Underground Periodical
"We're on the Up and Up"

:..:..::..Issue..::..:..:

Issue 5
July 1999

:.::.::.:.Staff.:.::.::.:

Cyborg - Editor
HitMan - Writer
Darkflame - Writer
CrossFire - Writer

:..::..:.Website.:..::..:

http://www.ecad.org/up/

:..::..:..E-mail.:..::..:

under_p@yahoo.com
upzine-subscribe@egroups.com

:.:.Alternative Hosts.:.:

http://www.ecad.org
http://www.swateam.org
http://www.tdshackers.com
http://www.deadprotocol.org/tgb/
http://www.pinnacle-creations.com

:..::..Introduction.::..:

<*> Underground Periodical, read by the FBI, feared and revered by the masses. Another month goes by and many more people have helped out as usual :). Another distributor climbs aboard, thanks tGb; if you want to be like him then get uploading right now. Well, I've finally started to get recognised by people on IRC; lots of people talk just to say hello, point out minor mistakes in articles or tell me their ideas, all of which are much appreciated.

<*> Well, we received many applications for the role of Webmaster, all were impressive, but a friend convinced me that it would be better to stay independent. We gave the site a minor overhaul; it's a little bit more slick but still needs work. So now we all help out with the site; expect more changes and additions over the coming months. We'd still like suggestions for ways to improve the site. Keep sending those helpful emails.

<*> We'd like to thank any and all people who submitted to issue five or contributed in any way. They are the people who go out of their way to help others. Without continued support from the underground community we won't be able to keep on going.
It's your magazine, so help it out a little. Anyway, on with this issue...

:..::.:..Contents.:.::..:

<*> 1 - Introduction & Contents : Cyborg
<*> 2 - Dextromethorphan Trip : DrnknMnky
<*> 3 - Phreaking In Britain : Trionix
<*> 4 - Forgery And Tracing : Mob Boss
<*> 5 - Getting Free Dial-Ups : Neonbunny
<*> 6 - Dealing With Payphones : T|rant
<*> 7 - Digital Broadcasting : HitMan
<*> 8 - Subscriber Units Guide : Cyborg
<*> 9 - Explosive Formulas : Scooter
<*> 10 - AOL Instant Messenger : CrossFire
<*> 11 - Research Machines : NeonBunny
<*> 12 - Anonymous Hacking : AlphaVersion
<*> 13 - You've Got Mail : Readers
<*> 14 - Disclaimer & The End : Up Staff

:..::..End Of File..::..:

:..::..File 2 Of 14.::..:
:.Dextromethorphan Trip.:
:.:.:..By DrnknMnky.:.:.:

<*> MY FIRST DXM TRIP by DrnknMnky

"Use your powers for good, not for evil. Well, you can use them for evil if you want, but it voids your warranty."

Dec. 1, 1998
Subject: Male 140lb (63kg) 19 yrs
Location: Tiny dorm room in SK, Canada; bathroom across the hall
Prev Exp: Pot, oil, alcohol
Dosage: 150ml bottle of Delsym DXM. Ingredients are dextromethorphan polistirex (900mg)

At 5:30p I ate a ham sandwich and some cookies. I wasn't sure if I was going to do this tonight or not. I finished reading the DXM FAQ and about 200 reports, so I figured I was ready.

At 7:00 I diluted about 1/2 the bottle (450mg) of Delsym in some water and gulped it down. It was actually pretty good. I started up a journal to record what I was feeling. I also took a few puffs of Berotec (asthma inhaler), just in case. I got out some CDs and a blacklight; my stomach gurgled a bit and felt a bit tight, but not nauseous at all. I played around some more on the computer.

At 8:15 I started feeling lightheaded, but by 8:30 it went away. I decided to finish off the bottle, so I now had 900mg in me. At about 9:00 I started feeling drunk, goofy, then mellow and nice. By 10:00 I was feeling very stoned and time was slow.
I talked on IRC a bit and took out my contacts because they were bugging me. I lay on the floor and looked at the ceiling, listening to music. I was listening to Tool, but I took it out and put in Underworld. The stucco ceiling looked all sparkly with the blacklight on.

After enjoying the buzz for about an hour, I had to go to the bathroom. I felt OK enough to handle it. Unfortunately, I haven't been stoned in a long time and forgot how to handle it in public. I opened the door to go across the hall to the bathroom. There were two guys standing about 5 feet down the hall talking about something. Don't ask me why, but I did panic and sorta jumped across the hall into the bathroom and shut the door. Later, when I came out, they were gone.

For some strange reason I had an urge to phone my girlfriend. She had no clue I was doing anything like this. She is straight, doesn't even smoke. Luckily, she is very open minded. We talked for about 15 min, and then I told her what I was doing. (This stuff must be truth serum!) She was a bit scared, but I told her I had researched it and everything. I started to explain the reason I was doing this, etc. when I peaked.

I don't remember much of what happened then. Lots of CEV. Energy clouds, flowing strands of colour, everything. A big weird triangle, blue, green, black, pink... Somehow we started talking about life, the universe, and everything over the phone. I was definitely 'at oneing': what I felt & saw I told her, what she said back got incorporated into what I was seeing, we started connecting on a spiritual/mental/psychic level. I could see the two of us as big jellyfish made of energy (like Abyss). I could see the whole network of consciousness, and God was a huge blue strand of energy that connected everything together. It was cool. It was definitely a religious experience, and I'm not even that religious. One thing was clear to me, however: there is a supreme power.

"I have no idea what happened - blue green mesh mold network - connected - GOD wow."

One thing that I realized is that everything was planned out through fate. Everything from the day I met her, to when I found out about DXM, to this day that I decided to try it, was utterly planned out.

About 1 1/2 hrs (1 hr after I peaked) into the conversation I started coming down enough to ask "what the fuck just happened?". Both of us still don't know, but both of our perceptions of life have changed drastically. We talked for 2 1/2 hrs. That's going to be one massive phone bill :(

After I hung up, I felt extreme deja vu, like I knew this place... "This is the real reality, this is where I live." I think I lay in bed now, and just thought. No more CEVs.

I got up to go to the bathroom. At 1:44 AM I was "walking around like a tank" (I think I was walking around my room on my toes for a bit). When I walked down the hall to the second bathroom (the first was being used) I felt like I was walking like a toy soldier, sticking my feet way out. Seemed like I was in a Busta Rhymes video. My pupils were huge, and my left was bigger than the right (doesn't this mean hemorrhaging or something?).

At 2:00, I lay in bed and thought. I might have drifted in and out of sleep. I noticed my eyes were taking 2-3 sec. to look at things after I looked at them. Like, I'd try to look at the desk, and then my eyes would slowly track up to the desk. I think I fell asleep at about 4:00.

At 7:00am I woke up and noticed my eyes were still doing the same thing. Still pretty stoned. At 12:00 I woke up again. Everything was back to normal. I had a slight headache that went away as soon as I drank something. For the rest of the day, I've felt sort of warm and nice, and more solid and grounded. I haven't eaten all day, but I'm not really hungry. I just want to lay in bed and read.
I've talked to my GF, and our relationship is definitely on a higher level now, so that worked out pretty good (don't try this at home). It was definitely a good trip. I'm thinking mid/high second plateau. Most of the things I saw came from things either one of us said. I didn't lose any idea of identity or location. I didn't get nauseous (but I have a very strong stomach), no itching, etc. I came down with some new perspectives, beliefs and a stronger relationship with my GF.

Will I do it again? Probably, but not for a while; I have finals, etc. coming up. This seems for me like something every once in a while when I'm feeling like exploring.

DrnknMnky

:..::..End Of File..::..:

:..::..File 3 Of 14.::..:
:..Phreaking In Britain.:
:.:..:..By Trionix.:..:.:

-- .o0Phone-Boxes0o. --

By Tr10n1x of #HackUK on Undernet.

How to get free calls from a payphone, without pissing about with tone generators, redboxen and such like. The best thing about this is that you don't need to ring operators, so they can't trace you. In fact, the only way people know what's going on is if they compare the phone bill for the box with the amount of money in the tray; hardly likely that a BT employee will be able (or bothered) to add up anyway.

Ok, first, you need a shit old phone. Cut the lead connecting the phone to the phone jack. Get some crocodile clips and connect them to the red/blue wires, or the yellow/black wires, depending on the age of your phone. Don't worry if none of your wires are those colours; just because YOU'VE GOT A FREAK PHONE THAT'S CRAP AND NO-ONE'S EVER HEARD OF AND IS SHIT, doesn't mean you can't get free calls from it ;) If you have got a freak phone, experiment by connecting each wire back up to the original (before you cut it), and see which 2 wires give you a dialtone. Attach the croc. clips to those. Right, you now have a beige box, or linesman's handset.
I call mine a glasses box, because I dismantled my phone and put it into a much smaller container, a glasses case, to prevent prying eyes wondering what I'm doing with a separate phone in a phone box. You might want to disguise yours too, if you're planning to use a phonebox in urban areas (not recommended).

Next, you need to go outside and hunt for the right kind of phone box. Don't even think about going anywhere near the new glass phone boxes, because you've no chance, AND they're always in highly public areas, so you're a prick if you plan to use them :) You're looking for an OLD red payphone.

Found one? Go inside, and look at the floor underneath the money box. You see a big metal triangle on the wall of the box, with a metal tube going up to the phone. Get a hammer and wrench this casing tube off. You'll now have a wire. Pull this out from around the back of the money box. Eventually, this cable will meet with a white phone line. They'll be connected by two wires (if there are lots, you want the blue and orange ones). Strip the wires back partially (about 1/2 a centimetre) and attach your crocodile clips from YOUR phone to them. Check that you have a dialtone, and BINGO! Free calls, paid for by BT. When you're done, tuck the wires back where they were, so people don't think it's been tampered with.

Oh, one last thing: NEVER call home unless it's an emergency, and ALWAYS dial 141 before all calls, that stops Big Brother from tracing you.

-- .o0Blue-Boxing0o. --

Welcome. Are you pissed off with paying for calls? Me too. Are you pissed off with shit blueboxing files? Me too. That's why I've written this text. The basic structure of a blueboxing file goes:

Here is how to bluebox
Here are the tones you'll need
Go get Bluebeep
Find a C5 line
EXPERIMENT

The one that really pissed me off was the last one. Experiment. Frankly, I don't want to. I want to be able to bluebox straight away, no questions asked. I imagine that's how you feel, so I'll teach you.
First, what is blueboxing?

Blueboxing is possibly the most commonly used skill in the phreaking community. Or at least, it was. Don't worry, it's not extinct, that's bullshit. It started in the US (quelle surprise?), when phreaks got tired of paying for calls. They found out that if they sent 2600Hz down the phone line to a local number they'd already dialed, they could dial any number they wanted in the world, all for the cost of a local call. It used to work here, but no longer. Which, in a way, is a good thing, because now it means we don't have to pay the local call either; it's all free. Basically, the 2600Hz tone told the fone company 'This person's hung up, stop charging them'. And from there, the phreak could call anywhere. It's called blueboxing because there used to be a little box that made the tones needed, and funnily enough, it was blue. Anyway, in the UK it's a little more complicated.

What do I need to bluebox?

The program found at hackuk.8m.com, S|ain's UK tone Emulator.
A soundcard.
A phone near your soundcard.
A C5 number.

A what number?

A C5 number, it's an undeveloped phone line that still thinks certain tones mean the caller has hung up. They are usually 0800 890 ***, and they connect to various poor countries. I know of two that are currently useable, the first being one I can't get to work, Uruguay direct, and the second, the one I use, Bolivia Direct (0800 890 059). If it packs up, just go to the back of your phonebook and you'll find more there. You'll know they're C5, as there'll be a high-pitched CHEEP CHEEP when the other end picks up. Bolivia is especially good, as it is automated, so no operators will get pissed off with you, trace you, send you to prison and get your parents/guardians (see how Politically Correct I am?) pissed with you so they disown you. Which they can do, by the way, in case you're thinking of calling Bolivia direct without dialing 141 first. Not that that'll save you anyway.

I'm sorted, now what?
Dial the number, wait about 5 secs, and you'll hear a cheep cheep, followed by some Bolivian speaking to you (it's automated, don't worry, they won't laugh at you when they realise you've failed miserably and start bleeping at them). That step's to make sure you know what you're dialing, and that you've dialed it right. Hang up.

Ok... and now?

Open S|ain's program. Click on Blue Box. Ignore what's written on the buttons, it's wrong. Press all the buttons to make sure they're working. Keep this program open.

Right, get on with it, I want free calls!

FUCKING WAIT. Pick up your phone and call Bolivia (0800 890 059). Put your phone next to the speaker from which your tones flow out. Press the button (on the program) marked '2400/2400 mix'. Now press '2400 hz'. Hold the phone to your ear. If you hear a long bleep, you've fucked up; you've got to press 2400 hz really quickly. If you hear nothing, good. Put the phone back to the speaker, and press KP, now dial the number you want to call (inc. country and area code). Press ST. You're there, the call's being connected.

A basic summary of what to press:

0800 890 059 --> 2400/2400 mix --> 2400 hz --> KP --> Country Code --> Area Code --> Number --> ST

-- .o0Red-Boxing0o. --

Ok, redboxing. This takes more guts than blueboxing, but not much; you just need social engineering skills (the ability to persuade someone to give you what you want). For more info about social engineering, just ask Mister-X ;)

Right, first, what do you need? Things you'll need:

S|ain's UK box emulator at hackuk.8m.com
A tape recorder (dictaphone ideal)
A walkman
A small (walkman headphone) speaker
A phone box

OK, set up your dictaphone or tape recorder to record from your PC onto either. The recording MUST be clear, but I'll leave that to you. Load up S|ain's UK box emulator. Click on Redbox. Start recording on your tape player/dictaphone. Click on the 50p button. Wait 2 seconds, then click on 50p again.
Repeat this until you've got enough for the call you want to make. Put the tape in your walkman, and plug in the speaker. Go down to your local telephone box.

Next step, dealing with the operator. Putting money into a phone box creates tones. The only way an operator knows you've put in money is if they hear these tones. These tones are the ones you've just recorded :) Decide where you want to call. First, dial 155 to report a fault to the operator. Say that you can't call a number, because the (whatever) button is broken. Operator will ask you to insert money. Here, you play the tones back to them. They'll then connect you. You now have free calls!

Bad things to do:

Decide you're calling 0891 33 99 55 and tell them the '7' button's broken.
Be rude to them.
Be mouthy.
Tell them what to do; they're an operator, it's their job, if you tell them what to do, they won't.

Bye and stuff:

[HackUK ASCII logo]

Trionix
#HackUK Undernet
http://www.hackuk.com

:..::..End Of File..::..:

:..::..File 4 Of 14.::..:
:..Forgery And Tracing..:
:.:..:.By Mob Boss.:..:.:

<*> The wonderful and evil world of e-mail
<*> The art of e-mail forging and tracing explained in one simple text

This is my second article on hacking, my first being the ethics of a true hacker, which is available on my web site at http://mobboss.dragx.cx. This article will touch on the subject of mail forgery and tracing. Please beware any info learned in this article is to be used only for the purposes of information and not wrong doing. The Mob Boss will in no way be responsible for your stupidity. Now on with the article.

Now there have been several guides written about this on the internet, yet a lot of people still don't understand or haven't read about it yet. Most of the guides fail to show you how to find a willing server as well, since that is the major problem these days.

I. Forgery - E-mail forging, how is this done?
This is quite easy to do as long as you can type and boot up telnet. Telnet is a program for connecting to remote hosts and it ships with Windows 9x and all distros of UNIX. To run this program simply go to Run then telnet, or the DOS prompt, then simply type telnet while in c:\windows. That's simple enough, and I hope that every newbie hacker who is running Windows becomes good friends with telnet, because if you ever want to hack you're going to do it through telnet, that is for sure, when you are running Windows for your main operating system.

Now the second step is connecting to a remote host, the computer you want to do this from. Now I will almost guarantee on your first shot you will not get to forge mail your first time, because over the years security has become better and sysadmins are stopping the routing of mail. Anyways, click File and then Remote Host. This brings up a box in which you choose a port and a host. Now for port, notice that a default value of telnet is in there. That's the equivalent of port 23. That is used to physically log into a system, such as into your ISP shell account, which allows you to give UNIX commands to one of your ISP's computers. We won't be working with that default port, the telnet one; we will be working with port 25, the standard SMTP port, which is the port that sends out mail. This is the port which mail forging, mail bombers, and those sendmail exploits you see so much of occur on. So let's begin by choosing a host and then port 25. Now if this doesn't work on the first computer don't get discouraged; that's the best trait a hacker can display, persistence.

Now when we telnet in we will be displayed with a welcome message which will have the computer's name and hostname. It will be followed by the daemon software they are using, usually sendmail, which runs on a UNIX platform and is, to say the least, an intruder's best friend in gaining root.
Now the second step is to greet the computer (they have feelings too you know):

    helo Dreamer.Foobar.com

Then the computer will say hello and will display where they logged you from. The next thing to do is to specify a return address. For this put in any god damn thing you want; remember, you are in control muhahahahahah:

    mail from: President@whitehouse.gov

Now if everything goes according to plan and the machine allows routing, well then bingo, you won the booby prize. But we're getting ahead of ourselves; there is still another crucial step. We have to specify a recipient, which will tell us whether or not this computer wants to be our friend:

    rcpt to: Lewinsky@interns.com

Now if you get a message such as "Sorry routing not allowed" well then you're out of luck, and move on to the next machine. But if it accepts it then you have found that trusting machine. Notice on the different machines how the message, "Routing denied", can vary in its tone and pleasantness. Anyways, on to the next step, the body of the message:

    data

This tells the computer you are ready to write the message. It will then say enter your message and end by hitting enter, then a period by itself and enter.

    Hey Monica, my place or yours?
    .

Then it will say message accepted for delivery. Just enter the command exit and it will close you out of the system. It's that simple.

- What the hell is this any use for?

This is one of the most basic and helpful hacks you can learn. Whether you aspire to be an evil criminal, or in the words of Carolyn Meinel, a whitehat hacker, then you need to know this. It gives you some practice in a command line atmosphere where all the real hacking takes place; very little is or can be done in a graphical Windows interface. Now the other thing this is good for is if you are an eager beaver when it comes to social engineering. The wonderful things that could be done with an e-mail appearing to be from system administration.
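The session above shows the client side. Where the "Routing denied" answer actually comes from is the server's relay policy: the envelope sender in MAIL FROM is taken on trust, and the only decision point is RCPT TO. The following is an added example, not code from the article and not sendmail itself; it is a toy model of the server-side policy a mail admin configures, with constructed local domains and relay networks, so you can see exactly which step accepts a forged sender and which step refuses a third-party recipient.

```python
import ipaddress
from typing import Iterable

# Added example (not from the article): a toy SMTP "server side" that shows where
# the "Routing denied" / "Relaying denied" decision described in the article is
# made. Real MTAs such as sendmail implement this in their access rules; this is
# a simplified model of the same policy, not sendmail's code.

LOCAL_DOMAINS = {"foobar.com", "interns.com"}          # domains we deliver for (constructed)
RELAY_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # clients allowed to relay out (constructed)


def is_local_recipient(addr: str, local_domains: Iterable[str]) -> bool:
    """True if the recipient's domain is one this server delivers mail for."""
    domain = addr.rsplit("@", 1)[-1].lower()
    return domain in local_domains


def may_relay(client_ip: str, relay_networks) -> bool:
    """True if the connecting client sits on a network allowed to relay outbound."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in relay_networks)


def run_session(client_ip: str, commands: list, local_domains=LOCAL_DOMAINS,
                relay_networks=RELAY_NETWORKS) -> list:
    """Feed client command lines through the policy and return the reply lines.

    MAIL FROM is never verified: plain SMTP gives the server nothing to check the
    envelope sender against, which is why the forgery in the article works at all.
    The only gate is RCPT TO: local recipients are always accepted, anything else
    only from a permitted relay network."""
    replies = ["220 mail.foobar.com ESMTP (toy policy server)"]
    sender = None
    in_data = False
    accepted_rcpts = 0
    for line in commands:
        if in_data:
            if line == ".":                      # lone period ends the body
                in_data = False
                replies.append("250 Message accepted for delivery")
            continue                             # body lines produce no reply
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("HELO", "EHLO"):
            replies.append(f"250 mail.foobar.com Hello {arg} [{client_ip}]")
        elif verb == "MAIL":
            sender = arg.split(":", 1)[-1].strip()
            replies.append("250 Sender ok")      # accepted without any verification
        elif verb == "RCPT":
            rcpt = arg.split(":", 1)[-1].strip()
            if sender is None:
                replies.append("503 Need MAIL command first")
            elif is_local_recipient(rcpt, local_domains) or may_relay(client_ip, relay_networks):
                accepted_rcpts += 1
                replies.append("250 Recipient ok")
            else:
                replies.append("550 Relaying denied")   # the "trusting machine" test fails here
        elif verb == "DATA":
            if accepted_rcpts == 0:
                replies.append("503 No valid recipients")
            else:
                in_data = True
                replies.append('354 Enter mail, end with "." on a line by itself')
        elif verb == "QUIT":
            replies.append("221 Closing connection")
            break
        else:
            replies.append(f"500 Command unrecognized: {verb}")
    return replies


if __name__ == "__main__":
    # The article's session, plus one off-site recipient, from an outside address.
    session = ["helo Dreamer.Foobar.com",
               "mail from: President@whitehouse.gov",
               "rcpt to: Lewinsky@interns.com",
               "rcpt to: someone@example.net",
               "data", "Hey Monica, my place or yours?", ".", "quit"]
    for reply in run_session("198.51.100.7", session):
        print(reply)
```

Run from an outside address (198.51.100.7 in the sample), the local recipient gets "250 Recipient ok" and the off-site one gets "550 Relaying denied"; the same off-site recipient from 10.x is accepted. The forged MAIL FROM is accepted in both cases, which is the point: closing the relay stops the machine being used to send to arbitrary third parties, but does nothing about sender spoofing on its own.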
Another handy thing is that this can be used as an impressive trick to show your friends who are clueless in AOL la la land. They'll find this very impressive. If you have ever used a mail bomber maybe you'll remember it asking for a server, and it allowed you to send e-mail from any address. This is all because it uses the same principle that we have learned today. As you can see this is quite useful for a variety of things and is something every aspiring hacker should learn.

- WHAT THE FUCK!? It won't let me route or something?

Ok now, calm down. The reason is because the sysadmin at the computer you were trying to telnet into and forge from is smarter than the average bear. But this is the MOB BOSS you're talking to, so of course I'll give you some hints on how to find open boxes. First of all, don't attempt this on any military computers, all you 31337 hacker buffs, unless you enjoy being interrogated (though I should write an article on that). Now after you narrow that down, try to forget about government computers like courthouses and state agencies. Although there are some good boxes, it's an unnecessary risk. Your best bet will definitely be *.edu servers. Colleges and universities have the laziest security, although I have found some very secure computers at those places of learning.

A good place to start looking is on a search engine such as AltaVista (www.altavista.com). From there, pour yourself a big cup of coffee and prepare for some searching. Look up universities and colleges. There are so many variations you can do, it's pathetic. Now make a nice long list of them and then once you have a fair amount of hosts start telnetting. This might be a happy or discouraging moment but no matter what don't give up. Persistence will beat all, at least most of the time. Take a look at the versions of sendmail; those computers that are paying off are usually old dusty versions, huh? Anyways, I have found this the best way to look.
Now these can be used for a variety of purposes, mail bombing and mail forging alike, but under all circumstances be sure not to use one server too much. This can piss off a sysadmin royally, especially if you and a buddy are being idiots and using his computers to mailbomb constantly. If you do idiotic things like this expect your ISP to find out and kick your ass off. Now since good ISPs are hard to come by these days this might be a royal pain in the ass, so watch yourself. Now once you have a few computers which route, go trade with friends who do the same or in chat rooms. Expect that they'll want something in return though. Nothing is free.

II. Tracing e-mail

- What's the point?

Well, ever want to get revenge on that spammer or the schmuck who bombed you? Well, tracing the messages back to the idiot's ISP is a good start. Now also I have had many attempts on my accounts with trojans and viruses, but once I spotted the mini intruders I traced it back to the ISP and informed his sysadmin. Never had anything else from him again hahahahahahaha. Also it's the best way to scare a stalker or an abuser. Those threatening e-mails may leave some people helpless, but we are hackers so we take action. The hunted becomes the hunter. This can all be done by turning an e-mail and tracing it.

- Ok sounds good, so how is it done?

First step is to check out the full header. I am way too lazy to tell you how to do this because it's in the manual, but I'll tell you right now on web based e-mail the option for full headers is usually in options, although on Hotmail I hit reply and the header is right there. Ask your tech support people if you can't figure it out yourself. Anyways, in that header there is a variety of info there that we want to know. There are two main things you want to know though. The biggest is going to be the "Received: from" thing. It's here where you want to look for an IP address. Once you have that it's time to DNS that.
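The header-reading step just described, together with the reverse lookup that the next step performs, as an added example that is not part of the article: it parses the Received: chain of a message, takes the IP the first receiving server recorded in brackets (the HELO name next to it is whatever the client typed, so it is not evidence), and reverse-resolves it. The sample message is constructed, uses documentation address ranges, and the resolver is injectable so the code runs offline.

```python
import re
import socket
from email import message_from_string

# Added example (not from the article): trace a message back through its
# Received: headers to the originating IP, then reverse-resolve it as the
# article's nslookup step does. SAMPLE_MESSAGE is constructed; 192.0.2.x and
# 203.0.113.x are documentation ranges, not real hosts.

SAMPLE_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mail.recipient.example (8.9.3/8.9.3) with ESMTP id AAA12345
\tfor <victim@recipient.example>; Tue, 6 Jul 1999 10:15:02 -0400
Received: from Dreamer.Foobar.com (dialup-77.isp.example [203.0.113.77])
\tby mx1.example.net (8.8.5/8.8.5) with SMTP id KAA00321
\tfor <victim@recipient.example>; Tue, 6 Jul 1999 10:14:48 -0400
From: President@whitehouse.gov
To: victim@recipient.example
Subject: hello

Hey, my place or yours?
"""

# Bracketed dotted quad that the receiving server itself observed on the socket.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message: str) -> list:
    """Return the Received: headers oldest-first as (helo_name, seen_ip, by_host).

    Each server prepends its own Received: line, so the bottom-most header is the
    one written by the first server that accepted the message from the sender."""
    msg = message_from_string(raw_message)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        flat = " ".join(hdr.split())               # fold continuation lines
        m_from = re.search(r"from\s+(\S+)", flat)
        m_by = re.search(r"by\s+(\S+)", flat)
        m_ip = IP_RE.search(flat)
        hops.append((m_from.group(1) if m_from else None,
                     m_ip.group(1) if m_ip else None,
                     m_by.group(1) if m_by else None))
    return hops


def originating_ip(raw_message: str):
    """IP recorded by the first accepting server, or None if no hop carries one."""
    hops = received_hops(raw_message)
    return hops[0][1] if hops else None


def reverse_lookup(ip: str, resolver=socket.gethostbyaddr) -> str:
    """Reverse-resolve ip (PTR). resolver is injectable so tests need no network."""
    try:
        return resolver(ip)[0]
    except OSError:                                # socket.herror/gaierror are OSErrors
        return "(no PTR record)"


def trace(raw_message: str, resolver=socket.gethostbyaddr) -> dict:
    """Summarise what the headers prove versus what the sender merely claimed."""
    msg = message_from_string(raw_message)
    hops = received_hops(raw_message)
    helo, ip, first_server = hops[0] if hops else (None, None, None)
    return {
        "claimed_sender": msg.get("From"),       # free text, chosen by the sender
        "helo_name": helo,                       # also chosen by the sender
        "origin_ip": ip,                         # observed by first_server
        "origin_ptr": reverse_lookup(ip, resolver) if ip else None,
        "first_server": first_server,            # who to send the abuse report to
        "hops": len(hops),
    }


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        print("hop:", hop)
    print("originating IP:", originating_ip(SAMPLE_MESSAGE))
```

On the sample, trace() reports the From: line as "President@whitehouse.gov", the HELO name as Dreamer.Foobar.com, and the observed origin as 203.0.113.77 accepted by mx1.example.net at 10:14:48; that server and timestamp are what an abuse report should quote. One caveat the article does not state: a sender can type fake Received: lines into the body of the message, and they will appear below the genuine ones. Only trust the chain from the top down to the first server you do not recognise, and treat anything beneath it as sender-supplied.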
If you have a shell account go to it and do nslookup IP addy. Once you get the server's name you'll do a whois query. Hopefully your target has a small ISP or university account. If this is true you will know his state and possibly town. Using this info casually in an e-mail to him will make him worry. Also you will now have the power to inform the sysadmin of the IP addy and exact time it was sent. This is so simple yet very few people do it. My suggestion is to look at all full headers you can. It will give you addresses to telnet into, look around, and will also give you the power to know exactly who the son of a bitch is. Now if you want to be really slick you might have one of those Yahoo accounts and will be informed immediately of any new mail which was just sent; then you'll have his current IP hahahahaha. This might be the perfect time to attack. Teach the guy a lesson if you must or turn him in; it's up to you. Practice these techniques; you never know when it'll come in handy.

mafia_man777@yahoo.com
http://mobboss.dragx.cx

By the Mob Boss
Co-edited by Dragoonx

This has been a publication written by THE MOB BOSS, he is in no way responsible for the accuracy or results from the use of info in this article. Anything done is totally done at the user's discretion. THE MOB BOSS in no way or form supports, aids, participates in the act of criminal hacking or phreaking. Any ideas, beliefs, and information gathered in all publications published by THE MOB BOSS is strictly for informational purposes only. THE MOB BOSS copyright 1999 all rights reserved.

:..::..End Of File..::..:

:..::..File 5 Of 14.::..:
:.Getting Free Dial-Ups.:
:..::..By NeonBunny.::..:

<*> Getting Free Dial-Ups From Free CDs
+-----------------------------------+

INTRO
-----

Most ISPs are freely willing to send you their sign-up CDs in the post or they've got their files on cover CDs freely available from your newsagents.
The other similarity that most ISPs have is that they distribute Internet Explorer to their customers as the default browser. To do this easily they use IEAK (Internet Explorer Admin Kit), which is freely available from the Microsoft site and is used to produce full installation packages for ISPs. Right, enough of the background...

IE4
---

The installations are often in their own directory called IE4 or similar and are normally made up of a bunch of .CAB (Microsoft's compressed files) and a few other executables. If you can't see these in your IE4 directory then make sure you've got the latest version of WinZip and right click on the executable file in the directory that looks like IE4; if you're lucky then it will have an "Open with WinZip" option which allows you to open the installation file's built-in files and extract them without installing them. If you still can't find the IE4 install files then you're in the wrong directory or your ISP's got wise, but this is rare and they're normally easy to find.

In these install files is at least one .isp file which is normally called setup.isp (although the name isn't set; make sure you're not hiding the extensions and use Explorer to look for the file). Once you've found the file hold down shift and right click the file then choose the "Open With..." option followed by Notepad (or your fav. text viewer!)

This .isp file holds all of the information that the IE4 install uses to dial into your ISP and sign you up a new account. To dial into an ISP you need a username and password of course, but you've not been assigned one yet since you're not a member of your ISP, so instead IE4 dials into a signup account while IE4 arranges to give you your password. The user name and password can be found in this .isp file along with the phone number of your ISP's reg-server.
Depending on how well your ISP's set up their server will depend on what you can access through this dial-in account. Normally it's just a single URL or server which has the registration process on, but if you strike lucky you'll find an ISP whose security is lame and allows you to have full internet access through the account, providing you with an anon, free account. If the ISPs get annoyed and change their password then simply re-apply for a sign-up CD and pull the password off again! I can't see there being any change in the IE5 distribution so it looks like this problem is around to stay :-)

IE3
---

After trawling through zip files it looks like the same trick can be done with IE3, but from my test install you're gonna need something which can open install.exe files, like WinZip. The general method is pretty similar. I played with the Netcom install files and here's what I found: first extract the files from msie30uk.exe or whatever the IE3 install file is. From here you need to open the iexplore.cab file and extract the contents; these include the set-up info. The test install had a phone.icw file which held the numbers for the local dial-ups; it also contained pointers to .dun files depending on the location. Opening these up in Notepad revealed that these looked similar to IE4's .isp files, containing user and pass info. Simply match these up with the number in phone.icw and happy surfing!

PROBLEMS
--------

The only problem that I've come across while using this method is with the InfoTrade ISP (run by Mitsubishi and has numeric user-names, urgh!)
I sifted through the .isp file, but I couldn't find the username/pass anywhere. I dialed in through HyperTerminal and sure enough it wanted a login, but alas there wasn't one anywhere; when I ran the .isp file it also prompted me for a username/pass. Looking through the documentation it appears that each new subscriber is given a user name and pass to sign on with that then becomes their permanent account. Now why haven't the rest of the ISPs done this? Simply because they don't treat you as a number but more of a person, so unless you pre-arrange the username this can't be done. It just goes to show how much difference it takes to prevent this hole from coming to light!

Here are a few accounts that I've pulled off CDs. If you have any more (restricted or not) contact me at the e-mail address below. Please note they are all UK specific.

Virgin Net
  Phone No: 0645 505440
  User: v.net
  Password: 6661066
  Other Info: Restricted Access

Cable & Wireless
  Phone No: 0645 300702
  User: guest
  Password: guest
  Other Info: Full Internet Access!!

Direct Connection
  Phone No: 0845 0798400
  User: isignup
  Password: Iwannaj0in
  Other Info: Restricted Access

Global Internet
  Phone No: 0845 0798777
  User: referral
  Password: msreferral
  Other Info: Restricted Access

Freeserve
  Phone No: 0845 0796699
  User: freeservesignup
  Password: signup
  Other Info: Restricted Access

UK Online
  Phone No: 0845 3331125
  User: signup
  Password: signup
  Other Info: Full Internet Access!!

O-Net (aka Orangenet)
  Phone No: 0181 9306630
  User: guest
  Password: (null)
  Other Info: Full Access!! You may need to select "Bring up terminal window after dialing" and not "log onto network" to allow null passwords.

NetCom
  Phone No: 0645 250101
  User: icwsignup
  Password: icwsignup
  Other Info: Restricted Access
  (Funny how these are the same as the MSN details!)
MSN
  Phone No: 0645 250101
  User: icwsignup
  Password: icwsignup
  Other Info: Restricted Access

Easy Net
  Phone No: 0645 220220
  User: signup
  Password: signup
  Other Info: Restricted Access

BT Internet Normal
  Phone No: 0345 288000
  User: register@btinternet.com
  Password: BTinternet
  Other Info: Restricted Access

BT Internet ISDN
  Phone No: 0345 640000
  User: register
  Password: BTinternet
  Other Info: Restricted Access

Demon Internet
  Phone No: 0645 300702
  User: olr
  Password: olr
  Other Info: Restricted Access - disconnects after a few seconds.

ClaraNET
  Phone No: 0845 0804000
  User: signup
  Password: sign123
  Other Info: Not Tested

Thanks go to...
  Chimmy who inspired this text.
  KingAde who added the O-Net dial-up.
  Anonymity for Demon & BT dial-ups.

NeonBunny
the_neon_bunny@hotmail.com
http://www.infowar.co.uk/hack-net

:..::..End Of File..::..:

:..::..File 6 Of 14.::..:
:.Dealing With Payphones:
:.:.::..By T|rant..::.:.:

<*> Most of you have seen War Games, right? Remember the part where David was stranded in Colorado and needed to call his girlfriend in Seattle? I knew you did. If you didn't, what David did was unscrew the mouthpiece on the payphone and make some connection between the mouthpiece and the phone. Well... that was pretty close to reality except for two things...

1> Nowadays, mouthpieces are not unscrewable.
2> You cannot make long distance or toll calls using that method.

Maybe that DID work on older phones, but you know Ma Bell. She always has a damn cure for every thing us Phreaks do. She glued on the mouthpiece!

Now to make free local calls, you need a finishing nail. I highly recommend "6D E.G. FINISH C/H, 2 INCH" nails. These are about 3/32 of an inch in diameter and 2 inches long (of course). You will also need a large size paper clip. By large we mean they are about 2 inches long (FOLDED). Then you unfold the paper clip. Unfold it by taking each piece and moving it out 90 degrees.
When it is done it should look somewhat like this:

[Diagram: the unfolded paper clip]

Now, on to the neat stuff. What you do, instead of unscrewing the glued-on mouthpiece, is insert the nail into the centre hole of the mouthpiece (where you talk) and push it in with pressure or just hammer it in by hitting the nail on something. Just DON'T KILL THE MOUTHPIECE! You could damage it if you insert the nail too far or at some weird angle. If this happens then the other party won't be able to hear what you say. You now have a hole in the mouthpiece in which you can easily insert the paper clip. So, take out the nail and put in the paper clip. Then take the other end of the paper clip and shove it under the rubber cord protector at the bottom of the handset (you know, the blue guy..). This should end up looking remotely like... like this:

[Diagram: the paper clip runs from the hole in the mouthpiece down to the cord, where it is shoved under the "blue guy" (the rubber cord protector) to make a good connection between the inside of the mouthpiece and the metal cord.]

Now, dial the number of a local number you wish to call, sayyyy, MCI. If everything goes okay, it should ring and not answer with the "The Call You Have Made Requires a 20 Cent Deposit" recording. After the other end answers the phone, remove the paper clip. It's all that simple, see?

There are a couple of problems, however. One is, as we mentioned earlier, the mouthpiece not working after you punch it. If this happens to you, simply move on to the next payphone. The one you are now on is lost. Another problem is that the touch tones won't work when the paper clip is in the mouthpiece. There are two ways around this..

A> Dial the first 6 numbers. This should be done without the paper clip making the connection, i.e. one side should not be connected.
Then connect the paper clip, hold down the last digit, and slowly pull the paper clip out at the mouthpiece's end.

B> Don't use the paper clip at all. Keep the nail in after you punch it. Dial the first 6 digits. Before dialing the last digit, touch the nail head to the plate on the main body of the phone, the money safe thingy... then press the last number.

The reason that this method is sometimes called clear boxing is because there is another type of phone which lets you actually make the call and listen to them say "Hello, hello?" but it cuts off the mouthpiece so they can't hear you. The Clear Box is used on that to amplify your voice signals and send them through the earpiece. If you see how this is even slightly similar to the method I just described up there, kindly explain it to ME!! Because I DON'T GET IT!

Anyways, this DOES work on almost all single slot, Dial Tone First payphones (Pacific Bell for sure). I do it all the time. This is the least, I STRESS *LEAST*, risky form of Phreaking. And remember. There are other Phreaks like you out there who have read this article and punch payphones, so look before you punch, and save time.

If you feel the insane desire to have to contact me to bitch at me for some really stupid mistake in this article, you can reach me in #hackuk on Undernet. Also, if you think of any new ideas that can be used in conjunction with this method, such as calling a wrong number on purpose and demanding your quarter back from the 0perator, tell me!! Find me on Undernet or email me. Oh, and if this only works on Pac Bell phones, tell me also! Thanks for your time.

T|rant
tyrant59@hotmail.com

:..::..End Of File..::..:

:..::..File 7 Of 14.::..:
:..Digital Broadcasting.:
:.:.::..By HitMan..::.:.:

<*> DAB <*>

Digital Audio Broadcasting....

NOTE:
-=-=-
With the release of this file I am in no way stating that I am an expert in the radio field, but read on if you think it is something that might interest you...
START:
-=-=-=-

We all by now know that the digital television phase has suddenly taken over the standard analogue television set's job of giving you a standard cable-operated amount of channels and turned it into a multi-functional 1000+ channel high quality receiver. Well, the second phase of this digital takeover is now on its way to give you the same operation, except this time it's on your car radio.

It's called Digital Audio Broadcasting and it's the most fundamental advance in radio since FM. Now, for the first time, you can tune into pure CD quality sound over the airwaves, without interference, fading or distortion, with more stations and services to choose from. And text, pictures and graphics can be sent to support audio programmes. DAB is compatible with other digital services, such as the internet. All of this, in-car.

Created in 1987 by a European consortium, DAB (also known as Eureka 147) is the only system in the world to receive International Telecommunications Union (ITU) recognition as a world-wide standard, and the word is spreading fast. DAB services will soon be available throughout most of the EU. At least 100,000,000 people are already within reach of DAB transmissions.

SYSTEM OVERVIEW:
-=-=-=-=-=-=-=-=-

With DAB, the audio signal from each programme is converted into a stream of digital data bits. This digital data is combined by a multiplexing technology known as COFDM into one Ensemble; an Ensemble consists of up to eight principal programmes, as well as additional programme related data and data for use with ancillary data services. COFDM spreads the data stream over the time and frequency spectrum, eliminating the effects of radio interference. This gives continuous CD quality sound for uninterrupted listening pleasure. COFDM also enables the creation of a Single Frequency Network (SFN). This allows the broadcaster to build a network of transmitters, each of which uses the same frequencies.
This eliminates the need for retuning, and adds to the convenience of the DAB service.

[Diagram: DAB Ensemble 1, one multiplexed data stream. Different ensembles often don't share services, and manually retuning to a different ensemble can take some time. Within one ensemble, services can share information (i.e. traffic, weather announcements etc.) and retuning is instantaneous. The ensemble carries a DATA SERVICE plus RADIO 1 to RADIO 5; a service can split into components, giving more choice (i.e. 1 = Tennis, 2 = Football, or News and Concert); Radio 4's concert can be carried in higher quality audio by borrowing Radio 3's spare capacity.]

Analogue signal can be very susceptible to interference:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

[Diagram: Analogue Signal Map. A wavy, interrupted path from TRANSMITTER to RADIO.]

Digital signal is direct and has less than 0.5% interference:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

[Diagram: Digital Signal Map. A straight path from TRANSMITTER to RADIO.]

MULTIPLEXING:
-=-=-=-=-=-=-

Multiplexing, in terms of digital broadcasting, is the process of interweaving two or more lower-speed data streams into a single high speed radio frequency channel, or Ensemble. DAB offers the possibility of Dynamic Multiplex Reconfiguration.
This means that the Ensemble contents can be adjusted according to the requirements at any time, allowing a different choice of programmes and services at different times. For example, the broadcaster can choose to simultaneously cover a football game and a tennis match, instead of only offering one sports programme (see diagram). Broadcasters now have more flexibility in programming and the listener has more choice. The Ensemble may also contain Programme Associated Data (PAD), Programme Type (PTY) information, Dynamic Label Segment (DLS - DAB Text), Language information and Announcement support information.

END OF FEAR:
-=-=-=-=-=-=-

[ASCII art signature]

[-=http://hitman.ie.8m.com=-]
[-=vectra500@geocities.com=-]

:..::..End Of File..::..:

:..::..File 8 Of 14.::..:
:..Subscriber Unit Guide.:
:.:.::..By Cyborg..::.:.:

<*> Introduction

[Overview]
Subscriber Units are Customer Line Interfaces. This is where two or more phone lines intersect; they are multiplexers which connect up to the local switching hub. They are sometimes installed in houses where a second phone is placed. Or you may have seen boxes on telephone poles where about fifty or more of the phone lines in a neighbourhood all join up. The reason for this is convenience: the lineman might need all the local lines in one fixed place at his disposal, and you probably thought all those commercials on television claiming convenience were just some slick telco advertising campaign. Ok, I'm not going to bore you with a list of telco acronyms, and seeing as they are mostly country specific and usually corporate speak it would be dull and useless to most people. I'm just going to talk a little about subscriber units in no great detail.
They are largely experimented with by the phreaking community due to their high level of accessibility; they are outside, which makes the possibilities endless. For more information head down to the back of your local telco yard with a balaclava and backpack, or search in your local library under telecommunications.

<*> General Information

[Overview]
Boxes located on the sides of roads deal with all the lines in that area; some subscriber units are full of hundreds of wires for that area whereas others can be much smaller. I would recommend having a look inside one of these as they are totally full of wires, but don't get caught opening one of these as you might be arrested! If you open one of these subscriber units you can beige box off it, good fun if the unit has hundreds of lines in it as you can easily seize lots of people's phone lines and hook up to your laptop. Alternatively, many have operator test sockets which you can simply plug your phone cord into. All the residential phone lines join into them and are connected by fibre optic cables to the local switching exchange.

[Diagram]
[Diagram: a subscriber unit box with seven ring and tip pairs on either side; best viewed in the Fixedsys font.]

This is a very rough diagram, especially considering that subscriber units can be big or small, black or green, whatever. It all depends on what country you live in, but aesthetic details such as size and colour are not important; what matters is the phone lines inside. The diagram above shows a very general example with seven ring and tip pairs on either side. There are many different kinds of copper pairs, each with their own colour coding, but that goes beyond the scope of this file.

<*> Country Interfaces

[Overview]
Customer Line Interfaces vary from country to country: size and shape, colour and context, many different types and styles.
This section is meant as a resource for looking up information on subscriber units in a small handful of countries.

[United States]
A subscriber unit in this country is officially referred to as a Telephone Line Interface but more loosely called a BellCan. In most states they are small green boxes usually going down into the ground. These Junction Boxes (as they are also sometimes called) can be black or green depending on which telco administrates them, e.g. Bell, GTE, MCI, AT&T etc.

[United Kingdom]
A subscriber unit in this country is called a Cable Access Box (CAB) and they are generally big green boxes, with the majority fixed by pole installation. The newer standard BT models have sockets where the phone is plugged into. They are also known as PCPs.

[Spain]
A subscriber unit in this country is called a Telefonica Rectángulo De Ensambladura. That roughly translates as Telefonica Junction Box; it is worth noting that Telefonica are the telco that hold the monopoly on the Spanish telecommunications market.

[Ireland]
A subscriber unit in this country is called an RBM. I'm not sure what that stands for, but it is a foreign acronym as Telecom Eireann's RBM supplier is Tadiran Communications, a company based in Israel. They are small black boxes found on poles etc. They are never buried underground. The most common models come in two and four copper pair units.

<*> Manual Installation

[Overview]
Below the overview are instructions for installing a subscriber unit. Ok, so maybe most phreaks won't care, but going with the philosophy that all knowledge is power I'm going to include it anyway. It is an extract from a manual that was given to me along with some other interesting items by a friendly lineman. It is supposed to be info reserved for telco employees. The official title is Installation Instructions For The RBM 2 Subscribers Unit. This particular unit is only compatible with European phone systems as far as I know.

[Unpacking]
1. Open the plastic bag.
2. Open the RBM housing cover by unscrewing the two slotted screws.

[Wall Installation]
1. Select an appropriate location on a vertical smooth surface for the Subscriber Unit.
2. Attach the RBM box, using the enclosed screws.

[Pole Installation]
1. Secure the RBM box to a pole with a flexible strap (not supplied).
2. Thread the strap through the pair of holes provided on the upper and lower parts of the unit and fasten around the pole.

[Wiring]
1. To insert wires into the box, cut the grommet bosses located on the front cover and route the wires through.
2. Strip away approximately 8mm of wire insulation.
3. Pull out the connector from its housing.
4. Insert the wires into the connector (see diagrams), using the plastic lever (the plastic lever can be used for all 11 positions).
5. Replace the connector into its housing.
6. Close the front cover.

[Inspection]
1. If the DLX unit is operated and connected to the digital line, verify that the green SYNC light is on. This indicates that the RBM 2 Subscribers Unit is synchronised with the DLX. Note: The light will begin to glow within 60 seconds of connector insertion.
2. If the subscriber lines are connected to the exchange, connect a telephone set in parallel with the subscriber connections and carry out an operational test.

[Diagram]
1. Wiring diagram for RBM 2 Subscriber Units.
2. The diagram uses the extended ASCII characters, best viewed in the Fixedsys font.
SUB 1 °--° SUB 2 /o\ _1___2___3___4___5___6___7___8___9__10__11_ °--° /___\ _____|___|___|___|___|___|___|___|___|___|___|___| /o\ \ \_____________/ / / / \ \__ /___\ \_________________/ / / \_____ DSL \ \_____________________________/ / \_________________________________/ <*> Signing Off _________ ___ ____ ____ ____ ______ / ____/\ \/ // __ ) / __ \ / __ ) / ____/ / / \ // __ |/ / / |/ __ |/ / __ / /___ \ // /_/ // /_/ // / / // /_/ / \____/ /_//_____/ \____//_/ /_/ \____/ cyborg@disinfo.net http://cyborg.ie.8m.com "as i walk through the valley of evil i shall fear no death... because i'm the meanest motherfucker in the valley" [mousey] [franco] [hitman] [simo] [r0b] [cheesy] [gpf#2] [crypt0genic] [demonr] [alan509] [darkflame] [crossfire] [zirqaz] [force] [zomba] [axcess] [firestarter] [freeman] [ego] [sunburst] [ginger] [lordphaxx] [hellbent] [tefx] [g_h] [rekcah] [neonbunny] [n1s] [h2so4] [npn] [call] [tds] [swat] [darkcyde] [scorpion] [#tds] [#hackuk] [#hackers_ireland] :..::..End Of File..::..: :..::..File 9 Of 14.::..: :...Explosive Formulas..: :.:.::..By Scooter.::.:.: Vegetable Shortening Bomb ------------------------- Materials: Chlorine Bleach or pool chlorine Vegetable Shortening Procedure: Mix the two together and watch the smoke pour out. Don't inhale the fumes they are dangerous to your health Pipe Bomb --------- Materials: Pipe with threads on one end Cap for pipe. Paraffin Steel disk size of pipe Hydrochloric acid Procedures: Take the pipe crimp one end closed and fill about 3/4 full of paraffin, poke a number of holes in the paraffin. On top of this place the steel disk (**make sure it fits around the top of the pipe completely) Put some HCl on the disk put cap on set with paraffin end down and get the hell away from there. In 2-5 minutes depending on the thickness of the disk... it goes kaboom cause the pressure builds of from the chemical reaction of the paraffin and the acid... 
the cap or the pipe (whichever is stronger) bursts Light Bulb Bomb --------------- Materials: Light Bulb Drill and Small Bit Gasoline Some silicon or something to plug a hole in the bulb. Procedures: Drill a small hole in the bulb fill it 1/2 way with gasoline plug the hole with the silicon (or something like that) screw it in (with the power off of course) and when the person turns it on boom!!!! Small Explosive mixtures: ------------------------- Materials: Petroleum jelly Potassium nitrate Procedure: Mix the petroleum jelly and potassium nitrate in a one to one ratio. When wet it is harmless... but when it dries it is highly explosive and shock sensitive. Store in oil. Materials: Potassium iodide pure iodine Ammonium hydroxide [ammonia water 10%] Procedures: Mix 3 grams of potassium iodide and 5 grams of iodine in a beaker with 50 ml. of water. Then add 20 ml. of Ammonium Hydroxide filter this substance and the resulting solid is called nitrogen triiodine. When this is wet it is safe but when it is dry it is as unstable as the last mixture. Common Rocket Fuel ------------------ Materials: Potassium nitrate Powdered sugar Procedures: Mix the two together in a 1 to 1 ratio. Then take an old sauce pan and melt it. It should turn into a fudgey looking compound Pour this into a cardboard tube and put a fuse in. Let hardened. It is easier just taking two dry ingredients and packing them in a tube or just lighting as a powder. As a powder it makes lots of smoke. Chlorite Mixtures ----------------- NOTE: The main ingredient for this experiment is potassium or sodium chlorite. Both of these are equally as good. However, both may prove difficult to find. Probably the only way to get it would be to order it through a chemical warehouse. Materials: Potassium or Sodium Chlorite Powdered Charcoal Powdered aluminum Sulfur Procedures: Mix sulfur, charcoal, and aluminum in mortar. Grind well to make sure the mixture is evenly mixed. 
Add the Chlorite (**Do not grind after the chlorite is added) You can use this for many uses smoke bombs, model rocket fuel etc. Green Goddess ------------- Materials: Zinc Sulfur Procedure: Mix the zinc and sulfur in a one to one ratio. To ignite use Magnesium and a blow torch. Matches won't work. (A good source of magnesium is sparklers.) Nitrate Compound ---------------- Materials: Potassium Nitrate Aluminum Powder Sulfur Procedure: Mix 2 Tbsps of the Potassium Nitrate, 2 tbsps of Aluminum Powder and 1 1/2 tbsps of Sulfur. Put in a container put a fuse in it light and throw makes tons of smoke. Here are a few tips: a.) To make more smoke add more sulfur b.) To make it burn slower, add more Potassium Nitrate c.) To make it burn faster add more Aluminium Missile Launcher ---------------- Materials: empty can (gasoline can preferably) gasoline paper bag aluminium foil Procedures: Cut a piece out of the bag the size of your can. Roll it up cigar-style and tape the very ends to keep it in the same shape. Now, take your missile, and stick about 3/4ths of it in a pool of gasoline, and let it soak a little while. Now, on the upper limit where the Gas hit rip a small piece almost completely, bend it and twist it that's your fuse. Now put aluminum foil on the top. The amount of foil that you put on determines the range of the missile. The more the shorter... makes it easier to aim. Put the missile in the hole in the Gas can so that the fuse is lightable and light it, and stand back (it makes a bit of a noise. Car Bomb -------- Materials: Tylenol bottle (empty) Liquid Drayno Heavy wire or solder. Instructions: Fill the bottle all the way full of liquid drayno. Close the bottle wrap some wire or solder around the neck of the bottle (to make it sink fast) Slip it in a car's Gas tank and run... 
In about 5-15 minutes *BOOM* Fragmentation Grenade --------------------- Materials: Can of Vasoline Rusty nails A fuse Instructions: Remove top from can of vasoline and punch a small hole in it just big enough for the fuse to fit through. Put the rusty nails in the vasoline and put the top back on tape the top securely and put the fuse in... light throw and run. ***BOOM*** Nails, glass, and burning vasoline all over. Scooter :..::..End Of File..::..: :..::.File 10 Of 14.::..: :.AOL Instant Messenger.: :..::..By CrossFire.::..: <*> CrossFire Presents....... Introduction ------------ AOL Instant Messenger, the tool of lamers worldwide. It's pretty obvious right from the beginning that AOL don't think much security is needed. There are several bugs in the aim software that could possibly lead to compromise of the victim's AOL account. Password Hashes --------------- The Hash that AIM uses to "encrypt" passwords is absolutely awful. An AIM password has to be between 4 and 16 characters, When the AIM client signs on to the authorizer, the encoded password presented is the same length as the decoded form. After a bit of working, I discovered the hash used to encrypt the passwords looks something like this: u_char hash[16] = { 243, 179, 108, 153, 149, 63, 172, 182, 197, 250, 107, 99, 105, 108, 195, 154 }; The server then just XOR's this hash with the encrypted password and gets the plain text pass. In other Words: for (i = 0; i < 16; i ++) crypt_pw = cleartext_pw[i] ^ hash[i]; This data seems to be static, well it is for the AIM Windows Client, and I believe for the java client too. Now all you need to do is sniff this users connection to the authorizer, and you have that user's plain text password. Cookies ------- Once the user has been authorised, the server sends it a cookie, to let it sign on quickly to another service. But what happens if you can get that cookie? 
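The Password Hashes section above describes a 16-byte table XORed byte by byte over the password. The following C program is an added example, not code from the original article or from AOL: it implements that byte-wise XOR (indexing both sides with [i], which the loop quoted above omits on the left-hand side), shows that the same call decodes what it encoded, and adds a black-box check a reviewer can apply to any "password encryption": under a fixed-key XOR the XOR of two obfuscated passwords equals the XOR of the two plaintexts, and one known plaintext/obfuscated pair yields the whole table. The passwords "hunter2" and "passw0rd", and the chained toy transform used only as a contrast, are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* The 16-byte static XOR table as quoted on the page. */
static const uint8_t AIM_TABLE[16] = {
    243, 179, 108, 153, 149, 63, 172, 182,
    197, 250, 107, 99, 105, 108, 195, 154
};

/* Byte-wise XOR against the fixed table, indexed per byte on both sides.
 * XOR is its own inverse, so this one function both encodes and decodes.
 * Passwords are at most 16 bytes, matching the table length. */
size_t xor_table(const uint8_t *in, size_t len, uint8_t *out)
{
    if (len > sizeof AIM_TABLE) len = sizeof AIM_TABLE;
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ AIM_TABLE[i];
    return len;
}

/* Black-box check: under a fixed-key XOR, c1[i] ^ c2[i] == p1[i] ^ p2[i] at
 * every position. A real cipher or a salted hash does not behave this way.
 * Returns 1 if the relation holds everywhere, else 0. */
int looks_like_fixed_key_xor(const uint8_t *p1, const uint8_t *c1,
                             const uint8_t *p2, const uint8_t *c2, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if ((uint8_t)(p1[i] ^ p2[i]) != (uint8_t)(c1[i] ^ c2[i]))
            return 0;
    return 1;
}

/* Why the table is not a secret: one known plaintext/obfuscated pair gives
 * table[i] = p[i] ^ c[i]. Returns 1 if the recovered bytes match the table. */
int table_recoverable_from_one_pair(const char *known_password)
{
    uint8_t c[16], k[16];
    size_t n = xor_table((const uint8_t *)known_password, strlen(known_password), c);
    for (size_t i = 0; i < n; i++)
        k[i] = (uint8_t)known_password[i] ^ c[i];
    return memcmp(k, AIM_TABLE, n) == 0;
}

/* Round trip: encode then decode must return the original bytes. */
int round_trip_ok(const char *password)
{
    uint8_t c[16], p[16];
    size_t n = xor_table((const uint8_t *)password, strlen(password), c);
    xor_table(c, n, p);
    return n == strlen(password) && memcmp(p, password, n) == 0;
}

/* First obfuscated byte for a given first plaintext byte; 'p' gives 0x83. */
uint8_t first_byte(uint8_t plain0) { return plain0 ^ AIM_TABLE[0]; }

/* Constructed contrast, NOT a recommended scheme: chaining each output byte
 * into the next breaks the per-position relation, so the check returns 0. */
static void chained_xor(const uint8_t *in, size_t len, uint8_t *out)
{
    uint8_t prev = 0;
    for (size_t i = 0; i < len && i < sizeof AIM_TABLE; i++) {
        out[i] = in[i] ^ AIM_TABLE[i] ^ prev;
        prev = out[i];
    }
}

/* Run the check over two constructed sample passwords. Returns 1 for the
 * fixed table (flagged) and 0 for the chained toy. */
int detector_result(int use_chained)
{
    const char *a = "hunter2", *b = "passw0rd";   /* constructed samples */
    uint8_t ca[16], cb[16];
    size_t n = strlen(a);                          /* compare over the shorter one */
    if (use_chained) {
        chained_xor((const uint8_t *)a, n, ca);
        chained_xor((const uint8_t *)b, strlen(b), cb);
    } else {
        xor_table((const uint8_t *)a, n, ca);
        xor_table((const uint8_t *)b, strlen(b), cb);
    }
    return looks_like_fixed_key_xor((const uint8_t *)a, ca, (const uint8_t *)b, cb, n);
}

int main(void)
{
    printf("round trip ok: %d\n", round_trip_ok("hunter2"));
    printf("fixed-table XOR flagged: %d (chained toy: %d)\n",
           detector_result(0), detector_result(1));
    printf("table recovered from one known pair: %d\n",
           table_recoverable_from_one_pair("hunter2"));
    return 0;
}
```

The takeaway for anyone reviewing a login protocol is the second function: if two encoded passwords differ exactly where their plaintexts differ, the "encryption" is a fixed pad and confers no confidentiality on the wire; a scheme where the client proves knowledge of the password (a server-issued challenge hashed together with the password) does not expose this relation.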
You can steal a user's cookie, flood the user or reset their connection so that they can't reach the destination server, and log in with their cookie yourself. I have only tried this with the BOS server; it will probably work just as well with the ad servers, chat & chatnav servers, and the directory servers. I assume they all run basically the same server software, with software modules that plug in to provide the various services. The server also does traffic filtering: if a host has not received a cookie, it will not let you access any service. The traffic filter, however, seems to have nothing to do with the cookie; if you have a legitimate reason to access the server, it will let you.

FLAP
----

FLAP is the low level protocol used by AIM. It uses TCP, and maybe UDP, but I haven't seen this yet. The FLAP header looks like this:

    #include <sys/types.h>   /* u_char and u_short */

    struct FLAP {
        u_char  id;        /* a literal '*' */
        u_char  channel;   /* communications channel */
        u_short sequence;  /* sequence number */
        u_short length;    /* length of the data portion of the datagram */
    };

The field "id" is an asterisk character, probably used to quickly identify the protocol being used. The field "channel" is a numeric value that allows you to multiplex FLAP; just think of it like a TCP port number. The field "sequence" is just that, a sequence number: all FLAP datagrams must arrive in sequence, as there are no resend or handshake functions. The field "length" is the length of the data portion of the datagram, i.e. the datagram not including its 6 byte header.

From what I've found, the 4 channels used in FLAP are:

1 - Signon, used to sign onto a server.
2 - SNAC Data, used to send data back and forth between the client and server.
3 - Error, FLAP-related errors.
4 - Signoff, used to sign off a server.

DoS Attacks
-----------

On the more 31337 h4x0R side, AIM is vulnerable to a DoS attack using HTML. The problem is: AOL's instant messages use HTML.
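The FLAP section above gives the 6-byte header and says every datagram must arrive in sequence with no resend. The C program below is an added example, not code from the original article or from AOL: it parses a FLAP frame from raw bytes, validating the '*' marker, the channel range 1 to 4 and, before touching any payload, that the declared length does not exceed what actually arrived, and it tracks the sequence number so a gap is detected rather than silently skipped. The 16-bit fields are read as big-endian (network order, assumed here), byte by byte rather than by casting the buffer to the struct, so host endianness and struct padding cannot corrupt the result. The four sample frames are constructed for the example, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define FLAP_HDR_LEN 6
#define FLAP_ID '*'

/* The four channels listed on the page. */
enum { FLAP_SIGNON = 1, FLAP_SNAC = 2, FLAP_ERROR = 3, FLAP_SIGNOFF = 4 };

struct flap_hdr {
    uint8_t  id;
    uint8_t  channel;
    uint16_t sequence;
    uint16_t length;
};

enum flap_status { FLAP_OK = 0, FLAP_SHORT_HDR, FLAP_BAD_ID, FLAP_BAD_CHANNEL, FLAP_TRUNCATED };

/* Big-endian 16-bit read (network byte order assumed for the wire format). */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse one frame from buf[0..avail). On FLAP_OK, hdr is filled and *payload
 * points at the first data byte; hdr->length bytes are guaranteed present. */
enum flap_status flap_parse(const uint8_t *buf, size_t avail,
                            struct flap_hdr *hdr, const uint8_t **payload)
{
    if (avail < FLAP_HDR_LEN) return FLAP_SHORT_HDR;
    hdr->id       = buf[0];
    hdr->channel  = buf[1];
    hdr->sequence = be16(buf + 2);
    hdr->length   = be16(buf + 4);
    if (hdr->id != FLAP_ID) return FLAP_BAD_ID;
    if (hdr->channel < FLAP_SIGNON || hdr->channel > FLAP_SIGNOFF) return FLAP_BAD_CHANNEL;
    /* The declared length is attacker-controlled: check it against what
     * really arrived before anything reads past the header. */
    if ((size_t)hdr->length > avail - FLAP_HDR_LEN) return FLAP_TRUNCATED;
    *payload = buf + FLAP_HDR_LEN;
    return FLAP_OK;
}

/* In-order delivery check: returns 1 and advances *expected if seq is the
 * next value (wrapping at 0xFFFF, an assumption); returns 0 on a gap. */
int flap_seq_check(uint16_t *expected, uint16_t seq)
{
    if (seq != *expected) return 0;
    *expected = (uint16_t)(*expected + 1);
    return 1;
}

/* Constructed sample frames. */
static const uint8_t FRAME_OK[]    = { '*', 0x02, 0x00, 0x07, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t FRAME_TRUNC[] = { '*', 0x02, 0x00, 0x08, 0x00, 0x20, 'x' }; /* claims 32 bytes, carries 1 */
static const uint8_t FRAME_BADID[] = { '#', 0x02, 0x00, 0x09, 0x00, 0x00 };
static const uint8_t FRAME_BADCH[] = { '*', 0x09, 0x00, 0x0a, 0x00, 0x00 };

/* Status code for a frame, as an int for easy checking. */
int parse_status(const uint8_t *frame, size_t n)
{
    struct flap_hdr h; const uint8_t *pl;
    return (int)flap_parse(frame, n, &h, &pl);
}

/* Full decode of FRAME_OK: returns 1 if channel, sequence, length and
 * payload all come out as expected (SNAC channel, seq 7, 5 bytes "hello"). */
int parse_ok_frame(void)
{
    struct flap_hdr h; const uint8_t *pl;
    if (flap_parse(FRAME_OK, sizeof FRAME_OK, &h, &pl) != FLAP_OK) return 0;
    return h.channel == FLAP_SNAC && h.sequence == 7 && h.length == 5 &&
           memcmp(pl, "hello", 5) == 0;
}

/* Sequence demo over constructed numbers 7, 8, 10 (frame 9 lost):
 * returns how many were accepted, which is 2. */
int seq_demo(void)
{
    uint16_t expected = 7;
    const uint16_t seen[] = { 7, 8, 10 };
    int accepted = 0;
    for (size_t i = 0; i < 3; i++) accepted += flap_seq_check(&expected, seen[i]);
    return accepted;
}

int main(void)
{
    printf("good frame decoded: %d\n", parse_ok_frame());
    printf("truncated frame status: %d (expect %d)\n",
           parse_status(FRAME_TRUNC, sizeof FRAME_TRUNC), FLAP_TRUNCATED);
    printf("frames accepted in sequence demo: %d\n", seq_demo());
    return 0;
}
```

Reading the header field by field, and refusing a frame whose length claims more than the socket delivered, is the part that matters for a receiver: a length that is trusted blindly is the usual root of the "send an oversized message and watch the client fall over" class of bug the DoS section goes on to describe.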
This enables their customers to change font sizes, colours and backgrounds to suit their tastes. Well, here is where the bug comes into play. All you simply have to do is send someone who is using an AOL version that uses the tag an instant message of:

An AOL instant message has to be below a certain character size that can fit in one message. This goes beyond the valid size, as well as being an invalid parameter for the variable, creating a buffer overflow effect. It will cause the AOL software to freak out, and a GPF will occur. If you're able to stick more 9's in there, then please do. This HTML thing might also be used to create a JavaScript message box, but I haven't tested this yet, and frankly, I cannot be arsed.

CrossFire Signing Off.

[ASCII art: CrossFire]

CrossFire / Underground Periodical / Apocalypse Now
email: crossfire@hackers-uk.freeserve.co.uk
IRC: EFnet #phuk - nick: CrossFire
Shouts: Cyborg, HitMan, darkflame, Pr0tocol, Silicon, Call, 2drive, Connor, Joskyn, #BuffyUk, #phuk

:..::..End Of File..::..:

:..::.File 11 Of 14.::..:
:.:.Research Machines.:.:
:..::..By NeonBunny.::..:

<*> Research Machines Hacking by the Neon Bunny
+-------------------------------------------+

RM Connect is now the main networking software for UK schools and colleges; here's how to hack it...

DEFAULT/COMMON PASSWORDS
-=-=-=-=-=-=-=-=-=-=-=-=

(account / password - notes)

BIOS password / RM - Disable the HDD and laugh as the admin replaces the whole thing!
RMUser1-49 / password - Similar to student areas, exact number varies
teacher / password - Access to control panel settings
guest / NO PASSWORD
propagate / application - Used for distributing software, password can't be changed?
setup / changeme - Used when "building" systems, similar to student areas
deskman / changeme - Screw with people's desktop settings
admin2 / changeme - If this doesn't work then try a few common ones, IT teachers ain't too bright
administrator / changeme - (as above)
deskalt / password - Alternative Desktop including all drives plus Find in Start menu
desknorm / password - Normal Desktop
deskres / password - Restricted Desktop
topicalt / password - Alternative Topics
topicres / password - Restricted Topics
topicnor / password - Normal Topics
replicator1 / replicator - Dunno?

RM doesn't make use of NT's event logger but instead uses its own program, which is almost as good and can log log-ons including terminals and times, some programs used (but ours only does MS Word!) and can show printer-by-printer stats. It doesn't, however, log bad logins or show up anything out of the ordinary, since it pulls data from the NT logs instead of showing it all.

RM User Manager is where most things are set up; it's the alternative to NT's User Manager for Domains and has everyone grouped into folders such as 98intake, staff. If you ever get a look at this, note the "Homeless users" folder, which is where most admin accounts hide. User Manager doesn't allow you to see which groups users are in (well, not proper NT groups anyway) and so adding a backdoor to the Domain Admins will probably go unnoticed. There is a link to NT User Manager but it doesn't have pretty pictures so most admins hate it :-)

RM FileProtector is another RM-only app. You can tell if it's running by changing the file attributes of almost anything in the Windows directory; if it's on you get a lovely blue screen warning you something's up, but since Windoze is full of blue screens of death anyway, no one notices! There are a few files that it excludes, so play around and see if you can't find them! To disable FileProtector modify:

    HKEY_LOCAL_MACHINE/Software/ResearchMachines/NOATTRIB.VXD

and make the new value of LoadVxd '0'.
You can now rename files and save to the hard disk of the computer.

RM have QuickView installed as default, so using MS Word etc. open *.* files and right click on your favourite exe, choose QuickView and choose the top left button to run the prog.

There is a CD dump of the Windows CD (I think that's what it is) which is normally on \\server1\win95 and is used when progs want the CD; not had a chance to play with this yet!

Machines can be "built" with a "Build Disk" which formats the HDDs and reinstalls all the software, so if you see one of these lying around they may be useful. You'll need the setup password for these disks; the default can be seen above. Pulling the "bit of network string" out of the back of them and then changing the domain to log onto should result in a fully functional desktop. Most machines boot as A,C so dump a boot disk in and play with DOS.

A point that Yoda brought forward was that logging into admin areas often brings up the dodgy wallpaper, so be very careful when doing this and use Desktop Manager to sort out this prob... You'll need to have the password to the DeskMan area though.

By bringing back the shutdown command (using poledit/regedit/grpconv) you can restart without the files being overwritten if you hold Shift while choosing "restart windows". The directory c:\backups is where the back-ups of the system are kept that RM uses to overwrite at startup, but if you modify these then your changes will stay. This can be easily done by...

    cd\backup
    attrib *.* -r -s -h
    del *.da0
    cd\hds
    makebak

This makes your new changes to custom settings stick by using the built-in batch files in c:\hds.

If you find yourself in an unrestricted area you can set up shared drives for Windows; because user-level shares are set up you'll get a full list of users from the server, and these can make an interesting read. If you do share the drives be sure to put a $ after the share-name to "hide" it.
If you want to leave a picture/logo/message on the RM Connect login screen then overwrite the bitmap file in the c:\program files\rm folder, which will modify the picture of the 5 computers at the top of the login screen. The bitmap there is blank by default and when opened in Notepad says "Dummy Logo", so if you want the computers back you'll need to recreate the original file.

Having a look on the 404 page I came across another way to break into not only RM networks but any using Dr Solomon's Anti-Virus. The virus checker is "un-killable", so even logging off will not kill the program. If you log into any area then click the icon in the start bar this will bring up the program. Now log off and the program will stay active and hide behind the login screen; Alt+Tab to bring the program into focus and then choose Help -> Contents to bring up the help file. From here you can go File -> Open which brings up a common dialog box, and we all know what fun they can be. Explore your way into c:\windows and then right click explorer.exe (you'll need to look for all files, not just help files); from the right click menu choose Open, which will bring you up an unrestricted desktop. Be warned that any wallpaper changes etc. are made to the desktop that is normally displayed behind the login screen.

As far as I know you can tell if accounts exist without even logging into the machine. To do this enter a login name and password and try to login: if you see a pointer and hourglass combined cursor then the account exists; if you see an hourglass quickly followed by the error message then chances are the account doesn't even exist! You may need to try this on slower machines but that shouldn't be too much of a problem in schools :-)

The propagate area is a much talked about feature of RM Connect which was previously thought useless.
Propagator is a set of programs: the application wizard scans systems before and after software installations and then allows you to allocate the "packages" to other machines. It does have its own area though, which at first looks secure. There are two ways around it: firstly you can use the Anti-Virus trick (brought to light by CFiSH, Toxic Fox and Drew I think, see above) or you can modify the area in a cunning way. Since propagate isn't supposed to be used it doesn't have a start menu (well, nothing on the one it has anyway); instead it uses the one in c:\windows\start menu\ which can be modified from any area, and then by logging into propagate the new contents will be displayed. Dumping a new folder in the "startup" works well!

A bug in RM networks allows you to get an unrestricted shell fairly easily: if you log into your area and then change the password, then log into another machine ASAP, I'm told you get all the run of an unrestricted shell!

My chums at 404 have discovered another bug which applies to all computers including RM ones. Called the "Green Screen Bug", it involves hitting Control+Alt+Del while the machine boots to display hidden programs which can then be destroyed. For more info check out the 404 site at http://the404.hypermart.net !

I'm told that while propagating if you hit Control+Alt+Delete it will drop you into an unrestricted shell, but I have my doubts about this since I've not had the opportunity to try it, the source I got it from has a lower IQ than cheese, and Propagate runs as the Propagate user which is highly restricted. The other problem with this hole is that it only happens when your machine is being propagated, i.e. new software is being put on it, so it only applies to rich/new networks.
Another tasty morsel from the 404 dudes is that if you dump stuff in the c:\windows\spool\printers directory it will stay there even after a reboot. I guess this is where the files go that sometimes pop up after a crash informing you that you can print un-printed documents.

For additional holes read my Windows9X Security Holes doc available from http://www.infowar.co.uk/hacknet

If you know of other holes I'd love to know so I can improve this text file.

Here are accounts of how areas were gained...

I got "propagate" by disking Snadboy's Revelation (http://www.snadboy.com) and adding it to the "Run Services" Registry Key. Then, after running grpconv.exe, a Shift-Reboot ran it at the prompt which pops up with this account and the star'd password (when there's no cable attached).
BitStream

By scanning the network for open shares I discovered that one of the machines' HDDs in the offices was shared; by editing win.ini I added a keylogger and grabbed the admin password.

Just wait until you have a lesson in the computer room and all or most of the computers are being used or off and say "Oh dear, mrs/sir, I've forgotten my password and need to do some real important work, can you change it please?" The teacher (if it's a computer teacher they'll have admin access) will then see that all computers are taken or off, so your computer will be the quickest to use (no powering up) and they will then log on to change the password. Before that of course you disable the virus protection (if it is a recent version) and install BO, turn the keylogger on, close BO and log off - trust me, it still records keystrokes if you point it to your machine and turn it off. Once that's done you have a file in the C:\ with the teacher's password!!! Yipe - don't open it in that lesson, you could get caught.
NeonBunny
the_neon_bunny@hotmail.com
http://www.infowar.co.uk/hack-net

:..::..End Of File..::..:

:..::.File 12 Of 14.::..:
:.:.Anonymous Hacking.:.:
:.::.By AlphaVersion.::.:

<*> AlphaVersion's Guide To Anonymous Hacking

<*> A comprehensive guide to WinGating and hiding your identity

Howdyz! First of all let me tell you that English isn't my native language, so if you find a few spelling errors learn to live with it.

Ok, so you want to keep the FBI/Secret Service/police/mom and dad/ISP/little brother/dog off your back, something that sounds harder than it is (except for the mom and dad/little brother/dog, which, if you haven't noticed yet, won't be in this guide anyway). This file is mainly going to concentrate on WinGates and proxies and shit. I know it's basic but this is a newbie text after all.

If you plan on doing some hacking never use daddy's account; if something goes wrong his ISP will cut off his account, making him very pissed off, and he'll probably never let you near his (or your own) computer ever again. Better use a stolen account. I've read texts that suggested setting up an ISP account under a false name and paying for it in cash; these texts are kinda old but I doubt ISPs accepted cash in '93 and I'm sure they don't do it now. Dialing into your stolen account from your own phone line isn't the safest thing to do either, but sometimes you don't have a choice. Your best bet is bouncing off a few WinGates too, along with a stolen account.

First some background info on WinGates... WinGate is a program for Windows used to let several computers on a LAN (Local Area Network, but if you didn't know that, stop reading) connect to the internet with only one modem; the computer that has WinGate installed will act as a gateway. But WinGate wouldn't be that interesting for us if it didn't have some strange flaws and defaults. The most important one is that, by default, it opens port 23 (the standard telnet port) and lets others connect to it.
If you connect to a WinGate you can use it to connect to another computer; the other computer's logs will show the IP address of the WinGate, not yours. But there's another interesting one: by default WinGate doesn't log any connections it gets. Of course you don't have to go with the defaults, but it is a Windows application, and most people install it the default Windows way: Next, Finish, and just go with the defaults, leaving everything open.

WinGates aren't that hard to find; there are several programs around the internet that scan for them. But that takes up a lot of time, especially when you don't know where to look. You may know about cable modems and their high bandwidth; a lot of people want to share this bandwidth, and they're the ones that use WinGate a lot. If you find an ISP that offers cable modem accounts you can scan their IP range. You can also do it by hand, but that's not a viable option; that's like walking to the other side of the country when you have a train ticket.

A lot of people that use WinGates like to chat on IRC, and a lot of IRC servers have this thing against WinGate and g-line them (a g-line is when a certain IP address gets banned from an IRC server). /stats g will show all the IPs that are g-lined; when it says "xxx.xxx.xxx.xxx insecure WinGate rejected" you've found yourself a WinGate. Before you use it for a hack you'd better see if it works (note that when you try it out it may work, but people sometimes turn their computers off or close their connection with the internet, don't ask me why; also some ISPs give out dynamic IP addresses, which change every time someone logs into their account there). Telnet to that IP address; when you are greeted by the infamous "WinGate>" prompt you've found what you're looking for. But one isn't enough, you'll need more if you want to stay out of shit. Was there only one insecure WinGate in the list? Try some of the "Automatically banned for excessive connections". They could be WinGates too.
Keep in mind that some WinGates do log any connections, so it's best to use more than one; I always use 5 to 10 myself. But sometimes all 10 of them log, but as long as you don't do any damage they won't track you through 10 WinGates, it'll cost too much. They'll just close whatever hole you used, change all passwords and go on with life. To bounce from one WinGate to another just type the other computer's hostname or IP address (whether it's another WinGate or the target).

WinGates can also be used to remain anonymous on IRC (remember that the WinGates you found by giving the "/stats g" command won't work on the server you found them on). Connect to the WinGate's port 23 from your IRC client (/server xxx.xxx.xxx.xxx 23), then connect to your favourite IRC server by typing /raw diemen.nl.eu.undernet.org (or whatever server you want). It will want a nickname: type /raw nick followed by the nickname. Give your username and your IRC name by typing /raw user AlphaVers 0 0 :AlphaVersion (replace AlphaVers and AlphaVersion with whatever name you want to use). On some clients you may need to use /quote instead of /raw.

Have you ever noticed how e-mails send along your IP address in the header? If you telnet to a WinGate and bounce a little you can change that. From a WinGate type mail.whatever.com 25 (replace mail.whatever.com with a genuine server running the SMTP protocol of course; 25 is the standard port for the SMTP daemon). For more info on forging mail and sending it through telnet please read The Mob Boss's article, "The Wonderful and Evil World Of E-mail" at http://mobboss.dragx.cx/mail.txt

This guide is NOT meant as a guide to criminal activity, nor is it meant as a guide to fuck around on IRC. If the swearing in this file has offended you in any way: FUCK YOU! Get an AOL account and look at pretty pictures of pretty flowers in pretty landscapes. Oh yeah, this file is for educational use only.

AlphaVersion

This file is copyright (c) 1999, all rights reserved.
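From the receiving side, the point above about headers is that every mail server on the path prepends its own Received: line, so the bottom-most one names the host that submitted the message. Here is an added example (not part of AlphaVersion's file) that walks that chain on a constructed message and checks that each hop hands over to the next; a break in that hand-over is what gives away an inserted or forged header. The hostnames and addresses are made up.

```python
"""Walk the Received: chain of an e-mail and check that the hops line up."""
import email
import re

# Constructed sample message (not taken from the zine): a dial-up client
# submitted the mail to mail.example.net, which relayed it to the recipient's
# server mx.example.org. Each server prepends its own Received: header, so the
# LAST Received: line in the headers is the FIRST hop.
SAMPLE_MESSAGE = """\
Received: from mail.example.net (mail.example.net [198.51.100.7])
    by mx.example.org with ESMTP id abc123
    for <someone@example.org>; Thu, 1 Jul 1999 10:00:03 +0000
Received: from dialup-42.example.net (dialup-42.example.net [203.0.113.42])
    by mail.example.net with SMTP id xyz789;
    Thu, 1 Jul 1999 09:59:58 +0000
From: sender@example.net
To: someone@example.org
Subject: hello

just saying hi
"""

# "from <host> (<comment>) by <host>": the comment usually holds the address
# the receiving server actually saw the connection come from.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message):
    """Return the hops in delivery order (origin first) as (from, ip, by)."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Headers are listed newest-first, so reverse to get the origin first.
    for header in reversed(msg.get_all("Received", [])):
        flat = " ".join(header.split())  # collapse folded continuation lines
        match = RECEIVED_RE.search(flat)
        if not match:
            continue  # unparseable line: skip rather than guess
        ip_match = IP_RE.search(match.group("comment") or "")
        hops.append((match.group("from"),
                     ip_match.group(1) if ip_match else None,
                     match.group("by")))
    return hops


def originating_ip(raw_message):
    """Address recorded by the first server that accepted the message."""
    hops = received_hops(raw_message)
    return hops[0][1] if hops else None


def chain_is_consistent(hops):
    """True when each hop's receiving server is the next hop's sender."""
    return all(hops[i][2] == hops[i + 1][0] for i in range(len(hops) - 1))


if __name__ == "__main__":
    chain = received_hops(SAMPLE_MESSAGE)
    for sender, ip, receiver in chain:
        print(f"{sender} [{ip}] -> {receiver}")
    print("origin:", originating_ip(SAMPLE_MESSAGE))
    print("chain consistent:", chain_is_consistent(chain))
```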
This file can be freely distributed as long as it stays intact; no changes are to be made by anybody other than me (AlphaVersion).

:..::..End Of File..::..:

:..::.File 13 Of 14.::..:
:.::.You've Got Mail.::.:
:.::.:..By Readers.:.::.:

[ASCII art logo: "You've Got Mail"]

<*> Hi all. We presume if you are reading this section you simply have nothing better to do (well, naturally). If you are uneducated in the inner workings of Underground Periodical maybe you'll need a short explanation... this is that special time when we sift through the letters that find their way to our email account. The letters page is very short this month (shame on you). We want to hear from you no matter what it is you want to talk about. If you just want to drop by a mail to say hello we will gladly appreciate it. The ASCII logo for this issue was designed by Force, much thanks go to him.

:.:.::.::.Spam?.::.::.:.:

From: securitysearch@securitysearch.net
To:
Subject: Your Web Site.

Hello,

Security Search is implementing web site voting. This will allow visitors to cast their vote for the "Top 50" security web sites. All you need to do is place the following html code into your web pages. When a user clicks on the graphic they will register a vote for your site.

The Security Search Engine

You must replace ABC123 with your ID number. You were sent this ID number in an e-mail message when your site was submitted to Security Search. It's the same ID number as the one you enter to change your web site entry. If you do not remember your ID number then please contact us and we will e-mail it to you. You can obtain a list of the Top 50 sites by clicking on "Top 50" from any menu.
If you have any questions please don't hesitate to contact us.

Security Search Content Team
http://www.securitysearch.net/

<*> <*> <*> <*> <*> <*>

Well, well, well, thanks for sending us your 'letter'. Do we detect an unsolicited email? Come on people, we want real letters, from readers, not spam from the infamous Top 50, which is crap and notorious for listing sites which deal in pirated software. If anybody wants to leech the code and become a 'famous' security site, feel free.

:.:.:..Subscribe Me.:.:.:

From: Shoot 2 Kill
To: vectra500@geocities.com
Subject: Underground Periodical

Hi,

When is there going to be another edition of Underground Periodical? Please subscribe me, so I can receive it.

Cheers,
Shoot2Kill.
----------------------------------
Shoot2Kill@iname.com
+44 (0)705 XXX XXXX
----------------------------------

<*> <*> <*> <*> <*> <*>

Sure thing, you've been added to the subscription list. Remember all, a blank message sent to upzine-subscribe@egroups.com does the trick quite nicely indeed. By the way, we blanked out this guy's phone number as he probably doesn't need prank calls from random people.

:.:.:.Access Denied.:.:.:

From: "Richard"
To:
Subject: Problems accessing site

Hi,

I was trying to download the back issues from your site, but I kept getting a 403 Forbidden Access error message. Any chance of you emailing them to me?

TIA
Richard

<*> <*> <*> <*> <*> <*>

We replied to Richard with the complete list of places to download back issues and discovered he had fallen victim to the old upzine.8m.com web site. If anyone has any problems accessing the four current distribution sites or the files hosted on them, please e-mail us as soon as possible.

:...G'luck With Upzine..:

From: GPF#2
To: Cyborg _
Subject: Up4

Hey, hey, HEYYY!!! okay well I haven't mailed ya in fucken YEEERS but, hey, I'm a lazy bollox, what can I do about it!! :) well, cybie boy, i must give you credit.
From reading your upzine, I wasn't too sure that you were making a right decision, and I even doubted your ability to produce a completely technically correct article. But the articles have been getting better, and I can see that you really do research some of the stuff you've written. Your upzine certainly seems to be on the up & up, and I've even been considering helping out a bit with it, maybe an issue or 2 down the road :)

Ok well I'm working now for the summer, upgrading a personnel package from 16 bit to 32. Tis pretty hard work, and that's what I like about it. I could give you funny stories about the business, but they're stories for another day :) anyway, I gotta send this mail now, seeya, and g'luck with the upzine

[ASCII art signature: General Protection Fault]
http://members.xoom.com/GPF2
GPF2 @ pmail . net
Digital Artist

<*> <*> <*> <*> <*> <*>

Yes, I think that mail sums up the philosophy carried by Up staff. Our original motto "We're on the Up and Up" was not chosen by total coincidence; when we compiled our first two issues we knew that we were capable of so much more. This was complicated by real life stuff. In fact getting out this issue was a big struggle; notice how people all over the world, particularly in America and the United Kingdom, have been doing exams recently? Any help GPF#2 has to offer would be gladly appreciated. In fact, any help anybody has to offer, whether they already know staff members or not, is so very welcome.

:.:.:.You Guys Rock.:.:.:

From: "Kobe Bryant"
Subject: up zine
To:

i'm just writing to say how much i like up mag! i read the review in anti-social mag and thought it was really unfair, i much prefer UP zine to a-s mag, i find it has more relevant articles, i personally don't enjoy reading about politics and ufo shit. anyway, you r0ck keep it up, .. phonique

<*> <*> <*> <*> <*> <*>

We aim to please.
It is comforting to know you prefer our particular content as opposed to various competitors. We don't seem to receive many submissions of articles focusing on political views or UFO sightings, but we do consider every single thing sent to us no matter how strange, sick, evil etc.

:.:..Misplaced Info...:.:

From: Marc Luna
Subject:
To: cyborg@disinfo.net

I have misplaced the email address for the upzine newsletter. If you could please email me with info I would appreciate it greatly.

Thank You and good day

<*> <*> <*> <*> <*> <*>

We passed on the information to Mr. Luna as requested. However, despite having the upzine email address he never sent another email!

:..::..End Of File..::..:

:..::.File 14 Of 14.::..:
:..Disclaimer & The End.:
:.::.:.By Up Staff.:.::.:

[ASCII art logo: "The End"]

<*> Use this information at your own risk. Neither the staff or contributors to Underground Periodical, nor the persons providing or hosting Underground Periodical, will assume ANY responsibility for the use, misuse, or abuse of any information provided herein. The previous information is provided for educational purposes ONLY. This information is NOT to be used for any illegal purposes whatsoever.

<*> By reading Underground Periodical you ARE AGREEING to the following terms: I understand that using this information is illegal. I agree to, and understand, that I am responsible for my own actions. If I get into trouble using this information for the wrong reasons, I promise not to place the blame on Underground Periodical staff, contributors, or anyone that provided this issue or any other issue of Underground Periodical, whether it was official or without notification. I understand that this information is for educational purposes only.

Thanks for reading.

:..::..End Of File..::..: