added unreleased README

[oweals/thc-archive.git] / Papers / vmb.txt

0. First Words\r
--------------\r
\r
Hi!\r
This will be an article on what you can do with VMB's.\r
I was not sure if I really could add anything new to this topic, but I think\r
I can give you a complete list of "What they can do for you" and also I pro-\r
mised this artcle to van Hauser so here it is.\r
Don't blame me if you already know anything, again, it is WHY someone should\r
concern about VMB's.\r
There are quiete a lot of text files on VMB Systems and I will give\r
you an overview of files which deal with the hacking of special systems at\r
the end of this article.\r
\r
1. Overview of what-do-to with VMB's\r
------------------------------------\r
-use them as (simply) Voice-Mail\r
-use them as 3rd party call possibility\r
-use them to call for free\r
-use them to make conferences\r
-use them to find switching systems\r
\r
2. Voice Mail\r
-------------\r
The originating thing why VMB's got invented. Suppose you have a company and\r
50 guys working there. Let's say you got 20 calls after hours on your\r
answering machine and each one is for a different guy. So why not having a\r
system where anybody can leave a message to the specific guy he wants?\r
So each guy has his own mailbox where he gets his calls if he is away from\r
his desk or not at home. If you connect to a voicemail, you will always get\r
a prompt where normally you can leave a message to the company or if you know\r
the extension of the guy you want to talk to to him directly.\r
So within your own VMB, you can hear messages from outside callers or from\r
someone within your company. That's the basis.\r
If you want to hack a VMB, you always have to find where the 3 or 4 (the\r
only system with 2 digit extensions I know is Partnell Mail from AT&T?)\r
digit extension are, they are mostly grouped. You always have 2 possibilities,\r
you can transfer to extensions and see if they do exist (meaning you hear\r
some greetings) or enter a mailbox and see if it prompts with password.\r
There are different systems but I suggest you always transfer to extensions\r
because you can find interesting things (see later on). If you have a clue\r
where the most extensions are, you can start hacking one box with trying\r
passwords like 1234 or the boxnumber. I would never concern on more passwords\r
because if no easy password fits, than the system is often better protected,\r
and there are enough silly systems with stupid administrators you can hack.\r
If you have hacked a box belonging to someone else, you should NEVER hear\r
any mails, you just find free boxes belonging to noone by using the\r
distribution list command or the message received command which exists on\r
all systems. Normally you notice a free box (either when transfering to a\r
box from outside or when using the commands from inside) when there is no\r
greeting and just a message like 'extension 123' or 'record at the tone'.\r
A very good way to locate boxes is to use the name-search which exists on\r
almost any systems. Hear the company's greeting and they often tell some-\r
thing like "press 9 to use the directory". Enter the beginnings of common\r
names and you will get the person's extension number.\r
So well, why should you hack a VMB and have a extension? Simply because\r
it's quiete cool & useful to keep in contact with other hacker's.\r
If you hack more extensions on one system, they invite your friends and\r
have a big communication tool - tollfree! (Ah btw, NEVER ever hack voice-\r
mail systems in your own country, because of the bust & trace possibility,\r
but if you hack american systems on toll-free numbers [of course reachable\r
from within your own country], you cannot be busted. At least not in Germany)\r
The THC posse uses an Aspen system for more than 6 month with more than\r
20 extensions I hacked in September '95. Really, it is a big helpful tool to\r
keep in touch with each other for free, and we do not only talk about hacking\r
stuff, it is quiete funny to leave messages to the other's if you are drunken\r
at a party or whatever!\r
The most comfortable system in my eye's is Aspen from Octel ("Voice Infor-\r
mation processing") which exits in different dimensions and cost up to\r
$600.000. It has become -sad but true- hard to hack because most systems\r
have no defaults anymore. The Aspen systems can be integrated into several\r
switches and often has the bridge capacibility. (see later)\r
\r
3. 3rd party calling\r
--------------------\r
I guess you know what this is. If not, you can pay calls over certain\r
companies (e.g. MCI) which accept that a 3rd party pays all costs.\r
You tell the operator to place a 3rd party call and he calls the number you\r
give him to verify he will accept the charges. Because operators are dumb\r
(well why they are just operators) and because of the good line quality,\r
you can trick them with a VMB which has a greeting like "hallo? ah .... hmm\r
(pause) ... yes ... I accept the charges".\r
Well you ask, how can an american operator dial a toll-free number in Germany\r
and enter an extension or what? In fact, many VMB systems have a direct dial\r
(Especially Meridian's) and if it is an american company, of course in the\r
states. (and this number can be dialed from the operator)\r
Direct dial means that your extension is not only reachable over the main\r
number (where you can enter the person's extension), it is reachable over\r
a normal telephone number. Let's say the company originates in AC 718, and\r
the company wants their guys (of course) to be called by customers. So they\r
have a whole prefix which belongs to the company, The last four digits are\r
for the guys in the company. If this company owns a VMB, the extensions of\r
the guys normally are the last four digits of the phonenumber. So if you\r
hacked extension 3000, and the company is located in 718-123-xxxx, your\r
direct dial would be 718-123-3000. So go and ask the operator (by paging\r
or within business hours) for their main number in the states, and they\r
will tell you the things you need (AC, prefix). If they give you an 1-800\r
number ask them for their fax number or whatever, to get the missing digits.\r
If anything fails go and ask them for their direct dial.\r
So know you can change your greeting to the one above and tell the operator\r
to bill the call to 718-123-3000.\r
Again, many companies already got abused and have restricted their whole\r
prefix for accepting 3rd party calls, but it is always worth a try and MCI\r
has good overseas lines from Germany.\r
\r
4. Make free calls\r
------------------\r
Remember the things of a direct dial. Think of the use of a PBX and\r
what a PBX does. Bingo, of course if the company has PBX and has a direct\r
dial, you can reach their dialtone toll-free. So if you are scanning a VMB\r
(by transfering to the extensions) you may run over a dialtone which VERY\r
often has no code on it. I think the systems which have the possibility of\r
being a part of the PBX are limmited. Audix (by AT&T) and Meridian (by\r
Northern Telecom) are worth a try and I have run over severals dialtones\r
on these systems. I guess Aspen has the possibility too, but I never found\r
anything. If you have a girlfriend which speaks a good english, you can try\r
to social-engineer the extension where the dialtone is located. (Use a name\r
which is really in the company you got from the names directory, say you\r
are struck in Europe and forgot all your paper's with the extension. Better,\r
[because not too many companies have agents which travel to Europe] you let\r
your call look like it originates from the US by using the 3rd party call\r
way or so. Or if you have hacked a box, page the operator from within the box,\r
because he cant see where your call is originating from!)\r
Anyway if you are struck by scanning the system but you do think it really\r
must have a dialtone (probably because the company is so big and has direct\r
dial), go and do social-engineering, especially after hours, because these\r
operator are unsophisticated and often have no idea of fraud. At business\r
time, they could connect you to security (oops) or they even are the security\r
operator (ooooops).\r
There is also a way to call for free if the VMB system has the ability to for-\r
ward calls. If you want that all calls after hours are forwarded to your home\r
phone, you enter configure this within your box. Many bigger systems like\r
Audix do have the capacibility, but it is disabled very often. Smaller\r
systems like Cindy or The Message Desk have this feature not disabled and you\r
can use it to divert your calls by entering the phone number you want within\r
your hacked box and then transfer to your own hacked extension which will\r
forward the call to your favourite BBS.\r
As small bonus, I include a special section on The Message Desk systems,\r
because I haven't found any text file about it and because Germans can abuse\r
Message Desk Systems in UK very easy! A big Thanks & GOOD LUCK! to Krew-l-t\r
who introduced me to this neat system.\r
Well basically when you dial press # and then enter a box number...most\r
are unpassworded...to find extensions dial in and press * then dial\r
3 digits or 4 (there is also boxes 1,2 and 3). If you hear no special\r
greeting then enter this box number and if it has no password, you have your\r
own box. You can also use boxes belonging to someone IF he hasnot activated\r
call-forwarding; he would be quiete anxious if he is awaiting calls at his\r
home and all guys will get connected to LORE BBS :). So always change the\r
number back after you used it. Once in a box do 7 then 7 again...then 2, then 9+ the number you wannt to reach then #, then # again,\r
then * twice, then the box number you wannt to divert to.\r
There is a special possibility to dial out on Meridian voicemail system. There\r
are certain extensions you can transfer to and hear nothing. You may have\r
found the outdial code. Try to transfer to this extension and add a number.\r
Let's say at extension 1234 you hear nothing. If you dial 1234+00-cc-number\r
you may be connected to your desired target. Especially systems in the UK\r
often have this outdial possibility, and since you have unlimmited tries for\r
scanning extensions, you can find them quiete easily. Of course, any Meridian\r
in any country has this possibility, but it must not be set up on the system.\r
Something you may also try is to key in certain digits at the main prompt\r
(the one with the company's greeting) and I sometimes got a dialtone just by\r
pressing 9 at this prompt.\r
\r
5. Conferences\r
--------------\r
Probably you have visited the DefCon Voice bridge in the USA. You can find\r
something like this on Meridian, Aspen and Audix Systems. Basicly, it is the\r
same thing as with the outdial code. You enter extensions and if you hear\r
nothing, but it is not an outdial, it may be a conference setup. The Analyst\r
for example found a conferences for 8 people on a Meridian in Germany.\r
Let's say there was 2000 and then silence, but 2000+00-cc-number didnot work.\r
So he tried something and when entering 200008 a voice said "Conference set\r
up for 8 persons." They could connect to the conference when dialing 2000X1.\r
If you ever want to be a part of our great conferences we hold from time to\r
time just contact me or any of the THC crew.\r
On Audix systems, you hear a special bridge-tone when you have found a\r
conference extension. Check up if someone may transfer to this extension\r
at the same time and you can speak to each other now, or try extensions near\r
the bride extensions, or something like this.\r
But be careful, you might stumble into existing conferences sometimes!\r
(But it may be quiete funny to be a part of them!)\r
\r
6. Switching Systems\r
--------------------\r
In my opinion, this is the interesting part now, becuase it can give you a\r
lot of power if you have managed it to hack a switching system through a\r
voice mail system.\r
Almost all voice mail systems are a part of a switching system, but there\r
are certain systems that are ONLY for voicemail. Let's say you have a big\r
switching system of the Definity Series from AT&T. You can integrate a voice\r
mail (in this case Audix) into your PBX System. You have the possibility to\r
set up an extension to maintain your PBX, let's say your company owns\r
645-xxxx. You can setup the dial-in port on extension 645-9999, and if\r
you dial 645-9999, you will be connected to a terminal where you can setup\r
or maintain the WHOLE PBX system. (Well I guess nothing new for you guys.)\r
If you have a voicemail system, you can setup the dial-in port also to be\r
reachable through your voicemail, so let's say you transfer to extension 9999\r
and bingo, you get the carrier. This is very interesting, because it\r
is a great possibilty to reach a switching system from outside a country\r
trough a toll-free number. Audix voicemail e.g. is often integrated into\r
the Definity Series (System 75 and 85; the G1 - G3 series), so the chance\r
of finding a Sys75 on an Audix extension is quiete high. BUT I suggest that\r
you give this up. Why? Because AT&T changed ALL default login's and password's\r
due to a massive abuse in the States. I talked to a woman from Lucent on\r
the CEBIT this year (she is in the toll-fraud prevention center), and she\r
said that they still ship the Definity Series with the defaults, BUT their\r
technicians are told to change them. You may try the looker/browser account\r
but in general, you have no chance of entering the system easiely. Of course,\r
social-engeneering is a possibility. You should concentrate on the switches\r
from Nortel. (Sl-1 series etc.) A Meridian Voice Mail system is sometimes\r
integrated into this PBX system, and the hacking is quiete easy.\r
A SL-1 switch answers like this:\r
OVL111 IDLE and has different signs on the screen like TTY and such.\r
(Check the reference article; read the end of this file)\r
To logon, you type LOGI and it responds with PASS?.\r
The older SL-1 switch ONLY allows a 4 digit numeric code and you have\r
UNLIMMITED tries, so fuck, write a script and you are in FAST!\r
The newer one (sigh) allows 16? signs so give it up.\r
Once in, you can setup DISA's and more ... remember, if you have access\r
to a switching system, you can do ALL with their telephone system.\r
(Even shut-down if you are malicious).\r
You sould be abled to access a ROLM CBX system through Phonemail, but\r
I never found this myself.\r
\r
7. End / Contact the author\r
---------------------------\r
I hope you found this article enjoyable to read and know, why to concern\r
with VMB's now. Something I wanted to add: DON'T think you cannot hack\r
those systems and their PBX systems, because most technicians are not\r
half that intelligent as you are. The often chose simple passwords and\r
left a backdoor open. I know it myself, because I'm a low-level technician\r
of a German PBX system and the technician who installed the whole system\r
was really stupid without any knowledge that got behind his manual.\r
To maintain the system for me was really hard because of the bad setup.\r
I'll write a file about German PBX systems later this year.\r
(Octopus from Telekom, HiCOM from Siemens and 4000 series from Alcatel)\r
BTW, use the WWW to gain good informations about anything! Use\r
Lycos and you will get a lot of interesting pages with stuff for you,\r
concerning VMB's and PBX systems.\r
To contact me from within Germany, dial 0130-817698 and leave mail to\r
extension 2389. From outside Germany, please call +1-510-624-7120 and\r
leave me a voicemail. Or call LORE BBS in Germany to leave me a mail,\r
or you can also ask any THC member how to reach me. And yes, I am\r
on IRC sometimes, try to catch me in #bluebox.\r
\r
                                                    -WiLKiNS!\r
\r
8. Appendix\r
-----------\r
\r
NOTE: These are ONLY the *best* textfiles I found about these VMB systems.\r
      I didn't put a description of hacking tools for boxes in too, because\r
      hacking boxes with tools is senseless once you have one valid box on\r
      the system.\r
\r
General\r
-------\r
tao90-04.zip\r
\r
This file describes a lot of VMB systems and their features. Short-cut,\r
but the best you can get! Written by (?) accidential tourist.\r
\r
Aspen\r
-----\r
aspen1.zip\r
aspen2.zip\r
\r
Both files were written by CaveMan and are also distributed under caveasp.zip\r
They give you a good overview about the commands and on how-to-hack.\r
NOTE: The 3-digit-error is STILL found very often!\r
\r
Audix\r
-----\r
cotno01.zip\r
audexvp.zip\r
\r
The article from DeadKat in the Cotno Mag #1 is about the hacking of Audix;\r
the second one is from Crazybyte. It contains some mistakes but reading it\r
is still worthwhile.\r
\r
Cindy\r
-----\r
cinditut.zip\r
\r
The Cindy system is not very common, but quiete nice.\r
Article from Slycath.\r
\r
Meridian Voice Mail\r
-------------------\r
cotno04.zip\r
mmail.zip\r
\r
Again, DeadKat brings us an excellent article in Cotno Mag #4. (He, please\r
contact me if you read this!) The other one is from ColdFire and concerns\r
about the setup of the voicemail system through the computer extension.\r
\r
ROLM CBX / Phonemail\r
--------------------\r
rolm-01.zip\r
9x_rlmpn.zip\r
\r
The first article from OleBuzzard deals with the PBX system; the second\r
one from Substance is on how to setup Phonemail through the dial-in port.\r
\r
SL-1\r
----\r
phrack44.zip\r
\r
The article from IceMan in Phrack #44 is a good article for beginners.\r
It introduces the features of the SL-1 series and gives a command overview,\r
but it doesnot explain enough on the programming. Where is the promised\r
part 2? Nortel "secures" its systems with a variety of abbreviations, so\r
you must have a manual or simply have to guess. Special Info: If you\r
try something, and you want to cancel the commands, press **** and you\r
will be back at the main screen.\r
\r
System 75\r
---------\r
cotno01.zip\r
\r
You see, Cotno is really a great mag. The article from Panther Modern is\r
one of the best one's about System 75, and there are a lot of them.\r
\r
\r
Greets,\r
          WiLKiNS\r
\1a