PIM.,PIMPIMPIMPI.      MPIM   IMPIMPIMPI,   .MPIMPIMPIMP MPI,.MPIMPIMPIM.
   MPIMPIMPIMPIMPIM.    PI       IMPIMPIM   PIMPIMPIM      PIMPIMPIMPIMPIMP.
    PIMPI     'MPIMPI             PIMPIMPI  MP IMPIM        IMPIM     `PIMPIM
    PIMPI      MPIMPI PIMPI.      PIM PIMP IMP IMPIM        PIMPI      PIMPIM
    MPIMP    .IMPIMPI  PIMPI      PIM PIMPIMPI MPIMP        PIMPI.   ,MPIMPIM
    MPIMPIMPIMPIMPI'    MPIM      IMP  IMPIMP  IMPIM        PIMPIMPIMPIMPIM'
    MPIMPIMPIMPIM'      PIMP      PIM  PIMPIM  PIMPI        PIMPIMPIMPIMP'
    PIMPI               IMPI      MPI   MPIM   PIMPI        PIMPI
    MPIMP               MPIM      MPI   MPIM   PIMPI        MPIMP
    IMPIM               PIMP      MPI   MPIM   PIMPI        IMPIM
    PIMPI               IMPI      MPI   MPIM   PIMPI        PIMPI
    MPIMP               MPIM      MPI   MPIM   PIMPI        MPIMP
  .IMPIMPI,.           .PIMP.   .MPIMP, IMP'  IMPIMPI.    .IMPIMPI,.
MPIMPIMPIMPIM        IMPIMPIMP MPIMPIMP `IM  PIMPIMPIMPI MPIMPIMPIMPI
------------------------------------------------------------------------------

_ _ _______ _____   ___  ___   ____ _       
      /___/ /___/  /  /  /__)  /_           
 _ __/    _/   \ _/__/ _/__) _/____ _ _  _    _     _      _      _
               /                      I N D U S T R I E S   1 9 9 7

         |
---------+------
  ____   ____   _    _   ____ 
 |  \ | |_  _| | \__/ | | /  |    PROBE INDUSTRIES MAGAZINE PHILES
 | \ _|  _||_  |      | |  /_|    ISSUE NUMBA 13
 |__|   |____| |_|\/|_| |__|      RELEASED: 8/97

                  ----------+---------------------
                            |

========================
Now of avail on the web:

          http://www.dope.org/pimp/
          ==========================


thirteenthirteenthirteenthirteenthirteenthirteenthirteenthirteenthirteen

               p.i.m.p. publicly disclosed members:                   
             ----------------------------------------                           
                                                                    
   fringe -chicago PIMP                    stickman -chicago PIMP    
                                                                    
   subhuman -chicago PIMP                  stash -chicago PIMP 

   insane lineman -chicago PIMP            special-k -germany PIMP
                                                                      
   jello biafra -chicago PIMP              - Q -  -new york PIMP     
                                                                    
   luthor -east coast PIMP                 mastermind -florida PIMP  
   
   smokee -chicago PIMP                    q-ball -chicago PIMP                                           

thirteenthirteenthirteenthirteenthirteenthirteenthirteenthirteenthirteen



This issue has been broken down into three sections.

1.  Hacking
    - Moving through AT&T System 75 and Definity Systems

2.  Decoding Schemes
    - Discussion on how RC-5 decoding works.

3.  H/P scene news that's good to know, but not all good.
    - TRW, now Experian Inc., fucks up!
 


+-------------------------------------+
|   start the lucky 13's pimp issue   |
+-------------------------------------+

Edita's Note: This issue is a concentration of peoples efforts to
              edjumacate peoples on a need to know basis.. either you
              know the things discussed, or you need to.. information
              is meant to be free.. as are we.. information owns all,
              so enjoy a drop of its reign. many submissions are in
              the works for the next issue.. this one is short but i
              kinda wanted to release it on time.. 14 will be due out
              soon.. gotta keep the pimps movin..


+-----------------------+
| section one - hacking |
+-----------------------+

        |                                                   |
     ---+---------------------------------------------------+---
        |                                                   |
                    An informational phile on the
                  AT&T Definity and System 75 / XE
                      contributed by fringe
        |                                                   |
     ---+---------------------------------------------------+---
        |                                                   |

READ ME: just a quik note, please read this whole article through
         thoroughly before using anything that's been said in it.
         this article is for informational purposes and gives a 
         slight overview of *some* things about a sys75 and the 
         likes.  i only typed up what one screen would look like..
         after that i gave up, because scrollbacks don't capture the
         screens all too nicely at all, and i have done enuff typing.

This section is broken down into the following sekshunz:

i.    background
ii.   security violations
iii.  barrier codes, remote access
iv.   trunk groups
v.    access codes
vi.   monitoring
vii.  listing scheduled reports
viii. history logs
ix.   notes


---------------
 i. Background
---------------

     A System 75 system, or the likes, is a PBX computer system.
A PBX stands for private branch exchange in this case (for those that
don't know) and routes phone calls.  These systems hold all different
types of reports, extension information, trunk group information, and
are most liked by peoples who need to divert fone calls or do dialouts.
You rarely will find a System 75 scanning 1-800's, however locally
you can definitely turn up a few in a night.  To give you an example
of who would actually use such a PBX system, just look at any normal
office building.  The following information does not tell you how to
make free fone calls for illegitimate use, but moreso just discusses
how to maneuver around the system for those just starting to play with
them or who are interested.  You can severely fuck up a company's
fone system when in their pbx system; please try NOT to.


First off, there is the basic login sequence.. you'll see the following:

CONNECT 1200
(sometimes 2400, usually 1200 baud though because the top speed for
a data or netcon channel is 1200; there may be a point now where 
you see nothing.. wait 10 seconds and then hit return once)

Login:

followed by the normal

Password:

If you fuck it up, you will get this: INCORRECT LOGIN
If you get in through a valid account, you will get a prompt like this
normally:

Terminal Type (513, 4410, 4425): [513]

513 is set up as the best terminal.. i haven't really tested the others
though.  To do any of the commands listed below, depending on the
account you use, you will have an interesting list available to you.
the browse account basically lets you just display and look at things;
"display whatever" is the syntax for browse.. when you are using a
decent account, you can also use the following actions:

add 
busyout
change
clear
disable
display
duplicate
enable
list
monitor
recycle
release
remove 
reset <-this is dangerous, it's only used to reset the system
save
set
status 
test

the correct syntax for a normal command would be :

action object qualifier

for example:

add trunk-group 17

got it? good.. now these will help you get around:

Esc [ U       -changes to the next page
Esc SB        -save
Esc Ow        -cancel whatever you were doin
Esc Om        -help, if of avail

another way to receive help as to what options you have to use with
what action is to type that action and just put the word help after
it.. it will either give you a list of commands that may be used with
that action, or tell you that you will need an extension number, or
it may say something to the effect of [print] or [schedule].  for
beginners, you won't want to start scheduling things.. when you use
print (without the brackets) it will be displayed on your terminal.

---------------------------------------------------------

Some default accounts you may want to try are as follows:

---------------------------------------------------------
login:         password:
------------------------

browse         looker or browse
enquiry        enquirypw
bcim           bcimpw
rcust          rcustpw
cust           custpw
maint          maintpw
locate         locatepw
bcnas          bcnspw
init           initpw
inads          inadspw or indspw
craft          craftpw or crftpw




I got those from a text file, but there is no one to give credit to so
none granted.  The first two give you like 1/5 of the commands
allowed.. they suck.. but browse/looker is very commonly left in.
The only other two accounts i've accessed sys75's with were craft and
inads, the last two listed.  Both held full access.  The rest, I dunno
about.  If you have attempted hacking this system before, and now you
have finally gotten in thru a good account, not a lame one, then 
you'll want to do the following look-see:



-------------------------
 ii. Security Violations
-------------------------

from the "enter command:" prompt type the following:

list measurements security-violations schedule

if it shows a lot of "hacker" activity, such as a lot of invalid
login attempts on the dial-in port, then do this:

clear measurements security-violations

the only downfall to this command is that the report shows the date it
was last cleared.  You may still come up noticeable.  The list screen
may look somethin like this:

list measurements security-violations


                                     Date:  4:25 pm  FRI JUN 12,  1997


              SECURITY VIOLATIONS MEASUREMENTS


    Number of Invalid Login Attempts
                           Maintenance EIA Port:  0
                       Maintenance Dial-up Port:  2
                  Network Control Dial-up Ports:  7
   

    Number of Invalid Barrier Codes:  8


         Counted Since:  9:33 am MON MAY 14, 1997


Command successfully completed
enter command:




-----------------------------------
 iii. Barrier Codes, Remote Access
-----------------------------------

the invalid barrier codes listed above relate to incorrect codes
entered into their dialup pbx extender.  if the amount is reasonably 
low, it's normal. people tend to misdial now and then.. if it's a high
number, say 132, then chances are peoples are trying to haxor out 
codes..
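
As an added example (not part of fringe's article), here is a small Python
checker written from the administrator's side: it parses a security-violations
screen laid out like the one shown above, sums the invalid logins on the
dial-in ports, flags a barrier-code count of the size the text calls
suspicious, and, because the screen always shows when the counters were
last cleared, also flags a fresh "Counted Since" date. The report text, the
second "cleared" report and the three thresholds are constructed for the
example, not figures from the article or from AT&T.

```python
import re
from datetime import datetime

# Constructed sample laid out like the screen in the text (not a capture from a real switch).
SAMPLE_REPORT = """\
list measurements security-violations

                                     Date:  4:25 pm  FRI JUN 12,  1997

              SECURITY VIOLATIONS MEASUREMENTS

    Number of Invalid Login Attempts
                           Maintenance EIA Port:  0
                       Maintenance Dial-up Port:  2
                  Network Control Dial-up Ports:  7

    Number of Invalid Barrier Codes:  8

         Counted Since:  9:33 am MON MAY 14, 1997

Command successfully completed
enter command:
"""

# Second constructed sample: heavy barrier-code guessing and counters cleared the day before.
CLEARED_REPORT = (SAMPLE_REPORT
                  .replace("Barrier Codes:  8", "Barrier Codes:  132")
                  .replace("9:33 am MON MAY 14, 1997", "11:02 pm WED JUN 11, 1997"))

STAMP = re.compile(r"(\d{1,2}:\d{2})\s*([AaPp][Mm])\s+[A-Za-z]{3}\s+([A-Za-z]{3})\s+(\d{1,2}),\s*(\d{4})")
COUNTER = re.compile(r"^\s*(Maintenance EIA Port|Maintenance Dial-up Port|"
                     r"Network Control Dial-up Ports|Number of Invalid Barrier Codes):\s*(\d+)\s*$", re.M)

# Thresholds are assumptions chosen for this example, not figures from the text or from AT&T.
DIALIN_LOGIN_LIMIT = 5      # invalid logins on the dial-in ports worth a look
BARRIER_CODE_LIMIT = 50     # the text treats ~132 bad barrier codes as a sign of code guessing
MIN_COUNT_WINDOW_DAYS = 7   # a "Counted Since" this recent means someone cleared the counters


def parse_stamp(line):
    """Turn '4:25 pm  FRI JUN 12,  1997' into a datetime; the weekday token is ignored."""
    m = STAMP.search(line)
    if not m:
        return None
    hm, ampm, mon, day, year = m.groups()
    return datetime.strptime(f"{hm} {ampm} {mon} {day} {year}", "%I:%M %p %b %d %Y")


def parse_report(text):
    """Return (counters, report date, counting-since date) from the screen text."""
    counters = {label: int(n) for label, n in COUNTER.findall(text)}
    lines = text.splitlines()
    date_line = next((ln for ln in lines if "Date:" in ln), "")
    since_line = next((ln for ln in lines if "Counted Since:" in ln), "")
    return counters, parse_stamp(date_line), parse_stamp(since_line)


def assess(text):
    """Findings a PBX administrator would want raised from one security-violations screen."""
    counters, now, since = parse_report(text)
    findings = []
    since_label = f" since {since:%b %d}" if since else ""
    dialin = (counters.get("Maintenance Dial-up Port", 0)
              + counters.get("Network Control Dial-up Ports", 0))
    if dialin >= DIALIN_LOGIN_LIMIT:
        findings.append(f"{dialin} invalid logins on dial-in ports{since_label}")
    bad_codes = counters.get("Number of Invalid Barrier Codes", 0)
    if bad_codes >= BARRIER_CODE_LIMIT:
        findings.append(f"{bad_codes} invalid barrier codes: remote-access code guessing likely")
    if now and since and (now - since).days < MIN_COUNT_WINDOW_DAYS:
        findings.append(f"counters cleared on {since:%b %d %H:%M}; check the history log for who did it")
    return findings


if __name__ == "__main__":
    for report in (SAMPLE_REPORT, CLEARED_REPORT):
        for finding in assess(report):
            print("-", finding)
        print()
```

The "Counted Since" check is the useful one: the counters themselves can be
cleared by anyone with the clear action, but the clearing leaves that date on
the screen, so a short counting window is itself worth correlating with the
history log.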

if there is a pbx on the system, the dialout number will be shown and
then there will be barrier codes listed.  ONLY the last four digits of
the pbx will be shown; the prefix usually will be the same as the
number you have dialed.  to see what is set up for remote-access, type:

display remote-access

if you are using a decent account, such as craft or one with powers
that let you use the change command, you can type:

change remote-access

and enter in yer own barrier codes to dialout off of their pbx with.
i've read about 6 philes that are old that tell you how to "set-up"
yer own pbx on the system if one isn't set up.. with the manual i 
have and the philes i have, it still has not werked,.. maybe i just
suck with these things.  if the pbx is already set up for extender
use, then adding nonbillable codes is easy.




------------------
 iv. Trunk Groups
------------------


There may be various "trunk-groups" on a System 75.  Each trunk group
serves its own purpose.  trunk group 1 may be for a company on one 
floor, while trunk group 2 may be for another company on a different 
floor.  use:

display trunk-group #

to display the # specified.. you will see various information as to 
what peoples who use that group are allowed to do.  this is all
specified by the COR (Class of Restriction).. it's a number between
0 and 63 that indicates what restrictions are assigned to voice
terminals, their groups, trunk groups, and data modules. you will
also see the group name of course, and a nite service extension 
among other things of little interest.  if you want to find out what
all the extensions are to that trunk, go to the next page and you 
will see the last 4 digits of the dialin numbers.



-----------------
 v. Access Codes
-----------------

Access Codes can be a 1, 2, or 3 digit dial code used to activate or 
cancel a feature or access an outgoing trunk.  The star * and the 
pound # can be used as the first digit of an access code.

There are access codes that can also be set up internally on the pbx..
they are known as Trunk Access Codes (TAC) and Feature Access Codes
(FAC).




----------------
 vi. Monitoring
----------------

Yes, you can do this.  since you are in the system itself, it's not
as though you can monitor actual conversations; however you can
monitor all trunk traffic by doing the following command:

monitor traffic trunk-groups

you will see five separate columns of characters and then 3 more
headers just like it.  the five columns are #, S, A, Q, and W.

# is the group number. it should be a number between 1-99 that will
  identify the trunk group in use.

S is the group size.  it lists however many trunks are administered
  for that trunk group in particular.  the range of possible numbers
  is system dependent, but is usually 1-60.

A is the active group members.  it lists however many trunk members in
  a group are active on a call.  'busied out' trunks are *not* active.

Q is the queue length.. that being the length of whatever queue was
  administered for the group.

W is the number of calls waiting in the group's queue.
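
As an added example (not from the article): a Python parser for the
five-column monitor block just described, with a check that flags a trunk
group that is saturated (A equal to S with calls waiting) or busy at an hour
when it should be idle, which is the kind of "anything weird" an
administrator watching the monitor wants pulled out automatically. The two
snapshots, the night window and the utilisation threshold are constructed
for the example; a real screen shows four such blocks side by side.

```python
# Constructed snapshots of the "#  S  A  Q  W" block the text describes, one taken during
# the business day and one at 3 a.m. The pairs are (clock, screen text).
SNAPSHOT_DAY = ("14:00", """\
  #   S   A   Q   W
 17  24  19   4   0
 18  12   6   0   0
 22   4   2   0   0
""")
SNAPSHOT_NIGHT = ("03:00", """\
  #   S   A   Q   W
 17  24  24   4   3
 18  12   0   0   0
 22   4   0   0   0
""")


def parse_trunk_monitor(text):
    """Rows of the block as {group: {"size": S, "active": A, "queue": Q, "waiting": W}}."""
    groups = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and all(p.isdigit() for p in parts):   # skips the header row
            n, s, a, q, w = map(int, parts)
            groups[n] = {"size": s, "active": a, "queue": q, "waiting": w}
    return groups


def unusual_groups(clock, groups, night=("22:00", "06:00"), night_max_util=0.25):
    """Flag saturated groups and groups busy at night.

    clock and the night window are "HH:MM" strings, which compare correctly as text;
    the window and the threshold are assumptions for this example, not switch settings."""
    is_night = clock >= night[0] or clock < night[1]
    flagged = []
    for n, g in sorted(groups.items()):
        if g["size"] == 0:
            continue
        util = g["active"] / g["size"]
        if g["active"] == g["size"] and g["waiting"] > 0:
            flagged.append((n, f"all {g['size']} trunks busy, {g['waiting']} calls waiting"))
        elif is_night and util > night_max_util:
            flagged.append((n, f"{util:.0%} of trunks active at {clock}"))
    return flagged


if __name__ == "__main__":
    for clock, screen in (SNAPSHOT_DAY, SNAPSHOT_NIGHT):
        for n, why in unusual_groups(clock, parse_trunk_monitor(screen)):
            print(f"{clock} trunk-group {n}: {why}")
```

A trunk group that is fully busy with calls queued at three in the morning
is the classic sign of someone else's calls riding the company's trunks; the
same figures at two in the afternoon are just a busy office.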

another way of monitoring the system is to use this other format:

monitor system view1

You can also use view2 instead, but view1 gives you the same sight
as view2 but also has the hunt groups measurements listed.  on this
page you will see a different format of the traffik status.  first
off you have the :

Attendant Status : shows the activated attendant consoles and 
                   deactivated attendant consoles. activated means
                   an "agent's" headset or handset is plugged in and
                   the console isn't busied out or set up for night
                   service.

Maintenance Status: shows the number of alarms (including major and
                    minor alarms) that may indicate problems on 
                    trunks, stations, and other resources.  The
                    alarm(s) may have already been found out and
                    acknowledged.  use display alarms to check on
                    this.. Y means they've been found out and noticed,
                    N means they haven't.

Traffic Status: the "view" displays call handling for trunk, hunt, 
                and attendant groups.  it indicates the number of
                queued and abandoned calls.  in the trunk group
                measurements, only the four trunk group numbers with
                the highest percentage blocking are listed. they
                have their calls displayed as INC (incoming), OUT
                (outgoing), and TWO (two-way).


monitoring traffic analysis is a good thing,.. because of it, you can
see if anything weird may be going on while you are inside the system.
usually, it's best to enter these systems late night, in case you 
alter something incorrectly disturbing fone service temporarily..
it's better to go unnoticed eh? but nonetheless.. ya gotta watch the
watchers.. that's where this command comes in.




--------------------------------
 vii. Listing Scheduled Reports
--------------------------------

on the Manager I system, you can use:

list report-scheduler

to see what reports have been scheduled for printing..
if you put schedule on the end of a command, this is where the "job"
goes.  you will see the following things on the screen:

- Job Id: this shows the report identification number, it's 1-50, and
          is provided by the system.

- Command: this will show what command is scheduled to be executed

- Print interval: this field has 3 options: immediate, scheduled, and
                  deferred.  if it isn't immediate, then you will see:

- Print Time: this will be in military time, ie 21:15, and below that
              you will see a list of every day of the week with a y or
              n after it, in regards to which day it will be done; 
              whether it be scheduled or deferred.


you can use the change action to edit out any scheduled reports that
shouldn't be there, y'know what i mean.. say you have been 
contributing to a lot of heavy activity on the system one day, and 
you notice that they are going to print out the "list history" command
every night.. all your transactions are stored in a log and will be
printed.. i have actually found a few systems that do not use this log
but nonetheless.. it's good to check on these things. read on for more
about listing your history on the system..




--------------------
 viii. History Logs
--------------------

these can be brutally dangerous in terms of getting caught.. once you
are found out having been inside the system, unless you diverted really
decently you can easily be nailed.  Ma Bell doesn't like when you play
with her PBXes... and remember the ESS switches of today log everything.
you can list your history by doing the following:

list history

simple eh? you will get a list of dates and times and the port used
and the login used and the action used and the object used and any
qualifier that was used with it; in respect to changing/listing things
on the system. for example,

list station 4382


If you look in the history log, you will see what every person that
logged in did on the system, what time they did it, and even what
port they came in offa.. actually, only if it's data affecting, such
as changing or bridging extensions and the sort, will it be in there..
all the displaying of trunks and the like should not be in there.  the
only sys75's i've been in that actually have used this, i've only had
access with the browse account.. ones that i've used craft and the
likes in, they didn't have a history to be listed.. methinx it was 
disabled.  but if you have a good account that can do things, see if
you can clear or change your history.. since you may need to if you
make changes a little too obviously.

if you cannot remove the history log, nor change it..
then make EVERY attempt to change or remove the translations.. such as

remove translations

translations are what is saved to the tape backup every week.. when 

save translations

is performed, the history gets kopied to the tape backup... so when 
the system cold starts or reboots, the log is loaded from the tape.
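
As an added example (not fringe's code): a Python audit of a "list history"
log from the administrator's side. The text says the log records date, time,
port, login, action, object and qualifier, so the constructed sample below
uses that field order; the real screen layout is not shown in the article
and the column format, the port names and the business hours here are all
assumptions. It flags the commands this article itself names as ways of
covering tracks (change remote-access, clear measurements, remove
translations, change report-scheduler), plus vendor maintenance logins and
after-hours sessions arriving over the dial-in ports.

```python
import re
from datetime import datetime, time

# Constructed sample. Field order (date, time, port, login, action, object, qualifier)
# follows the text's description; the exact layout and port names are assumptions.
SAMPLE_HISTORY = """\
06/11/97 23:04 MAINT-DIALUP  craft   change   remote-access
06/11/97 23:06 MAINT-DIALUP  craft   clear    measurements security-violations
06/12/97 02:40 NETCON-DIALUP inads   remove   translations
06/12/97 08:15 EIA           cust    display  trunk-group 17
06/12/97 09:02 EIA           cust    change   station 4382
06/12/97 14:30 EIA           cust    change   report-scheduler 12
"""

ENTRY = re.compile(r"^(\d\d/\d\d/\d\d)\s+(\d\d:\d\d)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\S.*))?$")

# (action, object) pairs the article itself discusses as ways of hiding activity.
SENSITIVE = {
    ("change", "remote-access"): "barrier codes edited",
    ("clear", "measurements"): "security-violation counters cleared",
    ("remove", "translations"): "translations removed",
    ("change", "report-scheduler"): "scheduled report altered",
}
VENDOR_LOGINS = {"craft", "inads", "init"}          # maintenance logins named in the text
DIALIN_PORTS = {"MAINT-DIALUP", "NETCON-DIALUP"}    # constructed port names
BUSINESS_HOURS = (time(7, 0), time(19, 0))          # assumption for the example


def parse_history(text):
    """Parse history lines into dicts; lines that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        date, clock, port, login, action, obj, qual = m.groups()
        rows.append({"when": datetime.strptime(f"{date} {clock}", "%m/%d/%y %H:%M"),
                     "port": port, "login": login, "action": action,
                     "object": obj, "qualifier": qual or ""})
    return rows


def audit(rows):
    """Return (when, login, command, reasons) for every entry worth a second look."""
    findings = []
    for r in rows:
        reasons = []
        label = SENSITIVE.get((r["action"], r["object"]))
        if label:
            reasons.append(label)
        after_hours = not (BUSINESS_HOURS[0] <= r["when"].time() < BUSINESS_HOURS[1])
        if r["port"] in DIALIN_PORTS and after_hours:
            reasons.append("dial-in session outside business hours")
        if r["port"] in DIALIN_PORTS and r["login"] in VENDOR_LOGINS:
            reasons.append(f"vendor login '{r['login']}' over dial-in; confirm a service call was open")
        if reasons:
            command = f"{r['action']} {r['object']} {r['qualifier']}".strip()
            findings.append((r["when"], r["login"], command, reasons))
    return findings


if __name__ == "__main__":
    for when, login, command, reasons in audit(parse_history(SAMPLE_HISTORY)):
        print(f"{when:%m/%d %H:%M} {login:<6} {command:<40} {'; '.join(reasons)}")
```

Because the text notes the log only records data-affecting commands, a quiet
log proves little; what the audit catches is the handful of changes that
alter who can get in or what gets reported, which are exactly the ones worth
confirming with whoever holds the maintenance contract.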




-----------
 ix. NOTES 
-----------

a few things to remember when working on system 75's:

whenever you are changing an option that has a qualifier on the end 
for time, if you decide to put in the time it MUST be in military 
time..

if you use schedule as a qualifier for a command, it won't do anything
but schedule it to be printed.. which isn't a good thing.

you may want to peruse a system's activity before working on it..
such as see how often maintenance is done thru the dial in.. this way
you will have a better handle as to how easily your work may be 
noticed.. i know it's common sense.. but it's not always too common.


+------------------
      a side note
       --------------+

i know this did not get all too technical as to setting up a hidden
pbx or elsewise.. it is an overview of what to check as you learn 
while using the system.. using the word help after an action usually
gives you a good feel as to what to do.. and if you know/have studied
telecommunications, you will find most of the terms familiar.  if you
have a question on anything in particular, please email me

fringe@dope.org

i want to give special thanx to pluto in jersey, it's been years man..
and i still appreciate the hell outta this manual you hooked me up
with.. also if anyone wants to order sys75 manuals, the info is below.

however, they AREN'T CHEAP! (methinx they're like $80 a pop)

To order manuals, call AT&T Customer Information Center at
1-800-432-6600; unless you're in Canada, then call 1-800-255-1242

or you can write to:

AT&T Customer Information Center
2855 North Franklin Road
P.O. Box 19901
Indianapolis, IN  46219-1385

there are way too many manuals to list.. the best thing to do is to
order this:

Definity Communications System Generic 1 and System 75 
- Documentation Guide

Order No: 555-200-010

this will give ya the dox on all their manuals.. there has to be 30-40
around.. if you are looking for the order number to a specific one,
drop me a line.

   |
---+--------
   | 
         Sys75 phile number 1, done

                                         |
                              -----------+---
                                         |
---END SYS75---




+------------------------------+
| section two - Coding Schemes |
+------------------------------+

*--------------------------------------------------------------*

Instructions in decoding RC5 - by special-k (special-k@dope.org)

*--------------------------------------------------------------*


This rather mathematical description shows how RC5-32/1/* (32-bit words,
one round, any key length) can be broken when some plaintext is known.

In spite of the good statistical qualities of this cipher, it will possibly
be sufficient to know merely 2 word pairs of the original text and the
corresponding encrypted text in order to recover the key and the text.

Attacks of this kind should always be expected. One round of RC5 is
described as follows (further information later):

A0 = A + S0;
B0 = B + S1;
A1 = ((A0 ^ B0) <<< B0) + S2;                              (1)
B1 = ((B0 ^ A1) <<< A1) + S3;                              (2)

Solving (2) for S1, with k2 = A1 mod 32 the rotation amount of that step:

S1 = (((B1 - S3) >>> k2) ^ A1) - B                         (3)

Now we choose two word pairs with different k2 among those which are
available.  The difference of these k2 should be as small as possible.
This is theoretically not always possible, but in this case we ignore it.
Having 4 different k2, the difference can be less than or equal to 8.
We subtract the instance of (3) for the pair with the greater k2 from
the instance for the pair with the smaller k2 and get the following
equation:

(X>>>K)^P - ((X+D)>>>L)^Q = R

with L-K=S > 0 and with K, L, D, P, Q and R known.

This equation may not have a unique solution, but all the possible X
can be found in this way.

We now choose the s bits

x[K],...,x[L-1] of X (bit positions run from 0 to 31)

and determine from them the s bits

y[L],...,y[L+S-1] of X+D, where the indices wrap around:
y[32] = y[0], y[33] = y[1], etc.

Depending on whether a carry into bit L emerged from the addition
of X and D, the s bits x[L],...,x[L+S-1] of X will possibly be ambiguous
due to the carry.

We now determine the following s bits of X in a similar way; the
possible carry into them has been found by then.

After the (32/S+1) steps we arrive at the already given bits and can
check for which values of x[K],...,x[L-1] it worked out.

Perhaps only a few solutions of X will remain, if you are lucky, only one.
The smaller s is, the smaller also the imaginable variety of solutions.

We now determine S3 for each X which we found, and for each S3 we
determine B0 and in turn S1.

We can then use equation (1) for each word pair in the same way, since
B0 and therefore the rotation amount k1 are now known.

Consequently, the determination of S0 and S2 is analogous to that of
S1 and S3, perhaps with two other word pairs as well.

Thus, we are already holding the key in our hands. w00p!@$#

Should there be several solutions, we can check them with further word
pairs.  If need be, we can generate the original text on trial and
check it with regard to readability and sense.
In theory, there are of course several keys possible. However, this is 
not what we care about because we want to get the original text.

I worked out this method after several considerations and it can be
adapted for any computer programme without any problems.

Our results have been impressive: in all the cases we tested, three word
pairs (this means 24 bytes) of the original text were sufficient to
calculate the complete key definitely (and consequently the original
text) within 2ms using a Pentium-133, ESIX V.4.2, PoC <- only onkeld
knows what this means).

In addition, our method illustrates the kind of methods analysts use
today when tackling problems in cryptography.

The RC5 encryption in pseudocode (A and B are the two 32-bit words of
the block):

A = A + S[0];
B = B + S[1];
for i = 1 to r do
    A = ((A ^ B) <<< B) + S[2*i];
    B = ((B ^ A) <<< A) + S[2*i+1];

The explanations of the instructions:

X <<< Y         The word X rotates by Y bits to the left
^               The bitwise exclusive or (XOR)
                (in German: das bitweise ausschliessende Oder)
S[]             The key (the expanded key table)
r               The number of rounds
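
As an added example (my code, not special-k's and not part of the zine), the
following Python implements RC5-32/r encryption from the pseudocode above
and carries the one-round key recovery through end to end. solve_rotxor
solves the equation (X>>>K)^P - ((X+D)>>>L)^Q = R exactly as the text
describes: guess the s bits x[K..L-1], then derive the rest one bit at a
time, tracking the carry of X+D. recover_round1_key applies it first to
equation (3), which yields S3 and S1, then to equation (1) with B0 now
known, which yields S2 and S0, and keeps only candidates that re-encrypt
every pair. The function names, the sample key SECRET_S and the four
plaintext blocks are constructed for the example. The point of running it
is that with r=1 a few known blocks give the whole expanded key, which is
why real RC5 is used with twelve or more rounds.

```python
MASK = 0xFFFFFFFF


def rotl(x, y):
    """Rotate the 32-bit word x left by y bits (only the low 5 bits of y count, as in RC5)."""
    y &= 31
    return ((x << y) | (x >> (32 - y))) & MASK


def rotr(x, y):
    """Rotate the 32-bit word x right by y bits."""
    y &= 31
    return ((x >> y) | (x << (32 - y))) & MASK


def rc5_encrypt(a, b, s, rounds):
    """Encrypt one block (a, b) with expanded key s[0..2r+1], as in the pseudocode above."""
    a = (a + s[0]) & MASK
    b = (b + s[1]) & MASK
    for i in range(1, rounds + 1):
        a = (rotl(a ^ b, b) + s[2 * i]) & MASK
        b = (rotl(b ^ a, a) + s[2 * i + 1]) & MASK
    return a, b


def solve_rotxor(k, p, d, l, q, r):
    """All X with ((X>>>k)^p) - (((X+d)>>>l)^q) == r (mod 2^32), for s = (l-k) % 32 > 0.

    Guess the s bits x[k..l-1]. Bit i of (U^p)-r, with U = X>>>k, depends only on bits
    0..i of U, which are in hand, so each step gives bit l+i of X+d and, through the
    carry chain, bit l+i of X. The carry into bit l is the one unknown, so it is guessed."""
    s = (l - k) % 32
    if s == 0:
        raise ValueError("the two rotation amounts must differ")
    found = set()
    for guess in range(1 << s):
        for carry_guess in (0, 1):
            x = sum(((guess >> j) & 1) << ((k + j) % 32) for j in range(s))
            u, carry = 0, carry_guess
            for i in range(32 - s):
                pos = (l + i) % 32                       # bit of X derived in this step
                if pos == 0:
                    carry = 0                            # nothing carries into the lowest bit
                u |= ((x >> ((k + i) % 32)) & 1) << i    # bit i of U is known by now
                sum_bit = ((((u ^ p) - r) & MASK) >> i & 1) ^ ((q >> i) & 1)   # bit pos of X+d
                d_bit = (d >> pos) & 1
                x_bit = sum_bit ^ d_bit ^ carry
                carry = (x_bit & d_bit) | (carry & (x_bit ^ d_bit))
                x |= x_bit << pos
            if ((rotr(x, k) ^ p) - (rotr((x + d) & MASK, l) ^ q)) & MASK == r:
                found.add(x)
    return sorted(found)


def closest_pair(amounts):
    """Indices (a, b) whose rotation amounts give the smallest positive s = (amt_b - amt_a) % 32."""
    best = min(((kb - ka) % 32, a, b) for a, ka in enumerate(amounts)
               for b, kb in enumerate(amounts) if (kb - ka) % 32 > 0)
    return best[1], best[2]


def recover_round1_key(pairs):
    """Recover S[0..3] of RC5-32/1 from known ((A, B), (A1, B1)) plaintext/ciphertext pairs."""
    keys = []
    # Step 1: equation (3) for two pairs, subtracted, is the X equation with X = B1 - S3.
    ia, ib = closest_pair([a1 & 31 for _, (a1, _) in pairs])
    (_, ba), (a1a, b1a) = pairs[ia]
    (_, bb), (a1b, b1b) = pairs[ib]
    for x in solve_rotxor(a1a & 31, a1a, (b1b - b1a) & MASK, a1b & 31, a1b, (ba - bb) & MASK):
        s3 = (b1a - x) & MASK
        s1 = ((rotr(x, a1a) ^ a1a) - ba) & MASK
        if any(((rotr((b1 - s3) & MASK, a1) ^ a1) - b) & MASK != s1 for (_, b), (a1, b1) in pairs):
            continue                                     # S1/S3 must fit every known pair
        # Step 2: B0 = B + S1 is now known, so equation (1) gives X' = A1 - S2 the same way.
        b0 = [(b + s1) & MASK for (_, b), _ in pairs]
        ic, ie = closest_pair([v & 31 for v in b0])
        (ac, _), (a1c, _) = pairs[ic]
        (ae, _), (a1e, _) = pairs[ie]
        for xp in solve_rotxor(b0[ic] & 31, b0[ic], (a1e - a1c) & MASK, b0[ie] & 31, b0[ie], (ac - ae) & MASK):
            cand = [((rotr(xp, b0[ic]) ^ b0[ic]) - ac) & MASK, s1, (a1c - xp) & MASK, s3]
            if all(rc5_encrypt(pa, pb, cand, 1) == ct for (pa, pb), ct in pairs):
                keys.append(cand)
    return keys


SECRET_S = [0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344]     # constructed expanded key
PLAINTEXT = [(0x50494D50, 0x20313320), (0x64656669, 0x6E697479),  # constructed blocks (A, B)
             (0x74727569, 0x6E6B2D67), (0x73797374, 0x656D3735)]


def demo():
    """Encrypt the constructed blocks, then recover the key from the pairs alone."""
    pairs = [(pt, rc5_encrypt(pt[0], pt[1], SECRET_S, 1)) for pt in PLAINTEXT]
    return SECRET_S, recover_round1_key(pairs)


if __name__ == "__main__":
    secret, found = demo()
    print("secret:   ", [f"{v:08x}" for v in secret])
    for cand in found:
        print("recovered:", [f"{v:08x}" for v in cand])
```

Four pairs are used rather than the two the text needs so that closest_pair
can pick rotation amounts close together, which keeps the guessed window s
small and the candidate list short, matching the "4 different k2" remark
above. As the text also says, more than one key may fit; the final
re-encryption check keeps every key consistent with all the pairs.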




Copyright (c) and all other stuff by special-k 
special-k@dope.org
For suggestions and pizza contact me!

---END RC5 Decoding---




+----------------------------------+
| section three - h/p related news |
+----------------------------------+
--------------------
 news for the scene 
-------------------+

TRW Finds A New Way to Violate Our Privacy!
8/97

     Earlier this month, Experian Inc., one of the nation's largest
repositories of credit inphormation for everyone had to shut down a
new service they provided on the internet.  They claim a huge mistake
incurred due to a software glitch.  This glitch violated some federal
laws and your privacy.

     Experian Inc. is TRW's new name, and with that name came a whole 
new level of stupidity.  Their new service let people get a copy of
their credit history via the net for only $8.00.  One problem, when
someone submitted their information to get their form, instead of 
getting their form, they received someone else's confidential 
information.. that's right, your credit card information, all known
addresses that you have lived at, everything may have just been handed
to someone else.  This made the Washington Post and Chicago Tribune.
Both reporters who did the story tried the new service and verified that
they got someone else's information.  Thousands of people hit their
web site, and were not only disappointed, but probably sincerely 
screwing themselves over with their report request sending their 
report into someone else's e-mail.  Ed Mierzwinski of the U.S. Public
Interest Research Group said "We are gravely concerned that Experian
went into this too soon and their system is vulnerable to hackers and
it is grossly inadequate to protect consumer privacy."  It's 3AM, do 
you know where your codes are? outtie -fringe


---END NEWS---
+---------------------+
|  end pimp thirteen  |
+---------------------+



¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,
  _  _______ ______   ___   ___   ____ _      
       /___/  /___/  /  /  /__)  /_           
  _ __/     _/   \ _/__/ _/__) _/____ _ _ _
                 /                           I N D U S T R I E S
¼,¼,¼,¼,¼,¼,¼,¼,/¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,  M A G A Z I N E
                                             P H I L E S    1 9 9 7


╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫
╫                                                                    ╫
╫  the following boards listed hold true to the scene and if you     ╫
╫  are deep into h/p and the likes, i suggest you give them a call.  ╫
╫  some are gone and i haven't kept up with all of them.. most       ╫
╫  should be all good.                                               ╫
╫                                                                    ╫
╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫


Apocalypse 2000 - H/P/Punk/Ska/Rave/home of the PIMPS!
+1-847-831-0484 - *NO* ratio. 1 gig online. 
(^^^^^^^^^^^^^^ New Number)

The Centre' - H/P, more than a gig online plus cd's.
+1-207-490-2158

Poison Pen - H/P, *NO* ratio
+1-847-966-2095 
(^^^^^^^^^^^^^^ Yet, ANOTHER New Number)

Moo 'n' Oink - H/P 
+1-847-256-5928

Microcosm - H/P
+1-904-484-5548

Underworld 96
**(514) toast**

Aneurysm - H/P - NUP: Discipline
+1-514-458-9851

Last Territory - H/P
+1-514-565-9754

Linoleum - H/P
**(704) toast**

Hacker's Haven - H/P
+1-303-343-4053

Digital Disturbance - H/P
**(516) toast**

Hacker's Hideaway - H/P
+1-416-534-0417

TOTSE - H/P and crazy other amounts of info
+1-510-935-5845

The Switchboard - H/P
+011-31-703-584-868

Arrested Development - H/P
+31 ***TOAST** and will be missed.


----- If you'd like to write for PIMP, you can send any and all worx
      to pimp@dope.org

      all worx will be looked at and considered.  all credit is always
      going to be given to whomever the giver is, unless you would 
      rather not be known.  PIMP Issue numba thirteen, outtie.