Power Hacker 2003

home *** CD-ROM | disk | FTP | other *** search

/ Power Hacker 2003 / Power_Hacker_2003.iso / E-zine / Magazines / pimp / pimp13.luk < prev next >

Wrap

Text File | 2002-05-27 | 28.7 KB | 818 lines

PIM.,PIMPIMPIMPI. MPIM IMPIMPIMPI, .MPIMPIMPIMP MPI,.MPIMPIMPIM. MPIMPIMPIMPIMPIM. PI IMPIMPIM PIMPIMPIM PIMPIMPIMPIMPIMP. PIMPI 'MPIMPI PIMPIMPI MP IMPIM IMPIM `PIMPIM PIMPI MPIMPI PIMPI. PIM PIMP IMP IMPIM PIMPI PIMPIM MPIMP .IMPIMPI PIMPI PIM PIMPIMPI MPIMP PIMPI. ,MPIMPIM MPIMPIMPIMPIMPI' MPIM IMP IMPIMP IMPIM PIMPIMPIMPIMPIM' MPIMPIMPIMPIM' PIMP PIM PIMPIM PIMPI PIMPIMPIMPIMP' PIMPI IMPI MPI MPIM PIMPI PIMPI MPIMP MPIM MPI MPIM PIMPI MPIMP IMPIM PIMP MPI MPIM PIMPI IMPIM PIMPI IMPI MPI MPIM PIMPI PIMPI MPIMP MPIM MPI MPIM PIMPI MPIMP .IMPIMPI,. .PIMP. .MPIMP, IMP' IMPIMPI. .IMPIMPI,. MPIMPIMPIMPIM IMPIMPIMP MPIMPIMP `IM PIMPIMPIMPI MPIMPIMPIMPI ------------------------------------------------------------------------------ _ _ _______ _____ ___ ___ ____ _ /___/ /___/ / / /__) /_ _ __/ _/ \ _/__/ _/__) _/____ _ _ _ _ _ _ _ / I N D U S T R I E S 1 9 9 7 | ---------+------ ____ ____ _ _ ____ | \ | |_ _| | \__/ | | / | PROBE INDUSTRIES MAGAZINE PHILES | \ _| _||_ | | | /_| ISSUE NUMBA 13 |__| |____| |_|\/|_| |__| RELEASED: 8/97 ----------+--------------------- | ======================== Now of avail on the web: http://www.dope.org/pimp/ ========================== thirteenthirteenthirteenthirteenthirteenthirteenthirteenthirteenthirteen p.i.m.p. publicly disclosed members: ---------------------------------------- fringe -chicago PIMP stickman -chicago PIMP subhuman -chicago PIMP stash -chicago PIMP insane lineman -chicago PIMP special-k -germany PIMP jello biafra -chicago PIMP - Q - -new york PIMP luthor -east coast PIMP mastermind -florida PIMP smokee -chicago PIMP q-ball -chicago PIMP thirteenthirteenthirteenthirteenthirteenthirteenthirteenthirteenthirteen This issue has been broken down into three sections. 1. Hacking - Moving through AT&T System 75 and Definity Systems 2. Decoding Schemes - Discussion on how RC-5 decoding works. 3. H/P scene news that's good to know, but not all good. - TRW, now Experian Inc., fucks up! +-------------------------------------+ | start the lucky 13's pimp issue | +-------------------------------------+ Edita's Note: This issue is a concentration of peoples efforts to edjumacate peoples on a need to know basis.. either you know the things discussed, or you need to.. information is meant to be free.. as are we.. information owns all, so enjoy a drop of its reign. many submissions are in the works for the next issue.. this one is short but i kinda wanted to release it on time.. 14 will be due out soon.. gotta keep the pimps movin.. +-----------------------+ | section one - hacking | +-----------------------+ | | ---+---------------------------------------------------+--- | | A informational phile on the AT&T Definity and System 75 / XE contributed by fringe | | ---+---------------------------------------------------+--- | | READ ME: just a quik note, please read this whole article through thoroughly before using anything that's been said in it. this article is for informational purposes and gives a slight overview of *some* things about a sys75 and the likes. i only typed up what one screen would look like.. after that i gave up, because scrollbacks don't capture the screens all too nicely at all, and i have done enuff typing. This section is broken down into the following sekshunz: i. background ii. security violations iii. barrier codes, remote access iv. trunk groups v. access codes vi. monitoring vii. listing scheduled reports viii. history logs ix. notes --------------- i. Background --------------- A System 75 system, or the likes, is a pbx computer system. A PBX stands for private branch exchange in this case (for those that don't know) and routes phone calls. These systems hold all different types of reports, extension information, trunk group information, and most liked to peoples who need to divert fone calls, dialouts. You rarely will find a System 75 scanning 1-800's, however locally you can definately turn up a few in a night. To give you an example of who would actually use such a PBX system, just look at any normal office building. The following information does not tell you how to make free fone calls for illegitamate use, but moreso just discusses how to manuever around the system for those just starting to play with them or whom are interested. You can severely fuck up a company's fone system when in their pbx system; please try NOT to. First off, there is the basic login sequence.. you'll see the following: CONNECT 1200 (sometimes 2400, usually 1200 baud though because the top speed for a data or netcon channel is 1200; there may be a point now where you see nothing.. wait 10 seconds and then hit return once) Login: followed by the normal Password: If you fuck it up, you will get this: INCORRECT LOGIN If you get in through a valid account, you will get a prompt like this normally: Terminal Type (513, 4410, 4425): [513] 513 is set up as the best terminal..i haven't really tested the others though. To do any of the commands listed below, depending on the account you use, you will have an interesting list available to you. the browse account basically lets you just display and look at things. display whatever is the syntax for browse.. when you are using a decent account, you can also use the following actions: add busyout change clear disable display duplicate enable list monitor recycle release remove reset <-this is dangerous, it's only used to reset the system save set status test the correct syntax for a normal command would be : action object qualifier for example: add trunk-group 17 got it? good.. now these will help you get around: Esc [ U -changes to the next page Esc SB -save Esc Ow -cancel whatever you were doin Esc Om -help, if of avail another way to receive help as to what options you have to use with what action, is to type that action and just put the word help after it.. it will either give you a list of commands that may be used with that action, or tell you that you will need an extension number, or it may say something to the effect of [print] or [schedule], for beginners, you won't want to start scheduling things,.. when you use print (without the brackets) it will be displayed on your terminal. --------------------------------------------------------- Some default accounts you may want to try are as follows: --------------------------------------------------------- login: password: ------------------------ browse looker or browse enquiry enquirypw bcim bcimpw rcust rcustpw cust custpw maint maintpw locate locatepw bcnas bcnspw init initpw inads inadspw or indspw craft craftpw or crftpw I got those from a text file, but there is no one to give credit to so none granted. The first two give you like 1/5 of the commands allowed.. they suck.. but browse/looker is very commonly left in. The only other two accounts i've accessed sys75's with were craft and inads, the last two listed. Both held full access. The rest, I dunno about. If you have attempted hacking this system before, and now you have finally gotten in thru a good account, not a lame one, then you'll want to do the following look-see: ------------------------- ii. Security Violations ------------------------- from the "enter command:" prompt type the following: list measurements security-violations schedule if it shows a lot of "hacker" activity, such as a lot of invalid login attempts on the dial-in port, then do this: clear measurements security violations the only downfall to this command is that it says the date it was last cleared. You may still come up noticeable. The list screen may look somethin like this: list measurements security violations Date: 4:25 pm FRI JUN 12, 1997 SECURITY VIOLATIONS MEASUREMENTS Number of Invalid Login Attempts Maintenance EIA Port: 0 Maintenance Dial-up Port: 2 Network Control Dial-up Ports: 7 Number of Invalid Barrier Codes: 8 Counted Since: 9:33 am MON MAY 14, 1997 Command successfully completed enter command: ----------------------------------- iii. Barrier Codes, Remote Access ----------------------------------- the invalid barrier codes listed above relate to incorrect codes entered into their dialup pbx extender. if the amount is reasonably low, it's normal. people tend to misdial now and then.. if it's a high number, say 132, then chances are peoples are trying to haxor out codes.. if there is a pbx on the system, the dialout number will be shown and then there will be barrier codes listed. ONLY the last four digits of the pbx will be shown, the prefix usually will be the same as the number you have dialed. to see what is set up for remote-access,type: display remote-access if you are using a decent account, such as craft or one with powers that let you use the change command, you can type: change remote-access and enter in yer own barrier codes to dialout off of their pbx with. i've read about 6 philes that are old that tell you how to "set-up" yer own pbx on the system if one isn't set up.. with the manual i have and the philes i have, it still has not werked,.. maybe i just suck with these things. if the pbx is already set up for extender use, then adding nonbillable codes is easy. ------------------ iv. Trunk Groups ------------------ There may be various "trunk-groups" on a System 75. Each trunk group serves its own purpose. trunk group 1 may be for a company on one floor, while trunk group 2 may be for another company on a different floor. use: display trunk-group # to display the # specified.. you will see various information as to what peoples who use that group are allowed to do. this is all specified by the COR, Class of Restriction,.. it's a number between 0 and 63 that indicates what restrictions are assigned to voice terminals, their groups, trunk groups, and data modules. you will also see the group name of course, and a nite service extension among other things of little interest. if you want to find out what all the extensions are to that trunk, go to the next page and you will see the last 4 digits of the dialin numbers. ----------------- v. Access Codes ----------------- Access Codes can be a 1,2,or 3 digit dial code used to activate or cancel a feature or access an outgoing trunk. The star * and the pound # can be used as the first digit of an access code. There are access codes that can also be set up internally on the pbx.. they are known as Trunk Access Codes (TAC) and Feature Access Codes (FAC). ---------------- vi. Monitoring ---------------- Yes, you can do this. since you are in the system itself, it's not as though you can monitor actual conversations; however you can monitor all trunk traffic by doing the following command: monitor traffic trunk-groups you will see five seperate columns of characters and then 3 more headers just like it. they five columns are #, S, A, Q, and W. # is the group number. it should be a number between 1-99 that will identify the trunk group in use. S is the group size. it lists however many trunks are administered for that trunk group in particular. the range of possible numbers is system dependant, but is usually 1-60. A is the active group members. it lists however many trunk members in a group are active on a call. 'busied out' trunks are *not* active. Q is the queue length.. that being the length of whatever queue was administered for the group. W is calls that are waiting; the number of the group queue. another way of monitoring the system is to use this other format: monitor system view1 You can also use view2 instead, but view1 gives you the same sight as view2 but also has the hunt groups measurements listed. on this page you will see a different format of the traffik status. first off you have the : Attendant Status : shows the activated attendant consoles and deactivated attendant consoles. activated means an "agent's" headset or handset is plugged in and the console isn't busied out or set up for night service. Maintenance Status: shows the number of alarms (including major and minor alarms) that may indicate problems on trunks, stations, and other resources. The alarm(s) may have already been found out and acknowledged,. use display alarms to check on this.. Y means they've been found out and noticed, N means they haven't. Traffic Status: the "view" displays call handling for trunk, hunt, and attendant groups. it indicates the number of queued and abandoned calls. in the trunk group measurements, only the four trunk group numbers with the highest percentage blocking are listed. they have their calls displayed as INC (incoming), OUT (outgoing), and TWO (two-way). monitoring traffic analysis is a good thing,.. because of it, you can see if anything weird may be going on while you are inside the system. usually, it's best to enter these systems late night, in case you alter something incorrectly disturbing fone service temporarily.. it's better to go unnoticed eh? but nonetheless.. ya gotta watch the watchers.. that's where this command comes in. -------------------------------- vii. Listing Scheduled Reports -------------------------------- on the Manager I system, you can use the : list report-scheduler to see what reports have been scheduled for printing.. if you put schedule on the end of a command, this is where the "job" goes. you will see the following things on the screen: - Job Id: this shows the report identification number, it's 1-50, and is provided by the system. - Command: this will show what command is scheduled to be executed - Print interval: this field has 3 options: immediate, scheduled, and deferred. if it isn't immediate, then you will see: - Print Time: this will be in military time, ie 21:15, and below that you will see a list of every day of the week with a y or n after it, in regards to which day it will be done; whether it be scheduled or deferred. you can use the change action to edit out any scheduled reports that shouldn't be there, y'know what i mean.. say you have been contributing to a lot of heavy activity on the system one day, and you notice that they are going to print out the "list history" command every night.. all you're transactions are stored in a log and will be printed.. i have actually found a few systems that do not use this log but nonetheless.. it's good to check on this things. read on for more about listing your history on the system.. -------------------- viii. History Logs -------------------- these can be brutally dangerous to being caught.. once you are found out having been inside the system, unless you diverted really decently you can easily be nailed. Ma Bell doesn't like when you play with her PBXes... and remember the ess switches of today log everything. you can list your history by doing the following: list history simple eh? you will get a list of dates and times and the port used and the login used and the action used and the object used and any qualifier that was used with it; in respect to changing/listing things on the system. for example, list station 4382 If you look in the history log, you will see what every person that logged in did on the system that, what time they did it, and even what port they came in offa.. actually, only if it's data affecting, such as changing or bridging extensions and the sort, will it be in there.. all the displaying of trunks and the like should not be in there. the only sys75's i've been in that actually have used this, i've only had access with the browse account.. ones that i've used craft and the likes in, they didn't have a history to be listed.. methinx it was disabled. but if you have a good account that can do things, see if you can clear or change your history.. since you may need to if you make changes a little too obviously. if you cannot remove the history log, nor change it.. then make EVERY attempt to change or remove the translations.. such as remove translations translations are what is saved to the tape backup every week.. when save translations is performed, the history gets kopied to the tape backup... so when the system cold starts or reboots, the log is loaded from the tape. ----------- ix. NOTES ----------- a few things to remember when working on system 75's: whenever you are changing an option that has a qualifier on the end for time, if you decide to put in the time it MUST be in military time.. if you use schedule as a qualifier for a command, it won't do anything but schedule it to be printed.. which isn't a good thing. you may want to peruse a system's activity before working on it.. such as see how often maintenance is done thru the dial in.. this way you will have a better handle as to how easily your work may be noticed.. i know it's common sense.. but it's not always too common. +------------------ a side note --------------+ i know this did not get all too technical as to setting up a hidden pbx or elsewise.. it is an overview of what to check as you learn while using the system.. using the word help after an action usually gives you a good feel as to what to do.. and if you know/have studied telecommunications, you will find most of the terms familiar. if you have a question on anything in particular, please email me fringe@anet-chi.com i want to give special thanx to pluto in jersey, it's been years man.. and i still appreciate the hell outta this manual you hooked me up with.. also if anyone wants to order sys75 manuals, the info is below. however, they AREN'T CHEAP! (methinx they're like $80 a pop) To order manuals, call AT&T Customer Information Center at 1-800-432-6600; unless you're in Canada, then call 1-800-255-1242 or you can write to: AT&T Customer Information Center 2855 North Franklin Road P.O. Box 19901 Indianapolis, IN 46219-1385 there are way too many manuals to list.. the best thing to do is to order this: Definity Communications System Generic 1 and System 75 - Documentation Guide Order No: 555-200-010 this will give ya the dox on all their manuals.. there has to be 30-40 around.. if you are looking for the order number to a specific one, drop me a line. | ---+-------- | Sys75 phile number 1, done | -----------+--- | ---END SYS75--- +------------------------------+ | section two - Coding Schemes | +------------------------------+ *--------------------------------------------------------------* Instructions in decoding RC5 - by special-k (special-k@dope.org) *--------------------------------------------------------------* This rather mathematic description shows in what way RC5 (32,1*) can be decoded when its original text is attacked. In spite of good static qualities of this method it will possibly be sufficient if you know merely 2 word pairs of the original text and the corresponding text in order to decode the text. Attacks of this kind should always be expected. RC5 is described as follows: (further information later) A0 = A+S0; B0 = B+S1; A1 = ((A0^B0)<<<k1) + S2; (1) B1 = ((B0^A1)<<<k2) + S3; (2) (A, B = original text; A1, B1 = encoded text) K2 is the value of the 5 lowest bits of A1 whereas K1 is the corresponding value of B0. We will start at equation 2. As A1 and thus K2 are known, S1 can be calculated with the help of $3. S1 = (((B1-S3)>>>k2) ^ A1) - B (3) Now we choose two word pairs with different k2 among those which are available. The difference of these k2 should be as small as possible. This is theorethically not always possible, but in this case we ignore it. Having 4 different k2, the difference can be less or equal to 8. We substract (3) from the smaller k2 of (3) and the greater k2 and get the following equation: (X>>>K)^P - ((X+D)>>>L)^Q = R with L-K=S > 0 and with L, D, P, Q and R known. This equation can perhaps not clearly be solved, but all the possible X may be found in this way. We now choose the s Bits: X[K],...,x[L-1] of any X (from 0 .......31) and determine among them the s Bits: y[L],...,y[L+S-1] of X+D and y[32] = (y[0], y[33] = (y[1], etc. Depending on the fact whether a carry in Bit L emerged by the addition of X and D, the s Bits x[L],...,x[L+S-1] of x will possibly be ambigous due to the carry. We are going to determine now the following s Bits of x in a similar way. A possible carry has been found now. After the (32/S+1) steps we arrive at the already given bits and can check for which values of x[K],...,x[L-1] it worked out. Perhaps only a few solutions of X will remain, if you are lucky, only one. The less s is the smaller is also the imaginable variety of solutions. We are going to determine S3 for each X which we found and for each S3 i we determine B0 and in its turn S1. We can use equation 1 for each word pair and thus determine the greater B0 and K1. Consequently, the determiantion of S0 and S2 will be analogy with the ones of S1 and S3, and perhaps with two other word pairs as well. Thus, we are already holding the key in our hands. w00p!@$# Should there be several solutions, we can check them with further word pairs. If need be, we can generate the original text on trial and check it with regard to readability and sense. In theory, there are of course several keys possible. However, this is not what we care about because we want to get the original text. I worked out this method after several considerations and it can be adapted for any computer programmes without any problems. Our results have been impressive, in all the cases we tested, three word pairs (this means 24 bytes) of the original text were sufficient to calculate the complete key definately (and consequently the original text) within 2ms using a Pentium-133, ESIX V.4.2, PoC <- only onkeld knows what this means). In addiction, our method which methods today abalysty use, trying to cope with problems in cryptography. The RC5 encoding within the pseude code: A = A + S[0]; B = B + S[1]; for i=1 to r do A = ((A^B)<<<B) + S[2*1]; B = ((B^A)<<<A) + S[2*i+1]; The explanations of the instructions: X <<< Y The word X rotetes by Y bits to the left ^ Cannot translate :( (in german: Das Bit-Weise ausschliessende oder (XOR). S[] The key r The number of rounds Copyright (c) and all other stuff by special-k special-k@dope.org For suggestions and pizza contact me! ---END RC5 Decoding--- +----------------------------------+ | section three - h/p related news | +----------------------------------+ -------------------- news for the scene -------------------+ TRW Finds A New Way to Violate Our Privacy! 8/97 Earlier this month, Experian Inc., one of the nation's largest repositories of credit inphormation for everyone had to shutdown a new service they provided on the internet. They claim a huge mistake incurred due to a software glitch. This glitch violated some federal laws and your privacy. Experian Inc. is TRW's new name, and with that name came a whole new level of stupidity. Their new service let people get a copy of their credit history via the net for only $8.00. One problem, when someone submitted their information to get their form, instead of getting their form, they received someone else's confidential information.. that's right, your credit card information, all known address that you have lived at, everything may have just been handed to someone else. This made the Washington Post and Chicago Tribune. Both reports who did the story tried the new service and verified that they got someone else's information. Thousands of people hit their web site, and were not only disappointed, but probably sincerely screwing themselves over with their report request sending their report into someone else's e-mail. Ed Mierzwinski of the U.S. Public Interest Research Group said "We are gravely concerned that Experian went into this too soon and their system is vulnerable to hackers and it is grossly inadequate to protect consumer privacy." It's 3AM, do you know where your codes are? outtie -fringe ---END NEWS--- +---------------------+ | end pimp thirteen | +---------------------+ ¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼, _ _______ ______ ___ ___ ____ _ /___/ /___/ / / /__) /_ _ __/ _/ \ _/__/ _/__) _/____ _ _ _ / I N D U S T R I E S ¼,¼,¼,¼,¼,¼,¼,¼,/¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼,¼, M A G A Z I N E P H I L E S 1 9 9 7 ╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫ ╫ ╫ ╫ the following boards listed hold true to the scene and if you ╫ ╫ are deep into h/p and the likes, i suggest you give them a call. ╫ ╫ some are gone and i haven't kept up with all of them.. most ╫ ╫ should be all good. ╫ ╫ ╫ ╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫╫ Apocalypse 2000 - H/P/Punk/Ska/Rave/home of the PIMPS! +1-847-831-0484 - *NO* ratio. 1 gig online. (^^^^^^^^^^^^^^ New Number) The Centre' - H/P, more than a gig online plus cd's. +1-207-490-2158 Poison Pen - H/P, *NO* ratio +1-847-966-2095 (^^^^^^^^^^^^^^ Yet, ANOTHER New Number) Moo 'n' Oink - H/P +1-847-256-5928 Microcosm - H/P +1-904-484-5548 Underworld 96 **(514) toast** Aneurysm - H/P - NUP: Discipline +1-514-458-9851 Last Territory - H/P +1-514-565-9754 Linoleum - H/P **(704) toast** Hacker's Haven - H/P +1-303-343-4053 Digital Disturbance - H/P **(516) toast** Hacker's Hideaway - H/P +1-416-534-0417 TOTSE - H/P and crazy other amounts of info +1-510-935-5845 The Switchboard - H/P +011-31-703-584-868 Arrested Development - H/P +31 ***TOAST** and will be missed. ----- If you'd like to write for PIMP, you can send any and all worx to pimp@dope.org all worx will be looked at and considered. all credit is always going to be given to whomever the giver is, unless you would rather not be known. PIMP Issue numba thirteen, outtie.