UNITED PHONE LOSERS E-ZINE
issue no. 26 - October 7, 2001
this issue edited by linear
Here ya go. I realize it took a long time to get this issue out (this long waiting period for issues has become convention, hasn't it?), but that's because we're trying to produce much higher-quality issues lately, and these things take time.
Speaking of much higher quality issues, there's a reason this issue has such a small amount of articles. All the articles that aren't in here have been placed into UPL026 Toneage. If you're familiar with Phrack, then you should be aware of Linenoise. Toneage is the UPL equivalent.
So be sure to read Toneage for more of the usual UPL crap, which can be found at <http://www.phonelosers.net/issues/toneage26.txt>. If all goes well, you'll be seeing Toneage more as a regular UPL supplement.
I'd also like to point out that in an article in UPL025 entitled "A Simple Way Around Content Filter," I pointed out that phonelosers.net was not yet blocked by WebSense. It is with greatest sympathies that I pass this startling news on to you: phonelosers.net is now blocked by WebSense.
So anyway, enjoy. Because dammit, it'll be another three years until UPL027 is released.
straight from the dark dungeons of the internet
Articles
Bonus Phresh Warez
Be Sure to Check Out http://www.phonelosers.net/issues/toneage26.txt For More Old-School UPL Leetness!
"Those who say they know it all ruin it for those who do"
[ disclaimer: unless you are a certified technician, any DATU you access is not your property and therefore is electronic trespassing into the insides of your local Central Office. Know what you're getting into. This information may or may not have been tested by someone certified to operate a DATU. This is merely information, nothing more.]
I. Intro, Switching Diagrams, DATU definition
II. Format of DATUs
III. Test Mode
IV. Admin Mode
V. Practical DATU uses
VI. Theoretical DATU uses
VII. Final Notes
VIII. Technical Acronyms
Well, a great many articles have been written recently regarding the Direct Access Test Unit (DATU). A DATU is a computer that you can connect to via the PSTN; all you need is the phone number. My local Central Office uses an AT&T 5ESS switch, so I know for a fact that those switches use DATUs. I am not sure about others, like DMS switches, but chances are, your local, residential Central Office has a DATU. DATUs use the ring and tip wires a lot to test lines; the ring and tip wires are often the red and green wires that go into your phone.
DATUs are tubular little wonders that allow the phone company and phreaks to perform tests on local loops. To test a line outside your Central Office's area, you need the DATU number for the Central Office that serves it.
I should mention that this article discusses but is not necessarily limited to testing POTS lines.
From the PSTN to your home:
[Diagram: PSTN --SS7-- Toll Switch (DMS 200, 250, 500) --- Local Switch / CO (5ESS, DMS 10, DMS 100). From the CO, lines run through boxes and split into residential loops, each a tip and ring pair ending at a home; one of them is marked "Your k-rad line".]
II. The Format of DATUs
The format of most DATUs is xxx-9935
It is up to you to find an exchange that works; it shouldn't be too hard since most non-toll COs only serve less than 15 or so exchanges. If you still can't find it, the DATU could be anyplace else, or you have a different switch, but for most 9935 is the suffix for the DATU. You can try wardialing for them. You will recognize a DATU by its weird prompt. It is a 440 Hz tone sounding like a low hum. The prompt is asking you to enter in the DATU password on your DTMF keypad. All passwords that I have found to work are 4 digits; the default is 1111. If it isn't the password, try pairs like 3535 or 9292; I have found some that work with pairs, as well as 4300. Then again, don't try and brute force the password, at least not from home. If the Telco notices a lot of failed DATU logins then they will contact you or they will change the password, causing a headache for all the linemen and phreaks who already know it. Use your head :)
The real hardcore hardware nerdy stuff of DATUs can be acquired by reading Phrack 52, and PPM issue 2 and 3.
Therefore I'm not going to heavily explain what all the functions do inside the DATU.
Also, for a quick reference, check Telec's article @ phonerangers.org
Once you have the DATU, and the 440Hz tone, you will have to dial the password using DTMF tones. There are two accounts/passwords THAT I KNOW OF for each DATU. There is the normal account which is a 4 digit password, and there is an ADMIN account, which is * followed by 7 digits.
III. Test Mode
Default passwords for the normal account are 1111 and 4300. Once inside the DATU using the normal account you will hear a second 440 Hz tone prompting you to enter in a seven digit phone number that is served by the switch the DATU is at. After that you should hear an OK to confirm, otherwise you did something wrong, or the line is busy. You can perform tests on the line by using the corresponding codes:
Code:  Test:                     Function:
1      ----                      Announces the menu over the phone
2      Audio Monitor             Hear SCRAMBLED traffic on the phone, can
                                 be used to test if there is activity on
                                 line or not.
33     Short to Ground           Shorts the ring, tip and ground wires of
                                 your line back at the CO(red and green
37     Ring Ground               Shorts ground and ring wires
38     Tip Ground                Shorts ground and tip wires
44     Ring/Tip High Tone        Bursts a high level tone onto the Tip
                                 and Ring Wires
47     Ring High Tone            Bursts a high level tone onto Ring wire,
48     Tip High Tone             Bursts a high level tone onto Tip wire,
5      Low level Tone            Bursts low level tone onto tip and ring
6      Open Line                 Cuts battery power to tip and ring, line
                                 has no electricity from CO, rendering it
7      Short Line                Electricity given to tip and ring from
9      Permanent Signal Release  Used on busy lines in older switches,
                                 refer to the DATU article by BlackAxe in
                                 Phone Punx Magazine Issue 2
*      Hold Function             Keeps current test on line active after
                                 you disconnect for a specified amount of
                                 time that you have to enter in, most of
                                 the time 10 minutes is the max, to
                                 prevent things like a line being open
                                 for a month.
#      New Test                  Disconnects you from current line, and
                                 prompts you to enter in a new number to
                                 test, like the Control-C of a DATU.
IV. ADMIN MODE:
Hi, I just want to make a point of saying that the following info is NOT confirmed, I am writing this from my experiences using admin mode. For example, I don't know if option 3 actually has the power to delete exchanges or not, I haven't tried it, and neither should you, really.
The Admin mode is entered by entering in a * followed by a seven digit password. I currently am unaware of any 'defaults' for this. The options in the admin account allow you to do things that pertain more to the Central Office and how it serves the public. You cannot test local loops with the ADMIN ACCOUNT. Once you get a valid password, you should NOT hear a second 440 Hz tone, you should just automatically hear an 'OK'. The following codes work for the ADMIN mode:
***PLEASE IF YOU HAVE ACCESS HERE, EXPLORE WITH CARE! YOU COULD SERIOUSLY CAUSE DAMAGE TO YOU AND YOUR LOCAL NEIGHBORS SERVED BY THE LOCAL CO. I WOULD SUGGEST YOU DO NOT EVEN ATTEMPT TO CHANGE OR ACCESS ANY OPTIONS OTHER THAN TO CLEAR YOUR TRACKS(covered later).
Code:  Option:                       Sub-Optionz:
1      Set password                  1. Set System Password
                                     2. Set User Password
2      Select Busy Test              1. Select Busy Test
                                        4. Standard Busy Test
                                        5. 5ESS Busy Test
                                     2. Select Dialing Message
                                        1. MF Dialing Message (??)
                                        2. MF Dialing Message
                                        3. Pulse Dialing Message (??)
                                        4. Pulse Dialing Message
                                        5. MF with Reversal Sensing
                                        6. Pulse with Reversal Sensing
                                        1. Trunk Share
                                        2. No Trunk Share
3      Read/Change Prefixes          3. Add Prefix
                                     4. Clear all prefixes
                                     6. Read all prefixes
4      Read/Clear Timers             1. Read Timers
                                        1. Usage Timers
                                        2. Function Timers
                                     2. Clear Timers
                                        1. Clear Usage Timers
                                        2. Clear Function Timers
                                        3. Clear all Timers
5      Select # of digits            Dial 4, 5, or 7
6      Set AccessTimeout Parameters  Dial Three Digits
7      Read/Clear Counters           1. Read Counters
                                        1. Read Usage Counters
                                        2. Read Function Counters
                                     2. Clear Counters
                                        1. Clear Usage Counters
                                        2. Clear Function Counters
                                        3. Clear all Counters
8      Enable/Disable Test 9         Toggle whether Permanent Signal
                                     Release is allowed or not to be
0      Clear Alarm                   ??
There are other kinds of lines and functions that you can do with the DATU computer, but I suggest you look them up in Phrack or PPM, or maybe I'll write a part 2 sometime later :)
BTW, the only tests that work on a busy line are: Audio Monitor, Low Level Tone, and Permanent Signal Release.
To cover your tracks, clear the onboard logs, aka Timers, via Option 7.
V. Practical Uses for DATUs:
Let's say you call a number, be it a friend or while wardialing, and it's busy. You can use the audio monitor to test if there is actual traffic on the line; if not, then maybe the line is some sort of test line or someone left a phone off the hook. I have found audio monitor useful when trying to hack weird modern COCOTs. Let's say you know a BBS or some carrier that you want to connect to, but it's busy, like a COCOT's computer modem, you can blast a Low Level Tone to throw off the modem and have it get disconnected, you can also remotely disconnect any modem from a connection if you know the number of the line. (You can only do this if the line has a ground going into the house, or building and not just at the CO) If there is a number you have found that is ALWAYS busy, I mean ALWAYS, try opening the line and dialing it right after the line is shorted back. I find that COCOTS almost always have grounds in them.
*Most residential lines will not hear Low Level Tone, because they have no ground going into the phone.
Beige Boxing in Large Telco Boxes:
When beiging in a large telco box, depending on where you are, it can be a puzzle to find the right pair to connect to the line you want to, if it is a specific line that you are looking for. You can use High Level Tone Tests to look for the pair; when you reach a pair that has a beeping you can bet it's the same line you inputted into the DATU. If the line is busy, or you want to be more stealthy, you can use the low level tone, which is less likely for someone to hear unless they have a ground going into their phone, most don't nowadays.
Remote Busy Box:
Remember the Busy Box? You crossed the green and red wires to busy out any line. The green and red wires are tip and ring, so test code 33 can remotely turn any local line into a busy box since the tip and ring wires are shorted out at the CO. Bear in mind that most likely you can only keep a line shorted for 10 minutes after you hang up; if you want longer, just keep dialing in every 10 minutes. The same goes for opening a line (shutting it off) or any tone tests.
(Hint about time limits, study ADMIN functions)
Some notes about Audio Monitor:
The Audio Monitor feature is not a tap or eavesdropping feature; you cannot understand any speech or capture any DTMF tones traveling along the line through the DATU. It is merely used to verify that there is indeed activity on a line. If the line is busy and there is no activity, then there could be a problem.
VI. Theoretical Uses for DATUs:
Creating Phone Numbers:
Have you ever dreamed of creating a phone number out of thin air, with no billable address like the Legion of Doom did back in the day? Well, the first step could be creating a new exchange to use your numbers on. Once the exchange is created, I can't really tell you where to go from there. If you find other ways of entering the switch, like thru a dialup or over some Packet Switched Network, then go for it, but be careful, respect the telco's turf, and DON'T MODIFY OTHER PEOPLE'S STUFF!
Mapping Switch Hardware:
I have heard some DATUs announce the switch they are attached to. This can be useful to find out info on how to remotely explore the switch. Also, if Permanent Signal Release is enabled, then you could find a stroke of unbelievable good luck, Step by Step switching, which in theory of course, all kinds of things would work, like blueboxing (inband signalling), black boxes, etc...
VII. Final Notes:
DATUs are for testing lines only, they apply certain tones and can short lines, but they are not used to add features or anything to a line. You cannot add three way calling to your line through a DATU. You cannot add Call Forwarding to your line, you cannot get ISDN or ADSL. And please test responsibly. If you keep opening a line to annoy someone then the password will most likely get changed.
As far as I know, if you have the dialup and password, you can access the DATU from any place on the PSTN, there is no confirmation that you are calling from a local number or anything, so if you are in NY, you can test lines in California providing you have the DATU k0d3z.
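The weaknesses this article describes (4-digit user passwords left at 1111 or 4300 or set to a repeated pair, repeated failed logins, and no check that the caller is local) are all things a telco can audit and monitor for. The Python below is an added example, not part of the original article: it assumes a hypothetical export of calls to the DATU dial-in line as (timestamp, ANI, password accepted) records, and the sample records, local prefix and thresholds are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# User passwords the article names as defaults.
PUBLISHED_DEFAULTS = {"1111", "4300"}


def pin_weakness(pin):
    """Return the reasons a DATU user password is guessable (empty list = none found)."""
    if len(pin) != 4 or not pin.isdigit():
        return ["not a 4-digit numeric password"]
    reasons = []
    if pin in PUBLISHED_DEFAULTS:
        reasons.append("published default")
    if pin[:2] == pin[2:]:
        # The "pairs" pattern from the article (3535, 9292); also covers 0000..9999.
        reasons.append("repeated pair")
    return reasons


def flag_callers(records, local_prefixes, max_failures=3,
                 window=timedelta(minutes=10)):
    """Flag callers of the DATU line that deserve a second look.

    records: iterable of (iso_timestamp, ani, accepted) tuples. This format is
    hypothetical; adapt it to whatever call records are actually available.
    local_prefixes: set of 6-digit NPA-NXX strings served by this office.
    Returns {caller: set_of_flags}.
    """
    failures = defaultdict(list)
    flags = defaultdict(set)
    for stamp, ani, accepted in records:
        caller = ani or "unknown"
        if not ani:
            flags[caller].add("missing-ani")
        elif ani[:6] not in local_prefixes:
            # The article notes the unit itself does not check caller locality.
            flags[caller].add("non-local")
        if not accepted:
            failures[caller].append(datetime.fromisoformat(stamp))
    # Sliding window over each caller's failed attempts.
    for caller, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= max_failures:
                flags[caller].add("failed-burst")
                break
    return dict(flags)


# Constructed sample data (555 numbers, not real call records).
LOCAL_PREFIXES = {"212555"}
SAMPLE_RECORDS = [
    ("2001-10-07T02:00:00", "2125550101", True),   # local tech, accepted
    ("2001-10-07T02:05:00", "2125550101", False),  # one mistyped password
    ("2001-10-07T03:00:00", "4155550199", False),  # out-of-area guessing
    ("2001-10-07T03:01:30", "4155550199", False),
    ("2001-10-07T03:02:10", "4155550199", False),
    ("2001-10-07T03:03:00", "4155550199", True),
    ("2001-10-07T04:00:00", "2125550142", False),  # slow, spread-out failures
    ("2001-10-07T04:20:00", "2125550142", False),
    ("2001-10-07T04:40:00", "2125550142", False),
    ("2001-10-07T05:00:00", "", False),            # no ANI delivered
]

if __name__ == "__main__":
    for pin in ("1111", "3535", "4300", "8264"):
        print(pin, pin_weakness(pin) or "no known weakness")
    for caller, why in sorted(flag_callers(SAMPLE_RECORDS, LOCAL_PREFIXES).items()):
        print(caller, sorted(why))
```

The slow caller at 2125550142 stays under the 10-minute window, which is why a per-day failure count is worth keeping alongside the burst rule.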
VIII. Technical Acronyms:
9x, Substance, Hybrid, D4RKCYDE, Downtime, Phonerangers, Telec, Mastermind, Black Axe, Janus, linear, terror eyz, dijit, nawleed, vixen, Zylone, Pinguino, The Clone, logicbox, velocity, Venadium, Brisk, Bor, Xade :), notten, barby, bikr, tomgavin, leprekaun, dinkee, purp, vap0r, Tubular Phreak, 3rd worm, diozepart, Team Phreak, and all my other old skool conf buddiez, you know who you are ;)
I also owe a lot to Telec and MMX for my current understanding of the DATU.
I know that these days it's almost pointless to lust after free calls, what with all these amazing deals like 10-10-321 and 1-800-COLLECT (what, you don't believe what Mr. T says??) but here I am writing yet another senseless article on how to get free calls. I bet years and years from now long distance will end up being free for everyone and I'll still be writing articles on how to get free calls. This idea is a little different because you're actually scamming the phone company for the call but nobody else gets charged in the process. Just the phone company.
Years ago in my reckless youth I read a text file that explained how to trick Sears into transferring you to outside lines. I thought it was a great idea so I started trying it but it never worked very good. Then I started doing similar things to Target, Wal-Mart and other big stores and while it still works most of the time, it's still kind of a pain because your average minimum wage Target slave doesn't know how to work their phone system very well.
So where else to turn but to the phone company. ANY phone company, in fact, can transfer you to an outside line and they actually know how to do it. And not only can you use these outside lines to make free, untraceable calls, but you can call anywhere in the world using this method. You can even emergency interrupt busy phone lines and it all gets billed to Ma Bell.
Emergency interrupting a line is how I discovered how easy this all is. It was an ordinary Monday morning and I was harassing the people on a local morning DJ show. They had this Hollywood guy call in and do the Hollywood Report from his home so I figured out Mr. Hollywood's home phone number and started calling him nonstop during his segment. The call waiting caused his voice to constantly cut out while he tried to deliver his paparazzi news, making it nearly impossible to understand him. But the next day he got smart and dialed *70 to keep me from getting through. So I started calling his cell phone to hear it ring in the background. The next day he turned off his cell ringer and once again there was nothing I could do to disrupt the show.
So I got the bright idea of emergency interrupting his phone line nonstop during his segment. Of course I couldn't do it from home because it would get a little pricey. So I dug through my things and found my old red box, blew a thick layer of dust from it and went out to a pay phone. But I quickly found out that things had changed since I last tried this - the cost would be around $20.00 to interrupt his line and they would only take my credit card or calling card for billing.
In MY DAY, operators would take red box tones for emergency interrupts. And they only charged $5.00 for it. And they would even interrupt BBS lines to knock people offline which would piss off the sysop. And we played Pac-Man and cans of Pepsi were only 35 cents. And that's the way it was and we LIKED it. So I rubbed my bald spot and hobbled back to my car with my cane as I tried to think of a different way to get through.
That night I had a dream, a vision - Oh fuck it, I'm going to quit trying to be dramatic and just tell you how to do it. You pick a phone company, any phone company. Personally I try to stay away from my local phone company since they have my info. You can get the customer service numbers for any phone company by going to their web site but I'll list a few on the end of this article anyway.
You call their customer service and start pounding on the zero button until you get connected to a live person. You can call either the residential or the business departments but it's best to call business because they almost always answer quicker than residential. Once you get connected to a live person you should have a conversation something like this:
REP: Verizon business office, can I help you?
YOU: This is John, I'm an outside Verizon technician here in Boston.
REP: Hey there John, what can I do for you?
YOU: Well I'm trying to get an operator on this auxiliary line but for some
reason I can't get that to work here. Would you mind just transferring
me to the local operator?
REP: You mean the "0" operator?
REP: Sure, I can do that, John.
There you go, free call. A second later you'll hear a Verizon operator ask how she can help you. If you want to make a call from within the state you're calling from just tell her you want to place a call and give her the number. Tell her that you keep getting an error message when you dial it and ask if she can try it. If the number ends up being outside of her calling area she'll tell you that she needs to transfer you to a long distance operator. Some of them will ask which you prefer and some will just send you straight to AT&T. Then once you get the AT&T (or whichever LD carrier you choose) operator, you just tell them the same thing and ask them to put your call through. And the call is billed to the line that they think you're calling from which is the phone company's number.
This will work for a call to just about anywhere in the world. They can call overseas and they'll just bill it to the local phone company that transferred you to an outside line. And I assume that means it will never even be noticed since the phone company probably doesn't bill themselves for phone calls.
And of course, you can ask the AT&T operator to emergency break into phone lines that are busy. Like if you're trying to get ahold of a friend but their line is busy because they're too stupid to get call waiting, the operator will interrupt your friend's conversation with a long beep and then she'll say, "I have an emergency phone call from Roy Gerbil. Will you release the line?" This works great for spooking people. Especially when you do it nonstop for weeks at a time. Not that I'd know anything about that sort of thing.
Is this a risky way to make free phone calls? That I can't say for sure. I'm guessing that your weakest link might be the phone company you're using would notice that you're spending 8 hours a day on their customer service line. I suppose that could look a little fishy to them. So like I said before, a good idea would be NOT to use your local phone company to do this.
Another security risk might be if the rep. you spoke with about transferring you to an outside line suspected you of lying. They might try to spook you by reading off your number or something. But if it's with another phone company and they figure out that you're full of shit, I doubt you'd have much to worry about. This has never happened to me though. But that's because I'm an elite phr33ker and no Bell employee would dare question my authority because they know the consequences.
Customer Service Numbers:
Below are a few customer service lines from various phone companies. There are plenty more to choose from if you search the web a little. If you're only concerned with making an anonymous, untraceable call and don't care about the charges, there are plenty of telcos that have non-toll-free lines so your ANI isn't picked up at all.
Evening & Night Time Calling:
What about when you want to make a call during the evenings when the phone company is closed? Well that's easy, you just call repair! All of the major telcos have a repair number that's answered 24 hours a day. You might have to sit on hold for a few minutes, but if you experiment with different phone companies you'll find the one that has the least amount of hold time. You'd say more or less the same thing to repair, just that you're out on a job and you're having troubles reaching the local operator.
As I mentioned, this method of free calling makes a kick ass diverter since whoever you call won't get your number on their caller ID. But what about the phone company having your number in their logs for hours at a time? Well you can always divert your phone call that you make to the phone company. It's an extra step and takes an extra minute
Diverting is easy, you just call up your local operator and tell her you're trying to call a toll-free number but you can't seem to get through to it. She'll ask what number you want and hopefully she'll dial it for you. I've heard in some areas operators won't do this for you. So if that happens break down in tears and tell the operator you're blind and in a wheel chair so that she feels sorry for you and does it anyway.
Phone Company Alternatives:
If you'd rather not cheat the phone company, there's always the other large companies out there. Like I said, I used to do this with Target and Wal-Mart but I had to deal with idiot employees who didn't know how to work a phone properly. Get out your yellow pages and search out other potential companies to do this to.
Once you figure out which company you're going to use, you call that place (K-Mart for example) and tell them you want to be connected to the K-Mart in Yahoo, OK (for example). The K-Mart lady will say they don't have a K-Mart in Yahoo, Oklahoma and you say, "Oh yes you do, bitch. I used to work there and I know the number! It's 405-482......" and hopefully she'll connect you to whatever number you're trying to call. There's plenty of other lines you could use on these companies, just use your imagination.
Who Do I Call?
So now that you know how to do all this I suppose you need a good number to call since you probably don't have any friends and you spend each evening locked in your bedroom, reading UPL issues and thinking that they're actually cool. Well do I have the number for you! Call the PLA/UPL Voice Bridge line at 305-503-6666 ext. 752. You can sit on a chatline with people you don't know and talk about what a cool article this is and how you're going to use this technique every night so that you can sit on a party line and talk to people you don't know.
For more information on our voice bridge and to make sure you have the current number, visit http://www.phonelosers.org/bridge.html For more information on the author of this article visit RBCP's homepage at http://www.phonelosers.org/rbcp/
Well, it turns out that I've kept this shit job at k-mart for longer than I would have liked. However, in that time, I've had to use the phone at the hell hole more than a few times. If you are planning on picking a target for any mischief, or any other type of ill-advised conduct, I strongly suggest that you pick a k-mart... after all, they do suck... now on to the other stuff.
Like the title would have you believe, the telephone system at k-mart is a primitive one. How primitive you ask? Well, it is so primitive that you cannot even transfer a call from an outside line, to a different inside line, something which would seem like nothing on a phone system that is even close to new. It's my belief that this system is about 25 years old, the same age as the store....or so.
No matter what they tell you when you call up, you can get a call over the intercom. All they have to do is press "page" while they are on the phone with you. I guess I can provide a script below of what to tell the losers at the service desk.
There isn't even anything such as voice mail on the system. They don't even have caller ID, or anything remotely close to it, so don't plan on having them trace your call, it isn't possible to dial *69 from the service desk phone, which is the only one in use if you call at night. So remember, it will be a minimum of 3 calls before they trace you, which they probably won't even attempt.
Here are a few extensions for you to remember:
If you would like to screw with a manager, then just remember that a 400 is the store manager, a 402 is the hardlines manager, and 1000 is the cash room manager. I believe that 800 is the security d00d.
Well, that's really all I have to say about the k-mart phone system. There really isn't a whole lot more to say except that if you are going to try to get on to the intercom system of any store, pick k-mart. The people at the store are not highly trained, don't give a shit, and won't get in trouble if you do get on to the intercom. Not to mention that it is so very easy to get on.
One more side note, they will seriously hate you if you ask them to print out a ticket from ticketmaster... K-mart doesn't get shit for the tickets that they actually sell, and it takes about an hour to refund ONE ticket that someone doesn't actually want...I know that I hate when people do it.
So, until next time...I'm out.
When you start up the target computer, do you see the security program's icon as one of the extensions or control panels that load? If you do, shut off the computer and start up again. Hold down the shift key immediately until you see the 'Welcome to MacOS' screen. It should now say 'Welcome to MacOS, extensions disabled'. The extensions should load with X's over them. Now, if the computer starts up security free, you've bypassed it the easiest way possible. Let's say, for a number of reasons, the shift key didn't work. Don't sweat it. Let the computer start up as normal. When the password prompt dialogue box opens up, or when you first see the security program load (because it may be a screen saver or just disable some functions) try hitting cmd+opt+esc. For you losers out there, that's the apple key, then (while still holding it down) the option (alt) key, then the escape key. It will ask you if you're sure that you want to force quit the program. Say 'fuck yeah' then click the force quit button.
If that didn't work, you aren't fucked yet. If the security gives you some privileges, basically use of programs, try clicking everything you can see and launching these programs. Once you have as many programs open as you see on the computer's hard drive, an alert should come up saying there is not enough memory left. It will give you the option of quitting a program. It goes in the order of how they were loaded, so quit the security program. The security was most likely the first one to load, but it may have loaded without appearing in the task menu. It skips the Finder usually, because the Finder is vital for most people using their mac.
Next is an even more sophisticated bypass. When the security program loads, push cmd + power. Once again, folks, that's apple button then the one on the keyboard that makes the pretty lights turn on. Now, type in "G FINDER" then hit return. This basically stops all system feed to the computer, and lets you give commands to the system. It's called a programmer's interrupt. If the interrupt works, the program will "unexpectedly quit" and the finder will be open and waiting for you to love it.
Alright, now for the final step, which typically works. It requires a bit of work, but it's well worth it. You'll basically be giving the computer a new system drive, which makes the secure drive into the slave. You need a CD burner, or you need to use someone's. What you're going to do is take your system folder and drag it into toast (or another burning program). Also put on whatever programs you plan on installing on the target machine (keystroke loggers are fun because you can install them and use the method again to find the password). Burn the CD, and test it on your computer first. Put in the CD, open up the control panels and select it as the startup disc. Reboot. If your CD is now running the computer, you're in business. Switch the control panels back and put your precious moch-hd into your pocket. Go to the host computer and pop in the CD. If they have it so you can't open the CD drive, a paper clip will manually override it when stuck in the little hole on the front of the tray. Pop in your CD and reboot. Now, I know you're thinking "how come I don't have to go into the control panels?" Well, basically, a program that won't give you enough privileges in order to hack it the previous ways I named surely won't let you tinker with the control panels. Start up the computer and hold down C until it begins to boot up from the disc. It hasn't been given the word to secure itself, so it's open to suggestion right now. It will start up, and since it was your system folder it tried to use, it will look just like your computer, and will be loading all your extensions. Now unload the keystroke logger to get the admin password at a later date. Or if you plan to merely get something and leave, delete the entire security program.
Well, if none of this worked, you're basically out of luck. I guess the security programmers are smarter than us, eh? I haven't tested these methods on OSX yet, but I'm sure many work.
This text is intended for those of you who have Win NT at school, like I did. There's lots of ways to fuck up your school's system, and I'm gonna tell you a few ways to do it. As long as you don't do anything illegal with the info provided here, it's ok to blame me! And remember, when I said I really did the stuff in this text, I really didn't, I made it up....
First a warning to those of you who are too stupid to know better. Don't do this shit while you're logged on with your own account, unless you WANT to be caught. Do stuff like this when you find a computer that is already logged on by some retard that thinks it's safe just to walk away from it without logging out.
Now on to the good stuff
The sysadmins at my school hadn't set a BIOS password. This is bad cause some asshole like me could come fuck it up, and the computer won't function properly. But when I found this out I was nice enough to set a password... on ALL the computers. I also, by mistake, made the BIOS prompt for this password on boot. The sysadmins didn't like this that much cause they had to spend the next week resetting the BIOS on every (almost every) computer at school. I felt so bad for them.
I found this really neat command you could do in DOS. It's called net send and it allows you to send cute little messages to all your friends. It can also be used to cheat on tests. But since cheating is bad, and we are nice guys, we're not going to do that.
The syntax is
"net send <the_recipient_computers_name> <message>"
What you can do instead, when you want to send a message to ALL of your friends, and don't want to type it a hundred times, you simply write "net send * the sysadmins are lame". This message of course was sent to the sysadmins at my school as well, and they came running like they had chilis up their asses to find out who it was, since the name of the sending computer showed up along with the message. "uhhmm... net send...message.. what the fuck are you talking about.... I just sat down at this computer".
But of course, it's no fun when just one message appears so what you want to do is make a .bat file like this:
----- Start monkeypoo.bat -----
net send * the sysadmins had monkeypoo for brekfast!
----- End monkeypoo.bat -----
Of course you could just start this file and run like hell, but what I found more amusing was to send this file to someone else (all school was always on IRC). "Hey man, check out this pr0n man. This is some really sick shit!!!", and DCC them your file. Then they open it expecting to find their mom eating some fat chicks shit, it starts sending messages and most retarded fucks don't know how to stop it. Then the sysadmin comes and starts beating them up, it's fucking hilarious.
What owns most is having the admin password. This might not be that easy. I'll explain how I did it. First of all, this will only work if the school network is hubbed, not switched. If your computer allows you raw IP access to the net then great. My school didn't so I had to bring my laptop. What you need to do is plug it in somewhere, and set up L0pht Crack to sniff for passwords. Then you fuck up some computer (preferably connected to the same hub as your computer cause they may switch between the hubs). I don't care how you fuck it up as long as the sysadmin will have to come and log on to that computer in order to fix it. L0pht Crack will pick up the password, let it run overnight (might need longer time if you got a slow computer), and the next day, you got admin access.
There are tons of things you can do once you get that password, first thing you should do is create another account with admin access. They most likely change the password on a regular basis (once a week at my school), and you don't want to go through all the trouble again. I didn't fuck up anything while I was admin. Why? Because I'm a nice guy. The only thing I did was setting the default page for internet explorer to be "my special banner ad page" (don't flame me cuz i made a little money). The page was pretty basic:
----- Start bannerpage.html -----
----- End bannerpage.html -----
Adding that <meta> tag saves your users the effort of clicking the banner. It will be clicked automatically when the banner itself is done loading. If you're going to try the same thing, remember to open an account under a false name and address, unless of course you want to get caught for fraud...
That's that.. Now go fuck up your school's computers!!
What equipment was used:
1. (Not sure if this is the exact model) Wall Switch Reader - 4" read range - Black or Beige or White. (221-505)
About 5"x5"x3". Black square mounted on wall.
2. Amtel Standard proximity tags for keyrings. (223) http://www.amtel-security.com/products/accesscontroldevices/proximitytechnologymotorola.htm
' o ' About 1/8" thick. Grey with hole for keyring.
\ / Had a 6 digit number printed in pink on back.
3. Amtel TeleEntry 2000 http://www.amtel-security.com/products/telephoneentrysys/a9-1products.htm
PDF File With More In-depth Info http://www.amtel-security.com/cutsheetsnap/products/telephoneentry/te2000.htm
Keypad and headset looked like payphone keypad and headset. Had a black on green backlit LCD display. Forget what it displayed before anyone picked up the phone but would print numbers dialed as dialed. Had visor over display to reduce glare and prying eyes, I suppose. If I remember correctly, instructions were printed on the actual unit.
4. Closed circuit television surveillance which worked only with cable (Americast http://www.ameritech.com/content/0,3086,6,00.html) (Unknown type model)
Camera pointed at TeleEntry 2000. If I remember correctly it used channel 3.
200 Arlington Place Apartments, Arlington Heights, Illinois
Basic Description Of Use:
When a visitor would 'call' from the front door using the TeleEntry 2000, (847) 506-1230 (This is from memory from 3 years ago so don't quote me) would appear on the caller ID. At the other end of this number was a modem. When someone was connected to that number, when visitors picked up the handset of the TeleEntry 2000 downstairs they could hear the modem and were unable to use the TeleEntry 2000. When dialed into the modem (at 7-e-1 I believe, but again.. memory.. 3 years ago), the output would look similar to the following (memory.. 3 years ago.)
102398 11:51:23 123456 3
The first number was the date. Any single digits were preceded with a zero (IOW, March is month 3 and would be seen as 03).
The second number was the time in hh:mm:ss format.
The third number was the six digit number printed on the back of the resident's proximity tag.
The fourth number was the door number. For this building (may be different with others)
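The record layout described above can be checked mechanically when reviewing this kind of audit log. The parser below is an added example, not part of the original article: it assumes the four-field layout exactly as recalled above and a 7-E-1 line (each captured byte carries an even-parity bit), and the sample capture and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Layout as recalled in the article: MMDDYY hh:mm:ss TAG(6 digits) DOOR
RECORD_RE = re.compile(r"^(\d{6}) (\d{2}:\d{2}:\d{2}) (\d{6}) (\d+)$")


@dataclass(frozen=True)
class AccessRecord:
    when: datetime
    tag: str   # six-digit number printed on the proximity tag
    door: int


def add_even_parity(text: bytes) -> bytes:
    """Build 7-E-1 bytes from ASCII (used only to construct the sample)."""
    return bytes(b | 0x80 if bin(b).count("1") % 2 else b for b in text)


def decode_7e1(raw: bytes) -> str:
    """Verify even parity on every byte, then strip the parity bit."""
    out = []
    for offset, byte in enumerate(raw):
        if bin(byte).count("1") % 2:
            raise ValueError(f"parity error at byte {offset}")
        out.append(chr(byte & 0x7F))
    return "".join(out)


def parse_record(line: str) -> AccessRecord:
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed record: {line!r}")
    date_s, time_s, tag, door = m.groups()
    # strptime rejects impossible values (month 13, 25:00:00); %y maps
    # 69-99 to 19xx and 00-68 to 20xx, so "98" becomes 1998.
    when = datetime.strptime(f"{date_s} {time_s}", "%m%d%y %H:%M:%S")
    return AccessRecord(when, tag, int(door))


def parse_capture(raw: bytes):
    """Return (records, rejected_lines) for a raw 7-E-1 capture."""
    records, rejected = [], []
    for line in decode_7e1(raw).splitlines():
        if not line.strip():
            continue
        try:
            records.append(parse_record(line))
        except ValueError:
            rejected.append(line)
    return records, rejected


# Constructed sample: the article's example line, a line with an
# impossible date, and a truncated line.
SAMPLE = add_even_parity(
    b"102398 11:51:23 123456 3\r\n"
    b"133298 11:51:23 123456 3\r\n"
    b"102398 11:52\r\n"
)

if __name__ == "__main__":
    good, bad = parse_capture(SAMPLE)
    for rec in good:
        print(rec.when.isoformat(), "tag", rec.tag, "door", rec.door)
    print("rejected:", bad)
```

Rejected lines are kept rather than dropped so that line noise or a layout that differs from the recalled one shows up during review.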
If a visitor 'called' a resident with the TeleEntry 2000 whose phone line was busy, they would hear the busy signal as well as the name and number delivery ad for Ameritech one would hear as they made a regular phone call with a regular phone (http://twpyhr.multiservers.com/nandn1.wav)
If I remember correctly, when you picked up the handset on the TeleEntry 2000, you would hear a normal dialtone and not a pbx 'dial tone.'
There was a code the mailman used to dial into the TeleEntry 2000 to open the door without being 'buzzed in' by a resident. Never got around to shoulder surfing it.
Sometimes when you dialed the number that showed up on the caller ID for calls from the TeleEntry 2000, instead of hearing the modem, you could eavesdrop :)
I still have a proximity tag somewhere... If I find it, I'll dissect it and take pictures.
[note from linear: this article is now grossly outdated, as I believe Rubicon was sometime in April or something. Probably even earlier. Anyway, That's how UPL works.]
I attended my first Rubicon in Detroit, Michigan this year and it was a very entertaining event. I managed to drag along St. Louis 2600 attendee Wraith with me. From St. Louis it was a 9 hour drive to Detroit so we woke up around 4am so we could get there around the beginning of the con. The drive was more or less uneventful. We listened to lots of CDs and our average speed was 80MPH. With the time zone change (losing an hour) we ended up arriving at the con around 2:30pm. We only took one wrong turn once we got into Detroit, quickly recovered and found the Ramada Inn easily.
Everyone seems to have this horrible picture of Detroit in their minds, like it's the most dangerous city on the face of the earth, you'll be dodging gunfire immediately as you enter the city, you'll get your ass beat if you get out of your car, etc. This, of course, isn't true and Detroit isn't much different than any other city in the States.
Rubicon's Ramada Inn, however, wasn't located in the nicest part of town you could hope for. And I can't say it's the nicest hotel I've ever seen. It looks like it was last decorated in the late 1970's. Only 2 of the six elevators worked so we ended up taking the stairs a lot. The stairwells smelled like piss, the lower floors smelled musty like basements. This hotel was huge, it was just a little ghetto looking. But this was okay since con attendees spent a lot of time tagging the walls and causing minor destruction. The hotel staff probably didn't even notice much out of the ordinary.
We didn't do a whole lot on Friday, just kind of walked around meeting people, listened in on a few of the talks (well, Wraith listened, I mostly played MahJongg on my Palm) and hung around in the network room hooking up my laptop and playing around on the net. I felt kind of retarded for driving 9 1/2 hours to sit around and surf the net. Wraith broke open our room's phone jack and there were an extra unused 10 or so wires inside the box. We hoped that at least one pair would give us the dial tone for another room but had no luck finding anything.
I got to meet RijilV, Jim and a few of the other con organizers and they were nice enough to pimp my lame PLA tshirts all weekend for me. Then later when we saw people walking around wearing the PLA tshirts we would laugh at them, point and throw things at them calling them stupid PLA lamers. We made 2 people cry and we got beat up once.
We had a lot of fun doing immature, juvenile things like bouncing super balls out of our 11th story window to see how far they'd bounce. After using them all up we ran across the street and retrieved most of them from the grass in front of the AT&T building. Then we duct-taped some fishing line around one and started bouncing the ball continuously off of all the other windows around us. But nobody ever stuck their head out to yell at us so that got boring. Eventually we started lowering the ball to the ground level trying to whack random people in the head but Wraith got the fishing line wrapped around some high voltage wires. We pulled as hard as we could but it was stuck for good. Wraith let the string go and the ball is probably still hanging from some lightpost wires today.
On Saturday night my room got rooted. Me and Wraith were hanging out in the room and causing the usual problems for people down on the sidewalk. We decided to go downstairs for awhile so we left our room and headed towards the elevators. As we rounded the corner about 7 people passed us heading the other direction. We hear one of them say, "Hey, was that Redboxchilipepper??" I reply quickly, "No, there's no RBCP at this con!" and quickly press the elevator buttons to go downstairs.
One of them comes back around the corner and says, "Wait a second come with us! We have something to show you.." So me and Wraith obeyed them and followed them down the hall. They led us straight to our room and let themselves inside with a key. I was suddenly glad that I came with them. I never did really catch any of their names, but they hung out in the room for awhile and then we all left. It turns out that one of them must have gone to the front desk and said something along the lines of, "Hi I'm Brad Carter. I lost my key and I don't remember what room I'm in." The front desk people apparently weren't the brightest people on Earth and happily furnished them with a spare key and my room number.
Several hours later I found out that my Yahoo email had also been compromised. Someone wrote my username and password on a wall near the network room. Throughout the weekend I'd been hooking my Windows 98 laptop to the network and checking my Yahoo mail. I realized at the time that this was a bad idea, being that I was on a network full of hackers and I was running '98. But I did it anyway and changed my password each night. My current password was written on the wall though and I broke down in tears as I read it crying "WHY?! WHY!?!" Then I immediately called home and said, "Er, um, Colleen could you log into my Yahoo account and change my password for me?" The hackers were at least nice enough not to change my password and lock me out of the account. That would have been a pain in the ass. So anyway, I think that I hold at least one record at Rubicon - Person Most R00ted In One Weekend!
The few talks that I actually wanted to attend I didn't get to because the schedules seemed to be all messed up or running behind or something. Hopefully I'll get to listen to them on mp3 when rubi-con.org gets them up there. We decided to leave rather early on Sunday since we both had jobs to be at on Monday morning. Overall I had a great time and met a lot of interesting people over the weekend and I definitely plan to attend next year. I took a lot of pictures and I should have them up at http://www.phonelosers.org/rcbp/rubicon.html by the time anyone reads this.
Def Con 9 was full of pranks, entertainment, and police sirens this year. My last Def Con was 5, so the number of people attending this year overwhelmed me.
We drove from Illinois this year. It took 3 days until we arrived at the Alexis Park. The lobby was very clean and spacious, the decorations were very tasteful. The desk attendant warned me upon check in not to use the phones in our room because they charge more than jails do per minute.
So we went over to check out our suite. Even with the group reduction for the con, it was not a cheap room. It was however a filthy room. We had no T.V. reception or remotes. It took 2 days and 3 calls to get that fixed. The tiled bathroom floors were covered with a substance that looked like dry Elmer's Glue. The couch was stained and the carpets turned the bottoms of my feet black if I tried to walk barefoot.
Let's see, there were several pranks pulled, all ranging in severity. Some of the funnier things that happened were bubbles appearing in various pools during the convention. One hot tub was made to smell deliciously fruity with an addition of orange Jell-O, and of course the pool with the mysterious "smoke" coming out of it (dry ice.) At one point all three pools were so gross I was scared to be in them. One of the pools had vegetable oil dumped into it. Another nice group of people threw bottle caps at my 5 year old while she was swimming. A towel cabana was set on fire. Then there was Shipley from www.dis.org <http://www.dis.org> -- he assaulted people and property this weekend, and thanks to persuasions from Def Con management did not have any charges brought against him. So I guess it's okay to smash other people's laptops at Def Con.
I also wanted to thank all the skanky little whores who attended, making Def Con such a female friendly environment. If you are a female who is under the impression that Napster was "back in the day," (an actual quote, boys and girls, overheard in the ladies room) then you need to sign on to your AOL account, sit down in front of your computer, and maybe if you slam your head into the monitor hard enough you won't be so fucking stupid. Unless you are a hooker, I found that the Def Con environment has grown increasingly hostile toward women. It also does not help when certain groups are paying women to wear their ugly shirts around with their tits hanging out just so people won't realize how lame these certain groups are. Oh, and I forgot to add that their logo is pretty much a rip-off of an actual popular groups logo. I guess they can't even come up with their own logo.
[side note from linear: the original, 100% working Napster has been dead for over a year now. In a technological sense, where capabilities improve by about 100 times within three months, Napster is "back in the day." Sorry, Colleen]
[side note from Phractal: Napster is NOT back in the day, linear. Back in the day is downloading the latest Ultima and Phrack at 300 baud and being excited about it. ]
One of the things I enjoyed about Def Con was the large amount of people willing to fork over cash for useless crap. But that joy was diluted by the several hundreds of attendees who don't even know what phreaking is. There were drug o.d.'s, a gang fight, and again, lots of hookers. Or maybe those were just girls who wished they were hookers. Come on guys 'Pretty Woman' was not a true story!
Aside from the thousands of retards now attending Def Con I did meet several nice new friends. I finally got to meet Barkode, the guys from www.stuff.halibut.com <http://www.stuff.halibut.com> were awesome, White Vampire, www.antichildporn.org <http://www.antichildporn.org> and, some silly guy from atlantacon.org <http://atlantacon.org/> who kept trying to give everyone stickers. Hug Me from Atlantacon was very nice. He said their last year's attendance was only about 500. It sounds like a great con and I hope I can make it there next year. The Def Con Goons were super nice and helpful (Russ and Screwyou) even with all the crap they had to deal with. And although my quest for a photo opportunity with Chris Goggans was unfruitful, I hope to run into him again someday and capture the joyous moment on film. I'm happy that Dark Tangent's convention is so monetarily successful. It's too bad that this convention had to get turned into an out-of-control frat party sprinkled with wanton destruction.
Yea, you COULD jump over some fences and beige box some TNIs, but most people scrutinize their fone bill, and when they see a 500 dollar or more teleconference, they WILL be pissed. Corporations on the other hand, don't scrutinize at all, they just pay, as many found out about due to that fake invoice scam a while back. Additionally, there's less risk involved while actually setting up the call if you try my way.
Find a store like blockbuster or target, any store that has a little employee application booth or machine. The machines look like a fone with a screen, and a small extendable keyboard. Before you actually start to set up the teleconference, make up a fake name, fake address, and fake business. Bring a small fone with you. I personally use the Appolo Fashion Fone from Radio Jack.
Sit down at the machine with your fone, a pen and some paper. Unplug their employee application fone's modular cord, and plug it into your fone. Now, get the ANI for the location and write it down, this is VERY important. If you don't know any ANI numbers, use 1800 314 4258.
Once you get this done, dial 1 800 232 1234 for ATT Teleconferencing. Sound authoritative and tell the person who picked up you need a folder and a teleconf set up. They'll ask you for some info and then ask if you want it billed to credit card or the line. Tell them the line. They will then say they will call you back in a minute to verify billing, here's how it goes when you're setting up a new folder.
ATT:ATT teleconferencing, this is smellywhore, what is your folder number ?
j00:I need to set up a new folder
ATT:Okay, and what is your name ?
Att:Okay, Mr. Valdez, is this a business or a residence ?
j00:Its a business, Cocaine Importation and Distribution Inc.
Att:Okay, and your address
j00:1600 Pennsylvania (use an address not too far from where you are)
Att:Okay, Juan, and would you like this billed to a credit card, or the phone
j00:Phone line, you stupid bitch, I ain't payin !
Att:Okay, I'm gonna call you back in a minute to verify billing.
j00:Hurry up, bitch !
At this point, doodle or something , and make sure your phones ringer is on but low. When it rings she should give you your setup info.
Att:Hello, is Juan Valdez there ?
att:Okay, Mr.Valdez, when would you like to setup your conference for ?
j00:Tomorrow at 12 noon Pacific
att:And how many hours would you like it to be ?
j00:Twelve (Don't go overboard, they'll get suspicious, and you can always extend the conf later)
att:Dial in or Dial Out ?
j00:Dial in, bitch, I aint getting busted !
att:Okay, and how many nodes(or participants)
j00:Ten, auto extend.
att:Okay, juan your conference number is 1-800--345-1337, your host access number is 123 456 and your guest access number 987 654, your teleconference is scheduled for tomorrow at 12 Pm pacific.
j00:And what is my folder number ?
j00:Okay, thanks bitch, targets phone bill just went up.
att:Thank you !
And there ya go, your teleconference is set up billed to a corporation, you're high and dry, you have a folder number and you are k-rad 1337 r34dy t0 g0. Oh, and don't ever do anything mentioned in this document as I am not fucking liable!
From: "Dead Penny"
Subject: about an article in your recent issue
Date: Fri, 29 Jun 2001 21:46:48 -0800
hey, this is deadpenny, i was having my daily view of the upl site. and i happily saw that issue 25 had been released. as i gleefully started reading the contents i saw "a newbies guide for newbies" written by royal-tea. "cool, i wrote a textfile with that same name once for my little group/zine the phuckups <http://www.phuckups.cjb.ne> (yea we aren't the greatest but its something) so i start reading, and i notice the phuckups motto "blah blah blah shut the phuck up" and then i read it, and not only was it the same article as mine from the phuckups, but it was copied word for word. except for the whole "a few final words from deadpenny" part had someone elses name in it. now i don't want to start a whole "im angry at so and so, and im l33ter and so and so" but i was hoping i could get some due credit for writing the article.
what was even worse, was that its not the greatest article in the world, and he could have at least made some improvements on it. maybe then i wouldn't have even asked for credit. its not a big deal if you don't believe me, im not gonna start some dumb shit like a lot of people do. but that is the phuckups motto, and i did write it, and i have a lot of people who know i wrote it. and if you don't put my name on it, could you at least ask him to improve it some? thanks for your time linear and i hope i didn't bother you any. (oh and by the way i think you are godlike, and i am sucking up, but its true or something)
DeadPenny(of the phuckups)
Words From linear:
This was an interesting situation indeed. Usually, one would go to Royal-Tea and blame him for forging an article. But there was a twist here: Even before I got this email, Royal-Tea had IMed and told me that he didn't write this article. Then, I get this email a day or so later. Interesting.
So apparently, someone had stolen DeadPenny's article, tagged Royal-Tea's name on it, and submitted it to UPL. Why this was all done? I have no clue. The result was three very confused people (uh, Me, Royal-Tea, and DeadPenny).
From: Alexandre D. F. Souza
Date: Wednesday, March 28, 2001 10:13 PM
GreetZ from Brazil!
Nice site, nice advices, nice knowledge. Hope I can contribute with something brazilian. But why the hell someone in USA would want to know how to 313371Y phr34k a phone in Brazil???
Strength and Honor
"Raw data for Raw Nerves"
Words From linear:
UPL sends a shout out to Brazil. We'd like Alexandre and all our other non-US readers to know that we are more than happy to print information on other-than-US systems. Anyone, from any country, is welcome to submit to the UPL zine. UPL, unlike our President Bush, does not even care if your country harbors terrorists! You're still welcome to submit.
Of course, we're all idiots and can only speak English. So we'd advise all articles be submitted in English, or the article will be published in UPL as a horribly garbled Babelfish <http://babelfish.altavista.com> translation.
Subject: why are you such a bitch-boy?
Date: Monday, April 23, 2001 1:40 PM
hey, linear, Why are you such a bitch-boy? You suck so much ass, that you can't even make a new poll. i should go there and stab your ass.
thanks for your time
Words From linear:
Unfortunately, being a bitch-boy is something I have no control over. You see, I am simply a product of my environment and have little to no control over the way I have turned out in life. Blame my parents, friends, and society in general (especially the nasty movies, songs and video games) for the horrible freak of nature I have become.
Don't condemn me, I was once like yourself!
Date: Sat, 18 Aug 2001 01:37:22 EDT
do you know of any hacker programs that I could get my hands on for free to get started with?
Words From linear:
// Sheetz0r.CPP v1.1
// by Phractal
// This little scrap of code is a program that is used to aid you in your
// wardialing efforts. If you scan manually, which seems to be the safest
// way nowadays, it's tedious to write every number down so you remember
// what is special about that number, be it a PBX, outdial, VMB, carrier,
// loop, or some weird mystery tones, or even the clandestine DATU line.
// After running the program, all the numbers should be ready for you in a
// list format in numbers.txt in whatever directory you ran this from.
// SHOULD WORK ON ALL OS's, EVEN THE REALLY CRAPPY ONES
// Remember, this is C++, not C, if using unix, use g++ to compile, not gcc.
// shell~$ g++ sheetz0r.cpp -o sheetz0r
// shell~$ ./sheetz0r
// Also, this has a bug, if you are scanning lets say 0000 thru 9999, don't
// type in 0000, type 0001. It tends not to like entries that end in zero.
// It also doesn't like scans that are like 0501 thru 0599 and 0801 thru 0899
// Anyone is open to contribute to this program, as long as I maintain credit
// for original program.
// NOTES FOR VERSION 1.1
// * Changed the interface a little bit, instead of the spaces thing, just
// fill in the prompts, should make it easier.
// Had no trouble with 0000 - 9999 (Because of different compiler, perhaps?)
// some other computers might have problems, though.
// also had no problems with 0501 - 0599 or 0801 - 0899, once again,
// you might.
// This version also saves to numbers.txt instead of scans.txt Why? I
// honestly don't know.
// -The Visual Assassin
// Kudos to Visual Assassin for actually trying to improve upon my horrible
// programming skillz, now the program is k-rad. I added a few insignificant
// things, like main() having a return of 31337, what better way to waste
// segments of memory?
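#include <fstream>
#include <iomanip>
#include <iostream>
using namespace std;

int main(int arg, char* pszArgs[])
{
    // Set c, c1, c2, c3, and NPA
    int c, c1, c2, c3, NPA;
    ofstream outStream("numbers.txt");
    outStream<<"********************Sheetz0r V. 1.1********************\n\n";
    cout<<"Enter NPA (e.g. 800): ";
    cin>>NPA;
    cout<<"Enter exchange (e.g. 555): ";
    cin>>c1;
    cout<<"Enter beginning numbers (e.g. 0000): ";
    cin>>c2;
    cout<<"Enter finish numbers (e.g. 9999): ";
    cin>>c3;
    cout<<"\n\n\n\n\n\n"<<"Check out numbers.txt!";
    // The loop body is missing from this copy; the line layout below
    // (zero-padded number followed by room for a note) is an assumption.
    for (c = c2; c <= c3; c++)
    {
        outStream<<NPA<<"-"<<c1<<"-"<<setfill('0')<<setw(4)<<c<<" : \n";
    }
    return 31337;
}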
Definitions from McGraw-Hill Illustrated TELECOM Dictionary (Second Edition)
Three parts of this TXT
CSM BLS AKEY: FILE: CFWD.DMS
ANI_GETNUM,STDIN FS/ST = NUMBER.1$
IF NUMBER.1$=BSY_STATE=TRUE THEN OPEN NUMBER.1$.CUST.DAT
LOCAT.CUST.DAT=CFWD[ENTRY1]/READOUT CM FWD VARIABLE=NUMBER.2$
IF NUMBER1.$=STILL BSY_STATE=TRUE THEN FUNC.FWD NUMBER.2$
CSM BLS AKEY: FILE: CALLID.DMS
ANI_GETNUM,STDIN FS/ST = NUMBER.1$
IF DATE%=NULL AND TIME%=NULL THEN LCD_RDOUT
= PROPDATE%, PROPDATE%, NUMBER.1$
2. Explanations of source
Call Forwarding source explanation
CSM BLS AKEY: FILE: CFWD.DMS = Global standard mechanism, bellsouth, Akey - Programming lang.
ANI_GETNUM,STDIN FS/ST = NUMBER.1$ = Automated Number identification, standard input, First start/stop, NUMBER.1$ = variable.
IF NUMBER.1$=BSY_STATE=TRUE THEN OPEN NUMBER.1$.CUST.DAT
Caller ID source explanation
CSM BLS AKEY: FILE: CALLID.DMS = Global standard mechanism, bellsouth, Akey - Programming lang
ANI_GETNUM,STDIN FS/ST = NUMBER.1$ = Automated Number identification, standard input, First start/stop, NUMBER.1$ = variable
LCD_RDOUT CALLED_NUMBER=TEXT1.NUMBER.1$ = LCD (liquid Crystal Display) ReadOut, Puts Callers Number on the LCD screen.
IF DATE%=NULL AND TIME%=NULL THEN LCD_RDOUT= PROPDATE%, PROPDATE%, NUMBER.1$ = If there's no Date or time then fill in with correct date and time.
ENDSW_CID = stop
Kill your parents and blame it on us! Download MP3s! Stay Home from school! Corrupt the youth! Read literature! Burn things!
linear el caco
Head of State Department of Absence
Rob T Firefly Harry Tuttle
Department of Wit, Humor Department of Propaganda
Department of Apathy Department of Historical Record