Hacking the SR1000 PBX

by maldoror

Of course I guess I should start by saying that any information contained in this article is for informational purposes only, and that this article is merely an example of how such a cheap PBX system could easily be taken advantage of.

The SR1000 is a large fully redundant PBX system capable of maintaining over 1000 ports and supporting digital trunk access, conferencing, inbound call distribution, residential resale, voice mail applications, etc.

The SR1000 PBX was designed and built by Solid State Systems in Kennesaw, Georgia and is currently being used by the military, 911, long distance companies, debit card companies, phone sex, and whoever else lacks the common sense to make better decisions.

Hopefully this article will cause some neurons to fire and some security procedures to improve, although I doubt it.

When you first connect to an SSSINC SR1000 you will most likely see something to the effect of "Solid State Systems" and a bunch of garbage.  This, of course, is because you are connected to just that, something a little more advanced than a spark plug (O.K., well maybe I'm exaggerating... but hey, this thing ain't no 5ESS.)  O.K., so obviously the real reason for the garbage is that you are using the wrong terminal emulation... switch to ADDS 90 (PCPlus has it) and we'll continue.  Hopefully you figured all of this out for yourself anyway.

Now that you're in the right emulation and providing you are connected to an SR1000 one of two things will happen:

  1. You have a screen that says SUPERVISOR: and PASSWORD:
  2. You have SR1000 in the left corner, and some type of menu or shell.

If you get the first result, Laugh Out Loud because this screen is most likely just a joke.

(As I said, it has no security so this screen must be a joke.)  Most likely you will not see the first screen which means you're seeing the second result.  Guess what?  You're in!  (Difficult?)

Going back to the login screen (providing this rarity has stumbled upon you), try the following defaults:

Supervisor Name     Password

SSSINC              KENNESAW
SUP1                SUP1

If none of these work, call later and try again.  If anyone is using the console, or forgets to log out, you will of course drop right into their session... just watch first to make sure they aren't typing when you drop in...  (This is why you usually don't get the logon screen.)

You're In!  What First?

If you are at a menu, type: SHELL

If it doesn't let you go to shell, hit Esc once to go back a menu, and type SHELL again.  You should now be in shell.

Remember: Esc will get you out of almost everything on the SR1000.  If you have something that looks like a DOS prompt (and you will now if you just went to shell), type the following to get a dump of the login/password table: SH ABK DOM

Guess what?  Yeah, exactly.  No encryption.  Can you believe it?  The funny part is that technicians aren't trained to do this, and since the software doesn't allow the administrator to list the valid accounts, they usually don't even know which accounts are active and which aren't.  (Good one, guys.)

I don't have the time or the space to explain the entire SR1000 filesystem or manuals, but here's a list of a couple of simple shell commands and explanations:

DUMP [filename]         (Dump the file in HEX to the screen)
COPY [file1] [file2]
DIR
DELETE [filename]       (* is a wildcard)
CD [directory]          (You can't see the DIR names)
HELP
EXIT                    (Exit SHELL)
TRAN                    (Transfer files to redundant system)
SH ABK [abbreviation]   (Show a table)

There are many more commands that I have purposely left out which range from defrag programs to sector editors.  Keep in mind it's really easy to screw up in shell, so don't just guess or you'll make a scene.  No, this is not MS-DOS.

Type EXIT and return to the menus.  You will see a list of options with abbreviations (such as SYSMON, TRNKMOD, SHELL, etc.) to the right of each option.  You'll notice they are the same as the .RO files you saw in shell.  You can type the file name to skip menus.

O.K., So What Should I Do?

The most important part of the SR1000 is its routing information.

To take a look at the important routing and calling card validation info, you'll want to do the following (and you'll have to figure this out from the menus of course):

Go to the Utilities menu, then the Trunk Group Listings, and dump all the trunk groups.  This will tell you which ports are under which groups.  This will be important later.

Dump the Direct in Access numbers... this is an option under the Utilities/Trunk Group Listing menus.  This will give you an idea which trunk groups are being used and how.

Dump the Authcodes... this will most likely be back one menu, but still under the Utilities menus.  Type FEATACC to get a list of all of the Feature Access Codes.

Go through each trunk group and write down the first trunk listed.  This is how you'll figure out what type of trunks this group is comprised of (T1s, B1s, DIDs, whatever).

Type TRNKMOD and do a (F)ind for each of the trunk names that you have written down.  If you see something like "T2" for the port type, it's a T1 span... if you see "LS" or "GS" it's either a loop-start or ground-start analog phone line.  If you see anything else, don't worry about it right now.  Find me and ask questions.

What Can I Do With This Stuff?

Now you're going to want to look down the Direct in Access number listing you dumped earlier.

If your list is long enough, you will hopefully have either 1-800 numbers, or other phone numbers which have an access number of 2364 next to them (this number may be different, but will always be in the Feature Access Codes table as "Validation" or something similar towards the bottom-right of the screen).

This means they go to the authcode validator which of course requires one of the authcodes from the list you also dumped earlier.

Congratulations - you have the dial-in and all of the calling cards.  If they aren't using the calling cards, you have several options, of which I'll give you two...

Add Your Own and Set Up an Indial

Look on the Feature Access Codes (FEATACC) screen for the Validation Access which will be towards the lower-right of this screen.

If it's blank, you can add one by typing (A)dd, moving to it, changing it, and hitting HOME and then (A)ctivate.

Now pick a number in the Direct in Access Codes (DIACODE) listing and go to the DIACODE screen and (F)ind this number.  If the first field under this screen is a 1 (match by DNIS) after the find you are all set, especially if it is an 800 number.

Select (C)hange, and change the Access Offset to match the code you found or added into the FEATACC screen.  (Note:  Any other Feature Access Code should work at this point providing it is allowed by the STACOS and RRSCOS of this trunk group.)

Now type AUTHCODE and enter an 8-digit code along with a Class of Service (COS).  If you don't know what Class of Service to use you can just guess, or you can add one into the STACOS and RRSCOS tables.  (These tables are self-explanatory.)  Grab another phone and call the number you set up.  You should get a tone, and you should be able to enter your code and get a second dial tone.

Go For a Direct in System Access (DISH)

Pick a number in the Direct in Access Codes (DIACODE) listing and go to the DIACODE screen and (F)ind this number.

If the first field under this screen is a 1 (match by DNIS) after the find you are all set, especially if it is an 800 number.  Look on the FEATACC table for the "Remote Access" or "Meet Me Conference".  (C)hange the Access Offset of the DIACODE Number to match the Remote Access code.

If the Remote Access code was blank you can either add one to the FEATACC Table or pick another FEATACC Code.  Hit HOME then (A)ctivate it.  You now have an 800 number that will either give you an inside dial tone or drop you into the conference.  (You would now dial 9 to get an outside line.)

If you decide you want to learn a little about routing, you can try the following experiment, providing your SR1000 has 800 numbers in service.

800 Line Routing

If you have a good sized list of numbers in the DIACODE table, you can look at the Access Offset.

Write it down.  (Note:  800 numbers which are not terminated outside the PBX will most likely have a Station number in the DIACODE Access number field instead of a Direct Routing Table Access (DRTA) Number.  DRTAs are usually 1XXX to 19XX, whereas stations are usually 1XX to 9XX.)

If you found a DRTA in DIACODE's Access Offset field, type DRTAS and do a (F)ind for the Access Offset.

You will now get what is called a Routing Code.  Type ROUTE and do a (F)ind on the Routing Code.  Here you will get a table which contains this and any other routing code which associates with the routing table.  Type (N)ext and you will now see the routing procedure which usually selects a trunk group and a dialing procedure.  It looks similar to this:

1] TKGP 15
2] PROCEDURE 54
3]
4]
5]
6]

Now hit Esc and type DIALPROC and (F)ind the procedure listed in your routing table.  This is the actual wink and dial out on the trunk.  It may look something like this:

 1] SEIZE
 2] MF
 3] DIAL D
 4] DIAL 601
 5] DIAL 4672345
 6] DIAL F
 7] WAIT
 8] CONNECT
 9] TERMINATE
10]
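To make the DIACODE -> DRTAS -> ROUTE -> DIALPROC chain above concrete, and to turn the indial/DISA sections into a check an administrator can run over their own table dumps, here is an added example in Python; it is not code from the article or from Solid State Systems, and every table layout, field name and sample value in it is a constructed assumption (the real switch's export format is not documented on this page).

```python
# Added example, not code from the article: a small model of the SR1000 routing
# chain (DIACODE -> DRTAS -> ROUTE -> DIALPROC) plus a config-review check for
# inbound numbers whose Access Offset is a feature access code. Every table
# layout, field name and value below is a constructed assumption.

FEATACC = {"Validation": "2364", "Remote Access": "2371",
           "Meet Me Conference": "2380"}   # feature name -> access code
DIACODE = {                                 # number -> (match by DNIS, Access Offset)
    "8005551234": (1, "1503"),              # offset is a DRTA
    "8005555678": (1, "2371"),              # offset is the Remote Access code
    "8005559999": (1, "412"),               # offset is a station
}
DRTAS = {"1503": "R7"}                      # DRTA number -> routing code
ROUTE = {"R7": ["TKGP 15", "PROCEDURE 54"]} # routing code -> routing table entries
DIALPROC = {"54": ["SEIZE", "MF", "DIAL D", "DIAL 601", "DIAL 4672345",
                   "DIAL F", "WAIT", "CONNECT", "TERMINATE"]}

def classify_offset(offset):
    """Feature codes come from FEATACC; per the article DRTAs are 1XXX-19XX
    and stations 1XX-9XX."""
    by_code = {code: name for name, code in FEATACC.items()}
    if offset in by_code:
        return "feature", by_code[offset]
    if offset in DRTAS or (len(offset) == 4 and offset.startswith("1")):
        return "drta", offset
    if len(offset) == 3:
        return "station", offset
    return "unknown", offset

def resolve(number):
    """Follow one inbound number to its trunk group and dialing procedure."""
    _match_by_dnis, offset = DIACODE[number]
    kind, target = classify_offset(offset)
    if kind != "drta" or offset not in DRTAS:
        return {"kind": kind, "target": target}
    steps = dict(s.split() for s in ROUTE[DRTAS[offset]])  # TKGP / PROCEDURE
    return {"kind": "trunk", "trunk_group": steps["TKGP"],
            "procedure": steps["PROCEDURE"], "dial": DIALPROC[steps["PROCEDURE"]]}

def audit_inbound():
    """Config review: DNIS-matched inbound numbers whose Access Offset is a
    feature code. Remote Access and Meet Me Conference give an inside dial tone
    or a bridge with no authcode, so each hit is a DISA exposure to close."""
    findings = []
    for number, (match_by_dnis, offset) in sorted(DIACODE.items()):
        kind, target = classify_offset(offset)
        if match_by_dnis == 1 and kind == "feature":
            findings.append((number, target))
    return findings
```

On real dumps the same walk also shows which trunk group each 800 number terminates on, which is the information the trunk-group listing step earlier asked you to collect.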

Just a bit more information before I stop rambling:

Cortelco (the distributor for the SR1000) has their own BBS which contains the last version of the SR1000 operating system, which provides hours of meaty debugging pleasure.  (Hey!  It's better than burning a Tandy or crashing Windows, or crashing a Tandy through RadioShack's window...  O.K., maybe not.)

Also, this switch is capable of Silent Monitoring in several different ways... keep this in mind when you get permission to play with one...

More later...  As Bootleg would say, "Nuff Said."

Keep in mind, unauthorized access to any computer is a felony, so of course make sure you have permission before you try such an experiment.  Uhem.
