The UK Phreaks and Hackers Usenet News Group FAQ

Version 0.5e (08/09/96)

(Note: This is an unfinished Beta version, please treat it as such. I welcome *any* contributions to this FAQ to the address below. - Cheers, J.)

Section 1        Introduction
	1.1       About
	1.1.1      What should and shouldn't be discussed?
	1.1.2      Who reads
	1.2       Anonymous Remailers/PGP
	1.3       Acknowledgements
	1.4       New this revision
	1.5       Where to get copies of this FAQ

Section 2        Phreaking
	2.1       Boxing
	2.1.1      Which boxes work in the UK?
	2.1.2      What are the UK DTMF tones?
	2.1.3      What are the UK Red Box tones?
	2.2       War-Dialling
	2.3       Loops
	2.4       How are 0800/0500 numbers used?
	2.4.1      What are the 0800 89xxxx numbers for?
	2.5       What is voicemail and what can I do with it?
	2.6       Are there any UK CNA numbers?
	2.7       Are there any UK numbers that always ring busy? 
	2.8       What is caller ID and what can I do with it?
	2.9       Are there any 'interesting' operator/test numbers?
	2.10      What is PBXing?
	2.10.1     I am on a cable phone, can I get busted for PBXing?
	2.10.2     Can I get busted for using international PBXs (ie. outside the UK)?
	2.10.3     Intent to Pay
	2.10.4     I dial through one PBX to another before I use it, so I am safe?
	2.11      How do UK phone cards work?

Section 3        Hacking
	3.1       About UNIX hacking
	3.1.1      How do I crack UNIX passwords ?
	3.2       About VMS cracking
	3.3       About PC cracking
	3.3.1      How do I crack bios passwords ?
	3.3.2      How can I crack the windows screen saver password ?
	3.4       Where can I find out about hacking other systems ?
	3.5       About Hacking TCP/IP 
	3.5.1      How do I do TCP/IP spoofing/packet seq prediction ?
	3.6       About Novell Hacking
	3.7       What is JANET?
	3.8       I don't have a POP in my local area!
	3.9       Are there any internet outdials in the UK ?

Section 4        Misc
	4.1       What does xxxx stand for ?
	4.2       What is and isn't illegal ?
	4.3       What should I do to avoid getting caught ?
	4.4       Where can I meet other hackers / phreaks ?
	4.5       What all this Kewl d00dz and 3l33t business ?
	4.6       Where can I get warez ?
	4.7       Are there any 'famous' UK Hackers/phreaks ?
	4.8       What about hacking cable/satellite TV?
	4.8.1      How do I build a cable TV descrambler?
	4.8.2      So how do I decode the channels?
	4.9       Who are British Telecom Security?
	4.10      How do I find out my phone bill before it comes?
Section 5        Resources
	5.1       On the Internet
	5.1.1      Newsgroups
	5.1.2      Web Pages
	5.1.3      FTP
	5.1.4      Mailing Lists
	5.1.5      Mags-EZines
	5.2       In Print
	5.2.1      Magazines
	5.2.2      Books
	5.3       Phone Numbers
Section 6         Questions I would like answered in the next version of this FAQ - help!
	Disclaimer & Legal Status of this document and its authors 

It is not the intention of this FAQ or its authors to encourage people
to break the law. If you hack or phreak, you may get caught and you
could get fined or jailed. The author and contributors of this faq don't
endorse or encourage the use of any of the information in this document.

This article is provided as is without any express or implied warranties.

While every effort has been taken to ensure the accuracy of the
information contained in this article, the author and its contributors
assume no responsibility for errors or omissions, or for damages
resulting from the use of the information contained herein.

I disclaim everything I can.  The contents of this article might be
totally inaccurate, inappropriate, misguided, or otherwise perverse.
Much of this FAQ is based on the personal views of its contributors.

Copyright (c) 1996 by Glenn Pegden and Joel Rowbottom, all rights reserved.

This FAQ may be posted to any USENET newsgroup, on-line service, or BBS
as long as it is posted in its entirety and includes this copyright
notice. This FAQ may not be distributed for financial gain.
This FAQ may not be included in commercial collections or compilations
without express permission from the author. If you find it on any such
collection please mail us, telling us where you saw it.

			Section 1  -  Introduction
1.1 About
The newsgroup was originally formed to discuss issues relating to phone
phreaking, hacking (and other related 'underground' activities) in the
UK, given that the traditional hackers' newsgroup alt.2600 had
degenerated to such an extent as to be virtually useless and very US
dominated. It was given birth on Thursday 26th January 1995, at 1:45am.

PH is formed from the initial letters of -P-hreak and -H-ack.

This FAQ is intended to reduce the bandwidth taken up with people asking
the same questions over and over again. It is intended to complement
other FAQs (eg. alt.2600, uk.telecom) and not replicate them.

If anyone tries to ban it, it is obviously a group for the discussion of 
alternative philosophy in the UK.

1.1.1 What should and shouldn't be discussed in this group?
This group is primarily used to discuss the technical matters
surrounding hacking and phreaking in the UK and closely related topics.
This includes the UK phone system, hacking UK systems, issues relating
to the UK underground etc, the main thing to remember is this is a UK
group. Things to be avoided are those that can be dealt with better in
other groups (especially the kind of questions that alt.2600 is plagued
with such as sending fakemail/news, out of date boxes, IRC scripts, and
'where do I get kewl warez').

Check the newsgroups listed in section 5 of this faq for closely related
newsgroups which may be more appropriate. Always try to find the answer
yourself first (see the list of references at the end of this FAQ),
mentioning where you have looked for info often helps too.

Other things to avoid to save you getting flamed are questions such as,
How do I get free phone calls, Can I have a list of underground BBSs,
How do I get an address for a phone number, How do I re-chip my mobile,
how do I get root on a Unix box and other such lame questions. Try to
avoid posting anything too juicy that would damage the community too
much (If you've got hold of such info, then you'll probably know where
to distribute it).

The contributors to this FAQ are not omnipotent, we are capable of being
wrong. Please tell us if we are.

Newbies please take note, people in this group aren't generally receptive
to private mail asking questions like 'How can I get free calls, re-chip
my moby, or hack my Uni's Unix boxes'. Don't waste your time or theirs; go
and try to find out yourself, then ask for help, not the other way round.

1.1.2 Who reads
It is beyond the scope of this document (as well as being downright unfair)
to name names here, but it is well known that aside from being
read by phreaks, hackers, etc. the newsgroup is also read (and has been
written to) by such people as BT Security as well as journalists and many
Generally it is to be presumed that the group is read by people who are
actively involved in prosecuting hackers and phreaks, and thus if you *are*
going to post sensitive information, it's a good idea to use an anonymous
remailer if you're going to post the information at all (see the next 
section, 1.2).

1.2 Anonymous Remailers and PGP in newsgroups and mailings
As mentioned in the previous section, there are a lot of people out there
who want to give phreakers and hackers a hard time. To make their life
that little bit harder, some people prefer to be 'anonymous' on the
newsgroups and mailing lists.

1.2.1 Anonymous eMail
 Contrary to the popular belief, there are stacks of anonymous remailers
 out there.

 Remailers work by taking incoming messages from you, stripping off the
 headers and sending them on. Although this is good enough most of the
 time, the truly paranoid tend to string several remailers together to avoid
 the possibility of traffic analysis giving away their identity. Other
 options include PGP [see section 1.2.2] relay, random delays, random message
 size alteration, and so on.

 More info can be found from:
		 (List of reliable remailers)
		 (info on Premail privacy tool)
		 (info on setting up pseudoanonymous account)
		 (info on Private Idaho privacy tool)

1.2.2 Anonymous Newsgroup Posting
There are a few ways of doing it properly, and thousands of ways of
doing it wrongly.
The Right way:
 Anonymous remailer -> Newsgroup
 At time of writing, three anonymous remailers support posting to 
 newsgroups. For a current list, finger
 and look for the entries with 'post' beside them.
 Anonymous remailer -> Mail2News gateway
 Any one of the high quality remailers can be used to send mail to
 a mail2news gateway. There are a large number of these gateways, 
 finding them is left as an exercise to the reader. (or to put it
 another way, I can't be bothered making a list!).

 Fake Mail -> Mail2News gateway
 Possible, but too much hassle for most, remember to test how 'fake'
 your mail is first by sending a message to yourself.

The Wrong way:
 There are stacks, here's a few.
 Changing your 'From: ' field in your news reader.
 Changing all the 'Identity' details in Netscape.
 Making a post through the IHAVE protocol using a news host that adds
 the 'NNTP-Posting-Host: ' header line (almost all)
 And so on...

If you want to remain anonymous, make the effort, or suffer the ridicule of
your peers.

1.2.3 Pretty Good Privacy (PGP) 
The whole PGP concept is too large to discuss in this document, so
here's a short summary from the docs that come with it.

"PGP (pretty good privacy) is a public key encryption package to 
 protect email and datafiles. It lets you communicate securely with
 people you've never met, with no secure channels needed for prior
 exchange of keys. It's well featured and fast, with sophisticated
 key management, digital signatures, data compression, and ergonomic

The latest versions of PGP are usually available by ftp from in /pub/crypto/pgp. Most internet service providers
carry precompiled versions for various platforms on their ftp servers also.

For more info read:* and sci.crypt on Usenet on the Web

1.3 Acknowledgements
So far, most of the info in the file has been cribbed from the FAQs for
the newsgroups listed at the end, and from postings to various
newsgroups. Additional stuff was added by ColdFire, Slam-Tilt, Daemian,
Micah, Per1com/Xer0, Arny, jrg, john@wine-gum.demon, Iain@kechb.demon,
shin@dios.demon, V0mit, and gus@bmsysltd.

1.4 New this revision (0.5d)
Maintenance taken over by Joel Rowbottom, as of
1/8/1996. I'll do it properly when I get a spare couple of hours ;-)
- Updated section 1.2 to remove
- Updated sections 4.7, 5.1.2, 5.1.4, 6
- Added section 2.11

1.5 Where to get copies of this FAQ
This FAQ is posted every 21 days to the newsgroup It may also be
retrieved from the Madrab mail server by sending a message to:
This address is an autoresponder and you should receive the FAQ within a
short while. Don't email with requests, they will
be ignored.

		    Section 2  -  Phreaks & Phreaking

2.0 Phreaking
Phreaks are people who enjoy learning about the phone system,
especially the technical details, and the unpublished details that phone
companies would rather we didn't know about. Phreaks are also
interested in the workings of the phone company, and trying to find ways
around the system, often the billing and accounting procedures.

A major part of Phreaking is attempting to obtain phone calls for free
or below the rate at which the phone company would like to charge. The
newsgroup is not here to teach people how to defraud phone
companies though, and most of the discussion is likely to be of purely
technical interest.

2.1.0 Boxing
Phreaks may also be interested in 'boxes'. There are many types of box,
with varying degrees of success; boxes are usually categorised by
colour and offer a variety of facilities, from seizing operator control
of the line, and hence calling for free (Blue Box), and stopping the calling
party being billed (Black Box), to charging ni-cads from your phone line
(Chartreuse Box), plus various other add-ons such as amps, hold buttons,
in-use lights etc.

2.1.1 Which boxes work in the UK?
This list of boxes was stolen from the alt.2600 FAQ and converted for the UK
(this is just an 'educated' guess at what will or will not work in the
UK; it is only in *theory*, and any which I say will work will probably
need a lot of modification to work, that's if you can find a schematic
that's half way readable :) )

Acrylic  Steal Three-Way-Calling, Call Waiting and programmable
	 Call Forwarding on old 4-wire phone systems                    NO!
Aqua     Drain the voltage of the FBI lock-in-trace/trap-trace          NO!
Beige    Linemans handset                                               YES
Black    Allow callers to dial in for free                              NO
Blast    Phone microphone amplifier                                     YES
Blotto   Supposedly shorts every fone out in the immediate area         JOKE
Blue     Take operator control of a line (phone for free)               NO
Brown    Create a party line from 2 phone lines                         YES
Bud      Tap into your neighbors phone line                             YES
Chartreuse   Use the electricity from your phone line                   YES
Cheese   Connect two phones to create a diverter                        YES
Chrome   Alter traffic lights                                           NO
Clear    A telephone pickup coil and a small amp used to make free      NO!
	 calls on Fortress Phones
Color    Line activated telephone recorder                              YES
Copper   Cause crosstalk interference on an extender                    ???
Crimson  Hold button                                                    YES
Dark     Re-route outgoing or incoming calls to another phone           NO!
Dayglo   Connect to your neighbors phone line                           YES
Divertor Re-route outgoing or incoming calls to another phone           NO!
DLOC     Create a party line from 2 phone lines                         YES
Gold     Dialout router                                                 ???
Green    Emulate the Coin Collect, Coin Return, and Ringback tones      NO!
Infinity Remotely activated phone tap                                   YES
Jack     Touch-Tone key pad                                             YES
Light    In-use light                                                   YES
Lunch    AM transmitter                                                 YES
Magenta  Connect a remote phone line to another remote phone line       NO!
Mauve    Phone tap without cutting into a line                          ???
Neon     External microphone                                            YES
Noise    Create line noise                                              YES
Olive    External ringer                                                YES
Party    Create a party line from 2 phone lines                         YES
Pearl    Tone generator                                                 YES
Pink     Create a party line from 2 phone lines                         YES
Purple   Telephone hold button                                          YES
Rainbow  Kill a trace by putting 120v into the phone line (joke)        JOKE
Razz     Tap into your neighbors phone                                  YES
Red      Free calls from payphones                                      YES
Rock     Add music to your phone line                                   YES
Scarlet  Cause a neighbors phone line to have poor reception            YES
Static   Keep the voltage on a phone line high                          YES
Switch   Add hold, indicator lights, conferencing, etc..                ???
Tan      Line activated telephone recorder                              YES
Tron     Reverse the phase of power to your house, causing
	 your electric meter to run slower                              ???
TV Cable "See" sound waves on your TV                                   ???
Urine    Create a capacitative disturbance between the ring and
	 tip wires in another's telephone headset                       ???
Violet   Keep a payphone from hanging up                                NO!
White    Portable DTMF keypad                                           YES
Yellow   Add an extension phone                                         YES

Any of the above that generate tones will have to be modified (see below).

Box schematics may be retrieved from these FTP sites:
	/pub/br/bradleym
	/pub/va/vandal
	/users/nitehwk

2.1.2 What are the UK DTMF tones?
	     1209Hz     1336Hz     1477Hz     1633Hz
697Hz          1          2          3          A
770Hz          4          5          6          B
852Hz          7          8          9          C
941Hz          *          0          #          D

(See the comp.dcom.telecom FAQ for an explanation of the ABCD tones)
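[ Added example (editor's code, not from the original FAQ or its contributors):
  a decoder for the tone table above. It uses the Goertzel algorithm to measure
  how much of each row and column frequency is present in a short audio frame
  and only reports a key when one row tone and one column tone clearly dominate,
  which is also the check a line monitor uses to tell real keypad digits from
  speech. It assumes 8 kHz telephone-band audio and 205-sample frames; the test
  signals are synthesised inline, not recorded. ]

```python
import math

# DTMF frequencies from the table above (the UK uses the standard ITU-T tones)
ROW_FREQS = (697, 770, 852, 941)
COL_FREQS = (1209, 1336, 1477, 1633)
KEYPAD = (("1", "2", "3", "A"),
          ("4", "5", "6", "B"),
          ("7", "8", "9", "C"),
          ("*", "0", "#", "D"))
SAMPLE_RATE = 8000   # Hz, telephone-band audio (assumption for this example)
FRAME = 205          # samples per analysis frame; a common choice for DTMF at 8 kHz


def goertzel_power(samples, freq, rate=SAMPLE_RATE):
    """Power of one frequency in `samples` (Goertzel algorithm, no FFT needed)."""
    n = len(samples)
    k = round(n * freq / rate)                      # nearest DFT bin to the target
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode_frame(samples, twist=8.0, min_power=None):
    """Return the key heard in one frame, or None if no clean row+column pair is present."""
    if min_power is None:
        min_power = (0.05 * len(samples)) ** 2      # reject near-silence
    rows = [goertzel_power(samples, f) for f in ROW_FREQS]
    cols = [goertzel_power(samples, f) for f in COL_FREQS]
    r = max(range(4), key=rows.__getitem__)
    c = max(range(4), key=cols.__getitem__)
    # Each group must have one tone dominating the other three by `twist`;
    # a lone tone, noise or speech fails this test, so a key is only reported
    # when both halves of the dual tone are really there.
    for best, group in ((rows[r], rows), (cols[c], cols)):
        runner_up = sorted(group)[-2]
        if best < min_power or best < twist * max(runner_up, 1e-9):
            return None
    return KEYPAD[r][c]


def decode_sequence(samples, frame=FRAME):
    """Decode a whole sample stream; each continuous key press is reported once."""
    keys, last = [], None
    for i in range(0, len(samples) - frame + 1, frame):
        key = decode_frame(samples[i:i + frame])
        if key is not None and key != last:
            keys.append(key)
        last = key
    return "".join(keys)


def synth_key(key, duration=0.1, rate=SAMPLE_RATE, amplitude=0.5):
    """Constructed test input: one key as its row and column sine waves summed."""
    for ri, row in enumerate(KEYPAD):
        if key in row:
            fr, fc = ROW_FREQS[ri], COL_FREQS[row.index(key)]
            break
    else:
        raise ValueError(f"not a DTMF key: {key!r}")
    return [amplitude * (math.sin(2 * math.pi * fr * t / rate)
                         + math.sin(2 * math.pi * fc * t / rate))
            for t in range(int(duration * rate))]


def synth_sequence(keys, gap=0.05, rate=SAMPLE_RATE):
    """Constructed test input: keys separated by silence, as a keypad would send them."""
    out = []
    for key in keys:
        out += synth_key(key, rate=rate) + [0.0] * int(gap * rate)
    return out


if __name__ == "__main__":
    print(decode_sequence(synth_sequence("1471")))
```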

2.1.3 What are the UK Red Box tones?
[ Note: I have not tried these, they are rumoured to work - anyone got them
  to work OK? - J. ]

10p   Length 200 milliseconds, Frequency 1000Hz.
20p   2 * The Above.
50p   Length 350 milliseconds, Frequency 1000Hz.
1ukp  2 * The Above.

Note that it is a 1000Hz tone alone, and not dual tones etc. Also, for it to
work, you must get the operator to connect your call. When told to insert the
money, send your tones.

2.2 War-Dialling
War-Dialling (aka scanning) is the practice of repetitively dialling
phone numbers, to find out what is on the other end. These are mainly
voices, although sometimes you may find trunks, carriers (modems), VMBs,
FAXs, and other strange stuff. 'Tone-Loc' is a highly acclaimed package
to aid scanning. Normally you scan a block of numbers (the most common
scans are of 0800 / 0500 because they're free) and keep a log of
anything interesting you find for later attention. Scanning may be
illegal under the Computer Misuse Act [see Section 4.2].

2.3 Loops
See the alt.2600 FAQ for an explanation of what loops are and how they
can be used. There are virtually no known loops in the UK, mainly
because if they do exist, no-one scans for them (because, unlike the US,
BT don't offer free local calls, so scanning is limited to 0800/0500).

2.4 How are 0800/0500 numbers used?
You pickup the phone, dial the number, and wait for them to answer :-).
Other than that they're used in blue boxing, using calling cards,
finding modems and voicemail/PBX abuse. The reason they get a lot of
attention from phreaks is they are FREE!

2.4.1 What are the 0800 89xxxx numbers for?
They are direct overseas lines (known as country direct numbers); most
will ask you for PIN numbers. BT originally lumped all its direct
overseas lines in this area, but it has now realised this wasn't such a
good idea and is distributing them more evenly.

Mercury's country direct numbers are evenly distributed throughout the
0500 xxxxxx range.

Country direct numbers are numbers which forward calls to a regular
number in the remote country. I believe these numbers are arranged with
your local telco, who rent a number of 0800/0500 lines from BT/Mercury
and pay BT/Mercury for incoming calls over them. The remote telco then
resells these numbers to companies requiring a toll-free number from the
UK. You are not charged for the call; the company you reach is paying
for the call, as with all 0800/0500 numbers.

2.5 What is Voicemail (vmb) and what can I do with it?
VMB (Voice Mail Boxes) are used by companies to help manage internal phone
systems. They offer a range of services from personal answer phones to
internal routing of calls. One facility often abused is the ability to
get an outside line.

Try reading ColdFire's guide to Meridian Mail, the address of his web
page can be found in section 5. Details of other VMBs are around, but I'm
not sure where to find them on the net.

2.6 Are there UK CNA Numbers?
CNA stands for Customer Name and Address. A CNA number is a phone
number for telephone company personnel to call and get the name and
address for a phone line. BT do have their own internal service, but
AFAIK there are none available to the public (unlike the US).

2.7 Are there any UK numbers that always ring busy / never answer?
[ More info on this would be appreciated ]

2.8 What is Caller-ID and what can I do with it?
On modern exchanges BT sends the phone number of the caller (when
possible), just before the first ring. BT will sell you a device to read
these (approx 50 quid at time of writing). Home-brew devices (obviously
non BT Approved) are around. You *may* also have to pay BT for receiving
the data. Caller-ID modems are now also available which will transmit the
data packet to a serial port of a computer.

You can block the sending of your phone number to the party you are
dialling by prefixing the number with 141. You can also get the number of
the last person who called (from a phone that supplies caller ID) by
dialling 1471 (on some exchanges this number can be automatically
redialled by dialling 1474).

2.9 Are there any 'interesting' operator/test numbers?
The following is from a list posted to a while back. If any have
changed then please let me know (and any new ones too!). I admit that the
term 'interesting' is used *very* vaguely here ;-)

The numbers are:-
 100   - Operator Assistance
 112   - Emergency services (Euro standard number)
 1170  - Sprint DMS100 test message
 123   - Speaking clock (at the third stroke...)
 131   - Mercury (Test pin - 1234567)
 132   - Mercury
 133   - Mercury Calling Card
 141   - Withhold Number.
 144   - BT Charge card.
 1470  - Release CLI
 1471  - Number of last person who called
 1474  - Access Withdrawn  (Formerly callback)
 150   - BT customer service (What customer service ? :)
 151   - BT Faults (Home)
 152   - BT Customer Enquiries
 153   - International Directory Enquiries
 154   - BT faults (Business)
 155   - International Operator (Con em into dialing inwards :)
 1571  - Call minder (Urghhh..)
 1619  - Energis Card Service (Voice recognition)
 1620  - Energis
 1621  - Energis
 1630  - NSS Metrocall (0800 376 7766)
 1631  - NSS Metrocall
 1639  - NSS metrocall
 1656  - Telia
 1660  - Worldcom (0500 20 3000)
 1661  - Worldcom
 1666  - Worldcom
 1670  - Sprint
 1678  - Sprint
 17070 - ANI Test Number - Press 1 for >Ringback and hang up
 17099 - Emergency services back door
 175   - On updated exchanges will timeout for 190 seconds
 176   - Line status Dial area code + Number (Works only on local exchange)
 1810  - Telstra.
 1812  - Telstra.
 190   - BT Telegrams (Changed to 0800 190190)
 192   - Directory Enquiries
 195   - Directory Enquiries (for the blind)
 198   - Operator Assistance (for the blind)
The following are ones which are still seeking descriptions:
 1431      1601      1602      1611      1616      1636      1637
 17094     17095     1811

Of course, the best way to find your own is to scan for them using ToneLoc
or a similar utility... or of course using a payphone and your fingers!

2.10 What is PBXing?
PBX stands for Private Branch eXchange and is the term used to describe
in-office telephone systems (eg. Meridian). You mustn't get PBX confused with
VMB (although one can involve the other).

A good dose of paranoia is always healthy when using such systems. If you do 
insist on using a PBX, diverting is better than nothing, and when you connect
wait a few minutes before placing an outgoing call.

Here follow some common misconceptions about PBXing:

2.10.1 I am on a cable phone, can I get busted for PBXing?
Yes! Cable companies have to co-operate under the law. Some cable companies
actually have stricter policies than BT themselves.

2.10.2 Can I get busted for using international PBXs (ie. outside the UK)?
Yes! Prosecution is a different matter though. But people have got in trouble
for using 89/96x PBX's etc. in other countries.

2.10.3 Intent to Pay
If I'm not in England (ie. Scotland/N.Ireland) therefore am I not covered by
the 'fraudulent abstraction of electricity' and 'computer misuse' laws? I
heard they have to prove 'intent not to pay?'
WRONG! In fact, in these cases it might be worse, as they might choose to
charge you under general fraud laws.

2.10.4 I dial through one PBX to another before I use it, so I am safe?
No. Whilst it's much better than 'dialling direct', BT can trace things on
their own network fairly easily. Things just take more time. If they trace
you, they will put a monologue on your line. It then doesn't matter how many
things you dial through, as they'll have every DTMF you dial!

2.11 How do UK Phone cards work?
By now Mercury has probably phased out all their old Payphones which used magnetic stripe cards.
Some of their street sites have been taken over by the Italian company Inter Phone
who have reverted to coin operations.

The Green BT cards use an optical system. The apparently black plastic is 
translucent in the infrared - hold a card up to a 60watt light bulb and you will see 
the purple stripes either side of the charge band on the printed side.

The mechanism, by Landis & Gyr, shines an infrared laser onto the underside 
("black") side of the card. The charging strip has a diffraction grating pattern moulded into it
which back scatters the light to a detector set at a certain angle. The
angle is different for each Telecom operator. Once the call units have been used up
a heating element melts the plastic on the printed surface sufficiently to leave a visible
mark and enough to destroy the diffraction pattern at that point. The mechanism then
makes a verifying read to check that this has worked and will not physically release
the card until then. Any ideas about nail varnish etc making any difference are fiction.

Simple, cheap, and hackproof so therefore the telecoms companies are rushing away to
use smart cards instead !

The new BT smart cards have both an expiry date and a serial number, with presumably
some sort of anti-fraud database lookup. Therefore, in principle, there is 
an audit trail of all the calls made using a particular card - will all
bomb hoaxers, drug dealers and obscene callers remember not to use the same card to 
call home as well ?

			  Section 3  -  Hacking

3.0  Hacking
In the sections below I frequently use the terms hacker and cracker;
the actual meaning of the words will always be debated, but here is how
I am using them. A cracker is someone who breaks passwords, often
without the need for a great deal of knowledge of the systems they are
breaking into, just a few tools and techniques. A hacker on the other
hand will take a great deal of time to learn about the system (s)he is
hacking. A hacker will read all the manuals and documentation possible
and newsgroups such as

To learn about cracking read alt.2600 and sit on various irc channels,
to learn about hacking RTFM, read everything you can get your hands on,
have a desire to understand the machine you are hacking.

3.1 About UNIX hacking
Unix is a fully multi-tasking multi-user operating system written in
C; one of its strengths being its ability to network. There are versions of
Unix for most systems from DEC AXPs to 386 PCs. A very large proportion
of the hosts on the internet are running UNIX or Linux (the public-domain
flavour of Unix).

The net is full of unix security info, but a good starting point is
Arny's UNIX hacking page (see section 5).

3.1.1 How do I crack UNIX passwords?
On some systems /etc/passwd contains an encrypted copy of your password.
Cracking programs (Alec Muffett's 'Crack' for UNIX, and CrackerJack for
OS/2 and DOS, are just two) try to *guess* passwords by encrypting each
word in a dictionary and comparing each encrypted word against each
entry in /etc/passwd.

On other systems /etc/passwd doesn't store the password. It can be
stored in a shadow file (that is not normally readable to normal users).
To obtain the (encrypted) passwords you have to have a special program
to read it. The source for a program to do this is obtainable from the
alt.2600 FAQ.

A third method is to use NIS (which again may or may not be shadowed).
The password map may be readable by using the ypcat command. Again, see
the alt.2600 FAQ.
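[ Added example (editor's code, not from the original FAQ or its contributors):
  an audit of /etc/passwd-format lines from the admin's side of 3.1.1. It
  reports which accounts keep their hash in the world-readable file (what the
  dictionary crackers above feed on), which are shadowed or locked, which have
  no password at all, and which are NIS compat entries. The sample lines,
  hashes and status labels are constructed for the example. ]

```python
import re

# Constructed sample in /etc/passwd format; no real accounts or hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:$1$saltsalt$AbCdEfGhIjKlMnOpQrStUv:1000:1000:Alice:/home/alice:/bin/sh
bob::1001:1001:Bob:/home/bob:/bin/sh
daemon:*:2:2:daemon:/sbin:/sbin/nologin
carol:!:1002:1002:Carol:/home/carol:/bin/sh
dave:abXYZxyz01234:1003:1003:Dave:/home/dave:/bin/sh
+::0:0:::
this line is not a passwd entry
"""

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")   # traditional crypt(3): 2-char salt + 11
MODULAR_CRYPT = re.compile(r"^\$([^$]+)\$")     # "$id$salt$hash" newer schemes


def classify_password_field(field):
    """What the second passwd field means to someone who can read the file."""
    if field == "":
        return "empty"                 # no password: login needs none at all
    if field == "x":
        return "shadowed"              # real hash lives in the unreadable shadow file
    if field.startswith(("*", "!")):
        return "locked"                # no valid hash, account cannot log in by password
    if DES_CRYPT.match(field):
        return "exposed-des"           # crackable offline with a dictionary
    m = MODULAR_CRYPT.match(field)
    if m:
        return "exposed-crypt-" + m.group(1)
    return "unknown"


def audit_passwd(text):
    """Parse passwd-format text into one finding per line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append({"line": lineno, "user": None, "uid": None,
                             "status": "malformed"})
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if user.startswith(("+", "-")):
            status = "nis-compat"      # pulls entries from the NIS maps ypcat reads
        else:
            status = classify_password_field(pw)
        findings.append({"line": lineno, "user": user, "uid": uid, "status": status})
    return findings


def exposed_accounts(text):
    """Users whose hash is readable by everyone, i.e. the case 3.1.1 describes."""
    return [f["user"] for f in audit_passwd(text) if f["status"].startswith("exposed")]


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"{f['line']:>3} {str(f['user']):<8} {f['status']}")
```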

3.2 About VMS cracking
Compared to UNIX, very little has been written about VMS security
(security via obscurity?). The password file is
sys$system:sysuaf.dat, but isn't normally readable to users. There are a
couple of VMS crack programs around if you can get your hands on sysuaf.dat.

3.3 About PC cracking
PCs running single-user OS's aren't normally passworded; the most
common passwords are BIOS passwords. Sometimes systems will run some
software when they boot, and this can sometimes be halted (under MSDOS try
ctrl-C, also F5/F8 on DOS 6 onwards). Other things to look for are
options to run software packages that often have a 'shell' option. Also
try booting from a floppy and manually mounting remote disks.

3.3.1 How do I crack BIOS passwords?
This depends on what BIOS the machine has.  Common BIOS's include AMI,
Award, IBM and Phoenix.  Numerous other BIOS's do exist, but these are
the most common.

Some BIOS's allow you to require a password be entered before the system
will boot. Some BIOS's allow you to require a password to be entered
before the BIOS setup may be accessed.

Every BIOS must store this password information somewhere.  If you are
able to access the machine after it has been booted successfully, you
may be able to view the password.  You must know the memory address
where the password is stored, and the format in which the password is
stored.  Or, you must have a program that knows these things.

The most common BIOS password attack programs are for Ami BIOS.  Some
password attack programs will return the AMI BIOS password in plain
text, some will return it in ASCII codes, some will return it in scan
codes. This appears to be dependent not just on the password attacker,
but also  on the version of Ami BIOS.

To obtain Ami BIOS password attackers, ftp to

If you cannot access the machine after it has been powered up, it is
still possible to get past the password.  The password is stored in CMOS
memory that is maintained while the PC is powered off by a small
battery, which is attached to the motherboard.  If you remove this
battery, all CMOS information will be lost.  You will need to re-enter
the correct CMOS setup information to use the machine.  The machines
owner or user will most likely be alarmed when it is discovered that the
BIOS password has been deleted.

3.3.2 How can I crack the windows screen saver password?
[ I haven't had chance to check either of these
  Can someone please confirm / disprove them please ]

To remove the password altogether (presuming it hasn't locked already)
edit control.ini: edit the line that says PWProtected=1 to =0 and, in the
[ScreenSaver] section, where it says Password=12345 (where 12345 is the
encrypted password) change it to Password=
Now when prompted for a password just press return.

If it is active, drag the window prompting you for the password around with the
mouse (making it the active window). Then press ctrl-alt-del (having 3 hands would
be a help :). This should then give you the option to quit the active application.

[ You may have to put something in control.ini to enable this ? - Info
anyone  ]

3.4 Where can I find out about hacking other systems?
The alt.2600 FAQ is a good place to start looking. As are the

3.5.0 About Hacking TCP/IP
TCP/IP is the protocol used for hosts to communicate on the internet;
understanding TCP/IP is often as useful (if not more useful) than understanding
the individual operating systems.

3.5.1  How do I do TCP/IP spoofing/packet sequence prediction?
Learn low level TCP/IP. Basically with IP you can pretend to be
any machine you want to be, i.e. you don't *have* to put your own IP
address as the 'source address' in the datagrams (or packets) that you
send out. Unfortunately though, any reply to your faked packets will
normally go to the real machine, which kinda makes it difficult to use
TCP since TCP involves a two way flow of IP datagrams both to and from
your machine. However you can to some extent get round this by guessing
some of the contents (ie. the sequence numbers) of the lost datagrams
that were sent to the real machine.

If anyone has had any success with this, please tell us :)
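Why the guessing described above worked against early stacks and why later stacks defeat it, as an added illustration that is not part of the original FAQ: a 4.2BSD-style fixed-increment ISN generator beside the keyed-hash scheme of RFC 1948/6528, compared with pure arithmetic and no network traffic. The addresses, ports, clock values and secret are constructed for the demonstration.

```python
"""Sequence-number predictability: a naive ISN generator versus the
RFC 1948/6528 scheme.  Pure arithmetic, no sockets involved."""
import hashlib
import secrets
from typing import Optional, Tuple

FourTuple = Tuple[str, int, str, int]  # (local ip, local port, remote ip, remote port)
MASK32 = 0xFFFFFFFF

# Constructed 4-tuples as seen by the server handing out ISNs: the trusted
# client a spoofer would impersonate, and the spoofer's own legitimate probe.
SPOOF_TARGET: FourTuple = ("", 513, "", 1023)    # constructed
ATTACKER_PROBE: FourTuple = ("", 513, "", 40000)  # constructed


class NaiveISN:
    """4.2BSD-style generator: one global counter that grows by 128 per
    second and 64000 per new connection.  The 4-tuple is ignored, so an
    ISN observed on any connection predicts the next one handed out."""

    def __init__(self, boot_isn: int = 0x1000) -> None:
        self.counter = boot_isn
        self.last_second = 0

    def isn(self, conn: FourTuple, now_us: int) -> int:
        now_s = now_us // 1_000_000
        self.counter = (self.counter + 128 * (now_s - self.last_second) + 64000) & MASK32
        self.last_second = now_s
        return self.counter


class Rfc6528ISN:
    """RFC 1948/6528 generator: ISN = M + F(4-tuple, secret), where M is a
    4-microsecond clock shared by all connections and F is a keyed hash.
    Knowing M + F(probe) reveals nothing about M + F(target)."""

    def __init__(self, secret: Optional[bytes] = None) -> None:
        # A real stack draws the secret at boot; constructed here for the demo.
        self.secret = secret if secret is not None else secrets.token_bytes(16)

    def isn(self, conn: FourTuple, now_us: int) -> int:
        lip, lport, rip, rport = conn
        material = f"{lip}|{lport}|{rip}|{rport}".encode() + self.secret
        # RFC 6528 suggests MD5; any keyed PRF over the 4-tuple behaves the same.
        f = int.from_bytes(hashlib.sha256(material).digest()[:4], "big")
        m = (now_us // 4) & MASK32
        return (m + f) & MASK32


def predict_next_isn(observed_isn: int, observed_us: int, target_us: int) -> int:
    """The arithmetic guess, assuming the naive generator's rules: the ISN
    seen on one's own connection, plus 128 per elapsed second, plus 64000
    for the one further connection that follows it."""
    elapsed_s = target_us // 1_000_000 - observed_us // 1_000_000
    return (observed_isn + 128 * elapsed_s + 64000) & MASK32


def prediction_succeeds(gen, observed_us: int = 1_000_000, target_us: int = 2_500_000) -> bool:
    """Read the ISN of one legitimate connection, then check whether the
    arithmetic guess matches the ISN issued to the other connection."""
    seen = gen.isn(ATTACKER_PROBE, observed_us)
    guess = predict_next_isn(seen, observed_us, target_us)
    actual = gen.isn(SPOOF_TARGET, target_us)
    return guess == actual


def isn_spacing_same_connection(gen, first_us: int, second_us: int) -> int:
    """How far the ISN of one and the same 4-tuple moves between two opens.
    RFC 6528 keeps the clock-driven spacing that guards against stale
    duplicate segments; the keyed offset only hides cross-connection relations."""
    first = gen.isn(SPOOF_TARGET, first_us)
    second = gen.isn(SPOOF_TARGET, second_us)
    return (second - first) & MASK32


if __name__ == "__main__":
    print("naive generator predictable:", prediction_succeeds(NaiveISN()))       # True
    print("RFC 6528 generator predictable:", prediction_succeeds(Rfc6528ISN()))  # False
```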

3.6 About Novell Hacking
(Glenn writes...)
"I know next to nothing about Novell hacking, other than the passwords file is
stored in the bindery and older versions of Novell had a system call called
VerifyBinderyObjectPassword that when given an account and password would say if
they matched. This was very useful for knocking up quick Novell versions of
Crack. I believe also something clever can be done when you run Netware Lite
over the top of normal Netware."

I'll write something when I get the chance to confirm some things, but if anyone
has anything to add here please get in touch!

3.7 What is JANET?
JANET is the UK academic backbone. It was once an X.25 network that was only
connected to the internet via a few (overworked and often hacked) gateways,
but now SuperJANET is a genuine internet backbone. JANET is managed from
machines at  A lot of hackers use university machines for several
reasons (lack of security, no phone bills, fast links, being at Uni, etc).

JANET stands for Joint Academic NETwork.

3.8 I don't have a POP in my local area, what can I do?
Get a better ISP! ;-)

Universities are often very good at giving away accounts, and simply asking
often works (especially if you're unemployed, an ex-student, or a student at
another Uni). Universities are getting more paranoid now though, so choose
carefully where you want your account to be.

A (not too recent) list of University dial-ups can be found on ColdFire's Web
Page. Many hackers use 0800 PADs / trunks / VMBs to hack from.

It's also worth checking your phone book, BTs 'local' areas can be surprisingly

3.9 Are there any internet outdials in the UK?
Yes, but with local calls not being free in the UK these are obviously not made

			Section 4  -  Miscellany

4.1 What does xxxx stand for?
Get the alt.2600 faq for an excellent list of acronyms. Also try the jargon
file (see Section 5).

4.2 What is and isn't illegal?
I'm no legal expert, so this may be rubbish... ;-)

 If a legal expert -would- like to clarify these points, please please do so
 There is a general feeling that nobody knows what they can and can't be
 prosecuted for. I would be pleased to listen (in confidence if required)
 to anyone who can be of help.
 *********************************************************************** ]

Unfortunately, unlike in the US, you may be liable for information you give out, so
you should be careful what you post to the group. See section 1 for info on
anonymous remailers and PGP.

Unauthorised computer access (or simply attempting it) is now illegal under the
Computer Misuse Act 1990. (See ColdFire's Web Page for more info.)

It has been mentioned that the Criminal Justice and Public Order Act may include
legislation on possession of material explaining illegal acts. This would include
hacking text files. That is why this file doesn't tell you how to hack!

Telecom law is less specific: in general, defrauding a phone company is
illegal, and connecting un-approved devices to a BT network is 'unlawful' and
'prohibited'. I am unsure whether this includes sending tones from a hand-held
dialler or personal stereo. Using BT test codes may not be illegal, but is probably
in breach of your contract with them.

The following is ColdFire's interpretation of the legalities of War-Dialling:

All the following is my opinion, as I have no legal qualifications DO 
NOT rely on it to be the case. Until wardialing is tested in court no
one will know for sure, now, who wants to be the test case :)

Quote from the Computer Misuse Act (1990) Section 1:

1(1)    A person is guilty of an offence if
a)      he causes a computer to perform any function with intent to
	secure access to any program or data held in a computer
b)      the access he intends to secure is unauthorised
c)      he knows at the time when he causes the computer to perform 
	the function that this is the case.
1(2)    The intent a person has to commit an offence under this 
	section need not be directed at
a)      any particular program or data
b)      a program or data of any particular kind
c)      a program or data held in any particular computer.
1(3)    A person guilty of an offence under this section shall be
	liable on summary conviction to imprisonment for a term not
	exceeding six months or to a fine not exceeding level 5 on the
	standard scale or both.

As you can see, causing a computer to perform any function with intent
to secure unauthorized access to a computer is illegal. If you are 
wardialing to find carrier, and then intend to gain unauthorized 
access, then war dialling IS illegal (In my opinion)

As most voicemail systems can be classified as computer systems, war-
dialling for VMBs with the intent of gaining unauthorized access to
the VMB system is illegal. The same applies to PBXs.

I believe, from my interpretation of the law, that war-dialling is 
illegal under the Computer Misuse Act (1990). Of course to prosecute 
you under this law it would have to be proven that you intended to 
gain unauthorised access to a computer (note: computer is not defined
under the act).

Obviously this only applies to automated wardialing, dialling by hand
is not covered by this :)

Another comment that he made was on the use of system logs as evidence:

Log files make crap evidence, for a start they're easily forged, and
you're reliant upon computer generated evidence. What jury will
believe a computer over a human ?

At best log files are supporting evidence; in most cases they only
show logins, connections and other impersonal evidence. No log can say
*BEYOND REASONABLE DOUBT* that someone did something. If in doubt, deny
everything; after all, it's the job of the prosecution to *PROVE* you
are guilty.

Things to check out are

The Computer Misuse Act (1990)
Telecommunications Act (1984)
Criminal Justice and Public Order Act (1994 ?)

4.3 What should I do to avoid getting caught?
Basically, don't break the law! You can't be prosecuted for -knowing-
how to do things (can you?), but if you do hack/phreak, follow this advice:
don't get greedy, don't use any dodgy number / account for too long, don't go
boasting to your mates (especially on, when phreaking, try to route
your call so you are harder to trace, and never dial direct from your own home. When
hacking, again try to cover your tracks; the more accounts / nodes you use, the
harder you are to trace.

Another piece of sound advice came from the editor of Phrack, Chris Goggans:
don't hack on your own doorstep, as prosecuting someone in another country is
such a problem it's often not worth the effort.

4.4 Where can I meet other hackers / phreaks?
2600 meets are held on the first Friday of the month all over the world. After
the initial meeting they generally move to a local pub/Pizza Hut/phone exchange
:). UK meets happen in -

London      Next to the VR machines in The Trocadero. Starts 7:00pm-7:45pm. 

Bristol     The payphones near the Almshouse pub (part of the Galleries).
	    Starts 6:45pm to 7:00pm; Pay phone numbers are +44-(0)117-929-9011, 
	    929-4437, 922-6897. Email for more info.
	    (Not sure if this meeting is still going - can someone confirm
	    this for me please?).

Manchester  Meet at Cyberia Cafe, Oxford Road, at around 7pm.
	    Email for more info.

Hull        Meet in the Old Grey Mare, Cottingham Road, at around 7pm. The
	    meeting dates change for this, as it depends on when the Uni is
	    in session, so check before travelling.
	    Email for more info or check out the
	    hackHull web page (URL in section 5.1.2).

Leeds       Meet on the second Friday of each month outside the payphones
	    on Leeds Train Station (next to John Menzies).

4.5 What is all this Kewl d00dz and 3l33t business?
One explanation offered is ...

"It all stems from warez; warez d00dz 'traffic' warez (pirated software). The
practice of intentionally misspelling words and changing letters for numbers
etc. comes partly from the necessity to 'hide' files. So if someone (especially a
sysadmin) decides to search the entire disk for a known software title, they
wouldn't be found."

...others claim it's just sad kiddies who think it's cool (or is that kewl :-) )

4.6 Where can I get warez?
Sunday markets seem to be doing a roaring trade in Blobby/Ghost/Playdoh/Tango
CDs, and asking where to get them on the probably won't get you a
sensible reply. Try hanging around on #warez on IRC (and its many derivatives,
although I believe you need to know the name of someone already on to get an
invite) and There are also many Warez BBSs in the

4.7 Are there any 'famous' UK Hackers/phreaks?
Steve Gold and Robert Schifreen were the first hacker/phreaks to
become well known in the UK (other than those in the Old Bailey trial,
but that was long before). They were responsible for hacking Prestel
in 1984 and gained notoriety for hacking Prince Philip's mailbox
through gaining system manager status on the Prestel system. They were
raided on 10th April 1985 and were charged with forgery, there being
no anti-hacking laws in the UK at that time. Found guilty, Schifreen
was fined 750ukp and Gold 650ukp, with 1,000ukp costs each. On appeal they
were acquitted of all charges :) Neither continues to hack and both are now
freelance journalists. Robert Schifreen was also known as Hex and
Triludan the Warrior.

Nick Whiteley specialised in ICL mainframes. He committed his first hack
around January 1988, breaking into an ICL at Queen Mary College, going
on to hack Hull, Nottingham, Bath and Belfast Universities, always
ICLs. He was raided on 6th July 1988, charged with Criminal Damage
and released on bail. In 1990 he was tried for Criminal Damage and
cleared of criminal damage to computer hardware, but found guilty of
two charges of damaging disks. He was given 1 year, 8 months
suspended and served 2 months. His appeal was dismissed.

Paul Bedworth, member of 8lgm, was arrested in June 1991 and has the
privilege of being the first person to be tried under the Computer
Misuse Act 1990. He was acquitted of all charges in March 1993 after
successfully proving his 'addiction' to hacking after a 15 day trial.
Bedworth went on to do a degree in artificial intelligence at Edinburgh
University. His handle was Wandii.

Neil Woods and Karl Strickland were and still are the main members of
8lgm (8 Legged Groove Machine). As far as I know they were arrested
around the same time as Paul Bedworth, June 1991, but didn't stand
trial till May 1993. They both (I think) pleaded guilty, and were
sentenced to six months each. They were the first people to be jailed
under the Computer Misuse Act (1990). They publish the 8lgm security
advisories, and act as computer security consultants. Neil Woods is
certainly an active security consultant. Neil Woods was also known as Pad
and Karl Strickland as Gandalf.

This is what 8lgm say about themselves :
"[8lgm] was created in early 1989 by several individuals with a common
interest in computer security.  Up until 1991, [8lgm] members actively
used vulnerabilities to obtain access to many computer systems
world-wide.  After this period, any results of research have been
reported and passed onto vendors."
See section 5 for details of the 8lgm WWW page.

Eddie Singh was first arrested in (approx.) 1988 for breaking into the
University of Surrey terminal rooms. He used the nickname Camelot and
was arrested very soon after the Computer Misuse Act came into operation
for hacking the Ritz video chain. There is a book about him: "Beating the
System (Hackers, Phreakers and Electronic Spies)" by Owen Bowcott and Sally
Hamilton (ISBN: 7475 0513 6, published by Bloomsbury Press, 1990).

Michael J Bevan - Kuji (?) and Richard Pryce are currently being prosecuted
for allegedly breaking into US Air Force computers from the UK. Next hearing
in November. Serious Government Security interest in this case!

Coldfire seems to have had his computers, phones, etc. seized (including a new
Sun Sparc). This could be because press attention was focused on him and his
home page (no longer online).

4.8 What about hacking cable/satellite TV?
V0mit has the following to say on this subject:

4.8.1 How do I build a Cable TV Descrambler?
There are many different types of Cable box in use in the UK. This deals
with Jerrolds (The most common type), But also generally covers most 
boxes (Like Scientific Atlanta etc). If anyone has any more specifics
on other types, please feel free to e-mail
with updates, corrections etc. to this..

Firstly though, MANY cable companies only scramble SOME of their channels
(usually Premiums) and some apparently scramble NONE at all! (Though this
is becoming less and less common). However, these signals are usually 
sent well out of the range of frequencies that your average TV can pick
up. All the cable box is there for in cases like this is to 'convert
down' these frequencies into something that most TV's can tune in to. 
TV's vary wildly in what freq. range they can pick up. So the best bet
is to disconnect the cable from the box, plug it directly into the back 
of your TV, and 'tune around'  and see what you find!.. and try all your 
TV sets if you have more than one. You should find a few unscrambled 
channels if you're lucky.. 'The Box' (A music channel) is usually always
sent unscrambled, amongst others..

Some Televisions  (Nokia make one) can tune into all of these higher 
frequencies already. This type of TV is known in the USA as a 'cable
ready' television. I know that Maplin Electronics also sell something that
can convert down the higher frequencies used by the Cable signals for most
televisions to view. Take a look at for the
infamous Hull cable TV hack which uses this facility.

However, whilst just about everyone should be able to get some unscrambled
channels using this method, all the good stuff (yes, porno channels,
you shameless people), Sky One, etc. is usually scrambled.

4.8.2 How do I Descramble them?
Some old boxes do simple things to the horizontal and vertical sync of the
picture, and don't touch the sound etc. In cases like this it is probably
feasible to try and build a descrambler if you know what you are doing.
However, most modern boxes use some fairly awkward techniques. So people
thought: "Hmm, instead of building a descrambler, how about making the
cable box (which already has the descrambler built in) do all the hard
work for you?". So the 'test chip' and 'Cube' were born.

If you thought that to let you view a particular channel cable companies
had to switch something externally, you are wrong. In fact in most
systems all the channels are present when they reach your box. It is
your box that is programmed to stop you seeing these channels, not
something outside the home! The only exception to this is possibly
a very few companies who use 'filtering' methods, i.e. they use
computerised 'smart filters' outside the home which filter out premium
channels etc. and control what you can and cannot see. If your cable co.
uses this type of system (I know none that do in the UK) then you are
screwed. (Either that or it's time to go pay a rich neighbour a visit
with some wire cutters, a spade, and a length of cable wire long enuff
to reach your house :) The one positive side to this method is that all
signals are sent in the clear, and the ones you don't pay for are
filtered out. And so, if you have a 'cable ready' TV, it eliminates
the need for a box.

The following applies to 'Jerrold' cable boxes, But can also be assumed
to apply to most modern cable boxes like Scientific Atlanta etc.

All cable boxes contain a serial number. Your cable co. has this number
on record in their computers. When you phone and say "I'd like to
subscribe to the Racing Channel, 'cause it's great value at only 20 quid
a month" they simply type in the computer that you are allowed to see that
channel. The cable co. then sends a signal to your box saying box
AB 1234567890 is allowed to see channel 33. Your cable box contains a
modem that receives data from the cable co. in the form of an FM signal.
The box specifically looks out for instructions to its serial number,
and obeys. It can be told where specific channels go (show BBC1 on
ch 21 etc.), can disconnect your service, or can show what are called
'barker' channels in place of the premium channels (unless it's told
different ;). This FM signal is known as the cable box's 'data stream'.
However, cable companies don't just send the data stream to your box
the once and then that's it. They send instructions to everyone's box
constantly, looping around you all. And so, on a small system with a
few people your box might be updated every few minutes, or on a larger
one the box might be updated every 20 minutes etc. This ensures everyone
gets what they pay for.

And so, the point is that you don't build a descrambler - you trick
your cable box into thinking you're allowed to see the premium channels!
This can be done in two ways: 1. By Cube. 2. By Test chip. Both have
their advantages and disadvantages, much of which is outside the scope of
this document, and therefore you are encouraged to seek further information.

Finally, because there are no UK sources for this type of thing
EVERYONE must get cubes/test chips etc. from the USA. And the UK being
the UK has to be a bit awkward and do it slightly different from the US.
Data streams there are 99 times out of 100 on one of four frequencies
between 88-108.5 FM. However, here the data stream is often found at
higher rates like 122.75MHz etc. (i.e. outside the normal FM wave band).
If unsure, get yourself a scanner that can tune that high, plug
your cable into it, and search around for your data stream. Once you
find it let the company know, and many will be happy to modify it for
you before shipping to the UK. You need to know this or your cube will
not work!
Also read for a while and you might pick up some stuff.

4.9 Who are British Telecom Security?
BT security is basically made up of the following four sections:
1. Directorate Of Security & Investigation. The focal point for
   'expertise' within the group.
   Director Of Security & Investigation.
   Room A740
   BT Centre 
   81 Newgate Street
   London EC1A 7AJ
   Tel: 0171 356 4928.   Fax: 0171 356 5909.

2. Commercial Security Unit
   Room A169
   BT Centre
   81 Newgate Street
   London EC1A 7AJ
   Tel: 0171 356 5234.   Fax: 0171 356 6068.

3. Specialist Services Unit.
   Libra House.
   Sunrise Parkway.
   Milton Keynes   MK14 6PH.
   Tel: 01908 693939.   Fax: 01908 693961.

4. Investigation And Detection.
   Libra House.
   Sunrise Parkway.
   Milton Keynes   MK14 6PH.
   Tel: 01908 693838/3839 ;'Help desk' Fax: 01908 693860.
   Also : 01908 693800...

It's this last one which is responsible for actually 'busting' people
for nicking 0.00005v of electricity. It's mainly two of them who come to see
you: Adrian Goram and Stephen Byrom. You'll probably get one or the other if
you're ever fortunate enough to get in trouble with BT. And apparently they
insist those are their real names.

4.10 How do I find out my phone bill before it comes?
There is an automated service on 0800 854608 which will give you your bill
amount, so you can start saving! When you call, dial ** followed by your
full number including STD code, then the first eight digits of your
account number (situated at the top of your last bill).

			Section 5  -  Resources

The following sources may be of interest.

A very good list of resources is available in the alt.2600 faq, but these are
my recommendations.

5.1 On the net
These are constantly changing and thus some may not work by the time you read
this. Please do keep us updated about what's new and what's old.

5.1.1  Newsgroups
~~~~~~~~~~~~~~~~~
                          - This group !
alt.2600                  - Hacking & Cracking
alt.dcom.telecom          - Telecom
alt.hackers               - Hacking (in the old sense of the word)
alt.cellular-phone-tech   - Mobile Phones
                          - Computer Security
comp.dcom.telecom         - Telecom   [moderated]
                          - Technical telecom
comp.dcom.cellular        - Cellular telecom
                          - Unix security
                          - Computer Security
                          - See what the German scene is up to courtesy
                            of the Chaos Computer Club, who usually run a
                            Congress around Christmas/New Year
uk.telecom                - UK Telecom Issues

5.1.2 Web Pages
The L0pht               -
EFF                     -
The UK.Telecom FAQ Page -
8lgm                    -
2600 Magazine           -
2600 Bristol Meets      -
FireWalls    - 
alt.2600 FAQ            -
TELECOM Digest FAQ      -
hackHull & Co.          -
Geek                    -
ITU archive,            - gopher://
OFTEL                   -
ICSTIS                  -
UK ISDN FAQ             -
Telephone charging      -

5.1.3 FTP
The L0pht                    -
Routes                       -
Spies                        -
EFF                          -
Firewalls                    -
Firewalls                    -*
The Jargon File              -
Security Archives            -

5.1.4 Mailing Lists
	  in the body of the message.

	Orange (check out for more details)

	  mail and put SUBSCRIBE HACKHULL in
	  the body of the message.

	BoS (Best of Security) maillist
	  can someone provide me with info please?

	Access All Areas
	 Planning and discussion for the next Access All Areas event
	 The Access All Areas Mailing List - mail with
	 the word 'help' in the body of the message for more information

5.1.5 Mags/E-Zines
	Phrack  (
	CuD     ( ????
	Condor  (
	P/H-UK  (

5.1.6 TV & Film
	 Unauthorized Access (
	 War Games, Sneakers et al :)
	 Hackers (
	 The Net (not as good as Hackers, but worth it for Sandra Bullock ;-)

5.2 In Print
5.2.1 Mags
       2600 magazine (Available at Tower Records, London, or direct from
		      AK Press at or by phoning
		      0131-667-1507 [Edinburgh])
       Wired (The US version)
       Mondo 2000
       Blacklisted! 411
	 (Does anyone know of a UK source for this mag?)

5.2.2 Books
(About Hackers)

       Cyberpunk: Outlaws & Hackers on the Computer Frontier
	 Katie Hafner and John Markoff - ISBN 1-872180-94-9
	 (3 accounts in one book: Mitnick's early years, widely discredited by
	 people close to him; Pengo and The Chaos Computer Club (which ties in
	 with 'The Cuckoo's Egg'); and Robert 'Internet Worm' Morris)
       The Cuckoo's Egg
	 Clifford Stoll
	 (Techno Hippy gets compulsive about East German Hacker)
	 Steven Levy
	 (Early days of Old-Style MIT hackers)
       Approaching Zero
       Beating the System (Hackers, Phreakers and Electronic Spies)
	 Owen Bowcott and Sally Hamiliton.  ISBN: 7475 0513 6 
       Computer Hacking: Detection and Protection,
	 Sigma Press 1995?, UK - ISBN 1-85058-538-5

(About Systems)
       Any Tech Ref Manual you can lay your hands on
       Far too many to mention

5.3 Phone numbers
UK Interesting phone numbers
  Check out the uk.telecom FAQ for a good starting list of phone numbers

Section 6  -  Questions to be answered in the next version of the FAQ - Help!

      Who created
      Anything contained in [] above :)
      Short sections on Novell, Cellphones
      Sources of 2600 magazine in the UK (except for Tower & AK, that is)
