Manipulating the Aspect
by HyTeK
Aspect is a manufacturer of Automatic Call Distribution (ACD) systems, or CallCenter as they call it. It is basically another PBX with specialized functions.
The architecture of the switch is fairly simple. It is based on a very scaled-down version of AT&T System V UNIX. On top of that sits an Informix database, which holds every little piece of data on the switch. The only other piece is the Aspect-developed user interface and call routing software.
The hardware is pretty basic: built-in CSU/DSUs for ISDN or analog T-1s. Everything you plug into the switch (i.e., phones [they call them telsets], circuits, and terminals) has dedicated cards. These cards plug into shelves and are controlled by a dedicated shelf controller card. All of these cards are tied together by - are you sitting down - Ethernet. Yep, standard 10base2 Ethernet (guess what happens when you remove a terminator). This Ethernet bus also connects to the main processor boards: Processor, Ethernet card, and Terminal Control card. The main processor is a Motorola with a SCSI hard drive and tape drive connected to it. The Ethernet card connects the switch to the customer's LAN. The Terminal Control card connects to VT100 terminals.
Why Should I Read On?
You may be wondering "Why do I care about some switch I've never heard of before?"
Well... there are many holes in the system and in the company itself. The biggest hole: all the passwords on every Aspect system in the world are the same for a given software revision! A new software version comes out about one or two times a year, and that is the only time the passwords change. Know the password to one system and you know it for every system. Where would I find one of these systems? I don't want to make it too easy for you, but some of the smaller customers are the IRS and Delta Air Lines. Call one of the IRS's 800 numbers and you are going through an Aspect switch.
Tie This All Together
The main part of the system is the Aspect-written user interface.
It is just standard VT100, but it can also be accessed over TCP/IP. The interface is entirely menu driven and can be learned by just about anyone in a few minutes. You have the option to shell out to UNIX, but this doesn't have much of a "legitimate" use.
To get full use of this interface you have to log into the switch. If you have access to one of the VT100 terminals, you are just about in, if it isn't logged in already. You want to be able to log in as god. All user IDs are the same as the extensions agents use to log into the telsets. The login is usually 9998 and can be 999x - 9999. Its password is what you must find out (more on that later).
The other way in is through the network. You can establish a normal Telnet session with the switch, but this requires a few more passwords. Aspect provides a software package and a script to make Telnetting into the switch easier. When you try to access the switch through the network, it checks your IP address against its hosts file - yeah, you read that right, just an ordinary hosts file in the normal directory.
The last way is through the dial-up modem. There is a password to get past the modem security, but this is the same on all Aspect systems as well. You can also attach a modem to a normal terminal port to make dialing in easier, without having to worry about a dial-up password or Aspect catching someone dialing in on its modems.
Need Input
Aspect is based in San Jose, California, and prides itself on system uptime.
They have big help desks in San Jose and Atlanta, and they can dial into any Aspect system in the world using a four-digit site ID number. Because of the dedication to uptime, the help desk people are very willing to help and very willing to provide information - all you need to know is the site ID number. Even if you don't have an ID number, remember: all you need is one password.
Most of the people in the help desks are not too bright. It is a fast-growing company and will hire anybody for these positions. So, with a little social engineering, anything is possible. The most recent version of the software is 7.0, so you probably want the 7.0 passwords. Passwords for the 999x login spell a word on the DTMF pad, but from the terminal you need to enter the digits. All other passwords are words. They always like to use punctuation that means something (e.g., * is read as "star", ~ as "tilde"). That should be more than enough to get you started.
I'm In!
Now that you are in, the system is yours.
You should create another user and give it the same privileges as the 9998 user, which is called Technician. This gives you an easy backdoor in. Now, what is the most useful thing a switch can do? Reroute incoming local calls or 800 numbers to an agent (or to a long distance trunk).
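Two of the weak points described so far, the hosts file that doubles as the network allowlist and the ease of adding a second Technician-level account, share one defensive answer: keep a known-good copy of the switch's administrative configuration and report any drift from it. The audit below is an added example written for this article, not Aspect code. It assumes an administrator can export a user list (one "user_id privilege_class" per line) and the hosts file as text; both formats and all sample entries here are constructed, and the privilege class name "Technician" and the 999x login range come from the text above.

```python
"""Baseline-drift audit for a switch's administrative configuration.

Added example, not Aspect code. It assumes two text exports an administrator
could pull from the switch (the formats are constructed for this example):
  - a user list, one "user_id privilege_class" per line
  - the hosts file, whose entries double as the network access allowlist
Each is compared against a saved baseline so a quietly added account with
Technician privileges, or a new allowlisted address, is reported instead of
blending in with the legitimate entries.
"""
from dataclasses import dataclass

# Constructed sample exports (not taken from any real switch).
BASELINE_USERS = """\
# user_id  privilege_class
9998  Technician
1001  Supervisor
1002  Agent
"""
CURRENT_USERS = """\
# user_id  privilege_class
9998  Technician
9997  Technician
1001  Supervisor
1002  Agent
"""
BASELINE_HOSTS = """\
127.0.0.1   localhost
10.1.1.10   admin-ws1
"""
CURRENT_HOSTS = """\
127.0.0.1   localhost
10.1.1.10   admin-ws1
10.1.1.77   admin-ws1
"""

PRIVILEGED_CLASSES = {"Technician"}
TECH_LOGIN_RANGE = range(9990, 10000)  # the 999x extensions used for technician logins


@dataclass(frozen=True)
class Finding:
    kind: str    # short machine-readable category
    detail: str  # what changed


def _strip(line: str) -> str:
    """Drop comments and surrounding whitespace; an empty result means skip."""
    return line.split("#", 1)[0].strip()


def parse_users(text: str) -> dict[str, str]:
    """Map user_id -> privilege_class."""
    users = {}
    for raw in text.splitlines():
        line = _strip(raw)
        if line:
            uid, priv = line.split(None, 1)
            users[uid] = priv.strip()
    return users


def parse_hosts(text: str) -> dict[str, set[str]]:
    """Map hostname -> set of addresses (a name may legitimately have several)."""
    hosts: dict[str, set[str]] = {}
    for raw in text.splitlines():
        line = _strip(raw)
        if line:
            addr, *names = line.split()
            for name in names:
                hosts.setdefault(name, set()).add(addr)
    return hosts


def audit_users(baseline_text: str, current_text: str) -> list[Finding]:
    base, cur = parse_users(baseline_text), parse_users(current_text)
    findings = []
    for uid, priv in cur.items():
        if uid not in base:
            kind = "privileged-account-added" if priv in PRIVILEGED_CLASSES else "account-added"
            in_range = uid.isdigit() and int(uid) in TECH_LOGIN_RANGE
            note = " (in technician login range 999x)" if in_range else ""
            findings.append(Finding(kind, f"{uid} {priv}{note}"))
        elif base[uid] != priv:
            findings.append(Finding("privilege-changed", f"{uid}: {base[uid]} -> {priv}"))
    for uid in sorted(base.keys() - cur.keys()):
        findings.append(Finding("account-removed", f"{uid} {base[uid]}"))
    return findings


def audit_hosts(baseline_text: str, current_text: str) -> list[Finding]:
    base, cur = parse_hosts(baseline_text), parse_hosts(current_text)
    findings = []
    for name, addrs in cur.items():
        for addr in sorted(addrs - base.get(name, set())):
            findings.append(Finding("host-entry-added", f"{addr} {name}"))
    for name, addrs in base.items():
        for addr in sorted(addrs - cur.get(name, set())):
            findings.append(Finding("host-entry-removed", f"{addr} {name}"))
    return findings


def run_audit() -> list[Finding]:
    """Audit both exports against their baselines; empty list means no drift."""
    return audit_users(BASELINE_USERS, CURRENT_USERS) + audit_hosts(BASELINE_HOSTS, CURRENT_HOSTS)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.kind:26} {f.detail}")
```

On the sample data the audit reports the new 9997 Technician account and the second address for admin-ws1; the baseline copies should live off the switch, since anyone with the shell can edit what is stored locally.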
All call routing is done using Call Control Tables (CCTs). This is a very simple programming language using one-word commands and parameters. The nice thing is, the system shows you the choices of parameters you have. With a little bit of studying CCTs, you can write a 10-line program to let you dial a local or 800 number, enter a password with your Touch-Tone phone, and be routed to an outbound long distance trunk.
There will be a main CCT used to route incoming calls to agents. You can insert a few lines into the main CCT and be able to break out to a trunk. Something to try: most call centers are busy, so you get hold music. Well, if you play hold music for the incoming calls but at the same time listen for a password, only you will know how to break out of the hold queue.
All other resources are managed by groups. Trunk groups are made for inbound trunks, local trunks, and long distance outbound trunks. Agents are divided into different groups to take different types of calls. Calls can be routed based on Dialed Number Identification Service (DNIS) or ANI. When using a CCT, you have to specify what trunk group the call will be coming in on and what group you want it to go out on. Trunk groups are accessed by the number they are given, but they also have a description.
Covering Your Tracks
Any CCT you make, or anything the CCT accesses, will have to be given a name.
Look around at what other CCTs and trunk groups are called and make up a name that fits the existing naming strategy. Keep in mind that people from Aspect and employees of the company that owns the switch will be in the switch looking around all the time. Any naming you do will be seen by everyone, but if it doesn't stick out, nobody will question it.
After you write a new CCT, you have to load it into the system. This action is written to the logs, and it can take a few minutes and use resources on the switch. Do this after hours! Log files are kept as text files in a /log directory. vi is included on the system - edit the logs. There are nine log files. List them by date and edit the most recent one. Don't let anybody see that CCTs have been loaded into the system. Any administrator who sees this will question what has happened.
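The two facts in the paragraph above, that a CCT load leaves a log entry and that the log is a plain text file anyone with the shell can edit, point to the obvious countermeasure: copy /log to another host on a schedule and do the checking there. The script below is an added example written for this article, not Aspect software. It flags CCT loads stamped outside business hours and compares two copies of the same log file taken at different times; an append-only log's later copy must begin with the earlier copy verbatim, so a missing line is evidence of editing. The log line format, the event names (CCT_LOAD, LOGIN, LOGOUT) and every sample entry are constructed for the example; a real switch's format will differ.

```python
"""Detect after-hours CCT loads and log tampering from off-box log copies.

Added example, not Aspect code. The switch writes a log entry when a CCT is
loaded and keeps its logs as plain text in /log, where anyone with a shell
can edit them. The defence is to copy each log file to another host on a
schedule and examine the copies there: a CCT load outside business hours is
flagged, and a later copy that no longer contains everything an earlier copy
held shows the file was edited rather than appended to. The line format below
is constructed for this example; a real switch's format will differ.
"""
import re
from datetime import datetime

# Constructed log format: "<YYYY-MM-DD HH:MM:SS> <EVENT> <key=value ...>".
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>[A-Z_]+)(?: (?P<rest>.*))?$"
)

# Constructed sample: the same /log file copied twice, a few hours apart.
# In the later copy the CCT_LOAD line has been removed with an editor.
SNAPSHOT_EARLIER = [
    "1996-03-14 17:55:10 LOGIN user=9998 port=tty3",
    "1996-03-14 23:41:02 CCT_LOAD name=MAINRTE user=9998",
    "1996-03-14 23:44:30 LOGOUT user=9998 port=tty3",
]
SNAPSHOT_LATER = [
    "1996-03-14 17:55:10 LOGIN user=9998 port=tty3",
    "1996-03-14 23:44:30 LOGOUT user=9998 port=tty3",
    "1996-03-15 08:02:11 LOGIN user=1001 port=tty1",
]


def parse_line(line: str):
    """Return (timestamp, event, rest) or None for a line that does not match."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["event"], m["rest"] or ""


def after_hours_loads(lines, start_hour=8, end_hour=18):
    """CCT_LOAD entries stamped outside [start_hour, end_hour) or on a weekend."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, _ = parsed
        weekend = ts.weekday() >= 5
        if event == "CCT_LOAD" and (weekend or not start_hour <= ts.hour < end_hour):
            hits.append(line)
    return hits


def tampering_indicators(earlier, later):
    """Compare two copies of the same append-only log file.

    The later copy must start with the earlier copy verbatim. Returns a list of
    reasons (empty means consistent): one entry per line that disappeared, or a
    generic note if earlier content was altered in place or reordered.
    """
    if later[: len(earlier)] == earlier:
        return []
    later_set = set(later)
    reasons = [f"line removed: {line}" for line in earlier if line not in later_set]
    if not reasons:
        reasons.append("earlier content altered or reordered")
    return reasons


if __name__ == "__main__":
    print("after-hours CCT loads, earlier copy:", after_hours_loads(SNAPSHOT_EARLIER))
    print("after-hours CCT loads, later copy:  ", after_hours_loads(SNAPSHOT_LATER))
    for reason in tampering_indicators(SNAPSHOT_EARLIER, SNAPSHOT_LATER):
        print("tampering:", reason)
```

Run against the sample copies, the earlier snapshot shows the 23:41 CCT load, the later one shows nothing, and the comparison names the line that vanished. Two practical points: the copies must be pulled often enough that the entry is captured before the "edit the most recent one" step, and since the nine log files rotate, copies have to be matched per file (for instance by first line) so a freshly rotated file is not mistaken for a truncated one.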
Other Thoughts
Remember, the switch is connected to the network through Ethernet.
The Ethernet card doesn't filter anything out. While 500 agents' phone calls are going through the internal Ethernet bus, all packets from the LAN are broadcast on the internal Ethernet as well. What happens when the Ethernet is totally flooded?
Most on-site work for Aspect is done by a company called Norstan, the only company certified to work on these switches. Remember that the help desk people are pretty clueless, and they don't know everybody from Norstan.
Find out more at www.aspect.com. The help desk number for Aspect is 800-541-7799.
And, as always, have fun and be careful.
This is provided as information only. Use at your discretion.