// Attention Kmart Hackers
//
// by dual_parallel
//
// http://www.oldskoolphreak.com

Kmart is almost as ubiquitous as Wal-Mart, and every bastion of BlueLight is 
filled with technology to play with.  This article explores that technology.
 
At the Customer Service counter sits one of two public computers running 
BlueLight.com, Kmart's online shopping application.  These computers (the other
residing in Electronics or sometimes at Sporting Goods) run NT 4, have LCD 
monitors, a keyboard and an enclosed trackball where the right mouse button is 
trapped under plastic.  The BlueLight.com application starts automatically, so 
logging off or shutting down just brings the application right back up.   
Ctrl+Shift+Esc for 10 or 15 seconds will open infinite Task Managers and crash 
the machine, but that's not what we want (plus, sysadmins are actually getting 
around to applying patches and service packs).  We want info and access, like 
browsing all the nodes on Kmart’s big network.  Start with BlueLight.  
             
BlueLight.com (v 1.0.55) is an e-commerce application that features products and 
a shopping cart, running on publicly available NT computers in undoubtedly every 
Kmart across the nation.  The application is a browser, accessing the Internet 
to transmit selections from the local Kmart to Kmart.com’s servers 
(kih.kmart.com).  BlueLight takes over the machine, running in the foreground.  
So the first thing to do is to log off by pressing Ctrl+Alt+Delete and Logoff.  
The machine will cycle quickly, bringing up the NT desktop and then the 
BlueLight app.  Now, do anything to stop the machine from running the BlueLight 
app.  Hit function keys, click something from the Start button, anything.  I was 
lucky.  There were some printer configuration problems that popped up an error 
window and stopped BlueLight.
 
I left the printer error window alone and started poking around the desktop. I 
saw that anything significant that could be accessed from the Start button was 
missing.  Task Manager was disabled.  The only thing in the system tray was 
antivirus and...the clock.  I double-clicked the clock and the time was 
correct.  Not for long.  Windows apps and temporal anomalies don't mix.  So I
set the year to 1980, clicked Apply, and OK.  Dr. Watson promptly crashed.
 
What can I leverage here?  One of the buttons in the Dr. Watson error window 
was Help.  I messed around in Help until I had the option to search for Windows
Help files.  This gave me an Open File dialog box.
 
Should I search the C drive, C:\WINNT?  No, I went to Network Neighborhood.  
Kmart has a lot of computers.  I only perused a little, but I saw large 
nets like kmnorthamerica, kminternational, kih.kmart.com - way more than I could 
write down without being noticed.
 
I plan to go back and check out Kmart's network, mainly because I believe Kmart 
is counting on securing unwanted access from the BlueLight computers (which 
probably have trusted access) to the rest of their network by locking down these 
NT boxes.
 
I'm also going back to play with the phones.  Kmart uses a Nortel Norstar phone 
system, with phones hanging on columns throughout the store.  Therefore, I'm 
sure all customers are more than welcome to access these feature-rich phones 
(see Table 1).
 
Table 1: Norstar Features
-------------------------
Background Music                Feature 8 6
Call Forward                    Feature 4
Call Pickup                     Feature 7 5
Conference/Transfer             Feature 3
Do Not Disturb                  Feature 8 5
Exclusive Hold                  Feature Hold
Last Number Redial              Feature 5
Link                            Feature 7 1
Message - Reply                 Feature 6 5
Message - Send                  Feature 1
Page                            Feature 6 0
Program External Autodial   	Feature * 1
Program Feature Autodial   	Feature *3
Program Internal Autodial    	Feature *2
Ring Again                      Feature 2
Speed Dial                      Feature 0
Transfer (if equipped)          Feature 7 0
Voice Call                      Feature 6 6
Voice Call Deny                 Feature 8 8
Cancel Features                 Feature + # + code
 
Extensions are not the same at every store, but this list (see Table 2) should 
be useful.
            
Table 2: Kmart Extensions
-------------------------
200 Garage               	366 Layaway
211 Auto                    	377 Manager
222 Camera              	388 Mens & Boys
233 Cash Cage       	 	399 Personnel
244 Check Out 1       		400 Pharmacy 1
255 Check Out 2       		411 Pharmacy 2
266 Dressing Rm.     		414 Pharmacy 3
277 Eatery/Deli         	422 Processing
288 Footwear            	433 Receiving
299 Garden Ins          	444 HBA/Reader
300 Garden Out        		455 Securities
311 Office                  	466 Service Desk 1
322 Electronics         	477 Service Desk 2
333 Housewares       		488 Sporting
344 Jewelry               	499 Toys
355 Ladies                	500 605 Area
 
The POS system at Kmart is IBM centric with Symbol peripherals.  Kmart uses IBM 
4683 POS terminals with NCR countertop UPC scanners and Checkmate MICR scanners. 
The pin pads used are Checkmate model CM 2120's, OS 1.07, version 2.1.  Gain 
access to the pin pad by pressing the four small buttons by the LCD screen, and 
the two bottom-most buttons, green Enter and red Cancel, simultaneously.  You'll 
get a password prompt, where I've yet to guess the correct code.  An incorrect 
password gets
 
CM2100
Starting O.S...
 
On the way to the back of the store (towards Layaway), you’ll notice a Symbol 
Spectrum 4 network controller adapter (NCA) high up on a column.  The NCA 
connects the 4683 POS computers, the Symbol hand-held terminals, and the IBM 
4680 server in the back.  The Spectrum 4 allows price-update downloads, remote 
administration of the 4683 terminals, and storewide communication with the 
hand-helds.   
 
Once in Layaway, you'll find payphones and two terminals, both Symbol LS 7000 
II's with bar code guns plugged into Symbol Link LL320's.  The first menu on the 
LS 7000 II's is the Layaway Application Menu, with the following choices:
 
1. Layaway
2. Store Functions
3. Layaway Reporting
4. End of Day
 
Basically, the only time to use the Layaway computers is when Layaway is closed. 
Unfortunately, the End of Day functions have been performed, and a new day has 
to be initiated to access any other functions.
 
On a side note, by the pharmacy sits a Health Monitor Center.  It's a Vita-Stat 
computer that measures blood pressure and heart rate.  Three buttons adorn the 
fake wood-veneered, sit-down cabinet - Start, Erase, and Stop.  I'd love to see 
a hack for this, like artificially high readings.
 
As one can see, Kmart holds a lot of promise - further access on the BlueLight 
network, exploring the POS system, spoofing heart conditions - all in the name 
of hacking fun.
 
1-800-866-0086 - Kmart locator
1-800-GO-KMART - Kmart Mastercard