**********************************
* DOCUMENTATION FOR PBXHACK v1.1 *
**********************************


There will be a private release (v1.2p) for 5 guys who helped me most with this project, with professional functions you'll probably never see on any other hacker or this public version. If you wanna know what these powerful functions are look at the end of the file ;) This is the reward for those guys supporting programmers. Think about it.

Sorry, no full docu ... a) i'm too lazy, b) everything is easy to understand c) if you don't understand it, it's not a program that should be in your hands. Thats the reason this is only a Question-Answer Docu ... so read this ->

Question (Q) / Answer (A)
------------------------------------------------------------------------------
Q: Why is the HISTORY even after the PGP key at the end of this text ??
A: Because nobody is interested in the work and effort a programmer puts into his program ... :( thats the old story. If *YOU* want to cheer me up - contact me (see much below) and do so ;-)
------------------------------------------------------------------------------
Q: The computer hangs up after starting PBXHACK !
A: There are TWO possibilities for this :
   a) you are running PBXHACK in a DOS window of Win95 or similar ... doesn't happen often but sometimes (serial port conflict)
   b) you just ran a new version of PBXHACK and the .CFG file structure changed. Delete PBXHACK.CFG and try again (shouldn't happen any more with 1.x+ -> version check made)
------------------------------------------------------------------------------
Q: What are the keys in terminal mode ?
A: ALT-H Hangup, ALT-X Exit, ALT-S Status, ALT-B Send Break, ALT-C Clear Screen.

------------------------------------------------------------------------------
Q: The program doesn't dial in PBX Hacking mode, and also not in TRAIN Mode (Setup)
A: You must first setup your modem correctly ! Do that in SETUP/MODEM ! The important things to change are IRQ and BASE ADDRESS !
------------------------------------------------------------------------------
Q: What are common Base Address and IRQs for the Com Ports? (i'm too lazy to look it up)
A: Com1: Irq4 Base3F8, Com2: Irq3 Base2F8, Com3: Irq4 Base3E8, Com4: Irq3 Base2E8
------------------------------------------------------------------------------
Q: The program doesn't dial in PBX Hacking mode, but does in TRAIN mode
A: The program *WOULD* dial if you would wait some time! Before every call it places, it waits randomly between the MIN & MAX Settings of SETUP/HACKING/Wait between Calls. If you want to have NO delay between your calls, change MIN & MAX to Zero.
------------------------------------------------------------------------------
Q: Hey cool, i just corrected IRQ and Base Address but NOT the COM Port but it works!
A: Yeah, the COM port variable is of no use ;) it's only for that you feel safer hehehehe
------------------------------------------------------------------------------
Q: I hate the "welcome" scrolling after starting the prog!
A: Just start PBXHACK with any parameter, like "PBXHACK -" and it doesn't scroll ;) A reward for those reading the docu ;)
------------------------------------------------------------------------------
Q: Hey, i got an E1eete Courier Modem! How can *I* be elite and use that el1tee modem with this ELiTE program to become *really* c00l ?
A: Enable Touchtone Recognition in the modem init string with %T ... and try TRAIN RESPONSE to look after how you must setup the success and failure response recognition with your PBX.
------------------------------------------------------------------------------
Q: How high should be the Timeout number ?
A: Experiment with about 15 (10-18) when using "W;" etc. as DialAfterCode and 20-60 when dialing a modem/... number in DialAfterCode (see below of DialAfterCode usage)
------------------------------------------------------------------------------
Q: SHIT - your crap program doesn't recognize a BUSY PBX number !! FUCK YOU !!!
A: Cool down. No PBXHacker can recognize this! But here a tip how to do that : Try the TRAIN RESPONSE option with just the number of the pbx and a "W;" after the number. If the line is NOT busy and you get the modem response "OK" then put that AFTER the pbx no. in the StartHacking Setup. That will do the busy check. If you get a "NO CARRIER" or "NO ANSWER" or "NO DIALTONE" response (depends on modem brand) you can't use this. Try the above with "@;" again, and if that works, use that. If nothing of that works there's no possibility to detect a busy ... sorry. But if you find a possibility - TELL ME !
   ARGH i just forgot : to TRAIN RESPONSE you use a "@;" or "W;", but in the number setup you just put a "@" or "W" after the number, NOT the ";" !
------------------------------------------------------------------------------
Q: Shit the program also doesnt check if there's a dialtone before beginning to dial !!
A: Thats even easier. Just put in Dial Prefix a "W" ... that fixes it, but takes time to wait! You don't need this if you have already got BUSY check enabled with "@" or "W" (s.a.)
------------------------------------------------------------------------------

Q: Yeah, seems to be good, but i don't like that i must calculate the time BEFORE and AFTER the code ... :(
A: Sorry. This is a generic program to hack PBX, not a silly straight forward one. Thats the reason why you need that... but trust me, it saves much time ! The MIN setting of BEFORE CODE must be the sec. you need to dial to the pbx and the pickup + intro message of the pbx (if exists) + 1
------------------------------------------------------------------------------
Q: ??? I can't find the LOG Option in the program ! Is the output to screen only??
A: Of course NO! The LOG is automatically created. Its name is the last 8 characters of the number you input in the pbx-phone-number field with the ending .LOG ... in the current directory. If this file already exists, the data is appended.
------------------------------------------------------------------------------
Q: What does the LOG log ?
A: Date, Time, CODE no. and a few words telling you that a success was found. If the program detects an unspecified Modem response (not success or failure) it tells something like "unkown response : " etc. Or TIMEOUT if you specified that as success.
------------------------------------------------------------------------------
Q: I live in an area where only pulse dialing is possible :(
A: easy. Just put in Dial Prefix a P and in Code Prefix a T ... thats all
------------------------------------------------------------------------------
Q: Hey a "," in a phone number is NOT a 2 second pause !
A: Right. The modem is initialized that a "," is a 1 second pause !
------------------------------------------------------------------------------
Q: Important questions : what should be in the modem init string ??
A: Anything you like. Every IMPORTANT option is done automatically : "X3 S6=0 S8=1 E0" ... Everything else is up to you. Put a "Z" or "Z2" or "&F" in there ... and setup your modem as you wish. Your modem MUST support these standard Hayes Options to work !
------------------------------------------------------------------------------
Q: hmmm, gimme a tip how to verify a valid CODE without the need to find too the outdial function and to dial the phonenumber (which can be VERY risky!)
A: Okay, thats easy. Once again it's like BUSY Checking ! But this time you must train it like that : use TRAIN with the pbx no. a few "," to wait for the code and then a "W;" ... if you get "OK" as response it might work like this : put the modem line out of the phone line and use TRAIN with only "W;" ! This will be the SUCCESS response! FAILURE response must be "OK" then ! This is because if the pbx does an alarm tone after a wrong code, the modem might think thats a new dialtone for which to wait etc. If this doesnt work, sorry, then you must a) guess what the outdial code is (if any) and then input a good phonenumber ! (and some pbx are only local and that shit etc.)
   In the private 1.2 version you can turn recording on where you CAN'T make ANY mistakes! YEAH ! (use an dtmf Voc decoder etc. 100% identifying!)
------------------------------------------------------------------------------
Q: Why is this important Q. so late in this Text ???
A: errm ... you found it, okay? so it's not too late ;-)
------------------------------------------------------------------------------
Q: Shit the modem response maybe anything for failure like "NO ANSWER" to "NO CARRIER" etc. and the LOG File gets big :(
A: The modem response can be checked easily for different FAILURES with just a FAILURE response of "NO" ... ;) but this works only if you put in a phone number in "Number to dial after code"
------------------------------------------------------------------------------
Q: I heard that often the sentence "use TRAIN RESPONSE to solve that" - so where's this option and how to use ?
A: It's in SETUP/HACKING/TRAIN RESPONSE ... When you select it, you get an input prompt which number to dial etc. where you can input the data you like. After the dialing, you can see the response after the menu point "Last reponse : " ... this is for that you can test which modem results you get when experimenting with the pbx for optimal hack results. Also VERY important to use with DTMF Rec. of Courier Modems ... Try it ...
------------------------------------------------------------------------------
Q: Why random CODE generation? And why only up to 6 digits?
A: You *should* use random code generation cause modern PBX systems look if failed code input attempts are sequential, so they detect you very early !!
   Random Code generation only up to 6 digits cause more is not possible to do fast and check that no doubles are tried ... any other can do only 4
------------------------------------------------------------------------------
Q: I would like to use another outdial before hacking the pbxs to prevent a successful trace, or to disable CallID (some us countries only)
A: In the Hacking menu is now an option named "Number to dial before the PBX" ... f.e. to use a pbx/cc/vmb outdial in front of the hack, to prevent tracing, to hack on an 1-800 number and calling from germany etc. You must put everything in this field which is needed for this function. To wait, use a ',' which is a second.
------------------------------------------------------------------------------
Q: Why is EVERYTHING random in this fine program ??
A: For YOUR Security ! Read the file SIC-PBXS.TXT included in this package and you know why ! This is the ONLY pbx hacking program which does an random delayed dial for every code no. and phone no. to dial after! Even if you specified more than one pbx to hack, it's random in which order they are tried to hack.
------------------------------------------------------------------------------
Q: Hey c00l this program ! I would like to get the source code, maybe even to enhance it ! (or to learn or anything else)
A: No problem. But this program was not that easy to do ;) ... i would like to *exchange* it with another interesting source code. Just call my bbs (look at Q:how to contact, below) and write a message etc. etc. For example i'm interested in the source of ToneLoc 1.1 (great program! but can be enhanced)
------------------------------------------------------------------------------
Q: How can i get into touch with you ??
A: 4 possibilities :
   a) Call my BBS -> ++49-(0)69-823282 and Login as Login:THC and Password:THC ... write a message to "van Hauser" - you can download any THC release plus some more interesting files in this guest shell.
   b) Write me an email -> vh@campus.de but i don't know how long it will be active and how often I can check it (maybe once a week. I DO ONLY RESPOND TO PGP ENCRYPTED MESSAGES! MY Public PGP key is at EOF !
   c) meet me on IRC #HACK, #PHREAK or #BLUEBOX as "vanHauser" but *CHECK* if thats REALLY me! i heard many guys telling me they met me on irc or compuserve when i weren't there ... and i'm not often on irc ... too "lame" ...
   d) Thats the hardest one : meet me while playing LiveRoleplaying on a castle somewhere in Germany, nearly every second weekend ;) Try to recognize me ;)))))))))))
   please try first a) then b etc. !
------------------------------------------------------------------------------
Q: Can I do anything for you?
A: Hehehe ... NOW we are getting somewhere hehehe I'm interested in *ANY* information about IPSPOOFING, R2 PHREAKING, and good source codes especially on ToneLoc 1.1 - i would like to enhance it that it can do
   a) DOMAIN DEEPNESS SCANNING
   b) to accept up to 6X's (yep up to 1.000.000 calls at once random!) in the mask,
   c) better PBX hacking possibilities
   d) optimize modem result analyzing ... so gimme the code or bring me into touch with Minor Threat or Mucho Maas ... ;-)
   d) advanced hacking ability for carrier, fax etc
------------------------------------------------------------------------------
Q: Hey whats THC, and how can I be part of this great group ?
A: THC stands for "The Hacker's Choice". (if some of us really smoke THC, i don't know - i don't) We are releasing quality Hacking/Phreaking Texts & Programs, about 4-10 (with updates) per month ... if YOU wanna be part of THC, we always are looking for good coders with useful/intelligent HP programs. So if you want us to spread them and we think your modem is great - yeah we'll do it! We got also a good team of beta testers and spreaders, so you are working in an nice atmosphere with even nicer guys ;-) How to contact us? See above, how to contact me, or read THC.NFO ...
------------------------------------------------------------------------------
Q: CAN'T YOU WRITE ENGLISH ??? THERE MANY MANY MISTAKES !!
A: I know. I put them all in only for you. But COUNT THEM, send me the correct answer until 31-Dec-1999 and you can win :
   A Photo with signature from me (1st Prize!)
   A Horse
   A no more working Cherry Keyboard with click
   A Weekend Trip to the Bahamas with my girlfriend (yeah! yeah! free time now! ;-))
   and a Banana.
   EVERYONE who sends in an answer may spend a weeking with MICHAEL SCHUHMACHER !! and learn to drive safe and carefully!
------------------------------------------------------------------------------
Q: How dangerous is PBX Hacking?
A: Okay guy, without any jokes : Pbx Hacking is *very* dangerous! Try not to use/hack/scan them from home. The PBX computer equipment is very sensitive nowadays, thats the reason i programmed this "next generation" Pbx hacker ... but it's still dangerous!
   NEVER EVER hack a pbx which is in your country! Try to hack PBXs of firms on your toll free numbers which are in another country AND haven't got a residence in yours.

---> CRYPT YOUR HARDDISK! <--
   Even if you don't do pbx hacking. As long as you do something others shouldn't know about, CRYPT YOUR HARDDISK! Use SFS, which is the best, or SecureDrive (both Freeware). NOT bad ones like Diskreet from Norton!
   When you get the police in your house - THEY must prove YOU did the calls/crime, and not your little sister (so no chance for them if YOU tell them) etc.
   ! NEVER EVER COOPERATE WITH COPS !
------------------------------------------------------------------------------
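Added example (not part of PBXHACK or of the original documentation): the answers above on random code generation and random call delays rest on the claim that PBXs spot guessing by looking for sequential failed codes. From the PBX owner's side, counting distinct failed codes per remote-access line inside a time window works whatever the order or spacing of the attempts. The log layout, field names and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of PBX remote-access authorization log lines.
# The field layout is an assumption for this example, not a real PBX format.
SAMPLE_LOG = """\
1995-12-01 02:00:07 line=DISA1 code=483920 result=FAIL
1995-12-01 02:03:41 line=DISA1 code=017734 result=FAIL
1995-12-01 02:05:02 line=DISA2 code=551200 result=OK
1995-12-01 02:09:15 line=DISA1 code=902215 result=FAIL
1995-12-01 02:16:48 line=DISA1 code=330871 result=FAIL
1995-12-01 02:21:30 line=DISA1 code=764003 result=FAIL
1995-12-01 09:12:00 line=DISA2 code=551201 result=FAIL
1995-12-01 09:12:40 line=DISA2 code=551200 result=OK
"""

LINE_RE = re.compile(r"^(\S+ \S+) line=(\S+) code=(\d+) result=(OK|FAIL)$")


def parse(log_text):
    """Return sorted (timestamp, line, code, ok) tuples; skip malformed lines."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return sorted(events)


def looks_sequential(codes):
    """Order-based heuristic: every code is the previous one plus 1."""
    nums = [int(c) for c in codes]
    return len(nums) > 1 and all(b - a == 1 for a, b in zip(nums, nums[1:]))


def guessing_alerts(events, window=timedelta(minutes=30), max_distinct=4):
    """Flag a line once more than max_distinct different wrong codes arrive
    within `window`, regardless of their order or the gaps between them."""
    recent = defaultdict(deque)   # line -> deque of (timestamp, code) failures
    alerts = {}
    for ts, line, code, ok in events:
        if ok:
            continue
        q = recent[line]
        q.append((ts, code))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop failures that fell out of the window
        distinct = {c for _, c in q}
        if len(distinct) > max_distinct and line not in alerts:
            alerts[line] = (q[0][0], ts, [c for _, c in q])
    return alerts


if __name__ == "__main__":
    for line, (start, end, codes) in guessing_alerts(parse(SAMPLE_LOG)).items():
        print(line, start, end, len(codes), "failed codes,",
              "sequential" if looks_sequential(codes) else "not sequential")
```

The single mistyped code on DISA2 stays below the threshold, while the slow, unordered run on DISA1 is flagged even though the sequence check alone would pass it.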

Okay, i hope that helped everyone. If you got additional questions, or ideas or found bugs etc. tell me - i'll enhance/fix it - see above how to get into touch with me ! Thats all from me ... (my PGP key is below)

Ciao... van Hauser

------------------------------------------------------------------------------
*** LORE BBS Sysop (best H/P BBS in Germany) ***
*** [THC] Organizer/Programmer (best HP group) ***
------------------------------------------------------------------------------

Please email to this address --> vh@campus.de
I do ONLY respond to PGP encrypted mails !
This is my public key: van Hauser/THC of LORE BBS

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.1

mQCNAzB6PNQAAAEEALx5p2jI/2rNF9tYandxctI6jP+ZJUcGPTs7QTFtF2c+zK9H
ElFfvsC0QkaaUJjyTq7TyII18Na1IuGj2duIHTtG1DTDOnbnZzIRsXndfjCIz5p+
Dt6UYhotbJhCQKkxuIT5F8EZpLTAL88WqaMZJ155uvSTb9uk58pv3AI7GIx9AAUT
tBp2YW4gSGF1c2VyL1RIQyBvZiBMT1JFIEJCUw==
=6UhL
-----END PGP PUBLIC KEY BLOCK-----

---------------------------------- HISTORY -----------------------------------

~~~~~~ v0.2 NonPublic ALPHA Release 1-nov-95
Betatesters : Scavenger
* First Version. Does everything except random code generation

~~~~~~ v0.6 NonPublic BETA Release 2-nov-95
Betatesters : Dr. Fraud, JFF
* Did some enhancements!
* 2 small bugs removed (many others put in hehehe)
* Min & Max Settings now also for BEFORE/AFTER Code Wait
* Optimizes Standard Modem/Hacking Settings
* Train Response mode activated

~~~~~~ v0.7 NonPublic BETA Release 2-nov-95
Betatesters : JFF, Dr. Fraud, Scavenger, Omega, The Q, Wilkins, Plasmoid
* SOOOOOORRRRRYYYYYYYYY I *REALLY* put in 4 BUGS into v0.6 !!! with the result it didn't work :(((((((
* No CODE found was reported in either LOG File or Screen ! ARGH ! fixed...
* TRAIN Mode does work now. After programming it, i didn't test it :( Now the Serial Device Handlers are installed and removed ...
* The Modem did dial a 61 in front of every number... fixed that.
* NO Modem response could be identified ! fixed too ...
* SHOOT ME !!
* ah ... on second thought, don't ;-)
* There should be one or two small bugs left, watch out for Runtime Errors like "Runtime Error 201 at [0000:01F3]" and report them ! But in my testings i didn't encounter them ... maybe that was just a small bug in v0.6 which is now removed too ... (hope so)
* The Textfile SIC-PBXS.TXT added to this archive - i'm too lazy to tell you about PBX hacking, this text is good enough !

~~~~~~ v0.8 NonPublic BETA Release 3-nov-95
Betatesters : JFF, Dr. Fraud, Scavenger, Omega, Wilkins
* I included now the original archive of the SIC-PBXS release - good release!
* I rewrote the DOCUMENTATION (yeah this) completely.
* included the RANDOM CODE generate function for 1-6 Digits Code Length hope it works correctly ...
* Fixed a small bug if no Number to dial was specified.

~~~~~~ v0.9 *PUBLIC* GAMMA Release 6-nov-95
Betatesters : JFF, Dr. Fraud, Scavenger, Wilkins, Plasmoid, The Analyst
* Press [S] during Hacking gives out the current Status (Dr. Fraud's Idea)
* Dial Prefix to use a CC/vmb outdial/or another pbx before hacking a pbx (much more secure!) (Wilkins' Idea)
* Fixed & Enhanced DelayDialing of Codes & No2DialafterCode
* Fixed Modem response analyzing
* removed some writing mistakes ...
* updated this DOC file ...
* enhanced the greetings ;)
* recompiled it.


Released 18-Nov-95
* little Terminal included (as announced) For ANSI graphics you must have loaded ANSI.SYS !
* If the Final Modem Response is "CONNECT" an alarm rings with the option to enter terminal mode! (Hit "Y" within 10 seconds)
* Small Check in the LOG file creation done ...
* Memory for Random Code Generation is now released without hangup ;-) wasn't my fault but the buggy pointer/memory handling under Turbo Pascal with disk access blockread/write commands ... had to work around it.
* Added Maximum Attempts to hack ... (The Analyst's Idea)
* PBX No. to hack may have 30 digits now
* Added Code-Prefix if you want to scan f.e. 4 digits code but all with the beginning '5' ... set code length to 3 and set code_prefix to 5 and do it (The Analyst's Idea)
* A version Check of PBXHACK.CFG is now made to prevent hangups due config file from old beta versions.
* Display Enhancements (f.e. the Status while hacking etc.)

~~~~~ v1.1 *PUBLIC* FULL RELEASE Released 1-Dec-95 (bug fix version)

* Wrong Size in function RandomDatWrite when saving Random Data for CodeLength 6 ... -> RuntimeError ... shit .. made the random functions a bit more random too ;)
* Random functions are now more random than before ;) (TP does only a silly random ... shit)
* First Number generated now won't be ZERO in random mode ;)
* Terminal Mode fixed
* Enhanced Greetings/Information and this Documentation
* Remember if you wanna make/have this utility better you must support/tell me

~~~~~ v1.2p *PRIVATE* will be Released 24-Dec-95
-> Special-Thank-Release for The Analyst, Dr. Fraud, Wilkins, Plasmoid & JFF <-
* Recording the line after the last code no# is dialed for specified seconds via soundblaster. Very cool if you don't know what a success string could be etc. (The Analyst's standard analyzing mode - very successful, about 100% correct identification afterwards ... cool)
* 2ndTRY : some pbx let you enter the code a second time after the first failure. Specify the time to wait before the 2nd try and it will do it. Saves about 50% time on those pbx ! And to make this even MORE better : It tells you HOW many tries you can make. So you can even use them to hack/check vmbs or internal telekom outdial/check numbers etc. etc. but you can do this ONLY on special occasions:
  1) where a FAILURE string is "OK"
  2) you are using TouchTone Recognition with USR Dual modems
  3) You are recording (see above)
* Second EXEcutable File, which is PBXHACK MULTIMODE (where the old pbxhack.exe is single mode) called pbxmulti.exe - here you can set success string, failure string, timeout, code length etc. for EVERY Pbx no. - up to 13 PBX numbers may now be (ab)used. Very useful cause you'll never find more than 3 PBXs of one type or same, for which you can use the same codelength, success strings, Dial after code etc. etc. etc. Of course in this multimode is also the new RECORD and 2ndTRY Option available ...
* Password protected startup and Config Cryption. Only those 5 guys may use this version. Don't give them to others or ya get never a private version again. Every program of those is registered to that special guy.

maybe, i'll put one of these features into v1.5 of the public version of pbxhack (1.3 & 1.4 will be private bug fix versions of 1.2p), released mid/end January ... but maybe not.

~~~~~ Thanks to all the BETATESTERS !