                       
                 "" "" "" "" "" "" "" "" "" "" "" "" ""
                          ,;;11;.                                     ,;!!;.                   
                          11   ;;'                ,1;;|1,;||;,.       |1  '11 leetophreakoheadz                 
                          11  1;               11'  "1;'    '11      |1   11     'zine #4                 
                          11 1;'                1;'   11:      11     11  11        2002
                     "",;;||;;                 '1;'  11;'    ,1;     1; .1:           
                          11'                         1::;1||1'"      1;.1:'
                          11'         .               1:1'            |1!1';'11:.        
                    .,;::;1!;.,       11.             1:1             11'     11;   
                    :;    1;  "1:;,..,;:;      .:;1!  1:1             |;1     11:          
                    '1.,;'"     ";11;1      1|1    1:1            .|11     11:  ,;1;,.' 
	     	                                  '";:|1:;"          ;|1;:"    ':11;;^   	  
                                       
                                        ...We coined the term "leeto"...
                 "" "" "" "" "" "" "" "" "" "" "" "" ""

                                  issue 4

 Table Of Content (toc)
Intro By: ic0n
The Wireless beige box By: Captain B
What is a Cna Number and what can it do for me? By: ic0n  
HOW TO UTILISE NMAP'S NEW IDLESCAN TECHNIQUE PROPERLY by: pulse state 
Verizon Teleconferencing By K00p$ta Phr34k and ic0n

  __________________
 *Intro             *
 *by: ic0n          *
 *ic0n@phreaker.net *
 *__________________*

 What's up everyone, we finally decided to release issue 4 after many months of doing nothing.
 We hope you enjoy this issue of the zine and we hope to have issue 5 out sometime in July. 
 Maybe even earlier. We hope to get a lot of feedback from this zine once again to answer any
 questions you may have about phreaking, okay maybe even some hacking questions. We're going
 to start putting scans into the zine, or if we can get at least 10 scans we could make a scan 
 zine.

  _________________________
 *The Wireless beige box   * 
 *By: Captain B            *
 *_________________________*   

One thing I've come to realize is that many things in electronics use 
fairly low voltage on average, and tend to run on DC (Direct Current) 
power. Cordless phones are no exception. In case you didn't already 
know, batteries also run on DC. Can you tell where I'm going with 
this yet? Most cordless phones I've seen thus far use 9 volts to power 
the base. (You know, the unit you put your cordless phone on to charge 
it). So far, I've seen one that used 12 volts to power it. But, I think 
those that use more than 9 volts to power the base mainly tend to have 
built in answering machines, speakerphones, or other extras you 
wouldn't need during wireless beige boxing, anyway. To be sure a 
given cordless phone's base uses 9VDC (9 volts DC) to power it, look 
either on the AC adapter plug for what its voltage "rating" is 
(Displayed as 9VDC or whatever next to "output"). Disregard the input 
stats. That's the voltage/current coming into the AC adapter from the 
electrical outlet before the adapter lowers the voltage and current and 
converts it to DC. Or, you can 
also check on the back of cordless phone's base where the power cord 
connects to the back. Usually, you'll see something like "9V in", or 
simply "9V". Just as long as the phone's base uses 9 volts to power it, 
you can power it with a 9v battery. There's more than one way to go about 
this. With the 1st method, you'll sacrifice your AC adapter, since it 
involves modifying it for the purpose. So, you may want to think 
twice. With the 2nd method, you can buy a rechargeable battery charger 
called Power Bank from Radio Shack that doubles as a DC power source to 
power electronics. The 3rd method, which is probably the most complex of 
the three involves an adaptaplug, an adaptacord attached to it leading to 
a 9v battery clip soldered on at the end where the AC adapter would be. 
(Which is basically the same as the 1st method described, except you won't 
have to ruin the AC adapter that came with the cordless). 
Anyway, I'll describe only the 1st method here. But, you can always do it 
another way, too. By the way, you're going to need a wire cutter, wire 
stripper, 9v battery clip (Sold in packs of 5 at Radio Shack), standard 
60/40 solder, and a soldering iron (30 watts should be fine for the job), 
and possibly electrical tape. First, get the AC adapter and cord for the cordless 
phone. (Remove it from the back of the cordless phone). What you'll need to do 
first is cut the AC adapter off of the power cord. Now, I've come to know more 
recently that AC adapters sometimes retain some electric current even 
after being unplugged for a bit. With 9v of power, I doubt it'd be a bad shock if 
there's leftover current. But, there's a way to remove leftover current if you 
happen to have an insulated alligator clips jumper cable (Also sold at Radio Shack). 
Just connect one of the alligator clips to one of the 2 prongs on the AC adapter, 
and touch the metal part of the other alligator clip 
on the other end of the jumper cable to the other prong on the AC adapter, thereby 
shorting it. If there was leftover current, there will be a little bit of a spark. 
Okay, with that said, let's move on. As stated before, you'll have to cut the AC 
adapter off of the power cord. Then, cut a fairly small notch vertically downward 
on the power cord right between the 2 wires. Now, slowly and carefully, separate 
the power cord by pulling the 2 wires apart from each other a bit. Then, carefully 
strip about half an inch of insulation off each of the wires. Now, you can attach 
the 9v battery clip to the bare wire leads of the power cord. There's 2 ways 
this can be done: With the 1st method, you can solder the bare wire leads from the 
power cord to bare wire leads from the 9v battery clips. In which case, you'll want 
to wrap the exposed section of soldered wire with electrical tape afterward. Or, you 
can use the 2nd method and solder the wire leads from the power cord directly 
to the 9v battery connector clip. If you go that way, it may be better not 
to buy the heavy duty 9v battery clips as I think they can be a bit harder to solder 
the wire leads to. At any rate, once you have the 9v battery connector soldered up to 
the power cord, it's just a matter of connecting a 9v battery to the 9v battery connector 
to power the cordless phone's base. Optionally, you could also remove the circuit board 
from inside the casing of the cordless phone's base. After all, you need only the interior 
components and not the chassis casing to operate the cordless phone's base. If you've 
bought a cordless phone that has a particularly small base, it may even be the case 
that you could fit it all inside something. Like say inside a TNI, or inside the 
bottom base part of a fortress payphone. Use your imagination, have phun, and as 
always, be careful with everything phreaking related that you do.       


    _____________________________
   *What is a Cna Number and what* 
   *can it do for me?            *
   *By ic0n                      *
   *ic0n@phreaker.net            *
   *wrote on 3/29/02             *
   *_____________________________*


 Before I even begin: if you have never read about C.N.A., it
 stands for Customer Name and Address. There are not very many
 companies that offer this service to the public. One C.N.A. number
 was floating around the upl (phonelosers.net) Message Board 
 a while ago. The company that offered it was Johnson&Johnson; it was
 for some lawsuit. 

 Most phreaks will find use in having a C.N.A. number when beige 
 boxin'. All you need to do is get the number and call up the C.N.A.
 and enter the number that ANAC gave you. Then the system will give 
 you the name and address for that given number even if it's unlisted.
 
 There's not many CNAs around anymore, mainly because lamers use them to
 show off their leeched skills. But they're still around and 
 there's even a few toll free ones I know about.

 Ameritech offers something like a CNA service. But since it's offered 
 to the public it's got some different things. The main thing is there
 is a toll for the call and you can only get the info for 2 numbers per
 call. *Note only in 312/708 area so far 35 cents per call also*

 One last thing before I finish up on this article. There's also some
 CNAs that are 900 numbers. But you will be charged for the minutes
 and not per call like Ameritech offers. I just thought you might 
 want to know this also.


 CNA numbers that I can share with fellow phreaks
 *got any more? please contact me via e-mail with them*

 203-771-8080 CT
 312/7008-796-9600 Ameritech pay-for-play Cna
 415-781-5271 Pac Bell Cna
 513-397-9110 Cincinnati/Dayton Oh
 516-321-5700 Hempstead/Long Island Ny
 518-471-8111 Albany/Schenectady Ny
 641-464-0123 Columbus/Steubenville Oh
 813-270-8711 Ft Myers/St. Petersburg Fl
 900-933-3330 Unidirectory
 900-884-1212 Telename

 _____________________________________________________
*HOW TO UTILISE NMAP'S NEW IDLESCAN TECHNIQUE PROPERLY*
*by: pulse state                                      *
*<personaljesus@mediaone.net>                         *
*_____________________________________________________*


   Starting with Nmap version 2.54BETA30, Fyodor has implemented a new
type of clandestine portscanning called "idlescan". Since the man page
for nmap(8) does not go into much detail on this type of scanning,
I've decided to explain it from my point of view.

   Before I start, you will need...

- A computer running something other than Windows. Linux is the best
  choice for running Nmap. If you do run Linux, any kernel version
  equal to or later than 2.2.17 should work fine. Remember to login
  as root, or set Nmap to run suid (not recommended).
- Nmap 2.54BETA30 or later.
- to be on a subnet that has one or more machines having IP addresses
  visible to the Internet (10.*.*.*, 172.0-16.*.*, and 192.168.*.*
  subnets are not visible to the Internet... anything else will be).
  NOTE: This subnet has to have a netmask other than 255.255.255.255.
  Most people connecting to the Internet through a dialup ISP will
  have this netmask. Most people having a cable modem, DSL, T1 or
  higher will not have a 255.255.255.255 netmask. A netmask of
  255.255.255.255 means that you are the only host on your subnet,
  which means you won't be able to do this scan without hopping a few
  routers, and as of the date this article was written, I've not seen
  the idlescan work using a zombie on another subnet. If someone gets
  it to work, please E-Mail me. :)

   OK, now that I've managed to completely confuse the n00bs, let's
continue. Basically, how this scan works, is that you pick a target
host that you want to scan but you don't want your IP address to show
up in their logs, and then you pick what's called a 'zombie host'. The
zombie host needs to be a computer on your subnet that is idle, that is
to say, little or no TCP/IP traffic comes in or out of it. Once you've
found the target and zombie hosts you want to use, fire up Nmap like
this:

nmap -sI <zombie host IP> <target host IP> -P0 -v -v

   What you're telling Nmap to do here, is to initiate an idlescan (-sI)
against the target host, using the zombie host as a go-between, not to
ping any hosts (-P0) so that the target host doesn't see any pings
originating from your machine, and to be quite verbose (-v -v) about
what it's doing. Now, here's a sample of the Nmap output (if it works):

Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Host cactus (192.168.0.85) appears to be up ... good.
Idlescan using zombie 192.168.0.15 (192.168.0.15:80); Class: Incremental
Initiating Idlescan against  (192.168.0.85)
Adding open port 445/tcp
Adding open port 139/tcp
Adding open port 135/tcp
The Idlescan took 0 seconds to scan 6 ports.
Interesting ports on  (192.168.0.85):
(The 3 ports scanned but not shown below are in state: closed)
Port       State       Service
135/tcp    open        loc-srv                 
139/tcp    open        netbios-ssn             
445/tcp    open        microsoft-ds            

   (NOTE: I only scanned six ports in this example, to keep the output
to a minimum.)

   It is telling you that your target host (192.168.0.85) appears to be
up. Nmap will always do this when you specify '-P0' on the command
line. Next, Nmap is telling you that it is about to do an idlescan
using the zombie (192.168.0.15), the originating TCP port on
192.168.0.15 will be 80, and the IP ID sequence has been found to be
incremental. That means that the IP ID number on every packet that
comes out of that machine is one greater than the last packet that
came out of that machine. There are different types of incrementation.
Some hosts use pretty tough randomisation algorithms, so they will be
unusable as zombie hosts, and Nmap will tell you this. Most hosts out
there, however, will have some simple algorithm that Nmap can follow.
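
   The "Class: Incremental" check described above can be turned around
and used to audit your own hosts for predictable IP IDs. The following
is an added example, not code from the original article or from Nmap;
the label names, the max_step threshold and the sample values are
assumptions made up for illustration.

```python
# Added example: classify IP ID sequences from sampled values.
# All sample data below is constructed, not captured from real hosts.

PREDICTABLE = {"incremental", "incremental-byteswapped"}

def _deltas(ids):
    """Differences between consecutive 16-bit IP IDs, modulo 2**16."""
    return [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]

def _byteswap(value):
    """Swap the two bytes of a 16-bit value."""
    return ((value & 0xFF) << 8) | (value >> 8)

def classify_ipid(ids, max_step=10):
    """Label a host's IP ID behaviour from consecutive probe replies.

    ids      -- IP ID field of successive packets from one host
    max_step -- largest per-packet increase still treated as a counter
                (assumed threshold; an idle host normally steps by 1)
    """
    if len(ids) < 3:
        raise ValueError("need at least 3 samples")
    if any(not 0 <= v <= 0xFFFF for v in ids):
        raise ValueError("IP ID is a 16-bit field")
    if all(v == 0 for v in ids):
        return "all-zero"
    if len(set(ids)) == 1:
        return "constant"
    if all(1 <= d <= max_step for d in _deltas(ids)):
        return "incremental"
    # Some stacks keep the counter in host byte order, so on the wire
    # it appears to step by 256; undo the swap and test again.
    swapped = [_byteswap(v) for v in ids]
    if all(1 <= d <= max_step for d in _deltas(swapped)):
        return "incremental-byteswapped"
    return "irregular"

def audit(samples_by_host):
    """Return {host: label} for hosts whose IP ID counter is predictable."""
    result = {}
    for host, ids in samples_by_host.items():
        label = classify_ipid(ids)
        if label in PREDICTABLE:
            result[host] = label
    return result

# Constructed samples; addresses are from the 192.0.2.0/24 documentation range.
SAMPLES = {
    "192.0.2.10": [65533, 65534, 65535, 0, 1],       # counter wrapping at 2**16
    "192.0.2.11": [0x0100, 0x0200, 0x0300, 0x0400],  # counter stored byte-swapped
    "192.0.2.12": [31337, 812, 50211, 7, 19000],     # randomised
    "192.0.2.13": [0, 0, 0, 0],                      # always zero
}

if __name__ == "__main__":
    for host, label in audit(SAMPLES).items():
        print(f"{host}: predictable IP ID sequence ({label})")
```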

   Next, Nmap is saying that it has initiated the actual idlescan
against 192.168.0.85. Every time it finds a port to be open, Nmap will
add it to the list. At the end, it lists the ports it found open.

   Now, while all that was going on, here is what was happening... Your
machine sent a few packets to the zombie host on port 80, to figure out
its IP ID sequencing algorithm. Then, your machine masqueraded as the
zombie host, and portscanned the target that way. Every time a response
packet would come back to the zombie, your machine would see that, and
interpret the results as if the packets had come directly to your
machine. However, you will remain unseen for the most part. The target
host will never see your IP address, only the address of the zombie
host. The zombie (depending on how extensive their logging program is),
may show you trying to connect a couple of times to their port 80 (or
whatever you specified -- I'll cover all the idlescan-relevant options
below), but that's it. Nothing more.

   Now, here are some tips on how to be safe when doing these scans.
Obviously, both your target and your zombie hosts need to be up and
responsive, or else the scan will fail. Also, don't pick an outlandish
port number for the zombie host. Pick something like 80 (http), 21
(ftp), or 25 (smtp), or something along those lines. The reason for
this, is if the administrator of the zombie host looks at his logs, and
sees you connecting to his port 602, he will think something is really
suspicious. But, if he sees you connecting to his port 80 or 25 or
something, he'll just shrug it off, assuming that you typed in the
wrong IP address or DNS name, and not think twice about it.

   Anyway, I said I would cover the options that you could use with
the idlescan.

-p - Port specification. Use this if you only want to scan a port, or
     a range of ports. An argument like -p 21,25,135-139 would tell
     Nmap to scan port 21, port 25, and ports 135 through 139. This
     option should be familiar to people who have already used Nmap's
     many other scanning methods.

-S - Source address spoofing. Use this if you REALLY don't want your IP
     address to get out anywhere, even to the zombie host. Your spoofed
     IP address needs to be that of a host that is known to be up, or
     else the entire scan won't work at all. You may also need to use
     the -e option (which is covered below) and the -P0 option
     (which you are already using).

-e - Interface specification. If you use -S, you also need to tell Nmap
     which interface you want to use your fake IP address on. Usually,
     Nmap will not complain about this if you only have one network
     interface. However, if you're running Nmap out of a machine that
     maybe serves as a cheap router/firewall, and it has two network
     interfaces, you will need to tell Nmap which interface to use.

   This should be enough to get you started. If you want to see what
really goes on around your subnet, get Tcpdump and read the man page
thoroughly. (Hint: I used Tcpdump to see what Nmap was doing, hence
my understanding of the idlescan. <grin>) I also highly recommend
reading RFC 793 (discusses Transmission Control Protocol, or TCP). See
the links section below.

   If you are just starting off in Linux, I would suggest getting the
Debian distribution. See the links section below.

   Here is a list of links pertinent to this article:

 Debian Linux: http://www.debian.org
Nmap homepage: http://www.insecure.org/nmap/index.html
RFC documents: http://www.ietf.org/rfc.html

 ____________________________
|         _____              |
|\    /     |                |
| \  /      |                |
|  \/ERIZON |ELECONFERENCING |
| BY: k00p$ta Phr34k and ic0n|
|____________________________|

 Before we begin this file, we (ic0n&k00p$ta) are not going to give you any info on 
 setting up the conference, for a few reasons. But the setup is not hard at all, 
 since everyone @ Verizon is crazy or just dumb minus a select few. (they know 
 who they are) Now on with the file.

	Verizon now offers a new service, Conference Connections. These conferences are 
reservation-less, which means around the clock availability. The Conference is available 
24 hours a day, 7 days a week, and 365 days out of the year. This makes conferencing very 
easy. Thanks Verizon!

 There's 2 ways to dial into a verizon conference.
 1.Toll Free dial in number (866-441-2942)
 2. Direct (972-717-2043) Npa 972 is in Texas 	

There are no setup fees, no cancellation fees, and no monthly charges. Which means you can 
set up a teleconference and your victim will not even know he's got a teleconference being 
billed to him. The minutes your participants use are logged separately by different 
ports. There are 20 of these ports but I'm sure there is a way to get more. Anyways the 
minutes are added together to simplify the subscriber's bill; required taxes are added 
in addition. There is a separate bill for toll free service as well.

 States that need to use the direct number to the conference:
 1.Alaska
 2.Delaware
 3.Maryland
 4.New Jersey
 5.New Hampshire
 6.Virginia
 7.Vermont
 8.Washington D.C.
 9.West Virginia
 *Once again the direct number is 972-717-2043.

 The reasoning behind the direct numbers is that Verizon provides long distance services for 
calls originating in most states outside the mid-Atlantic and new England states. Until 
government approval is obtained, Verizon cannot carry long distance in the states listed 
above. Verizon is in the works on getting the necessary states and federal permissions to 
offer long distance in every state.

 Rates Cents per minute per port
                  Until 3/30/02    	Normal 
    Toll Free         $0.22             $0.31
    Direct            $0.09             $0.18

Feature Descriptions
Announcements for Entry and Exit
	 At your option, the reservation-less Conference Connections system can sound a tone 
or have silence when participants enter or exit a conference.

Attendant Request
	 The Subscriber or Participants can request attendant assistance for private or group 
consultation. The person requesting assistance remains in the conference until the attendant 
handles the request.

Conference Continuation
	 This feature allows the subscriber to exit a conference after it begins without 
disconnecting the participants and must be activated for each conference call.
 *Note The system automatically defaults to end the conference call when the subscriber 
disconnects.*

Conference Lock/Unlock
 	This feature lets the subscriber lock a conference once all parties are present to keep 
the conference private. Attendants cannot enter locked conferences, but can ring the conference 
requesting that the subscriber unlock for attendant entry.

Help Menu 
 	Help with using conference commands is available to every conference Subscriber and 
Participant. The system plays a private help message to the requester that lists the available 
features and their associated touch-tone (dtmf) commands.

Mute/Un-mute
 	The Subscriber can collectively mute or un-mute all lines in the conference except 
for the subscriber's line. The participants can mute and un-mute their own lines to help 
control distractions and interruptions.

Participant Count
	 The system automatically tracks the number of participants on a conference. Any 
Subscriber or Participant can check the number of people in conference at any time. The 
system announces the count privately to the requester.

Quick Start
 	As a rule, conferences do not begin until the subscriber starts the conference. However your 
account can be configured to allow the subscriber to use this feature so that the conference begins as soon 
as the first participant arrives. In this scenario, Participants who arrive before the 
subscriber may talk to one another before the conference actually begins. Though the quick 
start feature offers less security, it allows unplanned meetings to occur whenever needed 
or permits conferencing when the subscriber is unavailable to start the conference.


Features
 Subscriber Conference Commands 
  This is how you Begin a conference:
  1. Dial into conference system
  2. Enter Pass code, then the # (pound) key
  3. Then Press the * (star) key
  4. Enter Subscriber Pin (4 digits)
  5. Press 1 to start the conference or press 2 to change account options.

  To Change Account Options:
  Press 1 to change subscriber pin
  Press 2 to configure roll call options
  Press 3 to change quick start options
  Press 4 to change auto continuation options

  Conference Control options (while in conference)
  Press *0 to speak privately with an operator
  Press 00 to request an operator to join the conference
  Press *4 to lock conference
  Press *5 to unlock the conference
  Press *6 to mute your line
  Press *7 to un-mute your line
  Press *8 to allow the conference to continue after you disconnect
  Press *9 to privately play a list of participants on conference
  Press *# to hear the number of participants in the conference
  Press ## to mute all lines except the subscriber
  Press 99 to un-mute all lines
  Press ** to play this list of commands


How to end a Conference
  Say whatever, then hang up the phone. A short message will be played for the participants and then 
the system disconnects them.

 ***We also need to thank Verizon for being so dumb and giving us all this information to 
write this article. Shout Outs....Lucky225, Dark_Fairytale, The Borish One, Xenocide, Cuebiz, 
MaddjimBeam, Whit3rav3n, Reaver, Captain_B, Mr. Poop, RBCP, Everyone Who was on $kytel back 
in 96-97...well okay only some people from skytel and everyone else we know.***  