========================================================
        Page 33 // Second Issue // January 2004
========================================================
               [http://page33.port5.com]
                   [page33@mail.com]


In This Issue
========================================================
A New Year ------------------------------------- blakmac
The Double Op-Divert, and More --------------- Captain B
Snagging Passwords From Cayman DSL Modems ------ blakmac
Test Prefixes and Exchanges ---------------- PhreakBlaze
Toolkit for the Telecom Enthusiast ------------- blakmac
The Old Code ----------------------------- Page 33 Staff
Linkage ---------------------------------- Page 33 Staff
========================================================


Staff Members
========================================================
blakmac - editor in chief, webmaster
diversereality - resident genius, penetration specialist
========================================================




========================================================
A New Year // blakmac [page33@mail.com]
========================================================
Welcome to 2004.  The other day I was playing some old MegaMan 
game, and it was supposed to take place in the year 200X, so 
sometime in the next six years we can expect to see cyborgs 
running around shooting at robots that resemble animals...

We've got a lot to look forward to this year.  I'm planning to 
go ahead and work on the site and the zine a bit more.  I doubt 
that we will be fortunate enough to go hardcopy, but I may print 
up a few of these and place them around town just to see if they 
get picked up or thrown away.  It's a risk I'm ready to take.  
In the past year we have seen some awesome zines get started up 
(Dig, Leet, Binary Revolution -- at least I think it all happened 
this past year...), and though it may seem to some that we are all 
competing, in reality it's not at all that way.  There is plenty of 
information to go around, but not nearly enough avenues available 
to deliver it.  I feel that more zines should surface, and we should 
all be supportive of the other zines.  There's good stuff there.

I have been fortunate enough to acquire a new digital camera, so look 
forward to more and better pictures on the site.  Hopefully I will get 
some time to do some urban exploration, however with my schedule, I 
highly doubt it.  If I do, you can bet that there will be pictures posted.  
Also, if you have any photos that you would like to submit, please email 
them to us at page33@mail.com.  Please make sure they are in .jpg or .gif 
format.  Also, we still need articles for both the site and the zine.  
And we welcome any feedback that you may have, be it good or bad.

I do realize that a lot of the content in this zine is the same stuff 
that's available on the site.  The reason is this:  it's easier to distribute 
the information on the site if it's in hardcopy.  And rather than printing out 
each individual article for people, I just add them to the zine and print them 
off that way.  I apologize for the redundancy, but until we get more content, 
we'll probably do things this way.  It will change some day, we promise.

We hope you enjoy this issue.  We are still just starting out, but it will get 
better.  We look forward to hearing from our readers, so send in your stuff!  
Oh, and have a happy new year!



========================================================
The double op-divert, and more // Captain B
Note -- Borrowed from www.textfiles.com
========================================================
By this point, most phreakers have probably at least heard about op-diverting, 
if they don't already know how to do it. But, for a while, I had wondered about 
the possibility of doing a double op-divert. In which case, you dial into a PBX 
(Private Branch eXchange), dial out to 1010 ATT 0, then dial a 10 digit number 
from there (Including toll free numbers). Well, I can tell you for certain that 
at least one corporate voice mail system allows for such a thing. It's the Altigen 
voice mail system. But, unfortunately, you don't seem to run across these all 
that often. And, it seems like it's not uncommon for this VM system to only have 
the ability to dial out via the admin's voice mail box. Which, in my experience 
so far, has always been at extension/voice mailbox number 500, with a passcode 
of the same.

To do the double op-divert, first log into the VM box, hit # (pound) to start the 
dial out procedure, then dial the outside line access digit, (which is a 9) 
plus 1 and the 10 digit phone number. And, in the case of the double op-divert, 
it goes like this: 9+ 1010 288 00. And, yes that's not a typo. The 1 after the 9 
in this case is dropped. (Otherwise, the PBX would recognize what you're dialing 
as being "911"). And, you have to dial 2 zeros after ATT (288) instead of the 
usual single zero. Speaking of which, that double zero technique also works even 
when you're just dialing straight through normally to AT&T and other "dial around" 
carrier access codes on phone lines. (At least it works here for me, but it could 
be different where you are). In fact, on COCOT payphones, it can even help speed 
up the time you wait for the computer inside the COCOT to start processing (or, 
should I say, re-dialing) all your 1010 Carrier Access Code-type calls. Although, 
there are some COCOTS that won't accept 1010 numbers dialed in such a way, and it'll 
have you redial over again. Also, from standard fare fortress Verizon and RBOC 
(Regional Bell Operating Companies) payphones, hitting # (pound) after 1010 XXX 0 will 
put the call through a bit faster as well. Well, at least this is a method that works 
here where I am. But, I know full well that sometimes subtle differences in phone 
switches, and other CO (Central Office) phone equipment can change how things work 
from place to place. Including even with 2 different COs in the same town sometimes. 
By the way, AT&T also has a 2nd 1010 number many don't seem to know about or use 
as much as 1010 288 0. The second one is 1010 732 0. And, for a while at one point, 
AT&T also had 1010 779 0. All work the same. Still yet one more way to access AT&T is 
through 00. (As long as AT&T is the long distance provider for that particular phone 
line). On payphones, the bottom instruction card will show who handles long distance 
calls for that payphone. But, sometimes this info isn't accurate, or the bottom 
instruction card may be missing, or defaced too badly to be able to read well enough. 
In which case, just dial either 1-700-555-4141 or 1-700-555-1212 and, after a moment, 
you'll hear who the long distance provider is for that given phone line. I've tried 
this method on PBXs to try to find out who the long distance provider was for their 
phone service. But, so far, I've yet to find a PBX that recognizes 1-700 numbers as 
valid. But, I have found that if you get the ANI passed by the PBX by dialing an 
ANAC (Automatic Number Announcement Circuit, which will say back the number you're 
dialing from), then use the VM system's PBX to dial the PBX's area code + 700-1212, 
you'll hear who the local service provider is for them. Here's one ANAC you can 
use: 1-866-My ANI is. By the way, I don't know if it would help screw up ANI from 
being passed properly, but you could always use a PBX to dial that company's own 
local or toll free number back again, log into another voice mailbox on the same 
VM system, and dial out via the 2nd VM box to whatever number you want to call. 
To dial into the company's corporate voice mail again via their local number, 
simply dial the number read back to you via an ANAC. That local number is the number 
"behind" the toll free number, as it's said to be. Since, most toll free numbers 
are nothing more than numbers that forward your call to some standard 10 digit phone 
number somewhere. (Although, there are some "dedicated" toll free numbers that aren't 
connected to any 10 digit phone number like that). Getting back to the double-op divert 
method, you could also dial into 1010 ATT 0 or 1010 732 0 to perform an emergency 
interrupt if the person you're calling doesn't have call waiting service, and just 
won't get off the line. In which case, you have to talk to a live AT&T operator, and 
ask them to place an emergency interrupt call for you. (Also known as "Emergency 
interrupt with call completion"). They'll ask you for your name. So, be ready with 
a fake name, if you'd rather the person you're calling not know who you are. And, 
yes, there are special charges for them to do emergency interrupt, so you may want 
to think twice about doing it, since if the company checks their phone bills, they'll 
see the charges, know something is up, and probably change either their toll free phone 
number, local phone number, or perhaps even both. In which case, you won't have that 
corporate voice mail's PBX to dial out on anymore. So, always think about your actions, 
and the effect it may have before-hand.

By the way, don't forget that it's possible to do op-diverting via live operators. 
But, if it's a toll free number you want them to place for you, don't expect them to 
unless you say that you're visually impaired, and need help dialing the call. Even 
then, I've found a number of telecom companies that just won't, or can't do it. The 
only exceptions I can think of off-hand are Verizon operators (via 101 6963 0), certain 
local RBOC operators, and Global Crossing. Global Crossing can be reached at 1010 211 0, 
which passes along an ANI of a disconnected number in the 505 (New Mexico) area. 
Probably Global Crossing may have another 1010 number I'm forgetting, or don't know 
about as well, since many telecom companies seem to have at least more than one 1010 
number. And, some have also been setting up their carrier access numbers in the 
101 5xxx and 101 6xxx ranges. So, search around, if you like. And, as always, 
have phun, and use your head as much as possible. 


===============================================================================
Snagging Passwords From Cayman DSL Modems // blakmac [page33@mail.com]
===============================================================================
INTRODUCTION -- I stumbled across this while scanning subnets for web servers.  
Why was I doing this?  Simply -- I got bored with Googling for stuff to look at.  
What I have discovered is that it is very trivial to get user names and passwords 
from unprotected Cayman DSL units.  In fact, the extent of control available over 
these machines is disturbing, since the ability to gather this information is 
based strictly on human laziness.

TOOLS -- Port Scanner -- I prefer SuperScan.

HOW TO FIND DSL MODEMS -- Now on to the good stuff.  Oh, yeah, before I 
forget...I am only telling you this so you will know how to protect your own 
systems better.  Don't use this against anyone.  Ok, first you need to have an 
IP subnet to scan.  If you are using a decent port scanner, you can specify which 
ports you want to scan for.  We are only looking for port 80 in this case.  Once 
you find one, try to browse that IP using IE or any other browser.  If it is a 
Cayman DSL, it will display a login prompt, which will say that it is in fact a 
Cayman. I'm sure other DSL modems do the same thing, but these are the ones we 
are looking at for now.  For a Cayman, the default user name is "admin" (without 
quotes) and there is no password.  If configured improperly, it will allow you full 
access to that modem.  Yes, I said FULL.  To get the main account user name, simply 
click on "DSL PORT (WAN)".  This will load another screen displaying the ATM 
configuration page where you can configure the ATM settings...heh heh.  Simply 
click on "Config" and voila...the VCC 1 Configuration page is displayed.  Under 
the section that says "Authentication" will be some familiar user name/password boxes.  
The user name will be in plain text, and the password will be displayed as *'s.  
"That's nice, but I want passwords," you say.  Well, here's the trick.  Simply 
view source on the page.  To make getting the password easier (as if it's necessary), 
you can use the search option in your text editor to search for the user name.  Then 
just read through the source a little ways, and you will find the password listed in 
plain text.  Scary, huh?

THE MORAL -- The lesson to be learned in this short and very sick exploit is this: always 
change your passwords from the default to something more secure.  It's painfully simple 
to get this information from any unprotected DSL modem.  If anyone has questions and/or 
comments, feel free to email me.
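
To check your own device for the behaviour described above, save the configuration page from your own modem and look for secret fields that the server has pre-filled. The following is an added example, not part of the original article; the HTML sample and field names are constructed, and it assumes the stored password is written into a form field's value attribute, which is one way a password shown as *'s ends up readable in the page source.

```python
from html.parser import HTMLParser

# Constructed stand-in for a saved configuration page (hypothetical markup
# and field names; the real device's HTML is not reproduced here).
WEAK_PAGE = """\
<html><body><h1>VCC 1 Configuration</h1>
<form method="post" action="/config">
<b>Authentication</b>
User Name: <input type="text" name="ppp_user" value="subscriber@example.net">
Password: <input type="password" name="ppp_pass" value="constructed-secret">
<input type="hidden" name="session" value="1">
<input type="submit" value="Submit">
</form></body></html>
"""

# What a corrected page looks like: the field is sent empty, and the device
# only changes the stored password if the user types a new one.
FIXED_PAGE = WEAK_PAGE.replace('value="constructed-secret"', 'value=""')

# Substrings in a field name that suggest it carries a secret.
SECRET_HINTS = ("pass", "pwd", "secret")


class SecretEchoAuditor(HTMLParser):
    """Collect <input> fields that arrive from the server already holding a secret."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # HTMLParser lowercases names; valueless attributes come back as None.
        a = {k: (v or "") for k, v in attrs}
        ftype = a.get("type", "text").lower()
        name = a.get("name", "")
        value = a.get("value", "")
        if not value:
            return
        masked_only = ftype == "password"
        named_like_secret = (ftype in ("hidden", "text")
                             and any(h in name.lower() for h in SECRET_HINTS))
        if masked_only or named_like_secret:
            line, _col = self.getpos()
            # Report where the secret is and how long it is, never the value.
            self.findings.append({"line": line, "name": name,
                                  "type": ftype, "length": len(value)})


def audit(html_text):
    """Return findings for every pre-filled secret field in a saved page."""
    auditor = SecretEchoAuditor()
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for label, page in (("weak", WEAK_PAGE), ("fixed", FIXED_PAGE)):
        print(label, audit(page) or "no pre-filled secrets")
```

A clean result here says nothing about the default "admin" login with no password; that still has to be changed on the device itself.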


========================================================
Test Prefixes and Exchanges // PhreakBlaze
========================================================
Introduction:
CO codes, or NXX codes, are special exchanges or other 7 (or 3) digit numbers 
for the maintenance of trunks. Most of them are not to be assigned by NANPA for 
usage. They are to be saved for a central office to use as test/special 
codes/exchanges. These numbers differ from CO to CO. 

What numbers are codes (usually)???:
Most CO numbers/NXX codes are universal but with different uses. Some are dialed 
using 10 digit dialing (NPA-NXX-XXXX), 7 digit dialing (NXX-XXXX), and even 3 
digit dialing (NXX). I've also heard of dialing (NPA-0XX-958), but I'm not sure 
what to do there. The common numbers are all N11 codes, 990, 959, 958, 950, 555, 
976, 700, and then some only used in your area. 

What are the numbers for???: 
Well, all the numbers' purposes differ from CO to CO (except for certain numbers, 
I'll discuss later). Wait, actually, the N11 codes, they usually don't change. 
They are usually supposed to be assigned as:

211 - Community Information and Referral Services
311 - Non-Emergency Police and Other Governmental Services
411 - Local Directory Assistance
511 - Travel Information Services
611 - Repair Service
711 - Telecommunications Relay Service (TRS)
811 - Business Office
911 - Emergency
(Note- They are not supposed to be assigned by the NANPA, but instead the FCC.)

But this is not always true, the only ones I've seen constant are 911 (duh!), 711, 
and 411. (Note- Recently in my area, when I dial 611, it says that the repair service 
is no longer available from that number, and must be reached from an 800 number.) The 
only ones that have a constant use are 700, and 976. The only way to dial 700 is 
(NPA-700-4141) and that's the only number in that whole range. (Note- 700 is the only 
one that can be assigned as an NPA by the NANPA.) Then 976 is used as pay services (they 
usually cost 1 dollar for a call to a service, but if you want to know the services 
in there, then just dial a wrong number, and a recording should tell you which numbers 
do what). The rest do stuff.

Your ANAC, Ringback, and NXX test numbers (and you):
One of the things that these codes are almost always used for is the ringback and 
ANAC for your CO/area/region (in my case, statewide). In the Garden State (New 
Jersey, DUH!!!) the ringback and ANAC are the same for the whole state. My ringback 
and my ANAC are 550-xxxx (ringback), and 958 (ANAC). Now, in case you didn't notice, my 
ringback is not one of the common codes, it is for this area/region only. Now as 
most of us know, these codes are free when dialed from a payphone, as are 990, 555, 
959, 950, and all N11, but not 700, and 976. Now the numbers that serve as a ringback 
and ANAC differ from place to place (Note- place is a general term, place could be 
state, town, or even CO). I've even seen ringbacks be on N11 numbers, so check all 
your N11 numbers for ringbacks and ANACs. Another thing I've heard of is a SASS unit 
being on a CO/NXX code. I believe it was in Captain B's area on the N11 code 311, it 
would play the number you're calling from like an ANAC but, it would do it twice, any 
time during which, you could enter a pass code. SASS units are not always on CO/NXX 
codes, they sometimes have POTS lines. (Note- If your area has a SASS unit, then don't 
try to look for ANAC or ringback once you find your SASS, a SASS is meant to replace 
those CO/NXX codes.)

I can't find my ANAC (or ringback), but I found my ringback (or ANAC), any advice/help???:
So, you can't find one of the two codes that does the ringback, or ANAC? No worries, 
I have a theory that may work for you.

***PhreakBlaze's Theory For Finding Ringback Or ANAC***

-Go to Telcodata.us

-Click on the search and enter your NPA and your ringback or ANAC code for the NXX. It will most 
likely come up in a thing called "ODDBALLCODES" with no CO name, just some Xs for 
the CO name. If it gives you a company name that owns it (ex: Verizon East), click 
on it; if not, search your NPA and your exchange, then click on the company for your 
region/state like the example above shows.

-Go down the list (it takes a bit to load) to where it starts listing your NPA and 
exchanges in it. Then start going down the list till you see an exchange served 
from the CO XXXXXXXXXX. The first exchange you'll probably see being served by that 
is 211. Now all that you see with the XXXXXXXXXX you should write down (if it's not 
one of the regular codes). 

-Now go to a payphone or normal phone and dial the codes (Note- sometimes, an ANAC 
will need a 7 digit number dialed, and other times not.)

Don't worry about the rest of the unused exchanges, they are most likely just 
exchanges that aren't in use, not codes.

Or, just go to: http://entanglement.net/~ntheory/phreaking...NPA=&NXX=&CLLI= 
"Good site" - rates PBlaze
"Wha?..." - says the New York Times

***End/PhreakBlaze's Theory For Finding Your Ringback Or ANAC/End***

Well, what else about these codes???:
Well, we now found (hopefully) our ANAC or ringback (or SASS), and maybe something 
else fun on those codes. Well some of the codes I've played with have not done 
anything except given me an error message that I have only heard when the code was 
not in service. As you may have also noticed, I said they are free to be called from 
a payphone. The only codes I've seemed to get working terminate at some place I don't 
know about. Some I've gotten to go to "A Verizon VMS," and others have gone to "network 
controllers." Other times I've gotten people who answer and all they say is "Verizon," 
and then wait for you to answer.

Any tips/reasons for scanning this stuff:
Yes, I do have some tips. Well, I'm not so sure of how good you would be at op 
diverting to it. Also, I'm not sure if there is any possibility/way to get in 
trouble for scanning these, but it would take the same amount of time to scan 
from a payphone as it would from home. When you call one that works, it will ring 
for a long time (never counted the rings), and then after two rings really close 
together, it will actually start ringing the person's desk/answering machine/ or 
the VMS picks up. 

For tips on where to scan, I'm not sure this will help much, but around here (so far) 
I've only been able to find numbers that work between 990-9000 to 990-9999 (Note- 990-9000 
is the Verizon VMS around here.)

Thanks for reading...

Shouts: Y0ung Br1an, Phreak Out, Decoder, Captain B, Dual, StankDawg, Icon, Dox, 
and everybody else at StankDawg's forums. 

===================================================================
Toolkit for the Telecom Enthusiast // blakmac [page33@mail.com]
===================================================================
This is a quick overview of a common kit that every telephone enthusiast should 
assemble.  Please note, this file is created for newbies, and I do not recommend 
using this kit and/or knowledge in any way that violates any laws.  The main goal 
is to educate those who want to learn about phone systems and plan to use this 
information ethically.  There are articles like this available on the net, but 
the proliferation of information is important, not to mention that lots of people 
want to learn these skills but don't know where to begin.  This just gives them 
another starting point.  The tools in this kit will be of use not only to the 
late-night phone phreak, but also the layman.  I strongly recommend keeping a kit 
such as this handy because telecommunications companies charge quite a bit to send 
a technician to your house to do repairs.  Learning about phone systems can prove 
to be an invaluable skill.  First thing you need to do is find a good tool bag or 
backpack, whichever fits your personal needs.  I recommend something small and 
easy to carry, and be sure it is well designed.  Personally, I use a simple 
Craftsman toolbag, which of course can be purchased at Sears.  The reason?  I 
needed a toolbag anyways, and I happened to like this one.

Now we need to begin gathering tools.  We aren't going to cover every conceivable 
tool needed here because we are just interested in assembling a kit for people just 
learning.  As time progresses, you will find that you may need or want to carry more 
tools.  Adjust your kit accordingly.  I have also included some tools that may or may 
not be necessary, but this reflects my personal kit.  Here is the basic toolkit:

Lineman's Handset*
Needle-Nose Pliers
Ratchet with 7/16 and 3/8 sockets
Wire Strippers
Telephone Wire
Electrical Tape
Scotch Tape
#1 and #2 Phillips Screwdrivers
Flathead Screwdriver
Gloves - preferably Mechanix Brand (very nice, comfortable)
Microcassette Recorder
Flashlight
Disposable Camera
Alligator Clips
Multimeter

Some of these items may not seem to be useful, however you can never know when 
you will need these tools.  Be sure when you select your tools that you get tools 
that are properly shielded, for example, rubber handles on the needle-nose pliers, 
alligator clips, screwdrivers.  The reason for this is that phone lines are low-voltage 
systems, and they will shock you.  A telephone line that is on-hook passes about 50 
volts, and while ringing passes from 90 to 130 volts.  This can hurt, even though it's 
still considered low-voltage.  Be very careful when working with wire pairs.  If you 
are working on the phone lines inside your house or office, I recommend going to the 
telephone access node on the side of your building and disconnecting the pairs.  In 
most cases, there will be a short wire with an RJ-11 connector (a standard phone jack). 
Disconnect this.  This is the main patch where you can cut off phone access to the 
building.  Also, when you call the telco if you are having phone trouble, they will 
ask you if you have checked the inside hardware.  That doesn't mean test the phone 
at a friend's house, it means take the phone outside to the access node and jack in 
to it.  If you get a dialtone, then the problem is inside the building and is your 
responsibility to repair.  If not, test your phone at a friend's house (of course, get 
permission), and if it works, contact your telco.  The gloves provide extra shielding 
from the wires, and also any small insects that may be inside junction boxes, access 
nodes, etc.  Also, for the phone phreak, the gloves provide the added security of 
covering fingerprints (again, ethics are important).

The lineman's handset is one of the most valuable tools you can have for working 
on telephone systems.  However, the only ones I have found were in pawn shops, 
and they ran close to $100.  I recommend making one, which can be done for very 
little money.  First, find a standard, corded telephone.  Radio shack sold one a 
while back that was small enough to fit in your pocket, and folded like a cell 
phone.  If you can find one I recommend using it.  If not, go to your local 
Goodwill or Salvation Army and pick up a cheap phone.  You will also need some 
phone wire, preferably 1-2 feet long, however you can use as much as you like.  
Cut the wire, and if it does not already have one, place an RJ-11 jack on one end.  
This is the end that will connect to the handset.  On the other end of the wire, 
strip the shielding away to reveal the wires inside.  I would trim off the yellow 
and black wires, they won't be needed.  Strip the shielding off of the red and green 
wires, be sure to leave some of the red and green shielding visible.  Attach your 
(shielded) alligator clips on the wires.  You now have a lineman's handset, ready for 
testing pairs.  You do know a good ANAC, don't you?  (1-800-555-1140)

The ratchet can be used to gain access to access nodes, junction boxes, etc.  I do 
not recommend accessing junction boxes, as this is illegal in most places.  The 
electrical tape is good for, you guessed it, connecting wires.  The Scotch tape can 
be used to "seal" a box to make sure it has not been tampered with, which is good 
if you suspect that someone may be accessing your line from the outside.  The 
microcassette recorder can be used to take notes of what you find, however, they 
can be used for many other things, none of which will be covered in the scope of 
this article.  The flashlight is used to give you light (I shouldn't have to explain 
this), and the camera is good for taking pictures of the things you find that you 
want to remember (again, I shouldn't have to explain).  The multimeter is used to 
check the voltage of the phone lines.  I strongly suggest taking readings and 
making notes.

Now that you have your kit assembled, you are ready to go into the field and learn.  
Be sure to remember that ethics are extremely important.  Don't do anything that will 
get you in trouble or hurt somebody (physically or otherwise).  Contrary to popular 
belief, it is NOT COOL to wipe out people's phones and run up phone bills.  If you do 
this, then you are not cool, and you WILL get caught.  I assume no responsibility for 
your lack thereof.  If you misuse your abilities, you make us all look bad, and you 
deserve whatever punishment you will receive.  But for those of you who want to learn 
a very valuable skill, then by all means, pursue it.  Happy exploring!


========================================================
[THE OLD CODE]
We will be putting random bits of source code here.  Some may be good, some not so 
good, and some just flat out lame.  Anyways, here's this issue's code:

Useless code in TI-BASIC -- by blakmac
10 CALL CLEAR
20 PRINT "WE DON'T HAVE ANY SOURCE CODE YET"
30 PRINT "SEND US SOME AND WE WILL PRINT IT"
40 PRINT "..."
50 PRINT "NOW!!!"
60 GOTO 10
[/THE OLD CODE]
========================================================

========================================================
[LINKAGE]
This section is where we will add links that we find very worthy of perusal 
by the masses. Feel free to submit your links too.  If we like them, odds 
are they will end up here. Enjoy.

http://www.digzine.com -- Another awesome zine, better than ours, really.  And hardcopy, too!
http://www.binrev.com -- Yet another way awesome zine.  Also hardcopy.
http://www.datutoday.tk -- DATU site, also general phreaking info.  Good site.
http://www.page33.tk -- Page 33's other URL, in case you can't remember http://page33.port5.com.
http://www.hackthissite.org -- Some realistic wargames.  -=blakmac approved=-
[/LINKAGE]
========================================================


========================================================
[END NOTES]

Insert witty ending blather here.

Thanks: PhreakBlaze, Captain B, lowtec

[http://page33.port5.com]
[page33@mail.com]

[/END NOTES]
========================================================