                         c a m a r i l l a

01100011 01100001 01101101 01100001 01110010 01101001 01101100 01101100 01100001

[ Volume 1 / Number 1 ]                            [ November 1, 1999 ]

[ Contents: Issue 1 ->

  - Editorial/Intro...........................ls
  - MeetingPlace Conference System 101........castor
  - Burning Bridges!..........................keen
  - Rodopi Billing Software...................discore
  - Cellular Authentication and Algorithms....GPS
  - Pager Spoofing............................dialect
  - MYSQL Brute Force Attack..................memor
  - h1p h4pp3n1ngz [aka news!] ...............discore
  - Submissions and Contacts..................Staff

[ Staff (lewk mah, eye can alfabitize!) ->

  - castor
  - cwj      "everybody, at the speed of light, tends to become nobody"
  - dialect
  - discore  "am thinkink eleet, da?"
  - keen
  - lowtek
  - ls       "born 'n raised on the catfarms..."
  - memor    "boo"

______________________________________________________________
|---------------> Editorial/Intro ---------------------------- |->
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

- Welcome to the inaugural issue of camarilla. This is a tech/telco zine that we have created for some unknown reason. One of our main efforts in this attempt at creating an electronic publication is to make it something not only worthwhile, but also fun to read. I don't really know how I ended up as the editor for this zine...I suppose one day my name just appeared on the webpage "ls - editor", so here I am. I'll try to do my best. I've never really done such a thing before, but I think this isn't too shabby for a first attempt.
After reading, if you have any suggestions, comments, article submissions, etc., don't hesitate to e-mail us here: camarilla@hektik.org

Hrmm, I can't really think of much more to say. I was hoping that my editorial would be a bit more philosophical than this, because I was unable to find the time to write an article myself. Which, btw, I apologize to the other staff members for: I had to get pushy with them about getting articles in, then it turns out I didn't write one...but hey, it is after all Issue 1...

on a side note: sh0utz and sp3cial th4nkz ->

  - #!camarilla, #telconinjas, #telehack, #phreak (undernet)
  - GPS, thanks for contributing, yer dead seckzy

Thanks for reading, and have a fearable day.

-- ls (lordsmurfs@caspers.net)

|-------------------------> w0op! 0n w1th th3 sh0w <-------------------------|

______________________________________________________________
|---------------> MeetingPlace Conference System 101 by castor |->
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Ok, most of you I know are into phones, so here is my rant on Latitude's conf system. This text isn't going to tell you all about the menu system and all that, cause Hybrid has already written a file on that, but it didn't tell people too much on how to find the systems and hack them. A while ago I got caught up in the confs while they were being set up and run on a 24/7 basis. Me and some friends had found some interesting files on Latitude's misconfigured servers. To get started I'll give some numbers out.

  1.8oo.242.3266 ext:66300
  1.8oo.280.1260

Now depending on the version of the system it will either be easy or a bit more difficult to find profiles. On older versions of the system, when you enter a profile number it would give an error message, or if you found a valid profile and the user set up a greeting you would hear it, such as "Technician".
Also, so you don't get disconnected every time you hit # to try another profile number, you should hit * then 2 to cycle back to the "Enter your profile number" menu. By doing this it will think it's your first time entering the number, and you can keep doing this until you get a profile number. Otherwise you get disconnected after a few tries.

Once you've made a list of profile numbers you can start trying to brute force the password. To do this just try the profile number as the password, profile number backwards, profile number with a one at the end, etc. Once you crack one, get a pen and paper and write down every meeting you are invited to; it will list off 30, giving you the date, time, and pin number for the meeting. You should do this because many times they will have the outdial enabled, which is always fun to play with.

MeetingPlace is unique in the way that most of what can be done over the phone can be done over the web. Yes, for every company that runs MeetingPlace they have a web server for it too. So while latitude.com was running their very own buggy version of MeetingPlace I took it upon myself to look around. What I found was that the version of MeetingPlace latitude was running was even more fucked up than I thought. User information is kept on the server in txt files. Huh? you say. Well, look.
---[ Start ]---
"fnm","lnm","uid","prfnum","phnum","ctctuid","grpnme","grpnum","tzcode","abbprmpts","anndpart","annentry","pwdreq","screntry","bcode","uactive","utype","cndial","shrtmnus","pwdonoutdial","whocanattnd","whocanlstn","canrecord","recordmtgs","IsAdvancedPromptsIsDefault","NamedDisconnectIsDefault","NamedIntroductionIsDefault","PasswordRequiredIsDefault","ScreenedIntroductionIsDefault","BillCodeIsDefault","IsActiveIsDefault","CanOutdialIsDefault","IsContactIDDefault","TimeZoneIsDefault","IsQuickMtgEntryAllowedDefault","IsPasswordRequiredOnODDefault","WFPasswordLastChanged","VUPasswordLastChanged","RecordMeetingsIsDefault","IsMeetingRestrictionDefault","IsMtgNoteRestrictionDefault","CanRecordMeetingsIsDefault","VName","IsODXLatTableNumDefault","IsMaxImmedMtgsPerDayDefault","IsMaximumMeetingLengthDefault","IsMaxVUIODsPerMtgDefault","ODXLatTableNum","MaxImmedMtgsPerDay","DayOfLastImmedMtg","NumImmedMtgsOnThatDay","MaximumMeetingLength","MaxVUIODsPerMtg","faxnum","pgrnum","mxattsprmtg","rcvnotifs","attndprf","prmrynotifprf","altnotifprf","pgrtype","emailtype","site","preferredunit","emailaddr","faxxlattblnum","sndnotifs","autodistatts","dfltnotifprio","sndnotifonmtgch","sndinvlstwnotif","sndmtgpwdwnotif","rcvattswnotif","playattlstfifo","schedprefunitonly","autostrtrcrd","disablerollcall","schedhomesiteonly","profileflex1","profileflex2","profileflex3","concurrentquestions","announceqarr","announceqdep","fqnadisabled","ftellpartpos","fadvanceinfo","fautoproenabled","fstartpeopleinwr","publiculallowed","groupulallowed","privateulallowed","meetingcategory","numdataparts","dataconfclienttype","chatclienttype","fallowdataconf","fchatsession","fismtgseminartype","fallowguestview","updatetime","qnanotify","InternetEmailAddr","EncryptedUserPWD","EncryptedProfilePWD"
"Guest","User","guest","0000","","gd","System","0","gd","gd","gd","Beep","gd","gd","","Yes","EndUser","No","gd","gd","gd","gd","gd","gd","Yes","Yes","No","Yes","Yes","No","No","No","Yes","Yes","Yes","Yes",01/18/2033 00:00,01/18/2033 00:00,"Yes","Yes","Yes","Yes","Not_Recorded","No","Yes","Yes","Yes","0","gd",12/31/69 16:00,0,"gd","gd","","","gd","gd","gd","gd","gd","gd","gd","0","0","","gd","gd","gd","gd","gd","gd","gd","gd","gd","No","gd","gd","gd","gd","gd","gd","1","Beep","Beep","No","No","No","No","No","0","0","0","gd","0","0","0","No","No","No","No",09/29/97 10:44,"No","","Daefnlgjdaoh","Daefnlgjdaoh"
"Sales","Engineer","salesengineer","0001","","gd","System","0","gd","gd","gd","Beep","gd","gd","","Yes","Technician","Yes","gd","gd","gd","gd","gd","gd","Yes","Yes","No","Yes","Yes","No","No","No","Yes","Yes","Yes","Yes",01/18/2033 00:00,01/18/2033 00:00,"Yes","Yes","Yes","Yes","Not_Recorded","No","Yes","Yes","Yes","0","gd",08/22/97 00:00,2,"gd","gd","","","gd","gd","gd","gd","gd","gd","gd","0","0","","gd","gd","gd","gd","gd","gd","gd","gd","gd","No","gd","gd","gd","gd","gd","gd","1","Beep","Beep","No","No","No","No","No","0","0","0","gd","0","0","0","No","No","No","No",09/29/97 10:44,"No","","Dachkldjlble","Dachkldjlble"
---[ End ]---

The first row explains what everything means: fnm = First name, prfnum = profile #, etc. This is just a short piece of the file that I got. The interesting thing is that Latitude, being the creators of the conference system, has clients ranging from Microsoft to NASA. So listening in on a conf is always interesting. You can also listen to conf logs, which are kept in .ra and .wav format, assuming you have access to the webserver.
Other files may have information such as:

---[ Start ]---
[03/24/97 02:44 PM]          User Information Report          Page 7

Group Name: Web Sales                          Group Number: 33661

User                  Profile      Contact                Billing
Name                  ID Number    User ID                Code      Active   Type
--------------------
Total in System 187
10700    32218664    7215    host125-131.latitude.com
9960     54643465    4060    shiva2-1.latitude.com
8414     71975996    2058    206.10.74.5
8321     111722568   3476    shiva-port1.latitude.com
5812     122150390   1620    low.latitude.com
---[ End ]---

Again, this file went on and on and on.

Ok, I know what some of you are saying: how do I fucking get access to the server? Easy, manipulate the URL. What's the URL? Here, go to somesite.com/MPWEB/html. Now all that we used to do was delete the '/html' part; either you get an error saying directory listing not allowed, or you gain access. The directory structure for MeetingPlace may look like the following or similar:

  3/1/99    5:44 PM        104  _ODINST.INI
  11/11/98  5:47 PM             audiosvc
  6/2/99    12:26 PM            cgi-bin
  6/2/99    12:25 PM            datasvc
  6/2/99    12:25 PM            html
  6/2/99    12:26 PM            images
  6/2/99    12:02 PM            MEETINGS
  7/12/99   3:56 PM        896  MPWEB301.ldb
  7/15/99   1:44 AM    2729984  MPWEB301.MDB
  5/6/99    2:27 PM             net120
  2/19/99   7:45 AM             temp_tpl
  3/1/99    5:40 PM             template
  3/1/99    5:40 PM             zoneinfo

Note the MPWEB301.MDB: that's a Microsoft Access database with everything you need to hack that MeetingPlace. Usernames, passwords, e-mail addresses, real names, you name it, it's there.
Here is a snippet of one file:

---[Start]---
UserID Password FirstName LastName EmailAdd Name GroupID RestrictFor ContactID TimeZone TimeZoneIsDefault Kind fActive fActiveIsDefault WFPasswordChangeDate
3 Guest User guest 0 0 0 0 Yes 0 1 Yes 903915875
4 07049149452 Email User email 0 0 0 0 Yes 0 1 No 2147483647
20 01239441502 Sales Engineer salesengineer 0 0 0 0 Yes 4 1 No 2147483647
21 12069242201 Tech Engineer technician 0 0 0 0 Yes 4 1 No 2147483647
---[End]---

This is just a small piece of the database, but you get the idea :)

The one thing all MeetingPlace websites have in common is www.server.com/MPWEB. That MPWEB is what you're looking for; most sites' main page will be www.something.com/MPWEB/html. Delete the /html and, if it's an old version, it will let you in. Now look through the directories for anything. To find sites running MeetingPlace, go to your favorite search engine and type /MPWEB. You should come up with a few sites: es.net, some .edu, a .com and a few others I know of but forgot. You won't get a list of all sites that run the software, since some servers are on the subnets and not on the main site.

Not all MeetingPlace systems identify themselves right away, meaning when you call them. A friend of mine was going through extensions on some company's 800 number and found a MeetingPlace system. They're not everywhere but are getting more popular, so keep looking. The OS it runs on is NT, so if you want to hack the server it's running on, go right ahead. As for default logins for MeetingPlace, I don't know of any, but there might be. nbtstat -A site.com looks like this:
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
MPLACEWEB      <00>  UNIQUE      Registered
NOC            <00>  GROUP       Registered   Edited
MPLACEWEB      <20>  UNIQUE      Registered
MPLACEWEB      <03>  UNIQUE      Registered
TAG            <03>  UNIQUE      Registered   Edited
31337          <1E>  GROUP       Registered   Edited
INet~Services  <1C>  GROUP       Registered
IS~MPLACEWEB...<00>  UNIQUE      Registered
MPLACEWEB      <06>  UNIQUE      Registered

MAC Address = 01-33-E7-75-46-L8

Note: Hybrid's file on MeetingPlace can be found on the ninex webpage at www.ninex.com

______________________________________________________________
|---------------> burning bridges! by keen ------------------- |->
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

the evil modern society which we live in seems to have propagated a lie which causes many of us great misfortune throughout not only our day-to-day lives but ultimately ruins them forever. yes, das is correctzors, the modern myth that "burning bridges" is a bad thing. the ministers of disinformation and heads of our nations engrain the negativity of this phrase into us by using their classical propaganda techniques, including the one which i'm sure most of the readers of this great zine are familiar with, definition defamation, or d squared for short. for those of you who aren't knowledgeable of this term ( you aren't because you've been brainwashed to forget it ), it involves the planting of mole lexicographers into the offices of the many domestic and international dictionary publishing companies. yea, agents employed by both world governments and corporate america pull the strings of the very industry which controls words. sounds pretty crazy, eh? well it's true, and we've photographs to prove it. but back to the original topic of this paper... no no, i have to resume my avocations of "burning bridges" and thus can no longer speak of the modern phenomenon of d squared.
yes, i know it seems selfish that i won't be addressing any of the other many words and phrases (10s of thousands) which have been 'd squared up' (the term used by the moles when referring to a word whose definition they have bastardized in order to propagate their evil ideas) but this stupid zine isn't an appropriate forum for a more in-depth account. erm, so, what was i saying? oh yea, burning bridges is actually a good thing(tm).

now, here's a little test .. when i've used the term "burning bridges" did you immediately append "behind ones-self" to that? well i bet you did! see, these ministers of propaganda have so brainwashed society that our minds immediately make links from the original phrases to their debased definitions. now you may be wondering "what difference do 2 extra words make? burning bridges easily conveys the same meaning as burning bridges behind ones-self". guess again mister smarty-pants! those two words make a huge-ass difference in your sub-conscious interpretation of the word. you see, the added phrase "behind ones-self" promotes a foul connotation in your mind. the key word is "behind". it seems like the word means "in back of", but that meaning doesn't begin to unravel the tangled web of lies which totally encompasses the word "behind". because of the extra phrase "behind ones-self" the term "burning bridges" actually degrades the person who the phrase is speaking of into a domesticated ass (equus asinus). far-fetched? preposterous? cockamamie? no. i'll enlighten you as to how the phrase "behind ones-self" totally twists into this hideous degeneration of humanity. in the field of "disinformation propagation derogation" or dpd [hehe, that's the inverse of pdp, fear the subliminal messages] for short, we draw diagrams to illustrate the path which the human mind takes in _slightly_ changing the denotation of a word into a previously concealed connotation of doom.
the one for this phrase follows:

          behind ones-self
             |        |
           rear       me
             |        |
          buttocks    |
             |        |
            ass       |
             |        |
             <-------->
                 |
              me ass
                 |
              I ass
                 |
             I am ass
                 |
           I am an ass
                 |
        I am an Equus asinus

there. now how degrading would it be to be an Equus asinus? _VERY._ nobody in their right mind wants to be a long-eared, slow, domesticated beast of burden. when left alone the two words "burning bridges" portray correctly the idiomatic expression of making decisions that cannot be changed in the future. but when changed into the phrase "burning my bridges means people strap foodstuffs and heavy things to my back and ride around on me and even occasionally push me off cliffs while i'm trying to sleep", well, need i say more? i'll answer that one for you ever so loyal readers once again, yes, yes i must.

now that you know how to correctly use the phrase "burning bridges" (NOT like: "burning bridges behind you"), you're probably wondering why you would ever want to make a decision that couldn't be changed in the future... well i'll tell ya why in 5 words. Fewer options means easier decisions. isn't that true? it is, and by making decisions which remove options you have less options. correct? hell yeah. less options means easier decisions. by burning bridges you've less options and thus an easier life.

let's take a look at it solely from a probability and statistics point of view. scenario: you've been offered work from 20 different companies. 20! a score as abraham lincoln would say! that's a lot. it'd be impossible to select the one which is right for you from such a myriad of choices. this is where burning bridges comes in. why not phone up 18 of the businesses and tell them all about your craving to murder their executive offices? you needn't have such desires, but you'll find much creativity comes into burning bridges. yup! you mayn't have realized it but you've just done it! you've burnt bridges! congrats! but on with the scenario. now there are only 2 choices left. you can pick one...
or the other. one. the other. simple! 50/50. with 20 offers your chances of picking one are 5%. but with 2, you've a 50% chance of picking one. now it doesn't take a rocket scientist to figure out 50% odds are better than 5% odds. 1 in 2 chances to win instead of 1 in 20. big improvement. and since all those places had 800 numbers you didn't even spend toll-charges. yup. choice reduction for free. that's what "burning bridges" meant back in the day. even the word "burning" implies free. fire's free. just whip out a magnifying glass, direct it at the rope railing of the bridge and voila! it's on fire! right in front of your eyes! hmm, "burning bridges in front of ones-self". now that sounds good. let's permanently change "burning bridges (behind ones-self)" to "burning bridges in front of ones-self". that accurately portrays the definition of the idiom while simultaneously preaching the idea that burning bridges is a good thing. after all, nobody does something in front of their self that's bad. but that's another story in itself.

now i'd like to conclude this essay in the spirit of burning bridges so i'll just go with the always helpful and never out-of-place:

"#$*@!&(*&$(*#@&)*$&#@()$#@elite$*#@&($&#@()$&#@(&$#@&*$@#(

ok. there. i've just burnt some bridges. don't ask which ones though. ta-ta

______________________________________________________________
|---------------> Rodopi Billing Software by discore --------- |->
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Rodopi Billing Software is a product that does billing and such for internet-involved companies. I've noticed a lot of ISPs running NT like this software. Can we say double stupid? Rodopi is supposed to make it all easy for tech support guys to edit accounts, look up account information, and do basic billing procedures.
I first stumbled across this software when a friend of mine was working for an NT-powered ISP, and he happened to show me how to get free accounts there, all via the web with NO passwords. I'm going to show you how to use and abuse Rodopi. I'll give you ideas on how to find places running Rodopi. In the process of all of this I may accidentally suggest doing something that seems less than legal. I do not suggest doing such things, because you will need a new door after the feds kick it down, and they are expensive plus annoying to install. If at any point any Rodopi lawyers happen to be reading this, I would like to remind them of that little thing called the First Amendment. I'm just trying to show that shitty software like this shouldn't be used because it is insecure and weak. What's wrong with that?

\ Begin guide to hack planet now \

First off we have to find somewhere running Rodopi. A quick and easy way to find places running Rodopi is to do a search for servers containing the directory:

  /olsplus/rodopi.html

The software is usually installed there. Here is how it would look if it was an actual URL:

I'm going to use nsa.gov for my example site from now on. No, they don't use Rodopi, so don't even try. Sometimes it will be configured to run on a specific port. For example, I seem to see it on port 8181 a lot. A simple portscan can tell you if you aren't sure what port it is on. To search for this directory go to, like, Altavista's advanced search and figure it out. I'm not making this a point-and-click guide to get credit card numbers just yet.

As soon as you've found a site that runs Rodopi you will see a screen like this:

Now try going to Filter Search really quickly. If you see a Login/Password you probably shouldn't even try. I haven't found a default login/password, but most places are relatively stupid. Try something generic like cs/cs1234 until you get bored. Not all Rodopi servers are passworded.
I know this for a fact; if you look hard enough you _will_ find an unpassworded one. It will not ask for a password until you start trying to do stuff. Keep that in mind. When you get to that screen, you will see a bunch of neat options. Let's take a look at them.

Under the Subscription category we see, oh what's that? Create New Account? Does this mean I'm "root" or whatever they call it? Might as well be; if you get to this page you have full access to that entire company (except for a few password popups :P), to the point of being able to take them offline completely. Speaking of taking places offline, one thing I should note really quickly: buttons aren't what they seem to be. If you hit "Edit" next to something, it won't give you anything to edit. It will change it right away for you. Be careful, we don't want to accidentally knock anyone offline. That's bad for business.

As you can see under 'Subscription' there are four neat things to do. The first few are sort of self-explanatory. If you go to Customer Support it asks for the customer's Registration Number, and then if you know one it tells you a bunch of worthless crap. List Roaming Phones, well, this is sort of interesting. I think it is for the company's cell phone wielding employees. Overall it isn't that neat; you can get their e-mail addresses and tell them their rates are high, though. Finding a Registration number is Customer Support related, and worthless.

Maintenance, ok, what's this first thing? Filter Search? Hey, it asked me for a password. That's right, don't even bother if it is password protected, unless you want to brute force it. Filter Search is probably the most important thing that I will be discussing, so let me quickly finish up explaining the rest of the options and I'll get back to it. Radius Attributes Editor is where you can completely check out their setup. I don't want to explain too much because this will turn into a Networking text.
Pretty much you can make some admin's day hell if you play with that. It asks for a login; if you happen to guess or know one, good job. If you happen to get a login/password, make sure you try it for all the login prompts, it's probably all the same. If you haven't noticed, there are two types of password prompts. One is a popup that gets you into the interesting stuff, and another is HTML that edits their setup.

Management/Marketing Reports. Yay. Self explanatory? I don't know if anything worthwhile will be found in here, although it doesn't seem to ask for a password. Knock yourself out. Printing, Archiving and Batch Payments. Well, you can see how their company is doing. These are stats that only execs care about, unless you are planning some sort of corporate takeover. Then it also may come in useful.

Administration is really neat. You can totally re-edit their Rodopi configuration. Some help with this may be found at:

That is the basic Installation-HOWTO. I'm sure if you're feeling mischievous you can find something to play with here. The Tech Support section has some lame stuff. That is probably totally worthless unless, maybe, you're going for that whole corporate takeover thing. In the next section down you can edit their voicemail system. Listen to the boss's voicemails (if you know his PIN) and do other bad bad illegal things that shouldn't be done. And the last section is the Help section. It has some useful links for information if you are confused. But remember, this software is made for 16 year old tech support junkies and starch-shirt execs. So I don't think it's too confusing. They just put the help there so they can claim they have "really good online docs." What a scam.

So usually to get to the demo at rodopi.com you need to fill out some registration. I skipped all that for you people and gave you the link right to the demo. Now in the registration it asks for all of your usual information: email, address, name, phone number, etc.
It says clearly at the top (in bold): Please fill out the form completely. All the data is considered confidential. Well, this is interesting. I'm glad to see they are at least telling people it's confidential.

This brings me to the filter search. Go click on it (on the demo site) and enter demoadmin/demoadmin for the login/password. You will see three different ways to search. I usually like to search by date and do it maybe a month or two at a time (from 10/99 to 11/99 for example). So let's search for 9/99 to 10/99. Wow, 128 matches. Great. This may be a bit slow for dialup users, but you will soon see a list of names and email addresses, with a button you can select next to them. Let's select the first person and look to the left. Hit Edit Cust. and a new window will pop up with all of the information they submitted when they registered. How interesting: the information is considered confidential, yet anyone can get access to it? Before you sue me, think about getting sued yourself. If you go to Edit Acnt. you will see the type of payment they make. Now if you were on any other Rodopi server but the demo one, you would eventually find someone who pays with a *gasp* credit card! Now I think carding is totally worthless, but this is a good example of a company having very private information publicly available, all because of their silly little billing software. This could spark major battles in Internet Privacy if Rodopi were ever to be heavily abused.

It is very easy to use this search, if you haven't noticed. I'm starting to get too drawn out, so I think you can figure out the rest of it. Please don't email me asking for places that run a real Rodopi server, because I do not use these for any illicit activities, and I won't help you do the same. I hope this has enlightened you on getting information from a company that should be private, because it isn't that hard.
--discore (tyler@enjoy-unix.org)

______________________________________________________________
|------> Cellular Authentication and Algorithms by GPS ------- |->
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

.authentication.and.a-keys.

Authentication is a process to prevent fraudulent access to the cellular network by validating user units with algorithms. Most North American systems use an authentication process based on the CAVE algorithm (IS-54 TDMA, IS-91 AMPS, IS-136 TDMA, and IS-95 CDMA). The GSM system uses an authentication process based on the A3 algorithm. Authentication is basically done to validate a mobile subscriber, to determine if it is fraudulent and, if so, deny access to the cellular system from that subscriber. The process of authentication takes place by transferring classified information between the mobile unit and the system.

During setup, each cellular phone is given a number called an A-KEY. The A-KEY is never disclosed to others. The subscriber enters the A-KEY into the phone by keypad, and the phone uses the A-KEY to calculate and store a shared secret data (SSD) key. The network then performs the same calculations to create and store the SSD. During each processed call, the SSD key creates an authentication response code, and then during access the phone transmits only the authentication response code. The authentication response changes during each call because the system sends a random number which is also used to create the authentication response code value. Someone who intercepts an authentication transaction over the air has no clue regarding the correct value of the SSD key, and has no way of repeating the response given in one authentication transaction to fool the system in another authentication transaction.

.algorithms.and.xDMA.authentication.

An algorithm is the mathematical process of forcing manipulation of data so that if 2 processors have the same initial values, they produce the same answer.
The answer from the authentication algorithm is used to determine if a subscriber seeking access to the system is a valid registered subscriber. The CAVE algorithm is utilized in authenticating most North American systems (such as NAMPS, IS-54/IS-136 TDMA, and CDMA), and operates on a group of data bits called the shared secret data (SSD). The SSD is in both the mobile telephone and the cellular system. If either the mobile unit or the cellular system has an incorrect value of the shared secret data, authentication fails and the call is not processed. The SSD is 128 bits of data divided into 2 parts called SSD-A and SSD-B. SSD-A is used by the authentication process, and SSD-B by the message encryption and voice privacy processes.

Processing authentication relies not on the secrecy of the CAVE algorithm, but more on the values used when running and decoding the algorithm. Each subscriber receives a secret number called the A-KEY (authentication key). The cellular subscriber enters the A-KEY on the keypad after typing A-K-E-Y (as letters on the keypad), then pressing the function key twice. The A-KEY is entered into the mobile set one time only, by the subscriber, and can then be forgotten. The subscriber does not need to remember and use it repeatedly, like the PIN number used with some bank cards and in some analog cellular phone backup authentication methods still in use today. The mobile telephone doesn't use the A-KEY itself to authenticate the mobile set, but instead creates and stores a secret key (SSD). After the A-KEY is entered, it's known only to the subscriber and the network home location register (HLR).

The cellular system begins the authentication process by sending an AUTH bit over the control channel in the continuous system parameter overhead message (SPOM).
When the mobile unit receives the AUTH information, it is set so that it will always send the authentication response information in addition to other values such as the mobile's ESN (electronic serial number) and dialed digits when starting a telephone call. Mobile telephones add other data in addition to the authentication response value processed by the CAVE algorithm. The random challenge value from the base station adds one extra data element as a code. That's to ensure that the mobile unit and base station are using the same random challenge value in their calculations to produce the authentication response. The other extra data element is the "call count" value, which counts all calls made by the mobile unit.

After receiving the results of the mobile's authentication process, the base station compares the answer to its own calculations. If the values match, the call is processed. Once a voice channel is assigned, the base station may update the mobile's SSD with a new value to be used in future processing. Aside from being used for authentication, the CAVE algorithm is also used for message encryption and voice privacy. Message encryption "scrambles" non-voice messages sent between the mobile unit and the base station. The base station controls which messages are encrypted.

.algorithms.and.gsm.authentication.and.sim.

The GSM system uses the A3 authentication algorithm. The GSM A3 authentication algorithm is contained in a removable subscriber identification module (SIM) chip or card. Unlike the CAVE authentication algorithm, which is standard for all mobile telephones, the GSM A3 authentication process has several versions for use in different countries. With a SIM card, a subscriber can use any PCS (personal communication system) phone that has a card reader to make a telephone call. The SIM card is about the size of a credit card, and must be inserted into the phone to activate it.
While the card is in the phone, the phone is personalized with the user's personal data. The SIM card contains a microprocessor, and the personal identification number (PIN), the services subscribed to, the authentication key, the different authentication programs (so that different system operators can use different authentication algorithms), the IMSI, speed dialing lists, and so forth are stored in the SIM card.

The GSM algorithm processes data with shared secret data (called Ki) to create a signed result (SRES). The Ki is stored in both the mobile telephone and the cellular system. After receiving the results of the mobile's authentication process, the cellular system compares the answer to its own calculations. If the values match, the call is processed. If either the mobile unit or the cellular system has an incorrect piece of the shared secret data, the authentication process fails. The Ki key has a maximum length of 128 bits of data. Ki is also used to create the key used for voice privacy encryption. A random number (RAND) is sent on the broadcast control channel as part of the secret key processing. This random number changes periodically. The random number, the Ki secret data, and other information in the mobile telephone are processed by the A3 authentication algorithm to create a signed response (SRES).

Unlike the xDMA systems, which use CAVE for both authentication and encryption, the GSM system uses a different algorithm for message encryption and voice privacy. The A5 algorithm creates a message encryption mask for voice privacy. The encryption mask uses a Kc key, which is created at the beginning of each call with an A8 encryption algorithm. Throughout the call, the A5 algorithm uses the Kc key to scramble voice data sent to and from the mobile telephone.
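As an added illustration (not code from the original article), here is the GSM exchange just described run end to end: the network picks a RAND, the SIM answers with SRES computed from Ki, both sides derive Kc without it ever crossing the air interface, and Kc then drives the voice mask. The real A3/A8/A5 are operator-specific and not reproduced here; HMAC-SHA256 and a SHA-256 keystream stand in for them (an assumption), and the IMSI and Ki values are constructed. The same challenge/response shape applies to CAVE, with SSD-A and SSD-B playing the roles of Ki and Kc.

```python
import hashlib
import hmac
import secrets

# Constructed example subscriber data, not real values.
IMSI = "310150123456789"
KI = bytes.fromhex("0123456789abcdef0123456789abcdef")   # 128-bit Ki


def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the operator's A3: (Ki, RAND) -> 32-bit SRES. Assumption: HMAC-SHA256."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: (Ki, RAND) -> 64-bit per-call key Kc. Assumption: HMAC-SHA256."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


def a5_mask(kc: bytes, frame: int, length: int) -> bytes:
    """Stand-in for A5: per-frame keystream from Kc (the real A5 is a stream cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = kc + frame.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Network:
    """HLR/AuC side: keeps Ki per IMSI and never transmits it."""

    def __init__(self):
        self._ki = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki[imsi] = ki

    def challenge(self, imsi: str, rand: bytes = None):
        """Fresh RAND plus the SRES and Kc the network expects for this subscriber."""
        if rand is None:
            rand = secrets.token_bytes(16)   # changes every challenge, so old SRES values are useless
        ki = self._ki[imsi]
        return rand, a3(ki, rand), a8(ki, rand)


class Sim:
    """Subscriber side: Ki lives only on the card."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand: bytes):
        return a3(self._ki, rand), a8(self._ki, rand)


def authenticate(network: Network, sim: Sim, rand: bytes = None):
    """One exchange. Only RAND (down) and SRES (up) cross the air. Returns (accepted, Kc or None)."""
    rand, expected_sres, kc_net = network.challenge(sim.imsi, rand)
    sres, kc_sim = sim.respond(rand)
    if not hmac.compare_digest(sres, expected_sres):
        return False, None                    # wrong or missing Ki: call not processed
    assert kc_sim == kc_net                   # both sides derived the same Kc independently
    return True, kc_net


def protected_call(kc: bytes, frames):
    """Phone scrambles each frame with the A5 mask; network unscrambles with its own Kc."""
    on_air = [xor(f, a5_mask(kc, i, len(f))) for i, f in enumerate(frames)]
    recovered = [xor(c, a5_mask(kc, i, len(c))) for i, c in enumerate(on_air)]
    return on_air, recovered
```

A handset that knows the IMSI but not Ki gets a different SRES and is refused, which is the "incorrect piece of the shared secret data" case above; and because RAND is fresh on every challenge, an SRES captured from an earlier call does not match a later one.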
Since the cellular system has access to the same set of secret information, it makes the same encryption mask as the mobile telephone and uses it to unscramble the voice data before sending it to the land line network for the call to be further processed.

______________________________________________________________
|---------------> Pager Spoofing by dialect ------------------ |->
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Elitely enough, I, myself being a ninja trained in the art of telecommunications, yearn for something more in phreaking, something feared++, like run-on sentences! Many have tried but failed to successfully hax the beeper system. For we all have had the power to spoof our ANI information when paging a friend, but it was all a matter of doing it! Simply enough. I am willing to train my fellow comrades in the extra elite stragedy in Beeper/Pager Spoofing.

Beeper spoofing is much like diverting: disguising your number so the other end has no clue who you are. And with dialect's extra uberistic way of spoofing you too can be phatty-boomba-latty. Here's how we do it.

1.] We first call the victim's beeper (example: 973-474-4839)
2.] We then choose our method of madness. Here, we must choose the method to page, and not to leave a message!
3.] (Here's the elite part) We now enter a phone number totally different from where you're actually calling from! (beeper systems secure!? Bah!)
4.] End call by hitting "#" in most cases.

You may not believe it but what you just did was elitely spoof your ANI info. In one try you're able to place the victim in total fear mode by totally bugging the shit outta him/her when they try to call the number back and find you are not there!!#% To find out you were not there in the first place is enough to place Houdini in fear mode!# We use this elite stragedy for throwing off the evil feds that haunt us day in day out. This one is for you guys!
If you run into any trouble don't hesitate to mail me at dialect@stupidphat.com . Werd. Later.

Shout Outs : #Phreak, #telconinjas, #!camarilla, #Telehack, #gay_teen_hackers. and Smartbeep. Werd to my friend 'Payga-hacka' who currently got arrested for pager fraud. Bro, bail's coming soon.

Elite Log of the day : [ * dialect slaps ls around a bit with a large trout ]

______________________________________________________________
|---------------> mysql brute force hax0rn by memor ---------- |->
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

This is a brute force attack for mysql. Save it as a .c file and hax0r away! Remember! You will need the mysql libs to run it... also take note that the ns part is ripped from z0ne.c/adm ....mad propz to them =]

|----------------------------> c0de st4rtz h3r3 <----------------------------|

/******************************************************
Usage : ./code [-fol