
                
                                                            
                    
                                  
                                                   
                                        
                                             
                                             
                                        
                                                   
                              
                
                             The Hacker's Choice            
                

          FUSiON OF DTi AND LORE ۲




**********************************
* DOCUMENTATION FOR PBXHACK v1.1 *    PUBLIC FULL RELEASE
**********************************


There will be a private release (v1.2p) for 5 guys who helped me
most with this project, with professional functions you'll probably never
see on any other hacker or this public versions. If you wanna know what these
powerful functions are look at the end of the file ;) 
This is the reward for those guys supporting programmers.
Think about it.

Sorry, no full docu ... a) i'm to lazy, b) everthing is easy to understand
c) if you don't understand it, it's not a program that should be in your hands.

Thats the reason this is only a Question-Answer Docu ... so read this ->

  Question                    Answer
 
 Why is the HISTORY even      Because nobody is interested in the work and
 after the PGP key at the end effort a programmer puts into his program ... :(
 of this text ??              thats the old story.
                              If *YOU* want to cheer me up - contact me (see
                              much below) and do so ;-)
 
 The computer hangs up after  There are TWO possibilities for this :
 starting PBXHACK !            a) you are running PBXHACK in a DOS Windows
                                  of Win95 or similar ... doesn't happen often
                                  but sometimes (serial port conflict)
                               b) you just ran a new version of PBXHACK and
                                  the .CFG file structure changed. Delete
                                  PBXHACK.CFG and try again (shouldn't happen
                                  any more with 1.x+ -> version check made)
 
 What are the keys in         ALT-H Hangup, ALT-X Exit, ALT-S Status,
 terminal mode ?              ALT-B Send Break, ALT-C Clear Screen.
 
 The program doesn't dial in  You must first setup your modem correctly !
 PBX Hacking mode, and also   Do that in SETUP/MODEM ! The important things to
 not in TRAIN Mode (Setup)    change are IRQ and BASE ADRESS !
 
 What are common BaseAdress   Com1: Irq4 Base3F8, Com2: Irq3 Base2F8,
 and IRQs for the Com Ports?  Com3: Irq4 Base3E8, Com4: Irq3 Base2E8
 (i'm to lazy to look it up) 
 
 The program doesn't dial in  The program *WOULD* dial if you would wait some
 PBX Hacking mode, but does   time! before every call it places, it waits     
 in TRAIN mode                randomly between the MIN & MAX Settings of
                              SETUP/HACKING/Wait between Calls.
                              if you want do have NO delay between your calls,
                              change MIN & MAX to Zero.
 
 Hey cool, i just corrected   Yeah, the COM port variable is of no use ;)
 IRQ and Base Adress but NOT  it's only for that you feel safer hehehehe
 the COM Port but it works!  
 
 I hate the "welcome" scoll-  Just start PBXHACK with any parameter, like
 ing after starting the prog! "PBXHACK -" and it doesn't scroll ;)
                              A reward for those reading the docu ;)
 
 Hey, i got an E1eete Courier Enable Touchtone Recognition in the modem init 
 Modem! How can *I* be elite  string with %T ... and try TRAIN RESPONSE to 
 and use that el1tee modem    look after how you must setup the success and
 with this ELiTE program to   failure response recognition with your PBX.
 become *really* c00l ?       
 
 How high should be the       Experiment with about 15 (10-18) when using
 Timeout number ?             "W;" etc. as DialAfterCode and 20-60 when
                              dialing a modem/... number in DialAfterCode
                              (see below of DialAfterCode usage)
 
 SHIT - your crap program     Cool down. No PBXHacker can recognize this!
 doesn't recognize a BUSY     But here a tip how to do that :
 PBX number !! FUCK YOU !!!   Try the TRAIN RESPONSE option with just the
                              number of the pbx and a "W;" after the number.
                              If the line is NOT busy and you get the modem
                              response "OK" then put that AFTER the pbx no. 
                              in the StartHacking Setup. That will do the busy
                              check. If you get a "NO CARRIER" or "NO ANSWER"
                              or "NO DIALTONE" response (depends on modem
                              brand) you can't use this. Try the above with
                              "@;" again, and if that works, use that.
                              if nothing of that works there's no possiblity
                              to detect a busy ... sorry. But if you find a
                              a possiblity - TELL ME !
                              ARGH i just forgot :  to TRAIN RESPONSE you use
                              a "@;" or "W;", but in the number setup you just
                              put a "@" or "W" after the number, NOT the ";" !
 
 Shit the program also doesnt Thats even easier. Just put in Dial Prefix     .
 check if there's a dialtone  a "W" ... that fixes it, but takes time to wait!
 before beginning to dial !!  you don't need this if you already have got
                              already BUSY check enabled with "@" or "W (s.a.)
 
 Yeah, seems to be good, but  Sorry. This is a generic program to hack PBX,
 i don't like that i must     not a silly straight forward one. thats the 
 calculate the time BEFORE    reason why you need that... but trust me, it
 and AFTER the code ... :(    saves much time !
                              The MIN setting of BEFORE CODE must be the sec.
                              you need to dial to the pbx and the pickup +
                              intro message of the pbx (if exists) + 1 
 
 ??? I can't find the LOG     Of course NO! The LOG is automatically created.
 Option in the program ! Is   It's name is the last 8 characters of the number
 the output to screen only??  you input in the pbx-phon-number field with the
                              ending .LOG ... in the current directory. If 
                              this file already exists, the data is appended.
 
 What does the LOG log ?      Date, Time, CODE no. and a few words telling you
                              that a success was found. If the program detects
                              an unspecified Modem response (not success or
                              failure) it tells something like "unkown
                              response : " etc. Or TIMEOUT if you specified
                              that as success.
 
 I live in an area where only easy. Just put in Dial Prefix a P and in Code
 pulse dialing is possible :( Prefix a T ... thats all 
 
 Hey a "," in a phone number  Right. The modem is initialized that a "," is a
 is NOT a 2 second pause !    1 second pause !
 
 Important questions : what   Anything you like. Every IMPORTANT options is
 should be in the modem init  done automatically : "X3 S6=0 S8=1 E0" ...
 string ??                    Everything else is up to you. Put a "Z" or "Z2"
                              or "&F" in there ... and setup your modem
                              as you wish. Your modem MUST support these
                              standard Hayes Options to work !
 
 hmmm, gimme a tip how to     Okay, thats easy. Once again it's like BUSY
 verify a valid CODE without  Checking ! but this time you must train it like
 the need to find too the     that : use TRAIN with the pbx no. a few "," to
 outdial function and to dial wait for the code and then a "W;" ... if you get
 the phonenumber (which can   "OK" as response it might work like this : put
 be VERY risky!)              the modem line out of the phone line and use
                              TRAIN with only "W;" ! This will be the SUCCESS
                              response! FAILURE reponse must be "OK" then !
                              this is because if the pbx does an alarm tone
                              after a wrong code, the modem might think thats
                              a new dialtone for which to wait etc.
                              if this doesnt work, sorry, then you must a) 
                              guess what the outdial code is (if any) and then
                              input a good phonenumber ! (and some pbx are    
                              only local and that shit etc.)
                              In the privat 1.2 version you can turn recording
                              on where you CAN`T make ANY mistakes! YEAH !
                              (use an dtmf Voc decoder etc. 100% identifying!)
 
 Why is this important Q. so  errm ... you found it, okay? so it's not too
 late in this Text ???        late ;-)
 
 Shit the modem response      The modem response can be checked easely for
 maybe anything for failure   different FAILURES with just a FAILURE response
 like "NO ANSWER" to "NO      of "NO" ... ;) but this works only if you put
 CARRIER" etc. and the LOG    in a phone number in "Number to dial after code"
 File gets big :(            
 
 I heard that often the       It's in SETUP/HACKING/TRAIN RESPONSE ...
 sentence "use TRAIN RESPONSE When you select it, you get an input prompt 
 to solve that" - so where's  which number to dial etc. where you can input
 this option and how to use ? the data you like. after the dialing, you can
                              see the response after the menu point "Last
                              reponse : " ... this is for that you can test
                              which modem results you get when experimenting
                              with the pbx for optimal hack results. Also
                              VERY important to use with DTMF Rec. of Courier
                              Modems ... Try it ...
 
 Why random CODE generation?  You *should* use random code generation cause
 And why only up to 6 digits? modern PBX systems look if failed code input
                              attempts are sequentiell, so they detect you
                              very early !!
                              Random Code generation only up to 6 digits cause
                              more is not possible to do fast and check that 
                              no doubles are tried ... any other can do only 4
 
 I would like to use another  In the Hacking menu is now an option named
 outdial before hacking the   "Number to dial before the PBX" ... f.e. to use
 pbxs to prevent a successful a pbx/cc/vmb outdial in front of the hack, to
 trace, or to disable CallID  prevent tracing, to hack on an 1-800 number
 (some us countries only)     and calling from germany etc.
                              You must put everything in this field which is
                              needed for this function. To wait, use a ','
                              which is a second.
 
 Why is EVERYTHING random in  For YOUR Security ! Read the file SIC-PBXS.TXT
 this fine program ??         included in this package and you know why !
                              This is the ONLY pbx hacking program which does
                              an random delayed dial for every code no. and
                              phone no. to dial after! Even if you specified
                              more then one pbx to hack, it's random in which
                              order they are tried to hack.
 
 Hey c00l this program !      No problem. But this program was not that easy
 I would like to get the      to do ;) ... i would like to *exchange* it with
 source code, maybe even to   another interesting source code. just call my 
 enhance it ! (or to learn    bbs (look at Q:how to contact, below) and
 or anything else)            write a message etc. etc.
                              For example i'm interested in the source of
                              ToneLoc 1.1 (great program! but can be enhanced)
 
 How can i get into touch     4 possiblities : 
 with you ??                  a) Call my BBS -> ++49-(0)69-823282 and Login
                                 as Login:THC and Password:THC ... write a
                                 message to "van Hauser" - you can download
                                 any THC release plus some more interesting
                                 files in this guest shell.
                              b) Write me an email -> vh@campus.de
                                 but i don't know how long it will be active
                                 and how often I can check it (maybe once a
                                 week. I DO ONLY RESPOND TO PGP ENCRYPTED
                                 MESSAGES! MY Public PGP key is at EOF !
                              c) meet me on IRC #HACK, #PHREAK or #BLUEBOX
                                 as "vanHauser" but *CHECK* if thats REALLY
                                 me! i heard many guys telling me they met me
                                 on irc or compuserve when i weren't there ...
                                 and i'm not often on irc ... too "lame" ...
                              d) Thats the hardest one : meet me while playing
                                 LiveRoleplaying on a castle somewhere in
                                 Germany, nearly every second weekend ;)
                                 Try to recognize me ;)))))))))))
                             please try first a) then b etc. !
 
 Can I do anything for you?   Hehehe ... NOW we are getting somewhere hehehe
                              I'm interested in *ANY* information about
                              IPSPOOFING, R2 PHREAKING, and good source codes
                              especially on ToneLoc 1.1 - i would like to
                              enhance it that it can do a) DOMAIN DEEPNESS
                              SCANNING  b) to accept up to 6X's (yep up to
                              1.000.000 calls at once random!) in the mask,
                              c) better PBX hacking possibilities
                              d) optimize modem result analyzing ... so gimme
                              the code or bring me into touch with Minor
                              Threat or Mucho Maas ... ;-)
                              d) advanced hacking ability for carrier, fax etc
 
 Hey whats THC, and how can   THC stands for "The Hacker's Choice". (if some
 I be part of this great      of us really smoke THC, i don't know - i don't)
 group ?                      We are releasing quality Hacking/Phreaking
                              Texts & Programs, about 4-10 (with updates)
                              per month ... if YOU wanna be part of THC, we
                              always are looking for good coders with useful/
                              intelligent HP programs. So if you want us to
                              spread them  and we think your modem is great
                              - yeah we'll do it! We got also a good team of
                              beta testers and spreaders, so you are working
                              in an nice atmosphere with even nicer guys ;-)
                              How to contact us? See above, how to contact
                              me, or read THC.NFO ...
 
 CAN'T YOU WRITE ENGLISH ???  I know. I put them all in only for you. 
 THERE MANY MANY MISTAKES !!  But COUNT THEM, send me the correct answer until
                              31-Dec-1999 and you can win :
                              A Photo with signature from me (1st Prize!)
                              A Horse
                              A nomore working Cherry Keyboard with click
                              A Weekend Trip to th Bahamas with my girlfriend
                                (yeah! yeah! free time now! ;-))
                              and a Banana.
                              EVERYONE who sends in an answer may spend
                              a weeking with MICHAEL SCHUHMACHER !! and learn
                              to drive safe and carefully!
 
 How dangerous is PBX         Okay guy, without any jokes : Pbx Hacking is
 Hacking?                     *very* dangerous! Try not to use/hack/scan 
                              them from home.
                              The PBX computer equipment is very sensitive
                              nowadays, thats the reason i programmed this
                              "next generation" Pbx hacker ... but it's still
                              dangerous!
                              NEVER EVER hack a pbx which is in your country!
                              Try to hack PBXs of firms on your toll free 
                              numbers which are in another country AND haven't
                              got a residence in yours.
                              ---> CRYPT YOUR HARDDISK! <---
                              Even if you don't do pbx hacking. As long as you
                              do something other's shouldn't know about, CRYPT
                              YOUR HARDDISK! Use SFS, which is the best, or
                              SecureDrive (both Freeware). NOT bad ones like
                              Diskreet from Norton!
                              When you get the police in your house - THEY
                              must prove YOU did the calls/crime, and not your
                              little sister (so no chance for them if YOU
                              tell them) etc.
                              ! NEVER EVER COOPERATE WITH COPS !
 



Okay, i hope that helped everyone. If you got additional questions, or ideas
or found bugs etc. tell me - i'll enhance/fix it - see above how to get into
touch with me !

Thats all from me ... (my PGP key is below) 



Ciao...
               van Hauser

-------------------------------------------------------------------------------
*** LORE BBS Sysop   (best H/P BBS in Germany) ***
*** [THC] Organizer/Programmer (best HP group) ***
-------------------------------------------------------------------------------
Please email to this adress --> vh@campus.de
I do ONLY respond to PGP encrypted mails ! This is my public key:

van Hauser/THC of LORE BBS
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.1

mQCNAzB6PNQAAAEEALx5p2jI/2rNF9tYandxctI6jP+ZJUcGPTs7QTFtF2c+zK9H
ElFfvsC0QkaaUJjyTq7TyII18Na1IuGj2duIHTtG1DTDOnbnZzIRsXndfjCIz5p+
Dt6UYhotbJhCQKkxuIT5F8EZpLTAL88WqaMZJ155uvSTb9uk58pv3AI7GIx9AAUT
tBp2YW4gSGF1c2VyL1RIQyBvZiBMT1JFIEJCUw==
=6UhL
-----END PGP PUBLIC KEY BLOCK-----


--------------------------- HISTORY ------------------------------------

~~~~~~
v0.2 NonPublic ALPHA Release 1-nov-95
     Betatesters : Scavenger

 * First Version. Does everything except random code generation


~~~~~~
v0.6 NonPublic BETA Release 2-nov-95
     Betatesters : Dr. Fraud, JFF

 * Did some enhancements!
 * 2 small bugs removed (many others put in hehehe)
 * Min & Max Settings now also for BEFORE/AFTER Code Wait
 * Optimizes Standard Modem/Hacking Settings
 * Train Response mode activated


~~~~~~
v0.7 NonPublic BETA Release 2-nov-95
     Betatesters : JFF, Dr. Fraud, Scavenger, Omega, The Q, Wilkins, Plasmoid

 * SOOOOOORRRRRYYYYYYYYY I *REALLY*  put in 4 BUGS into v0.6 !!! with the
   result it didn't work :(((((((
 * No CODE found was reported in either LOG File or Screen ! ARGH ! fixed...
 * TRAIN Mode does work now. After programming it, i didn't test it :(
   Now the Seriell Fevice Handlers are installed and removed ...
 * The Modem did dial a 61 in front of every number... fixed that.
 * NO Modem response could be identified ! fixed too ...
 * SHOOT ME !!
 * ah ... on second though, don't ;-)
 * There should be one or two small bugs left, watch out for Runtime Errors
   like "Runtime Error 201 at [0000:01F3]" and report them ! But in my testings
   i didn't encounter them ... maybe that was just a small bug in v0.6 which
   is now removed too ... (hope so)
 * The Textfile SIC-PBXS.TXT added to this archive - i'm too lazy to tell you
   about PBX hacking, this text is god enough !


~~~~~~
v0.8 NonPublic BETA Release 3-nov-95
     Betatesters : JFF, Dr. Fraud, Scavenger, Omega, Wilkins

 * I encluded now the original archive of the SIC-PBXS release - good release!
 * I rewrote the DOCUMENTATION (yeah this) completly.
 * included the RANDOM CODE generate function for 1-6 Digits Code Length
   hope it works correctly ...
 * Fixed a small bug if no Number to dial was specified.


~~~~~~
v0.9 *PUBLIC* GAMMA Release 6-nov-95
     Betatesters : JFF, Dr. Fraud, Scavenger, Wilkins, Plasmoid, The Analyst

 * Press [S] during Hacking gives out the current Status (Dr. Fraud's Idea)
 * Dial Prefix to use a CC/vmb outdial/or another pbx before hacking a pbx
   (much more secure!) (Wilkins' Idea)
 * Fixed & Enhance DelayDialing of Codes & No2DialafterCode
 * Fixed Modem response analyzing
 * removed some writing mistakes ...
 * updated this DOC file ...
 * enhanced the greetings ;)
 * recompiled it.

~~~~~~
v1.0 *PUBLIC* FULL RELEASE  Released 18-Nov-95

 * little Terminal included (as announced)
   For ANSI graphics you must have loaded ANSI.SYS !
 * If the Final Modem Response is "CONNECT" an alarm rings with the option
   to enter terminal mode! (Hit "Y" within 10 seconds)
 * Small Check in the LOG file creation done ...
 * Memory for Random Code Generation is now released without hangup ;-)
   wasn't my fault but the buggy pointer/memory handling under Turbo Pascal
   with disk access blockread/write commands ... had to work around it.
 * Added Maximum Attempts to hack ... (The Analyst's Idea)
 * PBX No. to hack may have 30 digits now
 * Added Code-Prefix if you want to scan f.e. 4 digits code but all with the
   beginning '5' ... set code length to 3 and set code_prefix to 5 and do it
   (The Analyst's Idea)
 * A version Check of PBXHACK.CFG is now made to prevent hangups due config
   file from old beta versions.
 * Display Enhancements (f.e. the Status while hacking etc.)

~~~~~
v1.1 *PUBLIC* FULL RELEASE  Released  1-Dec-95 (bug fix version)

 * Wrong Size in function RandomDatWrite when saving Random Data for CodeLength
   6 ... -> RuntimeError ... shit .. made the random functions a bit more
   random too ;)
 * Random functions are now more random then before ;) (TP does only a silly
   random ... shit)
 * First Number generated now won't be ZERO in random mode ;)
 * Terminal Mode fixed
 * Enhanced Greetings/Information and this Documentation
 * Remember if you wanna make/have this utility better you must support/tell me

~~~~~
v1.2p *PRIVAT* will be Released 24-Dec-95
-> Special-Thank-Release for The Analyst, Dr. Fraud, Wilkins, Plasmoid & JFF <-

 * Recording the line after the last code no# is dialed for specified seconds
   via soundblaster. Very cool if you don't know what a success string could
   be etc. (The Analyst's standard analyzing mode - very successful, about
   100% correct identification afterwards ... cool)
 * 2ndTRY : some pbx let you enter the code a second time after the first
   failure. Specify the time to wait before the 2nd try and it will do it.
   saves about 50% time on those pbx ! And to make this even MORE better :
   It tells you HOW many tries you can make. So you can even use them to
   hack/check vmbs or internal telekom outdial/check numbers etc. etc.
   but you can do this ONLY on special occasions: 1) where a FAILURE string
   is "OK"   2) you are using TouchTone Recognition with USR Dual modems
   3) You are recording (see above)
 * Second EXEcuteable File, which is PBXHACK MULTIMODE (where the old
   pbxhack.exe is single mode) called pbxmulti.exe - here you can set success
   string, failure string, timeout, code length etc. for EVERY Pbx no. - up
   to 13 PBX numbers may now be (ab)used. Very useful cause you'll never find
   more then 3 PBXs of one type or same, for which you can use the same
   codelength, success strings, Dial after code etc. etc. etc. Of course in
   this multimode is also the new RECORD and 2ndTRY Option available ...
 * Password protected startup and Config Cryption. Only those 5 guys may
   use this version. Don't give them to others or ya get never a privat
   version again. Every program of those is registered to that special guy.

maybe, i'll put one of these features into v1.5 of the public version of
pbxhack (1.3 & 1.4 will be privat bug fix versions of 1.2p), released
mid/end January ... but maybe not.

~~~~~

Thanks to all the BETATESTERS !
