gemini - kennedy.gemi.dev

💾 Archived View for clemat.is › saccophore › library › ezines › textfiles › ezines › THTJ › thtj19.t… captured on 2022-01-08 at 17:25:00.

-=-=-=-=-=-=-

. .
. . . ,g$p,
.,. {body}amp;y .,. `"`
oooy$$yoo o oooy$$yoo o
. `$

$$yyyyp,`$

gyp . .
. yxxxx $$ $$"`"$$ $$ $$ xxxxxxxxxxxxxxy . volume 2
$ $$ $7 ly$ $$ $$ $ number 7
$ $y$ $b d$ $y$ $y$ $ issue 19
. $xxxx $$ $$ $$ $$ $$ xxxxxxxxxxxxxx$ .
. """ """ """ """ $' .
t h e h a v o c $' t e c h n i c a l j o u r n a l
[February 1, 1998.................

................`1998 - The year of THTJ']
[......................'Putting the hell back in shell'......................]

-��-������������������������������������������������������������������������
Table of Contents
-��-������������������������������������������������������������������������

Contacts & Copyrights...............................Staff
Editorial...........................................scud
Cellulite...........................................lurk3r
What the hell is PCS?...............................KungFuFox
Free UK Phonecalls..................................Josh Freedaleman
Introduction to ADSL................................Rebel Entity
Red Boxing in the UK................................Josh Freedaleman
Hacking the Standard Answering Machine..............V
Introduction to OpenVMS.............................sub version
CIGARS..............................................scud -
SSH: Secure Shell...................................scud -
Trust...............................................scud
The Mailroom........................................scud
Reader Survey.......................................Staff

---->NEW Majordomo<----
Subscribe to thtj at: majordomo@orc.ca 'subscribe thtj you@your.isp'

-��-������������������������������������������������������������������������
Contacts & Copyrights - Staff
-��-������������������������������������������������������������������������

-��-���������������������������������������������������������
1. Contacts
-��-���������������������������������������������������������

Editor in Chief : Scud-O, <scud@thtj.com>
Executive Editor : KungFuFox, RIP
Submissions Editor : Keystroke,
Editing Assistants : FH, Phrax, Shok, su1d
News Editor : KungFuFox, RIP
Mail Editor : Scud-O, <scud@thtj.com>
Webpage Editor : Scud-O, <scud@thtj.com>

Extra Special Thanks : All the writers, and people who filled out
the reader survey.

Shout Outs : All of you in the know.
Thank yous : John Grisham
Fuck yous : ToS P.D.

Has more lives than a cat : Kenny
Total Beefcake : Cartman
Throws up more than a wino : Stan
Mr. Hanky's best friend : Kyle
Pimp : Chef

Good Movie of the Month : Scarface
Good Music of the Month : DJ Shadow
Good TV of the Month : South Park
Good Alcohol of the Month : Jim Bean

THTJ Website : http://www.thtj.com/
THTJ e-mail : thtj@thtj.com, scud@thtj.com

-��-���������������������������������������������������������
2. Copyrights
-��-���������������������������������������������������������

The HAVOC Technical Journal (THTJ) Volume 2, Number 7, Issue 19
February 1st, 1998. *Everything* here is (c) Copyright 1996,1997,1998
by THTJ, HAVOC Bell Systems Publishing, or HNS. All Rights Reserved.
Nothing may be reproduced in whole or in part without written permission from
the Editor in Chief. The articles included here, belong to their writers and
articles are copyrighted by their writers. If you want to use their articles
in your publication, ask them. For more information on our copyrights, and
article submissions policy, please see http://www.thtj.com/submissions.html
For more information on legal stuff goto http://www.thtj.com/legal.html
[No copying THTJ, damnit.]

Articles, comments, whatever should be directed to: scud@thtj.com
Subscribe to thtj at: majordomo@orc.ca 'subscribe thtj you@your.isp'

Disclaimer:

THTJ is provided free of charge, thus THTJ provides NO warranties
whatsoever. You use this zine and its information at your own risk.
While every effort has been taken to ensure the accuracy of the
information contained in this article, the authors, editors, and
contributors of this zine assume no responsibility for errors or
omissions, or for damages resulting from the use of the information
contained herein.

The HAVOC Technical Journal does in no way endorse the illicit use of
computers, computer networks, and telecommunications networks, nor is it to
be held liable for any adverse results of pursuing such activities.
[Actually, to tell you the honest to goodness truth, we do endorse that
stuff. We just don't wanna get in trouble if you try it for yourself and
something goes wrong.]

-------------------> 'Its Not Our Fault' <-------------------

THTJ is protected by the First Amendment of the US of A. If any of the
information contained in this file offends you, then why the hell are
you reading it?

THTJ publishes its information to educate you, if YOU choose to use the
information illegally, so be it. We are not responsible for *YOUR* actions.
We merely provide the information. By reading this zine, you agree to this
policy, and you void all rights to sue us or get us involved in the
consequences of *YOUR* actions. If you can not deal with this policy, then
delete this file now.

Stealing articles, or pieces of articles, or pieces of pieces of articles
from thtj with out permission is a crime against humanity. If you want to
use any of the material in here, please contact THTJ and/or the articles
author. If you do not follow these rules, we may be forced to take legal
action.

-��-������������������������������������������������������������������������
Editorial - scud
-��-������������������������������������������������������������������������

-��-���������������������������������������������������������
1. RIP KungFuFox, The next few issues.....
-��-���������������������������������������������������������
-��-���������������������������������������������������������
2. We need you!
-��-���������������������������������������������������������
-��-���������������������������������������������������������
3. Stuff
-��-���������������������������������������������������������

-��-������������������������������������������������������������������������
Cellulite - lurk3r
-��-������������������������������������������������������������������������

-��-���������������������������������������������������������
Primer
-��-���������������������������������������������������������

Cellular telephony traces its roots back to 1929, when transoceanic
liners introduced ship-to-shore radio service that was interconnected to the
Public Switched Telephone Network (PSTN). In 1946, AT&T began offering
commercial mobile telephone service in St. Louis and soon expanded to other
cities. In 1964, Improved Mobile Telephone Service (IMTS) was introduced.
This service offered electronic switching, but was still very inefficient;
in large part because the available frequency range could carry only a very
limited number of calls.

The answer to the capacity constraint turned out to be a system of
small geographic areas or "cells" within which a limited number of channels
could be used. A transceiver (transmitter/receiver) in each cell could
overlap into an adjacent coverage area. Since the system was designed so
that no two adjacent cells would use the same channels, call interference was
minimized. Yet the same channels could be reused in non-adjacent cells where
the transceivers were far enough apart to not interfere with each other.
This cellular system had actually been designed in the 1940s and
tested in the 1960s but was not developed until the IMTS networks reached
capacity in the late 1970s.

In 1981, the Federal Communications Commission (FCC) established
rules for licensing cellular carriers. The FCC decided early on to limit the
industry to two competitors in each marketplace. The wireline, or B-side
license, was granted to the incumbent LEC in each market and the non-wireline,
or A-side license, was awarded to another bidder, often an Regional Bell
Operating Company (RBOC) from a different region. (B-side was originally used
to designate Bell System while A-side meant Alternate.)
In 1983, Ameritech Mobile Communications launched the first
commercially available cellular service in Chicago, followed shortly
thereafter by American Radio Telephone Service in the Baltimore/Washington
market. The next year, Bell Atlantic also began offering service in
Baltimore/Washington making that market the first to have a choice of
cellular carriers.

-��-���������������������������������������������������������
Cellular Architecture
-��-���������������������������������������������������������

Because data can be transmitted over the analog cellular network via
a method known as circuit-switched cellular data(CSCD)9.6 to 14.4 kbps),
Cellular does currently offer cellular data capabilities. All that is
required is a PC, cellular-compatible modem, data cable and data compatible
phone (including the Motorola DPC 550,Nokia 121, and Nokia 232). To the
network, this type of transmission looks exactly like a voice call. A
continuous connection is made between the phone and the network, and usage is
billed on a per-minute rate. This method is suitable for transmitting
relatively large files such as faxes and large e-mail files.

For short, "bursty" data transmission, such as point-of-sale
transactions and brief e-mails, circuit switched cellular data can be slow
(because call set-up may take longer than the actual transmission) and
expensive (because usage is generally billed in one-minute increments). A
more efficient method is cellular digital packet data (CDPD)19.2 kbps). This
method divides files into small segments (packets) that are transmitted over
any available channel and reassembled at the receiving end (Such as many
computer networks) Note that CDPD is also Capable of supporting TCP/IP.

Cellular technology divides service areas into smaller calling areas
known as cells. Cells are often a few miles across (actual cell coverage area
depends on density of the subscriber base and topography). At the center of
each cell is a Cell Site, which contains the radio transmitters and receivers.
Each cell site belonging to a particular system is linked to a Mobile
Telephone Switching Office (MTSO), which performs the call routing and
interfaces with the LEC. The transmitter�s range of broadcast extends across
the radius of the cell and overlaps into the adjoining cells. The
transmitter's power is typically 100 watts or less. A frequency can be
simultaneously used in non-adjacent cells within the same geographic area. As
the caller moves from one cell to another the mobile unit picks up radio
frequency used in the next cell without causing any interference. This is
also known as a "handover", by enabling simultaneous calls within the
area, the network capacity increases.

Analog service is available in all markets, Metropolitan Service
Areas (MSAs) and Rural Service Areas (RSAs). Digital service is being rolled
out in limited markets where capacity is regulated.

-��-���������������������������������������������������������
Cellular Protocols
-��-���������������������������������������������������������

Cellular networks are noisy and less predictable than landbased
connections. So, Cellular protocols provide additional enhancements to ensure
reliable "switched circuit" cellular connections from 9600 bps to 14400 bps.
Some of these include:

o Throughput-X-Cellerator a.k.a (TX-CEL)
o Enhanced Throughput Cellular a.k.a (ETCH)
o Microcom Networking Protocol Level 10 a.k.a (MNP-10)
o Microcom Networking Protocol Level 10 Enhanced Cellular a.k.a (MNP-10 EC)

-��-���������������������������������������������������������
Call Flow
-��-�����������������������������������������������������������

When a cellular phone is turned on, it emits a signal that is picked
up by the closest cellular transceiver. This signal includes the subscriber's
Mobile Identification Number (MIN) and Electronic Serial Number (ESN). The
MIN is simply the subscriber's phone number (same as ANI for landline phones).
The ESN is unique to the handset. The subscriber's MIN/ESN combination is
loaded into the Cellco's switch when service is first activated, enabling
the cellular system to identify the customer prior to completing each call.
Aside from this signalling, no connection is made until a call is attempted.
In other words, there is no dial tone for cellular. Thus, in order to initiate
a call, the caller must hit the send key after dialing to transmit the digits
to the cell site.

Each cell site contains a transceiver. Several cell sites may be
connected to a base station controller, and several base station controllers
may be served by a single MTSO (Mobile Telephone Switching Office). The MTSO
is like a central office for the cellular system. It is the MTSO that
performs call routing functions and interfaces with the LEC to terminate
calls over the PSTN.

The call flow is similar to a cellular call placed to a long distance
landline phone. However, instead of terminating directly to the home phone,
the LEC transfers the call to the receiving carrier's MTSO. The MTSO transmits
the call to the cell site and then to the receiver's cellular phone.

-��-���������������������������������������������������������
Call Flow - Step by Step
-��-���������������������������������������������������������

1. Cellular user keys in the phone number and hits send.
2. A signal is sent to the nearest cell site.
3. The cell site passes the call to the MTSO.
4. The call is routed from the MTSO to the LEC.
5. The LEC transfers the call to the IXC (INTER-EXCHANGE CARRIER).
6. The IXC passes the call to the distant LEC.
7. The LEC transfers the call to the receiving carrier�s MTSO.
8. The MTSO transmits the call to the cell site.
9. The cell site routes the call to the receiver's cellular phone.

-��-���������������������������������������������������������
Conclusion
-��-���������������������������������������������������������

As Cellular Technology advances and so do the people out there that
are interested in where it is and where its going. The Cell Phreaker develop
new ways to take advantage of this weak system of communications.

They also create new tools and ideas to exploiting the data being
transmited through our airwaves. Such as Packet Sniffer software combined
with hardware that decypher the frequencies that are constantly being emited
from all around us. Just think, no more accidently sitting in the ant piles
as the car drives by the box your plugged into, and no more dropping your
laptop as you hop a few blocks worth of fences before you realize no one was
even there. Just you, a nice scanner mod, your computer, and an ice cold beer.

Then BellCore Will Once Again Know The Fear...

HAVOC BELL SYSTEMS

-��-���������������������������������������������������������
Shouts Out
-��-���������������������������������������������������������

-��-������������������������������������������������������������������������
Channels: #Virii #Phreak #Hackers | Groups: HBS Razor1911 Rhino9 PLA
-��-������������������������������������������������������������������������
People : FA-Q memor Scud Warz JP trix antifire netmask Wrd Calldan Iczer
-��-������������������������������������������������������������������������

-��-������������������������������������������������������������������������
What the hell is PCS? - KungFuFox
-��-������������������������������������������������������������������������

Ever heard of PCS? Yes? Good. It stands for Personal Communications
Service. The problem with PCS is it's not phreak friendly. As surprising as
it may seem, normal people don't like it when they get cellphone bills for
thousands of dollars when the only call they remember making was to 911 when
they saw a black guy in their posh upscale neighborhood. The reason it's
being adopted faster than a fat baby in Ethiopia is because some assholes in
organized crime and/or drug cartels have been doing a lot of cell cloning,
and as I said before, people hate that.

PCS networks transmit at a higher frequency than the current cellular
systems, at between 1850MHz and 2200Mhz, compared to the 800MHz band used by
current cellular systems. These PCS networks are all digital, meaning the
transmission quality is better and the customer capacity is higher. The
reason behind the need for higher capacity is that wireless use expanding
like a starving raccoon in a dognut shop. Currently there are 52,687,924
wireless subscribers, a number expected to get bigger in the future. I say
"get bigger in the future" rather than provide a figure and a date because
I've seen wildly different numbers from different sources. Even the wireless
people are too stupid to know what their industry will be like 30 months from
now. The PCS market will be expanding as rapidly, growing from relatively few
customers today to an estimated 15 million by 2000.

About 3 percent of wireless revenue in 1996 came from cellular fraud,
though the percentage had been as high as 6 percent earlier this decade. The
amount of money lost to this type of fraud, about $650 million in 1995, has
been a big factor behind the adoption of PCS over cellular (no, not because
the cellphone companies want you to get more for your money), because PCS
offers some handy dandy security features to thwart attempts at cloning.

Security features of the past such as calling the cloner and
threatening to "beat their ass" are slowly but surely being replaced with
features found only in PCS networks, such as radio frequency fingerprinting,
which entails the matching of an ESN from a wireless phone to another id
number unique to the subscriber's account. If they don't match your clone
won't work for more than a week, due to automatic alerts at the subscriber's
service when fraud is detected (which gives you a good amount of time to run
up a couple thousand in calls to your favorite BBS in Germany).

Cellular and PCS do share some forms of fraud prevention though. Much
like software used by credit card companies to spot unusual buying patterns,
software has been developed for use with wireless services to detect
suspicious calling patterns, such as a sudden and recent spree of calls to
Cali, Columbia, or frequent calls to 1900goatsex. This suspicious activity is
reported and usually means the death of the clone as well.

RoamEx, an international data-exchange network, keeps track of
cellular and PCS subscriber calling activity and makes it immediately
available to the subscriber's provider. Suspicious calling activity is
investigated and leads to possible clone termination. Some wireless services
set up calling 'profiles' to describe the type of calling a certain
subscriber intends to make, such as non-roaming, interstate, etc. Calls that
are made out of profile require use of a PIN (personal identification number)
in order to allow the call to be connected, which means you either have to
steal the person's PIN or you just call everyone in the local calling area a
couple hundred times.

All in all, PCS's biggest advantages over cellular are that it uses
all digital technology, making it much less vulnerable to airwave theft, and
it is compatible with GSM technology (of course, the wireless companies WANT
you to think that higher cost is an advantage). Global Systems for Mobile
Communications (GSM) digital technology is the most advanced of its kind in
the wireless world. It offers a bunch of services that non-GSM systems don't
have, like integrated voice, data, fax, and paging capabilities, but most
importantly it eliminates cloning and eavesdropping (the victimless crime).
GSM also offers seamless roaming across North America, and allows for even
more secure personalized features with use of Smart Card technology, which is
available worldwide.

The only real advantages cellular currently has over PCS is coast to
coast coverage, which may not even exist in areas where providers have
disabled roaming due to concentrated fraud patterns, and phreak friendliness.
As stated before, PCS services utilizing GSM have coast to coast coverage as
well, but none bear the "phreak friendly(c)" logo. Cellular still remains
more popular than PCS mainly because of the cost associated with it. As PCS
matures its price will become more affordable and therefor more widely
accepted, and that means less and less clonable phones. I guess eventually
those people in organized crime will have to resort to stealing the phones
right out of people's hands.

-��-������������������������������������������������������������������������
Free UK Phonecalls - Josh Freedaleman
-��-������������������������������������������������������������������������

Yes...I know this subject has been covered a few times before but I have a
less dangerous way of getting free calls than the methods that have been
explained before.

I am gonna explain it in Lamer terms coz there is no hard way about it. In
my neighbourhood the phones are all connected to one pole which has a section
at the bottom which can be taken off, this is RIGHT outside my garden so it
is fuckin convinient for me to use this method.

All you need to do this method is have 2 things

1) Telephone extension line

2) Wrench with a nice little extension (like 1 inch or less) which has to be
TRIANGLE at the end.

To use all this you need to either live in an area with an old fone terminal
OR have a laptop. At the bottom of old fone poles about 5ft from the bottom
of the pole is a cut away part to the pole which contains all the wires etc
for that phone pole. It should look like this......

| |
| _____ |
| | | |
| | _ | |
| | |_| | |
| |_____| |
| |
| |

Thats the pole....(yes..i know i can't draw)...the big box inside the pole is
the bit which pulls away and the little box inside the bit which pulls away
is where you would insert you Wrench with the square-ended extension. You
need to twist it and of course....make this box bit come off the fone pole.
Once its off you will see loads of wires and also a fone jack (like the one
you plug your fone into at home)...Ignore the wires...all you need for this
is the fone jack. This is the method i use to make use of this fone jack.

The fone jack is the British Telecom Engineer's test fone line and is
therefore FREE!!! All I do is have a LONG telephone extension with about 1 ft
free of the white protective wire, so i just have 1ft with the VERY thin
coloured wire's showing. This is where you have to be VERY careful for many
reasons. The main reason is that after you have plugged your fone line into
this fone jack you will have to put the case cover back onto the pole, so you
have to be careful not to tear the thin wires which will be hanging out from
case...they r very unnoticeable because of their fineness (and the fone poll
is right next to my garden so i hide the line along my hedge and across my
garden) but I would ALWAYS recommend that you use this method for LATE NIGHT
USE ONLY!! I use it to phone foreign countries and for Hax0r use, and
although I only use it temporarily, real late at night and for a short time
period only it a MASSIVE saving on my previous fone bills.

If you have a Laptop computer you could use this method in a very secluded
area late at night, just make sure you don't spotted for hanging around as
the cops could be called out. As these type of fone polls are old they
mainly feature in secluded and rural area which is good for the phreaker.

This method is much easier than the method used on new fone polls, because on
new fone polls the box is found right at the top of the poll which is fuckin
high and climbing is risky to yourself and the chances of being spotted are
high. So hunt around and have Phun....Phreak Hard, Live Longer.

Josh Freedaleman
joshfree@bluedragon.net
http://www.bluedragon.net/cof

-��-������������������������������������������������������������������������
Introduction to ADSL - Rebel Entity
-��-������������������������������������������������������������������������

-��-���������������������������������������������������������
Introduction
-��-���������������������������������������������������������

What the hell does ADSL mean? ADSL stands for Asymmetric Digital
Subscriber Line and refers to the two way capability of a twisted
copper pair with analog to digital conversion at the subscriber end
and an advanced transmission technology. Basically, with ADSL, you
can download faster and talk over the phone while being online. This
is accomplished by using the upper frequency spectrum of the
telephone line for data transmissions while the lower portion is used
for POTS ( Plain Old Telephone System ). This service also do not
require any supplemental cabling or modification to the existing
phone line.

-��-���������������������������������������������������������
ADSL Description
-��-�����������������������������������������������������������

On the telephone lines, only the frequencies between 0khz and 4khz
are used. ADSL take advantage of this by using the upper portion
( 4khz to 2.2mhz ) of the spectrum for data transmission. The ADSL
line then provide asymmetric transmission of data up to 9Mbps
downstream ( to you ), and up to 800 kbps upstream. These rates
depend heavily on line length and line and loop conditions due to
signal degradation.

To connect yourself to your ISP, you need an ethernet card, an ADSL
modem and a plain old telephone line. As far as I know, this service
is not available in rural areas yet but I might be wrong. It is
however available in Canada in the Ottawa region. The installation
fee is around 200$ ( ethernet card included ) and the monthly costs
are around 70$ ( modem location included ) for unlimited time. Ok,
this gives you an idea how much it costs. Here are performance
specs for the Bell Sympatico ( ISP ) service here in Ottawa: 2,2
Mbps download / 1,1 Mbps upload. I don't have ADSL yet so I haven't
been able to verify these specs. You should also keep in mind that
the download speed is often dictated by the server you're connected
to.

ADSL is expected to perform as follow :

Data Rate Wire Gauge Distance Wire Size Distance

1.5 or 2 Mbps 24 AWG 18,000 ft 0.5 mm 5.5 km
1.5 or 2 Mbps 26 AWG 15,000 ft 0.4 mm 4.6 km
6.1 Mbps 24 AWG 12,000 ft 0.5 mm 3.7 km
6.1 Mbps 26 AWG 9,000 ft 0.4 mm 2.7 km

ADSL depends upon advanced digital signal processing algorithms and error
correction to squeeze so much information through twisted-pair telephone
lines.

Here's an ASCII schematic of a ADSL Tranceiver - Network End

ADSL modems use one of two techniques to separate data transmissions
from POTS: Frequency Division Multiplexing (FDM) or Echo Cancellation.

FDM works by assigning one band for upstream data and another one for
downstream data. The downstream band is then divided by time division
multiplexing into one or more high speed channels and one or more low speed
channels. The upstream band is also divided into corresponding low speeds
channels.

Echo Cancellation assigns the upstream band to over-lap the downstream one
and separate them using the Echo Cancellation method ( used in V.32 and V.34
modems ).

By either ways, POTS gets assigned a frequency.

The modem organize data in data blocks and attach error correction code to
each one of these blocks so the receiver is able to correct any errors that
might appear during the transmission.

This technology seems very appropriate for high speed Internet
connection and doesn't cost too much compared to ISDN which doesn't
even offers speeds similar to ADSL. Compared to the cable modems,
ADSL uses a dedicated line for each customer instead of using a
shared media like the modem cable for data transmissions. This
prevent bottleneck slowdowns in peak traffic hours.

[ Comments, flames or suggestions welcome ... lemirem@netcom.ca ]

-��-������������������������������������������������������������������������
Red Boxing in the UK - Josh Freedaleman
-��-������������������������������������������������������������������������

Ok...many of you must be thinking things like.."It doesn't work", "I was told
you can't red box" etc etc. Well i got news for you all, you CAN Red Box in
the United Kingdom unlike many of you are lead to believe and its pretty easy
to do.

All you need is :-

1) A Stereo Tape Recorder, preferably hand-held

2) A program that can generate tones (I use Soundforge)

3) Good talking persuasive voice

All you need to do in basic terms is record the tones on soundforge, record
them onto your tape recorder and emmit them down the phone when the operator
asks you to. The tones you need to record are all the same frequency and
that magic frequency is 1000hz!!! The time the tone is emmitted however
changes depending on the coin you want to pretedn to put in. The Lengths are
below :-

10p - 200milliseconds
50p - 350milliseconds

(remember all tones at 1000hz)

SO if you want �1 worth of calltime just emmitt the 50p tone twice, if you
want 40p worth of call time emmitt the 10p four times etc etc.

To get the tones to actually work you need to get your good, persuasive voice
on and talk to the "lovely" BT Operators. You need to get them to put the
calls through for you and when they ask you to put in your money you need to
blast out your tones. I have found this the hardest part of the whole red
boxing task. The Operators can be very ignorant and tell you to dial it
yourself so you need to make up some good excuses. Below is a sample of what
can be said, This is what I said last week.

<Me> Hello, I would like to place a call but sadly the 3 button
has broken
<Operator> No problem sir i can put the call through for you
<Me> Thank you
<Operator> Whats the number you would like to call?
<Me> Its..*blah* *blah*
<Operator> Ok sir, could you please insert you money
<Me> Sure *tones blasted out*
<Operator> Putting you through, thank you very much
<Me> Thank you

And I was put through to my call, thats an example of a successful attempt to
persuade the operator, below is an unsuccessful attempt.

<Me> Hello, I would like to place a call but the 3 button on the
fone has broken
<Operator> I'm sorry sir, could you please find another fone to use?
<Me> There isn't another fone around that I can use, can you
please put it through?
<Operator> I'm sorry sir, you are going to have to find another fone
<Me> But it is an emergency
<Operator> I can't help you sir, did you say the 3 key is broken
<Me> I did yes
<Operator> I will send an engineer out to fix it immediatly
<Me> Ok..Bye
<Operator> Bye

That was a very stubborn operator and I had to quickly leave the fone before
an engineer arrived!! More often than not it has been a success, it is just
a matter of being polite but persuasive, you have the 1000hz tones so use
them, just ignore the arrogent operators and keep trying until you find one
who will put the call through, its 96% successful for me on my 1st attempt so
Phreak 0ut and Have Phun.

Josh Freedaleman
joshfree@bluedragon.net
http://www.bluedragon.net/cof

-��-������������������������������������������������������������������������
Hacking the Standard Answering Machine - V
-��-������������������������������������������������������������������������

Many people overestimate the security of remote controlled
answering machines, in fact many people don't even know
answering machines can be controlled remotely.
Here is a quick guide to getting into an answering machine
and what you can do when you get there:

Okay, first you need to find out the remote access number
(Which is a ONE DIGIT pin, heh!) for the answering
machine. You can do this in two ways:
1) If you can physically get to the answering machine all
you have to do is read the remote access number from the
bottom of the machine! (a one digit number on a sticker
or etched into the plastic).
2) By trying all the digits on the keypad in the hope that
you'll find the right one. Heh, there are only 10 in
total! (no * or # is used). It is best to do this at a
time when you know the owner is out, if that is not
possible try phone early in the morning when the owner
will be too tired to get out of bed and will just let
the answering machine pick-up. You'll need to spread
this out so as not to make it sound too suspicious.

Once you have the remote access number then that's all you
need. Below are standard guidelines for the remote
operation of an answering machine - some things may differ
on other models of answering machine, but the principal
is roughly the same. If you got the access code by method
one then you should have noticed the make and model of the
device. If you did then try shopping around and pick up a
copy of the manual that goes with it - that will contain
plenty of more accurate information on remote operation.

-��-���������������������������������������������������������
Checking your messages
-��-���������������������������������������������������������

1) Make a call to number in usual way

2) Listen to the OGM and wait for the music and tone that
follow

3) Key in the remote access code by holding down the number
key for at least 2 seconds
---> If there are no messages you hear four beeps
instead of music

4) The answering machine rewinds the tape and plays back
the messages.
----> At the end of the final message you hear a
beep and then two more.

5) After the two beeps (or after the four beeps if there
were no messages), you have a choice:

a) To SAVE the messages - Simply hang up the phone.
b) To ERASE the messages - Press and hold the remote
access code for 2 seconds. Aftering hearing the four
beeps which will follow, hang up.
c) To REPEAT PLAYBACK of the messages wait for 10
seconds until you hear 2 beeps. Then press the
remote access code number for 2 seconds.

-��-���������������������������������������������������������
Changing the Out-Going-Message
-��-���������������������������������������������������������

1) Follow steps 1-4 as above

2) Press the remote access code number for 2 seconds (this
will erase all messages but is necessary to record the
OGM)

3) Press the remote access code number for 4 seconds (you
will hear 2 beeps followed by music while the tape
rewinds. You will then hear another beep)

4) Start speaking (the OGM is now being recorded)

5) When finished speaking, wait for 2 seconds, then press
the remote access code number for 2 seconds.

(You will hear 2 beeps followed by music as the tape
rewinds. the new OGM is then played back to you,
followed by four beeps - Go back to step 3 to record a
new OGM if you are not happy with the one you recorded)

-��-������������������������������������������������������������������������
Introduction to OpenVMS - sub version
-��-������������������������������������������������������������������������

Since there dosn't seem to be a whole lot of documentation out there on
VMS, i've decided to write some of what i've found about it. I havn't
had much experience using VMS before but recently gained access to one and
started exploring :)

I've looked around and found very little information on them.. most people
spouting about how VMS is cryptic (as if UNIX or even DOS isn't cryptic to
someone who has never used it before..) and impossible to crack. Personally,
I don't beleive anything is totally secure.. there are always ways to do
do something if you look in the right places. I did manage to find many
online documents released by digital on their home page..
http://www.openvms.digital.com:81 if you would like to learn more about
how to use VMS.. I mention a few things covered in the documentation and
add in a few things i've found either playing around or in the online help
(VMS has got to have the best help command ever :) )

Anyways enough rambling on my part...

-��-���������������������������������������������������������
Logging In
-��-���������������������������������������������������������

First off, you can recognize a system running VMS by the login prompt
which usually resembles something like:

--<snip snip>--

Welcome to OpenVMS Alpha (TM) Operating System, Version 7.1

Username:

--<snip snip>--

With maybe some extra text to the extent of: Unauthorized access will be
prosecuted to the full extent of the law etc. etc. I don't know *why*
people feel the need to put things like that as it usually makes people
want to get in even more just to see what secrets they are hiding that
are so special.. anyways on with the show...

There are a number of defaults you can try which have been documented in
many other files, but the only ones i've found to definatly be included in
the default user file are:

SYSTEM operator
DEFAULT default

The default passwords for both of these are ALWAYS changed [Unless the
admin is a REAL idiot].

some other common defaults are:

FIELD service
SYSTEST uetp

Sometimes there are public accounts set up (such as at universities,
libraries, etc..) which dump you into a restricted shell menu interface...
if you have such an account, there are a couple things you can try to get
to the DCL prompt. try using Ctrl-Y to break out at some point.. unless
Ctrl-Y is disabled this usually works good...

You can try using SPAWN to create spawn a new DCL shell from a MAIL> prompt
and probably from other places as well.

Another thing that works good if it is not a captive or restricted account
are login qualifiers. try logging in as:

Username: jdoe/nocommand
|_________|
\________bypasses login.com (which executes restrictive
menu shells, etc.)

Other login qualifiers you can use are:

/[no]command[=file] - bypass login.com [or execute file.com instead]
/disk - changes default system disk
/cli - changes command line interpreter [default is DCL]
/tables=[command table] - specifies alternate cli table [default is dcltables]
/new_password - shortcut to set a new pw on login [as if it has
expired]

Type HELP LOGIN for more detailed explanations on these.

As far as I can tell, none of this will work if you have a captive or
restricted account.

-��-���������������������������������������������������������
Once you are in
-��-���������������������������������������������������������

The first thing you should do once you're in is type:

$set control

This will enable Ctrl-Y [interupt] and Ctrl-T [displays system info] if it
was disabled for that account. The next would be to find out what actions
the system is logging and what may trip off alarms. VMS can be configured
to log and set off alarms for just about anything.

Here are some examples of what can trigger an audit or alarm:

- Installation of images (executable files).
- Certain types of file access (any attempt to read/write/delete/run a file).
- Process/subprocess/misc job [print, network, batch, etc.] terminations
- Volume mounts and dismounts.
- User messages.
- Access event requested by an ACL file or global section.
- Modifications to system and user passwords, system authorization file,
- Network proxy file, or rights database.
- Logins, logouts, login failures, break-in attempts.

There may be more they can audit but these are the only ones that I know
of.. to find out what kind of security your admin has setup, type:

$show accounting

It should then, depending on the setup, say accounting is disabled or spit
out a list of what is being watched. If you have a higher level account
you should also type:

$show audit

To see the actual level of security they have.

Protection codes control the types of access allowed (and denied) to
files in a similar way to unix but more verbose. The format is:

[category: access-list,(category:access-list,...)]

Categorys are defined as:

(W)orld - any user on the system
(G)roup - any user with the same group UIC
(O)wner - any user with the same UIC
(S)ystem - any user with a UIC inbetween 1 through 10 (octal),
has SYSPRV set, or is in the same group with GRPPRV set

Access-list is defined as:

(R) - read access
(W) - write access
(E) - execute access
(D) - delete access

With the directory command you can view file access permissions along
with lots of other information.

ie. with:

$ dir sys$system:authorize.exe/full

You might see:

--<snip snip>--

Directory SYS$COMMON:[SYSEXE]

AUTHORIZE.EXE;1 File ID: (399,2,0)
Size 380/380 Owner: [SYSTEM]
Created: 25-NOV-1996 22:23:21.17
Revised: 25-NOV-1996 22:23:53.66 (1)
Expires: <None specified>
Backup: 2-JAN-1998 22:07:08.38
Effective: <None specified>
Recording: <None specified>
File organization: Sequential
Shelved state: Online
File attributes: Allocation: 380, Extend: 0, Global buffer count: 0
No version limit, Contiguous best try
Record format: Fixed length 512 byte records
Record attributes: None
RMS attributes: None
Journaling enabled: None
File protection: System:RWED, Owner:RWED, Group: RE, World:RE
Access Cntrl List: None

Total of 1 file, 380/380 blocks.

--<snip snip>--

You can also use:

$show security [file]

To see just the access permissions for the file or device
to change file/directory permissions, type:

$set security/protection=(s:rwed,o:rwed,g:re,w) [file]

This would give world no access, group read and execute access,
owner and system full access.

AUTHORIZE.EXE is a neat little program which lets you view and edit
SYS$SYSTEM:SYSUAF.DAT which holds information on all the user accounts on
the system... from the file above we see anyone is allowed to read and
execute this program.. BUT you also need to have access to sysuaf.dat
which on most systems, is not world readable. If you DO happen to have
access to this, then you can go on and create your own users, modify
existing users, attempt to extract the users passwords, etc..

Authorize must be run from the sys$system directory or else it tells you
it can't find the sysuaf.dat file and prompts to create a new one [in
whatever directory you happen to be in] so you need to type:

$ set default
$ sys$system run sys$system:authorize.exe

which will give you a UAF> prompt.. I won't go into too much detail about
this function here... if you manage to gain access to this, you can type HELP
from that prompt and it will give you plenty of information [gotta love VMS
help files:)] keep in mind that if you decide to create some new users
[not recommened since a smart admin would most likly notice a new user name
on the system...] or modify access to existing users, giving the account full
access to everything is NOT a good idea.. again, a smart admin would
notice this and you would not be around very long... instead, set /defpriv
to netmbx (create network device) and tmpmbx (create temp mailbox) as
these are usually the only privileges allowed to the average user. then
set /priv to setprv which will give you the ability to set any privileges
for yourself using:

$ set proc/priv=all

"ok, yeh great but i can't access any of that stuff!@#$%!@$#"

Well in this case you have a few options... you can always try hacking out
more accounts... if that dosn't work, you can try creating a trojan which
is great if you have write access to any of the directories containing programs
that alot of people run.. this probably isnt very likely but if the admin is
really trusting or really stupid, it might. Basicaly the idea is to edit
a .com file (which is bassicaly just a script.. similar to a dos batch file
or a unix shell script..) add in some lines to check the access level of the
person running the file, if they have high enough access, have it change the
security of a file such as sysuaf.dat.. and authorize.exe if necessary.
read up on how to script with DCL.. i'm too lazy to explain that all here..
besides, it's big enough to deserve a whole file of it's own. anyways,
the next time you log in, you could simply go to sys$system and run authorize
to change your own privs, create a new user, etc. providing someone with
high access runs the file.

this text is by no means complete...and may or may not contain numerous
errors. The best thing to do is explore and find out for yourself! Lots of
documentation around... and lots of places like to run VMS.. :)

-��-������������������������������������������������������������������������
The Mailroom - scud
-��-������������������������������������������������������������������������

I am learning how to hack now and I understand a lot in my opinion. I was
wondering if you or anyone you know knows of any easy hacks that a beginner
would have no problem with. I just want to practice and learn more about
hacking. Thanks for your time.

Phlow

[ Personally if I was wanting to practice and not get in a lot of trouble
because I am beginning and dont want any logs to show up, I would just
work at hacking your box. (You do have Linux or BSD don't you?) I would
try some sendmail exploits, or other remote exploits to get in, and then
just keep cracking the system. Look at the logs that you create and edit
them, or find out how to sneak past logging. Practice locally until you
are a master at it, and then go on to cracking a real site. For more
guidance and help, check out hack-kit 2.0, at rootshell.com ]

---

Thtj,

I want informative computer security weaknesses/ attacks.
Specifically web server remote access faults. If your BBS is full or not
ready could you direct me to pertinant information.

Thanks!

[ You might want to look at the WWW security FAQ or some of the other FAQs
that are out there, pertaining to WWW servers. CERT, and just about all of
the other security reporting groups and mailing lists have many files
detailing the weaknesses in various servers.
We do not run a BBS, nor do we plan on having one. Sorry. ]

---
to: scud@thtj.com

This may or may not be common knowledge, but in Windows 95 and, surprisingly,
Windows 98, and probably NT (but i'm not sure), there's this "bug" so-to-speak
in the way it handles filenames.

In DOS, (remember DOS?) files can have a name with characters ranging from
a-Z, 0-9 and all the wonderous extended ASCII characters like � & �.
Windows 95 for some odd reason doesn't support extended character file names,
and if someone tried to create a file (or directory) in DOS called "�������"
and tried to delete (move, copy, or anything else) it in Windows, they'd be
fucked.

For the novice computer user, who's got a "sweet" Packard Bell fully loaded
with "hi-tek" Win95 and has no clue what DOS is, (or have kind of a clue, but
not really) this kind of a "bug" could cause a big problem.

Just try it yourself and see what kind of creative ideas you come up with.
Open DOS, type "MD", SPACE, and then hold down ALT while you type 0220 from
the number pad. Then, goto Windows and check out the properties...when was
the file created huh? Now try to delete it...you can't find what file you
say?

I can think of so many ways to take advantage of micro$oft's flaw.
I made a program called Crasher that does so, and it's availible at my
website:

[http://come.to/matic]

- the_enigmatic

[ I had not heard of this bug in Microslut's Win95. Thanks for
sharing with us. ]

---

Hi people of THTJ. Gonna be a short note, as I'm ready to pass out through
lack of sleep. Regarding a mail to thtj:

------- THTJ 18 Mailbox ------------------------------------------

Hey Scud,

I like your zine. Just wanted to make a comment that I think that maybe
should should write the journal in HTML format. It would add allot to the
zine, I'm sure u know, of the advantags. Thanxs, keep it up.

BTW, PGP public key?

�
nakar

�

[ After issue 6 it was too much work to convert 150+ k of text to
HTML, so we stopped making thtj in HTML. If one of you out there
wants to do it, by all means go ahead and let us know. ]

------------ E O F -------------------

Well, I done it all. I've converted all the THTJs I have issues 4-18 to
html. No <pre> shit, all the text has been converted to true html.
Obviously, the ANSI looks crap and the rest looks mostly like the original
text file, but if one of you sit down and work at it, 30 mins or so,
(simply add some nice body colour tags, a bit of java, and replace that dam
ansi with you HAVOC logo and you've got yourself nice html journals.

I didn't think any of you would appreciate me directly mailing you the
710KB file(all the htmls in one zip), so here it is uploaded at my server:

http://www.vincee.demon.co.uk/thtj.zip

Well, that's it. If you use this file, I'd appreciate if you let me know.

-Vince Gilligan

[ To Vince and several other people that e-mailed me about converting it to
HTML, I want to thank you all for converting everything to HTML. Vince, since
I recieved your e-mail first, I am giving everyone your site that they can
download it from until i get a copy of it on thtj.com. You are right in that
it does only take a short period of time to convert it, but I honestly have
so much to do right now that converting thtj to HTML is low on my list. ]

---

Scud O.

I dont usually do this sort of thing, but I just cant help myself this time.
What has happened to thtj? What happened to the interesting articles?
Lets take a quick look at some of the stuff in issue 17:

1) Basic Network Architecture Part I
This is knowledge anyone can pick up at a library.
This information belongs in a computer 101 class, not
in a hacking zine. Anyone interested in learning about this will
have NO problem what-so-ever obtaining the info on his own.

2) DNS: The Domain Name System
Nothing wrong with the article itself, but I think it belongs
in /usr/doc/howto/ rather then a hacking zine.

3) The Boot Process
See 1)

4) MMC: Microsoft Management Console
Im not even going to start on this one.

Following the last article i mentioned comes an email bomber (like we need
more of those for the lamers to play with), two DOS attack sources (see
comment on the bomber) and a "modified" teardrop version. (did you even
"diff" it before it was included??). Not to mention the clear "backdoor".
Dont you think root will become suspicious when he finds a SUID clear? The
entire point of a backdoor is to remain undetected.

This leaves us with two 6k articles about phreaking that I dont want to
comment on (since i dont know too much about it) and News + Mail.
This is a total of 51k. (the entire mag is 181k). I think the
numbers more or less speak for themselves.

Which brings me to my point (finally).. Is this the direction thtj wants to
be heading? Writing articles that allready have been covered a plethora of
times before, or are publicly available to anyone with access to a library?
If this continues, I fear thtj's readers will consist soly of people who are
to lazy to look for any information themselves, and these people will never
be hackers. There is a difference between educating and spoiling.

I guess right now you are thinking in the lines of "why dont you write an
article yourself rather than flame those who do?".. well, since this is an
anonymous mail you cant really be sure that I havent allready done so.

Ofcourse, this is all IMHO (although I belive most people who have read the
older issues and watched thtj grow into what seemed to be a new good zine
feel the same way)

I am _very_ interested in your views on this mail.

Signed
-Anonymous

(IF you include this in the next issue's mailroom, please do me the
curtesy of including the entire mail. This comment can be removed at your
discretion :) )

[ Anonymous,
You do have some good points on issue 17.

1> Yes, this article probably doesn't belong in a hacking zine.
2> The DNS article I ran because at the time I was promised 2 more
articles on DNS related hacking. As fate would have it, neither
writer delivered their articles for thtj18.
3> Ok, this is a bad judgement call. This article came from a project
I had to do for a Computer Architecture class. I liked learning a
bit about the linux boot up process, so I ran it in thtj17. Bad
judgement call.
4> The MMC intro is very basic stuff, but MMC is the next generation
of NT security software. I ran this so that people will have
heard about MMC so that when NT 5.0 is released, we can already
be at the gate and finding out the problems in NT 5.0.

simon gave me the 'modified' teardrop code and article about 10
minutes before I released issue 17. Once I had released 17 and looked
more at it, I saw the mistake I had made. A poor editoral decision on
my side. The suid clear backdoor has the potential to be a glaring
backdoor for sysadmins to see, but when you use it, it is all in the
eye of the beholder. Some sysadmins wouldn't think about it, and it
could work for a long time, or it could just be a one time thing to
get access to things and then you hide your tracks. Its all up to the
person using the code. A tool is only as effective as the person that
is using it.

Your fears on the path that thtj was heading to were very
similar to my own fears after issue 17. That was why I redesigned thtj
starting with issue 18, and it is also why I am working harder on
editing thtj than I have in the past. We are working harder to cut the
crap out of thtj, and get the first run hardcore technical information
but this job is not easy. This is also part of the reason why I will
be leaving for 2 to 3 issues and letting other people work on thtj.

Judging by how you started your e-mail I doubt that you have
written an article for thtj, looking at the message headers only
solidifies my findings. Although the headers could all just be a load
of crap, I still doubt that you have written anything. However, you
sound like you know what you are doing and you make some good points,
so maybe you should write something for us.

I am very interested in your views on this mail Anonymous, so
please e-mail me back using the fake e-mail address you did when you
sent this mail so I can be assured that it is really you. Also, if you
want, please give me an address where I can e-mail you at so you will
not have to wait a whole month to get a reply from me. Well, I
modified not a line of your e-mail, just like you asked me Anon. ]

---

Why are people emailing thtj-approvl....

Those people will not get added and there has been like about 100 of
them so far. I have no Idea where they are getting the idea they
need to email thtj-approval?

Make sure they use

subscribe thtj

or if they are not sure about the reply of the email

subscribe thtj <email addr>

May clearify things up a little

====================================================================
DoXiCaL ORC Networks Ltd.
\/ doxical@orc.ca 500 Lorne Ave.
/\TReMe http://www.orc.ca Stratford, Ontario, Canada
====================================================================

[ Dox, its beats the hell outta me, but somepeople cant undersatnd things
unless they hear it from the lion's mouth. ]

---

The mailing list has been relocated to x-treme.org

Also, on you home page, change the way to subscribe to

subscribe <list name>

without the email after, that will cause problems if they enter the
wrong email addy, there are about 100 people who have been rejected
because of that....

[ Thanks Dox.]

---

hey d00d! Id just like to say that your zine is really k-rad kick ass!
Now that the underground has you and phrack, there 'll be pleanty of
reading material! I just have a few questions 4 u.

[ I'm glad you like our zine, we try. ]

(1) You know in issue 4 when you were talking about NIMs? Well I was
wondering where I would find one of those on my house. I took apart the
bell systems little tall skinny green box in front of my house but there
was just 6 black battery terminal looking things and a big black metal box
with wires sticking out, no nice neat rj-11 jack like u said. And it was
alot bigger than a sunglasses case! Maybe I took apart the wrong thing?
Anyway, you said you were going to write a foloow up article. Which number
is that in? I couldn't find it.

[ Yes, you took apart the wrong thing. The NID is a wee bit bigger than a
sunglass case, and it is a grey plastic box. I never did get to finishing
that article on NIDs. I have moved on, but maybe one day I will finish it.]

Okay (2) You had that C looking code that was supposed to turn your modem
into a chat system. Well, how would I go about getting that to work. Is
it like a script that i would load with like a "copy `at xxx` > com4" or
something? And I would have to set the s register 2 1 before hand
proabably, like "at s=1". I would like to do that, it would be pretty
damned cool to have a chat system.

[ The code in thtj6 was ment for QuickLink software that comes with
most USR modems. I never developed the full code to make it stand
alone, because as I have said before, I have moved on. ]

I was wondering if you would like any authors? I could write about
VM/CMS, VAX/VMS, PRIMOS, RSTS/E or whatever. Just blast me some mail! I
would be glad to join up with you at havoc bell systems if you would take
me! I can take the little test you had set up in the early issues (like
PBX = Private Branch Exchange). But you said later it was invite only.

[ We are always looking for articles, but as of right this minute, HBS
is not looking for new members. That test we had in thtj5 i think it
was was merely a tool for us to get some PBX numbers. So don't
bother with it unless you *really* want to give us some numbers. ]

Laterz....

Special-K

ps: dont visit my website, it's not up yet!!!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Special-K

NEUA (North Eastern Underground Alliance)
http://sdf.lonestar.org/~specialk/

---
[ In reference to sendmail885.c ]

The only thing this piece of code does , is adding two new accounts to
the local box...well because of it is run as root there is no problem
that these two accounts cant be created on the local machine . Have you
ever tried it yourself ???

[ Yes, I did run the code myself. We ran this in thtj18 as a spoof to see
how long it would take people to discover what this really did, and to
see how many people did use the code. Since I got your letter first, you get
the THTJ Offical No-Prize! ]

---

-��-������������������������������������������������������������������������
Reader Survey - Staff
-��-������������������������������������������������������������������������

[This survey is designed to help us better suit our magazine to the reader,
or we may just be trying to get a good laugh, but we haven't decided yet.]

Nick:
M/F:
Age:
Occupation/grade:
City:
State/Province:
Zip Code:
Country:
Area Code:

Why do you read The HAVOC Technical Journal?

Where did you get this issue?

Are you a subscriber to THTJ?

What other zines do you read on a regular basis?

What would you like to see in future issue of THTJ?

What would you add or subtract from THTJ's format and articles?

On a scale of 1-10 ( 1 being lowest, 10 being highest), how would you rate
The HAVOC Technical Journal?

Any extra comments?

Please send all replies to scud@thtj.com

�--�������������������������Ŀ
: [ ] Do not check this box! �
�-��-�������������������������

For office use only:

[ ]D [ ]X [ ]W [ ]Y [ ]0 [ ]1 [ ]0 [ ]1
(don't ask, we don't have a clue what this is for)

-��-������������������������������������������������������������������������
Fin.
-��-������������������������������������������������������������������������

Well, once again thank you for reading this fine issue of thtj. Tune in next
month, same bat time, same bat channel! While you are waiting to read the
next issue, why dont you send us some mail, or fill out the reader survey, or
better yet, write an article for thtj?
scud_ <scud@thtj.com>