leetophreakoheadz 'zine #4
2002

...We coined the term "leeto"...

issue 4 Table Of Content (toc)

Intro
By: ic0n

The Wireless beige box
By: Captain B

What is a Cna Number and what can it do for me?
By: ic0n

HOW TO UTILISE NMAP'S NEW IDLESCAN TECHNIQUE PROPERLY
by: pulse state

Verizon Teleconferencing
By K00p$ta Phr34k and ic0n

__________________
*Intro *
*by: ic0n *
*ic0n@phreaker.net *
*__________________*

What's up everyone, we finally decided to release issue 4 after many months of doing nothing. We hope you enjoy this issue of the zine, and we hope to have issue 5 out sometime in July, maybe even earlier. We hope to get a lot of feedback from this zine once again, to answer any questions you may have about phreaking, or maybe even some hacking questions. We're going to start putting scans into the zine, or if we can get at least 10 scans we could make a scan zine.

_________________________
*The Wireless beige box *
*By: Captain B *
*_________________________*

One thing I've come to realize is that many things in electronics use fairly low voltage on average, and tend to run on DC (Direct Current) power. Cordless phones are no exception. In case you didn't already know, batteries also run on DC. Can you tell where I'm going with this yet? Most cordless phones I've seen thus far use 9 volts to power the base. (You know, the unit you put your cordless phone on to charge it). So far, I've seen one that used 12 volts to power it.
But, I think those that use more than 9 volts to power the base mainly tend to have built-in answering machines, speakerphones, or other extras you wouldn't need during wireless beige boxing anyway. To be sure a given cordless phone's base uses 9VDC (9 volts DC) to power it, look on the AC adapter plug for its voltage "rating" (displayed as 9VDC or whatever next to "output"). Disregard the input stats; that's the voltage/current coming into the AC adapter from the electrical outlet before the adapter lowers the voltage and current and converts it to DC. Or, you can also check on the back of the cordless phone's base where the power cord connects. Usually, you'll see something like "9V in", or simply "9V". As long as the phone's base uses 9 volts to power it, you can power it with a 9v battery.

There's more than one way to go about this. With the 1st method, you'll sacrifice your AC adapter, since it involves modifying it for the purpose. So, you may want to think twice. With the 2nd method, you can buy a rechargeable battery charger called Power Bank from Radio Shack that doubles as a DC power source to power electronics. The 3rd method, which is probably the most complex of the three, involves an adaptaplug with an adaptacord attached to it, leading to a 9v battery clip soldered on at the end where the AC adapter would be. (Which is basically the same as the 1st method described, except you won't have to ruin the AC adapter that came with the cordless). Anyway, I'll describe only the 1st method here. But, you can always do it another way, too.

By the way, you're going to need a wire cutter, wire stripper, 9v battery clip (sold in packs of 5 at Radio Shack), standard 60/40 solder, a soldering iron (30 watts should be fine for the job), and possibly electrical tape. First, get the AC adapter and cord for the cordless phone. (Remove it from the back of the cordless phone).
What you'll need to do first is cut the AC adapter off of the power cord. Now, I've come to know more recently that AC adapters sometimes retain some electric current even after being unplugged for a bit. With 9v of power, I doubt it'd be a bad shock if there's leftover current. But, there's a way to remove leftover current if you happen to have an insulated alligator clip jumper cable (also sold at Radio Shack). Just connect one of the alligator clips to one of the 2 prongs on the AC adapter, and touch the metal part of the other alligator clip on the other end of the jumper cable to the other prong on the AC adapter, thereby shorting it. If there was leftover current, there will be a little bit of a spark. Okay, with that said, let's move on.

As stated before, you'll have to cut the AC adapter off of the power cord. Then, cut a fairly small notch vertically downward on the power cord right between the 2 wires. Now, slowly and carefully, separate the power cord by pulling the 2 wires apart from each other a bit. Then, carefully strip about half an inch of insulation off each of the wires. Now, you can attach the 9v battery clip to the bare wire leads of the power cord. There's 2 ways this can be done: With the 1st method, you can solder the bare wire leads from the power cord to the bare wire leads from the 9v battery clip. In which case, you'll want to wrap the exposed section of soldered wire with electrical tape afterward. Or, you can use the 2nd method and solder the wire leads from the power cord directly to the 9v battery connector clip. If you go with that way, it may be better not to buy the heavy duty 9v battery clips, as I think they can be a bit harder to solder the wire leads to. At any rate, once you have the 9v battery connector soldered up to the power cord, it's just a matter of connecting a 9v battery to the 9v battery connector to power the cordless phone's base.
Optionally, you could also remove the circuit board from inside the casing of the cordless phone's base. After all, you only need the interior components, not the chassis casing, to operate the cordless phone's base. If you've bought a cordless phone that has a particularly small base, it may even be the case that you could fit it all inside something. Like say inside a TNI, or inside the bottom base part of a fortress payphone. Use your imagination, have phun, and as always, be careful with everything phreaking related that you do.

_____________________________
*What is a Cna Number and what*
*can it do for me? *
*By ic0n *
*ic0n@phreaker.net *
*wrote on 3/29/02 *
*_____________________________*

Before I even begin, if you have never read about C.N.A., it stands for Customer Name and Address. There are not very many companies that offer this service to the public. One C.N.A. number was floating around the UPL (phonelosers.net) message board a while ago. The company that offered it was Johnson&Johnson; it was for some lawsuit. Most phreaks will find use in having a C.N.A. number when beige boxin'. All you need to do is get the number and call up the C.N.A. and enter the number that ANAC gave you. Then the system will give you the name and address for that given number, even if it's unlisted. There are not many CNAs around anymore, mainly because lamers use them to show off their leeched skills. But they're still around, and there's even a few toll free ones I know about. Ameritech offers something like a CNA service. But since it's offered to the public it's got some different things. The main thing is there is a toll for the call, and you can only get the info for 2 numbers per call. *Note: only in the 312/708 area so far, 35 cents per call also* One last thing before I finish up on this article. There's also some CNAs that are 900 numbers. But you will be charged for the minutes, and not per call like Ameritech offers.
I just thought you might want to know this also.

CNA numbers that I can share with fellow phreaks *got any more? please contact me via e-mail with them*

203-771-8080 CT
312/708-796-9600 Ameritech pay-for-play CNA
415-781-5271 Pac Bell CNA
513-397-9110 Cincinnati/Dayton OH
516-321-5700 Hempstead/Long Island NY
518-471-8111 Albany/Schenectady NY
641-464-0123 Columbus/Steubenville OH
813-270-8711 Ft Myers/St. Petersburg FL
900-933-3330 Unidirectory
900-884-1212 Telename

_____________________________________________________
*HOW TO UTILISE NMAP'S NEW IDLESCAN TECHNIQUE PROPERLY*
*by: pulse state *
*_____________________________________________________*

Starting with Nmap version 2.54BETA30, Fyodor has implemented a new type of clandestine portscanning called "idlescan". Since the man page for nmap(8) goes into not very much detail on this type of scanning, I've decided to explain it from my point of view.

Before I start, you will need...

- A computer running something other than Windows. Linux is the best choice for running Nmap. If you do run Linux, any kernel version equal to or later than 2.2.17 should work fine. Remember to login as root, or set Nmap to run suid (not recommended).
- Nmap 2.54BETA30 or later.
- To be on a subnet that has one or more machines having IP addresses visible to the Internet (10.*.*.*, 172.0-16.*.*, and 192.168.*.* subnets are not visible to the Internet... anything else will be). NOTE: This subnet has to have a netmask other than 255.255.255.255. Most people connecting to the Internet through a dialup ISP will have this netmask. Most people having a cable modem, DSL, T1 or higher will not have a 255.255.255.255 netmask. A netmask of 255.255.255.255 means that you are the only host on your subnet, which means you won't be able to do this scan without hopping a few routers, and as of the date this article was written, I've not seen the idlescan work using a zombie on another subnet. If someone gets it to work, please E-Mail me.
:) OK, now that I've managed to completely confuse the n00bs, let's continue.

Basically, how this scan works is that you pick a target host that you want to scan, but you don't want your IP address to show up in their logs, and then you pick what's called a 'zombie host'. The zombie host needs to be a computer on your subnet that is idle, that is to say, little or no TCP/IP traffic comes in or out of it. Once you've found the target and zombie hosts you want to use, fire up Nmap like this:

    nmap -sI <zombie host> -P0 -v -v <target host>

What you're telling Nmap to do here is to initiate an idlescan (-sI) against the target host, using the zombie host as a go-between, not to ping any hosts (-P0) so that the target host doesn't see any pings originating from your machine, and to be quite verbose (-v -v) about what it's doing.

Now, here's a sample of the Nmap output (if it works):

    Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
    Host cactus (192.168.0.85) appears to be up ... good.
    Idlescan using zombie 192.168.0.15 (192.168.0.15:80); Class: Incremental
    Initiating Idlescan against (192.168.0.85)
    Adding open port 445/tcp
    Adding open port 139/tcp
    Adding open port 135/tcp
    The Idlescan took 0 seconds to scan 6 ports.
    Interesting ports on (192.168.0.85):
    (The 3 ports scanned but not shown below are in state: closed)
    Port       State       Service
    135/tcp    open        loc-srv
    139/tcp    open        netbios-ssn
    445/tcp    open        microsoft-ds

(NOTE: I only scanned six ports in this example, to keep the output to a minimum.)

It is telling you that your target host (192.168.0.85) appears to be up. Nmap will always do this when you specify '-P0' on the command line. Next, Nmap is telling you that it is about to do an idlescan using the zombie (192.168.0.15), the originating TCP port on 192.168.0.15 will be 80, and the IP ID sequence has been found to be incremental. That means that the IP ID number on every packet that comes out of that machine is one greater than the last packet that came out of that machine.
There are different types of incrementation. Some hosts use pretty tough randomisation algorithms, so they will be unusable as zombie hosts, and Nmap will tell you this. Most hosts out there, however, will have some simple algorithm that Nmap can follow. Next, Nmap is saying that it has initiated the actual idlescan against 192.168.0.85. Every time it finds a port to be open, Nmap will add it to the list. At the end, it lists the ports it found open.

Now, while all that was going on, here is what was happening... Your machine sent a few packets to the zombie host on port 80, to figure out its IP ID sequencing algorithm. Then, your machine masqueraded as the zombie host, and portscanned the target that way. Every time a response packet would come back to the zombie, your machine would see that, and interpret the results as if the packets had come directly to your machine. However, you will remain unseen for the most part. The target host will never see your IP address, only the address of the zombie host. The zombie (depending on how extensive their logging program is) may show you trying to connect a couple of times to their port 80 (or whatever you specified -- I'll cover all the idlescan-relevant options below), but that's it. Nothing more.

Now, here are some tips on how to be safe when doing these scans. Obviously, both your target and your zombie hosts need to be up and responsive, or else the scan will fail. Also, don't pick an outlandish port number for the zombie host. Pick something like 80 (http), 21 (ftp), or 25 (smtp), or something along those lines. The reason for this is, if the administrator of the zombie host looks at his logs and sees you connecting to his port 602, he will think something is really suspicious. But, if he sees you connecting to his port 80 or 25 or something, he'll just shrug it off, assuming that you typed in the wrong IP address or DNS name, and not think twice about it.
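To see why the "Class: Incremental" line is the whole trick, here is an added Python model (not code from the zine or from Nmap) of the IP ID side channel just described: a constructed zombie with one global IP ID counter, a constructed target, and the before/after comparison that turns a counter change into a port state. The classify_ipid() function is the check an admin can run over IP IDs captured from their own host to see whether it would be reported as Incremental (the only class usable as a zombie); its "Broken little-endian" and "All zeros" labels go beyond the single Incremental case the article shows, and all names here are assumptions.

```python
"""Model of the IP ID side channel behind Nmap's idlescan (added example,
not code from the zine or from Nmap). Nothing here touches the network:
the zombie and target are constructed objects."""
from dataclasses import dataclass

IPID_MOD = 65536  # the IP ID field is 16 bits wide


def classify_ipid(samples):
    """Label an IP ID sequence as Nmap reports it; only 'Incremental' is zombie-usable."""
    if len(samples) < 2:
        raise ValueError("need at least two IP ID samples")
    if all(s == 0 for s in samples):
        return "All zeros"
    diffs = [(b - a) % IPID_MOD for a, b in zip(samples, samples[1:])]
    if all(d == 1 for d in diffs):
        return "Incremental"
    if all(d == 256 for d in diffs):  # counter byte-swapped on the wire
        return "Broken little-endian incremental"
    return "Randomized"


@dataclass
class Zombie:
    """Constructed idle host with one global, incrementing IP ID counter."""
    ipid: int = 1000
    background_packets: int = 0  # traffic it generates by itself per probe

    def send(self):
        self.ipid = (self.ipid + 1) % IPID_MOD  # one packet out, counter +1
        return self.ipid

    def receive_syn_ack(self):
        self.send()  # an unsolicited SYN/ACK is answered with a RST: +1

    def receive_rst(self):
        pass         # a RST gets no reply, so the counter does not move

    def idle_window(self):
        for _ in range(self.background_packets):
            self.send()  # a host that is not really idle ruins the reading


@dataclass
class Target:
    """Constructed target; its replies go to the spoofed source, the zombie."""
    open_ports: set

    def receive_spoofed_syn(self, port, zombie):
        if port in self.open_ports:
            zombie.receive_syn_ack()  # open port: SYN/ACK back to the zombie
        else:
            zombie.receive_rst()      # closed port: RST (filtered: nothing)


def infer_port_state(zombie, target, port):
    """Compare the zombie's IP ID before and after one SYN to the target."""
    before = zombie.send()                    # probe zombie; its RST carries the ID
    target.receive_spoofed_syn(port, zombie)  # SYN to target, source = zombie
    zombie.idle_window()
    after = zombie.send()                     # probe zombie again
    delta = (after - before) % IPID_MOD
    if delta == 2:
        return "open"             # zombie sent a RST to the target and one to us
    if delta == 1:
        return "closed|filtered"  # only our own probe moved the counter
    return "unknown: zombie not idle (delta %d)" % delta
```

The third case is the practical defence the article hints at: a host with any background traffic, or with randomised IP IDs, gives the scanner no readable signal.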
Anyway, I said I would cover the options that you could use with the idlescan.

-p - Port specification. Use this if you only want to scan a port, or a range of ports. An argument like -p 21,25,135-139 would tell Nmap to scan port 21, port 25, and ports 135 through 139. This option should be familiar to people who have already used Nmap's many other scanning methods.

-S - Source address spoofing. Use this if you REALLY don't want your IP address to get out anywhere, even to the zombie host. Your spoofed IP address needs to be that of a host that is known to be up, or else the entire scan won't work at all. You may also need to use the -e option (which is covered below) and the -P0 option (which you are already using).

-e - Interface specification. If you use -S, you also need to tell Nmap which interface you want to use your fake IP address on. Usually, Nmap will not complain about this if you only have one network interface. However, if you're running Nmap on a machine that maybe serves as a cheap router/firewall, and it has two network interfaces, you will need to tell Nmap which interface to use.

This should be enough to get you started. If you want to see what really goes on around your subnet, get Tcpdump and read the man page thoroughly. (Hint: I used Tcpdump to see what Nmap was doing, hence my understanding of the idlescan.) I also highly recommend reading RFC 793 (discusses Transmission Control Protocol, or TCP). See the links section below. If you are just starting off in Linux, I would suggest getting the Debian distribution. See the links section below.
Here is a list of links pertinent to this article:

Debian Linux: http://www.debian.org
Nmap homepage: http://www.insecure.org/nmap/index.html
RFC documents: http://www.ietf.org/rfc.html

____________________________
| VERIZON TELECONFERENCING   |
| BY: k00p$ta Phr34k and ic0n|
|____________________________|

Before we begin this file, we (ic0n & k00p$ta) are not going to give you any info on setting up the conference, for a few reasons, but it's not hard at all to set up, since everyone @ Verizon is crazy or just dumb, minus a select few (they know who they are). Now on with the file.

Verizon now offers a new service, Conference Connections. These conferences are reservation-less, which means around the clock availability. The conference is available 24 hours a day, 7 days a week, and 365 days out of the year. This makes conferencing very easy. Thanks Verizon!

There are 2 ways to dial into a Verizon conference:
1. Toll Free dial in number (866-441-2942)
2. Direct (972-717-2043) NPA 972 is in Texas

There are no setup fees, no cancellation fees, and no monthly charges. Which means you can set up a teleconference and your victim will not even know he's got a teleconference being billed to him. The minutes your participants used are logged separately by different ports. There are 20 of these ports, but I'm sure there is a way to get more. Anyway, the minutes are added together to simplify the subscriber's bill, in addition to the required taxes. There is a separate bill for toll free service as well.

States that need to use the direct number to the conference:
1. Alaska
2. Delaware
3. Maryland
4. New Jersey
5. New Hampshire
6. Virginia
7. Vermont
8. Washington D.C.
9. West Virginia

*Once again, the direct number is 972-717-2043.*

The reasoning behind the direct number is that Verizon provides long distance services for calls originating in most states outside the mid-Atlantic and New England states.
Until government approval is obtained, Verizon cannot carry long distance in the states listed above. Verizon is in the works on getting the necessary state and federal permissions to offer long distance in every state.

Rates (cents per minute per port):

              Until 3/30/02   Normal
  Toll Free   $0.22           $0.31
  Direct      $0.09           $0.18

Feature Descriptions

Announcements for Entry and Exit
At your option, the reservation-less Conference Connections system can sound a tone or have silence when participants enter or exit a conference.

Attendant Request
The Subscriber or Participants can request attendant assistance for private or group consultation. The person requesting assistance remains in the conference until the attendant handles the request.

Conference Continuation
This feature allows the subscriber to exit a conference after it begins without disconnecting the participants, and must be activated for each conference call. *Note: The system automatically defaults to end the conference call when the subscriber disconnects.*

Conference Lock/Unlock
This feature lets the subscriber lock a conference once all parties are present to keep the conference private. Attendants cannot enter locked conferences, but can ring the conference requesting that the subscriber unlock for attendant entry.

Help Menu
Help with using conference commands is available to every conference Subscriber and Participant. The system plays a private help message to the requester that lists the available features and their associated touch-tone (DTMF) commands.

Mute/Un-mute
The Subscriber can collectively mute or un-mute all lines in the conference except for the subscriber's line. The participants can mute and un-mute their own lines to help control distractions and interruptions.

Participant Count
The system automatically tracks the number of participants on a conference. Any Subscriber or Participant can check the number of people in the conference at any time. The system announces the count privately to the requester.
Quick Start
As a rule, conferences do not begin until the subscriber starts the conference. However, your account can be configured to allow the subscriber to use this feature so that the conference begins as soon as the first participant arrives. In this scenario, participants who arrive before the subscriber may talk to one another before the conference actually begins. Though the quick start feature offers less security, it allows unplanned meetings to occur whenever needed, or permits conferencing when the subscriber is unavailable to start the conference.

Features: Subscriber Conference Commands

This is how you begin a conference:
1. Dial into the conference system
2. Enter pass code, then the # (pound) key
3. Then press the * (star) key
4. Enter subscriber PIN (4 digits)
5. Press 1 to start the conference, or press 2 to change account options.

To change account options:
Press 1 to change subscriber PIN
Press 2 to configure roll call options
Press 3 to change quick start options
Press 4 to change auto continuation options

Conference control options (while in conference):
Press *0 to speak privately with an operator
Press 00 to request an operator to join the conference
Press *4 to lock the conference
Press *5 to unlock the conference
Press *6 to mute your line
Press *7 to un-mute your line
Press *8 to allow the conference to continue after you disconnect
Press *9 to privately play a list of participants on the conference
Press *# to hear the number of participants in the conference
Press ## to mute all lines except the subscriber
Press 99 to un-mute all lines
Press ** to play this list of commands

How to end a conference: Say whatever, then hang up the phone; a short message will be played for them and then it disconnects them.

***We also need to thank Verizon for being so dumb and giving us all this information to write this article. Shout Outs....Lucky225, Dark_Fairytale, The Borish One, Xenocide, Cuebiz, MaddjimBeam, Whit3rav3n, Reaver, Captain_B, Mr. Poop, RBCP, Everyone Who was on $kytel back in 96-97...well okay only some people from skytel and everyone else we know.***