 2.]

Legend (All parts can be found at Radio Shack easily!)

  ┌┴┐
  ┘ └     2N3904 Transistors. Labels: b=Base c=collector e=emitter

  /\/\    Resistor. Labels: Value in ohms noted under each symbol

  (|<)    LED. Note: Try to use high output LED's.

  (/\/\)  Photocell


I usually put this whole chunk of equipment into one of the small or medium Radio Shack project cases. You'll want to make sure that your LED's are REALLY bright, and you may want to use some tape to make them touch the photocell. Drill 2 holes in the case, one in either side, and when assembling your goldbox, run both of the Line1 wires out one hole, and label that hole "Line1" and the Line2 wires through the other hole, labeling it "Line2". You cannot get the greens or reds confused here. I usually use green and red wire when creating my goldbox, so that I won't get confused. I'd advise that you do the same! Once you have the wires poking out of the holes (make sure there's at least 5 inches of wire on each so you have something to work with), put some electrical tape over the inside of the holes. If any light gets into this box, the victim's fone lines will go batty. The only light in this box that we are wanting is the light being produced by the LEDs!

An optional design I heard mention of one time by a colleague of mine was using an optocoupler... you may look into that, but I've yet to see plans for such a device... feel like making 'em? If you successfully do it and do a nice write-up on it, make good schems to go along with it, go ahead and send it to us and we'll probably publish it!

This design will not hang up after a given amount of time. Instead it hangs up when YOU hang up. That's good news for you. You may want to build 3 or 4 of these little guys if ya got the cash to do so. Chances are once Ma Bell is onto ya (that is, traces it to the boxed number), you may never see this thing again. Also, if they DO see this box, they might see what phone numbers have called the other line it was hooked up to at or around the time the traced calls were made. That would point to you. That's not good. Goldboxes can be used in conjunction with payphones and an acoustic coupler. This is a safer method, because Ma Bell probably won't physically search the site where the gold box is for maybe 2 weeks, then they'll see what phones were calling that number at that time and date, and it's a payphone. Could be ANYONE!

Seriously, and sadly enough, I must say that you should count each gold box you install as money spent to achieve a hacking directive. It's not wise to go back to the site and retrieve it, unless you have a lot of balls. I know of at least one person who went back to get the box, only to find out that Pacific Bell employees had found it when activating another line for the victim establishment, and called in the authorities, who were roughing it in a van across the street. Luckily, only the trespassing charges held up in court, but not everyone may be that lucky. Retrieving a goldbox should take as much (if not more) planning and effort as it took to plant it. Keep an eye on the area for a few days, in broad daylight, and at night. Take note of vehicle positions, people, everything, especially everything you can see from near the box's location.

How do you know what number to call to activate your gold box? Well, that's where the phone and BeigeCord come in. Hook up the BeigeCord to the phone line you are using for Line1. This is the line you will be calling from your modem or phone. When you get a dialtone through your handset, dial an ANI. (All the ANI's I have are now deactivated... growl! Keep an eye on 2600 magazine, in the letters section, there's almost always some ANI numbers in there.) The ANI will spout off a 10 digit number (area code and 7 digit phone number). Use your pencil and note pad now... WRITE DOWN THAT NUMBER! Go call it from another phone somewhere. You should get a dial tone VERY quickly, usually it doesn't even get through a full ring for me. Dial a local number just to see if it works, a BBS, see if you get a carrier tone, or if your best friend would be awake at this hour, call and brag... erk... no. Don't brag. Bragging is the bane of hacking, to a degree.

When using a payphone to hack, Redboxing is not the way to go. Most payphones I've run into let you stay on a local call indefinitely with the initial charge (25, 35 cents). You might as well pay, then dial the gold box, which is local, then dial the long distance number from there. That way you won't get an operator asking for more money halfway through your hacking. (Computerized voices cause pretty good amounts of line noise!) If this method is used, you have an unlimited length long distance phone call for 25 or 35 cents depending on your phone company. Your victim may not see things the same way!

Acoustic Couplers

An acoustic coupler is just a device that is strapped to a phone, and then plugged into your modem. It basically just makes an audio connection to the phone line that the phone is on. This is good for payphones, phones that are on digital PBX's, or any phone where the wall jack is not accessible, but an outside line is! You may be able to find an acoustic coupler in computer stores in your area (I bought mine at a CompUSA in June, 1997) and sometimes you can find old ones at garage sales, used computer stores, and other places. I have seen them in 1-800-batteries catalogs (GREAT catalog for people with laptops and cell phones... Call 1-800-batteries (I don't know how they did it, but just dialing the first 7 numbers of "batteries" doesn't work... gotta dial the whole thing), and ask them to be put on the catalog list. It's free!) The instructions (if any) that come with the coupler are always screwed up.

Here is what I always do when dialing acoustic...

  1. Power up my laptop.
  2. While it's booting up, I unpack the coupler from my backpack.
  3. I insert my PCMCIA modem into my laptop.
  4. I pick up the handset, and strap the acoustic coupler to it. (Make sure that the coupler's on in the right direction, speaker to microphone!) And plug the RJ-11 plug into the jack on my modem.
  5. I enter my terminal program, and manually use the command ATX0. (All this does is make sure it won't hang up if there is a faint or absent dial tone. When you dial with the phone's keypad, it won't get a dial tone and most modems would hang up unless this was done first.)
  6. I manually enter the command to lock my modem to a specific baud rate. For high quality phones, I keep it at 14.4 (on a coupler-compatible 33.6 modem I managed to get 26.4kbps out of it, but my modem's just 14.4). For cheap phones I use 4800. For payphones I stoop down to 1200. (To see how to do this, read your modem manual. It's ATF<x> for my 14.4; my 28.8 is hard to force the baud rate on.)
  7. I type "ATD" into the terminal program, but DON'T hit enter.
  8. I press down on the hook for 5 seconds to get a new dial tone.
  9. I use the keypad of the phone I'm using to do all my dialing. If you're gonna dial through a Goldbox, dial the redbox number first, wait 10 seconds or so, dial the other number.
  10. Before the carrier starts, hit enter on the computer so that it picks up, waiting for a carrier.

The connection will be like any other connection. Once you've disconnected, take it apart any way you want. I pretty much take it apart differently each time.


This concludes the phreaking techniques to manifest hacking. Codes could have been covered but that is an area that I know very little about, and haven't personally tried to use. Remember, if nothing else, you guys in Jr. and Sr. high school could use some of this as a science project! <wink>. Happy haqn!
