Leaderboard


Popular Content

Showing content with the highest reputation since 07/06/2009 in all areas

  1. 6 points
    Here's the complete collection of recordings I grabbed of the Odessa 1AESS switch before the cutover. The recordings were made during late May, with the last batch (A-D recordings) made on June 2, 2017 -- days before the cutover. The most interesting recordings I found during the calls to the switch:
    1AESS-A.wav - Highest quality recording/best example I have of what a normal call to the 1AESS intercept sounded like. Allows you to hear the background SIT-tone noise before recordings.
    1AESS-D.wav - Highest quality recording/best example I have of what a normal call to the 1AESS supervision test sounded like.
    1AESS-3.wav - Bizarre because the switch cut to busy after intercept, instead of cutting over to reorder like normal.
    1AESS-11.wav - Bizarre because the call, without ring, goes to the 1AESS intercept recording for one cycle, then stops for 20 seconds, and returns the Hillsboro 4ESS '121-T!' recording.
    1AESS-14.wav - Bizarre because the call rings once, goes silent for 30 seconds, then returns the Hillsboro 4ESS '121-T!' recording.
    1AESS-15.wav - Bizarre because the call rings once, goes silent for 40 seconds, then returns a reorder.
    More descriptions of the other calls are available in the 1A_desc.txt file on the dropbox drive. https://www.dropbox.com/sh/xca3wwskn1mzwzt/AABJMpTS0XDL9NQQgiz4LVI4a?dl=0 Enjoy.
  2. 6 points
    Hi all, Been busy for a while and was distracted by other facets of life. Signed in today and was reading some of the posts to see if anything major or interesting has happened, and not much has changed, as I expected (no offence). So it seems no harm there in being temporarily gone. Now as I was reading some of the posts and a reply to my "Everything is Assumed" thread I noticed I had been down-repped to -6, so I checked the Binary Revolution forum index page where it has a list of where you were down-repped and which thread it was in, over a long past with no replies as to why... I in some ways don't care but was wondering: has another spam bot got loose or some dumb-ass, or did I make a thread that offended some community and they saw it and one of them joined and down-repped me for that? Anyway I was also wondering if this had happened to anyone else as well. Thanks in advance for any replies.
  3. 5 points
    After reading your comment #4 I also got really annoyed. I agree with Berzerk on this. Correct me if I am wrong, but it seems you don't know the difference between petty theft and hacking. Here is what I consider the difference:
    HACKING - Taking a computer, and figuring out a way to bypass the password. Disseminating the contents of the drive to find the owner's name, address, and pictures of them to identify them. Being nice and installing programs to help them find their PC if they lose it again:
        VNC - (to view the system)
        An SSH server - (to help retrieve their files)
        An IP beacon - (to say when the PC is online and what the IP address is)
    Returning the laptop to the owner. Occasionally checking in on the PC to make sure the system is ok, and they didn't lose it again. (What a good citizen!!!)
    PETTY THEFT - Not using google to find a simple kiddie script. Being an idiot and telling everyone you are committing a crime.
  4. 4 points
    There's another number to that; 3438. If you're hitting a route that gives you g.729 (sorta ruins that catchy song), it's not a bad idea to try both a few times. Interestingly, the transcoding seems to come on after the C5 chirps; those (and sometimes some Australian sounding ring) are always clear as day. So now when I found this - I actually think I found it with radio_phreak, but when I did, I was about as excited as you can expect. But something wasn't quite right. If you do a RESPORG lookup on 3438/7, it comes back as using the MCI/0222 network. If you call the number directly terminating to the Malaysian destination (you'll find it with a bit of searching) over MCI though, it's end to end SS7. After trying a bunch of carriers with no success, the theory we wound up with is that they were re-originating via a third party country; likely Australia, to shave a few cents off termination charges. Interestingly, when you hop on a conference on that access number, it'll allow you the option to contact customer service for the company, which is based out of Denver. The route you get is _definitely_ not C5. For whatever it's worth, there was another number until semi-recently; 3439 that routed a little differently. Usually it was more likely to get a transcoded route, or other weird things - one route had 450 hertz ringback before the call went offhook quite a lot. But anyway, for whatever it's worth, during Hurricane Sandy it gave you an error recording from a Santera OCX. If I remember right, the other numbers worked fine though. One thing I've noticed is during that song they play for hold music, sometimes it likes to disconnect you in weird ways. The hold music in question passes some notes a few times that definitely sound like 2400 hertz, so I wonder if that has anything to do with it (maybe we should pay attention to the supervision status), or if it's just an apathetic operator hanging up on you.
Incidentally, when the call tears down with 2600, you'll hear this curious reorder tone from the international gateway that sorta fades in and out. Based on this, I wonder if it's a type 1 EWSD: https://pastebin.com/q1dvEcVw . So this isn't exactly C5, but a while ago, I found some Axtel DMS logs on Scribd. No, seriously. You can see from there they have quite a few R2 trunks provisioned for end users: 142785363-switch-a.pdf . We were playing with this on the bridge a few months ago - something I sorta want to get into again at some point; a few people seemed pretty excited about it. There's one particular number, +52-818-114-1500 (on the AX2P42 trunk group; labeled STA_CATARINA_CALL_CENTER_PBX_R2. If you look at page 224, you'll see the trunk group type configuration for this and many others; there's a bunch of R2 trunks with generic labels) that will send a backwards 4 in MFC (780 + 1140 hertz) to the switch - indicating a network error when it messes up. Which it occasionally does. Dunno how or if these can be seized, but it seemed worth mentioning. Speaking of which, I don't have the number for this; I had the bright idea of putting it on the speed dial for a calling card and then letting it expire, but Russia has some sort of strange signaling - perhaps another R2 variant floating about in their network. This particular call I remember being to Siberia: weirdmfs.flac . A lot of their switches use whatever this is. It enables them to send vacant number conditions and such over their signaling network. All I do here besides try and hit some DTMF is whistle 2600 twice; once to seize the trunk, and another time to make the switch get all angry. The tones you hear are the standard R1 frequency set, but obviously an R1 trunk never barks MFs back at you. EDIT: Crap, I forgot about the Cuba stuff. From what I understand, Havana if no other place has a reasonably modern network of Alcatel gear.
As for the fixed GSM terminals, there's some older documents on Cuban telecom infrastructure lying around. All of them seem to point towards the Cuban fixed network being very over capacity. That could have something to do with that particular addition. As for Paraguay, radio_phreak mentioned to me a while back a particular set of numbers that would route to C5 trunks over some carriers. I believe it was +595-528-222-xxx. Back to the C5 stuff though, does anybody know where we can find a protocol spec document for it? That'll probably help us with some of the oddities we've found on some of these trunk groups. Another EDIT: http://www.itu.int/rec/T-REC-Q.140-Q.180/en Holy shit, another EDIT: http://www.binrev.com/forums/index.php?/topic/47028-portugal/#comment-364799 portugal_c5.flac One (hopefully) last thing - for anybody looking for international credit, I've found http://www.call2.com to be pretty good for the most part. Most of their routes look to be resold MCI, the rates are reasonable, and it tends to be decent quality. It is a callback service though, so it can be a little clunky for a large number of calls like in a scan. DMS-10 loops can be a good way to make this a little less painful. I feel kinda gross giving out a plug like that, but given the relative obscurity of the service and the content of the thread, it seems appropriate.
  5. 4 points
    0800 890 595 is now a (quite rare) example of the equipment engaged tone. I haven't done much looking for interesting switching/signalling since the early 2000s. It's got more difficult now because most people and businesses in poor countries have jumped straight to GSM (+successors). Back then, it would (as radio_phreak notes) be much more productive to look in the provincial towns and cities of poor countries than in their main cities. My preferred method was to look online for hotels or businesses in those backwater areas, ideally finding their fax numbers, and call those. Much prefer bothering a fax machine than disturbing a person. Nowadays you need to do this armed with the country's dialling plan (wikipedia usually has these) - and most of the numbers you find will be mobiles. Re Cuba, I can't reach the supposed second dialtone for the US base via +53 99. The state telco is marketing the "fija alternativa" service - ie a GSM-based fixed service - suggesting aged and interesting POTS equipment exists. Calling from here, it's evident that their international gateway is something not outrageously ancient, because it promptly returns an appropriate SS7 code for incorrect prefixes - eg +53 41 000000 returns the usual SIT+"the number you have dialled has not been recognised" from my local exchange. +53 xx 300000 returns a Cuban intercept - in Spanish then English - after about 5 seconds of delay, where xx is any of the 2-digit area codes listed at https://en.wikipedia.org/wiki/Telephone_numbers_in_Cuba. Sadly no signalling sounds are evident during the delays - I think I've tried all of them. I had a quick look for hotels in Panama and all the phone numbers I found were +507 6xxx xxxxx - ie mobiles. However, again, I'm hopeful that downstream of the international gateway is something elderly and interesting.
    +507 900 0000 sometimes gives an intercept - Spanish only - mentioning C&W Panama, again with a significant post-dial delay.
    +507 800 0000 gives my local telco's equipment engaged tone.
    +507 811 1111 was answered by a human.
    +507 700 0000 is a different Spanish intercept, with a longer post-dial delay.
    +507 600 0000 or 500 0000 give my local telco's SIT+number not recognised intercept.
    +507 400 0000 is the same intercept-after-delay as 900 0000.
    +507 300 0000 is yet another Spanish intercept, with delay.
    +507 200 0000 has a very long delay, then something times out and my local telco plays SIT+"sorry, there is a fault".
    +507 210 0000 has a long delay then the 900 0000 intercept.
    +507 220 0000 rings, again after a delay, and is answered by some sort of automated service - in Spanish.
    No signalling sounds are evident, for me, in any of the above :-(
  6. 4 points
    So I just logged into binrev using this: it automatically generates, stores, and types passwords and looks like a USB keyboard to your computer. That's an at89c5131 dev-board; this MCU is pretty much an 8051 with USB hardware. I'm probably going to keep touching up the code a little before I start printing boards.
  7. 3 points
    I've worked on this project for quite a while, and have discussed it on the conference, but have never officially posted recordings on here. There is a large presence of analog and electromechanical switches still in service in the former Soviet countries. The following are 3 recordings of me successfully boxing some of these switches:
    East Ukraine, ATSK Crossbar Using SF (in-band 2600 dial pulse) Signaling -- seizing and SFing another number: http://technotite.com/SF-exampUKR1.wav
    West Russia, Crossbar Using SF (in-band 2600 dial pulse) Signaling -- seizing and SFing another number: http://technotite.com/SF-exampRUS1.wav
    East Ukraine, Crossbar Using R1.5 (weird bi-directional MF protocol using R1 tones, used in CIS countries) -- seizing and MFing another number: http://technotite.com/R1.5-examp1.wav
  8. 3 points
    If you dial extension 8411-8414 it will make the automated voice say "Lane 1-4". Most pharmacies don't have more than two lanes. So if you're there waiting for a script, dial ext 8413 to hear the voice on the loudspeaker say "lane 3" and watch the employees' confusion. It's hilarious.
  9. 3 points
    Just found this photo and article, figured I'd leave it here. https://www.rcrwireless.com/20171109/network-infrastructure/switching-it-up-bidding-farewell-to-the-1aess-switch-tag6
  10. 3 points
    Long time lurker.... registered recently..... first post... I know this thread is a bit old, figured I could be of some assistance here: Auto-scanned the 630713XXXX exchange (took about ~15 hours), then did some manual checking:
    Number       Auto-Scan Result   Manual Scan, Comments
    6307130025   VOICE              Voicemail
    6307130027   VOICE              Subscriber
    6307130107   VOICE              Voicemail
    6307130138   VOICE              Voicemail (Nokia)
    6307130460   VOICE              UMTS Operations Support Group (Nokia -- "Please try again in 15 minutes")
    6307130484   VOICE              "We're sorry, but the blackout period for the transition of the 401k record keeper is in effect on January 6th, please call back on January 7th." Repeats, then hangs up.
    6307130563   VOICE              Subscriber
    6307130760   VOICE              "Thank you for calling the Nokia workplace resources call center."
    6307130869   VOICE              Voicemail
    6307130990   VOICE              Voicemail Access Number, with working directory.
    6307130996   VOICE              Voicemail Access Number, with working directory.
    6307131006   VOICE              Subscriber
    6307131229   VOICE              Subscriber
    6307131265   VOICE              "Sorry, this automated attendant number is not available at the moment, goodbye."
    6307131292   VOICE              Subscriber
    6307131304   VOICE              "The called extension is busy" >> Voicemail
    6307131329   VOICE              Subscriber
    6307131335   VOICE              Ring >> Reorder
    6307131553   VOICE              Voicemail
    6307131984   FAX                Fax tones
    6307132349   FAX                Fax tones
    6307133200   VOICE              Voicemail Access Number, with working directory.
    6307133678   FAX                Possibly a modem.
    6307134150   VOICE              Subscriber
    6307134389   VOICE              Subscriber
    6307134433   VOICE              Voicemail
    6307134484   VOICE              Subscriber
    6307134633   VOICE              Voicemail
    6307134967   VOICE              Voicemail
    6307135012   VOICE              Voicemail
    6307135163   VOICE              Voicemail (reads back extension number)
    6307135305   FAX                Possibly a modem.
    6307135353   VOICE              Voicemail
    6307135400   VOICE              Voicemail
    6307136056   FAX                Fax tones
    6307136081   FAX                Fax tones
    6307136082   FAX                Fax tones
    6307136091   VOICE              Possibly an elevator?? Buzzing/Static on line. Hangs up with #.
    6307136153   VOICE              Another elevator phone? Hangs up with # again.
    6307137073   VOICE              Subscriber
    6307137163   VOICE              Voicemail
    6307137180   VOICE              Voicemail
    6307137339   VOICE              Subscriber
    6307138416   VOICE              Subscriber
    6307138507   VOICE              Voicemail
    6307138668   VOICE              Voicemail
    6307138761   VOICE              Voicemail
    6307139039   VOICE              Voicemail
    6307139328   VOICE              Voicemail
    6307139379   VOICE              Subscriber
    6307139650   VOICE              Voicemail
    6307139764   VOICE              Voicemail
    6307139885   VOICE              Subscriber
    6307139988   VOICE              Voicemail
    If there's any interest I can run a scan on 630979XXXX.
  11. 3 points
    So all credit goes to Ramsaso; he pointed this out on the bridge last night. If you have a T-Mobile phone, try calling 712-451-0011. You should get a recording saying they now charge 1 cent a minute to call it, even if you're on their unlimited plan.
  12. 3 points
    https://en.wikipedia.org/wiki/Debian
  13. 3 points
    I got this bag phone last month and was playing around with it to see if there was some tiny chance that it could connect to any network. As I suspected, there aren't any crumbling remains of AMPS networks anywhere near me. An interesting feature about this phone is there's an "Aux Out" which apparently was for sending faxes. Can't imagine lugging all of that around and plugging everything into the 12v jack in your car...
  14. 3 points
    This is just a beginning to get people started. Feel free to add onto more if you wish. The 'Threads' links you will see are from threads from these forums where the topic has been discussed before. I wrote this a few months ago so there may even be more threads about them if you search around. This list was made from numerous threads about the same topics; to stop the bitching from the Department of Redundancy Department.
    1. How do I use exploits?
       ::Discussions - 1.
       ::Programs for assistance - Nmap and Nessus.
       ::Reference material - Security Focus, and Irongeek.
    2. How do I get the admin password for Windows XP?
       ::Discussions - 1.
       ::Programs for assistance - Login recovery, and John the Ripper.
       ::Reference material - Password Recovery, Irongeek.com, and many others. I would suggest reading the discussion thread.
    3. How do I hack a website?
       ::Discussions - 1, 2, 3.
    4. How do I get around web filtering like Websense?
       ::Discussions - 1, 2, 3.
       ::Programs for assistance - It is probably easier to use a proxy to get around web filtering software.
       ::Reference material - Babelfish, Proxy Blind, and Proxify.
    5. What are proxies and how do they work?
       ::Discussions - 1, 2.
       ::Programs for assistance - There are tons of proxy server lists out there. Suggest doing a Google search for "Proxy", "Proxies", "Proxy Server", etc.
       ::Reference material - Wiki Proxy Info.
    6. Where can I find more Hacker media like HackTV or BRR? For general Hacker Media information check out the Forums.
       ::Reference material - Hackermedia, Infonomicon, Old Skool Phreak, WhiteSword TV, Packet Sniffers, Hak5.
    7. What are some good books to read that will teach me about hacking? This all depends on what you are interested in learning.
       ::Reference material - Cryptography, Programming, Networking, and Social Engineering.
    8. Where can I find a meeting to attend, and what if no one is in my area? If no one is in your area then start up your own meeting, and let others know about it!
       ::Reference material - Bin Rev meetings - BRR listeners map, DefCon groups, 2600 meetings, and also search for a LUG (Linux User Group) in your area.
    9. What Linux distro is the best?
       ::Discussions - 1.
       ::Reference material - Rundown on different distros, a test that may help you decide which is best for you, and you may also want to check out more distros for yourself.
    10. How do I learn how to hack?
       ::Discussions - 1, 2.
    11. I want to program, where should I start?
       ::Discussions - 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22.
       C: Book, Tutorial, Windows Compiler, *nix Compiler, *nix Compiler How-To.
       Python: Website, Book, Tutorial, Compiler, Compiler How-To.
  15. 3 points
    Hey Samo! Good to hear from you again. Sorry to give you a wall of text here, there's really no concise way to explain this. In short, if you want to explore a long distance tandem, your best bet is to use a PIC code. There's a very simple trick that lets you push any destination you want directly into the tandem. We'll use Worldcom as an example, since it works from basically anywhere in the United States. Ready? Dial 101-0555. That's it; no zero, nothing. What you get next is a dialtone straight from the tandem. In the case of the ex-Worldcom tandems, it's not quite as fun as it could be; it wants an authorization code a-la 950 calling card. Here's an example of what you might find - http://thoughtphreak..._800223110.flac That's from a DMS (500, I think) owned by Integra, one of the local CLECs. Most long distance tandems (AT&T's aside - we'll get into that in a bit) don't like terminating toll-free calls, so you'll end up getting weird messages that you'll never be able to hear normally unless your switch loses its mind. What's so great about this is you're completely free from the dialing restrictions of a normal end office. Want to dial an NXX starting with 1 or 0? A code starting with #? *? There's nothing standing in your way. Sprint in particular stuck a speed dial function on their tandem for some weird reason in the #xx range. #99+anything seems to be its own little exception - it'll wait for a very large amount of digits before eventually giving you a generic CBCAE recording. This might indicate they're hiding something else here. There's one downside to this technique; if you're not subscribed to a carrier, they won't always let you play with the tandem. ex-MCI (0222) and Sprint are a couple good examples of this, but Sprint will give you a cool message as a consolation prize. Depending on your area, you might have better luck too. For example, the Qwest long distance network has a combination of DMS-250 and Sonus switches.
Sonus isn't fond of letting people have fun on the phone, so you'll just get a generic error recording. If you encounter Global Crossing's Sonus switches, you won't even get a custom recording, you'll get the Sonus stock one. It's worth a laugh if you ever hear it. It's under three seconds, and was clearly made last minute by an engineer. Speaking of Global Crossing, like MCI/0222, they have a number of Alcatel DEX switches floating around. Dialing 101-0444 will just get you an error, though. The solution? 950-1044! What dialplan they're using is absolutely beyond me, though, so you're on your own there. There are suggestions - like 800-223-1104 (but only without a 1) going to an invalid code recording that suggest it might be for calling card use, but most things I can think to try just go to a CBCAD. And then we come to AT&T's 0288 network. I'll level with you, this is something I haven't figured out at all. Whenever I've been fortunate to get a dialtone back, it's always been from one of their 5ESS toll tandems. If there's such thing as a pushy phone switch, this is it. It'll let you know right away if it thinks you're doing something wrong. And putting a 1 in front of your destination number is wrong. I haven't had time or an opportunity to just sit down and investigate this, but what I do know is it's unique from a lot of other switches. For one, it'll terminate toll-free calls, but only on specific carriers. I believe just AT&T and Global Crossing toll-frees. Sometimes, it gets a little weirder - like, if you dial 800-244-1111, you'll get a recording from a McLeodUSA DMS. What this means I'm not sure exactly, but my guess is since the 5E toll tandems are responsible for lending a hand in connecting toll-frees, they'll store translations for those toll-frees. If it happens to have one - outdated or not, it'll just use that instead of doing an SMS-800 dip. Also of note on the AT&T tandems is the 600 NPA.
Instead of just intercepting it like any invalid NPA, it'll pass this onto the 4ESS. This might indicate AT&T stashed something in there. As for your question - is SS7 relevant to phreaks? Absolutely. The very core practice of phreaking - introducing unorthodox input into the phone network - is fair game to everything, in or out of the speech channel. In the past, we've proved ISDN cause codes can trigger calls to take a different route, and it's been demonstrated that originating a ghost call (in short, an ANI fail on steroids - a call originated with no field other than the destination number) can be enough trouble that phone companies would probably scratch their heads as to whom they should send the bill to. It's understandable that figuring these things out is a challenge, but if anything, that should be a motivator. We're phone phreaks, we've got the resourcefulness to identify a piece of telco hardware by nothing more than vague sounds, and have fun in the process. This should be a reminder that there's always more to explore, and always another limit to break.
  16. 3 points
    It's a mindset. You hack to learn, you don't learn to hack.
  17. 3 points
    That sounds like a lot of work! Can I just send you my bank account numbers and social and have you help me out?
  18. 3 points
    Not to stir shit up, but I certainly agree that this forum shouldn't be a place where fake accounts come along and post allegations which result in people being terminated from their employment. If "unlucky" was indeed the victim of a violation of his privacy by an employee of trapcall/spoofcard then he should have contacted them. Also, if Lucky was fired without any evidence of a particular account being accessed by an employee, then he worked for a piece of shit company. If I were a mod, I would have deleted this thread because even if the allegations were true, there was not a shred of evidence provided, and I do not believe that this is a place for such things. Perhaps if "unlucky" simply voiced a concern over the privacy expectations when dealing with a particular service, but he didn't - he made an accusation directed at one man, without anything to back it up. That being said, it's probably all true. ...seriously.
  19. 3 points
    Stop paying for TV service. Look into "FTA" or "FTA Receivers" etc. Just read up on the "Free to Air broadcasts". You just buy a receiver, point your satellite at the orbiting satellite and you can get over 1,000 channels free.
  20. 3 points
    SCO doesn't own UNIX, at least not yet. The actual "ownership" and copyright to UNIX is a very complicated issue. All this court decision did was "reverse material aspects" of the earlier verdict from 2007 that found Novell to be the rightful copyright owner. Now there's going to be yet another trial case to determine whether SCO does in fact own the copyright. I don't think anybody seriously gives a shit about System V UNIX, UnixWare or any of SCO's other crappy, outdated products. But a company like SCO, which has been in bankruptcy for over 2 years, has virtually no market share and appears to exist these days only for the purpose of suing other companies, might well gain legal ownership of the original System V UNIX code. In other words: they might gain a legal "leg to stand on" and cause more trouble for OSS creators and vendors. For years, SCO has been bitching that Linux infringes on a copyright for the original UNIX code that it assumes it holds. They have sued companies like IBM and Novell which produce Linux-based software and distribute Linux as an OEM OS. They have disseminated propaganda to Linux users, accusing them of copyright infringement and alleging they could be liable for damages simply by running Linux. They have sued their own (former) customers who switched from using their products to using Linux. SCO is also known to have received financial backing from other, far more powerful interests whose goal is to ruin the open source software movement by any means possible. At this point, SCO clearly has nothing to lose, and Microsoft doesn't have to dirty their hands or risk hurting their own public image by attacking open source developers in court. Microsoft can just sit back and bash the OSS movement in the press, allege IP infringements, negotiate cross-licensing agreements and provide financial support to companies like SCO to file anti-OSS suits. 
This may not be a potent threat to the very existence of Linux, but it could definitely harm Linux in the business market and lead to some very bad precedents regarding OSS and software copyright/patents in general. BTW, I'm not the one who voted down your post. It's an interesting bit of news on a case I haven't really followed in a while. Thanks for posting it.
  21. 3 points
    The above is the 'official' Postal Regulation for an IBI or Information Based Indicia. All this information is contained in the 2-D barcode to the upper left of a piece of metered mail. Look at some of your junk mail and it will be very clear what I mean. It's that box that looks like Lattera's avatar. The column that says barcode are all of the data items in that 2-D barcode that I'm talking about and the Human Readable is what you can decipher when you look at it... date, time, etc. The information is digitally signed so that when the Post Office reads the mail it can be fairly certain that it came from a particular licensed meter. What's crazy is that the meter internally communicates with 'itself' using an asymmetric key system... public/private. That is, the meter contains a postal security device which is tamper resistant (of course resistance is a relative term) that sends out commands to create and sign the indicia with all the signals being encrypted. Think of it like an HTTPS setup for internal communications or more appropriately like each command being digitally signed. Digital signatures use the public/private key system so this is closer to what is happening. The whole postage meter industry is so wacky. What I mean is that to actually attack the meter directly is incredibly hard but not impossible; however, there are far easier ways to 'hack' a meter. The meter itself and access thereof is fairly easy due to primitive security. If you have physical control of a meter and a system that can interface with it you can do pretty much whatever you want. But not to be too much of a worry wart... printing postage is printing money; stamps are a legal form of tender so if you play games with this stuff the penalties are insanely harsh because of that. I know some smartass is saying to himself, "Oh then I can use it to buy my groceries?" Not exactly... unclaimed stamps can and must be refunded by the post office.
If you show up with a stamp that is legally yours or if you can 'somehow' prove that that is a stamp of yours the post office refunds the amount on the stamp. Of course it isn't an immediate refund. You can't just show up with a meter label for a hundred bucks and walk away with a c-note.
  22. 3 points
    Ohm, you obviously get off on policing binrev. Seriously, I've seen you crush countless topics with your sense of superior morality. The only thing that impresses me about you is that you always find some way to condescend. You've got a real talent.
  23. 3 points
    Clearly the best was Windows 95. Don't you miss 3 reboots a day? As for XP, it was received pretty badly at first. Pre-SP1, XP was quite buggy. Also, for the time it was resource heavy, so a lot of people complained they couldn't run it on their current machines. I always got a chuckle when people bashed Vista, yet praised XP which had similar problems at the start. Of course people were willing to bite the bullet since the alternative was Windows 98 (or for the enlightened few, Windows 2000). Now, you have XP which works and is stable, so you can sit back and poo Vista all you want. I've also had no problems with Vista. If you have a fast enough machine, there's just not much to complain about. It works, what more do you want? As long as you're listing future OSs, why not list Ubuntu 9.10?
  24. 3 points
    Great link. Who wants to mirror this and stick up a torrent?
  25. 2 points
    This might be the last time I get to hear a US West TOPS switch hassling me for money, so I thought I might record it. I didn't have a pickup coil with me at the time - still don't actually, I should probably find my way to one. But anyway, sorry about the automatic gain control. Next time I do this, I'm going to use something a little cleaner. All I had at the time was my Dialogic box, though. In case you were wondering, this switch is indeed the sort of thing you can redbox, but it typically doesn't ask you for money retroactively. It's doing this (it actually never cut me off if you're wondering; I sat there for like twenty minutes. The tops_2.wav stuff is the last thing it said) because Qwest doesn't use TOPS for operator services anymore. It's not programmed to automatically cut you off and there's no person it can call to intervene, so, well, it just lets the call go on forever. And probably raised an alarm on the console. I've never heard it myself, but the TOPS manual says it can actually get pretty aggressive; it'll call you back to try and get you to pay if you let it. I was really disappointed when it didn't. If you listen to the way it says "past", you can hear this subtle looping sound on the end of the T syllable. This is a characteristic thing the Nortel EDRAM card does - the closest we'll get to proof here that the tandem is a DMS. Funny enough, we actually do have the original files the switch is playing back; it's some form of 32k ADPCM. It's all in some sort of strange container format that nobody could ever figure out, though. If you'd like to try your luck with it though, this is the archive with all the stock EDRAM stuff. eacts0ae.bin44 has all the ACTS stuff in it: http://www71.zippyshare.com/v/1XzPMAeZ/file.html . I'll post a manual for the card at some point. The .bin44 extension implies that it's binary as per usual, but the 44 after indicates the logical record length of the file is, well, 44 bytes. tops_1.wav tops_2.wav
  26. 2 points
    970-350-00xx scan by Mountain Hell, 5/1/2018

    A rather boring 5ESS in Greeley, Colorado. CLLI code GRELCOMADS0.

    0000: fax
    0001: ringout
    0002: reorder
    0003: ringout
    0004: ring to disco/nis
    0005: tone
    0006: ring to disco/nis
    0007: disco/nis
    0008: busy
    0009: milliwatt
    0010: acb
    0011: tone
    0012: reorder
    0013: reorder
    0014: disco/nis
    0015: ringout
    0016: the number 9703500016 has been disconnected. (x2) no further information is available about this number. (off-hook tone x2)
    0017: the number 9703500017 has been disconnected. (x2) no further information is available about this number. (off-hook tone x2)
    0018: the number 9703500018 has been disconnected. (x2) no further information is available about this number. (off-hook tone x2)
    0019: ringout
    0020: carrier
    0021: ringout
    0022: ringout
    0023: ring to disco/nis
    0024: ring to disco/nis
    0025: disco/nis
    0026: busy
    0027: busy
    0028: dialtone
    0029: carrier
    0030: reorder
    0031: the number 9703500031 is in service. please try your call again. (x2) (off-hook tone x2)
    0032: ringout
    0033: ringout
    0034: ringout
    0035: you have reached greeley main ds0 970-350. (x2)
    0036: (pat fleet) this local call has changed to 10 digits. it is not necessary to dial a 1 when calling this number. please redial using area code 303. (x2)
    0037: ring to disco/nis
    0038: ring to disco/nis
    0039: disco/nis
    0040: (old lady) we're sorry, it is not necessary to dial the digits 950 before dialing your carrier access code. please hang up and try your call again. (x2)
    0041: (old lady) we're sorry, it is not necessary to dial a carrier access code for the number you have dialed. please hang up and try your call aga-- (x2)
    0042: (m) we're sorry, the number you dialed cannot be reached with the access code you dialed. please check the code and try again or call your carrier for assistance. (x2)
    0043: (pat fleet) we're sorry, due to network difficulties your long distance call cannot be completed at this time. please try your call again later. (x2)
    0044: (old lady) we're sorry, due to network difficulties your long distance call cannot be completed at this time. please try your call later. (x2)
    0045: (old lady) we're sorry, due to network difficulties your long distance call cannot be completed at this time. please try your call later. (x2)
    0046: (old lady) we're sorry, in order to complete this call, you must first dial a 1-0 and the three digit carrier access code. please try your call again or call your long distance carrier for assistance. (x2)
    0047: disco/nis
    0048: ring to disco/nis
    0049: ring to disco/nis
    0050: milliwatt (5 sec)
    0051: ring to disco/nis
    0052: ring to disco/nis
    0053: disco/nis
    0054: disco/nis
    0055: disco/nis
    0056: (f) please do not hang up. the voicemail system temporarily needs you to re-enter the number you are calling. please re-enter the number you are calling then press pound.
    0057: 105-type test
    0058: reorder
    0059: disco/nis
    0060: disco/nis
    0061: disco/nis
    0062: disco/nis
    0063: ring to acb
    0064: acb
    0065: disco/nis
    0066: (pat fleet) we're sorry, it is not necessary to dial a 1 or 0 when calling this number, will you please hang up and try your call again. (x2)
    0067: (old lady) we're sorry, you must first dial a 1 when calling this number, will you please hang up and try your call again. (x2)
    0068: disco/nis
    0069: the number you are calling was blocked and cannot be called back using your last call return service. (x2)
    0070: (deeper pat fleet) your long distance call cannot be completed because your service has been restricted. please contact your centurylink business office.
    0071: (deeper pat fleet) the number cannot be reached now. please hang up and try again later.
    0072: (pat fleet) we're sorry, you have dialed a number which cannot be reached from your calling area.
    0073: disco/nis
    0074: (some lady) telephone service has not been installed at this location. please dial 811 when you are ready to establish your home telephone service. a service representative will describe the options available to you and take your order. thank you.
    0075: (pat fleet, bad) we're sorry, your call did not go through, will you please try your call again. (x2)
    0076: (pat fleet) we're sorry, your call cannot be completed as dialed. please check the number and dial again. remember, colorado now has two area codes.
    0077: (old lady) we're sorry, your call cannot be completed as dialed. please check your instruction manual or call repair service for assistance. (x2)
    0078: (pat fleet) the number called is busy. a special ringing will tell you when the line is free. please hang up now. (x2)
    0079: (pat fleet) the number called cannot be reached. please hang up now. (x2)
    0080: (pat fleet) you have canceled your request. please hang up now. (x2)
    0081: (pat fleet) if you'd like to make a call, please hang up and try again. if you need help, hang up and then dial your operator. (x2)
    0082: (pat fleet) this call requires a coin deposit. please hang up momentarily then redial your call by first depositing the local rate posted on the instruction card. (x2)
    0083: one ring then silence
    0084: ringout
    0085: (deeper pat fleet) the last call to your telephone cannot be traced and no charge will be added to your bill. please hang up and call the centurylink call identification center at 18005820655 if you need further assistance. once again, that number is 1800582-- (x2)
    0086: (pat fleet) the number was free but it has just become busy again. please hang up. you may reactivate if you wish by redialing the original code. (x2)
    0087: (pat fleet) your call has been completed however the party you are calling is not receiving calls at this time. (x2)
    0088: silent switchman test
    0089: rings once then silence
    0090: (pat fleet) call trace cannot be activated at this time. please try again in a few minutes if you have not received another call. (x2)
    0091: ring to disco/nis
    0092: disco/nis
    0093: ring to disco/nis
    0094: ring to disco/nis
    0095: disco/nis
    0096: ring to disco/nis
    0097: ring to disco/nis
    0098: ring to disco/nis
    0099: ring to disco/nis
  27. 2 points
    Imagine if the Internet regressed back to 24.4, 33.6, or 56K for 24 hours? Will never happen, but made the start up sound on meh Windows to a 56K modem connecting. The memories. :-)
  28. 2 points
    I still use flash drives to take stuff to untrusted computers -- for example, when I take something to the print shop to be run off in large format. These types of places (print/copy shops, library, etc.) don't run a primary business of having safe, secure computers, and they let you plug in and run pretty much anything, so I will typically use a flash drive to take files, then nuke it when I get home. I don't log into anything on those computers; I've seen people at the print shop logged in with their cloud storage, email, whatever. Seems like a great way to get keylogged or your session cookie swiped or something. For moving stuff around between computers I trust, yeah, I don't really use flash drives anymore. Ironically I do still use floppies -- but that's only because part of my business is legacy systems repair/maintenance.
  29. 2 points
    Yes and no, AMPS was narrowband (+-30 kHz (15 kHz deviation)) FM when TV audio was wideband FM (~200 kHz IIRC) (mono baseband was around 20 kHz BW/10 kHz dev, then stereo difference and SAP was above that, similar to an FM radio station except the subcarrier offsets were different). The frequencies were in former TV channels 70-83 but those were reassigned for telephone and 2-way radio usage back in the mid or late 1980s. This is why many older TV sets and VCRs could monitor AMPS transmissions by playing with the fine-tuning controls when on those channels. (Somebody please feel free to correct me on those bandwidths and deviations!)
  30. 2 points
    1. A carrier in the context of a scan can either be a long distance carrier or a carrier tone from a modem, depending on where it's being said.
    2. Yes. Very much yes.
    3. In the case of long distance carriers, they have access codes that can be dialed from POTS lines. If you're talking about modems, if you have a modem yourself, usually there shouldn't be any problem connecting to the one on the distant end.
    4. It depends. Traditionally, phone companies want you to dial a carrier access code with a destination at the end - like, 101-0222-0 or 101-0725-1-202-484-0000. There are some cases where you can just dial # after the carrier access code (101-0725# is actually one that'll work with this) and get a dialtone from the toll switch. What you can do with it really depends on the carrier and how they have it set up. In that particular carrier's case, the only thing I know for sure you can dial are toll-free numbers that're run by that particular carrier. 800-711-3408 comes to mind. If you subscribe to a carrier or call it in an area with a different kind of toll switch, sometimes you'll get a dialtone where you couldn't before. That being said, if you're calling something that isn't free (like a number that doesn't answer or that toll-free number I posted. On most switches you can flash, and if you get a stutter dialtone, the call has answered), they'll send you a relatively hefty bill, like $5 for a 1 minute call - or outright block you from the network for using it without a subscription. It depends on the carrier; some are more reasonable than others. But it's best not to be in that position to begin with. So just be really careful when you're messing around with that sort of thing.

    As for scanning itself, it really depends on what you're looking for and where. In the traditional phone company test range, usually you'll find a bunch of recordings that're slapped on the announcement device. Usually there's a couple modems, maybe a DATU depending on the company, an ANAC, a loop (mostly on DMS-10s, since they can do it in software), elevators, and all sorts of other stuff. Sometimes you'll get lucky, and find some one of a kind stuff that isn't anywhere else. If you're looking on a PBX, some companies have really nice things depending on the industry they're in. For example, CNN's Atlanta PBX has a bunch of patches that let you hear network feeds, depending on the time of day; 404-878-9901. 8042, 6040, and 9982 will all give you different content, but just keep in mind that they're silent when not in use.

    5. Usually, it's a good idea to just hang up if you get a random person. Most of them will answer and say what or where they are if it's a business, unless it's someone's desk or something.
  31. 2 points
    2098886960 Identifies itself as the lab. Seems pretty cool. Check it out. burntkid
  32. 2 points
    T-Mobile? That doesn't make too much sense, T-Mobile (and its predecessors VoiceStream and Omnipoint) never operated analog networks. Matter of fact, neither did Sprint. T-Mo and Sprint were all digital from their inceptions. My first cell phone was an Omnipoint "flip" phone... the flip was just a small plastic piece that covered the numbers when flipped closed... around 1996 or so....
  33. 2 points
    Since you can't easily do MF, why not modify the code to pulse out 2600 when you push the digit keys, like the old pre-MF step tandems used? Timing should be 66 milliseconds of 2600 Hz, followed by 34 milliseconds of silence for each pulse, with about 500 milliseconds between each digit: Digit zero would be 10 sequences of 66ms/34ms 2600, with a 500ms pause before the next digit, for example. You still need to define a key to play 2600 for about 1.5 seconds for trunk seizure. You could also write the code to accept a number, then outpulse the entire number with the correct timings. There is a number on CNET that this can be used to dial with. This is essentially the method used by Cap'n Crunch and Joe Engressia to phreak step tandems or switches that accepted older SF trunks from step tandems. Routes that used this method of tone signalling were already pretty rare back in the late 60's and early 70s when they used this technique. You had to discover a number that routed through a step tandem from your dialing location, usually by trial and error. Vancouver, BC in Canada had one such switch. D.
  34. 2 points
    That 500 set is a late 70's or early 80's model, because of the plastic dial and modular connections. 50's ones had metal dials and were hardwired.
  35. 2 points
    If you use this stuff, consider the time of day. The switcher will probably be upset if his phone rings several times in the night, keep that in mind if you decide to dial around/scanning. Some of the CNET switchers don't mind scanning around. Some do. It's like hunting on someone's land without their permission. They might be fine with it, but if they aren't, make sure you act right.
  36. 2 points
    It's basically what C.N.N. tells sheeple a "hacker" is. The average person doesn't know anything about technology, so they look at what Kim Komando (or other "technology experts") write on CNN and USA Today. Total rubbish! I mean, she says, "a hacker broke into Home Depot and stole peoples' credit card numbers. Bad hackers!". So... that's what people think; architects, mail carriers, police officers, and judges. Doesn't matter what they do for a living, if Kim Komando says it's true, it's gotta be true. However, if someone kept breaking into a bank's vault and stealing money that way.... They'd say, "crap, my bank sucks. It needs a new vault and better security. Of course a burglar will sneak in and rob a bank if they leave the doors and vault unlocked or insecure".
  37. 2 points
    If you want to get the absolute lowest price for telephone service, you want "metered service" or "message rate service". This is not offered in all areas, and it might not be what you really want. In my area, it cannot be ordered (and is not offered) online, it must be ordered over the phone, and it comes out to about $14 after taxes. Essentially, that price only gives you a dial tone, and you are charged for every local call you make. Think of it like a pay phone. In my area, most local calls are also timed on message rate service, so you don't pay per-call, you pay for the amount of time you talk in 3 or 5 minute increments. If you make a lot of calls, the cost can get out of hand quickly. However, if you only make a few calls per month, or call lots of numbers that don't answer, it might be a good option. Metered service is sometimes available with or without an allowance. In my area, the service without an allowance is cheapest, but if you pay $3 extra, you get an allowance of about $5. It can save you money if you make more than $3 of calls. It makes sense if you want a line primarily to receive calls, but you really need to do the math to make sure it's a good option for placing lots of calls. Just to repeat, phone pricing is controlled by each state and as a result, pricing is not consistent nationwide. In my state, prices vary city-to-city, so the only way to find out what's available is to call the phone company and ask them. In PA, they are legally obligated to tell you all of your options starting with the lowest, but they tend to do so only if you say something like "please tell me the pricing options for telephone service starting with the cheapest". If money isn't an object, just get the bundle!
  38. 2 points
    While our holiday specials are indeed something to get hysterical about, there's no reason why we have to behave like the WalMart crowds. We're better than that. So if you decide to visit our online store to take advantage of prices so low we're practically giving it all away, please remain calm and remember that others are also in the store trying to get the best value. There's no need for denial of service attacks, buffer overflows, or pepper spray exploits. We will do our best to accommodate everyone. http://www.2600.com/news/view/article/12162
  39. 2 points
    yet once again 2600 has a trouble with their internet service, and instead of understanding that troubles happen, the copper infrastructure is old and fucked - they blame that their ISP is intentionally damaging their connection, or dragging their heels in making the repairs. makes for a great conspiracy story - perhaps you can get alex jones to write for your publication, as 2600 seems to live with the same paranoia as he does about everyone and everything... as i have mentioned before when you had an outage - 1- it is not very professional to host a server in your office - you really should rent rack space at a co-location 2- if you continue to feel the need to host the server in your mothers basement, then at least get a multi-WAN router and a secondary internet provider.. with all of the money that 2600 saves by having the community submit articles, and not having to pay writers you should not find it difficult to come up with around $200 for a multi-WAN router, and the $30-40 per month for a cable modem as a back-up... as an ex-Verizon tech i will tell you, i highly doubt that the techs are fuX0ring with your connection, nor do i believe that it is intentional that they showed and were not able to gain access... even if the trouble is in the underground, or block facilities, many techs will no-access a job if there is no access to the NID. perhaps they tested the line in the basement terminal of your building and found that the trouble was going back towards the central office, but the terminal was a block terminal, and they needed access to the underground facilities, and were unable to gain access to that terminal - i know that if i encountered a trouble like this when i worked for them i would have just turned the job back as no access other, depending on my mood i may or may not have advised the customer of the situation but more than likely i would have just kept it moving... as this appears to be a recurring trouble, it is obvious to me that there is a cable failure issue with the cabling feeding your internet connection - there is a lot of old cable out there.. so why you have not switched to FiOS, cable modem, or lightpath by now, at least for back up, is beyond me...
  40. 2 points
    The network is obviously not yours, and you do not have authorized use over it, so yes it is still illegal. I seriously doubt anyone will give you the response you are looking for. I suggest forgetting about the prank and to make out with as many high school chicks as you can while you are young, and that is still legal.
  41. 2 points
    I think he is referring to your failure to read: Pinned thread: and Announcement: http://www.binrev.com/forums/index.php/forum-4/announcement-4-malicious-questions-will-not-be-answered/ If you had a "home network" in which you wanted to find a way to attach "Two Girls and One Cup" to every outbound email as an attachment called "statistical_survey.mp4" that might have been a different story. That is legal (weird, but legal) and people could reply to that; however, your request is quite illegal, and no hacker in their right mind would feel comfortable in helping you break any law. Hackers are inquisitive folk, not hooligans that are hell bent on going to jail.
  42. 2 points
    ... *if*, and it's a big if, this is a case of an intel analyst suddenly going moronic. It's more likely he was led to believe he was a protected journalistic source, even if Lamo has Asperger's and has managed to compartmentalize and rationalize he "technically" wasn't acting as the journalist. Take how Lamo was quoted by BBC today, and try to think about the implications dispassionately. I personally and without the "full story" think this is a pretty telling quote right here, and I read it thus ... I'd be interested to see if anyone can show a reasonable alternate reading. "I was never going to write the story. I made that clear. I did say I was working closely with a journalist so maybe he was led on, but tough cookies. Poulsen and I decided privately that it's a breach of ethics if I wrote the story since the source was getting outed once they gave details". Until today, I'd tended to not bother with this story thinking it was simply a loudmouth who couldn't help but brag. Reading the BBC piece today, that quote by Lamo is *waaaaaaaay* too telling for me to think that's a certainty in good conscience any longer. I think the analyst was duped into thinking he was dealing as a protected press source. Lamo keeps his conscience clean by "technically" being the source himself, not the journalist. His quote alludes he truly believes he's the source in this story. It's bizarre.
  43. 2 points
    Then you're not starting a group but recruiting for one?
  44. 2 points
    Someone should email/message him then.
  45. 2 points
    Just wanted to add that 78hrs isn't bad for a brute-force attack. What is the key-space you have it set at? He might not be able to answer you as that post was written two years before you joined, and his last login was one year before you joined.
  46. 2 points
    Nice tute, Biosphear. I have a few notes to add: First of all, in order to crack wifi, your wireless adapter must be capable of these two functions: monitor mode and packet injection. You can think of monitor mode as sort of like "hyper-promiscuous mode for wireless cards." In monitor mode you can listen to all traffic on the air from any AP or other 802.11 device within range. "Packet injection" means crafting custom packets and sending them out on the air through your wireless adapter. If your wireless adapter's chipset does not support monitor mode and packet injection, or if there's no driver or patch available that supports these features, then sorry; you're not going to be cracking wifi networks with that adapter. There's a limited number of chipsets with available drivers to support monitor mode and injection, but luckily most of them are extremely popular so finding one is not too difficult. All the Atheros, most Realtek and Ralink, and some Broadcom chipsets are supported. In some cases a special driver is required, and sometimes it might even be necessary to apply a kernel patch to enable these features. If your adapter just won't work or will require a lot of trouble to get working, you can always buy an external USB wifi adapter. They're pretty cheap these days. If you do need a replacement adapter, I strongly recommend the Alfa AWUS036H. Retailing at $30-45, it's a freaking bargain considering its performance over similarly-priced adapters by Linksys and Netgear. It may be ugly, but this adapter is the wardriver's best friend. It's built on a well-supported Realtek chipset, and its 500mW transceiver provides perhaps the best range of any USB Wifi adapter. The best part is, you can plug in a high-gain replacement antenna which will take full advantage of the Alfa's performance. With a 7dBi antenna and optimum conditions, this thing can pick up networks a quarter-mile away. 
Regarding step 4 in Biosphear's tutorial: The device ID that Linux gives to your wireless adapter may vary from device to device and from distro to distro. Sometimes you'll see "wlan0," sometimes "ath0" or "eth1." The Alfa AWUS036H (which I pimped in the paragraph above) shows up on my netbook as "wlan0" until I use airmon-ng to put it into monitor mode, whereupon a new device ID is created with the name "mon0". When you run ifconfig, it's really not too difficult to figure out which device is your ethernet and which is your wireless. Just be aware that the device IDs may not be consistent with tutorials you find on the Internets. Before you start any cracking, type "sudo cd /root" and sudo mkdir a new directory called .ac-ng in your /root directory. If you do all your cracking from this directory you can keep all your stuff organized. All aircrack-ng tools must be run as root, so either sudo them or else type "sudo -s" at the start of every cracking operation to get a root prompt. (If you choose the second option, be sure to close the terminal after you're done working as root!) Regarding step 7 in Biosphear's tutorial: When using airodump-ng to choose a target network to crack, look for a network with a high power (PWR) and preferably one with at least a few nodes connected. Of course, you'll want one with "WEP" specified in the encoding (ENC) column. Another good thing to look for is any network with an SSID containing "2WIRE". (More about this later ) Once you've selected your target network, mkdir a new subdirectory inside /root/.ac-ng, name it after the target network's SSID, and cd into there before pointing airodump-ng at the target AP. This method will keep all your data organized by network and avoid having a crap-ton of .cap files piling up all over the place. Make a note of the network's BSSID and also the channel it's operating on. 
It's a good idea to open up a text editor and copy/paste all this info into a text document, along with the MAC addresses of any hosts connected to the target network. Name this text document after the network SSID and save it in the /root/.ac-ng/<target network SSID> directory. Go back to the terminal and hit Ctrl-C to quit airodump-ng. When you restart it, make sure to specify both the BSSID ("-b") and the channel ("-c") of the target AP, and don't forget to add "-w" followed by the filename you want to write the file to (you might want to use the target network's SSID for this as well). Between steps 9 and 10, it's important to recognize whether the target AP is filtering clients by MAC address. If the target is set up for MAC filtering, then you'll need to use a slightly different approach to crack the network. When you run your fakeauth, if you're able to connect OK, then you know MAC filtering is not enabled and you can proceed as described in Biosphear's tutorial. If, however, you start receiving deauth packets then that's a good sign that MAC filtering is enabled on the AP. If you're getting filtered out by MAC address, then you'll need to see some connected hosts in order to attack the network. If another host is connected to the network, you can run a deauth attack against that host (specify its MAC address) and then fakeauth using its MAC address in place of your own. It's important to remember that deauth attacks against a connected host will bump that host offline. Because deauth attacks tend to be 'noisy,' you should keep them to a minimum. If people on the target network keep getting repeatedly knocked offline, they'll probably realize there's something wrong with the router and you might gain the attention of a network admin. A stealthier approach in the case of MAC addy filtering is to bide your time: make a log of all the client MAC addresses connected to the target AP, then try again at a time of day when there's little or no traffic. 
Find a MAC address on your list which is not connected, then carry out your dissociation/ARP replay attacks under the guise of that trusted client. Finally, a (hopefully) useful bit of information: Due to a ridiculously stupid "ease-of-use" feature, many 2WIRE routers have a vulnerability that allows anyone who cracks the WEP key to easily gain full administrative access to the router (2WIRE wifi routers are standard equipment on AT&T, Bellsouth and Qwest home DSL networks, BTW). After cracking the WEP key of a 2WIRE router, you can easily gain admin access by the following method: 1. Connect to the network using the cracked WEP key you acquired from aircrack-ng. 2. Open a browser window and type the IP address of the 2WIRE router in the address bar. This should not be too hard to guess. For routers on AT&T service it will most likely be 192.168.1.254, but other companies might use different numbers. As usual, Google is your friend here. 3. When you get to the router setup login page, click the link for "I forgot my password." 4. The next page will have a text field with instructions to enter a number printed on a label on the bottom of the router. Instead, just enter the cracked WEP key you just used to log on to the network (the same one you acquired from aircrack-ng). 5. You're in. Now you can change any admin settings you please. If the router is filtering by MAC address, this would be a prime opportunity to add your own MAC address (spoofed, of course!) to the whitelist. I don't know if this works on all 2WIRE routers, but it seems to work on quite a lot of them. As always, this info is provided purely for educational purposes and should in no way be construed as encouragement or endorsement to fuck with other people's belongings without permission. OK?
  47. 2 points
    I scoff when everybody says they can crack WEP in two minutes. You can on some hardware, but you can't on some others. And if there are no clients on the WLAN, you can't do a deauth attack, because you can't deauth what's not authenticated. There are a lot of 'it depends' issues. Doing a traditional passive air-snort style WEP crack can be done quickly only on a VERY busy network, and some vendors (e.g. Cisco) implemented WEP better than others, so you can pass 45 gigs of data thru a Cisco AP running WEP and you'll get around 100 IV collisions. Without enough interesting packets, you can't crack WEP, period. As they say in the South, y'all can't get there from here. You can only generate enough traffic by forcing deauthentication with aireplay, but if there are no clients on the WLAN at the time, there's nothing to deauth. Now if it's a garden-variety Netgear or Symbol box, and it's got a couple of clients, that's another story, because you get plenty of IV collisions to work with. The real speed happens when you start forcing traffic with tools like aircrack-ptw which deals with ARP packets only. I'm not a Cisco bigot, but most of their APs are an embedded *NIX box, and these boxes can send SNMP trap alerts to your IDS console. So if somebody is deauth attacking a Cisco AP running WEP or WPA on a managed WLAN, it's gonna be setting off alarms, big time, at the console.
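The monitoring side that the post above ends on (a managed WLAN whose console lights up when someone forces deauthentications) is easy to reproduce in a few lines. What follows is an added example, not code from the forum post or from any vendor: a sliding-window detector that counts deauthentication and disassociation frames per (BSSID, source address) pair and raises an alert when a burst crosses a threshold. The frame records are a constructed, hypothetical capture summary (plain dicts with a timestamp, subtype and the three addresses), standing in for what a monitor-mode capture or a wireless IDS sensor would feed it; the MAC addresses and timings are made up for the example.

```python
"""Deauth/disassoc burst detector over constructed 802.11 management-frame
records. Added example, not code from the forum post; the frame dicts are a
hypothetical capture summary (constructed sample data), not a real pcap."""
from collections import defaultdict, deque

# Management-frame subtype values from IEEE 802.11 (type 0 frames).
SUBTYPE_BEACON = 0x08
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C

BROADCAST = "ff:ff:ff:ff:ff:ff"


def detect_deauth_bursts(frames, window_s=10.0, threshold=20):
    """Flag (bssid, src) pairs that emit >= threshold deauth/disassoc frames
    inside any window_s-second sliding window.

    frames: iterable of dicts with keys ts (seconds), subtype, src, dst, bssid.
    Returns a list of (bssid, src, burst_start_ts, count) tuples, one per
    burst: the alert fires the moment the count reaches threshold and is not
    repeated until the window has drained below it and refilled."""
    recent = defaultdict(deque)   # (bssid, src) -> timestamps inside the window
    alerts = []
    for f in sorted(frames, key=lambda f: f["ts"]):
        if f["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue                      # beacons, probes etc. are ignored
        key = (f["bssid"], f["src"])
        q = recent[key]
        q.append(f["ts"])
        # drop timestamps that have fallen out of the sliding window
        while q and f["ts"] - q[0] > window_s:
            q.popleft()
        if len(q) == threshold:
            alerts.append((key[0], key[1], q[0], len(q)))
    return alerts


def build_sample_frames():
    """Constructed capture summary: an AP beaconing normally, one client
    leaving politely, then a burst of broadcast deauths carrying the AP's
    own address as source (the pattern a forced-deauth tool produces)."""
    ap = "00:11:22:33:44:55"          # constructed BSSID
    client = "aa:bb:cc:dd:ee:01"      # constructed client MAC
    frames = []
    for i in range(600):              # beacons every 100 ms for 60 s
        frames.append({"ts": i * 0.1, "subtype": SUBTYPE_BEACON,
                       "src": ap, "dst": BROADCAST, "bssid": ap})
    # a single legitimate deauth: the client disconnecting at t = 5 s
    frames.append({"ts": 5.0, "subtype": SUBTYPE_DEAUTH,
                   "src": client, "dst": ap, "bssid": ap})
    # 40 broadcast deauths inside 2 s, sourced from the AP's address
    for i in range(40):
        frames.append({"ts": 20.0 + i * 0.05, "subtype": SUBTYPE_DEAUTH,
                       "src": ap, "dst": BROADCAST, "bssid": ap})
    return frames


if __name__ == "__main__":
    for bssid, src, start, n in detect_deauth_bursts(build_sample_frames()):
        print(f"ALERT bssid={bssid} src={src}: {n} deauth/disassoc frames "
              f"within 10 s starting at t={start:.2f}s")
```

The single client deauth at t = 5 s never reaches the threshold, so only the burst is reported; the threshold and window are the knobs to tune against the normal roaming churn of a given site, since a busy campus WLAN will see a steady trickle of legitimate deauths that a 20-in-10-seconds rule should still sit well above.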
  48. 2 points
    Yeah, they showed us how insecure hacker websites are, but didn't we already know this? Producing content to fill the forums is more important than securing the forums.
  49. 2 points
    Why though? Being a nuisance and preventing communication can be just as useful of a tool for "cyber-warfare" as more 'tactical strikes' with a much lower technical barrier. Also, exploits can be patched (in a perfect world, they would be patched) and then lose their value to the attacker, but a DDoS can be a right bitch to deal with. I guess that is what makes you a dangerous free thinker.... It just seems like a government like N.K., if they wanted to could possibly do better... crippling some major infrastructure or what-not. I've not researched it much, so my opinion is coming from what Mitnick stated about the attacks - something to the effect it was more teenage in nature than government. Looking at the attack, something was obviously compromised though, in order to get a botnet that large.
  50. 2 points
    .........what? Basically, the launch OS of Android (not Cupcake) had a mistyped redirect in the code, where anything typed on the G1 would be echoed to a bash session's stdin. So typing reboot would reboot, typing ls would list the current directory, typing sshd would start an sshd session, all with root privileges. It was a (very stupid) exploit that allowed full access to the Linux underpinnings of Android on the G1, even allowing people to install a full version of Debian. Oh! Thanks XD