==Phrack Inc.==

Volume Three, Issue Thirty-four, File #9 of 11

._._._._._._._._._._._._._._._._._._._._._._._._.
!                                               !
!     Advanced Modem-Oriented BBS Security      !
!                                               !
!         By Laughing Gas and Dead Cow          !
!                                               !
!    Written Exclusively for PHRACK 8/22/91     !
!_._._._._._._._._._._._._._._._._._._._._._._._!

* Introduction =-= Things you need to know *

This is an introduction and guide to setting up your BBS and modem so that a
caller must know a certain code and append it to his dialing string in order
to access the BBS. This lets you have yet another way (besides newuser
passwords, etc.) to lock out unwanted callers. You can also set a certain
pattern for your board's numerical code based on the day or the month or
something, and distribute this pattern instead of having to distribute the
access code.

You must have an intelligent modem to be able to run a board which requires
the access method I'm going to be discussing in this file. However, you don't
need an intelligent modem to be able to call the same board, but you do have
to enter the code manually if you do not have an intelligent modem. (So only
certain people can run a board with this method of access control, but
>almost< anyone can call one.)

All modem commands in this manual will be Hayes 'AT' style commands, and some
may be available only to USRobotics Courier modems with v.42bis, or certain
other intelligent modems. If you can't get it to work with your modem, your
modem may not be able to do it, but try looking in your modem manual, just in
case.

NOTE: The ONLY modem that this method has been tested with is a USRobotics
Courier HST modem (the new kind) with the v.42bis. I tested it with my modem,
which is an older HST (14.4, but no v.42bis), and it did NOT accept the AT%T
command (it returned "ERROR"). Check page 83 of your HST manual for more info,
or type AT%$ for on-line help from the modem firmware. (About as helpful as
the manual, and neither are very detailed.)

Things to know:

         ATDT1234567;     This command causes your modem to dial 1234567
                          and then return to command mode.

         ATDT1234567@1;   This command causes your modem to dial 1234567,
                          wait for an answer, dial 1 and return to command
                          mode.

 |-----> AT%T             This command causes every tone that goes into the
 |                        modem to be identified and followed with a 0.
 |
 |----------------------  This is the key to the whole enchilada.

Alternate commands may be available depending on your modem type.

* Concept =-= How-To *

The concept for the BBS access code would be as follows. The caller dials the
number to the BBS; when the BBS picks up, it sends a digit, then the caller
sends a responding set of digits. If the digits which the caller sends match
the access code for the BBS, the BBS will send an answer tone and the caller's
modem will acknowledge and connect.

How it works is like this:

(Sample Transcript)

  CALLER> ATDT1234567@234
     BBS> RING
     BBS> ATDT1;
     BBS> OK
     BBS> AT%T
     BBS> 203040
     BBS> ATA

What happens is the caller dials 1234567 (the number of the BBS). The '@'
tells the caller's modem to wait for a result (which is received when the BBS
gets a ring and sends a 1), then the caller's modem dials 234 (the access
code). After the BBS sent the '1' it got an OK, so it sent an AT%T, which told
it to monitor tones. This command returned "203040", which is 2, 3 and 4, each
followed by a 0 (the format of the output of AT%T); the BBS software would
have to watch for this string. Since 234 was the right code, the board sent an
ATA, which would connect the caller since its dial command was still open. If
234 hadn't been the code, then the BBS would have sent an ATH0.

* Manual Dialing =-= Lame modems *

Anyway, if you don't have a modem that does the AT%T or ATDT1; commands you
CANNOT run a BBS with this type of security, unless your modem has EQUIVALENT
commands, or you can figure out a way to do it with the commands your modem
has.
The toughest part is the reading of tones, which, as far as I know, is unique
to the HST/Courier modems.

However, if your modem does not do the ATDT1@1 thing, then you can PROBABLY
still call a board using this security. This is assuming you can just send a
"dial command" to your modem without a number (i.e. ATD on an HST). What you
do is dial the BBS number manually, then you'll hear a beep; you dial the
code, then send the dial command to your modem and put the phone down. This
should connect you in the same fashion (i.e.):

  CALLER> manually dials BBS
     BBS> ATDT1;
  CALLER> hears beep and dials 234, then sends ATD to his modem and puts
          the phone down.
     BBS> OK
     BBS> AT%T
     BBS> 203040
     BBS> ATA
  CALLER> his modem connects.

* Bells and Whistles =-= Wrapping It Up *

Your options when using this type of security. There are many different
things you can do.

Method #1: You can say "Hey, the access code for my board is 234" and give
           that to the people you want to call.

Method #2: Set a pattern for your access codes. Say, the date (i.e., for
           today, 8-22-91, the code would be 082291), or you could get more
           complex (add one to each digit, run it through an algorithm, etc.)

Method #3: Distribute a program that generates the code based on the day,
           the month, what have you. (However, this is only a solution if
           you can either distribute a program like this to EVERY type of
           operating system, or you only want callers from one operating
           system (or several, the only ones you can produce it for).)

Method #4: Have the BBS accept several codes, and give out a different code
           to each class of users (say, newusers to apply = 1234,
           validated = 2345, elite = 3456) or something like that. This
           would allow for control of who calls when, as well as logging of
           call class frequency, etc.

Method #5: Have a specific code for each user. This would take a lot of
           maintenance, but would provide for a VERY secure BBS environment.
           This would allow the same advantages above as well (logging,
           freq., etc.).

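The BBS-side check that the Concept section and Methods #2 and #4 describe, as an added sketch that is not part of the original file: it decodes an AT%T report, accepts either a class code or the date code, and returns the command the board should send (ATA or ATH0). The function names, the digits-only restriction and the "date" label are assumptions; the report format and sample codes are the ones shown in the article.

```python
import hmac
from datetime import date

# Method #4 sample codes from the article; the class labels are its examples.
CLASS_CODES = {"1234": "newuser", "2345": "validated", "3456": "elite"}

def decode_tones(report: str) -> str:
    """Turn an AT%T report ("203040") into the keyed digits ("234").

    Assumes the format in the article's transcript: every tone is followed
    by a filler '0', so a keyed 0 shows up as "00". Digits only (assumption).
    """
    report = report.strip()
    if len(report) % 2:
        raise ValueError("odd-length tone report")
    tones, fillers = report[0::2], report[1::2]
    if not tones.isdigit() or set(fillers) != {"0"}:
        raise ValueError("malformed tone report")
    return tones

def date_code(day: date) -> str:
    """Method #2: the date as MMDDYY, e.g. 8-22-91 -> 082291."""
    return day.strftime("%m%d%y")

def gate(report: str, today: date, class_codes=CLASS_CODES):
    """Return (modem command, caller class) for one incoming call."""
    try:
        keyed = decode_tones(report)
    except ValueError:
        return "ATH0", None          # garbled or partial entry: hang up
    accepted = dict(class_codes)
    accepted[date_code(today)] = "date"
    matched = None
    for code, label in accepted.items():
        # Constant-time compare, and no early exit, so response timing
        # does not hint at which code or how many digits matched.
        if hmac.compare_digest(keyed.encode(), code.encode()):
            matched = label
    return ("ATA", matched) if matched else ("ATH0", None)

if __name__ == "__main__":
    today = date(1991, 8, 22)                     # constructed sample calls
    for report in ("20304050", "008020209010", "203040", "2030x0"):
        print(report, "->", gate(report, today))
```

The code travels as plain DTMF, which the article itself notes an AT%T-capable modem on the line can read, so a fixed code stays valid after being overheard while the date code at least expires with the day. The returned class label is what makes the per-class logging in Method #4 possible.
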
One thing to keep in mind, however: if you have an access code generated by a
program or by the date, etc., you have to change the code whenever the
program would.

An interesting side note here is that the AT%T command can be used to call a
COCOT (private payfone) and record the tones, or possibly to record codes
other people entered, etc. (I.e., bring your laptop with modem to an office,
attach it to an extension and wait for a person to pick up, issue the ATD;
command right away, then the AT%T command. If the person dials a 950, you
should get something like

     90500010003030 (pause) 203040506070

that is assuming the code is 234567. Congratulations, you now have their
code.) The modem can recognize the DTMF tones for 0-9, *, #, and the silver
box tones A, B, C, and E. I'm sure other interesting uses for this feature can
be found, and I'd love to hear from the other people out there in the h/p
world. I'm sure a lot of you have seen me around; for those that haven't, I
can be reached on my board, Solsbury Hill or Ripco (312), or on Internet as
lgas@doomsday.spies.com.

(Note: Spies is down as of this writing. I have some other accounts, but I'd
prefer that most of them remain unknown... if anyone wants to offer me an
account I can use just for mail where I can have my alias for the account
name, on a stable system, please contact me.)

* Non-BBS Oriented Stuff =-= Conclusion *

In some issue of 2600 magazine someplace at some time they published an
article on how to build a tone detection device: Now you have your own, built
in to the modem.

An example application of this "in the field" would be calling a COCOT and
using the modem to decipher the tones. That would be done:

     ATDT3014283268;       ;call the COCOT
     AT%T                  ;get tones

It should respond with the decoded tones.

You could fool around with it and get it to accept input from a tape
recorder; this gives you a way to decipher recorded VMB passcodes, or phone
numbers, or anything else that was recorded as it was dialed.
Or use it with a radio scanner set to scan the freqs that cordless fones
operate on, and record those tones. Then play 'em back into the modem and
they're yours.

In conclusion... (ahem).. This is an area which I believe has never been
breached before, and this idea was brought to you by THUGS. As long as
technology keeps advancing, we'll be here to bring you the latest tricks such
as this one. Please contact me if you have any information about this area
(tone detection via modem, or anything relating to it at all..), especially
if you know of modems besides the v.42bis models of USRobotics' HSTs that can
do this.

Laughing Gas
Solsbury Hill BBS (301-428-3268)
_______________________________________________________________________________