ToneLoc v0.96

by

Minor Threat & Mucho Maas

ToneLoc is short for Tone Locator, and is a bit of a wild thing.
What it does is simple: it dials numbers, looking for some kind of tone.
It can also look for carriers like an ordinary wardialer.

It is useful for:

1. Finding PBX's.
2. Finding loops.
3. Finding dial-up long distance carriers.
4. Finding any number that gives a constant tone, or something
   that your modem will recognize as one.
5. Finding carriers.
6. Hacking PBX's.

You will need an additional program to make ToneLoc work: a FOSSIL
driver. If you don't have one, you can probably find one on any local
public domain board. Some popular (and good) ones are X00 and BNU (just
search for those and download them).

Here are the command line options for ToneLoc:

ToneLoc [DataFile] /M:[Mask] /R:[Range] /D:[ExRange] /X:[ExMask]
        /C:[Config] /S:[StartTime] /E:[EndTime] /H:[Hours] /T[-] /K[-]

You can use ":" or "-" as a delimiter. If you don't use ":" or "-",
ToneLoc will assume there is no delimiter. Example: ToneLoc [DataFile]
/M[Mask] ...

When you run ToneLoc you need to give it at least one command line
parameter. The only required parameter is a data filename; the rest are
optional. The optional parameters can come in any order. If you only
provide a filename, the filename is also used as the mask. A mask tells
ToneLoc what numbers to dial. A mask will look something like this:
555-1XXX. The X's are replaced by ToneLoc with random numbers. It will
never dial the same random number twice in the same mask. If you exit
before the mask has been exhausted, ToneLoc will save the array of
numbers dialed and their results in the data file. You should never
have more than 4 X's in a mask. ToneLoc will run, but since ToneLoc
uses integer variables, the numbers will be all screwed up, since 5 X's
would have 100,000 possible numbers, which is more than 32,768 (integer)
and 65,536 (word). If you have no idea what I'm talking about, just
trust me and don't put 5 X's in the mask.

The next command line parameter is the Mask. If you use this, your
data filename can be anything you want, and the mask will be taken from
the string following /M.

The next parameter is the range to dial (/R). This makes it easier
to specify a range of numbers without having to exclude numbers. Say
you want to dial 835-1000 - 835-2000, you would run:
TONELOC 835-xxxx /R:1000-2000.

The next parameter is the range to NOT dial (/D). Say you want to
dial 345-xxxx, but you know that 345-9000 - 345-9999 is all payphones.
Run: TONELOC 345-XXXX /D:9000-9999. ToneLoc would dial everything
except the 9000-9999 range.

The next parameter is an exclude mask (/X). This should be no more
than four characters, unlike the dial mask. It maps out which numbers NOT
to dial. For example, /X:1XXX will exclude numbers 1000-1999 from the dial
scan. You can specify multiple exclude masks, up to 10. Excluded numbers
are only excluded for the current run of ToneLoc - the flagging is not
permanent. Between your dial mask and negative masks you should be able
to obtain a good degree of specificity in your scan.

The next command line parameter (/C) is which configuration file to
use (.CFG). This file contains all of the configuration data for ToneLoc,
such as which COM port to use, the baud rate, window colors, dial string,
etc. See the configuration file for details.

The next parameter is the starting time. ToneLoc will wait until
this time to begin the dial scan. You can use either standard time
notation (5:30p) or military time (17:30) for any time parameter. You
can hit any key to start early.

The next parameter is the ending time. When this time is reached
ToneLoc will end the current scan.

The next parameter is a useful shortcut. It specifies an end time
at a certain number of hours and minutes past the start time. If you
specify a start time and a number of hours (/S:10:00p /H:5:30), the end
time will be the start time plus the number of hours desired (3:30 AM).
If you specify both an end time and a number of hours, the number of
hours will take precedence.

The next few parameters are overrides for the scan type. This
is usually set in the config file, but this parameter overrides it. To
scan for tones you'd use /T, to scan for everything except tones use /T-.
To scan for carriers you'd use /C, to scan for everything except carriers
use /C-. The inverted scan modes are useful for hacking a PBX; see
below on hacking PBX's.

The datafile should be 10012 bytes at all times. It ain't the most
efficient way, but it sure is the fastest! There can be as many data
files in the directory as you want. Don't forget to SAVE your data files,
they don't take too much space, and they are great with ToneMap.

Here are a few example command lines:

ToneLoc 346-XXXX           - Dial 346-0000 to 346-9999 using the
                             default configuration file, logging
                             dialed numbers to the data file 346-XXXX.DAT.

ToneLoc 950-5XXX /C:NINE5  - Dial 1000 numbers, from 950-5000 to 950-5999
                             (randomly), and use the configuration file
                             NINE5.CFG. This configuration file might
                             skip rings and have a short wait. This
                             could be used for dialups.

ToneLoc 474-9XXX /X:1xx    - Dial 1000 numbers, from 474-9000 to 474-9999
                             (randomly), using the default configuration
                             file TONELOC.CFG, but exclude 474-9100 to
                             474-9199. Also see the next example.

ToneLoc 474-XXXX /R:9000-9999 /X:91XX
                           - Same as above, but easier to understand.

ToneLoc 836-99XX /C:LOOP /S:21:30
                           - Dial 100 numbers, from 836-9900 to 836-9999
                             (randomly), using the config file LOOP.CFG,
                             waiting until 9:30 PM to begin dialing.
                             Notice the use of military time.

ToneLoc TEST /M555-1XXX /H:5:00 /x:3XX /x:1XX
                           - Dial the numbers from 555-1000 to 555-1999
                             for five hours maximum, saving the dialed
                             numbers to TEST.DAT, and excluding the
                             ranges 1300-1399 and 1100-1199.

ToneLoc 677-8xxx /E:8:30a  - Dial the numbers 677-8000 to 677-8999
                             until 8:30 AM, saving the dialed numbers
                             to 677-8XXX.DAT.

The optional parameters can come in any order, but the name of the
datafile MUST be the first parameter. If there is no mask specified, the
data file name is used as the mask.

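To check how a mask, /R, /D, /X and the blacklist combine before reading a scan, here is an added example (not ToneLoc's own code) that applies the rules above: it parses a ToneLoc-style command line and returns the numbers such a run would cover, in mask order rather than randomly. It assumes that /R and /D apply to the last four digits and that an exclude mask is matched against the trailing digits of the number, which is how the examples above read.

```python
import re
from itertools import product

MAX_X = 4            # the doc: more than 4 X's overflows ToneLoc's 16-bit integers
MAX_EXCLUDES = 10    # the doc: up to 10 exclude masks per run
MAX_EXCLUDE_LEN = 4  # the doc: an exclude mask is at most four characters


def parse_cmdline(argv):
    """Parse a ToneLoc-style argument list: the data file name comes first,
    then /M /R /D /X in any order; ':' or '-' after the letter is optional.
    Other switches (/C /S /E /H /T /K) are accepted but not interpreted here."""
    if not argv:
        raise ValueError("the data file name is required")
    opts = {"datafile": argv[0], "mask": None, "range": None,
            "exrange": None, "excludes": []}
    for arg in argv[1:]:
        m = re.fullmatch(r"/([A-Za-z])[:\-]?(.*)", arg)
        if not m:
            raise ValueError(f"unrecognized argument {arg!r}")
        letter, value = m.group(1).upper(), m.group(2)
        if letter == "M":
            opts["mask"] = value
        elif letter in ("R", "D"):
            lo, hi = (int(v) for v in value.split("-"))
            opts["range" if letter == "R" else "exrange"] = (lo, hi)
        elif letter == "X":
            if len(opts["excludes"]) >= MAX_EXCLUDES:
                raise ValueError("at most 10 exclude masks")
            if len(value) > MAX_EXCLUDE_LEN:
                raise ValueError("exclude mask must be 4 characters or fewer")
            opts["excludes"].append(value.upper())
    if opts["mask"] is None:          # no /M: the data file name is the mask
        opts["mask"] = opts["datafile"]
    return opts


def expand_mask(mask):
    """Yield every number the mask covers, in order (ToneLoc picks randomly)."""
    slots = [i for i, c in enumerate(mask) if c in "xX"]
    if len(slots) > MAX_X:
        raise ValueError(f"{len(slots)} X's: 10^{len(slots)} numbers "
                         "do not fit a 16-bit counter")
    for digits in product("0123456789", repeat=len(slots)):
        chars = list(mask)
        for i, d in zip(slots, digits):
            chars[i] = d
        yield "".join(chars)


def excluded_by(number, exmask):
    """True if the trailing digits of `number` fit the exclude mask, so that
    /X:1XXX covers 1000-1999 and /X:91XX covers 9100-9199 (assumption:
    right-aligned matching, as in the doc's examples)."""
    tail = re.sub(r"\D", "", number)[-len(exmask):]
    return all(e == "X" or e == d for e, d in zip(exmask, tail))


def candidates(opts, blacklist=()):
    """The numbers a run with these options would dial, in mask order."""
    black = set(blacklist)
    out = []
    for number in expand_mask(opts["mask"]):
        line = int(re.sub(r"\D", "", number)[-4:])  # last four digits (assumed /R field)
        if opts["range"] and not opts["range"][0] <= line <= opts["range"][1]:
            continue
        if opts["exrange"] and opts["exrange"][0] <= line <= opts["exrange"][1]:
            continue
        if any(excluded_by(number, ex) for ex in opts["excludes"]):
            continue
        if number in black:   # blacklist entries match the dialed string exactly
            continue
        out.append(number)
    return out


if __name__ == "__main__":
    run = parse_cmdline(["474-XXXX", "/R:9000-9999", "/X:91XX"])
    print(len(candidates(run)), "numbers would be dialed")
```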
We hope you are impressed by the way the screen looks while dialing.
The screen is split up into 3 major windows. The first window, called the
Activity Log, takes up the entire left half of the screen. It tells you
what is going on. Everything that appears here also goes to the log
file. The following messages may appear in the message log:

22:54:09 <20>
    This is written at the beginning of each run. It makes it
    easier for you to separate ToneLoc runs in the log file.

22:53:53 ToneLoc started on 12-Nov-91
    This is self explanatory.

22:53:53 Data file: 403-XXXX.DAT
    This shows which file ToneLoc is using to store the dialed
    numbers.

22:53:53 Config file: TONELOC.CFG
    This shows which file ToneLoc has loaded the configuration
    information from. TONELOC.CFG is the default configuration
    file.

22:53:53 Log file: TONE.LOG
    This shows which file ToneLoc is logging the scan to. This
    file name is set in the configuration file and can be changed
    there.

22:53:53 Mask used: 403-XXXX
    This tells what mask you used for the current run.

22:53:53 Exclude mask 1: 8XXX
    Shows which numbers you AREN'T dialing in the current run.

22:53:53 Initializing modem ...
    ToneLoc is trying to initialize the modem. It will either
    give a "Done" message or a "Failed" message. ToneLoc will
    try 3 times to initialize the modem.

22:53:53 Waiting until 09:30:00
    ToneLoc is waiting until 9:30 AM to start the current scan.
    You can hit any key to start early.

23:30:44 474-5294 - Timeout (0)
    This means the number was dialed, and nothing was found during
    the WaitDelay.

23:30:56 474-5335 - Timeout (3)
    This means the number was dialed, and nothing was found during
    the WaitDelay. The (3) indicates there were three rings.

23:31:00 474-5978 - No Fucking Dialtone
    This means when ToneLoc tried to dial, there was no
    dial tone found (your dialtone). When this happens,
    ToneLoc tries the same number that it tried previously,
    so as not to skip any.

23:39:02 474-5685 - Busy
    This means the number dialed was busy.

00:24:26 474-5989 - ** TONE **
    Holy Shit! You found a tone. It is probably either a loop,
    PBX, or dial-up LD carrier. Now it is your job to hack it
    out and use it!

00:24:26 474-5489 - Voicexx (1)
    This means your modem detected a voice answer. Good modems
    like the USR HST/DS can detect voice. X5 or X6 in your
    init string will enable this on a HST/DS. CAUTION: Detecting
    voice can many times accidentally detect some dialtones as
    voices.

06:45:43 Ringout (3)
    This means MaxRings (in this case 3) was reached and the dial
    was aborted. See below for a discussion of rings.

15:11:23 474-5555 - * Blacklisted #5 *
    This means the number was found in the BlackList file
    (the 5th entry), so it was not dialed. This is highly
    recommended for areas with Caller ID and ex-girlfriends.

00:45:21 Autosaving
    This means ToneLoc is backing up the .DAT file after the interval
    set in the config file.

04:53:12 Stopping at 10:00:21
    ToneLoc has reached the stop time specified after /E and is
    exiting the current scan.

03:00:32 All 10000 codes exhausted
    Damn, you dialed every possible number! 3 X's means 1000
    numbers are possible. 4 X's means 10,000 numbers are
    possible, etc. Like this: 10^X, where X is the number of X's
    in the mask. Math sucks.

Other messages are in response to input:

00:25:31 474-5629 - Speaker ON
    By hitting S you can toggle the speaker on and off DURING
    a scan. ToneLoc will beep high (ON) or low (OFF) depending
    on the status of the speaker. ToneLoc waits until it is
    finished with the current dial to toggle the speaker.

00:28:45 474-9091 - Volume set to 3
    By hitting a number 0-9 you can set the volume level with the
    commands defined in the Config file. You can also use them for
    customized commands.

00:25:59 474-5985 - * Noted *
    You can hit N to make a note in the log next to this number.
    Aborts current number. Use it when you find something
    interesting like a drunk cowboy yelling at you through the
    phone. Other note keys are:
        C - Carrier
        F - Fax
        G - Girl
        K - Custom note (you can type a note yourself)
        V - VMB
        Y - Yelling asshole

00:27:23 474-5239 - Jumped to DOS
    Hit J to shell to DOS. Just type EXIT to return. This will
    abort the current number being dialed, but ToneLoc will redial
    it after you return from DOS.

00:27:45 474-5722 - Redialing
    Hit R to redial the current number. Useful if a number doesn't
    "take" or you want to fuck with that drunk cowboy who answered
    last time.

00:30:45 474-5123 - Escaped
03:30:45 Dials/hour : 225
00:30:46 ToneLoc Exiting ...
    Hitting escape will abort the current number and exit the
    program. ToneLoc writes the average number of dials per hour
    to the log file.

00:28:12 474-5756 - Aborted
    Hitting any other key will abort the current number.

00:45:23 454-5365 - Paused
    Pressing P will stop the current dial and wait for another
    keypress before continuing. Good in case you want to use
    the phone for a sec.

A few keys don't have screen responses:

X : Adds 5 seconds to the WaitDelay time for this dial only. Can be
    used multiple times on the same dial.

Ok, on to the next window. The top-right corner of your screen is
the modem window. Everything that is returned from your modem is shown
here. This isn't very useful, except maybe for debugging, but it looks
neat. The last window is in the bottom-right part of the screen. It is
called the Statistics window. It shows a bunch of cool stuff like....

- The time you began scanning.
- The current time
- The maximum number of possible numbers,
  based on your mask and negative mask
- Your current Dials per Hour
- The number of numbers already dialed
- Number of responses for CD, Tone, Voice, Busy, & Ringout
- The average number of dials per hour.
- ETA - Estimated Time to Arrival (or completion)
  based on your current dials per hour and numbers left.
- The number of rings so far in the current dial.
- Last 5 tones or carriers found.

You'll also notice (you better!) the meter at the bottom right.
Pretty cool huh? It just shows the progress of the current call. This
is a graphic representation of the elapsed wait time as set in the config
file. If you can't stand to look at a still screen, set a fancy meter
wipe option in the config file.

The Black List File:
--------------------

This is a file of up to 100 numbers that ToneLoc should not dial.
Put your own numbers here, your friends' numbers, the police station,
fire department, etc. The numbers should be each on one line exactly as
ToneLoc will dial them. For example the entry "555-1212" will only
blacklist the number "555-1212", not "1-555-1212" or "5551212". If
ToneLoc comes up with one of these numbers as a candidate for a dial
attempt, it will skip it and move on to the next number.

Rings And The X Parameter:
--------------------------

This discussion refers in particular to USR modems. If you are
using another brand of modem you'll probably have to sort through the
details yourself.

This can get a little confusing so a little detail is in order.
There are several ways to deal with the RINGING message that your modem
can generate. The simplest is to simply disable it with the X4 command
in your modem init string. With X4, RINGING and VOICE will be suppressed
as responses. This is simple enough, but you won't get much diagnostic
detail in your logs. You can enable these messages with the X6 flag,
which will respond with VOICE and RINGING when it is detected.
Unfortunately, the USR is no AppleCat, and VOICE is more often than not
a false response. Of particular importance, the 2600 Hz divert tone
which precedes many PBX's (namely AT&T System 75/85s) initial dialtone
will cause a VOICE response.

X7 suppresses the VOICE response, but leaves the RINGING response.
In our experience RINGING is seldom a false response, and any potential
VOICE responses will show up as BUSY's. If you decide to use X7, you'll
need to adjust the MaxRings parameter in your config file. Experiment a
little bit to decide how to set it. If you set it to 0, the number of
rings will be recorded after Timeout messages, but it will never abort
because of rings.

After the Scan:
---------------

Well now that I have some dial tones, what the fuck do I do with
them? First, figure out what kind of a number it is.

PBX's usually have a 0-6 digit code, but they can be longer. If you
enter the correct code you will hear a second dial tone, otherwise
you will probably get a reorder (fast busy), busy, a hangup, or ringing.
Sometimes it will ring the PBX operator (ugh). Once you get the second
dialtone, dial 9+ACN (sometimes 8+ACN or even 7+ACN) to make a long
distance call. (NOTE: ACN = Area Code & Number) Some PBX's have no code,
you just need to dial 9. Sometimes the code will follow the number in
the format 9+ACN+Code. Many will also call international. See below on
hacking them.

It might also be a long-distance extender dial-up. You'll find many
of them in the prefix 950-xxxx. Sometimes it is easy to hack a code, but
please be careful! They are easy to get busted on. MCI people are dicks.
They get off on busting people, and announcing it to the world. Sprint
doesn't fuck around either, they'll bust you, but they like to keep it
quiet. Consult with local phreaks before experimenting with an
unfamiliar extender.

Here's a tip. If you scan 950's you'll find most will give either a
result of Voice, Ring, or Busy. A few will be Tones, but also a few will
be Timeouts. Investigate these - you may find something interesting,
like a voice-prompted dialup or a modem carrier.

You may also find "Phantoms". In Mucho's area there are several MCI
dialup ports that are no longer in use since the full implementation of
Equal Access. Hack all day, you won't find a code. Try and figure out
what you are hacking before you waste time on a dead end.

Now, for an explanation of loops. We'll tell you what we know about
them, which ain't a whole lot. Loops are a pair of phone numbers,
usually consecutive, like 836-9998 and 836-9999. They are used by the
phone company for some kind of testing, but we aren't sure what. What
good do loops do us? Well, they are cool in a few ways. Here is a
simple use of loops. Each loop has two ends, a 'high' end, and a 'low'
end. One end gives a (usually) constant, loud tone when it is called.
The other end is silent. Loops don't usually ring either. When BOTH ends
are called, the people that called each end can talk through the loop. Some
loops are voice filtered and won't pass anything but a constant tone;
these aren't much use to you. Here's what you can use working loops for:
billing phone calls! First, call the end that gives the loud tone.
Then if the operator or someone calls the other end, the tone will go
quiet. Act like the phone just rang and you answered it ... say "Hello"
or whatever. The operator thinks that she just called you, and that's
it! Now the phone bill will go to the loop, and the Telephone Company
will get the bill! Use this technique in moderation, or the loop may go
down. Loops are probably most useful when you want to talk to someone to
whom you don't want to give your phone number.

As for carriers.. well, we would hope you know what to do with a
carrier by now. But if you don't, I highly recommend The Mentor's
Guide to Hacking (Phrack, I forget which issue).

ToneMap - A new science?
------------------------

When we first wrote and ran ToneMap, we were amazed by what we saw.
ToneMap reads a ToneLoc .DAT file, and displays the data visually on the
screen. Big deal, right? Actually, it is a big deal. We saw more than
just scattered colors. We saw definite patterns within the prefixes we
scanned. Hopefully you took the time to print this doc file out, because
I am going to go over one of the example .DAT files with you. Ok, run
ToneMap like this: "TONEMAP 555-XXXX" and press Enter. (You need VGA.)
You should see a square of colors that takes about 2/3 of the screen.
This is a prefix. It starts at the top left (0000) and works down and to
the right (9999), so each vertical column is 100 numbers.

Here's an explanation of the colors:

BLACK       = Not yet dialed by ToneLoc
GREY        = Timeout. Lighter = more rings before timeout
ORANGE      = Busy number.
DARK BLUE   = Blacklisted number.
DARK GREEN  = RingOut. (rang too many times)
LIGHT GREEN = TONE FOUND
CYAN        = NOTED Number ('N' was pressed)
DARK RED    = Aborted (spacebar pressed)

Unless you're colorblind, you have probably already noticed a pattern
to this prefix. There are some vertical bands in the middle of the prefix
(from about 3900-5900). In fact, one ENTIRE column (3900) is all BUSY
NUMBERS! Oh by the way, you can use your cursor keys to move the white
cursor around to see where you are. The number is shown on the bottom
right corner of the screen.

What does this mean? Well, I haven't thought too hard about it yet,
but if you think about it for a little while, it starts to make a little
bit of sense. A large range of numbers that are BUSY (like the 3900 column)
are most likely a set of test numbers. Several RINGOUTS are harder to
explain. They could be residential, or they could be disconnected.
Whatever it means, one thing is for sure, there is definitely a pattern
to the way Ma Bell assigns the phone numbers. It may be up to each
individual Central Office. I scanned a prefix that is over 20 years
old, and there was NO PATTERN WHATSOEVER. The sample .DAT data files
are from an exchange using 5ESS equipment, if that matters.

It behooves you (I LOVE that word!) to scan your prefixes and study
your results. It is best to scan a prefix in one big scan (555-xxxx
rather than 555-0xxx, 555-1xxx, etc) so you can see the whole prefix at
once. I would appreciate it if you could get in contact with me
(Minor Threat or Mucho Maas) via CelerityNet and share your results with
us.

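The Activity Log messages, the statistics window counts and the ToneMap column patterns described above can all be recovered offline from the log file. This is an added example, not ToneLoc or ToneMap code, run over a constructed log written in the message formats shown above: it tallies responses, computes dials per hour across a midnight wrap, and flags hundred-number columns whose dials all gave one result (like the all-BUSY 3900 column).

```python
import re
from collections import Counter, defaultdict

# Responses the statistics window counts as completed dials
DIAL_RESULTS = ("Timeout", "Tone", "Voice", "Busy", "Ringout")

# "HH:MM:SS [NNN-NNNN - ]message"; the number is absent on info lines
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) (?:(\d{3}-\d{4}) - )?(.*)$")


def classify(message):
    """Map an Activity Log message to a result name; None for info lines."""
    m = message.strip()
    if m.startswith("Timeout"):
        return "Timeout"
    if m.startswith("** TONE **"):
        return "Tone"
    if m.startswith("Voice"):
        return "Voice"
    if m == "Busy":
        return "Busy"
    if m.startswith("Ringout"):
        return "Ringout"
    if "Blacklisted" in m:
        return "Blacklisted"
    if "Noted" in m:
        return "Noted"
    if m == "Aborted":
        return "Aborted"
    if m.endswith("Dialtone"):      # no local dial tone: ToneLoc redials the number
        return "NoDialtone"
    return None


def rings_in(message):
    """The ring count ToneLoc appends in parentheses, e.g. 'Timeout (3)' -> 3."""
    m = re.search(r"\((\d+)\)\s*$", message)
    return int(m.group(1)) if m else None


def parse_log(text):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s, number, msg = m.groups()
        entries.append({"secs": int(h) * 3600 + int(mi) * 60 + int(s),
                        "number": number, "result": classify(msg),
                        "rings": rings_in(msg)})
    return entries


def statistics(entries):
    """Counts per response and average dials per hour, as in the statistics window."""
    dials = [e for e in entries if e["result"] in DIAL_RESULTS]
    counts = Counter(e["result"] for e in dials)
    rate = None
    if len(dials) > 1:
        span = dials[-1]["secs"] - dials[0]["secs"]
        if span < 0:                # the scan ran past midnight
            span += 24 * 3600
        rate = len(dials) / (span / 3600)
    return {"dials": len(dials), "counts": dict(counts), "dials_per_hour": rate}


def uniform_columns(entries, min_dials=3):
    """ToneMap's view: each vertical column is 100 numbers. Return the columns
    (the two leading digits of the line number) whose recorded dials all gave
    the same result, like the all-BUSY 3900 column in the doc."""
    cols = defaultdict(list)
    for e in entries:
        if e["number"] and e["result"] in DIAL_RESULTS:
            cols[e["number"][-4:-2]].append(e["result"])
    return {col: rs[0] for col, rs in sorted(cols.items())
            if len(rs) >= min_dials and len(set(rs)) == 1}


# Constructed sample log in the formats the doc shows; not a real scan
SAMPLE_LOG = """\
22:53:53 ToneLoc started on 12-Nov-91
22:53:53 Mask used: 474-XXXX
23:59:00 474-5294 - Timeout (0)
23:59:20 474-3901 - Busy
23:59:40 474-5978 - No Fucking Dialtone
23:59:55 474-5978 - Busy
00:05:10 474-3902 - Busy
00:10:30 474-5989 - ** TONE **
00:15:00 474-5555 - * Blacklisted #5 *
00:20:00 474-3905 - Busy
00:29:00 474-5489 - Voicexx (1)
00:30:00 Autosaving
"""

if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print(statistics(log))
    print(uniform_columns(log))
```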
Hacking PBX's:
--------------

If the PBX code is 4 digits or less you can use ToneLoc to hack it.
The simplest way is to use ToneLoc to look for an internal dialtone.
Let's say you found a 3 digit PBX at 555-9999 which hangs up on you after
you enter a bad code. You'd use ToneLoc like this:

ToneLoc Example1 /m:555-9999Wxxx

(EXAMPLE1.DAT will be the .dat file, /m: specifies the mask.)

This will produce dialing strings like this: ATDT 555-9999Wxxx W;.
ToneLoc will dial the number, wait for a dialtone, try a code, then wait
for a second dialtone. If you get the right code, you'll get the second
dialtone, otherwise you'll just get a timeout.

Some PBX's have alert tones for invalid codes which the W command
will hear as a dialtone. You can't look for a second dialtone directly
with the W command on these PBX's, but ToneLoc has a scan mode
specifically for this problem. Set the scan mode to look for everything
except tones, either in the config file or on the command line, and use
ToneLoc like this:

ToneLoc example2 /m:555-8999WxxxW1

This will produce dialing strings like this: ATDT 555-8999WxxxW1 W;.
ToneLoc will dial the number, wait for the first dialtone, dial the
code, wait for a dialtone, dial 1, then wait for a dialtone. If the
code is invalid, the second W command will hear the alert tones as a
dialtone and dial 1. The tones should keep playing, and the third W
will respond to the alert tones too, giving a final response of Tone.
If the code is valid, the second W command will hear the internal
dialtone and the 1 will immediately quiet it since 1xx or 1xxx is a
valid extension on most PBX's. This would give a final response of
Timeout since the third W command won't find a tone - and voila, you
have your code.

This method might not work if 1xx or 1xxx isn't a valid extension
on the PBX you are trying to hack, since some PBX's will immediately
give an alert tone if you dial the first digit of an invalid extension.
If you fail the first time around, and think you might have this
problem, have a look at the phone number for the PBX indial. For
example, if the PBX indial is 555-6444, it's a good bet that some valid
extensions are in or near 4xx.

Apparently some PBX's will respond with a carrier blast to an
invalid code, although we've never found one. You can use the
everything-but-a-carrier scan mode for these, or just look for an
internal dialtone since carriers don't appear as tones to the W command.

Cautions & Usage Notes:
-----------------------

We do not have personal experience scanning 800 exchanges with
ToneLoc but we recommend that you exercise caution. First of all, if you
are looking for tones you may not get anything. Many of the PBX's or
extenders you would be looking for will answer with a short tone, about
the length of a ring. That's how ToneLoc will perceive those tones - as
a ring. Local PBX's can answer like this as well, however the 800
exchanges are more likely to have better security since they are under
constant pressure from call-sell operations as well as every code abuser
in the nation. Second, MCI and Sprint can get irritated when someone
makes thousands of calls into their 800 exchange, and, unlike a local
number, they WILL have easy access to at least your area code and
exchange, and probably your entire phone number. Since each 800 call
costs somebody money, and you aren't conducting legitimate business
during these calls, it might also be considered theft of service. I have
heard AT&T is less attentive than their competitors, but I wouldn't
trust my freedom to a rumor.

Hacking an 800 system of any kind, be it a computer, long distance
extender, PBX, or even a VMB system, can be extremely risky. We urge you
to use good judgment.

If you live in an area with the Call Return and Call Trace
functions of Caller ID active, you will definitely experience some call
returns with ToneLoc. Politely explain to anyone who calls back that you
dialed a wrong number - don't provoke them into a Call Trace. Who knows,
you may even meet a fellow hacker. If Caller ID is active, use more
caution - they could have your phone number and scanning could be
construed as harassment, especially if it happens at 3:00 am.

In any case, please use some intelligence if you are scanning
a range that belongs to a large company. Often the same operator will
have to answer dozens of incoming phone numbers, and your strange
hangups may get tiresome enough in the course of the day that he or she
might decide to do something about it. Listen in on ToneLoc to figure
out what kind of an exchange you are scanning. If it is principally a
business exchange, consider only scanning at night when the affected
businesses are closed. If it is mostly residential you might want to
scan during the day. Make intelligent use of the exclude mask to
eliminate ranges that will most likely be unproductive - pager numbers,
answering services, cellular phones, etc. If you want an overview of
your local exchanges, first try the yellow pages. You will quickly
discover where promising exchanges are. If you want greater depth, go
to your local public library and ask at the reference desk for the
criss-cross directory. A section of this directory is a listing of the
telephone numbers in an exchange. It does not list unlisted or
nonpublished numbers (PBX's will not show up, although the PBX billing
number might), but it will show you if the exchange is a residential one
or not. Ten minutes of thought can save you 40 hours of scanning.

When hacking a PBX, have some sense and do it late at night when
nobody is using the PBX. Have a little patience; you'll be glad you
did. Make sure you hack RANDOMLY - sequential hacking is a good way to
get noticed, and besides ToneLoc has a better chance of finding it
sooner.

Is Scanning Illegal? (Who cares)
--------------------

We don't know. We've heard it is legal to scan during business
hours when the call would not be harassment. We've heard it's not
illegal if you only call once. We've heard that scanning with intent to
hack is illegal, as if such a thing could be proven. (Some people
suggest not using the same phone line for hacking and scanning.)
Remember, the most important thing is not whether it is illegal, but
whether you piss someone off or attract attention.

Here's what the staff at 2600 magazine have to say about wardialing:

"In some places, scanning has been made illegal. It would be hard,
though, for someone to file a complaint against you for scanning since
the whole purpose is to call every number once and only once. It's not
likely to be thought of as harassment by anyone who gets a single phone
call from a scanning computer. Some central offices have been known to
react strangely when people start scanning. Sometimes you're unable to
get a dialtone for hours after you start scanning. But there is no
uniform policy. The best thing to do is to first find out if you've got
some crazy law saying you can't do it. If, as is likely, there is no
such law, the only way to find out what happens is to give it a try."
[2600, Spring 1990, Page 27.]

Problems?
---------

ToneLoc's tone scanning mode may not work for everyone's modem.
ToneLoc looks for tones by dialing strings like this: "ATDT 555-1234
W;". This tells the modem to dial the number 555-1234, wait for
dialtone, and then return to the command line. ToneLoc then waits for a
result code. If it gets Ringing, Voice, Busy, etc. it moves on to the
next number. If it gets nothing, the modem never heard a dialtone, so
ToneLoc hangs up and moves on - this is a timeout. If it gets "OK" as a
result code the modem has heard a tone (W waits for a dialtone) and
returned to the command line (; returns to the command line).

ToneLoc won't work if your modem isn't discriminative. Some cheap
modems "detect" dial tones just fine, but they also "detect" everything
else - rings, busys, even silence. Other modems won't wait long enough,
and will move from W to ; very quickly. If you have a problem that
doesn't stem from either of these, let us know and we'll see what we can
do to help.

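A small model, added here and not taken from ToneLoc, of how the result codes a modem returns after "ATDT <number> W;" turn into an Activity Log entry under the X4/X6/X7 settings and MaxRings described in "Rings And The X Parameter" and "Problems?" above. The X4 and X7 handling (X4 simply drops RINGING and VOICE so the modem keeps waiting, X7 reports VOICE as BUSY) is an assumption drawn from that description, not a statement about any modem's firmware.

```python
# Result codes a USR-style modem can return while "ATDT <number> W;" runs
RESULT_CODES = {"OK", "BUSY", "RINGING", "VOICE"}


def apply_x_setting(codes, x_setting):
    """Model of the Xn init-string settings described in the doc: X6 reports
    everything, X4 suppresses RINGING and VOICE, X7 suppresses VOICE (which
    the doc says then shows up as BUSY) but keeps RINGING. Assumption: a
    suppressed code is not reported at all and the modem keeps listening."""
    if x_setting not in (4, 6, 7):
        raise ValueError("x_setting must be 4, 6 or 7")
    out = []
    for code in codes:
        if code not in RESULT_CODES:
            raise ValueError(f"unknown result code {code!r}")
        if x_setting == 4 and code in ("RINGING", "VOICE"):
            continue
        if x_setting == 7 and code == "VOICE":
            code = "BUSY"
        out.append(code)
    return out


def scan_result(codes, x_setting=6, max_rings=0):
    """The Activity Log result for one dial. `codes` is the sequence of result
    codes the modem emitted during WaitDelay, in order; an empty sequence means
    it heard nothing before ToneLoc's timer ran out. "OK" means the W command
    heard a dial tone and ; returned to the command line."""
    rings = 0
    for code in apply_x_setting(codes, x_setting):
        if code == "RINGING":
            rings += 1
            if max_rings and rings >= max_rings:   # MaxRings 0: count, never abort
                return f"Ringout ({rings})"
        elif code == "OK":
            return "** TONE **"
        elif code == "BUSY":
            return "Busy"
        elif code == "VOICE":
            return f"Voice ({rings})"
    return f"Timeout ({rings})"


if __name__ == "__main__":
    # A PBX whose 2600 Hz divert tone precedes its dial tone: the false VOICE
    # masks the tone under X6, becomes Busy under X7, and only X4 lets the
    # later OK through (constructed sequence illustrating the doc's caveat).
    for x in (6, 7, 4):
        print(f"X{x}:", scan_result(["VOICE", "OK"], x_setting=x, max_rings=3))
```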
We hope you find this program useful. Give it to anyone and
everyone who deserves to have it. If you think it is very cool and
useful, try to contact us somehow. If you think it is a piece of shit
and the directions totally misguided, try to contact us anyway. Our
handles are Minor Threat and Mucho Maas. Minor Threat can be reached on
CelerityNet, Midian, Solsbury Hill, and sometimes he has a VMB or two.
(There is a separate program Minor wrote that hacks VMB's.) Mucho can
be reached on RipCo, Solsbury Hill, or on IRC.

ToneLoc is written in C and assembly. Assembled by Turbo
Assembler, and compiled by Borland C++ 2.0. Window routines are from
CXL v5.2.

Minor Threat Sez:

Thanks to Alexis Machine and Marko Ramius for teaching me most of what
I know about the phone system. Thanks to our beta testers, Dead Cow, The
Raging Golem, The Monk, Gentry, Nat X, and anyone else who I forgot (tell
me if I did). And thanks to whoever invented the telephone for doing
so. Life wouldn't be as fun without it!

[uhm, ever heard of Alexander Graham Bell?.. he's kinda famous.. sheesh...]

Mucho Maas Sez:

Thanks to Minor Threat for helping me work on ToneLoc. It should be
noted that the lion's share of the programming was done by him, and that
his code is a hell of a lot cleaner than mine. Still, somebody had to
get Minor off his ass.

For something entirely different many, many thanks to Whodo.

------------------------------------------------------------------------------

One last quote: from a newspaper editorial in the 1870's

'... carrying human voice over copper wires is impossible, and even if
it was possible, the thing would have no practical use.'

HA!