.;..;. .;..;. . ;. . . .;; . ... .; ;...; .' . ; ;.. .;. .. .;;. .;..;. ttt ttt .;..;. .;... ..; NNN NNNN .;..;. ttttttttt ttttttttt .;. . NNNN NNNN ttt ttt .;..;..;..;. ...; ;. NNNNN NNNN ttt .;..;. ttt .;..;. ..; ..; NNNNNN NNNN eeeeeeee ttt ttt .; .. NNNNNNNNNNN eee eee ttt ttt _---_---_--- .; .; NNNN NNNNNN eeeeeeee ttt .;. ttt W E R K E D >>> .;;;. . NNNN NNNNN eee ttt ttt _---_---_--- . ; . ;.; NNNN NNN eeeeeeee ttt ttt .;..; . .;.;. .;;;. ..; --/-/-///--- _-- [ K - 1 i n e #8 ] --_ ---\\\-\-\-\-- 'Call and Response' _)##vol.3####$.;..;..;..;. .;..;. .;..;. .;..;..;..;. .;..;. .;..;. .;..;. ::#issue.8#$)$ :: `:==--::--==--::--==--::--==--::--==--::--==--::--===?:--::--==--::--==--::--=: ^ ^ ^ October 2000 ^ ^ ^ *: :* *: :* *: [-] Introduction .......................................... The Clone :* *: (-) Contact Information ................................... The Clone :* *:-=><=--=><=--=><=--=><=--=><=--=><=--=><=--=><=--=><=--=><=--=><=--=>y4y<=:* [ Da 0-Day WarEz ;] *: (x) 'Surveillance Possibilities on the ECS' ............... Seuss :* *: (x) 'CLEARNET PCS - "PAY & TALK",...' ..................... The Clone :* *: (x) 'Canadian University Dialup List' ..................... The Clone :* *: (x) 'Assaulting Payfones' ................................. Anonymous :* [-] Credits ............................................... The Clone :* *: [-] Shouts ................................................ The Clone :* *: :* *: :* *: :* *: :* . . . A little tinkling in the night Just to check your line's are alright, A little tinkle in the day just to listen to what you say... =-=- == -= - . -= = =- -= - .;. .;..;..;..;. .;. ;;;; .;.;..;.. .;..;. .;..;. .;..;. .;..;. .;..;. .;..;..;..;..;..;..;..;. .;..;. .;..;..;..;. .;..;. .;..;. .;..;. - - = - -= = - .,. ,. -= =- = = - .,. , - , ,. , =- -= Introduction; Welcome to the 8th issue, 3rd volume October edition of K-1ine zine. Well do I ever have a nice bunch of files for you fone-pholks out there... my associates and I have been in hyper think-tank mode, churning out some very wicked telecom-related technical releases that'll make your heads spin. What do I have in store for you this month? - A detailed and interesting perspective on Lucent Technologies "Definity ECS" PBX's - A Clearnet PCS 'Pay & Talk' programming guide, useful for Clearnet/Telus 'Pay & Talk' subscribers (duh) and telecom enthusiasts - A file listing the known modem carrier numbers for major Canadian Universities - A file written specifically on physically exploiting payphones Lock up your wives, lock up your daughters, 'cause K-1ine is here... -: Contact Information; Comments/Questions/Submissions: theclone@haxordogs.net Check out my site: (Nettwerked) http://www.nettwerked.net Shoot me an ICQ message: (UIN) 79198218 - -: Surveillance Possibilities on the ECS Disclaimer: Your mileage may vary. [- Seuss, 10/04/00 -] PBXs invariably offer a rich set of surveillance options to a skilled eavesdropper, from soft wiretaps to commands that allow bugging rooms through the handsets. Lucent's enterprise phone systems provide an eavesdropper with an even greater wealth of possibilities, particularly the Definity ECS. This article only touches on hostile programming of the switch. NIST has an excellent report on PBX security that discusses hardware attacks thoroughly. - Hostile Features * Bugging Attacks You can bug a room through a telephone. Surprise. Typically this will require some modification to the handset so the phone is never really on hook, i.e. shorting the hook-switch contacts with a capacitor. Attach an audio amplifier to the line, and room audio will be heard pretty clearly. On a POTS line this sort of attack can be countered by either using a handset with a push to talk button, or connecting a listen-down amplifier to the line and monitoring it for room audio. On a PBX however a few commands and a flipped switch can be used to accomplish the same. Auto answer is a feature used by many people who have their hands busy, i.e. secretaries and receptionists. After giving a ring or two the phone will automatically go off-hook. By itself auto-answer is of little consequence. However it can be coupled with an anti-disturbance feature that allows callers to mute their phone's ringing. These two features together will allow for the phone to go off-hook without any warning and allow an eavesdropper to receive clear room audio. A bit of hardware intervention will be needed here. To engage auto answer the user will have to move a slide switch on their phone from ring to auto answer. If long term surveillance is planned its possible to either replace the existing phone with one that has the answer selection switch disabled, or to have a rectifier wired into the line to suppress ringing. Lucent platforms include a feature that permits only internal calls to be auto answered, with external calls ringing audibly. Making intercom calls via remote access will create less suspicion than a station that never ever rang. * Soft wiretaps Analog station sets allow any user to pick up an extension and monitor the content of a call. Due to the more complex signaling used by digital station sets, just picking up an extension phone will yield very little in the way of usable eavesdropping data. However there are several features available on the ECS that allow multiple people to add themselves into a call to a digital set by simply picking up the receiver. Call bridging is the most obvious technique for adding oneself to an ongoing call. Call bridging allows a particular phone to answer (and incidentally monitor) calls on another extension. This method of eavesdropping is rather impractical as it allows rings sent to either phone to ring both phones. This possibility can be reduced by assigning the phone used to eavesdrop an unused number or VDN, or forwarding all calls to that number. Temporary bridged appearances, which create a roving bridged appearance are another possibility. Pickup groups are a feature provided by several manufacturers, in order to provide for a smaller but more flexible alternative to ACDs. This feature allows a call to simultaneously ring a group of phones, but allows them all to enter into the call. Any set in the pickup group can be used to monitor a call from anyone else in the group. Adding yourself to a pickup group appears to be a good way to monitor calls from on site. Creating a pickup group will become very obvious under examination during a switch audit. The Busy Verification feature allows privileged users to add themselves to ongoing calls as an additional party. Busy verification isn't as sexy as it appears, though. Usually there is an alerting tone used in conjunction with override functions to alert the caller and called parties that another person has joined the conversation; after the first long tone it will sound off again every 12 seconds. Verifying a number that's on a multi-line station will generate a priority call (and an irritating special ring) to any available line on the station. The Definity incorporates a special function that will monitor ongoing conversations without any notification at all. This is called 'service observation'. Service observation does not include an alerting tone. Service observation is the most attractive choice for ongoing soft wiretaps, because it can be easily accessed remotely. Service observation can best be dealt with via a call vector. Type: change vector x (make sure x isn't a currently assigned vector) and press return. 1. wait-time 0 secs hearing ringback 2. collect 4 digits after announcement 9876 (make sure there's an announcement that works here. Adding more requires adding a module to the switch) 3. route-to digits with coverage n 4. stop Now create a vector directory number that will route to this vector. Type: add VDN 1234 and press return You'll be presented with the Vector Directory Number screen. Assign an unused extension and an innocuous name. Make sure the associated COR allows for service observation. When the VDN is called, the vector will initiate, spout off some meaningless crap, and wait for the caller to dial an extension. The vector will then connect the user to the requested extension. Appendix A: Default ECS Logins cust rcust bcms browse NMS -: Come into city and share some with us... i so fucking would Alan but i got no ride if you wanna drive my ass then sure - -: CLEARNET PCS - "PAY & TALK" ACTIVATION/NAM PROGRAMMING FOR SERIAL By: The Clone Date: Monday September 11, 2000 Note: In August 2000, Telus Mobility made public the acquisition of Clearnet. All services that were once will Clearnet will still exist, except all Clearnet customers will be under Telus ruling with access to current Telus Mobility services. <--OCR Snip--> Why is Clearnet's Pay & Talk better? ` we have .com ready phones so you'll be able to surf the net ` we include all the extras, like caller ID, voice mail and call waiting ` we have dual mode coverage, which means your Pay & Talk phone works in Clearnet's digital and analouge service areas You will need your activation code (below) and your $50 Pay & Talk card (attached) to activate on Clearnet's Pay & Talk service. activiation code: XXXX XXXX XXX To get going, please refer to the Getting Started section in your Pay & Talk Starter Kit for instructions. Serial Number: XXXX XX XX XXX -- Programming the NAM for the Serial Number: `- Firstly Enter: 739 939 `- Secondly: Power Down Phone `- Thirdly Enter: * 8 3 7 8 - END- Contact: E-MAIL: theclone@haxordogs.net URL: http://www.nettwerked.net -: I don't wanna have sex today my pussy hurts - -: <-- Canadian University Dialup List Updated on: 09/30/00 By: The Clone E-mail: theclone@haxordogs.net URL: http://www.nettwerked.net Comments: Originally Posted on Phrack Magazine Volume Five, Issue Forty-Six, File 13 of 28 --> -= Alberta; University of Alberta (Edmonton) - 780-492-3110 - 780-492-3214 www.ualberta.ca -= British Columbia; Simon Fraser University (Vancouver) - 604-291-1457 [Temporary 28.8k Dial-up] - 604-291-4700 [10-minute "Express"] - 604-291-4721 [Registered Students] - 604-291-5947 [Faculty and Staff] - 604-291-9514 [Premium Modem] www.sfu.ca University of British Columbia (Vancouver) - 604-822-1331 [Interchange Account] - 604-822-4477 [Netinfo Account] www.ubc.ca -= Manitoba; University of Manitoba (Winnipeg) - 204-275-6100 - 204-275-6132 - 204-275-6150 - 204-275-7771 - 204-946-8100 www.umanitoba.ca -= Newfoundland; Memorial University of Newfoundland (St.John's) - 709-737-8302 www.mun.ca -= Nova Scotia; Dalhousie University (Halifax) - 902-494-2500 - 902-494-8000 www.dal.ca Saint Mary's University (Halifax) - 902-429-8270 www.stmarys.ca -= Ontario; McMaster University (Hamilton) - 905-570-1889 www.mcmaster.ca Trent University (Oshawa) - 705-741-3350 - 705-741-3351 - 705-741-4637 www.trentu.ca University of Ottawa/Université d'Ottawa (Ottawa) - 613-564-3225 - 613-564-5926 www.uottawa.ca University of Waterloo (Waterloo) - 519-725-5100 - 519-725-1392 www.uwaterloo.ca University of Western Ontario (London) - 519-661-3513 www.uwo.ca -= Saskatchewan; University of Regina (Regina) - 306-586-5550 www.uregina.ca -= Québec Bishop's University/Université Bishop's (Lennoxville) - 819-822-9723 http://www.ubishops.ca Concordia University/Université Concordia (Montréal) - 514-848-4585 - 514-848-8800 www.concordia.ca Laval University/Université Laval (Québec) - 418-656-7700 - 418-656-3131 www.ulaval.ca McGill University/Université McGill (Montréal) - 514-398-8111 - 514-398-8211 www.mcgill.ca University of Montréal/Université de Montréal (Montréal) - 514-733-2394 - 514-343-2411 www.umontreal.ca University of Quebec/Université du Québec (Québec) - 514-285-6401 www.uquebec.ca -= - END - -: I want to start screwing a chick, and be all like "oh god, I'm coming!!" and start pissing inside of her, and she'll be like "ohh.. there's so much! You're so warm... er.. wait a minute!" - -: +++ WWW.HACKERSALVAGE.NET +++ HackerSalvage.net is a non-profit website dedicated to keeping old hardware in circulation. Many of us have piles of it sitting around but can't just toss it out. Here you can post computer items for sale or post a want ad for items you are looking for. A perfect place to get rid of perfectly good junk.... and get some new stuff to rebuild the pile. +++ +++ --------------------------. Assaulting Payfones 1.o \ ----------------------------`-----------------------------------------------. ' ------------. * * * c/a 1o-17-oo : Disclaimah \ . --------------`-------------------------------------------------------------.' ' This material is presented for informational and entertainment purposes : only, and to satisfy the curious. Any activities described in this file . which involve vandalism, theft, or any other illegal activities are . recounted from third-party conversations. I do not condone or encourage vandalism or theft. I do not accept any liability for anything anyone . does with this information. So, don't shoot the messenger. Remember: Looking is one thing, but busting up payfones is ILLEGAL. . -------------------. Table of Contents \ ---------------------`------------------------------------------------------. ' : [ Removing the Cover . . . . . . . . . . . . . . . . . line 32 ] . . [ Accessing the Lines . . . . . . . . . . . . . . . . . 11o ] . [ Removing the Card Reader . . . . . . . . . . . . . . . . 157 ] . --------------------. Removing the Cover \ ----------------------`-----------------------------------------------------. ' This is so easy it's almost not worth going into, but people always ask. : I figured this out when I was about thirteen years old and I used a coat . hanger. I'll present the coat hanger method, as well as how to fabricate . a proper key. . = Method #1 = Take a coat hanger made from very stiff wire and unbend it. You don't . have to do a very nice job of it, you just need a stiff piece of wire to work with. I suggested a coat hanger because everybody has one, and also for nostalgic purposes. Bend the coat hanger and pull it across itself, right side in front of left, so it forms a little loop at the bottom of the bend. Pull it tight until the loop is about 8mm in diameter. Now form the ends sticking out into a handle of sorts. Be creative. Break off any excess wire by bending it back and forth with pliers. Done. The following diagram may help you, but probably not since it sucks to an extreme degree. This is sort of what it looks like anyway. wire crossed over and _____ ______ formed into a handle --> \/ /\ / \ / \ / \ *blink* ( ) \ / *blink* \ / \ / \/ little loop --> () = Method #2 = Making an actual key is pretty easy too. Get a small sheet of metal that is easy to work with and rigid enough to handle some torque. Now cut it according to the diagram below. Yeah, this is what shop class is for. Important dimensions are noted. _________ handle --> [___ ___] | | 5mm wide --> | | _| |_ 10mm wide x 5mm high --> |_____| = Doo-be-doo = Well, that is that. Someone could simply stick their homemade key into the hole that looks like this... _ ..., give it a twist, and pull the cover off. | | | | The little loop in the "Coat ( ) Hanger Method" is the part | | one would stick in the hole. |_| This works on Centurians and the slot is located on the top. Millenniums and Fortress Phones both have this slot located on a small panel on the front of the payfone, in front of the coin box. I haven't been able to open them with the coat hanger method, just twists the hanger up. Perhaps with a strong fabricated key and a wide handle for lot's of torque. Or maybe you need to unlock the lock located on the side of the payfone first. These locks require a real key. Who knows. When you are finished nosing around, make sure to replace the cover and lock it back up. ---------------------. Accessing the Lines \ -----------------------`----------------------------------------------------. ' Again, this is easy stuff. Accessing a payfone's lines really depends on : the payfone and installation. Sometimes you will see the fone-line running . right out of the payfone and across the wall. With pillar-mounted payfones . there is usually a panel on the pole beneath the fone that can be easily opened with the appropriate tools. In payfone booths you will also find . panels that can be removed to reveal the line, above or beneath the fone. And of course, if you can see the wiring coming out of the top of the booth and going up to a pole, it can be accessed there. Regardless of the . installation, if you take a look you will see that a payfone's fone-line can almost always be accessed. Note: Many of the panels spoken of are fastened with "security screws." You know those odd shaped screw-driver heads that most people don't have. Here in Canada you can find sets of these odd-shaped bits at Princess Auto. Scour your local tool and automotive supply stores and you can probably find some. Warning: There are also high-voltage lines running into payfone booths to power the booth-light. When messing with electrical lines it is always wise to exercise extreme caution. Or better yet, don't mess with them at all. So, what can be done with a payfone's fone-line? Well, it is possible to beige box from at least some of them. Generally works on Paytel COCOTs, Millenniums, and probably other COCOTs. Just hook up to the red and green wires. (duh) If you don't know what a beige box is... well, it's just a regular fone-set with some alligator clips on the red and green wires that you can use to patch into a fone-line. Also known as a linemans handset. If you still don't get it just do a search for "beige box" on the web. It's one of the oldest boxes and the information is everywhere. Now, a payfone line has four wires in it. Red, green, black, and yellow. We know red and green (ring and tip respectively) are used for the voice communications, and can be exploited for beige boxing as mentioned above. The black and yellow wires are used to control the coin mechanism relays and solenoids. If you cut these wires no coins will be returned on calls that can not be completed. If the wires are reconnected, and the handset is lifted and put back down, the coins will be released. Neat-o. However, it sounds far cooler in theory than in practice. This is an old scam and your telco likely knows all about it. It is obviously illegal and doing this habitually will surely lead to your arrest. Oh, and as far as I know this only works on Centurians. --------------------------. Removing the Card Reader \ ----------------------------`-----------------------------------------------. ' And the Lord said, "let there be little yellow cardreaders upon : every fone so that the people may go out and harvest the bounty . wrought of the telcos..." -- XX . The method covered here applies to Millennium payfones. Now, you really . shouldn't be doing this. Millennium payfones cost several thousand bucks. If you are caught vandalizing one, the penalty will be quite heavy. Fone companies do not look kindly on people messing up their equipment. And . again, this is all third-hand information. Don't look at me. A payfone is usually a heavily armored unit with secure mountings and impenetrable housings to disuade peoples thoughts of emptying them of their silver booty. The Millennium payfone card readers, however, are a soft-spot indeed. Tools required: * Hammer * Big flat-head screwdriver * Knife * A desire to commit a criminal act Place the head of the screwdriver against the slit at the top edge of the card reader. Pound it in a few inches with the hammer. Apply downward force on the handle of the screwdriver until you create a large enough gap to fit the claw of the hammer in there. Insert the claw of the hammer into the gap with the hammerhead facing up. Yank hard on the hammer in an upward dir- ection using the front of the fone as a fulcrum under the head of the hammer. The yellow faceplate will come off, either with or without the card reader attached. If it's not still attached to the yellow part you can just reach into the hole and pull it out. Use the knife to slash the ribbon cable or just yank really hard until it disengages from either the reader or the mainboard in the payfone. At this point the payfone might be quietly going beedley-boop-beedley-boop and displaying some message on the screen about re-inserting your card or something. Not an alarm, just an error notification. It is not known if this causes the payfone to fone home for help. Probably not, since the error on the screen seems to indicate that the fone thinks there is simply something wrong with a card in its slot... which it no longer even has. Go figure. It has also been noticed that when missing card readers are replaced by the telco, reinforcements are often added to prevent them from being emancipated again. The card reader is an American Magnetics (www.magstripe.com) Model # 171. It has both a magstripe reader and a smartcard reader/writer. Exactly how . these card readers can be interfaced with a PC is a story for another day. Play safe. And if you ever happen to catch yourself vandalizing payfones, . call Crime-Stoppers at 1-800-222-TIPS... That's wun-aight-zee-row-zee-row- too-too-too-aight-phore-sebbin-sebbin. Jeah. . . ; ----------------------------------------------------------------------------' . ' . . ' ` ,;;%$$$%%%&;,. ' ( . , ) ,&$$$&$&$$L.`'"4%%&,. . . ` * , ) &$$&$&$&$$$$$$&;, `"&%%&,. . ( . . , &$&$&$$&$$$$$$$$$$$%, `"&%%%&. ( ( ' * ` %&$&$&$$$$$$$$$$$$$$$&;, `"&%%%&. ` . `( . * ` *, ` ' ) $$&$&$&$$$$$$$$$$$$$$$$$$&, `"&%%%&. ( ` . ) )' `$$&$&$&$$$$$$$$$$$$$$$$$$$$&, `"&%%&. `( ( .* ` ` ) ' `$$&$&$&$&$$$$$$$$$$$$$$$$$$$$%;, `"&%%&. ` . ( * ' . `$$$&$$$$$&$$$$$$$$$$$$$$$$$$$$$&, `"&%%&. ` ` @ * ' `&$$&$&$$$$&$$$$$$$$$$$$$$$$$$$$$&, `"&%%&. `( @ * * . `"$$$&$&$$$&$&$$$$$$$$$$$$$$$$$$$$&, `"&%%&. * . @ * `:$$$$$&$&$$&$&$$$$$$$$$$$$$$$$$$$&, `"&%%&. ` @ * ) `"&$$$$$&$&$&$$&$$$$$$$$$$$$$$$$$$&, `"&%&. . @. `"&$$$$&$&$$&$$&$$$$$$$$$$$$$$$$$&, `"&%&. `*`' `"%$&$$&$&$$$&$$&$$$$$$$$$$$$$$$&, `"&&. '" _ `"&$$$$$&$&$$$&$&$$$$$$$$$$$$$$&, `"&.'/ : `"&$$$$$&$&$&$&$&$$$$$$$$$$$$&, `'. : `"&$$$$$$$&$&$&$$$$$$$$$$$$&, `\ `'"&$$$$$$&$&$$©$H$C$$$$$&; `'"&$$$$$$$$$&$$&$&$$ CRA$HING DOWN THE TELEC0M INDU$TRY ``'"&%$$$$$$%' ``\``: { one payfone @ a time } \_: --: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Credits: I would like to give credit to the following people for helping with this issue of K-1ine - if it wasn't for you guys I don't think this issue would of been released... Anonymous, Seuss, and of course myself... what, can't a guy give himself a pat on the back for hard work? ;-) And how... -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Articles are ALWAYS welcomed. If you have something you'd like to see on this zine, feel free to send me an e-mail. Even if you're worried that the article is "lame" or "isn't technical" or something like that, send it anyways. Remember; everyone has something to offer to the scene. Show your support. -: Shouts: Hack Canada and Haxordogs, #CPU, k-rad-bob @ b0g, Blackened @ Damage Inc., The Grasshopper Unit, Pyrofreak, and lastly to everyone and anyone who contributes to the Canadian H/P scene. ;. .;.. ; ;. ;.. ;.. .;..; .;.; .;; ;.. .;..;. .;..; .;.;...; ;..;.. .;. A .;. .;. ;.. N E T T W E R K E D ;.. ;..;.. P R O D U C T ;..;.. .;..; ;..;.. ; .;..;.;.. .; . .;. ..;.. .;.. . .; ..;..;..;.. .; ;..;. .;.. . .;.. .;.;. ..;. ..;.. .;. ;.;..;;..;.; ;.;;..;.. ;.;.; .; . ;.;..;. .;. ;.;:.;. ,;....;. .;.;. .;.; .;.;.; .;.; ;..;. .;.; ;.; .;. ..; ;. > > > blip blip blip...