< The Israeli Underground Information eXchange >

                    Chaos IL - Issue #5, 04/Oct/1998

        ~ If freedom is outlawed, only outlaws will have freedom ~

Chaos IL Issue Five Index:
~~~~~~~~~~~~~~~~~~~~~~~~~~

01. ISSUE#5: Intro & News .................................. by morgoth
02. BezeqNet - The central of phreaking .................... by morgoth
03. Automatic Number Identification (ANI) .................. by morgoth
04. TTYs and Relay service - newschool of free calling! .... by mr. jones
05. PBX Security & Hacking bible ........................... by mr. jones
06. Resources & Credits

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[ snap your ass at: http://www.bezeq.org ]


*** 01. ISSUE#5: Intro & News

" Spreading H/P on the 972 scene "   ! Issue #5 !   (c) Chaos-IL Foundation 1998

greetings! after a long, LONG idle time we, once again, bring you a brand new,
fresh and leet issue that will dazzle you. our last release, ISSUE#4, was
released on 26/07/98, about 3 months ago. yeah, we are a bunch of lazy
junkheads; this issue is small indeed but informative as always - I worship
whoever said "It's the quality that counts, not quantity!". we've gone through
some changes during the last few months and I would like to give a special
greet to all the people who donated to us and helped us compile this issue (and
previous ones). WERD UP.

-- morgoth

NEWS! NEWS! NEWS! NEWS! NEWS! NEWS! NEWS! NEWS! NEWS! NEWS! NEWS! NEWS! NEWS!

* I would like to welcome an oldschool phreak, back from the good h/p/a days in
  1993 - the adorable MR. JONES!

* some members have been removed from the memberlist due to *MAJOR* inactivity
  or just notorious lameness. don't bother bugging us about it since there is
  nothing you can do to help yourselves.

* our irc channel #Chaos-IL is no longer supported until further announcement.

* printed, colorful issues of Chaos-IL are now available! collect your own
  Chaos-IL papers. for further information, contact the staff.

* NOTE! our new web site is located at: http://www.bezeq.org
  ( www.chaos-il.org is down for good ).

- ANNOUNCEMENTS -

* ARTICLES *
We are open for applications. If you have any interesting information for us,
and you are willing to write an article about it or just to share the
information with us and let us handle it, contact the staff.

* MEMBERSHIP *
currently, membership will be considered by the amount of articles. if we want
you in our membership, WE will get in touch with YOU.

--- [ MEMBERLIST ]

mr jones ........ ( mr_jones ) .. member ............ mr_jones@hotmail.com
fourth horseman . ( _4thm ) ..... member ............ 4thm@
skade ........... ( skade ) ..... member ............ skade@
the errormaker .. ( Emaker ) .... member ............ emaker@the-pentagon.com
the trick ....... ( trick ) ..... member ............ ttrick@yahoo.com
easy ............ ( Easy ) ...... member ............ easy@
mystify ......... ( mystify ) ... member ............ mystify@
terminal man .... ( termi ) ..... member ............ terman@netlane.com
dissection ...... ( ^[dSN]^ ) ... member ............ dsn@

send applications/submissions to: morgoth@hempseed.com

--- [ DISTRIBUTION ]

Chaos IL Issues will be regularly available once released on the following
distribution boards and sites:

Anarchy Workshop ..... +972-X-XXXXXXX .. X Nodes .. ILHQ ..... *on hold*
Sardonyx ............. +972-3-XXXXXXX .. X Nodes .. MEMBER ... *on hold*
Liquid Underground ... +972-3-XXXXXXX .. X Nodes .. MEMBER

ftp.mag.co.il ........ /cHaos-il/
ftp.fc.net ........... /pub/phrack/underground/chaos-il/
ftp.auscert.org.au ... /pub/emags/chaos_il/

                                                  Chaos-IL Foundation 1998


*** 02. BezeqNet - The central of phreaking

        " BezeqNet - The central of phreaking "
        explored & done by morgoth
        (c) cHaos IL Foundation 1998

Yeah. that's a pure fact: a big part of you, the "eleet" Extending/PBXing
people, might think that BezeqNet is the most risky ISP for PBXing through,
because it's a Bezeq subnetwork and when PBXing you are cheating Bezeq. well,
that's major bullshit - bezeqnet is the most SECURED ISP to PBX/Extend to, and
take that as a fact. why? it's even approved in the following disclaimer given
by the bezeqnet admins, displayed first when you log into the BezeqNet system:

_______________________________________________________________________________

Bezeq, The Israel Telecommunication Corp. Ltd. welcome you to BezeqNet.
Through BezeqNet you will be able to obtain information on a variety of
topics, from different sources, and access the internet through different
internet service providers. The Information suppliers and internet providers
on BezeqNet are solely responsible for the services they provide.
Bezeq is not responsible for the contents of information, or the quality of
service supplied by independent companies. BezeqNet service is provided upon
the condition that Bezeq shall not be reliable for any act or omission on the
part of any information supplier or internet provider to which access is
provided on BezeqNet.
_______________________________________________________________________________

In other words, BezeqNet is not an actual ISP; mainly it's just a machine that
follows links to other providers and gets paid double for it ("money" - not in
our case :P).

  "BezeqNet service is provided upon the condition that Bezeq shall not be
  reliable for any act or omission on the part of any information supplier or
  internet provider to which access is provided on BezeqNet."

In other words, you can phreak the ass out of each provider that bezeqnet
follows a link to, and in case the provider detects your illegal act, they
can't even report it to BezeqNet - because, as just quoted, bezeqnet is
provided upon the condition that bezeq shall not be reliable for any act or
omission on the part of any information supplier or internet provider to which
access is provided on BezeqNet. when the ISP signed with bezeqnet to be linked
through bezeqnet's network, they signed on this condition, which actually gives
us a HUGE advantage when phreaking through bezeqnet.

Here is some qualified information on how bezeqnet supports the phreaks:

***

As you know, each ISP has a monitor computer (or computers) that can
automatically manage the online status (users online, activities,
anti-idling, etc). for security reasons, due to frauding of ISPs, account
hacking and the like, sometimes the monitoring is done manually by a person
who works for the ISP, who tries to figure out/scan for any illegal
activities being made on the network (things that auto-monitoring systems
can't always detect). this guy goes after users that are online for too much
time, which makes them look strange, checking their account info and looking
for a voice report of this account being hacked during the last few weeks,
etc.

let's say the ISP we are talking about is SHANI, for example, which is
connected/linkable through bezeqnet. when the monitor guy looks around, or even
when the auto-monitoring systems check up on users that are online for too
much time, they don't even mess with the users that are connected to SHANI
through bezeqnet! why? because they just can't check it up. the linking to
SHANI through bezeqnet is simple and is made like this: SHANI has one or two
multi-access accounts that are owned by bezeqnet, with at least 200 user
simulations available on them. each time you choose to connect to SHANI
through bezeqnet, the head simulation of the account automatically opens
another simulation (randomly) and you are logged through it. the monitor guy
sees the bezeqnet account(s) on SHANI's monitoring system (once again, I am
using SHANI here as an example only) and the most information he can get about
this account is the number of users that are connected through it. therefore,
there is NO actual information about you on the ISP even if you are connected
for a few days in a row!

Techniques for the BezeqNet phreak
----------------------------------

* Stay ON *

If you are a daily bezeqnet phreak, you prolly know those pissing situations
when you come back after idling and notice you've got disconnected. well, this
annoying shit can be easily arranged. if you are using a Win9X OS, get a
program like StayOn or AutoCon that will use the connection the way you
configure it and will auto-reconnect to the net when getting disconnected. one
or more of these programs can be reached at: BLACKACID.PHEARED.COM &
WWW.TUCOWS.CO.IL. If you are using a *X OS, I know of such a script program for
Linux that can be reached at WWW.LINUXNOW.ORG - for other OSs, just check it
out from your OS homepage's link to archives or the like.

* Taste some hax0ring *

BezeqNet is well backdoored; here's a pretty nice one that I found out during a
connection attempt. totally normally, I connected to bezeqnet and instead of
getting the feature providers screen I got this prompt:

I didn't actually know WTF was going on, but as in all systems, I tried getting
some info with the help command and this is what I got:

  ? help
  Help screen
  mode          Turn off privileged mode
  ppp           start PPP connect
  telnet        Open a telnet connect
  tunnel        Open a tunnel connect
  exit          Exit from procedure

Have you ever attempted to connect and got this? if so, this is your LUCKY DAY.
I couldn't actually figure out what this system is used for, but because all I
did was call bezeqnet, I assume they were rebooting/rehashing right when I was
attempting to connect and because of that, I got into this section. however,
the TELNET command is used just as a normal VT100 telnet, but without any
graphics of course. the TUNNEL command didn't work for me, so I have no idea
how it works. the PPP command is the magic of this thing :), it will connect
you to the net in PPP mode, directly through the main BezeqNet computer. the
other day I found out about this thing; I used the PPP command to connect and I
was online for over 5 days in a row... as I said, if you attempted to connect
and got into this section, this is your lucky day :) your domain will be
bezeq.net or bezeq.co.il. the EXIT command will disconnect you, so don't use it
unless you can't find any use for this system. I couldn't figure out the MODE
command; it prompts to turn off the privileged mode, which means that the
current mode we are in is privileged? I couldn't find any hidden commands that
might be for privileged mode only. if you find any, let me know.

This is it. hopefully I'll add more new information in the future. for further
information / questions / etc... email me at morgoth@hempseed.com


*** 03. Automatic Number Identification (ANI)

        Automatic Number Identification (ANI)
        by morgoth
        (c) Chaos IL Foundation - 1998!

( --------------------------------------------------------------------------- )

ANI stands for Automatic Number Identification. it's a packet that is sent
every time you dial at least 7 digits on the phone, and it tells a lot of
information about you. it gives the name of the person the phone number is
registered to, the phone number and area code, and any other information
relating to you directly. this technology has been here since bezeq first
started, but its development first started in 1990, when bezeq found out about
too many frauds going around their network. a lot of people were asking me "Do
177, 1800, etc numbers get my identification and information when I call
them?" well, the answer unfortunately is yes. but, thanks to the phreak-full
minds around us, anything, as always, can be bypassed.

as said above, ANI is a machine that sends a packet to your line, getting an
identification reply from your line and logging it. the action is similar to
ctcp ping / ctcp ping replies when ircing. as you probably know, the most
familiar problem of bezeq's and other telecommunication networks is the
situation called "voltage overflow", which happens (in our case, as in Bezeq)
when the network tech is taking more than what it can provide. that usually
happens when too many calls are made at once, etc.
to use as few network resources as possible and to prevent a voltage overflow
in the future, the ANI machine is built to identify only 1 route of
signalling. in other words, it can get identification info on only 1 phone
line. this will make it clearer for you; let's say I have this IBM free 177 #
which lets me connect to the net with no charge at all. I want to connect to
it, but I am afraid that IBM will get my line information through the ANI and
will trace my ass. so, I am connecting from a PBX, or any other exchange that
can let me make another route (call).

                    ANI                          ANI
        ** ---------------------- ** ---------------------- **
        ||      ( route 1 )       ||      ( route 2 )       ||
        \/                        \/                        \/
   morgoth's stinky              PBX              IBM Free 177 (example)
   house

I called from my line to a PBX, and from the PBX to IBM. all this way from my
line to IBM is 2 routes. and as I said before, ANI detects the last route only.
which means that, as far as IBM knows, the call that was just made into their
177 was made from the PBX. and their ANI logs the last route, which is route 2
(PBX).

Conclusion: Connecting to a number through a PBX/Extender or any exchange that
lets you open another route (call) is secured in * 100% * and totally gets you
out of any traceable possibility!

that's it. if you _really_ need some further information about ANI, I can help
you. or if you have some headache questions regarding this article:
morgoth: morgoth@hempseed.com

thanks to: Foneman, prym, Eagle_1, player-x


*** 04. Israeli TTYs/TTDs and Relay service

----------------------------------------------------------------------------
-                 Israeli TTYs/TTDs and Relay service                      -
-                 the newschool of call frauding!                          -
-                 done by Mr. Jones / cHAOS.IL 1998                        -
----------------------------------------------------------------------------

TTYs/TTDs and Relay service - by Mr. Jones
------------------------------------------

introduction:
-------------

You can make free calls anywhere in the world with the help of the TTY/TTD
relay service. let me explain what a TTY/TTD is: it's a machine/device; it has
acoustic couplers, a keyboard and an lcd screen. If you don't have a tty, you
can still make your computer into a tty, just get a terminal program that can
set your modem at 110 or 300 baud, half duplex, 8N1 parity, and CR settings. I
will explain more on how to set up your computer to act like a tty later in
this article.

TTD/TTY Relay Service is a service for Deaf people with TTD/TTYs; they call the
relay service and make calls to hearing people... and the operator relays it
all. it's like this --

  operator==> Tel-Aviv Relay Service Relais operator #8032 ga
  me==>       Hi id like to make a call to John Doe at Tel-aviv, 03-677XXXX ga
  operator==> Okay, Dialing.. ringing 1, 2, hello ga
  me==>       hello, this is mr jones.. how are you doing John ga
  john==>     im doing fine, how about you? ga
  me==>       i gotta go, bye sksk
  operator==> would you like to make another call? ga
  me==>       no thanks, bye for now ga to sk
  operator==> have a nice day sksk
  me==>       (thinks, yeah.. thanx for the free call) sksk
  *click*

that's an example of a relay operator conversation with a friend.

how the relay service works:
----------------------------

the Operator has a tty and a telephone. you call the relay operator and type
what you want to say to the hearing person; the operator reads what you type
and speaks it to your friend, and your friend speaks back, and the operator
types what your friend says to you. and you type back.

making free callz using relay service + extender or pbx:
--------------------------------------------------------

Ok, I found out a really neat thing.. I called Hertzellia's relay service with
an extender, (pbx/extendernumber,,code,,relayservice#).
then the bell relay operator answers. I asked her what my # was, and the relay
operator said it was 177022XXXX (that's the # of the extender I used to call
the relay service in Hertzellia). bingo. The relay operator doesn't know my
real # and therefore I can make long distance calls anywhere in the whole
world. And the operator charges those calls to the extender, not your number!

setting up your computer to call tty relay service:
---------------------------------------------------

Now, you don't have a tty eh? go buy one! but ehh, it's way too much money if
you are not a deaf person. you can turn your computer so that it acts like a
tty! ascii code is used. ASCII stands for American Standard Code for
Information Interchange. Some TTYs and all computers in the US/Canada use
ASCII code. IF you use ASCII, you may need to change some options. The options
you can change are as follows:

Baud rate is how fast characters travel. You can choose 110 or 300 baud, but
110 is rarely used. The default baud rate is 300.

Duplex controls how characters are displayed. If you get double characters
(lliikkee tthhiiss) or none at all, change the option between half duplex and
full duplex. The default is half duplex.

Parity controls error-checking. You can choose 7N1, 8N1, 7E1, or 7O1. The
first number is data bits. The middle letter means (N)o parity, (E)ven parity,
or (O)dd parity. The last number is stop bits. 8N1 and 7E1 are used most
often. The default is 8N1 parity.

Return determines what the TTY sends when you press the return key. You can
choose CR or CR/LF. CR (carriage return) goes to the beginning of the current
line. CR/LF (carriage return plus line feed) goes to the beginning of the next
line. The default is CR.

To connect your computer to a TTY, you should use 300 baud, half duplex, 8N1
parity and CR settings.

TTY Language (Conversation Etiquette):
--------------------------------------

you need to know the tty codes to communicate with the Operator when you
connect to a TTY. the language is usually Hebrew, but they will talk to you in
English too. anyway, I don't even know the way they talk in Hebrew, because
I've lived in Israel for only 2 years..

GA       = When you talk with another person by TTY, you type while the other
           person reads. When you want the other person to respond, type GA
           for "Go ahead." i.e. hello john, how are you GA

GA OR SK = To say goodbye, type GA OR SK. This gives the other person a chance
           to say any last words before ending the conversation.

SKSK     = Type SKSK to end the conversation.

Q        = Some people prefer to type Q instead of a question mark because it
           saves time and is easier to type.

You can use punctuation marks such as commas and periods, although many people
choose to omit them. you may also abbreviate words, such as:

  GA  = go ahead          OPR = operator
  SK  = stop keying       PLS = please
  CD  = could             Q   = question mark
  CUL = see you later     R   = are
  CUZ = because           SHD = should
  HD  = hold              THX = thanks
  MTG = meeting           TMW = tomorrow
  NBR = number            U   = you
  OIC = oh i see          UR  = your

getting TTY relay service #s:
-----------------------------

call 144, ask for some #s of "deaf centrals", places like schools for deaf
people, the union for the deaf, etc. call those places and say your brother is
deaf, you bought him a TTY and you want #s of relay services in your areacode.
you better not say "TTY", say a number where he can use the telephone deaf
machine to make calls, etc.. all depends on your level of bullshitting!
personally, I have pretty many #s but I don't have them all yet.. I think there
are more than 5 TTYs in each areacode for sure..
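The ASCII-mode settings described above (7N1, 8N1, 7E1, 7O1, and the half/full duplex echo symptoms) can be modelled to see exactly what a mismatched parity or echo setting does to the characters on the wire. This is an added example, not code from the article or from any TTY vendor; the function names and the sample characters are my own.

```python
# Added example: serial framing for the TTY ASCII-mode settings the article
# lists (7N1, 8N1, 7E1, 7O1) and the half/full duplex echo symptoms it names.
# Function names and sample inputs are my own, not from the article.


def parity_bit(data_bits, mode):
    """Parity bit for the data bits: 'N' none, 'E' even, 'O' odd total ones."""
    ones = sum(data_bits)
    if mode == "N":
        return None
    if mode == "E":
        return ones % 2          # make the total number of ones even
    if mode == "O":
        return 1 - ones % 2      # make the total number of ones odd
    raise ValueError(f"unknown parity mode {mode!r}")


def parse_setting(setting):
    """'7E1' -> (7 data bits, even parity, 1 stop bit)."""
    return int(setting[0]), setting[1].upper(), int(setting[2])


def frame_char(ch, setting="8N1"):
    """Bits as they go on the wire: start bit, data LSB first, parity, stop."""
    nbits, mode, stop = parse_setting(setting)
    code = ord(ch)
    if code >= 1 << nbits:
        raise ValueError(f"{ch!r} does not fit in {nbits} data bits")
    data = [(code >> i) & 1 for i in range(nbits)]
    frame = [0] + data                       # start bit is a space (0)
    p = parity_bit(data, mode)
    if p is not None:
        frame.append(p)
    frame.extend([1] * stop)                 # stop bits are marks (1)
    return frame


def unframe(frame, setting="8N1"):
    """Decode one frame with the receiver's setting; returns (char, ok).

    ok is False when the parity or stop bit does not match the setting,
    which is what a receiver configured with the wrong parity sees."""
    nbits, mode, stop = parse_setting(setting)
    if not frame or frame[0] != 0:
        return None, False
    data = frame[1:1 + nbits]
    pos = 1 + nbits
    ok = len(data) == nbits
    if mode != "N" and ok:
        ok = pos < len(frame) and frame[pos] == parity_bit(data, mode)
        pos += 1
    stop_bits = frame[pos:pos + stop]
    ok = ok and len(stop_bits) == stop and all(b == 1 for b in stop_bits)
    code = sum(b << i for i, b in enumerate(data))
    return chr(code), ok


def chars_per_second(baud, setting="8N1"):
    """Throughput: bits per frame is 1 start + data + parity + stop bits."""
    nbits, mode, stop = parse_setting(setting)
    bits = 1 + nbits + (0 if mode == "N" else 1) + stop
    return baud / bits


def screen_output(typed, terminal_echo, far_end_echo):
    """What shows on your screen.  Half duplex = the terminal echoes locally;
    if the far end echoes as well you see doubled characters (lliikkee
    tthhiiss); full duplex with no far-end echo shows nothing at all."""
    out = []
    for ch in typed:
        if terminal_echo:
            out.append(ch)
        if far_end_echo:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    f = frame_char("A", "7E1")
    print(f, unframe(f, "7E1"), unframe(f, "7O1"))  # second decode fails parity
    print(chars_per_second(300, "8N1"), chars_per_second(110, "7N1"))
    print(screen_output("like this", True, True))
```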
extra technical info:
---------------------

Communication Codes:
  Automatic code detection on outgoing calls (Turbo Code, ASCII or Baudot)

Baudot Code:
  45.5 and 50 baud
  Sensitivity: -45 dbm, 67 dBSPL (min)
  Output: -10 dbm

Turbo code:
  100 baud (average)
  7 data bits

ASCII Code:
  7N1, 8N1, 7E1, and 7O1
  110 and 300 baud
  Answer and originate
  Full and half duplex
  Compatible with Bell 103 modems

---

So, just set your modem up and dial an extender then the relay service, boom..
call any friend anywhere, anytime. :)

article by mr_jones. any questions, reach me at mrjones@hotmail.com or
irc/efnet - mr_jones

c'ya all

[EOA]


*** 05. PBX Security & Hacking bible

# 01/10/98 #
###########################################################################
#                                                                         #
#                        ((- PBX Hacking bible -))                        #
#                                                                         #
#                          ((- by MR. JONES -))                           #
#                                                                         #
#################### (c) Chaos IL Foundation 1998 ########################

Note from the author:

well, I haven't been around for a few years since I was abroad. I hope some old
people who are still alive (from the old scene) can still remember me ;) I say
HI to The Highlander.. if you are still alive and see this! ... I was one of
the first people to use pbx's in israel and I haven't noticed any stuff
changing until today. hope it'll stay that way forever ;)
___________________________________________________________________________

I am not writing this to get a whole bunch of .il newbies in trouble. that is
not my intention. I want the public to be informed on how to hack pbx's
nowadays. actually not that much has changed. but if you have a few minutes, I
can share with you my ideas on how to hack them, and what I've learned about
not getting caught.

the main thing you want to keep in mind is, you want a toll free PBX, so you
can call it from payphones and talk away, free of charge. the best way I've
found to get them is to use Toneloc (or your favorite scanner) to scan for
tones. pick a prefix you think will be decent. when I pick a prefix I usually
try even numbers, like 177-022, 177-100 .. but it doesn't really matter. what
toneloc does when you scan for tones is, it puts the regular dial string with a
W; after it. ( ATDT177-022-0000 W; )

* get used to putting ATS11=40 in your init string.. it speeds dialing *

once you have a logfile of the scanner with a few pbx #'s in it... it's time
for the hack. don't be stupid! do not call ANY of those pbx's in the logfile
from home (again). you already called it once (with your computer); that was
enough, your ANI has already been logged by the company you called, but it's no
big deal, you haven't done anything wrong damnit!@# (take a look at the article
covering "ANI" by morgoth if you don't know what ANI is)

print out the logfile with the found numbers. clear your phone line and make
sure you have a pen. call the 1st one on the list. you really want to do this
as fast as possible unless you are a bumfuck and you wanna have all day to
waste on this shit. when you hear the familiar tone the 1st thing going thru
your mind should be, "I want to find out how many digits this code is". most
of the time this can be figured out by hitting 9 and counting how many times
you can hit it before you get another tone or a message comes on saying
invalid code. the best numbers to try 1st are:

* hit 9 and wait a few seconds, see if you get another tone.
* try hitting 9#; if that doesn't work try 8# and so on. it's worth a shot.

what you are really trying to get is a dialtone or a different tone than the
one that answered. when you hear the different tone, you can pretty much guess
you have an unrestricted dialtone. if these first few methods didn't work (no
worries, they probably won't, most companies are getting smarter in the 90's)
then you want to move on to the brute force method.
once you have established how many digits the pin you are looking for is (we
are going to say this PBX is a 4 digit pin, because after it answers, if you
hit 4444 an operator comes on and says you have entered an invalid code), you
get your pen and paper ready and write down something similar to this:

  0000   2222   4321   5000   7000
  1000   2345   4000   5111   7111
  1111   3000   4444   5678   7777     ( see a pattern developing?! )
  1234   3333   4567   6666   8888

keep on calling back and trying the next code on the list. those are just a
few common ones for a 4 digit pin. I didn't list them all; I think you can
figure it out. try 9999 of course, it is usually a popular one ;)

If none of the codes work that you would think are the most moronic, you have
to spend some time calling and entering #'s in sequentially. Eventually you
will get it. if you are attempting this method, use it on a 3 digit code pbx. 4
digits could take you forever w/o a computer. If you find that a PBX has an 8
digit code or more, you have 2 options:

  1. SAY fuck that PBX, there are millions out there waiting for me
  2. HACK it from home with your computer and get caught!@#

so what I'm basically saying is stick with the 3 and 4 digit code PBX's; they
are MUCH easier to gain access to. move on down the list until you have circled
the ones you want to try and hack. don't spend too much time on one pbx unless
you only have a few there. if for some reason an operator comes on, hang up,
don't mess with her. call the PBX back at a later date and retry. also some
PBXs you will call and get a voice operator. Look at the time your computer
found it and call back at that time; a lot of PBX's have hours and will only
work after the company is closed.

once you have access to the PBX don't give it out to everyone. That is the
quickest way to see one die. keep it to yourself, and stick to the following
rules I've collected:

## you might use it from home, with your regular line. but this risk can cost
   ya bigtime, in case you don't know who owns the PBX - you don't know who you
   are messing with. make yourself a limit and never use the PBX from your home
   with your own line unless it is an "emergency".

## if you are about to use it for LD calls, you better figure out what company
   owns the PBX and what kind of a company they are. nearly always, an
   international company won't detect your LD calls considering they are
   pretty short and rare. but, a local (Israeli) company will get the PBX or
   YOU down after your LD calls show up in the first month's billing!

## it's always recommended to check who you are messing with and find out as
   much information as possible about the PBX owners. if you have any other
   (secured) free calling methods, take no risks at all and always connect to
   the PBX through your other free calling method (extender, etc). nobody
   requires that.. ;)

### END ###

[ done by Mr. Jones ]
[ greetz: serial-k, morgoth, suspekt, skade ] all of CHAOS IL
send questions to mr_jones@hotmail.com
______________________________________________________________________________


*** 06. Resources & Credits

Bezeq TeleCommunications INC.
Barak Israel-International INC.
GreenShop Computers (TEL-AVIV)
IDC Communications INC.
AT&T Communications INC.
SPRINT Global-One Communications
Israel Telegraph LTD.
2600 Magazine
Phrack INC. Newsletter
Informatik E-Magazine
PLA - Phone Losers of America
Hacker's Heaven (BBS)
Underground Society (BBS)
Route 666 (BBS)
Liquid Underground (BBS)
#972 #phreak #telephony #root #2600
www.border.com
www.etext.org
www.l0pht.com
www.lat.com
www.itd.nrl.navy.mil
ftp.fc.net
The Prototype
Captain Crunch
"T.S" (Bezeq 144/199 Operator)
"C.B" (Bezeq 188 Operator)
"N.I" (Sprint Global One Operator)
retro, Manomaker, phriend-, Anti-D, deadzed, prophet, Substance, jizm, stoner,
f0k, Mindroot, skade, Toast, BelowZero
* ALL of Chaos-IL Members

-[EOI#5]----------------------------------------------------------------------
                                          (c) Chaos-IL Foundation October 1998
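Seen from the PBX owner's side, the signals the PBX article itself points at (a modem scanner connecting and hanging up, a run of invalid codes from one caller, use after the company is closed, LD calls that otherwise only show up on the monthly bill) can be picked out of the call detail records long before the bill arrives. This is an added example, not the article's code or any PBX vendor's; the record layout, the field names and the sample lines are constructed for it.

```python
# Added example (not from the article): flag the DISA/PBX abuse patterns the
# PBX Hacking bible describes, from the owner's own call records.  The record
# layout and the sample lines below are constructed for this example.
from collections import defaultdict
from datetime import datetime

# Constructed sample CDR lines.  Fields: date, time, calling number (ANI),
# result of the inbound DISA call, destination dialed ("-" if none), seconds.
SAMPLE_CDR = """\
1998-10-02 02:10:11 +972-3-5550101 HANGUP       -                 3
1998-10-03 23:41:02 +972-3-5550101 INVALID_CODE -                 12
1998-10-03 23:42:15 +972-3-5550101 INVALID_CODE -                 14
1998-10-03 23:43:30 +972-3-5550101 INVALID_CODE -                 11
1998-10-03 23:46:05 +972-3-5550101 OK           00-1-212-5550199  1260
1998-10-04 10:15:00 +972-3-5550177 OK           03-6770000        95
1998-10-04 11:02:30 +972-3-5550177 INVALID_CODE -                 9
1998-10-04 11:03:10 +972-3-5550177 OK           03-6770000        40
"""


def parse_cdr(text):
    """Parse the whitespace-separated records into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, ani, result, dialed, secs = line.split()
        records.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "ani": ani, "result": result, "dialed": dialed, "secs": int(secs),
        })
    return records


def detect(records, business_hours=(8, 18), max_invalid=3, probe_secs=5):
    """Return (ani, reason, detail) alerts for the patterns in the article:
    scanner probes (connect and hang up within seconds), code guessing
    (repeated invalid codes from one caller), after-hours use, and
    international (00-prefixed) destinations reached through the PBX."""
    alerts = []
    invalid = defaultdict(int)
    for r in sorted(records, key=lambda r: r["ts"]):
        ani = r["ani"]
        if r["result"] == "HANGUP" and r["secs"] <= probe_secs:
            alerts.append((ani, "scanner-probe", r["ts"].isoformat()))
        elif r["result"] == "INVALID_CODE":
            invalid[ani] += 1
            if invalid[ani] == max_invalid:       # alert once per caller
                alerts.append((ani, "code-guessing", f"{max_invalid} invalid codes"))
        elif r["result"] == "OK":
            start, end = business_hours
            if not start <= r["ts"].hour < end:
                alerts.append((ani, "after-hours", r["ts"].isoformat()))
            if r["dialed"].startswith("00"):
                alerts.append((ani, "international", r["dialed"]))
    return alerts


def reasons_for(alerts, ani):
    """Distinct alert reasons raised against one calling number."""
    return sorted({reason for a, reason, _ in alerts if a == ani})


if __name__ == "__main__":
    for alert in detect(parse_cdr(SAMPLE_CDR)):
        print(*alert)
```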