PBX HACKING

Octel Voice Network Login

With Octel PBXs, the system manager password must be a number. How helpful these systems can be sometimes! The system manager's mailbox by default is 9999 on many Octel systems. We have also observed that some organizations simply change the default box from 9999 to 99999 to thwart attackers . If you know the voicemail system phone number to your target company, you can try to input four or five or more 9s and see if you can call up the system manager's voicemail box. Then if so, you might get lucky to connect back to the dial-in interface shown next and use the same system manager box. In most cases, the dial-in account is not the same as the system manager account that one would use when making a phone call, but sometimes for ease of use and administration, system admins will keep things the same. There are no guarantees here, though.

 XX-Feb-XX 05:03:56 *91XXX5551234 C: CONNECT 9600/ARQ/V32/LAPM                 Welcome to the Octel voice/data network. All network data and programs are the confidential and/or proprietary property of Octel Communications Corporation and/or others. Unauthorized use, copying, downloading, forwarding or reproduction in any form by any person of any network data or program is prohibited. Copyright (C) 1994-1998 Octel Communications Corporation. All Rights Reserved. Please Enter System Manager Password:  Number must be entered  Enter the password of either System Manager mailbox, then press "Return." 

Williams/Northern Telecom PBX

If you come across a Williams/Northern Telecom PBX system, it probably looks something like the following example. Typing login will usually be followed with a prompt to enter a user number. This is typically a first-level user, and it requires a fourdigit numeric-only access code. Obviously, brute forcing a four-digit numeric-only code will not take a long time.

 XX-Feb-XX 04:03:56 *91XXX5551234 C: CONNECT 9600/ARQ/V32/LAPM OVL111 IDLE 0 > OVL111 IDLE 0 > OVL111 IDLE 0 > OVL111 IDLE 0 

Meridian Links

At first glance, some Meridian system banners may look more like standard UNIX login banners because many of the management interfaces use a generic restricted shell application to administer the PBX. Depending on how the system is configured, there are possibilities to break out of these restricted shells and poke around. For example, if default user ID passwords have not been previously disabled, system-level console access may be granted. The only way to know whether this condition exists is to try default user accounts and password combinations. Common default user accounts and passwords, such as the user ID "maint" with a password of "maint," may provide the keys to the kingdom. Additional default accounts such as the user ID "mluser" with the same password may also exist on the system.

 XX-Feb-XX 02:04:56 *91XXX5551234 C: CONNECT 9600/ARQ/V32/LAPM login: login: login: login: 

Rolm PhoneMail

If you come across a system that looks like this, it is probably an older Rolm PhoneMail system. It may even display the banners that tell you so.

 XX-Feb-XX 02:04:56 *91XXX5551234 C: CONNECT 9600/ARQ/V32/LAP PM Login> Illegal Input. 

Here are the Rolm PhoneMail default account user IDs and passwords:

 LOGIN: sysadmin PASSWORD: sysadmin LOGIN: tech PASSWORD: tech LOGIN: poll PASSWORD: tech 

ATT Definity G / System 75

An ATT Definity System 75 is one of the older PBXs around, and the login prompt looks quite like many UNIX login prompts. Sometimes even the banner information is provided.

 ATT UNIX S75 Login: Password: 

The following is a list of default accounts and passwords for the old System 75 package. By default, AT&T included a large number of accounts and passwords already installed and ready for usage. Usually, these accounts will be changed by the owners either through proactive wisdom or through some external force, such as an audit or security review. Occasionally, these same default accounts might get reinstalled when a new upgrade occurs with the system. Hence, the original installation of the system may have warranted a stringent password change, but an upgrade or series of upgrades may have reinvoked the default account password. Here is a listing of the known System 75 default accounts and passwords included in every Definity G package:

 Login: enquiry    Password: enquirypw Login: init       Password: initpw Login: browse     Password: looker       browsepw Login: maint      Password: rwmaint      maintpw Login: locate     Password: locatepw Login: rcust      Password: rcustpw Login: tech       Password: field Login: cust       Password: custpw Login: inads      Password: inads        indspw       inadspw Login: support    Password: supportpw Login: bcms       Password: bcms Login: bcms       Password: bcmpw Login:bcnas       Password: bcnspw Login: bcim       Password: bcimpw Login: bciim      Password: bciimpw Login: bcnas      Password: bcnspw Login: craft      Password: craftpw      crftpw       crack Login: blue       Password: bluepw Login: field     Password:support Login: kraft      Password: kraftpw Login: nms        Password:nmspw 

PBX Protected by ACE/Server

If you come across a prompt/system that looks like this, take a peek and leave, because you will more than likely not be able to defeat the mechanism used to protect it. It uses a challenge-response system that requires the use of a token.

 XX-Feb-XX 02:04:56 *91XXX5551234 C: CONNECT 9600/ARQ/V32/LAPM Hello Password :   89324123 : Hello Password :   65872901 : PBX Hacking Countermeasures 

As with the dial-up countermeasures, be sure to reduce the time you keep the modem turned on, deploy multiple forms of authenticationfor example, two-way authentication (if possible)and always employ some sort of lockout on failed attempts.