/---------------------\
|    Doctor Scan's    |
|  Helpful Scanning   |
|        Tips!        |
\---------------------/

KopyWrong Zik Zak ([) 1996, all lefts unreserved.
Unauthorized duplication of this document is recommended. So there.
If you paid for this, some k0n artist now has some hard-earned dough. So enjoy.

--------------------------------------------------------------------------

Hi kids! Doctor Scan here. I thought I'd write up a nifty little text file here to help you along your magical mystery scans with your good friend, Tone Loc (or the new THC Scan). With this hopefully you'll be as successful as good ol' David Lightman as seen in WarGames. Just don't blow the world up, okay?

Some helpful scanning tips
--------------------------

Scanning requires such little hardware you can even do it on an old 1200 baud modem! I dare not use a 300 bauder for various reasons. Besides, that damn coupler is a bitch to use in this case. Right David Lightman?

Tone Loc fortunately is for DOS, so you could use a friggin' 4.77 MHz PC with no hard drives and still scan away. It doesn't matter how fast your little warez-kouriering modem is. You just want to connect no matter how slow the speed is just to see if there is a computer on the other side. Now if you want to scan for something other than carriers, that's a different story.

If you are running your little scanning setup on something really cramped for space like on a 360K drive, you'll have to make a sacrifice or two. First off, just have the executables toneloc.exe and tlcfg.exe on there, with the appropriate .bin files to run them. You won't need the extra utilities just yet. I would also do away with the carrier log file. The important thing is just to get the phone numbers. You can dial them later to see what type of system they are. Some systems seem to notoriously spew out many many MANY characters of garbage only to waste space and distance themselves from other phone numbers in your little file.

When you are using a .DAT file with Tone Loc, scan only one prefix per .DAT file. It avoids unnecessary confusion.

Get a group of friends together and scan! Assign each person to a prefix, or have all of you do the same prefix, but in different areas. Collect and share the carriers you have found and see what you get. With several people doing scans at the same time, you'll get plenty of carriers in no time. If you run across an unfamiliar system that you can't hack or even connect with, maybe somebody else in your group would know.

When beige boxing scans (whoa, risky!) make sure you disable that call waiting, even if you don't know whether they have it. That way if anybody tries to call during the scans, they won't get suspicious. Just a busy signal.

Also when beige boxing scans, do sequential. Who's gonna care? Besides, sequential is more fun!

Baby-sitting somebody's house? Don't let their phone line gather dust! Get a junky computer together or a laptop, and do some big time scanning! After all, who else is using that line? Go crazy. Just remember to use that *67, both at home or your buddy's house.

I'm sort of a nice guy so I usually confine the times of my scans from about am to about, say, 6 pm. That way nobody gets too pissed off at you when you intrude upon their precious phone line, but that's just me. You can scan at am for all I care, but there are some of those anal-retentive assholes who find just ONE call with nobody on the other end a threat to their personal lives, so they find it necessary to slap you with a *57 trace, or whatever the fuck it is. Personally, I wouldn't worry about it.

If you want to get more information on a system you have found, try looking up its number in a reverse directory (book or CD-ROM. Whatever is available). It might give you a clue on how to get into it further (keywords for passwords, etc.). See later paragraph about phone number databases.

If you have one of those phone line dubbers (available at Radio Shack for $25), you might be able to net more than just carriers. I don't mean those cheap suction cup gizmos. I mean the real thing. Radio Shack makes a phone dubber that simply outputs to an audio port, and it does not affect the hook, so your modem does not get interrupted. You can simply wire the dubber through a tape recorder, and listen to it dial with your headphones on. That way, you can note in real-time any unusual numbers that go by. PBXs, loops, VMBs, whatever! You'll be able to net more than just carriers while scanning, and that's a good thing!

If you are *really* into scanning and want to net more than just carriers while you are away, try this wacky idea. Get an NTSC converter for your system (or get a video card that does composite output), and hook it up to the video IN jack to your VCR. Get that phone dubber out again, and hook the jack up to the audio IN port of the VCR. Set your VCR to the slowest tape speed, and scan away! If everything is tuned right, you'll be able to listen in on every number that Tone Loc dials in whatever prefix you are scanning. Hopefully you'll get a lot more than just carriers. Of course, you'll have the most boring video tape footage in the universe.

I don't have the right modem to scan for TONES, but I'm curious how other people have worked with it. Any luck at all? Email me.

What I wish Tone Loc had was the option for an artificially intelligent scanning method. Say you are scanning the whole 555 prefix, and you find about 50 carriers in the 9000-9999 range and none elsewhere. Tone Loc would recognize this trend, and start scanning only the 9000-9999 range. That way, you could speed up your scans. Yippee.

What I wish Tone Loc had was a flag it could set if you connect with a system that does absolutely nothing. Dead. Doesn't respond to anything. If it could just flag it, or log it to a different file, it would speed up calling found systems.
and move on to the more active ones. Hmm. Maybe something for the next version.

Now what if you got a bunch of scans done, and found a bunch of different systems that you have no idea what to do with? I don't mean to be the anal-retentive scanboy, but organize them! Say you have a ton of Annex Command Line Interpreters, UNIX systems (found gazillions of them), systems that you have no clue what they do, but identify themselves with a common prompt, and so on. If you have no clue what type of system you found, but found many of them with a distinctive logon procedure or banner, keep a list of them too! Just identify it on your list with the logon presentation it gives you.

Why keep a list of shit you can't get into or even recognize? Well, you never know when you'll run across that occasional textfile that's not outdated (or maybe it is, who knows) that tells you all sorts of neat stuff about that system you found 3 years ago, and you're in business! Call those badass numbers back, and get yourself in. Or somebody else who takes a gander at your little list might know what it is, and all that other funky stuff.

Eventually you'll have a big textfile like this. I'd recommend putting in a comment or two if the system is aside from the usual strain, especially UNIX systems. When your luck gets better with these, you'll have accounts and passwords written down on these comments and then you'll have something to do on a rainy day. I'd recommend moving those #s that you have accounts on to a more private text file so nobody else would screw it up.

UNIX systems
------------
555-1234
555-3421  system name: Alcatraz
555-9911  SCO UNIX v 3.2

Annex Command Line Interpreters
-------------------------------
555-0001
555-0096
555-0000

??? - "ENTER USERID:"
-------------------------------
555-6666
555-6667  (bad line noise)

....and so on and so on...

If you have a CD-ROM full of phone numbers in your target scanning AC, put it to use! Let's say you are about to scan the 559 prefix.
First, boot up your database program, and get a textfile output of all the phone numbers in that prefix. All you need is the phone numbers, without any header garbage around it (you may need to clean it up). Then copy that file into your Tone Loc directory, and name it to your blacklist file name (default is BLACK.LST). Then start scanning. No need to add in your conventional blacklisted phone numbers since you're only scanning that prefix. That should speed things up in getting unusual numbers. But who knows? There might be carriers that are listed in the database. Check this out by looking up a few known carriers in the database, and see what you get. I haven't tested this whole paragraph out yet since I don't have the database. Just make sure you buy the CD-ROM that lets you do as many searches as you want (which SHOULD be the norm).

From experience, I got a list on a telco prefix here in the 612. There were less than TEN phone numbers listed, and scanning that prefix generated a 10K list of carriers.

Okay, I found a bunch of numbers to connect to. Now what?
---------------------------------------------------------

If I get a really big-ass list of scans for a prefix, I usually just print it out on my 10-year-old thermal printer and get a good pen. I just boot up the old terminal program, and just try those #s until they're all gone. Just cross out the crap ones.

Now if you're running Windows or some other multitasking environment, you can save some paper. Boot up your favorite term program and have something like Notepad standing by, and start trying out all the numbers. Besides, you can take better notes with a word processor than a ragtag printout of carriers.

One of my nice pieces of equipment is an almost-speaker phone that lets me listen in on the phone line hands free. That way I can find out if it's *really* a system on the other side, or a stupid fax machine, or even a fake carrier signal (found one number that did this).
You never know what the hell your modem is willing to connect with when you're gone.

I recommend compiling a black list of phone numbers (just in case). This list would consist of:

Cellular prefixes (just in case you do unusual scans that have varying numbers in the prefix area)
emergency numbers
police stations
local FBI, CIA, bomb squad, and other evil government organizations.

-------------------------------KUT H3R3---------------------------------------

Greetz go out to Radix, D-FENS, Bandon, Phelon, Mystic Mage, Mindmixer, and Falcon. Don't let the community die!

And of course a BIG thanks go out to Minor Threat and Mucho Mass, for without them this whole textfile would not be possible.

PGP Key signature: PG PH AS BE EN CR AC KE DD OO DZ
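
Added example, not part of the original text file: a Python sketch that builds the grouped list shown earlier (known system types, unknown systems filed under their logon prompt, dead lines kept apart) from raw call notes, the same bookkeeping you would do when inventorying modems found in a survey of your own organization's number range. The note format, the pattern table, the "Dead (no response)" heading and all function names are assumptions; the sample entries are constructed.

```python
import re
from collections import defaultdict

# Banner pattern -> list heading. Assumed patterns; extend as systems get identified.
KNOWN = [
    (re.compile(r"annex command line interpreter", re.I), "Annex Command Line Interpreters"),
    (re.compile(r"\bunix\b|^login:", re.I | re.M), "UNIX systems"),
]

def clean(banner):
    """Drop line-noise characters and blank lines; keep printable ASCII only."""
    text = re.sub(r"[^\x20-\x7e\n]", "", banner)
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def heading_for(banner):
    lines = clean(banner)
    if not lines:
        return "Dead (no response)"
    for pattern, heading in KNOWN:
        if pattern.search("\n".join(lines)):
            return heading
    return '??? - "%s"' % lines[0]  # unrecognised: file under its logon prompt

def build_list(entries):
    """entries: iterable of (number, banner, comment) -> {heading: [line, ...]}."""
    groups = defaultdict(list)
    for number, banner, comment in entries:
        line = number + ("  " + comment if comment else "")
        groups[heading_for(banner)].append(line)
    return dict(groups)

def render(groups):
    out = []
    for heading in sorted(groups):
        out += [heading, "-" * len(heading)] + sorted(groups[heading]) + [""]
    return "\n".join(out)

# Constructed sample notes: (number, captured banner, comment).
SAMPLE = [
    ("555-9911", "SCO UNIX v 3.2\r\nlogin: ", ""),
    ("555-3421", "login: ", "system name: Alcatraz"),
    ("555-0001", "Annex Command Line Interpreter\r\nannex: ", ""),
    ("555-6666", "ENTER USERID:", ""),
    ("555-6667", "\x7f\xfeENTER USERID:\x00\x00", "(bad line noise)"),
    ("555-0042", "", ""),
]

if __name__ == "__main__":
    print(render(build_list(SAMPLE)))
```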