Title : Hacking Rolm's CBXII
Author : DH
===Phrack Inc.===
Volume Three, Issue Thirty-one, Phile #3 of 10
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
/ * * \
\ /
/ Hacking Rolm's CBXII/9000 \
\ by DH /
/ 05/24/90 \
\ * * /
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
Introduction
------------
IBM Rolm's CBXII/9000 is a very powerful machine. Powerful in the aspect
that one has the switch(s) at his control. Controling switches means you can
control the entire PBX environment (And it's users).
This file will not get technical. Basically, I'm writing this file on
the HOW-TO's of the internal works of CBXII and the basics of obtaining the
dialups and account information need to access the machines. For further
information on CBX's in general, read Epsilon's Phrack Phile on them, or
consult Evil Jay's phile on OSL's.
Obtaining Dialups
--------- -------
Obtaining dialups unfortunately is the hardest part of hacking CBXII's.
(Yes, even harder than hacking them). There are several ways to obtain the
dialups. I would say a good bit of CBX's are at universities and hospitals
where they own their own switches. Most of the time you can determine if they
have one by calling the Telecommunications Department of the target location.
Or, another way is to check with ROLM. If you *KNOW* that a target location
has a CBXxx machine, you can call ROLM's 800 wats line and say your with the
Telecommunications Department and your looking for the DIALUP. Rolm has files
on all their CBXxx's and the Dialups also. They might ask you for a NODE #
for the dialup, and you should usually respond with what node you want (Since
different nodes handle different areas of the PBX). Basically, nodes start at
ONE and usually goto THREE or FOUR, depending on the size of the PBX.
CBXxx's are greatly compatible of IBM Rolm's Phone-Mail system (Which
is a highly used and common voice mail system). This of course doesn't mean
that every PHM (Phone-Mail) system has a CBXxx attached. But it is generally
a good start.
The following is a checklist to determine if the target location could
have a CBXxx for controlling their switch. By no means however, if your target
location has all of the following it could have a CBXxx.
1) Does the location handle it's own switch?
If so, what kind, and who services it.
2) Does IBM Rolm handle any aspect of their telecommunications
department?
If so, this is a possible CBXxx location.
3) Does the location have Rolm Phone-Mail?
These three guidelines are not requirements. I.E. -- The location
could have a non-IBM PBX but still have a CBXxx for handling the switch.
So who knows.. It's up to you and your bullshitting and scans.
Hacking the CBXxx's
------- --- -------
Well, once you have obtained the dial-ups, you are almost halfway
there. Hacking the CBX is the easy part. 1st off, IBM Rolm ships *ALL*
of their machines with a default account (Yes, and they never change it).
When the destination of the CBX recieves the machine, they use the default
to create other accounts for employees, PBX operators, and administration.
Rolm IBM also has a field support account embedded in the machine. These
are different to each location and correspond to the serial number of the
machine (Rolm's accounts can be obtained from Rolm's 800 technical support
line). So, now that we know that there is a default account that telecom
department uses to setup the other accounts after they recieve the machine,
tells us that this is a priviledge account. And it is.
USERNAME: SU
PASSWORD: SUPER
How nice for them to give us such power. Yes, it's a basic default
with SuperUser priviledge. If for some reason the account default has been
changed, their are other ways of getting in:
1) Call Rolm and get the Field account information.
2) Try first names of Telecom Dept. employees, and PBX Operators.
3) Use every Hacking skills you have (If any).
Some older versions of CBX don't even require logging in with an
account. Those versions are less responsive to the administrators needs,
but can be useful to one also. Don't be discouraged if the SU password is
changed, just call Rolm and get the field account.
The following is the matrix before one access the machine. *Note that
it clearly identifies* *Also: Accessible at 300 baud and e,7,1*
CONNECT ID banner
_Release version # /
/ /\
Rolm CBXII RELEASE 9004.0.65 RB74UCLA11956
BIND DATE: 8/SEP/88 \
YOU HAVE ENTERED NODE 1, CPU 2 \_Name of owner, IE: UCLA
11:14:30 ON FRIDAY 2/11/1990 (System ID)
USERNAME: xxx
PASSWORD: xxx
INVALID USERNAME-PASSWORD PAIR.
Once your in
---- ---- --
Once your in, you should have no problems wondering around the
machine and using the utilities in the machine's operating system. There is
very specific help functions inside the machine that will guide you through
with no problems. At the CBX prompt:
%. HELP ?
or
%. ?
Should produce a valid listing of options and sub-functions. Every
function can be followed with a '?' to give lists of valid sub-functions under
that function or how the syntax of that function should be used.
The following is a listing of commands for CBXII/9000:
ABORT ACTIVATE ATTR BYE
CANCEL CARD CDRSM CDT
CHANGE CHG CLEAR CLR
CMPCT CMSTS CNCL CNFG
CONVERT COPY CPEG CTMON
CTRA CTRTL CXCLR COPY
CXCLR CXCON CXNET DACK
DADD DAEVT DANS DBDMP
DCAT DCF DCOM DDMA
DDQ DDT DE DEACTIVATE
DEFINE DELETE DEMOUNT DESUM
DEX DFACK DFCOM DFEAT
DFEVT DHTQ DHWS DIAG
DIQ DISABLE DIWQ DKQ
DML DMNT DMS DMTST
DOWN DPATR DPMR DPMS
DPPRI DPTR DQQ DRCT
DREGS DSBLE DSQ DSST
DSTAK DTCB DTDQ DWQ
DX_TR ENABLE ENB ENBLE
ETIO EX EXM EXN
EXP EXPAND FINIT FORMAT
FREER FSD GTOD HDBST
HELP INSTALL KPFA LCT
LIST LOAD LOGOFF LOGON
LPEG LPKT LSCT LSL
LST LTCB MNT MONITOR
MOUNT MTRACE NEXT NSTAT
PAGE PCNFG PDIO PFA
PKTS PLIST PLTT PPFA
PS PSH QAT QITM
QTEST RCT RECEIVE RENAME
REPLY RESTART RESTORE REVERSE
RM RMOFF RPFA RSC
RSCLK RSTOR RSTRT SAT
SCAN SEND SET SHOW
SITM SOCON SOUNC SSAT
START STATE STATUS STEST
STOD STOP STRT STS
TDCD TEST TKSTS TRTL
TST TX UNLK UNLOCK
UP VERIFY XDEF XMIT
XPND
These commands can be executed from and '% ' prompt. If the command is
followed by a '?', more information will be supplied about the command.
Using the ICI
----- --- ---
The Interactive Configuration Interface controls immediate changes in
the switch and PBX environment. The Utility is explained in great detail
through the actual running of it. You can access the ICI by typing:
% CNFG
CBXII/9000
INTERACTIVE CONFIGURATION INTERFACE
CPU 2
15:14:32 ON FRIDAY 5/02/1990
COMMAND:
This is the main command prompt. From here you can exercise the '?'
help list to get valid commands. There are four phases of the ICI utility:
Modify, Create, List, and Delete. These can be used on Extentions, Trunks,
Logon accounts, Feature Group sequences, Data_line access, Trunk Groups, ect.
The following is a sample of using 'list' to list a current extention in the
PBX:
_Forward to EXTN 2000
COMMAND: LIST EXT 4038 / _Outside number
/ FORWARD ON / to forward to
FORWARDING BSY RNA DND /
EXTN TYPE COS TARGET1 TARGET2 I E I E I E RINGDOWN NAME
---- ---- --- ------- ------- - - - - - - -------- ----------
DS 4038 EXTN 56 2000 1 1 1 1 1 1 95551212 R.STABELL
\ \ \ / / \ \
Extention / -Class of service if R Auto. Forward Owner of
--Type of line BUSY I No Matter What EXTN.
(Reg. Extention) N
G
Note: The 1's specifies to forward to target#1 & NO ANSWER
(As 2's would mean forward to #2 target)
This should detail how to modify a listing like above using the 'MODIFY'
command in the ICI. Once modified, all transactions are processed immediately.
Using the 'Delete' command one can delete extentions, trunks, ect.
So now we have the following commands in ICI: MODIFY, DELETE, LIST, CREATE.
Each can be used with the following "Nouns" to modify that "Noun":
BUTTON_120 BUTTON_240 CDR_EXCLUDE CNFG_ERRORS
CNFG_QUEUE CNFG_STATUS CNFG_USERS COM_GROUP
COS_FEAT DATA_ACCESS DATA_DEVICE DATA_GROUP
DATA_LINE DATA_SUBMUX DLI ETS
EXTEN FAC FAC_TYPE FAMILY
FEAT_CODE FIRST_DIGIT HD_GROUP LEX
LOGON_PROFILE MAP MEM_PARTS PARAM
PICK POWER Q_TYPE ROUTE_LIST
RP RPD RPI RPS_120S_ON
RPS_240S_ON SAT_NAME SEARCH_SEQ SECTION
SECURITY_GROUP SERVICE_LIST SIO_PARTS SLI
SPEED T1D3 T1D3_GRP TRUNK
TRUNK_GROUP VPC
The FAMILY, LOGON_PROFILE, and CNFG_USER all deal with the accounts on
the system. One can use MODFIY or CREATE to set them up an account with SU
access. The FAMILY noun is the listing of the groups with different access,
to different "nouns" available. I.E.: Not everyone can access the CHANGE
LOGON_PROFILE to create an account.
To create an account with SU access, type (while in ICI):
% CREATE LOGON_PROFILE
ENTER NAME (1-12 CHAR): TEST
ENTER PASSWORD: TEST
RETYPE: TEST
Next it will ask you for a family. For SU access, type "SYSTEM_ADMIN".
After family, the machine should prompt you for a "verb". Verbs are the actual
functions or commands, so in this environment you can set the commands a user
can access. So, for SU, enter "ALL" for every command access.
To get a valid listing of users online, try this:
% LIST CNFG_USERS
NUMBER OF USERS MAX NUMBER OF USERS
3 5
PORT USER_NAME START_TIME HOW_LONG
17 SU 17:47:57 0:28:34
2 FIELD 18:16:03 0:0:28
3 MARYB 18:16:03 0:10:03
Using the Monitoring Utility
----- --- ---------- -------
This command is one of the more powerful commands in the CBXxx system.
The monitor command should be invoked from within the main function command
level and not in the ICI level. The monitoring command allows you to actually
watch or monitor TRUNKS and EXTENTIONS. So, if I were to type:
% MONITOR EXT 4038
10:02:43 ON FRIDAY MAY/02/1990
EXT# STATE DI CODE DIGITS PROCESS STATUS
---- --------------- -- ---- ------------- ------------ ------
4038 IDLE STN FWD NUM FWD
\ \ / / / \
Extention Not in use Standard \ / Forwarded
Extention \ /
Forwarded to
a number
This shows the extention to be IDLE and not in use. But, with forwarded
call processes to a standard number. You would have to use ICI to look up the
number it's forwarded to if you wanted.
% MONITOR EXT 4038
10:03:44 ON FRIDAY MAY/11/1990
EXT# STATE DI CODE DIGITS PROCESS STATUS
---- -------------- -- ---- ------------- ----------- ------
4038 DIAL TONE STN FWD NUM FWD
4038 DIALING Y 9 / \ \ \
4038 DIALING Y 92 S F N \Extention
4038 DIALING Y 923 t o u Forwarded
4038 DIALING Y 9233 a N r m
4038 DIALING Y 92334 n u w b
4038 DIALING Y 923345 d m a e
4038 DIALING Y 9233456 a b r r
4038 DIALING Y 92334564 r e d
4038 CONN T025N N \ d r e
/ \ / \ d
\ \ \_Dialing NO \_Number dialed
\_Extention \
Connected to
Outside trunk T025N
This monitoring shows the extention actually dialing the number, and then
connecting to an outside truck. Unfortunatley, one we cannot monitor without
access to a bell switch.
Monitoring can also be done with trunks. I will not display any trunk
monitoring since it is quite simple to decypher.
Manipulating the switch
------------ --- ------
There are many ways you can manipulate the CBX's to gain accounting
information on data lines within the PBX environment. One sure-fire method
would be to forward an actual data dial-up extention to a bridge or loop and
then write an emulation to intercept the user's account information real-time
as they connect to your fake dial-up.
Or perhaps if an university uses the CBX, one could maybe forward the
computer help desk extention to a bridge or loop and as an unsuspecting user
calls up, ask him what machine and account info he has access to for a help
log sheet you are taking.
Who cares. Who knows. There are thousands of things you can do to use
the CBX to your advantage. Hell, you have the whole switch at your command.
DH - 05/11/90
_______________________________________________________________________________