|
***BEGINNERS FREEFONE PHREAKING IN THE UK (1998)*** *************************************************** - by uV & Senor Cardini - DISCLAIMER (All the information in this file is for educational purposes only. No-one involved in the compilation of this file would suggest using it for any purposes leagal/illegal whatsoever. In fact it might all be complete bollocks for all we know etc) !! Loadsa phun to be had on freephone numbers !! Freefone phreaking is calling freephone (0500/0800) numbers and using the interesting systems that are often on the other end. This often means accessing company's phone system to obtain free calls or services. I will cover the three main areas:- VMB Hacking, Dial-Outs and Conference System abuse. There are countless other systems on 0800's that are not covered here. **Scanning** You need to scan a lot of 0800/0500 numbers to find useful numbers. You can't use a scanning program like Toneloc here as you are not looking for a modem carrier signal. This means dialling hundreds of numbers by hand. Apparently BT are able to detect mass 0800 scanning done from your home phone but I know lots of people who have called 1000's and never heard a peep. Still a phone box is better if you're paranoid. You may reach foreign systems on UK 0800 numbers. The 0800 89XXXX range is full of these as is the 0800 9XXXX range. These are also referred to as Country Direct numbers (check out the back of you BT Book). These are cool as you may get access to systems in that country. USA numbers a great because the US has loads more conferences, loops and PBX's than we do and lots of these are on the WWW. Companies are getting wise to abuse of their systems. Certain numbers are always getting hacked and are now completely blocked. It might be worth avoiding the 0800 89xxxx range for this reason 0500 numbers don't get anywhere near as much attention...:-) So choose the range of numbers you are going to scan and get going. Make a note of what you find and what time you dialled. It is best to dial out of hours for whatever country the line terminates in. Otherwise a lot of numbers will be picked up by a human. You are looking for dial-tones, other tones and automated attendants, mail-boxes etc. Getting in: Let's say you have the number of an American company on a 0800 89XXXX. This might answer as "Welcome to ABC company voice-mail system, if you know the number of the person you want to reach dial it now. If you have a mail-box on the system press 9. If you want to reach assistance dial 0 or stay on the line`. Listen to the whole message - there may be other options. If you get no options try the * or # keys or combinations of these with numbers like 1,8 or 9. This may throw you into the voice mail. You may have to leave a message and then try to break out. Get a range: Try dialling some extensions and get an idea of the range of numbers accepted. You are starting to map the system. Some extensions (often at the end of the allowable range or a one off number like 2000, 4444 etc.) will have an out-dial on it. **The Systems** *VMB's This is accessing voice-mail systems and using the features to your own ends. You can set up your own free voice-mail box or listen to confidential messages etc. This is obviously boring after the first few times. The real interest comes when there is an out-dial, conference box or whatever on the system that is only accessible by valid mailbox owners. This centres around the fact that most VMB passwords are either the same as the box number (Box=3300, PW=3300), a crappy default (1234), easy to remember/guess (1111, 1234 etc.) or similar (box number+0). When you enter the voice-mail system it will often tell you what make it is Meridian, Octel, Norstar or whatever. This obviously helps a lot, although particularly sad individuals will come to recognise them by the prompts anyway. You really need to try all these numbers and map out systems for yourself to get a good idea of what's out there. There are loads of texts specific VMB brands. I reckon Meridian are the easiest to hack (pass-code is the box number as default and they have an excellent help facility - press the * key). I will only touch on Meridian systems to give you an idea of how they work. A lot of the points are relevant to other systems. Meridian Voice-mail:- I suggest you read Coldfire's text on Meridians. I won't go into details as he does it well and I don't want to quote it word for word. I will therefore cover the practical hacking aspects I will assume you will go get that text! Ok here are a few of the more essential ones *8 is mailbox commands *7 is message commands *81 is login 011 is name-directory 011# is dial any number/extension - depends on whether you're logged in/masks etc(see below) *80 is mailbox features - options here to allow to to change the number that is dialled when 0 is pressed (normally the opertator) - has some potential... Lets say you called a company, pressed * and got "Hello, you have reached the voice-mail system. If you have a mailbox on the system press pound(#), or if you wish to reach someone and know the 4 digit extension please dial it now" If you press # you get "Meridian Mail. Mailbox?" - this is expecting a 4 digit code+# and a 4 digit-pass-code+#. Unfortunately you have no idea of the allowable codes. They could be random or more likely within a certain range. 3000 is normally a good shot BUT seeing as the login sequence will only let you know whether you have got BOTH codes correct you'll have a hard time hacking it. Go back to the original prompt and try some extension numbers until you get one or two that work. Seeing as the box numbers are always the same as the extension numbers so now you know some valid box numbers or better still the range of valid box numbers. Ideally you want unused boxes in their default state. These unused extension/boxes don't have a "Hi leave a message for John Smith here" on them. Depending where you are in the system. Dialling 011 will put you through to a directory system where you can dial in a name using the number/letter combinations on you telephone keypad. Try SMITH or JONES, you should get a few numbers this way. Once you have valid boxes you need the pass-codes, so go to the login (*81) and try the default pass-code, i.e. the box number itself. Empty boxes are more likely to work in this way, failing that try some 1234, 1111 sequences (good for thick giggly admin department boxes :)). You should be able to get at least one box this way. You will have noticed that 3 unsuccessful pass-code tries will throw you out. With one valid box you can get around this. Try 2 boxes then log into your valid box, now try two more and so on until you get more boxes. As long as you enter one valid code combination in 3 you are fine. This is the sort of feature that most systems have and makes hacking them much easier. To see if you have an out-dial here enter 09+number to dial+# if it dials you have got one (remember to work out what country your system is in first though). Which brings us on to.... *Out-dials This is basically dialling into a company's phone system (PBX), gaining access and dialling out. The net result is that you only pay for the call to the company. If this is an 0800 number then you don't pay anything. There are two ways you might come across out-dials. 1. Straight-forward PBX extenders Background:- A company wants it's sales staff to be able to call internationally from home for free so they set up an 0800 PBX extender. This allows the person to dial free to the company number and then out to the desired destination (on the company bill). They work mostly like this: you dial a certain number and get another dialling-tone, another sort of tone or even a voice-prompt ("enter your 4 digit ID" etc.). An incorrect tone will often give a two-tone alarm signal (don't worry it is just an audible prompt). Once you enter the correct code (normally plus a #) you may get another dial-tone which you can use as if dialling from you own phone. You may have to enter 9 or 0 or similar to get a line. You may need to add a # to the end of the number. Hacking them:- These are only easy to hack if the code is something stupid like 1111, 2222, 1234 etc., +# which it often is. The first thing you need to know is the length of the code. You may be able to get this by entering in the numbers very slowly and listening. After the correct number of digits there may be the alarm tone or a soft click. If not you have to assume it is 4 or less. If it is not you are going to have a hell of a job cracking it anyway! Try the common defaults as described and any other easy-to-remember numbers. You may notice that it bleeps you out after only 2 numbers when say entering 12 but after 4 numbers when trying 4567. This may be a clue to the start of the sequence. If you have a group of bored, nerdy friends (you may be a student for example.;-)) you can split up the 9999 possible combinations between you. This should only take 10 of you a couple of hours. The speed of these things is often dependant on how many tries a system lets you have before throwing you out. Another way is to use a PBX Hacker program which I won't go into except to say that they come with their own documentation, they don't often work unless you know the exact format of the switch (PBX) and can't be used from phone boxes (can you explain 9999 calls to the same number?!) 2. "Hidden" PBX's. Background:- Most larger companies have their own PBX systems with 0800 access numbers. Some of them will intentionally want people to be able to dial though them, others just don't know it can be done or have configured them incorrectly. Their out-dial may be on a certain extension or hidden behind a VMB (See the VMB section on Meridians) Hacking them:- This can be as easy as ringing the sales line 0800 of some company, asking for another dept, say accounts, asking to be put though to the operator and saying "Hi I'm Dave from accounts, I can't seem to get an outside line. Could you dial this number for me?" - this may or may not work!. There are a number of ways depending on the make of the system and the way it is configured. I can't give you a sure-fire way on all systems. You may just be able to dial 9+the- number-you-want+# or 09+.... Etc. You may have to try every extension until you get a tone. You may have to hack the systems admin. box first to change some options. You may have to hack a certain box. Meridian systems often allow 09+number+# but only after you have logged in successfully to a mail-box. There may be calling masks set up by the administrator which restrict outgoing calls to nil or a limited range (e.g. local calls or free-fone calls only). So (on most Meridians for example) having a valid box/code is not always enough. However, you may be able to fool the mask on a UK system by entering 141 in front of the number you want as the system is often checking for zeros. Keep trying different 0800 numbers until you find systems that you can hack. ANY fool can hack a Meridian. You will find some with out-dials once you have, you have got your phree calls without any fancy kit. *What is the real number?** Although you may be dialling an 0800 number you can be sure that there is a normal number like 01454 654312 or whatever linked to it. If you dial 17070 (in BT areas) from your out-dial it will tell you what number you are really at. If this doesn't work dial your own number and do a 1471 job on it. This means that if you want to pretend to be someone else or specifically to pretend to be from that company you can! All but a really determined trace will do is show up the wrong number. *Linking them up* Linking up your out-dials will extend their usefulness. If you have an 0800 out-dial that terminates in the USA thus allowing dialling to US numbers you can use it to dial 1-800 numbers which are the yank equivalent of our 0800 numbers. Americans are way ahead in the use of mail/switching systems and there are out-dials, conferences etc. abound. *Keeping hold of them* Using out-dials is obviously illegal. Not only are you gaining unauthorised access to a system (i.e. hacking) but you are stealing call credit from the company. BT and the company have a vested interest in stopping you or catching you. Here are some guidelines: I. The first rule is do not give the numbers/codes out to anyone else. As soon as you do you can be sure that they will too and so on, and so on. At least one of these people will be a twat, use it to call Mexican sex-lines for 4 hours at 2am on a Sunday. It will either get closed down or they will set up a trace. II. Use them wisely. As with all crime, you should be fine unless you get noticed. So if you call numbers that are likely to be called from that company, are of a normal length, during normal times etc. you are unlikely to raise any eyebrows. III. Linking out-dials up makes tracing your call much harder, especially if you cross international boundaries. This will often throw the phone companies systems and can make prosecution harder. The most likely way of tracing calls is going to be from the point which you 1st call in at. Seeing as you are only making freefone calls from that point it will not be showing up in any bills. They are not losing and are not monitoring. Should the second company notice they will trace it back to the first company. Do this through 3 or 4 and things start looking good for you! IV. Try not to use them from home V. Don't stay on for long. Using one out-dial to acess the Intenet for hours at a time is one way of getting noticed. VI. Be paranoid. No matter how careful you are being, there may be others using the same out-dial recklessly. You could get caught in the same net. It is a good idea to tell you call recipient to have a cover story ready in case they are called to see who called them at a certain time. "Oh yeah, I have been getting odd calls, some time they just don't speak to I just leave the receiver off the hook and come back to it in an hour" or "Fuck off you running-dog capitalist pig I don't have to tell you anything". **Conferences** For spending hours talking to your geeky phrekin' mates you really need to start accessing conference systems. These are basically systems which join multiple lines together so all parties can speak to each other real-time. Those shite Partyline things are basically fucking expensive conferences (although now they are not allowed to even be real-time!). There are two general ways of accessing conferences. 1. Social Engineering/Carding This is a piece of piss. Ring up your directory enquiries or look on the Internet for teleconferencing numbers. A good way of accessing these things is to call the USA through one of your US-terminating out-dials. This allows you access to the many US based conferencing companies as well as hiding your phone number. You need some information before you call. Get some US names and addresses - check out the Internet. People often put such info. at the bottom of their newsgroup postings. The name, address, zip code and telephone number must match. Basically just ing them up and ask to set up a conference. The conversation will go something like this:- TC "Hello thank you for choosing XYX Teleconferencing Ltd, how may I help you?" You "Hi I would like to set up a conference please" TC "Sure when would you like it for?" You "in about 15 minutes" TC "How long for and for how many people sir?" You "4 hours and for twenty people please" TC "What is your company name, your name and address please" You "3M corporation, John Mackenzie, 1020 Slow St, Happy Valley. Minesota Zip code 12232" TC "Was that Mackintosh" - (how!?) You "No that MACKENZIE" TC "Sorry about that" You "No problem, it's a bad line" - probably because you're calling through 16 extenders! TC "And what's the billing number" You "that's 1-513-2344-3434" TC "Fine that has been set up - please dial 1-800-854-8554 to access your conference. The conference number will be 54334. What would you like for your pass-code?" You "Err 8232 please. Oh by the way, I have some people accessing the conference from the UK. What number do they need to dial?" TC "That will be 0800-756-3333" You "Thanks" Now you and your mates can call the relevant access numbers and enter the codes and get chatting. This works virtually every time with most of these companies - think about it, how the fuck are they supposed to find out who is vaild or not from that info. You can even get cheeky and use someone's account. Try calling AT&T teleconferencing and saying you are John Doe from some big company" Try anything you like. Remember they really don't know who you are. Some companies allow billing to a credit card. You can generate these pretty easily using CreditMaster and use them. This however does tend to carry a heavy penalty and also fucks over some poor unsuspecting member of the public (if that bothers you) Anyway there's no need. 2. Company Conferencing Systems Companies having realised how handy but expensive teleconferencing is have set up their own conference boxes. The most common one in the USA is Meeting Place. You will find these on the end of 0800 numbers or on extensions of Octel VM systems systems (try spelling MEETING into the directory to find the extension or just get scanning). They welcome you with "Welcome to Meeting Place. To attend a meeting press 1. To access your profile press 2 etc" What you need is a valid profile number. These a 3-17 digits but generally are between 4 and 6. You just have to keep trying until you find one. (There are default profiles on 0001, 0002 and 0003) The pass-code may be something like 123456. Once you are on these you can set up conferences when ever you like for loads of people. You can lock the session, form splinter sessions and boot people out like IRC. You don't need to know too much more as they are voice-prompt city. However there are some important features which stop you from getting noticed - the exact layout of Meeting place is in another text file, cryptically entitled "Phreaking Conferences with Meeting Place". See ya uV and Senor Cardini ************************************************** Shouts to Darkcyde Communications + Hybrid + Public Nuisance + Nitrous Oxide