// Attention Kmart Hackers //
// by dual_parallel //
// http://www.oldskoolphreak.com

Kmart is almost as ubiquitous as Wal-Mart, and every bastion of BlueLight is filled with technology to play with. This article explores that technology.

At the Customer Service counter sits one of two public computers running BlueLight.com, Kmart's online shopping application. These computers (the other residing in Electronics or sometimes at Sporting Goods) run NT 4, have LCD monitors, a keyboard and an enclosed trackball where the right mouse button is trapped under plastic. The BlueLight.com application starts automatically, so logging off or shutting down just brings the application right back up. Ctrl+Shift+Esc for 10 or 15 seconds will open infinite Task Managers and crash the machine, but that's not what we want (plus, sysadmins are actually getting around to applying patches and service packs). We want info and access, like browsing all the nodes on Kmart’s big network. Start with BlueLight.

BlueLight.com (v 1.0.55) is an e-commerce application that features products and a shopping cart, running on publicly available NT computers in undoubtedly every Kmart across the nation. The application is a browser, accessing the Internet to transmit selections from the local Kmart to Kmart.com’s servers (kih.kmart.com).

BlueLight takes over the machine, running in the foreground. So the first thing to do is to log off by pressing Ctrl+Alt+Delete and Logoff. The machine will cycle quickly, bringing up the NT desktop and then the BlueLight app. Now, do anything to stop the machine from running the BlueLight app. Hit function keys, click something from the Start button, anything. I was lucky. There were some printer configuration problems that popped up an error window and stopped BlueLight. I left the printer error window alone and started poking around the desktop. I saw that anything significant that could be accessed from the Start button was missing. Task Manager was disabled.
The only thing in the system tray was antivirus and...the clock.

I double-clicked the clock and the time was correct. Not for long. Windows apps and temporal anomalies don't mix. So I set the year to 1980, clicked Apply, and OK. Dr. Watson promptly crashed. What can I leverage here? One of the buttons in the Dr. Watson error window was Help. I messed around in Help until I had the option to search for Windows Help files. This gave me an Open File dialog box. Should I search the C drive, C:\WINNT? No, I went to Network Neighborhood.

Kmart has a lot of computers. I only perused a little, but I saw large nets like kmnorthamerica, kminternational, kih.kmart.com - way more than I could write down without being noticed. I plan to go back and check out Kmart's network, mainly because I believe Kmart is counting on securing unwanted access from the BlueLight computers (which probably have trusted access) to the rest of their network by locking down these NT boxes.

I'm also going back to play with the phones. Kmart uses a Nortel Norstar phone system, with phones hanging on columns throughout the store. Therefore, I'm sure all customers are more than welcome to access these feature-rich phones (see Table 1).

Table 1: Norstar Features
-------------------------
Background Music              Feature 8 6
Call Forward                  Feature 4
Call Pickup                   Feature 7 5
Conference/Transfer           Feature 3
Do Not Disturb                Feature 8 5
Exclusive Hold                Feature Hold
Last Number Redial            Feature 5
Link                          Feature 7 1
Message - Reply               Feature 6 5
Message - Send                Feature 1
Page                          Feature 6 0
Program External Autodial     Feature * 1
Program Feature Autodial      Feature * 3
Program Internal Autodial     Feature * 2
Ring Again                    Feature 2
Speed Dial                    Feature 0
Transfer (if equipped)        Feature 7 0
Voice Call                    Feature 6 6
Voice Call Deny               Feature 8 8
Cancel Features               Feature + # + code

Extensions are not the same at every store, but this list (see Table 2) should be useful.

Table 2: Kmart Extensions
-------------------------
200 Garage            366 Layaway
211 Auto              377 Manager
222 Camera            388 Mens & Boys
233 Cash Cage         399 Personnel
244 Check Out 1       400 Pharmacy 1
255 Check Out 2       411 Pharmacy 2
266 Dressing Rm.      414 Pharmacy 3
277 Eatery/Deli       422 Processing
288 Footwear          433 Receiving
299 Garden Ins        444 HBA/Reader
300 Garden Out        455 Securities
311 Office            466 Service Desk 1
322 Electronics       477 Service Desk 2
333 Housewares        488 Sporting
344 Jewelry           499 Toys
355 Ladies            500 605 Area

The POS system at Kmart is IBM centric with Symbol peripherals. Kmart uses IBM 4683 POS terminals with NCR countertop UPC scanners and Checkmate MICR scanners. The pin pads used are Checkmate model CM 2120's, OS 1.07, version 2.1. Gain access to the pin pad by pressing the four small buttons by the LCD screen, and the two bottom-most buttons, green Enter and red Cancel, simultaneously. You'll get a password prompt, where I've yet to guess the correct code. An incorrect password gets CM2100 Starting O.S...

On the way to the back of the store (towards Layaway), you’ll notice a Symbol Spectrum 4 network controller adapter (NCA) high up on a column. The NCA connects the 4683 POS computers, the Symbol hand-held terminals, and the IBM 4680 server in the back. The Spectrum 4 allows price-update downloads, remote administration of the 4683 terminals, and storewide communication with the hand-helds.

Once in Layaway, you'll find payphones and two terminals, both Symbol LS 7000 II's with bar code guns plugged into Symbol Link LL320's. The first menu on the LS 7000 II's is the Layaway Application Menu, with the following choices:

1. Layaway
2. Store Functions
3. Layaway Reporting
4. End of Day

Basically, the only time to use the Layaway computers is when Layaway is closed. Unfortunately, the End of Day functions have been performed, and a new day has to be initiated to access any other functions.

On a side note, by the pharmacy sits a Health Monitor Center.
It's a Vita-Stat computer that measures blood pressure and heart rate. Three buttons adorn the fake wood-veneered, sit-down cabinet - Start, Erase, and Stop. I'd love to see a hack for this, like artificially high readings.

As one can see, Kmart holds a lot of promise - further access on the BlueLight network, exploring the POS system, spoofing heart conditions - all in the name of hacking fun.

1-800-866-0086 - Kmart locator
1-800-GO-KMART - Kmart Mastercard