alt.ph.uk

Section 1: General Information About The alt.ph.uk Group

1.0.1. About alt.ph.uk

Generally it is to be presumed that the group is read by people who are actively involved in prosecuting hackers and phreaks, and thus if you *are* going to post sensitive information, it's a good idea to use an anonymous remailer if you're going to post the information at all (see the next section).

2.0.1. What is Phreaking?

A good dose of paranoia is always healthy when using such systems. If you do insist on using a PBX, diverting is better than nothing, and when you connect wait a few minutes before placing an outgoing call.

Henceforth follow some common misconceptions about the laws surrounding PBXing.

• I am on a cable phone, can I get busted for PBXing?
  Yes! Cable companies have to co-operate under the law. Some cable companies actually have stricter policies than BT themselves.
• Can I get busted for using international PBXs (ie. outside the UK)?
  Yes! Prosecution is a different matter though. But people have got in trouble for using 89/96x PBX's etc. in other countries.
• If I'm not in England (ie. Scotland/N.Ireland) therefore am I not covered by the 'fraudulent abstraction of electricity' and 'computer misuse' laws?
  WRONG! In fact, in these cases it might be worse, as they might choose to charge you under general fraud laws.
• I dial through one PBX to another before I use it, so I am safe?
  No. Whilst it's much better than 'dialing direct' BT can trace things on their own network fairly easily. Things just take more time. If they trace you, they will put a monologue on your line.. It then doesnt matter how many things you dial through, as they'll have every DTMF you dial!

The old Green BT cards used an optical system. The apparently black plastic is translucent in the infrared - hold a card up to a 60watt light bulb and you will see the purple stripes either side of the charge band on the printed side.

The mechanism , by Landis & Gyr shines an infrared laser onto the underside ("black") side of the card. The charging strip has a diffraction grating pattern moulded into it which back scatters the light to a detector set at a certain angle. The angle is different for each Telecom operator. Once the call units have been used up a heating element melts the plastic on the printed surface sufficiently to leave a visible mark and enough to destroy the diffraction pattern at that point. The mechanism then makes a verifying read to check that this has worked and will not physically release the card until then. Any ideas about nail varnish etc making any difference are fiction.

Simple, cheap, and hackproof so therefore the telecoms companies are rushing away to use smart cards instead !

The new BT smart cards have both an expiry date and a serial number, with presumably an audit trail of all the calls made using a particular card - will all bomb hoaxers, drug dealers and obscene callers remember not to use the same card to call home as well ?

Any of the above the generate tones will have to be modified (see below).

Box schematics may be retrieved in a zip file from:

2.2. Landline Telephony

Mercury's country direct numbers are evenly distributed through out the 0500 xxxxxx range.

Country direct numbers are numbers which forwards calls to a regular number in the remote country. I believe these numbers are arranged with your local Telco, who rent a number of 0800/0500 lines from BT/Mercury and pay BT/Mercury for incoming calls over them. The remote telco then resells these numbers to company's requiring a toll-free number from the UK. You are not charged for the call, the company you reach is paying for the call, as with all 0800/0500 numbers.

• Residential:
  Quite risky. Key points to remember are that your'e waking people up if you're scanning at night; You could be ringing consecutive DDI ports for a target company which will immediately alert them to your presence; Also, you're generating a lot of outgoing traffic for one sweep. Geographically, it's child's play to pinpoint your location unless your'e going via an outdial. Use your loaf - get to the library, pinpoint residential ranges, isolate the carrier providers for your NDC of interest, and take it from there.
• DDSN (Aka 0800/0345/Whatever)
  Very Risky. No shit. The switching architecture in place within the DDSN is particularly good at logging, with AMA in place on each step and switch point in the net. Furthermore (for those of you mystified as to the protocol intricacies of CLID), your CLID is forwarded right up to the far end hop off switch, ie. your CLID is masked from the end user only by one bit determining its visibility status. Your target may not see it, but if you're dialling into hostile territory, don't be surprised if weird things happen. I managed to get NTL to shut down a whole prefix after I'd swept two the same week just to keep me out, dependant on CLID, so keep an eye on things the whole time.

If you're serious about doing some damage with Toneloc or the like, get a second line. Your parents/spouse/SO/flatmates will appreciate the line being free, and you don't have to have a schizoid embolism everytime they pick up midway through a nmap sweep.

1. If you are caught you will be prosecuted. No shit!
2. It is very hard to learn and even harder to master!
3. You must have network or physical access to the input device (ie. the console).
4. MMI language differs for every switching architecture even though families retain similar structures.

Learn. Study various switching architectures. Grow to realise their differences and nuances. Then get out there and turn some poor clod's phone into a MicroMACS receiver circuit.

Take a look at:

Now as you know, every vodaphone PAYT customer has two phone numbers:

1. Handset Number
2. VBX Number

The VBX range is from 07788 200 000 to 07788 450 999 If you want to target a specific individual, just type *#61# [enter/ok] on his/her phone to get the VBX number, then dial it from your land line.

Once you have found a number, just listen to the message, if its the default "Welcome to the vodaphone recall service for <handset number>" then quickly key 9 and enter the default PIN of 3333

This also seems to work for non PAYT SIMs as well, except that the range of VBX numbers is different e.g. 0777 10x xxxx to ?

3.0.1. What is Hacking and Cracking?

Some BIOS's allow you to require a password be entered before the system will boot. Some BIOS's allow you to require a password to be entered before the BIOS setup may be accessed.

Every BIOS must store this password information somewhere. If you are able to access the machine after it has been booted successfully, you may be able to view the password. You must know the memory address where the password is stored, and the format in which the password is stored. Or, you must have a program that knows these things.

The most common BIOS password attack programs are for Ami BIOS. Some password attack programs will return the AMI BIOS password in plain text, some will return it in ASCII codes, some will return it in scan codes. This appears to be dependent not just on the password attacker, but also on the version of Ami BIOS.

If you get lucky, and find a VMS machine running an open account, hang on tight, and don't reveal this gem of computing to anyone else; Hours of fun can be had with large VAXen arrays, and especially more so on Clusters of the beasts.

But how do I find an open account? Brute force, really. Dumb logins to try are DECNET/DECNET, SYSTEM/SYSTEM, UETP/UETP, and what have you. Many files exist out there (somewhere - aahhahhh) that detail all the VMS system defaults from version to version. DECNET/DECNET was a popular one circa 91/92 and led to several embarrased .mil's. If your'e lucky an account will not have been disabled, and will be instead whats known as a CAPTIVE account (AFAIR), in which case a quick appendment of /NOCOMMAND to the login name will drop you into DCL. Bada Bing! Now go get some SYSUAF wares!

To access the SYSUAF.DAT file and to furthermore, modify it, you must be SYSTEM/SYSTEM or equivalent. If you've blagged this (by some _quirk_ of local insecurity) then download it as a binary file and feed it to the program VMSCRACK. This can be downloaded from most places, if not, try hunting through VMS security lists for it. This is basically a version of Crack for VMS, and works _very_ rapidly, even on a pre-pentium system. Unfortunately, my drug addled memory has long forgotten the intricacies of the encryption used in the SYSUAF.DAT file, but hey, grab one and you can learn.

Attacking VMS Machines via a network is a different matter. They present a distinct IP fingerprint, and very often sit with the SYSTAT port open, enabling you to pull login information from them for later attacks. Frequently, you will also find OpenVMS systems running NFS daemons. Hours of fun for the interested, weeks of hell for the admin.

X.25 networks hold literally _thousands_ of VAXen, and unexplored territory can reap the benefits of global access; Nothing quite beats watching a DCL script run through 100 simultaneous DNIC scans.

Within their own domain, VMS and VAXen speak their own protocol languages, which are intriguing to study. DECNets, as they are called, are arranaged into groups called Areas and Nodes. IIRC, there is a maximum of 64 areas and 1024 nodes per network; further expansion is done by bridging. So for example, you might find upon looking at the address table under VMS, a listing for systems such as 6.22, 3.11, and what have you. Unreachable nodes can be reached by providing a hardware address converted from the AREA.NODE notation. We'll leave this as an exercise for the reader. (Hint - visit your library, and look up DECNET).

DECNET Protocols are as follows:

MOP	Management Operations Protocol, ala bootp
LAT Commonly used in Terminal Server Environs
DDCMP	File transfer, task to task processing. DDCMP has its roots in HLDC IIRC. And yes, they even speak TCP/IP.
NICE	Network Management functions
DAP	File Transfer
NSP	Session Control

Want a challenge? Want to put hairs on your chest? Hack VMS.

On other systems /etc/passwd doesn't store the password. It can be stored in a shadow file (that is not normally readable to normal users). To obtain the (encrypted) passwords you have to have a special program to read it. The source for a program to do this is obtainable from the alt.2600 FAQ.

3.3. Network Hacking

"I know next to nothing about Novell hacking, other than the passwords file is stored in the bindery and older versions of Novell had a system call called VerifyBindaryObjectPassword that when given an account and password wouth say if they matched. This was very useful for knocking up quick Novell versions of Crack. I believe also something clever can be done when you run Netware Lite over the top of normal Netware."

3.4. Viruses

3.5. Anonimity On The Internet

Remailers work by taking incoming messages from you, stripping off the headers and sending them on, although this is good enough for most of the time, the truly paranoid tend to string several remailers together to avoid the possibility of traffic analysis giving away their identity. Other options include PGP [see section 1.2.2] relay, random delays, random message size alteration, and so on.

"PGP (pretty good privacy) is a public key encryption package to protect email and datafiles. It lets you communicate securely with people you've never met, with no secure channels needed for prior exchange of keys. It's well featured and fast, with sophisticated key management, digital signatures, data compression, and ergonomic design."

You will also find that many service providers also log accounting details from their authentication servers - data includes not just the CLID, but also bytes transferred, login times, etc.

Nowadays, with the advent of 0800 dialups and free connectivity, a sizeable proportion of the free industry are blocking any authentication for users who withhold their caller ID (notably, AOL and Compuserve are not among this lot).

In any event, it's not the best idea to hack on your own "doorstep" as it were.

3.6. UK Internet Hacking

JANET stands for Joint Academic NETwork.

LONAP is a privately-run alternative to LINX, for smaller ISPs.

3.7. RM Network Hacking

4.0.1. What is and isn't illegal?

Telecom law is less specific, in general defrauding an phone company is illegal, connecting un-approved devices to a BT network is 'unlawful' and 'prohibited'. I am unsure whether this includes sending tones from a hand-held dial or personal-stereo. Using BT test codes may not be illegal, but is probably in breach of your contract with them. The Telecommunications Fraud Act 1997 introduced/clarified the law that if you are found in posession of material (anything from a copy of 2600 to a sack of chipped P3's) with intent to defraud, you will be taken to the cleaner's.

The following is ColdFire's interpretation of the Computer Misuse Act 1990:

All the following is my opinion, as I have no legal qualifications DO NOT rely on it to be the case. Until wardialing is tested in court no one will know for sure, now, who wants to be the test case :)

Quote from the Computer Misuse Act (1990) Section 1:

• 1(1) A person is guilty of an offence if
  • a) he causes a computer to perform any function with intent to secure access to any program or data held in a computer
  • b) the access he intends to secure is unauthorised, or
  • c) he knows at the time when he causes the computer to perform the function that this is the case.
• 1(2) The intent a person has to commit an offence under this section need not be directed at
  • a) any particular program or data
  • b) a program or data of any particular kind or
  • c) a program or data held in any particular computer.
• 1(3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or both.

As you can see, causing a computer to perform any function with intent to secure unauthorized access to a computer is illegal. If you are wardialing to find carrier, and then intend to gain unauthorized access, then war dialling IS illegal (In my opinion)

As most voicemail system can be classified as computer systems war- dialling for VMB's with the intent of gaining unauthorized access to the VMB system is illegal. The same applies to PBX's

I believe, from my interpretation of the law, that war-dialling is illegal under the Computer Misuse Act (1990). Of course to prosecute you under this law it would have to be proven that you intended to gain unauthorised access to a computer (note: computer is not defined under the act).

Obviously this only applies to automated wardialing, dialling by hand is not covered by this :)

Log files make crap evidence, for a start they're easily forged, and you're reliant upon computer generated evidence. What jury will believe a computer over a human?

At best log files are supporting evidence, in most cases they only show logins, connections and other impersonal evidence, no log can say BEYOND REASONABLE DOUBT that someone did something, if in doubt deny everything, after all its the job of the prosecution to prove you are guilty.

Things to check out are:

4.2. Infamous Hackers and Phreaks

5.0.1. I found some cool stuff in a skip. Is it legal to take it?

Be careful when skipdiving (or dumpster diving as it's also called), especially round the back of your local phone exchange. Most large companies are now using razor wire, infra-red CCTV, and sizeable dogs to stop culprits from making off with dead equipment and (more importantly) credit card carbons. Going trashing round the back of your local small businesses is more likely to reap rewards than getting yourself arrested digging through the contents of BT's wastebins.

6.0.1. How do I build a Cable TV descrambler?

If you thought that to let you view a particular channel cable companies had to switch some thing externally, you are wrong. In fact in most systems all the channels are present when they reach your box. It is your box that is programmed to stop you seeing these channels, Not something outside the home! The only exception to this is possibly a very few companies who use 'filtering' methods, ie. they use computerised 'smart filters' outside the home which filter out premium channels etc. and control what you can and cannot see. If your cable co uses this type of system (I know none that do in the UK) Then you are screwed. (Either that or it's time to go pay a rich neighbour a visit with some wire cutters, a spade, and a length of cable wire long enuff to reach your house :) The one positive side to this method is that all signals are sent in the clear, and the ones you dont pay for are filtered out. And so, if you have a 'cable ready' TV, it eliminates the need for a box.

All cable boxes contain a serial number. Your cable co. has this number on record in their computers. When you phone and say "I'd like to subscribe to the Racing Channel, Cause its great value at only 20 quid a month" They simply type in the computer you are allowed to see that channel. The cable co. then sends a signal to your box saying box AB 1234567890 is allowed to see channel 33. Your cable box contains a modem that receives data from the cable co. in the form of an FM signal. The box specifically looks out for instructions to its serial number, and obeys. It can be told where specific channels go, (Show BBC1 on ch 21 etc) can disconnect your service, or can show what are called 'barker' channels in place of the premium channels (Unless it's told different ;). This FM signal is known as the cable boxes 'data stream'. However, cable companies dont just send the data stream to your box the once and then thats it. They send instructions to everyones box constantly looping around you all. And so, on a small system with a few people your box might be updated every few minutes, or on a larger one the box might be updated every 20 minutes etc. This ensures everyone gets what they pay for.

And so, the point is that you don't build a descrambler - you trick your cable box into thinking you're allowed to see the premium channels! This can be done in two ways: 1. By Cube. 2. By Test chip. Both have their advantages and disadvantages, much of which is outside ths scope of this document and therefore you are encouraged to seek further information elsewhere.

Finally, because there are no UK sources for this type of thing EVERYONE must get cubes/test chips etc. from the USA. And the UK being the UK has to be a bit awkward and do it slightly different from the US. Data streams there are 99 times out of 100 one of four frequencies between 88-108.5 FM. However, here the data stream is often found at higher rates like 122.75Mhz etc. (ie. outside the normal FM wave band). If unsure, get yourself a scanner that can tune that high, plug your cable into it, and search around for your data stream. Once you find it let the company know, and many will be happy to modify it for you before shipping to the UK. You need to know this or your cube will not work!

7.0.1. What does "xxxx" stand for?

"It all stems from warez, warez d00dz 'traffic' warez (pirated software). The practice of intentionally miss-spelling words and changing letters for numbers etc come partly from the necessity to 'hide' files. So if someone (especially a sysadm) decides to search the entire disk for a known software title, they wouldn't be found"

• Directorate Of Security & Investigation
  The focal point for 'expertise' within the group.
  Director Of Security & Investigation.
  Room A740
  BT Centre
  81 Newgate Street
  London EC1A 7AJ
  Tel: 0171 356 4928. Fax: 0171 356 5909.
  
• Commercial Security Unit
  Room A169
  BT Centre
  81 Newgate Street
  London EC1A 7AJ
  Tel: 0171 356 5234. Fax: 0171 356 6068.
• Specialist Services Unit
  Libra House.
  Sunrise Parkway.
  Milton Keynes MK14 6PH.
  Tel: 01908 693939. Fax: 01908 693961.
  
• Computer Emergency Response Team
  btcertcc@boat.bt.com, Tel. +44 1908 634 000, +44 1908 230 343
• PP LF16
  Libra House,
  Sunrise Parkway,
  Milton Keynes,
  Buckinghamshire,
  MK14 6PH
• Investigation And Detection
  Libra House.
  Sunrise Parkway.
  Milton Keynes MK14 6PH.
  Tel: 01908 693838/3839 ;'Help desk' Fax: 01908 693860.
  Also : 01908 693800...

It's this last one which is responsible for actually 'busting' people for nicking 0.00005v of electricity.

8.1. On The Internet

8.2. In Print

• Cyberpunk: Outlaw & Hackers on the computer FrontierKatie Hafner and John Markoff - ISBN 1-872180-94-9
  3 Accounts in one book, Mitniks Early Years, widely discredited by people close to him. Pengo and The Chaos Computer Club (which ties in with The Cuckoo's Egg) and Robert 'Internet Worm' Morris
• The Cuckoo's Egg Clifford Stoll
  Techno Hippy gets compulsive about East German Hacker
• Hackers Steven Levy
  Early days of Old-Style MIT hackers, not to be confused with the film Hackers
• Approaching Zero: Data Crime And The Computer Underworld
• Beating the System (Hackers, Phreakers and Electronic Spies) Owen Bowcott and Sally Hamiliton. ISBN: 7475 0513 6
• Computer Hacking: Detection and Protection Sigma Press 1995?, UK - ISBN 1-85058-538-5

8.3. TV and Film

• War Games - Matthew Broderick. High-school kid almost starts World War III with his TRS-80
• Sneakers - Dan Akroyd.
• Hackers - Johnny Miller, Angelina Jolie. Famed for the in-joke character Emmanuel Goldstein, and appearance of 2600 Magazine.
• The Net - Sandra Bullock.
• The Matrix - Keanu Reeves.

This document dated Wed Feb 7 11:57:03 GMT 2001 .
Created by Cap'n B's FAQ-O-Matic, © 1999 JML Online Ltd.