¹"¹"¹ ¹"¹"¹ ¹"¹"¹ ¹"¹"¹ ¹"¹"¹ ¹"¹"¹ ¹"¹"¹ ¹"¹"¹ ¹"¹"¹ ¹"¹"¹ ¹"¹"¹ ¹"¹"¹ ¹"¹"¹ ,;;11;. ,;!!;. 11 ;;' ,1;;|1,;||;,. |1 '11 leetophreakoheadz 11 1;¨ 11' "1;' '11 |1 11 'zine #5 11 1;' 1;' 11: 11 11 11 2002 "",;;||;; ¨'1;' 11;' ,1; 1; .1: 11' 1::;1||1'" 1;.1:' 11' . 1:1' |1!1';'11:. .,;::;1!;., 11. 1:1 11' 11; :; 1; "1:;,..,;:; .:;1! 1:1 |;1 11: '1.,;'" ¹";11;1¹ 1|1 1:1¹ .|11 11: ,;1;,.' '";:|1:;" ;¹|1;:" ':11;;^ ...We coined the term "leeto"... ¹"¹"¹ ¹"¹"¹ ¹"¹"¹ ¹"¹"¹ ¹"¹"¹ ¹"¹"¹ ¹"¹"¹ ¹"¹"¹ ¹"¹"¹ ¹"¹"¹ ¹"¹"¹ ¹"¹"¹ ¹"¹"¹ ______________________ * Intro * * by ic0n * * ic0n@phreaker.net * *____________________* Welcome everyone to issue 5 of the lph zine! Where back after for yet another round. If you have'nt noticed i've been working on the site here and there. sometime this summer the site will be where i want it to be. Before we get too much into the zine a huge Shout to Captain_B for getting printed in 2.6 (2600) and it just so happen's to be the box I named "The Bungee Box' I would also thank hackerhost for the hosting. Nuff with the intro and let's get on with the good stuff.... ______________________________________________________________________ * Table of Content (Toc) * *Hiding Running Services from Portscanners Part I..........by phractal * *Toll Free Modem Numbers...................................by Pref1x * *Conversion box............................................by Captain B* *Toll Free Busy Lines......................................by Pref1x * *RCMAC.....................................................by ic0n * *Call Forwarding Phun......................................by ic0n * *______________________________________________________________________* _____________________________________________________ * Hiding Running Services from Portscanners Part I * * by phractal * *_____________________________________________________* /* parts of this article are theoretical and some is proven with code, feel free to get in touch to comment or point out flaws in my theories */ Hey there. Have you ever wished to run a certain daemon or backdoor but have it hidden from the eyes of network scannners. Suppose you want to run a private ssh server for only a select few, but they don't always have the same hostname, or perhaps a backdoor to a unix that you worked hard to get to. Well, I got to thinking of ways to have an actual service running and yet being undetectable to people snooping in on your network. Here's what I will discuss -'port tripwire' -how it works -porttrip.c -end notes ############# Port Tripwire: ############# Port tripwire is a name i came up with for opening up a low port in an attempt to catch a port scanner before he reaches any ports that you want to hide. If you or your borrowed remote host are running: Port State Service 23/tcp open telnet 53/udp open domain 80/tcp open http 3557/tcp open BACKDOOR You might want to hide this machine from scanning kiddies to hide anyone who might want to abuse your server if they want to get in via telnet, or maybe you don't want it known that you run a web server, and of course, that backdoor is supposed to be hidden from view of scanners as well. How can we prevent a scanner, of whom we will have no idea of his IP address, from finding these running services via scanning? Well, port scanners will generally scan ports in sequence or in rough sequence. They will or will usually access the low ports first, and then proceed to connect/request ACK replys of higher and higher ports. We can intervene on the scanning process if we stop the scanner midway. We can do that by looking for him where he'll come in, the low ports. We should choose a fairly obscure port to try and detect the scanner, because otherwise it could be a legitimate session, a normal user accessing a known service. For my little port tripwire program, I chose port 3, it is a low port, and almost no one runs it. If you wish to hide common services, you may wish to change that to port 7(echo), as that is obscure, but it is also listeded in nmap's services to scan for. The way that Port Tripwire works is, it opens up a socket and listens on that low port. If any connection is made to that port, the program identifies who that host is, and immediatly issues a command to firewall out any further attempted connections made by the scanner. It blocks him out, turns the computer silent on him. The following code proves this concept. It is however incomplete, not a full security program, and most likely has plenty of vulnerabilities itself. It is used just to demonstrate this concept. #include #include #include #include #include #include #define PORT 3 #define BACKLOG 1 //Port Tripwire BETA //made for BSD or any ipfw firewalled OS //by phractal int main() { //printf("PortScan Tripwire BETA by phractal \n"); int fd=socket(AF_INET,SOCK_STREAM,0); int fd2; struct sockaddr_in server; struct sockaddr_in client; int sin_size; server.sin_family = AF_INET; server.sin_port = htons(PORT); server.sin_addr.s_addr = INADDR_ANY; bzero(&(server.sin_zero),8); bind(fd,(struct sockaddr*)&server,sizeof(struct sockaddr)); listen(fd,BACKLOG); while(1){ sin_size=sizeof(struct sockaddr_in); if((fd2=accept(fd,(struct sockaddr *)&client,&sin_size))>-1) { //printf("connection from %s\n",inet_ntoa(client.sin_addr) ); //printf("DENY! \n"); char cmd[150]; char cmdpt1[] = "ipfw add 01234 deny tcp from "; char cmdpt2[] = " to any"; sprintf(cmd, "%s%s%s", &cmdpt1, inet_ntoa(client.sin_addr), &cmdpt2); printf("%s",cmd); system(cmd); } } close(fd2); return 0; } While this program is running, if i nmapped a server running it with a normal TCP connect() scan then I would see port 3 as the only running service. There are some problems with this program. Since it uses accept() to determine that a scan is in place, SYN scans will not be picked up, and if a scanner was lucky or smooth enough, maybe he might scan a certain block of ports that is outside the port that the tripwire program runs on. In Part 2, I will discuss more advanced port scan detection methods. I will focus on using promiscuous mode to sniff for SYN packets and will be using methods different from the tripwire approach. <--------------------------------------------------------------------> greetz go out to h/pers and coders better than me: stain, team phreak, awnex, dvdman, l33tsecurity, pare, bor, trunklord linear, bor, 9x, subz, hybrid, datawar, downt1me, notten, telec and people i forgot _______________________ *Toll Free Modem Numbers* *by Pref1x - 3/25/02 * *_______________________* * Summary This text file will provide a list of toll free numbers that will most likely connect to computers/modems. Some of these systems may even let you in login free. Keep in mind these numbers can be disconnected at anytime. % Numbers % 1-800-214-9617 1-800-221-5451 1-800-222-0555 1-800-223-1078 1-800-223-3141 1-800-223-5151 1-800-223-6932 1-800-223-7213 1-800-260-3122 1-800-282-2222 1-800-321-1570 1-800-323-2919 1-800-362-4504 1-800-362-4509 1-800-362-4510 1-800-362-4550 1-800-362-4584 1-800-367-0815 1-800-401-0075 1-800-424-6245 1-800-432-4838 1-800-439-5823 1-800-456-6245 1-800-465-7735 1-800-466-3256 1-800-539-6245 1-800-543-3279 1-800-552-2130 1-800-555-3425 1-800-555-9014 1-800-555-9905 1-800-555-9920 1-800-555-9955 1-800-555-9973 1-800-617-9056 1-800-624-5123 1-800-725-3512 1-800-726-4823 1-800-726-6714 1-800-737-6068 1-800-763-0222 1-800-789-4756 1-800-789-4792 1-800-800-4098 1-800-822-0458 1-800-822-2439 1-800-822-2478 1-800-822-3298 1-800-822-3479 1-800-822-6425 1-800-822-7540 1-800-822-8353 1-800-822-9619 1-800-822-9917 1-800-855-2882 1-800-909-1994 1-800-909-2111 1-800-909-2286 1-800-909-3269 1-800-909-4311 1-800-959-0013 1-800-959-0057 1-800-959-9822 1-877-222-1008 1-888-527-6134 1-888-888-0520 _____________________________ * Conversion box * * by Captain B * *_____________________________* Test sets (Lineman handsets) are obviously a useful phreak tool for beige boxing. But, unless you're willing to drop a couple hundred bucks to buy one at your local authorized Harris telecom products dealer, dumpster dive for one, or take the chance doing the ol' 5 finger discount with some Ma Bell truck, It's better to use a one-piece phone (Like the Apollo or Super-mini flip phones from Radio Hack, or the ConAir flip phone availible at K mart stores). Or, you could convert a phone that has a keypad in the handset to a psuedo test set for beige boxing purposes (As I'll be discussing here). Yes, you could also convert a phone without a keypad in the handset, but you'd better have a way of sending DTMF via acoustic coupling, such as with a tone dialer (If you can still find one at the local Radio Hack). Also, since most lineman handsets have features that are either on most phones, or not absolutely needed for the more exclusive features, It's just all the more reason to beige box with a regular phone. The driving principal behind making this is very similar to the one used for the Bungee box. Because, you'll be modifying a handset cord for this. The difference is that only 1 end of the handset cord will be modded. Here's what you'll need... *A handset cord *Modular crimp tool *Wire cutter (Unless the crimp tool has it built in) You'll also first want to check how many conductors there are inside your phone handset. If It's 2 conductors, It'll be simpler. If there's more than 2, it becomes necessary to isolate which 2 wires are used to power the handset. (Well, at least that's how it was with a 4 wire phone handset I was converting). To check the amount of conductors in the handset, remove the handset cord and look inside the hole where the handset plug from the cord goes in. Hopefully, It's 2 conductors. And yes, you could check the number of conductors in the handset cord instead, but since handset cords always seem to have 4 conductors when bought as new, that could mislead you. I'll go more into isolating the 2 wires involved for powering the handset on a 4 conductor handset cord in a minute. Let's get into making this. Take the handset cord, look first at the little wires in the plug to observe for the color scheme (Thus making note of correct polarity) then, cut off that handset cord plug as close as possible with where it connects to the cord. Carefully, strip off a bit of the insulation using the modular crimp tool's stripper. Take a 2 line (RJ14) modular line cord plug, and push the line cord plug over that end of the handset cord, facing the same way as the previous handset cord plug was. (In other words, if the little spring clip on the handset cord plug was facing down, crimp the line cord plug on facing the same way as that was). Then insert that end of the handset cord into the modular crimp tool properly, and squeeze the handles together firmly until it stops (which is quite fast). See the instuctions that came with the modualar crimp tool if you need more help. Now, if a 2 conductor handset was used, you can just plug it into any working modular jack, and it should work. But, if the handset has more than 2 conductors,connect up a n in-line coupler (Female-to-female RJ14 connector). Then, connect a modified 2-line (RJ14) line cord (with 4 alligator clips) on the other end of the in-line coupler. Try connecting the gator clips in different combinations of 2 at a time to the screws holding the red and green wires inside a modular jack or out at the TNI until you get a dial tone. Of course, you'll want to either remove the cover from the modular jack by unscrewing the center screw, or prying it off if it has no screw to access the 42A block with 4 screw terminals inside. Or, in the case of the TNI, open it on the Telco access side using a 3/8 hex bit on a 1/4 drive ratchet or spinner handle. (These can be found at Home Depot stores). In a TNI, the red and green wires run from the subsciber modules contained in the customer side to the screw termianls on the telco side. Use that for reference. (Disregard the other colored wires there). If you only have 1 line service, make sure you connect up to the 2 screw terminals that have phone service. Otherwise, there won't be a dial tone, of course. The conversion box makes for a handy placebo to a lineman's hand set, don't you think? As always, be careful and have phun. ********************************** * Toll Free Busy Lines by Pref1x * * 6/18/02 * ********************************** This is a list of toll free numbers that are ALWAYS busy. Why they're always busy is beyond me. They could be some kind of test number of some sort. There might also be a modem connected to the line with "Busy Mode" enabled, which will cause the line to be busy. Sysops often use the modem's "Busy Mode" feature to do maintenance on their system. Anyway, all I know is that the numbers below are busy 24 hours a day; 7 days a week. I find busy numbers useful to give out on applications and forms that ask for a home or work phone number. Another idea is if you have call forwarding, you can have your calls forwarded to these numbers if you don't want to be disturbed while scanning or something. Who knows, you may find many interesting uses for them. All the numbers below work as of the date above. 1-800-221-5807 1-800-223-3325 1-800-225-8456 1-800-284-3463 1-800-325-4081 1-800-327-6764 1-800-328-7777 1-800-332-0090 1-800-368-9414 1-800-378-5610 1-800-388-9912 1-800-421-3879 1-800-424-5664 1-800-431-3762 1-800-431-3764 1-800-432-4896 1-800-438-9999 1-800-453-9999 1-800-555-0057 1-800-555-9161 1-800-576-9999 1-800-617-9977 1-800-693-9999 1-800-726-0350 1-800-822-0154 1-800-822-9400 1-866-466-6245 1-888-252-9922 1-888-252-9928 1-888-252-9932 1-888-252-9934 1-888-252-9936 1-888-252-9938 1-888-252-9941 1-888-252-9942 1-888-252-9945 1-888-252-9949 1-888-253-8379 1-888-313-3716 _____________________ * RCMAC * * by ic0n * * ic0n@phreaker.net * *_____________________* What Does RCMAC stand for? Recent Change Memory Administrative Center Now your thinking Great! but what good can it do for me. This in my opinion is the most important service that the fone company has. With some social engineering you can add features like Three-way calling,Call waiting,Caller ID,and in some places voicemail. You also can set flags on people's line's so they won't be able to use there fone.Change line classes so you can make fone's payfones. Once you have got 1 RCMAC you can just social them into doing something in another npa or at lease getting the number in that npa. Here's a Example RCMAC: Hello RCMAC Cleveland how may I help you? you: Hi this is 'Name Here' here at Atlanta RCMAC and our computers are down are they up there? RCMAC: Yes they are running fine may I help you? you: Good Yes I need the San Diego RCMAC and the one we got is wrong can you give me the newest one? RCMAC:Sure the number is 619-XXX-XXXX you:Thank you It's pretty simple but now i've seen alot of RCMAC's ask for more info like...Employee Number,Name,Sometimes they ask for a mobile fone number for that given lineman (this is very rare tho). You can get this info from trashing. I guess you could even give them a payfone number to contact you....just an idea never tryed it before. Oh yeah i forgot you have to call the number a 'line number' Line Class Codes: ESF=speed calling CWT=Call Waiting CFB=Call Forwarding Busy CFV=Call Forwarding TWC=Three Way Calling TTC=Touch Tone Dialing UNA=No Long Distance PXX=Block All Long Distance services CHD=Centrex CPU=" " ACB=Auto Call Back FRE=Free Calling DTF=Payfone CFD=Coinless Charge a call Line Problems: NDT=No DialTone CC=Cant Call DTWD=DialTone While Dialing CH=Cant Hear CBH=Cant Be Heard Oh yeah if there not doing dialtone you should be good to go on the Adding the trouble ticket. just to let you know a dialtone in this case is just a test when you hear a click on your line late at night there checking for a dialtone. ____________________________________ * Call Forwarding Phun * * by ic0n * * ic0n@phreaker.net * *____________________________________* Everytime I'm at a place with fone on the counter like Pizza Hut,Blockbuster,ect,ect,ect. I think at all the funny things that are possible. Here's a little story...... I was at pizza hut waiting on my food when i noticed there was a ameritech office fone on the counter. I looked around making sure nobody was around. I quickly picked up the handset and dialed * (start) 72 witch is the star code for Call Forwarding. I had it forward to one of the people that make life suck. Heh. Alot of home's and smaller companys won't have this feature. Anyway's you can forward to anywhere in North America as far as i know it might even be World wide. A Few Idea's Forward Anywhere to a porn shop. Voicemail Box With a funny Greeting Forward Walmart to Kmart and Kmart to Walmart Sorry about this shitty file i'm kinda in a hurry to get the fuck out of here and go to yet another grad. party! until then peace out!