----------------------------[ Beginning of file ]-----------------------------

                                  SUBSTANCE

                           Issue 002 - 14. Nov 1993

        "If everything is coming your way, you're in the wrong lane!"

Disclaimer:

This text is written for informational purposes only. Neither the Substance
Crew, nor the people who distribute this file are liable for any damage,
legal action, or other consequences of use or misuse of this file. We will
not invite anyone to perform the activities described, as they may be
considered illegal, depending on your place of residence. On the contrary,
dissuasion is not our policy. If you find the contents of this file
offensive, please feel free to do so; we don't care.

------------------------------------------------------------------------------

HACKING DONUTS
--------------
by Winnie the PooH

I'm very sorry to disappoint all the hungry people out there, but the donuts
that will be described in this article aren't edible. On the other hand you
may find them interesting and useful anyway, and they may also satisfy your
hunger for cheap phone calls.

What is a donut?

A donut is a small, private telephone network. It got its name when Inner
Self and Plastic discovered the stunning resemblance between a donut and the
number "0". To put it briefly, a donut is simply a PBX that will allow you to
dial out by pressing "0" at the PBX tone.

What is a PBX?

Ok, some of you might not know what a PBX is, so I'll try to shed some light
on that particular subject. "PBX" is an abbreviation for "Private Branch
Exchange", and these interesting devices are usually owned by companies, in
Norway mostly by fairly large ones. Our challenge is to turn these devices
into PUBLIC Branch Exchanges instead of private ones.

A PBX is connected to one or more of a company's phonelines.
When someone calls any of these numbers, the PBX will take the line off the
hook and answer the phone automatically, normally with a tone or tones of
some kind, but sometimes also with recorded messages. The caller may then use
his/her phone keypad to instruct the PBX what it should do. In Norway the
most common use of PBXs is to reroute the callers to particular offices or
persons inside a company building. This makes things a lot easier for whoever
wants to contact anyone in such a company, since only one phone number is
needed, with which different internal numbers may be used. The interesting
part is that these PBXs often also have the ability to go off-hook on another
phoneline, making you able to dial out and letting the PBX-owner pay the
bill!

Why donuts work

The interesting part about PBXs, to us, is the possibility to dial out from
them. In some places this feature is in frequent use, although this seems to
be quite seldom in Norway at this time compared to the extensive use of it in
the USA. If they are being used to dial through, they probably require an
access code to perform the dialout, but a lot of the Norwegian PBXs have got
this possibility without the owners using it, or sometimes even knowing that
it exists. This often leaves the PBX unprotected, and all that's needed is to
enter the command for dialing out, without any access code. In the USA this
command usually is equal to dialing a "9", but in Norway, as you have
probably guessed already, the command is "0" for a lot of PBX brands.

How do I find a PBX?

The first method is to scan numbers to find one that may sound like a PBX.
Scanning numbers and knowing which numbers to scan will be discussed in a
later issue of Substance, so I won't explain in detail here how that is done.
Anyway, the main idea is to dial numbers you think might be a PBX, and check
the response.

The second method is by far the easiest way to do this, in fact it's so easy
that most people wouldn't even consider it.
You simply look in the phonebook! For those of you who've seen the film
"Rainman", you may remember the main character reading the phonebook, and you
may even have laughed at that particular scene, but for hackers this is an
easy way of getting interesting information. In fact it almost says "This is
a PBX"! In the Norwegian phonebook, what you would look for would be numbers
called "2-trinns innvalg". These numbers aren't listed in the local
phonebooks called "Lokalveiviseren" as far as I know, but they are listed in
both the local ("Ditt Distrikt") and the real versions of the phonebook from
the phone company. These are numbers with a PBX at the other end, and calling
these numbers would probably result in getting a tone as an answer.

Hacking the donuts

Ok, so you've looked in your local phonebook and found a few of these
numbers, or you've found them in some other way, and then what do you do?
What you might do is consider using another phoneline than your own for
hacking them, at least if your line is connected to a digital phone central.
It probably won't be dangerous at all, but sometimes it's better being
paranoid than being caught.

Well, let's suppose you find a phone somewhere, and you dial the PBX. Five
things might happen:

 1. You get a message stating that the number isn't in use
 2. You get anything other than a PBX (a person answering, an answering
    machine, a fax etc.)
 3. You get a tone, either continuous, or a tone with short, quite rapid
    pauses
 4. You get a recorded message, telling you which numbers to press to perform
    certain actions, or simply telling you to enter an internal office-number
 5. You get something else that I didn't think of...

If 1, 2 or 5 is what you come up with, which you probably will sometimes,
just throw the number away. (Unless, of course, you found a secret number
directly to the prime minister, or some nice modem carrier!)

If 4 was your result, then you probably haven't got much hope of hacking this
PBX easily, as the ones with recordings usually are the most advanced ones,
but of course - try pressing 0!

If 3 is your number, then there might be a fair chance you have got
something. Try pressing 0 at the tone, and listen to the result. If you get a
dial tone - then you're in! Simply dial a number, normally any number would
work, and listen as the PBX dials a number that the company will pay for!

If pressing 0 results in rapid beeps, which is the most usual case, the PBX
probably hasn't assigned anything to the 0 command, or you need an access
code to perform the dialout. Then of course, you could always try the other
numbers as well, because not all of them have 0 as the command for dialing
out, it just seems to be the most usual case.

If you think this is no challenge at all, then you might try to hack a PBX
with a code. Make your computer do the hacking, or make a bluebox-like
construction that will try different codes automatically. Like number
scanning, this will also be discussed in a later issue of Substance.

Time limits

With quite a lot of the donuts, there is a downside: a very high percentage
of the PBXs have got time limits. The most usual case seems to be that after
about 2 mins and 25 seconds, the PBX sends out a pulse, which for you appears
as about 2 seconds of silence, and 10 seconds later the connection is broken.
These donuts almost ALWAYS have a non-continuous tone when calling them.

Another usual type of time limit is when you can call for 11 minutes, with
short beeps as a warning after exactly 10 minutes. This one is obviously more
useful than the first type. Here the tone usually is a continuous tone,
almost like the dialing-tone, but a bit higher pitched.

And of course the ones completely without time limit do exist, although these
aren't the most usual ones.
Getting one of these opens a great number of possibilities, but of course -
you have already understood that.

How to use your donuts

There are of course a great number of uses for your donuts, but here are a
few ideas on how to use them:

 1. Call 820-numbers for free, win competitions & get free phone-sex
 2. Test foreign bulletin board systems
 3. Use them for number-scanning
 4. Call numbers you already know are being traced
 5. Hack other systems
 6. Send a terrorist-threat to your nearest airport
 7. Call your rich uncle in the USA, increase your inheritance

Suggestions 1-5 are the most common uses of donuts, and most of them are also
fairly safe. Do remember though, that using donuts to call numbers you know
might be traced, i.e. that the phone company might be monitoring the line to
see who is calling, is not always safe when calling numbers with heavy
security. If you consider the sixth alternative, I would suggest you hack at
least 3 or 4 donuts first, calling through all of them before you call the
airport.

How NOT to use your donuts

Not everything is safe even though you're calling through a donut, and there
are also a few things you never should do with a donut:

 1. Never call military numbers unless you KNOW you can't be traced
    (Which you never do)
 2. Never mention your name when making voice-calls, unless you're 110% sure
    the conversation isn't recorded
 3. Never use a donut you know someone else has used before you
 4. Never call from your own phoneline if you're connected to a digital phone
    central, and you suspect the number might be traced
 5. Never call someone you know who won't be able to cope with a questioning
    from the phone company

All this may sound a bit paranoid, but it's still better than being caught!
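
Seen from the PBX owner's side, the unprotected dial-out described under "Why donuts work" appears in the call records as a call that arrives on one outside line and leaves on another without an access code. The following is an added example, not part of the original article: it scans call detail records for that pattern. The CSV layout, trunk names, phone numbers and the 155-second figure (derived from the "Time limits" section) are assumptions made for the example.

```python
import csv
import io
from collections import Counter

# Constructed sample call detail records. The CSV layout is an assumption
# for this example, not any PBX vendor's export format.
SAMPLE_CDR = """start,in_trunk,out_trunk,dialed,duration_s,auth_code
1993-11-14T01:02:10,T01,,214,95,
1993-11-14T01:05:40,T01,T07,82000000,155,
1993-11-14T01:09:02,T01,T07,82000000,156,
1993-11-14T09:15:00,,T07,22000000,300,
1993-11-14T10:00:00,T02,T08,4721000000,660,
1993-11-14T11:30:00,T02,T08,22000000,120,4711
"""

# Forced-disconnect times from the "Time limits" section, in seconds:
# about 2 min 25 s plus the 10 s before cut-off, and 11 minutes (assumed).
TIME_LIMITS_S = (155, 660)
TOLERANCE_S = 3


def find_dial_through(cdr_text):
    """Return calls where an outside caller seized an outbound trunk."""
    findings = []
    for row in csv.DictReader(io.StringIO(cdr_text)):
        # Calls from internal extensions have no inbound trunk; ordinary
        # inbound calls that end at an extension have no outbound trunk.
        if not (row["in_trunk"] and row["out_trunk"]):
            continue
        duration = int(row["duration_s"])
        at_limit = any(abs(duration - t) <= TOLERANCE_S for t in TIME_LIMITS_S)
        findings.append({
            "start": row["start"],
            "in_trunk": row["in_trunk"],
            "dialed": row["dialed"],
            "no_auth_code": not row["auth_code"],
            "hit_time_limit": at_limit,
        })
    return findings


def exposed_trunks(findings):
    """Count dial-through calls made without an access code, per inbound trunk."""
    return Counter(f["in_trunk"] for f in findings if f["no_auth_code"])


if __name__ == "__main__":
    hits = find_dial_through(SAMPLE_CDR)
    for hit in hits:
        print(hit)
    print(dict(exposed_trunks(hits)))
```

Any inbound trunk that shows up in `exposed_trunks` is a line on which the dial-out command works without an access code; disabling that feature or requiring a code closes it.
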

Troubleshooting

Here is a list of the most usual problems you might encounter when finding,
hacking and using your donuts:

Problem:                                Solution:

- I haven't got a phonebook             - Steal one from the nearest phone
                                          booth

- I can't get a dial tone in my         - Check that your phone is plugged
  own phone                               in, and that you have the phone
                                          off-hook

- I get a dial tone at the donut,       - Turn up your phone-volume,
  but nothing happens when I dial         or try using another phone
  a number

- When I hang up, it's often busy       - Wait until the time limit has
  for some time                           expired

- There's a police-car outside my       - Deep format your hd and say you've
  house                                   had a virus-crash

- Men with dark sunglasses are sitting  - Run!
  in a van outside my house

------------------------------------------------------------------------------

The Substance Crew:

  Inner Self (IS!)
  Apollon
  Plastic
  Winnie the PooH

Comments, contributions, ideas, questions and such would be appreciated, and
may be e-mailed to sbstance@oslohd.no. If you haven't got that possibility,
please try locating us at some board. Your chances of reaching us that way
will probably increase significantly by first checking the boards allowing
aliases, but if you aren't able to reach any of those, try looking for
"Robert Levin".

Sensitive information of any kind, or information you want to keep private,
should be encrypted using PGP with the -a option. Our Public Key may be found
below. If a sysop doesn't allow encrypted messages, please find another board
if you consider encryption to be necessary. UNIX programs may be sent as UUCP
code.

-------------------------------[ End of file ]--------------------------------