yyyyyssssyyyy yyyyssssyyyy      yyyy         yyyy
|lS$$ yy $$$$ """" yy lS$$ S$$$ S$$$$$ $$$$$ S$$$ssssyyyy
:|lS$ ""yyyyy yyyyssss|lS$ lS$$ lS$$ yy$$$$$ lS$$ yy lS$$
:||lS$$ $$$$$ :|lS yy :|lS |lS$ |lS$ $$ yyyy |lS$ $$ |lS$
:::|l  ,$$$$$ ::|l $$ ::|l :|lS :|lS $$ :|lS :|lS $$ :|lS
::::|  $$$$$$ :::| $$ :::| ::|l ::|l $$ ::|l ::|l $$ ::|l
.:::: ....... .:::....:::: .::| ..:|....:::| .::| .. .::|
=========================================================
F41th 15 - November 2002 - 	     http://www.f41th.org
D4RKCYDE 97-02++			  #darkcyde efnet
=========================================================

"Behold here the strength of the prophet's F41th!"



Editorial.............................................. zomba
The OSI Model and SS7 Protocol Stack...................	foneman
Bash wardialer.........................................	hybrid
Hiding Running Services from Portscanners Part I.......	phractal
Frequency Scanning.....................................	datawar
The DATU Modes and Practical Uses......................	phractal
DATU for Dummies.......................................	teletrix
A Hackers Guide to Meridian Mail.......................	prephix
0800-212-000 to 0800-212-200 (UK)...................... prephix
0800-963-XXX (UK)......................................	random 
0800-013-0000 to 0800-013-0200 (UK).................... prephix
Things to consider when (Ab)using a PBX................ b4ckch4tter




.........................................................................
Editorial................................................................
by zomba (zomba@f41th.org)...............................................

I'd like to start this (short) editorial by apologising for the lateness
of this issue of f41th. We realise that within a year a lot of people 
will have stopped visiting f41th.org - especially since f41th.com (our
old domain name) dropped and was bought by some lame company before we
realised.

In the future we are hoping to get issues out a bit more frequently, not
quite how we used to be but maybe bi- or tri- monthly. We are trying to
make f41th.org more of a community site as well, so go sign up on the bbs
at http://f41th.org/bbs/ and get talking.

So what have we been up to? good question... quite a lot of our time has
been taken up with RL issues, education/work/whatever - we haven't had
the time we would have liked to devote to DC or f41th. We have however
not ignored the hp scene and have a lot of shit that isn't ready for this
issue but will be explained in greater detail in f16, including a fair
amount of juarez snarfed in several ninja reconnaissance missions so
keep your eyes and ears open for the next release.

So anyway, lets get on with this issue, there's some decent info for you
to digest as well as hybrids bash scanner (its not that good ;) -hy) and 
some other bits and pieces.

So without further ado, I give you f41th 15...

--
Thanks to everyone that has contributed to this issue (over the past year!).
Hopefully we can obtain a greater number of articles in a shorter period of
time to enable us to release f16 sooner. Phuk everything else, F41th lives.
Fear the static. -hy


.........................................................................
The OSI Model and SS7 Protocol Stack.....................................
by foneman...............................................................


Note:  The following article explains the relationship between the OSI
Model and the SS7 Protocol Stack, it does *not* explain the protocols
within the stack itself.  Those will be later explained in a future
article.


The OSI Model: History
======================
	As you may or may not know, the Open Systems Interconnect (OSI)
data communications standard was developed and published in 1982 by the
International Standards Organization (ISO) mainly for use with mainframes.
It wasn't until 1984 that it was actually adopted as a standard.  OSI is a
protocol which provides the methods necessary for mainframes to
communicate with devices such as modems and terminals.  Since SS7 was
defined and being developed starting in 1981, the SS7 levels only map
loosely to the OSI 7 layer model.


The OSI Model: Layer Responsibilities
=====================================
*Note:  Each layer provides a service to the layer above and below it.
	Ex:  Layer 1 provides a service to layer 2, and layer 2 provides a
        service to layer 3.

				    OSI MODEL
			    
				   ____________
				7 |Application |
				  |            |
				   ------------
				6 |Presentation|
				  |            |
				   ------------
				5 |  Session   |
				  |            |
				   ------------
				4 | Transport  |
				  |            |
				   ------------
				3 |  Network   |
				  |            |
				   ------------
				2 | Data Link  |
				  |            |
				   ------------
				1 |  Physical  |
				  |____________|



	Layer 1: The Physical Layer - The responsibility of this layer is
to convert digital data into a bit stream to enable transmission over the
network, such as conversion from electrical to audible and light.

	Layer 2: The Data Link Layer - The responsibility of this layer is
to provide the services for reliable data communications between two
devices by using some method of sequencing and error detection and
correction, also called the reliability factor.  This layer is *only*
concerned with the transmission of data between the two devices and *not*
the whole network.

	Layer 3: The Network Layer - The responsibility of this layer is
to provide routing services for packets received from some other node.  It
is up to this layer to look at the destination address and find the link
to be used to get there.

	Layer 4: The Transport Layer - The responsibility of this layer is
to make sure the communications over the network are reliable and without
error.  The reliability factor, which was discussed in the Data Link
section, can be built into the Transport layer should the Network layer
become unreliable.

	Layer 5: The Session Layer - The responsibility of this layer is
to establish a dialog with another entity as well as define what type
of dialog to be established.  It also provides flow control procedures
and manages synchronization points.

	Layer 6: The Presentation Layer - The only responsibility of this
layer is to compress and/or encrypt the data and to provide it in a syntax
that can be sent and received over the network at a distant node and then
decompressed and/or decrypted.

	Layer 7: The Application Layer - The Application layer is
basically the interface between the application entity and the OSI model.
This is the first stage in preparing the data to be sent over the network.


The SS7 Protocol Stack: An Overview
===================================
	The SS7 protocol has proved to be an incredibly reliable and
efficient packet-switching protocol that provides all of the services and
functions required by telephone service providers.
	One thing that you might have noticed right off the bat is that
while the OSI model is made up of 7 different layers, the SS7 standard
only uses 4.  This is because the functions carried out by the 4 SS7
levels correspond with the OSI model's 7 layers.  Also, some of the OSI
model's functions serve no purpose in the SS7 network.  The fact that the
SS7 stack doesn't perfectly align with the OSI model is due to the fact
mentioned earlier in this text.


The SS7 Layers: Level Definitions
=================================

			       CCS7 LEVELS

			_  ______   __  __  __
		       |  | TCAP | |  ||  ||  |
		       |  |______| |  ||  ||  |
		       |   ______  |T ||I ||B |
		       |  | ASP  | |U ||S ||I |
		      4|  |______| |P ||U ||S |
		       |   ______  |  ||P ||U |
		       |  | SCCP | |  ||  ||P |
		       |_ |______| |__||__||__|
			   ___________________
			3 |    MTP Level 3    |
			  |                   |
			   -------------------
			2 |    MTP Level 2    |
			  |                   |
			   -------------------
			1 |    MTP Level 1    |
			  |___________________|



	Level 1: The Message Transfer Part Level 1 - The MTP Level 1 is
the SS7 equivalent to the OSI Physical Layer, except for the fact that
while the OSI model doesn't specify which type of interface to be used, in
SS7, we can specify that.

	Level 2: The Message Transfer Part Level 2 - The SS7 MTP Level 2
is the SS7 equivalent to the OSI Data Link Layer, except for the fact that
the SS7 level does not provide the routing for SS7.  Level 2 ensures
reliable end-to-end data transfer over the network, implements flow
control, message sequence validation, and error checking.

	Level 3: The Message Transfer Part Level 3 - The SS7 MTP Level 3
is the SS7 equivalent to the OSI Network Level.  It provides the following
functions: routing, message discrimination, and distribution.  Message
discrimination basically figures out who the message is addressed to.  The
distribution occurs when the discrimination determines that the address is
a local address.  In this case message distribution is responsible for
identifying which user part the message is addressed to and routing the
message to its internal user.

	Level 4: The User Parts Level - The SS7 User Parts Level is made
up of multiple protocols called user parts and application parts.  These
protocols are responsible for functions from basic telephone call
connection and disconnection, provided by the Telephone User Part (TUP) or
the ISDN User Part (ISUP) protocols, to passing subscriber information
from one cell network to another, provided by the somewhat new Mobile
Application Part (MAP) protocol.


Conclusion: What Comes Next?
============================
	A few people have asked me if I think Signaling System 7 is going
to become obsolete.  SS7 is a digital and multi-layered signaling system.
It is quite flexable and fully capable of adaptation.  This has already
been proved when application parts were added to SS7 when Public Land
Mobile Networks were introduced.
	As stated at the beginning of the article, in the future I will be
writing more in depth about the SS7 protocols within the stack.

Greets:  tprophet, lineman, fringe, elektron, c4, borodir, devolve, icbm,
darkcube, subz, downtime, #darkcyde, radiofreq, zoro-a, mega elite.  And
all the people I haven't forgotten:  baiac, panther, kool-aid, brain
phreak, impy, bell phreak, scarface, channel surfer, sdphreak, doomd,
hologram, chaos451, prodigy, chameleon, johnny yo yo, placid, sedition,
water, william tell, vi, broken-, autopsy, theorem, the old sysfail crew,
phriend, dizzy and the rest of the old #telephony cats.


.....................................................................
Bash Wardialer.......................................................
hybrid...............................................................
hybrid@f41th.org..................................................... 
lynx -source http://www.f41th.org/hybrid.asc |gpg --import...........


#!/bin/bash
#==========================================================
# Random/Sequential carrier scanner implementing pppd+chat
# hybrid
#==========================================================
# rnd|std 	- Random(bash prng) or Seqential scanning.
# -r		- Randomization:
# Implements SRegister 11 (DTMF Speed Control) with a random 
# pattern between 50 - 255 milliseconds + Generates random
# pauses between dialing a different number.
# For verbosity, tail -f your syslog.
# Logs results to <pre+range.log> in pwd. 
# Generates Dial-List to <pre+range.dat>
# Note: when scanning low ranges, ie: 0800 123 000 010, 
# take out the suffixing 0 from the scanto range, ie:
# ./scn.sh 0800 123 000 10 rnd -r, instead of 000 010. 
# implementation: 
# * Remote scanning from box inside internal LAN, internal
#   extensions. (todo: internal Meridian/Audix/Octel RA
#   dialup hunting mode.
# * Daemonize the script, crond.. 
#==========================================================

# prefix before dialed number, ie: CLID blocking,
# 9 for outside line etc. 

ROUTE="141,"

# recomended 45 (sec)

TIMEOUT="30"
BAUD="9600"
DEV="/dev/ttyS0"

# pause between dialing limits (used in -r)
# default 0-10 seconds. For greater stealth, increase the
# upper limit

p_upper=10
p_lower=0

# S Register's
# Lost Carrier Hang Up Delay, length of time to wait before
# hanging up after carrier loss has been detected (1-255 tenths of sec)

declare -i LC=14

# DTMF Speed Control, length of DTMF tone/speed of dialing
# (50-255 milliseconds)

declare -i DTMFSPC=95

# Some/Most eXchanges will not allow rapid dialing (in the 50/ms mark),
# adjust the lower limit to suit your line when scanning with random dtmf
# speeds. Standard mode is preset to 95m/s, adjust this to suit. 

upper=255
lower=50

if [ $# -lt 4 ] ;then {	
   echo "./`basename $0` <prefix> <range> <from> <to> <std|rnd> <-r>" 
} >&2
exit 1
fi

pre=$1
ran=$2
from=$3
declare -i to=$4
rdial=$6
code="${pre}${ran}${from}-${to}.log"
stat="${pre}${ran}${from}-${to}.stat"
data="${pre}${ran}${from}-${to}.dat"

dial() {
   line=`cat ${stat}`
   declare -i length=`cat ${data} |wc -l`
   let "length -= ${line}"
   for (( i=0 ; i<=length ; i++ )) ;do
      noint=`ps x |grep pppd |grep -v grep |wc -l`
      if [ ${noint} -eq 0 ] ;then
         if [ "${rdial}" == "-r" ] ;then
            DTMFSPC=0
            while [ ${DTMFSPC} -le ${lower} ] ;do
               DTMFSPC=${RANDOM}
               let "DTMFSPC %= ${upper}"
            done
	    pause=0
            while [ ${pause} -le ${p_lower} ] ;do
               pause=${RANDOM}
               let "pause %= ${p_upper}"
            done
	    echo "done"
	    echo "waiting ${pause} seconds before dialing..."
	    sleep ${pause}
         fi
         num=`cat ${data} |sed ${line}q |tail -1 |awk '{ print $1$2$3 }'`
         killall -9 pppd chat 2>/dev/null
         echo ;echo -n "dialing ${ROUTE}${num}"
         pppd ${DEV} ${BAUD} debug kdebug 4 logfile ${code}	\
         connect						\
         'chat -E -v -t '${TIMEOUT}'				\
            ABORT "BUSY"					\
            ABORT "VOICE"					\
            ABORT "NO ANSWER"					\
            ABORT "NO DIALTONE"					\
	    ABORT "NO CARRIER"					\
	    ABORT "ERROR"					\
	    ECHO OFF						\
            SAY "'${num}':\n"					\
	    "''" "AT S10='${LC}' S11='${DTMFSPC}'"		\
	    OK ATDT'${ROUTE}${num}' 				\
	    CONNECT "''"					\
            SAY "CARRIER DETECTED ON: '${num}'\n"'
	    let "line++"
	    echo ${line} >${stat}
      else
         sleep 2
         echo -n "."
         let "length++"
      fi
   done
}
std() {
   echo "${from}" >tmp.$$
   bs="`cat tmp.$$ |wc -L`"
   for (( i=from ; i<=to ; i++ )) ;do
      if [ $i -lt 10 ] && [ ${bs} -le 3 ] ;then range[pos]=00${i}
      elif [ $i -lt 100 ] && [ ${bs} -le 3 ] ;then range[pos]=0${i}
      elif [ $i -lt 10 ] && [ ${bs} -ge 4 ] ;then range[pos]=000${i}
      elif [ $i -lt 100 ] && [ ${bs} -ge 4 ] ;then range[pos]=00${i}
      elif [ $i -lt 1000 ] && [ ${bs} -ge 4 ] ;then range[pos]=0${i}
      else range[pos]=${i}
      fi
      {
         echo "${pre} ${ran} ${range[pos]}"
      } >>${data}
      let "pos += 1"
   done
   rm -rf tmp.$$
}
rnd() {
   echo "${from}" >tmp.$$
   bs="`cat tmp.$$ |wc -L`"
   echo ;echo "generating array" ;echo
   for (( i=from ; i<=to ; i++ )) ;do
      echo -n "-"
      if [ $i -lt 10 ] && [ ${bs} -le 3 ] ;then range[pos]=00${i}
      elif [ $i -lt 100 ] && [ ${bs} -le 3 ] ;then range[pos]=0${i}
      elif [ $i -lt 10 ] && [ ${bs} -ge 4 ] ;then range[pos]=000${i}
      elif [ $i -lt 100 ] && [ ${bs} -ge 4 ] ;then range[pos]=00${i}
      elif [ $i -lt 1000 ] && [ ${bs} -ge 4 ] ;then range[pos]=0${i}
      else range[pos]=${i}
      fi
      let "pos += 1"
   done
   echo -n ">DONE" ;echo ;echo
   p=0
   range_length=${#range[@]}
   echo "generating random suffix" ;echo
   for (( j=0 ; j<range_length ; j++ )) ;do
      echo -n "-"
      alg=$RANDOM
      let "alg %= $range_length"
      local temp=${range[j]}
      range[j]=${range[alg]}
      range[alg]=$temp
   done
   echo -n ">DONE" ;echo 
   echo "saving output to file.." ;echo
   {
      while [ $p -lt $range_length ] ;do
         echo "${pre} ${ran} ${range[$p]}"
 	 let "p = $p + 1"
      done
   } >${data}
   rm -rf tmp.$$
   echo "DONE" 
}
if [ "${5}" == "std" ] ;then
   if [ ! -e ${stat} ] || [ ! -e ${data} ] ;then 	
      echo "1" >${stat}
      #==============
      std ;dial ;echo 
      #==============
   elif [ `cat ${stat}` -gt `cat ${data} |wc -l` ] ;then
      echo "seqential scan complete."
      exit 0
   else
      #==============
      dial ;echo 
      #==============
   fi
elif [ "${5}" == "rnd" ] ;then
   if [ ! -e ${stat} ] || [ ! -e ${data} ] ;then
      echo "1" >${stat}
      #==============
      rnd ;dial ;echo
      #============== 
   elif [ `cat ${stat}` -gt `cat ${data} |wc -l` ] ;then
      echo "random scan complete."
      exit 0
   else
      #==============
      dial ;echo
      #==============
   fi
else
   echo "choose random(rnd) or seqential scan(std)"
fi
exit 0


.......................................................................
Hiding Running Services from Portscanners Part I.......................
by phractal............................................................



/* parts of this article are theoretical and some
is proven with code, feel free to get in touch
to comment or point out flaws in my theories */


Hey there. Have you ever wished to run a certain daemon or backdoor
but have it hidden from the eyes of network scannners. Suppose you
want to run a private ssh server for only a select few, but they
don't always have the same hostname, or perhaps a backdoor to a 
unix that you worked hard to get to. Well, I got to thinking of
ways to have an actual service running and yet being undetectable
to people snooping in on your network. 



Here's what I will discuss

	-'port tripwire'
	  -how it works
	  -porttrip.c
	  -end notes


#############
Port Tripwire:
#############

Port tripwire is a name i came up with for opening up a low port in
an attempt to catch a port scanner before he reaches any ports that
you want to hide. 

If you or your borrowed remote host are running:

Port       State       Service
23/tcp     open        telnet
53/udp     open        domain
80/tcp     open        http
3557/tcp   open        BACKDOOR

You might want to hide this machine from scanning kiddies to hide
anyone who might want to abuse your server if they want to get in
via telnet, or maybe you don't want it known that you run a web
server, and of course, that backdoor is supposed to be hidden from 
view of scanners as well. How can we prevent a scanner, of whom
we will have no idea of his IP address, from finding these running
services via scanning? Well, port scanners will generally scan ports
in sequence or in rough sequence. They will or will usually access 
the low ports first, and then proceed to connect/request ACK replys
of higher and higher ports. We can intervene on the scanning process
if we stop the scanner midway. We can do that by looking for him
where he'll come in, the low ports. We should choose a fairly obscure
port to try and detect the scanner, because otherwise it could be
a legitimate session, a normal user accessing a known service. For
my little port tripwire program, I chose port 3, it is a low port, 
and almost no one runs it. If you wish to hide common services, you
may wish to change that to port 7(echo), as that is obscure, but it
is also listeded in nmap's services to scan for.

The way that Port Tripwire works is, it opens up a socket and 
listens on that low port. If any connection is made to that port,
the program identifies who that host is, and immediatly issues
a command to firewall out any further attempted connections made
by the scanner. It blocks him out, turns the computer silent on
him. The following code proves this concept. It is however 
incomplete, not a full security program, and most likely has
plenty of vulnerabilities itself. It is used just to demonstrate
this concept.

#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>       

#define PORT 3
#define BACKLOG 1

//Port Tripwire BETA
//made for BSD or any ipfw firewalled OS
//by phractal


int main() {

	//printf("PortScan Tripwire BETA by phractal \n");
	int fd=socket(AF_INET,SOCK_STREAM,0);
	int fd2;
	
	struct sockaddr_in server;
	struct sockaddr_in client;
	int sin_size;
	
	server.sin_family = AF_INET;
	server.sin_port = htons(PORT); 
	server.sin_addr.s_addr = INADDR_ANY;
	bzero(&(server.sin_zero),8);
	
	bind(fd,(struct sockaddr*)&server,sizeof(struct sockaddr));
      		
	
	

	listen(fd,BACKLOG);	
	
	while(1){
  		sin_size=sizeof(struct sockaddr_in);
		if((fd2=accept(fd,(struct sockaddr *)&client,&sin_size))>-1) {
		//printf("connection from %s\n",inet_ntoa(client.sin_addr) );
		//printf("DENY! \n");
		char cmd[150];
		char cmdpt1[] = "ipfw add 01234 deny tcp from ";
		char cmdpt2[] = " to any";
		sprintf(cmd, "%s%s%s", &cmdpt1, inet_ntoa(client.sin_addr), &cmdpt2);
		printf("%s",cmd);
		system(cmd);
		
		}
	}
	close(fd2);
	return 0;
}


While this program is running, if i nmapped a server running it with a 
normal TCP connect() scan then I would see port 3 as the only running
service. 

There are some problems with this program. Since it uses accept() to 
determine that a scan is in place, SYN scans will not be picked up,
and if a scanner was lucky or smooth enough, maybe he might scan a 
certain block of ports that is outside the port that the tripwire
program runs on.

In Part 2, I will discuss more advanced port scan detection methods.
I will focus on using promiscuous mode to sniff for SYN packets
and will be using methods different from the tripwire approach.

-------------------------------------------------------------------->


greetz go out to h/pers and coders better than me:

stain, team phreak, awnex, dvdman, l33tsecurity, pare, bor, trunklord
linear, bor, 9x, subz, hybrid, datawar, downt1me, notten, telec
and people i forgot


.....................................................................
Frequency Scanning...................................................
DataWaR, dw@f41th.org................................................

===> Setup

Radio shack Realistic PRO 37 scanner modified to unlock high frequencies
and the 800 range. If you want to know how I did this you may either lookup
at google or ask me through email.

First step is to get hold of signal mixer. I used one with two UHF inputs
and 1 VHF output. You may be able to get hold of any single VHF/UHF
combination or others depending on how much power you need. Unlike most ppl
do the amplification comes by modifying the edge of the UHF antenna with 
a small plate designed in spiral form.

You may either construct this on your own or by asking for a ready one. 
Availability may be an issue as they are not sold separete. The idea 
behind this is to enable a better receiving interface on all directions.
The next step is to connect the two antennas in the mixer (to avoid noise 
use the extra grounding wire strip on the box). Follow the same procedure 
for as many antennas you wish or the mixer supports. Make sure the 
indications on the box are similar to the input type i.e VHF. If the box 
does not indicate this, a way around it is to open the mixer and lookup 
the circuit at the back. The wire that does not end up in the grounding of 
the circuit is the one where you need to connect up the strip of the 
arial.

Replace the rubber antenna that the scanner comes with with the output 
lead of the mixer. Make sure you have a female->male adaptor to ensure 
that the fitting is good although I tried connecting the wire directly in 
and it worked. But it is better to keep a good design.

Once everything is connected you may need to start tweaking the direction 
of your antenna(s) depending on what singal you want to pick up. The trick 
while scanning is to either go manually (slow way) or speed up by using a 
delay factor. This is done to ensure that the scanner will have time to 
pick up a signal if the channel being scanned is idle for a few seconds. 
This will delay our scanning process but it will increase the 
probabilities of grabbing an active channel of communication. Another good 
tip is to make the scanner sensitive to signals incase you are receiving
something weak. Although this will help it will sometimes pick up channels 
with a lot of noise and no activity which you should ignore.

Finally an amplifier may be needed to reconstruct weak signals received. 
This is an intermidiate device between the mixer or single antenna 
depending on what you followed and the actual scanner input. Usually such 
a device wont be needed unless you live in a rural area (hah!).

===> Scanning results

132.800 Airport traffic? 
	A woman giving plane coordinates and directions of 
	destinations and flight levels probably military 
	training planes. Also directing flight levels, coordinates 
	of radar placement etc.

149.600 Coast police station center. 
	Loads of fun feel free to abuse them with a tranceiver.

141.500 Pirated radio shack?

145.000 ~5 ppl communicating with code names couldnt figure out any pattern.

146.750 Truck drivers communicating probably some lame cargo company. 
	Loads of noise in the channel use some sort of high pass filter if 
	you wanna get rid of it.

153.125 Police vehicle frequency. 
	Most of them report incidents to all the police vehicles.

164.800 Radio taxi (lame!)

165.525 Didnt pay too much notice to them I think its an ambulance frequency.

169.885 Street car repair. They are retards (I warned you!).

170.625 Street police, they communicate a lot with coordinate systems 
	on locating places. (probably a street maping system)

173.125 Fire station (lame!)

445.000 Periodic signal which seems to be modulated probably needs a 
	demodulator to listen correct.

900.625 My neigh. wireless phone. (haha nice messing around with him!)
	I noticed that a lot of wireless phones use 900mhz to communicate 
	so if you are close to a lot of them you might pick up different 
	all the time.

945.125 Constant ticking and rarely one person talks with no sense. 
	Experimental broadcasting frequency?

Note: I did not pay much attention scanning the entire frequenct range 
I just picked up some open channels and had them into monitoring mode. 
This test was made in two areas in Greece where I was able to pull my 
setup and not being disturbed.

===> Conclusion

Scanning is illegal by the law and is prohibited in most countries especially
if used without a license. So I have no responsibility if you get caught in 
any way. Theoretically it is very hard to get caught if you are doing dynamic
scanning such as moving in a car as your location coordinates change all the
time and it is hard to track down your exact location although it is possible.
Furthermore care must be taken especially if you are in area that you know
ppl perform checks with radar scanners. I tried to keep this document 
independant of a scanner make. Although some features described above such 
as the delay factor and others may or may not exist in your scanner. Also 
unlocking frequencies may
vary depending on the design of your circuit/scanner. This document was not 
made to discuss how to unlock certain types of scanners so if you want to 
do that look it up yourself, there are already a lot of articles written 
on such procedures.

Take care and have fun :-)

-- DataWaR


.........................................................................
The DATU Modes and Practical Uses........................................
by Phractal..............................................................


[ disclaimer: unless you are a certified technician, any DATU you access
is not your property and therefore is electronic trespassing into the
insides of your local Central Office. Know what you're getting into. This
information may or may not have been test by someone certified to operate
a DATU. This is merely information, nothing more.]

I.    Intro, Switching Diagrams, DATU definition
II.   Format of DATUs
III.  Test Mode
IV.   Admin Mode
V.    Practical DATU uses
VI.   Theoretical DATU uses
VII.  Final Notes
VIII. Technical Acronyms

I. Intro
	Well, a great many of articles have been written recently
regarding the Direct Access Test Unit (DATU). A DATU is a computer
that you can connect to via the PSTN, all you need is the phone number.
My local Central Office uses a AT&T 5ESS switch, so I know for a fact that
those switches use DATUs, I am not sure about others, like DMS switches,
but chances are, your local, residential Central Office has a DATU. DATUs
use the ring and tip wires a lot to test lines, the ring and tip wires
are often the red and green wires that go into your phone.

	DATUs are tubular little wonders that allow the phone company and
phreaks to perform tests on local loops. To test a line outside your
Central Office's area, you need the DATU number for the Central Office
that serves it.

I should mention that this article discusses but is not necessarily
limited to testing POTS lines.

>From the PSTN to your home:

          |
  \              /
                         /------------------\   /-----------------------\
_      PSTN!     ---ss7--| Toll Switch      |---| Local Switch / CO     |
                         |DMS 200, 250, 500 |   | 5ESS, DMS 10, DMS 100 |
                         \------------------/   \-----------------------/
  /       |     \                                         |
                                			  |
                                                     <POTS lines>
                                                          |
                                                         ___
                                                        /   \
                                               /--------\   /--------\
                                               |Junction|   |Junction|
                                               |  Box   |   |   Box  |
                                               \--------/   \--------/
		                                  /\   Split    /\
                        Your k-rad line~~~~~~~~~>/  \   lines  /  \
                                                /\  /\        /\  /\
                                               /  \          /
                                              /
                                             /
                                       tip> /\ <ring     Residential
                                           /  \          Loops
                                           |  |
                                           |  |
                                         /------\
                                         | home |
                                         \------/



II. The Format of DATUs

The format of most DATUs is xxx-9935

It is up to you to find an exchange that works, it shouldn't be too hard
since most non-toll COs only serve less than 15 or so exchanges. If you
still can't find it, the DATU could be anyplace else, or you have a
different switch, but for most 9935 is the suffix for the DATU. You can
try wardialing for them. You will recognize a DATU by it's weird prompt.
It is a 440hz tone sounding like a low hum. The prompt is asking you to
enter in the DATU password on your DTMF keypad. All passwords that I have
found to work are 4 digits, the default is 1111. If it isn't the password,
try pairs like 3535 or 9292, i have found some that work with pairs, as
well as 4300. Then again, don't try and brute force the password, at least
not from home. If the Telco notices a lot of failed DATU logins then they
will contact you or they will change the password, causing a headache for
all the linemen and phreaks who already know it. Use your head :)



The real hardcore hardware nerdy stuff of DATUs can be acquired by reading
Phrack 52, and PPM issue 2 and 3.

Therefore I'm not going to heavily explain what all the functions do
inside the DATU.

Also, for a quick reference, check Telec's article @ phonerangers.org

-Once you have the DATU, and the 440Hz tone, you will have to dial the
password using DTMF tones. There are two accounts/passwords THAT I KNOW OF
for each DATU. There is the normal account which is a 4 digit password,
and there is an ADMIN account, which is * followed by 7 digits.

III. Test Mode

Default passwords for the normal account are 1111 and 4300
Once inside the DATU using the normal account you will hear a second
440 Hz tone prompting you to enter in a seven digit phone number that
is served by the switch the DATU is at. After that you should hear an OK
to confirm, otherwise you did something wrong, or the line is busy. You
can perform tests on the line by using the corresponding codes:

Code:   Test:                     Fuction:
1       ----                      Announces the menu over the phone

2       Audio Montior             Hear SCRAMBLED traffic on the phone, can
                                  be used to test if there is activity on
                                  line or not.

33      Short to Ground           Shorts the ring, tip and ground wires of
                                  your line back at the CO(red and green
                                  wires)

37      Ring Ground               Shorts ground and ring wires

38      Tip Ground                Shorts ground and tip wires

44      Ring/Tip High Tone        Bursts a high level tone onto the Tip
                                  and Ring Wires

47      Ring High Tone            Bursts a high level tone onto Ring wire,
                                  Tip grounded

48      Tip Hight Tone            Bursts a high level tone onto Tip wire,
                                  Ring grounded

5       Low level Tone            Bursts low level tone onto tip and ring
                                  wires

6       Open Line                 Cuts battery power to tip and ring, line
                                  has no electricuty from CO, rendering it
                                  unusable

7       Short Line                Electricity given to tip and ring from
                                  CO

9       Permanent Signal Release  Used on busy lines in older switches,
                                  refer to the DATU article by BlackAxe in
                                  Phone Punx Magazine Issue 2

*       Hold Function             Keeps current test on line active after
                                  you disconnect for a specified amount of
                                  time that you have to enter in, most of
                                  the time 10  minutes is the max, to
				          prevent things like a line being open
                                  for a month.
#       New Test                  Disconnects you from current line, and
                                  prompts you to enter in a new number to
                                  test, like the Control-C of a DATU.

IV. ADMIN MODE:

/!#@$%@#$

HI, I just want to make a point of saying that the following is info is
NOT confirmed, I am writing this from my experiences using admin mode.
For example, I don't know if option 3 actually has the power to delete
exchanges or not, i haven't tried it, and neither should you, really.

The Admin mode is entered by entering in a * followed by a seven digit
passsword. I currently am un-aware of any 'defaults' for this. The
options in the admin account allow you to do things that pertain more to
the Central Office and how it serves the public. You cannot test local
loops with the ADMIN ACCOUNT. Once you get a valid password, you should
NOT hear a second 440hz tone, you should just automatically hear an 'OK'. 
The
following codes work for the ADMIN mode:

***PLEASE IF YOU HAVE ACCESS HERE, EXPLORE WITH CARE! YOU COULD SERIOUSLY
CAUSE DAMAGE TO YOU AND YOUR LOCAL NEIGHBORS SERVED BY THE LOCAL CO. I
WOULD SUGGEST YOU DO NOT EVEN ATTEMPT TO CHANGE OR ACCESS ANY OPTIONS
OTHER THAN TO CLEAR YOUR TRACKS(covered later).

Code:     Option:                       Sub-Optionz:
1         Set password                  1.Set System Password
					          2.Set User Password

2         Select Busy Test              1.Select Busy Test
                                           4. Stanard Busy Test
                                           5. 5ESS Busy Test
                                        2.Select Dialing Message
                                           1. MF Dialing Message (??)
                                           2. MF Dialing Message
                                           3. Pulse Dialing Message (??)
                                           4. Pulse Dialing Message
                                           5. MF with Reversal Sensing
                                           6. Pulse with Reversal Sensing
                                        3.Select Trunk
                                           1.Standard Trunk
			                         2.Special Trunk
                                             1. Trunk Share
                                             2. No Trunk Share

3         Read/Change Prefixes          3.Add Prefix
                                        4.Clear all prefixes
                                        5.Delete Prefix
                                        6.Read all prefixes

4         Read/Clear Timers             1. Read Timers
					             1. Usage Timers
					             2. Function Timers
					          2. Clear Timers
                                           1. Clear Usage Timers
                                           2. Clear Function Timers
                                           3. Clear all Timers

5         Select # of digits            Dial 4, 5, or 7

6         Set AccessTimeout Parameters  Dial Three Digits

7         Read/Clear Counters           1. Read Counters
                                           1. Read Usage Counters
                                           2. Read Function Counters
                                        2. Clear Counters
                                           1. Clear Usage Counters
                                           2. Clear Function Counters
                                           3. Clear all Counters
8         Enable/Disable Test 9         Toggle wheather Permanent Signal
                                        Release is allowed or not to be
                                        used
0         Clear Alarm                        ??



There are other kinds of lines and functions that you can do with the DATU
computer, but I suggest you look them up in Phrack or PPM, or maybe I'll
write a part 2 sometime later :)

BTW, the only tests that work on a busy line are: Audio Monitor, Low Level
Tone, and Permanent Signal Release.

To cover  your tracks, clear the onboard logs, aka Timers, via Option 7.

V. Practical Uses for DATUs:

Busy Lines:
	Let's say you call a number, be a friend, or wardialing and its
busy. You can use the audio montitor to test if there is actual traffic
on the line, if not, then maybe the line is somesort of test line or
someone left a phone off the hook. I have found audio monitor useful when
trying to hack weird modern COCOTs. Let's say you know a BBS or some
carrier that you want to connect to, but it's busy, like a COCOT's
computer modem, you can blast a Low Level Tone to throw off the modem and
have it get disconected, you can also remotely disconnect any modem from
a connection if you know the number of the line. (You can only do this if
the line has a ground going into thehouse, or building and not just at
the CO) If there is a number you have found that is ALWAYS busy, i mean
ALWAYS, try  opening the line and dialing it right after the line is
shorted back. I find that COCOTS almost always have grounds in them.

*Most residential lines will not hear Low Level Tone, because they have
no ground going into the phone.

Beige Boxing in a large Telco Boxes:
	When beiging in a large telcobox, depending on where you are, it
can be a puzzle to find the right pair to connect to the line you want to,
if it is a specific line that you are looking for. You can use High Level
Tone Tests to look for the pair, when you reach a pair that has a beeping
you can bet its the same line you inputted into the DATU. If the line is
busy, or you want to be more stealthy, you can use the low level tone,
which is less likely for someone to hear unless they have a ground going
into their phone, most don't nowadays.

Remote Busy Box:
	Remember the Busy Box? You crossed the green and red wires to busy
out any line. The green and red wires are tip and ring, so test code 33
can remotely turn any local line into a busy box since the tip and ring
wires are shorted out at the CO. Be in mind that most likely you can only
keep a line shorted for 10 minutes after you hang up, if you want longer,
just keep dialing in every 10 minutes. The same goes for opening a line
(shutting it off) or any tone tests.

(Hint about time limits, study ADMIN functions)

Some notes about Audio Monitor:

--- The Audio Monitor feature is not a tap or eavesdropping feature, you
can not understand any speech or capture any DTMF tones traveling along
the line though the DATU. It is merely used to verify that there is indeed
activity on a line, if the line is busy and there is no acitivy, then
there could be a problem.

VI. Theoretical Uses for DATUs:

Creating Phone Numbers:
	Have you ever dreamed of creating a phone number out of thin air,
with no billable address like the Legion of Doom did back in the day?
Well, the first step could be creating a new exchange to use your numbers
on. Once the exchange is created, I can't really tell you where to go
from there. If you find other ways of entering the switch, like thru a
dialup or over some Packet Switched Network, then go for it, but be
careful, respect the telco's turf, and DON'T MODIFY OTHER PEOPLE'S STUFF!

Mapping Switch Hardware:

	I have heard some DATUs announce the switch they are attached to.
This can be useful to find out info on how to remotely explore the switch.
Also, if Permanent Signal Release is enabled, then you could find a stroke
of unbelievable good luck, Step by Step switching, which in theory of
course, all kinds of things would work, like blueboxing (inband
signalling), black boxes, etc...


VII. Final Notes:

DATUs are for testing lines only, they apply certain tones and can short
lines, but they are not used to add features or anything to a line. You
cannot add three way calling to your line through a DATU. You cannot add
Call Forwarding to you line, you cannot get ISDN or ADSL. And please test
responsably. If you keep opening a line to annoy someone then the
password will most likely get changed.

As far as I know, if you have the dialup and password, you can access the
DATU from anyplace on the PSTN, there is no confirmation that you are
calling from a local number or anything, so If you are in NY, you can test
lines in California providing you have the DATU k0d3z.

VIII. Technical Acronyms:

PSTN   Public Switched Telephone Network (the global phone network)
AT&T   American Telephone and Telegraph
ESS    Electronic Switching System
DMS    Digital Multiplexing System
CCITT  Committee Consultative International Telegraph and Telephone
POTS   Plain Old Telephone System
DTMF   Dual Tone Multi Frequency
PPM    Phone Punx Magazine
MF     Multi Frequency
CO     Central Office
COCOT  Customer Owned Coin Operated Telephone
BBS    Bulliten Board System
ISDN   Integrated Services Digital Network
ADSL   Asynchronous Digital Subscriber Line
DATU   You should know this...

Greets:

9x, Substance, Hybrid, D4RKCYDE, Downtime, Phonerangers, Telec, Mastermind,
Black Axe, Janus, linear, terror eyz, dijit, nawleed, vixen, Zylone,
Pinguino, The Clone, logicbox, velocity, Venadium, Brisk, Bor, Xade :),
notten, barby, bikr, tomgavin, leprekaun, dinkee, purp, vap0r,
Tubular Phreak, 3rd worm, diozepart, Team Phreak, and all my other old
skool conf buddiez, you know who you are ;)

I also owe alot to Telec and MMX to my current understanding of the DATU.


.........................................................................
DATU for Dummies.........................................................
Text by: teletrix, written for f41th.....................................


Preface

So now I assume that most of us have heard of the wonderful tool which
we call the DATU.  It stands for Direct Access Testing Unit.  This
testing unit is a remote tool utilized by technicians.  I don't know if
they exist in Canada, and for the most part I believe they are mainly a
state-side toy, if I'm wrong please let me know I'd love to see a DATU
from another country, differences and etc.  Now to let you know where
this information came from: I went through many attempts at SEing the
Harris corporation for the System Administrator Manual to the DATU, (The
Dracon division of Harris makes these testing units) I searched the
dumpsters, I tried every resource.  Finally, I got someone at Harris to
give me the manual and I also asked him a lot of questions, this
information was what I used to make this test.  The people at Phrack did
this too to get the info, but they didn't give all the info such as
administrator mode.  This text will teach you about the basics of the
DATU, how to find one, and all about the User and Administrative modes
on each.  Just some food for thought, these things are really expensive,
so be careful.  Know what you are getting into, if you access these
lines through boxing it is a Federal Crime (wiretapping) if you damage
it, destroy it, all that stuff it is a federal crime, know the risks,
don't pretend like you didn't know.

Where is the DATU?

The DATU is located at your local central office, or CO.  The way it
works is you have the PSTN, and then that is connect to the CCITT5
Trunk, which goes to the toll switch (DMS 200, 250, 500), which is
connect to your CO, your local switch if you will, which runs off of
5ess, or DMS 10, or DMS 100.  From the CO you have your Plain Old
Telephone Service Lines (POTS), they go through the area, nicely for one
area at a junction box, then to your home.  Anyway the DATU itself is
located at the CO as part of the computer.  So you're saying that's
great, but I don't give a shit about the technicals just tell me what
number the DATU is at. 

.  Type in your area code and exchange, you will then at the bottom of
the page receive a report of all the exchanges on that switch.  Now you
need to try each exchange with 9935 until you find that DATU.  You will
know you've found the DATU when you hear a 440mhz tone, the DATU will
either be busy, or pick up usually on the first or second ring. 
Congratulations you found the DATU, now this isn't time for a smoke
break or anything like that, this was cake, in fact nothing about this
is really too hard, but if you're a first timer you should feel happy
about the fact that you just found the DATU.

Accessing the DATU

So now you're saying well done asshole, but how do I use this thing, how
do I make this god damned noise stop.  Well if you noticed you are
hearing this noise and then being disconnected after a few seconds,
approximately 7, well then you are waiting for what to do next.  This
first 440mhz tone is a signal to enter input.  In this case they want
you to enter the user password.  So now you've accessed your DATU, you
can enter that user password, which is a four digit code, or you can
enter the system password.

Entering User Mode

To enter user mode you simply need to enter the four digit code, and
then you will hear a second 440mhz tone, a second input prompt.  Now,
the default set password is 1111, yeah telco just never learns, I have
never once encountered a DATU in my area, NJ, where this does not work. 
So after entering that password you will hear Incorrect, or if it is the
default you will hear another 440mhz tone.  If 1111 doesn't work, try
4300 the default for older models, or try pairs that are easy to
remember 5454, 5353 and so on.  At default it is set for 16 attempts at
a password before a warning goes off at the CO.  So be careful they do
have some kind of counter-measure for just brute forcing the fucker. 
But again, 1111 works perfectly fine 9 out of 10 times unless some
phreaks before you fucked with the DATU to royal extremes.

Now once you enter the password and hear that second 440mhz tone it
wants you to enter the number to be tested.  You must enter a number
which is one of the exchanges served by that CO, hence served by that
DATU.  Now once you type in the number, usually just the 7 digits will
work, if not you will get an error message telling you to use all 10
digits.  When this happens the DATU will do one of two things it will
say: ``Connected to xxx-xxxx, OK'' or it will say ``Connected to
xxx-xxxx, BUSY LINE. Audio Monitor.  If its busy the audio monitor will
start which allows you to hear unintelligible scrambled traffic, this
will last for 10 seconds.  If the line remains busy you will have
limited testing options.  Below you will find the list of options
available, what they do, and if they have a `+' in front of them they
can only be used on an idle line.

Number		Function			Description	

1		Read off Menu			Reads DATU Menu
2		Audio Monitor			Check for Line Activity
+33		Tip/Ring Short to Ground	Connects Tip/Ring to Ground
+37 		Ring Ground			Unterminates the Tip Lead	
+38		Tip Ground			Unterminates the Ring Lead
+44		Tip/Ring High Level Tone	+22dBm, 577hz bursts on line
+47		Ring High Level Tone		High Level Tone with Tip Grd
+48		Tip High Level Tone		High Level Tone with Ring Grd
5		Low Level Tone			-12dBm, 577hz burst on Line
+6		Open Subscriber Line		Removes Power to Line at CO	
+7		Short Subscriber Line		Electrical Short Sent to Line
9		Permanent Signal Release	Clears Busy Line Condition
*		Keep Test After Disconnect	Allows to Keep Test on Line
#		For New Subscriber Line		Enter new Line to Test

Below are some important notes about certain functions.

For those numbers which are two digits indicates the selection of the
function, the first digit, and the corresponding submenu, the second
digit.

Permanent Signal Release will only work if it is set as active in the
system settings, accessible by the System Programming Menu.

For keeping a test after Disconnect you will be prompted to enter data,
indicated the amount of time to continue the condition.  If the minute
interval is less than 10 simply dial 1-9 depending on the minute, if it
is 10 or greater you must first dial two digits, for 10 minutes simply
dial 0.  After this you will be prompted to hang up, and will have no
other choice, in approximately 30 seconds the condition should enter
into effect.

If you need to do this on the same line you are calling from simply dial
* first then choose the option, afterwards it will ask you for a time
interval.

There is even more crazy stuff you can do with carrier access and pair
gains but that is more advanced, and if you are interested can read all
about that in PPM 2 and 3.

Administrator Mode

Well I'm sure this is what many of you have been waiting for, or just
scrolled on down to, the administrator mode, allowing you to set
everything on the DATU.  Now when you dial in the DATU, you will as
mentioned hear that sweet, sweet 440mhz tone.  This time you're going to
want to enter * then a 7 digit code.  Now, the default administrator
code is 2222222, that's right, and in every DATU I have dialed it has
been this default.  Once you do that you will hear ``OK''.  Under Admin
mode you can not do any subscriber line testing.

Important to note here, you can seriously fuck shit up under Admin mode.
 I caution you to make sure you understand what you are doing, fucking
this up can cause big problems, use your head, if you mess this up you
better damn well bet ma bell is going to come after you and make you pay
for a new one, and then jail your ass.  Below are all the functions you
can do and they will be described in detail.  Please understand what
this means, and use your head if you fuck it up you didn't just screw
yourself, you screwed the other phreaks in the area who have used their
head.

Number		Function		Description

1	Change Passwords		Set User and Admin Passwords
2	Select Busy Test		Not Sure, Don't Play With
3	Read/Change Prefixes		Read, Add, Delete Prefixes
4	Read or Clear Timers		Read/Clear Usage/Function Timers
5	Set Digits to Select Line	Set 4,5,7,10 Digits to Select Line
6	Set Time out Parameters		Set Timeout Interval
7	Read/Clear Counters		Read/Clear Usage/Function Counters
8	Permanent Signal Release	Enable or Disable Function
9	Pair-Gains Parameters		Read/Change Paramaters
0	Clear Alarm Condition		Clear Alarm

Important notes about Administrator Mode

Changing the passwords is never a good idea, it can screw things for you
and other phreaks as well as tip off the technicians, however if it's on
a DATU not in your area, you could have some serious fun.  Because the
user password is stored in a memory, however the system password is
reset after the DATU looses power for 7 seconds.  So you could change
the user password, and it would be living hell to fix.

Under Read/Change Prefixes you will have the option to list prefixes on
that switch, add, and delete.  Now this does not mean you can create
your own exchange, it just let's the DATU know what exchanges it has
access to, and adding one that is not served by that CO will be totally
useless, and cause errors.

Permanent Signal Release will allow you to enable that function, which
would allow you to use that function on a busy line in user mode.

For the Pair Gains stuff I suggest you read PPM 2 and 3 they really
outlined it nicely, and the best I could so with that is simply copy and
paste.

Clear Alarm Condition this is useful if you fuck something up and are
worried that an alarm was tripped, or if you screwed up the password 16
times, remember to cover your ass.

Uses for the DATU 

Well there are a ton of uses for this new toy, some legitimate, some
just plain fucking stupid, but all can be fun.  So under user mode you
could use your DATU to do the following: free that busy signal on your
friends line, if he's on the computer you could blast a low level tone
to throw off the modem, you could open someone's line for 20+ minutes
for fun, and then blast high level tones right before they pick up the
phone.  Trust me setting a high level tone then having the person in
your house pick up the phone to use it is hysterical.  The other use for
the high level tone is say you're boxing in a cabinet, you have a good
feeling that your mark's line is in that cabinet, simply use the DATU
place a high level tone on the line, and look for a line that has a
pulsating 577mhz tone.  You could screw with the linemen in the area by
changing the user password, but you really shouldn't even though this is
saved in memory even if the board short circuits, it will fuck things up
in your area, and tip them off.  You could do a Short to Ground making
someone's line busy, or your own if you don't want to be bothered.  Also
you do not have to be calling from that switch to use that DATU, you can
use it from anywhere on the PTSN.

Conclusion

Well that's the DATU at it's best, if you have any questions contact me
at efnet in #darkcyde, and if you are interested in getting a copy of
the official system manual talk to me and we might be able to make a
trade.  Use this information carefully, know what you're getting into,
have fun, and learn all you can.

For further reading check out Phrack 52 and PPM 2&3


.......................................................................
A Hackers Guide to Meridian Mail.......................................
Version 1.00 - December 2001...........................................
by prephix - prephix@bigfoot.com.......................................



 [:. contents .:]


  1... introduction
  2... what is meridian mail
  3... how do i find a meridian mail system
  4... how do i get access
  5... how do i keep access
  6... mailbox commands
  7... final words


 [:. introduction .:]


Ok, the primary purpose for writing this file is for my own personal
reference.  Until a few months ago, it had been a very long time since
I'd actually gone out and messed about with voicemail and PBXs etc,
so I figured it was time I got back into that whole area of things.

There are already a bunch of files floating about that deal with Meridian
Mail, some are bad or vague, a couple are good, so why the need to write
another one?  Well, I figure that I can write a fairly comprehensive
text on the subject, so why the hell not?  Anyway, I want to write one,
if only to get what I know about the subject down onto paper, or into
binary... whatever.

Let me say at this point that this file deals with how somebody would
theoretically gain unauthorised access to Meridian Mail, it's theoretical,
as of course hacking any voicemail or pbx system is obviously illegal,
and I don't encourage anyone to break the law.  Obvious really.  I shall
also be making updates and changes in later versions.


 [:. what is meridian mail .:]


Ok, let's start with the Meridian PBX.  A PBX is a private branch
exchange, which is a small private telephone network that an organisation
uses to handle it's telecoms.  For instance, it's much cheaper to
implement a PBX than to connect an external line to every telephone in
the company.  Phone numbers within the PBX will usually only be 3 or 4
digits long, and they share lines when calling outside of the company.

Meridian PBXs are fairly similar, but come in different sizes that are
referred to as 'Options'.  For example, Option 11C is one of the
smallest Meridian PBXs, hosting between 16 and 700 users, Option 51C
host upto 1,000 ports, Option 61C hosts upto 2,000 ports (and is dual
processor), and Option 81C can handle 16,000 ports and boasts all kinds
of knobs and whistles that are irrelevant in this file.

Meridian Mail is a feature of the Meridian PBX.  It's an electronic
voice messaging system that allows the users to send and receive voice
mail with various delivery options to other users.  It also supports
message forwarding, and allows the setup of distribution lists (lists
of mailbox numbers).  Here in the UK it's very popular with medium to
large sized organisations, and it doesn't take too long to find one.


 [:. how do i find a meridian mail system .:]


Before I tell you how to identify a system, you have to know how to
actually look for one.  It's best to find your own system, if you use
a system that was in a public scan then there is an increased chance
that other unauthorised users are messing around in it.  This is bad
because the company is more likely to notice, either through increased
use, or through mailboxes being 'locked' from too many failed login
attempts.  If you want your mailbox to last, find your own system.

Ok this is real basic, but I'll assume you know nothing.  The best way
to find any VMS or PBX is to go out to a payphone and manually dial
through a range of freephone numbers.  Be methodical, and write down
anything of interest.  Dial after office hours otherwise you'll get
people answering the phone, a lot of systems are only accessable after
office hours (unless its a large 24 hour system).

When numbers connect, start fiddling around, try * and #, just mess
about and you'll see what I mean, there are countless hackable systems
worth playing around with.  Anyway, identifying a system as Meridian
Mail depends on how it's been setup.  The most obvious is when you
call and a female voice says: "Meridian Mail, mailbox?", which is the
login prompt.  These are usually large 24 hour systems, and are not
that common.  An example can be found on 0800-800-214.

Anyway, most numbers you call will have a recorded message saying
something like, "Sorry, the office is now closed, please leave a
message after the tone...".  If you hit * before it starts recording
your message, a Meridian will usually respond with:

  "There is no recorded message.  To record a call answering message
   press 5.  Other commands are, message options 70, login 81,
   disconnect 84, and attendent 0."

Alternatively you can wait for the beep, start to leave a message, and
then hit #, in which case a Meridian will usually respond with:

  "Recording stopped.  To record some more, press 5.  To review your
   message press 2, for more info press *."

Hit *:

  "You have stopped recording.  Commands you can use are: play 2,
   record 5, message options 70, delete 76, and send 79.  Other
   commands are login 81, disconnect 83, and attendent 0."

Meridian Mail may sometimes be setup differently, with limited options
for remote access.  For instance it may just be a single voice mail box
that they're using like an answerphone etc.  Sometimes if you divert
yourself to the attendent (try hitting 0) it will connect you to the
attendant's voicemail, and you may then be able to access the main system
by using the above methods.  Sometimes if the attendant's box hasn't
set a greeting, it will tell you the box number, i.e. "Mailbox 4501
isn't availble, please leave a message", which can help when trying to
figure out what range clusters of mailboxes are in.


 [:. how do i get access .:]


Now sometimes you can just hit 81 (login) and start guessing (it
actually ain't that hard, I once got in on my first guess), but there
are sometimes ways to check where the mailboxes are, i.e what range
they're in, like what do they start with, how many digits are they, etc.

Ok hit 0*.

Meridian Mail should respond with something like:

  "You have reached an automated service which will connect you
   to the phone number that you enter.  Please enter the number
   or name of the person you wish to reach followed by square sign..."

Ok, now mailboxes are typically 3 or 4 digits long (but can be upto
6 digits long), and usually start with either a 2 or a 4.  I'm going to
use an example system to show you what I'm trying to explain here.  Let's
say we have a Meridian Mail, we're at the above prompt, and theres only
two boxes on the system, box 4621 and 4200, but we don't know that, so
this is how we find out.

I'd like to point out that this may not be the same for all Meridian
Mail systems, but it's worked exactly like this for all the ones I've
bust into during the last few months.

Ok, so we've hit 0* and it says:

  "You have reached an automated service which will connect you
   to the phone number that you enter.  Please enter the number
   or name of the person you wish to reach followed by square sign..."

So we enter, 2 followed by #.

Meridian says:

  "That number cannot be reaced from this service, please try again."

So we enter, 4 followed by #.

Meridian says:

   "Your session cannot be continued at this time, please try again
    later, goodbye."  <disconnects>

Ok weird, so when we try connecting to '2' it tells us that the number
cannot be reached, but when we try connecting to '4', it tells us that
our session cannot be continued and it disconnects.  Hmm..

This means that there are definately valid mailboxes that start with 4,
so we go to the next number.  We call again, get to that prompt by hitting
0.. this time we enter 41#

Meridian says:

  "That number cannot be reaced from this service, please try again."

So 4# disconnects us, and 41# tells us the number cannot be reached.
As far as I can tell, this means there are no boxes starting 41, but
there are boxes starting with 4.  So we try again with 42.

Meridian says:

   "Your session cannot be continued at this time, please try again
    later, goodbye."  <disconnects>

Ok!  So there are boxes starting 42, but not 41, and we carry on, until
it finally trys to put you through to a valid extension.  You should be
able to see what I'm trying to get across here, it ain't exactly rocket
science, but I'm also crap at explaining stuff.  :)

Once you know where boxes are clustered, hit 81 to login, enter the
mail box number followed by #, and it will ask you for the password.
The default password is usually the same as the box number.  For instance
box 4112 will have a password of 4112.  If you don't get in straight
away, move onto the next box.  After two failed login attempts I always
hang up and call back, even though Meridian allows three attempts.  This
is because you don't want to accidently 'lock' mailboxes through too
many failed login attempts.  A bunch of locked boxes is going to alert
the administrator that someone was having a pop at getting into his
system, so even if you do get in, your box may not last very long.

When you get into a box you have to make sure it's unused.  If there
are new messages don't read them.  You can read any old messages, but
if they're fairly recent then you can't keep the box for personal use.
If the internal and external greetings have also been set then that's
also an indicator that the box is being used.

However, if the box is empty, and there are no greetings set, then
chances are the box is unused, in which case you can keep it.  Either
way, used or unused, you can now use the distribution list feature to
hunt for more boxes.  Hit 85 to create a new list, then enter 1 to 9
to identify a distribution list number (you can have 9 distribution
lists).  If you're using a used box and there are entries then
forget about it, try another list, you don't want to change anything
that will show you've been there.  Once you enter an empty list, hit
5 to start creating the list.  Now you start entering mailbox numbers
to be added to the list (followed by #).  It will tell you if the box
is valid or not, and you can work your way through a large amount
of box numbers, writing down valid entries.  You want boxes which
don't have recorded greetings, as they're more likely to be empty and
unused.  Later you can see if they have their default passwords set.

If you login and it forces you to change your password because it's
expired, then chances are it's an unused box.

Right, if for whatever reason you can't do this, or if you're confronted
with just the login prompt when calling, then you can always try
pot luck guessing.  This does work, and I would try the following
combinations first... and then work around them:

BOX/PASS

2000/2000  4000/4000  200/200
2001/2001  4001/4001  201/201
2002/2002  4002/4002  250/250
2100/2100  4100/4100  299/299
2101/2101  4101/4101
2500/2500  4111/4111    etc etc.. you get the idea anyway.
2501/2501  4150/4150


 [:. how do i keep access .:]


Common sense really.  Don't record some crazy greetings like "Heh man
this is the awesome bytebandit of the telelame crew.. leave a message
now you mother fucker!".  It's best to leave the greetings unset, but
if you have to, then keep it simple.. like "Leave a message after the
tone" will do.

Don't lock mailboxes through bad login attempts, and don't send real
users mail.  If you have access to employees boxes, try not to read
their new mail, as it will no longer be flagged as new, and obvious
that someone has read it.  I know it's tempting to read other peoples
shit, but try and stick to mail thats already been read.

Also try and keep your system to a select group.  The fewer guys using
it, then the lesser chance of being noticed.  I've was once using a
system with a couple of other guys for almost 6 months.  Thats about
it really, as I said, just use your common sense.


 [:. mailbox commands .:]


You'll become familiar with using it as you go along, you can hit * at
any time for online help.  Here's a list of the major functions anyway:

Recording a greeting:

  Press 82, press 1 for external, 2 for internal, 5 to record, # to stop.

Changing the password:

  Press 84, enter new password, press #, repeat, enter old password, hit #.

Recording personal verification:

  Press 89, press 5 to record name, press #.

Creating a message:

  Press 75, enter mailbox(s) or distribution list number(s), pressing #
  after each one, press # again, press 5 to record, # to stop,
  press 79 to send.

Forwarding a message:

  Find the message to forward, press 73, enter forwarding mailbox number(s)
  each followed by #, press ## to finish list, press 5 to record a
  message header, press 79 to send.

Deleting/undeleting a message:

  76 to delete a message, 76 again to restore it.

Outdial:

  Press #0, then (usually) 9 for an outside line, then the phone number.
  This probably will have been disabled, or will appear to be, but
  definatly worth a fiddle, try different things.  We had a system where
  you had to dial 9, then a 5 digit code, and then it allowed you to
  dial 3 digit external numbers (i.e the operator who could then put
  you through to another number).


 [:. final words .:]


Ok it's fucking late, and I'm going to bed now.  If it's shit, then my
excuse is that it's only version 1.00, and I'll no doubt be maknig
numerous changes in later versions... ha... anyway fuck it, the only way
to learn is to actually get out there, find a system, and figure things
out yourself.  Feel free to email me any questions, abuse, etc...


                            prephix@bigfoot.com


.........................................................................
scan of 0800-212-000 to 0800-212-200 (UK)................................
compiled by prephix in september 2001....................................


0800-212-000 - Dead
0800-212-001 - Dead
0800-212-002 - Voice
0800-212-003 - Dead
0800-212-004 - Recorded message
0800-212-005 - Dead
0800-212-006 - Recorded message
0800-212-007 - Rings
0800-212-008 - Dead
0800-212-009 - Rings
0800-212-010 - Dead
0800-212-011 - "The number you have dialed is not recognised"
0800-212-012 - Dead
0800-212-013 - PBX
0800-212-014 - Dead
0800-212-015 - Recorded message
0800-212-016 - Modem
0800-212-017 - Dead
0800-212-018 - Dead
0800-212-019 - Voice
0800-212-020 - "The number you have dialed is not available"
0800-212-021 - Answer phone
0800-212-022 - Dead
0800-212-023 - Recorded message
0800-212-024 - Dead
0800-212-025 - Dead
0800-212-026 - Dead
0800-212-027 - Voice
0800-212-028 - Dead
0800-212-029 - PBX, # to login, mainly 3 digit extensions, many around
               the 2** range with simple passwords
0800-212-030 - Fax
0800-212-031 - Dead
0800-212-032 - Dead
0800-212-033 - Dead
0800-212-034 - Dead
0800-212-035 - Dead
0800-212-036 - Dead
0800-212-037 - Dead
0800-212-038 - Dead
0800-212-039 - Dead
0800-212-040 - Dead
0800-212-041 - Fax
0800-212-042 - "The number you have dialed is not recognised"
0800-212-043 - Fax
0800-212-044 - Dead
0800-212-045 - Dead
0800-212-046 - Dead
0800-212-047 - "This number does not receive incoming calls"
0800-212-048 - Fax
0800-212-049 - Fax
0800-212-050 - Rings
0800-212-051 - Fax
0800-212-052 - Rings
0800-212-053 - Engaged tone
0800-212-054 - Fax
0800-212-055 - Dead
0800-212-056 - Fax
0800-212-057 - Dead
0800-212-058 - Rings
0800-212-059 - Dead
0800-212-060 - Voice
0800-212-061 - Rings
0800-212-062 - Recorded message
0800-212-063 - Rings
0800-212-064 - Answer phone
0800-212-065 - Dead
0800-212-066 - Rings
0800-212-067 - Rings
0800-212-068 - Rings
0800-212-069 - Dead
0800-212-070 - Voice
0800-212-071 - Large 24 hour voice mail system, press * to login, many
               5 digit boxes starting 6**** with guessable passwords
0800-212-072 - Dead
0800-212-073 - Rings
0800-212-074 - Dead
0800-212-075 - Dead
0800-212-076 - Dead
0800-212-077 - Dead
0800-212-078 - Recorded message
0800-212-079 - Dead
0800-212-080 - Disconnects on DTMF tones
0800-212-081 - Dead
0800-212-082 - Rings
0800-212-083 - Dead
0800-212-084 - Dead
0800-212-085 - Dead
0800-212-086 - Dead
0800-212-087 - Dead
0800-212-088 - Fax
0800-212-089 - Dead
0800-212-090 - Rings
0800-212-091 - Dead
0800-212-092 - Recorded message
0800-212-093 - Dead
0800-212-094 - Dead
0800-212-095 - Voice
0800-212-096 - Dead
0800-212-097 - Dead
0800-212-098 - Rings
0800-212-099 - PBX
0800-212-100 - Rings
0800-212-101 - Dead
0800-212-102 - Voice mail system, press # to login
0800-212-103 - Dead
0800-212-104 - Dead
0800-212-105 - "The number you have dialed is not recognised"
0800-212-106 - Dead
0800-212-107 - Voice mail system, press # twice to enter ID
0800-212-108 - Dead
0800-212-109 - Fax
0800-212-110 - Dead
0800-212-111 - Voice
0800-212-112 - Rings
0800-212-113 - Answer phone
0800-212-114 - "This number has been changed to ..."
0800-212-115 - Dead
0800-212-116 - Dead
0800-212-117 - Dead
0800-212-118 - Rings
0800-212-119 - Dead
0800-212-120 - Voice
0800-212-121 - Rings
0800-212-122 - Dead
0800-212-123 - "The number you have dialed is not recognised"
0800-212-124 - "This number is temporarily out of order"
0800-212-125 - Dead
0800-212-126 - Recorded message
0800-212-127 - Recorded message
0800-212-128 - Dead
0800-212-129 - Dead
0800-212-130 - Dead
0800-212-131 - Recorded message
0800-212-132 - Dead
0800-212-133 - Dead
0800-212-134 - Answer phone
0800-212-135 - Rings
0800-212-136 - Dead
0800-212-137 - Dead
0800-212-138 - Dead
0800-212-139 - Engaged tone
0800-212-140 - Dead
0800-212-141 - Rings
0800-212-142 - Dead
0800-212-143 - Dead
0800-212-144 - Dead
0800-212-145 - Dead
0800-212-146 - Rings
0800-212-147 - Recorded message
0800-212-148 - Dead
0800-212-149 - Dead
0800-212-150 - Rings
0800-212-151 - Recorded message
0800-212-152 - "The number you have dialed is not recognised"
0800-212-153 - Dead
0800-212-154 - Dead
0800-212-155 - Voice mail system, press # to login
0800-212-156 - "The number you have dialed is not recognised"
0800-212-157 - Recorded message
0800-212-158 - Rings
0800-212-159 - Rings
0800-212-160 - Dead
0800-212-161 - Recorded message
0800-212-162 - Dead
0800-212-163 - Dead
0800-212-164 - "The number you have dialed is not recognised"
0800-212-165 - Dead
0800-212-166 - Dead
0800-212-167 - Dead
0800-212-168 - "The number you have dialed is not recognised"
0800-212-169 - Dead
0800-212-170 - Recorded message
0800-212-171 - Dead
0800-212-172 - Rings
0800-212-173 - Dead
0800-212-174 - Dead
0800-212-175 - Dead
0800-212-176 - Voice
0800-212-177 - Voice mail box, perss # to login
0800-212-178 - "The number you have dialed is not recognised"
0800-212-179 - Rings
0800-212-180 - Rings
0800-212-181 - Dead
0800-212-182 - Voice
0800-212-183 - Rings
0800-212-184 - Rings
0800-212-185 - Voice
0800-212-186 - Fax
0800-212-187 - Voice
0800-212-188 - Dead
0800-212-189 - Dead
0800-212-190 - Dead
0800-212-191 - Voice
0800-212-192 - Fax
0800-212-193 - Rings
0800-212-194 - Fax
0800-212-195 - Dead
0800-212-196 - Rings
0800-212-197 - Recorded message
0800-212-198 - Recorded message
0800-212-199 - Dead
0800-212-200 - Dead

                           prephix@bigfoot.com

......................................................................
0800963-xxx...........................................................
random................................................................
	

0800963 000-250
scanned between 2-5am GMT

0800963000		KDDI card expired
0800963001		voice, sounded chinese
0800963002		KDDI card expired
0800963004		KDDI please enter your personal identification number
0800963006		KDDI please enter your personal identification number
0800963007		2BM
0800963008		KDDI please enter your personal identification number
0800963009		The conference calling centre
0800963011		The conference calling centre
0800963012		2BZ
0800963014		voice, foreign
0800963015		KDDI please enter your personal identification number
0800963016		KDDI card expired
0800963017		KDDI please enter your personal identification number
0800963020		carrier
0800963021		voice, foreign
0800963022		carrier  :)
0800963023		voice, english
0800963024		voice, english same bloke as 23
0800963025		voice, english same bloke as 23 & 24 (this time he left the fone off hook and i could hear him talk to some1 for ages)
0800963026		weird ! something picks up then hangs up then error message "sorry there is a fault"
0800963027		KDDI please enter your personal identification number
0800963030		The electric saftey centre, transfers to an op
0800963031		KDDI please enter your personal identification number
0800963033		voice, foreign
0800963034		KDDI please enter your personal identification number
0800963035		KDDI card expired
0800963036		voice, english speaking
0800963039		KDDI please enter your personal identification number
0800963042		"were sorry u have reached a number that has been disconnected or is no longer in service"
0800963044		carrier
0800963046		foreign recording
0800963048		weird beeps !?!?
0800963050		some guys answer fone with txt message,page,call,fax options
0800963054		does nothing for ages then a foreign busy
0800963056		Eagle ocean inc. * then # enters vmb
0800963065		ring ring ring.........
0800963068		"the number u dialed is not valid anymore please check the number"
0800963074		busy
0800963080		2BZ
0800963081		2BJ
0800963082		711 "the 800 number u dialed is not in service" sez that twice then rings again then hangs up straight away !?!?
0800963083		2EG
0800963084		essential software support *7 supposed to transfer to voicemail but i just got cheesy hold music for 2 minutes then hung up
0800963086		2EG
0800963090		212
0800963093		nothing then busy
0800963095		busy
0800963096		carrier
0800963097		rwd technologies
0800963099		voice, some travel company
0800963101		US busy signal
0800963102		ring ring ring........
0800963103		carrier
0800963105		2BZ
0800963110		pbx, ext 12 gets customer service
0800963111		carrier
0800963112		audix vmb "enter extension then pass code"
0800963114		"were sorry your call cannot be completed as dialed please check the number and dial again or call your operator to help u"
0800963115		busy
0800963116		foreign recording then hangs up
0800963117		dialtone ! *resets back to dialtone #gets busy signal . tried allsorts with this ! uk & us numbers , dialing 9 dialing country c0des all i can get is error messages
0800963118		ring ring ring........
0800963119		2BM
0800963120		"were sorry but your call cannot be completed as dialed please check the toll free number and dial again thank you for using bezick(??) international"
0800963122		carrier/fax
0800963124		2BJ
0800963125		"were sorry the globe 800 universal number u dialed is not in service please check the number and dial again"
0800963128		card smart please enter authorization code
0800963129		voice, foreign
0800963130		busy
0800963132		2BZ
0800963133		"call cannot be made from that fone"   tried it from my calling card and got a weird busy signal
0800963134		2BM
0800963136		ring ring ring.........
0800963137		212
0800963139		2EG
0800963140		2BZ
0800963141		"number cannot be reached from your area please check the number and dial again this is a recording (duh!)" 
0800963142		"call cannot be made from that fone"   tried it from my calling card and got a weird busy signal
0800963145		blank ship real estate answer fone/pbx , voice at 6p'mish GMT
0800963147		2BJ
0800963148		pwc consulting pbx # gets an op
0800963150		"call cannot be made from that fone"   tried it from my calling card and got a weird busy signal
0800963151		2BJ
0800963153		answerfone/pbx, voice at 6pm'ish GMT
0800963154		vmb
0800963155		"call cannot be made from that fone"   tried it from my calling card and got a weird busy signal
0800963156		"call cannot be made from that fone"   tried it from my calling card and got a weird busy signal
0800963157		voice, sounded like a little kid, foreign 
0800963158		"call cannot be made from that fone"   tried it from my calling card and got a weird busy signal
0800963162		weird beeps , do not respond to DTMF
0800963165		weird beeps , do not respond to DTMF
0800963166		carrier/fax
0800963168		2BM
0800963169		weird beeps , do not respond to DTMF
0800963170		"please enter you pin"
0800963171		weird beeps , do not respond to DTMF
0800963172		voice, english speaking
0800963176		weird beeps , do not respond to DTMF
0800963178		foreign recording then hangs up
0800963179		"please enter your pin"
0800963180		weird beeps , do not respond to DTMF
0800963181		weird long ring then french recording does respond to DTMF but i dont know wot it does coz i dont speak french
0800963182		"the number u dialed is not valid anymore please check the number"
0800963185		weird beeps , do not respond to DTMF
0800963187		weird beeps , do not respond to DTMF
0800963190		toyota survery. asks for some sort of code
0800963191		voice , foreign , holland accordin to the bloke on fone . (err why u call at this time to ask wot country i in ? it is night) lol , there was a pleep on hangup not as high pitched as c5
0800963192		busy
0800963194		2EG
0800963196		jarvis cutting tools answerfone/pbx , voice at 6pm'ish GMT
0800963197		2EG
0800963198		Grenich association answerfone/pbx , voice at 6pm'ish GMT
0800963200		busy
0800963201		answerfone , voice at 6pm'ish GMT
0800963203		2BM
0800963206		carrier
0800963207		carrier
0800963208		the conferencing centre 328
0800963209		2BJ
0800963210		codey code hotline answerfone
0800963211		212
0800963213		"sorry there is a fault"
0800963214		carrier
0800963215		2BM
0800963219		pbx ** to enter vmb number and password 3 trys then disconnects
0800963220		carrier/fax
0800963228		carrier
0800963229		2EG
0800963230		carrier
0800963231		2BM
0800963232		2EG
0800963233		carrier
0800963234		RWD tech. answer machine/pbx , voice at 6pm'ish GMT
0800963235		RWD latitude 360 answer machine/pbx , voice at 6pm'ish GMT
0800963236		RWD tech. answer machine/pbx , voice at 6pm'ish GMT
0800963237		busy
0800963238		2EG
0800963239		2BZ
0800963242		voice, foreign
0800963246		voice, foreign		
0800963247		voice, foreign
--------------------------------------------------------------
0800963252		Live - Foreign
0800963253		Live - Foreign
0800963256		Ring Tone No Reply (RTNR)
0800963257		Live - Foreign
0800963259		Carrier - Silent

Offers ms chap authentification.		
[LCP ConfReq id=0x0 <asyncmap 0x0> <auth chap m$oft>

0800963262		? Dead air ?
0800963268		Equity Saverz *=enter passcode 4dig
0800963270		FAX
0800963271		PBX/VMS *=enter mailbox number
0800963274		KDD
0800963276		Live
0800963277		RTNR
0800963280		Worldcom
0800963282		RTNR
0800963292		AUDIX
0800963293		Erm... answered once then NU ever since
0800963294		Carrier

User Access Verification
Username:

0800963301		??? Netherlands something or other
0800963303		Carrier - Silent
0800963304		PBX/VMS
0800963305		Carrier - Silent

offers chap MD5 verification
end point MAC:00:80:d3:79:e5:00
name = "Odyssey3"
(took itself offline after 1st attempt)

0800963306		Carrier - Silent
0800963307		Carrier - Silent
0800963311		'Conference Call Centre'
0800963313		'Conference Call Centre'
0800963314		'Conference Call Centre'
0800963316		'Conference Call Centre'
0800963317		Thomas Cook Test Number...
0800963318		Fault
0800963320		'Conference Call Centre'
0800963323		PBX/VMS Audix
0800963326		'Conference Call Centre'
0800963327		'Conference Call Centre'
0800963328		'Conference Call Centre'
0800963329		MCI
0800963332		'Conference Call Centre'
0800963333		'Conference Call Centre'
0800963336		Carrier - Silent
0800963337		Carrier 
0800963347		TeraCyte Audix
0800963355		Sec code
0800963360		ID code
0800963367		Live
0800963370		Access code
0800963371		VMS
0800963372		VMS
0800963373		BUSY
0800963374		Fault
0800963377		BUSY
0800963379		BUSY
0800963379		Carrier - Silent
0800963380		BUSY
0800963381		Carrier - Silent
0800963382		Ext not in service...
0800963383		BUSY
0800963385		Fault
0800963387		pips...
0800963389 		pips...
0800963390		Rainbow PBX
0800963392 		RTNR
0800963394		PBX
0800963397		Graceland Uni VMS
0800963398		PBX (could be interesting)
0800963400		VMS with a great greeting....
0800963403		RTNR
0800963406		PBX
0800963408		Carrier

Starting SecurID Authentication...
User ID:

0800963411		Fault
0800963421		RTNR
0800963424		FAX
0800963427 		Carrier AND ringing at the same time???
0800963428		Carrier
0800963429		Audix?
0800963431		RTNR
0800963432		? Dead air ?
0800963435		Live
0800963438		VMS
0800963439		Message Centre
0800963442		???
0800963446		Chat line advert
0800963450		PBX
0800963452		Fujitsu PBX/VMS
0800963453		RTNR
0800963456		BUSY
0800963459		ACI - x4555
0800963460		PBX
0800963463		Live
0800963471		Fault
0800963474		'Conference Call Centre'
0800963476		RTNR
0800963479		RTNR
0800963490		Foreign message
0800963492		Foreign message
0800963493		Foreign message
0800963497		Foreign message
0800963500 		Test Number for Int Phreefone
--------------------------------------------------------------
0800963500		Internation Free Phone Services
0800963527		Rings and Rings... dunno
0800963530		four beeps in sucession repeated... dunno
0800963540		Vorizons Voicemail
0800963553		Rings.. then not inservices then code "SCT4T"
0800963558		US Ring... Just rings and rings
0800963565		Carrier
0800963570		Some Chinease Person talks
0800963577		Connects then hangsup
0800963579		Chinease person
0800963591		Chinease person
0800963595		Free phone service of European Anti Fraud Office
0800963596		Chinease Talking
0800963596		Chinease Talking
0800963600		Sigma RVI Voicemail System
0800963602		Carrier

RING BACK

0800963607		Rings.. Strange though.. worth a look
0800963658		"Welcome to Woltel"
0800963663		"Please dial your card and pin number now"
0800963957		Not In Service then code NYCR12
0800963698		"announcement is not defigned" - Merdian
0800963700		US Ring.. just rings
0800963703		"In Itailian: Welcome to telecom italia"
0800963709		"In Itailian: Welcome to telecom italia"
0800963712		"In Itailian: Welcome to telecom italia"
0800963716		Tempararilly out of order
0800963720		CAE Clune Technologies Ransolhoof
0800963724		US Ring.. "welcome to Bank first national"
0800963725		US Ring.. "Jonh maxwell First Sale vioce mail
0800963728		US Ring.. Carrier

Remote message: E=691 R=1  V=3

0800963729		Carrier

|z-~R>
      9^29w,)({E26am.Y.?.R_/7Wb1Plk(!kqu6.z[p.oB

0800963736		Voicemail
0800963737		HQ Massitusites National Guard. Audix.
--------------------------------------------------------------
0800 963 750		2BM
0800 963 751		Interpayment credit
0800 963 752		no answer
0800 963 753		no answer
0800 963 754		German Meridian Mail System
0800 963 755		nr
0800 963 756		nr
0800 963 757		2EG
0800 963 758		nr
0800 963 759		nr
0800 963 780		Octel system, 4799 diverts to op
0800 963 781		2BM
0800 963 782		nr
0800 963 783		nr
0800 963 784		nr
0800 963 785		Dialtone, requires Auth code
0800 963 786		answer service, * enter passcode
0800 963 787		nr
0800 963 788		111P
0800 963 789		Army, CPAC/CPOC military line
0800 963 790		nr
0800 963 791		nr
0800 963 792		Meridian Mail system
0800 963 793		some voicemail system
0800 963 794		2BM
0800 963 795		Dial ID Number
0800 963 796		live op,
0800 963 797		nr
0800 963 798		nr
0800 963 799		QRS corporation, 
0800 963 800		no answer, weired ring tone
0800 963 801		fax/carrier
0800 963 802		picks up, doesnt say anything
0800 963 803		na
0800 963 804		na
0800 963 805		citiebank
0800 963 806		na
0800 963 807		nr
0800 963 808		Octel, north-west airlines. 
0800 963 809		nr
0800 963 810		nr
0800 963 811		nr
0800 963 812		Direct dial to Audix
0800 963 813		nr
0800 963 814		AIG international, Audix
0800 963 815		nr
0800 963 816		busy
0800 963 817		semi-aloys answerphone
0800 963 818		Octel, for a cardiac hospital. 
0800 963 819		Octel, Direct dial (for above)
0800 963 820		Octel, Direct dial (for above)
0800 963 821		fault
0800 963 822		Audix System
0800 963 823		nr
0800 963 824		nr
0800 963 825		nr
0800 963 826		Conference calling centre
0800 963 827		nr
0800 963 828		customer serivces
0800 963 829		111P
0800 963 830		Octel system
0800 963 831		fault
0800 963 832		customer support number
0800 963 833		Visa travel money customer service number, 
0800 963 834		nr
0800 963 835		fault
0800 963 836		nr
0800 963 837		no answer
0800 963 838		busy
0800 963 839		Octel system,
0800 963 840		nr
0800 963 841		nr
0800 963 842		711 not in service
0800 963 843		nr
0800 963 844		nr
0800 963 845		nr
0800 963 846		nr
0800 963 847		nr
0800 963 848		busy
0800 963 849		network accounts payable
0800 963 850		nr
0800 963 851		nr
0800 963 852		nr
0800 963 853		nr
0800 963 854		nr
0800 963 855		nr
0800 963 856		fault
0800 963 857		anna, at comprihensive formula
0800 963 858		KDD
0800 963 859		global 1,
0800 963 860		no answer
0800 963 861		busy
0800 963 862		nr
0800 963 863		busy
0800 963 864		pbx system, enter ext
0800 963 865		answerphone
0800 963 866		non working toll free number
0800 963 867		live op
0800 963 868		no answer
0800 963 869		no answer
0800 963 870		KLA customer support, 
0800 963 871		nr
0800 963 872		busy
0800 963 873		nr
0800 963 874		Direct dial to Audix
0800 963 875		fax/carrier
0800 963 876		nr
0800 963 877		nr
0800 963 878		fault
0800 963 879		live op
0800 963 880		live op
0800 963 881		nr
0800 963 882		nr
0800 963 883		nr
0800 963 884		2BM
0800 963 885		fault
0800 963 886		fault
0800 963 887		nr
0800 963 888		nr
0800 963 889		nr
0800 963 890		nr
0800 963 891		nr
0800 963 892		nr
0800 963 893		nr
0800 963 894		nr
0800 963 895		no asnwer
0800 963 896		nr
0800 963 897		nr
0800 963 898		no answer
0800 963 899		no answer
0800 963 900		nr
0800 963 901		carrier

User Access Verification
Username:

0800 963 902		nr
0800 963 903		cisco systems technical centre, emergency centre
0800 963 904		nr
0800 963 905		no answer
0800 963 906		no answer
0800 963 907		cisco systems
0800 963 908		cisco systems
0800 963 909		pbx system
0800 963 910		no answer
0800 963 911		Merdian System for WorldCon Conferencing
0800 963 912		Conference calling centre
0800 963 913		Conference calling centre
0800 963 914		nr
0800 963 915		nr
0800 963 916		800 out of order
0800 963 917		MCI worldcom pre-paid access card
0800 963 918		nr
0800 963 919		nis
0800 963 920		Conference calling centre
0800 963 921		Conference calling centre
0800 963 922		nr
0800 963 923		Conference calling centre
0800 963 924		Conference calling centre
0800 963 925		answerphone
0800 963 926		Conference calling centre
0800 963 927		Conference calling centre
0800 963 928		carrier/fax

Annex Command Line Interpreter   *   Copyright (C) 1988, 1995 Xylogics, Inc.
Checking authorization, Please wait...
Annex username:

0800 963 929		Conference calling centre
0800 963 930		nr
0800 963 931		2BM
0800 963 932		Conference calling centre
0800 963 933		busy
0800 963 934		nr
0800 963 935		nr
0800 963 936		2BM
0800 963 937		no answer
0800 963 938		nr
0800 963 939		nr
0800 963 940		nr
0800 963 941		GE Access, pbx system
0800 963 942		nr
0800 963 944		nr
0800 963 945		nr
0800 963 946		nr
0800 963 947		live op
0800 963 948		nr
0800 963 949		nr
0800 963 950		nr
0800 963 951		no answer
0800 963 952		nr
0800 963 953		nr
0800 963 954		nr
0800 963 955		no answer
0800 963 956		nr
0800 963 957		nr
0800 963 958		nr
0800 963 959		carrier/fax
0800 963 960		no answer
0800 963 961		nr
0800 963 962		no answer
0800 963 963		carrier/fax
0800 963 964		nr
0800 963 965		nr
0800 963 966		nr
0800 963 967		busy
0800 963 968		carrier/fax
0800 963 969		NCL customer care centre		
0800 963 970		Conference calling centre
0800 963 971		carrier

S4...
login:

0800 963 972		2BM
0800 963 973		nr
0800 963 974		Meridian Mail System, some pharmacutical co
0800 963 975		Octel system, to corpotate security hotline
0800 963 976		Merdian as above
0800 963 977		Octel recording
0800 963 978		same as above
0800 963 979		nr
0800 963 980		carrier/fax
0800 963 981		carrier/fax
0800 963 982		MCI worldcom 
0800 963 983		Some network co
0800 963 984		Conference calling centre
0800 963 985		Conference calling centre
0800 963 986		Conference calling centre
0800 963 987		2BM
0800 963 988		2BM
0800 963 989		2BM
0800 963 990		Octel System
0800 963 991		Conference calling centre
0800 963 992		Conference calling centre
0800 963 993		Conference calling centre
0800 963 994		nr
0800 963 995		Conference calling centre
0800 963 996		busy
0800 963 997		Conference calling centre
0800 963 998		ATS voice proccessing centre
0800 963 999		Conference calling centre
0800 964 000		French


......................................................................
scan of 0800-013-0000 to 0800-013-0200 (UK)...........................
compiled by prephix in decemmber 2001.................................


0800-013-0000 - Engaged
0800-013-0001 - Voice
0800-013-0002 - "Sorry we're unable to connect your call"
0800-013-0003 - Rings
0800-013-0004 - Recorded message
0800-013-0005 - Modem
0800-013-0006 - "Sorry we're unable to connect your call"
0800-013-0007 - Rings
0800-013-0008 - Modem
0800-013-0009 - "Sorry we're unable to connect your call"
0800-013-0010 - Recorded message
0800-013-0011 - AT&T calling card line
0800-013-0012 - "Sorry we're unable to connect your call"
0800-013-0013 - "You've been forwarded to a voice mail system, however
                this mailbox does not subscribe to this service"
0800-013-0014 - Dead
0800-013-0015 - Rings
0800-013-0016 - Simple PBX (not worth wasting time with)
0800-013-0017 - Modem
0800-013-0018 - Dead
0800-013-0019 - Modem
0800-013-0020 - Modem
0800-013-0021 - Scotish Widows info line
0800-013-0022 - Rings
0800-013-0023 - Dead
0800-013-0024 - Scotish Insurance helpline
0800-013-0025 - Modem
0800-013-0026 - Rings
0800-013-0027 - White noise, weird
0800-013-0028 - "Sorry we're unable to connect your call"
0800-013-0029 - "Sorry we're unable to connect your call"
0800-013-0030 - Voice
0800-013-0031 - "Sorry we're unable to connect your call"
0800-013-0032 - "Sorry we're unable to connect your call"
0800-013-0033 - Meridian, but features been disabled, of no use
0800-013-0034 - Voice with cukoo (payphone) tone in background
0800-013-0035 - Recorded message
0800-013-0036 - Recorded message
0800-013-0037 - Recorded message
0800-013-0038 - Voice
0800-013-0039 - Modem
0800-013-0040 - Recruitment line
0800-013-0041 - High pitched tone
0800-013-0042 - "Sorry we're unable to connect your call"
0800-013-0043 - "Sorry we're unable to connect your call"
0800-013-0044 - Recorded message
0800-013-0045 - Enquiry line
0800-013-0046 - Enquiry line
0800-013-0047 - Enquiry line
0800-013-0048 - Voice
0800-013-0049 - Rings, hit *, pauses for 10 seconds, then diverts
                to a helpdesk, hit * again, diverts again, wait,
                on connect hit *7 to access the main menu of an
                Audix voice mail system.
0800-013-0050 - "Sorry we're unable to connect your call"
0800-013-0051 - Dead
0800-013-0052 - Dead
0800-013-0053 - Voice mail system with 4 digit boxes. Hit # to login.
                When you enter an empty box it asks for the temporary
                password given to you by the administrator.
0800-013-0054 - Modem
0800-013-0055 - Answerphone
0800-013-0056 - Number not recorded
0800-013-0057 - Weird DTMF tones, then disconnects
0800-013-0058 - "Sorry we're unable to connect your call"
0800-013-0059 - "Sorry we're unable to connect your call"
0800-013-0060 - "Sorry we're unable to connect your call"
0800-013-0061 - Answerphone
0800-013-0062 - Rings
0800-013-0063 - Rings
0800-013-0064 - "Sorry we're unable to connect your call"
0800-013-0065 - "Sorry we're unable to connect your call"
0800-013-0066 - Rings
0800-013-0067 - Voice
0800-013-0068 - Rings
0800-013-0069 - Rings
0800-013-0070 - Modem
0800-013-0071 - Modem
0800-013-0072 - Rings
0800-013-0073 - Rings
0800-013-0074 - Fax
0800-013-0075 - Fax
0800-013-0076 - Claims line
0800-013-0077 - "Sorry we're unable to connect your call"
0800-013-0078 - "Sorry we're unable to connect your call"
0800-013-0079 - "Sorry we're unable to connect your call"
0800-013-0080 - "Sorry we're unable to connect your call"
0800-013-0081 - "Sorry we're unable to connect your call"
0800-013-0082 - Rings, then goes to BT Callminder
0800-013-0083 - Rings
0800-013-0084 - High pitched tone
0800-013-0085 - Dead
0800-013-0086 - Voice
0800-013-0087 - Rings
0800-013-0088 - Helpline
0800-013-0089 - Rings
0800-013-0090 - Dead
0800-013-0091 - Recorded message
0800-013-0092 - Dead
0800-013-0093 - "There is no service currently available on this line"
0800-013-0094 - "There is no service currently available on this line"
0800-013-0095 - "There is no service currently available on this line"
0800-013-0096 - "There is no service currently available on this line"
0800-013-0097 - Answerphone
0800-013-0098 - Engaged
0800-013-0099 - Answerphone
0800-013-0100 - "You've been forwarded to a voice mail system, however
                this mailbox does not subscribe to this service"
0800-013-0101 - "Sorry we're unable to connect your call"
0800-013-0102 - Rings
0800-013-0103 - "Sorry we're unable to connect your call"
0800-013-0104 - Dead
0800-013-0105 - "Sorry we're unable to connect your call"
0800-013-0106 - "Sorry we're unable to connect your call"
0800-013-0107 - "Sorry we're unable to connect your call"
0800-013-0108 - "Sorry we're unable to connect your call"
0800-013-0109 - "Sorry we're unable to connect your call"
0800-013-0110 - Rings
0800-013-0111 - "Sorry we're unable to connect your call"
0800-013-0112 - "Sorry we're unable to connect your call"
0800-013-0113 - Order line
0800-013-0114 - Rings
0800-013-0115 - Rings
0800-013-0116 - Dead
0800-013-0117 - Engaged
0800-013-0118 - Orange answerphone
0800-013-0119 - "Sorry we're unable to connect your call"
0800-013-0120 - "Sorry we're unable to connect your call"
0800-013-0121 - Dead
0800-013-0122 - Dead
0800-013-0123 - "Sorry we're unable to connect your call"
0800-013-0124 - "You've been forwarded to a voice mail system, however
                this mailbox does not subscribe to this service"
0800-013-0125 - "You've been forwarded to a voice mail system, however
                this mailbox does not subscribe to this service"
0800-013-0126 - Rings
0800-013-0127 - Rings
0800-013-0128 - Rings
0800-013-0129 - Rings
0800-013-0130 - Rings
0800-013-0131 - Dead
0800-013-0132 - "Sorry we're unable to connect your call"
0800-013-0133 - Answerphone
0800-013-0134 - "This phone number has changed to..."
0800-013-0135 - "Sorry we're unable to connect your call"
0800-013-0136 - "This phone number has changed to..."
0800-013-0137 - Rings
0800-013-0138 - "The audio conferncing service is closed"
0800-013-0139 - Modem
0800-013-0140 - Engaged
0800-013-0141 - Rings
0800-013-0142 - Engaged
0800-013-0143 - Voice
0800-013-0144 - Dead
0800-013-0145 - "Sorry we're unable to connect your call"
0800-013-0146 - "Sorry we're unable to connect your call"
0800-013-0147 - "Sorry we're unable to connect your call"
0800-013-0148 - "Sorry we're unable to connect your call"
0800-013-0149 - "Sorry we're unable to connect your call"
0800-013-0150 - Answerphone
0800-013-0151 - "Sorry we're unable to connect your call"
0800-013-0152 - "Sorry we're unable to connect your call"
0800-013-0153 - "Sorry we're unable to connect your call"
0800-013-0154 - Voice
0800-013-0155 - Rings
0800-013-0156 - Rings
0800-013-0157 - Call waiting (engaged)
0800-013-0158 - Recorded message
0800-013-0159 - Voice
0800-013-0160 - Fax
0800-013-0161 - Voice
0800-013-0162 - "Sorry we're unable to connect your call"
0800-013-0163 - Rings
0800-013-0164 - Very basic PBX. Unlimited attempts at extension passcodes.
0800-013-0165 - Rings
0800-013-0166 - Engaged
0800-013-0167 - Rings
0800-013-0168 - "Sorry we're unable to connect your call"
0800-013-0169 - Voice mail box
0800-013-0170 - Voice
0800-013-0171 - "Sorry we're unable to connect your call"
0800-013-0172 - "Sorry we're unable to connect your call"
0800-013-0173 - "Sorry we're unable to connect your call"
0800-013-0174 - "Sorry we're unable to connect your call"
0800-013-0175 - "Sorry we're unable to connect your call"
0800-013-0176 - "Sorry we're unable to connect your call"
0800-013-0177 - "Sorry we're unable to connect your call"
0800-013-0178 - "Sorry we're unable to connect your call"
0800-013-0179 - "Sorry we're unable to connect your call"
0800-013-0180 - Rings, then message "Please call back later"
0800-013-0181 - Voice     (One of these bastards kept calling
0800-013-0182 - Voice     back and wouldn't hang up his end.)
0800-013-0183 - Rings
0800-013-0184 - "Sorry we're unable to connect your call"
0800-013-0185 - "Sorry we're unable to connect your call"
0800-013-0186 - "Sorry we're unable to connect your call"
0800-013-0187 - Recorded message
0800-013-0188 - "This phone number has changed to..."
0800-013-0189 - "Sorry we're unable to connect your call"
0800-013-0190 - Answerphone
0800-013-0191 - "Your call is in a queue" (help/info line)
0800-013-0192 - "Sorry we're unable to connect your call"
0800-013-0193 - Recorded message
0800-013-0194 - Answerphone
0800-013-0195 - Dead
0800-013-0196 - "Sorry we're unable to connect your call"
0800-013-0197 - "Sorry we're unable to connect your call"
0800-013-0198 - "Sorry we're unable to connect your call"
0800-013-0199 - "Sorry we're unable to connect your call"
0800-013-0200 - "Sorry we're unable to connect your call"

                           prephix@bigfoot.com


..........................................................................
Things to consider when (Ab)using a PBX...................................
by the B4ckCh4tter........................................................
2002......................................................................

Foreword
--------

This document will not teach you how to hack a PBX - it's a discussion of 
possible approaches you might consider once the hacking has been done.  It's 
a basic outline of some exploits that are well known to the phreaking 
community at large, and many that are not known by most.  To test the 
viabilty of many of them you'll need to have either physical access to the 
PBX "instruments" in question, or some way (heh) to interpret the data they 
display remotely.  Almost all of the specialised consoles mentioned here can 
be bought from reputable companies, or else (with the right tools, software 
and knowledge) emulated on a standard PC workstation hooked up to an outside 
line.  I've even seen some of the necessary software available for download, 
naming no names or locations...

If you're aim is simply to abuse the system to obtain 'phree' calls, this 
file is not for you.  This is written for the real phreaks out there; the 
ones with a genuine interest in how these systems actually work - so if 
you're in it to save a little cash and couldn't care less about the theories 
and methodology involved in advanced telecommunications - GO AWAY; read up 
on 'boxing' or some such dinosaur-shit and spend the rest of your life 
wondering why the info you've got doesn't work anymore.

Okay, whining's over...this is all adapted from available security sources, 
so it's technically sound...blah...yadda...you get the picture.  On with the 
file.

.-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-.
|------> THE Private Branch eXchange: AN INTRODUCTION |
'-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'

A Private Branch eXchange (PBX) is a sophisticated computer-based switch 
that can be thought of as essentially a small, in-house phone company for 
the organization (governmental or industrial) that operates it.  As we all 
know, a company's failiure to secure a PBX can result in it exposing itself 
to toll fraud, theft of proprietary or confidential information, and other 
types of losses.

This file presents a generic methodology for conducting an analysis of a PBX 
in order to identify and exploit various security vulnerabilities; focusing 
on digital-based PBXs and addressing the following areas of study:

---> System Architecture

---> Hardware

---> Maintenence

---> Administrative Database/Software

---> User Features

As I've already mentioned, this file is not intended as a step-by-step guide 
to hacking a PBX, but rather a guideline for what specific areas should be 
studied for the existence of a number of possible vulnerabilities.  This 
process must be customized for each specific PBX you target, depending upon 
the actual switch features - which you yourself must determine by A) 
engineering the appropriate docs out of the owner/manufacturer, or B) by 
trial and error during your exploration.  This file provides information on 
vulnerabilities that are *not* well known to many in the phreaking 
community, as well as suggested procedures for penetration.  For any of this 
information to be useful, you have to be able to identify and exploit these 
vulnerabilities before a sys admin identifies them and patches them up!  The 
race is on...(but don't worry too much, most admins haven't got the first 
fucking clue about effective security...heh).

.-=-=-=-=-=-=-=-=-=-.
|------> BACKGROUND |
'-=-=-=-=-=-=-=-=-=-'

Digital PBXs are widespread throughout both government and industry, having 
replaced their analog predecessors.  Although these older systems contained 
known vulnerabilities (e.g., conventional tapping, on-hook live microphones, 
etc.), the advent of software based PBXs has provided a wealth of 
communications capabilities within these switches.  Today, even the most 
basic PBX systems have a wide range of capabilities that were previously 
available only in large scale switches.  These new features have opened up 
many new opportunities for us to attempt to exploit the PBX, particularly by 
using the features as designed for a purpose that was never intended.  
Opportunities on PBX telephone systems are many, depending on your motives 
and goals.

These might include:

---> Theft of service

i.e., toll fraud, probably the most common of motives.

---> Disclosure of information

data disclosed without authorization. Examples include both eavesdropping on 
conversations or unauthorized access to routing and address data.

---> Data modification

data altered in some meaningful way by reordering, deleting or modifying it. 
For example, you  might change billing information, or modify system tables 
to gain additional services.

---> Unauthorized access

actions that permit you to gain access to system resources or privileges.

---> Denial of service

actions that prevent the system from functioning in accordance with its 
intended purpose.  A piece of equipment or entity may be rendered inoperable 
or forced to operate in a degraded state; operations that depend on 
timeliness may be delayed.

---> Traffic analysis

a form of passive attack in which a phreak/spy observes information about 
messages being transmitted (although not necessarily the contents of the 
messages) and makes inferences, e.g. from the source and destination 
addresses, or frequency and length of the messages.  For example, a phreak 
observes a high volume of communications between a company’s legal 
department and the Patent Office, and concludes that a patent is being 
filed.

PBXs are sophisticated computer systems, and many of the opportunities and 
vulnerabilities associated with operating systems are shared by PBXs.  But 
there are two important ways in which PBX security is different from 
conventional operating system security:

---> External access/control.

Like larger telephone switches, PBXs typically require remote maintenance by 
the vendor.  Instead of relying on local administrators to make operating 
system updates and patches, organizations normally have updates installed 
remotely by the switch manufacturer.  This of course requires remote 
maintenance ports and access to the switch by a potentially large pool of 
outside parties.

---> Feature richness.

The wide variety of features available on PBXs, particularly administrative 
features and conference functions, provide the possibility of unexpected 
attacks.  You could use a feature in a manner that was not intended by its 
designers.  Features may also interact in unpredictable ways, leading to 
system compromise even if each component of the system conforms to its 
security requirements and the system is operated and administrated 
correctly.

Although most features are common from PBX to PBX, the design implementation 
of these features may vary.  For example, many PBX vendors have proprietary 
designs for the digital signaling protocol between the PBX and the user 
instruments.  This is the reason digital instruments usually cannot be 
interchanged between PBXs of different manufacturers.  The methodology 
outlined in this file will assist in the investigation of PBX features that 
are known to be susceptible to attack. However, the degree of vulnerability, 
if any, will depend on how each feature is implemented.

This file assumes that the reader has a working knowledge of telephony and 
PBX structure and operation (so if you don't, go do some homework, then come 
back...).  You will also need access to certain types of specific 
hardware/software.

.-=-=-=-=-=-=-=-=-=-=-=-=-=-=-.
|------> SYSTEM ARCHITECHTURE |
'-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'

This section addresses the ways in which you may be able to exploit 
vulnerabilities that are inherent in the system architecture.

Separation of Switching and Administrative Functions
----------------------------------------------------

All modern PBXs have central computer processors that are controlled from a 
software-driven stored program.

+----------------------------+                       +------------------+
|                            |-----------------------|  Peripheral Bay  |
|       SYSTEM UNIT          |                       +------------------+
|                            |                       |  Trunk           |
+----------------------------+                       |                  |
              |                                      |  Universal       |
              |                           +----------|                  |
              |                           |          |  COV             |
              |                           |          |                  |
      +----------------+                  |          |  Digital         |
      | PC or Terminal |                  |          +------------------+
      +----------------+                  |              |           |
                                 +----------------+  +------------+  |
                                 | Central office |  | Subscriber |  |
                                 |                |  | Phone      |  |
                                 | Trunk Lines    |  +------------+  |
                                 +----------------+                  |
                                                              
+---------------+
                                                              | Console 
Phone |
                                                              
+---------------+

Figure 1.

In addition, most PBXs have microprocessors dispersed throughout the switch 
that provide real-time signaling and supervision control as instructed from 
the central processor.  One or more terminals and their associated port(s) 
provide computer operating system, database management, and maintenance 
access to the PBX processor.  Access to these functions gives the user total 
control of the PBX.  Depending on the size of the PBX, these functions may 
be separate or combined.

Administrative Terminals.
-------------------------

The switch should be examined to determine whether the administrative 
functions are performed on terminals that are connected to the PBX via the 
same type of ports that switch the voice and data traffic, or if the 
terminals are connected via dedicated ports.  If they are connected via the 
same type of voice and data ports, these terminals could be surreptitiously 
switched to an unauthorized user.  This may or may not require a modem. If 
the ports are dedicated for use by these terminals, this opportunity is 
mostly eliminated.  However, it is still possible to exploit this through 
the use of a modem coupled with an unauthorized connection to a switched 
port, enabling the resourceful phreak to dial in and make database 
modifications.

In smaller PBXs, these functions are often combined.  For example, the 
attendant (operator) terminal may also be the database terminal, or the 
database terminal may also be the maintenance terminal.  Attempts should be 
made to use these terminals to modify the database or gain access to 
unauthorized functions.  For example, investigate whether you can access 
and/or manipulate the database via the attendants terminal or the 
maintenance terminal.
Switching Algorithm
--------------------

Switching is performed using time division multiplexing techniques where 
each voice (digitized) and data port is assigned a time slot.  Under control 
of the call processing routines, incoming time slots are connected to 
outgoing time slots.  If the number of incoming slots is less than or equal 
to the number of outgoing slots, there will be no contention for switching 
resources.  This is commonly known as non-blocking switching.

Dual Connections.
-----------------

To investigate for vulnerabilities, attempts should be made to route another 
incoming time slot to an outgoing time slot in addition to the intended time 
slot.  This might be accomplished by a database entry or by a modification 
to the PBX control software.  After accomplishing this, test calls should be 
made to verify the dual connection and to determine whether the intended 
calling or called party can detect the false connection.  If the PBX under 
study has status or maintenance query features, and you can access them, you 
can check if they detected the modification.

Function Allocation
-------------------

Although most PBX functions are software driven, the PBX under study should 
be examined to determine how specific features are implemented so that 
potential vulnerabilities can be explored.  For example, conferencing can be 
implemented in hardware or software.  Knowing the design implementation will 
aid you in determining how to exploit the function itself.  Figure 2 shows a 
typical PBX functional architecture.

+----------+           +--------------------------------+
| Terminal |-----------| Identification & Authorization |
+----------+           +--------------------------------+
                      /                 |
                     /                  |
                    /                   |
                   /           +----------------+
+-----------------+            |                |
|   Audit Trail   |------------| User Functions 
|---------------------------------.
+-----------------+            |                |                            
      |
                |              +----------------+                            
      |
                |                      |         \                           
      |
                |                      |          \                          
      |
                |                      |           \                         
      |
                |                      |           
+---------------------------+  |
                '----------------------|-----------| Internal Switch 
Functions |  |
                                       |           
+---------------------------+  |
                                       |          / \                        
      |
                                       |         /   \                       
      |
                                       |        /     \                      
      |
           +------------+    +-----------------+       +------------------+  
      |
           | Subscriber |    | Subscriber Info |       | Trunk Attributes 
|-------'
           +------------+    +-----------------+       +------------------+
           |                /                          |
           |               /                           |
           |              /                            |
           +-------------+-----------------------------'
           | Call Router |
           
+-------------+-----------------------------+------------------------+
                                                       | Request For 
Connection |
                                                       |                     
    |
                                                       | Subscriber Data 
Input  |
                                                       |                     
    |
                                                       | Subscriber Date 
Output |
                                                       
+------------------------+
Figure 2.

.-=-=-=-=-=-=-=-=-.
|------> HARDWARE |
'-=-=-=-=-=-=-=-=-'

This section addresses the ways in which you could exploit vulnerabilities 
that are inherent in the system hardware to gain unauthorized access to 
information passing through the switch.

Susceptibility to Tapping
-------------------------

A PBX's susceptibility to tapping depends on the methods used for 
communication between the PBX and its instruments.  This communication may 
include voice, data, and signaling information.  The signaling information 
is typically commands to the instrument (turn on indicators, microphones, 
speakers, etc.) and status from the instrument (hook status, keys pressed, 
etc.).  Three general communications methods are discussed below.

Analog Voice with or without Separate Control Signals
-----------------------------------------------------

This is the simplest of the three methods discussed here.  Analog voice 
information is passed between the PBX and the instrument on either a single 
pair of wires or two pairs (one for transmit and one for receive).  If there 
is any additional signaling communication (other than the hook switch) 
between the PBX and the instrument, it is done on wires that are separate 
from the voice pair(s).

The voice information is transmitted essentially as it is picked up by a 
microphone.  It is in a form that can be directly reproduced by a speaker.  
The voice line can be easily tapped by connecting a high impedance 
differential amplifier to the pair of voice wires.  The amplified voice 
signal can then be heard directly with a speaker or headphones, or, you 
sneeky so and so, it can be recorded for later playback.

If signaling data is transmitted on a separate set of wires, it is normally 
in proprietary formats.  A phreak with physical access to the target PBX can 
gain useful information by hooking an oscilloscope up to each wire and 
observing the effects when the instrument is taken on and off hook, keys are 
pressed, etc.  For example, in one common format the voltage present on each 
data wire reflects the on/off status of a control or indicator.

Another possible format is one in which information is passed as bytes of 
digital data in a serial asynchronous bit stream similar to that of a 
PC's/terminal's serial data port. Each data byte being transmitted would 
appear in a pattern similar to the following:

*Start Bit, Data Bits (5..8, frequently 8), optional Parity Bit, Stop Bits 
(1, 1.5, or 2)*.

The Start Bit and Stop bits are of opposite polarity.  The bit rate could be 
measured with an oscilloscope.  A device such as a PC or pbx terminal could 
then be configured to capture the serial data and perhaps store it for some 
(hehehe) later use.

Analog Voice with Inclusive Control Signals
-------------------------------------------

In this scheme, analog voice and control signaling is passed between the PBX 
and the instrument on either a single pair of wires or two pairs (one pair 
for transmit and another for receive).  This can be done if the signal path 
is of a high enough bandwidth to pass voice information (less than 4 KHz) 
plus additional data information.  For example, voice information can be 
combined with data information modulated onto a carrier tone that is 
centered outside of the voice band.

This type of line is vulnerable to tapping by connecting a high impedance 
differential amplifier to the pair and passing the signal through filters to 
separate the voice and data information.  Data information could be 
recovered by demodulating the carrier tone.  The methods outlined in the 
section above could then be used to determine the format of the data being 
transmitted.

Digital Voice with Inclusive Control Signals
--------------------------------------------

With this method, voice and control signaling data are passed across the 
same pair of wires.  There may be two pairs of wires, one for each 
direction, or both directions could be combined onto one pair of wires using 
echo cancellation as is done with ISDN.  Conventional tapping techniques 
would not work against most types of digital lines.  The format and type of 
digital signals that pass between the PBX and its instruments vary widely 
between switch types.

If separate pairs are used for transmit and receive, each pair could be 
tapped to provide access to the transmit and receive digital bit streams by 
first determining in what digital format the data is being transmitted.  
Then a digital to analog converter could be used to convert the digital data 
back into analog voice that can be listened to or recorded.  A great deal of 
information useful to an advanced phreak could be gained by disassembling 
the telephone models of interest and determining what types of parts are 
used for CODECs, UARTs, A/Ds, D/As, etc.  Published information on these 
parts can generally be engineered from the manufacturers.

Echo Cancellation
------------------

If both transmit and receive are combined on one pair using echo 
cancellation, the above methods would not be useful for tapping.  This is 
because each transmit end of the link can only determine what is being 
received by subtracting out what it is transmitting from the total signal.  
If you tapped the line somewhere between the two ends you would only have 
access to the total signal and would therefore find it nearly impossible to 
reproduce either end.

One possible way of tapping this kind of line would be to build a device 
that is placed in-line between the two transmitting ends.  The device would 
pass information between the two ends as if it were not there, while 
providing access to the separate bit streams.  The device would depend on a 
known initial condition on both ends (such as silence) in order to be able 
to subtract the correct information from the total signal. The technical 
difficulty of this attack probably makes systems using echo cancellation 
most resistant to attack among all of those described here, since protecting 
against this kind of attack simply requires ensuring that lines are not 
physically compromised.

Conferencing (Hardware)
-----------------------

When implemented in hardware, the conferencing feature may employ a circuit 
card known as a conference bridge or a signal processor chip.  This allows 
multiple lines to be "bridged" to create a conference where all parties can 
both speak and listen.  Some PBXs have a feature where all parties can hear, 
but only certain parties can speak.  This is a type of broadcast conference. 
  For whatever reason, you might desire a connection to the bridge where the 
conference could be overheard.  A hardware modification to the bridge itself 
may make it possible to cause the "output" of the bridge to be available to 
a specific port.  As in instrument modifications, some additional steps must 
be taken to receive this information.  This may include modifying the 
database to make yourself a permanent member of the bridge so that any 
conference on that bridge could be overheard.

.-=-=-=-=-=-=-=-=-=-=.
|------> MAINTENANCE |
'-=-=-=-=-=-=-=-=-=-='

Maintenance procedures are the most commonly exploitable functions in 
networked systems, and the opportunity is even greater with PBXs because PBX 
maintenance frequently requires the involvement of outside personnel. This 
section addresses the ways in which you could exploit vulnerabilities in 
maintenance features to gain access to the switch.

Remote Access
-------------

Remote access is frequently an unavoidable necessity for the owner of the 
PBX, but it can represent a serious vulnerability.  The maintenance features 
may be accessible via a remote terminal with a modem, an Attendant Console 
or other instrument, or even over an outside dial-in line.  This allows for 
systems to be located over a large area (perhaps around the world) and have 
one central location from which maintenance can be performed.  Often it is 
necessary for the switch manufacturer to have remote access to the switch to 
install software upgrades or to restart a switch that has experienced a 
service degradation.

Dial-back modem vulnerabilities.
--------------------------------

Unattended remote access to a switch clearly represents a vulnerability.  
Many organizations have employed dial-back modems to control access to 
remote maintenance facilities.  This access control method works by 
identifying the incoming call, disconnecting the circuit, and dialing the 
identified person or computer at a predetermined telephone number.  Although 
helpful, this form of access control is weak because methods of defeating it 
are well known.  For example, if the local telephone company central office 
uses originator control for phone lines, you can stay on the line, send a 
dial tone when the modem attempts to disconnect, then wait for the modem to 
dial out again on the same line.  A more sophisticated means of defeating 
dial-back modems has also been used in attacks reported in the open 
literature.  In this method, the local phone company switch is penetrated 
and its databases modified to forward the returned calls directly to the 
attacker's computer.

Social engineering attacks.
---------------------------

Even if the organization requires some action by local operators to provide 
access to the remote maintenance connection, serious vulnerabilities may 
still exist.  For example, modems on lines used by remote maintenance may be 
kept off, and only turned on when a call is received from the switch 
manufacturer.  Often the only form of authentication used by the 
organization may be ensuring that the manufacturer remote maintenance 
personnel requesting access are listed among legitimate remote users.  This 
form of authentication is clearly inadequate.  If you're a good engineer, it 
would be fairly easy for you to contact the switch manufacturer on the 
pretext of needing help with a particular type of switch, obtain the names 
of the manufacturer's remote maintenance personnel, and then masquerade as 
these personnel to obtain access to the target switch.

Maintenance Feature Vulnerabilities
------------------------------------

A common maintenance feature is Maintenance-Out-of-Service (MOS).  This 
feature allows maintenance personnel to place a line out of service for 
maintenance.  It is typically used when a problem is detected with a line or 
when it is desired to disable a line. However, if a line is placed MOS while 
it is in operation, the PBX may terminate its signaling communication with 
the instrument and leave the instrument's voice channel connection active 
even after the instrument is placed on-hook.  If the MOS feature were to 
function in this manner, the potential exists for you to use the MOS feature 
to establish a live microphone connection to a user's location without the 
user's knowledge, and thereby eavesdrop on the area surrounding the user's 
instrument.

Line Testing Capabilities
--------------------------

Another common maintenance feature is the ability to connect two lines 
together in order to transmit data from one line to the other and verify 
whether or not the second line receives the data properly.  This feature 
would allow someone with maintenance access to connect a user's instrument 
to an instrument at another location in order to eavesdrop on the area 
surrounding the user's instrument without the user's knowledge.

Undocumented Maintenance Features
----------------------------------

The PBX may support some maintenance features that are not normally 
accessible to the owner/operator of the PBX for several reasons.  These 
types of utilities vary greatly from one PBX to another so that a general 
approach to finding them cannot be detailed.  Some suggested courses of 
action are listed below:


---> Engineer the manufacturer or maintenance company into telling you if 
any such features exist.

---> Attempt to learn about undocumented usernames/passwords.

---> Attempt to search the system PROMS or disks for evidence of such 
features.

Viewing the system load files with a binary editor will sometimes reveal the 
names of undocumented commands among a list of known maintenance commands 
that can be recognized in the binaries.

Special Manufacturer's Features
--------------------------------

There may be features that the manufacturer considers useful in the event a 
customer's PBX becomes disabled to such a point that on-site maintenance 
personnel cannot resolve the problems.  The manufacturer could then instruct 
the maintenance personnel to configure and connect a modem to the 
maintenance port.  The manufacturer may then be able to dial-in and use 
certain special features to resolve the problems without sending a 
representative to the customer's location.  The potential cost savings is a 
likely reason for adding such special features.  The manufacturer would not 
want the special features to be well known because of their potential 
vulnerability.  These types of features would most likely be accessible via 
undocumented username/password access to the maintenance and/or 
administrative tools.  Some possible undocumented features are listed below:

---> Database upload/download utility:

Such a utility allows the manufacturer to download the database from a 
system that is malfunctioning and examine it at their location to try to 
determine the cause of the malfunction.  It would also allow the 
manufacturer to upload a new database to a PBX in the event that the 
database got so corrupted that the system became inoperable.  The existence 
of such a utility could potentially allow you to download a system's 
database, insert a trojan horse or otherwise modify it to allow special 
features to be available, and upload the modified database back into the 
system.

---> Database examine/modification utility:

Such a utility allows the manufacturer to remotely examine and modify a 
system's database to repair damage caused by incorrect configuration, design 
bugs, or tampering.  This utility would also p