NPANXX 005 - Team Phreak
Volume 2 Issue 1 - 05/28/2002
"Null and Void"

:::::::::::::::::::::::TABLE OF CONTENTS::::::::::::::::::::::::::::

   Introduction and Updates.

   1. DSS Card Programming and Opcodes for programming...bikr
   2. Wireless Beige boxing..............................captain_b
   3. Hiding Running Services from Portscanners Part I...phractal
   4. A taste of "their" own medicine....................bor
   5. VERIZON TELECONFERENCING...........................ic0n
   6. Care for your SecurID card.........................Bryan

   Links and Advertisement (see end of issue)

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

-Staff Emails-

   bor                         bor@teamphreak.net
   mcphearson                  parenomen@teamphreak.net
   phractal                    phractal@teamphreak.net
   stain                       stain@teamphreak.net
   Article submission          articles@teamphreak.net
   To email the entire staff   staff@teamphreak.net

   By the way, if there is some dying need to get in touch with us and it
   can't wait, you may do so by phone. You can call the teamphreak toll free
   information hotline/msg center at 1-866-248-7671 ext: 3974. After you
   enter the pin you must wait a little bit before it will connect. Also,
   there is no # at the end of that pin.

-Shout Outs-

   bikr      wildsmile   zylone    Captain_B
   vap0r     lynx        b4b0      1337secuirty
   gizmo     ic0n        awnex     goodbyte
   rotary    deadcode    janus     bryan
   lucky225  setient     ppchq
   iluffu    overlord    ddrp      tek250

-Note from editor-

   Team Phreak contributes to the scene. We write our own articles and do
   not rely heavily on outside sources for our issues, unlike some other
   groups (unless otherwise noted). We may use other materials for news
   articles or for research purposes to verify that what we type is fact,
   but we guarantee that all articles are written by us and anyone who
   wishes to contribute original texts.

   Also please come and visit us on irc at irc.teamphreak.net or
   irc.phelons.org and join us on the world wide web at www.teamphreak.net

   EFnet #TEAMPHREAK - www.teamphreak.net

-Introduction-

   Team Phreak's here, kicking it in summer 2002. Summer is always a
   treasured time for phreaks and hackers alike, as it is usually the end of
   school, temporarily. Summer means more free time, more free time to try
   and find that format string overflow, seize that trunk, go on that 3 week
   long conf, or better yet, attend an actual physical hacker conference.
   Anyway, enjoy the issue.

   - phractal (phractal@teamphreak.net)

-Team Phreak Updates-

   - [03/02/02] - Listed on www.ppchq.org
   - [03/10/02] - New Npa-nxx Layout!!!
   - [03/22/02] - New site layout up!!
- END -

__________________________________________________________________________
-========================================================================-
--======================================================================--
1."DSS Card Programming and Opcodes for programming" ---===============---
Written By: bikr (bikr@bikr.net) ----=================================----
Written For: NPANXX 005 (www.teamphreak.net) ----=====================----
Written On: 04/xx/02 -----===========================================-----
------==============================================================------
-------============================================================-------

Part one will explain what DSS is and how it works, and part two will have
the opcodes for programming DSS.

/ PART ONE /

Yo. What's up, I'm writing this for my boy Bor.. He's the shit and has helped
me out many times so, when he asked me to write an article I said no prob..
Anyways.. If you haven't read the title of the article then you don't know
what it's about, so look up at the writing in between the *'s up top.. Go
ahead, I'll wait......... Got it? Good.. now you're filled in..

Ok, to understand how to work with satellite piracy, you must understand
what's going on.. Take this schematic to heart as it is the heart and soul of
what we are messing with...

   -----
   |Direc| --- Satellite ---- dish ---- house -- receiver -- ird - card
   |_TV__|

Ok.. I started to draw it and I got bored so I just typed it.. Basically
Direc-tv sends their signal up to a satellite and the satellite just rains
down the signal 24 hours a day.. Any dish that points in the right direction
can pick up the signal. Once the signal hits the dish it travels via coaxial
cable to the receiver. The receiver is basically a box between two cables
with a break in it..

   -----signal---- BREAK ----signal----

Now.. the box is what determines if you are allowed to view what's being
sent, and interrupts it accordingly.. To do this, it uses a smartcard
programmed with which channels you are allowed to view etc.. That is why your
receiver stays plugged into the phone line.. So a lot of people are
thinking.. Hey, call up, order service, then unplug the phone line and cancel
subscription, right? *beep* Wrong.. Ok.. here's what they do when you
cancel.. They'll put a signal on the stream that has your card's serial
number on it and it'll basically tell the receiver to format your card..

Now.. in the past cards were duped, and eventually decompiled and we figured
out how they worked.. Started a BIG scene of piracy and then Dave - Directv
said.. Nope sorry, and sent down an ECM that attacked all non-subscribed
cards and cleared the boot load sector of the cards.. The only way to fix
this was to get a new card.. Until someone figured out a way to bypass the
boot loader and boot from a separate device.. "Boot Strap Loader" if you had
a "black sunday" <-- called that because the ECM happened on a Sunday and
everyone's screen went black.. Anyway if you had a black sunday card and a
bootstrap loader you could again watch TV!! Yay!!!! Well.. guess what..
eventually Dave started issuing new cards.. aka Football player cards.. They
have a picture of a football player on the front.. Another name for the new
cards is "HU Card"; that name came from the letters in front of the card's
serial number ex.. HU-123423--234234 etc.. The old cards were called H
cards.. They have a picture of a satellite on the front. These new cards have
presented a larger challenge to break through due to heavier encryption,
although eventually someone did it.. And TV on the new cards was free too..
The H cards never really died out though.. Direc-tv left the H stream and the
HU stream on at the same time so as not to disrupt the H card subscribers..

Recently Dave has said that they are sending all subscribers the newer card
to replace the H card.. If you have an H card and don't send it back it'll be
useless within a month, they say.. So in this discussion we'll concentrate
solely on HU cards.. aka football player cards..

Let's think about what happens.. You put your card in the receiver, it says
ok what channel is bikr on? Channel 595 <-- porno.. It checks the card to
see, hmm.. is bikr allowed to watch porno? Now if you ask Prin <-- bikr's
fiance.. the answer is no, but if you ask bikr's HU card.. the answer is
yes.. I know what you're saying, but how do I get porn on mine Bikr how how
how.. Ok slow down.. It's not too hard to get into, but if you wanna keep
your card from getting knocked down by Dave you'll have to study hard..

Here is a list of things I suggest you purchase or acquire....

1. Extra cards
   Cards get looped and as of right now, there is no fix for a looped HU
   card.. Loop basically means that the boot loader tells the card to jump
   to a certain register, for example register a1, then the a1 register has
   the code to revert back to the bootloader.. AKA Loop.. Alrighty.. let's
   go on..

2. HU Loader
   This is a necessity, it's a box you plug into your computer, it is the
   card programmer, you insert your card in and then run a lil program and
   boom, your card is loaded..

3. Private HU Script
   These are hard to come by. Why, you ask? Well cuz they are private,
   stupid.. Best bet? Learn low level assembly and make your own.. I'll
   discuss this later..

4. Extra cards
   I can't stress this enough. You are going to ruin a few cards if you
   write your own scripts. And if you're letting someone else write them,
   then get twice as many cards cuz they are gonna get shot down a lot..
   Never throw them out though, eventually unlooping will be possible and
   this is when you will make mad cheddar selling your unlooped old cards..

OK now that you have the stuff needed we can start..

Once you get your HU loader installed you'll want to grab an app called
"Extreme HU"; the newest version is 2.0.. Lots of good stuff, check it out..
Once you have that installed, grab the latest script floating around from
www.dssware.com. Make sure you grab a HU script and not an H cuz that'd be
bad.. <-- insert new card here.. Anyways.. If you have your HU script, put
the card into the loader and hit in huextreme.. This will wipe the current
krap off the card and get it ready to be loaded.. Now you want to click the
button up top that says HEX and use extreme hex file.. Then just browse and
find the file.. Once you find it, go through the popups and check marks and
fill in the stuff custom to you, ie.. time zone etc.. Once you're done hit ok
and it'll write the card with the program.. If this worked properly you can
take the card out, put it in your receiver and watch TV..

Most likely if it worked your card will get zapped within a day or 2.. Sux
eh?? Well that's what you get for putting a script on your card from a
website Directv visits daily and grabs fixes so they can zap them.. Makes you
wish you made your own eh?? Well if you know hex and assembly it's pretty
simple to make your own script.. Just grab someone else's and fix the jump
points to work against the current hash.. You can find a detail of the
current hash at www.pirateden.com; just read the hash, it's all assembly..
The opcode list to what the hash is doing has been given to Bor.. I'm sure
he posted it somewhere on the site by now. Find it.. =)... Once you see what
jump points are being attacked, just set your script up to jump to a
different register than the ones being hacked and you're golden..

There is another way to get around this and not have to write your own
script.. But it requires you to re-program your card every 2-4 days... It's
called activation; you can find activation scripts all over the place.
You basically write this script to your card and it pretends that you're a
new customer previewing prorated channels.. Eventually though the channels
start falling off the tiers.. And you'll slowly lose all channels.. Another
shitty thing is you have to use your remote to "purchase" the pay-per-views,
and the card will only let you do 20 before you have to use the toilet paper
icon in HU-extreme to "wipe the ppv log" on your card.. Just remember every
time you write to your card.. you risk looping it cuz if the glitch point
from the programmer hits a bad spot on the card, boom, done.. =)

Hope this has been knowledgeable; I'd write more but my wrists hurt.. So
enjoy and I'll think about sending another one to Bor for next issue..

--Bikr
www.bikr.net

/ PART TWO /

TMS370-P3 Opcodes Quick Reference by aol6945 v1.0

Op  B Mnemonic          | Op  B Mnemonic          | Op  B Mnemonic            | Op  B Mnemonic
------------------------+-------------------------+---------------------------+------------------------
00h 2 JMP ra8           | 40h 4 MOV Rd,&ad16      | 80h 2 MOV Ps,A            | C0h 1 MOV A,B
01h 2 JN ra8            | 41h - ----              | 81h - ----                | C1h - ----
02h 2 JZ ra8            | 42h 3 MOV Rs,Rd         | 82h - ----                | C2h 1 SWAP B
03h 2 JC ra8            | 43h 3 XOR Rs,Rd         | 83h 2 AND A,Pd            | C3h 1 INC B
04h 2 JP ra8            | 44h 3 OR Rs,Rd          | 84h 2 OR A,Pd             | C4h 1 POP B
05h 2 JPZ ra8           | 45h 3 AND Rs,Rd         | 85h 2 XOR A,Pd            | C5h 1 CLR B
06h 2 JNZ ra8           | 46h 4 BTJO Rs,Rd,ra8    | 86h 3 BTJO A,Pd,ra8       | C6h 1 TST B / XCHB B
07h 2 JNC ra8           | 47h 4 BTJZ Rs,Rd,ra8    | 87h 3 BTJZ A,Pd,ra8       | C7h 1 DEC B
08h 2 JV ra8            | 48h 3 SBB Rs,Rd         | 88h 4 MOVW #im16,Rpd      | C8h 1 PUSH B
09h 2 JL ra8            | 49h 3 ADC Rs,Rd         | 89h 3 JMPL ra16           | C9h 1 INV B
0Ah 2 JLE ra8           | 4Ah 3 MPY Rs,Rd         | 8Ah 3 MOV &ad16,A         | CAh 2 DJNZ B,ra8
0Bh 2 JHS ra8           | 4Bh 3 ADD Rs,Rd         | 8Bh 3 MOV A,&ad16         | CBh 1 COMPL B
0Ch 2 JNV ra8           | 4Ch 3 SUB Rs,Rd         | 8Ch 3 BR ad16             | CCh 1 RR B
0Dh 2 JGE ra8           | 4Dh 3 CMP Rs,Rd         | 8Dh 3 CMP &ad16,A         | CDh 1 RRC B
0Eh 2 JG ra8            | 4Eh - ----              | 8Eh 3 CALL ad16           | CEh 1 RL B
0Fh 2 JLO ra8           | 4Fh - ----              | 8Fh 3 CALLR ra16          | CFh 1 RLC B
10h - ----              | 50h - ----              | 90h - ----                | D0h 2 MOV A,Rd
11h - ----              | 51h 2 MOV B,Pd          | 91h 2 MOV Ps,B            | D1h 2 MOV B,Rd
12h 2 MOV Rs,A          | 52h 2 MOV #im8,B        | 92h 2 SETRK Rs            | D2h 2 SWAP Rn
13h 2 XOR Rs,A          | 53h 2 XOR #im8,B        | 93h 2 AND B,Pd            | D3h 2 INC Rn
14h 2 OR Rs,A           | 54h 2 OR #im8,B         | 94h 2 OR B,Pd             | D4h 2 POP Rn
15h 2 AND Rs,A          | 55h 2 AND #im8,B        | 95h 2 XOR B,Pd            | D5h 2 CLR Rd
16h 3 BTJO Rs,A,ra8     | 56h 3 BTJO #im8,B,ra8   | 96h 3 BTJO B,Pd,ra8       | D6h 2 XCHB Rn
17h 3 BTJZ Rs,A,ra8     | 57h 3 BTJZ #im8,B,ra8   | 97h 3 BTJZ B,Pd,ra8       | D7h 2 DEC Rn
18h 2 SBB Rs,A          | 58h 2 SBB #im8,B        | 98h 3 MOVW Rps,Rpd        | D8h 2 PUSH Rs
19h 2 ADC Rs,A          | 59h 2 ADC #im8,B        | 99h 2 JMPL *Rpd           | D9h 2 INV Rn
1Ah 2 MPY Rs,A          | 5Ah 2 MPY #im8,B        | 9Ah 2 MOV *Rps,A          | DAh 3 DJNZ Rn,ra8
1Bh 2 ADD Rs,A          | 5Bh 2 ADD #im8,B        | 9Bh 2 MOV A,*Rpd          | DBh 2 COMPL Rn
1Ch 2 SUB Rs,A          | 5Ch 2 SUB #im8,B        | 9Ch 2 BR *Rpd             | DCh 2 RR Rn
1Dh 2 CMP Rs,A          | 5Dh 2 CMP #im8,B        | 9Dh 2 CMP *Rps,A          | DDh 2 RRC Rn
1Eh - ----              | 5Eh - ----              | 9Eh 2 CALL *Rpd           | DEh 2 RL Rn
1Fh - ----              | 5Fh - ----              | 9Fh 2 CALLR *Rpd          | DFh 2 RLC Rn
20h - ----              | 60h - ----              | A0h - ----                | E0h 1 TRAP 15
21h 2 MOV A,Pd          | 61h - ----              | A1h - ----                | E1h 1 TRAP 14
22h 2 MOV #im8,A        | 62h 1 MOV B,A           | A2h 3 MOV Ps,Rd           | E2h 1 TRAP 13
23h 2 XOR #im8,A        | 63h 1 XOR B,A           | A3h 3 AND #im8,Pd         | E3h 1 TRAP 12
24h 2 OR #im8,A         | 64h 1 OR B,A            | A4h 3 OR #im8,Pd          | E4h 1 TRAP 11
25h 2 AND #im8,A        | 65h 1 AND B,A           | A5h 3 XOR #im8,Pd         | E5h 1 TRAP 10
26h 3 BTJO #im8,A,ra8   | 66h 2 BTJO B,A,ra8      | A6h 4 BTJO #im8,Pd,ra8    | E6h 1 TRAP 9
27h 3 BTJZ #im8,A,ra8   | 67h 2 BTJZ B,A,ra8      | A7h 4 BTJZ #im8,Pd,ra8    | E7h 1 TRAP 8
28h 2 SBB #im8,A        | 68h 1 SBB B,A           | A8h 4 MOVW #im16[B],Rpd   | E8h 1 TRAP 7
29h 2 ADC #im8,A        | 69h 1 ADC B,A           | A9h 3 JMPL *ra16[B]       | E9h 1 TRAP 6
2Ah 2 MPY #im8,A        | 6Ah 1 MPY B,A           | AAh 3 MOV *ad16[B],A      | EAh 1 TRAP 5
2Bh 2 ADD #im8,A        | 6Bh 1 ADD B,A           | ABh 3 MOV A,*ad16[B]      | EBh 1 TRAP 4
2Ch 2 SUB #im8,A        | 6Ch 1 SUB B,A           | ACh 3 BR *ad16[B]         | ECh 1 TRAP 3
2Dh 2 CMP #im8,A        | 6Dh 1 CMP B,A           | ADh 3 CMP *ad16[B],A      | EDh 1 TRAP 2
2Eh - ----              | 6Eh - ----              | AEh 3 CALL *ad16[B]       | EEh 1 TRAP 1
2Fh - ----              | 6Fh - ----              | AFh 3 CALLR *ra16[B]      | EFh 1 TRAP 0
30h 4 MOV &ad16,Rd      | 70h 3 INCW #im8,Rpd     | B0h 1 TST A / CLRC        | F0h 2 LDST #im8
31h - ----              | 71h 3 MOV Rs,Pd         | B1h - ----                | F1h 2 MOV #off8[SP],A
32h 2 MOV Rs,B          | 72h 3 MOV #im8,Rd       | B2h 1 SWAP A              | F2h - ----
33h 2 XOR Rs,B          | 73h 3 XOR #im8,Rd       | B3h 1 INC A               | F3h - ----
34h 2 OR Rs,B           | 74h 3 OR #im8,Rd        | B4h 1 POP A               | F4h   (prefix, see Extended Opcodes)
35h 2 AND Rs,B          | 75h 3 AND #im8,Rd       | B5h 1 CLR A               | F5h - ----
36h 3 BTJO Rs,B,ra8     | 76h 4 BTJO #im8,Rd,ra8  | B6h 1 XCHB A              | F6h - ----
37h 3 BTJZ Rs,B,ra8     | 77h 4 BTJZ #im8,Rd,ra8  | B7h 1 DEC A               | F7h 3 MOV #im8,Pd
38h 2 SBB Rs,B          | 78h 3 SBB #im8,Rd       | B8h 1 PUSH A              | F8h 1 SETC
39h 2 ADC Rs,B          | 79h 3 ADC #im8,Rd       | B9h 1 INV A               | F9h 1 RTS
3Ah 2 MPY Rs,B          | 7Ah 3 MPY #im8,Rd       | BAh 2 DJNZ A,ra8          | FAh - ----
3Bh 2 ADD Rs,B          | 7Bh 3 ADD #im8,Rd       | BBh 1 COMPL A             | FBh 1 PUSH ST
3Ch 2 SUB Rs,B          | 7Ch 3 SUB #im8,Rd       | BCh 1 RR A                | FCh 1 POP ST
3Dh 2 CMP Rs,B          | 7Dh 3 CMP #im8,Rd       | BDh 1 RRC A               | FDh 1 LDSP
3Eh - ----              | 7Eh - ----              | BEh 1 RL A                | FEh 1 STSP
3Fh - ----              | 7Fh - ----              | BFh 1 RLC A               | FFh 1 NOP

Extended Opcodes
-------------------------
Op    B Mnemonic
F400h 4 BRL ad16
F401h 4 BN ad16
F402h 4 BZ ad16
F403h 4 BC ad16
F404h 4 BP ad16
F405h 4 BPZ ad16
F406h 4 BNZ ad16
F407h 4 BNC ad16
F408h 4 BV ad16
F409h 4 BL ad16
F40Ah 4 BLE ad16
F40Bh 4 BHS ad16
F40Ch 4 BNV ad16
F40Dh 4 BGE ad16
F40Eh 4 BG ad16
F40Fh 4 BLO ad16
F4CAh 5 CMPW Rpd,#im16 (1)
F4CCh 4 CMPW Rps,Rpd (1)
F4CEh 4 SUBW Rps,Rpd
F4D9h 5 MOV *off8[Rps],Rd
F4DAh 5 MOV Rs,*off8[Rpd]
F4E8h 5 MOVW #off8[Rps],Rpd
F4E9h 4 JMPL *off8[Rps]
F4EAh 4 MOV *off8[Rps],A
F4EBh 4 MOV A,*off8[Rpd]
F4ECh 4 BR *off8[Rps]
F4EDh 4 CMP *off8[Rps],A
F4EEh 4 CALL *off8[Rps]
F4EFh 4 CALLR *off8[Rps]
F4F8h 3 DIV Rn,A

Notation
--------
Ps    Source Peripheral Register
Pd    Destination Peripheral Register
Rs    Source Register
Rd    Destination Register
Rn    Register Used as both Source and Destination
Rps   Source Register Pair (referred to by the high register)
Rpd   Destination Register Pair (referred to by the high register)
im8   8-bit Immediate Value
im16  16-bit Immediate Value
ra8   8-bit Relative Offset
ra16  16-bit Relative Offset
ad16  16-bit Absolute Address
off8  8-bit Signed Offset
SP    Stack pointer
#     Immediate operator - used to clearly identify immediate operands
*     Dereference operator
*Rp   -> Byte contained at address contained in Rp
[ ]   Addition of two arguments
(1)   Operands reversed from standard TMS370

All opcodes on this sheet are those that are verified to work correctly on
the TMS370/P3 microcontroller. Non-verified opcodes are not included.

***********
**END******
***********

-========================================================================-
--======================================================================--
2."Wireless Beige boxing" ---==========================================---
Written By: captain_b (unknown) ----==================================----
Written For: NPANXX 005 (www.teamphreak.net) ----=====================----
Written On: 04/xx/02 -----===========================================-----
------==============================================================------
-------============================================================-------

One thing I've come to realize is that many things in electronics use fairly
low voltage on average, and tend to run on DC (Direct Current) power.
Cordless phones are no exception. In case you didn't already know, batteries
also run on DC. Can you tell where I'm going with this yet? Most cordless
phones I've seen thus far use 9 volts to power the base. (You know, the unit
you put your cordless phone on to charge it). So far, I've seen one that
used 12 volts to power it.
But, I think those that use more than 9 volts to power the base mainly tend
to have built in answering machines, speakerphones, or other extras you
wouldn't need during wireless beige boxing, anyway. To be sure a given
cordless phone's base uses 9VDC (9 volts DC) to power it, look either on the
AC adapter plug for what its voltage "rating" is (displayed as 9VDC or
whatever next to "output"). Disregard the input stats. That's the
voltage/current coming into the AC adapter from the electrical outlet before
the adapter lowers the voltage and current and converts it to DC. Or, you
can also check on the back of the cordless phone's base where the power cord
connects. Usually, you'll see something like "9V in", or simply "9V". Just
as long as the phone's base uses 9 volts to power it, you can power it with
a 9v battery.

There's more than one way to go about this. With the 1st method, you'll
sacrifice your AC adapter, since it involves modifying it for the purpose.
So, you may want to think twice. With the 2nd method, you can buy a
rechargeable battery charger called Power Bank from Radio Shack that doubles
as a DC power source to power electronics. The 3rd method, which is probably
the most complex of the three, involves an adaptaplug, with an adaptacord
attached to it leading to a 9v battery clip soldered on at the end where the
AC adapter would be. (Which is basically the same as the 1st method
described, except you won't have to ruin the AC adapter that came with the
cordless). Anyway, I'll describe only the 1st method here. But, you can
always do it another way, too.

By the way, you're going to need a wire cutter, wire stripper, 9v battery
clip (sold in packs of 5 at Radio Shack), standard 60/40 solder, a soldering
iron (30 watts should be fine for the job), and possibly electrical tape.

First, get the AC adapter and cord for the cordless phone. (Remove it from
the back of the cordless phone).

What you'll need to do first is cut the AC adapter off of the power cord.
Now, I've come to know more recently that AC adapters sometimes retain some
electric current even after being unplugged for a bit. With 9v of power, I
doubt it'd be a bad shock if there's leftover current. But, there's a way to
remove leftover current if you happen to have an insulated alligator clip
jumper cable (also sold at Radio Shack). Just connect one of the alligator
clips to one of the 2 prongs on the AC adapter, and touch the metal part of
the other alligator clip on the other end of the jumper cable to the other
prong on the AC adapter, thereby shorting it. If there was leftover current,
there will be a little bit of a spark. Okay, with that said, let's move on.

As stated before, you'll have to cut the AC adapter off of the power cord.
Then, cut a fairly small notch vertically downward on the power cord right
between the 2 wires. Now, slowly and carefully, separate the power cord by
pulling the 2 wires apart from each other a bit. Then, carefully strip about
half an inch of insulation off each of the wires. Now, you can attach the 9v
battery clip to the bare wire leads of the power cord. There's 2 ways this
can be done: With the 1st method, you can solder the bare wire leads from
the power cord to the bare wire leads from the 9v battery clip. In which
case, you'll want to wrap the exposed section of soldered wire with
electrical tape afterward. Or, you can use the 2nd method and solder the
wire leads from the power cord directly to the 9v battery connector clip. If
you go with that way, it may be better not to buy the heavy duty 9v battery
clips as I think they can be a bit harder to solder the wire leads to. At
any rate, once you have the 9v battery connector soldered up to the power
cord, it's just a matter of connecting a 9v battery to the 9v battery
connector to power the cordless phone's base.

Optionally, you could also remove the circuit board from inside the casing
of the cordless phone's base. After all, you need the interior components,
not the chassis casing, to operate the cordless phone's base. If you've
bought a cordless phone that has a particularly small base, it may even be
the case that you could fit it all inside something. Like say inside a TNI,
or inside the bottom base part of a fortress payphone. Use your imagination,
have phun, and as always, be careful with everything phreaking related that
you do.

***********
**END******
***********

-========================================================================-
--======================================================================--
3."Hiding Running Services from Portscanners Part I" ---===============---
Written By: Phractal (phractal@teamphreak.net) ----===================----
Written For: NPANXX 005 (www.teamphreak.net) ----=====================----
Written On: 04/xx/02 -----===========================================-----
------==============================================================------
-------============================================================-------

Hiding Running Services from Portscanners Part I
by phractal

/* parts of this article are theoretical and some is proven with code, feel
   free to get in touch to comment or point out flaws in my theories */

Hey there. Have you ever wished to run a certain daemon or backdoor but have
it hidden from the eyes of network scanners? Suppose you want to run a
private ssh server for only a select few, but they don't always have the
same hostname, or perhaps a backdoor to a unix that you worked hard to get
to. Well, I got to thinking of ways to have an actual service running and
yet be undetectable to people snooping in on your network.
Here's what I will discuss:

 - 'port tripwire'
 - how it works
 - porttrip.c
 - end notes

#############
Port Tripwire:
#############

Port tripwire is a name I came up with for opening up a low port in an
attempt to catch a port scanner before he reaches any ports that you want to
hide. If you or your borrowed remote host are running:

Port      State  Service
23/tcp    open   telnet
53/udp    open   domain
80/tcp    open   http
3557/tcp  open   BACKDOOR

You might want to hide this machine from scanning kiddies, to hide it from
anyone who might want to abuse your server if they want to get in via telnet,
or maybe you don't want it known that you run a web server, and of course,
that backdoor is supposed to be hidden from view of scanners as well.

How can we prevent a scanner, of whom we will have no idea of his IP address,
from finding these running services via scanning? Well, port scanners will
generally scan ports in sequence or in rough sequence. They will usually
access the low ports first, and then proceed to connect to, or request ACK
replies from, higher and higher ports. We can intervene in the scanning
process if we stop the scanner midway. We can do that by looking for him
where he'll come in: the low ports. We should choose a fairly obscure port
to try and detect the scanner, because otherwise it could be a legitimate
session, a normal user accessing a known service. For my little port
tripwire program, I chose port 3; it is a low port, and almost no one runs
it. If you wish to hide common services, you may wish to change that to port
7 (echo), as that is obscure, but it is also listed in nmap's services to
scan for.

The way that Port Tripwire works is, it opens up a socket and listens on
that low port. If any connection is made to that port, the program
identifies who that host is, and immediately issues a command to firewall
out any further attempted connections made by the scanner. It blocks him
out, turns the computer silent on him. The following code proves this
concept. It is however incomplete, not a full security program, and most
likely has plenty of vulnerabilities itself. It is used just to demonstrate
this concept.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define PORT 3
#define BACKLOG 1

//Port Tripwire BETA
//made for BSD or any ipfw firewalled OS
//by phractal

int main()
{
    //printf("PortScan Tripwire BETA by phractal \n");
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    int fd2;
    struct sockaddr_in server;
    struct sockaddr_in client;
    socklen_t sin_size;          // accept() wants a socklen_t, not an int

    server.sin_family = AF_INET;
    server.sin_port = htons(PORT);
    server.sin_addr.s_addr = INADDR_ANY;
    bzero(&(server.sin_zero), 8);

    // binding a port below 1024 needs root; bail out instead of looping on a dead socket
    if (bind(fd, (struct sockaddr *)&server, sizeof(struct sockaddr)) < 0) {
        perror("bind");
        return 1;
    }
    listen(fd, BACKLOG);

    while (1) {
        sin_size = sizeof(struct sockaddr_in);
        if ((fd2 = accept(fd, (struct sockaddr *)&client, &sin_size)) > -1) {
            //printf("connection from %s\n", inet_ntoa(client.sin_addr));
            //printf("DENY! \n");
            char cmd[150];
            char cmdpt1[] = "ipfw add 01234 deny tcp from ";
            char cmdpt2[] = " to any";
            // inet_ntoa() only ever yields a dotted quad, so nothing shell-special
            // reaches system(); snprintf keeps the 150-byte buffer bounded.
            snprintf(cmd, sizeof(cmd), "%s%s%s", cmdpt1, inet_ntoa(client.sin_addr), cmdpt2);
            printf("%s\n", cmd);
            system(cmd);
            close(fd2);          // the tripped connection is no longer needed
        }
    }
    close(fd);
    return 0;
}

While this program is running, if I nmapped a server running it with a
normal TCP connect() scan then I would see port 3 as the only running
service.

There are some problems with this program. Since it uses accept() to
determine that a scan is in place, SYN scans will not be picked up, and if a
scanner was lucky or smooth enough, maybe he might scan a certain block of
ports that is outside the port that the tripwire program runs on.

In Part 2, I will discuss more advanced port scan detection methods. I will
focus on using promiscuous mode to sniff for SYN packets and will be using
methods different from the tripwire approach.
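The tripwire behaviour described above, modelled as an added example that is not phractal's code: the socket and ipfw calls are replaced by a pure probe function, so a full sequential connect() scan and the "scanner starts above the tripwire port" caveat can both be run offline. The service list matches the article's example host; the scanner address 192.0.2.10 and the port ranges are constructed.

```c
/* Pure-logic model of the port tripwire (added example, not the article's
 * program).  Instead of accept()ing real connections, tripwire_probe() takes
 * one (source address, destination port) pair and reports what the scanner
 * would observe.  All addresses and ports are constructed test data. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TRIP_PORT   3        /* the obscure low port the tripwire listens on */
#define MAX_BLOCKED 64

/* Services really listening, as in the article's example host listing. */
static const uint16_t open_ports[] = { 23, 53, 80, 3557 };

enum probe_result {
    PROBE_OPEN,     /* connect() completes: scanner lists the port as open */
    PROBE_CLOSED,   /* RST: scanner lists the port as closed */
    PROBE_DROPPED   /* source already firewalled: no reply at all */
};

struct tripwire {
    uint32_t blocked[MAX_BLOCKED];  /* host-order IPv4 addresses */
    int nblocked;
};

static bool is_blocked(const struct tripwire *tw, uint32_t src)
{
    for (int i = 0; i < tw->nblocked; i++)
        if (tw->blocked[i] == src) return true;
    return false;
}

/* Same rule text as the article's "ipfw add 01234 deny tcp from <src> to any",
 * but built with snprintf into a caller-sized buffer from the raw address. */
int build_deny_rule(char *out, size_t outlen, uint32_t src)
{
    return snprintf(out, outlen,
                    "ipfw add 01234 deny tcp from %u.%u.%u.%u to any",
                    (unsigned)((src >> 24) & 0xff), (unsigned)((src >> 16) & 0xff),
                    (unsigned)((src >> 8) & 0xff),  (unsigned)(src & 0xff));
}

static void block(struct tripwire *tw, uint32_t src)
{
    char rule[96];
    if (tw->nblocked < MAX_BLOCKED && !is_blocked(tw, src)) {
        tw->blocked[tw->nblocked++] = src;
        build_deny_rule(rule, sizeof rule, src);
        /* The real program would system(rule) here; the model only records it. */
    }
}

/* One inbound TCP connect attempt from src to port. */
enum probe_result tripwire_probe(struct tripwire *tw, uint32_t src, uint16_t port)
{
    if (is_blocked(tw, src))
        return PROBE_DROPPED;
    if (port == TRIP_PORT) {
        /* accept() fired: the handshake completes, so the scanner sees port 3
         * as open, and every later packet from src is denied. */
        block(tw, src);
        return PROBE_OPEN;
    }
    for (size_t i = 0; i < sizeof open_ports / sizeof open_ports[0]; i++)
        if (open_ports[i] == port) return PROBE_OPEN;
    return PROBE_CLOSED;
}

/* Sequential connect() scan of [first, last] from one source.  Ports the
 * scanner would report as open are written to visible (at most maxvis);
 * the count is returned. */
int simulate_scan(struct tripwire *tw, uint32_t src, uint16_t first,
                  uint16_t last, uint16_t *visible, int maxvis)
{
    int n = 0;
    for (uint32_t p = first; p <= last; p++) {
        if (tripwire_probe(tw, src, (uint16_t)p) == PROBE_OPEN && n < maxvis)
            visible[n++] = (uint16_t)p;
    }
    return n;
}

int main(void)
{
    struct tripwire tw = { .nblocked = 0 };
    uint16_t seen[8];
    /* Constructed scanner 192.0.2.10 walking ports 1..4000 in order:
     * trips on port 3 and sees nothing else, as the article describes. */
    int n = simulate_scan(&tw, 0xC000020AU, 1, 4000, seen, 8);
    printf("full scan: %d port(s) visible, first=%u\n", n, n ? seen[0] : 0);

    /* Same scanner starting at 1000: the tripwire never fires and the
     * hidden service on 3557 is exposed (the caveat from the end notes). */
    struct tripwire tw2 = { .nblocked = 0 };
    n = simulate_scan(&tw2, 0xC000020AU, 1000, 4000, seen, 8);
    printf("high-only scan: %d port(s) visible, first=%u\n", n, n ? seen[0] : 0);
    return 0;
}
```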
-------------------------------------------------------------------->
greetz go out to h/pers and coders better than me: stain, team phreak, awnex,
dvdman, l33tsecurity, pare, bor, trunklord linear, 9x, subz, hybrid, datawar,
downt1me, notten, telec and people i forgot

***********
**END******
***********

-========================================================================-
--======================================================================--
4. "Sprint: A Taste Of Their Own Medicine."
---=========================---
Written By: bor (bor@teamphreak.net)
Written For: NPANXX 005 (www.teamphreak.net)
Written On: 04/02/02
-----===========================================-----
------==============================================================------
-------============================================================--------

------------------------------------------------------------------------------
1.) What exactly are we talking about?
------------------------------------------------------------------------------

Several days ago, I had been scanning google for open teleconferences that
could be used for various fun, when a friend and myself stumbled onto
something that at that time, and now, seems kind of big. It seems that we
stumbled onto a teleconference of Sprint employees discussing the current
contract that they have with HBF Group Inc. It seemed that they were
dissatisfied with the care that they had gotten from HBF, and were looking
for a way to weasel out of the contract. And so the story goes...

------------------------------------------------------------------------------
2.) Who is HBF?
------------------------------------------------------------------------------

HBF Group, Inc. is a company which sells and installs wireless 911 systems
for various telephone companies and emergency services. Basically, if you
call 911 from your cell phone and the cops can find you, it's their
software/hardware which enabled them to find you. They run a database which
stores cellular information for every cell phone that they can track, and
sell the capability to access this database to telephone companies and
emergency services. There you have it. That is HBF for you.

------------------------------------------------------------------------------
3.) What is Sprint's problem?
------------------------------------------------------------------------------

According to the people on the conference (namely Linda... who seems to be a
bitch) HBF has been violating some simple rules laid down by Sprint. Sprint
simply asked them to notify them before installing new software, working on
their Novell servers, and not to make any serious changes to the hardware
that Sprint owns in general. However, according to the people on the
conference, HBF did exactly the opposite. HBF has been rude, crude, and has
screwed with everything on the Sprint servers without any notification of
Sprint officials.

Not only this, but HBF charges about $2500 for every trip they take to
Sprint to fix something. From what we heard on the conference, it's cost
Sprint about $150,000 so far in this contract. So there is only one option
that they have left.

------------------------------------------------------------------------------
4.) We Want Out
------------------------------------------------------------------------------

The overwhelming reason that we saw for the conference which these Sprint
officials called was to find a way to get out of their contract with HBF.
It seemed that nearly everything that they talked about involving problems
with HBF included a sentence or two about terminating the contract early.

Although the consensus of the group agreed that they needed to find a way to
get out of the contract, it seemed that everyone on the call was more or
less fighting with Linda over whether they really should terminate the
contract or not. There seemed to be a lot of fighting on this conference
between associates of the same company. tisk tisk.

------------------------------------------------------------------------------
5.) Conclusion
------------------------------------------------------------------------------

In conclusion, it seems that Sprint can't take a taste of their own
medicine. It seems that they have no problem in giving shitty customer
service, and having a history of simply not listening to their customers;
however, once something to the same effect happens to them... it's time to
terminate the contract. In my opinion, I think that all Sprint customers
should take the same approach Sprint has taken. Are you dissatisfied with
your service? Maybe you should think about terminating that contract.
-bor (bor@telcobox.net)

------------------------------------------------------------------------------
Afterthoughts
------------------------------------------------------------------------------

- If you've been reading NPANXX from the start (and I mean the original
  issues) then you know our history with Sprint. WE LOVE SPRINT!

- All of the material gathered in this article was obtained on a Sprint
  teleconference. We obtained the information for this teleconference
  through the google search engine. It was a pure fluke that people were
  actually on this conference at the time which we found it.

- This information is to be used for educational purposes only. We are in
  no way responsible for what you do with this information. We only have
  the expressed point of spreading information. We do not wish harm upon any
  person/company mentioned in this article. However all information in this
  article is to be presumed for entertainment purposes only :-D

------------------------------------------------------------------------------

***********
**END******
***********

-========================================================================-
--======================================================================--
3. "\/ERIZON |ELECONFERENCING"
---====================================---
Written By: k00p$ta Phr34k and ic0n
Written For: NPANXX 005 (www.teamphreak.net)
Written On: 05/xx/02
-----===========================================-----
------==============================================================------
-------============================================================--------

BY: k00p$ta Phr34k and ic0n

Before we begin this file, we (ic0n & k00p$ta) are not going to give you any
info on setting up the conference, for a few reasons, but it's not hard at
all to set up since everyone @ Verizon is crazy or just dumb minus a selected
few (they know who they are). Now on with the file.

Verizon now offers a new service, Conference Connections. These conferences
are reservation-less, which means around the clock availability. The
conference is available 24 hours a day, 7 days a week, and 365 days out of
the year. This makes conferencing very easy. Thanks Verizon!

There's 2 ways to dial into a Verizon conference:
1. Toll Free dial in number (866-441-2942)
2. Direct (972-717-2043) - NPA 972 is in Texas

There are no setup fees, no cancellation fees, and no monthly charges, which
means you can set up a teleconference and your victim will not even know he's
got a teleconference being billed to him. The minutes your participants use
are logged separately by different ports. There are 20 of these ports but I'm
sure there is a way to get more. Anyways, the minutes are added together to
simplify the subscriber's bill, in addition to required taxes. There is a
separate bill for toll free service as well.

States that need to use the direct number to the conference:
1. Alaska
2. Delaware
3. Maryland
4. New Jersey
5. New Hampshire
6. Virginia
7. Vermont
8. Washington D.C.
9. West Virginia
*Once again the direct number is 972-717-2043.

The reasoning behind the direct numbers is that Verizon provides long
distance services for calls originating in most states outside the
mid-Atlantic and New England states. Until government approval is obtained,
Verizon cannot carry long distance in the states listed above. Verizon is in
the works on getting the necessary state and federal permissions to offer
long distance in every state.

Rates (cents per minute per port)

               Until 3/30/02    Normal
  Toll Free    $0.22            $0.31
  Direct       $0.09            $0.18

Feature Descriptions

Announcements for Entry and Exit
  At your option, the reservation-less Conference Connections system can
  sound a tone or have silence when participants enter or exit a conference.

Attendant Request
  The Subscriber or Participants can request attendant assistance for
  private or group consultation. The person requesting assistance remains in
  the conference until the attendant handles the request.

Conference Continuation
  This feature allows the subscriber to exit a conference after it begins
  without disconnecting the participants, and must be activated for each
  conference call. *Note: the system automatically defaults to end the
  conference call when the subscriber disconnects.*

Conference Lock/Unlock
  This feature lets the subscriber lock a conference once all parties are
  present to keep the conference private. Attendants cannot enter locked
  conferences, but can ring the conference requesting that the subscriber
  unlock for attendant entry.

Help Menu
  Help with using conference commands is available to every conference
  Subscriber and Participant. The system plays a private help message to
  the requester that lists the available features and their associated
  touch-tone (DTMF) commands.

Mute/Un-mute
  The Subscriber can collectively mute or un-mute all lines in the
  conference except for the subscriber's line. The participants can mute
  and un-mute their own lines to help control distractions and
  interruptions.

Participant Count
  The system automatically tracks the number of participants on a
  conference. Any Subscriber or Participant can check the number of people
  in conference at any time. The system announces the count privately to the
  requester.

Quick Start
  As a rule, conferences do not begin until the subscriber starts the
  conference. However, your account can be configured to allow the
  subscriber to use this feature so that the conference begins as soon as
  the first participant arrives. In this scenario, participants who arrive
  before the subscriber may talk to one another before the conference
  actually begins. Though the quick start feature offers less security, it
  allows unplanned meetings to occur whenever needed or permits conferencing
  when the subscriber is unavailable to start the conference.

Features: Subscriber Conference Commands

This is how you begin a conference:
1. Dial into the conference system
2. Enter the pass code, then the # (pound) key
3. Then press the * (star) key
4. Enter the Subscriber PIN (4 digits)
5. Press 1 to start the conference or press 2 to change account options.

To Change Account Options:
  Press 1 to change subscriber PIN
  Press 2 to configure roll call options
  Press 3 to change quick start options
  Press 4 to change auto continuation options

Conference Control options (while in conference):
  Press *0 to speak privately with an operator
  Press 00 to request an operator to join the conference
  Press *4 to lock conference
  Press *5 to unlock the conference
  Press *6 to mute your line
  Press *7 to un-mute your line
  Press *8 to allow the conference to continue after you disconnect
  Press *9 to privately play a list of participants on conference
  Press *# to hear the number of participants in the conference
  Press ## to mute all lines except the subscriber
  Press 99 to un-mute all lines
  Press ** to play this list of commands

How to end a Conference: say whatever, then hang up the phone. A short
message will be played for them and then it disconnects them.

***We also need to thank Verizon for being so dumb and giving us all this
information to write this article. Shout Outs.... Lucky225, Dark_Fairytale,
The Borish One, Xenocide, Cuebiz, MaddjimBeam, Whit3rav3n, Reaver, Captain_B,
Mr. Poop, RBCP, everyone who was on $kytel back in 96-97... well okay only
some people from skytel, and everyone else we know.***

***********
**END******
***********

-========================================================================-
--======================================================================--
3. "Care for your SecurID card"
---=====================================---
Submitted By: Bryan
Written For: NPANXX 005 (www.teamphreak.net)
Written On: 05/xx/02
-----===========================================-----
------==============================================================------
-------============================================================--------

Your new SecurID card is part of a Security Dynamics system that protects
your organization's valuable resources. Follow your system admin's
instructions for using your assigned SecurID card and for getting your own
personal identification number (PIN). In addition, for your own protection
and that of the system, always take the following precautions:

* Never reveal your PIN to anyone; do not write it down.
* If you think someone has learned your PIN, notify the security admin, who
  will clear the PIN immediately. At your next login you will have to
  receive or create a new PIN to use.
* Exercise care not to lose your SecurID card or to allow it to be stolen.
  If your card is missing, tell an admin immediately; the admin will disable
  it so that it is useless to unauthorized users.
* Do not let anyone access the system under your identity.
* Always follow your system's standard logoff procedures. Failure to log off
  properly can create a route into the system that is completely
  unprotected.
***********
**END******
***********

[ASCII art banner: "0wned! THE EVIL EMPIRE" <==$Phractal$==>]

Teamphreak toll free information hotline/msg center is now OPEN.
The number is: 1-866-248-7671 ext: 3974

Special Thanks to our good friends at .............
  http://9x.tc
  http://f41th.com
  http://phonelosers.org/.net
  http://blacksun.box.sk
  http://verizonfears.com
  http://undergroundnewsnetwork.com
  http://ghettosoldier.com
  http://ppchq.org

Quote of the issue:
"If consequence dictates the course of action and it doesn't matter what's
right, it only matters if you get caught, then I should play God and shoot
you myself."
- Maynard

Proud Supporters of the ..... [ASCII art banner: UNDERGROUNDNEWSNETWORK]
http://UndergroundNewsNetwork.com