==Phrack Inc.==

Volume Three, Issue Thirty-Three, File 1 of 13

Issue XXXIII Index
________________

P H R A C K 3 3

September 15, 1991
________________

~Technology for Survival~

On December 24, 1989, Taran King and I released the 30th issue of Phrack and began to prepare for the new decade. The future of Phrack seemed bright and full of great potential. A few weeks later, Phrack was shut down by the United States Secret Service as part of a large scale attack on the world famous hacking group, the Legion of Doom. The legend of Phrack died... or did it?

Several months later, a newsletter called Phrack and listed as issue 31 appeared under the editorship of Doc Holiday. Of course it was not the original Doc Holiday from Tennessee, but instead one of the founding members of Comsec Data Security, Scott Chasin. It may have called itself Phrack, but it wasn't.

On November 17, 1990, another attempt was made to resurrect Phrack. Crimson Death and Doc Holiday were back to try again, this time calling their product "Phrack Classic." That issue was not absolutely terrible, but the tone behind the articles was misplaced. The introduction itself showed a lack of responsibility and maturity at a time when it was needed most. To complicate matters, Crimson Death failed to produce another issue of Phrack Classic until September 1, 1991, almost 10 months later. This lack of predictability and continuity has become too much of a burden on the hacker community.

I am proud to announce that a new era of Phrack has thus begun. The new Phrack is listed as Phrack 33 despite the Phrack Classic issue of September 1st. To help ease the transition, the new Phrack staff has borrowed files from PC 33 so they are chronicled correctly. Even Crimson Death has agreed that it is once again time to pass the torch. The new Phrack editor is Dispater and other people involved in working on this issue include Ninja Master, Circuit, and The Not.
Of course they are always looking for help and good articles.

The new Phrack will be run slightly differently than the old. The kind of information likely to be found in Phrack will not change drastically, but Phrack is intended for people to learn about the types of vulnerabilities in systems that some hackers might be likely to exploit. If you are concerned about your system being disrupted by computer intruders, allow the hackers who write for Phrack to point out some flaws you might wish to correct.

Phrack still strongly supports the free exchange of information and will never participate in censorship except when it would be necessary to protect an individual's personal privacy. There is a delicate balance to be found in this arena and hopefully it can be discovered. Be patient and do not judge the new Phrack without really giving it a chance to work out the bugs.

I've said my piece, now it is time to turn over the reins to Dispater. I wish him the best of luck, and for you the readers, I hope you enjoy the new Phrack as much as you have enjoyed the previous.

Sincerely,

:Knight Lightning (kl@STORMKING.COM)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

A few words from Dispater:

Phrack will be introducing a new regular column similar to a "letters to the editor" section. It will be featured as the second file in each issue, beginning with issue 34. Any questions, comments, or problems that you the reader would like to air with Phrack publicly will be answered there.

I'd really like to thank Crimson Death for his cooperation in helping us get Phrack started again. He is one of the coolest hackers I have met. We could not have done it without him. Other important people to mention are The Monk and Twisted Pair.

Thanks to Tuc, Phrack will soon be using an Internet listserver. See Phrack 34 for more details.
Phrack will also be found on various anonymous FTP sites across the Internet, including the anonymous ftp site at EFF.ORG, a Unix machine operated by the Electronic Frontier Foundation, an organization which we at Phrack respect. It can also be found at the anonymous ftp site at CS.WIDENER.EDU.

Off the Internet, we hope to establish several bulletin board systems as archive sites including Digital Underground (812)941-9427, which is operated by The Not. Submissions or letters to Phrack can be made there or on the Internet by sending mail to "phracksub@STORMKING.COM".

The new format will be a little more professional. This is because I have no desire to find myself in court one day like Knight Lightning. However, I have no intention of turning Phrack Inc. into some dry industry journal. Keeping things lite and entertaining is one of the ways that I was attracted to Phrack. I think most people will agree that there is a balance of fun and business to be maintained. If this balance is not met, you the reader, will get bored and so will I!

Check out Phrack World News Special Edition IV for the "details" on CyberView '91, the SummerCon-ference hosted by Knight Lightning that took place this past summer in St. Louis, Missouri.

_______________________________________________________________________________

Phrack XXXIII Table of Contents
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 1. Introduction to Phrack 33 by Knight Lightning and Dispater
 2. Phrack Profile of Shooting Shark by Crimson Death
 3. A Hacker's Guide to the Internet by The Gatsby
 4. FEDIX On-Line Information Service by Fedix Upix
 5. LATA Reference List by Infinite Loop
 6. International Toll Free Code List by The Trunk Terminator
 7. Phreaking in Germany by Ninja Master
 8. TCP/IP: A Tutorial Part 1 of 2 by The Not
 9. A REAL Functioning RED BOX Schematic by J.R."Bob" Dobbs
10. Phrack World News Special Edition IV (CyberView '91) by Bruce Sterling
11. PWN/Part01 by Crimson Death
12. PWN/Part02 by Dispater
13.
PWN/Part03 by Dispater

_______________________________________________________________________________

==Phrack Inc.==

Volume Three, Issue Thirty-Three, File 2 of 13

-*[ P H R A C K XXXIII P R O P H I L E ]*-

-=>[ by Crimson Death ]<=-

This issue Phrack Profile features a hacker familiar to most of you. His informative files in Phrack and the Legion of Doom Technical Journals created a stampede of wanna-be Unix hackers. Your friend and mine...

Shooting Shark
~~~~~~~~~~~~~~

Personal
~~~~~~~~

Handle: Shooting Shark
Call him: 'Shark'
Past handles: None
Handle origin: It's the title of the 3rd song on "Revolution By Night," which many consider to be Blue Oyster Cult's last good album.
Date of Birth: 11/25/66
Age at current date: 24
Approximate Location: San Francisco Bay Area
Height: 5'10"
Weight: 150 lbs.
Eye color: Hazel
Hair Color: Dark Brown
Computers: First: Apple //e. Presently: ALR Business V EISA 386/33.

------------------------------------------------------------------------------

The Story of my Hacking Career
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In 1984 I was lucky enough to be a Senior at a high school that had one of the pilot "Advanced Placement Computer Science" classes. I didn't know much about computers at the time, but I had a strong interest, so I signed up. "Advanced Placement Computer Science" meant programming in Pascal using the UCSD P-System on the newly-released Apple //e. I wasn't too crazy about programming in Pascal -- does ANYBODY really like Pascal? -- but I did enjoy the software piracy sessions that the class had after school and, much of the time, during class when the Instructor was lecturing about DO WHILE loops or something equally fascinating. Some of our favorite games at the time were ZORK II and what I still consider to be the best Apple II game ever, RESCUE RAIDERS.

A few months into the school year, I somehow convinced my mother to buy me my very own Apple //e, with an entire 64K of RAM, a monochrome monitor, and a floppy drive.
The first low-cost hard drive for the Apple II, the Sider, was $700 for 10Mb at the time, so it was out of the question.

Now at about this time, Coleco was touting their Adam add-on to the ColecoVision game unit, and they had these great guilt-inducing advertisements that had copy something like this:

TEACHER:   "I want to talk to you about Billy. He's not doing very well in school. He just doesn't seem to understand new concepts as well as the other kids. All he does is sit there and pick his nose."

CONCERNED FATHER:   "Well, golly, I just don't know what to do. It's probably because his mother drank so much when she was pregnant."

TEACHER:   "Have you considered getting Billy a computer?"

And of course the next scene showed little Billy inserting a tape cartridge into his new Adam and pecking his way to higher grades.

Such was not the case with me when I got MY computer. All I did was go home after school and play "Wizardry." I stopped doing homework and I failed 3 out of 6 classes my last semester of my Senior year of high school. Luckily enough, I had already been accepted to the local state University, so it didn't really matter. Shortly before graduating, I took the AP Computer Science test and got the minimum passing score. (I didn't feel so bad when Sir Francis Drake later told me that he failed it. Then again, he completed all the questions in BASIC.)

Worse yet, "Wargames" came out around this time. I'll admit it, my interest in hacking was largely influenced by that film. Shortly after I (barely) graduated from high school, I saved up my money and bought a (get this) Hayes MicroModem //e. It was only something like $250 and I was in 300 baud heaven. I started calling the local "use your real name" BBSs and shortly graduated to the various small-time hacker BBSs. Note that 90% of the BBSs at this time were running on Apples using Networks, GBBS or some other variant. Few were faster than 300 baud.
It was on one of these Apple Networks BBSs that I noticed some users talking about these mysterious numbers called "800 extenders." I innocently inquired as to what these were, and got a reply from Elric of Imrryr. He explained that all I needed to do was dial an 800 number, enter a six-digit code, and then I could call anywhere I wanted for FREE! It was the most amazing thing. So, I picked a handle, and began calling systems like Sherwood Forest II and Sherwood Forest III, OSUNY, and PloverNet. At their height, you could call any of these systems and read dozens of new messages containing lots of new Sprint and extender codes EVERY DAY. It was great! I kept pestering my mentor, Elric, and despite his undoubted annoyance with my stupid questions, we remained friends.

By this time, I realized that my Hayes MicroModem //e was just not where it was at, and saved up the $400 to buy a Novation Apple Cat 300, the most awesomest modem of its day. This baby had a sound generation chip which could be used to generate speech, and more importantly, DTMF and 2600Hz tones. Stupidly enough, I began blue boxing. Ironically, at this time I was living in the very town that Steve Wozniak and Steve Jobs had gotten busted in for boxing ten years previously.

And THEN I started college. I probably would have remained a two-bit Apple hacker (instead of what I am today, a two-bit IBM hacker) to this day if a friend hadn't told me that it was easy to hack into the school's new Pyramid 90x, a "super mini" that ran a BSD 4.2 variant. "The professor for the C class has created a bunch of accounts, sequentially numbered, all with the same default password," he told me. "Just keep trying them until you get an account that hasn't been used by a student yet!" I snagged an account which I still use to this day, seven years later.

At about this time, I called The Matrix, run by Dr. Strangelove. This was my first experience with Ken's FORUM-PC BBS software. Dr.
Strangelove was a great guy, even though he looks somewhat like a wood mouse (and I mean that in the nicest possible way). DSL helped me build my first XT clone for a total cost of about $400. He even GAVE me a lot of the components I needed, like a CGA card and a keyboard.

Shortly after that, The Matrix went down and was quickly replaced by IDI, run by Aiken Drum. It is here that I met Sir Francis Drake. Shortly after THAT, IDI went down and was quickly replaced by Lunatic Labs Unltd, run by my old friend The Mad Alchemist. TMA lived within walking distance of my house, so I called LunaLabs quite a bit. LunaLabs later became the home base of Phrack for a few issues when Knight Lightning and Taran King gave it up upon entering their freshman year of college.

So during this time I just got really into Unix and started writing files for Phrack. I wrote about six articles for Phrack and then one for the 2nd LOD Technical Journal, which featured a brute-force password hacker. I know, that sounds archaic, but this was back in 1984, and I was actually one of the few people in the hacker community that knew quite a bit about Unix. I've been told by several people that it was my LOD TJ article that got *them* into Unix hacking (shucks). I also wrote the original Unix Nasties article for Phrack, and on two occasions, when I was later heavily into massive Internet node hopping, I would get into a virgin system at some backwoods college like MIT and find *my file* in somebody's directory.

During 1987, I got a letter from the local FBI office. It was addressed to my real name and asked for any information I might wish to provide on a break-in in San Diego. Of course I declined, but they kept sending me more letters. Now that I was 18 years old I decided to stop doing illegal things. I know..."what a weenie." So Lunatic Labs, now being run by The Mad Alchemist, became my exclusive haunt because it was a local board.
When Elric and Sir Francis Drake took over the editorship of Phrack for a few issues, I wrote all their intro files. When my computer broke I let those days just fade away behind me. Occasionally, old associates would manage to find me and call me voice, much to my surprise. Somebody called me once and told me an account had been created for me on a BBS called "Catch 22," a system that must have been too good to last. I think I called it twice before it went down. Most recently, Crimson Death called me, asked me to write a Profile, and here we are.

What I'm Doing Now
~~~~~~~~~~~~~~~~~~

After two years in the Computer Science program in college, I switched my major to Theater Arts for three reasons: 1) Theater Arts people were generally nicer people; 2) Most CS students were just too geeky for me (note I said "most"); and, 3) I just couldn't manage to pass Calculus III! I graduated last year with a BA in Theater Arts, and like all newly graduated Theater majors, started practicing my lines, such as "Do you want fries with that?" and "Can I tell you about today's special?"

However, I managed to have the amazing luck of getting a job in upper management at one of the west coast's most famous IBM video graphics card manufacturers. My position lets me play with a lot of different toys like AutoDesk 3D Studio and 24-bit frame buffers. A 24-bit image I created was featured on the cover of the November 1990 issue of Presentation Products magazine. For a while I was the system administrator of the company's Unix system, with an IP address and netnews and the whole works. Now I'm running the company's two-line BBS -- if you can figure out what company I work for, give it a call and leave me some mail sometime.

I'm also into MIDI, and I've set my mother up with a nice little studio including a Tascam Porta One and a Roland MT-32.
I was an extra in the films "Patty Hearst" (with The $muggler) and "The Doors" (for which I put in a 22-hour day at the Warfield Theater in San Francisco for a concert scene that WAS CUT FROM THE #*%& FILM) and I look forward to working on more films in a capacity that does not require me to wear bell-bottoms. I've also acted in local college theater and I'll be directing a full-length production at a local community theater next year. I like to consider myself a well-rounded person.

Oh yeah. I also got married last October.

People I Have Known
~~~~~~~~~~~~~~~~~~~

Elric of Imrryr -- My true mentor. He got me into the business. Too bad he moved to Los Angeles.

Shadow 2600 -- Known to some as David Flory, may he rest in peace. Early in my career he mentioned me and listed me as a collaborator for a 2600 article. That was the first time I saw my name in print.

Oryan QUEST -- After I had my first Phrack article published, he started calling me (he lived about 20 miles away at the time). He would just call me and give me c0deZ like he was trying to impress me or something. I don't know why he needed me for his own personal validation. I was one of the first people to see through him and I realized early on that he was a pathological liar. Later on he lied about me on a BBS and got me kicked off, because the Sysop thought he was this great guy. Sheesh.

Sir Francis Drake -- Certainly one of the more unique people I've met. He printed a really crappy two-part fiction story I wrote in his WORM magazine. Shortly after that the magazine folded; I think there's a connection.

David Lightman -- Never met him, but he used to share my Unix account at school.

The Disk Jockey -- He pulled a TRW report on the woman that I later ended up marrying. Incidentally, he can be seen playing basketball in the background in one scene of the film "Hoosiers."
Lex Luthor -- I have to respect somebody who would first publish my article in LOD TJ and then call me up for no reason a year later and give me his private Tymnet outdial code.

Dr. Strangelove -- He runs a really cool BBS called JUST SAY YES. Call it at (415) 922-2008. DSL is probably singularly responsible for getting me into IBM clones, which in turn got me my job (how many Apple // programmers are they hiring nowadays?).

BBSs
~~~~

Sherwood Forest II and III, OSUNY -- I just thought they were the greatest systems ever.

Pirate's Bay -- Run by Mr. KRACK-MAN, who considered himself the greatest Apple pirate that ever lived. It's still up, for all I know.

The 2600 Magazine BBS -- Run on a piece of Apple BBS software called TBBS. It is there that I met David Flory.

The Police Station -- Remember THAT one?

The Matrix, IDI, Lunatic Labs -- Three great Bay Area Forum-PC boards.

Catch-22 -- 25 Users, No Waiting!

And, of course, net.telecom (the original), comp.risks, rec.arts.startrek...

Memories
~~~~~~~~

Remember Alliance Teleconferencing? Nothing like putting the receiver down to go get something to eat, forgetting about it, coming back in 24 hours, and finding the conference still going on.

Playing Wizardry and Rescue Raiders on my Apple //e until I lost the feeling in my fingers...

Carding 13 child-sized Garfield sleeping bags to people I didn't particularly care for in high school...

Calling Canadian DA Ops and playing a 2600Hz tone for them was always fun.

Trashing all the local COs with The Mad Alchemist...

My brush with greatness: I was riding BART home from school one night a few years ago when Steve Wozniak got onto my car with two of his kids. He was taking them to a Warriors game. I was the only person in the car that recognized him. He signed a copy of BYTE that I happened to have on me and we talked about his new venture, CL-9, the universal remote controller. (Do you know anybody who ever BOUGHT one of those?)
....And now, for the question
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"Of the general population of phreaks you have met, would you consider most phreaks, if any, to be computer geeks?"

Back in my Apple pirating days, I met quite a few young men who were definitely members of the Order of the Geek. However, I can count the number of true phreaks/hackers I have met personally on one hand. None of them are people I'd consider geeks, nerds, spazzes, dorks, etc. They're all people who live on the fringe and do things a bit differently -- how many LEGAL people do you know that have a nose ring? -- but they're all people I've respected.

Well, let me take back what I just said. Dr. Strangelove looks kinda geeky in my opinion (my mother thinks he's cute, but then again she said that Sir Francis Drake is "cute" and when I told him that it bothered him to no end), but I consider him a good friend and a generally k-kool d00d. (I'm sure I'll be getting a voice call from him on that one...)

The only phreak that I've ever taken a genuine disliking to was Oryan QUEST, but that was only because he was a pathological liar and a pest. Who knows, he might be a nice person now, so no offense intended, especially if he knows my home address.

So, Anyway...

-> Thanks for your time Shooting Shark.

Crimson Death

_______________________________________________________________________________

==Phrack Inc.==

Volume Three, Issue Thirty-Three, File 3 of 13

______________________________________________________________________________

A Hacker's Guide to the Internet
By The Gatsby
Version 2.00 / AXiS / July 7, 1991

______________________________________________________________________________

1 Index
~~~~~~~~~

Part:  Title:
~~~~   ~~~~~
 1     Index
 2     Introduction
 3     Glossary, Acronyms, and Abbreviations
 4     What is the Internet?
 5     Where You Can Access The Internet
 6     TAC
 7     Basic Commands
         a  TELNET command
         b  ftp ANONYMOUS to a Remote Site
         c  Basic How to tftp the Files
         d  Basic Fingering
 8     Networks
 9     Internet Protocols
10     Host Names and Addresses

2 Introduction
~~~~~~~~~~~~~~~~

The original release of this informative file was in an IRG newsletter, but it had some errors that I wanted to correct. I have also added more technical information. This file is intended for the newcomer to the Internet and people (like me) who are not enrolled at a university with Internet access. It covers the basic commands, the use of the Internet, and some tips for hacking through the Internet. There is no MAGICAL way to hack a UNIX system. If you have any questions, I can be reached on a number of boards.

  - The Crypt       - 619/457+1836 - Call today
  - Land of Karrus  - 215/948+2132
  - Insanity Lane   - 619/591+4974
  - Apocalypse NOW  - 2o6/838+6435 - <*> AXiS World HQ <*>

Mail me on the Internet:

  gats@ryptyde.cts.com
  bbs.gatsby@spies.com

The Gatsby

*** Special Thanks go to Haywire (a/k/a Insanity: SysOp of Insanity Lane), Doctor Dissector, and all the members of AXiS.

3 Glossary, Acronyms, and Abbreviations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ACSE - Association Control Service Element, the OSI service used by applications to set up and release associations.

ARP - Address Resolution Protocol, used to map an IP address to the Ethernet (hardware) address of the host that owns it.

ARPA - Advanced Research Projects Agency. See DARPA.

ARPANET - The experimental PSN built by ARPA starting in 1969. It was the first network of what became the Internet; it was formally decommissioned in 1990, after its traffic had moved to newer backbones.

CCITT - International Telegraph and Telephone Consultative Committee, an international committee that sets standards. I wish they would set a standard for the way they present their name!

CERT - Computer Emergency Response Team; they are responsible for coordinating many security incident response efforts.
They have real nice reports on "holes" in various UNIX variants, which you should get because they are very informative.

CMIP - Common Management Information Protocol, the OSI network management protocol (the OSI counterpart of SNMP).

CLNP - Connectionless Network Protocol, the OSI equivalent of the Internet IP.

DARPA - Defense Advanced Research Projects Agency. See ARPANET.

DDN - Defense Data Network.

driver - a program that speaks a network protocol on your behalf; examples are telnet, ftp and rlogin.

ftp - File Transfer Protocol, used to copy files from one host to another.

FQDN - Fully Qualified Domain Name, the complete hostname that reflects the domains of which the host is a part.

Gateway - A computer that interconnects networks (what is now more often called a router).

Host - A computer connected to the network.

Hostname - The name that officially identifies each computer attached to the internetwork.

Internet - The specific IP-based internetwork.

IP - Internet Protocol, the standard that lets dissimilar hosts communicate.

ICMP - Internet Control Message Protocol, which carries error and control messages for IP (ping, for example, uses ICMP echo).

LAN - Local Area Network.

MAN - Metropolitan Area Network.

MILNET - The DDN unclassified operational military network.

NCP - Network Control Protocol, the official network protocol from 1970 until 1982.

NIC - DDN Network Information Center.

NUA - Network User Address, the address of a host on an X.25 network.

OSI - Open Systems Interconnection, an international standardization program to facilitate communications among computers of different makes and models.

Protocol - The rules for communication between hosts, controlling the information by making it orderly.

PSN - Packet Switched Network.

RFC - Request For Comments, the technical documents that define the Internet protocols. You can fetch them by anonymous ftp from NIC.DDN.MIL.

ROSE - Remote Operations Service Element, a protocol used along with OSI applications.

TAC - Terminal Access Controller, a computer that allows dial-up direct access to the Internet.
TCP - Transmission Control Protocol, the reliable, connection-oriented transport that telnet, ftp and most other Internet applications run over.

TELNET - Protocol for opening a transparent terminal connection to a distant host.

tftp - Trivial File Transfer Protocol, a simple way to transfer data from one host to another. It runs over UDP and has no login at all.

UDP - User Datagram Protocol, the connectionless transport used by tftp and others.

Unix - Unix is a trademark of AT&T, but I use the word to cover all the look-alike Unix systems as well, which you will run into more often.

UUCP - Unix-to-Unix Copy Program, a protocol for UNIX file transfers. It runs over dial-up phone lines with its own link protocols, and also over X.25 and TCP/IP. Implementations also exist for VMS and MS-DOS.

uucp - uucp in lower case refers to the UNIX command uucp. For more information on uucp read the files by The Mentor in the Legion of Doom Technical Journals.

WAN - Wide Area Network.

X.25 - CCITT's standard protocol for connecting a host to a packet switched network.

In this file I have used several special characters to signify certain things. Here is the key:

* - Buffered from UNIX itself. You will find this on the left side of the margin. This is normally "how to do" or just "examples" of what to do when using the Internet.

# - Commands, or something that must be typed in.

4 What is the Internet?
~~~~~~~~~~~~~~~~~~~~~~~~~

To understand the Internet you must first know what it is. The Internet is a group of various networks; ARPANET (an experimental WAN) was the first. ARPANET started in 1969, and this experimental PSN used the Network Control Protocol (NCP). NCP was the official protocol of the Internet (at that time also known as the DARPA Internet or ARPA Internet) from 1970 until 1982. During the 1970s DARPA developed the Transmission Control Protocol/Internet Protocol (TCP/IP), which replaced NCP as the official protocol on January 1, 1983 and remains so today, but much more on this later. In the same year ARPANET split into two networks, MILNET and ARPANET (both part of the DDN). The expansion of Local Area Networks (LAN) and Wide Area Networks (WAN) helped make the Internet 2,000+ networks strong. The networks include NSFNET, MILNET, NSN, ESnet and CSNET.
Though the largest part of the Internet is in the United States, the Internet also connects TCP/IP networks in Europe, Japan, Australia, Canada, and Mexico.

5 Where You Can Access the Internet
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Internet access is most likely to be found through the Local Area Networks (LANs) and Wide Area Networks (WANs) of a connected site. LANs are networks permitting the interconnection and intercommunication of a group of computers, primarily for the sharing of resources such as data storage devices and printers. LANs cover a short distance (less than a mile) and are almost always within a single building complex. WANs are networks designed to carry data calls over long distances (many hundreds of miles).

You can also reach the Internet through TymNet or Telenet via a gateway. You'll have to find your own NUAs though.

6 TAC
~~~~~~~

A TAC (terminal access controller) is another way to access the Internet. This is simply a dial-up terminal connection to a terminal access controller; you will need an account and a password. TACs have direct access to MILNET. One example of a TAC dialup is (800)368-2217, but there are several out there to be found. In fact, CERT has a report circulating about people attempting to find these dialups through social engineering.

If you want the TAC manual you can write a letter to:

  Defense Communications Agency
  Attn: Code BIAR
  Washington, DC 2o3o5-2ooo

Be sure to write that you want the TAC User Guide, 310-p70-74. In order to log on, you will need a TAC Access Card, which you would get from the DDN NIC. Here is a sample logon:

Use Control-Q for help...

*
* PVC-TAC 111: 01          \ the TAC uses this to identify itself
* @ #o 124.32.5.82         \ 'o' for open, followed by the Internet
*                            address you want to call
*
* TAC Userid: #THE.GATSBY
* Access Code: #10kgb0124
* Login OK
* TCP trying...Open
*

7 Basic Commands
~~~~~~~~~~~~~~~~~~

a: Basic TELNET Commands

Situation: You have an account on a UNIX system that is a host on the Internet.
Now you can access the entire world! Once on the UNIX system you should see a prompt, which can look like '$' or '%' (it depends on what shell you are in and the type of Unix system). At the prompt you can run all the normal UNIX commands, but on an Internet host you can also type 'telnet', which will bring you to the 'telnet' prompt.

*
* $ #telnet
*   ^   ^
*   |   |
*   |   the command that brings you to the telnet prompt
*   a normal UNIX prompt
*

You should get this:

*
* telnet>
*

At this prompt you have a whole different set of commands, which are as follows (this comes from UCSD, so it may vary from place to place).

*
* telnet> #help
*
* close    close current connection
* display  display operating parameters
* open     connect to a site
* quit     exit telnet
* send     transmit special character
* set      set operating parameters
* status   print status information
* toggle   toggle operating parameters
* ?        to see what you are looking at now
*

close - closes the current connection (useful when you have several connections going or are jumping between systems) and drops you back to the telnet> prompt.

display - shows the operating parameters currently in effect, including the special characters, which by default look like this:

*   ^E  echo.
*   ^]  escape.
*   ^H  erase.
*   ^O  flushoutput.
*   ^C  interrupt.
*   ^U  kill.
*   ^\  quit.
*   ^D  eof.

open - type 'open [host]' to connect to a system. The host may be given by name or by numeric Internet address (four numbers separated by dots), and may also be given directly on the UNIX command line:

*
* $ #telnet ucsd.edu
*

or

*
* telnet> #open [hostname or Internet address]
*

quit - leaves telnet and returns you to UNIX.

send - transmits a special character or sequence (for example an interrupt or break) to the remote host. Despite the name, it does not send files; use ftp for that.

set - sets one of the special characters:

  echo        - character to toggle local echoing on/off
  escape      - character to escape back to telnet command mode

  The following need 'localchars' to be toggled on:

  erase       - character to cause an Erase Character
  flushoutput - character to cause an Abort Output
  interrupt   - character to cause an Interrupt Process
  kill        - character to cause an Erase Line
  quit        - character to cause a Break
  eof         - character to cause an EOF

? - display help information

b: ftp ANONYMOUS to a remote site

ftp, or file transfer protocol, is used to copy files from a remote host to the one that you are on. You can copy anything the server lets you read.
Security has really clamped down on the passwd file, but it will still work here and there (always worth a shot). This could be useful when you see an Internet CuD (Computer Underground Digest) site that accepts anonymous ftp, and you want to read the CuDs, but do not feel like wasting your time on boards downloading them. The best way to start out is to ftp a directory listing to see what you are getting.

Example: The CuD archive site has an Internet address of 192.55.239.132 and my account name is "gats".

*
* $ #ftp
*   ^  ^
*   |  |
*   |  the ftp command
*   a UNIX prompt
*
* ftp> #open 192.55.239.132
* Connected to 192.55.239.132
* 220 192.55.239.132 FTP Server (sometimes the date, etc)
* Name (192.55.239.132:gats): #anonymous
*

The Name prompt shows the Internet address you are connecting to and, in parentheses, the name of your local account. Type 'anonymous' unless you have an account on 192.55.239.132.

*
* Password: #gats
*

By convention you give your e-mail address as the password for an anonymous login; most servers accept anything you type here, and they usually do not check it.

*
* % ftp 192.55.239.132
* Connected to 192.55.239.132
* ftp> #ls
*

You are connected now, so you can ls it. Just move around like you would on a normal Unix system. Most of the commands still apply on this connection.

Here is an example of me getting a copy of the Electronic Frontier Foundation's Effector (issue 1.04) from the CuD archive at Internet address 128.135.12.60 (chsun1).

*
* % #ftp
* ftp> #open 128.135.12.60
* Trying 128.135.12.60...
* 220 chsun1 FTP server (SunOS 4.1) ready.
* Name (128.135.12.60:gatsby): anonymous
* 331 Guest login ok, send ident as password.
* Password: #gatsby
* 230 Guest login ok, access restrictions apply.
* ftp> #ls
* 200 PORT command successful.
* 150 ASCII data connection for /bin/ls (132.239.13.10,4781) (0 bytes).
* .hushlogin
* bin
* dev
* etc
* pub
* usr
* README
* 226 ASCII Transfer complete.
* 37 bytes received in 0.038 seconds (0.96 Kbytes/s) * ftp> _________________________________________________________________________ | | This is where you can try to 'cd' the "etc" dir or just 'get' | /etc/passwd, but grabbing the passwd file this way is a dieing art. |_________________________________________________________________________ * ftp> #cd pub * 200 PORT command successful. * ftp> #ls * ceremony * cud * dos * eff * incoming * united * unix * vax * 226 ASCII Transfer cmplete. * 62 bytes received in 1.1 seconds (0.054 Kbytes/s) * ftp> #cd eff * 250 CWD command successful. * ftp> #ls * 200 PORT command successful. * 150 ASCII data connection for /bin/ls (132.239.13.10,4805) (0 bytes). * Index * eff.brief * eff.info * eff.paper * eff1.00 * eff1.01 * eff1.02 * eff1.03 * eff1.04 * eff1.05 * realtime.1 * 226 ASCII Transfer complete. * 105 bytes received in 1.8 seconds (0.057 Kbytes/s) * ftp> #get * (remote-file) #eff1.04 * (local-file) #eff1.04 * 200 PORT command successful. * 150 Opening ASCII mode data connection for eff1.04 (909 bytes). * 226 Transfer complete. * local: eff1.04 remote: eff1.04 * 931 bytes received in 2.2 seconds (0.42 Kbytes/s) * ftp> #close * Bye... * ftp> #quit * % * To read the file you can just 'get' the file and buffer it. If the files are just too long, you can 'xmodem' it off the host you are on. Just type 'xmodem' and that will make it much faster to get the files. Here is the set up (as found on ocf.berkeley.edu). 
If you want to:                                            type:

send a text file from an apple computer to the ME          xmodem ra
send a text file from a non-apple home computer            xmodem rt
send a non-text file from a home computer                  xmodem rb
send a text file to an apple computer from the ME          xmodem sa
send a text file to a non-apple home computer              xmodem st
send a non-text file to a home computer                    xmodem sb

xmodem will then display:

 *
 * XMODEM Version 3.6 -- UNIX-Microcomputer Remote File Transfer Facility
 * File filename Ready to (SEND/BATCH RECEIVE) in (binary/text/apple) mode
 * Estimated File Size (file size)
 * Estimated transmission time (time)
 * Send several Control-X characters to cancel
 *

Hints - File transfer can be an iffy endeavor; one thing that can help is to
tell the annex box not to use flow control. Before you do rlogin, type

    stty oflow none
    stty iflow none

at the annex prompt. This works best coming through 2-6092.

Some special commands used during an ftp session are cdup (same as cd ..)
and dir (gives a detailed listing of the files).

c: How to tftp the Files

tftp (Trivial File Transfer Protocol; the command is NOT in caps, because
UNIX is case sensitive) is a command used to transfer files from host to
host. This command is sometimes used like ftp, in that you can move around
using UNIX commands. I will not go into this part of the command, but I will
go into the basic format and structure to get the files you want. Moreover,
I will be covering how to flip the /etc/passwd out of remote sites.

There is a little trick that has been around a while. It helps you to "flip"
the /etc/passwd file out of different sites, which gets you the passwd file
without breaking into the system. Then just run Brute Hacker (the latest
version) on the thing and you save time and energy. This 'hole' (not
referring to the method of obtaining Unix superuser status) may be found on
SunOS 3.X, but has been fixed in 4.0. It has sometimes appeared in System V,
BSD and a few others.
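The same trick seen from the side of the site being asked for its passwd file: the following is an added example, not code from the article, that reads tftpd log lines and flags read requests that reach outside the boot-file area, counting them per source so repeated attempts stand out. The log lines are constructed in the common syslog style "RRQ from <addr> filename <path>", and the directory name /tftpboot is an assumption; check your own server's log format and served directory before using the pattern. Servers that confine tftp to a single directory close the hole; logging like this shows whether anyone is probing for it.

```python
"""Flag tftp read requests for files outside the boot-file area.

Added example (not from the article).  Sample log lines below are
constructed in a syslog-style tftpd format; the regex and the allowed
directory are assumptions to be checked against the real server.
"""
import re
from collections import Counter

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
Jun 10 22:25:01 sunshine in.tftpd[4021]: RRQ from 132.239.13.10 filename /tftpboot/boot.sun3
Jun 10 22:25:07 sunshine in.tftpd[4022]: RRQ from 132.239.13.10 filename /etc/passwd
Jun 10 22:25:09 sunshine in.tftpd[4023]: RRQ from 132.239.13.10 filename /etc/passwd
Jun 10 22:26:30 sunshine in.tftpd[4031]: RRQ from 128.135.12.60 filename ../../etc/passwd
Jun 10 22:27:02 sunshine in.tftpd[4040]: RRQ from 10.0.0.7 filename /tftpboot/diskless.conf
Jun 10 22:27:10 sunshine in.tftpd[4041]: WRQ from 10.0.0.7 filename /tftpboot/upload.tmp
"""

# Matches a read (RRQ) or write (WRQ) request line in the assumed format.
REQ_RE = re.compile(r"(?P<op>RRQ|WRQ) from (?P<src>\S+) filename (?P<path>\S+)")

# Only files under this tree should ever be served (assumed boot-file area).
ALLOWED_PREFIX = "/tftpboot/"


def is_sensitive(path):
    """True if the requested path is not confined to the boot-file area.

    Resolves '..' components first, so '../../etc/passwd' and
    '/tftpboot/../etc/passwd' are caught as well as a literal '/etc/passwd'.
    """
    parts = []
    for comp in path.split("/"):
        if comp == "..":
            if parts:
                parts.pop()
        elif comp not in ("", "."):
            parts.append(comp)
    normalised = "/" + "/".join(parts)
    return not normalised.startswith(ALLOWED_PREFIX)


def scan_tftp_log(text):
    """Return (hits, per-source counts).

    hits is a list of (source address, requested path) for every request
    that escapes the boot-file area; the Counter makes repeat offenders
    visible at a glance, which is the pattern the article's staff notice
    describes.
    """
    hits = []
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if m and is_sensitive(m.group("path")):
            hits.append((m.group("src"), m.group("path")))
    return hits, Counter(src for src, _ in hits)


if __name__ == "__main__":
    hits, counts = scan_tftp_log(SAMPLE_LOG)
    for src, path in hits:
        print(f"suspicious request from {src}: {path}")
    for src, n in counts.most_common():
        print(f"{src}: {n} request(s) outside {ALLOWED_PREFIX}")
```

Run against the constructed sample it reports three suspicious requests, two of them from the same source.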
The only problem with this 'hole' is that the system manager will often
realize what you are doing. The problem occurs when attempts to tftp the
/etc/passwd happen too many times. You may see this (or something like this)
when you log on to your account. This was buffered off of plague.berkeley.edu.
I guess they knew what I was doing.

 *
 * DomainOS Release 10.3 (bsd4.3) Apollo DN3500 (host name):
 * This account has been deactivated due to use in system cracking
 * activities (specifically attempting to tftp /etc/passwd files from remote
 * sites) and for having been used or broken in to from . If the legitimate
 * owner of the account wishes it reactivated, please mail to the staff for
 * more information.
 *
 * - Staff
 *

The tftp is used in this format:

    tftp -g <any name> <Internet address> /etc/passwd <netascii> &

Command           -g is to get the file; this will copy the file onto your
                  'home' directory, thus you can do anything with the file.

Any Name          If you're going to copy it to your 'home' directory, it
                  needs a name.

Internet Address  This is the address that you want to snag the passwd file
                  from. There are hundreds of thousands of them.

/ETC/PASSWD       THIS IS THE FILE THAT YOU WANT. You do not want John
                  Smith's even though it would be trivial to retrieve it.

netascii          This is how you want the file to be transferred.

&                 Welcome to the power of UNIX: it is multitasking, and this
                  little symbol placed at the end will allow you to do other
                  things (such as grab the passwd file from the UNIX that
                  you are on).

Here is the set up: We want to get the passwd file from sunshine.ucsd.edu.
The file in your 'home' directory is going to be named 'asunshine'.

 *
 * $ #tftp -g asunshine sunshine.ucsd.edu /etc/passwd &
 *

d: Basic Fingering

Fingering is a real good way to get an account on remote sites. Typing 'who'
or just 'finger' gives you names to "finger". This will give you all kinds of
information on the person's account.
Here is an example of how to do it:

 *
 * % #who
 * joeo      ttyp0    Jun 10 21:50  (bmdlib.csm.edu)
 * gatsby    ttyp1    Jun 10 22:25  (foobar.plague.mil)
 * ddc       crp00    Jun 10 11:57  (aogpat.cs.pitt.edu)
 * liliya    display  Jun 10 19:40
 *
 * /and fingering what you see
 *
 * % #finger bbc
 * Login name: ddc                       In real life: David Douglas Cornwall
 * Office: David C. Co
 * Directory: //aogpat/users_local/bdc   Shell: /bin/csh
 * On since Jun 10 11:57:46 on crp00 from aogpat           Phone 555-1212
 * 52 minutes Idle Time
 * Plan: I like to eat apples and bananas.
 * %
 *

Now you could just call (or Telnet to) 'aogpat.cs.pit.edu' and try to hack
out an account. Try the last name as the password, the first name, the middle
name, and try them all backwards. The chances are real good that you WILL get
in because people are stupid. If there are no users online for you to type
"who" you can just type "last" and all of the users who logged on will come
rolling out. Now "finger" them. The only problem with using the "last"
command is aborting it.

You can also try telephoning individual users and telling them you are the
system manager (i.e. social engineer them). However, I have not always seen
phone numbers in everyone's ".plan" file (the file you see when you finger
the user).

8 Other Networks
~~~~~~~~~~~~~~~~~

AARNet - Australian Academic and Research Network. This network supports
research for various Australian Universities. This network supports TCP/IP,
DECnet, and OSI (CLNS).

ARPANET - We've already discussed this network.

BITNET - Because It's Time NETwork (BITNET) is a worldwide network that
connects many colleges and universities. This network uses many different
protocols, but it does use TCP/IP.

CREN CSNET - Corporation for Research and Educational Network (CREN) or
Computer + Science research NETwork (CSNET). This network links scientists at
sites all over the world. CSNET provides access to the Internet, CREN to
BITNET. CREN is the name more often used today.
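The finger passage above is, from the system side, an argument for refusing passwords that can be read straight out of the passwd/GECOS fields. The following is an added example, not code from the article: a check, modelled on the GECOS test that password-quality checkers perform at password-change time, that rejects a candidate password equal to any name in the user's record, its reverse, or such a name padded with digits. The user record is constructed from the finger output shown above.

```python
"""Reject passwords guessable from a user's finger/passwd details.

Added example (not from the article).  The login name and GECOS string
below are constructed from the finger output the article shows.
"""
import re

# Constructed sample record: login name and the GECOS field as it would
# appear in /etc/passwd (real name, office, phone).
SAMPLE_LOGIN = "ddc"
SAMPLE_GECOS = "David Douglas Cornwall,David C. Co,555-1212"


def gecos_words(login, gecos):
    """Return the words an attacker would try first: every alphabetic
    token of three or more letters in the GECOS field, the login name,
    and each of those reversed (the article's 'try them all backwards')."""
    words = set()
    for tok in re.split(r"[\s,;.]+", gecos.lower()):
        if len(tok) >= 3 and tok.isalpha():
            words.add(tok)
    words.add(login.lower())
    words |= {w[::-1] for w in words}
    return words


def password_is_guessable(login, gecos, candidate):
    """True if the candidate, once lower-cased and stripped of leading or
    trailing digits, is one of the GECOS-derived words."""
    core = re.sub(r"^\d+|\d+$", "", candidate.lower())
    return core in gecos_words(login, gecos)


def check_candidates(login, gecos, candidates):
    """Return {candidate: 'rejected' | 'ok'} for a batch of proposed passwords."""
    return {
        c: ("rejected" if password_is_guessable(login, gecos, c) else "ok")
        for c in candidates
    }


if __name__ == "__main__":
    proposed = ["Cornwall", "llawnroc", "David99", "ddc", "tr0ut-&-bicycle"]
    for cand, verdict in check_candidates(SAMPLE_LOGIN, SAMPLE_GECOS, proposed).items():
        print(f"{cand:<18} {verdict}")
```

Anything finger can show a stranger is, by construction, not a secret; this check only encodes that rule. It does not replace a dictionary check, which catches the common words the article's "Brute Hacker" style tools try next.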
CSUNET - California State University Network (CSUNET). This network connects
the California State University campuses and other universities in
California. This network is based on the CCITT X.25 protocol, and also uses
TCP/IP, SNA/DSLC, DECnet, and others.

The Cypress Net - This network started as an experimental network. The use of
this network today is as a connection to the TCP/IP Internet at a cheap
price.

DRI - Defense Research Internet is a WAN that is used as a platform from
which to work. This network has all kinds of services, such as multicast
service, real-time conferencing and more. This network uses TCP/IP (also see
RFC 907-A for more information on this network).

ESnet - This is the new network operated by the Department of Energy's Office
of Energy Research (DoE OER). This net is the backbone for all DoE OER
programs. This network replaced the High Energy Physics DECnet (HEPnet) and
also the Magnetic Fusion Energy network (MFEnet). The protocols offered are
IP/TCP and also DECnet service.

JANET - JANET is a Joint Academic NETwork based in the UK, connected to the
Internet. JANET is a PSN (information has to pass through a PAD) using the
protocol X.25, though it does support TCP/IP. This network also connects to
PSS (Packet Switched Service is a PSN that is owned and operated by British
Telecom).

JUNET - Japan's university message system using UUCP, the Internet as its
backbone, and X.25 (see RFC 877). This network is also a part of USENET
(this is the network news).

Los Nettos - Los Nettos is a high speed MAN in the Los Angeles area. This
network uses IP/TCP.

MILNET - When ARPANET split, the DDN was created and MILNET (MILitary
NETwork) is also a part of the network. MILNET is unclassified, but there are
three other classified networks that make up the DDN.

NORDUNet - This net is the backbone to the networks in the Nordic Countries:
Denmark (DENet), Finland (FUNET), Iceland (SURIS), Norway (UNINETT), and
Sweden (SUNET).
NORDUnet supports TCP/IP, DECNet, and X.25.

NSN - NASA Science Network (NSN). This network is used by NASA to send and
relay information. The protocols used are TCP/IP. NSN has a sister network
called Space Physics Analysis Network (SPAN) for DECNet.

ONet - Ontario Network is a TCP/IP network used for research.

NSFNet - National Science Foundation Network. This network is in the IP/TCP
family, but in any case it uses UDP (User Datagram Protocol) and not TCP.
NSFnet is the network for the US scientific and engineering research
community. Listed below are all the NSFNet Sub-networks:

  BARRNet - Bay Area Regional Research Network is located in the San
  Francisco area. This network uses TCP/IP.

  CERFnet - California Education and Research Federation Network is a
  research based network supporting Southern California Universities'
  communication services. This network uses TCP/IP.

  CICNet - Committee on Institutional Cooperation. This network services the
  BIG 10 and the University of Chicago. This network uses TCP/IP.

  JvNCnet - John von Neumann National Supercomputer Center. This network uses
  TCP/IP.

  Merit - Merit connects Michigan's academic and research computers. This
  network supports TCP/IP, X.25 and Ethernet for LANs.

  MIDnet - MIDnet connects 18 universities and research centers in the
  midwest United States. The supported protocols are TELNET, FTP and SMTP.

  MRNet - Minnesota Regional Network. This network services Minnesota. The
  network protocols are TCP/IP.

  NEARnet - New England Academic and Research Network connects various
  research/educational institutions. You can get more information about this
  net by mailing 'nearnet-staff@bbn.com'.

  NCSAnet - The National Center for Supercomputing Applications supports the
  whole IP family (TCP, UDP, ICMP, etc).

  NWNet - North West Network provides service to the Northwestern United
  States and Alaska. This network supports IP and DECnet.

  NYSERNet - New York Service Network is an autonomous nonprofit network.
  This network supports TCP/IP.

  OARnet - Ohio Academic Resources Network gives access to the Ohio
  Supercomputer Center. This network supports TCP/IP.

  PREPnet - Pennsylvania Research and Economic Partnership is a network
  operated and managed by Bell of Pennsylvania. It supports TCP/IP.

  PSCNET - Pittsburgh Supercomputer Center serving Pennsylvania, Maryland,
  and Ohio. It supports TCP/IP and DECnet.

  SDSCnet - San Diego Super Computer Center is a network whose goal is to
  support research in the field of science. The Internet address is
  'y1.ucsc.edu' or call Bob at (619)534-5060 and ask for an account on his
  Cray.

  Sesquinet - Sesquinet is a network based in Texas. It supports TCP/IP.

  SURAnet - Southeastern Universities Research Association Network is a
  network that connects institutions in the Southeast United States.

  THEnet - Texas Higher Education Network is a network that is run by Texas
  A&M University. This network connects to hosts in Mexico.

  USAN/NCAR - University SAtellite Network (USAN)/National Center for
  Atmospheric Research is a network for information exchange.

  Westnet - Westnet connects the western part of the United States, but not
  including California. The network is supported by Colorado State
  University.

USENET - USENET is the network news (the message base for the Internet). This
message base is quite large, with over 400 different topics and connecting
17 different countries.

9 Internet Protocols
~~~~~~~~~~~~~~~~~~~~~

TCP/IP is a general term relating to the whole family of Internet protocols.
The protocols in this family are IP, TCP, UDP, ICMP, ROSE, ACSE, CMIP, ISO,
ARP and Ethernet for LANs. If you want more information, get the RFCs.

The TCP/IP protocol is a "layered" set of protocols. In this diagram, taken
from RFC 1180, you will see how the protocol is layered when a connection is
made.

Figure is of a Basic TCP/IP Network Node:

  -----------------------------------
  |      Network Application        |
  |                                 |
  |       ... \ | /   ..  \ | / ... |
  |           -------   -------     |
  |           | TCP |   | UDP |     |
  |           -------   -------     |
  |               \       /         |       % Key %
  |       -------   ---------       |       ~~~~~~~
  |       | ARP |   |  IP   |       |       UDP  User Datagram Protocol
  |       -------   ------*--       |       TCP  Transfer Control Protocol
  |            \        |           |       IP   Internet Protocol
  |             \       |           |       ENET Ethernet
  |          -------------          |       ARP  Address Resolution
  |          |   ENET    |          |            Protocol
  |          -------@-----          |       O    Transceiver
  |                 |               |       @    Ethernet Address
  ------------------|----------------       *    IP address
                    |
  ==================O=======================================================
                    ^
                    | Ethernet Cable

TCP/IP: If a connection is made between the IP module and the TCP module the
packets are called a TCP datagram. TCP is responsible for making sure that
the commands get through to the other end. It keeps track of what is sent,
and retransmits anything that does not go through. The IP provides the basic
service of getting TCP datagrams from place to place. It may seem like the
TCP is doing all the work; this is true in small networks, but when a
connection is made to a remote host on the Internet (passing through several
networks) this is a complex job.

Say I am connected from a server at UCSD to LSU (SURAnet): the datagrams have
to pass through an NSFnet backbone. The IP has to keep track of all the data
when the switch is made at the NSFnet backbone from the TCP to the UDP. The
only NSFnet backbone that connects LSU is the University of Maryland, which
has different circuit sets. The cable (trunk)/circuit types are the T1 (a
basic 24-channel 1.544 Mb/s pulse code modulation used in the US) to a 56
Kbps. Keeping track of all the data from the switch from T1 to 56 Kbps and
TCP to UDP is not all it has to deal with. Datagrams on their way to the
NSFnet backbone (at the University of Maryland) may take many different
paths from the UCSD server.

All the TCP does is break up the data into datagrams (manageable chunks), and
keep track of the datagrams. The TCP keeps track of the datagrams by placing
a header at the front of each datagram.
The header contains 160 bits (20 octets) of information about the datagram.
Some of this information is the FQDN (Fully Qualified Domain Name). The
datagrams are numbered in octets (a group of eight binary digits): say there
are 500 octets of data, the numbering of the datagrams would be 0, next
datagram 500, next datagram 1000, 1500, etc.

UDP/IP: UDP is one of the two main protocols of the IP. In other words the
UDP works the same as TCP: it places a header on the data you send, and
passes it over to the IP for transportation throughout the Internet. The
difference is that it offers service to the user's network application. It
does not maintain an end-to-end connection; it just pushes the datagrams
out.

ICMP: ICMP is used for relaying error messages. For example you might try to
connect to a system and get a message back saying "Host unreachable"; this is
ICMP in action. This protocol is universal within the Internet, because of
its nature. This protocol does not use port numbers in its headers, since it
talks to the network software itself.

Ethernet: Most of the networks use Ethernet. Ethernet is just a party line.
When packets are sent out on the Ethernet, every host on the Ethernet sees
them. To make sure the packets get to the right place, the Ethernet designers
wanted to make sure that each address is different. For this reason 48 bits
are allocated for the Ethernet address, and a built-in Ethernet address on
the Ethernet controller. The Ethernet packets have a 14-octet header; this
includes the "to" and "from" addresses. The Ethernet is not too secure: it is
possible to have the packets go to two places, thus someone can see just what
you are doing. You need to take note that the Ethernet is not connected to
the Internet. A host on both the Ethernet and on the Internet has to have
both an Ethernet connection and an Internet server.

ARP: ARP translates the IP address into an Ethernet address.
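The sizes the Ethernet, IP and TCP subsections above quote (a 14-octet Ethernet header carrying 48-bit addresses, a 20-octet IP header, a 20-octet TCP header, and TCP numbering each datagram by the octets sent before it) in code: the following is an added example, not from the article or from RFC 1180. It builds one Ethernet/IP/TCP frame with Python's struct module from constructed addresses, parses it back layer by layer, and works the 0, 500, 1000 numbering example through. Checksums are left at zero because nothing transmits the frame.

```python
"""Build and dissect an Ethernet/IP/TCP frame header by header.

Added example (not from the article or RFC 1180).  All addresses and the
payload are constructed; checksums are left zero since the frame is
never sent.
"""
import struct

ETH_HDR = struct.Struct("!6s6sH")        # dst MAC, src MAC, EtherType  (14 octets)
IP_HDR = struct.Struct("!BBHHHBBH4s4s")  # IPv4 header without options   (20 octets)
TCP_HDR = struct.Struct("!HHIIBBHHH")    # TCP header without options    (20 octets)

ETHERTYPE_IP = 0x0800
PROTO_TCP = 6

# Constructed sample addresses (not real hosts).
SRC_MAC = b"\x08\x00\x20\x01\x02\x03"
DST_MAC = b"\x08\x00\x20\x0a\x0b\x0c"
SRC_IP = b"\x84\x00\x0d\x0a"   # 132.0.13.10
DST_IP = b"\x82\xef\x0d\x0a"   # 130.239.13.10


def build_frame(seq, payload):
    """Construct one TCP segment inside an IP datagram inside an Ethernet frame."""
    # data offset 5 words (20 octets), flags PSH|ACK, window 4096
    tcp = TCP_HDR.pack(1023, 23, seq, 0, 5 << 4, 0x18, 4096, 0, 0)
    total_len = IP_HDR.size + TCP_HDR.size + len(payload)
    # version 4 / IHL 5, id 1, TTL 64, protocol TCP, checksum 0
    ip = IP_HDR.pack(0x45, 0, total_len, 1, 0, 64, PROTO_TCP, 0, SRC_IP, DST_IP)
    eth = ETH_HDR.pack(DST_MAC, SRC_MAC, ETHERTYPE_IP)
    return eth + ip + tcp + payload


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_frame(frame):
    """Peel the frame layer by layer and report what each header contributes."""
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_IP:
        raise ValueError("not an IP packet")
    off = ETH_HDR.size
    vihl, _, total_len, _, _, ttl, proto, _, sip, dip = IP_HDR.unpack_from(frame, off)
    ihl = (vihl & 0x0F) * 4          # header length is given in 32-bit words
    if proto != PROTO_TCP:
        raise ValueError("not TCP")
    off += ihl
    sport, dport, seq, ack, doff_flags, flags, _, _, _ = TCP_HDR.unpack_from(frame, off)
    data_off = (doff_flags >> 4) * 4
    payload = frame[off + data_off: ETH_HDR.size + total_len]
    return {
        "eth": {"dst": mac_str(dst), "src": mac_str(src), "hdr_len": ETH_HDR.size},
        "ip": {"src": ip_str(sip), "dst": ip_str(dip), "ttl": ttl, "hdr_len": ihl},
        "tcp": {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                "flags": flags, "hdr_len": data_off},
        "payload": payload,
    }


def sequence_numbers(first_seq, chunks):
    """TCP numbers each datagram by the octets that precede it: with 500-octet
    chunks starting at 0 this gives 0, 500, 1000, ... as the article says."""
    seqs, s = [], first_seq
    for chunk in chunks:
        seqs.append(s)
        s += len(chunk)
    return seqs


if __name__ == "__main__":
    frame = build_frame(1000, b"login: ")
    for layer, fields in parse_frame(frame).items():
        print(layer, fields)
    print(sequence_numbers(0, [b"x" * 500, b"y" * 500, b"z" * 500]))
```

The frame parser stops at the EtherType and protocol fields that tell it which header comes next, which is the layering the diagram shows: a module that does not recognise the next layer hands the packet on or drops it, it never guesses.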
A conversion table is used (the table is called the ARP Table) to convert
the addresses. Therefore, you would never even know if you were connected to
the Ethernet, because you would be connecting to the IP address.

The above is a real sketchy description of a few Internet protocols, but if
you would like to get more information you can access it via anonymous ftp
from several hosts. Here is a list of RFCs that deal with the topic of
protocols.

|~~~~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
| RFC:          | Description:                           |
|               |                                        |
|~~~~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
| rfc1011       | Official Protocols of the Internet     |
| rfc1009       | NSFnet gateway specifications          |
| rfc1001/2     | netBIOS: networking for PC's           |
| rfc894        | IP on Ethernet                         |
| rfc854/5      | telnet - protocols for remote logins   |
| rfc793        | TCP                                    |
| rfc792        | ICMP                                   |
| rfc791        | IP                                     |
| rfc768        | UDP                                    |
|               |                                        |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

10 Host Name and Address
~~~~~~~~~~~~~~~~~~~~~~~~~

Internet addresses are long and hard to remember (i.e., 128.128.57.83), so we
use host names. All hosts registered on the Internet must have names that
reflect the domains under which they are registered. Such names are called
Fully Qualified Domain Names (FQDNs). Let's dissect a name and see the
domains:

    lilac.berkeley.edu
      ^      ^      ^
      |      |      |
      |      |      |____ "edu" shows that this host is sponsored by an
      |      |            education related organization. This is a
      |      |            top-level domain.
      |      |
      |      |___________ "berkeley" is the second-level domain. This shows
      |                   that it is an organization within the University
      |                   of California at Berkeley.
      |
      |__________________ "lilac" is the third-level domain. This indicates
                          the local host name is 'lilac'.

Common Top-Level Domains

    COM - commercial enterprise
    EDU - educational institutions
    GOV - nonmilitary government agencies
    MIL - military (non-classified)
    NET - networking entities
    ORG - nonprofit institutions

A network address is the numerical address of a host, gateway, or TAC.
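The FQDN dissection above, and the address classes the section lists just after this, as code: the following is an added example, not from the article. It splits a name into its domains from the top level down, and sorts a dotted address into class A, B or C by its first octet using the ranges the section gives (0-127, 128-191, 192-223), splitting off the network portion with the rule stated there (one "clump" for class A, two for B, three for C). Addresses whose first number is 224 or above fall into none of the three classes and are reported as "other".

```python
"""Dissect an FQDN and classify a dotted Internet address.

Added example (not from the article).  Class ranges and the network/local
split follow the article's description; sample inputs are the article's
own illustrations.
"""

# (class, lowest first octet, highest first octet, octets in the network part)
CLASS_RANGES = (("A", 0, 127, 1), ("B", 128, 191, 2), ("C", 192, 223, 3))


def parse_dotted(addr):
    """Return the four octets of 'a.b.c.d' as ints, rejecting anything else."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four dotted numbers: {addr!r}")
    octets = [int(p) for p in parts]          # int() rejects non-numeric text
    if any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"octet out of range: {addr!r}")
    return octets


def classify(addr):
    """Return (class, network portion, local portion) as dotted strings."""
    octets = parse_dotted(addr)
    for name, lo, hi, net_octets in CLASS_RANGES:
        if lo <= octets[0] <= hi:
            net = ".".join(map(str, octets[:net_octets]))
            local = ".".join(map(str, octets[net_octets:]))
            return name, net, local
    return "other", addr, ""                  # 224 and above: not A, B or C


def dissect_fqdn(name):
    """Return [(level, label), ...] from the top-level domain down to the host,
    e.g. lilac.berkeley.edu -> [(1, 'edu'), (2, 'berkeley'), (3, 'lilac')]."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    if not labels:
        raise ValueError("empty name")
    return list(enumerate(reversed(labels), start=1))


if __name__ == "__main__":
    for level, label in dissect_fqdn("lilac.berkeley.edu"):
        print(f"level {level}: {label}")
    for a in ("29.34.0.9", "128.28.82.1", "193.43.91.1", "224.0.0.1"):
        cls, net, local = classify(a)
        print(f"{a:<14} class {cls:<6} network {net:<12} local {local}")
```

One practical use of this split is sanity-checking a host table or an access list: an entry whose first octet is outside 0-223 is not a host address of any of these classes, and a "network" entry that does not match the class boundary is usually a typo.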
The addresses are made up of four decimal numbered slots, which are separated
by a period. There are three classes that are used most; these are Class A,
Class B, and Class C.

    Class A - from '0' to '127'
    Class B - from '128' to '191'
    Class C - from '192' to '223'

Class A - Is for MILNET net hosts. The first part of the address has the
network number. The second is for the physical PSN port number. The third is
for the logical port number; since it is on MILNET, it is a MILNET host. The
fourth part is for which PSN it is on. On 29.34.0.9, '29' is the network it
is on. '34' means it is on port '34'. '9' is the PSN number.

Class B - This is for the Internet hosts. The first two "clumps" are for the
network portion. The second two are for the local port.

    128.28.82.1
    \____/ \__/
       |     |_____ Local portion of the address
       |
       |___________ Network portion of the address

Class C - The first three "clumps" are the network portion and the last one
is the local port.

    193.43.91.1
    \________/ |
        |      |_____ Local portion of the address
        |
        |____________ Network portion of the address

_______________________________________________________________________________

                               ==Phrack Inc.==

                    Volume Three, Issue Thirty-Three, File 4 of 13

              ________________________________________________________
             |                                                        |
             |                        FEDIX                           |
             |              On-Line Information Service               |
             |                                                        |
             |             Written by the people at FEDIX             |
             |                                                        |
             |                    Like Fedix Upix                     |
             |________________________________________________________|

What is FEDIX?

FEDIX is an on-line information service that links the higher education
community and the federal government to facilitate research, education, and
services. The system provides accurate and timely federal agency information
to colleges, universities, and other research organizations.

There are NO REGISTRATION FEES and NO ACCESS CHARGES for using FEDIX. The
only cost is for the phone call.

FEDIX provides daily information updates on:

- Federal EDUCATION and RESEARCH PROGRAMS (including descriptions,
  eligibility, funding, deadlines).
- SCHOLARSHIPS, FELLOWSHIPS, and GRANTS
- Available used government RESEARCH EQUIPMENT
- New funding for specific research and education activities from the
  COMMERCE BUSINESS DAILY, FEDERAL REGISTER, and other sources.
- MINORITY ASSISTANCE research and education programs
- NEWS & CURRENT EVENTS within participating agencies
- GENERAL INFORMATION such as agency history, budget, organizational
  structure, mission statement, etc.

PARTICIPATING AGENCIES

Currently FEDIX provides information on 7 federal agencies broken down into 2
general categories:

1. Comprehensive Education and Research Related Agency Information
   - The Department of Energy (DOE)
   - Office of Naval Research (ONR)
   - National Aeronautics and Space Administration (NASA)
   - Federal Aviation Administration (FAA)

2. Minority Assistance Information
   - National Science Foundation (NSF)
   - Department of Housing and Urban Development (HUD)
   - Department of Commerce (DOC)

Additional government agencies are expected to join FEDIX in the future.

REQUIRED HARDWARE AND SOFTWARE

Any microcomputer with communications software (or a dumb terminal) and a
modem operating at 1200 or 2400 baud can access the system.

HOURS OF OPERATION

The system operates 24 hours a day, 7 days a week. The only exceptions are
for periodic system updating or maintenance.

TELEPHONE NUMBERS

* Computer (data line): 301-258-0953 or 1-800-232-4879
* HELPLINE (technical assistance): 301-975-0103.

The HELPLINE (for problems or comments) is open Monday-Friday 8:30 AM-4:30 PM
Eastern Daylight Time, except on federal holidays.

SYSTEM FEATURES

Although FEDIX provides a broad range of features for searching, scanning,
and downloading, the system is easy to use. The following features will
permit quick and easy access to agency databases:

Menus -- Information in the system is organized under a series of branching
menus. By selecting appropriate menu options (using either the OPTION NUMBER
or the two-character MENU CODE), you may begin at the FEDIX Main Menu and
work your way through various intermediate menus to a desired sub-menu.
However, if you already know the menu code of a desired menu, you may bypass
the intermediate menus and proceed directly to that menu by typing the menu
code at the prompt. Help screens are available for key menus and can be
viewed by typing '?' at the prompt.

Capturing Data -- If you are using a microcomputer with communications
software, it is likely that your system is capable of storing or "capturing"
information as it comes across your screen. If you "turn capture on", you
will be able to view information from the databases and store it in a file
on your system to be printed later. This may be desirable at times when
downloading is not appropriate. Refer to your communications software
documentation for instructions on how to activate the capture feature.

Downloading -- Throughout the system, options are available which allow you
to search, list, and/or download files containing information on specific
topics. The download feature can be used to deliver text files (ASCII) or
compressed, self-extracting ASCII files to your system very quickly for
later use at your convenience. Text files in ASCII format, tagged with a
".MAC" extension, are downloadable by Macintosh users. Compressed ASCII
files, tagged with an ".EXE" extension, may be downloaded by users of IBM
compatible computers. However, your system must be capable of file
transfers. (See the documentation on your communication software).

Mail -- An electronic bulletin board feature allows you to send and receive
messages to and from the SYSTEM OPERATOR ONLY. This feature will NOT send
messages between users. It can be used to inquire about operating the
system, receive helpful suggestions from the system operator, etc.
Utility Menu -- The Utility Menu, selected from the FEDIX Main Menu, enables
you to modify user information, prioritize agencies for viewing, search and
download agency information, set a default calling menu, and set the file
transfer protocol for downloading files.

INDEX OF KEY INFORMATION ON FEDIX

Key information for each agency is listed below with the code for the menu
from which the information can be accessed. Please be advised that this list
is not comprehensive and that a significant amount of information is
available on FEDIX in addition to what is listed here.

AGENCY/DATABASE                                                    MENU CODE

DEPARTMENT OF ENERGY (DOE)/DOEINFO
  Available Used Research Equipment                                  :EG:
  Research Program Information                                       :IX:
  Education Program Information                                      :GA:
  Search/List/Download Program Information                           :IX:
  Research and Training Reactors Information                         :RT:
  Procurement Notices                                                :MM:
  Current Events                                                     :DN:

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION/NASINFO
  Research Program Information                                       :RP:
  Education Program Information                                      :EA:
  Search/List/Download Program Information                           :NN:
  Description/Activities of Space Centers                            :SC:
  Procurement Notices                                                :EV:
  Proposal/Award Guidelines                                          :NA:

OFFICE OF NAVAL RESEARCH/ONRINFO
  Research Program Information                                       :RY:,:AR:
  Special Programs (Special Research and Education Initiatives)      :ON:
  Search/List/Download Program Information                           :NR:
  Description/Activities of Laboratories and other ONR Facilities    :LB:
  Procurement Notices (Broad Agency Announcements, Requests for
  -- Proposals, etc.
                                                                     :NE:
  Information on the Preparation and Administration of Contracts,
  -- Grants, Proposals                                               :AD:

FEDERAL AVIATION ADMINISTRATION/FAAINFO
  Education Program Information - Pre-College                        :FE:
  Minority Aviation Education Programs                               :FY:
  Search/List/Download Program Information                           :FF:
  Aviation Education Resources (Newsletters, Films/Videos,
  -- Publications)                                                   :FR:
  Aviation Education Contacts (Government, Industry, Academic,
  -- Associations)                                                   :FO:
  College-Level Airway Science Curriculum Information                :FC:
  Procurement Notice                                                 :FP:
  Planned Competitive and Noncompetitive Procurements for the
  -- Current Fiscal Year                                             :F1:
  Employment Information                                             :FN:
  Current Events                                                     :FV:

MINORITY/MININFO

  U.S. Department of Commerce
    Research/Education Minority Assistance Programs                  :CP:
    Procurement Notices (ALL Notices for Agency)                     :M1:
    Current Events                                                   :M1:
    Minority Contacts                                                :M1:

  Department of Energy
    Research/Education Minority Assistance Programs                  :EP:
    Procurement Notices (ALL Notices for Agency)                     :M2:
    Current Events                                                   :M2:
    Minority Contacts                                                :M2:

  U.S. Department of Housing and Urban Development
    Research/Education Minority Assistance Programs                  :HP:
    Procurement Notices (ALL Notices for Agency)                     :M3:
    Current Events                                                   :M3:
    Minority Contacts                                                :M3:

  National Aeronautics and Space Administration
    Research/Education Minority Assistance Programs                  :NP:
    Procurement Notices (ALL Notices for Agency)                     :M4:
    Current Events                                                   :M4:
    Minority Contacts                                                :M4:

  National Science Foundation
    Research/Education Minority Assistance Programs                  :SP:
    Procurement Notices (ALL Notices for Agency)                     :M5:
    Budget Information                                               :SB:
    NSF Bulletin                                                     :M5:
    Minority Contacts                                                :M5:

_______________________________________________________________________________

                               ==Phrack Inc.==

                    Volume Three, Issue Thirty-Three, File 5 of 13

                      |\/\/\/\/\/\/\/\/\/\/\/\/\/|
                      |                          |
                      |   LATA Reference List    |
                      |                          |
                      |     by Infinite Loop     |
                      |                          |
                      |/\/\/\/\/\/\/\/\/\/\/\/\/\|

United States telephone LATA official designation numbers:

STATE  NAME                      NUMBER

AK     ALASKA                    832
AL     BIRMINGHAM                476
AL     HUNTSVILLE                477
AL     MONTGOMERY                478
AL     MOBILE                    480
AR     FORT SMITH                526
AR     LITTLE ROCK               528
AR     PINE BLUFF                530
AZ     PHOENIX                   666
AZ     TUCSON                    668
AZ     NAVAJO RESERVATION        980
CA     SAN FRANCISCO             722
CA     CHICO                     724
CA     SACRAMENTO                726
CA     FRESNO                    728
CA     LOS ANGELES               730
CA     SAN DIEGO                 732
CA     BAKERSFIELD               734
CA     MONTEREY                  736
CA     STOCKTON                  738
CA     SAN LUIS OBISPO           740
CA     PALM SPRINGS              973
CO     DENVER                    656
CO     COLORADO SPRINGS          658
CT     CONNECTICUT               920
DC     WASHINGTON                236
FL     PENSACOLA                 448
FL     PANAMA CITY               450
FL     JACKSONVILLE              452
FL     GAINESVILLE               454
FL     DAYTONA BEACH             456
FL     ORLANDO                   458
FL     SOUTHEAST                 460
FL     FORT MYERS                939
FL     GULF COAST                952
FL     TALLAHASSEE               953
GA     ATLANTA                   438
GA     SAVANNAH                  440
GA     AUGUSTA                   442
GA     ALBANY                    444
GA     MACON                     446
HI     HAWAII                    834
IA     SIOUX CITY                630
IA     DES MOINES                632
IA     DAVENPORT                 634
IA     CEDAR RAPIDS              635
ID     IDAHO                     652
ID     COEUR D'ALENE             960
IL     CHICAGO                   358
IL     ROCKFORD                  360
IL     CAIRO                     362
IL     STERLING                  364
IL     FORREST                   366
IL     PEORIA                    368
IL     CHAMPAIGN                 370
IL     SPRINGFIELD               372
IL     QUINCY                    374
IL     MATTOON                   976
IL     GALESBURG                 977
IL     OLNEY                     978
IN     EVANSVILLE                330
IN     SOUTH BEND                332
IN     AUBURN/HUNTINGTON         334
IN     INDIANAPOLIS              336
IN     BLOOMINGTON               338
IN     RICHMOND                  937
IN     TERRE HAUTE               938
KS     WICHITA                   532
KS     TOPEKA                    534
KY     LOUISVILLE                462
KY     OWENSBORO                 464
KY     WINCHESTER                466
LA     SHREVEPORT                486
LA     LAFAYETTE                 488
LA     NEW ORLEANS               490
LA     BATON ROUGE               492
MA     WESTERN MASSACHUSETTS     126
MA     EASTERN MASSACHUSETTS     128
MD     BALTIMORE                 238
MD     HAGERSTOWN                240
MD     SALISBURY                 242
ME     MAINE                     120
MI     DETROIT                   340
MI     UPPER PENINSULA           342
MI     SAGINAW                   344
MI     LANSING                   346
MI     GRAND RAPIDS              348
MN     ROCHESTER                 620
MN     DULUTH                    624
MN     ST CLOUD                  626
MN     MINNEAPOLIS               628
MO     ST LOUIS                  520
MO     WESTPHALIA                521
MO     SPRINGFIELD               522
MO     KANSAS CITY               524
MS     JACKSON                   482
MS     BILOXI                    484
MT     GREAT FALLS               648
MT     BILLINGS                  650
MT     KALISPELL                 963
NC     ASHEVILLE                 420
NC     CHARLOTTE                 422
NC     GREENSBORO                424
NC     RALEIGH                   426
NC     WILMINGTON                428
NC     FAYETTEVILLE              949
NC     ROCKY MOUNT               951
ND     FARGO                     636
ND     BISMARCK                  638
NE     OMAHA                     644
NE     GRAND ISLAND              646
NE     LINCOLN                   958
NH     NEW HAMPSHIRE             122
NJ     ATLANTIC COASTAL          220
NJ     DELAWARE VALLEY           222
NJ     NORTH JERSEY              224
NM     NEW MEXICO                664
NV     RENO                      720
NV     PAHRUMP                   721
NY     NEW YORK METRO            132
NY     POUGHKEEPSIE              133
NY     ALBANY                    134
NY     SYRACUSE                  136
NY     BINGHAMTON                138
NY     BUFFALO                   140
NY     FISHERS ISLAND            921
NY     ROCHESTER                 974
OH     CLEVELAND                 320
OH     YOUNGSTOWN                322
OH     COLUMBUS                  324
OH     AKRON                     325
OH     TOLEDO                    326
OH     DAYTON                    328
OH     CINCINNATI BELL           922
OH     MANSFIELD                 923
OK     OKLAHOMA CITY             536
OK     TULSA                     538
OR     EUGENE                    670
OR     PORTLAND                  672
PA     CAPITAL                   226
PA     PHILADELPHIA              228
PA     ALTOONA                   230
PA     NORTHEAST                 232
PA     PITTSBURGH                234
PA     ERIE                      924
PR     PUERTO RICO               820
RI     RHODE ISLAND              130
SC     GREENVILLE                430
SC     FLORENCE                  432
SC     COLUMBIA                  434
SC     CHARLESTON                436
SD     SOUTH DAKOTA              640
TN     MEMPHIS                   468
TN     NASHVILLE                 470
TN     CHATTANOOGA               472
TN     KNOXVILLE                 474
TN     BRISTOL                   956
TX     EL PASO                   540
TX     MIDLAND                   542
TX     LUBBOCK                   544
TX     AMARILLO                  546
TX     WICHITA FALLS             548
TX     ABILENE                   550
TX     DALLAS                    552
TX     LONGVIEW                  554
TX     WACO                      556
TX     AUSTIN                    558
TX     HOUSTON                   560
TX     BEAUMONT                  562
TX     CORPUS CHRISTI            564
TX     SAN ANTONIO               566
TX     BROWNSVILLE               568
TX     HEARNE                    570
TX     SAN ANGELO                961
US     MIDWAY/WAKE               836
UT     UTAH                      660
UT     NAVAJO RESERVATION        981
VA     ROANOKE                   244
VA     CULPEPER                  246
VA RICHMOND 248 VA LYNCHBURG 250 VA NORFOLK 252 VA HARRISONBURG 927 VA CHARLOTTESVILLE 928 VA EDINBURG 929 VI US VIRGIN ISLANDS 822 VT VERMONT 124 WA SEATTLE 674 WA SPOKANE 676 WI NORTHEASST 350 WI NORTHWEST 352 WI SOUTHWEST 354 WI SOUTHEAST 356 WV CHARLESTON 254 WV CLARKSBURG 256 WV BLUEFIELD 932 WY WYOMING 654 _______________________________________________________________________________ ==Phrack Inc.== Volume Three, Issue Thirty-Three, File 6 of 13 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - - = International Toll-free, Local Rated, = - - = and Specially Toll Services = - - = by The Trunk Terminator = - - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= The following indicates access codes and numbers used within various countries for toll-free and special paid services. The dialing codes shown represent how they would be dialed within the country involved. Generally, it is not possible to access another country's domestic toll-free or specialty network directly. Where an international access is available, it is normally done by using the domestic services which then forward the call to the destination country. Where possible, the number of digits has been indicated with 'n' (a number from 2 to 8) or 'x' (any number). An ellipsis (...) indicates that there are a variable number of extra digits, or possibly a conflict in the reports of numbers of digits used. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Toll-free or equivalent local charge services =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ================= A u s t r a l i a ================= 008 xxx xxx That is how Phrack Inc. recomends it be written to differentiate it from STD area codes which are written with area codes (0x) thru (0xxx) and numbers n xxxx through nxx xxxx. 0014 ttt xxx xxx International Toll free access from Australia (ttt is reported as "800" or other toll-free access code; or, ttt may not be present at all. 
(Canada Direct uses 0014 881 150)

=============
B e l g i u m
=============

11 xxxx

=============
D e n m a r k
=============

800 xxxxx
8001 xxxx    (charged as local call)

=============
F i n l a n d
=============

9800 xxxxx (...)    (PTT as local service provider)
0800 xxxxx (...)    (Private phone company as local service provider)

9800 costs the same as a local call (dialable from all areas in Finland), while 0800 numbers are truly toll-free and dialable from all private telco areas.

===========
F r a n c e
===========

05 xxxxxx    This is outside area code 1, so from Paris dial 16 05.
05 19 xx xx  These numbers terminate outside France.
36 63 xx xx  (local call rate)

'11' is computer directory information. '12' is voice directory information (equivalent to 411).

===========================
G e r m a n y  ( w e s t )
===========================

0130 xxxx (...xx)

The number to use AT&T is 0130-0010 and U.S. Sprint is 0130-0013. For a general toll-free number listing, pick up a copy of the International Herald newspaper and look in the sports section for an AT&T ad. You will find a number for dialing the US from various countries. Merely chop off the exchange and only use the "area code" number.

=============
I r e l a n d
=============

1800 xxxxxx
1850 xxxxxx  (local rate)

=========
I t a l y
=========

167 xxxxx    (digits length)

We're not 100% sure about the length of digits for Italy. One way to check these is to get a copy of an *international* edition of the weekly magazines like TIME, all ads and little content. But they do goof up regularly, like printing Paris numbers as (01) xxxxxxxx when they mean (1) xxxxxxxx.

===========
M e x i c o
===========

91 800 xxxxx....

=====================
N e t h e r l a n d s
=====================

06-0xxx
06-0xxxxxx
06-4xx(x)

06-2229111 is AT&T USA Direct, and Sprint & MCI have operator services on 06-022xxxx. It used to be possible to call 06-022xxxx to Denmark, and then use the CCITT no. 4 signalling system to phreak calls to anywhere in the world.

06-11        This is the Dutch equivalent of 911. It is free when dialled from a phone company operated payphone; otherwise the charge is one unit, DFL 0.15, about US $0.08. There were discussions about making such calls free from any phone, but I haven't followed them recently.

Calling a toll-free number from a payphone requires a deposit of one coin, which is returned after the call. The total length of the numbers varies from 4 to 10 digits, and the dash indicates the secondary dial tone. It is not possible to reach 06 prefixed numbers from abroad.

=====================
N e w  Z e a l a n d
=====================

0800 xxx xxx

That is through the state telco, Telecom New Zealand. Clear Communications, the recently started alternative LD carrier, does not offer a toll-free service as yet. When Clear offers one, it will more than likely be to the subscriber's existing number (e.g. Dial toll free 050-04-654-3210), as they are not in control of number issue. 0800 is strictly Telecom at this stage.

=========================
N o r t h  A m e r i c a
=========================

1 800 nxx xxxx

Access to toll-free numbers can vary according to region, state or country (i.e. not all 800 numbers are accessible from all regions). The nxx prefix portion of the 800 number presently determines which long distance carrier or 800 service company will handle the call (and in some cases determines the geographical region).

=========
S p a i n
=========

900 xxxxxx

The number for AT&T Direct in Spain is 900-99-00-11. The payphones are all push-button but generate pulses. It takes forever to get connected.

===========
S w e d e n
===========

020 xxxxxx   (without dial tone after '020').

=====================
S w i t z e r l a n d
=====================

04605 xxxx   (not toll-free but metered at lowest rate)
155 xx xx    ("green number")

In Switzerland there is nothing exactly equivalent to United States "800" service.
The PTT is now encouraging the use of "green numbers" beginning with 155. The direct marketing ads on TV often give the order number for Switzerland as a number such as 155 XX XX. The access number for MCI Call USA, for example, is 155 02 22.

There are two problems with this:

1] When calling from a model AZ44 (older model) payphone, all numbers which begin with a "1" are treated as "service" numbers, and the payphone begins to sound a "cuckoo clock noise" once the 155 is entered. The "cuckoo clock noise" is to alert operators on the "service numbers" that the caller is using a payphone (fraud protection). This noise is quite a distraction when calling someone in the USA using MCI Call USA.

2] The newer style TelcaStar phones are programmed to block the keypad after 3 digits of a "service number" are dialed. It used to be that the only numbers beginning with "1" were "service numbers" and all "service numbers" were 3 digits.

The PTT is aware of this problem and is said to be considering what instructions to give the manufacturer of the payphones.

AT&T USA Direct has an access number of 046 05 00 11. This is not a free call, but the time is metered at the lowest rate. This number does not suffer the "cuckoo clock noise" problem. Canada Direct uses 046 05 83 30.

===========================
U n i t e d  K i n g d o m
===========================

0800 xxx xxx (Toll-free)
0345 xxx xxx (Local rate)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Tolled/Specialty Pay services
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

=================
A u s t r a l i a
=================

0055 x yxxx

where y=0-4,8 means the number is Australia wide (and costs more), y=5 means the number is only state wide, and y=6,7,9 means the number is for the capital city only.

=============
F i n l a n d
=============

9700 xxxxx   (PTT-operated)
0700 xxxxx   (Private telco-operated)

The cost ranges from about 0.5 USD to 5 USD per minute.

===========
F r a n c e
===========

36 65 xx xx  (5 message units each call for up to 140 seconds)

These are for various information services as well as chat lines.

=====================
N e t h e r l a n d s
=====================

06-9 xx...
06-321 xx...
06-8 xx...   (3 to 40ct/min)

Other codes (such as 06-9) precede special tariff calls (similar to 900 in the US). The highest special rate is (currently) DFL 0.50 / minute.

=========================
N o r t h  A m e r i c a
=========================

1 900 nxx xxxx     (various rates, depending on provider)
1 (npa) 976 xxxx   (in many area codes, connected through regional telco; in some areas the call requires the area code, depending on the intra-area dialing used)

(Other exchange prefixes within area codes, such as 540, 720 or 915, are used for other pay services such as group chat, other types of recorded messages, etc. These vary depending on the area code within North America, and not all regions in North America have these.)

===========
S w e d e n
===========

071 x xxxxx

The Swedish answer to the United States "900" number, 071, is as follows. (Charges are related to the next digit.)

   code          SEK/minute
   0712xxxxx     3,65
   0713xxxxx     4,90
   0714xxxxx     6,90
   0715xxxxx     9,90
   0716xxxxx     12,50
   0717xxxxx     15,30
   0719xx        varying fees, cannot be dialled directly but needs operator

Numbers starting with 0713-0717 can only be dialled from phones connected to AXE exchanges. At present about half of all phones in Sweden are connected to such exchanges.

Another special toll number is domestic number information: 07975 (6,90 SEK/minute).

===========================
U n i t e d  K i n g d o m
===========================

0836 xxx xxx
0898 xxx xxx

The rate seems to be uniform at 34p per minute cheap rate, 45p at all other times.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

==Phrack Inc.==

Volume Three, Issue Thirty-Three, File 7 of 13

                     //---------------------\\
                     ||  P h r e a k i n g  ||
                     ||                     ||
                     ||        i n          ||
                     ||                     ||
                     ||    G e r m a n y    ||
                     ||                     ||
                     ||        by           ||
                     ||                     ||
                     ||  -=+Ninja Master+=- ||
                     ||                     ||
                     ||        of           ||
                     ||                     ||
                     || -[The Hellfire Club]- ||
                     \\---------------------//

Phreaking in Germany at this moment is at an all time high. The main reason is the German reunification. Most, if not all, of the equipment in Germany is still mechanical (especially on the former Communist side). So Boxing is VERY easy to do, as are line taps. Tracing, on the other hand, is still hard to do. This is because with the mechanical switches they need many technicians who look at the switches and follow the wires on their own. They usually don't know where the wire leads, so they have to physically follow the wire to trace it.

There are two main ways of phreaking in Germany at the moment. One is Boxing and the other is through Cordless Phones, both of which I will describe.

                     //------\\
                     || Boxing ||
                     \\------//

Boxing in Germany is somewhat similar to the US, but I will describe to you the whole process. Most boxing in Germany is started with a call to a toll free number (most of which produce a connection to a firm in the US, AT&T). To initiate the call, you dial 0130 - 81 and the number. Germany's toll free net starts with 0130. 81 is for connection to the US. You wait for the connection, and blast the disconnect signal. As we all know, in the US it's 2600 Hz, but in Germany it's a mixture of 2400 and 2600 Hz. After that, you send a single 2400 Hz frequency to hold the line. Then you decide if you want a local US call, or an International call. Don't forget, you are connected to the US now, so anything outside of it looks International, even though you're calling from Germany.

Calls within the US are done normally, with KP+0+AC+NNNNNNN. To make the international call, it's KP2+international code+0+number. You have to drop the zero though from the number you are calling. For example, in Germany all numbers start with a 02366.

One big difference between boxing in the US and Germany is the laws. In Germany, they look very strictly at data security, but the laws are not clear in the area of phreaking. No one knows if a phreak is really stealing something from the German phone company, since he is using a normal phone number. This may sound stupid to us, but that's how they view it. Phreaks getting busted in Germany is usually a rare occasion, if ever.

                     //---------------\\
                     || Cordless Phones ||
                     \\---------------//

When I am referring to "cordless phones", I'm not talking about portable phones in the cellular phone system. I'm talking about simple cordless phones that you have in your home. Cordless phones broadcast on a specific radio frequency (around 46MHz) to a "base unit" that is connected to the wall jack.

What you do now is put a long antenna on the roof of your car. Then connect the antenna to your handset. The length of the antenna is usually best around 1.5 meters long. You only need the handset, because you are going to be connecting to another person's base, but make sure the batteries in the handset are fully charged. Now, the next step is to drive around in your car until you hear a free line. Then, merely call anywhere you like! Usually you have to situate yourself and find where the best position is to receive the signal clearly, and so that the person whose base you're connected to can't see you.

One reason this works quite well is because most cordless phones in Germany don't have the code feature that is so prominent here (where you can select a scrambling code on the handset and base). One of the incentives to phreak in this manner is because, cordless phones being illegal, the person whose dial tone you used would much rather pay a few high long distance bills than the even higher fines for getting caught with a cordless phone.

Cordless phones are forbidden in Germany, although you can buy them almost anywhere. What is illegal is to physically connect them to the phone system. The phone company there actually searches for people with cordless phones, by using a specially equipped van. Once they find that you have a cordless phone connected, they come with two policemen and a search warrant. You can be charged with anything from illegal connection of nontested equipment to forging of a document.

                     //----------\\
                     || Conclusion ||
                     \\----------//

Well, I hope this gave you a little bit of understanding of how disorganized the phone system is over there, and gave you a few helpful hints in case you ever happen to find yourself in Germany. If you have any comments, corrections, or additions, you can reach me through Phrack, or the following boards:

     Lightning Systems     9th Dimension
     414-363-4282          818-783-5320

Until next time!

-=+Ninja Master+=-
-[The Hellfire Club]-

"Tell Telco We're Phreaking, Phreaking USA!"

\\---------------------------------------------------------------------------//

==Phrack Inc.==

Volume Three, Issue Thirty-Three, File 8 of 13

                A TCP/IP Tutorial : Behind The Internet
                           Part One of Two

                          September 12, 1991

                              by The Not

Table of Contents

   1. Introduction
   2. TCP/IP Overview
   3. Ethernet
   4. ARP

1. Introduction

This tutorial contains only one view of the salient points of TCP/IP, and therefore it is the "bare bones" of TCP/IP technology. It omits the history of development and funding, the business case for its use, and its future as compared to ISO OSI. Indeed, a great deal of technical information is also omitted. What remains is a minimum of information that must be understood by the professional working in a TCP/IP environment.
These professionals include the systems administrator, the systems programmer, and the network manager.

This tutorial uses examples from the UNIX TCP/IP environment; however, the main points apply across all implementations of TCP/IP.

Note that the purpose of this memo is explanation, not definition. If any question arises about the correct specification of a protocol, please refer to the actual standards-defining RFC.

The next section is an overview of TCP/IP, followed by detailed descriptions of individual components.

2. TCP/IP Overview

The generic term "TCP/IP" usually means anything and everything related to the specific protocols of TCP and IP. It can include other protocols, applications, and even the network medium. A sample of these protocols are: UDP, ARP, and ICMP. A sample of these applications are: TELNET, FTP, and rcp. A more accurate term is "internet technology". A network that uses internet technology is called an "internet".

2.1 Basic Structure

To understand this technology you must first understand the following logical structure:

                     ----------------------------
                     |    network applications  |
                     |                          |
                     |...  \ | /  ..  \ | /  ...|
                     |     -----      -----     |
                     |     |TCP|      |UDP|     |
                     |     -----      -----     |
                     |         \      /         |
                     |         --------         |
                     |         |  IP  |         |
                     |  -----  -*------         |
                     |  |ARP|   |               |
                     |  -----   |               |
                     |      \   |               |
                     |      ------              |
                     |      |ENET|              |
                     |      ---@--              |
                     ----------|-----------------
                               |
         ----------------------o---------
                Ethernet Cable

              Figure 1.  Basic TCP/IP Network Node

This is the logical structure of the layered protocols inside a computer on an internet. Each computer that can communicate using internet technology has such a logical structure. It is this logical structure that determines the behavior of the computer on the internet. The boxes represent processing of the data as it passes through the computer, and the lines connecting boxes show the path of data. The horizontal line at the bottom represents the Ethernet cable; the "o" is the transceiver. The "*" is the IP address and the "@" is the Ethernet address.
Understanding this logical structure is essential to understanding internet technology; it is referred to throughout this tutorial.

2.2 Terminology

The name of a unit of data that flows through an internet is dependent upon where it exists in the protocol stack. In summary: if it is on an Ethernet it is called an Ethernet frame; if it is between the Ethernet driver and the IP module it is called an IP packet; if it is between the IP module and the UDP module it is called a UDP datagram; if it is between the IP module and the TCP module it is called a TCP segment (more generally, a transport message); and if it is in a network application it is called an application message.

These definitions are imperfect. Actual definitions vary from one publication to the next. More specific definitions can be found in RFC 1122, section 1.3.3.

A driver is software that communicates directly with the network interface hardware. A module is software that communicates with a driver, with network applications, or with another module.

The terms driver, module, Ethernet frame, IP packet, UDP datagram, TCP message, and application message are used where appropriate throughout this tutorial.

2.3 Flow of Data

Let's follow the data as it flows down through the protocol stack shown in Figure 1. For an application that uses TCP (Transmission Control Protocol), data passes between the application and the TCP module. For applications that use UDP (User Datagram Protocol), data passes between the application and the UDP module.

FTP (File Transfer Protocol) is a typical application that uses TCP. Its protocol stack in this example is FTP/TCP/IP/ENET. SNMP (Simple Network Management Protocol) is an application that uses UDP. Its protocol stack in this example is SNMP/UDP/IP/ENET.

The TCP module, UDP module, and the Ethernet driver are n-to-1 multiplexers. As multiplexers they switch many inputs to one output. They are also 1-to-n de-multiplexers.
As de-multiplexers they switch one input to many outputs according to the type field in the protocol header.

        1   2 3 ...   n                 1   2 3 ...   n
         \  |  |  /                       \  |  |  /
          \ |  | /     ^                   \ |  | /     |
          -------------   flow             ----------------  flow
          |multiplexer|   of               |de-multiplexer|  of
          -------------   data             ----------------  data
               |          |                      |           |
               |          |                      |           v
               1                                 1

          Figure 2.  n-to-1 multiplexer and 1-to-n de-multiplexer

If an Ethernet frame comes up into the Ethernet driver off the network, the packet can be passed upwards to either the ARP (Address Resolution Protocol) module or to the IP (Internet Protocol) module. The value of the type field in the Ethernet frame determines whether the Ethernet frame is passed to the ARP or the IP module.

If an IP packet comes up into IP, the unit of data is passed upwards to either TCP or UDP, as determined by the value of the protocol field in the IP header.

If the UDP datagram comes up into UDP, the application message is passed upwards to the network application based on the value of the port field in the UDP header. If the TCP message comes up into TCP, the application message is passed upwards to the network application based on the value of the port field in the TCP header.

The downwards multiplexing is simple to perform because from each starting point there is only the one downward path; each protocol module adds its header information so the packet can be de-multiplexed at the destination computer.

Data passing out from the applications through either TCP or UDP converges on the IP module and is sent downwards through the lower network interface driver.

Although internet technology supports many different network media, Ethernet is used for all examples in this tutorial because it is the most common physical network used under IP. The computer in Figure 1 has a single Ethernet connection. The 6-byte Ethernet address is unique for each interface on an Ethernet and is located at the lower interface of the Ethernet driver.

The computer also has a 4-byte IP address.
This address is located at the lower interface to the IP module. The IP address must be unique for an internet.

A running computer always knows its own IP address and Ethernet address.

2.4 Two Network Interfaces

If a computer is connected to 2 separate Ethernets it is as in Figure 3.

                     ----------------------------
                     |    network applications  |
                     |                          |
                     |...  \ | /  ..  \ | /  ...|
                     |     -----      -----     |
                     |     |TCP|      |UDP|     |
                     |     -----      -----     |
                     |         \      /         |
                     |         --------         |
                     |         |  IP  |         |
                     |  -----  -*----*-  -----  |
                     |  |ARP|   |    |   |ARP|  |
                     |  -----   |    |   -----  |
                     |      \   |    |   /      |
                     |      ------  ------      |
                     |      |ENET|  |ENET|      |
                     |      ---@--  ---@--      |
                     ----------|-------|---------
                               |       |
                               |    ---o---------------------------
                               |             Ethernet Cable 2
              ---------------o----------
                   Ethernet Cable 1

              Figure 3.  TCP/IP Network Node on 2 Ethernets

Please note that this computer has 2 Ethernet addresses and 2 IP addresses.

It is seen from this structure that for computers with more than one physical network interface, the IP module is both an n-to-m multiplexer and an m-to-n de-multiplexer.

        1   2 3 ...   n                 1   2 3 ...   n
         \  |  |  /                       \  |  |  /
          \ |  | /     ^                   \ |  | /     |
          -------------   flow             ----------------  flow
          |multiplexer|   of               |de-multiplexer|  of
          -------------   data             ----------------  data
          / |  | \        |                / |  | \          |
         /  |  |  \       |               /  |  |  \         v
        1   2 3 ...   m                 1   2 3 ...   m

          Figure 4.  n-to-m multiplexer and m-to-n de-multiplexer

It performs this multiplexing in either direction to accommodate incoming and outgoing data. An IP module with more than 1 network interface is more complex than our original example in that it can forward data onto the next network. Data can arrive on any network interface and be sent out on any other.

                           TCP      UDP
                             \      /
                             --------
                             |  IP  |
                             |      |
                             |  --- |
                             | /  \ |
                             | /  v |
                             --------
                              /    \
                             /      \
                         data      data
                         comes     goes
                         in        out
                         here      here

          Figure 5.  Example of IP Forwarding an IP Packet

The process of sending an IP packet out onto another network is called "forwarding" an IP packet. A computer that has been dedicated to the task of forwarding IP packets is called an "IP-router".
As you can see from the figure, the forwarded IP packet never touches the TCP and UDP modules on the IP-router. Some IP-router implementations do not have a TCP or UDP module.

2.5 IP Creates a Single Logical Network

The IP module is central to the success of internet technology. Each module or driver adds its header to the message as the message passes down through the protocol stack. Each module or driver strips the corresponding header from the message as the message climbs the protocol stack up towards the application. The IP header contains the IP address, which builds a single logical network from multiple physical networks. This interconnection of physical networks is the source of the name: internet. A set of interconnected physical networks that limit the range of an IP packet is called an "internet".

2.6 Physical Network Independence

IP hides the underlying network hardware from the network applications. If you invent a new physical network, you can put it into service by implementing a new driver that connects to the internet underneath IP. Thus, the network applications remain intact and are not vulnerable to changes in hardware technology.

2.7 Interoperability

If two computers on an internet can communicate, they are said to "interoperate"; if an implementation of internet technology is good, it is said to have "interoperability". Users of general-purpose computers benefit from the installation of an internet because of the interoperability in computers on the market. Generally, when you buy a computer, it will interoperate. If the computer does not have interoperability, and interoperability cannot be added, it occupies a rare and special niche in the market.

2.8 After the Overview

With the background set, we will answer the following questions:

   When sending out an IP packet, how is the destination Ethernet address determined?

   How does IP know which of multiple lower network interfaces to use when sending out an IP packet?
   How does a client on one computer reach the server on another?

   Why do both TCP and UDP exist, instead of just one or the other?

   What network applications are available?

These will be explained, in turn, after an Ethernet refresher.

3. Ethernet

This section is a short review of Ethernet technology.

An Ethernet frame contains the destination address, source address, type field, and data.

An Ethernet address is 6 bytes. Every device has its own Ethernet address and listens for Ethernet frames with that destination address. All devices also listen for Ethernet frames with a wild-card destination address of "FF-FF-FF-FF-FF-FF" (in hexadecimal), called a "broadcast" address.

Ethernet uses CSMA/CD (Carrier Sense and Multiple Access with Collision Detection). CSMA/CD means that all devices communicate on a single medium, that only one can transmit at a time, and that they can all receive simultaneously. If 2 devices try to transmit at the same instant, the transmit collision is detected, and both devices wait a random (but short) period before trying to transmit again.

3.1 A Human Analogy

A good analogy of Ethernet technology is a group of people talking in a small, completely dark room. In this analogy, the physical network medium is sound waves on air in the room instead of electrical signals on a coaxial cable.

Each person can hear the words when another is talking (Carrier Sense). Everyone in the room has equal capability to talk (Multiple Access), but none of them give lengthy speeches because they are polite. If a person is impolite, he is asked to leave the room (i.e., thrown off the net).

No one talks while another is speaking. But if two people start speaking at the same instant, each of them knows this because each hears something they haven't said (Collision Detection). When these two people notice this condition, they wait for a moment, then one begins talking. The other hears the talking and waits for the first to finish before beginning his own speech.
Each person has a unique name (unique Ethernet address) to avoid confusion. Every time one of them talks, he prefaces the message with the name of the person he is talking to and with his own name (Ethernet destination and source address, respectively), i.e., "Hello Jane, this is Jack, ..blah blah blah...". If the sender wants to talk to everyone he might say "everyone" (broadcast address), i.e., "Hello Everyone, this is Jack, ..blah blah blah...".

4. ARP

When sending out an IP packet, how is the destination Ethernet address determined?

ARP (Address Resolution Protocol) is used to translate IP addresses to Ethernet addresses. The translation is done only for outgoing IP packets, because this is when the IP header and the Ethernet header are created.

4.1 ARP Table for Address Translation

The translation is performed with a table look-up. The table, called the ARP table, is stored in memory and contains a row for each computer. There is a column for IP address and a column for Ethernet address. When translating an IP address to an Ethernet address, the table is searched for a matching IP address. The following is a simplified ARP table:

                  ------------------------------------
                  |IP address       Ethernet address |
                  ------------------------------------
                  |223.1.2.1        08-00-39-00-2F-C3|
                  |223.1.2.3        08-00-5A-21-A7-22|
                  |223.1.2.4        08-00-10-99-AC-54|
                  ------------------------------------

                      TABLE 1.  Example ARP Table

The human convention when writing out the 4-byte IP address is each byte in decimal and separating bytes with a period. When writing out the 6-byte Ethernet address, the conventions are each byte in hexadecimal and separating bytes with either a minus sign or a colon.

The ARP table is necessary because the IP address and Ethernet address are selected independently; you cannot use an algorithm to translate IP address to Ethernet address. The IP address is selected by the network manager based on the location of the computer on the internet.
When the computer is moved to a different part of an internet, its IP address must be changed. The Ethernet address is selected by the manufacturer based on the Ethernet address space licensed by the manufacturer. When the Ethernet hardware interface board changes, the Ethernet address changes.

4.2 Typical Translation Scenario

During normal operation a network application, such as TELNET, sends an application message to TCP, then TCP sends the corresponding TCP message to the IP module. The destination IP address is known by the application, the TCP module, and the IP module. At this point the IP packet has been constructed and is ready to be given to the Ethernet driver, but first the destination Ethernet address must be determined.

The ARP table is used to look up the destination Ethernet address.

4.3 ARP Request/Response Pair

But how does the ARP table get filled in the first place? The answer is that it is filled automatically by ARP on an "as-needed" basis.

Two things happen when the ARP table cannot be used to translate an address:

   1. An ARP request packet with a broadcast Ethernet address is sent out on the network to every computer.

   2. The outgoing IP packet is queued.

Every computer's Ethernet interface receives the broadcast Ethernet frame. Each Ethernet driver examines the Type field in the Ethernet frame and passes the ARP packet to the ARP module. The ARP request packet says "If your IP address matches this target IP address, then please tell me your Ethernet address". An ARP request packet looks something like this:

                  ---------------------------------------
                  |Sender IP Address   223.1.2.1        |
                  |Sender Enet Address 08-00-39-00-2F-C3|
                  ---------------------------------------
                  |Target IP Address   223.1.2.2        |
                  |Target Enet Address <blank>          |
                  ---------------------------------------

                    TABLE 2.  Example ARP Request

Each ARP module examines the IP address and if the Target IP address matches its own IP address, it sends a response directly to the source Ethernet address.
The ARP response packet says "Yes, that target IP address is mine, let me give you my Ethernet address". An ARP response packet has the sender/target field contents swapped as compared to the request. It looks something like this:

                  ---------------------------------------
                  |Sender IP Address   223.1.2.2        |
                  |Sender Enet Address 08-00-28-00-38-A9|
                  ---------------------------------------
                  |Target IP Address   223.1.2.1        |
                  |Target Enet Address 08-00-39-00-2F-C3|
                  ---------------------------------------

                    TABLE 3.  Example ARP Response

The response is received by the original sender computer. The Ethernet driver looks at the Type field in the Ethernet frame then passes the ARP packet to the ARP module. The ARP module examines the ARP packet and adds the sender's IP and Ethernet addresses to its ARP table.

The updated table now looks like this:

                  ----------------------------------
                  |IP address     Ethernet address |
                  ----------------------------------
                  |223.1.2.1      08-00-39-00-2F-C3|
                  |223.1.2.2      08-00-28-00-38-A9|
                  |223.1.2.3      08-00-5A-21-A7-22|
                  |223.1.2.4      08-00-10-99-AC-54|
                  ----------------------------------

                  TABLE 4.  ARP Table after Response

4.4 Scenario Continued

The new translation has now been installed automatically in the table, just milliseconds after it was needed. As you remember from step 2 above, the outgoing IP packet was queued. Next, the IP address to Ethernet address translation is performed by look-up in the ARP table, then the Ethernet frame is transmitted on the Ethernet. Therefore, with the new steps 3, 4, and 5, the scenario for the sender computer is:

   1. An ARP request packet with a broadcast Ethernet address is sent out on the network to every computer.

   2. The outgoing IP packet is queued.

   3. The ARP response arrives with the IP-to-Ethernet address translation for the ARP table.

   4. For the queued IP packet, the ARP table is used to translate the IP address to the Ethernet address.

   5. The Ethernet frame is transmitted on the Ethernet.
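The five steps above, together with the type-field demultiplexing of section 2.3, as a small simulation. This is example code written for this edit, not part of the Phrack file and not the code of any real IP stack: the Wire and Host classes, the packet and frame field names, and the unanswered address 223.1.2.9 are assumptions of the example; the other IP and Ethernet addresses are the ones in Tables 1 to 4, and the two EtherType values are the real ones.

```python
# Added example: toy model of one Ethernet segment with an ARP module per host.
# Addresses 223.1.2.1 .. 223.1.2.3 and their Ethernet addresses come from the
# tutorial's tables; 223.1.2.9 is a constructed address that no host owns.

ETHERTYPE_IP = 0x0800    # real values carried in the Ethernet type field
ETHERTYPE_ARP = 0x0806
BROADCAST = "FF-FF-FF-FF-FF-FF"


class Wire:
    """The shared Ethernet cable: every attached host sees every frame."""

    def __init__(self):
        self.hosts = []
        self.log = []            # (type name, destination address) of every frame sent

    def send(self, frame):
        self.log.append(("ARP" if frame["type"] == ETHERTYPE_ARP else "IP", frame["dst"]))
        for host in list(self.hosts):
            host.receive_frame(frame)


class Host:
    """One node with a single Ethernet interface, hence a single ARP table."""

    def __init__(self, ip, enet, wire):
        self.ip, self.enet, self.wire = ip, enet, wire
        self.arp_table = {}      # IP address -> Ethernet address, the shape of Table 1
        self.queued = {}         # destination IP -> the one IP packet waiting on ARP
        self.delivered = []      # IP packets that reached this host's IP module
        wire.hosts.append(self)

    # Ethernet driver: keep frames addressed to us or to broadcast, then
    # demultiplex on the type field (section 2.3).
    def receive_frame(self, frame):
        if frame["dst"] not in (self.enet, BROADCAST):
            return
        if frame["type"] == ETHERTYPE_ARP:
            self.arp_receive(frame["payload"])
        elif frame["type"] == ETHERTYPE_IP:
            self.delivered.append(frame["payload"])

    # ARP module: answer requests for our own IP, learn from responses.
    def arp_receive(self, arp):
        if arp["op"] == "request" and arp["target_ip"] == self.ip:
            # Table 3: sender/target swapped, sent directly to the requester.
            reply = {"op": "response",
                     "sender_ip": self.ip, "sender_enet": self.enet,
                     "target_ip": arp["sender_ip"], "target_enet": arp["sender_enet"]}
            self.wire.send({"dst": arp["sender_enet"], "src": self.enet,
                            "type": ETHERTYPE_ARP, "payload": reply})
        elif arp["op"] == "response" and arp["target_ip"] == self.ip:
            # Step 3: install the translation; steps 4 and 5 for the queued packet.
            self.arp_table[arp["sender_ip"]] = arp["sender_enet"]
            packet = self.queued.pop(arp["sender_ip"], None)
            if packet is not None:
                self.send_ip(packet)

    # IP module, outgoing side. Returns True once the packet has gone to the
    # Ethernet driver (possibly after an ARP exchange), False if still queued.
    def send_ip(self, packet):
        dst_ip = packet["dst_ip"]
        enet = self.arp_table.get(dst_ip)
        if enet is None:
            self.queued[dst_ip] = packet                          # step 2
            request = {"op": "request",
                       "sender_ip": self.ip, "sender_enet": self.enet,
                       "target_ip": dst_ip, "target_enet": None}
            self.wire.send({"dst": BROADCAST, "src": self.enet,
                            "type": ETHERTYPE_ARP, "payload": request})  # step 1
            return dst_ip not in self.queued
        self.wire.send({"dst": enet, "src": self.enet,
                        "type": ETHERTYPE_IP, "payload": packet})
        return True

    # No response ever arrived: IP discards the queued packet.
    def discard_unresolved(self):
        discarded = list(self.queued.values())
        self.queued.clear()
        return discarded


def demo():
    wire = Wire()
    a = Host("223.1.2.1", "08-00-39-00-2F-C3", wire)
    b = Host("223.1.2.2", "08-00-28-00-38-A9", wire)
    Host("223.1.2.3", "08-00-5A-21-A7-22", wire)   # bystander: hears requests, never answers

    a.send_ip({"dst_ip": "223.1.2.2", "data": "first"})        # table miss: request/response first
    a.send_ip({"dst_ip": "223.1.2.2", "data": "second"})       # table hit: no ARP traffic
    a.send_ip({"dst_ip": "223.1.2.9", "data": "nobody home"})  # no such host: request only
    return {
        "arp_table": dict(a.arp_table),
        "delivered": [p["data"] for p in b.delivered],
        "discarded": [p["data"] for p in a.discard_unresolved()],
        "frames": wire.log,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the module shows the frame sequence the text describes: the first send puts three frames on the wire (broadcast request, unicast response, then the IP frame), the second send only the IP frame, and the third only a request that nobody answers, so nothing enters the table and the packet is discarded, which is why the upper layers cannot tell a missing host from a broken Ethernet.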
In summary, when the translation is missing from the ARP table, one IP packet is queued. The translation data is quickly filled in with ARP request/response and the queued IP packet is transmitted.

Each computer has a separate ARP table for each of its Ethernet interfaces. If the target computer does not exist, there will be no ARP response and no entry in the ARP table. IP will discard outgoing IP packets sent to that address. The upper layer protocols can't tell the difference between a broken Ethernet and the absence of a computer with the target IP address.

Some implementations of IP and ARP don't queue the IP packet while waiting for the ARP response. Instead the IP packet is discarded and the recovery from the IP packet loss is left to the TCP module or the UDP network application. This recovery is performed by time-out and retransmission. The retransmitted message is successfully sent out onto the network because the first copy of the message has already caused the ARP table to be filled.

_______________________________________________________________________________

==Phrack Inc.==

Volume Three, Issue Thirty-Three, File 9 of 13

          /////////////////////\\\\\\\\\\\\\\\\\\\\\
          ||                                     ||
          || A Real Functioning RED BOX Schematic ||
          ||                                     ||
          ||     Written by: R.J. "BoB" Dobbs     ||
          ||                                     ||
          \\\\\\\\\\\\\\\\\\\\\/////////////////////

::What is a Red Box?::

Essentially, the Red Box is a device used to fool the phone company's computer into thinking coins are deposited into a payphone. Every time you drop a coin into a payphone, the phone signals the type of coin inserted with one or more bursts of a combination of 1700 Hz and 2200 Hz.
The tone bursts are coded as follows:

   Nickel : One 60 millisecond pulse
   Dime   : Two 60 millisecond pulses separated by 60 milliseconds
   Quarter: Five 35 millisecond pulses separated by 35 milliseconds

::How to use it::

Simply dial a long distance number (some areas require you to stick in a genuine nickel first), wait for the ACTS computer to demand your cash, and press the "deposit" button on the red box for each coin you want to simulate. The coin signals are coupled from the red box into the phone with a small speaker held to the mouthpiece. For local calls, either you must first deposit a genuine nickel before simulating more coins or place your call through the operator with 0+xxx+yyyy. Use some care when the operator is on the line - sometimes they catch on to your beeper ploy.

::Circuit Operation::

Each time the pushbutton is pressed, it triggers half of IC1, configured as a monostable multivibrator, to energize the rest of the circuit for a length of time determined by the setting of the coin selector switch. This in turn starts the other half of IC1, configured as an astable multivibrator, pulsing on and off at regular intervals at a rate determined by the 100k pot between pins 12 and 13. The output of the astable thus alternately powers IC2, configured as a square wave oscillator, providing the required 1700hz and 2200hz to the op amp which acts as a buffer to drive the speaker.

::Alignment & Testing::

When you are making this thing by no means should you use a 9v AC to DC adapter! I also suggest not using a bread board. So be careful with that soldering iron. Both of these things will cause you problems. For alignment, a frequency counter is desired but you can use a good oscilloscope as well. (These are not ABSOLUTELY necessary, but they help.) In order to figure frequency in Hz with your scope you can use the following formula.
              1                S  = The measurement of the wave that is on the display
    Hz = -----------
         S*(T*10^-6)           T  = The setting of the time selector (milliseconds)

                 1
    Hz = ------------------       Hz = 2198
         9.1 * 50ms * 10^-6

Carefully remove IC1 from its socket. Install a temporary jumper from the +9v supply to pin 14 of IC2 and temporarily disconnect the 0.01uF capacitors from pins 5 and 9 of IC2. Power up the circuit. Measuring the output from pin 5 of IC2 with the frequency counter or scope, adjust the 50k pot between pins 1 and 6 for an output of 1700hz. Now adjust the 50k pot between pins 8 and 13 for an output of 2200hz from pin 9 of IC2. Remove the temporary jumper and re-attach the capacitors to pins 5 and 9 of IC2, and re-insert IC1. (Note: if no frequency counter is available, the outputs can be adjusted by ear one at a time by zero-beating the output tone with a computer generated tone of known precision.)

Next, using a multimeter, adjust the 10K pot at the cathode of the "quarter" diode for a resistance of approximately 8K ohms. (This sets the difference between the duration of the quarter pulses and those of the nickel/dime -- fine tuning of this ratio may be necessary during the latter stages of alignment; this can be done by ear.)

Now, temporarily disconnect the wire between pins 5 and 10 of IC1. Set the coin selector switch in the "N" (nickel) position. With the oscilloscope measuring the output from pin 9 of IC1, adjust the 100k pot between pins 12 and 13 of IC1 for output pulses of 60 millisecond duration. Reconnect the wire between pins 5 and 10. (Note: If no scope is available, adjust the pulse rate by ear using computer generated tones for comparison.)

Leave the selector switch in the "N" position. Adjust the 50K pot labelled "Nickel" for a single beep each time the deposit pushbutton is pressed. Next set the coin selector switch to "Dime". Adjust the 50k pot labelled "Dime" for a quick double beep each time the pushbutton is pressed. Finally, set the selector to "Quarter".
Adjust the 50k pot labelled "Quarter" until exactly 5 very quick beeps are heard for each button press. Don't worry if the quarter beeps sound shorter and faster than the nickel and dime ones. They should be.

::Conclusion::

If all went well to this point, your red box should be completely aligned and functional. A final test should now be conducted from a payphone using the DATL (Dial Access Test Line) coin test. Dial 09591230 and follow the computer instructions using the red box at the proper prompts. The computer should correctly identify all coins "simulated" and flag any anomalies. With a little discretion, your red box should bring you many years of use. Remember, there is no such thing as spare change!

::Parts list for Red Box::

   2  556 Dual Timer IC's                8  0.01uF Caps
   1  741 Op Amp IC                      2  0.1uF Cap
   2  1N914 Diodes                       1  1.0uF Electrolytic Cap
   5  10k Resistors                      2  10uF Electrolytic Caps
   1  4.7k Resistor                      1  3 Position Rotary Switch
   2  100k Resistors                     1  SPST Toggle Switch
   1  100k PC Mount Pots                 1  Momentary Push Button Switch (n/o)
   3  50k PC Mount Pot                   1  9v Battery Clip
   1  10k PC Mount Pot                   2  14 Pin Dip Socket
   2  50k Multi-Turn Pots                1  8 Pin Dip Socket

::Schematic::

_ +9__S1/ _____________________________________________________________ | | | | | S3 | R1 R2 | R3 o @ o | |___C1___| _____| |_________|/___ / o \___ | | ____|_____|_____|____ | | |\ | | _| | _| o | 6 4 14 | R4 R5 D1 | | R9< | S2 | o _|5 13|_____| | | |__ | | | | | | |__ g | _| | | g |_|10 IC1 8|_ _| | R8< | | | 556 | |__R6< |__ | | | _|9 12|_| _| | | | | | | |__C2__g R7< | | | | |_11___3___7___2___1__| | | | | | | | | |___|_______________________|____|____| | | | C3 | | | |__|/| | | C4 | | |\ | | | | | D2 g g g | |_____________________ | | | | | ___ R10 | R11 ___ | v | | | | | v | __R12 |__| ___|___ |__| R13__ | | _|___|___|___|____|_ | | | | 1 4 14 10 13 | | | | | | | | |_______|6 8|_______| | | | | IC2 | | | | C5 |__|2 556 12|__| C6 | | | | | | g __|3 11|__ g | | |_____7___5___9______| | | C7 | | | C8 |