< The Israeli Underground Information eXchange >

[ Chaos IL ASCII logo: rOMAN! ]

                    Chaos IL - Issue #6, 24/Dec/1998

        ~If freedom is outlawed, only outlaws will have freedom~

                      [ http://www.chaos-il.org ]

Chaos IL Issue Six Index:
~~~~~~~~~~~~~~~~~~~~~~~~~

01. ISSUE#6: Intro & News ....................... by morgoth
02. The "truth" about Bezeq's extenders ......... by The Inspector
03. Cellular Phreaking guide - PART II .......... by phederal
04. Motorola-Israel universal phreaking ......... by mr_jones
05. ISDN NET: 64k to 128k ....................... by asi
06. Hacking the TRILOG VoiceMail systems ........ by morgoth
07. How to set up 1800 #s (free toll) ........... by morgoth
08. Novell Netware Exploits (SCHOOL) - PART II .. by phederal
09. Israeli cellular phreaking - volume 1 ....... by toxid rage
10. Greetings

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

*** 01. ISSUE#6: Intro & News

           " Spreading H/P on the 972 scene "     ! Issue #6 !
                    (c) Chaos-IL Foundation 1998

Word up. A massive issue this time, with informative data from the high
class as always. As you know, I hate intros, so let's just skip over to the
important shit and get along.
I hope you'll find this issue useful for your knowledge and vandalism.
Don't fuck with stuff you don't know.

Chaos-IL has been re-upgraded and we are up to some new projects. Here is
part of our upcoming plan:

[ Project I ] - The Chaos-IL FAQ 1997-98 -
------------------------------------------

Release note: The Chaos-IL FAQ will include all the Frequently Asked
  Questions regarding hack/phreak material that were sent to Chaos-IL in
  the last two years, including their answers, of course.
Comment: If you have some sort of a question regarding any Chaos-IL
  material or beyond, mail your questions to morgoth@chaos-il.org and they
  will be answered in a short while. Plus, they will be published in the
  FAQ.
Status: Under construction.
Release: Public

[ Project II ] - The Chaos-IL Scanning issue -
----------------------------------------------

Release note: The Chaos-IL Scanning issue will contain detailed scanning
  results of specific Bezeq toll-free ranges (177-xxx-xxx, 1800-xxx-xxx).
  The results will include PBX/VMB/TONE/LOOP/ETC numbers without their
  codes/passwords. This issue will be an internal release to Chaos-IL
  members only.
Comment: People who scan and donate new #s to us will get the full issue
  after it is done.
Status: Half-way through construction.
Release: Internal / private

NEWS! NEWS! NEWS! NEWS! NEWS! NEWS! NEWS! NEWS! NEWS! NEWS! NEWS! NEWS!

* A new skilled soldier is joining the chaos, greetings to phederal.
* Some members have been removed due to inactivity for a long period of
  time. If you become active again, please contact us asap.

- ANNOUNCEMENTS -

* ARTICLES *    We are open for applications. If you have any interesting
                information for us, and you are willing to write an
                article about it, or just to share the information with
                us and let us handle it, contact the staff.

* MEMBERSHIP *  Currently, membership will be considered by the amount of
                articles. If we want you in our membership, WE will get in
                touch with YOU.
founder/chief ..... morgoth@chaos-il.org
mota boy ........ < m0ta_boy > .. staff ............. mota-boy@mindless.com
wackie .......... < wackie > .... staff ............. wackie@newmail.com
dr. jekyll ...... < jekyll > .... staff ............. jekyll@acid.org
blue grass ...... < bG > ........ member ............ shine-@usa.net
molotov ......... < Molotov > ... member/webadmin ... molotov@dabronx.com
mr jones ........ < mr_jones > .. member ............ mr_jones@hell.com
fourth horseman . < _4thm > ..... member ............ 4thm@
skade ........... < skade > ..... member ............ skade@mindless.com
the errormaker .. < Emaker > .... member ............ emaker@the-pentagon.com
the trick ....... < trick > ..... member ............ ttrick@yahoo.com
easy ............ < Easy > ...... member ............ easy@
terminal man .... < termi > ..... member ............ terman@netlane.com
phederal ........ < phederal > .. member ............ phederal@pbx.org

Send applications/submissions to: morgoth@chaos-il.org

--- [ DISTRIBUTION ] ---

Chaos IL issues will be regularly available once released on the following
distribution boards and sites:

Section X             +972-X-XXXXXXX   X Nodes   ILHQ *on hold*
Liquid Underground    +972-3-XXXXXXX   X Nodes   MEMBER
ftp.mag.co.il         /chaos_il/
ftp.fc.net            /pub/phrack/underground/chaos-il/
ftp.auscert.org.au    /pub/emags/chaos_il/

Chaos-IL Foundation 1998

*** 02. The truth about PBXs/Extenders

                  The truth about PBXs/Extenders
                                by
                           The_Inspector
                    ( the_inspector@usa.net )

                   (c) Chaos-IL Foundation 1998!
____________________________________________________________________________
NOTE! NOTE! NOTE! NOTE! NOTE! NOTE!

This article includes material regarding PBXing and Bezeq. All of the
information below is *CURRENTLY* nothing more than the OPINION of one
person, which means the information can't be judged as false or true.
____________________________________________________________________________

This article was written by The_Inspector in order to help all the PBX
users ('PBXers') understand why Bezeq hasn't done a thing, even though they
are aware of the large number of people PBXing.

DO NOT EMAIL ME ABOUT PBX NUMBERS OR PROGRAMS - I WILL NOT REPLY!!!

= What is PBX?
= What Bezeq knows...
= Why haven't they done anything

What is PBX?

"PBX" in the scene is the name for a dial-through feature reached via some
of Bezeq's computerized services. (Strictly, a PBX is a company's private
branch exchange; what gets abused is its outdial/extender feature, hence
the "extenders" in the title.) It lets you "connect" to another phone
number (the "target") in certain area codes by dialing that number at a
certain point of the connection. Since the PBX feature sits on "free"
(toll-free) numbers, when you connect to the target, the call is free.

What Bezeq knows

A whole lot, actually. Since the feature IS used through Bezeq, AND since
it's the only phone company (which, I want to say, monopolises ALL
telecommunication throughout Israel and tries to do the same in the
international area (good work Kavey Zahav / Barak!!)), they have no problem
tracing the origin of the call and charging the caller for it. Bezeq IS
AWARE of the PBX usage and they HAVE called some houses demanding an
immediate stop to PBXing, but still they have decided not to change
protocols and/or remove the PBX "exploit" (it isn't a bug, actually...).
You might ask yourself "WHY?"

Why haven't they done anything

The answer to that is very simple, actually, and involves some real easy
math that all of you can do. A PBX call is billed as a city-to-city call
("Bein-Ironi"), and that IS what PBX is doing EVEN if you're in the same
area code. At the highest rate (08:00-18:00 Sun-Thu) the counter ("Peima")
ticks every 12 seconds.
Each peima is 30 agorot. So in ONE MINUTE you already have 5 peimot = 1.5
NIS. Since most people don't connect for just one minute: in ONE HOUR you
have 300 peimot = 90 NIS. Now let's say you connect for ONLY 1 hour every
day for a whole month; that gives you 2,700 NIS PER MONTH!!!

Now some of you might say "Hey, I'm not stupid, I connect when it's much
cheaper (22:00+)". I did the same math and got smaller numbers, BUT STILL
in the thousands!!! (Remember, either way it IS city-to-city...)

Now with prices like this, why should Bezeq go and stop this "gold mine"?
Of course they don't take any money for it now (at least when this page
was published...), but we're forgetting IT IS BEZEQ!!!! And if they know
about it (and when they called people, it proved they do), it's just a
matter of time till they start tracing and suing the PBXers for Bezeq's
"rightful money".

I did some research and found out that legally, if they sue, they deserve
AT LEAST the +/- 3000 NIS per month (and that's if they're unusually nice
and don't ask for a fine too...).

Now I have a friend that was connected for 2 months non-stop, except for a
few hours when he had to reboot, re-connect etc. One month = 720 hours...
Let's say he was offline for +/- one day, and online 700 hours each month.
Just counting the HIGHEST rate hours (without the cheaper ones) gives 10
hours a day = 3000 peimot = 900 NIS PER DAY!!!!! Multiply that by 30 days
and you get a grand total of 27,000 NIS PER MONTH! And I was talking about
2 months... =)

So as you can see, the second Bezeq decides to sue for ONLY what they
deserve in peimot, we're in big shit.

I ask another question: If Bezeq DOES know about it, isn't it misleading
the public by not closing this breach? But that question is for the courts
to decide...

That's about all I had to say. If you have any questions/comments, email
me: the_inspector@usa.net

_____________________________________________________________________________

*** 03. Cellular Phreaking guide - PART II

********************************************
     CELLULAR PHREAKING GUIDE - PART II
               by: phederal
********************************************
       (c) Chaos-IL Foundation 1998!

Introduction
~~~~~~~~~~~~

Greetings all, this is the second part of my cellular guide book. PART I
was first released in Chaos IL #3. This part will mainly deal with the
basics of cellular programming and the cellular digital system. I hope
you find it useful, one way or another.

== Basics ==

The main thing to remember about a cellular phone is that it is a radio.
It is basically like a hand-held walkie-talkie, except that with a
cellular phone you have a lot more capabilities and can talk and listen at
the same time. Remember though that when you are talking on a cellular
phone, what you say may be, and very easily can be, monitored.

There are two main types of cellular phones, analog and digital:

1) Analog: the audio is modulated directly onto a carrier.
2) Digital: the audio is converted to digitized samples, which are
   transmitted as 1's and 0's and converted back to a voltage at the
   other end, so you get the audio signal.

Each cellular phone has to identify itself to its cell site before service
is allowed. Phones are identified by what is known as an ESN and a MIN:

1) ESN: Electronic Serial Number. This is a 32-bit binary number.
2) MIN: Mobile Identification Number. This is the phone number of the
   cellular phone: 10 digits, area code and all.

== Review of the Cellular System ==

The main system operating in the United States is AMPS, the Advanced
Mobile Phone System. AMPS comes in two flavours:

1) EAMPS: this system has 832 channels.
2) NAMPS: this system has three times as many channels, with very clear
   signals.

In both, 42 of the channels are used to set up calls; the rest are for
talking over the cellular phone.

== What goes on during Cellular Calling ==
Just imagine you are stranded somewhere, or possibly just want to use your
cellular phone to call someone. Have you ever wondered how it worked? Why
it worked? If so, I will explain how and why in this section. Enjoy!

1) Scan channels: the cellular phone scans for the closest cell site near
   you, so that you get the strongest signal possible for your location
   at the moment.
2) Choose strongest: as stated above, the phone picks the closest site to
   give you the best performance.
3) Send message: the phone sends a short message to the cell site carrying
   the MIN, the ESN, and the number you have just entered to call.
4) Assign channel: after verifying the above information, and once they
   know that you are a legal paying customer, the base sends a message to
   your phone telling it which channel the conversation is on.
5) Talk: the phone then gets on that channel and begins to ring. Then you
   begin to talk like normal. The easiest step of them all.

== Cellular Cloning and Other Features ==

Cellular cloning is one of the newest and more popular things going on
nowadays. What you are basically doing is programming someone else's MIN
and ESN into your phone, fooling the cell site into thinking that you are
actually them. Is this illegal? Well, it depends on how you use it. If you
use it to clone one of your own phones, so that you have two phones that
are exactly the same, then no; but if you are cloning someone else's, then
yes, it is very illegal.

The philosophy of a cellular phone phreak is to push the machines as far
as they will go. The possibilities with a cellular phone are practically
endless. You can make one into a scanner, as well as many other things.
The first step to being able to do ANY of this is getting the cellular
phone into what people call test mode. This is where you can change
practically all of the phone's features. The main way to get into it is
to crack the access code.
There is a good site that deals with that at the following URL:
http://www.radiophone.com - they have great information.

Another way to get a cellular phone into test mode is to take the battery
pack off the back and look in the lower corner. Here you will see some
little prongs. Take a small piece of tin foil and place it in the centre
of the prongs, like so: |*|, then put the battery pack back on the phone.
Turn the phone on; if you see an array of flashing numbers, you are in
luck, because you are in test mode! :)

== Basic Test Mode Programming ==

This section will tell you what to do once you get into test mode. This
part comes from the 1996 Cellular Subscriber Technical Training Manual
published by Cellcom-Israel. I give full credit to them for this
information. I am not going to include all of it because it would take
forever. Here are some of the basics. Enjoy!

32# = clear the phone
38# = display the ESN
55# = test mode programming
01# = restart
13# = power off
16# = setup
18# = send NAM
34# = turn DTMF off
61# = ESN transfer

That is just some of the very basics. Of course there is a lot more, and
if I ever write another article on cellular phones I will include some
more. Don't want to get too far ahead of ourselves. :)

== What kind of Cellular is Best? ==

There are different kinds of cellular phones for different kinds of
people. Personally, so far I have experience only with Motorola. I plan
to get a Nokia soon. Nokias are very advanced and have many options.
There is also the OKI; those have been said to be good. The ones that
interest me at the moment are the new Java-based ones. If you would like
to read more about these, go to the following URL:
http://www.nortel.com/cool/norteledge/edge298/N._IP_N.html

But as stated above, different people like different things. There is
also a new Motorola, the IDEN I10000, which has a two-way radio and an
alphanumeric pager in one.
These weigh in at around 5 oz. as well. They also include one-touch call
back, a speakerphone, and multi-language operation that displays prompts
in one to four different languages. For more information on this you can
call: 177-022-6099

(c) phederal [ phederal@pbx.org ]

EOF
_____________________________________________________________________________

*** 04. Motorola-IL Universal phreaking

######################################################
##                                                  ##
##        Motorola(IL) universal phreaking          ##
##                                                  ##
######################################################
           by mr_jones (mr_jones@dhp.com)
        -> (c) Chaos-IL Foundation 1997-98 <-

One of the things I do when I get bored and can't find anything better to
do is play with my Motorolas. As I'm sure you know, you can take a
Motorola phone and, if it's old enough, dump it into test mode and listen
in on people. Hell, if the signal strength is high enough, you can cut
into their conversations and mess with them. That is always fun. But what
do you do when the phone switches towers? How do you know what channel
the phone was handed off to?

"So how DO I mess with people's cell phones?" you may be asking yourself.
Well... I'm gonna tell ya. What I'm not gonna do is give you a lot of
unnecessary information about cellular that has nothing to do with the
task at hand. =)

First, you need a Motorola phone that was made before 1995. It took them
from the time they started making phones all the way up to 1995 to
realize that people were eavesdropping using their phones. So they
changed the firmware in the phones to only work on certain channels,
which have no conversation on them... they use these channels for testing
signal strength and god knows what else. Just find yourself a phone made
before '95, okay? For the purposes of this article I will be speaking
specifically about flip phones. If you have a brick or a bag, consult the
Motorola Bible on how to get it into test mode.
- In order to tell if it was made before 1995 you need to know the
  firmware version.
- In order to get the firmware version, you need to put it in test mode.
  "How do I put it in test mode, siezer?"
- How you put it in test mode depends on the firmware version (see step
  1). This means you have to do a bit of trial and error.

On phones with firmware versions of 95xx (1995, xx'th week) or higher, the
code

    fcn 00**83786633 sto      (spells TESTMODE)

will put you in test mode. 95xx's basically have anything cool disabled,
which means you can't clone it, use it as a scanner, or anything of that
nature. Therefore, if that code puts you in test mode it is generally a
bad thing, although I have seen exceptions; for example, my 9449 brick
uses that code.

If fcn 00**83786633 sto gives you nothing, it's time to go find yourself a
piece of tin foil. Take the battery off your flip, and there will be three
pins for the battery on the back of the phone. In order from left to
right, we shall call these pins 1, 2 and 3. Take your foil and connect
pins 2 and 3. Slide the battery back on and power up. You should see some
flashing numbers... you are now in test mode. This is rather difficult at
first, but you will get the hang of it. What I like to do is fold the foil
so that there is a little piece that actually fits in the hole of pin 2
and squeezes between the pin and the plastic; the rest of the foil is
long enough to hang out the back of the phone when you put the battery
back on, and wide enough to touch pin 3. I can pretty much do it on the
first try now.

After you have fumbled with getting your phone into test mode, I suggest
you go download the Motorola Bible. There is soooo much more that you can
fiddle with than what I'm about to tell you.

Once in test mode there are a lot of things you can do, from identity
transfers to messing with the battery indicator. Let me list the relevant
ones for messing with people.

08#     -- Rx audio on. Turns on the receiver audio.
           (All a cell phone is, is a ham radio with a computer attached
           to it.)
07#     -- Rx audio off.
11xxxx# -- Lets you switch channels. Every frequency has a channel
           assigned to it. For example, if you wanted to listen to what
           people were saying on 880.86 MHz, you would turn on your Rx
           audio and enter 110362#. This command ignores leading zeros,
           so hitting 111# is the same as 110001#, and 1153# is the same
           as 110053#. You get the idea.
45#     -- Tells you the signal strength of the channel/frequency you are
           listening to. On most phones this is a range from 0 to 100+.
           On some flips, however, it's a range from 0 to 50+. You figure
           out which one your phone is. The highest I've ever got is 110,
           on my brick with a car antenna attached to it.
47x#    -- Sets Rx audio level to x. Basically volume control. Usually the
           max is 15; see the Motorola Bible for more details.
4716#   -- I've found this keeps it at the last audio level but makes it
           so you can't hear the buttons when you press them. DTMF tones
           can get irritating.
10#     -- Tx audio on. Turns on the transmitter audio. You need this on
           to turn on the Tx carrier.
09#     -- Tx audio off.
05#     -- Tx carrier on. If the signal strength is close-ish to 100, you
           can say things to people. The lowest I've ever been able to
           jump in on is 75; I don't know how that worked. When your Tx
           carrier is on, all they can hear is you, not the person they
           are talking to, so when you are finished talking, remember to
           turn the carrier off so you can hear them go "who the fuck was
           that?!?"
06#     -- Tx carrier off.
40#     -- Receive one voice channel word... I'll explain this and its
           uses later.

So here we go...

--------------------------------* begin fucking with people *---

Turn your phone on... in test mode... hit # to get to the ' prompt.
Enter:

08#      to turn your Rx audio on.
10#      to enable your transmitter.
11632#   (or any other channel you would like)
4716#    to turn off the button noise..
         (optional) Sometimes letting them hear the beepy noises is good,
         if you are pretending to be an alien or something.
45#      to check the signal strength. If it's close to 100... you can
         fuck with 'em. If not, you can still listen.

Pick some more channels if you'd like... once you've found a strong enough
signal...

05# "Fuck you bitch." 06#
... "did you hear that?" ... "yeah.... who was that?"
05# "we are CHAOS IL" 06#
... "what the fuck?!"
05# "i thought i should warn you...." 06#
... "how the fuck is he talking on my phone?"
05# "We are watching you" 06#

--------------------------------* end fucking with people *---

Shit like that... sometimes it gets interesting if you pretend you are
god.. or whatever... I've recorded some examples of me messing with
people, but those are on a super-secret URL. What I like to do when
recording is have 4 phones going: a flip to listen, a brick to transmit
(makes it easier to hit buttons, so I don't miss anything), one just
listening with the volume all the way up and a microphone over the
speaker, and one collecting 40# data.

In the course of eavesdropping/messing with people you may encounter some
things that you might wonder about. For example, you can hear one person
talking but not the other... or you'll hear these weird noises and then
all of a sudden extremely loud static.

I'll go over the static one first. When you're talking on your phone, you
are using a cell tower (if you need more info, go consult somewhere else).
Anyway, when your phone moves about, it switches you to the closest tower.
When this happens, the channel you are on is switched too. Well, the cell
tower has to tell your phone what channel to switch to, right? Otherwise
your call would be cut off. How it goes about doing this is by embedding
data in the audio that tells your phone to do stuff like adjust the power
level or switch channels. Well... that's where 40# comes in handy.
In a nutshell, 40# listens for this data and then displays it in hex. You
hit 40# and it waits for the data. You can get back to the ' prompt by
pressing the # key. When it gets the data, it scrolls it across the
display. Truthfully, I have no idea what all of it means, but there's a
way to extract the new channel number out of it.

When you hear the weird noise and the conversation is still there, the
phone you are listening to was sent a power adjustment command. If you
hear the strange noise and the conversation is gone (loud static), it was
sent a channel switching command.

Well... what you do now is take the number left on the display (3 digits
should have scrolled by) and write 'em down. You should have something
like this:

    54e30c4

The first digit is junk. Only the next 3 are important; disregard the
rest. So now you have 4e3. Take each of the digits and convert them into
binary:

    4         0100
    e (14)    1110
    3         0011

Next, concatenate (big word!) the 3 binary words:

    010011100011

Drop the first 2 bits:

    0011100011

Take that whole thing and convert it into decimal: 227. w00t! Your new
channel number. Don't ask me why that works, I have not the slightest
idea, but it works... well, at least most of the time. Unless you can do
all that stuff up there in your head, you might want to check out the
program attached to the end of this file. (Don't laugh at the code,
please.)

Next up is what to do when you can only hear one person on the line. This
happens when two people are talking on two cell phones. I'm not going to
go into this, simply because this file is long enough and is starting to
stray off topic, but the basic gist of it is that you are hearing one
person's Tx audio and not their Rx. To listen to the other side, find the
conversion tables and do some math. Either that, or there is a digital
phone involved; if this is the case, you'll have to wait for somebody with
an analog phone to jump on the channel. Damn technology.

Well, that's about it. Experiment. Piss people off.
Make people laugh. Do what you'd like.

mr_jones

greets
------
emperor, morgoth, G0D, phederal and all of Chaos-IL !

_____________________________________________________________________________

*** 05. ISDNnet: 64k to 128k

*------------------------------------------------------------*
                     ISDN-NET: 64k to 128k
                             by asi
                          asi@4u.net
*------------------------------------------------------------*

(( Introduction ))

ISDN net is the first ISP to provide ISDN services in Israel. Well, this
is how it goes.. you order ISDN from ISDN net (the process takes about a
month), and you get:

(1) an ISDN line
(2) an ISDN modem
(3) an ISDN account

As much as they can say that if you've ordered ISDN 64 you'll be able to
use only 64, it's not true. The line is 128k no matter what. So is the
modem, and the account; can't say for sure, but the way I've figured it,
they can't ban the option for you to log in twice (or more). ISDN net are
way too stupid for an ISP. :)

(( Usage ))

Well, in order to use ISDN 64k you enter inXX/yourusername and your
password as the password. So I did a little research and found out how to
use 128k :) Follow these steps:

(1) Create a new connection and choose one of the ISDN devices.
(2) Find the Multilink option and add the second ISDN device.
(3) Use Username: in128/yourusername, Password: yourpassword.

Yes, that's it.. easy eh? :)

(( Risks ))

Well, a lot of ISDN net's users know this 'trick' and use it.. nobody got
over-charged or anything, so I allow myself to say that there are no
risks. Enjoy. :)

done by asi / Chaos IL 1998.

(( END ))
_____________________________________________________________________________

*** 06. Hacking the TRILOG VoiceMail systems

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!                                          !!!
!!!   HACKING THE TRILOG VOICEMAIL SYSTEMS   !!!
!!!                                          !!!
!!!               by morgoth                 !!!
!!!                                          !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
           (c) Chaos-IL Foundation 1998

werd up y0.
This document is more or less a nice little guide to acquiring a voice
mail box (VMB) on the computerized system called TRILOG. Unfortunately, I
don't know too much about the company, but it may be possible to order an
official instruction manual for this software if you contact the company
itself. Please excuse the "how-to" format I wrote this in; it was really
the only way I could write a text like this. Not too much real theory in
this, but hopefully it will help revive VMBs in the scene.

OK. This article will deal with breaking into TRILOG voicemail systems. I
have been working with this particular type of voicemail for almost one
year now. After reading this file, I hope that you will be able to get
into your own VMB (Voice Mail Box) on a TRILOG system.

I am assuming that you all know what 'scanning' is. If not, this is the
basic concept: call as many numbers as you can think of, random or
sequential, to find interesting or useful numbers.

The first step to identifying a TRILOG is to listen for an automated
menu. This is usually just a recording of some lady in a noisy office
telling you what to press. If the message mentions a directory of names,
you *MIGHT* be dealing with a TRILOG. If you are asked to press [1] for
the directory, there is a pretty good chance you're at one. To be
absolutely certain, press the [#] key on your phone. If it says "Please
enter your mailbox", you've found a TRILOG. Plus, some of the TRILOG
boxes greet you with "WELCOME TO TRILOG", so you'll be able to recognize
them. (Check the bottom of this article for scanning notes.)

So, once you find a TRILOG, write the number down and keep scanning until
you're satisfied. Now it's time to get working. Dial up your favorite
TRILOG number. Enter [1] for the names directory. It will ask for the
name of the person you'd like to talk to. Key in a common name like
'Smith' or 'Jones'. It *SHOULD* give you a name and extension.
If the system can't find the name specified, just enter two or three
digits and keep doing this until you find a name. Now, assuming that you
have a name and extension (the name isn't really important), get back to
the menu you got when you called.

There is a nice option in TRILOG systems that makes our job a hell of a
lot easier. It's called QuickMessage. At the greeting message, hit the
[*] key to enter this mode. Now, let's say the extension you got for Aviv
Cohen was 5593. You may wish to check that you got his extension right.
Simply enter his extension at the voice prompt and it will play his
recorded name (uhm... h'llo... This is Aviv Cohen.) and a nice lady's
voice will say 'Recording...' followed by a short beep. OK, you're sure
that's him. Now hit [#] followed by [*] to enter a new extension.

The reason for getting Aviv's extension was to get a general idea of
where the boxes are. So, at the voice prompt, enter in, perhaps, 5594. If
you hear a person's name, keep repeating the process until you find one
without a name. If, after entering, say, 5652, you hear nothing except
'Recording...', then you've found one of two things:

(1) a dumbass who doesn't know how to record his name on the system.
(2) an empty box! (wtf!?@#)

Now, we're really hoping that you've found the latter. Be absolutely sure
to write down all the numbers you find like this. Once again, keep
scanning until you think you've got enough.

You may think that hacking the box will be a problem, but that's where
you're wrong. The hard part is pretty much over. TRILOGs are fairly
consistent with their default passwords for empty boxes. Hit the [#] key
and listen for the 'Please enter your mailbox' prompt. Say you have a
list of possible empty boxes: 5632, 5633 and 5634. Enter 5632 at the
prompt. When it asks for the security code, try one of the following:

1111 - very common default code on TRILOG systems.
1234 - used sometimes, not as common as the former.
9876 - about the same as 1234.
0000 - if all else fails.

If none of these work, the problem could be one of two: the system has a
non-default code set for its boxes (NOT likely), or the box belongs to
someone who was too lazy to record their name. If you believe your
problem is the former, try another TRILOG; if the latter, keep scanning
for empty boxes.

Well, let's move on now, assuming you've gotten into a box. grEEtings!
TRILOG systems are menu-driven and easy to understand from inside the
box. Below are a few functions you can use once inside:

[5] - play new messages, skip to next msg
[3] - delete current message
[6] - send a message
[9] - exit the box

There are other functions, but as I can't remember ALL of them offhand,
once you're in a box, wait for the 'Ready' prompt and stay on the line.
It'll read off more options.

OK. So after reading this text file, you should now be one of two things:
one level dumber for having read this, or fairly knowledgeable in how to
hack a TRILOG. You tell me. Call my VMB at the number provided at the top
of the page, or reach me by email at morgoth@gmx.net, or on IRC: morgoth
@ EFnet.

* Scanning notes *

To all the scanning p1mps out there: in my experience with scanning,
TRILOG systems can usually be found in the following ranges:

177-022-40xx
177-022-55xx
177-022-59xx
177-022-22xx
177-100-xx22
177-100-xx67
177-100-xx68
1800-022-xxxx  --> this is a new range.

email: morgoth@chaos-il.org
_____________________________________________________________________________

*** 07. How to set up 1800 (free toll) Numbers

+----------------------------------------------------+
|                                                    |
|          SETTING 1800 (toll free) NUMBERS          |
|                                                    |
|                    by morgoth                      |
|                                                    |
+----------------------------------------------------+

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
       (c) Chaos-IL Foundation 1998!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

A simple way to get an 1800 (toll free) number set up to any valid number.

Intro:
------

1800's are the new toll free numbers for 1998.
and since it is a new exchange, there is a HUGE number of 1800 #'s available. if you would like to get an 1800 ringing on any number, follow these few easy steps and if you do it right, you'll either A) get the new 1800 # on the phone B) have to wait a few days (if the lady is a bitch). now I cant gaurante that these are going to be risk free. but from my expierences with bezeq, they will never really investigate it. I had an 177 ringing in on my home voice line for over 4 months, and after it went down, I never heard a thing from bezeq. also, if you are setting a toll free number up to a free internet provider, or a LD BBS, then no one is going to know you did it anyway. just dont tell the sysop unless you know he wont bug out. if you set your 1800 up and sound believable to the op, chances are, your new 1800 number will last more then 2 months. if you give it to alot of people, and the 1800 is in use all the time, expect it to go down within the week. a few times ive taken over a VMB system, setup tons of boxes (for fellow h/p ppl) then setup a 1800 to the local VMB number. then i give every h/p person im friends with a box. but they usually only last a week or 2. its not advisible. How to set them up: ------------------ to get the 1800 number setup you'll need the following information 1st: (hint: its a good idea to get a valid company name, address and zip when you are setting them up. if the company is big enough they might just pay the 1800 bill and not notice :) 1) Valid Company Name 2) Your fake name 3) Valid Company Address (Street Address, City, ST, Zip) 4) The number you want the 1800 to ring in on *5) (sometimes) a VMB to leave you a msg at * = optional call up 199, wait to hear the "Welcome to bezeq" msg wait for a bitch to answer. it is a good idea to setup toll free #'s Sunday morning, you will get quickest setup time. when the op comes on (sometimes you'll have to wait a few minz) tell her you want a READYLINE 1800. 
Say you know all about it (to avoid the prices bullshit). Say you need it expedited (which means do it on the double). Give her the company name, your fake name, address, city/st/zip. She'll say hang on, I'll try and get you a number. When she returns, she will either say:

1> "Here is your new 1800 number . . ."
2> "Our systems are down now, can I call you back with your # later?"

If she says 1 then you're in luck; ask her when it will be up. Say thanx and bye. If she says 2, say "yes, no problem, but I am out of town at the moment", give her your VMB and box # (if any) and tell her she can call you there. It is a good idea to ask what her name is (for further abuse, or in case the 1800 doesn't go up for some reason).

morgoth@chaos-il.org

_____________________________________________________________________________

08. Novell Netware Exploits - PART II

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Novell Netware (Schoolnet) Exploits - PART II
by phederal
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(c) Chaos-IL Foundation 1998!
_____________________________________________________________________________

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Novell Netware Exploits - How to use them to your advantage
by phederal (phederal@pbx.org)

Let's face it. Most people who own computers are idiots. Software developers make their software more "user-friendly" and easy to use. And the easier software is to use, the easier it is to exploit. Novell Netware is known for being an easy-to-use platform that is very secure. I hope to show you that, like every good program, it has its flaws. These flaws, if abused correctly, can open up security gaps wide enough for doing whatever it is in your little criminal minds.

-----------------------------------------------------------------------------

O v e r V i e w

1.) Why Novell Netware?
2.) The Basics
3.) Accessing Accounts
4.) Account Passwords

-----------------------------------------------------------------------------

W h y   N o v e l l   N e t w a r e ?

Novell Netware, owning 60% of the market share, is the most common platform despite the tireless efforts of both Windows NT and UNIX systems. Its extremely fast and reliable File\Print services are major strengths that these systems are just now attaining. Netware systems are used because of their easy-to-use but powerful environments, which can be tailored to the needs of both system managers and copy-boys.

-----------------------------------------------------------------------------

T h e   B a s i c s

The success of almost everything in this document depends on the way that the network is set up. Not everything will work. In most cases, you will need to know the version of Novell Netware that you are using. If you don't know it, try running VERSION in the SYS:PUBLIC directory. You need some basic knowledge of how a computer operates.

Now, I know that very few, if any, of you are professional hackers. You wouldn't be reading this if you were. This isn't the most complete Novell Netware article. I left out some details that weren't practical, either because they could only be used under very slim circumstances or because they don't accomplish enough. This document is centered around the intermediate or beginner hacker. Most of the programs described in this document come with Netware. Any programs that don't will be listed on the last page along with where to find them. I guess what I am saying is to sit back and relax.

In Netware, there are common levels of security that are offered to certain users.
The security levels, and what you can execute within them, are listed below:

(1) Not Logged In - Very basic commands, usually programs in the SYS:LOGIN directory
(2) Logged In     - Basic commands and programs controlled by trustee rights
(3) Operator      - Basic access, control of print queues, a few special commands such as FCONSOLE
(4) Supervisor    - Full file system access, control of user access, server configurations, and security
(5) OS Access     - Console access; all NLMs and most commands typed at the console run at this level; partial file access, optional supervisor access

Now, onto accessing the server. When logging in directly (at a physical console), versions 3.x and 4.x take two very secure measures. They both use packet signature and password encryption techniques. But, to log into the server from a remote location using RCONSOLE (Remote Console), all that's required is a single password. This is designed so that administrators can execute commands as if they are actually at the server console. RCONSOLE establishes a session with the server. This is the one major weakness of Novell Netware's security.

Now, some of the techniques described in this document won't work on 4.x versions. This isn't a problem, however, because almost everybody still has 3.x versions. Those who do have 4.x versions usually still have one or more 3.x servers in use.

-----------------------------------------------------------------------------

A c c e s s i n g   A c c o u n t s

As stated in the introduction, people are stupid. When Novell Netware is installed, the platform creates a list of default accounts that are used for a variety of different things. These accounts can be used as a user name and, without entering a password, provide you with access to the server. Keep in mind, however, that smart administrators will have disabled these accounts. The following is a list of these common accounts and what Netware uses them for.
--------------------------------------------------------------------
SUPERVISOR       - Default supervisor-equivalent account
GUEST            - Default account for non-clients to use
ADMIN            - Version 4.x uses it as a default account with administrator equivalence
USER_TEMPLATE    - Version 4.x uses it as a default account for testing security or client capabilities
LASERWRITER      - Printing to a second server
LASER            - Printing to a second server
HPLASER          - Printing to a second server
PRINTER          - Printing to a second server
PRINT            - Printing to a second server
POST             - Using a second server for e-mail
MAIL             - Using a second server for e-mail
GATEWAY          - Connecting the server to a gateway machine
GATE             - Connecting the server to a gateway machine
ROUTER           - Connecting the server to an e-mail router
BACKUP           - Used to make tape backups of the server
WANGTEK          - Used to make tape backups of the server
FAX              - Connecting the server to a dedicated fax unit
FAXUSER          - Connecting the server to a dedicated fax unit
FAXWORKS         - Connecting the server to a dedicated fax unit
TEST             - Temporary account usage
ARCHIVIST        - Default account for Palindrome
WINDOWS_PASSTHRU - Supposedly needed for sharing resources without a password
ROOT             - Default account for Shiva LanRovers that allows for ADMINGUI command-line equivalence
CHEY_ARCHSVR     - Default backup account for Arcserve - Password WONDERLAND may be required
ALT-255          - Less common but works
NOT_LOGGED_IN    - Less common but works
PC-CLAS_LOGIN_DO_NOT_REMOVE - Less common but works
--------------------------------------------------------------------

Now don't shoot yourself if none of these worked. There are other ways to access accounts. If you want to access existing client accounts, try going to the SYS:PUBLIC directory and running SYSCON. Go into User Information and you will be able to view all defined accounts and their users' full names. If this didn't work, try doing the same thing by running USERLST. If you are using version 4.1, you can use CX to get accounts.
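The administrator's side of the list above, as an added example that is not code from phederal's article: a Python audit over a constructed account export (the record fields are an assumption; a real listing would be built from SYSCON or USERLST output) that flags default accounts still enabled, accounts with no password, and accounts whose password is their own user name.

```python
"""Audit of a NetWare-style account listing for the default accounts above.

Added example, not code from the original article. It takes a constructed
account export (fields are an assumption; a real one would be built from
SYSCON / USERLST output) and reports what an administrator should fix:
default accounts still enabled, accounts with no password, and accounts
whose password is the user name.
"""
from dataclasses import dataclass

# Default account names from the list above, upper-cased as NetWare shows them.
DEFAULT_ACCOUNTS = {
    "SUPERVISOR", "GUEST", "ADMIN", "USER_TEMPLATE", "LASERWRITER", "LASER",
    "HPLASER", "PRINTER", "PRINT", "POST", "MAIL", "GATEWAY", "GATE", "ROUTER",
    "BACKUP", "WANGTEK", "FAX", "FAXUSER", "FAXWORKS", "TEST", "ARCHIVIST",
    "WINDOWS_PASSTHRU", "ROOT", "CHEY_ARCHSVR", "ALT-255", "NOT_LOGGED_IN",
    "PC-CLAS_LOGIN_DO_NOT_REMOVE",
}
# The real administrative accounts cannot be removed; they are expected to
# exist but must carry a password, so they are only checked for that.
BUILTIN_ADMINS = {"SUPERVISOR", "ADMIN"}


@dataclass
class Account:
    name: str
    enabled: bool
    has_password: bool          # False: the bindery holds no password at all
    password_is_username: bool  # the case CHKNULL-style tools report


def audit(accounts):
    """Return {NAME: [findings]} for every enabled account that needs attention."""
    findings = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account cannot be used to log in
        name = acct.name.upper()
        issues = []
        if name in DEFAULT_ACCOUNTS and name not in BUILTIN_ADMINS:
            issues.append("default account still enabled")
        if not acct.has_password:
            issues.append("no password set")
        elif acct.password_is_username:
            issues.append("password equals user name")
        if issues:
            findings[name] = issues
    return findings


# Constructed sample export: not taken from any real server.
SAMPLE = [
    Account("SUPERVISOR", True, True, False),   # fine: has a real password
    Account("GUEST", True, False, False),       # default, and no password
    Account("WANGTEK", True, True, True),       # default, password is the name
    Account("FAX", False, False, False),        # default but disabled: ignored
    Account("jsmith", True, True, True),        # ordinary user, weak password
    Account("mcohen", True, True, False),       # ordinary user, fine
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE).items():
        print(f"{name:<12} {'; '.join(issues)}")
```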
When 4.1 is installed, the SYS:PUBLIC directory is added to the Root as a Trustee. This means that the SYS:PUBLIC directory has browse access to the entire tree. To utilize this, load all of the VLMs and run CX /T /A /R. You won't even have to log in and will be given a list of almost every account on the server.

Many accounts will use the user name as the password. This happens when people act like idiots or when accounts are created for users that aren't currently using them. These accounts can be viewed by using CHKNULL. CHKNULL will only work if Bindery Emulation is on.

If none of the above methods have worked, don't bother guessing accounts and passwords. Netware will ask you for a password whether the user name you entered was valid or not. This can lead to disaster if Intruder Detection is turned on. But, if you have a burning desire to do so, use ATTACH to log in instead of LOGIN. At least, with ATTACH, you won't be asked for a password if the user name wasn't valid.

-----------------------------------------------------------------------------

A c c o u n t   P a s s w o r d s

If you've got an account, you're probably wondering how to get that account's password. The files that store the passwords in Novell Netware are located in different places in different versions. In versions 2.x and 3.x, every object and its properties are kept in bindery files. In 4.x, they are stored in an NDS database. Accounts are bindery objects, and their passwords and user names are properties. The following shows where the files are located for each version, the file names, and what attributes, or flags, they have. To access these files, run the Norton Disk Editor with a /M parameter. Then, press F2 to view everything in hexadecimal format. Next, press Ctrl-S to load the search routine. Enter the file name you're looking for and you're done.
VERSIONS    LOCATIONS    FILE NAMES      ATTRIBUTES
----------  -----------  ------------    ------------
2.x         SYS:SYSTEM   NET$BVAL.SYS    Hidden System
                         NET$BIND.SYS    Hidden System
3.x         SYS:SYSTEM   NET$VAL.SYS     Hidden System
                         NET$OBJ.SYS     Hidden System
                         NET$PROP.SYS    Hidden System
--------------------------------------------------------------------
4.x         In versions 4.x, the password files aren't as easily accessible. They can only be viewed through RCONSOLE using the Scan Directory option. They are stored in SYS:_NETWARE and are as follows:

                         VALUE.NDS       NDS Subpart
                         BLOCK.NDS       NDS Subpart
                         ENTRY.NDS       NDS Subpart
                         PARTITIO.NDS    NDS Partition
                         MLS.000         License
                         VALLINCEN.DAT   License Validation

Done by phederal, Chaos IL 1998.
-- phederal@pbx.org --

_____________________________________________________________________________

09. Israeli cellular phreaking - volume 1

-------------------------------------
---                               ---
---  Israeli cellular phreaking   ---
---                               ---
---           volume 1            ---
---                               ---
-------------------------------------

by toxid rage
-------------------
(c) Chaos-IL Foundation

What is it?

Cellular phreaking means doing with the cellular the things you usually shouldn't be able to do, such as changing ESN/MIN.

What are ESN/MIN and all the rest?

There are a few terms on cellular phones; here are the important ones:

1. MIN - Mobile Identification Number = this has two uses: one is to identify you in the cellular service provider's computer, and two, this is your phone number. This includes 11 digits, numbers only. In Israel, Pelephone (050) starts with 972, then the prefix (0/1) and then the phone number itself... 9720/1XXXXXX.

2. ESN - Electronic Serial Number = this is one of the most important components of the cellular phone, because this is what identifies your cellular phone for what it is. The ESN is not changeable, unless you have a burner, a device that can change the ESN by sending it specific signals; a device like that usually costs between 1000$-2000$, and is also known as a COPYCAT.
3. NAM - Number Allocation Module = the most basic thing on the cellular, which contains all of the information about the unit. This includes the MIN, ACOLC, SID, and all the rest; most of them, besides the ESN, are changeable through the keypad, by entering a TEST MODE. Old cellular phones had the NAM burnt on a PROM chip. Today it is not.

OK, enough about the terms.

What is cellular rechipping?

Cellular rechipping means burning the CHIP inside the cellular unit itself, and by that, being able to do whatever you want, such as making new software for it (menus, and all). Some people who do rechipping also enable in the software an unlimited number of ESN changes by keypad, which I will explain later why it is useful. Oh, and one more thing: rechipping is mostly done by a computer.

What is a copycat?

A copycat is a device that allows you to change only the ESN. The copycat goes by connectors, out from its header to the socket of the cellular, and sends signals that change the HEX ESN into whatever you wish. This thing is also based on computer software, only that this software is burnt on the device. ESN changing, btw, can also be done by computer easily, depending on which model you are trying to do it on. Old mobiles, '94 and so, can easily be done using all kinds of software; find them on l0pht or something, it's not a problem really.

What is an ESN SNIFFER?

A new thing came up in the last year, so I assume. It is an ESN sniffer, meaning it steals ESN and MIN numbers from cellular phones. People who have a cellular phone near the device will automatically get a NO-SERVICE LED for 2-3 seconds while the device sniffs it, and then it will return to normal, and the ESN/MIN are saved inside this device. What is it good for? Suppose you have an old cellular you don't need, or you just stole one or something; you rechip onto it the ESN/MIN you sniffed and there, you have a free call device. This thing is made a lot in Israel and for all I know it's sold for about 150 NIS or so...
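The carrier-side check that catches the copied phone just described, as an added example that is not code from toxid rage's article: one ESN/MIN identity is one radio, so the same identity on two overlapping calls from two different cells means a second handset is using it. The call-record layout and the records are constructed; a real feed would be the switch's call detail records.

```python
"""Carrier-side detection of a cloned ESN/MIN pair.

Added example, not code from the original article. A legitimately
programmed handset is one radio, so one ESN/MIN identity cannot carry two
overlapping calls from two different cells; a sniffed pair burnt into a
second phone produces exactly that. Record layout and records are
constructed; a real feed would come from the switch's call records.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CallRecord:
    esn: str    # 8 hex digits, the value the 38# test-mode command displays
    min: str    # 11-digit MIN, 9720XXXXXXX or 9721XXXXXXX for Pelephone
    cell: str   # serving cell site
    start: int  # call start, seconds
    end: int    # call end, seconds


def overlapping_identities(records):
    """Return {(esn, min): [(call_a, call_b), ...]} for every identity that
    was on two overlapping calls served by different cells."""
    by_identity = defaultdict(list)
    for rec in records:
        by_identity[(rec.esn.upper(), rec.min)].append(rec)

    hits = {}
    for identity, calls in by_identity.items():
        calls.sort(key=lambda r: r.start)
        pairs = []
        for i, a in enumerate(calls):
            for b in calls[i + 1:]:
                if b.start >= a.end:
                    break  # sorted by start: nothing later can overlap call a
                if a.cell != b.cell:  # same-cell overlap can be call waiting
                    pairs.append((a, b))
        if pairs:
            hits[identity] = pairs
    return hits


# Constructed call records; ESNs and MINs are made up for the example.
SAMPLE = [
    CallRecord("A1B2C3D4", "97205551234", "TLV-03", 1000, 1300),
    CallRecord("A1B2C3D4", "97205551234", "HFA-11", 1200, 1500),  # overlaps, other cell
    CallRecord("A1B2C3D4", "97205551234", "TLV-03", 1600, 1700),  # later, no overlap
    CallRecord("0F0E0D0C", "97215550001", "JLM-02", 1000, 1100),
    CallRecord("0F0E0D0C", "97215550001", "JLM-02", 1050, 1080),  # same cell: not flagged
]

if __name__ == "__main__":
    for (esn, min_), pairs in overlapping_identities(SAMPLE).items():
        for a, b in pairs:
            print(f"ESN {esn} / MIN {min_}: {a.cell} {a.start}-{a.end} overlaps "
                  f"{b.cell} {b.start}-{b.end}")
```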
Rechipping can also be done with software, published on l0pht and on radiophone; this one goes by a program and a ROM file. You need to burn that file, which is software, to the cellular. An ESN sniffer, btw, can also be made on another cellular phone, again, by rechipping its software from the CHIP itself. This thing is sold for about 3,000$ - 5,000$ for all I know.

Some of you may have heard that there is a possibility to burn a cellular phone manually, by keys. Well, that is impossible. That is just changing the MIN, and when both cellulars are on (the original and the dup) then it will ring in both of them, and you cannot place outgoing calls from there. Motorola is stupid, but not THAT stupid.

Cellcom, the Israeli digital company, are smarter. For example, they took the Nokia 2120, which is a NON-burnable cellular with a 1-time chip, meaning once you got it from the Cellcom company, you can only use it and not change anything but the MIN and some lame stuff, which won't help a bit. Therefore, if you have a stolen Nokia, shove it.

Now to the more active part. I will explain some more interesting things on the Motorola cellular phone. Motorola, one of the biggest electronics companies, has unique software on its cellular phone unit that can allow you to do a lot of things, such as listening to specific phone numbers (MINs), as used in the IDF. You can enter a phone number of a specific person you want, and listen to it. How to do it? Don't worry...

First of all, entering the NAM programming mode. There are a couple of ways. On the MicroTAC Elite, you have two options: short the 6th and the 9th pin of the socket, using a connector or anything that can connect them. The other way is the keypad, the most comfortable way. You have to type this in a row (ya, most of you already know it...): FCN-00**83786633-STO.
On the StarTAC, the only method I know is the keypad (of course, you can do it by pins, but I don't really recall the pinouts for the StarTAC). On the LITE II/CLASSIC/ALPHA/ULTRA mobiles, you either short the middle connector of the battery with the middle connector on the mobile using an iron or anything that can short it, or again, the keypad... as written above in the Elite section. On the Brick phone (huge, but strong) you remove the battery, and in the upper section, near the antenna, you short between the sixth (row 1, last on the right) and the seventh (row 2, first on the left), and turn on the phone; it will automatically wake up in the test mode, and you will see numbers running on the screen.

Now, after you finished the first part, depending on which mobile you have, you will see numbers running over the screen; if not, return and start it all over again. Once you see those numbers, you press #, and you will have a US ` on the screen, or something like that... You are now in the main command line options. From here you can control the cellular as you wish. I will now show some examples of the main things you can do here; the main commands you can find, as I said, on l0pht: search for the Motorola bible, it is pretty up to date. Here, # is a sort of ENTER; if you don't press # it is as if you didn't send the command at all...

08# = Audio receiver on (useful when bugging someone)
19# = Displays the software version number, also by year.
38# = Display current ESN number. The ESN, built of 8 hex digits, is shown in a series of 00 XX, 01 XX... 03 XX, 04 XX. The ESN digits are in the XX. * moves to next, # exits.
32# = Master reset - resets the cellular phone, including memories.
55# = The main NAM programming. Do not touch it if you like your mobile.
In this NAM programming you have 16 options. I will now mention the most important of them. * will move to the next option, # will cancel in the middle; to save what you have changed, you must run with the * until the end (16).

01: SID - system ID, preferably not to be touched. - 5 digits. Israel default is 08465. Tip = if you want to drive your friends crazy, change this to 00019; the mobile will be able to make calls, not to receive calls.
02: Programming option - do not touch (0-no/1-yes) - 10 digits
03: MIN - this is the phone number of the unit, also identified with the ESN in the service provider's computer; if one of them doesn't match the ESN/MIN written in the computer, then the cellular will not function correctly (won't work... bah).
04: Station Class Mark - 2 digits.
05: Access Overload Class - 2 digits. (ACOLC)
06: Group ID - 2 digits
07: Security code. This code is usually used by the Motorola technicians when you have a problem with your phone; they use this code to access your cell, in case it is locked. - 6 digits.
08: Lock code - this is the code that unlocks your mobile. 3 digits.

I won't go over the rest because they shouldn't be touched, and they don't make a lot of difference anyway.

t0xidrage

______________________________________________________________________________

09. Credits & greetings

crypto, Manomaker, LSD, jizm, retro, Plex_inph, skade, BelowZero, rough, bellboy, phriend-, tabi, _jobe_, retaliator, p-wInd0Wz, route, j_aka, _v9, spi7fire, dead_rat, FrontLine, suspekt, _char_, toxidrage, d2_rN, Kombo.

* ALL chillers of: #972, #31337, #punx, #r00t, #chaos-il
* special thanx to the brotherhoods: skillz, r0x Crew, pX 1998, NoName

ALL of Chaos-IL Members

-[EOI#6]----------------------------------------------------------------------
(c) Chaos-IL Foundation December 1998