💾 Archived View for gemini.spam.works › mirrors › textfiles › phreak › VOICEMAIL › vmbhaq.txt captured on 2022-06-12 at 17:52:47.
-=-=-=-=-=-=-
Stripped Ink
Issue 4, Volume 1
Presents
*********************************
* *
* Voice Mail Hacking *
* *
* By: ROADKILL *
* *
* March/April 1994 *
* *
*********************************
Contents:
I. Introduction
II. Voice Mail Hacking Basics
III. AUDIX
IV. Message Center
V. Infostar VX Voice Processing System
VI. Meridian Mail
VII. ASPEN
VIII. Phone Mail
IX. Ready
X. Sydney
XI. Pac-Tel Meridian
XII. System Manager Functions (TaKiNG C0NTR0L!)
A. System Management Overview
B. Message Center Administration
C. Infostar VX Administration
XIII. Hacking Unknown Systems
XIV. Advanced VMB Hacking
XV. Conclusion
_________________________________________________________________
Introduction:
OK, so you want to know how to hack VMB's. In case you
don't know already, VMB is an acronym for Voice Mail Box. A VMB
is basically a sophisticated answering machine run by computer.
The computer is usually an IBM compatible with a large hard
drive, and the necessary voice mail equipment. Some systems such
as ROLM's Phone Mail store their data on magnetic tape, and the
ASPEN, made by Octel, uses a modified Quantum hard drive. A
typical voice mail system can have hundreds, sometimes thousands
of voice mail boxes available. Most companies now use voice mail.
A voice mail system can be of great convenience to a company. It
can reduce the number of calls to a receptionist, therefore
providing her/him with more time for other tasks. It also aids an
employee by being able to record messages while he/she is out of
the office or on another line. Some voice mail systems can even
page a person when they receive a message, and most voice mail
systems allow you to transfer messages to another user and other
cool functions.
"What the hell can I use a VMB for?" you ask? Well they
are handy to have to trade with, or if your K-RaD enough, you
could run an 3l33t code line (k0DeZ!). However, most people use
them as an easy way to keep in touch with people. What I'm going
to describe in this file is how to get a box on a system, and
some other stuff I hope you find interesting. Well, enough of
this; let's learn how to hack some VMB's!
_________________________________________________________________
Voice Mail Hacking Basics:
To hack VMB's, it's necessary to be able to know the
following things:
What kind of system it is,
Some of the common defaults,
How to transfer to the box itself,
How to login to the box,
The number of digits the boxes are,
The range of the boxes (ex.2200 to 9999),
How to access the names directory...
If you know what kind of system you're trying to get a
box on, it will be easier for you because you'll know how to
exploit the weaknesses of a system. Read the individual system
descriptions that are in this file.
OK, as usual, people are often lazy and use a passcode
that is easy to remember. The following is a list of the most
common passcodes that people use:
Box Number (ie. Box number:2225, Passcode:2225)
1234 12345 123456
0000 00000 000000
1111 11111 111111
2222 22222 222222
3333 33333 333333
4444 44444 444444
5555 55555 555555
6666 66666 666666
7777 77777 777777
8888 88888 888888
9999 99999 999999
Some systems have a default that is unique to that
system. I'll cover these in the system descriptions below.
Finding out how to transfer to the box should be pretty
easy, the reason for this should be obvious. Finding out how to
login to the box can sometimes be a little more difficult, but it
shouldn't be that hard.
Determining the number of digits and the range of the
boxes is essential; you need to know this in order to find out
where the boxes are.
It is not necessary to use the names directory. However, it
sure does make finding empty boxes, the number of digits in the
box number, and the range a lot easier.
_________________________________________________________________
AUDIX
AUDIX (AUDio Information eXchange) is a voice mail system
made by AT&T. It is easily identified by the command voice:
"Entry not understood, please try again after the tone. [BEEP!]"
You'll hear this message after you enter an invalid key or
option. You can usually snag a box off an AUDIX system without
much difficulty. First, press "*"+"T" (to transfer). Try this
when you get the main greeting. It should say enter the X
(number) digit extension. Remember the number of digits the
extensions are. Now press "*"+"*"+"N" (for the names directory).
Now, try a couple of common names to get an idea of the range of
the boxes. After you got an idea of the range press "*"+"A" (to
look up by extension). Now, just start scanning for boxes. Do
this by entering the box number plus "#". You should get
one of following responses:
1. The name of the box owner.
2. Extension XXXX, Not Valid.
3. Extension XXXX (This is what we're looking for).
OK, keep track of all the extensions that give you
response number three. After you're done scanning, press "*"+"#"
to exit the directory. Now enter "*"+"R" (to login). Enter the
number of one of the boxes you found while scanning, then press
"#". You'll now be prompted for a password. The default password
for AUDIX is the "#" sign (ie. Bx.1234, Pw.#). If you can't login
using the "#" sign try the defaults listed above.
Once you get into a box, if no one has used it before, it
will give you a brief tutorial, and help you set the box up.
DO NOT record a name for the box. Just leave silence. You don't
want some one going through the directory and hearing: "For [your
name] press 2222". So, just record silence. Sometimes you'll find
an empty box that won't have the tutorial. These are cool to use
too (as long as they are empty). Remember, anytime you need help
on an AUDIX, press "*"+"H".
AUDIX Commands:
*R - login
*H - help
*T - transfer to extension
**N - names directory (*A to look up by extension)
1 - send message to another user
2 - get messages
3 - personal greetings
4 - check outgoing messages
5 - personal options(see below)
6 - outcalling information(see below)
7 - autoscan incoming messages
Personal Options:
1 - mailing lists
2 - personal directory
4 - password
5 - record mailbox name
Outcalling Information:
AUDIX can be set up to notify you when you receive an
incoming message. From the outcalling menu, you enter the
number that it will contact you at. It can also be used to
call a pager. When you receive a message AUDIX will call you and
say: "This is AUDIX". "[mailbox name], please enter your
password." This is a neat feature, but I don't recommend that you
use it, for obvious reasons.
_________________________________________________________________
Message Center
Message Center is another system that is widely used with
companies today. A good way to tell if you've found a Message
Center is to press "*" or "* + *" at the system greeting. If it's
a Message Center it will say "Welcome to the Message Center". OK,
find the range of the boxes by checking out the directory. If you
come across an entry that just lists the box number, take note of
it, it's probably a vacant box. Now, transfer to the box. While
the greeting is playing press "*". One of two things will happen:
1. You'll be prompted for the passcode
2. You'll be let into the box
There is no real default for the Message Center. If a box
hasn't been assigned a passcode, pressing "*" during the greeting
will let you into the mailbox. If it asks for a passcode you can
try the regular defaults. You can also press "*" at the passcode
prompt to transfer another extension.
The Message Center uses a couple of tricks to discourage
hacking. This can also be of use to us. The first trick is: When
entering the passcode, it will stop you when you enter one digit
more than the length of the passcode. The corollary is, that the
passcode length is one digit less than the length of the passcode
you entered before you were stopped. The second trick is: If your
first passcode guess is wrong, but the second is correct, it will
still give you an error. If you enter the correct passcode the
third time it will let you in the mailbox. However, both the
second and the third entry must have the correct passcode entry.
Two more things, if your scanning through the directory,
and happen to come across a box with the name System Manager or
System Administrator, remember this; this is the System Manager
mailbox. See the section on System Manager functions below. Also
the Message Center will tell a mailbox subscriber when a
suspicious amount of invalid passcodes have been entered.
Message Center Commands:
M(6) - Send a message to another user
P(7) - Play messages
U(8) - User options
X(9) - Exit system
User Options Menu:
N(6) - Change mailbox name
P(7) - Change passcode
L(5) - Distribution list
T(8) - Tutorial (not always implemented)
X(9) - Exit user options
_________________________________________________________________
Infostar VX Voice Processing System
The Infostar VX is another common system. To login to a
mailbox you press the "#" sign at the main greeting. You are then
prompted to enter your mailbox number, then your password. To
transfer to a box press "*" then the box number. The Infostar VX
has no set default. When a mailbox is created it assigns a random
passcode for the box. The system manager usually changes this to
something easy to remember, so when you find an empty box try all
the common defaults.
A good way to find boxes on an Infostar is to go to the
directory. It will tell you to enter the first couple of letters
of a person's name. A cool trick here is that you can usually
enter just one letter, and it will start spitting all the people
whose name's begin with that letter. If you happen to transfer to
a box that says "This is the Infostar VX Voice Processing
System." "Dial the number of the person you're calling." "If you
have a mailbox on the system press pound." Remember this is the
administrator mailbox. See the section on system management
below.
Infostar VX Commands:
Main Menu:
1 - To listen to messages
2 - Record and send a message
3 - Personal options
4 - Check delivery
User Options:
1 - Greetings
2 - Access code
3 - Group list
4 - Message notification
-----------------------------------------------------------------
Meridian Mail
Meridian Mail is a very popular system. It's made by
Northern Telecom. A good way to tell is, when you transfer to a
box it will usually say "Meridian Mail, mailbox?". Another way to
tell is pressing "81" during the mailbox greeting. If it says
something like "mailbox?", you can be pretty sure it's a
Meridian. "81" is the command to login to a box. You enter the
box number and "#", followed by the passcode and "#". The default
is usually the mailbox number.
Meridian Mail Commands:
* - Help
0* - OUTCALLING! (see below)
2 - Play message
4 - Goto previous message
6 - Goto next message
9 - Call the sender of a message
70 - Message options
71 - Reply to the message you just listened to.
72 - Play envelope
73 - Forward message to another mailbox
74 - Record one reply for all messages
75 - Record a message. Press "#" to stop recording.
76 -Delete message
79 - Send message
80 - Mailbox options
1 -Change operator assistance number
2 - Remote notification (depends on class of service)
81 - Login
82 - Change greeting
1 - Internal greeting
2 - External greeting
83 - Logout
84 - Change passcode
85 - Create distribution list
( This can be used to scan for other mailboxes.
Press "5" to compose a new list. Now enter the
box number plus "#". Take note of boxes that
respond with "mailbox XXXX". Press "#+#" to
stop, then 76 to delete the list. )
86 - Goto message
89 - Personal verification
4 - Exit
5 - Record mailbox name
Outcalling:
Yes, you can dial out of a Meridian Mail mailbox. Press
"0+*", it will then say something like: "This is a service that
will connect you to the number that you specify." On some systems
you can only connect to another extension. A lot of them usually
dial local. However, there are a few that can dial LD and
overseas. There are a few different formats that are used.
Extension+#
9+Local number+#
9+0+Local number+#
9+1+Local number+#
8+Local number+#
8+0+Local number+#
8+1+Local number+#
9+Area code/number+#
9+1+Area code/number+#
8+Area code/number+#
8+1+Area code/number+#
9+011+Country code/city code/number+# (Very rare)
A lot of companies are becoming aware of this little
trick, so you might have to look for a while until you can find
one that will outdial to anything other than another extension.
However there are a lot out there that will still dial locally.
_________________________________________________________________
ASPEN
The ASPEN (Automated SPeech Exchange Network) is made
by Octel. The is a good article on the hardware specifics of
this system in Phrack #45. To hack a box start scanning through
the boxes until you come across one that says: "You have reached
mailbox number XXXX please record a message at the tone." Most
likely that is an empty box. To login to an ASPEN press "#".
You'll be prompted for your mailbox number and your passcode. If
it is a new box after you enter the box number it will say:
"Welcome to your new mailbox, please enter the temporary passcode
assigned to you by your system manager". There is no set default
for an ASPEN mailbox. Just try all the common ones until you get
in. ASPEN's are full of features that make it appealing to
people.
ASPEN Commands:
Main menu:
1 - Review messages
2 - Send message
3 - Check for a receipt (of a message sent)
4 - Personal options
Review Messages menu:
During message review:
1 - Rewind
2 - Pause or restart
3 - Forward
4 - Play slower
5 - Message envelope
6 - Play faster
7 - Quieter
8 - Normal volume
After message review:
4 - Replay
5 - Message envelope
6 - Send copy
7 - Delete message
8 - Reply
9 - Save message
Send Message menu:
1 - Private message
2 - Urgent message
3 - Message confirmation
1 - Confirm receipt
2 - Notify of non-receipt
4 - Future delivery
Personal Options menu:
1 - Message notification on/off
2 - Administration
1 - Change password
2 - Distribution list
3 - Prompt levels
3 - Greetings
1 - Personal greeting
2 - Extended absence greeting
3 - Mailbox name
4 - Notification schedule
1 - First schedule
2 - Second schedule
3 - Temporary schedule
_________________________________________________________________
Phone Mail
Phone Mail is made by ROLM. It is one of the most
challenging voice mail systems to hack. It is also one of the
most rewarding. On some boxes you can have over a ten minute
greeting (depends on class of service). The Phone Mail system can
be configured in several different ways, one which is almost
impossible to hack. Phone Mail can be set up to be a sort of
information center. When it's set up for this there are usually
no boxes on the system. You can usually tell if a system has been
set up this way if it says something like "Press 1 for info.
on "blah." Press 2 for info. on blah, etc." These are usually set
up by companies for advertising, and it will not allow you to
leave a message.
When you do find a system, just start scanning through
the directory. All Phone Mail systems have some sort of directory
you can scan through.
The hardest thing about Phone Mail is finding the
access method. Some are set up where you have to dial an access
number (try scanning around where you found the Phone Mail at).
On these you dial the number and it says: "This is the Phone Mail
system, you can either enter your extension or your name."
Sometimes they set up a specific extension you have to dial
before you can access your mailbox. Also sometimes they have it
set up where you just press "#" to login to your mailbox.
No matter what method they use, there's no reason to worry,
because there's a simple way around this.
Here's an example of how to use this: Transfer to an
extension. Wait until you heard the greeting and the tone. Now
press "*"+"6"+"#". It will now say something like: "Please enter
the extension of the person you are calling, or press "#" to use
the Phone Mail features". Now all you have to do is enter the
extension + "#", then the passcode + "#". The default for
Phone Mail seems to be "111" or "1111". I'm not positive about
this, but it's what I've usually came across.
One more thing: when you're in the directory try entering
"Test" or "TestMailbox" for the person's name. Most systems
usually have one of these boxes set up. It's usually empty (This
also may work on some other voice mail systems also). Try using
"111" or "1111" to get in the mailbox.
Phone Mail Commands:
1 - Record message
3 - Listen to messages
8 - Answering options
9 - Mailbox options
70 - Transfer out of Phone Mail
76 - Disconnect from Phone Mail
Answering Options menu:
1 - Greetings
2 - Answering mode
3 - Set referral extension
4 - Mailbox name
# - Goto main menu
Mailbox Options menu:
1 - Distribution lists
2 - Prompt level
3 - Password
4 - Outcalling schedule
# - Goto main
_________________________________________________________________
Ready Systems
Ready systems are also known as Bix. Hacking this
system is easy, but it can take a while. First you can do two
things: the first is that you can scan through the directory
until you find an empty box. Now go back to the main menu and
login to the box by pressing "#". You'll then be prompted for you
mailbox number then your passcode. If the box is new, you will
not need a passcode. It will let you right in. Sometimes people
assign a simple passcode for new boxes. If that is the case, try
the defaults. The second way to hack a Ready system is after you
find the range of the boxes, go back to the main menu and login
(by pressing "#"). Now enter the number of the mailbox you want
to start scanning from. If it prompts you for a passcode, press
"*"+"0"+"#". Then try the next box. You can scan through the
entire range to see if you can get into any boxes.
What the "*"+"0"+"#" combination does is this:
* - Aborts the passcode entering feature.
0 - Pages the operator (You should get a message, but
if a human answers, hang up and try hacking the
system after hours. When you page the operator
this sets the error count to zero.)
# - Command to login to a box.
Ready Commands:
4 - Change greeting
5 - Listen to messages
6 - Record and send a message
9 - Exit
0 - Dial another box
9 - Exit system
* - Continue using mailbox
1+8 - Change volume of prompts
1+6 - Administration options
1 - Message waiting
2 - Passcode
# - Return to main
0+Command - Help description for command
_________________________________________________________________
Sydney
The Sydney system is from Australia, and can be easily
identified by its unique logoff message of "Good day" (it also
can be "Good morning" or "Good evening" -depends on the time of
day). Another indication is that when you press "*" it will
change the volume level. Sydney can be hacked pretty easy,
however you'll get logged off if you enter three invalid
mailboxes in a row.
There is a simple trick to hacking Sydney. For example,
let's say the boxes start at 100. You transfer to the box and
during the greeting press "0" (This is the login command. You can
also use this at the system greeting). Now it will prompt you for
a passcode try "0". If it doesn't say "You have no messages.",
then press "#"+"#". Repeat the process for mailbox 101 and so on.
"0" is the default passcode for mailboxes that have just
been set up. If you press "0" and it just sits there, it is
actually waiting for you to enter three more digits (the maximum
passcode length on a Sydney seems to be four digits) which is why
you press "#"+"#".
Sydney has a function called "Call Placement". Using this
you can record a message, have Sydney dial a number and the
person will hear the message, and their response will be saved in
your mailbox. You can set it up so that Sydney will call the
number every X number of minutes, and deliver the message. (This
is great for pranking someone you dislike.)
Sydney Commands:
1 - Record message
2 - Receive messages
3 - Message forwarding
4 - Call Placement
5 - Group messages
6 - Certified messages
7 - Guest accounts (Create an account for a buddy.)
8 - Personal Options
9 - End call
Personal Options menu:
1 - Change greeting
2 - Change passcode
3 - Change mailbox name
4 - Listen to system bulletin
9 - Return to main menu
_________________________________________________________________
Pac-Tel Meridian
This is a great system. It's easy to use and you can
have a long greeting. Sometimes you can identify one because it
will play four tones when the system answers. Some systems have
this disabled. The way to login is to press "#" at the system
greeting. The default is "0000". A good way to find empty boxes
is to go to the directory. When it asks you to press a letter
just press one key. It will go through all the extensions that
begin with the corresponding letters. When you come across
something like "Mailbox XXXX", you've found a blank box.
Pac-Tel Meridian Commands:
2 - Record and send a message
3 - Phone manager functions
* - Quit
# - help
Phone Manager Functions:
1 - Personal Options
1 - Immediate message notification
2 - Daily message reminder
3 - Record greeting
4 - Change passcode
5 - Record mailbox name
6 - Record announcement for a mailbox you sponsor
* - Exit personal options
2 - Voice Mail Options
1 - Check unacknowledged messages
2 - Record the name for a mailbox you sponsors
3 - Change distribution list
* - Exit voice mail options
3 - Automated Attendant Options
1 - Call Screening
2 - Call processing
3 - Extension specific processing
* - Exit automated attendant options
_________________________________________________________________
System Manager Functions (TaKiNG C0NTR0L!)
Overview:
If you have come across a box with the name "System
Manager" or "System Administrator" definitely try to access this
box. This could be the Administrator Box! Once in this box you
can create boxes, delete boxes, change class of service, send a
broadcast message (sends the message to every box on the system),
change passcodes and a lot of other stuff. In other words this is
the God box. It is usually the last (most common) or first box on
a system. Not all systems have administrator boxes. For example
all Phone Mail administration is handled through a computer dial
up. (There will be an article on this in a future issue of this
publication). Basically, if you can get in the administrator box
you control the system. Out of the systems I covered in this
article, Infostar, ASPEN and the Message Center have
administrator boxes. I'm going to cover Infostar and the Message
Center here. Alas, I haven't been able to access an ASPEN
administrator box yet, so I don't know the commands. If anyone
reading this does please contact me.
Message Center Administration Commands:
(Once in the admin box press "*" from user options)
A(2) - Add a mailbox
D(3) - Delete a mailbox
M(6) - Modify a mailbox
P(7) - Change the passcode of a mailbox
K(5) - Clock
I(4) - Backup to floppy
U(8) - Usage statistics
* - Exit mailbox administration
When you add a mailbox you need to enter a class of
service, a limits class of service and a message waiting class.
Here is a list of the ones to use:
Normal Box Check In Check out Time Box
Class: 01 04 05 09
Limits class: 03 05 05 05
Mess.waiting: 00 05 05 05
The Time Box tells the time when you transfer to the
box. The Check In and Check Out boxes allow you to read mail and
change the passcode on other boxes.
Infostar VX Administration Commands:
1 - System greetings
2 - Broadcast message
3 - Mailbox administration
1 - Change passcode
2 - Add mailbox
3 - Delete mailbox
8 - Record mailbox greeting
9 - Reset message waiting indicator
4 - System group lists
5 - Time and date
When you add a box on an Infostar system always use "100" for the
class of service. The mailbox types are:
1 to 3-Regular box
10-Administrator box (You can have more than one on
a system!)
Also when you create a mailbox you'll be prompted for the
following:
Extension number
Attendant extension number
Department number
Spell subscriber's name
When you get these prompts,just hit "#" to skip them. The only
things you need to enter are: The mailbox number, class of
service and mailbox type. The system will add the box and assign
a random four digit passcode.
_________________________________________________________________
Hacking Unknown Systems
There are a lot of systems out there that I haven't
covered. A lot of companies also use proprietary systems. It can
be just as easy (if not easier) to get a box on these systems as
well. Start by finding out the main functions (See VMB Hacking
Basics above). Go through the directory, and all that good stuff.
Look for administrator boxes. Do it all. Just remember, most
people aren't security conscious when it comes to voice mail, Oh
well, their negligence can be to your benefit.
_________________________________________________________________
Advanced VMB Hacking
These are just some tips that I picked up over time.
OK, first of all check out all of the extensions you can (this
takes time), and see what you find. You may come across fax
machines, carriers, PBX tones or a bridge. Sometimes these will
be in the directory as an extension with no recorded name.
Definitely check the box out. If you transfer to the box and
don't get anything but a short beep, have a friend try to
transfer to the same extension while you are on it to see if it
is a bridge. I don't think I need to explain what is possible
with a PBX tone. The carriers can be PBX dial-ups, company
dial-ups, anything is possible. If you're nosy like myself you
can login other peoples boxes and hear thief messages. Take care
when doing this, because you don't want the company to know you
are doing this. It's a good idea to reset the message pointer
(if you can). The boxes I always try to listen messages are:
Computer Room, MIS, System Administrator, Switch Room and
Computer Operations. Well, you get the idea just try to get in
any box that might have something that could be interesting.
Another thing you may want to find is an after hoursorder line.
If you can get into one of these you could have an abundant
supply of credit cards (KeWL! KaRDZ F0R MY K0De LiNE!).
Another thing is for those of you that want a 800 VMB,
but can't get a box on it. Try to find a company in your area
code that has an 800 number going to their voicemail system. Find
the local number and go through the system and find the boxes you
want. Now go load up your favorite code hacker. Now you can set
it up to try to get into the box. You can do a couple of things:
You can set it up to go in and change the passcode , or you can
set it up to send a message after it has got into the box. Just
find a box you can get into. It doesn't matter if someone is
using it or not. Now have your code hacker programmed to dial the
system, access the box, enter a passcode, and send a message to
the box you can get in. For example we'll say that you have a
Message Center that the box you want the passcode to is 999 and
you can get into box 222.
Now set your code hacker to dial the following string:
atdt XXX-XXXX,,,999,,*,,YYYY,,6,,222,,,#,,,,,#,9
XXX-XXXX-The number of the voice mail system
999-Transfers to the box you want to hack
*-to login
YYYY-The passcode the for the code hacker to try
6-To send a message to another user
222-The box to send the message to.
#-To start recording to message
#-To stop recording
9-Send message
Now all you have to do is check mailbox number 222,
and see what time the message was delivered.Now look at your scan
logs and see what number it dialed at the time your message was
sent. Voila! You now have the passcode for box 999!
If your can't set your code hacker to record all numbers
dialed, just set it to scan sequentially. Every 30 minutes or so
jot down what code it's trying. This way you can get a good idea
of the area that the passcode is in. Another way: If you came
across a carrier on the system. Set the code hacker to transfer
to the extension of the carrier. When it connects to the carrier
you'll have the passcode in your log. (This is the method I
prefer.)
_________________________________________________________________
Conclusion
Well that's about it for this file. I hope some of out
there found this file useful. If anyone has any questions,
comments or complaints, you can email me at:
roadkill@uss.lonestar.org
Greetings to:
Bane(314), Cjesus(313), Mr.Smith(615),
Lucid Nightmare(214), Sirius(214),
Dr.Strange(901), FuNKY G00DHeaRT(214)
and to Jack the Ripper(214) for putting
this in Stripped Ink.
_________________________________________________________________