
mer-hack.txt

mer-hack.txt
Posted Apr 15, 2000
Authored by hybrid | Site hybrid.dtmf.org

Meridian Mail switch management and security audit. Meridian switch hacking (expunged), written for f41th magazine.

tags | telephony
SHA-256 | 53fdc2fa5f05cf1777e8479352cc1d861cec9b6e6f8e3889967f641800081772



. .. ... .......... BL4CKM1LK teleph0nics .......... ... .. .
. .. ... .......... http://hybrid.dtmf.org ......... ... .. .


So close it has no boundaries...

A blinking cursor pulses in the electric darkness like a heart coursing with
phosphorous light, burning beneath the derma of black-neon glass. A PHONE
begins to RING, we hear it as though we were making the call. The cursor
continues to throb, relentlessly patient, until...


Meridian I Switch and Trunk Interception.......... ..... ... .
An account of how an ENTIRE companys PBX.......... ..... ... .
can be taken over (The hardcore phreak way)....... ..... ... .
by hybrid <hybrid@dtmf.org hybrid@ninex.com>...... ..... ... .


Hi. I'm not going to write a mad big introduction to this article, because
I don't feel there is a need for one. All I want to say here is that this
article is intended for the more "hardcore" phreak, yes, hardcore phreak, not
for lame ass calling card leeching kiddies who call themselves phreaks. If
you are interested in hacking telephony switches, and you have prior
knowledge of Meridian, read on..

Through my experience, I've seen a lot of Meridian admins go through many
different and sometimes repetitive lengths to supposedly secure an internal
PSTN connected PABX. In this article I'm going to share my knowledge of
PBX switch hacking, and enlighten you to the intricate techniques that can
be used to "trunk hop" etc. The information provided in this article has been
obtained from my own personal accounts of hacking telephony switches, which
I'd like to state, I don't participate in anymore.

Now, for the sake of timesaving, I'll setup a possible scenario.. Consider
the following:

o You have stumbled across a nice Meridian Mail system, which you
have already compromised by finding yourself a few boxes in there.
You discover that the Meridian Mail system you have gained access
to belongs to a certain telco, and is used for internal
communication between employees high up in the hierarchical chain.

Now, any "normal" phreak would gradually take over the system by finding as
many free boxes as possible and handing them over to friends, or would keep
the nice lil' system to themselves as a means of obtaining information about
the telco that owns the PBX, by eavesdropping on used voicemail boxes. This
is a very primitive form of remote eavesdropping, which this file is not
designed to illustrate.

Meridian PBX systems are all administered by a primary system console, which
can be remotely accessed by many different protocols. The most popular of
these is remote dialup via assigned extensions. If the company's main switch
is Centrex based, it is likely that the Meridian admin console is accessible
via IP on the company's intranet. If you manage to gain access to the
actual switching component, you are likely to have the following privileges
on the Meridian based network:

o 100% control over every single inbound/outbound trunk group
o Access to every single voicemail box on the switch
o Access to trunk/group/node administration

Basically, the Meridian administration module is designed to make the admin
(or whoever has access to it) GOD over the entire system. I say GOD because
you could do anything you wanted, as far as your telephony derived
imagination extends. OK, enough of this.. I'm just going to stop going on
about what ifs for the time being; now I'm going to concentrate on the
factual information, and how one would go about accessing such a
switch.

The simplest way to find the internal dialup to a Meridian switch is to
scan the internal extensions which the switch controls. It's generally a
good idea to begin scanning network/node extensions such as 00,01,02,03[xx]
etc. What you are looking for is a modem carrier, which when you connect
should ask you for a single password, which in most cases is bypassed
by hitting control-SD. Once you are in, you should receive the switch's
command line prompt, something similar to this:

>

or

SWITCH0>

OMG, I hear you think.. It looks like a DMS switch prompt.. Well, it is, in
a funny kind of way. Meridian switches are designed to emulate certain levels
of DMS-100 O/S types, so you'll find that many of the BCS leveled commands
that you know from DMS will be useful here. The information that follows
has been obtained from public Meridian Mail Administration sources on the
net..

/*

Basic Meridian 1 Security Audit
-------------------------------

"Users will go nuts calling a radio station to win a free toaster,
taking over all the trunks in your phone system."

An audit of the Meridian 1 telephone system will ensure that every possible
"system" precaution has been made to prevent fraud. The first step involves
querying data from the system in the form of printouts (or "capturing" the
data to a file in a PC). The next step is to analyze the data and confirm the
reason for each entry. Please be advised that this procedure is not designed
for all "networked" Meridian 1 systems, however, most of the items apply to
all systems. Use at your own risk.

PRINTOUTS REQUIRED FOR SECURITY AUDIT: It is suggested that you "capture" all
of the data from these printouts to separate files. This can be accomplished
with a PC and communications program. For the BARS LD90 NET printout, try
this file. (enclosed in faith10.zip barparse.zip)

------------------------------------------------------------------------------
LD22 CFN LD22 PWD LD21 CDB LD21 RDB
LD21 LTM LD23 ACD LD24 DISA LD20 SCL
LD86 ESN LD86 RLB LD86 DMI LD87 NCTL
LD87 FCAS LD87 CDP LD90 NET LD90 SUM
LD20 TNB LD22 DNB LD88 AUB
------------------------------------------------------------------------------

GATHERING DATA FROM LD81
------------------------
List (LST) the following FEAT entries to form an information base on the
telephones.

------------------------------------------------------------------------------
NCOS 00 99 CFXA UNR TLD SRE
FRE FR1 FR2 CUN CTD
------------------------------------------------------------------------------

DATA BLOCK REVIEW ITEMS
-----------------------
From the printouts, a review of the following areas must be made. Some of the
items may or may not be appropriate depending on the applications of the
telephone system.


------------------------------------------------------------------------------
CFN - Configuration Verify that History File is in use.
------------------------------------------------------------------------------
PWD - Passwords Verify that FLTH (failed login attempt threshold) is
low enough. Verify that PWD1 and PWD2 (passwords) use
both alpha and numeric characters and are eight or
more characters long. Note any LAPW's (limited access
passwords) assigned. Enable audit trails.
------------------------------------------------------------------------------
CDB - Customer Verify that CFTA (call forward to trunk access code)
Data Block is set to NO. Verify NCOS level of console. Verify
that NIT1 through NIT4 (or other night numbers) are
pointing to valid numbers. EXTT prompt should be NO
to work in conjunction with trunk route disconnect
controls (See RDB)
------------------------------------------------------------------------------
RDB - Trunk Route Verify that every route has a TARG assigned. Confirm
Data Block that FEDC and NEDC are set correctly. ETH is typical,
however for maximum security in blocking trunk to
trunk connections, set NEDC to ORG and FEDC to JNT
Confirm that ACCD's are a minimum of four digits long
(unless for paging). If ESN signaling is active on
trunk routes, verify that it needs to be. ESN
signaling, if not required, should be avoided. NOTES
ON TGAR: For demonstration purposes, this document
suggests that sets be a "TGAR 1". The only
requirement for TGAR is that it match one of the TARG
numbers assigned in the Route Data Block
------------------------------------------------------------------------------
ACD - Automatic Verify ACD queues and associated NCFW numbers.
Call Distribution Verify all referenced extensions.
------------------------------------------------------------------------------
DISA - Direct Remove DISA if not required. If required, verify that
Inward System security codes are in use.
Access
------------------------------------------------------------------------------
ESN - Electronic AC1 is typically "9". If there is an AC2 assigned,
Switched Network verify its use. If TOD or ETOD is used - verify what
NCOS levels are changed, when they are changed and
why they are changed. Apply FLEN to your SPNs to
ensure nobody is ever allowed to be transferred to a
partially dialed number, like "Transfer me to 91800".
Study EQAR (Equal Access Restriction) to ensure that
users can only follow a "Carrier Access Code" with a
zero rather than a one: (1010321-1-414-555-1212 is
blocked but 1010321-0-414-555-1212 is allowed with
EQAR)
------------------------------------------------------------------------------
NCTL - Network Use LD81 FEAT PRINT to verify all NCOS being used.
Control Does NCOS 0 = FRL 0? Does NCOS X always equal FRL X
in the NCTL? Does FRL 0 have any capabilities? - It
should not be able to dial anything.
------------------------------------------------------------------------------
FCAS - Free Call Confirm the need to use FCAS and remove it if
Screening possible. FCAS is usually a waste of system memory
and complicates the system without saving money.
------------------------------------------------------------------------------
DGT (DMI) - Digit Confirm all numbers referenced in the "insert"
Manipulation section of each DMI table.
------------------------------------------------------------------------------
RLB - BARS Route Are any RLB ENTR'S assigned FRL 0 - typically, only
List Block the RLB that handles 911 calls should have an FRL 0.
If DMI is in use, confirm all "inserted" numbers.
------------------------------------------------------------------------------
CDP - BARS Are all CDP numbers valid? Check the RLBs they point
Coordinated to and see what the DMI value is. Confirm insertions.
Dialing Plan
------------------------------------------------------------------------------
NET - ALL - BARS Add 000,001,002,003,004,005,006,007,008,009 as SPNs
Network Numbers pointing to a route list block that is set to LTER
YES. These entries block transfers to "ext. 9000" and
similar numbers. Point SPN "0" to a RLI with a high
FRL, then consider adding new SPNs of 02, 03, 04, 05,
06, 07, 08, 09 to point to a RLI with a lower FRL so
that users cannot dial "0", but can dial "0+NPA"
credit card calls. Check FRL of 0, 00, 011 and
confirm that each is pointed to a separate NET entry
requiring a high FRL. Remove all offshore NPAs (like
1-809 Dominican Republic) if possible. Regulations
are almost non-existent in some of those areas and
they are hot fraud targets. Verify blocking of 900 and
976 access. Also consider blocking the NXX of your
local radio station contest lines. Users will go nuts
calling a radio station to win a free toaster, taking
over all the trunks in your phone system. Restrict
the main numbers and DID range within the BARS
system. There is no need to call from an outgoing to
an incoming line at the same location.
------------------------------------------------------------------------------
TRUNKS Confirm that all trunks have TGAR assigned. Confirm
that all incoming and TIE trunks have class of
service SRE assigned. (caution on networked systems)
Confirm that all trunks have an NCOS of zero.
NOTES ON TGAR: For demonstration purposes, this
document suggests that sets be a "TGAR 1". The only
requirement for TGAR is that it match one of the TARG
numbers assigned in the Route Data Block
------------------------------------------------------------------------------
SETS-PHONES Does every phone have a TGAR of 1 assigned? (This
must be checked set by set, TN by TN). Can you change
every phone that is UNR to CTD? Review LD81 FEAT
PRINT to find out the UNR sets. CTD class of service
is explained below. Confirm that all sets are
assigned CLS CFXD? Confirm that the NCOS is
appropriate on each set. In Release 20 or above,
removing transfer feature may be appropriate. Confirm
that all sets CFW digit length is set to the system
DN length. NOTES ON TGAR: For demonstration purposes,
this document suggests that sets be a "TGAR 1". The
only requirement for TGAR is that it match one of the
TARG numbers assigned in the Route Data Block Apply
Flexible Trunk to Trunk Connections on the set, and
FTOP in the CDB if deemed appropriate. These
restrictions are done on a set by set basis and allow
or deny the ability to transfer incoming calls out of
the facility.
------------------------------------------------------------------------------
VOICE MAIL PORTS Each port should be CLS SRE. Each port should be
NCOS 0 (NCOS 0 must be known to be too low to pass
any call). Each port should be TGAR 1 (all trunk
routes must be TARG 1 also). NOTES ON TGAR: For
demonstration purposes, this document suggests that
sets be a "TGAR 1". The only requirement for TGAR is
that it match one of the TARG numbers assigned in the
Route Data Block. NOTE: If you are used to your Mail
system doing outcalling, you can forget about that
working after applying these restrictions.
------------------------------------------------------------------------------

CLASS OF SERVICE AND TRUNK GROUP ACCESS RESTRICTIONS:
-----------------------------------------------------
EXPLANATION OF CLASS OF SERVICE SRE:
------------------------------------
NTP DEFINITION: Allowed to receive calls from the exchange network.
Restricted from all dial access to the exchange network. Allowed to access
the exchange network through an attendant or an unrestricted telephone only.
Essentially, an SRE set can do nothing on its own except dial internal and
TIE line extensions. If a trunk is SRE - it will work normally and allow
conference calls and transfers.

EXAMPLES OF 'SRE' IN USE:
-------------------------
Voice Mail cannot connect to an outgoing line, but can receive incoming
calls. Callers on the far end of a TIE line cannot call out through your end
(for their sake, both ends should be SRE).

EXPLANATION OF CLASS OF SERVICE CTD:
------------------------------------
If a route access code is accessed (if there was no match between the TGAR
and TARG), the caller cannot dial 1 or 0 as the leading digits. If the caller
makes a "dial 9" BARS call, the NCOS will control the call.

EXPLANATION OF TGAR AND TARG:
-----------------------------
The best restriction is to have all trunk routes TARG'd to 1 and all TNs
(including actual trunk TNs) TGAR'd to 1. This will block all access to
direct trunk route selection.

BENEFITS OF IMPLEMENTING THESE SECURITY RESTRICTIONS
----------------------------------------------------
No incoming caller will have access to an outside line unless physically
transferred or conferenced by an internal party. If voice mail ports are SRE
and NCOS 0 and have a TGAR matching the TARG - they will not be able to
transfer a call out of the system, regardless of the voice mail system's
resident restrictions assigned. No phone will be able to dial a trunk route
access code. Consider allowing telecom staff this ability for testing.

Layered security:
-----------------
If in phone programming, TGAR was overlooked on a phone, the CTD class of
service would block the user from dialing a 0 or 1 if they stumble upon a
route access code. If in programming, the CTD class of service was
overlooked, both TGAR and NCOS would maintain the restrictions. If in
programming, the NCOS is overlooked, it will default to zero, which is
totally restricted if NCTL and RLBs are set up correctly.
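
The data block review items and the layered restrictions above come down to a
handful of prompts per TN (TGAR, NCOS, the CLS restriction mnemonic, CFXA/CFXD),
which is exactly what a captured LD20 TNB printout contains. As an added example
that is not part of the original article or the audit document it quotes, the
Python below parses such printouts (the format shown under "Telephone" further
down) into prompt/value pairs and applies the SETS, TRUNKS and VOICE MAIL PORTS
checks to each block. It assumes continuation lines (CLS spilling over several
lines) are indented in the capture, that every trunk route is TARG 1 so a TN
must be TGAR 1 to be blocked, and that TGAR 0 means no restriction; the two
printouts embedded at the bottom are constructed for illustration.

```python
"""Offline review of LD20 TNB printouts captured from a Meridian 1 SDI port.

Added example, not part of the original article. Assumptions: continuation
lines are indented, every route is TARG 1 (so TGAR 1 blocks direct route
access), TGAR 0 is unrestricted. The sample printouts below are constructed."""

TARG_IN_USE = {"1"}   # TARG value assigned to every trunk route (assumed policy)


def parse_tn_block(text):
    """Turn one TNB printout into {PROMPT: [values]}; an indented line
    continues the previous prompt (this is how CLS spans several lines)."""
    data, last = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and last is not None:
            data[last].extend(raw.split())
            continue
        parts = raw.split()
        last = parts[0]
        data.setdefault(last, []).extend(parts[1:])
    return data


def audit_tn(text, role):
    """role: 'set', 'trunk' or 'vmport'. Returns findings; an empty list is clean."""
    d = parse_tn_block(text)
    tn = " ".join(d.get("TN") or ["?"])
    cls = set(d.get("CLS") or [])
    tgar = (d.get("TGAR") or ["0"])[0]
    ncos = (d.get("NCOS") or [None])[0]
    out = []
    if tgar == "0":
        out.append(f"{tn}: TGAR not assigned, trunk route access codes are dialable")
    elif tgar not in TARG_IN_USE:
        out.append(f"{tn}: TGAR {tgar} matches no route TARG, trunk routes not blocked")
    if role == "set":
        if "UNR" in cls:
            out.append(f"{tn}: CLS UNR, change to CTD so 0/1 cannot lead a trunk call")
        if "CFXA" in cls:
            out.append(f"{tn}: CFXA allows forwarding to external numbers, set CFXD")
    else:
        # trunks and voice-mail ports must never originate an exchange-network call
        if "SRE" not in cls:
            out.append(f"{tn}: {role} is not SRE")
        if ncos != "0":
            out.append(f"{tn}: {role} NCOS {ncos}, expected 0")
    return out


def audit_capture(text, role):
    """Split a multi-TN capture on its DES lines and audit each block, keyed by DES."""
    blocks, cur = [], []
    for line in text.splitlines():
        if line.startswith("DES ") and cur:
            blocks.append(cur)
            cur = []
        if cur or line.strip():
            cur.append(line)
    if cur:
        blocks.append(cur)
    return {(b[0].split() + ["?"])[1]: audit_tn("\n".join(b), role) for b in blocks}


# Constructed sample printouts, prompts as in an LD20 PRT TNB
SET_OK = """\
DES 5135
TN 004 0 14 00
TYPE 500
CUST 0
DN 5135 MARP
TGAR 1
NCOS 5
CLS CTD DTN FBD XFA WTA THFD FND HTD ONS
    LPR XRA CWD SWD MWA LPD XHD CCSD LNA TVD
    CFTD SFD C6D PDN CNID CLBD AUTU
    GPUD DPUD CFXD ARHD OVDD AGTD CLTD LDTA ASCD
FTR CFW 4
"""

VM_PORT_BAD = """\
DES VMAIL3
TN 008 0 02 03
TYPE 500
CUST 0
DN 7903
TGAR 0
NCOS 5
CLS UNR DTN FBD XFA WTA THFD FND HTD ONS
    CFXA SFD C6D PDN
"""

if __name__ == "__main__":
    for des, findings in audit_capture(SET_OK + VM_PORT_BAD, "set").items():
        print(des, findings or "clean")
    print("as voice-mail port:", audit_tn(VM_PORT_BAD, "vmport"))
```

Run it over the files you captured with the PC and communications program; the
role argument is yours to supply, since the printout does not say whether a
500-type TN is a phone or a voice-mail port.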


Quick Tour of a Simple Meridian 1 BARS Call
-------------------------------------------
Basic Automatic Route Selection. If you dial "9", you are accessing BARS.
"9" is the "BARS Access Code"

1. A telephone dials "9" - BARS activates.
2. The telephone calls a number - Example: 1-312-XXX-XXXX
3. The PBX holds the digits while it looks up "1-312" to figure out what
Route List to use for processing the call.
4. The Route List determines the possible trunk routes that can be used.
5. The Route List checks the facility restriction level of the telephone
and compares it to its own required facility restriction level.
6. The Route List checks to see if any special digit manipulation should
be performed.

LD90 NET
--------
The LD90 Network overlay is where area codes and exchanges are defined. If a
prefix is not entered into LD90, it cannot be dialed through BARS. Each area
code or exchange refers to a "Route List" or RLI which contains the
instructions for routing the call.

>ld 90
ESN000

REQ prt
CUST 0
FEAT net
TRAN ac1
TYPE npa

NPA 1312

NPA 1312 <-- This is the network number (prefix)
RLI 11 <-- This is the Route List that the prefix gets instruction from
DENY 976 <-- This is an exchange in NPA 312 that is blocked

SDRR DENY CODES = 1
DMI 0
ITEI NONE

REQ end


LD86 RLB (or RLI)
-----------------
The RLB is a "list" of possible trunk routes that an area code or exchange
can be dialed over. Each "ENTR" or list entry contains a trunk route. Each
entry also has a "minimum Facility Restriction Level" or "FRL" that must be
met before a phone can access that entry. In the following example, the first
entry can be accessed by phones whose NCOS equals an FRL of 3 or above. The
second entry can only be accessed by phones whose NCOS equals an FRL of 6 or
above. Along with the trunk route and the FRL, you can apply specific "digit
manipulation" with the DMI entry. The DMI entries are explained here.

>ld 86
ESN000

REQ prt
CUST 0
FEAT rlb
RLI 11

RLI 11
ENTR 0 <-- This is the list's first "Entry Number"
LTER NO
ROUT 15 <-- This is the first choice Trunk Route Number
TOD 0 ON 1 ON 2 ON 3 ON
4 ON 5 ON 6 ON 7 ON
CNV NO
EXP NO
FRL 3 <-- This is the Facility Restriction Level
DMI 10 <-- This is the Digit Manipulation Index Number
FCI 0
FSNI 0
OHQ YES
CBQ YES

ENTR 1 <-- This is the list's second "Entry Number"
LTER NO
ROUT 9 <-- This is the second choice Trunk Route Number
TOD 0 ON 1 ON 2 ON 3 ON
4 ON 5 ON 6 ON 7 ON
CNV NO
EXP YES <-- This is considered the "expensive" choice
FRL 6 <-- Note that the Facility Restriction Level is higher
DMI 0 <-- Note no digit manipulation is required for this trunk
route
FCI 0
FSNI 0
OHQ YES
CBQ YES

ISET 2
MFRL 3

REQ end


LD87 NCTL
---------
The FRL to NCOS "relationship" is built in the NCTL data block. The FRL and
the NCOS do not necessarily have to equal one another, however they usually
do. A higher FRL/NCOS has more capability than a lower FRL/NCOS. For an NCOS
number to have any capability, it must first be defined in the NCTL data
block.

>ld 87
ESN000

REQ prt
CUST 0
FEAT nctl
NRNG 0 7 <-- Range from NCOS 0 through 7 was requested

SOHQ NO
SCBQ YES
CBTL 10
---------------
NCOS 0

EQA NO
FRL 0
RWTA NO
NSC NO
OHQ NO
CBQ NO
MPRI 0
PROM 0
---------------
NCOS 1

EQA NO
FRL 1
RWTA NO
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT I
RADT 0
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 2

EQA NO
FRL 0
RWTA NO
NSC NO
OHQ NO
CBQ NO
MPRI 0
PROM 0
---------------
NCOS 3

EQA NO
FRL 3 <-- NCOS 3 equals FRL 3.
RWTA YES
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT I
RADT 10
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 4

EQA NO
FRL 4
RWTA YES
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT A
RADT 10
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 5

EQA NO
FRL 5
RWTA NO
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT A
RADT 10
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 6

EQA NO
FRL 6 <-- NCOS 6 equals FRL 6.
RWTA NO
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT A
RADT 0
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 7

EQA NO
FRL 7
RWTA NO
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT A
RADT 0
SPRI 0
MPRI 0
PROM 0

TOHQ NONE


LD86 Digit Manipulation
-----------------------
The Digit Manipulation data blocks are where special prefixes are entered
before numbers are sent out over trunks. An example of digit manipulation is
where a 1010XXX carrier access code must be inserted before a number is
processed over a trunk.

REQ prt
CUST 0
FEAT dgt
DMI 10

DMI 10 <-- This is simply the index number.
DEL 1 <-- This says "delete the first digit after "9"
CTYP NCHG

REQ prt
CUST 0
FEAT dgt
DMI 3

DMI 3
DEL 0 <-- This says "delete nothing after 9"
INST 101288 <-- This says "Insert 101288 after 9 and before the actual number
dialed"
CTYP NCHG

REQ end
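
The BARS walk-through, the LD90 NET, LD86 RLB and LD87 NCTL printouts and the
DMI tables above describe one lookup chain. As an added example that is not
part of the original article, the Python below models that chain with tables
built from the printouts on this page (NPA 1312 to RLI 11 with DENY 976, the
two entries of RLI 11, the NCOS-to-FRL map in which NCOS 2 maps to FRL 0, DMI 10
and DMI 3) plus the SPN entries the NET review item recommends (000-009 on an
LTER YES list, "0" and "011" behind a high FRL, 02-09 behind a lower one). RLI
numbers 12, 20, 21 and 99, NPA 1414 and treating every TOD as ON are
assumptions. It goes one step beyond the text in that a single function
answers, for any dialed string and NCOS, whether the call is blocked and at
which stage, or which route carries it and what digits are outpulsed.

```python
"""Model of one Meridian 1 BARS call: AC1 -> LD90 NET -> LD86 RLB -> FRL -> DMI.

Added example, not part of the original article. Tables come from the
printouts on this page plus the SPN entries the NET review item recommends;
RLI 12, 20, 21, 99 and NPA 1414 are assumed, and every TOD is taken as ON."""
from dataclasses import dataclass, field


@dataclass
class Entry:                 # one ENTR of an LD86 route list block
    rout: int                # trunk route number
    frl: int                 # minimum facility restriction level
    dmi: int = 0             # digit manipulation index, 0 = none


@dataclass
class RouteList:             # one RLI
    entries: list = field(default_factory=list)
    lter: bool = False       # LTER YES: terminates locally, never reaches a trunk


@dataclass
class Dmi:                   # one LD86 DGT table
    delete: int = 0          # DEL: leading digits removed after the access code
    insert: str = ""         # INST: digits prefixed to what is left


AC1 = "9"
NET = {                                               # prefix -> (RLI, SDRR DENY exchanges)
    "1312": (11, {"976"}),                            # the LD90 printout above
    "1414": (12, set()),                              # assumed NPA, sent via a 1010288 carrier
    "0": (20, set()), "011": (20, set()),             # operator / international: high FRL
    **{"0" + d: (21, set()) for d in "23456789"},     # 0+NPA credit card calls: lower FRL
    **{"00" + d: (99, set()) for d in "0123456789"},  # 000-009 -> LTER YES, blocks "ext 9000"
}
RLI = {
    11: RouteList([Entry(15, 3, 10), Entry(9, 6, 0)]),  # the LD86 RLB printout above
    12: RouteList([Entry(9, 3, 3)]),
    20: RouteList([Entry(15, 7, 0)]),
    21: RouteList([Entry(15, 3, 0)]),
    99: RouteList([], lter=True),
}
NCTL = {0: 0, 1: 1, 2: 0, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}  # NCOS -> FRL, LD87 printout above
DMI = {0: Dmi(), 10: Dmi(delete=1), 3: Dmi(insert="101288")}


def route_call(dialed, ncos):
    """Return (outcome, route, outpulsed digits); route and digits are None when blocked."""
    num = "".join(ch for ch in dialed if ch.isdigit())
    if not num.startswith(AC1):
        return ("not a BARS call", None, None)
    num = num[len(AC1):]
    for n in range(len(num), 0, -1):                  # longest prefix wins, as in LD90
        if num[:n] in NET:
            prefix, (rli_no, deny) = num[:n], NET[num[:n]]
            break
    else:
        return ("blocked: prefix not in LD90 NET", None, None)
    if any(num[len(prefix):].startswith(x) for x in deny):
        return (f"blocked: SDRR DENY in NPA {prefix}", None, None)
    rl = RLI[rli_no]
    if rl.lter:
        return (f"blocked: RLI {rli_no} is LTER YES", None, None)
    if not rl.entries:
        return (f"blocked: RLI {rli_no} has no entries", None, None)
    frl = NCTL.get(ncos, 0)                           # an NCOS missing from NCTL acts as FRL 0
    for e in rl.entries:                              # first entry the set's FRL qualifies for
        if frl >= e.frl:
            d = DMI[e.dmi]
            return ("routed", e.rout, d.insert + num[d.delete:])
    need = min(e.frl for e in rl.entries)
    return (f"blocked: FRL {frl} below minimum {need}", None, None)


if __name__ == "__main__":
    for dialed, ncos in [("9 1 312 555 1212", 5), ("9 1 312 555 1212", 2),
                         ("9 1 312 976 1234", 7), ("9000", 7), ("90", 5),
                         ("9 0 414 555 1212", 5), ("9 1 414 555 1212", 4)]:
        print(f"{dialed:<18} NCOS {ncos}: {route_call(dialed, ncos)}")
```

The NCOS 2 case is the one the NCTL review item warns about: the printout
assigns it FRL 0, so a set on NCOS 2 cannot reach either entry of RLI 11 even
though a higher NCOS number looks more capable.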


Telephone
---------
This is simply a telephone's data block

DES 5135
TN 004 0 14 00
TYPE 500
CDEN 4D
CUST 0
DN 5135 MARP
CPND
NAME Typical User
XPLN 9
DISPLAY_FMT FIRST,LAST
AST NO
IAPG 0
HUNT
TGAR 1
LDN NO
NCOS 5 <-- What FRL does this equal?
SGRP 0
RNPG 0
LNRS 16
XLST
SCI 0
CLS CTD DTN FBD XFA WTA THFD FND HTD ONS
LPR XRA CWD SWD MWA LPD XHD CCSD LNA TVD
CFTD SFD C6D PDN CNID CLBD AUTU
ICDD CDMD EHTD MCTD
GPUD DPUD CFXD ARHD OVDD AGTD CLTD LDTA ASCD
MBXD CPFA CPTA DDGA NAMA
SHL ABDD CFHD
USRD BNRD OCBD
RCO 0
PLEV 02
FTR CFW 4
DATE 28 NOV 1978


LD86 ESN - the Start of BARS
----------------------------

The ESN data block is the root of BARS. Before BARS can be set up, the ESN
data block must be defined.

>ld 86
ESN000

REQ prt
CUST 0
FEAT esn

MXLC 0
MXSD 30
MXIX 0
MXDM 100
MXRL 80
MXFC 60
MXFS 0
MXSC 120
NCDP 4
AC1 9 <-- This is where "9" is defined
AC2
DLTN YES
ERWT YES
ERDT 0
TODS 0 00 00 23 59 <-- This section refers only to time of day
routing controls
RTCL DIS
NCOS 0 - 0 <-- This section refers only to time of day routing
controls
NCOS 1 - 1
NCOS 2 - 2
NCOS 3 - 3
NCOS 4 - 4
NCOS 5 - 5
NCOS 6 - 6
NCOS 7 - 7
<continued to 99...>
NCOS 99 - 99
ETOD
TGAR NO

REQ end


ISLUA 99 Session BA 20
Capturing Data From Your Meridian 1
to Various PC Software Packages
Curt Kempf City of Columbia, Missouri
Thanks for attending the workshop
I hope you find this information helpful
========================================

o ACD Daily Report

o Procomm Plus Script to
capture ACD reports to
disk. Format: MMDDYY.TXT

o TN PRT out of Host MCA card

o Procomm Script to CHG a TN
when it becomes IDLE

o Procomm Script to CHG/NEW
a list of DNs and their
NAMES (LD 95)

o Procomm Script to monitor
PBX for "DTA0021", "INI0",
"PWR01", then send an
alphanumeric page when
received.


ACD Daily Report
================
ACD 000 1999 03 29 17:00
DAILY TOTALS REPORT


REPT 1
ACD AVG CALLS AVG AVG AVG AVG DN AVG #-XFER AVG-TIME-POSN
DN AGTS ANSWD ASA DCP PCP WORK WAIT CALLS TIME IDN ACD BUSY MANNED
7380 324 54 125 388 514 127 118 69 0 28 22085 27246
------------------------------------------------------------------------------
1 324 54 125 388 514 127 118 69 0 28 22085 27246

REPT 2
ACD CALLS RECALL ANSWERED ABANDONED TOF TOF OVER INTER
DN ACCPTED TO LONGEST NO. AVG.WT TSF IN OUT FLOW FLOW
SOURCE WT. TIME BUSY
7380 366 0 476 43 88 80 0 0 8 0
------------------------------------------------------------------------------
1 366 0 476 43 88 80 0 0 8 0

REPT 4
POS CALLS AVG AVG AVG DN INC DN OUT #-XFER BUSY MANNED
ID ANSWD DCP PCP WAIT INC TIME OUT TIME IDN ACD TIME TIME

ACD DN 7380
301 81 136 115 142 3 66 12 352 0 9 20716 32208
303 57 91 261 139 4 478 15 652 0 4 20788 28702
309 49 90 2 182 0 0 1 100 0 7 4550 13466
304 87 128 127 108 1 60 12 564 0 6 22662 32088
305 39 185 108 73 0 0 2 96 0 1 11464 14302
308 0 ***** ***** ***** 15 1770 20 1464 0 0 32256 32400
306 0 ***** ***** ***** 9 2950 13 1660 0 0 32400 32400
312 11 145 2686 50 4 286 7 416 0 1 31848 32400
------------------------------------------------------------------------
8 324 125 388 127 36 93 82 88 0 28 2945 3633


Procomm Plus Script to capture ACD
reports to disk. Format: MMDDYY.TXT
====================================

; ProComm script by Chris Fourroux & Curt Kempf/City of Columbia - tested
; with ProComm Plus 32 95/NT, version 4. Script to capture ACD reports to
; disk with the format XXXXXX.txt, where XXXXXX is month day year. Script
; waits for "ACD DN 7380" to occur, which is on every hourly report, then
; closes and appends the newest statistics to MMDDYY.TXT file.

string cmd="ncopy c:\capture\"
string szFileName = $DATE
string szDate = $DATE
integer Pos = 0

proc main
dial data "Option 61"
set capture overwrite OFF ; if capture file exists, append data to it.
capture off ; close capture file if it is open
when TARGET 0 "ACD DN 7380" call CLOSECAP

Startloop:
clear ; clear contents of screen and scroll back buffer
szFileName = $DATE
szDate = $DATE
while 1
if nullstr szFileName ; Check to see if we've reached
exitwhile ; the end of source string
endif ; and if so, exit loop.
if strfind szFileName "/" Pos ; Check for char
strdelete szFileName Pos 1 ; and delete it
else
exitwhile ; exit if no more characters
endif
endwhile

strcat szFileName ".txt"
set capture file szFileName ; Set name of capture file.
capture on ; Open up the capture file.
while strcmp $DATE szDate ; Loop while date is the same
endwhile ; or if the date changes,
capture off ; Close the capture file.
goto Startloop ; and start a new one.
endproc

proc closecap
pause 3
strcat cmd szFileName ; Append to variable "CMD"
strcat cmd " h:\uab\" ; Append network drive to "CMD"
transmit "^M***********^M" ; Put in asterisks between hourly reports
capture off ; Close capture file
pause 5
DOS cmd HIDDEN i0 ; Run "CMD" in DOS and copy file to the LAN
pause 10
taskexit i0 ; Exit DOS window
pause 10
cmd="ncopy c:\capture\" ; Reset "CMD"
capture on ; Turn Capture back on.
Endproc


Procomm Screen of dialing up the host
MCA card(direct connect 9600 baud)
=====================================

ENTER NUMBER OR H (FOR HELP): 2206

CALLING 2206
RINGING
ANSWERED
CALL CONNECTED. SESSION STARTS
logi
PASS?
TTY #02 LOGGED IN 08:59 11/4/1999
>

TN PRT out of Host MCA card

DES 2206
TN 020 0 04 31 ;note TN is TN of voice set(20 0 4 15) +(plus) 16
TYPE 2616
CDEN 8D
CUST 0
AOM 0
FDN
TGAR 1
LDN NO
NCOS 2
SGRP 0
RNPG 0
SCI 0
SSU
XLST
SCPW
CLS CTD FBD WTD LPR MTD FND HTD ADD HFD
MWD AAD IMD XHD IRD NID OLD DTA DRG1
POD DSX VMD CMSD CCSD SWD LND CNDD
CFTD SFD DDV CNID CDCA
ICDD CDMD MCTD CLBD AUTU
GPUD DPUD DNDD CFXD ARHD FITD CLTD ASCD
CPFA CPTA ABDD CFHD FICD NAID
DDGA NAMA
USRD ULAD RTDD PGND OCBD FLXD FTTU
TOV 0 MINS
DTAO MCA
PSEL DMDM
HUNT
PSDS NO
TRAN ASYN
PAR SPACE
DTR OFF
DUP FULL
HOT OFF
AUT ON
BAUD 9600
DCD ON
PRM HOST ON
VLL OFF
MOD YES
INT OFF
CLK OFF
KBD ON
RTS ON
PLEV 02
AST
IAPG 0
AACS NO
ITNA NO
DGRP
DNDR 0
KEY 00 SCR 2206 0 MARP
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
DATE 30 DEC 1997

Very rarely, I cannot dial up the host MCA card. It simply won't answer, so
the following usually clears it up:

ITEM
ITEM OPE YES
DCD ON
PRM OFF

If that doesn't work, since 020 0 04 31 is "digital", it could be disabled.

LD 32 and ENLU it.

Procomm Script to CHG a TN when it becomes IDLE
===============================================

string TN ;TN
string TIPE ;TYPE, however word is reserved in ASPECT
string EYETEM ;ITEM, ditto above.
string szList ;List of items.
string szItem ;Item selected from list.
integer Event ;Dialog box event.
integer Num ;integer value
proc MAIN
set txpace 50 ;delay for keyboard
when TARGET 0 "IDLE" call CHGIT ;when receive IDLE, go change set.
;Input the TN, TYPE, and ITEM
sdlginput "LD 11, CHG when IDLE :-)" "Enter TN: " TN
if strcmp TN "" ; compare to see if NULL?
halt ;if enter is pressed, halt script.
else
endif

; Display dialog box with list of items.
; Pick if set is a 500, 2008, or 2616
szList = "2616,2008,500"
dialogbox 0 55 96 100 74 11 "LD 11, CHG when IDLE :-)"
listbox 1 5 5 90 40 szList single szItem
pushbutton 2 28 52 40 14 "&Exit" ok default
enddialog

while 1
dlgevent 0 Event ; Get the dialog event.
switch Event ; Evaluate the event.
case 0 ; No event occurred.
endcase
case 1
if strcmp szItem "2616"
tipe = "2616"
else
if strcmp szItem "2008"
tipe = "2008"
else
if strcmp szItem "500"
tipe = "500"
endif
endif
endif

endcase
default ; Exit case chosen.
exitwhile
endcase
endswitch
endwhile

dlgdestroy 0 CANCEL ; Destroy the dialog box.

sdlginput "LD 11, CHG when IDLE :-)" "ITEM: (IE: CLS HTA)" EYETEM
Transmit "LD 11^M" ;Go in to overlay 11
Waitfor "REQ"

for Num = 0 upto 100 ;Keep STAT'n til IDLE
Transmit "STAT "
Transmit TN
Transmit "^M"
pause 10 ; wait 10 seconds
endfor

endproc

PROC CHGIT

Transmit "CHG^M" ;Go change the set, then halt the script.

Waitfor "TYPE"
Transmit TIPE
pause 1 ;pause 1 second
Transmit "^M"

Waitfor "TN"
Transmit TN
Transmit "^M"

Waitfor "ECHG"
Transmit "YES^M"

Waitfor "ITEM"
Transmit EYETEM
Transmit "^M"
waitfor "ITEM"
transmit "^M"

Waitfor "REQ:"
Transmit "END^M"

halt
endproc


Procomm Script to CHG/NEW a list of DNs and their NAMES (LD 95)
===============================================================

integer flag=0 ;set flag

proc main
set txpace 100 ;delay for keyboard
when TARGET 1 "SCH2115" call LD95NEW ;wait for 'name does not exist' error
;open text file that has a list of
;DNs & NAMEs you want to change/add.
fopen 1 "C:\phone\chgnames.txt" READ
;chgnames.txt is in the format of
; 7354, Jane Doe
; 6745, John Smith
; 7645, Dan White
;script doesn't care if the NAME is NEW or CHG :-)
if failure
usermsg "could not open the file."
else
Transmit "LD 95^M" ;Go in to overlay 95
Waitfor "REQ"
Transmit "CHG^M"
Waitfor "TYPE"
Transmit "NAME^M"
Waitfor "CUST"
Transmit "0^M"
Waitfor "DIG"
Transmit "^M"
fseek 1 0 0
while 1
fgets 1 s0
if FEOF 1
exitwhile
endif
strtok s1 s0 "," 1
strtok s2 s0 "," 1
DelStr (&s1)
DelStr (&s2)
DelLineFeed (&s2)
;strfmt s4 "TN: %s" s1 ;uncomment these two for
;usermsg s4 ;troubleshooting the script
strlen s1 i0
if (i0 > 2)
LD95CHG ()
else
Transmit "****^M"
halt
endif
endwhile
endif
endproc

proc LD95CHG
Waitfor "DN"
Transmit s1
Transmit "^M"
pause 1

if FLAG==1
FLAG=0
Transmit "^M"
return
else
Transmit s2
Transmit "^M"
Waitfor "DISPLAY_FMT"
endif
endproc

proc LD95NEW
FLAG=1
Transmit "^M"
Transmit "**^M"
Waitfor "REQ"
Transmit "NEW^M"
Waitfor "TYPE"
Transmit "NAME^M"
Waitfor "CUST"
Transmit "0^M"
Waitfor "DIG"
Transmit "^M"
Waitfor "DN"
Transmit s1
Transmit "^M"
Waitfor "NAME"
Transmit s2
Transmit "^M"
Waitfor "DISPLAY_FMT"
Transmit "^M"
Waitfor "DN"
Transmit "^M"
Waitfor "REQ"
Transmit "CHG^M"
Waitfor "TYPE"
Transmit "NAME^M"
Waitfor "CUST"
Transmit "0^M"
Waitfor "DIG"
endproc

proc DelStr
param string szStr
integer Pos
while 1
if StrFind szStr "`"" Pos
StrDelete szStr Pos 1
else
exitwhile
endif
endwhile
endproc

PROC DelLineFeed
param string szStr
integer Pos
strlen szStr Pos
if (Pos > 2)
StrDelete szStr (Pos-1) 1
endif
endproc



You could very easily modify this script to say, change an ASCII list of TNs
/TYPEs to TGAR 1, and have it executed at 2:00 a.m. The s1 and s2 variables
would change from DN & NAME, to TN & TYPE, and add Waituntil "2:00:00" "7/16
/99" to kick it off at 2:00 a.m.

Procomm Script to monitor PBX for "DTA0021", "INI0", "PWR01", then send
an alphanumeric page when received.
=======================================================================

proc Main
#DEFINE pagernum "235.5334" ;Enter your pager number here.
string szName="OPT61.cap" ;Name of text file to capture to.
string passw
when TARGET 1 "DTA021" call DTA021 ;what do you want to 'wait for' ?
when TARGET 2 "INI0" call INI0
when TARGET 3 "PWR01" call PWR0

set capture file szName
capture on
set txpace 150 ;delay for keyboard
HANGUP
Dial DATA "MCA"
transmit "^M"
waitfor "HELP):"
transmit "2206^M"
waitfor "SESSION STARTS"
while $CARRIER
transmit "****"
pause 1
transmit "LOGI^M"
waitfor "PASS?"
sdlginput "Security" "Password: (all caps!)" passw MASKED
if stricmp passw "sss" ;to bypass logging in.
transmit "*"
call loggedin
endif
transmit passw
transmit "^M"
pause 2
endwhile
set txpace 1
endproc

proc DTA021
pageA() ;dial paging provider
TRANSMIT "Digital Trunk Diagnostic. Frame alignment persisted for 3 seconds^M" ;send specific x11 error to pager
pageB() ;end connection to provider
mcacard() ;connect back to Option 61
endproc

proc INI0
pageA()
TRANSMIT "An initialization has taken place.^M"
pageB()
mcacard()
endproc
proc PWR0
pageA()
TRANSMIT "Power failure from power and system monitor.^M"
pageB()
mcacard()
endproc

proc mcacard
HANGUP
PAUSE 2
Dial DATA "MCA" ;Connect up to option 61 through MCA card.
while $DIALING
endwhile
transmit "^M"
pause 1
transmit "^M"
waitfor "HELP):"
transmit "2206^M"
waitfor "SESSION STARTS"
pause 1
when RESUME
call loggedin
loggedin()
endproc

proc loggedin
while $CARRIER ;wait for errors to occur. Continue to do your MACs etc..
endwhile
endproc

proc pageA
when SUSPEND
set port dropdtr on
pause 1
hangup ;hangup Option 61 connection
pause 2
hangup ;release mca card from COM port
set port dropdtr off
pause 1
Dial DATA "TriStar" ;Dial your paging provider
while $DIALING
endwhile
TRANSMIT "^M" ;TAP (Telocator Alphanumeric Protocol); "M" at the ID= prompt selects manual mode.
WAITFOR "ID="
TRANSMIT "M^M"
WAITFOR "Enter pager"
TRANSMIT pagernum
TRANSMIT "^M"
WAITFOR "Enter alpha"
endproc

proc pageB
TRANSMIT "^M"
WAITFOR "More Pag"
TRANSMIT "^M"
pause 2
endproc
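The watch-and-page logic of that script, rewritten as an added Python example (this is not part of the original file and has nothing to do with Procomm); it runs offline over a capture file instead of a live COM port. The target prefixes and the pager texts are the ones the script uses; the sample capture lines and the 80-character page limit are constructed assumptions. It also adds the one thing the Procomm version lacks: suppression of repeated alerts for the same code, so a trunk that flaps all night does not page on every occurrence.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Message prefixes the Procomm script watches for, with the text it sends
# to the pager for each one (both taken from the script above).
ALERT_TARGETS: Dict[str, str] = {
    "DTA021": "Digital Trunk Diagnostic. Frame alignment persisted for 3 seconds",
    "INI0": "An initialization has taken place.",
    "PWR01": "Power failure from power and system monitor.",
}


@dataclass
class Alert:
    line_no: int   # 1-based line number in the capture file
    code: str      # which target prefix fired
    message: str   # text that would go to the pager
    raw: str       # the captured line itself, kept for the log


def match_target(line: str) -> Optional[str]:
    """Return the target found in the line, the way Procomm's `when TARGET`
    does a plain substring match. Longer prefixes are tried first so the
    most specific code wins if two ever overlap."""
    for code in sorted(ALERT_TARGETS, key=len, reverse=True):
        if code in line:
            return code
    return None


def scan_capture(text: str, suppress_repeats: bool = False) -> List[Alert]:
    """Walk a capture file line by line and build one Alert per hit.
    With suppress_repeats=True a run of consecutive identical codes yields
    a single alert (the Procomm script pages on every occurrence)."""
    alerts: List[Alert] = []
    last_code: Optional[str] = None
    for n, line in enumerate(text.splitlines(), start=1):
        code = match_target(line)
        if code is None:
            last_code = None          # any other output ends the run
            continue
        if suppress_repeats and code == last_code:
            continue
        alerts.append(Alert(n, code, ALERT_TARGETS[code], line.rstrip()))
        last_code = code
    return alerts


def page_text(alert: Alert, limit: int = 80) -> str:
    """Format the alphanumeric page. Pager messages are short, so the text
    is cut at `limit` characters (80 is an assumed provider limit)."""
    return f"{alert.code}: {alert.message}"[:limit]


# Constructed sample of maintenance-terminal output; not a real Meridian capture.
SAMPLE_CAPTURE = """\
OVL000
>LD 96
DTA021 12 0
DTA021 12 0
OVL000
INI000 0
OVL111 00 IDLE
PWR0100
"""

if __name__ == "__main__":
    for a in scan_capture(SAMPLE_CAPTURE, suppress_repeats=True):
        print(f"line {a.line_no}: {page_text(a)}")
```

Feed it the file named in `set capture file` and the alerts come out in capture order; the `raw` field keeps the original line so the page can be correlated with the capture afterwards.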


Little Known Meridian 1 Features And Programming Tricks
=======================================================
HELP and Error Lookup

HELP - Type " ? " at many prompts.
LOOKUP - At the " > " prompt, type ERR AUD028 to find out what AUD028
indicates. At any other prompt, type " ! " and you will receive the " > "
prompt for ERR lookup.

Find Sets with a Certain Feature
================================
LD81
REQ LST
FEAT CFXA
FEAT UNR

Lists all sets that have the "Call Forward External Allow"
feature, then lists all UNR sets.

Inventory and Identification Commands
=====================================
LD32
IDU l s c u (or) IDC l s c
LD22
CINV (and) ISSP
LD30
UNTT l s c u

Speed Call Stuff
================
Create many Speed Call lists at once: LD18 REQ: NEW 100 creates 100 lists.
When memory is plentiful, make the Speed Call list number the same as the
person's DN; you will need to increase MSCL in LD17. Find a "Controller" in
LD81 by REQ: LST, FEAT: SCC, then the Speed List Number.

Allow Restricted Sets to Dial Certain Long Distance Numbers.
============================================================
Add the numbers to a System Speed Call List. Assign an NCOS to the "List"
that replaces the user's NCOS during the call. Alternate: add the suffix of
the telephone number to an ARRN list in the prefix's RLI. This will point
only that number to a new RLI with a lower (or higher, if you choose) FRL.
Look up ARRN in LD86.

PBX Clock Fast or Slow?
=======================
LD2
SDTA X Y -- x y
X = 0 for "subtract time each day" -or- 1 for "add time each day"
Y = 0-60 seconds to be added or subtracted each day.
Daylight Savings Question?
TDST Look this one up in LD2 before changing

Phantom DNs, TNs, and "MARP to Voice Mail" TNs
==============================================
Phantom TN with FTR DCFW
ACD Queues with NCFW but no Agents
2616 Sets with AOMs (AOMs can be in "software", but do not need to be
"installed" on the set).
This is an excellent "MARP TN" for DNs that need to HUNT/FDN to Voice
Mail.

Digit Display on Trunk Routes and ACD Queues
============================================
Trunk Route Access Codes - name in LD95 like any other DN
ACD Numbers - name in LD95 like any other DN
IDC Numbers - name in LD95 at the DCNO prompt

Limited Access Passwords
========================
Print PWD in LD22 before starting
LD17
LAPW 01
PW01 12345
OVLA 10 11 20
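An added example (not from the original file): a small Python audit of LAPW entries in the layout shown above. It flags weak password values (the 12345 in the example would be caught) and limited-access passwords whose OVLA list includes LD17 or LD22, which this section itself uses to set and print passwords, so a "limited" password that reaches them is not limited at all. The printout format, the 8-character minimum and the sample block are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class LapwEntry:
    number: str                                   # LAPW index, e.g. "01"
    password: str = ""                            # PWnn value
    overlays: List[int] = field(default_factory=list)  # OVLA list


def parse_lapw_block(text: str) -> List[LapwEntry]:
    """Parse LAPW / PWnn / OVLA lines in the layout the section above shows.
    Other prompts are ignored. The layout is assumed from that example,
    not taken from vendor documentation."""
    entries: List[LapwEntry] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        key, values = parts[0].upper(), parts[1:]
        if key == "LAPW" and values:
            entries.append(LapwEntry(number=values[0]))
        elif key.startswith("PW") and key[2:].isdigit() and entries and values:
            entries[-1].password = values[0]
        elif key == "OVLA" and entries:
            entries[-1].overlays = [int(v) for v in values if v.isdigit()]
    return entries


def is_sequential(s: str) -> bool:
    """True for runs such as 12345 or 54321 (digits or letters)."""
    if len(s) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def audit_password(pw: str, min_len: int = 8) -> List[str]:
    """Return a list of problems with one password value (empty if fine)."""
    issues: List[str] = []
    if len(pw) < min_len:
        issues.append(f"shorter than {min_len} characters")
    if pw.isdigit():
        issues.append("digits only")
    if is_sequential(pw):
        issues.append("sequential characters")
    if len(set(pw)) == 1:
        issues.append("single repeated character")
    return issues


def audit_lapw(text: str, restricted_overlays=(17, 22)) -> List[str]:
    """One finding string per problem found in an LD17 LAPW printout.
    LD17 holds the LAPW entries and LD22 prints PWD (both per the section
    above), so an LAPW that can run them can read or change passwords."""
    findings: List[str] = []
    for e in parse_lapw_block(text):
        for issue in audit_password(e.password):
            findings.append(f"LAPW {e.number}: password {issue}")
        granted = sorted(set(e.overlays) & set(restricted_overlays))
        if granted:
            findings.append(f"LAPW {e.number}: grants overlay(s) {granted}, "
                            "which can print or change passwords")
    return findings


# Constructed sample printout; the second entry is deliberately over-privileged.
SAMPLE_LD17 = """\
LAPW 01
PW01 12345
OVLA 10 11 20
LAPW 02
PW02 Q7m3xLp2
OVLA 10 11 17
"""

if __name__ == "__main__":
    for f in audit_lapw(SAMPLE_LD17):
        print(f)
```

Run it against the capture of "Print PWD in LD22" that the section tells you to take first; the output is a list of entries to change before handing the limited passwords out.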

Identify Trunks, Routes and TTY Ports with "DES" Entry
======================================================
LD17 ADAN
DES can be 1-16 characters
LD16 RDB
DES can be 1-16 characters
LD14 TRK
DES can be 1-16 characters
TKID - enter telephone number

Free Up or Block DN Range
=========================
Change your SPRE Code to 4 digits: LD15 - SPRE XXXX
Assign all current feature codes as Flexible Feature Codes.
To hide DNs from appearing in LUDN printouts, enter DN prefix ranges as an FFC
for "Ring Again Activate".

Save "Call Forward" Status upon Reload/Sysload
==============================================
LD17
CFWS YES

Call Waiting "Buzz" on Digital Sets is Not Long Enough
======================================================
Turn on Flexible Incoming Tones Allowed
LD15
OPT SBA DBA
LD 11
CLS FITA

"DSP" Display Key Applications
==============================
You're on the phone and another call comes in... Press DSP, then the ringing
line, to see who's calling. Press DSP, then Speed Call, then the entry number
to view entries. Rls23 Update - automatic Display CLS TDD

NHC - No Hold Conference
========================
With NHC, the other party is not placed on hold while adding conferees. You
can also disconnect a conferee called with NHC.
LD11
KEY X NHC
Rls23 Update - Conf. Display/Disconnect
LD11
CLS CDCA

Call Forward Indication on 2500 Sets
====================================
Add Call Forward Reminder Tone. Special dial tone is heard only when call
forwarded.
LD15
OPT CFRA

Override Call Forwarded Phone
=============================
Add Flexible Feature Code for "CFHO". Dial CFHO code, then dial extension.
LD57
CODE CFHO
On sets needing ability to perform override
CLS CFHA

Call Forward ONLY Internal Calls - Let Externals Ring
=====================================================
Great when you need to prioritize external callers.
LD11
KEY X ICF 4 ZZZZ

"Delayed" Ring on Multiple Appearance DNs
=========================================
Non-ringing (SCN) keys will ring after a certain duration. Great for areas
where many of the same DNs appear.
LD11
DNDR X
(X = 0-120 seconds of delay before SCN keys will start to ring)

Audible Reminder of Held Calls
==============================
Receive "buzz tone" every X seconds to remind user that call is on hold. Also
reminds user that Conference/Transfer was mishandled - call was never
transferred
LD15
DBRC X (X = 2-120 seconds between reminders)
LD11, CLS ARHA

Which Call "On Hold" is Mine
============================
Exclusive Hold makes held calls "wink" at the holding set, but stay "steady"
at other sets.
LD10/11
CLS XHA

Change Ring Cadence/Tone
========================
There are 4 ring styles, adjusted in the CLS of the digital set.
LD11
CLS: DRG1 -or- DRG2 -or- DRG3 -or- DRG4
Set pesky customer phones to DRG4 !

BFS - Nightmare in Shining Armor ?
==================================
BFS Keys allow the user to monitor the Call Forward and busy status of a set,
activate and deactivate Call Forward, and can be used as an Autodial key.
NOTE: Cannot perform MOV command with BFS. User can also forward sets by
accident.
LD11
Key XX BFS l s c u (target sets TN)

More Than 4 DNs Answered by One Mailbox?
========================================
Add up to 3 DNs to DN list in mailbox programming. Add 4th and all additional
DNs in "Voice Service DN" (VSID) Table and set to "EM" to the mailbox.

1 Single Line Telephone, 3 DNs, 3 Users, 3 Mailboxes? How?
=========================================================
Create one 2500 set with one of the three DNs. Create 2 Phantom TNs, each one
with a new DN, and DCFW each of them to the 2500 set's DN (from above). Add the
three mailboxes... now any of the three numbers will ring the one set, but
messages will be separated!

Change An NCOS After Hours
==========================
Here's an excerpt from the LD86 ESN data block that has NCOS 3 & 4 change to
NCOS 2 after 4:30PM and all day on weekends.

<snip>

AC1 9
AC2
DLTN YES
ERWT YES
ERDT 0
TODS 0 06 00 16 29
7 00 00 05 59
7 16 30 23 59
RTCL YES
NCOS 0 - 0
NCOS 1 - 1
NCOS 2 - 2
NCOS 3 - 2
NCOS 4 - 2
NCOS 5 - 5

<snip>

Oops..the Console Went Into NITE...During the DAY!
==================================================
Use NITE entries that are based on "Time of Day"; see Night Service in the
Features Book. If the console goes into NITE during the day, send callers to
either a set of DNs next to the console, or a voice menu/thru-dialer
explaining that there are "technical difficulties". After hours, NITE calls
go where they should.

Just Two Security Tricks
========================
Create SPNs in BARS of 000 thru 009 and create a Route List Block for them
with LTER=YES. Now when phreakers ask for extn 9000, they get nobody. Use the
FLEN entry on SPNs 0, 00, 011 so that nobody can transfer a caller to 9011,
90, etc.

Break Into Meridian Mailbox?
============================
Simply make the mailbox "Auto-logon". For remote access, add their DN to your
set. Convenient if you need to access an employee's mailbox without changing
their password. Useful for modifying the greetings of an absent employee or
allowing a temporary employee access to a mailbox without divulging the
regular employee's password.

Tracing Phone Calls
===================
TRAC 0 XXXX (X=extension)
TRAC l s c u
TRAC l s c u DEV (Adds BARS info)
TRAT 0 X (X=Console number)
TRAD (see book, traces T1 channels)
ENTC (see book, traces TN continuously - up to 3 TNs at a time ! )

Forgot your M3000 Directory Password?
=====================================
LD32
CPWD l s c u

Another Idea
============
Use a PC to log into your PBX, then activate the "capture file". Now run a
TNB and keep it as a file rather than on paper. If your TNB file is large,
try a high-power text editor, which can open even 20meg files in seconds
(search the Internet for "Text Editor"). Keep copies so you can go back and
see how a set was programmed when you OUT it (delete it) by mistake.

*/

Using the above information you could successfully do the following:

a) Set up your own trunk configurations that allow outgoing calls.
b) Reset lines and trunks, reconfigure lines and trunks.
c) Set an internal extension(s) to share the same multiplexed trunk as you
so you can effectively listen in on any incoming/outgoing phone call
made on that extension.
d) Set up calls that don't exist with no trunk assignment.
e) Set any user's voicemail box with auto-logon parameters temporarily.
f) Close down the entire network.
g) Set every phone in the company to ring forever...
h) Re-route incoming/outgoing trunk calls to any destination.
i) Park your own incoming line as "on console" so you can answer calls made
to a pre-set extension.
j) Make yourself the company operator.
k) Trace phone calls, audit logs etc.
l) Set all trunks to loopback on one another.
m) Anything you want?

That's just a few ideas. But before you do ANYTHING, you should be aware that
anything you do could have a devastating impact on the company's phone switch.
For example, say you accidentally commanded the system to shut down.. You would
effectively be killing 6000+ people's phone lines, which would yield colossal
financial burden/loss onto the company. Generally I'm just saying, be nice..
Just because you have the power to do such things, it doesn't mean you have to
do it. :)

A final note: In the aftermath of obtaining access to a Meridian switch, it is
generally advisable to erase all trace of you ever being on there. This can
be achieved by resetting trunk audit logs, and erasing any log of your incoming
trunk setups. Therefore, if the real admin decided to track what was going on
he/she would get nowhere because the lines you used to initially call into
the system DO NOT EXIST. It's just a case of using your imagination. Don't be
destructive, don't alter anything that would be noticed, generally don't be
a f00l.. That's the end of this file, I hope you enjoyed it. Take it easy.

Shouts to D4RKCYDE, NOU!, b4b0, 9x, subz, pbxphreak, lusta, gr1p, LINEMANPUNX.


. .. ... .......... BL4CKM1LK teleph0nics .......... ... .. .
. .. ... .......... http://hybrid.dtmf.org ......... ... .. .















