The Mickey Mouse Club Presents... __ __ ____ __ __ __ ______ _____ ______ __ __ __ __ __ __ __ __ __ __ __ __ ______ ________ __ ___ ____ _____ ______ __ __ __ __ __ __ __ __ __ __ __ __ __ __ __ __ __ __ __ ______ __ __ ______ Hackers Unlimited __ __ __ __ __ ______ __ __ ______ ______ ______ ____ __ __ ___ __ __ __ ___ ___ __ __ __ __ __ __ __ __ __ __ __ __ __ __ __ __ __ ____ __ __ __ __ __ ___ __ __ __ __ __ __ __ __ __ ____ __ __ ______ ______ __ __ ______ __ ______ ____ Magazine Volume 1 Issue 1 Released 10/02/89 Editors The Dark Lord Cardiac Arrest -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Hackers Unlimited Volume 1, Issue 1 Table Of Contents # Title Author ------==========================================------------------------------- 1 Information about The Mickey Mouse Club Editors 2 Artical Submission Policies Editors 3 Introduction Editors 4 How Ma Bell Crushed The Blue Box Cardiac Arrest 5 Beige Boxing Cardiac Arrest 6 Basic Information About Credit Cards Midnight Caller 7 MMC Guide To Hacking, Phreaking, Carding The Dark Lord 8 A Novice's Guide To Hacking - 1989 Ed. The Mentor 9 Cable Piracy Psycho Bear 10 Pyro File 1 Fallen Angel 11 Pyro File 2 Fallen Angel 12 Pyro File 3 Fallen Angel 13 Social Engineering Fallen Angel 14 Listings Compilations 15 Closing Notes Editors ------==========================================------------------------------- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- What is The Mickey Mouse Club? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The Mickey Mouse Club was founded by Cardiac Arrest and The Dark Lord. The name MMC came about because we couldn't think of a better one. We are basically a cracking club. Aside from cracking, we write instructional text files, and an electronic magazine called Hackers Unlimited Magazine, designed to help beginning hackers and phreakers. We are also the authors of programs such as Data Protect, a file that, as the name implies, provides features such as data ecnryption/decryption, file hiding, file clearing, and several other functions. MMC Membership ~~~~~~~~~~~~~~ Since we are still a comparitively new group, we are looking for members of the underground BBS community who can do one or more of the following : * Crack games (or other programs) * Draw crack screens * Write instructional text files about phreaking, hacking, carding, etc * Contribute to Hackers Unlimited Magazine in other ways than files * Write programs beneficial to the hacking community (ie code hackers, etc) If you are interested in applying for the MMC, contact either Cardiac Arrest or The Dark Lord. If you fit into the above specifications, we will give you permission to fill out our application. After completion, upload your application to the BBS you downloaded it from. Your membership will be considered ONLY if you received the application with permission. It will be based entirely on the application (ie, your truthfullness and knowledge). Hackers Unlimited Magazine ~~~~~~~~~~~~~~~~~~~~~~~~~~ The Mickey Mouse Club puts out an electronic newsletter/magazine called Hackers Unlimited Magazine. This magazine is devoted to informing the hacking community about hacking, phreaking, carding, or anything else or interest. It is geared towards beginners, but we hope some experienced hackers will benefit from it also. The editors of the magazine are the founders of the MMC, Cardiac Arrest and The Dark Lord. ANYONE may write for HU magazine, and we would like to encourage readers to submit any articles they have written to a HU Support Board. We would also like to encourage comments, complaints or suggestions. Where You Can Contact Us ~~~~~~~~~~~~~~~~~~~~~~~~ Cardiac Arrest and The Dark Lord can be contacted on most pirate boards in Denver (303/CODEN), as well as various BBSes around the country. At the time of this writing, we also have a Voice Mail Box: X-XXX-XXX-XXXX Box XXXX -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ___________________________ ___________________________ ___ ___ ___ Submission Policy ___ ___________________________ ___________________________ Hackers Unlimited Magazine is an ongoing newsletter, and we will release issues as regularly as possible. To do this we will need readers to contribute articles for the magazine as often as possible. We ask that if you feel you have something good to write about that will fall within the guidelines for Hackers Unlimited, please submit it. However, we do take pride in the magazine, and we will only accept articles up to our standards. Do not be discouraged if your article is turned down. Although this is not a thing that is expected to happen, if we feel the article is not good, then we do reserve the right to turn down your article. Please don't let that stop you from writing your article. Ninty percent of the articles will NOT be turned down, and by having this policy, we are not wanting to scare off the good writers. We ask that you keep the topic within the guidelines, and make it to the best of your ability. If your article IS turned down, the editors may make suggestions, or, if the changes are minor, permission to edit the file. One thing to keep in mind, we do not base our decisions on the type of computer you own, reputation that you have, age or anything else unrelated to the magazine. The decision whether the article stays or goes is based STRICKLY on the quality of the article itself. To submit an article just find some way of getting in touch with one of the writers of Hackers Unlimited, or even better, one of the editors, The Dark Lord, or Cardiac Arrest. If you do get in touch with one of the writers, you must make sure it is relayed to one or both of the editors, because it will do little or no good if we don't know you're out there. There will be ways listed through out this magazine on how you can get in touch with us, either through support boards, Colorado boards, Vmb's etc. Hope to see an article from you soon and enjoy.........Hackers Unlimited!!! -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Introduction : Welcome to the premier issue of Hackers Unlimited Magazine, a magazine designed for the sole purpose of helping hackers, beginning and advanced alike. The editors of this magazine are Cardiac Arrest and The Dark Lord (both from 303). You will undoubtedly notice that several of the articles were written by us. In future issues, we hope to have more articles written by readers, and less written by the editors. Anyways, on with the magazine.... Cardiac Arrest & The Dark Lord Editors, Hackers Unlimited Magazine VMB X-XXX-XXX-XXXX Box XXXX NOTE : This VMB is valid as of the release of this magazine, but may change without notice. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- "The Blue Box And Ma Bell" Herb Friedman, Communications Editor Radio Electroncs Magazine November 1987 Typed By : Cardiac Arrest 06/89 Before the breakup of AT&T, Ma Bell was everyone's favorite enemy. So it was not surprising that so many people worked so hard and so successfully at perfecting various means of making free and untracable telephone calls. Whether it was a "Red Box" used by Joe and Jane College to call home, or a "Blue Box" used by organized crime to lay off untracable bets, the technology that provided the finest telephone system in the world contained the seeds of it's own destruction. The fact of the matter is that the Blue Box was so effective at making untracable calls that there is no estimate as to how many calls were made or who made them. No one knows for certain whether Ma Bell lost revenues of $100, $100-million, or $1-billion on the Blue Box. Blue Boxes were so effective at making free, untracable calls that Ma Bell didn't want anyone to know about them, and for many years denied their existence. They even went as far as strong-arming a major consumer science magazine into killing an article that had already been prepared on the Blue and Red boxes. Further, the police records of a major city contain a report concerning a break-in at the residence of the author of that article. The only item missing following the break-in was the folder containing copies of the earliest Blue-Box designs and a Bell-System booklet that described how subscriber billing was done by the AMA machine--a booklet that Ma Bell denied ever existed [article includes picture proving otherwise - Cardiac]. Since the AMA (Automatic Message Accounting) machine was the means whereby Ma Bell eventually tracked down both the Blue and Red Boxes, we'll take time out to explain it. Besides, knowing how the AMA machine works will help you to better understand "phone phreaking." WHO MADE THE CALL Back in the early days of the telephone, a customer's billing was originated in a mechanical counting device, which was usually called a "register" or a "meter." Each subscriber's line was connected to a meter that was part of a wall of meters. The meter clicked off the message units, and once a month someone simply wrote down the meter's reading, which was later interpolated into message-unit billing for those subscriber's who were charged by the message unit. (Flat rate subscriber's could make unlimited calls only within a designated geographic area. The meter clicked off message units for calls outside that area.) Because eventually there were too many meters to read individually, and because more subscribers started questioning their monthly bills, the local telephone companies turned to photography. A photograph of a large number of meters served as an incontestable record of their reading at a given date and time, and was much easier to convert to customer billing by the accounting department. As you might imagine, even with photographs billing was cumbersome and did not reflect the latest technical developments. A meter didn't provide any indication of what the subscriber was doing with the telephone, nor did it indicate how the average subscriber made calls or the efficiency of the information service (how fast the operators could handle requests). So the meters were replaced by the AMA machine. One machine handled up to 20,000 subscribers. It produced a punched tape for a 24-hour period that showed, among other things, the time a phone was picked up (went off-hook), the number dialed, the time the called party answered, and the time the originating phone was hung up (placed on-hook). One other point, which will answer some questions that you're certain to think of as we discuss the Red and Blue boxes: Ma Bell did not want persons outside their system to know about the AMA machine. The reason? Almost everyone had complaints--usually unjustified--about their billing. Had the public been aware of the AMA machine they would have asked for a monthly list of their telephone calls. It wasn't that Ma Bell feared errors in billing; rather, they were fearful of being buried under an avalanche of paperwork and customer complaints. Also, the public beleived their telephone calls were personal and untraceable, and Ma Bell didn't want to admit that they knew about the who, when, and where of every call. And so Ma Bellalways insisted that billing was based on a meter unit that simply "clicked" for each message unit; thatthere was no record, other than for long-distance calls, as to who called whom. Long distance was handled by, and the billing information was done by and operator, so there was a written record Ma Bell could not deny. The secrecy surrounding the AMA machine was so pervasive that local, state, and even federal police were told that local calls made by criminals were untraceable, and that people who made obscene telephone calls could not be tracked down unless the person receiving the cals could keep the caller on the line for some 30 to 50 minutes so the connections could be physically traced by technicians. Imagine asking a woman or child to put up with almost an hours worth of the most horrendous obscenities in the hope someone could trace the line. Yet in areas where the AMA machine had replaced meters, it would have been a simple, though perhaps time-consuming task, to track down the numbers called by any telephone during a 24-hour period. But Ma Bell wanted the AMA machince kept as secret as possible, and so many a criminal was not caught, and many a woman was harried by the obscene calls of a potential rapist, because existence of the AMA machine was denied. As a sidelight as to the secrecy surrounding the AMA machine, someone at Ma Bell or the local operating company decided to put the squeeze on the author of the article on Blue Boxes, and reported to the treasury Department that he was, in fact, manufacturing them for organized crime--the going rate in the mid 1960's was supposedly $20,000 a box. (Perhaps Ma Bell figured the author would get the obvious message: Forget about the Blue Box and the AMA machine or you'll spend lots of time, and much money on lawyer's fees to get out of the hassles it will cause.) The author was suddenly visited ay his place of employment by a Treasury agent. Fortunately, it took just a few minutes to convince the agent that the author was really just that, and the a technical wizard working for the mob. But one conversation led to another, and the Treasury agent was astounded to learn about the AMA machine. (Wow! Can an author whose story is squelched spill his guts.) According to the treasury agent, his department had been told that it was impossible to get a record of local calls made by gangsters: The Treasury department had never been informed of the existence of automatic message accounting. Needless to say, the agent left with his own copy of the Bell System publication about the AMA machine, and the author had an appointment with the local Treasury-Bureau director to fill him in on the AMA Machine. That information eventually ended up with Senator Dodd, who was conducting a congressional investigation into, among other things, telephone company surveillance of subscriber lines--which was a common practice for which there was detailed instructions, Ma Bell's own switching equipment ("crossbar") manual. THE BLUE BOX The Blue Box permitted free telephone calls because it used Ma Bell's own internal frequency-sensitive circuits. When direct long-distance dialing was introduced, the crossbar equipment knew a long-distance call was being dialed by the three-digit area code. The crossbar then converted the dial pulses the the CCITT tone groups, shown in Table 1 [I'll put the table in at the end of the file - Cardiac], that are used for international and truckline signalling. (Not that those do not correspond to Touch-Tone frequencies.) As you can see in that table, the tone groups represent more than just numbers; among other things there are tone groups indentified as KP (prime) and ST (start)--keep them in mind. When a subscriber dialed an area code and a telephone number on a rotary-dial telephone, the crossbar automatically conneceted the subscriber's telephone to a long-distance truck, converted the dial pulses to CCITT tones sent out on the long-distance trunk that set up or selected the routing and caused electro-mechanical equipment in the target city to dial the called telephone. Operator-assisted long-distance calls worked the same way. The operator simply logged into a long-distance trunk and pushed the appropriate buttons, which generated the same tones as direct-dial equipment. The button sequence was KP (which activated the long-distance equipment), then the complete area code and telephone number. At the target city, the connection was made to the called number but ringing did not occur until the operator there pressed the ST button. The sequence of events of early Blue Boxes went like this: The caller dialed information in a distant city, which caused his AMA machine to record a free call to information. When the information operator answered, he pressed the KP key on the Blue Box, which disconnected the operator and gave him access to a long-distance trunk. He then dialed the desired number and ended with an ST, which caused the target phone to ring. For as long as the conversation took place, the AMA machine indicated a free call to an information operator. The technique required a long-distance information operator because the local operator, not being on a long-distance trunk, was accessed through local wire switching, not the CCITT tones. CALL ANYWHERE Now imagine the possibilities. Assume the Blue Box user was in Philadelphia. He would call Chicago information, disconnect from the operator with a KP tone, and then dial anywhere that was on direct-dialing service: Los Angeles, Dallas, or anywhere in the world in the Blue Boxer could get the internatioal codes. The legend often told of one Blue Boxer who, in the 1960's, lived in New York and had a girlfriend at a college near Boston. Now back in the 1960's, making a telephone call to a college town on the weekend was even more difficult than it is today to make a call from New York to Florida on a reduced-rate holiday using one of the cut-rate long-distance carriers. So our Blue Boxer got on an international operator's circuit to Rome, Blue Boxed through to a Hamburg operator, and asked Hamburg to patch through to Boston. The Hamburg operator thought the call originated in Rome and inquired as to the "operator's" good English, to which the Blue Boxer replied that he was an expatriate hired to handle calls by American tourists back to their homeland. Every weekend, while the Northeast was strangled by reduced-rate long-distance calls, our Blue Boxer had no trouble sending his voice almost 7,000 miles for free. VACUUM TUBES Assembly plans for Blue Boxes were sold through classified advertisements in the electronic-hobbyist magazines. One of the earliest designs was a two-tube poertable model that used a 1.5-volt "A" battery for the filaments and a 125-volt "B" battery for the high-voltage (B+) power supply. The portable Blue Box's functional circuit in shown in Fig. 2 [It's nothing you can't find in any good Blue Box g-file, so I won't try to draw it - Cardiac]. it consisted of two phase-shift oscillators sharing a common speaker that mixed the tones from both oscillators. Switches S1 and S2 each represent 12 switching circuits used to generate the tones. (No, we will not supply a working circuit, so please don't write in and ask--Editor)[That's the real editor, not me - Cardiac] The user placed the speaker over the telephone handset's transmitter and simply pressed the buttons that corresponded to the disired CCITT tones. It was just that simple. Actually, it was even easier then it reads because Blue Boxers dicovered they did not need the operator. If they dialed an active telephone located in certain nearby, but different, area codes, they could Blue Box just as if they had Blue Boxed through an information operator's circuit. The subscriber whose line was blue Box conversatio was short, the "dead" phone suddenly came to life the next time it was picked up. Using a list of "distant" numbers, a Blue Boxer would never hassle plain to the telephone company. The difference between Blue Boxing off a subscriber rather than an informatio operator was that the Blue Boxer's AMA tape indicated a real long-distance telephone call--perhaps costing 15 or 25 cents--instead of a freebie. Of course, that is the reason why when Ma Bell finally decided to go public with "assisted" newspaper articles about the Blue Box users they had apprehended, it was usually about some college kid or "phone phreak." One never read of a mobster being caught. Greed and stupidity were the reasons why the kid's were caught. It was the transistor that led to Ma Bell going public with the Blue Box. By using transistors and RC phase-shift networks for the oscillators, a portable Blue Box could be made inexpensively, and small enough to be used unobstrusively from a public telephone. The college crowdin the many technical schools went crazy with the partable Blue Box; they could call the folks back home, their friends, or get a free network (the Alberta and Carolina connections--which could be a topic for a whole separate article) and never pay a dime to Ma Bell. Unlike the mobsters who were willing to pay a small long-distance charge when Blue Boxing, the kids wanted it, wanted it all free, and so they used the information operator routing, and would often talk "free-of-charge" for hours on end. Ma Bell finally realized that Blue Boxing was costing them big bucks, and decided a few articles on the criminal penalties might scare the Blue Boxers enough to cease and desist. But who did Ma Bell catch? The college kids and the greedies. When Ma Bell decided to catch the Blue Boxers she simply examined the AMA tapes for calls to an information operator that were excessively long. No one talked to an operator for 5, 10, 30 minutes, or several hours. Once a long call to an operator appeared several times on an AMA tape, Ma Bell simply monitored the line and the Blue Boxer was caught. (Now do you understand why we opened with an explanation of the AMA machince?) If the Blue Boxer worked from a telephone boothk, Ma Bell simply monitored the booth. Ma Bell might not have known who originated the call, but she did know who got the call, and getting that party to spill their guts was no problem. The mob and a few Blue Box hobbyists (maybe even thousands) knew of the AMA machine, and so they used a real telephone number for the KP skip. Their AMA tapes looked perfectly legitimate. Even if Ma Bell had told the authorities they could provide a list of direct-dialed calls made by local mobsters, the AMA tapes would never show who was called through a Blue Box. For example, if a bookmaker in New York wanted to lay off some action in Chicago, he could make a legitimate call to a phone in New Jersey and then Blue Box to Chicago. Of course, automatic tone monitoring, computerized billing, and ESS (Electronic Switchin Systems) now make that all virtually impossible. but that's the way it was. You might wonder how Ma Bell discovered the tricks of the Blue Boxers. Simple, they hired the perpetrators as consultants. While the initial newspaper articles detailed the potential jail penalties for apprehended Blue Boxers, except for Ma Bell employees who assisted a Blue Boxer, it is almost impossible to find an article on the resolution of the cases because most hobbyist Blue Boxers got suspended sentences and/or probation if they assisted Ma Bell in developing anti-Blue Box techniques. It is asserted, although it can't be easily proven, that cooperating ex-Blue Boxers were paid as consultants. (If you can't beat them, hire them to work for you.) Should you get any ideas about Blue Boxing, keep in mind that modern switching equipment has the capacity to recognize unauthorized tones. It's the reason why a local office can leave their subscriber Touch-Tone circuits actives, almost inviting you to use the Touch-Tone service. A few days after you use an unauthorized Touch-Tone service, the business office will call and inquire whether you'd like to pay for the service or have it disconnected. The very same central-office equipment that knows you're using Touch-Tone frequencies knows if your line is originating CCITT signals. THE RED BOX The Red Box was primarily used by the college crowd to avoid charges when fequent calls were made between two particular locations, say the college and a student's home. Unlike the somewhat complex circuitry of the Blue Box, a Red Box was nothing more than a modified telephone; in some instances nothing more than a capacitor, a momentary switch, and a battery. As you recall from our discussion of the Blue Box, a telephone circuit is really established before the target phone ever rings, and the circuit is capable of carrying an AC signal in either direction. When the caller hears the ringing in his or her handset, nothing is happening at the receiving end because the ringing signal he hears is really a tone generator at his local telephone office. The target (called) telephone actually gets it 20 pulses-per-second ringing voltage when the person who dialed hears nothing--in the "dead" spaces between hearing the ringing tone. When the called phone is answered and taken off hook, the telephone completes a local-office DC loop that is the signal to stop the ringing voltage. About three seconds later the DC loop results in a signal being sent all the way back to the caller's AMA machine that the called telephone was answered. Keep that three-second AMA delay in mind. (By now you should have a pretty good idea of what's coming!) [I'm skipping a paragraph talking about how a telephone circuit works. It is referring to a simple phone schematic that isn't worth drawing, so I ommited the whole paragraph - Cardiac] Now as we said earlier, the circuit can actually carry AC before the DC loop is closed. The Red Box is simply a device that provides a telephone with a local battery so that the phone can generate an AC signal without having a DC connection to the telephone line. The earliest of the Red Boxes was the surplus military field telephone, of which there were thousands upon thousands in the marketplace during the 1950's and 1960's. The field telephone was a portable telephone unit having a manual ringer worked by a crank--just like the telephone Grandpa used on the farm--and two D-cells. A selector switch set up the unit so that it could be connected to a combat switchboard, with the DC power supplied by the switchboard. But if a combat unit wasn't connected to a switchboard, and the Lieutenant yelled "Take a wire," the signalman threw a switch on his field telephone that switched in the local batteries. To prevent the possibility of having both ends of the circuit feeding battery current into the line in opposite polarity--thereby resulting in silence--the output from the field telephone when running from its internal batteries was only the AC representing the voice input, not modulated DC. [I ommited the next two paragraphs, which talk about how to make one. It too has a complicated schematic, so I wont draw it. It's the same stuff you get from any Red Box g-file - Cardiac] PRESS ONCE TO TALK The Red Box was used at the receiving end; let's assume it's the old homestead. The call was originated by Junior (or Sis) at their college 1000 miles away from home. Joe gave the family one ring and then hung up, which told them that he's calling. Pop set up the Red Box. Then Junior redialed the old homestead. Pop lifted the handset when the phone rang. Then Pop closed a momentary-switch for about a half-second, which caused the local telephone office to silence the ringing signal. When Pop released the switch, the folks cantalk to Junior without Junior getting charged because his AMA tape did not show his call was answered--the DC loop must be closed for at least three-seconds for the AMA tape to show Junior's call was answered. All the AMA tape showed is that Junior let the phone ring at the old homestead for almost 30 minutes; a length of time that no Bell Operating Company is likely to believe twice! A modern Red Box is simpy a conventional telephone that's been modified to emulate the vintage 1940 military field telephone. Aside from the fact that the operating companies can now nail every Red Box user because all modern billing equipment shows the AMA information concerning the length of time a caller let the target phone ring, it's use has often put severe psychological strain on the users. [I ommited another paragraph here. It was just some closing stuff. Nothing special - Cardiac] There are no hard facts concerning how many Red Boxes were in use, or how much money Ma Bell lost, but one thing is known: she had little difficulty in closing down Red Boxes in virtually all instances where the old folks were involved because Mom and Pop usually would not tolerate what to them was stealing. If you as a reader have any ideas about using a Red Box, bear in mind that the AMA machine (or it's equivilent) will get you every time, even if you use a phone booth, because the record will show the number being called, and as with the Blue Box, the people on the receiving end will spill their guts to the cops. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- The Mickey Mouse Club's Guide To -+ Beige Boxing +- Written By : Cardiac Arrest [09/26/89] Introduction : Well, I KNOW that nearly everybody and their brother knows how ~~~~~~~~~~~~ to beige box, but what magazine is complete without a file as basic as that. Anyways, if you know how to beige box, and consider yourself master beiger, skip this and go on to the next file. Otherwise, I'll try to help beginners and maybe give some experienced boxers food for thought. What IS Beige Boxing : If you've ever payed any attention to the phone ~~~~~~~~~~~~~~~~~~~~ company, you've definately seen a guy in funny Ma Bell overalls running around with a funny-looking telephone with gator clips coming out the bottom. That's the Ma Bell version of the "beige box", called a Lineman's Handset. There are literally TONS of uses for a beige boxes, and they are simple to make, so it's usually a good introduction to the phreaking world. The Purpose Of This File : If even one person reads this file and learns ~~~~~~~~~~~~~~~~~~~~~~~~ something, I've accomplished what I set out to do (how cliche, right?). But seriously, I'm going to attempt to provide several easy methods of beige boxing. Some experienced beigers will definately see some familiar designs, but they might also see a new twist or two. I'll also include (hopefully) easy but complete directions of some of the possibilities for use. Back To Reality : Ok, on with the file. There are about as many beige box ~~~~~~~~~~~~~~~ designs as there are uses, and with both, new ideas are always popping up. The designs in this file are by no means the best designs. I HOPE that they're some of the easiest, but who am I to say. Method #1 (Generic, Phone Destroying, Design) Required Materials 1 Telephone that you wont miss (it'll be a permanent beige box) 2 Gator clips 1 Telephone cord 1 Screwdriver 1 Pair of wire cutters 1 Soldering iron Solder Construction 1. Open up the telephone with the screwdriver. I can't give exact directions, because different models vary, but if you can't find the screws, try checking under the plastic plate that holds the phone number of the location. 2. Look at the modular jack (the thingy the phone cord plugs into). Find the red and green wires. These are the ones you want. Trace these wires with your finger to the screw that holds them down. Connect your phone cord to these screws, either by soldering them, or by wrapping them around the screw and tightening it down. 3. Run the telephone cord out the modular jack's hole. If you can't squeeze it through the jack, take the wire cutters the cut the wires leading to it, and yank it out. That should leave planty of room. 4. Re-assemble your phone. 5. At the end of the telephone cord hanging out of the phone, connect the gator clips to the same wires hooked up to the screws inside the housing of the phone. You can connect them either by soldering, or by splicing the wire to them (twisting them around the hole and praying that it holds). Method #2 (A spin-off of #1, but less permanent) Required Materials 1 Telephone (Don't worry, you wont wreck this one) 1 Telephone cord (You can use one of the springy ones that you always tangle up when you're on the phone) 2 Gator clips 1 Pair of wire cutters 1 Soldering iron Solder Construction 1. Cut the modular plug (the thing that plugs into the wall or telephone set) off ONE end of the telephone cord. 2. Find the red and green wires and connect the gator clips to these by soldering or splicing them. 3. Connect the other end (the that still has a plug) to a telephone. Method #3 (Similar to #2, but using a wall jack instead of a cord) Required Materials 1 Telephone (This wont get wrecked, either) 1 Modular telephone wall jack (This WILL get wrecked) 2 Gator clips 1 Pair of wire cutters 1 Soldering iron Solder Construction 1. Look on the back of the wall jack. You should see the typical red and green wires going into the back of the jack. Leave the end going into the jack alone, but trace them to where the go into the plate holding the jack. Cut them here (being sure, as I said, to leave the jack end alone). 2. Hook the gator clips up to the red/green wires. 3. Plug the phone into the wall jack. Testing Your Box : Ok, now that you've got one of the boxes described above ~~~~~~~~~~~~~~~~ (or a different one...I really don't care), you ready to go. Go outside, and on the side of your house, you should be able to find a small, approximately 3" X 3", puke-green box, with a bolt in the middle of it. Take a wrench (I'm not sure what the size is, but a 10mm wrench works for me, and that's all I really care about. But be careful, since it's not exact, you might strip it) and take off the bolt. You'll probably have to clear out some cobwebs, since it hasn't been used in a while. Inside the box, you should see four screws (one on each corner) with the typical red/green wires connected to them. (If you have two phone lines, the bottom screws will have black/yellow wires, if you have one phone line, the bottom wont have any). You can probably guess what happens from here--Hook the gator clips up to the screws. You should get a dial tone. If you didn't, make sure the connection is clean, that you're hooked up to the right terminals(screws), etc. If you still don't get one, you're screwed. That means there's something wrong with your box. If you do get a dial tone, you're probably guessing what you can do from here. Where Can You Use The Beige Box : You can use the beige box on several pieces ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ of equipment. You can go to you're best friend's house and use it like I described. You can open up one of those ugly green boxes about 3' high in the back yard of every couple houses. Inside you'll see pretty much the same thing as at individual houses, only there's several houses running through the box, not just yours. I have heard that you can use a beige inside a Ma Bell manhole, but I crawled down one (not fun) and there was a huge plastic tube. You can see the telephone wires inside, but I have no idea how to get to them. There are definately more uses, but these are the ones I've been exposed to. The Box Of Many Uses : As I've mentioned, there are TONS of uses for beige ~~~~~~~~~~~~~~~~~~~~ boxes, and the ones I explain are merely the ones I've had some fun with. It's all basically the same, but there are some interesting twists. Conferences : Definately one of the funnest. It's easier to do than explain, ~~~~~~~~~~~ but I'll give it a shot. First, call up a conference service (I'll list them in a second). From here, you'll pretty much get instructions (at least on the ones I've used). Basically, you call up your buddies, tell them what's going on, and hit a key (usually *) and they get put into the conference. From there, you and all your friends can all talk to each other, trade codes, etc. Get the idea? (You can even call foreign numbers. On our conference, we voiced a user from Italy and called a hotel in Madrid for someone to practice Spanish....) Conference Services : 0-700-456-1000 0-700-456-1001 0-700-456-1002 0-700-456-1003 0-700-456-1004 0-700-456-2000 0-700-456-2001 0-700-456-2002 0-700-456-2003 0-700-456-2004 Tapping : If you hook up your beige box, and hear voices, the rightful owner ~~~~~~~ of the line is obviously using it. Well, that's about all there is to phone tapping. Just shut up and listen. L/D Calling : Hey, it's not YOUR bill, so go ahead and call your pal in ~~~~~~~~~~~ France. Maybe voice verify some users on your BBS.... Dial-A-Porn : Hey, wait!! How'd that get in here? ~~~~~~~~~~~ Conclusion : That's about it. I wont pretend to be an expert on beige boxes, ~~~~~~~~~~ so I wont say that these are the limits, or that these are the best methods. I'm just trying to provide a non-technical introduction to phreaking. Well, if anyone has any comments, questions, or come up with any new ideas, let me know. MMC [09/26/89] -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =============================================================================== Basic Information About Credit Cards =============================================================================== There are at least three types of security devices on credit cards that you aren't supposed to know about. They are the account number, the signature panel, and the magnetic strip. The Account Number ------------------ A Social Security card has nine digits. So do two-part Zip codes. A domestic phone number, including area code, has ten digits. Yet a complete MasterCard number has twenty digits. Why so many? It is not mathematically necessary for any credit-card account number to have more than eight digits. Each cardholder must, of course, have a unique number. Visa and MasterCard are estimated to have about sixty-five million cardholders each. Thus their numbering systems must have at least sixty-five million available numbers. There are one hundred million possible conbinations of eight digits-- 00000000, 00000001, 00000002, 00000003, all the way up to 99999999. So eight digits would be enough. To allow for future growth, an issuer the size of Visa of MaserCard could opt for nine digits---enough for a billion differnt numbers. In fact, a Visa card has thirteen digits and sometimes more. An American Express card has fifteen digits. Diners Club cards have fourteen. Carte Blanche has ten. Obviously, the card issuers are not projecting that they will have billions and billions of cardholders and need those digits to ensure a different number for each. The extra digits are actually a security device. Say your Visa number is 4211 503 417 268. Each purchase must be entered into a computer from a sales slip. The account number tags the purchase to your account. The persons who enter account numbers into computers get bored and sometimes make mistakes. They might enter 4211 503 471 268 or 4211 703 417 268 instead. The advantage of the thirteen-digit numbering system is that it is unlikely any Visa cardholder has 4211 503 471 268 or 4211 703 417 268 for an account number. There are 10 trillion possible thirteen-digit Visa numbers (0000 000 000 000;0000 000 000 0001;... 9999 999 999 999). Only about sixty-five million of those numbers are numbers of actual active accounts. The odds that an incorrectly entered number would correspond to a real number are something like sixty-five million in ten trillion, or about one in one hundred and fifty thousand. Those are slim odds. You could fill up a book the size of this one {note, book is 228 pgs long} with random thirteen-digit numbers such as these: 3901 160 943 791 1090 734 231 410 1783 205 995 561 9542 425 195 969 2358 862 307 845 9940 880 814 778 8421 456 150 662 9910 441 036 483 3167 186 869 267 6081 132 670 781 1228 190 300 350 4563 351 105 207 Still you would not duplicate a Visa account number. Whenever an account number is entered incorrectly, iw will almose certainly fail to match up with any of the other account nubmers in the computer's memory. The computer can then request that the number be entered again. Other card-numbering systems are even more secure. Of the quadrillion possible fifteen-digit American Express card numbers, only about 11 million are assigned. The chance of a random number happening to correspond to an existing account number is about one in ninety million. Taking into account all twenty digits on a MasterCard, there are one hundred quintillion (100,000,000,000,000,000,000) possible numvers for sixy-five million card- holders. The chance of a random string of digits matching a real MasterCard number is about one in one and a half trillion. Among other things, this makes possible those television ads inviting holders of credit cards to phone in to order merchandise. The operators who take the calls never see the callers' cards nor their signatures. How can they be sure the callers even have credit cards? They base their confidence on the security of the credit-card numbering systems. If someone calls in and makes up a creditcard number--even being careful to get the right number of digits--the number surely will not be an existing real credit-card number. The deception can be spotted instantly by plugging into the credit-card company's computers. For all practical purposes, the only way to come up with a genuine credit-card number is to read it off a credit card. The number, not the piece of plastic, is enough. Neiman-Marcus' Garbage Can -------------------------- The converse of this is the fact that anyone who knows someone else's card number can charge to that person's account. Police sources say this is a major problem, but card issuers, by and large, do their best to keep these crimes a secret. The fear is that publicizing the crimes may tempt more people to commit them. Worse yet, there is alomost nothing the average person can do to prevent being victimized {muhaha} -- short of giving up credit cards entirely. Lots of strangers know your credit-card numbers. Everyone you hand a card to--waiters, sales clerks, ticket agents, hairdressers, gas station attendants, hotel cashiers--sees the account number. Every time a card is put in an imprinter, three copies are made, and two are left with the clerk. If you charge anything by phone or mail order, someone somewhere sees the number. Crooks don't have to be in a job with normal access to creditcard numbers. Occasional operations have discovered that the garbage cans outside prestige department or specialty stores are sources of high-credit-limit account numbers. The crooks look for the discarded carbon paper from sales slips. The account number is usually legible--as are the expiration date, name, and signature. (A 1981 operation used carbons from Koontz Hardware, a West Hollywood, California, store frequented by many celebrities.) Converting a number into cash is less risky than using a stolen credit card. The crook need only call an airline, posing as the cardholder, and make a reservation on a heavily traveled flight. He usually requests that tickets be issued in someone else's name for pickup at the airport (airlines don't always ask for ID on ticket pickups, but the crook has it if needed) and is set. The tickets can be sold at a discount on the hot- ticket market operating in every major airport. There are other methods as well. Anyone with a Visa or MasterCard merchant account can fill out invoices for nonexistent sales and submit them to the bank. As long as the account numbers and names are genuine, the bank will pay the merchant immediately. For an investment of about a thousand dollars, an organized criminal operation can get the pressing machines needed to make counterfeit credit cards. Counterfeiting credit cards in relatively simple. There are no fancy scrolls and filigree work, just blocky logos in primary colors. From the criminal's standpoint, the main advantage of a counterfeit card is that it allows him to get cash advances. For maximum plundering of a line of credit, the crook must know the credit limit as well as the account number. To learn both, he often calls an intended victim, posing as the victim's bank: CROOK: This is Bank of America. We're calling to tell you that the credit limit on your Visa card has been raised to twelve hundred dollars. VICTIM: But my limit has always been ten thousand dollars. CROOK: There must be some problem with the computers. Do you have your card handy? Could you read off the embossed number? On a smaller scale, many struggling rock groups have discovered the knack of using someone else's telephone company credit card. When a cardholder wants to make a long-distance call from a hotel or pay phone, he or she reads the card number to the operator. The call is then billed to the cardholder's home phone. Musicians on tour sometimes wait by the special credit-card-and-collect-calls-only booths at airports and jot down a few credit card numbers. In this way, unsuspecting businesspeople finance a touring act's calls to friends at home. If the musicians call from public phones, use a given card number only once, and don't stay in one city long, the phone company seems helpless to stop them. What makes all of these scams so hard to combat is the lead time afforded the criminal. Theft of a credit card--a crime that card issuers will talk about--is generally reported immediately. Within twenty-four hours, a stolen card's number is on the issuer's "hot list" and can no longer be used. But when only a card number is being used illicitly, the crime is not discovered until the cardholder recieves his first inflated bill. That's at least two weeks later; it could be as much as six weeks later. As long as the illicit user isn't too greedy, he has at least two weeks to tap into a credit line with little risk. The Signature Panel ------------------- You're now supposed to erase the signature panel, of course. Card issuers fear that crooks might erase the signature on a stolen credit card and replace it with their own. To make alteration more difficult, many card signature panels have a background design that rubs off if anyone tries to erase. There's the "fingerprint" design on the American Express panel, repeated Visa or MasterCard logos on some bank cards, and the "Safesig" desgn on others. The principle is the same as with the security paper used for checks. If you try to earse a check on security paper, the wavy-line pattern erases, leaving a white area-- and it is obvious that the check has been altered. Rumors hint of a more elaborate gimmick in credit-card panels. It is said that if you erase the panel, a secret word--VOID--appears to prevent use of the card. To test this rumor, fifteen common credit cards were sacrificed. An ordinary pen eraser will erase credit-card signature panels, if slowly. The panels are more easily removed with a cloth and a dry-cleaning fluid such as Energine. This method dissolves the panels cleanly. Of the fifteen cards tested, six had nothing under the panel(other than a continuation of the card back design, where there was one). Nine cards tested had the word "VOID" under the panel. In all cases, the VOIDs were printeed small and repeated many times under the panel. The breakdown: Void Device Nothing -------------------------------------- Bloomingdale's American Express Gold Card Bonwit Teller Broadway Bullock's MasterCard(Citibank) Chase Convenience B.C. Neiman-Marcus I. Magnin Robinson's Joseph Magnin Saks Fifth Avenue First Interstate B.C. Montgomery Ward Visa (Chase Manhattan) When held to a strond light, the VOIDs were visible through the Blooming- dales's card even without removing the panel. The VOID device isn't foolproof. Any crimianl who learns the secret will simply refrain from trying to earse the signature. Most salesclerks don't bother to check signatures anyway. Moreover, it is possible to paint the signature panel back in, over the VOIDs--at least on those cards that do not have a design on the panel. (Saks' panel is a greenish-tan khaki coler that would be difficult to match with paint.) The panel is first removed with dry-cleaning fluid. The back of the card is covered with masking tape, leaving a window where the replacement panel is to go. A thin coat of flat white spray paint simulates the original panel. The Magnetic Strip ------------------ The other security device on the back of the card, the brown magnetic strip, is more difficult to analyze. Some people think there are sundry personal details about the cardholder stored in the strip. But the strip has no more information capacitythan a similar snippet of recording tape. For the most part banks are reticent about the strip. The strip need not contain any information other than the account number or similar indentification. Any futher information needed to complete an automatic-teller transaction-- such as current account balances--can be called up from bank computers and need not be encoded in the strip. Evidently, the card expiration date is in the strip. Expired cards are "eaten" by automatic-teller machines even when the expired card has the same account number and name as its valid replacement card. Credit limit, address, phone number, employer, etc, must not be indicated in this strip, for banks do not issue new cards just because this info changes. It is not clear if the personal identification number is in the strip or called up from the bank computer. Many automatic-teller machines have a secret limit of three attempts for provideing the correct personal identification nubmer. After three wround attempts, the "customer" is assumed to be a crook with a stolen card, going through all possible permutations--and the card is eaten. It is possible to scramble the information in the strip by rubbing a pocket magnet over it. Workers in hspitals or research facilites with large electromagnets sometimes find that their cards no longer work in automatic-teller machines. (If you try to use a magnetically doctored card, you usually get a message to the effect, "Your card may be inserted incorrectly. Please remove and insert according to the diagram.") The Bloomingdale's Color Code ----------------------------- Only in a few cases does the color of a credit card mean anything. There are, of course, the American Express, Visa, and MasterCard gold cards for preferred customers. The Air Travel Card comes in red and green, of which green is better. (With red, you can charge tickets for travel within North America only.) The most elaborate color scheme, and a source of some confusion to status-conscious queues, is that of Bloomingdale's credit department, here is how it works: Low color in the pecking order is blue, issued to Bloomingdale employees as a perk in their compensation packages. The basic Bloomingdale card is yellow. Like most department store cards, it can be used to spread payments over several months with the payment of a finance charge. The red card gives holders three months' free interest and is issued to customers who regularly make large purchases. The silver card is good for unlimited spending, but as with a travel and entertainment card, all charges must be paid in thirty days. The gold card offers the same payment options as the yellow card but is reserved for the store's biggest spenders. The End --------------------------------------------------------------------------- Comments and Acknowledgements- The above has been copied from "Big Secrets" WITHOUT permission. Big Secrets is written by Willian Poundstone. This is a great book that tells you hundreds of things you weren't suppose to find out about. The above artical, was only 5 pages out of a book 288 pages long! He also has a new book out called "Bigger Secrets", which is also good. You can find both at almost anybook store, they should be able to special order it. Well it's now midnight, and i'm getting tried... so I hope you have enjoyed this artical, if you wanna talk to me I'm on many boards all over the country. Well later, i'm gonna go watch Star Trek the Next Generation... The above was written by The /\/\idnight Caller a.k.a. Pizzia Man 08/19/89 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- The Mickey Mouse Club Presents....... The M.M.C. Guide to Hacking, Phreaking, Carding By: The Dark Lord Introduction: ~~~~~~~~~~~~~~ This is a text file is made by The Mickey Mouse Club and we ask that it would be distibuted to others for their use. This file is going to go into depth on how to hack, phreak, and card. There will be information that should help everyone, hopefully!! Hacking: ~~~~~~~~~~ Hacking is a long hard process, unless you get lucky. There are many programs and aids out to make the job a lot easier, but the concept is the same no matter how you use it. First, at least on most things that you hack, you need to get some type of account or vacancy, etc... This is done by randomly entering numbers and or letters until you come up with the proper combination to find the account. Knowing the size of the account number makes this job one-hundred times easier. Thats why I suggest you find out from someone who allready has one or card one. By carding the account, it will die quickly but at least it will give you the length of the account numbers (More on that topic will be expained in the carding section). The accound numbers, do not always just contain numbers or have numbers at all in it. If it has a mix, it makes it a hell of a lot harder to get. You will just have to experiment to find out what charactors are contained in the account. Some Examples of ones that do have mixes of numbers and letters would be Pc Persuit accounts. The forms of them are usuall as such: Account: Pgp014764g Password: 23632k It looks from these that you are pretty much screw because of the way letters are mixed with numbers, thats what makes having a program so much easier. In a lot of circumstances, getting the account is the hardest part that is why having a good background of the system is a major plus in your favor. Once you have got the account, it is time to get the password for this account. Once again having the length and such makes this process not only easier, but faster. just keep entering random passwords of the length or the thought length in until you get a stoke of luck and get it. You MUST remember that 99.5 out of 100 times, this is a long process, and you have to have patience. If you don't you might as well forget ever getting on to the system or have someone else do it for you. Once you have gotten the password, look it over long and hard. Write it down and keep it, examine it. 99% of the time there is a pattern to all the account passwords. Things to look at is the password in reference to the account number. check to see if things have been added to the end or beginning like 00 or 01 or 99 of 0010 thing like that. If you see no relations, the only other way to really find out the pattern in to get another one. Look at both of them together, see if there the same or it account 400's password is 3456 and 402's password is 3458 (they go in order) then just those as a reference to other passwords, take away so much from accounts with a lower number and add the required amounts to accounts with a higher number, etc.... But bassicly, LOOK FOR A PATTERN! Once you have got the password and the account, you have got yourself a passage way in. Although this is what you do to succeed, you have to take many precautions. They do NOT like us messing with the system and they obviously want you to pay just like the others, so they will take necessary means to nail you. They trace like you wouldn't belive. They will trace right as you get on, if you happen to be unlucky, you will never know when they are doing it either, you must ALWAYS be aware of the dangers and take precautions!!! Even on things that you wouldn't think that they would trace you but, be carfull. Whether they trace depends on a couple of things, here are a few major ones: 1. There bank balance 2. There desire to catch you 3. The amount of infestation in there system There are things that you can do to protect yourself, these are not all of them and none of them are sure fire ways, but hey, cutting down your chances of getting caught makes a world of difference, because remember, All the fun is taken away if you caught. Some things to do to protect yourself is: 1. Use a diverter 2. Use false information about you 3. Never stay On-line too long 4. Call during late or early hours, were there is most likely no one monitoring the system 5. Don't call frequently or during the same hours, regulate it Once again these are not all of them but these are some of the "More" helpfull things. If you follow all the step, you can reduce the change of getting caught by about 40%. If you do get caught there is not a whole lot that you can do, but some tips are, first, don't reveal any information on what you have done. Deny all charges. Sencond, plea bargin with knowladge of things, like hacked sytems etc.. But never admit that you did it. Three, and most important, get a GOOD LAWYER!!!!!!! DIFFERENT TYPES OF SYSTEMS: Pc Persuit Cp\m Trw Unix Vmb Vms These are just a few systems, if I made a complete list There would be pratically no end to it, there are millions. Phreaking: ~~~~~~~~~~~~ Phreaking, Ahhhwwww, the wonderfull world of phreaking. Well to start with Phreaking is "The use of Telecommunications to others besides people of the Phone Company". Well thats my version of the definition at least. Using codes is wuit easy, there are different parts to it, the Dial-up, the code, and the number. First you will have to dial in the dial-up and on most dial ups you will get a tone or a buzz or click or something to that effect. Once you hear this, and you will know when you hear it you dial in the code. Sometime you will get another tone or beep etc. and when you do that is when you dial in the number. If you do not get another tone or whatever you just dial in the number right after you enter the code. You might have to have a test dial up to see how the tones go. In dialing the number once agian the nubers differ. You must enter the area code and then the nuber. Some require that you have a one before the area code but most that I have used do not. You can tell if the code worked right after the number has been put in not just by the error recording that you get but if right off the bat the phone begins to ring, it doesn't work. A code can also be busy. If it is busy it could mean that the code is dead or that too many people are using it at once. You might experiance this often. There are numbers that make phreaking much safer, they are called diverters. What the do is when the number that you have dial is being traced it diverts it to that number. Unless this is virgin or nobody else uses it, you will find that with in a couple of days after it is out, it will be busy, that is the annoyance about diverters, and they are also hard to get. Hacking is also put into play in phreaking by using programs to get dial ups and the codes. Getting these are done in the same way you hack anything else. Just get a program like code thief or code hacker, or make one yourself, it is quite easy. There is a danger with useing the codes. If you hack a code yourself, not just the code but the dial up amd no one else has it you can pretty well bet that it is safe. A newly hacked dial-up/code is considered "Virgin". those Ma bell is not having the problem with people phreaking off of it so they don't bother doing anything with it. But after a while, it will either Die (No Longer work) or they will start tracing off of it. The whole pain about it is, is you will never positively no when they started doing traces or things like that. The codes might be being traced but you are getting the luck of the draw. On most codes they don't trace on every call, they just file it away and watch for like the 50th or 100th caller and then that person gets nailed. You might think if they do trace every 100 calls, that means you have a 1 in 100 chance of getting caught and those are really good odds. Well the odd is 100 to 1 but the is a lot of people that live in areas that they can call with that code. If you figure about 10 million people could use it then about 100,000 of them are. 100,000, hummmmmmm, how odes your odds look now. In a couple minute time spand 99 peoplecould have used it, and lucky you might be the 100th caller. A lot of times the take like every hundered calls and then when they get the 100th caller, that don't just trace one, they trace 100, 101, 102, 103, 104 200, 201, 202 etc. So you chances of getting caught when the heat is on the code is pretty good. There are a couple different types of codes and the two major ones are 1-800's and 950's. 800's can pretty much be dialed from anywhere in the states, but 950's stay in certain areas. Some 950 dial ups are: 9501001 9500266 9500355 9501388 And there are others, but like take me for example, where I live you cannot use 9500266. It will tell you that you cannot use that number from your dialing range or it just won't work. You might get to the point where the dial-up works but not the code. If this is the case it will say: "Invalid authorization Code" Some examples of 1-800's are as follows: 1-800-255-2255 1-800-759-2345 1-800-959-8255 There are many others but those are just a few, very few. There are also 1-800's and others that will send you directly to the operator, you must tell her the code and the number you are dialing. These are NEVER safe to use. but in one case they are alot better. I am out of town a lot so I have to use pay phones right? Well, you are safe with anything with pay phones, so that is a good way to call people. The real good thing them though, is since you must go throught th operator, the codes stay valid for up to 10 times as long as the others. But thenm again another draw back is it is not a line that you want to give real names or numbers over. Because these are often tapped, since the operator know that you used the code, they will listen in quite often, and you will never even notice. Another problem experianced with them is if you are what MMC calls "Petite Flowers", our home made word for, someone that sounds like a little kid, then they really give you a hastle about using the code. I have had a lot of people ask me if the person you are calling with the codes can get busted. The answer is "No". They cannot do anything to the person, just ask him who is calling him with the codes, and they rarely do that. Just let the person you are talking to, if they don't already know, not to tell anyone that you are calling with the codes. The phone companies do have to option of setting up a trace on that persons line and bust you when you do call him with a code. I have never seen this done but do be aware that the phone companies are made up of intellegent adults and they are very smart and can and will nail you in many ways. I am a firm beliver that you should share a the information that you other phreakers and hackers as they should do the same with you. I also see an execption, inexperianced people. They can run it for everyone be not have the knowladge and screwing up. I realize that they need someway to build themselves up to a good phreaker but be cautions in what you give to them. Codes die really often and you really have to keep up with the phone company. Its kinda of a pain to keep up with it on your own as quickly as they work but thats why there is phreaking communities and groups such as Fhp and MMC, the gives the edge to the phreakers in the way that, you have help in keeping up with the phone companies, and in most cases if the groups or communities are working well together, you can eve stay one step ahead of good 'ole Ma bell and others. You really need to find ways of getting codes either from getting acess to the phreaking sections on the pirate boards you call or throught friends, Vmb's Loops, Confrences, etc., just try to find a good connection to people that are into phreaking too. Carding: ~~~~~~~~~~ Although everything talked about in the text file to this point is illegal, and you will get busted if you get caught, this is one one the one that you can get in some major shit over. About the only thing I have talked about that this falls short of is hacking a government compter, and thats one of the Grand daddies of them all. Well, although it is a major crime, it is really cool!!!! This is the process in which you find the card number of someone and use it to purchase things. In order to card, there are a few things that you must have or it will not work. You will need to have........ 1. The Card Number 2. The Experation date 3. Card type (Master Card, Visa, etc...) Those are the main things tha you will need. Having the name of the owner is very helpfull but it is not a must. You can get by without it. You have to order everything you want by mail. A couple of "Beginner" carder that I talked to didn't understand how you would do it, but thats when they had the misconception that you actually go to the store and purchase things. That is a complete No, no. You do everything from a phone ordering service. When you call make sure that you are a t a pay phone. Don't do it your house or anywhere where it can come back to you. When you order the merchandice, once again do send it to anywhere that it can come back to you like your home, work, etc. Find a vacant house or building or anywhere else that you can send it to. Also, don't send it to a P.O. box that you have, just as dangerous. When you do order it and you think its around the time that you will be reciving it, check the mailbox frequently. But do it during odd hours. I mean, hows it going to look you taking a package from a vacant house? Most bills are sent at the end of the month or at the biginning, so try to time it to where the bill won't come to the person untill a couple of days after you have recived the package. Ok heres how to figure it. I have found out that the bills are sent out up around the 26-30th of the month, so they will actually recive the bill around the 31-4th. Have it sent right after you think the bill has been sent. Find what you want, but try to order it from the place that guarentees the fastest delivery. When you order the item, make sure they have it in stock and don't have to get the item in first. Order the highest class of delivery but not COD or next day service. Thats cutting it too close. It should take around 2-4 weeks before you get it and if you timed it right, then it sound get there right before the person gets the bill. You need to have it in your possesion before the bill gets to the person because if they complain, they can keep it from being sent, or watch who actually gets it even while its going throught the mail process. Don't order more than a couple of things or overcharge the card, if the people at the Credit card office, see irregular charging on the card, they will follow up on it. To actually order the item you will call up the place that you will be ordering from, and when the operator answers let her know what you need to as far as what you are purchasing, etc. When she ask how you will be paying just tell her "Charge" and the the type of card like Master Card, Visa, ect. Then Tell them your name, if you don't know the name of the actuall owner of the card, Make up a false name that has NO relation to your name, not the same first, last middle what ever, nothing relating to your real name. Then continue answering all the operators questions, address (Not your own remember!) state, area code etc. They will also ask for your phone number. Make one up, not your own. If something happens to go wrong as far as delivery or if they are checking if you are who you say, then your screwed, unless of course, hehehe, the number is ALWAYS busy. Find the busiest number there is and leave them that. When they ask for the card number and experation, just tell them and do what all else you need. Wish them a good day, and hope you get it. Ok heres how you check if the card is good, and how much money can be charged on the card....... 1. Dail 1-800-554-2265 2. it will ask for the type of the card. you must put in 10 for Master Card and 20 for Visa, I am not sure about the others. 3. Next it will ask for the Identification. You will need to enter 1067 4. After all that you will have to enter the Mecrchant number, which you will either need to put in 24 or 52. One of them should work. 5. You will then have to enter (When Prompted) the card number itself. 6. Next, the experation date of the card. 7. Last but not least the amount you want to try to get on the card. The procedure for this is enter dollars, astricks, then cents. (Example:) 100*30 = One hundred dollars and thirty cents. One thing I do need to mention, after you type in everything you must press pound (#). Like when it asks you for the type of card, if you had a Master Card you would put: 10#. when it asked for identification you would enter 1067#. If it says invalid, that either means that the card is no good or you can't charge that amount on the card. Try it again, but try a lower amount. If you get down to $1 and it still doesn't work, hehehe, you can probably guess that the card is no good. You might not be ordering just merchandice you might be ordering accounts and things like that and if you are, fine, but you have to remember, the accounts do not stay good for very long, the owner of the card gets the bill, complains and its no longer any good. And when you card and account, Nine out of ten times, they won't kill the account, they will trace in and that is when you butts really in a sling. So carding accounts and things, isn't the safest way to go, of course. nothing we have talked about it, right? Conclusion: ~~~~~~~~~~~~~~ Well thats about it for now, there should be a BIG newsletter by The Mickey Mouse Club comming out soon that you have to be sure NOT to miss. I sincerely hope that you have gotten alot out of this file and I would like to ask for suggestions and ideas to make MMC a better orginazation. At this time myself and Cardiac Arresst have a VMB at: 1-800-444-7207 [Ext] 4001. All ideas and suggestions, please bring there. Also, since your making the trip anyways, bring along some phreaking codes and all and any types of accounts. I would be greatly appreciated by: The Mickey Mouse Club. 09/89 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +++++++++++++++++++++++++++++++++++++++++++++++++ | The LOD/H Presents | ++++++++++++++++ ++++++++++++++++ \ A Novice's Guide to Hacking- 1989 edition / \ ========================================= / \ by / \ The Mentor / \ Legion of Doom/Legion of Hackers / \ / \ December, 1988 / \ Merry Christmas Everyone! / \+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++/ ********************************************************************** | The author hereby grants permission to reproduce, redistribute, | | or include this file in your g-file section, electronic or print | | newletter, or any other form of transmission that you choose, as | | long as it is kept intact and whole, with no ommissions, delet- | | ions, or changes. (C) The Mentor- Phoenix Project Productions | | 1988,1989 XXX/XXX-XXXX | ********************************************************************** Introduction: The State of the Hack ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ After surveying a rather large g-file collection, my attention was drawn to the fact that there hasn't been a good introductory file written for absolute beginners since back when Mark Tabas was cranking them out (and almost *everyone* was a beginner!) The Arts of Hacking and Phreaking have changed radically since that time, and as the 90's approach, the hack/phreak community has recovered from the Summer '87 busts (just like it recovered from the Fall '85 busts, and like it will always recover from attempts to shut it down), and the progressive media (from Reality Hackers magazine to William Gibson and Bruce Sterling's cyberpunk fables of hackerdom) is starting to take notice of us for the first time in recent years in a positive light. Unfortunately, it has also gotten more dangerous since the early 80's. Phone cops have more resources, more awareness, and more intelligence that they exhibited in the past. It is becoming more and more difficult to survive as a hacker long enough to become skilled in the art. To this end this file is dedicated . If it can help someone get started, and help them survive to discover new systems and new information, it will have served it's purpose, and served as a partial repayment to all the people who helped me out when I was a beginner. Contents ~~~~~~~~ This file will be divided into four parts: Part 1: What is Hacking, A Hacker's Code of Ethics, Basic Hacking Safety Part 2: Packet Switching Networks: Telenet- How it Works, How to Use it, Outdials, Network Servers, Private PADs Part 3: Identifying a Computer, How to Hack In, Operating System Defaults Part 4: Conclusion- Final Thoughts, Books to Read, Boards to Call, Acknowledgements Part One: The Basics ~~~~~~~~~~~~~~~~~~~~ As long as there have been computers, there have been hackers. In the 50's at the Massachusets Institute of Technology (MIT), students devoted much time and energy to ingenious exploration of the computers. Rules and the law were disregarded in their pursuit for the 'hack'. Just as they were enthralled with their pursuit of information, so are we. The thrill of the hack is not in breaking the law, it's in the pursuit and capture of knowledge. To this end, let me contribute my suggestions for guidelines to follow to ensure that not only you stay out of trouble, but you pursue your craft without damaging the computers you hack into or the companies who own them. I. Do not intentionally damage *any* system. II. Do not alter any system files other than ones needed to ensure your escape from detection and your future access (Trojan Horses, Altering Logs, and the like are all necessary to your survival for as long as possible.) III. Do not leave your (or anyone else's) real name, real handle, or real phone number on any system that you access illegally. They *can* and will track you down from your handle! IV. Be careful who you share information with. Feds are getting trickier. Generally, if you don't know their voice phone number, name, and occupation or haven't spoken with them voice on non-info trading conversations, be wary. V. Do not leave your real phone number to anyone you don't know. This includes logging on boards, no matter how k-rad they seem. If you don't know the sysop, leave a note telling some trustworthy people that will validate you. VI. Do not hack government computers. Yes, there are government systems that are safe to hack, but they are few and far between. And the government has inifitely more time and resources to track you down than a company who has to make a profit and justify expenses. VII. Don't use codes unless there is *NO* way around it (you don't have a local telenet or tymnet outdial and can't connect to anything 800...) You use codes long enough, you will get caught. Period. VIII. Don't be afraid to be paranoid. Remember, you *are* breaking the law. It doesn't hurt to store everything encrypted on your hard disk, or keep your notes buried in the backyard or in the trunk of your car. You may feel a little funny, but you'll feel a lot funnier when you when you meet Bruno, your transvestite cellmate who axed his family to death. IX. Watch what you post on boards. Most of the really great hackers in the country post *nothing* about the system they're currently working except in the broadest sense (I'm working on a UNIX, or a COSMOS, or something generic. Not "I'm hacking into General Electric's Voice Mail System" or something inane and revealing like that.) X. Don't be afraid to ask questions. That's what more experienced hackers are for. Don't expect *everything* you ask to be answered, though. There are some things (LMOS, for instance) that a begining hacker shouldn't mess with. You'll either get caught, or screw it up for others, or both. XI. Finally, you have to actually hack. You can hang out on boards all you want, and you can read all the text files in the world, but until you actually start doing it, you'll never know what it's all about. There's no thrill quite the same as getting into your first system (well, ok, I can think of a couple of bigger thrills, but you get the picture.) One of the safest places to start your hacking career is on a computer system belonging to a college. University computers have notoriously lax security, and are more used to hackers, as every college computer depart- ment has one or two, so are less likely to press charges if you should be detected. But the odds of them detecting you and having the personel to committ to tracking you down are slim as long as you aren't destructive. If you are already a college student, this is ideal, as you can legally explore your computer system to your heart's desire, then go out and look for similar systems that you can penetrate with confidence, as you're already familar with them. So if you just want to get your feet wet, call your local college. Many of them will provide accounts for local residents at a nominal (under $20) charge. Finally, if you get caught, stay quiet until you get a lawyer. Don't vol- unteer any information, no matter what kind of 'deals' they offer you. Nothing is binding unless you make the deal through your lawyer, so you might as well shut up and wait. Part Two: Networks ~~~~~~~~~~~~~~~~~~ The best place to begin hacking (other than a college) is on one of the bigger networks such as Telenet. Why? First, there is a wide variety of computers to choose from, from small Micro-Vaxen to huge Crays. Second, the networks are fairly well documented. It's easier to find someone who can help you with a problem off of Telenet than it is to find assistance concerning your local college computer or high school machine. Third, the networks are safer. Because of the enormous number of calls that are fielded every day by the big networks, it is not financially practical to keep track of where every call and connection are made from. It is also very easy to disguise your location using the network, which makes your hobby much more secure. Telenet has more computers hooked to it than any other system in the world once you consider that from Telenet you have access to Tymnet, ItaPAC, JANET, DATAPAC, SBDN, PandaNet, THEnet, and a whole host of other networks, all of which you can connect to from your terminal. The first step that you need to take is to identify your local dialup port. This is done by dialing 1-800-424-9494 (1200 7E1) and connecting. It will spout some garbage at you and then you'll get a prompt saying 'TERMINAL='. This is your terminal type. If you have vt100 emulation, type it in now. Or just hit return and it will default to dumb terminal mode. You'll now get a prompt that looks like a @. From here, type @c mail and then it will ask for a Username. Enter 'phones' for the username. When it asks for a password, enter 'phones' again. From this point, it is menu driven. Use this to locate your local dialup, and call it back locally. If you don't have a local dialup, then use whatever means you wish to connect to one long distance (more on this later.) When you call your local dialup, you will once again go through the TERMINAL= stuff, and once again you'll be presented with a @. This prompt lets you know you are connected to a Telenet PAD. PAD stands for either Packet Assembler/Disassembler (if you talk to an engineer), or Public Access Device (if you talk to Telenet's marketing people.) The first description is more correct. Telenet works by taking the data you enter in on the PAD you dialed into, bundling it into a 128 byte chunk (normally... this can be changed), and then transmitting it at speeds ranging from 9600 to 19,200 baud to another PAD, who then takes the data and hands it down to whatever computer or system it's connected to. Basically, the PAD allows two computers that have different baud rates or communication protocols to communicate with each other over a long distance. Sometimes you'll notice a time lag in the remote machines response. This is called PAD Delay, and is to be expected when you're sending data through several different links. What do you do with this PAD? You use it to connect to remote computer systems by typing 'C' for connect and then the Network User Address (NUA) of the system you want to go to. An NUA takes the form of 031103130002520 \___/\___/\___/ | | | | | |____ network address | |_________ area prefix |______________ DNIC This is a summary of DNIC's (taken from Blade Runner's file on ItaPAC) according to their country and network name. DNIC Network Name Country DNIC Network Name Country _______________________________________________________________________________ | 02041 Datanet 1 Netherlands | 03110 Telenet USA 02062 DCS Belgium | 03340 Telepac Mexico 02080 Transpac France | 03400 UDTS-Curacau Curacau 02284 Telepac Switzerland | 04251 Isranet Israel 02322 Datex-P Austria | 04401 DDX-P Japan 02329 Radaus Austria | 04408 Venus-P Japan 02342 PSS UK | 04501 Dacom-Net South Korea 02382 Datapak Denmark | 04542 Intelpak Singapore 02402 Datapak Sweden | 05052 Austpac Australia 02405 Telepak Sweden | 05053 Midas Australia 02442 Finpak Finland | 05252 Telepac Hong Kong 02624 Datex-P West Germany | 05301 Pacnet New Zealand 02704 Luxpac Luxembourg | 06550 Saponet South Africa 02724 Eirpak Ireland | 07240 Interdata Brazil 03020 Datapac Canada | 07241 Renpac Brazil 03028 Infogram Canada | 09000 Dialnet USA 03103 ITT/UDTS USA | 07421 Dompac French Guiana 03106 Tymnet USA | There are two ways to find interesting addresses to connect to. The first and easiest way is to obtain a copy of the LOD/H Telenet Directory from the LOD/H Technical Journal #4 or 2600 Magazine. Jester Sluggo also put out a good list of non-US addresses in Phrack Inc. Newsletter Issue 21. These files will tell you the NUA, whether it will accept collect calls or not, what type of computer system it is (if known) and who it belongs to (also if known.) The second method of locating interesting addresses is to scan for them manually. On Telenet, you do not have to enter the 03110 DNIC to connect to a Telenet host. So if you saw that 031104120006140 had a VAX on it you wanted to look at, you could type @c 412 614 (0's can be ignored most of the time.) If this node allows collect billed connections, it will say 412 614 CONNECTED and then you'll possibly get an identifying header or just a Username: prompt. If it doesn't allow collect connections, it will give you a message such as 412 614 REFUSED COLLECT CONNECTION with some error codes out to the right, and return you to the @ prompt. There are two primary ways to get around the REFUSED COLLECT message. The first is to use a Network User Id (NUI) to connect. An NUI is a username/pw combination that acts like a charge account on Telenet. To collect to node 412 614 with NUI junk4248, password 525332, I'd type the following: @c 412 614,junk4248,525332 <---- the 525332 will *not* be echoed to the screen. The problem with NUI's is that they're hard to come by unless you're a good social engineer with a thorough knowledge of Telenet (in which case you probably aren't reading this section), or you have someone who can provide you with them. The second way to connect is to use a private PAD, either through an X.25 PAD or through something like Netlink off of a Prime computer (more on these two below.) The prefix in a Telenet NUA oftentimes (not always) refers to the phone Area Code that the computer is located in (i.e. 713 xxx would be a computer in Houston, Texas.) If there's a particular area you're interested in, (say, New York City 914), you could begin by typing @c 914 001 . If it connects, you make a note of it and go on to 914 002. You do this until you've found some interesting systems to play with. Not all systems are on a simple xxx yyy address. Some go out to four or five digits (914 2354), and some have decimal or numeric extensions (422 121A = 422 121.01). You have to play with them, and you never know what you're going to find. To fully scan out a prefix would take ten million attempts per prefix. For example, if I want to scan 512 completely, I'd have to start with 512 00000.00 and go through 512 00000.99, then increment the address by 1 and try 512 00001.00 through 512 00001.99. A lot of scanning. There are plenty of neat computers to play with in a 3-digit scan, however, so don't go berserk with the extensions. Sometimes you'll attempt to connect and it will just be sitting there after one or two minutes. In this case, you want to abort the connect attempt by sending a hard break (this varies with different term programs, on Procomm, it's ALT-B), and then when you get the @ prompt back, type 'D' for disconnect. If you connect to a computer and wish to disconnect, you can type @ and you it should say TELENET and then give you the @ prompt. From there, type D to disconnect or CONT to re-connect and continue your session uninterrupted. Outdials, Network Servers, and PADs ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In addition to computers, an NUA may connect you to several other things. One of the most useful is the outdial. An outdial is nothing more than a modem you can get to over telenet- similar to the PC Pursuit concept, except that these don't have passwords on them most of the time. When you connect, you will get a message like 'Hayes 1200 baud outdial, Detroit, MI', or 'VEN-TEL 212 Modem', or possibly 'Session 1234 established on Modem 5588'. The best way to figure out the commands on these is to type ? or H or HELP- this will get you all the information that you need to use one. Safety tip here- when you are hacking *any* system through a phone dialup, always use an outdial or a diverter, especially if it is a local phone number to you. More people get popped hacking on local computers than you can imagine, Intra-LATA calls are the easiest things in the world to trace inexp- ensively. Another nice trick you can do with an outdial is use the redial or macro function that many of them have. First thing you do when you connect is to invoke the 'Redial Last Number' facility. This will dial the last number used, which will be the one the person using it before you typed. Write down the number, as no one would be calling a number without a computer on it. This is a good way to find new systems to hack. Also, on a VENTEL modem, type 'D' for Display and it will display the five numbers stored as macros in the modem's memory. There are also different types of servers for remote Local Area Networks (LAN) that have many machine all over the office or the nation connected to them. I'll discuss identifying these later in the computer ID section. And finally, you may connect to something that says 'X.25 Communication PAD' and then some more stuff, followed by a new @ prompt. This is a PAD just like the one you are on, except that all attempted connections are billed to the PAD, allowing you to connect to those nodes who earlier refused collect connections. This also has the added bonus of confusing where you are connecting from. When a packet is transmitted from PAD to PAD, it contains a header that has the location you're calling from. For instance, when you first connected to Telenet, it might have said 212 44A CONNECTED if you called from the 212 area code. This means you were calling PAD number 44A in the 212 area. That 21244A will be sent out in the header of all packets leaving the PAD. Once you connect to a private PAD, however, all the packets going out from *it* will have it's address on them, not yours. This can be a valuable buffer between yourself and detection. Phone Scanning ~~~~~~~~~~~~~~ Finally, there's the time-honored method of computer hunting that was made famous among the non-hacker crowd by that Oh-So-Technically-Accurate movie Wargames. You pick a three digit phone prefix in your area and dial every number from 0000 --> 9999 in that prefix, making a note of all the carriers you find. There is software available to do this for nearly every computer in the world, so you don't have to do it by hand. Part Three: I've Found a Computer, Now What? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This next section is applicable universally. It doesn't matter how you found this computer, it could be through a network, or it could be from carrier scanning your High School's phone prefix, you've got this prompt this prompt, what the hell is it? I'm *NOT* going to attempt to tell you what to do once you're inside of any of these operating systems. Each one is worth several G-files in its own right. I'm going to tell you how to identify and recognize certain OpSystems, how to approach hacking into them, and how to deal with something that you've never seen before and have know idea what it is. VMS- The VAX computer is made by Digital Equipment Corporation (DEC), and runs the VMS (Virtual Memory System) operating system. VMS is characterized by the 'Username:' prompt. It will not tell you if you've entered a valid username or not, and will disconnect you after three bad login attempts. It also keeps track of all failed login attempts and informs the owner of the account next time s/he logs in how many bad login attempts were made on the account. It is one of the most secure operating systems around from the outside, but once you're in there are many things that you can do to circumvent system security. The VAX also has the best set of help files in the world. Just type HELP and read to your heart's content. Common Accounts/Defaults: [username: password [[,password]] ] SYSTEM: OPERATOR or MANAGER or SYSTEM or SYSLIB OPERATOR: OPERATOR SYSTEST: UETP SYSMAINT: SYSMAINT or SERVICE or DIGITAL FIELD: FIELD or SERVICE GUEST: GUEST or unpassworded DEMO: DEMO or unpassworded DECNET: DECNET DEC-10- An earlier line of DEC computer equipment, running the TOPS-10 operating system. These machines are recognized by their '.' prompt. The DEC-10/20 series are remarkably hacker-friendly, allowing you to enter several important commands without ever logging into the system. Accounts are in the format [xxx,yyy] where xxx and yyy are integers. You can get a listing of the accounts and the process names of everyone on the system before logging in with the command .systat (for SYstem STATus). If you seen an account that reads [234,1001] BOB JONES, it might be wise to try BOB or JONES or both for a password on this account. To login, you type .login xxx,yyy and then type the password when prompted for it. The system will allow you unlimited tries at an account, and does not keep records of bad login attempts. It will also inform you if the UIC you're trying (UIC = User Identification Code, 1,2 for example) is bad. Common Accounts/Defaults: 1,2: SYSLIB or OPERATOR or MANAGER 2,7: MAINTAIN 5,30: GAMES UNIX- There are dozens of different machines out there that run UNIX. While some might argue it isn't the best operating system in the world, it is certainly the most widely used. A UNIX system will usually have a prompt like 'login:' in lower case. UNIX also will give you unlimited shots at logging in (in most cases), and there is usually no log kept of bad attempts. Common Accounts/Defaults: (note that some systems are case sensitive, so use lower case as a general rule. Also, many times the accounts will be unpassworded, you'll just drop right in!) root: root admin: admin sysadmin: sysadmin or admin unix: unix uucp: uucp rje: rje guest: guest demo: demo daemon: daemon sysbin: sysbin Prime- Prime computer company's mainframe running the Primos operating system. The are easy to spot, as the greet you with 'Primecon 18.23.05' or the like, depending on the version of the operating system you run into. There will usually be no prompt offered, it will just look like it's sitting there. At this point, type 'login '. If it is a pre-18.00.00 version of Primos, you can hit a bunch of ^C's for the password and you'll drop in. Unfortunately, most people are running versions 19+. Primos also comes with a good set of help files. One of the most useful features of a Prime on Telenet is a facility called NETLINK. Once you're inside, type NETLINK and follow the help files. This allows you to connect to NUA's all over the world using the 'nc' command. For example, to connect to NUA 026245890040004, you would type @nc :26245890040004 at the netlink prompt. Common Accounts/Defaults: PRIME PRIME or PRIMOS PRIMOS_CS PRIME or PRIMOS PRIMENET PRIMENET SYSTEM SYSTEM or PRIME NETLINK NETLINK TEST TEST GUEST GUEST GUEST1 GUEST HP-x000- This system is made by Hewlett-Packard. It is characterized by the ':' prompt. The HP has one of the more complicated login sequences around- you type 'HELLO SESSION NAME,USERNAME,ACCOUNTNAME,GROUP'. Fortunately, some of these fields can be left blank in many cases. Since any and all of these fields can be passworded, this is not the easiest system to get into, except for the fact that there are usually some unpassworded accounts around. In general, if the defaults don't work, you'll have to brute force it using the common password list (see below.) The HP-x000 runs the MPE operat- ing system, the prompt for it will be a ':', just like the logon prompt. Common Accounts/Defaults: MGR.TELESUP,PUB User: MGR Acct: HPONLY Grp: PUB MGR.HPOFFICE,PUB unpassworded MANAGER.ITF3000,PUB unpassworded FIELD.SUPPORT,PUB user: FLD, others unpassworded MAIL.TELESUP,PUB user: MAIL, others unpassworded MGR.RJE unpassworded FIELD.HPPl89 ,HPPl87,HPPl89,HPPl96 unpassworded MGR.TELESUP,PUB,HPONLY,HP3 unpassworded IRIS- IRIS stands for Interactive Real Time Information System. It orig- inally ran on PDP-11's, but now runs on many other minis. You can spot an IRIS by the 'Welcome to "IRIS" R9.1.4 Timesharing' banner, and the ACCOUNT ID? prompt. IRIS allows unlimited tries at hacking in, and keeps no logs of bad attempts. I don't know any default passwords, so just try the common ones from the password database below. Common Accounts: MANAGER BOSS SOFTWARE DEMO PDP8 PDP11 ACCOUNTING VM/CMS- The VM/CMS operating system runs in International Business Machines (IBM) mainframes. When you connect to one of these, you will get message similar to 'VM/370 ONLINE', and then give you a '.' prompt, just like TOPS-10 does. To login, you type 'LOGON '. Common Accounts/Defaults are: AUTOLOG1: AUTOLOG or AUTOLOG1 CMS: CMS CMSBATCH: CMS or CMSBATCH EREP: EREP MAINT: MAINT or MAINTAIN OPERATNS: OPERATNS or OPERATOR OPERATOR: OPERATOR RSCS: RSCS SMART: SMART SNA: SNA VMTEST: VMTEST VMUTIL: VMUTIL VTAM: VTAM NOS- NOS stands for Networking Operating System, and runs on the Cyber computer made by Control Data Corporation. NOS identifies itself quite readily, with a banner of 'WELCOME TO THE NOS SOFTWARE SYSTEM. COPYRIGHT CONTROL DATA 1978,1987'. The first prompt you will get will be FAMILY:. Just hit return here. Then you'll get a USER NAME: prompt. Usernames are typically 7 alpha-numerics characters long, and are *extremely* site dependent. Operator accounts begin with a digit, such as 7ETPDOC. Common Accounts/Defaults: $SYSTEM unknown SYSTEMV unknown Decserver- This is not truly a computer system, but is a network server that has many different machines available from it. A Decserver will say 'Enter Username>' when you first connect. This can be anything, it doesn't matter, it's just an identifier. Type 'c', as this is the least conspicuous thing to enter. It will then present you with a 'Local>' prompt. From here, you type 'c ' to connect to a system. To get a list of system names, type 'sh services' or 'sh nodes'. If you have any problems, online help is available with the 'help' command. Be sure and look for services named 'MODEM' or 'DIAL' or something similar, these are often outdial modems and can be useful! GS/1- Another type of network server. Unlike a Decserver, you can't predict what prompt a GS/1 gateway is going to give you. The default prompt it 'GS/1>', but this is redifinable by the system administrator. To test for a GS/1, do a 'sh d'. If that prints out a large list of defaults (terminal speed, prompt, parity, etc...), you are on a GS/1. You connect in the same manner as a Decserver, typing 'c '. To find out what systems are available, do a 'sh n' or a 'sh c'. Another trick is to do a 'sh m', which will sometimes show you a list of macros for logging onto a system. If there is a macro named VAX, for instance, type 'do VAX'. The above are the main system types in use today. There are hundreds of minor variants on the above, but this should be enough to get you started. Unresponsive Systems ~~~~~~~~~~~~~~~~~~~~ Occasionally you will connect to a system that will do nothing but sit there. This is a frustrating feeling, but a methodical approach to the system will yield a response if you take your time. The following list will usually make *something* happen. 1) Change your parity, data length, and stop bits. A system that won't re- spond at 8N1 may react at 7E1 or 8E2 or 7S2. If you don't have a term program that will let you set parity to EVEN, ODD, SPACE, MARK, and NONE, with data length of 7 or 8, and 1 or 2 stop bits, go out and buy one. While having a good term program isn't absolutely necessary, it sure is helpful. 2) Change baud rates. Again, if your term program will let you choose odd baud rates such as 600 or 1100, you will occasionally be able to penetrate some very interesting systems, as most systems that depend on a strange baud rate seem to think that this is all the security they need... 3) Send a series of 's. 4) Send a hard break followed by a . 5) Type a series of .'s (periods). The Canadian network Datapac responds to this. 6) If you're getting garbage, hit an 'i'. Tymnet responds to this, as does a MultiLink II. 7) Begin sending control characters, starting with ^A --> ^Z. 8) Change terminal emulations. What your vt100 emulation thinks is garbage may all of a sudden become crystal clear using ADM-5 emulation. This also relates to how good your term program is. 9) Type LOGIN, HELLO, LOG, ATTACH, CONNECT, START, RUN, BEGIN, LOGON, GO, JOIN, HELP, and anything else you can think of. 10) If it's a dialin, call the numbers around it and see if a company answers. If they do, try some social engineering. Brute Force Hacking ~~~~~~~~~~~~~~~~~~~ There will also be many occasions when the default passwords will not work on an account. At this point, you can either go onto the next system on your list, or you can try to 'brute-force' your way in by trying a large database of passwords on that one account. Be careful, though! This works fine on systems that don't keep track of invalid logins, but on a system like a VMS, someone is going to have a heart attack if they come back and see '600 Bad Login Attempts Since Last Session' on their account. There are also some operating systems that disconnect after 'x' number of invalid login attempts and refuse to allow any more attempts for one hour, or ten minutes, or some- times until the next day. The following list is taken from my own password database plus the data- base of passwords that was used in the Internet UNIX Worm that was running around in November of 1988. For a shorter group, try first names, computer terms, and obvious things like 'secret', 'password', 'open', and the name of the account. Also try the name of the company that owns the computer system (if known), the company initials, and things relating to the products the company makes or deals with. Password List ============= aaa daniel jester rascal academia danny johnny really ada dave joseph rebecca adrian deb joshua remote aerobics debbie judith rick airplane deborah juggle reagan albany december julia robot albatross desperate kathleen robotics albert develop kermit rolex alex diet kernel ronald alexander digital knight rosebud algebra discovery lambda rosemary alias disney larry roses alpha dog lazarus ruben alphabet drought lee rules ama duncan leroy ruth amy easy lewis sal analog eatme light saxon anchor edges lisa scheme andy edwin louis scott andrea egghead lynne scotty animal eileen mac secret answer einstein macintosh sensor anything elephant mack serenity arrow elizabeth maggot sex arthur ellen magic shark asshole emerald malcolm sharon athena engine mark shit atmosphere engineer markus shiva bacchus enterprise marty shuttle badass enzyme marvin simon bailey euclid master simple banana evelyn maurice singer bandit extension merlin single banks fairway mets smile bass felicia michael smiles batman fender michelle smooch beauty fermat mike smother beaver finite minimum snatch beethoven flower minsky snoopy beloved foolproof mogul soap benz football moose socrates beowulf format mozart spit berkeley forsythe nancy spring berlin fourier napoleon subway beta fred network success beverly friend newton summer bob frighten next super brenda fun olivia support brian gabriel oracle surfer bridget garfield orca suzanne broadway gauss orwell tangerine bumbling george osiris tape cardinal gertrude outlaw target carmen gibson oxford taylor carolina ginger pacific telephone caroline gnu painless temptation castle golf pam tiger cat golfer paper toggle celtics gorgeous password tomato change graham pat toyota charles gryphon patricia trivial charming guest penguin unhappy charon guitar pete unicorn chester hacker peter unknown cigar harmony philip urchin classic harold phoenix utility coffee harvey pierre vicky coke heinlein pizza virginia collins hello plover warren comrade help polynomial water computer herbert praise weenie condo honey prelude whatnot condom horse prince whitney cookie imperial protect will cooper include pumpkin william create ingres puppet willie creation innocuous rabbit winston creator irishman rachmaninoff wizard cretin isis rainbow wombat daemon japan raindrop yosemite dancer jessica random zap Part Four: Wrapping it up! ~~~~~~~~~~~~~~~~~~~~~~~~~~ I hope this file has been of some help in getting started. If you're asking yourself the question 'Why hack?', then you've probably wasted a lot of time reading this, as you'll never understand. For those of you who have read this and found it useful, please send a tax-deductible donation of $5.00 (or more!) in the name of the Legion of Doom to: The American Cancer Society 90 Park Avenue New York, NY 10016 ******************************************************************************** References: 1) Introduction to ItaPAC by Blade Runner Telecom Security Bulletin #1 2) The IBM VM/CMS Operating System by Lex Luthor The LOD/H Technical Journal #2 3) Hacking the IRIS Operating System by The Leftist The LOD/H Technical Journal #3 4) Hacking CDC's Cyber by Phrozen Ghost Phrack Inc. Newsletter #18 5) USENET comp.risks digest (various authors, various issues) 6) USENET unix.wizards forum (various authors) 7) USENET info-vax forum (various authors) Recommended Reading: 1) Hackers by Steven Levy 2) Out of the Inner Circle by Bill Landreth 3) Turing's Man by J. David Bolter 4) Soul of a New Machine by Tracy Kidder 5) Neuromancer, Count Zero, Mona Lisa Overdrive, and Burning Chrome, all by William Gibson 6) Reality Hackers Magazine c/o High Frontiers, P.O. Box 40271, Berkeley, California, 94704, 415-995-2606 7) Any of the Phrack Inc. Newsletters & LOD/H Technical Journals you can find. Acknowledgements: Thanks to my wife for putting up with me. Thanks to Lone Wolf for the RSTS & TOPS assistance. Thanks to Android Pope for proofreading, suggestions, and beer. Thanks to The Urvile/Necron 99 for proofreading & Cyber info. Thanks to Eric Bloodaxe for wading through all the trash. Thanks to the users of Phoenix Project for their contributions. Thanks to Altos Computer Systems, Munich, for the chat system. Thanks to the various security personel who were willing to talk to me about how they operate. ************************************* EOF ************************************** -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- |==========================| || Cable Piracy || || by || || Psycho Bear || || Thanks: Mad Poo Bandit || |==========================| After reading another G-file on cable theft that was almost completely inaccurate and totally wrong, I felt that I was obligated to write a G-file about cable piracy that really does work. BACKGROUND: ----------- There are two ways to scramble pay-channels (HBO, Showtime, Cinemax, The Movie Channel, Disney, Playboy, Bravo, etc.). I call them the "old" way and the "new" way. (Yeah I know it's dumb) The "old" way of scrambling channels works this way: The cable company sends a clean, unscrambled signal of ALL the pay-channels, and only at the "junction box", "cable box", "green dome" or "beige dome" are they scrambled (this is not really true...a few channels like Disney, in my area, are scrambled...so you'll just have to go without Goofy). The cable company sends a clean signal out to a neighborhood in large 2 inch diameter underground cable. At every 4 houses; 4 houses square, that is to say you, your next door neighbor, the house behind you, and the house behind your next door neighbor (or every 2 if your house backs up to a street or a park etc.) this underground cable comes out of the ground and into a "green dome" ("beige dome" if it's every 2 houses) is split into 4 separate coaxial cables (the same size as the cable in the back of your TV), and the signal boosted. Then, depending on what each of the 4 houses subscribes to, certain channels are scrambled. The cable company scrambles channels by screwing the cable into a 3" metal cylinder. These cylinders can range in size from 2" to 4" but it is usually 3". The cylinder will have a sticker on it with one or more letters telling what channel(s) is scrambles. For instance if it scrambles channel 20, it will say "NF-G", the last F being the important letter. If it scrambles channels 20,21,22 it will say "NF-GHI". Cable companies are weird, so they might put two of these cylinders on, say one "NF-G" and one "NF-HI", but it will do the same job the as the aforementioned. GETTING CABLE IF YOU DON'T SUBSCRIBE: ------------------------------------- This is for the "old" way you've just read about. First, you'll have to find where the "green dome" is. The "green dome" will be either a green dome (of course) or a beige dome, with a yellow "Cable theft is naughty" sticker on it. Like I said above, you have a one in 4 (or 1 in 2) chance of having it in your own backyard. If it's not in your backyard, then find out whose backyard it is in, and go over there some day when they're at work or something. Now that you've located it, you must get the master lock off. There are three proven methods of doing this. You can either kick the living shit out of it, or take some pliers and grab the loop that the lock goes into, and bend it off by twisting it back and forth, or take heavy duty wire cutters and cut the loop off. And don't worry about the damage you've done; cable men do the exact same thing, and if you're lucky they might have done it already! So it won't appear to be anything out of the ordinary. Once you've got the lock off, you can take the big green dome off. You will see a box with 4 terminals (places to screw in cable): _______ / \ | o o | | | <-- the "box", each "o" is a | o o | terminal to screw in a \_______/ cable | | | | <-- metal pole/big cable | | they may or may not be any cable currently screwed into these depending on if you and your neighbors subscribe to cable. If someone does not subscribe to cable, there will simply be a terminal where the cable is not screwed in. The terminal where the cable is not screwed in might have a little dull grey 1" cylinder to prevent you from getting cable free. See, the cylinder is hollow and will carry no signal, so if you reconnect the cable to it, you will get nothing. DO NOT RIP IT OUT!!! I have, and it will rip the terminal right out with it and then the cable company WILL come out to fix it. These things use the same idea as child-proof bottles; you have to push "in"/towards the "box" and then unscrew. It will take awhile to do this, so don't get perturbed. So, if you are not currently subscribing to cable at all, there will be an unused terminal, and one end of a cable lying somewhere in the dome. All you have to do is reconnect the unused cable to the unused terminal, and there you go! Instant Cable with all pay-channels included! If you are paranoid, you can connect it at 6 pm (when the cable company closes for the day), and then disconnect it before 9 or 10 am. This way, even if they come out and look at it, it will be disconnected--nothing unusual. Of course you can leave it hooked up ALL the time. It sounds crazy, but Mad Poo has had the cable company come to his house four times and work on his box, and they didn't say a word! I guess the cable linemen don't have records of what everyone subscribes to. GETTING PAY-CHANNELS IF YOU ARE ALREADY A BASIC SUBSCRIBER: ----------------------------------------------------------- If you are currently subscribing to the basic cable service, and you want all the pay-channels that you aren't already subscribing for, read this. First you'll want to find out which cable/terminal you are. Go turn on your TV and then go out to the green dome and unscrew one of the cables from a terminal. Go back inside and see if you've disconnected the cable for yourself. Once you find which cable disconnects yours, your done. And DON'T leave your neighbors unconnected or the cable company WILL come out. Remember how I said that cable companies scramble the pay-channels? (above, in the BACKGROUND section) Well, those 3" metal cylinders are kept in black plastic cases about 9" long. There are a few ways of getting the cylinders off. The first is to get some pliers and grab the cable tight, close to the black cylinder. Then grabbing the black cylinder as tight as you can (so that it grips the cylinder inside), unscrew the cable. Once you've got one side unscrewed, do the other side. The second way is to get wire cutters and cut up the edge of the black plastic cylinder. This is a lot easier, and this way you actually get to see the 3" metal cylinders inside. I recommend this one. When you're done with that, either attach the cable coming out of the ground to the terminal (leaving you with one short length of cable; go use it inside your house or something), or get a male-to-male coaxial cable converter and attach the two (this will not look suspicious, as the cable company uses them too). THE "NEW" WAY OF SCRAMBLING SIGNALS: ------------------------------------ Just like phreaking has it's ESS, so cable piracy has it's Addressable Converter Box. The "new" way works like this. You have an Addressable Converter Box at your house, which means that the cable company can talk to your converter box and tell it which channels you are currently subscribing to. ALL pay-channels are pre-scrambled (there is never a "clean" signal to tap into, so the "old" way of cable piracy won't work). If you are currently subscribing to HBO/channel 33, then the cable company will send a signal to your converter box saying "un-scramble channel 33". So your converter box will unscramble that channel. The Addressable Converter Box is weird. Every hour or so, the cable company will send out a signal to EVERY Addressable Converter Box and depending on it's Address, it will tell it which services it gets. Say my Converter Box's Address is 12345679 and I get HBO. So I take my Converter Box to Mad Poo Bandit's house (who doesn't get HBO), and hook it up. Then we can watch HBO over at his house now. See, the Converter Box can be ANYWHERE. The only thing the cable company looks for is the Address of the Box. There are a couple of reasons you can't pirate cable with the "new" way. One G-file talked about subscribing to ALL the pay-channels, waiting for the cable company to send the signal to your Addressable Converter Box telling it to un-scramble ALL the pay-channels. Then disconnecting the cable from the Addressable Convert Box, calling them up and unsubscribing to all the channels. Then when the cable company sends the signal to NOT un-scramble any pay-channels, it will not reach the Addressable Converter Box because you have disconnected it. There are two problems with this idea. First, the cable company (in my area anyway) sends out the signal telling Addressable Converter Boxes what to un-scramble, and what not to, every hour or so. So once you re-connect cable after the little scheme, you'd lose the channels in about an hour or two. The second problem is that if you leave it unconnected for too long (a few weeks-a few months) the RAM of the Addressable Converter Box will go bad and forget even how to work at all! This is no bullshit! When it happens, you have to call up the cable company and ask for them to re-initialize your Addressable Converter Box. AFTERWORD: ---------- In some areas, they have not made the transition from the "old" way to the "new" way completely. This is obvious: not everyone is going to go out of THEIR way to get a stupid Addressable Converter Box. So the cable company must use BOTH ways. So you'll have a the "old" scrambled HBO on say channel 20, and the "new" scrambled HBO on channel 33. If you are in the transition, you can still use the "old" way of cable piracy. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -------------------------------------------------------------------------- - - - - - How to get some quick flames going from a remote spot - - File Created by Fallen Angel - - 9 / 15 / 1989 - - - -------------------------------------------------------------------------- There is a nifty chemical called potassium permanganate. It's used for getting chickens the dietary potassium they need, and I've heard it is used in snake bite kits. Today's lesson will cover making this stuff burn. All you need is some potassium permanganate and common glyceryn alcohol. Materials --------- Something to experiment on. I played with this on the underside of a large coffee can, then I store my things in the can too. A jar of potassium permanganate. I will refer to it here as potassium pmgt. Get as much as you think you will need for your purposes. $20.00 worth should last a while. Glyceryn alchahol. I got mine at the Safeway near me. This is very common stuff so you will not look suspicious in the least when you are buying it. Empty medicine bottle with a dropper. This is optional. I used it for activating just a small amount of potassium pmgt. Procedure --------- Put some of the potassium pmgt. on a flat surface to experiment with. Fill your dropper with glyceryn and put a drop or two in the middle of a spoonful of the potassium pmgt. If it doesn't spark immediately give it a few seconds. Notice that it burns only where you put the glyceryn. That is because the chemical reaction between glyceryn and potassium pmgt. is what causes the flame; potassium pmgt. is not inherently flammable, but a little glyceryn changes that. Miscelaneous ------------ You can now figure out numerous ways of incorporating this into letter bombs, car pranks or touch explosives. Be careful though, the mixture throws beads of hot lava-like stuff out about a foot. Watch for more files coming soon from Fallen Angel! -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -------------------------------------------------------------------------- - - - - - How to make a great hot flame with two common ingredients. - - File Created by Fallen Angel - - 9 / 15 / 1989 - - - -------------------------------------------------------------------------- Two common things that you will find at any grocery store are saltpeter and powdered sugar. Alone, they are harmless. Putting them together makes a powder that is easy to ignite and will burn like crazy. I first tested this with one of those old plastic Jaws toys. I mexed up the powder and put some in his head. It just melted through the top and the plastic jaw dropped letting the burning powder fall on the ground. Materials --------- Saltpeter (potassium nitrate). Get this at a grocery store. Make sure it is the first thing you buy since they will get suspicious sometimes but there is nothing they can do except joke with you about it! It costs around $2.50 a bottle. Powdered sugar or powdered carbon. The finer the sugar the better. 10x confectioners sugar should work. 1 lighter with a high flame setting or "strike anywhere" matches. Procedure --------- Mix exactly equal amounts of saltpeter and powdered sugar in a container. This stuff isn't caustic, so you can store it in plastic. Scoop out the desired amount and place it where ever you want it to burn. Light it and move so the wind doesn't blow smoke in your face. Miscelaneous ------------ This mixture is very smoky and burns with a high temperature. Remember: you don't need to use the whole bottle just to fry a small helpless stuffed toy. Save some for a rainy day fooling around in the garage. Watch for more files coming soon from Fallen Angel! -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -------------------------------------------------------------------------- - - - - - How to extract the hydrogen from plain water - - File Created by Fallen Angel - - 9 / 15 / 1989 - - - -------------------------------------------------------------------------- To separate the hydrogen and oxygen contained in water is a simple process. I made this file so that anyone with minimal equipment could have himself a glass jar full of flamable hydrogen. When the process fills your jar, the hydrogen won't be compressed, hot or radioactive. It will be room temperature and room pressure. The same goes for the oxygen. Materials --------- 1 large bowl. Preferably clear glass so you can see through it. 2 carbon rods. These can be take from carbon batteries such as Radio Shack's battery club batteries. The bigger the better. 1 DC power source. I use a Sears 36-watt car battery charger. 4 feet of insulated copper wire 2 small jars. Small enough to fit two in the bowl. I used some narrow, tall olive jars. 1 roll of duct tape. 1 packet of sodium carbonate. This is NOT baking soda which is sodium bicarbonate. Sodium carbonate usually comes in a plastic package with tie-dye kits. It is a grainy white powder. Procedure --------- Fill the large bowl with water and dissolve half the packet of sodium carbonate in it. Attach one carbon rod to a stripped end of each of the copper wires with duct tape after you have cut it evenly into two pieces. Be sure that no metal is showing on the end where you connected the carbon rods. Somehow, make an electrical connection between the remaining ends of the wires and the power source. If everything is working properly, you can now turn on the power source and stick the carbon rods in the bowl. Watch them closely to see which one is emitting bubbles twice as fast as the other once, as that will be hydrogen and the slower one will be oxygen. If you want to burn this hydrogen or inhale the oxygen, you can fill one of the small jars with water from the bowl and turn it over on top of the rod with your favorite gas. Have fun with this and be sure to keep your hands out of the way when you put a match under the upside-down jar full of hydrogen when you light it! Miscellaneous ------------ I have tested this method for getting hydrogen gas and it works. I captured it into a mayonaisse jar, then put a match underneath it and it blew leaves up that were four feet away from me. It is powerful stuff. Watch for more files coming soon from Fallen Angel! -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ ³ ³ S o c i a l E n g i n e e r i n g ³ ³ How to get Information ³ ³ By Fallen Angel ³ ³ 9 / 26 / 89 ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Have you ever wished you had the finesse of calling some high-level operator up and getting all the information you need just by asking? Great! I'll outline some simple steps to the art of social engineering, or getting that you want, in this article. Social engineering really is an art and should be treated as no less. Make sure you abide by these guidlines and don't screw up because screwing up only alerts the security people that there is an imposter just begging information off of the lame-brained operators. VOICE ----- First, you need to be old enough to sound like you could actually be the person you are trying to impersonate. The operators will be able to figure out that you are not thier boss if they can tell you are only 13 years old and your voice opens trunk lines (eg. 2600 Hz.) Get someone else to do it for you or wait until *after* puberty to do this. OVERKILL -------- Don't act like you are a legitamit customer trying to get information because that can clue the operators in as to what is actually going on. You should consider calling as an fellow employee from another store from the chain, or maybe as that persons supervisor. They may be stupid and subservient to thier officials, but hired phone operators will know that the owner of the company is not going to be calling Atlanta to find out technical information or C/NA on someone that lives in Anchorage, Alaska. That would be overkill. The best bet in getting information from a TSPS (dial 0 for one of these) operator is to call as a lineman. A lineman is the guy that comes to your house to install the phones. They usually hire contractors to run extensions under your house as they don't want to deal with it themselves--don't call saying you are having problems with your wire cutters and you need to know what the local ANAC number is. PBX's ----- PBX's are a nice utility to the social engineer because they almost insure that you will get a different operator each time you call. With this knowledge, and no ANI available to them, you can continue to query operators on PBX's as many times as there are operators. Obviously, if you keep asking the same person for information they will figure out that you don't know a damn thing and are trying to leech them. CONFIDENCE ---------- If you stutter a lot and trip over your words they will eventually notice that you are not who you say you are. It doesn't hurt one bit to plan out exactly what you are going to say and verbally run over a few times before you call. You could screw up an insecure company by alerting them of the real world. JARGON ------ It really helps to know the proper jargon and acronyms for the company you are trying to get something out of. For instance "Hello there, this is Phred Smith and I would shore like it if you could give me the adress and name of 512-555-555" wouldn't work as well as "This is Smith from line service. I need caller name and adress for 512-555-5555" In this case being polite doesn't do you much good. Good sources on jargon would be g-files on BBS's or hacking/phreaking dictionaries. EXTENDERS --------- Always do your engineering from an extender because there are plenty of secure places that will have ANI readouts on an LCD when you call in. They will call you back and ask you why you were calling if they think you were engineering them. They will get the dialout number for your extender if you call from an extender. For all practical purposes, this is impossible to trace. BACKGROUND NOISE ---------------- As a for instance, you are a telephone lineman and are boxing a call to C/NA. Instead of hearing birds in the background, the C/NA operators hear keyboard clicks and other phones ringing. They will not give you anything in situations like this. Call when nobody else is home or if they are asleep. TIMING ------ This is a small but important matter. The operators will know that you aren't really installing a phone line if it's 2:30 a.m. and you are whispering so you don't wake up the parents! You have to remember things like this. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- **Additional Note: The information in this magazine is subject to change. We, the writers have no control over the change of these thing, nor do we know when and what they will be changed to. Things such as VMB's, dial-ups, etc. may die or be changed and the information in this will no longer be valid. We will be releasing other editions of this magazine in hope that the information will all be up to date and of use to all that read the magazine. As you may know we cannot keep up with some of the changes and things that happen to the things we have mentioned. Due to that, we ask your support in letting us know of these changes and such through or Mickey Mouse Club VMB, if of course, it is still valid, or through distribution sites or any other ways the you know of to get in touch with one or more members of MMC. Not only will we accept information on changes, we welcome any new and/or better information, tips etc. Let us know if you would like to write a section of this magazine, and what you would like to write. We are rather picky about what is put into our magazine, but that is because we want the utmost quality. Please don't be intimidated by the standards we have set, we still would appreciate the chance to see the things that you have written, as there is a lot of valuable information that could help the effort in improving this magazine. Well, that is it for "Hackers Unlimited". We hope you enjoyed, and have gotten a lot of information from, it. There was a lot of time, and a lot of effort put into this from a lot of fine writers. The editors of Hackers Unlimited would like to thank these people for contibuting to this fine piece of writing, both in the writing of articles and the support of this project : Psycho Bear Fallen Angel Midnight Caller The Mentor Plus the Editors: The Dark Lord Cardiac Arrest And all the people that didn't laugh at the name The Mickey Mouse Club We hope this magazine has provided you with more knowledge than when you started reading it. If you have, we ask that you use this knowledge for not only the benefit of you, but for the benefit of others. There are a lot of beginners in the areas that we have talked about throughout this magazine, and all they need is the know-how and a little experience to make them into good phreakers, hackers, carders, you name it. Well, once again, thanks to all who contributed to Hackers Unlimited and thank you for reading, (and hopefully) enjoying and distributing Hackers Unlimited Magazine, a Mickey Mouse Club production!