========================================================
Page 33 // Second Issue // January 2004
========================================================
[http://page33.port5.com] [page33@mail.com]

In This Issue
========================================================
A New Year ------------------------------------- blakmac
The Double Op-Divert, and More --------------- Captain B
Snagging Passwords From Cayman DSL Modems ------ blakmac
Test Prefixes and Exchanges ---------------- PhreakBlaze
Toolkit for the Telecom Enthusiast ------------- blakmac
The Old Code ----------------------------- Page 33 Staff
Linkage ---------------------------------- Page 33 Staff
========================================================

Staff Members
========================================================
blakmac - editor in chief, webmaster
diversereality - resident genius, penetration specialist
========================================================

========================================================
A New Year // blakmac [page33@mail.com]
========================================================

Welcome to 2004. The other day I was playing some old MegaMan game, and it was supposed to take place in the year 200X, so sometime in the next six years we can expect to see cyborgs running around shooting at robots that resemble animals...

We've got a lot to look forward to this year. I'm planning to go ahead and work on the site and the zine a bit more. I doubt that we will be fortunate enough to go hardcopy, but I may print up a few of these and place them around town just to see if they get picked up or thrown away. It's a risk I'm ready to take.

In the past year we have seen some awesome zines get started up (Dig, Leet, Binary Revolution -- at least I think it all happened this past year...), and though it may seem to some that we are all competing, in reality it's not at all that way.
There is plenty of information to go around, but not nearly enough avenues available to deliver it. I feel that more zines should surface, and we should all be supportive of the other zines. There's good stuff there.

I have been fortunate enough to acquire a new digital camera, so look forward to more and better pictures on the site. Hopefully I will get some time to do some urban exploration, however with my schedule, I highly doubt it. If I do, you can bet that there will be pictures posted. Also, if you have any photos that you would like to submit, please email them to us at page33@mail.com. Please make sure they are in .jpg or .gif format. Also, we still need articles for both the site and the zine. And we welcome any feedback that you may have, be it good or bad.

I do realize that a lot of the content in this zine is the same stuff that's available on the site. The reason is this: it's easier to distribute the information on the site if it's in hardcopy. And rather than printing out each individual article for people, I just add them to the zine and print them off that way. I apologize for the redundancy, but until we get more content, we'll probably do things this way. It will change some day, we promise.

We hope you enjoy this issue, we are still just starting out, but it will get better. We look forward to hearing from our readers, so send in your stuff! Oh, and have a happy new year!

========================================================
The double op-divert, and more // Captain B
Note -- Borrowed from www.textfiles.com
========================================================

By this point, most phreakers have probably at least heard about op-diverting, if they don't already know how to do it. But, for a while, I had wondered about the possibility of doing a double op-divert. In which case, you dial into a PBX (Private Branch eXchange), dial out to 1010 ATT 0, then dial a 10 digit number from there (Including toll free numbers).
Well, I can tell you for certain that at least one corporate voice mail system allows for such a thing. It's the Altigen voice mail system. But, unfortunately, you don't seem to run across these all that often. And, it seems like it's not uncommon for this VM system to only have the ability to dial out via the admin's voice mail box. Which, in my experience so far, has always been at extension/voice mailbox number 500, with a passcode of the same.

To do the double op-divert, first log into the VM box, hit # (pound) to start the dial out procedure, then dial the outside line access digit, (which is a 9) plus 1 and the 10 digit phone number. And, in the case of the double op-divert, it goes like this: 9+ 1010 288 00. And, yes that's not a typo. The 1 after the 9 in this case is dropped. (Otherwise, the PBX would recognize what you're dialing as being "911"). And, you have to dial 2 zeros after ATT (288) instead of the usual single zero.

Speaking of which, that double zero technique also works even when you're just dialing straight through normally to AT&T and other "dial around" carrier access codes on phone lines. (At least it works here for me, but it could be different where you are). In fact, on COCOT payphones, it can even help speed up the time you wait for the computer inside the COCOT to start processing (or, should I say, re-dialing) all your 1010 Carrier Access Code-type calls. Although, there are some COCOTS that won't accept 1010 numbers dialed in such a way, and it'll have you redial over again. Also, from standard fare fortress Verizon and RBOC (Regional Bell Operating Companies) payphones, hitting # (pound) after 1010 XXX 0 will put the call through a bit faster as well. Well, at least this is a method that works here where I am. But, I know full well that sometimes subtle differences in phone switches, and other CO (Central Office) phone equipment can change how things work from place to place.
Including even with 2 different COs in the same town sometimes.

By the way, AT&T also has a 2nd 1010 number many don't seem to know about or use as much as 1010 288 0. The second one is 1010 732 0. And, for a while at one point, AT&T also had 1010 779 0. All work the same. Still yet one more way to access AT&T is through 00. (As long as AT&T is the long distance provider for that particular phone line).

On payphones, the bottom instruction card will show who handles long distance calls for that payphone. But, sometimes this info isn't accurate, or the bottom instruction card may be missing, or defaced too badly to be able to read well enough. In which case, just dial either 1-700-555-4141 or 1-700-555-1212 and, after a moment, you'll hear who the long distance provider is for that given phone line. I've tried this method on PBXs to try to find out who the long distance provider was for their phone service. But, so far, I've yet to find a PBX that recognizes 1-700 numbers as valid. But, I have found that if you get the ANI passed by the PBX by dialing an ANAC (Automatic Number Announcement Circuit, which will say back the number you're dialing from), then use the VM system's PBX to dial the PBX's area code + 700-1212, you'll hear who the local service provider is for them. Here's one ANAC you can use: 1-866-My ANI is.

By the way, I don't know if it would help screw up ANI from being passed properly, but you could always use a PBX to dial that company's own local or toll free number back again, log into another voice mailbox on the same VM system, and dial out via the 2nd VM box to whatever number you want to call. To dial into the company's corporate voice mail again via their local number, simply dial the number read back to you via an ANAC. That local number is the number "behind" the toll free number, as it's said to be. Since, most toll free numbers are nothing more than numbers that forward your call to some standard 10 digit phone number somewhere.
(Although, there are some "dedicated" toll free numbers that aren't connected to any 10 digit phone number like that).

Getting back to the double-op divert method, you could also dial into 1010 ATT 0 or 1010 732 0 to perform an emergency interrupt if the person you're calling doesn't have call waiting service, and just won't get off the line. In which case, you have to talk to a live AT&T operator, and ask them to place an emergency interrupt call for you. (Also known as "Emergency interrupt with call completion"). They'll ask you for your name. So, be ready with a fake name, if you'd rather the person you're calling not know who you are. And, yes, there are special charges for them to do emergency interrupt, so you may want to think twice about doing it, since if the company checks their phone bills, they'll see the charges, know something is up, and probably change either their toll free phone number, local phone number, or perhaps even both. In which case, you won't have that corporate voice mail's PBX to dial out on anymore. So, always think about your actions, and the effect it may have beforehand.

By the way, don't forget that it's possible to do op-diverting via live operators. But, if it's a toll free number you want them to place for you, don't expect them to unless you say that you're visually impaired, and need help dialing the call. Even then, I've found a number of telecom companies that just won't, or can't do it. The only exceptions I can think of off-hand are Verizon operators (via 101 6963 0) certain local RBOC operators, and Global Crossing. Global Crossing can be reached at 1010 211 0, which passes along an ANI of a disconnected number in the 505 (New Mexico) area. Probably Global Crossing may have another 1010 number I'm forgetting, or don't know about as well, since many telecom companies seem to have at least more than one 1010 number. And, some have also been setting up their carrier access numbers in the 101 5xxx and 101 6xxx ranges.
So, search around, if you like. And, as always, have phun, and use your head as much as possible.

===============================================================================
Snagging Passwords From Cayman DSL Modems // blakmac [page33@mail.com]
===============================================================================

INTRODUCTION --

I stumbled across this while scanning subnets for web servers. Why was I doing this? Simply -- I got bored with Googling for stuff to look at. What I have discovered is that it is very trivial to get user names and passwords from unprotected Cayman DSL units. In fact, the extent of control available of these machines is disturbing, since the ability to gather this information is based strictly on human laziness.

TOOLS --

Port Scanner -- I prefer SuperScan.

HOW TO FIND DSL MODEMS --

Now on to the good stuff. Oh, yeah, before I forget...I am only telling you this so you will know how to protect your own systems better. Don't use this against anyone.

Ok, first you need to have an IP subnet to scan. If you are using a decent port scanner, you can specify which ports you want to scan for. We are only looking for port 80 in this case. Once you find one, try to browse that IP using IE or any other browser. If it is a Cayman DSL, it will display a login prompt, which will say that it is in fact a Cayman. I'm sure other DSL modems do the same thing, but these are the ones we are looking at for now.

For a Cayman, the default user name is "admin" (without quotes) and there is no password. If configured improperly, it will allow you full access to that modem. Yes, I said FULL.

To get the main account user name, simply click on "DSL PORT (WAN)". This will load another screen displaying the ATM configuration page where you can configure the ATM settings...heh heh. Simply click on "Config" and voila...the VCC 1 Configuration page is displayed. Under the section that says "Authentication" will be some familiar user name/password boxes.
The user name will be in plain text, and the password will be displayed as *'s.

"That's nice, but I want passwords," you say. Well, here's the trick. Simply view source on the page. To make getting the password easier (as if it's necessary), you can use the search option in your text editor to search for the user name. Then just read through the source a little ways, and you will find the password listed in plain text. Scary, huh?

THE MORAL --

The lesson to be learned in this short and very sick exploit is this: always change your passwords from the default to something more secure. It's painfully simple to get this information from any unprotected DSL modem.

If anyone has questions and/or comments, feel free to email me.

========================================================
Test Prefixes and Exchanges // PhreakBlaze
========================================================

Introduction:

Co codes, or nxx codes, are special exchanges or other 7 (or 3) digit numbers for the maintenance of trunks. Most of them are not to be assigned by NANPA for usage. They are to be saved for a central office to use as a test/special codes/exchanges. These numbers differ from CO to CO.

What numbers are Codes (usually)???:

Most co numbers/NXX codes are universal but with different uses. Some are dialed using 10 digit dialing (NPA-NXX-XXXX), 7 digit dialing (NXX-XXXX), and even 3 digit dialing (NXX). I've also heard of dialing (NPA-0XX-958), but I'm not sure what to do there. The common numbers are all N11 codes, 990, 959, 958, 950, 555, 976, 700, and then some only used in your area.

What are the numbers for???:

Well, all the numbers' purposes differ from co to co (except for certain numbers, I'll discuss later). Wait, actually, the N11 codes, they usually don't change.
They are usually supposed to be assigned as:

•211 - Community Information and Referral Services
•311 - Non-Emergency Police and Other Governmental Services
•411 - Local Directory Assistance
•511 - Travel Information Services
•611 - Repair Service
•711 - Telecommunications Relay Service (TRS)
•811 - Business Office
•911 - Emergency

(Note- They are not supposed to be assigned by the NANPA, but instead the FCC.)

But this is not always true, the only ones I've seen constant are 911 (duh!), 711, and 411. (Note- Recently in my area, when I dial 611, it says that the repair service is no longer available from that number, and must be reached from an 800 number.)

The only ones that have a constant use are 700, and 976. The only way to dial 700 is (NPA-700-4141) and that's the only number in that whole range. (Note- 700 is the only one that can be assigned as a NPA by the NANPA.) Then 976 is used as pay services (they usually cost 1 dollar for a call to a service, but if you want to know the services in there, then just dial a wrong number, and a recording should tell you which numbers do what). The rest do stuff.

Your ANAC, Ringback, and NXX test numbers (and you):

One of the things that these codes are almost always used for is the ringback and ANAC for your co/area/region (in my case, state wide). In the Garden State (New Jersey, DUH!!!) the ring back and ANAC are the same for the whole state. My RingBack and my ANAC are 550-xxxx (ringback), and 958 (ANAC). Now, in case you didn't notice, my ring back is not one of the common codes, it is for this area/region only. Now as most of us know, these codes are free when dialed from a payphone, as are 990, 555, 959, 950, and all N11, but not 700, and 976. Now the numbers that serve as a ringback and ANAC differ from place to place (Note- place is a general term, place could be state, town, or even CO). I've even seen ring backs be on N11 numbers, so check all your N11 numbers for ringbacks and ANACs.
Another thing I've heard of is a SASS unit being on a CO/Nxx code. I believe it was in Captain B's area on the N11 code 311, it would play the number you're calling from like an ANAC but, it would do it twice, any time during which, you could enter a pass code. SASS units are not always on Co/Nxx codes, they sometimes have pots lines. (Note- If your area has a SASS unit, then don't try to look for ANAC or ring back once you find your SASS, a SASS is meant to replace those CO/Nxx codes.)

I can't find my ANAC (or ring back), but I found my ringback (or ANAC), any advice/help???:

So, you can't find one of the two codes that does the ring back, or ANAC? No worries, I have a theory that may work for you.

***PhreakBlaze's Theory For Finding Ring Back Or ANAC***

-go to Telcodata.us
-click on the search your npa and ring back or anac code for the nxx. It will most likely come up in a thing called "ODDBALLCODES" with no co name, just some Xs for the co name. If it gives you a company name that owns it :EX- Verizon East: click on it, if not, search your npa and your exchange, then click on the company for your region/state like the example above shows.
-Go down the list (it takes a bit to load) to where it starts listing your NPA and exchanges in it. Then start going down the list till you see an exchange served from the CO XXXXXXXXXX. The first exchange you'll probably see being served by that is 211. Now all that you see with the XXXXXXXXXX you should write down (if it's not one of the regular codes).
-Now go to a payphone or normal phone and dial the codes (Note- sometimes, an ANAC will need a 7 digit number dialed, and other times not.)

Don't worry about the rest of the unused exchanges, they are most likely just exchanges that aren't in use, not codes.
Or, just go to: http://entanglement.net/~ntheory/phreaking...NPA=&NXX=&CLLI=

"good Site"- rates PBlaze
"Wha?..."-says the New York Times

***End/PhreakBlaze's Theory For Finding Your Ring Back Or ANAC/End***

Well, what else about these codes???:

Well, we now found (hopefully) our ANAC or Ring Back (or SASS), and maybe something else fun on those codes. Well some of the codes I've played with have not done anything except given me an error message that I have only heard when the code was not in service. As you may have also noticed, I said they are free to be called from a payphone. The only codes I've seemed to get working terminate at some place I don't know about. Some I've gotten to go to "A Verizon VMS," and others have gone to "network controllers." Other times I've gotten people who answer and all they say is "Verizon," and then wait for you to answer.

Any tips/reasons for scanning this stuff:

Yes, I do have some tips. Well, I'm not so sure of how good you would be at op diverting to it. Also, I'm not sure if there is any possibility/way to get in trouble for scanning these, but it would take the same amount of time to scan from a payphone as it would from home. When you call one that works, it will ring for a long time (never counted the rings), and then after two rings really close together, it will actually start ringing the person's desk/answering machine/ or the VMS picks up. For tips on where to scan, I'm not sure this will help much, but around here (so far) I've only been able to find numbers that work between 990-9000 to 990-9999 (Note- 990-9000 is the Verizon VMS around here.)

Thanks for reading...

Shouts: Y0ung Br1an, Phreak Out, Decoder, Captain B, Dual, StankDawg, Icon, Dox, and everybody else at StankDawg's forums.
===================================================================
Toolkit for the Telecom Enthusiast // blakmac [page33@mail.com]
===================================================================

This is a quick overview of a common kit that every telephone enthusiast should assemble. Please note, this file is created for newbies, and I do not recommend using this kit and/or knowledge in any way that violates any laws. The main goal is to educate those who want to learn about phone systems and plan to use this information ethically. There are articles like this available on the net, but the proliferation of information is important, not to mention that lots of people want to learn these skills but don't know where to begin. This just gives them another starting point.

The tools in this kit will be of use not only to the late-night phone phreak, but also the layman. I strongly recommend keeping a kit such as this handy because telecommunications companies charge quite a bit to send a technician to your house to do repairs. Learning about phone systems can prove to be an invaluable skill.

First thing you need to do is find a good tool bag or backpack, whichever fits your personal needs. I recommend something small and easy to carry, and be sure it is well designed. Personally, I use a simple Craftsman toolbag, which of course can be purchased at Sears. The reason? I needed a toolbag anyways, and I happened to like this one.

Now we need to begin gathering tools. We aren't going to cover every conceivable tool needed here because we are just interested in assembling a kit for people just learning. As time progresses, you will find that you may need or want to carry more tools. Adjust your kit accordingly. I have also included some tools that may or may not be necessary, but this reflects my personal kit.
Here is the basic toolkit:

Lineman's Handset*
Needle-Nose Pliers
Ratchet with 7/16 and 3/8 sockets
Wire Strippers
Telephone Wire
Electrical Tape
Scotch Tape
#1 and #2 Phillips Screwdrivers
Flathead Screwdriver
Gloves - preferably Mechanix Brand (very nice, comfortable)
Microcassette Recorder
Flashlight
Disposable Camera
Alligator Clips
Multimeter

Some of these items may not seem to be useful, however you can never know when you will need these tools. Be sure when you select your tools that you get tools that are properly shielded, for example, rubber handles on the needle-nose pliers, alligator clips, screwdrivers. The reason for this is that phone lines are low-voltage systems, and they will shock you. A telephone line that is on-hook passes about 50 volts, and while ringing passes from 90 to 130 volts. This can hurt, even though it's still considered low-voltage. Be very careful when working with wire pairs.

If you are working on the phone lines inside your house or office, I recommend going to the telephone access node on the side of your building and disconnecting the pairs. In most cases, there will be a short wire with an RJ-11 connector (a standard phone jack). Disconnect this. This is the main patch where you can cut off phone access to the building. Also, when you call the telco if you are having phone trouble, they will ask you if you have checked the inside hardware. That doesn't mean test the phone at a friend's house, it means take the phone outside to the access node and jack in to it. If you get a dialtone, then the problem is inside the building and is your responsibility to repair. If not, test your phone at a friend's house (of course, get permission), and if it works, contact your telco.

The gloves provide extra shielding from the wires, and also any small insects that may be inside junction boxes, access nodes, etc. Also, for the phone phreak, the gloves provide the added security of covering fingerprints (again, ethics are important).
The lineman's handset is one of the most valuable tools you can have for working on telephone systems. However, the only ones I have found were in pawn shops, and they ran close to $100. I recommend making one, which can be done for very little money. First, find a standard, corded telephone. Radio Shack sold one a while back that was small enough to fit in your pocket, and folded like a cell phone. If you can find one I recommend using it. If not, go to your local Goodwill or Salvation Army and pick up a cheap phone. You will also need some phone wire, preferably 1-2 feet long, however you can use as much as you like. Cut the wire, and if it does not already have one, place an RJ-11 jack on one end. This is the end that will connect to the handset. On the other end of the wire, strip the shielding away to reveal the wires inside. I would trim off the yellow and black wires, they won't be needed. Strip the shielding off of the red and green wires, be sure to leave some of the red and green shielding visible. Attach your (shielded) alligator clips on the wires. You now have a lineman's handset, ready for testing pairs. You do know a good ANAC, don't you? (1-800-555-1140)

The ratchet can be used to gain access to access nodes, junction boxes, etc. I do not recommend accessing junction boxes, as this is illegal in most places.

The electrical tape is good for, you guessed it, connecting wires. The Scotch tape can be used to "seal" a box to make sure it has not been tampered with, which is good if you suspect that someone may be accessing your line from the outside.

The microcassette recorder can be used to take notes of what you find, however, they can be used for many other things, none of which will be covered in the scope of this article.

The flashlight is used to give you light (I shouldn't have to explain this), and the camera is good for taking pictures of the things you find that you want to remember (again, I shouldn't have to explain).
The multimeter is used to check the voltage of the phone lines. I strongly suggest taking readings and making notes.

Now that you have your kit assembled, you are ready to go into the field and learn. Be sure to remember that ethics are extremely important. Don't do anything that will get you in trouble or hurt somebody (physically or otherwise). Contrary to popular belief, it is NOT COOL to wipe out people's phones and run up phone bills. If you do this, then you are not cool, and you WILL get caught. I assume no responsibility for your lack thereof. If you misuse your abilities, you make us all look bad, and you deserve whatever punishment you will receive. But for those of you who want to learn a very valuable skill, then by all means, pursue it.

Happy exploring!

========================================================
[THE OLD CODE]

We will be putting random bits of source code here. Some may be good, some not so good, and some just flat out lame. Anyways, here's this issue's code:

Useless code in TI-BASIC -- by blakmac

10 CALL CLEAR
20 PRINT "WE DON'T HAVE ANY SOURCE CODE YET"
30 PRINT "SEND US SOME AND WE WILL PRINT IT"
40 PRINT "..."
50 PRINT "NOW!!!"
60 GOTO 10

[/THE OLD CODE]
========================================================

========================================================
[LINKAGE]

This section is where we will add links that we find very worthy of perusal by the masses. Feel free to submit your links too. If we like them, odds are they will end up here. Enjoy.

http://www.digzine.com -- Another awesome zine, better than ours, really. And hardcopy, too!
http://www.binrev.com -- Yet another way awesome zine. Also hardcopy.
http://www.datutoday.tk -- DATU site, also general phreaking info. Good site.
http://www.page33.tk -- Page 33's other URL, in case you can't remember http://page33.port5.com.
http://www.hackthissite.org -- Some realistic wargames.
-=blakmac approved=-

[/LINKAGE]
========================================================

========================================================
[END NOTES]

Insert witty ending blather here.

Thanks: PhreakBlaze, Captain B, lowtec

[http://page33.port5.com] [page33@mail.com]

[/END NOTES]
========================================================