                          t h e   h a v o c
                   t e c h n i c a l   j o u r n a l

                     volume 2 . number 7 . issue 19

[February 1, 1998.............................`1998 - The year of THTJ']
[......................'Putting the hell back in shell'......................]

-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Table of Contents
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Contacts & Copyrights...............................Staff
Editorial...........................................scud
Cellulite...........................................lurk3r
What the hell is PCS?...............................KungFuFox
Free UK Phonecalls..................................Josh Freedaleman
Introduction to ADSL................................Rebel Entity
Red Boxing in the UK................................Josh Freedaleman
Hacking the Standard Answering Machine..............V
Introduction to OpenVMS.............................sub version
CIGARS..............................................scud
 - SSH: Secure Shell................................scud
 - Trust............................................scud
The Mailroom........................................scud
Reader Survey.......................................Staff

                          ---->NEW Majordomo<----
       Subscribe to thtj at: majordomo@orc.ca 'subscribe thtj you@your.isp'

-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Contacts & Copyrights - Staff
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. Contacts
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Editor in Chief      : Scud-O
Executive Editor     : KungFuFox, RIP
Submissions Editor   : Keystroke
Editing Assistants   : FH, Phrax, Shok, su1d
News Editor          : KungFuFox, RIP
Mail Editor          : Scud-O
Webpage Editor       : Scud-O

Extra Special Thanks : All the writers, and people who filled out the reader
                       survey.
Shout Outs           : All of you in the know.
Thank yous           : John Grisham
Fuck yous            : ToS P.D.

Has more lives than a cat      : Kenny
Total Beefcake                 : Cartman
Throws up more than a wino     : Stan
Mr. Hanky's best friend        : Kyle
Pimp                           : Chef

Good Movie of the Month   : Scarface
Good Music of the Month   : DJ Shadow
Good TV of the Month      : South Park
Good Alcohol of the Month : Jim Bean

THTJ Website : http://www.thtj.com/
THTJ e-mail  : thtj@thtj.com, scud@thtj.com

-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. Copyrights
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

The HAVOC Technical Journal (THTJ) Volume 2, Number 7, Issue 19
February 1st, 1998.

*Everything* here is (c) Copyright 1996,1997,1998 by THTJ, HAVOC Bell
Systems Publishing, or HNS. All Rights Reserved. Nothing may be reproduced
in whole or in part without written permission from the Editor in Chief. The
articles included here belong to their writers, and articles are copyrighted
by their writers. If you want to use their articles in your publication, ask
them. For more information on our copyrights and article submissions policy,
please see http://www.thtj.com/submissions.html
For more information on legal stuff go to http://www.thtj.com/legal.html

[No copying THTJ, damnit.]

Articles, comments, whatever should be directed to: scud@thtj.com
Subscribe to thtj at: majordomo@orc.ca 'subscribe thtj you@your.isp'

Disclaimer: THTJ is provided free of charge, thus THTJ provides NO
warranties whatsoever. You use this zine and its information at your own
risk. While every effort has been taken to ensure the accuracy of the
information contained in this article, the authors, editors, and
contributors of this zine assume no responsibility for errors or omissions,
or for damages resulting from the use of the information contained herein.
The HAVOC Technical Journal does in no way endorse the illicit use of
computers, computer networks, and telecommunications networks, nor is it to
be held liable for any adverse results of pursuing such activities.
[Actually, to tell you the honest to goodness truth, we do endorse that
stuff. We just don't wanna get in trouble if you try it for yourself and
something goes wrong.]

-------------------> 'Its Not Our Fault' <-------------------

THTJ is protected by the First Amendment of the US of A. If any of the
information contained in this file offends you, then why the hell are you
reading it? THTJ publishes its information to educate you; if YOU choose to
use the information illegally, so be it. We are not responsible for *YOUR*
actions. We merely provide the information. By reading this zine, you agree
to this policy, and you void all rights to sue us or get us involved in the
consequences of *YOUR* actions. If you can not deal with this policy, then
delete this file now.

Stealing articles, or pieces of articles, or pieces of pieces of articles
from thtj without permission is a crime against humanity. If you want to use
any of the material in here, please contact THTJ and/or the article's
author. If you do not follow these rules, we may be forced to take legal
action.

-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Editorial - scud
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. RIP KungFuFox, The next few issues.....
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. We need you!
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
3. Stuff
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Cellulite - lurk3r
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Primer
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Cellular telephony traces its roots back to 1929, when transoceanic liners
introduced ship-to-shore radio service that was interconnected to the Public
Switched Telephone Network (PSTN). In 1946, AT&T began offering commercial
mobile telephone service in St. Louis and soon expanded to other cities. In
1964, Improved Mobile Telephone Service (IMTS) was introduced. This service
offered electronic switching, but was still very inefficient, in large part
because the available frequency range could carry only a very limited number
of calls.

The answer to the capacity constraint turned out to be a system of small
geographic areas, or "cells", within which a limited number of channels
could be used. A transceiver (transmitter/receiver) in each cell could
overlap into an adjacent coverage area. Since the system was designed so
that no two adjacent cells would use the same channels, call interference
was minimized. Yet the same channels could be reused in non-adjacent cells
where the transceivers were far enough apart not to interfere with each
other. This cellular system had actually been designed in the 1940s and
tested in the 1960s but was not developed until the IMTS networks reached
capacity in the late 1970s.

In 1981, the Federal Communications Commission (FCC) established rules for
licensing cellular carriers. The FCC decided early on to limit the industry
to two competitors in each marketplace.
The wireline, or B-side, license was granted to the incumbent LEC in each
market and the non-wireline, or A-side, license was awarded to another
bidder, often a Regional Bell Operating Company (RBOC) from a different
region. (B-side was originally used to designate Bell System, while A-side
meant Alternate.) In 1983, Ameritech Mobile Communications launched the first
commercially available cellular service in Chicago, followed shortly
thereafter by American Radio Telephone Service in the Baltimore/Washington
market. The next year, Bell Atlantic also began offering service in
Baltimore/Washington, making that market the first to have a choice of
cellular carriers.

-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Cellular Architecture
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Because data can be transmitted over the analog cellular network via a method
known as circuit-switched cellular data (CSCD, 9.6 to 14.4 kbps), cellular
does currently offer data capabilities. All that is required is a PC, a
cellular-compatible modem, a data cable and a data-compatible phone
(including the Motorola DPC 550, Nokia 121, and Nokia 232). To the network,
this type of transmission looks exactly like a voice call. A continuous
connection is made between the phone and the network, and usage is billed
at a per-minute rate. This method is suitable for transmitting relatively
large files such as faxes and large e-mail files. For short, "bursty" data
transmission, such as point-of-sale transactions and brief e-mails, circuit
switched cellular data can be slow (because call set-up may take longer
than the actual transmission) and expensive (because usage is generally
billed in one-minute increments). A more efficient method is cellular
digital packet data (CDPD, 19.2 kbps).
This method divides files into small segments (packets) that are transmitted
over any available channel and reassembled at the receiving end, as on many
computer networks. Note that CDPD is also capable of carrying TCP/IP.

Cellular technology divides service areas into smaller calling areas known
as cells. Cells are often a few miles across (the actual coverage area of a
cell depends on the density of the subscriber base and on topography). At
the center of each cell is a cell site, which contains the radio
transmitters and receivers. Each cell site belonging to a particular system
is linked to a Mobile Telephone Switching Office (MTSO), which performs the
call routing and interfaces with the LEC. The transmitter's range of
broadcast extends across the radius of the cell and overlaps into the
adjoining cells. The transmitter's power is typically 100 watts or less. A
frequency can be simultaneously used in non-adjacent cells within the same
geographic area. As the caller moves from one cell to another, the mobile
unit picks up the radio frequency used in the next cell without causing any
interference; this is known as a "handover". By enabling simultaneous calls
within the area, frequency reuse increases network capacity.

Analog service is available in all markets, both Metropolitan Service Areas
(MSAs) and Rural Service Areas (RSAs). Digital service is being rolled out
in limited markets where capacity is constrained.

-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Cellular Protocols
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Cellular networks are noisy and less predictable than land-based
connections, so cellular protocols add enhancements to ensure reliable
"switched circuit" cellular connections from 9600 bps to 14400 bps.
Some of these include:

 o Throughput-X-Cellerator (TX-CEL)
 o Enhanced Throughput Cellular (ETC)
 o Microcom Networking Protocol Level 10 (MNP-10)
 o Microcom Networking Protocol Level 10 Enhanced Cellular (MNP-10 EC)

-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Call Flow
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

When a cellular phone is turned on, it emits a signal that is picked up by
the closest cellular transceiver. This signal includes the subscriber's
Mobile Identification Number (MIN) and Electronic Serial Number (ESN). The
MIN is simply the subscriber's phone number (the equivalent of ANI for
landline phones). The ESN is unique to the handset. The subscriber's MIN/ESN
combination is loaded into the cellco's switch when service is first
activated, enabling the cellular system to identify the customer prior to
completing each call. On the analog network this pair is sent over the air
in the clear, and the switch checks nothing else about the handset, which
is what makes cloning possible.

Aside from this signalling, no connection is made until a call is attempted.
In other words, there is no dial tone for cellular. Thus, in order to
initiate a call, the caller must hit the send key after dialing to transmit
the digits to the cell site.

Each cell site contains a transceiver. Several cell sites may be connected to
a base station controller, and several base station controllers may be served
by a single MTSO (Mobile Telephone Switching Office). The MTSO is like a
central office for the cellular system. It is the MTSO that performs call
routing functions and interfaces with the LEC to terminate calls over the
PSTN.

For a call from one cellular phone to another, the flow is similar to a
cellular call placed to a long distance landline phone. However, instead of
terminating directly at the home phone, the LEC transfers the call to the
receiving carrier's MTSO. The MTSO transmits the call to the cell site and
then to the receiver's cellular phone.

-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Call Flow - Step by Step
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

 1. Cellular user keys in the phone number and hits send.
 2. A signal is sent to the nearest cell site.
 3. The cell site passes the call to the MTSO.
 4. The call is routed from the MTSO to the LEC.
 5. The LEC transfers the call to the IXC (inter-exchange carrier).
 6. The IXC passes the call to the distant LEC.
 7. The LEC transfers the call to the receiving carrier's MTSO.
 8. The MTSO transmits the call to the cell site.
 9. The cell site routes the call to the receiver's cellular phone.

-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Conclusion
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

As cellular technology advances, so do the people out there who are
interested in where it is and where it is going. Cell phreakers develop new
ways to take advantage of this weak system of communications. They also
create new tools and ideas for exploiting the data being transmitted
through our airwaves, such as packet sniffer software combined with hardware
that deciphers the frequencies constantly being emitted all around us. Just
think: no more accidentally sitting in the ant piles as the car drives by
the box you're plugged into, and no more dropping your laptop as you hop a
few blocks' worth of fences before you realize no one was even there. Just
you, a nice scanner mod, your computer, and an ice cold beer. Then BellCore
will once again know the fear...
HAVOC BELL SYSTEMS

-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Shouts Out
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Channels: #Virii #Phreak #Hackers | Groups: HBS Razor1911 Rhino9 PLA
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
People : FA-Q memor Scud Warz JP trix antifire netmask Wrd Calldan Iczer
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
What the hell is PCS? - KungFuFox
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Ever heard of PCS? Yes? Good. It stands for Personal Communications Service.
The problem with PCS is it's not phreak friendly. As surprising as it may
seem, normal people don't like it when they get cellphone bills for
thousands of dollars when the only call they remember making was to 911 when
they saw a black guy in their posh upscale neighborhood. The reason it's
being adopted faster than a fat baby in Ethiopia is because some assholes in
organized crime and/or drug cartels have been doing a lot of cell cloning,
and as I said before, people hate that.

PCS networks transmit at a higher frequency than the current cellular
systems, at between 1850 MHz and 2200 MHz, compared to the 800 MHz band used
by current cellular systems. These PCS networks are all digital, meaning the
transmission quality is better and the customer capacity is higher. The
reason behind the need for higher capacity is that wireless use is
expanding like a starving raccoon in a doughnut shop. Currently there are
52,687,924 wireless subscribers, a number expected to get bigger in the
future. I say "get bigger in the future" rather than provide a figure and a
date because I've seen wildly different numbers from different sources.
Even the wireless people are too stupid to know what their industry will be
like 30 months from now. The PCS market will be expanding as rapidly,
growing from relatively few customers today to an estimated 15 million by
2000.

About 3 percent of wireless revenue in 1996 came from cellular fraud, though
the percentage had been as high as 6 percent earlier this decade. The amount
of money lost to this type of fraud, about $650 million in 1995, has been a
big factor behind the adoption of PCS over cellular (no, not because the
cellphone companies want you to get more for your money), because PCS offers
some handy dandy security features to thwart attempts at cloning. Security
features of the past, such as calling the cloner and threatening to "beat
their ass", are slowly but surely being replaced with features such as
radio frequency fingerprinting, which matches the analog transmission
characteristics of the handset's radio (a signature that a clone programmed
with a stolen ESN does not share) against the signature recorded for the
ESN on the subscriber's account. If they don't match, your clone won't work
for more than a week, due to automatic alerts at the subscriber's service
when fraud is detected (which gives you a good amount of time to run up a
couple thousand in calls to your favorite BBS in Germany).

Cellular and PCS do share some forms of fraud prevention though. Much like
the software used by credit card companies to spot unusual buying patterns,
software has been developed for use with wireless services to detect
suspicious calling patterns, such as a sudden and recent spree of calls to
Cali, Colombia, or frequent calls to 1900goatsex. This suspicious activity
is reported and usually means the death of the clone as well. RoamEx, an
international data-exchange network, keeps track of cellular and PCS
subscriber calling activity and makes it immediately available to the
subscriber's provider. Suspicious calling activity is investigated and leads
to possible clone termination. Some wireless services set up calling
"profiles" to describe the type of calling a certain subscriber intends to
make, such as non-roaming, interstate, etc. Calls that are made out of
profile require use of a PIN (personal identification number) in order to
allow the call to be connected, which means you either have to steal the
person's PIN or you just call everyone in the local calling area a couple
hundred times.

All in all, PCS's biggest advantages over cellular are that it uses all
digital technology, making it much less vulnerable to airwave theft, and it
is compatible with GSM technology (of course, the wireless companies WANT
you to think that higher cost is an advantage). Global System for Mobile
Communications (GSM) digital technology is the most advanced of its kind in
the wireless world. It offers a bunch of services that non-GSM systems don't
have, like integrated voice, data, fax, and paging capabilities, but most
importantly it eliminates cloning and eavesdropping (the victimless crime).
GSM also offers seamless roaming across North America, and allows for even
more secure personalized features with the use of smart card technology,
which is available worldwide. The only real advantages cellular currently
has over PCS are coast to coast coverage, which may not even exist in areas
where providers have disabled roaming due to concentrated fraud patterns,
and phreak friendliness. As stated before, PCS services utilizing GSM have
coast to coast coverage as well, but none bear the "phreak friendly(c)"
logo. Cellular still remains more popular than PCS mainly because of the
cost associated with it. As PCS matures its price will become more
affordable and therefore more widely accepted, and that means less and less
clonable phones. I guess eventually those people in organized crime will
have to resort to stealing the phones right out of people's hands.
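The MIN/ESN identification described under Call Flow in the Cellulite
article and the profile and calling-pattern checks described in this
article fit together in a few dozen lines of code. What follows is an added
example written for this issue, not code from the zine, from KungFuFox, or
from any carrier's fraud system. The subscriber table, cell site labels,
call records, spree threshold and number prefixes are all constructed, and
PIN entry itself is not modelled: the screening routine is simply told which
calls carried a correct PIN. The point it makes is that the switch's MIN/ESN
match lets a clone straight through, and that a calling profile with PIN
gating plus a counter on out-of-profile calls catches it anyway.

```python
"""Toy model of analog cellular (AMPS-style) subscriber identification and
the pattern-based fraud screening the PCS article describes.  Added example
for THTJ; every name, number and threshold here is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CallRecord:
    min_: str     # Mobile Identification Number (subscriber's phone number)
    esn: str      # Electronic Serial Number of the handset
    cell: str     # cell site that received the SEND (constructed label)
    dialed: str   # digits the caller keyed in
    minute: int   # start time in minutes since midnight


# What the carrier loaded into the MTSO at activation: MIN -> ESN (constructed).
SUBSCRIBERS = {"2125550142": "82F1A9C3"}


def identify(rec: CallRecord) -> bool:
    """Analog-era check: the MIN/ESN pair sent over the air must match the
    activation record.  A clone programmed with a sniffed pair passes this
    exactly as the real handset does; nothing here can tell them apart."""
    return SUBSCRIBERS.get(rec.min_) == rec.esn


@dataclass(frozen=True)
class Profile:
    """What kind of calling the subscriber said they would do."""
    home_cells: frozenset
    international: bool = False
    premium: bool = False        # 1-900 style numbers
    spree_threshold: int = 3     # out-of-profile calls within an hour


def out_of_profile(rec: CallRecord, profile: Profile) -> list:
    """Return the reasons a call falls outside the subscriber's profile."""
    reasons = []
    if rec.cell not in profile.home_cells:
        reasons.append("roaming")
    if rec.dialed.startswith("011") and not profile.international:
        reasons.append("international")
    if rec.dialed.startswith("1900") and not profile.premium:
        reasons.append("premium")
    return reasons


def screen(records, profile: Profile, pins=frozenset()):
    """Screen call records in time order.  Returns one (decision, reasons)
    pair per record.  `pins` holds the indices of records where the caller
    supplied the correct PIN; PIN entry itself is not modelled."""
    decisions = []
    recent = []   # start minutes of out-of-profile calls in the trailing hour
    for i, rec in enumerate(records):
        if not identify(rec):
            decisions.append(("reject", ["bad MIN/ESN"]))
            continue
        reasons = out_of_profile(rec, profile)
        if not reasons:
            decisions.append(("connect", []))
            continue
        recent = [m for m in recent if rec.minute - m < 60] + [rec.minute]
        if len(recent) >= profile.spree_threshold:
            # A burst of out-of-profile calls is the pattern that gets the
            # account flagged and the MIN/ESN pair killed.
            decisions.append(("suspend", reasons + ["spree"]))
            continue
        decisions.append(("connect" if i in pins else "pin_required", reasons))
    return decisions


# Constructed sample: the subscriber's handset is in New York; a clone
# programmed with the same MIN/ESN shows up in Miami dialing Colombia.
CALLS = [
    CallRecord("2125550142", "82F1A9C3", "NYC-07", "2125550199", 540),
    CallRecord("2125550142", "82F1A9C3", "MIA-12", "0115712345678", 600),
    CallRecord("2125550142", "82F1A9C3", "MIA-12", "0115712345679", 605),
    CallRecord("2125550142", "82F1A9C3", "MIA-12", "0115712345680", 611),
    CallRecord("2125550142", "82F1A9C3", "MIA-12", "0115712345681", 620),
    CallRecord("2125550142", "00000000", "MIA-12", "2125550199", 630),
]
PROFILE = Profile(home_cells=frozenset({"NYC-07", "NYC-08"}))


def demo():
    """The clone's first call gets through on a PIN; the rest do not."""
    return screen(CALLS, PROFILE, pins={1})


if __name__ == "__main__":
    for rec, (decision, why) in zip(CALLS, demo()):
        print(f"{rec.cell} -> {rec.dialed}: {decision} {why}")
```

Running the file prints one decision per call: the subscriber's local call
connects, the clone's first Colombian call connects only because a PIN was
given, the next is held for a PIN, the third and fourth trip the spree check
and are suspended, and a handset sending the wrong ESN is rejected outright.
Note that identify() returns True for every one of the clone's calls; the
analog identification step is not what stops it.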
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Free UK Phonecalls - Josh Freedaleman
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Yes... I know this subject has been covered a few times before, but I have a
less dangerous way of getting free calls than the methods that have been
explained before. I am gonna explain it in lamer terms coz there is no hard
way about it.

In my neighbourhood the phones are all connected to one pole which has a
section at the bottom which can be taken off. This is RIGHT outside my
garden, so it is fuckin convenient for me to use this method.

All you need to do this method is 2 things:

 1) Telephone extension line
 2) Wrench with a nice little extension (like 1 inch or less) which has to
    be TRIANGLE at the end.

To use all this you need to either live in an area with an old fone terminal
OR have a laptop. At the bottom of old fone poles, about 5ft from the bottom
of the pole, is a cut-away part of the pole which contains all the wires etc
for that phone pole. It should look like this......

  [drawing: the pole, with a large box set into it that pulls away, and a
   small square inside that box where the wrench goes]

That's the pole.... (yes.. I know I can't draw)... the big box inside the
pole is the bit which pulls away, and the little box inside the bit which
pulls away is where you would insert your wrench with the square-ended
extension. You need to twist it and of course.... make this box bit come
off the fone pole.

Once it's off you will see loads of wires and also a fone jack (like the one
you plug your fone into at home)... Ignore the wires... all you need for
this is the fone jack. This is the method I use to make use of this fone
jack. The fone jack is the British Telecom engineer's test fone line and is
therefore FREE!!!

All I do is have a LONG telephone extension with about 1 ft free of the
white protective sheath, so I just have 1 ft with the VERY thin coloured
wires showing. This is where you have to be VERY careful for many reasons.
The main reason is that after you have plugged your fone line into this
fone jack you will have to put the case cover back onto the pole, so you
have to be careful not to tear the thin wires which will be hanging out
from the case... they are very unnoticeable because of their fineness (and
the fone pole is right next to my garden so I hide the line along my hedge
and across my garden), but I would ALWAYS recommend that you use this
method for LATE NIGHT USE ONLY!! I use it to phone foreign countries and
for hax0r use, and although I only use it temporarily, real late at night
and for a short time period only, it is a MASSIVE saving on my previous
fone bills.

If you have a laptop computer you could use this method in a very secluded
area late at night; just make sure you don't get spotted for hanging around,
as the cops could be called out. As these types of fone poles are old they
mainly feature in secluded and rural areas, which is good for the phreaker.
This method is much easier than the method used on new fone poles, because
on new fone poles the box is found right at the top of the pole, which is
fuckin high, and climbing is risky to yourself and the chances of being
spotted are high.

So hunt around and have Phun.... Phreak Hard, Live Longer.

Josh Freedaleman
joshfree@bluedragon.net
http://www.bluedragon.net/cof

-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Introduction to ADSL - Rebel Entity
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Introduction
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

What the hell does ADSL mean? ADSL stands for Asymmetric Digital Subscriber
Line and refers to the two-way capability of a twisted copper pair with
analog-to-digital conversion at the subscriber end and an advanced
transmission technology. Basically, with ADSL, you can download faster and
talk over the phone while being online.
This is accomplished by using the upper frequency spectrum of the telephone
line for data transmission while the lower portion is used for POTS (Plain
Old Telephone Service). This service also does not require any supplemental
cabling or modification to the existing phone line.

-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
ADSL Description
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

On telephone lines, only the frequencies between 0 kHz and 4 kHz are used
for voice. ADSL takes advantage of this by using the upper portion (4 kHz
to 2.2 MHz) of the spectrum for data transmission. The ADSL line then
provides asymmetric transmission of data at up to 9 Mbps downstream (to
you), and up to 800 kbps upstream. These rates depend heavily on line
length and line and loop conditions due to signal degradation.

To connect yourself to your ISP, you need an ethernet card, an ADSL modem
and a plain old telephone line. As far as I know, this service is not
available in rural areas yet, but I might be wrong. It is however available
in Canada in the Ottawa region. The installation fee is around $200
(ethernet card included) and the monthly cost is around $70 (modem rental
included) for unlimited time. Ok, this gives you an idea how much it costs.
Here are the performance specs for the Bell Sympatico (ISP) service here in
Ottawa: 2.2 Mbps download / 1.1 Mbps upload. I don't have ADSL yet so I
haven't been able to verify these specs. You should also keep in mind that
the download speed is often dictated by the server you're connected to.

ADSL is expected to perform as follows:

  Data Rate        Wire Gauge   Distance    Wire Size   Distance
  1.5 or 2 Mbps    24 AWG       18,000 ft   0.5 mm      5.5 km
  1.5 or 2 Mbps    26 AWG       15,000 ft   0.4 mm      4.6 km
  6.1 Mbps         24 AWG       12,000 ft   0.5 mm      3.7 km
  6.1 Mbps         26 AWG        9,000 ft   0.4 mm      2.7 km

ADSL depends upon advanced digital signal processing algorithms and error
correction to squeeze so much information through twisted-pair telephone
lines.

Here's an ASCII schematic of an ADSL transceiver, network end:

 Downstream      /---------\
 Channel(s) -->  |   Mux   |     /------------\
                 |  Error  |---->|            |
 Duplex          | control |     | D/A & A/D  |    /----------\
 Channel(s) -->  \---------/     |            |    |   Line   |    /----------\
                                 |            |<-->|  Coupler |<-->|   POTS   |<---Line--->
                 /---------\     |            |    |          |    | Splitter |
 Duplex     <--  |  Demux  |<----|  Channel   |    \----------/    \----------/
 Channel(s)      |  Error  |     | separation |                          |
                 | Control |     |            |                          |
                 \---------/     \------------/                         POTS

ADSL modems use one of two techniques to separate data transmissions from
POTS: Frequency Division Multiplexing (FDM) or echo cancellation. FDM works
by assigning one band for upstream data and another one for downstream data.
The downstream band is then divided by time division multiplexing into one
or more high speed channels and one or more low speed channels. The upstream
band is also divided into corresponding low speed channels. Echo
cancellation assigns the upstream band to overlap the downstream one and
separates them using the echo cancellation method (as used in V.32 and V.34
modems). Either way, POTS gets its own frequency band. The modem organizes
data into blocks and attaches an error correction code to each of these
blocks so the receiver is able to correct any errors that might appear
during transmission.

-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Conclusion
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

This technology seems very appropriate for high speed Internet connection
and doesn't cost too much compared to ISDN, which doesn't even offer speeds
similar to ADSL. Compared to cable modems, ADSL uses a dedicated line for
each customer instead of a shared medium like the cable modem for data
transmission. This prevents bottleneck slowdowns in peak traffic hours.

[ Comments, flames or suggestions welcome ...
lemirem@netcom.ca ]

-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Red Boxing in the UK - Josh Freedaleman
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Ok... many of you must be thinking things like.. "It doesn't work", "I was
told you can't red box" etc etc. Well I got news for you all, you CAN red
box in the United Kingdom, unlike many of you are led to believe, and it's
pretty easy to do. All you need is:

 1) A stereo tape recorder, preferably hand-held
 2) A program that can generate tones (I use Soundforge)
 3) Good talking persuasive voice

All you need to do in basic terms is generate the tones in Soundforge,
record them onto your tape recorder and emit them down the phone when the
operator asks you to. The tones you need to record are all the same
frequency and that magic frequency is 1000 Hz!!! The time the tone is
emitted however changes depending on the coin you want to pretend to put
in. The lengths are below:

 10p - 200 milliseconds
 50p - 350 milliseconds     (remember, all tones at 1000 Hz)

So if you want £1 worth of call time just emit the 50p tone twice; if you
want 40p worth of call time emit the 10p tone four times, etc etc.

To get the tones to actually work you need to get your good, persuasive
voice on and talk to the "lovely" BT operators. You need to get them to put
the calls through for you, and when they ask you to put in your money you
need to blast out your tones. I have found this the hardest part of the
whole red boxing task. The operators can be very ignorant and tell you to
dial it yourself, so you need to make up some good excuses. Below is a
sample of what can be said; this is what I said last week.

 Me: Hello, I would like to place a call but sadly the 3 button has broken
 Op: No problem sir, I can put the call through for you
 Me: Thank you
 Op: What's the number you would like to call?
 Me: It's.. *blah* *blah*
 Op: Ok sir, could you please insert your money
 Me: Sure  *tones blasted out*
 Op: Putting you through, thank you very much
 Me: Thank you

And I was put through to my call. That's an example of a successful attempt
to persuade the operator; below is an unsuccessful attempt.

 Me: Hello, I would like to place a call but the 3 button on the fone has
     broken
 Op: I'm sorry sir, could you please find another fone to use?
 Me: There isn't another fone around that I can use, can you please put it
     through?
 Op: I'm sorry sir, you are going to have to find another fone
 Me: But it is an emergency
 Op: I can't help you sir, did you say the 3 key is broken?
 Me: I did yes
 Op: I will send an engineer out to fix it immediately
 Me: Ok.. Bye Bye

That was a very stubborn operator and I had to quickly leave the fone before
an engineer arrived!! More often than not it has been a success; it is just
a matter of being polite but persuasive. You have the 1000 Hz tones so use
them, just ignore the arrogant operators and keep trying until you find one
who will put the call through. It's 96% successful for me on my 1st attempt,
so Phreak 0ut and Have Phun.

Josh Freedaleman
joshfree@bluedragon.net
http://www.bluedragon.net/cof

-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Hacking the Standard Answering Machine - V
-ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Many people overestimate the security of remotely controlled answering
machines; in fact many people don't even know answering machines can be
controlled remotely. Here is a quick guide to getting into an answering
machine and what you can do when you get there.

Okay, first you need to find out the remote access number (which is a ONE
DIGIT pin, heh!) for the answering machine. You can do this in two ways:

 1) If you can physically get to the answering machine all you have to do
    is read the remote access number from the bottom of the machine! (a
    one digit number on a sticker or etched into the plastic).
2) By trying all the digits on the keypad in the hope that you'll find the
   right one. Heh, there are only 10 in total! (no * or # is used). It is
   best to do this at a time when you know the owner is out; if that is not
   possible, try phoning early in the morning when the owner will be too
   tired to get out of bed and will just let the answering machine pick up.
   You'll need to spread this out so as not to make it sound too
   suspicious.

Once you have the remote access number, that's all you need. Below are
standard guidelines for the remote operation of an answering machine - some
things may differ on other models of answering machine, but the principle
is roughly the same. If you got the access code by method one then you
should have noticed the make and model of the device. If you did, then try
shopping around and pick up a copy of the manual that goes with it - that
will contain plenty more accurate information on remote operation.

 -ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
 Checking your messages
 -ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

1) Make a call to the number in the usual way
2) Listen to the OGM and wait for the music and tone that follow
3) Key in the remote access code by holding down the number key for at
   least 2 seconds
   ---> If there are no messages you hear four beeps instead of music
4) The answering machine rewinds the tape and plays back the messages.
   ---> At the end of the final message you hear a beep and then two more.
5) After the two beeps (or after the four beeps if there were no messages),
   you have a choice:
   a) To SAVE the messages - simply hang up the phone.
   b) To ERASE the messages - press and hold the remote access code for 2
      seconds. After hearing the four beeps which will follow, hang up.
   c) To REPEAT PLAYBACK of the messages, wait for 10 seconds until you
      hear 2 beeps. Then press the remote access code number for 2 seconds.
 -ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
 Changing the Out-Going-Message
 -ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

1) Follow steps 1-4 as above
2) Press the remote access code number for 2 seconds (this will erase all
   messages but is necessary to record the OGM)
3) Press the remote access code number for 4 seconds (you will hear 2 beeps
   followed by music while the tape rewinds. You will then hear another
   beep)
4) Start speaking (the OGM is now being recorded)
5) When finished speaking, wait for 2 seconds, then press the remote access
   code number for 2 seconds. (You will hear 2 beeps followed by music as
   the tape rewinds. The new OGM is then played back to you, followed by
   four beeps - go back to step 3 to record a new OGM if you are not happy
   with the one you recorded)

 -ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
 Introduction to OpenVMS - sub version
 -ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Since there doesn't seem to be a whole lot of documentation out there on
VMS, I've decided to write some of what I've found about it. I haven't had
much experience using VMS before but recently gained access to one and
started exploring :) I've looked around and found very little information
on them.. most people spouting about how VMS is cryptic (as if UNIX or even
DOS isn't cryptic to someone who has never used it before..) and impossible
to crack. Personally, I don't believe anything is totally secure.. there are
always ways to do something if you look in the right places.

I did manage to find many online documents released by Digital on their
home page.. http://www.openvms.digital.com:81 if you would like to learn
more about how to use VMS.. I mention a few things covered in the
documentation and add in a few things I've found either playing around or
in the online help (VMS has got to have the best help command ever :) )

Anyways, enough rambling on my part...
 -ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
 Logging In
 -ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

First off, you can recognize a system running VMS by the login prompt,
which usually resembles something like:

----
 Welcome to OpenVMS Alpha (TM) Operating System, Version 7.1

Username:
----

With maybe some extra text to the extent of: "Unauthorized access will be
prosecuted to the full extent of the law" etc. etc. I don't know *why*
people feel the need to put things like that, as it usually makes people
want to get in even more just to see what secrets they are hiding that are
so special.. anyways, on with the show...

There are a number of defaults you can try which have been documented in
many other files, but the only ones I've found to definitely be included in
the default user file are:

 SYSTEM    operator
 DEFAULT   default

The default passwords for both of these are ALWAYS changed [unless the
admin is a REAL idiot]. Some other common defaults are:

 FIELD     service
 SYSTEST   uetp

Sometimes there are public accounts set up (such as at universities,
libraries, etc..) which dump you into a restricted shell menu interface...
if you have such an account, there are a couple of things you can try to
get to the DCL prompt. Try using Ctrl-Y to break out at some point.. unless
Ctrl-Y is disabled this usually works well... You can try using SPAWN to
create a new DCL shell from a MAIL> prompt and probably from other places
as well. Another thing that works well if it is not a captive or restricted
account is login qualifiers. Try logging in as:

 Username: jdoe/nocommand
                |_________|
                     \________ bypasses login.com (which executes
                               restrictive menu shells, etc.)
Other login qualifiers you can use are:

 /[no]command[=file]     - bypass login.com [or execute file.com instead]
 /disk                   - changes default system disk
 /cli                    - changes command line interpreter [default is DCL]
 /tables=[command table] - specifies alternate CLI table [default is
                           dcltables]
 /new_password           - shortcut to set a new pw on login [as if it has
                           expired]

Type HELP LOGIN for more detailed explanations on these. As far as I can
tell, none of this will work if you have a captive or restricted account.

 -ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
 Once you are in
 -ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

The first thing you should do once you're in is type:

 $set control

This will enable Ctrl-Y [interrupt] and Ctrl-T [displays system info] if
they were disabled for that account.

The next thing would be to find out what actions the system is logging and
what may trip alarms. VMS can be configured to log and set off alarms for
just about anything. Here are some examples of what can trigger an audit or
alarm:

 - Installation of images (executable files).
 - Certain types of file access (any attempt to read/write/delete/run a
   file).
 - Process/subprocess/misc job [print, network, batch, etc.] terminations.
 - Volume mounts and dismounts.
 - User messages.
 - Access events requested by an ACL file or global section.
 - Modifications to system and user passwords, the system authorization
   file, the network proxy file, or the rights database.
 - Logins, logouts, login failures, break-in attempts.

There may be more they can audit but these are the only ones that I know
of.. to find out what kind of security your admin has set up, type:

 $show accounting

It should then, depending on the setup, say accounting is disabled or spit
out a list of what is being watched. If you have a higher level account you
should also type:

 $show audit

to see the actual level of security they have.
Protection codes control the types of access allowed (and denied) to files
in a similar way to unix, but more verbose. The format is:

 [category:access-list,(category:access-list,...)]

Categories are defined as:

 (W)orld  - any user on the system
 (G)roup  - any user with the same group UIC
 (O)wner  - any user with the same UIC
 (S)ystem - any user with a UIC between 1 and 10 (octal), has SYSPRV set,
            or is in the same group with GRPPRV set

Access-list is defined as:

 (R) - read access
 (W) - write access
 (E) - execute access
 (D) - delete access

With the directory command you can view file access permissions along with
lots of other information. ie. with:

 $ dir sys$system:authorize.exe/full

You might see:

----
Directory SYS$COMMON:[SYSEXE]

AUTHORIZE.EXE;1               File ID:  (399,2,0)
Size:          380/380        Owner:    [SYSTEM]
Created:   25-NOV-1996 22:23:21.17
Revised:   25-NOV-1996 22:23:53.66 (1)
Expires:
Backup:     2-JAN-1998 22:07:08.38
Effective:
Recording:
File organization:  Sequential
Shelved state:      Online
File attributes:    Allocation: 380, Extend: 0, Global buffer count: 0
                    No version limit, Contiguous best try
Record format:      Fixed length 512 byte records
Record attributes:  None
RMS attributes:     None
Journaling enabled: None
File protection:    System:RWED, Owner:RWED, Group:RE, World:RE
Access Cntrl List:  None

Total of 1 file, 380/380 blocks.
$
----

You can also use:

 $show security [file]

to see just the access permissions for the file or device. To change
file/directory permissions, type:

 $set security/protection=(s:rwed,o:rwed,g:re,w) [file]

This would give world no access, group read and execute access, and owner
and system full access.

AUTHORIZE.EXE is a neat little program which lets you view and edit
SYS$SYSTEM:SYSUAF.DAT, which holds information on all the user accounts on
the system... from the file above we see anyone is allowed to read and
execute this program.. BUT you also need to have access to sysuaf.dat,
which on most systems is not world readable.
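To make the protection-code format concrete, here is an added example (not code from the article, from Digital, or from VMS itself) that parses both notations shown above, the DIR/FULL "System:RWED, Owner:RWED, ..." line and the SET SECURITY "(s:rwed,o:rwed,g:re,w)" form, renders them back, and reports World or Group write/delete access. The risk rules in audit() and the "constructed" sample string are this example's own assumptions, useful when reviewing a listing of protections for files like SYSUAF.DAT rather than eyeballing each line.

```python
"""Parse and audit OpenVMS-style file protection codes.

Added example for this article, not code from the original THTJ text.
It models the two notations the article shows for the same protection:

  DIR/FULL output:       System:RWED, Owner:RWED, Group:RE, World:RE
  SET SECURITY argument: (s:rwed,o:rwed,g:re,w)

A category with no access letters after the colon, or no colon at all,
gets no access. The rules in audit() are this example's own checks for
reviewing protections, not anything the article or VMS defines.
"""

CATEGORY_ORDER = ("System", "Owner", "Group", "World")
ACCESS_BITS = "RWED"          # read, write, execute, delete

# Accept both the one-letter form (S/O/G/W) and the full category names.
CATEGORY_NAMES = {}
for _name in CATEGORY_ORDER:
    CATEGORY_NAMES[_name[0]] = _name
    CATEGORY_NAMES[_name.upper()] = _name


def parse_protection(text):
    """Return {"System": set(...), "Owner": ..., "Group": ..., "World": ...}.

    Raises ValueError on an unknown category, an unknown access letter,
    or a category listed twice, so a typo in a protection string is
    caught instead of silently granting or denying the wrong access.
    """
    body = text.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    result = {name: set() for name in CATEGORY_ORDER}
    seen = set()
    for field in body.split(","):
        field = field.strip()
        if not field:
            continue
        cat, _, acc = field.partition(":")
        name = CATEGORY_NAMES.get(cat.strip().upper())
        if name is None:
            raise ValueError("unknown category: %r" % cat.strip())
        if name in seen:
            raise ValueError("category listed twice: %s" % name)
        seen.add(name)
        for ch in acc.strip().upper():
            if ch not in ACCESS_BITS:
                raise ValueError("unknown access letter %r for %s" % (ch, name))
            result[name].add(ch)
    return result


def can_access(prot, category, access):
    """True if the given category (e.g. "World") holds the access letter."""
    return access.upper() in prot[CATEGORY_NAMES[category.upper()]]


def format_set_security(prot):
    """Render a parsed protection back in SET SECURITY/PROTECTION=(...) form."""
    parts = []
    for name in CATEGORY_ORDER:
        letters = "".join(ch for ch in ACCESS_BITS if ch in prot[name])
        parts.append(name[0] + (":" + letters if letters else ""))
    return "(" + ",".join(parts) + ")"


def audit(prot):
    """Return human-readable findings about over-broad access.

    Example's own rule: any write or delete access for World or Group is
    reported, since on a shared system those categories cover users who
    do not own the file.
    """
    findings = []
    for name in ("World", "Group"):
        for letter, verb in (("W", "write"), ("D", "delete")):
            if letter in prot[name]:
                findings.append("%s has %s access" % (name, verb))
    return findings


if __name__ == "__main__":
    # Protection line as printed in the DIR/FULL listing above.
    ok = parse_protection("System:RWED, Owner:RWED, Group: RE, World:RE")
    # Constructed example of a badly protected file (not from the article).
    bad = parse_protection("(s:rwed,o:rwed,g:rwed,w:rwed)")
    for label, prot in (("authorize.exe", ok), ("constructed", bad)):
        print(label, format_set_security(prot), audit(prot) or "no findings")
```

Feeding it the AUTHORIZE.EXE line from the listing gives no findings (World only has RE), while the constructed string reports write and delete access for both Group and World; the same parser accepts the "(s:rwed,o:rwed,g:re,w)" form the article uses with SET SECURITY.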
If you DO happen to have access to this, then you can go on and create your
own users, modify existing users, attempt to extract the users' passwords,
etc.. Authorize must be run from the sys$system directory or else it tells
you it can't find the sysuaf.dat file and prompts to create a new one [in
whatever directory you happen to be in], so you need to type:

 $ set default sys$system
 $ run sys$system:authorize.exe

which will give you a UAF> prompt.. I won't go into too much detail about
this function here... if you manage to gain access to this, you can type
HELP from that prompt and it will give you plenty of information [gotta
love VMS help files :)]

Keep in mind that if you decide to create some new users [not recommended,
since a smart admin would most likely notice a new user name on the
system...] or modify access to existing users, giving the account full
access to everything is NOT a good idea.. again, a smart admin would notice
this and you would not be around very long... instead, set /defpriv to
netmbx (create network device) and tmpmbx (create temp mailbox) as these
are usually the only privileges allowed to the average user. Then set /priv
to setprv, which will give you the ability to set any privileges for
yourself using:

 $ set proc/priv=all

"ok, yeh great but i can't access any of that stuff!@#$%!@$#"

Well, in this case you have a few options... you can always try hacking out
more accounts... if that doesn't work, you can try creating a trojan, which
is great if you have write access to any of the directories containing
programs that a lot of people run.. this probably isn't very likely, but if
the admin is really trusting or really stupid, it might be. Basically the
idea is to edit a .com file (which is basically just a script.. similar to
a DOS batch file or a unix shell script..) and add in some lines to check
the access level of the person running the file; if they have high enough
access, have it change the security of a file such as sysuaf.dat..
and authorize.exe if necessary. Read up on how to script with DCL.. I'm too
lazy to explain all that here.. besides, it's big enough to deserve a whole
file of its own. Anyways, the next time you log in, you could simply go to
sys$system and run authorize to change your own privs, create a new user,
etc., providing someone with high access runs the file.

 -ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
 Conclusion
 -ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

This text is by no means complete... and may or may not contain numerous
errors. The best thing to do is explore and find out for yourself! Lots of
documentation around... and lots of places like to run VMS.. :)

 -ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
 The Mailroom - scud
 -ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

I am learning how to hack now and I understand a lot in my opinion. I was
wondering if you or anyone you know knows of any easy hacks that a beginner
would have no problem with. I just want to practice and learn more about
hacking. Thanks for your time.

Phlow

 [ Personally, if I was wanting to practice and not get in a lot of trouble
 because I am beginning and don't want any logs to show up, I would just
 work at hacking your box. (You do have Linux or BSD don't you?) I would
 try some sendmail exploits, or other remote exploits to get in, and then
 just keep cracking the system. Look at the logs that you create and edit
 them, or find out how to sneak past logging. Practice locally until you
 are a master at it, and then go on to cracking a real site. For more
 guidance and help, check out hack-kit 2.0, at rootshell.com ]

---

Thtj,

I want informative computer security weaknesses/attacks. Specifically web
server remote access faults. If your BBS is full or not ready could you
direct me to pertinent information. Thanks!
 [ You might want to look at the WWW security FAQ or some of the other FAQs
 that are out there pertaining to WWW servers. CERT, and just about all of
 the other security reporting groups and mailing lists, have many files
 detailing the weaknesses in various servers. We do not run a BBS, nor do
 we plan on having one. Sorry. ]

---

to: scud@thtj.com

This may or may not be common knowledge, but in Windows 95 and,
surprisingly, Windows 98, and probably NT (but I'm not sure), there's this
"bug" so-to-speak in the way it handles filenames. In DOS (remember DOS?)
files can have a name with characters ranging from a-Z, 0-9 and all the
wondrous extended ASCII characters like Ü & â. Windows 95 for some odd
reason doesn't support extended character file names, and if someone tried
to create a file (or directory) in DOS called "âáàßÞÝÜ" and tried to delete
(move, copy, or anything else) it in Windows, they'd be fucked. For the
novice computer user, who's got a "sweet" Packard Bell fully loaded with
"hi-tek" Win95 and has no clue what DOS is (or has kind of a clue, but not
really), this kind of a "bug" could cause a big problem. Just try it
yourself and see what kind of creative ideas you come up with. Open DOS,
type "MD", SPACE, and then hold down ALT while you type 0220 from the
number pad. Then, go to Windows and check out the properties... when was
the file created, huh? Now try to delete it... you can't find what file,
you say? I can think of so many ways to take advantage of micro$oft's flaw.
I made a program called Crasher that does so, and it's available at my
website: [http://come.to/matic]

- the_enigmatic

 [ I had not heard of this bug in Microslut's Win95. Thanks for sharing
 with us. ]

---

Hi people of THTJ.

Gonna be a short note, as I'm ready to pass out through lack of sleep.

Regarding a mail to thtj:

------- THTJ 18 Mailbox ------------------------------------------
Hey Scud, I like your zine.
Just wanted to make a comment that I think that maybe you should write the
journal in HTML format. It would add a lot to the zine, I'm sure u know, of
the advantages. Thanxs, keep it up. BTW, PGP public key?

nakar

[ After issue 6 it was too much work to convert 150+ k of text to HTML, so
we stopped making thtj in HTML. If one of you out there wants to do it, by
all means go ahead and let us know. ]
------------ E O F -------------------

Well, I done it all. I've converted all the THTJs I have, issues 4-18, to
html. No
 shit, all the text has been converted to true html.
Obviously, the ANSI looks crap and the rest looks mostly like the original
text file, but if one of you sits down and works at it, 30 mins or so
(simply add some nice body colour tags, a bit of java, and replace that damn
ansi with your HAVOC logo) and you've got yourself nice html journals.

I didn't think any of you would appreciate me directly mailing you the
710KB file(all the htmls in one zip), so here it is uploaded at my server:

http://www.vincee.demon.co.uk/thtj.zip

Well, that's it.  If you use this file, I'd appreciate if you let me know.


			-Vince Gilligan


 [ To Vince and several other people that e-mailed me about converting it to
 HTML, I want to thank you all for converting everything to HTML. Vince, since
 I received your e-mail first, I am giving everyone your site that they can
 download it from until i get a copy of it on thtj.com. You are right in that
 it does only take a short period of time to convert it, but I honestly have
 so much to do right now that converting thtj to HTML is low on my list. ]


---

Scud O.

I don't usually do this sort of thing, but I just can't help myself this time.
What has happened to thtj? What happened to the interesting articles?
Let's take a quick look at some of the stuff in issue 17:

1) Basic Network Architecture Part I
        This is knowledge anyone can pick up at a library.
        This information belongs in a computer 101 class, not
        in a hacking zine. Anyone interested in learning about this will
        have NO problem whatsoever obtaining the info on his own.

2) DNS: The Domain Name System
        Nothing wrong with the article itself, but I think it belongs
        in /usr/doc/howto/ rather than a hacking zine.

3) The Boot Process
        See 1)

4) MMC: Microsoft Management Console
        I'm not even going to start on this one.

Following the last article I mentioned comes an email bomber (like we need
more of those for the lamers to play with), two DOS attack sources (see
comment on the bomber) and a "modified" teardrop version. (did you even
"diff" it before it was included??). Not to mention the clear "backdoor".
Don't you think root will become suspicious when he finds a SUID clear? The
entire point of a backdoor is to remain undetected.

This leaves us with two 6k articles about phreaking that I don't want to
comment on (since I don't know too much about it) and News + Mail.
This is a total of 51k. (the entire mag is 181k). I think the
numbers more or less speak for themselves.

Which brings me to my point (finally).. Is this the direction thtj wants to
be heading? Writing articles that already have been covered a plethora of
times before, or are publicly available to anyone with access to a library?
If this continues, I fear thtj's readers will consist solely of people who
are too lazy to look for any information themselves, and these people will
never be hackers. There is a difference between educating and spoiling.

I guess right now you are thinking along the lines of "why don't you write an
article yourself rather than flame those who do?".. well, since this is an
anonymous mail you can't really be sure that I haven't already done so.

Of course, this is all IMHO (although I believe most people who have read the
older issues and watched thtj grow into what seemed to be a new good zine
feel the same way)

I am _very_ interested in your views on this mail.

Signed
-Anonymous

(IF you include this in the next issue's mailroom, please do me the
courtesy of including the entire mail. This comment can be removed at your
discretion :) )

 [ Anonymous,
        You do have some good points on issue 17.

        1> Yes, this article probably doesn't belong in a hacking zine.
        2> The DNS article I ran because at the time I was promised 2 more
           articles on DNS related hacking. As fate would have it, neither
           writer delivered their articles for thtj18.
        3> Ok, this is a bad judgement call. This article came from a project
           I had to do for a Computer Architecture class. I liked learning a
           bit about the linux boot up process, so I ran it in thtj17. Bad
           judgement call.
        4> The MMC intro is very basic stuff, but MMC is the next generation
           of NT security software. I ran this so that people will have
           heard about MMC so that when NT 5.0 is released, we can already
           be at the gate and finding out the problems in NT 5.0.

        simon gave me the 'modified' teardrop code and article about 10
        minutes before I released issue 17. Once I had released 17 and looked
        more at it, I saw the mistake I had made. A poor editorial decision on
        my side. The suid clear backdoor has the potential to be a glaring
        backdoor for sysadmins to see, but when you use it, it is all in the
        eye of the beholder. Some sysadmins wouldn't think about it, and it
        could work for a long time, or it could just be a one time thing to
        get access to things and then you hide your tracks. It's all up to the
        person using the code. A tool is only as effective as the person that
        is using it.

                Your fears on the path that thtj was heading to were very
        similar to my own fears after issue 17. That was why I redesigned thtj
        starting with issue 18, and it is also why I am working harder on
        editing thtj than I have in the past. We are working harder to cut the
        crap out of thtj, and get the first run hardcore technical information
        but this job is not easy. This is also part of the reason why I will
        be leaving for 2 to 3 issues and letting other people work on thtj.
       
                Judging by how you started your e-mail I doubt that you have
        written an article for thtj, looking at the message headers only
        solidifies my findings. Although the headers could all just be a load
        of crap, I still doubt that you have written anything. However, you
        sound like you know what you are doing and you make some good points,
        so maybe you should write something for us.

                I am very interested in your views on this mail Anonymous, so
        please e-mail me back using the fake e-mail address you did when you
        sent this mail so I can be assured that it is really you. Also, if you
        want, please give me an address where I can e-mail you at so you will
        not have to wait a whole month to get a reply from me. Well, I
        modified not a line of your e-mail, just like you asked me Anon. ]

---

Why are people emailing thtj-approvl....

Those people will not get added and there have been about 100 of 
them so far.  I have no idea where they are getting the idea they 
need to email thtj-approval?

Make sure they use

subscribe thtj

or if they are not sure about the reply of the email

subscribe thtj 

May clarify things up a little

====================================================================  
			DoXiCaL			ORC Networks Ltd.
	\/		doxical@orc.ca		500 Lorne Ave.
	/\TReMe	http://www.orc.ca		Stratford, Ontario, Canada  
 ====================================================================

 [ Dox, it beats the hell outta me, but some people can't understand things
 unless they hear it from the lion's mouth. ]

---

The mailing list has been relocated to x-treme.org

Also, on you home page, change the way to subscribe to

subscribe 

without the email after, that will cause problems if they enter the 
wrong email addy, there are about 100 people who have been rejected 
because of that....

====================================================================  
			DoXiCaL			ORC Networks Ltd.
	\/		doxical@orc.ca		500 Lorne Ave.
	/\TReMe	http://www.orc.ca		Stratford, Ontario, Canada  
====================================================================

 [ Thanks Dox.]

---

hey d00d!  Id just like to say that your zine is really k-rad kick ass! 
Now that the underground has you and phrack, there'll be plenty of
reading material!  I just have a few questions 4 u.  

  [ I'm glad you like our zine, we try. ]

	(1)  You know in issue 4 when you were talking about NIMs?  Well I was
wondering where I would find one of those on my house.  I took apart the
bell systems little tall skinny green box in front of my house but there
was just 6 black battery terminal looking things and a big black metal box
with wires sticking out, no nice neat rj-11 jack like u said.  And it was
a lot bigger than a sunglasses case!  Maybe I took apart the wrong thing? 
Anyway, you said you were going to write a follow up article.  Which number
is that in?  I couldn't find it.  

  [ Yes, you took apart the wrong thing. The NID is a wee bit bigger than a
   sunglass case, and it is a grey plastic box. I never did get to finishing
   that article on NIDs. I have moved on, but maybe one day I will finish it.]

	Okay (2)  You had that C looking code that was supposed to turn your modem
into a chat system.  Well, how would I go about getting that to work.  Is
it like a script that i would load with like a "copy `at xxx` > com4" or
something?  And I would have to set the s register 2 1 before hand
probably, like "at s=1".  I would like to do that, it would be pretty
damned  cool to have a chat system.

        [ The code in thtj6 was meant for QuickLink software that comes with
        most USR modems. I never developed the full code to make it stand
        alone, because as I have said before, I have moved on. ]

	I was wondering if you would like any authors?  I could write about
VM/CMS, VAX/VMS, PRIMOS, RSTS/E or whatever.  Just blast me some mail!  I
would be glad to join up with you at havoc bell systems if you would take
me!  I can take the little test you had set up in the early issues (like
PBX = Private Branch Exchange).  But you said later it was invite only.  

        [ We are always looking for articles, but as of right this minute, HBS
         is not looking for new members. That test we had in thtj5, I think it
         was, was merely a tool for us to get some PBX numbers. So don't
         bother with it unless you *really* want to give us some numbers. ]

	Laterz....

                  Special-K

ps: dont visit my website, it's not up yet!!!    

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Special-K 
    
      NEUA  (North Eastern Underground Alliance)
      http://sdf.lonestar.org/~specialk/ 

     


---
[ In reference to sendmail885.c ]

The only thing this piece of code does is add two new accounts to
the local box... well, because it is run as root there is no problem
that these two accounts can't be created on the local machine. Have you
ever tried it yourself???

 [ Yes, I did run the code myself. We ran this in thtj18 as a spoof to see
 how long it would take people to discover what this really did, and to
 see how many people did use the code. Since I got your letter first, you get
 the THTJ Official No-Prize! ]


---

 -ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
 Reader Survey - Staff
 -ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

[This survey is designed to help us better suit our magazine to the reader,
or we may just be trying to get a good laugh, but we haven't decided yet.]

Nick:
M/F:
Age:
Occupation/grade:
City: 
State/Province:
Zip Code:
Country: 
Area Code:

Why do you read The HAVOC Technical Journal?

Where did you get this issue?

Are you a subscriber to THTJ?

What other zines do you read on a regular basis?


What would you like to see in future issue of THTJ?


What would you add or subtract from THTJ's format and articles?


On a scale of 1-10 ( 1 being lowest, 10 being highest), how would you rate
The HAVOC Technical Journal?


Any extra comments?


Please send all replies to scud@thtj.com

                     +----------------------------+
                     | [ ] Do not check this box! |
                     +----------------------------+

For office use only:

         [ ]D  [ ]X [ ]W [ ]Y         [ ]0 [ ]1 [ ]0 [ ]1
        (don't ask, we don't have a clue what this is for)

 -ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
 Fin.
 -ÄÄ-ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Well, once again thank you for reading this fine issue of thtj. Tune in next
month, same bat time, same bat channel! While you are waiting to read the
next issue, why don't you send us some mail, or fill out the reader survey, or
better yet, write an article for thtj?
                                        scud_