                               NPANXX104

 "NPANXX upholding the Bell tradition of quality text files and exploits"

                          WWW.teamphreak.net
                          IRC.teamphreak.net

                        <=OSCAR Owns SPRINT=>

<############################## CONTENTS ################################>

    Introduction and Updates

    1. Scanner Basics............................................rotary
    2. Exploiting weak password schemes with gdb...............phractal
    3. The MeetingPlace Conference System...........................bor
    4. Capacitance on Telephones.............................mcphearson
    5. Telesystems load balancing by magnetic resonance.......trunkLord
    6. Breaking into VMBS..........................................ic0n
    7. WOE-DATA FLOW DIAGRAM....................Contributed by phractal

    Links and Advertisement (see the end of the issue)

<########################### Staff and Email ############################>

    mcphearson                    parenomen@teamphreak.net
    phractal                      phractal@teamphreak.net
    bor                           bor@teamphreak.net
    TrunkLord                     trunklord@teamphreak.net
    stain                         stain@teamphreak.net
    Article submission            articles@teamphreak.net
    To email the entire staff     staff@teamphreak.net

    By the way, if there is some dying need to get in touch with us,
    and it can't wait, you may do so by phone. You can call the
    teamphreak toll free information hotline/msg center at
    1-866-248-7671 ext: 3974. After you enter in the pin you must wait
    a little bit before it will connect. Also, there is no # at the
    end of that pin.

<############################### Shouts #################################>

    Lucky225        #  iluffu               #  Rotary and Wildsmile
    deadkode        #  9x and d4rkcyde      #  b4b0
    Overlord DDRP   #  original tp members  #  Wildsmile
    Setient         #  vap0r                #  ic0n
    zylone          #  jenna jameson        #

<########################## Note from editor ############################>

    Team Phreak contributes to the scene. We write our own articles
    and do not rely heavily on outside sources for our issues, unlike
    some other groups (unless otherwise noted). We may use other
    materials for news articles or in research purposes to verify what
    we type is fact, but we guarantee that all articles are written by
    us and anyone who wishes to contribute original texts. Also please
    come and visit us on irc at irc.teamphreak.net or irc.phelons.org
    (#TEAMPHREAK) and join us on the world wide web at
    www.teamphreak.net

<#########################################################################>

===========================================================
                       INTRODUCTION
===========================================================

It's amazing how much stuff has happened since the release of NPANXX103.
Even though that release was only a few weeks ago, we have gotten a
domain, IRC server, gained a new member, and now we have what we think is
the best issue to date.

In this issue, we've got a ton of useful stuff. We go over things such as
the MeetingPlace Conference System, Breaking into VMBs, a very nice
article about Telesystem load balancing and magnetic resonance, and some
other nice stuff for all of you. However I guess you probably already saw
that in the table of contents.

Time to go off and write my article for NPANXX105.

- bor. (bor@teamphreak.net)

_________________________________________________________________________

                          TeamPhreak Updates

 - [02/25/02] Stain joined teamphreak!
 - [02/28/02] Set up Irc server - irc.teamphreak.net
 - [03/02/02] Domain working - www.teamphreak.net
 - [03/05/02] Listed on www.undergroundnews.com
 - [03/09/02] Teamphreak 1800 hotline now up (Also mad props to trunklord)
              The number is: 1-866-248-7671 ext: 3974
 - [03/10/02] Listed on www.ppchq.org
 - [03/11/02] Layout redone (thanks trunklord!)
                                ( END )
__________________________________________________________________________

-========================================================================-
--======================================================================--
1.Scanner Basics --=====================================================--
Written By: Rotary --===================================================--
Written For: BNW (http://www24.brinkster.com/bravenewworld/) --=========--
But submitted to NPANXX --==============================================--
Written On: xx/xx/xx --=================================================--
--======================================================================--
-========================================================================-

Things to know about "Police Scanners."

If you are considering purchasing a "police scanner", there are some
things you should know. The main things to consider about a scanner are
the radio bands (how many and which ones it has), the number of channels
it holds (more is better), whether it can limit scan, whether it's
handheld or a base unit (and if it's handheld, whether it has an A/C
adaptor, because they use a lot of batteries!), and whether or not it
handles trunking.

Radio frequencies are split into several different sub-groups, called
"bands," most of which aren't important for the type of scanning I'm
discussing here. The ones that are important to us are the "land-mobile"
bands. These bands are set aside for two-way communications between
offices, 2-way radio-equipped vehicles, & portable 2-way radios
(walkie-talkies). There are 5 major land-mobile bands:

    VHF-low        30.000 -  50.000 MHz
    VHF-high      138.000 - 174.000 MHz
    UHF           406.000 - 470.000 MHz
    UHF-T         470.000 - 512.000 MHz
    "800" band    806.000 - 940.000 MHz

Many of the older & cheaper scanners have the first 4 bands, but not the
all-important 800 band. The 800 band is special because that's the band
that cell phones transmit on. Unfortunately, even if you do find a scanner
with the 800 band, if you're in the US it will probably have the cell
frequencies (824-849 MHz and 869-894 MHz) blocked out. That's because
Federal Law requires them to be deleted from all scanners imported to or
manufactured in the US. The best way to get a scanner with cell
frequencies is to buy it from someone second-hand in the UK. But no
worries; even if you can't get the cell frequencies, there's still plenty
of fun to be had with a scanner!

Another thing that is important about the 800 band is that it is becoming
more and more popular with the police & other government/public safety
organizations. However, most of these frequencies are trunking systems, so
you have to have a scanner that handles trunking to take advantage of
them. I'll cover trunking a little later. But no worries; even if your
scanner doesn't handle trunking, you can STILL have lots of fun with the
800 band. It also happens to be the band where most modern cordless phones
transmit (900 MHz).

OK, so now you know lots of great things about the 800 band, but the
scanner you saw at the Ham-Fest for $30 only has the first 4 bands
(VHF-low, VHF-high, UHF, UHF-T). Is it worth it? You bet! There are still
plenty of interesting things to check out on the lower bands.

VHF-low is the band that many of the older and/or cheaper cordless phones
transmit on. Limit scan this band (40 - 50 MHz) & you'll find a host of
people in your community having phone conversations. Each phone transmits
on a particular frequency, so each time you pick up a phone conversation,
you can record that frequency & find the same person talking on the phone
again and again. That is, assuming you're into that kinda thing... >8-D

VHF-high is mostly private aircraft communications, 24-hour weather
reports, and ham radio operators. Some local emergency organizations use
this band also (like volunteer fire departments & EMT), but I haven't
spent much time scanning this band because I found it rather boring.

UHF has mostly various government communications. Also kinda boring...

UHF-T is where most of the interesting police & emergency communications
happen. That is, the ones that aren't on the 800 band anyway.

You can find a good list of local police/emergency frequencies from
RadioShack's "Police Call" (a must for any scanner buff), and from various
places on the internet. These are only a starting point, though.

To get a good list of local frequencies, you have to do some work. First,
you need to keep a log of your scanning activities. At the very least, you
need to keep track of which frequencies you've scanned for any length of
time & mark whether they're used often and/or whether you heard anything
interesting. Program the frequencies from "Police Call" (and any from
other sources) into your scanner & scan them for a couple of weeks to find
out which ones are used & which ones are interesting.

After that, limit scan frequency ranges near the frequencies that you have
found interesting. You'll have to check the manual for your particular
scanner if it doesn't work like mine, but for most models, you simply hit
"program" then "limit" then enter the frequency you want to start with,
then "limit" then enter the frequency you want to end your scan with. For
example, say you want to scan 40.000 - 45.000, you would hit "limit"
"40.000" "limit" "45.000" "enter". Then hit scan & it will run through
those frequencies until it captures a signal.

When choosing a range to scan, you should keep in mind that the average
radio communication is around 3-5 seconds. Set your scanner on its fastest
speed & limit scan a range that your scanner can cover in 3-5 seconds.

Each time you find a new frequency that seems to be used, program it into
your scanner for a couple of weeks & see if it's used often and is
interesting. You should usually set "delay" for police transmissions,
because often multiple people will be using the same channel & there will
be a pause after one person starts talking & before someone else responds.
The delay tells your scanner to wait on that frequency for a couple of
seconds before leaving to continue its scan.

- rotary

                                ******
                                *END**
                                ******

-========================================================================-
--======================================================================--
2.Exploiting weak password schemes with gdb --==========================--
Written By: phractal (phractal@teamphreak.net) --=======================--
Written For: NPANXX (www.teamphreak.net) --=============================--
Written On: 02/28/2002 --===============================================--
--======================================================================--
-========================================================================-

//precondition:
//This article works with a FreeBSD environment,
//so the asm gdb stuff may be a bit different if running on Linux or any
//other non-BSD Unix. phractal assumes general C and GDB knowledge of the
//reader, but I'm not a virtuoso at it, so feel free to mail me my
//mistakes or to school me more in the ways of ASM

Well, I know that one can do the same tasks which this blurb discusses
with a common hex editor, or even easier, use the strings program, but in
an effort to look leet, as well as learn about memory and stuff, I present
a way to do it with gdb. Eh, maybe you'll learn something.

Well, some of you may be asking what it is that I am going to school you
on. I am talking about very weak means of password protecting programs,
and how to use gdb to reverse engineer them and get the password.
I don't know of any programs that this would be of great use to, but hey,
it's a concept ;)

Let's start with some k0de:

/////////////////// pass.c //////////////////
---KUT------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main()
{
    char pass[20];

    printf("enter password \n");
    gets(pass);                    /* unbounded read; this is the gets call
                                      seen in the disassembly below */
    if(strcmp(pass,"boob"))        /* password kept as a plaintext literal */
    {
        printf("access denied \n");
        exit(0);
    }
    else
    {
        printf("access granted \n");
    }
    return 0;
}
------END KUT--------------

OK, now go ahead and compile this party:

$ gcc -o pass pass.c

Now test it out to make sure it werkz:

$./pass
enter password
boob
access granted
$

OK, cool, that worked. Let's try a wrong password:

$./pass
enter password
zzzz
access denied
$

Alright, everything is in order, OR SO IT MAY SEEM!!
Let's whip out good ol' gdb.

$ gdb pass
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...(no debugging symbols found)...
(gdb) disass main
Dump of assembler code for function main:
0x804854c <main>:       push   %ebp
0x804854d <main+1>:     mov    %esp,%ebp
0x804854f <main+3>:     sub    $0x28,%esp
0x8048552 <main+6>:     add    $0xfffffff4,%esp
0x8048555 <main+9>:     push   $0x80485fb
0x804855a <main+14>:    call   0x80483f0 <printf>     <<<--- [1]
0x804855f <main+19>:    add    $0x10,%esp
0x8048562 <main+22>:    add    $0xfffffff4,%esp
0x8048565 <main+25>:    lea    0xffffffec(%ebp),%eax
0x8048568 <main+28>:    push   %eax
0x8048569 <main+29>:    call   0x8048400 <gets>       <<<--- [2]
0x804856e <main+34>:    add    $0x10,%esp
0x8048571 <main+37>:    add    $0xfffffff8,%esp
0x8048574 <main+40>:    push   $0x804860d
0x8048579 <main+45>:    lea    0xffffffec(%ebp),%eax
0x804857c <main+48>:    push   %eax
0x804857d <main+49>:    call   0x8048410 <strcmp>     <<<--- [3]
0x8048582 <main+54>:    add    $0x10,%esp
0x8048585 <main+57>:    mov    %eax,%eax
0x8048587 <main+59>:    test   %eax,%eax
0x8048589 <main+61>:    je     0x80485ac <main+96>
0x804858b <main+63>:    add    $0xfffffff4,%esp
0x804858e <main+66>:    push   $0x8048612
0x8048593 <main+71>:    call   0x80483f0 <printf>
0x8048598 <main+76>:    add    $0x10,%esp
0x804859b <main+79>:    add    $0xfffffff4,%esp
0x804859e <main+82>:    push   $0x0
0x80485a0 <main+84>:    call   0x8048430 <exit>
0x80485a5 <main+89>:    add    $0x10,%esp
0x80485a8 <main+92>:    jmp    0x80485bc <main+112>
0x80485aa <main+94>:    mov    %esi,%esi
0x80485ac <main+96>:    add    $0xfffffff4,%esp
0x80485af <main+99>:    push   $0x8048622
0x80485b4 <main+104>:   call   0x80483f0 <printf>
0x80485b9 <main+109>:   add    $0x10,%esp
0x80485bc <main+112>:   xor    %eax,%eax
0x80485be <main+114>:   jmp    0x80485c0 <main+116>
0x80485c0 <main+116>:   leave
0x80485c1 <main+117>:   ret
0x80485c2 <main+118>:   nop
0x80485c3 <main+119>:   nop

[1] Whoa, that's a lot of information; it probably would have been a lot
less if my programming didn't suck so much. Let's examine the program,
first from personal experience. What was the first thing that we saw it
do? Of course, it asked us for the password to enter. Let's assume that at
memory address 0x804855a, the call to the <printf> function is when that
occurs in the program.
PS. We know that it is, but we're acting like we haven't seen the C
source. Pretend, use your imagination!

[2] OK, we enter in a string of text that will be analyzed to see if
indeed it IS the password set by the program to unlock itself and display
'access granted'. OK, now what could be accepting the string into memory?
Let's scroll up and look at the gdb ASM dump once again. Hey, there is a
call to the <gets> function. That looks like it, let's assume so.

[3] Now gets() hasn't analyzed the string, it has merely taken it in from
the user and placed it into a variable in memory. So, ONCE AGAIN, we turn
to the ASM dump and look some more. Hey, not that much farther down, we
see the <strcmp> function! That's definitely gotta be it, after all, it
compares strings. What are we comparing? Well, it would be a good guess to
assume that we are comparing something to the password to see if the
password is correct or not. The last two values pushed before that call
are its arguments: the address of our input buffer
(lea 0xffffffec(%ebp),%eax) and the constant address 0x804860d.

If we use gdb again

(gdb) x/4bc 0x804860d

we get the output

0x804860d <_fini+25>:   98 'b'  111 'o' 111 'o' 98 'b'

Recognize that? There's boob! The password!

Well, like I said, this was a fairly inefficient way to crack the common
un-encrypted password program, but think about how this could be applied
to a more complex situation, such as strings being compared to other
variables as well as other things. I don't care what you use this info
for, just make sure it isn't anything illegal.
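
Why the lookup above works, as an added example (not code from the original
article): the strcmp() literal sits byte-for-byte in the binary's read-only
data, so an address lookup or a strings-style scan recovers it, and the same
scan can be run as a pre-release check for embedded credentials. The byte
image is constructed to mirror the addresses in the disassembly (the pad byte
after the first string is an assumption), and string_at, scan_strings and
find_secret are hypothetical helper names.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Address pushed before the first printf call in the page's disassembly. */
#define RODATA_BASE 0x80485fbu

/* CONSTRUCTED read-only data. The string addresses match the operands in
 * the disassembly; the second NUL after the first string is an assumed
 * pad byte that makes the offsets line up. */
static const unsigned char rodata[] =
    "enter password \n\0\0"   /* 0x80485fb: first printf() argument   */
    "boob\0"                   /* 0x804860d: strcmp() operand          */
    "access denied \n\0"       /* 0x8048612: printf() on failure       */
    "access granted \n";       /* 0x8048622: printf() on success       */

struct hit { size_t off; size_t len; };

/* Same job as gdb's "x/s ADDR": map an address into the image and return
 * the string stored there, or NULL if ADDR is outside the image or the
 * bytes from ADDR onward are not NUL-terminated. */
static const char *string_at(uint32_t addr)
{
    if (addr < RODATA_BASE || addr - RODATA_BASE >= sizeof rodata)
        return NULL;
    size_t off = addr - RODATA_BASE;
    if (memchr(rodata + off, '\0', sizeof rodata - off) == NULL)
        return NULL;
    return (const char *)(rodata + off);
}

/* strings(1)-style scan: record every run of at least min_len printable
 * bytes (tab counts as printable, newline does not). Returns the number
 * of runs stored in out[], at most max_out. */
static size_t scan_strings(const unsigned char *buf, size_t len,
                           size_t min_len, struct hit *out, size_t max_out)
{
    size_t found = 0, start = 0;
    for (size_t i = 0; i <= len; i++) {
        int printable = i < len && (isprint(buf[i]) || buf[i] == '\t');
        if (printable)
            continue;
        if (i - start >= min_len && found < max_out) {
            out[found].off = start;
            out[found].len = i - start;
            found++;
        }
        start = i + 1;
    }
    return found;
}

/* Release check: offset of a known credential inside the image, or -1
 * when the literal is not present. */
static long find_secret(const unsigned char *buf, size_t len,
                        const char *secret)
{
    size_t n = strlen(secret);
    if (n == 0 || n > len)
        return -1;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, secret, n) == 0)
            return (long)i;
    return -1;
}

int main(void)
{
    struct hit hits[8];
    size_t n = scan_strings(rodata, sizeof rodata, 4, hits, 8);

    /* Every literal the program uses, with the address gdb would show. */
    for (size_t i = 0; i < n; i++)
        printf("0x%08x  %.*s\n", (unsigned)(RODATA_BASE + hits[i].off),
               (int)hits[i].len, (const char *)rodata + hits[i].off);

    /* The operand of "push $0x804860d" resolves straight to the password. */
    printf("x/s 0x804860d -> \"%s\"\n", string_at(0x804860d));

    long off = find_secret(rodata, sizeof rodata, "boob");
    if (off >= 0)
        printf("credential literal embedded at 0x%08x\n",
               (unsigned)(RODATA_BASE + (size_t)off));
    return 0;
}
```

A scan with a minimum run length of 4 reports the password here only because it is exactly four characters long; a shorter literal would be missed by the scan but not by the address lookup. Keeping the plaintext out of the binary, for example by comparing a salted, slow hash of the input against a stored digest, removes the literal that both techniques find.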

- phractal

                                *******
                                **END**
                                *******

-========================================================================-
--======================================================================--
3.The MeetingPlace Conference System --=================================--
Written By: bor (bor@teamphreak.net) --=================================--
Written For: NPANXX (www.teamphreak.net) --=============================--
Written On: 02/28/2002 --===============================================--
--======================================================================--
-========================================================================-

----------------------
Part One: Introduction
----------------------

Throughout time, I've been on a search of teleconference heaven. Of course
this place doesn't exist, and probably never will (except for some fun
that we had) and I'll have to be satisfied with a conference here and a
conference there. However, learning about the various conference systems
makes for something to read as time goes by. In my personal opinion, one
of the most interesting and complex conferencing systems is the
MeetingPlace Conferencing System by Latitude Communications.

WARNING: Just so that you know: MeetingPlace systems provide an INSANE
amount of information to the sysop about what is going on in his/her
system. If a decent sysop is running the MP system, they WILL notice that
you are/have been there. I don't advise that anyone go around setting up
conferences for a large amount of people unless you secure yourselves
first. Just use some common sense.

--------------------------------
Part Two: Background Information
--------------------------------

The MP system is more of an all-around communication system than a simple
conferencing system. The MP system is comprised of an internet front-end
for the system, as well as the conferencing system. Conferences are able
to be set up through a specified website where all dial-in numbers, pins
and descriptions, as well as previous/current/future conferences
scheduled, are listed.

The system is composed of multiple hardware components, all with a
separate job, working in harmony perfectly. All hardware is connected
through the user's LAN, and is configured to work with each other piece of
hardware. The software/hardware is all routed through the owner's PBX
system. The system can handle up to 120 ports simultaneously.

To set up a conference, the person simply needs to enter in their user ID
and password, and they are able to set up conferences, and in some cases,
if there are restrictions to guest viewings of confs, view
current/previous/future conferences and participants.

Unlike other conference systems, MeetingPlace is NOT controlled by the
phone company. It is a system which is bought by large corporations and
universities, which use it for student or faculty meetings through the
telephone. I guess you can kind of think of it as a PBX owned by a
corporation, however this is a conference service.

--------------------------------
Part Three: Conference Interface
--------------------------------

When you dial into the MeetingPlace system, you will hear a message that
says "Welcome To MeetingPlace..." and will list all of the following
options by number dialed:

1 - Attend A Meeting - When dialed you are given a prompt to enter a
    meeting ID, and enter your name. This is so that the participants
    already in the meeting can hear who is entering the conference.

2 - Access Your Profile - You will be asked to enter your profile number.
    If you have one of course, you'll be able to set up meetings, and
    other things, all depending on the user level that has been given to
    you by the sysop. Just so that you know, the default passcode for
    profiles is the same as the profile number. So, if you're lucky enough
    to find a working profile number, just try that first.
    The admin profile is usually 0002.

3 - Review Meeting Recordings/Notes - This option allows you to listen to
    previous meetings which may have been recorded.

9 - Hear an Overview of MeetingPlace functions - Obvious.

---------------------------------
Part Four: Finding A MeetingPlace
---------------------------------

Of course none of this information is any help to you unless you know of a
MeetingPlace system. Finding a system can be very easy, or very hard. Many
times the numbers used to access them are unlisted company lines. However
the web-interface can be found quite easily at times.

Some companies/universities are not intelligent enough to notice when
dangerous things like their MeetingPlace interface are published on the
web, so this leaves their system wide open. When they thought only faculty
had access to the system, ANYONE could virtually access the system.

One way that I have found systems is by typing "Welcome To MeetingPlace"
into various search engines. I know that it sounds quite lame, and easy,
but it actually works. You should be able to narrow out the actual systems
from the text files/other websites.

Many of the systems look quite the same, with a java interface and a menu
bar on the left side of the screen. The company logo is commonly in the
top frame, and all meeting information is viewed in the main right frame.
It is a very simplistic design.

How easy is it to find a MeetingPlace system? Well, just to let you know,
NASA's MeetingPlace system was wide open for quite a while. A few months
ago I sent them an e-mail warning them about this, and now it has been
closed. Although if you know the address, you can still view the
site...you just can't view meetings.

So, all in all, it just depends on how secure a certain
corporation/university has been with their system, and how much they plan
on keeping it a secret.
Remember, even if you don't find the MeetingPlace interface, you could
find a tutorial written by that company/university which has some needed
information on it. Read anything that you think could be useful.

---------------------
Part Five: Conclusion
---------------------

While the MeetingPlace system is by far the most advanced conferencing
system at this moment, it is also a gamble to play around with. Even
though it could be quite fun to screw around with, the sysop gets a ton of
information about what is going on in his system. You'd be best to secure
yourself so that he cannot tell who you are before you try any funny
stuff.

Remember, if you do something, you're screwing with a multi-million
corporation or university which can afford very high priced lawyers. If
they can afford a $30,000 conferencing system, then I'm sure lawyers are a
little higher on their list.

----------------------
Part Six: Useful Links
----------------------

Latitude Communications - http://www.latitude.com
MeetingPlace Homepage - http://www.meetingplace.net
Latitude MeetingPlace Teleconferencing (by 9x) -
http://packetstorm.decepticons.org/landline_telephony/miscellaneous/9x_lmpt.txt

                                *******
                                **END**
                                *******

-========================================================================-
--======================================================================--
4."Capacitance on Telephones and Cables" ---========================---
Written By: Mcphearson (parenomen@teamphreak.net) ----================----
Written For: NPANXX 004 (www.teamphreak.net) ----=====================----
Written On: 02/28/02 and stopped on 03/03/02 -----===================-----
------==============================================================------
-------============================================================-------

                        --===================--
                        -----------------------
                        ^^^Table of Contents^^^
                        -----------------------
                        --===================--

    1. Capacitance
    2. How does a capacitor work
    3. How capacitance was discovered
    4. Characteristics of Capacitors
    5. Why do they call a farad a farad
    6. Capacitance on a Telephone pair
    7. Basic rules to follow when dealing with capacitors

//1.Capacitance//

In this brand spanking new article by yours truly, mcphearson, I will
attempt to explain capacitance and how it has/had an effect on your
telephone cable. I will go over what it is, how it affects your cable, and
how we are able to measure the distance to an open fault. Capacitance is
always present on a cable, just like resistance. There is nothing you can
do to stop it. So cables are being made to lessen the negative effects
that it has. Capacitance reduces the level of the voice signal as it is
being broadcast along the conductor, and it lessens the high frequencies
of the signal more than the low frequencies.

//2.How the hell does a Capacitor work you ask?//

Well it's simple really, a capacitor is a device that stores an electrical
charge. For your tiny little minds to understand this complicated topic I
will break it down into simple terms. Let us compare it to filling a scuba
diver's air bottle before a dive. The air is pumped into a bottle by an
air compressor which supplies air at a certain pressure. When the air
bottle is empty the air flows quickly, but as the bottle fills up, the air
starts a back pressure and slowly the air flow is reduced until no more
air can be pushed into the bottle. The air valve is shut and the bottle is
disconnected from the compressor. The amount of air in the bottle depends
on the pressure of the supply: the more pressure you have, the more air
will be forced into the bottle. The second factor is the size of the
bottle. Ok, I know this will be a little hard for you guys to understand
but I'm going to run it by you anyways. The bigger the bottle, the more
air it will hold... did you understand that?! Well for your sake I hope
you did, if you didn't, you are a fucking retard and need to be beaten
with a large stick.
Anyways, back to me explaining how a capacitor works. This is similar to
the way in which a capacitor works because the capacitor has three main
parts (see figure 1.1): top and bottom plates, which are conductors with
an electrical connection, and a middle layer, an insulator that separates
the plates. When the voltage starts to run, one plate becomes positive and
the other negative. When the voltage across the capacitor equals the
voltage across the battery, the capacitor is charged to its maximum
capacity. This takes some time, and the meter in the circuit kicks until
the full charge is reached; it then comes back to the center point. This
is quite like the air pressure supplied to the diver's bottle.

[FIGURE 1.1 - Construction of a capacitor]

    ------------   Top layer      Conductor       \
    ============   Middle layer   Non conductor    |
    ------------   Bottom layer   Conductor       /

    RULE: The more voltage applied the greater the charge.

[---END OF FIGURE 1.1------------------------------]

[Figure 1.2 - circuit diagram: battery (POS/NEG) connected through two
 links to the capacitor, with a voltmeter/meter in the circuit]
[Figure 1.2, links removed - "Retains the charge"]
[---END OF FIGURE 1.2------------------------------]

[Figure 1.3 - circuit diagram: "Discharging the capacitor", meter kicking
 the other way]
[---END OF FIGURE 1.3------------------------------]

If the links are removed (seen in figure 1.2), the capacitor will keep its
negative charge. If a link is added to connect the positive and negative
plates, the capacitor will discharge until the voltage on the plates is
the same (Figure 1.3). If that is the case, the meter will kick to the
left as the capacitor discharges. This kick is like the kick seen on an
ohmmeter when it is connected to a telephone pair or when the reverse
switch is thrown.

//3.How capacitance was discovered//

In 1746, Professor Musschenbroek put some liquid into a Leyden jar and put
a cork in it containing a wire. He applied a high voltage to the wire to
see if the charge could be retained. Next, he picked up the Leyden jar
with one hand and tapped the wire with his other hand (see figure 1.4).
Then he received a great shock and later stated that it felt like he was
being shocked by lightning. After that he defined the method of storing
electricity in a capacitor.

[---------------------------Figure 1.4----------------------------------]
[Scene 1: the professor holding the Leyden jar with its wire.
 Scene 2: Professor Musschenbroek knocked out.]
[------------------------END OF FIGURE 1.4------------------------------]

//4.Characteristics of Capacitors//

Now that you have a grasp of what a capacitor is and what it does, I will
go on to explain what the characteristics of a capacitor are. The first
characteristic would be that the size of the charge depends on the size of
the two plates. The bigger the plate the greater the charge, just as a
larger air tank can store more air. The space between the plates is very
important. The closer the plates are, the more the capacitor can store.
The amount the capacitor can store also depends on the insulator between
the plates. If two plates were separated by air they would have a factor
of 1; if they were separated by paper they would have a factor of 2.2, so
a capacitor with a paper insulator would store 2.2 times the charge.
Ceramic materials have factors six to seven times more than air, and
titanium oxide increases the capacitance by a factor of 100. The unit we
measure capacitance in is "Farads" but in actuality this unit is too big.
One farad would be as big as bor's mom's ass (a house) and could kill a herd of elephants! So we use a unit one millionth this size, the microfarad (uF). If a uF is too big for what you need you would use a picofarad (pF), which is one thousand times smaller.

//5.Why do they call a farad a farad//

They named the farad after Michael Faraday. Mr. Faraday lived from 1791 to 1867. He was an English scientist and received little formal education. He learned a lot of his scientific knowledge from reading and attending lectures by Sir Humphry Davy. In 1833, he became a Fullerian professor of chemistry at the Royal Institution. He turned down knighthood and the presidency of the Royal Society. His experiments came to be some of the most significant principles and inventions in scientific history. He came up with the first dynamo (in the form of a copper disk rotated between the poles of a permanent magnet). From his discoveries of electromagnetic induction, he stemmed a vast development of electrical machinery for industry. In the year of 1825, Faraday discovered the compound benzene. And he did research on electrolysis; this led to Faraday's law.

Faraday's law states "That the number of moles of substance produced at an electrode during electrolysis is directly proportional to the number of moles of electrons transferred at that electrode. The law is named for Michael Faraday, who formulated it in 1834. The amount of electric charge carried by one mole of electrons (6.02 x 10^23 electrons) is called the faraday and is equal to 96,500 coulombs. The number of faradays required to produce one mole of substance at an electrode depends upon the way in which the substance is oxidized or reduced (see oxidation and reduction).
For example, in the electrolysis of molten sodium chloride, NaCl, one faraday, or one mole, of electrons is transferred at the cathode to one mole of sodium ions, Na+, to form one mole of sodium atoms, Na, while in the electrolysis of molten magnesium chloride, MgCl2, two faradays of electrons must be transferred at the cathode to reduce one mole of magnesium ions, Mg+2, to one mole of magnesium atoms, Mg." (This information was taken from some website I found on askjeeves.com)

//6.Capacitance on a Telephone pair//

In my illustrations, I have only given you the example that capacitors are always sandwich shaped. This is not true; it does not matter what shape the capacitor is in. As long as there are two plates separated by some form of insulation, there will be capacitance. One of the more common shapes of capacitors is the rolled up kind that you can put into a condenser tube in a car engine. Telephone conductors act as capacitor plates when a voltage is being applied, and they charge up in the same way as capacitors. The capacitor charge is distributed evenly along the length of the conductor. The larger the plate area the greater the capacitor, so the larger the conductor gauge, the greater the capacitance on the pair. But I have also told you that the greater the distance between the plates, the less capacitance. So large conductors are made with thicker insulation to keep the capacitance the same. Oh, by the way, capacitance is not affected by temperature; this is not true for resistance though.

//7.Basic rules to follow when dealing with capacitors//

1. The higher the voltage applied, the greater the charge.
2. Be sure to measure in microfarads or picofarads, not farads.
3. Temperature doesn't have an effect on capacitance.
4. Temperature does have an effect on resistance.
5. Cable capacitance depends on the length of the cable.
*******
**END**
*******

-========================================================================-
--======================================================================--
5.Telesystems load balancing by magnetic resonance ---=================---
Written By: TrunkLord (trunklord@teamphreak.net) ----=================----
Written For: NPANXX 004 (www.teamphreak.net) ----=====================----
Written On: 03/02/02 and stopped on 03/03/02 -----====================-----
------==============================================================------
-------============================================================-------

Table of Contents
I.   Load Balancing
II.  How to get RID of the MRLBS
III. Formulas

This article written in accordance with the TeamPhreak rules and regulations. Failure to notify the author before modifications take place within the document will automatically void the integrity of the information listed. This information is not to be held, or used by general public. Only BELL and VERIZON authorized associates should acknowledge this information to exist. Use of this material may result in imprisonment or fines up to $25,000. This information is for educational purposes only; please do not attempt anything in this article.

//I.Load Balancing//

The MR Load Balancing System, which is a PCI card that fits into slots 23A, 23B, 23C, 23D, and 23Z of the DMS 500 switching system, automatically integrates or removes part of a trunk group based on number of participating customers. As you may know, voltage creates magnetic fields. The MRLBS (MR load balancing system) automatically reads these fields to ensure equal channel bandwidth is being distributed to each subscriber. One thing you have to know about the DMS 500 system is that since it is a relatively new system, late 1999, it is almost 100% computer based, somewhat like the DMS-250A. However, Bell had its best idea yet.
Why not integrate a computerized system with an electromechanical system so that, besides being more stable, it's also secure. Bad Idea. If the MRLBS, which is shipped with the DMS 500 trunk accessory pack, is not installed before operating, the DMS-500 system can be reduced to a flashing, buzzing, whirring piece of metal with no real value. Here's why. When you initiate a call, you are reversing voltage in your telephone; this creates a small field within your trunk, which is connected directly to a PCI card in the DMS 500. Now, we can measure magnetic fields in ppmps, which is Particle Potential to Move (per second). One subscriber, using a regular band to initiate a call, creates 20PMPS, which is about the strength of a refrigerator magnet. Imagine 10,000 subscribers initiating calls. And what's worse is that it's about 40 to 55PMPS when someone RECEIVES a call! The MRLBS equally distributes this field, and almost rhythmically converts this magnetivity into electricity and discards it, back into the dry cell it is connected to.

//II.How to get RID of the MRLBS//

WARNING: DAMAGING A 14 MILLION DOLLAR PIECE OF EQUIPMENT CAN BE DANGEROUS TO YOURSELF. BE CAREFUL. DO NOT DO THIS.

You can easily bump the MRLBS offline and cause a fire at your local CO, since the software does not automatically detect a failure on this bus breaker. Simply disconnect your telephone, place the RING wire around the TIP wire. Now connect this to one end of a STSP (single throw, single pole aka a light switch) switch, connect the other to the NEGATIVE end of a wall socket (left prong). YOU WILL NOT BE ELECTROCUTED. Flip the switch. You have just injected raw magnetivity, which is opposite to the receiving end of the MRLBS, and this signals it to go into DISPOSAL mode. In this mode, it turns off while spare electricity trickles out and is dispersed. You cannot create nor destroy energy.
//III.Formulas//

Load Balancer Algorithm:

NU/NP*NB/NC = LPL
LPL*CC/20 = RB
RB*IB = TL
TL/60*NU = LOAD TO BALANCE or LTB.

NU = Number of Users
NP = Number of Ports
NB = Number of Balancers
NC = Number of Channels
LPL = Load per Line
CC = Channel Capacity
RB = Receive Balance
IB = Initiative Balance
TL = TOTAL LOAD.
NU = Neutral Users (on hook)

*******
**END**
*******

-========================================================================-
--======================================================================--
6.Breaking into VMBS ---===============================================---
Written By: ic0n (ic0n@phreaker.net) ----=============================----
Submitted For: NPANXX 004 (www.teamphreak.net) ----===================----
Written On: XX/XX/XX ----=============================================----
------==============================================================------
-------============================================================-------

Intro:
Voicemail can be used for many useful things to the phreak. I'm not going to get into that. I'm only going to explain how to hack many different types of systems. I know there are about 10 other systems that I didn't talk about at all in here. But all the information in this article will help you get many voicemail boxes, and just remember it's all pretty much common sense. With that said let's begin.

Finding a system:
There are so many voicemail systems today it's not even funny. The best way to find a system or a direct dial box is to find them by scanning toll free numbers. About half of the systems will tell you that it's a voicemail system by saying 'welcome to the blank voicemail system' or they will ask for an ext. number. Make sure you note everything you find while scanning; you may find something really cool and not even know about it.
After you finish your scan, go back and find out what vms (voicemail systems) you have found. The best way to see if they're systems is, after you dial up, hit * (star) or # (pound), and if they are a vms they may give you a login prompt.

Here's a list of how to get a login prompt on most of the vms:
Audix: *8
Octel/Aspen: # sometimes * #
Meridian: *81
Message Center: *
Phone Mail: none, it just asks for your pass code
Partner Mail: *8
On some direct voicemail boxes: 0
Most Common On Direct Dial boxes: # (pound) or * (star)

Default Pass codes:
On 2 digit systems 9999,1234
On 3 digit systems 1234,9999,box number,999,123,000,111,222,333,444,555,666,777,888,
On 4 digit systems 1234,9999,box number,box number backwards,0000,1111,2222,3333,4444,5555,6666,7777, and 8888
On 7 digit boxes 1234,9999,1234567,9999999,box number, last 4 digits of box number,0000
On 10 digit boxes 1234,9999,9999999999,0123456789,1234567890,box number,0000

Admin Boxes:
Admin boxes are the coolest thing ever since sliced bread. It's pretty much the box that runs the whole system. On some systems you can create and delete boxes and login to a box without even knowing the code. I also was told on some systems that there is no admin box, like these systems (Audix and Meridian). Other than them two systems I have found and hacked or talked to some fellow who hacked an admin box on all the other types of systems. One more thing: never ever change the code on these boxes.

Some Default Places For Admin Boxes: 1000,9999,9000,1111,1234,5000

Hacking 2 digit Boxes:
Systems that I've seen that used this layout: (Partner Mail)
Now as you might have guessed this system is so easy to hack a box on. The 1st few boxes I tell you to try will almost get you at least one box. 99, if that box does not work try 10 and 00. If for some reason these boxes were not valid try 20,30,40 and so on and 05,15,25 and so on; with this done you have a good layout on the system.
and try the basic default pass codes and you should have at least one box.

Hacking 3 Digit Boxes:
Systems that I've seen that used this layout: (audix,octel,aspen,cheap companies)
Most older and cheaper systems have this type of layout and it really is quite easy to find more boxes than on any other system. The first few boxes I try are x00,999,888,777 and so on. Chances are very good to find more than 5 boxes this way but only 1 or 2 may be hackable or no longer in use with the user.

Hacking 4 Digit Boxes:
Systems that I've seen that used this layout: (Audix,Octel,Aspen,Meridian,Message Center,Phone Mail and cheap companies)
This is the most popular layout and almost every system has over 30 boxes that have the temp code still in place. Which makes getting the box very easy. Like in all the other systems I try 9999,1000,x000,1111,2222,3333 and so on. Also it would be a good idea to scan like 1100,1200,1300 also because some systems try to fool you (which never works).

Hacking 7 digit boxes:
Systems that I've seen that used this layout: (octel,local systems,Message Center)
Now most of the time you come across a system like this the boxes are someone's fone number minus the area code, and or a greedy fone company. Here's the first pick of boxes to try: 9999999,9999998,1000000,2000000, and so on. Systems with boxes this long most of the time have a direct dial feature, which means you have a direct number to your voicemail box.

Hacking 10 Digit Boxes:
Systems that I've seen that used this layout: (octel,verizon,ameritech,bell canada,bell south, and many other long distance voicemail systems)
Now you're thinking no way or something, but getting boxes on here is quite simple if you have the time on your hands. But try the fone number you dialed to get the system; this box should be valid and the admin box. If not it will be the outgoing greeting box, which is also cool to be able to do.
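Seen from the administrator's side, the default pass codes, temp codes and default admin box locations listed above are what a voicemail system should refuse when a code is set and what a sweep of existing boxes should flag. The following is an added example, not part of ic0n's article: the function names, the 6-digit minimum and the mailbox records are assumptions constructed for illustration.

```python
"""Audit voicemail pass codes against the weak patterns the article lists.

Added example: names, the 6-digit minimum and the sample records are
assumptions made for illustration, not taken from any voicemail product.
"""

ASCENDING = "01234567890"  # contains 123, 1234, 1234567, 0123456789, 1234567890
WELL_KNOWN_ADMIN_BOXES = {"1000", "9999", "9000", "1111", "1234", "5000"}


def weak_pin_reasons(box, pin, min_len=6):
    """Return every reason `pin` should be rejected for mailbox `box`.

    Meant to run where the cleartext code is available (when the user sets
    it), since a system should not keep pass codes in cleartext.
    """
    if not pin:
        return ["no pass code set"]
    if not pin.isdigit():
        return ["pass code must be digits only"]
    reasons = []
    if len(pin) < min_len:
        reasons.append(f"shorter than {min_len} digits")
    if len(set(pin)) == 1:                      # 0000, 1111, 9999999999 ...
        reasons.append("single repeated digit")
    if len(pin) >= 3 and pin in ASCENDING:      # 1234, 1234567, 0123456789 ...
        reasons.append("ascending run")
    if pin == box:
        reasons.append("same as box number")
    elif pin == box[::-1]:
        reasons.append("box number backwards")
    if len(box) > len(pin) >= 4 and box.endswith(pin):
        reasons.append("trailing digits of box number")
    return reasons


def audit_mailboxes(mailboxes, min_len=6):
    """Map each failing box number to its findings; clean boxes are omitted."""
    findings = {}
    for box, rec in mailboxes.items():
        reasons = weak_pin_reasons(box, rec.get("pin", ""), min_len)
        if not rec.get("pin_changed", False):
            reasons.append("temp code never changed by user")
        if rec.get("admin") and box in WELL_KNOWN_ADMIN_BOXES:
            reasons.append("admin box at a well-known number")
        if reasons:
            findings[box] = reasons
    return findings


# Constructed records for the demonstration, not real mailboxes.
SAMPLE_MAILBOXES = {
    "4417": {"pin": "4417", "pin_changed": False},
    "4418": {"pin": "8144", "pin_changed": True},
    "5550142": {"pin": "0142", "pin_changed": True},
    "9999": {"pin": "730518", "pin_changed": True, "admin": True},
    "2206": {"pin": "", "pin_changed": False},
    "3050": {"pin": "905172", "pin_changed": True},
}

if __name__ == "__main__":
    for box, reasons in sorted(audit_mailboxes(SAMPLE_MAILBOXES).items()):
        print(f"box {box}: " + "; ".join(reasons))
```

Pattern checks like these only cover the codes a caller would try first; a limit on failed login attempts with lockout is still needed for everything else.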
Other k d45h r4d voicemail hacking tricks and stuff:

Audix- When you dial up an Audix vms and hit * (star) 8 it tells you how many digits the boxes are. Also I've noticed that no box ever starts with a 1.

Octel- When scanning for boxes this trick will help you. This works on all layouts also, but you enter all the digits but the last one and wait; if an error message starts playing you know there's no boxes in that 10 number range.

Message Center- The 1st time a box has been logged in to there is no password.

Some VoiceMail Systems Dial in Numbers:
1-800-317-6245 Message Center
1-800-232-3472 Audix type 1
1-800-222-6245 Audix type 2
1-800-574-6245 Meridian
1-877-447-6245 Fone Mail
1-800-954-6245 Octel 6 Digit boxes

Company's VoiceMail Systems
1-800-408-6245 3 digit boxes
1-800-366-76245
1-800-631-3400 box 998 code 998

    _      ____
   (_)____/ __ \____
  / / ___/ / / / __ \
 / / /__/ /_/ / / / /
/_/\___/\____/_/ /_/

-========================================================================-
--======================================================================--
7.WOE-DATA FLOW DIAGRAM ---============================================---
Contributed By: Phractal (phractal@teamphreak.net) ----===============----
Contributed For: NPANXX 004 (www.teamphreak.net) ----=================----
Trashed On: xx/xx/xx -----===========================================-----
------==============================================================------
-------============================================================-------

[WOE data flow diagram - ASCII art flattened in this copy. Boxes legible in this part: Net Provider/Network, Open Server, Alpha1-NCC, Conversion scripts for r1 accounts, Oracle Order Entry, Oracle Fin, CAM, Invoices (Cingular Wireless, BSWD, BSC), BP]
[WOE data flow diagram, continued - boxes legible in this part: Hardware only conversion scripts, database, TIBCO Processes, Arbor BP billing Process, OM database, Arbor updater, IPS Usage Logs, TIBCO Adaptor, Monet (WOE Database: Fidelity, Generic WOE, Enterprise, AOL, Cingular Wireless, BSWD, BSC), IPS Gateway, IPS Manager, silverstream server, AOL File, Millennium Reports (SSO), WOE interface (fidelity, Cingular Wireless, Generic WOE, WOE enterprise, BSC, BSWD)]

*******
**END**
*******

[ASCII-art banner: 0wned! / THE EVIL EMPIRE]

<==$Phractal$==>

Teamphreak toll free information hotline/msg center is now OPEN.
The number is: 1-866-248-7671 ext: 3974

Special Thanks to our good friends at .............

http://9x.tc
http://f41th.com
http://phonelosers.org/.net
http://blacksun.box.sk
http://verizonfears.com
http://undergroundnewsnetwork.com
http://ghettosoldier.com
http://ppchq.org

Proud Supporters of the .....

[ASCII-art banner]
http://UndergroundNewsNetwork.com