Copy Link
Add to Bookmark
Report
Leeto Phreako Headz Issue 5
น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น
,;;11;. ,;!!;.
11 ;;' ,1;;|1,;||;,. |1 '11 leetophreakoheadz
11 1;จ 11' "1;' '11 |1 11 'zine #5
11 1;' 1;' 11: 11 11 11 2002
"",;;||;; จ'1;' 11;' ,1; 1; .1:
11' 1::;1||1'" 1;.1:'
11' . 1:1' |1!1';'11:.
.,;::;1!;., 11. 1:1 11' 11;
:; 1; "1:;,..,;:; .:;1! 1:1 |;1 11:
'1.,;'" น";11;1น 1|1 1:1น .|11 11: ,;1;,.'
'";:|1:;" ;น|1;:" ':11;;^
...We coined the term "leeto"...
น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น น"น"น
______________________
* Intro *
* by ic0n *
* ic0n@phreaker.net *
*____________________*
Welcome everyone to issue 5 of the lph zine! Where back after for yet another round. If you have'nt
noticed i've been working on the site here and there. sometime this summer the site will be where
i want it to be. Before we get too much into the zine a huge Shout to Captain_B for getting printed
in 2.6 (2600) and it just so happen's to be the box I named "The Bungee Box" I would also thank hackerhost
for the hosting. Nuff with the intro and let's get on with the good stuff....
______________________________________________________________________
* Table of Content (Toc) *
*Hiding Running Services from Portscanners Part I..........by phractal *
*Toll Free Modem Numbers...................................by Pref1x *
*Conversion box............................................by Captain B*
*Toll Free Busy Lines......................................by Pref1x *
*RCMAC.....................................................by ic0n *
*Call Forwarding Phun......................................by ic0n *
*______________________________________________________________________*
_____________________________________________________
* Hiding Running Services from Portscanners Part I *
* by phractal *
*_____________________________________________________*
/* parts of this article are theoretical and some
is proven with code, feel free to get in touch
to comment or point out flaws in my theories */
Hey there. Have you ever wished to run a certain daemon or backdoor
but have it hidden from the eyes of network scannners. Suppose you
want to run a private ssh server for only a select few, but they
don't always have the same hostname, or perhaps a backdoor to a
unix that you worked hard to get to. Well, I got to thinking of
ways to have an actual service running and yet being undetectable
to people snooping in on your network.
Here's what I will discuss
-'port tripwire'
-how it works
-porttrip.c
-end notes
#############
Port Tripwire:
#############
Port tripwire is a name i came up with for opening up a low port in
an attempt to catch a port scanner before he reaches any ports that
you want to hide.
If you or your borrowed remote host are running:
Port State Service
23/tcp open telnet
53/udp open domain
80/tcp open http
3557/tcp open BACKDOOR
You might want to hide this machine from scanning kiddies to hide
anyone who might want to abuse your server if they want to get in
via telnet, or maybe you don't want it known that you run a web
server, and of course, that backdoor is supposed to be hidden from
view of scanners as well. How can we prevent a scanner, of whom
we will have no idea of his IP address, from finding these running
services via scanning? Well, port scanners will generally scan ports
in sequence or in rough sequence. They will or will usually access
the low ports first, and then proceed to connect/request ACK replys
of higher and higher ports. We can intervene on the scanning process
if we stop the scanner midway. We can do that by looking for him
where he'll come in, the low ports. We should choose a fairly obscure
port to try and detect the scanner, because otherwise it could be
a legitimate session, a normal user accessing a known service. For
my little port tripwire program, I chose port 3, it is a low port,
and almost no one runs it. If you wish to hide common services, you
may wish to change that to port 7(echo), as that is obscure, but it
is also listeded in nmap's services to scan for.
The way that Port Tripwire works is, it opens up a socket and
listens on that low port. If any connection is made to that port,
the program identifies who that host is, and immediatly issues
a command to firewall out any further attempted connections made
by the scanner. It blocks him out, turns the computer silent on
him. The following code proves this concept. It is however
incomplete, not a full security program, and most likely has
plenty of vulnerabilities itself. It is used just to demonstrate
this concept.
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#define PORT 3
#define BACKLOG 1
//Port Tripwire BETA
//made for BSD or any ipfw firewalled OS
//by phractal
int main() {
//printf("PortScan Tripwire BETA by phractal \n");
int fd=socket(AF_INET,SOCK_STREAM,0);
int fd2;
struct sockaddr_in server;
struct sockaddr_in client;
int sin_size;
server.sin_family = AF_INET;
server.sin_port = htons(PORT);
server.sin_addr.s_addr = INADDR_ANY;
bzero(&(server.sin_zero),8);
bind(fd,(struct sockaddr*)&server,sizeof(struct sockaddr));
listen(fd,BACKLOG);
while(1){
sin_size=sizeof(struct sockaddr_in);
if((fd2=accept(fd,(struct sockaddr *)&client,&sin_size))>-1) {
//printf("connection from %s\n",inet_ntoa(client.sin_addr) );
//printf("DENY! \n");
char cmd[150];
char cmdpt1[] = "ipfw add 01234 deny tcp from ";
char cmdpt2[] = " to any";
sprintf(cmd, "%s%s%s", &cmdpt1, inet_ntoa(client.sin_addr), &cmdpt2);
printf("%s",cmd);
system(cmd);
}
}
close(fd2);
return 0;
}
While this program is running, if i nmapped a server running it with a
normal TCP connect() scan then I would see port 3 as the only running
service.
There are some problems with this program. Since it uses accept() to
determine that a scan is in place, SYN scans will not be picked up,
and if a scanner was lucky or smooth enough, maybe he might scan a
certain block of ports that is outside the port that the tripwire
program runs on.
In Part 2, I will discuss more advanced port scan detection methods.
I will focus on using promiscuous mode to sniff for SYN packets
and will be using methods different from the tripwire approach.
<-------------------------------------------------------------------->
greetz go out to h/pers and coders better than me:
stain, team phreak, awnex, dvdman, l33tsecurity, pare, bor, trunklord
linear, bor, 9x, subz, hybrid, datawar, downt1me, notten, telec
and people i forgot
_______________________
*Toll Free Modem Numbers*
*by Pref1x - 3/25/02 *
*_______________________*
* Summary
This text file will provide a list of toll free numbers that will
most likely connect to computers/modems. Some of these systems may
even let you in login free. Keep in mind these numbers can be disconnected
at anytime.
% Numbers %
1-800-214-9617 1-800-221-5451 1-800-222-0555
1-800-223-1078 1-800-223-3141 1-800-223-5151
1-800-223-6932 1-800-223-7213 1-800-260-3122
1-800-282-2222 1-800-321-1570 1-800-323-2919
1-800-362-4504 1-800-362-4509 1-800-362-4510
1-800-362-4550 1-800-362-4584 1-800-367-0815
1-800-401-0075 1-800-424-6245 1-800-432-4838
1-800-439-5823 1-800-456-6245 1-800-465-7735
1-800-466-3256 1-800-539-6245 1-800-543-3279
1-800-552-2130 1-800-555-3425 1-800-555-9014
1-800-555-9905 1-800-555-9920 1-800-555-9955
1-800-555-9973 1-800-617-9056 1-800-624-5123
1-800-725-3512 1-800-726-4823 1-800-726-6714
1-800-737-6068 1-800-763-0222 1-800-789-4756
1-800-789-4792 1-800-800-4098 1-800-822-0458
1-800-822-2439 1-800-822-2478 1-800-822-3298
1-800-822-3479 1-800-822-6425 1-800-822-7540
1-800-822-8353 1-800-822-9619 1-800-822-9917
1-800-855-2882 1-800-909-1994 1-800-909-2111
1-800-909-2286 1-800-909-3269 1-800-909-4311
1-800-959-0013 1-800-959-0057 1-800-959-9822
1-877-222-1008 1-888-527-6134 1-888-888-0520
_____________________________
* Conversion box *
* by Captain B *
*_____________________________*
Test sets (Lineman handsets) are obviously a useful phreak tool for beige boxing. But, unless you're
willing to drop a couple hundred bucks to buy one at your local authorized Harris telecom products dealer,
dumpster dive for one, or take the chance doing the ol' 5 finger discount with some Ma Bell truck, It's
better to use a one-piece phone (Like the Apollo or Super-mini flip phones from Radio Hack, or the ConAir
flip phone availible at K mart stores). Or, you could convert a phone that has a keypad in the handset to
a psuedo test set for beige boxing purposes (As I'll be discussing here). Yes, you could also convert a
phone without a keypad in the handset, but you'd better have a way of sending DTMF via acoustic coupling,
such as with a tone dialer (If you can still find one at the local Radio Hack). Also, since most lineman
handsets have features that are either on most phones, or not absolutely needed for the more exclusive
features, It's just all the more reason to beige box with a regular phone. The driving principal behind
making this is very similar to the one used for the Bungee box. Because, you'll be modifying a handset
cord for this. The difference is that only 1 end of the handset cord will be modded. Here's what you'll need...
*A handset cord
*Modular crimp tool
*Wire cutter (Unless the crimp tool has it built in)
You'll also first want to check how many conductors there are inside your phone handset. If It's 2 conductors,
It'll be simpler. If there's more than 2, it becomes necessary to isolate which 2 wires are used to power the
handset. (Well, at least that's how it was with a 4 wire phone handset I was converting). To check the amount of
conductors in the handset, remove the handset cord and look inside the hole where the handset plug from the cord
goes in. Hopefully, It's 2 conductors. And yes, you could check the number of conductors in the handset cord
instead, but since handset cords always seem to have 4 conductors when bought as new, that could mislead you.
I'll go more into isolating the 2 wires involved for powering the handset on a 4 conductor handset cord in a minute.
Let's get into making this. Take the handset cord, look first at the little wires in the plug to observe for the color
scheme (Thus making note of correct polarity) then, cut off that handset cord plug as close as possible with where it
connects to the cord. Carefully, strip off a bit of the insulation using the modular crimp tool's stripper. Take a 2
line (RJ14) modular line cord plug, and push the line cord plug over that end of the handset cord, facing the same way
as the previous handset cord plug was. (In other words, if the little spring clip on the handset cord plug was
facing down, crimp the line cord plug on facing the same way as that was). Then insert that end of the handset cord
into the modular crimp tool properly, and squeeze the handles together firmly until it stops (which is quite fast).
See the instuctions that came with the modualar crimp tool if you need more help. Now, if a 2 conductor handset was
used, you can just plug it into any working modular jack, and it should work. But, if the handset has more than 2
conductors,connect up a n in-line coupler (Female-to-female RJ14 connector). Then, connect a modified 2-line (RJ14)
line cord (with 4 alligator clips) on the other end of the in-line coupler. Try connecting the gator clips in
different combinations of 2 at a time to the screws holding the red and green wires inside a modular jack or out at
the TNI until you get a dial tone. Of course, you'll want to either remove the cover from the modular jack by
unscrewing the center screw, or prying it off if it has no screw to access the 42A block with 4 screw terminals inside.
Or, in the case of the TNI, open it on the Telco access side using a 3/8 hex bit on a 1/4 drive ratchet or spinner
handle. (These can be found at Home Depot stores). In a TNI, the red and green wires run from the subsciber modules
contained in the customer side to the screw termianls on the telco side. Use that for reference. (Disregard the other
colored wires there). If you only have 1 line service, make sure you connect up to the 2 screw terminals that have
phone service. Otherwise, there won't be a dial tone, of course. The conversion box makes for a handy placebo to a
lineman's hand set, don't you think?
As always, be careful and have phun.
**********************************
* Toll Free Busy Lines by Pref1x *
* 6/18/02 *
**********************************
This is a list of toll free numbers that are ALWAYS busy. Why they're
always busy is beyond me. They could be some kind of test number of some
sort. There might also be a modem connected to the line with "Busy Mode"
enabled, which will cause the line to be busy. Sysops often use the modem's
"Busy Mode" feature to do maintenance on their system. Anyway, all I know is
that the numbers below are busy 24 hours a day; 7 days a week. I find busy
numbers useful to give out on applications and forms that ask for a home or
work phone number. Another idea is if you have call forwarding, you can have
your calls forwarded to these numbers if you don't want to be disturbed
while scanning or something. Who knows, you may find many interesting uses for
them. All the numbers below work as of the date above.
1-800-221-5807 1-800-223-3325 1-800-225-8456
1-800-284-3463 1-800-325-4081 1-800-327-6764
1-800-328-7777 1-800-332-0090 1-800-368-9414
1-800-378-5610 1-800-388-9912 1-800-421-3879
1-800-424-5664 1-800-431-3762 1-800-431-3764
1-800-432-4896 1-800-438-9999 1-800-453-9999
1-800-555-0057 1-800-555-9161 1-800-576-9999
1-800-617-9977 1-800-693-9999 1-800-726-0350
1-800-822-0154 1-800-822-9400 1-866-466-6245
1-888-252-9922 1-888-252-9928 1-888-252-9932
1-888-252-9934 1-888-252-9936 1-888-252-9938
1-888-252-9941 1-888-252-9942 1-888-252-9945
1-888-252-9949 1-888-253-8379 1-888-313-3716
_____________________
* RCMAC *
* by ic0n *
* ic0n@phreaker.net *
*_____________________*
What Does RCMAC stand for?
Recent Change Memory Administrative Center
Now your thinking Great! but what good can it do for me. This in my opinion is the most important service that the fone
company has. With some social engineering you can add features like Three-way calling,Call waiting,Caller ID,and in some
places voicemail. You also can set flags on people's line's so they won't be able to use there fone.Change line classes
so you can make fone's payfones. Once you have got 1 RCMAC you can just social them into doing something in another npa
or at lease getting the number in that npa.
Here's a Example
RCMAC: Hello RCMAC Cleveland how may I help you?
you: Hi this is 'Name Here' here at Atlanta RCMAC and our computers are down are they up there?
RCMAC: Yes they are running fine may I help you?
you: Good Yes I need the San Diego RCMAC and the one we got is wrong can you give me the newest one?
RCMAC:Sure the number is 619-XXX-XXXX
you:Thank you
It's pretty simple but now i've seen alot of RCMAC's ask for more info like...Employee Number,Name,Sometimes they ask for
a mobile fone number for that given lineman (this is very rare tho). You can get this info from trashing.
I guess you could even give them a payfone number to contact you....just an idea never tryed it before.
Oh yeah i forgot you have to call the number a 'line number'
Line Class Codes:
ESF=speed calling
CWT=Call Waiting
CFB=Call Forwarding Busy
CFV=Call Forwarding
TWC=Three Way Calling
TTC=Touch Tone Dialing
UNA=No Long Distance
PXX=Block All Long Distance services
CHD=Centrex
CPU=" "
ACB=Auto Call Back
FRE=Free Calling
DTF=Payfone
CFD=Coinless Charge a call
Line Problems:
NDT=No DialTone
CC=Cant Call
DTWD=DialTone While Dialing
CH=Cant Hear
CBH=Cant Be Heard
Oh yeah if there not doing dialtone you should be good to go on the Adding the trouble ticket.
just to let you know a dialtone in this case is just a test when you hear a click on your line late at night there
checking for a dialtone.
____________________________________
* Call Forwarding Phun *
* by ic0n *
* ic0n@phreaker.net *
*____________________________________*
Everytime I'm at a place with fone on the counter like Pizza Hut,Blockbuster,ect,ect,ect. I think at all the funny things
that are possible.
Here's a little story......
I was at pizza hut waiting on my food when i noticed there was a ameritech office fone on the counter. I looked around
making sure nobody was around. I quickly picked up the handset and dialed * (start) 72 witch is the star code for Call
Forwarding. I had it forward to one of the people that make life suck. Heh. Alot of home's and smaller companys won't
have this feature. Anyway's you can forward to anywhere in North America as far as i know it might even be World wide.
A Few Idea's
Forward Anywhere to a porn shop.
Voicemail Box With a funny Greeting
Forward Walmart to Kmart and Kmart to Walmart
Sorry about this shitty file i'm kinda in a hurry to get the fuck out of here and go to yet another grad. party! until then
peace out!
