ukphreak.txt
Posted Apr 15, 2000
Authored by hybrid | Site hybrid.dtmf.org

An introductory guide to phreaking in the UK, one of hybrid's earlier files, for darkcyde and 9x, specifically aimed at UK dudes.

tags | telephony
SHA-256 | d0fe4706aaa5dd12e2bf945787f311ab29f1b44e20556423ececddb6395a9ec7

DarkCyde Communications UK/USA
!!==================================================!!
! _d_C_RawDATA P-r-e-s-e-n-t-s !
!!================================================!!

UK Phreaking, an Intermediate Guide

Sept'98 v1.0

by Hybrid

.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:.


Contents:

Introduction

DTMF

Remote Phreaking

Basic US Phreaking from the UK

Voice Mail

Boxing

Information Gathering Techniques

Teleconferencing

Ionica

How not/to get busted

Final Misc Phreaking Tips


.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:.

Introduction:

UK Phreaking has always been a hazard, if you phreak, you always run the risk
of being busted. Unlike hacking, it can be very difficult to cover your
tracks in the world of phreaking. Of course, there are precautions you can
take, which I will explain later in this phile. In this phile I intend to
inform the masses of things that have never been discussed before. I have
never seen a UK specific phile on TeleConferencing or call routing, here I
intend to tell everyone all that I know, if you are reading this phile to
learn how to execute free phone calls and bypass the charging system, then
fuck off now... A person who just wants to know how to make free phone calls
is not a phreak, they are just plain stupid. A phreak is someone who enjoys
exploring areas of the phone network that are not generally available to the
public... You have probably read this kind of shit before, but having the
ability to make free calls is just an added bonus of phreaking. The most
stupid thing you can do is find some lame company's PBX and just keep making
free calls through it from your house, this is bad. The company will notice
an increase in outgoing calls, and log them all. If you just do this, expect
a nice call from our friends BT, complaining you owe some company you have
never heard of loads of money. Later in this phile I will discuss how to
avoid this. I got started in phreaking after reading various txt philes by
people like coldfire, and the group PHILA. It was originally a phile by a
phreak called Neondreamer that inspired me into phreaking. If you are not
already a phreak, but want to learn more I would suggest that you read
*everything* you can download. Start scanning for interesting things, and
take notes on your findings. I have noticed that the UK phreak scene is
extremely secretive, or even more or less dead. This is because no-one
discusses or shares decent information anymore, and when they do, they face
ridicule for letting the 'lamers' know about interesting things. What's wrong
with this? I have also noticed that most UK phreaks advertise as being
'31337' but don't know shit.. People that say they are eleet are the
'lamers'. Most of the *real* eleet phreaks don't need to advertise as being
eleet, because they know it anyway. The problem is most real phreaks like to
work alone, and don't like to discuss their acquired information.. Therefore
it is becoming increasingly difficult for 'newbies' to learn, they turn to
reading newsgroups such as alt.ph.uk, and read postings like 'how do i make
free calls?' and 'does blueboxing work?' These people give phreaking a bad
name, if you want to know if blueboxing still works, then go away and try it.
If you post something like that you are likely to get responses like, 'Go
away lamer'.. The people that flame these postings have nothing better to do,
they are probably lame as fuck themselves and have probably posted similar
things themselves in the past, been flamed for it, and then think they are
31337 for flaming an inquisitive 'newbie'. To these people I say fuck off,
and go learn something. You see, I don't give a flying fuck if I get flamed
for writing this kind of stuff, because I know that the people that are
likely to flame it don't know shit themselves. (excuse my German). Now that's
enough of that, all I'm trying to say is.. If you find something good, tell
others, fuck-it, tell the whole world.. What's the point in keeping stuff to
yourself, when you can tell others and get feedback from it, and learn more.
OK, now you have finished reading my crap, on with the rest of the phile.

.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:.

The Basics, DTMF tones:

DTMF stands for Dual Tone Multiplexed Frequency, it basically means 2 tones
are played together at the same time. When you are pressing the buttons on
your phone, you will notice a series of different tones assigned to different
buttons. It is these tones that are sent to the other side of the line, the
exchange. DTMF tones are your best friend in the world of phreaking. They
allow you to remotely control any system, whether it be a PBX, VMB or other
DTMF controlled system.

Here is a map of your keypad, and the tones emitted from each touch tone:



           1209 Hz   1336 Hz   1477 Hz   1633 Hz

                       ABC       DEF
697 Hz        1         2         3         A

             GHI       JKL       MNO
770 Hz        4         5         6         B

             PRS       TUV       WXY
852 Hz        7         8         9         C

                      oper
941 Hz        *         0         #         D


Decoding: If you are an electronics genius you could decode DTMF tones with
the following procedure: ;) I will be honest here and say that this bit is
extracted from a DTMF FAQ:

One idea could be an eight sharp-tuned filter combination with detection
circuits. Needless to say, this is very impractical, considering the
various ICs (Integrated Circuits or 'chips') made by different
manufacturers all over the world.

Most of these ICs do not require more than one (inexpensive) 3.58 MHz
x-tal or resonator and the power circuitry. Usually the output is
4-bit binary + 1 strobe.


               --------------
               l            l- d3
               l    DTMF    l- d2
   signal in  -l   Decoder  l- d1    4-bit binary out
               l    chip    l- d0
               l            l- strobe
               --------------
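
What such a decoder chip does can be shown in software. The following is an added example, not part of the original file or the quoted FAQ: a Goertzel-filter detector for the eight DTMF (dual-tone multi-frequency) keypad frequencies that raises a 'strobe' once per key press. The 8 kHz sample rate, the 205-sample block, the thresholds and the row/column 4-bit code are assumptions of this example, and the test signal is constructed.

```python
import math

RATE = 8000                      # samples per second (assumed telephony rate)
BLOCK = 205                      # samples per analysis block, about 25.6 ms
ROWS = (697, 770, 852, 941)      # low-group frequencies from the keypad map
COLS = (1209, 1336, 1477, 1633)  # high-group frequencies from the keypad map
KEYS = ("123A", "456B", "789C", "*0#D")


def goertzel(block, freq):
    """Power of `block` at `freq`, computed with the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in block:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def dominant(block, group, energy):
    """(index, share of block energy) of the one clear tone in a group,
    or None when a second frequency of the group is nearly as strong."""
    share = [2.0 * goertzel(block, f) / (len(block) * energy) for f in group]
    order = sorted(range(len(group)), key=lambda i: share[i], reverse=True)
    if share[order[1]] * 6.0 > share[order[0]]:
        return None
    return order[0], share[order[0]]


def detect_block(block):
    """Key present in one block, or None for silence, noise or a lone tone."""
    energy = sum(x * x for x in block)
    if energy < 1e-6:
        return None
    row = dominant(block, ROWS, energy)
    col = dominant(block, COLS, energy)
    if row is None or col is None:
        return None
    # Both tones must be present and together carry most of the energy.
    if row[1] < 0.2 or col[1] < 0.2 or row[1] + col[1] < 0.7:
        return None
    return KEYS[row[0]][col[0]]


def nibble(key):
    """4-bit code for a key: row index in the high two bits, column in the
    low two. Constructed for this example, not a particular chip's table."""
    for r, row in enumerate(KEYS):
        if key in row:
            return (r << 2) | row.index(key)
    raise ValueError(key)


def decode_stream(samples):
    """Return [(key, nibble)] with one entry per key press. The 'strobe'
    fires when the same key is seen in two consecutive blocks and is not
    raised again until a block without that key has passed."""
    out, last, latched = [], None, False
    for start in range(0, len(samples) - BLOCK + 1, BLOCK):
        key = detect_block(samples[start:start + BLOCK])
        if key is None:
            last, latched = None, False
        elif key != last:
            last, latched = key, False
        elif not latched:
            out.append((key, nibble(key)))
            latched = True
    return out


def synth(keys, tone_ms=80, gap_ms=80, amp=0.4):
    """Constructed test signal: each key as two summed sines, then silence."""
    out = []
    for key in keys:
        code = nibble(key)
        lo, hi = ROWS[code >> 2], COLS[code & 3]
        for n in range(RATE * tone_ms // 1000):
            t = 2.0 * math.pi * n / RATE
            out.append(amp * (math.sin(lo * t) + math.sin(hi * t)))
        out.extend([0.0] * (RATE * gap_ms // 1000))
    return out


if __name__ == "__main__":
    for key, code in decode_stream(synth("115#D")):
        print(key, format(code, "04b"))
```

The two-block rule is why a tone shorter than about two blocks, or a single frequency on its own, produces no output.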

If, like me, you cannot be bothered to get the soldering iron out, you can
decode signals by feeding them into a password prompt on a VMB or something,
the system will then read back the numbers for you. There is also an 0500
number that is designed for this, I think it is something like 0500-212-213,
I can't remember at the moment.

0800-969-388 Reads out 200327110, then speed dials, hmm..
0800-892-558 and 0800-892-282 both emit DTMF tones, very strange.


.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:.

Remote Phreaking:

In this file I will explain the techniques used for long distance phreaking
through the country direct numbers. In the UK many, if not most phreaks will
concentrate most of their projects on the country direct numbers. For those
of you who don't know what these numbers are for, they are numbers set up by
various corporations / telcos etc so people can reach their contact in the
terminating country for free. These numbers can be set up for various
reasons - the 0800/0500-890-xxx area for example is packed full of country
direct numbers that terminate on various foreign telco switchboards. For
example- President Clinton decides to come to the UK for a while to bum Tony
Blair... He needs to call the white house ASAP, but being the cheapskate he
is, he has no money. So he rings AT&T direct on 0800-890-011... Plugs in the
US number and is then asked for his calling card number... His call is then
placed to his requested destination. That is 1 example, another would be:
Dick Dobbins of ABCD corporation is flying to the UK for a few days to attend
some kind of conference. While he is in the UK he needs to check his voice
mail, and report back to his company etc... So he uses the company's UK
toll-free number which would be something like 0800-89x-xxx... He can now
check his voicemail, whatever for free. Now you can see why UK phreaks give
these numbers a lot of attention. Here is a list of the UK country direct
numbers:

0800-89x-xxx
0800-96x-xxx
0500-89x-xxx
0500-96x-xxx

I have also found various numbers which terminate in foreign countries via
the 0800-733-xxx area, although this prefix is not designated to country
direct services.

In order to find interesting things on these prefixes you will need to start
scanning. I recommend that you do all your country direct scans by hand,
because a program like toneloc will be looking for carriers, while you are
looking for PBXs, VMBs and various other things. I would not recommend that
you scan 1000's of these numbers in any one night, because your telco will
notice and put a nasty thing called a monologue on your phone line, which
will record EVERY single DTMF tone you emit. If you are going to scan these
numbers remember not to go over the top, and limit yourself to about 100 or
so a night. On the end of these numbers you will find a massive range of
interesting things, here are some of the things I have found:

PBXs, VMBs, Strange tones, Conference loops, Conference systems, Info lines,
Emergency services, Government lines, Carriers, Chargecard services, extender
lines, test lines, and various other EXTREMELY strange things.

Here are some examples of the delights you will come across: ;)

0800-896-050  card no and pin
0800-896-373  STRANGE
0800-896-400  dialtone
0800-896-910  vangard voice network...
0800-897-010  Asks for Password
0800-897-235  4-did PIN 2222 then 6-did Protocol number
0800-897-357  Passcode
0800-897-414  4-did extender passcode, p=1234 PBX VMS
0800-897-815  GTS Global Access Calling Card
0800-897-850  Conference Centre
0800-961-230  God damn STRANGE¿¿!
0800-961-237  Call divert [no code]
0800-961-238  FBI!~
0800-961-341  MCI-service setup, number query
0800-961-351  Mad Fax LINK...
0800-961-365  something police¿
0800-961-371  Roles Royce Corp head office. Octel
0800-965-061  strange C5 line
0800-965-063  strange
0800-965-064  'please enter company code'
0800-965-075  strange C5 line
0800-965-077  C5.

There are tons more things in the country direct numbers, these are just a
few.

These numbers can be abused by the phreak for many reasons:

Outdials: If you are scanning and you come across a dialtone, or Meridian
Mail system or similar you can access the system's outdialing features and
dial various numbers in the terminating country, ie- US toll-free 1-800
numbers. The system you are most likely to phreak will be US Meridian Mail
systems. A more in-depth file on MM's can be found on the DarkCYDE website
at www.darkcyde.org. Here is a basic guide to hacking the MM systems:

Find a Meridian Mail system on the terminating end of an 89x/96x number.
You will know when you have found a MM system if: The terminating number
directly ID's itself as, 'Meridian Mail, mailbox?' Or if you get an OGM
recording such as, 'you have reached blah blah company after hours', try
hitting 81, if it is MM it will drop you into the MM login prompt. Or you
may get, 'You have reached blah blah corp, please dial the extension of the
person you are calling'.. If you get this try dialing an eXt, if your call
is put through you should get the person's recorded voicemail greeting. Hit
81, and try to login to the person's box, the default passcode is the same as
the box number. To find where the boxes are located you need to get yourself
to the dial extension prompt, or dial by name prompt. On most systems you
will be given the option to do this, but on some you are only given the
option to leave a message, these type of systems are very unlikely to be
24hr... to get the dial eXt prompt on these systems, just hit 011#
quickly... the system will then say 'name cancelled' and ask you to dial an
eXt. On some systems I have noticed that you can still exploit the machine's
out dialing feature without even logging into a box, try hitting 0 for the
operator, and then instantly hit 9-1-800-xxx-xxxx whatever. I have found this
works on 1 out of 10 systems. Once you have managed to get into a box, try
the following: 09, 1-800-xxx-xxxx-# The system may let your call through if
no call blocking is in place, on some systems only some boxes are configured
for out-dialing so don't give up. Some systems will be programmed to only
allow local calls, or not to allow any calls beginning with 1, or no calls
at all. If your call is put through, you now have access to the entire US
toll-free network, you may even get lucky and be able to dial ANY number in
the world. Now you have a MM outdial you are ready to start remotely
phreaking the US!

.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:.

Basic US Remote Phreaking:

I am not going to go into too much detail here because there are plenty of US
specific philes all over the .net, if you want more information on US
phreaking go and find some info.. The DarkCYDE website will soon have a US
section headed by Elf and Downtime. So keep an eye on it. ;)

The US toll free network is a lot different to ours. They have 1-800-xxx-xxxx
1-888-xxx-xxxx 900-xxxx numbers etc. On the end of these numbers you will
find LOADS of cool stuff. If you want to find a specific US number just dial
1-800-555-1212 for toll-free directories. The possibilities are endless,
remember, it is loads of hassle for them to even begin to try and find you,
they think you are calling from the US! Just remember that if you call
something dodgy in the US such as the CIA and give them loads of grief they
will know the ANI of your PBX, in the UK you block this by dialing 141, in
the US you would dial a * service to block your ANI. When dialing through a
PBX it is not possible to use * services, so remember, if you don't want to
lose your PBX don't use it for prank calls or anything like that. 1-800
numbers are fun to scan because you will find a lot more things on the end of
them, than you would in the UK.

It is not advisable to scan 1-800 numbers by constantly dialing up your PBX,
remember the company whose PBX you are using has to pay about 15c every time
you dial it up, they will notice an increase in toll-free number access and
the next thing you know, BT will be busting down your door. The best thing
to do if you are planning on scanning US 1-800 numbers is to find a
chargecard service or similar, that lets you dial a 1-800 number, hang it
up, and then re-dial. This way you will only have to dial 1 UK country direct
number, stay on the line and then scan from that. Here is a small list of
some of the 1-800 toll-free numbers that I have found myself:

1-800-466-2518 4-did pin, p=9999 Frontier Communications
1-800-466-3003 4-did pin, p=9999 Frontier Communications
1-800-476-3911 4-did pin p=9999 Frontier Communications
1-800-452-6993 4-did PIN p=9999 Frontier Communications
1-800-584-5692 4-did PIN p=9999 Frontier Communications
1-800-523-9142 4-did pin p=9999 Frontier Communications
1-800-482-3520 4-did code p=9999 Frontier Communications
1-800-455-2670 Strange (it's worth messing around with these)
1-800-455-6398 Personal vmb
1-800-455-3902 4-did access code
1-800-455-8223 Modem
1-800-455-6932 Skytell Pager
1-800-455-6980 Call forwarding (3-did)
1-800-455-1150 VMS OCTEL
1-800-227-5937 Sky Message
1-800-376-2903 Skyline Pager 80=help
1-800-632-8921 Pager (NationWide Messaging)
1-800-685-3910 VMS OCTEL 81000 Free
1-800-760-9256 Porn Line
1-800-673-6840 Something Testing services
1-800-256-3581 Modem (another thing, they think you are in the US)
1-800-638-8267 VMS 300 p=0000 Admin Box
1-800-780-9650 Syword Messaging System
1-800-507-8960 VMS
1-800-480-5802 Chargecard Service
1-800-322-5889 AUDIX Voice Power
1-800-381-5504 South Western Bell Call Notes
1-800-304-5887 Access code
1-800-362-8896 4-did PIN p=9999 (most of these eXtenders have this)
1-800-320-9651 VMS
1-800-395-5569 Porn Line
1-800-207-4482 Free porn line
1-800-605-3472 Central Command
1-800-633-8284 conference replay
1-800-280-1445 CIA
1-800-562-7242 CIA employment line
1-800-285-3222 bank, vmb MM. 3000-3000 (you would be surprised at the
               amount of banks that leave their default passcode
               active)-Barklays :p

If you find a modem try dialing into it with terminal or something, most of
the modems on these 1-800 numbers are *very* interesting. Remember, according
to their CLID software, you are in the US ;) You can also get *totally* free
internet access through your country-direct PBX... Just card a few earthlink
accounts, they will give you a 1-800 dial-up number! Or if you have a PBX
that lets you dial local numbers (local numbers in the US are free), get a
trial account with an ISP in the US, they will give you a local number
dial-up.. When you access the net, it will appear that you are in the US,
cool? If you need to find out the local number of your PBX, you can use an
ANI number, which will read out the number of the PBX you are calling from:
here is the one I use: (1-800-487-9240) This number will read out everything
about the line you are calling from. Just remember that all MM systems with
dialout features will record every single number put through it, so be
careful.
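
The last point above, that a system with dial-out records every number put through it, is also what lets the owner of the system spot this kind of abuse. An added example, not part of the original file: detection logic over a voicemail event log that flags one call failing logins on several mailboxes, a successful login that follows, and dial-out from that mailbox or outside working hours. The log layout, field names, thresholds and all sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed event log. The line layout and field names are assumptions made
# for this example, not the log format of any product named in the file.
SAMPLE_LOG = """\
1998-09-12 14:03:10 call=70 LOGIN box=4012 result=OK
1998-09-12 14:05:42 call=70 OUTDIAL box=4012 dialed=901615550123 secs=95
1998-09-13 02:14:07 call=71 LOGIN box=4000 result=FAIL
1998-09-13 02:14:15 call=71 LOGIN box=4001 result=FAIL
1998-09-13 02:14:29 call=71 LOGIN box=9999 result=FAIL
1998-09-13 02:14:41 call=71 LOGIN box=4002 result=FAIL
1998-09-13 02:14:55 call=71 LOGIN box=4003 result=OK
1998-09-13 02:16:02 call=71 OUTDIAL box=4003 dialed=918005550100 secs=1260
1998-09-13 02:40:19 call=72 LOGIN box=4003 result=OK
1998-09-13 02:41:00 call=72 OUTDIAL box=4003 dialed=918005550142 secs=2210
1998-09-13 09:12:30 call=73 LOGIN box=4020 result=FAIL
1998-09-13 09:12:44 call=73 LOGIN box=4020 result=OK
1998-09-13 23:30:05 call=74 LOGIN box=4050 result=OK
1998-09-13 23:31:40 call=74 OUTDIAL box=4050 dialed=901615550177 secs=600
"""

LINE = re.compile(r"^(\S+ \S+) call=(\d+) (LOGIN|OUTDIAL) (.+)$")
GUESS_BOXES = 3                  # distinct mailboxes failed within one call
QUIET_START, QUIET_END = 19, 7   # after-hours window (local time, assumed)


def analyse(log_text):
    """Return findings as (rule, call id, mailbox or None), in log order."""
    failed = defaultdict(set)    # call id -> mailboxes with a failed login
    suspect = set()              # mailboxes opened right after guessing
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue             # ignore lines that are not in the layout
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        call, kind = m.group(2), m.group(3)
        field = dict(kv.split("=", 1) for kv in m.group(4).split())
        box = field["box"]
        if kind == "LOGIN" and field["result"] == "FAIL":
            # Counted over the whole call and never reset, so the rule does
            # not depend on the system's own consecutive-failure limit.
            before = len(failed[call])
            failed[call].add(box)
            if before < GUESS_BOXES <= len(failed[call]):
                findings.append(("mailbox-guessing", call, None))
        elif kind == "LOGIN":
            if len(failed[call]) >= GUESS_BOXES:
                suspect.add(box)
                findings.append(("login-after-guessing", call, box))
        elif box in suspect:
            # Dial-out from a mailbox first opened by a guessing call,
            # including later calls that log in directly.
            findings.append(("outdial-from-suspect-box", call, box))
        elif when.hour >= QUIET_START or when.hour < QUIET_END:
            findings.append(("after-hours-outdial", call, box))
    return findings


if __name__ == "__main__":
    for rule, call, box in analyse(SAMPLE_LOG):
        print(rule, "call", call, "box", box)
```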

.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:.

VoiceMail:

If you are a newbie phreak, I would suggest that you begin your telephony
adventures with voicemail. Voicemail systems can be very easy or very hard
to penetrate, but most will be left in their default state with default
passcodes still active. If you are scanning through the country direct
numbers you are likely to come across thousands of different voicemail
systems, here is a list, along with example numbers of the systems you will
come across:

Meridian Mail Direct Dial: 0800-897-110
Meridian Mail Front End: 0800-969-580
OCTEL Direct Dial: 0800-961-373
OCTEL Front End: 0800-961-384
AUDIX Direct: 0800-896-891
AUDIX Front End: 0800-967-012
AUDIX Voice Power: 0800-897-077
PhoneMail Direct: 0800-969-913
PhoneMail Front End: 0800-969-394
InfoStar VX: 0800-969-171
Partner Mail: 0800-897-467
Communications Gateway: 0800-896-500
?Standard vmb: 0800-960-305
Bell Atlantic: 0800-962-279

Those are just some of the main systems you will come across, hint- The
Infostar VX system admin boxes allow you to set up new boxes, the passcode
for these boxes is always the same as the box. Voicemail is a very useful
tool for the phreak. They can be used for many purposes, you could set a
system to communicate with other phreaks or get your own system, so you can
give others your VMB number so they can contact you.. There are loads of
applications.

Notes on Meridian Mail:

OK, I'm not going to go into detail here because there are some fairly
decent philes on MM floating around on the .net. Here is a simple guide to
managing your Meridian Mail box: (cut 'n' pasted from Coldfire's phile)

0 - Zero on its own will transfer you to the operator assistance
    number. 011 will let you look up names in the directory. 0XXXX will
    dial that number, assuming it passes the call blocking mask.
1 - Rewinds the current message about 10 seconds
2 - Play message
3 - Fast Forwards the current message by 10 seconds
4 - Previous Message
5 - Record, used when composing or forwarding a message.
6 - Next Message
7 - Message Commands (Sub Menu)

    0 - Message Options (Sub Menu, can only be used on outgoing
        messages)

        1 - Urgent, tag a message for urgent delivery.
        2 - Standard, tag a message for standard delivery.
        3 - Economy, tag a message for economy delivery.
        4 - Private, tag a message private (private messages cannot
            be forwarded to other users)
        5 - Acknowledgement, tag a message for acknowledgement,
            you'll be sent an acknowledgement message when the message
            is received.
        6 - Timed Delivery, specify a time and date for delivery.

    1 - Reply, sends a message to the sender of the message. Can only
        be used on incoming messages from mailboxes on the same system.
    2 - Play envelope - Gives all the details of the messages, such as
        who its from, time, if it was urgent, attached messages etc., etc.
    3 - Forward, forward the message to another user.
    4 - Reply All, record a message to all the senders of the messages
        in your mailbox.
    5 - Compose, compose a message to other users, either just one, a
        distribution list, or several boxes.
    6 - Delete, deletes message, or if used on a deleted message
        restores it.
    9 - Sends a message you've just recorded.

8 - Mail Box Commands (Sub Menu)

    0 - Mailbox Options (Sub Menu) (Not always available on earlier
        versions of the software)

        1 - Change Operator Assistance Number

    1 - Login, enters the login process.
    2 - Greeting (Sub Menu)

        1 - External, record a greeting to be played to external
            callers.
        2 - Internal, record a greeting to be played to internal
            callers.

    3 - Log-off
    4 - Password Change, change your password, enter your new password
        twice and your old password.
    5 - Distribution Lists, create distribution lists.
    6 - Goto, goto a message number in your mailbox.
    9 - Personal Verification, record a personal verification which
        will be played instead of your mail box number to message
        recipients.

9 - Call Sender, when used on an incoming message will dial the
    extension of the sender, if the number is known.

Hint- If you find a nice MM system, start scanning internal eXtensions, you
will find some *very* interesting things. ;7) For the *ultimate* guide to
Meridian Mail Systems keep an eye on the www.darkcyde.org, PUBLiC_NUiSANCE
stole a MM Admin Technical Manual!

OCTELs are generally very easy to hack. The typical OCTEL will behave like
this: You dial up the number, hear some kind of company greeting.. Try hitting
the # key, this should put you into the login prompt, if this doesn't work
try hitting * then #.. You should then get a generic female voice asking
you for your mailbox number. It is very easy to find a free box on an OCTEL
system, just find a valid box, like 9999 (sysadmin) and keep going back
to it after 2 invalid login attempts, this way you will not get logged out of
the system. When you find a valid box, scan around this until you get a box
that says 'this mailbox can increase your communications productivity' it
will then say a load of crap and then ask you for your passcode, which is
usually the same as the box. If this is not the case try things like 1111
2222 1234 etc. Once you have the default passcode you can own any box on the
system, and give them to your phreaking friends. Once inside your new VMB, all
the options are very self explanatory.. you can even adjust the generic help
voice to be abbreviated, it gets annoying after a while. It is worth scanning
the extensions on these systems because you will find loads of interesting
things, such as dialtones and conference bridges. The system admin box will
usually be on 9999, if you manage to get into one of these boxes you can do
anything you want to the system, ie set up free boxes :).

AUDIX AUDio Information eXchange:

AUDIX Main Menu [Activity Menu]

1. Record and send Voice Mail messages to other users.

    *D.  Delete
    *L.  Add a mailing list you have created or public list
    *1.  Review or modify the list you are creating
    *#.  Approve list
    *A.  Name addressing
    *R.  Restart at activity menu
    *T.  Transfer to an ext
    *W.  Have system wait
    **N. Access names and numbers dir

2. Get Messages.

    0.   Listen
    1.   Respond/forward
    #.   Skip to next header
    2.   Rewind
    3.   Play
    *#.  Skip to next category
    **H. Hold in current category
    5.   Replay last few seconds
    6.   Fast forward a few seconds
    4.   Louder
    7.   Softer
    9.   Faster
    8.   Slower
    *D.  Delete
    *R.  Restart
    *W.  Wait
    **N. Names and numbers dir
    *T.  Transfer

3. Record or change the greeting heard by outside callers.

    0.   Listen to a greeting
    1.   Create, change or delete a greeting
    2.   Scan all greetings
    3.   Activate a greeting
    4.   Administer call types

        1. Identify calls as internal and external
        2. Identify calls as busy and no answer

    #.   Finish
    *R.  Restart

4. Check outgoing messages.

5. Administer mailing list, personal dir, password, or account name.

    1.   Administer mailing lists

        1. Create a list
        2. Scan lists
        3. Review or modify lists

    2.   Administer personal dir

        1. Add entries
        2. Review all entries
        3. Review a specific entry

    4.   Change passcode

    5.   Record name

6. Out-dialling [sometimes disabled by admin]

7. Scan incoming messages automatically

    1.   Scan headers in messages
    2.   Scan headers only
    3.   Scan messages only

AUDIX systems can sometimes be quite hard to hack, especially if the system is
a direct dial. If the system is front end here are some of the techniques I
use to find valid boxes... Dial the number, hit *8 you will be prompted to
enter an eXtension number, if you cannot find any valid extensions try
dialing by name- the owners of boxes usually say their extension number. On
some AUDIX systems the passcode is the same as the box number. To login to
AUDIX dial the number and hit *7 to login. If you are lucky the admin would
have enabled outcalling on your box. To see if this works hit 6 at the main
menu, you should get a dialtone.

Phonemail systems are very easy to hack, the passcode is always the same as
the box. Try boxes such as 1000-1000 or 5000-5000 etc... You should get a
female generic voice say, 'you have access to the system administrator
functions'. Again once inside your phonemail VMB, an annoying voice will
guide you through its functions.

Infostar VX voice processing systems are very nice. If you manage to get
into the admin box (usually 5000) you will be able to set up your own boxes.
You will also be given the option to set up various different levels of
service boxes, ie- more admin boxes etc. Here is a dictation of a VX admin
box:

1. System Greetings

    1. listen
    2. record
    3. erase

2. Broadcast message

    1. listen
    2. record
    3. erase

3. Mailbox administration

    1. Reset a mailbox access code
    2. Add a box

        ...dial the box, ie-3666#
        ...dial extension number
        ...dial a class of service
        ...dial a mailbox type
        ...dial 0 destination number
        ...dial dial depo number
        ...dial subscriber's name (p-h-r-e-a-k)
        ...reviewing data
        ...# processing * Correct a field

    3. Delete a mailbox
    8. Record mailbox greetings
    9. Reset message waiting indicators
    0. Link a mailbox

4. System group lists

    1. list members
    2. establish
    3. erase entire list
    4. modify

5. Set date of system mm/dd/yy

Partner Mail systems are basically rip-offs of AUDIX systems, the functions
are surprisingly similar. These systems usually have 2-3 digit mailbox
numbers. Again the passcode is usually the same as the boxes.

Communications Gateway systems are again very nice systems to use, although
they are quite rare. The problem is you cannot stay on the line and guess
boxes because it will log you out after 1 invalid attempt. There will be a
more detailed phile on this on our website soon. Anyway that's it for this
part of the file. If you need more specific philes on this subject just look
around, there are loads about.
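
Almost every system in this section is described as falling to a passcode equal to the box number or to a short trivial default. An added example, not part of the original file: a passcode check an administrator could apply at passcode-change time or over a mailbox export, ranking findings by whether the box is an admin box or has out-dialling enabled. The export columns, the minimum length and the sample rows are assumptions constructed for the example.

```python
import csv
import io

# Defaults that the file above names as working on real systems.
KNOWN_DEFAULTS = {"0000", "1111", "1234", "2222", "9999"}
MIN_LENGTH = 6  # assumed site policy, not a vendor setting

# Constructed mailbox export. The column names, and the idea that passcodes
# can be exported at all, are assumptions; where they cannot, weak_reasons()
# still applies unchanged when a user sets a new passcode.
SAMPLE_EXPORT = """\
box,passcode,class,outdial
3000,3000,admin,yes
4012,481516,user,no
4013,1234,user,yes
4014,401477,user,no
4015,777777,user,no
4016,654321,user,yes
5000,90210835,admin,yes
"""

RANK = {"critical": 0, "high": 1, "medium": 2}


def weak_reasons(box, passcode):
    """List of reasons a passcode is guessable; empty when none apply."""
    if not passcode.isdigit():
        return ["not numeric"]
    reasons = []
    if passcode == box:
        reasons.append("same as box number")
    elif box in passcode:
        reasons.append("contains box number")
    if passcode in KNOWN_DEFAULTS:
        reasons.append("well-known default")
    if len(passcode) < MIN_LENGTH:
        reasons.append("shorter than %d digits" % MIN_LENGTH)
    if len(set(passcode)) == 1:
        reasons.append("single repeated digit")
    # Difference between neighbouring digits, modulo 10: all +1 is an
    # ascending run (1234, 8901), all -1 (that is, 9) a descending one.
    steps = {(int(b) - int(a)) % 10 for a, b in zip(passcode, passcode[1:])}
    if steps in ({1}, {9}):
        reasons.append("sequential digits")
    return reasons


def audit(export_text):
    """Return (severity, box, reasons) for every weak mailbox, worst first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        reasons = weak_reasons(row["box"], row["passcode"])
        if not reasons:
            continue
        if row["class"] == "admin":
            severity = "critical"  # admin boxes can create or reset mailboxes
        elif row["outdial"] == "yes":
            severity = "high"      # weak passcode plus dial-out: toll fraud
        else:
            severity = "medium"
        findings.append((severity, row["box"], reasons))
    return sorted(findings, key=lambda f: (RANK[f[0]], f[1]))


if __name__ == "__main__":
    for severity, box, reasons in audit(SAMPLE_EXPORT):
        print("%-8s box %s: %s" % (severity, box, ", ".join(reasons)))
```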

.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:.

UK Boxing: Red/Blue and other ideas

Red boxing:

Despite what some people say, red boxing does work from BT payphones. The
only ones I have tried are the older models such as the ones with the crap
buttons. You will need some sort of recording equipment (good quality). Here
are the tones:

10p (1000Hz for 200ms)
20p (1K for 200ms, 50ms gap, 1K for 200ms)
50p (1000Hz for 350ms)
£1 (1K for 350ms, 66ms gap, 1K for 350ms).

You can get away with recording the tones from your computer onto a tape
recorder, but if the operator gets the slightest hint that you are using
recorded tones, they will either disallow the call and give you loads of
abuse, or they may connect the call for you and then send the gestapo to
your payphone. Anyway, here is what you do:

1. Ring the operator (100)
2. Say you are having trouble placing a call, make up some excuse like
   someone has vomited all over the keypad.
3. Ask the operator to place the call for you
4. She will then ask you to deposit the amount of money it takes to
   connect the call.
5. Play the tones and your call will be put through
6. The operator will come on the line when your time is up, or you may hear
   some plucks, just play the tones again.

Blue boxing:

Blue boxing can be a real hazard from your own telephone so be careful. I
have never tried this from my own phone because I am too paranoid, although
I have found a few numbers that seem pretty boxable. Blueboxing is the art
of seizing C5 trunks and effectively becoming an operator. C5 is an old
signalling system, and can be heavily exploited because it is controlled by
various tones. The only countries likely to still employ these systems are
3rd world countries, or lesser developed countries. To cut a long story short,
this is how you bluebox from the UK: You need to find a C5 line, a good
place to start is by scanning the 0800-890-xxx area, although I have found
them all over the prefixes. You will know when you have found a C5 line
because when the other end picks up you will hear a distinctive 'pleep'
'pleep' or something like that. As far as I can tell there are 2 ways to
seize a trunk, 1 is to blast the line with your tones while the line is
ringing, the other is to blast the tones when the other end picks up. If you
are considering trying blueboxing I would suggest that you get yourself a
copy of bluebeep, or similar progy. These programs will allow you to
configure the different tone seizure patterns. Here are the tones you will
need to successfully bluebox (cut'n'pasted from another file)

+========================================================+
| Key | CCITT 5 | For | Gap | DTMF | For | Gap |
+======+============+=====+=====+============+=====+=====+
| 1 | 700 + 900 | 50 | 50 | 1209 + 697 | 50 | 50 |
| 2 | 700 + 1100 | 50 | 50 | 1336 + 697 | 50 | 50 |
| 3 | 900 + 1100 | 50 | 50 | 1477 + 697 | 50 | 50 |
| 4 | 700 + 1300 | 50 | 50 | 1209 + 770 | 50 | 50 |
| 5 | 900 + 1300 | 50 | 50 | 1336 + 770 | 50 | 50 |
| 6 |1100 + 1300 | 50 | 50 | 1477 + 770 | 50 | 50 |
| 7 | 700 + 1500 | 50 | 50 | 1209 + 852 | 50 | 50 |
| 8 | 900 + 1500 | 50 | 50 | 1336 + 852 | 50 | 50 |
| 9 |1100 + 1500 | 50 | 50 | 1477 + 852 | 50 | 50 |
| 0 |1300 + 1500 | 50 | 50 | 1336 + 941 | 50 | 50 |
| 11 | 700 + 1700 | 50 | 50 | 0 + 0 | 0 | 0 |
| C12 | 900 + 1700 | 50 | 50 | 0 + 0 | 0 | 0 |
| * | 0 + 0 | 0 | 0 | 1209 + 941 | 50 | 50 |
| # | 0 + 0 | 0 | 0 | 1477 + 941 | 50 | 50 |
| KP1 |1100 + 1700 | 100 | 50 | 1633 + 697 | 50 | 50 |
| KP2 |1300 + 1700 | 100 | 50 | 1633 + 770 | 50 | 50 |
| ST |1500 + 1700 | 100 | 100 | 1633 + 852 | 50 | 50 |
| KP2E | 0 + 0 | 0 | 0 | 1633 + 941 | 50 | 50 |
| EO |2100 + 0 |1000 | 100 | 0 + 0 | 0 | 0 |
+========================================================+
KP = Key Pulse, ST = Start

2400 Hz/2600 Hz Clear Ahead Tone
2400 Hz/2400 Hz Seize Tone

Most exchanges will hang up on you if you directly blast them with
2600/2400 tones, so you will need an additional tone like 2100, This will
'disguise' the other tones. As I said before the majority of blueboxing is
executed on the 0800-890-xxx numbers, but I have found many other C5 lines
in other prefixes. Anyway, here is an example of how you would bluebox:

1. You dial the number of the country direct C5 line.

2. You either seize the line before the other end picks up, or
you can seize it when they pick up.

This seize used to work while the line was ringing on the China country
direct service:

tone 1: 2600hz/2400hz for 340ms then delay for 50ms
tone 2: 2400hz/2400hz for 180ms then delay for 300ms

Or if the operator picked up:

tone 1: 2600hz/2397hz for 180ms delay for 30ms
tone 2: 2100hz/2100hz for 180ms delay for 30ms
tone 3: 2400hz/2400hz for 180ms delay for 30ms

After 1 of the above seizures, you would get a response from the C5
equipment (the wink), 2 bleeps. You would then dial your number using the
following:

KP2-country code-area-number-ST

This kind of seize would probably not work anymore, so you would use the
following method:

2600hz/2400hz/and an additional tone such as 2100hz to disguise the other
tones. You will have to experiment with different tone lengths and
variations for different numbers. Here I will be honest and say I have
never attempted to bluebox from my own house, I'm paranoid like that. But
here is a list of C5 lines to experiment with. (I have found ALL of these
numbers myself, they have NEVER been released before) Some of them appear
to terminate in the US!

0800-965-060 strange (c5 after VERY strange tones)
0800-965-061 strange C5 line
0800-965-063 strange (c5 after VERY strange tones)
0800-965-075 strange C5 line
0800-965-077 C5
0800-965-078 strange (VERY strange c5 line!)
0800-965-079 strange (fault tones, then c5!)
0800-895-222
0800-967-796 VERY strange (Saudi Arabian Bank)
0500-892-200 VERY strange

These numbers should be very boxable, so have a go. That's it for blueboxing,
now for the next part of the file.

.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:.

Information Gathering:

Information is the root of all phreaking. Without it you are lost, here I
will discuss how to gain information, and how to use it. My favourite
information source is other people's VoiceMail. By listening to other people's
voice mail messages you will learn a lot about certain things. ie- Say you
wanted some CC details: Go through some magazine and note all of the numbers
that advertise as accepting Visa/Mastercard etc.. Ring the numbers after
business hours to see if they have an answerphone or VMB. If they have a VMB
you will need to find the main outgoing greeting box and break-in. This is
simple because some companies are stupid and will leave their VMB systems in
default state, ie-with the passcode same as the box number. When you are
inside the box, all you have to do is get a pen and write all of the lovely
numbers down... I'm not into carding myself, but this can be a VERY rich
source of info. If they have an answerphone, try guessing the remote log-in
passcode after you are prompted to record your message. Answerphone passcodes
tend to be 2 digits long, so you won't have any trouble there. Once inside the
answerphone you will be able to do various things, such as listen to all of
the messages. Here is an example of what functions you will get inside one:

1. Menu
2. Play new messages
3. Turn machine ON/OFF
4. Play previous messages
5. Play all
6. Skip message
7. Repeat message
8. Play out-going greeting (OGM)
9. Record NEW OGM, 9-stop recording.
0- Erase message

If you get into a large company's voicemail system, you will hear LOADS of
interesting stuff. Here is a small list of some of the things I have heard:

-Conference numbers/codes
-Employee calling cards
-Workstation logins/passcodes
-Generally how well the Corp is doing (shares ;)
-People's bank details/PINs etc (I'm not going to name any banks)
-Various other confidential stuff.

Also you should hear some of the stuff on the CIA's AUDIX system! haha
US toll-free number 1-800-280-1445. *8 dial eXt 22222, then login to the
Admin box, *7, 22222 passcode 22222- not too intelligent are they? MI5 also
have a Meridian Mail system, but I'm not going no-where near that!

It can also be interesting to listen to various Telcos' VMB systems, example:

Vear Communications: 0800-962-832. 000-1234 Admin box

You should hear some of the stuff I have heard on certain (un-named) phone
companies' VMBs.. All I can say here is, if you're reading this [¿], thanx for
the lovely test line codes. ;)

.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:.

Teleconferencing:

My favourite side of phreaking! A Teleconference system will allow you to
talk to LOADS of people simultaneously. Basically you and other people dial
into a number, enter an access code.. and you're in. There are loads of
different systems out there, most of them are in the country direct
prefixes, so if you get one of these get the system operator and ask for the
US -1-800 number, you will then be able to give the number to people in the
US. The systems you are most likely to come across are Centrex conference
bridges. When you ring 1 of these numbers you will either get a live
operator who will ask you for a passcode and the host of the conf, or if
you are lucky you will get an automated attendant which will ask you for a
conf ID code (usually 4-digit). If you come across this there are 3 ways you
can get a conf.

Example: 0800-898-734

1. You could guess the ID code and join the conf. Wait until ALL of the
legit attendees have left, then tell all of the people you want to
attend your conf. The conf will auto-extend as long as there are people
in it all of the time.

2. You could dial the number and hit 0 for the operator. Tell her that you
have just been paged to attend a conf on this number, that starts at a
certain time, ie- 12pm. (Remember time zones) She will then look up
what confs are scheduled for that time, and if she is stupid will give
you the conf info!

3. Ring the number and say you need to setup a conf. (WARNING! use a string
of PBXs, or a phone-box, they may try and trace the person who set up
the call) The operator will give you the conf reservation number, which
will be a US 1-800 number, so you will need a PBX anyways to dial it.

Checklist before ringing the conf reservation line:

-False name, Company name and US phone number (go through a US zine)

-They may ask for a Credit Card for validation, although the call is charged
to the phone number you tell them.

-Time/Date you want to set up the conf

-How many people are going to be dialing in, and the duration of the call

Call up the 1-800 reservation line and say something like the following:

Her. [Welcome to ABCD teleconferencing, how may I help you?]
You. [Hi, this is John Smith from playboy corporation, I'd like to set up
a conference call]
Her. [OK, Sir.. I'm going to need your billing information, Can I have the
billing phone number for your company?]
You. [Sure, it's 510-555-1212.. I'm going to be out of the office today, but
you can tell the operator to leave me a message...]
Her. [Your billing address?]- Make sure the address matches the number
You. [12 inatree avenue, blah blah blah, ZIP code 31337]
Her. [Reads out your billing information, and informs you that the bill will
appear on your phone bill]
You. [Sure, that's ok... Erm, how much will it cost for each participant?]
Her. [48c a minute per person]
You. [That's good value!]
Her. [What time do you want your conf to start?]
You. [ASAP, erm.. How about in 15 mins?]
Her. [OK, how many people will be dialing in?] -Don't be dumb!
You. [I am expecting 10 people to attend] -The conf will allow more
Her. [How long will the duration of the call be?]
You. [About 1-2 hours] -it will auto-extend
Her. [OK Sir, Your call has been scheduled, the dial in number for your
participants will be 1-800-xxx-xxxx and will be activated in 10 Mins.
The PIN code for your call is xxxx]
You. [OK thanxs alot]
Her. [OK thanxs for using blah blah blah teleconferencing service, and have
a nice day!]
You. [OK, cya l8er Baby]

Your conf will then be set up, make sure you don't call directly into your
conf, if they see you are the first to join, they will know you set it up!
So go through PBX's and stuff. Calls set up this way don't usually last
long, only about 1-2 hours.. But are phun while they last. Once inside your
conf there will be various DTMF tone controlled options, here is a list of the
most common on these types of system:

71# lock meeting
70# un-lock meeting
81# Mute everyones phone so they can only hear you talking
80# Un-mute everyones phone
61# mute your own phone
60# un-mute your own phone

That's just 1 of the conf systems I have come across, there are tons more
out there. The conf system I like to use the most is called 'MeetingPlace'
produced by a company called Latitude Communications. Meeting Place is a
powerful teleconferencing system designed to accommodate up to 120 ports in
any combination of simultaneous conference calls.
Meeting Place is not generally available to the public, it is designed to
be attached to eXtensions of corporations and companies that require a
private teleconferencing system to communicate with other employees and
associates. Meeting Place can also be found on some direct-dial 800 numbers.
Unlike other teleconferencing systems such as AT&T's Conference service,
Latitude Meeting Place is much more advanced, allowing multi-user
configuration and automated user interfaces. Basically with these systems
you dial up the number, enter your profile number and schedule confs, via
automated user menus, the advantages being you don't need to do any
social engineering. I have written a VERY detailed phile on MeetingPlace,
you should be able to find a copy at www.darkcyde.org or in various other
places, it will go into detail on how to 'hack' a MeetingPlace system.

.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:.

Ionica:

Ionica are a fairly new Telco in the UK. Basically they are rivals with BT.
Instead of using wires to carry voice data, Ionica is based on radio
transmissions to base towers. Here is a simple diagram of how Ionica works:
(excuse my crude ASCII drawing)

Base transmitting
Equipment at house
Ie- Decryption/encryption Tranceiver tower. Decoder/Encoder
radio equipment. _/ Base station.
| /
/ /
|
|\ _____ ____ _______
/| | \ | |____-| |_______/
| |>.>.>.>.>.>.>.>.>.>.>.>.>| |======| |____-| | ______
| |>.>.>.>.>.>.>.>.>.>.>.>.>| |======| |____-|____|_______/
\| | / |_____| \______________
|/
|
Digital Switching Network

I should be writing a VERY detailed phile on the Ionica Network soon. Here
are ALL of Ionica's * services, I scanned these because I need to find the
Ionica test line, the equivalent to 17070 etc.

...Full [*] service scan...


*00# not available from this line
*02*37# not available from this line
*03*37* not available from this line }na
*21* not available from this line
*227# not available from this line
*231** dial a number
*25* na
*261# na
*27# same as [1471]
*28# you have no new calls to return
*331# bars out going calls
*352# na
*351* na
*37# sorry, ring back service cannot be used on this call
*40# na
*411# na
*43# call waiting is in operation
*44* [security code] * phone number # -you have dialed incorrectly
*471* na
*51* na
*52# na
*53* na
*54# na
*55* na
*56* na
*61* na
*62* na
*64* [security code] * phone number # -you have dialed incorrectly
*65* [security code] * phone number # -you have dialed incorrectly
*66* na
*67* na
*68* na
*72* na
**1 na
**2 na
**3 na
**4 na
**5 na
**6 na
**7 na
**8 na
**9 na
**0 na
#21# na
#02*37# na
#03*37* na
#227# na
#234# na
#25# na
#261# na
#331* na
#341* [security code] #
#342* same
#343* same
#344* same } call barring cancellers
#345* same
#346* same
#351* na
#37* *anything# ringback request cancelled
#411# na
#43# call waiting cancelled
#44* [security code] same as before
#471* na
#51* na
#51# na
#52# na
#53# na
#55# na
#56* na
#56# na
#61# na
#62# na
#64* [security code] same as before
#65* same as above
#66# na
#67# na
#68# na
#72# na
*#02*37# na
*#03*37# na
*#21# na
*#227# na
*#234# na
*#25# na
*#261# na
*#331# na
*#34# tells you what call barring is in operation
*#35# na
*#37* dial the number of the ringback request you wish to control
*#441# na
*#43# call waiting is in operation
*#44* [security code] same as before
*#51* na
*#51# na
*#52# na
*#53# na
*#55# na
*#56# na
*#61# na
*#62# na
*#64* [security code] same as before
*#65* same as above
*#67# na
*#68# na

...Funny things I have noticed about ionica...


* On rare occasions I have dropped into other people's conversations, I can hear
them but they can't hear me.

* On 1 occasion the phone rang, I picked up and I heard 2 people talking
to each other. Again they could not hear me.

* In the early hours of the morning, usually about 3am, sometimes the phone
seizes, and I can hear an alternating tone. This tone is usually present
for exactly 1 hour (3am-4am) No dialtone can be retrieved. This has
happened when I have been talking to someone, and even when I was in the
middle of dialing a number. I have a suspicion that this may be some kind
of test tone, considering the hours at which it happens...

* If I hit * 4 times a tone is emitted... it will stop after a while. When
someone tries to phone me, while the tone is present or after it has stopped
they will hear no ring, but drop directly onto my line. Again I can hear
them, but they can't hear me.

* If you listen to the earpiece very carefully and gently push the hang-up
button, you can hear people talking for about a second or so.

* Also I have noticed a lack of test numbers for ionica, so I decided to try
out all of their [*] services to see if there was anything interesting
there.

.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:.

How to Get/Not get busted:

It can be very easy to get busted phreaking in the UK if you are not
careful. If you follow the 1 golden 'rule' of phreaking (common sense) you
should be OK. Here are some simple guidelines to help you:

-Never BlueBox or 'manipulate' the switching system from home, if you can be
bothered, use a phone box. :)

-Never heavily (ab)use a PBX from home. If you do use PBXs from home, you
should route your call through a string of PBXs before placing a call.
Even if you do this, it can be easy for the gestapo to find you, due to
PBX internal logs.. They can trace you through a process called 'hopping'.
It is a good idea to 'sit' on a PBX system for a few minutes before dialing
out.. While you are sitting on a system, other legit users will be making
calls, it will be harder for them to guess which calls you made, since your
call will be mixed in with others.

-Don't let anyone know you are a phreak, some people can be real bastards..
all they have to do is ring BT, or whatever and tell them what you are doing.
They will then place a Monolouge on your line which will record all DTMF
tones you emit. This will be used as evidence against you.

-Don't EVER tell ANYONE your real name, or any other self descriptive info.

-Don't trust ANYONE.

-Never dial direct into ANYTHING, even a VMB. Always route your call as
described before.

-Don't go on IRC with your own nick.

-Never dial your own number with a PBX.

-Don't scan too much in a short amount of time, spread your scans out over a
long time period.

-Encrypt your WHOLE hard drive, have a 'logic bomb' ready to overwrite and
completely shred any information that could be used against you.

-When communicating through email always use strong encryption techniques
such as PGP.

-Keep all mobile communications equipment anonymous, ie- Cell phones, pagers.

-Never post to Newsgroups from your own box, if you do post, do it
anonymously.

-Never sell PBXs or any other code, if that person gets busted they WILL
blame it on you.

-If someone manages to get your doc's, STOP phreaking. Detach yourself from
the phreaking community for a long period of time.. Come back with a
different nick and tougher security.

-Phone your Telco and get them to automatically block your CLID.

-Use your brain! phreaking isn't just about exploring the phone network, it's
also about out-smarting people, think 9 steps ahead!

If you follow these simple 'rules' you should be fine, it's just common sense
really.
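
The PBX-log tracing mentioned in the guidelines above, seen from the PBX owner's side. This is an added example, not part of the original phile: it pairs each outbound trunk call that has no internal extension with the inbound call whose lifetime contains it. The CDR layout, field names and sample rows are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed CDR sample; the layout and field names are assumptions.
# "origin" is the internal extension that placed an outbound call and is
# empty when the call was placed from a trunk (remote access / DISA).
SAMPLE_CDR = """\
id,start,duration_s,direction,trunk,origin,remote
1,1998-09-12T02:10:00,1500,in,T1,,01632960001
2,1998-09-12T02:11:30,45,out,T2,2041,01632960555
3,1998-09-12T02:16:10,1100,out,T3,,0016505550100
4,1998-09-12T09:00:00,300,in,T1,,01632960002
5,1998-09-12T09:02:00,120,out,T2,2044,01632960777
"""


def parse_cdr(text):
    """Parse CDR text into dicts carrying datetime 'start' and 'end' fields."""
    calls = []
    for row in csv.DictReader(io.StringIO(text)):
        start = datetime.fromisoformat(row["start"])
        row["start"] = start
        row["end"] = start + timedelta(seconds=int(row["duration_s"]))
        calls.append(row)
    return calls


def find_trunk_to_trunk(calls, slack_s=5):
    """Pair trunk-originated outbound calls with the inbound call carrying them.

    The inbound leg must be up for the whole outbound call, so the test is
    interval containment, not closeness of the two start times.
    """
    slack = timedelta(seconds=slack_s)
    inbound = [c for c in calls if c["direction"] == "in"]
    hits = []
    for out in calls:
        if out["direction"] != "out" or out["origin"]:
            continue  # placed from an internal extension: normal traffic
        for inc in inbound:
            if inc["start"] <= out["start"] and out["end"] <= inc["end"] + slack:
                hits.append({
                    "inbound": inc["id"],
                    "outbound": out["id"],
                    "lag_s": int((out["start"] - inc["start"]).total_seconds()),
                    "from": inc["remote"],  # number to pass to the upstream operator
                    "to": out["remote"],
                })
    return hits


if __name__ == "__main__":
    for hit in find_trunk_to_trunk(parse_cdr(SAMPLE_CDR)):
        print(hit)
```

The pairing does not depend on how soon after connecting the outbound call is placed, since the inbound leg has to stay up for the whole of it.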

.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:.

Final Misc Phreaking Tips: ;)

-ALL VodaPhone voicemail services have a default passcode of 3333. If you
know someone with a VodaPhone, ring it when you know the voicemail will
come on. Hit 9, then 3333. You will then be able to change the person's OGM
and listen to their messages etc.

-ALL BT pagers have a default passcode of 0893. To enter someone's pager,
phone it and enter * at the OGM, you will be prompted for a passcode, enter
0893. You will then be able to do a variety of things, discussed in another
phile of mine.

-Most extender tones will have a passcode of 9999.

-Most OCTEL VMB system Admin boxes will be 9999, the passcode is another
story.
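
A passcode check for the weaknesses listed above and in the Information Gathering section (boxes left in the default state with the passcode equal to the box number, 2-digit answerphone passcodes, default passcodes), for use when a mailbox passcode is set or provisioned. This is an added example, not part of the original phile; the function names, the minimum length and the sample rows are assumptions.

```python
# Default passcodes named in this phile; extend with your own vendor's defaults.
KNOWN_DEFAULTS = {"3333", "0893", "9999"}
MIN_LENGTH = 6  # assumed policy value, not from the phile

# Constructed sample of (box number, proposed passcode) pairs.
SAMPLE_ROWS = [
    ("4100", "4100"),
    ("4101", "9999"),
    ("4102", "73"),
    ("4103", "123456"),
    ("4104", "805271"),
]


def is_sequence(pin):
    """True for ascending or descending digit runs such as 1234 or 9876."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return len(pin) > 1 and steps in ({1}, {9})


def audit_pin(box, pin):
    """Return the reasons a mailbox passcode is weak (empty list = pass)."""
    if not pin.isdigit():
        return ["non-numeric or empty passcode"]
    findings = []
    if pin in (box, box[::-1]):
        findings.append("derived from box number")
    if pin in KNOWN_DEFAULTS:
        findings.append("known default passcode")
    if len(pin) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} digits")
    if len(set(pin)) == 1:
        findings.append("single repeated digit")
    elif is_sequence(pin):
        findings.append("sequential digits")
    return findings


def audit_rows(rows):
    """Map each failing box number to its findings; passing boxes are omitted."""
    report = {}
    for box, pin in rows:
        findings = audit_pin(box, pin)
        if findings:
            report[box] = findings
    return report


if __name__ == "__main__":
    for box, findings in audit_rows(SAMPLE_ROWS).items():
        print(box, "; ".join(findings))
```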

A few cool numbers: (I just had to put these in!) ;7)

2600 =VOICE= BBS! (US number) [001]- 516-473-2626... Why can't we have
something cool like this in the UK!?

DEFC0N =VOICE= BBS! (US number) [001]- 801-855-3326, you can sometimes find
me on the voice bridge.

A few Carriers I have found:

0800-897-903 'Call Intercepted by DEFENDER 5000.. Unauthorised use of this
System is PROHIBITED'

0800-897-982 'Max 200 Server 2.01'

0800-897-967 'AT&T Info Access System' -guest/guest.. Telnet prompt.

0800-963-101 'WebTV Networks.inc

0800-897-359 'Starting RADIUS Authentication @UserID

0800-897-307 'PIPELINE Terminal Server'

Anyway that's it for this phile, I hope you have found it useful. If you
need more detailed information, keep an eye on the DarkCYDE_Communications
website. www.darkcyde.org, it will be updated constantly.

-Peace. ,
/( )`
\ \__ / |
/- _ `-/ '
(/\/ \ \ /\
/ / | ` \
O O ) |
`-^--'`< '
(_.) _ ) /
`.___/` /
`-----' /
<----. __ / __ \
<----|====O)))==) \) /==== Hybrid
<----' `--' `.__,' \
| | g0d@deathsdoor.com
\ /
____( (_ / \______ www.darkcyde.org
,' ,----' | \
`--{__________) \/


___ ___ _____.___.____________________ ____________
hybrid@b4b0.org / | \\__ | |\______ \______ \/_ \______ \
hybrid@ninex.com / ~ \/ | | | | _/| _/ | || | \
hybrid.dtmf.org \ Y /\____ | | | \| | \ | || ` \
---------------- \___|_ / / ______| |______ /|____|_ / |___/_______ /
\/ \/ \/ \/ \/




























































