Basic phreak information,
I've been around for a while now, and there is AFAIK only one general
phreaking phile specific to the U.K. It is written by Pharlin J. Hack and
available at http://www.paranoia.com/~coldfire - a site to which I owe a
lot. This is no attempt to outdo it, but rather to complement available
information. Some of the information will be from cut-down versions of
philes I have written; you are encouraged to go out and learn something and
release the information yourself. If anyone needs a distro site we will be
happy to 'publish' your stuff with full credits.
Needless to say this information is not to be used for illegal purposes
and I cannot accept any responsibility in the event you get busted.
So what are we going to cover?
-Beige boxing
-Blue boxing
-VMB hacking
-Payfone vulnerabilities
-Ansafone hacking
-Other boxes
-The line monitor
-What else is there?
-Resources and references
If I start to include anything else this is going to become a monster
phile and I have to do this in half an hour before I get kicked off the
computer.
Beige Boxing
~~~~~~~~~~~~
This is really the only thing you'll ever need to know if you're just into
free calls. It is the simplest phreaking technique known to man, and here
is a cut down version of a very long phile due for release in August :
If you're contemplating a move into the world of boxes, there can be no
easier, or ultimately rewarding mini-project than the beige box. Why is it
called a beige box? Why is a blue box called a blue box? It's all
historical, the first person to make a beige box made theirs from a beige
coloured handset. If we were all going to name boxes after their true
colour, then I would use an 'Off-White' box.
So before we go into the rather basic construction details, why do you need
a beige? First and foremost for using BT PCPs (Primary Cross-connection
Points, them green boxes) as a convenient launching pad for your exploits,
either from the PCP's internal line or off a customer whose pair is
terminated in that box.
Firstly go and buy a fone. Get a self contained handset type one - like
the cheapest ones out of the Argos catalogue. Check for : tone/pulse
switching, a ringer on/off switch and PABX compatibility.
Now cut the modular jack from the fone lead with wire clippers, leaving
about 30cm of cord attached to the jack, and strip a couple of inches of
insulation from the cord ends. It is possible to do this without cutting
anything up at all: the gold pins of the jack can be prised out and new
wires added in, extending the reach of your fone rather than shortening it.
Inside the cord you will find three wires. I have torn up enough fones
to know that there is no attempt at convention in their colouring. Get
some colour-coded crocodile clips and solder or crimp them onto the wires
of both the fone and the plug, after exposing a centimetre or so of each
wire's core. This can be a pain, and is not really necessary if you are
using the box with an arsenal of dedicated line monitors. More later...
Now you need to determine which wire does what. Plug the jack into a wall
socket and clip the crocodile clips to their colour-coded counterparts. You
will notice that only two wires are required for a dial tone. Make a note
of which two so you aren't fumbling around on the job. I removed the crocs
from the third wire (which is basically your ring indication) to make life
easy; ring indication is not necessary with a line monitor.
You now have a pristine beige box. Take it apart, put it back together,
slap some tape and dirt on it so you look like a pro and then get to a fone
line/PCP.
In order to get into a PCP beg, borrow or steal a hex wrench; the 13mm
one will fit the triangular bolt on a PCP. Find a quiet box. It's not easy,
but when you find *the* box ;-). Do it at night. Unscrew the bolts and
pocket them. Have your beige connected to the modular jack, and open the
PCP. Look around and find the BT socket. Plug yourself in and listen. You
should hear a dial tone; if you don't, you screwed up somewhere along the line.
These lines are normal BT lines. It is inadvisable to call your mates, but
bring along a laptop and you can dial up boards, scan numbers, wardial etc.
This kind of stuff will get you noticed. Assuming that BT does actually
monitor these lines for unusual activity, international calls will be
noticed. Mind you I have heard BT engineers yabbering away on them to their
mates/wives/mistresses etc.
All those wires in the box will take you into subscribers fone lines.
Now is *not* the time to go into pair localisation etc. because it is
covered on Coldfire's site and besides in the full phile we have a number of
nice tricks to reveal. So what can you do with someone elses fone line? If
you haven't got any thoughts in your head - retire.
As a matter of courtesy, bolt up the PCP when you've finished. This is
going to extend your boxing life. Now sometimes you will hit a box with
wiring diagrams, anything from specific diagrams for the PCP internals to
(more frequently) a cable diagram for the PCP area. This can be anything
from an A4 sheet up to 3 or 4 A3 sheets. These will give you a map reference
(although for what map I don't know), the 'PCP Area', which exchange the
cables are routed to, the location of PCP's and manholes in the area (down
to the numbers of the houses they are outside). They also have a history of
amendments to the original map. With a little local knowledge and a single
one of these maps it is possible to find the next box with a map, and so
on - until you know the local area better than BT. If you're feeling very
nice you can photocopy and return them, or consult them on the spot and
never remove them from the PCP.
Ever heard of a Beagan box? Me neither until last week, but it is
something that can be done. It's a fairly lame idea, but it works. Think
many feet of cable.... Think drill... Think back of a junction box and under
a hedge.... It makes a real difference: instead of standing in the middle of
nowhere clipped into a PCP you are sat in a car, nice and warm, doing the
same thing.
Using the beige you can also use domestic lines, payfone lines etc. All
you need to do is make a razor-thin cut in the insulation of the line cord
and hook the beige's wires around the cores... A favourite place is train
stations, because there are fone wires all over the place. Try schools and
hospitals (where they plug their payfones into the wall using standard BT
plugs (haha)). There are a lot of things you can do.
Blue Boxing
~~~~~~~~~~~
This is either impossible or possible, depending on who you speak to. I
dabbled ages ago, but it's worth playing around with.
Blue boxing is the art of seizing trunk lines in another country with the
effect that you have operator control over the line.
BT and Mercury have 'country direct' numbers which basically route you to
an internal operator of another country. A recent list of numbers for BT
follows :
COUNTRY NUMBER
~~~~~~~ ~~~~~~
o AT&T USA direct 0800 890 011
o Australia direct 0800 890 061
o Austria direct 0800 890 943
o Bahamas direct 0800 890 135
o Bahrain direct 0800 890 973
o Belgium direct 0800 890 032
o Bermuda direct 0800 890 123
o Bolivia direct 0800 890 059
o Brazil direct 0800 890 055
o Brunei direct 0800 890 673
o Canada direct 0800 890 016
o Chile direct 0800 890 056
o Colombia direct 0800 890 057
o Denmark direct 0800 890 045
o Finland direct 0800 890 358
o France direct 0800 890 033
o Gabon direct 0800 890 241
o Germany direct 0800 890 049
o Greece direct 0800 890 030
o Hawaii direct 0800 890 808
o Hong Kong direct 0800 890 852
o Hungary direct 0800 890 036
o Iceland direct 0800 890 354
o Indonesia direct 0800 890 062
o Ireland direct 0800 890 353
o Italy direct 0800 890 039
o Japan direct (KDD) 0800 890 081
o Japan straight (IDC) 0800 890 080
o Korea South direct 0800 890 082
o Korea South (DACOM) 0800 890 820
o Luxembourg direct 0800 890 352
o Macao direct 0800 890 853
o Malaysia direct 0800 890 060
o MCI Call USA 0800 890 222
o Netherlands direct 0800 890 031
o New Zealand direct 0800 890 064
o New Zealand (C COMMS) 0800 890 640
o Norway direct 0800 890 047
o Paraguay direct 0800 890 595
o Philippines direct 0800 890 063
o Philippines (PHILICOM) 0800 890 633
o Phone USA TRT 0800 890 456
o Portugal direct 0800 890 351
o Singapore direct 0800 890 065
o South Africa direct 0800 890 027
o Spain direct 0800 890 034
o Sweden direct 0800 890 046
o Switzerland direct 0800 890 041
o Taiwan direct 0800 890 886
o Thailand direct 0800 890 082
o Turkey direct 0800 890 090
o U.A.E direct 0800 890 971
o Uruguay direct 0800 890 598
o USA Sprint Express 0800 890 977
o Venezuela direct 0800 890 058
What you are looking for is a country that has a CCITT-5 line. But how do
you tell this line from any other? When the line is picked up there is a
distinctive 'cheep'. Put it this way, you won't hear it if you start
dialling so-called 'developed' countries. When you have a CCITT-5 line it
is sometimes possible to seize it. This requires the generation of tones.
On the PC then BlueBeep is the definitive blue box program, if you have a
Mac, then try one of the blueboxes from Kaos and Logix of the Network
(Fone Tone Pro and Blubox respectively).
Seizing involves sending a combined 2600Hz+2400Hz tone (the clear forward)
down the line for about 100ms-500ms. This is generally followed by a 2400Hz
tone on its own (the seize) for the same time. Some systems require a
2600/2400 clear forward of only 100-150ms and then the seize tone. There are
no hard and fast rules for this EXCEPT THE TONES, so you will need to
experiment with the timings of both the tones and the delay between them.
Signalling is a two-way thing, so each burst is replied to with an
acknowledgement from the far end (a seize is answered by proceed-to-send).
Now you can place a call. The convention is :
KP2+countrycode+0+areacode+number+ST for international calls
KP1+0+number+ST for placing a call in the country
KP1+2+Code11+ST should connect you to the inward operator
So what are all these cryptic acronyms?
KP = Start of pulsing; KP1 indicates a national call and KP2 an
international one.
ST = End of pulsing, i.e. no more digits to follow
Now for the tones :
Digit Freqs (Hz)
~~~~~ ~~~~~~~~~~
1 700/900
2 700/1100
3 900/1100
4 700/1300
5 900/1300
6 1100/1300
7 700/1500
8 900/1500
9 1100/1500
0 1300/1500
KP1 1100/1700
KP2 1300/1700
ST 1500/1700
C11 700/1700
C12 900/1700
The timings are supposed to be critical and the standards are:
Between seize and KP = 80+/-10ms
KP signal duration = 100+/-10ms
Other signals = 55+/-1ms
Delay between digits = 55+/-1ms
Points to note : if at first you don't succeed, try and try again because :
o Some countries allow international calls via KP1 routings
o Others differ in KP2 routing conventions (eg KP2+00+countrycode+number+ST)
o The ubiquitous +0+ can be replaced with other digits
o Timings can vary quite dramatically. You need to experiment!
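As an added worked example (this is not code from the phile, nor from BlueBeep or the Mac boxes named above), here is the register-signalling scheme from the two tables above in Python. A dial sequence such as KP2+countrycode+0+areacode+number+ST is turned into two-frequency segments using the page's timings, rendered as audio, and then decoded again with a Goertzel filter bank, which is what the far-end register (or a fraud-monitoring box sitting on the line) has to do to read the digits back. The frequencies and durations are the page's; the 8 kHz sample rate, the 10 ms analysis frame, the thresholds and the dial string are my assumptions.

```python
"""CCITT No.5 register signals: encoder, synthesiser and Goertzel decoder.
Added example, not from the original phile. Frequencies and timings come
from the tables above; sample rate, frame size and thresholds are assumed."""
import math

RATE = 8000    # assumed sample rate (telephony band)
FRAME = 80     # 10 ms frame: every MF frequency lands on an exact DFT bin (100 Hz spacing)

MF_TONES = {   # register signal -> (lower Hz, upper Hz), as in the table above
    "1": (700, 900),  "2": (700, 1100), "3": (900, 1100),
    "4": (700, 1300), "5": (900, 1300), "6": (1100, 1300),
    "7": (700, 1500), "8": (900, 1500), "9": (1100, 1500),
    "0": (1300, 1500),
    "KP1": (1100, 1700), "KP2": (1300, 1700), "ST": (1500, 1700),
    "C11": (700, 1700), "C12": (900, 1700),
}
PAIR_TO_SIGNAL = {pair: name for name, pair in MF_TONES.items()}
FREQS = (700, 900, 1100, 1300, 1500, 1700)
KP_MS, SIGNAL_MS, GAP_MS = 100, 55, 55   # KP 100 ms, other signals 55 ms, 55 ms between


def parse_dial_string(text):
    """'KP2 44 0 171 1234567 ST' -> ['KP2', '4', '4', '0', '1', '7', '1', ..., 'ST']."""
    out = []
    for token in text.split():
        if token in MF_TONES and not token.isdigit():
            out.append(token)            # KP1, KP2, ST, C11, C12
        elif token.isdigit():
            out.extend(token)            # digit groups become one signal per digit
        else:
            raise ValueError("unknown signal %r" % token)
    return out


def encode(signals):
    """Signal names -> list of (f1, f2, ms) segments; (None, None, ms) is silence."""
    segments = []
    for i, name in enumerate(signals):
        if i:
            segments.append((None, None, GAP_MS))
        f1, f2 = MF_TONES[name]
        segments.append((f1, f2, KP_MS if name.startswith("KP") else SIGNAL_MS))
    return segments


def synthesize(segments, rate=RATE):
    """Render segments to a list of float samples in [-1, 1] (two equal-level sines)."""
    samples = []
    for f1, f2, ms in segments:
        for k in range(rate * ms // 1000):
            if f1 is None:
                samples.append(0.0)
            else:
                t = k / rate
                samples.append(0.5 * (math.sin(2 * math.pi * f1 * t)
                                      + math.sin(2 * math.pi * f2 * t)))
    return samples


def goertzel_power(frame, freq, rate=RATE):
    """Energy of one frame at a single frequency (Goertzel: one bin, no FFT)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def classify_frame(frame, min_power=20.0, dominance=4.0):
    """Name of the MF signal heard in one frame, or None for silence/garbage.
    Requires two clearly dominant frequencies (thresholds are assumed values)."""
    powers = sorted(((goertzel_power(frame, f), f) for f in FREQS), reverse=True)
    (p1, f1), (p2, f2), (p3, _) = powers[:3]
    if p2 < min_power or p2 < dominance * p3:
        return None
    return PAIR_TO_SIGNAL.get(tuple(sorted((f1, f2))))


def decode(samples, rate=RATE, frame=FRAME, min_frames=2):
    """Audio -> list of (signal name, duration ms). A signal has to persist for
    min_frames consecutive frames, so a partial frame at a tone edge cannot
    invent a digit on its own."""
    found, current, run = [], None, 0
    for i in range(0, len(samples) - frame + 1, frame):
        name = classify_frame(samples[i:i + frame])
        if name is not None and name == current:
            run += 1
            continue
        if current is not None and run >= min_frames:
            found.append((current, run * frame * 1000 // rate))
        current, run = name, 1
    if current is not None and run >= min_frames:
        found.append((current, run * frame * 1000 // rate))
    return found


if __name__ == "__main__":
    # constructed dial string: KP2 + UK country code + 0 + area code + number + ST
    signals = parse_dial_string("KP2 44 0 171 1234567 ST")
    print(decode(synthesize(encode(signals))))
```

The decoder reports durations as well as names, so it also shows why the timings matter: a KP of under about 80 ms or a digit far off 55 ms is exactly the sort of thing a register rejects and a monitoring box flags. The same Goertzel bank will pick out the 2400/2600 Hz supervisory tones if those frequencies are added to FREQS, since both fall on exact bins at this frame size.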
VMB hacking
~~~~~~~~~~~
Right, voicemail may be the bane of a lot of people's lives, but for the
phreak it is a joy. A voicemail system is a glorified ansafone with enough
fun things to play with to keep you occupied.
How do you find a voicemail system? First of all, unless you are
phreaking the call *already*, stick to 0800 and 0500 numbers. Now here it
starts to get a bit repetitive because you need to sequentially dial a few
hundred numbers to glean a good set of voicemail systems. Do not confuse
voicemail with an ansafone! A voicemail system will either tell you it is
the voicemail system of company X or it will just prompt you for a mailbox
number and password. Scanning will also provide you with carriers to
explore and a number of funky things to play with... such as Department of
Defence dialups :-)
Not all systems are up 24hrs a day, and it is nice to find one that is.
If you find a VMB in say the US, then remember the time difference.... you
may simply be calling in the middle of the night rather than finding a
permanent VMB. When you get a system you are generally presented with the
option of leaving a message "Please dial the extension of the person you are
trying to reach" or given instructions to press '#' if you have a mailbox on
the system. Listen to all the prompts and write them down, because mapping
a VMB is very important in discovering all the phun things.
You will now need to find a valid mailbox... This can be achieved by
stepping up in blocks of 500 from 0000 to 9500 if it is a four digit mailbox
system or 000 to 950 in steps of 50 on a three digit system. Be warned,
some 4 digit systems will reject an incorrect mailbox number after 3 digits
which is very confusing. The trick is to learn the delay between an
incorrect number and the system warning you it is wrong, because if you hit
three digits and it takes longer than usual to kick you out try adding a
fourth digit. Some systems require you to enter the '#' after the box
number. Now a quick and dirty way of doing this on some systems is to use
the user directory - which enables you to search for people on the system by
using the keypad letters (1 = ABC etc.). If you find this facility then
just plug stuff randomly into it - eventually it will credit you with a hit
and give you an extension or voicemail box.
When you hit a box, map around it by trying sequential boxes up and down
from the one you find. Boxes are usually in clumps, but a canny sysadmin
will dot them around in no particular order. When doing this kind of
internal wardialling simply press the '*' after every mailbox you try -
this generally backs you up a level and allows you to plug away for hours
without redialling the VMB number.
It is generally not advisable to hack people's voicemail, but rather to
find an empty box. An empty box will either have no name associated with
it, or on Aspen systems a message saying "Voicemail can significantly
increase your productivity....". When you get this, pat yourself on the
back, because you're nearly home and dry. Empty boxes are often very simple
to hack, but you need to work out how many digits the passcode is. Aspens,
Octels etc. generally use four digits, and Aspens especially have the default
login code the same as the empty box number. Again, smart sysadmins will
change the default code, but try 1000, 2000 etc. and other simple
combinations and permutations to access the box. Be warned though: NYNEX
VMBs have been found to have up to seven digit passwords, and one system
has nine digit codes :-(
Eventually you will have a box under your control. Now you need to map
the system thoroughly, exploring every menu option, setting up your personal
greeting (hint: don't set up a box with your handle, because if someone
accidentally dials your box to be greeted by an effusive