Stripped Ink Issue 4, Volume 1 Presents ********************************* * * * Voice Mail Hacking * * * * By: ROADKILL * * * * March/April 1994 * * * ********************************* Contents: I. Introduction II. Voice Mail Hacking Basics III. AUDIX IV. Message Center V. Infostar VX Voice Processing System VI. Meridian Mail VII. ASPEN VIII. Phone Mail IX. Ready X. Sydney XI. Pac-Tel Meridian XII. System Manager Functions (TaKiNG C0NTR0L!) A. System Management Overview B. Message Center Administration C. Infostar VX Administration XIII. Hacking Unknown Systems XIV. Advanced VMB Hacking XV. Conclusion _________________________________________________________________ Introduction: OK, so you want to know how to hack VMB's. In case you don't know already, VMB is an acronym for Voice Mail Box. A VMB is basically a sophisticated answering machine run by computer. The computer is usually an IBM compatible with a large hard drive, and the necessary voice mail equipment. Some systems such as ROLM's Phone Mail store their data on magnetic tape, and the ASPEN, made by Octel, uses a modified Quantum hard drive. A typical voice mail system can have hundreds, sometimes thousands of voice mail boxes available. Most companies now use voice mail. A voice mail system can be of great convenience to a company. It can reduce the number of calls to a receptionist, therefore providing her/him with more time for other tasks. It also aids an employee by being able to record messages while he/she is out of the office or on another line. Some voice mail systems can even page a person when they receive a message, and most voice mail systems allow you to transfer messages to another user and other cool functions. "What the hell can I use a VMB for?" you ask? Well they are handy to have to trade with, or if your K-RaD enough, you could run an 3l33t code line (k0DeZ!). However, most people use them as an easy way to keep in touch with people. What I'm going to describe in this file is how to get a box on a system, and some other stuff I hope you find interesting. Well, enough of this; let's learn how to hack some VMB's! _________________________________________________________________ Voice Mail Hacking Basics: To hack VMB's, it's necessary to be able to know the following things: What kind of system it is, Some of the common defaults, How to transfer to the box itself, How to login to the box, The number of digits the boxes are, The range of the boxes (ex.2200 to 9999), How to access the names directory... If you know what kind of system you're trying to get a box on, it will be easier for you because you'll know how to exploit the weaknesses of a system. Read the individual system descriptions that are in this file. OK, as usual, people are often lazy and use a passcode that is easy to remember. The following is a list of the most common passcodes that people use: Box Number (ie. Box number:2225, Passcode:2225) 1234 12345 123456 0000 00000 000000 1111 11111 111111 2222 22222 222222 3333 33333 333333 4444 44444 444444 5555 55555 555555 6666 66666 666666 7777 77777 777777 8888 88888 888888 9999 99999 999999 Some systems have a default that is unique to that system. I'll cover these in the system descriptions below. Finding out how to transfer to the box should be pretty easy, the reason for this should be obvious. Finding out how to login to the box can sometimes be a little more difficult, but it shouldn't be that hard. Determining the number of digits and the range of the boxes is essential; you need to know this in order to find out where the boxes are. It is not necessary to use the names directory. However, it sure does make finding empty boxes, the number of digits in the box number, and the range a lot easier. _________________________________________________________________ AUDIX AUDIX (AUDio Information eXchange) is a voice mail system made by AT&T. It is easily identified by the command voice: "Entry not understood, please try again after the tone. [BEEP!]" You'll hear this message after you enter an invalid key or option. You can usually snag a box off an AUDIX system without much difficulty. First, press "*"+"T" (to transfer). Try this when you get the main greeting. It should say enter the X (number) digit extension. Remember the number of digits the extensions are. Now press "*"+"*"+"N" (for the names directory). Now, try a couple of common names to get an idea of the range of the boxes. After you got an idea of the range press "*"+"A" (to look up by extension). Now, just start scanning for boxes. Do this by entering the box number plus "#". You should get one of following responses: 1. The name of the box owner. 2. Extension XXXX, Not Valid. 3. Extension XXXX (This is what we're looking for). OK, keep track of all the extensions that give you response number three. After you're done scanning, press "*"+"#" to exit the directory. Now enter "*"+"R" (to login). Enter the number of one of the boxes you found while scanning, then press "#". You'll now be prompted for a password. The default password for AUDIX is the "#" sign (ie. Bx.1234, Pw.#). If you can't login using the "#" sign try the defaults listed above. Once you get into a box, if no one has used it before, it will give you a brief tutorial, and help you set the box up. DO NOT record a name for the box. Just leave silence. You don't want some one going through the directory and hearing: "For [your name] press 2222". So, just record silence. Sometimes you'll find an empty box that won't have the tutorial. These are cool to use too (as long as they are empty). Remember, anytime you need help on an AUDIX, press "*"+"H". AUDIX Commands: *R - login *H - help *T - transfer to extension **N - names directory (*A to look up by extension) 1 - send message to another user 2 - get messages 3 - personal greetings 4 - check outgoing messages 5 - personal options(see below) 6 - outcalling information(see below) 7 - autoscan incoming messages Personal Options: 1 - mailing lists 2 - personal directory 4 - password 5 - record mailbox name Outcalling Information: AUDIX can be set up to notify you when you receive an incoming message. From the outcalling menu, you enter the number that it will contact you at. It can also be used to call a pager. When you receive a message AUDIX will call you and say: "This is AUDIX". "[mailbox name], please enter your password." This is a neat feature, but I don't recommend that you use it, for obvious reasons. _________________________________________________________________ Message Center Message Center is another system that is widely used with companies today. A good way to tell if you've found a Message Center is to press "*" or "* + *" at the system greeting. If it's a Message Center it will say "Welcome to the Message Center". OK, find the range of the boxes by checking out the directory. If you come across an entry that just lists the box number, take note of it, it's probably a vacant box. Now, transfer to the box. While the greeting is playing press "*". One of two things will happen: 1. You'll be prompted for the passcode 2. You'll be let into the box There is no real default for the Message Center. If a box hasn't been assigned a passcode, pressing "*" during the greeting will let you into the mailbox. If it asks for a passcode you can try the regular defaults. You can also press "*" at the passcode prompt to transfer another extension. The Message Center uses a couple of tricks to discourage hacking. This can also be of use to us. The first trick is: When entering the passcode, it will stop you when you enter one digit more than the length of the passcode. The corollary is, that the passcode length is one digit less than the length of the passcode you entered before you were stopped. The second trick is: If your first passcode guess is wrong, but the second is correct, it will still give you an error. If you enter the correct passcode the third time it will let you in the mailbox. However, both the second and the third entry must have the correct passcode entry. Two more things, if your scanning through the directory, and happen to come across a box with the name System Manager or System Administrator, remember this; this is the System Manager mailbox. See the section on System Manager functions below. Also the Message Center will tell a mailbox subscriber when a suspicious amount of invalid passcodes have been entered. Message Center Commands: M(6) - Send a message to another user P(7) - Play messages U(8) - User options X(9) - Exit system User Options Menu: N(6) - Change mailbox name P(7) - Change passcode L(5) - Distribution list T(8) - Tutorial (not always implemented) X(9) - Exit user options _________________________________________________________________ Infostar VX Voice Processing System The Infostar VX is another common system. To login to a mailbox you press the "#" sign at the main greeting. You are then prompted to enter your mailbox number, then your password. To transfer to a box press "*" then the box number. The Infostar VX has no set default. When a mailbox is created it assigns a random passcode for the box. The system manager usually changes this to something easy to remember, so when you find an empty box try all the common defaults. A good way to find boxes on an Infostar is to go to the directory. It will tell you to enter the first couple of letters of a person's name. A cool trick here is that you can usually enter just one letter, and it will start spitting all the people whose name's begin with that letter. If you happen to transfer to a box that says "This is the Infostar VX Voice Processing System." "Dial the number of the person you're calling." "If you have a mailbox on the system press pound." Remember this is the administrator mailbox. See the section on system management below. Infostar VX Commands: Main Menu: 1 - To listen to messages 2 - Record and send a message 3 - Personal options 4 - Check delivery User Options: 1 - Greetings 2 - Access code 3 - Group list 4 - Message notification ----------------------------------------------------------------- Meridian Mail Meridian Mail is a very popular system. It's made by Northern Telecom. A good way to tell is, when you transfer to a box it will usually say "Meridian Mail, mailbox?". Another way to tell is pressing "81" during the mailbox greeting. If it says something like "mailbox?", you can be pretty sure it's a Meridian. "81" is the command to login to a box. You enter the box number and "#", followed by the passcode and "#". The default is usually the mailbox number. Meridian Mail Commands: * - Help 0* - OUTCALLING! (see below) 2 - Play message 4 - Goto previous message 6 - Goto next message 9 - Call the sender of a message 70 - Message options 71 - Reply to the message you just listened to. 72 - Play envelope 73 - Forward message to another mailbox 74 - Record one reply for all messages 75 - Record a message. Press "#" to stop recording. 76 -Delete message 79 - Send message 80 - Mailbox options 1 -Change operator assistance number 2 - Remote notification (depends on class of service) 81 - Login 82 - Change greeting 1 - Internal greeting 2 - External greeting 83 - Logout 84 - Change passcode 85 - Create distribution list ( This can be used to scan for other mailboxes. Press "5" to compose a new list. Now enter the box number plus "#". Take note of boxes that respond with "mailbox XXXX". Press "#+#" to stop, then 76 to delete the list. ) 86 - Goto message 89 - Personal verification 4 - Exit 5 - Record mailbox name Outcalling: Yes, you can dial out of a Meridian Mail mailbox. Press "0+*", it will then say something like: "This is a service that will connect you to the number that you specify." On some systems you can only connect to another extension. A lot of them usually dial local. However, there are a few that can dial LD and overseas. There are a few different formats that are used. Extension+# 9+Local number+# 9+0+Local number+# 9+1+Local number+# 8+Local number+# 8+0+Local number+# 8+1+Local number+# 9+Area code/number+# 9+1+Area code/number+# 8+Area code/number+# 8+1+Area code/number+# 9+011+Country code/city code/number+# (Very rare) A lot of companies are becoming aware of this little trick, so you might have to look for a while until you can find one that will outdial to anything other than another extension. However there are a lot out there that will still dial locally. _________________________________________________________________ ASPEN The ASPEN (Automated SPeech Exchange Network) is made by Octel. The is a good article on the hardware specifics of this system in Phrack #45. To hack a box start scanning through the boxes until you come across one that says: "You have reached mailbox number XXXX please record a message at the tone." Most likely that is an empty box. To login to an ASPEN press "#". You'll be prompted for your mailbox number and your passcode. If it is a new box after you enter the box number it will say: "Welcome to your new mailbox, please enter the temporary passcode assigned to you by your system manager". There is no set default for an ASPEN mailbox. Just try all the common ones until you get in. ASPEN's are full of features that make it appealing to people. ASPEN Commands: Main menu: 1 - Review messages 2 - Send message 3 - Check for a receipt (of a message sent) 4 - Personal options Review Messages menu: During message review: 1 - Rewind 2 - Pause or restart 3 - Forward 4 - Play slower 5 - Message envelope 6 - Play faster 7 - Quieter 8 - Normal volume After message review: 4 - Replay 5 - Message envelope 6 - Send copy 7 - Delete message 8 - Reply 9 - Save message Send Message menu: 1 - Private message 2 - Urgent message 3 - Message confirmation 1 - Confirm receipt 2 - Notify of non-receipt 4 - Future delivery Personal Options menu: 1 - Message notification on/off 2 - Administration 1 - Change password 2 - Distribution list 3 - Prompt levels 3 - Greetings 1 - Personal greeting 2 - Extended absence greeting 3 - Mailbox name 4 - Notification schedule 1 - First schedule 2 - Second schedule 3 - Temporary schedule _________________________________________________________________ Phone Mail Phone Mail is made by ROLM. It is one of the most challenging voice mail systems to hack. It is also one of the most rewarding. On some boxes you can have over a ten minute greeting (depends on class of service). The Phone Mail system can be configured in several different ways, one which is almost impossible to hack. Phone Mail can be set up to be a sort of information center. When it's set up for this there are usually no boxes on the system. You can usually tell if a system has been set up this way if it says something like "Press 1 for info. on "blah." Press 2 for info. on blah, etc." These are usually set up by companies for advertising, and it will not allow you to leave a message. When you do find a system, just start scanning through the directory. All Phone Mail systems have some sort of directory you can scan through. The hardest thing about Phone Mail is finding the access method. Some are set up where you have to dial an access number (try scanning around where you found the Phone Mail at). On these you dial the number and it says: "This is the Phone Mail system, you can either enter your extension or your name." Sometimes they set up a specific extension you have to dial before you can access your mailbox. Also sometimes they have it set up where you just press "#" to login to your mailbox. No matter what method they use, there's no reason to worry, because there's a simple way around this. Here's an example of how to use this: Transfer to an extension. Wait until you heard the greeting and the tone. Now press "*"+"6"+"#". It will now say something like: "Please enter the extension of the person you are calling, or press "#" to use the Phone Mail features". Now all you have to do is enter the extension + "#", then the passcode + "#". The default for Phone Mail seems to be "111" or "1111". I'm not positive about this, but it's what I've usually came across. One more thing: when you're in the directory try entering "Test" or "TestMailbox" for the person's name. Most systems usually have one of these boxes set up. It's usually empty (This also may work on some other voice mail systems also). Try using "111" or "1111" to get in the mailbox. Phone Mail Commands: 1 - Record message 3 - Listen to messages 8 - Answering options 9 - Mailbox options 70 - Transfer out of Phone Mail 76 - Disconnect from Phone Mail Answering Options menu: 1 - Greetings 2 - Answering mode 3 - Set referral extension 4 - Mailbox name # - Goto main menu Mailbox Options menu: 1 - Distribution lists 2 - Prompt level 3 - Password 4 - Outcalling schedule # - Goto main _________________________________________________________________ Ready Systems Ready systems are also known as Bix. Hacking this system is easy, but it can take a while. First you can do two things: the first is that you can scan through the directory until you find an empty box. Now go back to the main menu and login to the box by pressing "#". You'll then be prompted for you mailbox number then your passcode. If the box is new, you will not need a passcode. It will let you right in. Sometimes people assign a simple passcode for new boxes. If that is the case, try the defaults. The second way to hack a Ready system is after you find the range of the boxes, go back to the main menu and login (by pressing "#"). Now enter the number of the mailbox you want to start scanning from. If it prompts you for a passcode, press "*"+"0"+"#". Then try the next box. You can scan through the entire range to see if you can get into any boxes. What the "*"+"0"+"#" combination does is this: * - Aborts the passcode entering feature. 0 - Pages the operator (You should get a message, but if a human answers, hang up and try hacking the system after hours. When you page the operator this sets the error count to zero.) # - Command to login to a box. Ready Commands: 4 - Change greeting 5 - Listen to messages 6 - Record and send a message 9 - Exit 0 - Dial another box 9 - Exit system * - Continue using mailbox 1+8 - Change volume of prompts 1+6 - Administration options 1 - Message waiting 2 - Passcode # - Return to main 0+Command - Help description for command _________________________________________________________________ Sydney The Sydney system is from Australia, and can be easily identified by its unique logoff message of "Good day" (it also can be "Good morning" or "Good evening" -depends on the time of day). Another indication is that when you press "*" it will change the volume level. Sydney can be hacked pretty easy, however you'll get logged off if you enter three invalid mailboxes in a row. There is a simple trick to hacking Sydney. For example, let's say the boxes start at 100. You transfer to the box and during the greeting press "0" (This is the login command. You can also use this at the system greeting). Now it will prompt you for a passcode try "0". If it doesn't say "You have no messages.", then press "#"+"#". Repeat the process for mailbox 101 and so on. "0" is the default passcode for mailboxes that have just been set up. If you press "0" and it just sits there, it is actually waiting for you to enter three more digits (the maximum passcode length on a Sydney seems to be four digits) which is why you press "#"+"#". Sydney has a function called "Call Placement". Using this you can record a message, have Sydney dial a number and the person will hear the message, and their response will be saved in your mailbox. You can set it up so that Sydney will call the number every X number of minutes, and deliver the message. (This is great for pranking someone you dislike.) Sydney Commands: 1 - Record message 2 - Receive messages 3 - Message forwarding 4 - Call Placement 5 - Group messages 6 - Certified messages 7 - Guest accounts (Create an account for a buddy.) 8 - Personal Options 9 - End call Personal Options menu: 1 - Change greeting 2 - Change passcode 3 - Change mailbox name 4 - Listen to system bulletin 9 - Return to main menu _________________________________________________________________ Pac-Tel Meridian This is a great system. It's easy to use and you can have a long greeting. Sometimes you can identify one because it will play four tones when the system answers. Some systems have this disabled. The way to login is to press "#" at the system greeting. The default is "0000". A good way to find empty boxes is to go to the directory. When it asks you to press a letter just press one key. It will go through all the extensions that begin with the corresponding letters. When you come across something like "Mailbox XXXX", you've found a blank box. Pac-Tel Meridian Commands: 2 - Record and send a message 3 - Phone manager functions * - Quit # - help Phone Manager Functions: 1 - Personal Options 1 - Immediate message notification 2 - Daily message reminder 3 - Record greeting 4 - Change passcode 5 - Record mailbox name 6 - Record announcement for a mailbox you sponsor * - Exit personal options 2 - Voice Mail Options 1 - Check unacknowledged messages 2 - Record the name for a mailbox you sponsors 3 - Change distribution list * - Exit voice mail options 3 - Automated Attendant Options 1 - Call Screening 2 - Call processing 3 - Extension specific processing * - Exit automated attendant options _________________________________________________________________ System Manager Functions (TaKiNG C0NTR0L!) Overview: If you have come across a box with the name "System Manager" or "System Administrator" definitely try to access this box. This could be the Administrator Box! Once in this box you can create boxes, delete boxes, change class of service, send a broadcast message (sends the message to every box on the system), change passcodes and a lot of other stuff. In other words this is the God box. It is usually the last (most common) or first box on a system. Not all systems have administrator boxes. For example all Phone Mail administration is handled through a computer dial up. (There will be an article on this in a future issue of this publication). Basically, if you can get in the administrator box you control the system. Out of the systems I covered in this article, Infostar, ASPEN and the Message Center have administrator boxes. I'm going to cover Infostar and the Message Center here. Alas, I haven't been able to access an ASPEN administrator box yet, so I don't know the commands. If anyone reading this does please contact me. Message Center Administration Commands: (Once in the admin box press "*" from user options) A(2) - Add a mailbox D(3) - Delete a mailbox M(6) - Modify a mailbox P(7) - Change the passcode of a mailbox K(5) - Clock I(4) - Backup to floppy U(8) - Usage statistics * - Exit mailbox administration When you add a mailbox you need to enter a class of service, a limits class of service and a message waiting class. Here is a list of the ones to use: Normal Box Check In Check out Time Box Class: 01 04 05 09 Limits class: 03 05 05 05 Mess.waiting: 00 05 05 05 The Time Box tells the time when you transfer to the box. The Check In and Check Out boxes allow you to read mail and change the passcode on other boxes. Infostar VX Administration Commands: 1 - System greetings 2 - Broadcast message 3 - Mailbox administration 1 - Change passcode 2 - Add mailbox 3 - Delete mailbox 8 - Record mailbox greeting 9 - Reset message waiting indicator 4 - System group lists 5 - Time and date When you add a box on an Infostar system always use "100" for the class of service. The mailbox types are: 1 to 3-Regular box 10-Administrator box (You can have more than one on a system!) Also when you create a mailbox you'll be prompted for the following: Extension number Attendant extension number Department number Spell subscriber's name When you get these prompts,just hit "#" to skip them. The only things you need to enter are: The mailbox number, class of service and mailbox type. The system will add the box and assign a random four digit passcode. _________________________________________________________________ Hacking Unknown Systems There are a lot of systems out there that I haven't covered. A lot of companies also use proprietary systems. It can be just as easy (if not easier) to get a box on these systems as well. Start by finding out the main functions (See VMB Hacking Basics above). Go through the directory, and all that good stuff. Look for administrator boxes. Do it all. Just remember, most people aren't security conscious when it comes to voice mail, Oh well, their negligence can be to your benefit. _________________________________________________________________ Advanced VMB Hacking These are just some tips that I picked up over time. OK, first of all check out all of the extensions you can (this takes time), and see what you find. You may come across fax machines, carriers, PBX tones or a bridge. Sometimes these will be in the directory as an extension with no recorded name. Definitely check the box out. If you transfer to the box and don't get anything but a short beep, have a friend try to transfer to the same extension while you are on it to see if it is a bridge. I don't think I need to explain what is possible with a PBX tone. The carriers can be PBX dial-ups, company dial-ups, anything is possible. If you're nosy like myself you can login other peoples boxes and hear thief messages. Take care when doing this, because you don't want the company to know you are doing this. It's a good idea to reset the message pointer (if you can). The boxes I always try to listen messages are: Computer Room, MIS, System Administrator, Switch Room and Computer Operations. Well, you get the idea just try to get in any box that might have something that could be interesting. Another thing you may want to find is an after hoursorder line. If you can get into one of these you could have an abundant supply of credit cards (KeWL! KaRDZ F0R MY K0De LiNE!). Another thing is for those of you that want a 800 VMB, but can't get a box on it. Try to find a company in your area code that has an 800 number going to their voicemail system. Find the local number and go through the system and find the boxes you want. Now go load up your favorite code hacker. Now you can set it up to try to get into the box. You can do a couple of things: You can set it up to go in and change the passcode , or you can set it up to send a message after it has got into the box. Just find a box you can get into. It doesn't matter if someone is using it or not. Now have your code hacker programmed to dial the system, access the box, enter a passcode, and send a message to the box you can get in. For example we'll say that you have a Message Center that the box you want the passcode to is 999 and you can get into box 222. Now set your code hacker to dial the following string: atdt XXX-XXXX,,,999,,*,,YYYY,,6,,222,,,#,,,,,#,9 XXX-XXXX-The number of the voice mail system 999-Transfers to the box you want to hack *-to login YYYY-The passcode the for the code hacker to try 6-To send a message to another user 222-The box to send the message to. #-To start recording to message #-To stop recording 9-Send message Now all you have to do is check mailbox number 222, and see what time the message was delivered.Now look at your scan logs and see what number it dialed at the time your message was sent. Voila! You now have the passcode for box 999! If your can't set your code hacker to record all numbers dialed, just set it to scan sequentially. Every 30 minutes or so jot down what code it's trying. This way you can get a good idea of the area that the passcode is in. Another way: If you came across a carrier on the system. Set the code hacker to transfer to the extension of the carrier. When it connects to the carrier you'll have the passcode in your log. (This is the method I prefer.) _________________________________________________________________ Conclusion Well that's about it for this file. I hope some of out there found this file useful. If anyone has any questions, comments or complaints, you can email me at: roadkill@uss.lonestar.org Greetings to: Bane(314), Cjesus(313), Mr.Smith(615), Lucid Nightmare(214), Sirius(214), Dr.Strange(901), FuNKY G00DHeaRT(214) and to Jack the Ripper(214) for putting this in Stripped Ink. _________________________________________________________________