                   "" "" "" "" "" "" "" "" "" "" "" "" ""
                            ,;;11;.                                     ,;!!;.                   
                            11   ;;'                ,1;;|1,;||;,.       |1  '11 leetophreakoheadz                 
                            11  1;               11'  "1;'    '11      |1   11     'zine #5                 
                            11 1;'                1;'   11:      11     11  11        2002
                       "",;;||;;                 '1;'  11;'    ,1;     1; .1:           
                            11'                         1::;1||1'"      1;.1:'
                            11'         .               1:1'            |1!1';'11:.        
                      .,;::;1!;.,       11.             1:1             11'     11;   
                      :;    1;  "1:;,..,;:;      .:;1!  1:1             |;1     11:          
                      '1.,;'"     ";11;1      1|1    1:1            .|11     11:  ,;1;,.' 
	     	                                    '";:|1:;"          ;|1;:"    ':11;;^   	  
                                       
                                          ...We coined the term "leeto"...
                   "" "" "" "" "" "" "" "" "" "" "" "" ""



 

  ______________________
  *  Intro             *
  * by ic0n            *
  * ic0n@phreaker.net  *
  *____________________*


 Welcome everyone to issue 5 of the lph zine! Where back after for yet another round. If you have'nt
 noticed i've been working on the site here and there. sometime this summer the site will be where 
 i want it to be. Before we get too much into the zine a huge Shout to Captain_B for getting printed
 in 2.6 (2600) and it just so happen's to be the box I named "The Bungee Box' I would also thank hackerhost
 for the hosting. Nuff with the intro and let's get on with the good stuff....

                ______________________________________________________________
               *      Table of Content (Toc)                                          *
               *Hiding Running Services from Portscanners Part I..........by phractal * 
               *Toll Free Modem Numbers...................................by Pref1x   *
               *Conversion box............................................by Captain B*
               *Toll Free Busy Lines......................................by Pref1x   *
               *RCMAC.....................................................by ic0n     *
               *Call Forwarding Phun......................................by ic0n     *
*_____________________________________________________________*
                         
                         _____________________________________________________ 
                        *  Hiding Running Services from Portscanners Part I   *     
                        *    by phractal                                      *
                        *_____________________________________________________*




    /* parts of this article are theoretical and some
       is proven with code, feel free to get in touch
       to comment or point out flaws in my theories */


         Hey there. Have you ever wished to run a certain daemon or backdoor
       but have it hidden from the eyes of network scannners. Suppose you
       want to run a private ssh server for only a select few, but they
       don't always have the same hostname, or perhaps a backdoor to a 
       unix that you worked hard to get to. Well, I got to thinking of
       ways to have an actual service running and yet being undetectable
       to people snooping in on your network. 



        Here's what I will discuss

	-'port tripwire'
	  -how it works
	  -porttrip.c
	  -end notes


           #############
           Port Tripwire:
           #############

           Port tripwire is a name i came up with for opening up a low port in
           an attempt to catch a port scanner before he reaches any ports that
           you want to hide. 

           If you or your borrowed remote host are running:

            Port       State       Service
           23/tcp     open        telnet
           53/udp     open        domain
           80/tcp     open        http
           3557/tcp   open        BACKDOOR

           
          You might want to hide this machine from scanning kiddies to hide
         anyone who might want to abuse your server if they want to get in
         via telnet, or maybe you don't want it known that you run a web
         server, and of course, that backdoor is supposed to be hidden from 
         view of scanners as well. How can we prevent a scanner, of whom
         we will have no idea of his IP address, from finding these running
         services via scanning? Well, port scanners will generally scan ports
         in sequence or in rough sequence. They will or will usually access 
         the low ports first, and then proceed to connect/request ACK replys
         of higher and higher ports. We can intervene on the scanning process
         if we stop the scanner midway. We can do that by looking for him
         where he'll come in, the low ports. We should choose a fairly obscure
         port to try and detect the scanner, because otherwise it could be
         a legitimate session, a normal user accessing a known service. For
         my little port tripwire program, I chose port 3, it is a low port, 
         and almost no one runs it. If you wish to hide common services, you
         may wish to change that to port 7(echo), as that is obscure, but it
         is also listeded in nmap's services to scan for.

           
           The way that Port Tripwire works is, it opens up a socket and 
         listens on that low port. If any connection is made to that port,
         the program identifies who that host is, and immediatly issues
         a command to firewall out any further attempted connections made
         by the scanner. It blocks him out, turns the computer silent on
         him. The following code proves this concept. It is however 
         incomplete, not a full security program, and most likely has
         plenty of vulnerabilities itself. It is used just to demonstrate
         this concept.

         #include <stdio.h>
         #include <string.h>
         #include <sys/types.h>
         #include <sys/socket.h>
         #include <netinet/in.h>
         #include <netdb.h>       

         #define PORT 3
         #define BACKLOG 1

        //Port Tripwire BETA
        //made for BSD or any ipfw firewalled OS
        //by phractal


        int main() {

	//printf("PortScan Tripwire BETA by phractal \n");
	int fd=socket(AF_INET,SOCK_STREAM,0);
	int fd2;
	
	struct sockaddr_in server;
	struct sockaddr_in client;
	int sin_size;
	
	server.sin_family = AF_INET;
	server.sin_port = htons(PORT); 
	server.sin_addr.s_addr = INADDR_ANY;
	bzero(&(server.sin_zero),8);
	
	bind(fd,(struct sockaddr*)&server,sizeof(struct sockaddr));
      		
	
	

	listen(fd,BACKLOG);	
	
	while(1){
  		sin_size=sizeof(struct sockaddr_in);
		if((fd2=accept(fd,(struct sockaddr *)&client,&sin_size))>-1) {
		//printf("connection from %s\n",inet_ntoa(client.sin_addr) );
		//printf("DENY! \n");
		char cmd[150];
		char cmdpt1[] = "ipfw add 01234 deny tcp from ";
		char cmdpt2[] = " to any";
		sprintf(cmd, "%s%s%s", &cmdpt1, inet_ntoa(client.sin_addr), &cmdpt2);
		printf("%s",cmd);
		system(cmd);
		
		}
	}
	close(fd2);
	return 0;
        }


        While this program is running, if i nmapped a server running it with a 
        normal TCP connect() scan then I would see port 3 as the only running
        service. 


        There are some problems with this program. Since it uses accept() to 
       determine that a scan is in place, SYN scans will not be picked up,
       and if a scanner was lucky or smooth enough, maybe he might scan a 
       certain block of ports that is outside the port that the tripwire
       program runs on.

       In Part 2, I will discuss more advanced port scan detection methods.
       I will focus on using promiscuous mode to sniff for SYN packets
       and will be using methods different from the tripwire approach.

      <-------------------------------------------------------------------->


      greetz go out to h/pers and coders better than me:

    stain, team phreak, awnex, dvdman, l33tsecurity, pare, bor, trunklord
    linear, bor, 9x, subz, hybrid, datawar, downt1me, notten, telec
    and people i forgot

                         _______________________
                        *Toll Free Modem Numbers*      
                        *by Pref1x - 3/25/02    *     
                        *_______________________*
        * Summary

         This text file will provide a list of toll free numbers that will 
         most likely connect to computers/modems. Some of these systems may
         even let you in login free. Keep in mind these numbers can be disconnected
         at anytime.






                               % Numbers % 



     1-800-214-9617           1-800-221-5451           1-800-222-0555
     1-800-223-1078           1-800-223-3141           1-800-223-5151
     1-800-223-6932           1-800-223-7213           1-800-260-3122
     1-800-282-2222           1-800-321-1570           1-800-323-2919
     1-800-362-4504           1-800-362-4509           1-800-362-4510
     1-800-362-4550           1-800-362-4584           1-800-367-0815
     1-800-401-0075           1-800-424-6245           1-800-432-4838
     1-800-439-5823           1-800-456-6245           1-800-465-7735
     1-800-466-3256           1-800-539-6245           1-800-543-3279
     1-800-552-2130           1-800-555-3425           1-800-555-9014
     1-800-555-9905           1-800-555-9920           1-800-555-9955
     1-800-555-9973           1-800-617-9056           1-800-624-5123
     1-800-725-3512           1-800-726-4823           1-800-726-6714
     1-800-737-6068           1-800-763-0222           1-800-789-4756
     1-800-789-4792           1-800-800-4098           1-800-822-0458
     1-800-822-2439           1-800-822-2478           1-800-822-3298
     1-800-822-3479           1-800-822-6425           1-800-822-7540
     1-800-822-8353           1-800-822-9619           1-800-822-9917
     1-800-855-2882           1-800-909-1994           1-800-909-2111
     1-800-909-2286           1-800-909-3269           1-800-909-4311
     1-800-959-0013           1-800-959-0057           1-800-959-9822
     1-877-222-1008           1-888-527-6134           1-888-888-0520



                                       _____________________________
                                      *       Conversion box        * 
                                      *    by Captain B             *
                                      *_____________________________*

     	Test sets (Lineman handsets) are obviously a useful phreak tool for beige boxing. But, unless you're 
     willing to drop a couple hundred bucks to buy one at your local authorized Harris telecom products dealer, 
     dumpster dive for one, or take the chance doing the ol' 5 finger discount with some Ma Bell truck, It's 
     better to use a one-piece phone (Like the Apollo or Super-mini flip phones from Radio Hack, or the ConAir 
     flip phone availible at K mart stores). Or, you could convert a phone that has a keypad in the handset to 
     a psuedo test set for beige boxing purposes (As I'll be discussing here). Yes, you could also convert a 
     phone without a keypad in the handset, but you'd better have a way of sending DTMF via acoustic coupling, 
     such as with a tone dialer (If you can still find one at the local Radio Hack). Also, since most lineman 
     handsets have features that are either on most phones, or not absolutely needed for the more exclusive 
     features, It's just all the more reason to beige box with a regular phone. The driving principal behind 
     making this is very similar to the one used for the Bungee box. Because, you'll be modifying a handset 
     cord for this. The difference is that only 1 end of the handset cord will be modded. Here's what you'll need...

        *A handset cord
        *Modular crimp tool
        *Wire cutter (Unless the crimp tool has it built in)


     	You'll also first want to check how many conductors there are inside your phone handset. If It's 2 conductors, 
     It'll be simpler. If there's more than 2, it becomes necessary to isolate which 2 wires are used to power the 
     handset. (Well, at least that's how it was with a 4 wire phone handset I was converting). To check the amount of           conductors in the handset, remove the handset cord and look inside the hole where the handset plug from the cord 
     goes in. Hopefully, It's 2 conductors. And yes, you could check the number of conductors in the handset cord 
     instead, but since handset cords always seem to have 4 conductors when bought as new, that could mislead you. 
     I'll go more into isolating the 2 wires involved for powering the handset on a 4 conductor handset cord in a minute.          Let's get into making this. Take the handset cord, look first at the little wires in the plug to observe for the color 
     scheme (Thus making note of correct polarity) then, cut off that handset cord plug as close as possible with where it         connects to the cord. Carefully, strip off a bit of the insulation using the modular crimp tool's stripper. Take a 2          line (RJ14) modular line cord plug, and push the line cord plug over that end of the handset cord, facing the same way        as the previous handset cord plug was. (In other words, if the little spring clip on the handset cord plug was facing         down, crimp the line cord plug on facing the same way as that was). Then insert that end of the handset cord into the         modular crimp tool properly, and squeeze the handles together firmly until it stops (which is quite fast). See the           instuctions that came with the modualar crimp tool if you need more help. Now, if a 2 conductor handset was used, you         can just plug it into any working modular jack, and it should work. But, if the handset has more than 2 conductors,           connect up an in-line coupler (Female-to-female RJ14 connector). Then, connect a modified 2-line (RJ14) line cord 
     (with 4 alligator clips) on the other end of the in-line coupler. Try connecting the gator clips in different      combinations of 2 at a time to the screws holding the red and green wires inside a modular jack or out at the TNI until      you get a dial tone. Of course, you'll want to either remove the cover from the modular jack by unscrewing the center      screw, or prying it off if it has no screw to access the 42A block with 4 screw terminals inside. Or, in the case of the      TNI, open it on the Telco access side using a 3/8 hex bit on a 1/4 drive ratchet or spinner handle. 
     (These can be found at Home Depot stores). In a TNI, the red and green wires run from the subsciber modules contained 
     in the customer side to the screw termianls on the telco side. Use that for reference. (Disregard the other colored      wires there). If you only have 1 line service, make sure you connect up to the 2 screw terminals that have phone      service. Otherwise, there won't be a dial tone, of course. The conversion box makes for a handy placebo to a lineman's        hand set, don't you think? 

         As always, be careful and have phun.

                    
                     **********************************
                     * Toll Free Busy Lines by Pref1x *
                     *            6/18/02             *
                     **********************************



           This is a list of toll free numbers that are ALWAYS busy. Why they're
        always busy is beyond me. They could be some kind of test number of some
        sort. There might also be a modem connected to the line with "Busy Mode"
        enabled, which will cause the line to be busy. Sysops often use the modem's
        "Busy Mode" feature to do maintenance on their system. Anyway, all I know is
        that the numbers below are busy 24 hours a day; 7 days a week. I find busy
        numbers useful to give out on applications and forms that ask for a home or
        work phone number. Another idea is if you have call forwarding, you can have
        your calls forwarded to these numbers if you don't want to be disturbed 
        while scanning or something. Who knows, you may find many interesting uses for 
        them. All the numbers below work as of the date above.



             1-800-221-5807   1-800-223-3325   1-800-225-8456
             1-800-284-3463   1-800-325-4081   1-800-327-6764
             1-800-328-7777   1-800-332-0090   1-800-368-9414
             1-800-378-5610   1-800-388-9912   1-800-421-3879
             1-800-424-5664   1-800-431-3762   1-800-431-3764
             1-800-432-4896   1-800-438-9999   1-800-453-9999
             1-800-555-0057   1-800-555-9161   1-800-576-9999
             1-800-617-9977   1-800-693-9999   1-800-726-0350
             1-800-822-0154   1-800-822-9400   1-866-466-6245
             1-888-252-9922   1-888-252-9928   1-888-252-9932
             1-888-252-9934   1-888-252-9936   1-888-252-9938
             1-888-252-9941   1-888-252-9942   1-888-252-9945
             1-888-252-9949   1-888-253-8379   1-888-313-3716


                              _____________________
                             *      RCMAC          *
                             *   by ic0n           *
                             *  ic0n@phreaker.net  *
                             *_____________________*

 What Does RCMAC stand for?
 Recent Change Memory Administrative Center

 Now your thinking Great! but what good can it do for me. This in my opinion is the most important service that the fone 
 company has. With some social engineering you can add features like Three-way calling,Call waiting,Caller ID,and in some 
 places voicemail. You also can set flags on people's line's so they won't be able to use there fone.Change line classes
 so you can make fone's payfones. Once you have got 1 RCMAC you can just social them into doing something in another npa 
 or at lease getting the number in that npa.


  Here's a Example 

 RCMAC: Hello RCMAC Cleveland how may I help you?
 you: Hi this is 'Name Here' here at Atlanta RCMAC and our computers are down are they up there?
 RCMAC: Yes they are running fine may I help you?
 you: Good  Yes I need the San Diego RCMAC and the one we got is wrong can you give me the newest one?
 RCMAC:Sure the number is 619-XXX-XXXX
 you:Thank you 

 It's pretty simple but now i've seen alot of RCMAC's ask for more info like...Employee Number,Name,Sometimes they ask for 
 a mobile fone number for that given lineman (this is very rare tho). You can get this info from trashing.

 I guess you could even give them a payfone number to contact you....just an idea never tryed it before.

 Oh yeah i forgot you have to call the number a 'line number'

 Line Class Codes:
 ESF=speed calling
 CWT=Call Waiting 
 CFB=Call Forwarding Busy
 CFV=Call Forwarding
 TWC=Three Way Calling
 TTC=Touch Tone Dialing 
 UNA=No Long Distance
 PXX=Block All Long Distance services
 CHD=Centrex
 CPU=" "
 ACB=Auto Call Back
 FRE=Free Calling
 DTF=Payfone
 CFD=Coinless Charge a call
 

 Line Problems:
 NDT=No DialTone
 CC=Cant Call
 DTWD=DialTone While Dialing
 CH=Cant Hear
 CBH=Cant Be Heard


 Oh yeah if there not doing dialtone you should be good to go on the Adding the trouble ticket.

 just to let you know a dialtone in this case  is just a test when you hear a click on your line late at night there checking
 for a dialtone. 



                            ____________________________________
                           *     Call Forwarding Phun           *
                           *   by ic0n                          *
                           * ic0n@phreaker.net                  *
                           *____________________________________*


   Everytime I'm at a place with fone on the counter like Pizza Hut,Blockbuster,ect,ect,ect. I think at all the funny things     that are possible.

  Here's a little story...... 

 I was at pizza hut waiting on my food when i noticed there was a ameritech office fone on the counter. I looked around 
 making sure nobody was around. I quickly picked up the handset and dialed * (start) 72 witch is the star code for Call   Forwarding. I had it forward to one of the people that make life suck. Heh. Alot of home's and smaller companys won't have    this feature. Anyway's you can forward to anywhere in North America as far as i know it might even be World wide.

 A Few Idea's 

 Forward Anywhere to a porn shop. 
 Voicemail Box With a funny Greeting
 Forward Walmart to Kmart and Kmart to Walmart
 
 Sorry about this shitty file i'm kinda in a hurry to get the fuck out of here and go to yet another grad. party! until then 
 peace out!