'Meridian Mail Guide; Augsburg College, Minneapolis, MN' "I've got your pokèmon, so there." ^-^ Date: Monday December 20, 1999 Written by: The Clone ^-^ -- 1. Prologue 2. Augsburg College - Campus Information 3. Augsburg College - Meridian Box Directions 4. Access - Bypassing the Password Prompt 5. Dial In Port - Locating / System Options 6. Conclusion - General Review / Wrap-up 7. Contact - URL / E-mail 8. Credits -- [Prologue;] The last time I wrote a comprehensive document on the 'Meridian Mail' system was July 22, 1999. The document was called 'Meridian Mail rls.12'. In the file I spoke about release twelve features, exchange skanning, VMB hacking, commands/options, and creation of distribution lists. I've found that Meridian Mail rls.12 is used mainly by large companies because of its versatility, easy-to-use mail options, and compatibility with mainstream PBX/PABX's on the market. We're probably all aware that companies use various types of voice mail systems (i.e. Meridian Mail, Audix, One Connect, Skytel, etc.), and we're also aware that these systems are highly insecure. What then happens is these systems are exploited, documents are written, more company systems are discovered, and a literal looping process occurs. Unfortunately because this obvious trend, most of us ignore the fact that there are other party's who do run insecure voice mail systems. These particular "organizations" are a target waiting to be found. Close to all Canadian and American educational institutions have some sort of a "voice-mail" box system set-up. In this document, I'll be giving insight to one College Meridian Mail system that is desperately in need of some "fine tuning". -- [Augsburg College - Campus Information;] Augsburg College is a private, four-year co-educational liberal arts college affiliated with the Evangelical Lutheran Church in America. It is located in Minneapolis, Minnesota and is situated on approximately ten city blocks in the heart of the metropolitan area. Its mailing address is: Augsburg College 2211 Riverside Avenue Minneapolis, MN, USA 55454 Telephone: (612) 330-1000 FAX (612) 330-1649 email: webmaster@augsburg.edu -- [Augsburg College - Meridian Box Directions;] One particularly amusing thing about Augsburg College, is that on their web-site they give *specific* step by step instructions for students and staff on how to use their Meridian Voice-mail System. These instructions can be accessed by anyone in the world. By simply visiting www.augsburg.edu, anyone can potentially compromise this college's security. Giving specific data on a voice-mail system to students and staff is one thing, but allowing it to be accessed by billions of people is absolutely ridiculous. The following has been taken from the College's own site: Voice Mail Features: -------------------- + A tutorial will assist with feature prompts once you have logged on to the system. + Access to voice mail is possible from any location (on or off campus) with a touch-tone telephone set. + Voice mail will automatically pick-up after the fourth ring. 1. Log-on Procedure ------------------- + Enter 1600 (on-campus); 612-330-1600 (off-campus) + Enter extension followed by # + Enter password followed by # Now you are logged on to your voice mail box and the system will inform you of any new messages in chronological order. 2. Playing your Messages ------------------------ + Log-on to your voice mail box by using the Log-on Process. + Enter 2 to hear any new messages + Enter 6 to go to the next message + Enter 4 to return to the previous message 3. Deleting Messages -------------------- + Enter 76 to delete messages. + All messages that have listened to will be deleted after 4 days. + If you do not listen to your messages, they will remain in your mailbox indefinitely. 4. Recording External Greeting ------------------------------ + Log-on to your voice mail box (step 1 above). + Enter 82 + Enter I to record your external greeting (greeting for off-campus calls) + Enter 5 to start recording, wait for tone, then speak. + When you have finished recording press, press # + To listen to your greeting, enter 2 + If you do not like a greeting and would like to delete it, enter 76 after listening to the greeting. + When you are done recording, enter 83 to log off of the voice mail system. 5. Express Messaging: --------------------- + Allows a caller to leave a message in someone's voice mailbox without directly calling that person on their phone. + On campus Enter 1605; off-campus enter 612-330-1605 + Enter the mailbox number of the person for whom you want to leave a message, followed by # + After the prompt and record tone, leave your message, press # when finished + Exit voice mail system by entering 83 6. Password Change: (Passwords must be 4-16 digits long) -------------------------------------------------------- + Log-on (step 1) + Enter 84 + Enter the new password followed by # (you will be asked to enter it twice) + Enter the old password followed by the # to verify the change 7. Personal Verification: ---------------------------------------------------------------------- This a recording of your name and department affiliation used by the system in place of your mailbox number. It is very helpful for people using Express Messaging. + Log-on (step 1) + Enter 89 + Wait for the tone and speak your name and department affiliation/title + To stop and check the new recording, press # + Log off by entering 83 when you are satisfied with recording 8. Voice Mail Shortcut: ----------------------- To leave a message without listening to a length greeting, press 5 as soon as you hear the start of a greeting. At the tone begin recording your message. 'The Brief Tutorial' + Meridian Mail has a tutorial that will assist with feature prompts once you have logged on to the system. + Access to voice mail is possible from any location (on- or off-campus) with a touch-tone telephone set. + Incoming calls will be automatically routed to voice mail after the 4th ring when on the telephone with another call. + The incoming call will be directly routed to your voice mail box. + Voice mail will automatically record the date and time of each call as well as the location of the call. + Voice mail boxes are programmed to automatically delete all "opened" messages after 4 days. + Opened messages include those messages that have been listened to, but not yet deleted by the user. [This is very useful for intruders who want to eavesdrop on students and/or staff who rarely check their mailboxes.] + Call-waiting and answering machines are not feasible with the voice mail system. 'Additional Meridian Voice-mail information' Voice mail will automatically disable when: ------------------------------------------- + User has entered the wrong password. + User has incorrectly logged on to the system. + Voice mail boxes will disable on the 5th consecutive attempt. + If you are unable to log on by the 2nd attempt, hang up, verify the password, and follow log-on directions. [Why thank you! Now I know what to do in order to successfully brute-force hack your mailboxes.] + If your voice mail box does become disabled, contact the IT help desk at ext. 1044. + The voice mail box will be re-enabled at the earliest possible convenience. 'The Stutter Tone' Stutter Tone: ------------- + Voice mail will record a "stutter tone" to alert you to new messages in your voice mail box. + You will hear this stutter tone when you pick up your telephone handset. + At this point you can either log-on to voice mail, or dial through (the stutter tone) to place a call if you do not wish to check your messages. 'Log-Off Process' Log-Off Process: ---------------- + When finished with the voice mail system, press 83. (This will ensure that Meridian Mail has been properly disconnected.) + If you are experiencing problems with your voice mail box or the voice mail system please send an email to help@augsburg.edu or call 612-330-1044 for help. -- [Access - Bypassing the Password Prompt;] Hacking into any Voice Mail Box can be easy if you know what you're doing. Generally when you run into a Meridian Mail System, you will hear the account users temporary greeting. To bypass this nonsense, simply press the * key. Now you should be asked to enter your password or passcode (same deal). Out of the goodness of my heart, I have listed the most commonly used Meridian voice-mail passwords; *1#, bx#, 0000#, 1111#, 2222#, 1234#, 9999# (note: # is the button you press when you finish entering the password) -- [Dial In Port - Locating / System Options;] There is a possibility that Augsburg College may a Dial In Port of some kind because of the large number (in the thousands) of voice-mail accounts on the campus. One possibility of finding a Dial In Port, would be to wardial the 612-330-xxxx prefix. A wardialer would simply scan from 612-330-0000 to 612-330-9999 in suffixial order logging all carriers. If Augsburg College does happen to have a Dial In Port, they are always (from my experience) 2400 baud modem carriers. The Dial In Ports give no prompts because you're required to press ctrl-W. That's it! You're not asked for a login or password. This will give you a menu with two options to choose from. The options are: CONSOLE and MMI (Man Machine Interface). + If you select CONSOLE, you'll get system administration powers. (Talk about an ego booster, eh?) + If you select MMI, immediately a Meridian Mail logo ASCII drawing will appear. From there you'll need to press F1 to logon to the system. I won't get into the options too much because that's something you'll need to figure out for yourself. Besides, if I told you everything you might not be tempted to wardial or skan for the Dial In Port. ;-p -- [Conclusion - General Review / Wrap-up] Looking back at all the step-by-step instructions Augsburg College made available to everyone, it's quite clear that the people running the campus' Meridian Mail system are not concerned with privacy and security. If they cannot properly secure their voice-mail system, then there must be a lot more out there to exploit. Try using some of the methods I stated above and see what you can find. You'll be surprised what is out there if you simply just take the time to explore. -- [Contact - URL / E-mail] + URL: http://nettwerk.hypermart.net + E-mail: webmaster@nettwerk.hypermart.net -- [Credits;] I'd like to give credit to Dominique Duval for taking the time to put the Meridian Mail HTML document in text format, and for passing the information on. A N E T T W E R K E D P R O D U C T