--- /dev/null
+0. First Words\r
+--------------\r
+\r
+Hi!\r
+This will be an article on what you can do with VMB's.\r
+I was not sure if I really could add anything new to this topic, but I think\r
+I can give you a complete list of "What they can do for you" and also I pro-\r
+mised this artcle to van Hauser so here it is.\r
+Don't blame me if you already know anything, again, it is WHY someone should\r
+concern about VMB's.\r
+There are quiete a lot of text files on VMB Systems and I will give\r
+you an overview of files which deal with the hacking of special systems at\r
+the end of this article.\r
+\r
+1. Overview of what-do-to with VMB's\r
+------------------------------------\r
+-use them as (simply) Voice-Mail\r
+-use them as 3rd party call possibility\r
+-use them to call for free\r
+-use them to make conferences\r
+-use them to find switching systems\r
+\r
+2. Voice Mail\r
+-------------\r
+The originating thing why VMB's got invented. Suppose you have a company and\r
+50 guys working there. Let's say you got 20 calls after hours on your\r
+answering machine and each one is for a different guy. So why not having a\r
+system where anybody can leave a message to the specific guy he wants?\r
+So each guy has his own mailbox where he gets his calls if he is away from\r
+his desk or not at home. If you connect to a voicemail, you will always get\r
+a prompt where normally you can leave a message to the company or if you know\r
+the extension of the guy you want to talk to to him directly.\r
+So within your own VMB, you can hear messages from outside callers or from\r
+someone within your company. That's the basis.\r
+If you want to hack a VMB, you always have to find where the 3 or 4 (the\r
+only system with 2 digit extensions I know is Partnell Mail from AT&T?)\r
+digit extension are, they are mostly grouped. You always have 2 possibilities,\r
+you can transfer to extensions and see if they do exist (meaning you hear\r
+some greetings) or enter a mailbox and see if it prompts with password.\r
+There are different systems but I suggest you always transfer to extensions\r
+because you can find interesting things (see later on). If you have a clue\r
+where the most extensions are, you can start hacking one box with trying\r
+passwords like 1234 or the boxnumber. I would never concern on more passwords\r
+because if no easy password fits, than the system is often better protected,\r
+and there are enough silly systems with stupid administrators you can hack.\r
+If you have hacked a box belonging to someone else, you should NEVER hear\r
+any mails, you just find free boxes belonging to noone by using the\r
+distribution list command or the message received command which exists on\r
+all systems. Normally you notice a free box (either when transfering to a\r
+box from outside or when using the commands from inside) when there is no\r
+greeting and just a message like 'extension 123' or 'record at the tone'.\r
+A very good way to locate boxes is to use the name-search which exists on\r
+almost any systems. Hear the company's greeting and they often tell some-\r
+thing like "press 9 to use the directory". Enter the beginnings of common\r
+names and you will get the person's extension number.\r
+So well, why should you hack a VMB and have a extension? Simply because\r
+it's quiete cool & useful to keep in contact with other hacker's.\r
+If you hack more extensions on one system, they invite your friends and\r
+have a big communication tool - tollfree! (Ah btw, NEVER ever hack voice-\r
+mail systems in your own country, because of the bust & trace possibility,\r
+but if you hack american systems on toll-free numbers [of course reachable\r
+from within your own country], you cannot be busted. At least not in Germany)\r
+The THC posse uses an Aspen system for more than 6 month with more than\r
+20 extensions I hacked in September '95. Really, it is a big helpful tool to\r
+keep in touch with each other for free, and we do not only talk about hacking\r
+stuff, it is quiete funny to leave messages to the other's if you are drunken\r
+at a party or whatever!\r
+The most comfortable system in my eye's is Aspen from Octel ("Voice Infor-\r
+mation processing") which exits in different dimensions and cost up to\r
+$600.000. It has become -sad but true- hard to hack because most systems\r
+have no defaults anymore. The Aspen systems can be integrated into several\r
+switches and often has the bridge capacibility. (see later)\r
+\r
+3. 3rd party calling\r
+--------------------\r
+I guess you know what this is. If not, you can pay calls over certain\r
+companies (e.g. MCI) which accept that a 3rd party pays all costs.\r
+You tell the operator to place a 3rd party call and he calls the number you\r
+give him to verify he will accept the charges. Because operators are dumb\r
+(well why they are just operators) and because of the good line quality,\r
+you can trick them with a VMB which has a greeting like "hallo? ah .... hmm\r
+(pause) ... yes ... I accept the charges".\r
+Well you ask, how can an american operator dial a toll-free number in Germany\r
+and enter an extension or what? In fact, many VMB systems have a direct dial\r
+(Especially Meridian's) and if it is an american company, of course in the\r
+states. (and this number can be dialed from the operator)\r
+Direct dial means that your extension is not only reachable over the main\r
+number (where you can enter the person's extension), it is reachable over\r
+a normal telephone number. Let's say the company originates in AC 718, and\r
+the company wants their guys (of course) to be called by customers. So they\r
+have a whole prefix which belongs to the company, The last four digits are\r
+for the guys in the company. If this company owns a VMB, the extensions of\r
+the guys normally are the last four digits of the phonenumber. So if you\r
+hacked extension 3000, and the company is located in 718-123-xxxx, your\r
+direct dial would be 718-123-3000. So go and ask the operator (by paging\r
+or within business hours) for their main number in the states, and they\r
+will tell you the things you need (AC, prefix). If they give you an 1-800\r
+number ask them for their fax number or whatever, to get the missing digits.\r
+If anything fails go and ask them for their direct dial.\r
+So know you can change your greeting to the one above and tell the operator\r
+to bill the call to 718-123-3000.\r
+Again, many companies already got abused and have restricted their whole\r
+prefix for accepting 3rd party calls, but it is always worth a try and MCI\r
+has good overseas lines from Germany.\r
+\r
+4. Make free calls\r
+------------------\r
+Remember the things of a direct dial. Think of the use of a PBX and\r
+what a PBX does. Bingo, of course if the company has PBX and has a direct\r
+dial, you can reach their dialtone toll-free. So if you are scanning a VMB\r
+(by transfering to the extensions) you may run over a dialtone which VERY\r
+often has no code on it. I think the systems which have the possibility of\r
+being a part of the PBX are limmited. Audix (by AT&T) and Meridian (by\r
+Northern Telecom) are worth a try and I have run over severals dialtones\r
+on these systems. I guess Aspen has the possibility too, but I never found\r
+anything. If you have a girlfriend which speaks a good english, you can try\r
+to social-engineer the extension where the dialtone is located. (Use a name\r
+which is really in the company you got from the names directory, say you\r
+are struck in Europe and forgot all your paper's with the extension. Better,\r
+[because not too many companies have agents which travel to Europe] you let\r
+your call look like it originates from the US by using the 3rd party call\r
+way or so. Or if you have hacked a box, page the operator from within the box,\r
+because he cant see where your call is originating from!)\r
+Anyway if you are struck by scanning the system but you do think it really\r
+must have a dialtone (probably because the company is so big and has direct\r
+dial), go and do social-engineering, especially after hours, because these\r
+operator are unsophisticated and often have no idea of fraud. At business\r
+time, they could connect you to security (oops) or they even are the security\r
+operator (ooooops).\r
+There is also a way to call for free if the VMB system has the ability to for-\r
+ward calls. If you want that all calls after hours are forwarded to your home\r
+phone, you enter configure this within your box. Many bigger systems like\r
+Audix do have the capacibility, but it is disabled very often. Smaller\r
+systems like Cindy or The Message Desk have this feature not disabled and you\r
+can use it to divert your calls by entering the phone number you want within\r
+your hacked box and then transfer to your own hacked extension which will\r
+forward the call to your favourite BBS.\r
+As small bonus, I include a special section on The Message Desk systems,\r
+because I haven't found any text file about it and because Germans can abuse\r
+Message Desk Systems in UK very easy! A big Thanks & GOOD LUCK! to Krew-l-t\r
+who introduced me to this neat system.\r
+Well basically when you dial press # and then enter a box number...most\r
+are unpassworded...to find extensions dial in and press * then dial\r
+3 digits or 4 (there is also boxes 1,2 and 3). If you hear no special\r
+greeting then enter this box number and if it has no password, you have your\r
+own box. You can also use boxes belonging to someone IF he hasnot activated\r
+call-forwarding; he would be quiete anxious if he is awaiting calls at his\r
+home and all guys will get connected to LORE BBS :). So always change the\r
+number back after you used it. Once in a box do 7 then 7 again...then 2, then 9+ the number you wannt to reach then #, then # again,\r
+then * twice, then the box number you wannt to divert to.\r
+There is a special possibility to dial out on Meridian voicemail system. There\r
+are certain extensions you can transfer to and hear nothing. You may have\r
+found the outdial code. Try to transfer to this extension and add a number.\r
+Let's say at extension 1234 you hear nothing. If you dial 1234+00-cc-number\r
+you may be connected to your desired target. Especially systems in the UK\r
+often have this outdial possibility, and since you have unlimmited tries for\r
+scanning extensions, you can find them quiete easily. Of course, any Meridian\r
+in any country has this possibility, but it must not be set up on the system.\r
+Something you may also try is to key in certain digits at the main prompt\r
+(the one with the company's greeting) and I sometimes got a dialtone just by\r
+pressing 9 at this prompt.\r
+\r
+5. Conferences\r
+--------------\r
+Probably you have visited the DefCon Voice bridge in the USA. You can find\r
+something like this on Meridian, Aspen and Audix Systems. Basicly, it is the\r
+same thing as with the outdial code. You enter extensions and if you hear\r
+nothing, but it is not an outdial, it may be a conference setup. The Analyst\r
+for example found a conferences for 8 people on a Meridian in Germany.\r
+Let's say there was 2000 and then silence, but 2000+00-cc-number didnot work.\r
+So he tried something and when entering 200008 a voice said "Conference set\r
+up for 8 persons." They could connect to the conference when dialing 2000X1.\r
+If you ever want to be a part of our great conferences we hold from time to\r
+time just contact me or any of the THC crew.\r
+On Audix systems, you hear a special bridge-tone when you have found a\r
+conference extension. Check up if someone may transfer to this extension\r
+at the same time and you can speak to each other now, or try extensions near\r
+the bride extensions, or something like this.\r
+But be careful, you might stumble into existing conferences sometimes!\r
+(But it may be quiete funny to be a part of them!)\r
+\r
+6. Switching Systems\r
+--------------------\r
+In my opinion, this is the interesting part now, becuase it can give you a\r
+lot of power if you have managed it to hack a switching system through a\r
+voice mail system.\r
+Almost all voice mail systems are a part of a switching system, but there\r
+are certain systems that are ONLY for voicemail. Let's say you have a big\r
+switching system of the Definity Series from AT&T. You can integrate a voice\r
+mail (in this case Audix) into your PBX System. You have the possibility to\r
+set up an extension to maintain your PBX, let's say your company owns\r
+645-xxxx. You can setup the dial-in port on extension 645-9999, and if\r
+you dial 645-9999, you will be connected to a terminal where you can setup\r
+or maintain the WHOLE PBX system. (Well I guess nothing new for you guys.)\r
+If you have a voicemail system, you can setup the dial-in port also to be\r
+reachable through your voicemail, so let's say you transfer to extension 9999\r
+and bingo, you get the carrier. This is very interesting, because it\r
+is a great possibilty to reach a switching system from outside a country\r
+trough a toll-free number. Audix voicemail e.g. is often integrated into\r
+the Definity Series (System 75 and 85; the G1 - G3 series), so the chance\r
+of finding a Sys75 on an Audix extension is quiete high. BUT I suggest that\r
+you give this up. Why? Because AT&T changed ALL default login's and password's\r
+due to a massive abuse in the States. I talked to a woman from Lucent on\r
+the CEBIT this year (she is in the toll-fraud prevention center), and she\r
+said that they still ship the Definity Series with the defaults, BUT their\r
+technicians are told to change them. You may try the looker/browser account\r
+but in general, you have no chance of entering the system easiely. Of course,\r
+social-engeneering is a possibility. You should concentrate on the switches\r
+from Nortel. (Sl-1 series etc.) A Meridian Voice Mail system is sometimes\r
+integrated into this PBX system, and the hacking is quiete easy.\r
+A SL-1 switch answers like this:\r
+OVL111 IDLE and has different signs on the screen like TTY and such.\r
+(Check the reference article; read the end of this file)\r
+To logon, you type LOGI and it responds with PASS?.\r
+The older SL-1 switch ONLY allows a 4 digit numeric code and you have\r
+UNLIMMITED tries, so fuck, write a script and you are in FAST!\r
+The newer one (sigh) allows 16? signs so give it up.\r
+Once in, you can setup DISA's and more ... remember, if you have access\r
+to a switching system, you can do ALL with their telephone system.\r
+(Even shut-down if you are malicious).\r
+You sould be abled to access a ROLM CBX system through Phonemail, but\r
+I never found this myself.\r
+\r
+7. End / Contact the author\r
+---------------------------\r
+I hope you found this article enjoyable to read and know, why to concern\r
+with VMB's now. Something I wanted to add: DON'T think you cannot hack\r
+those systems and their PBX systems, because most technicians are not\r
+half that intelligent as you are. The often chose simple passwords and\r
+left a backdoor open. I know it myself, because I'm a low-level technician\r
+of a German PBX system and the technician who installed the whole system\r
+was really stupid without any knowledge that got behind his manual.\r
+To maintain the system for me was really hard because of the bad setup.\r
+I'll write a file about German PBX systems later this year.\r
+(Octopus from Telekom, HiCOM from Siemens and 4000 series from Alcatel)\r
+BTW, use the WWW to gain good informations about anything! Use\r
+Lycos and you will get a lot of interesting pages with stuff for you,\r
+concerning VMB's and PBX systems.\r
+To contact me from within Germany, dial 0130-817698 and leave mail to\r
+extension 2389. From outside Germany, please call +1-510-624-7120 and\r
+leave me a voicemail. Or call LORE BBS in Germany to leave me a mail,\r
+or you can also ask any THC member how to reach me. And yes, I am\r
+on IRC sometimes, try to catch me in #bluebox.\r
+\r
+ -WiLKiNS!\r
+\r
+8. Appendix\r
+-----------\r
+\r
+NOTE: These are ONLY the *best* textfiles I found about these VMB systems.\r
+ I didn't put a description of hacking tools for boxes in too, because\r
+ hacking boxes with tools is senseless once you have one valid box on\r
+ the system.\r
+\r
+General\r
+-------\r
+tao90-04.zip\r
+\r
+This file describes a lot of VMB systems and their features. Short-cut,\r
+but the best you can get! Written by (?) accidential tourist.\r
+\r
+Aspen\r
+-----\r
+aspen1.zip\r
+aspen2.zip\r
+\r
+Both files were written by CaveMan and are also distributed under caveasp.zip\r
+They give you a good overview about the commands and on how-to-hack.\r
+NOTE: The 3-digit-error is STILL found very often!\r
+\r
+Audix\r
+-----\r
+cotno01.zip\r
+audexvp.zip\r
+\r
+The article from DeadKat in the Cotno Mag #1 is about the hacking of Audix;\r
+the second one is from Crazybyte. It contains some mistakes but reading it\r
+is still worthwhile.\r
+\r
+Cindy\r
+-----\r
+cinditut.zip\r
+\r
+The Cindy system is not very common, but quiete nice.\r
+Article from Slycath.\r
+\r
+Meridian Voice Mail\r
+-------------------\r
+cotno04.zip\r
+mmail.zip\r
+\r
+Again, DeadKat brings us an excellent article in Cotno Mag #4. (He, please\r
+contact me if you read this!) The other one is from ColdFire and concerns\r
+about the setup of the voicemail system through the computer extension.\r
+\r
+ROLM CBX / Phonemail\r
+--------------------\r
+rolm-01.zip\r
+9x_rlmpn.zip\r
+\r
+The first article from OleBuzzard deals with the PBX system; the second\r
+one from Substance is on how to setup Phonemail through the dial-in port.\r
+\r
+SL-1\r
+----\r
+phrack44.zip\r
+\r
+The article from IceMan in Phrack #44 is a good article for beginners.\r
+It introduces the features of the SL-1 series and gives a command overview,\r
+but it doesnot explain enough on the programming. Where is the promised\r
+part 2? Nortel "secures" its systems with a variety of abbreviations, so\r
+you must have a manual or simply have to guess. Special Info: If you\r
+try something, and you want to cancel the commands, press **** and you\r
+will be back at the main screen.\r
+\r
+System 75\r
+---------\r
+cotno01.zip\r
+\r
+You see, Cotno is really a great mag. The article from Panther Modern is\r
+one of the best one's about System 75, and there are a lot of them.\r
+\r
+\r
+Greets,\r
+ WiLKiNS\r
+\1a
\ No newline at end of file
projects / oweals / thc-archive.git / blobdiff