. .. ... .......... BL4CKM1LK teleph0nics .......... ... .. .
. .. ... .......... http://hybrid.dtmf.org ......... ... .. .

So close it has no boundaries...

A blinking cursor pulses in the electric darkness like a heart coursing
with phosphorous light, burning beneath the derma of black-neon glass.
A PHONE begins to RING, we hear it as though we were making the call.
The cursor continues to throb, relentlessly patient, until...

Meridian I Switch and Trunk Interception.......... ..... ... .
An account of how an ENTIRE company's PBX.......... ..... ... .
can be taken over (The hardcore phreak way)....... ..... ... .
by hybrid ...... ..... ... .

Hi. I'm not going to write a mad big introduction to this article, because I
don't feel there is a need for one. All I want to say here is that this
article is intended for the more "hardcore" phreak, yes, hardcore phreak, not
for lame ass calling card leeching kiddies who call themselves phreaks. If you
are interested in hacking telephony switches, and you have prior knowledge of
Meridian, read on..

Through my experience, I've seen a lot of Meridian admins go through many
different and sometimes repetitive lengths to supposedly secure an internal
PSTN connected PABX. In this article I'm going to share my knowledge of PBX
switch hacking, and enlighten you to the intricate techniques that can be used
to "trunk hop" etc. The information provided in this article has been obtained
from my own personal accounts of hacking telephony switches, which I'd like to
state, I don't participate in anymore.

Now, for the sake of timesaving, I'll set up a possible scenario.. Consider
the following:

o You have stumbled across a nice Meridian Mail system, which you have
  already compromised by finding yourself a few boxes in there. You discover
  that the Meridian Mail system you have gained access to belongs to a
  certain telco, and is used for internal communication between employees
  high up in the hierarchical chain.
Now, any "normal" phreak would gradually take over the system by finding as
many free boxes as possible and handing them over to friends, or would keep
the nice lil' system to themselves as a means of obtaining information about
the telco that owns the PBX, via the means of eavesdropping on used voicemail
boxes. This is a very primitive form of remote eavesdropping, which this file
is not designed to illustrate.

Meridian PBX systems are all administered by a primary system console, which
can be remotely accessed by many different protocols. The most popular of
these is remote dialup via assigned extensions. If the company's main switch
is Centrex based, it is likely that the Meridian admin console is accessible
via IP on the company's intranet. If you manage to gain access to the actual
switching component, you are likely to have the following privileges on the
Meridian based network:

o 100% control over every single inbound/outbound trunk group
o Access to every single voicemail box on the switch
o Access to trunk/group/node administration

Basically, the Meridian administration module is designed to make the admin
(or whoever has access to it) GOD over the entire system. I say GOD because
you could do anything you wanted, as far as your telephony derived
imagination extends.

OK, enough of this.. I'm just going to stop going on about what ifs for the
time being; now I'm going to concentrate on the factual information, and how
one would go about accessing such a switch. The simplest way to find the
internal dialup to a Meridian switch is to scan the internal extensions which
the switch controls. It's generally a good idea to begin scanning network/node
extensions such as 00,01,02,03[xx] etc. What you are looking for is a modem
carrier, which when you connect should ask you for a singular password, which
in most cases is bypassed by hitting Control-SD.
Once you are in, you should receive the switch's command line prompt,
something similar to this:

   >
   or
   SWITCH0>

OMG, I hear you think.. It looks like a DMS switch prompt.. Well, it is, in a
funny kind of way. Meridian switches are designed to emulate certain levels of
DMS-100 O/S types, so you'll find that many of the BCS leveled commands that
you know from DMS will be useful here. The information that follows has been
obtained from public Meridian Mail Administration sources on the net..

/*

Basic Meridian 1 Security Audit
-------------------------------

"Users will go nuts calling a radio station to win a free toaster, taking over
all the trunks in your phone system."

An audit of the Meridian 1 telephone system will ensure that every possible
"system" precaution has been made to prevent fraud. The first step involves
querying data from the system in the form of printouts (or "capturing" the
data to a file in a PC). The next step is to analyze the data and confirm the
reason for each entry. Please be advised that this procedure is not designed
for all "networked" Meridian 1 systems, however, most of the items apply to
all systems. Use at your own risk.

PRINTOUTS REQUIRED FOR SECURITY AUDIT:

It is suggested that you "capture" all of the data from these printouts to
separate files. This can be accomplished with a PC and communications program.
For the BARS LD90 NET printout, try this file. (enclosed in faith10.zip
barparse.zip)

------------------------------------------------------------------------------
LD22 CFN      LD22 PWD      LD21 CDB      LD21 RDB      LD21 LTM
LD23 ACD      LD24 DISA     LD20 SCL      LD86 ESN      LD86 RLB
LD86 DMI      LD87 NCTL     LD87 FCAS     LD87 CDP      LD90 NET
LD90 SUM      LD20 TNB      LD22 DNB      LD88 AUB
------------------------------------------------------------------------------

GATHERING DATA FROM LD81
------------------------

List (LST) the following FEAT entries to form an information base on the
telephones.
------------------------------------------------------------------------------
NCOS 00 99    CFXA    UNR    TLD    SRE    FRE    FR1    FR2    CUN    CTD
------------------------------------------------------------------------------

DATA BLOCK REVIEW ITEMS
-----------------------

From the printouts, a review of the following areas must be made. Some of the
items may or may not be appropriate depending on the applications of the
telephone system.

------------------------------------------------------------------------------
CFN - Configuration

   Verify that History File is in use.

------------------------------------------------------------------------------
PWD - Passwords

   Verify that FLTH (failed login attempt threshold) is low enough. Verify
   that PWD1 and PWD2 (passwords) use both alpha and numeric characters and
   are eight or more characters long. Note any LAPWs (limited access
   passwords) assigned. Enable audit trails.

------------------------------------------------------------------------------
CDB - Customer Data Block

   Verify that CFTA (call forward to trunk access code) is set to NO. Verify
   the NCOS level of the console. Verify that NIT1 through NIT4 (or other
   night numbers) are pointing to valid numbers. The EXTT prompt should be NO
   to work in conjunction with trunk route disconnect controls (See RDB).

------------------------------------------------------------------------------
RDB - Trunk Route Data Block

   Verify that every route has a TARG assigned. Confirm that FEDC and NEDC
   are set correctly. ETH is typical, however for maximum security in
   blocking trunk to trunk connections, set NEDC to ORG and FEDC to JNT.
   Confirm that ACCDs are a minimum of four digits long (unless for paging).
   If ESN signaling is active on trunk routes, verify that it needs to be.
   ESN signaling, if not required, should be avoided.

   NOTES ON TGAR: For demonstration purposes, this document suggests that
   sets be a "TGAR 1".
   The only requirement for TGAR is that it match one of the TARG numbers
   assigned in the Route Data Block.

------------------------------------------------------------------------------
ACD - Automatic Call Distribution

   Verify ACD queues and associated NCFW numbers. Verify all referenced
   extensions.

------------------------------------------------------------------------------
DISA - Direct Inward System Access

   Remove DISA if not required. If required, verify that security codes are
   in use.

------------------------------------------------------------------------------
ESN - Electronic Switched Network

   AC1 is typically "9". If there is an AC2 assigned, verify its use. If TOD
   or ETOD is used - verify what NCOS levels are changed, when they are
   changed and why they are changed. Apply FLEN to your SPNs to ensure nobody
   is ever allowed to be transferred to a partially dialed number, like
   "Transfer me to 91800". Study EQAR (Equal Access Restriction) to ensure
   that users can only follow a "Carrier Access Code" with a zero rather than
   a one: (1010321-1-414-555-1212 is blocked but 1010321-0-414-555-1212 is
   allowed with EQAR)

------------------------------------------------------------------------------
NCTL - Network Control

   Use LD81 FEAT PRINT to verify all NCOS being used. Does NCOS 0 = FRL 0?
   Does NCOS X always equal FRL X in the NCTL? Does FRL 0 have any
   capabilities? - It should not be able to dial anything.

------------------------------------------------------------------------------
FCAS - Free Call Screening

   Confirm the need to use FCAS and remove it if possible. FCAS is usually a
   waste of system memory and complicates the system without saving money.

------------------------------------------------------------------------------
DGT (DMI) - Digit Manipulation

   Confirm all numbers referenced in the "insert" section of each DMI table.
------------------------------------------------------------------------------
RLB - BARS Route List Block

   Are any RLB ENTRs assigned FRL 0? Typically, only the RLB that handles 911
   calls should have an FRL 0. If DMI is in use, confirm all "inserted"
   numbers.

------------------------------------------------------------------------------
CDP - BARS Coordinated Dialing Plan

   Are all CDP numbers valid? Check the RLBs they point to and see what the
   DMI value is. Confirm insertions.

------------------------------------------------------------------------------
NET - ALL - BARS Network Numbers

   Add 000,001,002,003,004,005,006,007,008,009 as SPNs pointing to a route
   list block that is set to LTER YES. These entries block transfers to
   "ext. 9000" and similar numbers.

   Point SPN "0" to a RLI with a high FRL, then consider adding new SPNs of
   02, 03, 04, 05, 06, 07, 08, 09 to point to a RLI with a lower FRL so that
   users cannot dial "0", but can dial "0+NPA" credit card calls.

   Check the FRL of 0, 00, 011 and confirm that each is pointed to a separate
   NET entry requiring a high FRL.

   Remove all off-shore NPAs (like 1-809 Dominican Republic) if possible.
   Regulations are almost non-existent in some of those areas and they are
   hot fraud targets.

   Verify blocking 900 and 976 access. Also consider blocking the NXX of your
   local radio station contest lines. Users will go nuts calling a radio
   station to win a free toaster, taking over all the trunks in your phone
   system.

   Restrict the main numbers and DID range within the BARS system. There is
   no need to call from an outgoing to an incoming line at the same location.

------------------------------------------------------------------------------
TRUNKS

   Confirm that all trunks have TGAR assigned. Confirm that all incoming and
   TIE trunks have class of service SRE assigned. (caution on networked
   systems) Confirm that all trunks have an NCOS of zero.

   NOTES ON TGAR: For demonstration purposes, this document suggests that
   sets be a "TGAR 1".
   The only requirement for TGAR is that it match one of the TARG numbers
   assigned in the Route Data Block.

------------------------------------------------------------------------------
SETS-PHONES

   Does every phone have a TGAR of 1 assigned? (This must be checked set by
   set, TN by TN). Can you change every phone that is UNR to CTD? Review LD81
   FEAT PRINT to find out the UNR sets. CTD class of service is explained
   below. Confirm that all sets are assigned CLS CFXD. Confirm that the NCOS
   is appropriate on each set. In Release 20 or above, removing the transfer
   feature may be appropriate. Confirm that every set's CFW digit length is
   set to the system DN length.

   NOTES ON TGAR: For demonstration purposes, this document suggests that
   sets be a "TGAR 1". The only requirement for TGAR is that it match one of
   the TARG numbers assigned in the Route Data Block.

   Apply Flexible Trunk to Trunk Connections on the set, and FTOP in the CDB
   if deemed appropriate. These restrictions are done on a set by set basis
   and allow or deny the ability to transfer incoming calls out of the
   facility.

------------------------------------------------------------------------------
VOICE MAIL PORTS

   Each port should be CLS of SRE.
   Each port should be NCOS 0 - NCOS 0 must be known to be too low to pass
   any call.
   Each port should be TGAR 1 (all trunk routes must be TARG 1 also).

   NOTES ON TGAR: For demonstration purposes, this document suggests that
   sets be a "TGAR 1". The only requirement for TGAR is that it match one of
   the TARG numbers assigned in the Route Data Block.

   NOTE: If you are used to your Mail system doing outcalling, you can forget
   about that working after applying these restrictions.
------------------------------------------------------------------------------

CLASS OF SERVICE AND TRUNK GROUP ACCESS RESTRICTIONS:
-----------------------------------------------------

EXPLANATION OF CLASS OF SERVICE SRE:
------------------------------------

NTP DEFINITION: Allowed to receive calls from the exchange network.
Restricted from all dial access to the exchange network. Allowed to access
the exchange network through an attendant or an unrestricted telephone only.

Essentially, an SRE set can do nothing on its own except dial internal and
TIE line extensions. If a trunk is SRE - it will work normally and allow
conference calls and transfers.

EXAMPLES OF 'SRE' IN USE:
-------------------------

Voice Mail cannot connect to an outgoing line, but can receive incoming
calls.

Callers on the far end of a TIE line cannot call out through your end (for
their sake, both ends should be SRE).

EXPLANATION OF CLASS OF SERVICE CTD:
------------------------------------

If a route access code is accessed (if there was no match between the TGAR
and TARG), the caller cannot dial 1 or 0 as the leading digits. If the caller
makes a "dial 9" BARS call, the NCOS will control the call.

EXPLANATION OF TGAR AND TARG:
-----------------------------

The best restriction is to have all trunk routes TARG'd to 1 and all TNs
(including actual trunk TNs) TGAR'd to 1. This will block all access to
direct trunk route selection.

BENEFITS OF IMPLEMENTING THESE SECURITY RESTRICTIONS
----------------------------------------------------

No incoming caller will have access to an outside line unless physically
transferred or conferenced by an internal party.

If voice mail ports are SRE and NCOS 0 and have a TGAR matching the TARG -
they will not be able to transfer a call out of the system, regardless of the
voice mail system's resident restrictions assigned.

No phone will be able to dial a trunk route access code. Consider allowing
telecom staff this ability for testing.
Layered security:
-----------------

If in phone programming, TGAR was overlooked on a phone, the CTD class of
service would block the user from dialing a 0 or 1 if they stumble upon a
route access code.

If in programming, the CTD class of service was overlooked, both TGAR and
NCOS would maintain the restrictions.

If in programming, the NCOS is overlooked, it defaults to zero, which is
totally restricted if NCTL and RLBs are set up correctly.

Quick Tour of a Simple Meridian 1 BARS Call
-------------------------------------------

Basic Automatic Route Selection. If you dial "9", you are accessing BARS.
"9" is the "BARS Access Code".

1. A telephone dials "9" - BARS activates.
2. The telephone calls a number - Example: 1-312-XXX-XXXX
3. The PBX holds the digits while it looks up "1-312" to figure out what
   Route List to use for processing the call.
4. The Route List determines the possible trunk routes that can be used.
5. The Route List checks the facility restriction level of the telephone and
   compares it to its own required facility restriction level.
6. The Route List checks to see if any special digit manipulation should be
   performed.

LD90 NET
--------

The LD90 Network overlay is where area codes and exchanges are defined. If a
prefix is not entered into LD90, it cannot be dialed through BARS. Each area
code or exchange refers to a "Route List" or RLI which contains the
instructions for routing the call.

>ld 90
ESN000
REQ prt
CUST 0
FEAT net
TRAN ac1
TYPE npa
NPA 1312

NPA 1312      <-- This is the network number (prefix)
RLI 11        <-- This is the Route List that the prefix gets instruction from
DENY 976      <-- This is an exchange in NPA 312 that is blocked
SDRR DENY
CODES = 1
DMI 0
ITEI NONE
REQ end

LD86 RLB (or RLI)
-----------------

The RLB is a "list" of possible trunk routes that an area code or exchange
can be dialed over. Each "ENTR" or list entry contains a trunk route.
Each entry also has a "minimum Facility Restriction Level" or "FRL" that must
be met before a phone can access that entry. In the following example, the
first entry can be accessed by phones whose NCOS equals an FRL of 3 or above.
The second entry can only be accessed by phones whose NCOS equals an FRL of 6
or above. Along with the trunk route and the FRL, you can apply specific
"digit manipulation" with the DMI entry. The DMI entries are explained
below.

>ld 86
ESN000
REQ prt
CUST 0
FEAT rlb
RLI 11

RLI 11
ENTR 0        <-- This is the list's first "Entry Number"
LTER NO
ROUT 15       <-- This is the first choice Trunk Route Number
TOD 0 ON 1 ON 2 ON 3 ON 4 ON 5 ON 6 ON 7 ON
CNV NO
EXP NO
FRL 3         <-- This is the Facility Restriction Level
DMI 10        <-- This is the Digit Manipulation Index Number
FCI 0
FSNI 0
OHQ YES
CBQ YES

ENTR 1        <-- This is the list's second "Entry Number"
LTER NO
ROUT 9        <-- This is the second choice Trunk Route Number
TOD 0 ON 1 ON 2 ON 3 ON 4 ON 5 ON 6 ON 7 ON
CNV NO
EXP YES       <-- This is considered the "expensive" choice
FRL 6         <-- Note that the Facility Restriction Level is higher
DMI 0         <-- Note no digit manipulation is required for this trunk route
FCI 0
FSNI 0
OHQ YES
CBQ YES

ISET 2
MFRL 3
REQ end

LD87 NCTL
---------

The FRL to NCOS "relationship" is built in the NCTL data block. The FRL and
the NCOS do not necessarily have to equal one another, however they usually
do. A higher FRL/NCOS has more capability than a lower FRL/NCOS. For an NCOS
number to have any capability, it must first be defined in the NCTL data
block.
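As an added example (not part of the original article or of any Nortel tool), the following Python parses constructed LD87 NCTL and LD86 RLB captures laid out like the printouts in this tour and applies the checklist's questions to them: does NCOS X equal FRL X (the NCTL printout in this tour itself maps NCOS 2 to FRL 0), does any RLB entry outside the 911 route list need only FRL 0, which trunk routes a set of a given NCOS can actually reach, and the TGAR/TARG and CTD layers from the class-of-service section. The capture contents and the choice of RLI 4 as the 911 list are assumptions.

```python
"""Audit helpers for captured Meridian 1 overlay printouts.  Added example for
this article, not from the text or from any Nortel tool: parses constructed
LD87 NCTL and LD86 RLB captures laid out like the printouts in the tour and
applies the checklist's NCTL/RLB questions plus the TGAR/TARG and CTD layers."""

# Constructed "ld 87 / FEAT nctl" capture.  NCOS 2 is mapped to FRL 0, the kind
# of slip the question "Does NCOS X always equal FRL X?" is meant to catch.
NCTL_CAPTURE = """\
REQ prt
FEAT nctl
NRNG 0 7
NCOS 0
FRL 0
NCOS 1
FRL 1
NCOS 2
FRL 0
NCOS 3
FRL 3
NCOS 5
FRL 5
NCOS 6
FRL 6
"""

# Constructed "ld 86 / FEAT rlb" capture for RLI 11 (the list in the tour) and
# RLI 4, which this example assumes is the route list used for 911.
RLB_CAPTURE = """\
REQ prt
FEAT rlb
RLI 11
ENTR 0
ROUT 15
FRL 3
DMI 10
ENTR 1
ROUT 9
FRL 6
DMI 0
RLI 4
ENTR 0
ROUT 2
FRL 0
DMI 0
"""


def parse_nctl(capture):
    """Return {ncos: frl} from an NCTL printout (one prompt per line)."""
    nctl, current = {}, None
    for line in capture.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        if parts[0] == "NCOS":
            current = int(parts[1])
        elif parts[0] == "FRL" and current is not None:
            nctl[current] = int(parts[1])
    return nctl


def parse_rlb(capture):
    """Return RLB entries as dicts {rli, entr, rout, frl, dmi}."""
    entries, rli, entry = [], None, None
    for line in capture.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        key, val = parts[0], parts[1]
        if key == "RLI":
            rli = int(val)
        elif key == "ENTR":
            entry = {"rli": rli, "entr": int(val)}
            entries.append(entry)
        elif key in ("ROUT", "FRL", "DMI") and entry is not None:
            entry[key.lower()] = int(val)
    return entries


def ncos_frl_mismatches(nctl):
    """NCOS levels whose FRL differs from the NCOS number."""
    return [(n, f) for n, f in sorted(nctl.items()) if n != f]


def frl_zero_entries(entries, emergency_rli):
    """RLB entries needing only FRL 0, outside the emergency (911) list."""
    return [e for e in entries if e["frl"] == 0 and e["rli"] != emergency_rli]


def bars_routes_for(ncos, rli, nctl, entries):
    """Trunk routes a set of this NCOS may use on a route list, first choice
    first.  An NCOS not defined in NCTL has no capability, so it gets FRL 0."""
    frl = nctl.get(ncos, 0)
    return [e["rout"] for e in sorted(entries, key=lambda e: e["entr"])
            if e["rli"] == rli and frl >= e["frl"]]


def direct_route_check(tgar, route_targs, cls_ctd, digits):
    """Layers guarding a direct trunk route access code: None if the call would
    proceed, else the layer that stopped it (TGAR match, then CTD on 0/1)."""
    if tgar in route_targs:
        return "TGAR"
    if cls_ctd and digits[:1] in ("0", "1"):
        return "CTD"
    return None
```

Run against real captures by replacing the two constants with the text saved by your terminal program; the parsers only look at the NCOS, FRL, RLI, ENTR, ROUT and DMI prompts and ignore everything else.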
>ld 87
ESN000
REQ prt
CUST 0
FEAT nctl
NRNG 0 7      <-- Range from NCOS 0 through 7 was requested

SOHQ NO
SCBQ YES
CBTL 10
---------------
NCOS 0
EQA NO
FRL 0
RWTA NO
NSC NO
OHQ NO
CBQ NO
MPRI 0
PROM 0
---------------
NCOS 1
EQA NO
FRL 1
RWTA NO
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT I
RADT 0
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 2
EQA NO
FRL 0
RWTA NO
NSC NO
OHQ NO
CBQ NO
MPRI 0
PROM 0
---------------
NCOS 3
EQA NO
FRL 3         <-- NCOS 3 equals FRL 3.
RWTA YES
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT I
RADT 10
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 4
EQA NO
FRL 4
RWTA YES
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT A
RADT 10
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 5
EQA NO
FRL 5
RWTA NO
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT A
RADT 10
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 6
EQA NO
FRL 6         <-- NCOS 6 equals FRL 6.
RWTA NO
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT A
RADT 0
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 7
EQA NO
FRL 7
RWTA NO
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT A
RADT 0
SPRI 0
MPRI 0
PROM 0
TOHQ NONE

LD86 Digit Manipulation
-----------------------

The Digit Manipulation data blocks are where special prefixes are entered
before numbers are sent out over trunks. An example of digit manipulation is
where a 1010XXX carrier access code must be inserted before a number is
processed over a trunk.

REQ prt
CUST 0
FEAT dgt
DMI 10

DMI 10        <-- This is simply the index number.
DEL 1         <-- This says "delete the first digit after 9"
CTYP NCHG

REQ prt
CUST 0
FEAT dgt
DMI 3

DMI 3
DEL 0         <-- This says "delete nothing after 9"
INST 101288   <-- This says "Insert 101288 after 9 and before the actual
                  number dialed"
CTYP NCHG
REQ end

Telephone
---------

This is simply a telephone's data block.

DES 5135
TN 004 0 14 00
TYPE 500
CDEN 4D
CUST 0
DN 5135 MARP
CPND
NAME Typical User
XPLN 9
DISPLAY_FMT FIRST,LAST
AST NO
IAPG 0
HUNT
TGAR 1
LDN NO
NCOS 5        <-- What FRL does this equal?
SGRP 0
RNPG 0
LNRS 16
XLST
SCI 0
CLS CTD DTN FBD XFA WTA THFD FND HTD ONS LPR XRA CWD SWD MWA LPD XHD CCSD
    LNA TVD CFTD SFD C6D PDN CNID CLBD AUTU ICDD CDMD EHTD MCTD GPUD DPUD
    CFXD ARHD OVDD AGTD CLTD LDTA ASCD MBXD CPFA CPTA DDGA NAMA SHL ABDD
    CFHD USRD BNRD OCBD
RCO 0
PLEV 02
FTR CFW 4
DATE 28 NOV 1978

LD86 ESN - the Start of BARS
----------------------------

The ESN data block is the root of BARS. Before BARS can be set up, the ESN
data block must be defined.

>ld 86
ESN000
REQ prt
CUST 0
FEAT esn

MXLC 0
MXSD 30
MXIX 0
MXDM 100
MXRL 80
MXFC 60
MXFS 0
MXSC 120
NCDP 4
AC1 9         <-- This is where "9" is defined
AC2
DLTN YES
ERWT YES
ERDT 0
TODS 0 00 00 23 59   <-- This section refers only to time of day routing controls
RTCL DIS
NCOS 0 - 0    <-- This section refers only to time of day routing controls
NCOS 1 - 1
NCOS 2 - 2
NCOS 3 - 3
NCOS 4 - 4
NCOS 5 - 5
NCOS 6 - 6
NCOS 7 - 7
NCOS 99 - 99
ETOD
TGAR NO
REQ end

ISLUA 99 Session BA 20
Capturing Data From Your Meridian 1 to Various PC Software Packages
Curt Kempf
City of Columbia, Missouri

Thanks for attending the workshop. I hope you find this information helpful.
========================================

o ACD Daily Report
o Procomm Plus Script to capture ACD reports to disk. Format: MMDDYY.TXT
o TN PRT out of Host MCA card
o Procomm Script to CHG a TN when it becomes IDLE
o Procomm Script to CHG/NEW a list of DNs and their NAMES (LD 95)
o Procomm Script to monitor PBX for "DTA0021", "INI0", "PWR01", then send an
  alphanumeric page when received.

ACD Daily Report
================

ACD 000   1999 03 29   17:00   DAILY TOTALS REPORT

REPT 1
ACD   AVG   CALLS        AVG   AVG   AVG   AVG   DN     AVG   #-XFER       AVG-TIME-POSN
DN    AGTS  ANSWD  ASA   DCP   PCP   WORK  WAIT  CALLS  TIME  IDN   ACD    BUSY   MANNED
7380  324   54     125   388   514   127   118   69     0     28    22085  27246
------------------------------------------------------------------------------
1     324   54     125   388   514   127   118   69     0     28    22085  27246

REPT 2
ACD   CALLS    RECALL  ANSWERED  ABANDONED  TOF  TOF  OVER  INTER  DN  ACCPTED  TO  LONGEST  NO.
      AVG.WT   TSF     IN        OUT        FLOW FLOW SOURCE WT.   TIME BUSY
7380  366      0       476       43         88   80   0      0     8    0
------------------------------------------------------------------------------
1     366      0       476       43         88   80   0      0     8    0

REPT 4
POS   CALLS  AVG   AVG   AVG   DN    INC    DN    OUT   #-XFER      BUSY   MANNED
ID    ANSWD  DCP   PCP   WAIT  INC   TIME   OUT   TIME  IDN   ACD   TIME   TIME
ACD DN 7380
301   81     136   115   142   3     66     12    352   0     9     20716  32208
303   57     91    261   139   4     478    15    652   0     4     20788  28702
309   49     90    2     182   0     0      1     100   0     7     4550   13466
304   87     128   127   108   1     60     12    564   0     6     22662  32088
305   39     185   108   73    0     0      2     96    0     1     11464  14302
308   0      ***** ***** ***** 15    1770   20    1464  0     0     32256  32400
306   0      ***** ***** ***** 9     2950   13    1660  0     0     32400  32400
312   11     145   2686  50    4     286    7     416   0     1     31848  32400
------------------------------------------------------------------------
8     324    125   388   127   36    93     82    88    0     28    2945   3633

Procomm Plus Script to capture ACD reports to disk. Format: MMDDYY.TXT
====================================

; ProComm script by Chris Fourroux & Curt Kempf/City of Columbia - tested
; with ProComm Plus 32 95/NT, version 4. Script to capture ACD reports to
; disk with the format XXXXXX.txt, where XXXXXX is month day year. Script
; waits for "ACD DN 7380" to occur, which is on every hourly report, then
; closes and appends the newest statistics to MMDDYY.TXT file.

string cmd="ncopy c:\capture\"
string szFileName = $DATE
string szDate = $DATE
integer Pos = 0

proc main
   dial data "Option 61"
   set capture overwrite OFF      ; if capture file exists, append data to it.
   capture off                    ; close capture file if it is open
   when TARGET 0 "ACD DN 7380" call CLOSECAP
Startloop:
   clear                          ; clear contents of screen and scroll back buffer
   szFileName = $DATE
   szDate = $DATE
   while 1
      if nullstr szFileName       ; Check to see if we've reached
         exitwhile                ; the end of source string
      endif                       ; and if so, exit loop.
      if strfind szFileName "/" Pos   ; Check for char
         strdelete szFileName Pos 1   ; and delete it
      else
         exitwhile                    ; exit if no more characters
      endif
   endwhile
   strcat szFileName ".txt"
   set capture file szFileName    ; Set name of capture file.
   capture on                     ; Open up the capture file.
   while strcmp $DATE szDate      ; Loop while date is the same
   endwhile                       ; or if the date changes,
   capture off                    ; Close the capture file.
   goto Startloop                 ; and start a new one.
endproc

proc closecap
   pause 3
   strcat cmd szFileName          ; Append to variable "CMD"
   strcat cmd " h:\uab\"          ; Append network drive to "CMD"
   transmit "^M***********^M"     ; Put in asterisks between hourly reports
   capture off                    ; Close capture file
   pause 5
   DOS cmd HIDDEN i0              ; Run "CMD" in DOS and copy file to the LAN
   pause 10
   taskexit i0                    ; Exit DOS window
   pause 10
   cmd="ncopy c:\capture\"        ; Reset "CMD"
   capture on                     ; Turn Capture back on.
endproc

Procomm Screen of dialing up the host MCA card (direct connect 9600 baud)
=====================================

ENTER NUMBER OR H (FOR HELP): 2206
CALLING 2206
RINGING
ANSWERED
CALL CONNECTED.
SESSION STARTS
logi
PASS?
TTY #02 LOGGED IN 08:59 11/4/1999
>

TN PRT out of Host MCA card
===========================

DES 2206
TN 020 0 04 31     ;note TN is TN of voice set (20 0 4 15) + (plus) 16
TYPE 2616
CDEN 8D
CUST 0
AOM 0
FDN
TGAR 1
LDN NO
NCOS 2
SGRP 0
RNPG 0
SCI 0
SSU
XLST
SCPW
CLS CTD FBD WTD LPR MTD FND HTD ADD HFD MWD AAD IMD XHD IRD NID OLD DTA DRG1
    POD DSX VMD CMSD CCSD SWD LND CNDD CFTD SFD DDV CNID CDCA ICDD CDMD MCTD
    CLBD AUTU GPUD DPUD DNDD CFXD ARHD FITD CLTD ASCD CPFA CPTA ABDD CFHD
    FICD NAID DDGA NAMA USRD ULAD RTDD PGND OCBD FLXD FTTU
TOV 0 MINS
DTAO MCA
PSEL DMDM
HUNT
PSDS NO
TRAN ASYN
PAR SPACE
DTR OFF
DUP FULL
HOT OFF
AUT ON
BAUD 9600
DCD ON
PRM HOST ON
VLL OFF
MOD YES
INT OFF
CLK OFF
KBD ON
RTS ON
PLEV 02
AST
IAPG 0
AACS NO
ITNA NO
DGRP
DNDR 0
KEY 00 SCR 2206 0 MARP
    01
    02
    03
    04
    05
    06
    07
    08
    09
    10
    11
    12
    13
    14
    15
DATE 30 DEC 1997

Very rarely, I can not dial up the host MCA card.
It simply won't answer, so the following usually clears it up:

ITEM ITEM OPE YES DCD ON PRM OFF

If that doesn't work, since 020 0 04 31 is "digital", it could be disabled.
LD 32 and ENLU it.

Procomm Script to CHG a TN when it becomes IDLE
===============================================

string TN              ;TN
string TIPE            ;TYPE, however word is reserved in ASPECT
string EYETEM          ;ITEM, ditto above.
string szList          ;List of items.
string szItem          ;Item selected from list.
integer Event          ;Dialog box event.
integer Num            ;integer value

proc MAIN
   set txpace 50                           ;delay for keyboard
   when TARGET 0 "IDLE" call CHGIT         ;when receive IDLE, go change set.
   ;Input the TN, TYPE, and ITEM
   sdlginput "LD 11, CHG when IDLE :-)" "Enter TN: " TN
   if strcmp TN ""                         ; compare to see if NULL?
      halt                                 ;if enter is pressed, halt script.
   else
   endif
   ; Display dialog box with list of items.
   ; Pick if set is a 500, 2008, or 2616
   szList = "2616,2008,500"
   dialogbox 0 55 96 100 74 11 "LD 11, CHG when IDLE :-)"
      listbox 1 5 5 90 40 szList single szItem
      pushbutton 2 28 52 40 14 "&Exit" ok default
   enddialog
   while 1
      dlgevent 0 Event                     ; Get the dialog event.
      switch Event                         ; Evaluate the event.
         case 0                            ; No event occurred.
         endcase
         case 1
            if strcmp szItem "2616"
               tipe = "2616"
            else
               if strcmp szItem "2008"
                  tipe = "2008"
               else
                  if strcmp szItem "500"
                     tipe = "500"
                  endif
               endif
            endif
         endcase
         default                           ; Exit case chosen.
            exitwhile
         endcase
      endswitch
   endwhile
   dlgdestroy 0 CANCEL                     ; Destroy the dialog box.
   sdlginput "LD 11, CHG when IDLE :-)" "ITEM: (IE: CLS HTA)" EYETEM
   Transmit "LD 11^M"                      ;Go in to overlay 11
   Waitfor "REQ"
   for Num = 0 upto 100                    ;Keep STAT'n til IDLE
      Transmit "STAT "
      Transmit TN
      Transmit "^M"
      pause 10                             ; wait 10 seconds
   endfor
endproc

PROC CHGIT
   Transmit "CHG^M"                        ;Go change the set, then halt the script.
   Waitfor "TYPE"
   Transmit TIPE
   pause 1                                 ;pause 1 second
   Transmit "^M"
   Waitfor "TN"
   Transmit TN
   Transmit "^M"
   Waitfor "ECHG"
   Transmit "YES^M"
   Waitfor "ITEM"
   Transmit EYETEM
   Transmit "^M"
   waitfor "ITEM"
   transmit "^M"
   Waitfor "REQ:"
   Transmit "END^M"
   halt
endproc

Procomm Script to CHG/NEW a list of DNs and their NAMES (LD 95)
===============================================================

integer flag=0                             ;set flag

proc main
   set txpace 100                          ;delay for keyboard
   when TARGET 1 "SCH2115" call LD95NEW    ;wait for 'name does not exist' error
   ;open text file that has a list of
   ;DNs & NAMEs you want to change/add.
   fopen 1 "C:\phone\chgnames.txt" READ
   ;chgnames.txt is in the format of
   ; 7354, Jane Doe
   ; 6745, John Smith
   ; 7645, Dan White
   ;script doesn't care if the NAME is NEW or CHG
   if failure
      usermsg "could not open the file."
   else
      Transmit "LD 95^M"                   ;Go in to overlay 95
      Waitfor "REQ"
      Transmit "CHG^M"
      Waitfor "TYPE"
      Transmit "NAME^M"
      Waitfor "CUST"
      Transmit "0^M"
      Waitfor "DIG"
      Transmit "^M"
      fseek 1 0 0
      while 1
         fgets 1 s0
         if FEOF 1
            exitwhile
         endif
         strtok s1 s0 "," 1
         strtok s2 s0 "," 1
         DelStr (&s1)
         DelStr (&s2)
         DelLineFeed (&s2)
         ;strfmt s4 "TN: %s" s1            ;uncomment these two for
         ;usermsg s4                       ;troubleshooting the script
         strlen s1 i0
         if (i0 > 2)
            LD95CHG ()
         else
            Transmit "****^M"
            halt
         endif
      endwhile
   endif
endproc

proc LD95CHG
   Waitfor "DN"
   Transmit s1
   Transmit "^M"
   pause 1
   if FLAG==1
      FLAG=0
      Transmit "^M"
      return
   else
      Transmit s2
      Transmit "^M"
      Waitfor "DISPLAY_FMT"
   endif
endproc

proc LD95NEW
   FLAG=1
   Transmit "^M"
   Transmit "**^M"
   Waitfor "REQ"
   Transmit "NEW^M"
   Waitfor "TYPE"
   Transmit "NAME^M"
   Waitfor "CUST"
   Transmit "0^M"
   Waitfor "DIG"
   Transmit "^M"
   Waitfor "DN"
   Transmit s1
   Transmit "^M"
   Waitfor "NAME"
   Transmit s2
   Transmit "^M"
   Waitfor "DISPLAY_FMT"
   Transmit "^M"
   Waitfor "DN"
   Transmit "^M"
   Waitfor "REQ"
   Transmit "CHG^M"
   Waitfor "TYPE"
   Transmit "NAME^M"
   Waitfor "CUST"
   Transmit "0^M"
   Waitfor "DIG"
endproc

proc DelStr
   param string szStr
   integer Pos
   while 1
      if StrFind szStr "`"" Pos
         StrDelete szStr Pos 1
      else
         exitwhile
      endif
   endwhile
endproc

PROC DelLineFeed
   param string szStr
   integer Pos
   strlen szStr Pos
   if (Pos > 2)
      StrDelete szStr (Pos-1) 1
   endif
endproc

You could very easily modify this script to, say, change an ASCII list of
TNs/TYPEs to TGAR 1, and have it executed at 2:00 a.m. The s0 and s1
variables would change from DN & NAME to TN & TYPE, and add
Waituntil "2:00:00" "7/16/99" to kick it off at 2:00 a.m.

Procomm Script to monitor PBX for "DTA0021", "INI0", "PWR01", then send an
alphanumeric page when received.
=======================================================================

proc Main
   #DEFINE pagernum "235.5334"            ;Enter your pager number here.
   string szName="OPT61.cap"              ;Name of text file to capture to.
   string passw
   when TARGET 1 "DTA021" call DTA021     ;what do you want to 'wait for' ?
   when TARGET 2 "INI0" call INI0
   when TARGET 3 "PWR01" call PWR0
   set capture file szName
   capture on
   set txpace 150                         ;delay for keyboard
   HANGUP
   Dial DATA "MCA"
   transmit "^M"
   waitfor "HELP):"
   transmit "2206^M"
   waitfor "SESSION STARTS"
   while $CARRIER
      transmit "****"
      pause 1
      transmit "LOGI^M"
      waitfor "PASS?"
      sdlginput "Security" "Password: (all caps!)" passw MASKED
      if stricmp passw "sss"              ;to bypass logging in.
         transmit "*"
         call loggedin
      endif
      transmit passw
      transmit "^M"
      pause 2
   endwhile
   set txpace 1
endproc

proc DTA021
   pageA()                                ;dial paging provider
   TRANSMIT "Digital Trunk Diagnostic. Frame alignment persisted for 3 seconds^M"   ;send specific x11 error to pager
   pageB()                                ;end connection to provider
   mcacard()                              ;connect back to Option 61
endproc

proc INI0
   pageA()
   TRANSMIT "An initialization has taken place.^M"
   pageB()
   mcacard()
endproc

proc PWR0
   pageA()
   TRANSMIT "Power failure from power and system monitor.^M"
   pageB()
   mcacard()
endproc

proc mcacard
   HANGUP
   PAUSE 2
   Dial DATA "MCA"                        ;Connect up to option 61 through MCA card.
   while $DIALING
   endwhile
   transmit "^M"
   pause 1
   transmit "^M"
   waitfor "HELP):"
   transmit "2206^M"
   waitfor "SESSION STARTS"
   pause 1
   when RESUME call loggedin
   loggedin()
endproc

proc loggedin
   while $CARRIER                         ;wait for errors to occur. Continue to do your MACs etc..
   endwhile
endproc

proc pageA
   when SUSPEND
   set port dropdtr on
   pause 1
   hangup                                 ;hangup Option 61 connection
   pause 2
   hangup                                 ;release mca card from COM port
   set port dropdtr off
   pause 1
   Dial DATA "TriStar"                    ;Dial your paging provider
   while $DIALING
   endwhile
   TRANSMIT "^M"                          ;TAPI protocol, M puts in manual mode.
   WAITFOR "ID="
   TRANSMIT "M^M"
   WAITFOR "Enter pager"
   TRANSMIT pagernum
   TRANSMIT "^M"
   WAITFOR "Enter alpha"
endproc

proc pageB
   TRANSMIT "^M"
   WAITFOR "More Pag"
   TRANSMIT "^M"
   pause 2
endproc

Little Known Meridian 1 Features And Programming Tricks
=======================================================

HELP and Error Lookup
=====================

HELP - Type " ? " at many prompts.
LOOKUP - At the " > " sign, type ERR AUD028 to find out what AUD028
indicates. At any other prompt, type " ! ", then you will receive the " > "
symbol for getting ERR lookup.

Find Sets with a Certain Feature
================================

LD81
REQ LST
FEAT CFXA
FEAT UNR

Lists all sets that have the "Call Forward External Allow" feature, then
lists all UNR sets.

Inventory and Identification Commands
=====================================

LD32 IDU l s c u (or) IDC l s c
LD22 CINV (and) ISSP
LD30 UNTT l s c u

Speed Call Stuff
================

Create many Speed Call lists at once. LD18 REQ: NEW 100 - Creates 100 lists.

When memory is plentiful, make the Speed Call list number the same as the
person's DN. Need to increase MSCL in LD17.

Find a "Controller" in LD81 by: REQ:LST, FEAT:SCC, then the Speed List
Number.

Allow Restricted Sets to Dial Certain Long Distance Numbers.
============================================================

Add the numbers to a System Speed Call List. Assign an NCOS to the "List"
that replaces the user's NCOS during the call.
Alternate: Add the suffix of the telephone number to an ARRN list in the prefix's RLI. This will point only that number to a new RLI with a lower (or higher, if you choose) FRL. Look up ARRN in LD86.

PBX Clock Fast or Slow?
=======================
LD2  SDTA X Y -- x y
X = 0 for "subtract time each day" -or- 1 for "add time each day"
Y = 0-60 seconds to be added or subtracted each day.
Daylight Savings question? TDST - look this one up in LD2 before changing.

Phantom DNs, TNs, and "MARP to Voice Mail" TNs
==============================================
Phantom TN with FTR DCFW
ACD Queues with NCFW but no Agents
2616 Sets with AOMs (AOMs can be in "software", but do not need to be "installed" on the set). This is an excellent "MARP TN" for DNs that need to HUNT/FDN to Voice Mail.

Digit Display on Trunk Routes and ACD Queues
============================================
Find Trunk Route Access Codes - name in LD95 like any other DN.
ACD Numbers - name in LD95 like any other DN.
IDC Numbers - name in LD95 at the DCNO prompt.
Limited Access Passwords
========================
Print PWD in LD22 before starting.
LD17
LAPW 01
PW01 12345
OVLA 10 11 20

Identify Trunks, Routes and TTY Ports with "DES" Entry
======================================================
LD17 ADAN  DES can be 1-16 characters
LD16 RDB   DES can be 1-16 characters
LD14 TRK   DES can be 1-16 characters
           TKID - enter telephone number

Free Up or Block DN Range
=========================
Change your SPRE Code to 4 digits: LD15 - SPRE XXXX
Assign all current feature codes as Flexible Feature Codes.
To hide DNs from appearing in LUDN printouts, enter DN prefix ranges as an FFC for "Ring Again Activate".

Save "Call Forward" Status upon Reload/Sysload
==============================================
LD17  CFWS YES

Call Waiting "Buzz" on Digital Sets is Not Long Enough
======================================================
Turn on Flexible Incoming Tones Allowed:
LD15  OPT SBA DBA
LD11  CLS FITA

"DSP" Display Key Applications
==============================
You're on the phone, another call comes in... Press DSP, then the ringing line, to see who's calling.
Press DSP, then Speed Call, then the entry number to view entries.
Rls23 Update - automatic Display: CLS TDD

NHC - No Hold Conference
========================
With NHC, the other party is not placed on hold while adding conferees. You can also disconnect a conferee called with NHC.
LD11  KEY X NHC
Rls23 Update - Conf. Display/Disconnect: LD11 CLS CDCA

Call Forward Indication on 2500 Sets
====================================
Add Call Forward Reminder Tone. Special dial tone is heard only when the set is call forwarded.
LD15  OPT CFRA

Override Call Forwarded Phone
=============================
Add Flexible Feature Code for "CFHO". Dial the CFHO code, then dial the extension.
LD57  CODE CFHO
On sets needing the ability to perform override: CLS CFHA

Call Forward ONLY Internal Calls - Let Externals Ring
=====================================================
Great when you need to prioritize external callers.
LD11  KEY X ICF 4 ZZZZ

"Delayed" Ring on Multiple Appearance DNs
=========================================
Non-ringing (SCN) keys will ring after a certain duration. Great for areas where many of the same DNs appear.
LD11  DNDR X  (X = 0-120 seconds of delay before SCN keys will start to ring)

Audible Reminder of Held Calls
==============================
Receive a "buzz tone" every X seconds to remind the user that a call is on hold. Also reminds the user that a Conference/Transfer was mishandled - the call was never transferred.
LD15  DBRC X  (X = 2-120 seconds between reminders)
LD11  CLS ARHA

Which Call "On Hold" is Mine?
=============================
Exclusive Hold sets held calls to "wink" at the holding set, but stay "steady" at other sets.
LD10/11  CLS XHA

Change Ring Cadence/Tone
========================
There are 4 ring styles, adjusted in the CLS of the digital set.
LD11  CLS: DRG1 -or- DRG2 -or- DRG3 -or- DRG4
Set pesky customer phones to DRG4!

BFS - Nightmare in Shining Armor?
=================================
BFS keys allow the user to monitor the Call Forward and busy status of a set, activate and deactivate Call Forward, and can be used as an Autodial key.
NOTE: Cannot perform the MOV command with BFS. The user can also forward sets by accident.
LD11  Key XX BFS l s c u  (target set's TN)

More Than 4 DNs Answered by One Mailbox?
========================================
Add up to 3 DNs to the DN list in mailbox programming. Add the 4th and all additional DNs in the "Voice Service DN" (VSID) Table and set them to "EM" to the mailbox.

1 Single Line Telephone, 3 DNs, 3 Users, 3 Mailboxes? How?
==========================================================
Create one 2500 set with one of the three DNs. Create 2 Phantom TNs, each one with a new DN, and DCFW each of them to the 2500 set's DN (from above). Add the three mailboxes... now any of the three numbers will ring the one set, but messages will be separated!
Change An NCOS After Hours
==========================
Here's an excerpt from the LD86 ESN data block that has NCOS 3 & 4 change to NCOS 2 after 4:30PM and all day on weekends:

AC1  9
AC2
DLTN YES
ERWT YES
ERDT 0
TODS 0 06 00 16 29
     7 00 00 05 59
     7 16 30 23 59
RTCL YES
NCOS 0 - 0
NCOS 1 - 1
NCOS 2 - 2
NCOS 3 - 2
NCOS 4 - 2
NCOS 5 - 5

Oops... the Console Went Into NITE... During the DAY!
=====================================================
Use NITE entries that are based on "Time of Day". See Night Service in the Features Book. If the console goes into NITE during the day, send the calls to either a set of DNs next to the console, or a voice menu/thru-dialer explaining that there are "technical difficulties". After hours, NITE calls go to where they should.

Just Two Security Tricks
========================
Create SPNs in BARS of 000 thru 009 and create a Route List Block for them with LTER=YES. Now when phreakers ask for extn 9000, they get nobody.
Use the FLEN entry on SPNs 0, 00, 011 so that nobody can transfer a caller to 9011, 90, etc.

Break Into Meridian Mailbox?
============================
Simply make the mailbox "Auto-logon". For remote access, add their DN to your set. Convenient if you need to access an employee's mailbox without changing their password. Useful for modifying the greetings of an absent employee or allowing a temporary employee access to a mailbox without divulging the regular employee's password.

Tracing Phone Calls
===================
TRAC 0 XXXX  (X = extension)
TRAC l s c u
TRAC l s c u DEV  (adds BARS info)
TRAT 0 X  (X = Console number)
TRAD  (see book, traces T1 channels)
ENTC  (see book, traces TN continuously - up to 3 TNs at a time!)

Forgot your M3000 Directory Password?
=====================================
LD32  CPWD l s c u

Another Idea
============
Use a PC to log into your PBX, then activate the "capture file". Now run a TNB and keep it as a file rather than on paper.
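The LD86 excerpt under "Change An NCOS After Hours" is worth being able to read mechanically when you are auditing toll restriction from a TNB capture. The following is an added example in Python, not from the original file and not Nortel tooling: it parses the TODS windows and the NCOS substitution table out of the printout and answers "which NCOS does this set really get at this time". The reading of the fields (TODS n HH MM HH MM as schedule n with a start and end time, NCOS x - y as x being treated as y while RTCL is active, the schedule-7 windows being the restricted periods, and weekends restricted all day) follows the author's description of the block; the weekend rule does not appear in the excerpt and is an assumption hard-coded here.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# The LD86 ESN excerpt from the text, reproduced as captured text.
ESN_EXCERPT = """\
AC1 9
AC2
DLTN YES
ERWT YES
ERDT 0
TODS 0 06 00 16 29
     7 00 00 05 59
     7 16 30 23 59
RTCL YES
NCOS 0 - 0
NCOS 1 - 1
NCOS 2 - 2
NCOS 3 - 2
NCOS 4 - 2
NCOS 5 - 5
"""

# "TODS n HH MM HH MM": schedule n, start hour/minute, end hour/minute.
# Continuation lines carry the five numbers without the TODS prompt.
TODS_RE = re.compile(r"^(?:TODS\s+)?(\d)\s+(\d\d)\s+(\d\d)\s+(\d\d)\s+(\d\d)$")
NCOS_RE = re.compile(r"^NCOS\s+(\d+)\s*-\s*(\d+)$")

Window = Tuple[int, Tuple[int, int], Tuple[int, int]]  # (schedule, (h, m), (h, m))

# Assumption taken from the author's description, not from the excerpt:
# windows filed under schedule 7 are the restricted periods.
RESTRICTED_SCHEDULES = frozenset({7})


def parse_esn(text: str) -> Tuple[bool, List[Window], Dict[int, int]]:
    """Return (RTCL on/off, TODS windows, NCOS substitution map)."""
    rtcl = False
    windows: List[Window] = []
    ncos_map: Dict[int, int] = {}
    in_tods = False
    for raw in text.splitlines():
        line = raw.strip()
        m = TODS_RE.match(line)
        if m and (line.startswith("TODS") or in_tods):
            in_tods = True
            s, sh, sm, eh, em = (int(g) for g in m.groups())
            windows.append((s, (sh, sm), (eh, em)))
            continue
        in_tods = False
        if line.startswith("RTCL"):
            rtcl = line.split()[1].upper() == "YES"
        m = NCOS_RE.match(line)
        if m:
            ncos_map[int(m.group(1))] = int(m.group(2))
    return rtcl, windows, ncos_map


def control_active(when: datetime, windows: List[Window],
                   weekend_all_day: bool = True) -> bool:
    """True when the after-hours NCOS substitution applies at `when`.
    Weekend handling is the author's stated behaviour, assumed here."""
    if weekend_all_day and when.weekday() >= 5:
        return True
    hm = (when.hour, when.minute)
    return any(s in RESTRICTED_SCHEDULES and start <= hm <= end
               for s, start, end in windows)


def effective_ncos(ncos: int, when: datetime, text: str = ESN_EXCERPT) -> int:
    """NCOS the switch actually applies to a call placed at `when`."""
    rtcl, windows, ncos_map = parse_esn(text)
    if rtcl and control_active(when, windows):
        return ncos_map.get(ncos, ncos)
    return ncos


def ncos_at(ncos: int, stamp: str, text: str = ESN_EXCERPT) -> int:
    """Convenience wrapper: stamp is 'YYYY-MM-DD HH:MM'."""
    return effective_ncos(ncos, datetime.strptime(stamp, "%Y-%m-%d %H:%M"), text)


if __name__ == "__main__":
    # Thursday 7/15/99: office hours, after 4:30 PM, then Saturday noon.
    for stamp in ("1999-07-15 10:00", "1999-07-15 17:00", "1999-07-17 12:00"):
        print(stamp, "NCOS 3 ->", ncos_at(3, stamp))
```

Feed it the ESN block from your own capture instead of ESN_EXCERPT and walk the clock across the window edges (16:29 vs 16:30, 05:59 vs 06:00); an off-by-one in a TODS entry is exactly the kind of thing that leaves a set unrestricted for a minute a day and never gets noticed from the printout alone.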
If your TNB file is large, try a high-powered text editor, which can open even 20 MB files in seconds. Search the Internet for "Text Editor". Keep copies so you can go back and see how a set was programmed when you OUT it by mistake.

*/

Using the above information you could successfully do the following:

a) Set up your own trunk configurations that allow outgoing calls.
b) Reset lines and trunks, reconfigure lines and trunks.
c) Set an internal extension(s) to share the same multiplexed trunk as you, so you can effectively listen in on any incoming/outgoing phone call made on that extension.
d) Set up calls that don't exist with no trunk assignment.
e) Set any user's voicemail box with auto-logon parameters temporarily.
f) Close down the entire network.
g) Set every phone in the company to ring forever...
h) Re-route incoming/outgoing trunk calls to any destination.
i) Park your own incoming line as "on console" so you can answer calls made to a pre-set extension.
j) Make yourself the company operator.
k) Trace phone calls, audit logs etc.
l) Set all trunks to loopback on one another.
m) Anything you want?

That's just a few ideas. But before you do ANYTHING, you should be aware that anything you do could have a devastating impact on the company's phone switch. For example, say you accidentally commanded the system to shut down... You would effectively be killing 6000+ people's phone lines, which would yield a colossal financial burden/loss onto the company. Generally I'm just saying, be nice... Just because you have the power to do such things, it doesn't mean you have to do it. :)

A final note: In the aftermath of obtaining access to a Meridian switch, it is generally advisable to erase all trace of you ever being on there. This can be achieved by resetting trunk audit logs and erasing any log of your incoming trunk setups. Therefore, if the real admin decided to track what was going on, he/she would get nowhere, because the lines you used to initially call into the system DO NOT EXIST.
It's just a case of using your imagination. Don't be destructive, don't alter anything that would be noticed, generally don't be a f00l... That's the end of this file, I hope you enjoyed it. Take it easy.

Shouts to D4RKCYDE, NOU!, b4b0, 9x, subz, pbxphreak, lusta, gr1p, LINEMANPUNX.