Basic Phreaking Skills.
NeonDreamer of -=(PHILA)=-
10/5/1996
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I've been around for a while now, and there is AFAIK only one general phreaking phile specific to the U.K. It is written by Pharlin J. Hack and available at http://www.paranoia.com/~coldfire - a site to which I owe a lot. This is no attempt to outdo it, but rather to complement available information. Some of the information will be from cut-down versions of philes I have written; you are encouraged to go out and learn something and release the information yourself. If anyone needs a distro site we will be happy to 'publish' your stuff with full credits. Needless to say this information is not to be used for illegal purposes and I cannot accept any responsibility in the event you get busted.

So what are we going to cover?

-Beige boxing
-Blue boxing
-VMB hacking
-Payfone vulnerabilities
-Ansafone hacking
-Other boxes
-The line monitor
-What else is there?
-Resources and references

If I start to include anything else this is going to become a monster phile, and I have to do this in half an hour before I get kicked off the computer.

Beige Boxing
~~~~~~~~~~~~

This is really the only thing you'll ever need to know if you're just into free calls. It is the simplest phreaking technique known to man, and here is a cut-down version of a very long phile due for release in August:

If you're contemplating a move into the world of boxes, there can be no easier, or ultimately more rewarding, mini-project than the beige box. Why is it called a beige box? Why is a blue box called a blue box? It's all historical: the first person to make a beige box made theirs from a beige coloured handset. If we were all going to name boxes after their true colour, then I would use an 'Off-White' box. So before we go into the rather basic construction details, why do you need a beige?
Well, first and foremost, for using BT PCPs (them green boxes) as a convenient launching pad for your exploits, either from the PCP internal line or off a customer who is connected in that box.

Firstly go and buy a fone. Get a self-contained handset type one - like the cheapest ones out of the Argos catalogue. Check for: tone/pulse switching, a ringer on/off switch and PABX compatibility. Now cut the modular jack from the fone lead with wireclippers. Leave about 30cm of cord attached to the jack. Strip back a couple of inches of insulation from the cord ends. It is possible to do this without getting all cut up, because the gold pins of the jack can be prised out and new wires added in, extending the reach of your fone rather than diminishing it.

Inside the cord you will find three wires. I have finally torn up enough fones to know that there is no attempt at convention in these matters. Get some colour-coded crocodile clips and solder or crimp them on to the wires of both the fone and the plug, after you expose a centimetre or so of the wire's core. This can be a pain, and is not really necessary if using with an arsenal of dedicated line monitors. More later...

Now you need to determine which wire does what. Plug the jack into a wall socket and attach the crocodile clips to their coloured counterparts. You will notice that only two wires are required for a dial tone. Make a note of it so you aren't fumbling around on the job. I removed the crocs from the third wire (which is basically your ring indication) to make life easy. Ring indication is not necessary with a line monitor.

You now have a pristine beige box. Take it apart, put it back together, slap some tape and dirt on it so you look like a pro and then get to a fone line/PCP. In order to get into a PCP beg, borrow or steal a hex wrench. The 13mm one will fit the triangular bolt on a PCP. Find a quiet box. It's not easy, but when you find *the* box ;-). Make it at night.
Unscrew the bolts and pocket them. Have your beige connected to the modular jack, and open the PCP. Look around and find the BT socket. Plug yourself in and listen. You should hear a dialtone; if you don't, you screwed up somewhere along the line. These lines are normal BT lines. It is inadvisable to call your mates, but bring along a laptop and you can dial up boards, scan numbers, wardial etc. This kind of stuff will get you noticed. Assuming that BT does actually monitor these lines for unusual activity, international calls will be noticed. Mind you, I have heard BT engineers yabbering away on them to their mates/wives/mistresses etc.

All those wires in the box will take you into subscribers' fone lines. Now is *not* the time to go into pair localisation etc. because it is covered on Coldfire's site, and besides, in the full phile we have a number of nice tricks to reveal. So what can you do with someone else's fone line? If you haven't got any thoughts in your head - retire. As a matter of courtesy, bolt up the PCP when you've finished. This is going to extend your boxing life.

Now sometimes you will hit a box with wiring diagrams, anything from specific diagrams for the PCP internals to (more frequently) a cable diagram for the PCP area. This can be anything from an A4 sheet up to 3 or 4 A3 sheets. These will give you a map reference (although for what map I don't know), the 'PCP Area', which exchange the cables are routed to, and the location of PCPs and manholes in the area (down to the numbers of the houses they are outside). They also have a history of amendments to the original map. With a little local knowledge and a single one of these maps it is possible to find the next box with a map, and so on - until you know the local area better than BT. If you're feeling very nice you can photocopy and return them, or consult them on the spot and never remove them from the PCP.

Ever heard of a Beagan box? Me neither until last week, but it is something that can be done.
It's a fairly lame idea, but it works. Think many feet of cable.... Think drill... Think back of a junction box and under a hedge.... Makes a real difference from standing in the middle of nowhere clipped into a PCP to being sat in a car nice and warm, but doing the same thing.

Using the beige you can also use domestic lines, payfone lines etc. All you need to do is cut a razor-thin cut into a wire and hook the beige wires around... A favourite place is train stations - because there are fone wires all over the place. Try schools and hospitals (where they plug their payfones into the wall using standard BT plugs (haha)). There are a lot of things you can do.

Blue Boxing
~~~~~~~~~~~

This is either impossible or possible, depending on who you speak to. I dabbled ages ago, but it's worth playing around with. Blue boxing is the art of seizing lines in another country with the effect that you have operator control over the line. BT and Mercury have 'country direct' numbers which basically route you to an internal operator of another country.
A recent list of numbers for BT follows:

  COUNTRY                 NUMBER
  ~~~~~~~                 ~~~~~~
o AT&T USA direct         0800 890 011
o Australia direct        0800 890 061
o Austria direct          0800 890 943
o Bahamas direct          0800 890 135
o Bahrain direct          0800 890 973
o Belgium direct          0800 890 032
o Bermuda direct          0800 890 123
o Bolivia direct          0800 890 059
o Brazil direct           0800 890 055
o Brunei direct           0800 890 673
o Canada direct           0800 890 016
o Chile direct            0800 890 056
o Colombia direct         0800 890 057
o Denmark direct          0800 890 045
o Finland direct          0800 890 358
o France direct           0800 890 033
o Gabon direct            0800 890 241
o Germany Direct          0800 890 049
o Greece Direct           0800 890 030
o Hawaii direct           0800 890 808
o Hong Kong direct        0800 890 852
o Hungary direct          0800 890 036
o Iceland direct          0800 890 354
o Indonesia direct        0800 890 062
o Ireland direct          0800 890 353
o Italy direct            0800 890 039
o Japan direct (KDD)      0800 890 081
o Japan straight (IDC)    0800 890 080
o Korea South direct      0800 890 082
o Korea South (DACOM)     0800 890 820
o Luxembourg direct       0800 890 352
o Macao direct            0800 890 853
o Malaysia direct         0800 890 060
o MCI Call USA            0800 890 222
o Netherlands direct      0800 890 031
o New Zealand direct      0800 890 064
o New Zealand (C COMMS)   0800 890 640
o Norway direct           0800 890 047
o Paraguay direct         0800 890 595
o Philippines direct      0800 890 063
o Philippines (PHILICOM)  0800 890 633
o Phone USA TRT           0800 890 456
o Portugal direct         0800 890 351
o Singapore direct        0800 890 065
o South Africa direct     0800 890 027
o Spain direct            0800 890 034
o Sweden direct           0800 890 046
o Switzerland direct      0800 890 041
o Taiwan direct           0800 890 886
o Thailand direct         0800 890 082
o Turkey direct           0800 890 090
o U.A.E direct            0800 890 971
o Uruguay direct          0800 890 598
o USA Sprint Express      0800 890 977
o Venezuela direct        0800 890 058

What you are looking for is a country that has a CCITT-5 line. But how do you tell this line from Adam? Well, when the line is picked up there is a distinctive 'cheep'.
Put it this way, you won't hear it if you start dialling so-called 'developed' countries. When you have a CCITT-5 line it is sometimes possible to seize it. This requires the generation of tones. On the PC, BlueBeep is the definitive blue box program; if you have a Mac, then try one of the blueboxes from Kaos and Logix of the Network (Fone Tone Pro and Blubox respectively).

Seizing involves sending a 2600Hz/2400Hz tone down the line for about 100ms-500ms. This is generally followed by a 2400Hz tone for the same time. Some systems require a 2600/2400 clear forward for 100-150ms and then the seize tones. There are no hard and fast rules for this EXCEPT THE TONES, so you will need to experiment with the timings of both the tones and the delay between them. Signalling is a two-way thing, so each burst is replied to with an acknowledgement. Now you can place a call. The convention is:

KP2+countrycode+0+areacode+number+ST   for international calls
KP1+0+number+ST                        for placing a call in the country
KP1+2+Code11+ST                        should connect you to the inward operator

So what are all these cryptic acronyms?

KP = Start of pulsing, indicates whether a national or international call is being placed.
ST = End of pulsing, i.e. no more digits to follow

Now for the tones:

Digit   Freqs (Hz)
~~~~~   ~~~~~~~~~~
1       700/900
2       700/1100
3       900/1100
4       700/1300
5       900/1300
6       1100/1300
7       700/1500
8       900/1500
9       1100/1500
0       1300/1500
KP1     1100/1700
KP2     1300/1700
ST      1500/1700
C11     700/1700
C12     900/1700

The timings are supposed to be critical and the standards are:

Between seize and KP  = 80+/-10ms
KP signal duration    = 100+/-10ms
Other signals         = 55+/-1ms
Delay between digits  = 55+/-1ms

Points to note: if at first you don't succeed, try and try again because:

o Some countries allow international calls via KP1 routings
o Others differ in KP2 routing conventions (eg KP2+00+countrycode+number+ST)
o The ubiquitous +0+ can be replaced with other digits
o Timings can vary quite dramatically. You need to experiment!
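Decoding the frame structure just described, as an added example that is not from the original phile or from any of the programs it names: given a list of measured tone bursts, it recovers the MF symbols and digits and checks each burst's duration against the standards quoted above, which is the decode an exchange-side line monitor performs to recognise MF signalling on a trunk. The (f1_hz, f2_hz, duration_ms) input format and FREQ_TOL_HZ are assumptions; the tone table and timings are the ones in the text.

```python
"""Decode a CCITT-5 MF digit frame from (f1_hz, f2_hz, duration_ms) bursts.
Added example, not from the original phile: the decode a line monitor does to
recognise MF signalling. FREQ_TOL_HZ is assumed; the table and timings are the text's."""

# Two-frequency MF table as given in the text: (low Hz, high Hz) -> symbol.
MF_TONES = {
    (700, 900): "1", (700, 1100): "2", (900, 1100): "3",
    (700, 1300): "4", (900, 1300): "5", (1100, 1300): "6",
    (700, 1500): "7", (900, 1500): "8", (1100, 1500): "9",
    (1300, 1500): "0",
    (1100, 1700): "KP1", (1300, 1700): "KP2", (1500, 1700): "ST",
    (700, 1700): "C11", (900, 1700): "C12",
}
FREQ_TOL_HZ = 15  # assumed receiver tolerance, not a figure from the text

def classify(f1_hz, f2_hz):
    """Return the MF symbol for a frequency pair, or None if it is not MF."""
    lo, hi = sorted((f1_hz, f2_hz))
    for (a, b), sym in MF_TONES.items():
        if abs(lo - a) <= FREQ_TOL_HZ and abs(hi - b) <= FREQ_TOL_HZ:
            return sym
    return None

def decode_frame(bursts):
    """Return (symbols, warnings) for a list of (f1_hz, f2_hz, duration_ms).
    Timing is checked against the text: KP 100+/-10 ms, other signals 55+/-1 ms."""
    symbols, warnings = [], []
    for i, (f1, f2, ms) in enumerate(bursts):
        sym = classify(f1, f2)
        if sym is None:
            warnings.append(f"burst {i}: {f1}/{f2} Hz is not an MF pair")
            continue
        expect, tol = (100, 10) if sym.startswith("KP") else (55, 1)
        if abs(ms - expect) > tol:
            warnings.append(f"burst {i} ({sym}): {ms} ms is not {expect}+/-{tol} ms")
        symbols.append(sym)
    if not symbols or not symbols[0].startswith("KP"):
        warnings.append("frame does not start with KP1/KP2")
    if not symbols or symbols[-1] != "ST":
        warnings.append("frame does not end with ST")
    return symbols, warnings

def frame_digits(symbols):
    """Digits between KP and ST, or '' when the frame is not well formed."""
    if len(symbols) >= 2 and symbols[0].startswith("KP") and symbols[-1] == "ST":
        return "".join(s for s in symbols[1:-1] if len(s) == 1)
    return ""

# Constructed frame: KP1, 0, 1, 2, ST with in-tolerance durations.
SAMPLE_FRAME = [(1100, 1700, 100), (1300, 1500, 55), (700, 900, 55),
                (700, 1100, 56), (1500, 1700, 55)]
```

A burst that classifies as MF but falls outside the quoted tolerances is still decoded; the warning is what a monitor would log, since the text itself notes real timings vary.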
VMB hacking
~~~~~~~~~~~

Right, voicemail may be the bane of a lot of people's lives, but for the phreak it is a joy. A voicemail system is a glorified ansafone with enough fun things to play with to keep you occupied. How do you find a voicemail system? First of all, unless you are phreaking the call *already*, stick to 0800 and 0500 numbers. Now here it starts to get a bit repetitive, because you need to sequentially dial a few hundred numbers to glean a good set of voicemail systems. Do not confuse voicemail with an ansafone! A voicemail system will either tell you it is the voicemail system of company X or it will just prompt you for a mailbox number and password. Scanning will also provide you with carriers to explore and a number of funky things to play with... such as Department of Defence dialups :-)

Not all systems are up 24hrs a day, and it is nice to find one that is. If you find a VMB in, say, the US, then remember the time difference.... you may simply be calling in the middle of the night rather than finding a permanent VMB.

When you get a system you are generally presented with the option of leaving a message ("Please dial the extension of the person you are trying to reach") or given instructions to press '#' if you have a mailbox on the system. Listen to all the prompts and write them down, because mapping a VMB is very important in discovering all the phun things.

You will now need to find a valid mailbox... This can be achieved by stepping up in blocks of 500 from 0000 to 9500 if it is a four-digit mailbox system, or 000 to 950 in steps of 50 on a three-digit system. Be warned, some 4-digit systems will reject an incorrect mailbox number after 3 digits, which is very confusing. The trick is to learn the delay between an incorrect number and the system warning you it is wrong, because if you hit three digits and it takes longer than usual to kick you out, try adding a fourth digit. Some systems require you to enter the '#' after the box number.
Now a quick and dirty way of doing this on some systems is to use the user directory, which enables you to search for people on the system by using the keypad letters (1 = ABC etc.). If you find this facility then just plug stuff randomly into it; eventually it will credit you with a hit and give you an extension or voicemail box.

When you hit a box, map around it by trying sequential boxes up and down from the one you find. Boxes are usually in clumps, but a canny sysadmin will dot them around in no particular order. When doing this kind of internal wardialling simply press the '*' after every mailbox you try - this generally backs you up a level and allows you to plug away for hours without redialling the VMB number.

It is generally not advisable to hack people's voicemail, but rather to find an empty box. An empty box will either have no name associated with it, or on ASPEN systems a message saying "Voicemail can significantly increase your productivity....". When you get this, pat yourself on the back, because you're nearly home and dry. Empty boxes are often very simple to hack, but you need to work out how many digits the passcode is. ASPENs / OCTELs etc. are generally four digits; ASPENs especially have the default login code the same as the empty box number. Again, smart sysadmins will change the default code, but try 1000, 2000 etc... and other simple combinations and permutations to access the box. Be warned though, NYNEX VMBs have been found to have up to seven-digit passwords, and one system has nine-digit codes :-(

Eventually you will have a box under your control. Now you need to map the system thoroughly, exploring every menu option, setting up your personal greeting (hint: don't set up a box with your handle, because if someone accidentally dials your box to be greeted by an effusive
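The mailbox-hunting pattern this section describes (many rejected box numbers in one call, walked in a fixed stride of 500 or 50, with '*' to stay on the line) is exactly what a VMB administrator can look for in the system's own attempt log. As an added example, not from the original phile or from any vendor's software, the following flags sessions that match that pattern; the (session_id, mailbox_tried, accepted) record layout, the sample records and the thresholds are assumptions.

```python
"""Flag voicemail sessions that look like mailbox enumeration.
Added example, not from the original phile. Record layout, sample data and
thresholds are assumptions, not any vendor's log format."""
from collections import defaultdict

# Constructed sample records: (session_id, mailbox_tried, accepted).
# s1 steps through boxes by 500 as the text describes; s2 is a normal user
# who mistypes once; s3 steps by 50 on a three-digit system.
SAMPLE_EVENTS = [
    ("s1", "1000", False), ("s1", "1500", False), ("s1", "2000", False),
    ("s1", "2500", False), ("s1", "3000", False), ("s1", "3500", True),
    ("s2", "4271", False), ("s2", "4217", True),
    ("s3", "100", False), ("s3", "150", False), ("s3", "200", False),
    ("s3", "250", False),
]

def common_step(boxes):
    """Return the constant difference between successive numeric box ids,
    or None when there are fewer than three or the spacing is irregular."""
    nums = [int(b) for b in boxes if b.isdigit()]
    if len(nums) < 3:
        return None
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return steps.pop() if len(steps) == 1 else None

def flag_enumeration(events, max_failed_boxes=3, min_step=10):
    """Return {session_id: reason} for sessions that have many distinct
    mailboxes rejected in one call, or walk box ids in a regular stride."""
    tries = defaultdict(list)
    for sid, box, accepted in events:
        tries[sid].append((box, accepted))
    flagged = {}
    for sid, attempts in tries.items():
        failed = [box for box, ok in attempts if not ok]
        distinct_failed = len(set(failed))
        step = common_step(failed)
        if step is not None and abs(step) >= min_step:
            flagged[sid] = f"{distinct_failed} rejected boxes in a regular stride of {step}"
        elif distinct_failed > max_failed_boxes:
            flagged[sid] = f"{distinct_failed} distinct mailboxes rejected in one call"
    return flagged
```

Because the '*' trick keeps the caller on one call, grouping by session rather than by dialled number is what makes the stride visible.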