yyyyyssssyyyy yyyyssssyyyy      yyyy         yyyy
|lS$$ yy $$$$ """" yy lS$$ S$$$ S$$$$$ $$$$$ S$$$ssssyyyy
:|lS$ ""yyyyy yyyyssss|lS$ lS$$ lS$$ yy$$$$$ lS$$ yy lS$$
:||lS$$ $$$$$ :|lS yy :|lS |lS$ |lS$ $$ yyyy |lS$ $$ |lS$
:::|l  ,$$$$$ ::|l $$ ::|l :|lS :|lS $$ :|lS :|lS $$ :|lS
::::|  $$$$$$ :::| $$ :::| ::|l ::|l $$ ::|l ::|l $$ ::|l
.:::: ....... .:::....:::: .::| ..:|....:::| .::| .. .::|
=========================================================
F41th 15 - November 2002 - 	     http://www.f41th.org
D4RKCYDE 97-02++			  #darkcyde efnet
=========================================================

"Behold here the strength of the prophet's F41th!"



Editorial.............................................. zomba
The OSI Model and SS7 Protocol Stack...................	foneman
Bash wardialer.........................................	hybrid
Hiding Running Services from Portscanners Part I.......	phractal
Frequency Scanning.....................................	datawar
The DATU Modes and Practical Uses......................	phractal
DATU for Dummies.......................................	teletrix
A Hackers Guide to Meridian Mail.......................	prephix
0800-212-000 to 0800-212-200 (UK)...................... prephix
0800-963-XXX (UK)......................................	random 
0800-013-0000 to 0800-013-0200 (UK).................... prephix
Things to consider when (Ab)using a PBX................ b4ckch4tter




.........................................................................
Editorial................................................................
by zomba (zomba@f41th.org)...............................................

I'd like to start this (short) editorial by apologising for the lateness
of this issue of f41th. We realise that within a year a lot of people 
will have stopped visiting f41th.org - especially since f41th.com (our
old domain name) dropped and was bought by some lame company before we
realised.

In the future we are hoping to get issues out a bit more frequently, not
quite how we used to be but maybe bi- or tri- monthly. We are trying to
make f41th.org more of a community site as well, so go sign up on the bbs
at http://f41th.org/bbs/ and get talking.

So what have we been up to? good question... quite a lot of our time has
been taken up with RL issues, education/work/whatever - we haven't had
the time we would have liked to devote to DC or f41th. We have however
not ignored the hp scene and have a lot of shit that isn't ready for this
issue but will be explained in greater detail in f16, including a fair
amount of juarez snarfed in several ninja reconnaissance missions so
keep your eyes and ears open for the next release.

So anyway, lets get on with this issue, there's some decent info for you
to digest as well as hybrids bash scanner (its not that good ;) -hy) and 
some other bits and pieces.

So without further ado, I give you f41th 15...

--
Thanks to everyone that has contributed to this issue (over the past year!).
Hopefully we can obtain a greater number of articles in a shorter period of
time to enable us to release f16 sooner. Phuk everything else, F41th lives.
Fear the static. -hy


.........................................................................
The OSI Model and SS7 Protocol Stack.....................................
by foneman...............................................................


Note:  The following article explains the relationship between the OSI
Model and the SS7 Protocol Stack, it does *not* explain the protocols
within the stack itself.  Those will be later explained in a future
article.


The OSI Model: History
======================
	As you may or may not know, the Open Systems Interconnect (OSI)
data communications standard was developed and published in 1982 by the
International Standards Organization (ISO) mainly for use with mainframes.
It wasn't until 1984 that it was actually adopted as a standard.  OSI is a
protocol which provides the methods necessary for mainframes to
communicate with devices such as modems and terminals.  Since SS7 was
defined and being developed starting in 1981, the SS7 levels only map
loosely to the OSI 7 layer model.


The OSI Model: Layer Responsibilities
=====================================
*Note:  Each layer provides a service to the layer above and below it.
	Ex:  Layer 1 provides a service to layer 2, and layer 2 provides a
        service to layer 3.

				    OSI MODEL
			    
				   ____________
				7 |Application |
				  |            |
				   ------------
				6 |Presentation|
				  |            |
				   ------------
				5 |  Session   |
				  |            |
				   ------------
				4 | Transport  |
				  |            |
				   ------------
				3 |  Network   |
				  |            |
				   ------------
				2 | Data Link  |
				  |            |
				   ------------
				1 |  Physical  |
				  |____________|



	Layer 1: The Physical Layer - The responsibility of this layer is
to convert digital data into a bit stream to enable transmission over the
network, such as conversion from electrical to audible and light.

	Layer 2: The Data Link Layer - The responsibility of this layer is
to provide the services for reliable data communications between two
devices by using some method of sequencing and error detection and
correction, also called the reliability factor.  This layer is *only*
concerned with the transmission of data between the two devices and *not*
the whole network.

	Layer 3: The Network Layer - The responsibility of this layer is
to provide routing services for packets received from some other node.  It
is up to this layer to look at the destination address and find the link
to be used to get there.

	Layer 4: The Transport Layer - The responsibility of this layer is
to make sure the communications over the network are reliable and without
error.  The reliability factor, which was discussed in the Data Link
section, can be built into the Transport layer should the Network layer
become unreliable.

	Layer 5: The Session Layer - The responsibility of this layer is
to establish a dialog with another entity as well as define what type
of dialog to be established.  It also provides flow control procedures
and manages synchronization points.

	Layer 6: The Presentation Layer - The only responsibility of this
layer is to compress and/or encrypt the data and to provide it in a syntax
that can be sent and received over the network at a distant node and then
decompressed and/or decrypted.

	Layer 7: The Application Layer - The Application layer is
basically the interface between the application entity and the OSI model.
This is the first stage in preparing the data to be sent over the network.


The SS7 Protocol Stack: An Overview
===================================
	The SS7 protocol has proved to be an incredibly reliable and
efficient packet-switching protocol that provides all of the services and
functions required by telephone service providers.
	One thing that you might have noticed right off the bat is that
while the OSI model is made up of 7 different layers, the SS7 standard
only uses 4.  This is because the functions carried out by the 4 SS7
levels correspond with the OSI model's 7 layers.  Also, some of the OSI
model's functions serve no purpose in the SS7 network.  The fact that the
SS7 stack doesn't perfectly align with the OSI model is due to the fact
mentioned earlier in this text.


The SS7 Layers: Level Definitions
=================================

			       CCS7 LEVELS

			_  ______   __  __  __
		       |  | TCAP | |  ||  ||  |
		       |  |______| |  ||  ||  |
		       |   ______  |T ||I ||B |
		       |  | ASP  | |U ||S ||I |
		      4|  |______| |P ||U ||S |
		       |   ______  |  ||P ||U |
		       |  | SCCP | |  ||  ||P |
		       |_ |______| |__||__||__|
			   ___________________
			3 |    MTP Level 3    |
			  |                   |
			   -------------------
			2 |    MTP Level 2    |
			  |                   |
			   -------------------
			1 |    MTP Level 1    |
			  |___________________|



	Level 1: The Message Transfer Part Level 1 - The MTP Level 1 is
the SS7 equivalent to the OSI Physical Layer, except for the fact that
while the OSI model doesn't specify which type of interface to be used, in
SS7, we can specify that.

	Level 2: The Message Transfer Part Level 2 - The SS7 MTP Level 2
is the SS7 equivalent to the OSI Data Link Layer, except for the fact that
the SS7 level does not provide the routing for SS7.  Level 2 ensures
reliable end-to-end data transfer over the network, implements flow
control, message sequence validation, and error checking.

	Level 3: The Message Transfer Part Level 3 - The SS7 MTP Level 3
is the SS7 equivalent to the OSI Network Level.  It provides the following
functions: routing, message discrimination, and distribution.  Message
discrimination basically figures out who the message is addressed to.  The
distribution occurs when the discrimination determines that the address is
a local address.  In this case message distribution is responsible for
identifying which user part the message is addressed to and routing the
message to its internal user.

	Level 4: The User Parts Level - The SS7 User Parts Level is made
up of multiple protocols called user parts and application parts.  These
protocols are responsible for functions from basic telephone call
connection and disconnection, provided by the Telephone User Part (TUP) or
the ISDN User Part (ISUP) protocols, to passing subscriber information
from one cell network to another, provided by the somewhat new Mobile
Application Part (MAP) protocol.


Conclusion: What Comes Next?
============================
	A few people have asked me if I think Signaling System 7 is going
to become obsolete.  SS7 is a digital and multi-layered signaling system.
It is quite flexable and fully capable of adaptation.  This has already
been proved when application parts were added to SS7 when Public Land
Mobile Networks were introduced.
	As stated at the beginning of the article, in the future I will be
writing more in depth about the SS7 protocols within the stack.

Greets:  tprophet, lineman, fringe, elektron, c4, borodir, devolve, icbm,
darkcube, subz, downtime, #darkcyde, radiofreq, zoro-a, mega elite.  And
all the people I haven't forgotten:  baiac, panther, kool-aid, brain
phreak, impy, bell phreak, scarface, channel surfer, sdphreak, doomd,
hologram, chaos451, prodigy, chameleon, johnny yo yo, placid, sedition,
water, william tell, vi, broken-, autopsy, theorem, the old sysfail crew,
phriend, dizzy and the rest of the old #telephony cats.


.....................................................................
Bash Wardialer.......................................................
hybrid...............................................................
hybrid@f41th.org..................................................... 
lynx -source http://www.f41th.org/hybrid.asc |gpg --import...........


#!/bin/bash
#==========================================================
# Random/Sequential carrier scanner implementing pppd+chat
# hybrid
#==========================================================
# rnd|std 	- Random(bash prng) or Seqential scanning.
# -r		- Randomization:
# Implements SRegister 11 (DTMF Speed Control) with a random 
# pattern between 50 - 255 milliseconds + Generates random
# pauses between dialing a different number.
# For verbosity, tail -f your syslog.
# Logs results to <pre+range.log> in pwd. 
# Generates Dial-List to <pre+range.dat>
# Note: when scanning low ranges, ie: 0800 123 000 010, 
# take out the suffixing 0 from the scanto range, ie:
# ./scn.sh 0800 123 000 10 rnd -r, instead of 000 010. 
# implementation: 
# * Remote scanning from box inside internal LAN, internal
#   extensions. (todo: internal Meridian/Audix/Octel RA
#   dialup hunting mode.
# * Daemonize the script, crond.. 
#==========================================================

# prefix before dialed number, ie: CLID blocking,
# 9 for outside line etc. 

ROUTE="141,"

# recomended 45 (sec)

TIMEOUT="30"
BAUD="9600"
DEV="/dev/ttyS0"

# pause between dialing limits (used in -r)
# default 0-10 seconds. For greater stealth, increase the
# upper limit

p_upper=10
p_lower=0

# S Register's
# Lost Carrier Hang Up Delay, length of time to wait before
# hanging up after carrier loss has been detected (1-255 tenths of sec)

declare -i LC=14

# DTMF Speed Control, length of DTMF tone/speed of dialing
# (50-255 milliseconds)

declare -i DTMFSPC=95

# Some/Most eXchanges will not allow rapid dialing (in the 50/ms mark),
# adjust the lower limit to suit your line when scanning with random dtmf
# speeds. Standard mode is preset to 95m/s, adjust this to suit. 

upper=255
lower=50

if [ $# -lt 4 ] ;then {	
   echo "./`basename $0` <prefix> <range> <from> <to> <std|rnd> <-r>" 
} >&2
exit 1
fi

pre=$1
ran=$2
from=$3
declare -i to=$4
rdial=$6
code="${pre}${ran}${from}-${to}.log"
stat="${pre}${ran}${from}-${to}.stat"
data="${pre}${ran}${from}-${to}.dat"

dial() {
   line=`cat ${stat}`
   declare -i length=`cat ${data} |wc -l`
   let "length -= ${line}"
   for (( i=0 ; i<=length ; i++ )) ;do
      noint=`ps x |grep pppd |grep -v grep |wc -l`
      if [ ${noint} -eq 0 ] ;then
         if [ "${rdial}" == "-r" ] ;then
            DTMFSPC=0
            while [ ${DTMFSPC} -le ${lower} ] ;do
               DTMFSPC=${RANDOM}
               let "DTMFSPC %= ${upper}"
            done
	    pause=0
            while [ ${pause} -le ${p_lower} ] ;do
               pause=${RANDOM}
               let "pause %= ${p_upper}"
            done
	    echo "done"
	    echo "waiting ${pause} seconds before dialing..."
	    sleep ${pause}
         fi
         num=`cat ${data} |sed ${line}q |tail -1 |awk '{ print $1$2$3 }'`
         killall -9 pppd chat 2>/dev/null
         echo ;echo -n "dialing ${ROUTE}${num}"
         pppd ${DEV} ${BAUD} debug kdebug 4 logfile ${code}	\
         connect						\
         'chat -E -v -t '${TIMEOUT}'				\
            ABORT "BUSY"					\
            ABORT "VOICE"					\
            ABORT "NO ANSWER"					\
            ABORT "NO DIALTONE"					\
	    ABORT "NO CARRIER"					\
	    ABORT "ERROR"					\
	    ECHO OFF						\
            SAY "'${num}':\n"					\
	    "''" "AT S10='${LC}' S11='${DTMFSPC}'"		\
	    OK ATDT'${ROUTE}${num}' 				\
	    CONNECT "''"					\
            SAY "CARRIER DETECTED ON: '${num}'\n"'
	    let "line++"
	    echo ${line} >${stat}
      else
         sleep 2
         echo -n "."
         let "length++"
      fi
   done
}
std() {
   echo "${from}" >tmp.$$
   bs="`cat tmp.$$ |wc -L`"
   for (( i=from ; i<=to ; i++ )) ;do
      if [ $i -lt 10 ] && [ ${bs} -le 3 ] ;then range[pos]=00${i}
      elif [ $i -lt 100 ] && [ ${bs} -le 3 ] ;then range[pos]=0${i}
      elif [ $i -lt 10 ] && [ ${bs} -ge 4 ] ;then range[pos]=000${i}
      elif [ $i -lt 100 ] && [ ${bs} -ge 4 ] ;then range[pos]=00${i}
      elif [ $i -lt 1000 ] && [ ${bs} -ge 4 ] ;then range[pos]=0${i}
      else range[pos]=${i}
      fi
      {
         echo "${pre} ${ran} ${range[pos]}"
      } >>${data}
      let "pos += 1"
   done
   rm -rf tmp.$$
}
rnd() {
   echo "${from}" >tmp.$$
   bs="`cat tmp.$$ |wc -L`"
   echo ;echo "generating array" ;echo
   for (( i=from ; i<=to ; i++ )) ;do
      echo -n "-"
      if [ $i -lt 10 ] && [ ${bs} -le 3 ] ;then range[pos]=00${i}
      elif [ $i -lt 100 ] && [ ${bs} -le 3 ] ;then range[pos]=0${i}
      elif [ $i -lt 10 ] && [ ${bs} -ge 4 ] ;then range[pos]=000${i}
      elif [ $i -lt 100 ] && [ ${bs} -ge 4 ] ;then range[pos]=00${i}
      elif [ $i -lt 1000 ] && [ ${bs} -ge 4 ] ;then range[pos]=0${i}
      else range[pos]=${i}
      fi
      let "pos += 1"
   done
   echo -n ">DONE" ;echo ;echo
   p=0
   range_length=${#range[@]}
   echo "generating random suffix" ;echo
   for (( j=0 ; j<range_length ; j++ )) ;do
      echo -n "-"
      alg=$RANDOM
      let "alg %= $range_length"
      local temp=${range[j]}
      range[j]=${range[alg]}
      range[alg]=$temp
   done
   echo -n ">DONE" ;echo 
   echo "saving output to file.." ;echo
   {
      while [ $p -lt $range_length ] ;do
         echo "${pre} ${ran} ${range[$p]}"
 	 let "p = $p + 1"
      done
   } >${data}
   rm -rf tmp.$$
   echo "DONE" 
}
if [ "${5}" == "std" ] ;then
   if [ ! -e ${stat} ] || [ ! -e ${data} ] ;then 	
      echo "1" >${stat}
      #==============
      std ;dial ;echo 
      #==============
   elif [ `cat ${stat}` -gt `cat ${data} |wc -l` ] ;then
      echo "seqential scan complete."
      exit 0
   else
      #==============
      dial ;echo 
      #==============
   fi
elif [ "${5}" == "rnd" ] ;then
   if [ ! -e ${stat} ] || [ ! -e ${data} ] ;then
      echo "1" >${stat}
      #==============
      rnd ;dial ;echo
      #============== 
   elif [ `cat ${stat}` -gt `cat ${data} |wc -l` ] ;then
      echo "random scan complete."
      exit 0
   else
      #==============
      dial ;echo
      #==============
   fi
else
   echo "choose random(rnd) or seqential scan(std)"
fi
exit 0


.......................................................................
Hiding Running Services from Portscanners Part I.......................
by phractal............................................................



/* parts of this article are theoretical and some
is proven with code, feel free to get in touch
to comment or point out flaws in my theories */


Hey there. Have you ever wished to run a certain daemon or backdoor
but have it hidden from the eyes of network scannners. Suppose you
want to run a private ssh server for only a select few, but they
don't always have the same hostname, or perhaps a backdoor to a 
unix that you worked hard to get to. Well, I got to thinking of
ways to have an actual service running and yet being undetectable
to people snooping in on your network. 



Here's what I will discuss

	-'port tripwire'
	  -how it works
	  -porttrip.c
	  -end notes


#############
Port Tripwire:
#############

Port tripwire is a name i came up with for opening up a low port in
an attempt to catch a port scanner before he reaches any ports that
you want to hide. 

If you or your borrowed remote host are running:

Port       State       Service
23/tcp     open        telnet
53/udp     open        domain
80/tcp     open        http
3557/tcp   open        BACKDOOR

You might want to hide this machine from scanning kiddies to hide
anyone who might want to abuse your server if they want to get in
via telnet, or maybe you don't want it known that you run a web
server, and of course, that backdoor is supposed to be hidden from 
view of scanners as well. How can we prevent a scanner, of whom
we will have no idea of his IP address, from finding these running
services via scanning? Well, port scanners will generally scan ports
in sequence or in rough sequence. They will or will usually access 
the low ports first, and then proceed to connect/request ACK replys
of higher and higher ports. We can intervene on the scanning process
if we stop the scanner midway. We can do that by looking for him
where he'll come in, the low ports. We should choose a fairly obscure
port to try and detect the scanner, because otherwise it could be
a legitimate session, a normal user accessing a known service. For
my little port tripwire program, I chose port 3, it is a low port, 
and almost no one runs it. If you wish to hide common services, you
may wish to change that to port 7(echo), as that is obscure, but it
is also listeded in nmap's services to scan for.

The way that Port Tripwire works is, it opens up a socket and 
listens on that low port. If any connection is made to that port,
the program identifies who that host is, and immediatly issues
a command to firewall out any further attempted connections made
by the scanner. It blocks him out, turns the computer silent on
him. The following code proves this concept. It is however 
incomplete, not a full security program, and most likely has
plenty of vulnerabilities itself. It is used just to demonstrate
this concept.

#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>       

#define PORT 3
#define BACKLOG 1

//Port Tripwire BETA
//made for BSD or any ipfw firewalled OS
//by phractal


int main() {

	//printf("PortScan Tripwire BETA by phractal \n");
	int fd=socket(AF_INET,SOCK_STREAM,0);
	int fd2;
	
	struct sockaddr_in server;
	struct sockaddr_in client;
	int sin_size;
	
	server.sin_family = AF_INET;
	server.sin_port = htons(PORT); 
	server.sin_addr.s_addr = INADDR_ANY;
	bzero(&(server.sin_zero),8);
	
	bind(fd,(struct sockaddr*)&server,sizeof(struct sockaddr));
      		
	
	

	listen(fd,BACKLOG);	
	
	while(1){
  		sin_size=sizeof(struct sockaddr_in);
		if((fd2=accept(fd,(struct sockaddr *)&client,&sin_size))>-1) {
		//printf("connection from %s\n",inet_ntoa(client.sin_addr) );
		//printf("DENY! \n");
		char cmd[150];
		char cmdpt1[] = "ipfw add 01234 deny tcp from ";
		char cmdpt2[] = " to any";
		sprintf(cmd, "%s%s%s", &cmdpt1, inet_ntoa(client.sin_addr), &cmdpt2);
		printf("%s",cmd);
		system(cmd);
		
		}
	}
	close(fd2);
	return 0;
}


While this program is running, if i nmapped a server running it with a 
normal TCP connect() scan then I would see port 3 as the only running
service. 

There are some problems with this program. Since it uses accept() to 
determine that a scan is in place, SYN scans will not be picked up,
and if a scanner was lucky or smooth enough, maybe he might scan a 
certain block of ports that is outside the port that the tripwire
program runs on.

In Part 2, I will discuss more advanced port scan detection methods.
I will focus on using promiscuous mode to sniff for SYN packets
and will be using methods different from the tripwire approach.

-------------------------------------------------------------------->


greetz go out to h/pers and coders better than me:

stain, team phreak, awnex, dvdman, l33tsecurity, pare, bor, trunklord
linear, bor, 9x, subz, hybrid, datawar, downt1me, notten, telec
and people i forgot


.....................................................................
Frequency Scanning...................................................
DataWaR, dw@f41th.org................................................

===> Setup

Radio shack Realistic PRO 37 scanner modified to unlock high frequencies
and the 800 range. If you want to know how I did this you may either lookup
at google or ask me through email.

First step is to get hold of signal mixer. I used one with two UHF inputs
and 1 VHF output. You may be able to get hold of any single VHF/UHF
combination or others depending on how much power you need. Unlike most ppl
do the amplification comes by modifying the edge of the UHF antenna with 
a small plate designed in spiral form.

You may either construct this on your own or by asking for a ready one. 
Availability may be an issue as they are not sold separete. The idea 
behind this is to enable a better receiving interface on all directions.
The next step is to connect the two antennas in the mixer (to avoid noise 
use the extra grounding wire strip on the box). Follow the same procedure 
for as many antennas you wish or the mixer supports. Make sure the 
indications on the box are similar to the input type i.e VHF. If the box 
does not indicate this, a way around it is to open the mixer and lookup 
the circuit at the back. The wire that does not end up in the grounding of 
the circuit is the one where you need to connect up the strip of the 
arial.

Replace the rubber antenna that the scanner comes with with the output 
lead of the mixer. Make sure you have a female->male adaptor to ensure 
that the fitting is good although I tried connecting the wire directly in 
and it worked. But it is better to keep a good design.

Once everything is connected you may need to start tweaking the direction 
of your antenna(s) depending on what singal you want to pick up. The trick 
while scanning is to either go manually (slow way) or speed up by using a 
delay factor. This is done to ensure that the scanner will have time to 
pick up a signal if the channel being scanned is idle for a few seconds. 
This will delay our scanning process but it will increase the 
probabilities of grabbing an active channel of communication. Another good 
tip is to make the scanner sensitive to signals incase you are receiving
something weak. Although this will help it will sometimes pick up channels 
with a lot of noise and no activity which you should ignore.

Finally an amplifier may be needed to reconstruct weak signals received. 
This is an intermidiate device between the mixer or single antenna 
depending on what you followed and the actual scanner input. Usually such 
a device wont be needed unless you live in a rural area (hah!).

===> Scanning results

132.800 Airport traffic? 
	A woman giving plane coordinates and directions of 
	destinations and flight levels probably military 
	training planes. Also directing flight levels, coordinates 
	of radar placement etc.

149.600 Coast police station center. 
	Loads of fun feel free to abuse them with a tranceiver.

141.500 Pirated radio shack?

145.000 ~5 ppl communicating with code names couldnt figure out any pattern.

146.750 Truck drivers communicating probably some lame cargo company. 
	Loads of noise in the channel use some sort of high pass filter if 
	you wanna get rid of it.

153.125 Police vehicle frequency. 
	Most of them report incidents to all the police vehicles.

164.800 Radio taxi (lame!)

165.525 Didnt pay too much notice to them I think its an ambulance frequency.

169.885 Street car repair. They are retards (I warned you!).

170.625 Street police, they communicate a lot with coordinate systems 
	on locating places. (probably a street maping system)

173.125 Fire station (lame!)

445.000 Periodic signal which seems to be modulated probably needs a 
	demodulator to listen correct.

900.625 My neigh. wireless phone. (haha nice messing around with him!)
	I noticed that a lot of wireless phones use 900mhz to communicate 
	so if you are close to a lot of them you might pick up different 
	all the time.

945.125 Constant ticking and rarely one person talks with no sense. 
	Experimental broadcasting frequency?

Note: I did not pay much attention scanning the entire frequenct range 
I just picked up some open channels and had them into monitoring mode. 
This test was made in two areas in Greece where I was able to pull my 
setup and not being disturbed.

===> Conclusion

Scanning is illegal by the law and is prohibited in most countries especially
if used without a license. So I have no responsibility if you get caught in 
any way. Theoretically it is very hard to get caught if you are doing dynamic
scanning such as moving in a car as your location coordinates change all the
time and it is hard to track down your exact location although it is possible.
Furthermore care must be taken especially if you are in area that you know
ppl perform checks with radar scanners. I tried to keep this document 
independant of a scanner make. Although some features described above such 
as the delay factor and others may or may not exist in your scanner. Also 
unlocking frequencies may
vary depending on the design of your circuit/scanner. This document was not 
made to discuss how to unlock certain types of scanners so if you want to 
do that look it up yourself, there are already a lot of articles written 
on such procedures.

Take care and have fun :-)

-- DataWaR


.........................................................................
The DATU Modes and Practical Uses........................................
by Phractal..............................................................


[ disclaimer: unless you are a certified technician, any DATU you access
is not your property and therefore is electronic trespassing into the
insides of your local Central Office. Know what you're getting into. This
information may or may not have been test by someone certified to operate
a DATU. This is merely information, nothing more.]

I.    Intro, Switching Diagrams, DATU definition
II.   Format of DATUs
III.  Test Mode
IV.   Admin Mode
V.    Practical DATU uses
VI.   Theoretical DATU uses
VII.  Final Notes
VIII. Technical Acronyms

I. Intro
	Well, a great many of articles have been written recently
regarding the Direct Access Test Unit (DATU). A DATU is a computer
that you can connect to via the PSTN, all you need is the phone number.
My local Central Office uses a AT&T 5ESS switch, so I know for a fact that
those switches use DATUs, I am not sure about others, like DMS switches,
but chances are, your local, residential Central Office has a DATU. DATUs
use the ring and tip wires a lot to test lines, the ring and tip wires
are often the red and green wires that go into your phone.

	DATUs are tubular little wonders that allow the phone company and
phreaks to perform tests on local loops. To test a line outside your
Central Office's area, you need the DATU number for the Central Office
that serves it.

I should mention that this article discusses but is not necessarily
limited to testing POTS lines.

>From the PSTN to your home:

          |
  \              /
                         /------------------\   /-----------------------\
_      PSTN!     ---ss7--| Toll Switch      |---| Local Switch / CO     |
                         |DMS 200, 250, 500 |   | 5ESS, DMS 10, DMS 100 |
                         \------------------/   \-----------------------/
  /       |     \                                         |
                                			  |
                                                     <POTS lines>
                                                          |
                                                         ___
                                                        /   \
                                               /--------\   /--------\
                                               |Junction|   |Junction|
                                               |  Box   |   |   Box  |
                                               \--------/   \--------/
		                                  /\   Split    /\
                        Your k-rad line~~~~~~~~~>/  \   lines  /  \
                                                /\  /\        /\  /\
                                               /  \          /
                                              /
                                             /
                                       tip> /\ <ring     Residential
                                           /  \          Loops
                                           |  |
                                           |  |
                                         /------\
                                         | home |
                                         \------/



II. The Format of DATUs

The format of most DATUs is xxx-9935

It is up to you to find an exchange that works, it shouldn't be too hard
since most non-toll COs only serve less than 15 or so exchanges. If you
still can't find it, the DATU could be anyplace else, or you have a
different switch, but for most 9935 is the suffix for the DATU. You can
try wardialing for them. You will recognize a DATU by it's weird prompt.
It is a 440hz tone sounding like a low hum. The prompt is asking you to
enter in the DATU password on your DTMF keypad. All passwords that I have
found to work are 4 digits, the default is 1111. If it isn't the password,
try pairs like 3535 or 9292, i have found some that work with pairs, as
well as 4300. Then again, don't try and brute force the password, at least
not from home. If the Telco notices a lot of failed DATU logins then they
will contact you or they will change the password, causing a headache for
all the linemen and phreaks who already know it. Use your head :)



The real hardcore hardware nerdy stuff of DATUs can be acquired by reading
Phrack 52, and PPM issue 2 and 3.

Therefore I'm not going to heavily explain what all the functions do
inside the DATU.

Also, for a quick reference, check Telec's article @ phonerangers.org

-Once you have the DATU, and the 440Hz tone, you will have to dial the
password using DTMF tones. There are two accounts/passwords THAT I KNOW OF
for each DATU. There is the normal account which is a 4 digit password,
and there is an ADMIN account, which is * followed by 7 digits.

III. Test Mode

Default passwords for the normal account are 1111 and 4300
Once inside the DATU using the normal account you will hear a second
440 Hz tone prompting you to enter in a seven digit phone number that
is served by the switch the DATU is at. After that you should hear an OK
to confirm, otherwise you did something wrong, or the line is busy. You
can perform tests on the line by using the corresponding codes:

Code:   Test:                     Fuction:
1       ----                      Announces the menu over the phone

2       Audio Montior             Hear SCRAMBLED traffic on the phone, can
                                  be used to test if there is activity on
                                  line or not.

33      Short to Ground           Shorts the ring, tip and ground wires of
                                  your line back at the CO(red and green
                                  wires)

37      Ring Ground               Shorts ground and ring wires

38      Tip Ground                Shorts ground and tip wires

44      Ring/Tip High Tone        Bursts a high level tone onto the Tip
                                  and Ring Wires

47      Ring High Tone            Bursts a high level tone onto Ring wire,
                                  Tip grounded

48      Tip Hight Tone            Bursts a high level tone onto Tip wire,
                                  Ring grounded

5       Low level Tone            Bursts low level tone onto tip and ring
                                  wires

6       Open Line                 Cuts battery power to tip and ring, line
                                  has no electricuty from CO, rendering it
                                  unusable

7       Short Line                Electricity given to tip and ring from
                                  CO

9       Permanent Signal Release  Used on busy lines in older switches,
                                  refer to the DATU article by BlackAxe in
                                  Phone Punx Magazine Issue 2

*       Hold Function             Keeps current test on line active after
                                  you disconnect for a specified amount of
                                  time that you have to enter in, most of
                                  the time 10  minutes is the max, to
				          prevent things like a line being open
                                  for a month.
#       New Test                  Disconnects you from current line, and
                                  prompts you to enter in a new number to
                                  test, like the Control-C of a DATU.

IV. ADMIN MODE:

/!#@$%@#$

HI, I just want to make a point of saying that the following is info is
NOT confirmed, I am writing this from my experiences using admin mode.
For example, I don't know if option 3 actually has the power to delete
exchanges or not, i haven't tried it, and neither should you, really.

The Admin mode is entered by entering in a * followed by a seven digit
passsword. I currently am un-aware of any 'defaults' for this. The
options in the admin account allow you to do things that pertain more to
the Central Office and how it serves the public. You cannot test local
loops with the ADMIN ACCOUNT. Once you get a valid password, you should
NOT hear a second 440hz tone, you should just automatically hear an 'OK'. 
The
following codes work for the ADMIN mode:

***PLEASE IF YOU HAVE ACCESS HERE, EXPLORE WITH CARE! YOU COULD SERIOUSLY
CAUSE DAMAGE TO YOU AND YOUR LOCAL NEIGHBORS SERVED BY THE LOCAL CO. I
WOULD SUGGEST YOU DO NOT EVEN ATTEMPT TO CHANGE OR ACCESS ANY OPTIONS
OTHER THAN TO CLEAR YOUR TRACKS(covered later).

Code:     Option:                       Sub-Optionz:
1         Set password                  1.Set System Password
					          2.Set User Password

2         Select Busy Test              1.Select Busy Test
                                           4. Stanard Busy Test
                                           5. 5ESS Busy Test
                                        2.Select Dialing Message
                                           1. MF Dialing Message (??)
                                           2. MF Dialing Message
                                           3. Pulse Dialing Message (??)
                                           4. Pulse Dialing Message
                                           5. MF with Reversal Sensing
                                           6. Pulse with Reversal Sensing
                                        3.Select Trunk
                                           1.Standard Trunk
			                         2.Special Trunk
                                             1. Trunk Share
                                             2. No Trunk Share

3         Read/Change Prefixes          3.Add Prefix
                                        4.Clear all prefixes
                                        5.Delete Prefix
                                        6.Read all prefixes

4         Read/Clear Timers             1. Read Timers
					             1. Usage Timers
					             2. Function Timers
					          2. Clear Timers
                                           1. Clear Usage Timers
                                           2. Clear Function Timers
                                           3. Clear all Timers

5         Select # of digits            Dial 4, 5, or 7

6         Set AccessTimeout Parameters  Dial Three Digits

7         Read/Clear Counters           1. Read Counters
                                           1. Read Usage Counters
                                           2. Read Function Counters
                                        2. Clear Counters
                                           1. Clear Usage Counters
                                           2. Clear Function Counters
                                           3. Clear all Counters
8         Enable/Disable Test 9         Toggle wheather Permanent Signal
                                        Release is allowed or not to be
                                        used
0         Clear Alarm                        ??



There are other kinds of lines and functions that you can do with the DATU
computer, but I suggest you look them up in Phrack or PPM, or maybe I'll
write a part 2 sometime later :)

BTW, the only tests that work on a busy line are: Audio Monitor, Low Level
Tone, and Permanent Signal Release.

To cover  your tracks, clear the onboard logs, aka Timers, via Option 7.

V. Practical Uses for DATUs:

Busy Lines:
	Let's say you call a number, be a friend, or wardialing and its
busy. You can use the audio montitor to test if there is actual traffic
on the line, if not, then maybe the line is somesort of test line or
someone left a phone off the hook. I have found audio monitor useful when
trying to hack weird modern COCOTs. Let's say you know a BBS or some
carrier that you want to connect to, but it's busy, like a COCOT's
computer modem, you can blast a Low Level Tone to throw off the modem and
have it get disconected, you can also remotely disconnect any modem from
a connection if you know the number of the line. (You can only do this if
the line has a ground going into thehouse, or building and not just at
the CO) If there is a number you have found that is ALWAYS busy, i mean
ALWAYS, try  opening the line and dialing it right after the line is
shorted back. I find that COCOTS almost always have grounds in them.

*Most residential lines will not hear Low Level Tone, because they have
no ground going into the phone.

Beige Boxing in a large Telco Boxes:
	When beiging in a large telcobox, depending on where you are, it
can be a puzzle to find the right pair to connect to the line you want to,
if it is a specific line that you are looking for. You can use High Level
Tone Tests to look for the pair, when you reach a pair that has a beeping
you can bet its the same line you inputted into the DATU. If the line is
busy, or you want to be more stealthy, you can use the low level tone,
which is less likely for someone to hear unless they have a ground going
into their phone, most don't nowadays.

Remote Busy Box:
	Remember the Busy Box? You crossed the green and red wires to busy
out any line. The green and red wires are tip and ring, so test code 33
can remotely turn any local line into a busy box since the tip and ring
wires are shorted out at the CO. Be in mind that most likely you can only
keep a line shorted for 10 minutes after you hang up, if you want longer,
just keep dialing in every 10 minutes. The same goes for opening a line
(shutting it off) or any tone tests.

(Hint about time limits, study ADMIN functions)

Some notes about Audio Monitor:

--- The Audio Monitor feature is not a tap or eavesdropping feature, you
can not understand any speech or capture any DTMF tones traveling along
the line though the DATU. It is merely used to verify that there is indeed
activity on a line, if the line is busy and there is no acitivy, then
there could be a problem.

VI. Theoretical Uses for DATUs:

Creating Phone Numbers:
	Have you ever dreamed of creating a phone number out of thin air,
with no billable address like the Legion of Doom did back in the day?
Well, the first step could be creating a new exchange to use your numbers
on. Once the exchange is created, I can't really tell you where to go
from there. If you find other ways of entering the switch, like thru a
dialup or over some Packet Switched Network, then go for it, but be
careful, respect the telco's turf, and DON'T MODIFY OTHER PEOPLE'S STUFF!

Mapping Switch Hardware:

	I have heard some DATUs announce the switch they are attached to.
This can be useful to find out info on how to remotely explore the switch.
Also, if Permanent Signal Release is enabled, then you could find a stroke
of unbelievable good luck, Step by Step switching, which in theory of
course, all kinds of things would work, like blueboxing (inband
signalling), black boxes, etc...


VII. Final Notes:

DATUs are for testing lines only, they apply certain tones and can short
lines, but they are not used to add features or anything to a line. You
cannot add three way calling to your line through a DATU. You cannot add
Call Forwarding to you line, you cannot get ISDN or ADSL. And please test
responsably. If you keep opening a line to annoy someone then the
password will most likely get changed.

As far as I know, if you have the dialup and password, you can access the
DATU from anyplace on the PSTN, there is no confirmation that you are
calling from a local number or anything, so If you are in NY, you can test
lines in California providing you have the DATU k0d3z.

VIII. Technical Acronyms:

PSTN   Public Switched Telephone Network (the global phone network)
AT&T   American Telephone and Telegraph
ESS    Electronic Switching System
DMS    Digital Multiplexing System
CCITT  Committee Consultative International Telegraph and Telephone
POTS   Plain Old Telephone System
DTMF   Dual Tone Multi Frequency
PPM    Phone Punx Magazine
MF     Multi Frequency
CO     Central Office
COCOT  Customer Owned Coin Operated Telephone
BBS    Bulliten Board System
ISDN   Integrated Services Digital Network
ADSL   Asynchronous Digital Subscriber Line
DATU   You should know this...

Greets:

9x, Substance, Hybrid, D4RKCYDE, Downtime, Phonerangers, Telec, Mastermind,
Black Axe, Janus, linear, terror eyz, dijit, nawleed, vixen, Zylone,
Pinguino, The Clone, logicbox, velocity, Venadium, Brisk, Bor, Xade :),
notten, barby, bikr, tomgavin, leprekaun, dinkee, purp, vap0r,
Tubular Phreak, 3rd worm, diozepart, Team Phreak, and all my other old
skool conf buddiez, you know who you are ;)

I also owe alot to Telec and MMX to my current understanding of the DATU.


.........................................................................
DATU for Dummies.........................................................
Text by: teletrix, written for f41th.....................................


Preface

So now I assume that most of us have heard of the wonderful tool which
we call the DATU.  It stands for Direct Access Testing Unit.  This
testing unit is a remote tool utilized by technicians.  I don't know if
they exist in Canada, and for the most part I believe they are mainly a
state-side toy, if I'm wrong please let me know I'd love to see a DATU
from another country, differences and etc.  Now to let you know where
this information came from: I went through many attempts at SEing the
Harris corporation for the System Administrator Manual to the DATU, (The
Dracon division of Harris makes these testing units) I searched the
dumpsters, I tried every resource.  Finally, I got someone at Harris to
give me the manual and I also asked him a lot of questions, this
information was what I used to make this test.  The people at Phrack did
this too to get the info, but they didn't give all the info such as
administrator mode.  This text will teach you about the basics of the
DATU, how to find one, and all about the User and Administrative modes
on each.  Just some food for thought, these things are really expensive,
so be careful.  Know what you are getting into, if you access these
lines through boxing it is a Federal Crime (wiretapping) if you damage
it, destroy it, all that stuff it is a federal crime, know the risks,
don't pretend like you didn't know.

Where is the DATU?

The DATU is located at your local central office, or CO.  The way it
works is you have the PSTN, and then that is connect to the CCITT5
Trunk, which goes to the toll switch (DMS 200, 250, 500), which is
connect to your CO, your local switch if you will, which runs off of
5ess, or DMS 10, or DMS 100.  From the CO you have your Plain Old
Telephone Service Lines (POTS), they go through the area, nicely for one
area at a junction box, then to your home.  Anyway the DATU itself is
located at the CO as part of the computer.  So you're saying that's
great, but I don't give a shit about the technicals just tell me what
number the DATU is at. 

.  Type in your area code and exchange, you will then at the bottom of
the page receive a report of all the exchanges on that switch.  Now you
need to try each exchange with 9935 until you find that DATU.  You will
know you've found the DATU when you hear a 440mhz tone, the DATU will
either be busy, or pick up usually on the first or second ring. 
Congratulations you found the DATU, now this isn't time for a smoke
break or anything like that, this was cake, in fact nothing about this
is really too hard, but if you're a first timer you should feel happy
about the fact that you just found the DATU.

Accessing the DATU

So now you're saying well done asshole, but how do I use this thing, how
do I make this god damned noise stop.  Well if you noticed you are
hearing this noise and then being disconnected after a few seconds,
approximately 7, well then you are waiting for what to do next.  This
first 440mhz tone is a signal to enter input.  In this case they want
you to enter the user password.  So now you've accessed your DATU, you
can enter that user password, which is a four digit code, or you can
enter the system password.

Entering User Mode

To enter user mode you simply need to enter the four digit code, and
then you will hear a second 440mhz tone, a second input prompt.  Now,
the default set password is 1111, yeah telco just never learns, I have
never once encountered a DATU in my area, NJ, where this does not work. 
So after entering that password you will hear Incorrect, or if it is the
default you will hear another 440mhz tone.  If 1111 doesn't work, try
4300 the default for older models, or try pairs that are easy to
remember 5454, 5353 and so on.  At default it is set for 16 attempts at
a password before a warning goes off at the CO.  So be careful they do
have some kind of counter-measure for just brute forcing the fucker. 
But again, 1111 works perfectly fine 9 out of 10 times unless some
phreaks before you fucked with the DATU to royal extremes.

Now once you enter the password and hear that second 440mhz tone it
wants you to enter the number to be tested.  You must enter a number
which is one of the exchanges served by that CO, hence served by that
DATU.  Now once you type in the number, usually just the 7 digits will
work, if not you will get an error message telling you to use all 10
digits.  When this happens the DATU will do one of two things it will
say: ``Connected to xxx-xxxx, OK'' or it will say ``Connected to
xxx-xxxx, BUSY LINE. Audio Monitor.  If its busy the audio monitor will
start which allows you to hear unintelligible scrambled traffic, this
will last for 10 seconds.  If the line remains busy you will have
limited testing options.  Below you will find the list of options
available, what they do, and if they have a `+' in front of them they
can only be used on an idle line.

Number		Function			Description	

1		Read off Menu			Reads DATU Menu
2		Audio Monitor			Check for Line Activity
+33		Tip/Ring Short to Ground	Connects Tip/Ring to Ground
+37 		Ring Ground			Unterminates the Tip Lead	
+38		Tip Ground			Unterminates the Ring Lead
+44		Tip/Ring High Level Tone	+22dBm, 577hz bursts on line
+47		Ring High Level Tone		High Level Tone with Tip Grd
+48		Tip High Level Tone		High Level Tone with Ring Grd
5		Low Level Tone			-12dBm, 577hz burst on Line
+6		Open Subscriber Line		Removes Power to Line at CO	
+7		Short Subscriber Line		Electrical Short Sent to Line
9		Permanent Signal Release	Clears Busy Line Condition
*		Keep Test After Disconnect	Allows to Keep Test on Line
#		For New Subscriber Line		Enter new Line to Test

Below are some important notes about certain functions.

For those numbers which are two digits indicates the selection of the
function, the first digit, and the corresponding submenu, the second
digit.

Permanent Signal Release will only work if it is set as active in the
system settings, accessible by the System Programming Menu.

For keeping a test after Disconnect you will be prompted to enter data,
indicated the amount of time to continue the condition.  If the minute
interval is less than 10 simply dial 1-9 depending on the minute, if it
is 10 or greater you must first dial two digits, for 10 minutes simply
dial 0.  After this you will be prompted to hang up, and will have no
other choice, in approximately 30 seconds the condition should enter
into effect.

If you need to do this on the same line you are calling from simply dial
* first then choose the option, afterwards it will ask you for a time
interval.

There is even more crazy stuff you can do with carrier access and pair
gains but that is more advanced, and if you are interested can read all
about that in PPM 2 and 3.

Administrator Mode

Well I'm sure this is what many of you have been waiting for, or just
scrolled on down to, the administrator mode, allowing you to set
everything on the DATU.  Now when you dial in the DATU, you will as
mentioned hear that sweet, sweet 440mhz tone.  This time you're going to
want to enter * then a 7 digit code.  Now, the default administrator
code is 2222222, that's right, and in every DATU I have dialed it has
been this default.  Once you do that you will hear ``OK''.  Under Admin
mode you can not do any subscriber line testing.

Important to note here, you can seriously fuck shit up under Admin mode.
 I caution you to make sure you understand what you are doing, fucking
this up can cause big problems, use your head, if you mess this up you
better damn well bet ma bell is going to come after you and make you pay
for a new one, and then jail your ass.  Below are all the functions you
can do and they will be described in detail.  Please understand what
this means, and use your head if you fuck it up you didn't just screw
yourself, you screwed the other phreaks in the area who have used their
head.

Number		Function		Description

1	Change Passwords		Set User and Admin Passwords
2	Select Busy Test		Not Sure, Don't Play With
3	Read/Change Prefixes		Read, Add, Delete Prefixes
4	Read or Clear Timers		Read/Clear Usage/Function Timers
5	Set Digits to Select Line	Set 4,5,7,10 Digits to Select Line
6	Set Time out Parameters		Set Timeout Interval
7	Read/Clear Counters		Read/Clear Usage/Function Counters
8	Permanent Signal Release	Enable or Disable Function
9	Pair-Gains Parameters		Read/Change Paramaters
0	Clear Alarm Condition		Clear Alarm

Important notes about Administrator Mode

Changing the passwords is never a good idea, it can screw things for you
and other phreaks as well as tip off the technicians, however if it's on
a DATU not in your area, you could have some serious fun.  Because the
user password is stored in a memory, however the system password is
reset after the DATU looses power for 7 seconds.  So you could change
the user password, and it would be living hell to fix.

Under Read/Change Prefixes you will have the option to list prefixes on
that switch, add, and delete.  Now this does not mean you can create
your own exchange, it just let's the DATU know what exchanges it has
access to, and adding one that is not served by that CO will be totally
useless, and cause errors.

Permanent Signal Release will allow you to enable that function, which
would allow you to use that function on a busy line in user mode.

For the Pair Gains stuff I suggest you read PPM 2 and 3 they really
outlined it nicely, and the best I could so with that is simply copy and
paste.

Clear Alarm Condition this is useful if you fuck something up and are
worried that an alarm was tripped, or if you screwed up the password 16
times, remember to cover your ass.

Uses for the DATU 

Well there are a ton of uses for this new toy, some legitimate, some
just plain fucking stupid, but all can be fun.  So under user mode you
could use your DATU to do the following: free that busy signal on your
friends line, if he's on the computer you could blast a low level tone
to throw off the modem, you could open someone's line for 20+ minutes
for fun, and then blast high level tones right before they pick up the
phone.  Trust me setting a high level tone then having the person in
your house pick up the phone to use it is hysterical.  The other use for
the high level tone is say you're boxing in a cabinet, you have a good
feeling that your mark's line is in that cabinet, simply use the DATU
place a high level tone on the line, and look for a line that has a
pulsating 577mhz tone.  You could screw with the linemen in the area by
changing the user password, but you really shouldn't even though this is
saved in memory even if the board short circuits, it will fuck things up
in your area, and tip them off.  You could do a Short to Ground making
someone's line busy, or your own if you don't want to be bothered.  Also
you do not have to be calling from that switch to use that DATU, you can
use it from anywhere on the PTSN.

Conclusion

Well that's the DATU at it's best, if you have any questions contact me
at efnet in #darkcyde, and if you are interested in getting a copy of
the official system manual talk to me and we might be able to make a
trade.  Use this information carefully, know what you're getting into,
have fun, and learn all you can.

For further reading check out Phrack 52 and PPM 2&3


.......................................................................
A Hackers Guide to Meridian Mail.......................................
Version 1.00 - December 2001...........................................
by prephix - prephix@bigfoot.com.......................................



 [:. contents .:]


  1... introduction
  2... what is meridian mail
  3... how do i find a meridian mail system
  4... how do i get access
  5... how do i keep access
  6... mailbox commands
  7... final words


 [:. introduction .:]


Ok, the primary purpose for writing this file is for my own personal
reference.  Until a few months ago, it had been a very long time since
I'd actually gone out and messed about with voicemail and PBXs etc,
so I figured it was time I got back into that whole area of things.

There are already a bunch of files floating about that deal with Meridian
Mail, some are bad or vague, a couple are good, so why the need to write
another one?  Well, I figure that I can write a fairly comprehensive
text on the subject, so why the hell not?  Anyway, I want to write one,
if only to get what I know about the subject down onto paper, or into
binary... whatever.

Let me say at this point that this file deals with how somebody would
theoretically gain unauthorised access to Meridian Mail, it's theoretical,
as of course hacking any voicemail or pbx system is obviously illegal,
and I don't encourage anyone to break the law.  Obvious really.  I shall
also be making updates and changes in later versions.


 [:. what is meridian mail .:]


Ok, let's start with the Meridian PBX.  A PBX is a private branch
exchange, which is a small private telephone network that an organisation
uses to handle it's telecoms.  For instance, it's much cheaper to
implement a PBX than to connect an external line to every telephone in
the company.  Phone numbers within the PBX will usually only be 3 or 4
digits long, and they share lines when calling outside of the company.

Meridian PBXs are fairly similar, but come in different sizes that are
referred to as 'Options'.  For example, Option 11C is one of the
smallest Meridian PBXs, hosting between 16 and 700 users, Option 51C
host upto 1,000 ports, Option 61C hosts upto 2,000 ports (and is dual
processor), and Option 81C can handle 16,000 ports and boasts all kinds
of knobs and whistles that are irrelevant in this file.

Meridian Mail is a feature of the Meridian PBX.  It's an electronic
voice messaging system that allows the users to send and receive voice
mail with various delivery options to other users.  It also supports
message forwarding, and allows the setup of distribution lists (lists
of mailbox numbers).  Here in the UK it's very popular with medium to
large sized organisations, and it doesn't take too long to find one.


 [:. how do i find a meridian mail system .:]


Before I tell you how to identify a system, you have to know how to
actually look for one.  It's best to find your own system, if you use
a system that was in a public scan then there is an increased chance
that other unauthorised users are messing around in it.  This is bad
because the company is more likely to notice, either through increased
use, or through mailboxes being 'locked' from too many failed login
attempts.  If you want your mailbox to last, find your own system.

Ok this is real basic, but I'll assume you know nothing.  The best way
to find any VMS or PBX is to go out to a payphone and manually dial
through a range of freephone numbers.  Be methodical, and write down
anything of interest.  Dial after office hours otherwise you'll get
people answering the phone, a lot of systems are only accessable after
office hours (unless its a large 24 hour system).

When numbers connect, start fiddling around, try * and #, just mess
about and you'll see what I mean, there are countless hackable systems
worth playing around with.  Anyway, identifying a system as Meridian
Mail depends on how it's been setup.  The most obvious is when you
call and a female voice says: "Meridian Mail, mailbox?", which is the
login prompt.  These are usually large 24 hour systems, and are not
that common.  An example can be found on 0800-800-214.

Anyway, most numbers you call will have a recorded message saying
something like, "Sorry, the office is now closed, please leave a
message after the tone...".  If you hit * before it starts recording
your message, a Meridian will usually respond with:

  "There is no recorded message.  To record a call answering message
   press 5.  Other commands are, message options 70, login 81,
   disconnect 84, and attendent 0."

Alternatively you can wait for the beep, start to leave a message, and
then hit #, in which case a Meridian will usually respond with:

  "Recording stopped.  To record some more, press 5.  To review your
   message press 2, for more info press *."

Hit *:

  "You have stopped recording.  Commands you can use are: play 2,
   record 5, message options 70, delete 76, and send 79.  Other
   commands are login 81, disconnect 83, and attendent 0."

Meridian Mail may sometimes be setup differently, with limited options
for remote access.  For instance it may just be a single voice mail box
that they're using like an answerphone etc.  Sometimes if you divert
yourself to the attendent (try hitting 0) it will connect you to the
attendant's voicemail, and you may then be able to access the main system
by using the above methods.  Sometimes if the attendant's box hasn't
set a greeting, it will tell you the box number, i.e. "Mailbox 4501
isn't availble, please leave a message", which can help when trying to
figure out what range clusters of mailboxes are in.


 [:. how do i get access .:]


Now sometimes you can just hit 81 (login) and start guessing (it
actually ain't that hard, I once got in on my first guess), but there
are sometimes ways to check where the mailboxes are, i.e what range
they're in, like what do they start with, how many digits are they, etc.

Ok hit 0*.

Meridian Mail should respond with something like:

  "You have reached an automated service which will connect you
   to the phone number that you enter.  Please enter the number
   or name of the person you wish to reach followed by square sign..."

Ok, now mailboxes are typically 3 or 4 digits long (but can be upto
6 digits long), and usually start with either a 2 or a 4.  I'm going to
use an example system to show you what I'm trying to explain here.  Let's
say we have a Meridian Mail, we're at the above prompt, and theres only
two boxes on the system, box 4621 and 4200, but we don't know that, so
this is how we find out.

I'd like to point out that this may not be the same for all Meridian
Mail systems, but it's worked exactly like this for all the ones I've
bust into during the last few months.

Ok, so we've hit 0* and it says:

  "You have reached an automated service which will connect you
   to the phone number that you enter.  Please enter the number
   or name of the person you wish to reach followed by square sign..."

So we enter, 2 followed by #.

Meridian says:

  "That number cannot be reaced from this service, please try again."

So we enter, 4 followed by #.

Meridian says:

   "Your session cannot be continued at this time, please try again
    later, goodbye."  <disconnects>

Ok weird, so when we try connecting to '2' it tells us that the number
cannot be reached, but when we try connecting to '4', it tells us that
our session cannot be continued and it disconnects.  Hmm..

This means that there are definately valid mailboxes that start with 4,
so we go to the next number.  We call again, get to that prompt by hitting
0.. this time we enter 41#

Meridian says:

  "That number cannot be reaced from this service, please try again."

So 4# disconnects us, and 41# tells us the number cannot be reached.
As far as I can tell, this means there are no boxes starting 41, but
there are boxes starting with 4.  So we try again with 42.

Meridian says:

   "Your session cannot be continued at this time, please try again
    later, goodbye."  <disconnects>

Ok!  So there are boxes starting 42, but not 41, and we carry on, until
it finally trys to put you through to a valid extension.  You should be
able to see what I'm trying to get across here, it ain't exactly rocket
science, but I'm also crap at explaining stuff.  :)

Once you know where boxes are clustered, hit 81 to login, enter the
mail box number followed by #, and it will ask you for the password.
The default password is usually the same as the box number.  For instance
box 4112 will have a password of 4112.  If you don't get in straight
away, move onto the next box.  After two failed login attempts I always
hang up and call back, even though Meridian allows three attempts.  This
is because you don't want to accidently 'lock' mailboxes through too
many failed login attempts.  A bunch of locked boxes is going to alert
the administrator that someone was having a pop at getting into his
system, so even if you do get in, your box may not last very long.

When you get into a box you have to make sure it's unused.  If there
are new messages don't read them.  You can read any old messages, but
if they're fairly recent then you can't keep the box for personal use.
If the internal and external greetings have also been set then that's
also an indicator that the box is being used.

However, if the box is empty, and there are no greetings set, then
chances are the box is unused, in which case you can keep it.  Either
way, used or unused, you can now use the distribution list feature to
hunt for more boxes.  Hit 85 to create a new list, then enter 1 to 9
to identify a distribution list number (you can have 9 distribution
lists).  If you're using a used box and there are entries then
forget about it, try another list, you don't want to change anything
that will show you've been there.  Once you enter an empty list, hit
5 to start creating the list.  Now you start entering mailbox numbers
to be added to the list (followed by #).  It will tell you if the box
is valid or not, and you can work your way through a large amount
of box numbers, writing down valid entries.  You want boxes which
don't have recorded greetings, as they're more likely to be empty and
unused.  Later you can see if they have their default passwords set.

If you login and it forces you to change your password because it's
expired, then chances are it's an unused box.

Right, if for whatever reason you can't do this, or if you're confronted
with just the login prompt when calling, then you can always try
pot luck guessing.  This does work, and I would try the following
combinations first... and then work around them:

BOX/PASS

2000/2000  4000/4000  200/200
2001/2001  4001/4001  201/201
2002/2002  4002/4002  250/250
2100/2100  4100/4100  299/299
2101/2101  4101/4101
2500/2500  4111/4111    etc etc.. you get the idea anyway.
2501/2501  4150/4150


 [:. how do i keep access .:]


Common sense really.  Don't record some crazy greetings like "Heh man
this is the awesome bytebandit of the telelame crew.. leave a message
now you mother fucker!".  It's best to leave the greetings unset, but
if you have to, then keep it simple.. like "Leave a message after the
tone" will do.

Don't lock mailboxes through bad login attempts, and don't send real
users mail.  If you have access to employees boxes, try not to read
their new mail, as it will no longer be flagged as new, and obvious
that someone has read it.  I know it's tempting to read other peoples
shit, but try and stick to mail thats already been read.

Also try and keep your system to a select group.  The fewer guys using
it, then the lesser chance of being noticed.  I've was once using a
system with a couple of other guys for almost 6 months.  Thats about
it really, as I said, just use your common sense.


 [:. mailbox commands .:]


You'll become familiar with using it as you go along, you can hit * at
any time for online help.  Here's a list of the major functions anyway:

Recording a greeting:

  Press 82, press 1 for external, 2 for internal, 5 to record, # to stop.

Changing the password:

  Press 84, enter new password, press #, repeat, enter old password, hit #.

Recording personal verification:

  Press 89, press 5 to record name, press #.

Creating a message:

  Press 75, enter mailbox(s) or distribution list number(s), pressing #
  after each one, press # again, press 5 to record, # to stop,
  press 79 to send.

Forwarding a message:

  Find the message to forward, press 73, enter forwarding mailbox number(s)
  each followed by #, press ## to finish list, press 5 to record a
  message header, press 79 to send.

Deleting/undeleting a message:

  76 to delete a message, 76 again to restore it.

Outdial:

  Press #0, then (usually) 9 for an outside line, then the phone number.
  This probably will have been disabled, or will appear to be, but
  definatly worth a fiddle, try different things.  We had a system where
  you had to dial 9, then a 5 digit code, and then it allowed you to
  dial 3 digit external numbers (i.e the operator who could then put
  you through to another number).


 [:. final words .:]


Ok it's fucking late, and I'm going to bed now.  If it's shit, then my
excuse is that it's only version 1.00, and I'll no doubt be maknig
numerous changes in later versions... ha... anyway fuck it, the only way
to learn is to actually get out there, find a system, and figure things
out yourself.  Feel free to email me any questions, abuse, etc...


                            prephix@bigfoot.com


.........................................................................
scan of 0800-212-000 to 0800-212-200 (UK)................................
compiled by prephix in september 2001....................................


0800-212-000 - Dead
0800-212-001 - Dead
0800-212-002 - Voice
0800-212-003 - Dead
0800-212-004 - Recorded message
0800-212-005 - Dead
0800-212-006 - Recorded message
0800-212-007 - Rings
0800-212-008 - Dead
0800-212-009 - Rings
0800-212-010 - Dead
0800-212-011 - "The number you have dialed is not recognised"
0800-212-012 - Dead
0800-212-013 - PBX
0800-212-014 - Dead
0800-212-015 - Recorded message
0800-212-016 - Modem
0800-212-017 - Dead
0800-212-018 - Dead
0800-212-019 - Voice
0800-212-020 - "The number you have dialed is not available"
0800-212-021 - Answer phone
0800-212-022 - Dead
0800-212-023 - Recorded message
0800-212-024 - Dead
0800-212-025 - Dead
0800-212-026 - Dead
0800-212-027 - Voice
0800-212-028 - Dead
0800-212-029 - PBX, # to login, mainly 3 digit extensions, many around
               the 2** range with simple passwords
0800-212-030 - Fax
0800-212-031 - Dead
0800-212-032 - Dead
0800-212-033 - Dead
0800-212-034 - Dead
0800-212-035 - Dead
0800-212-036 - Dead
0800-212-037 - Dead
0800-212-038 - Dead
0800-212-039 - Dead
0800-212-040 - Dead
0800-212-041 - Fax
0800-212-042 - "The number you have dialed is not recognised"
0800-212-043 - Fax
0800-212-044 - Dead
0800-212-045 - Dead
0800-212-046 - Dead
0800-212-047 - "This number does not receive incoming calls"
0800-212-048 - Fax
0800-212-049 - Fax
0800-212-050 - Rings
0800-212-051 - Fax
0800-212-052 - Rings
0800-212-053 - Engaged tone
0800-212-054 - Fax
0800-212-055 - Dead
0800-212-056 - Fax
0800-212-057 - Dead
0800-212-058 - Rings
0800-212-059 - Dead
0800-212-060 - Voice
0800-212-061 - Rings
0800-212-062 - Recorded message
0800-212-063 - Rings
0800-212-064 - Answer phone
0800-212-065 - Dead
0800-212-066 - Rings
0800-212-067 - Rings
0800-212-068 - Rings
0800-212-069 - Dead
0800-212-070 - Voice
0800-212-071 - Large 24 hour voice mail system, press * to login, many
               5 digit boxes starting 6**** with guessable passwords
0800-212-072 - Dead
0800-212-073 - Rings
0800-212-074 - Dead
0800-212-075 - Dead
0800-212-076 - Dead
0800-212-077 - Dead
0800-212-078 - Recorded message
0800-212-079 - Dead
0800-212-080 - Disconnects on DTMF tones
0800-212-081 - Dead
0800-212-082 - Rings
0800-212-083 - Dead
0800-212-084 - Dead
0800-212-085 - Dead
0800-212-086 - Dead
0800-212-087 - Dead
0800-212-088 - Fax
0800-212-089 - Dead
0800-212-090 - Rings
0800-212-091 - Dead
0800-212-092 - Recorded message
0800-212-093 - Dead
0800-212-094 - Dead
0800-212-095 - Voice
0800-212-096 - Dead
0800-212-097 - Dead
0800-212-098 - Rings
0800-212-099 - PBX
0800-212-100 - Rings
0800-212-101 - Dead
0800-212-102 - Voice mail system, press # to login
0800-212-103 - Dead
0800-212-104 - Dead
0800-212-105 - "The number you have dialed is not recognised"
0800-212-106 - Dead
0800-212-107 - Voice mail system, press # twice to enter ID
0800-212-108 - Dead
0800-212-109 - Fax
0800-212-110 - Dead
0800-212-111 - Voice
0800-212-112 - Rings
0800-212-113 - Answer phone
0800-212-114 - "This number has been changed to ..."
0800-212-115 - Dead
0800-212-116 - Dead
0800-212-117 - Dead
0800-212-118 - Rings
0800-212-119 - Dead
0800-212-120 - Voice
0800-212-121 - Rings
0800-212-122 - Dead
0800-212-123 - "The number you have dialed is not recognised"
0800-212-124 - "This number is temporarily out of order"
0800-212-125 - Dead
0800-212-126 - Recorded message
0800-212-127 - Recorded message
0800-212-128 - Dead
0800-212-129 - Dead
0800-212-130 - Dead
0800-212-131 - Recorded message
0800-212-132 - Dead
0800-212-133 - Dead
0800-212-134 - Answer phone
0800-212-135 - Rings
0800-212-136 - Dead
0800-212-137 - Dead
0800-212-138 - Dead
0800-212-139 - Engaged tone
0800-212-140 - Dead
0800-212-141 - Rings
0800-212-142 - Dead
0800-212-143 - Dead
0800-212-144 - Dead
0800-212-145 - Dead
0800-212-146 - Rings
0800-212-147 - Recorded message
0800-212-148 - Dead
0800-212-149 - Dead
0800-212-150 - Rings
0800-212-151 - Recorded message
0800-212-152 - "The number you have dialed is not recognised"
0800-212-153 - Dead
0800-212-154 - Dead
0800-212-155 - Voice mail system, press # to login
0800-212-156 - "The number you have dialed is not recognised"
0800-212-157 - Recorded message
0800-212-158 - Rings
0800-212-159 - Rings
0800-212-160 - Dead
0800-212-161 - Recorded message
0800-212-162 - Dead
0800-212-163 - Dead
0800-212-164 - "The number you have dialed is not recognised"
0800-212-165 - Dead
0800-212-166 - Dead
0800-212-167 - Dead
0800-212-168 - "The number you have dialed is not recognised"
0800-212-169 - Dead
0800-212-170 - Recorded message
0800-212-171 - Dead
0800-212-172 - Rings
0800-212-173 - Dead
0800-212-174 - Dead
0800-212-175 - Dead
0800-212-176 - Voice
0800-212-177 - Voice mail box, perss # to login
0800-212-178 - "The number you have dialed is not recognised"
0800-212-179 - Rings
0800-212-180 - Rings
0800-212-181 - Dead
0800-212-182 - Voice
0800-212-183 - Rings
0800-212-184 - Rings
0800-212-185 - Voice
0800-212-186 - Fax
0800-212-187 - Voice
0800-212-188 - Dead
0800-212-189 - Dead
0800-212-190 - Dead
0800-212-191 - Voice
0800-212-192 - Fax
0800-212-193 - Rings
0800-212-194 - Fax
0800-212-195 - Dead
0800-212-196 - Rings
0800-212-197 - Recorded message
0800-212-198 - Recorded message
0800-212-199 - Dead
0800-212-200 - Dead

                           prephix@bigfoot.com

......................................................................
0800963-xxx...........................................................
random................................................................
	

0800963 000-250
scanned between 2-5am GMT

0800963000		KDDI card expired
0800963001		voice, sounded chinese
0800963002		KDDI card expired
0800963004		KDDI please enter your personal identification number
0800963006		KDDI please enter your personal identification number
0800963007		2BM
0800963008		KDDI please enter your personal identification number
0800963009		The conference calling centre
0800963011		The conference calling centre
0800963012		2BZ
0800963014		voice, foreign
0800963015		KDDI please enter your personal identification number
0800963016		KDDI card expired
0800963017		KDDI please enter your personal identification number
0800963020		carrier
0800963021		voice, foreign
0800963022		carrier  :)
0800963023		voice, english
0800963024		voice, english same bloke as 23
0800963025		voice, english same bloke as 23 & 24 (this time he left the fone off hook and i could hear him talk to some1 for ages)
0800963026		weird ! something picks up then hangs up then error message "sorry there is a fault"
0800963027		KDDI please enter your personal identification number
0800963030		The electric saftey centre, transfers to an op
0800963031		KDDI please enter your personal identification number
0800963033		voice, foreign
0800963034		KDDI please enter your personal identification number
0800963035		KDDI card expired
0800963036		voice, english speaking
0800963039		KDDI please enter your personal identification number
0800963042		"were sorry u have reached a number that has been disconnected or is no longer in service"
0800963044		carrier
0800963046		foreign recording
0800963048		weird beeps !?!?
0800963050		some guys answer fone with txt message,page,call,fax options
0800963054		does nothing for ages then a foreign busy
0800963056		Eagle ocean inc. * then # enters vmb
0800963065		ring ring ring.........
0800963068		"the number u dialed is not valid anymore please check the number"
0800963074		busy
0800963080		2BZ
0800963081		2BJ
0800963082		711 "the 800 number u dialed is not in service" sez that twice then rings again then hangs up straight away !?!?
0800963083		2EG
0800963084		essential software support *7 supposed to transfer to voicemail but i just got cheesy hold music for 2 minutes then hung up
0800963086		2EG
0800963090		212
0800963093		nothing then busy
0800963095		busy
0800963096		carrier
0800963097		rwd technologies
0800963099		voice, some travel company
0800963101		US busy signal
0800963102		ring ring ring........
0800963103		carrier
0800963105		2BZ
0800963110		pbx, ext 12 gets customer service
0800963111		carrier
0800963112		audix vmb "enter extension then pass code"
0800963114		"were sorry your call cannot be completed as dialed please check the number and dial again or call your operator to help u"
0800963115		busy
0800963116		foreign recording then hangs up
0800963117		dialtone ! *resets back to dialtone #gets busy signal . tried allsorts with this ! uk & us numbers , dialing 9 dialing country c0des all i can get is error messages
0800963118		ring ring ring........
0800963119		2BM
0800963120		"were sorry but your call cannot be completed as dialed please check the toll free number and dial again thank you for using bezick(??) international"
0800963122		carrier/fax
0800963124		2BJ
0800963125		"were sorry the globe 800 universal number u dialed is not in service please check the number and dial again"
0800963128		card smart please enter authorization code
0800963129		voice, foreign
0800963130		busy
0800963132		2BZ
0800963133		"call cannot be made from that fone"   tried it from my calling card and got a weird busy signal
0800963134		2BM
0800963136		ring ring ring.........
0800963137		212
0800963139		2EG
0800963140		2BZ
0800963141		"number cannot be reached from your area please check the number and dial again this is a recording (duh!)" 
0800963142		"call cannot be made from that fone"   tried it from my calling card and got a weird busy signal
0800963145		blank ship real estate answer fone/pbx , voice at 6p'mish GMT
0800963147		2BJ
0800963148		pwc consulting pbx # gets an op
0800963150		"call cannot be made from that fone"   tried it from my calling card and got a weird busy signal
0800963151		2BJ
0800963153		answerfone/pbx, voice at 6pm'ish GMT
0800963154		vmb
0800963155		"call cannot be made from that fone"   tried it from my calling card and got a weird busy signal
0800963156		"call cannot be made from that fone"   tried it from my calling card and got a weird busy signal
0800963157		voice, sounded like a little kid, foreign 
0800963158		"call cannot be made from that fone"   tried it from my calling card and got a weird busy signal
0800963162		weird beeps , do not respond to DTMF
0800963165		weird beeps , do not respond to DTMF
0800963166		carrier/fax
0800963168		2BM
0800963169		weird beeps , do not respond to DTMF
0800963170		"please enter you pin"
0800963171		weird beeps , do not respond to DTMF
0800963172		voice, english speaking
0800963176		weird beeps , do not respond to DTMF
0800963178		foreign recording then hangs up
0800963179		"please enter your pin"
0800963180		weird beeps , do not respond to DTMF
0800963181		weird long ring then french recording does respond to DTMF but i dont know wot it does coz i dont speak french
0800963182		"the number u dialed is not valid anymore please check the number"
0800963185		weird beeps , do not respond to DTMF
0800963187		weird beeps , do not respond to DTMF
0800963190		toyota survery. asks for some sort of code
0800963191		voice , foreign , holland accordin to the bloke on fone . (err why u call at this time to ask wot country i in ? it is night) lol , there was a pleep on hangup not as high pitched as c5
0800963192		busy
0800963194		2EG
0800963196		jarvis cutting tools answerfone/pbx , voice at 6pm'ish GMT
0800963197		2EG
0800963198		Grenich association answerfone/pbx , voice at 6pm'ish GMT
0800963200		busy
0800963201		answerfone , voice at 6pm'ish GMT
0800963203		2BM
0800963206		carrier
0800963207		carrier
0800963208		the conferencing centre 328
0800963209		2BJ
0800963210		codey code hotline answerfone
0800963211		212
0800963213		"sorry there is a fault"
0800963214		carrier
0800963215		2BM
0800963219		pbx ** to enter vmb number and password 3 trys then disconnects
0800963220		carrier/fax
0800963228		carrier
0800963229		2EG
0800963230		carrier
0800963231		2BM
0800963232		2EG
0800963233		carrier
0800963234		RWD tech. answer machine/pbx , voice at 6pm'ish GMT
0800963235		RWD latitude 360 answer machine/pbx , voice at 6pm'ish GMT
0800963236		RWD tech. answer machine/pbx , voice at 6pm'ish GMT
0800963237		busy
0800963238		2EG
0800963239		2BZ
0800963242		voice, foreign
0800963246		voice, foreign		
0800963247		voice, foreign
--------------------------------------------------------------
0800963252		Live - Foreign
0800963253		Live - Foreign
0800963256		Ring Tone No Reply (RTNR)
0800963257		Live - Foreign
0800963259		Carrier - Silent

Offers ms chap authentification.		
[LCP ConfReq id=0x0 <asyncmap 0x0> <auth chap m$oft>

0800963262		? Dead air ?
0800963268		Equity Saverz *=enter passcode 4dig
0800963270		FAX
0800963271		PBX/VMS *=enter mailbox number
0800963274		KDD
0800963276		Live
0800963277		RTNR
0800963280		Worldcom
0800963282		RTNR
0800963292		AUDIX
0800963293		Erm... answered once then NU ever since
0800963294		Carrier

User Access Verification
Username:

0800963301		??? Netherlands something or other
0800963303		Carrier - Silent
0800963304		PBX/VMS
0800963305		Carrier - Silent

offers chap MD5 verification
end point MAC:00:80:d3:79:e5:00
name = "Odyssey3"
(took itself offline after 1st attempt)

0800963306		Carrier - Silent
0800963307		Carrier - Silent
0800963311		'Conference Call Centre'
0800963313		'Conference Call Centre'
0800963314		'Conference Call Centre'
0800963316		'Conference Call Centre'
0800963317		Thomas Cook Test Number...
0800963318		Fault
0800963320		'Conference Call Centre'
0800963323		PBX/VMS Audix
0800963326		'Conference Call Centre'
0800963327		'Conference Call Centre'
0800963328		'Conference Call Centre'
0800963329		MCI
0800963332		'Conference Call Centre'
0800963333		'Conference Call Centre'
0800963336		Carrier - Silent
0800963337		Carrier 
0800963347		TeraCyte Audix
0800963355		Sec code
0800963360		ID code
0800963367		Live
0800963370		Access code
0800963371		VMS
0800963372		VMS
0800963373		BUSY
0800963374		Fault
0800963377		BUSY
0800963379		BUSY
0800963379		Carrier - Silent
0800963380		BUSY
0800963381		Carrier - Silent
0800963382		Ext not in service...
0800963383		BUSY
0800963385		Fault
0800963387		pips...
0800963389 		pips...
0800963390		Rainbow PBX
0800963392 		RTNR
0800963394		PBX
0800963397		Graceland Uni VMS
0800963398		PBX (could be interesting)
0800963400		VMS with a great greeting....
0800963403		RTNR
0800963406		PBX
0800963408		Carrier

Starting SecurID Authentication...
User ID:

0800963411		Fault
0800963421		RTNR
0800963424		FAX
0800963427 		Carrier AND ringing at the same time???
0800963428		Carrier
0800963429		Audix?
0800963431		RTNR
0800963432		? Dead air ?
0800963435		Live
0800963438		VMS
0800963439		Message Centre
0800963442		???
0800963446		Chat line advert
0800963450		PBX
0800963452		Fujitsu PBX/VMS
0800963453		RTNR
0800963456		BUSY
0800963459		ACI - x4555
0800963460		PBX
0800963463		Live
0800963471		Fault
0800963474		'Conference Call Centre'
0800963476		RTNR
0800963479		RTNR
0800963490		Foreign message
0800963492		Foreign message
0800963493		Foreign message
0800963497		Foreign message
0800963500 		Test Number for Int Phreefone
--------------------------------------------------------------
0800963500		Internation Free Phone Services
0800963527		Rings and Rings... dunno
0800963530		four beeps in sucession repeated... dunno
0800963540		Vorizons Voicemail
0800963553		Rings.. then not inservices then code "SCT4T"
0800963558		US Ring... Just rings and rings
0800963565		Carrier
0800963570		Some Chinease Person talks
0800963577		Connects then hangsup
0800963579		Chinease person
0800963591		Chinease person
0800963595		Free phone service of European Anti Fraud Office
0800963596		Chinease Talking
0800963596		Chinease Talking
0800963600		Sigma RVI Voicemail System
0800963602		Carrier

RING BACK

0800963607		Rings.. Strange though.. worth a look
0800963658		"Welcome to Woltel"
0800963663		"Please dial your card and pin number now"
0800963957		Not In Service then code NYCR12
0800963698		"announcement is not defigned" - Merdian
0800963700		US Ring.. just rings
0800963703		"In Itailian: Welcome to telecom italia"
0800963709		"In Itailian: Welcome to telecom italia"
0800963712		"In Itailian: Welcome to telecom italia"
0800963716		Tempararilly out of order
0800963720		CAE Clune Technologies Ransolhoof
0800963724		US Ring.. "welcome to Bank first national"
0800963725		US Ring.. "Jonh maxwell First Sale vioce mail
0800963728		US Ring.. Carrier

Remote message: E=691 R=1  V=3

0800963729		Carrier

|z-~R>
      9^29w,)({E26am.Y.?.R_/7Wb1Plk(!kqu6.z[p.oB

0800963736		Voicemail
0800963737		HQ Massitusites National Guard. Audix.
--------------------------------------------------------------
0800 963 750		2BM
0800 963 751		Interpayment credit
0800 963 752		no answer
0800 963 753		no answer
0800 963 754		German Meridian Mail System
0800 963 755		nr
0800 963 756		nr
0800 963 757		2EG
0800 963 758		nr
0800 963 759		nr
0800 963 780		Octel system, 4799 diverts to op
0800 963 781		2BM
0800 963 782		nr
0800 963 783		nr
0800 963 784		nr
0800 963 785		Dialtone, requires Auth code
0800 963 786		answer service, * enter passcode
0800 963 787		nr
0800 963 788		111P
0800 963 789		Army, CPAC/CPOC military line
0800 963 790		nr
0800 963 791		nr
0800 963 792		Meridian Mail system
0800 963 793		some voicemail system
0800 963 794		2BM
0800 963 795		Dial ID Number
0800 963 796		live op,
0800 963 797		nr
0800 963 798		nr
0800 963 799		QRS corporation, 
0800 963 800		no answer, weired ring tone
0800 963 801		fax/carrier
0800 963 802		picks up, doesnt say anything
0800 963 803		na
0800 963 804		na
0800 963 805		citiebank
0800 963 806		na
0800 963 807		nr
0800 963 808		Octel, north-west airlines. 
0800 963 809		nr
0800 963 810		nr
0800 963 811		nr
0800 963 812		Direct dial to Audix
0800 963 813		nr
0800 963 814		AIG international, Audix
0800 963 815		nr
0800 963 816		busy
0800 963 817		semi-aloys answerphone
0800 963 818		Octel, for a cardiac hospital. 
0800 963 819		Octel, Direct dial (for above)
0800 963 820		Octel, Direct dial (for above)
0800 963 821		fault
0800 963 822		Audix System
0800 963 823		nr
0800 963 824		nr
0800 963 825		nr
0800 963 826		Conference calling centre
0800 963 827		nr
0800 963 828		customer serivces
0800 963 829		111P
0800 963 830		Octel system
0800 963 831		fault
0800 963 832		customer support number
0800 963 833		Visa travel money customer service number, 
0800 963 834		nr
0800 963 835		fault
0800 963 836		nr
0800 963 837		no answer
0800 963 838		busy
0800 963 839		Octel system,
0800 963 840		nr
0800 963 841		nr
0800 963 842		711 not in service
0800 963 843		nr
0800 963 844		nr
0800 963 845		nr
0800 963 846		nr
0800 963 847		nr
0800 963 848		busy
0800 963 849		network accounts payable
0800 963 850		nr
0800 963 851		nr
0800 963 852		nr
0800 963 853		nr
0800 963 854		nr
0800 963 855		nr
0800 963 856		fault
0800 963 857		anna, at comprihensive formula
0800 963 858		KDD
0800 963 859		global 1,
0800 963 860		no answer
0800 963 861		busy
0800 963 862		nr
0800 963 863		busy
0800 963 864		pbx system, enter ext
0800 963 865		answerphone
0800 963 866		non working toll free number
0800 963 867		live op
0800 963 868		no answer
0800 963 869		no answer
0800 963 870		KLA customer support, 
0800 963 871		nr
0800 963 872		busy
0800 963 873		nr
0800 963 874		Direct dial to Audix
0800 963 875		fax/carrier
0800 963 876		nr
0800 963 877		nr
0800 963 878		fault
0800 963 879		live op
0800 963 880		live op
0800 963 881		nr
0800 963 882		nr
0800 963 883		nr
0800 963 884		2BM
0800 963 885		fault
0800 963 886		fault
0800 963 887		nr
0800 963 888		nr
0800 963 889		nr
0800 963 890		nr
0800 963 891		nr
0800 963 892		nr
0800 963 893		nr
0800 963 894		nr
0800 963 895		no asnwer
0800 963 896		nr
0800 963 897		nr
0800 963 898		no answer
0800 963 899		no answer
0800 963 900		nr
0800 963 901		carrier

User Access Verification
Username:

0800 963 902		nr
0800 963 903		cisco systems technical centre, emergency centre
0800 963 904		nr
0800 963 905		no answer
0800 963 906		no answer
0800 963 907		cisco systems
0800 963 908		cisco systems
0800 963 909		pbx system
0800 963 910		no answer
0800 963 911		Merdian System for WorldCon Conferencing
0800 963 912		Conference calling centre
0800 963 913		Conference calling centre
0800 963 914		nr
0800 963 915		nr
0800 963 916		800 out of order
0800 963 917		MCI worldcom pre-paid access card
0800 963 918		nr
0800 963 919		nis
0800 963 920		Conference calling centre
0800 963 921		Conference calling centre
0800 963 922		nr
0800 963 923		Conference calling centre
0800 963 924		Conference calling centre
0800 963 925		answerphone
0800 963 926		Conference calling centre
0800 963 927		Conference calling centre
0800 963 928		carrier/fax

Annex Command Line Interpreter   *   Copyright (C) 1988, 1995 Xylogics, Inc.
Checking authorization, Please wait...
Annex username:

0800 963 929		Conference calling centre
0800 963 930		nr
0800 963 931		2BM
0800 963 932		Conference calling centre
0800 963 933		busy
0800 963 934		nr
0800 963 935		nr
0800 963 936		2BM
0800 963 937		no answer
0800 963 938		nr
0800 963 939		nr
0800 963 940		nr
0800 963 941		GE Access, pbx system
0800 963 942		nr
0800 963 944		nr
0800 963 945		nr
0800 963 946		nr
0800 963 947		live op
0800 963 948		nr
0800 963 949		nr
0800 963 950		nr
0800 963 951		no answer
0800 963 952		nr
0800 963 953		nr
0800 963 954		nr
0800 963 955		no answer
0800 963 956		nr
0800 963 957		nr
0800 963 958		nr
0800 963 959		carrier/fax
0800 963 960		no answer
0800 963 961		nr
0800 963 962		no answer
0800 963 963		carrier/fax
0800 963 964		nr
0800 963 965		nr
0800 963 966		nr
0800 963 967		busy
0800 963 968		carrier/fax
0800 963 969		NCL customer care centre		
0800 963 970		Conference calling centre
0800 963 971		carrier

S4...
login:

0800 963 972		2BM
0800 963 973		nr
0800 963 974		Meridian Mail System, some pharmacutical co
0800 963 975		Octel system, to corpotate security hotline
0800 963 976		Merdian as above
0800 963 977		Octel recording
0800 963 978		same as above
0800 963 979		nr
0800 963 980		carrier/fax
0800 963 981		carrier/fax
0800 963 982		MCI worldcom 
0800 963 983		Some network co
0800 963 984		Conference calling centre
0800 963 985		Conference calling centre
0800 963 986		Conference calling centre
0800 963 987		2BM
0800 963 988		2BM
0800 963 989		2BM
0800 963 990		Octel System
0800 963 991		Conference calling centre
0800 963 992		Conference calling centre
0800 963 993		Conference calling centre
0800 963 994		nr
0800 963 995		Conference calling centre
0800 963 996		busy
0800 963 997		Conference calling centre
0800 963 998		ATS voice proccessing centre
0800 963 999		Conference calling centre
0800 964 000		French


......................................................................
scan of 0800-013-0000 to 0800-013-0200 (UK)...........................
compiled by prephix in decemmber 2001.................................


0800-013-0000 - Engaged
0800-013-0001 - Voice
0800-013-0002 - "Sorry we're unable to connect your call"
0800-013-0003 - Rings
0800-013-0004 - Recorded message
0800-013-0005 - Modem
0800-013-0006 - "Sorry we're unable to connect your call"
0800-013-0007 - Rings
0800-013-0008 - Modem
0800-013-0009 - "Sorry we're unable to connect your call"
0800-013-0010 - Recorded message
0800-013-0011 - AT&T calling card line
0800-013-0012 - "Sorry we're unable to connect your call"
0800-013-0013 - "You've been forwarded to a voice mail system, however
                this mailbox does not subscribe to this service"
0800-013-0014 - Dead
0800-013-0015 - Rings
0800-013-0016 - Simple PBX (not worth wasting time with)
0800-013-0017 - Modem
0800-013-0018 - Dead
0800-013-0019 - Modem
0800-013-0020 - Modem
0800-013-0021 - Scotish Widows info line
0800-013-0022 - Rings
0800-013-0023 - Dead
0800-013-0024 - Scotish Insurance helpline
0800-013-0025 - Modem
0800-013-0026 - Rings
0800-013-0027 - White noise, weird
0800-013-0028 - "Sorry we're unable to connect your call"
0800-013-0029 - "Sorry we're unable to connect your call"
0800-013-0030 - Voice
0800-013-0031 - "Sorry we're unable to connect your call"
0800-013-0032 - "Sorry we're unable to connect your call"
0800-013-0033 - Meridian, but features been disabled, of no use
0800-013-0034 - Voice with cukoo (payphone) tone in background
0800-013-0035 - Recorded message
0800-013-0036 - Recorded message
0800-013-0037 - Recorded message
0800-013-0038 - Voice
0800-013-0039 - Modem
0800-013-0040 - Recruitment line
0800-013-0041 - High pitched tone
0800-013-0042 - "Sorry we're unable to connect your call"
0800-013-0043 - "Sorry we're unable to connect your call"
0800-013-0044 - Recorded message
0800-013-0045 - Enquiry line
0800-013-0046 - Enquiry line
0800-013-0047 - Enquiry line
0800-013-0048 - Voice
0800-013-0049 - Rings, hit *, pauses for 10 seconds, then diverts
                to a helpdesk, hit * again, diverts again, wait,
                on connect hit *7 to access the main menu of an
                Audix voice mail system.
0800-013-0050 - "Sorry we're unable to connect your call"
0800-013-0051 - Dead
0800-013-0052 - Dead
0800-013-0053 - Voice mail system with 4 digit boxes. Hit # to login.
                When you enter an empty box it asks for the temporary
                password given to you by the administrator.
0800-013-0054 - Modem
0800-013-0055 - Answerphone
0800-013-0056 - Number not recorded
0800-013-0057 - Weird DTMF tones, then disconnects
0800-013-0058 - "Sorry we're unable to connect your call"
0800-013-0059 - "Sorry we're unable to connect your call"
0800-013-0060 - "Sorry we're unable to connect your call"
0800-013-0061 - Answerphone
0800-013-0062 - Rings
0800-013-0063 - Rings
0800-013-0064 - "Sorry we're unable to connect your call"
0800-013-0065 - "Sorry we're unable to connect your call"
0800-013-0066 - Rings
0800-013-0067 - Voice
0800-013-0068 - Rings
0800-013-0069 - Rings
0800-013-0070 - Modem
0800-013-0071 - Modem
0800-013-0072 - Rings
0800-013-0073 - Rings
0800-013-0074 - Fax
0800-013-0075 - Fax
0800-013-0076 - Claims line
0800-013-0077 - "Sorry we're unable to connect your call"
0800-013-0078 - "Sorry we're unable to connect your call"
0800-013-0079 - "Sorry we're unable to connect your call"
0800-013-0080 - "Sorry we're unable to connect your call"
0800-013-0081 - "Sorry we're unable to connect your call"
0800-013-0082 - Rings, then goes to BT Callminder
0800-013-0083 - Rings
0800-013-0084 - High pitched tone
0800-013-0085 - Dead
0800-013-0086 - Voice
0800-013-0087 - Rings
0800-013-0088 - Helpline
0800-013-0089 - Rings
0800-013-0090 - Dead
0800-013-0091 - Recorded message
0800-013-0092 - Dead
0800-013-0093 - "There is no service currently available on this line"
0800-013-0094 - "There is no service currently available on this line"
0800-013-0095 - "There is no service currently available on this line"
0800-013-0096 - "There is no service currently available on this line"
0800-013-0097 - Answerphone
0800-013-0098 - Engaged
0800-013-0099 - Answerphone
0800-013-0100 - "You've been forwarded to a voice mail system, however
                this mailbox does not subscribe to this service"
0800-013-0101 - "Sorry we're unable to connect your call"
0800-013-0102 - Rings
0800-013-0103 - "Sorry we're unable to connect your call"
0800-013-0104 - Dead
0800-013-0105 - "Sorry we're unable to connect your call"
0800-013-0106 - "Sorry we're unable to connect your call"
0800-013-0107 - "Sorry we're unable to connect your call"
0800-013-0108 - "Sorry we're unable to connect your call"
0800-013-0109 - "Sorry we're unable to connect your call"
0800-013-0110 - Rings
0800-013-0111 - "Sorry we're unable to connect your call"
0800-013-0112 - "Sorry we're unable to connect your call"
0800-013-0113 - Order line
0800-013-0114 - Rings
0800-013-0115 - Rings
0800-013-0116 - Dead
0800-013-0117 - Engaged
0800-013-0118 - Orange answerphone
0800-013-0119 - "Sorry we're unable to connect your call"
0800-013-0120 - "Sorry we're unable to connect your call"
0800-013-0121 - Dead
0800-013-0122 - Dead
0800-013-0123 - "Sorry we're unable to connect your call"
0800-013-0124 - "You've been forwarded to a voice mail system, however
                this mailbox does not subscribe to this service"
0800-013-0125 - "You've been forwarded to a voice mail system, however
                this mailbox does not subscribe to this service"
0800-013-0126 - Rings
0800-013-0127 - Rings
0800-013-0128 - Rings
0800-013-0129 - Rings
0800-013-0130 - Rings
0800-013-0131 - Dead
0800-013-0132 - "Sorry we're unable to connect your call"
0800-013-0133 - Answerphone
0800-013-0134 - "This phone number has changed to..."
0800-013-0135 - "Sorry we're unable to connect your call"
0800-013-0136 - "This phone number has changed to..."
0800-013-0137 - Rings
0800-013-0138 - "The audio conferncing service is closed"
0800-013-0139 - Modem
0800-013-0140 - Engaged
0800-013-0141 - Rings
0800-013-0142 - Engaged
0800-013-0143 - Voice
0800-013-0144 - Dead
0800-013-0145 - "Sorry we're unable to connect your call"
0800-013-0146 - "Sorry we're unable to connect your call"
0800-013-0147 - "Sorry we're unable to connect your call"
0800-013-0148 - "Sorry we're unable to connect your call"
0800-013-0149 - "Sorry we're unable to connect your call"
0800-013-0150 - Answerphone
0800-013-0151 - "Sorry we're unable to connect your call"
0800-013-0152 - "Sorry we're unable to connect your call"
0800-013-0153 - "Sorry we're unable to connect your call"
0800-013-0154 - Voice
0800-013-0155 - Rings
0800-013-0156 - Rings
0800-013-0157 - Call waiting (engaged)
0800-013-0158 - Recorded message
0800-013-0159 - Voice
0800-013-0160 - Fax
0800-013-0161 - Voice
0800-013-0162 - "Sorry we're unable to connect your call"
0800-013-0163 - Rings
0800-013-0164 - Very basic PBX. Unlimited attempts at extension passcodes.
0800-013-0165 - Rings
0800-013-0166 - Engaged
0800-013-0167 - Rings
0800-013-0168 - "Sorry we're unable to connect your call"
0800-013-0169 - Voice mail box
0800-013-0170 - Voice
0800-013-0171 - "Sorry we're unable to connect your call"
0800-013-0172 - "Sorry we're unable to connect your call"
0800-013-0173 - "Sorry we're unable to connect your call"
0800-013-0174 - "Sorry we're unable to connect your call"
0800-013-0175 - "Sorry we're unable to connect your call"
0800-013-0176 - "Sorry we're unable to connect your call"
0800-013-0177 - "Sorry we're unable to connect your call"
0800-013-0178 - "Sorry we're unable to connect your call"
0800-013-0179 - "Sorry we're unable to connect your call"
0800-013-0180 - Rings, then message "Please call back later"
0800-013-0181 - Voice     (One of these bastards kept calling
0800-013-0182 - Voice     back and wouldn't hang up his end.)
0800-013-0183 - Rings
0800-013-0184 - "Sorry we're unable to connect your call"
0800-013-0185 - "Sorry we're unable to connect your call"
0800-013-0186 - "Sorry we're unable to connect your call"
0800-013-0187 - Recorded message
0800-013-0188 - "This phone number has changed to..."
0800-013-0189 - "Sorry we're unable to connect your call"
0800-013-0190 - Answerphone
0800-013-0191 - "Your call is in a queue" (help/info line)
0800-013-0192 - "Sorry we're unable to connect your call"
0800-013-0193 - Recorded message
0800-013-0194 - Answerphone
0800-013-0195 - Dead
0800-013-0196 - "Sorry we're unable to connect your call"
0800-013-0197 - "Sorry we're unable to connect your call"
0800-013-0198 - "Sorry we're unable to connect your call"
0800-013-0199 - "Sorry we're unable to connect your call"
0800-013-0200 - "Sorry we're unable to connect your call"

                           prephix@bigfoot.com


..........................................................................
Things to consider when (Ab)using a PBX...................................
by the B4ckCh4tter........................................................
2002......................................................................

Foreword
--------

This document will not teach you how to hack a PBX - it's a discussion of 
possible approaches you might consider once the hacking has been done.  It's 
a basic outline of some exploits that are well known to the phreaking 
community at large, and many that are not known by most.  To test the 
viabilty of many of them you'll need to have either physical access to the 
PBX "instruments" in question, or some way (heh) to interpret the data they 
display remotely.  Almost all of the specialised consoles mentioned here can 
be bought from reputable companies, or else (with the right tools, software 
and knowledge) emulated on a standard PC workstation hooked up to an outside 
line.  I've even seen some of the necessary software available for download, 
naming no names or locations...

If you're aim is simply to abuse the system to obtain 'phree' calls, this 
file is not for you.  This is written for the real phreaks out there; the 
ones with a genuine interest in how these systems actually work - so if 
you're in it to save a little cash and couldn't care less about the theories 
and methodology involved in advanced telecommunications - GO AWAY; read up 
on 'boxing' or some such dinosaur-shit and spend the rest of your life 
wondering why the info you've got doesn't work anymore.

Okay, whining's over...this is all adapted from available security sources, 
so it's technically sound...blah...yadda...you get the picture.  On with the 
file.

.-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-.
|------> THE Private Branch eXchange: AN INTRODUCTION |
'-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'

A Private Branch eXchange (PBX) is a sophisticated computer-based switch 
that can be thought of as essentially a small, in-house phone company for 
the organization (governmental or industrial) that operates it.  As we all 
know, a company's failiure to secure a PBX can result in it exposing itself 
to toll fraud, theft of proprietary or confidential information, and other 
types of losses.

This file presents a generic methodology for conducting an analysis of a PBX 
in order to identify and exploit various security vulnerabilities; focusing 
on digital-based PBXs and addressing the following areas of study:

---> System Architecture

---> Hardware

---> Maintenence

---> Administrative Database/Software

---> User Features

As I've already mentioned, this file is not intended as a step-by-step guide 
to hacking a PBX, but rather a guideline for what specific areas should be 
studied for the existence of a number of possible vulnerabilities.  This 
process must be customized for each specific PBX you target, depending upon 
the actual switch features - which you yourself must determine by A) 
engineering the appropriate docs out of the owner/manufacturer, or B) by 
trial and error during your exploration.  This file provides information on 
vulnerabilities that are *not* well known to many in the phreaking 
community, as well as suggested procedures for penetration.  For any of this 
information to be useful, you have to be able to identify and exploit these 
vulnerabilities before a sys admin identifies them and patches them up!  The 
race is on...(but don't worry too much, most admins haven't got the first 
fucking clue about effective security...heh).

.-=-=-=-=-=-=-=-=-=-.
|------> BACKGROUND |
'-=-=-=-=-=-=-=-=-=-'

Digital PBXs are widespread throughout both government and industry, having 
replaced their analog predecessors.  Although these older systems contained 
known vulnerabilities (e.g., conventional tapping, on-hook live microphones, 
etc.), the advent of software based PBXs has provided a wealth of 
communications capabilities within these switches.  Today, even the most 
basic PBX systems have a wide range of capabilities that were previously 
available only in large scale switches.  These new features have opened up 
many new opportunities for us to attempt to exploit the PBX, particularly by 
using the features as designed for a purpose that was never intended.  
Opportunities on PBX telephone systems are many, depending on your motives 
and goals.

These might include:

---> Theft of service

i.e., toll fraud, probably the most common of motives.

---> Disclosure of information

data disclosed without authorization. Examples include both eavesdropping on 
conversations or unauthorized access to routing and address data.

---> Data modification

data altered in some meaningful way by reordering, deleting or modifying it. 
For example, you  might change billing information, or modify system tables 
to gain additional services.

---> Unauthorized access

actions that permit you to gain access to system resources or privileges.

---> Denial of service

actions that prevent the system from functioning in accordance with its 
intended purpose.  A piece of equipment or entity may be rendered inoperable 
or forced to operate in a degraded state; operations that depend on 
timeliness may be delayed.

---> Traffic analysis

a form of passive attack in which a phreak/spy observes information about 
messages being transmitted (although not necessarily the contents of the 
messages) and makes inferences, e.g. from the source and destination 
addresses, or frequency and length of the messages.  For example, a phreak 
observes a high volume of communications between a company’s legal 
department and the Patent Office, and concludes that a patent is being 
filed.

PBXs are sophisticated computer systems, and many of the opportunities and 
vulnerabilities associated with operating systems are shared by PBXs.  But 
there are two important ways in which PBX security is different from 
conventional operating system security:

---> External access/control.

Like larger telephone switches, PBXs typically require remote maintenance by 
the vendor.  Instead of relying on local administrators to make operating 
system updates and patches, organizations normally have updates installed 
remotely by the switch manufacturer.  This of course requires remote 
maintenance ports and access to the switch by a potentially large pool of 
outside parties.

---> Feature richness.

The wide variety of features available on PBXs, particularly administrative 
features and conference functions, provide the possibility of unexpected 
attacks.  You could use a feature in a manner that was not intended by its 
designers.  Features may also interact in unpredictable ways, leading to 
system compromise even if each component of the system conforms to its 
security requirements and the system is operated and administrated 
correctly.

Although most features are common from PBX to PBX, the design implementation 
of these features may vary.  For example, many PBX vendors have proprietary 
designs for the digital signaling protocol between the PBX and the user 
instruments.  This is the reason digital instruments usually cannot be 
interchanged between PBXs of different manufacturers.  The methodology 
outlined in this file will assist in the investigation of PBX features that 
are known to be susceptible to attack. However, the degree of vulnerability, 
if any, will depend on how each feature is implemented.

This file assumes that the reader has a working knowledge of telephony and 
PBX structure and operation (so if you don't, go do some homework, then come 
back...).  You will also need access to certain types of specific 
hardware/software.

.-=-=-=-=-=-=-=-=-=-=-=-=-=-=-.
|------> SYSTEM ARCHITECHTURE |
'-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'

This section addresses the ways in which you may be able to exploit 
vulnerabilities that are inherent in the system architecture.

Separation of Switching and Administrative Functions
----------------------------------------------------

All modern PBXs have central computer processors that are controlled from a 
software-driven stored program.

+----------------------------+                       +------------------+
|                            |-----------------------|  Peripheral Bay  |
|       SYSTEM UNIT          |                       +------------------+
|                            |                       |  Trunk           |
+----------------------------+                       |                  |
              |                                      |  Universal       |
              |                           +----------|                  |
              |                           |          |  COV             |
              |                           |          |                  |
      +----------------+                  |          |  Digital         |
      | PC or Terminal |                  |          +------------------+
      +----------------+                  |              |           |
                                 +----------------+  +------------+  |
                                 | Central office |  | Subscriber |  |
                                 |                |  | Phone      |  |
                                 | Trunk Lines    |  +------------+  |
                                 +----------------+                  |
                                                              
+---------------+
                                                              | Console 
Phone |
                                                              
+---------------+

Figure 1.

In addition, most PBXs have microprocessors dispersed throughout the switch 
that provide real-time signaling and supervision control as instructed from 
the central processor.  One or more terminals and their associated port(s) 
provide computer operating system, database management, and maintenance 
access to the PBX processor.  Access to these functions gives the user total 
control of the PBX.  Depending on the size of the PBX, these functions may 
be separate or combined.

Administrative Terminals.
-------------------------

The switch should be examined to determine whether the administrative 
functions are performed on terminals that are connected to the PBX via the 
same type of ports that switch the voice and data traffic, or if the 
terminals are connected via dedicated ports.  If they are connected via the 
same type of voice and data ports, these terminals could be surreptitiously 
switched to an unauthorized user.  This may or may not require a modem. If 
the ports are dedicated for use by these terminals, this opportunity is 
mostly eliminated.  However, it is still possible to exploit this through 
the use of a modem coupled with an unauthorized connection to a switched 
port, enabling the resourceful phreak to dial in and make database 
modifications.

In smaller PBXs, these functions are often combined.  For example, the 
attendant (operator) terminal may also be the database terminal, or the 
database terminal may also be the maintenance terminal.  Attempts should be 
made to use these terminals to modify the database or gain access to 
unauthorized functions.  For example, investigate whether you can access 
and/or manipulate the database via the attendants terminal or the 
maintenance terminal.
Switching Algorithm
--------------------

Switching is performed using time division multiplexing techniques where 
each voice (digitized) and data port is assigned a time slot.  Under control 
of the call processing routines, incoming time slots are connected to 
outgoing time slots.  If the number of incoming slots is less than or equal 
to the number of outgoing slots, there will be no contention for switching 
resources.  This is commonly known as non-blocking switching.

Dual Connections.
-----------------

To investigate for vulnerabilities, attempts should be made to route another 
incoming time slot to an outgoing time slot in addition to the intended time 
slot.  This might be accomplished by a database entry or by a modification 
to the PBX control software.  After accomplishing this, test calls should be 
made to verify the dual connection and to determine whether the intended 
calling or called party can detect the false connection.  If the PBX under 
study has status or maintenance query features, and you can access them, you 
can check if they detected the modification.

Function Allocation
-------------------

Although most PBX functions are software driven, the PBX under study should 
be examined to determine how specific features are implemented so that 
potential vulnerabilities can be explored.  For example, conferencing can be 
implemented in hardware or software.  Knowing the design implementation will 
aid you in determining how to exploit the function itself.  Figure 2 shows a 
typical PBX functional architecture.

+----------+           +--------------------------------+
| Terminal |-----------| Identification & Authorization |
+----------+           +--------------------------------+
                      /                 |
                     /                  |
                    /                   |
                   /           +----------------+
+-----------------+            |                |
|   Audit Trail   |------------| User Functions 
|---------------------------------.
+-----------------+            |                |                            
      |
                |              +----------------+                            
      |
                |                      |         \                           
      |
                |                      |          \                          
      |
                |                      |           \                         
      |
                |                      |           
+---------------------------+  |
                '----------------------|-----------| Internal Switch 
Functions |  |
                                       |           
+---------------------------+  |
                                       |          / \                        
      |
                                       |         /   \                       
      |
                                       |        /     \                      
      |
           +------------+    +-----------------+       +------------------+  
      |
           | Subscriber |    | Subscriber Info |       | Trunk Attributes 
|-------'
           +------------+    +-----------------+       +------------------+
           |                /                          |
           |               /                           |
           |              /                            |
           +-------------+-----------------------------'
           | Call Router |
           
+-------------+-----------------------------+------------------------+
                                                       | Request For 
Connection |
                                                       |                     
    |
                                                       | Subscriber Data 
Input  |
                                                       |                     
    |
                                                       | Subscriber Date 
Output |
                                                       
+------------------------+
Figure 2.

.-=-=-=-=-=-=-=-=-.
|------> HARDWARE |
'-=-=-=-=-=-=-=-=-'

This section addresses the ways in which you could exploit vulnerabilities 
that are inherent in the system hardware to gain unauthorized access to 
information passing through the switch.

Susceptibility to Tapping
-------------------------

A PBX's susceptibility to tapping depends on the methods used for 
communication between the PBX and its instruments.  This communication may 
include voice, data, and signaling information.  The signaling information 
is typically commands to the instrument (turn on indicators, microphones, 
speakers, etc.) and status from the instrument (hook status, keys pressed, 
etc.).  Three general communications methods are discussed below.

Analog Voice with or without Separate Control Signals
-----------------------------------------------------

This is the simplest of the three methods discussed here.  Analog voice 
information is passed between the PBX and the instrument on either a single 
pair of wires or two pairs (one for transmit and one for receive).  If there 
is any additional signaling communication (other than the hook switch) 
between the PBX and the instrument, it is done on wires that are separate 
from the voice pair(s).

The voice information is transmitted essentially as it is picked up by a 
microphone.  It is in a form that can be directly reproduced by a speaker.  
The voice line can be easily tapped by connecting a high impedance 
differential amplifier to the pair of voice wires.  The amplified voice 
signal can then be heard directly with a speaker or headphones, or, you 
sneeky so and so, it can be recorded for later playback.

If signaling data is transmitted on a separate set of wires, it is normally 
in proprietary formats.  A phreak with physical access to the target PBX can 
gain useful information by hooking an oscilloscope up to each wire and 
observing the effects when the instrument is taken on and off hook, keys are 
pressed, etc.  For example, in one common format the voltage present on each 
data wire reflects the on/off status of a control or indicator.

Another possible format is one in which information is passed as bytes of 
digital data in a serial asynchronous bit stream similar to that of a 
PC's/terminal's serial data port. Each data byte being transmitted would 
appear in a pattern similar to the following:

*Start Bit, Data Bits (5..8, frequently 8), optional Parity Bit, Stop Bits 
(1, 1.5, or 2)*.

The Start Bit and Stop bits are of opposite polarity.  The bit rate could be 
measured with an oscilloscope.  A device such as a PC or pbx terminal could 
then be configured to capture the serial data and perhaps store it for some 
(hehehe) later use.

Analog Voice with Inclusive Control Signals
-------------------------------------------

In this scheme, analog voice and control signaling is passed between the PBX 
and the instrument on either a single pair of wires or two pairs (one pair 
for transmit and another for receive).  This can be done if the signal path 
is of a high enough bandwidth to pass voice information (less than 4 KHz) 
plus additional data information.  For example, voice information can be 
combined with data information modulated onto a carrier tone that is 
centered outside of the voice band.

This type of line is vulnerable to tapping by connecting a high impedance 
differential amplifier to the pair and passing the signal through filters to 
separate the voice and data information.  Data information could be 
recovered by demodulating the carrier tone.  The methods outlined in the 
section above could then be used to determine the format of the data being 
transmitted.

Digital Voice with Inclusive Control Signals
--------------------------------------------

With this method, voice and control signaling data are passed across the 
same pair of wires.  There may be two pairs of wires, one for each 
direction, or both directions could be combined onto one pair of wires using 
echo cancellation as is done with ISDN.  Conventional tapping techniques 
would not work against most types of digital lines.  The format and type of 
digital signals that pass between the PBX and its instruments vary widely 
between switch types.

If separate pairs are used for transmit and receive, each pair could be 
tapped to provide access to the transmit and receive digital bit streams by 
first determining in what digital format the data is being transmitted.  
Then a digital to analog converter could be used to convert the digital data 
back into analog voice that can be listened to or recorded.  A great deal of 
information useful to an advanced phreak could be gained by disassembling 
the telephone models of interest and determining what types of parts are 
used for CODECs, UARTs, A/Ds, D/As, etc.  Published information on these 
parts can generally be engineered from the manufacturers.

Echo Cancellation
------------------

If both transmit and receive are combined on one pair using echo 
cancellation, the above methods would not be useful for tapping.  This is 
because each transmit end of the link can only determine what is being 
received by subtracting out what it is transmitting from the total signal.  
If you tapped the line somewhere between the two ends you would only have 
access to the total signal and would therefore find it nearly impossible to 
reproduce either end.

One possible way of tapping this kind of line would be to build a device 
that is placed in-line between the two transmitting ends.  The device would 
pass information between the two ends as if it were not there, while 
providing access to the separate bit streams.  The device would depend on a 
known initial condition on both ends (such as silence) in order to be able 
to subtract the correct information from the total signal. The technical 
difficulty of this attack probably makes systems using echo cancellation 
most resistant to attack among all of those described here, since protecting 
against this kind of attack simply requires ensuring that lines are not 
physically compromised.

Conferencing (Hardware)
-----------------------

When implemented in hardware, the conferencing feature may employ a circuit 
card known as a conference bridge or a signal processor chip.  This allows 
multiple lines to be "bridged" to create a conference where all parties can 
both speak and listen.  Some PBXs have a feature where all parties can hear, 
but only certain parties can speak.  This is a type of broadcast conference. 
  For whatever reason, you might desire a connection to the bridge where the 
conference could be overheard.  A hardware modification to the bridge itself 
may make it possible to cause the "output" of the bridge to be available to 
a specific port.  As in instrument modifications, some additional steps must 
be taken to receive this information.  This may include modifying the 
database to make yourself a permanent member of the bridge so that any 
conference on that bridge could be overheard.

.-=-=-=-=-=-=-=-=-=-=.
|------> MAINTENANCE |
'-=-=-=-=-=-=-=-=-=-='

Maintenance procedures are the most commonly exploitable functions in 
networked systems, and the opportunity is even greater with PBXs because PBX 
maintenance frequently requires the involvement of outside personnel. This 
section addresses the ways in which you could exploit vulnerabilities in 
maintenance features to gain access to the switch.

Remote Access
-------------

Remote access is frequently an unavoidable necessity for the owner of the 
PBX, but it can represent a serious vulnerability.  The maintenance features 
may be accessible via a remote terminal with a modem, an Attendant Console 
or other instrument, or even over an outside dial-in line.  This allows for 
systems to be located over a large area (perhaps around the world) and have 
one central location from which maintenance can be performed.  Often it is 
necessary for the switch manufacturer to have remote access to the switch to 
install software upgrades or to restart a switch that has experienced a 
service degradation.

Dial-back modem vulnerabilities.
--------------------------------

Unattended remote access to a switch clearly represents a vulnerability.  
Many organizations have employed dial-back modems to control access to 
remote maintenance facilities.  This access control method works by 
identifying the incoming call, disconnecting the circuit, and dialing the 
identified person or computer at a predetermined telephone number.  Although 
helpful, this form of access control is weak because methods of defeating it 
are well known.  For example, if the local telephone company central office 
uses originator control for phone lines, you can stay on the line, send a 
dial tone when the modem attempts to disconnect, then wait for the modem to 
dial out again on the same line.  A more sophisticated means of defeating 
dial-back modems has also been used in attacks reported in the open 
literature.  In this method, the local phone company switch is penetrated 
and its databases modified to forward the returned calls directly to the 
attacker's computer.

Social engineering attacks.
---------------------------

Even if the organization requires some action by local operators to provide 
access to the remote maintenance connection, serious vulnerabilities may 
still exist.  For example, modems on lines used by remote maintenance may be 
kept off, and only turned on when a call is received from the switch 
manufacturer.  Often the only form of authentication used by the 
organization may be ensuring that the manufacturer remote maintenance 
personnel requesting access are listed among legitimate remote users.  This 
form of authentication is clearly inadequate.  If you're a good engineer, it 
would be fairly easy for you to contact the switch manufacturer on the 
pretext of needing help with a particular type of switch, obtain the names 
of the manufacturer's remote maintenance personnel, and then masquerade as 
these personnel to obtain access to the target switch.

Maintenance Feature Vulnerabilities
------------------------------------

A common maintenance feature is Maintenance-Out-of-Service (MOS).  This 
feature allows maintenance personnel to place a line out of service for 
maintenance.  It is typically used when a problem is detected with a line or 
when it is desired to disable a line. However, if a line is placed MOS while 
it is in operation, the PBX may terminate its signaling communication with 
the instrument and leave the instrument's voice channel connection active 
even after the instrument is placed on-hook.  If the MOS feature were to 
function in this manner, the potential exists for you to use the MOS feature 
to establish a live microphone connection to a user's location without the 
user's knowledge, and thereby eavesdrop on the area surrounding the user's 
instrument.

Line Testing Capabilities
--------------------------

Another common maintenance feature is the ability to connect two lines 
together in order to transmit data from one line to the other and verify 
whether or not the second line receives the data properly.  This feature 
would allow someone with maintenance access to connect a user's instrument 
to an instrument at another location in order to eavesdrop on the area 
surrounding the user's instrument without the user's knowledge.

Undocumented Maintenance Features
----------------------------------

The PBX may support some maintenance features that are not normally 
accessible to the owner/operator of the PBX for several reasons.  These 
types of utilities vary greatly from one PBX to another so that a general 
approach to finding them cannot be detailed.  Some suggested courses of 
action are listed below:


---> Engineer the manufacturer or maintenance company into telling you if 
any such features exist.

---> Attempt to learn about undocumented usernames/passwords.

---> Attempt to search the system PROMS or disks for evidence of such 
features.

Viewing the system load files with a binary editor will sometimes reveal the 
names of undocumented commands among a list of known maintenance commands 
that can be recognized in the binaries.

Special Manufacturer's Features
--------------------------------

There may be features that the manufacturer considers useful in the event a 
customer's PBX becomes disabled to such a point that on-site maintenance 
personnel cannot resolve the problems.  The manufacturer could then instruct 
the maintenance personnel to configure and connect a modem to the 
maintenance port.  The manufacturer may then be able to dial-in and use 
certain special features to resolve the problems without sending a 
representative to the customer's location.  The potential cost savings is a 
likely reason for adding such special features.  The manufacturer would not 
want the special features to be well known because of their potential 
vulnerability.  These types of features would most likely be accessible via 
undocumented username/password access to the maintenance and/or 
administrative tools.  Some possible undocumented features are listed below:

---> Database upload/download utility:

Such a utility allows the manufacturer to download the database from a 
system that is malfunctioning and examine it at their location to try to 
determine the cause of the malfunction.  It would also allow the 
manufacturer to upload a new database to a PBX in the event that the 
database got so corrupted that the system became inoperable.  The existence 
of such a utility could potentially allow you to download a system's 
database, insert a trojan horse or otherwise modify it to allow special 
features to be available, and upload the modified database back into the 
system.

---> Database examine/modification utility:

Such a utility allows the manufacturer to remotely examine and modify a 
system's database to repair damage caused by incorrect configuration, design 
bugs, or tampering.  This utility would also provide you with the ability to 
modify the database to gain access to special features.

---> Software debugger/update utility:

This type of utility gives the manufacturer the ability to remotely debug a 
malfunctioning system under the conditions at which it malfunctions.  It 
also allows the manufacturer to remotely update systems with bug fixes and 
software upgrades.  Such a utility could also grant an advanced phreak the 
same abilities.  This is perhaps the most exciting vulnerability because 
access to the software would give you virtually unlimited access to the PBX 
and its associated instruments.

Manufacturer's Development & Test Features
-------------------------------------------

There may be features that were added to the system during its development 
phase that were forgotten and not removed when production versions were 
released.  There also may be hidden features that were added by a person on 
the development team with the intent of creating a backdoor into customers 
systems.   Left-over debugging code, binary editors, and even a "battleship" 
game have been discovered in commercial PBX system load modules!

These types of features potentially create extreme vulnerabilities for the 
PBX system if a phreak has detailed knowledge of the software and its 
structure.  This is because there is generally little or no protection given 
to test features that are expected to be removed.  The test features are 
probably easy to access for ease of development and have few restrictions in 
order to reduce development time.  These types of features could come in 
many forms, such as:

---> Undocumented username/passwords

---> Entering out-of-range values in database fields

---> Dialing undocumented access codes on instruments

---> Pressing certain key sequences on instruments

It may be possible to discover some of these undocumented features during 
the normal course of the evaluation.  If open technical discussions are held 
with the manufacturer, this area should be discussed, although they may only 
be known to the original designers/developers.  Lastly, some "shortcuts" may 
be described in vendor training courses as an aid to maintenance people.

.-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-.
|------> ADMINISTRATIVE DATABASES |
'-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'

This section addresses the administration of the PBX, the creation and 
modification of its user databases, and the operating software controlling 
the switch.

Software Loading and Update Tampering (WooHoo!)
-----------------------------------------------

When software is initially loaded onto a PBX and when any software 
updates/patches are loaded, the PBX is particularly vulnerable to software 
tampering.  You could intercept a software update sent to a PBX 
administrator.  The update could be modified to allow special access or 
special features.  The modified update could then be sent to the PBX 
administrator who would install the update and unknowingly give the you 
unwanted access to the PBX.

Tamper and Error Detection (Doh!)
---------------------------------

Your fun can be reduced in several ways.  The software could be encrypted by 
the manufacturer and decrypted by the PBX during the install/update process 
using unique keys only possessed by the manufacturer and PBX administrator 
(or the PBX itself).  This method would work well in thwarting you unless 
you could somehow discover the key and encryption method.  The presence of 
such an encryption scheme could be detected by looking through the software 
with an ASCII dump utility on a PC or workstation.  The software will almost 
definitely contain words and phrases that are recognizable to people such as 
messages, variable and function names used by debuggers, etc.  If no readily 
recognizable words or phrases are found, it is very likely that the software 
is encrypted.

The software manufacturer could also use error detection methods in order to 
detect your tampered-with software before installation.  Various cyclical 
redundancy checks and checksums can be performed on the software before it 
is installed.  The results can be compared with known correct results stored 
with the software or in ROM on the PBX to determine whether or not the 
software is valid.  This scheme is useful against hardware or other 
unintentional errors, but only marginally effective against a a determined 
intruder.  Software can be intentionally modified in such a way that the 
modification will not be detectable by standard error detection algorithms.  
A PC or workstation could be used to read the PBX software, make changes, 
and place the modified software on media used by the PBX.  The installation 
or update process can then be attempted with the modified software.  If an 
error detection scheme is in fact used, it is very unlikely that the 
installation process will allow the modified software to be installed.

.-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=.
|------> CRASH RESTART ATTACKS |
'-=-=-=-=-=-=-=-=-=-=-=-=-=-=-='

System crashes primarily present a denial-of-service vulnerability.  The 
means by which a system may be crashed vary significantly from one system to 
another.  The following list suggests a few features and conditions that can 
sometimes trigger a system crash:


---> Call Forwarding.

---> Voicemail.

---> Physical removal of hardware or media from the PBX.

---> Use of administrative/maintenance terminal functions.

Direct modification of the system or the database may be possible if the 
media can be read by utilities typically found on a PC or workstation.

---> Normal system Shutdown procedures.

These approaches should be tested as possible ways of exposing the 
weaknesses discussed in the remainder of this section.

Live Microphone Vulnerabilities
-------------------------------

Although denial-of-service is the primary vulnerability of a system crash, 
it is not the only possibility.  A system may in some cases be crashed in 
such a way as to disable the interaction between the PBX and its instruments 
without terminating the calls in progress.  When a user then attempts to 
terminate a call, the PBX may be unable to command the instruments to 
disable their microphones thereby causing voice data to continue to be 
received by the microphone and transmitted to a destination that may be 
accessible.  You could then eavesdrop on areas around the target instrument 
until normal operation of the PBX is restored.

Embedded Login IDs and Passwords
--------------------------------

Passwords are normally stored in the system database and can be changed by 
administrators and users, as in any computer operating system.  However, 
testing has shown that some PBXs have embedded login IDs and passwords that 
are restored on rebooting the system.  These may be needed to allow 
manufacturer personnel to bring up a system remotely after a failure that 
has corrupted the local database.  However, they also make it possible for 
you to gain administrator privileges on a system by crashing the system, 
then applying a previously acquired embedded login ID/password combination.

Passwords
---------

Most PBXs grant administrative access to the system database through an 
Attendant Console or a generic dumb terminal.  Username/password 
combinations are often used to protect the system from unwanted changes to 
the database. If remote access to the maintenance features is available, it 
is usually restricted by some form of password protection.  There may be a 
single fixed maintenance account, multiple fixed maintenance accounts, or 
general user defined maintenance accounts.  The documentation provided with 
the PBX should state what type of maintenance access is available.  The 
documentation should also indicate how passwords function (so get your 
goddamned hands on the documentation...)

Password Types
--------------

Passwords may be set at the factory to predetermined permanent values.  If 
this is the case, the passwords should be provided by the manufacturer.  
They may also be determined by searching the contents of the system media 
(ROM, PROM, EPROM, EEPROM, FLASH, floppy/hard disk, CD-ROM) for the user or 
account names. Passwords may be stored in a look-up table near the account 
names.  However, some form of encryption may be used to make it difficult to 
determine the passwords.

Passwords may also be set to factory default values that can be changed by 
the user.  Default values are typically published in the documentation 
provided with the PBX.  If there are multiple maintenance accounts and only 
one is used by maintenance personnel, the others may remain at their 
published factory settings.  This would grant maintenance access to anyone 
who knows the factory default settings.

Tables where passwords are stored may be readily found by making a copy of 
likely storage media (EEPROM, FLASH, floppy disk), changing a password, and 
comparing the updated media with the older copy.  Any differences are likely 
to indicate where passwords are stored.  Even if the passwords are 
encrypted, the encrypted versions of known passwords could be placed into 
the password locations of other accounts to set the password of an account 
without having prior access to that account.  Potentially, you could use 
this to seize control of the entire PBX since only you would know the 
passwords.

In addition to published or user defined usernames/passwords, there may be 
additional combinations that are intended only for use by the manufacturer.  
If a table containing usernames or passwords can be found in the load 
module, comparing the number of entries in the table with the number of 
known combinations could lead to the discovery of additional combinations.  
If additional passwords are found but the usernames associated with them are 
unknown, it may be possible to determine correct combinations as follows:

Change the password to one that is known.  Then try logging in using the 
known password with various reasonable guesses at the username such as 
ADMIN, MAINT, SYSTEM, SUPERUSER, ROOT, etc.  If a valid username can be 
determined without a password, it would be useful to try logical guesses at 
the password.

The maximum allowable length of a password would be useful to know when 
guessing passwords.  If not published, it could be determined by using the 
system to set the password of an accessible account to longer and longer 
passwords until perhaps the password is not accepted.  If a very long 
password is accepted, the system may only use part of it.  The useful part 
could be determined by first setting a very long password and then trying to 
log in using only the first few characters.  Try longer and longer parts of 
the password until a part is found that works.  The length of the successful 
part is likely to be the maximum password length.

Password Login Timeouts
-----------------------

A potential vulnerability of the password access system is that an authentic 
user may log onto the system and at some point leave the active terminal 
unattended without intentionally logging-off of the system.  A phreak with 
access to the terminal could then have access to the maintenance system and 
its features.

The PBX may provide protection from such a vulnerability in the form of a 
timeout period.  The system could measure the amount of inactive time on the 
terminal and automatically terminate the login session.  If the timeout 
period is set to a short enough time, the chances of a phreak gaining access 
to an unattended terminal are significantly reduced.  However, the timeout 
period cannot be so short that an authentic user becomes annoyed by frequent 
automatic logouts during normal use.

A system without a timeout feature that has dial-up maintenance capabilities 
could give you access to remote maintenance capabilities.  For example, an 
authentic user may dial-up and log-into the maintenance system, perform 
maintenance tasks, and disconnect without logging-off.  If you were then to 
dial-up the maintenance system, access to the system may be available 
without the use of a username/password to gain access.  This way you know 
it's possible to get an account with more benefits than a standard user 
account.

Multi-Level Password Access
---------------------------

The password system may employ a scheme where the level of access granted to 
a user is dependent on the username or password that is used.  For example, 
there may be a "super user" that has virtually unlimited access to the 
database and maintenance features while an "attendant" may only be able to 
adjust a limited set of database parameters.

If there are multiple levels of access, try to determine if they are user 
selectable (perhaps by the "super user") or if they are predetermined by the 
manufacturer.  Look for a feature that allows a higher level user to 
determine the access level of those below it.  If the levels of access are 
adjustable, a user with a low level of access may be able to increase their 
access levels by modification of the system database.

Physical Security
-----------------

Physical access to the PBX hardware grants access to the software, the 
configuration database, and all calls going in and out of the PBX.  With 
easy access to the PBX, you could exploit practically any conceivable 
vulnerability.

The type of media on which the software and databases are stored is 
important to a PBX's physical security.  If these are stored on ROM type 
devices or on an internal hard disk, it is more difficult to gain access to 
them than if they are stored on floppy disks or CD-ROM.  ROM devices are 
mounted on circuit boards and may be soldered in rather than socketed, 
making removal and replacement difficult (but not impossible).  Likewise, an 
internal hard disk is probably mounted behind something and is bolted into 
the chassis making removal and replacement difficult (but not impossible).  
However, floppy disks are easily removable and replaceable.  As they become 
smaller, they also become more easily concealable (a good old 3.5" floppy 
disk can easily be concealed inside a pocket).  If you had access to the 
floppy disks, you could easily conceal a disk containing modified 
software/databases, gain access to the PBX, and replace the original disk 
with the modified disk.  Similarly, CD-ROMs can be easily removed and 
replaced; since equipment for creating CD-ROMs is nearly as readily 
available as for floppy disks, you may find it equally as easy to copy and 
modify a CD-ROM based system.

If the PBX supports configuration/maintenance via a dumb terminal, the 
terminal may be located near the PBX.  If the terminal is not at the same 
location as the PBX, the terminal port is still available and you could use 
it with a small portable PC acting as a terminal.

Some PBXs may be configured as a central system unit with peripheral units 
at remote locations.  The remote peripheral units may also support 
configuration/maintenance via a dumb terminal and therefore provide the same 
vulnerabilities as the system unit's terminal.  Also, all calls routed 
through a particular peripheral unit are accessible to someone with physical 
access to the peripheral unit.

Attendant Consoles may offer access to PBX maintenance and configuration 
software. Special features may also be available to Attendant Consoles such 
as Override, Forwarding, and Conferencing.  If any of these features are 
available to the user of an Attendant Console, physical access to it will 
probably be restricted to prevent giving you unwanted access to these 
features.

Another feature common to PBXs is a printer.  Various information may be 
printed out on this printer including source and destination of calls that 
are made or received (possibly every call), access codes used to access 
certain features, Account or Authorization codes used for making special 
calls, etc.  Access to these printouts could provide you with information 
that could have potentially "damaging" effects such as toll fraud.

Remote Administrative Access
----------------------------

A very useful but potentially vulnerable feature of many PBXs is remote 
administrative access.  The PBX may allow an administrator to make changes 
to the system configuration database through an Attendant Console or from a 
terminal that is not physically located near the PBX, perhaps over a dial-in 
line with a modem.

Remote Access via an Attendant Console
--------------------------------------

The degree of the vulnerability created by remote access via an Attendant 
Console is determined by several factors:  Password access, Physical 
connection of the Attendant Console to the PBX, and availability of 
administrative features through the Attendant Console.

If there is no password protection or if the password protection is not very 
good, physical access to the Attendant Console becomes very important.  If 
the Attendant console connects to the PBX in the same manner as the 
telephone instruments, you could connect your own Attendant Console in place 
of any other instrument to gain access to the administrative features.

Remote Access via a Terminal
----------------------------

If a standard dumb terminal can be used for access to the administrative 
features,  more opportunities become available for you to gain access.  A 
modem could be connected to a terminal port and an outside dial-in line 
allowing easy access for the PBX administrator to do remote configuration 
and maintenance. Fortunately, it gives easy remote access to you too.

Setting up remote access in this manner, a poor password protection system, 
the existence of backdoors (e.g., a special key sequence that would bypass 
required authorization levels), or the use of easy-to-guess passwords are 
all definite signs that you've found a system you can own, that the admin 
doesn't have a clue, and that you can be relatively sure of your own safety.

Some PBX systems may even support multiple terminal ports.  For example, a 
system with multiple remote switching components (nodes) may have a terminal 
port for each node.  If all of the terminal ports were considered to be one 
access point by the PBX, you could use an unused port to copy the 
communications of a port that is used.  This may allow you to gain password 
information that could then be used to gain full access to the system's 
administrative and maintenance features.

Alarms and Audit Trails
-----------------------

Alarms occur within the PBX for many reasons: hardware failure, thresholds 
exceeded, etc.  They are usually categorized as either major or minor 
depending on whether a function is lost or just operating in a degraded 
mode.  You must be aware of these alarms when attempting to modify the 
system to exploit a vulnerability and, in some cases, attempt to defeat them 
to determine if it is possible to avoid detection of the modification.

Similarly, a system administrator can use these alarms to detect such 
modifications.  An audit of the database may also detect a modification such 
as a user line enabled for Silent Monitoring that was not authorized for it. 
  The success of such an audit is only as good as the amount of 
configuration management applied during switch operation.

The PBX may maintain a history of significant system events to provide a 
system administrator a means to determine what activity has occurred on a 
PBX.  The audit trail or system log may contain information about various 
events such as: database changes, power failures, hardware failures, card 
changes, disk changes, etc.  Stored with the event type may be information 
such as: time and date of occurrence, type of database change, the user that 
made the change, the line on which remote maintenance was performed, etc.

The level of detail stored in the audit trail determines how hard it will be 
to phreak the PBX successfully and safely.  For instance, if a system does 
not log the time and date of an event, it may be difficult for an 
administrator to pinpoint the details of your actions.  Also, if the system 
provides a means of editing, erasing, or replacing the audit trail, you 
could use that feature to mask changes the that you made.  Such a feature 
would present a vulnerability to the system.  In researching the 
vulnerabilities in a particular audit trail system, it is useful to 
determine the level of detail stored to determine if you can make changes 
that go unnoticed or hide changes that have been made.

.-=-=-=-=-=-=-=-=-=-=-=.
|------> USER FEATURES |
'-=-=-=-=-=-=-=-=-=-=-='

This section addresses the ways in which you may be able to exploit 
vulnerabilities in a system's features and the way in which features can 
interact.  As with many aspects of information technology, the proliferation 
of features that make PBXs easy to configure and use has also led to an 
expansion of vulnerabilities.  Many of these are inherent in the features 
themselves, or arise out of feature interactions, making them difficult for 
the company's who own the PBXs to avoid.

The objective of this section is to illustrate some of these 
vulnerabilities.

Attendant Console
-----------------

Attendant Consoles typically have more function keys and a larger 
alphanumeric display than standard instruments to support the extra features 
available to the Attendant Console.  The Attendant Console may be used for 
access to maintenance and administrative functions.  Some typical features 
available with an Attendant Console are Override, Forwarding, and 
Conferencing.

Attendant Override
------------------

This is intended to allow the Attendant to break into a busy line to inform 
a user of an important incoming call.  If you had access to the functions of 
an Attendant Console you could eavesdrop on conversations.  Certain PBXs 
might provide some protection against abuses of Override by providing visual 
and/or audible warnings to their users that an Override is in progress.  To 
be on the safe side, when you're testing the Override feature to see if you 
can abuse it, there are a few things that might warn you that you're not as 
anonymous as you'd like to be.

Note whether both parties can be heard by the Attendant and whether both 
parties can hear the Attendant.  Also listen for indications that reveal 
that an Override is in progress.  Audible warnings may come in the form of a 
single tone when the Override is initiated, periodic warning tones while 
Override is active, or a combination of the two.

---> If any warnings are observed, look to see if there is any way of 
disabling them via the administrative tools.

---> Try using Override with various combinations of inside extensions and 
outside lines.  There may be differences in the amount and type of warnings 
given between inside and outside lines.

Attendant Forwarding
--------------------

A common feature granted to the Attendant is the ability to control the 
forwarding of other instruments.  With access to the Attendant Console you 
could use this feature to forward any instrument's incoming calls to a long 
distance number.  You could then call the target instrument and be forwarded 
to the long distance number, thereby gaining free long distance access.  The 
availability of this exploit could be tested as follows:

Attendant Forwarding
--------------------

A common feature granted to the Attendant is the ability to control the 
forwarding of other instruments.  With access to the Attendant Console you 
could use this feature to forward any instrument's incoming calls to a long 
distance number.  You could then call the target instrument and be forwarded 
to the long distance number, thereby gaining free long distance access.

If this doesn't seem to work on the PBX you've targeted, access the 
administrative tools and look for an option that would allow an 
administrator to disable the use of Attendant Forwarding to prevent you from 
exploiting any vulnerabilities related to Attendant Forwarding, and simply 
re-enable it.

Attendant Conferencing
----------------------

Attendants may also have the ability to initiate a conference or join into 
an existing conference.  If this feature is available, the potential exists 
for you to eavesdrop on a conversation or add an additional party to a 
conference without the knowledge of the other parties.

Automatic Call Distribution (ACD)
---------------------------------

ACD allows a PBX to be configured so that incoming calls are distributed to 
the next available Agent or placed on hold until an Agent becomes available. 
  Agents may be grouped together with each group having a Supervisor.  The 
group of Supervisors may then even have a higher-level Supervisor.  The 
number of Supervisors and number of levels of Supervisors is dependent on 
the type of PBX being used.

Most ACD systems grant a Supervisor the ability to monitor the calls of the 
group they are supervising.  The monitoring is typically done without the 
knowledge of the parties being monitored.

Because of this feature, ACD systems are a potential vulnerability to the 
users of a PBX.  If you could gain access to the configuration tools or the 
system database, you could set up an ACD Supervisor and an ACD Group.  The 
Supervisor could then monitor the calls of any of the users in the Group.  
Suggested method:

---> Using the system configuration tools, create an ACD Agent and assign 
the Agent to a specific line.

---> Then create an ACD Supervisor that has the newly created Agent in its 
supervisory Group and assign the Supervisor to a specific line.

---> On the Agent's line, place a call to another extension or outside line. 
  Alternately, place a call from another extension or outside line into the 
Agent's line.

---> From the Supervisor's line, access the monitoring feature for the 
desired Agent.

---> The Silent Monitoring feature should allow the Supervisor to monitor 
both sides of the Agent's call without either party having any visual or 
audible warning.  Listen to verify that the Supervisor cannot be heard on 
either of the target instruments.

Depending on the way the ACD system works, the Agents and Supervisors may 
need to be permanently assigned to specific lines.  A more flexible method 
may also be used where the Agents and Supervisors are assigned ID codes and 
can be logged into any line.  The type of method used will affect how the 
first two steps are performed.  In either case it is useful to closely 
observe the monitored instruments to see if there are any indications that 
the line is being used as an ACD Agent.

Call Forwarding
---------------

Call Forwarding is a common feature that allows a user to specify an 
alternate number to which calls are to be forwarded based on certain 
conditions.  Common conditions are: forward all calls, forward only when 
line is busy, forward when there is no answer after a certain number of 
rings, or forward when the line is busy or there is no answer.

Forwarding Loops.
-----------------

One potential opportunity with Call Forwarding is the ability to set up 
forwarding loops.  This occurs when one line is forwarded through any number 
of intermediary lines and back to itself.  If such a loop is set up, it may 
cause the entire system to crash or stop processing calls.  This may require 
that one of the lines in the loop be called in order to initiate the 
failure.
For example:

---> You'd set up a forwarding loop by forwarding line A to line B, line B 
to line C, and so on.  When the last is reached, forward it back to the 
first.  A call placed from an outside line to any of the numbers in the 
loop, or from a number in the loop to a number also in the loop, could now 
cause a fatal system crash.

User Tracking.
--------------

Another potential use of Call Forwarding is to learn the whereabouts of a 
PBX user.  Many PBXs can use instruments that possess alphanumeric displays 
which display messages to users.  These displays may be used by the Call 
Forwarding feature to inform a caller that the called line has been 
forwarded to another line.  If any instruments possessing an alphanumeric 
display are available, this feature can be tested as follows:

---> Forward a line to another extension.

---> From an instrument possessing an alphanumeric display, call the 
forwarded line.  Observe the display and look for messages that indicate 
that the dialed line has been forwarded to another extension.

---> Repeat after adding other forwards.

Call Forwarding may be detectable even if an instrument with an alphanumeric 
display is not available, but the forwarding destination will still be 
unavailable.  Many PBXs have a limit on the number of hops that a Forwarding 
chain may include.  This limitation can be used to determine the Forwarding 
status of another instrument.

The following procedure could be used to test for this limitation and its 
potential for exploitation:

---> Instrument A is forwarded to instrument B.  Another instrument is then 
used to call A.

---> The call is forwarded to B.

---> Instrument B is then forwarded to instrument C.  Again call instrument 
A.

---> The call is forwarded through B to C.

---> Instruments are added to the forwarding chain until one of the 
following occurs: 1) You run out of instruments to use or the chain gets too 
long (about 10 or more hops); 2) The system informs you that the number of 
hops is exceeded via a warning tone or display message; or 3) The call to A 
does not get forwarded to the final destination.

---> If condition 2 or 3 above occurs, the number of hops in the attempted 
chain is one more than the maximum number allowed by the system.

---> If condition 2 occurs, you could create a Forwarding chain that ends 
with an instrument being forwarded to the target instrument.  As the chain 
is made longer, a warning will eventually occur.  If the warning comes 
before the known part of the chain exceeds the limit, then the target 
instrument is forwarded.  The length of the unknown part of the chain can be 
determined by the length of the known part of the chain.

---> If condition 3 occurs, you could create a Forwarding chain that ends 
with an instrument being forwarded to the target instrument.  The chain's 
length should be such that the number of hops equals the maximum assuming 
the target instrument is not forwarded.  If a call placed to the start of 
the chain is not processed or terminated before the end of the chain, then 
the target instrument is forwarded.

Account Codes/Authorization Codes
---------------------------------

Account Codes are normally used for tracking calls made by certain people or 
projects so that bills can be charged appropriately.  For example, a user 
may be required to enter an Account Code prior to placing a long distance 
call.  Depending on the configuration of the PBX, the Account Code may have 
to be on a list of approved codes for the call to be successful.  If this is 
the case, the Account Code may be considered an Authorization Code because 
the user must dial a specific Account Code that is authorized for making 
long distance calls.

Another important use for Access Codes is for Dial In System Access (DISA).  
DISA typically allows a user to dial in to the PBX system from an outside 
line and gain access to the normal features of the PBX, almost as if they 
were a subscriber on the PBX instead of an outside caller.

Certain Account Codes may also be allocated for changing a user's Class of 
Service (COS). When the COS is changed, the user may have access to a 
different set of features.  For example, most instruments may be assigned a 
COS that does not permit the use of an Override feature, but a special COS 
that is only accessible by using an Account Code may be created that does 
permit the use of Override.  This means by using the appropriate Account 
Code, you could then gain access to the Override feature.

Since the Account Codes are used for billing, there are records kept of the 
calls that are made for the various Account Codes.  These records generally 
include the source, destination, Account Code, and time/date of the call.  
The records may be stored as files on one of the system's disks, or they may 
be printed out on a system printer.  If the records are printed, a wise 
phreak who is able to gain access to the printed material will have access 
not only to traffic information, but the printed Account Codes.  Once the 
codes are known, you will be able to use the codes for toll fraud, 
additional feature access, etc.

Access Codes
------------

Access Codes are frequently assigned to features so that users with simple 
instruments (e.g., traditional analog phones) may have access to these 
features.  In determining vulnerabilities due to Access Codes, it is useful 
to determine to which features Access Codes can and cannot be assigned.  For 
those that can have Access Codes assigned, determine from what types of 
lines and instruments the features are accessible.  For example, allowing a 
Silent Monitoring feature to be accessed from an outside line can be a 
significant vulnerability.

Silent Monitoring
-----------------

A Silent Monitoring feature may be available that allows a user, given 
special access to this feature, to monitor other calls without the knowledge 
of the parties being eavesdropped upon.  If such a feature exists, its use 
will probably be limited to as few people as possible to prevent 
unauthorized use.

Conferencing
------------

The common Conferencing feature could allow you to eavesdrop on a 
conversation or add an additional party to a conference without the 
knowledge of the other parties.

Override (Intrude)
------------------

An Override or Intrude feature is common to many PBXs.  Due to its potential 
vulnerability, it is commonly selectable as a feature that can be 
allowed/disallowed on a single instrument or a group of instruments.  
Override is intended to allow one user (perhaps a supervisor) to break into 
a busy line to inform another user (perhaps a subordinate) of an important 
message. With access to any instrument permitted to use the Override feature 
you could use this to eavesdrop on conversations.  The PBX will probably 
provide for some protection against such uses of Override by providing 
visual and/or audible warnings that an Override is in progress.

Auto Answer
-----------

Auto Answer is a common feature that allows an instrument to automatically 
go off-hook when called.  The instrument is generally equipped with a 
speaker and microphone in addition to the handset.  It is intended for use 
by people who may frequently not have their hands free to answer an incoming 
call (e.g., a hospital nursing station).

You could use this feature to gain information that would not normally be 
available.  For example, an instrument in a conference room could be set up 
for Auto Answer.  Since the microphone in the room would be live, you could 
monitor a meeting remotely by simply calling that extension.

The degree to which this is possible depends on the specific configuration 
of the PBX and instruments.  There is typically some warning given to a user 
that a call has come in and been answered by their instrument.  The warning 
may be in the form of a light or other visual indicator on the instrument, 
or a ring from the instrument's ringer or speaker, or a combination.

The audible warning may be easily defeated by turning off the ringer or by 
turning down the speaker/ringer volume so that the warning is very quiet.  
The on/off or volume control may be a physical control on the instrument 
and/or a remote control under the configuration of the system database.  If 
it is remotely controlled, you could change it easily without direct access 
to the instrument via access to the PBX configuration tools.

Tenanting
---------

Tenanting is a feature commonly used to limit subscriber access to only 
those subscribers that belong to the same Tenant group.  It would be used in 
a situation where one company owns a building or group of buildings and 
leases out parts of the buildings to other companies.  The building owner 
may also own a PBX that is used to provide voice/data service to the tenants 
of the buildings.  The tenants would all share the resources of a common 
PBX, but each would like to have its own configuration, Attendants, Trunk 
lines, etc.  The Tenanting feature can be used to divide the resources of 
the PBX in this manner.

The operation of the Tenanting feature will vary from one PBX to another.  
The PBX may restrict the Tenant groups so that to each group, there appear 
to be no other users of the PBX.  Alternately, the PBX may allow for 
adjustments in the restrictions placed between groups.  Reducing the 
limitations between groups may be useful for the company in question, but it 
introduces a potential vulnerability into the system.

If you were to gain access to the PBX administrative tools, or access to the 
configuration database, the limitations between Tenant groups could be 
intentionally reduced.  You could create an additional Tenant group that has 
unrestricted access to all other groups.  You could assign Instruments 
and/or trunk lines to the new group, allowing yourself to access the 
instruments and trunk lines of the other groups.

VOICE MAIL
----------

The voice mail feature of many PBXs can be a particularly vulnerable 
feature.  This is because voice mail is typically used to let someone store 
voice messages at a central location by calling in from any inside or 
outside line and then retrieve the messages from any inside or outside line. 
  It also grants the general public access to the PBX system.

Unauthorized Access to Stored Messages
--------------------------------------

In retrieving messages, the target extension and a password are usually 
required to gain access to the messages.  Since the target extension is 
usually easy to determine, the only significant restriction to you is the 
password.  Once you determine a target user's password, all messages left 
for the target user are accessible.  Some weaknesses of voice mail and 
answering machine passwords include the following:

---> Default and obvious passwords.

If you know the user once the his/her extension is known, try obvious 
passwords such as birth dates, other significant dates, and names that may 
be significant to the user. If you don't know the user try the usual Default 
passwords (e.g., voice mail box number, ‘9999’, ‘1000’, etc.) established at 
system initialization time, as they are often never changed.

---> Fixed length passwords.

Check if a password entry can be terminated by a special key such as the # 
or * key.  If not, the passwords may be of fixed length.  Try to determine 
if the passwords have a fixed length and, if so, what that length is.  This 
may be done by entering a known incorrect password slowly while listening to 
determine when the password is rejected.  If such a limitation can be found, 
it reduces the number of random combinations that may be tried before a 
correct password is found.

---> Non-terminated password entry.

Some systems accept a continuous string of digits, granting entry when the 
correct password sequence is entered.  For example, if the password is 
‘896’, and the sequence ‘1935896’ is entered, the password is accepted and 
access granted.  You could use a simple algorithm to overlap digit 
sequences.  By not requiring a password entry to be terminated, the length 
of the average sequence needed to guess a four-digit password is reduced by 
a factor of five.

---> Check to determine if a complete password must be entered before an 
incorrect password is rejected.  Do this by entering several correct digits 
followed by an incorrect digit.  Does the system reject the password as soon 
as the first incorrect digit is entered or must the entire password be 
entered?  If it is rejected on the first incorrect digit, sequential 
guessing becomes much more practical.  For example, on such a system that 
has a fixed password length of four and uses the digits 0-9, it would take 
at most, 40 sequential attempts to guess a password whereas on a similar 
system that required all four digits to be entered, at most 10,000 guesses 
would be required.

Denial of Service
-----------------

You may be able to use a PBX's voice mail system to damage the system in 
such a way that other users cannot access the voice mail system or even the 
entire switch.

Lengthy Messages
----------------

The amount of message time that can be stored on a voice mail system is 
typically limited by the size and number of hard disks allocated to voice 
mail.  By leaving a user an excessively long message full of random noise, 
much if not all of the total message time can be used.  The system may not 
be able to deal with a situation like this and crash, causing access to 
voice mail or the PBX to be limited.  The system may impose a per-message 
time limit.  If this is the case, multiple lengthy messages can still be 
left and have the same effect.

Try to determine if the switch has a per-message time limit by attempting to 
leave a message so long that it uses all of the available space.  You should 
use a message that consists of some sort of noise since most systems don't 
record silence.

If the entire message space cannot be used in a single message or set of 
messages to a single user, try to determine if there is a per-user message 
space limit.  Even if general access to the system cannot be denied in this 
manner, an individual user may still be denied incoming messages by filling 
the user's message space to its limit.

Embedding Codes in Messages
---------------------------

Many voice mail systems have playback features such as: Fast Forward, 
Rewind, Skip, Send a Copy, etc.  These are typically accessed by pressing 
various digit keys during playback.  It may be possible to insert these 
codes into a message during recording in order to cause undesirable results 
if they are interpreted during playback.  A few examples are listed below:

---> You could send a message to a target user that contains a Rewind code 
at the immediate beginning of the message.  When the user plays back the 
message, it immediately rewinds to the beginning of the message and gets 
stuck in a loop playing back that message continuously.

---> You could send a message to a target user that contains a Send a Copy 
code and an extension for the copy's destination.  If the target user's same 
extension is used as the destination, this may create a message that is 
duplicated every time it is played, thereby making a message that seemingly 
cannot be deleted.  Even if the destination extension cannot be added to the 
message, during playback the system may still enter the Send a Copy mode 
requiring the user to enter a destination.  This may create an annoying 
situation where a user must send the message to another user in order to 
delete it, causing the message to "float" around from one user to another 
until perhaps a system administrator can delete it.

---> Try embedding playback codes into a voice mail message.  If this is 
possible, try ideas similar to the examples above and determine how the 
system acts upon playback.  The details will depend on the playback options 
available on each specific voice mail system.

Access to Outgoing Lines
------------------------

Some systems may allow access to the PBX via the Voice Mail system in a 
similar manner as a DISA line.  If this can be done, you may be able to gain 
access to many of the switch's features.  Depending on which features are 
accessible, toll fraud and theft of information are possible.  Checking for 
these types of vulnerabilities can be done as follows:

---> From extension A, call extension B and leave a message.  Search through 
the available menu options for any options that may grant access to another 
line.

---> Dial in to the Voice Mail system to retrieve the message.  Search 
through the available menu options for any options that may grant access to 
another line.

---> If any access to another line is possible when leaving or retrieving a 
message, further investigation is required.

---> After getting access to another line, try using various Access Codes to 
attempt to use their associated switch features.  Also try using Account 
Codes or Authorization codes to make long distance calls.

Privacy Release
---------------

Privacy Release is a feature that may be used when more than one instrument 
shares the same extension.  Frequently, instruments can be configured to 
support multiple extensions where some or all of the extensions are shared 
with other instruments.  The PBX normally ensures the security of each line 
by allowing each extension to be used by only one instrument at a time.  The 
Privacy Release feature disables this security by allowing instruments to 
connect to an extension that is already in use.

If possible, examine the configuration database to try to determine if the 
status of Privacy Release is stored in the database or in the instrument.  
If it is stored in the database,  you could remotely change the Privacy 
Release status of one/any/all instruments attached to the PBX.

Non-Busy Extensions
-------------------

The Non-Busy Extensions feature typically allows calls to an in-use 
extension to be added to a conference with the existing parties when the 
extension is already off-hook.  You could configure a target instrument as a 
Non-Busy Extension and then call that extension to eavesdrop on a call in 
progress.  The PBX will probably issue some form of warning to the user of 
the Non-Busy Extension that another party has joined the call in progress.

Diagnostics
-----------

In addition to the major diagnostic features available at a maintenance 
terminal or Attendant Console, many PBXs provide diagnostics that can be 
initiated from any instrument.  These diagnostic features may permit a user 
to make connections through the PBX by bypassing normal call processing 
restrictions.  This means you may be able to deny service or make undetected 
connections allowing for the monitoring of other calls.  These features are 
commonly vulnerable when used in combinations with other feature 
vulnerabilities.

Camp-On
-------

The Camp-On or Call Waiting feature allows a party to call into a busy 
extension and indicate to the busy party that someone is calling.  The party 
wanting to Camp-On may be required to press a key that activates Camp-On, or 
Camp-On may be automatically activated when the calling party waits on the 
line.  When activated, the called party may receive a visual and/or audible 
warning indicating that another party is Camped-On.  Some typical options 
available are Forward, Trade to, and Conference with the Camped-On party.

If the calling party is brought into a conference, other parties on the call 
may or may not receive a visual or audible indication that another party is 
added to the conference.  By using this feature, you may be able to Camp-On 
to a party in a conference and be brought into the conference without the 
knowledge of some of the conference members.

Dedicated Connections
---------------------

The use of Dedicated Connections allows connections to be made through the 
PBX without need for normal dialing sequences.  Dedicated Connections may be 
used for creating a voice hot line between two instruments so that when one 
instrument goes off-hook, the other immediately rings.  Another example is 
for a dedicated data line between a subscriber's PC or terminal and a 
central server or mainframe.

This can create a vulnerability in which you could make a dedicated 
connection to a user's line and thereby eavesdrop on that line.  Such 
changes may be possible if you have access to the system's software, 
configuration tools, or database.

Feature Interaction Attacks
----------------------------

With the advent of the digital PBX and its wealth of features, the 
interaction between features presents a significant possibility for 
vulnerabilities.  With such a large number of features available, it becomes 
difficult for the manufacturer to consider all of the multitude of 
combinations in which different features may interact.  Because of this, 
vulnerabilities may exist which were undetected by the manufacturer that 
allow you access to the PBX and its instruments.

Since the actual Feature Interaction vulnerabilities found on a specific 
system depend heavily on the particular implementation of the features, it 
would be nearly impossible to describe every possibility for a generic 
system.  Listed below are a few examples that involve common features.  In 
testing for Feature Interaction vulnerabilities, one should examine the 
features available, look for commonalities between features (keys, database 
configuration, etc.), and then test combinations you feel may prove 
vulnerable.  It is useful to even try combinations that do not appear to 
have obvious potential for vulnerability because many Feature Interaction 
vulnerabilities are results of quirks in the implementation of the features.

Call Forwarding/Return Call
---------------------------

A possible Feature Interaction vulnerability is the use of Call Forwarding 
to defeat the Return Call feature.  Normally, if you were to call a target 
user (perhaps harassment via the telephone), after the call is terminated, 
the target user could use the Return Call feature to call you back or 
discover your number or extension (the returned extension may be displayed 
on an alphanumeric display when the call is returned).  You probably would 
not want the target user to discover this information.  Well, often you can 
hide your extension from the target user by using Call Forwarding.  A basic 
example:

Let's say you have dialed into extension A.  You want to call extension B 
with anonimity.  So you'd simply forward extension A to extension C.  Then 
forward extension C to extension D and from D connect the call to B.

Obviously, you'd want it a little safer than this - just use your 
imagination.

Conference/Call Park
--------------------

You may be able to use the Call Park feature to sneak into a target user's 
Conference.  Call Park is typically used to transfer a call to a busy 
extension.  The busy user is informed of the parked call and can connect to 
it if desired.  Conferencing may use the same key to bring a party into a 
conference as Call Park uses to connect to a parked call.  This could allow 
you to park a call onto an extension that is setting up a conference.  When 
the conference is connected, the parked call may also be connected thereby 
bringing you into the conference anonymously.  For example:

---> A call is placed from one extension (A) to another (B).

---> From (A), the caller places (B) on hold and connects to another 
extension (C).

---> A call is then placed between two other extensions, (D) and (E).

---> The Call Park feature is used to park the incoming call to (E) from (D) 
onto (A).

---> (A)'s conference with (B) and (C) is connected.

---> The call parked onto (A) by (D) is brought into the conference with (B) 
and (C).

Return Call/Camp-On/Caller-ID Blocking
--------------------------------------

The Return Call, Camp-On, and Caller-ID Blocking features may be combined to 
cause unwanted disclosure of telephone numbers.  In the example below, 
caller (A) attempts to call (B) using Caller-ID Blocking so as not to 
disclose (A)'s telephone number.  The example below illustrates how (B) can 
use Return Call and Camp-On to defeat Caller-ID Blocking and discover (A)'s 
telephone number ragardless:


---> A call is placed from (A) to (B), using Caller-ID Blocking to conceal 
(A)'s number.

---> (B) does not answer the call and (A) hangs up.

---> (B) uses Return Call to call (A) back.

---> (A) answers the call.

---> (B) hangs up and immediately uses Return Call again to call (A) back a 
second time.  Since (A) is still off-hook, Camp-On is invoked (automatically 
or manually).  (B) hangs up.

---> (A) hangs up and The Camp-On takes effect.  The switch rings both (A) 
and (B).  Caller-ID information is transmitted to both (A) and (B) at the 
same time, disclosing (A)'s telephone number to (B) regardless of (A)'s wish 
to conceal it.

.-=-=-=-=-=-=-=-=-=-=-=-=-=-.
|------> COMPUTER TELEPHONY |
'-=-=-=-=-=-=-=-=-=-=-=-=-=-'

One of the biggest new developments in telecommunications is the advent of 
computer based telephony systems (CT).  As microprocessor speeds have 
increased and memory prices dropped, it has become possible to implement a 
PBX on little more than a high-end PC.  A CT system typically requires only 
the addition of specialized voice processing boards to a PC with 64 MB of 
memory, a 3 GB disk, and 300 MHz processor running Windows NT.  Some CT 
systems use specialized real-time operating systems, but the trend is toward 
commercial off-the-shelf systems such as Windows, Linux, or other versions 
of UNIX.  This development has brought great reductions in the cost of PBX 
systems, but means the possibility of enormously increased security risks.  
Two factors in particular can increase exposure: greatly expanded 
integration of telephony with the computer network, and implementation of 
PBX functions over operating systems with widely known vulnerabilities.   
Some of the features appearing in new CT systems include:

---> Voice over IP.

---> Browser-based call handling and administration.

---> Integration of IP PBX with legacy PBXs and voicemail systems.

---> Integration of wireless networks with office network systems.

---> Virtual private networks.

We can safely assume that most or all of the vulnerabilities described here 
apply to CT systems as well as traditional PBXs.  CT systems may also have 
added vulnerabilities resulting from well-known weaknesses of PC operating 
systems.

I hope you enjoyed the file :)

Play safely, boys and girls...

the B4ckCh4tter

.-=-=-=-=-=-=-=-=-=-=.
|------> END OF FILE |
'-=-=-=-=-=-=-=-=-=-='



......................................................
HTTP://WWW.F41TH.ORG - D4RKCYDE - F41TH MAGAZINE - EOF

<click>
NO CARRIER