Inter-Tel Phone Systems
by Sundance Bean
Inter-Tel phone systems can be compromised with simple communications programs like ProComm. A little social engineering is needed to get past the receptionist, depending on the voice mail status of the company in question.
Every day, Inter-Tel systems are remotely programmed from branch offices. So the company should not expect any foul play during your conversation. What worked for me was as simple as, "Hello, I'm XXXXX calling from Inter-Tel, I have an order to do some programming on your system today. Could you please transfer me to extension 260? Thank you."
Sometimes you will get a receptionist with the IQ of lettuce, thereby requiring you to use more patience. You will get, "We don't have an extension 260. Who are you trying to reach?" Simply add, "I'm calling from the company that maintains your telephone system. Extension 260 is the modem extension we use to login to your system." Nine out of ten times you will be transferred.
Logging In - Dial-in properties: 300 bps - 14.4 kbps (8N1)
You will need a telephone connected to your modem on the extra RJ port to accomplish a successful login. Boot up ProComm and enter ATD for modem instructions. Just ATD, that's it.
Dial the company using the Inter-Tel IMX system, engineer yourself to extension 260. When she says she is going to transfer you and you hear the transfer click, hit Enter to execute the manual modem commands and hang up the phone.
After you hear the modems chat for a second or two and you hear silence (or have a blank screen), hit Enter twice and then you're in.
The default database password is just to hit Enter. If there is another password, 1437 or 8996 seem to always work. The possibilities of this system are average, unlike the AXXESS system which I will get into later. (You could run a business literally from someone else's AXXESS system without them knowing.)
I am working on a more detailed file for this system including specifications and database programming procedures. Sometimes extensions get switched around - valid extensions are 260, 261 (voice mail), 270 (GMX and other systems), 271 (other voice mail systems).
Inter-Tel AXXESS & AXXENT
Now to the mother of digital PBX systems.
This is the system that was rated #1 by CTI Magazine. You could run a separate company from this system and no one would even know about it. This system uses proprietary software from Inter-Tel Technologies and there are numerous versions out there.
Valid versions in use are: 2.0, 2.1, 2.2, 3.0, 3.1, 4.0, 4.1, 4.2, 4.22, 4.3, and 5.0 is scheduled for release this year. 25% of systems use 2.0, 25% use 3.x, and 35% use 4.0-4.22, while the remaining 15% use 4.3. I have seen 4.3 via FTP.
The AXXESS also uses extension 260 for remote programming, but also uses 2600 for bigger companies. Barely any social engineering is needed to access these systems mainly because 80% of the companies utilizing the AXXESS have IVR or voice automation installed. Voice mail and/or IVR are accessible once inside 260 or 2600.
Logging In - Dial-in properties, 9.6 - 28.8 kbps (8N1)
Execute the AXXESS software and hit F5 to bring up the connection menu. Enter the appropriate information regarding dialing. Say for example the number is 123-456-7890.
Dial-in properties would be: 11234567890,,,,,260 (or 2600).
Once the modems chat away and your screen calms down, hit F3 to login. Again, the default password is just hitting Enter while 1437 and 8996 also work. Use caution dialing into these systems as the companies probably have T1 with Caller ID activated or standard COs with Caller ID. The access does support DNIS and ANI - on keysets with LCDs, the caller's name and number can appear if the database is programmed to do so.
Companies known to use the AXXESS are Nice Shoes in New York City and Mayer Berkshire, in Wayne, New Jersey. I will go into database programming techniques further in the future. If the company does not have IVR or Voice Automation you will need to use the same technique as the IMX systems.
Where you would enter ATD, you would just leave the phone number blank in the Dial It properties menu, hit Enter, and hang up the phone once the call was transferred.
Beating Access and Account Codes on Inter-Tel Systems
If you are ever in an office that has Inter-Tel installed PBXs and you feel you should add some dollar signs to the phone bill or call your old friend in Peru while in the states, just follow these simple instructions.
Access and Account Codes: Companies that utilize this feature are trying to keep tabs on employees' calling habits. While you would be lucky to guess an employee's four digit account or access code, these few will always work: 8996, 8997, 8998, 8999, and 1437
Voice Mail Boxes: Voice mail is accessed by either dialing extension 200 or 2000 from an Inter-Tel keyset. When dialed you get IVR or Voice Automation and a superficial menu. Hit * and you are asked to enter your mailbox. Nine times out of 10 the password to a mailbox is the extension number. Example: Extension 2342 uses mailbox number 2342 and could have a password of 2342.
Yet there will be mail-boxes you won't be able to into. This is where the Administrator feature comes in.
Usually if there isn't a Telecom Administrator employed at the company, the administrator station is the receptionist's phone. The database of the PBX can also be programmed from this station.
To piss off the receptionist, hit the Special or SPCL (sometimes the special button is shaped like an infinity sign or sideways figure 8) and enter a value of 301. This will put the phone into Japanese mode.
Anyway, the receptionist's mailbox number is either 100 or 1000, with either no password or 100 or 1000 as the password.
When you are into the box, hit 9 to enter into Administrator Mode. Choose the option for mailbox maintenance, enter the mailbox number you wish to get into, verify it is the correct mailbox, and enter 3 for password change, or just 1 for listen to messages. The beauty is, this can be done from the comfort of your own home by dialing the company's main number.