Hacking VMBs (Voice Mail Boxes) By Cyber Thief 9/14/98 Introduction ------------ Have you ever wanted to hack a voicemail box? Well, you've come to the right place because this file will show you how to do it. Enough of the shit, let's get started. Step 1: Finding a System ------------------------- Hacking voicemail can be an easy five step process if done correctly. The first step is to find a system to hack. There are several ways one would find it. First off, you could do some old fashioned manual scanning of your favorite 800 prefix. Although this is a long and tedious process. An easier way would be to look in the phone book for companies that boast "24 hour answering service". Make a list of these as well as other numbers that are likely targets. You could also start a collection of business cards. Business card phone numbers are often great sources for VMBs. Anyway, you're bound to run across some systems. When calling a suspect number, listen for a recording that sounds digital. The system should sound a lot better than your average answer machine. If you hear something in the greeting about extensions, then search no more. Extension numbers are a dead give away. By the way, do not, I repeat DO NOT attempt to hack systems you know have been hacked in the past. If you acquire a box on such a system, it will not last as long. Your ultimate goal would be a virgin system that has had no prior experiences with hackers. Step 2: Gaining Access ----------------------- Once you've found a mailbox system, you must determine the access sign. This is probably the easiest part. Access signs are either *, 0, or #. On some systems they may be 8, or 9 but that is pretty unlikely. When calling the system and entering the correct access sign, you should be prompted for a mailbox number. This is where things get tricky so pay close attention to the next two steps. Step 3: Finding a Valid Box ---------------------------- Before finding a box to take over, you must find a VALID box on the system. When prompted for the mailbox number, enter 10 (followed by # or * if required). If you receive an error, try 20. Continue counting by tens until you are prompted for a password. If you receive more errors, try counting by hundreds (100, 200, 300, etc.) If more errors occur try counting by thousands. When you reach ten thousand with no success go back to the beginning and count by fives or tens until you reach ten thousand. Some voicemail systems also give you the option of searching for a subscriber by using his or her last name. If such an option is made available to you, use it to your advantage. Most systems will allow you to key in the first few letters of the subscriber's name. Try common last names like Smith, Jones, Brown etc. If this works, you'll receive a listing of valid boxes to call. This will give you some idea of where to search. If you still have no success, pack up and go home. I guess it was never meant to be. Oh well, VMBs are not for everybody. By this time, most of you should have found a valid box. Let's assume the box you found was number 120. Let's also assume that 110 is not a valid box number, but 150 is. At this point you'll want to do some basic scanning to determine the range of boxes. Scan 119 and below. Keep checking until you start getting errors. Write down the last valid box number you reached before the errors began. Do the same with 120 on up, and 150 on up. This should give you a fairly accurate view of how the boxes are mapped out on the system. NOTE: On some systems such as Meridian Mail, you will be prompted for a password no matter what box number you type in. This can be deceiving since you believe you have found a valid box when in fact you have not. Step 4: Finding a Vacant Box ----------------------------- Once you have found some valid boxes, start scanning for vacant boxes. Vacant mailboxes are either boxes that were created by the system administrator for future employees, or boxes that were abandoned when an employee was fired, transferred, etc. How do you identify a vacant box? Simple. Call the system after hours and enter in some of the valid box numbers you recorded during your earlier scanning. You should be listening for a greeting that sounds like one of the following... A. "Box 120 please leave a message". B. "Box 120". C. "Please record a message after the tone". Of course, if you encounter any outgoing messages recorded by a human assume the box is in-use. NEVER take over a box that is in-use by an employee. You'll feel cool for a few days, but when the owner logs in to check his messages, he'll see evidence of your tampering and change his password. In this case you'll be the one locked out! Step 5: Cracking the Password ------------------------------ All right, this part is EASY. I shit you not, getting the password is the easiest part of the procedure besides hacking out the access sign. If your mailbox is currently unoccupied the password should be reset to the default. The default is the generic password the administrator sets after the box is created. Here is a list of some common default passwords... 000 111 222 333 444 555 666 777 888 999 0000 1111 2222 3333 4444 5555 6666 7777 8888 9999 123 321 The Box number plus 1 (eg. 1201) 1 plus the box number (eg. 1120) The box number itself (Box number = 120, Password = 120) Those are all the password combinations you'll need to know. Just use common sense and you should get in. Don't give up until you've exhausted ALL of the above mentioned possibilities. If none of the defaults work you have either attempted to hack an employee's box (most employees change the password, but some are really stupid) or the system has had problems with hackers in the past and as a result there are no vacant/default boxes. Maintaining your Mailbox ------------------------- Once you've gotten into a box, don't change a thing...yet. First, see if there are any messages. If there are, listen to them. If the messages sound new (some systems will leave the date the message was recorded) you must have hacked a box that is already in use. Go back to step four and try again. If the messages are several months/years old, or sound universal it is probably safe to use the box. Sometimes universal messages are sent to every box in the system by the administrator. Don't confuse these with actual personalized messages. Another good way to determine box status is to call the suspect box and leave a message yourself. Wait a few days/months and log in again. If the message has been listened to, an employee probably controls the box. If the message is still new, chances are the box is abandoned. Once you've determined the status of the box, you can change the password and the outgoing message. Although I would recommend you make your first outgoing message something generic like "Hi, you've reached my box, leave a message". Wait a month or two and see if your box still exists. If it does, you can change the greeting to say whatever you want. The waiting is a necessary evil. If you set your first outgoing message to say something like "YO THIS IS CYBER THIEF THE AWESOME K-RAD ELITE HAXOR LEAVE A MESSAGE OR VISIT MY YO FUNK RAD PAGE G", your box will not last long. I would also recommend you change the password to prevent outsiders from accessing your mail. Features --------- Once you've successfully hacked a box, become familiar with it's features. Some mailboxes are connected to PBXs and thus have dial out capabilities! With some systems you can only call numbers that are local to the system. In other cases there is no restriction on calling which means long distance and toll calls can be placed at the expense of the system administrator. If your box does have dial out, abuse the fuck out of it before it is turned off. Other voicemail features include the ability to create distribution lists, leave messages for other users, message notification, and more. Distribution lists are just like mailing lists. Say your three best friends have boxes on the same system. You can make a distribution list with their box numbers, and forward messages to all three boxes with only a few key presses. So, the distribution list is almost like CC (Carbon Copy) in email. You can save multiple user's IDs and forward one message to all of them simultaneously. Message notification is a setting that will have the system call you when a new message is received. Just enter your phone number and you're set. Although I would advise against this. Otherwise you may get a call from a pissed off system administrator demanding to know WHY your number is on message verification. The bottom line is you shouldn't screw with it. But, if you have the urge just look for a feature called "message verification" or "follow me". How Long Will My Box Last? --------------------------- This question is difficult to answer. I've had boxes that lasted for up to six months. However, I don't think there is any way to guarantee the longevity of your mailbox. If the system is on an 800 number you can count on your box being deleted eventually. This is because 800 numbers have to foot the bill every time someone calls them. Even if your system is local, calling the 800 number will guarantee a charge. If the administrator finds you're calling just to make use of a stolen box, you can bet your bottom dollar it will be deleted. Another common problem is the random system check. Every once in awhile the administrator will perform "security or maintenance exercises". If you find a universal message in your mailbox referring to this, change everything back to normal. Hopefully he will think nothing is different and leave your box alone. Be sure to tell your friends not to call you during this time either. Hacker Resistant Systems and Other Problems -------------------------------------------- Some of the more desirable systems have certain safeguards to prevent outsiders from obtaining mailboxes. While the obvious countermeasures include effective management of vacant/unused boxes, and smart password selection, some systems have their own security features that make the modern voicemail hacker's task much more difficult. Systems such as Skytel, require the user to enter his/her password prior to selecting the box number. This renders the traditional hacking methods inoperable since most rely on vacant boxes and default pass codes. In addition, these systems will automatically log the user off if too many errors occur. A few systems will allow only limited access to vacant boxes. In other words, the box exists with the default pass code but the user can not change the greeting, or even configure the box to receive messages without consent of the administrators. In this scenario, it is the administrator's job to "activate" the box by recording the greeting, and setting up the extension. I have encountered this annoying feature on several new systems including Meridian. The only real "fix" is to hack the administrator's box and do the configuration process yourself. Good luck with that! A Discussion on Systems ------------------------ The purpose of this section is to briefly touch on some of the voicemail systems you are likely to encounter. I will provide general background on each system, as well as default passwords if they are available. Alltel - This is a voicemail system for cellular telephone users only. From your cellular phone, dial #99 and "SEND". Enter your security code, and you are in. All vacant boxes will have a default password of 9999. Alltel voicemail has several desirable features including the ability to change your security code, record a personal greeting, create a "greeting schedule", and forward messages to other users. A.S.P.E.N. - Most people will agree that A.S.P.E.N. (Automated Speech Network) is one of the best voicemail systems. To find a vacant box, scan some common three digit numbers until you hear an automated voice say "You entered XXX. Please leave a message at the tone...BEEP". Hit # and enter the box number when prompted. A friendly female voice will discuss some of the better features of the system and ask for your "temporary password". The password is usually four digits. It is probably one of those on my default list. Features to look out for include the ability to control message playback speed, message forwarding, and "envelopes", extended absence greetings, the awesome ability to create and moderate "guest boxes" for friends, and distribution lists. Audex Voice Power - From the onset, Audex systems are difficult to identify. When calling a suspect number, hit *7. It should respond with "Welcome to Audex Voice Power, please enter extension and # sign". Box numbers are three or four digits and usually start with a 2. The password will be the same as the box number. You are required to hit # after entering the extension number, and the password. Features include easy message recording and forwarding, as well as out call for message receipt notification. Centagram - Most Centagram systems are direct dial. This means that each customer has his/her own 800 number where you can leave messages without having to go through extensions. You can only hack these systems if you have the valid number of at least one legitimate user. Once you have a valid box, scan other numbers in sequence. Most, if not all, Centagram systems will group the boxes together in "blocks". Upon calling a vacant box, you should hear a generic greeting. Before you are told to leave a message, hit #. You will be prompted for a password. The password will usually be the last four digits of the box's telephone number. If this does not work, try some of the defaults mentioned above. Centagram systems are very user friendly, and the nice lady will guide you through a list of options upon entering the box. Cindi - Cindi systems are pretty easy to get into, and they tend to have some nice features. Upon calling the system and pressing #, you should hear "Please enter the person's name using your touch tone keypad, last name followed by first. To enter a Q or Z push 1..." The disconnection message should sound something like "Thank You, Good day". Mailboxes are usually grouped together in blocks and will be either 3 or 4 digits. To log in you'll have to call the vacant box and hit "0" when the message starts playing. The default password for Cindi systems is also "0". Features include message recording and forwarding, playback volume adjustment, call placements, distribution lists, certified messages, and the ability to create guest accounts for friends. Meridian - These systems are the easiest to identify. Upon calling the number you should hear a female voice say "Meridian Mail.... Mailbox?" The box numbers are usually four digits and are grouped together in a logical fashion. The default password is the same as the box number. Meridians have some nice features, including the ability to dial out (some systems). Other features include message forwarding, and "envelopes", distribution lists, personal greetings inside the mailbox, and the ability to log out. Message Center - The Message Center is the easiest direct dial system to hack. Once again, you must find a valid box in the prefix you are scanning. After you have successfully located a box, hit * twice to access the main Message Center Board. It should say something to the effect of "Welcome to the Message Center. Please enter a mailbox number or wait". Enter box numbers in the same prefix and listen for a generic message. Once you've located a vacant box, hit * once to log in! It's really that easy. Although features are lacking, it is always nice to have a direct dial box. Octel - Not much is known about these systems. Upon calling the system and hitting the # key, you'll be prompted for a mailbox number. Enter the number followed by # and you'll get the password prompt. Feel free to try some of the defaults from my list above. Remember, all commands made outside the box must be followed by #. Once inside, you'll be walked through the basic setup. Some Octel systems will require you to change your pass code immediately. Desirable features include the ability to control message playback speed and volume, message notification, future delivery option, "private" delivery option, faxing feature, and distribution lists. One Connect - Perhaps the most useful voicemail system currently on the market. Most One Connect systems are direct dial. Virgin boxes will give you set up instructions when called. Press * for the password prompt, and key in the default code 1234. Once inside, you can listen to messages, retrieve faxed messages, set up message verification, call long distance numbers using the PBX, configure instant paging, and even set up a toll free loop where callers can reach you. Q Voice Mail - This system is very similar to Cindi, and is pretty easy to hack as well. The greeting should say "Welcome to Q Voice Mail Paging". Mailbox numbers are usually five digits, and the default password for vacant boxes is "0". RSVP - These systems suck! They can only hold 23 boxes. Upon calling, hit * for the directory of boxes. If you hit # first, you'll be given a list of options. As soon as you select any option, you'll be prompted for a mailbox number. The mailbox numbers are almost always two digits. The password will be the same as the box number. Skytel - One of the more difficult systems. Skytel voicemail is a bitch because you are required to enter the password first, followed by the box number. Many new voice mail systems are adopting this method since it makes hacking next to impossible. The best way to hack Skytel is to get a PIN number of a user and call customer support claiming to be the dissatisfied customer. Call 1-800-SKYUSER (1-800-759-8737) for Customer Support. Sperry Link - An all around nice system that can be a bitch to hack. Call it up and you'll hear "This is a Sperry Link voice station. Please enter your user ID". Just try some common numbers in sequence. Most IDs are five digits. If you hear "This is an XXX answering service" you have found a valid box. Hit *# to get the log in prompt. At this point you'll just have to guess the password. Try some of the defaults from my list. The passwords are usually four digits. Xerox - This system is not very common. Features include message recording and "delivery", the ability to skip to the end of a given message, notification of non-delivery, future delivery, and a reply option. Call 1-800-TEAM-XRX (1-800-832-5979) for more information on Xerox voicemail systems. In addition there are many other systems not listed here. You'll encounter these unnamed systems too. Some of them are nice others are not. Conclusion ----------- I hope you've enjoyed my file. If you have any questions, comments, or if you would like information about other files I've written, please feel free to contact me. You can do so by sending email to cyberthief@deathsdoor.com. You could also leave a message on my voicemail. Call 1-800-553-2112 after business hours and press "1104". This will forward you to my mailbox where you can leave voice messages. Since the box is hacked, I have no idea if it will still be valid when you read this. Although it should be up for quite awhile. If it does not work, you can call 1-800-289-6689 for my direct dial mailbox. It takes five rings for the system to pick up, but once it does you'll be asked to leave a message. --*- Boundary Sn946+gqUW.Dq?'d-VSFÁS--