The Magic of NetBIOS

3:42 AM

The Magic of NetBIOS

In this guide you will learn how to explore the Internet using Windows XP and NetBIOS:

· How to Install NetBIOS

· How to Use Nbtstat

· The Net View Command

· What to Do Once You Are Connected

· How to Break in Using the XP GUI

· More on the Net Commands

· How Crackers Break in as Administrator

· How to Scan for Computers that Use NetBIOS

· How to Play NetBIOS Wargames

· An Evil Genius Tip for Win NT Server Users

· Help for Windows 95, 98, SE and ME Users

Not many computers are reachable over the Internet using NetBIOS commands - maybe only a few million. But what the heck, a few million is enough to keep a hacker from getting bored. And if you know what to look for, you will discover that there are a lot of very busy hackers and Internet worms searching for computers they can break into by using NetBIOS commands. By learning the dangers of NetBIOS, you can get an appreciation for why it is a really, truly BAD!!! idea to use it.

*****************
Newbie note: a worm is a program that reproduces itself. For example, Code Red automatically searched over the Internet for vulnerable Windows computers and broke into them. So if you see an attempt to break into your computer, it may be either a human or a worm.
*****************

If you run an intrusion detection system (IDS) on your computer, you are certain to get a lot of alerts of NetBIOS attacks. Here's an example:

The firewall has blocked Internet access to your computer (NetBIOS Session) from 10.0.0.2 (TCP Port 1032) [TCP Flags: S].

Occurred: 2 times between 10/29/2002 7:38:20 AM and 10/29/2002 7:46:18 AM

A Windows NT server on my home network, which has addresses that all start with 10.0.0, caused these alerts. In this case the server was just doing its innocent thing, looking for other Windows computers on my LAN (local area network) that might need to network with it. Every now and then, however, an attacker might pretend to have an address from your internal network even though it is attacking from outside.

If a computer from out on the Internet tries to open a NetBIOS session with one of mine, I'll be mighty suspicious. Here's one example of what an outside attack may look like:

The firewall has blocked Internet access to your computer (NetBIOS Name) from 999.209.116.123 (UDP Port 1028).

Time: 10/30/2002 11:10:02 AM
(The attacker's IP address has been altered to protect the innocent or the guilty, as the case may be.)

Want to see how intensely crackers and worms are scanning the Internet for potential NetBIOS targets? A really great and free IDS for Windows that is also a firewall is Zone Alarm. You can download it for free from http://www.zonelabs.com . You can set it to pop up a warning on your screen whenever someone or some worm attacks your computer. You will almost certainly get a NetBIOS attack the first day you use your IDS.

Do you need to worry when a NetBIOS attack hits? Only if you have enabled NetBIOS and Shares on your computer. Unfortunately, in order to explore other computers using NetBIOS, you increase the danger to your own computer from attack by NetBIOS. But, hey, to paraphrase a famous carpenter from Galilee, he who lives by the NetBIOS gets hacked by the NetBIOS.

********************
Newbie note: NetBEUI (NetBIOS Extended User Interface) is an out-of-date, crummy, not terribly secure way for Windows computers to communicate with each other in a peer-to-peer mode. NetBIOS stands for network basic input/output system.

Newbie note: Shares are when you make it so other computers can access files and directories on your computer. If you set up your computer to use NetBIOS, in Win XP using the NTFS (new technology file system) you can share files and directories by bringing up My Computer. Click on a directory - which in XP is called a "folder". In the left-hand column a task will appear called "Share this folder". By clicking this you can set who can access this folder, how many people at a time can access it, and what they can do with the folder.
********************

There are a number of network exploration commands that only NetBIOS uses. We will show how to use nbtstat and several versions of the net command.

How to Install NetBIOS

You might have to make changes on your system in order to use these commands. Here's how to enable NetBIOS for Windows XP. (If you are stuck with Windows 95, 98, SE or ME, see the end of this Guide for how to enable NetBIOS.) Click:

Control Panel -> Network Connections

There are two types of network connections that may appear here: "Dial-up" and "LAN or High-Speed Internet".

**************
Newbie note: A dial-up connection uses a modem to reach the Internet. LAN stands for local area network. It's what you have if two or more computers are linked to each other with a cable instead of modems. Most schools and businesses have LANs, as well as homes with Internet connection sharing. A DSL or cable modem connection will also typically show up as a LAN connection.
**************

To configure your connections for hacking, double click on the connection you plan to use. That brings up a box that has a button labeled "Properties". Clicking it brings up a box that says "This connection uses the following items:"

You need to have both TCP/IP and NWLink NetBIOS showing. If NWLink NetBIOS is missing, here's how to add it. Click Install -> Protocol -> Add NWlink/IPX/SPX/NetBIOS Compatible Transport Protocol.

**************
Newbie note: NWLink refers to Novell's Netware protocol for running a LAN.
**************

How to Use Nbtstat

To get started, bring up the cmd.exe command. Click Start -> Run and type cmd.exe in the command line box. This brings up a black screen with white letters. Once it is up, we will play with the nbtstat command. To get help for this command, just type:

C:\>nbtstat help

One way to use the nbtstat command is to try to get information from another computer using either its domain name (for example test.target.com), its numerical Internet address (for example, happyhacker.org's numerical address is 206.61.52.30), or its NetBIOS name (if you are on the same LAN).

C:\>nbtstat -a 10.0.0.2

Local Area Connection:
Node IpAddress: [10.0.0.1] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
---------------------------------------------
OLDGUY <00> UNIQUE Registered
OLDGUY <20> UNIQUE Registered
WARGAME <00> GROUP Registered
INet~Services <1c> GROUP Registered
IS~OLDGUY......<00> UNIQUE Registered
OLDGUY <03> UNIQUE Registered
WARGAME <1e> GROUP Registered
ADMINISTRATOR <03> UNIQUE Registered

MAC Address = 52-54-00-E4-6F-40

What do these things tell us about this computer? Following is a table explaining the codes you may see with an nbtstat command (taken from the MH Desk Reference, written by the Rhino9 team).

Name Number Type Usage =========================================================
00 U Workstation Service
01 U Messenger Service
<\\_MSBROWSE_> 01 G Master Browser
03 U Messenger Service
06 U RAS Server Service
1F U NetDDE Service
20 U File Server Service
21 U RAS Client Service
22 U Exchange Interchange
23 U Exchange Store
24 U Exchange Directory
30 U Modem Sharing Server Service
31 U Modem Sharing Client Service
43 U SMS Client Remote Control
44 U SMS Admin Remote Control Tool
45 U SMS Client Remote Chat
46 U SMS Client Remote Transfer
4C U DEC Pathworks TCPIP Service
52 U DEC Pathworks TCPIP Service
87 U Exchange MTA
6A U Exchange IMC
BE U Network Monitor Agent
BF U Network Monitor Apps
03 U Messenger Service
00 G Domain Name
1B U Domain Master Browser
1C G Domain Controllers
1D U Master Browser
1E G Browser Service Elections
1C G Internet Information Server
00 U Internet Information Server

To keep this Guide from being ridiculously long, we'll just explain a few of the things what we learned when we ran nbtstat -a against 10.0.0.2:

* it uses NetBIOS
* its NetBIOS name is Oldguy
* one of the users is named Administrator
* it runs a web site with Internet Information Server, and maybe an ftp - file transfer protocol -- server
* it is a member of the domain Wargame
* it is connected on a local area network and we accessed it through an Ethernet network interface card (NIC) with a MAC Address of 52-54-00-E4-6F-40.

When using nbtstat over the Internet, in most cases it will not find the correct MAC address. However, sometimes you get lucky. That is part of the thrill of legal hacker exploration. OK, OK, maybe getting a thrill out of a MAC address means I'm some kind of a freak. But if you are reading this, you probably are freaky enough to be a hacker, too.

**************
Newbie note: MAC stands for media access control. In theory every NIC ever made has a unique MAC address, one that no other NIC has. In practice, however, some manufacturers make NICs that allow you to change the MAC address.
**************

**************
Evil Genius tip: sneak your computer onto a LAN and use it to find the MAC address of a very interesting computer. Crash it, then give yours the same MAC, NetBIOS name and Internet address as the very interesting computer. Then see what you can do while faking being that computer. That's why I get a charge out of discovering a MAC address, so stop laughing at me already.
**************

**************
You can get fired, expelled, busted and catch cooties warning: Faking all that stuff is something you would be better off doing only on your own test network, or with written permission from the owner of the very interesting computer.
**************

Now that we know some basic things about computer 10.0.0.2, also known as Oldguy, we can do some simple things to learn more. We can connect to it with a web browser to see what's on the web site, and with ftp to see if it allows anonymous users to download or upload files. In the case of Oldguy, anyone can browse the web site. However, when we try to connect to its ftp server with Netscape by giving the location ftp://10.0.0.2, it returns the message "User Mozilla@ cannot log in.

**************
Newbie note: The people who programmed Netscape have always called it Mozilla, after a famous old movie monster. As a joke they have stuck obscure mentions of Mozilla into the operations of Netscape. Mozilla lovers recently spun off a pure Mozilla browser project that has the web site http://www.mozilla.org.
**************

The Net View Command

Now let's have some serious fun. Netscape (or any browser or ftp program) uses TCP/IP to connect. What happens if we use NetBIOS instead to try to download files from Oldguy's ftp server?

Let's try some more NetBIOS commands:

C:\>net view \\10.0.0.2
System error 53 has occurred.

The network path was not found.

I got this message because my firewall blocked access to Oldguy, giving the message:

The firewall has blocked Internet access to 10.0.0.2 (TCP Port 445) from your computer [TCP Flags: S].

There's a good reason for this. My firewall/IDS is trying to keep me from carelessly making my computer a part of some stranger's LAN. Keep in mind that NetBIOS is a two-way street. However, I want to run this command, so I shut down Zone Alarm and give the command again:

C:\>net view \\10.0.0.2
Shared resources at \\10.0.0.2

Share name Type Used as Comment

--------------------------------------------------------
ftproot Disk
InetPub Disk
wwwroot Disk
The command completed successfully.

This is a list of shared directories. Oooh, look at that, the ftp server is shared. Does this mean I can get in? When setting shares on a Windows NT server, the default choice is to allow access to read, write and delete files to everyone. So sometimes a sysadmin carelessly fails to restrict access to a share.

What is really important is that we didn't need a user name or password to get this potentially compromising information.

Let's establish an anonymous connection to Oldguy, meaning we connect without giving it a user name or password:

C:\>net use \\10.0.0.2\ipc$
Local name
Remote name \\10.0.0.2\IPC$
Resource type IPC
Status OK
# Opens 0
# Connections 1
The command completed successfully.

We are connected!

**********************
Newbie note: IPC (ipc$) stands for "Inter Process Connector", used to set up connections across a network between Windows computers using NetBIOS.
**********************

What to Do Once you Are Connected

So far we haven't quite been breaking the law, although we have been getting pretty rude if the owner of that target computer hasn't given us permission to explore. What if we want to stop pushing our luck and decide to disconnect? Just give the message:

C:\>net session \\10.0.0.2 /delete

Of course you would substitute the name or number of the computer to which you are connected for 10.0.0.2.

What if you want to stay connected? Oldguy will let you stay connected even if you do nothing more. By contrast, a login to a Unix/Linux type computer will normally time out and disconnect you if you go too long without doing anything.

How to Break in Using the XP GUI

You could try out the other net commands on Oldguy. Or you can go to the graphical user interface (GUI) of XP. After running the above commands I click My Computer, then My Network Places and there you'll find the victim, er, I mean, target computer. By clicking on it, I discover that ftproot has been shared to - everyone!

Let's say you were to get this far investigating some random computer you found on the Internet. Let's say you had already determined that the ftp server isn't open to the public. At this moment you would have a little angel sitting one shoulder whispering "You can be a hero. Email the owner of that computer to tell him or her about that misconfigured ftproot."

On the other shoulder a little devil is sneering, "Show the luser no mercy. Information should be free. Because I said so, that's why. Hot darn, are those spreadsheets from the accounting department? You could make a lot of bucks selling those files to a competitor, muhahaha! Besides, you're so ugly that future cellmate Spike won't make you be his girlfriend."

Some hackers might think that because ftproot is shared to the world that it is OK to download stuff from it. However, if someone were to log in properly to that ftp server, he or she would get the message "Welcome to Oldguy on Carolyn Meinel's LAN. Use is restricted to only those for whom Meinel has assigned a user name and password." This warning logon banner is all a computer owner needs to legally establish that no one is allowed to just break in. It won't impress a judge if a cracker says "The owner was so lame that her computer deserved to get broken into" or "I'm so lame that I forgot to try to use the ftp server the normal way."

More on the Net Commands

Let's get back to the net commands. There are many forms of this command. In XP you can learn about them with the command:

C:\>net help
The syntax of this command is:

NET HELP
command
-or-
NET command /HELP

Commands available are:

· NET ACCOUNTS

· NET HELP

· NET SHARE
NET COMPUTER

· NET HELPMSG

· NET START

· NET CONFIG

· NET LOCALGROUP

· NET STATISTICS

· NET CONFIG SERVER

· NET NAME

· NET STOP

· NET CONFIG WORKSTATION

· NET PAUSE

· NET TIME

· NET CONTINUE

· NET PRINT

· NET USE

· NET FILE

· NET SEND

· NET USER

· NET GROUP

· NET SESSION

· NET VIEW

· NET HELP SERVICES lists some of the services you can start.

· NET HELP SYNTAX explains how to read NET HELP syntax lines.

· NET HELP command | MORE displays Help one screen at a time.

How Crackers Break in as Administrator

As we look around Oldguy further, we see that there's not much else an anonymous user can do to it. We know that there is a user named Administrator. What can we do if we can convince Oldguy that we are Administrator?

******************
Newbie note: in Windows NT, 2000 and XP, the Administrator user has total power over its computer, just as root has total power over a Unix/Linux type computer. However, it is possible to change the name of Administrator so an attacker has to guess which user has all the power.
******************

Let's try to log in as Administrator by guessing the password. Give the command:

C:\>net use \\10.0.0.2\ipc$ * /user:Administrator
Type the password for \\10.0.0.2\ipc$:
System error 1219 has occurred.

Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.

This means that someone else is currently logged onto this server who has Administrator rights. Furthermore, this person is probably watching me on an IDS and thinking up terrible things to do to me. Eeep! Actually this is all going on inside my hacker lab - but you get the idea of what it could be like when trying to invade a computer without permission.

I discover that whether I guess the password correctly or not, I always get the same error message. This is a good safety feature. On the other hand, one of the users is named Administrator. This is a bad thing for the defender. When you first set up a Windows NT or 2000 server, there is always a user called Administrator, and he or she has total power over that computer. If you know the all-powerful user is named Administrator, you can try guessing the password whenever no one is logged on with Administrator powers.

Computer criminals don't waste time guessing by hand. They use a program such as NAT or Legion to get passwords. These programs are why smart NT administrators rename their Administrator accounts and choose hard passwords. Also, this kind of persistent attack will be detected by an intrusion detection system, making it easy to catch criminals at work.

********************
You can get expelled warning: What if you are a student and you want to save your school from malicious code kiddies who steal tests and change grades? It is important to get permission *in writing* before you test the school's network. Even then, you still must be careful to be a model student. If you act up, cut classes - you know what I mean - the first time a cracker messes up the network, who do you think they will suspect? Yes, it's unfair, and yes, that is the way the world works.
********************

How to Scan for Computers that Use NetBIOS

Your tool of choice is a port scanner. Any computer that is running something on port 139 is likely (but not certain) to be using NetBIOS. Most crackers use nmap to port scan. This tool runs on Unix/Linux type computers. You can get it at . There is also a Windows version of nmap, but it isn't very good. A better choice for Windows is Whats Up from . You can get a one month free trial of it.

Here's an example of an nmap scan of Oldguy:

test-box:/home/cmeinel # nmap -sTU 10.0.0.2

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (10.0.0.2):
(The 3060 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
70/tcp open gopher
80/tcp open http
135/tcp open loc-srv
135/udp open loc-srv
137/udp open netbios-ns
138/udp open netbios-dgm
139/tcp open netbios-ssn
500/udp open isakmp

Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds

As you can see from this scan, three ports are identified with NetBIOS. This tells us that we could set nmap to scan a large number of Internet addresses, only looking for port 139 on each. To learn how to set up nmap to run this way, in your Unix or Linux shell give the command "man nmap".

For more on what crackers do once they break into a computer using NetBIOS (like installing back doors), see http://happyhacker.org/gtmhh/vol3no10.shtml .

********************
You can get punched in the nose warning: if you use a port scanner against networks that haven't given you permission to scan, you will be waving a red flag that says "Whaddaya wanna bet I'm a computer criminal?" You can't get arrested for merely port scanning, but people who don't like being scanned might get you kicked off your Internet service provider.

You can get really, big time, punched in the nose warning: If you visit the same computer or LAN really often to see what's new and to try different things, even if you don't break the law you'd better be doing it with the permission of the owner. Otherwise you may make enemies who might crash or destroy your operating system. And that is only what they may do when feeling mellow. After a night of hard drinking - well, you don't want to find out.
********************

How to Play NetBIOS Wargames

What if you want to challenge your friends to a hacker wargame using NetBIOS? The first thing to do is *don't* email me asking me to break in for you. Sheesh. Seriously, almost every day I get emails from people claiming to have permission from their girlfriend/boyfriend and begging me to help them break in. You can read their hilarious pleas for help at http://happyhacker.org/sucks/ <../sucks/index.shtml> .

The way to run a hacker wargame over the Internet is first, get permission from your Internet provider so they don't kick you off for hacking. They probably run an IDS that scans users for suspicious activity. They probably hate malicious hackers. Enough said.

Second, you and your friends are likely to be at a different Internet address every time you log on. Your safest way to play over the Internet is for each player to get an Internet address that is the same every time he or she logs on: a "static" address. This way you won't accidentally break into someone else's computer.

You have to arrange with your Internet provider to get a static address. Normally only a local provider can do this for you. A big advantage of using a local provider is you can make friends with the people who work there - and they are probably hackers.

If you live in an apartment building or dormitory with other hackers, you can play break-in games without using the Internet. Set up a LAN where you can play together. For example, you can string Ethernet cable from window to window. To learn how to set up a Windows Ethernet LAN, see http://happyhacker.org/gtmhh/winlan.shtml .

Or you could set up a wireless LAN. With wireless you never know who might come cruising with a laptop down the street by your home or business and break in. That can make a wargame lots more fun. For help on how to break into wireless LANs (it's pathetically easy), see .

**************
Evil genius tip: Attack using a Win NT server with the Microsoft Resource Kit installed. Heh, heh. With it you can give the command:

C:\>Local Administrators \\

This should show all user accounts with administrator rights on targetbox.com.

C:\>Global Administrators \\

This should show all user accounts with Domain administrative rights. These are exceptionally worth compromising, because with one Domain administrative password you will be able to control many resources among NT servers, workstations, and Win 95/98 computers.

I've tried to install the Resource Kit on XP Professional, but it wasn't compatible.

Another option is to install hacker tools such as Red Button and DumpACL, which extract information on user names, hashes, and which services are running on a given machine.
**************

Help for users of Windows 95, 98, SE or ME

To enable NetBIOS, click

Control Panel -> Network -> Protocols

If you see both NetBEUI and TCP/IP, you are already using NetBIOS. If not, add NetBEUI.

To bring up the command screen, click Start -> Run and type in command.com.

Read On 0 comments

Proxy how to

3:41 AM

Proxies

What is a Proxy Server?
A proxy server is a kind of buffer between your computer and the Internet resources you are accessing. The data you request come to the proxy first, and only then it transmits the data to you. I know many are looking for IP Maskers or Scramblers, but honestly, it aint real easy for the simple fact that any website that you visit needs your IP to send the info packets too. If its scrambled, you will get alot of errors and crazy redirects :P My solution? Read on........... for a good list of Proxy servers try here>> http://www.multiproxy.org/

Why do I need to use proxy servers?
Transfer speed improvement. Proxy servers accumulate and save files that are most often requested by thousands of Internet users in a special database, called “cache”. Therefore, proxy servers are able to increase the speed of your connection to the Internet. The cache of a proxy server may already contain information you need by the time of your request, making it possible for the proxy to deliver it immediately.
Security and privacy. Anonymous proxy servers that hide your IP address thereby saving you from vulnerabilities concerned with it.
Sometimes you may encounter problems while accessing to web server when server administrator restricted access from your IP or even from wide IP range (for example restricting access from certain countries or geographical regions). So you try to access those pages using an anonymous proxy server.

What is a public proxy server?
It is a proxy server which is free and open for everybody on the Internet. Unfortunately most of them are not anonymous.
Free service trying to provide list of public HTTP proxy servers. Usually provide small list of proxies with low percent of functioning servers due to hosting restrictions on CPU time (they simply can't allow themselves to check many proxies every second especially in parallel).

The Solution?
When using an anonymous proxy server you don’t give a anybody chance to find out your IP address to use it in their own interests. ;) If there is a need to make an (inner) proxy connect to the outside world via another (outer) proxy server, you can use the same environment variables as are used to redirect clients to the proxy to make inner proxy use the outer one:
http_proxy
ftp_proxy
gopher_proxy
wais_proxy
E.g. your (inner) proxy server's startup script could look like this:
#!/bin/sh
http_proxy=http://outer.proxy.server:8082/
export http_proxy
/usr/etc/httpd -r /etc/inner-proxy.conf -p 8081

This is a little ugly, so there are also the following directives in the configuration file:
http_proxy http://outer.proxy.server/
ftp_proxy http://outer.proxy.server/
gopher_proxy http://outer.proxy.server/
wais_proxy http://outer.proxy.server/

Read On 0 comments

Telnet trick port 25

3:39 AM

Network solutions shut down that nifty telnet thing on whois.intenic.net on the default telnet port (25), despite many protests. However, there is something fun you can do with telnet with whois.internic.net or any other cooperating domain name server. At your DOS prompt in Windows (search for command.com or cmd.exe to run a DOS prompt) or teminal prompt (shell) in Linux or Unix, type:

telnet whois.internic.net 43

It gives a blank page. Type in the domain name you want to check and hit enter. Voila! You get something like this:

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net for detailed information.

Domain Name: TECHBROKER.COM
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com
Name Server: DNS1.WURLD.NET
Name Server: DNS2.WURLD.NET
Status: ACTIVE
Updated Date: 11-dec-2002
Creation Date: 13-feb-1996
Expiration Date: 14-feb-2006

>>> Last update of whois database: Fri, 14 Nov 2003 07:28:09 EST <<<

NOTICE: The expiration date displayed in this record is the date the registrar's sponsorship of the domain name registration in the registry is currently set to expire. This date does not necessarily reflect the expiration date of the domain name registrant's agreement with the sponsoring registrar. Users may consult the sponsoring registrar's Whois database to view the registrar's reported date of expiration for this registration.

Read On 0 comments

Yahoo Chat Commands:

3:34 AM
/join [room] go to what ever room you wish

/invite [buddys name] sends invitation request

/tell [user] [message] private messages a friend

/follow [user] follows a friend

/stopfollow [user] stop following someone

/stopfollow [yourname] to stop them from following you

/goto [user] enters the room the user is in

/away [off] turn your private messages back on

/think [message] (type this to think what you want

/ignore [list] list everyone who you are ignoring

/ignore add [user] add someone to your ignoring list

/ignore [add all] ignores everything going on
Read On 0 comments

Zen and the Art of Fone Phreaking `97

7:45 AM
b4 i get started, just remember i did not rite this phile
so you people can learn preform telecommunications fraud!
contrary to popular beleafs phreaking is still an art form.
phreaking is a form of intelectual advancement. is just like
hacking, if u think of it this way: when hacking you type
certain commands in phreaking, you play certain MHz tones.
blue boxing is just like gaining r00t access of a unix sys.
by gaining r00t access you be come the 'system operator'.
the blue box utelizes 'system operator' tones. see what i'm sayn?
just cuz phreaking is intelectual it dousnt mean it cant be fun.

_`'-.,_,.-'`_`'-.,_,.-> [ definitions ] <-.,_,.-'`_`'-.,_,.-'`_

Phreak ["free"k] Verb--1. The act of "Phreaking"
2. The act of making telephone calls without paying money
[the word phreak is a combination of phone, freak, and free]

Phreaker ["free"-k-er] Noun--1. One who engages in the act of
"Phreaking" 2.One who makes telephone calls without paying
money

_`'-.,_,.-'`_`'-.,_,.-> [fone systems in the world today] <-.,_,.-'`_`'-.,_,.-'`_

[1] Step by Step
[2] Crossbar
[3] ESS Electronic Switching System


Step by Step
~~~~~~~~~~

First switching system used in America, adopted in 1918 and until
1978 Bell had over 53% of all exchanges using Step by Step [SxS].
A long,and confusing train of switches is used for SxS switching.

[> Disadvantages <]

[A] The switch train may become jammed : Blocking call.
[B] No DTMF [Dual-Tone Multi-Frequency]["Touch-tone"].
[C] Much maintanance and much electricity.[0;36;40m
[D] Everything is hardwired

+> Identification<+

[A] No pulsing digits after dialing or DTMF.
[B] Phone Company sounds like many typewriters.
[C] No: Speed calling, Call forwarding, and other services.
[D] Pay-phone wants money first before dial-tone.


Crossbar
~~~~~~~

Crossbar has been Bell's primary switcher after 1960. Three
types of Crossbar switching exist: Number 1 Crossbar [1XB],
Number 4 Crossbar [4XB], and Number 5 Crossbar [5XB]. A
switching matrix is used for all the phones in an area.When
someone calls, the route is determined and is met up with the
othr fone.The matrix is set-up in horizontal and vertical paths.
There are no definite distinguishing features of Crossbar
switching.


ESS
~~~

ESS is the big brother of the Bell family. Its very name strikes
fear and apprehension into the hearts of most who have this
knowlege, for a good reason. ESS [electronic switching System]
knows the full story on every telephone hooked into it. While
it may be paranoid to say that all telecomunications loop holes
may come to a screeching hault under ESS, it is certainly
realistic to think that everyone must be a little more careful
under ESS. Heres why:

With ESS, every single digit dialed is recorded. This is useful
not only for nailing telecomunications frauders but settling
billing disputes. In the past, there has been no easy way for
the phone company to show you what numbers you have dialed locally.
If you protested long enough, and loud enough, they might have put
a pen register on your line to record everything and prove it to
you. Under ESS, the actual printout [which will be dragged out of
of a vault somewhere if needed] shows every last digit you dialed,
Every 800 call, every directory assistance, repair service, the
operator, every rendation of the 1812 overture, everything! Here
is a typical example of an ESS print out, which shows time of
connect, and a number called:

DATE TIME LENGTH UNITS NUMBER NOTE
---- ---- ------ ----- ------ ----
0403 1517 3 1 264-9021 none
0403 1523 5 3 576-1303 H,P,V,C,A
0403 1600 1 0 800-555-1212 none
0403 1612 10 2.25* 716-221-3184 none
0403 01629 1 0 000-000-0000 O
[TSPS]

Now your probally asking, "What are those letters under
"NOTE?" Well, those letters stand for cretain words or
phrases that the Telco/phone company serches for. For
instance: O may stand for Overthrow. From here on, every
time you dial that number, the ESS may tap the line! And
this IS Legal! It is legal because they may think you are
planning to "Overthrow" the Government or something!
You never know.

A thousand calls to "800" will show up on the Ess print out.
Every touch tone or pulse is kept track off along with every
foreign signal. A traffic engineer did an exhausting study of 800 calls
over the past few years and came to these conclusions:

1] Legit made calls to 800 numbers last up to an average
of three minutes or less. Of the illegal calls via 800
lines, more than 80% lasted 5 minutes or longer.

2] The average residential telephone subscriber dials five
calls per month to an 800 number. Persons making illegal
calls via 800 numbers average significantly higher number.


Under ESS, one simply does not place a 2600 MHz on the line,
unless of course, they want a Telco security representative
and a FBI/Police man at their door with in the hour!

Tracing calls, for reasons such as fraud or abusive calls, is done
from a computer terminal in a security department. Within Ess,
nothing is hidden or concealed in electromechanical frames, etc.
It is merely a software program designed for ease in operation by the
Telco. Call tracing has become very sophisticated and immediate.
There is no more "running in the frames" or looking for long periods
of time. ROM Chips in ESS computers work quickly. That's what ESS
is all about.

Minimizing telecommunications fraud is not the only reason for ESS,
but is a very important one. The first and foremost reason for the
ESS is to provide the Teleco with better control on billing and
equipment records, faster handling of calls [i.e. less equipment
tied up in the office at one time], and to help agencies such as
the F.B.I. keep better account of who was calling who from where.
When the F.B.I. finds out that someone who's calls they want to trace
is on an ESS exchange, they are thrilled because it is so much easier
for them to trace.

The United States won't be 100% ESS until sometime around 2010.
But, in real practice, phone offices in almost every city, are getting
some of the basic modifications brought about by ESS. "911" service
is an ESS function. So is ANI [ Automatic Number Identification] on
long distance calls. "Dial Tone First" payphones are also an ESS
function. None of these things were available prior to ESS. The
amount of pure fraud calling via bogess calling card numbers,
third party dialing, colored boxing, etc. on the ESS lines led to
the decision to rapidly install the ANI, for example, even if the
rest of the ESS was several years away in some cases.

Depending on how you you choose to look at the whole concept of ESS,
it can be either one of the most advantageous inventions of all time,
or one of the terrifying. The system is good for consumers in that
it can take a lot of activity and do lots of things that older
systems could never do. Features such as direct dialing overseas,
call forwarding, and call holding are steps forward without question.
But at the same time, what do all of the nasty implications mentioned
further back mean to the average person on the sidewalk? This system
is perfectly capable of monitoring anyone , not just telecommunication
frauders. What would happen if the nice, friendly government we have
somehow got overthrown and a mean nasty one took its place? With ESS,
they wouldn't have to do much work, just come up with some new software.
Imagine a phone system that could tell authorities how many calls you
placed to certain types of people: i.e. African Americans, Hispanics,
Communists, known Anacharists, laundromat service employees....ESS
could do it if so programmed.

_`'-.,_,.-'`_`'-.,_,.-> [ History of the Art of phreaking ] <-.,_,.-'`_`'-.,_,.-'`_

the age of blue boxing began, not with a bang, but with a whistle. In
1972,a man named John Draper, a slightly scraggly engineer at a national
semiconductor, found a small blue whistle in a box of "Captain Crunch"
Cereal. The whistle was deformed and had an odd extra hole. Draper found
that when the regular hole was covered the whistle created a perfect 2600hz
cycle. Draper, who now refers to himself as "Cap'n Crunch", toyed with the
whistle until he created his first basic PCI-Board construction of the Blue box.
After receiving a university file which contained information on all operator
tones, the Cap'n created the new version of the blue box which utilizes all
operator tones.

_`'-.,_,.-'`_`'-.,_,.-> [ Colored Boxing ] <-.,_,.-'`_`'-.,_,.-'`_

The bulk of phreaking was (and still is to some extent) committed
by a technological piece known as a colored box. Most colored boxes
function by using certain Megahurtz tones/ combinations of Megahurtz
tones . The next section gives a list and short description of all colored boxes.

What is a Red Box?

When a coin is inserted into a payphone, the payphone emits a set of
tones to ACTS (Automated Coin Toll System). Red boxes work by fooling
ACTS into believing you have actually put money into the phone. The
red box simply plays the ACTS tones into the telephone microphone.
ACTS hears those tones, and allows you to place your call. The actual
tones are:

Nickel Signal 1700+2200hz 0.060s on
Dime Signal 1700+2200hz 0.060s on, 0.060s off, twice repeating
Quarter Signal 1700+2200hz 33ms on, 33ms off, 5 times repeating

Canada uses a variant of ACTSD called N-ACTS. N-ACTS uses different
tones than ACTS. In Canada, the tones to use are:

Nickel Signal 2200hz 0.060s on
Dime Signal 2200hz 0.060s on, 0.060s off, twice repeating
Quarter Signal 2200hz 33ms on, 33ms off, 5 times repeating

How do I build a Red Box?

Red boxes are commonly manufactured from modified Radio Shack tone
dialers, Hallmark greeting cards, or made from scratch from readily
available electronic components.

To make a Red Box from a Radio Shack 43-141 or 43-146 tone dialer, open
the dialer and replace the crystal with a new one. The purpose of the
new crystal is to cause the * button on your tone dialer to create a
1700Mhz and 2200Mhz tone instead of the original 941Mhz and 1209Mhz
tones. The exact value of the replacement crystal should be 6.466806 to
create a perfect 1700Mhz tone and 6.513698 to create a perfect 2200mhz
tone. A crystal close to those values will create a tone that easily
falls within the loose tolerances of ACTS. The most popular choice is
the 6.5536Mhz crystal, because it is the easiest to procure. The old
crystal is the large shiny metal component labeled "3.579545Mhz." When
you are finished replacing the crystal, program the P1 button with five
*'s. That will simulate a quarter tone each time you press P1.

Where can I get a 6.5536Mhz crystal?

Your best bet is a local electronics store. Radio Shack sells them, but
they are overpriced and the store must order them in. This takes
approximately two weeks. In addition, many Radio Shack employees do not
know that this can be done.

Or, you could order the crystal mail order. This introduces Shipping
and Handling charges, which are usually much greater than the price of
the crystal. It's best to get several people together to share the S&H
cost. Or, buy five or six yourself and sell them later. Some of the
places you can order crystals are:

Digi-Key
701 Brooks Avenue South
P.O. Box 677
Thief River Falls, MN 56701-0677
(800)344-4539
Part Number:X415-ND /* Note: 6.500Mhz and only .197 x .433 x .149! *\
Part Number:X018-ND

JDR Microdevices:
2233 Branham Lane
San Jose, CA 95124
(800)538-5000
Part Number: 6.5536MHZ

Tandy Express Order Marketing
401 NE 38th Street
Fort Worth, TX 76106
(800)241-8742
Part Number: 10068625

Alltronics
2300 Zanker Road
San Jose CA 95131
(408)943-9774 Voice
(408)943-9776 Fax
(408)943-0622 BBS
Part Number: 92A057

Mouser
(800)346-6873
Part Number: 332-1066

Blue Saguaro
P.O. Box 37061
Tucson, AZ 85740
Part Number: 1458b

Unicorn Electronics
10000 Canoga Ave, Unit c-2
Chatsworth, CA 91311
Phone: 1-800-824-3432
Part Number: CR6.5

Which payphones will a Red Box work on?

Red Boxes will work on telco owned payphones, but not on COCOT's
COCOT is an acronym for Customer Owned Coin Operated Telephones.
COCOT's are the payphones that you see in front/inside of restraunts
that don't dial directly into the ESS, they first dial into the
operating phone system of the store/restraunt in which it is located.

Red boxes work by fooling ACTS (Automated Coin Toll System) into
believing you have put money into the pay phone. ACTS is the
telephone company software responsible for saying "Please deposit XX
cents" and listening for the coins being deposited.

COCOT's do not use ACTS. On a COCOT, the pay phone itself is
responsible for determining what coins have been inserted.

How do I make local calls with a Red Box?

Payphones do not use ACTS for local calls. To use your red box for
local calls, you have to fool ACTS into getting involved in the call.

One way to do this, in some areas, is by dialing 10288-xxx-xxxx. This
makes your call a long distance call, and brings ACTS into the
picture.

In other areas, you can call Directory Assistance and ask for the
number of the person you are trying to reach. The operator will give
you the number and then you will hear a message similar to "Your call
can be completed automatically for an additional 35 cents." When this
happens, you can then use ACTS tones.

What is a Blue Box?

Blue boxes use a 2600hz tone to size control of telephone switches
that use in-band signaling. The caller may then access special
switch functions, with the usual purpose of making free long distance
phone calls, using the tones provided by the Blue Box.

Do Blue Boxes still work?

This FAQ answer is excerpted from a message posted to Usenet by
Marauder of the Legion of Doom:

Somewhere along the line I have seen reference to something
similar to "Because of ESS Blue boxing is impossible". This is
incorrect. When I lived in Connecticut I was able to blue box
under Step by Step, #1AESS, and DMS-100. The reason is simple,
even though I was initiating my call to an 800 number from a
different exchange (Class 5 office, aka Central Office) in each
case, when the 800 call was routed to the toll network it would
route through the New Haven #5 Crossbar toll Tandem office. It
just so happens that the trunks between the class 5 (CO's) and
the class 4 (toll office, in this case New Haven #5 Xbar),
utilized in-band (MF) signalling, so regardless of what I
dialed, as long as it was an Inter-Lata call, my call would
route through this particular set of trunks, and I could Blue
box until I was blue in the face. The originating Central
Offices switch (SXS/ESS/Etc..) had little effect on my ability
to box at all. While the advent of ESS (and other electronic
switches) has made the blue boxers task a bit more difficult,
ESS is not the reason most of you are unable to blue box. The
main culprit is the "forward audio mute" feature of CCIS (out of
band signalling). Unfortunately for the boxer 99% of the Toll
Completion centers communicate using CCIS links, This spells
disaster for the blue boxer since most of you must dial out of
your local area to find trunks that utilize MF signalling, you
inevitably cross a portion of the network that is CCIS equipped,
you find an exchange that you blow 2600hz at, you are rewarded
with a nice "winkstart", and no matter what MF tones you send at
it, you meet with a re-order. This is because as soon as you
seized the trunk (your application of 2600hz), your Originating
Toll Office sees this as a loss of supervision at the
destination, and Mutes any further audio from being passed to
the destination (ie: your waiting trunk!). You meet with a
reorder because the waiting trunk never "hears" any of the MF
tones you are sending, and it times out. So for the clever
amongst you, you must somehow get yourself to the 1000's of
trunks out there that still utilize MF signalling but
bypass/disable the CCIS audio mute problem. (Hint: Take a close
look at WATS extenders).

What is a Black Box?

A Black Box is a resistor (and often capacitor in parallel) placed in
series across your phone line to cause the phone company equipment to be
unable to detect that you have answered your telephone. People who call
you will then not be billed for the telephone call. Black boxes do not
work under ESS.

What do all the colored boxes do?

Acrylic Steal Three-Way-Calling, Call Waiting and programmable
Call Forwarding on old 4-wire phone systems
Aqua Drain the voltage of the FBI lock-in-trace/trap-trace
Beige Lineman's hand set
Black Allows the calling party to not be billed for the call
placed
Blast Phone microphone amplifier
Blotto Supposedly shorts every phone out in the immediate area
Blue Emulate a true operator by seizing a trunk with a 2600hz
tone
Brown Create a party line from 2 phone lines
Bud Tap into your neighbors phone line
Chartreuse Use the electricity from your phone line
Cheese Connect two phones to create a diverter
Chrome Manipulate Traffic Signals by Remote Control
Clear A telephone pickup coil and a small amp used to make free
calls on Fortress Phones
Color Line activated telephone recorder
Copper Cause crosstalk interference on an extender
Crimson Hold button
Dark Re-route outgoing or incoming calls to another phone
Dayglo Connect to your neighbors phone line
Diverter Re-route outgoing or incoming calls to another phone
DLOC Create a party line from 2 phone lines
Gold Dialout router
Green Emulate the Coin Collect, Coin Return, and Ringback tones
Infinity Remotely activated phone tap
Jack Touch-Tone key pad
Light In-use light
Lunch AM transmitter
Magenta Connect a remote phone line to another remote phone line
Mauve Phone tap without cutting into a line
Neon External microphone
Noise Create line noise
Olive External ringer
Party Create a party line from 2 phone lines
Pearl Tone generator
Pink Create a party line from 2 phone lines
Purple Telephone hold button
Rainbow Kill a trace by putting 120v into the phone line (joke)
Razz Tap into your neighbors phone
Red Make free phone calls from pay phones by generating
quarter tones
Rock Add music to your phone line
Scarlet Cause a neighbors phone line to have poor reception
Silver Create the DTMF tones for A, B, C and D
Static Keep the voltage on a phone line high
Switch Add hold, indicator lights, conferencing, etc..
Tan Line activated telephone recorder
Tron Reverse the phase of power to your house, causing your
electric meter to run slower
TV Cable "See" sound waves on your TV
Urine Create a capacitative disturbance between the ring and
tip wires in another's telephone headset
Violet Keep a payphone from hanging up
White Portable DTMF keypad
Xero Portable silver box
Yellow Add an extension phone

What is an ANAC number?

An ANAC (Automatic Number Announcement Circuit) number is a telephone
number that plays back the number of the telephone that called it. ANAC
numbers are convenient if you want to know the telephone number of a pair
of wires.

What is the ANAC number for my area?

How to find your ANAC number:

Look up your NPA (Area Code) and try the number listed for it. If that
fails, try 1 plus the number listed for it. If that fails, try the common
numbers like 311, 958 and 200-222-2222. If you find the ANAC number for
your area, please let us know.

Note that many times the ANAC number will vary for different switches insame city. The geographic naming on the list is not intended to be an
accurate reference for coverage patterns, it is for convenience only.

Many companies operate 800 number services which will read back to you the
number from which you are calling. Many of these require navigating a
series of menus to get the phone number you are looking for.

(800)238-4959 A voice mail system
(800)328-2630 A phone sex line
(800)568-3197 Info Access Telephone Company's Automated Blocking Line
(800)571-8859 A phone sex line
(800)692-6447 (800)MY-ANI-IS
(800)455-3256 Unknown

An non-800 ANAC that works nationwide is 404-988-9664. The one catch with
this number is that it must be dialed with the AT&T Carrier Access Code
10732.

Another non-800 nationwide ANAC is Glen Robert of Full Disclosure
Magazine's number, 10555-1-708-356-9646.

Please use local ANAC numbers if you can, as abuse or overuse kills 800
ANAC numbers.

NPA ANAC number Geographic area
--- --------------- ---------------------------------------------
201 958 Hackensack/Jersey City/Newark/Paterson, NJ
202 811 District of Columbia
203 970 CT
205 300-222-2222 Birmingham, AL
205 300-555-5555 Many small towns in AL
205 300-648-1111 Dora, AL
205 300-765-4321 Bessemer, AL
205 300-798-1111 Forestdale, AL
205 300-833-3333 Birmingham
205 557-2311 Birmingham, AL
205 811 Pell City/Cropwell/Lincoln, AL
205 841-1111 Tarrant, AL
205 908-222-2222 Birmingham, AL
206 411 WA (Not US West)
207 958 ME
209 830-2121 Stockton, CA
209 211-9779 Stockton, CA
210 830 Brownsville/Laredo/San Antonio, TX
212 958 Manhattan, NY
213 114 Los Angeles, CA (GTE)
213 1223 Los Angeles, CA (Some 1AESS switches)
213 211-2345 Los Angeles, CA (English response)
213 211-2346 Los Angeles, CA (DTMF response)
213 760-2??? Los Angeles, CA (DMS switches)
213 61056 Los Angeles, CA
214 570 Dallas, TX
214 790 Dallas, TX (GTE)
214 970-222-2222 Dallas, TX
214 970-611-1111 Dallas, TX (Southwestern Bell)
215 410-xxxx Philadelphia, PA
215 511 Philadelphia, PA
215 958 Philadelphia, PA
216 200-XXXX Akron/Canton/Cleveland/Lorain/Youngstown, OH
216 331 Akron/Canton/Cleveland/Lorain/Youngstown, OH
216 959-9892 Akron/Canton/Cleveland/Lorain/Youngstown, OH
217 200-xxx-xxxx Champaign-Urbana/Springfield, IL
219 550 Gary/Hammond/Michigan City/Southbend, IN
219 559 Gary/Hammond/Michigan City/Southbend, IN
301 958-9968 Hagerstown/Rockville, MD
310 114 Long Beach, CA (On many GTE switches)
310 1223 Long Beach, CA (Some 1AESS switches)
310 211-2345 Long Beach, CA (English response)
310 211-2346 Long Beach, CA (DTMF response)
312 200 Chicago, IL
312 290 Chicago, IL
312 1-200-8825 Chicago, IL (Last four change rapidly)
312 1-200-555-1212 Chicago, IL
313 200-200-2002 Ann Arbor/Dearborn/Detroit, MI
313 200-222-2222 Ann Arbor/Dearborn/Detroit, MI
313 200-xxx-xxxx Ann Arbor/Dearborn/Detroit, MI
313 200200200200200 Ann Arbor/Dearborn/Detroit, MI
314 410-xxxx# Columbia/Jefferson City/St.Louis, MO
315 953 Syracuse/Utica, NY
315 958 Syracuse/Utica, NY
315 998 Syracuse/Utica, NY
317 310-222-2222 Indianapolis/Kokomo, IN
317 559-222-2222 Indianapolis/Kokomo, IN
317 743-1218 Indianapolis/Kokomo, IN
334 5572411 Montgomery, AL
334 5572311 Montgomery, AL
401 200-200-4444 RI
401 222-2222 RI
402 311 Lincoln, NE
404 311 Atlanta, GA
404 940-xxx-xxxx Atlanta, GA
404 990 Atlanta, GA
405 890-7777777 Enid/Oklahoma City, OK
405 897 Enid/Oklahoma City, OK
407 200-222-2222 Orlando/West Palm Beach, FL
408 300-xxx-xxxx San Jose, CA
408 760 San Jose, CA
408 940 San Jose, CA
409 951 Beaumont/Galveston, TX
409 970-xxxx Beaumont/Galveston, TX
410 200-6969 Annapolis/Baltimore, MD
410 200-555-1212 Annapolis/Baltimore, MD
410 811 Annapolis/Baltimore, MD
412 711-6633 Pittsburgh, PA
412 711-4411 Pittsburgh, PA
412 999-xxxx Pittsburgh, PA
413 958 Pittsfield/Springfield, MA
413 200-555-5555 Pittsfield/Springfield, MA
414 330-2234 Fond du Lac/Green Bay/Milwaukee/Racine, WI
415 200-555-1212 San Francisco, CA
415 211-2111 San Francisco, CA
415 2222 San Francisco, CA
415 640 San Francisco, CA
415 760-2878 San Francisco, CA
415 7600-2222 San Francisco, CA
419 311 Toledo, OH
502 2002222222 Frankfort/Louisville/Paducah/Shelbyville, KY
502 997-555-1212 Frankfort/Louisville/Paducah/Shelbyville, KY
503 611 Portland, OR
503 999 Portland, OR (GTE)
504 99882233 Baton Rouge/New Orleans, LA
504 201-269-1111 Baton Rouge/New Orleans, LA
504 998 Baton Rouge/New Orleans, LA
504 99851-0000000000 Baton Rouge/New Orleans, LA
508 958 Fall River/New Bedford/Worchester, MA
508 200-222-1234 Fall River/New Bedford/Worchester, MA
508 200-222-2222 Fall River/New Bedford/Worchester, MA
508 26011 Fall River/New Bedford/Worchester, MA
509 560 Spokane/Walla Walla/Yakima, WA
510 760-1111 Oakland, CA
512 830 Austin/Corpus Christi, TX
512 970-xxxx Austin/Corpus Christi, TX
515 5463 Des Moines, IA
515 811 Des Moines, IA
516 958 Hempstead/Long Island, NY
516 968 Hempstead/Long Island, NY
517 200-222-2222 Bay City/Jackson/Lansing, MI
517 200200200200200 Bay City/Jackson/Lansing, MI
518 511 Albany/Schenectady/Troy, NY
518 997 Albany/Schenectady/Troy, NY
518 998 Albany/Schenectady/Troy, NY
603 200-222-2222 NH
606 997-555-1212 Ashland/Winchester, KY
606 711 Ashland/Winchester, KY
607 993 Binghamton/Elmira, NY
609 958 Atlantic City/Camden/Trenton/Vineland, NJ
610 958 Allentown/Reading, PA
610 958-4100 Allentown/Reading, PA
612 511 Minneapolis/St.Paul, MN
614 200 Columbus/Steubenville, OH
614 571 Columbus/Steubenville, OH
615 200200200200200 Chatanooga/Knoxville/Nashville, TN
615 2002222222 Chatanooga/Knoxville/Nashville, TN
615 830 Nashville, TN
616 200-222-2222 Battle Creek/Grand Rapids/Kalamazoo, MI
617 200-222-1234 Boston, MA
617 200-222-2222 Boston, MA
617 200-444-4444 Boston, MA (Woburn, MA)
617 220-2622 Boston, MA
617 958 Boston, MA
618 200-xxx-xxxx Alton/Cairo/Mt.Vernon, IL
618 930 Alton/Cairo/Mt.Vernon, IL
619 211-2001 San Diego, CA
619 211-2121 San Diego, CA
703 811 Alexandria/Arlington/Roanoke, VA
704 311 Asheville/Charlotte, NC
707 211-2222 Eureka, CA
708 1-200-555-1212 Chicago/Elgin, IL
708 1-200-8825 Chicago/Elgin, IL (Last four change rapidly)
708 200-6153 Chicago/Elgin, IL
708 724-9951 Chicago/Elgin, IL
708 356-9646 Chicago/Elgin, IL
713 380 Houston, TX
713 970-xxxx Houston, TX
713 811 Humble, TX
714 114 Anaheim, CA (GTE)
714 211-2121 Anaheim, CA (PacBell)
714 211-2222 Anaheim, CA (Pacbell)
716 511 Buffalo/Niagara Falls/Rochester, NY (Rochester Tel)
716 990 Buffalo/Niagara Falls/Rochester, NY (Rochester Tel)
717 958 Harrisburg/Scranton/Wilkes-Barre, PA
718 958 Bronx/Brooklyn/Queens/Staten Island, NY
802 2-222-222-2222 Vermont
802 200-222-2222 Vermont
802 1-700-222-2222 Vermont
802 111-2222 Vermont
805 114 Bakersfield/Santa Barbara, CA
805 211-2345 Bakersfield/Santa Barbara, CA
805 211-2346 Bakersfield/Santa Barbara, CA (Returns DTMF)
805 830 Bakersfield/Santa Barbara, CA
806 970-xxxx Amarillo/Lubbock, TX
810 200200200200200 Flint/Pontiac/Southfield/Troy, MI
812 410-555-1212 Evansville, IN
813 311 Ft. Meyers/St. Petersburg/Tampa, FL
815 200-xxx-xxxx La Salle/Rockford, IL
815 290 La Salle/Rockford, IL
817 211 Ft. Worth/Waco, TX
817 970-611-1111 Ft. Worth/Waco, TX (Southwestern Bell)
818 1223 Pasadena, CA (Some 1AESS switches)
818 211-2345 Pasadena, CA (English response)
818 211-2346 Pasadena, CA (DTMF response)
903 970-611-1111 Tyler, TX
904 200-222-222 Jackonsville/Pensacola/Tallahasee, FL
906 1-200-222-2222 Marquette/Sault Ste. Marie, MI
907 811 AK (All)
908 958 New Brunswick, NJ
910 200 Fayetteville/Greensboro/Raleigh/Winston-Salem, NC
910 311 Fayetteville/Greensboro/Raleigh/Winston-Salem, NC
910 988 Fayetteville/Greensboro/Raleigh/Winston-Salem, NC
914 990-1111 Peekskill/Poughkeepsie/White Plains/Yonkers, NY
915 970-xxxx Abilene/El Paso, TX
916 211-2222 Sacramento, CA (Pac Bell)
916 461 Sacramento, CA (Roseville Telepohone)
919 200 Durham, NC
919 711 Durham, NC

Canada:
204 644-4444 Manitoba
306 115 Saskatchewan, Canada
403 311 Alberta, Yukon and N.W. Territory
403 908-222-2222 Alberta, Yukon and N.W. Territory
403 999 Alberta, Yukon and N.W. Territory
416 997-xxxx Toronto, Ontario
506 1-555-1313 New Brunswick
514 320-xxxx Montreal, Quebec
519 320-xxxx London, Ontario
604 1116 British Columbia, Canada
604 1211 British Columbia, Canada
604 211 British Columbia, Canada
613 320-2232 Ottawa, Ontario
705 320-4567 North Bay/Saulte Ste. Marie, Ontario

Australia:
+61 03-552-4111 Victoria 03 area
+612 19123 All major capital cities
+612 11544

United Kingdom:
175

Israel:
110

What is a ringback number?

A ringback number is a number that you call that will immediately ring the
telephone from which it was called.

In most instances you must call the ringback number, quickly hang up the
phone for just a short moment and then let up on the switch, you will then
go back off hook and hear a different tone. You may then hang up. You will
be called back seconds later.

What is the ringback number for my area?

An 'x' means insert those numbers from the phone number from which you are
calling. A '?' means that the number varies from switch to switch in the
area, or changes from time to time. Try all possible combinations.

If the ringback for your NPA is not listed, try common ones such as
951-xxx-xxxx, 954, 957 and 958. Also, try using the numbers listed for
other NPA's served by your telephone company.

Note: These geographic areas are for reference purposes only. Ringback
numbers may vary from switch to switch within the same city.

NPA Ringback number Approximate Geographic area
--- --------------- ---------------------------------------------
201 55?-xxxx Hackensack/Jersey City/Newark/Paterson, NJ
202 958-xxxx District of Columbia
203 99?-xxxx CT
206 571-xxxx WA
208 99xxx-xxxx ID
213 1-95x-xxxx Los Angeles, CA
215 811-xxxx Philadelphia, PA
216 551-xxxx Akron/Canton/Cleveland/Lorain/Youngstown, OH
219 571-xxx-xxxx Gary/Hammond/Michigan City/Southbend, IN
219 777-xxx-xxxx Gary/Hammond/Michigan City/Southbend, IN
301 579-xxxx Hagerstown/Rockville, MD
301 958-xxxx Hagerstown/Rockville, MD
303 99X-xxxx Grand Junction, CO
304 998-xxxx WV
305 999-xxxx Ft. Lauderdale/Key West/Miami, FL
312 511-xxxx Chicago, IL
312 511-xxx-xxxx Chicago, IL
312 57?-xxxx Chicago, IL
315 98x-xxxx Syracuse/Utica, NY
317 777-xxxx Indianapolis/Kokomo, IN
317 yyy-xxxx Indianapolis/Kokomo, IN (y=3rd digit of phone number)
319 79x-xxxx Davenport/Dubuque, Iowa
334 901-xxxx Montgomery, AL
401 98?-xxxx RI
404 450-xxxx Atlanta, GA
407 988-xxxx Orlando/West Palm Beach, FL
412 985-xxxx Pittsburgh, PA
414 977-xxxx Fond du Lac/Green Bay/Milwaukee/Racine, WI
414 978-xxxx Fond du Lac/Green Bay/Milwaukee/Racine, WI
415 350-xxxx San Francisco, CA
417 551-xxxx Joplin/Springfield, MO
501 221-xxx-xxxx AR
501 721-xxx-xxxx AR
502 988 Frankfort/Louisville/Paducah/Shelbyville, KY
503 541-XXXX OR
504 99x-xxxx Baton Rouge/New Orleans, LA
504 9988776655 Baton Rouge/New Orleans, LA
505 59?-xxxx New Mexico
512 95X-xxxx Austin, TX
513 951-xxxx Cincinnati/Dayton, OH
513 955-xxxx Cincinnati/Dayton, OH
513 99?-xxxx Cincinnati/Dayton, OH (X=0, 1, 2, 3, 4, 8 or 9)
516 660-xxx-xxxx Hempstead/Long Island, NY
601 777-xxxx MS
609 55?-xxxx Atlantic City/Camden/Trenton/Vineland, NJ
610 811-xxxx Allentown/Reading, PA
612 511 Minneapolis/St.Paul, MN
612 999-xxx-xxxx Minneapolis/St.Paul, MN
614 998-xxxx Columbus/Steubenville, OH
615 920-XXXX Chatanooga/Knoxville/Nashville, TN
615 930-xxxx Chatanooga/Knoxville/Nashville, TN
616 946-xxxx Battle Creek/Grand Rapids/Kalamazoo, MI
619 331-xxxx San Diego, CA
619 332-xxxx San Diego, CA
703 958-xxxx Alexandria/Arlington/Roanoke, VA
708 511-xxxx Chicago/Elgin, IL
714 330? Anaheim, CA (GTE)
714 33?-xxxx Anaheim, CA (PacBell)
716 981-xxxx Rochester, NY (Rochester Tel)
718 660-xxxx Bronx/Brooklyn/Queens/Staten Island, NY
719 99x-xxxx Colorado Springs/Leadville/Pueblo, CO
801 938-xxxx Utah
801 939-xxxx Utah
802 987-xxxx Vermont
804 260 Charlottesville/Newport News/Norfolk/Richmond, VA
805 114 Bakersfield/Santa Barbara, CA
805 980-xxxx Bakersfield/Santa Barbara, CA
810 951-xxx-xxxx Pontiac/Southfield/Troy, MI
813 711 Ft. Meyers/St. Petersburg/Tampa, FL
817 971 Ft. Worth/Waco, TX (Flashhook, then 2#)
906 951-xxx-xxxx Marquette/Sault Ste. Marie, MI
908 55?-xxxx New Brunswick, NJ
908 953 New Brunswick, NJ
913 951-xxxx Lawrence/Salina/Topeka, KS
914 660-xxxx-xxxx Peekskill/Poughkeepsie/White Plains/Yonkers, NY

Canada:
204 590-xxx-xxxx Manitoba
416 57x-xxxx Toronto, Ontario
416 99x-xxxx Toronto, Ontario
416 999-xxx-xxxx Toronto, Ontario
506 572+xxx-xxxx New Brunswick
514 320-xxx-xxxx Montreal, Quebec
519 999-xxx-xxxx London, Ontario
613 999-xxx-xxxx Ottawa, Ontario
705 999-xxx-xxxx North Bay/Saulte Ste. Marie, Ontario

Australia: +61 199
Brazil: 109 or 199
Holland: 99-xxxxxx
New Zealand: 137
Sweden: 0058
United Kingdom: 174 or 1744 or 175 or 0500-89-0011

(Italic indicates updated ringbacks, while bold indicates new ringbacks.)

What is a loop?

This FAQ answer is excerpted from: ToneLoc v0.99 User Manual by Minor
Threat & Mucho Maas

Loops are a pair of phone numbers, usually consecutive, like 836-9998 and
836-9999. They are used by the phone company for testing. What good do
loops do us? Well, they are cool in a few ways. Here is a simple use of. Each loop has two ends, a 'high' end, and a 'low' end. One end gives
a (usually) constant, loud tone when it is called. The other end is silent.
Loops don't usually ring either. When BOTH ends are called, the people that
called each end can talk through the loop. Some loops are voice filtered
and won't pass anything but a constant tone; these aren't much use to you.
Here's what you can use working loops for: billing phone calls! First, call
the end that gives the loud tone. Then if the operator or someone calls the
other end, the tone will go quiet. Act like the phone just rang and you
answered it ... say "Hello", "Allo", "Chow", "Yo", or what the fuck ever.
The operator thinks that she just called you, and that's it! Now the phone
bill will go to the loop, and your local RBOC will get the bill! Use this
technique in moderation, or the loop may go down. Loops are probably most
useful when you want to talk to someone to whom you don't want to give your
phone number.

What is a loop in my area?

Many of these loops are no longer functional. If you are local to any of
these loops, please try them out an e-mail me the results of your research.

NPA High Low
------- ------- ------
201 666-9929 666-9930
206 827-0018 827-0019
206 988-0020 988-0022
208 862-9996 862-9997
209 732-0044 732-0045
201 666-9929 666-9930
210 993-9929 993-9930
210 330-9929 330-9930
210 333-9929 333-9930
210 376-9929 376-9930
210 467-9929 467-9930
212 220-9977 220-9979
212 283-9977 283-9979
212 283-9977 283-9997
212 352-9900 352-9906
212 365-9977 365-9979
212 529-9900 529-9906
212 562-9977 562-9979
212 986-9977 986-9979
213 360-1118 360-1119
213 365-1118 365-1119
213 455-0002 455-xxxx
213 455-0002 455-xxxx
213 546-0002 546-xxxx
213 546-0002 546-xxxx
213 549-1118 549-1119
305 778-9952 778-9951
305 964-9951 964-9952
307 468-9999 468-9998
308 357-0004 357-0005
310 365-1118 365-1119
310 445-0002 445-????
310 455-0002 455-????
310 545-0002 545-????
310 546-0002 546-????
312 262-9902 262-9903
313 224-9996 224-9997
313 225-9996 225-9997
313 234-9996 234-9997
313 237-9996 237-9997
313 256-9996 256-9997
313 272-9996 272-9997
313 273-9996 273-9997
313 277-9996 277-9997
313 281-9996 281-9997
313 292-9996 292-9997
313 299-9996 299-9997
313 321-9996 321-9997
313 326-9996 326-9997
313 356-9996 356-9997
313 362-9996 362-9997
313 369-9996 369-9997
313 388-9996 388-9997
313 397-9996 397-9997
313 399-9996 399-9997
313 445-9996 445-9997
313 465-9996 465-9997
313 471-9996 471-9997
313 474-9996 474-9997
313 477-9996 477-9997
313 478-9996 478-9997
313 483-9996 483-9997
313 497-9996 497-9997
313 526-9996 526-9997
313 552-9996 552-9997
313 556-9996 556-9997
313 561-9996 561-9997
313 569-9996 569-9996
313 575-9996 575-9997
313 577-9996 577-9997
313 585-9996 585-9997
313 591-9996 591-9997
313 621-9996 621-9997
313 626-9996 626-9997
313 644-9996 644-9997
313 646-9996 646-9997
313 647-9996 647-9997
313 649-9996 649-9997
313 663-9996 663-9997
313 665-9996 665-9997
313 683-9996 683-9997
313 721-9996 721-9997
313 722-9996 722-9997
313 728-9996 728-9997
313 731-9996 731-9997
313 751-9996 751-9997
313 776-9996 776-9997
313 781-9996 781-9997
313 787-9996 787-9997
313 822-9996 822-9997
313 833-9996 833-9997
313 851-9996 851-9997
313 871-9996 871-9997
313 875-9996 875-9997
313 886-9996 886-9997
313 888-9996 888-9997
313 898-9996 898-9997
313 934-9996 934-9997
313 942-9996 942-9997
313 963-9996 963-9997
313 977-9996 977-9997
315 673-9995 673-9996
315 695-9995 695-9996
402 422-0001 422-0002
402 422-0003 422-0004
402 422-0005 422-0006
402 422-0007 422-0008
402 572-0003 572-0004
402 779-0004 779-0007
406 225-9902 225-9903
517 422-9996 422-9997
517 423-9996 423-9997
517 455-9996 455-9997
517 563-9996 563-9997
517 663-9996 663-9997
517 851-9996 851-9997
609 921-9929 921-9930
609 994-9929 994-9930
616 997-9996 997-9997
708 724-9951 724-????
713 224-1499 759-1799
713 324-1499 324-1799
713 342-1499 342-1799
713 351-1499 351-1799
713 354-1499 354-1799
713 356-1499 356-1799
713 442-1499 442-1799
713 447-1499 447-1799
713 455-1499 455-1799
713 458-1499 458-1799
713 462-1499 462-1799
713 466-1499 466-1799
713 468-1499 468-1799
713 469-1499 469-1799
713 471-1499 471-1799
713 481-1499 481-1799
713 482-1499 482-1799
713 484-1499 484-1799
713 487-1499 487-1799
713 489-1499 489-1799
713 492-1499 492-1799
713 493-1499 493-1799
713 524-1499 524-1799
713 526-1499 526-1799
713 555-1499 555-1799
713 661-1499 661-1799
713 664-1499 664-1799
713 665-1499 665-1799
713 666-1499 666-1799
713 667-1499 667-1799
713 682-1499 976-1799
713 771-1499 771-1799
713 780-1499 780-1799
713 781-1499 997-1799
713 960-1499 960-1799
713 977-1499 977-1799
713 988-1499 988-1799
805 528-0044 528-0045
805 544-0044 544-0045
805 773-0044 773-0045
808 235-9907 235-9908
808 239-9907 239-9908
808 245-9907 245-9908
808 247-9907 247-9908
808 261-9907 261-9908
808 322-9907 322-9908
808 328-9907 328-9908
808 329-9907 329-9908
808 332-9907 332-9908
808 335-9907 335-9908
808 572-9907 572-9908
808 623-9907 623-9908
808 624-9907 624-9908
808 668-9907 668-9908
808 742-9907 742-9908
808 879-9907 879-9908
808 882-9907 882-9908
808 885-9907 885-9908
808 959-9907 959-9908
808 961-9907 961-9908
810 362-9996 362-9997
813 385-9971 385-xxxx
908 254-9929 254-9930
908 558-9929 558-9930
908 560-9929 560-9930
908 776-9930 776-9930

What is a CNA number?

CNA stands for Customer Name and Address. The CNA number is a phone number
for telephone company personnel to call and get the name and address for a
phone number. If a telephone lineman finds a phone line he does not
recognize, he can use the ANI number to find it's phone number and then
call the CNA operator to see who owns it and where they live.

Normal CNA numbers are available only to telephone company personnel.
Private citizens may now legally get CNA information from private
companies. Two such companies are:

Unidirectory (900)933-3330
Telename (900)884-1212

Note that these are 900 numbers, and will cost you approximately one dollar
per minute.

If you are in 312 or 708, AmeriTech has a pay-for-play CNA service
available to the general public. The number is 796-9600. The cost is
$.35/call and can look up two numbers per call.

If you are in 415, Pacific Bell offers a public access CNA service at
(415)781-5271.

What is the telephone company CNA number for my area?

203 (203)771-8080 CT
312 (312)796-9600 Chicago, IL
506 (506)555-1313 New Brunswick
513 (513)397-9110 Cincinnati/Dayton, OH
516 (516)321-5700 Hempstead/Long Island, NY
518 (518)471-8111 Albany/Schenectady/Troy, NY
614 (614)464-0123 Columbus/Steubenville, OH
813 (813)270-8711 Ft. Meyers/St. Petersburg/Tampa, FL

(Italic indicates updated CNA's, while bold indicates new CNA's.)

What are some numbers that always ring busy?

216 xxx-9887 Akron/Canton/Cleveland/Lorain/Youngstown, OH
303 431-0000 Denver, CO
303 866-8660 Denver, CO
316 952-7265 Dodge City/Wichita, KS
501 377-99xx AR
719 472-3773 Colorado Springs/Leadville/Pueblo, CO
805 255-0699 Bakersfield/Santa Barbara, CA
818 885-0699 Pasadena, CA
906 632-9999 Marquette/Sault Ste. Marie, MI
906 635-9999 Marquette/Sault Ste. Marie, MI
914 576-9903 Peekskill/Poughkeepsie/White Plains/Yonkers, NY

What are some numbers that temporarily disconnect phone service?

314 511 Columbia/Jefferson City/St.Louis, MO (1 minute)
404 420 Atlanta, GA (5 minutes)
405 953 Enid/Oklahoma City, OK (1 minute)
407 511 Orlando/West Palm Beach, FL (1 minute)
512 200 Austin/Corpus Christi, TX (1 minute)
516 480 Hempstead/Long Island, NY (1 minute)
603 980 NH
614 xxx-9894 Columbus/Steubenville, OH
805 119 Bakersfield/Santa Barbara, CA (3 minutes)
919 211 or 511 Durham, NC (10 min - 1 hour)

What is a Proctor Test Set?

A Proctor Test Set is a tool used by telco personell to diagnose problems
with phone lines. You call the Proctor Test Set number and press buttons on
a touch tone phone to active the tests you select.

What is a Proctor Test Set in my area?

805 111 Bakersfield/Santa Barbara, CA
909 117 Tyler, TX
913 611-1111 Lawrence/Salina/Topeka, KS

What is scanning?

Scanning is dialing a large number of telephone numbers in the hope of
finding interesting carriers (computers) or tones.

Scanning can be done by hand, although dialing several thousand telephone
numbers by hand is extremely boring and takes a long time.

Much better is to use a scanning program, sometimes called a war dialer or
a demon dialer. Currently, the best war dialer available to PC-DOS users is
ToneLoc from Minor Threat and Mucho Maas. ToneLoc can be FTPed from
ftp.paranoia.com.

A war dialer will dial a range of numbers and log what it finds at each
number. You can then only dial up the numbers that the war dialer marked as
carriers or tones.

Is scanning illegal?

Excerpt from: 2600, Spring 1990, Page 27:

In some places, scanning has been made illegal. It would be hard,
though, for someone to file a complaint against you for scanning since
the whole purpose is to call every number once and only once. It's
not likely to be thought of as harassment by anyone who gets a single
phone call from a scanning computer. Some central offices have been
known to react strangely when people start scanning. Sometimes you're
unable to get a dialtone for hours after you start scanning. But
there is no uniform policy. The best thing to do is to first find out
if you've got some crazy law saying you can't do it. If, as is
likely, there is no such law, the only way to find out what happens is
to give it a try.

It should be noted that a law making scanning illegal was recently passed
in Colorado Springs, CO. It is now illegal to place a call in Colorado
Springs without the intent to communicate.

Where can I purchase a lineman's handset?

Contact East
335 Willow Street
North Andover, MA 01845-5995
(508)682-2000

Jensen Tools
7815 S. 46th Street
Phoenix, AZ 85044-5399

Time Motion Tools
12778 Brookprinter Place
Poway, CA 92064
(619)679-0303

What are the DTMF frequencies?

DTMF stands for Dual Tone Multi Frequency. These are the tones you get when
you press a key on your telephone touchpad. The tone of the button is the
sum of the column and row tones. The ABCD keys do not exist on standard
telephones.

1209 1336 1477 1633

697 1 2 3 A

770 4 5 6 B

852 7 8 9 C

941 * 0 # D

What are the frequencies of the telephone tones?

Type Hz On Off
---------------------------------------------------------------------
Dial Tone 350 & 440 --- ---
Busy Signal 480 & 620 0.5 0.5
Toll Congestion 480 & 620 0.2 0.3
Ringback (Normal) 440 & 480 2.0 4.0
Ringback (PBX) 440 & 480 1.5 4.5
Reorder (Local) 480 & 620 3.0 2.0
Invalid Number 200 & 400
Hang Up Warning 1400 & 2060 0.1 0.1
Hang Up 2450 & 2600 --- ---

What are all/most of the * codes?

Local Area Signalling Services (LASS) and Custom Calling Feature Control
Codes:

(These appear to be standard, but may be changed locally)

Service Tone Pulse/rotary Notes
--------------------------------------------------------------------------
Assistance/Police *12 n/a [1]
Cancel forwarding *30 n/a [C1]
Automatic Forwarding *31 n/a [C1]
Notify *32 n/a [C1] [2]
Intercom Ring 1 (..) *51 1151 [3]
Intercom Ring 2 (.._) *52 1152 [3]
Intercom Ring 3 (._.) *53 1153 [3]
Extension Hold *54 1154 [3]
Call Redial *55 n/a
Customer Originated Trace *57 1157
Selective Call Rejection *60 1160 (or Call Screen)
Selective Distinct Alert *61 1161
Selective Call Acceptance *62 1162
Selective Call Forwarding *63 1163
ICLID Activation *65 1165
Call Return (outgoing) *66 1166
Number Display Blocking *67 1167 [4]
Computer Access Restriction *68 1168
Call Return (incoming) *69 1169
Call Waiting disable *70 1170 [4]
No Answer Call Transfer *71 1171
Usage Sensitive 3 way call *71 1171
Call Forwarding: start *72 or 72# 1172
Call Forwarding: cancel *73 or 73# 1173
Speed Calling (8 numbers) *74 or 74# 1174
Speed Calling (30 numbers) *75 or 75# 1175
Anonymous Call Rejection *77 1177 [5] [M: *58]
Call Screen Disable *80 1160 (or Call Screen) [M: *50]
Selective Distinct Disable *81 1161 [M: *51]
Select. Acceptance Disable *82 1162
Select. Forwarding Disable *83 1163 [M: *53]
ICLID Disable *85 1165
Call Return (cancel out) *86 1186 [6] [M: *56]
Anon. Call Reject (cancel) *87 1187 [5] [M: *68]
Call Return (cancel in) *89 1189 [6] [M: *59]

Notes:

[C1] - Means code used for Cellular One service
[1] - for cellular in Pittsburgh, PA A/C 412 in some areas
[2] - indicates that you are not local and maybe how to reach you
[3] - found in Pac Bell territory; Intercom ring causes a distinctive
ring to be generated on the current line; Hold keeps a call
connected until another extension is picked up
[4] - applied once before each call
[5] - A.C.R. blocks calls from those who blocked Caller ID
(used in C&P territory, for instance)
[6] - cancels further return attempts
[M: *xx] - alternate code used for MLVP (multi-line variety package)
by Bellcore. It goes by different names in different RBOCs.
In Bellsouth it is called Prestige. It is an arrangement of
ESSEX like features for single or small multiple line groups.

The reason for different codes for some features in MLVP is that
call-pickup is *8 in MLVP so all *8x codes are reaasigned *5x

What frequencies do cordless phones operate on?

Here are the frequencies for the first generation 46/49mhz phones.

Channel Handset Transmit Base Transmit
------- ---------------- -------------
1 49.670mhz 46.610mhz
2 49.845 46.630
3 49.860 46.670
4 49.770 46.710
5 49.875 46.730
6 49.830 46.770
7 49.890 46.830
8 49.930 46.870
9 49.990 46.930
10 49.970 46.970

The new "900mhz" cordless phones have been allocated the frequencies
between 902-228MHz, with channel spacing between 30-100KHz.

Following are some examples of the frequencies used by phones currently on
the market.

Panasonic KX-T9000 (60 Channels)
base 902.100 - 903.870 Base frequencies (30Khz spacing)
handset 926.100 - 927.870 Handset frequencies
CH BASE HANDSET CH BASE HANDSET CH BASE HANDSET
-- ------- ------- -- ------- ------- -- ------- -------
01 902.100 926.100 11 902.400 926.400 21 902.700 926.700
02 902.130 926.130 12 902.430 926.430 22 902.730 926.730
03 902.160 926.160 13 902.460 926.460 23 902.760 926.760
04 902.190 926.190 14 902.490 926.490 24 902.790 926.790
05 902.220 926.220 15 902.520 926.520 25 902.820 926.820
06 902.250 926.250 16 902.550 926.550 26 902.850 926.850
07 902.280 926.280 17 902.580 926.580 27 902.880 926.880
08 902.310 926.310 18 902.610 926.610 28 902.910 926.910
09 902.340 926.340 19 902.640 926.640 29 902.940 926.940
10 902.370 926.370 20 902.670 926.670 30 902.970 926.970
31 903.000 927.000 41 903.300 927.300 51 903.600 927.600
32 903.030 927.030 42 903.330 927.330 52 903.630 927.630
33 903.060 927.060 43 903.360 927.360 53 903.660 927.660
34 903.090 927.090 44 903.390 927.390 54 903.690 927.690
35 903.120 927.120 45 903.420 927.420 55 903.720 927.720
36 903.150 927.150 46 903.450 927.450 56 903.750 927.750
37 903.180 927.180 47 903.480 927.480 57 903.780 927.780
38 903.210 927.210 48 903.510 927.510 58 903.810 927.810
39 903.240 927.240 49 903.540 927.540 59 903.840 927.840
40 903.270 927.270 50 903.570 927.570 60 903.870 927.870

V-TECH TROPEZ DX900 (20 CHANNELS)
905.6 - 907.5 TRANSPONDER (BASE) FREQUENCIES (100 KHZ SPACING)
925.5 - 927.4 HANDSET FREQUENCIES

CH BASE HANDSET CH BASE HANDSET CH BASE HANDSET
---- --------- -------------- ---- -------- --------------- ---- -------- ---------------
01 905.600 925.500 08 906.300 926.200 15 907.000 926.900
02 905.700 925.600 09 906.400 926.300 16 907.100 927.000
03 905.800 925.700 10 906.500 926.400 17 907.200 927.100
04 905.900 925.800 11 906.600 926.500 18 907.300 927.200
05 906.000 925.900 12 906.700 926.600 19 907.400 927.300
06 906.100 926.000 13 906.800 926.700 20 907.500 927.400
07 906.200 926.100 14 906.900 926.800

OTHER 900 MHZ CORDLESS PHONES
AT&T #9120 - - - - - 902.0 - 905.0 & 925.0 - 928.0 MHZ
OTRON CORP. #CP-1000 902.1 - 903.9 & 926.1 - 927.9 MHZ
SAMSUNG #SP-R912- - - 903.0 & 927.0 MHZ

What is Caller-ID?

This FAQ answer is stolen from Rockwell:

Calling Number Delivery (CND), better known as Caller ID, is a telephone
service intended for residential and small business customers. It allows
the called Customer Premises Equipment (CPE) to receive a calling party's
directory number and the date and time of the call during the first 4
second silent interval in the ringing cycle.

Parameters

The data signalling interface has the following characteristics:

Link Type: 2-wire, simplex
Transmission Scheme: Analog, phase-coherent FSK
Logical 1 (mark) 1200 +/- 12 Hz
Logical 0 (space) 2200 +/- 22 Hz
Transmission Rate: 1200 bps
Transmission Level: 13.5 +/- dBm into 900 ohm load

Protocol

The protocol uses 8-bit data words (bytes), each bounded by a start bit and
a stop bit. The CND message uses the Single Data Message format shown
below.

| Channel | Carrier | Message | Message | Data | Checksum |
| Seizure | Signal | Type | Length | Word(s) | Word |
| Signal | | Word | Word | | |

Channel Siezure Signal

The channel seizure is 30 continuous bytes of 55h (01010101) providing a
detectable alternating function to the CPE (i.e. the modem data pump).

Carrier Signal

The carrier signal consists of 130 +/- 25 mS of mark (1200 Hz) to condition
the receiver for data.

Message Type Word

The message type word indicates the service and capability associated with
the data message. The message type word for CND is 04h (00000100).

Message Length Word

The message length word specifies the total number of data words to follow.

Data Words

The data words are encoded in ASCII and represent the following
information:

* The first two words represent the month
* The next two words represent the day of the month
* The next two words represent the hour in local military time
* The next two words represent the minute after the hour
* The calling party's directory number is represented by the remaining
words in the data word field

If the calling party's directory number is not available to the terminating
central office, the data word field contains an ASCII "O". If the calling
party invokes the privacy capability, the data word field contains an ASCII
"P".

Checksum Word

The Checksum Word contains the twos complement of the modulo 256 sum of the
other words in the data message (i.e., message type, message length, and
data words). The receiving equipment may calculate the modulo 256 sum of
the received words and add this sum to the reveived checksum word. A result
of zero generally indicates that the message was correctly received.
Message retransmission is not supported.

Example CNS Single Data Message

An example of a received CND message, beginning with the message type word,
follows:

04 12 30 39 33 30 31 32 32 34 36 30 39 35 35 35 31 32 31 32 51

04h= Calling number delivery information code (message type word)
12h= 18 decimal; Number of data words (date,time, and directory
number words)
ASCII 30,39= 09; September
ASCII 33,30= 30; 30th day
ASCII 31,32= 12; 12:00 PM
ASCII 32,34= 24; 24 minutes (i.e., 12:24 PM)
ASCII 36,30,39,35,35,35,31,32,31,32= (609) 555-1212; calling
party's directory number
51h= Checksum Word

Data Access Arrangement (DAA) Requirements

To receive CND information, the modem monitors the phone line between the
first and second ring bursts without causing the DAA to go off hook in the
conventional sense, which would inhibit the transmission of CND by the
local central office. A simple modification to an existing DAA circuit
easily accomplishes the task.

Modem Requirements

Although the data signalling interface parameters match those of a Bell 202
modem, the receiving CPE need not be a Bell 202 modem. A V.23 1200 bps
modem receiver may be used to demodulate the Bell 202 signal. The ring
indicate bit (RI) may be used on a modem to indicate when to monitor the
phone line for CND information. After the RI bit sets, indicating the first
ring burst, the host waits for the RI bit to reset. The host then
configures the modem to monitor the phone line for CND information.

Signalling

According to Bellcore specifications, CND signalling starts as early as 300
mS after the first ring burst and ends at least 475 mS before the second
ring burst

Applications

Once CND information is received the user may process the information in a
number of ways.

1. The date, time, and calling party's directory number can be displayed.
2. Using a look-up table, the calling party's directory number can be
correlated with his or her name and the name displayed.
3. CND information can also be used in additional ways such as for:
1. Bulletin board applications
2. Black-listing applications
3. Keeping logs of system user calls, or
4. Implementing a telemarketing data base

References

For more information on Calling Number Delivery (CND), refer to Bellcore
publications TR-TSY-000030 and TR-TSY-000031.

To obtain Bellcore documents contact:

Bellcore Customer Service
60 New England Avenue, Room 1B252
Piscataway, NJ 08834-4196
(908) 699-5800

How do I block Caller-ID?

Always test as much as possible before relying on any method of blocking
Caller-ID. Some of these methods work in some areas, but not in others.

Dial *67 before you dial the number. (141 in the United Kingdom)
Dial your local TelCo and have them add Caller-ID block to your line.
Dial the 0 Operator and have him or her place the call for you.
Dial the call using a pre-paid phone card.
Dial through Security Consultants at (900)PREVENT for U.S. calls
($1.99/minute) or (900)STONEWALL for international calls ($3.99/minute).
Dial from a pay phone. :-)

What is a PBX?

A PBX is a Private Branch Exchange. A PBX is a small telephone switch owned
by a company or organization. Let's say your company has a thousand
employees. Without a PBX, you would need a thousand phone lines. However,
only 10% of your employees are talking on the phone at one time. What if
you had a computer that automatically found an outside line every time one
of your employees picked up the telephone. With this type of system, you
could get by with only paying for one hundred phone lines. This is a PBX.

What is a VMB?

A VMB is a Voice Mail Box. A VMB is a computer that acts as an answering
machine for hundreds or thousands of users. Each user will have their own
Voice Mail Box on the system. Each mail box will have a box number and a
pass code.

Without a passcode, you will usually be able to leave messages to users on
the VMB system. With a passcode, you can read messages and administer a
mailbox. Often, mailboxes will exist that were created by default or are no
longer used. These mailboxes may be taken over by guessing their passcode.
Often the passcode will be the mailbox number or a common number such as
1234.

What are the ABCD tones for?

The ABCD tones are simply additional DTFM tones that may be used in any way
the standard (0-9) tones are used. The ABCD tones are used in the U.S.
military telephone network (AutoVon), in some Automatic Call Distributor
(ACD) systems, for control messages in some PBX systems, and in some
amateur radio auto-patches.

In the AutoVon network, special telephones are equipped with ABCD keys. The
ABCD keys are defined as such:

A - Flash
B - Flash override priority
C - Priority communication
D - Priority override

Using a built-in maintenance mode of the Automatic Call Distributor (ACD)
systems once used by Directory Assistance operators, you could connect two
callers together.

The purpose of the Silver Box is to create the ABCD tones.


_`'-.,_,.-'`_`'-.,_,.-> [ DTMF's phucking with the operators ] <-.,_,.-'`_`'-.,_,.-'`_

Ever get an operator who gave you a hard time, cuz u kept calling
back talking, asking dumb questionz, or cussig at her and you didn't no
what to du? Well if the operator hears you use a little Bell jargon, she might
wise up. Here is a little diagram (excuse the artwork) of the structure of
operators

/-----------\ /------\ /------\
!Operator!-- > ! S.A. ! --->! BOS !
\-----------/ \------/ \------/
!
!
V
/-----------------\
! Group Chief !
\-----------------/

Now most of the operators are not bugged, so they can curse at you, if they
do ask INSTANTLY for the "S.A." or the Service Assistant. The operator does not
report to her (95% of them are hers) but they will solve most of your problems.
She MUST give you her name as she connects & all of these calls are bugged. If
the SA gives you a rough time get her BOS (Business Office Supervisor) on the
line. S/He will almost always back her girls up, but sometimes the SA will get
tarred and feathered. The operator reports to the Group Chief, and S/He will
solve 100% of your problems, but the chances of getting S/He on the line are
nill.
If a lineman (the guy who works out on the poles) or an installation man
gives you the works ask to speak to the Installation Foreman, that works
wonders.
Here is some other bell jargon, that might come in handy if you are having
trouble with the line. Or they can be used to lie your way out of
situations....

An Erling is a line busy for 1 hour, used mostly in traffic studies A
Permanent Signal is that terrible howling you get if you disconnect, but don't
hang up.
Everyone knows what a busy signal is, but some idiots think that is the
*Actual* ringing of the phone, when it just is a tone "beeps" when the phone is
ringing, wouldn't bet on this though, it can (and does) get out of sync.
When you get a busy signal that is 2 times as fast as the normal one, the
person you are trying to reach isn't really on the phone, (he might be), it is
actually the signal that a trunk line somewhere is busy and they haven't or
can't reroute your call. Sometimes you will get a Recording, or if you get
nothing at all (Left High & Dry in fone terms) all the recordings are being
used and the system is really overused, will probably go down in a little
while. This happened when the bomb went off @ the olimpix, the system just
couldn't handle the calls. By the way this is called the "reorder signal"
and the trunk line iz "blocked".
One more thing, if an overseas call isn't completed and doesn't generate
any money for AT&T, is is called an "Air & Water Call".

_`'-.,_,.-'`_`'-.,_,.-> [ who/what the hell is 4matt ] <-.,_,.-'`_`'-.,_,.-'`_

+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
_A_HACKING_PHREAKING_AND_ANARCHY_KLUB_
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
/ /\ / /\ / \ / \ / / \ /___ ___//__ __/\
/ /_/__/ /_/ / \ / \ / / \ \ __/ / /__\\__/ / /__\/
/_____ __/ \ / /\ /\ \ / / / \ \ / / / / / /
\____ / / \_\ / / / | \_ / | \ \/ /__\ \ / / / / / /
/_/ / /_ / / \/__\/ \ \ _\ ______/_ / / /_/ /
\_\/ \ _\/ \/_/ ______\_\/ \_\/
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
_4_MODERN_ANARCHIST'S_TICKING-OFF_TELCO'S_
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
CURRENT MEMBERS:
(***) CbeRpHreAk ( Head of Phreaking )
(**) DTMF
(**) Lord Sommer ( Head of Hacking )
(***) DOS DestroeR
(*) V-A-P-O-R
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
(***) = the elite hybrids who started all the madness
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
our home on the world wide web: http://4matt.home.ml.org/
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+

_`'-.,_,.-'`_`'-.,_,.-> [ Sources of this grate phile ] <-.,_,.-'`_`'-.,_,.-'`_

and
_`'-.,_,.-'`_`'-.,_,.-> [ the phreax @ 4matt producti0nz ] <-.,_,.-'`_`'-.,_,.-'`_
Read On 1 comments

Followers