

               < The Israeli Underground Information eXchage >

                   ,
Ú     ,g,___.,,Úg?Pü~                                                 g¿,,,.
  g.,gd$Pü''~``'4${              ,, ,,._            __..,,       _.,._}$$$$%'
   'ü4$$b,        '   gÚÚ,..     :} :}"üP#g,.    ,yPü~"ü4Py.   ,gP'~"üü"~`
      '$$$b.          ~ü4$$4     }$ }$    `$$b: d$}       }$b,%%}
       :$$$%            ~$$i   _.,, iiÚÚ,, `4$%%%?W,      ;$$} $$;        ,
      .}$$$P     g¿,,,. .}$$b#Pü"}: Ã$~"ü4  `$$b.`4?g,,.,g?Pü` ;?W,.,,Úg?Pü~
     ,dPü"'  .,._}$$$$%':d$$'    $}g4:       `$$$b. `~}}~``     `4?~``'4${
    ''  ,gP'``~"üü"~`  ,$$P'     iiü'        .'Pü~'                   ,d$P'
        ''            .d$$'      $}       ,g,    --IL                d$$P'
       ''            '~ü4`       :4g,     `ü'               .,,,    {$$$
       ..          /              `ü'                       '?${_.,, `üPb,
                jizm#@                                        'ü"~``'4g, ``
                                                                      ''
                                                                       ''
                     Chaos IL - Issue #4, 26/Jul/1998                 ..
                                                                      ,,

  Oi!     ~If freedom is outlawed, only outlaws will have freedom~     Oi!


                        Chaos IL Issue Four Index:
                        ~~~~~~~~~~~~~~~~~~~ ~~~~~~

 01. Introduction to Issue #4 (NEWS)                      by morgoth         
 02. Gaining supervisor on school Novell NetWare          by Insaine                                                     
 03. Cheating Israeli ISPs for Dummies PART I             by Volatile                                           
 04. Israeli Blue boxing in the '90s                      by morgoth                                                         
 05. Extra Extender INFO                                  by Radon                                                                    
 06. Resetting Fastcomm router                            by skade                                       
 07. Bezeq's DMX system - Information and usage           by morgoth                                                                                                                         
 08. Information about BezeqNet (135) for PBXers          by Mota Boy                                                                                                    
 09. Resources & Credits                                  *


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
           

                                  ***


01. General NEWS & Introduction to Issue #4


                                                                               
          ######  ##   ##  ######  #######  ########      ####  ##        
         ##      ##   ##  ##  ##  ##   ##  ##             ##   ##
        ##      #######  ######  ##   ##  ########       ##   ##
       ##      ##   ##  ##  ##  ##   ##        ##       ##   ##
      ######  ##   ##  ##  ##  #######  ########      ####  ########
                                                                               

                              !  Issue #4  !


                      (c) Chaos-IL Foundation 1998
                                                                               


We are still alive (!).  Due to internal group re-arrangement situation and 
major technical problems, we became inactive and were away for a while.
The main problem has began when we couldn't supply anough information to
compile a new issue.  However, currently, we are truely fixed and here is
another fresh issue of Chaos IL with updates and new information as always.
We are looking for more information suppliers (read below).  I would like to
greet the whole Chaos-IL team for being Chaos IL, major greets to the #972
eleet hax0rs :], who were involved in making Chaos-IL possible.


We are open for applications.

               If you have any interesting information for us, and you are
 * ARTICLES *  willing to write an article about it or just to share the
               information with us and let us handle it, contact the staff.
               



                                      :
                                      9
                          :          n$X           :
                          ?L         $$B          :X
                           $B<:     U$$$X        :X!
                           7$$N$   <R$$$@      :W$E
                            T$$$i:  @$$$&    :u$$$$
    C H A O S                M$$$$: @$$$R  :t$$$$*              C H A O S
                    ^%$_      7"$$$:7$$$R:!@$$$*!    _$%^
       I L            ~$$$N$*%_\9$$$/R$$!$$$*:/_%$$$$*~            I L
                         *$$$$$*WX!$N~$FtW#Xd$$$$$*
                          _   ^^^%$$$%%%%$$$%^^^   _
                           ^^%%##%%#$$$%%%$%%$$$%^^
                                ~~~~^:$$:^~~~~
                                      X#
                                      ||




plus, I would like to say a big FUCKYOU! to Bezeq, that are charging me for
local calls, while it cost them NOTHING.
            

                                                       --morgoth
                                                 


Contact info updates:



DOMAIN- Our new domain is currently under heavy constructions.

            http://www.chaos-il.org/


IRC CHANNEL- Our IRC channel is now public on the EFnet  -  #chaos-il

 

_____________________________________________________________________________


                            [ THE MEMBERSHIP ]


Chaos-IL primary members:
(IN *NO* FUCKING ORDER)

morgoth                  morgoth@chaos-il.org        
squish                   squish@chaos-il.org
Dissection               dsn@chaos-il.org
Easy                     easy@chaos-il.org
The Trick                trick@mindless.com
Mota Boy                 mota_boy@the-hood.com
skade                    skade@encrypted.org
Terminal Man             terman@hotmail.com
malder                   malder@chaos-il.org
Volatile                 volatile@unique98.org
Blue Grass               ???
Jekyll                   jekyll@chaos-il.org
The Errormaker           emaker@chaos-il.org
Fourth Horseman          4thm@chaos-il.org

               


                             [ DISTRIBUTION ]
    

*Chaos IL Issues will be regulary available once released in the following
 distribution boards and sites:


ANARCHY WORKSHOP        +972-3-XXXXXXX     2 Nodes     HQ
LIQUID UNDERGROUND      +972-3-XXXXXXX     1 Node      DIST
KAOS ON COMPTON         +972-8-XXXXXXX     4 Nodes     DIST
THE ORPHANED LAND       +972-8-XXXXXXX     1 Node      DIST



*Anon sites*

ftp.fc.net             /pub/phrack/underground/chaos-il/
ftp.auscert.org.au     /pub/emags/chaos_il/


You can also:

-Join our IRC channel at the EFNet: #chaos-il



                                  ***
 

02. Gaining supervisor on school Novell NetWare


           \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
           /                                                \
           \  Gaining supervisor on school Novell NetWare   /
           /                                                \
           \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

                 (c) Chaos-IL Foundation & Insaine 1998


-=[The "Secret" method to gain supervisor access on Novell NetWare
    that used to teach in CNE classes]=-

         -[x]- This Document has been written by Insaine -[x]-


Well, If you are on a Novell NetWare and you want to hack it and gain a
supervisor access, There is a "secret" way to do it.
What you need is a DOS-Based sector editor to edit the entry in the FAT.
And reset the bindery to default upon server reboot. This gives you Supervisor
and Guest with no passwords. The method was taught in case you Lost Supervisor
on a NetWare 2.15 server and you had no supe equivalent accounts Created.
It also saves the server from a wipe and reboot in case the Supervisor account
is corrupt, deleted, or trashed.

While you get a variety of answers from Novell about this technique, from it 
Doesn't work to it is technically impossible, truth be it can be  done.
Here are the steps, as quoted from comp.os.netware.security, with my comments
in [Brackets]:

[Start of quote]
A NetWare Server is supposed to be a very safe place to keep your files. Only
People with the right password will have access to the data stored there. The
Supervisor (or Admin) user's password is usually the most well kept secret in
the organization / company, since anyone that has that code could simply log
to the server and do anything he/she wants.

But what happens if this password is lost and there's no user that is 
Security-equivalent to the supervisor? What happens if the password system
is somehow damaged and no one can log to the network? According to the manual
(Novell Administrating Book), there's simply no way out. You would have to
reinstall the server and try to find your most recent Backup. 

Fortunately, there is a very interesting way to gain complete access to a
NetWare server without knowing the Supervisor's (or Admin.'s) password. You
may imagine that you would have to learn complex decryption techniques or even
type in a long C program, but that's not the case. The trick is so simple and
generic that it will work the same way for NetWare 2.x, 3.x and 4.x.
The idea is to fool NetWare to think that you have just installed the server
and that no security system has been established yet. Just after a NetWare 2.x
or 3.x server is installed, the Supervisor's password is null and you can log
in with no restriction. NetWare 4.x works slightly differently, but it also
allows anyone to log in after the initial installation, since the installer
is asked to enter a password for the Admin user.

But how can you make the server think it has just been installed without
actually reinstalling the server and losing all data on the disk? Simple.
You just delete the files that contain the security system. In NetWare 2.x,
all security information is stored in two files (NET$BIND.SYS and NET$BVAL.SYS).
NetWare 3.x stores that information in three files (NET$OBJ.SYS, NET$VAL.SYS
and NET$PROP.SYS). The all-new NetWare 4.x system stores all login names and
passwords in five different files (PARTITIO.NDS, BLOCK.NDS, ENTRY.NDS, VALUE.NDS
And UNINSTAL.NDS [This last file may not be there, don't worry]).

One last question remains. How can we delete these files if we don't have
access to the network, anyway? The answer is, again, simple. Although the people
from Novell did a very good job encrypting passwords, they let all directory
information easy to find and change if you can access the server's disk directly,
using common utilities like Norton's Disk Edit. Using this utility as an example,
I'll give a step-by-step procedure to make these files vanish. All you need is
a Bootable DOS disk, Norton Utilities' Emergency Disk containing the DiskEdit
program and some time near the server.

1. Boot the server and go to the DOS prompt. To do this, just let the network
boot normally and then use the DOWN and EXIT commands. This procedure does not
work on old NetWare 2.x servers and in some installations where DOS has been
removed from memory. In those cases, you'll have to use a DOS bootable disk.

2. Run Norton's DiskEdit utility from drive A:

3. Select "Tools" in the main menu and then select "Configuration". At the
configuration window, uncheck the "Read-Only" checkbox. And be very careful
with everything you type after this point.

4. Select "Object" and then "Drive". At the window, select the C: drive and
make sure you check the button "physical drive". After that, you'll be looking
at your physical disk and you be able to see (and change) everything on it.

5. Select "Tools" and then "Find". Here, you'll enter the name of the file you
are trying to find. Use "NET$BIND" for NetWare 2.x,"NET$PROP.SYS" for NetWare
3 and "PARTITIO.NDS" for NetWare 4. It is possible that you find these strings
in a place that is not the NetWare directory. If the file names are not all near
each other and proportionally separated by some unreadable codes (at least 32
bytes Between them), then you it's not the place we are looking for. In that
case, you'll have to keep searching by selecting "Tools" and then "Find again".
[In NetWare 3.x, you can change all occurrence of the bindery files and it
should still work okay, I've done it before. ]

6. You found the directory and you are ready to change it. Instead of deleting
the files, you'll be renaming them. This will avoid problems with the directory
structure (like lost FAT chains). Just type "OLD" over the existing "SYS" or
"NDS" extension. Be extremely careful and don't change anything else.

7. Select "Tools" and then "Find again". Since NetWare store the directory
information in two different places, you have to find the other copy and change
it the same way. This will again prevent directory structure problems.

8. Exit Norton Disk Edit and boot the server again. If you're running NetWare
2 or 3, your server would be already accessible. Just go to any station and
log in as user Supervisor. No password will be asked. If you're running NetWare
4, there is one last step.

9. Load NetWare 4 install utility (just type LOAD INSTALL at the console prompt)
and select the options to install the Directory Services. You be prompted for
the Admin password while doing this. After that, you may go to any station and
log in as user Admin, using the password that you have selected.

What I did with Norton's Disk Edit could be done with any disk editing utility
with a "Search" feature. This trick has helped me save many network supervisors
who lost their passwords. I would just like to remind you that no one should
break into a NetWare server unless authorized to do it by the company that owns
the server. But you probably know that already.
[End of quote]

I actually had this typed up but kept changing it, so I stole this quote from
the newsgroup to save me retyping ;-)

Now the quickly for 3.x users. Use LASTHOPE.NLM, which renames the bindery
and downs the server. Reboot and you have Supe and Guest, no password.

That's all folks, Now remember, You have to work on the server, it means you
must have access to it (or u can break in).

Cya in the next issue

-[o]- Insaine ( mail me: insaine@cyberdude.com) -[o]-



03. Cheating Israeli ISPs for Dummies PART I


             ---------------------------------------------

             "Cheating ISP'S in israel For Dummies Part I"

             ---------------------------------------------

                     (c) Chaos-IL Foundation 1998

                                 ***

well here i will show you some basic idea on how to cheat the ISP'S in
israel...
its not too hard, and dangrous as buying a new pair of shoes if you know
what your doing....


first i will start with the mega-giant called Netvision....

Mega Giant In My a** this company security level is low when it come to
service support...
the first thing you need to do is to simply telnet the finger port (write
"telnet netvision.net.il 79") and write a common user name (e.g moshe) now
after you got some detiles about user "moshe" like the name he is
registered on netvision (e.g Moshe Levi) from there all you need to do is
call netvision support, and claim you have lost the paper with the
password (sounding completly dumb will help you sound reliable and thats
the key word) and in 65% to 70% they will give you the password just like
that, if you tried it once and it didn't worked, don't give up, try it
again and again and i promise like the precents show, you will get user
"moshe" password!
now the main problem in this issue is to sound reliable, becouse thats what
make the diffrence, if you don't know how to sound reliable and mature
(also help) find another business becouse cheating is all about acting a
charcter :) now after vola's course on how to hack stupid netvision... i
will give you some detiles about the server as a bonus....
heres what i know....

Main Server : dns.netvision.net.il
Working On : Digital Unix
Finger : works, but with one slight problem, you can only finger one
         user, every couple hours...

thats all i know about netvision, its not that hard as you may think...
the best way is to hit a new support man/women becouse those usely dosn't
know all the rules and they are preety naive and sometimes lack of
intrest in the work (lazy enough to let you get away with it).
no one will try to trace you if you will be smart...

ok now i will break from the top of the cream (supposly, between us they
are fast as my digasting system =]), to the most bad suppLIER in israel
called Aquanet (Aquanut even) those guys give bad costumer support as
they give bad internet connection, anyway to cheat them is the easy thing
in the book.


Someone you hate have an aquanet account.
-----------------------------------------
well you hate someone who use an aquanet account?
you know his/her name and/or user name?
well if you do you can close her/his account in one minute, all you have
to do if you have the user name is to say you want to close your account,
give the user name and the account is closed (aquanet account cost 120nis
to open =]).
if you don't have the user name and you happend to fall on a somewhat
smart support man (rarley happens in aquanet IF it happens =]), all you need
to do is sound like an upset dad and say something like "my son as become
an addicted to the internet and i want to close our account" then they
will ask you for the username, just say "user name?" now give the name of
the person the account is reg'd on "my name is..." acting dumb allways
works here, now if you get lucky the support man/women will just do it
without checking, but the key word is to sound like someone serious and
trusted, be kind, but not too kind, talk calm becouse pepole notice when
you talk like a nervious rack, that work most of the times...


Getting a password
-------------------
Meny (Aquanet Manager) is a maniak (to his luck he closed the finger port) 
anyway that make it harder, but again choose a common user name "moshe"
and tell the support man/women that you forgot your password and ask him
kindly (sounding honest is the key) for the password, now thats harder
then in netvision becouse you have hard time getting  the name of the
owner of the account and thats a minus, but trust me cheating them is much
easier then cheating netvision if you know what your doing...

the most common way to get access and even it sounds suspicious is to ask
them to change the password (in that point they will tell you, you can do it
from thier site) just tell them your using internet for irc and you don't
even have a browser, not to speak of knowing how to use one...
that works sometimes and you can even get more info about it later on...
by emailing them with questions about your account (id number and sevral
other detiles) be carfull in this part becouse later on they can trace you
if they get suspicious...
using an hacked aquanet account is strangely more dangrouse then using a
Netvision account, becouse aquanet is a small company and they have time
to trace you down, a friend of mine used an hacked account and
someone supposly owned the account called him and told him he was using
his account, and he need to pay for it... (he didn't by the way)
well the thing is that they log the phone number with the hours, so users can
check about hours and calls, its stupid but dangrouse so dial *43 before
using aquanet hacked account, becouse their support group is full of big
mouth's who dosn't afraid to give any information (good for us and bad for
us) about the account activity (yes i think also where the call was made
from), so ask bezeq to disable the *42 perm so they can't trace you...


Getting a Username Of Someone You Hate On Irc, who use aquanet
--------------------------------------------------------------
well if someone piss you on irc, and you know he use an aquanet account but
you don't know nothing else but his irc nick, well no worries, its even more
easy then to know the user full name...
all you need to do, when he's online on irc or whatever (icq, etc) is to get
his ip address (newbie note : to get an ip address of someone in irc all you
need to do is "/dns nickname" then after you got the ip and wrote it down
just go to the aquanet page (www.aquanet.co.il) and click on "services" then,
click on "who's online" and search for the ip address, walla, you got the user
name, from there you can close his account (as written above) or scare the
hack out of him, showing off your hax0ring skills =), or get his password and
give it to your friends and another nice option is to change his password
via the site, just goto www.aquanet.co.il and click on "support" then click on
"change password" and change it).


Do You Want a Phone Number ?
----------------------------
Someone you know is real lame and use aquanet(proves he's even more lame then
you thought =)) and you want to get his phone number and give it to your
friends... n/p its easy as crashing winblows 95, all you need to do is to get
his user name (as described above) and then to go to the aquanet site, and
click on "services" then click on "time counter" and enter his user name
and walla, there's the phone number in there (a usefull tip : when using
aquanet, do *43 before the number, becouse obvisiouly aquanet is too stupid
to figure that this thing is invading your privicey and that us hackers can
be spotted up, by any dumbshit who know how to browse the aquanet site)

Thank you...

Information About The Server : the last time i used them, the stupid
mother fuckers used WINBLOWS NT yes you heared right, they used windows
nt, they probebly still use it in some area codes... (07 area-code use
linux or digital unix), the main server is : main.aquanet.co.il (useless i
guess becouse they closed 98% of the ports).

See You In "Cheating ISP'S for dummies Part II"
so go cheat some ISP'S, GO!

thank you, squish for the info about the time counter...

Volatile.



04. Israeli Blue boxing in the '90s



              [][][][][][][][][][][][][][][][][][][][][][][][]
     C        []                                            []       C
     H        []      Israeli Blue boxing in the '90s       []       H
     A        []                                            []       A
     O        []                by morgoth                  []       O
     S        []                                            []       S
              []       (c) Chaos-IL Foundation 1998!        []
     I        []                                            []       I
     L        [][][][][][][][][][][][][][][][][][][][][][][][]       L



-= Introduction =-

This is an updated guide for Israeli Blue boxing in the '90s.  please note,
that information in this article wont guide you through GETTING seize tones
for blue boxing, or the like.  This is only pure information that will guide
you through the oldschool and newschool Israeli blue boxing.  Before you're
going to read this, let me just give you a strong advice:  DONT fuck around
with it that much, the oldschool Blue boxing is dieding slowly, and there
are some major traces being made from global operator trunk lines.

(MY SELF EXPERIANCE).




* this article includes the following sections:

     -- Introduction
     -- Signalling 
     -- Trunk Lines (eH?) 
     -- The Operation 
     -- Getting around with C5 
     -- Some words about the Seize tone
     -- Once it's breaked
     -- What's the "ST" stands for?
     -- Placing a call (in general)
     -- List of Bezeq's Home Country Directs
     -- Some notes about Security and Tracing  I
     -- Bezeq's FREQUENCY TONE DETECTOR (FTD)
     -- Tracing & some Security tips II




-= Signalling =-

Signalling is the term used to describe how telecommunication
networks communicate with each other. There are MANY types of signalling
and some of them are unknown. These are examples of signalling systems that
are most known:


CCITT (Committee Consultative International Telegraph and Telephone)
DTMF (Dual Tone Multi-Frequancy) <Bezeq>
R1
R2
PULSE (Pulse dialset)
ANALOG (Analog dialset)


Telephone networks communicate via special "lines", connecting each other
up, called Trunks. Information about a call, and in some cases the
conversation, is passed through a trunk line to the called network. The
called end gathers the signalling information, manipulates some hardware, 
and  voila- a call is made. If the called line is busy etc.. then the
called end signals back to the called system, and the caller get a busy
signal. 

Thats way over simplified, (and somewhat incorrect) but I'll explain more as
I go. Until then, here is an analogy. :)


-= Trunk Lines (eH?) =-

A trunk line is a circut that connects two (2) networks together.  You
may already be familiar with the trunk lines running between CO's. 
For C5, however,  the trunk lines will be the ones that connect transit
(international) networks to terminal (national) networks in distant countrys.

The trunk lines not only transmit signalling information, they also
transmit your conversation.  So, when you make a call over one of these
trunks you have access to more than a friendly voice. :)  I once wondered
why in the hell anyone would ever do such a stupid thing, but the answer
is simple: 1. It's known Bezeq are stupid  2. With the volume of traffic
going overseas, and the cost of the cable, equipment, boats, crew and design,
the profit for using a single line to handle both signalling and voice eaisly
outweighs the amount of "potential" loss due to fraud or bad connections.
No one really cares.

Trunk lines are like Bridges (the kind you drive over). Instead of running
many small bridges to various locations, one large bridge is built in a
convienient spot. Even though there is only one bridge, it's big and handles
lots of traffic, effectivley connecting two sections of town. :)


-= The Operation =-
 
Blue boxing is the art of seizing lines in another country with the affect
that you have operator control over the line.  What you are looking for is
a CCITT#5 (C5) phone system of a foreign country, that can be seized.

CCITT (aka C) has 7 versions up to now that are running, 
The one signalling system I will discuss is: CCITT5. It is still possible
to use other systems (Like R1), but most people wont be able to find them.
CCITT5 (C5) is an international Signalling system. It was designed for
handeling international calls going over the trans-atlantic cables.  Its
still widley used in many South American, Carribean, Asian and poorer
countrys. Slowly, it's dying.

Seize is a signal sent in the forward direction to prepare the incoming
exchange (free toll number) for a call.
Seizing involves sending a 2600Hz/2400Hz tone down the lines for about
100ms-500ms. This is generally followed by a 2400Hz tone for the same
time. Some systems require a 2600/2400 clear forward for 100-150ms and then
the seize tones that are in other tone range, though it's harder, that is the
modern way for Blue boxing.


-= Getting around with C5 =-

Usually if you listen, you will hear wierd beeps or clicks before the phone
rings, when the person answers the phone, or after the called party
hangs up. These noises are actually signals being sent in the reverse
direction. If you got into one of these, this is a C5 phone system.

After you got your C5, there are a few steps you have to do in order to gain
a free call, or in order words.. Blue box :P

1. Breaking the operator trunk line or in other words, break into the C5.
2. Prepare the trunk line for dialing or in other words, after you breaked
   the C5, send the seize tones to prepare the line for dialing.

[*]  C5 can be breaked by sending variations of 2600Hz/2400Hz tones for
     about 100ms-500ms to the line. Each country has it own frequancies
     and you'll have to use another variation for breaking it.

     Example:

     Breaking ENGLAND (177-022-XXXX)
     -------------------------------
     
     Break tone: 2400Hz + 2600Hz / 300ms / vol22
     Seize tone: 4400Hz + 2420Hz / 252ms / vol44


Info/Explaination
-----------------

*Break Tone*  sending 2400 + 2600 Hz tones for 300 mili-seconds at volume 22.
*Seizing Tone*  sending 4400 + 2420 Hz tones for 252 mili-seconds at volume 44.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-
** This is a luzzy example, so don't think you're a wize ass and bother to
   try it out even :))
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-


Some words about the Seize tone
-------------------------------

After you breaked the C5 trunk line, you mostly get silence or a low tone,
in this situation you have to send a seizing tone that will Seize the line
and prepare it for dialing. Seize tone must include a 2400Hz in it since
2400Hz is the C5's Seizure tone. The 2400Hz in your seize tone will come
secondary, it should look like something in this syntax:

(Seize tone example) - <first Hz tone> + 2400Hz / <mili-seconds> / <volume>


-----------------------------------------------------------------------------


Once it's breaked
-----------------

Greetings. send the Seize tone properly to prepare and line you are on, and
the line is ready for dialing! Switch your Blue box Dialing program to C5
dialset, and follow the next dialing rules...

After breaking you'll have to dial in C5 signalling, it is different from
the normal DTMF tones we are using daily with our home phone.


Here are the C5 signals:


+++++++++++++++++++++++++++++++
+ CCITT system 5 Line Signals +
+++++++++++++++++++++++++++++++

  Signal         Frequency(Hz)
  --------------+--------------    
  Seizure                 2400 *
  Clear Forward    2600 + 2400 *
  Clear Backward          2600
  Proceed-to-Send         2600
  Release guard    2400 + 2600

  KP1 (term)       1100 + 1700
  KP2 (trans)      1300 + 1700
  Digit 1           700 + 900
        2           700 + 1100
        3           900 + 1100      
        4           700 + 1300
        5           900 + 1300
        6          1100 + 1300
        7           700 + 1500
        8           900 + 1500
        9          1100 + 1500
        0          1300 + 1500
   Code11           700 + 1700
   Code12           900 + 1700
 ST (end)          1500 + 1700


You probably saw those signals already, in your Blue box Dialer, but I guess
some of you who have'nt Blue boxed yet don't know thier meanings.


  KP1:  Indicates the beggining of a terminal (national) routing.

  KP2:  Indicates the beggining of a transit (international) routing.

  ST:  Indicates the end of a routing.


A terminal call is one that is inside of the national network that owns the
trunk line.  It's kind of like a local call, but fuck the regional boundries.
In other words, will perform a local call in the country you breaked into.
The format for a typical terminal call is:

        KP1 - <Phone number> -  ST

For example, if you breaked a US trunk line, you'll be able to dial numbers
in the US just like you are calling from within the US :)


Transit calls are formated a little diffrent because they obviously need
more information.  The format for a typical transit call is:

        KP2 - <Country Code> - 10 - <Phone number> - ST


What's the "ST" stands for?
---------------------------

ST signal will come at the end of the call operation. ST is actually similar
to the ENTER command, it tells the C5 you are done, and sends the info of the
call you want to perform.


Placing a call (in general)
---------------------------

Let's say we breaked a US exchange, and willing to call localy, to the free
toll US 1-800 number of AT&T, which is 1-800-426-7720. We dial the follow:


KP1-18004267720-ST
 |           |   |
 |           |   |
Local call   |  End
             |
           Phone #


Now let's say we want to call international to Netvision in Israel. We pick
the Netvision central system at 972-3-5166222. We dial the follow:


KP2-972-10-35166222-ST
 |    |  |      |   |
 |    |  |      |   |
Inter |  Pass   |  End
 Call |  Digit  |
      |         |         
    Country   Phone #
     Code


***


List of Bezeq's Home Country Directs
------------------------------------

 177-430-2727 .............................................. Austria
 177-610-2727 .......................... (TELSTRA Telecom) Australia
 177-611-2727 ............................ (OPTUS Telecom) Australia
 177-390-2727 .................... ........................... Italy
 177-353-2727 .............................................. Ireland
 177-100-2727 ......................... (AT&T Telecom) United States
 177-150-2727 .......................... (MCI Telecom) United States
 177-102-2727 ....................... (SPRINT Telecom) United States
 177-320-2727 .............................................. Belgium
 177-550-2727 ............................................... Brazil
 177-440-2727 ................................ (BTI Telecom) Britian
 177-441-2727 ............................ (MERCURY Telecom) Britian
 177-490-2727 .............................................. Germany
 177-450-2727 .............................................. Denmark
 177-270-2727 ......................................... South Africa
 177-310-2727 .............................................. Holland
 177-360-2727 .............................................. Hungary
 177-886-2727 ............................................... Tiewan
 177-300-2727 ............................................... Greece
 177-810-2727 ................................................ Japan
 177-962-2727 ............................................... Jordan
 177-352-2727 ............................................ Luxemburg
 177-330-2727 ............................................... Monako
 177-212-2727 .............................................. Morocco
 177-470-2727 ............................................... Norway
 177-640-2727 ........................................... New-Ziland
 177-860-2727 ................................................ China
 177-659-2727 ............................................ Singapore
 177-340-2727 ................................................ Spain
 177-100-2727 ........................................... Portu-Riko
 177-351-2727 ............................................. Portugal
 177-358-2727 .............................................. Finland
 177-450-2727 ............................................ Froa-Cost
 177-560-2727 ................................................ Chile
 177-330-2727 ............................................... France
 177-506-2727 ........................................... Costo-Riko
 177-822-2727 .......................................... South Korea
 177-105-2727 ............................................... Canada
 177-357-2727 ............................................... Cyprus
 177-460-2727 ............................................... Sweden
 177-410-2727 .......................................... Switzerland
 177-660-2727 .............................................. Tieland
 177-900-2727 ............................................... Turkey


Syntax is 177-COUNTRY_CODE-2727 for any others that are not listed in here.
If you reach nothing in one of these that are listed here or you get a
broken line signal, try using a similar number like:

Canada - 177-105-2727 , 177-104-2727 .
_________________________________________________________________________


***

Some notes about Security and Tracing  I
----------------------------------------

Since '94 and earlier in some exchanges, there have been tone detection
devices on operator trunk lines. One of the most known detectors being used
is the FTD (Frequency Tone Detector). The FTD is filtering your line and can
detect tones such as 2600Hz when being sent. The FTD's reaction is an immediate
disconnection from the exchange you dialed in (where you sent the tones),
informing/notifying Bezeq of your action, and a line shutdown for few minutes.
In order to Blue box, you MUST bypass/disable the FTD. You may Blue box in
the old ways through foreign contries and if you're experianced with a high
technique performance it might work, though you'll either get busted or
a line shutdown for a long period. There are a few ways to bypass/disable
the FTD that are actually based on the same technique, we've published the
easiest of them in Chaos-IL ISSUE#1, I've included it here anyway.



   *RIPPED FROM CHAOS#1*  *RIPPED FROM CHAOS#1*  *RIPPED FROM CHAOS#1*

== CHAOS-IL ISSUE#1 ARTICLE #4 ===============================================
==============================================================================
Bezeq's Frequency Tone Detector is an InterLine exchange that is able to detect
2600hz tones and beyond.  The project has came into act in 1989, when AT&T
distributed the first FTD to TeleComm. companys, in order to detect any kind of
"blue actions"/ Blue boxing that was much massive those days.  Either that the
FTD is operated within the pick/hang up Hz tones, and an InterLine exchange,
it can bypassed VERY simply.

To first-check Bezeq's FTD, get any Blue boxing program that supports the local
DTMF(Dual Tone Multi-Frequency) dialset, and send generated phone number tones
to your phone's mouthpiece using the SoundBlaster/MIC. After performing 3 local
calls, your telephone will be shuted down for 5 seconds and with period, you
will hear a strange tone that sounds like a musical trunk, and the line will
be back to normal.  This is the FTD, and what it did, is to announce Bezeq of
your illegal tone frequency and disabling your short pass calls that were
actually performed without of any Billing Incharges. (please note that this can
be mentioned in your monthly Telephone paperbill).

As said before, the FTD can be bypassed/disabled very easly. before excuting
your desired call, get a payphone number that is placed near to your house
(best in your street) and dial it in a reasonable hour.  Wait for someone to
pick up the phone (a streetwalker).  When the payphone is being picked
up, right then, the FTD gets disabled for the correct call. try to bullshit the
streetwalker that answered your call as much as you can in order to produce
more time if you get into troubles (it is not recommanded to repeat the same
way to the same payphone in generaly, in order to disable bezeq from
noticing anything).  Anyhow, your call is out of the FTD.  Now, you have to
quickly discharge the call, and send it over to your house. You have to make theperson who answer the phone to call you back within less then 5 seconds after
you closed down the corrent call. (5 seconds is the FTD's period time).
Now, this call should be performing very quickly, and it not seems to work some
of times couse of the payphone's "Telecard" delays, so the streetwalker
need to be ready with the Telecard verified inside.  After he's done dialing
your phone's dialtones and the phone rings at your house, the FTD is enabled.
Quickly pickup the phone and hangup after 5 seconds exactly! (its recommanded
to use a clock near you). FTD is bypassed. you have 5sec to excute your desired
call using a Blue box or any other tone freq. that need to disable the FTD in
order to excute the call. I know this might not be clearly to some of you,
so I discribed an online FTD bypass that I did a short time ago:

* PP = Payphone (the remote payphone carrier)
* LP = Local Phone (you)

-- Calling the payphone --
-- Phone has been picked up --

PP: "Hello?"

LP: "Hello, is this 03-XXXXXXX payphone number, that is located in the main
     Tel-aviv square?, Did I dialed correctly?"

PP: "You sure did. There was no one here to answer, so I picked up ..."

LP: "Can I use few minutes of your time?"

PP: "What happened?"

LP: "I'm a Bezeq lineman, I'm in the middle of Tele-line Device installation
     and I need you to call back in here in order to verify the new Device."

PP: "I Understand.  Then what is your purpose in calling this payphone?"

LP: "The device line is need to be tested within this Local Area Network,
     The payphone you're talking through is serving the Network's point."

PP: "Ok, Understood.  Which number should I call?"

LP: "Call to 03-XXXXXXX. Now, you must done the dialing within 5 seconds max.
     the device will not get into act if you will pass the 5 seconds period.
     put your Telecard in by now, so we wont lose any time."

PP: "Telecard is in. I will try doing this."

LP: "Ok, I am about to disconnect, please get ready and be alert."

PP: "Ok, all set."

LP: "Hanging up ..."


-- Call has been disconnected --
-- 3+ Seconds passed from disconnection --
-- Phone rings --
-- Picking up (This call should be closed within 5 Seconds) --
-- Clock Operated (To point the exact time period!) --

LP: "Hello?"

PP: "Thanks, Goodbye."

* DONT TAKE ANY CHANCES! DISCONNECT WITHIN 5 SECONDS PASS!

-- Clock beeps, 5 seconds passed --
-- FTD is bypassed! FREE 5 seconds to excute the desired call --
-- Box- <EXCHANGE DIAL-IN>+2600HZ+KP1+XXXXXXXXX (just an example) --
-- Call performed --

The FTD is limited for only 2 switchings that are less then the period time
(5 seconds). When you switch 2 calls (switch=disable FTD/enable FTD) in less
then 5 seconds that are not operated from the same signalling system,
(payphones uses an auto-operated exchanging switching system named ACTS)
you get a free 5 seconds when the FTD is setting up, in those 5 seconds you
can send any tones without getting detected.
=============================================================================

***//NOTE//***
You also might want to take a look at Article #3 at CHAOS-IL ISSUE#1, covers
the Israeli Blue boxing. 




Tracing & some Security tips II
-------------------------------

Well, you shouldn't pHEAR of Blue boxing like many does :P  I'm gonna say
some facts that I hope wont get mixed for wrong by people who read this.

ANI is Automatic Number Identification. It's a packet that is sent everytime
you dial at least 7 digits on the phone that tells alot of information about
you. It gives the name of the person the phone number is registered to, the
phone number and area code, and any other information relating to you directly.  

The conclusion is, that the number you are Blue boxing through have your info.
but Bezeq doesn't have it :). If you were Blue boxing through a free-toll which
is monitored by Bezeq they would detect and know your info if they would like,
through the ANI, but since you are Blue boxing through a foreign country, the
risks of getting noticed and cought becomes smaller. It is a great idea to
Blue box through a foreign country which are currently not in good relations.
That way, even if you'll get cought by one country, the lack of communication
between her and the other country wont allow tracing you. e.g: Israel -> Arab


                                   [EOA]

Greeting
--------

This article is specially dedicated to all those "WTF! TEACH ME HOW TO BLUE
BOX MAN!" guyz.  I hope this info is informative to anyone who read it, and
I hope more people will start boxing around our fuckedup country.

I would like to greet a few gods that helped me compiling this article, and
helped me to know what I know:

marauder 
TheQ    
BigBoss  
Terminal Man 


                                               singned, morgoth.
                                             [  c h a o s  I L  ]


 
                                   ***



05. Extender INFO


                           Extenders  / radon
                          ~~~~~~~~~~~

 - Part 1 -
well , those extenders (pbxes) stuff has got spread all over israel and today
if you attend you will see that every second person got an extender.
its seems that bezeq already understood the trick about using extenders for
free calls and started to do something about it.

now, i know about at least 1 extender that is under bezeq trace and all
i can tell you guys that this is the most common extender in israel.
(the number of the extender will stay safety in the magazine systems) :)

anyway friends of mine that used the extenders for some time started to get
calls from bezeq that told them that they making some sort of survey that
regarding usage of 177,1800 and 199 numbers and that they would like to know
if they used those services in the last weeks and if yes what sort of services.
now , there is a chance that this survey is just a random call that really
come to check, regrat and improve those services by those questions, but still
one of the magazine perpous is to note you from any dangerous suspect of ours.

this is the formal form of the call usually: 
[bezeq]:  hello, we are from "mercaz dahaf" and we are doing a survey for
          bezeq regarding usage of the 177,1800 and 199 services. 
          did you used those servies for any kind of function in the last weeks?

[person]: [now there are few answers you should answer here] :
person1:   hmm, dunno maybe my father did or someone else in my family.
    bezeq: we just want to know if there was any miss fanctions in our 
           services and what was the function you used.
   person: sorry, no one from my family is at home right now.
-------------------------------------------------------------------------------
person2:   i already recived a call from you today!!!
    bezeq: ok, thanks for the cooperation.
-------------------------------------------------------------------------------
person3:   i got a girlfriend that working in 199 thats why i calling alot 
           to there! :))
    bezeq: ha, if this is the case so its ok! :)
------------------------------------------------------------------------------- 
well here is a log of somone that quote his call into a log, this person got
little into tangle but here its go:
<person> ok
<person> i get a call oneday
<person> a nice lady
<bezeq> "we are from the mishlav (i think thats the name.. ) and we are doing
 a survey for bezeq regarding usage of 177 and 199 numbers"
<bezeq> "u have been using them right?"
<person> "hmmms... dunno."
<bezeq> "well, we just wanna know if the service was good etc..."
<person> "no, i don't recall calling 177 or 199. maybe some1 from my family
 and i don't wanna be in the seker"
<bezeq> "ok bye"
-----------------------------[ after 20 minutes ]------------------------------
<person> a man calls
<person> sounding VERY angry
<bezeq> "Hello. i'm from the seker, and u said u didn't use a number right?"
<person> "yes"
<bezeq> "are u sure?"
<person> "yes"
<bezeq> "do u live alone?"
<person> "yes"
<bezeq> "so u'r name is <he gave my father's name"
<person> "ohhhhh..... no"
<bezeq> "did i get to <my phone number>?"
<person> "yea"
<bezeq> "so who are u?"
<person> "i'm blah blah blah :) "
<bezeq> "but u said u live alone"
<person> "no, i ment i'm alone at home now"
<bezeq> "hmm. so u didn't call? u sure?"
<person> "yea."
<bezeq> "and no1 from u'r home?"
<person> "look, i dunno, i don't know who my family calls"
<bezeq> "ok, bye" (sounding pissed off)
-----------------------------------------------------------------------------
Last note: well, i did my best to get you guys conscious to the situation
today and this article was made and basic about good sources.
i wanna greet m0ta_boy that help me to get some stuff.

I will do my best to keep you inform about any new deatils that will come out,
keep following after chaos-il magazine.
 
                                - PART 2 -
                  Using the extenders with 135 / Radon

well, i think that you guys that use the extenders need to know something:
this calls that you make thru 177 numbers to 135 get charge by someone, even if
its belong to bezeq, when you call thru 135 the internet providers do charge 
bezeq for the services, now someone told me ,and its do make sense, that when
someone use 135 with the extender the chance that they will close the extender
or start to make traces and find peoples that "charged" them for calls to 135
is bigger than you use extender with other isp account as IBM (see issue#1:
how to card ibm internet account / 4thm).

conclusion: dont use the extender with 135! its just more dangerous for you and
for us.

Irc Efnet: radon/rn86away  
E-mail: radon666@hotmail.com 
i would be glad to get any information/responses/fix/updates about 
the article.


06.

                                  ***


                     - Resetting Fastcomm routers -

                               by skade


    ))   ) subject: resetting fastcomm routers
    ))   ) author.: skade (skade@encrypted.org)

   lately alot of people are seeking for a way to reset their fastcomm
   routers, the main reason is that actvnet is about to go bankrupt, and they
   want to sell or use the routers . . well, I did some research and i finally
   found a way to reset the router, its pretty simple when you think about
   it. ok, first of all, you open up the router . . you can do it with a
   simple screwdriver from the buttom of the router once you got that done,
   you'll have to put a jumper right behind the SupV socket, after you
   accomplished that all you have to do is power up the router, press the
   reset and disconnect the router from the power, dont forget to remove
   the jumper before closing up the router, well thats pretty much it.
   here's another tip for all actvnet users out there, maybe it took me a 
   while, but i found the defualt passwords actvnet uses for their routers,
   you might want to try this passwords before resetting the router which
   will save you the time of  reconfiguring the router. . the passwords are:
   password #1: larom  ))  password #2: tavor  ))  password #3: fastcomm

                                            signing off, skade. 



07. BEZEQ'S DMX SYSTEM - INFORMATION AND USAGE



       ############################################################
       #                                                          #
       ####.     BEZEQ'S DMX SYSTEM - INFORMATION AND USAGE   .####
       #                                                          #
       ############################################################


                           ###. by morgoth .##


                              (c) Chaos IL

Have you ever dreamed about monitoring your whole local area code?  Have
you ever dreamed about managing the phone billing process of your whole damn
area code? ITS POSSIBLE.  DMX stands for Direct Monitoring eXchange.
In past, empoylers of the phone company (in this case, Bezeq) used to do the
black-job of calculating the phone billing of the phone network users, etc.
right when the local humanity developped a bit, they built little monitoring
machines for each 3,000 phone lines that are connected to Bezeq's network.
nowdays, the gays let the DMX digital systems to monitor and calculate the
all needed for each each code.  The biggest DMX system is the 03's area code
system, because 03 areacode has more phonelines then any other areacode.
A DMX system is storaging all the lines-information, line-owner's details,
location, and more.  In short of a way, accessing one of Bezeq's DMX systems
is a total MAD SHIT.


##. Locating a DMX system .##

*ALL* of the DMX systems are located in the free-toll network.  When there is
a network overflow, when too much operations(calls) are being made at a time,
the phone network falls down, to prevent a shutdown of the DMX system, which
will cause a total DOOM for the area code monitored by the DMX, Bezeq located
all of them in the free-toll network.

when connecting a DMX system you will be prompted with this:



CONNECT 1200


     ?    ^
    N003 >


NOTE! most of the Israeli local banks are using CISCO Routers as thier
calculating/managing machines, those routers looks almost the same as DMX
systems. (they are both routers).  A Bank CISCO will prompt you with simple:

    XXXXX >


 [  Can be anything --> XXXXX ]


The DMX systems of Bezeq are always prompting with the N at first, which
stands for NODE.  and then, the areacode that the DMX system is monitoring.
In this case, the one that I accessed was N003, the 03 areacode DMX. (wow :D)
Although, you might even find a bank system that will prompt you with N00?.
(I did).  In that case, there is a way I found out to recognize between
each system, in the command prompt you get, enter 'EX'.

When prompting EX on the DMX system, it WONT ask for a password:


N003>EX

Logged Out -
TIME: 14:59:32  DATE: WED JUL-22-1998



When prompting 'EX' on the bank CISCO router, it will logout with asking for
a password at first.  This is how you can make a difference between those
both alike systems.

Logged Out -
TIME: XX:XX:XX  DATE: XXX XXX-XX-1998
ENTER PASSWORD :


  --------------------------------------------------------------------


Use '?' to see a fast help screen.


    N003 >?
     ?, @, CLR+, CON+, DEF+, DSC+, DSP+, LP+, MON+, NOD, RMV, SET+, TRC+, TST+,
     BSY, CEN+, HEL, EP, CNV+, EX, DEL+, RST+, INS+, SAV+, LOA+, COP+, CLS,
     HOM, S




Use 'help' to see the detailed help screen.



    N003 >help
     ?
     
     @  
    
     CLR   @  
     CLR   AQ 
     CLR   BP    LP
     CLR   BP    PH
     CLR   CH 
     CLR   DL 
     CLR   MG 
     CLR   PG 
     CLR   PH 
     CLR   RDN
     CLR   RLY
     CLR   RTE
     CLR   MC 
     CLR   FMC
     CLR   DS0
     CLR   DS1
     CLR   TON
     CLR   LCL
     CLR   MUM   LOC
     CLR   MUM   REM
     CLR   SEC
     CLR   PW 
     CLR   TMO
     CLR   POL
     CLR   PRO
     CLR   MM 
     CLR   VPR
     CLR   SPR
     CLR   LFM
     CLR   SRT
     CLR   SNA
     CLR   BNA
     CLR   TRA
    
     CON   CH 
     CON   DR/   DS0
     CON   ND 
     CON   PRO
     CON   DR 
     CON   DS0
     CON   BDL
     CON   POL
     CON   PR 
    
     DEF   @  
     DEF   ALM
     DEF   CFB   1     CH 
     DEF   CFB   1     DLR
     DEF   CFB   1     DRI
     DEF   CFB   1     DLT
     DEF   CFB   1     INT
     DEF   CFB   1     SC1
     DEF   CFB   1     SC2
     DEF   CFB   1     DS1
     DEF   CFB   1     SKP
     DEF   CFB   1     LFM
     DEF   CFB   2     CH 
     DEF   CFB   2     DLR
     DEF   CFB   2     DRI
     DEF   CFB   2     DLT
     DEF   CFB   2     INT
     DEF   CFB   2     SC1
     DEF   CFB   2     SC2
     DEF   CFB   2     DS1
     DEF   CFB   2     SKP
     DEF   CFB   2     LFM
     DEF   CFB   3     CH 
     DEF   CFB   3     DLR
     DEF   CFB   3     DRI
     DEF   CFB   3     DLT
     DEF   CFB   3     INT
     DEF   CFB   3     SC1
     DEF   CFB   3     SC2
     DEF   CFB   3     DS1
     DEF   CFB   3     SKP
     DEF   CFB   3     LFM
     DEF   CH/   QSC  
     DEF   CH/   DSC  
     DEF   CH/   QAM  
     DEF   CH/   DCI  
     DEF   CH/   QVM.1
     DEF   CH/   QVM.2
     DEF   CH/   QVM.3
     DEF   CH/   QSP  
     DEF   CH/   QVM.6
     DEF   CH/   QVM.5
     DEF   CH/   QVM  
     DEF   CH/   EVM  
     DEF   CH/   FXS  
     DEF   CH/   FXO  
     DEF   CH/   ICM  
     DEF   CH 
     DEF   CON
     DEF   CP 
     DEF   DL 
     DEF   IO 
     DEF   NOD
     DEF   OOS
     DEF   PSZ
     DEF   RTE
     DEF   SC 
     DEF   RET
     DEF   DS1
     DEF   DST   CH 
     DEF   DST   DS0
     DEF   DS0
     DEF   QUA
     DEF   BIA   CH 
     DEF   BIA   DS0
     DEF   EP 
     DEF   PW1
     DEF   PW2
     DEF   CSP
     DEF   MDS
     DEF   MSR   POL
     DEF   POL
     DEF   MM 
     DEF   MCL
     DEF   PRO
     DEF   LFM   10
     DEF   LFM   11
     DEF   LFM   12
     DEF   LFM   3 
     DEF   LFM   14
     DEF   VPR
     DEF   SPR
     DEF   SP 
     DEF   ILQ
     DEF   BDL   PR 
     DEF   BDL   NPR
     DEF   DCM
     DEF   SRT
     DEF   SAL
    
     DSC   CH 
     DSC   DL 
     DSC   ND 
     DSC   PRO
     DSC   DS0
     DSC   BP 
     DSC   POL
     DSC   PR 
     DSC   BDL
    
     DSP   @  
     DSP   AQ 
     DSP   CH 
     DSP   CKS
     DSP   CON
     DSP   CP 
     DSP   DL 
     DSP   ERR
     DSP   FN 
     DSP   PPN
     DSP   RTE
     DSP   ST    BP 
     DSP   ST    CH 
     DSP   ST    DL 
     DSP   ST    SY 
     DSP   ST    DS1
     DSP   ST    DS0
     DSP   ST    QUA
     DSP   ST    AL 
     DSP   ST    BDL
     DSP   ST    POL
     DSP   ST    CLK
     DSP   ST    LFM
     DSP   ST    VCH
     DSP   ST    DCM
     DSP   SY 
     DSP   TIM
     DSP   TST
     DSP   DS1
     DSP   DST   CH 
     DSP   DST   DS0
     DSP   DST   ALL
     DSP   DST   *  
     DSP   DST   DL 
     DSP   BW 
     DSP   DS0
     DSP   REV
     DSP   SIG   DS0
     DSP   SIG   EQ 
     DSP   SIG   LI 
     DSP   QUA
     DSP   TS 
     DSP   TOP
     DSP   EP 
     DSP   CFG
     DSP   CSP
     DSP   MDS
     DSP   POL
     DSP   ACT   POL
     DSP   PRO
     DSP   LFM
     DSP   BDL   PR 
     DSP   BDL   NPR
     DSP   VPR
     DSP   SPR
     DSP   SP 
     DSP   ILQ
     DSP   PHN   XDL
     DSP   PHN   BCK
     DSP   DCM
     DSP   HIS
     DSP   SRT
     DSP   TRA
     DSP   LIT
    
     LP    RB    CH
     LP    RB    DL
     LP    LB    CH
     LP    LB    DL
     LP    RA    CH
     LP    RA    DL
     LP    RD    CH
     LP    RD    DL
     LP    LA    CH
     LP    LA    DL
     LP    LD    CH
     LP    LD    DL
     LP    BP 
     LP    DS1   EQ
     LP    DS1   LI
     LP    DS1   BI
     LP    NI    LK 
     LP    NI    LLB
     LP    DS0   EQ
     LP    DS0   LI
     LP    DS0   BI
     LP    DS0   VS
     LP    DS0   RA
     LP    DS0   RB
     LP    DS0   RD
     LP    LS    CH
     LP    LP    CH
     LP    VS    CH
     LP    LFM   LK 
     LP    LFM   LLB
    
     MON   L
     MON   R
    
     NOD
    
     RMV
    
     SET   BMP   D
     SET   BMP   E
     SET   BMP   P
     SET   CKS
     SET   CLK
     SET   PG 
     SET   RDN
     SET   RLY
     SET   TIM
     SET   TON   EQ
     SET   TON   LI
     SET   DAT
     SET   MUM   REM
     SET   SEC
     SET   TMO
     SET   REG
     SET   CFG
     SET   CQT   HI
     SET   CQT   LO
     SET   GRM
     SET   PRO
     SET   CH 
     SET   CTN   D
     SET   CTN   E
     SET   CTN   C
     SET   RET
     SET   VSM
     SET   PHN   XDL
     SET   PHN   BCK
     SET   TSA
     SET   TSB
     SET   DRT
     SET   DTM
     SET   DL    EXP
     SET   DL    BCK
     SET   SID
     SET   SNA
     SET   BNA
     SET   CSW   QS
     SET   CSW   SS
     SET   TRA
     SET   IO 
    
     TRC   BP 
     ªRC   CH 
     TRC   BCK
     TRC   SUB
    
     TST   L     DAT   C 
     TST   L     DAT   P1
     TST   L     DAT   P2
     TST   L     CNT   C 
     TST   L     CNT   P1
     TST   L     CNT   P2
     TST   R     DAT   C 
     TST   R     DAT   P1
     TST   R     DAT   P2
     TST   R     CNT   C 
     TST   R     CNT   P1
     TST   R     CNT   P2
     TST   DS0   EQ
     TST   DS0   LI
    
     BSY
    
     CEN   PHS
    
     HEL
    
     EP 
    
     CNV   BIA
     CNV   PRO
    
     EX 
    
     DEL   CH 
     DEL   RTE
     DEL   SRT
     DEL      
    
     RST   BDL
     RST   DR 
     RST   PS 
     RST   PRT
     RST   CH 
     RST      
    
     INS   RTE
     INS   SRT
     INS      
    
     SAV   DB 
    
     LOA   SW 



OK. I wont explain what each command does, because this is a complexed system
with like TONS of sub-commands. (the '+' signed next to the commands means
the command have sub-commands).  I will guide through the interesting commands
though.  At first, let me give you a wide look about how this system works
like;  The DMX have some kind of a "room", a memory, that storages little
hosts.  Each host is serving a phone line in the codearea that the DMX is
monitoring (in this case, its 03 arecode).  Therefor, to monitor the number
you wish, you need to connect to his host first.  The host is storaging all
the information about the line and about the owner of the line (a good way
to fuck up people! haha) plus options to change/update it.

Let's say that my number at home is 03-6778080, and I want to access the host
that is monitoring it.  The command 'CONN' which stands for CONNECT, is used
to connect to the DMX hosts.  'CONN' command have sub-commands as well:


     CON   CH           -  Connect to a specific host
     CON   DR/   DS0    -  Conncet to a random host
     CON   ND           -  Connect to a specific host
     CON   PRO          -  View all hosts of the DMX
     CON   DR           -  Search for a host
     CON   DS0          -  Connect to a DS channel number
     CON   BDL          -  Connect to a random host
     CON   POL          -  RE-Connect to the previous random host connection
     CON   PR           -  Re-Connect to the previous host (last connection)


If you have'nt understood yet (dumbfuck!#@), each phone line has it own host,
so HOST means a line in here.  DS channels are used to see which lines are
active and which lines are not, but I wont mess around with it rightnow.

OK. my number at home is 03-6778080.  Use 'CON CH' to connect to a specific
host:


        N003 >con ch
        

You will be prompted with:


       |host:@|host:#  N003ENTER:


The DMX is hosting the lines, and the hosts are numerically arranged.  The
number we are messing with is 6778080, in the DMX, the host name of it is 677.
(the three first digits).  Use this to connect:


       |host:@|host:#  N003ENTER: 677-6778080


If the number is correct, and exists on the DMX, you will be greeted:


       CONNECTED TO HOST 677-6778080 AT DS0/03677

       DS0/03677-6778080 >


You are connected.  Here are the available commands (gained with '?'):


       DS0/03677-6778080 >?

       ?

       CONF
       BULL
       PRIME
       MOV
       DIS
       CON
       

The commands stands for:


   CONF    -  This command will install a conference call option on the line
              you are messing with.  Use 'CONF ?' to see the usage.
              
   BULL    -  This command will enter the billing system of the line.

   PRIME   -  This will re-connect a line to the network.  Only the numbers
              that are registered to the network can be re-connected.  Which
              means, only if it was removed with 'MOV'

   MOV     -  This will remove the line from the network, but will keep the
              line REGISTERED to the network.  (like those numbers who say
              "HA MISPAR ELAV HEGATA EINENO MEHOBAR" :))

   DIS     -  This will disconnect the line from the network, and will ERASE
              the line data. (like those numbers who sound this "broken tone"
              when you are calling them).


   CON     -  This will let you connect a new line to the network, using the
              billing information of the person who owns the line you are messing
              with. (in this case I am messing with 03-6778080, so if I'll
              command to create a new line, it will be billed by the owner of
              the line 03-6778080).


Alright now.  I will detail how to use some of these commands.  I am hardly
NOT RECOMMANDING to mess with the billing.  Although, I will include the
article of messing around with the billing in the next issue of Chaos IL.


Installing a conference call feature
------------------------------------

I want to install a conference call option on my line, 03-6778080.



       DS0/03677-6778080 >conf

       c|o CONFERENCE?

Now this is easy, there are two commands; C to Cancel a conference option
on the line, or O to Operate a conference option on the line.

I want to Operate :)


       c|o CONFERENCE? o
       OPERATED

       DS0/03677-6778080 >


Changes to the line are being made in less then 8 hours (tested).  


Remove a line from the network
------------------------------

As I said before, this will just remove the line from the network but it'll
keep the line registered.


       DS0/03677-6778080 >mov

       ENTER TO CONFIRM

       SUCCEED
       

Press ENTER to confirm the move of the line, if you want to cancel it press Q.



Connect a new line to the network
---------------------------------

This will auto-setup a new line into the network using the billing information
of the person who owns the line you are messing with.  This command is useless
unless you are some mechanical guru, and you have tech equipment to wire phone
lines through your house to the phone-box.  You can connect a new line to the
network with this command but this is just confirming the registration of the
line to Bezeq's network.  If you can get someone to build a shocket to this
line and wire it, it will work.  I've never tried it though.


 ========================================================================

 This is it.  Hopefully, I will detail about the other commands and even more
 in the next issue of Chaos IL.


 greetings:

 El_Mago -  how to access the DMX hosts
 Ares    -  thanx for helping me to understand this krap!

 
 MAJOR THANKS to all the Chaos IL krew.                              


 signed, morgoth.  (morgoth@chaos-il.org)



                                    ***
 


08. Information about BezeqNet (135) for PBXers



            -o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-

                 Information about BezeqNet (135) for PBXers
                   
                                    by

                                 Mota Boy

            -o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-


                             (c) Chaos-IL 1998


In the past few years, Bezeq has developped a pretty stable Internet service
provider network - BezeqNet (aka "135").
BezeqNet's network offers two prodviders from thier machines (providers 4 & 22)
and 18 links to known and unknown ISP (Internet Service Providers) networks in
Israel.
When reaching BezeqNet you will be prompted with the following:




ATZ
OK
atdt135
CONNECT 28800/ARQ/V34/LAPM/V42BIS
Bezeq, The Israel Telecommunication Corp. Ltd. welcome you to BezeqNet.
Through BezeqNet you will be able to obtain information on a variety
of topics, from different sources, and access the internet through
different internet service providers.
The Information suppliers and internet providers on BezeqNet are solely
responsible for the services they provide.
Bezeq is not responsible for the contents of information, or the quality
of service supplied by independent companies.
BezeqNet service is provided upon the condition that Bezeq shall not
be reliable for any act or omission on the part of any information
supplier or internet provider to which access is provided on BezeqNet.

#.  Provider                    |Price per call|Price per minute| Phone      |
--------------------------------|--------------|----------------|------------|
1.  Bezeqnet                    |     0.00 NIS |     0.00 NIS   |177-022-0135|
    url:"http://menu.bezeq.net" |              |                |            |
----INTERNET PROVIDERS----      |              |                |            |
2.  S. Kat (IsraServ) + MAIL    |     0.39 NIS |     0.03 NIS   |09-7428522  |
4.  Internet Bezeq Zahav        |     0.29 NIS |     0.07 NIS   |03-5433784  |
5.  AquaNet L.T.D               |     0.23 NIS |     0.04 NIS   |03-5366503  |
6.  Infolink                    |     0.36 NIS |     0.04 NIS   |03-5332466  |
7.  N.M.T  + MAIL               |     0.20 NIS |     0.05 NIS   |03-7523333  |
8.  SHANI Technologies          |     0.36 NIS |     0.03 NIS   |03-6391288  |
10. Urbis Computer Communication|     0.10 NIS |     0.03 NIS   |03-5258527  |
12. S. Kat (K - Systems)        |     0.29 NIS |     0.03 NIS   |09-7428522  |
13. TalkTel + MAIL              |     0.29 NIS |     0.05 NIS   |03-6132822  |
14. SpeedNet 1                  |        --    |     0.03 NIS   |09-9545288  |
15. Netline + MAIL              |     0.20 NIS |     0.02 NIS   |03-5746756  |
16. N.M.T (MANGO)               |        --    |     0.06 NIS   |03-7513333  |
17. Urbis Fast                  |     0.10 NIS |     0.04 NIS   |03-5258527  |
18. SpeedNet 2                  |        --    |     0.05 NIS   |09-9545288  |
19. Netline Gold                |     0.23 NIS |     0.04 NIS   |03-5746756  |
20. Aquanet - TurboNet          |     0.30 NIS |     0.05 NIS   |03-5366503  |
22. Bezeq Zahav                 |     0.25 NIS |     0.05 NIS   |03-5433784  |
23. Netvision                   |     0.25 NIS |     0.07 NIS   |04-8560570  |
24. Internet Gold - Euronet     |     0.23 NIS |     0.07 NIS   |03-9020022  |
25. Infolink COI                |     0.36 NIS |     0.05 NIS   |03-5332466  |
-----------------------------------------------------------------------------|
Tariff for communication is price of local call plus 2.9 Agorot per minute
Prices not including VAT


Please choose an entry number for Internet/Service provider.

Provider:

----end----

(This is the most updated BezeqNet's ISP list currently, it might be changed
 a bit, or alot, by the time you are read this article).

You will notice the list is missing a few numbers. The numbers that aren't
shown are down servers and/or private usage ISPs, and I have found that
you can type even higher numbers, even something like "113".
I tryed that a few times, but didn't even reach an Internet provider, just some
weired BBS-like system, but you may be luckier (note that you will still
probebly pay. They are just hidden for private usage, or tests I guess)



BezeqNet provider links - General Info.
---------------------------------------

This is for IRCers who gives a fuck about the hostmask of each ISP layout
and for general information about each ISP :)

(Sorry for incomplete info, but it wasn't possible to try out *all* the ISPs
so here are the highlites, mostly the only ones you will use anyway)

1.  Bezeqnet (url:"http://menu.bezeq.net") -> **See note on the buttom**

2.  S. Kat (IsraServ) + MAIL -- *.israsrv.net.il  SERVER: 172.17.30.102:5050

4.  Internet Bezeq Zahav -- 192.114.*.*  SERVER: 192.116.206.21:57

5.  AquaNet L.T.D -- 192.117.*.*   SERVER: 192.117.240.4:230

6.  Infolink -- 192.115.*.*    SERVER: 192.115.208.10:57

7.  N.M.T  + MAIL -- 192.115.*.*    SERVER: 192.115.48.130:4002

8.  SHANI Technologies -- *.shani.net    SERVER: ???

10. Urbis Computer Communication -- *.infogate.co.il SERVER:194.90.232.2:400

12. S. Kat (K - Systems) -- Same as number 2

13. TalkTel + MAIL -- 194.90.*.*  SERVER:194.90.237.5:33

14. SpeedNet 1 -- 192.114.*.*  SERVER:192.114.155.1:57

15. Netline + MAIL -- 192.114.*.*  SERVER: 192.117.254.9:57

16. N.M.T (MANGO) -- Same as number 7

17. Urbis Fast -- 199.203.*.*  SERVER: 199.203.190.3:400

18. SpeedNet 2 -- 192.114.*.*  SERVER: 192.114.155.2:57

19. Netline Gold -- 192.117.*.*  SERVER: 192.117.254.9:240

20. Aquanet - TurboNet -- 192.117.*.*  SERVER: 192.117.240.4:230

22. Bezeq Zahav -- *.attgold.net.il  SERVER: 192.115.8.135:57

23. Netvision -- *.netvision.net.il  SERVER: 62.0.186.1:57

24. Internet Gold - Euronet -- 192.114.*.* SERVER: 192.116.206.22:57

25. Infolink COI -- Same as number 6


- Regarding number 1 on the list -

Some people may not understand the porpuse of number 1 in the list.
It may seem that it is only for the purpose of "surfing" through Bezeq's site,
wich is almost true. The idea of number 1 is that you choose it, press
"continue" in your win95 dialer, and then surf to http://menu.bezeq.net (wich
is acually the only site you are allowed to reach).
There you will find a list of ISPs (Internet Service Providers), the same ISPs
that are in the list that is shown after you dial 135, but in this case you just
press on their banner and you will recive a host and an IP, and ofcourse, the
ability to surf where ever you want. This is great, because you can always
surf back to http://menu.bezeq.net and just choose a different ISP if you are
not satisfied with the speed, or just bored with the host.



BezeqNet's Modems.
------------------

You may think, like I thought at first: "What? only 28800? what is it worth?".
Well, you could be right if you are on an ISDN. But most of the computer users
still have a 33600 modem, and alot still even have a 28800.
Besides, the max speed of the best 33600 can be alittle over 4K/s, but face it,
how often to you reach speeds of 4K/s? you usually get 3K/s, 3.5K/s, wich their
28800 modems can deliver easly (depending on the ISP you chose ofcourse).

Here is just alittle more information for the end:

##. | Provider          | Speed | Stability | System      | Network Usage |
-----------------------------------------------------------------------------
2   | IsraServ          | FAST* | UNSTABLE  | DG/UX       | *****   
4   | Bezeq Zahav       | SLOW  | UNSTABLE  | ???         | ****
5   | AquaNet           | SLOW  | DURABLE   | RH Linux    | ***
6   | Infolink          | FAST  | STABLE    | UN*X        | *****
7   | N.M.T             | SLOW  | UNSTABLE  | Tikshuvit(?)| x
8   | SHANI Tech        | FAST  | UNSTABLE  | UN*X        | ****
10  | Urbis Comm.       | SLOW* | UNSTABLE* | ???         | x
12  | S. Kat            | SLOW* | STABLE    | DG/UX       | x
13  | TalkTel           | SLOW* | DURABLE   | Linux 2.0.27| *
14  | SpeedNet 1        | FAST  | STABLE    | ???         | ***
15  | Netline           | FAST  | DURABLE   | RH Linux    | **
16  | N.M.T (MANGO)     | SLOW  | UNSTABLE* | ???         | x
17  | Urbis Fast        | SLOW* | STABLE*   | ???         | *
18  | SpeedNet 2        | FAST* | STABLE*   | ???         | ***
19  | Netline Gold      | FAST  | STABLE    | RH Linux    | **
20  | Aquanet TurboNet  | FAST  | DURABLE   | RH Linux    | **
22  | Bezeq Zahav       | FAST* | STABLE*   | ???         | ***
23  | Netvision         | SLOW  | UNSTABLE  | ???         | ****   
24  | Inet Gold Euronet | SLOW  | DURABLE   |             | *
25  | Infolink COI      | SLOW  | UNSTABLE* |             | **
-----------------------------------------------------------------------------

notes:

x ====== less then 20 connections a month
* ====== 20+ connections a month
** ===== 80+ connections a month   
*** ==== 140+ connections a month
**** === 220+ connections a month
***** == 300+ connections a month


1) When we say "STABLE" or "UNSABLE" we mean mostly disconnections and how
   the speed holds up most of the time.

2) * == major
   DURABLE == stable, but not for a while.

3) A "???" under the System means that there was no indication of any Operating System.
   But in 99% of the time it's some sort of UNIX flavour.



In Conclution.
--------------

This is the best info we can supply you for now, regarding 135. Basically, the
idea of 135 is that you pay for the exact amount of your usage. Some may think
their prices are too high, but when you think about it, it will usually come
to about 100nis (more or less) per month, and it's basically what you would pay
any respectable ISP in Israel.

                              Thats it for now,
                                                 Mota Boy.




      --------------------------------------------------------------



09. Resources & Credits

Chaos-IL would like to greet every possible resource who supported us and
helped us:

Bezeq TeleCommunictions INC.
Barak Israel-International INC.
GreenShop Computers (TEL-AVIV)
IDC Communications INC.
AT&T Communications INC.
SPRINT Global-One Communications
Israel Telegraph LTD.

2600 Magazine
Phrack INC. Newsletter
Informatik E-Magazine
PLA-Phone Losers of America
Hacker's Heaven (BBS)
Underground Society (BBS)
Route 66 (BBS)
Liquid Underground (BBS)

#972
#phreak
#telephony
#root
#2600

www.border.com
www.etext.org
www.l0pht.com
www.lat.com
www.liquid98.com
www.itd.nrl.navy.mil
ftp.fc.net

The Prototype
Captain Crunch
TS (Bezeq 144/199 Operator)
CB (Bezeq 188 Operator)
NI (Sprint Global One Operator)
retro
Manomaker
Unix geek
phriend-
The Milkman
Anti-D
Lizzard King
deadzed
Blackbird
prophet
Substance 
jizm
stoner
f0k
Mindroot
Toast
BelowZero
*ALL of Chaos-IL Members

-[EOI#2]----------------------------------------------------------------------

(c) Chaos-IL Foundation
        July 1998