K-1ine #7 -- 'It Comes On Anyhow' -- vol. 3 -- September 2000

[-] Introduction .......................................... The Clone
(-) Contact Information ................................... The Clone

[Main Menu;]

(x) 'Anyone with a Screwdriver Can Break In!' ............. Jay Beale
(x) 'OB Duct Tape Hack' ................................... Kira Brown
(x) 'Walk' ................................................ D.M.S.
(x) 'Hacker Hypocrisy; @Stake/L0pht' ...................... The Clone
(x) 'Model 001 Payphone Programming Guide' ................ Nettwerked
(x) 'PBX Access Total' .................................... Flopik
(x) 'US NATIONAL PARTYLINE NUMBERS' ....................... Kybo_Ren
(x) 'Rogers/AT&T Pay-As-You-Go Billing Vulnerability' ..... The Clone
(x) 'A Guide to General Packet Radio Service' ............. N&N
(x) 'Miklos Adventure at Graybar' [love this article!] .... Miklos
[-] Credits ............................................... The Clone
[-] Shouts ................................................ The Clone

[][][ PERSONAL ADS: ][][]

-- Brand New Telephone Related Archive; 'Telecom File Archive' -- www.nettwerked.net/TFA/TFA.html
-- Brand New Organization; 'Canadian Phreakers Union' (FAQ) -- www.nettwerked.net/TFA/cpu_faq.html

Introduction

- BEGINNING OF CHEESY INTRO -

Welcome to the September edition of K-1ine - Oooo, summer is over... back to school, kiddies! Alright, this is the seventh issue and third volume of K-1ine... the issues keep jumping numbers and growing & growing in submission size... what can I say - I'm impressed! Keep those rockin' articles coming, and I'll continue to compile them! Enjoy this far-out issue!
- END OF CHEESY INTRO -

Contact

Comments/Questions/Submissions: theclone@haxordogs.net
Check out my site: (Nettwerked) http://www.nettwerked.net
Shoot me an ICQ message: (UIN) 79198218

___

Anyone with a Screwdriver Can Break In!
By: Jay Beale -- jay@bastille-linux.org
August 28, 2000

This article will discuss the second weakest layer of computer security, Physical Security.[1] As we'll see, any attacker with physical access to a computer, a little ingenuity, and sufficient time can compromise the system. By way of example, I'll demonstrate attack and defense on a Red Hat Linux box and show how you might slow down, or even prevent, these kinds of attacks. You don't need a Linux machine, or even technical responsibility, for this article to be useful. This problem is independent of operating system, and this article is general enough to be useful to every level of computer user. Be warned, though - you'll probably only be able to slow down a determined attacker.

Breaking in Through the LILO Prompt

If you boot a Red Hat Linux 6.x system right now, you can boot into single-user mode like this:

    LILO: linux single

This will place the machine in Runlevel 1, or single-user mode. You'll be logged in as the superuser, root, and you won't even have to type in a password! This is not a backdoor, as such - this mode is generally used for system maintenance, which is a good idea. Requiring no password to boot into root here is probably a bad idea! You can fix this by editing /etc/inittab. Insert the following line, right after the "initdefault" line:

    ~~:S:wait:/sbin/sulogin

This will require a password to boot into single-user mode by making init run sulogin before dropping the machine to a root shell. sulogin requires the user to input the root password before continuing.

So, what if we've password-protected single-user mode? Well, you can still have root on the machine if you type:

    LILO: linux init=/bin/bash

This boots the Linux kernel, but runs the Bourne-Again Shell (bash) as the first (non-kernel) process, in place of init. Since the kernel runs init as the root user, this shell runs as root. You now have an instant root shell!

OK, so how do we stop this and attacks like it? We really should restrict who gets access to the LILO prompt. LILO permits this natively. First, we can password-protect the LILO prompt, so an attacker can't add options at the LILO prompt without typing a password. To add a password to the LILO prompt, just choose a password and place the following lines at the top of the /etc/lilo.conf file:

    restricted
    password=SOME_PASSWORD_YOU_CHOOSE

We can also protect the LILO prompt by setting the delay time to 1 millisecond, providing an attacker with insufficient time to add options.[2] You can accomplish this by editing /etc/lilo.conf and then re-running lilo. Comment out any lines that read "prompt" by placing a # in front of them. Then insert the line:

    delay=1

near the top of the file. Once you're done, make sure to re-run lilo to effect your changes, by typing lilo at the root prompt. Type man lilo and man lilo.conf to learn more about the LILO Linux [kernel] Loader.

OK, so we've secured lilo - have we completely locked an attacker out of superuser access? Sadly, we haven't, because an attacker with physical access can...

Boot Via a Floppy/CD-ROM/Other Bootable, Removable Medium

Well, if your computer has a floppy or CD-ROM drive, an attacker can usually boot the system from a bootable floppy/CD-ROM. I carry around a Tom's Root Boot disk in my laptop case, for occasions where someone forgets their root password (or a machine is too munged to boot properly). I boot the system from my Linux floppy disk, and then mount the drive, like this:

    # mkdir /jay
    # mount /dev/hda5 /jay
    # vi /jay/etc/passwd

Since I booted with my own floppy disk, I'm root on the machine.
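Before going on to the floppy-boot scenario, here is an added audit script (mine, not Jay's, and not part of Bastille Linux) that checks the two configuration changes above, the sulogin line in /etc/inittab and the restricted/password/delay settings in /etc/lilo.conf, against constructed before-and-after sample files; the file contents and the password value are made up for the example.

```python
# Constructed sample: a stock-looking Red Hat 6.x /etc/lilo.conf before hardening.
LILO_CONF_BEFORE = """\
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
default=linux
image=/boot/vmlinuz
        label=linux
        root=/dev/hda5
        read-only
"""

# Constructed sample: the same file after the article's changes (password value is made up).
LILO_CONF_AFTER = """\
restricted
password=EXAMPLE_PASSWORD_CHANGE_ME
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
#prompt
delay=1
timeout=50
default=linux
image=/boot/vmlinuz
        label=linux
        root=/dev/hda5
        read-only
"""

# Constructed /etc/inittab samples: without and with the sulogin line.
INITTAB_BEFORE = "id:3:initdefault:\nsi::sysinit:/etc/rc.d/rc.sysinit\n"
INITTAB_AFTER = "id:3:initdefault:\n~~:S:wait:/sbin/sulogin\nsi::sysinit:/etc/rc.d/rc.sysinit\n"


def lilo_directives(text):
    """Parse lilo.conf into {keyword: [values]}; bare flags such as 'prompt' get None.
    Text after '#' is a comment, so a commented-out 'prompt' is not counted
    (simplification: quoted values containing '#' are not handled)."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        found.setdefault(key.strip(), []).append(value.strip() if sep else None)
    return found


def audit_lilo_conf(text):
    """List the LILO-prompt weaknesses the article describes; [] means all three steps are in place."""
    d = lilo_directives(text)
    findings = []
    if "password" not in d:
        findings.append("no password=: 'linux single' or 'linux init=/bin/bash' can be typed freely")
    elif "restricted" not in d:
        findings.append("password= without restricted: every boot demands the password, "
                        "not only boots that add options")
    if "prompt" in d:
        findings.append("prompt is active: LILO stops and waits for boot options on every boot")
    if "delay" not in d:
        findings.append("no delay=: the default wait leaves time to type boot options")
    elif d["delay"][-1] != "1":
        findings.append("delay=%s: the article sets delay=1 to leave no time for extra options"
                        % d["delay"][-1])
    return findings


def audit_inittab(text):
    """Check for an entry that runs sulogin for single-user mode (runlevel S or 1).
    This only covers 'linux single'; init=/bin/bash never reads inittab, which is
    why the LILO checks are needed as well."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 3)
        if len(fields) < 4:
            continue
        _id, runlevels, action, process = fields
        if action == "wait" and process.strip().endswith("sulogin") \
                and set(runlevels.upper()) & {"S", "1"}:
            return []
    return ["no sulogin entry: 'linux single' drops to a root shell with no password"]


def audit(lilo_conf, inittab):
    """Combined report for the two files the article edits."""
    return audit_lilo_conf(lilo_conf) + audit_inittab(inittab)


if __name__ == "__main__":
    # On a real host, replace the samples with the contents of /etc/lilo.conf and /etc/inittab.
    for label, lc, it in (("before", LILO_CONF_BEFORE, INITTAB_BEFORE),
                          ("after", LILO_CONF_AFTER, INITTAB_AFTER)):
        print(label + ":", audit(lc, it) or ["hardened as the article describes"])
```

Remember that the script only reads the config files; as the article says, lilo must be re-run after editing lilo.conf for the settings to take effect.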
If the drive isn't encrypted, I can mount it (as above), edit the passwd file, and create myself a root-equivalent account by adding a line like this:

    jay::0:0:Security Admin:/:/bin/bash

This creates a non-passworded root-equivalent account named 'jay'. From here, I can repair the damage to the box, delete the account and go about my business. Unfortunately, an attacker can use the same technique illegitimately to quickly root a box.

We can prevent this, initially, by restricting the machine to booting only off the hard drive. The attacker's technique is useless if the computer won't boot off a floppy/CD-ROM. You can generally configure boot options via your computer's battery-backed NVRAM, EEPROM, CMOS, or such. On Intel x86 hardware, turn your machine off and then, as it boots, press whatever key (Esc, F1, F2...) puts you into your BIOS's configuration menu. Now, once the option is saved, try to boot off a floppy. This should be impossible.

OK, so now an attacker can't simply insert a floppy disk to root the box, nor can he get easy access through the LILO prompt. Does he have other methods? Of course! He can...

Remove the Boot Device Restrictions!

A knowledgeable attacker, upon finding that he can't boot from removable media, will simply follow the same procedure you just did, changing the boot device list back! Well, we can combat this, but you should be seeing two primary effects:

1. Stop less knowledgeable attackers by knowing just a little more than them.
2. Slow down and deter the knowledgeable attacker.

We'll talk about these later - I just didn't want you to lose hope halfway through the article...

So, the attacker can undo the change we just made to your system's boot restrictions. Well, most systems, including Intel-based hardware, allow you to set a password on the NVRAM, EEPROM, CMOS or whatever. This is an easy option to find, yet still an easy one to neglect. Place a password on your system's BIOS. This, combined with the options above, will stop a large percentage of attackers dead in their tracks. The remaining few might...

Remove the BIOS/NVRAM/.../CMOS Password!

OK, our attacker is annoying. He's also burning plenty of time. If he can get sufficient access, he might be able to use a tool to discover the BIOS password from inside Linux. Usually, he can't do this. Instead, since he has physical access, he can take the simpler approach. On Intel hardware, the CMOS/BIOS configuration is maintained via a small battery, often similar to a watch battery. If you disconnect this battery for a few moments, the RAM blanks, and the system forgets its password. While some systems then default to a manufacturer's password, there are online tables of these which our attacker can probably consult and/or partially memorize.

What do we do here? Well, we can place a lock on the case, so it can't be easily opened. With time and tools, these locks can be picked or broken. Further, the attacker might be able to compromise the lock by harming the case directly... Still, the lock (and strong case) will slow him down and may deter him to the extent that he leaves. Further, you might just remove the floppy drive, CD-ROM drive, and any other external drive/disk mount ports (Zip disk, parallel port...). What then?

Remount the Hard Drive on Another Machine!

Remember our mounting trick with the floppy disk from earlier? This can be applied from another host! While this may seem impractical, I'll note that I saw a deck-of-cards-sized computer just a few weeks ago, at DefCon, that could be used for this very purpose. Boasting a 340MB hard disk, with a Red Hat Linux install and a free IDE port, this ultra-portable computer could easily be used for this purpose. Just plug the hard drive into this system, or another system you've got control of, and you've got somewhat-less-than-quick superuser access. All we need, generally, is a screwdriver to open the target machine and get at the hard drive! Again, case locks can help here, but they only serve to slow down a determined attacker.

So, suppose we're still working on stopping the determined attacker. This guy is a total pain. The physical access makes the machine weak! So, what if we could remove the physical access? We place the machine in a locked room, with a steel door, hinged on the inside, with multiple non-trivial locks. Only the monitor, mouse and keyboard are accessible. We're truly safe now, right?

Well, don't start patting yourself on the back just yet. Check those walls. Most of you secure your server rooms behind walls that don't quite go up past the ceiling... What do I mean, you ask? Consider the ceiling tiles around the room. Push one up, right near your inter-office walls, and you might find plenty of crawl space over that wall into your "secure" server room. Once, when I locked myself out of my own office, I was told to use this space to unlock the door from the inside. Most offices don't think about this design in their physical security audit!

OK, OK, I'm getting a little outrageous by now, yes? Eh, it really depends on how "secure" you need your computers to be. As I hope I've shown, it truly is difficult to stop an attacker who has time and unsupervised physical access to your computers. So, what do you do?

Remove the Opportunity and Deter the Attacker

You really can stop most attackers, simply by not providing them with the unsupervised opportunity and time required to carry out an attack. If you followed the path our attacker might take, you'd note that all of this took time. He had to reboot the host several times. This all takes time. If you harden the LInux LOader (lilo) sufficiently, set boot device restrictions and secure the method of changing such, our attacker will be getting into the realm of opening his target computer's case, possibly defeating locks along the way. While this part takes time, it's also highly likely to be noticed by anyone monitoring the area. If you've given physical access because the target is in a computer lab, you can hire a lab monitor to watch for anything this noticeable. If the physical access is accidental/unintended, you can look into door locks, alarm systems, and perhaps even guards. In any case, now that you understand the dangers, you'll be able to think about this problem more carefully and choose the measures that fit your organization.

Not Really a Losing Battle?

OK, so, against a determined attacker, with sufficient time and no supervision, you've got little chance, right? Well, not quite. Most attackers don't quite think of all of these methods, or don't have the time/energy/wherewithal to apply them. Further, I would think that most attackers wouldn't choose a method that might be so time-intensive, when they can be caught on the scene. So, work to foil all but the most capable attacker with the steps above. Secure the operating system boot loader, the physical boot loader (BIOS...) and the hardware itself. The few attackers left will require lots of time to break in, which, along with fear of being caught, will often provide an ample deterrent.

Really, deterring the attacker is the name of the game for many of us. If we could get anywhere near to making a computer impossible to break into, it would be considered fairly unusable by most. So, we compromise. We remove all of the "easy" methods of breaking in, like the 30-second LILO: linux single or boot floppy "exploits" demonstrated above. We try to go as many steps further as we can, without disrupting normal use. If we can make our machines enough of a pain to root, most attackers will go after someone else. The remainder we'll have to try to catch or deter with other methods, like security systems and lab monitors. In the end, always remember, the attacker is a human being, with plenty of potential for creativity and brilliance.
Don't underestimate him/her! Good luck!

Footnotes

1. The absolute weakest layer of computer security is widely believed to be the social, or "people," layer. Crackers like Kevin Mitnick often broke in simply by calling users, pretending to be system administrators, and asking said users for their passwords.

2. By the way, Bastille Linux can perform both of these steps for you. (Wink, wink, plug, plug)

____

OB Duct Tape Hack
Date: Sun, 03 Sep 2000
kira@linuxgrrls.org

ObDuctTapeHack: If you get the wooden storage racks from the children's section of Ikea, the plastic boxes that go with them make excellent top-box luggage containers for motorbike usage. Just takes a little tape to stick the top on.

ObThat'sTooObviousHack: I used duct tape to stick tagged 7/5AF cells together to make a new pack for my Compaq LTE5100 ancient crappy laptop.

ObWhyNoWD40ThisTimeHack: WD40 makes an *excellent* polish for laminated wooden desk surfaces...

ObHeyThisiMacIsKindofCool: when it's running LinuxPPC :-)

Kira Brown.

___

Walk

A moonless night awaits my journey into the unknown, surrounded with the terrifying sounds of silence and the thick spring air thinking of careless times and childhood freedom just to realize the horror of times hold on humanity as it ticks by; no stars to wish upon desperately awaiting her smile, endless travel through the overgrown path sweat trickling down as nervousness takes over the thought, breathing, gasping, going nowhere, suddenly a wind passes by my soul and I start to shiver, droplets of water begin to fall, showering sounds take over the silence, still walking this path, ending where I began, I felt a warm moss touch my back. Fear ran down my spine, but alas, a hand touched mine, and gently whispered "I'm here, I'll walk with you from now on." My heart filled with happiness, and as the sun came, I saw her smile.
- Dead Musicians Society

____

Hacker Hypocrisy; @Stake/L0pht - 09/05/00 -

RE: SecurityFocus News: AtStake jilts Phiber Optik
http://www.securityfocus.com/templates/article.html?id=79

You know, in regards to @Stake I really don't know what to think. Here we are in the year 2000 talking about "hacker hypocrisy" and what happens to a group of people (L0pht) who, until just recently, stood for something pure in our hacking sub-culture. What happened? When multi-million-dollar venture capital is offered to a group of people who, for the better part of the 90's, relied on donations and t-shirt/CD sales, and eventually computer security consulting jobs, to break even -- well, of course they're going to take it. I mean, who wouldn't turn down a nice comfortable corporate career doing what they love?

WHO would have thought that a group who were so respected in the hacking scene would go about screwing over two of their own; Space Rogue (in June) and now Phiber Optik? The same group who were once going against the grain, doing their part for our culture and at the same time maintaining a certain amount of respect, have now sold out in a big, big way. It's one thing to take on a well-paying job, but it's another to have it interfere with what you love to do and have it ruin the friendships that were built over the years.

Maybe it's me ranting about something I really don't know anything about... disappointed in a group who I looked up to for so many years as "heroes of the information age" - maybe it's the rebellious generation-X all grown up? Whatever it may be is irrelevant now -- the damage has been done; it doesn't look like @Stake is bowing to hacking culture in any way at all.

---

The L0pht is no more, HNN is now very heavily saturated by the bureaucracy of @Stake stockholder value rather than fair media reporting, and now it seems they want nothing to do with any hacker convicted of ... hacking?
- The Clone
Nettwerked; "a web-site for the 780 undergr0und scene"
http://www.nettwerked.net

___

Model 001 Payphone Programming Guide

FEATURES:
* Coin operated line powered payphone.
* Keypad programmable.
* Multi coin phone: accepts nickels, dimes and quarters.
* Touch-tone dialing.
* Ringer On/Off switchable.
* Phone emits warning tone 15 seconds prior to end of call.

FACTORY PRESETS:
* Tone dialing
* Local calls: $0.25 for 3 minutes.
* Long distance calls: $0.75 for 1 minute.
* Information calls (1411/411): $0.50 for unlimited time.
* Restricted calls: operator, international, 1900, 1976, 976, and 1700.
* Free calls: 1800, 1888, 1877, and 911.
* Incoming calls for unlimited time.
* Allow 0+, calling card, and credit card calls.
* Pass Code: 000000

IMPORTANT: It is recommended that you read the 001 user's manual prior to installing and programming the phone.

TO INSTALL THE 001 PAYPHONE:
Simply plug the phone's line cord into a standard RJ11 outlet provided by the phone company.

TO REMOVE THE COIN BOX:
Locate the metal tabs at the rear of the phone and pull the top tab back. This will allow the coin box to be removed. To lock the coin box, close the tab and insert a padlock (not provided with phone) between the two holes of the tabs.

TO USE THE PAY PHONE:
1. Lift the handset; the LCD display will show HELLO
2. Dial the desired phone number; the display will show the amount to be deposited
3. Deposit the amount requested
4. Press the talk button when the other party answers
5. If you get a busy tone or a no-answer signal, hang up the handset and the money will be refunded

PROGRAMMING REFERENCE:
Note: All programming must be done in the program mode. The first important thing you need to do is to change the factory preset pass code. For all programming, press # to save the entry, press * to cancel.

To enter the program mode:
1. Enter # then the six-digit pass code 000000; the display will show FLASH then FREE
2. Enter the preset pass code, *#000000; the display will show P-. You are now in the program mode

To change the factory pass code:
1. Enter *96; the display will show the old pass code
2. Enter your new 6-digit pass code
3. Enter # to confirm; the display will show PASS

If you forget your pass code:
1. With the phone on hook, remove the tab underneath the base to reveal the dipswitches
2. Dipswitches should be: dipswitch-1 off, dipswitch-2 on, and dipswitch-3 on
3. Put dipswitch-1 on and go off hook
4. Enter #000000; the display will show FLASH then FREE
5. Enter *#000000; the display will show P-
6. Put dipswitch-1 off
7. Enter *96 and your new 6-digit pass code, then enter # to confirm; the display will show PASS
8. The pass code becomes your own 6-digit number.

To use the dipswitches:
- Dipswitch-1 resets the pass code. It is used as above.
- Dipswitch-2 sets tone or pulse dialing. For tone dialing, put it on; for pulse dialing, put it off.
- Dipswitch-3 sets the ringer on or off.

To check the amount of money in the coin box:
1. Enter *97; the display will show the cash amount
2. Enter # to reset or enter * to exit
(Example: 00075 is $0.75, 00100 is $1, and 20000 is $200)

To erase old program settings:
1. Enter *99; the display will show [99] CLr
2. Enter # to confirm; the display will blink CLr ----, then show PASS

To set the phone for a PBX:
To set the phone to work on a PBX where you will manually dial the prefix, i.e. 0 or 9:
1. Enter *13
2. Enter 1 then your 1-digit extension
3. Enter # to confirm; the display will show PASS

To set the phone to work on a PBX and automatically dial the prefix, i.e. 0 or 9:
1. Enter *13
2. Enter 2 then your 1-digit extension
3. Enter # to confirm; the display will show PASS

To set the phone for a regular line: (preset by factory)
1. Enter *13
2. Enter 00
3. Enter # to confirm; the display will show PASS

Incoming calls: (preset as unlimited time)
1. Enter *14
2. Enter your 2-digit time limit; it can be set from 01 minute to 98 minutes
3. Entering 00 will restrict incoming calls; entering 99 will allow unlimited time on incoming calls
4. Enter # to confirm, or enter * to cancel

Example: To set the incoming time limit to 5 minutes.
1. Enter *14
2. Enter 05
3. Enter # to confirm; the display will show PASS

Free calls:
There are 20 different locations you can use to allow 20 different free calls of up to 12 digits. These locations are *40 thru *59. To allow a particular number to be free, enter any location from *40 thru *59. Enter that particular number; if the number is less than 12 digits, enter # after the last number. Then enter # to confirm or enter * to cancel.

Example: To allow the number 281-550-5592 to be free.
1. Enter *45
2. Enter 2815505592#
3. Enter # to confirm; the display will show PASS. Or enter * to cancel the entry.

Restrict calls:
There are 20 different locations you can use to restrict 19 different numbers of up to 12 digits. These locations are *20 thru *39. To restrict a particular number, enter any location from *20 thru *39. Enter that particular number; if the number is less than 12 digits, enter # after the last number. Then enter # to confirm or enter * to cancel.

Example: To restrict 011 calls.
1. Enter *28
2. Enter 011#
3. Enter # to confirm; the display will show PASS. Or enter * to cancel the entry.

Rate bands:
*00 thru *12 allow you to create a total of 13 types of rate bands. The rate is set by an initial charge and time limit (in seconds) followed by an additional charge and time limit (in seconds).

| RATE BAND | RATE # | INITIAL RATE/TIME LIMIT | ADDITIONAL RATE/TIME LIMIT |
| *00       | 00     | 025180                  | 025180                     |
| *01       | 01     | 075060                  | 075060                     |
| *02       | 02     | 050999                  | 000999                     |
| *03       | 03     | Empty                   | Empty                      |
| *04       | 04     | Empty                   | Empty                      |
| *05       | 05     | Empty                   | Empty                      |
| *06       | 06     | Empty                   | Empty                      |
| *07       | 07     | Empty                   | Empty                      |
| *08       | 08     | Empty                   | Empty                      |
| *09       | 09     | Empty                   | Empty                      |
| *10       | 10     | Empty                   | Empty                      |
| *11       | 11     | Empty                   | Empty                      |
| *12       | 12     | Empty                   | Empty                      |

- *00 is used by factory preset for local calls, set at $.25 for the first 3 minutes and $.25 for each additional 3 minutes.
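An added example, not from the guide or the phone's manufacturer, that models how the rate band encoding tabulated above and the 3-digit memory-location prefix assignments described further down combine to price a call. The factory bands, restricted and free prefixes and memory locations are transcribed from the guide's FACTORY PRESETS; treating a 999-second time field as unlimited, resolving overlapping prefixes longest-first and checking restricted entries before free ones are my assumptions.

```python
import math

# Assumption: a time field of 999 seconds means "no limit", inferred from the
# factory *02 entry (050999 000999, described as "$.50 for unlimited time").
UNLIMITED = 999

# Transcribed from the guide's FACTORY PRESETS: rate bands (*00-*02), restricted
# prefixes (*20-*23), free prefixes (*40-*43) and memory locations 000-010.
RATE_BANDS = {"00": "025180 025180", "01": "075060 075060", "02": "050999 000999"}
RESTRICTED = ["1900", "1976", "976", "1700"]
FREE = ["1800", "1877", "1888", "911"]
MEMORY = {"1": "01", "2": "00", "3": "00", "4": "00", "5": "00", "6": "00",
          "7": "00", "8": "00", "9": "00", "1411": "02", "411": "02"}


def parse_rate_band(entry):
    """Split a 'RRRTTT RRRTTT' entry into cents and seconds for the initial and
    additional periods, e.g. '050180 025120' -> 50c/180s then 25c/120s."""
    digits = entry.replace(" ", "")
    if len(digits) != 12 or not digits.isdigit():
        raise ValueError("rate band must be two RRRTTT groups, got %r" % entry)
    return {"initial_cents": int(digits[0:3]), "initial_secs": int(digits[3:6]),
            "add_cents": int(digits[6:9]), "add_secs": int(digits[9:12])}


def charge_cents(entry, seconds):
    """Deposit required, in cents, for a call lasting `seconds` under `entry`."""
    b = parse_rate_band(entry)
    if b["initial_secs"] == UNLIMITED or seconds <= b["initial_secs"]:
        return b["initial_cents"]
    if b["add_secs"] in (0, UNLIMITED):
        # Assumption: one additional charge then covers the rest of the call.
        return b["initial_cents"] + b["add_cents"]
    extra_periods = math.ceil((seconds - b["initial_secs"]) / b["add_secs"])
    return b["initial_cents"] + extra_periods * b["add_cents"]


def rate_for(dialed, memory=MEMORY):
    """Rate number from the memory locations. Assumption: the longest stored
    prefix wins, so '1411' (rate 02) beats the bare '1' entry (rate 01)."""
    matches = [prefix for prefix in memory if dialed.startswith(prefix)]
    return memory[max(matches, key=len)] if matches else None


def price_call(dialed, seconds, restricted=RESTRICTED, free=FREE,
               memory=MEMORY, bands=RATE_BANDS):
    """Classify a dialed number the way the programming sections describe:
    ('restricted', None), ('free', 0), ('rated', cents) or ('unassigned', None).
    Assumption: restricted entries are checked before free ones."""
    if any(dialed.startswith(p) for p in restricted):
        return "restricted", None
    if any(dialed.startswith(p) for p in free):
        return "free", 0
    rate = rate_for(dialed, memory)
    if rate is None or rate not in bands:
        return "unassigned", None
    return "rated", charge_cents(bands[rate], seconds)


if __name__ == "__main__":
    # The guide's own example band: $.50 for the first 3 minutes, $.25 per extra 2 minutes.
    for secs in (180, 181, 300, 301):
        print("050180 025120 for %ds -> %d cents" % (secs, charge_cents("050180 025120", secs)))
    # Constructed sample numbers run through the factory presets.
    for number in ("2815505592", "12815505592", "1411", "19005551234", "18005551234"):
        print(number, price_call(number, 400))
```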
- *01 is used by factory preset for long distance calls, set at $.75 for the first minute and $.75 for each additional minute.
- *02 is used by factory preset for information calls (1411 & 411), set at $.50 for unlimited time.

To create a rate band, enter any empty rate band from *00 thru *12 and set up the initial rate and time limit followed by the additional rate and time limit.

Example: To set up a rate band to charge $.50 for the first 3 mins, and $.25 for each additional 2 mins.
1. Enter *03
2. Enter 050180 025120; the initial rate 050180 is 50 cents for 180 seconds, the additional rate 025120 is 25 cents for 120 seconds.
3. Enter # to confirm; the display will show PASS. Or enter * to cancel the entry.

Assign area codes or prefixes to rate bands:
There are a total of 100 3-digit memory locations that may be used to assign special area codes and/or prefixes to a particular rate band (*00 thru *12). These 3-digit memory locations are 000 thru 099. First create a rate band containing the charges and time limits you want (see Rate bands), and then assign an area code or area code/prefix in a particular 3-digit memory location from 000 thru 099. Enter # after the last number if the area code and/or prefix is less than 7 digits. Then enter the rate number for the particular rate band you created and enter # to confirm.

Example 1: To assign the area code 1-281 to the long distance rate band in memory location 056. (Assume *01 is kept as the factory preset.)
1. Enter 056 1281#01
2. Enter # to confirm; the display will show PASS. Or enter * to cancel the entry.

Example 2: To assign the area code 1-713 and prefix 551 to charge $.75 for the first minute and $.25 for each additional minute.
First create a rate band (we choose rate band *10):
1. Enter *10
2. Enter 075060 025060
3. Enter # to confirm; the display will show PASS
Then assign the area code and prefix to a particular 3-digit memory location, and assign it to the rate band we just created by its rate number (we choose 3-digit memory location 088):
1. Enter 088 1713551#10
2. Enter # to confirm; the display will show PASS

To allow/disallow 0- calls: (factory set to disallow)
To allow 0- calls:
1. Enter *60
2. Enter 1
3. Enter # to confirm; the display will show PASS
To disallow 0- calls:
1. Enter *60
2. Enter 0
3. Enter # to confirm; the display will show PASS

To enable/disable 0+ rerouting calls: (factory set to enable)
To enable 0+ rerouting calls:
1. Enter *61
2. Enter 1
3. Enter # to confirm; the display will show PASS
To disable 0+ rerouting calls:
1. Enter *61
2. Enter 0
3. Enter # to confirm; the display will show PASS

Cut off time: (factory set as 5 seconds)
*62 is programmed to set a cut off time on calls using 0 or Operator as the leading number prior to the prefix. If additional numbers are not entered within the preset time, the connection will be broken and deposited coins will be returned. This function is effective only under the condition that there is no reroute number in *63.
To change the cut off time:
1. Enter *62
2. Enter the 1-digit time limit in seconds
3. Enter # to confirm; the display will show PASS
Example: To set the cut off time to 3 seconds.
1. Enter *62
2. Enter 3
3. Enter # to confirm; the display will show PASS

To reroute number:
*63 is used to program a 0+ reroute number that will be dialed out when you dial 0. This number can be up to 29 digits; if the number is less than 29 digits, enter # after the last number. The factory preset reroute number is 18884562277 pause 2815505592.
Example: If you want to set up the reroute number as 1010222.
1. Enter *63
2. Enter 1010222*0#; the display will show [63] 1010222-0=
3. Enter # to confirm; the display will show PASS
When customers dial 0-281-550-5592, the phone will actually dial: 1010222 pause 0-281-550-5592. * is used to put a pause in the reroute number.
Example: If you want to set up the reroute number as 18884562277 pause 2815505592.
1. Enter *63
2. Enter 18884562277*28155055920#; the display will show [63] 18884562277-28155055920=
3. Enter # to confirm; the display will show PASS
When customers dial 0-956-855-2345, the phone will actually dial 1888-456-2277 pause 281-550-5592-0-956-855-2345.

To set the pause time in the reroute number: (factory set at 5 seconds)
1. Enter *64
2. Enter the time in seconds (1 digit)
3. Enter # to confirm; the display will show PASS
Example: To set the pause time to 3 seconds.
1. Enter *64
2. Enter 3
3. Enter # to confirm; the display will show PASS

To clear the reroute number:
1. Enter *63
2. Enter #
3. Enter # to confirm; the display will show PASS

OWNERS TO MAKE A FREE COINLESS CALL:
1. Enter # then your pass code; the display will show FLASH then FREE
2. You are now able to make a free call

ERROR CODE LIST:
- Error 2: Dialed a restricted number or an invalid number.
- Error 4: Coin mechanism is full or has a coin jam.
- Error 6: No number dialed for 25 seconds after the handset is lifted.
- Error 7: Not enough coins deposited within 25 seconds.
- Error 8: The line has been connected for a long time but no one answers.

FACTORY PRESETS:
*#000000                Pass code
*00 025180025180#       Rate 00 for local at $.25 for 3 mins. and $.25 for each add'l 3 mins.
*01 075060075060#       Rate 01 for long distance at $.75 for 1 min. and $.75 each add'l min.
*02 050999000999# Rate 02 for information (411/1411) set at $.50 for unlimited time limit *13 00# Regular line dialing *14 99# Incoming calls set at unlimited time Restricted calls: *20 1900## Used to restrict 1900#s *21 1976## Used to restrict 1976#s *22 976## Used to restrict 976#s *23 1700## Used to restrict 1700#s Free calls: *40 1800## Used to allow 1800 toll free calls *41 1877## Used to allow 1877 toll free calls *42 1888## Used to allow 1888 toll free calls *43 911## Used to allow free emergency 911 calls *60 0 Used to disallow 0- calls *61 1 Used to allow 0+ calls *62 5 Cut off time set at 5 seconds *64 5 Pause time set at 5 seconds 000 through 099 3-Digit Memory locations 000 1#01# 1+ Long distance calls set a rate 01 001 2#00# 001 thru 008 are 3-digit memory locations 002 3#00# used to set local calls at rate 00 003 4#00# 004 5#00# 005 6#00# 006 7#00# 007 8#00# 008 9#00# 009 1411#02# 1411 calls set at rate 02 010 411#02# 411 calls set at rate 02 TECHNICAL SPECIFICATIONS: Complies with part 68, FCC rules FCC Regulation Number: 4N9THA-30319-CX-E Ringer Equivalence: 1.0A U.S.O.C.: RJ11C Model Number: ST-001 w w w . n e t t w e r k e d . n e t 0 8 . 3 1 . 2 0 0 0 ___ ------------------ Salut ,bon aujourd'hui ma vous présenter un systême de VMB,PBX qui j'ai nommer acces total car c'est la compagnie qui s'occuper de ca qui s'appelle dememe et j'ai pas trouver de nom officiel.C'est mon ami Loster qui ma donner un pbx dememe, mais j'avais jusqu'a resamment tester un peut toute les options que je vais vous faire partager.Pour ce qui est des nip (passwords)avant c'était les deux pbx que j'avais était de 4 numéro mais vu qu'il y a eu quelque abuseur (regarder moi pas comme ca)ben il on augmenter la sécurité selon ce que Neuro ma dis.Bon la vous saver un peu l'historique ,bon maitenant ce trouver un numero 990 a hacker .C'est ultra simple dans tout le range (450)(514)-990-XXX c'est rien que de ca! 
You could also look in the newspapers, since several free erotic lines are in the 990s, or simply escort agencies (gang of perverts). OK, when you call you're going to hear a message and then it transfers to something else. It's before the transfer, right when it answers, that you have to immediately dial a password. It's usually between 6 and 10 digits (although before there were some with 4). You have to enter two, then *, otherwise it disconnects you. Since it's 6 digits or more it's not easy to remember, so you try either the number backwards or simple things the person might have set (see the Pyrofreak or NPC zines).

Tech sheet: Reminder
- Found mostly in (450)(514)-990-XXX
- You enter the NIP quickly at the start, right when it answers
- You enter two NIPs then press *, otherwise after three it disconnects you
- NIP usually between 6 and 10 digits

MENU

2 - Call forwarding
    "How do you want your calls to be forwarded? Your calls are currently forwarded to..... Enter the two digits of the memory slot to forward your calls, or press * to keep the current forwarding setting."

6 - Send a message
    "Please enter the Access Total number to which you want to send a message"

0 - Help

8 - Advanced functions
    1 - Record a greeting message for a memory slot
    2 - Record the standard intro
    3 - Change the reserved number
    4 - Change the recorded name
    5 - Activate the weekly schedule
    6 - Deactivate the schedule
    7 - Listen to the system intro and change the NIP
        "Please enter your new NIP now"

9 - Make a call (only within 450/514, unfortunately)
    If you want to make another call afterwards, press ## twice. Handy if you're in a phone booth!!
* - Forward
# - Back

To conclude, if you have trouble finding the passwords, I have a friend who managed to do some social engineering by passing himself off as someone from Bell Canada, so it's up to you to try whatever you can to succeed. Have phone!

Flopik

___

US NATIONAL PARTYLINE NUMBERS

Submitted by: Kybo_Ren
On: Friday September 1, 2000
For: Canadian Phreakers Union

Notes: The following party line phone numbers offer free sign-up and private conference rooms for up to 8 people. Use these numbers for your conferences, but please don't abuse the systems because that just ruins it for the rest of us...

- Boston Donut          617-933-7760
- Chitown Underground   312-602-1212
- Connecticut Raven     860-835-7760
- Mars Hotel            815-333-4356
- Miami Raven           305-503-7771
- Miami Zoo             305-503-7777
- NYC Club 30           718-280-7779
- Raven                 305-503-7771
- Roach                 305-503-1878
- ""                    215-825-7776
- ""                    305-503-7771
- Viper                 305-503-1877

END

___

[-` Rogers/AT&T Pay-As-You-Go Billing Vulnerability `-]

Advisory released: Tuesday August 29, 2000
Severity: Pay-As-You-Go billing vulnerability on the part of Rogers/AT&T allowing anyone (especially YOU!) to exploit it and make local/national/international calls for free.
Author: The Clone

--

Disclaimer; I don't take responsibility for anything in this file because an Iranian terrorist group known as 'habakkkoktao' has held me at gun point requesting that I write this or they're going to shoot me. Don't blame me, blame them!

Introduction;

Rogers/AT&T (Canada) offers to its customers a particular service plan known as the "ROGERS/AT&T Pay-As-You-Go Wireless Plan". This "plan" entitles you to full local, national, and international wireless service within the coverage areas that it offers (see www.rogers.ca for coverage info). In order to make use of the pre-paid wireless service, you must first sign up by:

1. Dialing one of the following toll-free numbers from a landline phone (between 8:00am-9:00pm weekdays, 8:00am-6:00pm Saturdays and holidays):
   1-800-663-1415 - British Columbia, Alberta, Saskatchewan, Manitoba
   1-800-268-7347 - Ontario
   1-800-361-0538 (1-800-ROGERS AT&T) - Quebec, New Brunswick, Nova Scotia, Prince Edward Island, Newfoundland
OR
2. Walking into any Rogers/AT&T store or certified dealership and signing up there. Want to order over the phone or need help finding the nearest dealership? Call: 1-888-448-7994
OR
3. Buying 'Pay-As-You-Go' online: http://www.rogers.ca/wireless/english/voice/pay/buy/index.html

Pre-Paid Cards;

By going to any Rogers/AT&T wireless store location, you can pick yourself up one of many different Pay-As-You-Go cards. What I usually buy are the $25 1-hour cards because they're cheap and I'm not really huge on talking on tumor-causing insecure radio transmitter/receivers.

Activating your Card;

After purchasing your pre-paid card, what you can do is call up one of the INWATS numbers listed above (from a landline) that services your local area and speak to one of the friendly customer service representatives who'll be MORE than happy to help you out. Tell them that you just purchased a pre-paid card and that you'd like them to renew the time on your phone.

Re-filling your time;

Either buy another Pay-As-You-Go card from a Rogers/AT&T dealership, call them up and pay with your credit card, OR see step 3 [above].

--

The Vulnerability - as a scenario.
- Johnny picks up his wireless Rogers/AT&T pre-paid phone and turns it on
- Johnny hears a beep, looks at his phone and notices that he has a lot of battery power left
- Johnny feels glee and lets out a huge *sigh*
- Johnny then proceeds to dial his boyfriend Frank's phone number
- Johnny prepares to listen to the beautifully sounding automated female recording (that makes him for a moment in his very homosexual life want to be heterosexual just so he'd know what it was like to actually lust for such an angelic voice) read off the number of minutes he has left for his call (account balance).
- Too bad for Johnny; no automated voice at all! "What duth dith mean?" lisps the very gay, confused, and curious Johnny.

Well Johnny, what just occurred was simple; the Rogers/AT&T Pay-As-You-Go billing system didn't recognize your account, therefore you weren't billed for that particular call. Each time the automated voice plays, you're billed for the call - each time it doesn't, you aren't. I've estimated (from my personal experience) that the billing errors occur approximately 40% of the time, while 60% of the time the billing goes through absolutely fine.

One could easily exploit this vulnerability by hanging up the call every time the automated voice appears on the phone, re-dialing the desired number and repeating the process until the automated voice doesn't appear. Simply pay for only one $25 Pay-As-You-Go card and keep exploiting the Rogers/AT&T system, calling any number you wish in the world for absolutely free! No one gets billed, no one is hurt. Leech off the capitalist pigs while you still can!

-END-

___

A Guide to General Packet Radio Service

Written by: PsychoSpy and The Clone
Date: Sunday September 3, 2000

GPRS (short for General Packet Radio Service) is a data service upgrade for GSM networks. This allows GSM networks to be completely compatible with the Internet. GPRS uses a packet-mode technique to transfer traffic in bursts.
These bursts allow higher efficiency, and therefore higher speeds. The packet bursting technique is also used in DSL modems and other methods of high-speed Internet access. Due to this technique GPRS allows bit rates from 9.6 Kbps to anywhere more than 150 Kbps per user.

There are a couple of major benefits of using GPRS. These include better use of radio/network resources and completely transparent support of IP. Radio resources are only used when data is being sent and/or received. GPRS also provides an immediate connection (again like DSL or cable) and a high throughput. It also allows end user applications to occupy the network only when data is being transferred, and is an almost perfect design for the short data bursts which data applications seem to have these days. Applications based on standard (data) protocols like IP and X.25 are supported. Four different quality of service levels are supported by GPRS.

To support data apps, GPRS uses several new network nodes in addition to the GSM PLMN network nodes. They are responsible for traffic routing and various other internetworking functions with other, external, packet-switched data networks (can anyone say Datapac?), subscriber location, cell selection, roaming and all the other functions which all cellular networks need to operate.

Now that we have the general info on what GPRS is, I will talk about a few other protocols which are linked with GPRS.

NS
~~
NS (Network Service) transfers the NS SDUs between the SGSN (Serving GPRS Support Node) and the BSS (Base Station System). There are several services which are provided to the NS user. They include:

Network Congestion Indication - The Sub-Network Service (i.e. Frame Relay) performs congestion recovery control actions. The network service uses various congestion reporting mechanisms which are in the Sub-Network Service implementation.

Status Indication - Is used to tell the NS user of NS-affecting events. An example is a change in the capabilities of transmission.
Network Service SDU Transfer - Allows network service primitives. This lets upper layer protocol data units be transmitted and received between the BSS and the SGSN. NS SDUs are transferred in order by the Network Service, but under certain circumstances order might not be maintained.

The NS PDU format is:

            1 byte
 |----------------------------|
 |          PDU Type          |
 |----------------------------|
 | Other Information Elements |
 |----------------------------|

The PDU Type can be any of the following:

 NS-ALIVE
 NS-ALIVE-ACK
 NS-BLOCK
 NS-BLOCK-ACK
 NS-RESET
 NS-RESET-ACK
 NS-STATUS
 NS-UNBLOCK
 NS-UNBLOCK-ACK
 NS-UNITDATA

Next we're onto the Information Elements (IEs) of the PDU. The IEs which are present depend on what the PDU type is. The structure of an IE is as follows:

             1 byte
 |------------------------------|
 | Information Element ID (IEI) |
 |------------------------------|
 |       Length Indicator       |
 |------------------------------|
 |  Information Element Value   |
 |------------------------------|

The first octet of an information element, having the TLV format, contains the IEI of the IE. If the IEI is not known to the receiver, the receiver assumes that the next octet is the first octet of the length indicator. This rule allows the receiver to skip unknown IEs and analyze any following elements.

Next up is the length indicator. This varies in length, and can be either one or two octets long; the second octet may not be present. This field carries the field extension bit, 0/1 ext, closely followed by the length of the value field in octets. The 8th bit of the first octet is reserved for the field extension bit. If the field extension bit is set to zero, the second octet of the length indicator is present. If it is set to one, then the first octet is the final octet of the length indicator.

Lastly, the IE Value.
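As an added example (not code from the K-1ine article), here is a decoder that walks the IEs of an NS PDU exactly as the text above lays them out: one IEI octet, a length indicator whose bit 8 is the field extension bit (1 = single octet, 0 = a second octet follows), then the value. It assumes the two-octet length is the low 7 bits of the first octet followed by the second octet, and it uses constructed IEI/PDU-type numbers since the article gives names but no code points; a truncated IE is reported rather than silently accepted.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class InfoElement:
    iei: int        # Information Element Identifier (first octet of the IE)
    value: bytes    # Information Element Value
    known: bool     # False when the IEI was not in the receiver's table


@dataclass
class NsPdu:
    pdu_type: int
    elements: List[InfoElement]


class NsDecodeError(ValueError):
    """Raised when a length indicator or IE value runs past the end of the PDU."""


def decode_length_indicator(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (length, octets_consumed) for the length indicator at buf[pos].

    Bit 8 of the first octet is the field extension bit:
      1 -> this is the final (only) octet; the length is its low 7 bits
      0 -> a second octet follows; the length is the 15 bits formed by the
           low 7 bits of the first octet followed by the second octet
           (big-endian combination assumed for this example)
    """
    if pos >= len(buf):
        raise NsDecodeError("truncated length indicator")
    first = buf[pos]
    if first & 0x80:
        return first & 0x7F, 1
    if pos + 1 >= len(buf):
        raise NsDecodeError("second length octet missing")
    return ((first & 0x7F) << 8) | buf[pos + 1], 2


def decode_ns_pdu(buf: bytes, known_ieis: Set[int]) -> NsPdu:
    """Decode a TLV-formatted NS PDU: PDU type octet followed by IEs.

    An unknown IEI is not fatal: per the rule in the text, the receiver treats the
    next octet as the start of the length indicator and skips the value, so the IEs
    that follow can still be analyzed. A value that claims more octets than remain
    is an error, not a partial element.
    """
    if not buf:
        raise NsDecodeError("empty PDU")
    pdu_type = buf[0]
    pos = 1
    elements: List[InfoElement] = []
    while pos < len(buf):
        iei = buf[pos]
        length, used = decode_length_indicator(buf, pos + 1)
        start = pos + 1 + used
        end = start + length
        if end > len(buf):
            raise NsDecodeError(
                f"IE 0x{iei:02x} declares {length} octets but only {len(buf) - start} remain")
        elements.append(InfoElement(iei, buf[start:end], iei in known_ieis))
        pos = end
    return NsPdu(pdu_type, elements)


def decode_or_error(buf: bytes, known_ieis: Set[int]):
    """Convenience wrapper: return the decoded PDU, or the error text on failure."""
    try:
        return decode_ns_pdu(buf, known_ieis)
    except NsDecodeError as exc:
        return str(exc)


# Constructed sample PDU (not a captured frame). The IEI values 0x10, 0x7E and 0x20
# and the PDU type 0x0A are demo numbers, not the spec's code points.
SAMPLE_PDU = bytes([
    0x0A,                                # PDU type
    0x10, 0x82, 0x01, 0x02,              # IEI 0x10, ext=1 -> 1-octet length 2
    0x7E, 0x81, 0xFF,                    # IEI 0x7E unknown to receiver, length 1: skipped
    0x20, 0x00, 0x03, 0xAA, 0xBB, 0xCC,  # IEI 0x20, ext=0 -> 2-octet length 0x0003
])
KNOWN_IEIS = {0x10, 0x20}

# Same PDU cut short inside the last IE value: must be flagged, not accepted.
TRUNCATED_PDU = SAMPLE_PDU[:-1]


def demo() -> List[Tuple[int, str, bool]]:
    pdu = decode_ns_pdu(SAMPLE_PDU, KNOWN_IEIS)
    return [(ie.iei, ie.value.hex(), ie.known) for ie in pdu.elements]


if __name__ == "__main__":
    print(demo())
    print(decode_or_error(TRUNCATED_PDU, KNOWN_IEIS))
```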
The following IEs can be present, but are, once again, dependent on the PDU type:

 Cause
 NS-VCI
 NS PDU
 BVCI
 NSEI

BSSGP
~~~~~
The primary functions of the BSSGP are:
- Provision by an SGSN to a BSS of radio related information used by the RLC/MAC function (in the downlink)
- Provision by a BSS to an SGSN of radio related information from the RLC/MAC function (in the uplink)
- Provision of functionality to allow two physically distinct nodes, an SGSN and a BSS, to operate node management control functions.

The BSSGP PDU format is:

            1 byte
 |----------------------------|
 |          PDU Type          |
 |----------------------------|
 | Other Information Elements |
 |----------------------------|

LLC
~~~
The LLC (Logical Link Control) defines the logical link control layer protocol to be used for (packet) data transfer between the MS (Mobile Station) and a Serving GPRS Support Node (SGSN). LLC runs from the MS to the SGSN and is intended to be used for both acknowledged and unacknowledged data transfers. LLC's defined frame formats are based on the ones defined for LAPD and RLP. However, there are major differences between LLC and those other protocols, in particular in the frame delimitation methods and transparency mechanisms. These differences are necessary for independence from the radio path.

Two methods of operation are supported by LLC. These are:
- Unacknowledged peer-to-peer operation
- Acknowledged peer-to-peer operation

All LLC layer peer-to-peer exchanges are in frames of the following format:

             1 byte
 |------------------------------|
 |           Address            |
 |------------------------------|
 |           Control            |
 |------------------------------|
 |         Information          |
 |------------------------------|
 |             FCS              |
 |------------------------------|

The address field contains the SAPI and identifies the DLCI for which a downlink frame is intended and the DLCI transmitting an uplink frame.
The length of the address field is 1 byte, and it has the following format:

      _______________________________
 Bit |   8      7      6 5     4-1   |
     |-------------------------------|
     |  PD     C/R     XX     SAPI   |
     |-------------------------------|

- The protocol discriminator (PD) shows whether a frame is LLC or belongs to a different protocol. LLC frames have the PD bit set to zero. The frame is treated as invalid if its PD bit is set to 1.
- The C/R bit identifies a frame as either a command or a response. The MS side sends commands with the C/R bit set to zero, and responses with it set to 1. The SGSN does the opposite (commands are sent with C/R set to 1, and responses with it set to 0).
- The XX bits are reserved bits.
- The Service Access Point Identifier (SAPI) identifies a point where LLC services are provided by an LLE to a layer-3 entity.

After the address comes the control field. This identifies the type of frame. There are four types of control field formats. They are:
- Confirmed information transfer (I format)
- Supervisory functions (S format)
- Unconfirmed information transfer (UI format)
- Control functions (U format)

Next is the information field. This contains various commands and responses.

The FCS (Frame Check Sequence) field consists of a 24-bit cyclic redundancy check (CRC) code. CRC-24 is used to detect bit errors in the frame header and information fields.

SNDCP
~~~~~
SNDCP (Sub-Network Dependent Convergence Protocol) uses the services provided by the LLC layer and the SM (Session Management) sub-layer. The four main functions of SNDCP are:
- Multiplexing of several PDPs (Packet Data Protocols)
- Compression/decompression of user data
- Compression/decompression of protocol control information
- Segmentation of a network protocol data unit (N-PDU) into LLC protocol data units (LL-PDUs) and re-assembly of LL-PDUs into an N-PDU

Data transfer is acknowledged by the SN-DATA PDU.
The format of the SN-DATA PDU is:

   8   7   6   5            4-1
 |---|---|---|---|-----------------------|
 | X | C | T | M |         NSAPI         |
 |---------------|-----------------------|
 |     DCOMP     |         PCOMP         |
 |---------------------------------------|
 |                                       |
 |                 Data                  |
 |---------------------------------------|

The SN-UNITDATA PDU (used to acknowledge data transfer) has the following format:

   8   7   6   5            4-1
 |---|---|---|---|-----------------------|
 | X | C | T | M |         NSAPI         |
 |---------------|-----------------------|
 |     DCOMP     |         PCOMP         |
 |---------------|-----------------------|
 | Segment offset|      N-PDU Number     |
 |---|-----------------------------------|
 | E |      N-PDU Number (Cont'd)        |
 |---|-----------------------------------|
 |                                       |
 |                 Data                  |
 |---------------------------------------|

NSAPI (Network Service Access Point Identifier). The values of this field may be any one of the following:

 ------|--------------------------------------------------
   0   | Escape mechanism for future extensions
 ------|--------------------------------------------------
   1   | Point-to-multipoint multicast (PTM-M) information
 ------|--------------------------------------------------
  2-4  | Reserved for future use
 ------|--------------------------------------------------
  5-15 | Dynamically allocated NSAPI value
 ------|--------------------------------------------------

M is the "more" bit. Its values may be:

 ------|-------------------------------------------------------
   0   | Last segment of N-PDU
 ------|-------------------------------------------------------
   1   | Not the last segment of N-PDU, more segments to follow
 ------|-------------------------------------------------------

The T bit, SN-PDU type, specifies whether the PDU is SN-DATA (0) or SN-UNITDATA (1).

C is the compression indicator. If set to 0, the compression fields DCOMP and PCOMP are not included. If set to 1, these fields are included.

X is the spare bit. This is always set to 0.

DCOMP (Data Compression Coding) is included if the C bit is set.
DCOMP values are:

 ------|------------------------------------------------
   0   | No compression
 ------|------------------------------------------------
  1-14 | Points to the data compression identifier
       | negotiated dynamically
 ------|------------------------------------------------
  15   | Reserved for future extensions
 ------|------------------------------------------------

PCOMP (Protocol Control Information Compression Coding) is included if the C bit is set. The PCOMP values are:

 ------|------------------------------------------------
   0   | No compression
 ------|------------------------------------------------
  1-14 | Points to the protocol control information
       | compression identifier negotiated dynamically
 ------|------------------------------------------------
  15   | Reserved for future extensions
 ------|------------------------------------------------

N-PDU Number: 0-2047 when the extension bit is set to 0; 2048-524287 if the extension bit is set to 1.

RLP
~~~
The Radio Link Protocol (RLP) is used to transmit data over the GSM PLMN. RLP covers the functionality of Layer 2 of the ISO OSI Reference Model. It has been tailored to the needs of digital radio transmission and provides an OSI data link service. It spans from the MS (Mobile Station) to the interworking function, which is located at the nearest MSC (Mobile Switching Center) or even further.

There are currently three versions of RLP: Version 0 is a single-link basic version, Version 1 is a single-link extended version, and Version 2 is a multi-link version.

RLP frames are fixed in length. A frame can be either 240 or 576 bits. The frame consists of a header, an information field, and an FCS field. The format of the 240-bit frame is:

  _____________________________________
 |  Header |   Information   |  FCS   |
 |---------|-----------------|--------|
 |  16 bit |     200 bit     | 24 bit |
 |---------|-----------------|--------|
 |  24 bit |     192 bit     | 24 bit |
 |---------|-----------------|--------|

The header is 16 bits in versions 0 and 1, and in the U frames of version 2.
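As an added example (not code from the article), the following decodes the two one-octet headers described in the LLC and SNDCP sections above: the LLC address octet (PD bit 8, C/R bit 7, XX bits 6-5, SAPI bits 4-1, with the C/R meaning depending on which side sent the frame) and the first octets of an SNDCP PDU (X, C, T, M, NSAPI, then the DCOMP/PCOMP nibbles only when C is set). The SN-UNITDATA segment and N-PDU number octets are deliberately left out, and the sample bytes are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LlcAddress:
    is_command: bool   # command vs. response, already adjusted for direction
    sapi: int          # Service Access Point Identifier, bits 4-1


def decode_llc_address(octet: int, from_ms: bool) -> LlcAddress:
    """Decode the LLC address field octet.

    PD (bit 8) must be 0: a frame with PD=1 is not an LLC frame and is invalid.
    C/R (bit 7) reads as 'command' when 0 from the MS and when 1 from the SGSN,
    so the caller states which side the frame came from.
    """
    if octet & 0x80:
        raise ValueError("PD bit set: frame is not LLC, treat as invalid")
    cr = (octet >> 6) & 1
    is_command = (cr == 0) if from_ms else (cr == 1)
    return LlcAddress(is_command=is_command, sapi=octet & 0x0F)


def describe_nsapi(nsapi: int) -> str:
    """Map an NSAPI value to the meaning given in the article's table."""
    if nsapi == 0:
        return "Escape mechanism for future extensions"
    if nsapi == 1:
        return "Point-to-multipoint multicast (PTM-M) information"
    if 2 <= nsapi <= 4:
        return "Reserved for future use"
    return "Dynamically allocated NSAPI value"


def describe_comp(value: int, kind: str) -> str:
    """Map a DCOMP/PCOMP nibble to its meaning (same shape for both fields)."""
    if value == 0:
        return "No compression"
    if value == 15:
        return "Reserved for future extensions"
    return f"{kind} compression identifier {value}, negotiated dynamically"


@dataclass
class SndcpHeader:
    pdu_kind: str          # "SN-DATA" when T=0, "SN-UNITDATA" when T=1
    last_segment: bool     # M=0 means last segment of the N-PDU
    nsapi: int
    dcomp: Optional[int]   # present only when C=1
    pcomp: Optional[int]   # present only when C=1
    header_len: int        # octets consumed (1 or 2)


def decode_sndcp_header(buf: bytes) -> SndcpHeader:
    """Decode octet 1 (X C T M NSAPI) and, if C is set, octet 2 (DCOMP | PCOMP).

    X is a spare bit that must be 0. If C says the compression octet is present
    but the PDU ends first, that is a malformed PDU, not an optional field.
    """
    if not buf:
        raise ValueError("empty SNDCP PDU")
    first = buf[0]
    if first & 0x80:
        raise ValueError("spare X bit must be 0")
    c = (first >> 6) & 1
    t = (first >> 5) & 1
    m = (first >> 4) & 1
    nsapi = first & 0x0F
    dcomp = pcomp = None
    header_len = 1
    if c:
        if len(buf) < 2:
            raise ValueError("C bit set but DCOMP/PCOMP octet missing")
        dcomp, pcomp = buf[1] >> 4, buf[1] & 0x0F
        header_len = 2
    return SndcpHeader("SN-UNITDATA" if t else "SN-DATA", m == 0, nsapi,
                       dcomp, pcomp, header_len)


# Constructed samples, not captured traffic.
LLC_ADDR_SAPI3 = 0x03            # PD=0, C/R=0, XX=00, SAPI=3
SNDCP_SAMPLE = bytes([0x55,      # X=0 C=1 T=0 M=1 NSAPI=5 -> SN-DATA, more to follow
                      0x01,      # DCOMP=0 (none), PCOMP=1
                      0xDE, 0xAD])


def demo():
    ms_view = decode_llc_address(LLC_ADDR_SAPI3, from_ms=True)
    sgsn_view = decode_llc_address(LLC_ADDR_SAPI3, from_ms=False)
    hdr = decode_sndcp_header(SNDCP_SAMPLE)
    return ms_view.is_command, sgsn_view.is_command, hdr


if __name__ == "__main__":
    print(demo())
```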
It is 24 bits in the S and I+S frames of version 2.

The format of the 576-bit frame is:

  _____________________________________
 |  Header |   Information   |  FCS   |
 |---------|-----------------|--------|
 |  16 bit |     536 bit     | 24 bit |
 |---------|-----------------|--------|
 |  24 bit |     528 bit     | 24 bit |
 |---------|-----------------|--------|

The header is 16 bits in version 1 and in the U frames of version 2. It is 24 bits in the S and I+S frames of version 2.

The header contains control information. This control information can be any one of three types:
1) Un-numbered protocol control information (U frames)
2) Supervisory information (S frames)
3) User information carrying supervisory information piggybacked (I+S frames)

The FCS (Frame Check Sequence) field in RLP is just like the FCS used in LLC, which was discussed earlier.

RLP can be in either Asynchronous Balanced Mode (ABM) or Asynchronous Disconnected Mode (ADM). ABM is the data link operational mode, while ADM is the data link non-operational mode.

Now we're going to get into some, maybe, confusing diagrams. The following diagram shows the structure of versions 0 and 1. N(S) has its low-order bit at bit 4, and N(R) has its low-order bit at bit 11. Bits 1-16 are as follows:

      bit 1    2    3    4   5   6   7   8   9   10    11   12   13   14   15   16
     |-----|----|----|---|---|---|---|---|---|-----|----|----|----|----|----|----|
 U   | C/R | X  | X  | 1 | 1 | 1 | 1 | 1 | 1 | P/F | M1 | M2 | M3 | M4 | M5 | X  |
     |-----|----|----|---|---|---|---|---|---|-----|----|----|----|----|----|----|
 S   | C/R | S1 | S2 | 0 | 1 | 1 | 1 | 1 | 1 | P/F |            N(R)            |
     |-----|----|----|---|---|---|---|---|---|-----|----------------------------|
 I+S | C/R | S1 | S2 |          N(S)         | P/F |            N(R)            |
     |-----|----|----|-----------------------|-----|----------------------------|

Version 2: S is an L2R status bit, N(S) has its low-order bit at bit 1, N(R) has its low-order bit at bit 14, and UP is the UP bit.
Bits 1-24 are as follows:

      bit 1    2    3    4   5   6   7   8   9   10    11    12   13     14-22     23   24
     |-----|----|----|---|---|---|---|---|---|-----|-----|----|----|-------------|----|----|
 U   | C/R | X  | X  | 1 | 1 | 1 | 1 | 1 | 1 | P/F | M1  | M2 | M3 | M4 | M5 | X  (16 bits)
     |-----|----|----|---|---|---|---|---|---|-----|-----|----|----|-------------|----|----|
 S   |  X  | X  | X  | 0 | 1 | 1 | 1 | 1 | 1 | P/F | C/R | S1 | S2 |    N(R)     | X  | UP |
     |-----|----|----|---|---|---|---|---|---|-----|-----|----|----|-------------|----|----|
 I+S |                  N(S)                 | P/F | C/R | S1 | S2 |    N(R)     | S  | UP |
     |---------------------------------------|-----|-----|----|----|-------------|----|----|

The C/R (Command/Response) bit shows whether the frame is a command or a response frame. It can have only one of two values:

 1  Command
 0  Response

The P/F (Poll/Final) bit shows a special instance of the command/response exchange. The X bits don't really matter.

In the Unnumbered (U) frames the M1 M2 M3 M4 M5 bits can have any of the following values, depending on the type of information carried:

 SABM   11100
 UA     00110
 DISC   00010
 DM     11000
 NULL   11110
 UI     00000
 XID    11101
 TEST   00111
 REMAP  10001

SABM == Set Asynchronous Balanced Mode
SABM is used to initiate a link for numbered information transfer or to reset a link already established.

UA == Unnumbered Acknowledge
UA is issued as a response to acknowledge a SABM or DISC command.

DISC == Disconnect
DISC is used to terminate a previously established information transfer link. (duh!)

DM == Disconnected Mode
The DM encoding is used as a response message.

NULL == NULL

UI == Unnumbered Information
UI says that the information field is to be interpreted as unnumbered information.

XID == Exchange Identification
XID signifies that the information field should be interpreted as exchange identification, and is used to negotiate and/or renegotiate parameters of RLP and Layer 2 relay functions.

TEST == TEST
This shows that the information field of the frame is test information.

REMAP == REMAP
This signifies that a remap exchange takes place in ABM following a change of channel coding.
If an answer is not received within a specified time then the module end enters ADM.

In the S and I+S frames the following are present:

N(S) == Send Sequence Number
N(S) contains the number of the I frame.

N(R) == Receive Sequence Number
N(R) is used in ABM to designate the next information frame to be sent and to confirm that all frames up to and including this one have been correctly received.

S == L2R Status Bit

The S1 and S2 bits can have the following significance in the S and I+S frames:

 RR    00
 REJ   01
 RNR   10
 SREJ  11

RR == Receive Ready
RR can be used as a command OR a response. It clears any previous busy condition in that area.

REJ == Reject
REJ is used to show that in numbered information transfer, 1 or more out-of-sequence frames have been received.

RNR == Receive Not Ready
RNR shows that the entity isn't ready to receive numbered information frames.

SREJ == Selective Reject
SREJ is used to request retransmission of a single frame.

UP is used in version 2 to indicate that a service level upgrade will increase the throughput.

[- {GTP} -]

The GPRS Tunnelling Protocol (GTP) is the protocol between GPRS Support Nodes (GSNs) which allows multiprotocol packets to be tunnelled through the GPRS backbone network. These packets carry one of two substantial pieces of information: either the user's IP or X.25 packets. Below GTP, the standard protocols (TCP or UDP) are employed to transport the GTP packets within the GPRS backbone network. X.25 expects a reliable data link, which is why TCP is used for its data transfer. UDP is simply used for special access to IP-based packet data networks, which don't necessarily expect reliability in the network layer. IP is employed in the network layer to route packets through the GPRS backbone. Please note: Ethernet, ISDN, or ATM-based protocols may be used below IP for GTP packeting.

Let's summarize, shall we?
In the GPRS backbone we have an IP/X.25-over-GTP-over-UDP/TCP-over-IP transport architecture.

Subnetwork Dependent Convergence Protocol
--
The Subnetwork Dependent Convergence Protocol (SNDCP) is used to transfer data packets between the Serving GPRS Support Node (SGSN) and the Mobile Station (MS). Its functionality includes:

* Compression and decompression of user data and redundant header information.
* Multiplexing of several connections of the network layer onto one virtual connection in the underlying Logical Link Control (LLC) layer.

(Definition; Logical Link Control (LLC): a data link layer protocol for GPRS. This layer assures the reliable transfer of user data across a wireless network.)

- In the signaling plane, GTP specifies a tunnel control and management protocol which allows the SGSN to provide GPRS network access for an MS.
- Signaling is used to create, modify and delete tunnels. In the transmission plane, GTP uses a tunneling mechanism to provide a service for carrying user data packets. The choice of path depends on whether the user data to be tunneled requires a reliable link or not.
- The GTP protocol is implemented only by SGSNs and GGSNs. No other systems need to be aware of GTP's presence. GPRS MSs are connected to an SGSN without being aware of GTP. It is assumed that there will be a "many-to-many" relationship between SGSNs and GGSNs.
- An SGSN may provide service to many GGSNs. A single GGSN may associate with many SGSNs to deliver traffic to a large number of geographically diverse mobile stations.

GTP header structure
--
The GTP header is a fixed-format 16-octet header used for all GTP messages. Below is a simple diagram of the GTP header structure; hopefully this will give you a general idea of the relevancy of GTP headers.
    8    7    6    5    4    3    2    1
  |--------------|-------------------|----|
  |   Version    |      Reserved     | LFN|
  |---------------------------------------|
  |             Message type              |
  |---------------------------------------|
  |                Length                 |
  |---------------------------------------|
  |            Sequence Number            |
  |---------------------------------------|
  |              Flow Label               |
  |---------------------------------------|
  |           LLC Frame Number            |
  |---------------------------------------|
  | x  | x  | x  | x  | x  | x  | x  | FN |
  |---------------------------------------|
  |               Reserved                |
  |---------------------------------------|
  |                  TID                  |
  |---------------------------------------|
           GTP header structure

GTP Header Structure; Definitions
---------------------------------
- Version: Set to 0 to indicate the first version of GTP.
- Reserved: Reserved bits for future use, set to 1.
- LFN: Flag indicating whether the LLC frame number is included or not.
- Message Type: Type of GTP message.
- Length: Indicates the length in octets of the GTP message (G-PDU).
- Sequence number: Transaction identity for signaling messages and an increasing sequence number for tunneled T-PDUs.
- Flow label: Identifies unambiguously a GTP flow.
- LLC frame number: Used at the Inter SGSN Routing Update procedure to coordinate the data transmission on the link layer between the MS and the SGSN.
- x: Spare bits. x indicates unused bits which are set to 0 by the sending side and are ignored by the receiving side.
- FN: Continuation of the LLC frame number.
- TID: Tunnel identifier that points out Mobility Management and PDP contexts. The format of the TID is as follows:

  |     5 - 8      |     4 - 1      |
  |----------------|----------------|
  |  MCC digit 2   |  MCC digit 1   |
  |  MNC digit 1   |  MCC digit 3   |
  |  MSIN digit 1  |  MNC digit 2   |
  |  MSIN digit 3  |  MSIN digit 2  |
  |  MSIN digit 5  |  MSIN digit 4  |
  |  MSIN digit 7  |  MSIN digit 6  |
  |  MSIN digit 9  |  MSIN digit 8  |
  |  NSAPI         |  MSIN digit 10 |
  |----------------|----------------|
            TID Format

MCC, MNC, MSIN digits: Parts of the IMSI (defined in GSM 04.08).
NSAPI: Network service access point identifier.

[- {GMM} -]

What is GMM? GMM, or GPRS Mobility Management, is a very complex, versatile protocol that operates within the signaling plane of GPRS, handling such things as roaming, authentication, and selection of encryption algorithms. The main function of the GMM sub-layer is to support the mobility of user terminals, such as informing the network of its present location and providing user identity confidentiality.
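Returning to the GTP TID format above, here is an added example (not code from the article) that packs and unpacks the 8-octet TID exactly as that table lays it out: IMSI digits as BCD, two per octet with the first of each pair in bits 4-1, and the NSAPI in the high nibble of the last octet next to MSIN digit 10. The IMSI and NSAPI values are constructed for illustration; the layout carries exactly three MCC digits, two MNC digits and ten MSIN digits, so that is what the encoder accepts.

```python
from dataclasses import dataclass

TID_LEN = 8  # octets, per the TID table in the article


@dataclass(frozen=True)
class Tid:
    mcc: str    # 3 IMSI digits
    mnc: str    # 2 IMSI digits (this TID layout has room for exactly two)
    msin: str   # 10 IMSI digits
    nsapi: int  # 0..15, high nibble of octet 8


def encode_tid(tid: Tid) -> bytes:
    """Pack a Tid into the 8-octet GTP TID field.

    The 15 IMSI digits are written in order, two per octet: the first digit of
    each pair in bits 4-1 (low nibble), the second in bits 8-5 (high nibble).
    Octet 8 holds MSIN digit 10 in its low nibble and the NSAPI in its high nibble.
    """
    digits = tid.mcc + tid.mnc + tid.msin
    if len(tid.mcc) != 3 or len(tid.mnc) != 2 or len(tid.msin) != 10:
        raise ValueError("TID needs 3 MCC, 2 MNC and 10 MSIN digits")
    if not digits.isdigit():
        raise ValueError("IMSI fields must be decimal digits")
    if not 0 <= tid.nsapi <= 15:
        raise ValueError("NSAPI must fit in 4 bits")
    out = bytearray()
    for i in range(0, 14, 2):
        low, high = int(digits[i]), int(digits[i + 1])
        out.append((high << 4) | low)
    out.append((tid.nsapi << 4) | int(digits[14]))
    return bytes(out)


def decode_tid(octets: bytes) -> Tid:
    """Unpack an 8-octet GTP TID field into its IMSI parts and NSAPI.

    Each nibble must be a decimal digit; anything else means the field is not
    a TID in this format (or has been corrupted), so it is rejected.
    """
    if len(octets) != TID_LEN:
        raise ValueError(f"TID must be {TID_LEN} octets, got {len(octets)}")
    nibbles = []
    for b in octets[:7]:
        nibbles.extend((b & 0x0F, b >> 4))      # low nibble first, then high
    nibbles.append(octets[7] & 0x0F)             # MSIN digit 10
    nsapi = octets[7] >> 4
    if any(n > 9 for n in nibbles):
        raise ValueError("non-decimal digit in IMSI part of TID")
    digits = "".join(str(n) for n in nibbles)
    return Tid(mcc=digits[0:3], mnc=digits[3:5], msin=digits[5:15], nsapi=nsapi)


# Constructed sample: MCC 302 (Canada), a two-digit MNC and a made-up MSIN.
SAMPLE_TID = Tid(mcc="302", mnc="72", msin="0123456789", nsapi=5)


def demo() -> str:
    packed = encode_tid(SAMPLE_TID)
    assert decode_tid(packed) == SAMPLE_TID   # round trip must be lossless
    return packed.hex()


if __name__ == "__main__":
    print(demo())
```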
GMM header format:

    8   7   6   5   4   3   2   1      Octet
  |---------------|---------------|
  | Skip indicator| Protocol disc.|      1
  |-------------------------------|
  |         Message type          |      2
  |-------------------------------|
  |     Information elements      |     3-n
  |-------------------------------|

GMM header structure; Definitions
---------------------------------
Protocol discriminator - 1000 identifies the GMM protocol.

Skip indicator - The value of this field is 0000.

Message type - Defines the function and format of each GMM message. The message type is mandatory for all messages. Bit 8 is reserved for possible future use as an extension bit. Bit 7 is reserved for the send sequence number in messages sent from the mobile station.

GMM message type bit patterns:

 0 0 0 0 0 0 0 1   Attach request
 0 0 0 0 0 0 1 0   Attach accept
 0 0 0 0 0 0 1 1   Attach complete
 0 0 0 0 0 1 0 0   Attach reject
 0 0 0 0 0 1 0 1   Detach request
 0 0 0 0 0 1 1 0   Detach accept
 0 0 0 0 1 0 0 0   Routing area update request
 0 0 0 0 1 0 0 1   Routing area update accept
 0 0 0 0 1 0 1 0   Routing area update complete
 0 0 0 0 1 0 1 1   Routing area update reject
 0 0 0 1 0 0 0 0   P-TMSI reallocation command
 0 0 0 1 0 0 0 1   P-TMSI reallocation complete
 0 0 0 1 0 0 1 0   Authentication and ciphering req
 0 0 0 1 0 0 1 1   Authentication and ciphering resp
 0 0 0 1 0 1 0 0   Authentication and ciphering rej
 0 0 0 1 0 1 0 1   Identity request
 0 0 0 1 0 1 1 0   Identity response
 0 0 1 0 0 0 0 0   GMM status
 0 0 1 0 0 0 0 1   GMM information

---

Conclusion;

PsychoSpy and I wrote this document as a guide for anyone desiring to learn more about the future of GSM wireless. Within the next couple of years, I guarantee you'll be seeing a vast number of GSM-type phones in Canada (FIDO provider) offering the high-speed GSM add-on technology known as GPRS. So when GPRS is released by 2002, you won't be left out in the cold wondering "now how the hell did they do that?" because you will have read this document!
What to look for in the future in regards to our R&D:
- A look at GPRS administration, configuration and security analysis
- CDMA protocols; CC, MM, BSSMAP, DTAP (GSM-L3), RR, BTSM, BSSAP
- SS7 protocols; MTP2/MTP3, SCCP (v2.0), TCAP, ISUP, TUP, DUP

----

Contact Information;

PsychoSpy -- E-mail: PsychoSpy@softhome.net
The Clone -- E-mail: theclone@hackcanada.com
URL: http://www.nettwerked.net

~-= An N&N Production =-~

___

Tuesday August 23rd - Miklos' Adventure at Graybar
--------------------------------------------------------

School's coming around shortly, and I haven't had much luck finding drains in my dismal city. However, I have kept my eye on a construction site, for the new home of a very successful electric wholesaler, Graybar. A couple months pass and I see that construction is coming together with some interesting things for me to check out.

It is now 21:00 on August 23rd, and I pump myself up to travel solo and explore the building. I have no car, so I pack up my backpack and begin walking to the building. When I arrived, I quickly made my way to a pile of girders. I hid behind the girders until traffic eased up, so no one could see me enter the building. The building is centrally located around residential, light industrial, and a lighted baseball field 500 meters away from this building.

A few minutes pass, and I quietly slip into the building. In front of me are hundreds of girders, wall panels, and blocks of concrete. The building has 2 floors, the ground level and an upstairs. The ground level so far is split into 2 sections. The section I entered was the offices and such. The other section is a huge space to load trucks and hold inventory. I crawled along against the wall of the office part of the building (to avoid being spotted by traffic) and entered the larger section of the building. Whoa. There wasn't even a concrete floor yet, just a huge 4-walled, gravel-floored building. As I started going through this room, I saw a light. "Shit!"
I backed up against the wall, quickly turned off the Maglite, and waited for the light to go away. Then I heard an engine noise and some guy yelling. I was unsure at the moment what to do, so I waited for the guy(s?) to leave. After 15 minutes of some more yelling, the car finally left, and so did I, back to the office section of the ground level.

I searched around the office section of the building, not finding much, and made my way towards the stairs. Again, I lay low against a wall until the traffic lightened up so I could go up the stairs unnoticed by motorists. The second level hasn't been done yet, but I could still move around up there. I walked mostly along planks to get a look at the rest of the building. The upstairs didn't offer much for me, except a nice view of the entire building from above. I looked around for ladders, or anything else to get me higher.. Success! I found a 30-foot ladder that would take me to the roof! I quickly scaled the ladder and got up on the roof. It was a nice sight. I walked around up on the roof and tried to take a picture of the city. Unfortunately, the picture turned out bad, as did most of the pictures that night. Anyhow, I had a nice, cool breeze against my face up on the roof, and decided to chill out and watch the night scenery for a bit.

Afterwards, I went back down the ladder, down the stairs to the ground level and left the building. At this point in time, I didn't even care if anyone saw me on the site, 'cause I was leaving. I put the camera, my Maglite, and stretchy gloves into my backpack, and started my journey back home. I pulled out my music and strolled home to witness a beautiful lightning storm, and get a bit wet from the rain.

So concludes my adventure at Graybar. For a pictorial version of this, check out: http://www.haxordogs.net/ghu/ue/ex/graybar.htm . See you in the next installment of Urban Exploration.
Miklos@SunOS.com
http://www.haxordogs.net/ghu

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Credits:

I would like to give credit to the following people for helping with this issue of K-1ine - if it wasn't for you guys I don't think this issue would have been released...

Dead Musicians Society (D.M.S.), Flopik, Jay Beale, Kira Brown, Kybo_Ren, Miklos, and lastly to PsychoSpy

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Thank you guys, seriously. I'm very happy to see all the contributions. Remember: articles are ALWAYS welcome. If you have something you'd like to see in this zine, feel free to send me an e-mail. Even if you're worried that the article is "lame" or "isn't technical" or something like that, send it anyways. Remember: everyone has something to offer to the scene. Show your support.

--

Shouts:

Cyb0rg/asm - I REALLY appreciate your full support by linking the last three issues from Hack Canada... thanks for getting the w0rd across about K-1ine.

Hack Canada (www.hackcanada.com), #CPU, k-rad-bob @ b0g (www.b0g.org), Magma, Alan, Ottawa 2600, RT, Enjoy`, Seuss, Blackened @ Damage Inc., and lastly to everyone and anyone who gives a shit about the Canadian H/P scene.

-=- A N E T T W E R K E D P R O D U C T -=-

it doesn't matter it doesn't matter... *UH!*