Subject: 3500 lines of obsolete phreaking stuff Date: Thu May 12 13:13:03 1994 This is something I put together a few years ago. None of it was written by me. I spellchecked it, made a table of contents, and converted from 20 column all-caps and removed K0oL spellings. I don't want comments, good or bad. I figured somebody might want this, so I'm posting it, but that the extend of my involvement. I'm sorry about the control-L's. I don't know how to remove them. xxxxxxxxxxxxxxxxxxxxxxxxxxx Table of Contents Introduction to hacking. . . . . . . . . . . . . . . . . . . . 1 Phone Hacking. . . . . . . . . . . . . . . . . . . . . . . . . 2 Basic Boxes Technically Explained . . . . . . . . . . . . 3 (BLUE,3); (BLACK,4); (CHEESE,5) Voice mail box hacking. . . . . . . . . . . . . . . . . . 6 Blue Box Tones. . . . . . . . . . . . . . . . . . . . . . 9 Customer name and address . . . . . . . . . . . . . . . . 9 Lock In Trace . . . . . . . . . . . . . . . . . . . . . . 14 Pinkish Box . . . . . . . . . . . . . . . . . . . . . . . 16 Pearl Box . . . . . . . . . . . . . . . . . . . . . . . . 17 Brown Box . . . . . . . . . . . . . . . . . . . . . . . . 19 Scarlet box . . . . . . . . . . . . . . . . . . . . . . . 20 Day-Glow. . . . . . . . . . . . . . . . . . . . . . . . . 20 Gold Box Plans. . . . . . . . . . . . . . . . . . . . . . 22 Green Box . . . . . . . . . . . . . . . . . . . . . . . . 23 Blotto Box. . . . . . . . . . . . . . . . . . . . . . . . 23 Computer Hacking . . . . . . . . . . . . . . . . . . . . . . . 26 Tymnet. . . . . . . . . . . . . . . . . . . . . . . . . . 27 Telenet . . . . . . . . . . . . . . . . . . . . . . . . . 32 Hacking Unix. . . . . . . . . . . . . . . . . . . . . . . 34 Primenet. . . . . . . . . . . . . . . . . . . . . . . . . 36 Hacking DECs. . . . . . . . . . . . . . . . . . . . . . . 44 Crashing BBSs . . . . . . . . . . . . . . . . . . . . . . 45 Credit bureaus. . . . . . . . . . . . . . . . . . . . . . 54 File grabbing on large systems. . . . . . . . . . . . . . 64 Potpourri. . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Bugs. . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Wiretapping . . . . . . . . . . . . . . . . . . . . . . . 67 Lunch Box . . . . . . . . . . . . . . . . . . . . . . . . 72 Beep Time . . . . . . . . . . . . . . . . . . . . . . . . 76 Reference. . . . . . . . . . . . . . . . . . . . . . . . . . . 77 8OO VMB Systems . . . . . . . . . . . . . . . . . . . . . 78 Extenders . . . . . . . . . . . . . . . . . . . . . . . . 78 Loops . . . . . . . . . . . . . . . . . . . . . . . . . . 79 PBXs. . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Sweeps. . . . . . . . . . . . . . . . . . . . . . . . . . 79 1-800 modem numbers . . . . . . . . . . . . . . . . . . . 79 Area Codes by State . . . . . . . . . . . . . . . . . . . 82 INTRODUCTION TO HACKING Most people who have never hacked or are beginners think that hackers are a small community of very knowledgeable computer "geniuses" that randomly break into systems for fun and then create havoc or steal information. I will speak of my own views on hacking which shouldn't reflect the feelings of the entire hacking community but I would guess a large amount. First of all hacking is getting more and more risky everyday. Because of this, hacking for fun isn't as safe as it used to be (although most of my hacking is for fun). The reason people (people I know) hack is because we believe in free information exchange. This means that I should be able to freely access any information that is available over the modem that I want. There are obvious reasons why this can't be achieved, but if people have information that is that sensitive then it should not be put out over the modem. Now the second and biggest misconception about hacking is how the hacker actually "hacks". Most people think that hacking is just basically getting lucky and guessing a password that lets you into a system. This is *very* untrue. Let us take an example that you have just broken into the CIA's computer system. So suddenly you get a -> prompt. Now what do you do?!? This is the difference between the hacker and some kid that is good at guessing. The kid may be able to guess a password, but if he doesn't know what to do once he's in then he might as well have not even hacked the password at all. So, the main objective of the hacker is to concentrate on learning how to use a system. After he has done that then he can figure out ways to get around certain kinds of security and get to the stuff he wants. So what you should do is read all the manual's and text files that you can get your hands on. Because before you can defeat a system, you must know how it works (this works for life in general). Ok, now you understand what hacking is and how you should go about learning it. Phone Hacking Basic Boxes Technically Explained BLUE The "Blue Box" was so named because of the color of the first one found. The design and hardware used in the Blue Box is fairly sophisticated, and its size varies from a large piece of equipment to the size of a pack of cigarettes. The Blue Box contains 12 or 13 buttons or switches that emit multi-frequency tones characteristic of the tones used in the normal operation of the telephone toll (long distance) switching network. The Blue Box enables the user to place free long distance calls by circumventing toll billing equipment. The Blue Box may be directly connected to a phone line, or it may be acoustically coupled to a telephone handset by placing the Blue Box's speaker next to the transmitter or the telephone handset. To understand the nature of a fraudulent Blue Box call, t is necessary to understand the basic operation of the Direct Distance Dialing (DDD) telephone network. When a DDD call is properly originated, the calling number is identified as an integral part of establishing the connection. This may be done either automatically or, in some cases, by an operator asking the calling party for his telephone number. This information is entered on a tape in the Automatic Message Accounting (AMA) office. This tape also contains the number assigned to the trunk line over which the call is to be sent. The information relating to the call contained on the tape includes: called number identification, time of origination of call, and info that the called number answered the call and time of disconnect at the end of the call. Although the tape contains info with respect to many different calls, the various data entries with respect to a single call are eventually correlated to provide billing info for use by your Bell's accounting department. The typical Blue Box user usually dials a number that will route the call into the telephone network without charge. For example, the user will very often call a well-known INWATS (toll-free) customer's number. The Blue Box user, after gaining this access to the network and, in effect, "seizing" control and complete dominion over the line, operates a key on the Blue Box which emits a 2600 Hertz (cycles per second) tone. This tone causes the switching equipment to release the connection to the INWATS customer's line. The 2600Hz tone is a signal that the calling party has hung up. The Blue Box simulates this condition. However, in fact the local trunk on the calling party's end is still connected to the toll network. The Blue Box user now operates the "KP" (Key Pulse) key on the Blue Box to notify the toll switching equipment that switching signals are about to be emitted. The user then pushes the "number" buttons on the Blue Box corresponding to the telephone # being called. After doing so he/she uses the "ST" (Start) key to tell the switching equipment that signalling is complete. If the call is completed, only the portion of the original call prior to the 'blast' of 2600Hz tone is recorded on the AMA tape. The tones emitted by the Blue Box are not recorded on the AMA tape. Therefore, because the original call to the INWATS # is toll- free, no billing is rendered in connection with the call. Although the above is a description of a typical Blue Box call using a common way of getting into the network, the operation of a Blue Box may vary in any one or all of the following respects: The Blue Box may include a rotary dial to apply the 2600Hz tone and the switching signals. This type of Blue Box is called a "dial pulser" or "rotary SF" Blue box. Getting into the DDD toll network may be done by calling any other toll-free # such as Universal Directory ASSistance (555-1212) or any number in the INWATS network, either inter-state or intra-state, working or non-wrking. Entrance into the DDD toll network may also be in the form of "short haul" calling. A "short haul" call is a call to any # which will result in a lesser amount of toll charges than the charges for the call to be completed by the Blue Box. For example, a call to Birmingham from Atlanta may cost $.80 for the first 3 minutes while a call from Atlanta to Los Angeles is $1.85 for 3 minutes. Thus, a short haul, 3-minute call to Birmingham from Atlanta, switched by use of a Blue Box to Los Angeles, would result in a net fraud of $1.05 for a 3 minute call. A Blue Box may be wired into the telephone line or acoustically coupled by placing the speaker of the Blue Box near the transmitter of the phone handset. The Blue Box may even be built inside a regular Touch-Tone phone, using the phone's push- buttons for the Blue Box's signalling tones. A magnetic tape recording may be used to record the Blue Box tones for certain phone numbers. This way, it's less conspicuous to use since you just make it look like a walkman or whatever, instead of a box. All Blue Boxes, except "dial pulse" or "Rotary SF" Blue Boxes, must have the following 4 common operating capabilities: It must have signalling capability in the form of a 2600Hz tone. This tone is used by the toll network to indicate, either by its presence or its absence, an "on hook" (idle) or "off hook" (busy) condition of the trunk. The Blue Box must have a "KP" tones that unlocks or readies the multi-frequency receiver at the called end to receive the tones corresponding to the called phone #. The typical Blue Box must be able to emit M tones which are used to transmit phone #'s over the toll network. Each digit of a phone # is represented by a combination of 2 tones. For example, the digit 2 is transmitted by a combination of 700Hz and 1100Hz. The Blue Box must have an "ST" key which consists of a combination of 2 tones that tell the equipment at the called end that all digits have been sent and that the equipment should start switching the call to the called number. BLACK This Box was named because of the color of the first one found. It varies in size and usually has one or two switches or buttons. Attached to the telephone line of a called party, the Black Box provides toll-free calling *to* that party's line. A Black Box user tells other people beforehand that they will not be charged for any call placed to him. The user then operates the device causing a "non-charge" condition ("no answer" or "disconnect") to be recorded on the telephone company's billing equipment. A Black Box is relatively simple to construct and is much less sophisticated than a Blue Box. NOTE: This will not work on any type of Electronic Switching Systems, (ESS, DMS100 etc.) CHEESE This Box was named after the container in which the first one was found. Its design may be crude or very sophisticated. Its size varies; one was found the size of a half-dollar. A Cheese Box was used most often by bookmakers or betters to place wagers without detection from a remote location. The device inter-connects 2 phone lines, each having different #'s but each terminating at the same location. In effect, there are 2 phones at the same location which are linked together through a Cheese Box. It is usually found in an unoccupied apartment connected to a phone jack or connecting block. The bookmaker, at some remote location, dials one of the numbers and stays on the line. Various bettors dial the other number but are automatically connected with the book maker by means of the Cheese Box interconnection. If, in addition to a cheese box, a Black Box is included in the arrangement, the combined equipment would permit toll-free calling on either line to the other line. If a police raid were conducted at the terminating point of the conversations -the location of the Cheese Box- there would be no evidence of gambling activity. This device is sometimes difficult to identify. Law enforcement officials have been advised that when unusul devices are found associated with telephone connections the phone company security representatives should be contacted to assist in identification. (This probably would be good for a BBS, especially with the Black Box set up. and if you ever decided to take the board down, you wouldn't have to change your phone #. It also makes it so you yourself cannot be traced. I am not sure about calling out from one though.) VOICE MAIL BOX HACKING Hello again, and welcome to another �egions f �ucifer text file! This text file has to do with hacking and scanning VMBs. The reason I am writing this file is because I am very good at it, and have had years of experience. In fact I have been called by MCI for screwing them over by attacking and taking over a whole damn system with a few friends of mine. Anyway, hacking VMBs is very simple and basically safe, and not only that but they are cool to have around. You can give them to friends, you can trade them for access on bulletin boards, or you can use it for yourself. As for this 'Tutorial on Hacking VMBs', we will be talking about what systems to hack, how you go about hacking them, default passwords, hints on better scanning, and having your very own box. VMB, in case you don't know, stands for 'Voice Mail Box'. Now a VMB is like an answering machine. You can use it for all sorts of things. Most VMB systems are dialed though 800 numbers. People call up the VMB system that you have a box on, and dial in your box number and then leave you a message. Whenever you want to check your box, you just call up, enter your password and read your messages. Inside a VMB you can do whatever, you can leave messages to others on the system, you can change your 'Out Going' message, you can have guest boxes (Explained later), you can have the box call your house when you get an Urgent message, you can do a lot of things. In fact, on some systems you can even CALL OUT through them, so they can be used as a code of sorts! They are cool to have. You should scan/hack out Virgin Systems, this is another way of calling a system that hasn't been hack out yet. Also, CINDI Systems and ASPEN Systems have the best boxes and the most options that VMB Systems can offer. I will be talking about ASPEN System today since I know most about those. Okay once you've found your Virgin VMB System, you start to scan. Just incase you don't know what scanning is, that means you search for boxes that are hackable (Explained later on). Now you dial up the system and when it picks up and the bitch starts to talk, press the "#" key. It will then ask you for your box number... now there are two different way the ASPEN System can be configured: 1) a "3 Digit Box Number System" or 2) a "4 Digital Box Number System". Now lets just say this system is a 3 Digit System. Okay, when it asks for your Box Number, enter in 999, now it will say one of three things: [These are known as 'Greeting Names'] 1. John Doe [Box owners name] 2. "Box Number 999 Is Not a Valid Box Number" 3. "Box Number 999" Now, if it either says 1 or 2, go to box number 998...997...996...995..etc, but if it says 3, then you are lucky, now it will ask you for your password, now you are probably saying 'Oh no this is where it gets difficult'... well you are WRONG! This part is easy. Here is a list of ASPEN Default Passwords: * We will use box number 666 as an example box # [ BN = Box Number ] List of Default Password: Combination Result 1-BN 1666 BN+1 667 0-BN 0666 BN-0 6660 Most Common �į BN 666 Now enter in a those defaults, try JUST the Box Number first, ASPENs usually use that most. Now, if you try all those Defaults and still can not get into that Voice Mail Box, then that means that the box has been already taken, but the owner hasn't changed his 'Generic Message', if you don't get in, you will just have to search until you get in. Okay, once you get your first box, *DO NOT* change anything!! That will come later. Your first box is, as what is known as a 'Scanning Box'! What you do with your Scanning Box is this: You enter "3" from the main commands menu, and it will ask you for the box number. Now that command is the "Check for Receipt" command, what it does it check Box #xxx for mail rom you. This command is very convenient for us VMB Hackers. To use that command to your advantage, you enter in box a box number and it will say 1 of the three 'Greeting Names', like before, if it say #3, then you write down that Box Number and hack it later. But if it says 1 or 2, then just keep scanning! All boxes with the number 3 Greeting Name is known as a 'Hackable Box'. Now you keep scanning until you have gone all the way down to Box number 000 or whatever is the lowest box it supports. Now, once you have your list this is when all the fun starts! Now you are ready to hack! Hacking Out Your New Found 'Hackable' Boxes: Okay this is the easy part. After you spent most of your time by scanning the system you should be used to the system and how it works, that should make hacking the ASPEN all the easier. Now, if you had a 'Scanning Box', you should know what the default password was for your Scanning Box. Well if the password for your Scanning Box was just the Box Number, then *EVERY* other hackable box should have the SAME default password. VMB Systems have only one default password, If one box has the BN for a Default PW, the all the others will too. Okay, you call up the VMB System will the list of 'Hackable' boxes by your side, and when the bitch is talking, press the "#" key. When it asks you for your box number, enter in the first box number on your list. When it asks for your password, enter in the Default Password Sequence. Now if you don't get into that box, it's not a problem, just keep going down your list. You should get into a few. But remember, just because a box is marked 'Hackable', it doesn't mean you will definitely get into it. Okay, now you hav a few dozen boxes. You can now use you Scanning Box to do whatever you please. ASPEN Guest Boxes: Once you have a box of your own, you can give out 'Guest Boxes'. Guest Boxes are like Sub Boxes in your box. In ASPEN you have 4 of them. If you give out Guest Box #1 to John Doe, Mr. Doe can call in, enter in the password YOU set for him, and leave you messages, but not only that, you can leave messages to HIM! Which means, if his is in New York, and you are in California, and neither of you have codes to call each other, then you can leave messages thru your 800 VMB. Here is a list and explanation of all 4 of the Guest Boxes: 0. Main Box - Your Voice Mail Box! 1. Guest Box #1 - Can Leave & Receive Messages 2. Guest Box #2 - Can Leave & Receive Messages 3. Home Box -Can Leave & Receive Messages 4. Secretary Box - Can Check How Many Messages You Have & Receive Messages Hints On Better Scanning: A lot of people say hacking and scanning for VMBs is too damn hard... well that's because they are going at it all wrong, they probably read some lame piece of text file on Hacking VMBs that was about 500 bytes long. Well, here is a small list of hints on better scanning and hacking: 1. Do not use a Voice Mail Box hacking/scanning program (i.e.: VMB v1.0, ASPEN v1.0, VMBHACK v2.3, etc..) 2. Do not hack in random order (i.e.: B#999, 345, 810, etc) Always hack in order: 999, 998, 997, 996, 995...000. 3. Try to find out if it's virgin. The newer the System, the better. 4. If you have a phone with memory dial, change one entry to the number of the VMB System. 5. Don't hack the System Managers box unless you really want to. Ideas of Things To Do With Your Extra Boxes: Well since you can have up to 500 extra Voice Mail Boxes, you might not know what to do with them, here are a few ideas that can help you out: 1. Give them to friends 2. Sell them to friends 3. Offer them to sysops for better access 4. Trade them for HSTs or whatever 5. Use them as a Voice Verifying line (So you don't have to give out your real voice number to BBSs when you apply!) Blue Box Tones In this short section I will attempt to list some tones that Ma Bell uses and what they are. Well here goes: Blue box frequencies: 2600 hz - used to get on/off trunk tone matrix to use after 2600 hz. 700: 1 : 2 : 4 : 7 : 11 : 900: + : 3 : 5 : 8 : 12 : 1100: + : + : 6 : 9 : KP : 1300: + : + : + : 10 : KP2 : 1500: + : + : + : + : ST : 900 :1100 :1300 :1500 : 1700 : Use KP to start a call and ST (1500+1700) to stop. Use 2600 HZ to disconnect. Red box freqs: 1700 hz and 2200 hz mixed together. A nickel is 66 ms on (1 beep). A dime is 66ms on, 66ms off, 66ms on (2 beeps) a quarter is 33ms on, 33ms off repeated 5 times. (Ms = millisecond). For those of you who don't know, a red box simulates money being put into a pay phone. You must put in some money first though (the operator can tell if money was put in but as to how much she lets the computer answer that. (Yeah for he computer) TASI locking freq: TASI (time assignment speech interpolation) is used on satellite trunks, and basically allows more than one person to use a trunk by putting them on while the other person isn't talking. Of course, you'd never hear the other person talking on your trunk. When you start to talk, however, the TASI controller has to find an open trunk for you. Because of this, some of your speech is lost (because of the delay in finding a trunk) this is called clipping. Well, if you were transmitting data over a trunk, clipping would really mess up the data. So there is something called a TASI locking frequency which keeps the TASI from putting anyone else on your trunk or you on anyone else's trunk. In any case the freq. is 1850 hz. (Sent before the transmission). Have fun!!! CUSTOMER NAME AND ADDRESS The word CN/A stands for Customer's Name and Address ... Your telephone company has set up little bureaus that will answer the telephone all day and give numbers out to any authorized Bell employees of the same city or any other city nationwide. The bureau keeps everyone on file with their name and address, INCLUDING those that are unlisted. So if you have a phone number and you want to find out who owns it and where they live, you can use this little handy system. In short, it is basically used to get a persons real name and real address through just having a phone number! Lets sayyou are constantly being bugged by some little dick and you don't know his name or address, BUT you have his phone number.. well you can get his Name & Address just by having his telephone number! For example, lets say you have this dicks phone number, and it's (212) 555-1873, then just do the following: Look up the CN/A Number for that NPA (NPA = AREA CODE) in the list below. For this example, the NPA is 212 and the CN/A number is 518-471-8111. So then call up the CN/A # (During regular hours) and throw a line like, "Hello, This is Operator #321 from the residential service center in California. And I need to get a CN/A on a customer at 212-555-1873. Thank You."... Make sure not too sound like a twelve year old dork or try and sound lame with a really deep voice, just try to sound as real as possible. Okay, if you got that far, and you sound pretty convincing, then the CN/A operator should not in any means, ask questions and you should get all the info you need! Here is a list of just about EVERY CN/A Number in the Continental United States, this list was supplied to Legions of Lucifer by LawBreaker. ������������������������������������������������������������Ŀ Area � Account � Telephone � Call � Time � Requests � Code � Code � Number � Hours � Zone � per call � ������������������������������������������������������������Ĵ 201 � � (304)344-7935 � 8:00-4:10 � E � 3 � 202 � � (304)343-7016 � 8:30-4:10 � E � 3 � 203 � � (203)789-6815 � 8:10-4:45 � E � 7 � 204 � � (204)949-0900 � 8:30-4:45 � C � N/A � 205 � � (205)555-1212 � 24 hours � C � 2 � 206 � I47128 � (402)572-5858 � 24 hours � C � 2 � 207 � 411 � (518)471-8111 � 8:00-5:00 � E � 16 � 208 � I47127 � (402)572-5858 � 24 hours � C � 2 � 209 � 1659 or � (415)781-5271 � 7:00-5:00 � P � 5 � 209 � 2826 � � � � N/A � 212 � 111 � (518)471-8111 � 8:00-5:00 � E � 16 � 213 �1659/2826� (415)781-5271 � 7:00-5:00 � P � 5 � 214 � SW5167 � (817)461-4769 � 8:00-4:50 � C � 3 � 215 � � (412)633-5600 � 8:30-5:00 � E � 3 � 216 � 161 � (614)464-0511 � 8:00-5:00 � E � 3 � 217 � 700 � (217)789-8290 � 8:00-5:00 � C � 2 � 218 � I47126 � (402)572-5858 � 24 hours � All � 2 � 219 � 161 � (317)265-4834 � 7:30-4:45 � E � 3 � 301 � � (304)343-7016 � 8:00-4:10 � E � 3 � 302 � � (412)633-5600 � 8:30-5:00 � E � 3 � 303 � I47126 � (402)572-5858 � 8:00-5:00 � M � 5 � 304 � I47127 � (304)343-1401 � 8:00-4:10 � E � 3 � 305 � 13402 � (803)251-0046 � 8:30-5:00 � E � 3-15 � 306 � � (306)777-2878 � 8:00-12:00� M � N/A � 307 � I47127 � (402)572-5858 � 24 hours � C � 2 � 308 � I47126 � (402)572-5858 � 24 hours � C � 2 � 309 � 700 � (217)789-8290 � 8:00-5:00 � C � 2 � 312 � 500 � (312)796-9600 � 24hours � C � 2 � 313 � 53423 or� (313)424-0900 � 24 hours � E � 20 � 313 � 61728 � � � � N/A � 314 � SW1012 � (816)275-8460 � 8:30-4:30 � C � 3 � 315 � 111 � (518)471-8111 � 8:00-4:55 � E � 16 � 316 � SW2019 � (913)276-6708 � 8:00-4:45 � C � 3 � 317 � 161 � (317)265-4834 � 7:30-4:45 � E � 3 � 318 � � (318)555-1212 � 24 hours � C � 2 � 319 � I47126 � (402)572-5858 � 24 hours � C � 2 � 401 � 411 � (518)471-8111 � 8:00-5:00 � E � 16 � 402 � I47126 � (402)572-5858 � 24 hours � C � 2 � 403 � � (403)493-6383 � 8:00-4:30 � M � N/A � 404 � 13402 � (803)251-0046 � 8:30-5:00 � E � 3-15 � 405 � SW4070 � (405)236-6121 � 7:30-4:15 � C � 3 � 406 � I47127 � (402)572-5858 � 24 hours � C � 2 � 407 � 13402 � (803)251-0046 � 8:30-5:00 � E � 3-15 � 408 �1659/2826� (415)781-5271 � 7:00-5:00 � P � 5 � 409 � SW5167 � (713)961-2397 � 8:00-5:00 � C � 3 � 412 � � (412)633-5600 � 8:30-5:00 � E � 3 � 413 � 411 � (518)471-8111 � 8:00-5:00 � E � 16 � 414 � 767 � (608)252-6932 � 8:00-4:30 � C � 1-5 � 415 �1659/2826� (415)781-5271 � 7:00-5:00 � P � 5 � 416 � � (416)443-0542 � 8:30-5:00 � E � N/A � 417 � SW1012 � (816)275-8460 � 8:30-4:30 � C � 3 � 418 � � (514)391-7440 � 8:30-4:45 � � N/A � 419 � 161 � (614)464-0511 � 8:00-5:00 � E � 3 � 501 � SW3006 � (405)236-6121 � 7:30-4:30 � C � 3 � 502 � � (502)555-1212 � 24 hours � E � 2 � 503 � I47128 � (402)572-5858 � 24 hours � C � 2 � 504 � � (504)555-1212 � 24 hours � C � 2 � 505 � I47127 � (402)572-5858 � 24 hours � C � 2 � 506 � � (506)694-6541 �8:15-4:30 � A � N/A � 507 � I47126 � (402)572-5858 � 24 hours � C � 2 � 508 � 411 � (518)471-8111 � 8:00-5:00 � E � 16 � 509 � I47128 � (402)572-5858 � 24 hours � C � 2 � 512 � SW5167 � (512)828-2501 � 9:00-5:00 � C � 3 � 513 � 161 � (614)464-0511 � 8:00-5:00 � E � 3 � 514 � � (514)391-7440 � 8:00-4:30 � E � N/A � 515 � I47126 � (402)572-5858 � 24 hours � C � 2 � 516 � 111 � (518)471-8111 � 8:00-5:00 � E � 16 � 517 �53423 or � (313)424-0900 � 24 hours � E � 20 � 517 � 61728 � � � � N/A � 518 � 111 � (518)471-8111 � 8:00-5:00 � E � 16 � 519 � � (416)443-0542 � 8:30-5:00 � E � N/A � 601 � � (601)555-1212 � 24 hours � C � 2 � 602 � I47127 � (402)572-5858 � 24 hours � M � 2 � 603 � 411 � (518)471-8111 � 8:00-5:00 � E � 16 � 604 � � Contact Local � � � N/A � 604 � �Business Office� � � N/A � 605 � I47126 � (402)572-5858 � 24 hours � C � 2 � 606 � � (606)555-1212 � 24 hours � E � 2 � 607 � 111 � (518)471-8111 � 8:00-5:00 � E � 16 � 608 � 767 � (608)252-6932 � 8:30-4:30 � C � 5 � 609 � � (304)344-7935 � 8:00-4:10 � E � 3 � 612 � I47126 � (402)572-5858 � 24 hours � C � 2 � 613 � � (416)443-0542 � 8:30-5:00 � E � N/A � 614 � 161 � (614)464-0511 � 8:00-5:00 � E � 3 � 615 � 13402 � (615)373-7663 � 8:00-4:10 � E � 3 � 616 �53423 or � (313)424-0900 � 24 hours � E � 20 � 616 � 61728 � � � � N/A � 617 � 411 � (518)471-8111 � 8:00-5:00 � E � 16 � 618 � 700 � (217)789-8290 � 8:00-5:00 � C � 2 � 619 �1659/2826� (415)781-5271 � 7:00-5:00 � P � 5 � 701 � I47126 � (402)572-5858 � 24 hours � C � 2 � 702 �1659/2826� (415)781-5271 � 7:00-5:00 � P � 5 � 703 � � (304)343-1401 � 8:00-4:10 � E � 3 � 704 � 13402 � (803)251-0046 � 8:30-5:00 � E � 3-15 � 705 � � (416)443-0542 � 8:30-5:00 � E � N/A � 707 �1659/2826� (415)781-5271 � 7:00-5:00 � P � 5 � 708 � 500 � (312)796-9600 � 24 hours � C � 2 � 709 � � *NONE* � � � N/A � 712 � I47126 � (402)572-5858 � 24 hours � C � 2 � 713 � SW5167 � (713)961-2397 � 8:00-5:00 � C � 2 � 714 �1659/2826� (415)781-5271 � 7:00-5:00 � P � 5 � 715 � 767 � (608)252-6932 � 8:00-4:30 � C � 5 � 716 � 111 � (518)471-8111 � 8:00-5:00 � E � 16 � 717# � � (412)633-5600 � 8:30-5:00 � E � 3 � 717@ �6630109ATZ (717)245-6829 � � � N/A � 718 � 111 � (518)471-8111 � 8:00-5:00 � E � 16 � 719 � I47127 � (402)572-5858 � 8:00-5:00 � M � 5 � 801 � I47127 � (402)572-5858 � 24 hours � C � 2 � 802 � 411 � (518)471-8111 � 8:00-5:00 � E � 16 � 803 � 3402 � (803)251-0046 � 8:30-5:00 � E � 3-15 � 804 � � (304)343-1401 � 8:00-4:10 � E � 3 � 805 �1659/2826� (415)781-5271 � 8:30-5:00 � P � 5 � 806 � SW5167 � (512)828-2501 � 8:00-5:00 � C � 3 � 807 � � (416)443-0542 � 8:30-5:00 � E � N/A � 808 � � (800)852-8840 � 8:00-6:00 � E � N/A � 809 � � (800)852-8840 � 8:30-5:00 � E � N/A � 812 � 161 � (317)265-4834 � 8:30-4:45 � E � 3 � 813 � 13402 � (803)251-0046 � 8:30-4:30 � E � N/A � 813 �GTE only � (813)442-7229 � 8:00-5:00 � E � N/A � 814 � � (412)633-5600 � 8:30-5:00 � E � 3 � 815 � 700 � (217)789-8290 � 8:00-5:00 � C � 2 � 816 � SW1012 � (816)275-8460 � 8:00-4:45 � C � 3 � 817 � SW5167 � (817)461-4769 � 8:00-5:00 � C � 3 � 818 �1659/2826� (415)781-5271 � 6:45-5:00 � P � 5 � 819 � � (514)391-7440 � 8:00-4:30 � E � N/A � 901 � 13402 � (615)373-7663 � 8:00-4:10 � E � 3 � 902 � � (902)421-4110 � 8:15-4:45 � A � N/A �� 904 � 13402 � (803)251-0046 � 8:30-5:00 � E � 3-15 � 906 � 61728 � (313)424-0900 � 24 hours � E � 20 � 907 � � *NONE* � � � N/A � 912 � 13402 � (803)251-0046 � 8:30-5:00 � E � 3-15 � 913 � SW2019 � (913)276-6708 � 8:00-4:45 � C � 3 � 914 � 111 � (518)471-8111 � 8:00-5:00 � E � 16 � 915 � SW5167 � (512)828-2501 � 8:00-5:00 � P � 5 � 916 �1659/2826� (415)781-5271 � 8:30-5:00 � P � 5 � 918 � SW4070 � (405)236-6121 � 7:30-4:10 � C � 3 � 919 � 13402 � (803)251-0046 � 8:30-5:00 � E � 3-5 � �������������������������������������������������������������� # - Bell of PA @ - United Time Zones: P - Pacific 12:00 pm M - Mountain 1:00 pm C - Central 2:00 pm E - Eastern 3:00 pm A - Atlantic 4:00 pm Note: The account code for Centel and CONTEL is CNAT, United Tel. is 6630109ATZ Well, that's about it. I tried to find any mistakes that might have occurred during typing, but there's bound to be one or two around... Two things to note here: 1> California has 2 codes listed (1659 and 2826). The first is for people in California, the second is for everyone else outside of California obtaining a CNA in those area codes. 2> Michigan ALSO has two codes. The first was the one currently working when I last tried; the second is what the new code will be if it hasn't been changed already... It's a totally automated system, so try both codes. Lock In Trace A lock in trace is a device used by the F.B.I. to lock into the phone users location so that he can not hang up while a trace is in progress. For those of you who are not familiar with the concept of 'locking in', then here's a brief description. The F.B.I. can tap into a conversation, sort of like a three-way call connection. Then, when they get there, they can plug electricity into the phone line. All phone connections are held open by a certain voltage of electricity. That is why you sometimes get static and faint connections when you are calling far away, because the electricity has trouble keeping the ine up. What the lock in trace does is cut into the line and generate that same voltage straight into the lines. That way, when you try and hang up, voltage is retained. Your phone will ring just like someone was calling you even after you hang up. (If you have call waiting, you should understand better about that, for call waiting intercepts the electricity and makes a tone that means someone is going through your line. Then, it is a matter of which voltage is higher. When you push down the receiver, then it see- saws the electricity to the other side. When you have a person on each line it is impossible to hang up unless one or both of them will hang up. If you try to hang up, voltage is retained, and your phone will ring. That should give you an understanding of how calling works. Also, when electricity passes through a certain point on your hone, the electricity causes a bell to ring, or on some newer phones an electronic ring to sound.) So, in order to eliminate the trace, you somehow must lower the voltage level on your phone line. You should know that every time someone else picks up the phone line, then the voltage does decrease a little. In the first steps of planning this out, Xerox suggested getting about a hundred phones all hooked into the same line that could all be taken off the hook at the same time. That would greatly decrease the voltage level. That is also why most three-way connections that are using the bell service three way calling (which is only $3 a month) become quite faint after a while. By now, you should understand the basic idea. You have to drain all of the power out of the line so the voltage can not be kept up. Rather sudden draining of power could quickly short out the F.B.I. voltage machine, because it was only built to sustain the exact voltage necessary to keep the voltage out. For now, imagine this. One of the normal Radio Shack generators that you can go pick up that one end of the cord that hooks into the central box has a phone jack on it and the other has an electrical plug. This way, you can "flash" voltage through the line, but cannot drain it. So, some modifications have to be done. Materials ---------- A BEOC (Basic Electrical Output Socket), like a small lamp-type connection, where you just have a simple plug and wire that would plug into a light bulb. One of cords metioned above, if you can't find one then construct your own... Same voltage connection, but the restrainer must be built in (I.E. The central box) Two phone jacks (one for the modem, one for if you are being traced to plug the aqua box into) Procedure ---------- All right, this is a very simple procedure. If you have the BEOC, it could drain into anything: a radio, or whatever. The purpose of having that is you are going to suck the voltage out from the phone line into the electrical appliance so there would be no voltage left to lock you in with. Take the connection cord. Examine the plug at the end. It should have only two prongs. If it has three, still, do not fear. Make sure the electrical appliance is turned off unless you want to become a crispy critter while making this thing. Most plugs will have a hard plastic design on the top of them to prevent you from getting in at the electrical wires inside. Well, remove it. If you want to keep the plug (I don't see why...) then just cut the top off. When you look inside, Lo and Behold, you will see that at the base of the prongs there are a few wires connecting in. Those wires conduct the power into the appliance. So, you carefully unwrap those from the sides and pull them out until they are about an inch ahead of the prongs. If you don't want to keep the jack, then just rip the prongs out. If you are, cover the prongs with insulation tape so they will not connect with the wires when the power is being drained from the line. Do the same thing with the prongs on the other plug, so you have the wires evenly connectd. Now, wrap the end of the wires around each other. If you happen to have the other end of the voltage cord hooked into the phone, stop reading now, you're too stupid to continue. After you've wrapped the wires around each other, then cover the whole thing with the plugs with insulating tape. Then, if you built your own control box or if you bought one, then cram all the wires into it and close it. That box is your ticket out of this. Re-check everything to make sure it's all in place. This is a pretty flimsy connection, but on later models when you get more experienced at it then you can solder away at it and form the whole device into one big box, with some kind of cheap Mattel hand-held game inside to be the power connector. In order to use it, just keep this box handy. Plug it into the jack if you want, but it will slightly lower the voltage so it isn't connected. When you plug it in, if you see sparks, unplug it and restart the whole thing. But if it just seems fine then leave it. Now, so you have the whole thing plugged in and all... Do not use this unless the situation is desperate! When the trace has gone on, don't panic, unplug your phone, and turn on the appliance that it was hooked to. It will need energy to turn itself on, and here's a great source... The voltage to keep a phone line open is pretty small and a simple light bulb should drain it all in and probably short the F.B.I. computer at the same time. Happy boxing and stay free! Pinkish Box The function of a "Pink Box" is a hold button that allows music or anything else to be played into the telephone while person is on hold. This modification either be done right in the telephone as a separate box. Materials Needed 1. Some Bell wire or Phone wire 2. A SPST momentary switch RS # 275-1547 3. 470 ohm resistor RS # 271-019 4. 1 LED (Approx 5V) RS # 276-041 5. An SCR, 2N5061 (Transistor) 6. Audio Transformer (Ratio 10K:600) 7. RCA phono Jack RS # 274-346 8. Screw drivers, soldering irons, solder, Etc. 1. Open the wall box and locate the RED and GREEN wires. 2. Take a piece or RED wire and strip tend and attach it to the red lead on the wall box. Do the same for the GREEN. 3. Connect the GREEN wire to the ANODE of the LED. 4. Connect the CATHODE side of the LED the UPPER pin of the primary side of the transformer. 5. Connect the pin directly across to one pole of the phono jack. 6. Connect the RED wire to one side of resistor and to the "C pole" of the transistor. 7. Connect the open pin of the switch the other side of the resistor and to the "G pole" of the transistor. Wiring Diagram RCA Jack X-former LED _____ C A Pole or Jack --/---! Top !---/--(*)--\------GREEN wire -!View !- Primary --I---RED wire Pole of Jack --/---!_____!---/-I (O) I I I [--I-----Pole of Switch I I--------/--m--Pole of Switch Key to Symbols -- Wire I Connection or wire / Connection or wire _/ C pole of transistor --(*)-- [_)-- G pole of transistor I I A pole of transistor (O) Resister I _____ ---! Top !--- -! View!- Primary Transformer ---!_____!--- Hook the RED and GREEN wires up to the appropriate terminals and hook the RCA jack to the output on your stereo. Turn on your stereo at a good volume. Now call a friend. To test the Box, hold down the switch and hang up the phone. The LED should go and your friend should hear music, If not then start over. The hold is shut off if you pick up a phone on that line or your end hangs up. Pearl Box The Pearl Box:Definition - This is a box that may substitute for many boxes which produce tones in hertz. The Pearl Box when operated correctly can produce tones from 1-999hz. As you can see, 2600, 1633, 1336 and other crucial tones are obviously in its sound spectrum. Materials you will need in order to build The Pearl Box: ===================================== C1, C2:.5mf or .5uf ceramic disk capacitors Q1.....NPN transistor (2N2222 works best) S1.....Normally open momentary SPST switch S2.....SPST toggle switch B1.....Standard 9-Volt battery R1.....Single turn, 50k potentiometer R2..... " " 100k potentiometer R3..... " " 500k potentiometer R4..... " " 1meg potentiometer SPKR...Standard 8-ohm speaker T1.....Mini transformer (8-ohm works best) Misc...Wire, solder, soldering iron, PC board or perfboard, box to contain the completed unit, battery clip Instructions for building Pearl Box: ====================================== Since the instruction are EXTREMELY difficult to explain in words, you will be given a schematic instead. It will be quite difficult to follow but try it any way. There is also a Hi-Res picture you can get that shows the schematic in great detail. Schematic for The Pearl Box +---+------------+---------+ ! ! \ C1 C2 \ ! ! + + + -----+T1 !\ +------------+-+ ! b c-------! + ! Q1 ! +-S1- ! e-----S2---+ ! SPKR ! ! ! +---- ! B1 ! ! ! ! ! +-------+ !R1 R2 R3 R4! /\/\ /\/\ /\/\ /\/\ +--+ +--+ +--+ Now that you are probably thoroughly confused, let me explain a few minor details. The potentiometer area is rigged so that the left pole is connected to the center pole of the potentiometer next to it. The middle terminal of T1 is connected to the piece of wire that runs down to the end of the battery. Correct operation of The Pearl Box: You may want to get some dry-transfer decals at Radio Shack to make this job a lot easier. Also, some knobs for the tops of the potentiometers may be useful too. Use the decals to calibrate the knobs. R1 is the knob for the ones place, R2 is for the tens place, R3 if for the hundreds place and R4 is for the thousands place. S1 is for producing the all the tones and S2 is for power. Step 1: Turn on the power and adjust the knobs for the desired tone. (Example: For 2600 hz- R1=0:R2=0:R3=6:R4=2) Step 2: Hit the pushbutton switch and VIOLA! You have the tone. If you don't have a tone recheck all connections and schematic. If you still don't have a tone call Brainstorm BBS: 612-345-2815, The Bay:415-775-2384 or Pirate's Harbor:617-720-3600 and leave me e-mail stating what the scene is. Brown Box This is a fairly simple modification that can be made to any phone. All it does is allow you to take any 2 lines in your house and create a party line. So far I have not heard of any problems with it from my friends that have set one up and I have not had any either. There is one thing that you will notice when you are one of the two people who is called by a person with this box. The other person will sound a little bit faint. I could overcome this with some amplifiers but then there wouldn't be very many of these boxes made. I think that the convenience of having two people on line at any one time will make up for the minor volume loss. Here is the diagram: ___________________________ PART SYMBOL --------------------------- BLACK WIRE * YELLOW WIRE = RED WIRE + GREEN WIRE - SPDT SWITCH _/_ VERTICAL WIRE | HORIZONTAL WIRE _ * = - + * = - + * = - + * = - + * = - + * ==_/_- + *******_/_++++++ | | | | | | |_____PHONE____| In some houses the black and yellow are already wired in others you will have to go out to your box and rewire it. A goo way to figure out which line is which is to take the phone you are looking for off the hook. Then you only need to take the red and green wires entering your phone and hook them to the different pairs of red and green going into the house. You can't hurt anything in the phone or telephone by probing. When you find the pair that you want take the black from your line and attach it to the red of the other line then take the yellow and attach it to the green line. Now you are all set to go. For people with rotary phones you can have one person call you then place the second call out to the other person. Though not a phreaker's tool, the brown box can be fun. Scarlet box The purpose of a Scarlet box is to create a very bad connection, it can be used to crash a BBS or just make life miserable for those you seek to avenge. Materials: 2 alligator clips, 3 inch wire, or a resister (plain wire will create greatest amount of static) (Resister will decrease the amount of static in proportion to the resister you are using) Step (1): Find the phone box at your victims house, and pop the cover off. Step (2): Find the two prongs that the phone line you wish to box are connected to. Step (3): Hook your alligator clips to your (wire/resister). Step (4): Find the lower middle prong and take off all wires connected to it, I think this disables the ground and call waiting and stuff like that. Step (5): Now take one of the alligator clips and attach it to the upper most prong, and take the other and attach it to the lower middle prong. Step (6): Now put the cover back on the box and take off!! Day-Glow A day-glow box is very easy to make, and very inexpensive to build. It works like this: On the outside of every home that has a phone, there is something called "the outside connection box," which is where the house is connected to Ma Bell's network. This ingenious device connects to a) your phone, b) the victim's outside box. You should be starting to get the idea. Materials necessary: 1. Radio Shack modular conversion jack 2. A small experimenter's box (optional) 3. 1 foot of red wire. (better to overkill) 4. 1 foot of green wire. (same as above) 5. 2 medium alligator clips In order to construct this box, you will need all of the above materials. Note that your wire does not necessarily have to be red or green, but it is necessary that you be able to tell them apart. Also, you might want to use thick, easily bent wire (audio hookup wire works best) instead of bell wire. Now, on to the construction. Remove the actual modular jack from the conversion box. This can be done by pushing inward and then up, or you can just cut the plastic. Remove the black and yellow wires from the jack. You can either clip these or rip them out. To your newly isolated jack, add the 1 foot wire extensions to the respective wires. Soldering and then wrapping the connections with electrical tape works best. Next, solder the alligator clips to the extended wires. If you do not wish to solder them, then just wrap the clips with the wire. Now, place this newly made contraption into a box (optional). You may need to drill a few holes, and possibly remove the alligator clips, but you should have read this file first, anyway. The day-glow box will work with any phone. First, you need to locate a house that has a phone. Next, (it's preferable to do this at night) go up to the and locate the outside connection box. Pop the cover off. Locate prong 3 and prong 4. You will attach the green wire clip to prong 3. The red wire clip will go to prong 4. Now, plug your phone (preferably a trimline or ranger) into your modular plug. You may now either listen in on the call (wire tap) OR you may call out to anywhere in the world. If you are really daring, you can bring your computer with you. Note: This box may also be used in conjunction with the lunch box in order to make a perfect phone bug. Neat things you can do with your new box: Call 976 numbers. This should be done very frequently. Also, I find that after finding the victim's outside box, several calls to the gay hotline will have interesting after-effects. Namely, his parents wondering about him. Alliance teleconferencing can be accomplished quite easily. Try it! Call 0-700-456-1000. Or, tell the operator you'd like to initiate a conference. Of course, you should place several calls to other countries. This can be accomplished by looking in the front of your white pages for the various country and city codes. You should be able to follow the directions provided in there. Have you ever wondered what those 6ft tall cabinets with the bell logo on them were for? Well, if you've never seen them, here's a quick description: They are 6ft tall by 3ft wide, and painted the dull phone company green. They can be opened quite easily with a 7/16ths inch socket wrench. After turning the bold over the handle, turn the handle to the right and pull. It should open, displaying over 100 different lines. Occasionally, you can find tech. manuals and test kits inside. They are usually located near phone lines. Okay, now, once you have opened one of these calling cabinets, locate the line of your choice. You will have to take out both the orange and the white insulated screws. The purple and white wires should come off along with the screws. The lines go out to the house, and the screw posts are the actual line. Now, you should clip the alligators to the posts, with one part of the clip on the insulation, and on.]Now, you should clip the alligators to the nep parteli. Oh, if you want the home to remain connected, clip the wires inside the hole using the alligator clips. By the way, the red terminal on your box goes to the orange post, and the green one to the white post... if that doesn't work, reverse the connection. Now, to find out the number you have taken over, dial 380-55555555. Yes, that's eight fives. A computer voice should tell you what number you are on. I hope you can take it from here. Oh, in apartments, you can find the calling cabinet in the basement... remember, this is not your line, so do anything you want. Call the President or something. Gold Box Plans Materials: 2 10k OHM resistors 3 1.4k OHM resistors 2 2N3904 transistors 2 Photocells 2 LED's (Make sure they're real bright) 1 Box to contain it in that will not allow sunlight in it. (some) wire. Red and green for easiness sake Light from the LED's must shine directly on the photocells. You may have to have the LED touching the photocell for it to work. [The 1.4k resistor is variable and if the second part of the box is skipped the box will still work but if someone picks up the phone they may report it to the Phone Co. The 1.4k will give you good reception with little risk of the Gestapo knocking at your door. Take two green wires and strip the ends. Twist one end of each together so they make one wire. Connect it to Green #1. Label this 'Line #1'. Do the same but with red wire and attach it to Red #1. Repeat the process for Red #2 and Green #2 and label it 'Line #2'. Find two phone lines that are close together. Label one of them 'Line #1'. Cut [the phone lines and take off the outer covering. You'l see 4 colored wires inside. Cut the yellow and black wire off and strip the red and green wires on both lines. Line #1 should be in two pieces. Take the green wire of one end and connect to one of the green wires on the box. Take the other half of the phone line green wire and connect it to the other green wires on the gold box. Do the same for the red wires on the other line and the red wires on the box. Now, find out what number you hooked up the gold box to. Go home and call it. You should get a dial tone and you can dial out. If not, re-check everything. If it still doesn't work, pack up and go home. Green Box Paying the initial rate in order to use a red box (on certain fortresses) left a sour taste in many red boxers mouths, thus the green box was invented. The green box generates useful tones such as COIN COLLECT, COIN RETURN, AND RINGBACK. These are the tones that ACTS or the TSPS operator would send to the CO when appropriate. Unfortunately, the green box cannot be used at the fortress station but must be used by the CALLED party. Here are the tones: COIN COLLECT 700+1100hz COIN RETURN 1100+1700hz RINGBACK 700+1700hz Before the called party sends any of these tones, an operator release signal should be sent to alert the M detectors at the CO. This can be done by sending 900hz + 1500hz or a single 2600 wink (90 ms.) Also, do not forget that the initial rate is collected shortly before the 3 minute period is up. Incidentally, once the above M tones for collecting and returning coins reach the CO, they are convertedinto an appropriate DC pulse (-130 volts for return and +130 for collect). This pulse is then sent down the tip to the fortress. This causes the coin relay to either return or collect the coins. The alleged "T- network" takes advantage of this information. When a pulse for coin collect (+130 VDC) is sent down the line, it must be grounded somewhere. This is usually the yellow or black wire. Thus, if the wires are exposed, these wires can be cut to prevent the pulse from being grounded. When the three minute initial period is almost up, make sure that the black and yellow wires are severed, then hang up, wait about 15 seconds in case of a second pulse, reconnect the wires, pick up the phone, an if all goes well, it should be "JACKPOT" time. Blotto Box For years now every pirate has dreamed of the Blotto Box. It was at first made as a joke to mock more ignorant people into thinking that the function of it actually was possible. Well, if you are The Voltage Master, it is possible. Originally conceived by King Blotto of much fame, the Blotto Box is finally available to the public. The Blotto Box is every phreak's dream... you could hold AT&T down on its knee's with this device. Be cause, quite simply, it can turn off the phone lines everywhere. Nothing. Blotto. No calls will be allowed out of an area code, and no calls will be allowed in. No calls can be made inside it for that matter. As long as the switching system stays the same, this box will not stop at a mere area code. It will stop at nothing. The electrical impulses that emit from this box will open every line. Every line will ring and ring and ring... the voltage will never be cut off until the box/generator is stopped. This is no 200 volt job, here. We are talking GENERATOR. Every phone line will continue to ring, and people close to the box may be electrocuted if they pick up the phone. But, the Blotto Box can be stopped by merely cutting of the line or generator. If they are cut off then nothing will emit any longer. It will take a while for the box to calm back down again, but that is merely a superficial aftereffect. Once again: Construction and use of this box is not advised! The Blotto Box will continue as long as there is electricity to continue with. OK, that is what it does, now, here are some interesting things for you to do with it... Once you have installed your Blotto, there is no turning back. The following are the instructions for construction and use of this box. Please read and heed all warnings in the above section before you attempt to construct this box. Materials: - A Honda portable generator or a main power outlet like in a stadium or some such place. - A radm r=L L5I Z] ] for 400 volts that splices a female plug into a phone line jack. - A meter of voltage to attach to the box itself. - A green base (i.e. one of the nice boxes about 3' by 4' that you see around in your neighborhood. They are the main switch boards and would be a more effective line to start with. or: regular phone jack (not your own, and not in your area code! - A soldering iron and much solder. - A remote control or long wooden pole. Now. You must have guessed the construction from that. If not, here goes, I will explain in detail. Take the Honda Portable Generator and all of the other listed equipment and go out and hunt for a green base. Make sure it is one on the ground or hanging at head level from a pole, not the huge ones at the top of telephone poles. Open it up with anything convenient, if you are two feeble then don't try this. Take a look inside... you are hunting for color-coordinating lines of green and red. Now, take out your radio shack cord and rip the meter thing off. Replace it with the voltage meter about. A good level to set the voltage to is about 1000 volts. Now, attach the voltage meter to the cord and set the limit for one thousand. Plug the other end of the cord into the generator. Take the phone jack and splice the jack part off. Open it up and match the red and green wires with the other red and green wires. NOTE: If you just had the generator on and have done this in the correct order, you will be a crispy critter. Keep the generator off until you plan to start it up. Now, solder those lines together carefully. Wrap duck tape or insulation tape around all of the wires. Now, place the remote control right on to the startup of the generator. If you have the long pole, make sure it is very long and stand back as far away as you can get and reach the pole over. NOTICE: If you are going right along with this without reading the file first, you should realize now that your area code is about to become null! Then, getting back, twitch the pole/remote control and run for your damn life. Anywhere, just get away from it. It will be generating so much electricity that if you stand to close you will kill yourself. The generator will smoke, etc. but will not stop. You are now killing your area code, because all of that energy is spreading through all of the phone lines around you in every direction. Computer Hacking TYMNET Introduction: Many people may or may not have heard of Tymnet. Tymnet is one of the best information gathering networks that is around. It seems as though it were set up with the hacker in mind, but we all know this isn't true. After becoming experienced with the network, I found there to be little information available to the newcomer, with the exception of what is already available on the network, but as we all know, this leaves the newcomer craving for more. As this file was under construction, a great blow hit the hacker community on the network; four of the most popular NUIs died (NUIs to be discussed later). They were VIDEO, and the T.LLOYxx Family. In hopes of having the community reborn, an additional new NUI has been included. For more information regarding Tymnet, Telenet, and other PSNs, consult the Leigon's of Lucifer Text File #10-11. Although other information on PSNs is available from Leigon's of Lucifer, this file was written in mind that the reader is unfamiliar with Tymnet. Terminology that would appear to be new to the reader is explained, in hopes that you will gain a greater knowledge of the networks. Tymnet is an international network designed for two basic reasons. One, to link computers worldwide in order to exchange information. Two, so hackers can take advantage of the network and connect to the as many computers available =). Tymnet is linked to computers throughout the world including most major continents (North/South America, Asia, Europe, Africa, Australia, etc.). Tymnet is referred to as a PSN, which is an acronym for Packet Switching Network. A PSN is any network that sends information via packets, in Tymnet's case, 128 byte packets. The following is an example of a simple PSN, which includes three major components: 1) The PAD (Your Local Dialup) 2) The PSN (The network that you are currently on) 3) The Host (The computer you connect to via the PSN) Use of a PSN is quite simple. First you must connect to your local PAD, and sign in with a NUI. If the NUI is valid, a colon prompt will follow (;), at which you may enter any NUA (NUAs to be discussed later), depending on what level of access the NUI has. The PSN then connects you to the Host, posing as a relay between you and the host. If this appears confusing, read through the rest of this file, and browse back through it, and possibly you will understand the concept a bit better. Since Tymnet is not connected to nearly as many businesses as Telenet, it turns to be more of a communication and information gathering tool then a scanning one. Hackers on Tymnet, which can be contacted on the many various chat systems are almost always bound to have information to trade, or give away. Almost everything is available, from telco, fraud, to hacking. Connecting to Tymnet: The first thing you must do is find your local Tymnet dialup. If you already know your dialup, you can skip by this paragraph, and move on. There are two ways to acquire your dialup. Voice, or data. If you choose to find out your dialup voice, call 1- (800)-222-0555. Use your touch-tone keypad and follow the voice prompts. Data is quite simple if you are already familiar with the logon process on Tymnet. Type 'Information', or 'Info' at the NUI (Logon) prompt. It's self explanatory from there. You can also dial 1-(800) 336-0149 to find out your local dial, this includes HST Modems. You must now prepare your terminal to communicate with Tymnet. Switch your parity to either 7E1 or 8N1. 7E1 is preferred, as I have encountered problems using 8N1. Toggle your Local Echo until it appears satisfactory. Once connected, Hit return a few times until the following message appears: please type your terminal identifier When this occurs, hit 'a' if you have 7E1, or 'o' if you have 8N1 set up. The 'a' / 'o' combination tells the PAD your parity setting. Something to this effect will follow: -4353:01-007- please log in: You have now successfully connected to Tymnet. Usage of NUIs: NUI is an acronym for Network User Identification. This is much like the standard 'user name' on your favorite BBS. NUIs are legitimate accounts given to paying members of Tymnet. Hackers always seem to have a knack for setting up illegal NUIs though. Unlike Telenet, Tymnet NUIs are easy to find. The NUI 'VIDEO', which was by far one of the most popular hacker NUIs on Tymnet was cancelled during the construction of this file. Along with it, the T.LLOYxx Family died (T.LLOY01, T.LLOY02, T.LLOY03). These NUIs are probably the most free accounts that have been available; meaning they had extremely little restrictions. After entering a legitimate NUI, a colon prompt will appear. This notifies you that Tymnet is ready to receive a NUA. NUA is an acronym for Network User Address. This could be associated with a BBS telephone number, as they are much alike in certain aspects. Types of NUAs: Chat Systems- Chat systems are probably the most popular of the NUAs to hackers on the networks. You can find many other hackers that are willing to trade new information. As well, in-depth conversations on hacking do take place on chat systems, so they are an excellent place to learn for the newcomer. One of the most popular chat systems is QSD France. You can reach QSD via 208057040540 NUA. It is not a 'Live' chat system, as messages take some time to exchange. This chat system is also an excellent place to find other hackers to exchange information with. But be noted, QSD is like a local chat system in France, so you will, certain times, run into people who know nothing about hacking. It's best to avoid these people, because they are usually gay/lesbian, or looking for a fight. Besides, what use do you have for the general public? When reaching QSD, remember to change your parity to 8N1. If you logged in with 8N1, don't worry about it. Another note, QSD treats a destructive backspace as return. Do NOT hit backspace. The only way to get around the backspace problem, from my knowledge, is to use a Canadian PAD. Most other chat systems are run off either custom software, like QSD, or off a Unix Shell. The Unix Shell chat systems are a bit harder to understand, but are much more powerful. When logging in to a Unix chat system, you will see a Logon: prompt, as most Unix's have. Try using default accounts to logon (x25, Guest, etc.). When logging onto a Unix Chat System which automatically places your NUA (Your PAD Address), use the FROM= command from the logon. RMI Chat System is a perfect example of this. Use Gast FROM=Hell/Gast as a Username/Password. If you want other hackers to know the exact geographical location from which you are calling, don't bother with this, otherwise, be safe, and use the FROM= command. Unix Chat Systems resemble closely to the conferences found on most pay networks (Compuserve, Genie, BIX, etc), as they are 'Live', and you see messages as soon as the author writes them. Outdials Explained: Outdials that are available on Tymnet are PC-Pursuit (Telenet) Outdials. PC-Pursuit is a pay service from Telenet where you sign up and pay a monthly fee, and you are allowed a certain amount of long distance data calls. Of course, when using PC-Pursuit Outdials through Tymnet, you don't have to pay for anything. Outdials are restricted only to dial numbers from within that area code. If you logon to the 213 Outdial, you can only reach data numbers in 213. These Outdials are referred to as Local Outdials. There is another type of Outdials, and there are called Global Outdials, or, abbreviated, GODs. GODs can call anywhere within the United States with no restrictions, unlike LODs. The dial format for GODs usually differs. Ask whomever you received the GOD from for dialing procedures. Usage of Outdials is quite simple, after logging into Tymnet, and entering the NUA of the desired Outdial, you must hit one of three commands. If you are new to Outdials, they have a help level available where a program controls the modem for you via certain commands you send to it. To reach this help level, hit either CTRL-E or '%' when you connect to the Outdial. If you wish to use simplified AT commands, type 'AT', and you are ready. Use the AT level just as you would with your own modem. Entering a 1+AC+Number is not necessary, and if done, will not work correctly. Remember, you are logged into a certain area code, and you can only call numbers within that area code, so just type the local 7 digit phone number. File transferring through Tymnet/Telenet OutDial through tymnet is tricky when you are on a BBS, you must ALWAYS switch to 8n1,1 after you connect to a BBS through a OD, and when you are about to transfer, the only protocol you can use is PCP Z-Modem, aka MobyTurbo Zmodem, aka Z-Modem '90. This protocol was made for tymnet OD's and if you don't use it, you will get a slew of errors in your file and it will just corrupt the file and/or abort your transfer. DNIC Restrictions: DNIC is an acronym for Data Network Identification Code. A DNIC is made up of the first 4 digits of any NUA. There are plenty of DNIC lists around, so I will not include one. A DNIC shows which network, or country you are connecting to. Most of the NUIs that have been around have had very little restrictions when it comes to connecting to different DNICs, but as they are slowly dying, you might run into trouble with new NUIs that have restrictions. If you are trying to connect to a system in Germany, and your NUI bars access to German DNICs, try connecting to another PAD, such as an England PAD, and attempt connecting to the NUA again. You should not run into many problems. It's harder to scan this way.. but it's a method around NUI restrictions. (Editor's Notes: In this text file, the author refers to your local Tymnet dialup as a PAD. Technically, it is. Technically, everything on Tymnet is a PAD. When I use the acronym PAD, I mean an x28/x29 PAD, and not a local dialup, and most of the rest of the hacker community on the networks would agree. I find very rare instances where I see it used in this way.) Here is a list of Telenet PC-Pursuit Local Out Dials: New Jersey: 3110 201 00 022 2400 Baud District of Columbia: 3110 202 00 117 2400 Baud Connecticut: 3110 203 00 105 2400 Baud Washington: 3110 206000 208 2400 Baud New York: 3110 212 00 028 2400 Baud California: 3110 213 00 023 2400 Baud 3110 213 00 413 2400 Baud 3110 714 00 004 2400 Baud 3110 714 00 102 2400 Baud 3110 916 00 007 2400 Baud 3110 408 00 021 2400 Baud Texas: 3110 214 00 022 2400 Baud 3110 713 00 024 2400 Baud Pennsylvania: 3110 215 00 022 2400 Baud Ohio: 3110 216 00 120 2400 Baud Colorado: 3110 303 00 021 2400 Baud 3110 303 00 115 2400 Baud Florida: 3110 305 00 122 2400 Baud 3110 813 00 124 2400 Baud Illinois: 3110 312 00 024 2400 Baud Michigan: 3110 313 00 024 2400 Baud Missouri: 3110 314 00 005 2400 Baud Alabama: 3110 404 00 022 2400 Baud Wisconsin: 3110 414 00 120 2400 Baud Arizona: 3110 602 00 026 2400 Baud Minnesota: 3110 612 00 022 2400 Baud Massachusetts: 3110 617 00 026 2400 Baud Utah: 3110 801 00 012 2400 Baud North Carolina: 3110 919 00 124 2400 Baud TELENET I am writing this assuming that the reader has no knowledge of the Telenet network. In part 1 I will discuss the basic theory of Telenet and how it can be used as a basically safe and fun hacking tool. Telenet is a Packet Switching Network (PSN). Since I want to make this as short as possible I will try to give you a *basic* understanding of what a PSN is and how it works. Basically there are 3 levels to the PSN. The 3rd and lowest is the PAD that you dial-up. This is where you enter all of the information. 2nd is the actual PSN which takes the data you enter in 128k chunks (usually) and then transmits them to the host (1st and highest level) at baud rates ranging from 9600 to 19,200. This means that 2 computers with different baud rates are able to communicate (See my really bad ASCII PSN map). Ok, now you have a *basic* understanding of how Telenet works. Now to the fun stuff! Remember, Telenet has access to computers all over the world. When you consider all the networks that these other computers are connected to then you can see that you can basically access the entire world. It is also pretty safe because there is no way that someone can monitor all the PADs at one time. Ok, now first you must find a list of Telenet access numbers. There are many lists out there (look in Phrack issue 21). If you can't find one then to find the Telenet dialup nearest your location, call 800-424-9494 at 300/1200 baud. At the '@' prompt, type 'MAIL'. Enter user name 'PHONES' with password 'PHONES'. So now you have a local access number. Remember it's (7E1), so if your screen looks messed-up then you're not set right. After you call this is what you do..... *Inside the '<>' (of course is return) is what you have to type.... CONNECT 2400 (or whatever baud rate it is) TERMINAL= @ Ok, now you're to the @ prompt. This is the telenet PAD prompt. This prompt means that telenet is in "command" mode. Now we will get to the *real* fun. Telenet's computer systems are identified by NUA's. This stands for Network User Address. The way you connect to the NUA's are by either typing in 'c' or just typing in the nua by itself. We will work w/ the 1st and most basic form on the NUA since this is a file for people who don't know what the hell they're doing (I'll make another G-phile for the more advanced telenet hacker ). The easiest form is AAA XXX, this is where AAA stands for an area code and XXX stands for random numbers. So if I wanted to scan the Los Angeles area for example I would type 213 123. Here 213 is the area code and 123 are random numbers. You must have a at least 4 numbers. So 213 1 would work as would 213 12. Telenet doesn't recognize zeros or spaces so you could also type 213 123 like this 213000000000000123 or like 213123. Ok, now that you know how to use simple NUA's you can start messing around. So, now you can access all the networks and Unix/Vax/Primes/etc... that you want right? So, you enter 213 123 and suddenly it says.. COLLECT CONNECTION REFUSED F4 E6 Well, you just learned life's first lesson. Nothing in life is free! Yes, that's right, the "good" systems on telenet you have to pay for. This is where a NUI comes in. This stands for Network User ID. This is for users with "accounts" on telenet. NUI's are very hard to find these days ( I've only had 1 in my hacking adventures ). They are in the form of a user name ( anything ) and then a password (6 numbers). These are very hard to hack since there are no "default" names or passwords. You type in ID and then the password to user one. if you can hack out a NUI then you should be writing G-Philes instead of reading them. But don't worry though! There are *MANY* systems on telenet that are free. The only ones that cost money are the big ones like some BIG corporation. By just typing in an area code and then a random number ( up to 3 digits ) you can find some really cool systems (hey, yo can hack into McDonalds for free!!). Anyway I have the most fun by turning on my Led Zeppelin CD and just randomly typing in numbers. You will find at least 1 NUA that connects for every 5 you type in . Its not like phreaking where you find a code per 10 hours.... Of course there are the lazy hackers who just want the NUA's with no work, there are many good NUA lists ( check you local p/h/a board ). You can find a NUA lists in a few Phrack issues or on DII (Data Infinty, Incorporated (yes once again, I must plug my organization you know). If you want to feel like you did something then get the NUA Attacker. This is an IBM program that calls telenet and then types in different NUA's ( you set the range ). It is basically a code hacker for Telenet. This can be found on DII (Data Infinity, Inc.) or most good p/h/a boards. HACKING UNIX Welcome to the basics of hacking Vax's and Unix. In this article, we discuss the unix system that runs on the various vax systems. If you are on another unix-type system, some commands may differ, but since it is licensed to bell, they can't make many changes. Hacking onto a unix system is very difficult, and in this case, we advise having an inside source, if possible. The reason it is difficult to hack a vax is this: Many vax, after you get a carrier from them, respond=> Login: They give you no chance to see what the login name format is. Most commonly used are single words, under 8digits, usually the person's name. There is a way around this: Most vax have an acct. called 'suggest' for people to use to make a suggestion to the system root terminal. This is usually watched by the system operator, but at late he is probably at home sleeping. So we can write a program to send at the vax this type of a message: A screen freeze (Ctrl-s), screen clear (system dependant), about 255 garbage characters, and then a command to create a login acct., after which you clear the screen again, then un- freeze the terminal. What this does: When the terminal is frozen, it keeps a buffer of what is sent. well, the buffer is about 127 characters long. so you overflow it with trash, and then you send a command line to create an acct. (System dependant). after this you clear the buffer and screen again, then unfreeze the terminal. This is a bad way to do it, and it is much nicer if you just send a command to the terminal to shut the system down, or whatever you are after... There is always, *Always* an acct. called root, the most powerful acct. to be on, since it has all of the system files on it. If you hack your way onto this one, then everything is easy from here on... On the unix system, the abort key is the Ctrl-d key. watch how many times you hit this, since it is also a way to log off the system! A little about unix architecture: The root directory, called root, is where the system resides. After this come a few 'sub' root directories, usually to group things (stats here, priv stuff here, the user log here...). Under this comes the superuser (the operator of the system), and then finally the normal users. In the unix 'Shell' everything is treated the same. By this we mean: You can access a program the same way you access a user directory, and so on. The way the unix system was written, everything, users included, are just programs belonging to the root directory. Those of you who hacked onto the root, smile, since you can screw everything... the main level (exec level) prompt on the unix system is the $, and if you are on the root, you have a # (super- user prompt). Ok, a few basics for the system... To see where you are, and what paths are active in regards to your user account, then type > pwd This shows your acct. separated by a slash with another pathname (acct.), possibly many times. To connect through to another path, or many paths, you would type: You=> path1/path2/path3 and then you are connected all the way from path1 to path3. You can run the programs on all the paths you are connected to. If it does not allow you to connect to a path, then you have insufficient privs, or the path is closed and archived onto tape. You can run programs this way also: you=> path1/path2/path3/program-name unix treats everything as a program, and thus there a few commands to learn... To see what you have access to in the end path, type=> ls -- for list. this show the programs you can run. You can connect to the root directory and run it's programs with=> /root By the way, most unix systems have their log file on the root, so you can set up a watch on the file, waiting for people to log in and snatch their password as it passes thru the file. To connect to a directory, use the command: => cd pathname this allows you to do what you want with that directory. You may be asked for a password, but this is a good way of finding other user names to hack onto. The wildcard character in unix, if you want to search down a path for a game or such, is the *. => ls /* Should show you what you can access. The file types are the same as they are on a dec, so refer to that section when examining file. To see what is in a file, use the => pr filename command, for print file. We advise playing with pathnames to get the hang of the concept. There is on-line help available on most systems with a 'help' or a '?'. We advise you look thru the help files and pay attention to anything they give you on pathnames, or the commands for the system. You can, as a user, create or destroy directories on the tree beneath you. This means that root can kill every- thing but root, and you can kill any that are below you. These are the => mkdir pathname => rmdir pathname commands. Once again, you are not alone on the system... type=> who to see what other users are logged in to the system at the time. If you want to talk to them=> write username Will allow you to chat at the same time, without having to worry about the parser. To send mail to a user, say => mail And enter the mail sub-system. To send a message to all the users on the system, say => wall which stands for 'write all' By the way, on a few systems, all you have to do is hit the key to end the message, but on others you must hit the ctrl-d key. To send a single message to a user, say => write username this is very handy again! If you send the sequence of characters discussed at the very beginning of this article, you can have the super-user terminal do tricks for you again. Privs: If you want super-user privs, you can either log in as root, or edit your acct. so it can say => su this now gives you the # prompt, and allows you to completely by-pass the protection. The wonderful security conscious developers at bell made it very difficult to do much without privs, but once you have them, there is absolutely nothing stopping you from doing anything you want to. To bring down a unix system: => chdir /bin => rm * this wipes out the pathname bin, where all the system maintenance files are. Or try: => r -r This recursively removes everything from the system except the remove command itself. Or try: => kill -1,1 => sync This wipes out the system devices from operation. When you are finally sick and tired from hacking on the vax systems, just hit your ctrl-d and repeat key, and you will eventually be logged out. The reason this file seems to be very sketchy is the fact that bell has 7 licensed versions of unix out in the public domain, and these commands are those common to all of them. We recommend you hack onto the root or bin directory, since they have the highest levels of privs, and there is really not much you can do (except develop software) without them. Primenet Well, we've all heard of Unix and Vax systems. We hear a little bit now and then about Cyber or Tops systems, but what is Prime? Well, prime is a system made by Primos which has a set-up something like DOS. Prime is arguably not as powerful as a Vax or Unix system, but it is more user friendly (I feel) than either of them. Now, you may say to yourself "Great, why should I even learn about prime if nobody uses it". Well there are many people who use it (just not as many as Unix of Vax), but the real reason I wrote this is because a good percentage of the systems found on Telenet are prime. Since I have already wrote a telenet G-Phile (which is very good ), I thought I'd follow it up with a primos text phile since there are so many. Also, there are no really good primenet hacking philes (except for a good one in a LOD/H journal and in a Phrack issue which I forget) that cover everything. First of all find a prime system. This can be done by going on Telenet and just scanning or picking-up the LOD/H journal #4 which has a great NUA list (or any NUA list for that matter). You can also check at your local university for one. Ok, first I tell you the way to identify a prime system. It should be easy because almost all prime systems have a system header that looks something like... PRIMENET 22.1.1.R27 SWWCR This means that this is a primenet version 22.1.1. If for some reason you get VERY lucky and find a version 18.xx or lower then you're in. See, most version 18's and lower have either no password (So you enter System for the ID which is the sysop), or if they do have a password then all you have to do is hit a few ^C (Control C for the beginner) for the password. Some prime systems just sit still when you connect. On these try typing like 'hi'. If its a prime you will get a message like... Now, in order to logon to a prime system you must type "Login " or just "Login". If you type in "Login" then it will just ask you for your username anyway. Now, here is the hardest part of hacking. You must get a working password. Primes are hard to hack since they don't have any default passwords. Here is a list that I have compiled ..... (passwords same as Username!) �����������������������������ͻ � Username � Password � �����������������������������͹ � Prime � Prime � � System � System � � Primos � Primos � � Admin � Admin � � rje � rje � � Demo � Demo � � Guest � Guest � � Games � Games � � Netman � Netman � � Telenet � Telenet � � Tools � Tools � � Dos � Dos � � Prirun � Prirun � � Help � Help � � Test � Test � � Netlink � Netlink � �����������������������������ͼ Not all these passwords and names are guaranteed to work. If none of them work then try to mix-up the usernames and the passwords. Hopefully you have now gotten into the system and get the "OK," prompt. OK, so now you're in. If you have gotten in then that is a big step in itself and I congratulate you. So, now you have the prompt "OK," or something like that. This is the command prompt, if you enter a bad command it may look different such as "ERR," or soething like that. This is nothing to worry about just an error message. Ok, first I'm going to run down some basic commands. First of all we must understand how primos is set-up. The primos set-up is very much like MS-DOS There are separate directories each with files and more directories in them . It is pretty easy to navigate, so i will just give you the commands and then explain what to do with them.... LD shows the contents of the current directory you're in. Attach attaches (move) to another directory. Delete deletes a file or directory. ED text editor to edit/create text. Logout logs-off Netlink enters the netlink section. Slist lists the contents (text) of a file CPL runs a .CPL program Users lists the amount of users on the system. Status Users gets the names, numbers and locations of the users on line. Help gets a list of the commands. Help gets help with a command Ok, those should be enough for the time being. Now, lets start by doing a 'LD' (anything in single quotes means to type it). The name of the directory you're in right now should be the same as your user name. There may be a few files in here so to see the contents of the files type 'SLIST '. Now, lets do an 'Attach MFD'. This is the "Main File Directory" where most of the major files and directories are found. So now we will do another "LD" and look at all the directories and files. Ok, now to start the hacking. This method works with most primes, but not all so don't be to discouraged if it doesn't work. Ok, first of all you probably noticed that when you first started-out the directory you were in had the same name as your username (id). This is a very important lesson. The reason this is important is because now you can probably figure-out that *The name of every directory is also the name of a user* (NOTE: This is true for all directories, EXCEPT ones with an asterix '*' by their name). This means 2 things, first of all it means that you can basically find a fair amount of usernames from the mfd directory and the odds are that a few of them will have the same password as the name (This is an important lesson in hacking, whenever you're on any kind of system et a user list and then just go through the list, using the username as the password and you should get a few accounts at least) Secondly it means that you can access a certain users "private" directory. What this means is that a lot of the usernames of actually people may not be in the MFD directory. This means that once you find out a username you can then simply say "attach " and your in their directory. So, now knowing that we will do a 'Status Users'. This will give you a list somewhat like this: User Number Device Guest 14 System 1 Hacker 81 Sysmaint 19 (phantom) From this list we can get all the usernames/directories of the users on-line and start snooping. It is usually not ood to be on when there are a lot of people on since a Sysop might notice that you shouldn't be on at that time or something. You may notice that the last one (Sysmaint) has the word Phantom by it. This means that it is just a program that is doing house keeping stuff. Its nothing to worry about. The devices are merely like a tree in other software (UNIX/VAX), if there are 2 devices then it means that the user is either interacting with another system or has logged-off incorrectly. So, now we have some usernames / directories to look at (and to try as passwords for the same username). Now first of all we want to go back to the MFD directory and look for a directory that is something like UTIL, Utilities, CCUTIL or whatever. This part is very site dependant so just try any thing that looks like a util. Now attach to that directory which is 'Attach Util' (assuming the name is Util). Now we get to another important part of Primenet. The different file formats..... FileSuffix How to execute/Description ����������������������������������������ͻ � .CPL � CPL/Language � � .SAVE � SAVE � � .SEG � SEG � � .TXT � SLIST � ����������������������������������������ͼ This list shows you the different file suffixes you'll see. Every file will be followed by a suffix. If it is not then you can assume its text. The only suffix we want to worry about now is the CPL suffix. CPL (Command Procedure Language) is the primos "programming language". So you can assume that anything with a .CPL suffix is some type of program. Most often you will find simple programs which tell the date, some "menus" that people programmed in CPL to navigate the system easier, and then their own misc CPL files. To run a CPL file you type 'CPL ' (the pathname is simply the file name). Now, since CPL is a language it's programs must some how be written. This means that by doing a SLIST on a .CPL file will display the contents & source code of the .CPL file. Ok, so back to the hacking. So we're in the Util's library (or whatever the name of the directory is). Ok, now do an 'LD' to see the contents and look for any .CPL files. Lets say there's a CPL file named "CleanUp.CPL". Now you'd type 'SLIST CleanUp.CPL', this will display the source code of the CleanUp program. Now, you will get a lot of trash but in it somewhere look for a line that is something like... A UTIL KEWL � ^Password �Ĵ Directory name So, what does this mean you ask?? Well first off we will remember that every Directory (except for ones with stars by them) is a username which you can log-on with. So this means that the password for the username Util is KEWL !!! If you have found a line like this then congratulate yourself..you have SYS1 access. Just in case you don't really understand, lets say that there was a directory's name was COUNT, and the password was ZER0. Now, if you got lucky and were on a system where this works then you'd see a line like... A COUNT ZER0 Another way to find out directory/usernames is by using the 'List_Access' command. This shows the different directories that the current directory has access to. This will look something like... ACL "). Because of this you will find *MANY* directories with ALL access. I have found many directories of people who have SYS1 access, with ALL access. Most of the other people will have LUR access. This is still very sufficient for your needs, since U can still read files. Since I want to be slightly kind I will discuss how to change access on directories, for the people who have legit prime accounts. If you have a hacked account then there should be no reason for you to change access on a directory, first of all you will be detected in a second, and second of all its not permanent at all and can't be used to crash the board. First of all the command to create a directory is 'Create [-password] [-access]'. So in other words if I wanted to create a mail directory with the password of HACK and LUR access hen I'd type. Create Mail [-HACK] [-LUR] The command for changing access on a directory is... Set_Access ALL [-LUR] In this example we are changing a directories access to LUR (you can read but you can't edit) from ALL (everything). Since there is no real reason you would want anyone else changing your files I would suggest at least LUR access. If you are really worried then I would not even think twice about going to NONE access, its up to you. Although changing access is the most effective way to secure your directory, there are some people who would like others to read, or maybe even edit files in their directory. This is why I usually tell people to just make a password, this command has already been discussed.. That about wraps it up for their directory part of this file. This is the major an most important part. Now we get to the fun little features. �����������������������������������Ŀ �Creating Files and Writing Programs� ������������������������������������� Creating files are a very important part of hacking prime net. The main reason we want to create files is so we can take advantage of the CPL language. I have not learned the CPL language well enough so I really can't explain much about it. I'm still looking for technical manuals. The easiest way to learn it is by just looking at all the .CPL files. Once we learn the CPL language we can simply add commands to create us new accounts to house keeping programs. The reason we would want to do this is because when it is run by the admin, or any user with high enough access it will run these embedded commands and we will have a new account with unlimited access!! The way to create a file is by typing 'ED'. This will get you into the text editor. It should look something like.. INPUT This means you can type in what ever you want. So lets say you are making a file that, when run will type out 'Count_ZER0 is the ruler of heaven and earth', you would type... Type Count_ZER0 is the ruler of heaven and earth Now, you'd type just a alone and you'll get a line like... COMMAND This line varies a lot from system to system, but you'll get something to that affect. Here you would now type 'Save Count.CPL'. This would then save a program call Count.CPL in the directory and when you ran it (Discussed earlier) it would type 'Count_ZER0 is the ruler of heaven and earth' on the screen. The editor can also be used to write Basic, Fortran, C, and pascal files (use the 'Languages' command to see what languages it supports). All you do is write the program in the editor and then save it with the correct suffix. Then you run/compile the program. Since this file is much longer then I thought it would be I won't discuss it, but it can easily be found out about by using the 'HELP' command. Communicating With Other Users And Systems To send a message to another user On-Line you use the Message command. Lets say using the status command (discussed earlier) you found there was a user named JOE that you wanted to talk to. So you'd type .. Message JOE Hello, how are you ! This will send a message to him unless you get some message that says something like.. User Joe not accepting messages at this time. This means that he is not accepting messages (duhhhhhh), so you can try again later. You can also use the TALK command, which is self-explanatory. Just type 'TALK', and then follow the directions. Accessing Remote Systems The most exciting feature of primos (and this G-Phile), is primenet's ability to access remote systems. See, they call it primenet, because all primes are hooked-up to one big network. This network is much like a "mini-telenet". This can be used with the 'NETLINK' command. At a prompt, you must type 'NETLINK'. Then you will be thrown into the netlink system. There is a good On- Line help file which can be accessed with the 'HELP NETLINK' command. Basically you type NC xxxxxxx . Now, you can scan this like telenet and see what you come up with. The most exciting part of all this is that some primos systems on telenet let you enter telenet NUA's in the netlink system. This means that all those "Collect Connection" NUA's you can't call, can be accessed through primos *FOR FREE*. This means that you don't need to mess with NUI's anymore (see my hacking telenet part 1 file). Now comes the part that will bring me fame in the hacking community, fame to �egions f �ucifer, and anyone who knows me............. The 'ANET' command Yes, this is the first time this command has every been "published" is a G-phile. The way I came about this command was one day I was hacking around and I saw this lady's directory with LUR access. So I looked at the files, and surprisingly there was a file that was a *BUFFER* of her logging on to remote systems (yes the password was there!!). I was very surprised to see that she used a command like 'anet -8887613' to access the remote system, instead of netlink. This is a beautiful example of how you can do a lot even if the directory isn't ALL access, anyway heres the good part...... What the anet command does is dial a phone number out from the primos and connects to it!! Yes, this is like a code (but used for data communications of course). I'm still hacking the command, but basically you just type 'anet - ' and you have it. I have only tried it on this one system which is Primos version 22.1. This is a very exciting command, so if you find any more things about it please contact me. HACKING DECs Welcome to basics of hacking: DECs. In this article you will learn how to log in to dec's, logging out, and all the fun stuff to do in-between. All of this information is based on a standard dec system. Since there are dec system s 10 and 20, and we favor, the dec 20, there will be more info on them in this article. It just so happens that the dec 20 is also the more common of the two, and is used by much more interesting people (if you know what we mean...) Ok , the first thing you want to do when you are receiving carrier from a dec system is to find out the format of login names. You can do this by looking at who is on the system. Dec=> @ (the 'exec' level prompt) you=> sy sy is short for sy(stat) and shows you the system status. You should see the format of login names... A systat usually comes up in this form: job line program user job: the job number (not important unless you want to log them off later) line: what line they are on (used to talk to them...) These are both two or three digit numbers. Program: what program are they running under? If it says 'exec' they aren't doing anything at all... User: ahhhahhhh! This is the user name they are logged in under... Copy the format, and hack yourself out a working code... Login format is as such: dec=> @ you=> login username pass word username is the username in the format you saw above in the systat. After you hit the space after your username, it will stop echoing characters back to your screen. This is the password you are typing in... Remember , people usually use their name, their dog's name, the name of a favorite character in a book, or something like this. A few clever people have it setto a key cluster (qwerty or asdfg). Pw's can be from 1 to 8 characters long, anything after that is ignored. You are finally in... It would be nice to have a little help, wouldn't it? CRASHING BBSs Fundamentals: 1) Never use YOUR account.. always go under JOHN DOE or some lamer's password you figured out. 2) Never brag. It gets you in trouble. Tell some dudes in your group or whatever but don't go posting on BBSs that you did it unless the sysop doesn't really care (usually elite sysops don't) 3) Always format. If you get in to dos, don't take the risk, format the thing with out a boot sector. If you are going to JUST use the format command be sure to corrupt and rename ALL the files that might have records in them of you in his dos (in case of a unformat command). Try low level formatting. De command: g=c800:5 that calls up the low level format program. 4) Never mess with a narc/fed. There ARE police boards and the like and it just isn't worth it to mess with them. Don't be stupid. 5) Have class. The biggest thing to bear in mind is to do a good job, or no job. If you really don't hate him, once you get into his dos just add a line to his autoexec.bat file to show you got in. Otherwise format it. 6) Don't call back. You never know if he was keeping double logs in a hidden directory or some thing like that. Just be damn sure never to call back and NEVER leave a number. 7) Never delete. Never delete log files, always corrupt them by ripping a few lines out with edlin and then rename them and delete them. This, hopefully, will solve the undelete problem. Another good thing to do is to start madly undoing zip files after you delete something. This will also help the undelete dilemma. SLBBS: The first thing you should do when in dos is to run config and find out what his activity log file name is and where his data files REALLY are. Use edlin or something and totally screw them over so they are screwed and them rename them and delete them. The most important ones are ACTIVITY.LOG, SYSTEM.BBS, INDEX.BBS, LOG.BBS Most of these files can be used to figure out who you are. Another wise thing to do is to look in his EVENT.DEF file and see if he copies the files to a backup directory. Check all batch files that the sysop may run out of EVENT.DEF. They also might have backup in them. I, being the clever thing I am, back up my logs to a tape backup after every call. Many sysops use Return to dos after logoff and a program called GODOS to run a batch after every call. Check his config to see if go to dos after logoff is set to yes. If so look for batch files or com files that look like they may be run to start the bbs. If he has a tape backup you have to find his tape software and run it (the directory name will be in his EVENT.DEF file if he backs up regularly). Once you are in the tape software you have to format the tape, however this will take a LOOOOOONG time (1 to 2 hours) so you may want to do that last. You want to do pretty much the same thing but the *.BBS files will be *.SL2. Pretty easy. After Shock 1.23: After Shock is kind of annoying. The best thing to do is to run his config program t find out what his directories REALLY are and then delete everything in his board and after shock main directory. Remember to look at his RUN.BAT or what ever he uses to run the bbs with, he may be keeping backups. There is also a config option of what batch file to run every night. That also may have back up info in it. Telegard: All the data files will probably be in the main bbs directory or the GOFILES directory (check config for sure). Get rid of these and that will be about it. Forum Hacks: A lot of BBS programs have been written by altering the source code of TG or another BBS program. The best thing to do with these is to run the config programs and find the REAL directory names then mess them up and delete everything in them. CRASHING BBS's PART TWO Table of Contents: Section I : Crashing Emulex/2 & Forum Hacks a: Emulex/2 b: Forum Hacks Section II: Crashing WWIV & Telegard a: WWIV b: Telegard Section Ia: Emulex/2 We'll start with one of the most known BBS softwares. Emulex/2. As you all know, I, Tripin Face, stole the source code of Emulex/2 last year from one of the programmers. Broke into his house and grabbed a few diskettes and it just so happens that one of the disks contained the source code to Emulex/2!! Here are a few ways to access into Emulex/2 (or any Forum Clone for that matter.. a list of Forum Clones will be shown later.) When you get connected at the Matrix Menu, hack User ID #1. Of course, its the Sysop Account. Always try the Password "Sysop", some Sysops are SOO lame, you wouldn't believe it. If that doesn't work, try anything that goes with the Sysop's handle... But for the really stupid Sysops, the best way, is to get one of his Passwords from another board and try that. Some lusers might use the same Password. Also, if you don't hack the correct password, don't hang up, wait for it to hang you up. Sometimes the board hangup strings gets screwed and it doesn't get rid of you, but lets you on the board with the account of the user you attempted to hack! Ok, lets say you have a Sysop account. now, the best thing to do is get a file on the board called "USERS." Now, with Emulex/2, thanks to me, you can't add users, so what you have to do is user edit each user by hand, and the view their passwords and make sure you capture all of it. Now, lets get to the crashing part. Hehehehe. Open a door,("P" from the Main Menu and then "%" for Sysop Commands) and put any file for it, the board will create any file you ask it to make. Now in the door batch file, you must have the following commands: Ctty comX command Now, comX, is the com port the bbs is set at. Now, if you know the sysop is using com2, then put com2. DUH!!!. (Replace the "X" with the Com Port #) Now this door should let you go to their DOS, and the rest is easy. FORMAT ME PLEASE!. Or, run a virus or a trojan.. Even a baby can do that.. If you can get an account, but has no Sysop access. you can do many things. An easy way is upload a file called "USERS. " with the following DSZ commands: DSZ sz -fs \\ make sure you are in the DIR you want to upload to. What this does is upload a file anywhere on the HD you want. Now, before you do this you must edit the users file and change the sysops password to anything you want and then you can enter it and get on as him! This way, you can crash the board but you don't need to get all the users passwords. Also, a way to do this and get all the users passwords is get the BBS software's config, and the change the co-sysop level to like Level 1 or something and then you can call with your account and have sysop access. I found that the best way to crash a board... Now, with old Emulex/2 there was a command for Net-Mail which was .. Shift 1 thru shift 0 ..like this -> !@#$%^&*() ..and with this command, the board will receive any file. So you can use the DSZ on it. Works good, but with the new Emulex/2 you set the Net-Mail command from the config. Right now, in the new Emulex/2 there are only a few backdoors. Sam Brown didn't want to add any more. Why, I don't know. I think Emulex/2 has a upload a message command, you can also use the DSZ command with that too. I am not sure though.. A good way to hang a Emulex/2 board is go to the Database Area, if there isn't one, keep on hitting "D", after a few times the board will get screwed, you wont be able to tell unless you go the file area, and it will say something like I/O errors, etc... then upload and upload, and in the middle of the third or fourth upload hang up, turn off the modem or pull the phone line out of the wall, so it will hang on in the middle of the transfer. Another way to hang Emulex/2 is by doing this: post a message, and then edit a line, and insert a new line, but keep on hitting anything until it gets to the last line. Then hang up, or try to save. It should of hung, to make sure the hanging was cool, call the board back and see. Section Ib: Forum Clones Now lets get to other software... Well, all FORUM CLONES are the same.. so all commands for Em/2 should and will work for all the of the following BBS Softwares: Emulex/2 LSD Celerity FCP all version AfterShock Monarch Monarch/2 TCS 1 and 2 Havok Forum Plus ACS UCI/Forum Ghost Ship/2 USSR Magnum TCS/Cobra Silicosis Section IIa: WWIV BBS's 1) Hacking into WWIV - The Utilities Needed. PkZip/PkUnZip Zmodem (Or Any Other Protocol) An Account at the WWIV BBS you wish to Crash. A Terminal Program 2) Hacking into WWIV - First Steps First of all, you might want to make a separate directory for all of these files you're about to make. Although there won't be that many total, it might still be a good idea. But if you're like normal people (Messy), like me, just put it wherever. Ok, Here's what you do. Make a text file called PKUNZIP.BAT from your DOS, and put the line: command in it. This is done like this: C:\HACKBBS> copy con pkunzip.bat command ^Z (Press Ctrl-Z, Then Enter, and the file will save) Second, go ahead and zip the file. Make it any filename you want as long as it's not something too obvious (like TEMP.ZIP). You can zip up the file with PKZIP.EXE. This is done like this: PKZIP [zipfile] [athname\filename.ext] - or in other words: PKZIP temp.zip pkunzip.bat This will make a file called TEMP.ZIP with the file pkunzip.bat in it. Go ahead and delete pkunzip.bat now, you won't need it anymore. Now you've got the file temp.zip (or whatever you called it). Go ahead and logon to your favorite WWIV BBS. Hacking into WWIV - The Way To Do It. Go ahead and logon with your name and password, etc. Go to the File section, and upload your file to any directory. Now there is a temp file there. hit 'E' from the Transfer Menu in the current directory that temp.zip is it, and when it asks what file to extract, enter temp.zip as the filename. You'll get something to the effect of: Extract which file? (?=list, *=All files): Hit '*'. What this just did is make a pkunzip in the current working DOS directory. You'll be at the: Extract which file? (?=list, *=All Files): Hot the asterix (*) again. Congratulations! You made it into the Sysops DOS! (If not, the sysop is smarter than you think, and he's protected himself against some little hackers like yourself!) Not much you can do if you didn't make it here. Hacking into WWIV - What to do while in DOS. You'll be in the path of \WWIV\TEMP>, Immediately type this in: C:\WWIV\TEMP> cd ..\files C:\WWIV\FILES> del *.log - This deletes the log of what you did. C:\WWIV\FILES> del laston.txt - this deletes the list of users who were on today. Now, you're into his/her DOS. Since dos interrupts are currently ON, You can type anything anywhere. You can type del *.* and get the Are you sure? (Y/N) sign, and from there, you CAN hit 'Y'. Or you can do it the other way, and just type echo y|del *.*. From here you got his userlist and some other fun stuff, which is located in C:\WWIV\DATA. You can go there by typing cd..\data. once there, do this: C:\WWIV\DATA> type user.lst and you'll find the Sysops Phone Number and password right next to each other. Write those down. Next, type cd.. and you'll be in C:\WWIV>. From there, type the file status.dat, and the first legible text you can find will be the System Password, so if you just want to scare the living hell out of him, just type exit from there and you'll come back to the BBS, with the Sysops Name, Pass, Phone Number and System Password. You can now logon under the Sysop and do all the cool stuff like go into UEDIT and give yourself like 254sl and DSL, etc. Hacking into WWIV - Alternatives Instead of the PKUNZIP.BAT file in the TEMP.ZIP file, go ahead and put your favorite Virus/Trojan in there, and follow the same exact steps, except this time skip the DOS part. The Virus should spread from there, and a trojan will work immediately. Hanging WWIV - The easiest thing to do in the world. Just make a plain and simple text file, and in it include an ANSI code. Not just any ANSI Code, it's gotta be an ANSI Code that is not a real part of ANSI. For example, (ESCAPE CODE)[349857m or something like that, anyway. Then just //UPLOAD it to a message base, and read it. When WWIV Doesn't intercept the correct ANSI Codes, it doesn't know what to do, so it'll just hang itself there 'till the System Operator comes and resets the flippin' computer. Hang up from there, and well, it'll be down. Section IIb: Telegard BBSs All right, Swabbies. Here's a way to hack into Telegard (One of the easiest to hack into - Next to WWIV). There's a catch to this system, tho. There's got to be an Archive Menu from the File Area. Most new Telegard systems will have one, it comes stock into it. But the Sysop (Probably not if the Sysop is a new Sysop) may take it out. So, if he's got it, you're in luck. It's basically the same idea, Just follow these rules and other guidelines, etc., and you'll soon become a better crasher than you know ... Hacking into Telegard's DOS - Things Needed Latest PkZip Utilities (c) PKWare Terminal, Modem, Computer, etc. A little knowledge of the use of DOS, And a text file like this. Hacking into Telegard's DOS - Steps 1) Logging on. 2) Finding your way. 3) Uploading/Extracting the File 4) What to do while in DOS. First of all, You've got to establish an account with the so- called 'friendly BBS' that you want to crash. It's probably a good idea to logon with a fake account, fake information, etc., to protect yourself. Once you've logged on, try and talk to th Sysop there. Try to social engineer your way into him validating you with the highest possible access you can get. Be nice, offer him stuff, basically, KISS HIS ASS. If he insists on Voice Validating you, ask him just to pick up a phone at his end, and you do the same (Pick up your phone), and you'll already be connected so there should be no numbers dialing, and this will obviously protect you. Make the PKUNZIP.BAT file from DOS, by typing in this: copy con pkunzip.bat command ^Z Go and zip the file up, call it something that sounds catchy, so it doesn't look too inconspicuous, use the line: pkzip myfile.zip pkunzip.bat Now you have a myfile.zip with pkunzip.bat inside of it. There's a way to get into the Telegard's File System, although you may not haveaccess to it, you'll eventually get it if you kiss the Sysop's ass for awhile. It's usually 'F' or 'T' from the main menu. Once you're in there, upload a file to wherever it tells you to, and if there's no certain directory, don't worry about it. Just upload it. After you finish uploading the file, it will kick you out to the transfer menu again. The Archive menu from there is usually either '/A' or just 'A'. From there, you will most likely get a prompt that is similar to the Transfer prompt, (most likely containing the Area and Area Number that you are currently in). Hit 'X' from there (Remember: Telegard has the ability to change Command Letters, so if 'X' doesn't work, punch in a '?' and look for Extract File). Extract the myfile.zip, obviously extract *.*. If it kicks you back out, or whatever, just go back into the menu and do the same thing over again. Extract *.*, And this time it will run Pkunzip.bat, which contains COMMAND.COM inside of it, and you'll have full access to this guys DOS. Now that you're in DOS, you'll be in the area C:\BBS\TEMP>. From there, type in 'cd ..\files'. Then 'del *.log', 'del *.txt', then do the same thing in the Afiles Directory. Here's a type of basic structure that Telegard uses. (Assuming the main dir is BBS): BBS FILES AFILES TFILES TEMP 1 2 3 DLS TRAP This is the basic format, del ALL *.log files from all of these areas (The Sysop logs are kept in C:\BBS\TRAP>) You've now gotten rid of all proof that you were ever on. Once in there, just do whatever you'd like to do. Delete everything, run a few Virii, execute a few trojans, give his computer herpes, or whatever. You can simply exit by typing 'exit'. Another way is to upload a Game or some file (Sysops never check the zip file to see what is in it..) Make one of the files 'PKZIP.COM' or 'PKZIP.EXE' *.COM is better because DOS runs COM files before EXE files. Anyway, upload a PKZIP.COM that is a trojan or a virus, or even COMMAND.COM (That will get you into DOS) and after you upload it check and see if the file is 'Auto-Validated' if it isn't then you have to wait until the Sysop Validates it.. otherwise if it is Validated then type "/A" from the File Menu and then type "X" or "E" for Extract ZIP File.. then it prompts you for the Zip File, enter in the Fle you uploaded. Then it will ask you what files to extract, just say all or just the PKZIP file.. When it extracts it, type "Q" then type "W" for Work on Archive.. Then you are at the 'Work on Archive Menu'. Type "A" for Add to Archive, it will then proceed to ask you for a Archive Name,... type in something like 'HACK.ZIP' or anything for that matter. It will ask you for the files you want in the ZIP file, just do '*.*'. Then it will ask you if you want to do it or add more files, type "D" for 'Do It'. It will then run your "PKZIP.EXE" or "PKZIP.COM"!!! Easy enough?? There are a bunch of great files you can find in someone else's HD, try going to the Sysop Dir. (C:\BBS\DLS\SYSOP) or just go to all the Directories right off the root directory. After you are done having fun, take his/her USER.LST & STATUS.DAT and you will have FOREVER Access.. or just wipe out his drive! There are many more ways to access Telegard DOS and have the System run what you upload, but I will not get into that, I will leave some ways open for me, Captain Swashbuckler, to crash those Telegard Boards! CREDIT BUREAUS Part One: What Is Credit Bureau, Incorporated? As many of you know, CBI is a credit reporting agency, or credit bureau. It keeps the credit history of millions of Americans on file. Our friends at CBI have been kind enough to make this information available to the public for a moderate annual fee. If you are cheap, or if you just want to learn how to hack CBI, "you have come to the right place." Part Two: The CBI Account. A CBI account follows this general format: 3 Numbers, 2 Letters, 2-5 Numbers, a dash{-}, followed by a letter and a number. A sample might look like this: 123ab4567-a1. or: 123ab4567-a1,bc,d. Either way is acceptable. The `bc,d' is not necessary. Part Three: Connecting To CBI. When calling CBI, I suggest you use at least one outdial if you know for sure the account you have is valid. If you are going to be hacking accounts, use at least three outdials. I don't suggest calling direct, even if the dialup is local to you. If you don't know why, you don't deserve to be reading this text. CBI runs at either 300 baud, or that oh-so-technologically advanced 1200 baud. This means you will need a 300 or 1200 baud outdial for the NPA containing the CBI dialup. Make sure your terminal program is set at E-7-1. I also find it easier to work at half-duplex, because CBI does not echo a thing you type. So, if you connect with full-duplex, and don't see your account appearing on the screen, don't call your local P/H BBS and post twenty messages saying, "N0thInG i tYpE aPPeArS 0n tHe sCrEEn aT CbI!!!!!!!!!!!1!!1!1!!!!!!!!!!!!111!!!!!!!!!!!" (Note: the exorbitant amount of exclamation points is a sign of the loser's complete and utter idiocy.) Another thing I find useful is just to have my capture log running as I work. This saves you the trouble of having to write everything down, and it also serves as a good reference. Currently functioning CBI dialups are: *[201/984-6297] Newark, New Jersey *[503/226-1070] Portland, Oregon [612/341-0023] Minneapolis/St. Paul, Minnesota [713/591-8100] Houston, Texas *[804/466-1619] Norfolk, Virginia [916/635-3935] Sacramento, California The starred numbers I have not verified. Keep in mind some CBI accounts are only valid on certain dialups. They still serve any part of the country, you just can't use them on every dialup. I have found CBI accounts that work on more than one dialup, so it can't hurt for you to try. The worst thing you will get is a message saying it's NOT VALID ON THIS PHONE NUMBER or something. If you are hacking accounts and get this message, try the account that yields the message on different dialups. Maybe you'll "get lucky". CBI also has voice dialups. These numers are provided for those "Social Engineers" out there. I have not verified these. [201/842-7500] Newark, New Jersey (Equifax Credit Information Services) [617/932-8163] Boston, Massachusetts (CBI) Part Four: Applied Password Use: Pulling Info. Use is fairly straightforward. When you connect to CBI, hit Control-S (^S) twice, then () twice. You should get a message that reads: (ND)PLEASE SIGN-ON At this point you should enter the password. Make sure when you enter the password that you include a period at the end. This is very important; if you neglect to type the period, you won't get in. Type the password: "123ab456-a1." then hit CONTROL-S, and a . The ^S is the CBI "wakeup" command. CBI doesn't respond to regular s. If you ever think CBI should be doing something, and it has just frozen, hit ^S. Chances are this will solve the problem. Anyway, you will then get a message telling you to WC5E - PROCEED This is when the fun begins. You decide you want to know your next door neighbor's credit history. Here is what you do: NM-SMITH,ALAN,S. CA-157,MAPLE,ST,YUTZVILLE,NY,10011. ID-SSS-012-34-5678. ^S This is, of course, based on the assumption that your subject's name is "Alan S. Smith" and that he lives at 157 Maple Street in Yutzville, New York, 10011, and that his Social Security Number is 012-34-5678. Keep in mind, the ID-SSS line is not ecessary, but it is necessary if you are to distinguish between Alan S. Smith, Jr. and Alan S. Smith, Sr. Wait a moment. The report will pop up. You may want to hunt someone down from a Post Office Box. If this is the case, replace the above CA- line with this: CA-418#,POB,,YUTZVILLE,NY,10011. If you only have the subject's Social Security Number, type DTEC-012-34-5678. ^S This will give you a name and address to enter in the above format. Part Five: A Sample CBI Report. ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: S A M P L E C B I R E P O R T Note: All information in this report is fictional, including the ACCOUNT NOs and the BUS/ID CODEs. ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: *SMITH,ALAN,S SINCE 04/00/75 FAD 10/21/89 FN-700 157,MAPLE,ST,YUTZVILLE,NY,10011,TAPE RPTD 10/89 68,PENN,ST,NOWHERE,IA,50055 SEX-M,MAR-M,DEPS- 2,AGE-38,SSS-012-34-5678 01 ES-WALMART CORP 02 EF-MCDONALDS RESTAURANTS *SUM-01/85-01/91,PR/OI-NO,FB-NO, ACCTS:11,HC$6-1600, 3-ONES. *INQS-450DC81 02/24/89,178BB20089 02/06/89. * BUS/ID CODE RPTD OPND H/C TRMS BAL P/D RT 30/60/90+MR DLA/ACCOUNT NO 03 S*178BB34860 11/90 05/85 500 171 521 139 R5 01 01 01 66 1234567890123456 PREV HI RATES: R4 10/90, R3 09/90, R2 08/90 CLOSED ACCOUNT AMOUNT IN H/C COLUMN IS CREDIT LIMIT 04 I*178CD8712 10/90 03/89 123 123 123 O1 003/88 048286423 05 I*342IH34 10/90 12/85 1600 500 1600 R9 00 00 03 462642892 PREV HI RATES: R5 11/88, R5 10/88, R5 09/88 CHARGED OFF ACCOUNT AMOUNT IN H/C COLUMN IS CREDIT LIMIT 06 I*905PZ82 11/90 12/86 700 0 390 R9 00 00 00 16 3482684629331 PREV HI RATES: R9 03/89, R9 02/89, R9 01/89 CHARGED OFF ACCOUNT AMOUNT IN H/C COLUMN IS CREDIT LIMIT 07 U*178BQ282 10/90 01/85 231 231 R9 00 00 03 4560337134046711 PREV HI RATES: R5 04/90, R5 03/90, R4 02/90 CHARGED OFF ACCOUNT 08 I*956BB115 10/90 05/86 1100 0 R9 00 00 03 714827012 PREV HI RATES: R5 05/90, R5 04/90, R5 07/89 CLOED ACCOUNT 09 I*178AC10870 07/90 05/87 123 123 123 123 R9 38812604654 CHARGED OFF ACCOUNT 10 A*906OC69 01/90 10/87 0 O5 00 00 01 09 01/90 4906124373 PREV HI RATES: O5 04/89. COLLECTION ACCOUNT PAID-CREDIT LINE CLOSED 11 I*906OF259 12/89 11/87 6 6 6 O9 00 00 02 3724962236703 PREV HI RATES: O5 11/89, O5 10/89, O9 02/89 12 I*416DC1577 11/88 11/87 300 R1 00 00 00 12 32134882735921 SETTLEMENT ACCEPTED ON THIS ACCOUNT CHARGE 13 I*421DC4566 07/89 10/87 401 390 372 R9 00 00 01 18736847728634 PREV HI RATES: R9 02/89, R9 01/89, R5 12/88 CHARGED OFF ACCOUNT CHARGE & END OF REPORT CBI AND AFFILIATES - 01/30/91 SAFESCANNED ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: E N D S A M P L E C B I R E P O R T ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: S A M P L E D T E C R E P O R T ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: M1 OF 1 NM-SMITH,ALAN,S CA-157,MAPLE,ST,YUTZVILLE,NY,10011,10/89 FA-68,PENN,ST,NOWHERE,IA,50055 ES-WALMART CORP SS-012-34-5678 AGE 38& END OF REPORT CBI AND AFFILIATES - 01/30/91 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: E N D S A M P L E D T E C R E P O R T ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Part Six: Making Sense Out of All That. SMITH,ALAN,S - is the subject's last name, first name, and middle initial. SINCE 04/00/75 - I imagine this is how long they've had a file on the subject. (Since April, 1975). On the next line is his address- his current address is listed first, and his past addresses are listed underneath. SEX-M is pretty self explanatory. (It indicates he is a MALE.) MAR-M is the subject's marital status (single, married, widowed, divorced). DEPS- 2 is the number of dependents the subject has. A dependant is most often a son or daughter of the subject who is still under 21. SS-012-34-5678 is the subject's Social Security Number. ES- is the subject's current employer. EF- are his past employers, listed in order, from most recent to least recent. SUM-01/85-01/91 indicates that the report is a summary from January 1985 to January 1991. This really just tells you how far back in time the report covers. PR/OI-NO - Public Record/Other Information. This indicates whether or not the subject has been involved in any court cases (Public Record), and how those cases turned out (usually that is what Other Information is.) Obviously, the NO indicates the subject has not had any legal involvement during the period which the report covers. FB-NO - Firm/Business. I assume this signifies the subject is not a business. ACCTS:11,HC$6-1600 tells you that there are 11 entries listed below, and that the credit limit (or amount loaned, in the case of a loan) ranges from $6 to $1600. 3-ONES - This tells you the credit rating. The "3" indicates that there are 3 of the following type ("ONES" in this case). The more "ONES" a subject has, the better his rating. This particular person has a lousy credit rating. Out of 11 accounts, only 3 are ONES. There can also be TWOS, THREES, FOURS, et cetera, up through NINES. NINES are incredibly bad; the more of these the subject has, the worse his credit rating is. ZEROS indicate that the account was too new to be rated at the time the creditor last reported. INQS - This line tells what creditors have checked on the subject's credit. While interesting, it is more of a hassle than anything. You see, when YOU pull the subject's info, a little line will be added saying that your hacked account pulled the file. Now, this won't look funny until the subject reports fraudulent charging on his card. Then, CBI may check on who has pulled the guy's info. When they see that The First National Bank of Ethiopia has pulled his info, they will know something is up. They will probably call the First National Bank of Ethiopia and say, "Did you pull this guy's info?" And of course they'll say "No." Actually, I've made more out of this than it's worth. Anyway, the most recent credit check is listed first, and then it works backwards. It lists the ID CODE and the date the file was pulled. The next line contains the headings for the columns that fall under them. BUS/ID CODE is the CBI account (minus the password) of the creditor that holds the subject's credit card, loan, or whatever. In front of the actual ID CODE, there is a letter and an asterisk (*). The letter signifies what type of account it is. A - Authorized, C - Co-maker, I - Individual, J - Joint, S -Shared, T- Terminated, U - Undesignated. Consult your Local Library to find out what each type of account is. This isn't really relevant to what you are after. RPTD - The last time the creditor reported on the subject. OPND - tells when that account was opened. H/C - you will notice throughout the report that the "AMOUNT IN H/C COLUMN IS CREDIT LIMIT". On a loan, this column reports the amount loaned. TRMS - clarifies the terms of a loan. Usually in the case of a credit card, this column is blank. A "48M" in this column iiicates that the amount in the H/C column will be paid back over a period of 48 months, or four years. In such a case, the number in the MR column subtracted from the 48 will tell you how many more months the subject has to go before paying off that loan. BAL is an abbreviation for BALANCE OWING. This is how much of the credit limit (on a credit card) has been used, or how much of the loan has been paid back. On a credit card entry, the BAL subtracted from the H/C is how much the subject is authorized to spend. P/D- Past Due. Every month, a minimum amount of money is due on your credit card payment. This may be as little as 10% of the total amount due. Now, the credit card company would be damned happy to see you only pay the minimum amount, because then they can charge interest on every thing you owe. But, if you do not pay this minimum amount (say you pay $75 out of a $100 minimum), then $25 will be PAST DUE. It isn't good to owe money. RT - Rating. This column gives the credit rating for that particular account. An 'R' means the account is a revolving or option payment plan, an 'I' means it is an installment payment plan, and an 'O' means it is an open account. Consult your library for definitions. The number following it is the credit rating for that account. Remember, a '1' is good, and a '9' is really bad. The number of '1's here should match the number "X" in "X-ONES" on the first line. 30/60/90 - the number in the 30 column means that the subject has been between 30 and 59 days delinquent on his payment that many times. If a "2" is in the 60 column, this indicates that the subject has been between 60 and 89 days late with the minimum payment twice during the number of months in the MR column. A number in the 90 column would indicate that the minimum payment has been over 90 days past due "X" number of times. +MR - Months Reviewed. Indicates how many months have been reviewed. (Obviously.) Say you have a "1" in the 30 column, and a 49 in the MR column. This indicates that the subject has been 30-59 days late with the minimum payment in the past 49 months. It's not really too hard to understand. DLA/ACCOUNT NO - This column contains the credit card numbers. Visa and Mastercard both have 16 digits. American Express (Amex) hs 13 digits. DLA is the Date Last Activity. If there is a date in this column, it is NOT a credit card expiration date, it is telling you the last time that account was active. PREV HI RATES - This indicates the past ratings of the account on the date listed. Explanation of the DTEC report: "1 of 1" means that the first report of one is being listed. Remember, no two people have the same Social Security Numbers. NM is the subject's name. CA is the subject's current address. The date at the end of this line should match the most recent date on the address line in the subject's full report. The FA line lists former addresses. The ES line lists the subject's current employer. Following this is the subject's Social Security Number, which you must have already had to get the DTEC report. And lastly, the subject's age. Part Seven: Practical Use of CBI. You may have a question now, "Whose file do I pull?" You want to pull the file of someone who is rich. Usually Lawyers and Doctors will fit the bill. Look in the Yellow Pages under "Lawyers" and "Doctors" and find the names of some upper class bastards. You can use your local White Pages to cross-reference and get their home addresses. From here, you call CBI, and pull their file. Once you get the file, look in the DLA/ACCOUNT NO column. Find all the 13 and 16 digit numbers. 16 digit numbers starting with "4" are Visas. 16 digit numbers starting with "5" are Mastercards. 13 digit numbers starting with "37" are American Express. The first four digits of the card number signify the bank that issued the card. A list is supplied below, taken from the Narc Infofile #7, Update A. I have not done any work toward verifying these myself, either. VISA ---- 4428 Bank of Hoven 4128 Citibank CV 4271 Citibank PV 4929 Barclay Card CV (from England) 4040 Wells Fargo CV 4019 Bank of America CV 4024 Bank of America PV or CV 4019 Bank of America Gold (This card looks like a CV but without a CV after the expiration date) 4678 Home Federal 4726 Wells Fargo CV 4036 4561 4443 4833 4424 Security Pacific National Bank 4428 Choice Visa [Citibank(Maryland)]??? 4070 4735 4673 4044 4050 4226 Chase Manhattan Bank 4605 4923 4820 4048 CV 4121 Signet Bank CV 4368 Mastercard ---------- 5419 Bank of Hoven 5410 Wells Fargo 5412 Wells Fargo 5273 Bank of America Gold 5273 Bank of America 5254 Bank of America 5286 Home Federal 5031 Maryland Bank of North America 5326 5424 Citibank 5250 5417 5215 5204 5465 Chase Manhattan Bank 5411 5421 5329 Maryland Bank of North 5308 5217 5415 5291 Signet Bank American Express ---------------- 3728 GOLD 3713 Regular 3732 Regular 3737 3782 Small Corporate Card 3731 3724 3742 3727 3787 Small Corporate Card 3726 3766 3734 3749 3763 3710 3718 3720 3739 At this point, your rendezvous with CBI is complete. Write the credit card number you obtained, and the subject's basic info in your notebook. Destroy the CBI report you have- there's no need to have evidence sitting around. Part Eight: Getting the CBI account. Okay kids, here's the hard part. Actually, it's not very hard at all. Just time consuming. First, you have to find an ID CODE. You know, the part of the account BEFORE the dash. Remember, the part following the dash is the password. To get the ID CODE, go trashing at a car dealership. You should find some printed out reports. On these reports (they should look like what I supplied above), you will find the "usernames" in the BUS/ID CODE column, and in the INQS line. All you have to add to this ID CODE is the password (obviously). Remember, the password is a letter and a number. So, say your ID CODE is 123ab4567. When CBI asks you to PLEASE SIGN ON, you begin hacking. Two common passwords are -c2 and -c3. So, the first two things you try to enter should be "123ab4567-c2. ^S " and "123ab4567-c3. ^S ". If neither of these work, start at "123ab4567-a1." and work to "123ab4567- z9." If I don't find something by the time I get hrough -d9, I will usually pick another ID CODE and start over. You can do it however you like. The lazy way to do this is hang around on QSD with the sex freaks and see if you can find someone who will trade with you. Chances are you'll get screwed, because almost everyone there is a leech. They'll either give you something fake, or nothing at all. If you want to trade, there are more trustworthy and knowledgeable people on Lucifer. Part Nine: ID CODEs. This section is a list of ID CODEs for you to hack on. This list is taken from The Ghost's file on CBI, because I am too lazy to make up my own list. 426DC33 465IG14 444BB7072 906ON259 906ON267 906BB5130 458ON2792 906BB206 444FP289 882AN137 444FS1399 843BB342 404BB539 404DC21 496ON747 496BB82 404CG94 426DC1577 401BB4880 872BB213 444FS1381 728B10420 905BB587 496ON598 426BB756 426BB3859 444BB3469 444BB3626 444BB5605 444FP2137 906FA26 906BB115 906BB40 906FM6418 447FS844 906BB289 496ON291 901BB5101 906FM6335 496ON218 458ON3022 402RE30375 426CG544 872BB31 872BB205 444BB143 444BB6173 444FM11838 458ON3014 155ON44 905ON1497 444ZB361 496ON648 444BB5654 496BB587 906CG2913 444BB5704 416FM2092 444BB465 444BB5282 444BB5308 444BB5290 404FF262 906FF278 906FF260 404FF1039 404FF825 906FF252 426DC561 181FS320 444FA483 906FA34 163DC2280 444BB2719 163BB17526 404HZ141 444AN1082 444ZB00577 906DC185 444DC10639 906DC193 444JA591 906DC151 444DC49 405BB280 801ON119 801BB2942 496BB74 496FM271 426BB238 426BB541 426BB1895 426BB2406 444BB804 444BB3253 444BB9466 906OC99 404BB3483 444BB1315 444FM12285 805BB2492 906DC656 444FA848 444BB6173 444BB1869 444YC1311 444BB6363 444BB6496 444BB564 444BB3436 444BB952 891BB186 496ON44 444AN2452 444CS315 906DC29 444DC510 905DC3081 180BB19097 444CG377 496FZ45 404TZ19 444AN4177 906DM10 403DC1426 496DC319 496DC20 444KI54 606OC10587 414BB917 906FA67 444FA814 444BB5035 444BB9466 444BB978 444BB2248 444BB1182 444BB4491 444ON366 444ON200 444ON358 444ON341 404HF375 444AN4491 496FS380 404BB182 155ON85 163BB19418 444ZB668 801ON1182 444BB2958 444BB1331 465ZB134 I haven't collected these myself, so I don't know if they all are valid. File grabbing on large systems Definitions: Salami......Program that takes a selected amount of money from a group of specified accounts and deposits it into another account. Trojan......Program that does one honest function but meanwhile caries out a series of secret commands. Say you are working for a company that uses a large central computer network that is slightly old. You want to get at the accounts file to make your self a salami. Most old systems have two pointers at the head of the file, a write access and a read access. The write means you can edit and delete the file while the copy mean you can only run and copy the file. Your goal is to gain write access to the accounts file. The best form of action would be to take a program everybody has read access to (data base, spreadsheet, whatever) and make a trojan out of it. Probably the spreadsheet would be the best idea since the accountant must use it a lot. The first problem you are going to have is that you are only going to have read access to the spreadsheet program because all you need to do is run it. (Business policy is to give no more access than is needed.) So you make a file and give your self read and write access to it. Then simply copy the spreadsheet file into your file. You can now edit the spreadsheet and add a feature to it (diagonal adding or something make it VERY attractive). Then you add a little trojan to the program that copies the accounts file to a file in your directory, then copies another file from your directory in place of the true accounts fie. You then give the spreadsheet program to the accountant showing him the new feature and hope to God he likes it. When he uses your spreadsheet program you will get the accounts file in your directory. You should write a program and leave it in memory so that as soon as it sees this file it copies it into the other file name so your trojan can copy the other file back the first time with out error. Once this has happened delete the TSR program and edit the accounts file as you please. You can then rename it to the file in your directory the trojan copies back and your payroll will be changed! Potpourri BUGS As far as bugs go, don't worry about not being able to obtain them. Sure, there are some suppliers around that only sell to 'Law Enforcement Agencies' only, but most will sell to you, so there is no reason to bother with social engineering yourself one. Anyway, most suppliers that will only sell to law enforcement agencies usually have their products so marked up, its unrealistic. Good bargains, and very high quality equipment can be found offered by a Japanese company called CONY. Usually their products are so reasonable that it makes the competitors cry in shame. I suggest you write to them. CONY MFG CORP Rm 301 Hirooka Bldg No 59, 2 Chome Kangetsu cho Chikusa ku Nagoya 464 JAPAN WHERE AND HOW TO STICK THEM Assuming you obtain a bug, or any combination of different types of bugs, you will want to use them, for any number of particular purposes. The safest and easiest way to plant a is to send the person that you want to know better a nice gift with you know what hidden inside it. Something that they could, say, place on their desk, or display prominently in their place or work or residence. Wrap it nice, and include a small card, and do whatever you feel is appropriate. A more dangerous method is to actually obtain entry into the office or residence of the person that you want to know better. If you have success in getting in, planting it, and getting out unnoticed, then you will be safe. Once a is planted, you will leave it there even after it becomes inoperative, because, if you have placed considerable risk on yourself to plant it, you do not want to go through that risk again just to retrieve it. Just forget about it. It won't miss you. There are a number of places to hide your electronic friend: o Carefully [!] unscrew a wall socket. There, you will notice some extra, unused space inside. Figure out the rest. o Do like the shows on TV. Hide them under a table, or chair. Let your imagination run wild [use good judgement]. You are relatively free, due to today's technology, and the short antennas. Pick an area that is not subject to 'search or routine cleaning'. o Dress up like a workman and show up at their house. Make up a good excuse. Gain access. Plant it. UTILIZATION You will want to record all that you can get with this for later review. Also, take into consideration, that you can't be at the receiver 24 hours a day. The setup to use for maximum efficiency is a recorder with a VOX. Therefore, tape waste will be at a bare minimum. That's also good, because you don't want to be at the receiver just to flip tapes every half hour to 45 minutes. Also, it would be difficult to review these tapes, becasse you would have to listen to a half hour recording for an actual half hour, and so on. Well, those half hours will add up into hours, into hours, into hours. Not smart. As said, invest in a VOX. This will make it able to have the recorder skip over those quiet times in your target's house. To save tape you could slow down the recorder with electronics, if you have the electronics. You might not be successful, because it becomes difficult to tell the speech of people from background noise. Please note that not every technique is discussed here. This is a scratch of the surface. If you can, use metal tapes [if the recorder has that capability]. If not, use low noise/extended range tapes. As with most surveillance equipment, be sure that you know what you are doing. This is a game in which you can be charged hundreds of dollars for something that you could do yourself with 35 bucks. Some companies sell recorders which claim to be able to record 14 hours on a standard cassette. They have simply removed the pulley from the drive shaft of a Panasonic or Sony recorder that costs less than 50 dollars and jacked up the price 300%. Try it yourself, save money. ADVANCED TECHNOLOGY There is a nice device called a shotgun mic that allows you to point it at a window and listen in on a conversation in the immediate room, because of the room's sound waves causing the window glass to vibrate. The window must be closed. Since all you have to do is point it and go, well, they become obviously convenient. And fun. Find one. They might cost a litle more, but worth it. And the target is not likely to know he is being watched, so he will not be smart enough to enact countermeasures. WIRETAPPING Everyone has at sometime wanted to hear what a friend, the principal, the prom queen, or a neighbor has to say on the phone. There are several easy ways to tap into a phone line. None of the methods that I present will involve actually entering the house. You can do everything from the backyard. I will discuss four methods of tapping a line. They go in order of increasing difficulty. 1. The " beige box ": a beige box (or bud box) is actually better known as a "lineman" phone. They are terribly simple to construct, and are basically the easiest method to use. They consist of nothing more than a phone with the modular plug that goes into the wall cut off, and two alligator clips attached to the red and green wires. The way to use this box, is to venture into the yard of the person you want to tap, and put it onto his line. This is best done at the bell phone box that is usually next to the gas meter. It should only have one screw holding it shut, and is very easily opened. Once you are in, you should see 4 screws with wires attached to them. If the house has one line, then clip the red lead to the first screw, and the green to the second. you are then on the "tappee's" phone. You will hear any conversation going on. I strongly recommend that you remove the speaker from the phone that your using so the "tappee" can't hear every sound you make. If the house has two lines, then the second line is on screws three and four. If you connect everything right, but you don't get on the line, then you probably have the wire's backward. Switch the red to the second screw and the green to the first. If no conversation is going on, you may realize that you can't tap the phone very well because you don't want to sit there all night, and if you are on the phone, then the poor tappee can't dial out, and that could be bad...so....... method two. 2. The recorder: This method is probably the most widespread, and you still don't have to be a genius to do it. There are LOTS of ways to tape conversations. The two easiest are either to put a "telephone induction pickup" (radio shack $1.99) on the beige box you were using, then plugging it into the microphone jack of a small tape recorder, and leaving it on record. Or plugging the recorder right into the line. This can be done by taking a walkman plug, and cutting off the earphones, then pick one of the two earphone wires, and strip it. There should be another wire inside the one you just stripped. Strip that one too, and attach alligators to them. Then follow the beige box instructions to tape the conversation. In order to save tape, you may want to use a voice activated recorder (Radio shack $59), or if your recorder has a "remote" jack, you can get a "telephone recorder control" at Radio shack for $19 that turns the recorder on when the phone is on, and off when the phone is off. This little box plugs right into the wall (modularly of course), so it is best NOT to remove the modular plug for it. Work around it if you can. If not, then just do you best to get a good connection. When ecording, it is good to keep your recorder hidden from sight (in the bell box if possible), but in a place easy enough to change tapes from. The wireless microphone: this is the tap. It transmits a signal from the phone to the radio (Fm band). You may remember Mr microphone (from kaytel fame), these wireless microphones are available from radio shack for $19. They are easy to build and easy to hook up. There are so many different models, that it is almost impossible to tell you exactly what to do. The most common thing to do, is to cut off the microphone element, and attach these two wires to screws one and two. the line MIGHT, depending on the brand, be "permanently off hook" this is bad, but by mucking around with it for a while, you should get it working. There are two drawbacks to using this method. One, is that the poor asshole who is getting his phone tapped might hear himself on "FM 88, the principal connection". The second problem is the range. The store bought transmitters have a VERY short range. I suggest that you build the customized version I will present in part four (it's cheaper too). Now on to the best of all the methods.... 4. The "easy-talks": This method combines all the best aspects of all the other methods. It only has one drawback... You need a set of "Easy-talk" walkie talkies. They are voice activated, and cost about $59. You can find them at toy stores, and "hi-tech" catalogs. I think that any voice activated walkie talkies will work, but I have only tried the easy-talks. First, you have to decide on one for the "transmitter" and one for the "receiver". It is best to use the one with the strongest transmission to transmit, even though it may receive better also. Desolder the speaker of the "transmitter", and the microphone of the "receiver". now, go to the box. put the walkie talkie on "VOX" and hook the microphone leads (as in method three) to the first and second screws in the box. Now go home, and listen on your walkie talkie. if nothing happens, then the phone signal wasn't strong enough to "activate" the transmission. If this happens there are two things you can do. One, add some ground lines to the microphone plugs. This is the most inconspicuous, but if it doesn't work then you need an amplifier, like a walkman with two earphone plugs. Put the first plug on the line, and then into one of the jacks. Then turn the volume all the way up (w/out pressing play). Next connect the second earphone plug to the mice wires, and into the second earphone outlet on the walkman. now put the whole mess in the box, and lock it up. This should do the trick. It gives you a private radio station to listen to them on, you can turn it off when something boring comes on, and you can tape off the walkie talkie speaker that you have! WIRELESS TRANSMITTER PLANS Here the plans for a tiny transmitter that consists on a one colpitts oscillator that derives it's power from the phone line. Since the it puts on the line is less than 100 ohms, it has no effect on the telephone performance, and can not be detected by the phone company, or the tappee. Since it is a low-powered device using no antenna for radiation, it is legal to the FCC. (That is it complies with part 15 of the FCC rules and regulations). It, however is still illegal to do, it's just that what your using to do it is legal. This is explained later in part 15... "no person shall use such a device for eavesdropping unless authorized by all parties of the conversation" (then it's not eavesdropping is it?). What this thing does,is use four diodes to form a "bridge rectifier". It produces a varying dc voltage varying with the auto-signals on the line. That voltage is used to supply the voltage for the oscillator transistor. Which is connected to a radio circuit. From there, you can tune it to any channel you want. The rest will all be explained in a minute.... PARTS LIST DESCRIPTION C1 | 47-Pf ceramic disk capacitor C2,C3 | 27-Pf mica capacitor CR1,CR2,CR3,CR4 | germanium diode 1n90 or equivalent R1 | 100 ohm, 1/4 watt 10% composition resistor R2 | 10k, 1/4 watt 10% composition resistor R3 | .7k, 1/4 watt 10% composition resistor L1 | 2 uH radio frequency choke (see text) L2 | 5 turns No.20 wire (see text) Q1 | Npn rf transistor 2N5179 or equivalent One may be constructed by winding approximately 40 turns of No. 36 enamel wire on a megohm, 1/2 watt resistor. The value of L1 is not critical. L2 can be made by wrapping 5 turns of No. 20 wire around a 1/4 inch form. After the wire is wrapped, the form can be removed. Just solder it into place on the circuit board. It should hold quite nicely. Also be sure to position Q1 so that the Emitter, Base, and collector are in the proper holes. The schematic should be pretty easy to follow. Although it has an unusual number of grounds, it still works. |------------------L1----------------| -- | CR1 / \ CR2 |----------------| A--------------/ \ --| ----| | | | \ / | | | C2 L2 | CR3 \ /CR4 | C1 R2 |----| | R1 -- | | | gnd C3 | | | | ----| |-----| | gnd | | | | | |-----|----Base collector | | R3 \ / B-----------------------| | \/\ <- Q1 gnd \/ | | emitter(gnd) One odd thing about this that we haven't encountered yet, is that it is put on only one wire (either red or green) so go to the box, remove the red wire that was ALREADY on screw #1 and attack it to wire 'A' of the then attach wire 'B' to the screw itself. you can adjust the frequency which it comes out on (the FM channel by either tightening, or widening the coils of L2. It takes a few minutes to get to work right, but it is also very versatile. You can change the frequency at will, and you can easily record off your radio. HELPFUL HINTS First of all, With method one, the beige box, you may notice that you can also dial out on the phone you use. I don't recommend that you do this. If you decide to anyway, and do something conspicuous like set up a 30 person conference for three hours, then I suggest that you make sure the people are either out of town or dead. In general when you tap a line, you must be careful. I test everything I make on my line first, then install it late at night. I would not recommend that you leave a recorder on all day. Put it on when you want it going, and take it off when your done. As far as recording goes, I think that if there is a recorder on the line it sends a sporadic beep back to the phone co. I know that if you don't record directly off the line (i.e off your radio) then even the most sophisticated equipment can't tell that your recording. Also, make sure that when you install something the people are NOT on the line. Installation tends to make lots of scratchy sounds, clicks and static. It is generally a good thing to avoid. It doesn't take too much intelligence to just make a call to the house before you go to install the thing. If it's busy then wait a while. (This of course does not apply if you are making a "midnight run"). All in all, if you use common sense, and are *VERY* Careful, chances are you won't get caught. Never think that you're unstoppable, and don't broadcast what your doing. Keep it to yourself, and you can have a great time. Lunch Box The Lunch Box is a VERY simple transmitter which can be handy for all sorts of things. It is quite small and can easily be put in a number of places. I have successfully used it for tapping phones, getting inside info, blackmail and other such things. The possibilities are endless. I will also include the plans for an equally small receiver for your newly made toy. Use it for just about anything. You can also make the transmitter and receiver together in one box and use it as a walkie talkie. Materials you will need ======================= 1 9 volt battery with battery clip 1 25-mfd, 15 volt electrolytic capacitor 2 0.0047 mfd capacitors 1 0.022 mfd capacitor 1 51 pf capacitor 1 365 pf variable capacito 1 Transistor antenna coil 1 2N366 transistor 1 2N464 transistor 1 100k resistor 1 5.6k resistor 1 10k resistor 1 2meg potentiometer with SPST switch Some good wire, solder, soldering iron, board to put it on, box (optional) Schematic for The Lunch Box This may get a tad confusing but just print it out and pay attention.] [!] ! 51 pf ! BASE ---+---- ------------COLLECTOR ! )( 2N366 +----+------/\/\/----GND 365 pf () emitter ! ! )( ! ! +-------- ---+---- ! ! ! ! ! ! ! GND / .022mfd ! ! 10k\ ! ! ! / GND +------------------------emitter ! ! ! 2N464 / .0047 ! base collector 2meg \----+ ! ! +--------+ ! / ! GND ! ! ! GND ! ! ! +-------------+.0047+--------------------+ ! ! ! +--25mfd-----+ -----------------------------------------+ ! ! microphone +--/\/\/-----+ ---------------------------------------------+ 100k ! ! GND---->/<---------------------!+!+!+---------------+ switch Battery from 2meg pot. Notes about the schematic 1. GND means ground 2. The GND near the switch and the GND by the 2meg potentiometer should be connected 3. Where you see: )( () )( it is the transistor antenna coil with 15 turns of regular hook-up wire around it. 4. The middle of the loop on the left side (the left of "()") you should run a wire down to the "+" which has nothing attached to it. There is a .0047 capacitor on the correct piece of wire. 5. For the microphone use a magnetic earphone (1k to 2k). 6. Where you see "[!]" is the antenna. Use about 8 feet of wire to broadcast approx 300ft. Part 15 of the FCC rules and regulation says you can't broadcast over 300 feet without a license. (Hahaha). Use more wire for an antenna for longer distances. (Attach it to the black wire on the phone line for about a 250 foot antenna!) Operation of the Lunch Box This transmitter will send the signals over the AM radio band. You use the variable capacitor to adjust what freq. you want to use. Find a good unused freq. down at the lower end of the scale and you're set. Use the 2 meg pot. to adjust gain. Just screw with it until you get what sounds good. The switch on the 2meg is for turning the Lunch Box on and off. When everything is adjusted, turn on an AM radio adjust it to where you think the signal is. Have a friend say something thru the Box and tune in to it. That's all there is to it. The plans for a simple receiver are shown below: 9 volt battery with battery clip 365 pf variable capacitor 51 pf capacitor 1N38B diode Transistor antenna coil 2N366 transistor SPST toggle switch 1k to 2k magnetic earphone Schematic for receiver [!] ! 51 pf ! +----+----+ ! ! ) 365 pf (----+ ! ) ! ! +---------+---GND ! +---*>!----base collector----- [ diode 2N366 earphone emitter +----- ! ! GND ! - + - battery + GND------>/<------------+ switch Closing statement This two devices can be built for under total of $10.00. Not too bad. Using these devices in illegal ways is your option. If you get caught, I accept NO responsibility for your actions. This can be a lot of fun if used correctly. Hook it up to the green wire (I think) on the phone line and it will send the conversation over the air waves. -- Daniel N2SXX dmd@panix.com