Leeto Phreako Headz Issue 4
น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น
,;;11;. ,;!!;.
11 ;;' ,1;;|1,;||;,. |1 '11 leetophreakoheadz
11 1;จ 11' "1;' '11 |1 11 'zine #4
11 1;' 1;' 11: 11 11 11 2002
"",;;||;; จ'1;' 11;' ,1; 1; .1:
11' 1::;1||1'" 1;.1:'
11' . 1:1' |1!1';'11:.
.,;::;1!;., 11. 1:1 11' 11;
:; 1; "1:;,..,;:; .:;1! 1:1 |;1 11:
'1.,;'" น";11;1น 1|1 1:1น .|11 11: ,;1;,.'
'";:|1:;" ;น|1;:" ':11;;^
...We coined the term "leeto"...
น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น
issue 4
Table Of Contents (toc)
Intro By: ic0n
The Wireless beige box By: Captain B
What is a Cna Number and what can it do for me? By: ic0n
HOW TO UTILISE NMAP'S NEW IDLESCAN TECHNIQUE PROPERLY by: pulse state
Verizon Teleconferencing By K00p$ta Phr34k and ic0n
__________________
*Intro *
*by: ic0n *
*ic0n@phreaker.net *
*__________________*
What's up everyone, we finally decided to release issue 4 after many months of doing nothing.
We hope you enjoy this issue of the zine and we hope to have issue 5 out sometime in July,
maybe even earlier. We hope to get a lot of feedback from this zine once again to answer any
questions you may have about phreaking, okay, maybe even some hacking questions. We're going
to start putting scans into the zine, or if we can get at least 10 scans we could make a scan
zine.
_________________________
*The Wireless beige box *
*By: Captain B *
*_________________________*
One thing I've come to realize is that many things in electronics use
fairly low voltage on average, and tend to run on DC (Direct Current)
power. Cordless phones are no exception. In case you didn't already
know, batteries also supply DC. Can you tell where I'm going with
this yet? Most cordless phones I've seen thus far use 9 volts to power
the base. (You know, the unit you put your cordless phone on to charge
it.) So far, I've seen one that used 12 volts to power it. But I think
those that use more than 9 volts to power the base mainly tend to have
built-in answering machines, speakerphones, or other extras you
wouldn't need during wireless beige boxing anyway. To be sure a
given cordless phone's base uses 9VDC (9 volts DC) to power it, look
either on the AC adapter plug for its voltage "rating" (displayed as
9VDC or whatever next to "output"). Disregard the input stats; that's
the voltage/current coming into the AC adapter from the electrical
outlet before the adapter lowers the voltage and converts it to DC. Or,
you can also check on the back of the cordless phone's base where the
power cord connects. Usually, you'll see something like "9V in", or
simply "9V". While you're reading the label, note the polarity symbol
too (the little diagram showing whether the center of the plug is + or
-): the red lead of a 9v battery clip has to end up on the + side and
the black lead on the - side, or the base won't power up, and reversed
polarity can damage it. As long as the phone's base uses 9 volts to power
it, you can power it with a 9v battery. There's more than one way to go
about this. With the 1st method, you'll sacrifice your AC adapter, since
it involves modifying it for the purpose, so you may want to think twice.
With the 2nd method, you can buy a rechargeable battery charger called
Power Bank from Radio Shack that doubles as a DC power source to power
electronics. The 3rd method, which is probably the most complex of the
three, involves an Adaptaplug with an Adaptacord attached to it leading to
a 9v battery clip soldered on at the end where the AC adapter would be.
(Which is basically the same as the 1st method described, except you won't
have to ruin the AC adapter that came with the cordless.)
Anyway, I'll describe only the 1st method here, but you can always do it
another way, too. By the way, you're going to need a wire cutter, wire
stripper, 9v battery clip (sold in packs of 5 at Radio Shack), standard
60/40 solder, a soldering iron (30 watts should be fine for the job),
and possibly electrical tape. First, get the AC adapter and cord for the
cordless phone (remove it from the back of the cordless phone). What you'll
need to do first is cut the AC adapter off of the power cord. Now, I've come
to know more recently that AC adapters sometimes retain some charge even
after being unplugged for a bit. With 9v of power, I doubt it'd be a bad
shock if there's leftover charge. But there's a way to bleed it off if you
happen to have an insulated alligator clip jumper cable (also sold at Radio
Shack). Just connect one of the alligator clips to one of the 2 prongs on
the AC adapter, and touch the metal part of the other alligator clip on the
other end of the jumper cable to the other prong on the AC adapter, thereby
shorting it. If there was leftover charge, there will be a little bit of a
spark. Okay, with that said, let's move on. As stated before, you'll have to
cut the AC adapter off of the power cord. Then cut a fairly small notch
vertically downward on the power cord right between the 2 wires. Now, slowly
and carefully, separate the power cord by pulling the 2 wires apart from each
other a bit. Then carefully strip about half an inch of insulation off each
of the wires. Now you can attach the 9v battery clip to the bare wire leads
of the power cord. There are 2 ways this can be done: with the 1st method,
you solder the bare wire leads from the power cord to the bare wire leads of
the 9v battery clip, in which case you'll want to wrap the exposed section of
soldered wire with electrical tape afterward. Or you can use the 2nd method
and solder the wire leads from the power cord directly to the 9v battery
connector clip. If you go that way, it may be better not to buy the heavy
duty 9v battery clips, as I think they can be a bit harder to solder the wire
leads to. At any rate, once you have the 9v battery connector soldered to the
power cord, it's just a matter of connecting a 9v battery to the connector to
power the cordless phone's base. Optionally, you could also remove the circuit
board from inside the casing of the cordless phone's base. After all, you only
need the interior components, not the chassis casing, to operate the cordless
phone's base. If you've bought a cordless phone that has a particularly small
base, it may even be the case that you could fit it all inside something, like
say inside a TNI, or inside the bottom base part of a Fortress payphone. Use
your imagination, have phun, and as always, be careful with everything
phreaking related that you do.
_____________________________
*What is a Cna Number and what*
*can it do for me? *
*By ic0n *
*ic0n@phreaker.net *
*wrote on 3/29/02 *
*_____________________________*
Before I even begin, if you have never read about C.N.A., it
stands for Customer Name and Address. There are not very many
companies that offer this service to the public. One C.N.A. number
was floating around the UPL (phonelosers.net) message board
awhile ago; the company that offered it was Johnson & Johnson, and it
was for some lawsuit.
Most phreaks will find use in having a C.N.A. number when beige
boxin'. All you need to do is get the number, call up the C.N.A.,
and enter the number that ANAC gave you. Then the system will give
you the name and address for that given number, even if it's unlisted.
There are not many CNAs around anymore, mainly because lamers use them to
show off their leeched skills, but they're still around, and
there are even a few toll-free ones I know about.
Ameritech offers something like a CNA service. But since it's offered
to the public, it's got some different things. The main thing is there
is a toll for the call, and you can only get the info for 2 numbers per
call. *Note: only in the 312/708 area so far; 35 cents per call also.*
One last thing before I finish up this article. There are also some
CNAs that are 900 numbers. But you will be charged for the minutes,
not per call like the Ameritech one. I just thought you might
want to know this also.
CNA numbers that I can share with fellow phreaks
*Got any more? Please contact me via e-mail with them.*
203-771-8080 CT
312/708-796-9600 Ameritech pay-for-play CNA
415-781-5271 Pac Bell CNA
513-397-9110 Cincinnati/Dayton OH
516-321-5700 Hempstead/Long Island NY
518-471-8111 Albany/Schenectady NY
641-464-0123 Columbus/Steubenville OH
813-270-8711 Ft. Myers/St. Petersburg FL
900-933-3330 Unidirectory
900-884-1212 Telename
_____________________________________________________
*HOW TO UTILISE NMAP'S NEW IDLESCAN TECHNIQUE PROPERLY*
*by: pulse state *
*<personaljesus@mediaone.net> *
*_____________________________________________________*
Starting with Nmap version 2.54BETA30, Fyodor has implemented a new
type of clandestine portscanning called "idlescan". Since the nmap(8)
man page does not go into much detail on this type of scanning,
I've decided to explain it from my point of view.
Before I start, you will need...
- A computer running something other than Windows. Linux is the best
choice for running Nmap. If you do run Linux, any kernel version
equal to or later than 2.2.17 should work fine. Remember to log in
as root, or set Nmap to run suid (not recommended); the scan sends
raw packets with a forged source address, which needs those privileges.
- Nmap 2.54BETA30 or later.
- A zombie host you can reach. Strictly speaking, the technique only
requires that the zombie be reachable by both you and the target and
that it use a predictable (incremental) IP ID; it does not have to share
your subnet. Private addresses (10.*.*.*, 172.16-31.*.*, and 192.168.*.*)
only rule a zombie out because an Internet target cannot route its
replies back to such an address. In practice, though, the easiest place
to find a zombie is your own subnet, which means your netmask has to be
something other than 255.255.255.255.
Most people connecting to the Internet through a dialup ISP will
have this netmask. Most people having a cable modem, DSL, T1 or
higher will not have a 255.255.255.255 netmask. A netmask of
255.255.255.255 means that you are the only host on your subnet,
which means you won't be able to do this scan without hopping a few
routers, and as of the date this article was written, I've not seen
the idlescan work using a zombie on another subnet. If someone gets
it to work, please e-mail me. :)
OK, now that I've managed to completely confuse the n00bs, let's
continue. Basically, how this scan works is that you pick a target
host that you want to scan without your IP address showing up in
their logs, and then you pick what's called a 'zombie host'. The
zombie host needs to be a computer that is idle, that is to say, little
or no TCP/IP traffic comes in or out of it, because every packet the
zombie sends on its own is noise in the measurement described below.
Once you've found the target and zombie hosts you want to use, fire up
Nmap like this:
nmap -sI <zombie host IP> <target host IP> -P0 -v -v
What you're telling Nmap to do here is to initiate an idlescan (-sI)
against the target host, using the zombie host as a go-between; not to
ping any hosts (-P0, spelled -Pn in later Nmap releases) so that the
target host doesn't see any pings originating from your machine; and to
be quite verbose (-v -v) about what it's doing. Now, here's a sample of
the Nmap output (if it works):
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Host cactus (192.168.0.85) appears to be up ... good.
Idlescan using zombie 192.168.0.15 (192.168.0.15:80); Class: Incremental
Initiating Idlescan against (192.168.0.85)
Adding open port 445/tcp
Adding open port 139/tcp
Adding open port 135/tcp
The Idlescan took 0 seconds to scan 6 ports.
Interesting ports on (192.168.0.85):
(The 3 ports scanned but not shown below are in state: closed)
Port State Service
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
(NOTE: I only scanned six ports in this example, to keep the output
to a minimum.)
It is telling you that your target host (192.168.0.85) appears to be
up. Nmap will always say this when you specify '-P0' on the command
line, because it skipped the ping and simply assumes the host is up.
Next, Nmap is telling you that it is about to do an idlescan
using the zombie (192.168.0.15), that the zombie port it will probe
is 80, and that the IP ID sequence has been found to be
incremental. That means the IP ID number on every packet that
comes out of that machine is one greater than the last packet that
came out of that machine. There are different types of incrementation.
Some hosts use pretty tough randomisation algorithms, so they will be
unusable as zombie hosts, and Nmap will tell you this. Most hosts out
there, however, will have some simple algorithm that Nmap can follow.
Next, Nmap is saying that it has initiated the actual idlescan
against 192.168.0.85. Every time it finds a port to be open, Nmap will
add it to the list. At the end, it lists the ports it found open.
Now, while all that was going on, here is what was happening. Your
machine sent a few packets (SYN/ACKs) to the zombie host on port 80;
the zombie answers each of those with a RST, and the IP ID on those RSTs
is how Nmap figures out its sequencing algorithm. Then, for each target
port, your machine read the zombie's current IP ID, sent a SYN to the
target with the zombie's address forged as the source, and read the
zombie's IP ID again. Your machine never sees the target's reply; it
goes to the zombie. If the target port is open, the target sends the
zombie a SYN/ACK for a connection the zombie never started, the zombie
answers it with a RST, and that extra packet bumps the zombie's IP ID
one more than expected. If the port is closed, the target sends a RST,
which the zombie ignores, and if it is filtered, nothing arrives at
all, so in both of those cases the IP ID advances only by the one probe
Nmap itself sent. Nmap reads the port state off the size of that jump,
which is also why closed and filtered ports look the same to you.
So you remain unseen for the most part. The target host will never see
your IP address, only the address of the zombie host. The zombie
(depending on how extensive their logging program is) may show you
trying to connect a couple of times to their port 80 (or whatever you
specified; I'll cover all the idlescan-relevant options below), but
that's it. Nothing more.
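The inference just described, worked through as an added example that is not part of the zine and is not Nmap's code: a constructed zombie with an incrementing 16-bit IP ID, a constructed target, and the three-step probe per port. It only models the packet exchange (no raw sockets, so it runs offline), and the hosts, ports and the "unreliable" verdict are assumptions of the model. It goes a little beyond the article by showing what a non-idle zombie does to the measurement and why a real scanner re-probes.

```python
"""Idle-scan inference logic, simulated offline (added example, not Nmap's code).

The scanner never talks to the target directly.  For each port it:
  1. probes the zombie (SYN/ACK -> RST) to read the zombie's current IP ID,
  2. sends a SYN to the target with the ZOMBIE's address as the source,
  3. probes the zombie again and compares IP IDs.
Open port: target answers the zombie with SYN/ACK, zombie sends RST (burns one ID).
Closed port: target sends RST, zombie stays silent.  Filtered: nothing arrives.
Hosts and packets below are constructed models (assumptions), not network code.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional


@dataclass
class Zombie:
    """Host with a global incrementing IP ID counter (Nmap's 'Class: Incremental')."""
    ipid: int = 1000

    def _emit(self) -> int:
        """Send one packet: the IP ID advances by one and wraps at 16 bits."""
        self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid

    def answer_probe(self) -> int:
        """Our unsolicited SYN/ACK draws a RST (RFC 793); its IP ID is what we read."""
        return self._emit()

    def receive(self, flags: str) -> None:
        """Unsolicited segment from the target: SYN/ACK -> RST (one packet), RST -> silence."""
        if flags == "SA":
            self._emit()

    def background_traffic(self, packets: int) -> None:
        """Packets the zombie sends on its own; this is what makes a zombie 'not idle'."""
        for _ in range(packets):
            self._emit()


@dataclass
class Target:
    open_ports: set = field(default_factory=set)
    filtered_ports: set = field(default_factory=set)

    def receive_syn(self, port: int) -> Optional[str]:
        """Reply flags for a SYN: SYN/ACK if open, RST if closed, nothing if filtered."""
        if port in self.filtered_ports:
            return None
        return "SA" if port in self.open_ports else "R"


def idle_scan_port(zombie: Zombie, target: Target, port: int, noise: int = 0) -> str:
    """Classify one target port purely from the zombie's IP ID delta."""
    before = zombie.answer_probe()          # step 1: read IP ID
    reply = target.receive_syn(port)        # step 2: spoofed SYN, src = zombie
    if reply is not None:
        zombie.receive(reply)               # the target's answer lands on the zombie, not on us
    zombie.background_traffic(noise)        # anything else the zombie sends meanwhile
    after = zombie.answer_probe()           # step 3: read IP ID again
    delta = (after - before) & 0xFFFF       # our own second probe accounts for 1
    if delta == 1:
        return "closed|filtered"
    if delta == 2:
        return "open"
    return "unreliable"                     # zombie was busy; a real scanner re-probes


def idle_scan(zombie: Zombie, target: Target, ports: Iterable[int],
              retries: int = 3, noise: int = 0) -> Dict[int, str]:
    """Scan several ports, re-probing a port whose delta was polluted by zombie traffic."""
    results: Dict[int, str] = {}
    for port in ports:
        verdict = "unreliable"
        for _ in range(retries):
            verdict = idle_scan_port(zombie, target, port, noise)
            if verdict != "unreliable":
                break
        results[port] = verdict
    return results


if __name__ == "__main__":
    # Constructed sample: the article's zombie 192.168.0.15 and target 192.168.0.85.
    z = Zombie(ipid=1000)
    t = Target(open_ports={135, 139, 445}, filtered_ports={22})
    for p, state in idle_scan(z, t, [21, 22, 135, 139, 445]).items():
        print(f"{p}/tcp {state}")
```

Note what the model makes explicit: the scanner's only input is the RSTs the zombie sends back to the scanner's own address, so anything that stops those from arriving (the zombie being busy, or, as discussed under -S below, spoofing your own source address) leaves Nmap with nothing to read.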
Now, here are some tips on how to be safe when doing these scans.
Obviously, both your target and your zombie hosts need to be up and
responsive, or else the scan will fail. Also, don't pick an outlandish
port number for the zombie host. Pick something like 80 (http), 21
(ftp), or 25 (smtp), or something along those lines. The reason for
this, is if the administrator of the zombie host looks at his logs, and
sees you connecting to his port 602, he will think something is really
suspicious. But, if he sees you connecting to his port 80 or 25 or
something, he'll just shrug it off, assuming that you typed in the
wrong IP address or DNS name, and not think twice about it.
Anyway, I said I would cover the options that you could use with
the idlescan.
-p - Port specification. Use this if you only want to scan a port, or
a range of ports. An argument like -p 21,25,135-139 would tell
Nmap to scan port 21, port 25, and ports 135 through 139. This
option should be familiar to people who have already used Nmap's
many other scanning methods.
-S - Source address spoofing. Use this if you REALLY don't want your IP
address to get out anywhere, even to the zombie host. Be careful with
it in an idlescan, though: the zombie's RST replies to Nmap's IP ID
probes are the only packets Nmap actually receives during the scan,
and with -S they are addressed to the spoofed IP instead of yours.
Unless your machine can still sniff those replies (say, the spoofed
address is on the same segment as you), Nmap gets no answers at all
and the scan produces nothing useful. If you do use it, the spoofed
IP address needs to be that of a host that is known to be up, or
else the entire scan won't work at all. You may also need to use
the -e option (which is covered below) and the -P0 option
(which you are already using).
-e - Interface specification. If you use -S, you also need to tell Nmap
which interface you want to use your fake IP address on. Usually,
Nmap will not complain about this if you only have one network
interface. However, if you're running Nmap on a machine that
maybe serves as a cheap router/firewall, and it has two network
interfaces, you will need to tell Nmap which interface to use.
This should be enough to get you started. If you want to see what
really goes on around your subnet, get Tcpdump and read the man page
thoroughly. (Hint: I used Tcpdump to see what Nmap was doing, hence
my understanding of the idlescan. <grin>) I also highly recommend
reading RFC 793 (discusses Transmission Control Protocol, or TCP). See
the links section below.
If you are just starting off in Linux, I would suggest getting the
Debian distribution. See the links section below.
Here is a list of links pertinent to this article:
Debian Linux: http://www.debian.org
Nmap homepage: http://www.insecure.org/nmap/index.html
RFC documents: http://www.ietf.org/rfc.html
____________________________
| _____ |
|\ / | |
| \ / | |
| \/ERIZON |ELECONFERENCING |
| BY: k00p$ta Phr34k and ic0n|
|____________________________|
Before we begin this file, we (ic0n & k00p$ta) are not going to give you any info on
setting up the conference, for a few reasons, but it's not hard at all to set up
once, since everyone @ Verizon is crazy or just dumb, minus a select few (they know
who they are). Now on with the file.
Verizon now offers a new service, Conference Connections. These conferences are
reservation-less, which means around-the-clock availability. The conference is available
24 hours a day, 7 days a week, and 365 days out of the year. This makes conferencing very
easy. Thanks Verizon!
There are 2 ways to dial into a Verizon conference:
1. Toll Free dial-in number (866-441-2942)
2. Direct (972-717-2043); NPA 972 is in Texas
There are no setup fees, no cancellation fees, and no monthly charges, which means you can
set up a teleconference and your victim will not even know he's got a teleconference being
billed to him. The minutes your participants used are logged separately by the different
ports. There are 20 of these ports, but I'm sure there is a way to get more. Anyway, the
minutes are added together to simplify the subscriber's bill, in addition to the required
taxes. There is a separate bill for toll-free service as well.
States that need to use the direct number to the conference:
1.Alaska
2.Delaware
3.Maryland
4.New Jersey
5.New Hampshire
6.Virginia
7.Vermont
8.Washington D.C.
9.West Virginia
*Once again the direct number is 972-717-2043.
The reasoning behind the direct numbers is that Verizon provides long distance service for
calls originating in most states outside the mid-Atlantic and New England states. Until
government approval is obtained, Verizon cannot carry long distance in the states listed
above. Verizon is in the process of getting the necessary state and federal permissions to
offer long distance in every state.
Rates (cents per minute per port)
            Until 3/30/02   Normal
Toll Free   $0.22           $0.31
Direct      $0.09           $0.18
Feature Descriptions
Announcements for Entry and Exit
At your option, the reservation-less Conference Connections system can sound a tone
or have silence when participants enter or exit a conference.
Attendant Request
The Subscriber or Participants can request attendant assistance for private or group
consultation. The person requesting assistance remains in the conference until the attendant
handles the request.
Conference Continuation
This feature allows the subscriber to exit a conference after it begins without
disconnecting the participants, and must be activated for each conference call.
*Note: the system defaults to ending the conference call when the subscriber
disconnects.*
Conference Lock/Unlock
This feature lets the subscriber lock a conference once all parties are present to keep
the conference private. Attendants cannot enter locked conferences, but can ring the conference
requesting that the subscriber unlock it for attendant entry.
Help Menu
Help with using conference commands is available to every conference Subscriber and
Participant. The system plays a private help message to the requester that lists the available
features and their associated touch-tone (DTMF) commands.
Mute/Un-mute
The Subscriber can collectively mute or un-mute all lines in the conference except
for the subscriber's line. The participants can mute and un-mute their own lines to help
control distractions and interruptions.
Participant Count
The system automatically tracks the number of participants on a conference. Any
Subscriber or Participant can check the number of people in conference at any time. The
system announces the count privately to the requester.
Quick Start
As a rule, conferences do not begin until the subscriber starts the conference. However, your
account can be configured to allow the subscriber to use this feature so that the conference
begins as soon as the first participant arrives. In this scenario, participants who arrive
before the subscriber may talk to one another before the conference actually begins. Though
the quick start feature offers less security, it allows unplanned meetings to occur whenever
needed, or permits conferencing when the subscriber is unavailable to start the conference.
Features
Subscriber Conference Commands
This is how you Begin a conference:
1. Dial into conference system
2. Enter Pass code, then the # (pound) key
3. Then Press the * (star) key
4. Enter Subscriber Pin (4 digits)
5. Press 1 to start the conference or press 2 to change account options.
To Change Account Options:
Press 1 to change subscriber PIN
Press 2 to configure roll call options
Press 3 to change quick start options
Press 4 to change auto continuation options
Conference Control options (while in conference)
Press *0 to speak privately with an operator
Press 00 to request an operator to join the conference
Press *4 to lock conference
Press *5 to unlock the conference
Press *6 to mute your line
Press *7 to un-mute your line
Press *8 to allow the conference to continue after you disconnect
Press *9 to privately play a list of participants on conference
Press *# to hear the number of participants in the conference
Press ## to mute all lines except the subscriber
Press 99 to un-mute all lines
Press ** to play this list of commands
How to end a Conference
Say whatever, then hang up the phone; a short message will be played for the participants and
then the system disconnects them.
***We also need to thank Verizon for being so dumb and giving us all this information to
write this article. Shout Outs....Lucky225, Dark_Fairytale, The Borish One, Xenocide, Cuebiz,
MaddjimBeam, Whit3rav3n, Reaver, Captain_B, Mr. Poop, RBCP, Everyone Who was on $kytel back
in 96-97...well okay only some people from skytel and everyone else we know.***