-o[ hacking meridian mail - an overview ]o-
-o[ D4RKCYDE ]o-
-o[ by hybrid ]o-
-----------------------------------

I think I have read about 6 guides to hacking meridian mail, and they get worse all the time. Every meridian text I have read concentrates on the features and architecture of the meridian mail system, however I am surprised at the lack of information available that concentrates on the actual hacking of meridian mail. This article will concentrate on various techniques that can be used when hacking meridian mail.

For those of you who are unaware, meridian mail is a voice messaging system designed by Nortel technologies and has many advanced features. A lot of people seem to think that hacking voicemail networks is lame; bullshit. I would argue that meridian mail is the most advanced voice platform there is when it comes to voicemail and voicemail networking. Meridian is way more advanced than any other voicemail system out there, it puts Octel, Audix, Aspen, Phonemail and other network leaders such as Infostar to shame. Meridian is designed to be fairly secure, but like most networks it can be very vulnerable if you know the weak points. The only voicemail system that I believe offers a respectable level of security is the Audix voicemail platform, but that's another article.

Unlike the other meridian mail guides out there, I'm not going to rant on and on about meridian mail features and network architecture, I've written several files on that already, so I'm going to get straight to the point; here is how you hack meridian mail (the effective way).

Before you do anything, you need to be able to identify a meridian mail system properly. There are many different ways to identify a meridian mail system, most of the time people only pick up on the real obvious meridian mail systems, where you get a login prompt after you have dialed the number, (" meridian mail, mailbox?.. "). However, there are many different ways of identifying a meridian mail system.
The voice prompts on meridian mail are all in a female voice, and can adopt a multitude of forms from different accents to different languages, depending on where you are. The majority of the time the voice prompts will be American-English in accent, and quite monotone in nature. There are several different prompts you can come across when dialing a meridian system. As I said before, the most obvious one would be.. 1800 xxx xxxx.. " meridian mail, mailbox? ". Here is a table to show you the different types of meridian mail dialin prompts.

[ " meridian mail, mailbox? " ]

Here you are confronted with the meridian user login prompt, your only option here is to guess a box number and password. Here is where meridian mail can be a real bitch, there is no way of telling if you have dialed a valid box on the system, you could hit any number of digits and still get a password prompt. Either way, you will usually have 3 login attempts before you will hear something like:

" login incorrect, please contact your system administrator for assistance, goodbye. "

Because there is no way of telling what prefix the mailbox/extension numbers are in from this dialin prompt, you are dialing blind, so your only hope with this type of dialin prompt is simple guess work, or if you read this, an educated guess. Most systems will have 4 digit boxes, which will usually have a default passcode set to be the same as the box number. The login convention is like this: you dial your mailbox number xxxx suffixed by [ # ], you then receive the password prompt which will ask you to enter your password followed by the # key. Like I said before, there is no way of telling if you have found a valid box because you will be asked for a passcode whatever you enter. So, for this type of login prompt we simply guess. The box ranges could be 3 to 5+ digits long depending on the size of the voice network, 4 digit boxes are the most common though. Just try random boxes like this..
  5463 [ # ] 5463 [ # ], 3788 [ # ] 3788 [ # ] etc etc, until you successfully login to a valid box. (more on this later)

note: if someone tries to incorrectly login to a valid box too many times, the system will disable the box so even the legitimate user can't access it, they would subsequently have to go to the sysadmin in order to get the box reactivated.

[ " express messaging, to mailbox? " ]

Here is another common meridian prompt that you are likely to come across. It is simply a meridian prompt for external users to leave a message for someone on that system, if they know the person's extension/mailbox number. Here you can't really go wrong, because you are able to find out what prefix the mailbox/extension numbers are likely to be in. You will get one of these 2 system messages after entering an extension/mailbox number + [ # ].

  a) " There is no mailbox at, xxxx "
  b) " mailbox xxxx, please leave a message at the tone. " (or the person's recorded name - if they bothered to set one)

If you guessed an invalid mailbox number, just keep trying until you find a valid mailbox and you should receive system recording [ b ]. When you have successfully managed to find a valid box, note the prefix down as there is bound to be a nice cluster of mailboxes in that area as well. You now have the option to do a few things. Once you get system recording [ b ] you could hit * and you will hear " there is no recorded message, to record a.... " or if you waited for the tone prompt to record your message for that mailbox, hit [ # ] and you will get " recording stopped ". (wherever you get lost with the commands of meridian mail, simply hit [ * ] to hear a limited set of help on message/mailbox commands.)
Now, you could hit [ 81 ] and you will receive the standard meridian mail login prompt as described above, but all you can do here is try to login as the box number you successfully guessed, which should work most of the time, but if it doesn't you need to find more boxes, which can be achieved by dialing various extensions on the internal pbx system. I will discuss this in a little while.

[ " the person at extension xxxx is not available to take your call, please leave your message at the tone. " ]

Again, here you can hit * to get your list of options, such as [ 81 ] to login, 0 xxxx [ # ] to dial an extension etc.

[ " mailbox xxxx, please leave your message at the tone " ]

Again, hit [ 81 ] to login, * to get message options.

[ " the person at extension xxxx is not a subscriber to this service, call answering cannot be completed at this time, transferring to an attendant, one moment please.. " or: " please try again later, goodbye. " ]

Here there is not a lot you can really do, unless you have dialed the number after business hours and it transfers you to the attendant/operator who is not likely to be there, so a recorded greeting would be in place, where you would be able to login and dial around the system as normal.

[ " please dial the number of the person you are calling. " ] (hit * and you will hear: " you have reached an automated service which will connect you to the phone number you enter.. " you also have an option to dial by name.)

Here is meridian's biggest vulnerability, you are able to dial extensions on the system. Big deal I hear you say. The fact is, if you are going to hack a meridian mail system effectively, you need to get to this prompt so you can explore the entire system. You can get to this prompt through many ways as discussed before, or by dialing 0 number # at a recording prompt, but this prompt can usually be found by direct dial.
You are looking for a number of things here, such as modems on extensions (meridian remote administration), valid extensions (valid mailboxes) and meridian goodies such as the MICB built-in meridian conference bridge. Other things to look out for on meridian extensions are prompt maintenance extensions, PA extensions (where you control the company's PA system) and external lines. (more on external lines in a while)

Guessing valid extensions is fairly self explanatory, but sitting there for ages getting " that number cannot be reached from this service " over and over again can be a little off-putting, so we employ our own ways of guessing an extension number. Here is a vulnerability that exists on most meridian mail systems where you are able to get an extension prompt, I give a guy called 'public_nuisance' credit for this, as he was the person who originally found this meridian vulnerability.

This is what you do if you can't seem to guess a valid extension. First start at the higher numbers and work your way up, for example, hit 8 then [ # ] and you will get either " beep, that number cannot be reached from this service, please try again.. " or " pause.. your call cannot be completed at this time, transferring to an attendant, one moment please.. " If this is the case, and you get " transferring to an attendant ", quickly hit [ * ] a couple of times and it will drop you back to the dial extension prompt. Now, here is where the vulnerability lies: if you receive that system recording, it means that the system is expecting more digits to be dialed after [ 8 ] or whatever number you choose to start with. So next you try dialing 89 [ # ]; if you get the same system recording it means it wants more digits, so just hit ** again to get back to the dial extension prompt, or you may get " that number cannot be reached... " which means you need to try 8 then something else like 87 [ # ], see where I'm going?..
Basically you are trying to step up the digits, looking for the system announcement that says " transferring to an attendant ", where you will hit [ * ] a few times and keep dialing, adding more digits to the sequence each time, until eventually you find the prefix of box/extension numbers.

  8 [ # ]      " your call cannot be completed at this time "      ( ** )
  87 [ # ]     " that number cannot be reached from this service "
  89 [ # ]     " your call cannot be completed at this time "      ( ** )
  896 [ # ]    " your call cannot be completed at this time "      ( ** )
  8965 [ # ]   " your call cannot be completed at this time "      ( ** )
  89654 [ # ]  " that number cannot be reached from this service "
  89652 [ # ]  --> [ ring ring ring ring ]

So, in the above working example, we see that the valid extension number was [ 89652 ], this was found by a process of elimination with the help of the extension vulnerability. This way you do not have to sit there for ages guessing valid extensions, you just step up and up through the trunk selection. This method can also be used if the system is configured for through-dialing but has a passcode protecting the outdial service, in which case you can get the passcode by using the above vulnerability because meridian outdialing passcode protection is based on trunk selection on the pbx system.. way-to-go Nortel ;]

One of the reasons people hack meridian is because of its nice outdialing feature. Usually once inside a box, you can sometimes get an outside line by dialing 9 before the number. So for example, if inside a box, you dial 0, 1234 [ # ] that will put you through to extension 1234. But if system outdialing is enabled you can simply dial like this, 0,9,number [ # ] and this will select an external trunk and route your call to the outside. On a poorly configured system (which most are) you may be able to dial externally without even logging into a mailbox.
For example, if you get to the dial an extension prompt, you could simply prefix the number with a [ 9 ] and your call would be processed as normal.

Word of warning though. Meridian logs all routing activity, so for example, say you called your g/f via meridian outdialing, the system administration part (MAT - meridian administration tool) would log the following; you dialed 0,9,npa-blahblah [ # ].. meridian will log the extension (or originating location) from where the call attempt is coming from, it will then log the number, the time of the call, the length of the call, and even how long it took you to dial the digits. (very handy for the 'law'). There are several ways around this though. For starters, don't even think about calling a meridian direct from your home if you are going to use one for outdialing, if you do, route your call. Or, if you managed to find the remote administration dialin modem on one of the extensions, you can configure your own trunks for through-dialing, ie; with no originating point or call tracking features enabled.

Now, that's enough of the extensions and call routing etc, now for the rest of the article. If you dial a number and you get something like " press 1 for blah-blah, hit 2 for yack-yack " etc etc, don't just pass it off as some IVR system or whatever, because meridian can be configured to act as a dialin menu as well. In fact, this is the most popular type of meridian dialin that you are likely to come across. To identify the menu system as meridian, you can use the following: if you hit an invalid key that is not in the menu options you may get:

[ " that command is not recognised " ]

Again, this is a dead giveaway that the system is likely to be meridian based. If this is the case, it is likely that in the dialin menu you may have an option to dial an extension number, leave a message (express messaging), login to meridian mail etc.
If none of those options exist, call the number back after business hours, and try out all of the options until you eventually get routed to an un-attended extension where the extension owner's voicemail greeting should come on, where you will be able to do what was discussed before. If all else fails, simply hit [ 0 ] for the operator; if they are not attending the switchboard, the general voicemail box for that company should come on, and you can do your stuff.

Now, you know how to identify a meridian mail system, and have managed to login to a box. Here's what to do next..

When you have logged into a box you will hear something like " you have no new messages " or " you have x new messages " or " your mailbox is full, to delete a message you no longer require press 76 " or " your password has expired, to change your password press 84 " etc etc. Now, you know the default password for the system, so you need your own box. The mistake a lot of people make when hacking meridian is they take over a box that they think is not being used because it has no messages in it; the fact is, if a box has no messages in it, it's likely that the legitimate owner checks their messages on a regular basis. What you are looking for is a box that either asks you to change your password, or a box with backdated new messages from like months ago.

To scan for more valid boxes, login to the one that you have access to, and hit 75. You will then be asked to enter the mailbox of the recipient, where you have the option to address the message to multiple boxes, ie: 5400#, 5401#, 5402# etc etc. Keep addressing the message to sequential boxes, so you are scanning the system internally. Eventually, when you have written down a list of valid boxes, hit [ # ], then 76 to erase/cancel the message.
You will then be returned to the mailbox main menu, where you can hit 81 to re-login to meridian mail. Try 2 boxes from your list; if they don't have the default passcode, log back into a box that you know the passcode to, then 81 again to go through the next 2 boxes on your list. This way you can avoid being logged off from the system, and keep going until your fingers fall off. Eventually you will find a box as described before that is not in use (either loads of backdated messages, or passcode change prompt). You can then hit 84 to change your passcode, and then you can call the box 'yours'.

I'm not going to list all the functions/options available on meridian mail user boxes, simply because all you need to do is hit [ * ] to have them read out to you by the automated system help. All you need to know really is that [ 2 ] will play any messages you have, 76 will erase it, 71 will reply, 79 will send, 75 to compose a message, etc.

A few notes on meridian mail:

If outdialing is enabled, you may find that certain numbers are blocked, for example LD numbers, numbers prefixed with a 1, or 01 for the UK. This can be overcome in most cases. If you can call the external operator [ 09,00# ] go through the usual bullshit with him/her/it to get them to dial/place the call for you. Or you can find a telco service provider that offers 800 numbers that bill back to the line you are calling from. Or if you are in the UK, you can sometimes trick the outdial barring by prefixing your call with things like 9,[141] or 9,[1470] etc.

You can sometimes set the operator assistance number for your voicemail box to dial an external number; when inside the box hit 82 then follow the prompts. The number you set would usually be prefixed with a 9, then suffixed with a # to end the string of entered digits. So when someone calls your extension/mailbox and they hit [ 0 ] at your personal greeting, they would get routed to a number of your choice, instead of the internal operator.
This feature can be useful for simple diverters, but again, not very safe.

Meridian Integrated Conference Bridge (MICB) is a fully integrated, all-digital audio conference bridge from Nortel (Northern Telecom) designed to improve and simplify enterprise conferencing capabilities. MICB provides fast and reliable access to an in-house conference bridge, eliminating the need to frequently contact conference service bureaus or accommodate complex third-party conference bridge equipment. Offering simple plug-and-play installation within a Meridian 1 Intelligent Peripheral Equipment (IPE) shelf, software keycode activated upgrades, and a variety of flexible features for increased conference control, MICB is for organizations requiring frequent audio collaboration to keep multiple dispersed parties connected with critical communication. As an integrated solution, a single MICB card supports up to 32 ports and up to 10 simultaneous conference calls. There are four MICB card capacity options available: 12, 16, 24 and 32 ports. If the conferencing requirements increase, software keycodes activate additional ports on the MICB card to support the larger port capacities. In addition, multiple MICB cards can be supported within the Meridian 1 Communications System.

Expunged from one of my previous meridian files, an extract from a Nortel technical document explaining how meridian call-logging is implemented etc.

"Detect and Alarm Toll Fraud"

Day by day, your Meridian 1 operates, routing calls to and from your company. Ever wonder what your traffic calling patterns look like on a realtime basis? Using MAT Call Tracking, you can now visually monitor traffic patterns. How long are station users on the phone? What percentage of calls are incoming, outgoing, or via tandem tie lines? These are a few of the available features. Better yet, you can set up your own meter to visually cue on the criteria that you want to monitor. Have you ever been a victim of toll fraud?
Want to know who's making long international calls, as they happen? The integrated alarm filter can detect these scenarios and alarm you when the event occurs. With multiple alarming notification methods, the system is sure to reach you, wherever you may be.

Features

Call Tracking is an on-line call monitor and alarm application for the examination of call usage patterns leading to toll fraud detection. Graphs are used to indicate trends and provide displays of unusual calls, enabling you to adjust equipment and services to maximize resources. Multiple filtering templates allow for your customization of [ toll fraud ] criteria. The Call Tracking Module provides a number of alarm notification options to alert you when the filter criteria have been met. Call Tracking is designed to be used with Call Accounting but can also exist on a stand-alone basis.

Welp, that's it for this brief overview of hacking meridian.

Shouts to: [ D4RKCYDE ] [ 9X ] [ B4B0 ] [ downtime ] [ zomba ] [ substance ] [ gr1p ]

------------------------
http://hybrid.dtmf.org
hybrid@dtmf.org
hybrid@ninex.com
http://phunc.com/~hybrid
hybrid@b4b0.org
hybrid@phunc.com

" 4-wire trunk circuits were converted to 2-wire local cabling, using a device called a hybrid. Unfortunately, the hybrid is by its very nature a leaky device. "
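Appendix: the MAT Call Tracking alarm filter described in the Nortel extract, and the logging the article warns about (originating extension, dialed digits, call time, call length), can be approximated from the admin side in a few lines. This is an added example, not code from the original file or from Nortel: it runs filter templates over constructed call records and flags the outdial pattern the article describes (a voicemail port selecting a trunk with 9, after hours or to an international prefix). The record layout, the "VM" port naming, the 011/00 international prefixes, the business-hours window and the 15 minute threshold are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log, one call per line: origin,dialed,start,seconds.
# "VM01"/"VM02" stand for voicemail ports (assumed naming); a leading 9 in
# the dialed digits is the trunk access code the article describes.
SAMPLE_LOG = """\
2201,2203,2001-03-12 10:15,95
2205,95551230,2001-03-12 11:02,240
VM01,90115550001234,2001-03-12 02:41,1820
VM02,95551239876,2001-03-12 22:10,600
"""

@dataclass
class CallRecord:
    origin: str        # originating extension or voicemail port
    dialed: str        # digits dialed after the 0 (extension or 9+number)
    start: datetime    # time of the call
    seconds: int       # length of the call

def parse_log(text: str) -> list[CallRecord]:
    """Parse the constructed comma-separated record format."""
    records = []
    for line in text.strip().splitlines():
        origin, dialed, start, secs = line.split(",")
        records.append(CallRecord(origin, dialed,
                                  datetime.strptime(start, "%Y-%m-%d %H:%M"),
                                  int(secs)))
    return records

# Filter criteria, in the spirit of MAT's "filtering templates".
def from_voicemail(r): return r.origin.startswith("VM")
def is_outdial(r): return r.dialed.startswith("9")            # 9 selects a trunk
def is_international(r): return is_outdial(r) and r.dialed[1:].startswith(("011", "00"))
def after_hours(r): return not 8 <= r.start.hour < 18         # assumed 08:00-18:00 day
def long_call(r): return r.seconds >= 900                      # assumed 15 minute threshold

FILTERS = {
    "vm_outdial_international": (from_voicemail, is_outdial, is_international),
    "vm_outdial_after_hours": (from_voicemail, is_outdial, after_hours),
    "long_international": (is_international, long_call),
}

def scan(records: list[CallRecord]) -> list[tuple[str, str, str]]:
    """Return (filter name, origin, dialed) for every record matching a filter."""
    return [(name, r.origin, r.dialed)
            for r in records
            for name, tests in FILTERS.items()
            if all(t(r) for t in tests)]

def traffic_mix(records: list[CallRecord]) -> dict[str, float]:
    """Outgoing vs internal share, the traffic-pattern view MAT advertises."""
    total = len(records)
    out = sum(1 for r in records if is_outdial(r))
    return {"outgoing_pct": round(100 * out / total, 1),
            "internal_pct": round(100 * (total - out) / total, 1)}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in scan(recs):
        print("ALARM", *hit)
    print(traffic_mix(recs))
```

The staff outdial at 11:02 trips nothing; the two voicemail-port outdials are the ones an administrator would want alarmed, and the overnight international call matches three templates at once.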