A Hacker's Guide to Meridian Mail
Version 1.00 - December 2001
by prephix - prephix@bigfoot.com

[:. contents .:]

1... introduction
2... what is meridian mail
3... how do i find a meridian mail system
4... how do i get access
5... how do i keep access
6... mailbox commands
7... final words

[:. introduction .:]

Ok, the primary purpose for writing this file is for my own personal reference. Until a few months ago, it had been a very long time since I'd actually gone out and messed about with voicemail and PBXs etc, so I figured it was time I got back into that whole area of things. There are already a bunch of files floating about that deal with Meridian Mail, some are bad or vague, a couple are good, so why the need to write another one? Well, I figure that I can write a fairly comprehensive text on the subject, so why the hell not? Anyway, I want to write one, if only to get what I know about the subject down onto paper, or into binary... whatever.

Let me say at this point that this file deals with how somebody would theoretically gain unauthorised access to Meridian Mail. It's theoretical, as of course hacking any voicemail or PBX system is obviously illegal, and I don't encourage anyone to break the law. Obvious really. I shall also be making updates and changes in later versions.

[:. what is meridian mail .:]

Ok, let's start with the Meridian PBX. A PBX is a private branch exchange, which is a small private telephone network that an organisation uses to handle its telecoms. For instance, it's much cheaper to implement a PBX than to connect an external line to every telephone in the company. Phone numbers within the PBX will usually only be 3 or 4 digits long, and they share lines when calling outside of the company.
Meridian PBXs are fairly similar, but come in different sizes that are referred to as 'Options'. For example, Option 11C is one of the smallest Meridian PBXs, hosting between 16 and 700 users, Option 51C hosts up to 1,000 ports, Option 61C hosts up to 2,000 ports (and is dual processor), and Option 81C can handle 16,000 ports and boasts all kinds of knobs and whistles that are irrelevant in this file.

Meridian Mail is a feature of the Meridian PBX. It's an electronic voice messaging system that allows the users to send and receive voice mail with various delivery options to other users. It also supports message forwarding, and allows the setup of distribution lists (lists of mailbox numbers). Here in the UK it's very popular with medium to large sized organisations, and it doesn't take too long to find one.

[:. how do i find a meridian mail system .:]

Before I tell you how to identify a system, you have to know how to actually look for one. It's best to find your own system; if you use a system that was in a public scan then there is an increased chance that other unauthorised users are messing around in it. This is bad because the company is more likely to notice, either through increased use, or through mailboxes being 'locked' from too many failed login attempts. If you want your mailbox to last, find your own system.

Ok this is real basic, but I'll assume you know nothing. The best way to find any VMS or PBX is to go out to a payphone and manually dial through a range of freephone numbers. Be methodical, and write down anything of interest. Dial after office hours, otherwise you'll get people answering the phone; a lot of systems are only accessible after office hours (unless it's a large 24 hour system). When numbers connect, start fiddling around, try * and #, just mess about and you'll see what I mean, there are countless hackable systems worth playing around with.

Anyway, identifying a system as Meridian Mail depends on how it's been set up.
The most obvious is when you call and a female voice says: "Meridian Mail, mailbox?", which is the login prompt. These are usually large 24 hour systems, and are not that common. An example can be found on 0800-800-214.

Anyway, most numbers you call will have a recorded message saying something like, "Sorry, the office is now closed, please leave a message after the tone...". If you hit * before it starts recording your message, a Meridian will usually respond with:

"There is no recorded message. To record a call answering message press 5. Other commands are, message options 70, login 81, disconnect 84, and attendant 0."

Alternatively you can wait for the beep, start to leave a message, and then hit #, in which case a Meridian will usually respond with:

"Recording stopped. To record some more, press 5. To review your message press 2, for more info press *."

Hit *:

"You have stopped recording. Commands you can use are: play 2, record 5, message options 70, delete 76, and send 79. Other commands are login 81, disconnect 83, and attendant 0."

Meridian Mail may sometimes be set up differently, with limited options for remote access. For instance it may just be a single voice mail box that they're using like an answerphone etc. Sometimes if you divert yourself to the attendant (try hitting 0) it will connect you to the attendant's voicemail, and you may then be able to access the main system by using the above methods. Sometimes if the attendant's box hasn't set a greeting, it will tell you the box number, i.e. "Mailbox 4501 isn't available, please leave a message", which can help when trying to figure out what range clusters of mailboxes are in.

[:. how do i get access .:]

Now sometimes you can just hit 81 (login) and start guessing (it actually ain't that hard, I once got in on my first guess), but there are sometimes ways to check where the mailboxes are, i.e. what range they're in, like what do they start with, how many digits are they, etc. Ok hit 0*.
Meridian Mail should respond with something like:

"You have reached an automated service which will connect you to the phone number that you enter. Please enter the number or name of the person you wish to reach followed by square sign..."

Ok, now mailboxes are typically 3 or 4 digits long (but can be up to 6 digits long), and usually start with either a 2 or a 4. I'm going to use an example system to show you what I'm trying to explain here. Let's say we have a Meridian Mail, we're at the above prompt, and there's only two boxes on the system, box 4621 and 4200, but we don't know that, so this is how we find out. I'd like to point out that this may not be the same for all Meridian Mail systems, but it's worked exactly like this for all the ones I've bust into during the last few months.

Ok, so we've hit 0* and it says:

"You have reached an automated service which will connect you to the phone number that you enter. Please enter the number or name of the person you wish to reach followed by square sign..."

So we enter 2 followed by #. Meridian says:

"That number cannot be reached from this service, please try again."

So we enter 4 followed by #. Meridian says:

"Your session cannot be continued at this time, please try again later, goodbye."

Ok weird, so when we try connecting to '2' it tells us that the number cannot be reached, but when we try connecting to '4', it tells us that our session cannot be continued and it disconnects. Hmm.. This means that there are definitely valid mailboxes that start with 4, so we go to the next number. We call again, get to that prompt by hitting 0.. this time we enter 41#. Meridian says:

"That number cannot be reached from this service, please try again."

So 4# disconnects us, and 41# tells us the number cannot be reached. As far as I can tell, this means there are no boxes starting 41, but there are boxes starting with 4. So we try again with 42.
Meridian says:

"Your session cannot be continued at this time, please try again later, goodbye."

Ok! So there are boxes starting 42, but not 41, and we carry on, until it finally tries to put you through to a valid extension. You should be able to see what I'm trying to get across here, it ain't exactly rocket science, but I'm also crap at explaining stuff. :)

Once you know where boxes are clustered, hit 81 to login, enter the mailbox number followed by #, and it will ask you for the password. The default password is usually the same as the box number. For instance box 4112 will have a password of 4112. If you don't get in straight away, move onto the next box. After two failed login attempts I always hang up and call back, even though Meridian allows three attempts. This is because you don't want to accidentally 'lock' mailboxes through too many failed login attempts. A bunch of locked boxes is going to alert the administrator that someone was having a pop at getting into his system, so even if you do get in, your box may not last very long.

When you get into a box you have to make sure it's unused. If there are new messages don't read them. You can read any old messages, but if they're fairly recent then you can't keep the box for personal use. If the internal and external greetings have also been set then that's also an indicator that the box is being used. However, if the box is empty, and there are no greetings set, then chances are the box is unused, in which case you can keep it.

Either way, used or unused, you can now use the distribution list feature to hunt for more boxes. Hit 85 to create a new list, then enter 1 to 9 to identify a distribution list number (you can have 9 distribution lists). If you're using a used box and there are entries then forget about it, try another list; you don't want to change anything that will show you've been there. Once you enter an empty list, hit 5 to start creating the list.
Now you start entering mailbox numbers to be added to the list (followed by #). It will tell you if the box is valid or not, and you can work your way through a large amount of box numbers, writing down valid entries. You want boxes which don't have recorded greetings, as they're more likely to be empty and unused. Later you can see if they have their default passwords set. If you login and it forces you to change your password because it's expired, then chances are it's an unused box.

Right, if for whatever reason you can't do this, or if you're confronted with just the login prompt when calling, then you can always try pot luck guessing. This does work, and I would try the following combinations first... and then work around them:

BOX/PASS

2000/2000   4000/4000   200/200
2001/2001   4001/4001   201/201
2002/2002   4002/4002   250/250
2100/2100   4100/4100   299/299
2101/2101   4101/4101
2500/2500   4111/4111
2501/2501   4150/4150

etc etc.. you get the idea anyway.

[:. how do i keep access .:]

Common sense really. Don't record some crazy greetings like "Heh man this is the awesome bytebandit of the telelame crew.. leave a message now you mother fucker!". It's best to leave the greetings unset, but if you have to, then keep it simple.. like "Leave a message after the tone" will do. Don't lock mailboxes through bad login attempts, and don't send real users mail. If you have access to employees' boxes, try not to read their new mail, as it will no longer be flagged as new, and obvious that someone has read it. I know it's tempting to read other people's shit, but try and stick to mail that's already been read. Also try and keep your system to a select group. The fewer guys using it, the lesser chance of being noticed. I was once using a system with a couple of other guys for almost 6 months. That's about it really, as I said, just use your common sense.

[:. mailbox commands .:]

You'll become familiar with using it as you go along; you can hit * at any time for online help.
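Everything above turns on one fact: the factory password is the box number, and the guesses that get tried first are round numbers like 2000 or 4000. The cheapest thing an administrator can do with that is audit mailbox PINs against exactly that list. The Python below is an added example, not part of the original file and not a Nortel/Meridian tool; it assumes a constructed CSV export of mailbox,pin pairs (the column names and the export itself are placeholders for whatever your system can actually produce), and it goes slightly beyond the text by also flagging repeated-digit and straight-run PINs, which are the next guesses after the defaults.

```python
"""Audit a voicemail mailbox export for the PINs this text says it would guess first.

Added example, not from the original file or from Nortel/Meridian. The CSV
shape (mailbox,pin) is an assumption; Meridian Mail does not export this.
"""
import csv
import io
from typing import Dict, Optional

# The box numbers the text lists as first guesses, reused here as an audit list.
COMMON_DEFAULT_PINS = {
    "2000", "2001", "2002", "2100", "2101", "2500", "2501",
    "4000", "4001", "4002", "4100", "4101", "4111", "4150",
    "200", "201", "250", "299",
}


def pin_weakness(mailbox: str, pin: str) -> Optional[str]:
    """Return why a PIN is weak, or None if none of the checks fire."""
    if not pin:
        return "no pin set"
    if pin == mailbox:
        return "pin equals mailbox number (factory default)"
    if pin in COMMON_DEFAULT_PINS:
        return "pin is on the commonly guessed list"
    if len(set(pin)) == 1:
        return "pin is a single repeated digit"
    # Straight runs such as 1234 or 9876 (this check is beyond the text).
    digits = [int(c) for c in pin if c.isdigit()]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        return "pin is a straight digit run"
    return None


def audit(export_text: str) -> Dict[str, str]:
    """Parse a mailbox,pin export and map each weak mailbox to its reason."""
    findings: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        box, pin = row["mailbox"].strip(), row["pin"].strip()
        reason = pin_weakness(box, pin)
        if reason:
            findings[box] = reason
    return findings


# Constructed sample export (not real data).
SAMPLE_EXPORT = """mailbox,pin
4112,4112
4200,7391
4621,4000
4501,1234
2002,8888
4300,26051
"""

if __name__ == "__main__":
    for box, reason in sorted(audit(SAMPLE_EXPORT).items()):
        print(f"{box}: {reason}")
```

On the sample, 4112 (default), 4621 (PIN 4000 is on the guess list), 4501 (1234) and 2002 (8888) are flagged; 4200 and 4300 pass. Forcing a PIN change at first login, which the text notes Meridian does when a password has expired, is what takes the factory-default boxes off this list.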
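The whole procedure above, from probing the automated attendant through to two guesses per call and then hanging up, is shaped by one control: the three-attempt lockout. The lockout is the only thing the text expects an administrator to notice, so a detector should look for what the lockout misses: failures spread thinly across many mailboxes and many calls from the same number, and a success that follows them. The Python below is an added example and not a Meridian Mail feature; the log format (date, time, then key=value fields, one event per line) and the sample lines are constructed for this example, so parse() is the part to adapt to whatever call records your PBX or voicemail system actually writes.

```python
"""Detect voicemail login guessing spread across mailboxes and calls.

Added example: not from the original file and not a Meridian Mail feature.
The log format and the sample lines are constructed for this example.
"""
from collections import defaultdict
from typing import Dict, List, Set

LOCKOUT_THRESHOLD = 3        # the text: Meridian allows three attempts
MIN_DISTINCT_MAILBOXES = 5   # assumed tuning value, not from the text
MIN_SESSIONS = 3             # assumed tuning value, not from the text

# Constructed sample log. Caller ...0001 makes two failed guesses per call and
# calls back with fresh mailboxes (the pattern the text recommends to dodge
# lockouts) before one succeeds; ...0002 is a user who mistypes once;
# ...0003 keeps guessing one box until it locks.
SAMPLE_LOG = """\
2001-12-03 22:01:10 caller=+441632960001 session=101 mailbox=4200 event=login_failed
2001-12-03 22:01:25 caller=+441632960001 session=101 mailbox=4201 event=login_failed
2001-12-03 22:02:40 caller=+441632960001 session=102 mailbox=4202 event=login_failed
2001-12-03 22:02:55 caller=+441632960001 session=102 mailbox=4203 event=login_failed
2001-12-03 22:04:05 caller=+441632960001 session=103 mailbox=4204 event=login_failed
2001-12-03 22:04:20 caller=+441632960001 session=103 mailbox=4205 event=login_failed
2001-12-03 22:05:30 caller=+441632960001 session=104 mailbox=4206 event=login_failed
2001-12-03 22:05:45 caller=+441632960001 session=104 mailbox=4207 event=login_ok
2001-12-03 22:07:00 caller=+441632960002 session=201 mailbox=4310 event=login_failed
2001-12-03 22:07:12 caller=+441632960002 session=201 mailbox=4310 event=login_ok
2001-12-03 22:09:00 caller=+441632960003 session=301 mailbox=4520 event=login_failed
2001-12-03 22:09:15 caller=+441632960003 session=301 mailbox=4520 event=login_failed
2001-12-03 22:09:30 caller=+441632960003 session=301 mailbox=4520 event=login_failed
2001-12-03 22:09:31 caller=+441632960003 session=301 mailbox=4520 event=mailbox_locked
"""


def parse(log_text: str) -> List[Dict[str, str]]:
    """Turn the constructed key=value lines into dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, time, *fields = line.split()
        event = {"timestamp": f"{date} {time}"}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def analyse(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious calling number to the reasons it was flagged."""
    failures: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    failed_boxes: Dict[str, Set[str]] = defaultdict(set)
    locked: Dict[str, Set[str]] = defaultdict(set)
    successes: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        caller, box = ev["caller"], ev["mailbox"]
        if ev["event"] == "login_failed":
            failures[caller][ev["session"]] += 1   # per-call failure count
            failed_boxes[caller].add(box)
        elif ev["event"] == "mailbox_locked":
            locked[caller].add(box)
        elif ev["event"] == "login_ok":
            successes[caller].append(box)

    alerts: Dict[str, List[str]] = {}
    for caller in sorted(set(failures) | set(locked)):
        per_session = failures[caller]
        total = sum(per_session.values())
        reasons = []
        if len(failed_boxes[caller]) >= MIN_DISTINCT_MAILBOXES:
            reasons.append(f"failed logins against {len(failed_boxes[caller])} distinct mailboxes")
        # The lockout never fires when each call stays below the threshold,
        # so count failures across calls instead of within one.
        if (len(per_session) >= MIN_SESSIONS and total >= MIN_DISTINCT_MAILBOXES
                and max(per_session.values()) < LOCKOUT_THRESHOLD):
            reasons.append(f"{total} failures split over {len(per_session)} calls, "
                           f"each below the {LOCKOUT_THRESHOLD}-attempt lockout")
        if locked[caller]:
            reasons.append("locked mailboxes: " + ", ".join(sorted(locked[caller])))
        if successes[caller] and total >= MIN_DISTINCT_MAILBOXES:
            reasons.append("successful login to " + ", ".join(successes[caller])
                           + f" after {total} failures elsewhere")
        if reasons:
            alerts[caller] = reasons
    return alerts


if __name__ == "__main__":
    for caller, reasons in analyse(parse(SAMPLE_LOG)).items():
        print(caller)
        for reason in reasons:
            print("  -", reason)
```

On the sample, the single locked box from caller ...0003 is the only thing a lockout alarm would show; caller ...0001, who never trips it, is flagged three times over, and the third reason (a success after seven failures elsewhere) names the mailbox worth resetting.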
Here's a list of the major functions anyway:

Recording a greeting: Press 82, press 1 for external, 2 for internal, 5 to record, # to stop.

Changing the password: Press 84, enter new password, press #, repeat, enter old password, hit #.

Recording personal verification: Press 89, press 5 to record name, press #.

Creating a message: Press 75, enter mailbox(s) or distribution list number(s), pressing # after each one, press # again, press 5 to record, # to stop, press 79 to send.

Forwarding a message: Find the message to forward, press 73, enter forwarding mailbox number(s) each followed by #, press ## to finish list, press 5 to record a message header, press 79 to send.

Deleting/undeleting a message: 76 to delete a message, 76 again to restore it.

Outdial: Press #0, then (usually) 9 for an outside line, then the phone number. This probably will have been disabled, or will appear to be, but definitely worth a fiddle, try different things. We had a system where you had to dial 9, then a 5 digit code, and then it allowed you to dial 3 digit external numbers (i.e. the operator who could then put you through to another number).

[:. final words .:]

Ok it's fucking late, and I'm going to bed now. If it's shit, then my excuse is that it's only version 1.00, and I'll no doubt be making numerous changes in later versions... ha... anyway fuck it, the only way to learn is to actually get out there, find a system, and figure things out yourself. Feel free to email me any questions, abuse, etc... prephix@bigfoot.com