.    ..  ... .......... BL4CKM1LK teleph0nics .......... ...  ..    .
    .    ..  ... .......... http://hybrid.dtmf.org ......... ...  ..    .


So close it has no boundaries...

A blinking cursor pulses in the electric darkness like a heart coursing with
phosphorous light, burning beneath the derma of black-neon glass. A PHONE
begins to RING, we hear it as though we were making the call. The cursor
continues to throb, relentlessly patient, until...


Meridian I Switch and Trunk Interception.......... .....     ...        .      
An account of how an ENTIRE company's PBX......... .....     ...        .
can be taken over (The hardcore phreak way)....... .....     ...        .
by hybrid <hybrid@dtmf.org hybrid@ninex.com>...... .....     ...        .


Hi. I'm not going to write a mad big introduction to this article, because
I don't feel there is a need for one. All I want to say here is that this
article is intended for the more "hardcore" phreak, yes, hardcore phreak, not
for lame ass calling card leeching kiddies who call themselves phreaks. If
you are interested in hacking telephony switches, and you have prior
knowledge of Meridian, read on..

Through my experience, I've seen a lot of Meridian admins go through many
different and sometimes repetitive lengths to supposedly secure an internal
PSTN connected PABX. In this article I'm going to share my knowledge of
PBX switch hacking, and enlighten you to the intricate techniques that can
be used to "trunk hop" etc. The information provided in this article has been
obtained from my own personal accounts of hacking telephony switches, which
I'd like to state, I don't participate in anymore.

Now, for the sake of time saving, I'll set up a possible scenario.. Consider
the following:

        o You have stumbled across a nice Meridian Mail system, which you
          have already compromised by finding yourself a few boxes in there.
          You discover that the Meridian Mail system you have gained access
          to belongs to a certain telco, and is used for internal
          communication between employees high up in the hierarchical chain.

Now, any "normal" phreak would gradually take over the system by finding as
many free boxes as possible and handing them over to friends, or would keep
the nice lil' system to themselves as a means of obtaining information about
the telco that owns the PBX, by eavesdropping on used voicemail boxes. This
is a very primitive form of remote eavesdropping, which this file is not
designed to illustrate.

Meridian PBX systems are all administered by a primary system console, which
can be remotely accessed by many different protocols. The most popular of
which is remote dialup via assigned extensions. If the company's main switch
is Centrex based, it is likely that the Meridian admin console is accessible
via IP on the company's intranet. If you manage to gain access to the
actual switching component, you are likely to have the following privileges
on the Meridian based network:

        o 100% control over every single inbound/outbound trunk group
        o Access to every single voicemail box on the switch
        o Access to trunk/group/node administration

Basically, the Meridian administration module is designed to make the admin
(or whoever has access to it) GOD over the entire system. I say GOD because
you could do anything you wanted, as far as your telephony derived
imagination extends. OK, enough of this.. I'm going to stop going on about
what-ifs for the time being and concentrate on the factual information, and
how one would go about accessing such a switch.

The simplest way to find the internal dialup to a Meridian switch is to
scan the internal extensions which the switch controls. It's generally a
good idea to begin scanning network/node extensions such as 00,01,02,03[xx]
etc. What you are looking for is a modem carrier, which when you connect
should ask you for a single password, which in most cases is bypassed
by hitting control-SD. Once you are in, you should receive the switch's
command line prompt, something similar to this:

>

or

SWITCH0>

OMG, I hear you think.. It looks like a DMS switch prompt.. Well, it is, in
a funny kind of way. Meridian switches are designed to emulate certain levels
of DMS-100 O/S types, so you'll find that many of the BCS levelled commands
that you know from DMS will be useful here. The information that follows
has been obtained from public Meridian Mail Administration sources on the
net..

/*

Basic Meridian 1 Security Audit 
-------------------------------

        "Users will go nuts calling a radio station to win a free toaster,
         taking over all the trunks in your phone system."

An audit of the Meridian 1 telephone system will ensure that every possible
"system" precaution has been made to prevent fraud. The first step involves
querying data from the system in the form of printouts (or "capturing" the
data to a file in a PC). The next step is to analyze the data and confirm the
reason for each entry. Please be advised that this procedure is not designed
for all "networked" Meridian 1 systems, however, most of the items apply to
all systems. Use at your own risk.

PRINTOUTS REQUIRED FOR SECURITY AUDIT: It is suggested that you "capture" all
of the data from these printouts to separate files. This can be accomplished
with a PC and communications program. For the BARS LD90 NET printout, try
this file. (enclosed in faith10.zip barparse.zip)

------------------------------------------------------------------------------
LD22 CFN                LD22 PWD        LD21 CDB             LD21 RDB
LD21 LTM                LD23 ACD        LD24 DISA            LD20 SCL 
LD86 ESN                LD86 RLB        LD86 DMI             LD87 NCTL 
LD87 FCAS               LD87 CDP        LD90 NET             LD90 SUM 
LD20 TNB                LD22 DNB        LD88 AUB 
------------------------------------------------------------------------------

GATHERING DATA FROM LD81
------------------------
List (LST) the following FEAT entries to form an information base on the
telephones.

------------------------------------------------------------------------------
NCOS 00 99              CFXA            UNR             TLD             SRE
FRE                     FR1             FR2             CUN             CTD
------------------------------------------------------------------------------

DATA BLOCK REVIEW ITEMS
-----------------------
From the printouts, a review of the following areas must be made. Some of the
items may or may not be appropriate depending on the applications of the
telephone system.


------------------------------------------------------------------------------
CFN - Configuration     Verify that History File is in use.
------------------------------------------------------------------------------
PWD - Passwords         Verify that FLTH (failed login attempt threshold) is
                        low enough. Verify that PWD1 and PWD2 (passwords) use
                        both alpha and numeric characters and are eight or
                        more characters long. Note any LAPW's (limited access
                        passwords) assigned. Enable audit trails. 
------------------------------------------------------------------------------
CDB - Customer          Verify that CFTA (call forward to trunk access code)
Data Block              is set to NO. Verify NCOS level of console. Verify
                        that NIT1 through NIT4 (or other night numbers) are
                        pointing to valid numbers. EXTT prompt should be NO
                        to work in conjunction with trunk route disconnect
                        controls (See RDB)
------------------------------------------------------------------------------
RDB - Trunk Route       Verify that every route has a TARG assigned. Confirm
Data Block              that FEDC and NEDC are set correctly. ETH is typical,
                        however for maximum security in blocking trunk to
                        trunk connections, set NEDC to ORG and FEDC to JNT
                        Confirm that ACCD's are a minimum of four digits long
                        (unless for paging). If ESN signaling is active on
                        trunk routes, verify that it needs to be. ESN
                        signaling, if not required, should be avoided. NOTES
                        ON TGAR: For demonstration purposes, this document
                        suggests that sets be a "TGAR 1". The only
                        requirement for TGAR is that it match one of the TARG
                        numbers assigned in the Route Data Block 
------------------------------------------------------------------------------
ACD - Automatic         Verify ACD queues and associated NCFW numbers.
Call Distribution       Verify all referenced extensions. 
------------------------------------------------------------------------------
DISA - Direct           Remove DISA if not required. If required, verify that
Inward System           security codes are in use.
Access
------------------------------------------------------------------------------
ESN - Electronic        AC1 is typically "9". If there is an AC2 assigned,
Switched Network        verify its use. If TOD or ETOD is used - verify what
                        NCOS levels are changed, when they are changed and
                        why they are changed. Apply FLEN to your SPNs to
                        ensure nobody is ever allowed to be transferred to a
                        partially dialed number, like "Transfer me to 91800".
                        Study EQAR (Equal Access Restriction) to ensure that
                        users can only follow a "Carrier Access Code" with a
                        zero rather than a one:   (1010321-1-414-555-1212 is
                        blocked but 1010321-0-414-555-1212 is allowed with
                        EQAR) 
------------------------------------------------------------------------------
NCTL - Network          Use LD81 FEAT PRINT to verify all NCOS being used.
Control                 Does NCOS 0 = FRL 0? Does NCOS X always equal FRL X
                        in the NCTL? Does FRL 0 have any capabilities? - It
                        should not be able to dial anything. 
------------------------------------------------------------------------------
FCAS - Free Call        Confirm the need to use FCAS and remove it if
Screening               possible. FCAS is usually a waste of system memory
                        and complicates the system without saving money. 
------------------------------------------------------------------------------
DGT (DMI) - Digit       Confirm all numbers referenced in the "insert"
Manipulation            section of each DMI table. 
------------------------------------------------------------------------------
RLB - BARS Route        Are any RLB ENTR'S assigned FRL 0 - typically, only
List Block              the RLB that handles 911 calls should have an FRL 0.
                        If DMI is in use, confirm all "inserted" numbers. 
------------------------------------------------------------------------------
CDP - BARS              Are all CDP numbers valid? Check the RLBs they point
Coordinated             to and see what the DMI value is. Confirm insertions.
Dialing Plan
------------------------------------------------------------------------------
NET - ALL - BARS        Add 000,001,002,003,004,005,006,007,008,009 as SPNs
Network Numbers         pointing to a route list block that is set to LTER
                        YES. These entries block transfers to "ext. 9000" and
                        similar numbers. Point SPN "0" to a RLI with a high
                        FRL, then consider adding new SPNs of 02, 03, 04, 05,
                        06, 07, 08, 09 to point to a RLI with a lower FRL so
                        that users cannot dial "0", but can dial "0+NPA"
                        credit card calls. Check FRL of 0, 00, 011 and
                        confirm that each is pointed to a separate NET entry
                        requiring a high FRL. Remove all offshore NPAs (like
                        1-809 Dominican Republic) if possible. Regulations
                        are almost non-existent in some of those areas and
                        they are hot fraud targets. Verify blocking 900 and
                        976 access. Also consider blocking the NXX of your
                        local radio station contest lines. Users will go nuts
                        calling a radio station to win a free toaster, taking
                        over all the trunks in your phone system. Restrict
                        the main numbers and DID range within the BARS
                        system. There is no need to call from an outgoing to
                        an incoming line at the same location.
------------------------------------------------------------------------------
TRUNKS                  Confirm that all trunks have TGAR assigned. Confirm
                        that all incoming and TIE trunks have class of
                        service SRE assigned. (caution on networked systems) 
                        Confirm that all trunks have an NCOS of zero. 
                        NOTES ON TGAR: For demonstration purposes, this
                        document suggests that sets be a "TGAR 1". The only
                        requirement for TGAR is that it match one of the TARG
                        numbers assigned in the Route Data Block 
------------------------------------------------------------------------------
SETS-PHONES             Does every phone have a TGAR of 1 assigned? (This
                        must be checked set by set, TN by TN). Can you change
                        every phone that is UNR to CTD? Review LD81 FEAT
                        PRINT to find out the UNR sets. CTD class of service
                        is explained below. Confirm that all sets are
                        assigned CLS CFXD? Confirm that the NCOS is
                        appropriate on each set. In Release 20 or above,
                        removing transfer feature may be appropriate. Confirm
                        that all sets CFW digit length is set to the system
                        DN length. NOTES ON TGAR: For demonstration purposes,
                        this document suggests that sets be a "TGAR 1". The
                        only requirement for TGAR is that it match one of the
                        TARG numbers assigned in the Route Data Block. Apply
                        Flexible Trunk to Trunk Connections on the set, and
                        FTOP in the CDB if deemed appropriate. These
                        restrictions are done on a set by set basis and allow
                        or deny the ability to transfer incoming calls out of
                        the facility.
------------------------------------------------------------------------------
VOICE MAIL PORTS        Each port should be CLS of SRE. Each port should be
                        NCOS 0 (NCOS 0 must be known to be too low to pass
                        any call). Each port should be TGAR 1 (all trunk
                        routes must be TARG 1 also). NOTES ON TGAR: For
                        demonstration purposes, this document suggests that
                        sets be a "TGAR 1". The only requirement for TGAR is
                        that it match one of the TARG numbers assigned in the
                        Route Data Block. NOTE: If you are used to your Mail
                        system doing outcalling, you can forget about that
                        working after applying these restrictions. 
------------------------------------------------------------------------------

CLASS OF SERVICE AND TRUNK GROUP ACCESS RESTRICTIONS:
-----------------------------------------------------
EXPLANATION OF CLASS OF SERVICE SRE: 
------------------------------------
NTP DEFINITION: Allowed to receive calls from the exchange network.
Restricted from all dial access to the exchange network. Allowed to access
the exchange network through an attendant or an unrestricted telephone only.
Essentially, an SRE set can do nothing on its own except dial internal and
TIE line extensions. If a trunk is SRE - it will work normally and allow
conference calls and transfers. 

EXAMPLES OF 'SRE' IN USE: 
-------------------------
Voice Mail cannot connect to an outgoing line, but can receive incoming
calls. Callers on the far end of a TIE line cannot call out through your end
(for their sake, both ends should be SRE). 

EXPLANATION OF CLASS OF SERVICE CTD: 
------------------------------------
If a route access code is accessed (if there was no match between the TGAR
and TARG), the caller cannot dial 1 or 0 as the leading digits. If the caller
makes a "dial 9" BARS call, the NCOS will control the call.

EXPLANATION OF TGAR AND TARG: 
-----------------------------
The best restriction is to have all trunk routes TARG'd to 1 and all TNs
(including actual trunk TNs) TGAR'd to 1. This will block all access to
direct trunk route selection. 

BENEFITS OF IMPLEMENTING THESE SECURITY RESTRICTIONS 
----------------------------------------------------
No incoming caller will have access to an outside line unless physically
transferred or conferenced by an internal party. If voice mail ports are SRE
and NCOS 0 and have a TGAR matching the TARG - they will not be able to
transfer a call out of the system, regardless of the voice mail system's
resident restrictions assigned. No phone will be able to dial a trunk route
access code. Consider allowing telecom staff this ability for testing. 

Layered security:
-----------------
If in phone programming, TGAR was overlooked on a phone, the CTD class of
service would block the user from dialing a 0 or 1 if they stumble upon a
route access code. If in programming, the CTD class of service was
overlooked, both TGAR and NCOS would maintain the restrictions. If in
programming, the NCOS is overlooked, it will default to zero, which is
totally restricted if NCTL and RLBs are set up correctly.
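The audit above is done by capturing printouts to a PC and reading them set by set. As an added example (not code from the article or from the quoted audit document), the following Python script reads a capture of the shape LD20 PRT TNB produces and reports, for every set, which of the layered restrictions just described is missing: a TGAR that matches no route TARG, a UNR class of service where CTD is expected, CFXA where CFXD is expected, and, for voice mail ports, anything other than SRE with NCOS 0. The capture text, the TARG set and the voice mail DN list in the script are constructed sample data, not from a real switch.

```python
"""Check a captured Meridian 1 TN printout against the audit items above.

Added example, not code from the original article or the quoted audit
document. It parses DES/TN/TYPE/.../CLS blocks of the shape LD20 PRT TNB
produces once captured to a text file, and reports per set which layered
restriction (TGAR matching a route TARG, CTD class of service, voice mail
port SRE/NCOS 0) is missing. All sample data below is constructed.
"""

# Constructed sample capture: two telephones and one voice mail port.
SAMPLE_CAPTURE = """\
DES 5135
TN 004 0 14 00
TYPE 500
CUST 0
DN 5135 MARP
     CPND
     NAME Typical User
TGAR 1
NCOS 5
CLS CTD DTN FBD XFA WTA THFD FND HTD ONS
    GPUD DPUD CFXD ARHD OVDD

DES 5140
TN 004 0 14 01
TYPE 2616
CUST 0
DN 5140 MARP
TGAR 0
NCOS 7
CLS UNR DTN FBD XFA WTA
    GPUD DPUD CFXA ARHD

DES VMP001
TN 008 0 00 00
TYPE 500
CUST 0
DN 7000 MARP
TGAR 1
NCOS 0
CLS SRE DTN FBD XFA
    CFXD
"""

# TARG values assigned to trunk routes in the RDB (constructed; the audit
# text recommends TARG 1 on every route).
ROUTE_TARGS = {1}

# DNs of the voice mail ports (constructed).
VOICE_MAIL_DNS = {"7000"}


def parse_tn_blocks(text):
    """Split a captured printout into one dict per TN block.

    Prompts such as CLS (and CPND under DN) continue on indented lines;
    those continuation lines are folded into the preceding prompt's value.
    """
    blocks, current, last_key = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():                 # blank line ends a block
            if current:
                blocks.append(current)
            current, last_key = {}, None
            continue
        if raw[0].isspace() and last_key:   # continuation line
            current[last_key] += " " + raw.strip()
            continue
        key, _, value = raw.strip().partition(" ")
        current[key] = value.strip()
        last_key = key
    if current:
        blocks.append(current)
    return blocks


def audit_set(block, route_targs=ROUTE_TARGS, vm_dns=VOICE_MAIL_DNS):
    """Return the audit findings for one TN block (empty list = clean)."""
    cls = set(block.get("CLS", "").split())
    tgar = int(block.get("TGAR", "0"))
    ncos = int(block.get("NCOS", "0"))
    dn = block.get("DN", "").split()[0] if block.get("DN") else ""
    findings = []
    # Layer 1: TGAR must match a TARG, or the set can select a trunk route directly.
    if tgar not in route_targs:
        findings.append("TGAR %d matches no route TARG" % tgar)
    # Layer 2: CTD rather than UNR, so 0/1 cannot follow a route access code.
    if "UNR" in cls:
        findings.append("CLS UNR (should be CTD)")
    # Call forward to external numbers should be denied on every set.
    if "CFXA" in cls:
        findings.append("CLS CFXA (should be CFXD)")
    # Voice mail ports need SRE, NCOS 0 and a matching TGAR, all three.
    if dn in vm_dns:
        if "SRE" not in cls:
            findings.append("voice mail port lacks CLS SRE")
        if ncos != 0:
            findings.append("voice mail port NCOS %d (should be 0)" % ncos)
    return findings


def audit_capture(text, route_targs=ROUTE_TARGS, vm_dns=VOICE_MAIL_DNS):
    """Map each DES to its findings for a whole captured printout."""
    return {b["DES"]: audit_set(b, route_targs, vm_dns)
            for b in parse_tn_blocks(text)}


if __name__ == "__main__":
    for des, found in audit_capture(SAMPLE_CAPTURE).items():
        print(des, "OK" if not found else "; ".join(found))
```

Point the script at a real capture file instead of SAMPLE_CAPTURE and fill ROUTE_TARGS from the LD21 RDB printout; a set that comes back clean still needs its NCOS checked against the NCTL block, which this script does not model.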


Quick Tour of a Simple Meridian 1 BARS Call
-------------------------------------------
Basic Automatic Route Selection. If you dial "9", you are accessing BARS.
"9" is the "BARS Access Code" 

   1. A telephone dials "9" - BARS activates. 
   2. The telephone calls a number - Example: 1-312-XXX-XXXX 
   3. The PBX holds the digits while it looks up "1-312" to figure out what
      Route List to use for processing the call. 
   4. The Route List determines the possible trunk routes that can be used. 
   5. The Route List checks the facility restriction level of the telephone
      and compares it to its own required facility restriction level. 
   6. The Route List checks to see if any special digit manipulation should
      be performed.

LD90 NET
--------
The LD90 Network overlay is where area codes and exchanges are defined. If a
prefix is not entered into LD90, it cannot be dialed through BARS. Each area
code or exchange refers to a "Route List" or RLI which contains the
instructions for routing the call.

>ld 90
ESN000

REQ prt
CUST 0
FEAT net
TRAN ac1
TYPE npa

NPA 1312

NPA 1312 <-- This is the network number (prefix)
RLI 11   <-- This is the Route List that the prefix gets instruction from
DENY 976 <-- This is an exchange in NPA 312 that is blocked

SDRR DENY CODES = 1
DMI 0
ITEI NONE

REQ end


LD86 RLB (or RLI)
-----------------
The RLB is a "list" of possible trunk routes that an area code or exchange
can be dialed over. Each "ENTR" or list entry contains a trunk route. Each
entry also has a "minimum Facility Restriction Level" or "FRL" that must be
met before a phone can access that entry. In the following example, the first
entry can be accessed by phones whose NCOS equals an FRL of 3 or above. The
second entry can only be accessed by phones whose NCOS equals an FRL of 6 or
above. Along with the trunk route and the FRL, you can apply specific "digit
manipulation" with the DMI entry. The DMI entries are explained here.

>ld 86
ESN000

REQ prt
CUST 0
FEAT rlb
RLI 11

RLI 11
ENTR 0  <-- This is the list's first "Entry Number"
LTER NO
ROUT 15 <-- This is the first choice Trunk Route Number
TOD 0 ON 1 ON 2 ON 3 ON
    4 ON 5 ON 6 ON 7 ON
CNV NO
EXP NO
FRL 3  <-- This is the Facility Restriction Level
DMI 10 <-- This is the Digit Manipulation Index Number
FCI 0
FSNI 0
OHQ YES
CBQ YES

ENTR 1 <-- This is the list's second "Entry Number"
LTER NO
ROUT 9 <-- This is the second choice Trunk Route Number
TOD 0 ON 1 ON 2 ON 3 ON
    4 ON 5 ON 6 ON 7 ON
CNV NO
EXP YES <-- This is considered the "expensive" choice
FRL 6   <-- Note that the Facility Restriction Level is higher
DMI 0   <-- Note no digit manipulation is required for this trunk route
FCI 0
FSNI 0
OHQ YES
CBQ YES

ISET 2
MFRL 3

REQ end


LD87 NCTL
---------
The FRL to NCOS "relationship" is built in the NCTL data block. The FRL and
the NCOS do not necessarily have to equal one another, however they usually
do. A higher FRL/NCOS has more capability than a lower FRL/NCOS. For an NCOS
number to have any capability, it must first be defined in the NCTL data
block.

>ld 87
ESN000

REQ prt
CUST 0
FEAT nctl
NRNG 0 7 <-- Range from NCOS 0 through 7 was requested

SOHQ NO
SCBQ YES
CBTL 10
---------------
NCOS 0

EQA NO
FRL 0
RWTA NO
NSC NO
OHQ NO
CBQ NO
MPRI 0
PROM 0
---------------
NCOS 1

EQA NO
FRL 1
RWTA NO
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT I
RADT 0
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 2

EQA NO
FRL 0
RWTA NO
NSC NO
OHQ NO
CBQ NO
MPRI 0
PROM 0
---------------
NCOS 3

EQA NO
FRL 3 <-- NCOS 3 equals FRL 3.
RWTA YES
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT I
RADT 10
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 4

EQA NO
FRL 4
RWTA YES
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT A
RADT 10
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 5

EQA NO
FRL 5
RWTA NO
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT A
RADT 10
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 6

EQA NO
FRL 6 <-- NCOS 6 equals FRL 6.
RWTA NO
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT A
RADT 0
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 7

EQA NO
FRL 7
RWTA NO
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT A
RADT 0
SPRI 0
MPRI 0
PROM 0

TOHQ NONE


LD86 Digit Manipulation
-----------------------
The Digit Manipulation data blocks are where special prefixes are entered
before numbers are sent out over trunks. An example of digit manipulation is
where a 1010XXX carrier access code must be inserted before a number is
processed over a trunk.

REQ prt
CUST 0
FEAT dgt
DMI 10

DMI 10 <-- This is simply the index number.
DEL 1  <-- This says "delete the first digit after "9"
CTYP NCHG

REQ prt
CUST 0
FEAT dgt
DMI 3

DMI 3
DEL 0       <-- This says "delete nothing after 9"
INST 101288 <-- This says "Insert 101288 after 9 and before the actual number
                dialed"
CTYP NCHG

REQ end


Telephone
---------
This is simply a telephone's data block.

DES 5135
TN 004 0 14 00
TYPE 500
CDEN 4D
CUST 0
DN 5135 MARP
     CPND
     NAME Typical User
     XPLN 9
     DISPLAY_FMT FIRST,LAST
AST NO
IAPG 0
HUNT
TGAR 1
LDN NO
NCOS 5  <-- What FRL does this equal?
SGRP 0
RNPG 0
LNRS 16
XLST
SCI 0
CLS CTD DTN FBD XFA WTA THFD FND HTD ONS
    LPR XRA CWD SWD MWA LPD XHD CCSD LNA TVD
    CFTD SFD C6D PDN CNID CLBD AUTU
    ICDD CDMD EHTD MCTD
    GPUD DPUD CFXD ARHD OVDD AGTD CLTD LDTA ASCD
    MBXD CPFA CPTA DDGA NAMA
    SHL ABDD CFHD
    USRD BNRD OCBD
RCO 0
PLEV 02
FTR CFW 4
DATE 28 NOV 1978
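The telephone block above asks what FRL its NCOS 5 equals: from the NCTL printout, NCOS 5 maps to FRL 5, so this set can use ENTR 0 of RLI 11 (ROUT 15, FRL 3) but not ENTR 1 (ROUT 9, FRL 6). The following Python script, an added example and not code from the article or the quoted audit document, carries the six-step BARS tour through the LD90 NET, LD86 RLB, LD87 NCTL and LD86 DGT data: it parses captured printout fragments, resolves the dialed prefix to a route list, compares the set's FRL to each entry, and applies the DMI. The embedded fragments are constructed to mirror the values in the page's printouts; the lookup itself is general and works on any captured data of the same shape.

```python
"""Trace a BARS call through NET -> RLB -> NCTL -> DMI from captured printouts.

Added example, not code from the original article or the quoted audit
document. The printout fragments below are constructed to mirror the values
in the page's LD90, LD86 and LD87 examples (NPA 1312 -> RLI 11 with DENY 976,
ENTR 0 ROUT 15 FRL 3 DMI 10, ENTR 1 ROUT 9 FRL 6, NCOS 2 -> FRL 0, DMI 10
DEL 1, DMI 3 INST 101288).
"""

NET_PRINTOUT = """\
NPA 1312
RLI 11
DENY 976
"""

RLB_PRINTOUT = """\
RLI 11
ENTR 0
LTER NO
ROUT 15
FRL 3
DMI 10
ENTR 1
LTER NO
ROUT 9
EXP YES
FRL 6
DMI 0
"""

NCTL_PRINTOUT = "\n".join(
    "NCOS %d\nFRL %d" % (n, f) for n, f in
    [(0, 0), (1, 1), (2, 0), (3, 3), (4, 4), (5, 5), (6, 6), (7, 7)])

DGT_PRINTOUT = """\
DMI 10
DEL 1
CTYP NCHG
DMI 3
DEL 0
INST 101288
CTYP NCHG
"""

AC1 = "9"  # BARS access code, as defined in the ESN block


def _records(text, start_key):
    """Group 'PROMPT value' lines into dicts; a new dict starts at start_key."""
    recs, cur = [], None
    for line in text.splitlines():
        key, _, val = line.strip().partition(" ")
        if not key:
            continue
        if key == start_key:
            cur = {}
            recs.append(cur)
        if cur is not None:
            cur[key] = val.strip()
    return recs


def parse_net(text):
    """NPA/SPN prefix -> route list index and denied exchanges."""
    return {r["NPA"]: {"rli": int(r["RLI"]), "deny": set(r.get("DENY", "").split())}
            for r in _records(text, "NPA")}


def parse_rlb(text):
    """Route list index -> ordered entries (route, minimum FRL, DMI)."""
    rli = int(text.split()[1])              # printout opens with "RLI nn"
    return {rli: [{"rout": int(r["ROUT"]), "frl": int(r["FRL"]),
                   "dmi": int(r.get("DMI", "0"))}
                  for r in _records(text, "ENTR")]}


def parse_nctl(text):
    """NCOS -> FRL, as built in the NCTL data block."""
    return {int(r["NCOS"]): int(r["FRL"]) for r in _records(text, "NCOS")}


def parse_dgt(text):
    """DMI -> (digits to delete, digits to insert)."""
    return {int(r["DMI"]): (int(r.get("DEL", "0")), r.get("INST", ""))
            for r in _records(text, "DMI")}


def route_call(dialed, ncos, net=None, rlb=None, nctl=None, dgt=None):
    """Steps 1-6 of the BARS tour for one dialed string and one set's NCOS.

    Returns a list of (trunk route, digits outpulsed) the set may use, in
    route list order, or a string explaining why BARS blocks the call.
    """
    net = net if net is not None else parse_net(NET_PRINTOUT)
    rlb = rlb if rlb is not None else parse_rlb(RLB_PRINTOUT)
    nctl = nctl if nctl is not None else parse_nctl(NCTL_PRINTOUT)
    dgt = dgt if dgt is not None else parse_dgt(DGT_PRINTOUT)
    if not dialed.startswith(AC1):
        return "not a BARS call: no access code %s" % AC1
    digits = dialed[len(AC1):]
    # Step 3: longest prefix match against the NET entries.
    match = max((p for p in net if digits.startswith(p)), key=len, default=None)
    if match is None:
        return "blocked: prefix not defined in LD90 NET"
    exch = digits[len(match):len(match) + 3]
    if exch in net[match]["deny"]:
        return "blocked: exchange %s denied under %s" % (exch, match)
    # Step 5: the set's FRL comes from its NCOS; an undefined NCOS has FRL 0.
    frl = nctl.get(ncos, 0)
    allowed = []
    for e in rlb[net[match]["rli"]]:
        if frl >= e["frl"]:
            delete, insert = dgt.get(e["dmi"], (0, ""))   # step 6
            allowed.append((e["rout"], insert + digits[delete:]))
    if not allowed:
        return "blocked: NCOS %d (FRL %d) is below every entry in RLI %d" % (
            ncos, frl, net[match]["rli"])
    return allowed
```

Running route_call("913125551234", 5) with the page's values gives a single choice, route 15 with the leading 1 deleted by DMI 10, while NCOS 7 also unlocks the expensive route 9; NCOS 2 (FRL 0) is blocked outright, as is any call into the denied 976 exchange or to a prefix missing from NET.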


LD86 ESN - the Start of BARS
----------------------------

The ESN data block is the root of BARS. Before BARS can be set up, the ESN
data block must be defined.

>ld 86
ESN000

REQ prt
CUST 0
FEAT esn

MXLC 0
MXSD 30
MXIX 0
MXDM 100
MXRL 80
MXFC 60
MXFS 0
MXSC 120
NCDP 4
AC1 9 <-- This is where "9" is defined
AC2
DLTN YES
ERWT YES
ERDT 0
TODS 0 00 00 23 59  <-- This section refers only to time of day routing controls
RTCL DIS
NCOS 0 - 0  <-- This section refers only to time of day routing controls
NCOS 1 - 1
NCOS 2 - 2
NCOS 3 - 3
NCOS 4 - 4
NCOS 5 - 5
NCOS 6 - 6
NCOS 7 - 7
<continued to 99...>
NCOS 99 - 99
ETOD
TGAR NO

REQ end


ISLUA 99 Session BA 20  
Capturing Data From Your Meridian 1
to Various PC Software Packages
Curt Kempf City of Columbia, Missouri
Thanks for attending the workshop
I hope you find this information helpful
========================================

        o ACD Daily Report

        o Procomm Plus Script to
          capture ACD reports to
          disk. Format: MMDDYY.TXT

        o TN PRT out of Host MCA card

        o Procomm Script to CHG a TN
          when it becomes IDLE 

        o Procomm Script to CHG/NEW
          a list of DNs and their
          NAMES (LD 95)

        o Procomm Script to monitor
          PBX for "DTA0021", "INI0",
          "PWR01", then send an
          alpha numeric page when
          received.


ACD Daily Report
================
ACD 000   1999 03 29   17:00 
DAILY TOTALS REPORT 


REPT 1
ACD   AVG CALLS       AVG  AVG  AVG  AVG    DN  AVG   #-XFER   AVG-TIME-POSN
 DN  AGTS ANSWD  ASA  DCP  PCP WORK WAIT CALLS TIME  IDN  ACD   BUSY MANNED 
7380        324   54  125  388  514  127   118   69    0   28  22085  27246 
------------------------------------------------------------------------------
  1         324   54  125  388  514  127   118   69    0   28  22085  27246 

REPT 2
ACD  CALLS  RECALL ANSWERED  ABANDONED      TOF TOF  OVER    INTER  
 DN ACCPTED  TO    LONGEST   NO. AVG.WT TSF IN  OUT  FLOW    FLOW   
            SOURCE WT. TIME                                  BUSY
7380    366      0      476   43    88   80   0   0     8       0 
------------------------------------------------------------------------------
  1     366      0      476   43    88   80   0   0     8       0 

REPT 4
POS CALLS   AVG   AVG   AVG   DN  INC   DN   OUT   #-XFER   BUSY MANNED 
 ID ANSWD   DCP   PCP  WAIT  INC TIME  OUT  TIME  IDN  ACD  TIME   TIME 

ACD DN 7380 
 301     81   136   115   142    3   66   12   352    0    9 20716  32208 
 303     57    91   261   139    4  478   15   652    0    4 20788  28702 
 309     49    90     2   182    0    0    1   100    0    7  4550  13466 
 304     87   128   127   108    1   60   12   564    0    6 22662  32088 
 305     39   185   108    73    0    0    2    96    0    1 11464  14302 
 308      0 ***** ***** *****   15 1770   20  1464    0    0 32256  32400 
 306      0 ***** ***** *****    9 2950   13  1660    0    0 32400  32400 
 312     11   145  2686    50    4  286    7   416    0    1 31848  32400 
 ------------------------------------------------------------------------
   8    324   125   388   127   36   93   82    88    0   28  2945   3633 


Procomm Plus Script to capture ACD
reports to disk.  Format: MMDDYY.TXT
====================================

 ; ProComm script by Chris Fourroux & Curt Kempf/City of Columbia - tested
 ; with ProComm Plus 32 95/NT, version 4.  Script to capture ACD reports to
 ; disk with the format XXXXXX.txt, where XXXXXX is month day year. Script
 ; waits for "ACD DN 7380" to occur, which is on every hourly report, then
 ; closes and appends the newest statistics to MMDDYY.TXT file.
  
    string cmd="ncopy c:\capture\"
    string szFileName = $DATE
    string szDate = $DATE
    integer Pos = 0
     
 proc main
    dial data "Option 61"  
    set capture overwrite OFF            ; if capture file exists, append data to it.
    capture off                          ; close capture file if it is open
    when TARGET 0 "ACD DN 7380" call CLOSECAP

    Startloop:
    clear                                ; clear contents of screen and scroll back buffer
    szFileName = $DATE
    szDate = $DATE
    while 1
      if nullstr szFileName              ; Check to see if we've reached
        exitwhile                        ; the end of source string
      endif                              ; and if so, exit loop.
      if strfind szFileName "/" Pos      ; Check for char
        strdelete szFileName Pos 1       ; and delete it
      else
        exitwhile                        ; exit if no more characters
      endif
    endwhile

    strcat szFileName ".txt"
    set capture file szFileName          ; Set name of capture file.
    capture on                           ; Open up the capture file.
    while strcmp $DATE  szDate           ; Loop while date is the same
    endwhile                             ; or if the date changes,
    capture off                          ; Close the capture file.
    goto Startloop                       ; and start a new one.
 endproc

 proc closecap
    pause 3
    strcat cmd szFileName                ; Append to variable "CMD"
    strcat cmd " h:\uab\"                ; Append network drive to "CMD"
    transmit "^M***********^M"           ; Put in asterisks between hourly reports
    capture off                          ; Close capture file
    pause 5
    DOS cmd HIDDEN i0                    ; Run "CMD" in DOS and copy file to the LAN
    pause 10
    taskexit i0                          ; Exit DOS window
    pause 10
    cmd="ncopy c:\capture\"              ; Reset "CMD"
    capture on                           ; Turn Capture back on.
 Endproc


Procomm Screen of dialing up the host
MCA card(direct connect 9600 baud)
=====================================

ENTER NUMBER OR H (FOR HELP):   2206

CALLING  2206
RINGING
ANSWERED
CALL CONNECTED. SESSION STARTS
logi
PASS?
TTY #02 LOGGED IN 08:59  11/4/1999
>

TN PRT out of Host MCA card

DES  2206
TN   020 0 04 31        ;note TN is TN of voice set(20 0 4 15) +(plus) 16
TYPE 2616
CDEN 8D
CUST 0
AOM  0
FDN
TGAR 1
LDN  NO
NCOS 2
SGRP 0
RNPG 0
SCI  0
SSU
XLST
SCPW
CLS  CTD FBD WTD LPR MTD FND HTD ADD HFD
     MWD AAD IMD XHD IRD NID OLD DTA DRG1
     POD DSX VMD CMSD CCSD SWD LND CNDD
     CFTD SFD DDV CNID CDCA
     ICDD CDMD MCTD CLBD AUTU
     GPUD DPUD DNDD CFXD ARHD FITD CLTD ASCD
     CPFA CPTA ABDD CFHD FICD NAID
     DDGA NAMA
     USRD ULAD RTDD PGND OCBD FLXD FTTU
TOV   0  MINS
DTAO MCA
PSEL  DMDM
HUNT
PSDS  NO
TRAN  ASYN
PAR  SPACE
DTR  OFF
DUP  FULL
HOT  OFF
AUT  ON
BAUD 9600
DCD  ON
PRM  HOST ON
VLL  OFF
MOD  YES
INT  OFF
CLK  OFF
KBD  ON
RTS  ON
PLEV 02
AST
IAPG 0
AACS NO
ITNA NO
DGRP
DNDR 0
KEY  00 SCR 2206 0     MARP
     01
     02
     03
     04
     05
     06
     07
     08
     09
     10
     11
     12
     13
     14
     15
DATE 30 DEC 1997

Very rarely, I cannot dial up the host MCA card. It simply won't answer, so
the following usually clears it up:

ITEM
ITEM OPE YES
                DCD ON
                PRM OFF

If that doesn't work, since 020 0 04 31 is "digital", it could be disabled.

LD 32 and ENLU it.

Procomm Script to CHG a TN when it becomes IDLE 
===============================================

 string TN                               ;TN
 string TIPE                             ;TYPE, however word is reserved in ASPECT
 string EYETEM                           ;ITEM, ditto above.
 string szList                           ;List of items.
 string szItem                           ;Item selected from list.       
 integer Event                           ;Dialog box event.      
 integer Num                             ;integer value  
 proc MAIN
         set txpace 50                   ;delay for keyboard
         when TARGET 0 "IDLE" call CHGIT ;when receive IDLE, go change set.
                                                         ;Input the TN, TYPE, and ITEM
         sdlginput "LD 11, CHG when IDLE :-)" "Enter TN: " TN
         if strcmp TN ""                 ; compare to see if NULL?
           halt                          ;if enter is pressed, halt script.
         else
         endif
         
                                         ; Display dialog box with list of items.
                                         ; Pick if set is a 500, 2008, or 2616
         szList = "2616,2008,500"
         dialogbox 0 55 96 100 74 11 "LD 11, CHG when IDLE :-)"
         listbox 1 5 5 90 40 szList single szItem
         pushbutton 2 28 52 40 14 "&Exit" ok default
         enddialog
         
         while 1
          dlgevent 0 Event               ; Get the dialog event.
          switch Event                   ; Evaluate the event.
           case 0                        ; No event occurred.
           endcase
           case 1                        ; Listbox selection changed.
            if strcmp szItem "2616"
             TIPE = "2616"
            elseif strcmp szItem "2008"
             TIPE = "2008"
            elseif strcmp szItem "500"
             TIPE = "500"
            endif
           endcase
           default                       ; Exit button chosen.
            exitwhile
           endcase
          endswitch
         endwhile
         
         dlgdestroy 0 CANCEL             ; Destroy the dialog box.       

         sdlginput "LD 11, CHG when IDLE :-)" "ITEM: (IE: CLS HTA)" EYETEM       
         Transmit "LD 11^M"              ;Go in to overlay 11    
         Waitfor "REQ"
                 
         for Num = 0 upto 100            ;Keep STAT'n til IDLE
                 Transmit "STAT "
                 Transmit TN
                 Transmit "^M"
                 pause 10                ; wait 10 seconds
                 endfor

 endproc

 PROC CHGIT                      

         Transmit "CHG^M"                ;Go change the set, then halt the script.
                         
         Waitfor "TYPE"
         Transmit TIPE
         pause 1                         ;pause 1 second
         Transmit "^M"
                         
         Waitfor "TN"
         Transmit TN
         Transmit "^M"
         
         Waitfor "ECHG"
         Transmit "YES^M"
                         
         Waitfor "ITEM"
         Transmit EYETEM
         Transmit "^M"
         waitfor "ITEM"
         transmit "^M"

         Waitfor "REQ:"
         Transmit "END^M"
         
         halt
 endproc


Procomm Script to CHG/NEW a list of DNs and their NAMES (LD 95)
===============================================================

         integer flag=0          ;set flag

 proc main
         set txpace 100                                  ;delay for keyboard
         when TARGET 1 "SCH2115" call LD95NEW            ;wait for 'name does not exit' error
                                                         ;open text file that has a list of 
                                                         ;DNs & NAMEs you want to change/add.
         fopen 1 "C:\phone\chgnames.txt" READ                    
                 ;chgnames.txt it in the format of
                 ;       7354, Jane Doe
                 ;       6745, John Smith
                 ;       7645, Dan White
                 ;script doesn't care if the NAME is NEW or CHG :)
         if failure
                 usermsg "could not open the file."
         else
                 Transmit "LD 95^M"              ;Go in to overlay 95    
                 Waitfor "REQ"
                 Transmit "CHG^M"
                 Waitfor "TYPE"
                 Transmit "NAME^M"
                 Waitfor "CUST"
                 Transmit "0^M"
                 Waitfor "DIG"
                 Transmit "^M"
                 fseek 1 0 0
                 while 1
                         fgets 1 s0
                         if FEOF 1
                                 exitwhile
                         endif
                         strtok s1 s0 "," 1              ;s1 = DN (text before the comma)
                         strtok s2 s0 "," 1              ;s2 = NAME (rest of the line)
                         DelStr (&s1)                    ;strip any quote characters
                         DelStr (&s2)
                         DelLineFeed (&s2)               ;strip the trailing line feed
                         ;strfmt s4 "TN:  %s" s1         ;uncomment these two for
                         ;usermsg s4                     ;troubleshooting the script
                         strlen s1 i0
                         if (i0 > 2)                     ;a DN of at least 3 digits
                                 LD95CHG ()
                         else                            ;blank/short line = end of list
                                 Transmit "****^M"       ;abort the overlay
                                 halt
                         endif
                 endwhile
         endif
 endproc

 proc LD95CHG
         Waitfor "DN"
         Transmit s1
         Transmit "^M"
         pause 1

         if FLAG==1                      ;LD95NEW already added this name
                 FLAG=0
                 Transmit "^M"
                 return
         else
                 Transmit s2
                 Transmit "^M"
                 Waitfor "DISPLAY_FMT"
         endif
 endproc

 proc LD95NEW
         FLAG=1
         Transmit "^M"
         Transmit "**^M"
         Waitfor "REQ"
         Transmit "NEW^M"
         Waitfor "TYPE"
         Transmit "NAME^M"
         Waitfor "CUST"
         Transmit "0^M"
         Waitfor "DIG"
         Transmit "^M"
         Waitfor "DN"
         Transmit s1
         Transmit "^M"
         Waitfor "NAME"
         Transmit s2
         Transmit "^M"
         Waitfor "DISPLAY_FMT"
         Transmit "^M"
         Waitfor "DN"
         Transmit "^M"   
         Waitfor "REQ"
         Transmit "CHG^M"
         Waitfor "TYPE"
         Transmit "NAME^M"
         Waitfor "CUST"
         Transmit "0^M"
         Waitfor "DIG"
 endproc 

 proc DelStr 
 param string szStr
 integer Pos
         while 1
                 if StrFind szStr "`"" Pos       ;look for a double-quote character
                         StrDelete szStr Pos 1
                 else
                         exitwhile
                 endif
         endwhile
 endproc

 PROC DelLineFeed 
 param string szStr
 integer Pos
         strlen szStr Pos
         if (Pos > 2)
                 StrDelete szStr (Pos-1) 1
         endif
 endproc



You could very easily modify this script to, say, change an ASCII list of
TNs/TYPEs to TGAR 1 and have it executed at 2:00 a.m. The s0 and s1 variables
would change from DN & NAME to TN & TYPE, and you would add
Waituntil "2:00:00" "7/16/99" to kick it off at 2:00 a.m.

Procomm Script to monitor PBX for "DTA0021", "INI0", "PWR01", then send
an alphanumeric page when received.
=======================================================================

 proc Main
    #DEFINE pagernum "235.5334"          ;Enter your pager number here.
    string szName="OPT61.cap"            ;Name of text file to capture to.
    string passw
    when TARGET 1 "DTA021" call DTA021   ;what do you want to 'wait for' ?
    when TARGET 2 "INI0" call INI0
    when TARGET 3 "PWR01" call PWR0

    set capture file szName
    capture on
    set txpace 150                       ;delay for keyboard   
    HANGUP
    Dial DATA "MCA" 
    transmit "^M"
    waitfor "HELP):"  
    transmit "2206^M" 
    waitfor "SESSION STARTS"
    while $CARRIER
     transmit "****"
     pause 1
     transmit "LOGI^M"
     waitfor "PASS?"
     sdlginput "Security" "Password: (all caps!)" passw MASKED
     if stricmp passw "sss"                      ;to bypass logging in.
     transmit "*"
     call loggedin
     endif
     transmit passw
     transmit "^M"
     pause 2
    endwhile
    set txpace 1
 endproc

 proc DTA021
   pageA()                                       ;dial paging provider
    TRANSMIT "Digital Trunk Diagnostic. Frame alignment persisted for 3 seconds^M" ;send specific x11 error to pager
   pageB()                                       ;end connection to provider
   mcacard()                                     ;connect back to Option 61
 endproc

 proc INI0
   pageA()
   TRANSMIT "An initialization has taken place.^M"
   pageB()
   mcacard()
 endproc
 proc PWR0
   pageA()
   TRANSMIT "Power failure from power and system monitor.^M"
   pageB()
   mcacard()
 endproc

 proc mcacard
  HANGUP
  PAUSE 2
  Dial DATA "MCA"                        ;Connect up to option 61 through MCA card.
  while $DIALING
  endwhile
  transmit "^M"
  pause 1
  transmit "^M"
  waitfor "HELP):"  
  transmit "2206^M" 
  waitfor "SESSION STARTS"
  pause 1
   when RESUME                            ;re-enable the when TARGET handlers
   loggedin()
 endproc

 proc loggedin
  while $CARRIER         ;wait for errors to occur.  Continue to do your MACs etc..
  endwhile
 endproc

 proc pageA
  when SUSPEND
  set port dropdtr on
  pause 1
  hangup                         ;hangup Option 61 connection
  pause 2
  hangup                         ;release mca card from COM port
  set port dropdtr off
  pause 1
  Dial DATA "TriStar"            ;Dial your paging provider
         while $DIALING
         endwhile
         TRANSMIT "^M"           ;TAP paging protocol, M selects manual mode.
         WAITFOR "ID="
         TRANSMIT "M^M"
         WAITFOR "Enter pager"
         TRANSMIT pagernum
         TRANSMIT "^M"
         WAITFOR "Enter alpha"
 endproc

 proc pageB
         TRANSMIT "^M"
         WAITFOR "More Pag"
                 TRANSMIT "^M"
         pause 2
 endproc
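The script above does its matching live, with `when TARGET` handlers, and pages on every hit. As an added example (not code from the original file), the Python below applies the same rule set to captured console lines so the rules can be tested offline, and adds the one thing a paging script needs in practice: a per-code hold-down so a trunk that keeps re-aligning does not page every few seconds. The pager texts are the script's own TRANSMIT strings; the sample console lines are constructed, and the codes in them are only shaped like X11 maintenance messages (a mnemonic followed by digits), not taken from a real switch.

```python
"""Watch a captured Meridian console stream for maintenance messages.

Added example, not from the original file. Matching is done over captured
(timestamp, line) pairs so the watch list can be tested offline; a per-code
hold-down suppresses repeat pages. Sample capture lines are constructed.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Watched message prefix -> pager text (texts taken from the script above).
WATCH = {
    "DTA021": "Digital Trunk Diagnostic. Frame alignment persisted for 3 seconds",
    "INI0":   "An initialization has taken place.",
    "PWR01":  "Power failure from power and system monitor.",
}

# X11 maintenance messages start with a mnemonic and a number, e.g. AUD028.
MSG_RE = re.compile(r"\b([A-Z]{3,4}\d{3,4})\b")


class Alert(NamedTuple):
    ts: int      # seconds since capture start (from the sample line)
    code: str    # watched prefix that matched
    text: str    # pager text to send


class Watcher:
    def __init__(self, watch: Dict[str, str], holddown: int = 300):
        self.watch = watch
        self.holddown = holddown           # seconds between pages per prefix
        self._last: Dict[str, int] = {}    # watched prefix -> last page time

    def classify(self, line: str) -> Optional[str]:
        """Return the watched prefix a console line matches, or None."""
        for code in MSG_RE.findall(line):
            for prefix in self.watch:
                if code.startswith(prefix):
                    return prefix
        return None

    def feed(self, ts: int, line: str) -> Optional[Alert]:
        """Process one console line; return an Alert if a page should go out."""
        prefix = self.classify(line)
        if prefix is None:
            return None
        last = self._last.get(prefix)
        if last is not None and ts - last < self.holddown:
            return None                    # still in hold-down: suppress repeat page
        self._last[prefix] = ts
        return Alert(ts, prefix, self.watch[prefix])


# Constructed capture: (seconds since start, console line). Illustrative only.
SAMPLE_CAPTURE = [
    (0,   ">LOGI"),
    (12,  "DTA021 04 0 0"),
    (15,  "DTA021 04 0 0"),     # same trunk, 3 s later: held down
    (40,  "DTA021 04 0 0"),     # still inside the 300 s hold-down
    (90,  "INI000"),
    (400, "DTA021 04 0 0"),     # hold-down expired: page again
    (410, "BUG000"),            # X11-shaped code that is not on the watch list
]


def run(capture, holddown: int = 300) -> List[Alert]:
    """Replay a capture through a Watcher and collect the pages it would send."""
    watcher = Watcher(WATCH, holddown)
    alerts: List[Alert] = []
    for ts, line in capture:
        alert = watcher.feed(ts, line)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run(SAMPLE_CAPTURE):
        print(f"t+{a.ts:>4}s {a.code}: {a.text}")
```

With the default hold-down the replay produces three pages (DTA021 at 12 s, INI0 at 90 s, DTA021 again at 400 s); with the hold-down set to zero it pages on all five matching lines, which is what the ASPECT script would do.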


Little Known Meridian 1 Features And Programming Tricks
=======================================================
HELP and Error Lookup
=====================

     HELP - Type " ? " at many prompts
     LOOKUP - At the " > " sign, type ERR AUD028 to find out what AUD028
     indicates. At any other prompt, type " ! " and you will receive the
     " > " symbol for doing an ERR lookup.

Find Sets with a Certain Feature
================================
     LD81 
     REQ LST 
     FEAT CFXA 
     FEAT UNR 

          Lists all sets that have the "Call Forward External Allow"
          feature, then lists all UNR sets. 
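The LD81 listing above asks the switch itself which sets carry a feature. As an added example (not code from the original file), the Python below does the same check offline over a captured LD 20 printout, so the result can be re-run against an older capture and diffed: it parses each TN block, collecting CLS and KEY tokens that wrap onto indented continuation lines as in the printout earlier in this file, and reports which TNs carry any CLS mnemonic you ask for, not only CFXA and UNR. The two TN blocks embedded in it are constructed sample data, and the field layout is assumed to follow the printed form shown earlier.

```python
"""Audit a captured LD 20 TN printout for Class-of-Service features.

Added example, not part of the original file. Parses TN blocks from a
capture and lists the TNs whose CLS contains a given mnemonic. The sample
printout below is constructed, laid out the way the overlay prints a block
(CLS and KEY wrapped onto indented continuation lines).
"""
import re
from typing import Any, Dict, List

# Constructed sample: two TN blocks in the printed layout (not real data).
SAMPLE_PRINTOUT = """\
DES  LAB
TN   004 0 01 05
TYPE 2616
CUST 0
CLS  UNR FBD WTA LPR MTD FND HTD ADD HFD
     CFXA ARHD FITD CLTD ASCD
     CPFA CPTA ABDD CFHD FICD NAID
KEY  00 SCR 2206 0     MARP
     01 NHC
DATE 30 DEC 1997

DES  LOBBY
TN   004 0 01 06
TYPE 500
CUST 0
CLS  CTD FBD WTA LPR MTD FND HTD
     CFXD ARHD FITD CLTD ASCD
KEY  00 SCR 2207 0     MARP
DATE 30 DEC 1997
"""

# A field line starts in column 0 with its mnemonic; a continuation line is
# indented (assumption: this mirrors the printed form shown earlier).
FIELD_RE = re.compile(r"^(?P<tag>[A-Z_]{2,5})\s*(?P<rest>.*)$")
CONT_RE = re.compile(r"^\s+(?P<rest>\S.*)$")


def parse_tn_blocks(text: str) -> List[Dict[str, Any]]:
    """Split a printout into one dict per TN block.

    CLS becomes a list of feature mnemonics and KEY a list of key strings;
    every other field keeps its text. A new block starts at each DES line.
    """
    blocks: List[Dict[str, Any]] = []
    current: Dict[str, Any] = {}
    last_tag = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        cont = CONT_RE.match(raw)
        if cont and last_tag in ("CLS", "KEY"):
            # Indented continuation of a wrapped multi-token field.
            if last_tag == "CLS":
                current["CLS"].extend(cont.group("rest").split())
            else:
                current["KEY"].append(cont.group("rest").strip())
            continue
        field = FIELD_RE.match(raw)
        if not field:
            continue
        tag, rest = field.group("tag"), field.group("rest").strip()
        if tag == "DES" and current:
            blocks.append(current)
            current = {}
        if tag == "CLS":
            current["CLS"] = rest.split()
        elif tag == "KEY":
            current["KEY"] = [rest]
        else:
            current[tag] = rest
        last_tag = tag
    if current:
        blocks.append(current)
    return blocks


def sets_with_feature(blocks: List[Dict[str, Any]], feature: str) -> List[str]:
    """TNs whose CLS carries the mnemonic (e.g. CFXA, UNR)."""
    return [b["TN"] for b in blocks if feature in b.get("CLS", [])]


def audit(text: str, watch=("CFXA", "UNR")) -> Dict[str, List[str]]:
    """Map each watched mnemonic to the TNs that carry it."""
    blocks = parse_tn_blocks(text)
    return {feat: sets_with_feature(blocks, feat) for feat in watch}


if __name__ == "__main__":
    for feat, tns in audit(SAMPLE_PRINTOUT).items():
        print(f"{feat}: {', '.join(tns) or 'none'}")
```

Run against a real capture, pass the mnemonics you care about to `audit()`; the parser is the reusable part, the watch list is policy.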

Inventory and Identification Commands 
=====================================
     LD32 
     IDU l s c u (or) IDC l s c 
     LD22 
     CINV (and) ISSP 
     LD30 
     UNTT l s c u 

Speed Call Stuff 
================
Create many Speed Call lists at once:
     LD18
     REQ NEW 100     (creates 100 lists)
When memory is plentiful, make the Speed Call list number the same as the
person's DN. You will need to increase MSCL in LD17.
Find a "Controller" in LD81 by: REQ LST, FEAT SCC, then the Speed List Number.

Allow Restricted Sets to Dial Certain Long Distance Numbers. 
============================================================
Add the numbers to a System Speed Call List. Assign an NCOS to the "List"
that replaces the user's NCOS during the call. Alternative: add the suffix of
the telephone number to an ARRN list in the prefix's RLI. This will point
only that number to a new RLI with a lower (or higher, if you choose) FRL.
Look up ARRN in LD86.

PBX Clock Fast or Slow? 
=======================
LD2 
SDTA X Y -- x y 
     X = 0 for "subtract time each day" -or- 1 for "add time each day"
     Y = 0-60 seconds to be added or subtracted each day. 
Daylight Savings Question? 
TDST Look this one up in LD2 before changing 

Phantom DNs, TNs, and "MARP to Voice Mail" TNs 
==============================================
     Phantom TN with FTR DCFW
     ACD Queues with NCFW but no Agents
     2616 Sets with AOMs (AOMs can be in "software", but do not need to be
     "installed" on the set)
Any of these makes an excellent "MARP TN" for DNs that need to HUNT/FDN to
Voice Mail.

Digit Display on Trunk Routes and ACD Queues 
============================================
     Trunk Route Access Codes - name in LD95 like any other DN
     ACD Numbers - name in LD95 like any other DN
     IDC Numbers - name in LD95 at the DCNO prompt

Limited Access Passwords 
========================
Print PWD in LD22 before starting
LD17
LAPW 01 
PW01 12345 
OVLA 10 11 20 

Identify Trunks, Routes and TTY Ports with "DES" Entry 
======================================================
LD17 ADAN 
DES can be 1-16 characters 
LD16 RDB 
DES can be 1-16 characters 
LD14 TRK 
DES can be 1-16 characters 
TKID - enter telephone number 

Free Up or Block DN Range 
=========================
Change your SPRE Code to 4 digits:
     LD15
     SPRE XXXX
Assign all current feature codes as Flexible Feature Codes. To hide DNs from
appearing in LUDN printouts, enter DN prefix ranges as an FFC for "Ring Again
Activate".

Save "Call Forward" Status upon Reload/Sysload 
==============================================
LD17 
CFWS YES 

Call Waiting "Buzz" on Digital Sets is Not Long Enough 
======================================================
Turn on Flexible Incoming Tones Allowed 
LD15 
OPT SBA DBA 
LD 11 
CLS FITA 

"DSP" Display Key Applications 
==============================
You're on the phone, another call comes in... Press DSP, then the ringing
line, to see who's calling. Press DSP, then Speed Call, then the entry number
to view entries. Rls23 Update - automatic display: CLS TDD

NHC - No Hold Conference 
========================
With NHC, the other party is not placed on hold while adding conferees. You
can also disconnect a conferee called with NHC.
LD11 
KEY X NHC 
Rls23 Update - Conf. Display/Disconnect 
LD11 
CLS CDCA 

Call Forward Indication on 2500 Sets 
====================================
Add Call Forward Reminder Tone. Special dial tone is heard only when call
forwarded.
LD15 
OPT CFRA 

Override Call Forwarded Phone 
=============================
Add Flexible Feature Code for "CFHO". Dial CFHO code, then dial extension. 
LD57 
CODE CFHO 
On sets needing ability to perform override 
CLS CFHA 

Call Forward ONLY Internal Calls - Let Externals Ring 
=====================================================
Great when you need to prioritize external callers. 
LD11 
KEY X ICF 4 ZZZZ 

"Delayed" Ring on Multiple Appearance DNs 
=========================================
Non-ringing (SCN) keys will ring after a certain duration. Great for areas
where many of the same DNs appear.
LD11 
DNDR X 
(X = 0-120 seconds of delay before SCN keys will start to ring) 

Audible Reminder of Held Calls 
==============================
Receive a "buzz tone" every X seconds to remind the user that a call is on
hold. Also reminds the user that a Conference/Transfer was mishandled - the
call was never transferred.
LD15 
DBRC X (X = 2-120 seconds between reminders) 
LD11, CLS ARHA 

Which Call "On Hold" is Mine 
============================
Exclusive Hold sets held calls to "wink" at holding set, but stay "steady" at
other sets.
LD10/11 
CLS XHA 

Change Ring Cadence/Tone 
========================
There are 4 ring styles, adjusted in the CLS of the digital set. 
LD11 
CLS: DRG1 -or- DRG2 -or- DRG3 -or- DRG4 
Set pesky customer phones to DRG4 ! 

BFS - Nightmare in Shining Armor ? 
==================================
BFS Keys allow the user to monitor the Call Forward and busy status of a set,
activate and deactivate Call Forward, and can be used as an Autodial key.
NOTE: Cannot perform MOV command with BFS. User can also forward sets by
accident.
LD11 
Key XX BFS l s c u (target sets TN) 

More Than 4 DNs Answered by One Mailbox? 
========================================
Add up to 3 DNs to DN list in mailbox programming. Add 4th and all additional
DNs in "Voice Service DN" (VSID) Table and set to "EM" to the mailbox. 

1 Single LineTelephone, 3 DNs, 3 Users, 3 Mailboxes? How? 
=========================================================
Create one 2500 set with one of the three DNs. Create 2 Phantom TNs, each one
with a new DN, and DCFW each of them to the 2500 set's DN (from above). Add
the three mailboxes... now any of the three numbers will ring the one set, but
messages will be separated!

Change An NCOS After Hours
==========================
Here's an excerpt from the LD86 ESN data block that has NCOS 3 & 4 change to
NCOS 2 after 4:30PM and all day on weekends

     <snip>

     AC1 9
     AC2
     DLTN YES
     ERWT YES
     ERDT 0
     TODS 0 06 00 16 29
          7 00 00 05 59
          7 16 30 23 59
     RTCL YES
     NCOS 0 - 0
     NCOS 1 - 1
     NCOS 2 - 2
     NCOS 3 - 2
     NCOS 4 - 2
     NCOS 5 - 5

     <snip>
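As an added example (not code from the original file), the Python below reads the TODS and NCOS lines of that excerpt and answers the question an admin reviewing it wants answered: what NCOS does a set actually get at a given date and time? It follows the interpretation the author gives for the excerpt, that the NCOS x - y mapping is in force while schedule 7 (00:00-05:59 and 16:30-23:59) is active and all day on Saturday and Sunday. That weekend rule and the choice of schedule 7 as the restricted period are assumptions taken from the author's description, not something the printout itself states.

```python
"""Evaluate the after-hours NCOS mapping from an LD 86 ESN excerpt.

Added example, not from the original file. Parses TODS schedules and the
NCOS x - y mapping and reports the NCOS in effect at a given time.
Assumption (from the author's description of the excerpt): the mapping
applies while the restricted schedule (7) is active and all day on weekends.
"""
import re
from datetime import datetime, time
from typing import Dict, List, Tuple

# The excerpt as printed in the section above (whitespace normalised).
ESN_EXCERPT = """\
AC1 9
AC2
DLTN YES
ERWT YES
ERDT 0
TODS 0 06 00 16 29
     7 00 00 05 59
     7 16 30 23 59
RTCL YES
NCOS 0 - 0
NCOS 1 - 1
NCOS 2 - 2
NCOS 3 - 2
NCOS 4 - 2
NCOS 5 - 5
"""

Window = Tuple[time, time]            # (start, end), end inclusive to the minute


def parse_esn(text: str) -> Tuple[Dict[int, List[Window]], Dict[int, int]]:
    """Return (schedules, mapping).

    schedules: schedule number -> list of time windows (a schedule may span
               several TODS lines, as schedule 7 does above).
    mapping:   NCOS -> NCOS it is mapped to while the mapping is in force.
    """
    schedules: Dict[int, List[Window]] = {}
    mapping: Dict[int, int] = {}
    in_tods = False
    for line in text.splitlines():
        if line.startswith("TODS"):
            in_tods, body = True, line[4:]
        elif in_tods and line[:1].isspace():
            body = line                         # indented TODS continuation
        else:
            in_tods = False
            m = re.match(r"^NCOS\s+(\d+)\s*-\s*(\d+)", line)
            if m:
                mapping[int(m.group(1))] = int(m.group(2))
            continue
        n, h1, m1, h2, m2 = (int(x) for x in body.split())
        schedules.setdefault(n, []).append((time(h1, m1), time(h2, m2)))
    return schedules, mapping


def schedule_active(windows: List[Window], at: time) -> bool:
    """True if the wall-clock minute falls inside any window of a schedule."""
    return any(start <= at <= end for start, end in windows)


def effective_ncos(ncos: int, when: datetime, schedules, mapping,
                   restricted_schedule: int = 7) -> int:
    """NCOS a set is treated as having at `when`.

    Assumption: the mapping is applied while the restricted schedule is
    active or on Saturday/Sunday, as the author describes for this excerpt.
    """
    minute = when.time().replace(second=0, microsecond=0)
    weekend = when.weekday() >= 5
    off_hours = schedule_active(schedules.get(restricted_schedule, []), minute)
    return mapping.get(ncos, ncos) if (weekend or off_hours) else ncos


def ncos_at(ncos: int, iso_timestamp: str, text: str = ESN_EXCERPT) -> int:
    """Convenience wrapper: parse the excerpt and evaluate one timestamp."""
    schedules, mapping = parse_esn(text)
    return effective_ncos(ncos, datetime.fromisoformat(iso_timestamp), schedules, mapping)


if __name__ == "__main__":
    for stamp in ("1997-12-30T10:00", "1997-12-30T16:29", "1997-12-30T16:30", "1998-01-03T12:00"):
        print(stamp, "NCOS 3 ->", ncos_at(3, stamp))
```

The minute-level comparison matters at the boundary: the overlay prints windows as hh mm pairs, so 16:29:59 still belongs to schedule 0 and the mapping only starts at 16:30.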

Oops..the Console Went Into NITE...During the DAY! 
==================================================
Use NITE entries that are based on "Time of Day". See Night Service in the
Features Book. If the console goes into NITE during the day, send the calls to
either a set of DNs next to the console, or a voice menu/thru-dialer
explaining that there are "technical difficulties". After hours, NITE calls
go where they should.

Just Two Security Tricks 
========================
Create SPNs in BARS of 000 thru 009 and create a Route List Block for them
with LTER=YES. Now when phreakers ask for extn 9000, they get nobody. Use the
FLEN entry on SPNs 0, 00 and 011 so that nobody can transfer a caller to 9011,
90, etc.
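As an added example (not the switch's own logic, nor code from the original file), the Python below models what those two entries do to a dial string that an operator or a user transfers a caller to. Assumptions, labelled here and in the code: the trunk access code is 9 (the ESN excerpt above has AC1 9); a Special Number is chosen by longest-prefix match on the digits after the access code; LTER=YES on the SPN's route list means the call is terminated rather than routed; and FLEN is the number of digits the string must reach before BARS will route it, with the specific lengths chosen only for illustration since the page gives none. The dial strings are constructed.

```python
"""Model the two BARS screening entries from the section above.

Added example, not from the original file. Assumptions: AC1 is 9; longest
SPN prefix wins; LTER=YES terminates the call; FLEN is the digit count
required before routing (lengths below are illustrative).
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Spn:
    """One Special Number entry with the two attributes modelled here."""
    digits: str
    lter: bool = False          # route list block has LTER=YES: terminate
    flen: Optional[int] = None  # FLEN: digits (after AC1) needed before routing


def build_spn_table() -> Dict[str, Spn]:
    """SPN table implementing the two tricks. FLEN values are assumed."""
    table = {f"00{n}": Spn(f"00{n}", lter=True) for n in range(10)}  # 000..009
    table["0"] = Spn("0", flen=11)       # 0 + NPA + NXX + XXXX (illustrative)
    table["00"] = Spn("00", flen=3)      # illustrative
    table["011"] = Spn("011", flen=14)   # 011 + country code + number (illustrative)
    return table


SPNS = build_spn_table()


def longest_spn(digits: str, table: Dict[str, Spn] = SPNS) -> Optional[Spn]:
    """BARS picks the most specific (longest) SPN that prefixes the digits."""
    best: Optional[Spn] = None
    for prefix, spn in table.items():
        if digits.startswith(prefix) and (best is None or len(prefix) > len(best.digits)):
            best = spn
    return best


def screen(dial_string: str, ac1: str = "9", table: Dict[str, Spn] = SPNS) -> str:
    """What the modelled screening does with a dialled or transferred-to string."""
    if not dial_string.startswith(ac1):
        return "NOT_BARS"           # internal DN etc.: never reaches BARS
    digits = dial_string[len(ac1):]
    spn = longest_spn(digits, table)
    if spn is None:
        return "NO_SPN"             # would go on to NPA/NXX/LOC screening, not modelled
    if spn.lter:
        return "TERMINATED"         # "extn 9000": the caller gets nobody
    if spn.flen is not None and len(digits) < spn.flen:
        return "INCOMPLETE"         # a transfer to "90" or "9011" never routes
    return "ROUTED"


if __name__ == "__main__":
    for s in ("9000", "90", "9011", "902125551212", "95551212", "2206"):
        print(f"{s:>16} -> {screen(s)}")
```

Without the SPN 000-009 entries the string "9000" would be screened as "0" followed by more digits, which is exactly the operator-trunk path the trick closes; with them, the longer SPN wins and the call terminates.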

Break Into Meridian Mailbox? 
============================
Simply make the mailbox "Auto-logon". For remote access, add their DN to your
set. Convenient if you need to access an employee's mailbox without changing
their password. Useful for modifying the greetings of an absent employee or
allowing a temporary employee access to a mailbox without divulging the
regular employee's password.

Tracing Phone Calls 
===================
TRAC 0 XXXX (X=extension) 
TRAC l s c u 
TRAC l s c u DEV (Adds BARS info) 
TRAT 0 X (X=Console number) 
TRAD (see book, traces T1 channels) 
ENTC (see book, traces TN continuously - up to 3 TNs at a time ! ) 

Forgot your M3000 Directory Password? 
=====================================
     LD32 
     CPWD l s c u 

Another Idea 
============
Use a PC to log into your PBX, then activate the "capture file". Now run a
TNB and keep it as a file rather than on paper. If your TNB file is large,
try a high-power text editor, which can open even 20meg files in seconds
(search the Internet for "Text Editor"). Keep copies so you can go back and
see how a set was programmed when you out it by mistake.


Using the above information you could successfully do the following:

a) Set up your own trunk configurations that allow outgoing calls.
b) Reset lines and trunks, reconfigure lines and trunks.
c) Set an internal extension(s) to share the same multiplexed trunk as you
   so you can effectively listen in on any incoming/outgoing phone call
   made on that extension.
d) Set up calls that don't exist with no trunk assignment.
e) Set any user's voicemail box with auto-logon parameters temporarily.
f) Close down the entire network.
g) Set every phone in the company to ring forever...
h) Re-route incoming/outgoing trunk calls to any destination.
i) Park your own incoming line as "on console" so you can answer calls made
   to a pre-set extension.
j) Make yourself the company operator.
k) Trace phone calls, audit logs etc.
l) Set all trunks to loopback on one another.
m) Anything you want?

That's just a few ideas. But before you do ANYTHING, you should be aware that
anything you do could have a devastating impact on the company's phone switch.
For example, say you accidentally commanded the system to shut down.. You would
effectively be killing 6000+ people's phone lines, which would yield colossal
financial burden/loss onto the company. Generally I'm just saying, be nice..
Just because you have the power to do such things, it doesn't mean you have to
do it. :)

A final note: In the aftermath of obtaining access to a Meridian switch, it is
generally advisable to erase all trace of you ever being on there. This can
be achieved by resetting trunk audit logs, and erasing any log of your incoming
trunk setups. Therefore, if the real admin decided to track what was going on
he/she would get nowhere because the lines you used to initially call into
the system DO NOT EXIST. It's just a case of using your imagination. Don't be
destructive, don't alter anything that would be noticed, generally don't be
a f00l.. That's the end of this file, I hope you enjoyed it. Take it easy.

Shouts to D4RKCYDE, NOU!, b4b0, 9x, subz, pbxphreak, lusta, gr1p, LINEMANPUNX.


    .    ..  ... .......... BL4CKM1LK teleph0nics .......... ...  ..    .
    .    ..  ... .......... http://hybrid.dtmf.org ......... ...  ..    .