How to make a Free Phone Call

12:11 AM




This is an easy way to get quick messages to someone from a
payfone either LD or when you don't have change to make a call. It works
best using 1-800-COLLECT. Some other carriers will also work, assuming
they use computerized routing of the collect call.

1) Call 1-800-COLLECT (or your other carrier) Enter the #
of the recipient of the message when prompted.

2) When you are asked to say your name, you have about *6*
seconds to record your message. Examples include:

"It's John, call me at 555-1212"

"My plane will get in at 6:55 pm, Terminal D, USAir"

"Mom, come pick me up at the Gym Doors of the school"

You get the idea.

3) Allow the receiving party to reject the call. They will receive
your message, and can hang up. You MUST stay on the line until
you are told that your call has been refused. That will ensure
that the other end heard your message. Also, the "name" will be
repeated twice, so if there is a date or fone number in it, the
receiving party will hear it a second time if they miss it.

Be aware that although 1-800-COLLECT doesn't screen the "name" that is
recorded, they may notice a large number of refused calls from a receiver.
You shouldn't use this all the time, but it can be handy.


How To Bill All Of your Fone Calls To Some Poor, Unsuspecting Son Of A Bitch

12:11 AM
Written On July 7, 1993
Last Revision on May 13, 1995
For Informational Purposes Only. We're Not Responsible For Your Stupidity.

So there I was stranded in Miami with a broken red box in one hand and an
outdated list of calling card numbers in the other hand. Just as I was about
ready to jump to my death in the ocean because I couldn't call my friends, I
got an idea. Third-party bill my calls to random names in the phone book!

Of course, I started out using this method on pay phones which is a pain in
the ass because the operator wants to call up the number you're billing to
and make sure it's okay with them first. So here's your detailed instructions
for simplified third-party billing. Oh, and by the way, in no way am I claiming
to be the elite guy who "discovered" third party. I mean, come on, third party
billing's been around forever and some guy said I shouldn't take credit for
something that's been done forever. I'm just trying to explain how easy it is.
Sheesh, some people! Cactus.

Finding A Number To Use:
-----------------------
First of all, if you're going to be calling from home, it's best to charge
the calls to a different area code than your own. Sure, a local number will
work but when the people get their phone bill and see a local number on it,
they'll most likely call it to find out what it is. When they see a long
distance number they think "Goodness gracious! If I call that number my
phone bill will even be higher." Even if they do call you, you can just play
ignorant and if they're far away they probably won't come looking for you.

Pick a city, any city. The city should be far away in another state. Now dial
local information and ask for the area code to your city. Let's say you
picked Waverly, Iowa. The area code is 319. Now dial 1-319-555-1212 to call
Waverly Directory Assistance. The charge for this call should only be about
sixty cents.

Now think of a very common last name like Smith, Lawrence, Conner, Mitchell,
Shlappenheimerwinthrop, etc. You get the idea.

OPER: Directory Assistance, Betty. What city, please?
YOU: Waverly.
OPER: Go ahead.
YOU: I need the number of a last name Conner.
OPER: (type, type, type) Okay I have two Conners listed. A Bob and an
initial H.
YOU: Bob, yeah that's it. Definitely Bob. Bob it is. Gimmie Bob. Yeah, Bob.
OPER: The number is 452-0357.

So that's the number you'll bill to. 319-452-0357. Of course if you're
planning to do this extensively you'll need many more numbers to pick from.
That's when you call up the phone company and ask for a phone book to be
delivered to you so you'll have a whole list of numbers to choose from. A
normal book will cost about $7.00 or so. If you know how to do it right, it
won't cost you anything but I won't get into that. The phone book will pay
for itself after about 3 or 4 long distance calls.

Exchange List:
-------------
If you don't want to go through all the trouble of doing the above, here's a
list of exchanges you can pick from. I'm including the area code and prefix.
You just make up four numbers after that at random.

618-254-xxxx 409-744-xxxx 213-962-xxxx 505-398-xxxx
318-981-xxxx 314-231-xxxx 513-741-xxxx 503-255-xxxx
803-254-xxxx 319-452-xxxx 618-377-xxxx 512-441-xxxx


Making The Call:
---------------
Pretty easy. Dial 0-AREA CODE-NUMBER. You'll hear a cool Bell tone and the
automated voice will ask you to enter your card number. Press "0" to skip
that part. Recently, they came out with automated third number billing so you
don't have to deal with a live operator anymore. Isn't technology great?! The
automated voice will ask you to "say" how you want to bill your call. Just
say, "third number" and it'll ask you to touch tone in the number you want to
charge it to. Dial 319-452-0357 and presto, your call is completed.

If you get a live operator instead say, "I'd like to charge this to my home
telephone in Waverly, Iowa, the Turnip capital of the world." and follow the
same procedure.

Some of the more intelligent people (about 2%) put a third-number block on
their line. If this happens the recording will say, "This call cannot be
billed to this number." Solution? Hang up, redial the number and try billing
it to a different number or just transpose a couple of the numbers you just
tried.

If you don't have AT&T as your long distance carrier, dial 10288-0-NUMBER.

Calling From A Pay Phone:
------------------------
As I mentioned before, doing it from a pay phone is a little harder but still
works. The operator will want to call the person you're billing to and verify
with them that it's okay to bill it there.

The trick is to open the phone book at the pay phone and pick a number at
random. Look for an old person's name because they're the most gullible but
anyone will do. Let's say you picked Christian Slater 213-962-7142. Dial your
number as 0-AREA CODE-NUMBER and hit "0" after the tone.

OPER: AT&T, How may I help you?
YOU: I want to charge this to my home phone.
OPER: Will someone be there to accept the charges?
YOU: Who wants to know?
OPER: Me.
YOU: Okay, then, tough guy.
OPER: What is your name?
YOU: Christian Slater, you may have heard of me.
OPER: (dials 213-962-7142. A lady answers the phone. Probably Slater's wife.)
LADY: Hello?
OPER: Hello, this is AT&T. Christian is making a call from a public phone and
wishes to bill the call to you. Will you accept the charges?
LADY: Oh, yeah, okay. I'll accept.

And the operator thanks you and puts your call through. As long as you don't
get any of the following responses you should be okay:

"Huh? But I'M Christian Slater."
"Calling from a pay phone?? But he's right here with me watching Cheers!?"
"Christian died last week."
"No Hablo Engles??"

A Few Extra Notes:
-----------------
Sometimes if no one is home at the number you're trying to bill to, you
can convince the operator that it's really your number if you know what the
answering machine message is going to say and if you can do an impression of
their voice on the machine. Even a bad impression will sometimes work.

When doing this from home, try not to use the same number more than two or
three times so the owner of the number will be less likely to investigate.

I've experienced third-party billing from both sides. Someone charged forty
dollars worth of calls to my dad's phone and the operators were very
unhelpful and unfriendly. They refused to investigate even though it was
coming from a residential line and it took two months to get the charges
removed. This was back in 1990 but I've been doing this for a few years now
and people don't seem to care too much at a few calls totaling to under ten
bucks. I've actually called the people I used and asked them about it and they
almost always blow it off as a "minor nuisance."

AT&T is completely automated from your home and the best to use. U.S.Sprint
is the second best because they're not automated but they also don't call and
verify. M.C.I. sucks because they're losers who verify no matter what so don't
use them. To choose your company, before you dial the number dial 10288 for
AT&T or 10333 for U.S. Sprint.

International calls will be verified no matter what from pay phone or home.
Hope this file benefits everyone who reads it. It'll sure cut your long
distance bill down a lot.

May 13, 1995 Update:
-------------------
Well, it seems that AT&T are finally waking up to this problem of third party
billing...On my local phone bill I was backbilled for $175 worth of third
party calls. The kicker part is that I called the phone company and complained
that there were all these extra charges on my bill that I know nothing about
and they were more than happy to take the charges off. A few weeks later, I
got a letter from AT&T concerning some more charges...

Dear Customer,
We are sending you this letter to advise you of the long distance
calls we have billed your account. The amount is $53.70, excluding
taxes. These long distance calls have been investigated by our
Message Analysis Center and were determined to be your responsibility.
A list of these calls will appear on a future bill.
If you would like to discuss this matter, please contact our office
toll-free at 1-800-522-2157, ext. 4737. Our office hours are Monday
through Friday between the hours of 8 a.m. and 3:30 p.m. Eastern
Standard Time.

Sincerely,
Dawn Brooks
Investigator

I've yet to hear anything more about this but I plan to just ignore the extra
charges on the bill and complain to the phone company and hopefully I won't
have to pay. If I do, oh well, it's only fifty bucks.

Another recent happening is that two people I know have been back billed.
Martini from Illinois was charged $75 on her bill. "I don't understand what
this third number means, sir, I only have two lines!" Also, an idiot in Oregon
was back billed because he had the intelligence to bill to the exact same
number every single time. Worse yet, the number was in Canada and it was a
non-working number and the last four digits were 1234. What a cool guy!

Operator Diverting:
------------------
A new safe way to get around being back billed is to operator divert before
you get AT&T. It's a pain in the ass and takes a little longer, but it works
if you really need to call from home and don't have any other way.

Dial "0" and ask that operator to dial 1-800-225-5288 for you. (AT&T) Tell the
AT&T operator that you want to place a 3rd party billed call. She'll ask what
number you're calling from and you give her the number of somebody that you
don't like so it'll come back on them and not you. Whatever you do, don't give
her your real phone number.

Contact The Phone Losers Of America Nearest You!

Voice:
  512-370-4680 PLA Voicemail System
  314-995-1261 Zak's VMB System

Data:
  618-797-2339 PLA BBS Illinois Line
  512-883-7543 PLA BBS Texas Line
  512-851-8317 Sonic Youth Systems

U.S. Mailing Address:
  Phone Losers Of America
  P.O. Box 3642
  Corpus Christi, TX 78463

FTP Site: FTP.FC.NET
  directory pub\deadkat\phreaking\PLA
  (Thanks to Disorder & Deadkat!)


HOW PHONE PHREAKS ARE CAUGHT

12:10 AM


Until about four months ago, I worked for a large long distance company. I was given the pink slip because some guy in my office found out that I did a little hacking in my spare time. It seems that most companies just aren't into that anymore. I feel I should do all I can to keep phreaks from getting caught by the IC's (Independent Carriers or Interexchange Companies). Remember: a safe phreak is an educated phreak.
When you enter an authorization code to access a long distance company's network there are a few things that happen. The authorization code number you enter is cross referenced in a list of codes. When an unassigned code is received the switch will print a report consisting of the authorization code, the date and time, and the incoming trunk number (if known) along with other miscellaneous information.
When an authorization code is found at the end of a billing cycle to have been "abused" in the switch, one of two things is done. Most of the time the code is removed from the database and a new code is assigned. But there are times when the code is flagged "abused" in the switch. This is very dangerous. Your call goes through, but there is a bad code report printed. (This is similar to an unassigned code report, but it also prints out the number being called.) You have no way to know this is happening but the IC has plenty of time to have the call traced. This just goes to show that you should switch codes on a regular basis and not use one till it dies.
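
The carrier-side view of the two reports described above, as an added example that is not part of the original text: it groups unassigned-code reports by incoming trunk and flags trunks that present many distinct unassigned codes in a short window. The report line layout, the thresholds and every value in the sample are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample reports. The line layout is an assumption: the page only
# says a report carries the code, the date and time, the incoming trunk (if
# known) and, for a code flagged "abused", the number being called.
SAMPLE_REPORTS = """\
1987-06-01 23:10:05 UNASSIGNED code=481920 trunk=T0412
1987-06-01 23:10:31 UNASSIGNED code=481921 trunk=T0412
1987-06-01 23:10:58 UNASSIGNED code=481922 trunk=T0412
1987-06-01 23:11:20 UNASSIGNED code=481923 trunk=T0412
1987-06-01 23:11:49 UNASSIGNED code=481924 trunk=T0412
1987-06-01 23:12:15 UNASSIGNED code=481925 trunk=T0412
1987-06-01 09:02:11 UNASSIGNED code=552013 trunk=T0077
1987-06-01 14:40:37 UNASSIGNED code=552031 trunk=T0077
1987-06-01 16:05:00 UNASSIGNED code=904417 trunk=-
1987-06-02 01:15:42 BADCODE code=730114 trunk=T0412 called=3125550142
"""


def parse_report(line):
    """Turn one report line into a dict; trunk is None when it was not known."""
    date, clock, kind, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    trunk = kv.get("trunk", "-")
    return {
        "time": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
        "kind": kind,
        "code": kv["code"],
        "trunk": None if trunk == "-" else trunk,
        "called": kv.get("called"),
    }


def load(text):
    return [parse_report(line) for line in text.splitlines() if line.strip()]


def scanning_trunks(reports, window=timedelta(minutes=10), min_codes=5):
    """Map trunk -> most distinct unassigned codes seen inside any one window.

    Only trunks reaching min_codes are returned. A customer who mistypes a
    code produces one or two reports; a run of different codes from the same
    trunk is what stands out.
    """
    by_trunk = defaultdict(list)
    for r in reports:
        if r["kind"] == "UNASSIGNED" and r["trunk"] is not None:
            by_trunk[r["trunk"]].append((r["time"], r["code"]))

    flagged = {}
    for trunk, events in by_trunk.items():
        events.sort()
        recent = deque()          # events still inside the sliding window
        best = 0
        for ts, code in events:
            recent.append((ts, code))
            while ts - recent[0][0] > window:
                recent.popleft()
            best = max(best, len({c for _, c in recent}))
        if best >= min_codes:
            flagged[trunk] = best
    return flagged


def abused_code_calls(reports):
    """Calls completed on a code flagged "abused": (code, trunk, called number)."""
    return [(r["code"], r["trunk"], r["called"])
            for r in reports if r["kind"] == "BADCODE"]


def unattributed(reports):
    """Count of reports that carry no trunk and cannot be tied to an office."""
    return sum(1 for r in reports if r["trunk"] is None)


if __name__ == "__main__":
    reports = load(SAMPLE_REPORTS)
    print("trunks to trap:", scanning_trunks(reports))
    print("abused-code calls:", abused_code_calls(reports))
    print("reports without a trunk:", unattributed(reports))
```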

ACCESS

There are several ways to access an IC's network. Some are safe and some can be deadly.
FEATURE GROUP A (FGA). This is a local dial-up to a switch. It is just a regular old telephone number (for example 871-2600). When you dial the number it will ring (briefly) and give a dial tone telling you to proceed. There are NO identifying digits (i.e. your telephone number) sent to a switch. The switch is signaled to give you a dial tone from the ringing voltage alone. The only way you could be caught hacking codes on an FGA would be if Telco (your local telephone company) were to put an incoming trap on the FGA number. This causes the trunk number your call came over to be printed out. From the trunk number Telco could tell which central office (CO) your call was coming from. From there Telco could put an outgoing trap in your CO which would print the number of the person placing the call to that number--that is provided that you are in an ESS or other Electronic Switch. This is how a majority of people are caught hacking codes on a FGA access number.
Next down the line we have Feature Group B (FGB). There are two FGB signalling formats called FGB-T and FGB-D. All FGBs are 950-XXXX numbers and I have yet to find one that doesn't use FGB-T format.
When you dial an FGB number your call can take two paths: 1) Large COs have direct trunks going to the different IC's. This is more common in Electronic offices. 2) Your call gets routed through a large switch called a tandem, which in turn has trunks to all the ICs.
When you dial an FGB-T number the IC's switch receives: KP+ST
This prompts the switch to give you a dial tone. The IC gets no information regarding your phone number. The only thing that makes it easier to catch you is that with a direct trunk from your central office when you enter a bad code the IC knows what office you're coming from. Then it's just a matter of seeing who is calling that 950 number.
On the other hand, when you dial an FGB-D number the switch receives:

KP+(950-XXXX)+ST followed by

KP+0+NXX-XXXX+ST or KP+0+NPA NXX-XXXX+ST

The first sequence tells that there is a call coming in, the 950-XXXX (optional) is the same 950 number that you call. The second sequence contains your number (ANI-Automatic Number Identification). If the call comes over the trunk directly from your CO it will not have your NPA (Area Code). If the call is routed through a tandem it will contain your NPA number. FGB-D was originally developed so that when you got the dial tone you could enter just the number you were calling and your call would go through; thus alleviating authorization codes. FGB-D can also be used as FGB-T, where the customer enters a code but the switch knows where the call is coming from. This could be used to detect hackers, but has not been done, yet at least not to my switch.
FGB-D was the prelude to FEATURE GROUP D (FGD). FGD is the heart of Equal Access. Since FGD can only be provided by electronic offices, equal access is only available under ESS (or any other electronic office). FGD is the signalling used for both 1+ dialing (when you choose an IC over AT&T) and 10XXX dialing. The signalling format for FGD goes as follows:

KP+II+10D(10 digits)+ST followed by

KP+10D+ST

The first sequence is called the identification sequence. This consists of KP, information digits (II), and the calling party's telephone number with NPA (10D ANI) finished up with ST. The second address sequence has KP, the called number (10D) followed by ST. There is a third FGD sequence not shown here which has to do with international calling--I may deal with this in a future article. When the IC's switch receives an FGD routing it will check the information digits to see if the call is approved and if so put the call through. Obviously if the information digits indicate the call is coming from a coin phone, the call will not go through.

This is a list of information digits commonly used by Bell Operating Companies.
Code  Sequence        Meaning
00    identification  Regular line, no special treatment
01    identification  ONI (Operator Number Identification) multiparty lines
02    identification  ANI failure
06    identification  Hotel or Motel
07    identification  Coinless, hospital, inmate etc.
08    identification  InterLATA restricted
10    address         10X test call
13    international   011-plus: direct distance dialed
15    international   01-plus: operator assisted
27    identification  Coin
68    identification  InterLATA-restricted hotel or motel
78    identification  InterLATA-restricted hospital, coinless, inmate etc.
95    address         959-XXXX test call

There is a provision with FGD so when you dial 10xxx# you will get a switch dial tone as if you dial a 950. Unfortunately, this is not the same as dialing a 950. The IC would receive:

KP+II+10D(ANI)+ST
KP+ST

The KP+ST gives you the dial tone, but the IC has your number by then.
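
The screening step the carrier's switch performs on an FGD call, as an added example that is not part of the original article: it parses the identification and address sequences, looks up the information digits in the table above, and records the ANI even when the address sequence is the bare KP+ST of a 10xxx# call. Writing the sequences as text strings, the policy for every class other than coin, and the sample numbers are assumptions.

```python
import re

# Information digits carried in the identification sequence, from the table
# in the article.
II_MEANING = {
    "00": "Regular line, no special treatment",
    "01": "ONI (Operator Number Identification) multiparty lines",
    "02": "ANI failure",
    "06": "Hotel or motel",
    "07": "Coinless, hospital, inmate etc.",
    "08": "InterLATA restricted",
    "27": "Coin",
    "68": "InterLATA-restricted hotel or motel",
    "78": "InterLATA-restricted hospital, coinless, inmate etc.",
}

# Screening policy. Only the coin entry comes from the article ("the call
# will not go through"); the rest is an assumed policy for illustration.
II_ACTION = {
    "27": "reject",      # coin, per the article
    "02": "operator",    # assumption: no usable ANI, hand to an operator
    "08": "reject",      # assumption: line is restricted from interLATA calls
    "68": "reject",      # assumption
    "78": "reject",      # assumption
}

# Text rendering of the MF sequences (an assumption; on the trunk these are
# tones, not strings).
ID_RE = re.compile(r"^KP\+(\d{2})\+(\d{10})\+ST$")       # KP+II+10D+ST
ADDR_RE = re.compile(r"^KP\+(?:(\d{10})\+)?ST$")         # KP+10D+ST or KP+ST


def screen_fgd(identification, address):
    """Classify one FGD call from its identification and address sequences."""
    m_id = ID_RE.match(identification)
    m_addr = ADDR_RE.match(address)
    if not m_id or not m_addr:
        raise ValueError("malformed FGD sequence")

    ii, ani = m_id.groups()
    called = m_addr.group(1)          # None for the bare KP+ST of 10xxx#

    if ii in II_MEANING:
        line_class = II_MEANING[ii]
        action = II_ACTION.get(ii, "approve")
    else:
        # Information digits not valid in an identification sequence:
        # fail closed rather than guess.
        line_class = "unknown"
        action = "reject"

    return {
        "ani": ani,                   # present in both modes
        "ii": ii,
        "line_class": line_class,
        "called": called,
        "mode": "cut-through" if called is None else "direct",
        "action": action,
    }


if __name__ == "__main__":
    # Constructed sample calls (555-01xx numbers are fictitious).
    calls = [
        ("KP+00+3195550123+ST", "KP+3125550142+ST"),   # regular line, 1+ call
        ("KP+27+3195550123+ST", "KP+3125550142+ST"),   # coin phone
        ("KP+00+3195550123+ST", "KP+ST"),              # 10xxx#, dial tone
    ]
    for ident, addr in calls:
        print(screen_fgd(ident, addr))
```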

800 NUMBERS

Now that we have the feature groups down pat we will talk about 800 numbers. Invisible to your eyes, there are two types of 800 numbers. There are those owned by AT&T--which sells WATS service. There are also new 800 exchanges owned by the IC's. So far, I believe only MCI, US SPRINT, and Western Union have bought their own 800 exchanges. It is very important not to use codes on 800 numbers in an exchange owned by an IC. But first...
When you dial an AT&T 800 number that goes to an IC's switch the following happens. The AT&T 800 number is translated at the AT&T switch to an equivalent POTS (Plain Old Telephone Service). This number is an FGA number and as stated before does not know where you're calling from. They might know what your general region is since the AT&T 800 numbers can translate to different POTS numbers depending on where you're calling from. This is the beauty of FGA and AT&T WATS but this is also why it's being phased out.
On the other hand, IC-owned 800 numbers are routed as FGD calls--very deadly. The IC receives:

KP+II+10D+ST

KP+800 NXX XXXX+ST

When you call an IC 800 number which goes to an authorization code-based service, you're taking a great risk. The IC's can find out very easily where you're calling from. If you're in an electronic central office your call can go directly over an FGD trunk. When you dial an IC 800 number from a non-electronic CO your call gets routed through another switch, thus ending up with the same undesirable effect.
MCI is looking into getting an 800 billing service tariffed where a customer's 800 WATS bill shows the number of everyone who has called it. The way the IC's handle billing, if they wanted to find out who made a call to their 800 number, that information would be available on billing tapes. The trick is not to use codes on an IC owned 800
The way to find out who owns an 800 exchange is to call 800-NXX-0000 (NXX being the 800 exchange). If this is owned by AT&T you will get a message saying, "You have reached the AT&T Long Distance Network. Thank you for choosing AT&T. This message will not be repeated." When you call an exchange owned by an IC you will usually get a recording telling you that your call cannot be completed as dialed, or else you will get a recording with the name of the IC. If you call another number in an AT&T 800 exchange (i.e. 800-NXX-0172) the recording you get should always have an area code followed by a number and a letter, for example, "Your call cannot be completed as dialed. Please check the number and dial again. 312 4T." As of last month, most AT&T recordings are done in the same female voice. An MCI recording will tell you to "Call customer service at 800-444-4444" followed by a switch number ("MCI 20G"). Some companies such as US Sprint, are redesigning their networks. Since the merger of US Telecom and GTE Sprint, US Sprint has had 2 separate networks. The US Telecom side was Network 1 and the GTE side was Network 2. US Sprint will be joining the two, thus forming Network 3. When Network 3 takes effect there will be no more 950-0777 or 10777. All customers will have 14 digit travel cards (referred to as FON cards, or Fiber Optic Network cards) based on their telephone numbers. Customers who don't have equal access will be given seven digit "home codes". These authorization codes may only be used from your home town or city. The access number they will be pushing for travel code service will be 800-877-8000. This cutover was supposed to be completed by June 27th, 1987 but the operation has been pushed back.
One last way to tell if the port you dialed is in an IC's 800 exchange is if it doesn't ring before you get the tone. When you dial an FGA number it will ring shortly but when you dial 10XXX# you get the tone right away. Last but not least, I will provide you with a list of 800 exchanges that are owned by IC's. A majority of them are owned by MCI.

1800-XXX-....

MCI

XXX= 234,274,283,284,288,289,333,365,444,456,627,666,678,727,759,777,825,876,888,937,950,955,999

US SPRINT

XXX= 347,366,699,877

WESTERN UNION

XXX= 988

And to avoid confusion, these are the AT&T 800 exchanges:

XXX= 202,212,221,222,223,225,227,228,231,232,233,235,237,238,241,242,243,245,247,248,251,252,253,255,257,258,262,263,265,267,268,272,282,292,302,213,321,322,323,325,327,328,331,332,334,336,338,341,342,343,344,345,346,348,351,352,354,356,358,361,362,363,367,368,372,382,387,392,402,412,421,422,423,424,426,428,431,432,433,435,437,438,441,442,443,445,446,447,448,451,452,453,457,458,461,462,463,456,468,471,482,492,502,512,521,522,523,524,525,526,527,528,531,532,533,535,537,538,541,542,543,544

HOW BT PHONE CARDS WORK -

12:09 AM


---------START OF TEXT -----------

HOW BT PHONE CARDS WORK -
----------------------- ---------------------- --------

Contrary to popular belief, BT phonecards do not work using a magnetic
strip system. The reason for this being that a magnetic strip would be
read only.

So how do they work then?

Well, examine a phonecard - preferably a used one if you are going to
scratch it or dissect it. If you look on the printed surface (the green
side - which is the front) you will find two lines which form a thick band.
Underneath this area is a "track" which holds the information about the
number of units used up and how many are left. A used phonecard will have
some tiny bars marked on the track near one end.

On the reverse side of the phonecard (the black side) you can see a shiny
black strip in contrast to the matt black which has text on it (on older
phone cards the whole of this side is shiny black). Anyway, this shiny strip
is "opposite" the band on the front and acts as a "window" to the information
on the track - for the simple reason that it is no ordinary shiny black
plastic. This special black plastic is not like all the others (which do
not let normal light or infra-red light pass through) but is transparent to
infra-red light. When a phonecard is in the machine, an infra-red beam is
shone through the back of the card and the reflected beam is checked to
detect the time units remaining.

Now to explain the track itself which is protected by a layer of paint that
also serves as the base for printing text and figures visible to the user.
On a 20-unit card, the track has 20 tiny rectangular areas (called
diffraction gratings - you might have come across them if you took physics)
which affect the light reflected by the cards. As the time units are used up,
the areas are destroyed by an eraser head. The design of the assembly enables
the progress of the erasing operation to be checked. In fact, the 20
rectangular areas touch each other and form a continuous strip on the card.

The area which is read is wider than the track. This makes it possible to
detect a reduction in track width.

Each unit is separated from its neighbour by a distance of 0.6mm. The erase
area is greater than the width of the track so that the unit is always
completely erased. The dimensions of both the card and the time units
suggest 140 as the theoretical maximum number of units possible.

The read-and-erase mechanism consists of a moving carriage on which are
fixed the eraser head and the optical components for reading. The carriage
is driven by a stepping device which moves along the track to determine
whether each unit is good or erased. When a unit has been consumed by the
cardphone, the area is erased in its turn and the carriage moves on one step.

OK, for those that want to know, here is an ascii graphical representation
of the read and erase geometry :

Time units
---------------------------------------------------------
Track | | | | | | | | | 1.2mm
---------------------------------------------------------
<0.6mm>

Area read Area erased
*** *********
---------------***------------------*********------------
| | | *** | | | *|*****|* | | 1.6mm
---------------***------------------*********------------
*** *********
0.4mm 0.7mm

Well I hope you all understood that! Most of the information in this text
file was obtained from British Telecom sources so is quite likely to
be correct (after all, they should know their own cardphones!).



------EOF--------------

okay?
Hope I didn't offend anyone by upping this.
-- DreamshadoW --
Damn me father, for I must sin
Finger for PGP Key.


Hacking Voice Mail Systems

12:08 AM

Volume Two, Issue Eleven, Phile #4 of 12

+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
+=+ Hacking Voice Mail Systems +=+
+=+ +=+
+=+ +=+
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


Voice Mail is a relatively new concept and not much has been said about it.
It is a very useful tool for the business person and the phreak. The way it
works is that somebody wishing to get in touch with you calls a number,
usually a 1-800, and punches in on his touch-pad your mailbox number and then
he is able to leave a message for you. Business experts report that this
almost totally eliminates telephone tag. When a person wishes to pick up his
message all he needs to do is call the number enter a certain code and he can
hear his messages, transfer them, and do other misc. mailbox utilities.

Most VMSs are similar in the way they work. There are a few different ways
the VMSs store the voice. One way is that the voice is recorded digitally and
compressed and when heard it is reproduced back into the voice that recorded
it. Another method that is slower and uses more space, but costs less, stores
the voice on magnetic tape, the same type that is used to store data on a
computer, and then runs the tape at a slow speed. Using this method the voice
does not need to be reproduced in any way and will sound normal as long as the
tape is running at a constant speed. On some of the newer VMSs the voice is
digitally recorded and is transformed from the magnetic tape at about 2400
bits per second.

There are many different types and versions of voice mail systems. Some of
the best and easiest to get on will be discussed.

Centagram
---------
These are direct dial (you don't have to enter a box number). To get on one
of these, first have a number to any box on the system. All of the other
boxes will be on the same prefix; just start scanning them until you find one
that has a message saying that person you are calling is not available. This
usually means that the box has not been assigned to anybody yet. Before the
nice lady's voice tells you to leave the message, hit #. You will then be
prompted for your password. The password will usually be the same as the last
four digits of the box's number or a simple number like 1000, 2000, etc. Once
you get on, they are very user friendly and will prompt you with a menu of
options. If you can't find any empty boxes or want to do more, you can hack
but the system administrators box, which will usually be 9999 on the same
prefix as the other boxes, will allow you to hear anybody's messages and
create and delete boxes.

Sperry Link
-----------
These systems are very nice. They will usually be found on an 800 number.
These are one of the hardest to get a box on because you must hack out a user
ID (different from the person's box number) and a password. When it answers,
if it says, "This is a Sperry Link voice station. Please enter your user ID,"
you will have to start trying to find a valid user ID. On most Sperrys it
will be a five digit number. If it answers and says, "This is an X answering
service," you first have to hit *# to get the user number prompt. Once you
get a valid user number will have oKVWV.."!password on most systems, it
will be 4 digits. Once you get in, these are also very user friendly and have
many different options available.

RSVP
----
This is probably one of the worst VMSs but it is by far the easiest to get
yourself a box. When it answers you can hit * for a directory of the boxes on
it (it will only hold 23). If you hit # you will be given a menu of options
and when you choose an option you will then be prompted for your ID number.
The ID number on an RSVP system will just about always be the same as the
mailbox number, which are always only 2 digits.

A.S.P.E.N.
----------
The Aspen voice message system made by Octel Telecommunications is in my
opinion the BEST VMS made. To get a box on an Aspen, you need to find an
empty box. To find an empty box, scan the box numbers and if one says, "You
entered XXXX. Please leave a message at the tone," then this is an empty box.
You next just press # and when prompted for your box number enter the number
of the empty box and friendly voice of the nice lady will guide you through
all of the steps of setting up your box. She first tells you what you can do
with the box and then will prompt you with, "Please enter the temporary
password assigned to you by your system manager." This password will usually
be 4 digits long and the same as the box number like 1000, etc. Once you get
on there are many things you can do. You can make a distribution list where
if you want to leave a certain message to more than one person, you can enter
the list number and all of the boxes on the list will get the message. You can
also have the system call you and notify you that you have new messages. These
systems also have what they call "Information center mailboxes" that are
listen only and can also have a password on them so the person calling has to
enter the password before he hears the greeting message. Aspen VMSs have a
system manager's mailbox that will just about give you total control of the
whole system and let you listen to people's mail, create and delete boxes, and
many other things.

Thank you for reading this file and if you would like to get in touch with me
VIA VOICE MAIL call 1-800-222-0311 and hit *2155.

//--Black Knight from 713--\\
| for PHRACK XI (1987) |
\\--++--++--++--++--++--++-//

==========================================================================
Mailbox Systems
==========================================================================
Mailbox systems are the link between information and the underworld. If
you have ever called one, then you will know the advantages of having one,
especially the ones that are open to the whole underworld, rather than just a
select few. There are two types of mailbox systems that are widely used.
The first type we will talk about is the multiple mailbox systems, or
commonly referred to as message systems. These systems have several
mailboxes set up on one number. Usually, you can access other mailboxes
from that number by pressing '*' or '#'. Sometimes you just enter the
mailbox number and you are connected. These are the safest systems to use
to protect information from US Sprint and other long distance companies.
Since US Sprint and other companies call the destination numbers, it is
safer to have 800 mailbox systems, and most of the time, the multiple
mailbox systems are on 800 numbers. The passcode on these systems can
vary in length and can be accessed by several different methods, so it is
impossible to explain exactly how to hack these systems.
The other type is the single mailbox system. These are usually set up
in a reserved prefix in an area code. (Ex: 713-684-6xxx) These systems
are usually controlled by the same type of hardware/software. To access
the area where you enter the passcode, just hit '0' for a second or so.
The passcodes are four (4) digits long. The only way to hack these is
manually. The best thing you could do is to find one that does not have
a recording from a person, but just the digitized voice. If you hack one
that someone already owns, they will report it and it will not last as
long.

Here is a list of mailboxes or prefixes to help you get started
--------------------------------------------------------------------------
   Single         Multiple                              Digits
------------    ------------                           --------
213-281-8xxx    212-714-2770                               3
213-285-8xxx    216-586-5000                               4
213-515-2xxx    415-338-7000  Aspen Message System         3
214-733-5xxx    714-474-2033  Western Digital
214-855-6xxx    800-222-0651  Vincent and Elkins           4
214-978-2xxx    800-233-8488                               3
215-949-2xxx    800-447-8477  Fairylink                    7
312-450-8xxx    800-521-5344                               3
313-768-1xxx    800-524-2133  RCA                          4
405-557-8xxx    800-527-0027  TTE TeleMessager             6
602-230-4xxx    800-632-7777  Asynk                        6
619-492-8xxx    800-645-7778  SoftCell Computers           4
713-684-6xxx    800-648-9675  Zoykon                       4
                800-847-0003  Communications World         3
==========================================================================


==Phrack Inc.==

Volume Three, Issue Thirty-four, File #6 of 11


HACKING VOICE MAIL SYSTEMS

by Night Ranger


DISCLAIMER

I, Night Ranger, or anyone else associated with Phrack, am not responsible
for anything the readers of this text may do. This file is for informational
and educational purposes only and should not be used on any system or network
without written permission of the authorized persons in charge.


INTRODUCTION

I decided to write this text file because I received numerous requests for
vmbs from people. Vmbs are quite easy to hack, but if one doesn't know where
to start it can be hard. Since there aren't any decent text files on this
subject, I couldn't refer them to read anything, and decided to write one
myself. To the best of my knowledge, this is the most complete text on
hacking vmb systems. If you have any comments or suggestions, please let me
know.

Voice Mail Boxes (vmbs) have become a very popular way for hackers to get in
touch with each other and share information. Probably the main reason for
this is their simplicity and availability. Anyone can call a vmb regardless
of their location or computer type. Vmbs are easily accessible because most
are toll free numbers, unlike bulletin boards. Along with their advantages,
they do have their disadvantages. Since they are easily accessible this
means not only hackers and phreaks can get information from them, but feds
and narcs as well. Often they do not last longer than a week when taken
improperly. After reading this file and practicing the methods described,
you should be able to hack voice mail systems with ease. With these thoughts
in mind, let's get started.


FINDING A VMB SYSTEM

The first thing you need to do is find a VIRGIN (unhacked) vmb system. If
you hack on a system that already has hackers on it, your chance of finding
a box is considerably less and it increases the chance that the system
administrator will find the hacked boxes. To find a virgin system, you need
to SCAN some 800 numbers until you find a vmb. A good idea is to take the
number of a voice mail system you know, and scan the same exchange but not
close to the number you have.


FINDING VALID BOXES ON THE SYSTEM

If you get a high quality recording (not an answering machine) then it is
probably a vmb system. Try entering the number 100, the recording should
stop. If it does not, you may have to enter a special key (such as '*' '#'
'8' or '9') to enter the voice mail system. After entering 100 it should
either connect you to something or do nothing. If it does nothing, keep
entering (0)'s until it does something. Count the number of digits you
entered and this will tell you how many digits the boxes on the system are.
You should note that many systems can have more than one box length depending
on the first number you enter, Eg. Boxes starting with a six can be five
digits while boxes starting with a seven can only be four. For this file we
will assume you have found a four digit system, which is pretty common. It
should do one of the following things...

1) Give you an error message, Eg. 'Mailbox xxxx is invalid.'
2) Ring the extension and then one of the following..
1) Someone or no one answers.
2) Connects you to a box.
3) Connect you to mailbox xxxx.

If you get #1 then try some more numbers. If you get #2 or #3 then you have
found a valid vmb (or extension in the case of 2-1). Extensions usually have
a vmb for when they are not at their extension. If you get an extension,
move on. Where you find one box you will probably find more surrounding it.
Sometimes a system will try to be sneaky and put one valid vmb per 10 numbers.
Eg. Boxes would be at 105, 116, 121, ... with none in between. Some systems
start boxes at either 10 after a round number or 100 after, depending on
whether it is a three or four box system. For example, if you do not find
any around 100, try 110 and if you do not find any around 1000 try 1100. The
only way to be sure is to try EVERY possible box number. This takes time but
can be worth it.

Once you find a valid box (even if you do not know the passcode) there is a
simple trick to use when scanning for boxes outside of a vmb so that it does
not disconnect you after three invalid attempts. What you do is try two box
numbers and then the third time enter a box number you know is valid. Then
abort ( usually by pressing (*) or (#) ) and it will start over again. From
there you can keep repeating this until you find a box you can hack on.


FINDING THE LOGIN SEQUENCE

Different vmb systems have different login sequences (the way the vmb owner
gets into his box). The most common way is to hit the pound (#) key from the
main menu. This pound method works on most systems, including Aspens (more
on specific systems later). It should respond with something like 'Enter
your mailbox.' and then 'Enter your passcode.' Some systems have the
asterisk (*) key perform this function. Another login method is hitting a
special key during the greeting (opening message) of the vmb. On a Cindy or
Q Voice Mail system you hit the zero (0) key during the greet and since
you've already entered your mailbox number it will respond with 'Enter your
passcode.' If (0) doesn't do anything try (#) or (*). These previous two
methods of login are the most common, but it is possible some systems will
not respond to these commands. If this should happen, keep playing around
with it and trying different keys. If for some reason you cannot find the
login sequence, then save this system for later and move on.


GETTING IN

This is where the basic hacking skills come to use. When a system
administrator creates a box for someone, they use what's called a default
passcode. This same code is used for all the new boxes on the system, and
often on other systems too. Once the legitimate owner logs into his new vmb,
they are usually prompted to change the passcode, but not everyone realizes
that someone will be trying to get into their mailbox and quite a few people
leave their box with the default passcode or no passcode at all. You should
try ALL the defaults I have listed first.


DEFAULTS BOX NUMBER TRY

box number (bn) 3234 3234 Most Popular
bn backwards 2351 1532 Popular
bn+'0' 323 3230 Popular With Aspens

Some additional defaults in order of most to least common are:

4d 5d 6d
0000 00000 000000 *MOST POPULAR*
9999 99999 999999 *POPULAR*
1111 11111 111111 *POPULAR*
1234 12345 123456 *VERY POPULAR WITH OWNERS*
4321 54321 654321
6789 56789 456789
9876 98765 987654
2222 22222 222222
3333 33333 333333
4444 44444 444444
5555 55555 555555
6666 66666 666666
7777 77777 777777
8888 88888 888888
1991


It is important to try ALL of these before giving up on a system. If none of
these defaults work, try anything you think may be their passcode. Also
remember that just because the system can have a four digit passcode the vmb
owner does not have to use all four digits. If you still cannot get
into the box, either the box owner has a good passcode or the system uses a
different default. In either case, move on to another box. If you seem to
be having no luck, then come back to this system later. There are so many
vmb systems you should not spend too much time on one hard system.

If there's one thing I hate, it's a text file that says 'Hack into the
system. Once you get in...' but unlike computer systems, vmb systems really
are easy to get into. If you didn't get in, don't give up! Try another
system and soon you will be in. I would say that 90% of all voice mail
systems have a default listed above. All you have to do is find a box with
one of the defaults.
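
Read from the administrator's side, the defaults listed above are a denylist. The following is an added example, not part of the original file: a Python audit that flags any mailbox whose passcode matches one of those patterns. The function names and mailbox records are constructed, and the year check is an assumption that generalizes the lone 1991 entry.

```python
"""Audit mailbox passcodes against the default patterns listed in the file.

Added example: function names and the mailbox records are constructed here.
"""


def _is_run(pin: str, step: int) -> bool:
    """True when each digit differs from the previous by `step` (1234, 9876)."""
    return len(pin) > 1 and all(
        int(b) - int(a) == step for a, b in zip(pin, pin[1:])
    )


def weak_passcode_reasons(box: str, pin: str, max_len: int = 4) -> list[str]:
    """Return every reason `pin` is guessable for mailbox `box` (empty = OK)."""
    if pin == "":
        return ["no passcode set"]
    if not (box.isdigit() and pin.isdigit()):
        raise ValueError("box and passcode must be digit strings")
    reasons = []
    if pin == box:
        reasons.append("same as box number")
    elif pin == box[::-1]:
        reasons.append("box number reversed")
    if pin == box + "0":
        reasons.append("box number plus 0")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    if _is_run(pin, 1) or _is_run(pin, -1):
        reasons.append("ascending or descending run")
    # Assumption: the lone "1991" entry generalizes to any plausible year.
    if len(pin) == 4 and 1900 <= int(pin) <= 2099:
        reasons.append("looks like a year")
    # The file notes owners may use fewer digits than the system allows.
    if len(pin) < max_len:
        reasons.append(f"shorter than {max_len} digits")
    return reasons


def audit(mailboxes, max_len: int = 4) -> dict[str, list[str]]:
    """Map box number -> reasons, for weak mailboxes only."""
    report = {}
    for box, pin in mailboxes:
        reasons = weak_passcode_reasons(box, pin, max_len)
        if reasons:
            report[box] = reasons
    return report


# Constructed sample records: (box number, current passcode).
SAMPLE_MAILBOXES = [
    ("3234", "3234"),  # box number
    ("2351", "1532"),  # box number backwards
    ("323", "3230"),   # box number + '0'
    ("4410", "0000"),
    ("4411", "6789"),
    ("4412", "1991"),
    ("4413", ""),      # never set
    ("4414", "58"),    # fewer digits than the system allows
    ("4415", "7302"),  # passes every check
]

if __name__ == "__main__":
    for box, reasons in audit(SAMPLE_MAILBOXES).items():
        print(f"box {box}: {', '.join(reasons)}")
```

The same function can run when a passcode is set or reset, so a rejected value is never stored.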


ONCE YOU'RE IN

The first thing you should do is listen to the messages in the box, if there
are any. Take note of the dates the messages were left. If they are more
than four weeks old, then it is pretty safe to assume the owner is not using
his box. If there are any recent messages on it, you can assume he is
currently using his box. NEVER take a box in use. It will be deleted soon,
and will alert the system administrator that people are hacking the system.
This is the main reason vmb systems either go down, or tighten security. If
you take a box that is not being used, it's probable no one will notice for
quite a while.


SCANNING BOXES FROM THE INSIDE

From the main menu, see if there is an option to either send a message to
another user or check receipt of a message. If there is you can search for
VIRGIN (unused) boxes without being disconnected like you would from
outside of a box. Virgin boxes have a 'generic' greeting and name. Eg.
'Mailbox xxx' or 'Please leave your message for mailbox xxx...' Write down
any boxes you find with a generic greeting or name, because they will
probably have the default passcode. Another sign of a virgin box is a name
or greeting like 'This mailbox is for ...' or a woman's voice saying a man's
name and vice versa, which is the system administrator's voice. If the box
does not have this feature, simply use the previous method of scanning boxes
from the outside. For an example of interior scanning, when inside an Aspen
box, choose (3) from the main menu to check for receipt. It will respond with
'Enter box number.' It is a good idea to start at a location you know there
are boxes present and scan consecutively, noting any boxes with a 'generic'
greeting. If you enter an invalid box it will alert you and allow you to
enter another. You can enter invalid box numbers forever, instead of the
usual three incorrect attempts from outside a box.
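
The outside trick (two misses, then a known-valid box and abort) and the interior lookup described above both work because invalid box numbers are counted only consecutively, or not at all. As an added example, not part of the original file, this Python detector counts them cumulatively per call from an IVR event log. The log format, event names and thresholds are assumptions, and the log lines are constructed.

```python
"""Count invalid mailbox entries per call, ignoring lockout-counter resets.

Added example: the log format, event names and thresholds are assumptions,
and the log lines are constructed sample data, not output of a real product.
"""
import re
from collections import defaultdict

LINE = re.compile(
    r"^(?P<ts>\S+) call=(?P<call>\d+) ctx=(?P<ctx>outside|inside) "
    r"ev=(?P<ev>\w+)(?: box=(?P<box>\d+))?$"
)
OUTSIDE_INVALID_LIMIT = 6   # invalid boxes per call, counted across resets
INSIDE_LOOKUP_LIMIT = 10    # distinct boxes looked up from inside a mailbox


def build_sample_log() -> list[str]:
    """Constructed sample log lines (not from a real system)."""
    out, sec = [], 0

    def emit(call, ctx, ev, box=None):
        nonlocal sec
        sec += 5
        stamp = f"2024-03-02T01:{sec // 60:02d}:{sec % 60:02d}"
        tail = f" box={box}" if box is not None else ""
        out.append(f"{stamp} call={call} ctx={ctx} ev={ev}{tail}")

    # Call 17: two misses, one known-valid box, abort; repeated three times.
    probe = 1001
    for _ in range(3):
        for _ in range(2):
            emit(17, "outside", "box_invalid", probe)
            probe += 1
        emit(17, "outside", "box_valid", 1100)
        emit(17, "outside", "abort")
    # Call 18: an ordinary owner who mistypes once and then logs in.
    emit(18, "outside", "box_invalid", 2100)
    emit(18, "outside", "box_valid", 1200)
    emit(18, "outside", "login_ok", 1200)
    # Call 19: a logged-in session walking box numbers via a lookup feature.
    emit(19, "outside", "box_valid", 1100)
    emit(19, "outside", "login_ok", 1100)
    for box in range(1101, 1113):
        emit(19, "inside", "lookup", box)
    return out


def analyse(lines) -> dict[int, dict]:
    """Per-call counters; `max_streak` is all a consecutive-only lockout sees."""
    stats = defaultdict(lambda: {
        "invalid": 0, "streak": 0, "max_streak": 0,
        "resets": 0, "armed": False, "inside": set(),
    })
    for line in lines:
        m = LINE.match(line)
        if m is None:
            continue  # line is not in the assumed format
        s = stats[int(m["call"])]
        ev, was_armed = m["ev"], s["armed"]
        s["armed"] = False
        if ev == "box_invalid":
            s["invalid"] += 1
            s["streak"] += 1
            s["max_streak"] = max(s["max_streak"], s["streak"])
        elif ev == "box_valid":
            s["armed"] = s["streak"] > 0   # a valid box right after misses
            s["streak"] = 0                # the lockout counter resets here
        elif ev == "abort" and was_armed:
            s["resets"] += 1               # misses, valid box, abort: one cycle
        elif ev == "lookup" and m["ctx"] == "inside":
            s["inside"].add(m["box"])
    return dict(stats)


def findings(lines) -> dict[int, list[str]]:
    """Map call id -> flags for calls that crossed a cumulative threshold."""
    flagged = {}
    for call, s in sorted(analyse(lines).items()):
        flags = []
        if s["invalid"] >= OUTSIDE_INVALID_LIMIT:
            flags.append("outside_enumeration")
        if len(s["inside"]) >= INSIDE_LOOKUP_LIMIT:
            flags.append("interior_scan")
        if flags:
            flagged[call] = flags
    return flagged


if __name__ == "__main__":
    for call, flags in findings(build_sample_log()).items():
        print(f"call {call}: {', '.join(flags)}")
```

Call 17 never exceeds two consecutive misses, so a three-strikes rule stays silent while the cumulative count reaches six. Keying the same counters on caller number or trunk would also cover a caller who redials between attempts.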


TAKING A BOX

Now you need to find a box you can take over. NEVER take a box in use; it
simply won't last. Deserted boxes (with messages from months ago) are the
best and last the longest. Take these first. New boxes have a chance of
lasting, but if the person for whom the box was created tries to login,
you'll probably lose it. If you find a box with the system administrator's
voice saying either the greeting or name (quite common), keeping it that way
will prolong the box life, especially the name.

This is the most important step in taking over a box! Once you pick a box to
take over, watch it for at least three days BEFORE changing anything! Once
you think it's not in use, then change only the passcode, nothing else!
Then login frequently for two to three days to monitor the box and make sure
no one is leaving messages in it. Once you are pretty sure it is deserted,
change your greeting to something like 'Sorry I'm not in right now, please
leave your name and number and I'll get back to you.' DO NOT say 'This is
Night Ranger dudes...' because if someone hears that it's as good as gone. Keep
your generic greeting for one week. After that week, if there are no
messages from legitimate people, you can make your greeting say whatever you
want. The whole process of getting a good vmb (that will last) takes about
7-10 days, the more time you take the better chance you have of keeping it
for a long time. If you take it over as soon as you get in, it'll probably
last you less than a week. If you follow these instructions, chances are it
will last for months. When you take some boxes, do not take too many at one
time. You may need some to scan from later. Plus listening to the messages
of the legitimate users can supply you with needed information, such as the
company's name, type of company, security measures, etc.


SYSTEM IDENTIFICATION

After you have become familiar with various systems, you will recognize them
by their characteristic female (or male) voice and will know what defaults
are most common and what tricks you can use. The following is a list of a few
popular vmb systems.

ASPEN is one of the best vmb systems with the most features. Many of them
will allow you to have two greetings (a regular and an extended absence
greeting), guest accounts, urgent or regular messages, and numerous other
features. Aspens are easy to recognize because the female voice is very
annoying and often identifies herself as Aspen. When you dial up an Aspen
system, sometimes you have to enter an (*) to get into the vmb system. Once
you're in you hit (#) to login. The system will respond with 'Mailbox number
please?' If you enter an invalid mailbox the first time it will say 'Mailbox
xxx is invalid...' and the second time it will say 'You dialed xxx, there is
no such number...' and after a third incorrect entry it will hang up. If
you enter a valid box, it will say the box owner's name and 'Please enter
your passcode.' The most common default for Aspens is either box number or
box number + (0). You only get three attempts to enter a correct box number
and then three attempts to enter a correct passcode until it will disconnect
you. From the main menu of an Aspen box you can enter (3) to scan for other
boxes so you won't be hung up like you would from outside the box.

CINDY is another popular system. The system will start by saying 'Good
Morning/Afternoon/Evening. Please enter the mailbox number you wish...' and
is easy to identify. After three invalid box entries the system will say
'Good Day/Evening!' and hang up. To login, enter the box number and during
the greet press (0) then your passcode. The default for ALL Cindy systems is
(0). From the main menu you can enter (6) to scan for other boxes so you
won't be hung up. Cindy voice mail systems also have a guest feature, like
Aspens. You can make a guest account for someone, and give them a
password, and leave them messages. To access their guest account, they just
login as you would except they enter their guest passcode. Cindy systems
also have a feature where you can have it call a particular number and
deliver a recorded message. However, I have yet to get this feature to work
on any Cindy boxes that I have.

MESSAGE CENTER is also very popular, especially with direct dials. To login
on a Message Center, hit the (*) key during the greet and the system will
respond with 'Hello . Please enter your passcode.' These vmbs are
very tricky with their passcode methods. The first trick is when you enter
an invalid passcode it will stop you one digit AFTER the maximum passcode
length. Eg. If you enter 1-2-3-4-5 and it gives you an error message after
you enter the fifth digit, that means the system uses a four digit passcode,
which is most common on Message Centers. The second trick is that if you enter
an invalid code the first time, no matter what you enter as the second passcode
it will give you an error message and ask again. Then if you entered the
correct passcode the second and third time it will let you login. Also, most
Message Centers do not have a default, instead the new boxes are 'open' and
when you hit (*) it will let you in. After hitting (*) the first time to
login a box you can hit (*) again and it will say 'Welcome to the Message
Center.' and from there you can dial other extensions. This last feature can
be useful for scanning outside a box. To find a new box, just keep entering
box numbers and hitting (*) to login. If it doesn't say something to the
effect of welcome to your new mailbox then just hit (*) again and it will
send you back to the main system so you can enter another box. This way you
will not be disconnected. Once you find a box, you can enter (6) 'M'ake a
message to scan for other boxes with generic names. After hitting (6) it
will ask for a mailbox number. You can keep entering mailbox numbers until
you find a generic one. Then you can cancel your message and go hack it out.


Q VOICE MAIL is a rather nice system but not as common. It identifies itself
'Welcome to Q Voice Mail Paging' so there is no question about what system it
is. The box numbers are usually five digits and to login you enter (0) like
a Cindy system. From the main menu you can enter (3) to scan other boxes.

There are many more systems I recognize but do not know the name for them.
You will become familiar with these systems too.


CONCLUSION

You can use someone else's vmb system to practice the methods outlined above,
but if you want a box that will last you need to scan out a virgin system.
If you did everything above and could not get a vmb, try again on another
system. If you follow everything correctly, I guarantee you will have more
vmbs than you know what to do with. When you start getting a lot of them, if
you are having trouble, or just want to say hi be sure to drop me a line on
either of my internet addresses, or leave me a voice mail message.

NOTE: Some information was purposely not included in this file to prevent
abuse to various systems.


_______________________________________________________________________________


Sir K.N's Phreaking Tutorial

12:07 AM




!
! ! !
! ! !
! ! !
! ! !
-------------------------
Sir K.N.
--------------------

presents...


****************************
* phreaking *
* tutorial *
***********************

what is phreaking?
------------------

phreaking involves ripping off ma bell
and other phone companies such as mci
and gte.this can be done in a variety
of ways.phreaking is almost 100%
illegal,but has that ever stopped any-
body?

how do you phreak?
------------------

there are 3 basic ways to phuck the
phone companies:

1.colored boxing.(blue,purple,etc.)
2.using sprint,mci without paying.
3."tricks of the trade"

colored boxing
--------------

a pushbutton phone works by emitting
tones of different frequencies.by
changing the frequencies you can do
some interesting stuff.phreaks have
realized this and have built devices
called boxes.there are many types of
boxes here is a list of a few...

types of boxes
-------------

color function
----- --------
blue - all calls for the price of local

purple- all calls free!

silver- free calls,etc.army uses them!



fuzz box - makes sound of coin dropped

cheese box-makes calls untraceable

for more information send e-mail to

f}sir francis
l}drake

what are boxes continued
------------------------

most of the above boxes work by making
different tones for each key.i have
the plans for:blue,silver,green,brown
boxes if you want them send e-mail.

how do you phreak with sprint?
------------------------------

since the break up of att cheaper
phone companies such as:

itt
mci
gte sprint
metrophone
wu

and many more..

until january 1st to use these services
you call the local access number and
then type in a 5 or 6 digit code.you
can get programs that will call mci
,sprint,or whatever and try consecutive
numbers until it gets one.to fight
against this the companies use 2 things.
..

1.they have dummy numbers that you think
work but when you call using it
they trace you!

2.they change the numbers randomly
every week or less,so you can't use
a number too long!

here are some access numbers you can
try hacking...

access numbers
--------------

metrophone-(415) 579-6001
itt-(415) 858-2750
mci-(415) 495-2640
sprint-(415) 348-7700

future developments
-------------------

after january first,the date the att
break up starts,all hell will break
loose because the regional companies
will not know what the fuck to do!
who will profit from this?

phreaks!!




/E


!
-$-
! *
+ /^ |
! | |//^ _^_
/^ / @ | /_-_
|@ _| @ @|- - -|
| | | /^ | _ | - - - - - - - - - *
|___/____|_|_|_(_)_| Aaaaaeeeeeeeeeeeeeeeeee! /
Specializing in conversations, E-Mail, obscure information,
entertainment, the arts, politics, futurism, thoughtful discussion,
insane speculation, and wild rumours. An ALL-TEXT BBS.
"Raw data for raw minds."


Cellular Telephone Phreaking Phile Series VOL 1

12:05 AM
CELLULAR TELEPHONE PHREAKING PHILE SERIES VOL 1 by The Mad Phone-man

How would ya like to have a phone that no body could locate? How bout free
phone service on it too? Well Cellular telephones have the potential to do
all this and more. First lets discuss some basics of the service.
Q: What is a cellular phone?
A: A 800 mhz radiotelephone, running 3 watts, with the ability to change
channel on computer command from the central switch. This happens when you
travel thru the service area and your signal becomes stronger at a neighboring
cell base station.
Q: They are marketed as a high security device with no possibility of anyone
making a phoney call and charging it to someone else, how can it be phreaked?
A: An understanding of the phone reveals that every time a call is made, the
phone number, an electronic serial number, and other data is sent to the switch.
If you were to listen to the opposite side of the control channel as the call
is being "set-up" you would hear this data being transmitted to the switch in
NRZ code (non-return to zero). All one has to do, is record this info and
program the bogus phone to these params and a free call is possible thru the
switch.
Q: Has anyone done this yet?
A: YES, about 6 months after the first cellular phone system was "turned-up"
a technician programmed a panasonic telephone with a NEC E.S.N. (Electronic
serial number) this was reportedly done for a gram of coke. With the popular
ROM programmers available today, almost any NAM (Numeric Assignment Module)
can be duplicated or copied with changes. (The NAM is the heart of the billing
information and contains the phone number but not the ESN) The most popular
integrated circuit for NAMs is the 74LS123.
Q: This sounds like a lot of trouble, are there easier ways to get service?
A: SURE, the cellphone companies have been their own downfall. In an effort
to market their wares as universal service (Your phone will work in any system)
they have let the cart get before the horse. Nobody can tell if a phone from
another city (that has a roaming agreement) is valid till it's too late. The
only thing they could do after finding out is block any call with the bad
ESN because as we know, the phone number is easy to change, but the ESN is
not. So here's a likely plot...a roamer identifying itself as a number from
Chicago non-wireline accesses a Cellular system in Dallas. Sometimes an
operator intervenes but you can bullshit them as long as you know the
information you have programmed into your phone. Then you make calls just
like you are a local user. If you're found out, you remove the number,
change it to another, and see if that works. Usually it will require the
radio's ESN chip to be changed, but that's a lot easier if you have a ZIF
(zero insertion force) socket installed, that's what I use.

Upcoming soon, more good info on particular mfgrs ESN codes.
Cracking the Motorola switch, Shortcomings of the Ericsson AXE-10 switch.





³ Title: The Busy Box ³

12:04 AM

The busy box is just that, it makes whatever fone line it's attached to
busy. It's quick, it's easy, it's actually fairly useful at school, cause
those idiots can't figure them out. Here's the plans:

Shopping list:

One length of 4 cond fone wire w/modular plug on one end
wire strippers
elec tape

Strip the two inside wires on the end of the fone cord that doesn't have
the plug on it (Ring/Tip or Red/Green). Twist them together, and wrap a few
times with elec tape. Yes, that's really it.

Do you REALLY need a diagram? Ok:
/
/
---------- red
| |----------------------------------\
| |----------------------------------/ <--- twist wires together
---------- green

^ Mod plug


That better be enough for you. Jesus. This is only SO hard...




Breaker B0X

12:04 AM





This is a new b0x INVENTED AND MADE BY _--=PeEll=--_ on June 18, 1995 at
11:20 pm central time. Okay? This is not really a box. This has nothing
to do with tha fone system. It has to do with a person's (not yours) breaker
box and electrical system within his/her house. This is foe info only.
These plans should not be used in an illegal way. There are two wayz to make
this box.

Materials

2 Extension cords (doesn't matter how long)
Knowledge of splicing wire
Whatever you need to splice
A plastic crate
A long thin (but strong) piece of wood (a stick, broom-handle)

How to make it

Take tha extension cords and cut off tha ends that you plug into tha wall
(ya know tha plugs). Make SuRe you have about four-five inches on both. Now
splice tha two plugs together. *****If they have tha third prong you have to
break it off***** You should have something like this:

=|)-------(|=

Now to use it

Go to tha enemy's house and find an outside power outlet. Plug one of tha
plugs into one of tha outlets. THEN GET ON THA CRATE!!! Make SuRe that no
part of you is touching tha ground. Then plug tha other end in (cause there
is usually two sockets). Watch tha sparks. It may start a fire. When it
stops lighting up tha sky, take tha stick or whatever put it in tha loop and
pull it out. Grab it and run.

Materials (foe tha second kind)

1 Extension cord
1 Bucket of Salt water (like a 5 gallon bucket filled with a lot of salt)

Cut tha cord so you have about six-seven feet of cord. Now find an
outside power outlet and plug in tha cord (might wanna get a crate). Now you
have a LIVE wire. THROW (so you are not holding it) into tha bucket of
water. You may have to leave tha breaker box there.

This b0x is KewL cause if it doesn't trip tha breakers or fuses it will
fry tha wires in tha house!!! If something is running and using electricity
it may blow it (ie lights, TV, things like that).




Bell Hell Volume #2

12:03 AM


Bell Hell Volume #2
By: The Dutchman
Neon Knights -Wired
Metal Communications
METAL! KICKS!

Thanx to: Baby Demon & The Metallian

Call These Genocidal Systems...

/\/\etalland 1     10mgs/AE/BBS/Cat-Fur [503]538-0761
/\/\etalland ][    AE/Cat-Fur Line..... [503]253-5300
The /\/\etal AE    PW: KILL............ [201]879-6668
The Cheese ][      10mgs/AE/BBS/Cat-Fur [409]696-7983
Milliways          10mgs BBS........... [609]921-1994
7 Gates of Hell    BBS................. [415]697-1320
The Mordor AE      1200bps/Cat-Fur/10mg [201]528-6467

/CONTENTS/
In vol. I we discussed some of the minor aspects of bell hell. Now we shall
enter the realm of serious bell hell, including how to crush AT&T's firm grip
on the wired industry and Ma's underground passages.

/MA'S CODES ETC./
In order to make things easier for her employees, Ma has given us not only
free access to almost all her treasures but guides next to them to help us
along the way. One of the more common boxes found are the ones located either
at the end of your street, in an adjacent field or on telephone poles. Any of
these boxes contains all the lines for the surrounding neighbourhood. Ma
usually supplies a code for the wires inside on the side of the door to one of
these boxes; if not, the code usually goes like this:

Red (ring-) = Ring line, allows others to call you
Green (tip+) = Calling out line, for you to call others

Ma has conveniently located these, the red on the right and the green on the
left. If you run into one of these boxes and it's locked then you'll need to
purchase either a 1/2" crowbar or a 7/16" hex driver, preferably the
latter. In order to use the 7/16, simply give a 1/8" turn counter clockwise,
presto you are in. The crowbar is self explanatory I believe.

The other, and less likely to be found of the bell underground network is just
that, the underground network. To find one of these simply look for a manhole
cover with a bell in the middle instead of an S or whatever your sanitary
dept. might use. The aspects and entry of these will be discussed later in
this article, now to the boxes.

Now that you are in one of these boxes there is a rather interesting list of
prospects you can do, connect a linesmans handset, connect a box, or eavesdrop
to name a few, here's some of the ways to do the following.

Hell #1:

/LINESMANS HANDSET/
In order to make a linesmans handset (if not included within the newly found
box) you'll need a few things:

1 a phone (preferably a GTE flip fone or a slimline)
2 a splicing knife (any knife will do, the sharper the better)
3 a set of alligator clamps (if not already within the box)

Now take your knife and cut off all the wires and the modular jack (if one)
saving the red (ring-) and green (tip+) wires. Now attach the alligator clips,
one to the red and one to the green, and you're set. All you need do is attach
the alligator clips to the designated colors on the box (red - red/green -
green) and you have essentially become an extension of that line.

Hell #2:

/THE BLACK/BLUE BOX/
Finally a place where you can use that box of yours with minimal worries of
being caught (the only way would be to get caught red-handed). Ah yes, bell
hell at one of its finer points. Commonly it takes Ma about a month or so to
figure out the trip on this one.

If you are unfamiliar with boxes, the black box allows others to call you free
where-as the blue box allows you to use operator lines and even become one of
the bitches (become an operator). For more info I would suggest consulting
black/blue box plans.

Use the normal plans for a black/blue box and make the following
modifications:

Equipment:
(1) SPST SWITCH (found at your local Trash Shack)
(1) 10K OHM 1/2 WATT 10% RESISTOR (same as above)
SOME EXTRA WIRE (same as above above)

Now disconnect the green wire in the box and connect it to one of the two
poles on the SPST switch. Take a piece of your extra wire connect one end to
the other pole on your SPST switch and the other end to the terminal. Now
place the 10k ohm resistor between the terminal and the terminal.
Connect it (the 10k ohm resistor) via wire to the two. The terminal
should have a green wire going to it and the terminal should have a white
and blue wire connected to it. Your finished product should look something
like this:

--/-/--
:S P S T:
-------
:: ::
-----GREEN WIRE--:: ::----
!
10K OHM
!
!
-----WHITE WIRE-----------\\
------BLUE WIRE-----------------

This is simply the basic wiring, if you decide to become one with advancement
you might try hooking up lights to go on when you're online or perhaps a
recorder, what-ever you wish.

Hell #3

/EAVES-DROPPING/
There are many various ways to accomplish this, seeing how I like to stick to
basics I will describe what I feel is the easiest by far. First you need to
make a linesmans handset as mentioned above if you already haven't. Now simply
disconnect the sending end (the end you talk through) and listen in. From here
you can accomplish several various tasks. If you are into blackmail you can
hook up a tape recorder (if you want to do this you can leave me a msg. or
wait for another file later, its rather a long task) or you may simply hold
the recorder to the listening end of the phone. To find out about the line
etc. You can do a couple of things, first you can dial your ANI (automatic
number identification) and find out the line you are on, after this call, you
are a local CN/A (described below) and run a check on who's line it is etc.
This can bring all kinds of hell for those not-so-trustworthy wives/husbands.

More Hell:

/OTHER TRICKS/
You can set up a conference call simply by dialing your conference operator
(0-700-456-1000) and setting it up, just do what she says. I suggest this
operator for her lines are superior to those of the bitchy PBX ones. Oh,
you'll also need to know that lines person, address etc. Just pull an ANI and
then an CN/A on it.

If you have an urge to get back at someone simply attach your linesmans
handset to the persons line (find their line as mentioned many times before)
and leave it off the hook. You can imagine just how long it could take Ma's
loyal employees to discover the problem. Possibly weeks if not a month.

Using the persons line to call computer systems that trace. This also goes
under the heading 'getting back at people' for the hassles you'll cause them
when the line is traced to them is numerous, bitchy Ma employees tend to be
irrational, spoiled children when it comes to busting people.

Bugging the operator - self explanatory.

RAISE HELL

/Insider/ - The rest of this doc is mainly explanations, a little hell and a
few other things I decided to throw in instead of making another Vol.. Its
true purpose is to coincide with Vol. I, as well as take up space, the rest is
unknown.

-----------
800 EXTENDERS
-----------

Basically, 800 extenders are much like Save-Net or Am-Net going 800 instead of
local access numbers. With this one you can call anywhere in the U.S. for
free, of course you need the X digit code, but this is easily found. You use
these just like you would if you were using Save-Net, i.e. you would dial
1-800-XXX-XXXX, then enter in your X digit code and then the area code + the
number you wish to reach, i.e. 1800521167429125036358443, as you can see there
is an 800 number followed by a 4 digit code followed by a number wished to be
reached. Here's a few 800 extenders, there's many many more:

1-800- 1-800-
------- -------
245-4890 4 DIGITS 327-6713 4 DIGITS
243-7650 6 DIGITS 328-7112 4 DIGITS
654-8494 6 DIGITS 327-9895 7 DIGITS
327-9136 4 DIGITS 227-3414 4 DIGITS
682-4000 6 DIGITS 343-1844 4 DIGITS
858-9000 3 DIGITS 521-1674 4 DIGITS
537-3511 8 DIGITS 843-0698 9 DIGITS
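
Seen from the operator's side, the only thing protecting an extender of this kind is a short numeric code, so repeated code rejections from one caller are the signal to watch for. The following is an added example, not part of the original file: a check over call records that flags a caller who tries many different wrong codes in a short window and lists any code accepted afterwards so it can be revoked. The record layout, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records for one access number (assumed layout):
# (timestamp in seconds, caller ANI, code entered, accepted?)
SAMPLE_CDRS = (
    [(t * 20, "5035550100", f"{1000 + t:04d}", False) for t in range(6)]
    + [
        (120, "5035550100", "1006", True),   # accepted right after a burst of rejects
        (30, "5035550123", "4812", False),   # ordinary user mistypes once...
        (45, "5035550123", "4821", True),    # ...then enters the right code
    ]
)


def flag_code_guessing(records, window_s=600, max_distinct_failures=5):
    """Return {ani: [codes to revoke]} for callers that had at least
    max_distinct_failures different rejected codes inside window_s seconds.
    The list holds codes accepted from that caller after the burst."""
    by_ani = defaultdict(list)
    for ts, ani, code, accepted in sorted(records):
        by_ani[ani].append((ts, code, accepted))

    findings = {}
    for ani, events in by_ani.items():
        failures = []        # (ts, code) of recent rejected attempts
        burst_seen = False
        to_revoke = []
        for ts, code, accepted in events:
            if not accepted:
                failures.append((ts, code))
                # keep only rejects that are still inside the sliding window
                failures = [(t, c) for t, c in failures if ts - t <= window_s]
                if len({c for _, c in failures}) >= max_distinct_failures:
                    burst_seen = True
            elif burst_seen and code not in to_revoke:
                # a code that works right after a guessing burst is presumed exposed
                to_revoke.append(code)
        if burst_seen:
            findings[ani] = to_revoke
    return findings


if __name__ == "__main__":
    for ani, codes in flag_code_guessing(SAMPLE_CDRS).items():
        print(f"caller {ani}: guessing burst, revoke codes {codes}")
```

A single mistyped code, as from the second caller in the sample, stays below the threshold and is not flagged.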

=-=-=-=-=-=-=------------------------->
LOOP NUMBERS EXPLORED

Loop numbers simply connect two people together using two different numbers.
Thus these numbers always come in pairs, one being the higher one while the
other being the lower one. So if you were to use one, you would call one of
the pair and the other one would call the other one (you take the high road
I'll take the low road). Loop numbers are equal in quality as calling direct,
thus it would be the same quality as you would get calling your neighbour. If
you would happen to call a loop number and no one was on the other end one of
two things would happen, if you called the higher of the two you would hear
silence, if you dialed the lower you would get a 1000 hertz tone. Here's a list
of some loop numbers:

Area Code 212
XXX-9979 (HIGH)
XXX-9977 (LOW)

XXX= 690,534,569,432,868,255,228,677,982,466,926,220,586,524,283

XXX-9906 (HIGH)
XXX-9900 (LOW)

XXX= 529,352,439,388

Where you see XXX you enter the prefix desired, thus if you wanted area code
212, you could choose a prefix say 690, so one person would dial 690-9906 and
the other 690-9900.

In order to scan for loop numbers you'll need a friend to help. Loop numbers
run in pairs, the combination is 00XX and XX99. So what you need is for one
person to scan one end while the other scans the upper (using the same
prefix). The hang side has no tone while the other gives off a 1000hz tone.

To use a loop number in order to start a conference call simply have one
person get on the hangside while another calls the conferencing operator (PBX
operator will do). The person calling the operator (hopefully from a fortress
phone) should charge the call to the upper loop number (the one the other
person isn't on), when the operator calls to verify she'll get your friend,
who of course will accept all charges gladly.

=-=-=-=-=-=-=------------------------->
Customer name and address
(CN/A)

A CN/A operator is designated for the use of AT&T employees who need some
information on a certain person. Ex- A Bell cop got a persons name from a nark
or whatever, he needs more info about the person so he calls up the CN/A
operator and asks her for the persons where abouts. Ma has been nice enough to
grant these operators the knowledge of a few more things (Ma's slip up), such
as their phone number. Thus we can call up one of these operators, say,'Hi, my
names Joe Rodrequiz and I'm from the Lake Oswego Bell customer service
department, I need the following info on a 'Jack Suchos'.' Then you become
really nice and ask if you can have that persons phone number so you don't
have to go over there. Since these operators are human, and are easily conned
and are very informed they'll give you just about whatever you need to know.
However you must be polite and business like. Following is a list of CN/A's,
to use it, find your area code and the CN/A operators number will follow:


900+(DIAL-IT) NUMBERS: 212-334-3611

FOR BAHAMAS, BERMUDA, DOMINICAN REP, JAMAICA AND PUERTO RICO: 212-334-4336


